Message Authentication over Noisy Channels

The essence of authentication is the transmission of unique and irreproducible information. In this paper, the authentication becomes a problem of the secure transmission of the secret key over noisy channels. A general analysis and design framework for message authentication is presented based on the results of Wyner’s wiretap channel. Impersonation and substitution attacks are primarily investigated. Information-theoretic lower and upper bounds on the opponent’s success probability are derived, and the lower bound and the upper bound are shown to match. In general, the fundamental limits on message authentication over noisy channels are fully characterized. Analysis results demonstrate that introducing noisy channels is a reliable way to enhance the security of authentication.


Introduction
One of the prominent problems in communication is security, and authentication is the first step to ensure a secure communication. The failure to properly authenticate users will result in serious damage since the opponent can do whatever any valid user can do [1]. Usually, authentication is more important than confidentiality [2], because the threats of active attacks are always more serious than those of the passive ones.
In the studies of conventional authentication, most of the mechanisms [3][4][5] are based on encryption. The transmitter and the receiver communicate according to a previously coordinated encryption agreement with a secret key, where messages are authentic if the receiver can successfully decrypt the transmission. However, these cryptographic security mechanisms need key management to distribute, refresh, and revoke the secret keys. Due to the open-air nature of wireless networks, the key management can be difficult, especially in ad hoc networks [6]. Therefore, this paper considers utilizing the noisy nature of wireless channels to extend the service life of the secret keys.
The authentication model over noiseless channels was developed by Simmons [7]. In the model, the transmitter and the receiver share a secret key $K$, and both of them are assumed to be honest to each other. Meanwhile, an opponent wants to trick the receiver. When the transmitter intends to send a source message $M$ over a public channel, it transmits an encoded message $W = f(K, M)$, where $f(\cdot)$ is an authentication coding function. Upon receiving a message $\hat{W}$, the receiver should determine whether it comes from the legitimate transmitter or the opponent. The receiver uses a decoding function $d(\cdot)$ to obtain an estimate of the source message and the secret key, i.e., $(\hat{M}, \hat{K}) = d(\hat{W})$. If $\hat{K} = K$, the receiver accepts $\hat{M}$; otherwise, the receiver rejects it.
There are two types of attacks considered in [7]. The first one is called an impersonation attack, in which the opponent sends a malicious message $W'$ to the receiver before the legitimate transmitter sends anything. The second one is called a substitution attack, in which after intercepting a message $W$, the opponent modifies it into an erroneous message $W'$ and sends it to the receiver. (Actually, there are two aspects of the substitution attack. Another kind of substitution attack, which is called power-substitution attack, occurs in the transmission from the transmitter to the legitimate receiver. The opponent modifies messages by overpowering the transmitter's signal with its malicious signal [3]. In the following, it will be distinguished in particular when to employ the power-substitution attack.) If the false message $W'$ of the impersonation attack or the substitution attack is deemed as authentic and accepted by the receiver, it is called a successful attack. The success probabilities of the impersonation attack and the substitution attack are denoted by $P_I$ and $P_S$, respectively. The lower bounds on $P_I$ and $P_S$ have been derived in [7], which are respectively shown as $P_I \geq 2^{-I(K;W)}$ and $P_S \geq 2^{-H(K|W)}$, where $I(K;W)$ denotes the mutual information between $K$ and $W$, and $H(K|W)$ denotes the conditional entropy of $K$ given $W$. One can easily figure out a tradeoff between $P_I$ and $P_S$, since $H(K|W) = H(K) - I(K;W)$. Because the attack with higher success probability will be preferentially chosen, the success probability $P_D$ of the opponent is $P_D = \max(P_I, P_S)$. Obviously, the lower bound on $P_D$ is $P_D \geq 2^{-H(K)/2}$. It means that the best defensive strategy is to use half of the key information to protect against the impersonation attack and the other half to protect against the substitution attack.
Similar to Simmons' work, current practices firstly convert a noisy channel into a noiseless one, and then design an authentication code over the noiseless channel. However, according to the results of Wyner's wiretap channel [8], the work in [9] jointly designed the channel coding and the authentication code over noisy channels. In this way, as long as the wiretap channel's perfect secrecy capacity $C_s$ is nonzero, the secret key can be kept hidden from the opponent by using a codebook whose codeword rate is higher than the channel capacity between the source and the opponent. Thus, the substitution attack is prevented due to the fact that the opponent cannot obtain any information about the secret key from its observed messages. Then, all the information of the secret key can be used to protect against the impersonation attack. Regarding the bounds on $P_D$, it has been shown that $2^{-H(K)} \leq P_D \leq 2^{-H(K)} + \alpha e^{-n\beta}$, where $\alpha$ and $\beta$ are positive constants, and $n$ is the codeword length. The upper bound is shown to match the lower bound as $n$ goes to infinity. Compared with the performance of the Simmons' model, [9] brings additional security gain.
However, the work in [9] has several flaws. Firstly, it may incur the power-substitution attack. When the function $f(\cdot)$ is linear, during the transmission, an agent (e.g., Eve) could tamper with the legitimate message by a synchronously transmitted and well-designed malicious signal. Secondly, its lower bound on $P_S$ is given by simply ignoring the intercepted information $Z^n$. Unfortunately, evident security flaws will happen if the coding scheme is not well-designed [10][11][12][13], and then the intercepted information $Z^n$ may provide much information about the secret key. Though it can be proved that there exists a code scheme to attain this lower bound when the codeword length $n$ goes to infinity, it is impracticable because the codeword length is indeed limited. Thirdly, it exposes the secret key because the wiretap channel's secrecy capacity cannot be guaranteed to stay nonzero, e.g., the channels are time-varying or Eve's channel is not easy to obtain. (The works in [14][15][16] provide the calculation and measurement of the probability of a nonzero secrecy capacity $P(C_s > 0)$ for Rayleigh fading channels, etc.)
This paper makes the following contributions. Firstly, we propose an enhanced message authentication scheme. Specifically, we securely transmit an authentication tag $T$ instead of the secret key $K$ in [9]. This authentication tag $T$ encapsulates the information of the secret key $K$ and the source message $M$. Secondly, this scheme can protect against the power-substitution attack. Thirdly, we derive our scheme's information-theoretic lower bounds on $P_I$, $P_S$ and $P_D$, and give the sufficient and necessary conditions for tightness. In addition, we also derive our scheme's information-theoretic upper bound on $P_D$.
The rest of this paper is organized as follows. Section 2 provides various aspects of our authentication scheme in the designated scenario. Section 3 introduces the security analysis of our scheme and the performance comparison with the previous works in detail. Section 4 concludes the paper.
Notation: Throughout this paper, random variables are denoted by upper case letters (e.g., $X$), the realizations of the corresponding random variables are denoted by lower case letters (e.g., $x$), and the corresponding finite alphabets are denoted by calligraphic letters (e.g., $\mathcal{X}$). The $n$-length sequences of the elements $X$ and $x$ are denoted by $X^n$ and $x^n$, respectively.

Scenario
This paper considers the scenario depicted in Figure 1, where three nodes share a wireless medium. Bob is a critical node that has sensitive information, and only Alice has access rights to him. Eve is a potentially malicious attacker who wishes to disrupt the authentication process by causing Bob to accept inauthentic messages. In this context, Bob and Alice agree on a keyed authentication scheme that allows Bob to verify that the messages he receives are intact from Alice. As is shown in Figure 2, Alice and Bob share a secret key $K$. The secret key is assumed only known to both Alice and Bob, and it has been allocated before the communication. In order to authenticate, Alice sends an additional proof, which is called an authentication tag $T$, together with the source message $M$ for Bob's verification. Generally, the tag $T$ is a function of the source message $M$ and the secret key $K$. When a signal $Y^n$ is received, Bob decodes it and determines whether the message is authentic or not. Meanwhile, when Alice sends $X^n$ to Bob, Eve can eavesdrop or intercept an observation $Z^n$. Eve's primary purpose is to have her messages accepted by Bob, so she will try her best to impersonate or substitute Alice's messages. Without loss of generality, we assume that Eve is aware of all details except the secret key of the authentication scheme between Alice and Bob.

Proposed Authentication Scheme
Let $\mathcal{M}$, $\mathcal{K}$ and $\mathcal{T}$ denote the finite alphabets of the source message, the secret key and the authentication tag, respectively. The random variables of the source message $M$ and the secret key $K$ are assumed statistically independent. Alice and Bob share a common secret key $K$ uniformly chosen from $\mathcal{K}$. When Alice intends to send a message $M$ from $\mathcal{M}$ to Bob, she transmits the authentication tag $T$ together with it. The transmitted signal of Alice is denoted by where the function $f(\cdot)$ encapsulates any prospective coding or modulation. For the purpose of covering the secret key, the authentication tag $T$ is a function of the source message $M$ and the secret key $K$, i.e., where a source message $M$ and a secret key $K$ uniquely determine an authentication tag $T$ by the authentication coding function $g(\cdot)$.
The authentication relies on the destination terminal. Upon receiving a signal $Y^n$, which may come from either Alice or Eve, Bob uses a decoding function $d(\cdot)$ to obtain an estimate of the source message and the authentication tag, i.e., $(\hat{M}, \hat{T}) = d(Y^n)$. If it is determined that the observation $Y^n$ demonstrates knowledge of the secret key, i.e., $\hat{T} = g(\hat{M}, K)$, the message $\hat{M}$ is considered authentic and Bob will accept it; otherwise, the message $\hat{M}$ will be rejected.

Channel Model
Firstly, a less noisy wiretap channel [17,18] is introduced to ensure that the wiretap channel's perfect secrecy capacity is positive. A wiretap channel $X \to (Y, Z)$ is less noisy if the main channel is less noisy than the source-wiretapper channel. If a wiretap channel is less noisy, the perfect secrecy capacity is given [17,18] by In this paper, the channels between every two nodes among Alice, Bob and Eve are considered to be noisy, except that the channel between Eve and Bob is noiseless (this assumption of giving Eve an advantage does not incur any loss of generality). In addition, we consider that the Alice-Bob channel $P_{Y|X}$ is less noisy than the Alice-Eve channel $P_{Z|X}$.
As is depicted in Figure 3, a codebook $\mathcal{C}$ is designed to transmit the secret key in a perfectly secure way. In the transmission, if Alice intends to transmit source message $m$ using secret key $k$, she randomly chooses a codeword $x^n(m, t)$ from the $m$th bin of the $t$th subset using a uniform distribution, where $t = g(m, k)$. According to Lemma 1 in the following, the authentication tag can be kept hidden from Eve by channel noise.
Lemma 1. [13,19] Consider a less noisy wiretap channel $X \to (Y, Z)$. For a distribution $p(x)$, generate $2^{n(R_m + R_t + \delta)}$ $x^n$ sequences through $p(x^n) = \prod_{i=1}^{n} p(x_i)$ where $\delta > 0$, and index these sequences as $x^n(m, t)$ according to the codebook $\mathcal{C}$ shown in Figure 3 where $m \in \{1, \dots, 2^{nR_m}\}$ and $t \in \{1, \dots, 2^{nR_t}\}$. The codeword $x^n(m, t)$ is picked from the $m$th bin of the $t$th subset using a uniform distribution. Then, rate $R = R_m + R_t$ can be delivered to the legitimate receiver as long as $R \leq I(X; Y)$, and by setting $R_m = I(X; Z)$, $R_t = I(X; Y) - I(X; Z)$ is an achievable equivocation rate.
Proof. Please refer to [19] for technical details.

Security Performance Analysis
In this section, the impersonation attack and the substitution attack are primarily considered. The performances of protecting against the impersonation attack and the substitution attack are respectively analyzed.
Firstly, for an impersonation attack, the optimal strategy for Eve is to transmit a codeword $x^n(m, t)$ corresponding to the secret key $k$ that has the largest probability of being accepted by Bob. Hence, Eve's success probability of an impersonation attack $P_I$ is From (4), it can be seen that the success probability of the impersonation attack does not relate to the channels $P_{Y|X}$ or $P_{Z|X}$. Therefore, to simplify the analysis, we finish the derivation by recalling the following lower bound on $P_I$ in [7], and we have the following lemma.

Lemma 2. The opponent's success probability of the impersonation attack is lower bounded by
Proof. Please refer to [7] for technical details.
Remark 1. The lower bound $P_I \geq 2^{-I(K;X^n)}$ is the infimum on $P_I$. Due to the fact that That is, the performance of protecting against the impersonation attack relates to the design of the authentication code (i.e., the design of the generation function $g(\cdot)$).
Secondly, for a substitution attack, Eve intercepts an additional observation $z^n = h(x^n)$, where $h(\cdot)$ represents the channel between Alice and Eve. Eve has to replace the intercepted source message $m^*$ with another message $m$ ($m \neq m^*$); otherwise, Eve becomes a relay node. Note that $m^*$ denotes the estimated source message according to the observation $z^n = h(f(m^*, g(m^*, k)))$, and according to Lemma 1 Eve can estimate the source message correctly by setting $R_m = I(X; Z)$, i.e., $p(m^*|z^n) = 1$. The optimal strategy for Eve is to transmit a codeword $x^n(m, t)$ ($m \neq m^*$) corresponding to the secret key $k$ that has the largest probability of being accepted by Bob to replace the intercepted one. Hence, based on the information $z^n$, the success probability of a substitution attack $P_S$ is To simplify the analysis, we have the following theorems.
Theorem 1. The opponent's success probability of the substitution attack is lower bounded by where $X^n$ and $Z^n$ come from two distinct source messages with the same secret key.
Proof. Please refer to Appendix A for technical details.
Theorem 2. The lower bound Proof. Please refer to Appendix B for technical details.
Remark 2. The lower bound $P_S \geq 2^{-I(K;X^n|Z^n)}$ in Theorem 1 is the infimum on $P_S$. The condition $H(K|Z^n) = H(K)$ means that Eve cannot acquire any knowledge about the secret key from her observations. According to Lemma 1, Theorems 1 and 2 show that the performance of protecting against the substitution attack relates to the codebook $\mathcal{C}$ and the function $f(\cdot)$. Furthermore, the lower bound $P_S \geq 2^{-H(K)}$ is achievable due to the same reason in Remark 1.
According to the theorems and lemmas above and [9], we draw the following theorem.
Theorem 3. If $K$ satisfies the uniform distribution, $H(K|X^n) = 0$ and the perfect secrecy capacity $C_s$ of the wiretap channel $X \to (Y, Z)$ is nonzero, then there exist constants $\alpha > 0$ and $\beta > 0$ so that where $n$ is the codeword length that satisfies n > max{ . The sufficient and necessary conditions for $P_D = 2^{-H(K)}$ are that $K$ satisfies the uniform distribution, $H(K|X^n) = 0$ and $H(K|Z^n) = H(K)$.
Proof. Please refer to Appendix C for technical details.
Remark 3. The condition that $H(K|X^n) = 0$ reveals the optimal design of the authentication coding function $g(\cdot)$ (e.g., $g(m, k) = \mathrm{hash}(m) \oplus k$). The condition $H(K|Z^n) = H(K)$ reveals that it should choose an appropriate codebook $\mathcal{C}$ and the function $f(\cdot)$ (e.g., [20][21][22][23][24]) to prevent the information leakage of the secret key.
Remark 4. $P_D \geq 2^{-H(K|Z^n)}$ is the infimum on $P_D$, and $P_D \leq 2^{-H(K)} + \alpha e^{-n\beta}$ is the supremum on $P_D$. When the perfect secrecy capacity $C_s$ of the wiretap channel $X \to (Y, Z)$ is nonzero, there exist a codebook $\mathcal{C}$ and a function $f(\cdot)$ such that $I(K; Z^n) \to 0$ when $n \to \infty$ [12][23][24][25]. At this time, it becomes secrecy from channel resolvability [26], that is, Eve cannot distinguish between the uniform input distribution on sub-$\mathcal{C}$ (i.e., a subset of $\mathcal{C}$) and $\mathcal{C}$ by observing only $Z^n$. Then, the upper bound can be derived. Thus, as $n$ goes to infinity, the upper bound of $P_D$ matches its lower bound, i.e., $P_D = 2^{-H(K)}$.
Remark 5. Theorem 3 shows that the substitution attack can be prevented due to the fact that the secret key is completely hidden from Eve, then all the information about the secret key can be used to protect against the impersonation attack.

Comparisons With Previous Works
Compared with conventional authentication modes over noiseless channels, introducing channel noise to protect the transmission of the secret key brings additional security gain, which has been discussed in [9]. Another merit is that the service life of the secret key can be efficiently extended. In classical authentication schemes, after eavesdropping several transmissions between Alice and Bob, the knowledge of encoded messages enables the information of the secret key to be determined [27]. However, if the information of the secret key is primarily protected by channel noise, its security will not rely on any assumption on the computational power of attackers. Thus, it can efficiently extend the service life of the secret key. Moreover, compared with the work in [9], ours has the following advantages.
(1) Our work can scale the optimal security performance exactly even if the codeword length $n$ is limited. Specifically, this paper considers the intercepted observation $Z^n$, directly derives the infimums on $P_S$ and $P_D$ and gives the sufficient and necessary conditions for tightness. Moreover, these results reveal the optimal design of the authentication scheme (i.e., Remark 3). However, the work in [9] only proves the reachability of the optimal security performance when the codeword length $n$ goes to infinity. Thus, our work is more significant and practicable.
(2) The authentication model in [9] may incur the power-substitution attack, especially in linear code schemes (e.g., superposition coding is encapsulated in $f(\cdot)$ [10]). For example, as is depicted in Figure 3, a codeword could be modified into another one by a synchronously transmitted and well-designed malicious signal. However, in our scheme, since the authentication tag encapsulates the source message and the secret key (i.e., Equation (2)), the power-substitution attack can be effectively limited in the subsets of the source message, and with an additional trick it can be prevented. (Please refer to Appendix D for more technical details.) Instead of designing specific code schemes in $f(\cdot)$, our scheme introduced $g(\cdot)$ (i.e., Equation (2)) to defend against the power-substitution attack. Thus, our scheme can be applied in the existing wireless communication systems with minimal modifications.
(3) Our authentication model degrades to the one in [9] when $T = g(M, K) = K$. Thus, the authentication model in [9] can be seen as a special case of ours. This special case is not the optimal one and is not permitted in our scheme due to the reasons above. In addition, it is obvious that the scheme in [9] exposes the secret key when the wiretap channel's secrecy capacity cannot be guaranteed to be nonzero according to its codebook. However, when the authentication tag leaks to Eve, our

In this expression, the inequality (a) follows from the fact that the maximum must be greater than or equal to the weighted average of a distribution, and $q(m|z^n)$ is the probability of substituting the original source message with $m$ when given the observation $z^n$, especially $q(m|z^n) = 0$ if $m = m^*$; (a) with equality iff $\max_{t \in \mathcal{T}} p(t|m, z^n)$ is constant for all $m \in \mathcal{M} \setminus \{m^*\}$; the inequality (b) comes from Jensen's inequality, and (b) with equality iff $\max_{t \in \mathcal{T}} p(t|m, z^n)$ is constant for all $z^n \in \mathcal{Z}^n \setminus \{z^n : p(z^n) = 0\}$ and $m \in \mathcal{M} \setminus \{m^*\}$; the equality (c) holds due to the fact that $\max_{t \in \mathcal{T}} p(t|m, z^n)$ is constant when $m$ and $z^n$ are given; the inequality (d) follows from the fact that the maximum must be greater than all other individuals of a distribution, and (d) with equality iff $p(t|m, z^n)$ is constant for all $t \in \mathcal{T}$; the equality (e) comes from the fact that where $H(T|z^n, m, K) = 0$, since the source message and the secret key uniquely determine the authentication tag; the equality (f) holds due to the fact that $K \to Z^n \to M$ forms a Markov chain.
In addition, notice that $X^n$ and $Z^n$ come from two distinct source messages with the same secret key $K$. In this way, it is necessary to define a probability distribution on $\mathcal{X}^n \times \mathcal{Z}^n$, with the stipulation that Hence, we have with equality iff $p(t|m, z^n)$ is constant for all $t \in \mathcal{T}$, $z^n \in \mathcal{Z}^n \setminus \{z^n : p(z^n) = 0\}$, and $m \in \mathcal{M} \setminus \{m^*\}$ due to the concentration of the conditions for the equality of (a), (b) and (d) in (10).

B. Proof of Theorem 2
We prove sufficiency followed by necessity.
Sufficiency: According to (7), when $H(K|Z^n) = H(K)$, we have Then, the sufficiency is proved.
Necessity: By recalling Lemma 1, from the intercepted observation $z^n$, the eavesdropping agent Eve can obtain a correct source message estimate $m$ but with a fuzzy authentication tag estimate $t$, i.e., $d(z^n) = (m, t)$. Thus, the equivocation about the authentication tag is , it means that Eve cannot acquire any information about the secret key, that is, it is equivalent to $H(K|Z^n) = H(K)$.
On the other hand, we draw that $I(K; X^n|Z^n)$ is an increasing function as the equivocation of $Z^n$ grows, since where $H(X^n|Z^n)$ increases as $H(T|Z^n)$ grows, and Then, the necessity is proved.

C. Proof of Theorem 3
By recalling the lower bound on $P_I$ in (5), where (g) with equality iff $p(t|m)$ is constant for all $m \in \mathcal{M}$ and $t \in \mathcal{T}$ [7]; the inequality (h) follows from the fact that $H(K|X^n) \geq 0$, and (h) with equality iff Thus, the lower bound $P_I \geq 2^{-H(K)}$ is achievable iff $H(K|X^n) = 0$ and $K$ is uniformly distributed.
Next, according to (7), we have where (i) with equality iff $H(K|X^n) = 0$. Hence, we have the infimum with equality iff $K$ is uniformly distributed and $H(K|X^n) = 0$.
According to Theorem 2, we have that the lower bound We reprise the derivation of the upper bound of $P_S$ from the channel resolvability. Let be the average $L_1$ (i.e., variational) distance between the conditional distribution $p(k|z^n)$ and the prior distribution $q(k)$, where $q(k)$ represents the probability of guessing the secret key Notice that in our work, $k$ is uniformly distributed. Thus, $q(k)$ satisfies the uniform distribution. When If $d_{av}(f)$ can be arbitrarily small by appropriately choosing a codebook $\mathcal{C}$ and function $f(\cdot)$, Eve cannot distinguish the distributions between $p(k|z^n)$ and $q(k)$. That is, Eve cannot acquire any information about $k$ by only observing $z^n$.
Following from the same proof steps as those used in [9], we can get an upper bound where the constants $\alpha > 0$, $\beta > 0$ and the codeword length $n$ satisfies According to (17), we draw that $P_S \leq 2^{-H(K)} + \alpha e^{-n\beta}$ is the supremum on $P_S$. This completes our proof.

D. The Power-substitution Attack
We assume that Alice's messages can be predicted, since authentication does not provide privacy and Eve can intercept Alice's messages to cause message retransmission. Moreover, the linear code scheme (e.g., superposition coding) is an easy and common implementation in practice [10]. Thus, the power-substitution attack is potentially dangerous.
When the code scheme in $f(\cdot)$ is linear, Eve can successfully modify Alice's message $m$ into $m'$ (which also can be authenticated by Bob) with malicious message $\varepsilon$ by the power-substitution attack in [9]'s model. That is, where $\varepsilon = f_1(m') - f_1(m)$. Therefore, to prevent the power-substitution attack, the model in [9] has to construct specific nonlinear code schemes and may need lots of modifications on the existing communication system.
However, in our model the authentication code function $g(\cdot)$ is introduced, and if Eve wants to successfully modify Alice's message $m$ into $m'$ with a malicious message $\varepsilon$, we have Obviously, if $\varepsilon$ is varying with $k$, then the power-substitution attack is prevented.
Since $f_2(\cdot)$ is unknown, it is hard to construct explicit $g(\cdot)$ to prevent the power-substitution attack. Furthermore, whether there exist constructions of $g(\cdot)$ to prevent the power-substitution attack relates to the size of the alphabets $\mathcal{M}$, $\mathcal{T}$, and $\mathcal{K}$.
Take $t = g(m, k) = \mathrm{hash}(m) \oplus k$ (one of the constructions of $g(\cdot)$ according to the conclusion in Remark 3) for example, and assume that $f_2(\cdot)$ represents BPSK modulation (define that BPSK respectively modulates "0" to the symbol "+1" and "1" to the symbol "−1"). We have When $|\mathcal{M}| > |\mathcal{T}|$, there must exist a subset of $\mathcal{M}$ that has the same hash value. Thus, if Alice transmits a message from this subset, Eve can successfully modify it into any other messages in the same subset without any knowledge of the secret key.
However, if $N = \lceil |\mathcal{M}|/|\mathcal{T}| \rceil$ is large, we can prevent the power-substitution attack by other techniques. For example, divide $\mathcal{M}$ into $N$ subsets (i.e., $\mathcal{M} = \mathcal{M}_{s1} \cup \cdots \cup \mathcal{M}_{sN}$), and each subset satisfies that $\forall m' \neq m \in \mathcal{M}_{si}$ $(1 \leq i \leq N)$, $\mathrm{hash}(m') \neq \mathrm{hash}(m)$. Then, one can design a protocol in which only one subset is valid in each transmission.
Furthermore, the example above contributes to the analysis of the relationship between Eve's success probability of the power-substitution attack and the size of the alphabets $\mathcal{M}$, $\mathcal{T}$, and $\mathcal{K}$. We have the following theorem. According to (22), we can draw that when $|\mathcal{M}| = |\mathcal{T}|$ there exists a $g(\cdot)$ (i.e., $t = m \oplus k$, padding zeros on the high-order bits of $k$ when $|\mathcal{K}| < |\mathcal{M}|$) satisfying that $\forall \tilde{m} \neq m \in \mathcal{M}$, $k \in \mathcal{K}$, it has $g(m, k) \neq g(\tilde{m}, k)$. Therefore, with the same $k$ and $t$, there must exist an $m \in \mathcal{M}_s$ that satisfies $t = g(m, k)$.
In conclusion, though the power-substitution attack is inevitable when $|\mathcal{M}| > |\mathcal{T}|$, it is still feasible to introduce $g(\cdot)$ into the existing linear code schemes (e.g., superposition coding) to defend against the power-substitution attack. Together with other techniques, it is an efficient solution.
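The design check implied by this appendix, written out as an added example that is not part of the original paper: for $g(m, k) = \mathrm{hash}(m) \oplus k$ under BPSK it tests whether the additive offset between two codewords depends on the key, and it builds the collision-free subsets of $\mathcal{M}$. The codeword layout (BPSK of $m$ followed by BPSK of $t$), the alphabet sizes and the truncated SHA-256 standing in for hash(m) are assumptions.

```python
import hashlib

MSG_BITS, TAG_BITS = 5, 3            # constructed sizes: |M| = 32 > |T| = |K| = 8
MESSAGES = range(2 ** MSG_BITS)
KEYS = range(2 ** TAG_BITS)


def toy_hash(m):
    """Stand-in for hash(m): SHA-256 truncated to TAG_BITS bits (assumption)."""
    return hashlib.sha256(bytes([m])).digest()[0] % (2 ** TAG_BITS)


def bpsk(value, nbits):
    """BPSK as defined on the page: bit 0 -> +1, bit 1 -> -1 (MSB first)."""
    return [1 - 2 * ((value >> i) & 1) for i in reversed(range(nbits))]


def codeword(m, k):
    """Assumed linear layout: BPSK(m) followed by BPSK(t), t = hash(m) XOR k."""
    return bpsk(m, MSG_BITS) + bpsk(toy_hash(m) ^ k, TAG_BITS)


def offset(m, m_new, k):
    """Symbol-wise difference between codeword(m_new, k) and codeword(m, k)."""
    return tuple(b - a for a, b in zip(codeword(m, k), codeword(m_new, k)))


def offset_is_key_independent(m, m_new):
    """True when the same offset works for every key, i.e. the pair is exposed."""
    return len({offset(m, m_new, k) for k in KEYS}) == 1


def exposed_pairs(messages):
    """All message pairs whose offset does not vary with k."""
    msgs = list(messages)
    return [(a, b) for i, a in enumerate(msgs) for b in msgs[i + 1:]
            if offset_is_key_independent(a, b)]


def collision_free_subsets(messages):
    """Split M so that no two messages in one subset share a hash value.

    The number of subsets equals the largest collision class, which is at
    least ceil(|M|/|T|) and equals it only when the hash is balanced.
    """
    classes = {}
    for m in messages:
        classes.setdefault(toy_hash(m), []).append(m)
    n = max(len(c) for c in classes.values())
    return [[c[i] for c in classes.values() if i < len(c)] for i in range(n)]


if __name__ == "__main__":
    subsets = collision_free_subsets(MESSAGES)
    print("exposed pairs in M:", len(exposed_pairs(MESSAGES)))
    print("subsets:", len(subsets),
          "exposed pairs inside subsets:",
          sum(len(exposed_pairs(s)) for s in subsets))
```

A pair is exposed exactly when its hash values coincide, because XOR with $k$ flips the sign of every tag symbol where the two hashes differ; restricting each transmission to one subset removes all such pairs.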

Figure 1. The scenario of authentication.

Figure 3. The codebook used in our authentication scheme. The codebook is divided into $|\mathcal{T}|$ subsets, each of which is further partitioned into $|\mathcal{M}|$ bins. Each subset corresponds to an authentication tag $t$, and each bin in each subset corresponds to a source message $m$.

Theorem 4. When $|\mathcal{M}| > |\mathcal{T}|$, there exist $m' \neq m \in \mathcal{M}$ and $k \in \mathcal{K}$ satisfying $g(m', k) = g(m, k)$, that is, Eve has nonzero success probability of the power-substitution attack.
Proof. Assume that $|\mathcal{M}| = |\mathcal{T}| + 1$, and $\mathcal{M} = \mathcal{M}_s \cup \{m'\}$. Then, there must exist a $k \in \mathcal{K}$ and a $t \in \mathcal{T}$ satisfying $t = g(m', k)$.