Characterisations of optimal algebraic manipulation detection codes

Transcription

1 Characterisations of optimal algebraic manipulation detection codes M.B. Paterson 1 D.R. Stinson 2 1 David R. Cheriton School of Computer Science, University of Waterloo 2 Department of Economics, Mathematics and Statistics, Birkbeck, University of London Joint Mathematics Meetings, Seattle, January 7, 2016

2 Algebraic Manipulation Detection Codes Cramer, Dodis, Fehr, Padró, Wichs. Detection of algebraic manipulation with applications to robust secret sharing and fuzzy extractors. (Eurocrypt 2008) Source space S with S = m Encoded message space G (additive Abelian group of order n) Encoding rule E maps a source s S to some g G encode: s g

3 Algebraic Manipulation Detection Codes Cramer, Dodis, Fehr, Padró, Wichs. Detection of algebraic manipulation with applications to robust secret sharing and fuzzy extractors. (Eurocrypt 2008) Source space S with S = m Encoded message space G (additive Abelian group of order n) Encoding rule E maps a source s S to some g G encode: s g adversary:? +

4 Algebraic Manipulation Detection Codes Cramer, Dodis, Fehr, Padró, Wichs. Detection of algebraic manipulation with applications to robust secret sharing and fuzzy extractors. (Eurocrypt 2008) Source space S with S = m Encoded message space G (additive Abelian group of order n) Encoding rule E maps a source s S to some g G encode: s g adversary:? + decode: g + s S { }

5 Algebraic Manipulation Detection Codes Cramer, Dodis, Fehr, Padró, Wichs. Detection of algebraic manipulation with applications to robust secret sharing and fuzzy extractors. (Eurocrypt 2008) Source space S with S = m Encoded message space G (additive Abelian group of order n) Encoding rule E maps a source s S to some g G encode: s g adversary:? + Adversary succeeds if s / {s, } decode: g + s S { }

6 Notation For s S, we call A(s) G the set of valid encodings of s. (Note: A(s) A(s ) = if s s.) Set A = {A s s S}, a s = A s, a = s S a s and G A(s 1 ). A(s m ) Let a = s S A(s) be the total number of valid encodings. k-uniform: A(s) = k for all s S k-regular: k-uniform, plus the encoding of s is chosen uniformly from the elements of A(s) (1-regular deterministic encoding)

7 Weak AMD codes Definition 1 (S, G, A, E) is a weak (m, n, ɛ)-amd code if the adversary wins the following game with probability at most ɛ: 1. The adversary chooses G \ {0}. 2. The source s is chosen uniformly at random by the encoder. 3. s is encoded into g A(s) by the function E. 4. The adversary wins if and only if g + A(s ) for some s s.

8 Weak AMD codes Definition 1 (S, G, A, E) is a weak (m, n, ɛ)-amd code if the adversary wins the following game with probability at most ɛ: 1. The adversary chooses G \ {0}. 2. The source s is chosen uniformly at random by the encoder. 3. s is encoded into g A(s) by the function E. 4. The adversary wins if and only if g + A(s ) for some s s. Example 2 S = {s 1, s 2, s 3 }, G = Z 7. A(s 1 ) = {0}, A(s 2 ) = {1}, A(s 3 ) = {3} This is a deterministic weak (3, 7, 1 3 )-AMD code.

9 External Difference Families Ogata, Kurosawa, Stinson, Saido. New combinatorial designs and their applications to authentication codes and secret sharing schemes. (Discrete Mathematics 2004) Definition 3 ((n, m, k, λ)-edf) family A 1, A 2..., A m of m disjoint k-subsets of additive abelian group G (with G = n) such that each nonzero element of G occurs λ times as a difference between elements in different subsets. Example 4 (7, 3, 1, 1)-EDF: {0}, {1}, {3} Z 7 (9, 2, 2, 1)-EDF: {0, 1}, {2, 4} Z 9 (19, 3, 3, 3)-EDF: {1, 7, 11}, {4, 9, 6}, {16, 17, 5} Z 19

10 The random strategy for weak AMD codes Suppose the adversary chooses uniformly at random from G \ {0}. For any g A(s) and for a randomly chosen, the probability that the adversary wins is (a a s )/(n 1). The overall success probability is ( Pr[s] Pr[E(s) = g] a a ) s n 1 s g A(s) = ( Pr[s] a a ) s n 1 s a = n 1 a s (because the sources are equiprobable) m(n 1) s a = n 1 a m(n 1) a(m 1) = m(n 1).

11 The guess strategy for weak AMD codes Suppose the adversary guesses a valid encoding and then chooses a that will succeed whenever that encoding is used. The success probability of this strategy is at least 1/a. Combining the lower bounds for these two strategies gives ɛ 2 m 1 m(n 1). A weak AMD code is R-optimal if the optimal strategy is the random strategy. The code is G-optimal if the optimality strategy is the guess strategy.

12 Optimal weak AMD codes Theorem 5 ( A k-regular (n, m, k, λ)-edf. m, n, k(m 1) (n 1) ) -AMD code is equivalent to an Theorem 6 A (G-optimal) weak ( m, n, 1 a) -AMD code is equivalent to an (n, m, k, 1)-BEDF A BEDF is a bounded EDF, i.e., a generalization of EDF where each external difference occurs at most λ times. Theorem 7 A k-regular weak AMD code that is R-optimal and G-optimal is equivalent to an (n, m, k, 1)-EDF.

13 Partitioned external difference families Definition 8 (Partitioned external difference family) Let G be an additive abelian group of order n. An (n, m; c 1,..., c l ; k 1,..., k l ; λ 1,..., λ l )-partitioned external difference family (PEDF) is a set of m = i c i disjoint subsets of G, say A 1,..., A m, such that there are c h subsets of size k h, for 1 h l, and the following multiset equation holds for every h: {i: A i =c h } {j:j i} D(A i, A j ) = λ i (G \ {0}). Notation: D(A 1, A 2 ) = {x y : x A 1, y A 2 }.

14 A PEDF Example 9 Let G = (Z 13, +), A 1 = {0, 1, 4}, A 2 = {3, 5, 10}, A 3 = {2, 6, 7, 9}, A 4 = {8}, A 5 = {11}, A 6 = {12}. It can be verified that A 1,..., A 6 is a (13, 6; 2, 1, 3; 3, 4, 1; 5, 3, 3)-PEDF. As part of the verification, we first compute the occurrence of differences from A 1 to the union of the other A i s: difference frequency Then we compute the occurrence of differences from A 2 to the union of the other A i s: difference frequency Each difference occurs a total of five times in the two lists.

15 Maximal PEDF A PEDF is maximal if the union of the sets A 1,..., A m is the whole group G. Theorem 10 Suppose A 1,..., A m is a partition of G (where G = n) such that there are c h subsets of size k h for 1 h l. Then A 1,..., A m is a (maximal) (n, m; c 1,..., c l ; k 1,..., k l ; λ 1,..., λ l )-PEDF if and only if the subsets of cardinality k h form an (n, k h, c h k h λ h )-difference family in G, for 1 h l. In the previous example, the two sets of size 3 form a (13, 2, 3, 1)-difference family; the set of size 4 is a (13, 1, 4, 1)-difference family; and the three sets of size 1 form a (13, 3, 1, 0)-difference family.

16 Non-regular R-optimal weak AMD codes It is not difficult to see that any PEDF yields an R-optimal weak AMD code. However, there are R-optimal weak AMD codes that do not come from PEDF. Example 11 G = Z 10 A(s 1 ) = {0} A(s 2 ) = {5} A(s 3 ) = {1, 9} A(s 4 ) = {2, 3} Suppose we have equiprobable encodings. = 5: succeeds when the source is s 1 or s 2 so ɛ 5 = = 1 2 = 2: succeeds when the source is s 1, or s 3 when E(s 3 ) = 1, or s 4 when E(s 4 ) = 3 so ɛ 2 = = 1 2 etc. It follows that ɛ = 1/2 for all. For this code, m = 4, n = 10, a = 6, so a(m 1) m(n 1) = = 1 2 and the code is R-optimal.

17 Thank you! Combinatorial Characterizations of Algebraic Manipulation Detection Codes Involving Generalized Difference Families Maura B. Paterson, Douglas R. Stinson