Tight Bounds for Unconditional Authentication Protocols in the Manual Channel and Shared Key Models
We address the message authentication problem in two seemingly different communication models. In the first model, the sender and receiver are connected by an insecure channel and by a low-bandwidth auxiliary channel that enables the sender to “manually” authenticate one short message to the receiver (for example, by typing a short string or comparing two short strings). We consider this model in a setting where no computational assumptions are made, and prove that for any 0 < ε < 1 there exists a log* n-round protocol for authenticating n-bit messages, in which only 2 log(1/ε) + O(1) bits are manually authenticated, and any adversary (even computationally unbounded) has probability of at most ε to cheat the receiver into accepting a fraudulent message. Moreover, we develop a proof technique showing that our protocol is essentially optimal by providing a lower bound of 2 log(1/ε) – 6 on the required length of the manually authenticated string.
The second model we consider is the traditional message authentication model. In this model the sender and the receiver share a short secret key; however, they are connected only by an insecure channel. Once again, we apply our proof technique, and prove a lower bound of 2 log(1/ε) – 2 on the required Shannon entropy of the shared key. This settles an open question posed by Gemmell and Naor (CRYPTO ’93).
Finally, we prove that one-way functions are essential (and sufficient) for the existence of protocols breaking the above lower bounds in the computational setting.
Keywords: Hash Function, Authentication Protocol, Tight Bound, Message Authentication, Input Message
- 1. Barak, B.: Constant-round coin-tossing with a man in the middle or realizing the shared random string model. In: 43rd FOCS, pp. 345–355 (2002)
- 2. Bluetooth, http://www.bluetooth.com/bluetooth/
- 3. Certified Wireless USB, http://www.usb.org/developers/wusb/
- 4. Di Crescenzo, G., Ishai, Y., Ostrovsky, R.: Non-interactive and non-malleable commitment. In: 30th STOC, pp. 141–150 (1998)
- 7. Gehrmann, C.: Cryptanalysis of the Gemmell and Naor multiround authentication protocol. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 121–128. Springer, Heidelberg (1994)
- 8. Gehrmann, C., Mitchell, C.J., Nyberg, K.: Manual authentication for wireless devices. RSA Cryptobytes 7, 29–37 (2004)
- 9. Gemmell, P.S., Naor, M.: Codes for interactive authentication. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 355–367. Springer, Heidelberg (1994)
- 11. Impagliazzo, R., Luby, M.: One-way functions are essential for complexity based cryptography. In: 30th FOCS, pp. 230–235 (1989)
- 12. Laur, S., Asokan, N., Nyberg, K.: Efficient mutual data authentication using manually authenticated strings. Cryptology ePrint Archive, Report 2005/424 (2005)
- 14. Naor, M., Rothblum, G.N.: The complexity of online memory checking. In: 46th FOCS, pp. 573–584 (2005)
- 15. Naor, M., Segev, G., Smith, A.: Tight bounds for unconditional authentication protocols in the manual channel and shared key models. Cryptology ePrint Archive, Report 2006/175 (2006)
- 16. Pass, R., Rosen, A.: New and improved constructions of non-malleable cryptographic protocols. In: 37th STOC, pp. 533–542 (2005)
- 19. Vaudenay, S.: Secure communications over insecure channels based on short authenticated strings. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 309–326. Springer, Heidelberg (2005)