Combinatorial Bounds and Characterizations of
Splitting Authentication Codes
This work was supported by the Deutsche Forschungsgemeinschaft (DFG) via a Heisenberg grant (Hu954/4) and a Heinz Maier-Leibnitz Prize grant (Hu954/5).
Abstract
We present several generalizations of results for splitting authentication codes by studying the aspect of multifold security. As the two primary results, we prove a combinatorial lower bound on the number of encoding rules and a combinatorial characterization of optimal splitting authentication codes that are multifold secure against spoofing attacks. The characterization is based on a new type of combinatorial designs, which we introduce and for which basic necessary conditions are given regarding their existence.
Mathematics Subject Classification: 94A60, 94C30
Cryptogr. Commun.
1 Introduction
Authenticity is one of the fundamental components in cryptography and information security. Typically, communicating parties would like to be assured of the authenticity of information they obtain via potentially insecure channels. Concerning unconditional (theoretical) authenticity, authentication codes can be used to minimize the possibility of an undetected deception. Their initial study appears to be that of Gilbert, MacWilliams & Sloane gil74 (). A more general and systematic theory of authenticity was developed by Simmons Sim84 (); Sim85 ().
We primarily focus on authentication codes with splitting in this paper. In such a code, several messages can be used to communicate a particular plaintext (nondeterministic encoding). This concept plays an important role, for instance, in the context of authentication codes that permit arbitration (see, for example, John94 (); Kur94 (); Kur01 (); Sim88 (); Sim90 ()). We will deal with splitting authentication codes from a combinatorial point of view. By studying the aspect of multifold security, we obtain several natural generalizations of results on splitting authentication codes. As the two primary results, we prove a combinatorial lower bound on the number of encoding rules and a combinatorial characterization of optimal splitting authentication codes that are multifold secure against spoofing attacks.
For splitting authentication codes that are onefold secure against spoofing attacks, Brickell Brick84 () and Simmons Sim90 () have established a combinatorial lower bound on the number of encoding rules. We will give a combinatorial lower bound accordingly for multifold secure splitting authentication codes. Ogata et al. Ogata04 () introduced splitting balanced incomplete block designs (BIBDs). They proved basic necessary conditions for their existence and derived a Fisher-type inequality. Furthermore, they established an equivalence between splitting BIBDs and optimal onefold secure splitting authentication codes. We will extend the notion of splitting BIBDs to splitting designs. Comprehensive necessary conditions regarding their existence will be given. Moreover, we will prove an equivalence between splitting designs and optimal fold secure splitting authentication codes.
The paper is organized as follows. In Section 2, we give the definition and concept of multifold secure splitting authentication codes. We introduce splitting designs and prove basic necessary conditions for their existence in Section 3. With respect to our further purposes, we summarize in Section 4 the state-of-the-art for authentication codes without splitting. In Section 5, lower bounds on deception probabilities and the number of encoding rules are established for multifold secure splitting authentication codes. A combinatorial characterization of optimal multifold secure splitting authentication codes in terms of splitting designs is given in Section 6. We finally conclude the paper and propose further research problems in Section 7.
2 Splitting Authentication Codes
Splitting authentication codes were first introduced by Simmons Sim82 (). These codes are useful, inter alia, for the analysis of authentication codes with arbitration. In particular, Kur01 () gives an equivalence between splitting authentication codes and authentication codes with arbitration.
We use the unconditionally (theoretically) secure authentication model developed by Simmons (e.g. Sim82 (); Sim84 (); Sim85 (); Sim92 ()). Our notation follows, for the most part, that of Mass86 (); Ogata04 (); Stin90 (). In this model, three participants are involved: a transmitter, a receiver, and an opponent. The transmitter wants to communicate information to the receiver via a public communications channel. The receiver in return would like to be confident that any received information actually came from the transmitter and not from some opponent (integrity of information). The transmitter and the receiver are assumed to trust each other. Sometimes this is also called an code.
Let denote a finite set of source states (or plaintexts), a finite set of messages (or ciphertexts), and a finite set of encoding rules (or keys). Using an encoding rule , the transmitter encrypts a source state to obtain the message to be sent over the channel. The encoding rule is communicated to the receiver via a secure channel prior to any messages being sent. When it is possible that more than one message can be used to communicate a particular source state under the same encoding rule , then the authentication code is said to have splitting. In this case, a message is computed as , where denotes a random number chosen from some specified finite set . If we define
for each encoding rule and each source state , then splitting means that for some and some . In order to ensure that the receiver can decrypt the message being sent, it is required for any that if . For a given encoding rule , let
denote the set of valid messages. For an encoding rule and a set of distinct messages, we define
i.e., the set of source states that will be encoded under encoding rule by a message in . A received message will be accepted by the receiver as being authentic if and only if . When this is fulfilled, the receiver decrypts the message by applying the decoding rule , where
A splitting authentication code is called splitting if
for every encoding rule and every source state . We note that an authentication code can be represented algebraically by a encoding matrix with the rows indexed by the encoding rules , the columns indexed by the source states , and the entries defined by . As a simple example, Table 1 displays an encoding matrix of a splitting authentication code for source states, having messages and encoding rules (cf. Example 6).
[Table 1: encoding matrix of the splitting authentication code; entries not available]
2.1 Protection Against Spoofing Attacks
We address the scenario of a spoofing attack of order (cf. Mass86 ()): Suppose that an opponent observes distinct messages, which are sent through the public channel using the same encoding rule. The opponent then inserts a new message (being distinct from the messages already sent), hoping to have it accepted by the receiver as authentic. The cases and are called impersonation game and substitution game, respectively. These cases have been studied in detail in recent years for authentication codes without splitting (see, e.g., Stin92 (); Stin96 ()) and with splitting (see, e.g., Blund99 (); DeSoete91 (); Ogata04 ()). However, much less is known for the cases in particular for splitting authentication codes.
For any , we assume that there is some probability distribution on the set of subsets of source states, so that any set of source states has a nonzero probability of occurring. For simplification, we ignore the order in which the source states occur, and assume that no source state occurs more than once. Given this probability distribution on the set of source states, the receiver and transmitter also choose a probability distribution on the set of encoding rules, called an encoding strategy. It is assumed that the opponent knows the encoding strategy being used. If splitting occurs, then the receiver/transmitter will also choose a splitting strategy to determine , given and (this corresponds to nondeterministic encoding). The transmitter/receiver will determine these strategies to minimize the chance of being deceived by the opponent. The deception probability denotes the probability that the opponent can deceive the transmitter/receiver with a spoofing attack of order .
3 Splitting Designs
There are natural and deep connections between authentication codes and combinatorial designs, see, for example, crc06 (); Hub2009 (); Ogata04 (); pei06 (); Stin90 (); Stin92 (); Stin96 (). The close relationship between cryptography and designs was presumably first revealed in Shannon’s classical paper Shan49 () on secrecy systems.
In order to give a combinatorial characterization of multifold secure splitting authentication codes in the remainder of the paper, we define in this section a new type of combinatorial designs. Let us first recall the classical notion of a combinatorial design (see, for instance, BJL1999 ()):
For positive integers and , a  design is a pair , satisfying the following properties:

is a set of elements, called points,

is a family of subsets of , called blocks,

every subset of is contained in exactly blocks.
By convention, denotes the number of blocks. It is easily seen that
For encyclopedic references on combinatorial designs, we refer to BJL1999 (); crc06 (). A recent treatment on highly regular designs and their applications in information and coding theory can be found, e.g., in Hu2008 (); Hu2009 ().
The notion of a splitting balanced incomplete block design (BIBD) has been introduced by Ogata et al. Ogata04 (). We will extend this concept to splitting designs:
For positive integers with and , a  splitting design is a pair , satisfying the following properties:

is a set of elements, called points,

is a family of subsets of , called blocks, such that every block is expressed as a disjoint union
with and ,

every subset of is contained in exactly blocks such that
for each , and are mutually distinct.
A splitting design is a splitting BIBD. As a simple example, take as point set
and as block set
with
This gives a  splitting design (see (Ogata04, , Ex. 5.1)).
A  splitting design can be obtained (via a computer search) by taking as point set
and as block set
with
We prove some basic necessary conditions for the existence of splitting designs:
Let be a  splitting design, and for a positive integer , let with . Then the number of blocks containing each element of as per Definition 3 is given by
In particular, for , a  splitting design is also an  splitting design.
We count in two ways the number of pairs , where and such that
for each with mutually distinct, and . First, each of the blocks such that
for each with mutually distinct gives
such pairs. Second, there are
such subsets with , each giving pairs by Definition 3. ∎
As it is customary for designs, we also set denoting the number of blocks containing a given point. The above elementary counting arguments give the following assertions.
Let be a  splitting design. Then the following holds:



for .
The above proposition extends the result (Ogata04, , Lemma 5.1), where (b) and (c) have been proved for the case when .
Since in Proposition 3 each must be an integer, we obtain furthermore the subsequent necessary arithmetic conditions.
Let be a  splitting design. Then
for each positive integer .
Ogata et al. Ogata04 () proved a Fisher-type inequality for splitting BIBDs. As a splitting design with is also a splitting design in view of Lemma 3, we derive
If is a  splitting design with , then
4 Authentication Codes without Splitting
With respect to our further purposes, we summarize the state-of-the-art for authentication codes without splitting:
The following theorems (cf. Mass86 (); Sch86 ()) give combinatorial lower bounds on cheating probabilities as well as on the size of encoding rules for multifold secure authentication codes:
[Massey] In an authentication code without splitting, for every , the deception probabilities are bounded below by
We remark that a code is called fold secure against spoofing if
for all .
[Massey–Schöbi] If an authentication code without splitting is fold secure against spoofing, then the number of encoding rules is bounded below by
Such a code is called optimal if the number of encoding rules meets the lower bound with equality. When the source states are known to be independent and equiprobable, optimal authentication codes without splitting which are multifold secure against spoofing have been characterized via designs (cf. DeS88 (); Sch86 (); Stin90 ()).
[DeSoete–Schöbi–Stinson] Suppose there is a  design. Then there is an authentication code without splitting for equiprobable source states, having messages and encoding rules, that is fold secure against spoofing. Conversely, if there is an optimal authentication code without splitting for equiprobable source states, having messages and encoding rules, that is fold secure against spoofing, then there is a  design.
Combinatorial constructions of optimal multifold secure authentication codes without splitting which simultaneously achieve perfect secrecy have been obtained recently via the following theorem (see Hub2009 ()).
[Huber] Suppose there is a  design, where divides the number of blocks . Then there is an optimal authentication code without splitting for equiprobable source states, having messages and encoding rules, that is fold secure against spoofing and provides perfect secrecy.
5 Combinatorial Bounds for Splitting Authentication Codes
In this section, we give combinatorial lower bounds on deception probabilities, and a combinatorial lower bound on the size of encoding rules for splitting authentication codes that are multifold secure against spoofing.
We first state lower bounds on cheating probabilities for splitting authentication codes (see Blund99 (); DeSoete91 ()).
[DeSoete–Blundo–DeSantis–Kurosawa–Ogata] In a splitting authentication code, for every , the deception probabilities are bounded below by
A splitting authentication code is called fold secure against spoofing if
for all .
We prove now a lower bound on the size of encoding rules for multifold secure splitting authentication codes.
If a splitting authentication code is fold secure against spoofing, then the number of encoding rules is bounded below by
Let be a set of distinct messages that are valid under a particular encoding rule, in such a way that they define different source states. Let be any message not in . We assume that there is no encoding rule under which all messages in are valid and for which . Following the proof of Theorem 5, mutatis mutandis, yields
a contradiction. Therefore, any set of distinct messages is valid under at least one encoding rule such that they define different source states. The bound follows now by counting in two ways the number of subsets of messages that are valid under some encoding rule such that they correspond to different source states. ∎
Analogously, we call a splitting authentication code optimal if the number of encoding rules meets the lower bound with equality.
The above theorem generalizes results by Brickell Brick84 () and Simmons Sim90 (), where a lower bound in the case of onefold secure splitting authentication codes has been established.
As a consequence, we obtain for splitting authentication codes the following lower bounds:
In a splitting authentication code,
for every .
If a splitting authentication code is fold secure against spoofing, then
6 Combinatorial Characterizations of Optimal Splitting Authentication Codes
Ogata et al. (Ogata04, , Thms. 5.4 and 5.5) characterized in 2004 optimal splitting authentication codes that are onefold secure against spoofing. Their combinatorial result is based on splitting BIBDs.
[Ogata–Kurosawa–Stinson–Saido] Suppose there is a  splitting design. Then there is an optimal splitting authentication code for equiprobable source states, having messages and encoding rules, that is onefold secure against spoofing. Conversely, if there is an optimal splitting authentication code for source states, having messages and encoding rules, that is onefold secure against spoofing, then there is a  splitting design.
An example is as follows (cf. (Ogata04, , Ex. 5.2)):
An optimal splitting authentication code for equiprobable source states, having messages and encoding rules, that is onefold secure against spoofing can be constructed from the  splitting design in Example 3. Each encoding rule is used with probability . An encoding matrix is given in Table 2.
{1,2}  {3,5}  
{2,3}  {4,6}  
{3,4}  {5,7}  
{4,5}  {6,8}  
{5,6}  {7,9}  
{6,7}  {8,1}  
{7,8}  {9,2}  
{8,9}  {1,3}  
{9,1}  {2,4} 
We give a natural extension of Theorem 6. We prove that optimal splitting authentication codes that are multifold secure against spoofing can be characterized in terms of splitting designs.
Suppose there is a  splitting design with . Then there is an optimal splitting authentication code for equiprobable source states, having messages and encoding rules, that is fold secure against spoofing. Conversely, if there is an optimal splitting authentication code for source states, having messages and encoding rules, that is fold secure against spoofing, then there is a  splitting design.
Let us first assume that there is an optimal splitting authentication code for source states, having messages and encoding rules, that is fold secure against spoofing. In order to meet the lower bound in Theorem 5 with equality, every set of distinct messages must be valid under precisely one encoding rule, in such a way that they define different source states. For , let us define a block as disjoint union
Then is a  splitting design in view of Definition 3.
To prove the other direction, let . For every block with
we arbitrarily define an encoding rule via
for each . Using every encoding rule with equal probability establishes the claim. ∎
We present an example:
An optimal splitting authentication code for equiprobable source states, having messages and encoding rules, that is twofold secure against spoofing can be constructed from the  splitting design in Example 3. Each encoding rule is used with probability . An encoding matrix is given in Table 3.
{1,2}  {4,0}  {5,9}  
{1,3}  {2,8}  {5,0}  
{1,4}  {3,8}  {6,9}  
{1,5}  {4,7}  {6,8}  
{1,7}  {2,3}  {4,8}  
{1,8}  {2,5}  {6,9}  
{1,8}  {6,7}  {9,0}  
{1,9}  {2,5}  {3,7}  
{1,9}  {3,4}  {7,0}  
{2,4}  {5,6}  {7,9}  
{2,5}  {4,7}  {3,0}  
{2,9}  {6,8}  {3,0}  
{2,0}  {4,5}  {6,8}  
{3,7}  {4,6}  {8,0}  
{3,9}  {5,7}  {6,0} 
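The following check is an added example, not part of the original paper. It reads the encoding matrices of Tables 2 and 3 as block sets, computes the splitting-design index by direct counting, and evaluates the opponent's best spoofing success for each attack order. It assumes equiprobable encoding rules, equiprobable source states and a uniform splitting strategy, and counts a deception only when the inserted message decodes to a source state not yet sent; all function names are hypothetical.

```python
from fractions import Fraction
from itertools import combinations, product

def parse(text):
    """'12.35' -> one encoding rule with sub-blocks {1,2} and {3,5}."""
    return [[frozenset(map(int, sub)) for sub in rule.split(".")]
            for rule in text.split()]

# Rows of Table 2 and Table 3 (one encoding rule per row, one sub-block
# of messages per source state), copied from the tables above.
TABLE2 = parse("12.35 23.46 34.57 45.68 56.79 67.81 78.92 89.13 91.24")
TABLE3 = parse("12.40.59 13.28.50 14.38.69 15.47.68 17.23.48 18.25.69 "
               "18.67.90 19.25.37 19.34.70 24.56.79 25.47.30 29.68.30 "
               "20.45.68 37.46.80 39.57.60")

def points(rules):
    return sorted(set().union(*(sub for rule in rules for sub in rule)))

def transversals(rule, t):
    """All t-sets of messages lying in t mutually distinct sub-blocks."""
    for subs in combinations(rule, t):
        for choice in product(*subs):
            yield frozenset(choice)

def index_counts(rules, t):
    """For each t-subset of points: number of blocks containing it with
    its points in mutually distinct sub-blocks."""
    counts = {frozenset(c): 0 for c in combinations(points(rules), t)}
    for rule in rules:
        for tr in transversals(rule, t):
            counts[tr] += 1
    return counts

def splitting_index(rules, t):
    """Common index lambda if every t-subset has the same count, else None."""
    values = set(index_counts(rules, t).values())
    return values.pop() if len(values) == 1 else None

def spoofing_values(rules, i):
    """Best success probability of a spoofing attack of order i, collected
    over every message set the opponent can observe. Under the uniform
    assumptions the posterior over compatible encoding rules is uniform."""
    results = set()
    observed = {tr for rule in rules for tr in transversals(rule, i)}
    for seen in observed:
        compatible = [r for r in rules if seen in set(transversals(r, i))]
        best = Fraction(0)
        for m in points(rules):
            if m in seen:
                continue
            # Rules accepting m as a message for a source state not yet sent.
            hits = sum(seen | {m} in set(transversals(r, i + 1))
                       for r in compatible)
            best = max(best, Fraction(hits, len(compatible)))
        results.add(best)
    return results

if __name__ == "__main__":
    for name, rules, t in (("Table 2", TABLE2, 2), ("Table 3", TABLE3, 3)):
        print(name, "index for t =", t, "is", splitting_index(rules, t))
        for i in range(t):
            print("  order", i, "->", sorted(spoofing_values(rules, i)))
```

A single value per attack order means the opponent gains nothing from choosing which messages to wait for; the ratio of consecutive indices (for Table 3: 15, 9, 4, 1) gives exactly these probabilities.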
7 Conclusion
We have given a combinatorial lower bound on the number of encoding rules for splitting authentication codes that are multifold secure against spoofing attacks. Moreover, we have provided a combinatorial characterization of those codes that attain these bounds. Our characterization was based on a new type of combinatorial designs, which we introduced and for which basic necessary conditions regarding their existence were given. For future research, at least two directions would be of interest:

Construction of multifold secure splitting authentication codes: Using Theorem 6, this asks for constructing  splitting design for . We remark that in the case when , various combinatorial constructions have been obtained recently in Du04 (); Ge05 (); Wan06 () via recursive and direct constructions by the method of differences.

Including the aspect of perfect secrecy: Is it possible to give a characterization of optimal splitting authentication codes that are multifold secure against spoofing and simultaneously achieve perfect secrecy in the sense of Shannon? For the case of multifold secure authentication codes without splitting such a result has been established lately in Hub2009 () (cf. Theorem 4).
Acknowledgments
I thank the two anonymous referees for their careful reading and suggestions that helped improve the presentation of the paper. I also thank Moritz Eilers and Christoff Hische for running the computer search for Example 3.
References
 (1) T. Beth, D. Jungnickel, and H. Lenz, Design Theory, vol. I and II, Encyclopedia of Math. and Its Applications, vol. 69/78, Cambridge Univ. Press, Cambridge, 1999.
 (2) C. Blundo, A. De Santis, K. Kurosawa, and W. Ogata, “On a fallacious bound for authentication codes”, J. Cryptology, vol. 12, pp. 155–159, 1999.
 (3) E. F. Brickell, “A few results in message authentication”, Congr. Numer., vol. 43, pp. 141–154, 1984.
 (4) C. J. Colbourn and J. H. Dinitz (eds.), Handbook of Combinatorial Designs, 2nd ed., CRC Press, Boca Raton, 2006.
 (5) M. De Soete, “Some constructions for authentication-secrecy codes”, in Advances in Cryptology – EUROCRYPT 1988, ed. by Ch. G. Günther, Lecture Notes in Computer Science, vol. 330, Springer, Berlin, Heidelberg, New York, pp. 23–49, 1988.
 (6) M. De Soete, “New bounds and constructions for authentication/secrecy codes with splitting”, J. Cryptology, vol. 3, pp. 173–186, 1991.
 (7) B. Du, “Splitting balanced incomplete block designs with block size ”, J. Combin. Des., vol. 12, pp. 404–420, 2004.
 (8) G. Ge, Y. Miao, and L. Wang, “Combinatorial constructions for optimal splitting authentication codes”, SIAM J. Discrete Math., vol. 18, pp. 663–678, 2005.
 (9) E. N. Gilbert, F. J. MacWilliams, and N. J. A. Sloane, “Codes which detect deception”, Bell Syst. Tech. J., vol. 53, pp. 405–424, 1974.
 (10) M. Huber, “Authentication and secrecy codes for equiprobable source probability distributions”, in Proc. IEEE International Symposium on Information Theory (ISIT) 2009, pp. 1105–1109, 2009.
 (11) M. Huber, Flag-transitive Steiner Designs, Birkhäuser, Basel, Berlin, Boston, 2009.
 (12) M. Huber, “Coding theory and algebraic combinatorics”, in Selected Topics in Information and Coding Theory, ed. by I. Woungang et al., World Scientific, Singapore, 38 pages, 2010 (in press). Preprint at arXiv:0811.1254v1.
 (13) T. Johansson, “Lower bounds on the probability of deception in authentication with arbitration”, IEEE Trans. Inform. Theory, vol. 40, pp. 1573–1585, 1994.
 (14) K. Kurosawa, “New bound on authentication code with arbitration”, in Advances in Cryptology – CRYPTO 1994, ed. by Y. Desmedt, Lecture Notes in Computer Science, vol. 839, Springer, Berlin, Heidelberg, New York, pp. 140–149, 1994.
 (15) K. Kurosawa and S. Obana, “Combinatorial bounds on authentication codes with arbitration”, Designs, Codes and Cryptography, vol. 22, pp. 265–281, 2001.
 (16) J. L. Massey, “Cryptography – a selective survey”, in Digital Communications, ed. by E. Biglieri and G. Prati, North-Holland, Amsterdam, New York, Oxford, pp. 3–21, 1986.
 (17) W. Ogata, K. Kurosawa, D. R. Stinson, and H. Saido, “New combinatorial designs and their applications to authentication codes and secret sharing schemes”, Discrete Math., vol. 279, pp. 383–405, 2004.
 (18) D. Pei, Authentication Codes and Combinatorial Designs, CRC Press, Boca Raton, 2006.
 (19) P. Schöbi, “Perfect authentication systems for data sources with arbitrary statistics” (presented at EUROCRYPT 1986), unpublished.
 (20) C. E. Shannon, “Communication theory of secrecy systems”, Bell Syst. Tech. J., vol. 28, pp. 656–715, 1949.
 (21) G. J. Simmons, “A game theory model of digital message authentication”, Congr. Numer., vol. 34, pp. 413–424, 1982.
 (22) G. J. Simmons, “Message authentication: a game on hypergraphs”, Congr. Numer., vol. 45, pp. 161–192, 1984.
 (23) G. J. Simmons, “Authentication theory/coding theory”, in Advances in Cryptology – CRYPTO 1984, ed. by G. R. Blakley and D. Chaum, Lecture Notes in Computer Science, vol. 196, Springer, Berlin, Heidelberg, New York, pp. 411–432, 1985.
 (24) G. J. Simmons, “Message authentication with arbitration of transmitter/receiver disputes”, in Advances in Cryptology – EUROCRYPT 1987, ed. by D. Chaum and W. L. Price, Lecture Notes in Computer Science, vol. 304, Springer, Berlin, Heidelberg, New York, pp. 150–165, 1988.
 (25) G. J. Simmons, “A Cartesian product construction for unconditionally secure authentication codes that permit arbitration”, J. Cryptology, vol. 2, pp. 77–104, 1990.
 (26) G. J. Simmons, “A survey of information authentication”, in Contemporary Cryptology: The Science of Information Integrity, ed. by G. J. Simmons, IEEE Press, Piscataway, pp. 379–419, 1992.
 (27) D. R. Stinson, “The combinatorics of authentication and secrecy codes”, J. Cryptology, vol. 2, pp. 23–49, 1990.
 (28) D. R. Stinson, “Combinatorial characterizations of authentication codes”, Designs, Codes and Cryptography, vol. 2, pp. 175–187, 1992.
 (29) D. R. Stinson and R. S. Rees, “Combinatorial characterizations of authentication codes II”, Designs, Codes and Cryptography, vol. 7, pp. 239–259, 1996.
 (30) J. Wang, “A new class of optimal splitting authentication codes”, Designs, Codes and Cryptography, vol. 38, pp. 373–381, 2006.