Page 1: WHEN COMBINATORICS MEETS CRYPTOGRAPHY (A Tale About Alice …collectionscanada.gc.ca/obj/s4/f2/dsk2/ftp01/MQ37631.pdf · When Alice and Bob are two computers, they will not communicate

WHEN COMBINATORICS MEETS CRYPTOGRAPHY

(A Modern Tale About Alice And Bob)

Nelly Simões

B.Sc. Université de Montréal, 1995

A THESIS SUBMITTED IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE DEGREE OF MASTER OF SCIENCE (MATHEMATICS) in the Department of Mathematics and Statistics

© Nelly Simões 1998
SIMON FRASER UNIVERSITY
December 1998

All rights reserved. This work may not be reproduced in whole or in part, by photocopy or other means, without the permission of the author.


National Library of Canada / Bibliothèque nationale du Canada
Acquisitions and Bibliographic Services

The author has granted a non-exclusive licence allowing the National Library of Canada to reproduce, loan, distribute or sell copies of this thesis in microform, paper or electronic formats.

The author retains ownership of the copyright in this thesis. Neither the thesis nor substantial extracts from it may be printed or otherwise reproduced without the author's permission.


ABSTRACT

Suppose Alice wants to say something to Bob and only cares about the authentication of her message. Authentication without secrecy makes it possible for Bob to receive Alice's message and be certain it came from her. Alice wants to use an unconditionally secure method of authentication. She does not want anyone to be able to modify her message, not even a person with lots of computer power. This is why Alice decides to use a combinatorial method to authenticate her message to Bob.

Now suppose that we change the cryptographic hypotheses. Suppose now that Alice wants her message to Bob to be secret, or that she wants authentication and secrecy, or suppose Alice wants to share her secret with three of her friends, or that Alice is the director of a company and she wants any two of her vice-presidents to be able to open a safe, or finally that she wants to send a secret image to Bob. These are all different cryptographic hypotheses that we are going to analyse and study. We will investigate, compare and critique some of their constructions as derived from different combinatorial structures such as orthogonal arrays, perpendicular arrays, latin squares, Steiner systems, projective geometries and block designs.


ACKNOWLEDGEMENTS

I am extremely grateful for the guidance, the moral support, the financial support, and the friendship of my supervisor Dr. Kathy Heinrich.

I have a special place in my heart for my parents and all my friends in Montréal, Ottawa and Vancouver. Especially my mom Lucia, my dad Boaventura, José, François and Céline, who, because of my studying at this end of the country, have spent a fortune on long distance phone calls.

I am very thankful for the help, advice, kindness and generosity of my friend Frédéric Tessier. Alice and Bob would never be who they are if it were not for him!

I am also very thankful to Helen Verrall who tediously read and edited my thesis.

I am very grateful for the support of all those who consciously or unconsciously made my learning journey enjoyable and helped me smile on those hard working days. Thanks to the teachers, graduate students and staff of the department of Mathematics and Statistics.


DEDICATION

"Nobody keeps a secret like a child." ("Personne ne garde un secret comme un enfant.")

- Victor Hugo.


Contents

APPROVAL ii
ABSTRACT iii
ACKNOWLEDGEMENTS iv
DEDICATION v
List of Figures viii
1 Cryptography 1
2 Authentication Codes Without Secrecy 11
  2.1 Oscar, You're Such a Cheater 14
  2.2 Trust and Honesty 15
  2.3 Probabilities of Cheating 17
  2.4 Construction of an A-Code Without Secrecy 26
3 Secrecy Codes 48
  3.1 I Have a Secret to Tell You 50
  3.2 I Have So Many Secrets to Tell You 53
  3.3 Construction of Secrecy Codes 56
4 Authentication Codes With Secrecy 65
  4.1 Probabilities of Cheating 67
  4.2 Construction of a General Authentication Code 71
  4.3 Construction of (L, L - 1)-Codes and (L, L)-Codes 83
5 Secret Sharing Schemes 87
  5.1 Key Splitting 89
  5.2 Threshold Schemes Arising from Orthogonal Arrays 92
  5.3 Threshold Schemes Arising From Finite Geometries 102
  5.4 Secret Sharing Schemes Arising From Latin Squares 107
6 Visual Cryptography 120
  6.1 Construction of a (2, 2)-VTS 122
  6.2 Construction of a (2, w)-VTS 128
  6.3 Oscar, You're Such a Cheater - Again! 135
7 Conclusions 140
Appendices
A Glossary 143
Bibliography 153


List of Figures

1.1 Roles of the participants in a protocol 3
1.2 Classical versus present cryptography 5
1.3 Encryption and decryption of information 7
1.4 Key exchange using public key cryptography 7
1.5 Digital signature 9
1.6 Authentication and Secrecy 10
2.1 e_(i,j)(s) ≡ js + i (mod 3) 13
2.2 An orthogonal array OA(3, 3, 1) 27
2.3 An OA(3, 4, 1) constructed from Theorem 2.10 32
2.4 An orthogonal array OA(7, 2) 34
3.1 A latin square LS(5) 51
3.2 e_K(x) ≡ K + x + 1 (mod 5) 52
3.3 A perpendicular array PA_1(2, 5, 5) 57
4.1 Representation of the Steiner system ST(2, 3, 9) 72
4.2 An authentication code constructed from a Steiner system ST(2, 3, 7) 81
4.3 An authentication perpendicular array APA_1(2, 5, 5) 85
6.1 (title illegible in the scan) 123
6.2 Construction of a white pixel 124
6.3 Construction of a black pixel 125
6.4 Alice's picture 126
6.5 Share distributed to P1 127
6.6 Share distributed to P2 127
6.7 The reconstructed image of Alice's picture using (2, 2)-VTS 128
6.8 Basis matrices for a (2, 2)-VTS, m = 2 129
6.9 Shares of a (2, 3)-VTS for a black pixel 130
6.10 Reconstructed black pixel of a (2, 3)-VTS 131
6.11 Reconstructed white pixel of a (2, 3)-VTS 131
6.12 The share of Alice's secret love assigned to Bob 136
6.13 The share of Alice's secret love assigned to Oscar 137
6.14 Oscar's new share 137
6.15 The reconstructed image from Bob's share and Oscar's tampered share 138
6.16 Alice's true love 139
7.1 When combinatorics meets cryptography 141


Chapter 1

Cryptography

We all communicate. Every day, we exchange words and ideas with others. In this age of communication, the science of cryptology has blossomed. Talks, conferences and Internet newsgroups on cryptology are very popular. During the past two and a half decades cryptography has gone from a subject reserved for military activities to a necessity for conducting commercial activities and is now of importance in our personal communications.

The general ideas presented in this chapter can be found in the books "Network Security: PRIVATE Communication in a PUBLIC World" by Kaufman, Perlman and Speciner [16], the funniest 'serious' book I have ever read, in "Applied Cryptography" by Schneier [27] and in "Cryptography: Theory and Practice" by Stinson [39].

In this chapter, we intend to present simple introductory notions in cryptology and some of the cryptographic techniques commonly used. We are also going to briefly present some alternatives to the actual methods used.


The word cryptology comes from the ancient Greek kryptos which means hidden and logos which means words. Cryptology is the science of hidden words. It is the science that includes cryptography and cryptanalysis. As a short definition, we can say that a cryptographer is responsible for building secure cryptosystems and a cryptanalyst is responsible for finding flaws in the cryptographer's product so as to be able to discover the information that the cryptographer wants to keep secure. Unfortunately, most of the time cryptanalysts are referred to as the bad guys¹. However there are also friendly cryptanalysts whose work is to "expose the unsuspected weaknesses of ciphers so that they can be taken out of service or their designs remedied" [19].

In the domain of cryptology, we hear the word protocol a lot. A protocol is like a never-fail recipe for good communication between different parties. It is a series of steps involving two or more parties designed to accomplish a specific task.

There are several characteristics of a protocol:

1. Everyone involved in a protocol must know the protocol and all of its steps in advance.

2. Everyone involved in the protocol must agree to follow it.

3. The protocol must be unambiguous; each step must be well defined and there must be no chance of a misunderstanding.

4. The protocol must be complete in that there must be a specified action for every possible situation.

¹No moral judgement is made by this appellation.


Since cryptographic protocols have to be well understood by engineers, computer scientists, physicists, mathematicians, business people and many others, there is a nice tradition in cryptology that gives character names to the participants in the protocols. In Figure 1.1 we list the most common ones and their roles:

Participant   Function
Alice         Participant in all protocols
Bob           Participant in 2-, 3- and 4-party protocols
Carol         Participant in 3- and 4-party protocols
Dave          Participant in 4-party protocols
Eve           Eavesdropper
Mallet        Malicious active attacker
Oscar         Opponent
Trent         Trusted arbitrator
Walter        Warden
Peggy         Prover
Victor        Verifier

Figure 1.1: Roles of the participants in a protocol.

Alice and Bob can be two human beings trying to communicate securely through an insecure channel (regular or cellular phone, Email, fax machine, . . . ) or they can be two computers communicating with each other.

When Alice and Bob are two computers, they will not communicate in English, French or Portuguese. Their communication will actually be an exchange of bits, that is, a string of zeros and ones. For simplicity, even when Alice and Bob are human beings, we will always suppose that they communicate by sending strings of bits. For clarity purposes, the examples in this thesis will be given in their decimal representation, keeping in mind that there is always a one-to-one function between


CHAPTER 1. CRYPTOGRAPHY

the bit representation and the decimal representation.

In Sections 2.3 and 3.3 we will require the size of the key space 𝒦 to be minimal for security reasons. In many of the cryptographic problems we will analyse, a key which is to be kept secret has to be exchanged between Alice and Bob. The exchange is done over a secure channel before a message is transmitted and must be stored securely until needed. This means that Alice wants to transmit the common key to Bob in a secure way. She might want to whisper the key in his ear or she might decide to use some encryption to transfer the key. In either case, she will transmit to Bob a string of zeros and ones and does not want anybody else to be able to hear it or to gain any information about the key. It is therefore important to have the size of the key K (the size of a key is the number of bits needed for its binary representation) as small as possible, since the shorter the key, the less chance someone has of hearing parts of the information Alice is sending to Bob. The size of a key is directly related to |𝒦|, the number of possible keys. For this reason, we will always try to keep |𝒦| relatively small. For a key space of size |𝒦|, Alice and Bob will need to exchange a key of size ⌈log₂ |𝒦|⌉.

In this thesis, we will assume that no errors or noise will be introduced by the channel used by Alice and Bob to communicate. We will leave the strictly coding theory problems out of our analysis.

Let us briefly review how traditional cryptography was used to send information that had to be kept secret from an eavesdropper. The main idea was to mangle (or scramble) the information (the plaintext) that was going to be transmitted (the ciphertext) and then to invert the mangling operation in order to get the original


information. For example by replacing every occurrence of the letter a in a word by the letter d, the letter b by e, and c by f, well, we see the idea . . . This cipher system is called the Caesar cipher. Traditional cryptography methods include the alphabetic, substitution and transposition ciphers. References to those methods can be found in several books on cryptography, however a serious reader should not miss the book "The Codebreakers" by David Kahn [15]. Those systems are very easy to break today because they conserve various statistical properties of the language (for example, English).

Classical:  p --(mangle)--> c --(demangle)--> p
Present:    p --(encrypt, encryption key)--> c --(decrypt, decryption key)--> p

Figure 1.2: Classical versus present cryptography.

Nowadays the process used to obtain the ciphertext from the plaintext is known as encryption. The inverse of encryption is decryption and both operations rely on the use of keys, encryption and decryption keys, respectively. In Figure 1.2 we give an illustration of how classical cryptography differs from current cryptographic protocols.

Two of the very well known modern algorithms for cryptography are DES² and RSA³. (Details on those two algorithms and many others can be found in [16] and [27]).

²DES stands for Data Encryption Standard. ³RSA stands for the initials of its creators Rivest, Shamir and Adleman who publicly published


DES is a symmetric cryptosystem, meaning that the decryption key is the same as or can be easily obtained from the encryption key. On the other hand, RSA is a public key cryptosystem which means that the user has a set of two keys: the private key which has to be kept secret and is only known by the user, and the public key made available to everyone through a public database. The security of RSA relies mainly on the difficulty of finding the prime factorisation of n, where n is the product of two large prime numbers.

While reading the book "Network Security: PRIVATE Communication in a PUBLIC World" [16], one comes across a funny yet troubling⁴ quote:

"Fundamental Tenet of Cryptography"
If lots of smart people have failed to solve a problem,
Then it probably won't be solved (soon).

Most of the algorithms presently used for cryptography rely on this tenet. However, other ideas exist and are worth being analysed for their complexity and practicality. In this thesis, we are going to describe, without considering practicality of implementation, some unconditionally secure protocols for cryptography. We say that a protocol is unconditionally secure if given unlimited time and manpower, the system can not be broken. On the other hand, we say that a system is computationally secure if it is secure given the present computer power of the cryptanalyst.

Let us have a brief look at some protocols that use public key cryptography.

³(continued) the algorithm in 1978. However, Cliff Cocks from GCHQ presented the algorithm to the "Intelligence Community" in 1973.

⁴Note from the author: I found this quote troubling because of all the uncertainty in the security of the algorithms and yet they are widely trusted and used.


Alice: The secret is p. Encrypts p and sends c = E_B(p).
Bob:   Receives and decrypts c.

Figure 1.3: Encryption and decryption of information.

Suppose Alice wants to communicate secret information to Bob. She encrypts her plaintext p (what she wants to tell Bob) with Bob's public key, E_B, which is available to everyone from a public database (we can imagine this as some kind of a phone book) and sends c = E_B(p) to Bob. Bob receives and decrypts the ciphertext c with his private key, D_B, to obtain p, Alice's secret. A schema of this protocol is presented in Figure 1.3.

Alice: Generates the key K. Sends c = E_B(K).
Bob:   Receives and decrypts c.

Figure 1.4: Key exchange using public key cryptography.

It is more time consuming to use a public key cryptosystem than to use a symmetric


key cryptosystem. So if Alice has a lot of information to communicate to Bob it is more efficient to only exchange the key using a public key cryptosystem and then use the key for a symmetric cryptosystem. Alice generates their secret key K and sends it to Bob using the previous model of public key cryptography. A schema of this protocol is presented in Figure 1.4.

In this case, Alice obviously has ensured secrecy of the information she is sending to Bob but how does Bob know it really came from Alice? Anyone could have sent a message saying: "I am Alice. Here is our private key" and tried to cheat Bob. In general, authentication refers to the process of verifying the identity of someone or something.

Authentication codes were invented in 1974 by Gilbert, MacWilliams and Sloane [11]. The use of combinatorics as an unconditionally secure method of authentication has been explored extensively by Stinson [34]. In this thesis, we will concentrate our attention on authentication codes which are unconditionally secure and will closely examine constructions for authentication codes which require combinatorial methods.

A very important decision we have to make when discussing authentication codes is whether or not secrecy of the message is important. So we must decide if Alice cares if everybody can "see" the message she is sending to Bob. We will distinguish between authentication codes without secrecy (Chapter 2) and with secrecy (Chapter 4). In Chapter 3 we describe a method that allows Alice to securely send a message to Bob but does not provide authentication.

Massey said in [19] that secrecy and authentication are independent attributes of a cryptographic system.


Alice: The secret to sign is p. Signs her secret: c = D_A(p).
Bob:   Receives and decrypts c.

Figure 1.5: Digital signature.

One way for Bob to be certain that information really came from Alice is for Alice to use a digital signature. A digital signature has the same meaning to digital information as a handwritten signature has to a paper document. Alice signs the plaintext p using her private key D_A and Bob decrypts it using Alice's public key, E_A. This is presented in Figure 1.5.

This scheme provides authentication since the information decrypted by Bob can only come from Alice. However, it does not provide secrecy since anyone could decrypt the ciphertext. (Remember that Alice's public key is stored in a public database.) An alternative method for securely authenticating a message using combinatorial structures is described in Chapter 2.

There is a protocol that combines the privacy of encryption with the authentication of a digital signature. It can be compared to Alice signing a letter and then putting it into an envelope before sending it by mail to Bob. First Alice signs her information p with her private key D_A, then she encrypts and sends the signed information with Bob's public key, E_B. Bob decrypts the ciphertext c with his private key D_B and verifies that it really came from Alice by recovering the original information (the


Alice: The secret to sign and encrypt is p. Signs, encrypts and sends c: c = E_B(D_A(p)).
Bob:   Receives and decrypts c.

Figure 1.6: Authentication and Secrecy.

plaintext) using Alice's public key, E_A. This is illustrated in Figure 1.6.

In Chapter 4, we describe and present an alternative method for obtaining both secrecy and authentication. In Chapter 5, we analyse different methods for sharing a secret and finally we finish this thesis in a lighter tone and present methods to share a secret image called visual threshold schemes (Chapter 6). Finally, in Chapter 7 we present our conclusions.


Chapter 2

Authentication Codes Without Secrecy: "I Have No Secrets From the World," Says Alice.

We are going to examine authentication codes without secrecy. Suppose Alice wants to say something to Bob and cares only about the authentication of her message. Authentication makes it possible for Bob to receive Alice's message and be certain it came from her. Basically an authentication code without secrecy is a process in which a mathematical function transforms what Alice wants to say to Bob, which we call the source state, into what is called an authentication tag, and then adds the authentication tag to the source state to form the message. We also suppose that Alice and Bob mutually trust each other. Alice wants to use an unconditionally secure method of authentication. She does not want anyone to be able to modify her message, not even a person with lots of computer power. This is why Alice decides to use a combinatorial method. We are going to explore an unconditionally secure way


CHAPTER 2. AUTHENTICATION CODES WITHOUT SECRECY

of authenticating Alice's message.

The general ideas and theorems presented in this chapter can be found in "The CRC Handbook of Combinatorial Designs" [13], in several articles written by Stinson on authentication codes [25], [33], [34], [35], and in his book "Cryptography: Theory and Practice" [39].

First, Alice and Bob privately agree on a secret key K. Alice sends the message m = (s, a), where s is the source state and a = e_K(s) is the authentication tag, to Bob. That is, she sends the source state along with the authentication tag which depends on the secret key K she shares with Bob and the source state s. For each possible key K there is an encoding function e_K and all encoding functions are publicly known. Alice does not really care if anyone overhears her message. She only cares about its authentication. Bob receives m, verifies that a = e_K(s) and accepts the message as being authentic. The message m = (s, a) is usually sent unencrypted. However, it is always possible to encrypt it if privacy is desired, but this operation is independent of authentication.

Formally, here is how an authentication code without secrecy is defined.

Definition 2.1. An authentication code without secrecy, an A-code, is a four-tuple (S, A, 𝒦, E) satisfying

1. S is a finite set of source states,

2. A is a finite set of authentication tags,

3. 𝒦, the key space, is a finite set of possible keys, and


4. E is the set of encoding rules, such that for each K ∈ 𝒦, we have an encoding rule e_K ∈ E, where e_K : S → A,

and where the message sent by Alice lies in M = S × A.

In this case e_K does not necessarily need to be injective. We can represent an authentication code without secrecy (S, A, 𝒦, E) in the form of a |𝒦| × |S| matrix that we call an authentication matrix. The rows are indexed by the keys, the columns are indexed by source states and the entry at the intersection of row K and column s is e_K(s) = a, the authentication tag.

For example, suppose we have S = A = Z_3, 𝒦 = Z_3 × Z_3 and for all (i, j) ∈ 𝒦 and for all s ∈ S, let e_(i,j)(s) ≡ js + i (mod 3). We will represent this (S, A, 𝒦, E) by the authentication matrix presented in Figure 2.1.

Figure 2.1: e_(i,j)(s) ≡ js + i (mod 3).


2.1 Oscar, You're Such a Cheater

The model given by Definition 2.1 presents how things would work in an ideal world. However, none of us live in such a world, not even Alice or Bob. This is why we must now meet Eve and Mallet, the "bad guys". Eve is a passive attacker, an eavesdropper. She threatens the confidentiality of the data transmitted between Alice and Bob. In this particular case, we do not really consider Eve a very evil person since Alice does not care if the whole world overhears what she has to say to Bob. Mallet is a malicious active attacker. He threatens the integrity and the availability of the data transmitted between Alice and Bob. Mallet observes and controls the data; he can modify, extend, delete or replay the information. Sometimes the roles played by both Mallet and Eve are also played by Oscar, the opponent. The context will usually be clear enough for the reader to know if we are talking about Eve or Mallet, even if we refer to them as Oscar.

Say, for example, that Oscar intercepts the message m = (s, a) sent by Alice. He can then substitute the message m' = (s', a'), s' ≠ s, for m = (s, a) and hope that Bob, on receiving the new message, will actually believe that the message was untouched and really came from Alice. This is called substitution. Oscar can also try to cheat Bob by making up a bogus message m = (s, a), sending it to Bob, and hoping that Bob will accept the message as authentic and coming from Alice. This is called impersonation. If he happens to choose s and a so that a = e_K(s), this will convince Bob that the sender knows K and so must be Alice.¹

Suppose that Oscar observes i distinct messages sent using the same encoding

¹. . . little does Bob know . . .

Page 25: WHEN COMBINATORICS MEETS CRYPTOGRAPHY (A Tale About Alice …collectionscanada.gc.ca/obj/s4/f2/dsk2/ftp01/MQ37631.pdf · When Alice and Bob are two computers, they will not communicate

CHAPTER 2. A UTWENTICATION CODES WITEIO UT SECRECY

nile e K . Since Oscor has the ability to cheat either by introducing new messages

and (or) modifying existing ones, we will denote by Pdi the probability that Oscar

successfully "cheatsn Bob after seeing i messages. In particular, Pd, is the probability

that Oscar can perform a successiul impersonation and Pd, is the probability of success

for Oscar associated with substitution. As you may suspect, it is &hardern to compute

Pdt than Pdo There is still very little known about Pd, for i 2 2, so in this thesis, we

concentrate our attention on Pd, and Ph. We briefly discuss Pd,+ 2 2, at the end of

Section 2.4.

So, as you see, from the point of view of a cryptographer, we want to build an authentication code in which no advantage is available to Oscar when choosing one key over another in order to "attack".$^2$

When Oscar is cheating Bob, three assumptions are made. First, Oscar knows the authentication code being used (this would be an extension of Kerckhoffs's$^3$ criteria in cryptology to authentication). That is, he knows all about $(S, A, \mathcal{K}, E)$. Secondly, Oscar is able to compute $Pd_i$ and, thirdly, he is using an optimal strategy. The only information that Oscar does not know is the particular key used by Alice and Bob in the transmission of their message.

2.2 Trust and Honesty

Trust and honesty are two of the most important assumptions made in the schemes presented up until now. However, these two important values in communication are not always present in a protocol. Until now, we have always assumed that Alice and Bob mutually trust each other. In this chapter we are going to have a brief look at what might happen if trust and honesty are not at the basis of their relationship, and we will see that the protocol is more complex in this case. When Alice or Bob is unable to trust the other party, we have to introduce a new member into our protocol: Trent, a trusted arbitrator. Trent will act like a judge in the protocol. He is not allowed to take sides nor is he allowed to cheat. So now we have Alice, Bob, Oscar and Trent.

$^2$ An attack is an attempted cryptanalysis of the system.

$^3$ Kerckhoffs's assumption is that the secrecy of the cryptosystem must reside entirely in the key. It assumes that the cryptanalyst has a complete knowledge of the cryptosystem used.

There are now five different ways of cheating. Alice can cheat by disavowal: for example, she can deny that she actually sent a message to Bob. Bob can try to cheat Alice by impersonation: for example, he can claim that he has received a message when none was sent. Bob can also cheat by substitution: for example, he can change the message that Alice sent to him. And, as before, Oscar can try to cheat Bob (and Alice) by impersonation or substitution.

This extended model of an A-code is called an A$^2$-code, an authentication code with an arbitrator. Mathematically, we will define an A$^2$-code to be a four-tuple $(S, M, E_A, E_B)$ which satisfies

1. $S$ is a finite set of source states,

2. $M$ is a finite set of messages,

3. $E_A$ is a set of Alice's encoding rules$^4$ and

4. $E_B$ is a set of Bob's decoding rules$^5$.

$^4$ Sometimes $E_A$ is also represented by $E_T$, where T stands for Transmitter, and Alice is the transmitter.

$^5$ Sometimes $E_B$ is also represented by $E_R$, where you can for sure guess what the R stands for (and in case not ... Receiver).


We can easily see that the definition of an A$^2$-code resembles the definition of an authentication code $(S, A, \mathcal{K}, E)$ (Definition 2.1), but the rule for accepting a message as authentic is now different. However, we will not discuss A$^2$-codes further in this thesis.

2.3 Probabilities of Cheating

Suppose we are working in an A-code and suppose Oscar is trying to impersonate Alice. Oscar picks $s$, the source state he wants to send to Bob. He also has to pick an authentication tag so that Bob will actually accept $s$. That is, Oscar must pick $a$ so that $a = e_K(s)$ without knowing $K$ itself. The goal of an authentication code is to allow Bob to detect, with a high probability of success, if Oscar has cheated during Alice's communication with Bob.

Since it is important to have the size of the key set $\mathcal{K}$ as small as possible, to arrive at a lower bound on $|\mathcal{K}|$ we first need to develop and explain some ideas about the probabilities of cheating.

Let $K_0$ be the key that Alice and Bob have agreed on. For $s \in S$ and $a \in A$, we will define $\mathrm{payoff}(s, a)$ to be the probability that Bob accepts $(s, a)$ as an authentic message from Alice. We have
\[
\mathrm{payoff}(s, a) = \mathrm{Prob}(a = e_{K_0}(s)) = \sum_{\{K \in \mathcal{K} : e_K(s) = a\}} \mathrm{Prob}_{\mathcal{K}}(K),
\]
where $\mathrm{Prob}_{\mathcal{K}}(K)$ is the probability distribution over $\mathcal{K}$, that is, the probability that a given key $K$ will be chosen.

Since Oscar wishes to optimize his chances of success, he will choose $(s, a)$ so that $\mathrm{payoff}(s, a)$ will be maximized. Then $Pd_0$, the probability that Oscar successfully cheats Bob by way of impersonation, will be
\[
Pd_0 = \max\{\mathrm{payoff}(s, a) : s \in S,\ a \in A\}.
\]

Suppose now that Oscar intercepts $m = (s, a)$ being sent from Alice to Bob and tries to cheat Bob by substituting $m' = (s', a')$ for Alice's message, where $s' \neq s$ (of course!). In this case, Oscar has more information than in the case of impersonation. Oscar may be able to use this to restrict the set of possible values the key could be. In this case, $\mathrm{payoff}(s', a'; s, a)$ will be the probability that Bob accepts the substituted message,
\[
\mathrm{payoff}(s', a'; s, a) = \mathrm{Prob}\big(a' = e_{K_0}(s') \mid a = e_{K_0}(s)\big)
= \frac{\mathrm{Prob}\big(a' = e_{K_0}(s') \text{ and } a = e_{K_0}(s)\big)}{\mathrm{Prob}\big(a = e_{K_0}(s)\big)}.
\]
Since Oscar is again trying to maximize his chances of cheating Bob, we will denote by $p_{s,a}$ the maximum $\mathrm{payoff}(s', a'; s, a)$. We then have
\[
p_{s,a} = \max\{\mathrm{payoff}(s', a'; s, a) : s' \in S,\ s' \neq s,\ a' \in A\}.
\]


We now have every element needed to compute the probability of Oscar successfully cheating Bob by way of substitution. We need to compute the weighted average of $p_{s,a}$, where the weight is the probability that $(s, a)$ will be sent. Denote by $\mathrm{Prob}_S(s)$ the probability distribution over $S$; that is, the probability that a given source state will be chosen among all possible choices. Denote by $\mathrm{Prob}_M(s, a)$ the probability that a given pair $(s, a)$ will be chosen by Alice from among all possible messages. Then
\[
Pd_1 = \sum_{(s, a) \in M} \mathrm{Prob}_M(s, a)\, p_{s,a},
\]
and, since the source state and the key are chosen independently, $\mathrm{Prob}_M(s, a) = \mathrm{Prob}_S(s)\, \mathrm{payoff}(s, a)$.

As we can see, to calculate $Pd_1$ we need to know the probability distribution over $S$, $\mathrm{Prob}_S(s)$. In the examples in this thesis, we will always consider $\mathrm{Prob}_S(s)$ to be the same for any $s \in S$ if not otherwise specified. By doing so, we will not be modeling most real-life$^6$ situations, but it will still give us a good idea of what is going on.

$^6$ For example, we know that the letters of the word "SENORITA" have more chances of occurring in an English text than any other letters.


The role of a cryptographer is to build an authentication code so that Oscar will not be able to take advantage of the system. For example, as cryptographers we will want $Pd_i$ to satisfy a certain level of security and not to give any information about the key used by Alice and Bob. Note that in the case of $Pd_1$, Oscar already has some information since he sees $m = (s, a)$, so we want to construct a system so that this information will not be useful to him. We want the probability of successful deception to be as small as possible. Furthermore, we want the set of source states $S$ to be large enough to carry all the information that Alice wants to transmit, and finally, we want the key to be relatively small since it has to be secretly exchanged between Alice and Bob prior to the message being sent. Note that when using an authentication code without secrecy, the key has to be renewed with each message (you can compare this with the One-Time Pad$^7$ cryptosystem).

Suppose that $|A| = l$. For a given $s \in S$ we can compute
\[
\sum_{a \in A} \mathrm{payoff}(s, a)
= \sum_{a \in A} \sum_{\{K \in \mathcal{K} : e_K(s) = a\}} \mathrm{Prob}_{\mathcal{K}}(K)
= \sum_{K \in \mathcal{K}} \mathrm{Prob}_{\mathcal{K}}(K) = 1,
\]
since every key $K$ produces exactly one tag $e_K(s)$ for $s$. Since the sum over all possible authentication tags of $\mathrm{payoff}(s, a)$ is 1, and since $|A| = l$, for every $s \in S$ there exists at least one authentication tag $a \in \{e_K(s) : K \in \mathcal{K}\}$ such that $\mathrm{payoff}(s, a) \ge 1/l$. Since $Pd_0 = \max\{\mathrm{payoff}(s, a) : s \in S, a \in A\}$, this brings us to the following:

$^7$ The OTP (One-Time Pad) cryptosystem is described in Section 3.2.


Theorem 2.2. Given an authentication code $(S, A, \mathcal{K}, E)$ with $|A| = l$, we have $Pd_0 \ge 1/l$. Moreover, $Pd_0 = 1/l$ if and only if $\mathrm{payoff}(s, a) = 1/l$ for all $s \in S$, $a \in A$.

Proof: By definition, $Pd_0 = \max\{\mathrm{payoff}(s, a) : s \in S, a \in A\}$. Since
\[
\sum_{a \in A} \mathrm{payoff}(s, a) = 1 \quad \text{for every } s \in S,
\]
the hypothesis that $|A| = l$ implies $Pd_0 \ge 1/l$. If $Pd_0 = 1/l$, then
\[
\max\{\mathrm{payoff}(s, a) : s \in S,\ a \in A\} = \frac{1}{l},
\]
so none of the $l$ terms of each of these sums exceeds $1/l$; since each sum equals 1, $\mathrm{payoff}(s, a) = 1/l$ for all $(s, a) \in S \times A$.

Clearly, if $\mathrm{payoff}(s, a) = 1/l$ for all $(s, a) \in S \times A$, then
\[
\max\{\mathrm{payoff}(s, a) : s \in S,\ a \in A\} = \frac{1}{l}
\]
and $Pd_0 = 1/l$. This is the same as saying that we have equality if and only if $\mathrm{payoff}(s, a) = 1/l$. $\square$

Let us now do the same for the case of an attack by substitution. For given $a$, $s$ and $s'$ with $s' \neq s$, we have
\[
\sum_{a' \in A} \mathrm{payoff}(s', a'; s, a)
= \sum_{a' \in A} \frac{\mathrm{Prob}\big(a' = e_{K_0}(s') \text{ and } a = e_{K_0}(s)\big)}{\mathrm{Prob}\big(a = e_{K_0}(s)\big)} = 1,
\]
since each key $K$ with $e_K(s) = a$ produces exactly one tag $e_K(s')$. If the sum over the set of authentication tags of $\mathrm{payoff}(s', a'; s, a)$ is 1 and $|A| = l$, then for each given $a, s, s'$, there exists an $a'$ for which $\mathrm{payoff}(s', a'; s, a) \ge 1/l$. Let us choose $s'$ and $a'$ so that $\mathrm{payoff}(s', a'; s, a) = p_{s,a} \ge 1/l$. Then
\[
Pd_1 = \sum_{(s, a) \in M} \mathrm{Prob}_M(s, a)\, p_{s,a}
= \sum_{(s, a) \in M} \mathrm{Prob}_M(s, a)\, \mathrm{payoff}(s', a'; s, a)
\ge \frac{1}{l} \sum_{(s, a) \in M} \mathrm{Prob}_M(s, a) = \frac{1}{l}. \tag{2.2}
\]
If $Pd_1 = 1/l$, then by the above $p_{s,a} = 1/l$, and since $\sum_{a' \in A} \mathrm{payoff}(s', a'; s, a) = 1$ and $|A| = l$, $\mathrm{payoff}(s', a'; s, a) = 1/l$ for all $s'$ and $a'$. If $\mathrm{payoff}(s', a'; s, a) = 1/l$ for every $s, s', a, a'$, then $p_{s,a} = 1/l$. So $Pd_1 = 1/l$. We then have the following theorem.

Theorem 2.3. Given an authentication code $(S, A, \mathcal{K}, E)$ with $|A| = l$, we have $Pd_1 \ge 1/l$. Moreover, $Pd_1 = 1/l$ if and only if $\mathrm{payoff}(s', a'; s, a) = 1/l$ for all $s, s' \in S$, $a, a' \in A$ and $s' \neq s$.

Proof: The first part of the theorem comes directly from equation (2.2) and the second part from the discussion above. $\square$

Theorem 2.4. Given an authentication code $(S, A, \mathcal{K}, E)$ with $|A| = l$, we have $Pd_0 = Pd_1 = 1/l$ if and only if
\[
\sum_{\{K \in \mathcal{K} : e_K(s) = a,\ e_K(s') = a'\}} \mathrm{Prob}_{\mathcal{K}}(K) = \frac{1}{l^2}
\]
for all $s, s' \in S$, $a, a' \in A$ and $s' \neq s$.

Proof: We know that $Pd_0 = 1/l$ if and only if $\mathrm{payoff}(s, a) = 1/l$, and also that $Pd_1 = 1/l$ if and only if $\mathrm{payoff}(s', a'; s, a) = 1/l$, from Theorems 2.2 and 2.3, for all $s, s' \in S$, $a, a' \in A$ and $s' \neq s$. From the definition of $\mathrm{payoff}(s', a'; s, a)$ we also have, for all such $s, s', a, a'$,
\[
\sum_{\{K \in \mathcal{K} : e_K(s) = a,\ e_K(s') = a'\}} \mathrm{Prob}_{\mathcal{K}}(K) = \mathrm{payoff}(s', a'; s, a)\, \mathrm{payoff}(s, a). \tag{2.3}
\]
Now, assuming $Pd_0 = Pd_1 = 1/l$, we have
\[
\sum_{\{K \in \mathcal{K} : e_K(s) = a,\ e_K(s') = a'\}} \mathrm{Prob}_{\mathcal{K}}(K)
= \mathrm{payoff}(s', a'; s, a)\, \mathrm{payoff}(s, a) = \frac{1}{l} \cdot \frac{1}{l} = \frac{1}{l^2}.
\]

On the other hand, suppose that for all $s, s' \in S$, $a, a' \in A$ and $s' \neq s$,
\[
\sum_{\{K \in \mathcal{K} : e_K(s) = a,\ e_K(s') = a'\}} \mathrm{Prob}_{\mathcal{K}}(K) = \frac{1}{l^2}.
\]
We also have by Theorem 2.2 that $Pd_0 \ge 1/l$. Choose $s = \bar{s}$, $a = \bar{a}$ so that $Pd_0 = \mathrm{payoff}(\bar{s}, \bar{a}) \ge 1/l$. Since $\sum_{a' \in A} \mathrm{payoff}(s', a'; \bar{s}, \bar{a}) = 1$ (for all $s'$ with $s' \neq \bar{s}$), there exists an $a' = a^*$ such that $\mathrm{payoff}(s', a^*; \bar{s}, \bar{a}) \ge 1/l$. Now, using equation (2.3) with $s = \bar{s}$, $a = \bar{a}$, $a' = a^*$ and the fact that
\[
\sum_{\{K \in \mathcal{K} : e_K(s) = a,\ e_K(s') = a'\}} \mathrm{Prob}_{\mathcal{K}}(K) = \frac{1}{l^2}
\]
for all $s, s' \in S$, $a, a' \in A$ and $s' \neq s$, we obtain
\[
\frac{1}{l^2} = \mathrm{payoff}(s', a^*; \bar{s}, \bar{a})\, \mathrm{payoff}(\bar{s}, \bar{a}) \ge \frac{1}{l} \cdot \frac{1}{l} = \frac{1}{l^2}.
\]
This results in equality throughout and $\mathrm{payoff}(\bar{s}, \bar{a}) = 1/l$. However, we chose $Pd_0$ to be $\mathrm{payoff}(\bar{s}, \bar{a})$, which means that $Pd_0 = 1/l$. By Theorem 2.2, since $Pd_0 = 1/l$, this means that $\mathrm{payoff}(s, a) = 1/l$ for every $s$ and $a$. Then, from equation (2.3) together with
\[
\sum_{\{K \in \mathcal{K} : e_K(s) = a,\ e_K(s') = a'\}} \mathrm{Prob}_{\mathcal{K}}(K) = \frac{1}{l^2}
\]
for all $s, s' \in S$, $a, a' \in A$ and $s' \neq s$ and $\mathrm{payoff}(s, a) = 1/l$, we obtain
\[
\mathrm{payoff}(s', a'; s, a) = \frac{1}{l}
\]
for all $s, s' \in S$, $a, a' \in A$ and $s' \neq s$. Applying Theorem 2.3 yields $Pd_1 = 1/l$. $\square$

Theorem 2.4 implies that under the given conditions an authentication code has the property that Oscar learns nothing by seeing an earlier message (this is precisely what $Pd_1 = Pd_0$ means). This means that if Oscar randomly guesses which key was chosen by Alice and Bob he has the same likelihood of success as he would have using any other method. Moreover, if we suppose that every key has an equal probability of being selected, we then have the following corollary.

Corollary 2.5. Given an authentication code $(S, A, \mathcal{K}, E)$ with $|A| = l$ and in which all the keys have equal probability of selection, $Pd_0 = Pd_1 = 1/l$ if and only if
\[
\big|\{K \in \mathcal{K} : e_K(s) = a,\ e_K(s') = a'\}\big| = \frac{|\mathcal{K}|}{l^2} \tag{2.4}
\]
for all $s, s' \in S$, $s' \neq s$, $a, a' \in A$.

Proof: By Theorem 2.4,
\[
Pd_0 = Pd_1 = \frac{1}{l} \quad \text{if and only if} \quad
\sum_{\{K \in \mathcal{K} : e_K(s) = a,\ e_K(s') = a'\}} \mathrm{Prob}_{\mathcal{K}}(K) = \frac{1}{l^2}.
\]
Since all keys have, by hypothesis, equal probability of selection, $\mathrm{Prob}_{\mathcal{K}}(K) = 1/|\mathcal{K}|$ for every $K$, and we can rewrite this as
\[
\frac{\big|\{K \in \mathcal{K} : e_K(s) = a,\ e_K(s') = a'\}\big|}{|\mathcal{K}|} = \frac{1}{l^2},
\]
which is the same as
\[
\big|\{K \in \mathcal{K} : e_K(s) = a,\ e_K(s') = a'\}\big| = \frac{|\mathcal{K}|}{l^2}. \qquad \square
\]
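The quantities of this section ($\mathrm{payoff}$, $Pd_0$, $p_{s,a}$, $Pd_1$) and the counting condition of Corollary 2.5 can be checked mechanically on a concrete authentication matrix. The Python below is an added example, my own code and not anything from the thesis; the two matrices it uses are constructed for illustration. The first is the A-code obtained from the $OA(3, 3, 1)$ with rows $(i, j)$ and $e_{(i,j)}(s) = i + js \bmod 3$. The second is a code in which every key tags every source state with the same symbol, so that $Pd_0$ is still $1/3$ but one intercepted message hands Oscar the tag of every other source state. Keys and source states are taken equiprobable, as in the thesis' examples, and exact rational arithmetic is used so that equalities such as $Pd_1 = 1/3$ can be tested rather than approximated.

```python
from fractions import Fraction
from itertools import product

# Constructed sample input (not from the thesis): the 9 x 3 authentication
# matrix of the A-code built from the OA(3, 3, 1) with rows (i, j) and
# e_(i,j)(s) = i + j*s mod 3. Rows are keys, columns are source states
# 0, 1, 2 and entries are tags. It is the array of Figure 2.2 up to row order.
GOOD_MATRIX = [[(i + j * s) % 3 for s in range(3)] for i in range(3) for j in range(3)]

# Constructed counter-example (not from the thesis): key K in {0, 1, 2} tags
# every source state with the tag K. Impersonation is still a 1-in-3 guess,
# but one observed message reveals the tag of every other source state.
BAD_MATRIX = [[k] * 3 for k in range(3)]


def payoff(matrix, key_prob, s, a):
    """payoff(s, a) = sum of Prob_K(K) over the keys K with e_K(s) = a."""
    return sum((key_prob[k] for k, row in enumerate(matrix) if row[s] == a), Fraction(0))


def payoff_sub(matrix, key_prob, s2, a2, s, a):
    """payoff(s', a'; s, a) = Prob(e_K(s') = a' | e_K(s) = a): the joint key
    mass of (s, a) and (s', a') divided by payoff(s, a)."""
    joint = sum((key_prob[k] for k, row in enumerate(matrix)
                 if row[s] == a and row[s2] == a2), Fraction(0))
    return joint / payoff(matrix, key_prob, s, a)


def pd0(matrix, key_prob, tags):
    """Pd_0 = max over (s, a) of payoff(s, a)."""
    k = len(matrix[0])
    return max(payoff(matrix, key_prob, s, a) for s in range(k) for a in tags)


def pd1(matrix, key_prob, tags, source_prob=None):
    """Pd_1 = sum over messages (s, a) of Prob_M(s, a) * p_{s,a}, where
    Prob_M(s, a) = Prob_S(s) * payoff(s, a) (source state independent of the
    key) and p_{s,a} is the best substitution payoff after seeing (s, a)."""
    k = len(matrix[0])
    if source_prob is None:  # uniform source states, as in the thesis' examples
        source_prob = [Fraction(1, k)] * k
    total = Fraction(0)
    for s in range(k):
        for a in tags:
            prob_m = source_prob[s] * payoff(matrix, key_prob, s, a)
            if prob_m == 0:
                continue  # (s, a) is never sent, so it cannot be intercepted
            p_sa = max(payoff_sub(matrix, key_prob, s2, a2, s, a)
                       for s2 in range(k) if s2 != s for a2 in tags)
            total += prob_m * p_sa
    return total


def pair_count_condition(matrix, tags):
    """Corollary 2.5 (equation 2.4): with equiprobable keys, Pd_0 = Pd_1 = 1/l
    iff every ordered pair (a, a') appears in exactly |K|/l^2 rows of every
    ordered pair of distinct columns (l = number of tags)."""
    keys, k, l = len(matrix), len(matrix[0]), len(tags)
    target = Fraction(keys, l * l)
    for s, s2 in product(range(k), repeat=2):
        if s == s2:
            continue
        for a, a2 in product(tags, repeat=2):
            count = sum(1 for row in matrix if row[s] == a and row[s2] == a2)
            if count != target:
                return False
    return True


def analyse(matrix):
    """Return (Pd_0, Pd_1, condition (2.4) holds) for equiprobable keys."""
    tags = sorted({a for row in matrix for a in row})
    key_prob = [Fraction(1, len(matrix))] * len(matrix)
    return (pd0(matrix, key_prob, tags),
            pd1(matrix, key_prob, tags),
            pair_count_condition(matrix, tags))


if __name__ == "__main__":
    for name, m in (("OA(3,3,1) code", GOOD_MATRIX), ("constant-tag code", BAD_MATRIX)):
        print(name, "Pd_0 = %s, Pd_1 = %s, (2.4) holds: %s" % analyse(m))
```

The contrast between the two matrices is the content of Theorem 2.4: both have $Pd_0 = 1/|A|$, but only the first satisfies the pair condition (2.4), and only for it does $Pd_1$ reach the lower bound of Theorem 2.3. For the constant-tag code $Pd_1 = 1$: substitution succeeds with certainty, which is exactly the "information useful to Oscar" that the constructions of Section 2.4 are designed to eliminate.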

2.4 Construction of an A-Code Without Secrecy

We are now interested in constructing an authentication code $(S, A, \mathcal{K}, E)$ which meets the conditions of Theorem 2.4. We will use a combinatorial object called an orthogonal array.


Definition 2.6. An orthogonal array $OA(n, k, \lambda)$ is a $\lambda n^2 \times k$ matrix with $n$ different symbols such that for any pair of columns each of the $n^2$ ordered pairs of symbols occurs in exactly $\lambda$ rows.

Figure 2.2: An orthogonal array $OA(3, 3, 1)$. [matrix not reproduced in this transcript]

As an example, we can easily verify that the matrix in Figure 2.2 is an $OA(3, 3, 1)$. The authentication matrix presented in Figure 2.1 is also an $OA(3, 3, 1)$. In fact they are the same if we permute rows.

We will use an orthogonal array $OA(n, k, \lambda)$ to build an authentication code $(S, A, \mathcal{K}, E)$ with $Pd_0 = Pd_1 = 1/n$, where $|A| = n$. We need to fix the following correspondence:

    orthogonal array   |   authentication code
    -------------------+-------------------------
    row                |   encoding rule (key)
    column             |   source state
    symbol             |   authentication tag

The idea of using an orthogonal array seems almost "natural" since, when each key of an authentication code has equal probability, to counter impersonation we need every authentication tag to be present equally often in every column, and to counter substitution we need every ordered pair of tags equally often in any two columns.

Theorem 2.7. If there exists an orthogonal array $OA(n, k, \lambda)$, then there exists an authentication code $(S, A, \mathcal{K}, E)$ with $|S| = k$, $|A| = n$, $|\mathcal{K}| = \lambda n^2$ and $Pd_0 = Pd_1 = 1/n$.

Proof: With the correspondence as described above, and the supposition that the encoding rules have equal probability of selection, every ordered pair $(a, a')$ of tags occurs in exactly $\lambda = \lambda n^2 / n^2 = |\mathcal{K}| / n^2$ rows of any two distinct columns, so equation (2.4) is satisfied (with $l = n$). Applying Corollary 2.5 then shows that the authentication code defined by the orthogonal array has the desired properties. $\square$

We wish to build an authentication code for $S$ having a given level of security $\varepsilon$. This means that we are looking for a construction in which $Pd_0 \le \varepsilon$ and $Pd_1 \le \varepsilon$. If we wish to use Theorem 2.7, we will need an orthogonal array $OA(n, k, \lambda)$ which satisfies the following properties:

- $\lambda$ is minimal, to reduce the number of keys.

We should note that it is always possible to "erase" columns of an $OA(n, k, \lambda)$ to

We are now going to prove that if an orthogonal array $OA(n, k, \lambda)$ exists, then
\[
k \le \frac{\lambda n^2 - 1}{n - 1}.
\]
If $\lambda = 1$, this theorem implies that in an orthogonal array $OA(n, k, 1)$, $k \le n + 1$.


Theorem 2.8 (Plackett and Burman, 1946 [23]). If there exists an orthogonal array $OA(n, k, \lambda)$, then
\[
k \le \frac{\lambda n^2 - 1}{n - 1}.
\]

Proof: Let $\mathbf{A}$ be an orthogonal array $OA(n, k, \lambda)$ on the symbols $X = \{0, 1, \ldots, n - 1\}$. An orthogonal array is invariant under any permutation of its rows, columns, or the symbols in a column. Choose $\Pi_i \in S_X$, the symmetric group on the symbols $X$, $1 \le i \le k$, so that when $\Pi_i$ is applied to the symbols in column $i$ of the array, the entry in cell $(1, i)$ becomes 0. This will make the first row of $\mathbf{A}$ equal to $(0, 0, \ldots, 0)$.

Let $\mathcal{R}$ be the set of rows of $\mathbf{A}$, $r_1$ the first row of $\mathbf{A}$, and $\mathcal{R}' = \mathcal{R} \setminus \{r_1\}$. For each row $r$ of $\mathbf{A}$, let $x_r$ be the number of times 0 appears. Then the total number of occurrences of 0 excluding those in the first row is given by
\[
\sum_{r \in \mathcal{R}'} x_r = k(\lambda n - 1),
\]
since each symbol appears $\lambda n$ times in each column.

The number of times the pair $(0, 0)$ appears in an ordered pair of columns of $\mathbf{A}$, not including the first row, is
\[
\sum_{r \in \mathcal{R}'} x_r (x_r - 1)
= \sum_{r \in \mathcal{R}'} x_r^2 - \sum_{r \in \mathcal{R}'} x_r
\ge \frac{\big(\sum_{r \in \mathcal{R}'} x_r\big)^2}{\lambda n^2 - 1} - \sum_{r \in \mathcal{R}'} x_r
= \frac{k^2 (\lambda n - 1)^2}{\lambda n^2 - 1} - k(\lambda n - 1).
\]
The last inequality is obtained using Jensen's inequality$^8$, which states that
\[
f\Big(\sum_i \lambda_i a_i\Big) \le \sum_i \lambda_i f(a_i)
\]
whenever $f$ is real, convex, and continuous, $\sum_i \lambda_i = 1$ and $\lambda_i \ge 0$. In this particular case, we choose $f(x) = x^2$ and $\lambda_i = 1/(\lambda n^2 - 1)$, $1 \le i \le \lambda n^2 - 1$ (one weight per row of $\mathcal{R}'$), which implies that
\[
\Big(\frac{\sum_{r \in \mathcal{R}'} x_r}{\lambda n^2 - 1}\Big)^2 \le \frac{\sum_{r \in \mathcal{R}'} x_r^2}{\lambda n^2 - 1},
\quad \text{that is,} \quad
\sum_{r \in \mathcal{R}'} x_r^2 \ge \frac{\big(\sum_{r \in \mathcal{R}'} x_r\big)^2}{\lambda n^2 - 1}.
\]

On the other hand, we also have that the pair $(0, 0)$ appears exactly $\lambda$ times in every pair of columns (by properties of orthogonal arrays), hence $\lambda - 1$ times once the first row is excluded. Since there are $k(k - 1)$ ordered pairs of columns, the number of times the pair $(0, 0)$ appears in the rows of $\mathcal{R}'$ is
\[
\sum_{r \in \mathcal{R}'} x_r (x_r - 1) = k(k - 1)(\lambda - 1).
\]
Combining the two counts,
\[
k(k - 1)(\lambda - 1) \ge \frac{k^2 (\lambda n - 1)^2}{\lambda n^2 - 1} - k(\lambda n - 1).
\]
Dividing by $k$, multiplying by $\lambda n^2 - 1$ and collecting the terms in $k$, this inequality simplifies to
\[
k\big[(\lambda - 1)(\lambda n^2 - 1) - (\lambda n - 1)^2\big] \ge (\lambda n^2 - 1)\big[(\lambda - 1) - (\lambda n - 1)\big],
\]
that is,
\[
-\lambda (n - 1)^2\, k \ge -\lambda (n - 1)(\lambda n^2 - 1),
\]
which is the same as the required inequality
\[
k \le \frac{\lambda n^2 - 1}{n - 1}. \qquad \square
\]

$^8$ This inequality is named after the Danish mathematician and engineer Johan Ludvig William Valdemar Jensen. Jensen was born in 1859 and died in 1925. He was a pioneer in the theory of convex functions. [4]

Corollary 2.9. If there exists an orthogonal array $OA(n, k, 1)$, then $k \le n + 1$.

Corollary 2.9 gives an important condition on the number of columns of our orthogonal array for a given $n$, when $\lambda = 1$. If we require $k > n + 1$, then necessarily $\lambda > 1$.

The bound of Corollary 2.9 can be achieved when $n$ is a prime power. The next theorem gives us a construction of such an orthogonal array when $n$ is prime.


Theorem 2.10. For $p$ prime, there exists an orthogonal array $OA(p, p + 1, 1)$.

Proof: First, we construct an orthogonal array $OA(p, p, 1)$. Let us index the $p^2$ rows of our matrix $\mathbf{A}$ by the elements of $\mathbb{Z}_p \times \mathbb{Z}_p$ and the $p$ columns by the elements of $\mathbb{Z}_p$. The entries of the matrix are in the set $\{0, 1, \ldots, p - 1\}$ and are defined by
\[
\mathbf{A}((i, j), x) \equiv i + jx \pmod p,
\]
where $\mathbf{A}((i, j), x)$ is the entry in row $(i, j)$ and column $x$. For a given pair $(a, b)$ to be in two distinct columns $x_1$ and $x_2$, we need to be able to solve the system
\[
a \equiv i + j x_1 \pmod p, \qquad b \equiv i + j x_2 \pmod p.
\]
Solving, we find that the system has the unique solution
\[
j \equiv (a - b)(x_1 - x_2)^{-1} \pmod p, \qquad i \equiv a - j x_1 \pmod p,
\]
where $(x_1 - x_2)^{-1}$ exists because $x_1 \neq x_2$ and $p$ is prime. For $p$ prime, we conclude that we have an orthogonal array $OA(p, p, 1)$. We now extend this to an orthogonal array $OA(p, p + 1, 1)$ by adding a new column $p$ to $\mathbf{A}$.

For any given row $(i, j)$, we define the entry in column $p$ of the matrix to be $j$; that is, $\mathbf{A}((i, j), p) = j$ for all $(i, j) \in \mathbb{Z}_p \times \mathbb{Z}_p$.

We now have to check that for a given pair $(a, b)$, and columns $x_1$, $0 \le x_1 \le p - 1$, and $p$, there is a unique solution to
\[
a \equiv i + j x_1 \pmod p, \qquad b \equiv j \pmod p.
\]
That is, there is a unique row $(i, j)$ so that in that row, $a$ lies in column $x_1$ and $b$ in column $p$. Solving, we find that the system does have the unique solution
\[
j \equiv b \pmod p, \qquad i \equiv a - b x_1 \pmod p.
\]
We conclude that we have an orthogonal array $OA(p, p + 1, 1)$. $\square$

In Figure 2.3, we illustrate the construction of an orthogonal array $OA(3, 4, 1)$ using Theorem 2.10.

Figure 2.3: An $OA(3, 4, 1)$ constructed from Theorem 2.10 (rows indexed by $(i, j) \in \mathbb{Z}_3 \times \mathbb{Z}_3$ in lexicographic order, columns $x = 0, 1, 2$ holding $i + jx \bmod 3$ and the last column holding $j$; the original figure's row order may differ):

    (i,j)   x=0  x=1  x=2  col p
    (0,0)    0    0    0     0
    (0,1)    0    1    2     1
    (0,2)    0    2    1     2
    (1,0)    1    1    1     0
    (1,1)    1    2    0     1
    (1,2)    1    0    2     2
    (2,0)    2    2    2     0
    (2,1)    2    0    1     1
    (2,2)    2    1    0     2

We can also use Theorem 2.8 to obtain a lower bound on the number of keys, $\lambda n^2$, by simply re-writing the inequality as $\lambda n^2 \ge k(n - 1) + 1$. The next theorem ensures that there exists another infinite class of orthogonal arrays in which the number of keys attains the lower bound of $k(n - 1) + 1$, this time with $\lambda > 1$.

Theorem 2.11. For $p$ a prime number and $d$ an integer greater than or equal to 2, there exists an orthogonal array $OA\big(p, \tfrac{p^d - 1}{p - 1}, p^{d-2}\big)$.


Proof: We have to construct a $p^d \times \frac{p^d - 1}{p - 1}$ array on $p$ symbols $\{0, 1, \ldots, p - 1\}$ which satisfies the definition of an orthogonal array, for $p$ prime.

Let us index the rows of our matrix $\mathbf{A}$ by the vectors of $(\mathbb{Z}_p)^d$, where $(\mathbb{Z}_p)^d$ is the vector space of dimension $d$ with coordinates in $\mathbb{Z}_p$, and the columns by all non-zero vectors in $(\mathbb{Z}_p)^d$ which have a 1 in their first non-zero coordinate position. Let $R = (\mathbb{Z}_p)^d$ be the index set for the rows and $C$ be the index set for the set of columns of $\mathbf{A}$. Then
\[
|R| = p^d \quad \text{and} \quad |C| = 1 + p + p^2 + \cdots + p^{d-1} = \frac{p^d - 1}{p - 1}.
\]
We can easily verify that none of the vectors of $C$ are multiples of one another. The entries of the matrix are in the set $\{0, 1, \ldots, p - 1\}$ and are defined by
\[
\mathbf{A}(r, c) \equiv r \cdot c \pmod p,
\]
where $\mathbf{A}(r, c)$ is the entry in row $r$ and column $c$ and $r \cdot c$ is the inner product of the two vectors $r$ and $c$.

Let $b, c \in C$ index two distinct columns of the matrix $\mathbf{A}$ and $x, y \in \mathbb{Z}_p$. Let us write $b = (b_1, b_2, \ldots, b_d)$ and $c = (c_1, c_2, \ldots, c_d)$. We now show that there are $p^{d-2}$ rows $r = (r_1, r_2, \ldots, r_d)$ so that $\mathbf{A}(r, b) = x$ and $\mathbf{A}(r, c) = y$. For a given pair $(x, y)$ to be in two distinct columns $b$ and $c$ of row $r$, we need to solve the linear system
\[
b_1 r_1 + b_2 r_2 + \cdots + b_d r_d \equiv x \pmod p, \qquad
c_1 r_1 + c_2 r_2 + \cdots + c_d r_d \equiv y \pmod p
\]
for $r_1, r_2, \ldots, r_d$. Since no element of $C$ is a non-trivial multiple of another, $b \neq kc$ for any $k \in \mathbb{Z}_p$, so the two equations are linearly independent over $\mathbb{Z}_p$: we have a system of two independent equations in $d$ unknowns, hence $d - 2$ free variables and precisely $p^{d-2}$ distinct solutions. This implies that the ordered pair $(x, y) = (\mathbf{A}(r, b), \mathbf{A}(r, c))$ appears $p^{d-2}$ times in the columns $b$ and $c$ of the matrix $\mathbf{A}$. $\square$

Let us illustrate this theorem with the construction of an orthogonal array $OA(2, 7, 2)$.

Example: Let $p = 2$ and $d = 3$. Using Theorem 2.11, we will construct an orthogonal array $OA(2, 7, 2)$ on the symbols 0 and 1 so that for every pair of columns of the matrix the pairs $(0, 0)$, $(0, 1)$, $(1, 0)$ and $(1, 1)$ each appear twice. In this example, we have $R = \{000, 001, 010, 011, 100, 101, 110, 111\}$ and $C = \{001, 010, 011, 100, 101, 110, 111\}$ and obtain the matrix represented in Figure 2.4.

Figure 2.4: An orthogonal array $OA(2, 7, 2)$ (rows indexed by $r \in R$ and columns by $c \in C$, each in the order listed above; entry $r \cdot c \bmod 2$):

    r \ c   001  010  011  100  101  110  111
    000      0    0    0    0    0    0    0
    001      1    0    1    0    1    0    1
    010      0    1    1    0    0    1    1
    011      1    1    0    0    1    1    0
    100      0    0    0    1    1    1    1
    101      1    0    1    1    0    1    0
    110      0    1    1    1    1    0    0
    111      1    1    0    1    0    0    1
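Theorems 2.10 and 2.11 are constructive and Definition 2.6 is a finite check, so both can be run. The Python below is an added example, my own code and not from the thesis: it builds $OA(p, p + 1, 1)$ as in Theorem 2.10 and $OA(p, (p^d - 1)/(p - 1), p^{d-2})$ as in Theorem 2.11, verifies the orthogonal-array property by counting ordered pairs in every two columns, checks the Plackett-Burman bound of Theorem 2.8, and checks that both families meet the key count $k(n - 1) + 1$ of Theorem 2.13. The function names are mine; `oa_projective` is so called because its columns are one representative of each line through the origin of $(\mathbb{Z}_p)^d$, as in the proof. Run as a script it prints the $OA(2, 7, 2)$ of Figure 2.4.

```python
from itertools import product


def oa_prime(p):
    """Theorem 2.10: OA(p, p+1, 1) for p prime. Row (i, j), column x < p holds
    i + j*x mod p; the extra column (index p) holds j. One row = one key."""
    rows = []
    for i, j in product(range(p), repeat=2):
        rows.append([(i + j * x) % p for x in range(p)] + [j])
    return rows


def oa_projective(p, d):
    """Theorem 2.11: OA(p, (p^d-1)/(p-1), p^(d-2)) for p prime and d >= 2.
    Rows: all vectors r in (Z_p)^d. Columns: the non-zero vectors c whose
    first non-zero coordinate is 1 (no column is a multiple of another).
    Entry: inner product r.c mod p."""
    columns = []
    for c in product(range(p), repeat=d):
        nonzero = [x for x in c if x != 0]
        if nonzero and nonzero[0] == 1:
            columns.append(c)
    rows = []
    for r in product(range(p), repeat=d):
        rows.append([sum(ri * ci for ri, ci in zip(r, c)) % p for c in columns])
    return rows


def oa_parameters(rows):
    """Return (n, k, lambda) if `rows` is an orthogonal array, else None.
    This is Definition 2.6 checked directly: for every ordered pair of
    distinct columns, each of the n^2 ordered symbol pairs occurs in exactly
    lambda rows."""
    symbols = sorted({x for row in rows for x in row})
    n, k = len(symbols), len(rows[0])
    if len(rows) % (n * n) != 0:
        return None
    lam = len(rows) // (n * n)
    for c1, c2 in product(range(k), repeat=2):
        if c1 == c2:
            continue
        counts = {}
        for row in rows:
            pair = (row[c1], row[c2])
            counts[pair] = counts.get(pair, 0) + 1
        if len(counts) != n * n or any(v != lam for v in counts.values()):
            return None
    return n, k, lam


def plackett_burman_ok(n, k, lam):
    """Theorem 2.8: k <= (lam*n^2 - 1)/(n - 1), i.e. lam*n^2 >= k*(n-1) + 1."""
    return lam * n * n >= k * (n - 1) + 1


def key_count_is_minimal(rows):
    """True when the number of keys lam*n^2 equals the Theorem 2.13 lower
    bound k*(n-1) + 1 (the array must be an orthogonal array)."""
    n, k, lam = oa_parameters(rows)
    return lam * n * n == k * (n - 1) + 1


if __name__ == "__main__":
    for name, oa in (("OA(3,4,1) from Theorem 2.10", oa_prime(3)),
                     ("OA(2,7,2) from Theorem 2.11", oa_projective(2, 3))):
        n, k, lam = oa_parameters(oa)
        print(name, "-> n=%d k=%d lambda=%d, keys=%d, bound %d, minimal=%s"
              % (n, k, lam, lam * n * n, k * (n - 1) + 1, key_count_is_minimal(oa)))
    for row in oa_projective(2, 3):  # the matrix of Figure 2.4
        print(" ".join(str(x) for x in row))
```

Each row of the returned arrays is one encoding rule, so the arrays are authentication matrices as they stand. Because `oa_parameters` checks Definition 2.6 directly, it also serves to test whether an arbitrary authentication matrix with equiprobable keys meets condition (2.4) of Corollary 2.5 with $l = n$: the matrix is an $OA(n, k, \lambda)$ exactly when a triple rather than `None` comes back. The caveat of Section 2.3 still applies: $Pd_0 = Pd_1 = 1/n$ says nothing about $Pd_2$, and the key must be renewed after each message.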

Theorem 2.12. Given an authentication code $(S, A, \mathcal{K}, E)$ with $|A| = n$, $Pd_0 = Pd_1 = 1/n$ and in which all keys have equal probability of selection, we have $|\mathcal{K}| \ge n^2$. Moreover, $|\mathcal{K}| = n^2$ if and only if there exists an orthogonal array $OA(n, k, 1)$ with $|S| = k$.


Proof: Suppose we have an authentication code $(S, A, \mathcal{K}, E)$ with $|A| = n$ and $Pd_0 = Pd_1 = 1/n$ in which all keys have equal probability of selection. Choose $s, s' \in S$, $s' \neq s$, and $a, a' \in A$. Then we have by Corollary 2.5 that
\[
\big|\{K \in \mathcal{K} : e_K(s) = a,\ e_K(s') = a'\}\big| = \frac{|\mathcal{K}|}{n^2},
\]
and since $Pd_0 = Pd_1 = 1/n$, then by Theorem 2.4 we have
\[
\sum_{\{K \in \mathcal{K} : e_K(s) = a,\ e_K(s') = a'\}} \mathrm{Prob}_{\mathcal{K}}(K) = \frac{1}{n^2} > 0,
\]
so the set $\{K \in \mathcal{K} : e_K(s) = a, e_K(s') = a'\}$ is non-empty and $|\mathcal{K}| / n^2 \ge 1$, which means $|\mathcal{K}| \ge n^2$. Now, if $|\mathcal{K}| = n^2$, we must have $|\{K \in \mathcal{K} : e_K(s) = a, e_K(s') = a'\}| = 1$ for every $s, s' \in S$, $s' \neq s$, $a, a' \in A$, which tells us that every ordered pair occurs exactly once in any two columns of the authentication matrix; and so we have an orthogonal array $OA(n, |S|, 1)$.

Suppose now that we have an orthogonal array $OA(n, k, 1)$. Use each row as an encoding rule with equal probability of selection. Since there are $n^2$ rows in this orthogonal array, this means that $\mathrm{Prob}_{\mathcal{K}}(K) = 1/n^2$ for every key $K \in \mathcal{K}$, and by Theorem 2.7 we obtain the desired authentication code $(S, A, \mathcal{K}, E)$ with $|S| = k$. $\square$

Theorem 2.12 gives us a construction for an authentication code $(S, A, \mathcal{K}, E)$ with the minimum number of keys when an orthogonal array $OA(n, k, 1)$ exists. However, for such an orthogonal array to exist, we need $k \le n + 1$ (Corollary 2.9). Since $k$ and $n$ are independent, Theorem 2.13 will give us useful information about authentication codes $(S, A, \mathcal{K}, E)$ when $k > n + 1$.


Theorem 2.13. Given an authentication code $(S, A, \mathcal{K}, E)$ with $|A| = n$, $|S| = k$ and $Pd_0 = Pd_1 = 1/n$, we have $|\mathcal{K}| \ge k(n - 1) + 1$. Moreover, $|\mathcal{K}| = k(n - 1) + 1$ if and only if there exists an orthogonal array $OA(n, k, \lambda)$ with $\lambda = \frac{k(n - 1) + 1}{n^2}$ and each of the $k(n - 1) + 1$ keys $K \in \mathcal{K}$ has an equal probability of selection.

Proof: Suppose we have an authentication code $(S, A, \mathcal{K}, E)$ with $|A| = n$, $|S| = k$ and $Pd_0 = Pd_1 = 1/n$. Define a real vector space $V$ with $\dim(V) = kn$. Let a basis of $V$ be $B = \{\vec{m} : m \in M\}$, where $\vec{m}$ is the basis element of $V$ associated with the message $m = (s, a)$, $s \in S$, $a \in A$. For every $K \in \mathcal{K}$, define
\[
\vec{e}_K = \sum_{s \in S} \overrightarrow{(s, e_K(s))}.
\]
That is, $\vec{e}_K$ is the sum of the basis elements of $V$ associated with the messages arising from the key $K$. For every $s \in S$, define
\[
\vec{r}_s = \sum_{a \in A} \overrightarrow{(s, a)}.
\]
Define $X$ to be the sum of all the basis elements, that is
\[
X = \sum_{m \in M} \vec{m} = \sum_{s \in S} \vec{r}_s.
\]
For every message $m = (s, a) \in M$, define
\[
\vec{u}_m = n \sum_{\{K \in \mathcal{K} : e_K(s) = a\}} \mathrm{Prob}_{\mathcal{K}}(K)\, \vec{e}_K.
\]

By Theorem 2.2, we know that
\[
\mathrm{payoff}(s, a) = \sum_{\{K \in \mathcal{K} : e_K(s) = a\}} \mathrm{Prob}_{\mathcal{K}}(K) = \frac{1}{n} \quad \text{for all } s \in S,\ a \in A,
\]
and by Theorem 2.4, we know that
\[
\sum_{\{K \in \mathcal{K} : e_K(s) = a,\ e_K(s') = a'\}} \mathrm{Prob}_{\mathcal{K}}(K) = \frac{1}{n^2} \quad \text{for all } s, s' \in S,\ a, a' \in A,\ s' \neq s.
\]
Using those two results, we obtain for $m = (s, a)$
\[
\begin{aligned}
\vec{u}_m &= n \sum_{\{K : e_K(s) = a\}} \mathrm{Prob}_{\mathcal{K}}(K) \sum_{s' \in S} \overrightarrow{(s', e_K(s'))} && \text{(by definition)} \\
&= n \sum_{\{K : e_K(s) = a\}} \mathrm{Prob}_{\mathcal{K}}(K)\, \vec{m}
 + n \sum_{s' \neq s} \sum_{a' \in A} \sum_{\{K : e_K(s) = a,\ e_K(s') = a'\}} \mathrm{Prob}_{\mathcal{K}}(K)\, \overrightarrow{(s', a')} \\
&= n \cdot \frac{1}{n}\, \vec{m} + n \cdot \frac{1}{n^2} \sum_{s' \neq s} \sum_{a' \in A} \overrightarrow{(s', a')} \\
&= \vec{m} + \frac{1}{n}\,(X - \vec{r}_s).
\end{aligned}
\tag{2.5}
\]

Arbitrarily choose a source state $s_1 \in S$. Let the subspace $V'$ of $V$ be generated by the vectors of $B'$; that is, $V' = \langle B' \rangle$, where we define
\[
B' = \{\vec{e}_K : K \in \mathcal{K}\} \cup \{\vec{r}_s : s \in S,\ s \neq s_1\}.
\]
Note that $\dim(V') \le (k - 1) + |\mathcal{K}|$. We want to prove $V = V'$, as then $nk \le (k - 1) + |\mathcal{K}|$, that is, $|\mathcal{K}| \ge k(n - 1) + 1$.

We have by Theorem 2.2
\[
\sum_{K \in \mathcal{K}} \mathrm{Prob}_{\mathcal{K}}(K)\, \vec{e}_K
= \sum_{s \in S} \sum_{a \in A} \Big( \sum_{\{K : e_K(s) = a\}} \mathrm{Prob}_{\mathcal{K}}(K) \Big) \overrightarrow{(s, a)}
= \frac{1}{n} \sum_{m \in M} \vec{m} = \frac{1}{n} X,
\]
that is,
\[
X = n \sum_{K \in \mathcal{K}} \mathrm{Prob}_{\mathcal{K}}(K)\, \vec{e}_K. \tag{2.6}
\]
This means that $X$ is a linear combination of elements of $B'$, so we have $X \in V'$. We also have by definition $X = \sum_{s \in S} \vec{r}_s$, which means
\[
\vec{r}_{s_1} = X - \sum_{s \neq s_1} \vec{r}_s.
\]
Now $\vec{r}_{s_1}$ is a linear combination of elements of $V'$, so we have $\vec{r}_{s_1} \in V'$. We have shown that $\vec{r}_{s_1} \in V'$ and we know by assumption that all other $\vec{r}_s \in V'$. So we have $\vec{r}_s \in V'$ for every $s \in S$.

Now, from equation (2.5),
\[
\vec{m} = \vec{u}_m - \frac{1}{n}\,(X - \vec{r}_s) \quad \text{for } m = (s, a).
\]
Since each of $\vec{u}_m$ (a linear combination of the $\vec{e}_K$), $X$ and $\vec{r}_s$ lies in $V'$, $\vec{m}$ also lies in $V'$. Therefore $V \subseteq V'$ and hence $V = V'$. This completes the first part of Theorem 2.13.

Suppose now that $|\mathcal{K}| = k(n - 1) + 1$. This means that $B'$ is a basis for $V$. Define
\[
M(e_K) = \{(s, e_K(s)) : s \in S\}.
\]
That is, $M(e_K)$ is the set of messages arising from $e_K$; that is, the set of elements in row $K$ of the authentication matrix. Note that $|M(e_K)| = k$. Let us arbitrarily choose a key $K' \in \mathcal{K}$. We have seen that $\vec{u}_m = \vec{m} + \frac{1}{n}(X - \vec{r}_s)$. We will then have
\[
\begin{aligned}
\sum_{m \in M(e_{K'})} \vec{u}_m
&= \sum_{s \in S} \Big( \overrightarrow{(s, e_{K'}(s))} + \frac{1}{n}(X - \vec{r}_s) \Big)
= \vec{e}_{K'} + \frac{k}{n} X - \frac{1}{n} X \\
&= \vec{e}_{K'} + \frac{k - 1}{n} X
= \vec{e}_{K'} + (k - 1) \sum_{K \in \mathcal{K}} \mathrm{Prob}_{\mathcal{K}}(K)\, \vec{e}_K && \text{(by 2.6)}.
\end{aligned}
\]
We also have
\[
\vec{u}_m = n \sum_{\{K \in \mathcal{K} : e_K(s) = a\}} \mathrm{Prob}_{\mathcal{K}}(K)\, \vec{e}_K \quad \text{(by definition)},
\]
where $m = (s, a)$, which means that
\[
\sum_{m \in M(e_{K'})} \vec{u}_m
= n \sum_{s \in S} \sum_{\{K : e_K(s) = e_{K'}(s)\}} \mathrm{Prob}_{\mathcal{K}}(K)\, \vec{e}_K
= n \sum_{K \in \mathcal{K}} \big|\{s \in S : e_K(s) = e_{K'}(s)\}\big|\, \mathrm{Prob}_{\mathcal{K}}(K)\, \vec{e}_K.
\]
Hence,
\[
\vec{e}_{K'} + (k - 1) \sum_{K \in \mathcal{K}} \mathrm{Prob}_{\mathcal{K}}(K)\, \vec{e}_K
= n \sum_{K \in \mathcal{K}} \big|\{s \in S : e_K(s) = e_{K'}(s)\}\big|\, \mathrm{Prob}_{\mathcal{K}}(K)\, \vec{e}_K.
\]
Since $B'$ is a basis of $V$, we can equate the coefficients of $\vec{e}_{K'}$ (for which $|\{s \in S : e_{K'}(s) = e_{K'}(s)\}| = k$) and obtain
\[
1 + (k - 1)\, \mathrm{Prob}_{\mathcal{K}}(K') = nk\, \mathrm{Prob}_{\mathcal{K}}(K'),
\]
which implies that
\[
\mathrm{Prob}_{\mathcal{K}}(K') = \frac{1}{nk - k + 1} = \frac{1}{k(n - 1) + 1} = \frac{1}{|\mathcal{K}|}.
\]
Since we chose $K'$ arbitrarily, the same argument holds for every $K \in \mathcal{K}$, so every key $K$ has the same probability of selection.

We have
\[
\vec{u}_m = n \sum_{\{K : e_K(s) = a\}} \frac{1}{|\mathcal{K}|}\, \vec{e}_K
= \frac{n}{|\mathcal{K}|} \sum_{\{K : e_K(s) = a\}} \sum_{s' \in S} \overrightarrow{(s', e_K(s'))},
\]
and by equation (2.5)
\[
\vec{u}_m = \vec{m} + \frac{1}{n}(X - \vec{r}_s) = \vec{m} + \frac{1}{n} \sum_{\{m' = (s', a') \in M : s' \neq s\}} \vec{m}',
\]
which means that
\[
\frac{n}{|\mathcal{K}|} \sum_{\{K : e_K(s) = a\}} \sum_{s' \in S} \overrightarrow{(s', e_K(s'))}
= \vec{m} + \frac{1}{n} \sum_{\{m' = (s', a') \in M : s' \neq s\}} \vec{m}'.
\]
For $m = (s, a) \in M$ and $m' = (s', a') \in M$ such that $s' \neq s$, define
\[
r_m = \big|\{K \in \mathcal{K} : e_K(s) = a\}\big| \quad \text{and} \quad
\lambda_{m, m'} = \big|\{K \in \mathcal{K} : e_K(s) = a,\ e_K(s') = a'\}\big|.
\]
Our goal is to show that $r_m$ and $\lambda_{m, m'}$ are constants independent of $m$ and $m'$. For fixed $m = (s, a)$, we have
\[
\sum_{\{K : e_K(s) = a\}} \sum_{s' \in S} \overrightarrow{(s', e_K(s'))}
= r_m\, \vec{m} + \sum_{\{m' = (s', a') \in M : s' \neq s\}} \lambda_{m, m'}\, \vec{m}',
\]
and so
\[
\frac{n}{|\mathcal{K}|} \Big( r_m\, \vec{m} + \sum_{\{m' : s' \neq s\}} \lambda_{m, m'}\, \vec{m}' \Big)
= \vec{m} + \frac{1}{n} \sum_{\{m' : s' \neq s\}} \vec{m}'.
\]
Since $B$ is a basis of $V$, we can equate the coefficients of $\vec{m}$ and obtain
\[
\frac{n}{|\mathcal{K}|}\, r_m = 1,
\]
which means that $r_m = |\mathcal{K}| / n$. Now, equating the coefficients of $\vec{m}'$, $m' \neq m$, we obtain
\[
\frac{n}{|\mathcal{K}|}\, \lambda_{m, m'} = \frac{1}{n},
\]
that is,
\[
\lambda_{m, m'} = \frac{|\mathcal{K}|}{n^2} = \frac{k(n - 1) + 1}{n^2}.
\]
Therefore, our authentication code without secrecy $(S, A, \mathcal{K}, E)$ is an orthogonal array $OA(n, k, \lambda)$, where $\lambda = \frac{k(n - 1) + 1}{n^2}$, and every key has equal probability of selection.

To complete the proof we refer to Theorem 2.7, which states that if there exists an orthogonal array $OA(n, k, \lambda)$ then there exists an authentication code $(S, A, \mathcal{K}, E)$ with $|S| = k$, $|A| = n$, $|\mathcal{K}| = \lambda n^2$ and $Pd_0 = Pd_1 = 1/n$ in which every key $K \in \mathcal{K}$ is selected with equal probability, $1/|\mathcal{K}|$. $\square$

Theorems 2.12 and 2.13 show that for an authentication code without secrecy, the best construction in the sense of being unconditionally secure is to use an orthogonal array. We have also given some conditions for the existence of such arrays. In the next example we will see an authentication matrix for a code which does not seem to be constructed from an orthogonal array but which actually is an orthogonal array in disguise.

Example: Suppose we have an authentication code for which the authentication matrix is

and suppose all keys have equal probability of selection and that we have |S| = 4, |A| = 12 and |K| = 9. We can calculate

$\mathrm{payoff}(s, a) = \begin{cases} \tfrac{1}{3} & \text{if } a = 3s + i,\ i \in \{0, 1, 2\} \\ 0 & \text{otherwise} \end{cases}$

which implies that P_d0 = 1/3. We also have

$\mathrm{payoff}(s', a'; s, a) = \dfrac{\sum_{K \in \mathcal{K} : e_K(s') = a',\ e_K(s) = a} \mathrm{Prob}_K(K)}{\mathrm{payoff}(s, a)} = \begin{cases} \tfrac{1}{3} & \text{if } a = 3s + i \text{ and } a' = 3s' + i',\ i, i' \in \{0, 1, 2\},\ s' \neq s \\ 0 & \text{otherwise} \end{cases}$


which implies that p_{s,a} = 1/3 where a = 3s + i, i ∈ {0, 1, 2}. Hence

This (S, A, K, E) has P_d0 = P_d1 = 1/3 and |K| = 3². We can use Theorem 2.12 to represent such an authentication code by an orthogonal array OA(3, |S|, 1).

At first sight, the authentication matrix presented above does not seem to be an orthogonal array. However, we can verify that by applying a change of name to the symbols we obtain an orthogonal array equivalent to the orthogonal array OA(3, 4, 1) of Figure 2.3. To do this, replace each authentication tag a by a' = a (mod 3), a' ∈ {0, 1, 2}.
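The following Python code is an added example and is not part of the thesis: it builds an OA(3, 4, 1) (an assumed representative, since Figure 2.3 is not reproduced on the page), disguises its tags as a = 3s + i exactly as in the example above, checks the strength-t orthogonal array definition, and computes P_d0 and P_d1 by brute force over the keys, so the reader can see the relabelling a' = a (mod 3) undo the disguise.

```python
from fractions import Fraction
from itertools import combinations, product


def oa_3_4_1():
    """Constructed OA(3,4,1) used as an authentication matrix (Figure 2.3 is not
    reproduced on the page, so this is an assumed representative).  Rows are the
    nine keys (a, b) in Z_3 x Z_3, columns the source states s = 0, 1, 2, 3: the
    tag is a + b*s (mod 3) for s < 3, and b alone in the last column."""
    return [[(a + b * s) % 3 for s in range(3)] + [b]
            for a, b in product(range(3), repeat=2)]


def is_orthogonal_array(rows, t, lam):
    """Strength-t definition from the text: lam * n^t rows over an n-set, and in
    any t columns every length-t vector over the n-set occurs in exactly lam rows."""
    k = len(rows[0])
    symbols = sorted({x for r in rows for x in r})
    n = len(symbols)
    if len(rows) != lam * n ** t:
        return False
    for cols in combinations(range(k), t):
        seen = {}
        for r in rows:
            vec = tuple(r[c] for c in cols)
            seen[vec] = seen.get(vec, 0) + 1
        if any(seen.get(v, 0) != lam for v in product(symbols, repeat=t)):
            return False
    return True


def uniform_keys(matrix):
    """Every key selected with the same probability 1/|K|."""
    return [Fraction(1, len(matrix))] * len(matrix)


def deception_probabilities(matrix, key_prob):
    """Brute-force P_d0 and P_d1 of an authentication code without secrecy.

    payoff(s, a) is the probability that message (s, a) is valid under the
    unknown key; P_d0 (impersonation) is its maximum.  payoff(s', a'; s, a) is
    the probability that (s', a') is valid given that (s, a) was observed,
    s' != s; the P_d1 returned is its maximum over all observable (s, a), the
    worst case, which bounds any average over the observed message from above."""
    k = len(matrix[0])
    tags = sorted({a for r in matrix for a in r})

    def payoff(s, a):
        return sum((key_prob[K] for K, r in enumerate(matrix) if r[s] == a),
                   Fraction(0))

    pd0 = max(payoff(s, a) for s in range(k) for a in tags)
    pd1 = Fraction(0)
    for s, a in product(range(k), tags):
        observed = payoff(s, a)
        if observed == 0:
            continue  # (s, a) is never sent, so Oscar never observes it
        for s2, a2 in product(range(k), tags):
            if s2 == s:
                continue
            both = sum((key_prob[K] for K, r in enumerate(matrix)
                        if r[s] == a and r[s2] == a2), Fraction(0))
            pd1 = max(pd1, both / observed)
    return pd0, pd1


def disguise(oa):
    """Give source state s its own tags 3s, 3s+1, 3s+2, so that |A| = 12 for
    |S| = 4 as in the example: the orthogonal array in disguise."""
    return [[3 * s + r[s] for s in range(len(r))] for r in oa]


def undisguise(matrix):
    """The change of name from the text: a' = a (mod 3)."""
    return [[a % 3 for a in r] for r in matrix]


if __name__ == "__main__":
    oa = oa_3_4_1()
    hidden = disguise(oa)
    keys = uniform_keys(oa)
    print("OA(3,4,1)?", is_orthogonal_array(oa, 2, 1))
    print("disguised matrix an OA?", is_orthogonal_array(hidden, 2, 1))
    print("tags mod 3 an OA?", is_orthogonal_array(undisguise(hidden), 2, 1))
    print("P_d0, P_d1 of the disguised code:", deception_probabilities(hidden, keys))
```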

We have analysed the probability that Oscar successfully cheats Alice and Bob, P_di, i = 0, 1, of authentication codes without secrecy (S, A, K, E) with |A| = n, |S| = k. We will now have a brief look at what happens to P_di when i ≥ 2.

Suppose that Alice and Bob are going to use the same key to transmit i ≥ 2 messages. A spoofing attack of order i results when Oscar, who has seen all i messages, attempts to cheat Bob by sending a bogus message to him, wanting to have him believe it came from Alice. Of course, Oscar will try to introduce a source state that has not already been sent by Alice; otherwise, he would know which tag to send in his message. We denote the probability of Oscar's success by P_di, i ≥ 2. We say that an authentication code is t-fold secure against spoofing if P_di = 1/n for 0 ≤ i ≤ t. Note that in Theorems 2.12 and 2.13 we discussed authentication codes that are 1-fold secure against spoofing.


We are going to state a theorem (without proving it) that gives a generalization of Theorem 2.12. But first, we need to generalize the definition of orthogonal arrays. We say that an orthogonal array of strength t, OA_λ(t, k, n), is a λn^t × k array with entries from an n-set so that for any t columns each of the vectors of length t with entries from the n-set occurs in exactly λ rows. The definition of an orthogonal array as seen in Definition 2.6 is an orthogonal array of strength 2.

Theorem 2.14. Given an authentication code (S, A, K, E) that is t-fold secure against spoofing with |A| = n, we have |K| ≥ n^{t+1}. Moreover, |K| = n^{t+1} if and only if there exists an orthogonal array of strength t, OA_1(t + 1, k, n), with |S| = k and any of the n^{t+1} keys K ∈ K has equal probability of selection.

At present, a generalisation of Theorem 2.13 to authentication codes that are t-fold secure against spoofing for t ≥ 2 is an open problem.

Finally, we can summarize this chapter with the following theorem on the existence of authentication codes without secrecy, which consists of the combination of some well-known combinatorial facts. We chose to analyse authentication codes without secrecy in relation to orthogonal arrays, but as we see we could have made a different choice.

Theorem 2.15. The following are equivalent:

1. An authentication code (S, A, K, E) with P_d0 = P_d1 = 1/n and |K| = n² in which each key has equal probability of selection.

2. An orthogonal array OA(n, k, 1).

3. k − 2 mutually orthogonal latin squares of order n.

4. A net of order n and degree k.

5. A transversal design TD(k, n).

A lot of research on orthogonal arrays has been done in recent years and the reader is referred to the surveys on orthogonal arrays in Chapters II.2, II.5 and V.5 of "The CRC Handbook of Combinatorial Designs" [13].


Chapter 3

Secrecy Codes: "I Have a Secret to Tell to Bob," Says Alice.

Suppose Alice wants to communicate information to Bob over an insecure channel and does not want Oscar to understand what is being transmitted. In this situation, we suppose again that Alice and Bob trust each other. As in the case of authentication codes, first Alice and Bob privately agree on K, a secret key. Alice encrypts p, the plaintext¹, that she wants to secretly send to Bob, using e_K, the encryption rule, which is a function of K, their private key. Alice sends the ciphertext² e_K(p). Bob receives and decrypts the ciphertext e_K(p) by computing d_K(e_K(p)) = p, where d_K is the decryption rule associated with e_K. This way Bob obtains the plaintext Alice sent him. Contrary to the model presented in the chapter on authentication codes without secrecy (Chapter 2), Alice wants to keep the information secret from Oscar.

¹The plaintext was referred to as the source state in the chapter on authentication codes without secrecy (Chapter 2).

²The ciphertext was referred to as the message in the chapter on authentication codes without secrecy (Chapter 2).


Formally, here is the definition of a secrecy code.

Definition 3.1. A secrecy code is a five-tuple (P, C, K, E, D) satisfying

1. P is a finite set of plaintexts,

2. C is a finite set of ciphertexts,

3. K, the key space, is a finite set of possible keys and

4. for each K ∈ K, we have an injective encryption rule e_K ∈ E and a corresponding decryption rule d_K ∈ D, where e_K : P → C and d_K : C → P are such that d_K(e_K(p)) = p for every plaintext p ∈ P.

Basically, a secrecy code (P, C, K, E, D) is "an algorithm, plus all possible plaintexts, ciphertexts, and keys," as stated by Schneier in [27] for a cryptosystem. A secrecy code is sometimes (inappropriately) called a cryptosystem ([13] and [27]). Even though this is not wrong, the word cryptosystem is used more often in other contexts, and for this reason we are making the deliberate choice of not referring to a secrecy code by the word cryptosystem.

We can represent a secrecy code (P, C, K, E, D) in the form of a |K| × |P| matrix that we call an encryption matrix. The elements of the matrix are the ciphertexts. The rows are indexed by the encoding rules and the columns are indexed by the plaintexts. The entry at the intersection of row K and column p is e_K(p). In this chapter, we will consider only codes without splitting. These are codes where the plaintext and the key determine the unique message to be sent. Thus, since e_K is injective, there must be at least as many elements in C as there are in P.


3.1 I Have a Secret to Tell You . . .

We say that a secrecy code (P, C, K, E, D) provides perfect secrecy if, when Oscar³ sees the ciphertext e_K(p) going from Alice to Bob, he obtains no information on the plaintext p. Mathematically, we say that a code provides perfect secrecy if

$\mathrm{Prob}_P(p \mid c) = \mathrm{Prob}_P(p)$

for every plaintext p ∈ P and for every ciphertext c ∈ C, where Prob_P(p) is the probability that a given plaintext p will be chosen and Prob_P(p|c) is the probability that p is the plaintext, given that c is the ciphertext.

One of the first times combinatorics and cryptography were publicly⁴ linked was in 1949 when Shannon [29] proved Theorem 3.3. To appreciate Theorem 3.3, we need first to introduce a combinatorial object called a latin square.

Definition 3.2. A latin square of order n, LS(n), is an n × n matrix with n different symbols such that every row and every column contains every symbol exactly once.

As an example, we can easily verify that the matrix in Figure 3.1 is a latin square LS(5).

Theorem 3.3 (Shannon, 1949). Given a secrecy code (P, C, K, E, D) that provides perfect secrecy, we have |K| ≥ |P|. Moreover, |K| = |P| if and only if the encryption matrix is a latin square of order |P|, LS(|P|), and the keys are used with equal probability.

³In this situation, Oscar plays the role of an eavesdropper. He is not the malicious guy he was in Chapter 2.

⁴Part of the "Intelligence Community" had already known this for some years, since Shannon's paper appeared for the first time as a confidential report in 1945. It was entitled "A Mathematical Theory of Cryptography".


Figure 3.1: A latin square LS(5).

Proof: Let x be a plaintext, x ∈ P. Let y be the ciphertext, y ∈ C, obtained by encoding x with the key K. Thus, e_K(x) = y. Note that we need Prob_C(y) ≠ 0 and Prob_P(x) ≠ 0 for any x ∈ P and y ∈ C. Otherwise, it would mean that the ciphertext y and the plaintext x were not used and so could be omitted from our analysis. Suppose that our secrecy code (P, C, K, E, D) has perfect secrecy. By definition of perfect secrecy, this means that Prob_P(x|y) = Prob_P(x) for every x ∈ P, y ∈ C.

We know by Bayes's theorem⁵ that

$\mathrm{Prob}_P(x \mid y) = \dfrac{\mathrm{Prob}_C(y \mid x)\,\mathrm{Prob}_P(x)}{\mathrm{Prob}_C(y)}.$

Since we supposed (P, C, K, E, D) to have perfect secrecy, this implies that Prob_C(y|x) = Prob_C(y).

This last equality is the same as saying that Prob_C(y|x) is independent of x, the plaintext, which is also the same as saying that the sum of the probabilities of all keys that transform some plaintext x to the ciphertext y is the same as the sum of the probabilities of all keys that transform some plaintext z to the

⁵Thomas Bayes was born in 1702 and died in 1761. He was a probabilist and theologian and published a defense of Newton's calculus. He was the first to use probability inductively and established a mathematical basis for probability inference. [4]


ciphertext y, for every x, z ∈ P and y ∈ C. This tells us that if Prob_K(K) > 0 for all K ∈ K and if a ciphertext appears in the encryption matrix, it appears in every column of the matrix. This means |K| ≥ |P|.

If |K| = |P|, e_K being injective means that the elements in row e_K of the matrix are distinct, so each of these elements occurs in every column, which implies that the encryption matrix is a latin square LS(|P|) and, as Prob_C(y|x) = Prob_C(y), the encryption rules must be used with equal probability. It follows trivially that if the encryption matrix is a latin square, then |K| = |P|.

A nice property of latin squares is that a latin square LS(n) exists for any positive integral value of n.

Example: Suppose P = C = K = Z_5. For all K ∈ K and for all x ∈ P, let e_K(x) = K + x + 1 (mod 5). The encryption matrix of this secrecy code is the latin square of Figure 3.2 and we assume each key is selected with equal probability. This code has perfect secrecy.

Figure 3.2: e_K(x) ≡ K + x + 1 (mod 5).


3.2 I Have So Many Secrets to Tell You ...

Suppose Alice wants to encrypt up to L ≥ 1 different plaintexts with the same key and send them to Bob consecutively. If for any subset of t plaintexts, 1 ≤ t ≤ L, Oscar sees all t ciphertexts going from Alice to Bob and yet this gives him no information on the plaintexts, other than that the t ciphertexts have been encrypted with the same key, we say that this code has perfect L-fold secrecy and that L is the level of security of the code. We say that a code achieving perfect 1-fold secrecy is a code achieving perfect secrecy. We assume the t plaintexts to be all distinct and the order in which they are sent to Bob to be irrelevant. Denote by

$\mathrm{Prob}_{\binom{P}{t}}(X)$

the probability distribution over the subsets of size t of P; that is, the probability that a given subset X ⊆ P of t plaintexts is chosen among all possible t-subsets of P. As in the case of authentication codes without secrecy, the probability distribution over P is known by each participant in the protocol, including Oscar⁶. Also, we assume that

$\mathrm{Prob}_{\binom{P}{t}}(X) \neq 0$ for any t-subset X, $X \in \binom{P}{t}$, and $\mathrm{Prob}_{\binom{C}{t}}(Y) \neq 0$ for any $Y \in \binom{C}{t}$.

It must be true that $\mathrm{Prob}_{\binom{P}{t}}(X) \neq 0$ and $\mathrm{Prob}_{\binom{C}{t}}(Y) \neq 0$, because if $\mathrm{Prob}_{\binom{P}{t}}(X) = 0$ then there exists a p ∈ X such that Prob_P(p) = 0, which is a contradiction. Earlier, we said that if Prob_P(p) = 0, we could remove p from P. The same argument holds for $\mathrm{Prob}_{\binom{C}{t}}(Y)$.

Formally, a code has perfect L-fold secrecy if for every 1 ≤ t ≤ L, for every set Y of t ciphertexts (observed by Oscar), and for every set X of t plaintexts, we have

$\mathrm{Prob}_{\binom{P}{t}}(X \mid Y) = \mathrm{Prob}_{\binom{P}{t}}(X).$

⁶As in Section 2.3, this is an extension of Kerckhoffs' criteria.

We now can state a generalization of Shannon's theorem (Theorem 3.3) whose proof can be found in [34].

Theorem 3.4. Given a secrecy code (P, C, K, E, D) which achieves perfect L-fold secrecy, we have

$|\mathcal{K}| \geq \binom{|P|}{L}.$

Proof: Let Y(K_0) be the set of possible ciphertexts obtained using the key K_0 ∈ K. This means Y(K_0) = {e_{K_0}(x) : x ∈ P}.

Let Y_1 ⊆ Y(K_0) and |Y_1| = L. Let X_1 be any set of L plaintexts. Then by (3.1)

If there is no key such that X_1 is the set of plaintexts which are encrypted to the set of ciphertexts Y_1, then our code does not have perfect L-fold secrecy, since

Therefore, for each of the $\binom{|P|}{L}$ L-subsets X of P there is a key K so that e_K(X) = Y_1. All such keys must be distinct as the encryption rules are injective. Thus

$|\mathcal{K}| \geq \binom{|P|}{L}.$


We say that a secrecy code which has perfect L-fold secrecy is optimal if it reaches the bound of Theorem 3.4 with equality.

Example: We are now going to analyse the secrecy of an OTP (One-Time Pad) cryptosystem. The OTP⁷ was developed in 1917 by U.S. Army Major Joseph Mauborgne and Gilbert Vernam, an engineer at AT&T. It was believed to be "unbreakable"⁸ and Shannon only proved it to be a perfect secrecy code three decades later.

The idea of this code is to have a long list of 0's and 1's distributed randomly which is used as the key and to add, modulo 2, each bit⁹ of this key to the bits of the plaintext. The key is seen as a pad of bits. To decrypt the ciphertext, simply add, modulo 2, each bit of the ciphertext to the bits of the same key.

Mathematically, if n, n ≥ 1, is the length of the plaintext, then P = C = K = (Z_2)^n. For a given key K = (K_1, K_2, ..., K_n) ∈ K and a given p = (p_1, p_2, ..., p_n) ∈ P, we define the ciphertext by c = (c_1, c_2, ..., c_n) where c_i = p_i ⊕ K_i, i = 1, 2, ..., n. That is, c = (c_1, c_2, ..., c_n) = e_K(p) ≡ (p_1 + K_1, p_2 + K_2, ..., p_n + K_n) (mod 2). To decrypt we need to add bitwise the ciphertext and the key K:

d_K(e_K(p)) ≡ (c_1 + K_1, c_2 + K_2, ..., c_n + K_n) (mod 2) = p.

It is easy to verify that the OTP is an optimal 1-fold secrecy code. We know that the ciphertext c gives Oscar absolutely no information on the plaintext p since K is a random string of bits; that is, each K ∈ K has the same probability of being chosen. Oscar can spend the rest of his life examining c (a string of zeros and ones) and he will not be able to determine which vectors of zeros and ones were added together to obtain c.

⁷The OTP is also sometimes referred to as the Vernam cryptosystem.

⁸The OTP is unbreakable if the key is truly random.

⁹In many books, the operation of adding bits modulo 2 is called an "exclusive or" operation and is denoted XOR or ⊕.

It is a well known fact that the OTP is not a perfect 2-fold secrecy code because in an OTP, $|\mathcal{K}| = |P| = |C| = 2^n$, but $2^n < \binom{2^n}{2}$ for all n ≥ 2. This is why, if Alice and Bob are using the OTP, they can not use the same key twice and must discard their key once they have used it. Hence the name: one-time pad.

3.3 Construction of Secrecy Codes

We now introduce a combinatorial object which will be useful for the construction of optimal secrecy codes which achieve perfect 2-fold secrecy and perfect 3-fold secrecy. These objects are perpendicular arrays.

Definition 3.5. A perpendicular array, PA_λ(t, k, n), is a $\lambda \binom{n}{t} \times k$ array with n different symbols such that

1. every row of the array contains k distinct symbols,

2. each set of t columns contains each set of t distinct symbols as a row exactly λ times.

This definition specifies that if we run t fingers down any t columns of a perpendicular array we find every unordered subset of t elements exactly λ times. As an example, we can easily verify that the matrix in Figure 3.3 is a perpendicular array PA_1(2, 5, 5) and that the latin square, LS(5), of Figure 3.1 is a PA_1(1, 5, 5).


Figure 3.3: A perpendicular array PA_1(2, 5, 5).

In general, |K| depends on |P|, |C| and L, the level of security. We now construct a secrecy code which will meet the required minimal bounds on the number of keys as given by Theorem 3.4. This next theorem links the notions of perfect L-fold secrecy codes and perpendicular arrays.

Theorem 3.6. If there exists a perpendicular array PA_λ(L, k, n), with k ≥ 2L − 1, then there exists a secrecy code (P, C, K, E, D) which achieves perfect L-fold secrecy with |P| = k, |C| = n and $|\mathcal{K}| = \lambda \binom{n}{L}$.

Before we prove Theorem 3.6, we need to state and prove a property of perpendicular arrays.

Theorem 3.7 ([17], Theorem 1.1). Let 0 ≤ t' < t and suppose

$\binom{k}{t'} \leq \binom{k}{t}.$

Then a PA_λ(t, k, n) is also a PA_{λ_{t'}}(t', k, n), where

$\lambda_{t'} = \lambda \dfrac{\binom{n - t'}{t - t'}}{\binom{t}{t'}}.$


Proof: Let A be a perpendicular array PA_λ(t, k, n). For any set J' of t' columns, define r(J') to be the number of rows of A such that the elements in a particular set T' of t' distinct symbols are in the columns of J'.

Given T', for any set J of t columns, we get

$\sum_{J' \subseteq J,\ |J'| = t'} r(J') = \lambda \binom{n - t'}{t - t'}.$

As J' ranges over the columns of J, the left-hand side of this equation counts the number of rows with a particular set T'. In other words, it counts every occurrence of a particular set T'. Now, the right-hand side considers T'. In the columns of J every t-set occurs λ times; the number of t-sets that contain T' is $\binom{n - t'}{t - t'}$, where each of them occurs λ times in the columns of J, and each time one occurs we get a count of one in the left-hand side.

Allowing J to vary over all possible sets of t columns, we obtain a system of $\binom{k}{t}$ equations in $\binom{k}{t'}$ unknowns. By hypothesis, we have $\binom{k}{t'} \leq \binom{k}{t}$, which means that if the system has a solution, then it has a unique solution. Setting

$r(J') = \lambda \dfrac{\binom{n - t'}{t - t'}}{\binom{t}{t'}}$

for every set J' provides a solution to the system of equations and hence is the unique solution. By the definition of r(J') these values are integral. Hence A is also a perpendicular array PA_{λ_{t'}}(t', k, n), where


Proof: [Theorem 3.6] Let A be a perpendicular array PA_λ(L, k, n) on the symbols X = {0, 1, ..., n − 1}. Let the rows be the keys in K and the columns be the plaintexts in P, and define the element of A at the intersection of row K and column p to be the ciphertext c = e_K(p). Suppose each key K ∈ K is selected with probability

$\dfrac{1}{\lambda \binom{n}{L}}.$

We have to prove that this defines a secrecy code (P, C, K, E, D) which achieves perfect L-fold secrecy. We need to show that for every t, 1 ≤ t ≤ L,

$\mathrm{Prob}_{\binom{P}{t}}(X \mid Y) = \mathrm{Prob}_{\binom{P}{t}}(X)$

for all X ⊆ P, Y ⊆ C such that |X| = |Y| = t.

Since 2t − 1 ≤ 2L − 1 ≤ k, we have

which implies that our PA_λ(L, k, n) is also a PA_{λ_t}(t, k, n) by Theorem 3.7. We now show that for every t ≤ L, for every set X of t plaintexts, and for every set Y of t ciphertexts, we have

$\mathrm{Prob}_{\binom{P}{t}}(X \mid Y) = \mathrm{Prob}_{\binom{P}{t}}(X).$

By Bayes's Theorem


We note that $\mathrm{Prob}_{\binom{C}{t}}(Y \mid X) = \mathrm{Prob}_{\binom{C}{t}}(Y)$, as Y is independent of the choice of the set X of plaintexts because we have a perpendicular array PA_{λ_t}(t, k, n), so each subset Y of t symbols occurs in λ_t rows for each set X and each key is chosen equally often. We have

and

Hence,

$\mathrm{Prob}_{\binom{P}{t}}(X \mid Y) = \mathrm{Prob}_{\binom{P}{t}}(X).$
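The Python code below is an added example, not part of the thesis: it checks Definition 3.5 and perfect t-fold secrecy (computing Prob(X|Y) by Bayes's theorem as in the proofs of Theorems 3.3 and 3.6) on three constructed codes, the shift cipher of Figure 3.2 from Section 3.1, the two-bit one-time pad of Section 3.2, and a PA_1(2, 3, 3) turned into a code by the construction of Theorem 3.6. The prior on a t-subset of plaintexts being proportional to the product of its plaintexts' probabilities is an assumption of this example, as are the function names.

```python
from fractions import Fraction
from itertools import combinations


def is_perpendicular_array(rows, t, lam):
    """Definition 3.5: every row holds k distinct symbols and, in any t columns,
    every t-set of distinct symbols occurs as a row exactly lam times."""
    k = len(rows[0])
    symbols = sorted({x for r in rows for x in r})
    if any(len(set(r)) != k for r in rows):
        return False
    for cols in combinations(range(k), t):
        counts = {}
        for r in rows:
            tset = frozenset(r[c] for c in cols)
            counts[tset] = counts.get(tset, 0) + 1
        if any(counts.get(frozenset(ts), 0) != lam
               for ts in combinations(symbols, t)):
            return False
    return True


def has_perfect_t_fold_secrecy(matrix, key_prob, plain_prob, t):
    """Check Prob(X | Y) = Prob(X) for every t-set X of plaintexts (columns)
    and every t-set Y of ciphertexts, computing Prob(X | Y) by Bayes's theorem
    as in the proofs of Theorems 3.3 and 3.6.  Assumption of this example: the
    prior on a t-subset X is proportional to the product of its plaintexts'
    probabilities."""
    k = len(matrix[0])
    ciphertexts = sorted({c for r in matrix for c in r})
    xsets = list(combinations(range(k), t))
    ysets = [frozenset(y) for y in combinations(ciphertexts, t)]

    def prod(ps):
        out = Fraction(1)
        for p in ps:
            out *= p
        return out

    weight = {X: prod(plain_prob[x] for x in X) for X in xsets}
    total = sum(weight.values())
    prior = {X: w / total for X, w in weight.items()}

    def prob_y_given_x(Y, X):
        # probability mass of the keys K with e_K(X) = Y as unordered sets
        return sum((key_prob[K] for K, r in enumerate(matrix)
                    if frozenset(r[x] for x in X) == Y), Fraction(0))

    for Y in ysets:
        prob_y = sum(prior[X] * prob_y_given_x(Y, X) for X in xsets)
        if prob_y == 0:
            continue  # Y is never observed, so it is omitted as in Section 3.1
        for X in xsets:
            if prob_y_given_x(Y, X) * prior[X] / prob_y != prior[X]:
                return False
    return True


def shift_cipher_matrix():
    """Figure 3.2: P = C = K = Z_5 and e_K(x) = K + x + 1 (mod 5)."""
    return [[(K + x + 1) % 5 for x in range(5)] for K in range(5)]


def otp_matrix(n):
    """One-time pad on n bits: keys and plaintexts are 0..2^n-1 read as bit
    vectors, and e_K(p) = p XOR K (bitwise addition modulo 2)."""
    return [[p ^ K for p in range(2 ** n)] for K in range(2 ** n)]


def cyclic_pa_2_3_3():
    """Constructed PA_1(2,3,3): the three cyclic shifts of 0 1 2.  Since
    k = 3 >= 2L - 1 for L = 2, Theorem 3.6 turns it into a perfect 2-fold
    secrecy code with |P| = |C| = 3 and |K| = 3 = C(3,2)."""
    return [[(K + x) % 3 for x in range(3)] for K in range(3)]


def uniform(n):
    """n equally likely outcomes."""
    return [Fraction(1, n)] * n


def skewed(n):
    """A deliberately non-uniform distribution 1/2, 1/4, ..., used to exercise
    Theorem 3.10 (secrecy does not depend on the plaintext distribution)."""
    ps = [Fraction(1, 2 ** i) for i in range(1, n)]
    return ps + [1 - sum(ps)]


if __name__ == "__main__":
    shift, otp, pa = shift_cipher_matrix(), otp_matrix(2), cyclic_pa_2_3_3()
    print("LS(5) is a PA_1(1,5,5):", is_perpendicular_array(shift, 1, 1))
    print("shift cipher, uniform plaintexts, 1-fold:",
          has_perfect_t_fold_secrecy(shift, uniform(5), uniform(5), 1))
    print("shift cipher, skewed plaintexts, 1-fold:",
          has_perfect_t_fold_secrecy(shift, uniform(5), skewed(5), 1))
    print("2-bit OTP 1-fold / 2-fold:",
          has_perfect_t_fold_secrecy(otp, uniform(4), uniform(4), 1),
          has_perfect_t_fold_secrecy(otp, uniform(4), uniform(4), 2))
    print("PA_1(2,3,3):", is_perpendicular_array(pa, 2, 1), "gives 2-fold secrecy:",
          has_perfect_t_fold_secrecy(pa, uniform(3), uniform(3), 2))
```

The two-bit pad fails the 2-fold check because it has only 4 keys while Theorem 3.4 demands at least 6, and Oscar learns the XOR of the two plaintexts from the two ciphertexts.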

Theorem 3.8. Given an optimal secrecy code (P, C, K, E, D) which provides perfect L-fold secrecy, there exists a perpendicular array PA_1(L, |P|, |P|).

Proof: Choose K_0 to be any key in K. Let Y(K_0) be the set of possible ciphertexts obtained using the key K_0. This means Y(K_0) = {e_{K_0}(x) : x ∈ P}. Let Y_1 ⊆ Y(K_0) and |Y_1| = L. Let X_1 be any set of L plaintexts. As in the proof of Theorem 3.4 there is at least one key K_1 such that X_1 is the set of plaintexts which are encrypted to the set of ciphertexts Y_1. By hypothesis, the secrecy code (P, C, K, E, D) is optimal, which means that


$|\mathcal{K}| = \binom{|P|}{L}.$

Therefore, there is exactly one such key K_1 and for every key K ∈ K, there exists an L-subset X_K ⊆ P with e_K(X_K) = Y_1.

Now, there are $\binom{|P|}{L}$ different L-subsets of ciphertexts in Y(K_0) and each of these occurs in each key. This means that the L-subsets of Y(K_0) are the only L-subsets of C and therefore Y(K_0) = Y(K) for every key K ∈ K, or |C| = |P|. By hypothesis,

$\mathrm{Prob}_{\binom{P}{t}}(X \mid Y) = \mathrm{Prob}_{\binom{P}{t}}(X),$

since the secrecy code (P, C, K, E, D) provides perfect L-fold secrecy. This then implies that for every L-set $X \in \binom{P}{L}$, every L-set $Y \in \binom{C}{L}$ occurs exactly once in the columns of X. If Y occurred twice in the columns of some L-set X, then it must have missed some X' so that

$\mathrm{Prob}_{\binom{P}{L}}(X' \mid Y) \neq \mathrm{Prob}_{\binom{P}{L}}(X').$

Thus we have shown that the encoding matrix of this secrecy code (P, C, K, E, D) is a perpendicular array PA_1(L, |P|, |P|). It is also worth observing that to ensure $\mathrm{Prob}_{\binom{P}{t}}(X \mid Y) = \mathrm{Prob}_{\binom{P}{t}}(X)$, each key must necessarily occur with equal probability.

We are now going to give a theorem which offers a partial converse to Theorem 3.6 and summarises Theorems 3.4, 3.6 and 3.8. It also establishes a bound on the number of keys in a perfect L-fold secrecy code (P, C, K, E, D).

Theorem 3.9. Given a secrecy code (P, C, K, E, D) which achieves perfect L-fold secrecy with |P| ≥ 2L − 1, we have $|\mathcal{K}| \geq \binom{|P|}{L}$. Moreover, $|\mathcal{K}| = \binom{|P|}{L}$ if and only if there exists a perpendicular array PA_1(L, |P|, |P|) and each of the keys K ∈ K has equal probability of occurrence.

Proof: This proof is obtained directly from the proofs of Theorems 3.4, 3.6 and 3.8.

Theorem 3.9 tells us how secrecy codes with optimal perfect L-fold secrecy are obtained from perpendicular arrays. Now, what we really need to know is for which values of L and |P| there exists a PA_1(L, |P|, |P|). The following results concerning perpendicular arrays will be stated without proof as they can be found in "The CRC Handbook of Combinatorial Designs" [13].

• The case L = 1 corresponds to Theorem 3.3 since any latin square LS(|P|) is a perpendicular array PA_1(1, |P|, |P|). So, by using a latin square, we obtain optimal perfect 1-fold secrecy.

• For any odd prime power q ≥ 3, there exists a perpendicular array PA_1(2, q, q). This provides us with examples of optimal perfect 2-fold secrecy codes for |P| = q.

• There exist perpendicular arrays PA_1(3, v, v) for v = 8 and 32. These perpendicular arrays provide us with examples of secrecy codes (P, C, K, E, D) with optimal perfect 3-fold secrecy.

• Examples of secrecy codes with perfect 4-fold secrecy are given by the existence of perpendicular arrays PA_1(4, v, v) for v = 9 and 33.

This demonstrates that we can construct optimal perfect L-fold secrecy codes from perpendicular arrays for L = 1, 2, 3, 4. However, no construction has yet been given for L > 4.


The last theorem we are going to see in this chapter is both interesting and surprising. It says that a secrecy code which achieves perfect L-fold secrecy is independent of the probability distribution over the plaintexts, Prob_P(p). So Oscar does not gain information on Alice's and Bob's communication by knowing in which language they are speaking.

Theorem 3.10. A secrecy code (P, C, K, E, D) which achieves perfect L-fold secrecy for a given probability distribution over the set of plaintexts P will achieve perfect L-fold secrecy for any other probability distribution p_1 over P.

Proof: Assume we have a secrecy code (P, C, K, E, D) which achieves perfect L-fold secrecy for a given probability distribution p_0 over the set of plaintexts P. Let Y(K) = {e_K(x) : x ∈ P} be the set of ciphertexts obtained using the key K. For each key K ∈ K and set of ciphertexts Y ⊆ Y(K) define

$e_K^{-1}(Y) = \{x : x \in P \text{ and } e_K(x) \in Y\}$¹⁰

to be the set of plaintexts which is encrypted to the set of ciphertexts Y with the key K.

The condition for a secrecy code (P, C, K, E, D) to have perfect L-fold secrecy with respect to the probability distribution over P is that for every 1 ≤ t ≤ L, for every set Y_1 of t ciphertexts observed and for every set X_1 of t plaintexts, we have

¹⁰Abusing notation.


By Bayes's theorem, this is equivalent to

which is the same as

On the other hand, for any probability distribution p_1 over P, we have

$= \sum_{K \in \mathcal{K} : Y_1 \subseteq Y(K)} \cdots$ by (3.2)

Therefore

which is equivalent to ~(x) = p_0(Y_1 | X_1). Therefore, a secrecy code which achieves perfect L-fold secrecy for a given probability distribution p_0 also achieves perfect L-fold secrecy for any other probability distribution over P.


Chapter 4

Authentication Codes With Secrecy: "I Want Authentication and Secrecy," Says Alice.

Suppose now that Alice does not only want to authenticate the message she is sending to Bob, as in Chapter 2, or simply to keep her message secret from Oscar, as in Chapter 3. Suppose that Alice wants it all; that is, she wants authentication and secrecy of her message. We again suppose that Alice and Bob mutually trust each other. First Alice and Bob privately agree on e, an encoding rule that can be seen as a secret key. Alice encrypts s, the source state that she wants to secretly send to Bob, using e, their encryption rule. Alice sends the message m = e(s). Bob receives and decrypts m. What we are now going to do is to suggest a method in which Bob will be assured that the message is authentic, comes from Alice and has been kept secret from Oscar.


In the previous chapters, we went into detailed discussion of authentication codes without secrecy and secrecy codes. For completeness, in this chapter we would like to give a brief overview of the ideas behind authentication codes with secrecy. However, we first need to set the stage by stating some results on general authentication codes by generalising the ideas of Chapter 2. General authentication codes are authentication codes for which we do not necessarily impose secrecy.

In Chapter 2, the message was m = (s, a), so in intercepting a message from Alice to Bob, Oscar knew what Alice was saying to Bob. In this chapter we give constructions for authentication codes where Oscar does not necessarily know the source state, and authentication codes where Oscar does know the source state.

The general ideas and theorems presented in this chapter can be found in "The CRC Handbook of Combinatorial Designs" [13], in articles written by Stinson [32], [33], [34] and by Van Trung [40].

We define a general authentication code as the following.

Definition 4.1. A general authentication code is a triple (S, M, E) satisfying

1. S is a finite set of source states,

2. M is a finite set of messages,

3. E is the finite set of encoding rules, where for each e ∈ E, we have e : S → M, and where the message sent by Alice lies in M.

Bob wants to be able to determine Alice's message uniquely, so in this chapter,


we will not allow splitting¹; this means that each e ∈ E is injective. We represent a general authentication code (S, M, E) by a |E| × |S| matrix that we call the encoding matrix. The rows are indexed by the encoding rules, the columns are indexed by the source states and the entry at the intersection of row e and column s is the message m = e(s).

4.1 Probabilities of Cheating

We suppose that Oscar has the ability to do substitution and impersonation by modifying Alice's message to Bob or by introducing a new message. Oscar achieves his goal if Bob accepts his bogus message m' = e(s), for some source state s. We suppose that Oscar is using the best strategy available to cheat Alice and Bob and that Prob_S(s), the probability distribution on S, is known to Alice, Bob and Oscar.

Let us denote the set of valid messages under a given encoding rule e to be M(e) = {e(s) : s ∈ S}. M(e) is the set of elements in row e of the encoding matrix. Suppose |S| = k and |M| = v. For m ∈ M, the probability that m is accepted as authentic by Bob is payoff(m). We have

¹Remember that an authentication code does not allow splitting if the source state and the encoding rule uniquely determine the message. (Chapter 3)


We can see that

Since the sum over all possible messages of the payoff(m) is k and |M| = v, there exists at least one message m_0 ∈ M such that payoff(m_0) ≥ k/v. By hypothesis, Oscar always chooses the best option available, so he chooses m such that

Pd_0 = max{payoff(m) : m ∈ M}.

We summarise this discussion with a theorem similar to Theorem 2.2.

Theorem 4.2. Given a general authentication code (S, M, E) with |S| = k and |M| = v, we have Pd_0 ≥ k/v. Moreover, Pd_0 = k/v if and only if payoff(m) = k/v for every m ∈ M.

Proof: We have Pd_0 = max{payoff(m) : m ∈ M}. Since Σ_{m∈M} payoff(m) = k and |M| = v, we have Pd_0 ≥ k/v. If Pd_0 = k/v, then max{payoff(m) : m ∈ M} = k/v and payoff(m) = k/v for all m ∈ M. Clearly if payoff(m) = k/v for every m ∈ M, then max{payoff(m) : m ∈ M} = k/v and Pd_0 = k/v.

Let us do the same for the case of an attack by substitution. For an encoding rule e and a message m ∈ M(e),

e^{-1}(m) = s if and only if e(s) = m.


For m, m' ∈ M, m' ≠ m, the probability that m' is accepted as authentic by Bob knowing that Alice sent the message m is payoff(m, m'). We have

$$\mathrm{payoff}(m, m') = \mathrm{Prob}(m' = e(s') \mid m = e(s)) = \frac{\mathrm{Prob}(m' = e(s') \text{ and } m = e(s))}{\mathrm{Prob}(m = e(s))}.$$

For given m ∈ M we have

Since |M| = v, then for each m ∈ M there exists a message m' ∈ M, m' ≠ m, for which payoff(m, m') ≥ (k − 1)/(v − 1). Define

Similarly to Theorem 2.3, we have the following theorem.


Theorem 4.3. Given a general authentication code (S, M, E), with |S| = k and |M| = v, we have Pd_1 ≥ (k − 1)/(v − 1). Moreover, Pd_1 = (k − 1)/(v − 1) if and only if

$$\frac{\sum_{e \in E : m, m' \in M(e)} \mathrm{Prob}_E(e)\,\mathrm{Prob}_S(s = e^{-1}(m))}{\sum_{e \in E : m \in M(e)} \mathrm{Prob}_E(e)\,\mathrm{Prob}_S(s = e^{-1}(m))} = \frac{k-1}{v-1}$$

for every m, m' ∈ M such that m' ≠ m.

Proof: For given m ∈ M, if Σ_{m' ≠ m} payoff(m, m') = k − 1 and |M| = v, then there exists an m_0 such that payoff(m, m_0) ≥ (k − 1)/(v − 1). Choose m' (dependent on m) so that

payoff(m, m') = max{payoff(m, m') : m' ∈ M, m' ≠ m}.

We have

$$\mathrm{Pd}_1 = \sum_{m \in M} \mathrm{Prob}_M(m)\, \max\{\mathrm{payoff}(m, m') : m' \in M,\ m' \neq m\}$$

Suppose Pd_1 = (k − 1)/(v − 1). Then we have equality throughout and payoff(m, m') = (k − 1)/(v − 1) for all m, which in turn implies that payoff(m, m') = (k − 1)/(v − 1) for all m, m' ∈ M such that m' ≠ m.


Suppose

$$\frac{\sum_{e \in E : m, m' \in M(e)} \mathrm{Prob}_E(e)\,\mathrm{Prob}_S(s = e^{-1}(m))}{\sum_{e \in E : m \in M(e)} \mathrm{Prob}_E(e)\,\mathrm{Prob}_S(s = e^{-1}(m))} = \frac{k-1}{v-1}$$

for every m, m' ∈ M such that m' ≠ m. This implies payoff(m, m') = (k − 1)/(v − 1) for every m, m' ∈ M such that m' ≠ m, which means that max{payoff(m, m') : m, m' ∈ M} = (k − 1)/(v − 1). Hence

$$\mathrm{Pd}_1 = \sum_{m \in M} \mathrm{Prob}_M(m)\,\frac{k-1}{v-1} = \frac{k-1}{v-1}.$$

4.2 Construction of a General Authentication Code

We are now interested in constructing a general authentication code which meets the conditions of Theorems 4.2 and 4.3. We will use a combinatorial object called a Steiner system².

²Jakob Steiner (1796 - 1833) was a Swiss mathematician. He was one of the greatest contributors to projective geometry. He believed that calculation replaces thinking while geometry stimulates it. For this reason, he never liked calculus or algebra.


Definition 4.4. Given two integers k, v such that 2 < k < v, a Steiner system ST(2, k, v) is a collection of k-subsets, called blocks, of a v-set of points such that every pair of points lies in exactly one of the blocks.

Example: Let V = {1, 2, ..., 9} and

B = {123, 456, 789, 147, 258, 369, 159, 267, 348, 168, 249, 357}.

The pair (V, B) is a Steiner system ST(2,3,9). In Figure 4.1, we represent it pictorially. The blocks are represented by eight lines and four closed curves.

Figure 4.1: Representation of the Steiner system ST(2,3,9).

There are two theorems about Steiner systems that we are going to prove. Theorem 4.5 gives the number of blocks in which each point of a Steiner system ST(2, k, v) occurs and Theorem 4.6 gives the number of blocks of a Steiner system ST(2, k, v).

Theorem 4.5. In a Steiner system ST(2, k, v), every point occurs in exactly (v − 1)/(k − 1) blocks.


Proof: Let (V, B) be a Steiner system ST(2, k, v). Let x ∈ V, and let r denote the number of blocks containing x. Define the set

$$I = \{(y, B) : y \in V,\ y \neq x,\ B \in \mathcal{B},\ \{x, y\} \subseteq B\}.$$

We count the number of elements in the set I in two different ways.

If we choose y first, we have v − 1 choices for y ∈ V such that y ≠ x. For each y, there is one block B in which the unordered pair {x, y} occurs. Therefore |I| = v − 1.

On the other hand, if we choose B first, we have r different ways to choose a block B such that x ∈ B. For each choice of B, there are k − 1 choices for y ∈ B such that y ≠ x. Therefore |I| = r(k − 1).

We have v − 1 = r(k − 1). This means that the number of blocks containing a certain point is r = (v − 1)/(k − 1).

Theorem 4.6. In a Steiner system ST(2, k, v), there are exactly v(v − 1)/(k(k − 1)) blocks.


Proof: Let (V, B) be a Steiner system ST(2, k, v). Let b denote the number of blocks of the system. Define the set

$$I = \{(x, B) : x \in V,\ B \in \mathcal{B},\ x \in B\}.$$

If we choose x first, we have v choices for x ∈ V. We know by Theorem 4.5 that each x is in exactly (v − 1)/(k − 1) blocks. Therefore |I| = v(v − 1)/(k − 1).

On the other hand, if we choose B first, we have b different ways to choose a block B ∈ B. For each choice of B, there are k choices for x ∈ B. Therefore |I| = bk.

We have v(v − 1)/(k − 1) = bk. This means that the number of blocks of a Steiner system ST(2, k, v) is b = v(v − 1)/(k(k − 1)).

From Theorems 4.5 and 4.6 we have the following corollary.

Corollary 4.7. In a Steiner system ST(2, k, v), vr = kb, where r is the number of blocks containing a certain point and b is the number of blocks of the system.


We will use a Steiner system ST(2, k, v) to build an authentication code (S, M, E) with Pd_0 = k/v and Pd_1 = (k − 1)/(v − 1), where |S| = k and |M| = v. The idea of using a Steiner system ST(2, k, v) comes from the following discussion.

Let the messages of the code be represented by the set of points V and the encoding rules by the set of blocks B of the ST(2, k, v). The entry at the intersection of the row corresponding to a block B ∈ B and column s ∈ S is one of the k points of B. We have that a block in the Steiner system is represented in the encoding matrix as a row, where the order of the elements in the rows is established at the outset. Consequently, |E| = v(v − 1)/(k(k − 1)). Suppose that Oscar wants to send a bogus message to Bob (he is trying to cheat Bob by impersonation). For any message m' that Oscar wishes to send to Bob, he has a probability k/v of successfully cheating Alice and Bob. We know by Theorem 4.5 that in a Steiner system ST(2, k, v) every point occurs in exactly (v − 1)/(k − 1) blocks and by Theorem 4.6 that there are exactly v(v − 1)/(k(k − 1)) blocks to choose from. This means that, assuming each message is equally likely to be chosen by Oscar, the probability that Oscar "hits" the encoding rule being used by Alice and Bob is

$$\frac{(v-1)/(k-1)}{v(v-1)/(k(k-1))} = \frac{k}{v}.$$

Now, suppose Oscar intercepts a message m and tries to introduce a message m' of his own, where m' ≠ m. He can choose any of the messages that are in one of the blocks that contain m. But between them, these blocks contain each of the elements of V exactly once and hence Oscar will not do better than guessing and has a probability of (k − 1)/(v − 1) of successfully cheating Alice and Bob by way of substitution.


Theorem 4.8. Given an authentication code (S, M, E) with |M| = v, |S| = k, Pd_0 = k/v and Pd_1 = (k − 1)/(v − 1), we have

$$|E| \geq \frac{v(v-1)}{k(k-1)}.$$

Moreover, |E| = v(v − 1)/(k(k − 1)) if and only if there exists a Steiner system ST(2, k, v), when any of the encoding rules e ∈ E and any of the k source states s ∈ S has equal probability of selection.

Proof: Suppose there is an authentication code (S, M, E) with |M| = v, |S| = k, k ≤ v, Pd_0 = k/v and Pd_1 = (k − 1)/(v − 1). Let M(e) = {(s, e(s)) : s ∈ S}. Then for any two distinct messages m and m', there is at least one row of the encoding matrix such that both are in that row. This means that

for every distinct pair of messages m, m'. Consequently,

Suppose that |E| = v(v − 1)/(k(k − 1)). Then |{e ∈ E : m, m' ∈ M(e)}| = 1 for every pair of distinct messages m, m' and so the rows of the encoding matrix form the blocks of a Steiner system ST(2, k, v) when taken as unordered subsets.

Suppose there exists a Steiner system ST(2, k, v). For every block B ∈ B of the Steiner system let us define an encoding rule e_B such that {e_B(s) : s ∈ S} = B. We will use each encoding rule with equal probability 1/|E|. By Theorem 4.6


there are |E| = v(v − 1)/(k(k − 1)) encoding rules and we have a general authentication code. Now payoff(m) = k/v for every m ∈ M, and so by Theorem 4.2, Pd_0 = k/v.

We compute

$$\mathrm{payoff}(m, m') = \frac{\sum_{e \in E : m, m' \in M(e)} \mathrm{Prob}_E(e)\,\mathrm{Prob}_S(s = e^{-1}(m))}{\sum_{e \in E : m \in M(e)} \mathrm{Prob}_E(e)\,\mathrm{Prob}_S(s = e^{-1}(m))} = \frac{k-1}{v-1}$$

and by Theorem 4.3, Pd_1 = (k − 1)/(v − 1).

We now show that the existence of an authentication code with Pd_0 = k/v, Pd_1 = (k − 1)/(v − 1) and |E| = v(v − 1)/(k(k − 1)) requires each source state s ∈ S and each encoding rule e ∈ E to have the same probability of being selected.

Suppose that |E| = v(v − 1)/(k(k − 1)). By Theorem 4.3, we have

$$\frac{\sum_{e \in E : m, m' \in M(e)} \mathrm{Prob}_E(e)\,\mathrm{Prob}_S(s = e^{-1}(m))}{\sum_{e \in E : m \in M(e)} \mathrm{Prob}_E(e)\,\mathrm{Prob}_S(s = e^{-1}(m))} = \frac{k-1}{v-1}$$


for every m, m' ∈ M such that m' ≠ m. Choosing m'' ∈ M such that m'' ≠ m, m', we also have

$$\frac{\sum_{e \in E : m, m'' \in M(e)} \mathrm{Prob}_E(e)\,\mathrm{Prob}_S(s = e^{-1}(m))}{\sum_{e \in E : m \in M(e)} \mathrm{Prob}_E(e)\,\mathrm{Prob}_S(s = e^{-1}(m))} = \frac{k-1}{v-1}.$$

Together these imply

We supposed that |E| = v(v − 1)/(k(k − 1)), which we have seen is the same as saying that |{e ∈ E : m, m' ∈ M(e)}| = 1 for every pair of distinct messages m, m'. So we can say that

$$\mathrm{Prob}_E(e)\,\mathrm{Prob}_S(s) = \mathrm{Prob}_E(e')\,\mathrm{Prob}_S(s'),$$

when m, m' ∈ M(e), m, m'' ∈ M(e'), s = e^{-1}(m) and s' = (e')^{-1}(m).

For m ∈ M, let Prob_M(m) denote the probability that the message m is chosen, and note that

By Theorem 4.5, the number of blocks in which each point of a Steiner system ST(2, k, v) occurs is r = (v − 1)/(k − 1).


Since the Steiner system represents an authentication code (S, M, E), then r is the number of encoding rules in which a message m occurs.

We then have by (4.1)

for all e, s such that e(s) = m. This means that for any e ∈ E,

Let us arbitrarily choose a message m_0. By Theorem 4.2 and equation (4.3) we have

(by 4.2).


We obtained (4.4) since every element of M \ {m_0} occurs exactly once in these rows. So

which is the same as saying that

Since we chose m_0 arbitrarily, every m ∈ M has the same probability of selection and that is 1/v. Moreover, since the encoding matrix of the authentication code (S, M, E) is a Steiner system ST(2, k, v), we have by Corollary 4.7 that r/b = k/v, where b is the number of blocks of a Steiner system ST(2, k, v). Thus

$$\mathrm{Prob}_E(e)\,\mathrm{Prob}_S(s) = \frac{1}{bk}$$

for all s ∈ S, e ∈ E. First, let us fix e and sum over all source states. We have

$$\mathrm{Prob}_E(e) = \sum_{s \in S} \mathrm{Prob}_E(e)\,\mathrm{Prob}_S(s) = \frac{k}{bk} = \frac{1}{b}$$

for every e ∈ E. If we do the same thing for the source states, fix s and sum over all encoding rules, we have

$$\mathrm{Prob}_S(s) = \sum_{e \in E} \mathrm{Prob}_E(e)\,\mathrm{Prob}_S(s) = \frac{b}{bk} = \frac{1}{k}$$

for every s ∈ S. Consequently, we can conclude that both S and E must be equiprobable, which means that any s ∈ S and any e ∈ E must have the same probability of being selected.


Example: The pair (V, B), where the set of points is V = {1, 2, ..., 7} and the set of blocks is B = {123, 145, 167, 246, 257, 347, 356}, is a Steiner system ST(2,3,7). We can use this Steiner system ST(2,3,7) to build the authentication code represented by the encoding matrix of Figure 4.2.

If we suppose all encoding rules and source states to be selected with equal probability, we can verify that Pd_0 = 3/7 and Pd_1 = 1/3. To explain the latter, suppose for example that Alice sends m = 2 to Bob. If Oscar sees this and decides to introduce a message m' of his own, where m' ≠ 2, he can choose any of the valid source states that are in M(1), M(2) or M(5). Oscar only needs to guess which row of the encoding matrix was chosen by Alice to send her message to Bob. He can correctly guess with probability 1/3.

This authentication code reaches the bounds of Theorems 4.2 and 4.3.

Figure 4.2: An authentication code constructed from a Steiner system ST(2,3,7).

In this last example, the construction with the Steiner system ST(2,3,7) gives us an authentication code with secrecy. However, this is not always the case as we can see in the next example.


Example: Let us choose to build the authentication code with the Steiner system ST(2,3,9) of Figure 4.1. Since k = 3 and r = 4, the columns of the encoding matrix can not have each message repeated equally often in them. This gives an advantage to Oscar when choosing his best strategy to cheat Alice and Bob.
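As an added example (not the thesis's own code), the following Python checks the two constructions above: it verifies the Steiner property and the counts of Theorems 4.5 and 4.6, computes Pd_0 and Pd_1 of Section 4.1 for an encoding matrix under equiprobable rules and source states, and tests perfect 1-fold secrecy. Since Figure 4.2 is not reproduced here, the ordering of the ST(2,3,7) rows is our own choice (each column a permutation of the messages); the ST(2,3,9) rows are the blocks of Figure 4.1 in the order printed.

```python
from fractions import Fraction
from itertools import combinations

# Constructed encoding matrices (not the thesis's own figures). One row per
# encoding rule e, one column per source state s; the entry is the message e(s).
# Rows of the thesis's ST(2,3,7), ordered by us so that every column is a
# permutation of the seven messages: that ordering is what yields secrecy.
FANO_ROWS = [(1, 2, 3), (4, 1, 5), (6, 7, 1), (2, 6, 4),
             (7, 5, 2), (3, 4, 7), (5, 3, 6)]
# Blocks of the ST(2,3,9) of Figure 4.1 in the order printed, taken as rows.
ST239_ROWS = [(1, 2, 3), (4, 5, 6), (7, 8, 9), (1, 4, 7), (2, 5, 8), (3, 6, 9),
              (1, 5, 9), (2, 6, 7), (3, 4, 8), (1, 6, 8), (2, 4, 9), (3, 5, 7)]


def is_steiner_2(rows, v):
    """Definition 4.4: every pair of the v points lies in exactly one block."""
    cover = {pair: 0 for pair in combinations(range(1, v + 1), 2)}
    for block in rows:
        for pair in combinations(sorted(block), 2):
            cover[pair] += 1
    return all(c == 1 for c in cover.values())


def steiner_counts(v, k):
    """Theorems 4.5 and 4.6: r = (v-1)/(k-1), b = v(v-1)/(k(k-1))."""
    return Fraction(v - 1, k - 1), Fraction(v * (v - 1), k * (k - 1))


class GeneralAuthCode:
    """(S, M, E) with equiprobable source states and encoding rules (Theorem 4.8)."""

    def __init__(self, rows):
        self.rows = rows
        self.k = len(rows[0])                      # |S|
        self.messages = sorted({m for row in rows for m in row})
        self.v = len(self.messages)                # |M|
        self.p_e = Fraction(1, len(rows))          # Prob_E(e)
        self.p_s = Fraction(1, self.k)             # Prob_S(s)

    def payoff(self, m):
        """Impersonation: probability that a bogus message m is accepted by Bob."""
        return sum((self.p_e for row in self.rows if m in row), Fraction(0))

    def prob_message(self, m):
        """Prob(m) = sum over e with m in M(e) of Prob_E(e) Prob_S(e^-1(m))."""
        return sum((self.p_e * self.p_s for row in self.rows if m in row), Fraction(0))

    def payoff_sub(self, m, m2):
        """Substitution: payoff(m, m') = Prob(m' valid | Alice sent m), Section 4.1."""
        joint = sum((self.p_e * self.p_s for row in self.rows
                     if m in row and m2 in row), Fraction(0))
        return joint / self.prob_message(m)

    def pd0(self):
        """Theorem 4.2: Pd_0 = max over m of payoff(m); the bound is k/v."""
        return max(self.payoff(m) for m in self.messages)

    def pd1(self):
        """Theorem 4.3: Pd_1 = sum_m Prob(m) max_{m' != m} payoff(m, m'); bound (k-1)/(v-1)."""
        return sum(self.prob_message(m)
                   * max(self.payoff_sub(m, m2) for m2 in self.messages if m2 != m)
                   for m in self.messages)

    def is_perfectly_secret(self):
        """Perfect 1-fold secrecy: Prob(s | m) == Prob(s) for every s and observed m."""
        for m in self.messages:
            pm = self.prob_message(m)
            for s in range(self.k):
                joint = sum((self.p_e * self.p_s for row in self.rows if row[s] == m),
                            Fraction(0))
                if joint / pm != self.p_s:
                    return False
        return True


def meets_bounds(code):
    """True when the code attains both bounds of Theorems 4.2 and 4.3."""
    return (code.pd0() == Fraction(code.k, code.v)
            and code.pd1() == Fraction(code.k - 1, code.v - 1))


if __name__ == "__main__":
    for name, rows, v in (("ST(2,3,7)", FANO_ROWS, 7), ("ST(2,3,9)", ST239_ROWS, 9)):
        code = GeneralAuthCode(rows)
        print(name, "Steiner:", is_steiner_2(rows, v), "(r, b) =", steiner_counts(v, 3))
        print("  Pd0 =", code.pd0(), " Pd1 =", code.pd1(),
              " bounds met:", meets_bounds(code),
              " perfect secrecy:", code.is_perfectly_secret())
```

Both matrices attain the bounds of Theorems 4.2 and 4.3, but only the ST(2,3,7) matrix also hides the source state, because with r = 4 and k = 3 no ordering of the ST(2,3,9) rows can make Prob(s | m) equal to Prob(s).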

Massey [18] gave a lower bound for all Pd_i for an authentication code with secrecy. Before stating this, we need the definitions of spoofing attack and perfect L-fold secrecy. As in Section 3.2, a code achieves perfect L-fold secrecy if for every 1 ≤ t ≤ L, for every set Y of t ciphertexts (observed by Oscar), and for every set X of t plaintexts, we have Prob^{(t)}(X | Y) = Prob^{(t)}(X). We say that an authentication code is L-fold secure against spoofing if for all i, 0 ≤ i ≤ L,

$$\mathrm{Pd}_i = \frac{|S| - i}{|M| - i}.$$

Theorem 4.9. The probability of deception Pd_i in a general authentication code is bounded by

$$\mathrm{Pd}_i \geq \frac{|S| - i}{|M| - i}.$$

We denote an authentication code with secrecy that provides perfect L_S-fold secrecy and is L_A-fold secure against spoofing (S is for secrecy and A is for authentication) by (L_S, L_A)-code. Of course, in practice, it is most likely that we will want L_S to be close to L_A (since we want authentication and secrecy). There are two cases that we are now going to examine: L_S = L_A and L_S = L_A + 1.


4.3 Construction of (L, L − 1)-Codes and (L, L)-Codes

We now want to be able to build authentication codes with secrecy which achieve perfect L-fold secrecy and are L − 1-fold secure against spoofing (and perfect L-fold secrecy and L-fold secure against spoofing) and which require the minimum possible number of encoding rules (for the same reasons as explained in Chapters 2 and 3).

Theorem 4.10. Given an (L, L − 1)-code, we have

$$|E| \geq \binom{|M|}{L}.$$

Proof: Theorem 4.9 and its proof can be used to show that every subset of L messages is valid under at least one encoding rule. We proved in Theorem 3.4 that for a code which achieves perfect L-fold secrecy, if a subset of L messages is obtained using a given encoding rule e_0 ∈ E, then it must also have been obtained using at least $\binom{|S|}{L}$ encoding rules.

Now, let us count the number of ordered pairs (e, Y_L), where e ∈ E and Y_L is an L-subset of M(e). If we choose e first, we have |E| choices for e and $\binom{|S|}{L}$ choices for Y_L. This means

If we choose Y_L first, we have $\binom{|M|}{L}$ choices for Y_L and for each Y_L we then have at least $\binom{|S|}{L}$ choices for e. This means


We say that an (L, L − 1)-code is optimal if $|E| = \binom{|M|}{L}$. In Chapter 3, we described how perpendicular arrays PA_λ(t, k, n) are used to construct secrecy codes (P, C, K, E, D). In this chapter, we describe and construct authentication codes with secrecy and in doing so, we transform perpendicular arrays into combinatorial objects called authentication perpendicular arrays.

Definition 4.11. An authentication perpendicular array APA_λ(t, k, v) is a perpendicular array PA_λ(t, k, v) on v different symbols such that for any 0 ≤ t' ≤ t − 1 and for any t' + 1 distinct symbols x_i, with 1 ≤ i ≤ t' + 1, we have that among all the rows of the array which contain all the symbols x_i, the t' symbols x_i (1 ≤ i ≤ t') occur in all possible subsets of t' columns equally often.

As an example, we can easily verify that the matrix in Figure 4.3 is an authentication perpendicular array APA_1(2, 5, 5).

Tran Van Trung [40] gives a listing of APA_λ(t, k, v) for t ≥ 3. Similarly to Theorem 3.7, Teirlinck and Stinson in [38] give a necessary condition for the existence of certain APA_λ(t, k, v). We state Theorem 4.12 without proof.

Theorem 4.12 ([38], Theorem 2.3). Let 0 ≤ t' ≤ t − 1 and suppose


Figure 4.3: An authentication perpendicular array APA_1(2, 5, 5).

1 2 3 4 5
2 3 4 5 1
3 4 5 1 2
4 5 1 2 3
5 1 2 3 4
1 3 5 2 4
2 4 1 3 5
3 5 2 4 1
4 1 3 5 2
5 2 4 1 3

Then an APA_λ(t, k, v) is also an APA_{λ'}(t', k, v), where λ'

X(tf + 1) (3 ' O (mod (:,) )

The proofs of Theorems 4.13 and 4.14 will not be included; however, they can be found in [34].

Theorem 4.13. Suppose there exists an authentication perpendicular array APA_λ(t, k, v). Then there exists a (t, t − 1)-code with |S| = k, |M| = v and $|E| = \lambda \binom{v}{t}$. Moreover, the (t, t − 1)-code described by Theorem 4.13 is optimal if and only if λ = 1.

Theorem 4.14. Suppose there is an authentication code with secrecy that is an (L, L − 1)-code with |S| = k, |M| = v, $|E| = \binom{v}{L}$ and k ≥ 2L − 1. Then there exists an authentication perpendicular array APA_1(L, k, v).


In Theorems 4.13 and 4.14, we gave a connection between authentication perpendicular arrays and (L, L − 1)-codes. For results on the existence of authentication perpendicular arrays, the reader is referred to the surveys on orthogonal arrays in Chapter IV.30 of "The CRC Handbook of Combinatorial Designs" [13].

In a method similar to the proof of Theorem 4.10, we can show the following:

Theorem 4.15. Given an (L, L)-code, we have

$$|E| \geq \frac{\binom{|M|}{L}}{\binom{|S|}{L}} \cdot \frac{|M| - L}{|S| - L}.$$

An (L, L)-code is optimal if $|E| = \frac{\binom{|M|}{L}}{\binom{|S|}{L}} \cdot \frac{|M| - L}{|S| - L}$. We conclude this chapter by stating two theorems that describe a relation between Steiner systems and (L, L)-codes. The proofs of Theorems 4.16 and 4.18 can be found in [34].

Theorem 4.16. Suppose there exists a Steiner system ST(2, k, v). Then there exists a (1, 1)-code with |S| = k, |M| = v, |E| = v(v − 1)/(k(k − 1)), where any of the source states has an equal probability of selection and any of the encoding rules has an equal probability of selection.

Theorem 4.18 requires the generalized definition of a Steiner system ST_λ(t, k, v).

Definition 4.17. Given three integers t, k, v such that 2 ≤ t < k < v, a Steiner system ST_λ(t, k, v) is a collection of k-subsets, called blocks, of a v-set of points such that each t-subset lies in exactly λ of the blocks.

Theorem 4.18. Suppose there is an authentication code with secrecy that is an (L, L)-code with |S| = k, |M| = v, $|E| = \frac{\binom{v}{L}}{\binom{k}{L}} \cdot \frac{v - L}{k - L}$. Then there exists a Steiner system ST_λ(t + 1, k, v), where λ = (:).


Chapter 5

Secret Sharing Schemes: "I Have a Secret I Wish to Share," Says Alice.

In cryptography it is sometimes important to restrict the access to information, for example to the key, to a certain subgroup of participants in the protocol. A secret sharing scheme is a method of sharing a secret key K among a finite set P of participants so that each participant receives one share. The shares are sometimes called shadows. A secret sharing scheme has the property that only certain predetermined subsets of shares can be used to reconstruct the key. The list of subsets of participants whose shares are authorized to reconstruct the key is called an access structure and denoted Γ. A specific subset from Γ is called an authorized subset.

The general ideas and theorems presented in this chapter can be found in the articles [5], [9], [13], [Z], [27], [36], [37] and [39]. Some research has been done in


CHAPTER 5. SECRET SHARING SCHEMES 88

secret sharing schemes over infinite domains (see for example [7]). However, in this thesis, we will only consider secret sharing schemes on finite sets.

Definition 5.1. Let $\mathcal{K}$ be the key space and S be a finite set of shares. A secret sharing scheme with access structure Γ is a method of sharing a secret key K ∈ $\mathcal{K}$ among a finite set of participants P so that

1. any authorized subset of participants B ⊆ P can reconstruct the key K with their shares, and

2. any unauthorized subset B' ⊆ P can not reconstruct the key K.

Furthermore, a secret sharing scheme is said to be perfect if any unauthorized subset B' ⊆ P can not obtain any information on the key K when they pool their shares.

The security ε of a secret sharing scheme is the reciprocal of the maximum, taken over all subsets of P not in the access structure Γ, of the probability that an unauthorized set of participants can obtain the key K. That is

$$\varepsilon = \Big(\max_{B' \subseteq P,\ B' \notin \Gamma} \mathrm{Prob}(B' \text{ obtains } K)\Big)^{-1}.$$

A secret sharing scheme on P is determined by (Γ, ε), the access structure and its security. An access structure Γ is monotone if for B ∈ Γ and B ⊆ B' ⊆ P, we have B' ∈ Γ. In 1979, when secret sharing schemes were introduced, only monotone access structures were considered. It was not until 1987 that Ito, Saito and Nishizeki [14] introduced the idea of a general access structure. As an example of a general access structure we may think of a situation at the bank in which, in order to perform a particular transaction, we can only accept the signature of three senior tellers, or a


manager and two senior tellers, or two managers, or any of the vice-presidents, or ... well, you see the idea. In their article, Ito, Saito and Nishizeki gave a construction for a secret sharing scheme with a general access structure. Other constructions have also been discussed by Stinson in [39]. In this chapter, we will only consider secret sharing schemes with monotone access structures.

We are going to analyse access structures where the key is to be shared and can only be reconstructed by some given sets of participants. Models using finite geometries, coding theory, vector spaces, matroids, graph theory, block designs, finite geometries, polynomial interpolation, orthogonal arrays, latin squares, and many others have been used to represent secret sharing schemes. We are going to analyse models using the last five structures.

5.1 Key Splitting: "Let Us Split the Key," Says Alice.

Let us analyse the simplest case involving key splitting. Simply said, a key is split if it is divided up into pieces. Suppose Alice wants to share a secret key K with Bob so that if Oscar gets access to either of their parts of the key, he gains no information about K. At the same time, when Alice and Bob get together they want to be able to reconstruct K. In this situation, even if Alice and Bob completely trust one another, they need the help of a trusted third party in the person of Trent¹. In this chapter, we suppose that Trent's goal is to choose a key K, and to assign shares of

¹We already have been introduced to Trent in Section 2.2. If Alice and Bob did not require Trent's services, one of them would have to do the splitting and by the same token know the key. And so they would not be sharing it anymore!


K to each participant so that some predetermined subsets of participants will be able to reconstruct K. We assume that Trent will not receive a share of the key. Alice and Bob ask Trent to generate a key and to split it into two parts. Assuming K is expressed as a (0, 1)-vector, Trent then generates a random (0, 1)-vector R of the same length² as the key K. Trent adds R and K bitwise, modulo 2, to obtain S and distributes R and S to Alice and Bob, respectively. When Alice and Bob want to reconstruct their key, they get together and add R and S bitwise, modulo 2, to recover K. By themselves R and S provide no information about K to Oscar, or Alice, or Bob.

We can easily extend this model to include more participants. Suppose that Carol and Dave also each need a piece of the key and again each individual share must provide Oscar with no information should it come into his hands. They (Alice, Bob, Carol and Dave) go to Trent who generates three random vector values R_1, R_2 and R_3, each with the same length as the key they want to share. Trent then adds R_1, R_2, R_3 and K bitwise, modulo 2, to obtain S and distributes R_1, R_2, R_3 and S to Alice, Bob, Carol and Dave, respectively. We can easily see that Alice, Bob, Carol and Dave can work together to reconstruct the key K but that no information will be obtained if any subset of fewer than four of them tries to obtain the key.

²We saw in Chapter 1 and Section 2.3 that the length of a key K is defined to be the number of bits needed to represent K.


Let us now look at a generalized case of key splitting. Suppose that K ∈ Z_m and that we want to split the key among t participants. First, Trent will randomly choose t − 1 values R_1, R_2, ..., R_{t−1} with R_i ∈ Z_m for all 1 ≤ i ≤ t − 1. Then Trent computes

$$R_t \equiv K - \sum_{i=1}^{t-1} R_i \pmod{m}$$

and distributes the part R_i to participant P_i, 1 ≤ i ≤ t.

To reconstruct the key K, the t participants need to get together and compute

$$\sum_{i=1}^{t} R_i \equiv K \pmod{m}.$$

We should verify the security of such a system. Suppose t − 1 participants get together. Can they find the key? First consider the set of t − 1 participants P \ {P_t}. They know the random values R_1, R_2, ..., R_{t−1}, which provide no information on the key K. Now, consider the set of participants P \ {P_i}, 1 ≤ i ≤ t − 1. They know the values R_j for j ≠ i, 1 ≤ j ≤ t − 1, and R_t ≡ K − Σ_{j=1}^{t−1} R_j (mod m). If they add all their values together, they obtain K − R_i which, since R_i is random, does not give any information on the key K.
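The mod-m splitting just described, together with its security check for t − 1 colluding participants and the bitwise mod-2 variant from earlier in this section, as an added Python example (not from the thesis); the parameters m = 11, t = 3 and the key value are constructed for the demonstration.

```python
import secrets
from collections import Counter
from itertools import product

# Added example of the Section 5.1 scheme over Z_m (not the thesis's own code):
# Trent's splitting and the participants' reconstruction, plus a brute-force
# check of the security argument for t-1 colluding participants.


def split_key(key, t, m, rand=secrets.randbelow):
    """Trent picks R_1..R_{t-1} uniformly in Z_m, then R_t = K - sum(R_i) mod m."""
    if not 0 <= key < m:
        raise ValueError("key must lie in Z_m")
    if t < 2:
        raise ValueError("need at least two participants")
    shares = [rand(m) for _ in range(t - 1)]
    shares.append((key - sum(shares)) % m)
    return shares


def reconstruct_key(shares, m):
    """All t participants pool their parts: the sum of the R_i is K mod m."""
    return sum(shares) % m


def key_posterior(observed, t, m):
    """Distribution of K given the shares of t-1 participants.

    observed maps a 0-based participant index to its share; exactly one index
    is missing.  For each candidate K we enumerate every choice of Trent's
    random values and count how often the observed shares would arise.  With a
    uniform prior on K, equal counts mean the colluders learn nothing about K.
    """
    if len(observed) != t - 1:
        raise ValueError("expected the shares of exactly t-1 participants")
    counts = Counter()
    for key in range(m):
        for rand_vals in product(range(m), repeat=t - 1):
            shares = list(rand_vals) + [(key - sum(rand_vals)) % m]
            if all(shares[i] == val for i, val in observed.items()):
                counts[key] += 1
    return counts


def leaks_nothing(observed, t, m):
    """True when every key in Z_m is equally consistent with the observed shares."""
    counts = key_posterior(observed, t, m)
    return len(counts) == m and len(set(counts.values())) == 1


def split_key_bits(key_bits, t, rand=secrets.randbelow):
    """Bitwise mod-2 variant: each share is a (0,1)-vector and K is the XOR of all shares."""
    shares = [[rand(2) for _ in key_bits] for _ in range(t - 1)]
    last = list(key_bits)
    for share in shares:
        last = [a ^ b for a, b in zip(last, share)]
    return shares + [last]


def reconstruct_bits(shares):
    """XOR all (0,1)-vector shares together to recover the key bits."""
    result = [0] * len(shares[0])
    for share in shares:
        result = [a ^ b for a, b in zip(result, share)]
    return result


if __name__ == "__main__":
    m, t, key = 11, 3, 7                     # constructed parameters
    shares = split_key(key, t, m)
    print("shares:", shares, "-> reconstructed:", reconstruct_key(shares, m))
    # P \ {P_t} see R_1..R_{t-1}; P \ {P_i} see R_t, which depends on K.
    for missing in range(t):
        seen = {i: s for i, s in enumerate(shares) if i != missing}
        print("without P_%d, no information:" % (missing + 1), leaks_nothing(seen, t, m))
```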

However, a few problems occur with this protocol: what if something happens to one of the participants? What if one of the participants dies? What if Trent is not as trustworthy as he should be³ and cheats all of the participants? In his book, Schneier [27] describes secret sharing schemes with cheaters, secret sharing schemes without the participation of Trent, and other models of secret sharing schemes.

³Where is the world going if we can not trust the trusted third party? Well, as cryptographers, we have to think about those possibilities ...


5.2 Threshold Schemes Arising from Orthogonal Arrays

Suppose that Alice is the president of a very large and wealthy company that has four very competent vice-presidents. The main safe of the company has been designed so that any three of the five participants (Alice and her four vice-presidents) can put their keys together and open the safe, but no pair or individual can do so. To program the safe, Alice used a specific type of secret sharing scheme called a threshold scheme. Alice went to see Trent and asked him to design a model so that she and each vice-president would receive a share of the key. Trent picked the key and gave a share to each participant so that no participant knows any of the other shares. A subset $B$ of the participants can reconstruct the key $K$ if $|B| \ge 3$, but not if $|B| < 3$.

Definition 5.2. Let $t, w$ be two positive integers with $t \le w$. A $(t, w)$-threshold scheme is a method of sharing a secret key $K$ among the $w$ participants of $P$ so that any subset of $t$ participants can reconstruct the key $K$ but no subset of $t - 1$ (or fewer) participants can do so.

Moreover, a threshold scheme is said to be perfect if the shares of any subset of fewer than $t$ participants provide no information about the key $K$.

The models of key splitting presented in Section 5.1 are actually $(w, w)$-threshold schemes and the model used as an example at the beginning of this section is a $(3, 5)$-threshold scheme.

The idea of threshold schemes was independently presented in 1979 by Shamir [28] and Blakley[4] [5]. They were later extensively studied by Simmons [31]. Shamir's method uses polynomial interpolation over a finite field and Blakley's method uses points and hyperplanes of finite geometries. In this section, we are going to describe and analyse Shamir's method as it is one of the commonly used methods. At first sight it does not seem to involve combinatorics but the main idea lying underneath is similar to the use of orthogonal arrays. We will see how at the end of the section.

Let $(x_i, Y_i)$, $i = 1, 2, \ldots, t$, where all $x_i$ are distinct and non-zero, be $t$ points in the two-dimensional vector space over $GF(q)$. The unique polynomial
$$P_{t-1}(x) = a_0 + a_1 x + \cdots + a_{t-1} x^{t-1},$$
where $a_i \in GF(q)$, that passes through these $t$ points is called the interpolating polynomial. Figure 5.1 illustrates the basic idea of an interpolating polynomial. Given an interpolating polynomial $P_{t-1}(x) = a_0 + a_1 x + \cdots + a_{t-1} x^{t-1}$, the equations $P_{t-1}(x_i) = Y_i$ can be represented as a linear system involving a Vandermonde[5] matrix.

Before continuing further, let us have a quick look at Vandermonde matrices.

Definition 5.3. The $t \times t$ Vandermonde matrix is defined as:

[4] Generally, the parts of the key are called shares if derived from Shamir's work and are called shadows if derived from Blakley's work.

[5] Alexandre-Théophile Vandermonde (1735 - 1796) was a French mathematician. His work was related to the theory of equations and he studied determinants, although the determinant that was named after him by Lebesgue does not appear in his published work. He also worked on the knight's tour problem.


Figure 5.1: An interpolating polynomial.

We can show that the determinant of the Vandermonde matrix $V_t$ is
$$\det V_t = (x_{t-1} - x_t) \cdots (x_2 - x_t)(x_1 - x_t) \, \det V_{t-1}.$$
The idea behind the calculation of this determinant is to subtract the last row of the matrix from each of the preceding ones, expand about the first column, and then subtract from each column $x_t$ times the preceding column. When the values of $x_i$ are all distinct and non-zero elements of $GF(q)$, we have $\det V_t \neq 0$ and there exists a unique polynomial of degree at most $t - 1$ passing through the $t$ points $(x_i, Y_i)$, $1 \le i \le t$.

Let $P = \{P_i : 1 \le i \le w\}$ be the set of $w$ participants in our threshold scheme, $\mathcal{K}$ be a finite set of possible keys and $S$ be the finite set of shares. We will work over $GF(q)$, where $q \ge w + 1$ and $q$ is a prime power. In constructing a secret sharing scheme, Trent first chooses $w$ distinct non-zero elements of $GF(q)$, denoted by $x_i$, $1 \le i \le w$. For each participant $P_i$, $1 \le i \le w$, Trent assigns $x_i$ to $P_i$. The values of $x_i$ can be publicly known and are not necessarily kept secret. Trent then chooses a key $K$ and a polynomial
$$P_{t-1}(x) = K + a_1 x + \cdots + a_{t-1} x^{t-1},$$
where $a_i \in GF(q)$ are random values that are kept secret. Trent computes $Y_i = P_{t-1}(x_i)$; that is,
$$Y_i = K + a_1 x_i + \cdots + a_{t-1} x_i^{t-1}$$
over $GF(q)$. He secretly distributes $(x_i, Y_i)$ to participant $P_i$ and then safely discards[6] the interpolating polynomial $P_{t-1}(x)$.

Suppose $t$ participants $P_{i_1}, P_{i_2}, \ldots, P_{i_t}$ come together to determine the key. We obtain the system of equations:

Since we know the key $K$ is the constant in the polynomial, we can rewrite this system as $V_t a = y$ where $V_t$, $a$ and $y$ are given below:

[6] Trent has to safely discard $P_{t-1}(x)$. Neglecting to do so highly compromises the security of the key, since possessing $P_{t-1}(x)$ is the same as possessing the key.


Since $V_t$ is non-singular, this system can be solved and admits a unique solution.

If $t' \le t - 1$ participants get together and try to recover the key, will they gain any information? If we are given $t'$ points, the key could be any element of $GF(q)$ since for each $K \in GF(q)$ there is the same number of polynomials passing through these $t'$ points and the point $(0, K)$. The chance of correctly guessing $K$ when $t' = t - 1$ points of the interpolating polynomial are known is $1/q$ (in this case there is a unique polynomial through the $t - 1$ points and $(0, K)$), which represents no gain of information in comparison to guessing the key with no information to start with. This $(t, w)$-threshold scheme is perfect.

Note that there are many ways of solving such a system, some more efficient than others. However, the Vandermonde matrix is, by definition, a highly structured matrix, and it has been shown that it can be inverted in fewer than $O(t^3)$ operations. Golub and Van Loan [12] give two algorithms for solving Vandermonde systems in a very efficient way. These have been implemented in Maple and documented by Simoes [30].

Example: Suppose Alice wishes to have a $(3, 5)$-threshold scheme, where $S = \mathcal{K} = \mathbb{Z}_{17}$. Suppose that Trent randomly picks five distinct non-zero values in $\mathbb{Z}_{17}$: $x_1 = 2$, $x_2 = 4$, $x_3 = 9$, $x_4 = 15$, $x_5 = 16$ and assigns $x_i$ to $P_i$. Trent also randomly chooses
$$P_2(x) = 3 + 4x + 11x^2,$$
where in this case $K = 3$. Then Trent computes $Y_i = P_2(x_i)$ in $\mathbb{Z}_{17}$. Trent distributes $(2, 4)$ to $P_1$, $(4, 8)$ to $P_2$, $(9, 12)$ to $P_3$, $(15, 5)$ to $P_4$, $(16, 10)$ to $P_5$ and safely discards $P_2(x)$.

Given any subset of $t = 3$ participants, it is now easy to reconstruct the key $K$. It suffices to solve a particular system of three equations in three unknowns to rebuild $P_2(x)$ and obtain $K$. The coefficient matrix of the system representing this polynomial is the Vandermonde matrix $V_3$.

How does a subset $B \subseteq P$ of three participants recover the key? Suppose $B = \{P_1, P_2, P_4\}$. Those three participants will put their shares together and form the following system:
$$\begin{aligned} a_0 + 2a_1 + 4a_2 &\equiv 4 \\ a_0 + 4a_1 + 16a_2 &\equiv 8 \\ a_0 + 15a_1 + 4a_2 &\equiv 5 \end{aligned} \pmod{17}.$$
This system admits the unique solution $a_2 = 11$, $a_1 = 4$ and $a_0 = K = 3$, thereby recovering the key.
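The following Python code is an added example, not the thesis' own computation nor Simoes' Maple implementation: it reproduces Trent's five shares for the $(3, 5)$ scheme over $\mathbb{Z}_{17}$, recovers $P_2(x)$ from the shares of $P_1$, $P_2$ and $P_4$ by solving the Vandermonde system with plain Gauss-Jordan elimination modulo 17 (not the Golub-Van Loan algorithms), and counts, for two shares, how many polynomials with constant term $K$ pass through them for each $K$, which is the perfectness argument made concrete.

```python
import itertools


def poly_eval(coeffs, x, q):
    """Evaluate a_0 + a_1 x + ... + a_{t-1} x^{t-1} in Z_q by Horner's rule."""
    acc = 0
    for a in reversed(coeffs):
        acc = (acc * x + a) % q
    return acc


def make_shares(key, random_coeffs, xs, q):
    """Trent's side: P_{t-1}(x) = K + a_1 x + ... + a_{t-1} x^{t-1}; P_i receives (x_i, P(x_i))."""
    coeffs = [key] + list(random_coeffs)
    return [(x, poly_eval(coeffs, x, q)) for x in xs]


def solve_mod_prime(matrix, rhs, q):
    """Gauss-Jordan elimination over Z_q, q prime.  Returns the unique solution of
    a non-singular system (a StopIteration signals a singular one)."""
    n = len(rhs)
    aug = [[v % q for v in row] + [b % q] for row, b in zip(matrix, rhs)]
    for col in range(n):
        pivot = next(r for r in range(col, n) if aug[r][col])
        aug[col], aug[pivot] = aug[pivot], aug[col]
        inv = pow(aug[col][col], -1, q)                 # modular inverse of the pivot
        aug[col] = [(v * inv) % q for v in aug[col]]
        for r in range(n):
            if r != col and aug[r][col]:
                f = aug[r][col]
                aug[r] = [(a - f * b) % q for a, b in zip(aug[r], aug[col])]
    return [row[n] for row in aug]


def recover_polynomial(shares, q):
    """t shares (x_i, Y_i) -> [a_0, ..., a_{t-1}] by solving V_t a = y,
    where V_t is the Vandermonde matrix with rows (1, x_i, ..., x_i^{t-1})."""
    t = len(shares)
    vandermonde = [[pow(x, j, q) for j in range(t)] for x, _ in shares]
    return solve_mod_prime(vandermonde, [y for _, y in shares], q)


def recover_key(shares, q):
    """The key is the constant term a_0 of the interpolating polynomial."""
    return recover_polynomial(shares, q)[0]


def keys_consistent_with(shares, t, q):
    """For fewer than t shares: for each K in Z_q, the number of polynomials of degree < t
    with constant term K passing through the shares.  Equal counts for every K means the
    shares give no information about K."""
    counts = {k: 0 for k in range(q)}
    for coeffs in itertools.product(range(q), repeat=t):
        if all(poly_eval(coeffs, x, q) == y for x, y in shares):
            counts[coeffs[0]] += 1
    return counts


# The thesis' example: q = 17, t = 3, w = 5, K = 3, random a_1 = 4, a_2 = 11, public x_i.
Q, KEY, COEFFS, XS = 17, 3, [4, 11], [2, 4, 9, 15, 16]

if __name__ == "__main__":
    shares = make_shares(KEY, COEFFS, XS, Q)
    print("shares:", shares)
    print("P_1, P_2, P_4 recover:", recover_polynomial([shares[0], shares[1], shares[3]], Q))
    print("P_1, P_2 alone see, per key:", keys_consistent_with(shares[:2], 3, Q))
```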

We have just shown that Shamir's method for secret sharing is perfect since the coalition of any subset of fewer than $t$ participants provides no information on the key. However, this method is still not truly Perfect.[7] Although the shares of $t - 1$ participants of a $(t, w)$-threshold scheme provide no information on the key, if Oscar is a participant in the protocol and the last one to submit his share, then he is able to modify his share to obtain any key he desires. In Section 6.3, we provide a dramatic example of this situation in the case where the key is an image. A procedure that would prevent Oscar from cheating in this manner could be to include some authentication in the shares so that we could detect if a share had been modified.

We now define a measure of the information that a participant possesses in a secret sharing scheme.

Definition 5.4. In a perfect secret sharing scheme, the information rate $\rho_i$ obtained by a participant $P_i$ is

$S(P_i)$ is the set of all possible shares that $P_i$ might receive. The information rate of a secret sharing scheme is

We state Theorem 5.5 which gives an upper bound on the information rate for a perfect secret sharing scheme.

[7] As in Perfect with a cap ital P. It seems that Oscar can always find a method to use the information to his advantage.

Theorem 5.5. In any perfect secret sharing scheme, we have that the information rate $\rho \le 1$.

By Theorem 5.5, in any perfect threshold scheme, $|\mathcal{K}| \le |S|$. A threshold scheme for which $|\mathcal{K}| = |S|$ is said to be an ideal scheme. We find more details on information rate in "Applied Cryptography" by Schneier [27] and in "Cryptography: Theory and Practice" by Stinson [39].

In Section 2.4, we defined an orthogonal array of strength $t$, $OA_\lambda(t, k, v)$, to be an array of $\lambda v^t$ rows and $k$ columns with entries from a $v$-set so that for any $t$ columns each of the vectors of length $t$ with entries from the $v$-set occurs in exactly $\lambda$ rows. This definition will allow us to link threshold schemes with orthogonal arrays.

Theorem 5.6. An ideal $(t, w)$-threshold scheme with $|\mathcal{K}| = v$ is equivalent to an $OA_1(t, w + 1, v)$.

Proof. We will use the following correspondence to show how a $(t, w)$-threshold scheme can be constructed from an orthogonal array $OA_1(t, w + 1, v)$ and vice versa.

Let $A$ be an orthogonal array $OA_1(t, w + 1, v)$. First, we associate the first column of $A$ with the set of keys $\mathcal{K}$ and each of the $w$ participants in the protocol with one of the $w$ remaining columns of $A$. We let the $v$ elements of $A$ be the shares that we will distribute to each participant. Trent chooses $K$, one of the entries in the array, and selects one of the $v^{t-1}$ rows which has $K$ in the first column. Let this row be $r(K, j)$. Trent distributes the share in position $(r(K, j), i + 1)$ to participant $P_i$, where $i = 1, 2, \ldots, w$.

If we take any $t$-set of participants, by the definition of orthogonal arrays of strength $t$, the shares given to these $t$ participants uniquely determine a row in $A$ and hence uniquely determine the key $K$ that was selected by Trent. Note that when a subset of participants try to reconstruct the key, they have to identify which share they brought with them, since in the orthogonal array we consider the elements of the rows as vectors and not as sets.

If we take $t' < t$ participants and any key $K$, then there are $v^{t - t' - 1}$ rows that contain this ordered $(t' + 1)$-set and so every key is equally likely to have been chosen and so no information is gained.

The interpolating polynomial method proposed by Shamir for sharing a secret is a particular case of a model using orthogonal arrays. Suppose that $A$ is an orthogonal array $OA_1(t, w + 1, q)$. The rows of $A$ are indexed by the vectors of $GF(q)^t$, the first column of $A$ is indexed by $K$ and the other $w$ columns are indexed by the $w$ participants in the protocol. We define the element of $A$ at the intersection of row $(K, a_1, \ldots, a_{t-1})$ and column $i + 1$, $1 \le i \le w$, to be
$$A((K, a_1, \ldots, a_{t-1}), i + 1) = K + \sum_{j=1}^{t-1} a_j x_i^j \pmod q.$$

Let us now consider an example of an orthogonal array $OA_1(2, 4, 5)$ that models a $(2, 3)$-threshold scheme using Shamir's method.

Example: Suppose that Alice asks Trent to design an ideal $(2, 3)$-threshold scheme with $|\mathcal{K}| = 5$. Here, we have $t = 2$, $w = 3$ and $q = 5$. Trent assigns $x_i = i$ to participant $P_i$, $i = 1, 2, 3$ and uses the orthogonal array $OA_1(2, 4, 5)$ of Figure 5.2. Suppose Trent chooses the key $K = 2$. Trent also has to choose a row of the orthogonal array such that a "2" figures in the first column. Suppose Trent chooses the row $r(2, 3) = [\,2\ 0\ 3\ 1\,]$. He distributes $s_1 = (1, 0)$, $s_2 = (2, 3)$ and $s_3 = (3, 1)$ to $P_1$, $P_2$ and $P_3$, respectively. We can verify that if $P_1$, $P_2$ or $P_3$ alone try to reconstruct the key, their probability of doing so successfully is $1/5$. We can also verify that any pair of participants uniquely recover the key. This means that even if a single participant knows the information given by his share, he does not have any better chance of recovering the key $K$ than he would if he guessed. This model is perfect.

Figure 5.2: An $OA_1(2, 4, 5)$ used to model a $(2, 3)$-threshold scheme.
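An added Python example (not from the thesis) of the correspondence in Theorem 5.6: it builds the $OA_1(2, 4, 5)$ of the example from Shamir's formula with $x_i = i$, checks the orthogonal-array property directly from the definition of Section 2.4, and shows that the pair of shares $(2, 3)$ and $(3, 1)$ pins down the row $[\,2\ 0\ 3\ 1\,]$ while a single share leaves every key of $\mathbb{Z}_5$ equally likely. Row indices and participant numbers follow the text; the helper names are mine.

```python
import itertools
from collections import Counter


def shamir_orthogonal_array(t, w, q, xs):
    """The OA_1(t, w + 1, q) of Theorem 5.6 built from Shamir's rule: the row indexed by
    (K, a_1, ..., a_{t-1}) has K in column 1 and K + sum_j a_j x_i^j (mod q) in column i + 1.
    Requires q prime and the x_i distinct and non-zero (as in the thesis)."""
    assert len(xs) == w and len(set(xs)) == w and all(0 < x < q for x in xs)
    rows = {}
    for index in itertools.product(range(q), repeat=t):
        key, coeffs = index[0], index[1:]
        row = [key] + [(key + sum(a * pow(x, j + 1, q) for j, a in enumerate(coeffs))) % q
                       for x in xs]
        rows[index] = row
    return rows


def is_orthogonal_array(rows, t, v, lam=1):
    """Section 2.4: lam * v^t rows, and in any t columns every vector of length t over
    the v-set {0, ..., v-1} appears in exactly lam rows."""
    table = list(rows.values())
    if len(table) != lam * v ** t:
        return False
    k = len(table[0])
    for cols in itertools.combinations(range(k), t):
        seen = Counter(tuple(row[c] for c in cols) for row in table)
        if len(seen) != v ** t or any(count != lam for count in seen.values()):
            return False
    return True


def distribute(rows, index):
    """Trent picks the row r(K, ...) = rows[index] and hands column i + 1 to participant P_i."""
    row = rows[index]
    return {i: row[i] for i in range(1, len(row))}


def keys_consistent(rows, pooled):
    """What a coalition learns: pooled maps participant i -> share; count the first-column
    keys of all rows agreeing with those shares in those columns.  A single key with count 1
    means the coalition recovers K; equal counts for every key means it learns nothing."""
    return Counter(row[0] for row in rows.values()
                   if all(row[i] == s for i, s in pooled.items()))


if __name__ == "__main__":
    oa = shamir_orthogonal_array(2, 3, 5, [1, 2, 3])      # t = 2, w = 3, q = 5, x_i = i
    print("OA_1(2,4,5) check:", is_orthogonal_array(oa, 2, 5))
    shares = distribute(oa, (2, 3))                       # K = 2, row [2 0 3 1]
    print("shares:", shares)
    print("P_2 and P_3 together see keys:", keys_consistent(oa, {2: shares[2], 3: shares[3]}))
    print("P_1 alone sees keys:", keys_consistent(oa, {1: shares[1]}))
```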

In the last two models, we saw that the participants have to be associated with their shares. This means that when they pool their shares together, they have to identify who contributed which share. These models do not provide anonymity. We are going to remedy this situation in the next section.

5.3 Threshold Schemes Arising From Finite Geometries

As we mentioned in Section 5.2, Blakley's method of modeling a threshold scheme uses points and hyperplanes of finite geometries. In this section, we think of the participants in the secret sharing scheme as points and the access structure of the scheme as blocks of a design. We use those points and blocks to model a $(3, w)$-threshold scheme.

Definition 5.7. A projective plane is an incidence structure of points and lines such that

1. any two distinct points are incident with exactly one line,

2. any two distinct lines are incident with exactly one point, and

3. there exist four points no three collinear.

Definition 5.8. A projective space is a set of points and lines, where each line is a subset of the point set such that:

1. any two points lie on exactly one line,

2. any line has at least three points, and

3. if for the four distinct points $A$, $B$, $C$ and $D$, of which no three are collinear, the lines $AB$ and $CD$ intersect in a point, then the lines $AD$ and $BC$ also intersect in a point.

For the construction that we present in this section, we need to construct the projective space $PG(3, q)$ and list some of its properties.

Proposition 5.9. In the finite projective space $PG(3, q)$ there are

3. $q^2 + q + 1$ lines through a point,

5. $q + 1$ points on each line, and

6. $q + 1$ planes through each line.

Finally, we define an arc on a projective plane and state a theorem that we need for our construction.


Definition 5.10. A $k$-arc in a projective plane is a set of $k$ points no three of which are collinear.

If we can choose $q$ sufficiently large in $PG(2, q)$ so that every point lies on a $(w + 1)$-arc, then we can construct a $(3, w)$-threshold scheme, where we suppose $|P| = w \ge 3$. Let us choose a line $l$ in the projective space $PG(3, q)$ and let us suppose that the finite set of keys is the set of points on $l$; that is, $\mathcal{K} = l$. We choose the key $K$ to be a point on $l$. We suppose that the probability of choosing the point $K$ on the line $l$ is the same for any point on $l$; that is, $\mathrm{Prob}_{\mathcal{K}}(K) = 1/|\mathcal{K}| = 1/(q + 1)$. Let $\pi$ be a plane that intersects $l$ in $K$ only. By our assumption, we can choose a set $S$ of $w$ points in $\pi$ such that $S \cup \{K\}$ forms a $(w + 1)$-arc in $\pi$. We distribute a distinct share $s \in S$ to each participant.

Suppose three participants get together and try to reconstruct the key. Since their shares are in $S$, and are not collinear, their shares will span the plane $\pi$. Knowing $\pi$, they will be able to determine the key, since $K$ is the point of intersection of $\pi$ and the line $l$ and the projective space is public knowledge.

Now suppose that one or two participants try to reconstruct the key. What kind of information can they obtain? With the information they have, they need to determine $\pi$. If a single participant tries to reconstruct the key, he will find there are $q(q + 1)$ planes containing that point and a point $K$ of $l$. So he might as well guess $K$. If two participants try to reconstruct the key, for any $K \in l$, since $K$ and these two points lie on an arc, there is a unique plane containing them. Since there are $q + 1$ points on $l$, a subset $B$ of two unauthorized participants has a probability $1/(q + 1)$ of successfully recovering the key $K$; again, they gain no information. This scheme is perfect and, contrary to the last example in Section 5.2, provides anonymity to the participants.

In Section 5.2, we gave an example of a threshold scheme which did not provide anonymity. We also mentioned that a threshold scheme constructed from $PG(3, q)$ will preserve anonymity. However, we had not rigorously defined what anonymity meant in a threshold scheme. Let us not wait any longer.

Definition 5.11. A perfect $(t, w)$-threshold scheme is anonymous if it satisfies:

1. each of the $w$ participants receives a distinct share, and

2. the key can be recovered by knowing $t$ shares; it is not necessary to know which participant brought which share.

To conclude this section, we are going to present a theorem (without proving it) that sets a bound on the number of keys in a perfect $(t, w)$-threshold scheme as a function of $t$, $w$ and $v$, where $v = |S|$. However, before we do so, we need to introduce Steiner systems, $ST(t, k, v)$.[8]

Definition 5.12. Given three integers $t, k, v$ such that $2 \le t < k < v$, a Steiner system $ST(t, k, v)$ is a collection of $k$-subsets, called blocks, of a $v$-set of points such that each $t$-subset lies in exactly one of the blocks.

The well-known Fano plane presented in Figure 5.3 is an example of a Steiner system $ST(2, 3, 7)$. The set of points is $X = \{0, 1, \ldots, 6\}$ and the set of blocks is $B = \{013, 045, 026, 124, 156, 235, 346\}$. In Figure 5.3, the blocks are represented by six lines and one circle.

[8] In Chapter 4, we saw the definition of Steiner 2-systems, $ST(2, k, v)$.


Figure 5.3: A Steiner system $ST(2, 3, 7)$: the Fano plane.


Theorem 5.13. Given an anonymous $(t, w)$-threshold scheme, we have $|S| \ge |\mathcal{K}|(w - t + 1) + t - 1$. Moreover, $|S| = |\mathcal{K}|(w - t + 1) + t - 1$ if and only if there exists a Steiner system $ST(t, w, v)$ that can be partitioned into copies of a Steiner system $ST(t - 1, w, v)$.

5.4 Secret Sharing Schemes Arising From Latin Squares: "Un Secret de Polichinelle"

In this section we analyse a construction for secret sharing schemes proposed by Cooper, Donovan and Seberry [9] based on critical sets of latin squares. At first glance, a protocol that uses latin squares for a secret sharing scheme should be a great idea. However, we will see that this model is definitely not as strong as the others studied in this thesis. This is one of the reasons this section is entitled Un Secret de Polichinelle. This French expression translates to "a secret known to all the world", which should emphasize the lack of security underlying this particular model.

In Chapter 3 we used latin squares as a model for building a secrecy code with perfect 1-fold secrecy. We defined a latin square of order $n$, $LS(n)$, to be an $n \times n$ matrix with $n$ different symbols such that every row and every column contains every symbol exactly once. Sometimes a latin square of order $n$ is denoted by the set of triples $\{(i, j; k) : (i, j) \text{ is a cell of the square and } k \text{ is the element in position } (i, j) \text{ of the latin square}\}$. A partial latin square is a latin square except that empty cells are allowed. Suppose that the rows and columns of the latin square are indexed by the elements of $\{0, 1, \ldots, n - 1\}$. Then the latin square represented by $\{(i, j; i + j \bmod n) : i, j \in \{0, 1, \ldots, n - 1\}\}$ is said to be a back circulant latin square. In Figure 5.4, we present a back circulant latin square of order 5.

Definition 5.14. A critical set $A$ in a latin square of order $n$, $L \in LS(n)$, is a set such that:

1. $L$ is the only latin square of order $n$ which has element $k$ in position $(i, j)$ for each $(i, j; k) \in A$, and

2. no proper subset of $A$ satisfies (1).

We call $L$ the completion of $A$.

Figure 5.4: A back circulant latin square of order 5.

Example: We can verify that the set

shown in Figure 5.5 is a critical set of the back circulant latin square of order 5.

At this time, very little is known about critical sets in latin squares. However, for certain categories of latin squares, some properties of critical sets have been demonstrated, in particular for the back circulant latin square. It has been shown by Curran and van Rees in [10] that for $n$ even, the set
$$C_{n,\mathrm{even}} = \{(i, j; i + j) : i = 0, \ldots, \tfrac{n}{2} - 1 \text{ and } j = 0, \ldots, \tfrac{n}{2} - 1 - i\} \cup \{(i, j; i + j) : i = \tfrac{n}{2} + 1, \ldots, n - 1 \text{ and } j = \tfrac{3n}{2} - i, \ldots, n - 1\}$$
is a critical set with the minimum number of elements (a minimal critical set) for the back circulant latin square of order $n$.

Figure 5.5: A critical set for a back circulant latin square of order 5.

The idea behind the completion of $C_{n,\mathrm{even}}$ is to fill the latin square from two opposite corners in such a way as to force (or trap) a unique solution. Figure 5.6 gives the idea of the completion of a back circulant latin square of order 6 with $C_{n,\mathrm{even}}$ as a critical set. We note that Steps 2 and 3 are interchangeable, as are Steps 4 and 5. The number of elements in $C_{n,\mathrm{even}}$, where $n = 2m$, is

Figure 5.6: Completion of the back circulant latin square of order 6 with $C_{n,\mathrm{even}}$ as critical set. (Step 1: given $C_{n,\mathrm{even}}$, we are forced to place the 2's; Step 2: we are forced to place the 3's; Step 3: the 1's; Step 4: the 4's; Step 5: the 0's; Step 6: the 5's.)

Based on remarks made in [10], Cooper, Donovan and Seberry [8] showed that for $n$ odd,
$$C_{n,\mathrm{odd}} = \{(i, j; i + j) : i = 0, \ldots, \tfrac{n - 3}{2} \text{ and } j = 0, \ldots, \tfrac{n - 3}{2} - i\} \cup \{(i, j; i + j) : i = \tfrac{n + 1}{2}, \ldots, n - 1 \text{ and } j = \tfrac{3n - 1}{2} - i, \ldots, n - 1\}$$
is a critical set for the back circulant latin square of order $n$, $n = 2m + 1$. The idea behind the completion of $C_{n,\mathrm{odd}}$ is the same as for $C_{n,\mathrm{even}}$, the only difference being that we need less information in this case. Figure 5.7 gives an idea of the completion of a back circulant latin square of order 7 with $C_{n,\mathrm{odd}}$ as the critical set. The number of elements in $C_{n,\mathrm{odd}}$, $n = 2m + 1$, is

The idea for threshold schemes proposed in [9] is to use a latin square of order $n$, $L \in LS(n)$, as the key $K$ and the cells in the union of critical sets in $L$ as the shares $S$. In this case $n$ is public knowledge. The access structure for this scheme is the set
$$\Gamma = \{B : A \subseteq B \subseteq S,\ A \text{ is a critical set}\}.$$
Knowing the order of $L$, once a subset of participants has a critical set for that particular latin square, they can uniquely reconstruct $L$ (that is, the key $K$). In this case $\Gamma$ is monotone. In the following example, we describe a $(2, 3)$-threshold scheme constructed from a latin square.

Example: Let $K$ be the back circulant $LS(3)$,
$$K = \begin{pmatrix} 0 & 1 & 2 \\ 1 & 2 & 0 \\ 2 & 0 & 1 \end{pmatrix}.$$

Figure 5.7: Completion of the back circulant latin square of order 7 with $C_{n,\mathrm{odd}}$ as a critical set. (Given $C_{n,\mathrm{odd}}$, Step 1: place the 2's; Step 2: place the 3's; Step 3: place the 1's; Step 4: place the 4's; Step 5: place the 0's; Step 6: place the 5's; Step 7: place the 6's.)

Choose $S = \{(0, 2; 2), (1, 0; 1), (2, 1; 0)\}$ and give an element of $S$ to each of the three participants. We can verify that this models a $(2, 3)$-threshold scheme. From any of the following three partial latin squares we can reconstruct $K$ uniquely:

Note that in any latin square of order 3, any two distinct entries from different rows and columns determine the square. Any two participants can reconstruct $K$, but no participant alone can. However, if one participant wants to reconstruct the key, he has some valuable information in his hands and will not have to choose among all twelve possibilities for a latin square of order 3 but only among the four possibilities determined by his share. This information is gold to Oscar, who could have eavesdropped while Trent was distributing the shares and might now possess one of them.

As we can see from this last example, the protocol is far from being perfect. Let us look at another example which shows how a key can easily be reconstructed if an authorized subset of participants puts their shares together. We will again see how Oscar's life is made easier. However, for this example, we will choose a latin square which is not back circulant, as we want to consider general latin squares as well, even though very little is known about critical sets in general.

Example: Let the key $K$ be the latin square $L$ representing the Abelian 2-group,

where the rows and columns of $K$ are respectively indexed by the elements of $\{1, 2, 3, 4\}$. Let the set of shares $S$ be

$S$ can be represented by the following partial latin square:

Suppose that there are ten participants in this protocol and that a single share from the set $S$ is given to each of the participants. Clearly,

where each of the partial latin squares $A_i$, $i \in \{1, 2, \ldots, 8\}$, is a critical set for $L$ and so can be used to uniquely recover the key $K$. We have:

Suppose that the five participants of the authorized subset $A_7$ get together to reconstruct $K$. The subscripts below give the order in which $K$ is reconstructed, noting that this order is not necessarily unique. The elements in bold represent the ones fixed by $A_7$.

$K =$

Suppose now that any four participants of $A_7$ try to reconstruct the key. The information they have is so valuable that in some cases, for example if the subset of participants is $A_7 \setminus \{(1, 4; 4)\}$, they can reconstruct $K$ with probability $1/2$, which is much better than "guessing" $K$. This means that the protocol is insecure.

Actually, any five of the participants have a very good chance of recovering the key even if as a set they are not in the access structure. Suppose that by putting their five shares together they obtain the following partial latin square:

There are two ways to complete this to a latin square and so we have an unauthorized subset of participants having a probability of $1/2$ of recovering the key $K$; again much better than guessing.

The protocol suggested in [9] is to choose the key $K$ to be equivalent to a latin square of order $n$, $L \in LS(n)$, and to define the set of shares, $S$, to be the cells of critical sets in $L$. We have security concerns regarding this protocol. Moreover, if we think about this protocol for a minute, we will soon realize that there is a major problem if Oscar knows that the key is back circulant!

In [9] the authors made the three following remarks.

Remark 5.15. Since the authorized subgroups are based on critical sets in latin squares, the absence of one share implies that the secret cannot be recovered uniquely.


Remark 5.16. The scheme is obviously not perfect, as an outsider must guess from the set of all possible latin squares of order $n$, whereas an unauthorized group of participants knows the latin square must contain the partial latin square defined by their shares.

Remark 5.17. The security of the scheme is based on the number of possible latin squares containing the partial latin square defined by an unauthorized set of participants. Remy¹ has estimated this for a number of back circulant latin squares of small order. He took the critical set

$$C_{n,\mathrm{odd}} = \{(i, j; i + j) : i = 0, \ldots, \tfrac{n-3}{2} \text{ and } j = 0, \ldots, \tfrac{n-3}{2} - i\} \cup \{(i, j; i + j) : i = \tfrac{n+1}{2}, \ldots, n - 1 \text{ and } j = \tfrac{3n-1}{2} - i, \ldots, n - 1\},$$

and for $n = 3, 5, 7$ and $11$ systematically removed an element $(i, j; k)$ from $C$ and used a computer to obtain the number of latin squares which contain $C \setminus \{(i, j; k)\}$.

Remy's results are summarized in Figure 5.8.

    n | Number of latin squares containing the set C_{n,odd} \ {(i, j; k)}
    3 | 4

Figure 5.8: Number of latin squares containing the set $C_{n,\mathrm{odd}} \setminus \{(i, j; k)\}$.

From Remarks 5.15 and 5.16, an unauthorized subset of participants may not be able to determine $K$ uniquely, but they gain enough information that the security of the key is jeopardized so much that this protocol is not recommended.

¹ In a private communication to Seberry.

In Remark 5.17, the authors seem to suggest that a set of $k - 1$ participants of an authorized subset would still have good security, since the number of latin squares containing the set $C \setminus \{(i, j; k)\}$ seems to grow quite fast with $n$. Although it is not clearly stated in [9], we assume that the numbers in Figure 5.8 are the minimum number of possible completions over all choices of $(i, j; k)$. However, from the point of view of Oscar this is actually a great improvement compared with the number of latin squares of order $n$. In Figure 5.9, we present the numbers found by Remy compared with the number of distinct latin squares.

    n | No. of LS(n) containing the set C \ {(i, j; k)} | No. of distinct LS(n)
    3 | 4                                              | 12

Figure 5.9: Number of latin squares.

What is important here is not how large the entries in the first column of Figure 5.9 are, but how small they are when compared to the second. This is the type of situation Oscar will be looking for in order to prepare an attack: with $C \setminus \{(i, j; k)\}$ in hand, he only has to choose among the completions counted in the first column, not among all of $LS(n)$.

Contrary to the position taken by Cooper, Donovan and Seberry, we do not think that this is such a viable secret sharing scheme. Moreover, our main concern should not only be the lack of knowledge about critical sets but also the quantity of information gained by Oscar in knowing partial information about the key. Even though latin squares are very structured objects, we do not suggest they be used in this way to derive a secret sharing scheme. Latin squares are, however, completely secure if used as in Chapter 3 for perfect 1-fold secrecy codes.

The idea of critical sets of latin squares for modeling a secret sharing scheme is very interesting; however, there is still much to be studied before we have any conclusive results.
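The counting argument of Remark 5.17 and Figures 5.8 and 5.9 can be reproduced directly. The following Python is an added example, not code from the thesis or from Remy's computation: it builds the back circulant square $B_n$ and the critical set $C_{n,\mathrm{odd}}$ of Remark 5.17, counts by backtracking the latin squares of order $n$ that contain a given partial latin square, and reports the weakest single-cell removal. An unauthorized set holding those cells recovers the key with probability one over that count, which is the quantity compared with $|LS(n)|$ in Figure 5.9. The function names are this example's own.

```python
"""Added example, not the thesis's code: counting the latin squares of order n
that contain a given partial latin square (the quantity of Remark 5.17), for the
back circulant square B_n and the critical set C_{n,odd}."""


def back_circulant(n):
    """B_n(i, j) = i + j (mod n)."""
    return [[(i + j) % n for j in range(n)] for i in range(n)]


def critical_set_odd(n):
    """C_{n,odd} of Remark 5.17 for odd n: the top-left and bottom-right
    triangles of B_n, (n^2 - 1)/4 cells, returned as {(i, j): symbol}."""
    assert n % 2 == 1
    cells = {}
    for i in range((n - 3) // 2 + 1):
        for j in range((n - 3) // 2 - i + 1):
            cells[(i, j)] = (i + j) % n
    for i in range((n + 1) // 2, n):
        for j in range((3 * n - 1) // 2 - i, n):
            cells[(i, j)] = (i + j) % n
    return cells


def count_completions(n, cells, limit=None):
    """Number of latin squares of order n containing the partial square `cells`,
    by backtracking over the empty cells in row-major order.  With `limit` set,
    the search stops as soon as that many completions have been found."""
    grid = [[None] * n for _ in range(n)]
    for (i, j), k in cells.items():
        grid[i][j] = k
    row_used = [set(x for x in row if x is not None) for row in grid]
    col_used = [set(grid[i][j] for i in range(n) if grid[i][j] is not None)
                for j in range(n)]
    # An inconsistent partial square (a repeated symbol in a line) has no completion.
    for used, line in zip(row_used + col_used, grid + [list(c) for c in zip(*grid)]):
        if len(used) != sum(x is not None for x in line):
            return 0
    count = 0

    def fill(pos):
        nonlocal count
        if limit is not None and count >= limit:
            return
        if pos == n * n:
            count += 1
            return
        i, j = divmod(pos, n)
        if grid[i][j] is not None:
            fill(pos + 1)
            return
        for k in range(n):
            if k not in row_used[i] and k not in col_used[j]:
                grid[i][j] = k
                row_used[i].add(k)
                col_used[j].add(k)
                fill(pos + 1)
                grid[i][j] = None
                row_used[i].discard(k)
                col_used[j].discard(k)

    fill(0)
    return count


def without(cells, drop):
    return {c: k for c, k in cells.items() if c != drop}


def is_critical_set(n, cells):
    """Critical set: exactly one completion, and more than one once any cell is removed."""
    return (count_completions(n, cells, limit=2) == 1 and
            all(count_completions(n, without(cells, c), limit=2) >= 2 for c in cells))


def weakest_removal(n, cells):
    """Remy's computation: the smallest number of latin squares containing
    C \\ {(i, j; k)} over all cells (i, j; k) of C.  An unauthorized group holding
    those cells guesses the key with probability 1 / that number."""
    return min(count_completions(n, without(cells, c)) for c in cells)


if __name__ == "__main__":
    C3 = critical_set_odd(3)
    print("n = 3:", is_critical_set(3, C3), weakest_removal(3, C3),
          "completions after one removal, out of", count_completions(3, {}), "latin squares")
    C5 = critical_set_odd(5)
    print("n = 5:", is_critical_set(5, C5), weakest_removal(5, C5),
          "completions after the weakest removal")
```

For $n = 3$ this gives 4 completions against 12 latin squares in all, the row of Figure 5.9; for $n = 5$ the six cells of $C_{5,\mathrm{odd}}$ complete uniquely while dropping the cell $(4, 4; 3)$ leaves more than one completion. The counter enumerates every completion, so it is only practical for small $n$; the `limit` argument stops early when only uniqueness matters.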

Page 130: WHEN COMBINATORICS MEETS CRYPTOGRAPHY (A Tale About Alice …collectionscanada.gc.ca/obj/s4/f2/dsk2/ftp01/MQ37631.pdf · When Alice and Bob are two computers, they will not communicate

Chapter 6

Visual Cryptography: "Take a Look at This!" Says Alice.

This chapter will approach visual cryptography in a very light way. We may consider this chapter as the "dessert" of the thesis. We are going to give a basic idea of visual cryptography and an overview of some of its applications. Visual cryptography is fun, visually appealing and very interesting to study. However, we should be aware of its limits. Most of the research in this area is done for pure pleasure or for teaching purposes.

The general ideas and theorems presented in this chapter can be found in [1], [%], [21], [41] and notes from a talk presented by Stinson at Simon Fraser University in August 1997.

Until now, we have always assumed that the key in our cryptosystem takes on a numerical value. However, this is not necessary and, in particular, it may be an


image. In this chapter, we will be interested in sharing a secret image $I$. A visual-threshold scheme is very similar to a traditional threshold scheme in the sense that we will talk about sharing a key and making shares available to the participants of an access structure. One of the main differences between a visual-threshold scheme and a traditional one is how the key is reconstructed.

As we saw in Chapter 5, recovering a key with the traditional threshold scheme involves operations over a finite field. If we use a visual-threshold scheme, it also requires the human eye. The key is not only a mathematical object anymore, it is a "physical" image. Visual cryptography can be used to convince someone who has a phobia of mathematics and does not trust what goes on in a computer.

We will concentrate on the analysis of visual-threshold schemes, and particularly on visual-threshold schemes for black and white images. We have to keep in mind that the basic ideas presented in this chapter can be extended in different ways: the image can be in colour; we may wish to have a different access structure; we may wish that an unauthorized subset of participants who try to reconstruct the key obtain a different but recognizable image; etc.

The secret image $I$ is a string of binary digits used to represent each pixel. A white pixel is represented by a zero, and a black pixel by a one.

Naor and Shamir [20] were the first to observe that it is possible for a visual key $I$ to be shared like an ordinary key; that is, following the model of a $(t, w)$-threshold scheme. They suggested that for a $(t, w)$-visual-threshold scheme ($(t, w)$-VTS), each of the shares be printed on a transparency and given to one of the $w$ participants, $P_1, P_2, \ldots, P_w$. To recover the key, it suffices for $t$ of the participants to superimpose their shares. As in Chapter 5, a subset of $t'$ participants, $t' \le t - 1$, should not be able to obtain any information on the image $I$. (To be more precise we should talk about "transparent" pixels instead of "white" ones, but it is more convenient to refer to them as white pixels.)

6.1 Construction of a (2,2)-VTS

Let us analyse the simplest case involving a visual-threshold scheme. Suppose we try to mimic the hypotheses of Section 5.1 and suppose that Alice wants to share a secret image $I$ with Bob so that if Oscar gets access to either of their shares of the image, he gains no information about $I$. At the same time, when Alice and Bob get together they want to be able to reconstruct $I$. As in Section 5.1, even if Alice and Bob completely trust one another, they need the help of Trent to share their secret image. In this chapter, we suppose that Trent's goal is to assign shares of an image $I$ to each participant so that some predetermined subsets of participants will be able to reconstruct $I$. We assume that Trent will not receive a share of the image. Alice and Bob ask Trent to generate an image $I$ and to split it into two shares. Assuming $I$ is expressed as a series of pixels, Trent generates two shares with the same number of pixels as the original image. We want to present a model of a visual-threshold scheme so that when Alice and Bob superimpose their shares, they reconstruct $I$. By themselves, the shares of Alice and Bob ($s_1$ and $s_2$) should provide no information about the image to Oscar, or Alice, or Bob.

Our first suggestion is to try extending what we did in Section 5.1 for a $(2, 2)$-threshold scheme. Since we can imagine a black and white image as a string of bits (for each pixel of the image, we assign either a zero or a one, depending on whether the pixel is white or black, respectively), we should be able to do the same operations on an image as we did over $(\mathbb{F}_2)^n$, addition modulo 2 on bits being the same as the XOR operation. If we try to define an XOR operation on the pixels of an image, we realise that this does not work, because superimposing a black pixel on a black pixel does not give a white pixel. In fact, superimposing two pixels is like doing the logical OR operation. In Figure 6.1, we illustrate the difference between these operations on the pixels of the image $I$ and on the bits of a key $K$. Note that OR means "superimposed on".

    XOR on bits of K     | OR on pixels of I
    0 ⊕ 1 = 1            | white OR black = black
    1 ⊕ 0 = 1            | black OR white = black
    1 ⊕ 1 = 0            | black OR black = black

Figure 6.1: OR operation on bits and on pixels.

We see from Figure 6.1 that we have to think of a way to treat pixels that is different from the plain OR operation. Otherwise, in building our image, we see that to get a white pixel we would have to give each participant a white share. So if Oscar sees that a participant has a black share, he will know the colour of the pixel. Hence Oscar has information on the secret image $I$. To prevent this, we may agree to lose some precision of white by redefining what a "white" would be in the reconstructed image. Let us agree to find a method in which we want to see a difference between a black and a white pixel. This means that, even if a reconstructed white pixel does not necessarily look as "white" as in the original image, or if a reconstructed black pixel does not necessarily look as "black" as in the original image, we mostly care about recognising¹ the reconstructed image, even if some contrast is lost.

Let us analyse the following construction. For each pixel in the image $I$, $P_1$ and $P_2$ are each given a share by Trent. First, we analyse how to construct a single pixel. We will need to repeat this pattern for as many pixels as there are in the secret image $I$. Each pixel $P$ is split into two sub-pixels in each of the shares.

Figure 6.2: Construction of a white pixel.

If the pixel is white, then Trent gives either a black-white pixel (a $(1, 0)$-pixel) to both $P_1$ and $P_2$, or a white-black pixel (a $(0, 1)$-pixel) to both $P_1$ and $P_2$, each with probability $1/2$. That is, Trent chooses one of the two "rows" of Figure 6.2 with equal probability. When superimposing their shares, $P_1$ and $P_2$ obtain either a $(1, 0)$-pixel or a $(0, 1)$-pixel. We have thus defined a white pixel (a $(0, 0)$-pixel) in the original image to now be either a $(1, 0)$-pixel or a $(0, 1)$-pixel.

If the pixel is black, then Trent gives either a $(1, 0)$-pixel to $P_1$ and a $(0, 1)$-pixel to $P_2$, or a $(0, 1)$-pixel to $P_1$ and a $(1, 0)$-pixel to $P_2$, each with probability $1/2$. That is, Trent chooses one of the two "rows" of Figure 6.3 with equal probability. In both cases, when superimposing their shares, $P_1$ and $P_2$ obtain a black pixel (a $(1, 1)$-pixel).

¹ Let us not be too picky.

Figure 6.3: Construction of a black pixel.

Let us consider the security of this model for a $(2, 2)$-VTS. The participant $P_1$ receives either a $(1, 0)$-pixel or a $(0, 1)$-pixel, each with probability $1/2$, whatever the colour of $P$. Similarly for $P_2$. Suppose that Oscar intercepts $s_1$. He does not gain any information about $I$, since given $s_1$ the pixel $P$ still has probability $1/2$ of being either white or black. The same happens if Oscar intercepts $s_2$. Taken individually, the shares give no information about any of the pixels of the image $I$.

As a result of our choice of construction, we see that a reconstructed "white" pixel is not really white anymore but something of a "half-white" and, as a consequence, in reconstructing the key we lose the intensity of the white. Once all the pixels have been added together, the key $I$ looks more like a black and grey image than a black and white image².

² Would that be a proof that in life nothing is truly black or white?
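The construction of Figures 6.2 and 6.3 and the security argument above, as an added Python example (not the thesis's code, nor Frédéric Tessier's program mentioned below): Trent's rule for one pixel, share generation for a small constructed bitmap, reconstruction by OR, and an exhaustive check that the sub-pixel pair seen by a single participant has the same distribution whether the pixel is white or black. The bitmap and the function names are this example's own.

```python
"""Added example, not the thesis's code: the (2,2)-VTS of Section 6.1.
A pixel is 0 (white) or 1 (black).  Each share carries one pair of sub-pixels
per pixel, (1,0) or (0,1); stacking two transparencies is a sub-pixel-wise OR."""
import random

SUBPIXELS = ((1, 0), (0, 1))


def split_pixel(pixel, coin):
    """Trent's rule for one pixel; `coin` is the fair bit that picks the row of
    Figure 6.2 (white) or 6.3 (black).  White: P1 and P2 get the same pair.
    Black: they get complementary pairs.  Returns (P1's pair, P2's pair)."""
    s1 = SUBPIXELS[coin]
    s2 = s1 if pixel == 0 else SUBPIXELS[1 - coin]
    return s1, s2


def make_shares(image, rng=random):
    """Split a bitmap (list of rows of 0/1) into the two shares s1 and s2."""
    share1, share2 = [], []
    for row in image:
        r1, r2 = [], []
        for pixel in row:
            s1, s2 = split_pixel(pixel, rng.randrange(2))
            r1.append(s1)
            r2.append(s2)
        share1.append(r1)
        share2.append(r2)
    return share1, share2


def superimpose(share_a, share_b):
    """Stack two shares: OR of corresponding sub-pixels."""
    return [[tuple(a | b for a, b in zip(pa, pb)) for pa, pb in zip(ra, rb)]
            for ra, rb in zip(share_a, share_b)]


def read_back(stacked):
    """What the eye decides: (1,1) is black, a half-black pair is the scheme's 'white'."""
    return [[1 if pair == (1, 1) else 0 for pair in row] for row in stacked]


def stacked_weight(pixel, coin):
    """Black sub-pixels in the reconstructed pixel: 1 for white, 2 for black,
    whichever row Trent picked (this difference is the contrast of the scheme)."""
    s1, s2 = split_pixel(pixel, coin)
    return sum(a | b for a, b in zip(s1, s2))


def share_distribution(pixel):
    """Security check for one pixel: over both coin flips, how often P1 and P2
    receive each pair.  The two histograms must not depend on `pixel`."""
    counts1 = {s: 0 for s in SUBPIXELS}
    counts2 = {s: 0 for s in SUBPIXELS}
    for coin in (0, 1):
        s1, s2 = split_pixel(pixel, coin)
        counts1[s1] += 1
        counts2[s2] += 1
    return counts1, counts2


IMAGE = [  # constructed 5x5 bitmap of the letter A (1 = black)
    [0, 1, 1, 1, 0],
    [1, 0, 0, 0, 1],
    [1, 1, 1, 1, 1],
    [1, 0, 0, 0, 1],
    [1, 0, 0, 0, 1],
]

if __name__ == "__main__":
    s1, s2 = make_shares(IMAGE, random.Random(7))
    print("reconstruction exact:", read_back(superimpose(s1, s2)) == IMAGE)
    print("P1's pairs for a white pixel:", share_distribution(0)[0])
    print("P1's pairs for a black pixel:", share_distribution(1)[0])
```

The two histograms printed at the end are identical, which is the whole security claim: a single transparency is a uniformly random pattern of $(1, 0)$ and $(0, 1)$ pairs whatever the image. Note that the coin must be fresh and fair for every pixel; reusing it across pixels would correlate the pairs and leak the image.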

In Figure 6.4, we have an image (Alice's picture) that we want to share among two participants $P_1$ and $P_2$, using the previous $(2, 2)$-VTS model. (We thank Frédéric Tessier for programming this model of a $(2, 2)$-VTS, so we could construct the images of Alice, Bob and Oscar in this chapter.) In Figures 6.5 and 6.6, we have the shares that Trent generated and distributed to $P_1$ and $P_2$. As we notice, by looking at share $s_1$ and share $s_2$, we have no idea of what the original image was. When $P_1$ and $P_2$ superimpose their shares, they obtain the reconstructed image of Figure 6.7. We also notice how there is a loss of contrast and how an originally white pixel now appears to be greyish.

Figure 6.4: Alice's picture.

If we try to reconstruct the image $I$ by making a photocopy of Figures 6.5 and 6.6 on transparencies and superimposing them, we would have to remember that we lose details of the image because of the heat of the photocopier and the texture of the transparencies. This is the reason why Figure 6.7, which was reconstructed digitally, looks too perfect to be true.

Figure 6.5: Share distributed to $P_1$.

Figure 6.6: Share distributed to $P_2$.

Figure 6.7: The reconstructed image of Alice's picture using the $(2, 2)$-VTS.

6.2 Construction of a (2, w)-VTS

Suppose that Alice wants to share a secret image $I$ among $w$ participants so that when any two participants superimpose their shares, they are able to reconstruct the image sent by Alice. Alice designs the $(2, w)$-VTS that we are going to describe and analyse in this section. We choose not to present a $(t, w)$-VTS for $t > 2$ since it is already a non-trivial task to align two transparencies perfectly. (Refer to the article by Verheul [41] for a description of a $(t, w)$-VTS with $t > 2$.) We want to present a model of a visual-threshold scheme so that when a subset of authorized participants $B$, $|B| \ge 2$, superimpose their shares, they reconstruct the image $I$.

We assume that the image $I$ is expressed as a series of pixels. In this section, we analyse how to construct a single pixel. To obtain a complete image, we need to repeat this construction for as many pixels as there are in the secret image $I$. We

The model of a $(2, 2)$-VTS presented in Section 6.1 is determined by the two basis matrices of Figure 6.8.

Example: Suppose Alice wants to build a $(2, 3)$-VTS with pixel expansion $m = 3$ and relative contrast $\gamma = 1/3$. This means that in the reconstructed image, a white pixel of $I$ is now $1/3$ black and a black pixel of $I$ is now $2/3$ black. Let

Suppose $P$ is a black pixel, $P = 1$, and $\sigma = (3\ 1\ 2)$. We have

We assign the shares as in Figure 6.9.

Figure 6.9: Shares of a $(2, 3)$-VTS for a black pixel.

If any two of the three participants get together and try to reconstruct the pixel $P$, they obtain one of the three reconstructed representations of a black pixel of Figure 6.10.

Figure 6.10: Reconstructed black pixel of a $(2, 3)$-VTS.

Suppose now that $P$ is a white pixel, $P = 0$. For the same permutation $\sigma$ we have

and we assign the same share to each participant. The possible shares are shown in Figure 6.11. In this example, we assign the middle share to each participant. We see that this is also one of the three new ways of representing a white pixel in the reconstructed image.

Figure 6.11: Reconstructed white pixel of a $(2, 3)$-VTS.

There are two properties of the visual-threshold scheme that $M_0$ and $M_1$ must ensure: security and contrast. The security condition will be satisfied if, for any subset of $t'$ participants, $t' \le t - 1$, superimposing any $t'$ rows of $M_0$ and of $M_1$ reveals no information on the colour of the pixel. This means that the $t' \times m$ sub-matrices $M_P^R$ of $M_P$, whose rows are indexed by the elements of a $t'$-set $R$ of participants and whose columns are the same as those of $M_P$, are equivalent up to a column permutation for $P = 0$ and $P = 1$. For security reasons, all the rows of $M_0$ and $M_1$ have to be of the same Hamming weight $h$, so that each pixel in any share has $h$ black sub-pixels and $m - h$ white sub-pixels, because when we look at a share we must not be able to obtain any information about the colour of any pixel.

The contrast condition will be met if, by superimposing two different shares, we can differentiate between a white pixel and a black pixel. Let $M_P[i]$ be the vector corresponding to the $i$th row of $M_P$, $P \in \{0, 1\}$. Suppose a pixel $P$ of the image $I$ is white ($P = 0$). If we superimpose two pixels of different shares $s_i, s_j$, $i \ne j$, the resulting pixel will have $\mathrm{wt}(s_i \text{ OR } s_j)$ black sub-pixels. Since $s_i$ and $s_j$ were both obtained by permuting the columns of $M_P$ by the same permutation $\sigma$, we have

$$\mathrm{wt}(s_i \text{ OR } s_j) = \mathrm{wt}(M_P[i] \text{ OR } M_P[j]),$$

for all $1 \le i < j \le w$. Since $P = 0$, we need $\mathrm{wt}(M_0[i] \text{ OR } M_0[j]) = h$, otherwise we would gain information on the reconstructed pixel.

Let us define $M_0$ to be the $w \times m$ matrix with all ones in the first $h$ columns and all zeroes in the remaining $m - h$ columns. For $1 \le h \le m$, we can verify that for a white pixel $\mathrm{wt}(M_0[i] \text{ OR } M_0[j]) = h$ for any two rows $i, j$ of $M_0$. We also need to define $M_1$. From the analysis of security and contrast that we did, we need $M_1$ to satisfy:

1. Security: $\mathrm{wt}(M_1[i]) = h$ for $1 \le i \le w$.

2. Contrast: $\mathrm{wt}(M_1[i] \text{ OR } M_1[j]) \ge h + \gamma m$ for all $i \ne j$, where $0 < \gamma < 1$ is the relative contrast.

We need Condition 2 so that the difference between the Hamming weight of a black pixel and of a white pixel on the reconstructed image is at least $\gamma m$, so as to be able to

easily distinguish between a black and a white pixel on the reconstructed image. We need to define $M_1$ so that when the pixel $P$ of $I$ is black ($P = 1$), if we superimpose the two shares $s_i$ and $s_j$, the colour of the pixel is determined by

We are now going to develop a method to construct the basis matrix $M_1$. First, we need to introduce the combinatorial objects called balanced incomplete block designs.

Definition 6.1. For $v, k, \lambda$ positive integers such that $2 \le k < v$, a balanced incomplete block design, $(v, b, r, k, \lambda)$-BIBD, is a pair $(V, B)$ such that

1. $V$ is a set of $v$ elements called points,

2. $B$ is a collection of $b$ $k$-subsets of $V$ called blocks,

3. each point is contained in exactly $r$ blocks, and

4. every pair of distinct points is contained in exactly $\lambda$ blocks.

From this definition and a similar argument to the proofs of Theorems 4.5 and 4.6, we have that each point in a $(v, b, r, k, \lambda)$-BIBD occurs in exactly

$$r = \frac{\lambda (v - 1)}{k - 1}$$

blocks, and the number of blocks in a $(v, b, r, k, \lambda)$-BIBD is

Clearly, $b \ge r$. Since $b$ and $r$ are determined by $v$, $k$ and $\lambda$, a $(v, b, r, k, \lambda)$-BIBD is sometimes denoted a $(v, k, \lambda)$-BIBD. A balanced incomplete block design $(v, k, 1)$-BIBD is a Steiner system $ST(2, k, v)$. The incidence matrix of a balanced incomplete block design is a $v \times b$ matrix $A = (a_{ij})$ in which $a_{ij} = 1$ if the $i$th element of $V$ occurs in the $j$th block of $B$, and $a_{ij} = 0$ otherwise.

Example: Let

$(V, B)$ is a $(7, 3, 1)$-BIBD where each point appears in exactly $r = 3$ blocks and where there are $b = 7$ blocks in total. (This balanced incomplete block design $(7, 3, 1)$-BIBD can be pictorially represented by the Fano plane of Figure 5.3.) If we suppose $V$ and $B$ ordered, then the incidence matrix of this balanced incomplete block design is

To construct a $(2, w)$-VTS with pixel expansion $b$ from a balanced incomplete block design, we need only define the two basis matrices $M_0$ and $M_1$. We define $M_0$ the same way we did earlier in this section; that is, $M_0$ is the $w \times b$ matrix where all the elements in the first $r$ columns are ones and all the elements in the remaining $b - r$ columns are zeros. Let $M_1$ be the incidence matrix of a $(v, b, r, k, \lambda)$-BIBD with $v = w$. We can verify that $\mathrm{wt}(M_0[i]) = r = \mathrm{wt}(M_1[i])$ for all $1 \le i \le w$; that is, the weight of every row of $M_0$ and $M_1$ is $r$. We also have

$$\mathrm{wt}(M_0[i] \text{ OR } M_0[j]) = r$$

and

$$\mathrm{wt}(M_1[i] \text{ OR } M_1[j]) = 2r - \lambda,$$

since two distinct points lie together in exactly $\lambda$ blocks. Thus the contrast is

$$\gamma = \frac{2r - \lambda}{b} - \frac{r}{b} = \frac{r - \lambda}{b}.$$

This leads to the following theorem:

Theorem 6.2 ([1]). If there exists a $(w, b, r, k, \lambda)$-BIBD, then there exists a $(2, w)$-VTS with pixel expansion $m = b$ and relative contrast $\gamma = \frac{r - \lambda}{b}$.

There exist other constructions to model visual-threshold schemes, but for now we are going to stop with the descriptions already given³.
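Theorem 6.2 and the security and contrast conditions of this section, as an added Python example (not from the thesis or from [1]): the basis matrices are built from the incidence matrix of a BIBD, a pixel is shared by permuting the columns of $M_P$ and handing row $i$ to $P_i$, and both conditions are checked mechanically. The Fano plane is written out with a labelling of the points assumed by this example, and the $(2, 3)$-VTS of the earlier example is taken to use $M_1 = I_3$ and rows $(1\ 0\ 0)$ for $M_0$, the Naor and Shamir choice, which is also an assumption here. All function names are the example's own.

```python
"""Added example, not the thesis's code or [1]'s: a (2,w)-VTS from basis matrices
M0, M1 (rows = participants, columns = the m sub-pixels), with M1 the incidence
matrix of a BIBD as in Theorem 6.2, plus mechanical checks of the security and
contrast conditions of Section 6.2."""
import random
from fractions import Fraction
from itertools import combinations


def weight(v):
    return sum(v)


def or_rows(*rows):
    return tuple(max(bits) for bits in zip(*rows))


def basis_from_bibd(blocks, v):
    """Theorem 6.2: M1 = v x b incidence matrix, M0 = v x b matrix with ones
    in the first r columns, where r = number of blocks through a point."""
    b = len(blocks)
    M1 = [tuple(1 if p in blk else 0 for blk in blocks) for p in range(v)]
    r = weight(M1[0])
    M0 = [tuple(1 if c < r else 0 for c in range(b)) for _ in range(v)]
    return M0, M1


def fano_blocks():
    """A (7,3,1)-BIBD (the Fano plane) on points 0..6; this labelling is an
    assumption of the example.  Blocks are {0,1,3} shifted mod 7."""
    return [frozenset((i + d) % 7 for d in (0, 1, 3)) for i in range(7)]


def share_pixel(pixel, M0, M1, rng=random):
    """Apply one random column permutation sigma to M_P; participant i gets row i."""
    M = M1 if pixel else M0
    sigma = list(range(len(M[0])))
    rng.shuffle(sigma)
    return [tuple(row[c] for c in sigma) for row in M]


def is_secure(M0, M1, t):
    """Security: for every (t-1)-set R of participants the sub-matrices M0^R and
    M1^R are equal up to a column permutation (same multiset of columns)."""
    for R in combinations(range(len(M0)), t - 1):
        cols0 = sorted(tuple(M0[i][c] for i in R) for c in range(len(M0[0])))
        cols1 = sorted(tuple(M1[i][c] for i in R) for c in range(len(M1[0])))
        if cols0 != cols1:
            return False
    return True


def relative_contrast(M0, M1):
    """gamma = (fewest black sub-pixels any pair sees for P=1 minus the most any
    pair sees for P=0) / m; Condition 2 of Section 6.2 asks for gamma > 0."""
    m = len(M0[0])
    pairs = list(combinations(range(len(M0)), 2))
    white = max(weight(or_rows(M0[i], M0[j])) for i, j in pairs)
    black = min(weight(or_rows(M1[i], M1[j])) for i, j in pairs)
    return Fraction(black - white, m)


# The (2,3)-VTS of the example with m = 3: M0 has every row (1,0,0), M1 = I_3
# (assumed here; it is the Naor-Shamir choice and gives gamma = 1/3).
M0_3 = [(1, 0, 0)] * 3
M1_3 = [(1, 0, 0), (0, 1, 0), (0, 0, 1)]

if __name__ == "__main__":
    M0, M1 = basis_from_bibd(fano_blocks(), 7)
    print("Fano (2,7)-VTS: m =", len(M0[0]), "secure:", is_secure(M0, M1, 2),
          "gamma =", relative_contrast(M0, M1))
    shares = share_pixel(1, M0, M1, random.Random(3))
    print("P1 and P2 stacked on a black pixel:",
          weight(or_rows(shares[0], shares[1])), "of 7 sub-pixels black")
    print("(2,3)-VTS: secure:", is_secure(M0_3, M1_3, 2),
          "gamma =", relative_contrast(M0_3, M1_3))
```

For the Fano plane this reports $m = 7$ and $\gamma = 2/7 = (r - \lambda)/b$ with $r = 3$, $\lambda = 1$: any two participants see 3 black sub-pixels for a white pixel and $2r - \lambda = 5$ for a black one, while each share on its own is a row of weight 3 whatever the pixel. The same permutation $\sigma$ must be used for every row of one pixel and a fresh one drawn per pixel; `is_secure` only certifies the matrices, not a faulty generator.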

³ It is never good to have too much dessert!

6.3 Oscar, You're Such a Cheater - Again!

The goal of this last section is simply to illustrate how Oscar can take advantage of a $(t, w)$-threshold scheme. As we have said, no information is revealed about the key $K$ when $t - 1$ participants try to reconstruct the key. However, one of the shares may be modified in such a way that the reconstructed key can take any value: the scheme guarantees the secrecy of the key, not the authenticity of the shares. We will terminate this thesis by presenting a simple example of how Oscar can take advantage of this situation. We want to emphasize that the story we are going to read is purely fictional and that none of us should try this at home!

Suppose that Bob and Oscar have been fighting over Alice's love for the last two months. Alice promises that by the end of the week she will tell them who her heart has chosen. Alice decides to use the model of a $(2, 2)$-VTS presented in Section 6.1 and sends by e-mail the share of Figure 6.12 to Bob and the share of Figure 6.13 to Oscar.

Figure 6.12: The share of Alice's secret love assigned to Bob.

When the time comes to reconstruct the image sent by Alice, Bob and Oscar print their shares on transparencies and superimpose them. Oscar, who is not worthy of Alice's love, suspects that Alice will have chosen his rival. He decides to cheat Alice and Bob. Oscar convinces Bob to put his share on the table first (he needs to get hold

of Bob's share ahead of time) and uses a very fast algorithm to modify his share to obtain the share in Figure 6.14. He then prints this modified share and superimposes it on Bob's share.

Figure 6.13: The share of Alice's secret love assigned to Oscar.

Figure 6.14: Oscar's new share.

Figure 6.15: The reconstructed image from Bob's share and Oscar's tampered share.

As we suspect, using the original shares sent by Alice, the reconstructed image would have been the one in Figure 6.16. But we should not worry: even if this is the end of this thesis, this is not the end of Alice and Bob's story, and we should trust cryptography to help these two love birds find the path to true love . . .

Figure 6.16: Alice's true love.
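Oscar's trick of Section 6.3 against the $(2, 2)$-VTS of Section 6.1, as an added Python example (not from the thesis): given only Bob's share, Oscar computes the share that makes the superimposed transparencies show any image he chooses, pixel by pixel, by copying Bob's sub-pixel pair where he wants white and complementing it where he wants black. Bob's share and Oscar's target image are constructed here for illustration; the encoding of the shares is that of Section 6.1.

```python
"""Added example, not the thesis's code: Oscar's cheat of Section 6.3 against
the (2,2)-VTS of Section 6.1.  Shares are encoded as in Section 6.1, one pair
(1,0) or (0,1) per pixel; stacking is a sub-pixel-wise OR."""


def superimpose(share_a, share_b):
    return [[tuple(a | b for a, b in zip(pa, pb)) for pa, pb in zip(ra, rb)]
            for ra, rb in zip(share_a, share_b)]


def read_back(stacked):
    return [[1 if pair == (1, 1) else 0 for pair in row] for row in stacked]


def forge_share(bob_share, target):
    """Oscar's 'very fast algorithm': one pass over Bob's share.  Where Oscar
    wants white he repeats Bob's pair (OR leaves one black sub-pixel); where he
    wants black he uses the complementary pair (OR gives (1,1))."""
    return [[pair if want == 0 else tuple(1 - x for x in pair)
             for pair, want in zip(row_b, row_t)]
            for row_b, row_t in zip(bob_share, target)]


def is_valid_share(share):
    """A forged share is indistinguishable from a genuine one: every pair is (1,0) or (0,1)."""
    return all(pair in ((1, 0), (0, 1)) for row in share for pair in row)


# Constructed data: the share Alice sent Bob (any pattern of pairs will do; its
# content never matters to Oscar) and the image Oscar wants Bob to see.
BOB_SHARE = [
    [(1, 0), (0, 1), (0, 1), (1, 0), (1, 0)],
    [(0, 1), (1, 0), (1, 0), (0, 1), (1, 0)],
    [(1, 0), (1, 0), (0, 1), (0, 1), (0, 1)],
]
OSCAR_WANTS = [
    [1, 0, 0, 0, 1],
    [0, 1, 0, 1, 0],
    [0, 0, 1, 0, 0],
]


def oscars_forged_share():
    return forge_share(BOB_SHARE, OSCAR_WANTS)


def what_bob_sees():
    return read_back(superimpose(BOB_SHARE, oscars_forged_share()))


if __name__ == "__main__":
    print("Bob sees Oscar's image:", what_bob_sees() == OSCAR_WANTS)
    print("forgery looks like a real share:", is_valid_share(oscars_forged_share()))
```

The forged share passes `is_valid_share`, so the secrecy proof of Section 6.1 gives Bob no protection: nothing in the scheme binds a transparency to Alice. Before Bob can tell Oscar's share from hers, Alice would have to authenticate the shares, with an authentication code of the kind studied in Chapters 2 and 4 or, in practice, a MAC or digital signature over each share, and Bob would have to check it before stacking.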

Chapter 7

Conclusions

We summarise the work we have done in this thesis. In Chapter 1, we gave an overview of some terminology used in cryptology and described how public-key cryptography is used today in simple communication schemes. In the following chapters, we described seven different cryptographic protocols in their simpler form:

in Chapter 2, we analysed and described in detail authentication codes without secrecy, $(S, A, K, E)$,

in Chapter 3, we analysed and described in detail secrecy codes, $(P, C, K, E, D)$,

in Chapter 4, we described authentication codes for which we do not necessarily impose secrecy and authentication codes with secrecy,

in Chapter 5, we described secret sharing schemes and threshold schemes, and finally,

in Chapter 6, we described simple models of visual-threshold schemes.

For each of the protocols analysed in Chapters 2 to 6, we have described and proposed a symmetric key method that uses combinatorial objects and gives unconditional security to the cryptosystem. We also critique the use of some combinatorial objects in certain cryptographic protocols (Section 5.4) and conclude that in some cases too much structure is a source of information for Oscar.

In Figure 7.1, we list the main subject of each chapter and the combinatorial objects proposed for those protocols:

Protocols:
    authentication codes without secrecy
    secrecy codes
    general authentication codes
    authentication codes with secrecy
    secret sharing schemes and threshold schemes

Combinatorial objects:
    orthogonal arrays, orthogonal arrays of strength t
    latin squares, perpendicular arrays
    Steiner systems
    Steiner systems, perpendicular arrays, authentication perpendicular arrays
    orthogonal arrays, projective spaces, Steiner systems, latin squares
    balanced incomplete block designs

Figure 7.1: When combinatorics meets cryptography.

Finally, in Appendix A, we give a glossary of the terminology used in this thesis.

In this thesis, we did not discuss the practicability of any of the proposed methods, as this is such a large question that it makes a very interesting project on its own. The cryptosystems proposed are all provable on paper; however, it would be interesting to present these protocols to bad guys and listen to their suggestions. It is very important that a group of computer scientists, physicists, engineers and cryptanalysts verify the implementation and the feasibility of such protocols. Nevertheless, it is somehow reassuring to know that there are methods that are provably secure and do not depend on the power of present computer technology.

Appendix A

Glossary

The majority of these definitions were taken from (41, [16], b-61 and [;17].

Access structure: A data structure that specifies the authorized participants in a secret sharing scheme protocol.

Arc: A $k$-arc in a projective plane is a set of $k$ points, no three of which are collinear.

Asymmetric cryptography: See Public Key Cryptosystem.

Attack: An attempted cryptanalysis; that is, when the bad guy tries to get information from the cryptosystem without the originator's authorization.

Authentication: The process of verifying the claimed identity of someone or something.

Authentication matrix: A matrix used to represent an authentication code, where the rows are indexed by the keys, the columns are indexed by source states and the elements of the matrix are the authentication tags.

Authentication tag: What is added (concatenated) to the source state to form the message in an authentication code without secrecy.

Bad guy: Nickname given to a cryptanalyst; that is, someone who tries to defeat a cryptosystem.

Balanced incomplete block design: A $(v, k, \lambda)$-BIBD is a pair $(V, B)$ where $V$ is a $v$-set and $B$ is a collection of $b$ $k$-subsets of $V$ (blocks) such that each element of $V$ is contained in exactly $r$ blocks and any 2-subset of $V$ is contained in exactly $\lambda$ blocks.

Bayes, Thomas: English theologian and mathematician who was born in 1702 and died in 1761. He was the first to use probability inductively and established a mathematical basis for probability inference (a means of calculating, from the frequency with which an event has occurred in prior trials, the probability that it will occur in future trials).

Bit: Abbreviation for binary digit, represented either by a zero or a one of the binary system.

Brute force attack: A form of attack in which each possibility is tried until success is obtained. Typically, a ciphertext is deciphered under different keys until a plaintext is recognized. On average, this procedure takes about half as many decryption steps as there are keys.

Caesar cipher: A classical cryptosystem in which each occurrence of the letter a in a word is replaced by the letter d, the letter b by the letter e, . . . , and the letter z by the letter c.


Ciphertext: The output of an encryption function. Encryption transforms plaintext into ciphertext.

Clear text: See Plaintext.

Computationally secure: A protocol is said to be computationally (or conditionally) secure for cryptography if it is secure given the present computer power of the cryptanalyst.

Cryptology: The science of secure communications.

Cryptographer: The person who builds cryptosystems.

Cryptanalyst: The person who tries to break the cryptosystem. The cryptanalyst tries to undo what the cryptographer worked so hard to build...

Cryptosystem: A cryptosystem is the system composed of cryptographic elements such as the key, the participants in the protocol, the protocol itself and the algorithm for encryption and decryption.

Decipher: See Decryption.

Decryption: The cryptographic transformation of a ciphertext to produce plaintext; that is, to undo the encryption.

DES: (Data Encryption Standard) A secret key cryptographic scheme standardized by the National Institute of Standards and Technology.

Digital signature: A quantity the sender associates with a message which only someone with knowledge of the sender's private key could have generated, but which can be verified through knowledge of the sender's public key.


Encipher: See Encryption.

Encryption: The cryptographic transformation of data to produce ciphertext; that is, to disguise the plaintext so that it becomes unrecognizable.

Encryption matrix: A matrix used to represent a secrecy code, where the rows are indexed by the encoding rules, the columns are indexed by the plaintexts and the elements of the matrix are the ciphertexts.

Fano plane: The projective plane with the smallest possible number of points. There are seven points and seven lines. Every line contains three points and there are three lines through every point. All lines but one are drawn as straight line segments. The seventh line is drawn as a circle. (See also Projective space.)

Finite geometry: A finite set of points, a finite set of lines and a relation of incidence between them.

Good guy: Someone using a cryptosystem in the manner in which it is designed (as opposed to a Bad guy).

Hamming weight: The number of non-zero symbols in a sequence. For a binary sequence, the Hamming weight is the number of "1" bits.

Impersonation: When Oscar tries to convince Bob that he is Alice without Alice's permission.

Incidence matrix: A matrix that represents the incidence of points and blocks in a geometry. It is also used to represent the incidence of edges or arcs to nodes in a graph or network.


Integrity: The property of ensuring that data is transmitted from a source to a destination without undetected alterations.

Internet:

1. If capitalized it refers to the large network started as the ARPANET, a research network funded by the US Department of Defense.

2. If not capitalized it refers to a connected collection of computer networks.

Interpolating polynomial: Given t points in the plane, the interpolating polynomial is the unique polynomial $P_{t-1}(x) = a_0 + a_1 x + \cdots + a_{t-1} x^{t-1}$, where $a_{t-1} \neq 0$, that passes through these t points.

Jensen's inequality: The inequality

holds whenever f is real, convex and continuous, $\sum_i \lambda_i = 1$ and $\lambda_i \geq 0$.

Jensen, Johan: Danish mathematician and engineer who was born in 1859 and died in 1925. He was a pioneer in the theory of convex functions.

Key: A quantity used in a cryptosystem to encrypt and decrypt the data.

Key space: The range of possible values that a key might take.

Latin square: An array of n rows and n columns built from n different symbols in such a way that each symbol occurs exactly once in each row and column. As an example, here is a 4 x 4 latin square:

d c a b

Level of security: The difficulty of breaking a cryptosystem; that is, the amount of computer power, time and money required to break the system.

Message: The information Alice is sending to Bob.

OR: A standard operation on bits:

0 OR 0 = 0

0 OR 1 = 1

1 OR 0 = 1

1 OR 1 = 1.

Orthogonal array: An orthogonal array of strength t, $OA_\lambda(t, k, n)$, is a $\lambda n^t \times k$ array with entries from an n-set such that for any t columns each of the vectors of length t with entries from the n-set occurs in exactly λ rows.

OTP: (One Time Pad) Originally, a one-time pad was a large non-repeating set of random key letters, written on a sheet of paper, and glued together in a pad. Alice would use each key letter on the pad to encrypt exactly one plaintext character. Encryption is the addition modulo 26 of the plaintext character and the one-time pad key character. Today, with the use of computers, we do not need glue and paper anymore, but the main idea remains the same.


Perfect secrecy: A cryptosystem is said to have perfect secrecy if all possible ciphertexts may be selected with equal probability given any possible plaintext. This means that no ciphertext can imply any particular plaintext any more than any other.

Perpendicular array: A perpendicular array, $PA_\lambda(t, k, n)$, is a $\lambda \binom{n}{t} \times k$ array with n different symbols such that if we run t fingers down any t columns of the array we find every unordered subset of t elements exactly λ times.

Pixel: The smallest unit of an image. The word pixel is a contraction of "picture elements".

Plaintext: The actual message Alice wants to transmit to Bob before it is encrypted.

Private key: Cryptographic key used by a participant in public key cryptography to sign and/or decrypt messages, which must be kept secret by the person to whom it belongs.

Projective space: A geometry consisting of a set P of points and a set L of lines, where each line is a subset of the point set, such that:

1. any two points lie on exactly one line,

2. any line has at least three points and

3. if, for four distinct points A, B, C and D of which no three are collinear, the lines AB and CD intersect in one point, then the lines AD and BC also intersect in one point.


Protocol: Specification of the format and the relative timing of a finite sequence of messages.

Public key: The key used by a participant in a public key cryptosystem which is publicly available.

Public key cryptosystem: A cryptosystem where encryption and decryption are performed using different keys (the public key and the private key).

RSA: A public key cryptosystem named after its three creators (Rivest, Shamir and Adleman) that is mainly used for encryption and digital signatures.

Secrecy: The property that information is not made available to unauthorized parties.

Secret key: The key used in a private key cryptosystem that is shared between Alice and Bob and must be kept secret.

Secret key cryptosystem: A cryptosystem where encryption and decryption are performed using the same key (the secret key).

Secret sharing scheme: A method of sharing a secret among a finite set of participants, where each participant receives a share. A secret sharing scheme has the property that only certain predetermined subsets of shares can be used to reconstruct the key.
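A worked example tying the Interpolating polynomial and Secret sharing scheme entries together, added here as code that is not from the thesis: it builds the interpolating polynomial through t points over a prime field and uses it as a (t, n) threshold scheme whose secret is the constant term a_0. The prime p, the threshold t, the number of shares n, the secret and the random coefficients are constructed values assumed for the example.

```python
# Added example (not from the thesis): Lagrange interpolation over Z_p used
# for threshold secret sharing.  All parameters below are constructed.
import random


def interpolate(points, x0, p):
    """Evaluate at x0 the unique polynomial of degree < t that passes
    through the t points (x_i, y_i), using Lagrange's formula modulo p."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x0 - xj) % p
                den = den * (xi - xj) % p
        # den is non-zero mod p because the x_i are distinct and smaller than p
        total = (total + yi * num * pow(den, -1, p)) % p
    return total


def make_shares(secret, t, n, p, rng=None):
    """Set a_0 = secret, draw random a_1..a_{t-1}, and hand participant x the
    share (x, P(x)) for x = 1..n.  Any t shares determine P, hence P(0)."""
    rng = rng or random.Random(1)          # fixed seed only for reproducibility
    coeffs = [secret % p] + [rng.randrange(p) for _ in range(t - 1)]
    return [(x, sum(c * pow(x, k, p) for k, c in enumerate(coeffs)) % p)
            for x in range(1, n + 1)]


def recover_secret(shares, p):
    """Reconstruct a_0 = P(0) from any t shares (the authorized subsets)."""
    return interpolate(shares, 0, p)


def secrets_consistent_with(partial, x_missing, p):
    """Given only t-1 shares, every s in Z_p is the constant term of exactly
    one degree < t polynomial through them.  Return, for each s, the value
    that polynomial would assign to the missing share.  Distinct s give
    distinct values, so the t-1 shares alone leave s completely undetermined."""
    return {s: interpolate(partial + [(0, s)], x_missing, p) for s in range(p)}


if __name__ == "__main__":
    p, t, n, secret = 257, 3, 5, 42        # constructed parameters
    shares = make_shares(secret, t, n, p)
    print(recover_secret(shares[:t], p))                      # 42
    print(recover_secret([shares[0], shares[2], shares[4]], p))  # 42
    table = secrets_consistent_with(shares[:t - 1], shares[t - 1][0], p)
    print(len(set(table.values())) == p)                      # True
```

Solving the t x t Vandermonde system for the coefficients gives the same polynomial; Lagrange's form is used above only because it needs no matrix inverse.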

Shadow: See Share.

Share: Piece of secret information received by each participant in a secret sharing scheme.


Source state: See Plaintext.

Spoof: See Impersonation.

Steiner, Jacob: Swiss mathematician who was born in 1796 and died in 1833. He was one of the greatest contributors to projective geometry. He believed that calculation replaces thinking while geometry stimulates it. For this reason, he never liked calculus and algebra.

Steiner system: Given three integers t, k, v such that $2 \leq t < k < v$, a Steiner system $S(t, k, v)$ is a collection of k-subsets, called blocks, of a v-set of points such that each t-subset lies in exactly one of the blocks.

Substitution:

1. A classical cryptosystem in which a one-to-one mapping is performed on a fixed sized block of data. For example, the Caesar cipher.

2. When Oscar changes a message coming from Alice and tries to convince Bob that it is an authentic message from Alice.

Symmetric cryptosystem: See Secret Key Cryptosystem.

Trusted arbitrator: Commonly called Trent. A security authority trusted by all parties involved in the protocol with respect to security-related activities.

Unconditionally secure: A protocol is said to be unconditionally secure for cryptography if, given unlimited time and manpower, the system can not (theoretically) be broken.


Vandermonde, Alexandre: French mathematician who was born in 1735 and died in 1796. His work was related to the theory of equations and he studied determinants, although the determinant that was named after him by Lebesgue does not appear in his published work. He also worked on the knight's tour problem.

Vandermonde matrix: The t x t Vandermonde matrix is

Vernam cipher: See OTP.

XOR: The exclusive-or operation denoted $\oplus$. It is a standard operation on bits:


Bibliography

[1] Giuseppe Ateniese, Carlo Blundo, Alfredo De Santis, and Douglas R. Stinson. On the contrast in visual cryptography schemes. Published on the web at the following URL: http://cacr.math.uwaterloo.ca/~dstinson/, September 1996.

[2] Jürgen Bierbrauer and Charles J. Colbourn. Orthogonal arrays of strength more than two, chapter 115, pages 179-182. CRC Press, C. J. Colbourn and J. H. Dinitz, editors, 1996.

[3] G. R. Blakley. Safeguarding cryptographic keys. In Proc. AFIPS 1979 National Computer Conference, pages 313-317. AFIPS, 1979.

[4] E. J. Borowski and J. M. Borwein. The HarperCollins dictionary of mathematics. HarperPerennial, New York, 1991. With the assistance of J. F. Bowers, A. Robertson and M. McQuillan. Revised reprint of the 1988 original.

[5] Ernest F. Brickell. Some ideal secret sharing schemes. J. Combin. Math. Combin. Comput., 6:105-113, 1989.

[6] K. A. Bush. Orthogonal arrays of index unity. Ann. Math. Statistics, 23:426-434, 1952.


[7] Benny Chor and Eyal Kushilevitz. Secret sharing over infinite domains. J. Cryptology, 6(2):87-95, 1993.

[8] Joan Cooper, Diane Donovan, and Jennifer Seberry. Latin squares and critical sets of minimal size. Australas. J. Combin., 4:113-120, 1991. Combinatorial mathematics and combinatorial computing (Palmerston North, 1990).

[9] Joan Cooper, Diane Donovan, and Jennifer Seberry. Secret sharing schemes arising from Latin squares. Bull. Inst. Combin. Appl., 12:33-43, 1994.

[10] D. Curran and G. H. J. Van Rees. Critical sets in Latin squares. In Proceedings of the Eighth Manitoba Conference on Numerical Mathematics and Computing (Univ. Manitoba, Winnipeg, Man., 1978), pages 165-168. Utilitas Math., Winnipeg, Man., 1979.

[11] E. N. Gilbert, F. J. MacWilliams, and N. J. A. Sloane. Codes which detect deception. Bell System Tech. J., 53:405-424, 1974.

[12] Gene H. Golub and Charles F. Van Loan. Matrix computations. Johns Hopkins University Press, Baltimore, MD, third edition, 1996.

[13] K. Gopalakrishnan and D. R. Stinson. Applications of designs to cryptography, chapter V3, pages 549-557. CRC Press, C. J. Colbourn and J. H. Dinitz, editors, 1996.

[14] Mitsuru Ito, Akira Saito, and Takao Nishizeki. Secret sharing scheme realizing general access structure. Electron. Comm. Japan Part III Fund. Electron. Sci., 72(9):56-63, 1989.

[15] David Kahn. The Codebreakers. Macmillan Publishing Co., Inc., 1967.


[16] Charles Kaufman, Radia Perlman, and Michael Speciner. Network Security: Private Communication in a Public World. PTR Prentice-Hall, Englewood Cliffs, NJ 07632, USA, 1995.

[17] Earl S. Kramer, Donald L. Kreher, Rolf Rees, and Douglas R. Stinson. On perpendicular arrays with t ≥ 3. Ars Combin., 28:215-223, 1989.

[18] James L. Massey. Cryptography - a selective survey. Digital Communications, pages 3-21, 1986.

[19] James L. Massey. Contemporary cryptology: an introduction. In Contemporary cryptology, pages 1-39. IEEE, New York, 1992.

[20] Moni Naor and Adi Shamir. Visual cryptography. In Advances in cryptology - EUROCRYPT '94 (Perugia), pages 1-12. Springer, Berlin, 1993.

[21] Moni Naor and Adi Shamir. Visual cryptography. II. Improving the contrast via the cover base. In Security protocols (Cambridge, 1996), pages 197-202. Springer, Berlin, 1997.

[22] Christine M. O'Keefe. Applications of finite geometries to information security. Australas. J. Combin., 7:195-212, 1993.

[23] R. L. Plackett and J. P. Burman. The design of optimum multifactorial experiments. Biometrika, 33:305-325, 1946.

[24] C. Radhakrishna Rao. Factorial experiments derivable from combinatorial arrangements of arrays. Suppl. J. Roy. Statist. Soc., 9:128-139, 1947.

[25] Rolf S. Rees and Douglas R. Stinson. Combinatorial characterizations of authentication codes. II. Des. Codes Cryptogr., 7(3):239-259, 1996.


[26] Terry Ritter. Ritter's crypto glossary and dictionary of technical cryptography. Published on the web at the following URL: http://www.io.com/~ritter/, October 1998.

[27] Bruce Schneier. Applied Cryptography, Algorithms and Source Code in C. John Wiley and Sons, 2nd edition, 1996.

[28] Adi Shamir. How to share a secret. Comm. ACM, 22(11):612-613, 1979.

[29] C. E. Shannon. Communication theory of secrecy systems. Bell System Tech. J., 28:656-715, 1949.

[30] Nelly Simoes. Vandermonde and Toeplitz systems in Maple. To be published in MapleTech.

[31] G. J. Simmons. An introduction to shared secret and/or shared control schemes and their application. In Contemporary cryptology, pages 441-497. IEEE, New York, 1992.

[32] D. R. Stinson. A construction for authentication/secrecy codes from certain combinatorial designs. J. Cryptology, 1(2):119-127, 1988.

[33] D. R. Stinson. Some constructions and bounds for authentication codes. J. Cryptology, 1(1):37-51, 1988.

[34] D. R. Stinson. The combinatorics of authentication and secrecy codes. J. Cryptology, 2(1):23-49, 1990.

[35] D. R. Stinson. Combinatorial characterizations of authentication codes. Des. Codes Cryptogr., 2(2):175-187, 1992.


[36] D. R. Stinson. An explication of secret sharing schemes. Des. Codes Cryptogr., 2(4):357-390, 1992.

[37] D. R. Stinson. Threshold schemes and orthogonal arrays. Published on the web at the following URL: http://cacr.math.uwaterloo.ca/~dstinson, October 1998.

[38] D. R. Stinson and L. Teirlinck. A construction for authentication/secrecy codes from 3-homogeneous permutation groups. European J. Combin., 11(1):73-79, 1990.

[39] Douglas R. Stinson. Cryptography. CRC Press, Boca Raton, FL, 1995. Theory and practice.

[40] Tran Van Trung. On the construction of authentication and secrecy codes. Des. Codes Cryptogr., 5(3):269-280, 1995.

[41] Eric R. Verheul and Henk C. A. van Tilborg. Constructions and properties of k out of n visual secret sharing schemes. Des. Codes Cryptogr., 11(2):179-196, 1997.
