1 Introduction

Instant messaging is gaining extremely-increased popularity as a tool enabling users to communicate with other users either individually or within groups. A variety of available messaging platforms hold an overall user base of more than 1.5 billion active users (e.g., WhatsApp, Signal, Telegram, and many more [Wik]), and recognize user authentication and end-to-end encryption as key ingredients for ensuring secure communication within them.

Extensive efforts are currently put into securing messaging platforms, both commercially (e.g., [PM16, Telb, Wha]) and academically (e.g., [FMB+16, BSJ+17, CCD+17, KBB17]). The vast majority of these efforts, however, have so far focused on securing user-to-user messaging, and substantially less attention has been devoted to securing group messaging. Unfortunately, it recently turned out that whereas the security of user-to-user messaging is gradually reaching a stable ground, the security of group messaging is still quite fragile [CGCG+17, RMS18, Gre18a, Gre18b].

Out-of-band authentication. A key challenge in securing messaging platforms is that of protecting against man-in-the-middle attacks when setting up secure end-to-end channels. Such attacks are enabled by the inability of users to authenticate their incoming messages given the somewhat ad-hoc nature of messaging platforms.Footnote 1 To this end, various messaging platforms enable “out-of-band” authentication, assuming that users have access to an external channel for authenticating short values. These values typically correspond to short hash values that are derived, for example, from the public keys of the users, or more generally from the transcript of any key-exchange protocol that the users execute for setting up a secure end-to-end channel.

For example, in the user-to-user setting, some messaging platforms offer users the ability to compare with each other a value that is displayed by their devices (e.g., Telegram [Tela], WhatsApp [Wha] and Viber [Vib]).Footnote 2 This may rely on the realistic assumption that by recognizing each other’s voice, two users can establish a low-bandwidth authenticated channel: A man-on-the-middle adversary can view, delay or even remove any message sent over this channel, but cannot modify its content in an undetectable manner.

Such an authentication model was initially proposed back in 1984 by Rivest and Shamir [RS84]. They constructed the “Interlock” protocol which enables two users, who recognize each other’s voice, to mutually authenticate their public keys in the absence of a trusted infrastructure.Footnote 3 More recently, motivated by the task of securely pairing wireless devices (e.g., wireless USB or Bluetooth devices), this model was formalized by Vaudenay [Vau05] in the computational setting and extended by Naor et al. [NSS06, NSS08] to the statistical setting (considering computationally-bounded and computationally-unbounded adversaries, respectively).

Given that the out-of-band channel is of low bandwidth, it is of extreme importance to construct out-of-band authentication protocols with an essentially optimal tradeoff between the length of their out-of-band authenticated value and the adversary’s success probability. Vaudenay and Naor et al. provided a complete characterization of this tradeoff, resulting in optimal computationally-secure and statistically-secure protocols.

Out-of-band authentication: The group setting. Motivated by the insufficiently explored security of group messaging, we initiate the study of out-of-band message authentication protocols in the group setting. We extend the user-to-user setting to consider a group of users that consists of a sender (e.g., the group administrator) and multiple receivers (e.g., all other group members): All users communicate over an insecure channel, and we assume that the sender can out-of-band authenticate one short message to all receivers.Footnote 4 As in the user-to-user setting, this can be based, for example, on the assumption that each user can identify the administrator’s voice, and having the administrator record and broadcast a short voice message. As above, we assume that an adversary may read or remove any message sent over the out-of-band channel for some or all receivers, and may delay it for different periods of time for different receivers, but cannot modify it in an undetectable manner.

Equipped with such an authentication protocol, the users of a group can now authenticate their public keys, or more generally, authenticate the transcript of any group key-exchange protocol of their choice. As in the user-to-user setting, given that the out-of-band channel is of low bandwidth, we aim at identifying the optimal tradeoff between the length of the out-of-band authenticated value and the adversary’s success probability, and at constructing protocols that achieve this best-possible tradeoff.

1.1 Our Contributions

Modeling out-of-band authentication in the group setting. In this work we first put forward a realistic framework and strong notions of security for out-of-band message authentication protocols in the group setting. We consider a group of users that consists of a sender (e.g., the group administrator) and k receivers (e.g., all other group members), where for every \(i \in [k]\) the sender would like to authenticate a message \(m_i\) to the ith receiver. We assume that all users are connected via an insecure channel (over which a man-in-the-middle adversary has complete control), and via a low-bandwidth “out-of-band” authenticated channel that enables the sender to authenticate one short message to all receivers. Adversaries may read or remove this message for some or all receivers, and may delay it for different periods of time for different receivers, but cannot modify it in an undetectable manner (we refer the reader to Sect. 3 for a formal description of our communication model and notions of security).

Identifying the optimal tradeoff: Protocols and matching lower bounds. Within our framework we then construct out-of-band authentication protocols with an optimal tradeoff between the length of their out-of-band authenticated value and the adversary’s success probability. We consider both the computational setting where security is guaranteed against computationally-bounded adversaries, and the statistical setting where security is guaranteed against computationally-unbounded adversaries. In each setting we construct an authentication protocol, and then prove a lower bound showing that our protocol achieves essentially the best possible tradeoff between the length of the out-of-band authenticated value and the adversary’s success probability. Our results are briefly summarized in Table 1, and we refer the reader to the following section for a more detailed overview and theorem statements.

Table 1. The length of the out-of-band authenticated value in our protocols and lower bounds. We denote by k the number of receivers (i.e., we consider groups of size \(k+1\)), and by \(\epsilon \) the adversary’s forgery probability. Our computationally-secure protocol relies on the existence of any one-way function (see Theorem 1.1), whereas our statistically-secure protocol and our two lower bounds do not rely on any computational assumptions (see Theorems 1.2, 1.3 and 1.4).
Full size table

Computational vs. statistical security. Our tight bounds reveal a significant gap between the possible length of the out-of-band authenticated value in the computational setting and in the statistical setting: Whereas in the statistical setting we prove a lower bound that depends linearly on the size of the group, the length of the out-of-band authenticated value in our computationally-secure protocol depends very weakly on the size of the group. Moreover, when instantiating its cryptographic building block (a concurrent non-malleable commitment scheme) in the random-oracle model, our approach yields an efficient and practically-relevant protocol (which, alternatively, can also be based on any one-way function in the standard model).Footnote 5

1.2 Overview of Our Contributions

A naive approach to constructing an out-of-band authentication protocol in the group setting is to rely on any such protocol in the user-to-user setting: Given a sender and k receivers, we can invoke a user-to-user protocol between the sender and each of the receivers. Thus, if the length of the out-of-band authenticated value in the underlying user-to-user protocol is \(\ell (\epsilon )\) bits (where \(\epsilon \) is the adversary’s forgery probability), then the length of the out-of-band authenticated value in the resulting group protocol is \(k \cdot \ell (\epsilon /k)\) bits.Footnote 6 Thus, the naive approach yields out-of-band authenticated values whose length is linear in the size of the group, and the key technical challenge underlying our work is understanding whether or not this is the best possible.

Concretely, the user-to-user protocols of Vaudenay [Vau05] and Naor et al. [NSS06] have out-of-band authenticated values of lengths \(\ell (\epsilon ) = \log (1/\epsilon )\) and \(\ell (\epsilon ) = 2\log (1/\epsilon ) + \varTheta (1)\), respectively. Thus, instantiating the naive approach with their protocols yields computationally-secure and statistically-secure protocols where the sender out-of-band authenticates \(k\cdot (\log (1/\epsilon ) + \log k)\) bits and \(2k \cdot (\log (1/\epsilon ) + \log k + \varTheta (1))\) bits, respectively.

Our results show that, unlike in the user-to-user setting, in the group setting computationally-secure and statistically-secure protocols exhibit completely different behaviors. First, we show that for computationally-secure protocols it is possible to do dramatically better compared to the naive approach and completely eliminate the linear dependency on the size of the group. We prove the following two theorems providing an out-of-band authentication protocol and a matching lower bound:

Theorem 1.1

Assuming the existence of any one-way function, for any \(k \ge 1\) there exists a computationally-secure constant-round k-receiver out-of-band message authentication protocol in which the sender out-of-band authenticates \(\log (1/\epsilon ) + \log k\) bits, where \(\epsilon \) is the adversary’s forgery probability.

Theorem 1.2

In any computationally-secure k-receiver out-of-band message authentication protocol, the sender must out-of-band authenticate at least \(\log (1/\epsilon ) + \log k - \varTheta (1)\) bits, where \(\epsilon \) is the adversary’s forgery probability.

Then, we show that for statistically-secure protocols the naive approach is in fact asymptotically optimal, but it can still be substantially improved by a multiplicative constant factor (which is of key importance given that the out-of-band channel is of low bandwidth). We prove the following two theorems, once again providing an out-of-band authentication protocol and a lower bound:

Theorem 1.3

For any \(k \ge 1\) there exists a statistically-secure k-receiver out-of-band message authentication protocol in which the sender out-of-band authenticates \((k + 1) \cdot (\log (1/\epsilon ) + \log k + \varTheta (1))\) bits, where \(\epsilon \) is the adversary’s forgery probability.

Theorem 1.4

In any statistically-secure k-receiver out-of-band message authentication protocol, the sender must out-of-band authenticate at least \((k + 1) \cdot \log (1/\epsilon ) - k\) bits, where \(\epsilon \) is the adversary’s forgery probability.

As discussed above, note that here our upper bound and lower bound differ by an additive \((k+1)\cdot \log k + \varTheta (k)\) term. However, whenever \(\epsilon = o(1/k)\) as one would typically expect when setting a bound on the adversary’s forgery probability, this difference becomes a lower-order term.

In the remainder of this section we overview the main ideas underlying our protocols and lower bounds, first describing our contributions in the computational setting, and then describing our contributions in the statistical setting.

Computational security: Our protocol. Our computationally-secure protocol is inspired by the user-to-user protocol proposed by Vaudenay [Vau05]. In his protocol the sender S first commits to the value \((m, r_S)\), where m is the message to be authenticated, and \(r_S\) is a random \(\ell \)-bit string. The receiver R then replies with a random string \(r_R\), followed by S revealing \(r_S\) and out-of-band authenticating \(r_S \oplus r_R\). Finally, the receiver R accepts m if and only if the out-of-band authenticated value is consistent with his view of the protocol.

When moving to the group setting, however, a man-in-the-middle adversary has many more possible ways to interleave its interactions with the parties, thus providing security becomes a much more intricate task. For instance, a naive attempt to generalize Vaudenay’s protocol to the group setting (while keeping the out-of-band authenticated value short) might naturally rely on the following idea: Have the sender choose a single value \(r_S\) and send each receiver a commitment to \((m_i, r_S)\),Footnote 7 and then have each receiver \(R_i\) reply with a string \(r_{R_i}\) to all other parties.Footnote 8 The out-of-band authenticated value is then \(r_S \oplus r_{R_1} \oplus \ldots \oplus r_{R_k}\), and each receiver \(R_i\) accepts the message \(m_i\) if and only if this value is consistent with his view of the protocol. Alas, this protocol is completely insecure – even when considering just one additional receiver. For example, an adversary can send \(R_1\) a commitment to \((\widehat{m_1}, \widehat{r_S})\) for a message \(\widehat{m_1} \ne m_1\) and an arbitrary \(\widehat{r_S}\). After learning \(r_S\) and \(r_{R_2}\), the adversary can simply send \(R_1\) the value \(\widehat{r_{R_2}} = r_{R_2} \oplus r_S \oplus \widehat{r_S}\) instead of \(r_{R_2}\). Since \(r_S \oplus r_{R_2} = \widehat{r_S} \oplus \widehat{r_{R_2}}\), the attack will go undetected and the receiver \(R_1\) will accept a fraudulent message \(\widehat{m_1}\).

To immune our protocol from attacks as the one described above, the receivers in our protocol must avoid sending their random strings in the clear. Rather, they too send commitments of these strings at the beginning of the protocol. Informally, our protocol proceeds as follows: (1) Each \(R_i\) sends a commitment to a random \(\ell \)-bit string \(r_{R_i}\); (2) S chooses a random string \(r_S\) and sends a commitment to \((m_i, r_S)\) to each \(R_i\); (3) The receivers open their commitments; (4) S opens her commitments; (5) S out-of-band authenticates \(r_S \oplus r_{R_1} \oplus \ldots \oplus r_{R_k}\). One can verify that the additional commitments indeed prevent the aforementioned attack, but there are clearly many additional attacks to consider given that an adversary has many possible ways to interleave its interactions with the parties.

The multitude of commitments in our protocol, and the many possible synchronizations an adversary may impose on them in the group setting, make proving the security of our protocol a challenging task. Nonetheless, we are able to show that when the commitment scheme being used is a concurrent non-malleable commitment scheme (see Sect. 2 for a formal definition), our protocol is indeed secure: Setting \(\ell = \log (1/\epsilon ) + \log k\) guarantees that the adversary’s forgery probability is at most \(\epsilon \).

Technical details omitted, the intuition behind the security of the protocol is the following. An adversary A wishing to cause some \(R_i\) to accept a fraudulent message, essentially has to choose between two options. If A delivers all commitments to S and to \(R_i\) before \(R_i\) reveals \(r_{R_i}\), then \(R_i\) accepting a fraudulent message implies breaking the concurrent non-malleability of the commitment scheme: The 2k commitments delivered to S and to \(R_i\) by the adversary must define values whose exclusive-or is equal to \(r_{R_i} \oplus r_S\). These commitments thus satisfy a “non-trivial” relation which violates the concurrent non-malleability of the commitment scheme. On the other hand, if \(r_{R_i}\) is revealed before all commitments were delivered to S, then \(r_S\) is chosen after all commitments were delivered to S and to \(R_i\). Hence, all other values contributing to the authenticated value sent by S, and to the value \(R_i\) is expecting to see as the out-of-band authenticated value, have already been determined, so the exclusive-or of all relevant values guarantees that the probability of the chosen \(r_S\) to result in equality is \(2^{-\ell }\).

Computational security: Lower bound. Already in the user-to-user setting, at least \(\log (1/\epsilon )\) bits must be out-of-band authenticated, where \(\epsilon \) is the adversary’s forgery probability. This can be proved, for example, by analyzing the collision entropy of the random variable corresponding to the out-of-band authenticated value (see, for example, [PV06]). We show that such an analysis can be extended to the group setting, resulting in a stronger lower bound which depends on the size of the group (and is in fact optimal given our above-described protocol).

Specifically, we show an efficient attack against any k-receiver protocol that succeeds with probability roughly \(k \cdot 2^{-\ell }\), where \(\ell \) is the number of bits the sender authenticates out-of-band. Given such a protocol \(\pi \) involving a sender and k receivers, our attacker runs \(k+1\) independent executions of \(\pi \), one with each party taking part in the protocol. In each execution, the attacker independently chooses k random messages as the input to the sender (the true sender in the execution with the sender, and the simulated one in the executions with each of the receivers), and honestly simulates the roles of all other parties. Now, if the out-of-band authenticated value in the execution with the sender is equal to the out-of-band authenticated value in one of the k executions with the receivers, then the attacker combines these two executions by forwarding the out-of-band authenticated value that is sent by the true sender for replacing the simulated value in the execution with that receiver.

Observe that the probability of a successful forgery is roughly the probability that the out-of-band authenticated value in the execution with the sender is indeed equal to the out-of-band authenticated value in one of the k executions with the receivers.Footnote 9 Hence, in order to analyze the effectiveness of this attack, it is sufficient to bound the probability of this event. We manage to provide a \(\varTheta (k\cdot 2^{-\ell })\) lower bound on the probability of this event, which yields Theorem 1.2.

Statistical security: Our protocol. The starting point of our statistically-secure protocol is the iterative hashing protocol of Naor et al.  [NSS06]. Loosely speaking, in their protocol the parties maintain a joint sequence of values of decreasing length, starting with the input message of the sender and ending up with the out-of-band authenticated value. In each round, the parties apply to the current value a hash function that is cooperatively chosen by both parties: Half of the randomness for choosing the function is determined by the sender, and the other half by the receiver.

As noted above, when moving to the group setting, a naive generalization of the Naor et al.  protocol in which the sender executes the user-to-user protocol with each receiver independently, will result in a blow-up of factor k in the length of the out-of-band authenticated value. However, we show that it is possible to exploit the specific structure of the Naor et al.  protocol, and in particular of the out-of-band authenticated value, in order to cut its length in the group setting roughly by half (compared to the naive generalization). The main observation underlying our approach is that the k executions of the user-to-user protocol need not be completely independent. More concretely, we show that if in the last round (before sending the out-of-band authenticated value), the sender contributes the same randomness for all k hash functions, then all k executions are “tied together” in a way that permits a significant reduction in the number of bits that are authenticated out-of-band. Security is now of course not trivially guaranteed, as this change introduces heavy dependencies between the executions. We nevertheless manage to prove, carefully adjusting the structure of our protocol, that the resulting protocol provides an essentially optimal tradeoff between the length of the out-of-band authenticated value and its security.

Statistical security: Lower bound. We prove our lower bound in the statistical security setting by providing a lower bound on the Shanon entropy of the random variable corresponding to the out-of-band authenticated value in any out-of-band authentication protocol. Intuitively speaking, at the beginning of any such protocol, the out-of-band authenticated value is completely undetermined, while at the end of the execution it is fully determined. We show that if the forgery probability is to be bounded by \(\epsilon \), this decline in entropy must adhere to a specific structure: Each party must decrease the entropy of the out-of-band authenticated value – via the messages it sends during the execution of the protocol – by at least \(\log (1/\epsilon ) - 1\) bits on average. It follows that \(\mathrm {H}(\varSigma ) \ge (k+1) \cdot \log (1/\epsilon ) -k\), where \(\varSigma \) is the afore-defined random variable and k is the number of receivers.

We formalize and prove this intuition by presenting a collection of \(k+ 1\) attacks against any k-receiver out-of-band authentication protocol, one per each participating party. Loosely speaking, the attack corresponding to party P (where P may be the sender or any of the receivers) consists of running two executions of the protocol. First, our adversary plays the role of P in an honest execution of the protocol with all other parties, and obtains the out-of-band authenticated value \(\sigma \) to be sent at the end of this execution. Then, the adversary runs an execution of the protocol with P, playing the role of all other parties, while choosing their messages throughout the protocol not only conditioned on their views, but also conditioned on the out-of-band authenticated value being \(\sigma \). We show in our analysis that if we denote by \(\epsilon _{P}\) the success probability of the attack corresponding to party P, then it holds that \(\prod _{P} \epsilon _{P} \ge 2^{-\mathrm {H}(\varSigma )-k}\). Hence, if the probability of a successful forgery in any attack (and in particular in our \(k+1\) attacks) is at most \(\epsilon \), then it holds that

$$\begin{aligned} 2^{-\mathrm {H}(\varSigma ) - k} \le \prod _{P} \epsilon _{P} \le \epsilon ^{k+1}, \end{aligned}$$

and our lower bound follows. Our proof technique is inspired by the lower bound of Naor et al. [NSS06] for statistically-secure user-to-user out-of-band authentication protocols. In the group setting, however, there are many more “independent” attacks to consider, adding to the intricacy of the proof.

1.3 Paper Organization

The remainder of this paper is organized as follows. In Sect. 2 we review the basic notions and tools that are used in this paper. In Sect. 3 we put forward our framework for out-of-band message authentication protocols in the group setting, formally discussing our communication models and notions of security. Then, in Sects. 4 and 5 we present our protocols and prove our corresponding lower bounds in the computational and statistical settings, respectively.

2 Preliminaries

In this section we present the notation and basic definitions that are used in this work. For a distribution X we denote by \(x \leftarrow X\) the process of sampling a value x from the distribution X. Similarly, for a set \(\mathcal {X}\) we denote by \(x \leftarrow \mathcal {X}\) the process of sampling a value x from the uniform distribution over \(\mathcal {X}\). For an integer \(n \in \mathbb {N}\) we denote by [n] the set \(\{1,\ldots , n\}\). A function \(\nu : \mathbb {N} \rightarrow \mathbb {R}^+\) is negligible if for any polynomial \(p(\cdot )\) there exists an integer N such that for all \(n > N\) it holds that \(\nu (n) \le 1/p(n)\).

Shannon entropy and mutual information. For random variables X, Y and Z we rely the following standard notions:

  • The entropy of X is defined as \(\mathrm {H}(X) = - \sum _x \Pr \! \left[ {X = x} \right] \cdot \log \Pr \! \left[ {X = x} \right] \).

  • The conditional entropy of X given Y is defined as \(\mathrm {H}(X | Y) = \sum _y \Pr \! \left[ {Y = y} \right] \cdot \mathrm {H}(X | Y = y)\).

  • The mutual information of X and Y is defined as \( \mathrm {I}(X ; Y) = \mathrm {H}(X) - \mathrm {H}(X | Y)\).

  • The mutual information of X and Y given Z is defined as \(\mathrm {I}(X ; Y | Z) = \mathrm {H}(X | Z) - \mathrm {H}(X | Z, Y)\).

Non-malleable commitment schemes. In this paper we rely on the notion of statistically-binding concurrent non-malleable commitments (for basic definitions and background on commitment schemes, we refer the reader to [Gol01]). We follow the indistinguishability-based definition of Lin and Pass [LP11], though we find it convenient to consider non-malleability with respect to content, other than with respect to identities. For simplicity, the definition below only addresses the one-many setting (which is equivalent to the general many-many setting [PR05]), as this is enough for our needs. Lin and Pass [LP11] and Goyal [Goy11] have shown that constant-round concurrent non-malleable commitment schemes can be constructed from any one-way function (the round complexity was further improved by Ciampi et al. [COS+17] to just 4 rounds). From a more practical perspective, such schemes can be constructed efficiently in the random-oracle model [BR93]. For further information regarding non-malleable and concurrent non-malleable commitment schemes see, for example, [DDN00, CIO98, FF00, CF01, PR05, PR08, LPV08] and the references therein.

Intuitively speaking, a (one-many) concurrent non-malleable commitment scheme has the following guarantee: Any efficient adversary cannot use a commitment to some value v in order to produce commitments to values \(\widehat{v_1},\ldots , \widehat{v_k}\) that are “non-trivially” related to v. More formally, Let \(\mathsf {Com} = (C, R)\) be a statistically-binding commitment scheme, and let \(k = k(\cdot )\) be a function of the security parameter \(\lambda \in \mathbb {N}\), bounded by some polynomial. Consider an efficient adversary A that gets an auxiliary input \(z \in \{0,1\}^*\) (in addition to the security parameter) and participates in the following “man-in-the-middle” experiment. A takes part in a single “left” interaction and in k “right” interactions: In the left interaction, A interacts with the committer C, and receives a commitment to a value v. Denote the resulting commitment (transcript of the interaction) by c. In the right interactions, A interacts with the receiver R, resulting in k commitments \(\widehat{c_1},\ldots , \widehat{c_k}\). We define k related values \(\widehat{v_1},\ldots ,\widehat{v_k}\) in the following manner. For every \(i \in [k]\), if \(\widehat{c_i} = c\), if \(\widehat{c_i}\) is not a valid commitment, or if \(\widehat{c_i}\) can be opened to more than one value, we let \(\widehat{v_i} = \bot \) (note that by the statistical binding property of \(\mathsf {Com}\), the latter case only happens with negligible probability). Otherwise, \(\widehat{v_i}\) is the unique value to which \(\widehat{c_i}\) may be opened. Let \(\mathsf {mim}_{\mathsf {Com}}^A(v,z)\) denote the random variable that includes the values \(\widehat{v_1}, \ldots , \widehat{v_k}\) and A’s view at the end of the afore-described experiment.

Definition 2.1

Let A and D be a pair of algorithms. We define the advantage of (AD) with respect to security parameter \(\lambda \in \mathbb {N}\) as

We say that a statistically-binding commitment scheme is concurrent non-malleable if for any pair of probabilistic polynomial-time algorithms (AD) there exists a negligible function \(\nu = \nu (\cdot )\) such that \(\mathsf {Adv}_{\mathsf {Com}}^{A,D}(\lambda ) \le \nu (\lambda )\) for all sufficiently large \(\lambda \in \mathbb {N}\).

3 The Communication Model and Notions of Security

We consider the message authentication problem in a setting involving a group of \(k+1\) users: A sender S and k receivers \(R_1,\ldots , R_k\). For each \(i \in [k]\) the sender would like to authenticate a message \(m_i\) to the ith receiver \(R_i\). We assume that the users communicate over two channels: An insecure channel over which a man-in-the-middle adversary has complete control, and a low-bandwidth “out-of-band” authenticated channel, enabling the sender to authenticate one short message to all receivers. In what follows we formally specify the underlying communication model as well as the notions of security that we consider in this work (generalizing those of Vaudenay [Vau05] and Naor et al. [NSS06] to the group setting).

3.1 Communication Model

Our starting point is the framework of Vaudenay [Vau05] and Naor et al. [NSS06] which considers a sender who wishes to authenticate a single message to a single receiver using out-of-band authentication. They modeled this interaction by providing the sender and the receiver with two types of channels: A bidirectional insecure channel that is completely vulnerable to man-in-the middle attacks, and an authenticated unidirectional low-bandwidth channel from the sender to the receiver (an “out-of-band” channel).

We extend this model to the group setting in the following manner. Similarly to the framework of Vaudenay and Naor et al. we assume that the parties are connected via two types of communication channels: An insecure channel and an authenticated low-bandwidth channel. As for the authenticated channel, we assume that the sender S is equipped with an out-of-band channel, through which S may send a short message visible to all receivers in an authenticated manner (e.g., a voice message in group messaging). The adversary may read or remove this message for some or all receivers, and may delay it for different periods of time for different receivers, but cannot modify it in an undetectable manner. One may also consider a scenario where S, as well as the receivers, may send multiple messages over the out-of-band authenticated channel throughout the protocol. However, this is less desirable from a practical standpoint, and in any case, will not be necessary in our protocols. Furthermore, our lower bounds readily capture this more general case as well, providing a lower bound on the total number of bits sent over the authenticated channel throughout the protocol.

As mentioned above, we also assume that the parties are connected among themselves in a network of insecure channels. These channels are vulnerable to man-in-the-middle attacks, and the adversary is assumed to have complete control over them: The adversary can read, delay and stop messages sent by the parties, as well as insert new messages at any point in time. In particular, this provides the adversary with considerable control over the synchronization of the protocol’s execution. Nonetheless, the execution is still guaranteed to be “marginally synchronized”: Each party sends her messages in the ith round of the protocol only upon receiving all due messages of round \(i-1\).

One may consider various possible networks to define the topology of the insecure channels. Two extremes of that spectrum are the following:

  • The star network model: In this model each receiver \(R_i\) is connected to the sender S via a bidirectional insecure channel. In particular, the receivers cannot send messages directly to each other, and any communication among them must pass through the sender S.

  • The complete network model: In this model every pair of parties (sender and receiver as well as two receivers) is connected through an insecure channel.

In that respect, our results – both in the computational setting and in the statistical setting – will be of the strongest form possible. Our protocols will be articulated, and their correctness and security proven, in the restrictive “star” network model, which in particular means that they can be implemented in models richer in channels, and namely in the complete network model (in that case, some communication efficiency optimizations are possible). Our lower bounds on the other hand, will assume complete communication networks, and will hence apply to weaker network models as well.

3.2 Notions of Security

In what follows we define the security and correctness requirements of out-of-band authentication protocols, essentially extending those of Vaudenay [Vau05] and Naor et al. [NSS06] to the group setting in an intuitive manner. In such protocols, the input to the sender S is a vector of message \(m_1, \ldots , m_k\) which may be chosen by the adversary. At the end of the execution, each receiver \(R_i\) outputs either a message \(\widehat{m_i}\) or the unique symbol \(\bot \), implying rejection. Informally, correctness states that in an honest execution, with high probability all receivers output the correct message; i.e., \(\widehat{m_i} = m_i\) for every \(i \in [k]\). As for security, we demand that an adversary (which is efficient in the computational setting and unbounded in the statistical setting) cannot convince a receiver to output an incorrect message; i.e., the probability that \(\widehat{m_i} \not \in \{m_i, \bot \}\) is bounded by a pre-specified parameter.

For the sake of generality, Definitions 3.1 and 3.2 below are articulated without specific reference to an underlying communication model, and may be applied to any of the group communication models discussed above. We begin with a formal definition of out-of-band authentication in the statistical setting.

Definition 3.1

A statistically-secure out-of-band \((n, \ell , k, r, \epsilon )\)-authentication protocol is a \((k+1)\)-party r-round protocol in which the sender S is invoked on a k-tuple of n-bit messages, and sends at most \(\ell \) bits over the authenticated out-of-band channel. The following requirements must hold:

  • Correctness: In an honest execution of the protocol, for all input messages \(m_1,\ldots ,m_k \in \{0,1\}^{n}\) to S and for every \(i \in [k]\), receiver \(R_i\) outputs \(m_i\) with probability 1.

  • Unforgeability: For any adversary and for every adversarially-chosen input messages \(m_1,\ldots , m_k\) on which S is invoked, the probability that there exists some \(i \in [k]\) for which receiver \(R_i\) outputs some message \(\widehat{m_i} \not \in \{m_i, \bot \}\) is at most \(\epsilon \).

A computationally-secure out-of-band authentication protocol is defined similarly, except that security need only hold against efficient adversaries, and the probability of forgery is also allowed to additively grow (with respect to the statistical setting) by a negligible function of the security parameter \(\lambda \in \mathbb {N}\).

Definition 3.2

Let \(n = n(\lambda ), \ell = \ell (\lambda ), k = k(\lambda ), r = r(\lambda )\) and \(\epsilon = \epsilon (\lambda )\) be functions of the security parameter \(\lambda \in \mathbb {N}\). A computationally-secure out-of-band \((n, \ell , k, r, \epsilon )\)-authentication protocol is a \((k+1)\)-party r-round protocol in which the sender S is invoked on a k-tuple of n-bit messages, and sends at most \(\ell \) bits over the authenticated out-of-band channel. The following requirements must hold:

  • Correctness: In an honest execution of the protocol, for all input messages \(m_1,\ldots ,m_k \in \{0,1\}^{n}\) to S and for every \(i \in [k]\), receiver \(R_i\) outputs \(m_i\) with probability 1.

  • Unforgeability: For any probabilistic polynomial-time adversary there exists a negligible function \(\nu = \nu (\cdot )\) such that the following holds: For every input messages \(m_1,\ldots ,m_k\) chosen by the adversary and on which S is invoked, the probability that there exists some \(i \in [k]\) for which receiver \(R_i\) outputs some message \(\widehat{m_i} \not \in \{m_i, \bot \}\) is at most \(\epsilon + \nu (\lambda )\) for all sufficiently large \(\lambda \in \mathbb {N}\).

4 The Computational Setting

In this section we prove tight bounds for computationally-secure out-of-band authentication in the group setting. In Sect. 4.1 we present our computationally-secure protocol and discuss its possible instantiations (both in the standard model and in the random-oracle model). The security proof of our protocol is provided in the full version of the paper [RS18]. In Sect. 4.2 we prove a matching lower bound on the length of the out-of-band authenticated value in any computationally-secure protocol.

4.1 Our Protocol and Its Instantiations

Let \(\mathsf {Com} = (C_{\mathsf {Com}}, R_{\mathsf {Com}})\) be a concurrent non-malleable commitment scheme that is statistically binding (see Sect. 2 and Definition 2.1). Our protocol, denoted \(\pi _{\mathsf {Comp}}\), is parameterized by the security parameter \(\lambda \in \mathbb {N}\), by the number \(k = k(\lambda )\) of receivers, by the length \(\ell = \ell (\lambda )\) of the out-of-band authenticated value, and by the length \(n = n(\lambda )\) of the messages that the user would like to authenticate. The protocol is defined as follows:

  1. 1.

    For every \(i \in [k]\) the receiver \(R_i\) chooses a random \(\ell \)-bit string \(r_i \leftarrow \{0,1\}^{\ell }\), and commits to it to the sender S using \(\mathsf {Com}\). For every \(i\in [k]\) denote the resulting commitment according to the view of \(R_i\) by \(c_i\), and denote the commitments received by S by \(\widehat{c_i}\).Footnote 10

  2. 2.

    The sender S chooses a random string \(r_s \leftarrow \{0,1\}^{\ell }\), and executes k (possibly parallel) executions of \(\mathsf {Com}\) to commit to the message \((m_i, r_s)\) to the receiver \(R_i\) for every \(i \in [k]\). Denote the resulting commitments, as seen by the sender S by \(c_s^i\), and denote the commitment received by \(R_i\) by \(\widehat{c_s^i}\).

    For every \(i\in [k]\) the sender S also explicitly appends the following information to the first message it sends \(R_i\) as part of the commitment: (1) The message \(m_i\), and (2) the (possibly tampered with) commitments \(\left( \widehat{c_j} \right) _{j \in [k] \setminus \{i\}}\) received from the other receivers in Step 1 of the protocol. We let \(\widehat{m_i}\) and \((\widehat{c_{j \rightarrow i}})_{j \in [k] \setminus \{i\}}\) denote the message and the forwarded commitments as received by \(R_i\).

  3. 3.

    For every \(i \in [k]\) the receiver \(R_i\) sends a decommitment \(d_i\) of her commitment from Step 1 of the protocol to reveal \(r_i\) to the sender S. Let \(\widehat{d_i}\) denote the decommitment received by S from \(R_i\). For every \(i \in [k]\) the sender S then checks whether \(\widehat{d_i}\) is a valid decommitment to \(\widehat{c_i}\). If so, let \(\widehat{r_i}\) denote the committed value. Otherwise, S sends \(\bot \) over the authenticated channel, in which case all receivers output \(\bot \).

  4. 4.

    For every \(i\in [k]\), the sender S sends receiver \(R_i\) a decommitment \(d_s^i\) to the corresponding commitment from Step 2 of the protocol, and reveals \(r_s\) to \(R_i\). Denote by \(\widehat{d_s^i}\) the decommitment received by \(R_i\). For every \(i \in [k]\) the receiver \(R_i\) checks if \(\widehat{d_s^i}\) is a valid decommitment to \(\widehat{c_s^i}\). If it is, denote the committed value by \((\widehat{m_i'}, \widehat{r_s^i})\). If it is not a valid decommitment or if \(\widehat{m_i'} \ne \widehat{m_i}\) (where \(\widehat{m_i}\) was received in Step 2), then \(R_i\) outputs \(\bot \) and terminates.

    For every \(i \in [k]\) the sender S also sends \(R_i\) the (possibly tampered with) decommitments \((\widehat{d_j})_{j\in [k]\setminus \{i\}}\) she received in Step 3. We let \((\widehat{d_{j\rightarrow i}})_{j\in [k]\setminus \{i\}}\) denote the decommitments received by \(R_i\). If for some \(j \in [k]\setminus \{i\}\) it holds that \(\widehat{d_{j\rightarrow i}}\) is not a valid decommitment to \(\widehat{c_{j \rightarrow i}}\) received by \(R_i\) is Step 2, then \(R_i\) outputs \(\bot \) and terminates. Otherwise, denote by \((\widehat{r_{j\rightarrow i}})_{j\in [k]\setminus \{i\}}\) the values obtained by opening the commitments.

  5. 5.

    S computes \(\sigma = r_s \oplus \widehat{r_1} \oplus \ldots \oplus \widehat{r_k}\) and sends \(\sigma \) over the authenticated out-of-band channel. Every receiver \(R_i\) computes \(\widehat{\sigma _i} = \widehat{r_s^i} \oplus \widehat{r_{1 \rightarrow i}} \oplus \ldots \oplus \widehat{r_{i-1 \rightarrow i}} \oplus r_i \oplus \widehat{r_{i+1\rightarrow i}} \oplus \ldots \widehat{r_{k \rightarrow i}}\), and then outputs \(\widehat{m_i}\) (received in Step 2) if \(\widehat{\sigma _i} = \sigma \) and outputs \(\bot \) otherwise.

Theorem 4.1 (when combined with the existence of a constant-round concurrent non-malleable statistically-binding commitment scheme based on any one-way function – see Sect. 2) implies Theorem 1.1 as an immediate corollary:

Theorem 4.1

Let \(k = k(\cdot ), \ell = \ell (\cdot ), r = r(\cdot )\) and \(n = n(\cdot )\) be functions of the security parameter \(\lambda \in \mathbb {N}\) and let \(\mathsf {Com}\) be an r-round concurrent non-malleable commitment scheme. Then, protocol \(\pi _{\mathsf {Comp}}\) is a computationally-secure out-of-band \((n, \ell , k, O(r), k\cdot 2^{-\ell })\)-authentication protocol.

The correctness and round complexity of \(\pi _{\mathsf {Comp}}\) are straightforward. The unforgeability of the protocol (according to the parameters of Theorem 4.1) is proven in the full version of this paper [RS18].

Possible instantiations. Our protocol \(\pi _\mathsf {Comp}\) can be instantiated with \(\mathsf {Com}\) being any concurrent non-malleable statistically-biding commitment scheme. From a theoretical point of view, Lin and Pass [LP11] and Goyal [Goy11] gave constant-round constructions of such schemes from any one-way function (and the round complexity was further improved by [COS+17]). Hence, our protocol can also be instantiated as a constant-round protocol, assuming only the existence of one-way functions. This assumption is minimal and necessary, since Naor et al. [NSS06] showed that even in the user-to-user setting, any computationally-secure out-of-band authentication protocol for which \(\ell < 2\log {1/\epsilon } - \varTheta (1)\) implies the existence of one-way functions.

From a more practical standpoint, a non-interactive concurrent non-malleable statistically-biding commitment scheme can be very efficiently constructed in the random oracle model [BR93]. Thus, instantiating \(\pi _{\mathsf {Comp}}\) with a cryptographic hash function (e.g., SHA-2) as the random oracle yields a highly efficient protocol. Given a random oracle H, in order to commit to a value v, one simply has to send \(c = H(v, r)\) for a sufficiently long random string r. Decommitment is done by revealing v and r, and the receiver asserts that \(c = H(v, r)\). Consider a pair of poly-query algorithms (AD), where A is the man-in-the-middle adversary and D is the distinguisher (see Definition 2.1). Informally speaking, assume H is sufficiently length-increasing (say, length-doubling) so that it is difficult to find an element y in its image without querying H on a pre-image of y. So the algorithm A, that receives \(c = H(v,r)\) and produces \(c_1 = H(v_1, r_1), \ldots , c_k = H(v_k, r_k)\), knows \(v_1, \ldots , v_k\) with overwhelming probability. Hence, it can distinguish between the case that \(c = H(v,r)\), and the case that \(c = H(v', r')\) where the value \(v'\) – when taken together with \(v_1, \ldots , v_k\) and the view of A – does not satisfy the polynomial time relation defined by the distinguisher D. By a standard argument, this is hard for any adversary making a polynomial number of queries to the random oracle.

Non-malleable commitment schemes also exist in the common reference string (CRS) model (see, for example, [CIO98, CKO+01, FF00, CF01, DG03]). However, assuming a trusted CRS may be somewhat incompatible with the ad-hoc nature of instant messaging platforms and applications.

4.2 Lower Bound

In this section, we prove a lower bound on the length of out-of-band authenticated value in any out-of-band authentication protocol, as a function of the desired security level \(\epsilon \) and of the number of receivers k. Our bound shows that the length of the out-of-band authenticated value in our protocol \(\pi _{\mathsf {Comp}}\) of Sect. 4.1 is optimal (up to an additive constant). The lower bound is stated by the following Theorem, which yields Theorem 1.2.

Theorem 4.2

For any computationally-secure \((n, \ell , k, r, \epsilon )\)-authentication protocol where \(n \ge \log (1/\epsilon ) + \log k + 3\) and \(\epsilon < 1/6\), it holds that \(\ell \ge \log {1/\epsilon }+ \log k - 3\).

Proof

Let \(\pi = (S, R_1, \ldots , R_k)\) be a k-receiver out-of-band authentication protocol for messages of length n in the complete network communication model. We present an efficient adversary A that succeeds in fooling at least one of the reveivers with probability at least \(k \cdot 2^{-\ell -3}\), and the theorem follows (for an intuitive overview of the attack and analysis, see Sect. 1.2).

On input \(1^\lambda \), A runs the following steps:

  1. 1.

    A samples k input messages \((m_1, \ldots , m_k) \leftarrow \{0,1\}^{m \times k}\) as the input to the sender S, and runs an execution with S in which A plays the role of all receivers. Denote by \(\sigma \in \{0,1\}^\ell \) the value that S sends over the authenticated channel at the end of this execution.

  2. 2.

    For every \(i \in [k]\), A samples k input messages \((\widehat{m_1^i}, \ldots , \widehat{m_k^i}) \leftarrow \{0,1\}^{m \times k}\) uniformly at random (independently from the messages sampled in the other executions), and runs an execution of \(\pi \) with \(R_i\) in which A plays the role of the sender (with input \((\widehat{m_1^i}, \ldots , \widehat{m_k^i})\)) and all other receivers. For every \(i \in [k]\) denote the out-of-band authenticated value the (simulated) sender sends in the end of the execution with the true receiver \(R_i\) by \(\widehat{\sigma _i}\).

We first wish to lower bound the probability that there exists some receiver \(R_i\) that outputs \(\widehat{m_i^i}\). By the correctness of \(\pi \), this is at least the probability that \(\widehat{\sigma _i} = \sigma \). Thus, for every \(i \in [k]\), it holds that

$$\begin{aligned} \Pr \left[ R_i \text { outputs } \widehat{m_i^i} \right] \ge \Pr \left[ \widehat{\sigma _i} = \sigma \right] = \sum _{v \in \{0,1\}^\ell } \Pr \left[ \sigma = v \right] \cdot \Pr \left[ \widehat{\sigma _i} = v \right] . \end{aligned}$$

More generally, for any subset \(\mathcal {I} \subseteq [k]\) of the receivers, it holds that

$$\begin{aligned} \Pr \left[ \forall i \in \mathcal {I}: R_i \text { outputs } \widehat{m_i^i} \right]\ge & {} \sum _{v \in \{0,1\}^\ell } \Pr \left[ \sigma = v \right] \cdot \prod _{i \in \mathcal {I}} \Pr \left[ \widehat{\sigma _i} = v \right] \\= & {} \sum _{v \in \{0,1\}^\ell } \left( \Pr \left[ \sigma = v \right] \right) ^{|\mathcal {I}| + 1}. \end{aligned}$$

The inequality follows by the fact that the executions A conducts with the receivers are independent from each other, and the equality holds since \(\sigma \) and \(\widehat{\sigma _i}\) are identically distributed for every \(i \in [k]\). The inclusion-exclusion principle now yields that the probability that for at least one receiver it holds that \(\widehat{\sigma _i} = \sigma \) is

$$\begin{aligned} \Pr \left[ \exists i\in [k] \text { s.t. } R_i \text { outputs } \widehat{m_i^i} \right] \ge \sum _{i=1}^{k} (-1)^{i+1}\cdot \left( {\begin{array}{c}k\\ i\end{array}}\right) \cdot \!\left( \sum _{v \in \{0,1\}^\ell } \left( \Pr \left[ \sigma = v \right] \right) ^{i + 1} \right) \!. \end{aligned}$$

The above probability is minimized when the distribution of \(\sigma \) over a random execution of the protocol as described above is uniform; i.e., when \(\Pr \left[ \sigma = v \right] = 2^{-\ell }\) for all \(v \in \{0,1\}^\ell \). Hence, it holds that

$$\begin{aligned} \Pr \left[ \exists i\in [k] \text { s.t. } R_i \text { outputs } \widehat{m_i^i} \right] \ge \sum _{i=1}^{k} (-1)^{i+1}\cdot \left( {\begin{array}{c}k\\ i\end{array}}\right) \cdot 2^{-i\cdot \ell }. \end{aligned}$$

In what follows, we make use of the following claim, which bounds the above expression. For the proof of Claim 4.3, see the full version of this paper [RS18].

Claim 4.3

\(\sum _{i=1}^{k} (-1)^{i+1}\cdot \left( {\begin{array}{c}k\\ i\end{array}}\right) \cdot 2^{-i\cdot \ell } \ge \min \left\{ 1/3, k\cdot 2^{-\ell }/4 \right\} \).

Let \(\mathsf {Forge}_A\) denote the event in which for some \(i\in [k]\), \(R_i\) outputs \(\widehat{m_i^i}\ne m_i\). By Claim 4.3,

$$\begin{aligned} \Pr \left[ \mathsf {Forge}_A \right]= & {} \Pr \left[ \exists i \in [k] \text { s.t. } m_i \ne \widehat{m_i^i} \wedge R_i \text { outputs } \widehat{m_i^i} \right] \\\ge & {} \Pr \left[ \forall j \in [k], m_j \ne \widehat{m_j^j} \wedge \exists i \in [k] \text { s.t. } R_i \text { outputs } \widehat{m_i^i} \right] \\\ge & {} \Pr \left[ \exists i\in [k] \text { s.t. } R_i \text { outputs } \widehat{m_i^i} \right] - \Pr \left[ \exists j \in [k] \text { s.t. } m_j = \widehat{m_j^j}\right] \\\ge & {} \min \left\{ \frac{1}{3}, \frac{k}{4}\cdot 2^{-\ell } \right\} - k\cdot 2^{-n} \\\ge & {} \min \left\{ \frac{1}{6}, k \cdot 2^{-\ell - 2} - k \cdot 2^{-n} \right\} . \end{aligned}$$

The last inequality holds since \(n \ge \log k + \log 1/\epsilon + 3 > \log k + 3 \) and thus \(k \cdot 2^{-n} < 1/6\). Finally, since \(\epsilon < 1/6\) and \(n \ge \log k + \log 1/\epsilon \), it holds that

$$\begin{aligned} \epsilon \ge k \cdot 2^{-\ell - 2} - k \cdot 2^{-n} \ge k \cdot 2^{-\ell - 2} - \epsilon . \end{aligned}$$

Equivalently, \(\epsilon \ge k \cdot 2^{-\ell -3}\), which implies \(\ell \ge \log 1/\epsilon + \log k - 3\).    \(\blacksquare \)

5 The Statistical Setting

In this section we prove tight bounds for statistically-secure out-of-band authentication protocols in the group setting. First, in Sect. 5.1 we present our statistically-secure protocol. Then, in Sect. 5.2 we prove the security of our protocol, and in Sect. 5.3 we prove a matching lower bound on the length of the out-of-band authenticated value in any statistically-secure protocol.

5.1 Our Protocol

Our protocol, denoted \(\pi _{\mathsf {Stat}}\), is parametrized by the maximal forgery probability \(\epsilon \in (0,1)\), integers \(n, k \in \mathbb {N}\) denoting the length of each message and the number of receivers, respectively, and an odd integer \(r \in \mathbb {N}\) denoting the number of rounds (we refer the reader to Sect. 1.2 for an intuitive overview of the protocol).

Notation. Denote the Galois field with q elements by GF(q). Then, a message m of length n can be parsed as a polynomial of degree at most \(\lceil n/\log {q} \rceil \) over GF(q). Namely, a message \(m = m_1,\ldots , m_t \in GF(q)^t\) defines a polynomial in the following manner: For every \(x \in GF(q)\), we let \(m(x) = \sum _{i=1}^{t} m_i \cdot x^i \). Then, for two distinct messages \(m, \widehat{m} \in GF(q)^t\) and any two field elements \(y, \widehat{y} \in GF(q)\), it holds that the polynomials \(m(\cdot ) + y\) and \(\widehat{m}(\cdot ) + \widehat{y}\) are distinct and thus \(\Pr _{x \leftarrow GF(q)} \left[ m(x) + y = \widehat{m}(x) + \widehat{y}\right] \le t/q\). Let \(\epsilon ' = \epsilon /k\), and let \(n_1 = n\). For every \(j \in [r-1]\) let \(q_j\) be a prime number chosen in a deterministically and agreed upon manner in the interval \(\left[ \frac{2^{r-j} \cdot n_j}{\epsilon '} , \frac{2^{r-j + 1} \cdot n_j}{\epsilon '} \right) \), and let \(n_{j+1} = \lceil 2 \log q_j \rceil \).

Our protocol \(\pi _{\mathsf {Stat}}\) is then defined by the following steps:

  1. 1.

    For every \(i \in [k]\), S sends \(m^{1}_{S,i} = m_i\) to \(R_i\). Denote by \(m^{1}_{R_i}\) the string received by \(R_i\).

  2. 2.

    For \(j = 1\) to \(r-2\):

    1. (a)

      If j is odd, then for every \(i \in [k]\):

      1. i.

        S chooses \(y_i^j \leftarrow GF(q_j)\) and sends it to \(R_i\).

      2. ii.

        \(R_i\) receives \(\widehat{y_i^j}\), chooses \(x_i^j \leftarrow GF(q_j)\) and sends it to S.

      3. iii.

        S receives \(\widehat{x_i^j}\) and computes \(m^{j+1}_{S,i} = \widehat{x_i^j} \Vert m^{j}_{S,i}(\widehat{x_i^j}) + y_i^j\).

      4. iv.

        \(R_i\) computes \(m^{j+1}_{R_i} = x_i^j \Vert m^{j}_{R_i}(x_i^j) + \widehat{y_i^j}\).

    2. (b)

      if j is even, then for every \(i \in [k]\):

      1. i.

        \(R_i\) chooses \(y_i^j \leftarrow GF(q_j)\) and sends it to S.

      2. ii.

        S receives \(\widehat{y_i^j}\), chooses \(x_i^j \leftarrow GF(q_j)\) and sends it to \(R_i\).

      3. iii.

        \(R_i\) receives \(\widehat{x_i^j}\) and computes \(m^{j+1}_{R_i} = \widehat{x_i^j} \Vert m^{j}_{R_i}(\widehat{x_i^j}) + y_i^j\).

      4. iv.

        S computes \(m^{j+1}_{S,i} = x_i^j \Vert m^{j}_{S,i}(x_i^j) + \widehat{y_i^j}\).

  3. 3.

    For every \(i \in [k]\), \(R_i\) chooses \(y_i^{r-1} \leftarrow GF(q_j)\) and sends it to S.

  4. 4.

    S receives \(\widehat{y_1^{r-1}},\ldots , \widehat{y_k^{r-1}}\), chooses \(x^{r-1} \leftarrow GF(q_{r-1})\), and for every \(i \in [k]\) sends \(x_i^{r-1} = x^{r-1}\) to \(R_i\).

  5. 5.

    For every \(i \in [k]\), \(R_i\) receives \(\widehat{x_i^{r-1}}\) and computes \(\widehat{\sigma _i} = m^{r-1}_{R_i}(\widehat{x^{r-1}_i}) + y_i^{r-1}\). Denote \(m^{r}_{R_i} = \widehat{x_i^{r-1}} \Vert \widehat{\sigma _i}\).

  6. 6.

    For every \(i \in [k]\), S computes \(\sigma _i = m^{r-1}_{S,i}(x^{r-1}) + \widehat{y_i^{r-1}}\). Denote \(m^{r}_{S,i} = x^{r-1} \Vert \sigma _i\). S sends \(x^{r-1} \Vert \sigma _1 \Vert \ldots \Vert \sigma _k\) over the authenticated channel.

  7. 7.

    For every \(i \in [k]\), if \(m^{r}_{S,i} = m^{r}_{R_i}\) (i.e., if \(x^{r-1} = \widehat{x_i^{r-1}}\) and \(\sigma _i = \widehat{\sigma _i}\)), \(R_i\) outputs \(m_{R_i}^1\). Otherwise, \(R_i\) outputs \(\bot \).

The following theorem (when the protocol is invoked with at least \(\log ^*n\) rounds) implies Theorem 1.3 as an immediate corollary:

Theorem 5.1

Let \(n, k \in \mathbb {N}\), let \(r \ge 3\), and let \(\epsilon \in (0,1)\). Then, protocol \(\pi _{\mathsf {Stat}}\) is a statistically-secure out-of-band \((n, \ell , k, r, \epsilon )\)-authentication protocol, where \(\ell = (k+1)\cdot \left( \log \frac{1}{\epsilon } + \log k + \log ^{(r-1)}n + O(1) \right) \).

The correctness of our protocol is straightforward. In Lemma 5.2 we bound the length \(\ell \) of the out-of-band authenticated value as stated in Theorem 5.1, and the proof of unforgeability is given in Sect. 5.2, yielding Theorem 5.1. A corollary of Lemma 5.2 is that when invoked with \(r = \varOmega (\log ^*n)\), the sender in protocol \(\pi _{\mathsf {Stat}}\) has to authenticate at most \((k+1)\cdot \left( \log (1/\epsilon ) + \log k + O(1)\right) \) bits.

Lemma 5.2

Let \(n, k \in \mathbb {N}\), let \(r \ge 3\), and let \(\epsilon \in (0,1)\). Then, in protocol \(\pi _{\mathsf {Stat}}\) it holds that \(\ell \le (k+1)\cdot \left( \log \frac{1}{\epsilon } + \log k + \log ^{(r-1)}n + O(1) \right) \).

The proof of Lemma 5.2 will make use of the following two claims.

Claim 5.3

If \(n_j > 2^{r-j}/\epsilon '\) for every \(j \in [r-2]\), then \(n_{j+1} \le \max \{ 4\log ^{(j)} n\)\(+ 4\log 5 + 3, 27 \}\) for every \(j \in [k-2]\).

Proof

The proof is by induction on j. Since \(n_j > 2^{r-j}/\epsilon '\) for every \(j \in [r-2]\), it holds that for every \(j \in [r-2]\),

$$\begin{aligned} q_j < \frac{2^{r - j + 1}}{\epsilon '} \cdot n_j \le 2n_j^{2}. \end{aligned}$$

This implies that for every \(j \in [r-2]\), it holds that

$$\begin{aligned} n_{j+1} = \lceil 2\log q_j \rceil < \lceil 2 \log \left( 2n_j^2 \right) \rceil \le 4 \log n_j +3. \end{aligned}$$

For \(j = 1\), the claim indeed yields: \(n_2 < 4 \log n + 3\). For \(2 \le j \le r-2\), if \(n_j \le 27\), then \(n_{j+1}< 4 \log 27 + 3 < 23\). Otherwise, by the induction hypothesis, it holds that

$$\begin{aligned} n_{j+1} \le 4 \log n_j + 3 \le 4 \log \left( 4\log ^{(j-1)} n + 4\log 5 + 3\right) + 3. \end{aligned}$$

Consider the following two cases:

  1. 1.

    If \(\log ^{(j-1)} n \le 4\log 5 + 3\), then \(n_{j+1} \le 4 \log (20 \log 5 + 15) + 3 < 27\).

  2. 2.

    If \(\log ^{(j-1)} n > 4\log 5 + 3\), then \(n_{j+1} \le 4 \log \left( 5 \log ^{(j-1)}n \right) + 3 = 4\log ^{(j)} n + 4\log 5 + 3\).

   \(\blacksquare \)

Claim 5.4

If \(n_j \le 2^{r-j}/\epsilon '\) for some \(j \in [r-2]\), then for every \(j' \in \{j, \ldots , r-2\}\), it holds that \(n_{j'} \le 2^{r-j'}/\epsilon '\).

Proof

Assume \(n_j \le 2^{r-j}/\epsilon '\) for some \(j \in [r-3]\). We prove \(n_{j+1} \le 2^{r-j-1}/\epsilon '\) and the claim follows. By the assumption on \(n_j\), it holds that

$$\begin{aligned} n_{j+1}= & {} \lceil 2 \log q_j \rceil \\\le & {} \Biggl \lceil 2 \log \left( \frac{2^{r-j}}{\epsilon '} \cdot n_j \right) \Biggl \rceil \\\le & {} \Biggl \lceil 4 \log \left( \frac{2^{r-j}}{\epsilon '} \right) \Biggl \rceil \\\le & {} 4\cdot \left( r- j + \log \frac{1}{\epsilon '}\right) + 1\\\le & {} 2^{r -j + \log \frac{1}{\epsilon '} - 1} \\= & {} \frac{2^{r-j-1}}{\epsilon '}. \end{aligned}$$

The last inequality follows by the fact that \(4 x + 1\le 2^{x-1}\) for any \(x \ge 6\) (if \(r -j + \log (1/\epsilon ') < 6\) then the parties can jump to Step 3 of the protocol and complete it, while S only has to send \((k+1)\cdot O(1)\) bits over the out-of-band channel, which implies Lemma 5.2).    \(\blacksquare \)

We are now ready to prove Lemma 5.2.

Proof of Lemma 5.2

Informally speaking, we prove that \({q_{r-1}}\) is at most roughly \(1/\epsilon '\), and then the lemma follows, since S authenticates to \(k+1\) elements in \(GF(q_{r-1})\), which can be encoded using \(\lceil (k+1) \cdot \log {q_{r-1}} \rceil \) bits.

More formally, we consider two separate cases. First we consider the case where \(n_j > 2^{r-j}/\epsilon '\) for every \(j \in [r-2]\). By Claim 5.3, it holds that \(n_{r-1} \le \max \left\{ 4\log ^{(r-2)} n + 4\log 5 + 3, 27 \right\} \). If \(n_{r-1} \le 27\), then \(q_{r-1} < 4\cdot 27 / \epsilon '\), and then

$$\begin{aligned} \ell= & {} \lceil (k+1)\cdot \log q_{r-1} \rceil \\\le & {} (k+1) \cdot \left( \log \frac{1}{\epsilon '} + O(1)\right) \\= & {} (k+1)\cdot \left( \log \frac{1}{\epsilon } + \log k + O(1) \right) . \end{aligned}$$

Otherwise, it holds that \(n_{r-1} \le 4\log ^{(r-2)} n + 4\log 5 + 3\). Hence,

$$\begin{aligned} \ell= & {} \lceil (k+1)\cdot \log q_{r-1} \rceil \\= & {} \Biggr \lceil (k+1) \cdot \log \left( \frac{4}{\epsilon '}\cdot n_{r-1}\right) \Biggr \rceil \\\le & {} (k+1)\cdot \left( \log \frac{1}{\epsilon } + \log k + \log ^{(r-1)}n + O(1) \right) . \end{aligned}$$

We now turn to consider the case where there exists some \(j \in [r-2]\) such that \(n_j \le 2^{r-j}/\epsilon '\). By Claim 5.4, this means that \(n_{r-2} \le 4/\epsilon '\). Therefore,

$$\begin{aligned} n_{r-1} = \lceil 2 \log q_{r-2} \rceil \le \Biggl \lceil 2 \log \frac{2^{3}}{\epsilon '} \cdot n_{r-2} \Biggl \rceil \le 4\log \frac{1}{\epsilon '} + 11. \end{aligned}$$

Where this is the case, the parties can set \(q_{r-1} = \varTheta (1/\epsilon ')\), and the security of the protocol is preserved. This is due to the fact that our proof of security (see Sect. 5.2) only relies on the fact that two distinct polynomials over \(GF(q_{r-1})\) defined by \(n_{r-1}\)-bit strings evaluate to the same value on at most \(\epsilon '/2\) field elements; i.e., \({q_{r-1}}^{-1} \cdot \lceil n_{r-1}/\log (1/\epsilon ') \rceil \le \epsilon '/2\). If \(q_{r-1} = \varTheta (1/\epsilon ')\), then indeed

$$\begin{aligned} \ell \le (k+1)\cdot \left( \log \frac{1}{\epsilon } + \log k + \log ^{(r-1)}n + O(1) \right) , \end{aligned}$$

concluding the proof.    \(\blacksquare \)

5.2 Proof of Security

In this section, we prove the unforgeability of our protocol \(\pi _{\mathsf {Stat}}\), proving Theorem 5.1. For an adversary A, let \(\mathsf {Forge}_{A,i}\) denote the event in which \(R_i\) outputs \(\widehat{m_i} \not \in \{m_i, \bot \}\) in an execution of \(\pi _{\mathsf {Stat}}\) with A, and let \(\mathsf {Forge}_A = \bigcup _{i \in [k]} \mathsf {Forge}_{A,i}\). The following Lemma captures the unforgeability of \(\pi _{\mathsf {Stat}}\).

Lemma 5.5

For any computationally unbounded adversary A, it holds that \(\Pr \left[ \mathsf {Forge}_{A} \right] \le \epsilon \).

Proof

We prove that for every \(i\in [k]\), any computationally unbounded adversary A succeeds in making \(R_i\) output a fraudulent message with probability at most \(\epsilon ' = \epsilon /k\) and the theorem thus follows by union bound. Note that if A fools \(R_i\) this in particular means that \(m_{S,i}^1 \ne m_{R_i}^1\) but \(m^{r}_{S,i} = m^{r}_{R_i}\). Hence, there exists a round \(j \in [r-1]\) such that \(m^{j}_{S,i} \ne m^j_{R_i}\) but \(m^{j+1}_{S,i} = m^{j+1}_{R_i}\); denote this event by \(\mathsf {Coll}_{i}^j\). We will prove that for every j, \(\Pr \left[ \mathsf {Coll}_i^j \right] \le \epsilon '/2^{r-j}\), and then by taking a union bound over all rounds, the probability of \(\mathsf {Forge}_{A,i}\) is at most \(\sum _{j=1}^{r-1}\Pr \left[ \mathsf {Coll}_i^j \right] \le \sum _{j=1}^{r-1} \epsilon '/2^{r-j} < \epsilon ' \).

We denote by T(v) the time in which a message v in the protocol is sent and fixed. We analyze separately the case where the round index j is odd, and the case that it is even. We start by bounding \(\Pr \left[ \mathsf {Coll}_i^j \right] \) in case j is odd (\(R_i\) picks the evaluation point of the polynomial and S chooses the shift), and consider three possible attack timings:

  1. 1.

    \({T(\widehat{x_i^j}) < T(x_i^j)}\): In this case, \(R_i\) chooses \(x_i^j\) at random from the field only after \(\widehat{x_i^j}\) was fixed and sent to S. Recall that \(\widehat{x_i^j}\) is the first part of \(m_{S,i}^{j+1}\) and \(x_i^j\) is the first part of \(m_{R_i}^{j+1}\). Hence,

    $$\begin{aligned} \Pr \left[ \mathsf {Coll}_i^j \right] \le \mathop {\Pr }\limits _{x_i^j \leftarrow GF(q_j)} \left[ x_i^j = \widehat{x_i^j} \right] = \frac{1}{q_j} \le \frac{\epsilon '}{2^{r-j}}. \end{aligned}$$
  2. 2.

    \(T(\widehat{x_i^j}) \ge T(x_i^j)\) and \(T(\widehat{y_i^j}) \ge T(y_i^j)\): In this case, if the adversary chooses \(\widehat{x_i^j} \ne x_i^j\), then \(\Pr \left[ \mathsf {Coll}_i^j \right] = \Pr \left[ m^{j+1}_{S,i} = m^{j+1}_{R_i} \right] = 0\). So for the remainder of the analysis of this case, we assume \(\widehat{x_i^j} = x_i^j\). Since j is odd, it is always the case that \(T(x_i^j) > T(\widehat{y_i^j})\); i.e., \(R_i\) chooses \(x_i^j\) after receiving \(\widehat{y_i^j}\). Since we are also in the case where \(T(\widehat{y_i^j}) \ge T(y_i^j)\), this means that \(R_i\) chooses \(x_i^j\) when \( m^{j}_{S,i}, m^{j}_{R_i}, y_i^j\) and \(\widehat{y_i^j}\) are all fixed. In particular, if \(m^{j}_{S,i} \ne m^{j}_{R_i}\), then the polynomials \(m^{j}_{S,i}(\cdot ) + y_i^j\) and \(m^{j}_{R_i}(\cdot ) + \widehat{y_i^j}\) are two distinct polynomials of degree at most \(\lceil n_j / \log q_j \rceil \). Hence,

    $$\begin{aligned} \Pr \left[ \mathsf {Coll}_i^j \right]= & {} \mathop {\Pr }\limits _{x_i^j \leftarrow GF(q_j)} \left[ m^{j}_{S,i} \ne m^{j}_{R_i} \wedge m^{j}_{S,i}(x_i^j) + y_i^j = m^{j}_{R_i}(x_i^j) + \widehat{y_i^j} \right] \\\le & {} \frac{1}{q_j} \cdot \Big \lceil \frac{n_j}{\log q_j} \Big \rceil \le \frac{\epsilon '}{2^{r-j}}. \end{aligned}$$
  3. 3.

    \(T(\widehat{x_i^j}) \ge T(x_i^j)\) and \(T(\widehat{y_i^j}) < T(y_i^j)\): As before, if \(\widehat{x_i^j} \ne x_i^j\), then \(\Pr \left[ \mathsf {Coll}_i^j \right] = 0\), so we assume \(\widehat{x_i^j} = x_i^j\). In this case, S chooses \(y_i^j\) and \(R_i\) chooses \(x_i^j\) when the adversary has already chosen \(\widehat{y_i^j}\). Since \(y_i^j\) and \(x_i^j\) are chosen independently, we may assume without loss of generality that \(T(y_i^j) > T(x_i^j)\), meaning \(y_i^j\) is chosen when \( m^{j}_{S,i}, m^{j}_{R_i}, \widehat{y_i^j}\) and \(x_i^j\) are already fixed (and thus also \(\widehat{x_i^j}\), since we assume \(\widehat{x_i^j} = {x_i^j}\)). It follows that

    $$\begin{aligned} \Pr \left[ \mathsf {Coll}_i^j \right]= & {} \mathop {\Pr }\limits _{y_i^j \leftarrow GF(q_j)} \left[ y_i^j = m^{j}_{R_i}(x_i^j) + \widehat{y_i^j} - m^{j}_{S,i}(x_i^j) \right] \le \frac{1}{q_j} \le \frac{\epsilon '}{2^{r-j}}. \end{aligned}$$

We now turn to bound \(\Pr \left[ \mathsf {Coll}_i^j \right] \) in case j is even (S picks the evaluation point of the polynomial and \(R_i\) chooses the shift). The proof is very similar to the case where j is odd, and considers the same three cases:

  1. 1.

    \({T(\widehat{x_i^j}) < T(x_i^j)}\): In this case, S chooses \(x_i^j\) at random when \(\widehat{x_i^j}\) is fixed. Therefore,

    $$\begin{aligned} \Pr \left[ \mathsf {Coll}_i^j \right] \le \mathop {\Pr }\limits _{x_i^j \leftarrow GF(q_j)} \left[ x_i^j = \widehat{x_i^j} \right] = \frac{1}{q_j} \le \frac{\epsilon '}{2^{r-j}}. \end{aligned}$$
  2. 2.

    \(T(\widehat{x_i^j}) \ge T(x_i^j)\) and \(T(\widehat{y_i^j}) \ge T(y_i^j)\): As in the analysis for odd values of j, we can assume \(\widehat{x_i^j} = x_i^j\), and we know that S chooses \(x_i^j\) when \( m^{j}_{S,i}, m^{j}_{R_i}, y_i^j\) and \(\widehat{y_i^j}\) are all fixed (in the last round, this follows also by the fact that S chooses \(x^{r-1}\) after receiving all \(\widehat{y_i^{r-1}}\)’s). In particular, if \(m^{j}_{S,i} \ne m^{j}_{R_i}\), then the polynomials \(m^{j}_{S,i}(\cdot ) + \widehat{y_i^j}\) and \(m^{j}_{R_i}(\cdot ) + {y_i^j}\) are two distinct polynomials of degree at most \(\lceil n_j / \log q_j \rceil \). Hence,

    $$\begin{aligned} \Pr \left[ \mathsf {Coll}_i^j \right]= & {} \mathop {\Pr }\limits _{x_i^j} \left[ m^{j}_{S,i} \ne m^{j}_{R_i} \wedge m^{j}_{S,i}(x_i^j) + \widehat{y_i^j} = m^{j}_{R_i}(x_i^j) + {y_i^j} \right] \le \frac{\epsilon '}{2^{r-j}}. \end{aligned}$$
  3. 3.

    \(T(\widehat{x_i^j}) \ge T(x_i^j)\) and \(T(\widehat{y_i^j}) < T(y_i^j)\): As before, we assume \(\widehat{x_i^j} = x_i^j\), and we know that \(R_i\) chooses \(y_i^j\) and S chooses \(x_i^j\) when the adversary has already chosen \(\widehat{y_i^j}\). Since \(y_i^j\) and \(x_i^j\) are chosen independently, we may assume without loss of generality that \(T(y_i^j) > T(x_i^j)\), meaning \(y_i^j\) is chosen when \( m^{j}_{S,i}, m^{j}_{R_i}, \widehat{y_i^j}\) and \(x_i^j\) are already fixed. Hence,

    $$\begin{aligned} \Pr \left[ \mathsf {Coll}_i^j \right]= & {} \mathop {\Pr }\limits _{y_i^j \leftarrow GF(q_j)} \left[ y_i^j = m^{j}_{S,i}(x_i^j) + \widehat{y_i^j} - m^{j}_{R_i}(x_i^j) \right] \le \frac{\epsilon '}{2^{r-j}}. \end{aligned}$$

Let \(\mathsf {Coll}_i = \bigcup _{j \in [r - 1]} \mathsf {Coll}_i^j\). By taking a union bound over all rounds, it follows that for every \(i \in [k]\),

$$\begin{aligned} \Pr \left[ \mathsf {Coll}_i \right] \le \sum _{j=1}^{r-1}\Pr \left[ \mathsf {Coll}_i^j \right] \le \sum _{j=1}^{r-1} \frac{\epsilon '}{2^{r-j}} < \epsilon '. \end{aligned}$$

Since for every \(i\in [k]\), it is the case that \(\mathsf {Forge}_{A,i}\) implies \(\mathsf {Coll}_i\), it holds that for every \(i \in [k]\), \(\Pr \left[ \mathsf {Forge}_{A,i} \right] \le \Pr \left[ \mathsf {Coll}_i \right] \le \epsilon '\). By taking a union bound over all receivers it holds that \( \Pr \left[ \mathsf {Forge}_A \right] \le k \cdot \epsilon ' = \epsilon \).    \(\blacksquare \)

5.3 Lower Bound

In this section we present a lower bound on the number of bits the sender has to out-of-band authenticate in the group setting. We prove the following theorem:

Theorem 5.6

For any statistically-secure out-of-band \((n, \ell , k, r, \epsilon )-\)authentication protocol, if \(n \ge (k+2)\cdot \log (1/\epsilon )\) then \(\ell \ge (k+1)\cdot \log (1/\epsilon ) - k\).

Proof

Let \(\pi = (S,R_1,\ldots ,R_k)\) be a statistically-secure out-of-band \((n, \ell , k, r, \epsilon )\)-authentication protocol. We assume without loss of generality that \(r \equiv 1 \mod (k+1)\) and that \(\pi \) has the following structure. For every \(j \in [r-1]\), in round j there exists a single “active” party that sends a message (over the insecure channels) to each of the other parties, and all other parties do not send any messages in that round. If \(j \equiv 1 \mod (k+1)\), then the sender S is the active party in round j. Otherwise, if \(j \equiv i+1 \mod (k+1)\) for some \(i \in [k]\), then receiver \(R_{i}\) is the active user in round j. Denote the vector of messages sent in round j by \(x_{j-1}\) and the random variable describing that vector by \(X_{j-1}\) (so the vectors of messages sent over the insecure channels are \(x_0, \ldots , x_{r-2}\)). Finally, in round r, the sender S sends the short out-of-band authenticated value \(\sigma \), and we denote the random variable describing it by \(\varSigma \). We also denote the random variable describing the vector of input messages to S by M.

Observe, that we can write the Shannon entropy of \(\varSigma \) as

To bound the above expression, we make use of the following two lemmata, proofs for which are provided in the full version of the paper [RS18]. Intuitively speaking, Lemma 5.7 shows that the messages of the sender S during the execution of \(\pi \) need to reduce, on average, roughly \(\log (1/\epsilon )\) bits of entropy from the out-of-band authenticated value.

Lemma 5.7

If \(n \ge 1/k \cdot \log (1/\epsilon )\), then

$$\begin{aligned} \mathrm {I}(\varSigma ; M, X_0)+ & {} \sum _{\begin{array}{c} j \in [r-2]: \\ j \equiv 0 \mod (k+1) \end{array}} \mathrm {I}(\varSigma ; X_{j} \vert M, X_0,\ldots , X_{j-1}) \\&\qquad \qquad \qquad +\,\mathrm {H}(\varSigma \vert M, X_0, \ldots , X_{r-2}) \ge \log (1/\epsilon ) - 1. \end{aligned}$$

In a similar fashion, Lemma 5.8 shows that for any \(i \in [k]\), the messages of receiver \(R_i\) during the execution of \(\pi \) need to reduce, on average, roughly \(\log (1/\epsilon )\) bits of entropy from the out-of-band authenticated value.

Lemma 5.8

If \(n \ge (k+2) \cdot \log (1/\epsilon )\) and \(\ell \le (k+1) \cdot \log (1/\epsilon )\), then for every \(i \in [k]\),

$$\begin{aligned} \sum _{\begin{array}{c} j \in [r-2]: \\ j \equiv i \mod (k+1) \end{array}} \mathrm {I}(\varSigma ,X_{j} \vert M,X_0,\ldots ,X_{j-1}) \ge \log (1/\epsilon ) - 1. \end{aligned}$$

Now, if \(\ell > (k+1)\cdot \log (1/\epsilon )\), then the theorem follows. Otherwise, by Lemmata 5.7 and 5.8 it holds that, \( \ell \ge \mathrm {H}(\varSigma ) \ge (k+1)\cdot \log (1/\epsilon ) - k,\) concluding the proof of Theorem 5.6.