A Construction of Multisender Authentication Codes with Sequential Model from Symplectic Geometry over Finite Fields

Multisender authentication codes allow a group of senders to construct an authenticated message for a receiver such that the receiver can verify authenticity of the received message. In this paper, we construct multisender authentication codes with sequential model from symplectic geometry over finite fields, and the parameters and the maximum probabilities of deceptions are also calculated.


Introduction
Information security consists of confidentiality and authentication. Confidentiality is to prevent confidential information from being decrypted by an adversary. The purpose of authentication is to ensure that the sender is genuine and to verify the integrity of the information. Digital signatures and authentication codes are two important means of authenticating information and provide good service in networks. In practice, a digital signature is computationally secure, assuming that the computing power of the adversary is limited and that a mathematical problem is intractable and complex. However, authentication codes are generally safe (unconditionally secure) and relatively simple. In the 1940s, C. E. Shannon first put forward the concept of a perfect secrecy authentication system using information theory. In the 1980s, information-theoretic methods were applied to the problem of authentication by G. J. Simmons; authentication codes then became the foundation for constructing unconditionally secure authentication systems. In 1974, Gilbert et al. constructed the first authentication code [1], which is a landmark in the development of authentication theory. During the same period, Simmons independently studied authentication theory and established three-participant and four-participant certification models [2]. The famous mathematician Wan Zhexian constructed an authentication code without arbitration from the subspaces of classical geometry [3]. For the case in which the transmitter and receiver are not honest, Ma et al. constructed a series of authentication codes with arbitration [4][5][6][7][8][9]. Xing et al. constructed authentication codes using algebraic curves and nonlinear functions, respectively [10,11]. Safavi-Naini and Wang gave some results on multireceiver authentication codes [12]. Chen et al. made great contributions on multisender authentication codes from polynomials and matrices [13][14][15][16][17][18][19].
With the rapid development of information science, the traditional one-to-one authentication codes have been unable to meet the requirements of network communication, which makes the study of multiuser authentication codes particularly important. A multiuser authentication code is a generalization of the traditional two-user authentication code. There are two cases: authentication codes with one sender and many receivers, and authentication codes with many senders and one receiver. We call the former multireceiver authentication codes and the latter multisender authentication codes. Safavi-Naini R gave some results on multireceiver authentication codes using the subspaces of classical geometry, while the only known multisender authentication codes are constructed from polynomials and matrices. We present the first construction of a multisender authentication code using the subspaces of classical geometry, specifically symplectic geometry.
The main contribution of our paper is the construction of a multisender authentication code using symplectic geometry. Furthermore, we calculate the corresponding parameters and the maximum probabilities of deceptions.
The paper is organised as follows. Section 2 gives the models of multisender authentication codes. In Section 3, we provide the formulas for the probability of success in attacks by malicious groups of senders. In Section 4, we give some definitions and properties on the geometry of symplectic groups over finite fields. In Section 5, a construction of multisender authentication codes with sequential model from symplectic geometry over finite fields is given; the parameters and the maximum probabilities of deceptions are then calculated. In Section 6, we give a comparison with the other construction of multisender authentication codes [19].

Models of Multisender Authentication Codes
We review the concepts of authentication codes which can be extracted from [20].
Definition 1 (see [20]). A systematic Cartesian authentication code  is a 4-tuple (, , ; ), where  is the set of source states,  is the set of keys,  is the set of authenticators, and  :  ×  →  is the authentication mapping. The message space  =  ×  is the set of all possible messages.
In actual computer network communications, multisender authentication codes include sequential models and simultaneous models. In a sequential model, each sender in turn uses his own encoding rule to encode a source state, and the last sender sends the encoded message to the receiver; the receiver then receives the message and verifies whether it is legal or not. In a simultaneous model, all senders use their own encoding rules to encode a source state simultaneously; the synthesizer then forms an authenticated message and sends it to the receiver; the receiver receives the message and verifies whether it is legal or not.
In the following we give the working principles of the two models of multisender authentication codes and the protocols that the participants should follow.
Definition 2 (see [17]). In the sequential model, there are three participants: a group of senders  = { 1 ,  2 , . . .,   }; a Key Distribution Center (KDC), which distributes keys to the senders and the receiver; a receiver who receives the authenticated message and verifies whether the message is true or not. The code works as follows: each sender and the receiver has their own Cartesian authentication code. It is used to generate part of the message and to verify the authenticity of the received message. The senders' authentication codes are called branch authentication codes, and the receiver's authentication code is called the channel authentication code. Let (  ,   ,   ;   ),  = 1, 2, . . ., , be the th sender's Cartesian authentication codes, and let  −1 ⊂   , 1 ≤  ≤ , (, , ; ) be the receiver's Cartesian authentication code, and let  =  1 ,  =   ,   :  →   be a subkey generation algorithm. For authenticating a message, the senders and the receiver should comply with the following protocol: (1) KDC randomly selects an  ∈  and secretly sends it to the receiver  and sends   =   () to the th sender   ,  = 1, 2, . . ., ; (2) if the senders would like to send a source state  to the receiver ,  (3) when the receiver receives the message  = (,   ), he checks the authenticity by verifying whether   = (, ) or not. If the equality holds, the message is regarded as authentic and is accepted. Otherwise, the message is rejected.
Definition 3 (see [17]). In the simultaneous model of a multisender authentication code, there are four participants: a group of senders  = { 1 ,  2 , . . .,   }; a Key Distribution Center (KDC), which distributes keys to the senders and the receiver; a synthesizer  who only runs the trusted synthesis algorithm; a receiver who receives the authenticated message and verifies whether the message is true or not. The code works as follows: each sender and the receiver has their own Cartesian authentication code. It is used to generate part of the message and to verify the received message. The senders' authentication codes are called branch authentication codes, and the receiver's authentication code is called the channel authentication code. Let (  ,   ,   ;   ),  = 1, 2, . . ., , be the sender's Cartesian authentication codes, let (, , ; ) be the receiver's Cartesian authentication code, let  :  1 ×  2 × ⋅ ⋅ ⋅ ×   →  be the synthesis algorithm, and let   :  →   be a subkey generation algorithm. For authenticating a message, the senders and the receiver should comply with the following protocol: (1) KDC randomly selects an encoding rule  ∈  and secretly sends it to the receiver  and sends   =   () to the th sender   ,  = 1, 2, . . ., ; (2) if the senders would like to send a source state  to the receiver ,   computes   =   (,   ),  = 1, 2, . . ., , and sends   = (,   ) ( = 1, 2, . . ., ) to the synthesizer  through an open channel; (3) the synthesizer  receives the messages   = (,   ),  = 1, 2, . . ., , and calculates  = ( 1 ,  2 , . . .,   ) using the synthesis algorithm ; then sends the message  = (, ) to the receiver ; (4) when the receiver receives the message  = (, ), he checks the authenticity by verifying whether  = (, ) or not. If the equality holds, the message is regarded as authentic and is accepted. Otherwise, the message is rejected.

Probabilities of Deceptions
We assume that the arbitrator (KDC) and the synthesizer (C) are credible; though they know the senders' and receiver's encoding rules, they do not participate in any communication activities. When the transmitter and receiver are in dispute, the arbitrator settles it. At the same time, assume that the system follows Kerckhoffs's principle, under which all information about the system is public except the keys actually in use. Assume that the source state space  and the receiver's decoding rules space   follow a uniform probability distribution; then the probability distribution of the message space  and the tag space  is determined by the probability distribution of  and   . In a multisender authentication system, assume that all the senders cooperate to form a valid message; that is, the senders as a whole and the receiver are reliable. However, there are some malicious senders who together cheat the receiver; that is, part of the senders and the receiver are not credible, and they can carry out impersonation attacks and substitution attacks. (2)

Symplectic Geometry
In this section, we give some definitions and properties on the geometry of symplectic groups over finite fields, which can be extracted from [20]. Let F  be a finite field with  elements,  = 2ν and define the 2ν × 2ν alternate matrix The symplectic group of degree 2ν over F  , denoted by  2ν (F  ), is defined to be the set of matrices with matrix multiplication as its group operation. Let F (2ν)  be the 2ν-dimensional row vector space over F  . 2ν (F  ) has an action on F (2ν)  defined as follows: , (( 1 ,  2 , . . .,  2ν ) , ) → ( 1 ,  2 , . . .,  2ν ) . ( The vector space F (2ν)  together with this action of  2ν (F  ) is called the symplectic space over F  .
Let  be an -dimensional subspace of F (2ν)  . We use the same letter  to denote a matrix representation of ; that is,  is an ×2ν matrix of rank  such that its rows form a basis of . The    is alternate. Assume that it is of rank 2; then  is called a subspace of type (, ). It is known that subspaces of type (, ) exist in F (2ν)  if and only if It is also known that subspaces of the same type form an orbit under  2ν (F  ). Denote by (, ; 2ν) the number of subspaces of type (, ) in F (2ν)  . Denote by  ⊥ the set of vectors which are orthogonal to every vector of ; that is, Obviously,  ⊥ is a (2ν − )-dimensional subspace of F (2ν)  . Readers can refer to [15] for notations and terminology, which are not explained, on symplectic geometry of classical groups over finite fields.
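The following Python code is an added illustration, not part of the original paper: it computes the type (m, s) of a subspace from a basis matrix P, where m is the rank of P and 2s is the rank of the alternate matrix P K P^T, and it computes the dimension of the dual subspace. It assumes a prime field F_p and the standard form K = [[0, I], [-I, 0]] of the alternate matrix; the function names and the sample basis are constructed for this example.

```python
# Added example: type (m, s) of a subspace of the symplectic space F_p^(2v).
# Assumptions: p is prime and K = [[0, I], [-I, 0]] (standard form).

def rank_mod_p(rows, p):
    """Rank over F_p by Gauss-Jordan elimination."""
    m = [[x % p for x in r] for r in rows]
    rank = 0
    for c in range(len(m[0])):
        piv = next((r for r in range(rank, len(m)) if m[r][c]), None)
        if piv is None:
            continue
        m[rank], m[piv] = m[piv], m[rank]
        inv = pow(m[rank][c], -1, p)  # modular inverse (Python 3.8+)
        m[rank] = [x * inv % p for x in m[rank]]
        for r in range(len(m)):
            if r != rank and m[r][c]:
                f = m[r][c]
                m[r] = [(a - f * b) % p for a, b in zip(m[r], m[rank])]
        rank += 1
    return rank

def form(u, w, p):
    """Symplectic form u K w^T for the assumed K."""
    v = len(u) // 2
    return sum(u[i] * w[v + i] - u[v + i] * w[i] for i in range(v)) % p

def subspace_type(P, p):
    """(m, s) with m = rank P and 2s = rank of the alternate matrix P K P^T."""
    m = rank_mod_p(P, p)
    if m != len(P):
        raise ValueError("rows of P must form a basis")
    gram = [[form(u, w, p) for w in P] for u in P]
    return m, rank_mod_p(gram, p) // 2

def dual_dimension(P, p):
    """dim of P^perp, computed as the nullity of the constraints x K y^T = 0."""
    v = len(P[0]) // 2
    constraints = [list(y[v:]) + [-c for c in y[:v]] for y in P]
    return 2 * v - rank_mod_p(constraints, p)

# Constructed sample: standard basis of F_3^4 (v = 2).
e1, e2, f1, f2 = (1, 0, 0, 0), (0, 1, 0, 0), (0, 0, 1, 0), (0, 0, 0, 1)

if __name__ == "__main__":
    for P in ([e1, e2], [e1, f1], [e1, e2, f1]):
        print(P, subspace_type(P, 3), dual_dimension(P, 3))
```

A subspace of type (m, 0) is totally isotropic, and in every case the computed dual dimension equals 2ν − m, as stated above.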

Construction
Let F  be a finite field with  elements. Assume that Define the encoding maps: Define the decoding map:

Journal of Applied Mathematics
This code works as follows.
(1) Key Distribution. First, the KDC makes a list  of senders; assume that  = {1, 2, . . ., }. Then, the KDC randomly chooses a subspace   ∈   and privately sends   to the receiver . Last, the KDC randomly chooses a subspace   ∈   and   ⊂   , then privately sends   to the th sender, 1 ≤  ≤ . ( From the definition of  and   , we can assume that Obviously, we have V ∉  for any V ∈  and V ≠ 0. Therefore, From above,   is a subspace of type (2, ) and  ⊂   ; that is,   ∈   .
If   is another source state contained in   , then  ⊂   ⊂  ⊥ . Therefore,   ⊂   ∩  ⊥ = , while dim   = dim , so   = . That is,  is the unique source state contained in   .
Similarly, we can show that  1 and   (2 ≤  ≤ ) are also Cartesian authentication codes.
From Lemma 4, we know that such a construction of multisender authentication codes is reasonable. Next we compute the parameters of this code.

Lemma 8. (1) The number of decoding rules 𝑒
(2) the number of the tags is Proof. (1) For any   ∈   ,   is a subspace of type (2, ) and  ⊂   . We assume that   has the form If   ⊂   , then we can assume that where  2 ,  5 are arbitrary matrices. Therefore, the number of We know that a tag contains only one source state and the number of decoding rules   contained in   is  2(−) . Therefore, we have Without loss of generality, we can assume that   = { 1 ,  2 , . . .,   },   = { 1 × ⋅ ⋅ ⋅ ×   }, where  < .

Lemma
And from above we know that   ∩    =  0 +   ; then dim For any   ⊂   ∩    , we assume that and   ⊂   , then   has the form So, every row of (0   3 0   6 ) is the linear combination of ( 0  2 0 0 0 0 0  4 ).Therefore, the number of   contained in   ∩    and containing   is  (−)(−) .
Theorem 13. In the constructed multisender authentication codes, the maximum probabilities of success for impersonation attack and substitution attack from   on the receiver  are  (32)

The Advantage of the Constructed Authentication Code
The security of an authentication code can be measured by the maximum probabilities of deceptions. The smaller the probability of a successful attack, the higher the security of the authentication code. Now let us compare the security of our constructed authentication code with the known one [19].
The authentication code constructed in [19] is also a multisender authentication code from symplectic geometry over finite fields, but it is in the simultaneous model. If we choose the parameters ,   , , and ν with 1 <  <   <  < ν,  > (/2), and   −  > ν − , from Table 1 we see that the maximum probabilities of deceptions of our construction are smaller than those of the construction in [19]. Therefore, compared with the construction in [19], our construction is more efficient.
∈ ( is accepted by  |   ) . (1) Substitution Attack.   , after observing a legitimate message, substitutes it with another message   .   is successful if   is accepted by the receiver as authentic. Denote   [] as the maximum probability of success of the substitution attack. It can be expressed as   [] = max   ∈  max ∈ max   ≠ ∈  (  is accepted by  | ,   ) .