Bounds and Constructions for Multireceiver Authentication Codes

Multireceiver authentication codes allow one sender to construct an authenticated message for a group of receivers such that each receiver can verify authenticity of the received message. In this paper, we give a formal deenition of multireceiver authentication codes, derive information theoretic and combinatorial lower bounds on their performance and give new eecient constructions for such codes, our constructions are based on the linear error-correcting codes. Multireceiver authentication codes (MRA-codes) 4] extend Simmons' model of unconditionally secure authentication 16]. In an MRA-code 4], a sender wants to authenticate a message for a group of receivers such that each receiver can verify authenticity of the received message. Receivers are not trusted and may try to construct fraudulent messages on behalf of the transmitter. If the fraudulent message is acceptable by even one receiver the attackers have succeeded. This is a useful extension of traditional authentication code and has numerous applications. For example a director wanting to give instructions to employees in an organisation such that each employee is able to verify authenticity of the message. Providing such service using digital signature implies that security relies on unproven assumptions and the attackers have nite amount of computational resources. In unconditionally secure model, there is no computational assumptions or limitations on the attackers' resources. A multireceiver A-code can be trivially constructed using traditional A-codes: the sender shares a common key with each receiver; to send an authenticated message it constructs n codewords, one for each receiver, concatenates them and broadcasts the result. Now each receiver can verify its own codeword and so authenticate the message. In this construction collaboration of even n ? 1 receivers does not help them in constructing a message that is acceptable by the n th receiver simply because the n codewords are independently constructed. If we assume that the size of the malicious groups cannot be too large, for example the biggest number of collaborators is w ? 1 (where w < n), then we can expect to save on the size of the key and the length of the codeword because codewords can have dependencies. This is the basis of attempting to construct codes that are more eecient than the trivial one. The rst two constructions of (w; n) MRA-codes, given in 4], are based on polynomials over nite elds and