An Optimal Non-interactive Message Authentication Protocol

  • Sylvain Pasini
  • Serge Vaudenay
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3860)


Vaudenay recently proposed a message authentication protocol which is interactive and based on short authenticated strings (SAS). We study here SAS-based non-interactive message authentication protocols (NIMAP). We start by analysing two popular non-interactive message authentication protocols. The first one is based on a collision-resistant hash function and was presented by Balfanz et al. The second protocol is based on a universal hash function family and was proposed by Gehrmann, Mitchell, and Nyberg. It uses far fewer authenticated bits but requires a stronger authenticated channel.

We propose a protocol which can achieve the same security as the first protocol but using less authenticated bits, without any stronger communication model, and without requiring a hash function to be collision-resistant. Finally, we demonstrate the optimality of our protocol.
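The following is an added illustration, not code from the paper: it models the two-channel setting (an insecure channel the adversary can rewrite, and an authenticated channel that delivers a short string unmodified but not secretly) and runs the first protocol mentioned above, the hash-based one of Balfanz et al., in which Alice sends m on the insecure channel and a hash of m on the authenticated channel. It then shows why that protocol needs a collision-resistant hash: an adversary who may influence the message Alice authenticates (the standard model for message authentication) precomputes a birthday collision on the short authenticated value and swaps the message on the insecure channel. The 16-bit truncation of SHA-256, the message families and the function names are assumptions chosen for the toy, so that the birthday search finishes instantly; the point is that a k-bit authenticated string bought this way gives only about k/2 bits of security, which is the cost the paper's protocol avoids.

```python
"""Two-channel NIMAP toy: hash-based protocol (Balfanz et al. style) and a birthday
attack on its short authenticated string. Added example; not the paper's code."""
import hashlib
from dataclasses import dataclass
from typing import Optional, Tuple

SAS_BITS = 16  # assumption for the toy: short enough that a birthday search is instant


def short_hash(message: bytes, bits: int = SAS_BITS) -> int:
    """k-bit value sent on the authenticated channel: leading `bits` bits of SHA-256."""
    digest = hashlib.sha256(message).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


@dataclass
class Channels:
    """Two-channel model: the adversary may rewrite `insecure`; `authenticated`
    is delivered exactly as sent (it is authentic, not secret)."""
    insecure: Optional[bytes] = None
    authenticated: Optional[int] = None


def alice_send(m: bytes, ch: Channels) -> None:
    """Alice: message on the insecure channel, its short hash on the authenticated one."""
    ch.insecure = m
    ch.authenticated = short_hash(m)


def bob_receive(ch: Channels) -> Optional[bytes]:
    """Bob accepts the received message iff its hash matches the authenticated value."""
    m_hat = ch.insecure
    if m_hat is None or ch.authenticated is None:
        return None
    if short_hash(m_hat) != ch.authenticated:
        return None
    return m_hat


def run_honest(m: bytes) -> Optional[bytes]:
    """No adversary: Bob accepts exactly what Alice sent."""
    ch = Channels()
    alice_send(m, ch)
    return bob_receive(ch)


def birthday_collision(bits: int = SAS_BITS, limit: int = 1 << 20) -> Tuple[bytes, bytes]:
    """Find (m, m_prime), m from the family Alice would legitimately send and m_prime
    from the family the adversary wants accepted, with equal short hashes.
    Expected cost is about 2^(bits/2) hash evaluations (birthday bound)."""
    honest: dict = {}   # hash -> honest-looking message
    forged: dict = {}   # hash -> adversary's message
    for i in range(limit):
        m = b"pubkey=ALICE;nonce=%d" % i        # constructed sample message family
        m_prime = b"pubkey=MALLORY;nonce=%d" % i  # constructed adversarial family
        h, h_prime = short_hash(m, bits), short_hash(m_prime, bits)
        if h == h_prime:
            return m, m_prime
        if h in forged:
            return m, forged[h]
        if h_prime in honest:
            return honest[h_prime], m_prime
        honest[h] = m
        forged[h_prime] = m_prime
    raise RuntimeError("no collision within limit")


def run_attack(bits: int = SAS_BITS) -> Tuple[bytes, bytes, Optional[bytes]]:
    """Adversary precomputes a collision, has Alice authenticate m (in the standard
    model the adversary chooses Alice's input), then rewrites only the insecure channel."""
    m, m_prime = birthday_collision(bits)
    ch = Channels()
    alice_send(m, ch)
    ch.insecure = m_prime  # the authenticated channel is untouched, yet Bob accepts m_prime
    return m, m_prime, bob_receive(ch)


if __name__ == "__main__":
    print("honest:", run_honest(b"pubkey=ALICE;nonce=0"))
    m, m_prime, accepted = run_attack()
    print("collision:", m, m_prime, hex(short_hash(m)))
    print("Bob accepted forged message:", accepted == m_prime)
```

Raising `SAS_BITS` shows the birthday cost growing as 2^(k/2): to get 2^40 work against this protocol the authenticated string must be about 80 bits, whereas a protocol that only needs the hash to resist second preimages on an unpredictable input can make do with far fewer authenticated bits for the same security level.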






  1. [BCC88]
    Brassard, G., Chaum, D., Crépeau, C.: Minimum disclosure proofs of knowledge. Journal of Computer and System Sciences 37(2), 156–189 (1988)
  2. [BCJ+05]
    Biham, E., Chen, R., Joux, A., Carribault, P., Lemuet, C., Jalby, W.: Collisions of SHA-0 and reduced SHA-1. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 36–57. Springer, Heidelberg (2005)
  3. [BK90]
    Boyar, J.F., Kurtz, S.A.: A discrete logarithm implementation of perfect zero-knowledge blobs. Journal of Cryptology 2(2), 63–76 (1990)
  4. [BR93]
    Bellare, M., Rogaway, P.: Entity authentication and key distribution. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 232–249. Springer, Heidelberg (1994)
  5. [BSSW02]
    Balfanz, D., Smetters, D.K., Stewart, P., Wong, H.C.: Talking to strangers: Authentication in ad-hoc wireless networks. In: Proceedings of the Network and Distributed System Security Symposium 2002 (NDSS 2002), San Diego, California, U.S.A. (February 2002)
  6. [CGHGN01]
    Catalano, D., Gennaro, R., Howgrave-Graham, N., Nguyen, P.Q.: Paillier's cryptosystem revisited. In: CCS 2001: Proceedings of the 8th ACM Conference on Computer and Communications Security, Philadelphia, Pennsylvania, U.S.A., pp. 206–214. ACM Press, New York (2001)
  7. [DG03]
    Damgård, I., Groth, J.: Non-interactive and reusable non-malleable commitment schemes. In: STOC 2003: Proceedings of the 35th Annual ACM Symposium on Theory of Computing, San Diego, California, U.S.A., pp. 426–437. ACM Press, New York (2003)
  8. [GMN04]
    Gehrmann, C., Mitchell, C.J., Nyberg, K.: Manual authentication for wireless devices. RSA CryptoBytes 7(1), 29–37 (2004)
  9. [LdW05]
    Lenstra, A.K., de Weger, B.: On the possibility of constructing meaningful hash collisions for public keys. In: Boyd, C., González Nieto, J.M. (eds.) ACISP 2005. LNCS, vol. 3574, pp. 267–279. Springer, Heidelberg (2005)
  10. [LWdW05]
    Lenstra, A., Wang, X., de Weger, B.: Colliding X.509 certificates. Cryptology ePrint Archive, Report 2005/067 (2005)
  11. [Pai99]
    Paillier, P.: Public-key cryptosystems based on composite degree residuosity classes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 223–238. Springer, Heidelberg (1999)
  12. [Pas05]
    Pasini, S.: Secure communications over insecure channels using an authenticated channel. Master's thesis, Swiss Federal Institute of Technology, EPFL (2005)
  13. [Riv92]
    Rivest, R.L.: The MD5 message-digest algorithm. RFC 1321, IETF (1992)
  14. [Vau05]
    Vaudenay, S.: Secure communications over insecure channels based on short authenticated strings. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 309–326. Springer, Heidelberg (2005)
  15. [WLF+05]
    Wang, X., Lai, X., Feng, D., Chen, H., Yu, X.: Cryptanalysis of the hash functions MD4 and RIPEMD. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 1–18. Springer, Heidelberg (2005)
  16. [WY05]
    Wang, X., Yu, H.: How to break MD5 and other hash functions. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 19–35. Springer, Heidelberg (2005)
  17. [WYY05a]
    Wang, X., Yin, Y.L., Yu, H.: Finding collisions in the full SHA-1. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 17–36. Springer, Heidelberg (2005)
  18. [WYY05b]
    Wang, X., Yu, H., Yin, Y.L.: Efficient collision search attacks on SHA-0. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 1–16. Springer, Heidelberg (2005)

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Sylvain Pasini (1)
  • Serge Vaudenay (1)
  1. EPFL, Lausanne, Switzerland
