A TWOOA Construction for Multi-Receiver Multi-Message Authentication Codes


R. Fuji-Hara, Graduate School of Systems and Information Engineering, University of Tsukuba, Tsukuba, Japan
X. Li, Department of Mathematics, Guangxi Normal University, Guilin, China
Y. Miao, Graduate School of Systems and Information Engineering, University of Tsukuba, Tsukuba, Japan
D. Wu, Department of Mathematics, Guangxi Normal University, Guilin, China

In Memory of Professor Jacobus Hendricus van Lint

Abstract

A $(k, n; w)$ multi-receiver multi-message authentication code allows a transmitter to broadcast up to $w-1$ different authenticated messages to $n$ receivers in such a way that (1) neither an opponent nor any coalition of up to $k-1$ receivers can cheat any other receiver, and (2) all the receivers can independently verify the authenticity of the messages. Obana and Kurosawa (Designs, Codes and Cryptography 22 (2001), 47-63) used a special pair of orthogonal arrays, called a TWOOA, to construct a $(k, n; 2)$ multi-receiver single-message authentication code. In this paper, we generalize the notion of a TWOOA, and then use this generalized TWOOA to construct a $(k, n; w)$ multi-receiver multi-message authentication code, which exceeds that of Safavi-Naini and Wang (Proc. of Eurocrypt 98, LNCS 1403, Springer (1998), ) at least in the numbers of receivers and authenticated messages. The structures of TWOOAs are investigated. Two constructions for TWOOAs are also provided.

Corresponding author. Research supported in part by Guangxi Science Foundation and the Education Department of Guangxi Province.

Keywords: Authentication code, multi-message, multi-receiver, TWOOA

1 Introduction

The notion of an authentication code (A-code) was invented by Gilbert, MacWilliams and Sloane [3] in 1974, and the game-theoretic model of an A-code was developed by Simmons [11] in 1984. A conventional A-code involves three active parties: a transmitter $T$, a receiver $R$, and an opponent $O$. The transmitter $T$ transmits messages to the receiver $R$ using a public communication channel. The opponent $O$ has access to this channel and can interfere with the contents of cryptograms transmitted via this channel. In Simmons' model, the transmitter $T$ and the receiver $R$ share a common encoding rule (or key) $e$ belonging to some key space $E$, and are both assumed honest. Given a source state (or plaintext) $s$ from some source state space $S$, the transmitter $T$ computes an authenticated message $m = f(e, s) \in M$, where $f$ is an authentication function and $M$ is the message space, and then sends $m \in M$ to the receiver $R$. The receiver $R$ can verify its authenticity using his/her knowledge of the key $e \in E$ shared with the transmitter $T$. An A-code $C$ can be represented by a quadruple $(S, M, E, f)$ where $S$ is a source state space, $M$ is a message space, $E$ is a key space, and $f$ is a mapping from $E \times S$ to $M$ such that $f(e, s) = m$ and $f(e, s') = m$ imply $s = s'$. In a systematic Cartesian A-code, the authenticated message $m \in M$ corresponding to a source state $s \in S$ using $e \in E$ is the concatenation $m = (s, a)$ of the source state $s \in S$ and an authenticator $a \in A$, that is, $M = S \times A$, where $A$ is the authenticator space. The receiver $R$ will detect a fraudulent message $(s, a) \in M$ if the authenticator that he/she calculates for $s \in S$ using his/her key $e \in E$ shared with the transmitter $T$ is different from the received authenticator $a \in A$. We will mainly investigate systematic Cartesian A-codes in this paper.

The notion of a conventional A-code can be easily generalized (see, for example, [12]) to the case where the key $e \in E$ can be used to encrypt up to $w-1$ consecutive different source states, where $w \ge 2$ is some fixed integer. That is, for $u$, $1 \le u \le w-1$, consecutive different source states $s_1, \ldots, s_u \in S$, the transmitter $T$ computes their corresponding messages $m_1, \ldots, m_u \in M$, where $m_j = f(e, s_j)$, $1 \le j \le u$, and then sends $m_1, \ldots, m_u$ to the receiver $R$ through a public communication channel. We ignore the order in which the messages are sent through the channel, and the order in which the corresponding source states occur. We use $(\binom{S}{w-1}, \binom{M}{w-1}, E, f)$ to denote such a multi-message A-code, where $\binom{N}{n}$ denotes the set of all subsets of $N$ with cardinality less than or equal to $n$.

The notion of a multi-receiver A-code was introduced by Desmedt, Frankel and Yung [2] as another generalization of that of a conventional A-code. In a $(k, n)$ multi-receiver A-code, there are $n+2$ parties altogether: a transmitter $T$, $n$ receivers $R_1, \ldots, R_n$, and an opponent $O$. The transmitter $T$ has a key $e_T \in E_T$ and each receiver $R_i$ has a key $e_i \in E_i$, $1 \le i \le n$. For a source state $s \in S$, the transmitter $T$ computes a message $m = f(e_T, s) \in M$, and then sends $m \in M$ to the receivers through a public communication channel. Each receiver $R_i$ accepts or rejects $m$ by verifying $m$ according to $e_i \in E_i$. It is assumed that at most $k-1$ receivers are malicious and may collude with the opponent $O$ to cheat other receivers. We should note that in Desmedt, Frankel and Yung's model of a multi-receiver A-code, the security analysis is only for a single message transmission, and for a second message no protection is guaranteed. To provide protection for the transmission of multiple messages, we need to further generalize the above two generalizations to a $(k, n; w)$ multi-receiver multi-message A-code in the following way.

Let $C_T = (\binom{S}{w-1}, \binom{M}{w-1}, E_T, f_T)$ and $C_i = (\binom{S}{w-1}, \binom{M_i}{w-1}, E_i, f_i)$, $i = 1, 2, \ldots, n$, be multi-message A-codes. We say that $(C_T; C_1, \ldots, C_n)$ is a $(k, n; w)$ multi-receiver multi-message A-code $(\binom{S}{w-1}, \binom{M}{w-1}, E_T, E_1, \ldots, E_n, f_T, f_1, \ldots, f_n)$ if the following two conditions are satisfied.

(C1) There are at most $k-1$ malicious receivers.

(C2) There exist two mappings $\tau : E_T \to E_1 \times \cdots \times E_n$ and $\pi : \binom{M}{w-1} \to \binom{M_1}{w-1} \times \cdots \times \binom{M_n}{w-1}$ such that for any $(e_T, \{s_1, \ldots, s_u\}) \in E_T \times \binom{S}{w-1}$, $1 \le u \le w-1$, and any $1 \le i \le n$,
$$p_i(\pi f_T(e_T, \{s_1, \ldots, s_u\})) = f_i (p_i \tau \times \mathrm{Id})(e_T, \{s_1, \ldots, s_u\}),$$
where $(p_i \tau \times \mathrm{Id})$ is defined by $(p_i \tau \times \mathrm{Id})(e_T, \{s_1, \ldots, s_u\}) = (p_i \tau(e_T), \mathrm{Id}(\{s_1, \ldots, s_u\})) = (e_i, \{s_1, \ldots, s_u\})$.

Let $\pi_i = p_i \pi$ and $\tau_i = p_i \tau$. Then we have $\pi_i f_T(e_T, \{s_1, \ldots, s_u\}) = f_i (\tau_i \times \mathrm{Id})(e_T, \{s_1, \ldots, s_u\})$ for any $(e_T, \{s_1, \ldots, s_u\}) \in E_T \times \binom{S}{w-1}$. We assume that for each $i$ the mappings $\tau_i : E_T \to E_i$ and $\pi_i : \binom{M}{w-1} \to \binom{M_i}{w-1}$ are surjective. We also assume that for each $C_i$ the probability distribution on the source states of $C_i$ is the same as that in $C_T$, and the probability distribution on $E_i$ is derived from that of $E_T$ and the mapping $\tau_i$. Each receiver $R_i$ accepts or rejects $m_j$ by verifying $m_j$ individually according to $e_i \in E_i$. We also adopt Kerckhoffs' principle that everything in the A-code except the actual keys of the transmitter and receivers is public. Malicious receivers can collude with the opponent $O$ to cheat other receivers: after observing $u$, $0 \le u \le w-1$, transmitted different messages authenticated using the same key $e_T$, they insert a new message of their own choosing, hoping to have it accepted by other receivers as authentic. This was termed spoofing of order $u$ by Massey

in [7]. The deception probability $P_{d_u}$, $0 \le u \le w-1$, is the probability that the malicious receivers and the opponent $O$ will succeed in deceiving other receivers with an order $u$ spoofing attack. An order 0 spoofing attack is usually called an impersonation attack, and an order 1 spoofing attack is usually called a substitution attack. We define $P_{d_u}$ of such a $(k, n; w)$ multi-receiver multi-message A-code in the following way. For a set $R = \{R_{i_1}, \ldots, R_{i_j}\}$ of receivers, let $e(R) = \{\{e_{i_1}, \ldots, e_{i_j}\} : e_{i_1} \in E_{i_1}, \ldots, e_{i_j} \in E_{i_j}\}$ denote the set of possible keys of $R$. Let $C_{R_i} = \{R : R \subseteq \{R_1, \ldots, R_n\} \setminus \{R_i\},\ 0 \le |R| \le k-1\}$ denote the family of sets of at most $k-1$ receivers who may try to cheat receiver $R_i$. If $R = \emptyset$, we consider that an opponent $O$ tries to cheat receiver $R_i$. Suppose that after observing $u$, $0 \le u \le w-1$, transmitted consecutive different messages $\{m_1, \ldots, m_u\}$ which are authenticated using the same key $e_T \in E_T$, $R \in C_{R_i}$ try to cheat receiver $R_i$ by inserting a new message $m$, where $R$ have $\{e_{i_1}, \ldots, e_{i_j}\}$ as their keys. Their best strategy is to send $m$ such that each key of $\{e_{i_1}, \ldots, e_{i_j}\}$ accepts $m$ and $\Pr(R_i \text{ accepts } m \mid R \text{ have } \{e_{i_1}, \ldots, e_{i_j}\} \text{ accepting } m,\ T \text{ sent } \{m_1, \ldots, m_u\})$ is the maximum possible, for $0 \le u \le w-1$. More precisely, for $0 \le u \le w-1$, the order $u$ spoofing attack probability $P_{d_u}$ of a $(k, n; w)$ multi-receiver multi-message A-code in which the key $e_T \in E_T$ is used to authenticate up to $w-1$ consecutive different source states is defined as follows:
$$P_{d_u} = \max_{R_i}\ \max_{R \in C_{R_i}}\ \max_{\{e_{i_1}, \ldots, e_{i_j}\} \in e(R)}\ \max_{m,\, m_l,\ m \ne m_l,\ l = 1, \ldots, u} \Pr(R_i \text{ accepts } m \mid R \text{ have } \{e_{i_1}, \ldots, e_{i_j}\} \text{ accepting } m,\ T \text{ sent } \{m_1, \ldots, m_u\}),$$
where the source states of $m$ and $\{m_1, \ldots, m_u\}$ are different. In fact, when we compute the deception probabilities $P_{d_u}$, we need only consider coalitions of maximum size, that is, sets of $k-1$ malicious receivers, since they are at least as powerful as any other collusion.

In this paper, we use a combinatorial structure called a TWOOA to construct unconditionally secure multi-receiver multi-message A-codes, that is, for any $1 \le u \le w-1$, the probability that the malicious receivers and the opponent will succeed in deceiving other receivers with an order $u$ spoofing attack is the same as that of random guessing. A TWOOA is a pair of orthogonal arrays satisfying a certain condition described in Section 3. The notion of a TWOOA with the strength of the second orthogonal array being 2 was introduced by Kurosawa and Obana [5, 8], and was used to construct an unconditionally secure multi-receiver single-message A-code. In this paper, we first review Safavi-Naini and

Wang's polynomial construction [9, 10] for multi-receiver multi-message A-codes, then generalize the notion of a TWOOA to the case where the strength of the second orthogonal array can be any integer $w \ge 2$, and then use these generalized TWOOAs to construct multi-receiver multi-message A-codes. The upper bounds on the numbers of columns in a TWOOA are determined. A direct construction and a product construction for TWOOAs are also presented. These constructions give infinite classes of TWOOAs meeting the upper bounds. As an immediate consequence, our multi-receiver multi-message A-codes are better than Safavi-Naini and Wang's in terms of the numbers of receivers and source states.

2 DFY Polynomial Scheme and its Extension

In this section, we briefly review the well-known DFY polynomial scheme due to Desmedt, Frankel and Yung [2], and describe its extension to the multiple-message model due to Safavi-Naini and Wang [9, 10].

In 1992, Desmedt, Frankel and Yung [2] proposed a $(k, n; 2)$ multi-receiver single-message A-code (called the DFY polynomial scheme) as follows. Assume that there are a transmitter $T$, $n$ receivers $R_1, \ldots, R_n$, and an opponent $O$. Let $q \ge n$ be a prime, and let $P_{k-1}[x] = \{a_0 + a_1 x + \cdots + a_{k-1} x^{k-1} : a_i \in GF(q),\ 0 \le i \le k-1\}$. The key for $T$ consists of two random polynomials $P_1(x), P_2(x) \in P_{k-1}[x]$. The key for $R_i$ consists of $(P_1(i), P_2(i)) \in GF(q)^2$. For a source state $s \in GF(q)$, $T$ broadcasts $(s, M_s(x))$ where $M_s(x) = P_1(x) + s P_2(x) \in P_{k-1}[x]$. Each $R_i$ accepts $(s, M_s(x))$ as authentic if and only if $M_s(i) = P_1(i) + s P_2(i)$. It is proved in [2] that in this scheme, the impersonation attack probability $P_{d_0}$ and the substitution attack probability $P_{d_1}$ are both equal to $1/q$, which means that the above DFY polynomial scheme is an unconditionally secure $(k, n; 2)$ multi-receiver single-message A-code.

Six years later, Safavi-Naini and Wang [9, 10] extended the above DFY polynomial scheme to the multi-message model in which each key of $T$ can be used to authenticate consecutive different source states. In their extended scheme, the key for $T$ consists of $w$ random polynomials $P_1(x), \ldots, P_w(x) \in P_{k-1}[x]$, and the key for each $R_i$ consists of $(P_1(x_i), \ldots, P_w(x_i)) \in GF(q)^w$, where $x_i \in GF(q)$ is the public information of $R_i$. For a source state $s \in GF(q)$, $T$ broadcasts $(s, M_s(x))$ where $M_s(x) = P_1(x) + s P_2(x) + \cdots + s^{w-1} P_w(x) \in P_{k-1}[x]$. Each $R_i$ accepts $(s, M_s(x))$ as authentic if and only if $M_s(x_i) = P_1(x_i) + s P_2(x_i) + \cdots + s^{w-1} P_w(x_i)$. It is proved in [9] that this extended scheme is a $(k, n; w)$ multi-receiver multi-message A-code in which every key of $T$ can be used to authenticate up to $w-1$ consecutive different source states. It is also proved in [9] that for $0 \le i \le w-1$, the order $i$ spoofing attack probability $P_{d_i}$ is equal to $1/q$, which means that Safavi-Naini and Wang's extended

DFY polynomial scheme is an unconditionally secure $(k, n; w)$ multi-receiver multi-message A-code. We should emphasize that in Safavi-Naini and Wang's extended DFY polynomial scheme, the numbers of possible receivers and source states are both not greater than $q$.

3 TWOOA: Definition and Preliminary Results

In this section, we introduce the notion of a TWOOA and show some of its elementary properties. We first recall that an orthogonal array $OA_\lambda(k, l, n)$, with strength $k$, is a $\lambda l^k \times n$ array of $l$ symbols such that, in any $k$ columns of the array, every one of the possible $l^k$ $k$-tuples of symbols occurs in exactly $\lambda$ rows of the array. If $\lambda = 1$, this array is usually denoted briefly by $OA(k, l, n)$.

Let $L_1 = (a_{ij})$ be an $OA(k, t^w, n)$. Let $1 \le u \le w-1$, and let $C = (c_{ij})$ be a $t^{wk} \times u$ array of $t^k$ symbols. Let $Q$ be the set of row vectors of $C$. For $\alpha \in Q$, suppose that $C_{i_1} = \cdots = C_{i_h} = \alpha$, where $C_{i_j} = (c_{i_j 1}, \ldots, c_{i_j u})$ is the $i_j$-th row vector of $C$. Define $B(\alpha)$ to be the $h \times n$ sub-array of $L_1$ which consists of the $i_j$-th rows of $L_1$ for $j = 1, \ldots, h$. We say that $L_1$ and $C$ are friendly if every column of $B(\alpha)$ contains exactly $t^{w-u}$ different symbols for any $\alpha \in Q$. Suppose $L_1$ is an $OA(k, t^w, n)$ and $L_2$ is an $OA(w, t^k, m)$. Then $L = L_1 \| L_2$ is said to be a $TWOOA(k, t^w, n; w, t^k, m)$ if $L_1$ and any $t^{wk} \times u$ sub-array, $1 \le u \le w-1$, of $L_2$ are friendly, where $\|$ denotes concatenation.

The notion of a TWOOA with $w = 2$ was first introduced by Kurosawa and Obana [5, 8] to characterize and construct a $(k, n; 2)$ multi-receiver single-message A-code in which the key $e_T$ of $T$ is used to authenticate a single source state. In this paper, we try to use the generalized $TWOOA(k, t^w, n; w, t^k, m)$ to construct a $(k, n; w)$ multi-receiver multi-message A-code in which the key $e_T$ can be used to authenticate up to $w-1$ consecutive different source states. We first show that Safavi-Naini and Wang's extended DFY polynomial scheme in fact forms a TWOOA.

Theorem 3.1. For any prime $q$ and for any two positive integers $n, w$ satisfying $\max\{n, w\} \le q$, there exists a $TWOOA(k, q^w, n; w, q^k, q)$.

Proof. Let $q \ge \max\{n, w\}$ be a prime number, and $P_{k-1}[x] = \{a_0 + a_1 x + \cdots + a_{k-1} x^{k-1} : a_i \in GF(q),\ 0 \le i \le k-1\}$. Let $P_{ij}(x) \in P_{k-1}[x]$ for $1 \le i \le q^{wk}$, $1 \le j \le w$, and let $x_1, \ldots, x_n$ be $n$ different elements of $GF(q)$. Define $L_1$ as follows:
$$L_1 = \begin{pmatrix}
(P_{11}(x_1), \ldots, P_{1w}(x_1)) & (P_{11}(x_2), \ldots, P_{1w}(x_2)) & \cdots & (P_{11}(x_n), \ldots, P_{1w}(x_n)) \\
(P_{21}(x_1), \ldots, P_{2w}(x_1)) & (P_{21}(x_2), \ldots, P_{2w}(x_2)) & \cdots & (P_{21}(x_n), \ldots, P_{2w}(x_n)) \\
\vdots & \vdots & & \vdots \\
(P_{q^{wk}1}(x_1), \ldots, P_{q^{wk}w}(x_1)) & (P_{q^{wk}1}(x_2), \ldots, P_{q^{wk}w}(x_2)) & \cdots & (P_{q^{wk}1}(x_n), \ldots, P_{q^{wk}w}(x_n))
\end{pmatrix},$$
where the $l$-th column is labeled by the element $x_l \in GF(q)$. Define $L_2$ as follows:
$$L_2 = \begin{pmatrix}
P_{11}(x) & \cdots & P_{11}(x) + \cdots + s^{w-1} P_{1w}(x) & \cdots & P_{11}(x) + \cdots + (q-1)^{w-1} P_{1w}(x) \\
P_{21}(x) & \cdots & P_{21}(x) + \cdots + s^{w-1} P_{2w}(x) & \cdots & P_{21}(x) + \cdots + (q-1)^{w-1} P_{2w}(x) \\
\vdots & & \vdots & & \vdots \\
P_{q^{wk}1}(x) & \cdots & P_{q^{wk}1}(x) + \cdots + s^{w-1} P_{q^{wk}w}(x) & \cdots & P_{q^{wk}1}(x) + \cdots + (q-1)^{w-1} P_{q^{wk}w}(x)
\end{pmatrix},$$
where the $(s+1)$-th column is labeled by the element $s \in GF(q)$. The rows of $L_1$ and $L_2$ are both labeled by $(P_{i1}(x), \ldots, P_{iw}(x))$ for $1 \le i \le q^{wk}$. By the Lagrange interpolation formula for polynomials, we immediately know that $L_1$ is an orthogonal array $OA(k, q^w, n)$. Since the coefficient matrix
$$\begin{pmatrix}
1 & s_1 & \cdots & s_1^{w-1} \\
1 & s_2 & \cdots & s_2^{w-1} \\
\vdots & \vdots & & \vdots \\
1 & s_w & \cdots & s_w^{w-1}
\end{pmatrix}$$
is a Vandermonde matrix, we also know that $L_2$ is an orthogonal array $OA(w, q^k, q)$. Now we prove that for any $u$, $1 \le u \le w-1$, $L_1$ and any $q^{wk} \times u$ sub-array of $L_2$ are friendly. Choose any $u$ columns of $L_2$, say the $s_1$-th, ..., $s_u$-th columns, and then fix arbitrarily one of their row $u$-vectors, say $(Q_1(x), \ldots, Q_u(x))$. Then again from the coefficient matrix
$$\begin{pmatrix}
1 & s_1 & \cdots & s_1^{w-1} \\
1 & s_2 & \cdots & s_2^{w-1} \\
\vdots & \vdots & & \vdots \\
1 & s_u & \cdots & s_u^{w-1}
\end{pmatrix}$$
we can determine exactly $u$ polynomials among $P_{i1}(x), \ldots, P_{iw}(x) \in P_{k-1}[x]$ such that $(P_{i1}(x) + \cdots + s_1^{w-1} P_{iw}(x), \ldots, P_{i1}(x) + \cdots + s_u^{w-1} P_{iw}(x)) = (Q_1(x), \ldots, Q_u(x))$. For any column $x_l$ of $L_1$, the number of different symbols $(P_{i1}(x_l), \ldots, P_{iw}(x_l))$ in such rows $(P_{i1}(x), \ldots, P_{iw}(x))$ is clearly $q^{w-u}$. This completes the proof.

We remark that the case $w = 2$ in Theorem 3.1 was first proved in [8]. The following are some elementary properties of TWOOAs which are indispensable to our later discussions.
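As an added illustration of the extended DFY scheme reviewed in Section 2 and of the deception probabilities that Theorem 3.1 and Section 4 account for, the following Python (written for this edit, not code from the paper) runs the scheme for the constructed parameters $q = 5$, $k = 2$, $w = 3$ and three receivers at the chosen points $x_i = 1, 2, 3$, and computes $P_{d_u}$ exactly by enumerating every transmitter key consistent with a coalition's view.

```python
"""Extended DFY scheme (Safavi-Naini and Wang) over GF(q) with an exact,
brute-force computation of the order-u spoofing probability P_{d_u}.
Added example, not code from the paper: q = 5, k = 2, w = 3 and the public
receiver points below are chosen for this illustration."""
from itertools import product

Q, K, W = 5, 2, 3              # prime q; at most k-1 = 1 colluder; key covers w-1 = 2 messages
RECEIVER_POINTS = [1, 2, 3]    # public x_i of receivers R_1, R_2, R_3 (n = 3 <= q)


def poly_eval(coeffs, x, q):
    """Evaluate a_0 + a_1 x + ... + a_{k-1} x^{k-1} over GF(q)."""
    return sum(a * pow(x, i, q) for i, a in enumerate(coeffs)) % q


def all_keys(q, k, w):
    """Every transmitter key e_T = (P_1, ..., P_w), each P_j in P_{k-1}[x] as a coefficient tuple."""
    polys = list(product(range(q), repeat=k))
    return list(product(polys, repeat=w))


def receiver_key(e_t, x_i, q):
    """Receiver key e_i = (P_1(x_i), ..., P_w(x_i))."""
    return tuple(poly_eval(p, x_i, q) for p in e_t)


def authenticate(e_t, s, q):
    """M_s(x) = P_1(x) + s P_2(x) + ... + s^{w-1} P_w(x), as a coefficient tuple of degree < k."""
    k = len(e_t[0])
    return tuple(sum(pow(s, j, q) * e_t[j][i] for j in range(len(e_t))) % q for i in range(k))


def verify(e_i, x_i, s, m_s, q):
    """R_i accepts (s, M_s(x)) iff M_s(x_i) = P_1(x_i) + s P_2(x_i) + ... + s^{w-1} P_w(x_i)."""
    expected = sum(pow(s, j, q) * e_i[j] for j in range(len(e_i))) % q
    return poly_eval(m_s, x_i, q) == expected


def spoofing_probability(e_t, colluders, target, observed, new_s, q=Q):
    """Exact P_{d_u} for one coalition: `colluders` and `target` index RECEIVER_POINTS,
    `observed` lists the u source states whose messages the coalition has seen under e_t,
    and new_s is the fresh source state they want accepted. Every transmitter key that
    agrees with the coalition's keys and the observed messages is enumerated; the target
    accepts a forged (new_s, M(x)) iff M(x_target) equals the value its own key implies,
    so the best the coalition can do is the most frequent such value among consistent keys."""
    k, w = len(e_t[0]), len(e_t)
    view_keys = {c: receiver_key(e_t, RECEIVER_POINTS[c], q) for c in colluders}
    view_msgs = {s: authenticate(e_t, s, q) for s in observed}
    counts = {}
    for cand in all_keys(q, k, w):
        if any(receiver_key(cand, RECEIVER_POINTS[c], q) != key for c, key in view_keys.items()):
            continue
        if any(authenticate(cand, s, q) != m for s, m in view_msgs.items()):
            continue
        accepted = poly_eval(authenticate(cand, new_s, q), RECEIVER_POINTS[target], q)
        counts[accepted] = counts.get(accepted, 0) + 1
    return max(counts.values()) / sum(counts.values())


if __name__ == "__main__":
    e_t = ((1, 2), (3, 0), (0, 4))           # constructed key: P_1 = 1 + 2x, P_2 = 3, P_3 = 4x
    m = authenticate(e_t, 1, Q)
    print("R_2 accepts (1, M_1):", verify(receiver_key(e_t, 2, Q), 2, 1, m, Q))
    for u in range(W + 1):                   # u = w = 3 exceeds the bound w - 1
        p = spoofing_probability(e_t, [0], 2, list(range(u)), u)
        print(f"order-{u} spoofing probability: {p}")
```

For $u \le w-1 = 2$ every run returns exactly $1/q = 0.2$, matching $P_{d_i} = 1/q$; a third observed message ($u = w$) determines the key completely and the probability becomes 1, which is why a key must not authenticate more than $w-1$ source states.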

Let $L = L_1 \| L_2$ be a $TWOOA(k, t^w, n; w, t^k, m)$, where $L_1 = (a_{ij})$ is an $OA(k, t^w, n)$ based on a $t^w$-set $U$, $L_2 = (b_{ih})$ is an $OA(w, t^k, m)$ based on a $t^k$-set $V$, $1 \le i \le t^{wk}$, $1 \le j \le n$, and $1 \le h \le m$. For any $u$ columns $h_1, \ldots, h_u$ of $L_2$, and for any $u$-tuple $(b_1, \ldots, b_u) \in V^u$, define $R(h_1, \ldots, h_u; b_1, \ldots, b_u) = \{i : (b_{ih_1}, \ldots, b_{ih_u}) = (b_1, \ldots, b_u),\ 1 \le i \le t^{wk}\}$. For any $r$ columns $j_1, \ldots, j_r$ of $L_1$, we further define $C(j_1, \ldots, j_r; h_1, \ldots, h_u; b_1, \ldots, b_u)$ to be the collection of $r$-tuples $(a_{ij_1}, \ldots, a_{ij_r}) \in U^r$ for all $i \in R(h_1, \ldots, h_u; b_1, \ldots, b_u)$.

Lemma 3.2. Let $1 \le r \le k$ and $1 \le u \le w$. Then there are exactly $t^{r(w-u)}$ different $r$-tuples $(a_{ij_1}, \ldots, a_{ij_r}) \in U^r$ in any $C(j_1, \ldots, j_r; h_1, \ldots, h_u; b_1, \ldots, b_u)$ of a $TWOOA(k, t^w, n; w, t^k, m)$, where every $r$-tuple occurs exactly $t^{(k-r)(w-u)}$ times.

Proof. It is easy to see that $|R(h_1, \ldots, h_u; b_1, \ldots, b_u)| = t^{k(w-u)}$ since $L_2$ is an $OA(w, t^k, m)$. First we consider the case $1 \le u \le w-1$. In this case, since $L$ is a $TWOOA(k, t^w, n; w, t^k, m)$, every $C(j_v; h_1, \ldots, h_u; b_1, \ldots, b_u)$ has exactly $t^{w-u}$ different symbols for any $1 \le v \le r$, which implies that any $C(j_1, \ldots, j_r; h_1, \ldots, h_u; b_1, \ldots, b_u)$ has at most $t^{r(w-u)}$ different $r$-tuples of $U^r$. Therefore we need only prove that every $r$-tuple in $C(j_1, \ldots, j_r; h_1, \ldots, h_u; b_1, \ldots, b_u)$ occurs exactly $t^{(k-r)(w-u)}$ times. If this is not the case, then there must exist at least one $r$-tuple $\alpha = (a_1, \ldots, a_r) \in C(j_1, \ldots, j_r; h_1, \ldots, h_u; b_1, \ldots, b_u)$ such that $\alpha$ occurs $f$ times, where $f > t^{(k-r)(w-u)}$. If $r = k$, this means that there exists a $k$-tuple $\alpha$ of $U^k$ which occurs more than once, a contradiction to the fact that $L_1$ is an $OA(k, t^w, n)$. If $1 \le r \le k-1$, then for any other $k-r$ columns $j'_1, \ldots, j'_{k-r}$ of $L_1$, in a similar way, we also know that $C(j'_1, \ldots, j'_{k-r}; h_1, \ldots, h_u; b_1, \ldots, b_u)$ has at most $t^{(k-r)(w-u)}$ different $(k-r)$-tuples of $U^{k-r}$. This implies that $C(j_1, \ldots, j_r, j'_1, \ldots, j'_{k-r}; h_1, \ldots, h_u; b_1, \ldots, b_u)$ has repeated $k$-tuples, again a contradiction to the fact that $L_1$ is an $OA(k, t^w, n)$. So we know that the assertion holds for $1 \le u \le w-1$.

Next we consider the case $u = w$. In this case, $|R(h_1, \ldots, h_w; b_1, \ldots, b_w)| = 1$ for any $w$ columns $h_1, \ldots, h_w$ of $L_2$ and for any $w$-tuple $(b_1, \ldots, b_w) \in V^w$. So there is only one $r$-tuple in any $C(j_1, \ldots, j_r; h_1, \ldots, h_w; b_1, \ldots, b_w)$ of a $TWOOA(k, t^w, n; w, t^k, m)$, and it occurs only once. This completes the proof.

For any $r$, $1 \le r \le k-1$, columns $j_1, \ldots, j_r$ of $L_1$ and for any $r$-tuple $(a_1, \ldots, a_r) \in U^r$, define $R'(j_1, \ldots, j_r; a_1, \ldots, a_r) = \{i : (a_{ij_1}, \ldots, a_{ij_r}) = (a_1, \ldots, a_r),\ 1 \le i \le t^{wk}\}$. It is easy to see that $|R'(j_1, \ldots, j_r; a_1, \ldots, a_r)| = t^{w(k-r)}$ since $L_1$ is an $OA(k, t^w, n)$. For any column $h$ of $L_2$, we further define $B(j_1, \ldots, j_r; a_1, \ldots, a_r; h)$ to be the collection of $b_{ih} \in V$ for all $i \in R'(j_1, \ldots, j_r; a_1, \ldots, a_r)$. We have the following result.

Lemma 3.3. $B(j_1, \ldots, j_r; a_1, \ldots, a_r; h)$ contains exactly $t^{k-r}$ different symbols.

Proof. Since $|R'(j_1, \ldots, j_r; a_1, \ldots, a_r)| = t^{w(k-r)}$, we need only prove that every distinct symbol in $B(j_1, \ldots, j_r; a_1, \ldots, a_r; h)$ occurs exactly $t^{(w-1)(k-r)}$ times. If this is not the case, then there must exist at least one $b \in B(j_1, \ldots, j_r; a_1, \ldots, a_r; h)$ such that $b$ occurs $f \ne t^{(w-1)(k-r)}$ times. Then the $r$-tuple $(a_1, \ldots, a_r) \in U^r$ will occur exactly $f \ne t^{(k-r)(w-1)}$ times in $C(j_1, \ldots, j_r; h; b)$, a contradiction to Lemma 3.2. This completes the proof.

This immediately implies the following result, which means that friendship is a symmetric property.

Corollary 3.4. $L = L_1 \| L_2$ is a $TWOOA(k, t^w, n; w, t^k, m)$ if and only if $L' = L_2 \| L_1$ is a $TWOOA(w, t^k, m; k, t^w, n)$.

Proof. The assertion comes from the definition of a TWOOA and Lemma 3.3.

4 A Construction for A-Codes from TWOOAs

Now we describe how to use a $TWOOA(k, t^w, n; w, t^k, m)$ to construct a $(k, n; w)$ multi-receiver multi-message A-code.

Theorem 4.1. If there exists a $TWOOA(k, t^w, n; w, t^k, m)$, then there exists an unconditionally secure systematic Cartesian $(k, n; w)$ multi-receiver multi-message A-code $(\binom{S}{w-1}, \binom{M}{w-1}, E_T, E_1, \ldots, E_n, f_T, f_1, \ldots, f_n)$, with $|M| = t^k |S|$, where each key of the transmitter $T$ is used with equal probability.

Proof. Let $L = L_1 \| L_2$ be a $TWOOA(k, t^w, n; w, t^k, m)$ where $L_1$ is an $OA(k, t^w, n)$ based on a $t^w$-set $U$ and $L_2$ is an $OA(w, t^k, m)$ based on a $t^k$-set $V$. Let $e_T$, $1 \le e_T \le t^{wk}$, be the indices of the row vectors of $L$ (and thus of both $L_1$ and $L_2$). Let $j$, $1 \le j \le n$, be the indices of the columns of $L_1$, and $s \in S$ be the indices of the columns of $L_2$. For a source state $s \in S$, the transmitter $T$ computes $f_T(e_T, s) = (s, a) \in M$ such that the authenticator $a \in A$ is the $(e_T, s)$-th element of $L_2$, and then broadcasts the authenticated message $m = (s, a) \in M$ to the receivers. The corresponding decoding rule $e_j \in E_j$ of receiver $R_j$ is the $(e_T, j)$-th element of $L_1$. Receiver $R_j$ accepts $m = (s, a)$ as authentic if and only if there exists $e_T \in E_T$ such that (1) the $(e_T, s)$-th element of $L_2$ is $a \in A$, and (2) the $(e_T, j)$-th element of $L_1$ is $e_j \in E_j$. The mappings $f_1, \ldots, f_n$ can be defined in an obvious way.

Suppose that each key $e_T \in E_T$ of the transmitter $T$ is used with equal probability. Then for any $1 \le r \le k-1$ and any $1 \le j_1, \ldots, j_r \le n$, any set of possible keys $\{e_{j_1}, \ldots, e_{j_r}\}$,

where $e_{j_1} \in E_{j_1}, \ldots, e_{j_r} \in E_{j_r}$, will also occur with equal probability over $U^r$. From the definition of the deception probability, for any receiver $R_i$, $1 \le i \le n$, we need only consider the case $R \in C_{R_i}$ such that $|R| = k-1$. For any $\{e_{j_1}, \ldots, e_{j_{k-1}}\} \in e(R)$, define $F(e_{j_1}, \ldots, e_{j_{k-1}}) = \{e_T \in E_T : E_{j_1} = e_{j_1}, \ldots, E_{j_{k-1}} = e_{j_{k-1}}\}$. Then $|F(e_{j_1}, \ldots, e_{j_{k-1}})| = t^w$. For any $u$, $1 \le u \le w-1$, consecutive different source states $s_1, \ldots, s_u$, we further define $F_i(e_{j_1}, \ldots, e_{j_{k-1}}; (s_1, a_1), \ldots, (s_u, a_u)) = \{e_T \in E_T : E_{j_1} = e_{j_1}, \ldots, E_{j_{k-1}} = e_{j_{k-1}}, \text{ and } e_i \text{ accepts } (s_1, a_1), \ldots, (s_u, a_u)\}$. Then from Corollary 3.4 and Lemma 3.2, we know that $|F_i(e_{j_1}, \ldots, e_{j_{k-1}}; (s_1, a_1), \ldots, (s_u, a_u))| = t^{w-u}$. The deception probabilities in this case can then be computed as follows:
$$P_{d_0} = \max_{(s_1, a_1)} \frac{|F_i(e_{j_1}, \ldots, e_{j_{k-1}}; (s_1, a_1))|}{|F(e_{j_1}, \ldots, e_{j_{k-1}})|} = \frac{t^{w-1}}{t^w} = \frac{1}{t},$$
$$P_{d_u} = \max_{(s_1, a_1), \ldots, (s_{u+1}, a_{u+1})} \frac{|F_i(e_{j_1}, \ldots, e_{j_{k-1}}; (s_1, a_1), \ldots, (s_{u+1}, a_{u+1}))|}{|F_i(e_{j_1}, \ldots, e_{j_{k-1}}; (s_1, a_1), \ldots, (s_u, a_u))|} = \frac{t^{w-u-1}}{t^{w-u}} = \frac{1}{t},$$
$$P_{d_{w-1}} = \max_{(s_1, a_1), \ldots, (s_w, a_w)} \frac{|F_i(e_{j_1}, \ldots, e_{j_{k-1}}; (s_1, a_1), \ldots, (s_w, a_w))|}{|F_i(e_{j_1}, \ldots, e_{j_{k-1}}; (s_1, a_1), \ldots, (s_{w-1}, a_{w-1}))|} = \frac{t^{w-w}}{t^{w-w+1}} = \frac{1}{t}.$$
Now for any $k-1$ columns $j_1, \ldots, j_{k-1}$ of $L_1 = (b_{e_T, j})$, and for any $e_{j_1} \in E_{j_1}, \ldots, e_{j_{k-1}} \in E_{j_{k-1}}$, we define $R(j_1, \ldots, j_{k-1}; e_{j_1}, \ldots, e_{j_{k-1}}) = \{e_T \in E_T : b_{e_T, j_1} = e_{j_1}, \ldots, b_{e_T, j_{k-1}} = e_{j_{k-1}}\}$. For any $u$, $1 \le u \le w-1$, columns $s_1, \ldots, s_u$ of $L_2 = (a_{e_T, s})$, we further define $C(j_1, \ldots, j_{k-1}; e_{j_1}, \ldots, e_{j_{k-1}}; s_1, \ldots, s_u)$ to be the collection of $u$-tuples $(a_1, \ldots, a_u) \in V^u$ for all $e_T \in R(j_1, \ldots, j_{k-1}; e_{j_1}, \ldots, e_{j_{k-1}})$. Then from Corollary 3.4 and Lemma 3.2, we know that there are exactly $t^u$ different $u$-tuples $(a_1, \ldots, a_u) \in V^u$ in any $C(j_1, \ldots, j_{k-1}; e_{j_1}, \ldots, e_{j_{k-1}}; s_1, \ldots, s_u)$, where every $u$-tuple occurs exactly $t^{w-u}$ times, and there are exactly $t^{u+1}$ distinct $(u+1)$-tuples $(a_1, \ldots, a_{u+1}) \in V^{u+1}$ in any $C(j_1, \ldots, j_{k-1}; e_{j_1}, \ldots, e_{j_{k-1}}; s_1, \ldots, s_{u+1})$, where every $(u+1)$-tuple occurs exactly $t^{w-u-1}$ times. So the probability of the $k-1$ malicious receivers correctly guessing the authenticator $a_{u+1}$ for the source state $s_{u+1}$ is $1/t$. This means that our A-code is unconditionally secure. The proof is then completed.

5 Upper Bounds on $TWOOA(k, t^w, n; w, t^k, m)$

In this section, we further investigate the structure of a $TWOOA(k, t^w, n; w, t^k, m)$ to derive some upper bounds on the column numbers $n$ and $m$. Once again we let $L = L_1 \| L_2$ be a $TWOOA(k, t^w, n; w, t^k, m)$, where $L_1 = (a_{ij})$ is an $OA(k, t^w, n)$ based on a $t^w$-set $U$, $L_2 = (b_{ih})$ is an $OA(w, t^k, m)$ based on a $t^k$-set $V$, $1 \le i \le t^{wk}$, $1 \le j \le n$, and $1 \le h \le m$. Arbitrarily choose a symbol $a \in U$ and the first $k-1$ columns of $L_1$, and define $S(a) = \{i : (a_{i1}, \ldots, a_{i,k-1}) = (a, \ldots, a),\ 1 \le i \le t^{wk}\}$. It is easy to see that $|S(a)| = t^w$ since $L_1$ is an $OA(k, t^w, n)$. Define $M(a)$ to be the $t^w \times m$ sub-array of $L_2$ which consists of the $i$-th row of $L_2$ for all $i \in S(a)$. We have the following result.

Lemma 5.1. $M(a)$ is an $OA(w, t, m)$.

Proof. Applying Lemma 3.2 with $r = k-1$, we can see that in any $u$, $1 \le u \le w$, columns of $M(a)$, if some $u$-tuple of $V^u$ occurs, then it occurs exactly $t^{w-u}$ times. If this is not the case, then there must exist at least one $u$-tuple $\alpha = (b_1, \ldots, b_u) \in V^u$ in some $u$ columns, say $h_1, \ldots, h_u$, of $M(a)$ such that $\alpha$ occurs $f \ne t^{w-u}$ times. Then the $(k-1)$-tuple $(a, \ldots, a) \in U^{k-1}$ will occur exactly $f \ne t^{(k-(k-1))(w-u)}$ times in $C(1, \ldots, k-1; h_1, \ldots, h_u; b_1, \ldots, b_u)$, a contradiction to Lemma 3.2. It follows that any $u$ columns of $M(a)$ contain exactly $t^u$ different $u$-tuples, each of which occurs exactly $t^{w-u}$ times. Taking $u = 1$, we immediately know that every column of $M(a)$ contains exactly $t$ different symbols of $V$. Without loss of generality, we may assume that these symbols belong to the same $t$-subset of $V$. Since $L_2$ is an $OA(w, t^k, m)$, this forces $M(a)$ to be an $OA(w, t, m)$.

Similarly, we arbitrarily choose a symbol $b \in V$ and the first $w-1$ columns of $L_2$, and define $T(b) = \{i : (b_{i1}, \ldots, b_{i,w-1}) = (b, \ldots, b),\ 1 \le i \le t^{wk}\}$. It is clear that $|T(b)| = t^k$ since $L_2$ is an $OA(w, t^k, m)$. Define $N(b)$ to be the $t^k \times n$ sub-array of $L_1$ consisting of the $i$-th row of $L_1$ for all $i \in T(b)$. Then by Lemma 3.2 with $u = w-1$, we know that any $r$ columns of $N(b)$ contain exactly $t^r$ different $r$-tuples of $U^r$, each of which occurs exactly $t^{k-r}$ times. Taking $r = 1$, we immediately know that every column of $N(b)$ contains exactly $t$ different symbols of $U$. Without loss of generality, we may assume that the symbols from every column of $N(b)$ belong to the same $t$-subset of $U$. Since $L_1$ is an $OA(k, t^w, n)$, this forces $N(b)$ to be an $OA(k, t, n)$.

Lemma 5.2. $N(b)$ is an $OA(k, t, n)$.

The following bound on the column number of an orthogonal array can be found in [1, p. 180, Theorem 5.12].

Lemma 5.3 (Bush bound). For $k > 1$, if there exists an $OA(k, t, n)$, then $n \le B(k, t)$, where
$$B(k, t) = \begin{cases}
t + 1, & \text{if } k = 2, \\
t + k - 1, & \text{if } t \text{ is even and } 3 \le k < t, \\
t + k - 2, & \text{if } t \text{ is odd and } 3 \le k < t, \\
k + 1, & \text{if } k \ge t.
\end{cases}$$

Then immediately we obtain the following upper bounds on the column numbers $m$ and $n$ of a $TWOOA(k, t^w, n; w, t^k, m)$.

Theorem 5.4. If there exists a $TWOOA(k, t^w, n; w, t^k, m)$, then $n \le B(k, t)$ and $m \le B(w, t)$.

Proof. If there exists a $TWOOA(k, t^w, n; w, t^k, m)$, then from Lemmas 5.1 and 5.2, there exist both an $OA(k, t, n)$ and an $OA(w, t, m)$. The conclusion then follows from Lemma 5.3.

The above upper bounds on the column numbers $n$ and $m$ of a $TWOOA(k, t^w, n; w, t^k, m)$ with $w = 2$ were first derived by Wu and Zhu in [13].

6 Constructions for TWOOAs

Several infinite classes of $TWOOA(k, t^w, n; w, t^k, m)$ with $w = 2$ meeting the upper bounds described in Theorem 5.4 were constructed by Wu and Zhu [13]. In this section, we generalize Wu and Zhu's idea to work for all values of $2 \le w \le m$. We present a direct construction and a product construction for $TWOOA(k, t^w, n; w, t^k, m)$. Consequently, for all values of $2 \le w \le m$, we obtain many new infinite classes of $TWOOA(k, t^w, n; w, t^k, m)$ meeting the upper bounds described in Theorem 5.4.

To construct a $TWOOA(k, t^w, n; w, t^k, m)$ directly, the notion of an $(n, i, q)$-set will be used. Let $q$ be a prime power. A set of $n$ vectors in $V_i(GF(q))$ is called an $(n, i, q)$-set if any $i$ of them are linearly independent. For any pair $(i, q)$, the largest integer $n$ such that an $(n, i, q)$-set exists is denoted by $m(i, q)$.

Lemma 6.1 ([6, 4]). The value of $m(i, q)$ is determined in the following cases:

(1) $m(2, q) = q + 1$;
(2) $m(3, q) = q + 1$ for $q$ odd, and $m(3, q) = q + 2$ for $q$ even;
(3) $m(i, q) = i + 1$ for $i \ge q$.

Lemma 6.2 ([13]). If $q > 4$ is a prime power, then there exists a $(q + 1, i, q)$-set for any $i$, $3 < i < q$.

We use a $q^{wk}$-set $S$ to index the rows of a $TWOOA(k, q^w, n; w, q^k, m)$, where
$$S = \left\{ \begin{pmatrix}
a_{11} & a_{12} & \cdots & a_{1w} \\
a_{21} & a_{22} & \cdots & a_{2w} \\
\vdots & \vdots & & \vdots \\
a_{k1} & a_{k2} & \cdots & a_{kw}
\end{pmatrix} : a_{ij} \in GF(q),\ 1 \le i \le k,\ 1 \le j \le w \right\}.$$
For the first OA of this TWOOA, we use an $(m(k, q), k, q)$-set to index its columns. Similarly, for the second OA of this TWOOA, we use an $(m(w, q), w, q)$-set to index its columns. Let $R_1$ be an $(m(k, q), k, q)$-set in a row vector space, and $R_2$ an $(m(w, q), w, q)$-set in a column vector space. Define two arrays $L_1 = (a_{Mr})$ and $L_2 = (b_{Mc})$ as follows:

$L_1$: the entry at $(M, r)$ is $rM$, a row vector of length $w$;
$L_2$: the entry at $(M, c)$ is $Mc$, a column vector of length $k$;

where $M \in S$, $r \in R_1$, $c \in R_2$.

Lemma 6.3. $L_1$ is an $OA(k, q^w, m(k, q))$.

Proof. We need only prove that for any given $k$ row vectors $r_{j_i} = (x_{j_i 1}, \ldots, x_{j_i k}) \in R_1$, $1 \le j_i \le m(k, q)$, $1 \le i \le k$, and for any given $((e_{11}, e_{12}, \ldots, e_{1w}), (e_{21}, e_{22}, \ldots, e_{2w}), \ldots, (e_{k1}, e_{k2}, \ldots, e_{kw})) \in (GF(q) \times \cdots \times GF(q))^k$, there exists exactly one $M \in S$ such that
$$r_{j_1} M = (e_{11}, e_{12}, \ldots, e_{1w}),\quad r_{j_2} M = (e_{21}, e_{22}, \ldots, e_{2w}),\quad \ldots,\quad r_{j_k} M = (e_{k1}, e_{k2}, \ldots, e_{kw}). \qquad (1)$$
Let

$$X = \begin{pmatrix} r_{j_1} \\ \vdots \\ r_{j_k} \end{pmatrix}, \qquad
Y = \begin{pmatrix}
e_{11} & e_{12} & \cdots & e_{1w} \\
e_{21} & e_{22} & \cdots & e_{2w} \\
\vdots & \vdots & & \vdots \\
e_{k1} & e_{k2} & \cdots & e_{kw}
\end{pmatrix}.$$
Then the system of equations (1) is equivalent to the following matrix equation:
$$XM = Y. \qquad (2)$$
Since the row vectors $r_{j_1}, \ldots, r_{j_k}$ are taken from an $(m(k, q), k, q)$-set $R_1$, they are linearly independent, which means that $X^{-1}$ exists. Thus, $M = X^{-1} Y$ is uniquely determined. This completes the proof.

Similarly, we can prove the following result.

Lemma 6.4. $L_2$ is an $OA(w, q^k, m(w, q))$.

Now we show that $L_1 = (a_{Mr})$ is in fact friendly with any $u$, $1 \le u \le w-1$, columns of $L_2 = (b_{Mc})$. For convenience, for any given $c_i = (y_{1i}, y_{2i}, \ldots, y_{wi})^T \in R_2$ and for any given $v_i = (f_{1i}, f_{2i}, \ldots, f_{ki})^T \in GF(q)^k$, where $1 \le i \le u$, define $R(c_1, \ldots, c_u; v_1, \ldots, v_u) = \{M \in S : b_{Mc_i} = v_i,\ 1 \le i \le u\}$. Since $L_2$ is an $OA(w, q^k, m(w, q))$, it is clear that $|R(c_1, \ldots, c_u; v_1, \ldots, v_u)| = q^{k(w-u)}$.

Lemma 6.5. $L_1$ is friendly with any $u$, $1 \le u \le w-1$, columns of $L_2$.

Proof. For any given $u$ such that $1 \le u \le w-1$, for any given $c_i = (y_{1i}, y_{2i}, \ldots, y_{wi})^T \in R_2$, $v_i = (f_{1i}, f_{2i}, \ldots, f_{ki})^T$, $1 \le i \le u$, and for any given $r = (x_1, \ldots, x_k) \in R_1$, let $Q$ be the collection of elements $a_{Mr}$ where $M \in R(c_1, \ldots, c_u; v_1, \ldots, v_u)$. Since $|R(c_1, \ldots, c_u; v_1, \ldots, v_u)| = q^{k(w-u)}$, from the definition of friendship, we need only prove that every element in $Q$ occurs exactly $q^{(k-1)(w-u)}$ times. For any $v_0 = (e_1, e_2, \ldots, e_w) \in Q$, define $D_{v_0} = \{M \in S : M \in R(c_1, \ldots, c_u; v_1, \ldots, v_u),\ a_{Mr} = v_0\}$. We need only prove that $|D_{v_0}| = q^{(k-1)(w-u)}$ holds for any $v_0 \in Q$. From

$D_{v_0}$, we have $rM = v_0$ and $Mc_i = v_i$ for $1 \le i \le u$, which are equivalent to the following system of equations in the unknowns $a_{11}, \ldots, a_{k1}, a_{12}, \ldots, a_{k2}, \ldots, a_{1w}, \ldots, a_{kw}$:
$$\begin{aligned}
x_1 a_{11} + x_2 a_{21} + \cdots + x_k a_{k1} &= e_1, \\
&\ \vdots \\
x_1 a_{1w} + x_2 a_{2w} + \cdots + x_k a_{kw} &= e_w, \\
y_{11} a_{11} + y_{21} a_{12} + \cdots + y_{w1} a_{1w} &= f_{11}, \\
&\ \vdots \\
y_{11} a_{k1} + y_{21} a_{k2} + \cdots + y_{w1} a_{kw} &= f_{k1}, \\
&\ \vdots \\
y_{1u} a_{11} + y_{2u} a_{12} + \cdots + y_{wu} a_{1w} &= f_{1u}, \\
&\ \vdots \\
y_{1u} a_{k1} + y_{2u} a_{k2} + \cdots + y_{wu} a_{kw} &= f_{ku}.
\end{aligned} \qquad (3)$$
Let
$$G = \begin{pmatrix}
x_1 & \cdots & 0 & x_2 & \cdots & 0 & \cdots & x_k & \cdots & 0 \\
\vdots & \ddots & \vdots & \vdots & \ddots & \vdots & & \vdots & \ddots & \vdots \\
0 & \cdots & x_1 & 0 & \cdots & x_2 & \cdots & 0 & \cdots & x_k \\
y_{11} & \cdots & y_{w1} & 0 & \cdots & 0 & \cdots & 0 & \cdots & 0 \\
0 & \cdots & 0 & y_{11} & \cdots & y_{w1} & \cdots & 0 & \cdots & 0 \\
\vdots & & \vdots & \vdots & & \vdots & & \vdots & & \vdots \\
0 & \cdots & 0 & 0 & \cdots & 0 & \cdots & y_{11} & \cdots & y_{w1} \\
\vdots & & \vdots & \vdots & & \vdots & & \vdots & & \vdots \\
y_{1u} & \cdots & y_{wu} & 0 & \cdots & 0 & \cdots & 0 & \cdots & 0 \\
\vdots & & \vdots & \vdots & & \vdots & & \vdots & & \vdots \\
0 & \cdots & 0 & 0 & \cdots & 0 & \cdots & y_{1u} & \cdots & y_{wu}
\end{pmatrix},$$
$$P = (a_{11}, \ldots, a_{1w}, a_{21}, \ldots, a_{2w}, \ldots, a_{k1}, \ldots, a_{kw})^T, \qquad
Y = (e_1, \ldots, e_w, f_{11}, \ldots, f_{k1}, \ldots, f_{1u}, \ldots, f_{ku})^T.$$
Then the system of equations (3) can be rewritten as follows:
$$GP = Y. \qquad (4)$$
Since $r = (x_1, \ldots, x_k) \in R_1$ cannot be an all-zero vector, without loss of generality we may assume that $x_1 \ne 0$. Then the row vectors $(y_{1i}, \ldots, y_{wi})$, $1 \le i \le u$, of the sub-array consisting of the first $w$ columns of $G$ can be cancelled by elementary transformations of

rows. The resultant matrix $G'$, in which those $u$ rows now have zeros in their first $w$ columns, can further be changed by elementary transformations of rows into the matrix
$$G'' = \begin{pmatrix}
x_1 & \cdots & 0 & x_2 & \cdots & 0 & \cdots & x_k & \cdots & 0 \\
\vdots & \ddots & \vdots & \vdots & \ddots & \vdots & & \vdots & \ddots & \vdots \\
0 & \cdots & x_1 & 0 & \cdots & x_2 & \cdots & 0 & \cdots & x_k \\
0 & \cdots & 0 & y_{11} & \cdots & y_{w1} & \cdots & 0 & \cdots & 0 \\
\vdots & & \vdots & \vdots & & \vdots & & \vdots & & \vdots \\
0 & \cdots & 0 & 0 & \cdots & 0 & \cdots & y_{11} & \cdots & y_{w1} \\
\vdots & & \vdots & \vdots & & \vdots & & \vdots & & \vdots \\
0 & \cdots & 0 & y_{1u} & \cdots & y_{wu} & \cdots & 0 & \cdots & 0 \\
\vdots & & \vdots & \vdots & & \vdots & & \vdots & & \vdots \\
0 & \cdots & 0 & 0 & \cdots & 0 & \cdots & y_{1u} & \cdots & y_{wu} \\
0 & \cdots & 0 & 0 & \cdots & 0 & \cdots & 0 & \cdots & 0 \\
\vdots & & \vdots & \vdots & & \vdots & & \vdots & & \vdots \\
0 & \cdots & 0 & 0 & \cdots & 0 & \cdots & 0 & \cdots & 0
\end{pmatrix},$$
whose last $u$ rows are zero rows. Suppose $Y$ is changed into $Y' = (y'_1, \ldots, y'_{w+ku})^T$ by the same elementary transformations of rows. Then the matrix equation (4) and the following matrix equation have the same solutions:
$$G'' P = Y'. \qquad (5)$$
If $y'_j \ne 0$ for some $w + (k-1)u + 1 \le j \le w + ku$, then (5) has no solution, which forces (4) to have no solution, a contradiction. Since $x_1 \ne 0$, and the $u$ vectors $c_i$, $1 \le i \le u$, are taken from an $(m(w, q), w, q)$-set $R_2$ so that they are linearly independent, we know that $\mathrm{rank}(G'') = w + (k-1)u$. Hence (5) has $q^{wk - (w + (k-1)u)} = q^{(k-1)(w-u)}$ solutions. This completes the proof.
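The direct construction of Lemmas 6.3 to 6.5, instantiated for $q = 3$, $k = 2$, $w = 3$ (an added example written for this edit, not code from the paper): rows are the $2 \times 3$ matrices $M$ over $GF(3)$, the $(4, 2, 3)$-set $R_1$ and $(4, 3, 3)$-set $R_2$ are chosen by hand, and the check functions implement the orthogonal array and friendliness definitions of Section 3, so the result is the $TWOOA(2, 3^3, 4; 3, 3^2, 4)$ that Corollary 6.8(1) lists for odd $q$.

```python
"""Direct TWOOA construction of Section 6 for q = 3, k = 2, w = 3, verified
against the definitions of Section 3. Added example, not code from the paper.
L1 has entry r*M (row vector of length w) in column r, L2 has entry M*c
(column vector of length k) in column c, with M ranging over all k x w
matrices over GF(q). The two vector sets below are constructed by hand."""
from itertools import combinations, product

Q, K, W = 3, 2, 3

# (q+1, 2, q)-set in GF(3)^2: any two of these row vectors are linearly independent.
R1 = [(1, 0), (0, 1), (1, 1), (1, 2)]
# (q+1, 3, q)-set in GF(3)^3: any three of these column vectors are linearly independent.
R2 = [(1, 0, 0), (0, 1, 0), (0, 0, 1), (1, 1, 1)]


def all_matrices(q, k, w):
    """The row index set S: every k x w matrix over GF(q) as a tuple of k row tuples."""
    rows = list(product(range(q), repeat=w))
    return [tuple(m) for m in product(rows, repeat=k)]


def row_times_matrix(r, m, q):
    """r * M over GF(q): a row vector of length w."""
    return tuple(sum(r[i] * m[i][j] for i in range(len(r))) % q for j in range(len(m[0])))


def matrix_times_col(m, c, q):
    """M * c over GF(q): a column vector of length k."""
    return tuple(sum(m[i][j] * c[j] for j in range(len(c))) % q for i in range(len(m)))


def build_twooa(q, k, w, r1, r2):
    """Return (L1, L2) as lists of rows; row e of L1 and row e of L2 share the same M."""
    S = all_matrices(q, k, w)
    l1 = [[row_times_matrix(r, m, q) for r in r1] for m in S]
    l2 = [[matrix_times_col(m, c, q) for c in r2] for m in S]
    return l1, l2


def is_orthogonal_array(arr, strength, symbols):
    """OA(strength, symbols, n) with index 1: in any `strength` columns every tuple occurs once."""
    ncols = len(arr[0])
    if len(arr) != symbols ** strength:
        return False
    for cols in combinations(range(ncols), strength):
        seen = {tuple(row[c] for c in cols) for row in arr}
        if len(seen) != symbols ** strength:
            return False
    return True


def is_friendly(l1, l2, q, w, u):
    """Friendliness of Section 3: for any u columns of L2 and any row u-vector alpha they
    contain, every column of the sub-array B(alpha) of L1 has exactly q**(w-u) symbols."""
    n, m = len(l1[0]), len(l2[0])
    for cols in combinations(range(m), u):
        groups = {}
        for i, row in enumerate(l2):
            groups.setdefault(tuple(row[c] for c in cols), []).append(i)
        for rows_of_alpha in groups.values():
            for j in range(n):
                if len({l1[i][j] for i in rows_of_alpha}) != q ** (w - u):
                    return False
    return True


def check_twooa(q=Q, k=K, w=W, r1=R1, r2=R2):
    """True iff L1 || L2 is a TWOOA(k, q^w, |r1|; w, q^k, |r2|) by the definition of Section 3."""
    l1, l2 = build_twooa(q, k, w, r1, r2)
    return (is_orthogonal_array(l1, k, q ** w)
            and is_orthogonal_array(l2, w, q ** k)
            and all(is_friendly(l1, l2, q, w, u) for u in range(1, w)))


if __name__ == "__main__":
    print("TWOOA(2, 27, 4; 3, 9, 4) verified:", check_twooa())
    # Replacing (1, 1) by (2, 0), which is dependent on (1, 0), breaks Lemma 6.3.
    print("with a dependent pair in R1:", check_twooa(r1=[(1, 0), (0, 1), (2, 0), (1, 2)]))
```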

Summarizing Lemmas 6.3, 6.4 and 6.5, we obtain the following important result.

Theorem 6.6 For any prime power $q$, there exists a $\mathrm{TWOOA}(k, q^w, m(k,q); w, q^k, m(w,q))$.

From Lemma 6.2, we have the following result.

Corollary 6.7 If $q > 4$ is a prime power, then there exists a $\mathrm{TWOOA}(k, q^w, q+1; w, q^k, q+1)$ for any $3 < k, w < q$.

Comparing $m(k,q)$ with $B(k,q)$, we see that they are equal when $k = 2, 3$, or $k \ge q$, for any prime power $q$. In other words, the upper bounds can be met in these cases. Besides the three infinite classes of TWOOAs in [13, Corollary 3.8] corresponding to $w = 2$, we also have the following new ones.

Corollary 6.8 For any prime power $q$, there exists a $\mathrm{TWOOA}(k, q^w, n; w, q^k, m)$ meeting the upper bounds of $n$ and $m$ if $k = 2, 3$ or $k \ge q$, and $w = 3$ or $w \ge q$. That is, we have the following infinite classes:

(1) A $\mathrm{TWOOA}(2, q^3, q+1; 3, q^2, q+2)$ for $q$ even and a $\mathrm{TWOOA}(2, q^3, q+1; 3, q^2, q+1)$ for $q$ odd;

(2) A $\mathrm{TWOOA}(3, q^3, q+2; 3, q^3, q+2)$ for $q$ even and a $\mathrm{TWOOA}(3, q^3, q+1; 3, q^3, q+1)$ for $q$ odd;

(3) A $\mathrm{TWOOA}(k, q^3, k+1; 3, q^k, q+2)$ for $k \ge q$ where $q$ is even and a $\mathrm{TWOOA}(k, q^3, k+1; 3, q^k, q+1)$ for $k \ge q$ where $q$ is odd;

(4) A $\mathrm{TWOOA}(2, q^w, q+1; w, q^2, w+1)$ for $w \ge q$;

(5) A $\mathrm{TWOOA}(3, q^w, q+2; w, q^3, w+1)$ for $w \ge q$ where $q$ is even and a $\mathrm{TWOOA}(3, q^w, q+1; w, q^3, w+1)$ for $w \ge q$ where $q$ is odd;

(6) A $\mathrm{TWOOA}(k, q^w, k+1; w, q^k, w+1)$ for $k, w \ge q$.

In the remainder of this section, we present a product construction for TWOOAs. Suppose that $A_1$ and $B_1$ form a $\mathrm{TWOOA}(k, t^w, n; w, t^k, m)$, where $A_1 = (a^{(1)}_{ij})$ is an $\mathrm{OA}(k, t^w, n)$ based on a $t^w$-set $U_1$, and $B_1 = (b^{(1)}_{ih})$ is an $\mathrm{OA}(w, t^k, m)$ based on a $t^k$-set $V_1$, $0 \le i \le t^{wk} - 1$, $1 \le j \le n$, $1 \le h \le m$. Suppose that $A_2$ and $B_2$ form a $\mathrm{TWOOA}(k, s^w, n; w, s^k, m)$, where $A_2 = (a^{(2)}_{i'j})$ is an $\mathrm{OA}(k, s^w, n)$ based on an $s^w$-set $U_2$, and $B_2 = (b^{(2)}_{i'h})$ is an $\mathrm{OA}(w, s^k, m)$ based on an $s^k$-set $V_2$, $0 \le i' \le s^{wk} - 1$, $1 \le j \le n$, $1 \le h \le m$. Define $L_1 = (l^{(1)}_{ej})$ and $L_2 = (l^{(2)}_{eh})$ as follows: for $0 \le e \le (ts)^{wk} - 1$, $1 \le j \le n$, $1 \le h \le m$, write $e = i + i' t^{wk}$, where $0 \le i \le t^{wk} - 1$ and $0 \le i' \le s^{wk} - 1$, and let

$$l^{(1)}_{ej} = (a^{(1)}_{ij}, a^{(2)}_{i'j}), \qquad l^{(2)}_{eh} = (b^{(1)}_{ih}, b^{(2)}_{i'h}).$$

Lemma 6.9 $L_1$ is an $\mathrm{OA}(k, (ts)^w, n)$ based on a $(ts)^w$-set $U_1 \times U_2$, and $L_2$ is an $\mathrm{OA}(w, (ts)^k, m)$ based on a $(ts)^k$-set $V_1 \times V_2$.

Proof. We show that $L_1$ is an $\mathrm{OA}(k, (ts)^w, n)$; for $L_2$ the proof is similar. For any $k$ different columns $j_1, \ldots, j_k$ of $L_1$, and any $((x_1, y_1), \ldots, (x_k, y_k)) \in (U_1 \times U_2)^k$, we need only to show that there exists exactly one $e$, $0 \le e \le (ts)^{wk} - 1$, such that $l^{(1)}_{ej_1} = (x_1, y_1), \ldots, l^{(1)}_{ej_k} = (x_k, y_k)$. From these $k$ equations, we have $a^{(1)}_{ij_1} = x_1, \ldots, a^{(1)}_{ij_k} = x_k$, and $a^{(2)}_{i'j_1} = y_1, \ldots, a^{(2)}_{i'j_k} = y_k$, where $e = i + i' t^{wk}$. Since both $A_1$ and $A_2$ are orthogonal arrays of strength $k$, there exist exactly one such $i$, $0 \le i \le t^{wk} - 1$, and exactly one such $i'$, $0 \le i' \le s^{wk} - 1$. Thus $e$, $0 \le e \le (ts)^{wk} - 1$, is uniquely determined.

Lemma 6.10 $L_1$ is friendly with any $u$, $1 \le u \le w-1$, columns of $L_2$.

Proof. Take arbitrarily fixed $u$, $1 \le u \le w-1$, columns $b_{h_1}, \ldots, b_{h_u}$ of $L_2$. Let $Q$ be the collection of row vectors of the $(ts)^{wk} \times u$ sub-array of $L_2$ which consists of these $u$ columns. For any arbitrarily fixed $(\beta_1, \ldots, \beta_u) \in Q$, define

$$E = \{\, e : (l^{(2)}_{eh_1}, \ldots, l^{(2)}_{eh_u}) = (\beta_1, \ldots, \beta_u),\ 0 \le e \le (ts)^{wk} - 1 \,\}.$$

Since $L_2$ is an $\mathrm{OA}(w, (ts)^k, m)$, we have $|E| = (ts)^{k(w-u)}$. Take the $j$-th column $c_j$ of $L_1$, and $\alpha = l^{(1)}_{ej} \in c_j$ where $e \in E$. Let

$$E' = \{\, e : l^{(1)}_{ej} = \alpha,\ 0 \le e \le (ts)^{wk} - 1 \,\}.$$

We need only to show that $|E \cap E'| = (ts)^{(k-1)(w-u)}$. In other words, we need only to show that there exist exactly $(ts)^{(k-1)(w-u)}$ values of $e$ such that $l^{(1)}_{ej} = \alpha$ and $l^{(2)}_{eh_g} = \beta_g$ for $1 \le g \le u$. Suppose $\alpha = (x_1, x_2)$ and $\beta_g = (y_{1g}, y_{2g})$, $1 \le g \le u$. Then we have the following two systems of equations:

$$x_1 = a^{(1)}_{ij}, \quad y_{1g} = b^{(1)}_{ih_g},\ 1 \le g \le u; \qquad x_2 = a^{(2)}_{i'j}, \quad y_{2g} = b^{(2)}_{i'h_g},\ 1 \le g \le u,$$

where $e = i + i' t^{wk}$. Since $A_1$ and $B_1$ form a $\mathrm{TWOOA}(k, t^w, n; w, t^k, m)$, there exist exactly $t^{(k-1)(w-u)}$ such $i$ from the first system of equations. Also, $A_2$ and $B_2$ form a $\mathrm{TWOOA}(k, s^w, n; w, s^k, m)$, so from the second system of equations there exist exactly $s^{(k-1)(w-u)}$ such $i'$. Thus there exist exactly $(ts)^{(k-1)(w-u)}$ such $e$. This completes the proof.
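The direct construction of Lemmas 6.3 to 6.5 and the product construction of Lemmas 6.9 and 6.10, as an added worked example that is not part of the paper: it builds $L_1 = (rM)$ and $L_2 = (Mc)$ from all $k \times w$ matrices $M$ over $\mathrm{GF}(q)$, verifies the two orthogonal-array conditions and the friendship condition of Lemma 6.5 by exhaustive counting, and then pairs two such arrays row by row via $e = i + i' t^{wk}$. It assumes $q$ prime (the paper allows any prime power), uses small constructed sets $R_1, R_2$ (the $q+1$ points of the projective line over $\mathrm{GF}(q)$), and all function names are mine.

```python
"""Added worked example (not the paper's code): the direct TWOOA construction of
Section 6 and the product construction of Lemmas 6.9 and 6.10, with brute-force
checks of the OA and friendship conditions.  q is assumed prime, so GF(q) is Z_q."""
from collections import Counter
from itertools import combinations, product

def rank_mod_p(rows, p):
    """Rank of a list of vectors over GF(p), p prime, by Gauss-Jordan elimination."""
    m = [list(r) for r in rows]
    rank = 0
    for col in range(len(m[0])):
        pivot = next((i for i in range(rank, len(m)) if m[i][col] % p), None)
        if pivot is None:
            continue
        m[rank], m[pivot] = m[pivot], m[rank]
        inv = pow(m[rank][col], -1, p)      # non-zero entries are invertible mod a prime
        m[rank] = [(x * inv) % p for x in m[rank]]
        for i in range(len(m)):
            if i != rank and m[i][col] % p:
                f = m[i][col]
                m[i] = [(a - f * b) % p for a, b in zip(m[i], m[rank])]
        rank += 1
    return rank

def is_independent_set(vectors, t, p):
    """An (n, t, q)-set in the paper's sense: any t of the n vectors are independent."""
    return all(rank_mod_p(sub, p) == t for sub in combinations(vectors, t))

def build_twooa(q, k, w, R1, R2):
    """Rows are indexed by all k x w matrices M over GF(q), i.e. by the key space S;
    column r of L1 holds a_{Mr} = rM in GF(q)^w, column c of L2 holds b_{Mc} = Mc in
    GF(q)^k.  R1 must be an (n, k, q)-set and R2 an (m, w, q)-set."""
    mats = list(product(product(range(q), repeat=w), repeat=k))      # q^(kw) matrices
    L1 = [[tuple(sum(r[i] * M[i][j] for i in range(k)) % q for j in range(w))
           for r in R1] for M in mats]
    L2 = [[tuple(sum(M[i][j] * c[j] for j in range(w)) % q for i in range(k))
           for c in R2] for M in mats]
    return L1, L2

def is_orthogonal_array(L, t, v):
    """OA(t, v, n): in any t columns every t-tuple over v symbols occurs rows/v^t times."""
    if len(L) % v ** t:
        return False
    lam = len(L) // v ** t
    for cols in combinations(range(len(L[0])), t):
        counts = Counter(tuple(row[j] for j in cols) for row in L)
        if len(counts) != v ** t or set(counts.values()) != {lam}:
            return False
    return True

def is_friendly(L1, L2, u, q, k, w):
    """Friendship as used in Lemma 6.5: fix any u columns of L2 and any values for
    them; among the q^{k(w-u)} matching rows, every value present in any one column
    of L1 occurs exactly q^{(k-1)(w-u)} times.  For a product array pass q = ts."""
    expected = q ** ((k - 1) * (w - u))
    for cols in combinations(range(len(L2[0])), u):
        rows_by_value = {}
        for idx, row in enumerate(L2):
            rows_by_value.setdefault(tuple(row[j] for j in cols), []).append(idx)
        for rows in rows_by_value.values():
            if len(rows) != q ** (k * (w - u)):
                return False
            for j in range(len(L1[0])):
                if set(Counter(L1[i][j] for i in rows).values()) != {expected}:
                    return False
    return True

def check_twooa(L1, L2, q, k, w):
    """All TWOOA conditions: L1 is OA(k, q^w, n), L2 is OA(w, q^k, m), and L1 is
    friendly with any u columns of L2 for every 1 <= u <= w - 1."""
    return (is_orthogonal_array(L1, k, q ** w) and is_orthogonal_array(L2, w, q ** k)
            and all(is_friendly(L1, L2, u, q, k, w) for u in range(1, w)))

def product_twooa(A1, B1, A2, B2):
    """Lemmas 6.9 and 6.10: row e = i + i' * t^{wk} of the product pairs row i of
    (A1, B1) with row i' of (A2, B2) entry by entry, so the symbols become pairs."""
    L1 = [list(zip(A1[i], A2[i2])) for i2 in range(len(A2)) for i in range(len(A1))]
    L2 = [list(zip(B1[i], B2[i2])) for i2 in range(len(B2)) for i in range(len(B1))]
    return L1, L2

# Constructed inputs.  Over GF(3) the q + 1 = 4 = m(2, 3) points of the projective
# line form a (4, 2, 3)-set; over GF(2) only q + 1 = 3 such vectors exist.
R_GF3 = [(1, 0), (0, 1), (1, 1), (1, 2)]
R_GF2 = [(1, 0), (0, 1), (1, 1)]
L1_3, L2_3 = build_twooa(3, 2, 2, R_GF3, R_GF3)     # a TWOOA(2, 9, 4; 2, 9, 4)
L1_2, L2_2 = build_twooa(2, 2, 2, R_GF2, R_GF2)     # a TWOOA(2, 4, 3; 2, 4, 3)
# The product needs the same n and the same m on both sides, so the GF(3) arrays are
# cut to their first 3 columns; the result is a TWOOA(2, 36, 3; 2, 36, 3) with ts = 6.
L1_P, L2_P = product_twooa([r[:3] for r in L1_3], [r[:3] for r in L2_3], L1_2, L2_2)

if __name__ == "__main__":
    print("R_GF3 is a (4, 2, 3)-set:", is_independent_set(R_GF3, 2, 3))
    print("direct TWOOA over GF(3):", check_twooa(L1_3, L2_3, 3, 2, 2))
    print("product TWOOA with ts = 6:", check_twooa(L1_P, L2_P, 6, 2, 2))
    # Without the independence condition on R1 the OA property of L1 is lost.
    bad_L1, _ = build_twooa(3, 2, 2, [(1, 0), (2, 0), (0, 1)], R_GF3)
    print("L1 from a dependent R1 is an OA:", is_orthogonal_array(bad_L1, 2, 9))
```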

Theorem 6.11 (Product Construction) If there exist both a $\mathrm{TWOOA}(k, t^w, n; w, t^k, m)$ and a $\mathrm{TWOOA}(k, s^w, n; w, s^k, m)$, then there exists a $\mathrm{TWOOA}(k, (ts)^w, n; w, (ts)^k, m)$.

Proof. The conclusion comes from Lemmas 6.9, 6.10, and the definition of a TWOOA.

Applying Theorem 6.11 with Corollary 6.8, we can obtain more infinite classes of TWOOAs for all values of $2 \le w \le m$. We omit the details here since they are routine and space-consuming.

7 Concluding Remarks

In this paper, we generalized the notion of a TWOOA due to Kurosawa and Obana [5, 8], and then used the generalized TWOOAs to construct many infinite classes of unconditionally secure multi-receiver multi-message A-codes. Our unconditionally secure multi-receiver multi-message A-codes exceed Safavi-Naini and Wang's at least in the numbers of receivers and source states. For example, for an arbitrarily fixed prime $q$, in Safavi-Naini and Wang's A-code the maximum numbers of receivers and source states are both $q$, while in our A-code the maximum numbers of receivers and source states are $m(k,q)$ and $m(w,q)$, respectively, which are greater than $q$ in many cases. We conjecture that most of the newly obtained infinite classes of unconditionally secure multi-receiver multi-message A-codes are optimum in the sense of the deception probabilities, the sizes of keys, and the numbers of receivers and source states. Keeping the numbers of receivers and source states in mind, we immediately know that Kurosawa and Obana's definition of optimality [8] is not adequate.

Acknowledgement

A portion of this research was carried out while the last author was visiting the University of Tsukuba. He wishes to express his gratitude to the Graduate School of Systems and Information Engineering for their hospitality.

References

[1] C. J. Colbourn and J. H. Dinitz (eds.), The CRC Handbook of Combinatorial Designs, CRC Press, Boca Raton, 1996.
[2] Y. Desmedt, Y. Frankel and M. Yung, Multi-receiver/multi-sender network security: efficient authenticated multicast/feedback, IEEE Infocom 92 (1992),
[3] E. N. Gilbert, F. J. MacWilliams and N. J. A. Sloane, Codes which detect deception, Bell System Tech. J. 53 (1974),
[4] J. W. P. Hirschfeld, Maximum sets in finite projective spaces, Surveys in Combinatorics, London Math. Soc. Lecture Note Ser. 82 (1983),
[5] K. Kurosawa and S. Obana, Characterization of (k, n) multi-receiver authentication, ACISP 97, LNCS 1270, Springer (1997),
[6] F. J. MacWilliams and N. J. A. Sloane, The Theory of Error-Correcting Codes, Part I, North-Holland, Amsterdam, 1977.
[7] J. L. Massey, Cryptography: a selective survey, Digital Communications, North-Holland (1986), 3-21.
[8] S. Obana and K. Kurosawa, Bounds and combinatorial structure of (k, n) multi-receiver A-codes, Des. Codes Cryptography 22 (2001),
[9] R. Safavi-Naini and H. Wang, New results on multi-receiver authentication codes, EUROCRYPT 98, LNCS 1403, Springer (1998),
[10] R. Safavi-Naini and H. Wang, Multireceiver authentication codes: models, bounds, constructions, and extensions, Inform. and Comput. 151 (1999),
[11] G. J. Simmons, Authentication theory/coding theory, CRYPTO 84, LNCS 196, Springer (1985),
[12] D. R. Stinson, The combinatorics of authentication and secrecy codes, J. Cryptology 2 (1990),
[13] D. Wu and L. Zhu, Bounds and constructions for TWOOAs, Discrete Math. 238 (2001),


More information

MATH 291T CODING THEORY

MATH 291T CODING THEORY California State University, Fresno MATH 291T CODING THEORY Spring 2009 Instructor : Stefaan Delcroix Chapter 1 Introduction to Error-Correcting Codes It happens quite often that a message becomes corrupt

More information

UNPREDICTABLE BINARY STRINGS

UNPREDICTABLE BINARY STRINGS UNPREDICTABLE BINARY STRINGS R.M. LOW, M. STAMP, R. CRAIGEN, AND G. FAUCHER Abstract. We examine a class of binary strings arising from considerations about stream cipher encryption: to what degree can

More information

Generalized hyper-bent functions over GF(p)

Generalized hyper-bent functions over GF(p) Discrete Applied Mathematics 55 2007) 066 070 Note Generalized hyper-bent functions over GFp) A.M. Youssef Concordia Institute for Information Systems Engineering, Concordia University, Montreal, QC, H3G

More information

Counting Functions for the k-error Linear Complexity of 2 n -Periodic Binary Sequences

Counting Functions for the k-error Linear Complexity of 2 n -Periodic Binary Sequences Counting Functions for the k-error inear Complexity of 2 n -Periodic Binary Sequences amakanth Kavuluru and Andrew Klapper Department of Computer Science, University of Kentucky, exington, KY 40506. Abstract

More information

Flags of almost ane codes

Flags of almost ane codes Flags of almost ane codes Trygve Johnsen Hugues Verdure April 0, 207 Abstract We describe a two-party wire-tap channel of type II in the framework of almost ane codes. Its cryptological performance is

More information

A Block Negacyclic Bush-Type Hadamard Matrix and Two Strongly Regular Graphs

A Block Negacyclic Bush-Type Hadamard Matrix and Two Strongly Regular Graphs Journal of Combinatorial Theory, Series A 98, 118 126 (2002) doi:10.1006/jcta.2001.3231, available online at http://www.idealibrary.com on A Block Negacyclic Bush-Type Hadamard Matrix and Two Strongly

More information

An Analytic Approach to the Problem of Matroid Representibility: Summer REU 2015

An Analytic Approach to the Problem of Matroid Representibility: Summer REU 2015 An Analytic Approach to the Problem of Matroid Representibility: Summer REU 2015 D. Capodilupo 1, S. Freedman 1, M. Hua 1, and J. Sun 1 1 Department of Mathematics, University of Michigan Abstract A central

More information

FULLY COMMUTATIVE ELEMENTS AND KAZHDAN LUSZTIG CELLS IN THE FINITE AND AFFINE COXETER GROUPS. Jian-yi Shi

FULLY COMMUTATIVE ELEMENTS AND KAZHDAN LUSZTIG CELLS IN THE FINITE AND AFFINE COXETER GROUPS. Jian-yi Shi FULLY COMMUTATIVE ELEMENTS AND KAZHDAN LUSZTIG CELLS IN THE FINITE AND AFFINE COXETER GROUPS Jian-yi Shi Abstract. The main goal of the paper is to show that the fully commutative elements in the affine

More information

An efficient single-key pirates tracing scheme using cover-free families

An efficient single-key pirates tracing scheme using cover-free families University of Wollongong Research Online Faculty of Engineering and Information Sciences - Papers: Part A Faculty of Engineering and Information Sciences 2006 An efficient single-key pirates tracing scheme

More information

Simple SK-ID-KEM 1. 1 Introduction

Simple SK-ID-KEM 1. 1 Introduction 1 Simple SK-ID-KEM 1 Zhaohui Cheng School of Computing Science, Middlesex University The Burroughs, Hendon, London, NW4 4BT, United Kingdom. m.z.cheng@mdx.ac.uk Abstract. In 2001, Boneh and Franklin presented

More information

Construction of some new families of nested orthogonal arrays

Construction of some new families of nested orthogonal arrays isid/ms/2017/01 April 7, 2017 http://www.isid.ac.in/ statmath/index.php?module=preprint Construction of some new families of nested orthogonal arrays Tian-fang Zhang, Guobin Wu and Aloke Dey Indian Statistical

More information

PALINDROMIC AND SŪDOKU QUASIGROUPS

PALINDROMIC AND SŪDOKU QUASIGROUPS PALINDROMIC AND SŪDOKU QUASIGROUPS JONATHAN D. H. SMITH Abstract. Two quasigroup identities of importance in combinatorics, Schroeder s Second Law and Stein s Third Law, share many common features that

More information

1 Number Theory Basics

1 Number Theory Basics ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his

More information

BIROn - Birkbeck Institutional Research Online

BIROn - Birkbeck Institutional Research Online BIROn - Birkbeck Institutional Research Online Enabling open access to Birkbeck s published research output Sliding-window dynamic frameproof codes Journal Article http://eprints.bbk.ac.uk/5366 Version:

More information

Cyclic Redundancy Check Codes

Cyclic Redundancy Check Codes Cyclic Redundancy Check Codes Lectures No. 17 and 18 Dr. Aoife Moloney School of Electronics and Communications Dublin Institute of Technology Overview These lectures will look at the following: Cyclic

More information

Decomposing dense bipartite graphs into 4-cycles

Decomposing dense bipartite graphs into 4-cycles Decomposing dense bipartite graphs into 4-cycles Nicholas J. Cavenagh Department of Mathematics The University of Waikato Private Bag 3105 Hamilton 3240, New Zealand nickc@waikato.ac.nz Submitted: Jun

More information

Perfectly secure cipher system.

Perfectly secure cipher system. Perfectly secure cipher system Arindam Mitra Lakurdhi, Tikarhat Road, Burdwan 713102 India Abstract We present a perfectly secure cipher system based on the concept of fake bits which has never been used

More information

4 CONNECTED PROJECTIVE-PLANAR GRAPHS ARE HAMILTONIAN. Robin Thomas* Xingxing Yu**

4 CONNECTED PROJECTIVE-PLANAR GRAPHS ARE HAMILTONIAN. Robin Thomas* Xingxing Yu** 4 CONNECTED PROJECTIVE-PLANAR GRAPHS ARE HAMILTONIAN Robin Thomas* Xingxing Yu** School of Mathematics Georgia Institute of Technology Atlanta, Georgia 30332, USA May 1991, revised 23 October 1993. Published

More information

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography CS 7880 Graduate Cryptography September 10, 2015 Lecture 1: Perfect Secrecy and Statistical Authentication Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Definition of perfect secrecy One-time

More information

MATH 433 Applied Algebra Lecture 21: Linear codes (continued). Classification of groups.

MATH 433 Applied Algebra Lecture 21: Linear codes (continued). Classification of groups. MATH 433 Applied Algebra Lecture 21: Linear codes (continued). Classification of groups. Binary codes Let us assume that a message to be transmitted is in binary form. That is, it is a word in the alphabet

More information

Benes and Butterfly schemes revisited

Benes and Butterfly schemes revisited Benes and Butterfly schemes revisited Jacques Patarin, Audrey Montreuil Université de Versailles 45 avenue des Etats-Unis 78035 Versailles Cedex - France Abstract In [1], W. Aiello and R. Venkatesan have

More information

Cryptanalysis of a Message Authentication Code due to Cary and Venkatesan

Cryptanalysis of a Message Authentication Code due to Cary and Venkatesan Cryptanalysis of a Message Authentication Code due to Cary and Venkatesan Simon R. Blackburn and Kenneth G. Paterson Department of Mathematics Royal Holloway, University of London Egham, Surrey, TW20 0EX,

More information

On Systems of Diagonal Forms II

On Systems of Diagonal Forms II On Systems of Diagonal Forms II Michael P Knapp 1 Introduction In a recent paper [8], we considered the system F of homogeneous additive forms F 1 (x) = a 11 x k 1 1 + + a 1s x k 1 s F R (x) = a R1 x k

More information