Constructing Optimal Authentication Codes with Perfect Multi-fold Secrecy

Constructing Optimal Authentication Codes with Perfect Multi-fold Secrec y Michael Huber University of T uebing en W ilhelm Sch ickard I nstitute fo r Com puter Scien ce Sand 13, D-720 76 T uebin gen, Germany Email: michael. huber@un i-tuebingen.de Abstract —W e establish a construction of optimal authentica- tion c od es achieving perfect multi-fold secr ecy by means of com- binatorial designs. This contin ues th e author’s work (ISIT 2009, cf. [ 1 ]) and answers an open question posed therein. As an application, we pre sen t t he first infi nite class of optimal codes that pro vide two-f old security against s poofing attacks and at the same time perfect two-f old secrecy . I . I N T R O D U C T I O N Authentication and secrecy are two crucial concepts in cryptog raphy and info rmation security . Although in depende nt in their nature, various scenarios require that bo th aspects hold simultaneously . For info rmation-theo r etic or un condi- tional secu rity (i.e. robustness again st an attacker that h as unlimited computational resources), authenticatio n and s ecrecy codes have been in vestigated f or quite some time . The initial construction of a uthentication code s goes back to Gilbert, MacW illiams & Sloane [ 2 ]. A m ore general an d systematic theory of authe ntication was d ev elo ped by Simm ons (e.g., [ 3 ], [ 4 ]). Fund amental work on secrecy codes started with Shan- non [ 5 ]. This paper d eals with the constru ction of optimal authen- tication co des with perfect mu lti-fold secrecy . It con tinues the auth or’ s recent work [ 1 ], which natu rally extended results by Stinson [ 6 ] on authentication codes with perfect secre cy . W e will answer a n im portant question left open in [ 1 ] that addresses the constructio n of authen tication codes with perfect multi-fold secrecy f or equip robable so urce pro bability distri- butions. W e establish a constru ction of o ptimal authenticatio n codes which are m ulti-fold secure against spoofing attacks and simu ltaneously provid e pe rfect multi-fold secr ecy . This can be achiev e d by means of co mbinatorial de signs. As an application, we present the first infinite class of o ptimal cod es that achieve two-fo ld secu rity against spoofing as well as perfect two-fold secrecy . The paper is organized as f ollows: Ne cessary d efinitions and concepts f rom the theory of a uthentication and secrecy codes as well as from combinatorial design th eory will be summarized in Section II . Section III gives r ele vant comb ina- torial construction s of optimal authentication codes which bear no secrecy assumptions. In Section IV , we re view Stinson’ s construction s in [ 6 ] and recen t results from [ 1 ]. Section V is dev oted to ou r new co nstructions. I I . P R E L I M I N A R I E S A. A u thentication an d S ecr ecy Codes W e rely on the info rmation-th eoretical or un conditiona l se- crecy m odel d e velop ed by Shanno n [ 5 ], an d by Sim mons (e.g., [ 3 ], [ 4 ]) inclu ding authentica tion. Our n otion com plies, for the most part, with th at of [ 6 ], [ 7 ]. I n th is m odel of authenticatio n and secr ecy thr ee participants are inv olved: a transmitter , a receiver , and an oppo nent . The transmitter wants to comm unicate informatio n to the receiv e r via a p ublic commun ications channel. The receiver in return would like to be co nfident that any received in formation actually came from the transmitter and not fr om some op ponent ( integrity of informa tion). The transmitter and th e rec ei ver are assumed to trust each other . Sometimes this is also called an A -co de . In what follows, let S denote a set of k sour ce states (or plaintexts ), M a set of v messages (or ciphe rte xts ), an d E a set of b encoding rules (or ke ys ). Using an encoding rule e ∈ E , the transmitter enc rypts a source state s ∈ S to obtain the message m = e ( s ) to be sent over the chann el. The encodin g rule is an injective function fro m S to M , an d is commun icated to the rece i ver via a secure ch annel pr ior to any m essages bein g sen t. For a gi ven en coding ru le e ∈ E , let M ( e ) := { e ( s ) : s ∈ S } den ote the set of valid messages. For an enco ding rule e and a set M ∗ ⊆ M ( e ) of distinct messages, we de fine f e ( M ∗ ) := { s ∈ S : e ( s ) ∈ M ∗ } , i. e., the set of source states that will be encoded under enco ding rule e by a m essage in M ∗ . A received message m will be accepted by the receiver as being authentic if and only if m ∈ M ( e ) . When this is fulfilled , the receiv er d ecrypts the message m by applying the decodin g rule e − 1 , wh ere e − 1 ( m ) = s ⇔ e ( s ) = m. An authen tication code can be r epresented algeb raically by a ( b × k ) -encod ing matrix with the rows index ed by the enc oding rules, the co lumns indexed by the sou rce states, and th e entries defined by a es := e ( s ) ( 1 ≤ e ≤ b , 1 ≤ s ≤ k ). W e address th e scenar io o f a spoofi ng attack of or der i (cf. [ 7 ]): Supp ose that a n opp onent observes i ≥ 0 distinct messages, which are sent thro ugh th e p ublic channel using the same enco ding ru le. The oppo nent then inserts a ne w m essage m ′ (being distinct f rom the i messages alread y sent), hoping to have it accepted by the receiver as au thentic. The cases i = 0 and i = 1 are called impersonation game and substitution game , respectively . These cases have been studied in detail in rec ent yea rs (e.g., [ 8 ], [ 9 ]), howe ver less is k nown f or the cases i ≥ 2 . In this article, we focus on tho se cases where i ≥ 2 . For any i , we assume that there is some probab ility dis- tribution on the set of i -subsets of source states, so that any set of i sou rce states has a non -zero prob ability of occurr ing. For simplification, we ignore the order in which the i source states occur, and assume that no source state occurs more than o nce. Giv en th is probab ility d istribution p S on S , the receiver an d tra nsmitter ch oose a probab ility d istribution p E on E (called encoding strate g y ) with associated indep endent random variables S and E , respectively . Th ese distributions are known to all participants and indu ce a third distribution, p M , on M with associated ran dom variable M . Th e dec eption pr obab ility P d i is the prob ability that the oppon ent can deceive the receiver with a spoo fing attack of ord er i . The following theorem (cf. [ 7 ]) provides co mbinator ial lo wer bo unds. Theor em 1: [ Massey ] In a n authen tication code with k source states and v messages, the d eception p robabilities are bound ed below by P d i ≥ k − i v − i . An authentication code is called t A -fold secu r e against spoofin g if P d i = ( k − i ) / ( v − i ) fo r all 0 ≤ i ≤ t A . Moreover , we co nsider the co ncept of perfect multi-fold secrecy which h as been intro duced by Stin son [ 6 ] and gen eral- izes Shannon’ s f undamen tal idea of perfect (o ne-fold ) secrecy (cf. [ 5 ]). W e say that an au thentication code has pe rfect t S - fold secr ec y if , for every p ositiv e integer t ∗ ≤ t S , for every set M ∗ of t ∗ messages o bserved in the ch annel, an d for e very set S ∗ of t ∗ source states, we have p S ( S ∗ | M ∗ ) = p S ( S ∗ ) . That is, the a posteriori proba bility distrib u tion on the t ∗ source states, given that a set of t ∗ messages is ob served, is identical to the a priori probab ility distribution on the t ∗ source states. When clear fr om the context, we ofte n o nly write t instead of t A resp. t S . B. Combinatorial Desig ns W e recall the definition of a co mbinatorial t - design. For positive in tegers t ≤ k ≤ v and λ , a t - ( v , k , λ ) design D is a pair ( X , B ) , satisfying the following prop erties: (i) X is a set o f v elements, called p oints , (ii) B is a family of k -sub sets of X , called b locks , (iii) every t -subset of X is contained in exactly λ block s. W e den ote points by lower -c ase and blocks by upp er-case Latin letters. V ia co n vention , let b := |B | deno te the num ber of block s. T hrough out this article, ‘re peated blocks’ are not allowed, tha t is, the sam e k -subset of points may not occur twice as a block. If t < k < v holds, th en we speak o f a non-trivial t - design. For historical r easons, a t - ( v , k, λ ) desig n with λ = 1 is called a Steiner t - design (sometimes also a Steiner system ). The special case of a Steiner design with parameters t = 2 and k = 3 is called a Steiner triple system STS ( v ) o f order v . A Steiner de sign with p arameters t = 3 and k = 4 is called a Steiner q uadruple system S QS ( v ) of o rder v . Specifically , we are interested in Steiner quadru ple system s in this pa per . As a simple exam ple, the vecto r space Z d 2 ( d ≥ 3 ) with the set B of block s taken to b e the set of a ll subsets of four distinct elements o f Z d 2 whose vector sum is zero , is a non-tr i v ial bo olean Steine r qu adruple system SQS (2 d ) . Mor e geometrica lly , these SQS (2 d ) con sist o f the poin ts an d planes of the d -dimen sional binar y affine space AG ( d, 2) . Fig. 1. Illustration of the unique S QS (8) , with three types of blocks: faces, oppos ite edges, and inscribed regu lar tetrahedra. For the existence of t -designs, basic necessary cond itions can be obtain ed v ia elem entary counting arguments (see, fo r instance, [ 10 ]): Lemma 1: Let D = ( X , B ) be a t - ( v , k , λ ) design , and for a po siti ve integer s ≤ t , let S ⊆ X with | S | = s . Then the number of blocks conta ining each eleme nt of S is given by λ s = λ  v − s t − s   k − s t − s  . In particular, for t ≥ 2 , a t - ( v , k , λ ) design is also an s - ( v , k , λ s ) design. It is customary to set r := λ 1 denoting the numb er of blocks containing a given point. I t follows Lemma 2: Let D = ( X , B ) be a t - ( v , k, λ ) d esign. Th en the following holds: (a) b k = v r. (b)  v t  λ = b  k t  . (c) r ( k − 1 ) = λ 2 ( v − 1) for t ≥ 2 . For en cyclopedic acco unts of key results in design theor y , we refer to [ 10 ], [ 11 ]. V arious con nections o f designs with coding an d inf ormation theor y can be f ound in a recent survey [ 12 ] ( with many add itional refe rences there in). I I I . O P T I M A L A U T H E N T I C A T I O N C O D E S For our further purposes, we summarize the state-of-the -art for authen tication co des which b ear no secrecy assumptions. The following theorem (cf. [ 7 ], [ 13 ]) gi ves a combinatorial lower boun d on the num ber of enco ding r ules. Theor em 2: [ Massey–Sch ¨ obi ] If an authenticatio n cod e is ( t − 1) -fold against spoofing, then th e number of e ncoding rules is boun ded below by b ≥  v t   k t  . T ABLE I O P T I M A L AU T H E N T I C A T I O N C O D E S W I T H P E R F E C T S E C R E C Y : I N FIN I T E C L A S S E S t A t S k v b Ref. 1 1 q + 1 q d +1 − 1 q − 1 v ( v − 1) k ( k − 1) [ 6 ] q prime power d ≥ 2 even 1 1 3 v ≡ 1 ( mod 6 ) v ( v − 1) 6 [ 1 ] 1 1 4 v ≡ 1 ( mod 12 ) v ( v − 1) 12 [ 1 ] 1 1 5 v ≡ 1 ( mod 20 ) v ( v − 1) 20 [ 1 ] 2 1 q + 1 q d + 1 v ( v − 1)( v − 2) k ( k − 1)( k − 2) [ 1 ] q prime power d ≥ 2 even 2 1 4 v ≡ 2 , 10 ( mod 24 ) v ( v − 1)( v − 2) 24 [ 1 ] An au thentication code is called optima l if the number of encodin g rules meets the lower bo und with equality . Wh en the source states are k nown to be ind ependen t and eq uiprobab le, optimal authentication cod es which are ( t − 1) -fo ld secure against spoo fing can be co nstructed via t -d esigns (cf. [ 6 ], [ 13 ], [ 14 ]). Theor em 3: [ DeSoete–Sch ¨ ob i–Stinson ] Suppose there is a t - ( v , k , λ ) design . Then there is an au thentication c ode f or k equipro bable source states, having v m essages an d λ ·  v t  /  k t  encodin g rules, that is ( t − 1) -fold secure against sp oofing. Con versely , if ther e is an auth entication co de for k equ iprob- able sourc e states, having v messages and  v t  /  k t  encodin g rules, that is ( t − 1) -fo ld secure against sp oofing, then ther e is a Steiner t - ( v , k , 1) d esign. I V . S T I N S O N ’ S C O N S T RU C T I O N S & R E C E N T R E S U LT S Using the n otation introduc ed in Sectio n II-A , we review in T ables I an d I I previous construction s from [ 6 ], [ 1 ] for equipro bable sou rce prob ability distributions. This lists all presently known op timal authentication codes with perfect secrecy . V . N E W C O N S T RU C T I O N S Starting fr om the condition of perf ect t -fold secre cy , we obtain via Bayes’ Theo rem that p S ( S ∗ | M ∗ ) = p M ( M ∗ | S ∗ ) p S ( S ∗ ) p M ( M ∗ ) = P { e ∈E : S ∗ = f e ( M ∗ ) } p E ( e ) p S ( S ∗ ) P { e ∈E : M ∗ ⊆ M ( e ) } p E ( e ) p S ( f e ( M ∗ )) = p S ( S ∗ ) . It follows Lemma 3: An authentication code has perfect t -fold secrecy if and only if, for every p ositi ve integer t ∗ ≤ t , for every set M ∗ of t ∗ messages obser ved in the chan nel an d for every set S ∗ of t ∗ source states, we have X { e ∈E : S ∗ = f e ( M ∗ ) } p E ( e ) = X { e ∈E : M ∗ ⊆ M ( e ) } p E ( e ) p S ( f e ( M ∗ )) . Hence, if the encod ing rules in a co de are u sed with equal probab ility , then fo r every t ∗ ≤ t , a giv en set of t ∗ messages T ABLE II O P T I M A L AU T H E N T I C A T I O N C O D E S W I T H P E R F E C T S E C R E C Y : F U RT H E R E X A M P L E S t A t S k v b Ref. 2 1 5 26 260 [ 1 ] 5 11 66 [ 1 ] 7 23 253 [ 1 ] 5 23 1.771 [ 1 ] 5 47 35.673 [ 1 ] 3 1 5 83 367.524 [ 1 ] 5 71 194.327 [ 1 ] 5 107 1.032.122 [ 1 ] 5 131 2.343.328 [ 1 ] 5 167 6.251.311 [ 1 ] 5 243 28.344.492 [ 1 ] 6 12 132 [ 1 ] 4 1 6 84 5.145.336 [ 1 ] 6 244 1.152.676 .008 [ 1 ] occurs with the same f requency in each t ∗ columns of the encodin g matrix. W e can now establish an extension of the main theorem in [ 1 ]. Our construction y ields optimal authentication codes which are multi-fold secur e against spoo fing and p rovide perfect multi-fo ld secrecy . Theor em 4: Supp ose there is a Steiner t - ( v , k , 1 ) design, where  v t ∗  divides the numb er of blocks b f or every p ositi ve integer t ∗ ≤ t − 1 . Then there is an optimal authentication code f or k equ iprobab le source states, having v messages and  v t  /  k t  encodin g ru les, that is ( t − 1 )-fold secu re again st spoofing and simu ltaneously p rovides perfect ( t − 1) -fold se- crecy . Pr oof: Let D = ( X , B ) be a Steiner t - ( v , k , 1) design, where  v t ∗  divides b for every positi ve integer t ∗ ≤ t − 1 . By Theorem 3 , the authentication code has ( t − 1 ) -fold security against spo ofing attacks. Henc e, it rem ains to prove that the code also ac hiev e s perfect ( t − 1) -fold secr ecy under the assumption tha t the enc oding ru les are used with eq ual probab ility . W ith respect to Lemm a 3 , we hav e to show th at, for every t ∗ ≤ t − 1 , a g i ven set of t ∗ messages occu rs with the same f requency in each t ∗ columns of the resulting encodin g matrix. This can be accomp lished by ordering , fo r each t ∗ ≤ t − 1 , every block of D in such a w a y that ev e ry t ∗ -subset of X occurs in each possible ch oice in pr ecisely b/  v t ∗  blocks. Since every t ∗ -subset of X occur s in exactly λ t ∗ =  v − t ∗ t − t ∗  /  k − t ∗ t − t ∗  blocks du e to Lemma 1 , n ecessarily  k t ∗  must di v ide λ t ∗ . By Lem ma 2 (b), this is equiv alen t to saying that  v t ∗  divides b . T o sho w that the condition is also s u fficient, we conside r the bipar tite ( t ∗ -subset, block ) incidence gra ph o f D with vertex set  X t ∗  ∪ B , where ( { x i } t ∗ i =1 , B ) is an edge if and only if x i ∈ B ( 1 ≤ i ≤ t ∗ ) fo r { x i } t ∗ i =1 ∈  X t ∗  and B ∈ B . An orde ring on each block of D can be obtained via an edge-co loring o f this graph using  k t ∗  colors in suc h a way that each vertex B ∈ B is adjacen t to one ed ge of each co lor , and each vertex { x i } t ∗ i =1 ∈  X t ∗  is adjacent to b/  k t ∗  edges of each c olor . Specifically , this can be done by first splitting up each vertex { x i } t ∗ i =1 into b/  k t ∗  copies, ea ch having degree  k t ∗  , and the n b y finding an a ppropr iate edge-c oloring of the resulting  k t ∗  -regular b ipartite graph using  k t ∗  colors. The claim follows now by takin g the ord ered blo cks as enco ding rules, each used with eq ual pro bability . Remark 1: It fo llows from the proof that we may obtain optimal au thentication codes that pr ovide ( t − 1 )-fold secur ity against spoo fing and a t the same time per fect ( t ′ − 1) -fold secrecy f or t ′ ≤ t , when the assum ption of th e ab ove theorem holds with  v t ∗  divides b for every positive integer t ∗ ≤ t ′ − 1 . As a n app lication, we give an infinite class of optimal co des which are two-fold secure against spoofin g and achieve perfect two-fold secrecy . This ap pears to be the first infinite class of authenticatio n and secrecy co des with th ese proper ties. Theor em 5: For all po siti ve integers v ≡ 2 (mod 24 ), there is an optima l authentication code for k = 4 equ iprobab le source states, having v messages, and v ( v − 1)( v − 2) / 24 encodin g rules, that is two-fold secure ag ainst spoofing and provides pe rfect two-fold secrecy . Pr oof: W e will make use of Steiner qua druple system s (cf. Section II-A ). Ha nani [ 15 ] showed th at a necessary and sufficient conditio n for the existence of a SQS ( v ) is that v ≡ 2 or 4 (mo d 6 ) ( v ≥ 4 ) . H ence, the condition v | b is f ulfilled when v ≡ 2 o r 10 (mod 2 4 ) and the con dition  v 2  | b wh en v ≡ 2 (mod 12 ) in vie w L emma 2 (b). Th erefore, if we assume that v ≡ 2 (mod 24 ), then we can apply Theore m 4 t o establish the claim. W e present the smallest example: Example 1: An o ptimal auth entication code for k = 4 equipro bable source states, having v = 2 6 m essages, an d b = 650 encoding rules, that is two-f old secure ag ainst spo of- ing a nd provide s perf ect two-fold secrecy can be constructed from a Steiner q uadrup le system SQS (26 ) . Each en coding rule is used with pr obability 1 / 6 50 . Remark 2: For v = 26 , the first SQS ( v ) was con structed by Fitting [ 16 ], admitting a v - cycle as an auto morph ism ( cyclic SQS ( v ) ). W e g enerally rem ark that the nu mber N ( v ) of non-isom orphic SQS ( v ) is only known for v = 8 , 10 , 14 , 16 with N (8) = N (10) = 1 , N (14) = 4 , and N (16) = 1 , 054 , 163 (cf. [ 17 ]). Lenz [ 18 ] proved tha t for the admissi- ble values of v , th e number N ( v ) grows expo nentially , i.e. lim inf v →∞ log N ( v ) v 3 > 0 . For compr ehensive survey articles on Steiner q uadrup le systems, we refer the reader to [ 19 ], [ 20 ]. For classifications of specific classes of h ighly regular Steiner quadr uple systems and Steiner designs, see, e.g., [ 21 ], [ 22 ]. A C K N O W L E D G M E N T The auth or thanks Doug Stin son for an in teresting conv er sa- tion on this to pic. The autho r gr atefully acknowledges suppo rt of h is work by the Deutsche Forschu ngsgemeinsch aft (DFG) via a Heisen berg grant ( Hu954/4 ) and a Heinz Maier-Leibnitz Prize grant (Hu9 54/5). R E F E R E N C E S [1] M. Huber , “ Authent ication and s ecrec y codes for equiprobable source probabil ity distrib utions”, in Pro c. IEEE Internat ional Sympo sium on Informatio n Theory (ISIT) 2009 , pp. 1105–1109, 2009. [2] E. N. Gilbert, F . J. MacW illiams and N. J. A. Sloane, “Codes which detec t dec eption”, Bell Syst. T ech. J . , vol. 53, pp. 405–424, 1974. [3] G. J. Simmons, “ Authentic ation theo ry/codi ng theory”, in Advances in Cryptolo gy – CRYPTO ’84 , ed. by G. R. Blakle y and D. Chaum, Lecture Notes in Computer Science, vol. 196, Springer , Berlin, Heidelber g, New Y ork, pp. 411–432 , 1985. [4] G. J. Simmons, “ A survey of informati on authe ntica tion”, in Contem- porary Cryptol ogy: The Scienc e of Information Inte grity , ed. by G. J. Simmons, IEEE Press, Piscata way , pp. 379–419, 1992. [5] C. E. Shannon, “Communicati on theory of secrec y systems”, Bell Syst. T ech. J . , vol. 28, pp. 656–715, 1949. [6] D. R. Stinson, “The combinatorics of authentica tion and secrecy codes”, J . Cryptol ogy , vol. 2, pp. 23–49, 1990. [7] J. L. Massey , “Cryp tography – a selecti ve survey” , in Digital Commu- nicati ons , ed. by E . Bigli eri and G. Prati, North-Holland, Amsterdam, Ne w Y ork, Oxford, pp. 3–21, 1986. [8] D. R. Sti nson, “C ombinator ial chara cterizati ons of authenti cation codes”, Designs, Codes and Crypto graphy , vol . 2, pp. 175–187, 1992. [9] D. R. Stinson and R. S. Rees, “Combinatorial characte rizati ons of authent ication cod es II”, Designs, Codes and Cryptog raphy , vol. 7, pp. 239–259, 1996. [10] Th. Beth, D. Jungnicke l and H. L enz, Design Theory , vol. I and II, Encycl opedia of Math. and Its Applications, vol. 69/78 , Cambridge Uni v . Press, Cambridge , 1999. [11] C. J. Col bourn and J. H. Dinitz (eds.), Handbook of Combinato r ial Designs , 2nd ed., CRC Press, Boca Rat on, 2006. [12] M. Huber , “Coding theory and algebraic combinatorics” , in Selec ted T opics in Informatio n and Coding Theory , ed. by I. W oungang et al. , W orld Scienti fic, Singapore, 38 pages, 2010 (in press). Preprint at arXi v:0811.1254v1. [13] P . Sch ¨ obi, “Perfect authentica tion systems for data s ources with arbitrary statisti cs” (presented at EUROCR YPT ’86), unpublishe d. [14] M. De Soete, “Some constructions for authent ication - secrec y codes”, in Advances in Cryptolo gy – EUR OCRYPT ’88 , ed. by Ch. G. G ¨ unther , Lecture Notes in Computer Science, vol. 330, Springer , Berl in, Heide l- berg, New Y ork, pp. 23–49, 1988. [15] H. Hanani, “On quadruple systems”, Canad. J . Math. , vol. 12, pp. 145– 157, 1960. [16] F . Fitting, “Zyklische L ¨ osungen des Steine r’ s chen Problems”, Nieuw . Arc h. W isk. , vol. 11, pp. 140–148, 1915. [17] P . Kaski, P . R. J. ¨ Osterg ˚ ard and O. Pottonen, “The Steiner quadruple systems of order 16 ”, J. Combin. Theory , Series A , vol . 113, pp. 1764– 1770, 2006. [18] H. Lenz, “On the number of Steine r quadruple s ystems”, Mitt. Math. Sem. Giessen , vol. 169, pp. 55–71, 1985. [19] A. Hartman and K. T . Phelps, “Stein er quadruple systems”, in: Contem- porary Design Theory , ed. by J. H. Dinitz and D. R. Stinson, W iley , Ne w Y ork, pp. 205–240, 1992. [20] C. C. Lindner and A. Rosa, “Steiner quadruple systems – A surve y”, Discr ete Math. , v ol. 22, pp. 147–181, 1978. [21] M. Huber , “ Almost simple groups with socle L n ( q ) acting on Steiner quadrupl e systems”, J. Combin. Theory , Series A , 4 pages, 2010 (in press). Preprint at arXi v:0907.1281v1. [22] M. Huber , Flag-transi tive Steiner Designs , Birkh ¨ auser, Base l, Be rlin, Boston, 2009.