TY - GEN
T1 - Tight bounds for unconditional authentication protocols in the manual channel and shared key models
AU - Naor, Moni
AU - Segev, Gil
AU - Smith, Adam
PY - 2006
Y1 - 2006
N2 - We address the message authentication problem in two seemingly different communication models. In the first model, the sender and receiver are connected by an insecure channel and by a low-bandwidth auxiliary channel that enables the sender to "manually" authenticate one short message to the receiver (for example, by typing a short string or comparing two short strings). We consider this model in a setting where no computational assumptions are made, and prove that for any 0 < ε < 1 there exists a log* n-round protocol for authenticating n-bit messages, in which only 2 log(1/ε) + O(1) bits are manually authenticated, and any adversary (even computationally unbounded) has probability of at most ε to cheat the receiver into accepting a fraudulent message. Moreover, we develop a proof technique showing that our protocol is essentially optimal by providing a lower bound of 2 log(1/ε) - 6 on the required length of the manually authenticated string. The second model we consider is the traditional message authentication model. In this model the sender and the receiver share a short secret key; however, they are connected only by an insecure channel. Once again, we apply our proof technique, and prove a lower bound of 2 log(1/ε) - 2 on the required Shannon entropy of the shared key. This settles an open question posed by Gemmell and Naor (CRYPTO '93). Finally, we prove that one-way functions are essential (and sufficient) for the existence of protocols breaking the above lower bounds in the computational setting.
AB - We address the message authentication problem in two seemingly different communication models. In the first model, the sender and receiver are connected by an insecure channel and by a low-bandwidth auxiliary channel that enables the sender to "manually" authenticate one short message to the receiver (for example, by typing a short string or comparing two short strings). We consider this model in a setting where no computational assumptions are made, and prove that for any 0 < ε < 1 there exists a log* n-round protocol for authenticating n-bit messages, in which only 2 log(1/ε) + O(1) bits are manually authenticated, and any adversary (even computationally unbounded) has probability of at most ε to cheat the receiver into accepting a fraudulent message. Moreover, we develop a proof technique showing that our protocol is essentially optimal by providing a lower bound of 2 log(1/ε) - 6 on the required length of the manually authenticated string. The second model we consider is the traditional message authentication model. In this model the sender and the receiver share a short secret key; however, they are connected only by an insecure channel. Once again, we apply our proof technique, and prove a lower bound of 2 log(1/ε) - 2 on the required Shannon entropy of the shared key. This settles an open question posed by Gemmell and Naor (CRYPTO '93). Finally, we prove that one-way functions are essential (and sufficient) for the existence of protocols breaking the above lower bounds in the computational setting.
UR - http://www.scopus.com/inward/record.url?scp=33749546005&partnerID=8YFLogxK
U2 - 10.1007/11818175_13
DO - 10.1007/11818175_13
M3 - Conference contribution
AN - SCOPUS:33749546005
SN - 3540374329
SN - 9783540374329
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 214
EP - 231
BT - Advances in Cryptology - CRYPTO 2006 - 26th Annual International Cryptology Conference, Proceedings
PB - Springer Verlag
T2 - 26th Annual International Cryptology Conference, CRYPTO 2006
Y2 - 20 August 2006 through 24 August 2006
ER -