Multi-receiver Authentication Scheme for Multiple Messages Based on Linear Codes

Multi-receiver Authentication Scheme for Multiple Messages Based on Linear Codes

Jun Zhang, Xinran Li and Fang-Wei Fu Chern Institute of Mathematics, Nankai University, Tianjin, P.R. China zhangjun04@mail.nankai.edu.cn; xinranli@mail.nankai.edu.cn; fwfu@nankai.edu.cn
Abstract.

In this paper, we construct an authentication scheme for multi-receivers and multiple messages based on a linear code . This construction can be regarded as a generalization of the authentication scheme given by Safavi-Naini and Wang [8]. Actually, we notice that the scheme of Safavi-Naini and Wang is constructed with Reed-Solomon codes. The generalization to linear codes has the similar advantages as generalizing Shamir’s secret sharing scheme to linear secret sharing sceme based on linear codes [1, 6, 5, 7, 9]. For a fixed message base field , our scheme allows arbitrarily many receivers to check the integrity of their own messages, while the scheme of Safavi-Naini and Wang has a constraint on the number of verifying receivers . And we introduce access structure in our scheme. Massey [5] characterized the access structure of linear secret sharing scheme by minimal codewords in the dual code whose first component is . We slightly modify the definition of minimal codewords in [5]. Let be a linear code. For any coordinate , a codeword in is called minimal respect to if the codeword has component at the -th coordinate and there is no other codeword whose -th component is with support strictly contained in that of . Then the security of receiver in our authentication scheme is characterized by the minimal codewords respect to in the dual code .

Key words and phrases:
Authentication scheme, linear codes, secret sharing, minimal codewords, substitution attack.
This research is supported by the National Key Basic Research Program of China (Grant No. 2013CB834204), and the National Natural Science Foundation of China (Nos. 61171082, 10990011 and 60872025). The author Jun Zhang is also supproted by the Chinese Scholarship Council under the State Scholarship Fund during visiting University of California, Irvine.

1. Introduction

1.1. Background

One of the important goals of cryptographic scheme is authentication, which is concerned with the approaches of providing data integrity and data origin validation between two communication entities in computer network. Traditionally, it simply deals with the data authentication problem from a single sender to a single receiver. With the rapid progress of network communication, the urgent need for providing data authentication has escalated to multi-receiver and/or multi-sender scenarios. However, the original point-to-point authentication techniques are not suitable for multi-point communication. In the multi-receiver authentication model, a sender broadcasts an authenticated message such that all the receivers can independently verify the authenticity of the message with their own private keys. It requires a security that malicious groups of up to a given size of receivers can not successfully impersonate the transmitter, or substitute a transmitted message. Desmedt et al. [4] gave an authentication scheme of single message for multi-receivers. Safavi-Naini and Wang [8] extended the DFY scheme [4] to be an authentication scheme of multiple messages for multi-receivers.

The receivers independently verify the authenticity of the message using each own private key. So multi-receiver authentication scheme involves a procedure of secret sharing. To introduce the linear secret sharing scheme based on linear codes, we recall some definitions in coding theory.

Let be the -dimensional vector space over the finite field with elements. For any vector , the Hamming weight of is defined to be the number of non-zero coordinates, i.e.,

A linear code is a -dimensional linear subspace of . The minimum distance of is the minimum Hamming weight of all non-zero vectors in , i.e.,

A linear code is called a linear code if has minimum distance . A vector in is called a of . A matrix is call a generator matrix of if rows of form a basis for . A well known trade-off between the parameters of a linear code is the Singleton bound which states that

A code is called a maximum distance separable (MDS) code if . The dual code of is defined as the set

where is the inner product of vectors and , i.e.,

The secret sharing scheme provides security of a secret key by “splitting” it to several parts which are kept by different persons. In this way, it might need many persons to recover the original key. It can achieve to resist the attack of malicious groups of persons. Shamir [9] used polynomials over finite fields to give an threshold secret sharing scheme such that any persons of the shares can uniquely determine the secret key but any persons can not get any information of the key. A linear secret sharing scheme based on a linear code [5] is constructed as follows: encrypt the secret to be the first coordinate of a codeword and distribute the rest of the codeword (except the first secret coordinate) to the group of shares. McEliece and Sarwate [7] pointed out that the Shamir’s construction is essentially a linear secret sharing scheme based on Reed-Solomon codes. Also as a natural generalization of Shamir’construction, Chen and Cramer [1] constructed a linear secret sharing scheme based on algebraic geometric codes.

The qualified subset of a linear secret sharing scheme is a subset of shares such that the shares in the subset can recover the secret key. A qualified subset is call minimal if any share is removed from the qualified subset, the rests cannot recover the secret key. The access structure of a linear secret sharing scheme consists of all the minimal qualified subsets. A codeword in a linear code is said to be minimal if is a non-zero codeword whose leftmost nonzero component is a and no other codeword whose leftmost nonzero component is has support strictly contained in the support of . Massey [5, 6] showed that the access structure of a linear secret sharing scheme based on a linear code are completely determined by the minimal codewords in the dual code whose first component is .

Proposition 1 ([5]).

The access structure of the linear secret-sharing scheme corresponding to the linear code is specified by those minimal codewords in the dual code whose first component is . In the manner that the set of shares specified by a minimal codeword whose first component is in the dual code is the set of shares corresponding to those locations after the first in the support of this minimal codeword.

In both schemes of Desmedt et al. [4] and Safavi-Naini and Wang [8], the key distribution is similar to that in Shamir’s secret sharing scheme [9], using polynomials. Both schemes are threshold authentication scheme, i.e., any malicious groups of up to receivers can not successfully ( unconditional secure in the meaning of information theory) impersonate the transmitter, or substitute a transmitted message to any other receiver, while any receivers or more receivers can successfully impersonate the transmitter, or substitute a transmitted message to any other receiver. Actually, in the proof of security of the authentication scheme of Safavi-Naini and Wang, the security is equivalent to the difficulty to recover the private key of other receivers. So the security essentially depends on the security of key distribution.

In this paper, we use general linear codes to generalize the scheme of Safavi-Naini and Wang. One advantage is that our scheme allows arbitrarily many verifying receivers for a fixed message base field , while the scheme of Safavi-Naini and Wang has a constraint on the number of verifying receivers . We introduce the concept of minimal codeword respect to each coordinate, which helps to characterize the capability of resisting substitution attack in our authentication scheme, similarly to the linear secret sharing scheme [6]. It guarantees higher security for some important receivers.

1.2. Our Construction and Main Results

In a multi-receiver authentication model for multiple messages, a trusted authority choose random parameters as the secret key and generates shares of private keys secretly. Then the trusted authority transmits a private key to each receiver and secret parameters to the source. For each fixed message, the source computes the authentication tag using the secret parameters and sends the message adding with the tag. In the verification phase, the receiver verify the integrity of each tagged message using his private key. There are some malicious receivers who collude to perform an impersonation attack by constructing a fake message, or a substitution attack by altering the message content such that the new tagged message can be accepted by some other receiver or specific receiver.

In this subsection, we present our construction of an authentication scheme based on a linear code for multi-receivers and multiple messages. It will be shown that the ability of our scheme to resist the attack of the malicious receivers is measured by the minimum distance of the dual code and minimal codewords respect to specific coordinate in the dual code.

Let be a linear code with minimum distance . And assume that the minimum distance of the dual code is . Fix a generator matrix of

Then make public. Our scheme is as follows.

  • Key generation: A trusted authority randomly chooses parameters

  • Key distribution: The trusted authority computes

    Then the trusted authority distributes each receiver the -th column of as his private key, for .

  • Authentication tag: For message , the source computes the tag map

    where the map () is defined by

    Instead of sending the message , the source actually sends the authenticated messages of the form111In general, we can first use a hash function to hash the message , then send the tagged message .

  • Verification:The receiver accepts the message if . Under the integrity of the tagged message, one can easily verify the following

    Here, we call the result the label of for message .

If we take to be the Reed-Solomon code, i.e., the generator matrix is of the form

(1.1)

for pairwise distinct , then the scheme is the scheme of Safavi-Naini and Wang [8].

The security of the above authentication scheme is summarized in the following theorems.

Theorem 2.

The scheme we constructed above is a unconditionally secure multi-receiver authentication code against a coalition of up to () malicious receivers in which every key can be used to authentication up to messages.

More specifically, if we consider what a coalition of malicious receivers can successfully make a substitution attack to one fixed receiver . To characterize this malicious group, we slightly modify the definition of minimal codeword in [5].

Definition 1.

Let be a linear code. For any , a codeword in is called minimal respect to if the codeword has component at the -th location and there is no other codeword whose -th component is with support strictly contained in that of .

Then we have

Theorem 3.

For the authentication scheme we constructed, we have

(i):

The set of all minimal malicious groups that can successfully make a substitution attack to the receiver is determined completely by all the minimal codewords respect to in the dual code .

(ii):

All malicious groups that can not produce a fake authenticated message which can be accepted by the receiver are one-to-one corresponding to subsets of such that each of them together with does not contain any support of minimal codeword respect to in the dual code , where .

Compared with Safavi-Naini and Wang’s scheme, our scheme has an important advantage. The scheme of Safavi-Naini and Wang is a threshold authentication scheme, so any coalition of malicious receivers can easily make a substitution attack to any other receiver. While in our scheme, by Theorem 3, sometimes it can withstand the attack of coalitions of or more malicious receivers to some fixed important receiver . And it is in general NP-hard to find one (or list all) coalition(s) of malicious receivers with the minimum members that can make a substitution attack to the receiver . So in this sense, our scheme has better security than the previous one.

The rest of this paper is organized as follows. In Section 2, we give the security analysis of our scheme. In Section 3, we show the relationship between the security of our scheme and parameters of the linear code.

2. Security Analysis of Our Authentication Scheme

In this section, we present the security analysis of our scheme. From the verification step, we notice that a tagged message can be accepted by the receiver if and only if . So in order to make a substitution attack to , it suffices to know the label for some not sent by the transmitter, then it is trivial to construct a tag such that .

Indeed, we will find that the security of the above authentication scheme depends on the hardness of finding the key matrix from a system of linear equations. Suppose a group of malicious receivers collaborate to recover and make a substitution attack. Without loss of generality, we assume that the malicious receivers are . Suppose have been sent. Each has some information about the key :

and

The group of malicious receivers combines their equations, and they get a system of linear equations

(2.1)
Lemma 4.

Let be the subspace of generated by , where represents the -th column of the generator matrix . Suppose . Then there exists exact matrices satisfying the system of equations (2.1).

Proof.

Denote

Rewrite the matrix of variables as a single column of variables. Then System (2.1) becomes

(2.2)

where is the identity matrix with rank () and is the column vector of constants in System (2.1) with proper order. Notice that the space generated by rows of is contained in the space generated by if . So the rank of the big matrix of coefficients in System (2.2) equals to

which is less than , the number of variables. So System (2.2) has solutions, i.e., System (2.1) has solutions. ∎

Remark 1.

In [8], they gave a constructive proof of Lemma 4 in the case that is of the form (1.1). The method here can be used for a general class of systems of linear equations over a field :

where is a matrix of variables, the coefficient matrices with rank and with rank , the constant matrices and . Then solutions of the system in has -dimensional hypersurface in the space .

Note that if is an MDS code, e.g., Reed-Solomon code, then whenever the vectors in any -subset of columns of are linearly independent.

By Lemma 4, the security of our authentication scheme follows.

Theorem 5.

The scheme we constructed above is an unconditionally secure multi-receiver authentication scheme against a coalition of up to () malicious receivers in which every key can be used to authentication up to messages.

Proof.

Suppose the source receiver has sent messages . It is enough to consider the case that malicious receivers have received the messages, since in this case they know the most information about the key matrix .

What they try to do is to guess the label for some and construct a vector such that

Then the fake message can be accepted by .

Because any columns of the generator matrix is linearly independent over , otherwise there exist such that where is the -th column of , then the dual code will have a codeword with Hamming weight which is a contradiction. By Lemma 4, there exists matrices satisfying the system of equations (2.1).

For any , we define the label map

Then we claim:

(1):

is surjective.

(2):

for any , the number of the inverse image of is .

So the information held by the colluders allows them to calculate equally likely different labels for and hence their probability of success is which is equal to that of guessing a label for randomly from . And hence we finish the proof of the theorem.

Next, we prove our claim. As , is linearly independent over , otherwise the dual code will have a codeword with Hamming weight which is impossible by the definition of minimum distance of a code. Then choose extra columns of such that they combining with form a basis of . Without loss of generality, we assume the first columns of is linearly independent of . For any , the system of linear equations

(2.3)

has solutions by Lemma 4, saying . The solutions are also solutions of System  (2.1). Next, we show

Otherwise, there are two solutions and such that

Then we have

But matrices

are invertible. So which contradicts to the condition . And hence, the statement (1) holds.

Next, we prove (2). Any one solution of System (2.1) gives one , while corresponding to such a there are solutions of System (2.1) from the proof of (1). In this way, we partition solutions of System (2.1) into parts such that each part contains elements. Also from the proof of (1), the image of each part under is . So for any , the number of the inverse image of is .

Remark 2.

From the proofs of Lemma 4 and Theorem 5, the coalition of malicious receivers can successfully make a substitution attack to the receiver if and only if is contained in the subspace of generated by , where represents the -th column of the generator matrix . In this case, they can recover the private key of . This is the motivation of the next section.

Next, we give a toy example to illustrate Lemma 4 and Theorem 5.

Example 1.

Let . The messages sent are . The is a systematic code with the generator matrix

One can check that the dual code has minimum distance . The trusted authority randomly chooses , for instance,

Then the trusted authority computes

and distributes the -th column of to the receiver as his private key.

Suppose are corrupted and they have seen the authenticated messages

then they want to substitute one of the authenticated messages during the transmission by a new codeword that can be accepted by one of the other receivers. They have information about the key matrix :

(2.4)

This system of linear equations has solutions

where . For and any , we have the label map

Let . Then the images of are

(0, 4, 3, 2, 0, 2) (0, 3, 1, 1, 4, 3) (0, 2, 4, 0, 3, 4) (0, 1, 2, 4, 2, 0) (0, 0, 0, 3, 1, 1)
(4, 4, 4, 2, 0, 0) (4, 3, 2, 1, 4, 1) (4, 2, 0, 0, 3, 2) (4, 1, 3, 4, 2, 3) (4, 0, 1, 3, 1, 4)
(3, 4, 0, 2, 0, 3) (3, 3, 3, 1, 4, 4) (3, 2, 1, 0, 3, 0) (3, 1, 4, 4, 2, 1) (3, 0, 2, 3, 1, 2)
(2, 4, 1, 2, 0, 1) (2, 3, 4, 1, 4, 2) (2, 2, 2, 0, 3, 3) (2, 1, 0, 4, 2, 4) (2, 0, 3, 3, 1, 0)
(1, 4, 2, 2, 0, 4) (1, 3, 0, 1, 4, 0) (1, 2, 3, 0, 3, 1) (1, 1, 1, 4, 2, 2) (1, 0, 4, 3, 1, 3)

Notice that for any , is surjective and for any , the number of the inverse image of is . One can check the properties of about surjection and uniform distribution of the images for also hold.

Actually, we can verify that even the coalition of can successfully generate a fraudulent codeword for any other still only in a probability which is the success probability of randomly choosing a label from for a fake message.

3. Code-based Authentication Scheme and Minimal Codewords

In the previous section, we considered that any coalition of malicious receivers can not obtain any information about any other receiver’s label to make a substitution attack. To consider a weak point, we propose that for a fixed receiver , what a coalition of malicious receivers that can not get any information of the label of . By Theorem 5, we have seen that any coalition of up to malicious receivers can not generate a valid codeword for in a probability better than guessing a label from randomly for the fake message .

Denote and . Without any confusion, we identify the index set and the receiver set .

Definition 2.

A subset of receivers is call an adversary group to if their coalition can not obtain any information of the label of when they want to make a substitution attack to . Define to be the largest integer such that any subset with cardinality is an adversary group to .

Definition 3.

A subset of that can successfully make a substitution attack to is call a substitution group to . Moreover, a substitution group is call minimal if any one receiver is removed from the group, then the rests can not obtain any information of the label of . Define