Authentication over Noisy Channels

Authenticati on o v er Noisy Ch annels Lifeng Lai ∗ , Hesham El Gamal † , H. V incent Poor ‡ ∗ ‡ Departmen t of Electrical Engineer ing Princeton U niv ersity , Princeton , NJ 0851 2, USA Email: { llai,po or } @prin ceton.edu † Departmen t of Electrical and Computer En gineering Ohio State University Columbus, OH 43 202, USA Email: helgam al@ece.osu.edu Abstract — In this wor k, message authentication ov er noisy channels is studied. The model developed in this paper is the authentication theory coun terpart of W yner’s wiretap channel model. T w o types of opp onent attacks, namely impersonation attacks and substitu tion attacks, ar e in vestiga ted for both single message and multiple message auth entication scenarios. For each scenario, in for mation th eoretic lower and up per bounds on the opponent’s success probability are deriv ed . Rema rkably , in both scenarios, lower and upper bounds are shown to match, and hence the f undamental limit of message authentication ov er noisy channels is full y characterized. T he opponent’s success probability is further shown to be sma ller than that derive d in the classic authenti cation model in which the channel is assumed to be noiseless. These r esults rely on a propose d nov el authentication scheme in which key informa tion is used to provide si multaneous protection again both types of attacks. I . I N T RO D U C T I O N There are two fun damental pr imiti ves f or any security systems: 1) secure tr a nsmission , to ensure that th e message is r eceiv ed only by the legitimate r ec eiver ; 2) a uthentica tion , to en sure tha t the received me ssage truly comes from th e acclaimed transmitter . Secure transmission has been in vestigated und er two dif- ferent mod els. In the mod el developed by Shanno n [1], transmissions a re assumed to b e noiseless; and th e sour ce and intend ed destination use a common secret key K to encryp t an d dec rypt the m essage M . Transmission is said to be p erfectly secu re, if th e signal rec eiv e d at the oppon ent does no t p rovide it with any info rmation about M . Shann on proved that one needs H ( K ) ≥ H ( M ) to achieve perfect security . T aking tr ansmission no ise into conside ration, W yner developed t he wir etap ch annel [2], in which the transmitter exploits the two different noise proc esses at the receiver an d oppon ent to tra nsmit in formation secu rely . Csisz ´ ar and K ¨ orner [3] g eneralized this mod el and characteriz ed the capacity of the Discrete Mem oryless Chann el (DMC) with security constraints. Authentication th eory with a noiseless transmission model, which is shown in Figure 1, was developed by Simmon s [4]. In this model, the sou rce S an d the rece i ver R share a secret key K , which is used to identify the transm itter . When the transmitter in tends to send m essage M , it transmits W = This research w as supported by the National Science Foundat ion under Grants ANI-03-38807 and CNS-06-25637. S R K M W O W Fig. 1. The authe ntica tion channel. f ( K, M ) over a no iseless public channel, where f is the encodin g f unction at the sour ce. On receiving ˆ W , which might be different from W due to v arious attacks from the oppon ent O , the receiver needs to judge wheth er the me ssage comes from the legitimate tran smitter o r not. If the recei ver accepts th e message (i.e., the receiver believes th at the signal is authen tic), th e receiver then ge ts an estimate of the sou rce message M ; other wise, it rejec ts the message. The oppo nent gets a perfec t copy of W an d can perfo rm the following two types o f attack s. The first one is called an impersonation attack , in which the op ponen t sends W ′ to the destination before the source send s anything . Th is attack is suc cessful if W ′ is accepted by the recei ver as authentic. W e den ote the success pr obability of th is attack by P I . Th e second a ttack is called a sub stitution attack , in wh ich af ter r eceiving W , the oppon ent modifies it to W ′ and sends it to the destination. The attack is successful if the rece i ver accepts W ′ and decod es this into ano ther source state. W e den ote the su ccess pro bability of this attack by P S . Obvio usly , the o ppone nt will c hoose th e attack that has high er succ ess probab ility . Hence the success probab ility P D of the oppo nent (i.e., the chea ting pr obability ) is P D = max { P I , P S } . Lower bou nds on P I and P S have been developed in [4] and recovered by Maurer [ 5] f rom a hyp othesis testing point of view . In particular, it was shown that P I ≥ 2 − I ( K ; W ) and P S ≥ 2 − H ( K | W ) . One can easily identify a tradeoff be tween P I and P S . T o min imize the pr obability of a successful im per- sonation attack, the transmitted ciphertext, fro m th e legitimate source, m ust contain a sufficient amount o f info rmation about the secret key in order to co n v ince the legitimate rece i ver that the transmitted message comes fr om the source. Th at is I ( K ; W ) should be large, which unf ortunately dec reases H ( K | W ) . Hence, the attacker can take advantage o f the leaked info rmation over its n oiseless ch annel (con tained in W ) to increase the probab ility of a successfu l substitution attack. In fact, the strategy that min imizes the lower boun d on P D = max { P I , P S } is to use half of the key info rmation to protect against the impersonation attack a nd the other half of the key info rmation to pro tect against the substitution attack , which gives P D ≥ 2 − H ( K ) / 2 . These boun ds are of a negative nature, since they only give lower bounds for the ch eating probab ility . There is no up per-bound a vailable in the literature, partly d ue to the fact that usua l boun ding techniqu es such as Jensen’ s inequality and the lo g-sum in equality are not applicable here. W e will e laborate o n this po int in the sequel. Simmons’ s model was d ev eloped und er a noiseless trans- mission model. Howe ver, since ph ysical transmission systems are noisy , com mon practice is to u se channel cod ing to co n vert the no isy channel into a noiseless on e, and then to d esign an auth entication co de on top of the chan nel co ding. Liu and Bonc elet [6], [7] also c onsidered the situation in which the c hannel c oding is not perfect, and hence there are some residual errors induced by th e channel. The conclusion of these papers is that cha nnel no ise is detrimental to authe ntication, since it will cause the receiver to reject authen tic message s from th e transmitter . In this paper, we take an alterna ti ve v iew o f the transmission noise and d esign the channel coding and authen tication sche me jointly . W e show that by do ing so, one can exploit the noise to lower the che ating pr obability of the oppone nt. Mor e specifically , we der iv e bo th a lower boun d and an up per-bound on the cheatin g p robabilities of a uthentication schem es over noisy ch annels. W e show tha t these two b ounds coincide, an d are smaller than the lower -bo und on the cheating prob ability when the ch annel is assumed to be noiseless. In p articular, we show that P D = 2 − H ( K ) , thus all the key in formation can be used to pro tect against the substitution attack and the imperson ation attack simu ltaneously . W e also study the authenticatio n of mu ltiple messages using the same key K , and show tha t all the key informatio n can be used to p rotect against a ll th e attack s simu ltaneously . The rest o f th e pa per is organ ized a s f ollows. In Sectio n I I, we introdu ce the mo del. I n Sectio n III, we discu ss the single message authenticatio n scenario. W e then analyz e the authen- tication of multiple message using a sam e key in Section I V. Finally , in Section V, we offer som e conclusio ns. I I . M O D E L Throu ghout this pa per , u pper-case letters (e.g. , X ) d enote random variables, lower-case letters (e.g. , x ) deno te realiza - tions o f the cor respond ing ran dom variables, and calligraph ic letters (e.g , X ) deno te finite alph abet sets over which co r- respond ing variables rang e. Also, up per-case bold face letter s (e.g., X ) denote rando m vector s and lo wer-case bo ldface let- ters (e. g., x ) den ote realizations of the cor respond ing rando m vectors. Figure 2 shows th e mo del u nder co nsideration. The model differs f rom Simmons’ s model on ly in that th e transmission S R K M O X Z Y Fig. 2. The authe ntica tion channel. channel is noisy . Mo re specifically , we c onsider the DMC and assume that when th e transmitter sends x , th e receiver re ceiv es y with pr obability P n Y | X ( y | x ) = n Y j =1 P ( y | x ) and the oppon ent receives z with p robability P n Z | X ( z | x ) = n Y j =1 P ( z | x ) . Here P ( y | x ) and P ( z | x ) deno te the chan nel transition prob - abilities, while x, y and z ra nge throug h fin ite sets X , Y and Z , respectively . In o rder to d eriv e mo re gen eral b ounds, we assume that the chann el between the oppon ent and receiver is noiseless, and that the oppo nent c an send anything over this channel. Note that this a ssumption does not in cur any loss of generality , a nd a ctually gives the op ponent advantages, sin ce any noisy chann el can be simulated by this noiseless chan nel by simply rando mizing the transmitted signal. T o ide ntify the tran smitter , we assume that the source and the d estination have a commo n secret key K ran ging from a set K h a ving |K| po ssible v alues. T o transmit the message M , the sou rce uses a stochastic e ncoding fu nction f to co n vert the message and key into a leng th n vecto r X , i.e. , X = f ( K, M ) . Upon receiving Y , which m ay c ome fro m eith er th e source or the oppo nent, the destination u ses a d ecoding functio n g to judge w hether th e me ssage is authentic or not. I f th e sign al is deemed authentic, then the d estination recovers the message ˆ M = g ( Y , K ) ; o therwise the destina tion sets φ = g ( Y , K ) . W e req uire the cond ition that, if th e signa l is authen tic, th e decodin g error probab ility at the d estination must approach zero as th e len gth of the code increases, i.e., fo r any ǫ > 0 , there is a positive integer n 0 , such that when n ≥ n 0 , we have P e = Pr { g ( Y , K ) 6 = M | Y co mes fr om X } ≤ ǫ . The erro r prob ability P e consists of two par ts: P 1 and P 2 , where P 1 is the pro bability o f a miss, which is th e prob ability that th e rec eiv e r wro ngly re jects an a uthentic m essage, an d P 2 is the prob ability that the deco der co rrectly acce pts the signal as being authen tic but incorr ectly decod es it. The oppo nent is assumed to b e aware o f the system design , except for the particular realizations k and m of the key K and me ssage M . W e co nsider both of the two forms of attack described abov e. That is, we co nsider the imperson ation attack , in which the opponen t sends code word X to t he recei ver before the transmitter send s a nything. Such an attack is suc cessful if X is accepted as authentic by the receiver , and we denote this proba bility of suc cess as P I as noted above. W e also consider the substitution a ttack, in which the op ponent blocks the transmission o f the m ain chan nel while receiving Z . After that, the oppo nent modifies the signal and tr ansmits it to the receiver . T his attack is considered to be successfu l if the modified signal is accep ted as authen tic by the r eceiv er an d is decoded into m ′ that is not eq ual to the or iginal m essage m . Again, the suc cess probab ility of this attack is denoted by P S . I I I . A U T H E N T I C A T I O N O F A S I N G L E M E S S AG E A. The W ir etap Chan nel W e begin by revie wing som e results related to the wireta p channel in troduced in [2]. The wiretap c hannel is defined by two DMCs X → ( Y , Z ) , where X is th e input alphabet from the transmitter, Y is the output alphabet at the legitimate receiver a nd Z is the output alphabet at the wiretapper . I n the wir etap ch annel, th e wiretap per is a ssumed to be passive, and th e goal is to transmit info rmation to the destination while preventing inform ation leaka ge to the wiretapper . More specifically , to send a m essage M ∈ M , th e transmitter sends X = f ( M ) , wher e f is a stochastic en coder . After receiving Y , the destina tion obtain s an estima te ˆ M = g ( Y ) . A perf ectly secure rate R s is said to be achievable if th ere exist f an d g , such that fo r r each ǫ > 0 , there is a positive in teger n 0 , such that ∀ n > n 0 |M| ≥ 2 nR s (1) Pr { ˆ M 6 = M } ≤ ǫ, and (2) 1 n I ( M ; Z ) ≤ ǫ. (3) The per fect secr ecy capacity C s is defined to be the su pre- mum of the set of R s values that satisfy the cond itions (1) - (3). It is p roved in [3] th at the per fect secr ecy c apacity is giv en by C s = max U → X → Y Z [ I ( U ; Y ) − I ( U ; Z )] , where U is an au xiliary random variable satisfying the Markov chain relationship U → X → Y Z . The source-wir etapper channel is said to be le ss n oisy th an the m ain ch annel, if for all p ossible U th at satisfy the above Markov chain relationship , one has I ( U ; Z ) > I ( U ; Y ) . W e can see that the per fect secrecy capacity is nonze ro unless the wiretapper channel is less noisy than the ma in ch annel. B. A uthenticatio n S cheme W e use the wiretap chann el to perf orm authen tication. More specifically , if the wiretapper chan nel is no t less n oisy than the main chan nel, there exists an in put distribution P X such th at I ( X ; Y ) − I ( X ; Z ) > 0 . For a giv en key size |K| , there exists a positive in teger n 0 , such that ∀ n ≥ n 0 , exp { n ( I ( X ; Y ) − I ( X ; Z )) } > |K| . In our tra nsmission sch eme, we separ ate the transmission of inform ation and key . The sou rce first sends the message M using a co de f or the wiretap ch annel, and then sen ds the key K using the same c ode bo ok. After re ceiving these signals, the d estination obtain s an estimate ˆ M of the m essage an d a separate estimate ˆ K of th e key . If ˆ K = K , the re ceiv e r accepts the message to be authentic; other wise it rejects th e message. For an imperson ation attack, the optimal strategy for th e oppon ent is to choose the key th at has the largest prob ability of being accepted by the receiver , i.e., P I = max k ′ ∈K ( X k ∈K P ( k ) γ ( k , k ′ ) ) , where γ ( k , k ′ ) is an indicator fu nction that eq uals 1 if k ′ is accepted as auth entic, and equals 0 in o ther cases. In our scheme, γ ( k , k ′ ) = 1 if k ′ = k ; other wise γ ( k , k ′ ) = 0 . For a sub stitution attack, the optimal stra tegy fo r th e op po- nent is to cho ose m ′ and k ′ such that the pro bability of the message b eing accepted b y the receiver an d being deco ded into m ′ 6 = m , is max imized, i.e., P S = X z 1 , z 2 P ( z 1 , z 2 ) max m ′ ∈M ,k ′ ∈K    X m,k P ( m, k | z 1 , z 2 ) γ ( m, k , m ′ , k ′ )    = X z 1 , z 2 P ( z 1 ) P ( z 2 ) max m ′ ∈M ,k ′ ∈K    X m,k P ( m | z 1 ) P ( k | z 2 ) γ ( m, m ′ ) γ ( k, k ′ )    , where z 1 is the signal received for the m essage p art and z 2 is the signal r eceiv ed f or the key part. Here γ ( m, k , m ′ , k ′ ) = 1 if m ′ 6 = m and k ′ = k , an d equals 0 otherwise. Th e second equality in the above expr ession is d ue to the fact th at M and K a re indepen dent, and thus that Z 1 and Z 2 are also indepen dent. T o simp lify the analysis, we first upp er-bound P S as follows P S = X z 1 , z 2 P ( z 1 ) P ( z 2 ) max m ′ ∈M ,k ′ ∈K    X m,k P ( m | z 1 ) P ( k | z 2 ) γ ( m, m ′ ) γ ( k, k ′ )    ( a ) ≤ X z 1 , z 2 P ( z 1 ) P ( z 2 ) max m ∈M ,k ∈K { P ( m | z 1 ) P ( k | z 2 ) } ( b ) ≤ X z 1 P ( z 1 ) X z 2 P ( z 2 ) max k ∈K { P ( k | z 2 ) } ! = X z 2 P ( z 2 ) max k ∈K { P ( k | z 2 ) } . (4) In this expression, in equality (a) follows by assuming that γ ( m, m ′ ) = 1 and γ ( k, , k ′ ) = 1 for m ′ = arg max m ∈M P ( m | z 1 ) and k ′ = arg ma x k ∈K P ( k | z 2 ) . If th is is no t the case, the summation will only be smaller, since γ ( x, y ) is the indicator function . Inequality (b ) follows from the fact that P ( m | z 1 ) ≤ 1 . In the sequ el, we will use this upper-bound , and henc e we can igno re the message tr ansmission par t z 1 . Conseq uently , we write z 2 as z for the sake of simplicity of no tation. After receiving Z , th e opp onent ga ins an amount I ( K ; Z ) of info rmation about the key , and thus can use th is informatio n to choo se k that maxim izes P ( k | z 2 ) . From (3), we have that I ( K ; Z ) ≤ n ǫ. (5) The inequality in (5) is not eno ugh to an alyze (4) for the following two reason s. First, though ǫ is small, nǫ can go to infinity as n grows, and he nce the opp onent may eventually gain a sufficient am ount of infor mation ab out the key . This point ha s been pointed ou t in [8]–[ 10]. Th e secon d reason is that the re is a maximization in the summand in (4), which means that we nee d to consider the worst case scenar io, whereas I ( K ; Z ) is an average qu antity . Actually , this fact is exploited in [ 4], [5] to derive the lower bound s by replacing this max imization with an averaging, which readily gives us a lower boun d and is mor e amen able to analysis. In this pap er , we b orrow techniq ues fro m [ 10], [11] to analyze this term. C. Bound s W e begin with some defin itions. Let C be a co debook for the wiretap chann el, and let ˜ P ( x , z ) be the joint distribution on C × Z n . W e d enote by Q ( z ) the marginal distribution of z when the in put distribution is limited to C , an d b y P ( x | z ) = ˜ P ( x , z ) /Q ( z ) the conditional distribution of x given z . Let {C 1 , · · · , C N } be a partition of C , an d denote this partition as a mapp ing, i.e., f : C → {C 1 , · · · , C N } . Also denote by Q j the c onditiona l distribution of z when the input distribution is un iform on C j , i.e., Q j ( z ) = X x ∈C j ˜ P ( x , z ) /P ( C j ) . Define d av ( f ) = N P j =1 P ( C j ) d ( Q j , Q ) , with d ( Q j , Q ) = X z ∈Z n    Q j ( z ) − Q ( z )    . Here d ( Q j , Q ) is the L 1 distance between the tw o distributions Q j and Q . When d ( Q j , Q ) is zero , th e oppon ent cannot distinguish b etween the un iform inpu t distributions o n C j and C by observ ing only the chann el ou tput. Intuitively , if ther e exists a set C and a cor respond ing partition f such th at d av ( f ) is arbitrar ily small, the receiver gains no info rmation ab out th e subset C j from which the transmitted codeword x comes, given the chan nel o utput z . W e can rewrite d av ( f ) as fo llows d av ( f ) = N X j =1 X z ∈Z n    P ( C j ) Q j ( z ) − P ( C j ) Q ( z )    = X z ∈Z n Q ( z ) d ( z ) , with d ( z ) = N X j =1    P ( C j | z ) − P ( C j )    . Here d ( z ) is the L 1 distance between uniform d istribution and conditiona l distribution of the key after o bserving z at th e oppon ent. W e need th e following lemma from [10] . Lemma 1 ( [10]): Consider a wiretap chan nel X → ( Y , Z ) , an d ch oose δ > 0 . Supp ose T P ⊂ X n is a type class with P ( x ) bo unded away fr om 0, an d suc h th at I ( X ; Y ) > I ( X ; Z ) + 2 δ . Th en, there exist a co deboo k C with size |C | = exp { n ( I ( X ; Y ) − δ ) } , d rawn fro m T P , and e qual-size disjoint subsets C 1 , · · · , C N of C with N ≤ exp { n ( I ( X ; Y ) − I ( X ; Z ) − 2 δ ) } , such that C = N S i =1 C i is the codeword with exponen tially small av erage pro bability of error for the main chann el X → Y . Moreover , the partition fu nction f : C → { 1 , · · · , N } of C with f − 1 ( i ) = C i , i = 1 , · · · , N has expo nentially sma ll d av ( f ) for the distribution ˜ P C defined o n C × Z n by ˜ P C ( x , z ) = 1 |C | P ( z | x ) , x ∈ C , z ∈ Z n . Pr oof: Please see [10] . Our main result is the fo llowing theore m. Theor em 1: If the sou rce-wiretapp er chann el is not less noisy than th e main channel, the n P I = P S = 2 − H ( K ) , and hence, P D = 2 − H ( K ) . Pr oof: (Sketch) For the lower -b ound , the oppo nent can guess the value of the key . If the gu ess is co rrect, the op ponen t can in voke any attack and the attack will be su ccessful. The probab ility that the opponent g uesses the v alue of k ey c orrectly is 2 − H ( K ) . This provides a lower bou nd. W e outline the proof of a tigh t upper-bou nd in the following. If the so urce- wiretapper channel is not less noisy than the main chan nel, there exists an input distribution such that the secrecy rate is larger th an z ero. W e generate a codeb ook for th e wiretap channel accor ding to this inpu t distribution and transmit the message and key separately u sing this c odeboo k. T o bo und the success pr obability of the substitutio n attack, we first b ound the ’max ’ sign in (4) with d ( z ) . W e then link d av ( f ) to the mutual information leaked to the opp onent. Using the fact that the mutual infor mation leakage in the wiretap chann el can be arbitrarily sm all if the secrecy capac ity is nonzero , we o btain an upper-boun d for the success pr obability of the substitution attack that is arbitrarily close to 2 − H ( K ) . Th e optimal strategy f or the im personation attack of th e op ponent is to guess the value of the key , hen ce the succ ess p robability of the imperso nation attack is boun ded by 2 − H ( K ) . I V . A U T H E N T I C AT I O N O F M U LT I P L E M E S S AG E S In this section, we consider th e situatio n in wh ich the sam e key K is used to authen ticate a sequen ce of J me ssages. W e use the same scheme as f or th e sing le message case. That is, we send the message and th e key sepa rately f or each packet using a co de f or th e wiretap ch annel. Let P I ,i be the success probab ility of the imper sonation attack after the op ponen t h as observed i − 1 transmission s, i.e., the op ponent s ends codeword X i to cheat th e destination after ob serving Z 1 , · · · , Z i − 1 . Th is attack is su ccessful if X i is accepted as authentic by th e destination. The optim al attack strategy of the o pponen t is to choose to send the key k ′ with the largest su ccess proba bility; that is P I ,i = X z 1 , ··· , z i − 1 P ( z 1 , · · · , z i − 1 ) max k ′ ∈K ( X k ∈K P ( k | z 1 , · · · , z i − 1 ) γ ( k, k ′ ) ) ≤ X z 1 , ··· , z i − 1 P ( z 1 , · · · , z i − 1 ) max k ∈K { P ( k | z 1 , · · · , z i − 1 ) } , (6) where γ ( k, k ′ ) is the in dicator f unction d efined above. The oppo nent can also choo se to i n voke a substitution attack after receiving the i th transmission, i. e., it changes the co ntent of the i th package and send s it to the destination. Th e attack is successful if the mod ified message is accepted as authen tic and the de stination deco des it into an incorre ct so urce state. On deno ting the success p robability of this attack to be P S,i , we have P S,i = X z i, 0 , z 1 , ··· , z i P ( z i, 0 , z 1 , · · · , z i ) max m ′ ∈M ,k ′ ∈K    X m,k P ( m, k | z i, 0 , z 1 , · · · , z i ) γ ( m, k , m ′ , k ′ )    , where z i, 0 is th e m essage pa rt of the i th packet. Following the same steps as those in (4), we can b ound P S,i as P S,i ≤ X z 1 , ··· , z i P ( z 1 , · · · , z i ) max k ∈K { P ( k | z 1 , · · · , z i ) } . (7) Note th at (6) an d ( 7) have similar for ms. Hence, we can derive tight b ounds for only one of these attacks. Th e result f or the other attack follows similarly . Obviously , th e opp onent will choo se th e attack th at maxi- mizes its ch eating prob ability P D . Bound s for P I ,i and P S,i under the n oiseless tran smission mo del were derived in [ 5], which shows that P D = max { P I , 1 , · · · , P I ,J , P S, 1 , · · · , P S,J } ≥ 2 − H ( K ) / ( J +1) . This implies that after se veral ro unds of authen tication, the oppon ent o btains almost all the informatio n ab out the key and hence ca n ch oose an attack having a hig h success proba bility . On th e other hand, in the n oisy chann el mode l, we show that one can lim it the inform ation leaked to th e oppon ent, an d thus the success p robability of the op ponent will no t increase ev en by o bserving mo re p ackets. Theor em 2: For any finite J , P I ,i = P S,i = 2 − H ( K ) , i ∈ { 1 , · · · , J } . Hence, P D = 2 − H ( K ) . Pr oof: (Sketch) For the lower -b ound, the op ponen t can guess th e value of th e key . If the gu ess is co rrect, the op ponen t can in voke any attack and the attac k will be successful. Th e probab ility that the opponent g uesses the v alue of k ey c orrectly is 2 − H ( K ) . This pr ovides a lower boun d. For a tigh t upper- bound , we first upper bound the key informatio n leaked to the opponen t. W e then follow the similar steps as those of the single m essage authen tication case an d obtain an uppe r- bound of the success probab ility of the substitution attack that is ar bitrarily clo se to 2 − H ( K ) . Similarly , we o btain an upp er- bound for the imp ersonation attack that is arbitrarily close to 2 − H ( K ) . V . C O N C L U S I O N S In th is paper, we h av e studied the pro blem of message authenticatio n in the presen ce of cha nnel noise. W e have derived infor mation theoretic lower and uppe r b ounds f or the success prob ability o f an oppo nent’ s im personation attack and substitution attack in single and multiple m essage authen tica- tion scenarios. W e h av e further sho wn th at the lo we r and upper bound ma tch, an d th us ha ve completely characterized these probab ilities. W e have fur ther shown that, com pared with the classical au thentication mo del in which channel is assumed to be noiseless, the o pponen t’ s suc cess pro bability is largely reduced . W e thus have establishe d the utility of ch annel n oise in m essage authenticatio n a pplications. Exploiting other ch aracteristics of ch annels, such as ch annel fading, to facilitate message authentication is an interesting av enue fo r fu rther re search. Also of interest is the d ev elop- ment of auth entication theory for th e scenario in which the source and destination p ossess correlated, b ut not identical, sequences, wh ich h as obvious pr actical implication s. R E F E R E N C E S [1] C. E. Shannon , “Communication theory of secrecy systems, ” Bell System T ec hnical Jou rnal , vol. 28, pp. 656–715, Oct. 1949. [2] A. D. W yner, “The wire-tap channel, ” Bell System T ec hnical Jo urnal , vol. 54, no. 8, pp. 1355–1387, 1975. [3] I. Csisz ´ ar and J. K ¨ orner , “Broadca st channels with confidenti al mes- sages, ” IE EE T ransactions on Information Theory , vol. 24, pp. 339–348, May 1978. [4] G. J. Simmons, “ Authenti cati on theory/ coding theory , ” in Proce edings of CRYPTO 84 on Advances in Cryptolo gy , (New Y ork, NY , USA), pp. 411–431, Springer-V erla g Inc., 1985. [5] U. M. Maurer , “ Authe ntica tion theory and hypothesi s testing, ” IEEE T rans. on Information Theory , vol. 46, pp. 1350–1356, Jul. 2000. [6] Y . L iu and C. G. Boncelet, “The CRC-NTMA C for noisy message au- thenti cati on, ” IEEE T ransactions on Information F ore nsics and Security , vol. 1, pp. 517–523, Dec. 2006. [7] C. G. Boncelet , “The NT MA C for authentic ation of noisy messages, ” IEEE T ransaction s on Information F or ensics and Security , vol. 1, pp. 35–42, Mar . 2006. [8] C. H. Bennett , G. Brassard, C. Crepeau, and U. M. Maurer , “General- ized pri vac y amplificatio n, ” IEEE T ransactio ns on Information Theory , vol. 41, pp. 1915–1923, Nov . 1995. [9] U. M. Maurer and S. W olf, “Information-t heoreti c ke y agreement: From weak to strong s ecrec y for free, ” Lectur e Notes in Computer Science , vol. 1807, pp. 356–373, 2000. [10] I. Csisz ´ a r, “ Almost independenc e and secrecy capacity , ” Probl ems of Informatio n T ransmission , vol . 32, pp. 40–47, Jan. 1996. [11] R. Ahlswede and I. Csiszar , “Common randomness in information theory and cryptogr aphy , part II: CR capacity , ” IEEE T ransact ions on Informatio n Theory , vol. 44, pp. 225–240, Jan. 1998. [12] T . M. Co ver and J. A. Thomas, Elements of Information Theory . New Y ork: W iley , 1991. [13] U. M. Maurer and S. W olf, “Secret ke y agreement ov er a non- authent icated channel - Part I: Definiti ons and bounds, ” IEEE Tr ans- actions on Information Theory , vol. 49, pp. 822–831, Apr . 2003.