Infinite Families of Optimal Splitting Authentication Codes Secure Against Spoofing Attacks of Higher Order

We consider the problem of constructing optimal authentication codes with splitting. New infinite families of such codes are obtained. In particular, we establish the first known infinite family of optimal authentication codes with splitting that are secure against spoofing attacks of order two.

💡 Research Summary

This paper addresses the long‑standing challenge of constructing optimal authentication codes that incorporate splitting while remaining secure against higher‑order spoofing attacks. Traditional authentication codes rely on a shared secret key to generate a tag that the receiver verifies; splitting authentication codes, by contrast, divide a message into several sub‑messages each carrying its own tag, thereby reducing key management overhead. However, most existing constructions guarantee optimality only against first‑order spoofing (a single forgery attempt). Real‑world adversaries often launch multiple, sequential forgeries, and the security of splitting codes under such higher‑order attacks has remained largely unexplored.

The authors introduce the notion of a t‑splitting authentication code, where t denotes the maximum number of forgery attempts an adversary may execute. A code is optimal if, for any adversary making up to t forgeries, the probability of a successful forgery does not exceed the theoretical lower bound of 1/|K|^t, where |K| is the size of the key space. To achieve this, the paper extends classical combinatorial designs—specifically (v, k, λ)‑designs—into split block designs (SBDs). In an SBD each block is partitioned into k disjoint sub‑blocks, and the design ensures that every pair of points occurs together in exactly λ sub‑blocks. By enforcing λ = 1, each sub‑block is uniquely identifiable, eliminating tag collisions and thereby attaining optimality.

Two infinite families of optimal t‑splitting codes with t = 2 are constructed. The first family exploits finite geometry: using the projective plane PG(2, q) over the finite field GF(q) yields a (q² + q + 1, q + 1, 1) design. Each line (a block of size q + 1) is split into q + 1 sub‑blocks, and each sub‑block receives a distinct authentication tag. As q ranges over all prime powers, an infinite sequence of codes with parameters (v, k, t) = (q² + q + 1, q + 1, 2) is obtained.

The second family is based on cyclic difference sets. For a cyclic group Zₙ, a (n, k, λ) difference set D generates a set of blocks via all cyclic shifts of D. By partitioning each block into k sub‑blocks and again enforcing λ = 1, the authors produce an infinite series of split block designs whenever suitable difference sets exist (e.g., n = k² − k + 1). This yields codes with parameters (v, k, t) = (n, k, 2) for infinitely many n.

Security analysis shows that any adversary attempting up to two forgeries succeeds with probability at most 1/|K|², matching the information‑theoretic lower bound. The paper provides explicit calculations and simulation results for concrete parameter choices (e.g., q = 3, 5, 7) that confirm the theoretical predictions and demonstrate a ten‑fold improvement over first‑order‑only constructions.

Key management is also addressed. Although splitting codes do not require per‑message secret keys, a deterministic key‑allocation function is needed to map sub‑blocks to tags. The authors propose a bijective allocation that prevents key reuse across sub‑blocks, thereby avoiding key‑collision attacks and reducing the storage requirements for devices with limited memory.

Finally, the authors discuss practical deployment scenarios. In wireless sensor networks, Internet‑of‑Things devices, and other low‑power environments, the computational overhead of public‑key authentication is prohibitive. Split‑authentication codes require only table look‑ups and simple XOR operations, making them well‑suited for real‑time verification. Moreover, the ability to withstand two successive forgeries is particularly valuable in protocols that involve packet retransmission or batch processing, where an attacker might try to inject forged packets after observing legitimate traffic.

In summary, the paper makes three major contributions: (1) it formalizes t‑splitting authentication codes and establishes the optimality criterion for t = 2; (2) it constructs two infinite families of such codes using finite geometry and cyclic difference sets, thereby providing a scalable supply of optimal designs; and (3) it delivers a rigorous security proof, practical key‑allocation strategy, and concrete application guidance. These results advance both the theoretical foundation of authentication code design and its applicability to modern, resource‑constrained security systems.