Designs, Codes and Cryptography, 1–17
© Kluwer Academic Publishers, Boston. Manufactured in The Netherlands.
Bounds and Combinatorial Structure of (k, n) Multi-Receiver A-codes

SATOSHI OBANA
C&C Media Research Laboratories, NEC Corporation, 4-1-1 Miyazaki, Miyamae-ku, Kawasaki, Kanagawa 216-8555, Japan
[email protected]

KAORU KUROSAWA
Department of Electrical and Electronic Engineering, Faculty of Engineering, Tokyo Institute of Technology, 2-12-1 O-okayama, Meguro-ku, Tokyo 152-8552, Japan
[email protected]

Abstract. In the model of (k, n) multi-receiver authentication codes (A-codes), a transmitter broadcasts a message m to n receivers in such a way that not only an outside opponent but also any $k-1$ receivers cannot cheat any other receiver. In this paper, we derive lower bounds on the cheating probabilities and the sizes of keys of (k, n) multi-receiver A-codes. The scheme proposed by Desmedt, Frankel and Yung meets all our bounds with equality. This means that our bounds are tight and their scheme is optimum. We further show a combinatorial structure of optimum (k, n) multi-receiver A-codes. A notion of TWOOAs is introduced. A TWOOA is a pair of orthogonal arrays which satisfy a certain condition. We then prove that an optimum (k, n) multi-receiver A-code is equivalent to a TWOOA.

Keywords: Cryptography, authentication code, multi-receiver, bound, orthogonal array.
1. Introduction

In the model of unconditionally secure authentication codes (A-codes) [13], there are three participants: a transmitter, a receiver, and an opponent. The opponent tries to cheat the receiver by an impersonation attack or a substitution attack. This model has been studied extensively. Lower bounds on the cheating probabilities and the size of keys have been given [11, 1, 12, 7, 15, 16, 17, 14]. Optimum A-codes are obtained by using combinatorial designs [15, 16, 17].

In the model of (k, n) multi-receiver A-codes, a transmitter broadcasts a message m to n receivers in such a way that not only an outside opponent but also any $k-1$ receivers cannot cheat any other receiver. This model is very important for many applications, such as network control and distributed systems. The obvious solution, to give every receiver its own key and to transmit an individually encrypted message to each receiver, requires a very long transmission. Another simple solution is to provide every receiver with the same key, but then any receiver could cheat any other receiver. Desmedt, Frankel and Yung [3] proposed an efficient (k, n) multi-receiver A-code in which the message length is smaller than that required by the obvious solution.

In this paper, we derive combinatorial lower bounds on the cheating probabilities and the sizes of keys of (k, n) multi-receiver A-codes. The DFY (Desmedt, Frankel and Yung) scheme [3] meets all our bounds with equality. This means that our bounds are tight and their scheme is optimum. We further show a combinatorial structure of optimum (k, n) multi-receiver A-codes. A notion of TWOOAs is introduced. A TWOOA is a pair of orthogonal arrays which satisfy a certain condition. We then prove that an optimum (k, n) multi-receiver A-code is equivalent to a TWOOA. This equivalence implies that:

1. A better (k, n) multi-receiver A-code is obtained if we can construct a TWOOA with better parameters.
2. A new bound for (k, n) multi-receiver A-codes is obtained if we can derive a new bound for TWOOAs.

This paper is organized as follows. Section 2 briefly overviews known results on A-codes. In Section 3, we give a definition of (k, n) multi-receiver A-codes. We also show that there exists a relationship between splitting A-codes and (k, n) multi-receiver A-codes. In Section 4, we derive lower bounds on the cheating probabilities of (k, n) multi-receiver A-codes. Section 5 derives lower bounds on the sizes of keys. In Section 6, we introduce the notion of TWOOAs and prove that an optimum (k, n) multi-receiver A-code is equivalent to a TWOOA.

Recently, Safavi-Naini and Wang showed a generalization of the DFY scheme to the multiple message model [8]. They also showed a (k, n) multi-receiver A-code with dynamic sender [8]. A construction based on an (n, m, k)-cover-free family was given by [8] and [4] independently. Broadcast encryption schemes [5, 18] and traceability schemes [2, 19] have similar but different models. In the model of broadcast encryption schemes, a center broadcasts a ciphertext so that only an intended subset of receivers can decrypt. In the model of traceability schemes, a center can identify an authorized user who contributed to making a pirate decoder if the center can find the pirate decoder. (A preliminary version of this paper [6] assumed that any $k-1$ receivers cannot guess the key of another receiver. This assumption is eliminated in this paper. Safavi-Naini and Wang showed information theoretic bounds and new constructions [9] after [6].)
2. Authentication code (A-code)

In the model of authentication codes (A-codes), there are three participants: a transmitter T, a receiver R, and an opponent O. T and R share a common encoding rule e. On input a source state s and an encoding rule e, T computes a message m = e(s) and sends m to R. R accepts or rejects m according to e. Let $S \triangleq \{s\}$, $E \triangleq \{e\}$ and $M \triangleq \{m\}$. Assume independent probability distributions on S and E. We denote an A-code by $(\mathcal{S}, \mathcal{E}, \mathcal{M})$, where $\mathcal{X}$ denotes a probability distribution over a set X.

In the impersonation attack, the opponent O sends a message m to the receiver. O succeeds if the receiver accepts m as authentic. The impersonation attack probability $P_I$ is defined as

$$P_I \triangleq \max_{m} \Pr[R \text{ accepts } m]. \quad (1)$$

In the substitution attack, O observes a message m that is transmitted by T and substitutes another message $\hat{m}$ for m. Again, O succeeds if $\hat{m}$ is accepted as authentic. The substitution attack probability $P_S$ is defined by

$$P_S \triangleq \sum_{m} \Pr(M = m) \max_{\hat{m}} \Pr[R \text{ accepts } \hat{m} \mid R \text{ accepts } m], \quad (2)$$

where the maximum is taken over $\hat{m}$ such that the source state of $\hat{m}$ is different from that of m. An A-code is called without secrecy if each m is written as m = (s, a), where s is a source state and a is an authenticator.

Proposition 1 [12] $P_I \ge |S|/|M|$. The equality holds if and only if $\Pr[R \text{ accepts } m] = |S|/|M|$ for all $m \in M$.

Proposition 2 [16] In an A-code without secrecy, if $P_I = |S|/|M|$, then $P_S \ge |S|/|M|$.

Definition 1. [10] An orthogonal array $OA_\lambda(k, l, n)$ is a $\lambda l^k \times n$ array of l symbols such that, in any k columns of the array, every one of the possible $l^k$ tuples of symbols occurs in exactly $\lambda$ rows. If $\lambda = 1$, this array is denoted by OA(k, l, n).

Proposition 3 [16] Suppose we have an A-code without secrecy which satisfies $P_I = P_S = |S|/|M| = 1/l$. Then $|E| \ge l^2$. The equality occurs if and only if the authentication matrix of E is an OA(2, l, |S|) and E is uniformly distributed.
3. (k, n) Multi-Receiver Authentication Code

3.1. Definitions

In the model of (k, n) multi-receiver authentication codes, there are n + 1 participants, a transmitter T and n receivers $R_1, R_2, \ldots, R_n$. T has a key $e_T$ and each $R_i$ has a key $e_i$. For a source state s, T computes a message $m = e_T(s)$ and broadcasts m. Each $R_i$ accepts or rejects m according to $e_i$. It is assumed that $k-1$ or fewer receivers and an outside opponent may be malicious and can collude to cheat another receiver by an impersonation attack or a substitution attack. We define a (k, n) multi-receiver A-code in terms of random variables as follows.

Definition 2. Let S denote the set of source states and M denote the set of messages. Let $E_T$ denote the set of keys of T and $E_i$ denote the set of keys of $R_i$. We say that $(\mathcal{S}, \mathcal{E}_T, \mathcal{E}_1, \ldots, \mathcal{E}_n, \mathcal{M})$ is a (k, n) multi-receiver A-code if the following two conditions are satisfied, where $\mathcal{X}$ denotes a random variable on a set X.

1. If $\Pr(\mathcal{E}_i = e_i \mid \mathcal{E}_T = e_T) > 0$ then $e_i$ accepts $e_T(s)$ for all $s \in S$ and for all i ($1 \le i \le n$).
2. There are at most $k-1$ malicious receivers.

Definition 3. Let $L = \{R_{i_1}, \ldots, R_{i_j}\}$ be a subset of receivers. Let e(L) denote the set of possible keys of L. That is,

$$e(L) \triangleq \{(e_{i_1}, \ldots, e_{i_j}) \mid \Pr(\mathcal{E}_{i_1}, \ldots, \mathcal{E}_{i_j} = e_{i_1}, \ldots, e_{i_j}) > 0\}.$$

Let $C_{R_i}$ denote the family of sets of at most $k-1$ receivers who may try to cheat the receiver $R_i$. That is,

$$C_{R_i} \triangleq \{L \mid L \subseteq \{R_1, \ldots, R_n\} \setminus \{R_i\},\ 0 \le |L| \le k-1\}.$$

If $L = \emptyset$, we consider that an outside opponent tries to cheat a receiver.

Suppose that $L \in C_{R_i}$ tries to cheat $R_i$ by sending m to $R_i$, where L has $(e_{i_1}, \ldots, e_{i_j})$ as their keys. Their best strategy is to send m such that each key of $(e_{i_1}, \ldots, e_{i_j})$ accepts m and $\Pr[R_i \text{ accepts } m \mid L \text{ has } (e_{i_1}, \ldots, e_{i_j}) \text{ accepting } m]$ is the maximum. From this observation, we define the impersonation attack probability $P_I$ and the substitution attack probability $P_S$ of (k, n) multi-receiver A-codes as follows.

$$P_I \triangleq \max_{R_i} \max_{L \in C_{R_i}} \max_{(e_{i_1}, \ldots, e_{i_j}) \in e(L)} \max_{m} \Pr[R_i \text{ accepts } m \mid L \text{ has } (e_{i_1}, \ldots, e_{i_j}) \text{ accepting } m], \quad (3)$$

$$P_S \triangleq \max_{R_i} \max_{L \in C_{R_i}} \max_{(e_{i_1}, \ldots, e_{i_j}) \in e(L)} \max_{m \ne m'} \Pr[R_i \text{ accepts } m' \mid L \text{ has } (e_{i_1}, \ldots, e_{i_j}) \text{ accepting } m',\ T \text{ sent } m], \quad (4)$$

where the source states of m and m' are different.

3.2. DFY polynomial scheme
Desmedt et al. [3] showed a (k, n) multi-receiver A-code as follows. All operations are done in GF(q). Let

$$e_T = (P_0(x), P_1(x)),$$

where $P_0(x)$ and $P_1(x)$ are random polynomials of degree at most $k-1$. Let

$$e_i = (P_0(i), P_1(i)).$$

For a source state s, T broadcasts m = (s, M(x)), where

$$M(x) = P_0(x) + s P_1(x).$$

Each $R_i$ accepts (s, M(x)) as authentic if and only if

$$M(i) = P_0(i) + s P_1(i).$$

In this scheme,

$$P_I = P_S = 1/q.$$

3.3. Splitting A-code and (k, n) Multi-Receiver A-code
In an A-code, it is possible that more than one message can be used to communicate a particular source state s; this is called splitting. For $e \in E$ and $s \in S$, define

$$\mathrm{Split}(e, s) \triangleq \{m \mid e(s) = m\}.$$

An A-code is called splitting if $|\mathrm{Split}(e, s)| > 1$ for some (e, s). It is called no splitting if $|\mathrm{Split}(e, s)| = 1$ for all (e, s). Let

$$M(e) \triangleq \{m \mid e \text{ accepts } m\} = \bigcup_{s \in S} \mathrm{Split}(e, s).$$

De Soete showed the following.

Proposition 4 [14] In a splitting A-code,

$$P_I \ge \min_{e \in E} \frac{|M(e)|}{|M|}.$$

Splitting A-codes are closely related to (k, n) multi-receiver A-codes. For example, suppose that some $k-1$ receivers accept just one message m for a source state s. Then they can cheat another receiver $R_i$ easily by sending this m to $R_i$. Therefore, any $k-1$ receivers must accept more than one message for each source state s. From Proposition 1 and Proposition 4, we have the following corollaries.

Corollary 1 In any A-code (whether or not it is splitting),

$$P_I \ge \frac{|S|}{|M|}.$$

Corollary 2 If

$$P_I = \frac{|S|}{|M|},$$

then the A-code is no splitting.
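The DFY scheme of Section 3.2 with the attack probabilities of eqs. (3) and (4) computed exhaustively, as an added example (not code from the paper): with the constructed parameters q = 3, k = 2, n = 3 it enumerates every transmitter key, every colluding set of at most $k-1$ receivers and every message, and checks that every honest broadcast is accepted, that $P_I = P_S = 1/q$, and that $|E_T| = q^{2k} = l^2$ and $|E_i| = q^2 = (\sqrt[k]{l})^2$ where $l = |M|/|S| = q^k$. The parameters and function names are this example's own assumptions.

```python
from fractions import Fraction
from itertools import combinations, product

# Constructed toy parameters (an assumption of this example): q prime so that arithmetic
# mod q is GF(q); k - 1 = 1 colluder; receivers R_1, ..., R_n evaluate at x = 1, ..., n.
q, k, n = 3, 2, 3
l = q ** k  # l = |M|/|S|: |S| = q source states, |M| = q * q^k messages (s, M(x))


def poly_eval(coeffs, x):
    """Evaluate sum(coeffs[d] * x^d) in GF(q); coeffs has k entries (degree <= k - 1)."""
    return sum(c * pow(x, d, q) for d, c in enumerate(coeffs)) % q


def all_polys():
    """Every polynomial of degree at most k - 1 over GF(q), as a coefficient tuple."""
    return list(product(range(q), repeat=k))


def receiver_key(eT, i):
    """e_i = (P0(i), P1(i)) for the transmitter key eT = (P0(x), P1(x))."""
    P0, P1 = eT
    return (poly_eval(P0, i), poly_eval(P1, i))


def broadcast(eT, s):
    """Message m = (s, M(x)) with M(x) = P0(x) + s * P1(x)."""
    P0, P1 = eT
    return (s, tuple((c0 + s * c1) % q for c0, c1 in zip(P0, P1)))


def accepts(ei, i, m):
    """R_i accepts (s, M(x)) iff M(i) = P0(i) + s * P1(i)."""
    s, M = m
    return poly_eval(M, i) == (ei[0] + s * ei[1]) % q


def honest_messages_accepted():
    """Condition 1 of Definition 2: every receiver accepts every honestly formed message."""
    return all(accepts(receiver_key(eT, i), i, broadcast(eT, s))
               for eT in product(all_polys(), repeat=2)
               for s in range(q) for i in range(1, n + 1))


def accept_fraction(i, m, eTs):
    """Pr[R_i accepts m] when eT is uniform over the list eTs."""
    return Fraction(sum(accepts(receiver_key(eT, i), i, m) for eT in eTs), len(eTs))


def cheating_probabilities():
    """Exact P_I (eq. 3) and P_S (eq. 4) by enumeration, eT uniform over E_T."""
    ET = list(product(all_polys(), repeat=2))
    messages = [(s, M) for s in range(q) for M in all_polys()]
    PI = PS = Fraction(0)
    for i in range(1, n + 1):
        others = [j for j in range(1, n + 1) if j != i]
        for size in range(k):  # |L| <= k - 1; L = () is the outside opponent
            for L in combinations(others, size):
                groups = {}  # transmitter keys grouped by the key tuple they give L
                for eT in ET:
                    groups.setdefault(tuple(receiver_key(eT, j) for j in L), []).append(eT)
                for Lkeys, eTs in groups.items():
                    for m in messages:
                        # L only gains by sending a message that its own keys accept
                        if not all(accepts(ej, j, m) for ej, j in zip(Lkeys, L)):
                            continue
                        PI = max(PI, accept_fraction(i, m, eTs))
                        # substitution: T sent m0 with another source state, L replaces it by m
                        for m0 in messages:
                            if m0[0] == m[0]:
                                continue
                            consistent = [eT for eT in eTs if broadcast(eT, m0[0]) == m0]
                            if consistent:
                                PS = max(PS, accept_fraction(i, m, consistent))
    return PI, PS


def key_space_sizes():
    """(|E_T|, |E_i|): q^(2k) = l^2 transmitter keys and q^2 = (l^(1/k))^2 receiver keys."""
    ET = list(product(all_polys(), repeat=2))
    return len(ET), len({receiver_key(eT, 1) for eT in ET})


if __name__ == "__main__":
    print("honest messages accepted:", honest_messages_accepted())
    print("P_I, P_S =", cheating_probabilities(), " bound 1/l^(1/k) = 1/q =", Fraction(1, q))
    print("|E_T|, |E_i| =", key_space_sizes(), " l^2, (l^(1/k))^2 =", l * l, q * q)
```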
4. Lower bounds on cheating probabilities

In this section, we show lower bounds on the cheating probabilities of (k, n) multi-receiver A-codes. Fix a (k, n) multi-receiver A-code $(\mathcal{S}, \mathcal{E}_T, \mathcal{E}_1, \ldots, \mathcal{E}_n, \mathcal{M})$ and let

$$l \triangleq |M|/|S|.$$

4.1. Lower bounds on $P_I$

Lemma 1 Let X and Y be random variables. Let x be an event that X can take. Let $b_1, b_2, \ldots, b_l$ be exclusive events that Y can take. Then

$$\max_{i} \Pr[X = x \mid Y = b_i] \ge \Pr[X = x \mid Y = b_1 \text{ or } b_2 \text{ or } \ldots \text{ or } b_l].$$

The equality holds if and only if $\Pr[X = x \mid Y = b_i] = \Pr[X = x \mid Y = b_1 \text{ or } b_2 \text{ or } \ldots \text{ or } b_l]$ for all i.

Proof:

$$\begin{aligned}
\Pr[X = x \mid Y = b_1 \text{ or } b_2 \text{ or } \ldots \text{ or } b_l]
&= \frac{\Pr[X = x,\ Y = b_1 \text{ or } b_2 \text{ or } \ldots \text{ or } b_l]}{\Pr[Y = b_1 \text{ or } b_2 \text{ or } \ldots \text{ or } b_l]} \\
&= \frac{\sum_i \Pr[X = x,\ Y = b_i]}{\sum_i \Pr[Y = b_i]}
 = \frac{\sum_i \Pr[X = x \mid Y = b_i] \Pr[Y = b_i]}{\sum_i \Pr[Y = b_i]} \\
&\le \frac{\max_i \Pr[X = x \mid Y = b_i] \sum_i \Pr[Y = b_i]}{\sum_i \Pr[Y = b_i]}
 = \max_i \Pr[X = x \mid Y = b_i].
\end{aligned}$$
It is easy to see the if-and-only-if part.

Corollary 3 For all $R_i$, $L \in C_{R_i}$ and for all $m \in M$,

$$\max_{(e_{i_1}, \ldots, e_{i_j}) \in e(L)} \Pr[R_i \text{ accepts } m \mid L \text{ has } (e_{i_1}, \ldots, e_{i_j}) \text{ accepting } m] \ge \Pr[R_i \text{ accepts } m \mid L \text{ accepts } m].$$

The equality holds if and only if

$$\Pr[R_i \text{ accepts } m \mid L \text{ has } (e_{i_1}, \ldots, e_{i_j}) \text{ accepting } m] = \Pr[R_i \text{ accepts } m \mid L \text{ accepts } m] \quad (5)$$

for all $(e_{i_1}, \ldots, e_{i_j}) \in e(L)$.

Proof: "L accepts m" is equivalent to

$$\bigvee_{(e_{i_1}, \ldots, e_{i_j}) \in e(L)} \text{"}L \text{ has } (e_{i_1}, \ldots, e_{i_j}) \text{ accepting } m\text{"}.$$

It is clear that "L has $(e_{i_1}, \ldots, e_{i_j})$" and "L has $(e'_{i_1}, \ldots, e'_{i_j})$" are exclusive events if $(e_{i_1}, \ldots, e_{i_j}) \ne (e'_{i_1}, \ldots, e'_{i_j})$. The claim then follows from Lemma 1.

Theorem 1 In a (k, n) multi-receiver A-code,
$$P_I \ge 1/\sqrt[k]{l}.$$

The equality holds if and only if for all $m \in M$,

$$\Pr[R_{i_1}, \ldots, R_{i_k} \text{ accept } m] = 1/l \text{ for all } (R_{i_1}, \ldots, R_{i_k}) \quad (6)$$

and

$$\Pr[R_i \text{ accepts } m \mid L \text{ has } (e_{i_1}, \ldots, e_{i_j}) \text{ accepting } m] = 1/\sqrt[k]{l} \quad (7)$$

for all $R_i$, $L \in C_{R_i}$ and for all $(e_{i_1}, \ldots, e_{i_j}) \in e(L)$.

Proof: Fix a (k, n) multi-receiver A-code $(\mathcal{S}, \mathcal{E}_T, \mathcal{E}_1, \ldots, \mathcal{E}_n, \mathcal{M})$. For any k receivers $R_{i_1}, \ldots, R_{i_k}$, we construct an A-code $(\mathcal{S}', \mathcal{E}', \mathcal{M}')$ as follows.

$$\begin{aligned}
\Pr(\mathcal{S}' = s) &\triangleq \Pr(\mathcal{S} = s), \\
\Pr(\mathcal{E}' = (e_1, \ldots, e_k)) &\triangleq \Pr(\mathcal{E}_{i_1}, \ldots, \mathcal{E}_{i_k} = e_1, \ldots, e_k), \\
E' &= \{(e_1, \ldots, e_k) \mid \Pr(\mathcal{E}_{i_1} = e_1, \ldots, \mathcal{E}_{i_k} = e_k) > 0\}.
\end{aligned}$$

The receiver of this A-code accepts a message m if and only if all of $R_{i_1}, \ldots, R_{i_k}$ accept m. Let $\hat{P}_I$ denote the impersonation attack probability of this A-code. Then from Corollary 1, we have $\hat{P}_I \ge 1/l$. That is,

$$\hat{P}_I = \max_{m} \Pr(R_{i_1}, \ldots, R_{i_k} \text{ accept } m) \ge 1/l.$$

Therefore, there exists a message m such that

$$\Pr(R_{i_1}, \ldots, R_{i_k} \text{ accept } m) \ge 1/l.$$

Next, let $A^m_i$ denote the event "$R_i$ accepts m". Then

$$\Pr[A^m_{i_1} A^m_{i_2} \cdots A^m_{i_k}] = \Pr(R_{i_1}, \ldots, R_{i_k} \text{ accept } m) \ge 1/l. \quad (8)$$

Now

$$\begin{aligned}
\Pr[A^m_{i_1} A^m_{i_2} \cdots A^m_{i_k}]
&= \Pr[A^m_{i_1}] \Pr[A^m_{i_2} \cdots A^m_{i_k} \mid A^m_{i_1}] \\
&= \Pr[A^m_{i_1}] \Pr[A^m_{i_2} \mid A^m_{i_1}] \Pr[A^m_{i_3} \cdots A^m_{i_k} \mid A^m_{i_1} A^m_{i_2}] \\
&= \Pr[A^m_{i_1}] \Pr[A^m_{i_2} \mid A^m_{i_1}] \Pr[A^m_{i_3} \mid A^m_{i_1} A^m_{i_2}] \Pr[A^m_{i_4} \cdots A^m_{i_k} \mid A^m_{i_1} A^m_{i_2} A^m_{i_3}] \\
&\ \ \vdots \\
&= \Pr[A^m_{i_1}] \Pr[A^m_{i_2} \mid A^m_{i_1}] \Pr[A^m_{i_3} \mid A^m_{i_1} A^m_{i_2}] \cdots \Pr[A^m_{i_k} \mid A^m_{i_1} A^m_{i_2} \cdots A^m_{i_{k-1}}] \\
&\ge \frac{1}{l}. \qquad (9)
\end{aligned}$$

Therefore, there exists some j ($1 \le j \le k$) such that

$$\Pr[A^m_{i_j} \mid A^m_{i_1} A^m_{i_2} \cdots A^m_{i_{j-1}}] \ge \frac{1}{\sqrt[k]{l}}. \quad (10)$$

Let $L = (R_{i_1}, \ldots, R_{i_{j-1}})$. Then from Corollary 3, we have

$$\begin{aligned}
P_I &\ge \max_{(e_{i_1}, \ldots, e_{i_{j-1}}) \in e(L)} \Pr(R_{i_j} \text{ accepts } m \mid L \text{ has } (e_{i_1}, \ldots, e_{i_{j-1}}) \text{ accepting } m) \\
&\ge \Pr(R_{i_j} \text{ accepts } m \mid L \text{ accepts } m) \\
&= \Pr[A^m_{i_j} \mid A^m_{i_1} A^m_{i_2} \cdots A^m_{i_{j-1}}] \ge \frac{1}{\sqrt[k]{l}}. \qquad (11)
\end{aligned}$$

Therefore, $P_I \ge 1/\sqrt[k]{l}$. Suppose that eq. (7) holds. Then from the definition of $P_I$, it holds that $P_I = 1/\sqrt[k]{l}$. Next suppose that $P_I = 1/\sqrt[k]{l}$. Then all the inequalities of eq. (11) must hold with equality. From the equality of eq. (8), we have eq. (6). Finally, from the second equality of eq. (11) and Corollary 3, we have eq. (7).
Corollary 4 If $P_I = 1/\sqrt[k]{l}$, then

$$\Pr(R_i \text{ accepts } m \mid L \text{ accepts } m) = 1/\sqrt[k]{l}$$

for all $R_i$, $L \in C_{R_i}$ and for all $m \in M$.

Proof: All the inequalities of eq. (11) hold with equality.

4.2. Lower bounds on $P_S$
In this subsection, we consider (k, n) multi-receiver A-codes without secrecy. Let $M_s$ denote the set of messages whose source state is s. In the DFY scheme, any k receivers accept just one authenticator M(x) simultaneously for a given source state s. This observation can be generalized as follows.

Lemma 2 If $P_I = 1/\sqrt[k]{l}$, then

$$|\mathrm{Split}(e_1, \ldots, e_k; s)| = 1$$

for all $(R_{i_1}, \ldots, R_{i_k})$, $(e_1, \ldots, e_k) \in e(R_{i_1}, \ldots, R_{i_k})$ and for all $s \in S$, where

$$\mathrm{Split}(e_1, \ldots, e_k; s) = \{m \mid m \in M_s,\ \text{each } e_i \text{ accepts } m\}.$$

Proof: If $P_I = 1/\sqrt[k]{l}$, then from Theorem 1,

$$\Pr[R_{i_1}, \ldots, R_{i_k} \text{ accept } m] = 1/l$$

for all $m \in M$ and for all $(R_{i_1}, \ldots, R_{i_k})$. Then the A-code $(\mathcal{S}', \mathcal{E}', \mathcal{M})$ in the proof of Theorem 1 is no splitting from Corollary 2.

Lemma 3 If $P_I = 1/\sqrt[k]{l}$, then $|M_s| = l$ for all $s \in S$.

Proof: Suppose that $P_I = 1/\sqrt[k]{l}$ and f\u200bix s arbitrarily. Let $L = \{R_1, \ldots, R_k\}$. Then $|\mathrm{Split}(e_1, \ldots, e_k; s)| = 1$ for any $(e_1, \ldots, e_k) \in e(L)$ from Lemma 2. Therefore, "L accepts $m \in M_s$" and "L accepts $m' \in M_s$" are exclusive events if $m \ne m'$. Hence,

$$\sum_{m \in M_s} \Pr(L \text{ accepts } m) = 1.$$

On the other hand, from Corollary 4, $\Pr(L \text{ accepts } m) = 1/l$ for all $m \in M$. Therefore,

$$1 = \sum_{m \in M_s} \Pr(L \text{ accepts } m) = \sum_{m \in M_s} 1/l = |M_s|/l.$$

Hence, we have $|M_s| = l$ for all $s \in S$.

Theorem 2 In a (k, n) multi-receiver A-code without secrecy, if $P_I = 1/\sqrt[k]{l}$ then

$$P_S \ge 1/\sqrt[k]{l}.$$

The equality holds if and only if for all s, s' with $s \ne s'$ and for all $m \in M_s$, $m' \in M_{s'}$,

$$\Pr[R_{i_1}, \ldots, R_{i_k} \text{ accept } m' \mid T \text{ sent } m] = 1/l \text{ for all } (R_{i_1}, \ldots, R_{i_k}) \quad (12)$$

and

$$\Pr[R_i \text{ accepts } m' \mid L \text{ has } (e_{i_1}, \ldots, e_{i_j}) \text{ accepting } m',\ T \text{ sent } m] = 1/\sqrt[k]{l} \quad (13)$$

for all $R_i$, $L \in C_{R_i}$ and for all $(e_{i_1}, \ldots, e_{i_j}) \in e(L)$.

Proof: Fix a (k, n) multi-receiver A-code $(\mathcal{S}, \mathcal{E}_T, \mathcal{E}_1, \ldots, \mathcal{E}_n, \mathcal{M})$. Suppose that T sent m such that $m \in M_s$. Consider a new (k, n) multi-receiver A-code, $\mathrm{Multi}_m$, such that the set of source states is $S' \triangleq S \setminus \{s\}$, the set of messages is $M' \triangleq M \setminus M_s$ and the probability distribution on each key is conditioned by the fact that T sent m. Then the $P_S$ of the original (k, n) multi-receiver A-code is equal to $\max_m P_I$ of $\mathrm{Multi}_m$. For $\mathrm{Multi}_m$, let

$$l' \triangleq |M'|/|S'|.$$

Then from Lemma 3,

$$l' = (|M| - |M_s|)/(|S| - 1) = (l|S| - l)/(|S| - 1) = l.$$

Therefore, from Theorem 1,

$$P_S \ge 1/\sqrt[k]{l'} = 1/\sqrt[k]{l}.$$

The necessary and sufficient condition for the equality also comes from Theorem 1.
5. Lower bounds on the size of keys

In this section, we derive lower bounds on the sizes of keys of (k, n) multi-receiver A-codes without secrecy.

Lemma 4 If $P_I = 1/\sqrt[k]{l}$, then the following two statements are equivalent for all $(R_{i_1}, \ldots, R_{i_k})$ and for all s.

1. $R_{i_1}, \ldots, R_{i_k}$ accept $m \in M_s$.
2. T has a key $e_T$ such that $m = e_T(s)$.

Proof: From Lemma 2, there exists just one $m \in M_s$ which $R_{i_1}, \ldots, R_{i_k}$ accept. This means that T has a key $e_T$ such that $m = e_T(s)$. Hence, we have (1) → (2). It is clear that (2) → (1).

Theorem 3 In a (k, n) multi-receiver A-code without secrecy, if $P_I = P_S = 1/\sqrt[k]{l}$, then

$$|E_T| \ge l^2.$$

The equality holds if and only if the structure of $E_T$ is an orthogonal array $OA_1(2, l, |S|)$ and $E_T$ is uniformly distributed.

Proof: Fix a (k, n) multi-receiver A-code $(\mathcal{S}, \mathcal{E}_T, \mathcal{E}_1, \ldots, \mathcal{E}_n, \mathcal{M})$ and suppose that $P_I = P_S = 1/\sqrt[k]{l}$. From the (k, n) multi-receiver A-code, consider an A-code $(\mathcal{S}, \mathcal{E}_T, \mathcal{M})$. Let $\tilde{R}$ denote the receiver of this A-code. $\tilde{R}$ accepts m = (s, a) if and only if $m = e_T(s)$. Then the following three statements are equivalent from Lemma 4. For all $s \in S$,

1. $R_1, \ldots, R_k$ accept $m \in M_s$.
2. T has a key $e_T$ such that $m = e_T(s)$.
3. $\tilde{R}$ accepts only $m \in M_s$.

This means that $(\mathcal{S}, \mathcal{E}_T, \mathcal{M})$ is no splitting. Let $\tilde{P}_I$ and $\tilde{P}_S$ denote the $P_I$ and the $P_S$ of the A-code $(\mathcal{S}, \mathcal{E}_T, \mathcal{M})$, respectively. Then from Theorem 1 and Theorem 2, we have

$$\tilde{P}_I = \tilde{P}_S = 1/l.$$

Finally, apply Proposition 3 to the A-code $(\mathcal{S}, \mathcal{E}_T, \mathcal{M})$. Then we obtain this theorem.

Lemma 5 If $P_I = 1/\sqrt[k]{l}$, then

$$|\{m \mid m \in M_s,\ (e_1, \ldots, e_{k-1}) \text{ accept } m\}| = \sqrt[k]{l}$$

for all $s \in S$, $L = \{R_{i_1}, \ldots, R_{i_{k-1}}\}$ and for all $(e_1, \ldots, e_{k-1}) \in e(L)$.

Proof: Fix s, $L = \{R_{i_1}, \ldots, R_{i_{k-1}}\}$ and $(e_1, \ldots, e_{k-1}) \in e(L)$ arbitrarily. Let

$$M^{k-1}_s \triangleq \{m \mid m \in M_s,\ (e_1, \ldots, e_{k-1}) \text{ accept } m\}.$$

Choose $R_i \notin L$ arbitrarily and consider $\tilde{e}_i$ such that

$$\Pr(\mathcal{E}_i = \tilde{e}_i \mid \mathcal{E}_{i_1}, \ldots, \mathcal{E}_{i_{k-1}} = e_1, \ldots, e_{k-1}) > 0.$$

Such $\tilde{e}_i$ accepts just one message of $M^{k-1}_s$ from Lemma 2 if L has $(e_1, \ldots, e_{k-1})$. Therefore, "$R_i$ accepts $m \in M^{k-1}_s$" and "$R_i$ accepts $m' \in M^{k-1}_s$" are exclusive events if $m \ne m'$. Hence

$$\sum_{m \in M^{k-1}_s} \Pr(R_i \text{ accepts } m \mid L \text{ has } (e_1, \ldots, e_{k-1})) = 1.$$

Now from Theorem 1,

$$1 = \sum_{m \in M^{k-1}_s} \Pr(R_i \text{ accepts } m \mid L \text{ has } (e_1, \ldots, e_{k-1})) = \sum_{m \in M^{k-1}_s} 1/\sqrt[k]{l} = |M^{k-1}_s| / \sqrt[k]{l}.$$

Therefore, $|M^{k-1}_s| = \sqrt[k]{l}$.

Theorem 4 In a (k, n) multi-receiver A-code without secrecy, if $P_I = P_S = 1/\sqrt[k]{l}$, then

$$|E_i| \ge (\sqrt[k]{l})^2. \quad (14)$$

Proof: Fix $R_i$, $L \in C_{R_i}$ and $(e_1, \ldots, e_{k-1}) \in e(L)$ arbitrarily, where $L = (R_{i_1}, \ldots, R_{i_{k-1}})$. Let

$$M^{k-1}_s \triangleq \{m \mid m \in M_s,\ (e_1, \ldots, e_{k-1}) \text{ accept } m\}.$$

For all $s, s' \in S$ with $s \ne s'$ and for all $m \in M^{k-1}_s$, $m' \in M^{k-1}_{s'}$, let

$$p_1 \triangleq \Pr(R_i \text{ accepts } m' \mid L \text{ has } (e_1, \ldots, e_{k-1}) \text{ accepting } m',\ T \text{ sent } m).$$

Then $p_1 = 1/\sqrt[k]{l} > 0$ from Theorem 2. On the other hand, from Lemma 4,

$$\begin{aligned}
p_1 &= \Pr(R_i \text{ accepts } m' \mid L \text{ has } (e_1, \ldots, e_{k-1}) \text{ accepting } m' \text{ and } m,\ R_i \text{ accepts } m) \\
&= \frac{\Pr(R_i \text{ accepts } m \text{ and } m' \mid L \text{ has } (e_1, \ldots, e_{k-1}) \text{ accepting } m' \text{ and } m)}{\Pr(R_i \text{ accepts } m \mid L \text{ has } (e_1, \ldots, e_{k-1}) \text{ accepting } m' \text{ and } m)}.
\end{aligned}$$

Therefore,

$$\Pr(R_i \text{ accepts } m \text{ and } m' \mid L \text{ has } (e_1, \ldots, e_{k-1}) \text{ accepting } m' \text{ and } m) > 0.$$

Hence, for all $s, s' \in S$ with $s \ne s'$ and for all $m \in M^{k-1}_s$, $m' \in M^{k-1}_{s'}$, there exists $\tilde{e}_i \in E_i$ which accepts both m and m'. Further, $R_i$ accepts just one message of $M^{k-1}_s$ for all $s \in S$ from Lemma 2. Therefore,

$$|E_i| \ge |M^{k-1}_s| \cdot |M^{k-1}_{s'}| = (\sqrt[k]{l})^2$$

from Lemma 5.
6. Combinatorial structure of optimum (k, n) multi-receiver A-codes

6.1. Key structure

The scheme proposed by Desmedt, Frankel and Yung [3] meets all the bounds of Theorem 1, Theorem 2, Theorem 3 and Theorem 4 with equality. This means that our bounds are tight and their scheme is optimum. Therefore, we have the following definition.

Definition 4. We say that a (k, n) multi-receiver A-code is optimum if $P_I = P_S = 1/\sqrt[k]{l}$, $|E_T| = l^2$, $|E_i| = (\sqrt[k]{l})^2$ for $1 \le i \le n$ and $E_T$ is uniformly distributed.

Let

$$\mathrm{ALL} = e(R_1, \ldots, R_n) = \{(e_1, \ldots, e_n) \mid \Pr(\mathcal{E}_1, \ldots, \mathcal{E}_n = e_1, \ldots, e_n) > 0\}.$$

Lemma 6 In an optimum (k, n) multi-receiver A-code,

$$|\mathrm{ALL}| = l^2.$$

Proof: Since there exists at least one $(e_1, \ldots, e_n)$ such that $\Pr(\mathcal{E}_1, \ldots, \mathcal{E}_n = e_1, \ldots, e_n \mid \mathcal{E}_T = e_T) > 0$ for all $e_T \in E_T$, we have

$$|\mathrm{ALL}| \ge |E_T| = l^2. \quad (15)$$

Next we will show that $|\mathrm{ALL}| \le l^2$. Fix $(e_1, \ldots, e_k)$ arbitrarily. From Lemma 2, $|\mathrm{Split}(e_1, \ldots, e_k; s)| = 1$ for all $s \in S$. Therefore, $e_T(s)$ is uniquely determined for all $s \in S$. Fix $s_1 \in S$ and $s_2 \in S$ such that $s_1 \ne s_2$ arbitrarily. Then for all $i \ge 1$, there exists a unique $e_{k+i} \in E_{k+i}$ such that $e_{k+i}$ accepts both $e_T(s_1)$ and $e_T(s_2)$ if $|E_{k+i}| = (\sqrt[k]{l})^2$, from the proof of Theorem 4. This implies that $e_{k+i}$ is uniquely determined from $(e_1, \ldots, e_k)$. Therefore, $(e_1, \ldots, e_n)$ is uniquely determined from $(e_1, \ldots, e_k)$. Hence,

$$\begin{aligned}
|\mathrm{ALL}| &= |e(R_1, \ldots, R_k)| & (16) \\
&\le |E_1| \cdots |E_k| & (17) \\
&= \left((\sqrt[k]{l})^2\right)^k = l^2. & (18)
\end{aligned}$$

From eq. (15) and eq. (18) we have $|\mathrm{ALL}| = l^2$.

In the proof of Lemma 6, the equality of eq. (15) must hold. Therefore, there exists just one $(e_1, \ldots, e_n)$ such that

$$\Pr(\mathcal{E}_1, \ldots, \mathcal{E}_n = e_1, \ldots, e_n \mid \mathcal{E}_T = e_T) > 0 \quad (19)$$

for all $e_T \in E_T$. From this observation, we have the following definition.

Definition 5. The key structure $L_1$ of an optimum (k, n) multi-receiver A-code is a $|E_T| \times n$ matrix such that the $e_T$-th row is the $(e_1, \ldots, e_n)$ which satisfies eq. (19).

Lemma 7 The key structure $L_1$ of an optimum (k, n) multi-receiver A-code is an $OA(k, (\sqrt[k]{l})^2, n)$.

Proof: In the proof of Lemma 6, the equality of eq. (17) must hold. This means that the key structure is an $OA(k, (\sqrt[k]{l})^2, n)$.

6.2. TWOOA
Definition 6. Let $L_1 = [a_{ij}]$ be an $OA(k, (\sqrt[k]{l})^2, n)$. Let $b = (b_1, \ldots, b_{l^2})^T$ be a vector which consists of l elements $\{a_1, \ldots, a_l\}$. For $x \in \{a_1, \ldots, a_l\}$, suppose that

$$b_{i_1} = b_{i_2} = \cdots = b_{i_h} = x.$$

Define B(x) to be the $h \times n$ submatrix of $L_1$ which consists of the $i_j$-th rows of $L_1$ for $j = 1, 2, \ldots, h$. We say that $L_1$ and b are friendly if each column of B(x) contains just $\sqrt[k]{l}$ symbols for all $x \in \{1, 2, \ldots, l\}$.

Example: Let k = 2, l = 4, n = 2 and let

$$L_1^T = \begin{pmatrix} 0 & 1 & 0 & 1 & 2 & 3 & 2 & 3 & 0 & 1 & 0 & 1 & 2 & 3 & 2 & 3 \\ 0 & 1 & 1 & 0 & 2 & 3 & 3 & 2 & 2 & 3 & 3 & 2 & 0 & 1 & 1 & 0 \end{pmatrix},$$

$$b^T = \begin{pmatrix} 1 & 1 & 1 & 1 & 2 & 2 & 2 & 2 & 3 & 3 & 3 & 3 & 4 & 4 & 4 & 4 \end{pmatrix}.$$

Then

$$B(1) = \begin{pmatrix} 0 & 0 \\ 1 & 1 \\ 0 & 1 \\ 1 & 0 \end{pmatrix}, \quad B(2) = \begin{pmatrix} 2 & 2 \\ 3 & 3 \\ 2 & 3 \\ 3 & 2 \end{pmatrix}, \quad B(3) = \begin{pmatrix} 0 & 2 \\ 1 & 3 \\ 0 & 3 \\ 1 & 2 \end{pmatrix}, \quad B(4) = \begin{pmatrix} 2 & 0 \\ 3 & 1 \\ 2 & 1 \\ 3 & 0 \end{pmatrix}.$$

B(1) is the first 4 rows of $L_1$, B(2) is the next 4 rows of $L_1$, etc. Each column of B(i) consists of $\sqrt{4} = 2$ symbols for i = 1, 2, 3, 4. Therefore, $L_1$ and b are friendly.
Definition 7. We say that $L = L_1 \| L_2$ is a $\mathrm{TWOOA}(k, (\sqrt[k]{l})^2, n_1, 2, l, n_2)$ if $L_1$ is an $OA(k, (\sqrt[k]{l})^2, n_1)$, $L_2$ is an $OA(2, l, n_2)$, and $L_1$ and each column vector of $L_2$ are friendly, where $\|$ denotes concatenation.

6.3. Multi-Receiver A-code = TWOOA

Definition 8. In an optimum (k, n) multi-receiver A-code, let $L_1$ be the $OA(k, (\sqrt[k]{l})^2, n)$ of the key structure and $L_2$ be the $OA(2, l, |S|)$ of the structure of $E_T$ (see Theorem 3). We say that $L = L_1 \| L_2$ is the structure of the (k, n) multi-receiver A-code, where $\|$ denotes concatenation.

Example: Consider a DFY polynomial scheme such that |S| = q = prime. Then $L_1$ is as follows.

$$L_1 = \begin{array}{c|ccc}
 & 1 & \cdots & n \\ \hline
(P_1(x), Q_1(x)) & (P_1(1), Q_1(1)) & \cdots & (P_1(n), Q_1(n)) \\
(P_2(x), Q_2(x)) & (P_2(1), Q_2(1)) & \cdots & (P_2(n), Q_2(n)) \\
\vdots & \vdots & & \vdots
\end{array}$$

where $\deg P_i(x) \le k-1$ and $\deg Q_i(x) \le k-1$. $L_2$ is as follows.

$$L_2 = \begin{array}{c|cccc}
 & s = 0 & s = 1 & \cdots & s = q-1 \\ \hline
(P_1(x), Q_1(x)) & P_1(x) & P_1(x) + Q_1(x) & \cdots & P_1(x) + (q-1)Q_1(x) \\
(P_2(x), Q_2(x)) & P_2(x) & P_2(x) + Q_2(x) & \cdots & P_2(x) + (q-1)Q_2(x) \\
\vdots & \vdots & \vdots & & \vdots
\end{array}$$

$L = L_1 \| L_2$ is as follows.

$$L = \begin{array}{c|ccc|ccc}
 & 1 & \cdots & n & s = 0 & \cdots & s = q-1 \\ \hline
(P_1(x), Q_1(x)) & (P_1(1), Q_1(1)) & \cdots & (P_1(n), Q_1(n)) & P_1(x) & \cdots & P_1(x) + (q-1)Q_1(x) \\
(P_2(x), Q_2(x)) & (P_2(1), Q_2(1)) & \cdots & (P_2(n), Q_2(n)) & P_2(x) & \cdots & P_2(x) + (q-1)Q_2(x) \\
\vdots & \vdots & & \vdots & \vdots & & \vdots
\end{array}$$

Theorem 5 The structure $L = L_1 \| L_2$ of an optimum (k, n) multi-receiver A-code is a $\mathrm{TWOOA}(k, (\sqrt[k]{l})^2, n, 2, l, |S|)$.

Proof: From Definition 4, each row of L is uniformly chosen. We will show that $L_1$ and the s-th column vector of $L_2$ are friendly for all $s \in S$. Since $L_1$ is an OA and each row of $L_1$ is uniformly chosen, $E_i$ is also uniformly distributed for $1 \le i \le n$. Then from Theorem 1, for all a,

$$1/\sqrt[k]{l} = \Pr(R_i \text{ accepts } m = (s, a)) = |\{e_i \mid e_i \in E_i,\ e_i \text{ accepts } (s, a)\}| / |E_i|.$$

Therefore,

$$|\{e_i \mid e_i \in E_i,\ e_i \text{ accepts } (s, a)\}| = |E_i| / \sqrt[k]{l} = \sqrt[k]{l}.$$

This shows that the i-th column of B(a) contains just $\sqrt[k]{l}$ symbols for $1 \le i \le n$. This means that L is a $\mathrm{TWOOA}(k, (\sqrt[k]{l})^2, n, 2, l, |S|)$.
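Definitions 6 to 8 and Theorem 5 checked mechanically, as an added example (not code from the paper): the orthogonal-array test of Definition 1 and the friendliness test of Definition 6 run on the page's own $L_1$ and b (k = 2, l = 4, n = 2), on a constructed column that is not friendly, and on the structure $L = L_1 \| L_2$ of the DFY scheme over GF(2) with k = 2 built as in Definition 8, which the TWOOA test of Definition 7 accepts. The symbol encodings, the evaluation points 0 and 1 (forced by GF(2) having only two elements) and the function names are this example's assumptions.

```python
from collections import Counter
from itertools import combinations, product

# Example from the page: k = 2, l = 4, n = 2. L1 is printed there transposed; each
# pair below is one row of L1. b is the 16-entry column vector of the same example.
k, l, n = 2, 4, 2
root = round(l ** (1.0 / k))  # l^(1/k) = 2: symbols each column of B(x) must contain
L1 = [(0, 0), (1, 1), (0, 1), (1, 0), (2, 2), (3, 3), (2, 3), (3, 2),
      (0, 2), (1, 3), (0, 3), (1, 2), (2, 0), (3, 1), (2, 1), (3, 0)]
b = [1, 1, 1, 1, 2, 2, 2, 2, 3, 3, 3, 3, 4, 4, 4, 4]
# Constructed counterexample (not on the page): its B(1) is rows 1, 2, 9, 10 of L1,
# whose second column holds all four symbols, so this column is not friendly with L1.
b_bad = [1, 1, 2, 2, 3, 3, 4, 4, 1, 1, 2, 2, 3, 3, 4, 4]


def oa_index(rows, t):
    """lambda such that rows form an OA_lambda(t, v, ncols) as in Definition 1
    (v = number of distinct symbols), or None when some t columns do not show each
    of the v^t tuples equally often."""
    symbols = {x for r in rows for x in r}
    ncols, tuples = len(rows[0]), len(symbols) ** t
    lam, rem = divmod(len(rows), tuples)
    if rem or t > ncols:
        return None
    for cols in combinations(range(ncols), t):
        counts = Counter(tuple(r[c] for c in cols) for r in rows)
        if len(counts) != tuples or set(counts.values()) != {lam}:
            return None
    return lam


def submatrix_B(L1, col, x):
    """B(x) of Definition 6: the rows of L1 at the positions where col carries x."""
    return [row for row, cx in zip(L1, col) if cx == x]


def is_friendly(L1, col, root):
    """Definition 6: L1 and col are friendly iff every column of every B(x) has exactly root symbols."""
    return all(len({row[j] for row in submatrix_B(L1, col, x)}) == root
               for x in set(col) for j in range(len(L1[0])))


def is_twooa(L1, L2, k, root):
    """Definition 7: L1 is an OA(k, root^2, n1), L2 an OA(2, root^k, n2), both of index 1,
    and every column of L2 is friendly with L1."""
    nsym = lambda rows: len({x for r in rows for x in r})
    if nsym(L1) != root ** 2 or nsym(L2) != root ** k:
        return False
    if oa_index(L1, k) != 1 or oa_index(L2, 2) != 1:
        return False
    return all(is_friendly(L1, [row[j] for row in L2], root) for j in range(len(L2[0])))


def dfy_structure_gf2():
    """Constructed instance of Definition 8: the DFY scheme over GF(2) with k = 2, n = 2,
    |S| = 2. One row per e_T = (P0, P1) with P0 = a0 + a1 x, P1 = b0 + b1 x. L1 holds the
    receiver keys (P0(i), P1(i)) at the evaluation points i = 0, 1, encoded as the symbol
    2*P0(i) + P1(i); L2 holds the authenticators M(x) = P0(x) + s*P1(x) for s = 0, 1,
    encoded as 2*c0 + c1 for M(x) = c0 + c1 x."""
    ev = lambda P, i: (P[0] + P[1] * i) % 2
    L1, L2 = [], []
    for a0, a1, b0, b1 in product((0, 1), repeat=4):
        P0, P1 = (a0, a1), (b0, b1)
        L1.append(tuple(2 * ev(P0, i) + ev(P1, i) for i in (0, 1)))
        L2.append(tuple(2 * ((P0[0] + s * P1[0]) % 2) + (P0[1] + s * P1[1]) % 2
                        for s in (0, 1)))
    return L1, L2


if __name__ == "__main__":
    print("page example: OA index", oa_index(L1, 2), "friendly:", is_friendly(L1, b, root))
    print("B(1) =", submatrix_B(L1, b, 1))
    dL1, dL2 = dfy_structure_gf2()
    print("DFY over GF(2) is a TWOOA:", is_twooa(dL1, dL2, k, root))
```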
We next prove the converse of Theorem 5.

Theorem 6 If there exists a $\mathrm{TWOOA}(k, (\sqrt[k]{l})^2, n, 2, l, m)$, then there exists an optimum (k, n) multi-receiver A-code $(\mathcal{S}, \mathcal{E}_T, \mathcal{E}_1, \ldots, \mathcal{E}_n, \mathcal{M})$ such that |S| = m and $|M| = l \cdot m$.

Proof: Let the TWOOA be $L = L_1 \| L_2$, where $L_1$ is an $OA(k, (\sqrt[k]{l})^2, n)$ and $L_2$ is an $OA(2, l, m)$. Let $e_T$ be an integer such that $1 \le e_T \le l^2$. For $s \in S$, T transmits m = (s, a) such that

$$a = \text{the } (e_T, s)\text{-th element of } L_2.$$

The corresponding decoding rule of $R_i$ is

$$e_i = \text{the } (e_T, i)\text{-th element of } L_1.$$

$R_i$ accepts m = (s, a) as authentic if there exists $e_T$ such that

1. the $(e_T, s)$-th element of $L_2$ is a and
2. the $(e_T, i)$-th element of $L_1$ is $e_i$.

Since $L_1$ is an $OA(k, (\sqrt[k]{l})^2, n)$, we have $|E_T| = l^2$ and $|E_i| = (\sqrt[k]{l})^2$ for $1 \le i \le n$. Let $E_T$ be uniformly distributed over $\{1, \ldots, l^2\}$. Then each $E_i$ is also uniformly distributed over the set of $(\sqrt[k]{l})^2$ symbols because $L_1$ is an $OA(k, (\sqrt[k]{l})^2, n)$. Since $L_1$ and each column vector of $L_2$ are friendly,

$$|\{e_i \mid e_i \text{ accepts } (s, a)\}| = \sqrt[k]{l} \quad (20)$$

for all s, a, and for all i. Hence

$$\Pr[R_i \text{ accepts } (s, a)] = \frac{|\{e_i \mid e_i \text{ accepts } (s, a)\}|}{|E_i|} = \frac{\sqrt[k]{l}}{(\sqrt[k]{l})^2} = \frac{1}{\sqrt[k]{l}} \quad (21)$$

for all $(R_{i_1}, \ldots, R_{i_k})$. Further, for all $R_i$, $L \in C_{R_i}$ and for all $(e_{i_1}, \ldots, e_{i_j}) \in e(L)$,

$$\Pr(\mathcal{E}_i = e_i \mid \mathcal{E}_{i_1}, \ldots, \mathcal{E}_{i_j} = e_{i_1}, \ldots, e_{i_j})$$

is a uniform distribution over the set of $(\sqrt[k]{l})^2$ symbols since $L_1$ is an $OA(k, (\sqrt[k]{l})^2, n)$. Therefore, in the same way as eq. (21), we have

$$\Pr[R_i \text{ accepts } (s, a) \mid (e_{i_1}, \ldots, e_{i_j}) \text{ accept } (s, a)] = 1/\sqrt[k]{l}$$

for all $R_i$, $L \in C_{R_i}$ and for all $(e_{i_1}, \ldots, e_{i_j}) \in e(L)$. Hence,

$$P_I = 1/\sqrt[k]{l}.$$

Finally, we prove that $P_S = 1/\sqrt[k]{l}$. Since $L_2$ is an $OA(2, l, |S|)$,

$$|\{e_i \mid e_i \text{ accepts } (s, a) \text{ and } (s', a')\}| = 1 \quad (22)$$

for all s, s', a, a' and for all i. Therefore

$$\Pr[R_i \text{ accepts } (s', a') \mid T \text{ sent } (s, a)] = \frac{|\{e_i \mid e_i \text{ accepts } (s, a) \text{ and } (s', a')\}|}{|\{e_i \mid e_i \text{ accepts } (s, a)\}|} = \frac{1}{\sqrt[k]{l}}$$

from eq. (20) and eq. (22). By an argument similar to the one for $P_I$, it is easy to see that

$$\Pr[R_i \text{ accepts } (s', a') \mid (e_{i_1}, \ldots, e_{i_j}) \text{ accept } (s', a'),\ T \text{ sent } (s, a)] = 1/\sqrt[k]{l}$$

for all $R_i$, $L \in C_{R_i}$ and for all $(e_{i_1}, \ldots, e_{i_j}) \in e(L)$. Hence,

$$P_S = 1/\sqrt[k]{l}.$$
Notes

1. A preliminary version of this paper appeared in [6].

References

1. E. F. Brickell: A few results in message authentication, Congressus Numerantium, vol. 43 (1984), 141–154.
2. B. Chor, A. Fiat and M. Naor: Tracing traitors, Proc. of Crypto '94, LNCS 839, Springer-Verlag (1994), 257–270.
3. Y. Desmedt, Y. Frankel and M. Yung: Multi-receiver/multi-sender network security: efficient authenticated multicast/feedback, IEEE Infocom '92 (1992), 2045–2054.
4. H. Fujii, W. Kachen and K. Kurosawa: Combinatorial bounds and design of broadcast authentication, IEICE Trans., vol. E79-A, no. 4 (1996), 502–506.
5. A. Fiat and M. Naor: Broadcast encryption, Advances in Cryptology – CRYPTO '93, LNCS 773, Springer-Verlag (1994), 480–491.
6. K. Kurosawa and S. Obana: Characterization of (k, n) multi-receiver authentication, Proc. of ACISP '97, LNCS 1270, Springer-Verlag (1997), 204–215.
7. J. L. Massey: Cryptography – a selective survey, Digital Communications, North Holland (1986), 3–21.
8. R. Safavi-Naini and H. Wang: New results on multi-receiver authentication codes, Proc. of Eurocrypt '98, LNCS 1403, Springer-Verlag (1998), 527–541.
9. R. Safavi-Naini and H. Wang: Bounds and characterization for multi-receiver authentication codes, Proc. of Asiacrypt '98, LNCS 1514, Springer-Verlag (1998), 242–256.
10. S. Raghavarao: Constructions and combinatorial problems in design of experiments, John Wiley & Sons, Inc. (1971).
11. G. J. Simmons: Authentication theory/coding theory, Proc. Crypto '84, LNCS 196, Springer-Verlag (1985), 411–431.
12. G. J. Simmons: Message authentication: a game on hypergraphs, Congr. Numer. 45 (1984), 161–192.
13. G. J. Simmons: A survey of information authentication, Contemporary Cryptology: The Science of Information Integrity, ed. G. J. Simmons, IEEE Press, New York (1992).
14. M. De Soete: New bounds and constructions for authentication/secrecy codes with splitting, Journal of Cryptology, vol. 3, no. 3 (1991), 173–186.
15. D. R. Stinson: Some constructions and bounds for authentication codes, Journal of Cryptology 1 (1988), 37–51.
16. D. R. Stinson: The combinatorics of authentication and secrecy codes, Journal of Cryptology, vol. 2, no. 1 (1990), 23–49.
17. D. R. Stinson: Combinatorial characterization of authentication codes, Designs, Codes and Cryptography (1992), 175–187.
18. D. R. Stinson: On some methods for unconditionally secure key distribution and broadcast encryption, Designs, Codes and Cryptography 12 (1997), 215–243.
19. D. Stinson and R. Wei: Combinatorial properties and constructions of traceability schemes and frameproof codes, SIAM J. on Discrete Math., vol. 11, no. 1 (1998), 41–53.