
Tight Bounds for Unconditional Authentication Protocols in the Manual Channel and Shared Key Models∗

Moni Naor†

Gil Segev‡

Adam Smith§

Abstract

We address the message authentication problem in two seemingly different communication models. In the first model, the sender and receiver are connected by an insecure channel and by a low-bandwidth auxiliary channel, which enables the sender to “manually” authenticate one short message to the receiver (for example, by typing a short string or comparing two short strings). We consider this model in a setting where no computational assumptions are made, and prove that for any 0 < ε < 1 there exists a log* n-round protocol for authenticating n-bit messages, in which only 2 log(1/ε) + O(1) bits are manually authenticated, and any adversary (even computationally unbounded) has probability at most ε of cheating the receiver into accepting a fraudulent message. Moreover, we develop a proof technique showing that our protocol is essentially optimal by providing a lower bound of 2 log(1/ε) − O(1) on the required length of the manually authenticated string.

The second model we consider is the traditional message authentication model. In this model the sender and the receiver share a short secret key; however, they are connected only by an insecure channel. We apply the proof technique above to obtain a lower bound of 2 log(1/ε) − O(1) on the required Shannon entropy of the shared key. This settles an open question posed by Gemmell and Naor (CRYPTO ’93).

Finally, we prove that one-way functions are necessary (and sufficient) for the existence of protocols breaking the above lower bounds in the computational setting.

Keywords: Authentication, Cryptographic protocols, Lower bounds, Unconditional security.

∗A preliminary version of this work appeared as [22].

†Incumbent of the Judith Kleeman Professorial Chair, Department of Computer Science and Applied Mathematics,

Weizmann Institute of Science, Rehovot 76100, Israel. Email: moni.naor@weizmann.ac.il. Research supported in

part by a grant from the Israel Science Foundation.

‡Department of Computer Science and Applied Mathematics, Weizmann Institute of Science, Rehovot 76100, Israel.

Email: gil.segev@weizmann.ac.il.

§Department of Computer Science and Engineering, Pennsylvania State University, University Park, PA 16803.

Email: asmith@cse.psu.edu. Research was done at the Weizmann Institute of Science and supported by the Louis L.

and Anita M. Perlman postdoctoral fellowship.


1 Introduction

Message authentication is one of the major issues in cryptography. Protocols for message authentication provide assurance to the receiver of a message that it was sent by a specified legitimate sender, even in the presence of an adversary who controls the communication channel. For more than three decades, numerous authentication models have been investigated, and many authentication protocols have been suggested. The security of these protocols can be classified according to the assumed computational resources of the adversary. Security that holds when one assumes a suitable restriction on the adversary’s computing capabilities is called computational security, while security that holds even when the adversary is computationally unbounded is called unconditional security or information-theoretic security. This paper is concerned mostly with unconditional security of a single instance of message authentication protocols. We remark that there are three main advantages to unconditional security over computational security. The first is the obvious fact that no assumptions are made about the adversary’s computing capabilities or about the computational hardness of specific problems. The second, less apparent advantage, is that unconditionally secure protocols are often more efficient than computationally secure protocols. The third advantage is that unconditional security allows exact evaluation of the error probabilities.

Shared key authentication. The first construction of an authentication protocol in the literature was suggested by Gilbert, MacWilliams and Sloane [12] in the information-theoretic adversarial setting. They considered a communication model in which the sender and the receiver share a key, which is not known to the adversary. Gilbert et al. presented a non-interactive protocol in which the length of the shared key is 2 max{n, log(1/ε)}; henceforth, n is the length of the input message and ε is the adversary’s probability of cheating the receiver into accepting a fraudulent message. They also proved a lower bound of 2 log(1/ε) on the required entropy of the shared key in non-interactive deterministic protocols. Clearly, a lower bound on this entropy is log(1/ε), since an adversary can merely guess the shared key. This model, to which we refer as the shared key model, became the standard model for message authentication protocols. Protocols in this model should provide authenticity of messages while minimizing the length of the shared key.

Wegman and Carter [35] suggested using ε-almost strongly universal₂ hash functions for authentication. This enabled them to construct a non-interactive protocol in which the length of the shared key is O(log n log(1/ε)) bits. In 1984, Simmons [30] initiated a line of work on unconditionally secure authentication protocols (see, for example, [9, 17, 19, 27, 28, 31, 32]). Gemmell and Naor [11] proposed a non-interactive protocol with a shared key of length only log n + 5 log(1/ε) bits. They also demonstrated that interaction can reduce the length of the shared key and make it independent of the length of the input message. More specifically, they described a log* n-round protocol that enables the sender to authenticate n-bit messages, where the length of the shared key is only 2 log(1/ε) + O(1) bits. However, it was not known whether this upper bound is optimal, that is, whether by introducing interaction the entropy of the shared key can be made smaller than 2 log(1/ε).
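The following is an added example, written for this page and not taken from the paper: the Gilbert, MacWilliams and Sloane one-time affine authentication code that the paragraph above summarises, instantiated over a prime field GF(q) for simplicity (the original construction works over any finite field; a field of size exactly 2^k gives a key of exactly 2k bits, whereas a prime field overshoots by a bit or two). The key is a uniform pair (a, b) in GF(q)², the tag of a message m is a·m + b mod q, and the function `substitution_success` computes the adversary's exact success probability by enumerating every key consistent with one observed (message, tag) pair. The class name, parameter choices and test values are ours.

```python
# Added example (not from the paper): the GMS one-time affine authentication
# code over a prime field GF(q), with an exact computation of the adversary's
# substitution-attack success probability.
import math
import secrets
from fractions import Fraction


def next_prime(n: int) -> int:
    """Smallest prime >= n; trial division suffices for the field sizes used here."""
    candidate = max(n, 2)
    while any(candidate % d == 0 for d in range(2, math.isqrt(candidate) + 1)):
        candidate += 1
    return candidate


class GMSCode:
    """Key (a, b) uniform in GF(q)^2, tag(m) = a*m + b mod q, used for ONE message.

    With q >= max(2^n, 1/eps) this authenticates n-bit messages with cheating
    probability exactly 1/q <= eps, using 2*ceil(log2 q) key bits, i.e. about
    2*max{n, log(1/eps)} bits, the figure quoted in the Introduction.
    """

    def __init__(self, msg_bits: int, eps: float):
        self.msg_bits = msg_bits
        self.q = next_prime(max(2 ** msg_bits, math.ceil(1 / eps)))

    @property
    def key_bits(self) -> int:
        return 2 * math.ceil(math.log2(self.q))

    @property
    def cheating_probability(self) -> Fraction:
        return Fraction(1, self.q)

    def keygen(self) -> tuple[int, int]:
        return secrets.randbelow(self.q), secrets.randbelow(self.q)

    def tag(self, key: tuple[int, int], m: int) -> int:
        if not 0 <= m < 2 ** self.msg_bits:
            raise ValueError("message out of range")
        a, b = key
        return (a * m + b) % self.q

    def verify(self, key: tuple[int, int], m: int, t: int) -> bool:
        return 0 <= m < 2 ** self.msg_bits and self.tag(key, m) == t


def substitution_success(q: int, m: int, t: int, m2: int, t2: int) -> Fraction:
    """Exact probability that a forged pair (m2, t2) is accepted after the
    adversary has seen one authentic pair (m, t).

    Every key consistent with (m, t) has b = t - a*m, so exactly q keys remain,
    one per value of a.  For m2 != m the map a -> a*m2 + b = t + a*(m2 - m) is a
    bijection on GF(q) (q prime), so exactly one remaining key accepts any t2:
    the forgery succeeds with probability 1/q, no matter how t2 is chosen.
    """
    consistent = [(a, (t - a * m) % q) for a in range(q)]
    accepted = sum(1 for a, b in consistent if (a * m2 + b) % q == t2)
    return Fraction(accepted, len(consistent))


def impersonation_success(q: int) -> Fraction:
    """Without any observed pair, each of the q tag values is equally likely."""
    return Fraction(1, q)


if __name__ == "__main__":
    code = GMSCode(msg_bits=3, eps=1 / 8)  # q = 11, 8 key bits, eps = 1/11
    key = code.keygen()
    t = code.tag(key, 5)
    print(code.q, code.key_bits, code.verify(key, 5, t))
    print(substitution_success(code.q, 5, t, 6, t))  # 1/11
```

The affine code is strictly one-time: if the same (a, b) tags two distinct messages m and m′, the adversary computes a = (t − t′)(m − m′)⁻¹ mod q and then b = t − a·m, recovering the whole key. Keeping the per-message cost down while allowing many messages is what drives the move to universal hashing in the Wegman and Carter line of work cited next.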

Manual authentication. In 1984, Rivest and Shamir [25] were the first to incorporate human abilities into an authentication protocol. They constructed the “Interlock” protocol, which enables two parties who can recognize each other’s voice to mutually authenticate their public encryption keys in the absence of trusted infrastructure¹. Although such a communication model seems very realistic, until recently it never received a formal treatment in the literature.

¹However, the security of the protocol relies on very special non-malleability properties of the underlying encryption scheme. To the best of our knowledge, there is no construction for such an encryption scheme in the plain model.

In 2005, Vaudenay [34] formalized such a realistic communication model for message authentication, in which the sender and the receiver are connected by a bidirectional insecure channel and by a unidirectional low-bandwidth auxiliary channel, but do not share any secret information. It is assumed that the adversary has full control over the insecure channel. In particular, the adversary can read any message sent over this channel, prevent it from being delivered, and insert a new message at any point in time. The low-bandwidth auxiliary channel enables the sender to “manually” authenticate one short string to the receiver (for example, by typing a short string or comparing two short strings). The adversary cannot modify this short string. However, the adversary can still read it, delay it, and remove it. We refer to the auxiliary channel as the manual channel, and to this communication model as the manual channel model. Protocols in this model should provide authenticity of long messages² while minimizing the length of the manually authenticated string. We remark that log(1/ε) is an obvious lower bound in this model as well (see [23]).

The manual channel model is becoming very popular in real-world scenarios, whenever there are ad hoc networks with no trusted infrastructure³. In particular, this model was found suitable for initial pairing of devices in wireless networks (see, for example, [14, 15]), such as Wireless USB [4] and Bluetooth [2]. In wired connections, when a device is plugged in (i.e., when the wire is connected), the user can see that the connection is made; wireless connections, by contrast, may establish connection paths that are not straightforward. In fact, it may not be obvious when a device is connected or who its host is. Therefore, initial authentication in device and host connections is required so that the user will be able to validate both the device and its host.

Consider, for example, a user who wishes to connect a new DVD player to her home wireless network. Then, having the user read a short message from the display of the DVD player and type it on a PC’s keyboard constitutes a manual authentication channel from the DVD player to the PC. An equivalent channel consists of the user comparing two short strings displayed by the two devices, as suggested by Gehrmann, Mitchell and Nyberg [10], and by Cagalj, Capkun and Hubaux [3]. Other possible implementations of the manual channel may include a visual channel [20] and an audio channel [13].

Constants do matter. The most significant constraint in the manual channel model is the length of the manually authenticated string. This quantity is determined by the environment in which the protocol is executed, and in particular by the capabilities of the user. While it is reasonable to expect a user to manually authenticate 20 or 40 bits, it is not reasonable to expect a user to manually authenticate 160 bits. Therefore, there is a considerable difference between manually authenticating log(1/ε) or 2 log(1/ε) bits and manually authenticating a significantly longer string. This motivates the study of determining the exact lower bound on the required length of the manually authenticated string.

Our contribution. We present an unconditionally secure authentication protocol in the manual channel model, in which the sender manually authenticates only 2 log(1/ε) + O(1) bits. Moreover, we prove that our protocol essentially minimizes the length of the manually authenticated string. The proof of optimality involves a careful accounting of how randomness is introduced into the protocol. In particular, our proof technique identifies the exact amount of randomness that each party is required to contribute to the manually authenticated string. In the shared key setting, we use it to settle an open question posed by Gemmell and Naor [11] by deriving a similar lower bound of 2 log(1/ε) − 2 on the required entropy of the shared key, which matches their upper bound. Finally, we consider these two communication models in the computational setting, and prove that one-way functions are necessary for the existence of protocols breaking the above lower bounds.

²Short messages can be manually authenticated without the use of any authentication protocol.

³For example, the recently suggested ZRTP protocol [36] is an RTP (Real-time Transport Protocol) [26] header extension for a Diffie-Hellman exchange to agree on a session key.

Thus, we have now gained a complete understanding of unconditionally secure message authentication in the manual channel and shared key models, for each set of parameters ℓ and ε, where ℓ is the length of the manually authenticated string or the length of the shared key, and ε is the adversary’s probability of cheating the receiver into accepting a fraudulent message. In addition, we have indicated an exact relation between the computational setting and the information-theoretic setting for authentication in both models. Figure 1 illustrates the achievable security according to our results.

[Figure 1: plot of the achievable security as a function of ℓ and ε; the axis labels and region labels did not survive extraction.]

Figure 1: The achievable security for any parameters ℓ and ε.

Paper organization. The rest of the paper is organized as follows. We first briefly present some known definitions in Section 2. In Section 3 we describe the communication and adversarial models we deal with. Then, in Section 4 we present an overview of our results, and compare them to previous work. In Section 5 we propose an unconditionally secure message authentication protocol in the manual channel model. In Section 6 we describe the proof technique that is then used to establish the optimality of our protocol. In Section 7 we apply the same proof technique to the shared key model, and prove a lower bound on the required entropy of the shared key. Finally, in Section 8 we prove that in the computational setting, one-way functions are necessary for the existence of protocols breaking the above lower bounds.

2 Preliminaries

We first present some notation used in this paper and several fundamental definitions from Information Theory. Then, we briefly present the definitions of one-way functions, statistical distance and distributionally one-way functions. All logarithms in this paper are to base 2. For a finite set S, we denote by x ∈_R S the experiment of choosing an element of S according to the uniform distribution. Given two strings u and v, we denote by u∘v the concatenation of u and v. For random variables X, Y and Z we use the following definitions:



• The (Shannon) entropy of X is defined as $H(X) = -\sum_{x} \Pr[X = x] \log \Pr[X = x]$.

• The conditional entropy of X given Y is defined as $H(X|Y) = \sum_{y} \Pr[Y = y]\, H(X|Y = y)$.

• The mutual information of X and Y is defined as $I(X;Y) = H(X) - H(X|Y)$.

• The mutual information of X and Y given Z is defined as $I(X;Y|Z) = H(X|Z) - H(X|Z,Y)$.

Definition 2.1. A function ν : ℕ → ℝ is called negligible if for any c ∈ ℕ there exists an integer n_c such that |ν(n)| < n^{−c} for every n ≥ n_c.

Definition 2.2. A function f : {0,1}* → {0,1}* is called one-way if it is computable in polynomial time, and for every probabilistic polynomial-time Turing machine⁴ M it holds that

$$\Pr\left[M(f(x), 1^n) \in f^{-1}(f(x))\right] < \nu(n),$$

for some negligible function ν(n) and for all sufficiently large n, where the probability is taken uniformly over all the possible choices of x ∈ {0,1}^n and all the possible outcomes of the internal coin tosses of M.

Definition 2.3. The statistical distance between two distributions D and F, which we denote by Δ(D,F), is defined as:

$$\Delta(D,F) = \frac{1}{2} \sum_{\alpha} \left| \Pr_{x \leftarrow D}[x = \alpha] - \Pr_{x \leftarrow F}[x = \alpha] \right| .$$

The distributions D and F are said to be ε-statistically far if Δ(D,F) ≥ ε. Otherwise, D and F are ε-statistically close.

Definition 2.4. A function f : {0,1}* → {0,1}* is called distributionally one-way if it is computable in polynomial time, and there exists a constant c > 0 such that for every probabilistic polynomial-time Turing machine M, the distribution defined by x∘f(x) and the distribution defined by M(f(x))∘f(x) are n^{−c}-statistically far when x ∈_R {0,1}^n.

Informally, it is hard to find a random inverse of a distributionally one-way function, although finding some inverse may be easy. Clearly, any one-way function is also a distributionally one-way function, but the converse is not always true. Nevertheless, Impagliazzo and Luby [16] proved that the existence of both primitives is equivalent.
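As an added example (our code, not the paper's), the quantities of this section computed exactly on small finite distributions, followed by the statistical-distance test of Definition 2.4 applied to a toy function that we construct: x uniform over 3-bit inputs and f(x) = x mod 3, which is trivially invertible but has uneven preimage sizes. A "lazy" inverter M that always returns the smallest preimage (some inverse) lands far from the distribution of x∘f(x), while an inverter that samples a uniformly random preimage (a random inverse) matches it exactly. The function and inverter names, the domain and the expected distances are ours.

```python
# Added example (not from the paper): Shannon entropy, conditional entropy,
# mutual information and statistical distance on finite distributions, and the
# Definition 2.4 comparison of x o f(x) against M(f(x)) o f(x) for a toy f.
import math
from collections import defaultdict
from fractions import Fraction


def entropy(dist) -> float:
    """H(X) = -sum_x Pr[X=x] log2 Pr[X=x]; dist maps outcome -> probability."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)


def marginal(joint, index):
    """Marginal of coordinate `index` of a joint distribution over tuples."""
    out = defaultdict(Fraction)
    for outcome, p in joint.items():
        out[outcome[index]] += p
    return dict(out)


def conditional_entropy(joint) -> float:
    """H(X|Y) = sum_y Pr[Y=y] H(X|Y=y); joint maps (x, y) -> probability."""
    total = 0.0
    for y, py in marginal(joint, 1).items():
        cond = {x: p / py for (x, y2), p in joint.items() if y2 == y}
        total += py * entropy(cond)
    return total


def mutual_information(joint) -> float:
    """I(X;Y) = H(X) - H(X|Y)."""
    return entropy(marginal(joint, 0)) - conditional_entropy(joint)


def statistical_distance(d, f) -> Fraction:
    """Delta(D,F) = 1/2 sum_alpha |Pr_D[alpha] - Pr_F[alpha]|, computed exactly."""
    support = set(d) | set(f)
    return Fraction(1, 2) * sum(
        abs(Fraction(d.get(a, 0)) - Fraction(f.get(a, 0))) for a in support
    )


# ---- Definition 2.4 on a constructed toy function --------------------------
# Toy instance (ours): x uniform over 0..7 (3-bit strings as integers) and
# f(x) = x mod 3.  Preimage sizes are 3, 3 and 2, so a deterministic inverter
# cannot reproduce the distribution of x o f(x).

def joint_x_fx(f, domain):
    """Distribution of x o f(x) for x uniform over `domain`."""
    n = len(domain)
    return {(x, f(x)): Fraction(1, n) for x in domain}


def joint_inverter(f, domain, inverter):
    """Distribution of M(f(x)) o f(x); inverter(y) returns a distribution
    (dict candidate -> probability) over the preimages M may output."""
    n = len(domain)
    out = defaultdict(Fraction)
    for x in domain:
        y = f(x)
        for xp, p in inverter(y).items():
            out[(xp, y)] += Fraction(1, n) * p
    return dict(out)


def preimages(f, domain):
    pre = defaultdict(list)
    for x in domain:
        pre[f(x)].append(x)
    return pre


def lazy_inverter(f, domain):
    """Deterministic M: always the smallest preimage (finds *some* inverse)."""
    pre = preimages(f, domain)
    return lambda y: {min(pre[y]): Fraction(1)}


def random_inverter(f, domain):
    """Ideal M: a uniformly random preimage (finds a *random* inverse)."""
    pre = preimages(f, domain)
    return lambda y: {xp: Fraction(1, len(pre[y])) for xp in pre[y]}


TOY_DOMAIN = range(8)


def toy_f(x: int) -> int:
    return x % 3


def lazy_distance() -> Fraction:
    """Delta between x o f(x) and lazy-M(f(x)) o f(x); 5/8 for the toy f."""
    d = joint_x_fx(toy_f, TOY_DOMAIN)
    m = joint_inverter(toy_f, TOY_DOMAIN, lazy_inverter(toy_f, TOY_DOMAIN))
    return statistical_distance(d, m)


def random_distance() -> Fraction:
    """Delta between x o f(x) and random-M(f(x)) o f(x); 0 for any f."""
    d = joint_x_fx(toy_f, TOY_DOMAIN)
    m = joint_inverter(toy_f, TOY_DOMAIN, random_inverter(toy_f, TOY_DOMAIN))
    return statistical_distance(d, m)


if __name__ == "__main__":
    d = joint_x_fx(toy_f, TOY_DOMAIN)
    print("H(X) =", entropy(marginal(d, 0)), " I(X;f(X)) =", mutual_information(d))
    print("lazy:", lazy_distance(), " random:", random_distance())
```

The same `entropy` function is what the lower bounds of the paper are stated against: for a shared key K drawn uniformly from a set of size 2^k it returns exactly k, so a key of Shannon entropy below 2 log(1/ε) − O(1) is what Section 7 rules out.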

3 Communication and Adversarial Models

We consider the message authentication problem in a setting where the sender and the receiver are connected by a bidirectional insecure communication channel, over which an adversary has full control. In particular, the adversary can read any message sent over this channel, delay it, prevent it from being delivered, and insert a new message at any point in time.

⁴For simplicity we focus on uniform adversaries. However, uniformity is not essential to our results.