combinatorial designs for authentication and secrecy...

97
Foundations and Trends R in Communications and Information Theory Vol. 5, No. 6 (2008) 581–675 c 2010 M. Huber DOI: 10.1561/0100000044 Combinatorial Designs for Authentication and Secrecy Codes By Michael Huber Contents 1 Introduction 582 1.1 Authentication and Secrecy Model 584 1.2 Combinatorial Designs: A Brief Historical Account 589 1.3 Some Group Theory 591 2 Combinatorial Design Theory 594 2.1 t-Designs and Finite Geometries 595 2.2 Latin Squares and Perpendicular Arrays 609 2.3 Authentication Perpendicular Arrays 613 2.4 Splitting Designs and Others 617 3 Applications to Authentication and Secrecy Codes 624 3.1 Secrecy Codes 625 3.2 General Authentication Codes 629 3.3 Authentication Codes with Secrecy 630 3.4 Authentication Codes with Secrecy in the Verification Oracle Model 644 3.5 Authentication Codes with Splitting 648

Upload: doanquynh

Post on 04-Jun-2018

219 views

Category:

Documents


0 download

TRANSCRIPT

Foundations and TrendsR© inCommunications and Information TheoryVol. 5, No. 6 (2008) 581–675c© 2010 M. HuberDOI: 10.1561/0100000044

Combinatorial Designs forAuthentication and Secrecy Codes

By Michael Huber

Contents

1 Introduction 582

1.1 Authentication and Secrecy Model 5841.2 Combinatorial Designs: A Brief Historical Account 5891.3 Some Group Theory 591

2 Combinatorial Design Theory 594

2.1 t-Designs and Finite Geometries 5952.2 Latin Squares and Perpendicular Arrays 6092.3 Authentication Perpendicular Arrays 6132.4 Splitting Designs and Others 617

3 Applications to Authentication andSecrecy Codes 624

3.1 Secrecy Codes 6253.2 General Authentication Codes 6293.3 Authentication Codes with Secrecy 6303.4 Authentication Codes with Secrecy in the Verification

Oracle Model 6443.5 Authentication Codes with Splitting 648

3.6 Authentication Codes with Arbitration 6553.7 Other Applications 6553.8 Synthesis and Discussion 657

4 Appendix 659

4.1 Multiply Homogeneous Permutation Groups 659

Acknowledgments 662

References 663

Foundations and TrendsR© inCommunications and Information TheoryVol. 5, No. 6 (2008) 581–675c© 2010 M. HuberDOI: 10.1561/0100000044

Combinatorial Designs forAuthentication and Secrecy Codes

Michael Huber

Wilhelm Schickard Institute for Computer Science, University of Tuebingen,Sand 13, D-72076 Tuebingen, Germany, [email protected]

Abstract

Combinatorial design theory is a very active area of mathematicalresearch, with many applications in communications and informationtheory, computer science, statistics, engineering, and life sciences. Asone of the fundamental discrete structures, combinatorial designs areused in fields as diverse as error-correcting codes, statistical designof experiments, cryptography and information security, mobile andwireless communications, group testing algorithms in DNA screen-ing, software and hardware testing, and interconnection networks. Thismonograph provides a tutorial on combinatorial designs, which gives anoverview of the theory. Furthermore, the application of combinatorialdesigns to authentication and secrecy codes is described in depth. Thisclose relationship of designs with cryptography and information secu-rity was first revealed in Shannon’s seminal paper on secrecy systems.We bring together in one source foundational and current contribu-tions concerning design-theoretic constructions and characterizationsof authentication and secrecy codes.

1Introduction

Authenticity and secrecy are two crucial concepts in cryptographyand information security. Concerning authenticity, typically commu-nicating parties would like to be assured of the integrity of informa-tion they obtain via potentially insecure channels. Regarding secrecy,protection of the confidentiality of sensitive information shall beensured in the presence of eavesdropping. Although independent intheir nature, various scenarios require that both aspects hold simultane-ously. For information-theoretic, or unconditional, security (i.e. robust-ness against an attacker that has unlimited computational resources),authentication and secrecy codes can be used to minimize the pos-sibility of an undetected deception. The construction of such codesis of great importance and has been considered by many researchersover the last few decades. Often deep mathematical tools are involvedin the constructions, mainly from combinatorics. This close relation-ship of cryptography and information security with combinatorics hasbeen first revealed in Shannon’s landmark paper “Communication the-ory of secrecy systems” [182]: a key-minimal secrecy system providesperfect secrecy if and only if the encryption matrix is a Latin squareand the keys are used with equal probability. The initial construction

582

583

of authentication codes goes back to Gilbert et al. [74], and usesfinite projective planes. A more general and systematic theory ofauthenticity was developed by Simmons (see [183, 184, 185, 186, 187],and [188] for a survey). Further foundational works on authenticationand secrecy codes have been carried out by Massey [152] and Stinsonet al. [194, 195, 196, 201, 202]. A generalized information-theoreticframework for authentication was introduced by Maurer [157].

The purpose of this monograph is to describe in depth classi-cal and current interconnections between combinatorial designs andauthentication and secrecy codes. The latter also include the author’srecent [102, 106, 107] and new contributions (cf. Section 3.4) onmulti-fold secure authentication and secrecy codes in various mod-els. Moreover, this issue provides a tutorial overview on the theoryof combinatorial designs. These fundamental discrete structures findapplications in fields as diverse as error-correcting codes, statisticaldesign of experiments, cryptography and information security, mobileand wireless communications, group testing algorithms in DNA screen-ing, software and hardware testing, and interconnection networks. Inparticular, the last few years have witnessed an increasing body of workin the communications and information theory literature that makessubstantial use of results in combinatorial design theory.

The organization of the monograph is as follows. Section 1.1 intro-duces the Shannon–Simmons model of information-theoretical authen-tication and secrecy. We define the important concepts of spoofingattacks and perfect secrecy. A short historical account on combinato-rial designs is given in Section 1.2. Since permutation groups often playa crucial role in the construction of combinatorial designs, we intro-duce basic notions on permutation groups and group actions in Sec-tion 1.3. Section 2 provides a tutorial account on combinatorial designtheory. We emphasize on the construction of various combinatorialstructures including t-designs, finite geometries, Latin squares, orthog-onal arrays, perpendicular and authentication perpendicular arrays,splitting t-designs, and others. These combinatorial structures provideessential tools for the construction and characterization of authentica-tion and secrecy codes in the following section. A special notice is placedon examples for each type of combinatorial designs. We also briefly

584 Introduction

point to the interplay between t-designs and error-correcting codes. Sec-tion 3 is devoted to various key applications of combinatorial designsto authentication and secrecy codes. Foundational and recent resultsconcerning the construction and characterization of authentication andsecrecy codes are exposed. Starting with Shannon’s classical result, wefirst deal with secrecy codes in Section 3.1. Authentication codes with-out any secrecy requirements are considered in Section 3.2. In Sec-tion 3.3, codes that offer both authenticity and secrecy are discussed indetail. We distinguish between arbitrary and equiprobable source prob-ability distributions. The advantage of the source states being equiprob-able distributed is that the number of encoding rules can be reduced.Section 3.4 is devoted to an extended authentication model, where theopponent can act pro-actively by having access to a verification oracle.Authentication codes with splitting are considered in Section 3.5. Insuch a code, several messages can be used to communicate a particularplaintext (non-deterministic encoding). We briefly mention authenti-cation codes that permit arbitration in Section 3.6. In Section 3.7,further recent applications are highlighted which makes substantial useof combinatorial design theory. Finally, we conclude in Section 3.8 witha synthesis of the work and some directions for future research.

1.1 Authentication and Secrecy Model

We rely on the information-theoretical (or unconditional) secrecy modeldeveloped by Shannon [182], and by Simmons [183, 184, 185, 188]including authentication. Information-theoretical security means thatthe security of the model is not dependent on any complexity assump-tions and hence cannot be broken given unlimited computationalresources. A well-known practical application of such a perfectly-securesystem is the Washington–Moscow Hotline (“red telephone”) duringthe time of the cold war. Modern applications may include protectionof digital data where cryptographic long-term security and/or confi-dentiality is strongly required, e.g., in archiving official documents,notarial contracts, court records, medical data, state secrets, copyrightprotection as well as further areas concerning e-government, e-health,e-publication, etc.

1.1 Authentication and Secrecy Model 585

The reader may be interested in the area of information-theoreticalcryptography [156], long-term secure cryptography [33], post-quantumcryptography [15], and in the broad area of cryptography in general [77,78, 159, 200].

1.1.1 Basic Preliminaries

We introduce the basic model of information-theoretical authenticationand secrecy. Our notation follows, for the most part, that of [152, 195].Figure 1.1 gives an illustration of the model (cf. [152, 195]).

In this basic model of authentication and secrecy three participantsare involved: a transmitter, a receiver, and an opponent. The trans-mitter wants to communicate information to the receiver via a publiccommunications channel. The receiver in return would like to be confi-dent that any received information actually came from the transmitterand not from some opponent (integrity of information). The transmit-ter and the receiver are assumed to trust each other. Sometimes thisis also called an A-code. Variants of this model will be discussed inSections 3.4, 3.5, and 3.6.

In what follows, let S denote a set of k source states (or plaintexts),M a set of v messages (or ciphertexts), and E a set of b encoding rules(or keys). Using an encoding rule e ∈ E , the transmitter encrypts asource state s ∈ S to obtain the message m = e(s) to be sent over the

Fig. 1.1 Shannon–Simmons authentication and secrecy model.

586 Introduction

channel. The encoding rule is an injective function from S to M, and iscommunicated to the receiver via a secure channel prior to any messagesbeing sent. For a given encoding rule e ∈ E , let M(e) := {e(s) | s ∈ S}denote the set of valid messages. For an encoding rule e and a setM∗ ⊆ M(e) of distinct messages, we define fe(M∗) := {s ∈ S | e(s) ∈M∗}, i.e., the set of source states that will be encoded under encodingrule e by a message in M∗. Furthermore, we define E(M∗) := {e ∈ E |M∗ ⊆ M(e)}, i.e., the set of encoding rules under which all the messagesin M∗ are valid. A received message m will be accepted by the receiveras being authentic if and only if m ∈ M(e). When this is fulfilled, thereceiver decrypts the message m by applying the decoding rule e−1,where

e−1(m) = s ⇔ e(s) = m.

An authentication code can be represented algebraically by a(b × k)-encoding matrix with the rows indexed by the encoding rules,the columns indexed by the source states, and the entries defined byaes := e(s) (1 ≤ e ≤ b, 1 ≤ s ≤ k).

1.1.2 Protection Against Spoofing Attacks

We introduce the scenario of a spoofing attack of order i (cf. [152]):Suppose that an opponent observes i ≥ 0 distinct messages, which aresent through the public channel using the same encoding rule. Theopponent then inserts a new message m′ (being distinct from the i

messages already sent), hoping to have it accepted by the receiver asauthentic. The cases i = 0 and i = 1 are called impersonation game andsubstitution game, respectively. These cases have been studied in detailin recent years (see, for instance, [196, 201, 27, 53, 165]), however lessis known for the cases i ≥ 2. In this monograph, we especially focus onthose cases where i ≥ 2.

For any i, we assume that there is some probability distribution onthe set of i-subsets of source states, so that any set of i source stateshas a non-zero probability of occurring. For simplification, we ignorethe order in which the i source states occur, and assume that no sourcestate occurs more than once. Given this probability distribution pS on

1.1 Authentication and Secrecy Model 587

S, the receiver and transmitter choose a probability distribution pE

on E , called an encoding strategy, with associated independent randomvariables S and E, respectively. These distributions are known to allparticipants and induce a third distribution, pM , on M with associatedrandom variable M . The deception probability Pdi

is the probabilitythat the opponent can deceive the receiver with a spoofing attack oforder i. The following theorem by Massey provides combinatorial lowerbounds (for the proof, we follow [194, 195]).

Theorem 1.1 (Massey [152]). In an authentication code with k

source states and v messages, for every 0 ≤ i ≤ t, the deception proba-bilities are bounded below by

Pdi≥ k − i

v − i.

Proof. Let M∗ ⊂ M denote a set of i ≤ t distinct messages. We supposethat an opponent observes the i messages in the channel, and then sendsa message m ∈ M not in M∗. Let payoff(m,M∗) denote the probabilitythat the message m would be accepted by the receiver as authentic.Then

payoff(m,M∗) =

∑e∈E(M∗∪{m}) p(e) · p(S = fe(M∗))∑

e∈E(M∗) p(e) · p(S = fe(M∗)).

It follows that ∑m∈M\M∗

payoff(m,M∗) = k − i.

Hence, there exists some m ∈ M not in M∗ such that payoff(m,M∗) ≥(k − i)/(v − i). For every set M∗ of i messages, the opponent canchoose such an m. This defines a deception strategy in which thetransmitter/receiver can be deceived with probability at least (k − i)/(v − i).

An authentication code is called tA-fold secure against spoofing ifPdi

= (k − i)/(v − i) for all 0 ≤ i ≤ tA.

588 Introduction

1.1.3 Perfect Secrecy

We address Shannon’s fundamental idea of perfect secrecy (cf. [182]):An authentication code is said to have perfect secrecy if

pS(s|m) = pS(s)

for every source state s ∈ S and every message m ∈ M.That is, the a posteriori probability that the source state is s, given

that the message m is observed, is identical to the a priori probabilitythat the source state is s.

It can easily be shown via Bayes’ Theorem that

pS(s|m) =pM (m|s) · pS(s)

pM (m)(1.1)

=

∑{e∈E|e(s)=m} pE(e) · pS(s)∑

{e∈E|m∈M(e)} pE(e) · pS(e−1(m)). (1.2)

Moreover, we introduce the concept of perfect multi-fold secrecyestablished by Stinson [195], which generalizes Shannon’s perfect (one-fold) secrecy. An alternative definition has been given by Godlewskiand Mitchell [75]. Instead of assuming that each encoding rule is usedto encode only one message, the situation is extended in a naturalway: each encoding rule is used to encode up to tS messages for somepositive integer tS . More formally, we say that an authentication codehas perfect tS-fold secrecy if, for every positive integer t∗ ≤ tS , for everyset M∗ of t∗ messages observed in the channel, and for every set S∗

of t∗ source states, we have

pS(S∗|M∗) = pS(S∗).

That is, the a posteriori probability distribution on the t∗ source states,given that a set of t∗ messages is observed, is identical to the a prioriprobability distribution on the t∗ source states. Obviously, for the casetS = 1 this coincides with the definition of perfect secrecy.

When clear from the context, we often only write t instead of tArespectively tS .

As the encoding rules have to be communicated to the receivervia a secure channel, i.e. log2 b bits for b encoding rules, we want tominimize the number of encoding rules. With respect to the minimal

1.2 Combinatorial Designs: A Brief Historical Account 589

number, we will deal with the construction and characterization ofoptimal authentication and secrecy codes in Section 3.

Remark 1.1. We note that the term secrecy code (sometimes alsosecrecy system) is customarily used in the above model to describe acipher that achieves Shannon’s perfect secrecy over noiseless channels.This should not be confused with the same expression often used todayfor describing codes that can achieve both reliable and secure communi-cation over noisy channels (also known as wiretap channels). For recentdevelopments on information-theoretic security for noisy channels, werefer to the monograph [142] and the references therein.

1.2 Combinatorial Designs: A Brief Historical Account

Combinatorial designs have a long and rich history of work. We brieflyhighlight three historical examples:

Leonhard Euler considered in 1782 the following problem [64], posedby Catherine the Great according to folklore. This problem came toknown as Euler’s 36 Officers Problem:

“A very curious question, which has exercised for sometime the ingenuity of many people, has involved me inthe following studies, which seem to open a new fieldof analysis, in particular the study of combinations.The question resolves around arranging 36 officers tobe drawn from 6 different ranks and also from 6 dif-ferent regiments so that they are ranged in a square sothat in each line (both horizontal and vertical) there are6 officers of different ranks and different regiments.”

590 Introduction

This question asks for finding two orthogonal Latin squares oforder 6. Euler correctly conjectured that this was impossible, and acomplete proof with an exhaustive search of all Latin squares of order6 were given in 1900 by Tarry [207, 208]. A short proof is due to Stin-son [193].

The Swiss geometer Jakob Steiner posed in 1853 in his classical“Combinatorische Aufgabe” [192] the following question:

“Welche Zahl, N , von Elementen hat die Eigenschaft,dass sich die Elemente so zu dreien ordnen lassen, dassje zwei in einer, aber nur in einer Verbindung vorkom-men?”[Transl.: “For what number, N , of elements is it possibleto arrange the elements in triplets, so that every pair ofelements is contained in one and only one triplet?”]

Writing v, k, and t instead of N , 3, and 2, respectively, leads us tothe definition of what is now called a Steiner t-design (or a Steiner sys-tem, cf. Definition 2.1). However, there had been earlier work on thesecombinatorial designs going back to, in particular, Plucker, Woolhouse,and most notably Kirkman.

Thomas Kirkman’s famous 15 Schoolgirl Problem, which he pro-posed in 1850 in the popular magazine The Lady’s and Gentleman’sDiary [132], states as follows:

“Fifteen young ladies in a school walk out three abreastfor seven days in succession: it is required to arrangethem daily so that no two shall walk twice abreast.”

1.3 Some Group Theory 591

This is equivalent to the problem of constructing a Steiner 2-designwith parameters k = 3 and v = 15, having the extra requirement thatthe set of triples can be partitioned into seven ‘parallel classes’.Kirkman’s problem as well as the more general case for other possi-ble values of v attracted great interest among late 19th and early 20thcentury mathematicians, including contributions by Burnside, Cayleyand Sylvester. However, it was not until 1971 that the general problemwas completely resolved by Ray-Chaudhuri and Wilson [173], showingthat there exists at least one such design for every v ≡ 3 (mod 6). Forv = 15, there are seven different solutions to the problem (up to isomor-phism). For all other admissible values v ≥ 21, the number of solutionsremains unknown up to the present.

For an detailed account on the history of combinatorial designs, werefer the interested reader, e.g., to [43, Chap. I.2] and [225].

1.3 Some Group Theory

Often permutation groups play a crucial role in the construction of com-binatorial designs. We introduce basic notions on permutation groupsand group actions in this section. We will restrict ourselves to finitegroups, although most of the concepts also make sense for infinitegroups.

Let X be a non-empty finite set. The set Sym(X) of all permutationsof X with respect to the composition

xgh := (xg)h for x ∈ X and g,h ∈ Sym(X)

forms a group, called the symmetric group on X. If X = {1, . . . ,v}, thenwe write Sv for the symmetric group of degree v. Clearly, Sym(X) ∼= Sv

if and only if |X| = v.

592 Introduction

A group G acts (or operates) on X, if to each element g ∈ G apermutation x → xg of X is assigned such that

(i) x1 = x for all x ∈ X (where 1 = 1G denotes the identity ele-ment of G),

(ii) (xg)h = xgh for all x ∈ X and all g,h ∈ G.

Evidently, these properties are fulfilled if and only if the map

ϕ : g → (x → xg)

of G into Sym(X) is a group homomorphism. In general, any homo-morphism ϕ of G into Sym(X) is said to be an action (or a permutationrepresentation) of G on X. If ker(ϕ) = 1 for the kernel of ϕ, then G

acts faithfully on X; in this case, G is a called a permutation groupon X. If ker(ϕ) = G, then G operates trivially on X. The degree of apermutation group is the size of X.

Example 1.1. The group of symmetries of a three-dimensional cube(cf. Figure 2.3) acts on various sets including the set of 8 vertices, theset of 6 faces, the set of 12 edges, and the set of 4 principal diagonals.Properties (i) and (ii) are clearly satisfied in each case.

Let G1 and G2 be permutation groups acting on the sets X1 andX2, respectively. Then, G1 and G2 are called permutation isomorphic,if there exists a group isomorphism σ : G1 → G2 and a bijective mapτ : X1 → X2 with

(xg)τ = (xτ )(gσ)

for all x ∈ X1 and all g ∈ G1. Essentially, this means that the groupsG1 and G2 are “the same” except for the labeling of the points.

Let G be a group acting on X. For x ∈ X, the subgroup

Gx := {g ∈ G | xg = x}denotes the (point-)stabilizer of x in G and the set

xG := {xg | g ∈ G}

1.3 Some Group Theory 593

is the orbit of x under G (or the G-orbit of x). For B ⊆ X, let

GB := {g ∈ G | Bg = B}be its setwise stabilizer. The order of G is denoted by |G|.

A group G acting on X is called transitive on X, if G has only oneorbit, i.e. xG = X for all x ∈ X. Equivalently, G is transitive if for anytwo points x,y ∈ X there exists an element g ∈ G with xg = y. For apositive integer t ≤ |X|, we call G to be t-transitive, if for any two injec-tive t-tuples (x1,x2, . . . ,xt) and (y1,y2, . . . ,yt) there exists an elementg ∈ G with xi

g = yi for all 1 ≤ i ≤ t. We say that G is t-homogeneous,if it is transitive on the set of all t-subsets of X. Obviously, t-transitiveimplies t-homogeneous.

Example 1.2. The symmetric group Sv is v-transitive, and the alter-nating group Av (i.e., the subgroup of Sv consisting of all even per-mutations) is (v − 2)-transitive in their actions on the set {1, . . . ,v}(v ≥ 3).

We will list all finite multiply homogeneous permutation groups inAppendix 4.1. We note that this classification relies on the Classifica-tion of the Finite Simple Groups (CFSG), one of the most powerfultools of modern algebra.

For a detailed treatment of finite group theory and permutationgroups, we refer the reader to [5, 38, 41, 61, 117, 118, 139, 223].

2Combinatorial Design Theory

The theory of combinatorial designs is concerned with a crucial prob-lem of combinatorics, that of arranging objects into patterns accordingto specified rules. It has strong connections with other fields in discretemathematics. Besides linear and abstract algebra and number theory,we mention especially its links to graph theory [39, 209], finite and inci-dence geometry [54, 34], and permutation group theory [38, 41, 61, 223].Fields of applications, among others, include coding and informationtheory [6, 39, 50, 105, 111, 112, 149], cryptography [170, 197, 200],statistical design of experiments [11, 65, 172, 205], and combinatorialalgorithms [129]. Further details on some recent applications are high-lighted in Section 3.7.

We give in this section a tutorial overview of combinatorial designtheory. We emphasize on the construction of various combinatorialstructures including t-designs, finite geometries, Latin squares, orthog-onal arrays, perpendicular and authentication perpendicular arrays,splitting t-designs, and others. These combinatorial structures provideessential tools for the construction and characterization of authenti-cation and secrecy codes in Section 3. A special notice is placed on

594

2.1 t-Designs and Finite Geometries 595

examples for each type of combinatorial designs. We also briefly pointto the interplay between t-designs and error-correcting codes.

Throughout this section, let t ≤ k ≤ v and λ be positive integers,and q be a prime power. Let GF (q) denote the finite field with q ele-ments.

2.1 t-Designs and Finite Geometries

We start by introducing combinatorial t-designs.

Definition 2.1. A t-(v,k,λ) design D is a pair (X,B), which satisfiesthe following properties:

(i) X is a set of v elements, called points,(ii) B is a family of k-subsets of X, called blocks,(iii) every t-subset of X is contained in exactly λ blocks.

We will denote points by lower-case and blocks by upper-caseLatin letters. Via convention, let b := |B| denote the number of blocks.Throughout this work, ‘repeated blocks’ are not allowed, that is, thesame k-subset of points may not occur twice as a block. If t < k < v

holds, then we speak of a non-trivial t-design. A t-(v,k,λ) design withλ = 1 is called a Steiner t-design (or a Steiner system, cf. Section 1.2).The special case of a Steiner design with parameters t = 2 and k = 3is called a Steiner triple system of order v, briefly STS(v). A Steinerdesign with parameters t = 3 and k = 4 is called a Steiner quadruplesystem of order v, briefly SQS(v).

We give some illustrative examples.

Example 2.1. We choose as point set

X = {1,2,3,4,5,6,7}

and as block set

B = {{1,2,4},{2,3,5},{3,4,6},{4,5,7},{1,5,6},{2,6,7},{1,3,7}}.

596 Combinatorial Design Theory

Fig. 2.1 The Fano plane PG(2,2).

This yields a Steiner 2-(7,3,1) design, the well-known Fano plane,which is the smallest design arising from a projective geometry. Theusual representation of this unique projective plane of order 2 is givenby the diagram in Figure 2.1.

Combinatorial t-designs can be represented algebraically in termsof incidence matrices: Let D = (X,B) be a t-design, and let the pointsbe labeled {x1, . . . ,xv} and the blocks be labeled {B1, . . . ,Bb}. Then,the b × v matrix A = (aij) (1 ≤ i ≤ b, 1 ≤ j ≤ v) defined by

aij :={

1, if xj ∈ Bi

0, otherwise(2.1)

is called an incidence matrix of D. Clearly, A depends on the respectivelabeling, however, it is unique up to column and row permutation.

If a 2-design has, like in Example 2.1, equally many points andblocks, i.e. v = b, then we speak of a square design (as its incidencematrix is square). By tradition, square designs are often called sym-metric designs, although here the term does not imply any symmetryof the design. For more on these interesting designs, we refer, e.g.,to [119].

Example 2.2. We take as point set

X = {1,2,3,4,5,6,7,8,9}and as block set

B = {{1,2,3},{4,5,6},{7,8,9},{1,4,7},{2,5,8},{3,6,9},

{1,5,9},{2,6,7},{3,4,8},{1,6,8},{2,4,9},{3,5,7}}.

2.1 t-Designs and Finite Geometries 597

Fig. 2.2 The affine plane of order 3.

This gives a Steiner 2-(9,3,1) design, the smallest non-trivial designarising from an affine geometry, which is again unique up to isomor-phism. This affine plane of order 3 can be constructed from the array

1 2 34 5 67 8 9

as illustrated in Figure 2.2.

More generally, we obtain the following examples.

Example 2.3. We choose as point set X the set of one-dimensionalsubspaces of a vector space V = V (d + 1, q) of dimension d + 1 ≥ 3over GF (q). As block set B we take the set of two-dimensional sub-spaces of V . Then there are v = qd+1−1

q−1 points and each block B ∈ Bcontains k = q + 1 points. Since clearly any two one-dimensional sub-spaces span a single two-dimensional subspace, any two distinct pointsare contained in a unique block. Hence, the projective space PG(d,q) isan example of a Steiner 2-( qd+1−1

q−1 , q + 1,1) design. For d = 2, the par-ticular designs are projective planes of order q, which are square designs.More generally, for any 1 ≤ i ≤ d − 1, the points and i-dimensional sub-spaces of PG(d,q) (i.e., the (i + 1)-dimensional subspaces of V ) yielda 2-design.

Example 2.4. We take as point set X the set of elements of a vectorspace V = V (d,q) of dimension d ≥ 2 over GF (q). As block set B we

598 Combinatorial Design Theory

choose the set of affine lines of V (i.e., the translates of one-dimensionalsubspaces of V ). Then there are v = qd points and each block B ∈ Bcontains k = q points. As obviously any two distinct points lie onexactly one line, they are contained in a unique block. Hence, we obtainthe affine space AG(d,q) as an example of a Steiner 2-(qd, q,1) design.When d = 2, these designs are affine planes of order q. More gener-ally, for any 1 ≤ i ≤ d − 1, the points and i-dimensional subspaces ofAG(d,q) form a 2-design.

If D1 = (X1,B1) and D2 = (X2,B2) are two t-designs, then a bijec-tive map α : X1 → X2 is called an isomorphism of D1 onto D2, if

B ∈ B1 ⇔ α(B) ∈ B2.

In this case, the designs D1 and D2 are isomorphic. An isomorphism ofa design D onto itself is called an automorphism of D. Evidently, the setof all automorphisms of a design D form a group under composition,the full group of automorphisms of D. We call any subgroup of it agroup of automorphisms of D.

It is a well-known result that both affine and projective planes oforder n exist whenever n is a prime power. The conjecture that nosuch planes exist with orders other than prime powers is unresolved sofar. The classical result of Bruck and Ryser [31] still remains the onlygeneral statement: If n ≡ 1 or 2 (mod 4) and n is not equal to the sumof two squares of integers, then n does not occur as the order of a finiteprojective plane. The smallest integer that is not a prime power andnot covered by the Bruck–Ryser Theorem is 10. Using substantial com-puter analysis, Lam et al. [140] proved the non-existence of a projectiveplane of order 10. The next smallest number is 12, for which neither apositive nor a negative answer has been proved. Likewise the existenceproblem, the question on the number of different isomorphism types isof fundamental importance. There are, for example, precisely four non-isomorphic projective planes of order 9. For a further discussion, inparticular of the rich history of affine and projective planes, the readermay be referred, e.g., to [20, 54, 95, 113, 148, 171].

For our purposes, we are especially interested in t-designs with t ≥ 3.Here is a simple example.

2.1 t-Designs and Finite Geometries 599

Fig. 2.3 The Steiner quadruple system of order 8.

Example 2.5. We take as points the vertices of a three-dimensionalcube. As illustrated in Figure 2.3, we can choose three types of blocks:

(i) a face (six of these),(ii) two opposite edges (six of these),(iii) an inscribed regular tetrahedron (two of these).

This yields a Steiner 3-(8,4,1) design, which is unique up to isomor-phism.

More generally, the binary vector space V (d,2) of dimension d ≥ 2with the set B of blocks taken to be the set of all subsets of four distinctelements of V (d,2) whose vector sum is zero, form a Boolean SQS(2d).Geometrically speaking, these SQS(2d) consist of the points and planesof the d-dimensional binary affine space AG(d,2) as shown by the nextexample.

Example 2.6. In AG(d,q) any three distinct points define a planeunless they are collinear (i.e., lie on the same line). If the underlyingfield is GF (2), then the lines contain only two points and hence anythree points cannot be collinear. Therefore, the points and planes ofthe affine space AG(d,2) form a Steiner 3-(2d,4,1) design. More gen-erally, for any fixed i with 2 ≤ i ≤ d − 1, the points and i-dimensionalsubspaces of AG(d,2) form a 3-design.

If D = (X,B) is a t-(v,k,λ) design with t ≥ 2, and x ∈ X arbitrary,then the derived design with respect to x is Dx = (Xx,Bx), where Xx =X\{x}, Bx = {B\{x} | x ∈ B ∈ B}. In this case, D is also called anextension of Dx. Obviously, Dx is a (t − 1)-(v − 1,k − 1,λ) design. The

600 Combinatorial Design Theory

complementary design D is obtained by replacing each block of D byits complement.

We indicate some helpful combinatorial tools.For the existence of t-designs, basic necessary conditions can be

obtained via elementary counting arguments.

Theorem 2.1 (cf., e.g., [16]). Let D = (X,B) be a t-(v,k,λ) design.For a positive integer s ≤ t, let S ⊆ X with |S| = s. Then the numberλs of blocks containing all the points of S is given by

λs = λ

(v−st−s

)(k−st−s

) .In particular, for t ≥ 2, a t-(v,k,λ) design is also an s-(v,k,λs) design.

It is customary to set r := λ1 to be the number of blocks containing agiven point (referring to the ‘replication number’ from statistical designof experiments, one of the origins of combinatorial design theory). Itfollows

Corollary 2.2. Let D = (X,B) be a t-(v,k,λ) design. Then the fol-lowing holds:

(a) bk = vr.

(b)(

v

t

)λ = b

(k

t

).

(c) r(k − 1) = λ2(v − 1) for t ≥ 2.

Since in Theorem 2.1 each λs must be an integer, we obtain more-over the subsequent necessary arithmetic conditions.

Corollary 2.3. Let D = (X,B) be a t-(v,k,λ) design. Then

λ

(v − s

t − s

)≡ 0

(mod

(k − s

t − s

))

for each positive integer s ≤ t.

2.1 t-Designs and Finite Geometries 601

The next theorem is a classical result in the theory of designs, gen-erally known as Fisher’s Inequality.

Theorem 2.4 (Fisher [66]). If D = (X,B) is a non-trivial t-(v,k,λ)design with t ≥ 2, then we have b ≥ v, that is, there are at least asmany blocks as points in D.

Proof. As a non-trivial t-design with t ≥ 2 is also a non-trivial 2-designby Theorem 2.1, it is sufficient to prove the assertion for an arbitrarynon-trivial 2-(v,k,λ) design D. Let A be an incidence matrix of Dlabeled as in Equation (2.1). Clearly, the (i,k)th entry

(AAt)ik =b∑

j=1

(A)ij(At)jk =b∑

j=1

aijakj

of the v × v matrix AAt is the number of blocks incident with both xi

and xk, and is thus equal to r if i = k, and to λ if i �= k. Hence

AAt = (r − λ)Iv + λJv,

where Iv denotes the v × v unit matrix and Jv the v × v matrix withall entries equal to 1. Using elementary row and column operations, itfollows easily that

det(AAt) = rk(r − λ)v−1.

Thus AAt is non-singular as r = λ would imply v = k by Theo-rem 2.1, yielding that the design is trivial. Therefore, the matrixAAt has rank(AAt) = v. But, if b < v, then rank(A) ≤ b < v, and thusrank(AAt) < v, a contradiction. It follows that b ≥ v, proving the claim.

We note that equality holds exactly for square designs when t = 2.Obviously, the equality v = b implies r = k by Corollary 2.2 (a).

We state an important generalization to arbitrary t-designs (seealso, e.g., [16] for a proof).

Theorem 2.5(Ray-Chaudhuri–Wilson [174]). Let D = (X,B) bea t-(v,k,λ) design. If t is even, say t = 2s, and v ≥ k + s, then b ≥ (vs).If t is odd, say t = 2s + 1, and v − 1 ≥ k + s, then b ≥ 2

(v−1

s

).

602 Combinatorial Design Theory

We will consider now various constructions of t-designs. In a verynatural way, t-designs can be constructed from multiply homogeneouspermutations groups.

Theorem 2.6 (cf., e.g., [16]). Suppose there is a t-homogeneous (inparticular, t-transitive) permutation group G of degree v, and k ≥ t.Then there is a t-(v,k,λ) design with

λ = b

(kt

)(vt

) =|G|

|GB| ·(kt

)(vt

) ,where GB is the setwise stabilizer of a block B ∈ B.

Example 2.7. Let d ≥ 2 be an integer. As point set X we choose theelements of the projective line GF (qd) ∪ {∞} over GF (qd), where ∞denotes a symbol with ∞ /∈ GF (qd). The linear fractional group

PGL(2, qd) = {g : x → ax+bcx+d

∣∣a,b,c,d ∈ GF (qd),ad − bc �= 0}

acts on GF (qd) ∪ {∞} in the natural manner (with the usual conven-tions for ∞: g(∞) := a

c , g(−dc ) := ∞ if c �= 0, and g(∞) =: ∞ if c = 0).

As block set B take the images of GF (q) ∪ {∞} under PGL(2, qd).This gives a Steiner 3-(qd + 1, q + 1,1) design with PGL(2, qd) as point3-transitive group of automorphisms. These designs, known as sphericalgeometries (or circle geometries), were first described by Witt [227]. Ford = 2, they are often called Mobius planes (or inversive planes) of orderq. Apart from the classical example for each prime power q, there is forq = 22e+1, e ≥ 1, another Mobius plane with the Suzuki group Sz(q) asa simple point 2-transitive group of automorphisms (cf. Appendix 4.1).

Example 2.8. The unique Steiner 2-(9,3,1) design whose points andblocks are the points and lines of the affine plane AG(2,3) is extend-able exactly three times to the following designs which are also uniqueup to isomorphism: the Steiner 3-(10,4,1) design which is the Mobiusplane of order 3 with PΓL(2,9) as full group of automorphisms, and

2.1 t-Designs and Finite Geometries 603

the two Mathieu–Witt designs 4-(11,5,1) and 5-(12,6,1) with the spo-radic Mathieu groups M11 and M12 as point 4-transitive and point5-transitive full groups automorphisms, respectively.

The construction of the ‘large’ Mathieu–Witt designs starts with theSteiner 2-(21,5,1) design whose points and blocks are the points andlines of the projective plane PG(2,4). This is extendable also preciselythree times to the following unique designs: the Mathieu–Witt design3-(22,6,1) with Aut(M22) as point 3-transitive full group of automor-phisms as well as the Mathieu–Witt designs 4-(23,7,1) and 5-(24,8,1)with M23 and M24 as point 4-transitive and point 5-transitive fullgroup of automorphisms, respectively. Further details can be found,e.g., in [4, 147]. However, the easiest way to construct and prove unique-ness of the Mathieu–Witt designs is via coding theory, using the relatedbinary and ternary Golay codes (see, e.g., [149, 50]).

Historical Note. The five Mathieu groups were the first examples ofsporadic finite simple groups and were discovered over 100 years ago byMathieu [153, 154]. They are the only finite 4- and 5-transitive permu-tation groups besides the symmetric or alternating groups. The Steinerdesigns associated with the Mathieu groups were first constructed byboth Carmichael [41] and Witt [226], and their uniqueness, up to iso-morphism, proved by Witt [227].

In all the examples above, the group of automorphisms acts transi-tively on incident point-block pairs, that is, on the flags, of the Steinert-designs. This reveals a high degree of regularity of the combinato-rial structure. Basically all flag-transitive Steiner t-designs have beendetermined recently, see [96, 97, 98, 99] and [101] for a monograph.Further recent results about block-transitive and other highly regulart-designs are, e.g., [100, 103, 104, 108, 109]. For the numerous interac-tions between highly regular combinatorial structures and applicationsin information and coding theory, we refer to the literature given in theapplication at the end of this section.

Example 2.9. A few Steiner 5-(v,k,1) designs have been constructedby combining several orbits of some prescribed group PSL(2, q)

604 Combinatorial Design Theory

on k-subsets (so-called method of orbiting under a group). Dennis-ton [56] discovered Steiner 5-(24,6,1) designs (with derived Steiner4-(23,5,1) designs), a Steiner 5-(28,7,1) design (with derived Steiner4-(27,6,1) and 3-(26,5,1) designs), Steiner 5-(48,6,1) designs (withderived Steiner 4-(47,5,1) designs), and Steiner 5-(84,6,1) designs(with derived Steiner 4-(83,5,1) designs). Mills [160] obtained a Steiner5-(72,6,1) design (with derived Steiner 4-(71,5,1) design). Several fur-ther Steiner 5-(v,6,1) designs have been obtained by this method withthe parameters v = 36, 108, 132, 168, 244 (cf. [18, 19, 46, 56, 57, 82,83, 84, 160]).

The above examples list all presently known Steiner 5-designs. Allknown Steiner 4-designs are derived from Steiner 5-designs. There aremany infinite classes of Steiner 2- and 3-designs. In addition to theexamples already given, we mention the following results concerningSteiner triple and quadruple systems.

Example 2.10. Recall that a Steiner triple system STS(v) of order v

is a 2-(v,3,1) design, and a Steiner quadruple system SQS(v) of orderv is a 3-(v,4,1) design. It is elementary to verify that a STS(v) of orderv exists if and only if v ≡ 1 or 3 (mod 6), v ≥ 3, as was first proved byKirkman [131]. The number of non-isomorphic STS(v) is only known inthe following cases: For v = 7 and v = 9 there exists an STS(v) in eachcase, unique up to isomorphism. These are the Fano plane PG(2,2)and the affine plane of order 3. For v = 13 and v = 15 we have exactly2 and 80 distinct isomorphism types, respectively. For v = 19 there areexactly 11,084,874,829 distinct isomorphism types (cf. [42, 128]).

Using recursive constructions, Hanani [88] showed that a similarcondition hold for the existence of a Steiner quadruple system: a SQS(v)of order v exists if and only if v ≡ 2 or 4 (mod 6), v ≥ 4. The num-ber of non-isomorphic SQS(v) is only known in the following cases:For v = 8 and v = 10 there exists an SQS(v) in each case, unique upto isomorphism. These are the affine space AG(3,2) and the Mobiusplane of order 3. For v = 14 we have exactly four distinct isomorphism

2.1 t-Designs and Finite Geometries 605

types. For v = 16 there are exactly 1,054,163 distinct isomorphismtypes (cf. [13, 115, 130]).

We also mention that a Steiner 2-(v,4,1) design exists if and only ifv ≡ 1 or 4 (mod 12), and a Steiner 2-(v,5,1) design exists if and onlyif v ≡ 1 or 5 (mod 20) (cf. [16]).

We give two results due to Hanani on the construction of 3-designs.

Theorem 2.7 (Hanani [89]). The following holds:

(a) Suppose there is a 3-(v + 1, q + 1,λ) design for some primepower q. Then there exists a 3-(vqd + 1, q + 1,λ) design forall positive integers d.

(b) If there is a 3-(v + 1,6,λ) design, then there exists a3-(4v + 2,6,λ) design.

Exploration of the construction of t-designs for large values of t leadto the following celebrated theorem of Teirlinck.

Theorem 2.8 (Teirlinck [206]). For every positive integer value oft, there exists a non-trivial t-design.

However, although Teirlinck’s recursive methods are constructive,they only produce examples with tremendously large values of λ. Untilnow, no non-trivial Steiner t-design with t > 5 has been constructed.This is one of the most central and long-standing open questions incombinatorial design theory:

Problem 2.1. Does there exist any non-trivial Steiner t-design witht ≥ 6?

For recent progress in the case of Steiner t-designs for large t

with high symmetry properties, see, e.g., [100]. A detailed account

606 Combinatorial Design Theory

on general Steiner designs can be found, e.g., in [16, 46]. Comprehen-sive survey articles especially on (Steiner) triple systems and Steinerquadruple systems include [47, 42] and [91, 144], respectively. For amore general treatment of combinatorial t-designs, the reader is referredto [16, 21, 35, 43, 86, 114, 199]. In particular, [16, 43] provide encyclope-dic accounts of key results and existence tables with known parametersets. DISCRETA [17] and DESIGN [191] are software packages for con-structing and classifying combinatorial t-designs.

Application: Error-Correcting Codes

We want to briefly point to the rich and fruitful interplay between cod-ing theory and the theory of t-designs. For a codeword x = (x1, . . . ,xd),the set

supp(x) := {i | xi �= 0}

of all coordinate positions with non-zero coordinates is called the sup-port of x. The (support) t-design of a code can be formed in the follow-ing way: given a, usually linear, code of length d that contains the zerovector, and non-zero weight w, we choose as point set X the set of d

coordinate positions of the code and as block set B the supports of allcodewords of weight w. As repeated blocks are not allowed, only dis-tinct representatives of supports for codewords with the same supportsare taken in the non-binary case.

A simple example is the following.

Example 2.11. The matrix

G =

1 1 0 1 0 0 00 1 1 0 1 0 00 0 1 1 0 1 00 0 0 1 1 0 1

is a generator matrix of a binary [7,4,3] Hamming code, which is thesmallest non-trivial Hamming code. The seven codewords of weight 3

2.1 t-Designs and Finite Geometries 607

are exactly the seven rows of the incidence matrix

1 1 0 1 0 0 00 1 1 0 1 0 00 0 1 1 0 1 00 0 0 1 1 0 11 0 0 0 1 1 00 1 0 0 0 1 11 0 1 0 0 0 1

of the Fano plane PG(2,2) (cf. Example 2.1). The supports of the sevencodewords of weight 4 yield the complementary 2-(7,4,2) design, i.e.the biplane of order 2. The matrix (I4,J4 − I4) with I4 the 4 × 4 unitmatrix and J4 the 4 × 4 matrix with all entries equal to 1 generatesthe extended binary [8,4,4] Hamming code. Since any two codewordsof weight 4 have distance at least 4, they have at most two ones incommon, and hence no codeword of weight 3 appears as a subword ofmore than one codeword. On the other hand, there are

(83

)= 56 words of

weight 3 and each codeword of weight 4 has four subwords of weight 3.Hence each codeword of weight 3 is a subword of precisely one codewordof weight 4. Thus, the supports of the 14 codewords of weight 4 form aSteiner 3-(8,4,1) design (cf. Example 2.5). More generally, in a binary[2m − 1,2m − 1 − m,3] Hamming code the supports of codewords ofweight 3 form an STS(2m − 1), and the supports of the codewords ofweight 4 in the extended code yield an SQS(2m).

Via multiply homogeneous permutations groups, t-designs can beobtained from codes as follows.

Theorem 2.9(cf., e.g., [209]). Let C be a code which admits a groupof automorphisms acting t-homogeneously (in particular, t-transitively)on the set of coordinates. Then the supports of the codewords of anynon-zero weight form a t-design.

Example 2.12. The rth order Reed–Muller (RM) code RM(r,m) oflength 2m is a binary [2m,

∑ri=0(mi

),2m−r] code with its codewords

608 Combinatorial Design Theory

the value-vectors of all Boolean functions in m variables of degree atmost r. For example, the extended binary [8,4,4] Hamming code inExample 2.11 is RM(1,3). Alternatively, a codeword in RM(r,m) can beviewed as the sum of characteristic functions of subspaces of dimensionat least m − r of the affine space AG(m,2). Hence, the full group ofautomorphisms of RM(r,m) contains the 3-transitive group AGL(m,2)of all affine transformations (cf. Appendix 4.1), and so the codewordsof any fixed non-zero weight yield a 3-design.

Historical Note. These codes were developed by Muller [161] andReed [175] in 1954.

We also briefly mention the constructions of the Mathieu–Wittdesigns from the Golay codes.

Example 2.13. The supports of codewords of minimum weight 7 inthe binary [23,12,7] Golay code form a Steiner 4-(23,7,1) design, andthe supports of the codewords of weight 8 in the extended binary[24,12,8] Golay code give a Steiner 5-(24,8,1) design. The supportsof codewords of minimum weight 5 in the ternary [11,6,5] Golay codeyield a Steiner 4-(11,5,1) design, and that the supports of the code-words of weight 6 in the extended ternary [12,6,6] Golay code give aSteiner 5-(12,6,1) design.

Historical Note. The Golay codes were discovered by M. J. E.Golay [76] in 1949 in the process of extending R. W. Hamming’s codeconstructions [87] from the mid-1940’s.

As the above examples may suggest the interplay between codingtheory and t-designs is most evidently seen in the relationship betweenperfect linear error-correcting codes and t-designs (cf. [8]). Anotherfundamental result in the interplay of coding theory and design theoryis the Assmus–Mattson Theorem [9], which gives a sufficient conditionfor the codewords of constant weight in a linear code to form a t-design.In the light of this celebrated theorem, a number of new 5-designshave been found in the last decades by considering the codewords offixed weight in certain codes. For a further discussion of the various

2.2 Latin Squares and Perpendicular Arrays 609

connections of t-designs with coding theory, we refer the reader to thelarge amount of literature [10, 6, 7, 26, 39, 112, 215, 216, 209, 210, 211,149] as well as a recent up-to-date survey [105] including additionalreferences.

2.2 Latin Squares and Perpendicular Arrays

We recall the definition of a Latin square.

Definition 2.2. A Latin square of order v is an v × v array of v sym-bols, in which each symbol occurs exactly once in each row and exactlyonce in each column.

Example 2.14. A simple example is given by the following array

1 2 32 3 13 1 2

This Latin square of order 3 can be derived from the cyclic group oforder 3.

More generally, we have

Example 2.15. The multiplication table (Cayley table) of a (quasi-)group on v elements is a Latin square of order v.

There are various connections between Latin squares and othertypes of combinatorial structures (see, e.g., [1]). Exemplarily, we givethe following example.

Example 2.16. The affine plane of order 3 (see Example 2.2) is equiv-alent to the two 3 × 3 orthogonal Latin squares

1 2 3 1 2 32 3 1 3 1 23 1 2 2 3 1

610 Combinatorial Design Theory

(Note that two Latin squares of order v are said to be orthogonal ifthe v2 pairs formed by juxtaposition of the two arrays are all distinct.)More generally, an affine plane, or projective plane, of order n exists ifand only if there are n − 1 pairwise orthogonal Latin squares of order n.

There is a vast body of research concerning Latin squares. We men-tion in particular the comprehensive monograph [55] as well as thesurvey articles in [43] and [12, 124]. Latin squares of small orders areavailable online [158]; for the number of Latin squares, see sequenceA002860 in [190].

For our further purposes, we are interested in a generalization ofLatin squares, known as perpendicular arrays.

Definition 2.3. A perpendicular array PAλ(t,k,v) is a λ · (vt) × k

array, A, of v symbols, which satisfies the following properties:

(i) every row of A contains k distinct symbols,(ii) for any t columns of A, and for any t distinct symbols, there

are precisely λ rows r of A such that the t given symbols alloccur in row r in the given t columns.

We note that property (i) is implied by (ii), when t ≥ 2.

Example 2.17. A Latin square of order k is a perpendicular arrayPA1(1,k,k). Hence, a PA1(1,k,k) exists for all positive integers k.

We prove two helpful assertions on perpendicular arrays.

Theorem 2.10(Kramer–Kreher–Rees–Stinson [134, 195]). Fora positive integer s ≤ t, let (

k

t

)≥(

k

s

).

Then a perpendicular array PAλ(t,k,v) is also a PAλs(s,k,v) with

λs = λ

(v−st−s

)(

ts

) .

2.2 Latin Squares and Perpendicular Arrays 611

Proof. Let A be a PAλ(t,k,v), and let the columns be labeled by{1, . . . ,k}. Let S be any set of s distinct symbols. For any set I ofs columns, define n(I) to be the number of rows of A in which thesymbols in S are all contained in the columns in I. Then, for any setJ of t columns, we obtain the equation

∑I⊆J,|I|=s

n(I) = λ

(v − s

t − s

).

This gives us(kt

)linear equations in the

(ks

)unknowns n(I). Now, if we

assume that (k

t

)≥(

k

s

),

then the system has for each I the unique solution

n(I) = λ

(v−st−s

)(

ts

) .

Hence, A is a PAλs(s,k,v) with λs as defined above.

Since each λs must be an integer, we derive the following necessaryarithmetic conditions.

Corollary 2.11(Kramer–Kreher–Rees–Stinson [134, 195]). Letk ≥ 2t − 1 and suppose that a perpendicular array PAλ(t,k,v) exists.Then

λ

(v − s

t − s

)≡ 0

(mod

(t

s

))

for each positive integer s ≤ t.

In the following, we will study several constructions of perpendiculararrays. For t = 2, an infinite class can be obtained as follows.

Example 2.18. Let q be an odd prime power, and let a ∈ GF (q) bea primitive element (i.e., a generator of the field’s cyclic multiplicative

612 Combinatorial Design Theory

group). For each 0 ≤ i ≤ q−32 and for each c ∈ GF (q), we define a

row as

c c + ai c + ai+1 · · · c + ai+q−2.

The resulting array is a PA1(2, q,q). This construction is due to Mullinet al. [162] (see also [195]).

Perpendicular arrays can be obtained in a natural way from multi-plying homogeneous permutations groups, by taking the permutationsas the rows of an array.

Theorem 2.12 (Stinson–Teirlinck [202]). Suppose there is a t-homogeneous permutation group G of degree v. Then there exists aPAλ(t,v,v) with

λ =|G|(vt

) .

Example 2.19. The group ASL(1, q) is 2-homogeneous of degree q,when q ≡ 3 (mod 4) (cf. Appendix 4.1). Since |ASL(1, q)| = q2−q

2 , aPA1(2, q,q) exists for any prime power q ≡ 3 (mod 4).

Example 2.20. The group PSL(2, q) is 3-homogeneous of degreeq + 1, when q ≡ 3 (mod 4) (cf. Appendix 4.1). Note that |PSL(2, q)| =q3−q

2 . Hence a PA3(3, q + 1, q + 1) exists for any prime powerq ≡ 3 (mod 4).

For t > 3, only a finite number of perpendicular arrays are presentlyknown. We summarize in Table 2.1 all perpendicular arrays that arisefrom finite t-homogeneous but not t-transitive permutation groups fort ≥ 2 (cf. [126] and the list of finite multiply homogeneous permutationgroups in Appendix 4.1).

Sometimes perpendicular arrays can be constructed from other per-pendicular arrays via recursive constructions.

2.3 Authentication Perpendicular Arrays 613

Table 2.1. Perpendicular arrays PAλ(t,v,v) from finite t-homogeneousbut not t-transitive permutation groups G, t ≥ 2.

λ t v G

1 2 q ASL(1, q)

q ≡ 3 (mod 4), prime power

1 3 8 AGL(1,8)

1 3 32 AΓL(1,32)

3 3 q + 1 PSL(2, q)

q ≡ 3 (mod 4), prime power

4 4 9 PGL(2,8)

4 4 33 PΓL(2,32)

Theorem 2.13 (Kramer–Magliveras–van Trung–Wu [135]). Ifthere is an PAλ(t,k,k) which is also a PAλt−1(t − 1,k,k), then thereis a PAλ(k+1−t)(t,k + 1,k + 1).

Concerning the existence of perpendicular arrays, we state twoimportant and long-standing open problems (cf. [195]):

Problem 2.2. Is there an infinite class of a PA1(3,k,k) with k ≥ 5?(As necessary condition, k ≡ 2 (mod 3) must hold by Corollary 2.11.)

Problem 2.3. Does there exist any PA1(t,k,v) with t ≥ 4?

2.3 Authentication Perpendicular Arrays

We introduce a further class of combinatorial designs, known as authen-tication perpendicular arrays. These are natural extensions of perpen-dicular arrays, which were defined by Stinson and Teirlinck [202] inorder to endow secrecy codes with an authentication capacity (cf. Sec-tion 3.3).

Definition 2.4. An authentication perpendicular array APAλ(t,k,v)is a PAλ(t,k,v), A, such that, for any s ≤ t − 1 and for any s + 1

614 Combinatorial Design Theory

distinct symbols {xi}s+1i=1 , it holds that among all the rows of A that

contain all the symbols {xi}s+1i=1 , the s symbols {xi}s

i=1 occur in allpossible subsets of s columns equally often.

We note that perpendicular arrays and authentication perpendic-ular arrays may be regarded as generalizations of t-designs with anadditional ordering on the blocks.

We present a simple example (due to van Rees, cf. [194]).

Example 2.21. A 55 × 3 array A can be constructed by developingthe five rows

0 1 20 9 70 3 60 4 80 5 10

modulo 11. Every pair {x1,x2} occurs in three rows of A. Within thesethree rows, x1 occurs once in each of the three columns, as does x2.This gives an APA1(2,3,11).

For authentication perpendicular arrays, we have the followingassertions.

Theorem 2.14(Stinson–Teirlinck [202]). If k ≥ 2t − 1, then a per-pendicular array PAλ(t,k,k) is an authentication perpendicular arrayAPAλ(t,k,k).

Proof. Let A be a PAλ(t,k,k). Then every subset of {1, . . . ,k} appearsin all rows of A. Thus, A is an APAλ(t,k,k) if and only if A is aPAλs(s,k,k) for all positive integers s ≤ t. Hence, by Theorem 2.10,the claim follows.

Example 2.22. Each example of the PAλ(t,k,k) given above is alsoan example of an APAλ(t,k,k) (except for q = 3 in Example 2.20).

2.3 Authentication Perpendicular Arrays 615

Theorem 2.15 (Stinson–Teirlinck [202]). For a positive integers ≤ t, an authentication perpendicular array APAλ(t,k,v) is also anAPAλs(s,k,v).

Proof. Let A be an APAλ(t,k,v). The case s = t is trivial. Therefore,let us assume that s < t and that it has already been proven that A

is an APAλs+1(s + 1,k,v). Let S denote a set of s columns of A and{xi}s

i=1 a set of s distinct symbols. For each symbol y /∈ {xi}si=1, we

have λs+1(

ks+1

)rows containing {y} ∪ {xi}s

i=1. Of these,

λs+1

(k

s+1

)(ks

) (2.2)

will contain {xi}si=1 in the columns in S. Let λ0 denote the number

of rows containing {xi}si=1 in the columns in S. We now count triples

(c,xs+1, r), where c /∈ S, xs+1 /∈ {xi}si=1, and row r contains {xi}s

i=1 inthe columns in S and xs+1 in column c. It follows

(k − s)λ0 = (v − s)λs+1

(k

s+1

)(ks

) ,

and hence λ0 = λs. Therefore, A is a PAλs(s,k,v), and hence anAPAλs(s,k,v) in view of Theorem 2.14.

As we can see from Equation (2.2), the following necessary arith-metic conditions must hold.

Corollary 2.16 (Stinson–Teirlinck [202]). Suppose that anauthentication perpendicular array APAλ(t,k,v) exists. Then

λs+1

(k

s + 1

)≡ 0

(mod

(k

s

))

for each positive integer s ≤ t − 1.

We present an infinite class of authentication perpendicular arrays.

616 Combinatorial Design Theory

Example 2.23. Let a ∈ GF (q) be a primitive element, and set b :=a

q−1k . For each 1 ≤ i ≤ q−1

2k , for each 0 ≤ j ≤ k − 1, and for each c ∈GF (q), we define a row as

c + aibj c + aibj+1 · · · c + aibk−1+j .

The resulting array is an APA1(2,k,q). This construction is due toGranville et al. [85] (see also [195]).

We also mention that there always exists an APA1(1,k,v) for allpositive integers k ≤ v (see [195]). There also exists an APA1(2,3,v) ifand only if v ≥ 7 is odd (see [194]), and an APA1(2,5,v) if v ≡ 1 or 5(mod 10), v ≥ 11, v �= 15 (see [145]).

Sometimes it is possible to construct authentication perpendiculararrays by combining different classes of combinatorial designs, as wecan see from the following result.

Theorem 2.17 (Stinson–Teirlinck [202]). Suppose there isa t-(v,k,λ) design and an authentication perpendicular arrayAPAλ′(t,k,k), then there is an APAλ·λ′(t,k,v).

Proof. We construct an APAλ′(t,k,k) for each block in the t-(v,k,λ)design. The union of these authentication perpendicular arrays yieldsan APAλ·λ′(t,k,v).

Example 2.24. Using spherical geometries from Example 2.7, weobtain from Example 2.22 an APA3(3, q + 1, qd + 1) for all primepowers q ≡ 3 (mod 4), q ≥ 7, and all integers d ≥ 2. Moreover, thereis an APA1(3, q + 1, qd + 1) for all integers d ≥ 2, when q = 7 or 31(cf. [202]).

Further recursive constructions of authentication perpendiculararrays which make use of t-designs or other authentication perpendic-ular arrays have been obtained. We list some of them without proofs.

2.4 Splitting Designs and Others 617

Theorem 2.18 (van Trung [219]). We have the following:

(a) Suppose there is a t-(v, l,λ) design and an APAλ′(t,k, l), thenthere is an APAλ·λ′(t,k,v).

(b) If there is an APAλ(t,k,k), then there is anAPAλ(k+1−t)(t,k + 1,k + 1).

(c) Suppose there is a t-(v,k,λ) design and an APAλ′(t,k,k),then there is an APAλ·λ′(v−k)(t,k + 1,v).

For further constructions (in particular when the underlying setof permutations is not a group) as well as existence tables of knownPAλ(t,k,v) resp. APAλ(t,k,v) for small values of λ and t, we refer thereader to [24, 25, 23, 22, 219].

We close this section by mentioning two long-standing open prob-lems concerning the existence of authentication perpendicular arrays(cf. [202]):

Problem 2.4. Does there exist any APA1(3,k,v) for arbitrarily largevalues of k?

Problem 2.5. Is there any APA1(t,k,v) with t ≥ 4?

We note that sometimes the transposed orthogonal (perpendicular,authentication perpendicular) array is used.

2.4 Splitting Designs and Others

We introduce a new type of combinatorial designs, called splittingt-designs (cf. [106]). This extends the notion of a splitting balancedincomplete block design, introduced by Ogata et al. [165], to the gen-eral case for arbitrary t.

Definition 2.5. For positive integers t,v,b,c,u,λ with t ≤ u andcu ≤ v, a t-(v,b, l = cu,λ) splitting design D is a pair (X,B), which

618 Combinatorial Design Theory

satisfies the following properties:

(i) X is a set of v elements, called points,(ii) B is a family of l-subsets of X, called blocks, such that

every block Bi ∈ B (1 ≤ i ≤ b := |B|) is expressed as a dis-joint union

Bi = Bi,1 ∪ ·· · ∪ Bi,u

with |Bi,1| = · · · = |Bi,u| = c and |Bi| = l = cu,(iii) every t-subset {xm}t

m=1of X is contained in exactly λ blocksBi = Bi,1 ∪ ·· · ∪ Bi,u such that

xm ∈ Bi,jm (jm between 1 and u)

for each 1 ≤ m ≤ t, and j1, . . . , jt are mutually distinct.

Example 2.25. As a simple example, take as point set

X = {1,2,3,4,5,6,7,8,9}and as block set

B = {B1, . . . ,B9}with

B1 = {{1,2}, {3,5}}B2 = {{2,3}, {4,6}}B3 = {{3,4}, {5,7}}B4 = {{4,5}, {6,8}}B5 = {{5,6}, {7,9}}B6 = {{6,7}, {8,1}}B7 = {{7,8}, {9,2}}B8 = {{8,9}, {1,3}}B9 = {{9,1}, {2,4}}.

This gives a 2-(9,9,4 = 2 × 2,1) splitting design (cf. [165]).

2.4 Splitting Designs and Others 619

Example 2.26. A 3-(10,15,6 = 2 × 3,1) splitting design can beobtained by taking as point set

X = {1,2,3,4,5,6,7,8,9,0}

and as block set

B = {B1, . . . ,B15}

with

B1 = {{1,2}, {4,0}, {5,9}}B2 = {{1,3}, {2,8}, {5,0}}B3 = {{1,4}, {3,8}, {6,9}}B4 = {{1,5}, {4,7}, {6,8}}B5 = {{1,7}, {2,3}, {4,8}}B6 = {{1,8}, {2,5}, {6,9}}B7 = {{1,8}, {6,7}, {9,0}}B8 = {{1,9}, {2,5}, {3,7}}B9 = {{1,9}, {3,4}, {7,0}}

B10 = {{2,4}, {5,6}, {7,9}}B11 = {{2,5}, {4,7}, {3,0}}B12 = {{2,9}, {6,8}, {3,0}}B13 = {{2,0}, {4,5}, {6,8}}B14 = {{3,7}, {4,6}, {8,0}}B15 = {{3,9}, {5,7}, {6,0}}.

We prove some basic necessary conditions for the existence of split-ting designs.

Theorem 2.19 (Huber [106]). Suppose that D = (X,B) is at-(v,b, l = cu,λ) splitting design, and for a positive integer s ≤ t, let

620 Combinatorial Design Theory

S ⊆ X with |S| = s. Then the number of blocks containing each ele-ment of S as per Definition 2.5 is given by

λs = λ

(v−st−s

)ct−s

(u−st−s

) .In particular, for t ≥ 2, a t-(v,b, l = cu,λ) splitting design is also ans-(v,b, l = cu,λs) splitting design.

Proof. We count in two ways the number of pairs (T,Bi), where T :={xm}t

m=1 ⊆ X and Bi =⋃u

j=1 Bi,j ∈ B such that

xm ∈ Bi,jm

for each 1 ≤ m ≤ t with j1, . . . , jt mutually distinct, andS := {xm}s

m=1 ⊆ T . First, each of the λs blocks Bi =⋃u

j=1 Bi,j

such that

xm ∈ Bi,jm

for each 1 ≤ m ≤ s with j1, . . . , js mutually distinct gives∏t−1i=s(l − ic)(t − s)!

= ct−s

(u − s

t − s

)

such pairs. Second, there are (v − s

t − s

)

such subsets T ⊆ X with S ⊆ T , each giving λ pairs by Definition 2.5.

As it is customary for t-designs, we also set r := λ1 denoting thenumber of blocks containing a given point. The above elementary count-ing arguments give the following assertions.

Corollary 2.20(Huber [106]). Let D = (X,B) be a t-(v,b, l = cu,λ)splitting design. Then the following holds:

(a) bl = vr.

2.4 Splitting Designs and Others 621

(b)(

v

t

)λ = bct

(u

t

).

(c) rct−1(u − 1) = λ2(v − 1) for t ≥ 2.

The assertions (b) and (c) have been proved in [165] for the casewhen t = 2. Since in Theorem 2.19 each λs must be an integer, weobtain furthermore the subsequent necessary arithmetic conditions.

Corollary 2.21(Huber [106]). Let D = (X,B) be a t-(v,b, l = cu,λ)splitting design. Then

λ

(v − s

t − s

)≡ 0

(mod ct−s

(u − s

t − s

))

for each positive integer s ≤ t.

Ogata et al. [165] proved a Fisher-type inequality for splittingt-designs when t = 2. Since a splitting t-design with t ≥ 2 is also asplitting 2-design in view of Theorem 2.19, we obtain the followingtheorem.

Theorem 2.22 (Ogata–Kurosawa–Stinson–Saido–Huber [106,165]). If D = (X,B) is a t-(v,b, l = cu,λ) splitting design with t ≥ 2,then

b ≥ v

u.

We shortly mention two further types of combinatorial designs. Formore details, we refer to [16, 43, 200].

Definition 2.6. An orthogonal array OAλ(t,k,v) is a λvt × k array, A,of v symbols, such that for any injective t-tuple (x1, . . . ,xt) of symbolsand any t columns c1, . . . , ct of A, there are precisely λ rows of A inwhich the entry xi occurs in column ci for all 1 ≤ i ≤ t.

622 Combinatorial Design Theory

Example 2.27. The Latin square given in Example 2.2 can repre-sented by the following orthogonal array OA1(2,3,v)

1 1 11 2 21 3 32 1 22 2 32 3 13 1 33 2 13 3 2

More generally, a Latin square of order v is equivalent to an OA1(2,3,v).

Example 2.28. An OA1(2, q,q) can be constructed for any primepower q. The well-known construction is essentially obtained from anaffine plane of order q, yielding the property that each of the q distinctrows contains precisely one symbol q-times (cf., e.g., [195, 200]).

A comprehensive reference on the theory of orthogonal arrays andtheir applications is [92]. An electronic library of orthogonal arrays isgiven in [189].

Definition 2.7. A transversal design TDλ(t,k,v) is a triple (X,G,A),which satisfies the following properties:

(i) X is a set of kv elements, called points,(ii) G is a partition of X into k classes, called groups, each of size

v,(iii) A is a family of λvt blocks, each of which meets each group

in a point,(iv) every t-subset of points from distinct groups is contained in

exactly λ blocks.

2.4 Splitting Designs and Others 623

Example 2.29. A Latin square of order v is equivalent to aTD1(2,3,v).

Further types of combinatorial designs including difference sets andgroup divisible designs can be found in [16, 43, 200]. For the readerinterested in the broad area of combinatorics in general, we recom-mend [2, 37, 81, 86, 176, 217].

3Applications to Authentication and

Secrecy Codes

This section is devoted to various key applications of combinatorialdesigns to authentication and secrecy codes. Foundational and currentresults concerning the construction and characterization of authentica-tion and secrecy codes are exposed. Starting with Shannon’s classicalresult [182] on secrecy systems, we first deal with secrecy codes in Sec-tion 3.1. Authentication codes without any secrecy requirements areconsidered in Section 3.2. In Section 3.3, codes that offer both authen-ticity and secrecy are discussed in detail. We distinguish between arbi-trary and equiprobable source probability distributions. The advantageof the source states being equiprobable distributed is that the numberof encoding rules can be reduced. Section 3.4 is devoted to an extendedauthentication model, where the opponent can act pro-actively by hav-ing access to a verification oracle (V-oracle). Authentication codes withsplitting are considered in Section 3.5. In such a code, several messagescan be used to communicate a particular plaintext (non-deterministicencoding). We briefly mention authentication codes that permit arbi-tration in Section 3.6. In Section 3.7, further recent applications arehighlighted which makes substantial use of combinatorial design the-ory. Finally, we conclude in Section 3.8 with a synthesis of the workand some directions for future research.

624

3.1 Secrecy Codes 625

3.1 Secrecy Codes

We first study codes which provide solely secrecy. Recall that the formaldefinition of perfect (multi-fold) secrecy is given in Subsection 1.1.3. Ascombinatorial tools, we will make use of Latin squares and perpendic-ular arrays (cf. Section 2.2).

As a starting point, we state Shannon’s fundamental result, whichgives the first link between information-theoretical cryptography andcombinatorial designs (see also, e.g., [200] for a proof).

Theorem 3.1 (Shannon [182]). If a secrecy code provides perfectsecrecy, then b ≥ k, that is, there are at least as many encoding rulesas source states. Moreover, equality occurs if and only if the encodingmatrix is a Latin square of order k and the encoding rules are usedwith equal probability.

Presumably the most prominent example of an information-theoretically secure secrecy code is the One-time Pad of Vernam[221, 222].

Example 3.1. Let S = M = E = V (d,2), d ≥ 1. Each encoding rule isused with equal probability 1/2d. For a given u ∈ V (d,2), we define anencoding rule

eu(s) := (s1 + u1, . . . ,sd + ud)(mod 2)

as the vector sum modulo 2 of u and s. A message m will be decodedanalogously. The encoding matrix is a Latin square of order 2d. There-fore, the One-time Pad has perfect secrecy.

A close connection between secrecy codes and perpendicular arrayshas been established by Stinson.

Theorem 3.2 (Stinson [195]). Suppose there is a perpendiculararray PAλ(t,k,v) with k ≥ 2t − 1. Then there is a secrecy code for k

source states, having v messages and λ(vt

)encoding rules, that provides

perfect t-fold secrecy.

626 Applications to Authentication and Secrecy Codes

Proof. Let A be a PAλ(t,k,v). An encoding rule can be constructedfrom each row r of A by defining

er(s) := xs

for each row r = (x1, . . . ,xk) and for each source state 1 ≤ s ≤ k. Eachencoding rule is used with probability 1/(λ

(vt

)). It remains to show that

perfect t∗-fold secrecy can be achieved for every t∗ ≤ t: as k ≥ 2t − 1by assumption, we have (

k

t

)≥(

k

t∗

).

Thus, A is a PAλt∗ (t∗,k,v) in view of Theorem 2.10. It follows thatany set of t∗ messages corresponds equally often to every possible setof t∗ source states. We conclude now by showing via Bayes’ Theoremthat

pS(S∗|M∗) =pM (M∗|S∗) · pS(S∗)

pM (M∗)

=(λt∗/b) · pS(S∗)∑

{e∈E|M∗⊆M(e)} pE(e) · pS(fe(M∗))

=(λt∗/b) · pS(S∗)∑

{S⊆S∣∣|S|=t∗}

∑{e∈E|S=fe(M∗)}(1/b) · pS(S)

=(λt∗/b) · pS(S∗)

(1/b) · λt∗

= pS(S∗)

for every set M∗ of t∗ messages observed in the channel, and for everyset S∗ of t∗ source states.

The condition k ≥ 2t − 1 is necessary as demonstrated by the fol-lowing example (cf. [195]).

Example 3.2. The array

1 2 3 42 1 4 33 4 1 24 3 2 1

3.1 Secrecy Codes 627

is a PA1(1,4,4) as well as a PA1(3,4,4). However, it is not aPAλ(2,4,4) for any λ. Thus, perfect one-fold secrecy is achieved, butnot perfect two-fold secrecy.

The next theorem generalizes Shannon’s result (Theorem 3.1). Italso gives a partial converse to Theorem 3.2.

Theorem 3.3 (Godlewski–Mitchell–Stinson [75, 195]). If asecrecy code provides perfect t-fold secrecy and k ≥ 2t − 1, then

b ≥(

k

t

).

Moreover, equality occurs if and only if the encoding matrix is a per-pendicular array PA1(t,k,k) and the encoding rules are used with equalprobability.

Proof. For an arbitrary encoding rule e1 ∈ E , let M∗ ⊆ M(e1) with|M∗| = t. Let S∗ ⊆ S with |S∗| = t. We first prove that the lower boundon the number of encoding rules holds if a secrecy code achieves per-fect t-fold secrecy. We assume that there is no encoding rule e2 ∈ E suchthat S∗ = fe2(M

∗). It follows that pS(S∗|M∗) = 0 �= pS(S∗), and thusperfect t-fold secrecy cannot hold by definition. Therefore, there are atleast

(kt

)encoding rules under which all the messages in M∗ are valid.

This establishes the bound

b ≥(

k

t

).

For the second part of the theorem, observe that for secrecy codesconstructed from a PAλ(t,k,v) with k ≥ 2t − 1 via Theorem 3.2 thisbound is attained if and only if λ = 1 and k = v. To prove the otherdirection, recall from above that there is at least one encoding rulee2 ∈ E such that S∗ = fe2(M

∗). Hence, for the bound on the num-ber of encoding rules to be met with equality, there must be exactlyone such encoding rule. This implies that all the messages in M∗

are valid under all b =(kt

)encoding rules. Clearly, we have

(kt

)dif-

ferent t-subsets of messages which are contained in M(e1), and each of

628 Applications to Authentication and Secrecy Codes

these occurs in(kt

)encoding rules. On the other hand, each of the

(kt

)encoding rules contains

(kt

)different t-subsets of messages. Therefore,

M(e1) = M(e) must hold for every encoding rule e ∈ E . Furthermore,the encoding matrix is a perpendicular array PA1(t,k,k) of the symbolsin M(e1).

A secrecy code is called optimal if the number of encoding rulesmeets the lower bound with equality. As an example, the One-time Pad(Example 3.1) is an optimal secrecy codes providing perfect one-foldsecrecy. Relying on Theorem 3.2, we can give in the following furtherconstructions of optimal secrecy codes with perfect multi-fold secrecy:

As noted in Example 2.17, a PA1(1,k,k) exists for all positive inte-gers k. Hence, we have

Theorem 3.4(Stinson [195]). For all positive integers k, there is anoptimal secrecy code for k source states that achieves perfect one-foldsecrecy.

In view of Example 2.18, we obtain

Theorem 3.5 (Stinson [195]). For all odd prime powers q, there isan optimal secrecy code for q source states that achieves perfect two-fold secrecy.

From Table 2.1, we have

Theorem 3.6(Stinson [195]). For v = 8 and 32, there is an optimalsecrecy code for v source states that achieves perfect three-fold secrecy.For v = 9 and 33, there is an optimal secrecy code for v source statesthat achieves perfect four-fold secrecy.

We remark that with respect to optimal secrecy codes, no infiniteclass having perfect t-fold secrecy is known for t = 3, and no examplefor t > 3 (cf. Section 2.2).

3.2 General Authentication Codes 629

3.2 General Authentication Codes

For general authentication codes, no secrecy requirements are speci-fied. The following theorem gives a combinatorial lower bound on thenumber of encoding rules for multi-fold secure authentication codes.

Theorem 3.7 (Massey–Schobi [152, 181]). If an authenticationcode is (t − 1)-fold secure against spoofing, then the number of encod-ing rules is bounded below by

b ≥(vt

)(kt

) .

Proof. Let M∗ ⊆ M be a set of i ≤ t − 1 distinct messages that arevalid under a particular encoding rule. Let x ∈ M be any message notin M∗. We assume that there is no encoding rule e ∈ E under which allmessages in M∗ ∪ {x} are valid. Following the proof of Theorem 1.1,mutatis mutandis, yields

Pdi> (k − i)/(v − i),

a contradiction. Therefore, any set of t distinct messages is valid underat least one encoding rule. Now, the bound follows by counting intwo ways the number of pairs (e,M∗), where e ∈ E and M∗ ⊆ M with|M∗| = t: first choosing e and then M∗, gives b

(kt

)such pairs. On the

other hand, there are(vt

)subsets M∗ ⊆ M, each giving at least one

pair by the above observation.

An authentication code is called optimal if the number of encodingrules meets the lower bound with equality.

When the source states are known to be independent and equiprob-able, optimal authentication codes which are (t − 1)-fold secure againstspoofing can be constructed via t-designs.

Theorem 3.8 (De Soete–Schobi–Stinson [52, 181, 195]). Sup-pose there is a t-(v,k,λ) design. Then there is an authentication code

630 Applications to Authentication and Secrecy Codes

for k equiprobable source states, having v messages and λ · (vt)/(kt)encoding rules, that is (t − 1)-fold secure against spoofing. Conversely,if there is an authentication code for k equiprobable source states, hav-ing v messages and

(vt

)/(kt

)encoding rules, that is (t − 1)-fold secure

against spoofing, then there is a Steiner t-(v,k,1) design.

Proof. Let D = (X,B) be a t-(v,k,λ) design. We order each block B ∈ Barbitrarily, and take these ordered blocks as encoding rules. We provefirst that Pdt−1 = (k − t + 1)/(v − t + 1): Let {mi}t

i=1 be a set of dis-tinct messages. We suppose that an opponent observes the t − 1 mes-sages {mi}t−1

i=1 in the channel, and then sends the message mt. Theprobability payoff(mt,{mi}t−1

i=1) that the message mt is accepted by thereceiver as authentic is

payoff(mt,{mi}t−1i=1) =

∑e∈E({mi}t

i=1) p(e) · p({si}t−1i=1 = fe({mi}t−1

i=1))∑e∈E({mi}t−1

i=1) p(e) · p({si}t−1i=1 = fe({mi}t−1

i=1)).

Since p(e) is constant and the source states are known to be equiprob-able, it follows that

payoff(mt,{mi}t−1i=1) =

∣∣{e ∈ E({mi}ti=1)}

∣∣∣∣{e ∈ E({mi}t−1i=1)}

∣∣ =k − t + 1v − t + 1

,

as desired. To establish that Pdi= (k − i)/(v − i) for all 0 ≤ i ≤ t − 2,

we make use of the fact that a t-(v,k,λ) design with t ≥ 2 is also ant∗-(v,k,λt∗) design for every t∗ ≤ t in view of Theorem 2.1.

Conversely, in order to meet the lower bound in Theorem 3.7 withequality, every set of t distinct messages must be valid under preciselyone encoding rule.

3.3 Authentication Codes with Secrecy

We study now codes that offer both authenticity and secrecy. Forauthentication codes without secrecy, there exist numerous construc-tions for quite some time. Combinatorial constructions (see, e.g., [79,170, 196, 197, 201]) rely on configurations including orthogonal arraysand transversal designs (cf. Section 2.4). However, if we wish that theauthentication codes simultaneously provide for secrecy, then only a

3.3 Authentication Codes with Secrecy 631

few constructions have been known until recently. These constructionsare primarily of combinatorial nature. An algebraic approach by Dinget al. [60, 59] is based on (non-)linear functions between finite Abeliangroups.

We will distinguish between equiprobable and arbitrary source prob-ability distributions. The advantage of the source states being equiprob-able distributed is that the number of encoding rules can be reduced.

3.3.1 Equiprobable source probability distribution

In the first part, we assume that the source states are equiprobable dis-tributed. Our approach relies on various t-designs and finite geometries(cf. Section 2.1).

As a consequence of Equation (1.1), we obtain the following usefulobservation.

Lemma 3.9 (Stinson [201]). An authentication code has perfectsecrecy if and only if∑

{e∈E|e(s)=m}pE(e) =

∑{e∈E|m∈M(e)}

pE(e) · pS(e−1(m))

for every source state s ∈ S and every message m ∈ M.

Thus, if the encoding rules in a code are used with equal probability,then a given message m occurs with the same frequency in each columnof the encoding matrix.

The first optimal authentication codes that are one-fold secureagainst spoofing and simultaneously achieve perfect secrecy were con-structed by Stinson in 1990. The constructions rely on Steiner 2-designsand assume that the source states are equiprobably distributed.

Theorem 3.10(Stinson [195]). Suppose there is a Steiner 2-(v,k,1)design, where v divides the number of blocks b. Then there is an optimalauthentication code for k equiprobable source states, having v messagesand v(v − 1)/k(k − 1) encoding rules, that is one-fold secure againstspoofing and provides perfect secrecy.

632 Applications to Authentication and Secrecy Codes

We will give a proof of the more general case for arbitrary t inTheorem 3.12.

Relying on Steiner 2-( qd+1−1q−1 , q + 1,1) designs from projective

geometries (cf. Example 2.3), an infinite class of authentication andsecrecy codes can be constructed as follows.

Theorem 3.11 (Stinson [195]). For all prime powers q and for alleven integers d ≥ 2, there is an optimal authentication code for anequiprobable source probability distribution with q + 1 source states,having (qd+1 − 1)/(q − 1) messages, that is one-fold secure againstspoofing and provides perfect secrecy.

We give the smallest example (cf. [195]).

Example 3.3. An optimal authentication code for k = 3 equiprobablesource states, having v = 7 messages, and b = 7 encoding rules, thatis one-fold secure against spoofing and provides perfect secrecy can beconstructed from a Steiner 2-(7,3,1) design, i.e. the unique Fano plane(cf. Example 2.1). Each encoding rule is used with probability 1/7. Anencoding matrix is given in Table 3.1.

Theorem 3.10 have been extended recently. Optimal multi-foldsecure authentication codes which simultaneously achieve perfectsecrecy can be obtained by means of Steiner t-designs for larger t.

Table 3.1. Authentication codefrom the Fano plane.

s1 s2 s3

e1 1 2 4

e2 2 3 5

e3 3 4 6

e4 4 5 7

e5 5 6 1

e6 6 7 2

e7 7 1 3

3.3 Authentication Codes with Secrecy 633

Theorem 3.12 (Huber [102]). Suppose there is a Steiner t-(v,k,1)design with t ≥ 2, where v divides the number of blocks b. Then thereis an optimal authentication code for k equiprobable source states,having v messages and

(vt

)/(kt

)encoding rules, that is (t − 1)-fold secure

against spoofing and provides perfect secrecy.

Proof. Let D = (X,B) be a Steiner t-(v,k,1) design with t ≥ 2, wherev divides b. Clearly, the authentication capacity of the code follows viaTheorem 3.8. To establish perfect secrecy under the assumption thatthe encoding rules are used with equal probability, it is necessary inview of Lemma 3.9 that a given message occurs with the same frequencyin each column of the resulting encoding matrix. This can be done byordering every block of D in such a way that every point occurs ineach possible position in precisely b/v blocks. Since every point occursin exactly r =

(v−1t−1

)/(k−1t−1

)blocks due to Corollary 2.2 (c), necessarily

k must divide r, or equivalently, v divides b by Corollary 2.2 (b). Toshow that the condition is also sufficient, we consider the bipartitepoint-block incidence graph of D with vertex set X ∪ B, where (x,B)is an edge if and only if x ∈ B for x ∈ X and B ∈ B. An ordering oneach block of D can be obtained via an edge-coloring of this graphusing k colors in such a way that each vertex B ∈ B is adjacent to oneedge of each color, and each vertex x ∈ X is adjacent to b/v edges ofeach color. Technically, this can be achieved by first splitting up eachvertex x into b/v copies, each having degree k, and then by findingan appropriate edge-coloring of the resulting k-regular bipartite graphusing k colors. Taking the ordered blocks as encoding rules, each usedwith equal probability, establishes the claim.

Relying on spherical geometries from Example 2.7, we can constructa new infinite class of optimal codes which are two-fold secure againstspoofing and achieve perfect secrecy.

Theorem 3.13 (Huber [102]). For all prime powers q and for alleven integers d ≥ 2, there is an optimal authentication code for anequiprobable source probability distribution with q + 1 source states,

634 Applications to Authentication and Secrecy Codes

having qd + 1 messages, that is two-fold secure against spoofing andprovides perfect secrecy.

Proof. By Example 2.7, there exists a Steiner 3-(qd + 1, q + 1,1) designfor every prime power q. Now, if we assume that d is even, then

q2 − 1 | qd − 1

and hence

(q + 1)q(q − 1) | qd(qd − 1).

Therefore, v divides b, and the claim follows by applying Theorem 3.12.

We present the smallest example (cf. [102]).

Example 3.4. An optimal authentication code for k = 4 equiprobablesource states, having v = 10 messages, and b = 30 encoding rules, thatis two-fold secure against spoofing and provides perfect secrecy can beconstructed from a Steiner 3-(10,4,1) design, i.e. the unique Mobiusplane of order 3 (cf. Example 2.7). Each encoding rule is used withprobability 1/30. We give an encoding matrix in Table 3.2.

We can construct several further new optimal authentication codesfor equiprobable source distributions, which are (t − 1)-fold secureagainst spoofing and simultaneously achieve perfect secrecy:

By Theorem 3.12, we have to examine whether the parameters ofknown Steiner t-(v,k,1) designs satisfy the condition that v dividesthe number of blocks b =

(vt

)/(kt

). We recall that there are two infi-

nite classes of optimal authentication codes, one arises from projectivegeometries (Theorem 3.11) and the other from spherical geometries(Theorem 3.13). In view of Example 2.10, further infinite classes ofoptimal codes for a fixed number of source states can be constructedas follows (cf. [102]).

• A Steiner 2-(v,3,1) design exists if and only if v ≡ 1 or 3 (mod6). Hence, if v ≡ 1 (mod 6), then an optimal authentication

3.3 Authentication Codes with Secrecy 635

Table 3.2. Authentication codefrom the Mobius plane of order 3.

s1 s2 s3 s4

e1 1 2 4 5

e2 2 3 5 6

e3 3 4 6 7

e4 4 5 7 8

e5 5 6 8 9

e6 6 7 9 0

e7 7 8 0 1

e8 8 9 1 2

e9 9 0 2 3

e10 0 1 3 4

e11 1 2 3 7

e12 2 3 4 8

e13 3 4 5 9

e14 4 5 6 0

e15 5 6 7 1

e16 6 7 8 2

e17 7 8 9 3

e18 8 9 0 4

e19 9 0 1 5

e20 0 1 2 6

e21 1 3 5 8

e22 2 4 6 9

e23 3 5 7 0

e24 4 6 8 1

e25 5 7 9 2

e26 6 8 0 3

e27 7 9 1 4

e28 8 0 2 5

e29 9 1 3 6

e30 0 2 4 7

code can be constructed for k = 3 equiprobable source states,having v messages, and v(v − 1)/6 encoding rules, that isone-fold secure against spoofing and provides perfect secrecy.

636 Applications to Authentication and Secrecy Codes

• A Steiner 2-(v,4,1) design exists if and only if v ≡ 1 or 4 (mod12). Hence, if v ≡ 1 (mod 12), then an optimal authenticationcode can be constructed for k = 4 equiprobable source states,having v messages, and v(v − 1)/12 encoding rules, that isone-fold secure against spoofing and provides perfect secrecy.

• A Steiner 2-(v,5,1) design exists if and only if v ≡ 1 or 5 (mod20). Hence, if v ≡ 1 (mod 20), then an optimal authenticationcode can be constructed for k = 5 equiprobable source states,having v messages, and v(v − 1)/20 encoding rules, that isone-fold secure against spoofing and provides perfect secrecy.

• A Steiner 3-(v,4,1) design exists if and only if v ≡ 2 or 4(mod 6). Hence, if v ≡ 2 or 10 (mod 24), then an optimalauthentication code can be constructed for k = 4 equiproba-ble source states, having v messages, and v(v − 1)(v − 2)/24encoding rules, that is two-fold secure against spoofing andprovides perfect secrecy.

We summarize in Table 3.3 the infinite classes of optimal codes con-structed in this subsection. Moreover, we present further optimal codeswith these properties in Table 3.4. Here, all presently known Steiner4-designs and 5-designs have been examined; for Steiner 2-designs and3-designs only the cases up to v = 30 have been investigated (cf. [102]).We give the parameters of the codes as well as of the respective Steiner

Table 3.3. Optimal authentication codes with perfect secrecy:infinite classes.

tA tS k v b

1 1 q + 1 qd+1−1q−1

v(v−1)k(k−1)

q prime power d ≥ 2 even

1 1 3 v ≡ 1 (mod 6) v(v−1)6

1 1 4 v ≡ 1 (mod 12) v(v−1)12

1 1 5 v ≡ 1 (mod 20) v(v−1)20

2 1 q + 1 qd + 1 v(v−1)(v−2)k(k−1)(k−2)

q prime power d ≥ 2 even

2 1 4 v ≡ 2,10 (mod 24) v(v−1)(v−2)24

3.3 Authentication Codes with Secrecy 637

Table 3.4. Optimal authentication codes with perfect secrecy: further examples.

tA tS k v b Design parameters Design ref.

2 1 5 26 260 3-(26,5,1) Ex. 2.9

3 1 5 11 66 4-(11,5,1) Ex. 2.8

7 23 253 4-(23,7,1) Ex. 2.8

5 23 1,771 4-(23,5,1) Ex. 2.9

5 47 35,673 4-(47,5,1) Ex. 2.9

5 83 367,524 4-(83,5,1) Ex. 2.9

5 71 194,327 4-(71,5,1) Ex. 2.9

5 107 1,032,122 4-(107,5,1) Ex. 2.9

5 131 2,343,328 4-(131,5,1) Ex. 2.9

5 167 6,251,311 4-(167,5,1) Ex. 2.9

5 243 28,344,492 4-(243,5,1) Ex. 2.9

4 1 6 12 132 5-(12,6,1) Ex. 2.8

6 84 5,145,336 5-(84,6,1) Ex. 2.9

6 244 1,152,676,008 5-(244,6,1) Ex. 2.9

t-designs (cf. Section 2.1). Both tables lists all presently known optimalauthentication codes with perfect secrecy.

We consider now authentication codes that are (t − 1)-fold secureagainst spoofing and achieves perfect (t − 1)-fold secrecy:

Starting from the condition of perfect t-fold secrecy, we obtain viaBayes’ Theorem that

pS(S∗|M∗) =pM (M∗|S∗) · pS(S∗)

pM (M∗)

=

∑{e∈E|S∗=fe(M∗)} pE(e) · pS(S∗)∑

{e∈E|M∗⊆M(e)} pE(e) · pS(fe(M∗))

= pS(S∗).

This yields

Lemma 3.14 (Huber [107]). An authentication code has perfectt-fold secrecy if and only if, for every positive integer t∗ ≤ t, for everyset M∗ of t∗ messages observed in the channel and for every set S∗ of t∗

638 Applications to Authentication and Secrecy Codes

source states, we have∑{e∈E|S∗=fe(M∗)}

pE(e) =∑

{e∈E|M∗⊆M(e)}pE(e) · pS(fe(M∗)).

Hence, if the encoding rules in a code are used with equal proba-bility, then for every t∗ ≤ t, a given set of t∗ messages occurs with thesame frequency in each t∗ columns of the encoding matrix.

We can now establish an extension of Theorem 3.12. Our construc-tion yields optimal authentication codes which are multi-fold secureagainst spoofing and provide perfect multi-fold secrecy.

Theorem 3.15 (Huber [107]). Suppose there is a Steiner t-(v,k,1)design with t ≥ 2, where

(vt∗)

divides the number of blocks b for everypositive integer t∗ ≤ t − 1. Then there is an optimal authenticationcode for k equiprobable source states, having v messages and

(vt

)/(kt

)encoding rules, that is (t − 1)-fold secure against spoofing and providesperfect (t − 1)-fold secrecy.

Proof. Let D = (X,B) be a Steiner t-(v,k,1) design with t ≥ 2, where(vt∗)

divides b for every positive integer t∗ ≤ t − 1. By Theorem 3.8, theauthentication code has (t − 1)-fold security against spoofing attacks.Hence, it remains to prove that the code also achieves perfect (t − 1)-fold secrecy under the assumption that the encoding rules are usedwith equal probability. With respect to Lemma 3.14, we have to showthat, for every t∗ ≤ t − 1, a given set of t∗ messages occurs with thesame frequency in each t∗ columns of the resulting encoding matrix.This can be accomplished by ordering, for each t∗ ≤ t − 1, every blockof D in such a way that every t∗-subset of X occurs in each possiblechoice in precisely b/

(vt∗)

blocks. Since every t∗-subset of X occurs inexactly λt∗ =

(v−t∗t−t∗

)/(k−t∗t−t∗

)blocks due to Theorem 2.1, necessarily

(kt∗)

must divide λt∗ . By Corollary 2.2 (b), this is equivalent to saying that(vt∗)

divides b. To show that the condition is also sufficient, we considerthe bipartite (t∗-subset, block) incidence graph of D with vertex set(Xt∗) ∪ B, where ({xi}t∗

i=1,B) is an edge if and only if xi ∈ B (1 ≤ i ≤ t∗)for {xi}t∗

i=1 ∈ (Xt∗) and B ∈ B. An ordering on each block of D can be

3.3 Authentication Codes with Secrecy 639

obtained via an edge-coloring of this graph using(

kt∗)

colors in sucha way that each vertex B ∈ B is adjacent to one edge of each color,and each vertex {xi}t∗

i=1 ∈ (Xt∗) is adjacent to b/(

vt∗)

edges of each color.Specifically, this can be done by first splitting up each vertex {xi}t∗

i=1into b/

(vt∗)

copies, each having degree(

kt∗), and then by finding an

appropriate edge-coloring of the resulting(

kt∗)-regular bipartite graph

using(

kt∗)

colors. The claim follows now by taking the ordered blocksas encoding rules, each used with equal probability.

Remark 3.1. It follows from the proof that we may obtain optimalauthentication codes that provide (t − 1)-fold security against spoofingand at the same time perfect (t′ − 1)-fold secrecy for t′ ≤ t, when theassumption of the above theorem holds with

(vt∗)

divides b for everypositive integer t∗ ≤ t′ − 1.

As an application, we give an infinite class of optimal codes whichare two-fold secure against spoofing and achieve perfect two-foldsecrecy. This appears to be the first infinite class of authenticationand secrecy codes with these properties.

Theorem 3.16 (Huber [107]). For all positive integers v ≡ 2 (mod24), there is an optimal authentication code for k = 4 equiprobablesource states, having v messages, and v(v − 1)(v − 2)/24 encodingrules, that is two-fold secure against spoofing and provides perfect two-fold secrecy.

Proof. By Example 2.10, a Steiner quadruple system SQS(v) existsif and only if v ≡ 2 or 4 (mod 6) (v ≥ 4). Hence, the condition v | b

is fulfilled when v ≡ 2 or 10 (mod 24) and the condition(v2

) | b whenv ≡ 2 (mod 12) in view of Corollary 2.2 (b). Therefore, if we assumethat v ≡ 2 (mod 24), then we can apply Theorem 3.15 to establish theclaim.

We present the smallest example (cf. [107]).

640 Applications to Authentication and Secrecy Codes

Example 3.5. An optimal authentication code for k = 4 equiprobablesource states, having v = 26 messages, and b = 650 encoding rules, thatis two-fold secure against spoofing and provides perfect two-fold secrecycan be constructed from a Steiner quadruple system SQS(26). Eachencoding rule is used with probability 1/650.

Historical Note. The first SQS(v) for v = 26 was constructed by Fit-ting [67], admitting a v-cycle as an automorphism (a cyclic SQS(v)).

3.3.2 Arbitrary Source Probability Distribution

In this part, let us assume that we have arbitrary source probability dis-tributions. As combinatorial tools, we will use primarily authenticationperpendicular arrays (cf. Section 2.3).

We first consider authentication codes that are (t − 1)-fold secureagainst spoofing and simultaneously achieves perfect t-fold secrecy:

For these codes, a combinatorial lower bound on the number ofencoding rules can be given as follows.

Theorem 3.17(Stinson [194]). If an authentication code is (t − 1)-fold secure against spoofing and provides perfect t-fold secrecy, thenthe number of encoding rules is bounded below by

b ≥(

v

t

).

Proof. Assuming that the authentication code is (t − 1)-fold secureagainst spoofing, we may establish analogously as in the proof of The-orem 3.7 that any set of t distinct messages is valid under at least oneencoding rule. Under the further assumption that the code providesperfect t-fold secrecy, we obtain as in the proof of the bound in The-orem 3.3 that any such set of t distinct messages must be valid underat least

(kt

)encoding rules. Now, counting pairs analogously as in the

proof of Theorem 3.7 establishes the claim.

We call such a code optimal if the number of encoding rules meetsthe lower bound with equality.

3.3 Authentication Codes with Secrecy 641

Theorem 3.18 (Stinson–Teirlinck [202]). Suppose there is anauthentication perpendicular array APAλ(t,k,v). Then there is anauthentication code for k source states, having v messages and λ · (vt)encoding rules, that is (t − 1)-fold secure against spoofing and achievesperfect t-fold secrecy. Moreover, the code is optimal if and only if λ = 1.

Proof. Let A be an APAλ(t,k,v). We construct the code as in Theo-rem 3.2, which gives immediately the desired secrecy capacity. To estab-lish that the code is also (t − 1)-fold secure against spoofing, we haveto prove that Pdi

= (k − i)/(v − i) for all 0 ≤ i ≤ t − 1. Let {mi}t∗+1i=1

be a set of distinct messages (0 ≤ t∗ ≤ t − 1). We assume that an oppo-nent observes the t∗ messages {mi}t∗

i=1 in the channel, and then sendsthe message mt∗+1. The probability payoff(mt∗+1,{mi}t∗

i=1) that themessage mt∗+1 is accepted by the receiver as authentic is

payoff(mt∗+1,{mi}t∗i=1)

=

∑e∈E({mi}t∗+1

i=1 ) p(e) · p({si}t∗i=1 = fe({mi}t∗

i=1))∑e∈E({mi}t∗

i=1) p(e) · p({si}t∗i=1 = fe({mi}t∗

i=1))

and as p(e) is constant, it follows that

payoff(mt∗+1,{mi}t∗i=1) =

∑e∈E({mi}t∗+1

i=1 ) p({si}t∗i=1 = fe({mi}t∗

i=1))∑e∈E({mi}t∗

i=1) p({si}t∗i=1 = fe({mi}t∗

i=1))

=λt∗+1

(k

t∗+1

)λt∗(

kt∗) .

As λt∗+1λt∗

= t∗+1v−t∗ due to Theorem 2.10, we obtain

payoff(mt∗+1,{mi}t∗i=1) =

(t∗ + 1)(

kt∗+1

)(v − t∗)

(kt∗) =

k − t∗

v − t∗.

So, we have Pdi= (k − i)/(v − i) for all 0 ≤ i ≤ t − 1, as desired. Obvi-

ously, optimality holds if and only if λ = 1 in view of Theorem 3.17,completing the proof.

In view of Examples 2.23 and 2.24, we hence obtain the subsequentresults.

642 Applications to Authentication and Secrecy Codes

Theorem 3.19 (Stinson–Teirlinck [202]). The following holds:

(a) For all odd positive integers k and all prime powersq ≡ 1 (mod 2k), there is an optimal authentication code withk source states and q messages, that is one-fold secure againstspoofing and provides perfect two-fold secrecy.

(b) For all prime powers q ≡ 3 (mod 4) (q ≥ 7) and all integersd ≥ 2, there is a (non-optimal) authentication code for q + 1source states, having qd + 1 messages and q3d−qd

2 encodingrules, that is two-fold secure against spoofing and providesperfect three-fold secrecy. Furthermore, there is an optimalcode for q + 1 source states and qd + 1 messages achievingthese capacities, when q = 7 or 31.

Further authentication codes with these properties can be con-structed from the other examples of authentication perpendiculararrays given in Section 2.3.

We state without proof the following result, which gives a partialconverse to Theorem 3.18.

Theorem 3.20 (Stinson [195]). Suppose there is an authenticationcode for k source states, having v messages and

(vt

)encoding rules,

that is (t − 1)-fold secure against spoofing and achieves perfect t-foldsecrecy, and k ≥ 2t − 1. Then there exists an authentication perpen-dicular array APA1(t,k,v).

We consider now authentication codes that are t-fold secure againstspoofing and simultaneously achieves perfect t-fold secrecy:

A combinatorial lower bound on the number of encoding rules aswell as a characterization of these codes can be obtained similarly asbefore.

Theorem 3.21 (Stinson [195]). If an authentication code is t-foldsecure against spoofing and provides perfect t-fold secrecy, then the

3.3 Authentication Codes with Secrecy 643

number of encoding rules is bounded below by

b ≥(

v

t

)v − t

k − t.

Again, we call such a code optimal when equality is achieved.

Theorem 3.22 (Stinson [195]). Suppose there is a perpendiculararray PAλ(t,k,k) and a (t + 1)-(v,k,λ′) design with k ≥ 2t − 1. Thenthere is an authentication code for k source states, having v messagesand λ·λ′(v−t)

k−t

(vt

)encoding rules, that is t-fold secure against spoofing

and achieves perfect t-fold secrecy. Moreover, the code is optimal ifand only if λ = λ′ = 1.

Using Example 2.17 and Steiner 2-( qd+1−1q−1 , q + 1,1) designs from

projective geometries (cf. Example 2.3) yields the following theorem.

Theorem 3.23 (Stinson [195]). The following holds:

(a) Suppose there is a Steiner 2-(v,k,1) design. Then there is anoptimal authentication code with k source states and v mes-sages, that is one-fold secure against spoofing and providesperfect one-fold secrecy.

(b) For all prime powers q and all positive integers d ≥ 2, there isan optimal authentication code for q + 1 source states, hav-ing qd+1−1

q−1 messages, that is one-fold secure against spoofingand provides perfect one-fold secrecy.

We obtain from Theorem 3.22 furthermore the next results.

Theorem 3.24 (Stinson [195]). The following holds:

(a) For all Mersenne primes q = 2a − 1 and for all integers d ≥ 2,there is a (non-optimal) authentication code for q + 1 sourcestates, having qd + 1 messages and (qd+1)qd(qd−1)

q−1 encodingrules, that is two-fold secure against spoofing and providesperfect two-fold secrecy.

644 Applications to Authentication and Secrecy Codes

(b) For all Fermat primes q = 2a + 1 and for all integers d ≥ 2,there is an optimal authentication code for q source states,having (q − 1)d + 1 messages, that is two-fold secure againstspoofing and provides perfect two-fold secrecy.

Proof. Since q + 1 = 2a is a prime power, there is an OA1(2, q + 1, q +1) in view of Example 2.28. Using spherical geometries from Exam-ple 2.7 establishes assertion (a).

By Example 2.18, there is a PA1(2, q,q). As q − 1 = 2a is a primepower, a Steiner 3-((q − 1)d + 1, q,1) design exists due to Example 2.7.This proves (b).

We remark that presently only five Fermat primes are known (3 =21 + 1, 5 = 22 + 1, 17 = 24 + 1, 257 = 28 + 1, and 65,537 = 216 + 1).For Mersenne primes, only 47 prime numbers are known (the largestknown Mersenne prime 2243,112,609 − 1 is indeed the largest knownprime number up to the time of writing; for the list of known Mersenneprimes, see sequence A000668 in [190].)

A partial converse to Theorem 3.22 can be stated (without proof)as follows.

Theorem 3.25 (Stinson [195]). Suppose there is an authenticationcode for k source states, having v messages and

(vt

)v−tk−t encoding rules,

that is t-fold secure against spoofing and achieves perfect t-fold secrecy.Then there is a (t + 1)-(v,k,λ) design with λ =

(kt

).

We summarize the results in this subsection in Table 3.5 (cf. [195]).

3.4 Authentication Codes with Secrecy in the VerificationOracle Model

Using the same notation as in the basic model (cf. Section 1.1), weconsider in this section an extended authentication model, where theopponent has access to a verification oracle (V-oracle). In this model,

3.4 Authentication Codes with Secrecy in the Verification Oracle Model 645

Table 3.5. Optimal and non-optimal authentication and secrecy codes.

tA tS k v b Optimal

1 1 q + 1 qd+1−1q−1

v(v−1)k−1 Yes

q prime power d ≥ 2

1 2 k ≥ 1 odd q ≡ 1 (mod 2k) v(v−1)2 Yes

q prime power

2 2 q + 1 qd + 1 v(v−1)(v−2)k−2 No

q Mersenne prime d ≥ 2

2 2 q (q − 1)d + 1 v(v−1)(v−2)2(k−2) Yes

q Fermat prime d ≥ 2

2 3 q + 1 qd + 1 v(v−1)(v−2)2 No

q ≡ 3 (mod 4) d ≥ 2

q ≥ 7 prime power

we assume that the opponent is no longer restricted to passively observ-ing messages transmitted by the sender to the receiver. The oppo-nent may send a message of the opponent’s choice to the receiver andobserve the receiver’s response whether or not the receiver accepts itas authentic. This more powerful, pro-active attack scenario can bemodeled in terms of a V-oracle that provides a response (accept orreject) to a query message in the same way as the message wouldbe accepted or not by the legitimate receiver. This attack model wasrecently introduced in [14, 177]. Further details on this model can befound in [14, 177, 213, 214].

Two types of attacks, an online and an offline attack, are consid-ered in [213]. In the online attack, the receiver is supposed to responseto each incoming query message, and thus the opponent is successfulas soon as the receiver accepts a message as authentic. Thus, everyquery message is at the same time a spoofing message. In the offlineattack, the query and the spoofing phase are separated. First, the oppo-nent makes all his queries to the oracle, and then uses this collected(state) information to construct a spoofing message. In both scenar-ios, the opponent is assumed to be adaptive. The online attack modelsan opponent’s interaction with a verification oracle such as an ATM,

646 Applications to Authentication and Secrecy Codes

while in the offline attack the opponent may have captured an offlineverification box. Often, the offline attack model is used as an interme-diate model for analyzing the online scenario.

We speak in each scenario of a spoofing attack of order i in the V-oracle model if the opponent has access to i verification queries. Theopponent’s strategy can be modeled via probability distributions onthe query set M of verification queries. The online deception proba-bility P online

di, respectively offline deception probability P offline

di, denotes the

probability that the opponent can deceive the receiver with a spoofingattack of order i.

We indicate lower bounds on the deception probabilities in theV-oracle model.

Theorem 3.26 (Tonien–Safavi-Naini–Wild [213]). In an authen-tication code with k source states and v messages, the offline and onlinedeception probabilities in the V-oracle model are bounded below by

P offlinedi

≥ k

vand P online

di≥ 1 −

(v−ki+1

)(

vi+1

) , respectively.

Moreover, it follows that

P offlinedi

=k

vif and only if P online

di= 1 −

(v−ki+1

)(

vi+1

) .

Hence, an authentication code that attains the bound in the offlineattack is the same as in the online attack, and vice versa. Clearly, P offline

di

is independent of i. If the bound for P onlinedi

is satisfied with equality, thenalso the bound for P online

di−1is satisfied with equality for i > 1 (cf. [213]).

Thus, a code is called t-fold secure against spoofing in the V-oraclemodel (in either scenario) if t = i.

An analogue to Theorem 3.7 has been derived for the V-oraclemodel.

Theorem 3.27(Tonien–Safavi-Naini–Wild [213]). If an authenti-cation code is (t − 1)-fold secure against spoofing in the V-oracle model,

3.4 Authentication Codes with Secrecy in the Verification Oracle Model 647

then the number of encoding rules is bounded below by

b ≥(vt

)(kt

) .Again, we call a code optimal when the lower bound holds with

equality.For equiprobable source states, optimal authentication codes which

are (t − 1)-fold secure against spoofing in the V-oracle model have beencharacterized recently. We present the result in a slightly more gener-alized form, which can be deduced from the original proof.

Theorem 3.28(Tonien–Safavi-Naini–Wild [213]). Suppose thereis a t-(v,k,λ) design. Then there is an authentication code for k

equiprobable source states, having v messages and λ · (vt)/(kt) encod-ing rules, that is (t − 1)-fold secure against spoofing in the V-oraclemodel. Conversely, if there is an authentication code for k equiproba-ble source states, having v messages and

(vt

)/(kt

)encoding rules, that is

(t − 1)-fold secure against spoofing in the V-oracle model, then thereis a Steiner t-(v,k,1) design.

We will now proceed as in Theorem 3.12 to construct optimalauthentication codes which are multi-fold secure against spoofing inthe V-oracle model and simultaneously achieve perfect secrecy.

Theorem 3.29 (Huber). Suppose there is a Steiner t-(v,k,1) designwith t ≥ 2, where v divides the number of blocks b. Then there is anoptimal authentication code for k equiprobable source states, having v

messages and(vt

)/(kt

)encoding rules, that is (t − 1)-fold secure against

spoofing in the V-oracle model and provides perfect secrecy.

Proof. The authentication capacity of the code follows from Theo-rem 3.28. Under the assumption that the encoding rules are used withequal probability, we may proceed as in the proof of Theorem 3.12 toestablish perfect secrecy.

648 Applications to Authentication and Secrecy Codes

Clearly, our constructions in Theorem 3.13 and the subsequenttables also work for authentication codes in the V-oracle model. Exem-plarily, we state:

Theorem 3.30(Huber). For all prime powers q and for all even inte-gers d ≥ 2, there is an optimal authentication code for an equiprobablesource probability distribution with q + 1 source states, having qd + 1messages, that is two-fold secure against spoofing in the V-oracle modeland provides perfect secrecy.

Moreover, Theorem 3.15 and all the other results obtained in Sub-section 3.3.1 can be transferred accordingly.

We close with an interesting open question:

Problem 3.1. Addressing a further variant of an extended authen-tication model, where the opponent has access to an authenticationoracle that provides the authenticated message corresponding to aquery source state in the same way as the legitimate sender would(cf. [14, 177]): Is it possible to give combinatorial characterizationsas well as constructions of optimal codes (with and without secrecyrequirements)?

3.5 Authentication Codes with Splitting

We study authentication codes with splitting in this section. In such acode, several messages can be used to communicate a particular plain-text (non-deterministic encoding). These codes were first introducedby Simmons [183]. The concept plays an important role, for instance,in the context of authentication codes that permit arbitration (cf. Sec-tion 3.6). We will make use of splitting t-designs, which we introducedin Section 2.4 and for which we gave basic necessary conditions regard-ing their existence.

Let S again denote a finite set of source states, M a finite setof messages, and E a finite set of encoding rules. In addition to the

3.5 Authentication Codes with Splitting 649

notion of the basic model in Section 1.1, we introduce the followingdefinitions: When it is possible that more than one message can beused to communicate a particular source state s ∈ S under the sameencoding rule e ∈ E , then the authentication code is said to have split-ting. In this case, a message m ∈ M is computed as m = e(s,r), wherer denotes a random number chosen from some specified finite set R. Ifwe define

e(s) := {m ∈ M | m = e(s,r) for some r ∈ R},

for each encoding rule e ∈ E and each source state s ∈ S, then splittingmeans that |e(s)| > 1 for some e ∈ E and some s ∈ S. In order to ensurethat the receiver can decrypt the message being sent, it is requiredfor any e ∈ E that e(s) ∩ e(s′) = ∅ if s �= s′. For a given encoding rulee ∈ E , let

M(e) :=⋃s∈S

e(s)

denote the set of valid messages. For an encoding rule e and a setM∗ ⊆ M(e) of distinct messages, we define

fe(M∗) := {s ∈ S | e(s) ∩ M∗ �= ∅},

i.e., the set of source states that will be encoded under encoding rulee by a message in M∗. A received message m will be accepted bythe receiver as being authentic if and only if m ∈ M(e). When this isfulfilled, the receiver decrypts the message m by applying the decodingrule e−1, where

e−1(m) = s if m = e(s,r) for some r ∈ R.

A splitting authentication code is called c-splitting if

|e(s)| = c

for every encoding rule e ∈ E and every source state s ∈ S. When split-ting occurs, the receiver and transmitter will also choose a splittingstrategy to determine m ∈ M, given s ∈ S and e ∈ E .

We first state lower bounds on deception probabilities for splittingauthentication codes.

650 Applications to Authentication and Secrecy Codes

Theorem 3.31 (De Soete–Blundo–De Santis–Kurosawa–Ogata[27, 53]). In a splitting authentication code, for every 0 ≤ i ≤ t, thedeception probabilities are bounded below by

Pdi≥ min

e∈E|M(e)| − i · maxs∈S |e(s)|

|M| − i.

A splitting authentication code is called t-fold secure against spoof-ing if

Pdi= min

e∈E|M(e)| − i · maxs∈S |e(s)|

|M| − i

for all 0 ≤ i ≤ t.For splitting authentication codes that are one-fold secure against

spoofing attacks, Brickell [30] and Simmons [187] have established acombinatorial lower bound on the number of encoding rules. A combi-natorial lower bound accordingly for multi-fold secure splitting authen-tication codes has been obtained lately.

Theorem 3.32 (Huber [106]). If a splitting authentication code is(t − 1)-fold secure against spoofing, then the number of encoding rulesis bounded below by

|E| ≥t−1∏i=0

|M| − i

|M(e)| − i · maxs∈S |e(s)| .

Proof. Let M∗ ⊆ M be a set of i ≤ t − 1 distinct messages that arevalid under a particular encoding rule, in such a way that they definei different source states. Let x ∈ M be any message not in M∗. Weassume that there is no encoding rule e ∈ E under which all messagesin M∗ ∪ {x} are valid and for which fe(x) /∈ fe(M∗). Following theproof of Theorem 3.31, mutatis mutandis, yields

Pdi> min

e∈E|M(e)| − i · maxs∈S |e(s)|

|M| − i,

3.5 Authentication Codes with Splitting 651

a contradiction. Therefore, any set of t distinct messages is valid underat least one encoding rule such that they define different source states.The bound follows now by counting in two ways the number of t-subsetsof messages that are valid under some encoding rule such that theycorrespond to different source states.

Analogously, we call a splitting authentication code optimal if thenumber of encoding rules meets the lower bound with equality.

As a consequence, we obtain for c-splitting authentication codes thefollowing lower bounds:

Corollary 3.33 (Huber [106]). In a c-splitting authentication code,

Pdi≥ c(|S| − i)

|M| − i

for every 0 ≤ i ≤ t.

Proof. We set l := |M(e)| = c |S|. Then Theorem 3.31 yields

Pdi≥ l − i · c

|M| − i=

c(|S| − i)|M| − i

.

Corollary 3.34 (Huber [106]). If a c-splitting authentication codeis (t − 1)-fold secure against spoofing, then

|E| ≥(|M|

t

)ct(|S|

t

) .

Proof. Using Theorem 3.32, we may proceed as for Corollary 3.33.

Ogata et al. characterized in 2004 optimal splitting authenticationcodes that are one-fold secure against spoofing. Their combinatorialresult is based on splitting 2-designs.

Theorem 3.35 (Ogata–Kurosawa–Stinson–Saido [165]). Sup-pose there is a 2-(v,b, l = cu,1) splitting design. Then there is an opti-mal c-splitting authentication code for u equiprobable source states,

652 Applications to Authentication and Secrecy Codes

having v messages and(v2

)/[c2

(u2

)] encoding rules, that is one-fold secure

against spoofing. Conversely, if there is an optimal c-splitting authen-tication code for u source states, having v messages and

(v2

)/[c2

(u2

)]

encoding rules, that is one-fold secure against spoofing, then there is a2-(v,b, l = cu,1) splitting design.

A simple example is as follows (cf. [165]).

Example 3.6. An optimal 2-splitting authentication code for u = 2equiprobable source states, having v = 9 messages and b = 9 encodingrules, that is one-fold secure against spoofing can be constructed fromthe 2-(9,9,4 = 2 × 2,1) splitting design in Example 2.25. Each encod-ing rule is used with probability 1/9. An encoding matrix is given inTable 3.6.

A natural extension of Theorem 3.35 has been obtained recently.Optimal splitting authentication codes that are multi-fold secureagainst spoofing can be characterized in terms of splitting t-designs.

Theorem 3.36 (Huber [106]). Suppose there is a t-(v,b, l = cu,1)splitting design with t ≥ 2. Then there is an optimal c-splitting

Table 3.6. Splitting authen-tication code from a 2-(9,9,4 = 2 × 2,1) splitting design.

s1 s2

e1 {1,2} {3,5}e2 {2,3} {4,6}e3 {3,4} {5,7}e4 {4,5} {6,8}e5 {5,6} {7,9}e6 {6,7} {8,1}e7 {7,8} {9,2}e8 {8,9} {1,3}e9 {9,1} {2,4}

3.5 Authentication Codes with Splitting 653

authentication code for u equiprobable source states, having v messagesand

(vt

)/[ct(ut

)] encoding rules, that is (t − 1)-fold secure against spoof-

ing. Conversely, if there is an optimal c-splitting authentication code foru source states, having v messages and

(vt

)/[ct(ut

)] encoding rules, that

is (t − 1)-fold secure against spoofing, then there is a t-(v,b, l = cu,1)splitting design.

Proof. Let us first assume that there is an optimal c-splittingauthentication code for |S| := u source states, having |M| := v

messages and |E| :=(vt

)/[ct(ut

)] encoding rules, that is (t − 1)-fold

secure against spoofing. In order to meet the lower bound in Theo-rem 3.32 with equality, every set of t distinct messages must be validunder precisely one encoding rule, in such a way that they define dif-ferent source states. For e ∈ E , let us define a block Be ∈ B as disjointunion

Be :=u⋃

j=1

e(sj).

Then (X,B) = (M,{Be | e ∈ E}) is a t-(v,b, l = cu,1) splitting design inview of Definition 2.5.

To prove the other direction, let |M| := v. For every block Bi ∈ Bwith

Bi =u⋃

j=1

Bi,j ,

we arbitrarily define an encoding rule eBi via

eBi(sj) := Bi,j

for each 1 ≤ j ≤ u. Using every encoding rule with equal probability1/b establishes the claim.

We give a simple example (cf. [106]).

Example 3.7. An optimal 2-splitting authentication code for u = 3equiprobable source states, having v = 10 messages and b = 15 encoding

654 Applications to Authentication and Secrecy Codes

Table 3.7. Splitting authentication codefrom a 3-(10,15,6 = 2 × 3,1) splitting design.

s1 s2 s3

e1 {1,2} {4,0} {5,9}e2 {1,3} {2,8} {5,0}e3 {1,4} {3,8} {6,9}e4 {1,5} {4,7} {6,8}e5 {1,7} {2,3} {4,8}e6 {1,8} {2,5} {6,9}e7 {1,8} {6,7} {9,0}e8 {1,9} {2,5} {3,7}e9 {1,9} {3,4} {7,0}e10 {2,4} {5,6} {7,9}e11 {2,5} {4,7} {3,0}e12 {2,9} {6,8} {3,0}e13 {2,0} {4,5} {6,8}e14 {3,7} {4,6} {8,0}e15 {3,9} {5,7} {6,0}

rules, that is two-fold secure against spoofing can be constructed fromthe 3-(10,15,6 = 2 × 3,1) splitting design in Example 2.26. Each encod-ing rule is used with probability 1/15. An encoding matrix is given inTable 3.7.

We close this section by indicating two interesting questions con-cerning future research.

Problem 3.2. We pose the following problems (cf. [106]):

(i) Construction of multi-fold secure splitting authenticationcodes: Using Theorem 3.36, this asks for systematicallyconstructing t-(v,b, l = cu,1) splitting design for t > 2. Weremark that in the case when t = 2, various combinato-rial constructions have been obtained recently, e.g., in [71]via recursive and direct constructions by the method ofdifferences.

3.6 Authentication Codes with Arbitration 655

(ii) Including the aspect of perfect secrecy: Is it possible to givea characterization of optimal splitting authentication codesthat are multi-fold secure against spoofing and simultane-ously achieve perfect (multi-fold) secrecy?

3.6 Authentication Codes with Arbitration

We only briefly mention authentication codes that permit arbitration.To our best knowledge, no secrecy aspects have been incorporated sofar. In this scenario, the two communicating parties do not trust eachother, and hence disputes between them may occur. Hence, a trustedperson (i.e., the arbiter) is also involved in this model. The arbiterchooses an encoding rule eK which is distributed only to the transmitterand a verification rule fK which is distributed only to the receiver.The arbiter is only present to resolve possible disputes and does nottake part in any communication activities. The arbiter is assumed tobe honest. Sometimes such a code is also called an A2-code. Thesecodes were introduced by Simmons [186, 187]. Further important workinclude [73, 120, 121, 136, 137, 138, 170].

We generally remark that further constructions and characteri-zations of authentication codes from combinatorial designs can beobtained by using entropy bounds, instead of combinatorial bounds, ondeception probabilities and encoding rules. For this different approach,see [170] and the references therein.

We also mention that there are various other constructions of dif-ferent types of authentication codes, using, e.g., algebraic curves [228],Galois rings [168], rational normal curves [170], generalized quadran-gles [52, 180], coding theory [218], universal hashing [198], and manymore. A bibliography on early publications (until 1998) on authentica-tion and secrecy codes is online available [204].

3.7 Other Applications

We highlight in this section some further applications of combinatorialdesigns which we have not discussed so far. Particularly the last fewyears have witnessed an increasing body of work in the communications

656 Applications to Authentication and Secrecy Codes

and information theory, cryptography, and computer science litera-ture that makes substantial use of combinatorial designs. Generalsurveys are [43, 44, 48, 197, 200]. Specific areas of recent applicationsinclude:

• Secret sharing schemes. There are several constructionsand characterizations of secret sharing schemes based oncombinatorial designs. These include combinatorial charac-terizations of ideal threshold schemes via orthogonal arrays,anonymous threshold schemes via partitionable and resolv-able Steiner designs, and optimum secret sharing schemessecure against cheating via difference sets, amongst others.There are also combinatorial constructions for non-perfectthreshold schemes. Cf., e.g., [164, 165, 197, 203].

• Visual cryptography. Visual threshold schemes have beenobtained based on 2-designs. In particular, schemes withoptimal relative contrast have been constructed via 2-designsobtained from Hadamard matrices, depending on the famousHadamard Matrix Conjecture (1893). Cf., e.g., [28, 29, 63].

• Key predistribution for distributed wireless sensornetworks. A variety of combinatorial designs have foundapplications for different types of cryptographic key estab-lishment schemes. In particular, key predistribution schemessuitable for distributed wireless sensor networks have beenconstructed via 2-designs, 3-designs, transversal designs andstrongly-regular graphs. Cf., e.g., [141, 151, 224].

• Powerline communication (PCL). Permutation arraysoffer a way of encoding data which allows the noise problemsexperienced in PLCs to be overcome. These combinatorialstructures are closely related to mutually orthogonal Latinsquares (MOLS). Cf., e.g., [45, 110, 169].

• Frequency-hopping (FH) sequences. Various FHsequences have been constructed by means of combinatorialstructures such as affine geometries, cyclic designs, differ-ence families and difference packings, which are useful forfrequency-hopping spread-spectrum (FHSS) communication

3.8 Synthesis and Discussion 657

systems and ultra-wide-band (UWB) communication sys-tems. Cf., e.g., [40, 68, 70, 72].

• Low-density parity-check (LDPC) codes. Finitegeometries (also partial geometries) and Steiner 2-designs(particularly when resolvable or cyclic) have been used forthe design of regular LDPC codes. One of the main advan-tages of these structured LDPC codes is that they can lendthemselves to very low-complexity encoding, as opposed torandom-like LDPC codes. Experimental results show thatthe proposed codes perform well with iterative decoding. Cf.,e.g., [3, 122, 123, 133, 220].

• Software and hardware testing. Orthogonal arrays andcombinatorial structures known as covering arrays havefound applications as efficient test suites in the testing ofsoftware and hardware. Cf., e.g., [32, 90, 155].

• Group testing algorithms in DNA screening. Steinert-designs, in particular resolvable Steiner 2-designs and2-resolvable Steiner 3-designs, provide useful structures toachieve a minimal number of individual tests in a two-stagedisjunctive testing algorithm. Transversal designs have alsobeen used for one- and two-stage group testing algorithms.Cf., e.g., [62, 212].

3.8 Synthesis and Discussion

We have discussed applications of combinatorial designs for the con-struction and characterization of authentication and secrecy codes. Wehave considered different attack scenarios in the classical Shannon-Simmons model and in extended models, such as with oracle accessor in case of non-deterministic encoding. Moreover, we have given atutorial overview of combinatorial designs and we pointed to furtherapplications of combinatorial designs in various other fields.

Several challenging open problems have been stated throughout thetext. Another direction for future work may concern applications ofthe proposed codes with regard to authentication and secrecy aspectsin group communication. Moving from point-to-point communication

658 Applications to Authentication and Secrecy Codes

to point-to-multipoint communication, the concept of multi-receiver(or group-based, broadcast) authentication codes was introduced byDesmedt et al. [58] and extended in [69, 163, 178, 179, 177]. Multi-receiver authentication codes have found recent applications in networkcoding [166, 167], amongst others. In such a multi-receiver authentica-tion code, a trusted sender constructs an authenticated message for agroup of receivers such that each receiver can individually verify theauthenticity of the received message. The receivers are not trusted andmay try to construct fraudulent messages on behalf of the transmitter.If the fraudulent message is accepted by even one receiver the attackhas been successful. Often, constructions of multi-receiver authentica-tion codes are obtained by combining conventional authentication codeswith further building blocks, including combinatorial designs such asorthogonal arrays and cover-free families, finite geometries, perfect hashfamilies, secret sharing schemes, etc. It is therefore interesting to inves-tigate further applications of the proposed codes in this framework(with and without secrecy constraints).

4Appendix

4.1 Multiply Homogeneous Permutation Groups

We list all finite multiply homogeneous permutation groups. We remarkthat besides the symmetric or alternating groups, the sporadic simpleMathieu groups Mv with v = 11, 23 and v = 12, 24 are the only finite4- and 5-transitive permutation groups, respectively.

Let G be a group acting 2-homogeneously on a finite set X ofv ≥ 3 points. If G is not 2-transitive on X, then G ≤ AΓL(1, q) withv = q ≡ 3 (mod 4) by a result of Kantor [125]. On the other hand,relying on the Classification of the Finite Simple Groups (CFSG), all2-transitive groups on X are known (cf. [51, 80, 93, 94, 116, 127, 143,150]). By a classical result of Burnside, they split into two types ofgroups. The list of groups is as follows: A finite 2-transitive permuta-tion group G on X is either of

(A) Affine Type: G contains a regular normal subgroup T whichis elementary Abelian of order v = pd, where p is a prime. If a divides d,and if we identify G with a group of affine transformations

x → xg + u

659

660 Appendix

of V = V (d,p), where g ∈ G0 and u ∈ V , then particularly one of thefollowing occurs:

(1) G ≤ AΓL(1,pd)(2) G0 � SL(d

a ,pa), d ≥ 2a

(3) G0 � Sp(2da ,pa), d ≥ 2a

(4) G0 � G2(2a)′, d = 6a

(5) G0 ∼= A6 or A7, v = 24

(6) G0 � SL(2,3) or SL(2,5), v = p2, p = 5,7,11,19,23,29 or 59,or v = 34

(7) G0 contains a normal extraspecial subgroup E of order 25,and G0/E is isomorphic to a subgroup of S5, v = 34

(8) G0 ∼= SL(2,13), v = 36,

or

(B) Almost Simple Type: G contains a simple normal subgroupN , and N ≤ G ≤ Aut(N). In particular, one of the following holds,where N and v = |X| are given as follows:

(1) Av, v ≥ 5(2) PSL(d,q), d ≥ 2, v = qd−1

q−1 , where (d,q) �= (2,2),(2,3)(3) PSU(3, q2), v = q3 + 1, q > 2(4) Sz(q), v = q2 + 1, q = 22e+1 > 2 (Suzuki groups)(5) Re(q), v = q3 + 1, q = 32e+1 > 3 (Ree groups)(6) Sp(2d,2), d ≥ 3, v = 22d−1 ± 2d−1

(7) PSL(2,11), v = 11(8) PSL(2,8), v = 28 (N is not 2-transitive)(9) Mv, v = 11,12,22,23,24 (Mathieu groups)

(10) M11, v = 12(11) A7, v = 15(12) HS, v = 176 (Higman–Sims group)(13) Co3, v = 276. (smallest Conway group)

We also state the classification of all finite 3-homogeneous permuta-tion groups, again relying on CFSG (cf. [36, 80, 126, 143, 146]). The listof groups is as follows: Let G be a finite 3-homogeneous permutation

4.1 Multiply Homogeneous Permutation Groups 661

group on a finite set X of v ≥ 4 points. Then G is either of(A) Affine Type: G contains a regular normal subgroup T which

is elementary Abelian of order v = 2d. If we identify G with a group ofaffine transformations

x → xg + u

of V = V (d,2), where g ∈ G0 and u ∈ V , then particularly one of thefollowing occurs:

(1) G ∼= AGL(1,8), AΓL(1,8) or AΓL(1,32)(2) G0 ∼= SL(d,2), d ≥ 2(3) G0 ∼= A7, v = 24

or

(B) Almost Simple Type: G contains a simple normal subgroupN , and N ≤ G ≤ Aut(N). In particular, one of the following holds,where N and v = |X| are given as follows:

(1) Av, v ≥ 5(2) PSL(2, q), q > 3, v = q + 1(3) Mv, v = 11,12,22,23,24(4) M11, v = 12

It is elementary that if q is odd, then PSL(2, q) is 3-homogeneous forq ≡ 3 (mod 4), but not for q ≡ 1 (mod 4), and hence not every groupG of almost simple type satisfying (2) is 3-homogeneous on X.

For further properties of the listed groups, we refer, e.g., to [38, 49,61, 117, 118].

Acknowledgments

I thank Prof. Douglas Stinson, University of Waterloo, for an inspiringconversation on this topic. I am also indebted to the Editor-in-ChiefProf. Sergio Verdu, Princeton University, and Mike Casey fromNow Publishers for their interest and encouragement to write thisFoundations and Trends issue as well as to an anonymous reviewerfor insightful comments. This work was supported by the DeutscheForschungsgemeinschaft (DFG) via a Heisenberg grant (Hu954/4) anda Heinz Maier-Leibnitz Prize grant (Hu954/5). Last but certainly notleast, special thanks to my wife Susanne and our two daughters Lynn-Scharon and Sheila-Ann.

662

References

[1] R. J. R. Abel, C. J. Colbourn, and J. H. Dinitz, “Mutually orthogonal Latinsquares (MOLS),” in Handbook of Combinatorial Designs, (C. J. Colbournand J. H. Dinitz, eds.), pp. 160–193, Boca Raton: CRC Press, 2006.

[2] M. Aigner, A Course in Enumeration. Berlin, Heidelberg, New York: Springer,2007.

[3] B. Ammar, B. Honary, Y. Kou, J. Xu, and S. Lin, “Construction of low-density parity-check codes based on balanced incomplete block designs,” IEEETransactions on Information Theory, vol. 50, pp. 1257–1269, 2004.

[4] M. Aschbacher, Sporadic Groups. Cambridge: Cambridge University Press,1994.

[5] M. Aschbacher, Finite Group Theory. Cambridge: Cambridge UniversityPress, 2000.

[6] E. F. Assmus Jr. and J. D. Key, Designs and Their Codes. Cambridge: Cam-bridge University Press, 1993.

[7] E. F. Assmus Jr. and J. D. Key, “Designs and codes: an update,” Designs,Codes and Cryptography, vol. 9, pp. 7–27, 1996.

[8] E. F. Assmus Jr. and H. F. Mattson Jr., “On tactical configurations anderror-correcting codes,” Journal of Combinatorial Theory, Series A, vol. 2,pp. 243–257, 1967.

[9] E. F. Assmus Jr. and H. F. Mattson Jr., “New 5-designs,” Journal of Combi-natorial Theory, Series A, vol. 6, pp. 122–151, 1969.

[10] E. F. Assmus Jr. and H. F. Mattson Jr., “Coding and combinatorics,” SIAMReview, vol. 16, pp. 349–388, 1974.

[11] R. A. Bailey, Design of Comparative Experiments. Cambridge: CambridgeUniversity Press, 2008.

663

664 References

[12] R. A. Bailey, P. J. Cameron, and R. Connelly, “Sudoku, gerechte designs,resolutions, affine space, spreads, reguli, and Hamming codes,” The AmericanMathematical Monthly, vol. 115, pp. 383–404, 2008.

[13] J. A. Barrau, “On the combinatory problem of Steiner,” in Proc. Sect. Sci.Konink. Akad. Wetensch. Amsterdam, pp. 352–360, 1908.

[14] M. Bellare, O. Goldreich, and A. Mityagin, “The power of verification queriesin message authentication and authenticated encryption,” Cryptology ePrintArchive, Report 2004/309, 2004.

[15] D. J. Bernstein, J. Buchmann, and E. Dahmen, eds., Post-Quantum, Cryp-tography. Berlin, Heidelberg, New York: Springer, 2009.

[16] T. Beth, D. Jungnickel, and H. Lenz, Design Theory, vols. I and II, Ency-clopedia of Math. and Its Applications, vol. 69/78. Cambridge: CambridgeUniversity Press, 1999.

[17] A. Betten, E. Haberberger, R. Laue, and A. Wassermann, DISCRETA — AProgram to Construct t-Designs with Prescribed Automorphism Group. Avail-able at http://www.algorithm.uni-bayreuth.de/en/research/discreta/index.html.

[18] A. Betten, R. Laue, S. Molodtsov, and A. Wassermann, “Steiner systemswith automorphism groups PSL(2,71), PSL(2,83) and PΣL(2,35),” Journalof Geometry, vol. 67, pp. 35–41, 2000.

[19] A. Betten, R. Laue, and A. Wassermann, “A Steiner 5-design on 36 points,”Designs, Codes and Cryptography, vol. 17, pp. 181–186, 1999.

[20] A. Beutelspacher, “Projective planes,” in Handbook of Incidence Geometry,(F. Buekenhout, ed.), pp. 101–136, Amsterdam, New York, Oxford: North-Holland, 1995.

[21] A. Beutelspacher, Einfuhrung in die endliche Geometrie I: Blockplane.Mannheim, Wien, Zurich: Bibliographisches Institut, 2006.

[22] J. Bierbrauer, “Ordered designs, perpendicular arrays, and permutation sets,”in Handbook of Combinatorial Designs, (C. J. Colbourn and J. H. Dinitz, eds.),pp. 543–547, Boca Raton: CRC Press, 2006.

[23] J. Bierbrauer and Y. Edel, “Theory of perpendicular arrays,” Journal of Com-binatorial Designs, vol. 2, pp. 375–406, 1994.

[24] J. Bierbrauer and T. van Trung, “Halving PGL(2,2f ), f odd: A series ofcryptocodes,” Designs, Codes and Cryptography, vol. 1, pp. 141–148, 1991.

[25] J. Bierbrauer and T. van Trung, “Some highly symmetric authentication per-pendicular arrays,” Designs, Codes and Cryptography, vol. 1, pp. 307–319,1991.

[26] I. F. Blake, “Codes and designs,” Mathematics Magazine, vol. 52, pp. 81–95,1979.

[27] C. Blundo, A. De Santis, K. Kurosawa, and W. Ogata, “On a fallaciousbound for authentication codes,” Journal of Cryptology, vol. 12, pp. 155–159,1999.

[28] C. Blundo, A. De Santis, and D. R. Stinson, “On the contrast in visual cryp-tography schemes,” Journal of Cryptology, vol. 12, pp. 261–289, 1999.

[29] M. Bose and R. Mukerjee, “Optimal (k,n) visual cryptographic schemes forgeneral k,” Designs, Codes and Cryptography, vol. 55, pp. 19–35, 2010.

References 665

[30] E. F. Brickell, “A few results in message authentication,” Congressus Numer-antium, vol. 43, pp. 141–154, 1984.

[31] R. H. Bruck and H. J. Ryser, “The non-existence of certain finite projectiveplanes,” Canadian Journal of Mathematics, vol. 1, pp. 88–93, 1949.

[32] R. C. Bryce and C. J. Colbourn, “A density-based greedy algorithm forhigher strength covering arrays,” Software Testing, Verification and Relia-bility, vol. 19, pp. 37–53, 2009.

[33] J. Buchmann, A. May, and U. Vollmer, “Perspectives for cryptographic long-term security,” Communications of the ACM, vol. 49, pp. 50–55, 2006.

[34] F. Buekenhout, ed., Handbook of Incidence Geometry. Amsterdam, New York,Oxford: North-Holland, 1995.

[35] P. J. Cameron, Parallelisms of Complete Designs. London MathematicalSociety, Lecture Note Series, vol. 23. Cambridge: Cambridge University Press,1976.

[36] P. J. Cameron, “Finite permutation groups and finite simple groups,” Bulletinof the London Mathematical Society, vol. 13, pp. 1–22, 1981.

[37] P. J. Cameron, Combinatorics: Topics, Techniques, Algorithms. Cambridge:Cambridge University Press, 1994. Reprint (1996).

[38] P. J. Cameron, Permutation Groups. Cambridge: Cambridge University Press,1999.

[39] P. J. Cameron and J. H. van Lint, Designs, Graphs, Codes and their Links.Cambridge: Cambridge University Press, 1991.

[40] Z. Cao, G. Ge, and Y. Miao, “Combinatorial characterizations of one-coincidence frequency-hopping sequences,” Designs, Codes and Cryptography,vol. 41, pp. 177–184, 2006.

[41] R. D. Carmichael, Introduction to the Theory of Groups of Finite Order.Boston: Ginn, 1937. Reprint: Dover Publications, New York, 1956.

[42] C. J. Colbourn, “Triple systems,” in Handbook of Combinatorial Designs,(C. J. Colbourn and J. H. Dinitz, eds.), pp. 58–71, Boca Raton: CRC Press,2006.

[43] C. J. Colbourn and J. H. Dinitz, eds., Handbook of Combinatorial Designs.Boca Raton: CRC Press, 2nd ed., 2006.

[44] C. J. Colbourn, J. H. Dinitz, and D. R. Stinson, “Applications of combinato-rial designs to communications, cryptography, and networking,” in Surveys inCombinatorics, London Mathematical Society, Lecture Note Series, vol. 267,(J. D. Lamb and D. A. Preece, eds.), pp. 37–100, Cambridge: CambridgeUniversity Press, 1999.

[45] C. J. Colbourn, T. Kløve, and A. C. H. Ling, “Permutation arrays forpowerline communication and mutually orthogonal latin squares,” IEEETransactions on Information Theory, vol. 50, pp. 1289–1291, 2004.

[46] C. J. Colbourn and R. Mathon, “Steiner systems,” in Handbook of Combi-natorial Designs, (C. J. Colbourn and J. H. Dinitz, eds.), pp. 102–110, BocaRaton: CRC Press, 2006.

[47] C. J. Colbourn and A. Rosa, Triple Systems. Oxford: Oxford University Press,1999.

666 References

[48] C. J. Colbourn and P. C. van Oorschot, “Applications of combinatorial designsin computer science,” ACM Computing Surveys, vol. 21, pp. 223–250, 1989.

[49] J. H. Conway, R. T. Curtis, S. P. Norton, R. A. Parker, and R. A. Wilson,Atlas of Finite Groups. Oxford: Oxford University Press, 1985.

[50] J. H. Conway and N. J. A. Sloane, Sphere Packings, Lattices and Groups.Berlin, Heidelberg, New York: Springer, 3rd ed., 1998.

[51] C. W. Curtis, W. M. Kantor, and G. M. Seitz, “The 2-transitive permutationrepresentations of the finite Chevalley groups,” Transactions of the AmericanMathematical Society, vol. 218, pp. 1–59, 1976.

[52] M. De Soete, “Some constructions for authentication-secrecy codes,” inAdvances in Cryptology — EUROCRYPT 1988, Lecture Notes in ComputerScience, vol. 330, (C. G. Gunther, ed.), pp. 23–49, Berlin, Heidelberg, NewYork: Springer, 1988.

[53] M. De Soete, “New bounds and constructions for authentication-secrecy codeswith splitting,” Journal of Cryptology, vol. 3, pp. 173–186, 1991.

[54] P. Dembowski, Finite Geometries. Berlin, Heidelberg, New York: Springer,1968. Reprint (1997).

[55] J. Denes and A. D. Keedwell, Latin Squares: New Developments in the Theoryand Applications, Annals of Discrete Math., vol. 46. Amsterdam, New York,Oxford: North-Holland, 1991.

[56] R. H. F. Denniston, “Some new 5-designs,” Bulletin of the London Mathemat-ical Society, vol. 8, pp. 263–267, 1976.

[57] R. H. F. Denniston, “A small 4-design,” Annals of Discrete Mathematics,vol. 18, pp. 291–294, 1983.

[58] Y. Desmedt, Y. Frankel, and M. Yung, “Multi-receiver/Multi-sender networksecurity: Efficient authenticated multicast/feedback,” in Proceedings of IEEEInfocom 1992, pp. 2045–2054, 1992.

[59] C. Ding, A. Salomaa, P. Sole, and X. Tian, “Three constructions of authenti-cation/secrecy codes,” Journal of Pure and Applied Algebra, vol. 196, pp. 149–168, 2005.

[60] C. Ding and X. Tian, “Three constructions of authentication codes withperfect secrecy,” Designs, Codes and Cryptography, vol. 33, pp. 227–239,2004.

[61] J. D. Dixon and B. Mortimer, Permutation Groups. Berlin, Heidelberg, NewYork: Springer, 1996.

[62] D.-Z. Du and F. K. Hwang, Pooling Designs and Nonadaptive Group Testing:Important Tools for DNA Sequencing. Singapore: World Scientific, 2006.

[63] P. A. Eisen and D. R. Stinson, “Threshold visual cryptography schemes withspecified whiteness levels of reconstructed pixels,” Designs, Codes and Cryp-tography, vol. 25, pp. 15–61, 2002.

[64] L. Euler, “Recherches sur une nouvelle espece de quarres magiques,” Verh.Zeeuwsch. Genootsch. Wetensch. Vlissingen, vol. 9, pp. 85–239, 1782.

[65] R. A. Fisher, The Design of Experiments. Edinburgh: Oliver and Boyd, 1935.9th ed., NewYork: Macmillan, 1971.

[66] R. A. Fisher, “An examination of the different possible solutions of a problemin incomplete blocks,” Annals of Eugenics, vol. 10, pp. 52–75, 1940.

References 667

[67] F. Fitting, “Zyklische Losungen des Steiner’schen Problems,” Nieuw. Arch.Wisk., vol. 11, pp. 140–148, 1915.

[68] R. Fuji-Hara, Y. Miao, and M. Mishima, “Optimal frequency hoppingsequences: A combinatorial approach,” IEEE Transactions on InformationTheory, vol. 50, pp. 2408–2420, 2004.

[69] H. Fujii, W. Kachen, and K. Kurosawa, “Combinatorial bounds and designof broadcast authentication,” IEICE Transactions, vol. E97-A, pp. 502–506,1996.

[70] G. Ge, R. Fuji-Hara, and Y. Miao, “Further combinatorial constructionsfor optimal frequency-hopping sequences,” Journal of Combinatorial Theory,Series A, vol. 113, pp. 1699–1718, 2006.

[71] G. Ge, Y. Miao, and L. Wang, “Combinatorial constructions for optimal split-ting authentication codes,” SIAM Journal on Discrete Mathematics, vol. 18,pp. 663–678, 2005.

[72] G. Ge, Y. Miao, and Z. Yao, “Optimal frequency hopping sequences: Auto-and cross-correlation properties,” IEEE Transactions on Information Theory,vol. 55, pp. 867–879, 2009.

[73] G. Ge, Y. Miao, and L. Zhu, “GOB designs for authentication codeswith arbitration,” Designs, Codes and Cryptography, vol. 40, pp. 303–317,2006.

[74] E. N. Gilbert, F. J. MacWilliams, and N. J. A. Sloane, “Codes which detectdeception,” Bell System Technical Journal, vol. 53, pp. 405–424, 1974.

[75] P. Godlewski and C. Mitchell, “Key-minimal cryptosystems for unconditionalsecrecy,” Journal of Cryptology, vol. 3, pp. 1–25, 1990.

[76] M. J. E. Golay, “Notes on digital coding,” Proceedings of IRE, vol. 37, p. 657,1949.

[77] O. Goldreich, Foundations of Cryptography, vols. I and II. Cambridge: Cam-bridge University Press, 2001/2004.

[78] O. Goldreich, “Foundations of Cryptography — A Primer,” Foundations andTrends in Theoretical Computer Science, vol. 1, pp. 1–116, 2005.

[79] K. Gopalakrishnan and D. R. Stinson, “Secrecy and authentication codes,” inHandbook of Combinatorial Designs, (C. J. Colbourn and J. H. Dinitz, eds.),pp. 606–611, Boca Raton: CRC Press, 2006.

[80] D. Gorenstein, Finite Simple Groups. An Introduction to Their Classification.New York, London: Plenum Publishing Corp., 1982.

[81] R. L. Graham, M. Grotschel, and L. Lovasz, eds., Handbook of Combinatorics,vols. I and II. Amsterdam, New York, Oxford: North-Holland, 1995.

[82] M. J. Grannell and T. S. Griggs, “On Steiner systems S(5,6,24),” Ars Com-binatoria, vol. 8, pp. 45–48, 1979.

[83] M. J. Grannell, T. S. Griggs, and R. Mathon, “Some Steiner 5-designs with108 and 132 points,” Journal of Combinatorial Designs, vol. 1, pp. 213–238,1993.

[84] M. J. Grannell, T. S. Griggs, and R. Mathon, “Steiner systems S(5,6,v) withv = 72 and 84,” Mathematics of Computation, vol. 67, pp. 357–359, 1998.

[85] A. Granville, A. Moisiadis, and R. Rees, “Nested Steiner n-gon systems andperpendicular arrays,” Journal of Combinatorial Mathematics and Combina-torial Computing, vol. 3, pp. 163–167, 1988.

668 References

[86] M. Hall Jr., Combinatorial Theory. New York: J. Wiley, 1986.[87] R. W. Hamming, “Error detecting and error correcting codes,” Bell System

Technical Journal, vol. 29, pp. 147–160, 1950.[88] H. Hanani, “On quadruple systems,” Canadian Journal of Mathematics,

vol. 12, pp. 145–157, 1960.[89] H. Hanani, “A class of three-designs,” Journal of Combinatorial Theory, Series

A, vol. 26, pp. 1–19, 1979.[90] A. Hartman, “Software and hardware testing using combinatorial covering

suites,” in Interdisciplinary Applications of Graph Theory, Combinatorics, andAlgorithms, (M. C. Golumbic and I. B.-A. Hartman, eds.), pp. 237–266, Berlin,Heidelberg, New York: Springer, 2005.

[91] A. Hartman and K. T. Phelps, “Steiner quadruple systems,” in ContemporaryDesign Theory, (J. H. Dinitz and D. R. Stinson, eds.), pp. 205–240, New York:Wiley, 1992.

[92] A. S. Hedayat, N. J. A. Sloane, and J. Stufken, Orthogonal Arrays: Theoryand Applications. Berlin, Heidelberg, New York: Springer, 1999.

[93] C. Hering, “Transitive linear groups and linear groups which contain irre-ducible subgroups of prime order,” Geometriae Dedicata, vol. 2, pp. 425–460,1974.

[94] C. Hering, “Transitive linear groups and linear groups which contain irre-ducible subgroups of prime order II,” Journal of Algebra, vol. 93, pp. 151–164,1985.

[95] J. W. P. Hirschfeld, Projective Geometries over Finite Fields. Oxford: OxfordUniversity Press, 1998.

[96] M. Huber, “Classification of flag-transitive Steiner quadruple systems,” Jour-nal of Combinatorial Theory, Series A, vol. 94, pp. 180–190, 2001.

[97] M. Huber, “The classification of flag-transitive Steiner 3-designs,” Advancesin Geometry, vol. 5, pp. 195–221, 2005.

[98] M. Huber, “A census of highly symmetric combinatorial designs,” Journal ofAlgebraic Combinatorics, vol. 26, pp. 453–476, 2007.

[99] M. Huber, “The classification of flag-transitive Steiner 4-designs,” Journal ofAlgebraic Combinatorics, vol. 26, pp. 183–207, 2007.

[100] M. Huber, “Steiner t-designs for large t,” in Mathematical Methods inComputer Science (Beth Festschrift), Lecture Notes in Computer Science,vol. 5393, (J. Calmet et al., eds.), pp. 18–26, Berlin, Heidelberg, New York:Springer, 2008.

[101] M. Huber, Flag-transitive Steiner Designs. Basel, Berlin, Boston: Birkhauser,2009.

[102] M. Huber, “Authentication and secrecy codes for equiprobable source proba-bility distributions,” in Proc. IEEE International Symposium on InformationTheory (ISIT) 2009, pp. 1105–1109, 2009.

[103] M. Huber, “Almost simple groups with socle Ln(q) acting on Steiner quadruplesystems,” Journal of Combinatorial Theory, Series A, vol. 117, pp. 1004–1007,2010.

[104] M. Huber, “Block-transitive designs in affine spaces,” Designs, Codes andCryptography, vol. 55, pp. 235–242, 2010.

References 669

[105] M. Huber, “Coding theory and algebraic combinatorics,” in Selected Topicsin Information and Coding Theory, Series on Coding Theory and Cryptology,vol. 7, (I. Woungang et al., eds.), pp. 121–158, Singapore: World Scientific,2010.

[106] M. Huber, “Combinatorial bounds and characterizations of splitting authen-tication codes,” Cryptography and Communications, in press (online first),2010.

[107] M. Huber, “Constructing optimal authentication codes with perfect multi-foldsecrecy,” in Proceedings of International Zurich Seminar on Communications(IZS) 2010, pp. 86–89, 2010.

[108] M. Huber, “On the Cameron–Praeger conjecture,” Journal of CombinatorialTheory, Series A, vol. 117, pp. 196–203, 2010.

[109] M. Huber, “On the existence of block-transitive combinatorial designs,” Dis-crete Mathematics and Theoretical Computer Science (DMTCS), vol. 12,pp. 123–132, 2010.

[110] S. Huczynska, “Powerline communication and the 36 officers problem,” Philo-sophical Transactions of the Royal Society A, vol. 364, pp. 3199–3214, 2006.

[111] W. C. Huffman and V. Pless, eds., Handbook of Coding Theory, vols. I and II.Amsterdam, New York, Oxford: North-Holland, 1998.

[112] W. C. Huffman and V. Pless, Fundamentals of Error-Correcting Codes. Cam-bridge: Cambridge University Press, 2003.

[113] D. R. Hughes and F. C. Piper, Projective Planes. Berlin, Heidelberg, NewYork: Springer, 1982.

[114] D. R. Hughes and F. C. Piper, Design Theory. Cambridge: CambridgeUniversity Press, 1985.

[115] S. H. Y. Hung and N. S. Mendelsohn, “On the Steiner systems S(3,4,14) andS(4,5,15),” Utilitas Mathematica, vol. 1, pp. 5–95, 1972.

[116] B. Huppert, “Zweifach transitive, auflosbare Permutationsgruppen,” Mathe-matische Zeitschrift, vol. 68, pp. 126–150, 1957.

[117] B. Huppert, Endliche Gruppen I. Berlin, Heidelberg, New York: Springer,1967.

[118] B. Huppert and N. Blackburn, Finite Groups III. Berlin, Heidelberg, NewYork: Springer, 1982.

[119] Y. J. Ionin and M. S. Shrikhande, Combinatorics of Symmetric Designs.Cambridge: Cambridge University Press, 2006.

[120] T. Johansson, “Lower bounds on the probability of deception in authentica-tion with arbitration,” IEEE Transactions on Information Theory, vol. 40,pp. 1573–1585, 1994.

[121] T. Johansson, “Further results on asymmetric authentication schemes,” Infor-mation and Computation, vol. 151, pp. 100–133, 1999.

[122] S. J. Johnson and S. J. Weller, “Resolvable 2-designs for regular low-density parity-check codes,” IEEE Transactions on Communications, vol. 51,pp. 1413–1419, 2003.

[123] S. J. Johnson and S. R. Weller, “Codes for iterative decoding from partialgeometries,” IEEE Transactions on Communications, vol. 52, pp. 236–243,2004.

670 References

[124] D. Jungnickel, “Lateinische Quadrate, ihre Geometrien und ihre Gruppen,”Jahresber. Deutsch. Math. Verein., vol. 86, pp. 69–108, 1984.

[125] W. M. Kantor, “Automorphisms of designs,” Mathematische Zeitschrift,vol. 109, pp. 246–252, 1969.

[126] W. M. Kantor, “k-homogeneous groups,” Mathematische Zeitschrift, vol. 124,pp. 261–265, 1972.

[127] W. M. Kantor, “Homogeneous designs and geometric lattices,” Journal ofCombinatorial Theory, Series A, vol. 38, pp. 66–74, 1985.

[128] P. Kaski and P. R. J. Ostergard, “The Steiner triple systems of order 19,”Mathematics of Computation, vol. 73, pp. 2075–2092, 2004.

[129] P. Kaski and P. R. J. Ostergard, Classification Algorithms for Codes andDesigns. Berlin, Heidelberg, New York: Springer, 2006.

[130] P. Kaski, P. R. J. Ostergard, and O. Pottonen, “The Steiner quadruple systemsof order 16,” Journal of Combinatorial Theory, Series A, vol. 113, pp. 1764–1770, 2006.

[131] T. P. Kirkman, “On a problem in combinatorics,” The Cambridge and DublinMathematical Journal, vol. 2, pp. 191–204, 1847.

[132] T. P. Kirkman, “Query VI,” Lady’s and Gentleman’s Diary, p. 48, 1850.[133] Y. Kou, S. Lin, and M. P. C. Fossorier, “Low-density parity-check codes based

on finite geometries: A rediscovery and new results,” IEEE Transactions onInformation Theory, vol. 47, pp. 2711–2736, 2001.

[134] E. S. Kramer, D. L. Kreher, R. Rees, and D. R. Stinson, “On perpendiculararrays with t ≥ 3,” Ars Combinatoria, vol. 28, pp. 215–223, 1989.

[135] E. S. Kramer, S. S. Magliveras, T. van Trung, and Q. Wu, “On the constructionof some perpendicular arrays for arbitrarily large t,” Discrete Mathematics,vol. 96, pp. 101–110, 1991.

[136] K. Kurosawa, “New bound on authentication code with arbitration,” inAdvances in Cryptology — CRYPTO 1994 , Lecture Notes in Computer Sci-ence, vol. 839, (Y. Desmedt, ed.), pp. 140–149, Berlin, Heidelberg, New York:Springer, 1994.

[137] K. Kurosawa and S. Obana, “Combinatorial classification of optimal authen-tication codes with arbitration,” Designs, Codes and Cryptography, vol. 20,pp. 281–305, 2000.

[138] K. Kurosawa and S. Obana, “Combinatorial bounds on authentication codeswith arbitration,” Designs, Codes and Cryptography, vol. 22, pp. 265–281,2001.

[139] H. Kurzweil and B. Stellmacher, The Theory of Finite Groups. An Introduc-tion. Berlin, Heidelberg, New York: Springer, 2004.

[140] C. W. H. Lam, L. Thiel, and S. Swiercz, “The non-existence of finite projectiveplanes of order 10,” Canadian Journal of Mathematics, vol. 41, pp. 1117–1123,1989.

[141] J. Lee and D. R. Stinson, “On the construction of practical key predistributionschemes for distributed sensor networks using combinatorial designs,” ACMTransactions on Information and System Security (TISSEC), vol. 11, no. 2,Art. 1, 2008.

References 671

[142] Y. Liang, H. V. Poor, and S. Shamai (Shitz), “Information theoretic security,”Foundations and Trends in Communications and Information Theory, vol. 5,pp. 355–580, 2008.

[143] M. W. Liebeck, “The affine permutation groups of rank three,” Proceedingsof the London Mathematical Society, vol. 54, pp. 477–516, 1987.

[144] C. C. Lindner and A. Rosa, “Steiner quadruple systems — A survey,” DiscreteMathematics, vol. 22, pp. 147–181, 1978.

[145] C. C. Lindner and D. R. Stinson, “Steiner pentagon systems,” Discrete Math-ematics, vol. 52, pp. 67–74, 1984.

[146] D. Livingstone and A. Wagner, “Transitivity of finite permutation groups onunordered sets,” Mathematische Zeitschrift, vol. 90, pp. 393–403, 1965.

[147] H. Luneburg, Transitive Erweiterungen Endlicher Permutationsgruppen.Berlin, Heidelberg, New York: Springer, 1968.

[148] H. Luneburg, Translation Planes. Berlin, Heidelberg, New York: Springer,1980.

[149] F. J. MacWilliams and N. J. A. Sloane, The Theory of Error-Correcting Codes.Amsterdam, New York, Oxford: North-Holland, 1977. 12th impression 2006.

[150] E. Maillet, “Sur les isomorphes holoedriques et transitifs des groupessymetriques ou alternes,” Journal de Mathematiques Pures et Appliquees,vol. 1, pp. 5–34, 1895.

[151] K. M. Martin, “On the applicability of combinatorial designs to key predis-tribution for wireless sensor networks,” in International Workshop on Codingand Cryptology — IWCC 2009, Lecture Notes in Computer Science, vol. 5557,(C. Xing et al., eds.), pp. 124–145, Berlin, Heidelberg, New York: Springer,2009.

[152] J. L. Massey, “Cryptography — A selective survey,” in Digital Communi-cations, (E. Biglieri and G. Prati, eds.), pp. 3–21, Amsterdam, New York,Oxford: North-Holland, 1986.

[153] E. Mathieu, “Memoire sur l’etude des fonctions de plusieurs quantities,” Jour-nal de Mathematiques Pures et Appliquees, vol. 6, pp. 241–323, 1861.

[154] E. Mathieu, “Sur la fonction cinq fois transitive de 24 quantites,” Journal deMathematiques Pures et Appliquees, vol. 18, pp. 25–46, 1873.

[155] A. P. Mathur, Foundations of Software Testing. New York: Addison-Wesley,2008.

[156] U. M. Maurer, “Information-theoretic cryptography,” in Advances in Cryptol-ogy — CRYPTO 1999, Lecture Notes in Computer Science, vol. 1666, (M. J.Wiener, ed.), pp. 47–64, Berlin, Heidelberg, New York: Springer, 1999.

[157] U. M. Maurer, “Authentication theory and hypothesis testing,” IEEE Trans-actions on Information Theory, vol. 46, pp. 1350–1356, 2000.

[158] B. D. McKay, Latin Squares. Available at http://cs.anu.edu.au/∼bdm/data/latin.html.

[159] A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone, eds., Handbook ofApplied Cryptography. Boca Raton: CRC Press, 1996.

[160] W. H. Mills, “A new 5-design,” Ars Combinatoria, vol. 6, pp. 193–195, 1978.[161] D. E. Muller, “Application of boolean algebra to switching circuit design and

to error correction,” IEEE Transactions on Computers, vol. 3, pp. 6–12, 1954.

672 References

[162] R. C. Mullin, P. J. Schellenberg, G. H. J. van Rees, and S. A. Vanstone, “Onthe construction of perpendicular arrays,” Utilitas Math., vol. 18, pp. 141–160,1980.

[163] S. Obana and K. Kurosawa, “Bounds and combinatorial structure of (k,n)multi-receiver A-codes,” Designs, Codes and Cryptography, vol. 22, pp. 47–63,2001.

[164] W. Ogata, K. Kurosawa, and D. R. Stinson, “Optimum secret sharing schemessecure against cheating,” SIAM Journal on Discrete Mathematics, vol. 20,pp. 79–95, 2006.

[165] W. Ogata, K. Kurosawa, D. R. Stinson, and H. Saido, “New combinato-rial designs and their applications to authentication codes and secret sharingschemes,” Discrete Mathematics, vol. 279, pp. 383–405, 2004.

[166] F. Oggier and H. Fathi, “Multi-receiver authentication code for networkcoding,” in Proceedings of IEEE 46th Annual Allerton Conference on Com-munication, Control, and Computing, pp. 1225–1231, 2008.

[167] F. Oggier and H. Fathi, “An authentication code against pollution attacks innetwork coding,” Preprint arXiv:0909.3146v1, 2009.

[168] F. Ozbudak and Z. Saygi, “Some constructions of systematic authenticationcodes using Galois rings,” Designs, Codes and Cryptography, vol. 41, pp. 343–357, 2006.

[169] N. Pavlidou, A. J. H. Vinck, J. Yazdani, and B. Honary, “Power line communi-cations: State of the art and future trends,” IEEE Communications Magazine,vol. 41, pp. 34–40, 2003.

[170] D. Pei, Authentication Codes and Combinatorial Designs. Boca Raton: CRCPress, 2006.

[171] G. Pickert, Projektive Ebenen. Berlin, Heidelberg, New York: Springer, 2nded., 1975.

[172] D. Raghavarao and L. V. Padgett, Block Designs: Analysis, Combinatoricsand Applications. Singapore: World Scientific, 2005.

[173] D. K. Ray-Chaudhuri and R. M. Wilson, “Solution of Kirkman’s schoolgirlproblem,” in Combinatorics: Proceedings of American Mathematical SocietySymposium in Pure Mathematics, pp. 187–203, 1971.

[174] D. K. Ray-Chaudhuri and R. M. Wilson, “On t-designs,” Osaka Journal ofMathematics, vol. 12, pp. 737–744, 1975.

[175] I. S. Reed, “A class of multiple-error-correcting codes and the decodingscheme,” IEEE Transactions on Information Theory, vol. 4, pp. 38–49, 1954.

[176] H. J. Ryser, Combinatorial Mathematics, Carus Mathematical Monographs,vol. 14. Buffalo: Mathematical Association of America, 1963.

[177] R. Safavi-Naini, L. McAven, and M. Yung, “General group authenticationcodes and their relation to “unconditionally-secure signatures”,” in Public KeyCryptography — PKC 2004, Lecture Notes in Computer Science, vol. 2947,(F. Bao et al., ed.), pp. 231–248, Berlin, Heidelberg, New York: Springer,2004.

[178] R. Safavi-Naini and H. Wang, “Multireceiver authentication codes: Mod-els, bounds, constructions, and extensions,” Information and Computation,vol. 151, pp. 148–172, 1999.

References 673

[179] R. Safavi-Naini and H. Wang, “Broadcast authentication for group communi-cation,” Theoretical Computer Science, vol. 269, pp. 1–21, 2001.

[180] J. Schillewaert and K. Thas, “Authentication codes from generalized quad-rangles,” Preprint, 2009.

[181] P. Schobi, “Perfect authentication systems for data sources with arbitrarystatistics,” (presented at EUROCRYPT 1986), unpublished.

[182] C. E. Shannon, “Communication theory of secrecy systems,” Bell SystemTechnical Journal, vol. 28, pp. 656–715, 1949.

[183] G. J. Simmons, “A game theory model of digital message authentication,”Congressus Numerantium, vol. 34, pp. 413–424, 1982.

[184] G. J. Simmons, “Message authentication: A game on hypergraphs,” Congres-sus Numerantium, vol. 45, pp. 161–192, 1984.

[185] G. J. Simmons, “Authentication theory/coding theory,” in Advances in Cryp-tology — CRYPTO 1984, Lecture Notes in Computer Science, vol. 196, (G. R.Blakley and D. Chaum, eds.), pp. 411–432, Berlin, Heidelberg, New York:Springer, 1985.

[186] G. J. Simmons, “Message authentication with arbitration of transmitter/receiver disputes,” in Advances in Cryptology — EUROCRYPT 1987, Lec-ture Notes in Computer Science, vol. 304, (D. Chaum and W. L. Price, eds.),pp. 150–165, Berlin, Heidelberg, New York: Springer, 1988.

[187] G. J. Simmons, “A Cartesian product construction for unconditionally secureauthentication codes that permit arbitration,” Journal of Cryptology, vol. 2,pp. 77–104, 1990.

[188] G. J. Simmons, “A survey of information authentication,” in Contempo-rary Cryptology: The Science of Information Integrity, (G. J. Simmons, ed.),pp. 379–419, Piscataway: IEEE Press, 1992.

[189] N. J. A. Sloane, ed., A Library of Orthogonal Arrays. Available at http://www2.research.att.com/∼njas/oadir.

[190] N. J. A. Sloane, ed., The On-Line Encyclopedia of Integer Sequences. Availableat http://www.research.att.com/∼njas/sequences.

[191] L. H. Soicher, “The DESIGN package for GAP,” Version 1.4, 2009. Availableat http://designtheory.org/software/gap design.

[192] J. Steiner, “Combinatorische Aufgabe,” Journal fur die reine und angewandteMathematik, vol. 45, pp. 181–182, 1853.

[193] D. R. Stinson, “A short proof of the non-existence of a pair of orthogonalLatin squares of order 6,” Journal of Combinatorial Theory, Series A, vol. 36,pp. 373–376, 1984.

[194] D. R. Stinson, “A construction for authentication/secrecy codes from certaincombinatorial designs,” Journal of Cryptology, vol. 1, pp. 119–127, 1988.

[195] D. R. Stinson, “The combinatorics of authentication and secrecy codes,” Jour-nal of Cryptology, vol. 2, pp. 23–49, 1990.

[196] D. R. Stinson, “Combinatorial characterizations of authentication codes,”Designs, Codes and Cryptography, vol. 2, pp. 175–187, 1992.

[197] D. R. Stinson, “Combinatorial designs and cryptography,” in Surveys inCombinatorics, London Mathematical Society, Lecture Note Series, vol. 187,(K. Walker, ed.), pp. 257–287, Cambridge: Cambridge University Press, 1993.

674 References

[198] D. R. Stinson, “Universal hashing and authentication codes,” Designs, Codesand Cryptography, vol. 4, pp. 369–380, 1994.

[199] D. R. Stinson, Combinatorial Designs: Constructions and Analysis. Berlin,Heidelberg, New York: Springer, 2004.

[200] D. R. Stinson, Cryptography: Theory and Practice. Boca Raton: CRC Press,3rd ed., 2006.

[201] D. R. Stinson and R. S. Rees, “Combinatorial characterizations of authenti-cation codes II,” Designs, Codes and Cryptography, vol. 7, pp. 239–259, 1996.

[202] D. R. Stinson and L. Teirlinck, “A construction for authentication/secrecycodes from 3-homogeneous permutation groups,” European Journal of Com-binatorics, vol. 11, pp. 73–79, 1990.

[203] D. R. Stinson and S. A. Vanstone, “A combinatorial approach to thresholdschemes,” SIAM Journal on Discrete Mathematics, vol. 1, pp. 230–237, 1988.

[204] D. R. Stinson and R. Wei, eds., Bibliography on Authentication Codes. Avail-able at http://www.cacr.math.uwaterloo.ca/∼dstinson/acbib.html.

[205] A. P. Street and D. J. Street, Combinatorics of Experimental Design. Oxford:Oxford University Press, 1987.

[206] L. Teirlinck, “Non-trivial t-designs without repeated blocks exist for all t,”Discrete Mathematics, vol. 65, pp. 301–311, 1987.

[207] G. Terry, “Le probleme de 36 officiers,” Compte Rendu de l’Assoc. FrancaisAvanc. Sci. Naturel, vol. 1, pp. 122–123, 1900.

[208] G. Terry, “Le probleme de 36 officiers,” Compte Rendu de l’Assoc. FrancaisAvanc. Sci. Naturel, vol. 2, pp. 170–203, 1901.

[209] V. D. Tonchev, Combinatorial Configurations: Designs, Codes, Graphs.Harlow: Longman, 1988.

[210] V. D. Tonchev, “Codes and designs,” in Handbook of Coding Theory vol. II,(W. C. Huffman and V. Pless, eds.), pp. 1229–1267, Amsterdam, New York,Oxford: North-Holland, 1998.

[211] V. D. Tonchev, “Codes,” in Handbook of Combinatorial Designs, (C. J. Col-bourn and J. H. Dinitz, eds.), pp. 677–702, Boca Raton: CRC Press, 2006.

[212] V. D. Tonchev, “Steiner systems for two-stage disjunctive testing,” Journal ofCombinatorial Optimization, vol. 15, pp. 1–6, 2008.

[213] D. Tonien, R. Safavi-Naini, and P. Wild, “Combinatorial characterizationsof authentication codes in verification oracle model,” in Proceedings of 2ndACM Symposium on Information, Computer and Communications Security(ASIACCS 2007), (F. Bao and S. Miller, eds.), pp. 183–193, 2007.

[214] D. Tonien, R. Safavi-Naini, and P. Wild, “Authentication codes in the querymodel,” in Coding and Cryptology, (Y. Li et al., eds.), pp. 214–225, Singapore:World Scientific, 2008.

[215] J. H. van Lint, “Codes and designs,” in Higher Combinatorics: Proceedingsof NATO Advanced Study Institute, (M. Aigner, ed.), pp. 241–256, Boston,Dordrecht: Reidel, 1977.

[216] J. H. van Lint, “Codes and combinatorial designs,” in Proceedings of MarshallHall Conference on Coding Theory, Design Theory, Group Theory, (D. Jung-nickel and S. A. Vanstone, eds.), pp. 31–39, New York: J. Wiley, 1993.

[217] J. H. van Lint and R. M. Wilson, A Course in Combinatorics. Cambridge:Cambridge University Press, 2nd ed., 2001.

References 675

[218] H. C. A. van Tilborg, “Authentication codes: an area where coding and cryp-tology meet,” in Proceedings of 5th IMA Conference on Cryptography andCoding 1995, Lecture Notes in Computer Science, vol. 1025, (C. Boyd, ed.),pp. 169–183, Berlin, Heidelberg, New York: Springer, 1995.

[219] T. van Trung, “On the construction of authentication and secrecy codes,”Designs, Codes and Cryptography, vol. 5, pp. 269–280, 1995.

[220] B. Vasic and O. Milenkovic, “Combinatorial constructions of low-densityparity-check codes for iterative decoding,” IEEE Transactions on Informa-tion Theory, vol. 50, pp. 1156–1176, 2004.

[221] G. S. Vernam U.S. patent 1,310,719. Secret signaling system. July 22nd, 1919.[222] G. S. Vernam, “Cipher printing telegraph systems for secret wire and radio

telegraph communications,” Journal of American Institute of Electrical Engi-neers, vol. 45, pp. 109–115, 1926.

[223] H. Wielandt, Finite Permutation Groups. New York: Academic Press, 1964.[224] P. Wild, “The combinatorics of cryptographic key establishment,” in Sur-

veys in Combinatorics, London Mathematical Society, Lecture Note Series,vol. 346, (A. Hilton and J. Talbot, eds.), pp. 223–273, Cambridge: CambridgeUniversity Press, 2007.

[225] R. J. Wilson, “The early history of block designs,” Rend. Sem. Mat. MessinaSer. II, vol. 9, pp. 267–276, 2003.

[226] E. Witt, “Die 5-fach transitiven Gruppen von Mathieu,” Abhandlungen ausdem Mathematischen Seminar der Universitat Hamburg, vol. 12, pp. 256–264,1938.

[227] E. Witt, “Uber Steinersche Systeme,” Abhandlungen aus dem MathematischenSeminar der Universitat Hamburg, vol. 12, pp. 265–275, 1938.

[228] C. Xing, H. Wang, and K. Y. Lam, “Constructions of authentication codesfrom algebraic curves over finite fields,” IEEE Transactions on InformationTheory, vol. 46, pp. 886–892, 2000.