Non-interactive authentication

The main advantage of non-interactive authentication is that the signer can simply send an authenticated message off, e.g., by electronic mail, whereas an interactive protocol requires an on-line connection. 

In signature schemes with non-interactive authentication, the message that the signer s entity sends during authentication can be called the signature. 

In the case of interactive authentication, as with all interactive protocols, an important criterion is the round complexity, i.e., the number of rounds needed. Message complexity, the number of separate messages sent during a protocol execution, essentially equals round complexity in 2-party protocols, but bit complexity, the number of bits sent, is as important as usual. The bit complexity of non-interactive authentication is the length of the signature. 

Transfers in all existing signature schemes with arbitrary or finite transferability are non-interactive. Most of them are with non-interactive authentication, too, and in the transfer, the original signature is simply passed on. Only the test carried out by the recipient s entity depends on the acceptance level i in signature schemes with finite transferability. 

I see no real benefit in the existence of a public key in a general setting, because in contrast to properties like non-interactive authentication, it does not reduce any complexity parameter. Nevertheless, public keys occur naturally in many constructions. 

As shown in Figure 6.1, all these schemes are with non-interactive authentication, i.e., the notion of a signature exists, and without invisibility. Additional service properties they have in common are ... 

An algorithm lest exists because of non-interactive authentication. 

This section sketches the information-theoretically secure signature schemes from [ChRo91, PfWa92, Waid91]. These schemes are with non-interactive authentication and 2-party disputes hence one can speak of signatures and of testing them. 

According to Section 6.1.2, standard fail-stop signature schemes are with non-interactive authentication. Hence, as described in Section 5.3.2, one can identify two non-interactive algorithms sign and test. Moreover, there is no dependence on the recipient. 

Arbitrary transferability is easy to achieve as a consequence of the existence of public keys and non-interactive authentication The entity of the former recipient of a signed message can simply pass the signature on, and the entity of the new recipient tests it with the normal algorithm test. (Signatures had to be stored anyway in case of disputes.) The effectiveness of transfers, i.e., the requirement that the new recipient should accept the signature, is guaranteed information-theoretically without error probability because both entities have the same public key. 

Schemes with non-interactive authentication and no dependence on the recipient. Then, as usual, test is used by the recipient s entity in authentication, and the recipients are the testers. 

The term normal , as opposed to invisible , is short for 2-party disputes or 3-party disputes at the recipient s discretion interactive and non-interactive refer to authentication. 

External verifiability of authentication is easy to achieve because authentication is non-interactive, public keys exist, and test is deterministic and memory-less restr If the message exchange during authentication, i.e., sending the signature, takes place on a reliable broadcast channel (as it is standard when external verifiability is considered), all entities that took part in initialization can test the signature with the same public key. 

---