Message Authentication Code over a Wiretap Channel

Message Authentication Code (MAC) is a keyed function $f_K$ such that when Alice, who shares the secret $K$ with Bob, sends $f_K(M)$ to the latter, Bob will be assured of the integrity and authenticity of $M$. Traditionally, it is assumed that the channel is noiseless. However, Maurer showed that in this case an attacker can succeed with probability $2^{-\frac{H(K)}{\ell+1}}$ after authenticating $\ell$ messages. In this paper, we consider the setting where the channel is noisy. Specifically, Alice and Bob are connected by a discrete memoryless channel (DMC) $W_1$ and a noiseless but insecure channel. In addition, an attacker Oscar is connected with Alice through DMC $W_2$ and with Bob through a noiseless channel. In this setting, we study the framework that sends $M$ over the noiseless channel and the traditional MAC $f_K(M)$ over channel $(W_1, W_2)$. We regard the noisy channel as an expensive resource and define the authentication rate $\rho_{auth}$ as the ratio of message length to the number $n$ of channel $W_1$ uses. The security of this framework depends on the channel coding scheme for $f_K(M)$. A natural coding scheme is to use the secrecy capacity achieving code of Csisz'{a}r and K"{o}rner. Intuitively, this is also the optimal strategy. However, we propose a coding scheme that achieves a higher $\rho_{auth}.$ Our crucial point for this is that in the secrecy capacity setting, Bob needs to recover $f_K(M)$ while in our coding scheme this is not necessary. How to detect the attack without recovering $f_K(M)$ is the main contribution of this work. We achieve this through random coding techniques.

💡 Research Summary

The paper “Message Authentication Code over a Wiretap Channel” studies the problem of authenticating messages when the communication medium is noisy, rather than the traditional noiseless setting. Alice and Bob share a secret key K. They communicate over two parallel links: (i) a noiseless but insecure public channel (controlled by the adversary Oscar) used to transmit a short auxiliary string S, and (ii) a discrete memoryless wiretap channel (W₁ from Alice to Bob, W₂ from Alice to Oscar). The goal is to send a message M and a MAC tag T = f_K(M) while minimizing the usage of the expensive noisy channel. The authors define the authentication rate ρ_auth = |M|/n, where n is the number of uses of W₁.

A natural baseline is to encode the tag T with a secrecy‑capacity‑achieving code (Csiszár‑Körner). This guarantees that Bob can fully recover T, but it forces the rate to be ρ_auth = ρ_tag·C_s, where C_s = H(X|Z) − H(X|Y) is the wiretap secrecy capacity. The authors argue that full recovery of T is unnecessary: in the honest case Bob can recompute T from M and K, and in the attack case he only needs to detect inconsistency between the received noisy vector Yⁿ and the public string S′.

The main contribution is a new coding scheme that exploits this observation. The construction proceeds as follows:

1. Tag Generation: Use an ε‑almost strongly universal (ε‑ASU) hash family to compress M into a short tag T. Such hash families have provable collision bounds and are efficiently implementable.

2. Channel Coding without Full Recovery: Instead of a secrecy‑capacity code, the authors design a random codebook of size roughly 2^{n(H(X|Z)−δ)} (for any small δ>0). The codewords Xⁿ are drawn i.i.d. according to a distribution that maximizes H(X|Z). The decoder at Bob’s side does not attempt to recover T. Rather, it checks whether the pair (S′,Yⁿ) is jointly typical with respect to the distribution induced by a legitimate transmission. If the pair is typical, Bob accepts and recomputes T = h_K(M) locally; otherwise he rejects.

3. Security Analysis: Using typical‑sequence arguments and the properties of ε‑ASU hashing, the authors show that an unbounded adversary Oscar, even after a polynomial number of authentication attempts, can succeed only with probability ≤2^{−Ω(n)}. The analysis hinges on the fact that Oscar’s observation Zⁿ provides negligible information about the codeword Xⁿ because the codebook is essentially “wiretap‑secure” (H(X|Z) is large), while Bob’s observation Yⁿ together with the public S′ is sufficient to detect any tampering with overwhelming probability.

4. Rate Improvement: The achieved authentication rate is ρ_auth = ρ_tag·(H(X|Z) − δ). Compared with the baseline ρ_tag·C_s, the ratio is 1 − H(X|Y)/H(X|Z) < 1, which can be arbitrarily close to 1 when the main channel W₁ is much less noisy than the eavesdropper channel W₂. Thus the new scheme strictly outperforms the secrecy‑capacity approach in terms of channel usage efficiency.

5. Practical Considerations: The authors note that the noisy channel can be instantiated by any error‑correcting coded wireless or Internet link, and the ε‑ASU hash can be realized with standard algebraic constructions (e.g., polynomial hashing over finite fields). The scheme therefore requires only modest additional computational overhead while delivering a provably information‑theoretic level of authentication security.

In summary, the paper introduces a novel perspective on MAC design over wiretap channels: by abandoning the requirement that the receiver fully decode the MAC tag, and instead relying on statistical consistency checks, it achieves a higher authentication rate without sacrificing security. The work bridges cryptographic authentication and information‑theoretic secrecy, offering a concrete coding strategy that could be deployed in real noisy communication systems where bandwidth is at a premium.