Hindawi Publishing Corporation Journal of Applied Mathematics Volume 2014, Article ID 102301, 7 pages http://dx.doi.org/10.1155/2014/102301
Research Article A Construction of Multisender Authentication Codes with Sequential Model from Symplectic Geometry over Finite Fields Shangdi Chen1 and Chunli Yang2 1 2
College of Science, Civil Aviation University of China, Tianjin 300300, China Information Security Center, Beijing University of Posts and Telecommunications, P.O. Box 126, Beijing 100876, China
Correspondence should be addressed to Shangdi Chen;
[email protected] Received 26 August 2013; Revised 26 December 2013; Accepted 5 January 2014; Published 30 April 2014 Academic Editor: Francesco Pellicano Copyright © 2014 S. Chen and C. Yang. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited. Multisender authentication codes allow a group of senders to construct an authenticated message for a receiver such that the receiver can verify authenticity of the received message. In this paper, we construct multisender authentication codes with sequential model from symplectic geometry over finite fields, and the parameters and the maximum probabilities of deceptions are also calculated.
1. Introduction Information security consists of confidentiality and authentication. Confidentiality is to prevent the confidential information from decrypting by adversary. The purpose of authentication is to ensure the sender is real and to verify that the information is integrated. Digital signature and authentication codes are two important means of authenticating the information and provide good service in the network. In practical, digital signature is computationally secure assuming that the computing power of adversary is limited and a mathematical problem is intractable and complex. However, authentication codes are generally safe (unconditional secure) and relatively simple. In the 1940s, C. E. Shannon first put forward the concept of perfect secrecy authentication system using the information theory. In the 1980s, information theory method had been applied to the problem of authentication by G. J. Simmons; then authentication codes became the foundation for constructing unconditionally secure authentication system. In 1974, Gilbert et al. constructed the first authentication code [1], which is a landmark in the development of authentication theory. During the same period, Simmons independently studied the authentication theory and established three participants and four participants certification models [2]. The famous mathematician Wan Zhexian constructed an authentication code without arbitration from the subspace of the classical
geometry [3]. In the case of transmitter and receiver being not honest, Ma et al. constructed a series of authentication codes with arbitration [4–9]. Xing et al. constructed authentication codes using algebraic curve and nonlinear functions, respectively [10, 11]. Safavi-Naini and Wang gave some results on multireceiver authentication codes [12]. Chen et al. made great contributions on multisender authentication codes from polynomials and matrices [13–19]. With the rapid development of information science, the traditional one-to-one authentication codes have been unable to meet the requirements of network communication, thus making the study of multiuser authentication codes particularly important. Multiuser authentication code is a generalization of traditional two-user authentication code. It can be divided into two cases: one is a sender and many receivers authentication codes; the other one is many senders and a receiver authentication codes. We call the former as multireceiver authentication codes and the latter as multisender authentication codes. Safavi-Naini R gave some results on multireceiver authentication codes using the subspace of the classical geometry, while there are only some multisender authentication codes using polynomials and matrices to construct. We present the first construction multisender authentication code using the subspace of the classical geometry, specifically symplectic geometry. The main contribution of our paper is constructing a multi-sender authentication code using symplectic geometry.
2 Furthermore, we calculate the corresponding parameters and the maximum probabilities of deceptions. The paper is organised as follows. Section 2 gives the models of multisender authentication codes. In Section 3, we provide the calculation formulas on probability of success in attacks by malicious groups of senders. In Section 4, we give some definitions and properties on geometry of symplectic groups over finite fields. In Section 5, a construction of multisender authentication codes with sequential model from symplectic geometry over finite fields is given; then the parameters and the maximum probabilities of deceptions are also calculated. We give a comparison with the other construction of multisender authentication [19] in Section 6.
2. Models of Multisender Authentication Codes We review the concepts of authentication codes which can be extracted from [20]. Definition 1 (see [20]). A systematic Cartesian authentication code 𝐶 is a 4-tuple (𝑆, 𝐸, 𝑇; 𝑓), where 𝑆 is the set of source states, 𝐸 is the set of keys, 𝑇 is the set of authenticators, and 𝑓 : 𝑆 × 𝐸 → 𝑇 is the authentication mapping. The message space 𝑀 = 𝑆 × 𝑇 is the set of all possible messages. In the actual computer network communications, multisender authentication codes include sequential models and simultaneous models. Sequential models are that each sender uses his own encoding rules to encode a source state orderly, and the last sender sends the encoded message to the receiver; then the receiver receives the message and verifies whether the message is legal or not. Simultaneous models are that all senders use their own encoding rules to encode a source state simultaneously; then the synthesizer forms an authenticated message and sends it to the receiver; the receiver receives the message and verifies whether the message is legal or not. In the following we will give out the working principles of two modes of multisender authentication codes and the protocols that the participants should follow. Definition 2 (see [17]). In sequential model, there are three participants: a group of senders 𝑈 = {𝑈1 , 𝑈2 , . . . , 𝑈𝑛 }; a Key Distribution Center (KDC), for the distribution keys to senders and receiver; a receiver who receives the authenticated message and verifies the message true or not. The code works as follows: each sender and receiver has their own Cartesian authentication code, respectively. It is used to generate part of the message and verify authenticity of the received message. Sender’s authentication codes are called branch authentication codes, and receiver’s authentication code is called channel authentication code. Let (𝑆𝑖 , 𝐸𝑖 , 𝑇𝑖 ; 𝑓𝑖 ), 𝑖 = 1, 2, . . . , 𝑛, be the 𝑖th sender’s Cartesian authentication codes, and let 𝑇𝑖−1 ⊂ 𝑆𝑖 , 1 ≤ 𝑖 ≤ 𝑛, (𝑆, 𝐸, 𝑇; 𝑓) be the receiver’s Cartesian authentication code, and let 𝑆 = 𝑆1 , 𝑇 = 𝑇𝑖 , 𝜋𝑖 : 𝐸 → 𝐸𝑖 be a subkey generation algorithm. For authenticating
Journal of Applied Mathematics a message, the senders and the receiver should comply with protocols: (1) KDC randomly selects an 𝑒 ∈ 𝐸 and secretly sends it to the receiver 𝑅 and sends 𝑒𝑖 = 𝜋𝑖 (𝑒) to the 𝑖th sender 𝑈𝑖 , 𝑖 = 1, 2, . . . , 𝑛; (2) if the senders would like to send a source state 𝑠 to the receiver 𝑅, 𝑈1 calculates 𝑡1 = 𝑓1 (𝑠, 𝑒1 ) and then sends 𝑡1 to 𝑈2 through an open channel; 𝑈2 receives 𝑡1 and calculates 𝑡2 = 𝑓2 (𝑡1 , 𝑒2 ) and then sends 𝑡2 to 𝑈3 through an open channel. In general, 𝑈𝑖 receives 𝑡𝑖−1 and calculates 𝑡𝑖 = 𝑓𝑖 (𝑡𝑖−1 , 𝑒𝑖 ) and then sends 𝑡𝑖 to 𝑈𝑖+1 through an open channel, 1 < 𝑖 < 𝑛. 𝑈𝑛 receives 𝑡𝑛−1 and calculates 𝑡𝑛 = 𝑓𝑛 (𝑡𝑛−1 , 𝑒𝑛 ) and then sends 𝑚 = (𝑠, 𝑡𝑛 ) through an open channel to the receiver 𝑅; (3) when the receiver receives the message 𝑚 = (𝑠, 𝑡𝑛 ), he checks the authenticity by verifying whether 𝑡𝑛 = 𝑓(𝑠, 𝑒) or not. If the equality holds, the message is regarded as authentic and is accepted. Otherwise, the message is rejected. Definition 3 (see [17]). In simultaneous model of a multisender authentication code, there are four participants: a group of senders 𝑈 = {𝑈1 , 𝑈2 , . . . , 𝑈𝑛 }; a Key Distribution Center (KDC), for the distribution keys to senders and receiver; a synthesizer 𝐶 who only runs the trusted synthesis algorithm; a receiver who receives the authenticated message and verifies the message true or not. The code works as follows: each sender and receiver has their own Cartesian authentication code, respectively. It is used to generate part of the message and verify the received message. Sender’s authentication codes are called branch authentication codes, and receiver’s authentication code is called channel authentication code. Let (𝑆𝑖 , 𝐸𝑖 , 𝑇𝑖 ; 𝑓𝑖 ), 𝑖 = 1, 2, . . . , 𝑛, be the sender’s Cartesian authentication codes, let (𝑆, 𝐸, 𝑇; 𝑓) be the receiver’s Cartesian authentication code, let 𝑔 : 𝑇1 × 𝑇2 × ⋅ ⋅ ⋅ × 𝑇𝑛 → 𝑇 be the synthesis algorithm, and let 𝜋𝑖 : 𝐸 → 𝐸𝑖 be a subkey generation algorithm. For authenticating a message, the senders and the receiver should comply with protocols: (1) KDC randomly selects a encoding rule 𝑒 ∈ 𝐸 and secretly sends it to the receiver 𝑅 and sends 𝑒𝑖 = 𝜋𝑖 (𝑒) to the 𝑖th sender 𝑈𝑖 , 𝑖 = 1, 2, . . . , 𝑛; (2) if the senders would like to send a source state 𝑠 to the receiver 𝑅, 𝑈𝑖 computes 𝑡𝑖 = 𝑓𝑖 (𝑠, 𝑒𝑖 ), 𝑖 = 1, 2, . . . , 𝑛, and sends 𝑚𝑖 = (𝑠, 𝑡𝑖 ) (𝑖 = 1, 2, . . . , 𝑛) to the synthesizer 𝐶 through an open channel; (3) the synthesizer 𝐶 receives the messages 𝑚𝑖 = (𝑠, 𝑡𝑖 ), 𝑖 = 1, 2, . . . , 𝑛, and calculates 𝑡 = 𝑔(𝑡1 , 𝑡2 , . . . , 𝑡𝑛 ) using the synthesis algorithm 𝑔; then sends message 𝑚 = (𝑠, 𝑡) to the receiver 𝑅; (4) when the receiver receives the message 𝑚 = (𝑠, 𝑡), he checks the authenticity by verifying whether 𝑡 = 𝑓(𝑠, 𝑒) or not. If the equality holds, the message is regarded as authentic and is accepted. Otherwise, the message is rejected.
Journal of Applied Mathematics
3
3. Probabilities of Deceptions We assume that the arbitrator (KDC) and the synthesizer (C) are credible; though they know the senders’ and receiver’s encoding rules, they do not participate in any communication activities. When transmitter and receiver are disputing, the arbitrator settles it. At the same time, assume that the system follows Kerckhoff ’s principle which the other information of the whole system is public except the actual used keys. Assume that the source state space 𝑆 and the receiver’s decoding rules space 𝐸𝑅 are according to a uniform probability distribution; then the probability distribution of message space 𝑀 and tag space 𝑇 is determined by the probability distribution of 𝑆 and 𝐸𝑅 . In a multisender authentication system, assume that the whole senders cooperate to form a valid message; that is, all senders as a whole and receiver are reliable. But there are some malicious senders which they together cheat the receiver; the part of senders and receiver are not credible; they can take impersonation attack and substitution attack. Assume that 𝑈1 , 𝑈2 , . . . , 𝑈𝑛 are senders, 𝑅 is a receiver, and 𝐸𝑖 is the encoding rules of 𝑈𝑖 , 1 ≤ 𝑖 ≤ 𝑛. 𝐸𝑅 is the decoding rules of receiver 𝑅. 𝐿 = {𝑖1 , 𝑖2 , . . . , 𝑖𝑙 } ⊂ {1, 2, . . . , 𝑛}, 𝑙 < 𝑛, 𝑈𝐿 = {𝑈𝑖1 , 𝑈𝑖2 , . . . , 𝑈𝑖𝑙 }, 𝐸𝐿 = {𝐸𝑖1 , 𝐸𝑖2 , . . . , 𝐸𝑖𝑙 }. Impersonation Attack. 𝑈𝐿 , after receiving their secret keys, sends a message 𝑚 to receiver. 𝑈𝐿 is successful if the receiver accepts it as legitimate message. Denote 𝑃𝐼 [𝐿] as the maximum probability of success of the impersonation attack. It can be expressed as 𝑃𝐼 [𝐿] = max max 𝑃 (𝑚 is accepted by 𝑅 | 𝑒𝐿 ) . 𝑒𝐿 ∈𝐸𝐿 𝑚∈𝑀
(1)
Substitution Attack. 𝑈𝐿 , after observing a legitimate message, substitutes it with another message 𝑚 . 𝑈𝐿 is successful if 𝑚 is accepted by receiver as authentic. Denote 𝑃𝑆 [𝐿] as the maximum probability of success of the substitution attack. It can be expressed as 𝑃𝑆 [𝐿] = max max max 𝑃 (𝑚 is accepted by 𝑅 | 𝑚, 𝑒𝐿 ) . 𝑒𝐿 ∈𝐸𝐿 𝑚∈𝑀 𝑚 ≠ 𝑚∈𝑀
(2)
4. Symplectic Geometry In this section, we give some definitions and properties on geometry of symplectic groups over finite fields, which can be extracted from [20]. Let F𝑞 be a finite field with 𝑞 elements, 𝑛 = 2] and define the 2] × 2] alternate matrix 0 𝐼(]) 𝐾 = ( (]) ). −𝐼 0
F𝑞(2]) × 𝑆𝑝2] (F𝑞 ) → F𝑞(2]) , ((𝑥1 , 𝑥2 , . . . , 𝑥2] ) , 𝑇) → (𝑥1 , 𝑥2 , . . . , 𝑥2] ) 𝑇.
(3)
(4)
(5)
The vector space F𝑞(2]) together with this action of 𝑆𝑝2] (F𝑞 ) is called the symplectic space over F𝑞 . Let 𝑃 be an 𝑚-dimensional subspace of F𝑞(2]) . We use the same latter 𝑃 to denote a matrix representation of 𝑃; that is, 𝑃 is an 𝑚×2] matrix of rank 𝑚 such that its rows form a basis of 𝑃. The 𝑃𝐾 𝑡 𝑃 is alternate. Assume that it is of rank 2𝑠; then 𝑃 is called a subspace of type (𝑚, 𝑠). It is known that subspaces of type (𝑚, 𝑠) exist in F𝑞(2]) if and only if 2𝑠 ≤ 𝑚 ≤ ] − 𝑠.
(6)
It is also known that subspaces of the same type form an orbit under 𝑆𝑝2] (F𝑞 ). Denote by 𝑁(𝑚, 𝑠; 2]) the number of subspaces of type (𝑚, 𝑠) in F𝑞(2]) . Denote by 𝑃⊥ the set of vectors which are orthogonal to every vector of 𝑃; that is, 𝑃⊥ = {𝑦 ∈ F𝑞(2]) | 𝑦𝐾 𝑡 𝑥 = 0 for all 𝑥 ∈ 𝑃} .
(7)
Obviously, 𝑃⊥ is a (2] − 𝑚)-dimensional subspace of F𝑞(2]) . Readers can refer to [15] for notations and terminology, which are not explained, on symplectic geometry of classical groups over finite fields.
5. Construction Let F𝑞 be a finite field with 𝑞 elements. Assume that 1 < 𝑛 < 𝑟 < ]. 𝑈 = ⟨𝑒1 , 𝑒2 , . . . , 𝑒𝑛 ⟩; then 𝑈⊥ = ⟨𝑒1 , . . . , 𝑒] , 𝑒]+𝑛+1 , . . . , 𝑒2] ⟩. Let 𝑊𝑖 = ⟨𝑒1 , . . . , 𝑒𝑖−1 , 𝑒𝑖+1 , . . . , 𝑒𝑛 ⟩; then 𝑊𝑖 ⊥ = ⟨𝑒1 , . . . , 𝑒] , 𝑒]+𝑖 , 𝑒]+𝑛+1 , . . . , 𝑒2] ⟩. The set of source states 𝑆 = {𝑠 | 𝑠 is a subspace of type (2𝑟 − 𝑛, 𝑟 − 𝑛) and 𝑈 ⊂ 𝑠 ⊂ 𝑈⊥ }; the set of 𝑖th sender’s encoding rules 𝐸𝑖 = {𝑒𝑖 | 𝑒𝑖 is a subspace of type (𝑛 + 1, 1), 𝑈 ⊂ 𝑒𝑖 and 𝑒𝑖 ⊥ 𝑊𝑖 }, 1 ≤ 𝑖 ≤ 𝑛; the set of receiver’s decoding rules 𝐸𝑅 = {𝑒𝑅 | 𝑒𝑅 is a subspace of type (2𝑛, 𝑛) and 𝑈 ⊂ 𝑒𝑅 }; the set of tags 𝑇𝑖 = {𝑡𝑖 | 𝑡𝑖 is a subspace of type (2𝑟 − 𝑛 + 𝑖, 𝑟 − 𝑛 + 𝑖) and 𝑈 ⊂ 𝑡𝑖 }, 1 ≤ 𝑖 ≤ 𝑛. Define the encoding maps: 𝑓1 : 𝑆 × 𝐸1 → 𝑇1 ,
The symplectic group of degree 2] over F𝑞 , denoted by 𝑆𝑝2] (F𝑞 ), is defined to be the set of matrices 𝑆𝑝2] (F𝑞 ) = {𝑇 | 𝑇𝐾 𝑡 𝑇 = 𝐾} ,
with matrix multiplication as its group operation. Let F𝑞(2]) be the 2]-dimensional row vector space over F𝑞 . 𝑆𝑝2] (F𝑞 ) has an action on F𝑞(2]) defined as follows:
𝑓𝑖 : 𝑇𝑖−1 × 𝐸𝑖 → 𝑇𝑖 ,
𝑓1 (𝑠, 𝑒1 ) = 𝑠 + 𝑒1 ,
𝑓𝑖 (𝑡𝑖−1 , 𝑒𝑖 ) = 𝑡𝑖−1 + 𝑒𝑖 ,
2 ≤ 𝑖 ≤ 𝑛. (8)
Define the decoding map: 𝑓 : 𝑆 × 𝐸𝑅 → 𝑇𝑛 ,
𝑓 (𝑠, 𝑒𝑅 ) = 𝑠 + 𝑒𝑅 .
(9)
4
Journal of Applied Mathematics 𝑈
Then, we can assume that 𝑡𝑛 = ( 𝑉 ), satisfying
This code works as follows.
𝑄
(1) Key Distribution. First, the KDC does a list 𝐿 of senders; assume that 𝐿 = {1, 2, . . . , 𝑛}. Then, the KDC randomly chooses a subspace 𝑒𝑅 ∈ 𝐸𝑅 and privately sends 𝑒𝑅 to the receiver 𝑅. Last, the KDC randomly chooses a subspace 𝑒𝑖 ∈ 𝐸𝑖 and 𝑒𝑖 ⊂ 𝑒𝑅 , then privately sends 𝑒𝑖 to the 𝑖th sender, 1 ≤ 𝑖 ≤ 𝑛. (2) Broadcast. For a source state 𝑠 ∈ 𝑆, the sender 𝑈1 calculates 𝑡1 = 𝑠 + 𝑒1 and sends (𝑠, 𝑡1 ) to 𝑈2 . The sender 𝑈2 calculates 𝑡2 = 𝑡1 + 𝑒2 and sends (𝑠, 𝑡2 ) to 𝑈3 . Finally, the sender 𝑈𝑛 calculates 𝑡𝑛 = 𝑡𝑛−1 + 𝑒𝑛 and sends 𝑚 = (𝑠, 𝑡𝑛 ) to the receiver 𝑅. (3) Verification. Since the receiver 𝑅 holds the decoding rule 𝑒𝑅 , 𝑅 accepts 𝑚 as authentic if 𝑡𝑛 = 𝑠 + 𝑒𝑅 . Otherwise, it is rejected by 𝑅. Lemma 4. Let 𝐶 = (𝑆, 𝐸𝑅 , 𝑇𝑛 ; 𝑓), 𝐶1 = (𝑆, 𝐸1 , 𝑇1 ; 𝑓1 ), 𝐶𝑖 = (𝑇𝑖−1 , 𝐸𝑖 , 𝑇𝑖 ; 𝑓𝑖 ) (2 ≤ 𝑖 ≤ 𝑛); then 𝐶, 𝐶1 , 𝐶𝑖 are all Cartesian authentication codes. Proof. First, we show that 𝐶 is a Cartesian authentication code. (1) For 𝑠 ∈ 𝑆, 𝑒𝑅 ∈ 𝐸𝑅 . Let 𝑈 𝑛 𝑠=( ) 𝑄 2 (𝑟 − 𝑛) ,
(14)
Let 𝑠 = ( 𝑈 𝑄 ); then 𝑠 is a subspace of type (2𝑟 − 𝑛, 𝑟 − 𝑛) and 𝑈 ⊂ 𝑠 ⊂ 𝑈⊥ ; that is, 𝑠 ∈ 𝑆 is a source state. For any V ∈ 𝑉 and V ≠ 0, we have V ∉ 𝑠 and 𝑉 ∩ 𝑈⊥ = {0}. Therefore, 𝑡𝑛 ∩ 𝑈⊥ = 𝑈 (𝑈 𝑄 ) = 𝑠. Let 𝑒𝑅 = ( 𝑉 ); then 𝑒𝑅 is a transmitter’s encoding rule satisfying 𝑡𝑛 = 𝑠 + 𝑒𝑅 . If 𝑠 is another source state contained in 𝑡𝑛 , then 𝑈 ⊂ 𝑠 ⊂ ⊥ 𝑈 . Therefore, 𝑠 ⊂ 𝑡𝑛 ∩ 𝑈⊥ = 𝑠, while dim 𝑠 = dim 𝑠, so 𝑠 = 𝑠. That is, 𝑠 is the uniquely source state contained in 𝑡𝑛 . Similarly, we can show that 𝐶1 and 𝐶𝑖 (2 ≤ 𝑖 ≤ 𝑛) are also Cartesian authentication code. From Lemma 4, we know that such construction of multisender authentication codes is reasonable. Next we compute the parameters of this code. Lemma 5. The number of the source states is |𝑆| = 𝑁(2(𝑟 − 𝑛), 𝑟 − 𝑛; 2(] − 𝑛)). Proof. For any 𝑠 ∈ 𝑆, since 𝑈 ⊂ 𝑠 ⊂ 𝑈⊥ , 𝑠 has the form
(10)
𝑈 𝑛 𝑒𝑅 = ( ) 𝑉 𝑛. From the definition of 𝑠 and 𝑒𝑅 , we can assume that 0 0 0(𝑛) 𝑈 𝑈 ( )𝐾 ( ) = ( 0 0 𝐼(𝑟−𝑛) ) , 𝑄 𝑄 0 −𝐼(𝑟−𝑛) 0
(11)
(𝑛)
𝑈 𝑈 0 𝐼 ( ) 𝐾 ( ) = ( (𝑛) ). 𝑉 𝑉 −𝐼 0 Obviously, we have V ∉ 𝑠 for any V ∈ 𝑉 and V ≠ 0. Therefore, 𝑈 𝑡𝑛 = 𝑠 + 𝑒𝑅 = (𝑉) , 𝑄 0 0 0 𝐼(𝑛) 𝑡 𝑈 𝑈 ∗ ∗ −𝐼(𝑛) 0 (𝑉) 𝐾 (𝑉) = ( ). 0 ∗ 0 𝐼(𝑟−𝑛) 𝑄 𝑄 (𝑟−𝑛) 0 ∗ −𝐼 0
(12)
𝑛 0 ) 𝑃4 2 (𝑟 − 𝑛) ] − 𝑛,
(15)
Lemma 6. The number of the 𝑖th sender’s encoding rules is |𝐸𝑖 | = 𝑞2(]−𝑛) . Proof. For any 𝑒𝑖 ∈ 𝐸𝑖 , 𝑒𝑖 is a subspace of type (𝑛 + 1, 1) containing 𝑈 and 𝑒𝑖 is orthogonal to 𝑊𝑖 . So we can assume that 𝑒𝑖 = 𝑡 (𝑒1 , . . . , 𝑒𝑛 , 𝑢), where 𝑢 = (𝑥1 𝑥2 ⋅ ⋅ ⋅ 𝑥2] ). Obviously, 𝑥1 = ⋅ ⋅ ⋅ = 𝑥𝑛 = 𝑥]+1 = ⋅ ⋅ ⋅ = 𝑥]+𝑖−1 = 𝑥]+𝑖+1 = ⋅ ⋅ ⋅ = 𝑥]+𝑛 = 0, 𝑥]+𝑖 = 1, and 𝑥𝑛+1 , . . . , 𝑥] , 𝑥]+𝑛+1 , . . . , 𝑥2] arbitrarily. Therefore, |𝐸𝑖 | = 𝑞2(]−𝑛) . Lemma 7. The number of the receiver’s decoding rules is |𝐸𝑅 | = 𝑞2𝑛(]−𝑛) . Proof. For any 𝑒𝑅 ∈ 𝐸𝑅 , since 𝑒𝑅 is a subspace of type (2𝑛, 𝑛) containing 𝑈, 𝑒𝑅 has the form
From above, 𝑡𝑛 is a subspace of type (2𝑟, 𝑟) and 𝑈 ⊂ 𝑡𝑛 ; that is, 𝑡𝑛 ∈ 𝑇𝑛 . (2) For 𝑡𝑛 ∈ 𝑇𝑛 , 𝑡𝑛 is a subspace of type (2𝑟, 𝑟) containing 𝑈. So there is subspace 𝑉 ⊂ 𝑡𝑛 , satisfying 𝑡
𝑈 𝑈 0 𝐼(𝑛) ( ) 𝐾 ( ) = ( (𝑛) ). 𝑉 𝑉 −𝐼 0
𝐼(𝑛) 0 0 𝑠 =( 0 𝑃2 0 𝑛 ]−𝑛 𝑛
where (𝑃2 , 𝑃4 ) is a subspace of type (2(𝑟 − 𝑛), 𝑟 − 𝑛) in the symplectic space 𝐹𝑞2(]−𝑛) . Therefore, the number of the source states is |𝑆| = 𝑁(2(𝑟 − 𝑛), 𝑟 − 𝑛; 2(] − 𝑛)).
𝑡
𝑡
0 0 0 𝐼(𝑛) 𝑡 𝑈 𝑈 0 0 −𝐼(𝑛) 0 (𝑉) 𝐾 (𝑉) = ( ). 0 0 0 𝐼(𝑟−𝑛) 𝑄 𝑄 0 0 −𝐼(𝑟−𝑛) 0
(13)
𝐼(𝑛) 0 0 0 𝑛 ) 𝑒𝑅 = ( 0 𝑄2 𝐼(𝑛) 𝑄4 𝑛 𝑛 ] − 𝑛 𝑛 ] − 𝑛,
(16)
where 𝑄2 , 𝑄4 are arbitrary matrices. Therefore, |𝐸𝑅 | = 𝑞2𝑛(]−𝑛) .
Journal of Applied Mathematics
5
Lemma 8. (1) The number of decoding rules 𝑒𝑅 contained in 𝑡𝑛 is 𝑞2𝑛(𝑟−𝑛) ; (2) the number of the tags is |𝑇𝑛 | = 𝑞2𝑛(]−𝑟) 𝑁(2(𝑟 − 𝑛), 𝑟 − 𝑛; 2(] − 𝑛)). Proof. (1) For any 𝑡𝑛 ∈ 𝑇𝑛 , 𝑡𝑛 is a subspace of type (2𝑟, 𝑟) and 𝑈 ⊂ 𝑡𝑛 . We assume that 𝑡𝑛 has the form
Without loss of generality, we can assume that 𝑈𝐿 = {𝑈1 , 𝑈2 , . . . , 𝑈𝑙 }, 𝐸𝐿 = {𝐸1 × ⋅ ⋅ ⋅ × 𝐸𝑙 }, where 𝑙 < 𝑛. Lemma 10. For any 𝑒𝐿 = (𝑒1 , 𝑒2 , . . . , 𝑒𝑙 ) ∈ 𝐸𝐿 , the number of 𝑒𝑅 containing 𝑒𝐿 is 𝑞2(𝑛−𝑙)(]−𝑛) . Proof. For any 𝑒𝐿 = (𝑒1 , 𝑒2 , . . . , 𝑒𝑙 ) ∈ 𝐸𝐿 , we can assume that
𝑡𝑛 𝐼(𝑛) 0 0 𝐼(𝑟−𝑛) = ( 0 0 0 0 𝑛 𝑟−𝑛
0 0 0 0 ]−𝑟
0 0 𝐼(𝑛) 0 𝑛
0 0 0
0 𝑛 0 𝑟−𝑛 ) 𝑛 0 𝑟 − 𝑛 0 ] − 𝑟. (17)
𝐼(𝑟−𝑛) 𝑟−𝑛
0 0 0 0 𝐼(𝑙) 0 𝑙 𝑒𝐿 = ( 0 𝐼(𝑛−𝑙) 0 0 0 0) 𝑛−𝑙 𝑙 𝐼(𝑙) 0 𝑃6 0 0 𝑃3 𝑙 𝑛 − 𝑙 ] − 𝑛 𝑙 𝑛 − 𝑙 ] − 𝑛. If 𝑒𝐿 ⊂ 𝑒𝑅 , then 𝑒𝑅 has the form 𝐼(𝑙) 0 0 𝐼(𝑛−𝑙) 𝑒𝑅 = ( 0 0 0 0 𝑙 𝑛−𝑙
If 𝑒𝑅 ⊂ 𝑡𝑛 , then we can assume that 𝐼(𝑛) 𝑒𝑅 = ( 0 𝑛
0 𝑅2 𝑟−𝑛
0 0 ]−𝑟
0
𝐼(𝑛) 𝑛
0 0 𝑛 ) 𝑅5 0 𝑛 𝑟 − 𝑛 ] − 𝑟, (18)
where 𝑅2 , 𝑅5 are arbitrary matrices. Therefore, the number of 𝑒𝑅 contained in 𝑡𝑛 is 𝑞2𝑛(𝑟−𝑛) . (2) We know that a tag contains only one source state and the number of decoding rules 𝑒𝑅 contained in 𝑡𝑛 is 𝑞2𝑛(𝑟−𝑛) . Therefore, we have |𝑇𝑛 | = |𝑆||𝐸𝑅 |/𝑞2𝑛(𝑟−𝑛) = 𝑞2𝑛(]−𝑟) 𝑁(2(𝑟 − 𝑛), 𝑟 − 𝑛; 2(] − 𝑛)). Theorem 9. The parameters of the above constructed multisender authentication code are
(21)
Lemma 11. For any 𝑡𝑛 ∈ 𝑇𝑛 and 𝑒𝐿 = (𝑒1 , 𝑒2 , . . . , 𝑒𝑙 ) ∈ 𝐸𝐿 , the number of 𝑒𝑅 contained in 𝑡𝑛 and containing 𝑒𝐿 is 𝑞2(𝑛−𝑙)(𝑟−𝑛) . Proof. For any 𝑡𝑛 ∈ 𝑇𝑛 , 𝑡𝑛 is a subspace of type (2𝑟, 𝑟) and 𝑈 ⊂ 𝑡𝑛 . We assume that 𝑡𝑛 has the form 0 0 0 𝐼(𝑛) 0 0 𝑛 0 0 0 0 𝐼(𝑟−𝑛) 0 𝑟−𝑛 𝑡𝑛 = ( ) 𝑛 0 0 0 0 0 𝐼(𝑛) (𝑟−𝑛) 𝑟−𝑛 0 0 0 0 0 𝐼 𝑛 𝑟 − 𝑛 ] − 𝑟 𝑛 𝑟 − 𝑛 ] − 𝑟.
(19)
2𝑛(]−𝑟) 𝑁 (2 (𝑟 − 𝑛) , 𝑟 − 𝑛; 2 (] − 𝑛)) . 𝑇𝑛 = 𝑞
0 0 0 0 𝑙 0 0 0 0 𝑛−𝑙 ) 𝑙 𝐼(𝑙) 0 𝑃6 𝑃3 𝑛−𝑙 𝑃3 0 𝐼(𝑛−𝑙) 𝑃6 ] − 𝑛 𝑙 𝑛 − 𝑙 ] − 𝑛,
where 𝑃3 , 𝑃6 are arbitrary matrices. Therefore, the number of 𝑒𝑅 containing 𝑒𝐿 is 𝑞2(𝑛−𝑙)(]−𝑛) .
|𝑆| = 𝑁 (2 (𝑟 − 𝑛) , 𝑟 − 𝑛; 2 (] − 𝑛)) ; 2(]−𝑛) ; 𝐸𝑖 = 𝑞 2𝑛(]−𝑛) ; 𝐸𝑅 = 𝑞
(20)
(22)
If 𝑒𝐿 ⊂ 𝑡𝑛 , assume that 𝑒𝐿 has the form
0 0 0 𝐼(𝑙) 0 𝑒𝐿 = ( 0 𝐼(𝑛−𝑙) 0 0 0 0 𝐼(𝑙) 0 0 𝑅3 𝑙 𝑛−𝑙 𝑟−𝑛 V−𝑟 𝑙
0 0 0 𝑙 0 0 0) 𝑛 − 𝑙 𝑙 0 𝑅7 0 𝑛 − 𝑙 𝑟 − 𝑛 ] − 𝑟.
(23)
If 𝑒𝑅 ⊂ 𝑡𝑛 and 𝑒𝐿 ⊂ 𝑒𝑅 , then 0 0 𝐼(𝑙) 0 0 0 0 𝐼(𝑛−𝑙) 𝑒𝑅 = ( 0 0 0 𝑅3 0 0 0 𝑅3 𝑙 𝑛−𝑙 𝑟−𝑛 V−𝑟
0 0 0 0 (𝑙) 𝐼 0 0 𝐼(𝑛−𝑙) 𝑙 𝑛−𝑙
0 0 𝑙 0 0 𝑛−𝑙 ) 𝑙 𝑅7 0 𝑛 − 𝑙 𝑅7 0 𝑟 − 𝑛 ] − 𝑟,
(24)
6
Journal of Applied Mathematics
where 𝑅3 , 𝑅7 are arbitrary matrices. Therefore, the number of 𝑒𝑅 contained in 𝑡𝑛 and containing 𝑒𝐿 is 𝑞2(𝑛−𝑙)(𝑟−𝑛) . Lemma 12. Assume that 𝑡𝑛 ∈ 𝑇𝑛 and 𝑡𝑛 ∈ 𝑇𝑛 are two distinct tags which are decoded by receiver’s decoding rule 𝑒𝑅 . 𝑠1 and 𝑠2 contained in 𝑡𝑛 and 𝑡𝑛 , respectively. Let 𝑠0 = 𝑠1 ∩𝑠2 , dim 𝑠0 = 𝑘; then 𝑛 ≤ 𝑘 ≤ 2𝑟 − 𝑛 − 1; the number of 𝑒𝑅 contained in 𝑡𝑛 ∩ 𝑡𝑛 and containing 𝑒𝐿 is 𝑞(𝑛−𝑙)(𝑘−𝑛) . 𝑠1 + 𝑒𝑅 , 𝑡𝑛
𝑡𝑛 ≠ 𝑡𝑛 ,
Proof. Since 𝑡𝑛 = = 𝑠2 + 𝑒𝑅 and then 𝑠1 ≠ 𝑠2 . And for any 𝑠 ∈ 𝑆, 𝑈 ⊂ 𝑠, therefore, 𝑛 ≤ 𝑘 ≤ 2𝑟 − 𝑛 − 1. Assume that 𝑠𝑖 is the complementary subspace of 𝑠0 in the 𝑠𝑖 ; then 𝑠𝑖 = 𝑠0 +𝑠𝑖 (𝑖 = 1, 2). Because of 𝑡𝑛 = 𝑠1 +𝑒𝑅 = 𝑠0 +𝑠1 +𝑒𝑅 , 𝑡𝑛 = 𝑠2 +𝑒𝑅 = 𝑠0 +𝑠2 +𝑒𝑅 and 𝑠1 = 𝑡𝑛 ∩𝑈⊥ , 𝑠2 = 𝑡𝑛 ∩𝑈⊥ , we know 𝑠0 = (𝑡𝑛 ∩𝑈⊥ )∩(𝑡𝑛 ∩𝑈⊥ ) = 𝑡𝑛 ∩𝑡𝑛 ∩𝑈⊥ = 𝑠1 ∩𝑡𝑛 = 𝑠2 ∩𝑡𝑛 , and 𝑡𝑛 ∩ 𝑡𝑛 = (𝑠1 + 𝑒𝑅 ) ∩ 𝑡𝑛 = (𝑠0 + 𝑠1 + 𝑒𝑅 ) ∩ 𝑡𝑛 = ((𝑠0 + 𝑒𝑅 ) + 𝑠1 ) ∩ 𝑡𝑛 . Since 𝑠0 + 𝑒𝑅 ⊆ 𝑡𝑛 , then 𝑡𝑛 ∩ 𝑡𝑛 = (𝑠0 + 𝑒𝑅 ) + (𝑠1 ∩ 𝑡𝑛 ), while 𝑠1 ∩ 𝑡𝑛 ⊆ 𝑠1 ∩ 𝑡𝑛 = 𝑠0 , so 𝑡𝑛 ∩ 𝑡𝑛 = 𝑠0 + 𝑒𝑅 . From the definition of the 𝑡𝑛 and 𝑡𝑛 , we assume that 𝐼(𝑛) 0 0 𝑃22 𝑡𝑛 = ( 0 0 0 0 𝑛 ]−𝑛 𝐼(𝑛) 0 0 𝑃22 𝑡𝑛 = ( 0 0 0 0 𝑛 ]−𝑛
0 0
0 𝑛 0 𝑟−𝑛 ) 𝑛 𝐼(𝑛) 0 𝑟−𝑛 0 𝑃44 𝑛 ] − 𝑛, 0 0
0 𝑛 0 𝑟−𝑛 ) 𝑛 𝐼(𝑛) 0 𝑟−𝑛 0 𝑃44 𝑛 ] − 𝑛.
(25)
𝑡𝑛 ∩
(26)
(27)
(28)
If 𝑒𝑅 ⊂ 𝑡𝑛 ∩ 𝑡𝑛 and 𝑒𝐿 ⊂ 𝑒𝑅 , then 𝑒𝑅 has the form 𝐼(𝑙) 0 0 𝐼(𝑛−𝑙) 𝑒𝑅 = ( 0 0 0 0 𝑙 𝑛−𝑙
0 0 0 0 𝑙 0 0 0 0 𝑛−𝑙 ) 𝑙 𝐼(𝑙) 0 𝑅6 𝑅3 𝑛−𝑙 𝑅3 0 𝐼(𝑛−𝑙) 𝑅6 ] − 𝑛 𝑙 𝑛 − 𝑙 ] − 𝑛.
,
𝑃𝑆 (𝐿) =
1 𝑞(𝑛−𝑙)
.
(30)
Proof. (1) Impersonation Attack. 𝑈𝐿 , after receiving their secret keys, sends a message 𝑚 to 𝑅. 𝑈𝐿 is successful if the receiver accepts it as authentic. Therefore, {𝑒 ∈ 𝐸𝑅 | 𝑒𝐿 ⊂ 𝑒𝑅 , 𝑒𝑅 ⊂ 𝑡} } 𝑃𝐼 (𝐿) = max max { 𝑅 𝑒𝐿 ∈𝐸𝐿 𝑚∈𝑀 {𝑒𝑅 ∈ 𝐸𝑅 | 𝑒𝐿 ⊂ 𝑒𝑅 } =
𝑞2(𝑛−𝑙)(𝑟−𝑛) 𝑞2(𝑛−𝑙)(]−𝑛) 1 𝑞2(𝑛−𝑙)(]−𝑟)
(31) .
(2) Substitution Attack. 𝑅𝐿 , after observing a message 𝑚 that is transmitted by the sender, replaces 𝑚 with another message 𝑚 . 𝑅𝐿 is successful if 𝑚 is accepted by 𝑅 as authentic. Therefore,
=
𝑞(𝑛−𝑙)(𝑘−𝑛) 𝑛≤𝑘≤2𝑟−𝑛−1 𝑞2(𝑛−𝑙)(𝑟−𝑛)
=
1 . 𝑞(𝑛−𝑙)
max
(32)
For any 𝑒𝐿 ⊂ 𝑡𝑛 ∩ 𝑡𝑛 , we assume that 0 0 0 0 𝐼(𝑙) 0 𝑙 𝑒𝐿 = ( 0 𝐼(𝑛−𝑙) 0 0 0 0) 𝑛−𝑙 𝑙 𝐼(𝑙) 0 𝑅6 0 0 𝑅3 𝑙 𝑛 − 𝑙 ] − 𝑛 𝑙 𝑛 − 𝑙 ] − 𝑛.
1 𝑞2(𝑛−𝑙)(]−𝑟)
{𝑒𝑅 ∈ 𝐸𝑅 | 𝑒𝐿 ⊂ 𝑒𝑅 , 𝑒𝑅 ⊂ 𝑡, 𝑒𝑅 ⊂ 𝑡 } } = max max max { 𝑒𝐿 ∈𝐸𝐿 𝑚∈𝑀𝑚 ≠ 𝑚 ∈𝑀 {𝑒𝑅 ∈ 𝐸𝑅 | 𝑒𝐿 ⊂ 𝑒𝑅 , 𝑒𝑅 ⊂ 𝑡}
And from above we know that 𝑡𝑛 ∩ 𝑡𝑛 = 𝑠0 + 𝑒𝑅 ; then dim (𝑡𝑛 ∩ 𝑡𝑛 ) = 𝑘 + 𝑛; therefore, 0 𝑃2 0 0 ) = 𝑘 − 𝑛. dim ( 0 0 0 𝑃4
𝑃𝐼 (𝐿) =
𝑃𝑆 (𝐿)
(𝑛)
0 0 0 𝑛 0 0 0 𝑃2 𝑟−𝑛 = ( ) 𝑛 0 0 𝐼(𝑛) 0 𝑟−𝑛 0 0 0 𝑃4 𝑛 ] − 𝑛 𝑛 ] − 𝑛. 𝐼
Theorem 13. In the constructed multi-sender authentication codes, the maximum probabilities of success for impersonation attack and substitution attack from 𝑈𝐿 on the receiver 𝑅 are
=
Let 𝑡𝑛
So, every row of (0 𝑅3 0 𝑅6 ) is the linear combination of ( 00 𝑃02 00 𝑃04 ). Therefore, the number of 𝑒𝑅 contained in 𝑡𝑛 ∩ 𝑡𝑛 and containing 𝑒𝐿 is 𝑞(𝑛−𝑙)(𝑘−𝑛) .
(29)
6. The Advantage of the Constructed Authentication Code The security of an authentication code could be measured by the maximum probabilities of deceptions. The smaller the probability of successful attack, the higher the security of the authentication codes. Now let us compare the security of our constructed authentication code with the known one [19]. The constructed authentication code in [19] is also a multisender authentication code from symplectic geometry over finite fields, but which is in simultaneous model. If we choose the parameters 𝑛, 𝑛 , 𝑟, and ] with 1 < 𝑛 < 𝑛 < 𝑟 < ], 𝑛 > (𝑟/2), and 𝑛 − 𝑛 > ] − 𝑟, from Table 1 we see that the maximum probabilities of deceptions of our construction are smaller than the construction in [19]. Therefore, compared with the construction in [19], our construction is more efficient.
Journal of Applied Mathematics
7 Table 1: (𝑛 > 𝑟/2, 𝑛 − 𝑛 > ] − 𝑟).
Constructions The number of senders The number of attackers The parameters of codes |𝑆| 𝐸𝑖 𝐸𝑅 |𝑇| The probabilities of deceptions 𝑃𝐼 (𝐿) 𝑃𝑆 (𝐿)
[19] 𝑛 𝑙, 1 ≤ 𝑙 < 𝑛
Size relation = =
Ours 𝑛 𝑙, 1 ≤ 𝑙 < 𝑛
𝑁(2(𝑟 − 𝑛), 𝑟 − 𝑛; 2(] − 𝑛)) 𝑞2(]−𝑛) 𝑞2𝑛 (]−𝑛 ) 𝑁(2(𝑟 − 𝑛), 𝑟 − 𝑛; 2(] − 𝑛))𝑞2𝑛 (]−𝑟−𝑛 +𝑛)
= = >
>
1 𝑞2(𝑛−𝑙)(]−𝑟) 1 𝑞𝑛−𝑙
[9] L. Ruihu and L. Zunxian, “Construction of A2 -codes from symplectic geometry,” Journal of Shanxi Normal University, vol. 26, no. 4, pp. 10–15, 1998. [10] C. Xing, H. Wang, and K.-Y. Lam, “Constructions of authentication codes from algebraic curves over finite fields,” IEEE Transactions on Information Theory, vol. 46, no. 3, pp. 886–892, 2000. [11] C. Carlet, C. Ding, and H. Niederreiter, “Authentication schemes from highly nonlinear functions,” Designs, Codes and Cryptography, vol. 40, no. 1, pp. 71–79, 2006. [12] R. Safavi-Naini and H. Wang, “Multireceiver authentication codes: models, bounds, constructions, and extensions,” Information and Computation, vol. 151, no. 1-2, pp. 148–172, 1999. [13] S. Chen and D. Zhao, “Construction of multi-receiver multifold authentication codes from singular symplectic geometry over finite fields,” Algebra Colloquium, vol. 20, no. 4, pp. 701– 710, 2013. [14] S. Chen and D. Zhao, “Two constructions of multireceiver authentication codes from symplectic geometry over finite fields,” Ars Combinatoria, vol. 99, pp. 193–203, 2011. [15] Y. Desmedt, Y. Frankel, and M. Yung, “Multi-receiver/multisender network security: efficient authenticated multicast/feedback,” in Proceedings of the the 11th Annual Conference of the IEEE Computer and Communications Societies, vol. 3, pp. 2045–2054, May 1992. [16] Q. Yingchun and Z. Tong, “Multiple authentication Code with multi-transmitter and its constructions,” Journal of Zhongzhou University, vol. 20, no. 1, pp. 118–120, 2003. [17] M. Wen-Ping and W. Xin-Mei, “Several new constructions on multitransmitters authentication codes,” Acta Electronica Sinica, vol. 28, no. 4, pp. 117–119, 2000. [18] D. Qingling and L. Shuwang, “Bounds and construction for multi-sender authentication code,” Computer Engineering and Applications, vol. 10, pp. 9–10, 2004. [19] S. Chen and C. Yang, “A new construction of multisender authentication codes from symplectic geometry over finite fields,” Ars Combinatoria, vol. 106, pp. 353–366, 2012. [20] Z. Wan, Geometry of Classical Groups over Finite Fields, Science Press, Beijing, China, 2nd edition, 2002.
Advances in
Operations Research Hindawi Publishing Corporation http://www.hindawi.com
Volume 2014
Advances in
Decision Sciences Hindawi Publishing Corporation http://www.hindawi.com
Volume 2014
Journal of
Applied Mathematics
Algebra
Hindawi Publishing Corporation http://www.hindawi.com
Hindawi Publishing Corporation http://www.hindawi.com
Volume 2014
Journal of
Probability and Statistics Volume 2014
The Scientific World Journal Hindawi Publishing Corporation http://www.hindawi.com
Hindawi Publishing Corporation http://www.hindawi.com
Volume 2014
International Journal of
Differential Equations Hindawi Publishing Corporation http://www.hindawi.com
Volume 2014
Volume 2014
Submit your manuscripts at http://www.hindawi.com International Journal of
Advances in
Combinatorics Hindawi Publishing Corporation http://www.hindawi.com
Mathematical Physics Hindawi Publishing Corporation http://www.hindawi.com
Volume 2014
Journal of
Complex Analysis Hindawi Publishing Corporation http://www.hindawi.com
Volume 2014
International Journal of Mathematics and Mathematical Sciences
Mathematical Problems in Engineering
Journal of
Mathematics Hindawi Publishing Corporation http://www.hindawi.com
Volume 2014
Hindawi Publishing Corporation http://www.hindawi.com
Volume 2014
Volume 2014
Hindawi Publishing Corporation http://www.hindawi.com
Volume 2014
Discrete Mathematics
Journal of
Volume 2014
Hindawi Publishing Corporation http://www.hindawi.com
Discrete Dynamics in Nature and Society
Journal of
Function Spaces Hindawi Publishing Corporation http://www.hindawi.com
Abstract and Applied Analysis
Volume 2014
Hindawi Publishing Corporation http://www.hindawi.com
Volume 2014
Hindawi Publishing Corporation http://www.hindawi.com
Volume 2014
International Journal of
Journal of
Stochastic Analysis
Optimization
Hindawi Publishing Corporation http://www.hindawi.com
Hindawi Publishing Corporation http://www.hindawi.com
Volume 2014
Volume 2014
