A TWOOA Construction for Multi-Receiver Multi-Message Authentication Codes
R. Fuji-Hara, Graduate School of Systems and Information Engineering, University of Tsukuba, Tsukuba, Japan
X. Li, Department of Mathematics, Guangxi Normal University, Guilin, China
Y. Miao, Graduate School of Systems and Information Engineering, University of Tsukuba, Tsukuba, Japan
D. Wu, Department of Mathematics, Guangxi Normal University, Guilin, China

In Memory of Professor Jacobus Hendricus van Lint

Abstract

A (k, n; w) multi-receiver multi-message authentication code allows a transmitter to broadcast up to w − 1 different authenticated messages to n receivers in such a way that (1) neither an opponent nor any coalition of up to k − 1 receivers can cheat any other receiver, and (2) all the receivers can independently verify the authenticity of the messages. Obana and Kurosawa (Designs, Codes and Cryptography 22 (2001), 47-63) used a special pair of orthogonal arrays, called a TWOOA, to construct a (k, n; 2) multi-receiver single-message authentication code. In this paper, we generalize the notion of a TWOOA, and then use this generalized TWOOA to construct a (k, n; w) multi-receiver multi-message authentication code, which exceeds that of Safavi-Naini and Wang (Proc. of Eurocrypt 98, LNCS 1403, Springer, 1998) at least in the numbers of receivers and authenticated messages. The structures of TWOOAs are investigated. Two constructions for TWOOAs are also provided.

Corresponding author. Research supported in part by Guangxi Science Foundation and the Education Department of Guangxi Province.
Keywords: Authentication code, multi-message, multi-receiver, TWOOA

1 Introduction

The notion of an authentication code (A-code) was invented by Gilbert, MacWilliams and Sloane [3] in 1974, and the game-theoretic model of an A-code was developed by Simmons [11] in 1984. A conventional A-code involves three active parties: a transmitter T, a receiver R, and an opponent O. The transmitter T transmits messages to the receiver R using a public communication channel. The opponent O has access to this channel and can interfere with the contents of cryptograms transmitted via this channel. In Simmons' model, the transmitter T and the receiver R share a common encoding rule (or key) e belonging to some key space E, and are both assumed honest. Given a source state (or plaintext) s from some source state space S, the transmitter T computes an authenticated message m = f(e, s) ∈ M, where f is an authentication function and M is the message space, and then sends m ∈ M to the receiver R. The receiver R can verify its authenticity using his/her knowledge of the key e ∈ E shared with the transmitter T.

An A-code C can be represented by a quadruple (S, M, E, f), where S is a source state space, M is a message space, E is a key space, and f is a mapping from E × S to M such that f(e, s) = m and f(e, s′) = m imply s = s′. In a systematic Cartesian A-code, the authenticated message m ∈ M corresponding to a source state s ∈ S using e ∈ E is the concatenation m = (s, a) of the source state s ∈ S and an authenticator a ∈ A, that is, M = S × A, where A is the authenticator space. The receiver R will detect a fraudulent message (s, a) ∈ M if the authenticator that he/she calculates for s ∈ S using his/her key e ∈ E shared with the transmitter T is different from the received authenticator a ∈ A. We will mainly investigate systematic Cartesian A-codes in this paper.

The notion of a conventional A-code can be easily generalized (see, for example, [12]) to the case where the key e ∈ E can be used to encrypt up to w − 1 consecutive different source states, where w ≥ 2 is some fixed integer. That is, for u, 1 ≤ u ≤ w − 1, consecutive different source states s_1, …, s_u ∈ S, the transmitter T computes their corresponding messages m_1, …, m_u ∈ M, where m_j = f(e, s_j), 1 ≤ j ≤ u, and then sends m_1, …, m_u to the receiver R through a public communication channel. We ignore the order in which the messages are sent through the channel, and the order in which the corresponding source states occur. We use ($\binom{S}{\le w-1}$, $\binom{M}{\le w-1}$, E, f) to denote such a multi-message A-code, where $\binom{N}{\le n}$ denotes the set of all subsets of N with cardinality less than or equal to n.
The notion of a multi-receiver A-code was introduced by Desmedt, Frankel and Yung [2] as another generalization of that of a conventional A-code. In a (k, n) multi-receiver A-code, there are n + 2 parties altogether: a transmitter T, n receivers R_1, …, R_n, and an opponent O. The transmitter T has a key e_T ∈ E_T and each receiver R_i has a key e_i ∈ E_i, 1 ≤ i ≤ n. For a source state s ∈ S, the transmitter T computes a message m = f(e_T, s) ∈ M, and then sends m ∈ M to the receivers through a public communication channel. Each receiver R_i accepts or rejects m by verifying m according to e_i ∈ E_i. It is assumed that at most k − 1 receivers are malicious and can collude with the opponent O to cheat other receivers. We should note that in Desmedt, Frankel and Yung's model of a multi-receiver A-code, the security analysis is only for a single message transmission, and for a second message no protection is guaranteed.

To provide protection for the transmission of multiple messages, we need to further generalize the above two generalizations to a (k, n; w) multi-receiver multi-message A-code in the following way. Let C_T = ($\binom{S}{\le w-1}$, $\binom{M}{\le w-1}$, E_T, f_T) and C_i = ($\binom{S}{\le w-1}$, $\binom{M_i}{\le w-1}$, E_i, f_i), i = 1, 2, …, n, be multi-message A-codes. We say that (C_T; C_1, …, C_n) is a (k, n; w) multi-receiver multi-message A-code ($\binom{S}{\le w-1}$, $\binom{M}{\le w-1}$, E_T, E_1, …, E_n, f_T, f_1, …, f_n) if the following two conditions are satisfied.

(C1) There are at most k − 1 malicious receivers.

(C2) There exist two mappings τ : E_T → E_1 × ⋯ × E_n and π : $\binom{M}{\le w-1}$ → $\binom{M_1}{\le w-1}$ × ⋯ × $\binom{M_n}{\le w-1}$ such that for any (e_T, {s_1, …, s_u}) ∈ E_T × $\binom{S}{\le w-1}$, 1 ≤ u ≤ w − 1, and any 1 ≤ i ≤ n,

p_i(π f_T(e_T, {s_1, …, s_u})) = f_i (p_i τ × Id)(e_T, {s_1, …, s_u}),

where (p_i τ × Id) is defined by (p_i τ × Id)(e_T, {s_1, …, s_u}) = (p_i τ(e_T), Id({s_1, …, s_u})) = (e_i, {s_1, …, s_u}).

Let π_i = p_i π and τ_i = p_i τ. Then we have π_i f_T(e_T, {s_1, …, s_u}) = f_i (τ_i × Id)(e_T, {s_1, …, s_u}) for any (e_T, {s_1, …, s_u}) ∈ E_T × $\binom{S}{\le w-1}$. We assume that for each i the mappings τ_i : E_T → E_i and π_i : $\binom{M}{\le w-1}$ → $\binom{M_i}{\le w-1}$ are surjective. We also assume that for each C_i the probability distribution on the source states of C_i is the same as that in C_T, and the probability distribution on E_i is derived from that of E_T and the mapping τ_i. Each receiver R_i accepts or rejects m_j by verifying m_j individually according to e_i ∈ E_i. We also adopt Kerckhoffs' principle that everything in the A-code except the actual keys of the transmitter and receivers is public.

Malicious receivers can collude with the opponent O to cheat other receivers, after observing u, 0 ≤ u ≤ w − 1, transmitted different messages authenticated using the same key e_T, by inserting a new message of their own choosing, hoping to have it accepted by other receivers as authentic; this was termed spoofing of order u by Massey in [7]. The deception probability P_{d_u}, 0 ≤ u ≤ w − 1, is the probability that the malicious receivers and the opponent O will succeed in deceiving other receivers with an order u spoofing attack. An order 0 spoofing attack is usually called an impersonation attack, and an order 1 spoofing attack is usually called a substitution attack.

We define P_{d_u} of such a (k, n; w) multi-receiver multi-message A-code in the following way. For a set R = {R_{i_1}, …, R_{i_j}} of receivers, let e(R) = {{e_{i_1}, …, e_{i_j}} : e_{i_1} ∈ E_{i_1}, …, e_{i_j} ∈ E_{i_j}} denote the set of possible keys of R. Let C_{R_i} = {R : R ⊆ {R_1, …, R_n} \ {R_i}, 0 ≤ |R| ≤ k − 1} denote the family of sets of at most k − 1 receivers who may try to cheat receiver R_i. If R = ∅, we consider that an opponent O tries to cheat receiver R_i. Suppose that after observing u, 0 ≤ u ≤ w − 1, transmitted consecutive different messages {m_1, …, m_u} which are authenticated using the same key e_T ∈ E_T, R ∈ C_{R_i} try to cheat receiver R_i by inserting a new message m, where R have {e_{i_1}, …, e_{i_j}} as their keys. Their best strategy is to send m such that each key of {e_{i_1}, …, e_{i_j}} accepts m and Pr(R_i accepts m | R have {e_{i_1}, …, e_{i_j}} accepting m, T sent {m_1, …, m_u}) is the maximum possible, for 0 ≤ u ≤ w − 1. More precisely, for 0 ≤ u ≤ w − 1, the order u spoofing attack probability P_{d_u} of a (k, n; w) multi-receiver multi-message A-code in which the key e_T ∈ E_T is used to authenticate up to w − 1 consecutive different source states is defined as follows:

P_{d_u} = max_{R_i} max_{R ∈ C_{R_i}} max_{{e_{i_1}, …, e_{i_j}} ∈ e(R)} max_{m, m_l, m ≠ m_l, l = 1, …, u} Pr(R_i accepts m | R have {e_{i_1}, …, e_{i_j}} accepting m, T sent {m_1, …, m_u}),

where the source states of m and {m_1, …, m_u} are different. In fact, when we compute the deception probabilities P_{d_u}, we need only consider coalitions of receivers of maximum size, that is, sets of k − 1 malicious receivers, since they are at least as powerful as any other collusion.

In this paper, we use a combinatorial structure called a TWOOA to construct unconditionally secure multi-receiver multi-message A-codes, that is, for any 1 ≤ u ≤ w − 1, the probability that the malicious receivers and the opponent will succeed in deceiving other receivers with an order u spoofing attack is the same as that with random guessing. A TWOOA is a pair of orthogonal arrays satisfying a certain condition described in Section 3. The notion of a TWOOA with the strength of the second orthogonal array being 2 was introduced by Kurosawa and Obana [5, 8], and was used to construct an unconditionally secure multi-receiver single-message A-code. In this paper, we first review Safavi-Naini and Wang's polynomial construction [9, 10] for multi-receiver multi-message A-codes, then we generalize the notion of a TWOOA to the case where the strength of the second orthogonal array can be any integer w ≥ 2, and then use these generalized TWOOAs to construct multi-receiver multi-message A-codes. Upper bounds on the numbers of columns in a TWOOA are determined. A direct construction and a product construction for TWOOAs are also presented. These constructions give infinite classes of TWOOAs meeting the upper bounds. As an immediate consequence, our multi-receiver multi-message A-codes are better than Safavi-Naini and Wang's in terms of the numbers of receivers and source states.

2 DFY Polynomial Scheme and its Extension

In this section, we briefly review the well-known DFY polynomial scheme due to Desmedt, Frankel and Yung [2], and describe its extension to the multiple message model due to Safavi-Naini and Wang [9, 10].

In 1992, Desmedt, Frankel and Yung [2] proposed a (k, n; 2) multi-receiver single-message A-code (called the DFY polynomial scheme) as follows. Assume that there are a transmitter T, n receivers R_1, …, R_n, and an opponent O. Let q ≥ n be a prime, and let P_{k−1}[x] = {a_0 + a_1 x + ⋯ + a_{k−1} x^{k−1} : a_i ∈ GF(q), 0 ≤ i ≤ k − 1}. The key for T consists of two random polynomials P_1(x), P_2(x) ∈ P_{k−1}[x]. The key for R_i consists of (P_1(i), P_2(i)) ∈ GF(q)^2. For a source state s ∈ GF(q), T broadcasts (s, M_s(x)) where M_s(x) = P_1(x) + s P_2(x) ∈ P_{k−1}[x]. Each R_i accepts (s, M_s(x)) as authentic if and only if M_s(i) = P_1(i) + s P_2(i). It is proved in [2] that in this scheme, the impersonation attack probability P_{d_0} and the substitution attack probability P_{d_1} are both equal to 1/q, which means that the above DFY polynomial scheme is an unconditionally secure (k, n; 2) multi-receiver single-message A-code.

Six years later, Safavi-Naini and Wang [9, 10] extended the above DFY polynomial scheme to the multi-message model in which each key of T can be used to authenticate up to w − 1 consecutive different source states. In their extended scheme, the key for T consists of w random polynomials P_1(x), …, P_w(x) ∈ P_{k−1}[x], and the key for each R_i consists of (P_1(x_i), …, P_w(x_i)) ∈ GF(q)^w, where x_i ∈ GF(q) is the public information of R_i. For a source state s ∈ GF(q), T broadcasts (s, M_s(x)) where M_s(x) = P_1(x) + s P_2(x) + ⋯ + s^{w−1} P_w(x) ∈ P_{k−1}[x]. Each R_i accepts (s, M_s(x)) as authentic if and only if M_s(x_i) = P_1(x_i) + s P_2(x_i) + ⋯ + s^{w−1} P_w(x_i). It is proved in [9] that this extended scheme is a (k, n; w) multi-receiver multi-message A-code in which every key of T can be used to authenticate up to w − 1 consecutive different source states. It is also proved in [9] that for 0 ≤ i ≤ w − 1, the order i spoofing attack probability P_{d_i} is equal to 1/q, which means that Safavi-Naini and Wang's extended DFY polynomial scheme is an unconditionally secure (k, n; w) multi-receiver multi-message A-code. We should emphasize that in Safavi-Naini and Wang's extended DFY polynomial scheme, the numbers of possible receivers and source states are both not greater than q.

3 TWOOA: Definition and Preliminary Results

In this section, we introduce the notion of a TWOOA and show some of its elementary properties. We first recall that an orthogonal array OA_λ(k, l, n), with strength k, is a λl^k × n array of l symbols such that, in any k columns of the array, every one of the possible l^k k-tuples of symbols occurs in exactly λ rows of the array. If λ = 1, this array is usually denoted briefly by OA(k, l, n).

Let L_1 = (a_{ij}) be an OA(k, t^w, n). Let 1 ≤ u ≤ w − 1, and let C = (c_{ij}) be a t^{wk} × u array of t^k symbols. Let Q be the set of row vectors of C. For α ∈ Q, suppose that C_{i_1} = ⋯ = C_{i_h} = α, where C_{i_j} = (c_{i_j 1}, …, c_{i_j u}) is the i_j-th row vector of C. Define B(α) to be the h × n sub-array of L_1 which consists of the i_j-th rows of L_1 for j = 1, …, h. We say that L_1 and C are friendly if every column of B(α) contains exactly t^{w−u} different symbols for any α ∈ Q. Suppose L_1 is an OA(k, t^w, n) and L_2 is an OA(w, t^k, m). Then L = L_1 ‖ L_2 is said to be a TWOOA(k, t^w, n; w, t^k, m) if L_1 and any t^{wk} × u sub-array, 1 ≤ u ≤ w − 1, of L_2 are friendly, where ‖ denotes concatenation.

The notion of a TWOOA with w = 2 was first introduced by Kurosawa and Obana [5, 8] to characterize and construct a (k, n; 2) multi-receiver single-message A-code in which the key e_T of T is used to authenticate a single source state. In this paper, we use the generalized TWOOA(k, t^w, n; w, t^k, m) to construct a (k, n; w) multi-receiver multi-message A-code in which the key e_T can be used to authenticate up to w − 1 consecutive different source states. We first show that Safavi-Naini and Wang's extended DFY polynomial scheme in fact forms a TWOOA.

Theorem 3.1 For any prime q and for any two positive integers n, w satisfying max{n, w} ≤ q, there exists a TWOOA(k, q^w, n; w, q^k, q).
Proof Let q ≥ max{n, w} be a prime number, and P_{k−1}[x] = {a_0 + a_1 x + ⋯ + a_{k−1} x^{k−1} : a_i ∈ GF(q), 0 ≤ i ≤ k − 1}. Let P_{ij}(x) ∈ P_{k−1}[x] for 1 ≤ i ≤ q^{wk}, 1 ≤ j ≤ w, and let x_1, …, x_n be n different elements of GF(q). Define L_1 as follows:

$$L_1 = \begin{pmatrix}
(P_{11}(x_1), \ldots, P_{1w}(x_1)) & (P_{11}(x_2), \ldots, P_{1w}(x_2)) & \cdots & (P_{11}(x_n), \ldots, P_{1w}(x_n)) \\
(P_{21}(x_1), \ldots, P_{2w}(x_1)) & (P_{21}(x_2), \ldots, P_{2w}(x_2)) & \cdots & (P_{21}(x_n), \ldots, P_{2w}(x_n)) \\
\vdots & \vdots & & \vdots \\
(P_{q^{wk}1}(x_1), \ldots, P_{q^{wk}w}(x_1)) & (P_{q^{wk}1}(x_2), \ldots, P_{q^{wk}w}(x_2)) & \cdots & (P_{q^{wk}1}(x_n), \ldots, P_{q^{wk}w}(x_n))
\end{pmatrix},$$

where the l-th column is labeled by the element x_l ∈ GF(q). Define L_2 as follows:

$$L_2 = \begin{pmatrix}
P_{11}(x) & \cdots & P_{11}(x) + \cdots + s^{w-1} P_{1w}(x) & \cdots & P_{11}(x) + \cdots + (q-1)^{w-1} P_{1w}(x) \\
P_{21}(x) & \cdots & P_{21}(x) + \cdots + s^{w-1} P_{2w}(x) & \cdots & P_{21}(x) + \cdots + (q-1)^{w-1} P_{2w}(x) \\
\vdots & & \vdots & & \vdots \\
P_{q^{wk}1}(x) & \cdots & P_{q^{wk}1}(x) + \cdots + s^{w-1} P_{q^{wk}w}(x) & \cdots & P_{q^{wk}1}(x) + \cdots + (q-1)^{w-1} P_{q^{wk}w}(x)
\end{pmatrix},$$

where the (s + 1)-th column is labeled by the element s ∈ GF(q). The rows of L_1 and L_2 are both labeled by (P_{i1}(x), …, P_{iw}(x)) for 1 ≤ i ≤ q^{wk}. By the Lagrange interpolation formula for polynomials, we immediately know that L_1 is an orthogonal array OA(k, q^w, n). Since the coefficient matrix

$$\begin{pmatrix} 1 & s_1 & \cdots & s_1^{w-1} \\ 1 & s_2 & \cdots & s_2^{w-1} \\ \vdots & \vdots & & \vdots \\ 1 & s_w & \cdots & s_w^{w-1} \end{pmatrix}$$

is a Vandermonde matrix, we also know that L_2 is an orthogonal array OA(w, q^k, q). Now we prove that for any u, 1 ≤ u ≤ w − 1, L_1 and any q^{wk} × u sub-array of L_2 are friendly. Choose any u columns of L_2, say the s_1-th, …, s_u-th columns, and then fix arbitrarily one of their row u-vectors, say (Q_1(x), …, Q_u(x)). Then again from the coefficient matrix

$$\begin{pmatrix} 1 & s_1 & \cdots & s_1^{w-1} \\ 1 & s_2 & \cdots & s_2^{w-1} \\ \vdots & \vdots & & \vdots \\ 1 & s_u & \cdots & s_u^{w-1} \end{pmatrix}$$

we can determine exactly u polynomials among P_{i1}(x), …, P_{iw}(x) ∈ P_{k−1}[x] such that (P_{i1}(x) + ⋯ + s_1^{w−1} P_{iw}(x), …, P_{i1}(x) + ⋯ + s_u^{w−1} P_{iw}(x)) = (Q_1(x), …, Q_u(x)). For any column x_l of L_1, the number of different symbols (P_{i1}(x_l), …, P_{iw}(x_l)) in such rows (P_{i1}(x), …, P_{iw}(x)) is clearly q^{w−u}. This completes the proof.

We remark that the case w = 2 in Theorem 3.1 was first proved in [8]. The following are some elementary properties of TWOOAs which are indispensable to our later discussions.
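The polynomial TWOOA of Theorem 3.1 for small parameters, checked directly against the Section 3 definition (L_1 and L_2 are orthogonal arrays, and L_1 is friendly with every u-column sub-array of L_2). This is an added example, not code from the paper; it assumes q prime, represents every polynomial of P_{k−1}[x] by its coefficient tuple, and checks q = 3 with k = 2 and w = 2, 3.

```python
from itertools import product, combinations
from collections import Counter


def poly_eval(coeffs, x, q):
    """Evaluate a_0 + a_1 x + ... + a_{k-1} x^{k-1} over GF(q), q prime."""
    return sum(a * pow(x, i, q) for i, a in enumerate(coeffs)) % q


def polynomial_twooa(q, k, w, xs):
    """Theorem 3.1: rows are the keys (P_1, ..., P_w) with P_j in P_{k-1}[x].
    Column x_l of L1 holds (P_1(x_l), ..., P_w(x_l)); column s of L2 holds the
    coefficient vector of P_1(x) + s P_2(x) + ... + s^{w-1} P_w(x)."""
    polys = list(product(range(q), repeat=k))     # coefficient tuples a_0..a_{k-1}
    L1, L2 = [], []
    for key in product(polys, repeat=w):           # key = (P_1, ..., P_w)
        L1.append(tuple(tuple(poly_eval(P, x, q) for P in key) for x in xs))
        L2.append(tuple(
            tuple(sum(pow(s, j, q) * key[j][i] for j in range(w)) % q
                  for i in range(k))
            for s in range(q)))
    return L1, L2


def is_oa(L, strength, levels):
    """OA(strength, levels, n) with lambda = 1: every column uses exactly
    `levels` symbols, and in any `strength` columns every tuple occurs once."""
    n = len(L[0])
    if any(len({row[j] for row in L}) != levels for j in range(n)):
        return False
    for cols in combinations(range(n), strength):
        cnt = Counter(tuple(row[c] for c in cols) for row in L)
        if len(cnt) != levels ** strength or set(cnt.values()) != {1}:
            return False
    return True


def is_friendly(L1, L2, cols, t, w):
    """Friendship of L1 with the sub-array C of L2 on `cols` (u = len(cols)):
    for every row vector alpha of C, each column of B(alpha), the rows of L1
    where C equals alpha, contains exactly t^(w-u) different symbols."""
    u = len(cols)
    groups = {}
    for row1, row2 in zip(L1, L2):
        groups.setdefault(tuple(row2[c] for c in cols), []).append(row1)
    return all(len({r[j] for r in rows}) == t ** (w - u)
               for rows in groups.values() for j in range(len(L1[0])))


def is_twooa(L1, L2, k, w, t):
    """L1 || L2 is a TWOOA(k, t^w, n; w, t^k, m): both are orthogonal arrays and
    L1 is friendly with every u-column sub-array of L2, 1 <= u <= w-1."""
    m = len(L2[0])
    return (is_oa(L1, k, t ** w) and is_oa(L2, w, t ** k)
            and all(is_friendly(L1, L2, cols, t, w)
                    for u in range(1, w) for cols in combinations(range(m), u)))


if __name__ == "__main__":
    L1, L2 = polynomial_twooa(3, 2, 2, [0, 1, 2])   # TWOOA(2, 9, 3; 2, 9, 3)
    print(len(L1), "rows, TWOOA:", is_twooa(L1, L2, 2, 2, 3))
```

Replacing L2 by a second copy of L1 is an easy negative check: both halves are still orthogonal arrays, but the friendship condition fails.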
Let L = L_1 ‖ L_2 be a TWOOA(k, t^w, n; w, t^k, m), where L_1 = (a_{ij}) is an OA(k, t^w, n) based on a t^w-set U, L_2 = (b_{ih}) is an OA(w, t^k, m) based on a t^k-set V, 1 ≤ i ≤ t^{wk}, 1 ≤ j ≤ n, and 1 ≤ h ≤ m. For any u columns h_1, …, h_u of L_2, and for any u-tuple (b_1, …, b_u) ∈ V^u, define

R(h_1, …, h_u; b_1, …, b_u) = {i : (b_{ih_1}, …, b_{ih_u}) = (b_1, …, b_u), 1 ≤ i ≤ t^{wk}}.

For any r columns j_1, …, j_r of L_1, we further define C(j_1, …, j_r; h_1, …, h_u; b_1, …, b_u) to be the collection of r-tuples (a_{ij_1}, …, a_{ij_r}) ∈ U^r for all i ∈ R(h_1, …, h_u; b_1, …, b_u).

Lemma 3.2 Let 1 ≤ r ≤ k and 1 ≤ u ≤ w. Then there are exactly t^{r(w−u)} different r-tuples (a_{ij_1}, …, a_{ij_r}) ∈ U^r in any C(j_1, …, j_r; h_1, …, h_u; b_1, …, b_u) of a TWOOA(k, t^w, n; w, t^k, m), where every r-tuple occurs exactly t^{(k−r)(w−u)} times.

Proof It is easy to see that |R(h_1, …, h_u; b_1, …, b_u)| = t^{k(w−u)} since L_2 is an OA(w, t^k, m). First we consider the case 1 ≤ u ≤ w − 1. In this case, since L is a TWOOA(k, t^w, n; w, t^k, m), every C(j_v; h_1, …, h_u; b_1, …, b_u) has exactly t^{w−u} different symbols for any 1 ≤ v ≤ r, which implies that any C(j_1, …, j_r; h_1, …, h_u; b_1, …, b_u) has at most t^{r(w−u)} different r-tuples of U^r. Therefore we need only to prove that every r-tuple in C(j_1, …, j_r; h_1, …, h_u; b_1, …, b_u) occurs exactly t^{(k−r)(w−u)} times. If this is not the case, then there must exist at least one r-tuple α = (a_1, …, a_r) ∈ C(j_1, …, j_r; h_1, …, h_u; b_1, …, b_u) such that α occurs f times, where f > t^{(k−r)(w−u)}. If r = k, then this means that there exists a k-tuple α of U^k which occurs more than once, a contradiction to the fact that L_1 is an OA(k, t^w, n). If 1 ≤ r ≤ k − 1, then for any other k − r columns j′_1, …, j′_{k−r} of L_1, in a similar way we can also see that C(j′_1, …, j′_{k−r}; h_1, …, h_u; b_1, …, b_u) has at most t^{(k−r)(w−u)} different (k − r)-tuples of U^{k−r}. This implies that C(j_1, …, j_r, j′_1, …, j′_{k−r}; h_1, …, h_u; b_1, …, b_u) has repeated k-tuples, again a contradiction to the fact that L_1 is an OA(k, t^w, n). So we know that the assertion holds for 1 ≤ u ≤ w − 1.

Next we consider the case u = w. In this case, |R(h_1, …, h_w; b_1, …, b_w)| = 1 for any w columns h_1, …, h_w of L_2 and for any w-tuple (b_1, …, b_w) ∈ V^w. So there is only one r-tuple in any C(j_1, …, j_r; h_1, …, h_w; b_1, …, b_w) of a TWOOA(k, t^w, n; w, t^k, m), and it occurs only once. This completes the proof.

For any r, 1 ≤ r ≤ k − 1, columns j_1, …, j_r of L_1 and for any r-tuple (a_1, …, a_r) ∈ U^r, define

R′(j_1, …, j_r; a_1, …, a_r) = {i : (a_{ij_1}, …, a_{ij_r}) = (a_1, …, a_r), 1 ≤ i ≤ t^{wk}}.

It is easy to see that |R′(j_1, …, j_r; a_1, …, a_r)| = t^{w(k−r)} since L_1 is an OA(k, t^w, n). For any column h of L_2, we further define B(j_1, …, j_r; a_1, …, a_r; h) to be the collection of b_{ih} ∈ V for all i ∈ R′(j_1, …, j_r; a_1, …, a_r). We have the following result.

Lemma 3.3 B(j_1, …, j_r; a_1, …, a_r; h) contains exactly t^{k−r} different symbols.
Proof Since |R′(j_1, …, j_r; a_1, …, a_r)| = t^{w(k−r)}, we need only to prove that every distinct symbol in B(j_1, …, j_r; a_1, …, a_r; h) occurs exactly t^{(w−1)(k−r)} times. If this is not the case, then there must exist at least one b ∈ B(j_1, …, j_r; a_1, …, a_r; h) such that b occurs f ≠ t^{(w−1)(k−r)} times. Then the r-tuple (a_1, …, a_r) ∈ U^r will occur exactly f ≠ t^{(k−r)(w−1)} times in C(j_1, …, j_r; h; b), a contradiction to Lemma 3.2. This completes the proof.

This immediately implies the following result, which means that friendship is a symmetric property.

Corollary 3.4 L = L_1 ‖ L_2 is a TWOOA(k, t^w, n; w, t^k, m) if and only if L′ = L_2 ‖ L_1 is a TWOOA(w, t^k, m; k, t^w, n).

Proof The assertion comes from the definition of a TWOOA and Lemma 3.3.

4 A Construction for A-Codes from TWOOAs

Now we describe how to use a TWOOA(k, t^w, n; w, t^k, m) to construct a (k, n; w) multi-receiver multi-message A-code.

Theorem 4.1 If there exists a TWOOA(k, t^w, n; w, t^k, m), then there exists an unconditionally secure systematic Cartesian (k, n; w) multi-receiver multi-message A-code ($\binom{S}{\le w-1}$, $\binom{M}{\le w-1}$, E_T, E_1, …, E_n, f_T, f_1, …, f_n), with |M| = t^k |S|, where each key of the transmitter T is used with equal probability.

Proof Let L = L_1 ‖ L_2 be a TWOOA(k, t^w, n; w, t^k, m), where L_1 is an OA(k, t^w, n) based on a t^w-set U and L_2 is an OA(w, t^k, m) based on a t^k-set V. Let e_T, 1 ≤ e_T ≤ t^{wk}, be the indices of the row vectors of L (and thus of both L_1 and L_2). Let j, 1 ≤ j ≤ n, be the indices of the columns of L_1, and s ∈ S be the indices of the columns of L_2. For a source state s ∈ S, the transmitter T computes f_T(e_T, s) = (s, a) ∈ M such that the authenticator a ∈ A is the (e_T, s)-th element of L_2, and then broadcasts the authenticated message m = (s, a) ∈ M to the receivers. The corresponding decoding rule e_j ∈ E_j of receiver R_j is the (e_T, j)-th element of L_1. Receiver R_j accepts m = (s, a) as authentic if and only if there exists e_T ∈ E_T such that (1) the (e_T, s)-th element of L_2 is a ∈ A, and (2) the (e_T, j)-th element of L_1 is e_j ∈ E_j. The mappings f_1, …, f_n can be defined in an obvious way.

Suppose that each key e_T ∈ E_T of the transmitter T is used with equal probability. Then for any 1 ≤ r ≤ k − 1 and any 1 ≤ j_1, …, j_r ≤ n, any set of possible keys {e_{j_1}, …, e_{j_r}}, where e_{j_1} ∈ E_{j_1}, …, e_{j_r} ∈ E_{j_r}, will also occur with equal probability over U^r. From the definition of the deception probability, for any receiver R_i, 1 ≤ i ≤ n, we need only to consider the case R ∈ C_{R_i} such that |R| = k − 1. For any {e_{j_1}, …, e_{j_{k−1}}} ∈ e(R), define

F(e_{j_1}, …, e_{j_{k−1}}) = {e_T ∈ E_T : E_{j_1} = e_{j_1}, …, E_{j_{k−1}} = e_{j_{k−1}}}.

Then |F(e_{j_1}, …, e_{j_{k−1}})| = t^w. For any u, 1 ≤ u ≤ w − 1, consecutive different source states s_1, …, s_u, we further define

F_i(e_{j_1}, …, e_{j_{k−1}}; (s_1, a_1), …, (s_u, a_u)) = {e_T ∈ E_T : E_{j_1} = e_{j_1}, …, E_{j_{k−1}} = e_{j_{k−1}}, and e_i accepts (s_1, a_1), …, (s_u, a_u)}.

Then from Corollary 3.4 and Lemma 3.2, we know that |F_i(e_{j_1}, …, e_{j_{k−1}}; (s_1, a_1), …, (s_u, a_u))| = t^{w−u}. The deception probabilities in this case can then be easily computed as follows:

P_{d_0} = max_{(s_1, a_1)} |F_i(e_{j_1}, …, e_{j_{k−1}}; (s_1, a_1))| / |F(e_{j_1}, …, e_{j_{k−1}})| = t^{w−1} / t^w = 1/t,

P_{d_u} = max_{(s_1, a_1), …, (s_{u+1}, a_{u+1})} |F_i(e_{j_1}, …, e_{j_{k−1}}; (s_1, a_1), …, (s_{u+1}, a_{u+1}))| / |F(e_{j_1}, …, e_{j_{k−1}}; (s_1, a_1), …, (s_u, a_u))| = t^{w−u−1} / t^{w−u} = 1/t,

P_{d_{w−1}} = max_{(s_1, a_1), …, (s_w, a_w)} |F_i(e_{j_1}, …, e_{j_{k−1}}; (s_1, a_1), …, (s_w, a_w))| / |F(e_{j_1}, …, e_{j_{k−1}}; (s_1, a_1), …, (s_{w−1}, a_{w−1}))| = t^{w−w} / t^{w−w+1} = 1/t.

Now for any k − 1 columns j_1, …, j_{k−1} of L_1 = (b_{e_T, j}), and for any e_{j_1} ∈ E_{j_1}, …, e_{j_{k−1}} ∈ E_{j_{k−1}}, we define

R(j_1, …, j_{k−1}; e_{j_1}, …, e_{j_{k−1}}) = {e_T ∈ E_T : b_{e_T, j_1} = e_{j_1}, …, b_{e_T, j_{k−1}} = e_{j_{k−1}}}.

For any u, 1 ≤ u ≤ w − 1, columns s_1, …, s_u of L_2 = (a_{e_T, s}), we further define C(j_1, …, j_{k−1}; e_{j_1}, …, e_{j_{k−1}}; s_1, …, s_u) to be the collection of u-tuples (a_1, …, a_u) ∈ V^u for all e_T ∈ R(j_1, …, j_{k−1}; e_{j_1}, …, e_{j_{k−1}}). Then from Corollary 3.4 and Lemma 3.2, we know that there are exactly t^u different u-tuples (a_1, …, a_u) ∈ V^u in any C(j_1, …, j_{k−1}; e_{j_1}, …, e_{j_{k−1}}; s_1, …, s_u), where every u-tuple occurs exactly t^{w−u} times, and there are exactly t^{u+1} distinct (u + 1)-tuples (a_1, …, a_{u+1}) ∈ V^{u+1} in any C(j_1, …, j_{k−1}; e_{j_1}, …, e_{j_{k−1}}; s_1, …, s_{u+1}), where every (u + 1)-tuple occurs exactly t^{w−u−1} times. So the probability of the k − 1 malicious receivers correctly guessing the authenticator a_{u+1} for the source state s_{u+1} is 1/t. This means that our A-code is unconditionally secure. The proof is then completed.
5 Upper Bounds on TWOOA(k, t^w, n; w, t^k, m)

In this section, we further investigate the structure of a TWOOA(k, t^w, n; w, t^k, m) to derive some upper bounds on the column numbers n and m. Once again we let L = L_1 ‖ L_2 be a TWOOA(k, t^w, n; w, t^k, m), where L_1 = (a_{ij}) is an OA(k, t^w, n) based on a t^w-set U, L_2 = (b_{ih}) is an OA(w, t^k, m) based on a t^k-set V, 1 ≤ i ≤ t^{wk}, 1 ≤ j ≤ n, and 1 ≤ h ≤ m. Arbitrarily choose a symbol a ∈ U and the first k − 1 columns of L_1, and define S(a) = {i : (a_{i1}, …, a_{i,k−1}) = (a, …, a), 1 ≤ i ≤ t^{wk}}. It is easy to see that |S(a)| = t^w since L_1 is an OA(k, t^w, n). Define M(a) to be the t^w × m sub-array of L_2 which consists of the i-th rows of L_2 for all i ∈ S(a). We have the following result.

Lemma 5.1 M(a) is an OA(w, t, m).

Proof Applying Lemma 3.2 with r = k − 1, we can see that in any u, 1 ≤ u ≤ w, columns of M(a), if some u-tuple of V^u occurs, then it occurs exactly t^{w−u} times. If this is not the case, then there must exist at least one u-tuple α = (b_1, …, b_u) ∈ V^u in some u columns, say h_1, …, h_u, of M(a) such that α occurs f ≠ t^{w−u} times. Then the (k − 1)-tuple (a, …, a) ∈ U^{k−1} will occur exactly f ≠ t^{(k−(k−1))(w−u)} times in C(1, …, k − 1; h_1, …, h_u; b_1, …, b_u), a contradiction to Lemma 3.2. It follows that any u columns of M(a) contain exactly t^u different u-tuples, each of which occurs exactly t^{w−u} times. Taking u = 1, we immediately know that every column of M(a) contains exactly t different symbols of V. Without loss of generality, we may assume that these symbols belong to the same t-subset of V. Since L_2 is an OA(w, t^k, m), this forces M(a) to be an OA(w, t, m).

Similarly, we arbitrarily choose a symbol b ∈ V and the first w − 1 columns of L_2, and define T(b) = {i : (b_{i1}, …, b_{i,w−1}) = (b, …, b), 1 ≤ i ≤ t^{wk}}. It is clear that |T(b)| = t^k since L_2 is an OA(w, t^k, m). Define N(b) to be the t^k × n sub-array of L_1 consisting of the i-th rows of L_1 for all i ∈ T(b). Then by Lemma 3.2 with u = w − 1, we know that any r columns of N(b) contain exactly t^r different r-tuples of U^r, each of which occurs exactly t^{k−r} times. Taking r = 1, we immediately know that every column of N(b) contains exactly t different symbols of U. Without loss of generality, we may assume that the symbols from every column of N(b) belong to the same t-subset of U. Since L_1 is an OA(k, t^w, n), this forces N(b) to be an OA(k, t, n).

Lemma 5.2 N(b) is an OA(k, t, n).
The following bound on the column number of an orthogonal array can be found in [1, p. 180, Theorem 5.12].

Lemma 5.3 (Bush bound) For k > 1, if there exists an OA(k, t, n), then n ≤ B(k, t), where

$$B(k, t) = \begin{cases} t + 1, & \text{if } k = 2, \\ t + k - 1, & \text{if } t \text{ is even and } 3 \le k < t, \\ t + k - 2, & \text{if } t \text{ is odd and } 3 \le k < t, \\ k + 1, & \text{if } k \ge t. \end{cases}$$

Then we immediately obtain the following upper bounds on the column numbers m and n of a TWOOA(k, t^w, n; w, t^k, m).

Theorem 5.4 If there exists a TWOOA(k, t^w, n; w, t^k, m), then n ≤ B(k, t) and m ≤ B(w, t).

Proof If there exists a TWOOA(k, t^w, n; w, t^k, m), then from Lemmas 5.1 and 5.2, there exist both an OA(k, t, n) and an OA(w, t, m). The conclusion then follows from Lemma 5.3.

The above upper bounds on the column numbers n and m of a TWOOA(k, t^w, n; w, t^k, m) with w = 2 were first derived by Wu and Zhu in [13].

6 Constructions for TWOOAs

Several infinite classes of TWOOA(k, t^w, n; w, t^k, m) with w = 2 meeting the upper bounds described in Theorem 5.4 were constructed by Wu and Zhu [13]. In this section, we generalize Wu and Zhu's idea to work for all values of 2 ≤ w ≤ m. We present a direct construction and a product construction for TWOOA(k, t^w, n; w, t^k, m). Consequently, for all values of 2 ≤ w ≤ m, we obtain many new infinite classes of TWOOA(k, t^w, n; w, t^k, m) meeting the upper bounds described in Theorem 5.4.

To construct TWOOA(k, t^w, n; w, t^k, m) directly, the notion of an (n, i, q)-set will be used. Let q be a prime power. A set of n vectors in V_i(GF(q)) is called an (n, i, q)-set if any i of them are linearly independent. For any pair (i, q), the largest integer n such that an (n, i, q)-set exists is denoted by m(i, q).

Lemma 6.1 ([6, 4]) The value of m(i, q) is determined in the following cases:
(1) m(2, q) = q + 1;
(2) m(3, q) = q + 1 for q odd, and m(3, q) = q + 2 for q even;
(3) m(i, q) = i + 1 for i ≥ q.

Lemma 6.2 ([13]) If q > 4 is a prime power, then there exists a (q + 1, i, q)-set for any i, 3 < i < q.

We use a q^{wk}-set S to index the rows of a TWOOA(k, q^w, n; w, q^k, m), where

$$S = \left\{ \begin{pmatrix} a_{11} & a_{12} & \cdots & a_{1w} \\ a_{21} & a_{22} & \cdots & a_{2w} \\ \vdots & \vdots & & \vdots \\ a_{k1} & a_{k2} & \cdots & a_{kw} \end{pmatrix} : a_{ij} \in GF(q),\ 1 \le i \le k,\ 1 \le j \le w \right\}.$$

For the first OA of this TWOOA, we use an (m(k, q), k, q)-set to index its columns. Similarly, for the second OA of this TWOOA, we use an (m(w, q), w, q)-set to index its columns. Let R_1 be an (m(k, q), k, q)-set in a row vector space, and R_2 an (m(w, q), w, q)-set in a column vector space. Define two arrays L_1 = (a_{Mr}) and L_2 = (b_{Mc}) as follows:

L_1: the entry at (M, r) is rM, a row vector of length w,
L_2: the entry at (M, c) is Mc, a column vector of length k,

where M ∈ S, r ∈ R_1, c ∈ R_2.

Lemma 6.3 L_1 is an OA(k, q^w, m(k, q)).

Proof We need only to prove that for any given k row vectors r_{j_i} = (x_{j_i 1}, …, x_{j_i k}) ∈ R_1, 1 ≤ j_i ≤ m(k, q), 1 ≤ i ≤ k, and for any given ((e_{11}, e_{12}, …, e_{1w}), (e_{21}, e_{22}, …, e_{2w}), …, (e_{k1}, e_{k2}, …, e_{kw})) ∈ (GF(q) × ⋯ × GF(q))^k, there exists exactly one M ∈ S such that

r_{j_1} M = (e_{11}, e_{12}, …, e_{1w}),
r_{j_2} M = (e_{21}, e_{22}, …, e_{2w}),
⋮
r_{j_k} M = (e_{k1}, e_{k2}, …, e_{kw}).    (1)

Let

$$X = \begin{pmatrix} r_{j_1} \\ \vdots \\ r_{j_k} \end{pmatrix}, \qquad Y = \begin{pmatrix} e_{11} & e_{12} & \cdots & e_{1w} \\ e_{21} & e_{22} & \cdots & e_{2w} \\ \vdots & \vdots & & \vdots \\ e_{k1} & e_{k2} & \cdots & e_{kw} \end{pmatrix}.$$

Then the system of equations (1) is equivalent to the following matrix equation:

XM = Y.    (2)

Since the row vectors r_{j_1}, …, r_{j_k} are taken from an (m(k, q), k, q)-set R_1, they are linearly independent, which means that X^{−1} exists. Thus, M = X^{−1} Y is uniquely determined. This completes the proof.

Similarly, we can prove the following result.

Lemma 6.4 L_2 is an OA(w, q^k, m(w, q)).

Now we show that L_1 = (a_{Mr}) is in fact friendly with any u, 1 ≤ u ≤ w − 1, columns of L_2 = (b_{Mc}). For convenience, for any given c_i = (y_{1i}, y_{2i}, …, y_{wi})^T ∈ R_2 and for any given v_i = (f_{1i}, f_{2i}, …, f_{ki})^T ∈ GF(q)^k, where 1 ≤ i ≤ u, define R(c_1, …, c_u; v_1, …, v_u) = {M ∈ S : b_{Mc_i} = v_i, 1 ≤ i ≤ u}. Since L_2 is an OA(w, q^k, m(w, q)), it is clear that |R(c_1, …, c_u; v_1, …, v_u)| = q^{k(w−u)}.

Lemma 6.5 L_1 is friendly with any u, 1 ≤ u ≤ w − 1, columns of L_2.

Proof For any given u such that 1 ≤ u ≤ w − 1, for any given c_i = (y_{1i}, y_{2i}, …, y_{wi})^T ∈ R_2, v_i = (f_{1i}, f_{2i}, …, f_{ki})^T, 1 ≤ i ≤ u, and for any given r = (x_1, …, x_k) ∈ R_1, let Q be the collection of elements a_{Mr} where M ∈ R(c_1, …, c_u; v_1, …, v_u). Since |R(c_1, …, c_u; v_1, …, v_u)| = q^{k(w−u)}, from the definition of friendship we need only to prove that every element in Q occurs exactly q^{(k−1)(w−u)} times. For any v_0 = (e_1, e_2, …, e_w) ∈ Q, define D_{v_0} = {M ∈ S : M ∈ R(c_1, …, c_u; v_1, …, v_u), a_{Mr} = v_0}. We need only to prove that |D_{v_0}| = q^{(k−1)(w−u)} holds for any v_0 ∈ Q. From D_{v_0}, we have rM = v_0 and Mc_i = v_i for 1 ≤ i ≤ u, which are equivalent to the following system of equations in the unknowns a_{11}, …, a_{k1}, a_{12}, …, a_{k2}, …, a_{1w}, …, a_{kw}:

x_1 a_{11} + x_2 a_{21} + ⋯ + x_k a_{k1} = e_1,
⋮
x_1 a_{1w} + x_2 a_{2w} + ⋯ + x_k a_{kw} = e_w,
y_{11} a_{11} + y_{21} a_{12} + ⋯ + y_{w1} a_{1w} = f_{11},
⋮
y_{11} a_{k1} + y_{21} a_{k2} + ⋯ + y_{w1} a_{kw} = f_{k1},
⋮
y_{1u} a_{11} + y_{2u} a_{12} + ⋯ + y_{wu} a_{1w} = f_{1u},
⋮
y_{1u} a_{k1} + y_{2u} a_{k2} + ⋯ + y_{wu} a_{kw} = f_{ku}.    (3)

Let P = (a_{11}, …, a_{1w}, a_{21}, …, a_{2w}, …, a_{k1}, …, a_{kw})^T and Y = (e_1, …, e_w, f_{11}, …, f_{k1}, …, f_{1u}, …, f_{ku})^T, and let G be the (w + ku) × kw coefficient matrix of (3) with respect to P. Writing c_i^T = (y_{1i}, …, y_{wi}) and I_w for the w × w identity matrix, G has the block form

$$G = \begin{pmatrix} x_1 I_w & x_2 I_w & \cdots & x_k I_w \\ c_1^T & 0 & \cdots & 0 \\ 0 & c_1^T & \cdots & 0 \\ \vdots & \vdots & \ddots & \vdots \\ 0 & 0 & \cdots & c_1^T \\ \vdots & \vdots & & \vdots \\ c_u^T & 0 & \cdots & 0 \\ 0 & c_u^T & \cdots & 0 \\ \vdots & \vdots & \ddots & \vdots \\ 0 & 0 & \cdots & c_u^T \end{pmatrix}.$$

Then the system of equations (3) can be rewritten as follows:

GP = Y.    (4)

Since r = (x_1, …, x_k) ∈ R_1 cannot be an all-zero vector, without loss of generality we may assume that x_1 ≠ 0. Then the row vectors (y_{1i}, …, y_{wi}), 1 ≤ i ≤ u, in the first w columns of G can be canceled by elementary row transformations using the first w rows. The resultant matrix G′ can further be changed by elementary row transformations into a matrix G″ in which, for each i, the k rows belonging to c_i are replaced by the k − 1 rows carrying c_i^T in the blocks 2, …, k and one all-zero row, so that the last u rows of G″ are zero. Suppose Y is changed into Y′ = (y′_1, …, y′_{w+ku})^T by the same elementary row transformations. Then the matrix equation (4) and the following matrix equation have the same solutions:

G″P = Y′.    (5)

If y′_j ≠ 0 for some w + (k − 1)u + 1 ≤ j ≤ w + ku, then (5) has no solution, which forces (4) to have no solution, a contradiction. Since x_1 ≠ 0, and the u vectors c_i, 1 ≤ i ≤ u, are taken from an (m(w, q), w, q)-set R_2 so that they are linearly independent, we know that rank(G″) = w + (k − 1)u. Hence (5) has q^{wk − (w + (k−1)u)} = q^{(k−1)(w−u)} solutions. This completes the proof.
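The direct construction of this section for k = w = 2, where R_1 and R_2 are (q + 1, 2, q)-sets, used as the A-code of Theorem 4.1 (Section 4), with the spoofing probabilities P_{d_0} and P_{d_1} of the Introduction computed by exhaustive search over a uniformly chosen transmitter key. This is an added example and not code from the paper; it assumes q prime so that GF(q) is integer arithmetic mod q, and it follows the paper's acceptance rule (a receiver accepts (s, a) if some transmitter key yields both its own key and a).

```python
from itertools import product, combinations
from fractions import Fraction


def two_independent_set(q):
    """A (q+1, 2, q)-set over GF(q), q prime: any two of these vectors are
    linearly independent, and q+1 = m(2, q) by Lemma 6.1.  Used both as R_1
    (row vectors) and as R_2 (column vectors)."""
    return [(1, a) for a in range(q)] + [(0, 1)]


def direct_twooa(q, k, w, R1, R2):
    """Direct construction: rows are indexed by the k x w matrices M over GF(q);
    the (M, r) entry of L1 is the row vector rM, the (M, c) entry of L2 is Mc."""
    L1, L2 = [], []
    for flat in product(range(q), repeat=k * w):
        M = [flat[i * w:(i + 1) * w] for i in range(k)]
        L1.append(tuple(tuple(sum(r[i] * M[i][j] for i in range(k)) % q
                              for j in range(w)) for r in R1))
        L2.append(tuple(tuple(sum(M[i][j] * c[j] for j in range(w)) % q
                              for i in range(k)) for c in R2))
    return L1, L2


class TwooaCode:
    """A-code of Theorem 4.1: the transmitter key e_T is a row index, receiver
    R_j's key is the (e_T, j) entry of L1, and the authenticator of source
    state s is the (e_T, s) entry of L2."""

    def __init__(self, L1, L2):
        self.L1, self.L2 = L1, L2
        self.n, self.m = len(L1[0]), len(L2[0])
        # accept[j][e_j]: every (s, a) that some transmitter key yields together with e_j
        self.accept = [{} for _ in range(self.n)]
        for row1, row2 in zip(L1, L2):
            for j in range(self.n):
                acc = self.accept[j].setdefault(row1[j], set())
                acc.update((s, row2[s]) for s in range(self.m))

    def receiver_key(self, eT, j):
        return self.L1[eT][j]

    def authenticate(self, eT, s):
        return (s, self.L2[eT][s])

    def accepts(self, j, ej, msg):
        return msg in self.accept[j][ej]

    def spoofing_probability(self, u, k):
        """P_{d_u} for a coalition of k-1 receivers that has seen u messages,
        e_T uniform: maximum over the target receiver, the coalition, the actual
        key, the observed source states and every forged message the coalition's
        own keys accept, of Pr(target accepts | what the coalition knows)."""
        keys = range(len(self.L1))
        authenticators = {a for row in self.L2 for a in row}
        best = Fraction(0)
        for i in range(self.n):
            for R in combinations([j for j in range(self.n) if j != i], k - 1):
                for eT0 in keys:
                    coal = {j: self.receiver_key(eT0, j) for j in R}
                    for seen in combinations(range(self.m), u):
                        observed = [self.authenticate(eT0, s) for s in seen]
                        # transmitter keys consistent with the coalition's keys and observations
                        cons = [e for e in keys
                                if all(self.receiver_key(e, j) == ej for j, ej in coal.items())
                                and all(self.authenticate(e, s) == msg
                                        for s, msg in zip(seen, observed))]
                        for s_new in set(range(self.m)) - set(seen):
                            for a in authenticators:
                                forged = (s_new, a)
                                if not all(self.accepts(j, ej, forged) for j, ej in coal.items()):
                                    continue
                                hits = sum(self.accepts(i, self.receiver_key(e, i), forged)
                                           for e in cons)
                                best = max(best, Fraction(hits, len(cons)))
        return best


def demo(q=3):
    """TWOOA(2, q^2, q+1; 2, q^2, q+1): q+1 receivers and q+1 source states,
    one more of each than the extended DFY scheme allows, with P_d0 = P_d1 = 1/q."""
    R = two_independent_set(q)
    L1, L2 = direct_twooa(q, 2, 2, R, R)
    code = TwooaCode(L1, L2)
    return code, code.spoofing_probability(0, 2), code.spoofing_probability(1, 2)


if __name__ == "__main__":
    code, pd0, pd1 = demo(3)
    print(code.n, "receivers,", code.m, "source states, P_d0 =", pd0, ", P_d1 =", pd1)
```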
Summarizing Lemmas 6.3, 6.4 and 6.5, we obtain the following important result.

Theorem 6.6 For any prime power $q$, there exists a TWOOA$(k, q^w, m(k,q); w, q^k, m(w,q))$.

From Lemma 6.2, we have the following result.

Corollary 6.7 If $q > 4$ is a prime power, then there exists a TWOOA$(k, q^w, q+1; w, q^k, q+1)$ for any $3 < k, w < q$.

Comparing $m(k,q)$ with $B(k,q)$, we see that they are equal when $k = 2, 3$, or $k \ge q$, for any prime power $q$. In other words, the upper bounds can be met in these cases. Besides the three infinite classes of TWOOAs in [13, Corollary 3.8] corresponding to $w = 2$, we also have the following new ones.

Corollary 6.8 For any prime power $q$, there exists a TWOOA$(k, q^w, n; w, q^k, m)$ meeting the upper bounds on $n$ and $m$ if $k = 2, 3$ or $k \ge q$, and $w = 3$ or $w \ge q$. That is, we have the following infinite classes:
(1) a TWOOA$(2, q^3, q+1; 3, q^2, q+2)$ for $q$ even and a TWOOA$(2, q^3, q+1; 3, q^2, q+1)$ for $q$ odd;
(2) a TWOOA$(3, q^3, q+2; 3, q^3, q+2)$ for $q$ even and a TWOOA$(3, q^3, q+1; 3, q^3, q+1)$ for $q$ odd;
(3) a TWOOA$(k, q^3, k+1; 3, q^k, q+2)$ for $k \ge q$ where $q$ is even and a TWOOA$(k, q^3, k+1; 3, q^k, q+1)$ for $k \ge q$ where $q$ is odd;
(4) a TWOOA$(2, q^w, q+1; w, q^2, w+1)$ for $w \ge q$;
(5) a TWOOA$(3, q^w, q+2; w, q^3, w+1)$ for $w \ge q$ where $q$ is even and a TWOOA$(3, q^w, q+1; w, q^3, w+1)$ for $w \ge q$ where $q$ is odd;
(6) a TWOOA$(k, q^w, k+1; w, q^k, w+1)$ for $k, w \ge q$.

In the remainder of this section, we present a product construction for TWOOAs. Suppose that the pair $(A_1, B_1)$ is a TWOOA$(k, t^w, n; w, t^k, m)$, where $A_1 = (a^{(1)}_{ij})$ is an OA$(k, t^w, n)$ based on a $t^w$-set $U_1$ and $B_1 = (b^{(1)}_{ih})$ is an OA$(w, t^k, m)$ based on a $t^k$-set $V_1$, $0 \le i \le t^{wk}-1$, $1 \le j \le n$, $1 \le h \le m$. Suppose that the pair $(A_2, B_2)$ is a TWOOA$(k, s^w, n; w, s^k, m)$, where $A_2 = (a^{(2)}_{i'j})$ is an OA$(k, s^w, n)$ based on an $s^w$-set $U_2$ and $B_2 = (b^{(2)}_{i'h})$ is an OA$(w, s^k, m)$ based on an $s^k$-set $V_2$, $0 \le i' \le s^{wk}-1$, $1 \le j \le n$, $1 \le h \le m$. Define $L_1 = (l^{(1)}_{ej})$ and $L_2 = (l^{(2)}_{eh})$ as follows: for $0 \le e \le (ts)^{wk}-1$, $1 \le j \le n$, $1 \le h \le m$, write $e = i + i' t^{wk}$, where $0 \le i \le t^{wk}-1$ and $0 \le i' \le s^{wk}-1$, and let
$$l^{(1)}_{ej} = (a^{(1)}_{ij}, a^{(2)}_{i'j}), \qquad l^{(2)}_{eh} = (b^{(1)}_{ih}, b^{(2)}_{i'h}).$$

Lemma 6.9 $L_1$ is an OA$(k, (ts)^w, n)$ based on the $(ts)^w$-set $U_1 \times U_2$, and $L_2$ is an OA$(w, (ts)^k, m)$ based on the $(ts)^k$-set $V_1 \times V_2$.

Proof We show that $L_1$ is an OA$(k, (ts)^w, n)$; for $L_2$ the proof is similar. For any $k$ different columns $j_1, \dots, j_k$ of $L_1$ and any $((x_1, y_1), \dots, (x_k, y_k)) \in (U_1 \times U_2)^k$, we need only show that there exists exactly one $e$, $0 \le e \le (ts)^{wk}-1$, such that $l^{(1)}_{ej_1} = (x_1, y_1), \dots, l^{(1)}_{ej_k} = (x_k, y_k)$. From these $k$ equations, we have $a^{(1)}_{ij_1} = x_1, \dots, a^{(1)}_{ij_k} = x_k$ and $a^{(2)}_{i'j_1} = y_1, \dots, a^{(2)}_{i'j_k} = y_k$, where $e = i + i' t^{wk}$. Since both $A_1$ and $A_2$ are orthogonal arrays of strength $k$, there exist exactly one such $i$, $0 \le i \le t^{wk}-1$, and exactly one such $i'$, $0 \le i' \le s^{wk}-1$. Thus $e$, $0 \le e \le (ts)^{wk}-1$, is uniquely determined.

Lemma 6.10 $L_1$ is friendly with any $u$, $1 \le u \le w-1$, columns of $L_2$.

Proof Take arbitrarily fixed $u$, $1 \le u \le w-1$, columns $b_{h_1}, \dots, b_{h_u}$ of $L_2$. Let $Q$ be the collection of row vectors of the $(ts)^{wk} \times u$ sub-array of $L_2$ consisting of these $u$ columns. For any arbitrarily fixed $(\beta_1, \dots, \beta_u) \in Q$, define
$$E = \{e : (l^{(2)}_{eh_1}, \dots, l^{(2)}_{eh_u}) = (\beta_1, \dots, \beta_u),\ 0 \le e \le (ts)^{wk}-1\}.$$
Since $L_2$ is an OA$(w, (ts)^k, m)$, we have $|E| = (ts)^{k(w-u)}$. Take the $j$-th column $c_j$ of $L_1$, and $\alpha = l^{(1)}_{ej} \in c_j$ where $e \in E$. Let
$$E' = \{e : l^{(1)}_{ej} = \alpha,\ 0 \le e \le (ts)^{wk}-1\}.$$
We need only show that $|E \cap E'| = (ts)^{(k-1)(w-u)}$. In other words, we need only show that there exist exactly $(ts)^{(k-1)(w-u)}$ values of $e$ such that $l^{(1)}_{ej} = \alpha$ and $l^{(2)}_{eh_g} = \beta_g$ for $1 \le g \le u$. Suppose $\alpha = (x_1, x_2)$ and $\beta_g = (y_{1g}, y_{2g})$, $1 \le g \le u$. Then we have the following two systems of equations:
$$x_1 = a^{(1)}_{ij},\quad y_{1g} = b^{(1)}_{ih_g},\ 1 \le g \le u; \qquad\qquad x_2 = a^{(2)}_{i'j},\quad y_{2g} = b^{(2)}_{i'h_g},\ 1 \le g \le u,$$
where $e = i + i' t^{wk}$. Since $(A_1, B_1)$ is a TWOOA$(k, t^w, n; w, t^k, m)$, there exist exactly $t^{(k-1)(w-u)}$ such $i$ from the first system of equations. Also, $(A_2, B_2)$ is a TWOOA$(k, s^w, n; w, s^k, m)$, so from the second system of equations there exist exactly $s^{(k-1)(w-u)}$ such $i'$. Thus there exist exactly $(ts)^{(k-1)(w-u)}$ such $e$. This completes the proof.
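As an added worked example (this is not code from the paper), the following Python builds the arrays $L_1 = (a_{Mr})$ and $L_2 = (b_{Mc})$ of this section over the prime fields GF(2) and GF(3) for the constructed choice $k = w = 2$ and $R_1 = R_2 = \{(1,0), (0,1), (1,1)\}$ (any two of these vectors are linearly independent over both fields, and $n = m = 3$ is chosen so that both instances share the same $n$ and $m$, as the product construction requires). It checks Lemmas 6.3 to 6.5 exhaustively (orthogonal-array strength of $L_1$ and $L_2$, friendship with $u = 1$ column), then forms the product of Lemmas 6.9 and 6.10 and verifies that it is a TWOOA$(2, 6^2, 3; 2, 6^2, 3)$. Arithmetic is taken modulo a prime, so the example covers prime $q$ only. The function `receiver_accepts` encodes the identity $(rM)c = r(Mc)$, which is my assumed reading of how a receiver holding an $L_1$ entry checks an $L_2$ entry as an authenticator; this section itself only proves the array properties.

```python
"""Added example (not from the paper): builds the pair L_1 = (rM), L_2 = (Mc) of
Section 6 over a prime field GF(p) with constructed parameters, checks the
orthogonal-array and friendship properties, and then applies the product
construction of Lemmas 6.9-6.10 to the GF(2) and GF(3) instances."""
from itertools import product, combinations
from collections import Counter


def vec_mat(r, M, p):
    """Row vector r (length k) times k x w matrix M over GF(p): the entry a_{Mr} of L_1."""
    k, w = len(M), len(M[0])
    return tuple(sum(r[i] * M[i][j] for i in range(k)) % p for j in range(w))


def mat_vec(M, c, p):
    """k x w matrix M times column vector c (length w) over GF(p): the entry b_{Mc} of L_2."""
    return tuple(sum(M[i][j] * c[j] for j in range(len(c))) % p for i in range(len(M)))


def build_twooa(p, k, w, R1, R2):
    """Rows are indexed by all k x w matrices M over GF(p); the column sets R1 (k-vectors)
    and R2 (w-vectors) must have any k, respectively any w, members linearly independent."""
    L1, L2 = [], []
    for entries in product(range(p), repeat=k * w):
        M = [entries[i * w:(i + 1) * w] for i in range(k)]
        L1.append(tuple(vec_mat(r, M, p) for r in R1))
        L2.append(tuple(mat_vec(M, c, p) for c in R2))
    return L1, L2


def is_oa(L, t, nsym):
    """Strength-t orthogonal array on nsym symbols: every t-tuple of symbols occurs
    the same number of times in every choice of t columns."""
    expected, rem = divmod(len(L), nsym ** t)
    if rem:
        return False
    for cols in combinations(range(len(L[0])), t):
        cnt = Counter(tuple(row[c] for c in cols) for row in L)
        if len(cnt) != nsym ** t or any(v != expected for v in cnt.values()):
            return False
    return True


def is_friendly(L1, L2, u, lam):
    """Friendship of L1 with any u columns of L2: among the rows on which those u columns
    carry a fixed u-tuple, every symbol that appears in a column of L1 appears lam times."""
    for cols in combinations(range(len(L2[0])), u):
        groups = {}
        for row1, row2 in zip(L1, L2):
            groups.setdefault(tuple(row2[c] for c in cols), []).append(row1)
        for rows in groups.values():
            for j in range(len(L1[0])):
                if any(v != lam for v in Counter(r[j] for r in rows).values()):
                    return False
    return True


def product_twooa(L1a, L2a, L1b, L2b):
    """Lemma 6.9: row e = i + i' * (number of rows of the first pair) carries the ordered
    pairs (entry of row i in the first array, entry of row i' in the second array)."""
    P1 = [tuple(zip(ra, rb)) for rb in L1b for ra in L1a]
    P2 = [tuple(zip(ra, rb)) for rb in L2b for ra in L2a]
    return P1, P2


def receiver_accepts(p, r, receiver_key, c, tag):
    """Assumed use of the two arrays (not spelled out in this section): a receiver holding
    the public index r and the L_1 entry rM accepts tag Mc for source state c exactly when
    (rM)c = r(Mc) in GF(p)."""
    lhs = sum(a * b for a, b in zip(receiver_key, c)) % p
    rhs = sum(a * b for a, b in zip(r, tag)) % p
    return lhs == rhs


def run_checks():
    """Constructed parameters: k = w = 2 and n = m = 3 columns, with the same column set for
    both arrays and both fields (any two of these vectors are independent over GF(2) and GF(3))."""
    R = [(1, 0), (0, 1), (1, 1)]
    results, arrays = {}, {}
    for p in (2, 3):
        L1, L2 = build_twooa(p, 2, 2, R, R)
        lam = p ** ((2 - 1) * (2 - 1))          # q^((k-1)(w-u)) with u = 1
        results[p] = (is_oa(L1, 2, p ** 2), is_oa(L2, 2, p ** 2), is_friendly(L1, L2, 1, lam))
        arrays[p] = (L1, L2)
    P1, P2 = product_twooa(*arrays[2], *arrays[3])    # TWOOA(2, 6^2, 3; 2, 6^2, 3)
    results["product"] = (is_oa(P1, 2, 36), is_oa(P2, 2, 36), is_friendly(P1, P2, 1, 6))
    return results


if __name__ == "__main__":
    for name, ok in run_checks().items():
        print(name, "OA(L1), OA(L2), friendly:", ok)
```

The friendship check is the property that matters for security: fixing what one source state's authenticator looks like ($u$ columns of $L_2$) must leave every possible value of any single receiver's key ($a_{Mr}$) equally likely, and `is_friendly` enforces the exact count $q^{(k-1)(w-u)}$ rather than merely uniformity. For the product, the check confirms the count $(ts)^{(k-1)(w-u)} = 6$ that Lemma 6.10 predicts.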
Theorem 6.11 (Product Construction) If there exist both a TWOOA$(k, t^w, n; w, t^k, m)$ and a TWOOA$(k, s^w, n; w, s^k, m)$, then there exists a TWOOA$(k, (ts)^w, n; w, (ts)^k, m)$.

Proof The conclusion follows from Lemmas 6.9 and 6.10 and the definition of a TWOOA.

Applying Theorem 6.11 to Corollary 6.8, we can obtain more infinite classes of TWOOAs for all values of $2 \le w \le m$. We omit the details here since they are routine and space-consuming.

7 Concluding Remarks

In this paper, we generalized the notion of a TWOOA due to Kurosawa and Obana [5, 8], and then used the generalized TWOOAs to construct many infinite classes of unconditionally secure multi-receiver multi-message A-codes. Our unconditionally secure multi-receiver multi-message A-codes exceed Safavi-Naini and Wang's at least in the numbers of receivers and source states. For example, for an arbitrarily fixed prime $q$, in Safavi-Naini and Wang's A-code the maximum numbers of receivers and source states are both $q$, while in our A-code the maximum numbers of receivers and source states are $m(k,q)$ and $m(w,q)$, respectively, which are greater than $q$ in many cases. We conjecture that most of the newly obtained infinite classes of unconditionally secure multi-receiver multi-message A-codes are optimum in the sense of the deception probabilities, the sizes of keys, and the numbers of receivers and source states. Keeping the numbers of receivers and source states in mind, we immediately see that Kurosawa and Obana's definition of optimality [8] is not adequate.

Acknowledgement A portion of this research was carried out while the last author was visiting the University of Tsukuba. He wishes to express his gratitude to the Graduate School of Systems and Information Engineering for their hospitality.

References

[1] C. J. Colbourn and J. H. Dinitz (eds.), The CRC Handbook of Combinatorial Designs, CRC Press, Boca Raton, 1996.
[2] Y. Desmedt, Y. Frankel and M. Yung, Multi-receiver/multi-sender network security: efficient authenticated multicast/feedback, IEEE Infocom '92 (1992).
[3] E. N. Gilbert, F. J. MacWilliams and N. J. A. Sloane, Codes which detect deception, Bell System Tech. J. 53 (1974).
[4] J. W. P. Hirschfeld, Maximum sets in finite projective spaces, Surveys in Combinatorics, London Math. Soc. Lecture Note Ser. 82 (1983).
[5] K. Kurosawa and S. Obana, Characterization of (k, n) multi-receiver authentication, ACISP '97, LNCS 1270, Springer (1997).
[6] F. J. MacWilliams and N. J. A. Sloane, The Theory of Error-Correcting Codes, Part I, North-Holland, Amsterdam, 1977.
[7] J. L. Massey, Cryptography: a selective survey, Digital Communications, North-Holland (1986), 3-21.
[8] S. Obana and K. Kurosawa, Bounds and combinatorial structure of (k, n) multi-receiver A-codes, Des. Codes Cryptography 22 (2001).
[9] R. Safavi-Naini and H. Wang, New results on multi-receiver authentication codes, EUROCRYPT '98, LNCS 1403, Springer (1998).
[10] R. Safavi-Naini and H. Wang, Multireceiver authentication codes: models, bounds, constructions, and extensions, Inform. and Comput. 151 (1999).
[11] G. J. Simmons, Authentication theory/coding theory, CRYPTO '84, LNCS 196, Springer (1985).
[12] D. R. Stinson, The combinatorics of authentication and secrecy codes, J. Cryptology 2 (1990).
[13] D. Wu and L. Zhu, Bounds and constructions for TWOOAs, Discrete Math. 238 (2001).
More informationLecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography
CS 7880 Graduate Cryptography September 10, 2015 Lecture 1: Perfect Secrecy and Statistical Authentication Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Definition of perfect secrecy One-time
More informationMATH 433 Applied Algebra Lecture 21: Linear codes (continued). Classification of groups.
MATH 433 Applied Algebra Lecture 21: Linear codes (continued). Classification of groups. Binary codes Let us assume that a message to be transmitted is in binary form. That is, it is a word in the alphabet
More informationBenes and Butterfly schemes revisited
Benes and Butterfly schemes revisited Jacques Patarin, Audrey Montreuil Université de Versailles 45 avenue des Etats-Unis 78035 Versailles Cedex - France Abstract In [1], W. Aiello and R. Venkatesan have
More informationCryptanalysis of a Message Authentication Code due to Cary and Venkatesan
Cryptanalysis of a Message Authentication Code due to Cary and Venkatesan Simon R. Blackburn and Kenneth G. Paterson Department of Mathematics Royal Holloway, University of London Egham, Surrey, TW20 0EX,
More informationOn Systems of Diagonal Forms II
On Systems of Diagonal Forms II Michael P Knapp 1 Introduction In a recent paper [8], we considered the system F of homogeneous additive forms F 1 (x) = a 11 x k 1 1 + + a 1s x k 1 s F R (x) = a R1 x k
More information