Combinatorial Bounds and Characterizations of Splitting Authentication Codes

This work was supported by the Deutsche Forschungsgemeinschaft (DFG) via a Heisenberg grant (Hu954/4) and a Heinz Maier-Leibnitz Prize grant (Hu954/5).


Michael Huber
Wilhelm-Schickard-Institute for Computer Science, University of Tuebingen, Sand 13, 72076 Tuebingen, Germany
email: michael.huber@uni-tuebingen.de
Received: July 17, 2009 / Accepted: January 19, 2010
Abstract

We present several generalizations of results for splitting authentication codes by studying the aspect of multi-fold security. As the two primary results, we prove a combinatorial lower bound on the number of encoding rules and a combinatorial characterization of optimal splitting authentication codes that are multi-fold secure against spoofing attacks. The characterization is based on a new type of combinatorial designs, which we introduce and for which basic necessary conditions are given regarding their existence.

Mathematics Subject Classification: 94A60, 94C30

Keywords: Information authenticity, unconditional security, authentication code, splitting, non-deterministic encoding, splitting design.

Journal: Cryptogr. Commun.

1 Introduction

Authenticity is one of the fundamental components in cryptography and information security. Typically, communicating parties would like to be assured of the authenticity of information they obtain via potentially insecure channels. Concerning unconditional (theoretical) authenticity, authentication codes can be used to minimize the possibility of an undetected deception. Their initial study appears to be that of Gilbert, MacWilliams & Sloane gil74 (). A more general and systematic theory of authenticity was developed by Simmons Sim84 (); Sim85 ().

We primarily focus on authentication codes with splitting in this paper. In such a code, several messages can be used to communicate a particular plaintext (non-deterministic encoding). This concept plays an important role, for instance, in the context of authentication codes that permit arbitration (see, for example, John94 (); Kur94 (); Kur01 (); Sim88 (); Sim90 ()). We will deal with splitting authentication codes from a combinatorial point of view. By studying the aspect of multi-fold security, we obtain several natural generalizations of results on splitting authentication codes. As the two primary results, we prove a combinatorial lower bound on the number of encoding rules and a combinatorial characterization of optimal splitting authentication codes that are multi-fold secure against spoofing attacks.

For splitting authentication codes that are one-fold secure against spoofing attacks, Brickell Brick84 () and Simmons Sim90 () have established a combinatorial lower bound on the number of encoding rules. We will give a combinatorial lower bound accordingly for multi-fold secure splitting authentication codes. Ogata et al. Ogata04 () introduced splitting balanced incomplete block designs (BIBDs). They proved basic necessary conditions for their existence and derived a Fisher-type inequality. Furthermore, they established an equivalence between splitting BIBDs and optimal one-fold secure splitting authentication codes. We will extend the notion of splitting BIBDs to splitting -designs. Comprehensive necessary conditions regarding their existence will be given. Moreover, we will prove an equivalence between splitting -designs and optimal -fold secure splitting authentication codes.

The paper is organized as follows. In Section 2, we give the definition and concept of multi-fold secure splitting authentication codes. We introduce splitting designs and prove basic necessary conditions for their existence in Section 3. With respect to our further purposes, we summarize in Section 4 the state-of-the-art for authentication codes without splitting. In Section 5, lower bounds on deception probabilities and the number of encoding rules are established for multi-fold secure splitting authentication codes. A combinatorial characterization of optimal multi-fold secure splitting authentication codes in terms of splitting designs is given in Section 6. We finally conclude the paper and propose further research problems in Section 7.

2 Splitting Authentication Codes

Splitting authentication codes were first introduced by Simmons Sim82 (). These codes are useful, inter alia, for the analysis of authentication codes with arbitration. In particular, Kur01 () gives an equivalence between splitting authentication codes and authentication codes with arbitration.

We use the unconditional (theoretical) secure authentication model developed by Simmons (e.g. Sim82 (); Sim84 (); Sim85 (); Sim92 ()). Our notation follows, for the most part, that of Mass86 (); Ogata04 (); Stin90 (). In this model, three participants are involved: a transmitter, a receiver, and an opponent. The transmitter wants to communicate information to the receiver via a public communications channel. The receiver in return would like to be confident that any received information actually came from the transmitter and not from some opponent (integrity of information). The transmitter and the receiver are assumed to trust each other. Sometimes this is also called an -code.

Let denote a finite set of source states (or plaintexts), a finite set of messages (or ciphertexts), and a finite set of encoding rules (or keys). Using an encoding rule , the transmitter encrypts a source state to obtain the message to be sent over the channel. The encoding rule is communicated to the receiver via a secure channel prior to any messages being sent. When it is possible that more than one message can be used to communicate a particular source state under the same encoding rule , then the authentication code is said to have splitting. In this case, a message is computed as , where denotes a random number chosen from some specified finite set . If we define

for each encoding rule and each source state , then splitting means that for some and some . In order to ensure that the receiver can decrypt the message being sent, it is required for any that if . For a given encoding rule , let

denote the set of valid messages. For an encoding rule and a set of distinct messages, we define

i.e., the set of source states that will be encoded under encoding rule by a message in . A received message will be accepted by the receiver as being authentic if and only if . When this is fulfilled, the receiver decrypts the message by applying the decoding rule , where

A splitting authentication code is called -splitting if

for every encoding rule and every source state . We note that an authentication code can be represented algebraically by a -encoding matrix with the rows indexed by the encoding rules , the columns indexed by the source states , and the entries defined by . As a simple example, Table 1 displays an encoding matrix of a -splitting authentication code for source states, having messages and encoding rules (cf. Example 6).

{} {}
{} {}
{} {}
{} {}
{} {}
{} {}
{} {}
{} {}
{} {}
Table 1: An example of a splitting authentication code.

2.1 Protection Against Spoofing Attacks

We address the scenario of a spoofing attack of order (cf. Mass86 ()): Suppose that an opponent observes distinct messages, which are sent through the public channel using the same encoding rule. The opponent then inserts a new message (being distinct from the messages already sent), hoping to have it accepted by the receiver as authentic. The cases and are called impersonation game and substitution game, respectively. These cases have been studied in detail in recent years for authentication codes without splitting (see, e.g., Stin92 (); Stin96 ()) and with splitting (see, e.g., Blund99 (); DeSoete91 (); Ogata04 ()). However, much less is known for the cases in particular for splitting authentication codes.

For any , we assume that there is some probability distribution on the set of -subsets of source states, so that any set of source states has a non-zero probability of occurring. For simplification, we ignore the order in which the source states occur, and assume that no source state occurs more than once. Given this probability distribution on the set of source states, the receiver and transmitter also choose a probability distribution on the set of encoding rules, called an encoding strategy. It is assumed that the opponent knows the encoding strategy being used. If splitting occurs, then the receiver/transmitter will also choose a splitting strategy to determine , given and (this corresponds to non-deterministic encoding). The transmitter/receiver will determine these strategies to minimize the chance of being deceived by the opponent. The deception probability denotes the probability that the opponent can deceive the transmitter/receiver with a spoofing attack of order .

3 Splitting Designs

There are natural and deep connections between authentication codes and combinatorial designs, see, for example, crc06 (); Hub2009 (); Ogata04 (); pei06 (); Stin90 (); Stin92 (); Stin96 (). The close relationship between cryptography and designs was presumably first revealed in Shannon’s classical paper Shan49 () on secrecy systems.

In order to give a combinatorial characterization of multi-fold secure splitting authentication codes in the remainder of the paper, we define in this section a new type of combinatorial designs. Let us first recall the classical notion of a combinatorial -design (see, for instance, BJL1999 ()):

Definition. For positive integers and , a - design is a pair , satisfying the following properties:

  1. is a set of elements, called points,

  2. is a family of -subsets of , called blocks,

  3. every -subset of is contained in exactly blocks.

By convention, denotes the number of blocks. It is easily seen that

For encyclopedic references on combinatorial -designs, we refer to BJL1999 (); crc06 (). A recent treatment on highly regular designs and their applications in information and coding theory can be found, e.g., in Hu2008 (); Hu2009 ().

The notion of a splitting balanced incomplete block design (BIBD) has been introduced by Ogata et al. Ogata04 (). We will extend this concept to splitting -designs:

Definition. For positive integers with and , a - splitting design is a pair , satisfying the following properties:

  1. is a set of elements, called points,

  2. is a family of -subsets of , called blocks, such that every block is expressed as a disjoint union

    with and ,

  3. every -subset of is contained in exactly blocks such that

    for each , and are mutually distinct.

Example. A splitting -design is a splitting BIBD. As a simple example, take as point set

and as block set

with

This gives a - splitting design (see (Ogata04, Ex. 5.1)).

Example. A - splitting design can be obtained (via a computer search) by taking as point set

and as block set

with

We prove some basic necessary conditions for the existence of splitting designs:

Proposition. Let be a - splitting design, and for a positive integer , let with . Then the number of blocks containing each element of as per Definition 3 is given by

In particular, for , a - splitting design is also an - splitting design.

Proof. We count in two ways the number of pairs , where and such that

for each with mutually distinct, and . First, each of the blocks such that

for each with mutually distinct gives

such pairs. Second, there are

such subsets with , each giving pairs by Definition 3. □

As it is customary for -designs, we also set denoting the number of blocks containing a given point. The above elementary counting arguments give the following assertions.

Proposition. Let be a - splitting design. Then the following holds:

  1. for .

Remark. The above proposition extends the result (Ogata04, Lemma 5.1), where (b) and (c) have been proved for the case when .

Since in Proposition 3 each must be an integer, we obtain furthermore the subsequent necessary arithmetic conditions.

Proposition. Let be a - splitting design. Then

for each positive integer .

Ogata et al. Ogata04 () proved a Fisher-type inequality for splitting BIBDs. As a splitting -design with is also a splitting -design in view of Lemma 3, we derive

Proposition. If is a - splitting design with , then

4 Authentication Codes without Splitting

With respect to our further purposes, we summarize the state-of-the-art for authentication codes without splitting:

The following theorems (cf. Mass86 (); Sch86 ()) give combinatorial lower bounds on cheating probabilities as well as on the size of encoding rules for multi-fold secure authentication codes:

Theorem (Massey). In an authentication code without splitting, for every , the deception probabilities are bounded below by

We remark that a code is called -fold secure against spoofing if

for all .

Theorem (Massey–Schöbi). If an authentication code without splitting is -fold secure against spoofing, then the number of encoding rules is bounded below by

Such a code is called optimal if the number of encoding rules meets the lower bound with equality. When the source states are known to be independent and equiprobable, optimal authentication codes without splitting which are multi-fold secure against spoofing have been characterized via -designs (cf. DeS88 (); Sch86 (); Stin90 ()).

Theorem (DeSoete–Schöbi–Stinson). Suppose there is a - design. Then there is an authentication code without splitting for equiprobable source states, having messages and encoding rules, that is -fold secure against spoofing. Conversely, if there is an optimal authentication code without splitting for equiprobable source states, having messages and encoding rules, that is -fold secure against spoofing, then there is a - design.

Combinatorial constructions of optimal multi-fold secure authentication codes without splitting which simultaneously achieve perfect secrecy have been obtained recently via the following theorem (see Hub2009 ()).

Theorem (Huber). Suppose there is a - design, where divides the number of blocks . Then there is an optimal authentication code without splitting for equiprobable source states, having messages and encoding rules, that is -fold secure against spoofing and provides perfect secrecy.

5 Combinatorial Bounds for Splitting Authentication Codes

In this section, we give combinatorial lower bounds on deception probabilities, and a combinatorial lower bound on the size of encoding rules for splitting authentication codes that are multi-fold secure against spoofing.

We first state lower bounds on cheating probabilities for splitting authentication codes (see Blund99 (); DeSoete91 ()).

Theorem (DeSoete–Blundo–DeSantis–Kurosawa–Ogata). In a splitting authentication code, for every , the deception probabilities are bounded below by

A splitting authentication code is called -fold secure against spoofing if

for all .

We prove now a lower bound on the size of encoding rules for multi-fold secure splitting authentication codes.

Theorem. If a splitting authentication code is -fold secure against spoofing, then the number of encoding rules is bounded below by

Proof. Let be a set of distinct messages that are valid under a particular encoding rule, in such a way that they define different source states. Let be any message not in . We assume that there is no encoding rule under which all messages in are valid and for which . Following the proof of Theorem 5, mutatis mutandis, yields

a contradiction. Therefore, any set of distinct messages is valid under at least one encoding rule such that they define different source states. The bound follows now by counting in two ways the number of -subsets of messages that are valid under some encoding rule such that they correspond to different source states. □

Analogously, we call a splitting authentication code optimal if the number of encoding rules meets the lower bound with equality.

Remark. The above theorem generalizes results by Brickell Brick84 () and Simmons Sim90 (), where a lower bound in the case of one-fold secure splitting authentication codes has been established.

As a consequence, we obtain for -splitting authentication codes the following lower bounds:

Corollary. In a -splitting authentication code,

for every .

Proof. We set . Then Theorem 5 yields

□

Corollary. If a -splitting authentication code is -fold secure against spoofing, then

Proof. Using Theorem 5, we may proceed as for Corollary 5. □

6 Combinatorial Characterizations of Optimal Splitting Authentication Codes

Ogata et al. (Ogata04, Thms. 5.4 and 5.5) characterized in 2004 optimal splitting authentication codes that are one-fold secure against spoofing. Their combinatorial result is based on splitting BIBDs.

Theorem (Ogata–Kurosawa–Stinson–Saido). Suppose there is a - splitting design. Then there is an optimal -splitting authentication code for equiprobable source states, having messages and encoding rules, that is one-fold secure against spoofing. Conversely, if there is an optimal -splitting authentication code for source states, having messages and encoding rules, that is one-fold secure against spoofing, then there is a - splitting design.

An example is as follows (cf. (Ogata04, Ex. 5.2)):

Example. An optimal -splitting authentication code for equiprobable source states, having messages and encoding rules, that is one-fold secure against spoofing can be constructed from the - splitting design in Example 3. Each encoding rule is used with probability . An encoding matrix is given in Table 2.

{1,2} {3,5}
{2,3} {4,6}
{3,4} {5,7}
{4,5} {6,8}
{5,6} {7,9}
{6,7} {8,1}
{7,8} {9,2}
{8,9} {1,3}
{9,1} {2,4}
Table 2: Splitting authentication code from a - splitting design.

We give a natural extension of Theorem 6. We prove that optimal splitting authentication codes that are multi-fold secure against spoofing can be characterized in terms of splitting -designs.

Theorem. Suppose there is a - splitting design with . Then there is an optimal -splitting authentication code for equiprobable source states, having messages and encoding rules, that is -fold secure against spoofing. Conversely, if there is an optimal -splitting authentication code for source states, having messages and encoding rules, that is -fold secure against spoofing, then there is a - splitting design.

Proof. Let us first assume that there is an optimal -splitting authentication code for source states, having messages and encoding rules, that is -fold secure against spoofing. In order to meet the lower bound in Theorem 5 with equality, every set of distinct messages must be valid under precisely one encoding rule, in such a way that they define different source states. For , let us define a block as disjoint union

Then is a - splitting design in view of Definition 3.

To prove the other direction, let . For every block with

we arbitrarily define an encoding rule via

for each . Using every encoding rule with equal probability establishes the claim. □

We present an example:

Example. An optimal -splitting authentication code for equiprobable source states, having messages and encoding rules, that is two-fold secure against spoofing can be constructed from the - splitting design in Example 3. Each encoding rule is used with probability . An encoding matrix is given in Table 3.

{1,2} {4,0} {5,9}
{1,3} {2,8} {5,0}
{1,4} {3,8} {6,9}
{1,5} {4,7} {6,8}
{1,7} {2,3} {4,8}
{1,8} {2,5} {6,9}
{1,8} {6,7} {9,0}
{1,9} {2,5} {3,7}
{1,9} {3,4} {7,0}
{2,4} {5,6} {7,9}
{2,5} {4,7} {3,0}
{2,9} {6,8} {3,0}
{2,0} {4,5} {6,8}
{3,7} {4,6} {8,0}
{3,9} {5,7} {6,0}
Table 3: Splitting authentication code from a - splitting design.
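
The encoding matrices in Table 2 and Table 3 can be checked mechanically. The following Python sketch is an added example, not code from the paper: it transcribes both tables, verifies the splitting-design property by exhaustive counting, and computes the deception probabilities for spoofing attacks of each order, assuming uniform encoding rules, equiprobable source states and a uniform splitting strategy. The function names are hypothetical; the rule that a spoofed message must decode to a source state not yet used, and the two-way counting bound on the number of encoding rules, are read off the proof in Section 5 and instantiated here for codes whose cells all have the same size.

```python
from fractions import Fraction
from itertools import combinations, product
from math import comb


def parse(text):
    """Rows separated by '|', cells by spaces, one digit per message."""
    return [[set(map(int, cell)) for cell in row.split()] for row in text.split("|")]


# Encoding matrices transcribed from Table 2 and Table 3 of the page
# (row = encoding rule, column = source state, cell = admissible messages).
TABLE2 = parse("12 35|23 46|34 57|45 68|56 79|67 81|78 92|89 13|91 24")
TABLE3 = parse("12 40 59|13 28 50|14 38 69|15 47 68|17 23 48|18 25 69|18 67 90|"
               "19 25 37|19 34 70|24 56 79|25 47 30|29 68 30|20 45 68|37 46 80|"
               "39 57 60")


def points_of(rules):
    return set().union(*(cell for row in rules for cell in row))


def is_splitting_design(rules, t, lam=1):
    """True if every t-subset of points lies in exactly `lam` blocks with its
    t points in t different sub-blocks (columns of the encoding matrix)."""
    counts = {frozenset(T): 0 for T in combinations(sorted(points_of(rules)), t)}
    for row in rules:
        for cells in combinations(row, t):
            for pick in product(*cells):
                counts[frozenset(pick)] += 1
    return all(n == lam for n in counts.values())


def deception_probability(rules, i):
    """Spoofing attack of order i: the opponent sees i messages sent under one
    rule and inserts the new message most likely to be accepted.
    Assumes uniform rules, source states and splitting, and equal cell sizes,
    so every (rule, source states, messages) transcript is equally likely."""
    k = len(rules[0])
    seen = {}  # observed message set -> [(rule index, source states used)]
    for e, row in enumerate(rules):
        for cols in combinations(range(k), i):
            for pick in product(*(row[c] for c in cols)):
                seen.setdefault(frozenset(pick), []).append((e, set(cols)))
    total = sum(len(v) for v in seen.values())
    prob = Fraction(0)
    for observed, consistent in seen.items():
        best = 0
        for m in points_of(rules) - observed:
            # m wins under rule e if it is valid there for an unused source state
            wins = sum(1 for e, used in consistent
                       if any(m in rules[e][c] for c in range(k) if c not in used))
            best = max(best, wins)
        prob += Fraction(best, total)  # P(observed) * best conditional payoff
    return prob


def counting_bound(v, k, c, t):
    """Two-way count: each rule covers comb(k, t) * c**t of the comb(v, t)
    message t-subsets that must be valid with distinct source states."""
    return Fraction(comb(v, t), comb(k, t) * c ** t)


if __name__ == "__main__":
    for name, rules, t in (("Table 2", TABLE2, 2), ("Table 3", TABLE3, 3)):
        probs = [str(deception_probability(rules, i)) for i in range(t)]
        print(name, "design:", is_splitting_design(rules, t),
              "rules:", len(rules), "deception probabilities:", probs)
```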

7 Conclusion

We have given a combinatorial lower bound on the number of encoding rules for splitting authentication codes that are multi-fold secure against spoofing attacks. Moreover, we have provided a combinatorial characterization of those codes that attain these bounds. Our characterization was based on a new type of combinatorial designs, which we introduced and for which basic necessary conditions regarding their existence were given. For future research, at least two directions would be of interest:

  1. Construction of multi-fold secure splitting authentication codes: Using Theorem 6, this asks for constructing - splitting designs for . We remark that in the case when , various combinatorial constructions have been obtained recently in Du04 (); Ge05 (); Wan06 () via recursive and direct constructions by the method of differences.

  2. Including the aspect of perfect secrecy: Is it possible to give a characterization of optimal splitting authentication codes that are multi-fold secure against spoofing and simultaneously achieve perfect secrecy in the sense of Shannon? For the case of multi-fold secure authentication codes without splitting such a result has been established lately in Hub2009 () (cf. Theorem 4).

Acknowledgments

I thank the two anonymous referees for their careful reading and suggestions that helped improve the presentation of the paper. I also thank Moritz Eilers and Christoff Hische for running the computer search for Example 3.

References

  • (1) T. Beth, D. Jungnickel, and H. Lenz, Design Theory, vol. I and II, Encyclopedia of Math. and Its Applications, vol. 69/78, Cambridge Univ. Press, Cambridge, 1999.
  • (2) C. Blundo, A. De Santis, K. Kurosawa, and W. Ogata, “On a fallacious bound for authentication codes”, J. Cryptology, vol. 12, pp. 155–159, 1999.
  • (3) E. F. Brickell, “A few results in message authentication”, Congr. Numer., vol. 43, pp. 141–154, 1984.
  • (4) C. J. Colbourn and J. H. Dinitz (eds.), Handbook of Combinatorial Designs, 2nd ed., CRC Press, Boca Raton, 2006.
  • (5) M. De Soete, “Some constructions for authentication - secrecy codes”, in Advances in Cryptology – EUROCRYPT 1988, ed. by Ch. G. Günther, Lecture Notes in Computer Science, vol. 330, Springer, Berlin, Heidelberg, New York, pp. 23–49, 1988.
  • (6) M. De Soete, “New bounds and constructions for authentication/secrecy codes with splitting”, J. Cryptology, vol. 3, pp. 173–186, 1991.
  • (7) B. Du, “Splitting balanced incomplete block designs with block size ”, J. Combin. Des., vol. 12, pp. 404–420, 2004.
  • (8) G. Ge, Y. Miao, and L. Wang, “Combinatorial constructions for optimal splitting authentication codes”, SIAM J. Discrete Math., vol. 18, pp. 663–678, 2005.
  • (9) E. N. Gilbert, F. J. MacWilliams, and N. J. A. Sloane, “Codes which detect deception”, Bell Syst. Tech. J., vol. 53, pp. 405–424, 1974.
  • (10) M. Huber, “Authentication and secrecy codes for equiprobable source probability distributions”, in Proc. IEEE International Symposium on Information Theory (ISIT) 2009, pp. 1105–1109, 2009.
  • (11) M. Huber, Flag-transitive Steiner Designs, Birkhäuser, Basel, Berlin, Boston, 2009.
  • (12) M. Huber, “Coding theory and algebraic combinatorics”, in Selected Topics in Information and Coding Theory, ed. by I. Woungang et al., World Scientific, Singapore, 38 pages, 2010 (in press). Preprint at arXiv:0811.1254v1.
  • (13) T. Johansson, “Lower bounds on the probability of deception in authentication with arbitration”, IEEE Trans. Inform. Theory, vol. 40, pp. 1573–1585, 1994.
  • (14) K. Kurosawa, “New bound on authentication code with arbitration”, in Advances in Cryptology – CRYPTO 1994, ed. by Y. Desmedt, Lecture Notes in Computer Science, vol. 839, Springer, Berlin, Heidelberg, New York, pp. 140–149, 1994.
  • (15) K. Kurosawa and S. Obana, “Combinatorial bounds on authentication codes with arbitration”, Designs, Codes and Cryptography, vol. 22, pp. 265–281, 2001.
  • (16) J. L. Massey, “Cryptography – a selective survey”, in Digital Communications, ed. by E. Biglieri and G. Prati, North-Holland, Amsterdam, New York, Oxford, pp. 3–21, 1986.
  • (17) W. Ogata, K. Kurosawa, D. R. Stinson, and H. Saido, “New combinatorial designs and their applications to authentication codes and secret sharing schemes”, Discrete Math., vol. 279, pp. 383–405, 2004.
  • (18) D. Pei, Authentication Codes and Combinatorial Designs, CRC Press, Boca Raton, 2006.
  • (19) P. Schöbi, “Perfect authentication systems for data sources with arbitrary statistics” (presented at EUROCRYPT 1986), unpublished.
  • (20) C. E. Shannon, “Communication theory of secrecy systems”, Bell Syst. Tech. J., vol. 28, pp. 656–715, 1949.
  • (21) G. J. Simmons, “A game theory model of digital message authentication”, Congr. Numer., vol. 34, pp. 413–424, 1982.
  • (22) G. J. Simmons, “Message authentication: a game on hypergraphs”, Congr. Numer., vol. 45, pp. 161–192, 1984.
  • (23) G. J. Simmons, “Authentication theory/coding theory”, in Advances in Cryptology – CRYPTO 1984, ed. by G. R. Blakley and D. Chaum, Lecture Notes in Computer Science, vol. 196, Springer, Berlin, Heidelberg, New York, pp. 411–432, 1985.
  • (24) G. J. Simmons, “Message authentication with arbitration of transmitter/receiver disputes”, in Advances in Cryptology – EUROCRYPT 1987, ed. by D. Chaum and W. L. Price, Lecture Notes in Computer Science, vol. 304, Springer, Berlin, Heidelberg, New York, pp. 150–165, 1988.
  • (25) G. J. Simmons, “A Cartesian product construction for unconditionally secure authentication codes that permit arbitration”, J. Cryptology, vol. 2, pp. 77–104, 1990.
  • (26) G. J. Simmons, “A survey of information authentication”, in Contemporary Cryptology: The Science of Information Integrity, ed. by G. J. Simmons, IEEE Press, Piscataway, pp. 379–419, 1992.
  • (27) D. R. Stinson, “The combinatorics of authentication and secrecy codes”, J. Cryptology, vol. 2, pp. 23–49, 1990.
  • (28) D. R. Stinson, “Combinatorial characterizations of authentication codes”, Designs, Codes and Cryptography, vol. 2, pp. 175–187, 1992.
  • (29) D. R. Stinson and R. S. Rees, “Combinatorial characterizations of authentication codes II”, Designs, Codes and Cryptography, vol. 7, pp. 239–259, 1996.
  • (30) J. Wang, “A new class of optimal -splitting authentication codes”, Designs, Codes and Cryptography, vol. 38, pp. 373–381, 2006.