Authentication With a Guessing Adversary

TL;DR

This paper analyzes the minimum number of guesses an adversary needs to impersonate a user in an authentication system, extending existing guessing problem results to include side information, and characterizes the asymptotic deception exponent.

Contribution

It provides a complete characterization of the asymptotic guessing exponent for impersonation attacks, including scenarios with side information, advancing understanding of authentication security.

Findings

Derived the asymptotic exponent of guessing for impersonation

Extended the guessing problem to include side information

Connected the results to the Guessing problem by Arikan and Merhav

Abstract

In this paper, we consider the authentication problem where a candidate measurement presented by an unidentified user is compared to a previously stored measurement of the legitimate user, the enrollment, with respect to a certain distortion criteria for authentication. An adversary wishes to impersonate the legitimate user by guessing the enrollment until the system authenticates him. For this setting, we study the minimum number of required guesses (on average) by the adversary for a successful impersonation attack and find the complete characterization of the asymptotic exponent of this metric, referred to as the deception exponent. Our result is a direct application of the results of the Guessing problem by Arikan and Merhav [19]. Paralleling the work in [19] we also extend this result to the case where the adversary may have access to additional side information correlated to the enrollment data. The paper is a revised version of a submission to IEEE WIFS 2015, with the referencing to the paper [19] clarified compared with the conference version.