Authentication Codes


Post on 12-Sep-2021


Introduction

An authentication code provides a method of ensuring the integrity of a message, i.e., that the message has not been tampered with and that it originated with the presumed transmitter.

Our goal is to achieve this authentication capability even in the presence of an active opponent, Oscar, who can observe messages in the channel and introduce messages of his own choosing into the channel.

We will study codes that provide authentication but no “secrecy” and will work in the “private key” setting, meaning that Alice and Bob must share a secret key before any message is transmitted.


Introduction

In an authentication code, the secret key is used to compute an authentication tag which will enable Bob to check the authenticity of the message he receives. The authentication tag plays a role similar to that of MACs and digital signature schemes, with slight differences.

If s is the original data and a the authentication tag, then the message Alice sends to Bob is the pair (s,a).


Formal Definition

An authentication code is a four-tuple (S, A, K, E) where:
1. S is a finite set of original plaintexts,
2. A is a finite set of possible authentication tags,
3. K, the keyspace, is a finite set of possible keys, and
4. for each K ∈ K, there is an e_K ∈ E, an authentication rule e_K: S → A.

The message set is defined to be M = S × A.

Impersonation and Substitution

The types of attacks that Oscar might carry out:

Impersonation:

Oscar introduces a message (s,a) into the channel, hoping to have it accepted as authentic by Bob.

Substitution:

Oscar observes a message (s,a) in the channel, and then changes it to (s',a'), where s ≠ s', again hoping to have it accepted as authentic by Bob.

Deception Probabilities

Associated with each type of attack is a deception probability, which represents the probability that Oscar will successfully deceive Bob, assuming Oscar follows some optimal strategy.

These probabilities are denoted by Pd0 (impersonation) and Pd1 (substitution). In order to compute these, we need to specify probability distributions on S and K, which we will assume to be normal (random) for simplicity.

We shall assume that Oscar knows the authentication code and these probability distributions. The only thing not known by Oscar is the value of the key K.

An Example

Let S = A = ℤ₃ and K = ℤ₃ × ℤ₃. For each (i,j) ∈ K and each s ∈ S, define e_ij(s) = is + j mod 3. We tabulate the authentication tags for all keys and plaintexts.

Key \ Data   0  1  2
(0,0)        0  0  0
(0,1)        1  1  1
(0,2)        2  2  2
(1,0)        0  1  2
(1,1)        1  2  0
(1,2)        2  0  1
(2,0)        0  2  1
(2,1)        1  0  2
(2,2)        2  1  0

Suppose the keys are chosen at random, i.e., with probability 1/9.

After choosing a data value and guessing a tag for it, Oscar has a 1/3 probability of getting a correct message.

Pd0 = 1/3


An Example

Now suppose Oscar observes the message (0,0). This gives him some information about the key; it must be (0,0), (1,0) or (2,0). If he now wants to substitute (1,x) for this message, he has 3 choices for x (one for each key) and therefore a probability of deceiving Bob of 1/3, since the x values are distinct in this example.

Pd1 = 1/3
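The two deception probabilities above can be checked by brute force over the tag table. This is an added example, not part of the original slides; it assumes keys and source states are each chosen uniformly, and the names example_code, impersonation, substitution and WEAK are introduced here. WEAK is a constructed three-key code where impersonation is still hard but one observed message makes every substitution succeed.

```python
from fractions import Fraction
from itertools import product

def example_code(n=3):
    """Slide example: key (i, j) maps source s to tag i*s + j mod n."""
    return {(i, j): [(i * s + j) % n for s in range(n)]
            for i, j in product(range(n), repeat=2)}

def _shape(rules):
    rows = list(rules.values())
    return rows, len(rows[0]), sorted({a for r in rows for a in r})

def impersonation(rules):
    """Pd0: Oscar's best chance that a forged (s, a) is valid for the key."""
    rows, nsrc, tags = _shape(rules)
    return max(Fraction(sum(r[s] == a for r in rows), len(rows))
               for s in range(nsrc) for a in tags)

def substitution(rules):
    """Pd1: expected success of the best swap (s, a) -> (s2, a2), s2 != s."""
    rows, nsrc, tags = _shape(rules)
    total = Fraction(0)
    for s, a in product(range(nsrc), tags):
        live = [r for r in rows if r[s] == a]      # keys still possible
        if not live:
            continue                               # (s, a) is never sent
        p_msg = Fraction(len(live), nsrc * len(rows))  # Pr[(s, a) is sent]
        best = max(Fraction(sum(r[s2] == a2 for r in live), len(live))
                   for s2 in range(nsrc) if s2 != s for a2 in tags)
        total += p_msg * best
    return total

# Constructed counter-example (assumption, not from the slides):
# only three keys, e_j(s) = s + j mod 3, so one message reveals j.
WEAK = {j: [(s + j) % 3 for s in range(3)] for j in range(3)}

if __name__ == "__main__":
    for name, code in (("slide example", example_code()), ("weak", WEAK)):
        print(name, "Pd0 =", impersonation(code), "Pd1 =", substitution(code))
```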


Security

Oscar's probability of deceiving Bob is clearly at least 1/k where k = |K|. However, Gilbert, MacWilliams and Sloane have shown that Oscar's probability is actually greater than that.

Thm: Oscar's probability of deceiving Bob is at least 1/√k.

Pf: Assume that this probability is at most 1/√k; if we can show that this implies equality, then we have proved the result. For any message c, let k_c be the number of keys for which c is valid. The probability of Oscar sending a valid message is k_c/k, which by assumption satisfies:

k_c/k ≤ 1/√k

so k_c ≤ √k.

Security

Suppose that the message c is sent with probability p(c) and Oscar intercepts this message and so knows the k_c keys valid for this message. The probability that Oscar can substitute a message c' successfully is the number of keys k_{c,c'} for which both c and c' are valid divided by k_c.

Since k_{c,c'} is at least 1 (else Oscar would not substitute c'), we have:

k_{c,c'}/k_c ≥ 1/k_c ≥ 1/√k.

With overall probability p, we have:

1/√k ≥ p ≥ Σ_c p(c) · max_{c'≠c} (k_{c,c'}/k_c) ≥ Σ_c p(c) · (1/√k) = 1/√k.

Security

Thus, p = 1/√k and we can also conclude that k_c = √k.

Definition: An authentication code with k keys is perfect, if the probability of Oscar successfully impersonating or substituting is 1/√k.

Lemma: In a perfect authentication code with k keys, the following hold:
a) Each message is valid under exactly √k keys.
b) For each plaintext there are exactly √k different messages.
c) Two messages belonging to different plaintexts are valid under exactly one common key.

Examples of Perfect Authentication

Let Π be a projective plane of order n. Choose a fixed line l of Π. Define the authentication code by:
S: the set of points on l.
K: the set of points off of l.
e_k(s) = line determined by points s and k.

This construction gives a perfect authentication code.

Recall: |S| = n+1. |K| = n². |M| = n(n+1) = n² + n.

In an impersonation attack, Oscar chooses a message for the fixed point s on l. There are n lines to choose from and each of them contains n keys. Thus, Oscar's probability of success is n/n² = 1/n.


Projective Plane Construction

In a substitution attack, Oscar knows one message (line) and therefore that the key is one of n points. Thus, the probability of picking a correct line through some other point of l is 1/n again.

Either probability is thus 1/n = 1/√|K|, and the code is perfect.

This construction is a special case of a more general geometric construction.


File: C:\My Documents\Courses\Combinatorics\M5410\authentic.odp

Nets

A q-net is a set of n² points and nq lines with each line containing n points, and the lines are partitioned into q classes of n lines apiece with the properties that each point is on exactly one line of each class and any two lines from different classes meet in a unique point.

The classes of lines are called parallel classes.

n is called the order of the q-net.

An affine plane (projective plane minus a line) is an (n+1)-net.


Nets

[Figure: A 3-net of order 4]


Nets

In any k-net note that:
1) Through any two points there is at most one line,
2) Through each point outside of a line l there is exactly one line not intersecting l (which is the line in the same parallel class as l that passes through the point), and
3) Every point of the net is on one and only one line of each parallel class.

Authentication Codes from Nets

Let N be a q-net with n points on a line. We define an authentication code by:

S = the set of parallel classes (q of these)
K = the set of points of N (n² of these)
M = the lines of N (qn of these)

The rule e_k(s) is the line of parallel class s which passes through the point k.

The proof that this is a perfect authentication code is very similar to the projective plane proof.


Latin Squares

A Latin Square of order q is a q × q array of q symbols with each symbol appearing exactly once in each row and each column.

Latin Squares are equivalent to 3-nets.


Latin Squares and Nets

A 3-net of order 4

0 1 2 3
1 2 3 0
2 3 0 1
3 0 1 2


Latin Squares

0 1 2 3
1 0 3 2
2 3 0 1
3 2 1 0

0 1 2 3
2 3 0 1
3 2 1 0
1 0 3 2

Two Latin Squares of the same size are orthogonal if, when superimposed, the ordered pairs of entries are all distinct.


Latin Squares and Nets

A q-net of order n is equivalent to a set of q-2 mutually orthogonal Latin Squares of order n.

Two of the parallel classes are used to assign positions (coordinates) of an n × n array. Each of the remaining parallel classes is used to fill in the entries in a Latin Square as in the formation of a Latin Square from a 3-net.

This process is reversible.

Orthogonal Arrays

There is a generalization of q-nets and Latin Squares which is useful in constructing authentication codes which need not be perfect.

An orthogonal array OA(n,q,λ) is a λn² × q array of n symbols, such that in any two columns of the array every one of the possible n² pairs of symbols occurs in exactly λ rows.

An OA(n,q,1) is equivalent to a q-net or set of (q-2) mutually orthogonal Latin Squares of order n. Use two of the columns to determine positions and then each of the remaining columns to fill in the entries of a Latin Square.

Example

Our first example of a (perfect) authentication code actually was an OA(3,3,1) (that is, the array of authentication tags was). We will form the corresponding Latin Square of order 3.

     0  1  2
0    0  2  1
1    2  1  0
2    1  0  2

Key \ Data   0  1  2
(0,0)        0  0  0
(0,1)        1  1  1
(0,2)        2  2  2
(1,0)        0  1  2
(1,1)        1  2  0
(1,2)        2  0  1
(2,0)        0  2  1
(2,1)        1  0  2
(2,2)        2  1  0

Authentication Codes from OA's

Suppose there is an orthogonal array OA(n,q,λ). Then there is an authentication code (S, A, K, E), where |S| = q, |A| = n, |K| = λn² and Pd0 = Pd1 = 1/n.

The columns of the OA correspond to the plaintexts, the rows to the authentication rules (one for each key) and the symbols are the authentication tags.

Corollary: If λ = 1 in the OA, then the authentication code is perfect.
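As an added example (not from the original slides), the check below tests whether a tag table is an OA(n,q,λ) and, for the first example's table, rebuilds the Latin Square of order 3 shown earlier. Taking column 0 as the row index, column 1 as the column index and column 2 as the entry is the assignment that reproduces that square; the function names are introduced here.

```python
from collections import Counter
from itertools import combinations, product

def oa_lambda(rows, n):
    """Return λ if rows form an OA(n, q, λ) on symbols 0..n-1, else None."""
    q = len(rows[0])
    lam = None
    for c1, c2 in combinations(range(q), 2):
        counts = Counter((r[c1], r[c2]) for r in rows)
        seen = {counts.get(pair, 0) for pair in product(range(n), repeat=2)}
        if len(seen) != 1:
            return None            # some pair is more frequent than another
        v = seen.pop()
        if v == 0 or (lam is not None and v != lam):
            return None
        lam = v
    return lam

def latin_square(rows, n, row_col=0, col_col=1, entry_col=2):
    """For λ = 1: two columns address a cell, a third supplies its symbol."""
    square = [[None] * n for _ in range(n)]
    for r in rows:
        square[r[row_col]][r[col_col]] = r[entry_col]
    return square

def is_latin(square):
    """Every symbol appears exactly once in each row and each column."""
    n, full = len(square), set(range(len(square)))
    return (all(set(row) == full for row in square) and
            all({square[i][j] for i in range(n)} == full for j in range(n)))

# Tag table of the first example: row for key (i, j) holds i*s + j mod 3.
ROWS = [tuple((i * s + j) % 3 for s in range(3))
        for i, j in product(range(3), repeat=2)]

if __name__ == "__main__":
    print("lambda =", oa_lambda(ROWS, 3))
    for row in latin_square(ROWS, 3):
        print(*row)
```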


Perfect Authentication Codes

A perfect authentication code with |A| = n exists if and only if there exists an OA(n,q,1) for some q.


More Geometry

Authentication codes coming from OA's with λ > 1 can also have geometric interpretations.

In PG(d,q) the set of points C defined by:

C = {(1, t, t², t³, ..., t^d) | t ∈ GF(q)} ∪ {(0, 0, ..., 1)}

is called a normal rational curve.


More Geometry

Let H be a hyperplane of PG(d+1,q) and Q a point of the space not in H. Furthermore, let C be the normal rational curve in H. Define the authentication code by:
S = points of C
K = hyperplanes not through Q
M = points not equal to Q.

e_k(s) = the intersection of the line Qs with the hyperplane k.

Two lines Qs and Qs' span a plane which does not lie in any hyperplane not containing Q. There is a constant number λ of such hyperplanes intersecting this plane.