Logarithm Cartesian authentication codes

Size: px

Start display at page:

Download "Logarithm Cartesian authentication codes"

Hector O’Connor’
5 years ago
Views:

Informaton and Computaton 184 23 93 18 www.elsever.com/locate/c Logarthm Cartesan authentcaton codes T.W. Sze, a S. Chanson, a C. Dng, a T. Helleseth, b and M.G.

1 Informaton and Computaton Logarthm Cartesan authentcaton codes T.W. Sze, a S. Chanson, a C. Dng, a T. Helleseth, b and M.G. Parker b, a Department of Computer Scence, Hong Kong Unversty of Scence and Technology, Clear Water Bay, Kowloon, Chna b Department of Informatcs, Unversty of Bergen, 52 Bergen, Norway Receved 13 December 21; revsed 4 March 22 Abstract Chanson, Dng and Salomaa have recently constructed several classes of authentcaton codes usng certan classes of functons. In ths paper, we further extend that work by constructng two classes of Cartesan authentcaton codes usng the logarthm functons. The codes constructed here nvolve the theory of cyclotomy and are better than a subclass of Helleseth Johansson s codes and Berbrauer s codes n terms of the maxmum success probablty wth respect to the substtuton attack. 23 Elsever Scence USA. All rghts reserved. Keywords: Authentcaton codes; Cryptography; Cyclotomy 1. Introducton Authentcaton codes were consdered n 1974 by Glbert and Sloane [5]. In the model of authentcaton theory descrbed by Smmons [11], there are three partcpants: a transmtter, a recever, and an opponent. The transmtter wants to send nformaton to the recever through a publc channel whch s subject to actve attacks, whle the opponent wants to deceve the recever. Wthout observng any message from the transmtter to the recever, the opponent mpersonates the transmtter by sendng hs message to the recever, causng the recever to accept a fraudulent message as authentc. Ths s called the mpersonaton attack, and we use P d to denote the opponent s maxmum success probablty wth respect to ths attack. Havng observed one message from the transmtter to the recever, the opponent Correspondng author. Fax: E-mal addresses: szetszwo@cs.ust.hk T.W. Sze, chanson@cs.ust.hk S. Chanson, cdng@cs.ust.hk C. Dng, torh@.ub.no T. Helleseth, Matthew.Parker@.ub.no M.G. Parker /3/$ - see front matter 23 Elsever Scence USA. All rghts reserved. do:1.116/s

2 94 T.W. Sze et al. / Informaton and Computaton replaces the orgnal message wth hs own message. Ths s called the substtuton attack, and we use P d1 to denote the opponent s maxmum success probablty wth respect to ths attack. To protect aganst these attacks, the transmtter and the recever share a secret key, whch s used n an authentcaton code. In ths model there s only one recever, and t s the model consdered n ths paper. For multrecever authentcaton codes, the reader s referred to [4,7,9,1]. A systematc Cartesan authentcaton code s a code n whch the source state.e., the plantext s concatenated wth an authentcator also called a tag to form a message whch s sent va a channel. Such a code s a 5-tuple S,E,M,T,f, where S s the set of source states, E s the set of keys, and T s the set of authentcators, M s the set of all possble messages, and f : S E T s the authentcaton mappng. Each functon f,es called an encodng rule. When the transmtter wants to send the nformaton s S usng a key e E, whch s secretly shared wth the recever, he transmts the message m s, t, where t fs,e T s the tag authentcator. When the recever receves the message m s, t, he checks ts authentcty by verfyng whether t fs,eor not usng the secret key e E. If the equalty holds, the message s regarded as authentc and s accepted. Otherwse the message s rejected. Combnatoral desgns have been successfully used to construct certan optmal authentcaton codes [8,12]. Certan algebrac curves gve also very good authentcaton codes [1,13]. Chanson, Dng and Salomaa [2] have recently presented two constructons of authentcaton codes usng certan classes of functons. Some of ther codes are optmal. In ths paper, usng the framework of [2] we construct authentcaton codes wth logarthm functons. The authentcaton codes constructed n ths paper are better than a subclass of Helleseth Johansson s codes and Berbrauer s codes n terms of the success probablty P d1 wth respect to the substtuton attack. 2. The frst class of Cartesan authentcaton codes based on logarthm functons Let F be a mappng from A to B, where A, + and B, + are fnte abelan groups. The frst constructon of [2] gves authentcaton codes S,E,T,f, 1 where the set of source states s S, + A, +, the set of keys E, + A, +, the tag space s T, + B, +, and the authentcaton mappng f from S E to T s defned by fs,e Fs + e, e A. It s assumed that there s a probablty dstrbuton on both the source state space and the key space. In ths constructon, the keys and the source states are equally lkely. The message space M S T, whch depends totally on S and T. As for the code of 1, the two decepton probabltes are gven n the followng theorem [2], whose proof s ncluded here for completeness. Theorem 1. Let S, + and T, + be fnte abelan groups, and let F be a mappng from S to T.Then for the authentcaton code S,E,T,fof 1 defned above, we have F 1 t P d max. t T S

3 P d1 max max s S,t FS T.W. Sze et al. / Informaton and Computaton s /s,t F 1 t s F 1 t s F 1 t, where FSs the mage of S under the mappng F. Proof. In an mpersonaton attack, the opponent wants to generate a new message m s,t by choosng a source state s and an e E and computng t Fs + e. The new message m s then nserted nto the channel. Ths attack s successful f and only f Fs + e t. We now need to compute the probablty PrF s + e t. Note that the keys and source states are equprobable. We have P d max s,t max s,t max t T {e E : t fs,e} {e E} F 1 t s E F 1 t. v In a substtuton attack, the opponent observed a message m s, t and replaces t wth another message m s,t, where s/ s. Snce the keys and source states are equprobable, the probablty of success of the substtuton attack s P d1 max max {e E : t fs,e,t fs,e} s S,t FS s /s,t {e E : t fs,e} max max F 1 t s F 1 t s s S,t FS s /s,t F 1 t. Wth the framework above, several classes of authentcaton codes were constructed by Chanson, Dng and Salomaa [2]. Ther codes were based on several classes of functons. In ths paper, we use some types of logarthm functons to construct a new class of authentcaton codes. Throughout ths paper we defne Z d {, 1,...,d 1}. It s known that P d P d1 for all systematc Cartesan authentcaton codes [12]. To descrbe authentcaton codes based on the logarthm functons, we make use of the theory of cyclotomy. Let GFq be a fnte feld, and let q 1 dl. For a prmtve element α of GFq, defne D d,q α d, the multplcatve group generated by α d,and D d,q α D d,q for 1, 2,...,d 1. The D d,q are called cyclotomc classes of order d. The cyclotomc numbers of order d wth respect to GFq are defned as, j d D d,q + 1 D d,q j. Clearly, there are at most d 2 dfferent cyclotomc numbers of order d [3]. To prove propertes of the authentcaton codes dealt wth n the followng sectons, for each j Z d we defne

4 96 T.W. Sze et al. / Informaton and Computaton { C d,q D d,q j j f 1 j d 1, D d,q {} f j. 2 Theorem 2. Let q 1 dl, where d 2 and l are postve ntegers. Set S GF q and T Z d. Defne Fx log α x mod d, where log α. Then for the authentcaton code S,E,T,fof 1, we have S q, E q, T d and P d 1 d + d 1 dq, dmax, j d q 1 + d P d max t T { d max,j d +1, f d odd, P d1 d max,d +2 q+, max,j d+1, f d even. Proof. By the defnton of Fx,wehaveF 1 D d,q {} and F 1 D d,q for each Z d \{}. It then follows from Theorem 1 that F 1 t S 1 + q 1/d q 1 d + d 1 dq. F 1 t F 1 t +a To prove the nequaltes for P d1, we need to determne, where / a GFq. Let F 1 t a 1 D d,q, t / mod d and t / mod d. By Lemma 5 n Appendx A, we have F 1 F 1 + a C d,q C d,q + a F 1 d + 1 d, d + D d,q {a, a}, q + d 1 F 1 t F 1 + a C d,q t C d,q + a F 1 t d d, t + d + D d,q t {a}, q 1 F 1 F 1 t + a C d,q C d,q t + a F 1 d + 1 d t +, d + D d,q t { a}, q + d 1

5 F 1 t F 1 t + a F 1 t T.W. Sze et al. / Informaton and Computaton C d,q t C d,q t + a d dt +, t + d. q 1 By Theorem 1 and Lemma 5 n Appendx A, F 1 P d1 max max t s F 1 t s s S,t FS s /s,t F 1 t d, d + D d,q d,t+ d + D t d,q max a/,t / mod d,t / mod d d t+, d + D t d,q { max d, d + 2 q + d 1,dmax, j d + 1 q 1 {a, a} q+, {a}, { a} q+, dt +,t+ d }. If q 1/d s odd, we prove that D d,q {a, a} 1. 3 If l q 1/d s even, then 1 α dl/2, where α s the prmtve element used to defne the cyclotomc classes. Hence 1 D d,q. On the other hand, f 1 D d,q, then there s a postve nteger k<lsuch that 1 α dk. Hence 1 α 2dk and thus 2k mod l. It follows that l s even. Thus 1 D d,q f and only f l s even. Hence f q 1/d s odd, we have { P d1 max d max, j d + 1,d max, j } d + 1 q + d 1 q 1 d max, j d + 1. q 1 It s obvous that dmax, j d P d1. q 1 + d Ths completes the proof. For the authentcaton codes of Theorem 2, the success probablty of mpersonaton P d s essentally 1/d when d s small compared to q. The probablty of successful substtuton P d1 s bounded below and

6 98 T.W. Sze et al. / Informaton and Computaton above by the maxmum cyclotomc number of order d. In general t s hard to determne the maxmum cyclotomc number of order d for large d. The codes descrbed n Theorem 2 do contan very good codes, as gven n the followng theorem. Theorem 3. Let q p 2s and d p s 1. Then the code of Theorem 2 has parameters S p 2s, E p 2s, T p s 1 and P d 1 p s 1 + ps 2 p 2s p s 1, 3 p s +1, f p 2 3 P d1 p s +1, f p odd, and ps + 1 / mod 3, 4 p s +2, f p odd, and ps + 1 mod 3. Proof. To prove ths theorem, we frst show that, j d 2 for any par, j. To ths end, we consder the number of solutons u, v to the equaton α j α du 1 + α α dv, 4 where, j d 1 and u, v p s.defne l p s + 1, a α, b α j. Then t follows from 4 that 1 + aα dv p s +1 b p s +1, whch gves a α dv a ps +1 b ps +1 α dv + a ps. Note that the equaton ax a ps +1 b ps +1 x + a ps 5 has at most two solutons. Hence, j d 2. If p 2, then l p s + 1 must be odd. It then follows from Theorem 2 that P d1 p 3 s +1. If p s + 1 / mod 3, we clam that, d 1. In ths case we have, j,. So5 becomes x 2 + x + 1. If x α dv / 1 s a soluton of x 2 + x + 1, then v/ andx 3 1 x 1x 2 + x + 1. Hence x 3 α 3dv 1 and 3 dvdes l p s + 1. Ths s contrary to the assumpton that p s + 1 / mod 3. Hence n the case p s + 1 / mod 3, x 2 + x + 1 has at most one soluton x 1. It then follows agan from Theorem 2 that P d1 p 3 s +1. If p s + 1 mod 3, t follows from the fact, j d 2 and Theorem 2 that P d1 p 4 s +2. Ths completes the proof. The class of codes of Theorem 3 are the best among all the codes descrbed n Theorem 2, because at least one cyclotomc number of order d must be 2. Ths s justfed by one of the followng two formulas [3]:

7 T.W. Sze et al. / Informaton and Computaton A m h, m d l n h, where 1, h mod d, l even n h 1, l d/2 mod d, l odd, otherwse. B h h, m d l k m, where { 1, f m mod d; k m, otherwse Comparson wth Helleseth Johansson s codes We now compare the codes of Theorem 3 wth a subclass of codes constructed by Helleseth and Johansson [6]. They constructed a class of codes wth parameters and S r md D/p, E r m+n, T r n 6 P d 1 r n, 7 P d1 1 r n + D 1, r m where r s a power of a prme p,andd 1sannteger. For the two codes to be comparable, we need to set m n s, r p>2, and D 2. Then the subclass of codes constructed by Helleseth and Johansson have parameters S p 2s, E p 2s, T p s 8 and P d 1 p s, 9 P d 1 1 p s + 1 p s. Note that the tag space of the subclass of codes constructed by Helleseth and Johansson has one more element than the codes n Theorem 3. So max{p d,p d1 }P d1 for the former should be smaller than that for the latter. However, f p s 4, we have 1 + p s p s p s 2 3ps + p s p s + 2 p s p s >. + 2 Hence from Table 1 the codes of Theorem 3 are better than the subclass of codes constructed by Helleseth and Johansson. Note that whle the parameters of Helleseth Johansson s codes are more flexble, the two code constructon schemes are comparable only when the above mentoned condtons are satsfed.

8 1 T.W. Sze et al. / Informaton and Computaton Table 1 Comparson of a subclass of Helleseth Johansson s codes wth those n Theorem 3 Parameters S E T max{p d,p d1 }P d1 Subclass of HJ s codes p 2s p 2s p s 1+ p s p s Codes n Theorem 3 p 2s p 2s p s p s 3. The second class of authentcaton codes based on the logarthm functon Let F be a mappng from A to B, where A, + and B, + are fnte abelan groups. The second constructon of [2] gves authentcaton codes S,E,T,f, 1 where the set of source states s S, + A, +, the set of keys E, + A B,+, the tag space s T, + B, +, and the authentcaton mappng f from S E to T s defned by fs,e a,e b Fs + e a + e b, e a,e b A B. In ths constructon, all keys and all state sources are equally lkely. Hence, the number of keys encodng rules s equal to the number of messages, whle n the frst constructon gven n Secton 2 the number of keys encodng rules s much smaller. Ths constructon of systematc authentcaton codes s qute general. The key task s to search for functons that gve good authentcaton codes wthn the framework of ths constructon. In ths secton, we use some logarthm functons to construct another class of authentcaton codes. Theorem 4. Let q 1 dl, where d and l are postve ntegers and q s a power of an odd prme. Set S GF q and T Z d. Defne Fx log α x mod d, where log α. Then for the code S,E,T,fof 1, we have and S q, E qd, T d P d 1 d, P d1 1 d + 2 qd 1 d + qd l even and d even or l odd and d mod 4, otherwse. Proof. By Theorem 1, {e E t fs,e} P d max s S,t fs,e {e E} {e a,e b t Fs + e a + e b } max s S,t fs,e A B

9 T.W. Sze et al. / Informaton and Computaton P d1 A A B 1 d. max max s S,t fs,e s /s,t fs,e max max s S,t fs,e s /s,t fs,e max s S,t fs,e max s /s,t fs,e max a/,b b Z d C d,q b {e E t fs,e,t fs,e} {e E t fs,e} {e a,e b t Fs + e a + e b,t Fs + e a + e b } A [ e b Z d C d,q t e b s C d,q t e b s ] + a C d,q q b+b /q, where a s s/, a 1 D 2,q, b t e b and b t t. Case 1: b mod d, by Lemmas 5 and 7, P d1 max a/ C d,q + a C d,q + b Z d \{} C d,q b + a C d,q b max, d + D d,q a/ {a, a} + + b,+ b d /q b Z d \{} max d,q D a/ {a, a} + + b,+ b d /q b Z d max d,q D a/ {a, a} + b,b d /q b Z d [ ] D d,q max {a, a} + l 1 /q a/ { l+1 q l q for dl 2 mod d, otherwse. Case 2: b mod d /, by Lemmas 5 and 7 n the Appendx A, [ P d1 max C d,q a/,b + a C d,q b + C d,q b + a C d,q + C d,q b + a C d,q b+b ]/q b Z d \{, b} /q

10 12 T.W. Sze et al. / Informaton and Computaton [ max, + b d + D d,q a/,b b {a} + b, d b,+ b + b d ]/q max b Z d \{, b} a/,b max a/,b D d,q b D d,q b [ D d,q max a/,b b To maxmze D d,q b and so a D d,q D d,q 2 {a} + {a} + {a} + D d,q b D d,q b D d,q b {a} + D d,q b b+ 2.For a D d,q b D d,q b { a} { a} + + b,+ b + b d /q b Z d { a} + b,b+ b d /q b Z d ] { a} + l /q. { a}, wthout loss of generalty, assume a D d,q b. 1, we consder the equaton b b + q 1 mod d 2 whch s equvalent to 2b dl mod d. 2 We now check whether ths equaton has a soluton. Case 1: l even and d even. In ths case b d/2 s a soluton. Case 2: l even and d odd. In ths case there s no soluton. Case 3: l odd and d mod 4. In ths case b d/4 s a soluton. Case 4: l odd and d 2 mod 4. In ths case there s no soluton. Note that q 1 dl, and the two cases d odd and l odd cannot happen at the same tme. Thus l+2 l even and d even P d1 q or l odd and d mod 4, otherwse. l+1 q All the values of P d1 n Case 2 are greater than or equal to the values of P d1 n Case 1. By substtutng q dl + 1, the theorem s proved Comparson wth another class of codes descrbed n [6] There are authentcaton codes wth parameters [6] S r m, E r m+n S T, T r n 11 and

11 T.W. Sze et al. / Informaton and Computaton P d P d1 1 r n. These codes are usually constructed by usng lnear functons n a natural way. For these codes we have gcd S, T r mnm,n / 1. However, for the codes of Theorem 4 we have gcd S, T 1, and the correspondng P d1 s slghtly bgger than T 1. Under the condton of 12, t may be proved that no code wth P d P d1 r 1 n exsts, because orthogonal arrays wth correspondng parameters may not exst. Hence the parameters of 11 are of dfferent types compared wth those n Theorem 4. On the other hand, the code constructon n Theorem 4 uses the logarthm functon Comparson wth Berbrauer s codes We now compare the codes of Theorem 4 wth Berbrauer s codes [1]. Berbrauer employed the composton method to geometry codes and obtaned an authentcaton code wth the followng parameters: and S r s1+rs t, E r 2s+t, T r t 13 P d 1 r t, P d 1 2 r t, 14 where r s a power of a prme p,ands t are natural numbers. In order for the codes to be comparable to the codes of Theorem 4 we set s t. Then 13 and 14 become S q 2t, E q 3t, T q t 15 and P d 1 q t 1 T, P d1 2 q t 1 T + 1 S. 16 In ths case we have E S T. For the code of Theorem 4, we have also E S T and P d T 1. But the success probablty of the substtuton attack on the code of Theorem 4 s P d1 l + 2 q < 1 d + 2 q 1 T + 1 S /2. Thus n the case that S > 2 T, the code of Theorem 4 s better than the subclass of codes of [1] n the specal case s t. Note that the codes of Theorem 4 are comparable wth only ths subclass of Berbrauer s codes due to restrctons on the code parameters.

12 14 T.W. Sze et al. / Informaton and Computaton Conclusons In ths paper wthn the framework of Chanson, Dng and Salomaa [2], we presented two classes of systematc authentcaton codes usng the theory of cyclotomy and the logarthm functon. In all the cases that the codes are comparable, our codes are better than Helleseth Johansson s codes and also Berbrauer s codes. Wth the known relatons between unversal hash famles and authentcaton codes [13,14], the authentcaton codes descrbed n ths paper may be used to construct unversal hash famles. The parameters of the authentcaton codes descrbed n Theorem 2 are flexble n that d could be any proper dvsor of q 1. However, d must be chosen carefully n order to get good authentcaton codes. For example, f q p 2s and d p s + 1, the code s bad n the sense that P d1 s qute large. Thus the codes of Theorem 2 contan both good and bad codes. A class of very good authentcaton codes based on algebrac curves were constructed by Xng, Wang and Lam [13]. Unfortunately the codes descrbed n ths paper cannot be compared wth the Xng Wang Lam codes because ther parameters are not comparable. Acknowledgments The authors thank both referees for ther constructve comments and suggestons that greatly mproved ths paper. Appendx A. Several auxlary results Recall that q 1 dl and that D d,q are the cyclotomc classes of order d. Also recall the defnton of C d,q n 2. The followng lemma s useful n the proof of Theorem 2. Lemma 5. Let a/, where a 1 D d,q,t / mod d and t / mod d. Then C d,q + a C d,q, d + D d,q {a, a}, C d,q + a C d,q t, + t d + D d,q t {a}, C d,q t + a C d,q + t, d + D d,q t { a}, C d,q t + a C d,q t + t, + t d. Proof. + a C d,q C d,q D d,q {}+a D d,q {} D d,q + a D d,q + D d,q {a, a} a 1 D d,q + 1 a 1 D d,q + D d,q {a, a}, d + D d,q {a, a}.

13 T.W. Sze et al. / Informaton and Computaton The remanng parts are proved smlarly. The Gaussan perods η of order d,, 1,...,d 1, are defned as follows: η ξ c, c D d,q where ξ s a complex qth root of unty. The followng results are well known, but we nclude a proof for the sake of completeness. To smplfy the notatons, we use, j to denote, j d, whch s the cyclotomc number of order d. Lemma 6. For cyclotomc numbers and Gaussan perods of order d, we have the followng: A η 1. B η η +k h k, hη +h + lθ k, where { 1 f l s even and k, or l s odd and k d/2, θ k otherwse. C h k, h l θ k. { l D qk,h 2 + η η +k η +h f l s even, l 2 + η η +k η +h+d/2 f l s odd. Proof. A By defnton, η B By defnton, η η +k c D d,q c D d,q h c D d,q ξ c c Z q ω c+u u D d,q +k u D d,q +k ω c[1+uc 1 ] k, hη +h + lθ k, ξ c 1 where θ k s1f 1 D d,q k and otherwse, mplyng the condton on θ k as defned above. C The expresson h k, h equals the number of tmes an element n Dd,q k s followed by an element n some D d,q h.snced d,q k contans l elements and the only element not n any D d,q h s, t follows that the sum equals l except when 1 snd d,q k, n whch case the sum equals l 1.

14 16 T.W. Sze et al. / Informaton and Computaton D Let h h f l s even and h h + d/2fl s odd. Then, from A, B and C, we obtan η η +k η +h a a a a a a k, aη +a + lθ k η +h a k, a η +a η +h lθ k k, a η u η u+h a lθ k k, a k, a u u b h a,bη u+b + lθ h a lθ k h a,b 1 + dlθ h a lθ k b k, a l θ h a 1 + dlθ h a lθ k k, adl + 1θ h a l lθ k q k, aθ h a l θ k l lθ k a l 2 + q k, aθ h a a l 2 + qk,h whch completes the proof. The next lemma gves a very nce and perhaps surprsng formula for the summatons u u, u + k, whch turn out to be ndependent of the ndvdual cyclotomc numbers. It plays an mportant role n provng Theorem 4. Lemma 7. Let q 1 dl and let q be an odd prme. Then { l 1 f k, u, u + k l f k/. u Proof. Let k k f l s even and k k + d/2fl s odd. By defnton, and the prevous lemmas, t follows that:

15 T.W. Sze et al. / Informaton and Computaton q u, u + kl 2 d + η η +u η +u+k u u q 1l + q 1l + q 1l + η u η t η q 1l + t η h η +u η +u+k η t η t+k h k,hη t+h + lθ k k,h η t+h dlθ k t q 1l + 1 k,h 1 q 1θ k h q 1l + l θ k q 1θ k ql θ k. Dvdng both sdes by q and usng the defnton of θ k prove ths lemma. References [1] J. Berbrauer, Unversal hashng and geometrc codes, Desgns, Codes, and Cryptography [2] S. Chanson, C. Dng, A. Salomaa, Cartesan authentcaton codes from functons wth optmal nonlnearty, Theoretcal Computer Scence [3] T.W. Cusck, C. Dng, A. Renvall, n: Stream Cphers and Number Theory, North-Holland Mathematcal Lbrary, vol. 55, North-Holland/Elsever, Amsterdam, [4] Y. Desmedt, Y. Frankel, M. Yung, Mult-sender network securty: effcent authentcated multcast/feedback, n: Proceedngs of IEEE Infocom 92, 1992, pp [5] E.N. Glbert, F.J. MacWllams, N.J.A. Sloane, Codes whch detect decepton, Bell System Techn. Journal [6] T. Helleseth, T. Johansson, Unversal hash functons from exponental sums over fnte felds and Galos rngs, n: Advances n Cryptology Crypto 96, Lecture Notes n Computer Scence, vol. 119, Sprnger, New York, [7] K. Kurosawa, S. Obana, Characterzaton of k, n mult-recever authentcaton, n: Informaton Securty and Prvacy: Proceedngs of ACISP 97, Lecture Notes n Computer Scence, vol. 127, Sprnger, New York, 1997, pp [8] R.S. Rees, D.R. Stnson, Combnatoral characterzatons of authentcaton codes II, Desgn, Codes, and Cryptography [9] R. Safav-Nan, H. Wang, New results on mult-recever authentcaton codes, n: Advances n Cryptology: Proceedngs of Eurocrypt 98, Lecture Notes n Computer Scence, vol. 143, Sprnger, New York, 1998, pp [1] R. Safav-Nan, H. Wang, Mult-recever authentcaton codes: models, bounds, constructons, and extensons, Informaton and Computaton

16 18 T.W. Sze et al. / Informaton and Computaton [11] G.J. Smmons, Authentcaton theory/codng theor, n: Advances n Cryptology: Proceedngs of Crypto 84, Lecture Notes n Computer Scence, vol. 196, Sprnger, New York, 1985, pp [12] D.R. Stnson, Combnatoral characterzatons of authentcaton codes, Desgns, Codes, and Cryptography [13] C. Xng, H. Wang, K.Y. Lam, Constructon of authentcaton codes from algebrac curves over fnte felds, IEEE Transactons on Informaton Theory [14] M.N. Wegman, J.L. Carter, New hash functons and ther use n authentcaton and set equalty, Journal of Computer and System Scences

Cryptanalysis of pairing-free certificateless authenticated key agreement protocol

Cryptanalysis of pairing-free certificateless authenticated key agreement protocol Cryptanalyss of parng-free certfcateless authentcated key agreement protocol Zhan Zhu Chna Shp Development Desgn Center CSDDC Wuhan Chna Emal: zhuzhan0@gmal.com bstract: Recently He et al. [D. He J. Chen