Results 1-10 of 10
Universal Hashing and Authentication Codes
, 1991
Cited by 59 (1 self)
unconditionally secure authentication codes without secrecy. This idea is most useful when the number of authenticators is exponentially small compared to the number of possible source states (plaintext messages). We formally define some new classes of hash functions and then prove some new bounds and give some general constructions for these classes of hash functions. Then we discuss the implications to authentication codes.
Authentication Theory and Hypothesis Testing
, 2000
Cited by 20 (1 self)
By interpreting message authentication as a hypothesis testing problem, this paper provides a generalized treatment of information-theoretic lower bounds on an opponent's probability of cheating in one-way message authentication. We consider the authentication of an arbitrary sequence of messages, using the same secret key shared between sender and receiver. The adversary tries to deceive the receiver by forging one of the messages in the sequence. The classical two types of cheating are considered, impersonation and substitution attacks, and lower bounds on the cheating probability for any authentication system are derived for three types of goals the adversary might wish to achieve. These goals are (a) that the fraudulent message should be accepted by the receiver, or, in addition, (b) that the adversary wishes to know or (c) wants to even choose the value of the plaintext message obtained by the legitimate receiver after decoding with the secret key.
Combinatorial Characterizations of Authentication Codes II
 Designs, Codes and Cryptography
, 1996
Cited by 19 (4 self)
For any authentication code for $k$ source states and $v$ messages having minimum possible deception probabilities (namely, $P_{d_0} = k/v$ and $P_{d_1} = (k-1)/(v-1)$), we show that there must be at least $v$ encoding rules. (This can be thought of as an authentication-code analogue of Fisher's Inequality.) We derive several properties that an extremal code must satisfy, and we characterize the extremal codes for equiprobable source states as arising from symmetric balanced incomplete block designs. We also present an infinite class of extremal codes, in which the source states are not equiprobable, derived from affine planes.
1 Introduction
Authentication codes were invented in 1974 by Gilbert, MacWilliams and Sloane [4]. The theory of authentication codes was developed throughout the 1980's by Simmons and others. Numerous papers have given constructions and bounds for authentication codes; see the list of references for a representative sample. For a survey of authentication code...
A Unified and Generalized Treatment of Authentication Theory
 Proc. 13th Symp. on Theoretical Aspects of Computer Science (STACS’96), LNCS
, 1996
Cited by 14 (0 self)
This paper provides a unified and generalized treatment of information-theoretic lower bounds on an opponent's probability of cheating in one-way message authentication. It extends and generalizes, in a number of directions, the substantial body of known results, each of which holds only for a certain restricted scenario. At the same time the treatment of unconditionally secure authentication is simplified considerably.
Codes for Interactive Authentication

, 1998
Cited by 12 (1 self)
An authentication protocol is a procedure by which an informant tries to convey n bits of information, which we call an input message, to a recipient. An intruder, I, controls the network over which the informant and the recipient talk and may change any message before it reaches its destination. If the protocol has security p, then the recipient must detect this cheating with probability at least 1 − p. This paper
Combinatorial Bounds of Authentication Codes with Arbitration
 Proc. of CRYPTO’94, LNCS 839
, 1997
Cited by 10 (3 self)
Unconditionally secure authentication codes with arbitration (A²-codes) protect against deceptions from the transmitter and the receiver as well as that from the opponent. In this paper, we present combinatorial lower bounds on the cheating probabilities and the sizes of keys of A²-codes. Especially, our bounds for A²-codes without secrecy are all tight for small size of source states.
Tight bounds for unconditional authentication protocols in the manual channel and shared key models
In Advances in Cryptology - CRYPTO ’06
, 2006
Cited by 8 (1 self)
We address the message authentication problem in two seemingly different communication models. In the first model, the sender and receiver are connected by an insecure channel and by a low-bandwidth auxiliary channel, that enables the sender to “manually” authenticate one short message to the receiver (for example, by typing a short string or comparing two short strings). We consider this model in a setting where no computational assumptions are made, and prove that for any 0 < ɛ < 1 there exists a log* n-round protocol for authenticating n-bit messages, in which only 2 log(1/ɛ) + O(1) bits are manually authenticated, and any adversary (even computationally unbounded) has probability of at most ɛ to cheat the receiver into accepting a fraudulent message. Moreover, we develop a proof technique showing that our protocol is essentially optimal by providing a lower bound of 2 log(1/ɛ) − O(1) on the required length of the manually authenticated string. The second model we consider is the traditional message authentication model. In this model the sender and the receiver share a short secret key; however, they are connected only by an insecure channel. We apply the proof technique above to obtain a lower bound of 2 log(1/ɛ) − 2 on the
Combinatorial Bounds and Design of Broadcast Authentication
In IEICE Trans
, 1996
Cited by 7 (0 self)
This paper presents a combinatorial characterization of broadcast authentication in which a transmitter broadcasts $v$ messages $e_1(s), \cdots, e_v(s)$ to authenticate a source state $s$ to all $n$ receivers so that any $k$ receivers cannot cheat any other receivers, where $e_i$ is a key. Suppose that each receiver has $l$ keys. First, we prove that $k < l$ if $v < n$. Then we show an upper bound of $n$ such that $n \le v(v-1)/l(l-1)$ for $k = l-1$ and $n \le \binom{v}{\lceil l/k \rceil} / \binom{l}{\lceil l/k \rceil} + \binom{v}{\lceil l/k \rceil}$ for $k < l-1$. Further, a scheme for $k = l-1$ which meets the upper bound is presented by using a BIBD and a scheme for $k < l-1$ such that $n = \binom{v}{\lceil l/k \rceil} / \binom{l}{\lceil l/k \rceil}$ is presented by using a Steiner system. Some other efficient schemes are also presented.
Galois Field Commitment Scheme
, 2006
In [3] the authors give the first mathematical formalization of an unconditionally secure commitment scheme. Their construction has some similarities to one used to build authentication codes, so they raise the question whether there is some relation between commitment schemes and authentication schemes. They conjecture that authentication schemes with arbitration can be used, but they stress that the information flows are different. In this
Under the Supervision of
We address the message authentication problem in two seemingly different communication models. In the first model, the sender and receiver are connected by an insecure channel and by a low-bandwidth auxiliary channel, that enables the sender to “manually” authenticate one short message to the receiver (for example, by typing a short string or comparing two short strings). We consider this model in a setting where no computational assumptions are made, and prove that for any 0 < ϵ < 1 there exists a log* n-round protocol for authenticating n-bit messages, in which only 2 log(1/ϵ) + O(1) bits are manually authenticated, and any adversary (even computationally unbounded) has probability of at most ϵ to cheat the receiver into accepting a fraudulent message. Moreover, we develop a proof technique showing that our protocol is essentially optimal by providing a lower bound of 2 log(1/ϵ) − 6 on the required length of the manually authenticated string. The second model we consider is the traditional message authentication model. In this model the sender and the receiver share a short secret key; however, they are connected only by an insecure channel. Once again, we apply our proof technique, and prove a lower bound of 2 log(1/ϵ) − 2 on the required Shannon entropy of the shared key. This settles an open question posed by Gemmell and Naor (CRYPTO ’93). Finally, we prove that one-way functions are necessary (and sufficient) for the existence of protocols