New Results on Multi-receiver Authentication Codes - CiteSeerX

New Results on Multi-receiver Authentication Codes Rei Safavi-Naini and Huaxiong Wang School of IT and CS University of Wollongong North elds Ave, Wollongong, NSW 2522, AUSTRALIA e-mail: rei/[email protected]

Abstract

Multi-receiver authentication is an extension of the traditional point-to-point message authentication. In a multi-receiver authentication system the sender broadcasts a single authenticated message such that all the receivers can independently verify the authenticity of the message, and malicious groups of up to a given size of receivers can not successfully impersonate the transmitter, or substitute a transmitted message. This paper presents some new results on unconditionally secure multi-receiver authentication codes. First we generalize Desmedt et al polynomial scheme for multi-receiver authentication, in such a way that instead of a single message each key can be used to authenticate multiple messages. Second, we suggest a exible construction for multi-receiver A-code by combining an A-code and an (n; m; k)-cover-free family. Finally, we introduce the model of multi-receiver A-code with dynamic sender and present a construction that is much more ecient than the naive approach.

Keywords: Authentication code, Multi-receiver authentication code.

 This work is supported in part by an Australian

Research Council Grant under A49703076

1

New Results on Multi-receiver Authentication Code Abstract

Multi-receiver authentication is an extension of the traditional point-to-point message authentication. In a multi-receiver authentication system the sender broadcasts a single authenticated message such that all the receivers can independently verify the authenticity of the message, and malicious groups of up to a given size of receivers can not successfully impersonate the transmitter, or substitute a transmitted message. This paper presents some new results on unconditionally secure multi-receiver authentication codes. First we generalize Desmedt et al polynomial scheme for multi-receiver authentication, in such a way that instead of a single message each key can be used to authenticate multiple messages. Second, we suggest a exible construction for multi-receiver A-code by combining an A-code and an (n; m; k)-cover-free family. Finally, we introduce the model of multi-receiver A-code with dynamic sender and present a construction that is much more ecient than the naive approach.

Keywords: Authentication code, Multi-receiver authentication code.

1 Introduction Conventional authentication systems deal with point-to-point message authentication. In Simmons' model of unconditionally secure authentication there are three participants: a transmitter (sender), a receiver, and an opponent. The transmitter and receiver share a secret key and are both assumed honest. Transmitter wants to send a message over a public channel which is subject to active attack. Transmitter and receiver use an authentication code which is a set of authentication functions f , indexed by keys belonging to a set E . To authenticate a message, called a source state and denoted by s 2 S , transmitter forms a codeword f (e; s) and sends it to the transmitter who can verify it authenticity using his knowledge of the key. We are only concerned with systematic Cartesian A-codes. In such codes, the codeword constructed for s using e 2 E is the concatenation of s and f (e; s), that is (s; f (e; s)) where f (e; s) is called authentication tag, or simply tag. The receiver will detect a fraudulent codeword (s; t) if t 6= f (e; s) 2 T , where T denotes the set of all tags. The opponent can perform an impersonation attack, or a substitution attack, by constructing a codeword that is acceptable by the receiver. In impersonation the attacker has not seen any previous communication while in substitution he has seen one transmitted codeword. A code provides perfect protection against impersonation if enemy's best strategy is randomly guessing the tag and in the case of Cartesian A-codes, his probability of success is P0 = jT1 j . Perfect protection for substitution is de ned in a similar way and for Cartesian A-code the probability of success of the intruder is P1 = jT1 j . An extension of this model proposed by Desmedt, Frankel and Yung (DFY) [4] is when there are multiple receivers who can not all be trusted. Transmitter broadcasts a message to all the receivers who can individually verify authenticity of the message using their secret key information. There are malicious groups of receiver who use their secret key and all the previous communications in the system to construct fraudulent messages. They succeed in their attack even if a single receiver accepts the message as being authentic. In an (k; n) multi-receiver authentication system there are n receivers such that in any group of k receivers, there is at least one honest receiver. In other words the largest coalition of cheating receivers can have k ? 1 members. The system provides perfect protection against impersonation, or substitution, if the best chance of success in the corresponding attacks is 1=q, where q is the common size of tag space for all the receivers. A multi-receiver authentication code can be constructed from a traditional A-code by allowing transmitter to use n dierent keys for the n receivers and broadcast a codeword that is simply a 1

concatenation of the codewords for each receiver. The length of the combined tag is n times the length of the individual receiver tags, and the transmitter's key is n times the size of a receiver's key. This is a very uneconomical method of authenticating a message as such a system can prevent attacks by even n ? 1 colluding receiver, while the assumption is that in every group of k receivers there is at least one honest receiver. The question is whether it is possible to have a more ecient system with shorter tags and shorter transmitter's key. Desmedt, Frankel and Yung [4] gave a positive answer to this question by constructing a (k; n) multi-receiver A-code in which the size of the tag and the size of the transmitter's key are signi cantly less than that of the naive solution. Kurosawa and Obana [8] showed that, these are the smallest sizes of the transmitted tag, and transmitter and receiver key for the given deception probabilities. In this paper we present a number of new results on multi-receiver A-codes.

 We extend DFY polynomial construction to multiple messages. The proof of security in this

case is more involved than a single message.  We give a new construction for multi-receiver A-codes by combining an arbitrary A-code and a special combinatorial structure called (n; m; k)-cover-free family. The construction is particularly useful when the number of receivers, or the size of the source is large. In DYF construction the numbers of bits needed for the tag and the keys for the transmitter and receivers are both at least log q (in this paper, all logs are on base 2), where q is a prime power that is not less the number of receivers or the size of the source states. This is an unnecessary constraint which is removed in our construction.  Finally we extend the model of multi-receiver A-code to the case that the transmitter is not determined beforehand. This model is useful for authenticated conference communication. An interesting property of this model is separating message authentication and entity authentication. Again it is possible to have a trivial construction by giving each participant the required key information for a transmitter, but the result will be a very inecient system. We give a construction which is much more ecient than the trivial construction. In section 2 after recalling DFY construction, we give the extension to multiple messages. In section 3 we give the new construction for multi-receiver A-codes and nally in section 4 give the model and construction of multi-receiver A-code with dynamic receiver. Section 5 concludes the paper.

2 A Generalization of DFY Scheme for Multiple Messages In a multi-receiver A-code, there is a trusted Key Distribution Centre (KDC) that generates and distributes the required keys. The system has three phases: 1. Key distribution: The KDC privately sends to the sender, and each receiver, their individual keys. 2. Broadcast: For a source state s, the sender generates an authenticated message using his/her key and broadcasts the authenticated message. 3. Veri cation: Each user can verify the authenticity of the authenticated message. First, we brie y review DYF scheme for multi-receiver authentication. Assume there is a sender T , and n receivers R1 ; : : : ; Rn . The key for T consists of two random polynomials P0(x) and P1 (x), 2

of degree at most k ? 1, with coecients in GF (q). The key for Ri consists of P0 (i) and P1 (i). For a source state s 2 GF (q), T broadcasts (s; A(x)) where A(x) = P0 (x) + sP1 (x). Ri accepts (s; A(x)) as authentic if A(i) = P0 (i) + sP1 (i): It is proved in [4] that in this scheme no group of k ? 1 receivers can perform an impersonation or substitution attacks against a single receiver, with a probability greater than q1 . In this section we generalize DFY scheme such that each key can be used to authenticate up to w (w  2) messages. Again, assume that there is a sender T and n receivers R1 ; R2 ;


; Rn . Assume q is larger than or equal to the number of the possible messages, (q  n). The scheme has the following steps: 1. Key distribution: The KDC randomly generates w + 1 polynomials P0 (x);P1 ;


; Pw (x) of degree at most k ?1 and chooses n distinct elements x1 ; x2 ;


; xn of GF (q ). KDC makes xi s public and sends privately (P0 (x); P1;


; Pw (x)) to the sender T , and (P0 (xi ); P1 (xi);


; Pw (xi )) to the receiver Ri . 2. Broadcast: For a source state s, T computes As (x) = P0 (x) + sP1 (x) +


+ sw Pw (x) and broadcasts (s; As (x)). 3. Veri cation: Ri accepts (s; As (x)) as authentic if As (xi ) = P0 (xi)+ sP1 (xi )+


+ sw Pw (xi ). The above scheme is a multi-receiver authentication code in which each key can be used to authenticate up to w messages. To prove the security of the scheme, we consider the scenarios that for a given key (P0 (x);P1 ;


; Pw (x)), w source states s1 ; s2 ;


; sw have been authenticated using the same key, and there are k ? 1 receivers who want to cheat against one of the other receivers. Without loss of generality, we may assume that those malicious receivers are R1 ; R2 ;


; Rk?1 . Let Pi (x) = ai0 + ai1 x +


; +aik?1 xk?1 ; 0  i  w: Since s1 ; s2 ;


; sw have been sent, As1 ; As2 ;


; Asw are publicly known where, Asj (x) = bj 0 + bj 1 x +


+ bjk?1 xk?1 ; for all 1  j  w: It follows that, 3 3 2 32 2 b10 b11


b1k?1 1 1


1 a00 a10


aw0 66 a01 a11


aw1 77 66 s1 s2


sw 77 66 b20 b21


b2k?1 77 64











75 64











75 = 64











75

bw0 bw1


bwk?1 sw1 sw2


sww a0k?1 a1k?1


awk?1 Since k ? 1 receivers R1 ; R2 ;


; Rk?1 know their keys (P0 (x1); P1 (x1 );


; Pw (x1));


; (P0(xk?1 ); P1 (xk?1 );


; Pw (xk?1 ));

we have

2 1 x


xk? 66 1 x


xk? 64











1 xk?


xkk?? 1

1

2

2

1

1 1

1 1

32 a 77 66 a 75 64







aw


aw








awk?

a10 a 01 11


a0k?1 a1k?1 00

0

1

3 2 P (x ) 77 66 P (x ) 75 = 64




1

P1 (x1) P1 (x2) 0 2


P0 (xk?1 ) P1 (xk?1 ) 0

1

3


Pw (x )


Pw (x ) 777 :





5


Pw (xk? ) 1

2

1

The above equations can be written as

AMw = B Xk?1 A = C 3

(1) (2)

where2

3

2

3

1 1


1 aw 0 6 66 aa0001 aa1011


7


a s s2


sw 777, 6 A = 64










w
1 775, Mw = 64


1








5 w sw


sw a20k?1 a1k?1


awk?13 s 1 2 w 3 2 1 x1


x1k?1 b10 b11


b1k?1 66 b20 b21


b2k?1 77 6 1 x2


x2k?1 77 , B = Xk?1 = 664


64











75, 7








5 k?1 b3w0 bw1


bwk?1 2 1 xk?1


xk?1


Pw (x1) 66 PP00((xx21)) PP11((xx21))


Pw (x2) 777 : C = 64











5 P0 (xk?1 ) P1(xk?1 )


Pw (xk?1 ) We rst give a lemma, which says that knowing Mw ; Xk?1 ; B and C cannot determine A. In

other words, the matrix satisfying (1) and (2) is not unique. Lemma 2.1 There exist q dierent matrices D such that DMw = B and Xk?1D = C .

2

Proof: See Appendix

Theorem 2.1 The above scheme is a (k; n) unconditionally secure multi-receiver authentication code in which every key can be used to authenticate up to w messages.

Proof: We only consider the substitution attack, the proof for the impersonation attack can be done in a similar way. The malicious receivers P1 ; : : : ; Pk?1 , want to generate a valid codeword (sw+1 ; b0 + b1 x +


bk?1 xk?1 ) such that it is accepted by Rk as authentic. What they try to do is to guess the secret key of Rk , P0 (xk );P1 (xk );


; Pw (xk ) and choose a polynomial A(x) = b0 + b1x +


+ bk?1 xk?1 such that b0 + b1 xk +


+ bk?1 xkk?1 = P0 (xk ) + sw+1 P1(xk ) +


+ sww+1 Pw (xk ): We note that even the key of Rk is known, there are q k?1 polynomials A(x) satisfying the above condition. From Lemma 2.1 we know that there are q dierent matrices D such that DMw = B and Xk?1 D = C . This implies that there are q dierent(w+1)-tuples of polynomials (Q0(x); Q1(x);


; Qw+1 (x)) such that each of them is equally likely to be the key of the sender. We rst show that such q dierent (w + 1)-tuples of polynomials give rise to q dierent possible keys of Rk . Indeed, suppose that Q[x] = (Q0 (x);Q1 (x);


; Qw?1 (x)) and Q0 [x] = (Q00 (x);Q01 (x);


; Q0w?1 (x)) are two dierent keys of T , and their corresponding matrices are D and D0 . Then

Ck = (Q0(xk ); Q1(xk );


; Qw+1 (xk )) = (1; xk ;


; xkk?1 )D; and

Ck0 = (Q00(xk ); Q01(xk );


; Q0w+1 (xk )) = (1; xk ;


; xkk?1 )D0 ; are their corresponding!keys for Rk . By Lemma !2.1, we know that Xk D = Xk D0 = C . It follows that Xk+1 D = CC and Xk+1 D0 = CC0 . Xk+1 is a Vandermonde matrix and so is k k invertible. This implies that Ck = 6 Ck0 , by the assumption that D =6 D0. 4

Next, we prove that

0 BB sw1 Ck B B@ ...

1 0 CC BB sw1 CC 6= Ck0 BB .. A @ .

1 CC CC : A

0 BB sw1 Ck B B@ ...

0 1 BB sw1 CC CC = Ck0 BB .. @ . A

1 CC CC ; A

+1

+1

sww+1 sww+1 Again, by Lemma 2.1, we have Ck Mw = Ck0 Mw . Now if +1

sww+1

+1

sww+1

then Ck Mw+1 = Ck0 Mw+1 . But Mw+1 is an invertible matrix too, it follows that Ck = Ck0 which is a contradiction. 0From the1 above discussion, we know that for any given sw+1 , there are q dierent values 1

BB sw Ck B B@ ...

+1

CC CC that all are equally likely to be accepted by Rk as authentic. So the probability of A

sww+1 the k ? 1 receivers guessing A(x) correctly is 1=q . 2 To authenticate w consecutive messages using DYF scheme, 2w polynomials are required while in our scheme we only need w + 1 polynomials. So the key storages for the sender and receivers

are reduced to w2+1 w times of that of DFY scheme, while the lengths of the authenticator for both constructions are the same.

3 A Construction Based on (n; m; k )-Cover-Free Family In this section we present a construction for multi-receiver authentication by combining an A-code and a (n; m; k)- cover-free Family. As noted before, a trivial solution for multi-receiver authentication is to give each receiver a shared secret key with the sender, and to transmit a concatenation of aa the individual authenticated messages to all the receivers. The disadvantage of this solution is that it requires the sender to store many key bits and requires a long tag for the authenticated message. DFY scheme significantly reduces the size of the key storage and the length of the authenticator. However in their scheme the order of the nite eld GF (q) has to be chosen such that q is not less than the size of the source space and the number of the receivers. The probabilities of impersonation and substitution attacks are both 1=q, and the size of the key storage and the length of the authenticator are a linear function of log q . Although it is acceptable to have the key storage, and length of the tag, a function of the probability of success, having the number of receivers and the size of source lower bound by this probability is not reasonable. In this case when the size of the source or the number of the receivers are very large, the requirements on the key storage of the sender and the receivers, as well as the length of authenticator may become too large. In practical application, we may deal with the scenarios that we are satis ed with deception probabilities higher than 1=q, but have limitation on the key storage or communication bandwidth. So it is desirable to look at construction methods that meet such trade-os. 5

De nition 3.1 Let X = fx ; : : : ; xmg and F = fB ; : : : ; Bn g be a family of subsets of X . We call (X; F ) an (n; m; k) Cover-Free Family (CFF) if B 6 B [


[ Bk? for all B ; B ; : : : ; Bk? 2 F , where Bi = 6 Bj if i = 6 j 1

1

0

1

1

0

1

1

We note that a (n; w; 2) CFF is exactly a Sperner family. CFF has been extensively studied by Erdos et al in [6] and [7]. A trivial CFF is the family consisting of single element subsets, in which n = m. Non-trivial CFFs are those with n > m. A good CFF is the one that for given m and k, n is as large as possible. Finding good CFFs is believed to be a hard combinatorial problem. Construction of good CFFs employs various areas of mathematics such as nite geometry, design theory and probability theory, and is beyond the scope of this paper. Let X = fx1; : : : ; xm g be a nite set and F = fB1 ; : : : ; Bn g be a family of subsets of X . Assume that (X; F ) is a (n; m; k) CFF and (S; T ; E; f ) is an A-code without secrecy. We construct a (k; n) multi-receiver A-code as follows 1. Key Distribution The KDC randomly chooses m-tuple of keys (e1; : : : ; em ) 2 E m , then privately sends (e1 ; : : : ; em ) to the sender T and ei to every receiver Rj for all j with xi 2 Bj , 1  i  m. 2. Broadcast For a source state s 2 S , the sender calculates ai = f (s; ei ) for all 1  i  m and broadcast (s; a1 ; : : : ; am ). 3. Veri cation Since the receiver Ri holds the keys fej j for all j with xj 2 Bi g, Ri accepts (s; a1 ; : : : ; am ) as authentic if for all j satisfying xj 2 Bi ; aj = f (s; ej ). Assume that the probabilities of impersonation and substitution attacks of the underlying code C are PI and PS , respectively, and let  = minfjB0nB1 [


[ Bk?1 jj for all B0 ; : : : ; Bk?1 2 Fg. Theorem 3.1 The above scheme is a (k; n) multi-receiver A-code and the probabilities of impersonation and substitution attacks are (PI ) and (PS ), respectively. The proof of the theorem is straightforward. In this scheme the sender is required to store mdlog jEje bits, and the receiver Ri to store jBi jdlog jEje bits. The authenticator is of size of mdlog jT je. The following example compares this construction with that of DFY polynomial scheme. Assume that the size of source states is only one bit (for example, yes and no) and we need a (2; 70) multi-receiver authentication code with the probabilities of impersonation and substitution attacks not greater than 1=2. Using DFY polynomial scheme we need a nite eld GF (q ) with q  70; it follows that dlog q e  7, and so the sender must store at least 28 bits and each receiver must store at least 14 bits. The length of the authenticator is at least 14 bits, and the probabilities of impersonation and substitution attack are not less than ( 21 )7. Now we use our construction. First, the Sperner family consisting of all 4-subsets of a set of 8 elements gives a (70; 8; 2) CFF. We also de ne the underlying A-code C = (S; T ; E; f ) as follows. Let S = T = GF (2); E = GF (2)2, and f : S  E ?! T be given by f (s; (e; e0 )) = e + se0 . Then C is an A-code with PI = PS = 12 . Applying our scheme, the sender must store 16 bits and each receiver must store 8 bits, the length of authenticator is of 8 bits. The probabilities of impersonation and substitution attack are both 1/2. We note that this construction is only suitable for the case when the number of malicious users is not very large compared to the number of the total users. This is due to the following result. Lemma 3.1 ([7]) In a non-trivial (n; m; k) CFF, k(k2?1)  n: 6

However, in [5] using the probabilistic method the authors proved that for small k, there exists (n; O(log n); k) CFFs. Finally, we point out that although in general the construction based on CFF does not provide the perfect protection, in some case it is more exible compared to DFY polynomial scheme, since the underlying A-code can be chosen according to various requirements. For example, it can be replaced by the universal hashing family, or a multiple A-code.

4 Multi-receiver Authentication with dynamic sender In this section we study the multi-receiver A-code with dynamic sender. We consider a scenario where there is a KDC(key distribution center) and a set of users. The KDC privately distributes a secret information (key) to each user. At a later time, one of the users generates an authenticated message and broadcasts it such that every other user can verify the authenticity of the sender and integrity of her/his message. That is, a collusion of up to a given size of the group of the receivers cannot succeed in impersonation or substitution attacks on other receivers. We assume that in the key distribution , the KDC does not know which user is going to broadcast the authenticated message. This means that each user is a potential sender or receiver. An obvious solution is by establishing a multi-receiver authentication system between each user, considered as the sender, and all the remaining users, considered as receivers . For instance, assume that there are n users P1 ; : : : ; Pn . Using DFY (k; n ?1) multi-receiver authentication scheme, the KDC randomly chooses an n-tuple of polynomial pairs of degree less than k, ([f1(x); g1(x)];: : : ; [fn (x); gn (x)]), and gives user Pi the secret information [fi (x); gi (x)] and ([f1(i);g1 (i)];: : : ; [fi?1 (i); gi?1 (i)]; [fi+1 (i); gi+1(i)];: : : ; [fn (i); gn (i)]), for each 1  i  n. If the user Pi wants to generate an authenticated message for a source state s 2 GF (q), Pi calculates Mi (x) = fi(x)+ sgi (x) and broadcasts (s; i; Mi (x)). The user Pj can verify authenticity of the message in the following way. Pj accepts (s; i;Mi (x)) as authentic being sent from Pi if Mi (j ) = fi (j ) + sgi (j ). In this scheme the KDC must store 2kndlog q e bits and each user to store 2(n + k ? 1)dlog q e bits. The length of the authenticator for each message is (k + 1)dlog q e bits. Since the lengths of keys for KDC and each user are of order O(n) , when the number of the users is very large, the overhead for the key storage both at the KDC and each user becomes very large. We de ne the multi-receiver A-code with dynamic sender similar to the multi-receiver A-code. The system has three phases: Key distribution, Broadcast and Veri cation. In a (k; n) multi-receiver A-code with dynamic sender no group of (k ? 1) users can perform a successful impersonation and substitution attacks on any other user. To de ne PI and PS , we note that because every user can be a sender, when a message is received by a user Pi , she/he must rst assume an identity for the sender and then verify the authenticity of the message with respect to the assumed identity. Let the k ? 1 malicious users be denoted by, Pl1 ; : : : ; Plk?1 . In the impersonation attack, Pl1 ; : : : ; Plk?1 collude and try to launch an attack against a pair of users Pi and Pj , by generating a message such that Pj accepts it as authentic and as being sent from Pi . We denote the successful probability in this case by PI [m; i; j ; L], where L = fPl1 ; : : : ; Plk?1 g. PI is the best probability of all such attack and is de ned by

PI = fmax max P [m; i; j ; L] L;i;j g m I where L [ fi;j g runs through all the (k + 1)-subsets of f1; 2; : : : ; ng In substitution attack, there are two distinct cases: 1. Message substitution: After seeing a valid message m broadcasted by Pi , the users fPl1 ; : : : ; Plk?1 g construct a new message m0 (m 6= m0 ) such that Pj will accept m0 as being sent from Pi . We 7

denote the successful probability in this case by PS [m; m0 ; i; j ; L], and the best probability of such an attack is denoted by PSmessage ,

PSmessage = fmax max P [m; m0 ; i; j ; L] L;i;jg m0 6=m S where L [ fi;j g runs through all the (k + 1)-subsets of f1; 2; : : : ; ng 2. Entity substitution: After seeing a valid message m broadcasted by Pi , the users fPl1 ; : : : ; Plk?1 g construct a new message m0 (m is not necessarily dierent from m0) such that Pj will accepts m0 as being sent from Pi0 , where i 6= i0. We denote the successful probability in this case by PS [m; m0 ; i; i0; j; L], and the best probability of such an attack is denoted by

PSentity = fL;i;i max0 max P [m; m0 ; i; i0; j ; L] S 0 m ;m ;j g where L [ fi;i0; j g runs through all the (k + 2)-subsets of f1; 2; : : : ; ng. We also de ne the probability of the substitution attack for the system as

PS = maxfPSmessage ; PSentity g: Now we present our construction. Let S be the set of source state, we assume S  GF (q ) and q  jSj + n. 1. Key distribution: The KDC chooses n distinct numbers ai in GF (q)nS , and gives ai to user Pi (1  i  n). These values are public knowledge and used as identity information for users. Then the KDC randomly chooses 3 symmetric polynomials of degree less than k with coecients in GF (q ),

0 BB k ? F`(x; y) = (1; x; : : : ; x )A` B B@ 1

1

y .. .

1 CC CC ; ` = 0; 1; 2; A

y k?1 where A` is a k  k symmetric matrix for all 0  `  2. For 1  i  n, the KDC computes the polynomials

0 BB G`i (x) = F` (x; ai ) = (1; x; : : : ; xk? )A` B B@ 1

1

ai .. .

1 CC CC ; ` = 0; 1; 2; A

aik?1 and gives the 3-tuple of polynomials, (G0i(x);G1i (x);G2i (x)), to user Pi . This constitutes the secret information of Pi . 2. Broadcast: For 1  i  n, assume that the user Pi wants to generate the authenticates message for a source state s 2 S . Pi computes the polynomial M1 (x) = G0i(x) + ai G1i (x) + a2i G2i(x) and M2 (x) = G0i (x) + sG1i (x) + s2 G2i(x) and broadcasts (s; ai ; M1 (x);M2 (x)). 3. Veri cation: The user Pj can verify the authenticity of the message in the following way. Pj accepts (s; ai ; M1 (x);M2 (x) as authentic being sent from Pi if M1(aj ) = G0j (ai )+ ai G1j (ai )+ a2i G2j (ai) and M2(aj ) = G0j (ai ) + sG1j (ai) + s2 G2j (ai ). 8

Theorem 4.1 The above scheme is a (k; n) multi-receiver authentication code with PI = q2 and 1

PS = PSmessage = PSentity = 1q :

The proof is given in the Appendix. Here we give some intuition behind the proof. Assume that after seeing an authenticated message (s; ai ; M1 (x);M2 (x)) broadcasted by the user Pi , the malicious users P1 ; : : : ; Pk?1 want to commit a message substitution attack on the user Pj . They want to generate a polynomial M (x) of degree less than k and a source state s0 2 S; s0 6= s; such that M (aj ) = G0j (ai)+ s0 G1j (ai )+ s02 G2j (ai) = F (ai ; aj )+ s0F1(ai; aj )+ s02 F2(ai; aj ). Using the idea of Blom's key distribution scheme in [1] (for the polynomial representation of Blom's scheme see [2] and [11]), we know that P1; : : : ; Pk?1 , by pooling their secret information f(F0(x; ai ); F1 (x; ai )) j i = 1; : : : ; k ? 1g together can not obtain any information about (F0 (ai ; aj ); F1 (ai ; aj ); F2 (ai ; aj )), and so it is easy to see that even if they know M1 (aj )) and M2 (aj ) the probability that they correctly guess the value of M (aj ) is 1=q . The contribution of our proof is that it remains true even P1 ; : : : ; Pk?1 know M1 (x) and M2 (x). This scheme, requires the KDC to store 3k(k2+1) dlog q e bits and each user to store 3kdlog q e bits. The length of the authenticator for each message is (2k + 1)dlog q e bits. Compared with the construction based on DFY scheme, we see that the key storages at the KDC and receivers are both reduced. The length of authenticator in this construction is about twice of that of DFY scheme. This is expectable since the length of theauthenticator in DFY scheme is optimal and the cost of longer authenticator is compensated by the reduced key storage. The above scheme can be easily generalized in the following ways. Firstly instead of 3 symmetric polynomials, by choosing (w + 2) (w  1) symmetric polynomials of degree less than k, using a construction similar to that of Section 2, we can generalize the scheme such that the sender (one of the users) can broadcast w authenticated messages. Secondly, the scheme can be extended such that more than one user can broadcast authenticated messages. We brie y describe the main idea behind this construction. Assume that there are t users who want to broadcast authenticated messages. In the key distribution phase, the KDC randomly chooses (2t +1) symmetric polynomials of degree less than k + t, F0 (x; y ); : : : ; F2t(x; y ), and privately sends to Pi the polynomials, F0 (x; ai ); : : : ; F2t(x; ai ). If Pi wants to authenticate a message s, Pi calculates M1 (x) = F0 (x; ai ) + ai F1 (x; ai ) + : : : + a2i t F2t(x; ai ) and M2 (x) = F0 (x; ai ) + sF1 (x; ai ) + : : : + s2tF2t(x; ai ) and broadcasts (s; ai; M1 (x); M2 (x)). Then every user can verify the authenticity of (s; ai ; M1 (x);M2 (x)). In this scheme, up to t users can individually broadcast authenticated messages, and any group of k ? 1 users can not succeed in impersonation or substitution attacks on other users. Details of these constructions will be given in the nal version of the paper.

5 Conclusion In this paper rst we generalized DFY polynomial scheme for multi-receiver A-code in such a way that each key can be used to authenticate multiple messages instead of a single message. Next we suggested a exible construction for multireceiver A-codes by combining an A-code and an (m; n; k) cover-free family. Finally we introduced the model of multi-receiver A-codes with dynamic sender and presented a construction that is much more ecient than the naive method.

References [1] R. Blom, An optimal class of symmetric key generation systems, Lecture Notes in Computer Science, 209(1985), 335-338 (Advances in Cryptology{Eurocrypt '84) 9

[2] C. Blundo, A. De Santis, A. Herzberg, S. Kutten, U. Vaccaro and M. Yung, Perfectly secure key distribution for dynamic conferences, Lecture Notes in Computer Science, 740(1993), 471-486 (Advances in Cryptology { CRYPTO'92) [3] Y. Desmedt and Y. Frankel, Shared generation of authenticators and signatures, Adv. in Cryptology - Crypto '91, Lecture Notes in Comput. Sci., 576, 457-469. [4] Y. Desmedt, Y. Frankle and M. Yung, Multi-receiver/Multi-sender network security: ecient authenticated multicast/feedback, IEEE Infocom'92, (1992) 2045-2054. [5] M. Dyer, T. Fenner, A. Frieze and A. Thomason, On key storage in secure networks, Journal of Cryptology 8(1995), 189-200. [6] P. Erdos, P. Frankl, and Z. Furedi, Families of nite sets in which no sets is covered by the union of two others, Journal of Combinatorial Theory, Series A 33(1982), 158-166. [7] P. Erdos, P. Franlkl, and Z. Furedi,Families of nite sets in which no sets is covered by the union of r others, Israel Journal of Mathematics,51(1985), 79-89. [8] K. Kurosawa and S. Obana, Characterization of (k; n) multi-receiver authentication, Information Security and Privacy, ACISP'97, Lecture Notes in Cpmput. Sci. 1270,(1997) 204-215. [9] J. L. Massey, Cryptography - a selective survey, Digital Communications, North Holland(pub) (1986)3-21. [10] G. J. Simmons, A survey of information authentication, in Contemporary Cryptology, The Science of Information Integrity, G.J. Simmons, ed., IEEE Press, (1992), 379-419. [11] D. R. Stinson, On some metholds for unconditionally secure key distribution and broadcast encryption, Designs, Codes and Cryptography, 12(1997), 215-243.

10

APPENDIX Lemma 2.1 There exist q dierent matrices D such that DMw = B and Xk? D = C . Proof: It is sucient to prove that there exist q dierent matrices D such that DMw = 0 and Xk? D = 0. First, we observe that given an n  m matrix D = (dij ), we can associate it a polynomial over x; y 1 0 1 BB y CC n ? (3) F (x;y) = (1;x;


; x )D B B@ ... CCA 1

1

0

1

0

ym?1

and conversely, every polynomial F (x; y ) can be written as the form (3) for some n  m matrix D0. Now consider the polynomial

F (x; y) = (x ? x1)(x ? x2)


(x ? xk?1 )(y ? s1 )(y ? s2)


(y ? sw ):

0 B B k ? Let F (x; y ) = (1; x;


; x )D B B @ 1

1

y .. .

1 CC CC ; where D is a k  (w + 1) matrix and D 6= 0. Clearly, A

yw F (x1; y) = F (x2; y) =


= F (xk?1 ; y) = 0 for all y. It follows

2 1 x


xk? 66 1 x


xk? 64











1 xk?


xkk?? 1

1

2

2

1 1

1 1

1

3 77 75 D = 0:

Indeed, we may choose (w + 1) distinct elements y1 ; y2 ;


; yw+1 in GF (q ), then

F (x1 ; yi ) = F (x2 ; yi) =


= F (xk?1 ; yi ) = 0; for all 1  i  w + 1: Thus we have

2 66 y1 y1 Since 64





1

have

2

y1w y2w

3 2 1 x


xk? 3 2 1 1


1 66 1 x


xk? 77 66 y y


yw 77 64











75 D 64











75 = 0 y w yw


yww 1 xl


xkk?? 3


1


yw 777 is a Vandermonde matrix, the desired result follows. Similarly, we





5


yww 3 2 1 1


1 6 s


sw 777 = 0: D 664
s










5 w w s s


sww 1

1

2

2

1

1

1 1

1

2

+1

1

2

+1

+1

+1

1

2

1

2

For each r 2 GF (q ), we also have (rD)Mw = 0 and Xk?1 (rD) = 0. Thus there are q dierent matrices frD j r 2 GF (q )g with the desired property. So we complete the proof of the lemma 2 11

Theorem 4.1 The above scheme is a (k; n) multi-receiver authentication code with PI =

1

q2

and PS = PSmessage = PSentity = 1q : Proof: Assume that after seeing an authenticated message (s; ai; M1(x); M2(x)) broadcasted by the user Pi , the users P1 ; : : : ; Pk?1 want to generate a new message (s0; ai ; M1 (x);M20 (x)), where s0 6= s such that the user Pj will accepts it as authentic, i.e. M20 (aj ) = G0j (ai) + s0 G1j (ai ) + s02 G2j (ai ). First, we observe that for each m 2 GF (q ) each user, Pt say, can 0 calculate 1 the polynomial G0t(x)+ 1

mG1t(x) + m G2t(x) = 2

BB + m A )B B@

(1; x;


; xk?1 )(a0 + mA1

2

2

at C CC

.. C. It follows that for each . A

atk?1 m 2 GF (q), P1; : : : ; Pk?1 can calculated a k  (k ? 1) matrix D[m] such that the following identity holds 2 1


1 3 6 a1


ak?1 77 (4) (A0 + mA1 + m2A2 ) 664








75 = D[m]: a1k?1


akk??11 Since (s; ai ; M1 (x);M2 (x)) has been broadcasted. 0 it1follows that the following two polynomials 1

BB ai CC f (x) = (1;x;


; xk? )(A + ai A + ai A ) B B@ ... CCA and g(x) = (1;x;


; xk? )(A + sA + aik? 0 1 1 BB ai C C . By combining equation 4 and these two polynomials. P ; : : : ; Pk? can also s A )B B@ ... C C A 1

0

1

2

1

2

0

1

1

2

1

2

1

aik?1

calculate matrices B and C such that the following equations hold. A0 + ai A1 + a2i A2 = B 2 2 A0 + sA1 + s A32 = C 1


1 6 a1


ak?1 777 = D[m] for all m 2 GF (q) (A0 + mA1 + m2 A2) 664








5

a1k?1


akk??11

(5) (6) (7)

We claim that in the above equations (5), (6) and (7), knowing B , C , and D[m] for all m 2 GF (q) can not determine the 3-tuple matrices (A0; A1 ; A2 ).In fact, there exists q distinct 3-tuple matrices (A0; A1; A3 ) satisfying equations (5), (6) and (7). This is equivalent to the following statement There exists a 3-tuple matrices (A0 ; A1 ; A2 ) 6= (0; 0; 0) such that the following equations hold A0 + aiA1 + a2i A2 = 0 (8) 2 (9) 2 A1 0 +

sA
1 +1s A32 = 0 6 a1


ak?1 77 (A0 + mA1 + m2 A2 ) 664


(10)





75 = 0 for all m 2 GF (q)

a1k?1


akk??11 12

Consider the symmetric polynomial over x; y

F (x; y) = (x ? a1 )


(x ? a0k?1 )(y ?1a1)


(y ? ak?1 )

BB = (1; x;


; xk? )A B B@

1

y C CC

.. C ; . A

1

yk?1

where A is a k  k symmetric matrix and A 6= 0. Let f (x) = (x ? ai )(x ? s) = x2 ? (ai + s)x + ai s. We de ne A0 = ai sA; A1 = ?(ai + s)A and A3 = A, then it is not dicult to verify that A0 ; A1 ; A2 satisfy the desired properties. We note that if (A0; A1; A3) satisfy the equations (8), (9) and (10) , so is (rA0 ; rA1 ; rA3) for all r 2 GF (q). This implies that there are q distinct 3-tuple symmetric polynomials which are equally likely to be chosen by the KDC. But, of course, one of them is exactly chosen . Now let the 3-tuple matrices (A0; A1; A2) satisfy the equations (8), (9) and (10), we claim that for each s0 6= s; ai in GF (q) 1 0 1

B @

B (1;aj ;


; ajk?1 )(A0 + s0 A1 + s02 A2 ) B B

Indeed, we have

2 1 a


ak? 66











64 1 ak?


ak? k? 1 aj


ajk? 2 1 a


ak? 6











= 664 1 a k? k?


ak? 1 aj


ajk? " # 1

1

1 1 1

1

1

1

1

=

1

1

1 1 1

ai C CC

.. C = d 6= 0 . A

aik?1

3 2 1


1 3 1 77 6


ak? ai 777 75 (A + s0A + s0 A ) 664
a










5 ak?


akk?? aik? 2 1


1 3 1 6 77 a


ak? ai 75 (ais ? (ai + s)s0 + s0 )A 664











k ?


akk?? aik? a 0

1

2

1

2

1

1

1

1 1

1

1

2

1

1

1

1 1

1

3 77 75

0 0 0 d

Since f (s0) = (s0 ? s)(s0 ? ai ) 6= 0, we have d = f (s0 )F (ai ; aj ) 6= 0. It follows that q distinct 3-tuple matrices give rise to q distinct possible value of d. This is equivalent to that the q distinct possible 3-tuple polynomials (F0(x; y ); F1 (x; y ); F2 (x;y )) chosen by the KDC results in q distinct values of the form F0 (ai; aj ) + s0 F1 (ai ; aj ) + s2 F2 (ai ; Aj ). Therefore the probability of message substitution attack PSmessage is 1=q. Similarly, we can prove that the probability of entity substitution attack PSentity is also 1=q, and the probability of impersonation attack PI is 1=q 2. 2

13