Information-Theoretically Secure Entity Authentication in the Multi-user Setting

Abstract

In this paper, we study unilateral entity authentication protocols and mutual entity authentication protocols with information-theoretic security in the multi-user setting. To the best of our knowledge, only one paper by Kurosawa studied an entity authentication protocol with information-theoretic security, and an unilateral entity authentication protocol in the two-user setting was considered in his paper. In this paper, we extend the two-user unilateral entity authentication protocol to the multi-user one. In addition, we formally study an information-theoretically secure mutual entity authentication protocol in the multi-user setting for the first time. Specifically, we formalize a model and security definition, and derive tight lower bounds on size of users’ secret-keys, and we show an optimal direct construction.

Appendices

A Proof of Theorem 2

First, we show the second inequality. By Theorem 1, we have \(H(Y_{i}^{(r)})\ge \log \epsilon ^{-1}\) for any \(i\in \{1,2,\ldots ,n\}\) and \(r\in \{1,2,\ldots ,t\}\). Thus, it follows that \(\log |\mathcal{Y}| \ge \log \epsilon ^{-1}\).

Next, we show the first inequality. Without loss of generality, we suppose that \(V:=\{U_1,\ldots ,U_{\omega +1}\}\) and \(U_i,U_j \notin V\). Then, we obtain

$$\begin{aligned} H(K_j) \ge&I(K_1,\ldots ,K_{\omega +1};K_j \mid X_{j}^{(1)},\ldots ,X_{j}^{(t)}) \nonumber \\ =&H(K_1,\ldots ,K_{\omega +1} \mid X_{j}^{(1)},\ldots ,X_{j}^{(t)}) \nonumber \\&-H(K_1,\ldots ,K_{\omega +1}|K_j,X_{j}^{(1)},\ldots ,X_{j}^{(t)}). \end{aligned}$$

(1)

Now, we have the following inequalities.

$$\begin{aligned}&H(K_1,\ldots ,K_{\omega +1}|X_{j}^{(1)},\ldots ,X_{j}^{(t)}) \nonumber \\&= \sum _{s=1}^{\omega +1}H(K_s|K_1,\ldots ,K_{s-1},X_{j}^{(1)},\ldots ,X_{j}^{(t)}) \nonumber \\&= \sum _{s=1}^{\omega +1}\{I(Y_{s}^{(1)},\ldots ,Y_{s}^{(t)};K_s|K_1,\ldots ,K_{s-1},X_{j}^{(1)},\ldots ,X_{j}^{(t)})\nonumber \\&\qquad +H(K_s|Y_{s}^{(1)},\ldots ,Y_{s}^{(t)},K_1,\ldots ,K_{s-1},X_{j}^{(1)},\ldots ,X_{j}^{(t)})\} \nonumber \\&= \sum _{s=1}^{\omega +1}\{H(Y_{s}^{(1)},\ldots ,Y_{s}^{(t)}|K_1,\ldots ,K_{s-1},X_{j}^{(1)},\ldots ,X_{j}^{(t)}) \nonumber \\&\qquad -H(Y_{s}^{(1)},\ldots ,Y_{s}^{(t)}|K_1,\ldots ,K_{s},X_{j}^{(1)},\ldots ,X_{j}^{(t)})\nonumber \\&\qquad +H(K_s|Y_{s}^{(1)},\ldots ,Y_{s}^{(t)},K_1,\ldots ,K_{s-1},K_j,X_{j}^{(1)},\ldots ,X_{j}^{(t)})\} \nonumber \\&=\sum _{s=1}^{\omega +1}\{H(Y_{s}^{(1)},\ldots ,Y_{s}^{(t)}|K_1,\ldots ,K_{s-1},X_{j}^{(1)},\ldots ,X_{j}^{(t)})\nonumber \\&\qquad +H(K_s|Y_{s}^{(1)},\ldots ,Y_{s}^{(t)},K_1,\ldots ,K_{s-1},K_j,X_{j}^{(1)},\ldots ,X_{j}^{(t)})\} \nonumber \\&=\sum _{r=1}^{t}\sum _{s=1}^{\omega +1}H(Y_{s}^{(r)}|K_1,\ldots ,K_{s-1},X_{j}^{(1)},\ldots ,X_{j}^{(t)},Y_{s}^{(1)},\ldots ,Y_{s}^{(r-1)}) \nonumber \\&\qquad +\sum _{s=1}^{\omega +1}H(K_s|Y_{s}^{(1)},\ldots ,Y_{s}^{(t)},K_1,\ldots ,K_{s-1},K_j,X_{j}^{(1)},\ldots ,X_{j}^{(t)}). \end{aligned}$$

(2)

On the other hand, we get

$$\begin{aligned}&H(K_1,\ldots ,K_{\omega +1}|K_j,X_{j}^{(1)},\ldots ,X_{j}^{(t)}) \nonumber \\&=\sum _{s=1}^{\omega +1}H(K_s|K_j,K_1,\ldots ,K_{s-1},X_{j}^{(1)},\ldots ,X_{j}^{(t)}) \nonumber \\&=\sum _{s=1}^{\omega +1}\{I(Y_{s}^{(1)},\ldots ,Y_{s}^{(t)};K_s|K_1,\ldots ,K_{s-1},K_j,X_{j}^{(1)},\ldots ,X_{j}^{(t)}) \nonumber \\&\qquad +H(K_s|Y_{s}^{(1)},\ldots ,Y_{s}^{(t)},K_1,\ldots ,K_{s-1},K_j,X_{j}^{(1)},\ldots ,X_{j}^{(t)})\} \nonumber \\&=\sum _{s=1}^{\omega +1}\{H(Y_{s}^{(1)},\ldots ,Y_{s}^{(t)}|K_1,\ldots ,K_{s-1},K_j,X_{j}^{(1)},\ldots ,X_{j}^{(t)}) \nonumber \\&\qquad -H(Y_{s}^{(1)},\ldots ,Y_{s}^{(t)}|K_1,\ldots ,K_{s},K_j,X_{j}^{(1)},\ldots ,X_{j}^{(t)})\nonumber \\&\qquad +H(K_s|Y_{s}^{(1)},\ldots ,Y_{s}^{(t)},K_1,\ldots ,K_{s-1},K_j,X_{j}^{(1)},\ldots ,X_{j}^{(t)})\} \nonumber \\&=\sum _{s=1}^{\omega +1}\{H(Y_{s}^{(1)},\ldots ,Y_{s}^{(t)}|K_1,\ldots ,K_{s-1},K_j,X_{j}^{(1)},\ldots ,X_{j}^{(t)})\nonumber \\&\qquad +H(K_s|Y_{s}^{(1)},\ldots ,Y_{s}^{(t)},K_1,\ldots ,K_{s-1},K_j,X_{j}^{(1)},\ldots ,X_{j}^{(t)})\} \nonumber \\&=\sum _{r=1}^{t}\sum _{s=1}^{\omega +1}H(Y_{s}^{(r)}|K_1,\ldots ,K_{s-1},K_j,X_{j}^{(1)},\ldots ,X_{j}^{(t)},Y_{s}^{(1)},\ldots ,Y_{s}^{(r-1)}) \nonumber \\&\qquad +\sum _{s=1}^{\omega +1}H(K_s|Y_{s}^{(1)},\ldots ,Y_{s}^{(t)},K_1,\ldots ,K_{s-1},K_j,X_{j}^{(1)},\ldots ,X_{j}^{(t)}). \end{aligned}$$

(3)

Then, from (1), (2) and (3), we have

$$\begin{aligned} H(K_j)&= H(K_1,\ldots ,K_{\omega +1} \mid X_{j}^{(1)},\ldots ,X_{j}^{(t)})-H(K_1,\ldots ,K_{\omega +1}|K_j,X_{j}^{(1)},\ldots ,X_{j}^{(t)}) \\&= \sum _{r=1}^{t}\sum _{s=1}^{\omega +1}H(Y_{s}^{(r)}|K_1,\ldots ,K_{s-1},X_{j}^{(1)},\ldots ,X_{j}^{(t)},Y_{s}^{(1)},\ldots ,Y_{s}^{(r-1)})\\&+\sum _{s=1}^{\omega +1}H(K_s|Y_{s}^{(1)},\ldots ,Y_{s}^{(t)},K_1,\ldots ,K_{s-1},K_j,X_{j}^{(1)},\ldots ,X_{j}^{(t)})\\&-\sum _{r=1}^{t}\sum _{s=1}^{\omega +1}H(Y_{s}^{(r)}|K_1,\ldots ,K_{s-1},K_j,X_{j}^{(1)},\ldots ,X_{j}^{(t)},Y_{s}^{(1)},\ldots ,Y_{s}^{(r-1)})\\&-\sum _{s=1}^{\omega +1}H(K_s|Y_{s}^{(1)},\ldots ,Y_{s}^{(t)},K_1,\ldots ,K_{s-1},K_j,X_{j}^{(1)},\ldots ,X_{j}^{(t)})\\&= \sum _{r=1}^{t}\sum _{s=1}^{\omega +1}I(Y_{s}^{(r)};K_j|K_1,\ldots ,K_{s-1},X_{j}^{(1)},\ldots ,X_{j}^{(t)},Y_{s}^{(1)},\ldots ,Y_{s}^{(r-1)}) \\&\ge t(\omega +1)\log \epsilon ^{-1}, \end{aligned}$$

where the last inequality follows from Theorem 1.    \(\square \)

B Proof of Theorem 3

For simplicity, we describe the outline of the proof of \(P\le 1/q\). The full proof will appear in the full version of this paper. Without loss of generality, we suppose that \(W=\{U_1,\ldots ,U_{\omega } \}\) and \(U_i,U_j \not \in W\). To succeed in the impersonation attack such that \(U_i\) is a prover and \(U_j\) is a verifier, the adversary \(W\) will generate a fraudulent response \(Y\in \mathbb {F}_q\) for a given challenge \(X\) under the following conditions: the adversary has \(\omega \) secret-keys, and at most \(t-1\) pairs of challenges and responses \(Z(W,U_i,U_j)^{t-1}\). However, the degrees of \(f(x,y,z)\) with respect to variables \(x\), \(y\), and \(z\) is at most \(\omega \), \(\omega \), and \(t-1\), respectively, the adversary cannot guess at least one coefficient of \(f(x,y,z)\) with probability larger than \(1/q\). Therefore, \(W\) cannot guess the response which \(U_j\) will accept with probability more than \(1/q\). Hence, we have \(P \le 1/q\).

Finally, it is straightforward to see that the construction satisfies all the lower bounds in Theorem 2 with equalities.    \(\square \)

C Comparison to Previous Results

We compare our UEA in the two-users setting (i.e., the special case of \(n=2\)) with Kurosawa’s one in [7] in details, and we show that our protocol is regarded as an extension of Kurosawa’s one. In the following discussion, let \(n=2, \omega =0\) and \(t=N+1\) in our model. Then, we can consider similarity and difference between ours and Kurosawa’s one as follows.

Similarity

1. (1)

   Models: The two models are essentially the same except for the differences (3) and (4) below.

2. (2)

   Constructions: Our construction and Kurosawa’s one are the same.

Difference

1. (3)

   Secret-keys in the models: Two users’ secret-keys in our model may be different (i.e., asymmetric), while in [7] they are the same (i.e., symmetric). Thus, our model is more general than the one in [7].

2. (4)

   The way of counting \(M_1\) and \(M_2\) in the protocols: The following difference exists in adversarial models. The adversary is allowed to attack only once after performing \(Z(W,U_i,U_j)\) \(t-1\) times in our security definition, whereas the adversary is allowed to attack \(t\) times after performing \(Z(W,U_i,U_j)\) \(t-1\) times in the security definition in [7].

   In [7], the maximum number of protocol execution is defined by the number up to which each user can execute, and each user needs to count the number of having generated \(M_1\) and \(M_2\). On the other hand, in our model, the maximum number of protocol execution is defined by the number up to which all users can execute, and it is necessary that it counts the total number of having generated \(M_1\) and \(M_2\) in the protocol.

3. (5)

   Security definitions: When \(U_i\) wants to prove his identification to \(U_j\) more than once, the possibility that challenges sent from \(U_j\) to \(U_i\) are the same is considered and evaluated in [7]. On the other hand, we have assumed that challenges sent from \(U_j\) to \(U_i\) are all different (see also Remark 1), since we would like to consider the worst case (i.e., the adversary will take the best strategy).

   Moreover, we have formalized the success probability of Cheat when the adversary obtains best information to succeed in the attack by performing \(Z(W,U_i,U_j)\) \(t-1\) times. On the other hand, in [7] the case is not considered, namely, by gathering \(t-1\) responses for randomly chosen \(t-1\) challenges, the adversary randomly repeats the impersonation attack \(t\) times, and the success probability is defined by that at least one of the attacks is successful. Therefore, from the above aspects, our security definition is stronger than the one in [7].

4. (6)

   Lower bounds. Since our security definition is different from the one in [7], it is natural that our lower bound on the success probability of attacks is different from the one in [7]. Technically, our lower bound on secret-keys has been derived from that of the success probability of attacks, while in [7] his lower bound was derived from the number of responses, and these two proof techniques are different. However, the construction of ours and his (note that constructions are the same) meets both lower bounds with equalities.

From the above discussion, we can consider that our protocol is an extension of Kurosawa’s one [7] for the multi-user setting.

D Proof of Theorem 5

First, we prove the second inequality. From Theorem 4, we have \(H(Y_{i,\alpha }^{(t)})\ge \log \epsilon ^{-1}\). Thus, it follows that \(\log |\mathcal{Y}| \ge \log \epsilon ^{-1}\).

Next, we show the first inequality. Without loss of generality, we suppose that \(V:=\{U_1,\ldots ,U_{\omega +1}\}\) and \(U_i,U_j \notin V\). Let \(K_{[s]}=(K_1\ldots K_{s})\), \(X^{[t]}_{j,1}=(X^{(1)}_{j,1},\ldots ,X^{(t)}_{j,1})\), and \(Y^{[t]}_{i,1}=(Y^{(1)}_{i,1},\ldots ,Y^{(t)}_{i,1})\).

$$\begin{aligned}&H(K_j) \nonumber \\ \ge&I(K_{[\omega +1]};K_j|X_{j,1}^{[t]})\nonumber \\ =&\sum _{s=1}^{\omega +1}I(K_s;K_j|K_{[s-1]},X_{j,1}^{[t]})\nonumber \\ =&\sum _{s=1}^{\omega +1}H(K_j|K_{[s-1]},X_{j,1}^{[t]})-\sum _{s=1}^{\omega +1}H(K_j|K_{[s]},X_{j,1}^{[t]})\nonumber \\ =&\sum _{s=1}^{\omega +1}I(Y_{s,1}^{[t]};K_j|K_{[s-1]},X_{j,1}^{[t]})+\sum _{s=1}^{\omega +1}H(K_j|K_{[s-1]},X_{j,1}^{[t]}Y_{s,1}^{[t]})-\sum _{s=1}^{\omega +1}H(K_j|K_{[s]},X_{j,1}^{[t]})\nonumber \\ \ge&\sum _{s=1}^{\omega +1}\sum _{r=1}^{t}I(Y_{s,1}^{(r)};K_j|K_{[s-1]},X_{j,1}^{[t]},Y_{s1}^{[r-1]})+\sum _{s=1}^{\omega +1}H(K_j|K_{[s-1]},X_{j,1}^{[t]},X_{j,2}^{[t]},Y_{s,1}^{[t]})\nonumber \\&-\sum _{s=1}^{\omega +1}H(K_j|K_{[s]},X_{j,1}^{[t]})\nonumber \\ =&\sum _{s=1}^{\omega +1}\sum _{r=1}^{t}I(Y_{s,1}^{(r)};K_j|K_{[s-1]},X_{j,1}^{[t]},Y_{s,1}^{[r-1]})+\sum _{s=1}^{\omega +1}I(Y_{s,2}^{[t]};K_j|K_{[s-1]},X_{j,1}^{[t]},X_{j,2}^{[t]},Y_{s,1}^{[t]})\nonumber \\&+\sum _{s=1}^{\omega +1}H(K_j|K_{[s-1]},X_{j,1}^{[t]},X_{j,2}^{[t]},Y_{s,1}^{[t]},Y_{s,2}^{[t]})-\sum _{s=1}^{\omega +1}H(K_j|K_{[s]},X_{j,1}^{[t]})\nonumber \\ =&\sum _{s=1}^{\omega +1}\sum _{r=1}^{t}I(Y_{s,1}^{(r)};K_j|K_{[s-1]},X_{j,1}^{[t]},Y_{s,1}^{[r-1]})\nonumber \\&+\sum _{s=1}^{\omega +1}\sum _{r=1}^{t}I(Y_{s,2}^{(r)};K_j|K_{[s-1]},X_{j,1}^{[t]},X_{j,2}^{[t]},Y_{s,1}^{[t]},Y_{s,2}^{[r-1]})\nonumber \\&+\sum _{s=1}^{\omega +1}\{H(K_j|K_{[s-1]},X_{j,1}^{[t]},X_{j,2}^{[t]},Y_{s,1}^{[t]},Y_{s,2}^{[t]})-H(K_j|K_{[s]},X_{j,1}^{[t]})\}\nonumber \\ \ge&\sum _{s=1}^{\omega +1}\sum _{r=1}^{t}I(Y_{s,1}^{(r)};K_j|K_{[s-1]},X_{j,1}^{[t]},Y_{s,1}^{[r-1]})\nonumber \\&+\sum _{s=1}^{\omega +1}\sum _{r=1}^{t}I(Y_{s,2}^{(r)};K_j|K_{[s-1]},X_{j,1}^{[t]},X_{j,2}^{[t]},Y_{s,1}^{[t]},Y_{s,2}^{[r-1]}) \nonumber \\ \ge&2t(\omega +1)\log \epsilon ^{-1}, \end{aligned}$$

(4)

where (4) follows from that \(K_j\) is independent from \((K_{[s]},X_{j,1}^{[t]},X_{j,2}^{[t]},Y_{s,1}^{[t]},Y_{s,2}^{[t]})\) and the last inequality follows from Theorem 4.    \(\square \)

E Proof of Theorem 6

For simplicity, we describe the outline of the proof of \(\max (\Pr (\mathsf{Cheat }_1),\) \(\Pr (\mathsf{Cheat }_2))\le 1/q\). The full proof will appear in the full version of this paper. Without loss of generality, we suppose that \(W = \{U_1,\ldots ,U_\omega \}\) and \(U_i,U_j\notin W\).

1. 1.

   We show \(\Pr (\mathsf{Cheat }_1)\le 1/q\). To succeed in the impersonation attack such that \(U_i\) is a responder and \(U_j\) is an initiator, the adversary \(W\) will generate a fraudulent response \(Y_1\in \mathbb {F}_q\) for a given challenge \(X_1\) under the following conditions: the adversary \(W\) has \(\omega \) secret-keys, and obtains \(Z^\mathsf{Ses }(W,U_i,U_j)^{t-1}\), namely, \(t-1\) pairs of \(M_1\) and \(M_2\). However, the degrees of \(f(x,y,z)\) with respect to variables \(x\), \(y\) and \(z\) is at most \(\omega \), \(\omega \) and \(t-1\), respectively, and \(W\) cannot guess at least one coefficient of \(f(x,y,z)\) with probability larger than \(1/q\).

2. 2.

   We show \(\Pr (\mathsf{Cheat }_2)\le 1/q\). To succeed in the impersonation attack such that \(U_i\) is an initiator and \(U_j\) is a responder, the adversary \(W\) will generate a fraudulent response \(Y_2\in \mathbb {F}_q\) for a given challenge \(X_2\) under the following conditions: the adversary \(W\) has \(\omega \) secret-keys, and obtains \(Z^\mathsf{Int }(W,U_i,U_j)^{t-1}\), namely, \(t-1\) \((M_1,M_2,M_3)\). However, the degree of \(g(x,y,z)\) with respect to variables \(x\), \(y\) and \(z\) is at most \(\omega \), \(\omega \) and \(t-1\), respectively, and \(W\) cannot guess at least one coefficient of \(g(x,y,z)\) with probability larger than \(1/q\).

Therefore, we have \(\max (\Pr (\mathsf{Cheat }_1),\Pr (\mathsf{Cheat }_2))\le 1/q\).

Finally, it is straightforward to see that the construction satisfies all the lower bounds in Theorem 5 with equalities.    \(\square \)