Constructing Optimal Authentication Codes
with Perfect Multifold Secrecy
Abstract
We establish a construction of optimal authentication codes achieving perfect multifold secrecy by means of combinatorial designs. This continues the author’s work (ISIT 2009, cf. [1]) and answers an open question posed therein. As an application, we present the first infinite class of optimal codes that provide twofold security against spoofing attacks and at the same time perfect twofold secrecy.
I Introduction
Authentication and secrecy are two crucial concepts in cryptography and information security. Although independent in their nature, various scenarios require that both aspects hold simultaneously. For informationtheoretic or unconditional security (i.e. robustness against an attacker that has unlimited computational resources), authentication and secrecy codes have been investigated for quite some time. The initial construction of authentication codes goes back to Gilbert, MacWilliams & Sloane [2]. A more general and systematic theory of authentication was developed by Simmons (e.g., [3, 4]). Fundamental work on secrecy codes started with Shannon [5].
This paper deals with the construction of optimal authentication codes with perfect multifold secrecy. It continues the author’s recent work [1], which naturally extended results by Stinson [6] on authentication codes with perfect secrecy. We will answer an important question left open in [1] that addresses the construction of authentication codes with perfect multifold secrecy for equiprobable source probability distributions. We establish a construction of optimal authentication codes which are multifold secure against spoofing attacks and simultaneously provide perfect multifold secrecy. This can be achieved by means of combinatorial designs. As an application, we present the first infinite class of optimal codes that achieve twofold security against spoofing as well as perfect twofold secrecy.
The paper is organized as follows: Necessary definitions and concepts from the theory of authentication and secrecy codes as well as from combinatorial design theory will be summarized in Section II. Section III gives relevant combinatorial constructions of optimal authentication codes which bear no secrecy assumptions. In Section IV, we review Stinson’s constructions in [6] and recent results from [1]. Section V is devoted to our new constructions.
Ii Preliminaries
Iia Authentication and Secrecy Codes
We rely on the informationtheoretical or unconditional secrecy model developed by Shannon [5], and by Simmons (e.g., [3, 4]) including authentication. Our notion complies, for the most part, with that of [6, 7]. In this model of authentication and secrecy three participants are involved: a transmitter, a receiver, and an opponent. The transmitter wants to communicate information to the receiver via a public communications channel. The receiver in return would like to be confident that any received information actually came from the transmitter and not from some opponent (integrity of information). The transmitter and the receiver are assumed to trust each other. Sometimes this is also called an code.
In what follows, let denote a set of source states (or plaintexts), a set of messages (or ciphertexts), and a set of encoding rules (or keys). Using an encoding rule , the transmitter encrypts a source state to obtain the message to be sent over the channel. The encoding rule is an injective function from to , and is communicated to the receiver via a secure channel prior to any messages being sent. For a given encoding rule , let denote the set of valid messages. For an encoding rule and a set of distinct messages, we define , i.e., the set of source states that will be encoded under encoding rule by a message in . A received message will be accepted by the receiver as being authentic if and only if . When this is fulfilled, the receiver decrypts the message by applying the decoding rule , where
An authentication code can be represented algebraically by a encoding matrix with the rows indexed by the encoding rules, the columns indexed by the source states, and the entries defined by (, ).
We address the scenario of a spoofing attack of order (cf. [7]): Suppose that an opponent observes distinct messages, which are sent through the public channel using the same encoding rule. The opponent then inserts a new message (being distinct from the messages already sent), hoping to have it accepted by the receiver as authentic. The cases and are called impersonation game and substitution game, respectively. These cases have been studied in detail in recent years (e.g., [8, 9]), however less is known for the cases . In this article, we focus on those cases where .
For any , we assume that there is some probability distribution on the set of subsets of source states, so that any set of source states has a nonzero probability of occurring. For simplification, we ignore the order in which the source states occur, and assume that no source state occurs more than once. Given this probability distribution on , the receiver and transmitter choose a probability distribution on (called encoding strategy) with associated independent random variables and , respectively. These distributions are known to all participants and induce a third distribution, , on with associated random variable . The deception probability is the probability that the opponent can deceive the receiver with a spoofing attack of order . The following theorem (cf. [7]) provides combinatorial lower bounds.
Theorem 1
Massey In an authentication code with source states and messages, the deception probabilities are bounded below by
An authentication code is called fold secure against spoofing if for all .
Moreover, we consider the concept of perfect multifold secrecy which has been introduced by Stinson [6] and generalizes Shannon’s fundamental idea of perfect (onefold) secrecy (cf. [5]). We say that an authentication code has perfect fold secrecy if, for every positive integer , for every set of messages observed in the channel, and for every set of source states, we have
That is, the a posteriori probability distribution on the source states, given that a set of messages is observed, is identical to the a priori probability distribution on the source states.
When clear from the context, we often only write instead of resp. .
IiB Combinatorial Designs
We recall the definition of a combinatorial design. For positive integers and , a  design is a pair , satisfying the following properties:

is a set of elements, called points,

is a family of subsets of , called blocks,

every subset of is contained in exactly blocks.
We denote points by lowercase and blocks by uppercase Latin letters. Via convention, let denote the number of blocks. Throughout this article, ‘repeated blocks’ are not allowed, that is, the same subset of points may not occur twice as a block. If holds, then we speak of a nontrivial design. For historical reasons, a  design with is called a Steiner design (sometimes also a Steiner system). The special case of a Steiner design with parameters and is called a Steiner triple system of order . A Steiner design with parameters and is called a Steiner quadruple system of order . Specifically, we are interested in Steiner quadruple systems in this paper. As a simple example, the vector space () with the set of blocks taken to be the set of all subsets of four distinct elements of whose vector sum is zero, is a nontrivial boolean Steiner quadruple system . More geometrically, these consist of the points and planes of the dimensional binary affine space .
For the existence of designs, basic necessary conditions can be obtained via elementary counting arguments (see, for instance, [10]):
Lemma 1
Let be a  design, and for a positive integer , let with . Then the number of blocks containing each element of is given by
In particular, for , a  design is also an  design.
It is customary to set denoting the number of blocks containing a given point. It follows
Lemma 2
Let be a  design. Then the following holds:



for .
Iii Optimal Authentication Codes
For our further purposes, we summarize the stateoftheart for authentication codes which bear no secrecy assumptions. The following theorem (cf. [7, 13]) gives a combinatorial lower bound on the number of encoding rules.
Theorem 2
Massey–Schöbi If an authentication code is fold against spoofing, then the number of encoding rules is bounded below by
An authentication code is called optimal if the number of encoding rules meets the lower bound with equality. When the source states are known to be independent and equiprobable, optimal authentication codes which are fold secure against spoofing can be constructed via designs (cf. [6, 13, 14]).
Theorem 3
DeSoete–Schöbi–Stinson Suppose there is a  design. Then there is an authentication code for equiprobable source states, having messages and encoding rules, that is fold secure against spoofing. Conversely, if there is an authentication code for equiprobable source states, having messages and encoding rules, that is fold secure against spoofing, then there is a Steiner  design.
Iv Stinson’s Constructions & Recent Results
Using the notation introduced in Section IIA, we review in Tables I and II previous constructions from [6, 1] for equiprobable source probability distributions. This lists all presently known optimal authentication codes with perfect secrecy.
Ref.  

1  1  [6]  
prime power  even  
1  1  (mod )  [1]  
1  1  (mod )  [1]  
1  1  (mod )  [1]  
2  1  [1]  
prime power  even  
2  1  (mod )  [1] 
Infinite classes
Ref.  
2  1  5  26  260  [1] 
5  11  66  [1]  
7  23  253  [1]  
5  23  1.771  [1]  
5  47  35.673  [1]  
3  1  5  83  367.524  [1] 
5  71  194.327  [1]  
5  107  1.032.122  [1]  
5  131  2.343.328  [1]  
5  167  6.251.311  [1]  
5  243  28.344.492  [1]  
6  12  132  [1]  
4  1  6  84  5.145.336  [1] 
6  244  1.152.676.008  [1] 
Further examples
V New Constructions
Starting from the condition of perfect fold secrecy, we obtain via Bayes’ Theorem that
It follows
Lemma 3
An authentication code has perfect fold secrecy if and only if, for every positive integer , for every set of messages observed in the channel and for every set of source states, we have
Hence, if the encoding rules in a code are used with equal probability, then for every , a given set of messages occurs with the same frequency in each columns of the encoding matrix.
We can now establish an extension of the main theorem in [1]. Our construction yields optimal authentication codes which are multifold secure against spoofing and provide perfect multifold secrecy.
Theorem 4
Suppose there is a Steiner  design, where divides the number of blocks for every positive integer . Then there is an optimal authentication code for equiprobable source states, having messages and encoding rules, that is ()fold secure against spoofing and simultaneously provides perfect fold secrecy.
Let be a Steiner  design, where divides for every positive integer . By Theorem 3, the authentication code has fold security against spoofing attacks. Hence, it remains to prove that the code also achieves perfect fold secrecy under the assumption that the encoding rules are used with equal probability. With respect to Lemma 3, we have to show that, for every , a given set of messages occurs with the same frequency in each columns of the resulting encoding matrix. This can be accomplished by ordering, for each , every block of in such a way that every subset of occurs in each possible choice in precisely blocks. Since every subset of occurs in exactly blocks due to Lemma 1, necessarily must divide . By Lemma 2 (b), this is equivalent to saying that divides . To show that the condition is also sufficient, we consider the bipartite (subset, block) incidence graph of with vertex set , where is an edge if and only if () for and . An ordering on each block of can be obtained via an edgecoloring of this graph using colors in such a way that each vertex is adjacent to one edge of each color, and each vertex is adjacent to edges of each color. Specifically, this can be done by first splitting up each vertex into copies, each having degree , and then by finding an appropriate edgecoloring of the resulting regular bipartite graph using colors. The claim follows now by taking the ordered blocks as encoding rules, each used with equal probability.
Remark 1
It follows from the proof that we may obtain optimal authentication codes that provide ()fold security against spoofing and at the same time perfect fold secrecy for , when the assumption of the above theorem holds with divides for every positive integer .
As an application, we give an infinite class of optimal codes which are twofold secure against spoofing and achieve perfect twofold secrecy. This appears to be the first infinite class of authentication and secrecy codes with these properties.
Theorem 5
For all positive integers (mod ), there is an optimal authentication code for equiprobable source states, having messages, and encoding rules, that is twofold secure against spoofing and provides perfect twofold secrecy.
We will make use of Steiner quadruple systems (cf. Section IIA). Hanani [15] showed that a necessary and sufficient condition for the existence of a is that or (mod ) . Hence, the condition is fulfilled when or (mod ) and the condition when (mod ) in view Lemma 2 (b). Therefore, if we assume that (mod ), then we can apply Theorem 4 to establish the claim.
We present the smallest example:
Example 1
An optimal authentication code for equiprobable source states, having messages, and encoding rules, that is twofold secure against spoofing and provides perfect twofold secrecy can be constructed from a Steiner quadruple system . Each encoding rule is used with probability .
Remark 2
For , the first was constructed by Fitting [16], admitting a cycle as an automorphism (cyclic ). We generally remark that the number of nonisomorphic is only known for with , , and (cf. [17]). Lenz [18] proved that for the admissible values of , the number grows exponentially, i.e. . For comprehensive survey articles on Steiner quadruple systems, we refer the reader to [19, 20]. For classifications of specific classes of highly regular Steiner quadruple systems and Steiner designs, see, e.g., [21, 22].
Acknowledgment
The author thanks Doug Stinson for an interesting conversation on this topic. The author gratefully acknowledges support of his work by the Deutsche Forschungsgemeinschaft (DFG) via a Heisenberg grant (Hu954/4) and a Heinz MaierLeibnitz Prize grant (Hu954/5).
References
 [1] M. Huber, “Authentication and secrecy codes for equiprobable source probability distributions”, in Proc. IEEE International Symposium on Information Theory (ISIT) 2009, pp. 1105–1109, 2009.
 [2] E. N. Gilbert, F. J. MacWilliams and N. J. A. Sloane, “Codes which detect deception”, Bell Syst. Tech. J., vol. 53, pp. 405–424, 1974.
 [3] G. J. Simmons, “Authentication theory/coding theory”, in Advances in Cryptology – CRYPTO ’84, ed. by G. R. Blakley and D. Chaum, Lecture Notes in Computer Science, vol. 196, Springer, Berlin, Heidelberg, New York, pp. 411–432, 1985.
 [4] G. J. Simmons, “A survey of information authentication”, in Contemporary Cryptology: The Science of Information Integrity, ed. by G. J. Simmons, IEEE Press, Piscataway, pp. 379–419, 1992.
 [5] C. E. Shannon, “Communication theory of secrecy systems”, Bell Syst. Tech. J., vol. 28, pp. 656–715, 1949.
 [6] D. R. Stinson, “The combinatorics of authentication and secrecy codes”, J. Cryptology, vol. 2, pp. 23–49, 1990.
 [7] J. L. Massey, “Cryptography – a selective survey”, in Digital Communications, ed. by E. Biglieri and G. Prati, NorthHolland, Amsterdam, New York, Oxford, pp. 3–21, 1986.
 [8] D. R. Stinson, “Combinatorial characterizations of authentication codes”, Designs, Codes and Cryptography, vol. 2, pp. 175–187, 1992.
 [9] D. R. Stinson and R. S. Rees, “Combinatorial characterizations of authentication codes II”, Designs, Codes and Cryptography, vol. 7, pp. 239–259, 1996.
 [10] Th. Beth, D. Jungnickel and H. Lenz, Design Theory, vol. I and II, Encyclopedia of Math. and Its Applications, vol. 69/78, Cambridge Univ. Press, Cambridge, 1999.
 [11] C. J. Colbourn and J. H. Dinitz (eds.), Handbook of Combinatorial Designs, 2nd ed., CRC Press, Boca Raton, 2006.
 [12] M. Huber, “Coding theory and algebraic combinatorics”, in Selected Topics in Information and Coding Theory, ed. by I. Woungang et al., World Scientific, Singapore, 38 pages, 2010 (in press). Preprint at arXiv:0811.1254v1.
 [13] P. Schöbi, “Perfect authentication systems for data sources with arbitrary statistics” (presented at EUROCRYPT ’86), unpublished.
 [14] M. De Soete, “Some constructions for authentication  secrecy codes”, in Advances in Cryptology – EUROCRYPT ’88, ed. by Ch. G. Günther, Lecture Notes in Computer Science, vol. 330, Springer, Berlin, Heidelberg, New York, pp. 23–49, 1988.
 [15] H. Hanani, “On quadruple systems”, Canad. J. Math., vol. 12, pp. 145–157, 1960.
 [16] F. Fitting, “Zyklische Lösungen des Steiner’schen Problems”, Nieuw. Arch. Wisk., vol. 11, pp. 140–148, 1915.
 [17] P. Kaski, P. R. J. Östergård and O. Pottonen, “The Steiner quadruple systems of order ”, J. Combin. Theory, Series A, vol. 113, pp. 1764–1770, 2006.
 [18] H. Lenz, “On the number of Steiner quadruple systems”, Mitt. Math. Sem. Giessen, vol. 169, pp. 55–71, 1985.
 [19] A. Hartman and K. T. Phelps, “Steiner quadruple systems”, in: Contemporary Design Theory, ed. by J. H. Dinitz and D. R. Stinson, Wiley, New York, pp. 205–240, 1992.
 [20] C. C. Lindner and A. Rosa, “Steiner quadruple systems – A survey”, Discrete Math., vol. 22, pp. 147–181, 1978.
 [21] M. Huber, “Almost simple groups with socle acting on Steiner quadruple systems”, J. Combin. Theory, Series A, 4 pages, 2010 (in press). Preprint at arXiv:0907.1281v1.
 [22] M. Huber, Flagtransitive Steiner Designs, Birkhäuser, Basel, Berlin, Boston, 2009.