On the Optimality of Keyless Authentication in a Noisy Model
We further study the keyless authentication problem in the noisy model of our previous work, where no secret setup is available for sender Alice and receiver Bob, while there is a DMC $W_1$ from Alice to Bob and a two-way noiseless but insecure channel between them. We propose a construction such that the message length over DMC $W_1$ does not depend on the size of the source space. If the source space is ${\cal S}$ and the number of channel $W_1$ uses is $n$, then our protocol only has a round complexity of $\log^*|{\cal S}|-\log^* n+4$. In addition, we show that the round complexity of any secure protocol in our model is lower bounded by $\log^*|{\cal S}|-\log^* n-5$. We also obtain a lower bound on the success probability when the message size on DMC $W_1$ is given. Finally, we derive the capacity for a non-interactive authentication protocol under general DMCs, which extends the result under BSCs in our previous work.
💡 Research Summary
The paper studies keyless authentication in a setting where Alice and Bob share no secret information, but have access to a discrete memoryless channel (DMC) W₁ from Alice to Bob, a second DMC W₂ from the adversary Oscar to Bob, and a completely public, unauthenticated two‑way noiseless channel. Oscar can observe all communications over both channels, tamper with the noiseless messages, and impersonate Alice using W₂. The goal is to design protocols that prevent two types of attacks: (i) a substitution attack where Oscar modifies the public exchange to make Bob accept a state not sent by Alice, and (ii) an impersonation attack where Oscar authenticates an arbitrary state to Bob.
The authors extend their earlier three‑round construction to a protocol whose length over W₁ (the “expensive” noisy channel) is independent of the size of the source space S. By employing a (v, b, r, λ) set system—a combinatorial structure originally used in block designs—they map source messages to blocks, transmit block identifiers over W₁, and use the public channel to exchange verification tokens that allow both parties to confirm the consistency of the selected blocks. The protocol proceeds in ν rounds; each round consists of a transmission over W₁ followed by a public‑channel exchange. The total number of uses of W₁ is denoted by n, and the round complexity of the construction is shown to be
log*|S| − log* n + 4,
where log* denotes the iterated logarithm (the number of times the logarithm must be applied before the result drops below 2). This expression demonstrates that even for astronomically large source spaces, the number of rounds grows only very slowly.
A complementary lower bound is proved: any protocol that achieves information‑theoretic security in this model must use at least
log*|S| − log* n − 5
rounds. The proof combines the existence of set systems with the non‑redundancy property of DMCs, showing that insufficient rounds would allow Oscar to succeed in either a type‑I or type‑II attack with non‑negligible probability. Consequently, the proposed construction is essentially optimal with respect to round complexity.
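To make the two round expressions concrete, the following added example (not code from the paper) evaluates them for constructed parameter choices. It assumes base-2 logarithms, which the summary does not specify; the function names are hypothetical.

```python
def log_star(x: int) -> int:
    """Iterated logarithm as defined above: how many times log2 must be
    applied before the value drops below 2 (base 2 is an assumption)."""
    if x < 1:
        raise ValueError("log* is only evaluated here for integers >= 1")
    count = 0
    while x >= 2:
        # floor(log2(x)) computed exactly, even for integers far beyond
        # float range. Flooring between steps does not change the count,
        # because every threshold 2^k that matters is itself an integer.
        x = x.bit_length() - 1
        count += 1
    return count


def round_bounds(source_size: int, n: int) -> tuple[int, int]:
    """Return (lower, upper): log*|S| - log* n - 5 and log*|S| - log* n + 4."""
    core = log_star(source_size) - log_star(n)
    return core - 5, core + 4


def bounds_table() -> list[tuple[str, int, int, int]]:
    """Evaluate both expressions for constructed (|S|, n) pairs."""
    samples = [
        ("2^128", 2**128, 256),          # 128-bit source states
        ("2^65536", 2**65536, 16),       # 8 KiB source states
        ("2^(2^20)", 2**(2**20), 1024),  # 128 KiB source states
    ]
    rows = []
    for label, size, n in samples:
        lower, upper = round_bounds(size, n)
        rows.append((label, n, lower, upper))
    return rows


if __name__ == "__main__":
    for label, n, lower, upper in bounds_table():
        print(f"|S|={label:>9}  n={n:>5}  lower={lower:>3}  upper={upper}")
```

The two expressions always differ by exactly 9. For these sample sizes the upper expression stays at 5 or 6 rounds while the lower expression is negative, since log*|S| does not exceed 5 for any of them.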
Beyond round complexity, the paper derives a quantitative bound on Oscar’s success probability when the total number of symbols transmitted over W₁ is fixed. Using typical‑sequence analysis and concentration inequalities, the authors show that the success probability decays exponentially in n (e.g., Pr(succ) ≤ 2^{‑Ω(n)}), providing a concrete security guarantee for practical parameter choices.
Finally, the authors address the non‑interactive (single‑round) authentication scenario. They define the authentication rate as log|S| / n, where n is the number of symbols sent over W₁, and determine the capacity for arbitrary DMCs W₁ and W₂. The capacity is expressed as
C = max_{P_X}