Multi-sender authentication code was given by Gilbert, Macwilliams and Sloane firstly in Ref.[1] in 1974. Multi-sender authentication system refers to that a group of senders cooperatively transmits a message to a receiver, and then the receiver should be able to ascertain that the message is authentic. The results of the study on authentication codes and Multi-sender authentication codes were very fruitful and many scholars made great contributions [2-16].
In the realistic computer network communications, Multi-sender authentication code includes two kinds of models, that is, sequential model and simultaneous model. Sequential model refers to that each sender uses his own encoding rules to encode a source state in order, and the final sender transmits the encoded message to the receiver, the receiver receives the message and identities whether the message is legal or not. Simultaneous model refers to that all senders use their own encoding rules to encode a source state, and each sender transmits the encoded message to the synthesizer respectively, then the synthesizer forms an authenticated message and transmits the authenticated message to the receiver, the receiver receives the message and identifies whether the message is legal or not. In this article, the second model is adopted.
In a simultaneous model, there are four participants: a group of senders U={U1, U2, …, Un}, a receiver R, the keys distribution center and a synthesizer. The keys distribution center is responsible for the key distribution to senders and receiver, including settling the disputes between senders and receiver. The synthesizer only runs the reliable synthesis algorithm. Each sender and receiver have their own Cartesian authentication code respectively. Let (S, Ei, Ti; fi)(i=1, 2, …, n) be the sender's Cartesian authentication code, (S, ER, T; g) be the receiver's Cartesian authentication code, h: T1×T2×…×Tn→T be the synthesis algorithm, πi: E→Ei be a subkey generation algorithm, where E is the key set of the key distribution center. When authenticating a message, the senders and the receiver should comply with the agreement: the key distribution center randomly selects an encoding rule e∈E and transmits ei=πi(e) to the ith sender Ui(1, 2, …, n) secretly, then it computes eR by e according to an efficient algorithm, and secretly transmits eR to the receiver R. If the senders would like to transmit a source state s to the receiver R, Ui computes ti=fi(s, ei) (i=1, 2, …, n) and transmits mi=(s, ti)(i=1, 2, …, n) to the synthesizer through an open channel. The synthesizer receives the message mi=(s, ti)(i=1, 2, …, n) and computes t=h(t1, t2, …, tn) by the synthesis algorithm h, then transmits the message m=(s, t) to the receiver, it checks the authenticity by identifying whether t=g(s, eR) or not. If the equality holds, the message is authentic and is accepted. If not, the message is rejected.
Suppose the key distribution center is reliable, though he knows the senders' and receiver's encoding rules, it will not participate in any communication activities. When senders and receiver are disputing, the key distribution center solves it. At the same time, suppose the system follows the Kerckhoff's principle which excepts the actual used keys, the other information of the whole system is public.
In a Multi-sender authentication system, suppose that the whole senders are cooperated to form a valid message, that is, all senders as a whole and receiver are reliable. But there are some malicious senders, they unite to deceive the receiver, the part of senders and receiver are not reliable, they can take impersonation attack and substitution attack. In the whole system, suppose {U1, U2, …, Un} are senders, R is a receiver, Ei is the encoding rules set of the sender Ui, eR is the decoding rules set of the receiver R. If the source state space S and the key space ER of receiver R conform to a uniform distribution, then the message space M and the tag space T are determined by the probability distribution of S and ER.We denote L={i1, i2, …, il}⊂ {1, 2, …, n}, l < n, UL={Ui1, Ui2, …, Uil}, EL={Ei1, Ei2, …, Eil}. Now study the attacks from malicious groups of transmitters. We consider three kinds of spoofing attack:
1) The opponent's impersonation attack to receiver.UL, after receiving their secret keys, encodes a message and transmits it to receiver. UL is successful if receiver accepts it as legitimate message. Denote PI the largest probability of some opponent's successful impersonation attack to receiver, it can be represented as:
$ {P_I} = \mathop {\max }\limits_{m \in M} \left\{ {\frac{{\left| {\left\{ {{e_R} \in {E_R}\left| {{e_R} \subset m} \right.} \right\}} \right|}}{{\left| {{E_R}} \right|}}} \right\} $ |
2) The opponent's substitution attack to the receiver.UL uses another message m′ instead of the message m, after they observe a legitimate message m. UL is successful if the receiver accepts it as a legitimate message, it can be represented as:
$ {P_S} = \mathop {\max }\limits_{m \in M} \left\{ {\frac{{\mathop {\max }\limits_{m' \ne m \in M} \left| {\left\{ {{e_R} \in {E_R}\left| {{e_R} \subset m,m'} \right.} \right\}} \right|}}{{\left| {\left\{ {{e_R} \in {E_R}\left| {{e_R} \subset m} \right.} \right\}} \right|}}} \right\} $ |
3) There might be l malicious senders who unite to cheat the receiver, that is, the part of senders and the receiver are not reliable, they can take impersonation attack.
Let L={i1, i2, …, il}⊂{1, 2, …, n}, l < n, EL={Ei1, Ei2, …, Eil}. Assume UL={Ui1, Ui2, …, Uil}, UL after receiving their secret keys, transmits a message m to the receiver R, UL is successful if the receiver accepts it as a legitimate message. Denote PU(L) the maximum probability of success of the impersonation attack to the receiver. It can be represented as:
$ {P_U}\left( L \right) = \mathop {\max }\limits_{{e_L} \in {E_{L,}}} \mathop {\max }\limits_{{e_L} \in {e_u}} \left\{ {\frac{{\mathop {\max }\limits_{m \in M} \left| {\left\{ {{e_R} \in {E_R}\left| {{e_R} \subset m} \right.,{\rm{and}}\;p\left( {{e_R},{e_U}} \right) \ne 0} \right\}} \right|}}{{\left| {\left\{ {{e_R} \in {E_R}\left| {\;p\left( {{e_R},{e_U}} \right) \ne 0} \right.} \right\}} \right|}}} \right\} $ |
Definition 2.1.1 A finite field is a field that contains finite elements.
Theorem 2.1.2 Let Fq be the finite field with q elements, denote Fq* all nonzero elements set of Fq, and Fq* forms a cycle group.
Definition 2.1.3 A generator α of Fq* is called a primitive element of Fq.
Definition 2.1.4 Let α be a primitive element of Fq, then 1, α, α2, …, αn-1 are linearly independent, furthermore, α, α2, …, αn(n < q) are also linearly independent.
Theorem 2.1.5 Let α be a generator of Fq*, and if k is an integer that is relatively prime to m, then αk is also a generator of Fq*.
The above conclusions come from the Ref.[17].
2.2 Eigenvalues and Eigenvectors of a Matrix and the Relevant PropertiesDefinition 2.2.1 Let A be a matrix over Fqn×n, x be a n dimension non-zero column vector over Fq, λ∈Fq be a number, if the equation Ax=λx holds, then we call x an eigenvector of A, and call λ an eigenvalue of A corresponding to x.
Theorem 2.2.2 A n×n matrix A is diagonalized if and only if A has n linearly independent eigenvectors.
Theorem 2.2.3 Let A be a n×n diagonalized matrix over Fq, x1, x2, …, xn be n linearly independent unit eigenvectors (column vector) of A, and λ1, λ2, …, λn be corresponding eigenvectors of x1, x2, …, xn respectively. If we have the matrices
$ \mathit{\boldsymbol{P}} = \left[ {{x_1},{x_2}, \cdots ,{x_n}} \right] $ |
$ \mathit{\boldsymbol{ \boldsymbol{\varLambda} }} = \left[ {\begin{array}{*{20}{c}} {{\lambda _1}}&0& \cdots &0\\ 0&{{\lambda _2}}& \cdots &0\\ \vdots&\vdots&\vdots&\vdots \\ 0&0& \cdots &{{\lambda _n}} \end{array}} \right] $ |
then the equation A=PΛP-1 holds.
Theorem 2.2.4 A n order invertible symmetrical matrix must be diagonalized.
Lemma 2.2.5 If A is a n×n invertible symmetrical matrix, then the eigenvectors of corresponding different eigenvalues are orthogonal. Making these linearly independent eigenvector which are corresponding multiple eigenvalue of A are orthogonal to each other by Schmidt orthogonal method, and making them unitization again, we get a group of orthogonal unitization eigenvectors ξ1, ξ2, …, ξn. Denote P=[ξ1, ξ2, …, ξn], obviously, P is an orthogonal matrix and the equation A=PΛP-1 holds.
The above conclusions come from the Pef.[18].
Theorem 2.2.6[19] The number of invertible matrix over Fqn×n is
$ \prod\limits_{j = 0}^{n - 1} {\left( {{q^n} - {q^j}} \right)} = {q^{\frac{{n\left( {n - 1} \right)}}{2}}}\prod\limits_{j = 1}^n {\left( {{q^j} - 1} \right)} $ |
Theorem 2.2.7[18] If for any n order square matrix A, a n order square matrix P satisfying the equation AP=PA, then P is a n order scalar matrix.
2.3 Related Definition of Authentication CodesDefinition 2.3.1[3] Let S, E and M be nonempty set. Assume f: S×E→M is a surjective mapping from S×E to M, if for any given e∈E, m∈M, s satisfying f(s, e)=m is uniquely determined by e and m, then we called the tetrad (S, E, M; f) an authentication code.
2.4 Some Definition and Related Properties of Group TheoryDefinition 2.4.1 Suppose G is a group, H is a subgroup of G, then the number of left (or right) cosets of H in G is called index of H in G, denoted by [G: H].
Theorem 2.4.2 Let G be a finite group. If H is a subgroup of G, then |G|=|H|[G: H].
Definition 2.4.3 Suppose Ω be the object set and the group G effects on Ω, a∈Ω, then Ωa={g(a)|g∈G} is called an orbit of Ω under G, a is called representative element of the orbit.
Definition 2.4.4 Let the group G effect on Ω, a∈Ω, then Ga={g|g∈G, g(a)=a} is called stable subgroup about the element a, denoted by StabGa.
Theorem 2.4.5 For the group G, the orbit Ωa and the stable subgroup Ga, the orbit formula about them is as follows: |Ωa|=[G: Ga].
The above conclusions come from the Ref.[20].
2.5 Some Definition and Properties of the Matrix Over Finite FieldsDefinition 2.5.1 Let S be an n×n invertible symmetric matrix over Fq, a n×n invertible symmetric matrix T is called orthogonal with respect to S, if the following equation holds: TSTT=S.
Theorem 2.5.2 A n×n invertible symmetric matrix over Fq is cogredient to one and only one of the following four normal forms:
$ {\mathit{\boldsymbol{S}}_{2\nu }} = \left[ {\begin{array}{*{20}{c}} 0&{{I^{\left( \nu \right)}}}\\ {{I^{\left( \nu \right)}}}&0 \end{array}} \right] $ |
$ {\mathit{\boldsymbol{S}}_{2\nu + 1,1}} = \left[ {\begin{array}{*{20}{c}} 0&{{I^{\left( \nu \right)}}}&0\\ {{I^{\left( \nu \right)}}}&0&0\\ 0&0&0 \end{array}} \right] $ |
$ {\mathit{\boldsymbol{S}}_{2\nu + 1,z}} = \left[ {\begin{array}{*{20}{c}} 0&{{I^{\left( \nu \right)}}}&0\\ {{I^{\left( \nu \right)}}}&0&0\\ 0&0&z \end{array}} \right] $ |
$ {\mathit{\boldsymbol{S}}_{2\nu + 2}} = \left[ {\begin{array}{*{20}{c}} 0&{{I^{\left( \nu \right)}}}&0&0\\ {{I^{\left( \nu \right)}}}&0&0&0\\ 0&0&1&0\\ 0&0&0&{ - z} \end{array}} \right] $ |
The above is the corresponding form successively when n=2ν, n=2ν+1, n=2ν+1 and n=2ν+2 respectively. In order to cover the four cases at the same time, we introduce the sign S2ν+δ, Δ, where ν is its index, Δ denotes its definite part, the expression of Δ is as follows:
$ \Delta = \left\{ \begin{array}{l} \begin{array}{*{20}{c}} {\phi ,}&{\;\;\;\;\;\;\;\;\;\;\delta = 0} \end{array}\\ \begin{array}{*{20}{c}} {\left( 1 \right){\rm{or}}\left( z \right),}&{\delta = 1} \end{array}\\ \begin{array}{*{20}{c}} {\left[ {\begin{array}{*{20}{c}} 1&0\\ 0&{ - z} \end{array}} \right],}&{\delta = 2} \end{array} \end{array} \right. $ |
Theorem 2.5.3 Denote the set of all matrices which is orthogonal with respect to S2ν+δ, Δ over Fq by O2ν+δ, Δ(Fq), then,
$ {O_{2\nu + \delta ,\Delta \left( {{F_q}} \right)}} = {q^{\nu \left( {\nu + \delta - 1} \right)}}\prod\limits_{i = 1}^\nu {\left( {{q^i} - 1} \right)} \prod\limits_{i = 0}^{\nu + \delta - 1} {\left( {{q^i} + 1} \right)} $ |
The above conclusions come from the Ref.[19].
3 Construction of the Multi-sender Authentication Code 3.1 Construction of the Multi-sender Authentication CodeLet Fq be a finite field of characteristic not 2, with q≥5, A be a nonsingular symmetric matrix over Fqn×n, λ1, λ2, …, λn be eigenvalues of A, ξ1, ξ2, …, ξn be corresponding orthogonal unit eigenvectors, P=[ξ1, ξ2, …, ξn], obviously P is an orthogonal matrix, Λ be a diagonal matrix over Fqn×n, its form is as follows:
$ \mathit{\boldsymbol{ \boldsymbol{\varLambda} }} = \left[ {\begin{array}{*{20}{c}} {{\lambda _1}}&0& \cdots &0\\ 0&{{\lambda _2}}& \cdots &0\\ \vdots&\vdots&\vdots&\vdots \\ 0&0& \cdots &{{\lambda _n}} \end{array}} \right] $ |
From Theorem 2.2.5, we know that A=PΛP-1, Λ=P-1AP. Set α is a primitive element of Fq, N={1, 2, …, n}.
The source states set S=Fq*;
The encoding rules set of the senders is EUi={(λ1, i)|λi∈Fq*, i∈N}(1≤i≤n).
The decoding rules set of the receiver is ER={(P, A, α)|P, A∈Fqn×n, α is a primitive element};
The label set of the sender Ti=Fq*(1≤i≤n);
The label set of the receiver is T=Fq*;
The encoding function of the sender Ui: fi:
$ S \times {E_{{U_i}}} \to {T_i},{f_i}\left( {s,{e_{{U_i}}}} \right) = {\lambda _i}{s^i},1 \le i \le n $ |
The decoding function of the receiver R:
$ g:S \times {E_R} \to T $ |
$ \mathit{\boldsymbol{g}}\left( {s,{e_R}} \right) = \left[ {s,{s^2}, \cdots ,{s^n}} \right]{\mathit{\boldsymbol{P}}^{ - 1}}\mathit{\boldsymbol{AP}}\left[ {\begin{array}{*{20}{c}} \alpha \\ {{\alpha ^2}}\\ \vdots \\ {{\alpha ^n}} \end{array}} \right] $ |
The Multi-sender authentication code works as follows:
1) Key distribution. The key distribution center randomly generates a n×n nonsingular symmetric matrix A over Fq. He computes n eigenvalues and n corresponding orthogonal unit eigenvectors, and selects a eigenvalue randomly, denoted by λi. If λi is a k- tuples eigenvalue, then it is taken k times at most, and it selects a eigenvector from all these orthogonal unit eigenvectors belonging to λi, denoted by ξi, and it sends privately (λi, i) to the sender Ui(1≤i≤n), it means eUi=(λi, i). After all eUi have been sent, ξ1, ξ2, …, ξn will be defined. When he generates the matrix P=[ξ1, ξ2, …, ξn], he selects a primitive elements α of Fq, and sends (A, P, α) to the receiver R, it means eR=(A, P, α).
2) Broadcast. If the senders would like to transmit a source state s∈S to the receiver R, then the sender Ui computes ti=fi(s, eUi)=λisi(1≤i≤n) and sends ti to the synthesizer H.
3) Synthesis.After the synthesizer receives t1, t2, …, tn, it computes h(t1, t2, …, tn)=t1α+t2α2+…+tnαn=t and transmits m=(s, t) to the receiver R.
4) Verification. When the receiver R receives m=(s, t), it calculates
$ t' = g\left( {s,{e_R}} \right) = \left[ {s,{s^2}, \cdots ,{s^n}} \right]{\mathit{\boldsymbol{P}}^{ - 1}}\mathit{\boldsymbol{AP}}\left[ {\begin{array}{*{20}{c}} \alpha \\ {{\alpha ^2}}\\ \vdots \\ {{\alpha ^n}} \end{array}} \right] $ |
If t=t′, it accepts t; If not, it rejects it.
From the definition of these parameters, we know when there is no attack.
$\begin{array}{l} t' = \left[ {s,{s^2}, \cdots ,{s^n}} \right]{\mathit{\boldsymbol{P}}^{ - 1}}\mathit{\boldsymbol{AP}}\left[ {\begin{array}{*{20}{c}} \alpha \\ {{\alpha ^2}}\\ \vdots \\ {{\alpha ^n}} \end{array}} \right] = \\ \left[ {s,{s^2}, \cdots ,{s^n}} \right]\mathit{\boldsymbol{ \boldsymbol{\varLambda} }}\left[ {\begin{array}{*{20}{c}} \alpha \\ {{\alpha ^2}}\\ \vdots \\ {{\alpha ^n}} \end{array}} \right] = \\ \left[ {s,{s^2}, \cdots ,{s^n}} \right]\left[ {\begin{array}{*{20}{c}} {{\lambda _1}}&0& \cdots &0\\ 0&{{\lambda _2}}& \cdots &0\\ \vdots&\vdots&\vdots&\vdots \\ 0&0& \cdots &{{\lambda _n}} \end{array}} \right]\left[ {\begin{array}{*{20}{c}} \alpha \\ {{\alpha ^2}}\\ \vdots \\ {{\alpha ^n}} \end{array}} \right] = \\ {\lambda _1}s\alpha + {\lambda _2}{s^2}{\alpha ^2} + \cdots + {\lambda _n}{s^n}{\alpha ^n} = \\ {t_1}\alpha + {t_2}{\alpha ^2} + \cdots + {t_n}{\alpha ^n} = t \end{array} $ |
Lemma 3.2.1 Let Ci=(S, EUi, Ti; fi)(1≤i≤n). Then the code is an A-code for the sender.
Proof For any eUi∈EUi, s∈S, because EUi=(Fq*, N), S=Fq*, so ti=λisi∈Fq*=Ti. For any ti∈Ti=Fq*, because Fq* forms a cyclic group and the primitive element α of Fq is a generator of Fq*, so we can assume ti=αk. We choose eUi=(λi, i)=(αk-i, i)∈(Fq*, N)=EUi, then there is s=α such that fi(s, eUi)=λisi=αk-i·αi=αk=ti holds, so fi is surjective.
If s′∈S is another source state satisfying ti=λisi(1≤i≤n), that is,
$ \left[ {s',{{s'}^2}, \cdots ,{{s'}^n}} \right]\left[ {\begin{array}{*{20}{c}} {{\lambda _1}}&0& \cdots &0\\ 0&{{\lambda _2}}& \cdots &0\\ \vdots&\vdots&\vdots&\vdots \\ 0&0& \cdots &{{\lambda _n}} \end{array}} \right]\left[ {\begin{array}{*{20}{c}} t\\ {{t^2}}\\ \vdots \\ {{t^n}} \end{array}} \right] $ |
then
$ \begin{array}{*{20}{c}} {\left[ {s',{{s'}^2}, \cdots ,{{s'}^n}} \right]\left[ {\begin{array}{*{20}{c}} {{\lambda _1}}&0& \cdots &0\\ 0&{{\lambda _2}}& \cdots &0\\ \vdots&\vdots&\vdots&\vdots \\ 0&0& \cdots &{{\lambda _n}} \end{array}} \right] = \left[ {\begin{array}{*{20}{c}} t\\ {{t^2}}\\ \vdots \\ {{t^n}} \end{array}} \right] = }\\ {\left[ {s,{s^2}, \cdots ,{s^n}} \right]\left[ {\begin{array}{*{20}{c}} {{\lambda _1}}&0& \cdots &0\\ 0&{{\lambda _2}}& \cdots &0\\ \vdots&\vdots&\vdots&\vdots \\ 0&0& \cdots &{{\lambda _n}} \end{array}} \right]} \end{array} $ |
and
$ \left[ {s - s',{s^2} - {{s'}^2}, \cdots ,{s^n} - {{s'}^n}} \right]\left[ {\begin{array}{*{20}{c}} {{\lambda _1}}&0& \cdots &0\\ 0&{{\lambda _2}}& \cdots &0\\ \vdots&\vdots&\vdots&\vdots \\ 0&0& \cdots &{{\lambda _n}} \end{array}} \right] = 0 $ |
Because λi∈Fq*, that is, λi≠0, so
$\left[ {\begin{array}{*{20}{c}} {{\lambda _1}}&0& \cdots &0\\ 0&{{\lambda _2}}& \cdots &0\\ \vdots&\vdots&\vdots&\vdots \\ 0&0& \cdots &{{\lambda _n}} \end{array}} \right] $ |
is invertible. Therefore [s-s′, s2-s′2, …, sn-s′n]=[0, 0, …, 0], then s′=s, that is, s is the unique source state determined by eUi and ti.
In conclusion, Ci(1≤i≤n) is an A-code for the senders.
Lemma 3.2.2 Let C=(S, ER, T; g), then the code is an A-code for the receiver.
Proof (1) For any s∈S, eR∈ER, because S=Fq*, ER={(P, A, α)|P, A∈Fqn×n, α is a primitive element}, then
$ \begin{array}{l} g\left( {s,{e_R}} \right) = \left[ {s,{s^2}, \cdots ,{s^n}} \right]{\mathit{\boldsymbol{P}}^{ - 1}}\mathit{\boldsymbol{AP}}{\left[ {\alpha ,{\alpha ^2}, \cdots ,{\alpha ^n}} \right]^{\rm{T}}} = \\ \;\;\;\;\;\;t \in F_q^ * \end{array} $ |
otherwise, we suppose
$ \left[ {s,{s^2}, \cdots ,{s^n}} \right]{\mathit{\boldsymbol{P}}^{ - 1}}\mathit{\boldsymbol{AP}}{\left[ {\alpha ,{\alpha ^2}, \cdots ,{\alpha ^n}} \right]^{\rm{T}}} = t = 0 $ |
Because α1, α2, …, αn is linearly independent, so [s, s2, …, sn]P-1AP=0, but P-1AP is invertible, so [s, s2, …, sn]=[0, 0, …, 0], that is, s=0, it is a contradiction to s∈S=Fq*.Meanwhile, for any t∈T, we choose eR∈ER. Since s∈S such that g(s, eR)=t holds, then
$ \left[ {s,{s^2}, \cdots ,{s^n}} \right]\left[ {\begin{array}{*{20}{c}} {{\lambda _1}}&0& \cdots &0\\ 0&{{\lambda _2}}& \cdots &0\\ \vdots&\vdots&\vdots&\vdots \\ 0&0& \cdots &{{\lambda _n}} \end{array}} \right]\left[ {\begin{array}{*{20}{c}} \alpha \\ {{\alpha ^2}}\\ \vdots \\ {{\alpha ^n}} \end{array}} \right] = t $ |
It is equivalent to
$\left[ {{\alpha _1},{\alpha _2}, \cdots ,{\alpha _n}} \right]\left[ {\begin{array}{*{20}{c}} {{\lambda _1}}&0& \cdots &0\\ 0&{{\lambda _2}}& \cdots &0\\ \vdots&\vdots&\vdots&\vdots \\ 0&0& \cdots &{{\lambda _n}} \end{array}} \right]\left[ {\begin{array}{*{20}{c}} s\\ {{s^2}}\\ \vdots \\ {{s^n}} \end{array}} \right] = t $ |
Let x1=s, x2=s2, …, xn=sn be unknown variable, getting the matrix B as follows:
$ \mathit{\boldsymbol{B}} = \left[ {{\alpha _1},{\alpha _2}, \cdots ,{\alpha _n}} \right]\left[ {\begin{array}{*{20}{c}} {{\lambda _1}}&0& \cdots &0\\ 0&{{\lambda _2}}& \cdots &0\\ \vdots&\vdots&\vdots&\vdots \\ 0&0& \cdots &{{\lambda _n}} \end{array}} \right] $ |
So getting a system of linear equations in the variables
$ {x_1},{x_2}, \cdots ,{x_n}:\mathit{\boldsymbol{B}}\left[ {\begin{array}{*{20}{c}} {{x_1}}\\ {{x_2}}\\ \vdots \\ {{x_n}} \end{array}} \right] = t $ |
where B is the coefficient matrix of the system of linear equations. Obviously rank(B)=1, B=[B, t] is the augmented matrix the system of linear equations, from the definition of α, λi, t, we know rank(B)=1, that is, rank (B)=rank(B)=1.Therefore, from Theorem 2.2.8, the system of linear equations has solution, that is, there exists s satisfying g(s, eR)=t. So g is surjective.
(2) If s′ is another source state satisfying t=g(s′, eR), so get
$ \begin{array}{*{20}{c}} {\left[ {s',{{s'}^2}, \cdots ,{{s'}^n}} \right]\left[ {\begin{array}{*{20}{c}} {{\lambda _1}}&0& \cdots &0\\ 0&{{\lambda _2}}& \cdots &0\\ \vdots&\vdots&\vdots&\vdots \\ 0&0& \cdots &{{\lambda _n}} \end{array}} \right]\left[ {\begin{array}{*{20}{c}} \alpha \\ {{\alpha ^2}}\\ \vdots \\ {{\alpha ^n}} \end{array}} \right] = t = }\\ {\left[ {s,{s^2}, \cdots ,{s^n}} \right]\left[ {\begin{array}{*{20}{c}} {{\lambda _1}}&0& \cdots &0\\ 0&{{\lambda _2}}& \cdots &0\\ \vdots&\vdots&\vdots&\vdots \\ 0&0& \cdots &{{\lambda _n}} \end{array}} \right]\left[ {\begin{array}{*{20}{c}} \alpha \\ {{\alpha ^2}}\\ \vdots \\ {{\alpha ^n}} \end{array}} \right]}\\ {\left[ {s - s',{s^2} - {{s'}^2}, \cdots ,{s^n} - {{s'}^n}} \right]\left[ {\begin{array}{*{20}{c}} {{\lambda _1}}&0& \cdots &0\\ 0&{{\lambda _2}}& \cdots &0\\ \vdots&\vdots&\vdots&\vdots \\ 0&0& \cdots &{{\lambda _n}} \end{array}} \right]\left[ {\begin{array}{*{20}{c}} \alpha \\ {{\alpha ^2}}\\ \vdots \\ {{\alpha ^n}} \end{array}} \right]{\rm{ = }}0}\\ {\left[ {{\alpha _1},{\alpha _2}, \cdots ,{\alpha _n}} \right]\left[ {\begin{array}{*{20}{c}} {{\lambda _1}}&0& \cdots &0\\ 0&{{\lambda _2}}& \cdots &0\\ \vdots&\vdots&\vdots&\vdots \\ 0&0& \cdots &{{\lambda _n}} \end{array}} \right]\left[ {\begin{array}{*{20}{c}} {s - s'}\\ {{s^2} - {{s'}^2}}\\ \vdots \\ {{s^n} - {{s'}^n}} \end{array}} \right] = 0} \end{array} $ | (1) |
Because α is primitive element, from Theorem 2.1.4, we know that α, α2, …, αn linearly independent. So
$ \left[ \begin{array}{c} {\lambda _1}\;\;0\;\; \cdots \;\;0\\ 0\;\;{\lambda _2}\;\; \cdots \;\;0\\ \vdots \;\;\; \vdots \;\;\; \vdots \;\;\;\;\; \vdots \\ 0\;\;0\;\; \cdots \;\;{\lambda _n} \end{array} \right]\left[ \begin{array}{l} s - s'\\ {s^2} - {{s'}^2}\\ \vdots \\ {s^n} - {{s'}^n} \end{array} \right] = 0 $ |
Because λi≠0 1≤i≤n,
$ \left[ {\begin{array}{*{20}{c}} {{\lambda _1}}&0& \cdots &0\\ 0&{{\lambda _2}}& \cdots &0\\ \vdots&\vdots&\vdots&\vdots \\ 0&0& \cdots &{{\lambda _n}} \end{array}} \right] $ |
is invertible. Therefore, the above system of the Eq.(1) has only zero solution. Then
$ \left[ {s - s',{s^2} - {{s'}^2}, \cdots ,{s^n} - {{s'}^n}} \right]{\rm{ = }}\left[ {0,0, \cdots ,0} \right] $ |
So s-s′=0, s′=s, that is, s satisfying g(s, eR)=t is the unique determined by eR and t.
In conclusion, the code is an A-code for the receiver.
From Lemmas 3.2.1 and 3.2.2, it can be seen that the construction of this Multi-sender authentication code is reasonable. Next, we will begin to calculate the relevant parameters of constructed Multi-sender authentication code.
3.3 Computation of the Relevant Parameters About the Constructed Authentication CodeLemma 3.3.1 Some relevant parameters of Multi-sender authentication code are as follows:
$ \begin{array}{*{20}{c}} {\left| S \right| = q - 1,\left| T \right| = q - 1,\left| {{T_i}} \right| = q - 1}\\ {{E_{{U_i}}} = n\left( {q - 1} \right)\left( {1 \le i \le n} \right)} \end{array} $ |
Proof From the definitions of S, T, Ti and EUi, these results are obvious.
Theorem 3.3.2 Let A be n×n invertible symmetrical matrix over Fq. If A is cogredient to S2υ+δ, Δ of Theorem 2.5.2, where 2υ+Δ=n, then the number of such A is:
$ \mathit{\Theta } = \frac{{{q^{n\left( {n - 1} \right)}}\prod\limits_{j = 1}^n {\left( {{q^j} - 1} \right)} }}{{{q^{v\left( {v + \delta - 1} \right)}}\prod\limits_{i = 1}^v {\left( {{q^i} - 1} \right)} \prod\limits_{i = 0}^{v + \delta - 1} {\left( {{q^i} + 1} \right)} }} $ |
Proof Let G be the set of all invertible matrix over Fqn×n. Obviously, (G, ×) is a group, where × is the multiplication with matrix, Ω be the set of all invertible symmetrical matrix over Fqn×n. Choose S2υ+δ∈Ω. We assume that Ω forms an orbit under G, ΩS2υ+δ={T(S2υ+δ, Δ)T∈G}, where T satisfies T(S)=TSTT. Obviously, T(S) is cogredient to S, then the stable subgroup of S2υ+δ, Δis:
$ {G_{{S_{2v + \delta ,\Delta }}}} = \left\{ {\mathit{\boldsymbol{T}}\left| {\mathit{\boldsymbol{T}} \in G} \right.,\mathit{\boldsymbol{T}}\left( {{S_{2v + \delta ,\Delta }}} \right) = {S_{2v + \delta ,\Delta }}} \right\} $ |
T contained in GS2υ+δ, Δ satisfies the equation T(S2υ+δ, Δ)=TS2υ+δ, ΔTT=S2υ+δ, Δ. According to Definition 2.5.1, T is orthogonal with respect to S2υ+δ, Δ, GS2υ+δ, Δ is composed of all T orthogonal with respect to S2υ+δ, Δ. Therefore, from Theorem 2.5.3, we know that
$ \begin{array}{l} \left| {{G_{{S_{2v + \delta ,\Delta }}}}} \right| = \left| {{O_{{S_{2v + \delta ,\Delta }}}}\left( {{F_q}} \right)} \right| = \\ \;\;\;{q^{v\left( {v + \delta - 1} \right)}}\prod\limits_{i = 1}^v {\left( {{q^i} - 1} \right)} \prod\limits_{i = 0}^{v + \delta - 1} {\left( {{q^i} + 1} \right)} \end{array} $ |
Therefore, by Theorem 2.4.4 and Theorem 2.4.7, we get
$ \left| {{\mathit{\Omega }_{{S_{2v + \delta ,\Delta }}}}} \right| = \left| {G:{G_{{S_{2v + \delta ,\Delta }}}}} \right| = \frac{{\left| G \right|}}{{\left| {{G_{{S_{2v + \delta ,\Delta }}}}} \right|}} $ |
Because G is the set of all invertible matrices over Fqn×n again, by Theorem 2.2.6, we know
$ \begin{array}{l} \left| {{\mathit{\Omega }_{{S_{2v + \delta ,\Delta }}}}} \right| = \frac{{\left| G \right|}}{{\left| {{G_{{S_{2v + \delta ,\Delta }}}}} \right|}} = \\ \;\;\;\;\;\;\frac{{{q^{n\left( {n - 1} \right)}}\prod\limits_{j = 1}^n {\left( {{q^j} - 1} \right)} }}{{{q^{v\left( {v + \delta - 1} \right)}}\prod\limits_{i = 1}^v {\left( {{q^i} - 1} \right)} \prod\limits_{i = 0}^{v + \delta - 1} {\left( {{q^i} + 1} \right)} }} \end{array} $ |
Since ΩS2υ+δ, Δ is made up of all elements A which are cogredient to S2υ+δ, Δ, |ΩS2υ+δ, Δ| is equal to the number of invertible symmetrical matrix over Fqn×n cogredienting to S2υ+δ, Δ, that is,
$ \mathit{\Theta } = \frac{{{q^{n\left( {n - 1} \right)}}\prod\limits_{j = 1}^n {\left( {{q^j} - 1} \right)} }}{{{q^{v\left( {v + \delta - 1} \right)}}\prod\limits_{i = 1}^v {\left( {{q^i} - 1} \right)} \prod\limits_{i = 0}^{v + \delta - 1} {\left( {{q^i} + 1} \right)} }} $ |
Lemma 3.3.3 If α is a primitive element of Fq, then there are φ(n-1) choices for α, where φ(n-1) expresses the number of less than q-1 and relatively prime to q-1.
Proof Because α is a primitive element of Fq, by Definition 2.1.3, α is a generator of Fq*, the order of α is m, from the properties of generator, m=|Fq*|=q-1. If k is an integer that relatively prime to m, by Theorem 2.1.5, αk is a generator of Fq*, that is, αk is a primitive element of Fq.
When k > m, αk=αk-m and k-m relatively prime to m, the number of generator in Fq* is equal to the number of positive integer less than m and relatively prime with m, because m=q-1. Therefore, there are φ(n-1) choices of α.
Lemma 3.3.4
$ \left| {{E_R}} \right| = \mathit{\Theta }\varphi \left( {q - 1} \right)n!\prod\limits_{i = 1}^m {\frac{{{q^{{s_i}\left( {{s_i} - 1} \right)/2}}\prod\limits_{j = 1}^{{s_i}} {\left( {{q^j} - 1} \right)} }}{{{\mathit{\boldsymbol{s}}_i}!}}} $ |
where Θ is given by Theorem 3.3.2, si means the multiple number of the eigenvalue λi and when i≠j, λi≠λj, 1≤i, j≤m,
Proof For any given n×n invertible symmetrical matrix A over Fq, it has m eigenvalues λ1, λ2, …, λm and they are different from each other, where λi is si multiple eigenvalues, 1≤i≤m≤n and
$ \prod\limits_{j = 0}^{{s_i} - 1} {\left( {{q^{{s_i}}} - {q^j}} \right)} = {q^{{s_i}\left( {{s_i} - 1} \right)/2}}\prod\limits_{j = 1}^{{s_i}} {\left( {{q^j} - 1} \right)} $ |
Once the basic solutions system of λiE-A is determined, then si linearly independent eigenvectors of λi are also unique determined and these eigenvectors are in order, when these eigenvectors are no order, suppose there are ki possible choices for si eigenvectors, then there is the equation:
$ {k_i}{s_i}! = {q^{{s_i}\left( {{s_i} - 1} \right)/2}}\prod\limits_{j = 1}^{{s_i}} {\left( {{q^j} - 1} \right)} $ |
so
$ {k_i} = \frac{{{q^{{s_i}\left( {{s_i} - 1} \right)/2}}\prod\limits_{j = 1}^{{s_i}} {\left( {{q^j} - 1} \right)} }}{{{s_i}!}} $ |
By Schmidt orthogonal method, because the results of the orthogonality of the vector group x1, x2, …, xn and the vector group kx1, kx2, …, kxn (k≠0) are the same, so there are
$ \frac{{{k_i}}}{{q - 1}} = \frac{{{q^{\frac{{{s_i}\left( {{s_i} - 1} \right)}}{2}}}\prod\limits_{j = 1}^{{s_i}} {\left( {{q^j} - 1} \right)} }}{{\left( {q - 1} \right){s_i}!}} $ |
choice for si unit eigenvectors of corresponding to λi. Therefore, for any given matrix A, the number of ξ1, ξ2, …, ξn possible choice is
$ \prod\limits_{i = 1}^m {\frac{{{k_i}}}{{q - 1}}} = \prod\limits_{i = 1}^m {\frac{{{q^{\frac{{{s_i}\left( {{s_i} - 1} \right)}}{2}}}\prod\limits_{j = 1}^{{s_i}} {\left( {{q^j} - 1} \right)} }}{{\left( {q - 1} \right){s_i}!}}} $ |
where ξ1, ξ2, …, ξn are no order.
From the construction method of P from the above, every possible choice of P all is a permutation for ξ1, ξ2, …, ξn, therefore, for any given ξ1, ξ2, …, ξn, there are n! possible choice of P. So for any given A, the number of all possible cases of P is
$ n!\prod\limits_{i = 1}^m {\frac{{{q^{\frac{{{s_i}\left( {{s_i} - 1} \right)}}{2}}}\prod\limits_{j = 1}^{{s_i}} {\left( {{q^j} - 1} \right)} }}{{\left( {q - 1} \right){s_i}!}}} $ |
Because eR=(A, P, α), where there are Θ possible cases for A, the number of P is
$ n!\prod\limits_{i = 1}^m {\frac{{{q^{\frac{{{s_i}\left( {{s_i} - 1} \right)}}{2}}}\prod\limits_{j = 1}^{{s_i}} {\left( {{q^j} - 1} \right)} }}{{\left( {q - 1} \right){s_i}!}}} $ |
and there are φ(n-1) choice for α.Therefore, there are
$ \mathit{\Theta }n!\prod\limits_{i = 1}^m {\frac{{{q^{\frac{{{s_i}\left( {{s_i} - 1} \right)}}{2}}}\prod\limits_{j = 1}^{{s_i}} {\left( {{q^j} - 1} \right)} }}{{\left( {q - 1} \right){s_i}!}}} $ |
choice for eR=(A, P, α). That is,
$ \left| {{E_R}} \right| = \mathit{\Theta }\varphi \left( {q - 1} \right)n!\prod\limits_{i = 1}^m {\frac{{{q^{\frac{{{s_i}\left( {{s_i} - 1} \right)}}{2}}}\prod\limits_{j = 1}^{{s_i}} {\left( {{q^j} - 1} \right)} }}{{\left( {q - 1} \right){s_i}!}}} $ |
Lemma 3.3.5 For each m∈M, the number of eR contained in m is 2φ3(q-1).
Proof For each
$ m\left( {s,t} \right) \in M,{e_R} = \left( {P,A,\alpha } \right) \in {E_R} $ |
if eR⊂m, then
$ \begin{array}{l} g\left( {s,{e_R}} \right) = \\ \;\;\;\left[ {s,{s^2}, \cdots ,{s^n}} \right]{\mathit{\boldsymbol{P}}^{ - 1}}\mathit{\boldsymbol{AP}}{\left[ {\alpha ,{\alpha ^2}, \cdots ,{\alpha ^n}} \right]^{\rm{T}}} = \\ \;\;\;\left[ {s,{s^2}, \cdots ,{s^n}} \right]\mathit{\boldsymbol{ \boldsymbol{\varLambda} }}{\left[ {\alpha ,{\alpha ^2}, \cdots ,{\alpha ^n}} \right]^{\rm{T}}} = t \end{array} $ |
For any α, suppose there is another Λ′ such than [s, s2, …, sn]Λ′[α, α2, …, αn]T=t. We have
$ \left[ {s,{s^2}, \cdots ,{s^n}} \right]\left( {\mathit{\boldsymbol{ \boldsymbol{\varLambda} }} - \mathit{\boldsymbol{ \boldsymbol{\varLambda} '}}} \right){\left[ {\alpha ,{\alpha ^2}, \cdots ,{\alpha ^n}} \right]^{\rm{T}}} = 0 $ |
Because α, α2, …, αn are linearly independent, we get [s, s2, …, sn](Λ-Λ′)=0, from [s, s2, …, sn] is arbitrarily, we have Λ-Λ′=0, that is, Λ=Λ′. Therefore, Λ is only determined by α, so the number of α is φ(q-1).
In the following, we will discuss when Λ is determined, the number of A and P satisfying P-1AP. Let G be the set of all invertible matrix over Fqn×n. Obviously, (G, ×) is a group, where "×" is multiplication with matrix. Let Ω be the set of all invertible symmetrical matrix over Fqn×n. We choose A∈Ω and assume Ω forms an orbit ΩA under the action of G: ΩA={P(A)|P∈G}, where P(A)=P-1AP, then stable subgroup of A is GA={P|P∈G, P(A)=A}, P contained in GA satisfies the equation P(A)=P-1AP=A i.e. AP=PA. By Theorem 2.2.7, such P is scalar matrix λE, because P∈G is an orthogonal matrix, PPT=E. So λ=±1, P=±E, where E is a n order unit matrix. Then |GA|=2.
From the orbit formula and the Lagrange theorem, we know that |G|=|ΩA|·|GA|. Now because the elements of ΩA taking the form P(A)=P-1AP and P-1AP is only determined by α, for P-1AP, there are φ(q-1) possible cases, that is, |ΩA|=φ(q-1). So |G|=2φ(q-1), that is, there are 2φ(q-1) possible choices for P.
Because |ΩA| is the number of all A turned into diagonal matrix by the similarity transformation P-1AP, therefore, the number of A is φ(q-1) now. So when P-1AP is determined, the number of (A, P) is 2φ2(q-1). In summary, the number of the triple (A, P, α) satisfying the known condition is 2φ3(q-1), that is, the number of eR which is contained in m is 2φ3(q-1).
Lemma 3.3.6 For each m=(s, t)∈M, and m′=(s′, t′)∈m′ with s≠s′, the number of eR which is contained m and m′ is 2φ2(q-1).
Proof We assume eR=(P, A, α). If eR⊂m and eR⊂m′, then
$ \begin{array}{*{20}{c}} {g\left( {s',{e_R}} \right) = \left[ {s',{{s'}^2}, \cdots ,{{s'}^n}} \right]{\mathit{\boldsymbol{P}}^{ - 1}}\mathit{\boldsymbol{AP}}{{\left[ {\alpha ,{\alpha ^2}, \cdots ,{\alpha ^n}} \right]}^{\rm{T}}} = }\\ {\left[ {s',{{s'}^2}, \cdots ,{{s'}^n}} \right]\mathit{\boldsymbol{ \boldsymbol{\varLambda} }}{{\left[ {\alpha ,{\alpha ^2}, \cdots ,{\alpha ^n}} \right]}^{\rm{T}}} = t'} \end{array} $ |
Furthermore, we obtain
$ \left[ {s - s',{s^2} - {{s'}^2}, \cdots ,{s^n} - {{s'}^n}} \right]\mathit{\boldsymbol{ \boldsymbol{\varLambda} }}{\left[ {\alpha ,{\alpha ^2}, \cdots ,{\alpha ^n}} \right]^{\rm{T}}} = t - t' $ |
If t=t′, then t-t′=0. Since α, α2, …, αn is linearly independent,
$ \left[ {s - s',{s^2} - {{s'}^2}, \cdots ,{s^n} - {{s'}^n}} \right]\mathit{\boldsymbol{ \boldsymbol{\varLambda} }} = 0 $ |
Because Λ is invertible, we get
$ \left[ {s - s',{s^2} - {{s'}^2}, \cdots ,{s^n} - {{s'}^n}} \right] = 0 $ |
so s=s′, it is contradiction with the known conditions. So t≠t′, t-t′≠0. We obtain
$ {\left( {t - t'} \right)^{ - 1}}\left\lfloor {\left[ {s - s',{s^2} - {{s'}^2}, \cdots ,{s^n} - {{s'}^n}} \right]\mathit{\boldsymbol{ \boldsymbol{\varLambda} }}{{\left[ {\alpha ,{\alpha ^2}, \cdots ,{\alpha ^n}} \right]}^{\rm{T}}}} \right\rfloor = 1 $ |
For any given m=(s, t), m′=(s′, t′), where s, s′, t and t′ are only determined. From the uniqueness of inverse element over finite fields, Λ[α, α2, …, αn]T is only determined. From the properties of Λ and α, we know that such Λ and α are also only determined respectively. Similar to the proof of Lemma 3.3.5, the number of two-tuple (A, P) is 2φ2(q-1). So the number of eR which is contained m and m′ is 2φ2(q-1).
Lemma 3.3.7 For each eU containing a given eL, the number of eR which is incidence with eU is
$ \left| {{E_R}} \right| = \mathit{\Theta }\varphi \left( {q - 1} \right)n!\prod\limits_{i = 1}^m {\frac{{{q^{{s_i}\left( {{s_i} - 1} \right)/2}}\prod\limits_{j = 1}^{{s_i}} {\left( {{q^j} - 1} \right)} }}{{\left( {q - 1} \right){s_i}!}}} $ |
Proof From the above construction methods and the properties of eU and eR, we know that for any source state s,
$ \left| {{E_R}} \right| = \mathit{\Theta }\varphi \left( {q - 1} \right)n!\prod\limits_{i = 1}^m {\frac{{{q^{{s_i}\left( {{s_i} - 1} \right)/2}}\prod\limits_{j = 1}^{{s_i}} {\left( {{q^j} - 1} \right)} }}{{\left( {q - 1} \right){s_i}!}}} $ |
Lemma 3.3.8 For each eU containing a given eL, and m=(s, t), the number of eR which is incidence with eU and contained in m is 2φ2(q-1).
Proof For any s∈S, eR∈ER, from Lemma 3.3.7, we know that for any given eU, all of eR are incidence with eU Because eR⊂m, so
$ \begin{array}{*{20}{c}} {g\left( {s,{e_R}} \right) = \left[ {s,{s^2}, \cdots ,{s^n}} \right]{\mathit{\boldsymbol{P}}^{ - 1}}\mathit{\boldsymbol{AP}}{{\left[ {\alpha ,{\alpha ^2}, \cdots ,{\alpha ^n}} \right]}^{\rm{T}}} = }\\ {\left[ {s,{s^2}, \cdots ,{s^n}} \right]\mathit{\boldsymbol{ \boldsymbol{\varLambda} }}{{\left[ {\alpha ,{\alpha ^2}, \cdots ,{\alpha ^n}} \right]}^{\rm{T}}} = t} \end{array} $ |
Furthermore, t-1[s, s2, …, sn]Λ[α, α2, …, αn]T=1.
Similar to Lemma 3.3.6, it can be seen that Λ[α, α2, …, αn]T is uniquely determined. Therefore, the number of eR which is incidence with eU and contained in m is 2φ2(q-1).
3.4 Computation of the Attack Probability About the Authentication CodeTheorem 3.4.1 In the constructed Multi-sender authentication code, if the senders' encoding rules and the receiver's decoding rules are chosen conforming to a uniform probability distribution, then the largest probabilities of success for different types of spoofing attack respectively are:
$ {P_I} = \frac{{2{\varphi ^2}\left( {q - 1} \right)}}{{n!\frac{{{q^{n\left( {n - 1} \right)/2}}\prod\limits_{j = 1}^n {\left( {{q^j} - 1} \right)} }}{{{q^{v\left( {v + \delta - 1} \right)}}\prod\limits_{i = 1}^v {\left( {{q^j} - 1} \right)} \prod\limits_{i = 0}^{v + \delta - 1} {\left( {{q^i} + 1} \right)} }}\prod\limits_{i = 1}^m {\frac{{{q^{{s_i}\left( {{s_i} - 1} \right)/2}}\prod\limits_{j = 1}^{{s_i}} {\left( {{q^j} - 1} \right)} }}{{\left( {q - 1} \right){s_i}!}}} }} $ |
$ {P_S} = \frac{1}{{\varphi \left( {n - 1} \right)}} $ |
$ {P_U}\left( L \right) = \frac{{2\varphi \left( {q - 1} \right)}}{{n!\frac{{{q^{n\left( {n - 1} \right)/2}}\prod\limits_{j = 1}^n {\left( {{q^j} - 1} \right)} }}{{{q^{v\left( {v + \delta - 1} \right)}}\prod\limits_{i = 1}^v {\left( {{q^i} - 1} \right)} \prod\limits_{i = 0}^{v + \delta - 1} {\left( {{q^i} + 1} \right)} }}\prod\limits_{i = 1}^m {\frac{{{q^{{s_i}\left( {{s_i} - 1} \right)/2}}\prod\limits_{j = 1}^{{s_i}} {\left( {{q^j} - 1} \right)} }}{{\left( {q - 1} \right){s_i}!}}} }} $ |
Proof By Lemma 3.3.4 and Lemma 3.3.5,
$ \begin{array}{*{20}{c}} {{P_I} = \mathop {\max }\limits_{m \in M} \left\{ {\frac{{\left| {\left\{ {{e_R} \in {E_R}\left| {{e_R} \subset m} \right.} \right\}} \right|}}{{\left| {{E_R}} \right|}}} \right\} = \frac{{2{\varphi ^3}\left( {q - 1} \right)}}{{\mathit{\Theta }\varphi \left( {q - 1} \right)n!\prod\limits_{i = 1}^m {\frac{{{q^{{s_i}\left( {{s_i} - 1} \right)/2}}\prod\limits_{j = 1}^{{s_i}} {\left( {{q^j} - 1} \right)} }}{{\left( {q - 1} \right){s_i}!}}} }} = }\\ {\frac{{2{\varphi ^2}\left( {q - 1} \right)}}{{n!\frac{{{q^{n\left( {n - 1} \right)/2}}\prod\limits_{j = 1}^n {\left( {{q^j} - 1} \right)} }}{{{q^{v\left( {v + \delta - 1} \right)}}\prod\limits_{i = 1}^v {\left( {{q^i} - 1} \right)} \prod\limits_{i = 0}^{v + \delta - 1} {\left( {{q^i} + 1} \right)} }}\prod\limits_{i = 1}^m {\frac{{{q^{{s_i}\left( {{s_i} - 1} \right)/2}}\prod\limits_{j = 1}^{{s_i}} {\left( {{q^j} - 1} \right)} }}{{\left( {q - 1} \right){s_i}!}}} }}} \end{array} $ |
By Lemma 3.3.5 and Lemma 3.3.6, we get
$ {P_S} = \mathop {\max }\limits_{m \in M} \left\{ {\frac{{\mathop {\max }\limits_{m \ne m' \in M} \left| {\left\{ {{e_R} \in {E_R}\left| {{e_R} \subset m,m'} \right.} \right\}} \right|}}{{\left| {\left\{ {{e_R} \in {E_R}\left| {{e_R} \subset m} \right.} \right\}} \right|}}} \right\} = \frac{{2{\varphi ^2}\left( {q - 1} \right)}}{{2{\varphi ^3}\left( {q - 1} \right)}} = \frac{1}{{\varphi \left( {q - 1} \right)}} $ |
By Lemma 3.3.7 and Lemma 3.3.8, we get
$ \begin{array}{l} {P_U}\left( L \right) = \mathop {\max }\limits_{{e_L} \in {E_{L,}}} \mathop {\max }\limits_{{e_L} \in {e_u}} \left\{ {\frac{{\mathop {\max }\limits_{m \in M} \left| {\left\{ {{e_R} \in {E_R}\left| {{e_R} \subset m,} \right.{\rm{and}}\;p\left( {{e_R},{e_U}} \right) \ne 0} \right\}} \right|}}{{\left| {\left\{ {{e_R} \in {E_R}\left| {p\left( {{e_R},{e_U}} \right) \ne 0} \right.} \right\}} \right|}}} \right\} = \frac{{2{\varphi ^2}\left( {q - 1} \right)}}{{\mathit{\Theta }\varphi \left( {q - 1} \right)n!\prod\limits_{i = 1}^m {\frac{{{q^{{s_i}\left( {{s_i} - 1} \right)/2}}\prod\limits_{j = 1}^{{s_i}} {\left( {{q^j} - 1} \right)} }}{{\left( {q - 1} \right){s_i}!}}} }} = \\ \frac{{2\varphi \left( {q - 1} \right)}}{{n!\frac{{{q^{n\left( {n - 1} \right)/2}}\prod\limits_{j = 1}^n {\left( {{q^j} - 1} \right)} }}{{{q^{v\left( {v + \delta - 1} \right)}}\prod\limits_{i = 1}^v {\left( {{q^i} - 1} \right)} \prod\limits_{i = 0}^{v + \delta - 1} {\left( {{q^i} + 1} \right)} }}\prod\limits_{i = 1}^m {\frac{{{q^{{s_i}\left( {{s_i} - 1} \right)/2}}\prod\limits_{j = 1}^{{s_i}} {\left( {{q^j} - 1} \right)} }}{{\left( {q - 1} \right){s_i}!}}} }} \end{array} $ |
[1] |
Gilbert E N, Macwiliams F J, Sloan N J. Codes which detect deception. Bell Labs Technical Journal, 1974, 53(3): 405-424. DOI:10.1002/j.1538-7305.1974.tb02751.x (0) |
[2] |
Desmedt Y, Frankel Y, Yung M. Multer-receiver/Multi-sender network security:Efficient authenticated multicast/feedback. INFOCOM '92. Eleventh Annual Joint Conference of the IEEE Computer and Communications Societies. Piscataway: IEEE, 1992: 2045-2054. DOI:10.1109/INFCOM.1992.263476
(0) |
[3] |
Pei Dingyi. Message Authentication Codes. AnHui: China University of Science and Technology Press, 2009.
(0) |
[4] |
Chen Shangdi, Chang Lizhen. Two constructions of Multi-sender authentication codes with arbitration based linear codes. Wseas Transactions on Mathematics, 2012, 11(12): 1103-1113. (0) |
[5] |
Safavi-Naini R, Wang H. New results on multi-receiver authentication codes. Advances in Cryptology-EUROCRYPT'98, International Conference on the Theory and Application of Cryptographic Techniques. 1998, 1403: 527-541. DOI: 10.1007/BFb0054151.
(0) |
[6] |
Gao You, Yu Huafeng. Constructions of authenticationn codes with arbitration from alternate matrix over finite fields. Journal of Nature Science of Heilongjiang University, 2015, 29(1): 42-50. (0) |
[7] |
Liu Yanqin, Gao You, Zhang Dake. The construction of A3-code from singular pseudo-symple ctic geometry over finite fields. Wseas Transactions on Mathematics, 2015, 14: 77-86. (0) |
[8] |
Gao You, Wang Gang, He Yifan. A new construction of multisender authentication codes with simultaneous model from singular symplectic geometry over finite fields. Ars Combinatoria, 2015, 118: 95-107. (0) |
[9] |
Chen Shangdi, Zhang Xiaolian, Ma Hao. Two constructions of A3-codes from projective geometry in finite fields. Journal of China Universities of Posts and Telecommunications, 2015, 22(2): 52-59. DOI:10.1016/S1005-8885(15)60639-2 (0) |
[10] |
Chen Shangdi, Zhang Xiaolian. Three constructions of perfect authentication codes from projective geometry over finite fields. Applied Mathematics and Computation, 2015, 253: 308-317. DOI:10.1016/j.amc.2014.12.088 (0) |
[11] |
Chen Shangdi, Chang Lizhen. A construction of multi-receiver authentication codes with dynamic sender from linear codes. Applied Mathematics and Computation, 2016, 129: 227-236. (0) |
[12] |
Chen Shangdi, Song Minjuan. Two new authentication schemes from singular symplectic geometry over finite fields. J. Comb. Math. Comb. Comp., 2014, 88: 169-190. (0) |
[13] |
Chen Shangdi, Zhang Xiaolian, Ma Hao. Construction of authentication codes with double arbiters over symplectic geometry. Acta Mathematics Applicate Sinica (English Series), 2015, 31(4): 1141-1152. DOI:10.1007/s10255-015-0511-3 (0) |
[14] |
Liang Miao, Li Mingchao, Du Beiliang. A construction for t-fold perfect authentication codes with arbitration. Designs, Codes and Cryptography, 2014, 73(3): 781-790. DOI:10.1007/s10623-013-9826-3 (0) |
[15] |
Li Mingchao, Liang Miao, Du Beiliang. A construction of t-fold perfect splitting authentication codes with equal deception probabilities. Cryptography and Communications, 2015, 7(2): 207-215. DOI:10.1007/s12095-014-0107-4 (0) |
[16] |
Liang Miao, Ji Lijun, Zhang Jingcai. Some new classes of 2-fold optimal or perfect splitting authentication codes. Cryptography and Communications, 2017, 9(3): 407-430. DOI:10.1007/s12095-015-0179-9 (0) |
[17] |
Shen Shiyi, Chen Lushen. Theory of Information and Coding. Beijing: Science Press, 2002.
(0) |
[18] |
Wang E F, Shi S M. Advanced Algebra. Beijing: Higher Education Press, 2003.
(0) |
[19] |
Wan Zhexian. Geometry of Classical Group over Finite Field. Beijing: Science Press, 2002.
(0) |
[20] |
Zhang Herui. Modern Algebra Foundation. Beijing: High Education Press, 1978.
(0) |