122 research outputs found

    Artificial-noise-aided message authentication codes with information-theoretic security


    A Game Theoretic Approach to Cyber Attack Prediction


    Design and Analysis of Information-Theoretically Secure Authentication Codes with Non-Uniformly Random Keys

    The authentication code (A-code) is one of the most fundamental cryptographic protocols in information-theoretic cryptography: it provides information-theoretic integrity or authenticity, i.e., it prevents information from being altered or substituted by an adversary with unbounded computational power. In addition, it has a wide range of applications, such as multiparty computation and quantum key distribution protocols. The traditional A-code theory states that a good A-code is one that meets a lower bound on the size of the secret-key set with equality, i.e., an A-code satisfying |K| = \epsilon^{-2}, where |K| is the cardinality of the set of secret keys and \epsilon is the adversary's success probability. However, good A-codes in this sense require that the secret keys be uniformly distributed. Therefore, if only a non-uniformly random key is available, we cannot realize a good A-code by using it as the secret key. This raises a natural question: what is a good A-code with non-uniformly random keys, and how can such an A-code be designed? To answer these questions, in this paper we analyze A-codes with non-uniformly random keys and show the principle that guides the design of good A-codes of this kind. Specifically, the contributions of this paper are as follows. We first derive a new lower bound on the entropy of the secret keys, described in terms of Rényi entropy. Next, we define a good A-code with non-uniformly random keys as one that meets this bound with equality, and show that it is characterized by the min-entropy (a special case of Rényi entropy). Furthermore, we introduce a classification methodology for A-codes that are realizable from a biased key source. This classification is performed using a mathematical tool, namely a group action on the set of authentication matrices. Through this analysis, we can understand what kinds of A-codes are actually constructable. 
    Finally, we show how to construct good A-codes for 1-bit messages from von Neumann sources. We also show that our construction methodology is superior to the approach of applying von Neumann extractors together with the traditional optimal A-code constructions. Although the case of 1-bit messages may seem restrictive, it is simple, and we believe that the general case will develop from this simple case.

    Artificial-Noise-Aided Message Authentication Codes With Information-Theoretic Security


    Tight Bounds for Unconditional Authentication Protocols in the Manual Channel and Shared Key Models

    We address the message authentication problem in two seemingly different communication models. In the first model, the sender and receiver are connected by an insecure channel and by a low-bandwidth auxiliary channel that enables the sender to "manually" authenticate one short message to the receiver (for example, by typing a short string or comparing two short strings). We consider this model in a setting where no computational assumptions are made, and prove that for any 0 < \epsilon < 1 there exists a \log^* n-round protocol for authenticating n-bit messages, in which only 2 \log(1/\epsilon) + O(1) bits are manually authenticated, and any adversary (even a computationally unbounded one) has probability at most \epsilon of cheating the receiver into accepting a fraudulent message. Moreover, we develop a proof technique showing that our protocol is essentially optimal, by providing a lower bound of 2 \log(1/\epsilon) - O(1) on the required length of the manually authenticated string. The second model we consider is the traditional message authentication model. In this model the sender and the receiver share a short secret key; however, they are connected only by an insecure channel. We apply the proof technique above to obtain a lower bound of 2 \log(1/\epsilon) - 2 on the required Shannon entropy of the shared key. This settles an open question posed by Gemmell and Naor (CRYPTO '93). Finally, we prove that one-way functions are necessary (and sufficient) for the existence of protocols breaking the above lower bounds in the computational setting.

    Security and privacy in RFID systems

    RFID is a leading technology that has been rapidly deployed in several daily-life applications such as payment, access control, ticketing, e-passports, and supply chains. An RFID tag is an electronic label that can be attached to an object or individual in order to identify or track it through radio waves. Security and privacy are two major concerns in several applications, as the tags are required to provide a proof of identity. RFID tags are generally not tamper-resistant against strong adversarial attacks, and they also have limited computational resources. Therefore, the design of a privacy-preserving and cost-effective RFID authentication protocol is a very challenging task for industrial applications. Moreover, RFID systems are also vulnerable to relay attacks (i.e., mafia, terrorist and distance frauds) when they are used for authentication purposes. Distance bounding protocols are designed specifically as a countermeasure against these attacks. These protocols aim to ensure that the tags are within a bounded area by measuring the round-trip delays during a rapid challenge-response exchange of short authentication messages. Several RFID distance bounding protocols have been proposed recently in the literature; however, none of them provides ideal security against terrorist fraud. Besides, the constraints of low resources and inefficient data management motivate the use of cloud computing technology in RFID authentication systems. However, as more and more information on individuals and companies is placed in the cloud, concerns about data safety and privacy rise. Therefore, when integrating cloud services into RFID authentication systems, the privacy of the tag owner against the cloud must also be taken into account. Motivated by this need, this dissertation contributes to the design of algorithms and protocols aimed at dealing with the issues explained above. 
    First of all, we introduce two privacy models for RFID authentication protocols based on Physically Unclonable Functions (PUFs). We propose several authentication protocols in order to demonstrate these models. Moreover, we study distance bounding protocols having bit-wise fast phases and no final signature, and we analyze the optimal security limits of such distance bounding protocols. Furthermore, we propose a novel RFID distance bounding protocol based on PUFs that satisfies the highest security levels. Finally, we provide a new security and privacy model for integrating cloud computing into RFID systems. To demonstrate this model, we also propose two RFID authentication protocols that require different computational resources and provide different privacy levels.