2.2 Secret Key Distillation
2.2.4 Authentication
In symmetric cryptography Bob can be assured of the identity of Alice by virtue of the fact that Alice was able to encrypt her message with the secret key shared between her and Bob, so that the text resulting from Bob’s decryption makes sense. (In practice this implicit check is weak, since many ciphers let an attacker alter the ciphertext in a controlled way; a separate message authentication code is used to make the check explicit.) In asymmetric cryptography, where anyone in possession of Bob’s public key can encrypt a message for Bob, he has no such assurance. Fortunately, using techniques closely related to cryptography, Bob can be given assurance that the message is indeed from Alice. Not surprisingly, authentication techniques come in both symmetric and asymmetric flavours. Asymmetric authentication is the more common and so will be covered first.
The mathematics of asymmetric authentication techniques (also known as digital signing) is well covered in the literature from the RSA paper [85] onwards. It involves Alice ‘signing’ her message with her private key in such a way that Bob, who is in possession of Alice’s public key, can tell that the message was signed by the holder of Alice’s private key. That is, the key pair is linked in such a way that Bob’s knowledge of Alice’s public key is enough to recognise an action taken with her private key. The system is still vulnerable during the exchange of public keys. Eve could intercept the two public keys and replace them with her own; she would then be able to pretend to be Alice to Bob and vice versa. This is called a ‘man-in-the-middle’ attack. Current practice for applications requiring reasonable security (such as internet banking) involves a trusted third party holding Alice’s and Bob’s public keys, which were sent to it on a previous occasion. When Alice wants to talk to Bob securely, each downloads the other’s public key from the trusted third party. They can then be assured of the other’s identity, since both trust the third party to give them the right public key. To breach this system Eve must perform two simultaneous man-in-the-middle attacks, one against each party’s retrieval of the other’s key, or else compromise the third party itself.

Advantage Distillation
  Post-Selection [98] (Sec. 4.3.2)
  Maurer’s N-bit Repeat Code [65] (Sec. 4.3.3)
  Bit-pair Iteration [28]
  Liu et al.’s Advantage Distillation [61] (Sec. 4.3.7)

Information Reconciliation
  Direct Sliced Reconciliation [19] (Sec. 4.3.1)
  Reverse Sliced Reconciliation [37] (Sec. 4.3.1)
  Cascade [13] (Sec. 4.3.4)
  Forward error correction [8] (Sec. 4.3.7)

Privacy Amplification
  Various classes of universal hashing functions [7] (Sec. 4.3.5)
  Calderbank-Shor-Steane (CSS) Codes [99]

Table 2.1: Summary of major SKD protocols and their position in the standard model
The most secure way of conducting asymmetric authentication, however, is to perform the initial exchange of public keys using an already-secure means, in the same way a symmetric key is distributed. Although this method seems to undermine the main advantage of asymmetric cryptography over symmetric, once established many authentications can take place without the need for constant rekeying as in a symmetric circuit. Asymmetric authentication with secure public key exchange permits large, secure public key distribution infrastructures which use far fewer resources than equivalent symmetric infrastructures. The same cautions as for public key cryptography apply: a fast factoring algorithm may be discovered or a quantum computer may be built, rendering the asymmetric techniques that rest on these problems unusable.
A symmetric authentication scheme is based on symmetric keys: if Alice and Bob share knowledge of a pre-distributed symmetric key, then that secret knowledge can form the basis of a digital signature (strictly, a message authentication code, since either holder of the key can produce it). The mathematics, the field of universal hash functions, was introduced by Carter and Wegman in 1979 [18]. Naor and Yung later proposed a digital signature scheme based on one-way universal hash functions, called the “One-Time Signature” (OTS). In a manner similar to Shannon, they provided a mathematical proof for the perfect (information-theoretic) authenticity of an OTS, based as it is on the one-time use of a symmetric key.
Authentication is crucial to the security of asymmetric cryptography, since a standard public key exchange over an insecure channel provides no verifiable information about the identity of the parties exchanging keys. Either symmetric or asymmetric techniques can be used to authenticate an asymmetric system, although asymmetric authentication is the sensible option: there is no point paying the higher resource price for information-theoretic symmetric authentication when the cryptography itself is only computationally secure. And since symmetric cryptography has built-in authentication, it is not immediately obvious why symmetric authentication might be useful today. Considering the promise of section 2.2, however, that information-theoretically secure keys can be distributed by authentic public discussion of common information, the relevance of an information-theoretic authentication system becomes clear. All public discussion during an SKD process must be authenticated or the system becomes vulnerable to a man-in-the-middle attack. The distilled key cannot be considered information-theoretically secure unless the authentication method was also information-theoretically secure. Because such authentication consumes pre-shared secret key with every message it protects, part of each distilled key must be set aside to authenticate the next round of discussion.
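The requirement just stated, that the public discussion be authenticated with information-theoretic security, is usually met with a Wegman-Carter style one-time tag: a universal hash of the message, keyed by pre-shared secret, masked by a further pre-shared value. The Python below is an added example written for this page, not code from the thesis; the polynomial hash over GF(2^61 - 1), the 7-byte block encoding, the helper names and the constructed parity-announcement messages are choices made here for illustration. It runs the honest exchange, shows Bob rejecting a message Eve alters in transit, and shows the failure mode that gives the tag its "one-time" name: a single observed message under a reused key lets Eve forge tags without knowing the key.

```python
# Added example (not from the thesis): a Wegman-Carter style one-time
# authentication tag built from a polynomial universal hash over GF(P),
# used here to authenticate the public discussion of an SKD protocol.
import secrets

P = (1 << 61) - 1   # Mersenne prime 2^61 - 1; all arithmetic is in GF(P)
BLOCK = 7           # 7-byte blocks are < 2^56 < P, so each is one field element


def to_blocks(msg: bytes) -> list:
    """Encode msg as field elements: [byte length, block_1, ..., block_L].

    The leading length block means messages of different lengths never hash
    to the same polynomial, so zero-padding the final block is unambiguous.
    """
    blocks = [len(msg)]
    for i in range(0, len(msg), BLOCK):
        chunk = msg[i:i + BLOCK].ljust(BLOCK, b"\x00")
        blocks.append(int.from_bytes(chunk, "big"))
    return blocks


def poly_hash(a: int, msg: bytes) -> int:
    """h_a(m) = m_0 a^L + m_1 a^(L-1) + ... + m_L mod P, evaluated by Horner.

    Two distinct messages agree on h_a for at most L values of a (a non-zero
    polynomial of degree <= L has at most L roots), so over a uniformly random
    a the collision probability is at most L/P: a universal hash family.
    """
    acc = 0
    for m in to_blocks(msg):
        acc = (acc * a + m) % P
    return acc


def keygen() -> tuple:
    """One-time key (a, b), uniform in GF(P).  In an SKD setting these would
    be taken from pre-shared secret key material and never reused."""
    return secrets.randbelow(P), secrets.randbelow(P)


def tag(key: tuple, msg: bytes) -> int:
    """t = h_a(m) + b mod P.  The uniform b acts as a one-time pad on h_a(m),
    so the tag leaks nothing about a, and Eve's best forgery succeeds with
    probability about L/P regardless of her computing power."""
    a, b = key
    return (poly_hash(a, msg) + b) % P


def verify(key: tuple, msg: bytes, t: int) -> bool:
    """Bob recomputes the tag with the shared key and compares."""
    return tag(key, msg) == t


def authenticated_discussion(messages, tamper_index=None) -> list:
    """Simulate Alice's public-discussion messages (e.g. parity announcements)
    each tagged under a fresh key, with Bob verifying on receipt.  If
    tamper_index is given, Eve flips one bit of that message in transit.
    Returns Bob's accept/reject decision for each message."""
    decisions = []
    for i, msg in enumerate(messages):
        key = keygen()                 # next unused segment of pre-shared key
        t = tag(key, msg)              # Alice computes the tag
        received = msg
        if i == tamper_index:          # Eve, on the public channel
            received = bytes([msg[0] ^ 0x01]) + msg[1:]
        decisions.append(verify(key, received, t))   # Bob checks
    return decisions


def forge_after_reuse(seen_msg: bytes, seen_tag: int, target: bytes) -> int:
    """Why the key must be one-time.  For a message that fits in one block,
    t = len * a + m + b mod P is affine in m, so from a single observed
    (m, t) pair Eve forges the tag of any other one-block message of the
    same length under the same key, without learning a or b."""
    if not 0 < len(seen_msg) <= BLOCK or len(target) != len(seen_msg):
        raise ValueError("demonstration covers equal-length one-block messages")
    m = to_blocks(seen_msg)[1]
    m_target = to_blocks(target)[1]
    return (seen_tag + m_target - m) % P


if __name__ == "__main__":
    # Constructed sample public discussion: parity announcements for three blocks.
    announcements = [b"parity(block 0) = 1", b"parity(block 1) = 0", b"parity(block 2) = 1"]
    print("honest run :", authenticated_discussion(announcements))
    print("Eve tampers:", authenticated_discussion(announcements, tamper_index=1))
    k = keygen()
    t_seen = tag(k, b"bit=0")
    forged = forge_after_reuse(b"bit=0", t_seen, b"bit=1")
    print("forgery under a reused key accepted:", verify(k, b"bit=1", forged))
```

Each tag spends two field elements (about 122 bits) of pre-shared key and gives a forgery bound of roughly L/P for an L-block message, independent of Eve's computing power; that is the resource price the paragraph above refers to, and it is why the distilled key must be partly reinvested in authenticating the next round. Longer public discussions are normally hashed as one message so that the per-message key cost is paid once per round rather than once per parity.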
Distillation-Style Authentication
Some research has been conducted on using the techniques of SKD for authentication as well as for key agreement [60], [66]. Such a scheme would remove the requirement for Alice and Bob to initially share a secret in order to authenticate their public discussion for key agreement. It could be considered the ultimate cryptographic system: information-theoretic security without the need to establish any security infrastructure beyond the communications themselves. In an era when ad-hoc networks are becoming increasingly popular, such a system would be in high demand.
Unfortunately distillation-style authentication relies on Bob having an information advantage over Eve to begin with, and on using that advantage to reveal himself as the legitimate recipient of Alice’s information. These schemes therefore only work when Eve’s channel is noisier than Bob’s, an assumption that is in general unreasonable for information-theoretic security.