Information Theoretic Authentication and Secrecy Codes in the Splitting Model

Notice: This research summary and analysis were automatically generated using AI technology.

In the splitting model, information theoretic authentication codes allow non-deterministic encoding, that is, several messages can be used to communicate a particular plaintext. Certain applications require that the aspect of secrecy should hold simultaneously. Ogata-Kurosawa-Stinson-Saido (2004) have constructed optimal splitting authentication codes achieving perfect secrecy for the special case when the number of keys equals the number of messages. In this paper, we establish a construction method for optimal splitting authentication codes with perfect secrecy in the more general case when the number of keys may differ from the number of messages. To the best of our knowledge, this is the first result of this type.


💡 Research Summary

The paper addresses the problem of constructing information‑theoretic authentication codes that simultaneously provide secrecy, within the so‑called “splitting model”. In this model a single encoding rule (key) may map a given source state (plaintext) to several distinct ciphertexts, i.e., the encoding is non‑deterministic. While this property is useful for resisting insider attacks and for providing robustness against spoofing, achieving perfect secrecy (in the Shannon sense) at the same time has previously been possible only in the special case where the number of keys equals the number of messages. The seminal construction of Ogata, Kurosawa, Stinson and Saido (2004) relied on external difference families (EDFs) and was limited to that balanced situation.

Huber’s contribution is to lift this restriction and to give a general construction that works for arbitrary numbers of keys and messages. The key technical tool is the introduction of cyclic 2‑splitting designs, a combinatorial structure that extends the notion of splitting t‑designs. A t‑(v, b, l=cu, λ) splitting design consists of a point set X of size v (the messages) and a family of b blocks, each block being a disjoint union of u subsets of equal size c (c is the splitting factor). The defining property is that every t‑subset of points is contained in exactly λ blocks, with its t elements occupying distinct sub‑blocks. When λ=1 and t=2, such a design directly yields an optimal c‑splitting authentication code: the number of encoding rules (keys) is |E| = ⌈v²/(c²u²)⌉, which meets the lower bound derived from the spoofing security analysis.

The paper first reviews the information‑theoretic authentication model (Simmons’ game‑theoretic framework) and defines the deception probabilities P_di for i‑order spoofing attacks. General lower bounds on P_di and on the number of encoding rules are given (Theorems 1–3). An authentication code is called t‑fold secure if it attains these bounds for all i ≤ t. Corollaries specialize the bounds to c‑splitting codes, showing that optimality requires |E| = (|M|^t)/(c^t |S|^t) when the source states are equiprobable.

To achieve perfect secrecy, the paper invokes Shannon’s condition p_S(s|m) = p_S(s) for all source states s and messages m. In the splitting context this translates to requiring that each key be used with the same probability and that the mapping from source states to messages be uniformly distributed across the message set. The cyclic nature of the designs guarantees exactly this uniformity: if the design possesses an automorphism of order v (a full cyclic shift), every block appears in a full orbit of length v, and thus each key (row of the encoding matrix) is used equally often. Consequently, when the encoding rules are selected uniformly at random, the resulting authentication code automatically satisfies perfect secrecy.

The central existence result (Theorem 5) states: if there exists a cyclic 2‑(v, b, l=cu, 1) splitting design with no short orbits (which is ensured when v ≡ 1 (mod u(u‑1)c²)), then there exists an optimal c‑splitting authentication code for u equiprobable source states, having v messages and ⌈v²/(c²u²)⌉ encoding rules, that is one‑fold secure against spoofing and simultaneously achieves perfect secrecy. The condition v ≡ 1 (mod u(u‑1)c²) is both necessary and sufficient for the existence of a full‑orbit cyclic design.
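An added worked check, not code from the paper or from this summary: it develops cyclic base blocks into encoding rules, verifies the 2-splitting design property, and tests perfect secrecy and the spoofing success probabilities for v = 9 and v = 17 with c = u = 2 (both satisfy v ≡ 1 mod 8). The base blocks and all function names are assumptions constructed for this example.

```python
from fractions import Fraction
from itertools import combinations

# Constructed base blocks over Z_v (assumption of this example), c = u = 2.
BASE_9 = [[{0, 1}, {2, 4}]]
BASE_17 = [[{0, 1}, {2, 4}], [{0, 1}, {6, 8}]]

def develop(base_blocks, v):
    """Shift every base block through Z_v; each resulting block is one encoding rule."""
    return [[frozenset((x + g) % v for x in sub) for sub in blk]
            for blk in base_blocks for g in range(v)]

def is_splitting_2_design(blocks, v):
    """True iff every pair of points meets in exactly one block, in distinct sub-blocks."""
    count = {pair: 0 for pair in combinations(range(v), 2)}
    for blk in blocks:
        for s1, s2 in combinations(blk, 2):
            if s1 & s2:                      # sub-blocks of a block must be disjoint
                return False
            for x in s1:
                for y in s2:
                    count[(min(x, y), max(x, y))] += 1
    return all(n == 1 for n in count.values())

def has_perfect_secrecy(blocks, v):
    """Uniform keys and splitting: P(m | s) must not depend on the source state s."""
    u = len(blocks[0])
    return all(len({sum(m in blk[s] for blk in blocks) for s in range(u)}) == 1
               for m in range(v))

def deception_probabilities(blocks, v):
    """(P_d0, P_d1) for uniform keys, equiprobable source states, uniform splitting."""
    rules = [{m: s for s, sub in enumerate(blk) for m in sub} for blk in blocks]
    p_d0 = max(Fraction(sum(m in r for r in rules), len(rules)) for m in range(v))
    p_d1 = Fraction(0)
    for m in range(v):
        seen = [r for r in rules if m in r]  # keys consistent with observed m, equally likely
        for m2 in set(range(v)) - {m}:
            # Substitution succeeds if m2 is valid and encodes a different source state.
            wins = sum(m2 in r and r[m2] != r[m] for r in seen)
            p_d1 = max(p_d1, Fraction(wins, len(seen)))
    return p_d0, p_d1

if __name__ == "__main__":
    for v, base in ((9, BASE_9), (17, BASE_17)):
        blocks = develop(base, v)
        print(v, len(blocks), is_splitting_2_design(blocks, v),
              has_perfect_secrecy(blocks, v), deception_probabilities(blocks, v))
```

Each orbit of a base block contributes v encoding rules, so the two parameter sets give 9 and 34 rules respectively.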

Concrete families of such designs are presented. The paper revisits the classic example with v=9, c=2, u=2, yielding a 2‑splitting code with 9 messages, 9 keys, and perfect secrecy. It then constructs a larger example with v=17, c=2, u=2, resulting in 34 keys and still preserving optimality and secrecy. Finally, a parametric infinite family is given: for any integer n≥1 and any splitting factor c, the design 2‑(2c²n+1, (2c²n+1)n, l=2c, 1) exists, providing optimal c‑splitting codes with v=2c²n+1 messages and b=(2c²n+1)n keys. The base blocks are explicitly described, and the construction relies on known results about cyclic splitting designs (referencing recent work

