Infinite Families of Optimal Splitting Authentication Codes Secure Against Spoofing Attacks of Higher Order

We consider the problem of constructing optimal authentication codes with splitting. New infinite families of such codes are obtained. In particular, we establish the first known infinite family of optimal authentication codes with splitting that are secure against spoofing attacks of order two.


1. Introduction.
In the standard model of authentication theory [13,14,15,18], a transmitter wants to send some information to a receiver across an insecure channel while an opponent with access to the channel wants to deceive the receiver. The opponent can either insert new messages into the channel, or intercept messages from the transmitter and modify them into his own. In each case, the opponent's goal is to deceive the receiver into believing that the new messages are authentic (coming from the transmitter). The first attack based on insertion of new messages is known as impersonation and the second attack based on modification of messages from the transmitter is known as substitution.
More formally, let $\mathcal{S}$ denote the set of all source states, $\mathcal{M}$ be the set of all messages, and $\mathcal{E}$ be the set of all encoding rules. All these are finite sets. A source state is the information the transmitter wishes to communicate to the receiver. An encoding rule is an injection from $\mathcal{S}$ to $2^{\mathcal{M}}$. The transmitter and receiver agree beforehand on a secret encoding rule $e \in \mathcal{E}$. To communicate a source state $s \in \mathcal{S}$, the transmitter determines $M = e(s)$ (note that $M \subseteq \mathcal{M}$) and chooses a message $m \in M$ to send to the receiver. The receiver accepts the received message as authentic if there exists an $M$ in the image of $e$ containing the received message.
For the receiver to recover the source state, each encoding rule must satisfy the condition e(s) ∩ e(s′) = ∅, for distinct s, s′ ∈ S.
The triple (S, M, E) is called an authentication code, or A-code in short.
An A-code (S, M, E) can be represented by an |E| × |S| matrix, whose rows are indexed by authentication rules, and columns indexed by source states, such that the entry in row e ∈ E and column s ∈ S is e(s).
For k an integer and X a finite set, we denote by $\binom{X}{k}$ the set of all k-subsets of X. Research on authentication codes has focused on the case when every encoding rule is an injection from $\mathcal{S}$ to $\binom{\mathcal{M}}{c}$, for some positive c. Such an A-code is called a c-splitting A-code. A 1-splitting A-code is also known as an A-code without splitting, and a c-splitting A-code with c ≥ 2 is known as an A-code with splitting. A-codes with splitting are useful for the analysis of authentication with arbitration [9], an extended model of authentication introduced by Simmons [16,17] for the scenario when the transmitter and receiver may both be deceptive.
In a spoofing attack of order i [10], the opponent observes i distinct messages sent by the transmitter through the insecure channel under the same encoding rule. The opponent then inserts a new message (distinct from the i messages already sent), hoping to have it accepted by the receiver as authentic. Within this framework, impersonation and substitution attacks are just spoofing attacks of order zero and one, respectively. While these attacks have been rather well studied for A-codes, less is known for the case of spoofing attacks of order i ≥ 2, especially on c-splitting A-codes when c ≥ 2.
The probability distribution on the set of source states S induces a probability distribution on S i , i ≥ 0. Given these probability distributions, the transmitter and receiver choose a probability distribution on E, called an encoding strategy. For any s ∈ S and e ∈ E, the transmitter also chooses a probability distribution on e(s), called a splitting strategy. The opponent is assumed to know the encoding and splitting strategies. The transmitter and receiver choose the encoding and splitting strategies to minimize the probability of being deceived by the opponent. We denote by $P_{d_i}$ the probability that the opponent can deceive the receiver with a spoofing attack of order i. The following lower bound on $P_{d_i}$ is known.
Proposition 1.1 (Huber [7]). In a c-splitting A-code (S, M, E),
A c-splitting A-code is said to be (t − 1)-fold secure against spoofing if $P_{d_i} = c(|\mathcal{S}| - i)/(|\mathcal{M}| - i)$, for all i, 0 ≤ i < t. For succinctness, we call such a code a (t, c)-splitting A-code.
Huber [7] also showed that the number of encoding rules must be large enough if an A-code is to be (t − 1)-fold secure against spoofing.
Proposition 1.2 (Huber [7]). In a (t, c)-splitting A-code (S, M, E),
For efficiency, we want the number of encoding rules in an A-code to be as small as possible. We call a (t, c)-splitting A-code optimal if the lower bound in Proposition 1.2 is met with equality.
The main contribution of this paper is on the construction of optimal (t, c)-splitting A-codes with three source states, for c ≥ 2 and t ∈ {2, 3}. In particular, we show that the following two new families of A-codes exist: (i) (2, 5)-splitting A-codes with three source states and v messages, for all v ≡ 1 mod 150, v ≠ 301. (ii) (3, 2)-splitting A-codes with three source states and v messages, for all v ≡ 2 mod 8. The (3, 2)-splitting A-codes we obtained form the first known infinite family of (t, c)-splitting A-codes with t > 2 and c > 1. We also prove that a (2, c)-splitting A-code with k source states and v messages exists for all sufficiently large v (with k and c fixed).

2. Preliminaries.
This section serves to provide notions and results that are required for our construction in subsequent sections.
The ring $\mathbb{Z}/n\mathbb{Z}$ is denoted $\mathbb{Z}_n$.
A is a set of k × c arrays, called blocks, with entries from X, such that each point of X occurs at most once in each block;
Note that a splitting t-(v, k × 1, λ) design coincides with the classical notion of a t-(v, k, λ) design. Huber [7] proved the equivalence between splitting t-designs and optimal splitting A-codes.
Theorem 2.2 (Huber [7]). There exists a splitting t-(v, k × c, 1) design if and only if there exists an optimal (t, c)-splitting A-code for k equiprobable source states, having v messages and $\binom{v}{t} / \bigl(c^t \binom{k}{t}\bigr)$ encoding rules.
The necessary divisibility conditions for the existence of splitting t-designs are as follows.
Proposition 2.1 (Huber [7]). The necessary conditions for the existence of a split-
Sometimes, the points of a splitting t-design (X, A) can be identified with the elements of an additive group Γ, so that X = Γ. If the set of blocks A can be generated by a set B ⊆ A, that is, then B is called a set of base blocks of (X, A).
Our constructions for splitting t-designs also rely on group divisible designs (GDD). Let t, k, and v be nonnegative integers. A group divisible t-design of order v and block size k, denoted GDD(t, k, v), is a triple $(X, \mathcal{G}, \mathcal{A})$ satisfying the following properties:
(i) X is a set of v elements, called points;
(ii) $\mathcal{G} = \{G_1, \ldots, G_s\}$ is a partition of X into subsets, called groups;
(iii) $\mathcal{A} \subseteq \binom{X}{k}$, whose elements are called blocks, such that each $A \in \mathcal{A}$ intersects any group $G \in \mathcal{G}$ in at most one point;
(iv) every $T \in \binom{X}{t}$ containing at most one point from each group is contained in exactly one block.
The type of a GDD(t, k, v) $(X, \mathcal{G}, \mathcal{A})$ is the multiset $[\,|G| : G \in \mathcal{G}\,]$. We use the exponential notation to describe the type of a GDD: a GDD of type $g_1^{n_1} \cdots g_s^{n_s}$ is a GDD where there are exactly $n_i$ groups of size $g_i$, 1 ≤ i ≤ s.
Analogous to splitting t-designs, a "splitting" version of a GDD can be defined. This has been done by Wang [19] for t = 2. Here, we extend it to general t. A splitting group divisible t-design, denoted splitting GDD(t, k × c, v), is a triple $(X, \mathcal{G}, \mathcal{A})$ satisfying the following properties:
(i) X is a set of v elements, called points;
(ii) $\mathcal{G} = \{G_1, \ldots, G_s\}$ is a partition of X into subsets, called groups;
(iii) $\mathcal{A}$ is a set of k × c arrays, called blocks, with entries from X, such that each point of X occurs at most once in each block;
(iv) for every $\{x_i : 1 \le i \le t\} \in \binom{X}{t}$ containing at most one point from each group, there is exactly one block in which $x_i$, 1 ≤ i ≤ t, occur in t different rows.
The type of a splitting GDD is defined in a fashion similar to that for a GDD.
Splitting GDDs play an important role in the recursive constructions of splitting designs. The following is a straightforward extension of Wilson's Fundamental Construction for GDDs [21,22] to splitting GDDs.
Theorem 2.4 (Fundamental Construction). Let $(X, \mathcal{G}, \mathcal{A})$ be a GDD(t, k, v). Suppose that for each block $A \in \mathcal{A}$, there exists a splitting GDD(t, k′ × c, kc) of type $c^k$,
Since the trivial splitting GDD(t, k × c, kc) of type $c^k$ (containing only one block) always exists for any t, k, and c, we have the following.
As shown by Ge et al. [3], we can also fill in the groups of a splitting GDD with a splitting 2-design to obtain new splitting 2-designs.

2.2. State of Affairs.
The following theorem summarizes the state of knowledge on the existence of splitting t-designs with λ = 1.
3. Nonexistence and Asymptotic Existence.
Let λ be a positive integer. The complete (loopless) multigraph on v vertices, denoted $\lambda K_v$, is the graph where every pair of distinct vertices is connected by λ edges. Let G be a simple graph without isolated vertices. A G-design of order v and index λ is a partition of the edge set of $\lambda K_v$ into subgraphs, each of which is isomorphic to G. If e(G) denotes the number of edges in G, and d(G) denotes the greatest common divisor of the degrees of vertices in G, then simple counting shows that the conditions are necessary for the existence of a G-design of order v and index λ. A celebrated result of Wilson [23] states that these necessary conditions are also asymptotically sufficient.
Theorem 3.1 (Wilson [23]). Let G be a simple graph without isolated vertices. Then there exists a constant $v_0$ depending only on G and λ such that a G-design of order v and index λ exists for all v ≥ $v_0$ satisfying λv(v − 1) ≡ 0 mod 2e(G) and λ(v − 1) ≡ 0 mod d(G).
Let $K_{k \times c}$ denote the complete k-partite graph, with each part having c vertices. A splitting 2-(v, k × c, λ) design $(X, \mathcal{A})$ is equivalent to a $K_{k \times c}$-design of order v and index λ through the following correspondence: (i) a point in X corresponds to a vertex in $\lambda K_v$, (ii) a block $A \in \mathcal{A}$ corresponds to the complete k-partite graph, where the i-th part contains c vertices corresponding to the c entries in row i of A, 1 ≤ i ≤ k. Applying Theorem 3.1 with G = $K_{k \times c}$ then gives the following result on the asymptotic existence of splitting 2-designs.
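Added example (not from the paper): the smallest case of the correspondence above, together with the A-code model of Section 1, checked by enumeration. The array [[0, 1], [2, 4]] developed over Z_9 is a base block constructed here for illustration; the code verifies that its nine translates split every pair of K_9 across rows exactly once (a splitting 2-(9, 2 × 2, 1) design) and then computes $P_{d_0}$ and $P_{d_1}$ of the resulting A-code. It assumes uniform encoding and splitting strategies, equiprobable source states, and that a substitution counts only when the new message decodes to a different source state.

```python
from fractions import Fraction
from itertools import combinations

V, K, C = 9, 2, 2           # |M| messages, |S| source states, splitting c
BASE = [[0, 1], [2, 4]]     # constructed k x c base block over Z_9 (assumption)

def develop(base, n):
    """Translate the base block by every g in Z_n; each block is one encoding rule."""
    return [[[(x + g) % n for x in row] for row in base] for g in range(n)]

def cross_row_pairs(block):
    """Edges of the complete k-partite graph whose parts are the rows of a block."""
    return [tuple(sorted((x, y))) for r1, r2 in combinations(block, 2)
            for x in r1 for y in r2]

def is_splitting_2_design(blocks, n):
    """Points distinct within each block; every pair split across rows exactly once."""
    if any(len({x for row in b for x in row}) != sum(map(len, b)) for b in blocks):
        return False
    seen = sorted(p for b in blocks for p in cross_row_pairs(b))
    return seen == list(combinations(range(n), 2))

def row_of(rule, m):
    """Source state (row index) that message m decodes to under a rule, else None."""
    return next((s for s, row in enumerate(rule) if m in row), None)

def p_d0(rules, n):
    """Impersonation: best chance that one inserted message is valid."""
    return max(Fraction(sum(row_of(e, m) is not None for e in rules), len(rules))
               for m in range(n))

def p_d1(rules, n):
    """Substitution: best chance that m2 decodes to a source state other than the
    one of the observed m1; uniform strategies give a uniform posterior on rules."""
    best = Fraction(0)
    for m1, m2 in ((a, b) for a in range(n) for b in range(n) if a != b):
        live = [e for e in rules if row_of(e, m1) is not None]
        hits = sum(row_of(e, m2) not in (None, row_of(e, m1)) for e in live)
        best = max(best, Fraction(hits, len(live)))
    return best

def bound(i):
    """The value c(|S| - i)/(|M| - i) quoted in Section 1."""
    return Fraction(C * (K - i), V - i)

RULES = develop(BASE, V)

if __name__ == "__main__":
    print(is_splitting_2_design(RULES, V), len(RULES))
    print(p_d0(RULES, V), bound(0), p_d1(RULES, V), bound(1))
```

Both computed probabilities equal c(|S| − i)/(|M| − i), and the nine encoding rules match the count given in Theorem 2.2 for v = 9, k = 2, c = 2, t = 2.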

Splitting 3-Designs.
In this section, we establish the existence of the first known infinite family of splitting 3-designs with c > 1.
Let t, k, and v be nonnegative integers. A (t, k) candelabra system of order v is a quadruple $(X, S, \mathcal{G}, \mathcal{A})$ that satisfies the following properties:
(i) X is a set of v elements, called points;
(ii) S ⊆ X, called the stem;
(iii) $\mathcal{G} = \{G_1, \ldots, G_m\}$ is a partition of X \ S (elements of $\mathcal{G}$ are called groups);
(iv) $\mathcal{A} \subseteq \binom{X}{k}$, whose elements are called blocks;
The type of a (t, k) candelabra system $(X, S, \mathcal{G}, \mathcal{A})$ is the multiset $[\,|G| : G \in \mathcal{G}\,]$. A (t, k) candelabra system of type $g_1^{n_1} \cdots g_r^{n_r}$ with a stem of size s is denoted (t, k)-CS($g_1^{n_1} \cdots g_r^{n_r}$ : s).
Here, we introduce the notion of splitting candelabra systems. A splitting (t, k × c) candelabra system of order v is a quadruple $(X, S, \mathcal{G}, \mathcal{A})$ that satisfies the following properties:
(i) X is a set of v elements, called points;
(ii) S ⊆ X, called the stem;
(iii) $\mathcal{G} = \{G_1, \ldots, G_m\}$ is a partition of X \ S (elements of $\mathcal{G}$ are called groups);
(iv) $\mathcal{A}$ is a set of k × c arrays, called blocks, with entries from X, such that each point of X occurs at most once in each block;
occur in t different rows.
We use the same notation for splitting (t, k) candelabra systems as those for (t, k) candelabra systems.
The following theorem is an extension of Hartman's Fundamental Construction [5] from (3, k) candelabra systems to splitting (3, k) candelabra systems.
Proof. Let $(X, S, \mathcal{G}, \mathcal{A})$ be a (3, k)-CS($g_1^{n_1} \cdots g_r^{n_r}$ : s), and let ∞ be a distinguished point in S. For Y ⊆ X, define the set of points Further define For each $A \in \mathcal{A}$ containing the point ∞, let be a splitting (3, k′ × c)-CS($m^{k-1}$ : a), and for each $A \in \mathcal{A}$ not containing the point It is easy to check that $(P(X), S', \mathcal{G}', \mathcal{A}')$, where is the required splitting (3, k′ × c)-CS($(g_1 m)^{n_1} \cdots (g_r m)^{n_r}$ : m(s − 1) + a).
We can also fill in the groups of a splitting candelabra system by splitting 3-designs to obtain larger splitting 3-designs.