Multireceiver Authentication Scheme for Multiple Messages Based on Linear Codes
Abstract.
In this paper, we construct an authentication scheme for multireceivers and multiple messages based on a linear code . This construction can be regarded as a generalization of the authentication scheme given by Safavi-Naini and Wang [8]. Actually, we notice that the scheme of Safavi-Naini and Wang is constructed with Reed-Solomon codes. The generalization to linear codes has similar advantages to generalizing Shamir’s secret sharing scheme to linear secret sharing schemes based on linear codes [1, 6, 5, 7, 9]. For a fixed message base field , our scheme allows arbitrarily many receivers to check the integrity of their own messages, while the scheme of Safavi-Naini and Wang has a constraint on the number of verifying receivers . We also introduce an access structure into our scheme. Massey [5] characterized the access structure of a linear secret sharing scheme by the minimal codewords in the dual code whose first component is . We slightly modify the definition of minimal codewords in [5]. Let be a linear code. For any coordinate , a codeword in is called minimal with respect to if the codeword has component at the th coordinate and there is no other codeword whose th component is with support strictly contained in that of . Then the security of receiver in our authentication scheme is characterized by the minimal codewords with respect to in the dual code .
Key words and phrases:
Authentication scheme, linear codes, secret sharing, minimal codewords, substitution attack.
1. Introduction
1.1. Background
One of the important goals of cryptographic schemes is authentication, which is concerned with approaches to providing data integrity and data origin validation between two communicating entities in a computer network. Traditionally, it simply deals with the data authentication problem from a single sender to a single receiver. With the rapid progress of network communication, the urgent need for providing data authentication has escalated to multireceiver and/or multisender scenarios. However, the original point-to-point authentication techniques are not suitable for multipoint communication. In the multireceiver authentication model, a sender broadcasts an authenticated message such that all the receivers can independently verify the authenticity of the message with their own private keys. It requires security in the sense that malicious groups of up to a given size of receivers cannot successfully impersonate the transmitter, or substitute a transmitted message. Desmedt et al. [4] gave a multireceiver authentication scheme for a single message. Safavi-Naini and Wang [8] extended the DFY scheme [4] to a multireceiver authentication scheme for multiple messages.
The receivers independently verify the authenticity of the message using their own private keys, so a multireceiver authentication scheme involves a procedure of secret sharing. To introduce the linear secret sharing scheme based on linear codes, we recall some definitions from coding theory.
Let be the dimensional vector space over the finite field with elements. For any vector , the Hamming weight of is defined to be the number of nonzero coordinates, i.e.,
A linear code is a dimensional linear subspace of . The minimum distance of is the minimum Hamming weight of all nonzero vectors in , i.e.,
A linear code is called a linear code if has minimum distance . A vector in is called a of . A matrix is called a generator matrix of if the rows of form a basis for . A well-known trade-off between the parameters of a linear code is the Singleton bound, which states that
A code is called a maximum distance separable (MDS) code if . The dual code of is defined as the set
where is the inner product of vectors and , i.e.,
The secret sharing scheme provides security of a secret key by “splitting” it into several parts which are kept by different persons. In this way, many persons may be needed to recover the original key, so the scheme can resist attacks by malicious groups of persons. Shamir [9] used polynomials over finite fields to give an threshold secret sharing scheme such that any persons of the shares can uniquely determine the secret key but any persons cannot get any information about the key. A linear secret sharing scheme based on a linear code [5] is constructed as follows: encrypt the secret as the first coordinate of a codeword and distribute the rest of the codeword (except the first, secret coordinate) to the group of shares. McEliece and Sarwate [7] pointed out that Shamir’s construction is essentially a linear secret sharing scheme based on Reed-Solomon codes. Also, as a natural generalization of Shamir’s construction, Chen and Cramer [1] constructed a linear secret sharing scheme based on algebraic geometric codes.
A qualified subset of a linear secret sharing scheme is a subset of shares such that the shares in the subset can recover the secret key. A qualified subset is called minimal if, whenever any share is removed from it, the rest cannot recover the secret key. The access structure of a linear secret sharing scheme consists of all the minimal qualified subsets. A codeword in a linear code is said to be minimal if is a nonzero codeword whose leftmost nonzero component is a and no other codeword whose leftmost nonzero component is has support strictly contained in the support of . Massey [5, 6] showed that the access structure of a linear secret sharing scheme based on a linear code is completely determined by the minimal codewords in the dual code whose first component is .
Proposition 1 ([5]).
The access structure of the linear secret-sharing scheme corresponding to the linear code is specified by those minimal codewords in the dual code whose first component is , in the sense that the set of shares specified by a minimal codeword whose first component is in the dual code is the set of shares corresponding to those locations after the first in the support of this minimal codeword.
In both schemes, that of Desmedt et al. [4] and that of Safavi-Naini and Wang [8], the key distribution is similar to that in Shamir’s secret sharing scheme [9], using polynomials. Both schemes are threshold authentication schemes, i.e., any malicious group of up to receivers cannot successfully (in the unconditional, information-theoretic sense) impersonate the transmitter or substitute a transmitted message to any other receiver, while any receivers or more can successfully impersonate the transmitter or substitute a transmitted message to any other receiver. Actually, in the proof of security of the authentication scheme of Safavi-Naini and Wang, the security is equivalent to the difficulty of recovering the private keys of other receivers. So the security essentially depends on the security of the key distribution.
In this paper, we use general linear codes to generalize the scheme of Safavi-Naini and Wang. One advantage is that our scheme allows arbitrarily many verifying receivers for a fixed message base field , while the scheme of Safavi-Naini and Wang has a constraint on the number of verifying receivers . We introduce the concept of a minimal codeword with respect to each coordinate, which helps to characterize the capability of resisting substitution attacks in our authentication scheme, similarly to the case of linear secret sharing schemes [6]. It guarantees higher security for some important receivers.
1.2. Our Construction and Main Results
In a multireceiver authentication model for multiple messages, a trusted authority chooses random parameters as the secret key and secretly generates shares of private keys. Then the trusted authority transmits a private key to each receiver and the secret parameters to the source. For each fixed message, the source computes the authentication tag using the secret parameters and sends the message together with the tag. In the verification phase, each receiver verifies the integrity of each tagged message using his private key. There may be some malicious receivers who collude to perform an impersonation attack by constructing a fake message, or a substitution attack by altering the message content, such that the new tagged message is accepted by some other receiver or by a specific receiver.
In this subsection, we present our construction of an authentication scheme based on a linear code for multireceivers and multiple messages. It will be shown that the ability of our scheme to resist attacks by malicious receivers is measured by the minimum distance of the dual code and by the minimal codewords with respect to a specific coordinate in the dual code.
Let be a linear code with minimum distance , and assume that the minimum distance of the dual code is . Fix a generator matrix of
Then make public. Our scheme is as follows.

Key generation: A trusted authority randomly chooses parameters

Key distribution: The trusted authority computes
Then the trusted authority distributes to each receiver the th column of as his private key, for .

Authentication tag: For message , the source computes the tag map
where the map () is defined by
Instead of sending the message , the source actually sends authenticated messages of the form¹
¹ In general, we can first use a hash function to hash the message , then send the tagged message .

Verification: The receiver accepts the message if . If the tagged message is intact, one can easily verify the following
Here, we call the result the label of for message .
If we take to be the Reed-Solomon code, i.e., the generator matrix is of the form
(1.1) 
for pairwise distinct , then the scheme is the scheme of Safavi-Naini and Wang [8].
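The symbols of the scheme above were lost in extraction, so here is an added Python implementation of it (not code from the paper) under the conventions it assumes for the generalization of the Safavi-Naini and Wang scheme: the secret key is a (w+1) × k matrix A over F_q, the key matrix is K = AG, the tag of a message s is v(s)A with v(s) = (1, s, ..., s^w), and receiver i accepts (s, τ) iff τ · g_i equals its label v(s) · K_i; the Vandermonde generator matrix reproduces the Reed-Solomon case (1.1).

```python
import random

Q = 7   # prime field F_7 (constructed toy parameters, not from the paper)
W = 2   # each private key authenticates up to W messages (assumed convention)

def rs_generator(alphas, k):
    """Vandermonde generator matrix as in (1.1): with this G the scheme
    is the Safavi-Naini and Wang scheme (Reed-Solomon case)."""
    return [[pow(a, r, Q) for a in alphas] for r in range(k)]

def column(M, i):
    return [row[i] for row in M]

def dot(u, v):
    return sum(x * y for x, y in zip(u, v)) % Q

def vrow(s):
    # v(s) = (1, s, ..., s^W), the message-dependent row (assumed form)
    return [pow(s, j, Q) for j in range(W + 1)]

def keygen(k, rng):
    # trusted authority: secret (W+1) x k matrix A
    return [[rng.randrange(Q) for _ in range(k)] for _ in range(W + 1)]

def distribute(A, G):
    # K = A*G; receiver i receives the i-th column of K as private key
    return [[dot(row, column(G, i)) for row in A] for i in range(len(G[0]))]

def tag(A, s):
    # tau(s) = v(s) * A, a vector of length k sent along with s
    return [dot(vrow(s), column(A, c)) for c in range(len(A[0]))]

def label(key_i, s):
    # label of receiver i for message s: v(s) * K_i, computable from the key alone
    return dot(vrow(s), key_i)

def verify(G, i, key_i, s, t):
    # receiver i accepts (s, t) iff t * g_i == v(s) * K_i
    return dot(t, column(G, i)) == label(key_i, s)

def demo(seed=1):
    """Run the scheme on the [5,3] Reed-Solomon code over F_7 and return
    (all honest tags accepted, number of receivers accepting a tampered message)."""
    rng = random.Random(seed)
    G = rs_generator([1, 2, 3, 4, 5], k=3)
    A = keygen(3, rng)
    keys = distribute(A, G)
    tagged = [(s, tag(A, s)) for s in (3, 5)]        # W = 2 messages in F_7
    honest = all(verify(G, i, keys[i], s, t) for i in range(5) for s, t in tagged)
    s, t = tagged[0]
    # substitution of the message content with the old tag left in place
    tampered = sum(verify(G, i, keys[i], (s + 1) % Q, t) for i in range(5))
    return honest, tampered
```

Every honest tag passes at every receiver because τ(s) · g_i = v(s) A g_i = v(s) · K_i is an identity; a receiver accepts a tampered pair only with the guessing probability of one label in F_q.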
The security of the above authentication scheme is summarized in the following theorems.
Theorem 2.
The scheme we constructed above is an unconditionally secure multireceiver authentication code against a coalition of up to () malicious receivers, in which every key can be used to authenticate up to messages.
More specifically, we consider which coalitions of malicious receivers can successfully make a substitution attack on one fixed receiver . To characterize such malicious groups, we slightly modify the definition of minimal codeword in [5].
Definition 1.
Let be a linear code. For any , a codeword in is called minimal with respect to if the codeword has component at the th location and there is no other codeword whose th component is with support strictly contained in that of .
Then we have
Theorem 3.
For the authentication scheme we constructed, we have
(i) The set of all minimal malicious groups that can successfully make a substitution attack on the receiver is determined completely by all the minimal codewords with respect to in the dual code .
(ii) All malicious groups that cannot produce a fake authenticated message which can be accepted by the receiver are in one-to-one correspondence with the subsets of such that each of them together with does not contain the support of any minimal codeword with respect to in the dual code , where .
Compared with Safavi-Naini and Wang’s scheme, our scheme has an important advantage. The scheme of Safavi-Naini and Wang is a threshold authentication scheme, so any coalition of malicious receivers can easily make a substitution attack on any other receiver. In our scheme, however, by Theorem 3, it can sometimes withstand the attack of coalitions of or more malicious receivers on some fixed important receiver . Moreover, it is in general NP-hard to find one (or list all) coalition(s) of malicious receivers with the minimum number of members that can make a substitution attack on the receiver . So in this sense, our scheme has better security than the previous one.
The rest of this paper is organized as follows. In Section 2, we give the security analysis of our scheme. In Section 3, we show the relationship between the security of our scheme and parameters of the linear code.
2. Security Analysis of Our Authentication Scheme
In this section, we present the security analysis of our scheme. From the verification step, we notice that a tagged message can be accepted by the receiver if and only if . So in order to make a substitution attack on , it suffices to know the label for some not sent by the transmitter; then it is trivial to construct a tag such that .
Indeed, we will find that the security of the above authentication scheme depends on the hardness of finding the key matrix from a system of linear equations. Suppose a group of malicious receivers collaborate to recover and make a substitution attack. Without loss of generality, we assume that the malicious receivers are . Suppose have been sent. Each has some information about the key :
and
The group of malicious receivers combines their equations, and they get a system of linear equations
(2.1) 
Lemma 4.
Let be the subspace of generated by , where represents the th column of the generator matrix . Suppose . Then there exist exactly matrices satisfying the system of equations (2.1).
Proof.
Denote
Rewrite the matrix of variables as a single column of variables. Then System (2.1) becomes
(2.2) 
where is the identity matrix of rank () and is the column vector of constants in System (2.1) in the proper order. Notice that the space generated by the rows of is contained in the space generated by if . So the rank of the big coefficient matrix in System (2.2) equals
which is less than , the number of variables. So System (2.2) has solutions, i.e., System (2.1) has solutions. ∎
Remark 1.
In [8], a constructive proof of Lemma 4 was given in the case that is of the form (1.1). The method here can be used for a general class of systems of linear equations over a field :
where is a matrix of variables, the coefficient matrices are with rank and with rank , and the constant matrices are and . Then the solutions of the system in form a -dimensional hypersurface in the space .
Note that if is an MDS code, e.g., a Reed-Solomon code, then whenever the vectors in any subset of columns of are linearly independent.
By Lemma 4, the security of our authentication scheme follows.
Theorem 5.
The scheme we constructed above is an unconditionally secure multireceiver authentication scheme against a coalition of up to () malicious receivers, in which every key can be used to authenticate up to messages.
Proof.
Suppose the source has sent messages . It is enough to consider the case that the malicious receivers have received these messages, since in this case they know the most about the key matrix .
What they try to do is to guess the label for some and construct a vector such that
Then the fake message can be accepted by .
Any columns of the generator matrix are linearly independent over ; otherwise there exist such that , where is the th column of , and then the dual code would have a codeword with Hamming weight , which is a contradiction. By Lemma 4, there exist matrices satisfying the system of equations (2.1).
For any , we define the label map
Then we claim:
(1) is surjective.
(2) for any , the number of inverse images of is .
So the information held by the colluders allows them to calculate equally likely different labels for , and hence their probability of success is , which is equal to that of guessing a label for randomly from . This finishes the proof of the theorem.
Next, we prove our claim. As , is linearly independent over ; otherwise the dual code would have a codeword with Hamming weight , which is impossible by the definition of the minimum distance of a code. Then choose extra columns of such that, together with , they form a basis of . Without loss of generality, we assume that the first columns of are linearly independent of . For any , the system of linear equations
(2.3) 
has solutions by Lemma 4, say . These solutions are also solutions of System (2.1). Next, we show
Otherwise, there are two solutions and such that
Then we have
But matrices
are invertible. So , which contradicts the condition . Hence statement (1) holds.
Next, we prove (2). Any one solution of System (2.1) gives one , while corresponding to such a there are solutions of System (2.1) by the proof of (1). In this way, we partition the solutions of System (2.1) into parts such that each part contains elements. Also by the proof of (1), the image of each part under is . So for any , the number of inverse images of is .
∎
Remark 2.
From the proofs of Lemma 4 and Theorem 5, the coalition of malicious receivers can successfully make a substitution attack on the receiver if and only if is contained in the subspace of generated by , where represents the th column of the generator matrix . In this case, they can recover the private key of . This is the motivation for the next section.
Example 1.
Let . The messages sent are . The code is a systematic code with the generator matrix
One can check that the dual code has minimum distance . The trusted authority randomly chooses , for instance,
Then the trusted authority computes
and distributes the th column of to the receiver as his private key.
Suppose are corrupted and they have seen the authenticated messages
then they want to substitute one of the authenticated messages during transmission by a new codeword that can be accepted by one of the other receivers. They have the following information about the key matrix :
(2.4) 
This system of linear equations has solutions
where . For and any , we have the label map
Let . Then the images of are

Notice that for any , is surjective and for any , the number of inverse images of is . One can check that the surjectivity and uniform distribution of the images of also hold for .
Actually, one can verify that even the coalition of can generate a fraudulent codeword accepted by any other receiver only with probability , which is the success probability of randomly choosing a label from for a fake message.
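Example 1 has lost its numbers in this extraction, so the following added Python (not the paper's code) makes the coalition's view in Lemma 4, Theorem 5 and Remark 2 concrete on a constructed [4,2] code over F_3 with w = 1, assuming the conventions K = AG, v(s) = (1, s, ..., s^w) and label L_i(s) = v(s) · K_i. It enumerates every key matrix consistent with the colluders' private keys and the tags already seen, and histograms the target's label for a new message: the label is forced only when the target's column of G lies in the span of the colluders' columns, and otherwise every label in F_q is equally likely.

```python
from fractions import Fraction
from itertools import product

Q = 3   # prime field F_3 (constructed toy parameters, not from the paper)
W = 1   # one message per key, so A has W + 1 = 2 rows
# Public generator matrix of a [4,2] code over F_3, stored column by column.
# Column 4 repeats column 1, so e1 - e4 is a weight-2 dual codeword: it is
# minimal with respect to coordinates 1 and 4, so receiver 1 alone spans
# receiver 4's column (Remark 2), while receivers 2 and 3 are safe from it.
G_COLS = [(1, 0), (0, 1), (1, 1), (1, 0)]
K = len(G_COLS[0])

def vrow(s):
    return [pow(s, j, Q) for j in range(W + 1)]      # v(s) = (1, s, ..., s^W)

def private_key(A, col):
    # K_i = A * g_i, the (W+1)-vector handed to receiver i
    return [sum(A[r][c] * col[c] for c in range(K)) % Q for r in range(W + 1)]

def tag(A, s):
    # tau(s) = v(s) * A, broadcast together with s
    return [sum(vrow(s)[r] * A[r][c] for r in range(W + 1)) % Q for c in range(K)]

def label(A, s, col):
    # L_i(s) = v(s) * A * g_i, the value receiver i compares the tag against
    return sum(vrow(s)[r] * A[r][c] * col[c]
               for r in range(W + 1) for c in range(K)) % Q

def all_key_matrices():
    for entries in product(range(Q), repeat=(W + 1) * K):
        yield [list(entries[r * K:(r + 1) * K]) for r in range(W + 1)]

def coalition_view(A_true, colluders, sent, target, s_new):
    """Histogram of the target's label for a new message s_new over every
    key matrix A that agrees with the colluders' private keys and with the
    tags of the messages already sent (System (2.1)). Receivers are 0-based."""
    keys = {i: private_key(A_true, G_COLS[i]) for i in colluders}
    tags = {s: tag(A_true, s) for s in sent}
    hist = {}
    for A in all_key_matrices():
        if any(private_key(A, G_COLS[i]) != keys[i] for i in colluders):
            continue
        if any(tag(A, s) != tags[s] for s in sent):
            continue
        lab = label(A, s_new, G_COLS[target])
        hist[lab] = hist.get(lab, 0) + 1
    return hist

def success_probability(hist):
    # the best the coalition can do is bet on the most frequent label
    return Fraction(max(hist.values()), sum(hist.values()))
```

The total count in each histogram is the number of key matrices consistent with the coalition's equations, and a histogram with a single key is exactly the case where the coalition has recovered the target's private key.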
3. Code-based Authentication Scheme and Minimal Codewords
In the previous section, we showed that any coalition of malicious receivers cannot obtain any information about any other receiver’s label to make a substitution attack. To look at the weak points more closely, we ask, for a fixed receiver , which coalitions of malicious receivers cannot get any information about the label of . By Theorem 5, we have seen that any coalition of up to malicious receivers cannot generate a valid codeword for with probability better than guessing a label from randomly for the fake message .
Denote and . Without any confusion, we identify the index set and the receiver set .
Definition 2.
A subset of receivers is called an adversary group to if their coalition cannot obtain any information about the label of when they want to make a substitution attack on . Define to be the largest integer such that any subset with cardinality is an adversary group to .
Definition 3.
A subset of that can successfully make a substitution attack on is called a substitution group to . Moreover, a substitution group is called minimal if, whenever any one receiver is removed from the group, the rest cannot obtain any information about the label of . Define