
On the Size of Source Space in a Secure MAC

Shaoquan Jiang

Abstract—A message authentication code (MAC) is (t, ϵ)-secure if an attacker cannot forge a valid message with probability better than ϵ after adaptively obtaining t valid messages. For a fixed key space K, it is important for a MAC to support a source space S as large as possible, because this implies a bandwidth saving in practice. Hence, we study the possible size of S in a MAC through |S| or, equivalently (to our convenience), the ratio $\frac{\log|S|}{|K|}$ for a fixed K. Our novelty in methodology is to regard the MAC function of a given source state as a partition mapping of K. Under this view, we obtain an upper bound on |S| for a (t, ϵ)-secure MAC. Then, by analyzing a randomized partition of K, we prove the existence of an approximately optimal (t, ϵ)-secure MAC (in the sense of a large |S|). Our ratio $\frac{\log|S|}{|K|}$ is much larger than in previous results, which usually only considered the case t = 1 by proposing a good universal hashing; that method is hard to extend to a general t, as a universal hashing only relates two inputs while the general case needs to relate t inputs. Finally, we construct a selectively (1, ϵ)-secure MAC, where an attacker fixes two source states in advance, one for his forgery and the other for his inquiry for a valid message. Our ratio $\frac{\log|S|}{|K|}$ in this construction is close to the upper bound of its kind and is significantly larger than our existential result above for the case t = 1.

a Cartesian MAC. In this paper, we only consider a Cartesian MAC. For a MAC to be useful, we must demonstrate its resistance to various attacks. An attacker's power is usually specified by his time complexity and capabilities. The time complexity in the information security community is popularly set to be polynomial. The complexity class of infinity is also frequently adopted. A MAC resistant to an infinite attacker is said to be information-theoretically secure or unconditionally secure. In this paper, we study information-theoretic security. The attacker's capabilities are specified by his basic behaviors. The widely used model is a t-order chosen message attack. In this setting, the adversary can adaptively query t source states to the MAC oracle f(K, ·) and receive the corresponding messages. A MAC is (t, ϵ)-secure if an attacker, after t MAC queries, cannot forge a message of a new source state with probability larger than ϵ. We also consider a selectively (t, ϵ)-secure MAC, where the difference from a chosen message attacker is that the adversary in this case must fix the t query source states and the new source state of his forgery before any query to the MAC oracle.

Index Terms—Message authentication code, information theoretical security, set partition, upper bound.

I. INTRODUCTION

A. Motivation

Message authentication code (MAC) [1] essentially is a mechanism that allows a sender Alice to send a source state S to Bob such that the latter is assured of its authenticity. Toward this, Alice and Bob will share a secret key K. Then, Alice will use a function f to generate a message M = f(K, S) and send it to Bob, who will then use another function g with input K, M to verify the validity of M. In the literature, MACs are studied with or without the secrecy of S. If S can be determined from M without K, then it is called

Copyright (c) 2015 IEEE. Personal use of this material is permitted. However, permission to use this material for any other purposes must be obtained from the IEEE by sending a request to [email protected] Shaoquan Jiang is with the Institute of Information Security, Mianyang Normal University, Mianyang, China 621000, and State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China 100093. Email: [email protected]

Safavi-Naini, Wang and Xing [2] considered the (1, ϵ)-secure linear authentication code. They showed that 2 n log |S| ≤ loglog|K| q, where |K| = q^n for some n ∈ N. This implies that $\frac{\log|S|}{|K|} \le \frac{\log|K|}{|K|}$, so we cannot expect a large |S| from a linear MAC. Helleseth and Johansson [3] used exponential sums over finite fields to construct a (1, ϵ)-secure MAC with $\frac{\log|S|}{|K|} \le |K|^{-0.5}\log|K|$ for any ϵ, and this bound can be approached for certain parameters. A similar bound applies to Bierbrauer [4]. A more interesting result to us is due to Xing, Wang and Lam [5], who used algebraic curves over finite fields to construct a (1, ϵ)-secure MAC with $\epsilon|K|^{-\delta} \le \frac{\log|S|}{|K|} \le \epsilon^3$ for any arbitrarily small constant δ > 0. From the results above, we can see that $\frac{\log|S|}{|K|}$ varies widely across constructions. It would be interesting to ask whether it is possible to characterize the achievable ratio $\frac{\log|S|}{|K|}$ for a (t, ϵ)-secure MAC. This question is important as, given ϵ and K, it is certainly desired for a MAC to authenticate a source state of length as large as possible, because


and Maurer [20] obtained the lower bound $\epsilon \ge 2^{-H(K)/(t+1)}$ for a (t, ϵ)-secure MAC, where [19] only considered a Cartesian MAC and Maurer [20] is more general than the other two. Safavi-Naini and Wild [21] extended the bound $\epsilon \ge 2^{-H(K)/(t+1)}$ to the setting where the adversary can additionally make verification queries. Our work focuses on the traditional MAC, where no attacker can forge a message of a new source state. Recently, there have been works on a homomorphic MAC for network coding, where a forgery is regarded as a success only if the source state in it does not belong to a queried source vector space. Agrawal and Boneh [22] formalized the model for authentication in this setting and proposed computationally secure constructions using secret linear combinations. The homomorphic property allows an intermediate user to operate authentically on the messages he receives without a key. Cheng and Jiang [23] proposed a construction with improved security using a small key. Cheng, Jiang and Zhang [24] proposed a MAC scheme to authenticate a P2P live streaming system. Oggier and Fathi [25] proposed an information-theoretically secure MAC against a pollution attack.

a large |S| implies a better channel efficiency. We will discuss this in Section III. We remark that although the above results and the related works below are cited in terms of the ratio $\frac{\log|S|}{|K|}$, the focus of these works is mostly not to maximize |S|. So the cited ratios here are calculated or upper bounded by us according to their obtained results.

B. Related works

With the above motivation, we now review the status of the achievable $\frac{\log|S|}{|K|}$ in a (t, ϵ)-secure MAC. The MAC was invented by Gilbert, MacWilliams and Sloane [1]. They constructed (1, ϵ)-secure MACs from projective planes, block designs and random codes, where one of them can be $(1, O(1/\sqrt{|K|}))$-secure with $\log|S| = O(\log^2|K|)$; note that O(·) (also o(·), Θ(·), ω(·)) are standard complexity notions and for convenience we also recall their definitions in Section II. The general authentication theory was developed by Simmons [6], [7]. A useful tool to construct a MAC is universal hashing by Wegman and Carter [8], [9]. Stinson [10], [11] used universal hashing to construct a (1, ϵ)-secure MAC with a large $\frac{\log|S|}{\log|K|}$, but its $\frac{\log|S|}{|K|}$ is only roughly $|K|^{-1}$. Den Boer [12] obtained a (1, ϵ)-secure MAC with $\frac{\log|S|}{|K|}$ bounded by $\frac{\log\sqrt{|K|}}{|K|}$. This approach is di-

C. Contribution


rectly based on a universal hashing and is hard (if not impossible) to extend to a general (t, ϵ)-secure MAC, as a universal hashing only relates two inputs while the general (t, ϵ)-secure MAC needs to relate t inputs. To overcome this problem, Atici and Stinson [13, Theorem 12] extend the universal hashing to relate t inputs. Based on the extended notion, they constructed a (t, ϵ)-secure MAC with $\frac{\log|S|}{|K|} \le |K|^{-1+1/w}\log|K|$, where 1 ≤ t ≤ w − 1. Rosenbaum [14] showed that a (t, ϵ)-secure MAC with $\epsilon = |K|^{-\frac{1}{1+t}}$ (called a t-perfect MAC) must satisfy $|S| \le |K|^{\frac{1}{t+1}} + t$. So a perfectly secure MAC only has a small |S|. Krawczyk [15, Theorem 7] presented a construction of a (1, ϵ)-secure MAC with $\frac{\log|S|}{|K|}$ roughly bounded by $|K|^{-1/2}\log|K|$. The achievable $\frac{\log|S|}{|K|}$ in a (t, ϵ)-secure MAC depends strongly on ϵ. Hence, it is necessary to mention the related works on the bound of ϵ. The lower bound of ϵ was a hot topic in the literature. Gilbert, MacWilliams and Sloane [1] proved that $\epsilon \ge |K|^{-\frac{1}{2}}$ for the case t = 1. For a Cartesian MAC, Fåk [16] showed the combinatorial lower bound $\epsilon \ge |K|^{-\frac{1}{t}}$ and Smeets [17] showed that $\epsilon \ge 2^{-\frac{H(K)}{t+1}}$, where H(·) is the entropy function and K is the secret key. Rosenbaum [14] and Pei [18] independently derived the lower bound $\epsilon \ge 2^{H(K|M^{t+1}) - H(K|M^t)}$, where $M^\ell$ is a list of ℓ messages. Walker [19], Rosenbaum [14]

In this paper, we study the possible size of the source space S in a secure MAC through |S| or (to our convenience) the ratio $\frac{\log|S|}{|K|}$ for a fixed key space K. Through a motivation lemma, we will see that this problem is important for the bandwidth efficiency of communication. We regard the encoding function for any given source state S as a partition mapping of K. Under this view, we first obtain an upper bound on |S| for a (t, ϵ)-secure MAC. Then, through a randomized argument, we prove the existence of a (t, ϵ)-secure MAC with $\frac{\log|S|}{|K|} = \Theta\left(\frac{(2\epsilon/3)^{t+1}}{t+1}\right) = \Theta\left(\frac{|K|^{-\delta}}{t+1}\right)$ for $\epsilon = 1.5|K|^{-\frac{\delta}{t+1}}$, any constant δ > 0 and t = o(log |K|). This is interesting as the previous best result [13] (in the sense of this ratio) for a (t, ϵ)-secure MAC is at most $|K|^{-1+\frac{1}{t+1}}$ and the previous best result for the case t = 1 [5] is $O(\epsilon^c)$ for any constant c < 3 (ours is $O(\epsilon^2)$ by assigning t = 1 in our ratio). For both cases, our ratio is much larger than theirs. If t is ω(1) but o(log |K|), our ratio asymptotically approaches our upper bound, up to a factor $|K|^{o(1)}$. From a known lower bound on ϵ, if ϵ is set to be negligible, our assumption t = o(log |K|) is inevitable. Finally, if selective security is acceptable, we show that there exists a selectively (1, ϵ)-secure MAC with $\frac{\log|S|}{|K|}$ significantly larger than our foregoing existential result for the case t = 1, and close to its upper bound.

- For i = 1, · · · , t, Oscar can adaptively query source state $S_i$ to the MAC oracle f(K, ·) and receive the corresponding message $M_i$. After this,
 he tries to output a message $M^*$ of a source state $S^*$. He succeeds if $M^*$ is valid and $S^* \notin \{S_1, \cdots, S_t\}$. If the authentication holds when Oscar chooses $S_1, \cdots, S_t, S^*$ before querying the MAC oracle f(K, ·), then (f, g) is said to be selectively (t, ϵ)-secure.

II. MESSAGE AUTHENTICATION CODE

Notions. We list notions that will be used later.
- A function negl(λ) is negligible in λ if for any polynomial f(λ), $\lim_{\lambda\to\infty}\mathrm{negl}(\lambda)f(\lambda) = 0$.
- [n] denotes the set {1, · · · , n}.
- For a function f and set A, f(A) = {f(a) | a ∈ A}.
- For a set A, |A| denotes its cardinality; for a string s, |s| denotes its bit length.
- log(·) denotes the logarithm with base 2 while ln(·) denotes the logarithm with base e (Euler's constant).
- o(f(λ)), O(f(λ)), Θ(f(λ)), ω(f(λ)) respectively denote a function g(λ) such that $\lim_{\lambda\to\infty}\frac{g(\lambda)}{f(\lambda)}$ is = 0, ≤ C, = C and = ∞ for a constant C > 0.

Remark. In the literature, the (t, ϵ)-security is widely known as security under a chosen message attack, while the selective (t, ϵ)-security is known as security under a selective attack. Although security under a chosen message attack is desired, security under a selective attack is sometimes also acceptable. This is so when the attacker does not have the freedom to choose the subsequent source states. For instance, in stream authentication, once a few leading source states have been sent, the next source state is usually closely related to the previous ones.

A. Syntax

A message authentication code essentially is a mechanism that allows a sender Alice to send a source state S in a source space S to a receiver Bob such that the latter is assured of its authenticity. Toward this, Alice and Bob share a secret key K from a key space K. For simplicity, we assume that K is uniformly random over K. To authenticate S, Alice will use an authentication function f with inputs S and K to generate a message M = f(K, S). The set of all possible M forms a message space M. Alice will send M to Bob. Upon receiving M, Bob will use a verification function g : K × M → S ∪ {⊥} to recover the source state S′ = g(K, M). If S′ = ⊥, then Bob rejects the authentication; otherwise, he accepts M as an authentication of S′. Under the above description, we will say that (f, g) is a message authentication code with source space S, key space K and message space M. When the description of g is not important to us, we sometimes also directly say f is a message authentication code. If S can be determined from M without K, then (f, g) is said to be Cartesian. We only consider a Cartesian MAC (as almost every known MAC is of this kind).

Convention. Note that in this paper, the security parameter is set to be the key length log |K|. So unless otherwise mentioned, a negligible function, a polynomial function, o(1) and ω(1) are always in terms of log |K|.

III. MOTIVATION LEMMA

Although our work is mainly motivated by [2], [5], the study of the possible size of S is clearly inspired by bandwidth efficiency. In this section, we discuss this in more detail. The following lemma will be useful toward this purpose. It states that for any (selectively) (t, ϵ)-secure MAC, we can construct another (selectively) (t, ϵ)-secure MAC with the same key space K and the same source space S, but whose message space has the form S × Υ such that Υ does not depend on |S| (given K).

Lemma 1: Let (f, g) be a (selectively) (t, ϵ)-secure MAC with key space K, source space S and message space M. Then, there exists a (selectively) (t, ϵ)-secure MAC (f′, g′) with key space K, source space S and message space M′ so that M′ = S × Υ, where |Υ| = |K| (especially, given K, |Υ| does not depend on |S|).

Proof. We only consider the adaptive security case as the proof for the selective case is the same. For each S, let M(S) = {f(k, S) | k ∈ K}. Assume M(S) is sorted in an arbitrary but publicly known order. For m ∈ M(S), we use i = ind(m, S) to denote the location of m in M(S). Then, f′(K, S) is defined as (S, i) with i = ind(f(K, S), S). Correspondingly, g′(K, i, S) is defined by first finding the ith entry M in M(S) and computing g(K, M). Notice that by our

B. Security

We define the (t, ϵ)-security for a MAC. Essentially, a MAC is (t, ϵ)-secure if, after adaptively seeing t messages, Oscar still cannot find a message $M^*$ of a new source state $S^*$.

Definition 1: A message authentication code (f, g) for a source space S, key space K and message space M is (t, ϵ)-secure if the following holds.
• Correctness. For any S ∈ S, g(K, f(K, S)) = S holds with probability 1 (over K).
• Authentication. Oscar succeeds with probability at most ϵ in the following attack:

Then, $\{A_1, \cdots, A_Q\}$ is a partition of K. For any (t, ϵ)-secure MAC (f, g) with t ≥ 1 and ϵ < 1, a useful observation is that the partitions induced by any two source states must be different. Otherwise, assume s, s′ induce the same partition $\{A_1, \cdots, A_Q\}$ with $f(A_i, s) = m_i$ and $f(A_i, s') = m'_i$, i = 1, · · · , Q. Then, an attacker can launch the following attack. He first queries s to the MAC oracle f(K, ·), where K is the challenge MAC key. If the returned message for s is $m_j$, then the attacker can output $m'_j$ as his forged message for s′. This attack is successful as $f(K, s) = m_j$ implies that $K \in A_j$. In this attack, since s and s′ are chosen before the MAC query, it is a selective attack. The second observation is as follows. For any source state s, if the partition of K induced by s is $\{A_1, \cdots, A_Q\}$, then $\frac{|A_i|}{|K|} \le \epsilon$. Otherwise, if $|A_j| > \epsilon|K|$, then an attacker can simply output $m_j = f(A_j, s)$ as his forgery for s. This attack is successful if the challenge key $K \in A_j$, which occurs with probability more than ϵ. This breaks the (t, ϵ)-security of the MAC for any t ≥ 0. In the following, we prove an upper bound on |S|. Our strategy is basically to interleave the above two observations in each of the t MAC queries of the attacker.

Theorem 1: Let (f, g) be a (t, ϵ)-secure MAC with source space S, key space K and message space M. Then, $|S| \le T(\epsilon^t|K|) + t - 1$ for any t ≥ 1.

Proof. Assume the conclusion is wrong. Then we present an adversary A to break the (t, ϵ)-security of (f, g). The description of A consists of t steps, where step i handles the ith MAC query. Let $K_1 = K$.

syntax, M can determine S. If the (t, ϵ)-security of (f′, g′) is broken by an attacker A′, we can construct an attacker A to break the (t, ϵ)-security of (f, g). Toward this, A simply runs A′ to attack (f′, g′). Upon a query $S_j$ from A′, A queries it to his oracle f(K, ·) and receives $M_j$. He then finds the index $i_j$ of $M_j$ in $M(S_j)$ and returns $(S_j, i_j)$ to A′. Upon a forgery $(S^*, i^*)$ from A′, A outputs the $i^*$th message $M^*$ in $M(S^*)$ as his forgery. It is immediate that the success of A′ implies the success of A. Hence, the security of (f′, g′) is proved. Finally, since |M(S)| ≤ |K| for any S, we can define Υ = {1, · · · , |K|}. The lemma follows. □

Remark. For any MAC, since a message M can always recover the source state S, it follows that H(M) > H(S), where H(X) is the entropy function. The entropy difference H(M) − H(S) will be used to guarantee the authentication. It should be made as small as possible to save communication bandwidth. In our lemma, we state that the message can be put in the form (S, τ) with |τ| independent of |S| (given K). Our result has the property that the original MAC is (selectively) (t, ϵ)-secure if and only if the new MAC is (selectively) (t, ϵ)-secure. So we only need to study a MAC with message space S × Υ (although our subsequent sections do not use this point). Hence, for better bandwidth efficiency, it is desired that S be as large as possible, given K (hence |Υ|).

IV. BOUNDING THE SOURCE SPACE

In this section, we bound |S| for a (t, ϵ)-secure MAC (f, g) with source space S. Our idea is to look at the partition of the key space K induced by each source state, where the notion of a partition is defined as follows.

Definition 2: An ℓ-partition of a set A is a list of ℓ non-empty and disjoint subsets $A_1, \cdots, A_\ell$ of A such that $A_1 \cup \cdots \cup A_\ell = A$. A partition of A is an ℓ-partition of it for some ℓ ∈ [|A|].

Let T(n) be the number of partitions of a set of size n.
By De Bruijn [26, p. 108],

Step 1. For s ∈ S, m ∈ M, let $K_1(s, m) = \{k \mid f(k, s) = m, k \in K_1\}$. Then, $K_1(s, m)$ is the subset of $K_1$ whose elements map s to m under f. Notice that $\{K_1(s, m)\}_{m \in f(K_1, s)}$ is a partition of $K_1$. It must hold that $|K_1(s, m)| \le \epsilon|K_1|$ for any s, m. Otherwise, assume $|K_1(s', m')| > \epsilon|K_1|$ for some s′, m′. In this case, A can directly output m′ as his forgery for s′. He succeeds if and only if the challenge key $K \in K_1(s', m')$, which occurs with probability > ϵ (recall that K is uniformly random over K), a contradiction to the (t, ϵ)-security. In the following, we always assume $|K_1(s, m)| \le \epsilon|K_1|$ for any s, m. The attack of A in this step is to choose an arbitrary $s_1$ and query it to the MAC oracle f(K, ·). In turn, he will receive $m_1 = f(K, s_1)$. Let $K_2 = K_1(s_1, m_1)$. As said above, $|K_2| \le \epsilon|K_1|$.

$$\frac{\ln T(n)}{n} = \ln n - \ln\ln n - 1 + \frac{\ln\ln n}{\ln n} + \frac{1}{\ln n} + \frac{1}{2}\left(\frac{\ln\ln n}{\ln n}\right)^2 + O\left(\frac{\ln\ln n}{(\ln n)^2}\right).$$

So $T(n) = \left(\frac{n}{c_n\ln n}\right)^n$, where $c_n \to e$. When n is large enough, $\frac{\log T(n)}{n} \le \log\frac{n}{e\ln n}$. For each source state s ∈ S, the MAC function f(·, s) naturally induces a partition of K. Let $f(K, s) = \{m_1, \cdots, m_Q\}$. It should be noted that for s′ ≠ s, there is no guarantee that f(K, s) = f(K, s′). Define

Ai = {k | f (k, s) = mi , k ∈ K}, i = 1, · · · , Q.
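The partition view above, as an added example that is not part of the paper: a constructed toy MAC f((a, b), s) = a·s + b over Z_5 (not a scheme from the paper), the partition of K induced by each source state, the two observations of Section IV (pairwise-distinct partitions, block fraction at most ϵ), an exact brute-force computation of the optimal t-query adaptive attacker from the proof of Theorem 1, and the bound |S| ≤ T(ϵ^t|K|) + t − 1 with T computed as a Bell number.

```python
from collections import defaultdict
from fractions import Fraction

# Constructed toy MAC (not from the paper): key (a, b) in Z_p x Z_p,
# source state s in Z_p, message f((a, b), s) = a*s + b mod p.
P_MOD = 5
KEYS = [(a, b) for a in range(P_MOD) for b in range(P_MOD)]
SOURCES = list(range(P_MOD))

def poly_mac(key, s):
    a, b = key
    return (a * s + b) % P_MOD

def induced_partition(f, keys, s):
    """Partition {A_1, ..., A_Q} of the key set induced by source state s:
    A_i = {k | f(k, s) = m_i}.  Message labels are dropped, so two source
    states that induce the same set system compare equal."""
    blocks = defaultdict(set)
    for k in keys:
        blocks[f(k, s)].add(k)
    return frozenset(frozenset(blk) for blk in blocks.values())

def partitions_pairwise_distinct(f, keys, sources):
    """First observation of Section IV: in a (t, eps)-secure MAC with eps < 1
    no two source states may induce the same partition."""
    parts = [induced_partition(f, keys, s) for s in sources]
    return len(set(parts)) == len(parts)

def max_block_fraction(f, keys, sources):
    """Second observation: every block satisfies |A_i| / |K| <= eps, so this
    value is a lower bound on eps for any t >= 0."""
    n = len(keys)
    return max(Fraction(len(blk), n)
               for s in sources for blk in induced_partition(f, keys, s))

def best_forgery_prob(f, keys, sources, t, queried=frozenset()):
    """Exact success probability of the optimal (unbounded) t-query adaptive
    attacker, by brute force.  The key is uniform on `keys`; a query s_1
    answered with m_1 shrinks the key set to the block K_1(s_1, m_1),
    exactly as in the proof of Theorem 1."""
    n = len(keys)
    fresh = [s for s in sources if s not in queried]
    if not fresh:
        return Fraction(0)          # no new source state left to forge
    if t == 0:
        # no queries left: output the message of the largest block of some fresh s
        return max(Fraction(len(blk), n)
                   for s in fresh for blk in induced_partition(f, keys, s))
    best = Fraction(0)
    for s1 in fresh:
        total = Fraction(0)
        for blk in induced_partition(f, keys, s1):
            # the oracle answers the message of `blk` with probability |blk|/n,
            # after which the key is uniform inside `blk`
            total += Fraction(len(blk), n) * best_forgery_prob(
                f, blk, sources, t - 1, queried | {s1})
        best = max(best, total)
    return best

def bell(n):
    """T(n), the number of partitions of an n-element set (Bell number),
    computed with the Bell triangle."""
    row = [1]
    for _ in range(n):
        nxt = [row[-1]]
        for x in row:
            nxt.append(nxt[-1] + x)
        row = nxt
    return row[0]

def theorem1_bound(eps, n_keys, t):
    """Theorem 1: |S| <= T(eps^t |K|) + t - 1 (eps^t |K| is an integer here)."""
    return bell(int(Fraction(eps) ** t * n_keys)) + t - 1

if __name__ == "__main__":
    eps = max_block_fraction(poly_mac, KEYS, SOURCES)
    print("partitions pairwise distinct:", partitions_pairwise_distinct(poly_mac, KEYS, SOURCES))
    print("eps forced by block sizes:", eps)
    for t in (1, 2):
        print(f"t={t}: optimal forgery probability {best_forgery_prob(poly_mac, KEYS, SOURCES, t)},",
              f"Theorem 1 allows |S| <= {theorem1_bound(eps, len(KEYS), t)}, here |S| = {len(SOURCES)}")
```

With ϵ = 1/5 and |K| = 25 the toy is (1, 1/5)-secure and |S| = 5 respects the t = 1 bound of 52, while for t = 2 the bound drops to 2 and the brute force confirms that two queries determine the key, so the toy is not (2, 1/5)-secure.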

Step 2.


MAC. So for ϵ = o(1), $\epsilon^t|K| \ge |K|^{\frac{1}{t+1}} \ge 1/\epsilon = \omega(1)$. From $T(n) = \left(\frac{n}{c_n\ln n}\right)^n$, we have

Similar to the case of $K_1(s, m)$, we can define $K_2(s, m)$ and assume that $|K_2(s, m)| \le \epsilon|K_2| \le \epsilon^2|K_1|$ for any $s \ne s_1$ and any m. The attack of A in this step is to choose an arbitrary $s_2 \ne s_1$ and query it to the MAC oracle. In turn, he will receive $m_2 = f(K, s_2)$. Then, A defines $K_3 = K_2(s_2, m_2)$. As noted above, $|K_3| \le \epsilon^2|K_1|$.
⋮

$\log T(n) \le n\log n - n\log(c_n\ln n) \le n\log n - 2$, when n is large enough. So for t < |S|/2 + 1 and ϵ = o(1), Theorem 1 implies that $\frac{\log|S|}{|K|} \le \epsilon^t\log(\epsilon^t|K|)$ when |K| is large enough (as $c_{\epsilon^t|K|} \to e$ from $\epsilon^t|K| = \omega(1)$). □

Finally, if t = 1, then the proof of Theorem 1 collapses to its last step, where $s_t, s'_t$ are chosen before receiving $m_t$. Hence, it works for a selectively (1, ϵ)-secure MAC. This remark (with $\epsilon|K| \ge \sqrt{|K|}$; see Appendix) gives the following corollary.

Corollary 2: Let (f, g) be a selectively (1, ϵ)-secure MAC with source space S, key space K and message space M. Then, |S| ≤ T(ϵ|K|). Especially, $\frac{\log|S|}{|K|} \le$

Step t. We have defined $K_t$ at Step t−1 with $|K_t| \le \epsilon^{t-1}|K_1|$. Now A defines $K_t^*$ to be an arbitrary subset of $K_t$ of size $\epsilon|K_t| \le \epsilon^t|K|$. He also defines $K_t^*(s, m)$, similar to $K_1(s, m)$ in Step 1. Since we assumed the theorem to be wrong, it follows that $|S| - (t - 1) > T(|K_t^*|)$. Hence, there must exist $s_t, s'_t$ in $S - \{s_1, \cdots, s_{t-1}\}$ such that

$\epsilon\log\frac{\epsilon|K|}{e\ln(\epsilon|K|)}$ when |K| is large enough.

$\{K_t^*(s_t, m)\}_{m \in f(K_t^*, s_t)}$ and $\{K_t^*(s'_t, m)\}_{m \in f(K_t^*, s'_t)}$ give the same partition of $K_t^*$. Under this, A can break the (t, ϵ)-security of (f, g) as follows. He queries $s_t$ to the MAC oracle and receives $m_t = f(K, s_t)$. Then, he returns $m'_t$ with $K_t^*(s_t, m_t) = K_t^*(s'_t, m'_t)$ as his forgery for the source state $s'_t$. By our description of Step 1 to Step t−1, $m_i = f(K, s_i)$ for i = 1, · · · , t−1. It follows that $K \in K_t$. So $K \in K_t^*$ with probability $\frac{|K_t^*|}{|K_t|} = \epsilon$. When $K \in K_t^*$, A will succeed by our definition of $m'_t$. This contradicts the (t, ϵ)-security of (f, g).

V. EXISTENCE OF A (t, ϵ)-SECURE MAC WITH A LARGE SOURCE SPACE

In this section, we will show the existence of a (t, ϵ)-secure MAC with a large source space for t = o(log |K|) and ϵ negligible (in log |K|). We remark that from the lower bound $\epsilon \ge |K|^{-\frac{1}{t+1}}$ [14], [19], [20], t = o(log |K|) is inevitable (in fact, precisely it should be $t = o\left(\frac{\log|K|}{\log\log|K|}\right)$, using the fact $2^{\log x} = x$ for any x > 0) if ϵ is set to be negligible (i.e., $\epsilon = (\log|K|)^{-\omega(1)}$). Our result needs the following notions. A decomposition of a set A of size b is a collection of b disjoint subsets $\{A_1, \cdots, A_b\}$ with $\bigcup_{i=1}^{b}A_i = A$. When each $A_i$ is non-empty, a decomposition is a partition. A decomposition $\{A_1, \cdots, A_b\}$ of A restricted to a subset B ⊆ A is the decomposition $\{A_1 \cap B, \cdots, A_b \cap B\}$ of B. The intersection of two decompositions $\{A_1, \cdots, A_u\}$ and $\{B_1, \cdots, B_v\}$ of A is $\{A_1 \cap B_1, A_1 \cap B_2, \cdots, A_u \cap B_v\}$. This is a decomposition of A of size uv. The intersection of multiple decompositions generalizes from the case of two in the obvious way.

Theorem 2: For n ∈ N and constant δ ∈ (0, 1), let t = o(log n), $b = n^{\frac{\delta}{t+1}}$ and $\nu = e^{\frac{1}{32}\cdot\frac{n^{1-\delta}}{t+1}}$. Then, there exists a (t, 1.5/b)-secure MAC F : K × S → M with K = [n], S = [ν] and M = [b].

Proof. Let $P = \{P_1, \cdots, P_\nu\}$ be a collection of ν decompositions of a set A with |A| = n, where each $P_i$ is taken uniformly at random among all decompositions of size b. Note $P_i$ can be obtained by throwing each x ∈ A into one of b bins uniformly at random. Consider any t + 1 decompositions in P. Let them be $Q_1, \cdots, Q_{t+1}$. Then, the intersection of $Q_1, \cdots, Q_t$ is a uniformly random decomposition $\{B_1, \cdots, B_{b^t}\}$ of A.

The above contradiction implies that $|S| - (t - 1) \le T(|K_t^*|) \le T(\epsilon^t|K|)$. The theorem follows. □

Theorem 1 gives a bound on |S|, but the expression is not intuitive. For ease of comparison with other works, we give a more explicit corollary.

Corollary 1: Let (f, g) be a (t, ϵ)-secure MAC with source space S, key space K and message space M. If ϵ = o(1) and 1 ≤ t ≤ |S|/2 + 1, then
$$\frac{\log|S|}{|K|} \le \epsilon^t\log(\epsilon^t|K|), \quad (1)$$



when |K| is large enough.

Proof. Note that $\log|S| = \log(|S| - (t-1) + (t-1)) \le \log(|S| - (t-1)) + \frac{(t-1)\log e}{|S| - (t-1)} \le \log(|S| - (t-1)) + 2$ when t ≤ |S|/2 + 1, where the first "≤" uses the well-known inequality ln(1 + x) ≤ x for any x > −1. It was known [14], [19], [20] that $\epsilon \ge |K|^{-\frac{1}{t+1}}$ in any (t, ϵ)-secure

Let $k_i = |B_i|$. Then, $Q_{t+1}$ restricted to $B_i$ is a uniformly random decomposition $\{B_{i1}, \cdots, B_{ib}\}$ of $B_i$ (as $Q_{t+1}$ is independent of $Q_1, \cdots, Q_t$, hence of $B_i$). Let $k_{ij} = |B_{ij}|$. By the Chernoff bound, for any j ∈ [b],
$$P\big(|k_{ij} - k_i/b| > .5k_i/b\big) \le 2e^{-\frac{(.5/b)^2k_i}{2/b\cdot(1-1/b)}} \le 2e^{-\frac{k_i}{8b}}. \quad (2)$$
Thus,
$$P\big(\exists i, j \text{ s.t. } |k_{ij} - k_i/b| > .5k_i/b\big) \le 2b^{t+1}e^{-\frac{k_{\min}}{8b}} = 2e^{-\frac{k_{\min}}{8b} + (t+1)\ln b}, \quad (3)$$

partition $(B_1, \cdots, B_{b^t})$. Then, there exists i such that $B_i = \bigcap_{j=1}^{t}A_{s_jv_j}$. Since $v_j$ is the MAC value of source state $s_j$, it follows that the challenge key $k \in A_{s_jv_j}$. Hence, $k \in B_i$. In addition, given $(s_1, v_1), \cdots, (s_t, v_t)$, k is uniformly random in $B_i$. Assume that $P_{t+1}$ restricted to $B_i$ is $(B_{i1}, \cdots, B_{ib})$. Then, u ∈ [b] is a valid MAC for $s_{t+1}$ if and only if $k \in B_{iu}$. This occurs with probability $k_{iu}/k_i$. As P is ¬Bad, $k_{iu}/k_i \le 1.5/b$. Especially, $k_{iv^*}/k_i \le 1.5/b$, as desired. □


Remark. Note that $n^{\frac{1}{\log n}} = 2$. Hence, $n^{-\frac{\delta}{t+1}} = 2^{-\frac{\delta\log n}{t+1}}$, which is negligible in log n when $t = o\left(\frac{\log n}{\log\log n}\right)$. Indeed, in this case, $\frac{\log n}{t+1} \ge c\log\log n$ for any constant c when n is large enough. For any fixed $c_0$, take $c = 2c_0/\delta$. Then, $(\ln n)^{c_0}2^{-\frac{\delta\log n}{t+1}} < (\log n)^{c_0 - 2c_0} \to 0$ with n. As a negligible value is the desired quantity for an insecurity bound in the information security community, $t = o\left(\frac{\log n}{\log\log n}\right)$ is an interesting assignment, although the theorem is valid for t = o(log n). Note that t = o(log n) is required in the theorem for a non-trivial MAC; otherwise, b is upper bounded by a constant (using $n^{\frac{1}{\log n}} = 2$).


where $k_{\min} = \min_i k_i$. Similarly,
$$P\big(\exists i \text{ s.t. } |k_i - nb^{-t}| > .5nb^{-t}\big) \le 2e^{-\frac{n}{8b^t} + t\ln b}. \quad (4)$$

Note that the choice of $Q_1, \cdots, Q_{t+1}$ for the above argument is arbitrary. We say P is Bad if there exist $Q_1, \cdots, Q_{t+1}$ in P such that either ∃i, j s.t. $|k_{ij} - k_i/b| > .5k_{\min}/b$, or ∃i s.t. $|k_i - nb^{-t}| > .5nb^{-t}$.

Remark. From Theorem 2, we have
$$\frac{\log|S|}{|K|} = \Theta\left(\frac{(2\epsilon/3)^{t+1}}{t+1}\right) = \Theta\left(\frac{|K|^{-\delta}}{t+1}\right), \quad (5)$$

Since Eqs. (3) and (4) hold for any choice of $(Q_1, Q_2, \cdots, Q_{t+1})$ while there are at most $|P|^{t+1}$ such choices, we have


$$\begin{aligned}
P(\mathrm{Bad}(P)) &\overset{(*)}{\le} 2\nu^{t+1}e^{-\frac{1}{16}nb^{-(t+1)} + (t+1)\ln b} + 2\nu^{t+1}e^{-\frac{1}{8}nb^{-t} + t\ln b} \\
&\le 2e^{-\frac{1}{16}nb^{-(t+1)} + (t+1)\ln b + (t+1)\ln\nu} + 2e^{-\frac{1}{8}nb^{-t} + t\ln b + (t+1)\ln\nu} \\
&\le 4e^{-\frac{1}{16}nb^{-(t+1)} + (t+1)\ln b + (t+1)\ln\nu} \\
&\le 4e^{-\frac{1}{16}n^{1-\delta} + \delta\ln n + \frac{1}{32}n^{1-\delta}} \\
&= 4n^{\delta}e^{-\frac{1}{32}n^{1-\delta}},
\end{aligned}$$
which approaches zero exponentially with n. Here the first term of inequality (∗) requires the condition $k_{\min} \ge .5nb^{-t}$, where the probability of violating this condition has been accounted for in the second term, as $k_i < .5nb^{-t}$ implies $|k_i - nb^{-t}| > .5nb^{-t}$. For a collection P that is ¬Bad, all decompositions in P are partitions of size b (furthermore, all intersections of t + 1 partitions in P are partitions of size $b^{t+1}$). For such a P, we can construct a MAC F : [n] × [ν] → [b] as F(k, s) = v if and only if $k \in A_{sv}$, where $(A_{s1}, \cdots, A_{sb})$ is the partition $P_s$. It remains to prove the (t, 1.5/b)-security of F. Assume that an attacker has adaptively queried source states $s_1, \cdots, s_t$ and in turn received the replies $v_1, \cdots, v_t$ respectively. Let his MAC forgery be $v^*$ for a new source state $s^*$. Now we analyze his success probability. Let the intersection of $P_{s_1}, \cdots, P_{s_t}$ be the


with $\epsilon = 1.5|K|^{-\frac{\delta}{t+1}}$. In the literature, the previous best record for $\frac{\log|S|}{|K|}$ with a general t is upper bounded by $|K|^{-1+1/t}$ by Atici and Stinson [13]. Obviously, Eq. (5) is larger than this as δ can be arbitrarily small and t = o(log |K|). For a concrete t, the previous best record is due to Xing, Wang and Lam [5] with t = 1, where their ratio asymptotically satisfies $\epsilon|K|^{-\delta} \le \frac{\log|S|}{|K|} \le \epsilon^c$ for any constant δ > 0 and c < 3. Our ratio in this case is $\Theta(\epsilon^2)$ (from Eq. (5) with t = 1), which is much larger than their upper bound $\epsilon^c$ with c > 2. This is interesting as it shows the existence of a (t, ϵ)-secure MAC that can support a source space much larger than known records. Besides the comparison with previous results, we also compare our existential result with the upper bound in Corollary 1. Corollary 1 states that for ϵ = o(1) and t ≤ |S|/2 + 1,


$$\frac{\log|S|}{|K|} \le \epsilon^t\log(\epsilon^t|K|). \quad (6)$$

Using $\epsilon = 1.5|K|^{-\frac{\delta}{t+1}}$, the ratio of Eq. (6) to Eq. (5) is
$$O\big(1.5^t|K|^{\frac{\delta}{t+1}}\log^2|K|\big) = |K|^{\frac{\delta}{t+1} + \frac{t\log 1.5}{\log|K|} + o(1)}.$$
Note that the exponent $\frac{\delta}{t+1} + \frac{t\log 1.5}{\log|K|} + o(1)$ approaches zero when t = ω(1) and t = o(log |K|). Note that t = o(log |K|) is inevitable from the known lower bound ϵ ≥



$2^{-\frac{H(K)}{t+1}}$ [14], [19], [20] if ϵ is set to be negligible, where H(K) is the entropy of the secret key K.

VI. A SELECTIVELY (1, ϵ)-SECURE MAC WITH A LARGE SOURCE SPACE


of A that w-cover $\{A_1, \cdots, A_\ell\}$. Then,
$$|P_w(A_1, \cdots, A_\ell)| \le \binom{n}{w}T_\ell(n - w + \ell).$$


Proof. For any non-empty subsets $B_i \subseteq A_i$, i = 1, · · · , ℓ with $\sum_{i=1}^{\ell}|B_i| = w$, any partition $\{A'_1, \cdots, A'_\ell\}$ with $B_i \subseteq A'_{j_i}$ for each i and some $j_i$ must w-cover $\{A_1, \cdots, A_\ell\}$. Given $B_i$, i = 1, · · · , ℓ, there are $T_\ell(n - w + \ell)$ such partitions: if we regard each $B_i$ as a super element, the number of such $\{A'_1, \cdots, A'_\ell\}$ is exactly the number of ℓ-partitions of a set of size n − w + ℓ. On the other hand, for each $\{A'_1, \cdots, A'_\ell\} \in P_w(A_1, \cdots, A_\ell)$, there must exist non-empty subsets $B_i$, i = 1, · · · , ℓ with $B_i \subseteq A_i$, $B_i \subseteq A'_{j_i}$ for each i and some $j_i$ such that $\sum_{i=1}^{\ell}|B_i| = w$. Thus, $|P_w(A_1, \cdots, A_\ell)|$ is bounded by the number of choices of $(B_1, \cdots, B_\ell)$ times $T_\ell(n - w + \ell)$. Given $\{A_1, \cdots, A_\ell\}$, the number of choices for $(B_1, \cdots, B_\ell)$ is bounded by $\binom{n}{w}$, as $B_i$ is uniquely determined by $B_1 \cup \cdots \cup B_\ell$ and $A_i$ (recall that $B_j \subseteq A_j$ for j ≠ i is disjoint from $A_i$). Hence, the lemma follows. □


In previous sections, we have considered MACs with security against a chosen message attack and proved the existence of a (t, ϵ)-secure MAC with $\frac{\log|S|}{|K|} = \Theta\left(\frac{(2\epsilon/3)^{t+1}}{t+1}\right)$. As noted above, this is close to the best possible bound (Eq. (6)) when ϵ is negligible and t = ω(1). However, this near-optimality is only in terms of the specific ϵ (i.e., $\epsilon = 1.5|K|^{-\frac{\delta}{t+1}}$). Generally, for any ϵ, we would like to ask whether there exists a (t, ϵ)-secure MAC with $\frac{\log|S|}{|K|}$ close to $\epsilon^t\log(\epsilon^t|K|)$ (i.e., the bound in Theorem 1 and Corollary 1). However, we do not know the answer. Instead, we will show in this section that there exists a selectively (1, ϵ)-secure MAC with $\frac{\log|S|}{|K|} \approx \epsilon\log\frac{\epsilon^2|K|}{100\ln|K|}$ for almost all feasible ϵ. This ratio is almost optimal by Corollary 2. We use the term "feasible" here because there does not exist a selectively (1, ϵ)-secure MAC for $\epsilon < \frac{1}{\sqrt{|K|}}$ (see [1];

Our lower bound on the number of partitions that are mutually not w-covered by each other will be obtained with the help of a result from graph theory. Toward this, we first introduce several notions from graph theory. We only consider graphs with no loops (that is, no edge of the form (v, v)). An undirected multi-graph G = (V, E) is a graph in which multiple edges between two vertices in V are allowed. If there is at most one edge between two vertices, G is called a simple graph. For v ∈ V, we use d(v) (the degree of v) to denote the number of edges incident to v. A maximum independent set of G (denote its cardinality by α(G)) is a largest set of vertices in V with no edge between any two of them. For a multi-graph G, let $G^* = (V, E^*)$ be the simple graph derived from G by keeping only one edge between any two nodes that have multiple edges between them. Trivially, S ⊆ V is an independent set in G if and only if it is an independent set in $G^*$. So $\alpha(G^*) = \alpha(G)$. In our work, we will use the following result proved in [28, Theorem 3.2.1]. We stress that this is not the best result. For instance, Caro [29] and Wei [30] showed that $\alpha(G) \ge \sum_{v\in V}\frac{1}{d(v)+1}$. However, it is very convenient for our use.

Lemma 4: Let G = (V, E) be a simple graph and $D = \frac{\sum_{v\in V}d(v)}{|V|} \ge 1$. Then, $\alpha(G) \ge \frac{|V|}{2D}$.

With the above two lemmas, we can now bound the maximum set of ℓ-partitions that are mutually not w-covered by each other. We remark that the notion of w-covering is not symmetric. That is, if P w-covers Q, there is no guarantee that Q w-covers P.

|K|

alternatively, see Appendix for a short proof). We prove the existence of selectively (1, ϵ)-secure MAC with a large S through a construction. Our construction is based on a set of partitions that are mutually not partially covered by each other, where the partial covering is precisely defined as follows. Definition 3: A partition {A1 , · · · , Aℓ } of A is said to be w-covered by partition {A′1 , · · · , A′h } of A if ℓ ∑ i=1

max |Ai ∩ A′j | ≥ w. j∈[h]

For a set A of size n, we are interested in the total number of its ℓ-partitions. We denote it by Tℓ (n). This is called a Stirling number of the second kind [27]. The following bounds were proved in [27]. Lemma 2: For n ∈ N and 1 ≤ ℓ( < ) n, let Lℓ = 1 2 1 n n−ℓ n−ℓ−1 (ℓ + ℓ + 2)ℓ − 1 and U = . Then, ℓ 2 2 ℓ ℓ Lℓ ≤ Tℓ (n) ≤ Uℓ . For a fixed ℓ ∈ [n], we want to bound the largest subset P of ℓ-partitions of A that are mutually not wcovered by each other (i.e., there does not exist P1 , P2 ∈ P such that P1 w-covers P2 ). Toward this, we will first upper bound the number of ℓ-partitions of A that can w-cover a particular partition. Lemma 3: For a partition {A1 , · · · , Aℓ } of A with |A| = n, let Pw (A1 , · · · , Aℓ ) be the set of ℓ-partitions 7

This completes the proof.  Theorem 3: There exists a selectively (1, ϵ)-secure ϵ2 n ϵn log( 100 ln n ) and |K| = n ≥ 2. MAC with |S| ≥ 2 ϵn ln n 2 Proof. For n ∈ N, let Ωn (ℓ, w) = {P1 , · · · , PN }, where the partitions are defined for a set A of size n and ℓ, w will be defined later. Let S = [N ]. For each s ∈ S, define MAC F : A × S → [ℓ] as F (k, s) = v if and only if k ∈ Asv , where Ps = {As1 , · · · , Asℓ }. This MAC is (1, w/n)-secure against a selective attack: if the attacker chooses s as the query source state (assume the MAC oracle replies with v) and another s∗ as the challenge source state and outputs v ∗ , then his success probability ∑ |Asva| |Aforgery s∗ v ∗ ∩Asv | p = v |A| . As this is a selective attack, |Asv | s, s∗ are chosen before v is returned. It follows that s∗ will remain unchanged when v varies. Hence, p = ∑ ∑ |As∗ v∗ ∩Asv | v maxv ∗ |As∗ v ∗ ∩Asv | ≤ < w/n, as v |A| |A| {As1 , · · · , Asℓ } is not w-covered by {As∗ 1 , · · · , As∗ ℓ }. The selective (1, w/n)-security follows. To get the bound of |S|, compute Ωn (ℓ, w) in Lemma 5 with β = ϵ and α = lnϵn (note: α is found through an optimization process but this is not necessarily the best point). For this assignment, the (lower )bound in Lemma ϵ2 n ξn 5 is 2 ϵn ln n e , where ξ = ϵ ln e ln n + γ with γ = 2(1 − ϵ) ln(1 − ϵ) − (1 − ϵ + lnϵn ) ln(1 − ϵ + lnϵn ). Using inequalities ln(1 + x) ≤ x for any x ≥ −1 and (1 + 2x)(1 − x) ≥ 1, we have that

Lemma 5: Let Ωn (ℓ, w) be the largest set of ℓpartitions for A with |A| = n that are mutually not w-covered by each other. Then, for any ℓ ≤ w, Tℓ (n) |Ωn (ℓ, w)| ≥ ( n ) , 4 w Tℓ (n − w + ℓ)

(7)

Further, if α = ℓ/n, β = w/n with α ≤ β ≤ 1 − 1/n, then |Ωn (ℓ, w)| is lower bounded by α

0.5αn · 2[(β−α) log(αn)−h(β)−(1−β+α)h( 1−β+α )]n . Proof. For part one, we only consider case ℓ < n and w < n (as ℓ = n implies |Ωn (ℓ, w)| = 1 while w = n implies |Ωn (ℓ, w)| = Tℓ (n), and so both cases hold trivially). We build an undirected multi-graph G = (V, E), where V consists of all ℓ-partitions of A and E is defined as follows: for any distinct v1 , v2 ∈ V , if v2 w-covers v1 , then add an edge between v1 and v2 (note: if v1 also w-covers v2 , then there are two edges between v1 and v2 and so G is a multi-graph). We use d+ (v) to denote the number of vertices that v w-covers and use d− (v) to denote the number of vertices ∑that w-covers + + − v. Then d(v) = d (v) + d (v) and ( n ) v∈V d (v) = ∑ − − By Lemma 3, d (v) ≤ w Tℓ (n − w + ℓ). v∈V d (v). ∑ (n) def v d(v) Thus, D = ≤ 2 w Tℓ (n − w + ℓ). Now let n G∗ = (V, E ∗ ) be the simple graph derived from G by removing one edge between two vertices if there are two between them. Let d∗ (v) be the degree of v in G∗ . Obviously, d− (v) ≥ 1 (as we assume ℓ < n, w < n and so there exists v ′ that differs from v only by changing one element of A). So if no edge incident to v is removed in creating G∗ , then d∗ (v) ≥ 1. If one edge incident to v (e.g., between u, v) is removed in creating G∗ , then there must one edge between u, v that has been left in G∗ , which implies that d∗∑(v) ∗≥ 1 too. So in any case, d (v) d∗ (v) ≥ 1. Thus, D∗ := v|V | ≥ 1. From Lemma 4 ∗



|V | 2D ∗

ϵ ϵ γ ≥ − 2(1 − ϵ) ln(1 + 2ϵ) − (1 − ϵ + )(−ϵ + ) ln n ln n ϵ ϵ )(ϵ − ) ≥ − 4(1 − ϵ)ϵ + (1 − ϵ + ln n ln n ≥ − 3.5ϵ. So taking γ into ξ and noting that eln x = 2log x , we obtain the desired bound as e4.5 < 100.  Remark. We notice that our theorem claims the existence without restricting ϵ. However, it is known [1] that a selectively (1, ϵ)-secure MAC must have ϵ ≥ √1

|V | 2D ,

(on graph G ), we have α(G) = α(G ) ≥ ≥ where D∗ ≤ D follows from d∗ (v) ≤ d(v). Hence, part one follows. We now consider part two. From part one,

|K|

(also see the appendix for a short proof). This seems to contradict our theorem. However, this is not true. If the restriction is not satisfied, then our lower bound for |S| is ≤ 0. So in this case, the theorem claims nothing. √ 100 ln |K| On the other hand, when ϵ > , our theorem |K| asserts the existence of a selectively (1, ϵ)-secure MAC. We remark that this existence of such a MAC for some S is not new as there are results achieving (1, ϵ)-security (stronger than the selective security) for given K with ϵ = √1 (see [14] for example). What is new in our

Lℓ (n) |Ωn (ℓ, w)| ≥ ( n ) 4 w Uℓ (n − w + ℓ) ℓw−ℓ+1 ≥ ( n )(n−w+ℓ) . 2 w ℓ (n) h(m/n)n Using inequality m ≤ 2 , we have |Ωn (ℓ, w)| ≥0.5(αn)(β−α)n+1 2−h(β)n−h( 1−β+α )(1−β+α)n α

α [(β−α) log(αn)−h(β)−(1−β+α)h( 1−β+α )]n

≥0.5αn · 2

|K|

theorem is that we assert the existence of (1, ϵ)-secure MAC with a large S. Our theorem does not have a claim

. 8

for ϵ between √1

|K|

√ and

100 ln |K| . |K|

Also, our view of f (·, S) for a given S as a partition of K is new. It would be interesting to see this view can be used to obtain more results about MAC. It is also interesting to discuss the achievable size of source space for a MAC with various constraints imposed by real applications (such as [22], [23], [24], [25]).

This might be an

interesting question for future work. Remark. The above theorem implies the existence of a selectively (1, ϵ)-secure MAC with log|K||S| ≈

ϵ log(ϵ2 100|K| ln |K| ) for large |K|. This is almost optimal by Corollary 2. Write ϵ = |K|−δ(|K|) . Usually, ϵ is desired to be negligible (i.e., ϵ = (log |K|)−ω(1) ). In 1 |K| this case, δ(|K|) = ω( logloglog|K| ) using 2 = x log x for any x > 0.c If we further require δ = o(1), then we can |K| for any constant c > 0. For this type set δ = logloglog |K|

A PPENDIX It was shown in [1] that ϵ ≥ |K|− 2 holds for a selectively (1, ϵ)-MAC. In this appendix, we give a short proof for this from the view point of set partition. We remark that there exists a general lower bound H(K) ϵ ≥ 2− t+1 [14], [19], [20] for a (t, ϵ)-secure MAC. But the proofs in all of these works depend on the nature of a chosen message attacker. Lemma 6: Let F be a selectively (1, ϵ)-secure MAC with source space S, key space K and message space M. Then, ϵ ≥ √1 . 1

of assignment, we have that log|K||S| ≈ |K|−δ log |K| with δ = o(1) while ϵ is negligible.
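The partition view behind Definition 3, Lemma 5, Theorem 3 and Lemma 6 can be checked concretely for a toy key space. The following Python script is an added example and is not code from the paper: it enumerates all $\ell$-partitions of a small key space, builds a family of mutually non-$w$-covered partitions with a greedy independent set (the paper only argues existence via Lemma 4; the greedy order "most balanced partition first" is my choice), turns that family into the MAC of Theorem 3, exhausts the uniform key to compute the exact success probability of the best selective attacker, and runs the generic attacker of Lemma 6 against it. The parameters $n=6$, $\ell=3$, $w=4$ (and $n=4$, $\ell=2$, $w=3$) are assumptions chosen for illustration.

```python
"""Partition view of a Cartesian MAC (added example, not code from the paper).

Key space K = {0, ..., n-1}.  A MAC F(k, s) with tags in [ell] is, for each
source state s, the ell-partition {A_{s,1}, ..., A_{s,ell}} of K with
A_{s,v} = {k : F(k, s) = v}.  We build the family of Theorem 3 by a greedy
independent set in the w-covering graph of Lemma 5 (tiny n, brute force),
check its selective (1, w/n)-security exhaustively and run the attacker of
Lemma 6 against it.  All parameters used below are illustrative assumptions.
"""
from functools import lru_cache
from math import comb


def ell_partitions(n, ell):
    """All partitions of {0..n-1} into exactly ell non-empty blocks (each a
    frozenset), generated once each via restricted growth strings:
    rgs[0] = 0 and rgs[i] <= 1 + max(rgs[:i])."""
    out = []

    def rec(i, rgs, mx):
        if i == n:
            if mx + 1 == ell:
                blocks = [set() for _ in range(ell)]
                for k, b in enumerate(rgs):
                    blocks[b].add(k)
                out.append(tuple(frozenset(b) for b in blocks))
            return
        for b in range(min(mx + 1, ell - 1) + 1):
            rec(i + 1, rgs + [b], max(mx, b))

    rec(0, [], -1)
    return out


@lru_cache(maxsize=None)
def stirling2(n, ell):
    """T_ell(n): Stirling number of the second kind (number of ell-partitions)."""
    if n == ell:
        return 1
    if ell == 0 or ell > n:
        return 0
    return ell * stirling2(n - 1, ell) + stirling2(n - 1, ell - 1)


def rennie_dobson_bounds(n, ell):
    """(L_ell, U_ell) of Lemma 2, valid for 1 <= ell < n."""
    low = (ell * ell + ell + 2) * ell ** (n - ell - 1) / 2 - 1
    up = comb(n, ell) * ell ** (n - ell) / 2
    return low, up


def bound7(n, ell, w):
    """Lower bound (7) of Lemma 5 on |Omega_n(ell, w)| (asymptotic; tiny here)."""
    return stirling2(n, ell) / (4 * comb(n, w) * stirling2(n - w + ell, ell))


def cover_sum(P, Q):
    """sum_i max_j |A_i ∩ A'_j|; P is w-covered by Q iff this is >= w (Def. 3)."""
    return sum(max(len(a & b) for b in Q) for a in P)


def non_w_covered_family(n, ell, w):
    """Greedy independent set in the graph of Lemma 5 (edge = w-covering in
    either direction).  Balanced partitions are tried first: a block of size
    >= w would w-cover every other partition and is useless as F(., s)."""
    parts = sorted(ell_partitions(n, ell), key=lambda P: max(len(b) for b in P))
    fam = []
    for P in parts:
        if all(cover_sum(P, Q) < w and cover_sum(Q, P) < w for Q in fam):
            fam.append(P)
    return fam


def mac(fam, k, s):
    """F(k, s) = v iff k in A_{s,v}: the MAC of Theorem 3 with S = range(len(fam))."""
    for v, block in enumerate(fam[s]):
        if k in block:
            return v
    raise ValueError("key not in key space")


def selective_forgery_prob(fam, n, s, s_star):
    """Best success probability of a selective attacker who fixes (s, s_star),
    learns v = F(K, s) and answers with the tag v* maximising
    |A_{s*,v*} ∩ A_{s,v}|; computed by exhausting the uniform key K."""
    wins = 0
    for key in range(n):
        v = mac(fam, key, s)
        v_star = max(range(len(fam[s_star])),
                     key=lambda t: len(fam[s_star][t] & fam[s][v]))
        wins += key in fam[s_star][v_star]
    return wins / n


def lemma6_attack_prob(fam, n, s, s_prime):
    """Attacker of Lemma 6: query s, pick k uniformly from the block A_j with
    F(A_j, s) = F(K, s), output F(k, s').  Succeeds with probability >= ell/n."""
    total = 0.0
    for key in range(n):
        a_j = fam[s][mac(fam, key, s)]
        target = mac(fam, key, s_prime)
        total += sum(mac(fam, k, s_prime) == target for k in a_j) / len(a_j)
    return total / n


def worst_case_eps(fam, n):
    """Selective (1, eps)-security level of the MAC built from fam: the max of
    the no-query forgery (largest block / n) and all pairs s != s*."""
    eps = max(len(b) for P in fam for b in P) / n
    for s in range(len(fam)):
        for s_star in range(len(fam)):
            if s != s_star:
                eps = max(eps, selective_forgery_prob(fam, n, s, s_star))
    return eps


if __name__ == "__main__":
    n, ell, w = 6, 3, 4
    fam = non_w_covered_family(n, ell, w)
    print(len(fam), "source states; eps =", worst_case_eps(fam, n), "< w/n =", w / n)
```

With $n=6$, $\ell=3$, $w=4$ the greedy family is the five pairwise edge-disjoint perfect matchings of a one-factorization of $K_6$, so $|\mathcal S|=5$; every ordered pair of source states has covering sum 3, the exact selective forgery probability is $3/6=0.5<w/n$, which lies above the Lemma 6 floor $1/\sqrt6\approx0.41$, and the Lemma 6 attacker achieves exactly $\ell/n=0.5$. The bound (7) evaluates to $0.06$ at these sizes, which illustrates that Lemma 5 is an asymptotic statement.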

VII. CONCLUSION

In this paper, we studied the message authentication code $f(K,S)$, where $K$ is the key shared between Alice and Bob from a key space $\mathcal K$ and $S$, from the source space $\mathcal S$, is the source state to be authenticated by Alice. We showed that any MAC has an equivalent MAC (in security) with the same $\mathcal K$ and $\mathcal S$ such that a message $M$ of the latter has the format $(S,\tau)$, where $\tau$ is called a tag and has bit length $\log|\mathcal K|$ (in particular, independent of $\mathcal S$). Given $\mathcal K$ (hence the tag length), a larger $\mathcal S$ implies better bandwidth efficiency. Motivated by this, we studied the achievable size of $\mathcal S$ for a given $\mathcal K$, through either $|\mathcal S|$ or, equivalently, the ratio $\frac{\log|\mathcal S|}{|\mathcal K|}$. We considered a $(t,\epsilon)$-secure MAC, in which an attacker cannot forge a valid message with probability better than $\epsilon$ after adaptively obtaining $t$ valid messages. For a fixed $S$, we regarded $f(\cdot,S)$ as a partition mapping of $\mathcal K$. Under this view, we obtained an upper bound on $|\mathcal S|$ for a $(t,\epsilon)$-secure MAC. Through a random coding technique, we showed the existence of a $(t,\epsilon)$-secure MAC with $\frac{\log|\mathcal S|}{|\mathcal K|}$ close to the upper bound. Our ratio is much larger than in previous results. We also considered the selectively secure MAC, where the adversary fixes all the source states for his encoding queries and for the final forgery in advance. Using a graph-theoretic result, we showed the existence of a selectively $(1,\epsilon)$-secure MAC with $\frac{\log|\mathcal S|}{|\mathcal K|}$ larger than that of the existential construction above for $t=1$ and close to its upper bound. The constructions in this work demonstrate that a MAC can achieve approximately optimal bandwidth efficiency, which could be very important in practice. However, these constructions are theoretical in nature and were obtained mainly through random arguments; they cannot be used directly in a practical system. Hence, an interesting question is to find direct or computationally efficient secure MACs with a large $\mathcal S$, perhaps from certain (algebraic) structures.

Also, our view of $f(\cdot,S)$ for a given $S$ as a partition of $\mathcal K$ is new. It would be interesting to see whether this view can be used to obtain more results about MACs. It is also interesting to study the achievable size of the source space for a MAC under the various constraints imposed by real applications (such as [22], [23], [24], [25]).

APPENDIX

It was shown in [1] that $\epsilon\ge|\mathcal K|^{-1/2}$ holds for a selectively $(1,\epsilon)$-secure MAC. In this appendix, we give a short proof of this from the viewpoint of set partitions. We remark that there is a general lower bound $\epsilon\ge2^{-H(K)/(t+1)}$ [14], [19], [20] for a $(t,\epsilon)$-secure MAC, but the proofs in all of these works depend on the nature of a chosen message attacker.

Lemma 6: Let $F$ be a selectively $(1,\epsilon)$-secure MAC with source space $\mathcal S$, key space $\mathcal K$ and message space $\mathcal M$. Then $\epsilon\ge1/\sqrt{|\mathcal K|}$.

Proof. For any $s\in\mathcal S$, let the partition of $\mathcal K$ induced by $s$ be $\{A_1,\dots,A_\ell\}$. In the following, we assume that $|A_i|\le\epsilon|\mathcal K|$ holds for every $s$ and $i$. Otherwise, if $|A_j|>\epsilon|\mathcal K|$ for some $s$ and $j$, then an attacker can simply output $m=F(k,s)$ for some $k\in A_j$ without any query, which succeeds with probability $\frac{|A_j|}{|\mathcal K|}>\epsilon$, a contradiction to the security. Now consider an attacker $\mathcal A$ who chooses two arbitrary $s,s'\in\mathcal S$. He sends $s$ to the MAC oracle $F(K,\cdot)$ and receives $m=F(K,s)$. Let the partition of $\mathcal K$ induced by $s$ be $\{A_1,\dots,A_\ell\}$ and assume $F(A_j,s)=m$. Then $\mathcal A$ takes $k$ uniformly at random from $A_j$ and outputs $F(k,s')$ as his forgery. He succeeds whenever $K=k$, which occurs with probability
$$\sum_{j=1}^{\ell}P_K(A_j)\cdot\frac{1}{|A_j|}=\frac{\ell}{|\mathcal K|}.$$
As $|A_i|\le\epsilon|\mathcal K|$ for every $i$ and $\sum_i|A_i|=|\mathcal K|$, it follows that $\ell\ge1/\epsilon$. So the success probability of $\mathcal A$ is at least $\frac{1}{\epsilon|\mathcal K|}$. On the other hand, the success probability of $\mathcal A$ is upper bounded by $\epsilon$. Hence $\epsilon\ge\frac{1}{\epsilon|\mathcal K|}$, i.e., $\epsilon\ge1/\sqrt{|\mathcal K|}$. The lemma follows. $\square$

ACKNOWLEDGMENTS

We would like to thank the anonymous reviewers for valuable comments that helped improve the quality of the paper. This work is supported by an open grant (No. 2015-MS11) of the State Key Lab of Inf. Sec., IIE, CAS.

REFERENCES

[1] E. N. Gilbert, F. J. MacWilliams and N. J. Sloane, "Codes which detect deception", Bell Syst. Tech. J., vol. 53, no. 3, pp. 405-424, 1974.
[2] R. Safavi-Naini, H. Wang and C. Xing, "Linear authentication codes: bounds and constructions", in 2nd Int. Conf. on Cryptol. in India (INDOCRYPT 2001), LNCS 2247, C. P. Rangan and C. Ding, Eds. Berlin, Germany: Springer-Verlag, 2001, pp. 127-135.


[3] T. Helleseth and T. Johansson, "Universal hash functions from exponential sums over finite fields and Galois rings", in Advances in Cryptology (Lecture Notes in Computer Science), vol. 1109, N. Koblitz, Ed. Berlin, Germany: Springer-Verlag, 1996, pp. 31-44.
[4] J. Bierbrauer, "Universal hashing and geometric codes", Des., Codes Cryptogr., vol. 11, pp. 207-221, 1997.
[5] C. Xing, H. Wang and K. Y. Lam, "Constructions of authentication codes from algebraic curves over finite fields", IEEE Trans. Inf. Theory, vol. 46, no. 3, pp. 886-892, May 2000.
[6] G. J. Simmons, "Message authentication: a game on hypergraphs", Congressus Numerantium, vol. 45, pp. 161-192, 1984.
[7] G. J. Simmons, "A survey of information authentication", Proceedings of the IEEE, vol. 76, pp. 603-620, 1988.
[8] J. L. Carter and M. N. Wegman, "Universal classes of hash functions", J. Comput. System Sci., vol. 18, no. 2, pp. 143-154, 1979.
[9] M. N. Wegman and J. L. Carter, "New hash functions and their use in authentication and set equality", J. Comput. System Sci., vol. 22, no. 3, pp. 265-279, 1981.
[10] D. R. Stinson, "Universal hashing and authentication codes", in Advances in Cryptology (Lecture Notes in Computer Science), vol. 576, J. Feigenbaum, Ed. Berlin, Germany: Springer-Verlag, 1992, pp. 74-85.
[11] D. R. Stinson, "Universal hashing and authentication codes", Des., Codes Cryptogr., vol. 4, no. 3, pp. 369-380, 1994.
[12] B. den Boer, "A simple and key-economical unconditional authentication scheme", Journal of Computer Security, vol. 2, pp. 65-71, 1993.
[13] M. Atici and D. R. Stinson, "Universal hashing and multiple authentication", in Advances in Cryptology (Lecture Notes in Computer Science), vol. 1109, N. Koblitz, Ed. Berlin, Germany: Springer-Verlag, 1996, pp. 16-30.
[14] U. Rosenbaum, "A lower bound on authentication after having observed a sequence of messages", J. Cryptol., vol. 6, no. 3, pp. 135-156, 1993.
[15] H. Krawczyk, "LFSR-based hashing and authentication", in Advances in Cryptology (Lecture Notes in Computer Science), vol. 839, Y. G. Desmedt, Ed. Berlin, Germany: Springer-Verlag, 1994, pp. 129-139.
[16] V. Fåk, "Repeated use of codes which detect deception", IEEE Trans. Inf. Theory, vol. 25, no. 2, pp. 233-234, 1979.
[17] B. Smeets, "Bounds on the probability of deception in multiple authentication", IEEE Trans. Inf. Theory, vol. 40, no. 5, pp. 1586-1591, 1994.
[18] D. Pei, "Information-theoretic bounds for authentication codes and block designs", J. Cryptol., vol. 8, pp. 177-188, 1995.
[19] M. Walker, "Information-theoretic bounds for authentication schemes", J. Cryptol., vol. 2, pp. 131-143, 1990.
[20] U. Maurer, "Authentication theory and hypothesis testing," IEEE Trans. Inf. Theory, vol. 46, no. 4, pp. 1350-1356, 2000.
[21] R. Safavi-Naini and P. R. Wild, "Information theoretic bounds on authentication systems in query model", IEEE Trans. Inf. Theory, vol. 54, no. 6, pp. 2426-2436, June 2008.
[22] S. Agrawal and D. Boneh, "Homomorphic MACs: MAC-based integrity for network coding," in Proc. 7th Int. Conf. Applied Cryptography and Network Security (ACNS 2009), LNCS 5536, M. Abdalla, D. Pointcheval, P. A. Fouque, D. Vergnaud, Eds. Berlin, Germany: Springer-Verlag, 2009, pp. 292-305.
[23] C. Cheng and T. Jiang, "An efficient homomorphic MAC with small key size for authentication in network coding," IEEE Trans. Comput., vol. 62, no. 10, pp. 2096-2100, Oct. 2013.
[24] C. Cheng, T. Jiang, and Q. Zhang, "TESLA-based homomorphic MAC for authentication in P2P system for live streaming with network coding," IEEE J. Sel. Areas Commun., vol. 31, no. 9, pp. 291-298, Sept. 2013.
[25] F. Oggier and H. Fathi, "An authentication code against pollution attacks in network coding", IEEE/ACM Trans. Netw., vol. 19, no. 6, pp. 1587-1596, Dec. 2011.
[26] N. G. de Bruijn, Asymptotic Methods in Analysis, 3rd ed., New York, NY, USA: Dover Publications, 1981.
[27] B. C. Rennie and A. J. Dobson, "On Stirling numbers of the second kind", J. Combin. Theory, vol. 7, no. 2, pp. 116-121, 1969.
[28] N. Alon and J. H. Spencer, The Probabilistic Method, 3rd ed., Hoboken, New Jersey, USA: John Wiley & Sons, 2008.
[29] Y. Caro, "New results on the independence number", Technical Report, Tel Aviv University, 1979.
[30] V. K. Wei, "A lower bound on the stability number of a simple graph", Bell Laboratories Technical Memorandum, no. 81-11217-9, 1981.

Shaoquan Jiang received the B.S. and M.S. degrees in mathematics from the University of Science and Technology of China, Hefei, China, in 1996 and 1999, respectively. He received the Ph.D degree in Electrical and Computer Engineering from the University of Waterloo, Waterloo, ON, Canada, in 2005. From 1999 to 2000, he was a research assistant at the Institute of Software, Chinese Academy of Sciences, Beijing; from 2005 to 2013, he was a faculty member at the University of Electronic Science and Technology of China, Chengdu, China; from 2013 to now, he is a faculty member at Mianyang Normal University, Mianyang, China. He was a postdoc at the University of Calgary from 2006 to 2008 and a visiting research fellow at Nanyang Technological University from Oct. 2008 to Feb. 2009. His research interests are public-key based secure systems and secure protocols.
