Key recycling in authentication
This work addresses a security flaw in a foundational authentication protocol, offering a composable proof that enables efficient key reuse for cryptographic applications.
The paper revisits Wegman and Carter's authentication protocol, showing that reusing hash functions with one-time pads leaks information when adversaries learn acceptance outcomes, but proves it remains ε-secure with ε-almost strongly universal2 hash functions, allowing key recycling with minimal error.
In their seminal work on authentication, Wegman and Carter propose that to authenticate multiple messages, it is sufficient to reuse the same hash function as long as each tag is encrypted with a one-time pad. They argue that because the one-time pad is perfectly hiding, the hash function used remains completely unknown to the adversary. Since their proof is not composable, we revisit it using a composable security framework. It turns out that the above argument is insufficient: if the adversary learns whether a corrupted message was accepted or rejected, information about the hash function is leaked, and after a bounded finite amount of rounds it is completely known. We show however that this leak is very small: Wegman and Carter's protocol is still $ε$-secure, if $ε$-almost strongly universal$_2$ hash functions are used. This implies that the secret key corresponding to the choice of hash function can be reused in the next round of authentication without any additional error than this $ε$. We also show that if the players have a mild form of synchronization, namely that the receiver knows when a message should be received, the key can be recycled for any arbitrary task, not only new rounds of authentication.