Broadcast anti-jamming systems


Computer Networks 35 (2001) 223–236

www.elsevier.com/locate/comnet

Yvo Desmedt a,*, Rei Safavi-Naini b, Huaxiong Wang b, Lynn Batten c, Chris Charnes d, Josef Pieprzyk b

a Department of Computer Science, Florida State University, 206 Love Building, Tallahassee, FL 32306, USA
b School of IT and CS, University of Wollongong, Wollongong, NSW 2522, Australia
c School of Computing and Mathematics, Deakin University, Clayton, Victoria 3168, Australia
d Department of Computer Science and Software Engineering, University of Melbourne, Carlton, Victoria 3053, Australia

Received 3 March 2000; accepted 4 April 2000
Corresponding Editor: J.B. Thompson

Abstract

In a traditional anti-jamming system a transmitter who wants to send a signal to a single receiver spreads the signal power over a wide frequency spectrum with the aim of stopping a jammer from blocking the transmission. In this paper, we consider the case that there are multiple receivers and the transmitter wants to broadcast a message to all receivers such that colluding groups of receivers cannot jam the reception of any other receiver. We propose efficient coding methods that achieve this goal and link this problem to well-known problems in combinatorics. We also link a generalisation of this problem to the Key Distribution Pattern problem studied in combinatorial cryptography. © 2001 Elsevier Science B.V. All rights reserved.

Keywords: Anti-jamming; Cover-free family; Perfect hash family; Key distribution pattern

* Corresponding author. Tel.: +1-850-644-92-98. E-mail addresses: [email protected] (Y. Desmedt), rei@uow.edu.au (R. Safavi-Naini), [email protected] (H. Wang), [email protected] (L. Batten), charnes@cs.mu.oz.au (C. Charnes), [email protected] (J. Pieprzyk).

1389-1286/01/$ - see front matter © 2001 Elsevier Science B.V. All rights reserved. PII: S1389-1286(00)00169-9

1. Introduction

Security and reliability are two required properties of today's data networks. While reliability is concerned with accidental faults, security deals with malicious ones. System availability is an important consideration from both perspectives. The possibility of a malicious shut down of communications is a major concern, as expressed by the US President's Commission on Critical Infrastructure Protection [24].

Traditional anti-jamming systems [28] use spread spectrum techniques to increase availability. In these systems a transmitter wants to broadcast a signal to a single receiver such that the enemy cannot jam the transmission. In the classical communication scenario, a message modulates a carrier frequency $f$ which is known to the transmitter and receiver and so the receiver can receive the message. However if $f$ is publicly known, an outsider can send a strong noise signal on the same frequency and hence completely jam the reception. To protect against jamming, the transmitter and the receiver can keep their shared frequency secret and use new frequencies after every $v$ seconds, where $v$ is the minimum time required for the enemy to find $f$. Pseudorandom generators [21] are often used to decide the new frequency. This is the so-called frequency-hopping spread spectrum system.

Spread-spectrum systems have been recently used for Wireless LAN, or WLAN [8,26]. A WLAN is a flexible data communication system that provides an attractive alternative for wired LAN within a building or where wire cannot go. A PC with a wireless adapter can connect to a wired LAN equipped with a transmitter/receiver device, called an access point, or can have a peer-to-peer connection with a set of PCs with wireless adapters.

Traditional spread spectrum systems are for providing security and reliability between the two ends of a single communication channel. Using spread spectrum in group communication requires a careful adaptation of the traditional model. In particular, if a group member wants to broadcast a message to the rest of the group, one possible solution is to give the transmitter's frequency list and frequency update table to all the receivers. This would allow the receivers to synchronise their receiving equipment and follow the transmitter's frequency 'hopping'. However, the system would be completely vulnerable to jamming by a receiver simply because receivers know the secret frequencies and can use this knowledge to jam the transmitter. That is, when more than one receiver is considered, the attack is not limited to the outsiders who do not know the frequencies but also could be launched by insiders with some privileged information. In other words, using the above simplistic approach means that the system only works if receivers are assumed trusted. This is not a reasonable assumption in an open environment. In this paper we propose a coding method that provides protection against malicious insiders.
We assume each receiver has some unique secret information, and may collude with other receivers to jam the reception of one or more other receivers. Note that in this attack model colluders are successful if they can jam another receiver whose allocated frequencies occupy part of the transmitter's frequency set. This is a much stronger attack compared to the traditional model where the transmitter is fully jammed.

Anti-jamming techniques are traditionally studied by electrical engineers using communication technology concepts. In efficiency analysis and constructions of our proposed coding scheme we will show direct application to, and the importance of, areas of discrete mathematics such as polynomials over finite fields and combinatorics, thus bringing research into anti-jamming techniques closer to the main stream research in communication security.

Anti-jamming techniques are mainly used in
· Military communication, where a (single) transmitter and a (single) receiver are concerned about an outsider who tries to disrupt or shut down the communication.
· Mobile communication, where a larger total bandwidth of spread spectrum communication is used to allow multiple transmitters and receivers.

In the former case, even if multiple transmitters or multiple receivers are allowed, the insiders are not usually viewed as malicious. This is not a reasonable assumption in a non-military environment and applications such as WLAN where communicating parties do not necessarily trust each other. We consider the following two scenarios:
· Broadcast: there is a single transmitter and multiple receivers, and
· Multi-broadcast: there are multiple transmitters and multiple receivers.

To allow uninterrupted communication between any two users, such as is in a multi-broadcast scenario, one approach is to assign a different frequency to each transmitter–receiver pair and use a frequency hopping strategy to change the frequency with time. This means that the system not only provides protection against jamming but also provides confidentiality because no transmitter–receiver pair knows the frequency allocated to any of the other pairs and so their communication cannot be eavesdropped by others. However, the drawback of the system is that for $\ell$ participants, on the order of $\ell^2$ frequencies are required.
An important question is, whether we can have a more efficient anti-jamming system if we only require protection against jamming.

In our proposed model, the transmitter sends the same signal on a number of frequencies such that each receiver only knows a subset of these frequencies. This means that two receivers might have common frequencies and so there is no confidentiality. Moreover, the common frequencies allow malicious receivers to collude and jam the reception of another receiver and so we must rely on frequency allocation to prevent jamming.

Another important consideration in the design of the frequency allocation table is the efficiency. As we noted before, in our proposed scheme the transmitter broadcasts simultaneously on many frequencies and each receiver listens to a subset of frequencies at a given time. Thus sending, or receiving, the same signal on multiple frequencies adds to the cost of transmission and reception and must be minimised. In general, one might use a weighted sum of the number of frequencies used by the transmitter and receiver as a measure of the cost of the system where weights reflect the difference between costs of channels in transmitting and receiving and receivers. In a multi-transmitter scenario, users can interact and a receiver can become the transmitter of the next message. In this case, efficiency can be related to the average number of frequencies given to each participant. In any event, we make the assumption throughout this paper that the efficiency of the system can be expressed in terms of the parameters of the frequency allocation table. This is the motivation for this paper.

We allow any of up to $t - 1$ insiders (receivers in the first scenario and transmitters or receivers in the second one), to collude to prevent a receiver from listening to the transmitter. We call such insiders simply jammers. That is, we do not consider jamming by outsiders who are in a much weaker position compared to the insider jammers.

The paper is organised as follows. In Section 2, we discuss the model for the case we have a single transmitter.
By linking this problem with cover-free families, a problem studied by Erdős et al. [15,16], we immediately have bounds which we discuss in Section 3. In Sections 4 and 5 we give some constructions and in Section 5 we establish an equivalence between anti-jamming systems and perfect hash families. In Section 6 we extend our results to the case of multiple transmitters and prove that anti-jamming systems with multiple transmitters are equivalent to the Key Distribution Patterns (KDP) introduced in [22].

2. The model

For simplicity, we start with the single transmitter case. Each receiver $R_i$ is given a set of secret frequencies. When the number of different frequencies the transmitter wants to use is less than the number of receivers, some frequencies will have to be shared. Therefore, some frequencies will be assigned to at least two receivers. While the actual frequencies must remain secret, we allow anyone to know with whom they share some of their frequencies. So to each secret frequency we assign a public "channel", and we can view the channel as an index to the frequency. From now on, we ignore the detail of the secret frequency and will mainly talk about the public channels. We also ignore the fact that these frequencies may be updated using pseudo-noise generators.

A transmitter $T$ will secretly choose $m$ frequencies out of a total of $M$ frequencies and will send the message simultaneously over these $m$ frequencies. Knowing the frequency of a channel, a receiver may use it either to receive the messages sent by $T$, or else to send noise on that frequency with the purpose of jamming the reception of other receivers who are listening to the same channel.

$T$ uses a public channel allocation table. For simplicity, we number the channels from 1 to $m$. Each receiver is assigned a collection of channels or in other words, a subset of $\{1, \ldots, m\}$. This allocation is public and is displayed in the table. Any receiver is also given secret information which specifies the correspondence between the allocated channels and the actual frequency, i.e., if a receiver is assigned the channels $i_1, \ldots, i_k$, it will receive the associated frequencies $f_{i_1}, \ldots, f_{i_k}$.

We assume that there are $\ell$ receivers, $R_1, \ldots, R_\ell$, a group of up to $t - 1$ receivers might collude against a receiver $R_i$.
In this case they can send noise on all their allocated channels (frequencies).


If $R_i$'s allocated frequencies are all among the frequencies of the colluders, then it cannot receive any message and its reception will be jammed. We assume the channels are authenticated, i.e., the transmitter can be uniquely determined. This means that if a receiver is left with even one unjammed channel, it is able to receive messages sent by the transmitter.

A trivial frequency allocation strategy assigns a unique channel to each receiver. In this case we need $\ell$ channels for $\ell$ receivers. Such a channel allocation is overly generous but ensures that collaboration of all other receivers cannot jam a receiver. The question is, whether the system can be designed more efficiently? In the following, we will give an affirmative answer to this question.

We evidently require that a single receiver is always left with at least one single free channel provided that the group of colluding jammers consists of $t - 1$ or fewer members. We study a variety of such anti-jamming systems. Three main parameters characterise an anti-jamming system:
· $m$, the number of channels used in the system,
· $\ell$, the number of receivers in the system,
· $t$, one trusts that $t$ receivers are not going to jam other receivers or in other words, a collaborating group of jammers may include at most $(t - 1)$ members.

Clearly, we need only consider systems with at least one channel and one receiver. In addition if $t = 1$, then no members are attempting to jam. So for practical purposes we may assume $t \geq 2$. Furthermore, any receiver not assigned channels or any channel not assigned to any receiver may be ignored. Hence, we will always suppose that each channel is used and each receiver is allocated at least a channel.

Formally, an $(m, \ell, t)$ anti-jamming system ($(m, \ell, t)$-AJS, or AJS if parameters are known, for short) is a pair $(X, \mathcal{B})$ such that the following properties are satisfied, for $m, \ell, t$ positive integers, $t \geq 2$:
1. $X = \{x_1, x_2, \ldots, x_m\}$ is a set of points;
2. $\mathcal{B} = \{B_1, B_2, \ldots, B_\ell\}$ is a set of subsets of $X$ called blocks ($B_i \subseteq X$);
3. for any $F = \{i_1, i_2, \ldots, i_{t-1}\} \subseteq \{1, 2, \ldots, \ell\}$ and any $j \notin F$, $B_j \not\subseteq \bigcup_{k \in F} B_k$.

With this definition an $(m, \ell, t)$-AJS is equivalent to a previously defined set family, called a cover-free family [15]. It is also easy to see that if $(X, \mathcal{B})$ is an $(m, \ell, t)$-AJS, it is also an $(m, \ell', t')$-AJS for all $2 \leq t' \leq t$ and for all $\ell' \leq \ell$. For given $m$ and $\ell$, we use $t_{\max}$ to denote the largest value of $t$ such that $(m, \ell, t)$-AJS exist.

In any practical application, an AJS will be viewed as being inefficient if more frequencies than receivers are used. Thus we limit ourselves to the situation $m \leq \ell$. When $m = \ell$, the trivial AJS, defined as an AJS in which all elements of $\mathcal{B}$ are singletons, provides the most efficient system. However, since the work on bounds in Section 3 easily includes the case $m = \ell$, we retain it.

3. Bounds on performance of AJS

The efficiency of anti-jamming systems can be measured in several ways. In general, if two of the three parameters are fixed, we wish to optimise the third. This results in the following three questions, each of which we examine in turn.

Q1 Given $\ell$ receivers and at most $t - 1$ colluders, what is the minimum number of channels required by the transmitter?
Q2 Given $m$ channels and at most $t - 1$ colluders, what is the maximum number of receivers?
Q3 Given $\ell$ receivers and $m$ channels, what is the maximum number of colluders that a system can tolerate? (Equivalently, what is the minimum level of trust within the system?)

In all of the above, it is not difficult to get an upper or lower bound for one parameter in terms of the other two. To see this, we use the fact that an $(m, \ell, 2)$-AJS is a Sperner family [12], i.e., there do not exist two blocks such that one is contained in the other. It is well-known that there exists a Sperner family consisting of $\ell$ subsets of an $m$-set if and only if $\ell \leq \binom{m}{\lfloor m/2 \rfloor}$. Furthermore, the case of equality is achieved precisely by taking all $\lfloor m/2 \rfloor$-subsets. We can now prove the following lemma which will enable us to produce partial answers to all three of the above questions.

Lemma 3.1. In an $(m, \ell, t)$-AJS, we have

$$\binom{\ell}{t-1} \leq \binom{m}{\lfloor m/2 \rfloor}.$$

Proof. Let $(X, \mathcal{B})$ be an $(m, \ell, t)$-AJS. Set

$$\mathcal{C} = \left\{ \bigcup_{k=1}^{t-1} B_{i_k} \;\middle|\; \{i_1, i_2, \ldots, i_{t-1}\} \text{ runs through all subsets of } \{1, 2, \ldots, \ell\} \right\}.$$

If there exists $\{i_1, i_2, \ldots, i_{t-1}\} \neq \{j_1, j_2, \ldots, j_{t-1}\}$, then $j_s \notin \{i_1, i_2, \ldots, i_{t-1}\}$. It follows that $\bigcup_{k=1}^{t-1} B_{i_k}$ does not contain $B_{j_s}$. Therefore, $\bigcup_{k=1}^{t-1} B_{i_k} \neq \bigcup_{k=1}^{t-1} B_{j_k}$, and so $|\mathcal{C}| = \binom{\ell}{t-1}$. By a similar argument, we have that all such unions are incomparable under inclusion. Thus $(X, \mathcal{C})$ is a Sperner family, and so $\binom{\ell}{t-1} \leq \binom{m}{\lfloor m/2 \rfloor}$. □

Corollary 3.1. In any $(m, \ell, t)$-AJS, we have $m \geq (t-1) \log_2 \frac{\ell}{t-1}$, or equivalently, $\ell \leq (t-1)\, 2^{m/(t-1)}$.

Proof. These follow from

$$\left( \frac{\ell}{t-1} \right)^{t-1} \leq \binom{\ell}{t-1} \leq \binom{m}{\lfloor m/2 \rfloor} \leq 2^m.$$ □

The above corollary answers in part, Q1 and Q2 above. Erdős et al. [15] proved a stronger bound: $\ell \leq e^{(1+O(1))m/(t-1)}$. Probabilistic 'constructions' of systems satisfying this bound were produced by Dyer et al. [14], but explicit constructions are known to be hard. In Section 4, we present some asymptotically good constructions. We are left with Q3 on which we concentrate for the remainder of this section.

Fujii et al. [18] studied AJS in the context of broadcast authentication. Under the assumption that all receivers are allocated the same number of channels, say $c$, they prove that $m < \ell$ implies $t \leq c$. The following related result is easy to see.

Lemma 3.2. Let $B$ be a block of an AJS such that each of its points is on a second block. Then $t \leq |B|$.

Proof. Clearly, $B$ is in the union of $|B|$ other blocks in this situation. The result follows from the definition of $t$. □

In order to find an upper bound on $t$ in the most general situation, the next lemma is extremely useful. It gives a characterisation of an AJS in terms of properties of its incidence matrix.

Theorem 3.1. A necessary and sufficient condition for an $\ell \times m$ binary matrix to be an AJS with parameters $(m, \ell, t)$ is that for every collection of $t$ rows there exists a collection of $t$ columns such that the restriction of the array to the $t$ rows and $t$ columns is a permutation matrix.

Proof. Without loss of generality, consider the collusion of $t$ rows denoted by $R = \{r_1, \ldots, r_t\}$. Let $C = \{c_{i_1}, \ldots, c_{i_t}\}$ denote the collection of columns such that restriction of the array to $R \times C$ is a permutation matrix. This means that for each row (receiver) in $R$ there is a channel (column) that is not shared by any other receiver and so cannot be jammed. To prove necessity let $R$ be defined as above. Let $C = \{c_{i_1}, \ldots, c_{i_s}\}$ denote the collection of columns in which at least one of the rows $r_1, r_2, \ldots, r_t$ has a one. Then, there is at least one column $c_{u_1}$, where $r_1$ has a one and all other $r_i$, $i = 2, \ldots, t$, have zeros. Otherwise $r_1$ can be jammed by a collaboration of the others. That is the restriction of the array to rows $\{r_1, \ldots, r_t\}$ and column $c_{u_1}$ is a column of weight 1. Repeating the same argument for the other $t - 1$ rows gives columns $c_{u_2}, \ldots, c_{u_t}$, each with weight one and hence the restriction of the array to rows $r_1$ to $r_t$ and columns $c_{u_2}, \ldots, c_{u_t}$ is a permutation matrix. □

Before applying the above theorem, we also need the following lemma.

Lemma 3.3. In an $(m, \ell, t)$-AJS $S$ with $m \leq \ell$, we have $t_{\max} \leq \lfloor m/2 \rfloor$ unless $m = \ell$.

Proof. Suppose $t \geq \lfloor m/2 \rfloor + 1$. Then $S$ is an $(m, \ell, \lfloor m/2 \rfloor + 1)$-AJS. By Lemma 3.1,

$$\binom{\ell}{\lfloor m/2 \rfloor} \leq \binom{m}{\lfloor m/2 \rfloor},$$

from which it follows that $\ell \leq m$. Thus $t_{\max} \geq \lfloor m/2 \rfloor + 1$ only if $m = \ell$. □

With much more difficulty we can improve this bound, as we demonstrate below. The next lemma gains us information in the case $t \geq \lfloor m/2 \rfloor$.

Lemma 3.4. Let $S$ be a non-trivial AJS, $m \leq \ell$ and $t \geq \lfloor m/2 \rfloor$, $t \geq 4$ for $m$ odd, $t \geq 3$ for $m$ even. Then $t_{\max} = \lfloor m/2 \rfloor$. Moreover,
(a) if $m$ is even, then $|B| \leq \lfloor m/2 \rfloor$ for all blocks $B$;
(b) if $m$ is odd, then $|B| \leq \lfloor m/2 \rfloor + 1$ for all blocks $B$;
(c) if each point is on at least two blocks and when $t \geq 5$ for $m$ odd ($t \geq 3$ for $m$ even), then $|B| = \lfloor m/2 \rfloor$ for all blocks $B$.

Proof. Suppose $m$ is even and let $B$ satisfy $|B| \geq m/2 + 1$. By Theorem 3.1, all blocks have $\leq m/2 + 1$ points, and so $|B| = m/2 + 1$, whence $t = m/2$. Let $B'$ be any second block. Choosing $t$ blocks including $B$ and $B'$ and using Theorem 3.1 again, it follows that $B'$ must have exactly one 1 in the $m/2 - 1$ columns which contain 0's corresponding to $B$ in the adjacency matrix. This must be true for each such $B'$. Since $\ell > t$, we conclude that among the above set of $m/2 - 1$ columns, there is at least one with two 1's. Let $B_i$ and $B_j$ be blocks corresponding to these two 1's. Choose a set of $t$ ($\geq 3$) rows including $B$, $B_i$ and $B_j$. Then Theorem 3.1 yields a contradiction.

Suppose $m$ is odd and let $B$ satisfy $|B| \geq \lfloor m/2 \rfloor + 2$. Theorem 3.1 implies $|B| = \lfloor m/2 \rfloor + 2$, and so $t = \lfloor m/2 \rfloor$. The same argument now as in the even case yields a set of $\lfloor m/2 \rfloor - 1$ columns in which case $B' \neq B$ has precisely one 1 in the corresponding row. As above, this leads to a contradiction.

For part (c), if $m$ is even, Lemma 3.2 and part (a) give $\lfloor m/2 \rfloor = t \leq |B| \leq \lfloor m/2 \rfloor$ for all blocks $B$. If $m$ is odd, Lemma 3.2 and part (b) give $\lfloor m/2 \rfloor = t \leq |B| \leq \lfloor m/2 \rfloor + 1$.

The argument now is similar to that of parts (a) and (b). In the adjacency matrix, the row corresponding to $B$ has $t$ 0's. Take two of the columns corresponding to 0's of $B$. Since each point is on two blocks, each of these columns contains at least two 1's. At most four rows pick up two 1's from each column. Applying Theorem 3.1 to $t$ rows including these rows along with $B$ yields a contradiction. □

Example 3.1. It is possible for an AJS to have all blocks of size $\lfloor m/2 \rfloor$ while $t < \lfloor m/2 \rfloor$. For instance, consider the Witt design $S(3, 6, 12)$ [3] in which all blocks have six points. Each pair of points is on several blocks while any triple of points is on a unique block. Hence $t_{\max} = 3$ in the system.

We are now in a position to prove that in all but the trivial case, any AJS with $m \leq \ell$ has $t_{\max} < \lfloor m/2 \rfloor$ if $t$ is sufficiently large (here $t \geq 7$ suffices in the odd case, and $t \geq 3$ in the even case). This is the best known general bound to date. It is not known whether this is the best possible bound. In the next lemma, we consider the special case that each point is on at least two blocks, followed by the general result in Theorem 3.2.

Lemma 3.5. Suppose $S$ is a non-trivial AJS with $m \leq \ell$, $t \geq 7$, in which each point is on at least two blocks. Then $t < \lfloor m/2 \rfloor$. ($t \geq 3$ is sufficient for $m$ even.)

Proof. Although the strategy is the same, we treat the cases $m$ odd and $m$ even separately because the application of Theorem 3.1 is slightly different. The idea, in cases, is to show that for any set of $t$ rows, the same set of columns must be deleted to produce the permutation of the identity matrix required by Theorem 3.1. Suppose $t \geq \lfloor m/2 \rfloor$. Then by Lemma 3.4, each block has precisely $\lfloor m/2 \rfloor$ points and $t = \lfloor m/2 \rfloor$, if $t \geq 5$, or if $t \geq 3$ when $m$ is even.

Consider $m$ even. Let $B$ and $B'$ be blocks sharing $s$ points, where $B$ has $a \geq 1$ points not on $B'$ and $B'$ has $a' \geq 1$ points not on $B$. Then $s + a = m/2 = s + a'$ implies $a = a'$, while $m/2 - 1 \leq m/2 + a - 2 = s + 2a - 2 \leq m/2$, the last inequality a result of Theorem 3.1. It follows that any two blocks have at least $m/2 - 2$ common points. Let $B$ and $B'$ have $m/2 - 2$ common points with each on two points not on the other. Then $|B \cup B'| = m/2 + 2$. Choose any point not in $B \cup B'$. This must be on (at least) two blocks $B_1$ and $B_2$. Any set of $t$ blocks including $B$, $B'$, $B_1$ and $B_2$ forces the deletion of $(m/2 - 2) + 3$ columns in order to produce a permutation of the identity matrix in the complement. This contradicts Theorem 3.1. Let $B$ and $B'$ have $m/2 - 1$ common points with each one point not on the other, say $p$ and $p'$. By assumption, $p$ is on a second block $B_1$ and $p'$ on a second block $B_2$. Choosing $t$ blocks including $B$, $B'$, $B_1$ and $B_2$ again leads to a contradiction of Theorem 3.1. We consider the cases $m$ even, $t = 2, 3$ in Appendix A.

Consider $m$ odd. Defining $s$, $a$ and $a'$ as in the even case, this time we obtain $1 \leq a \leq 3$. Thus any two blocks have at least $\lfloor m/2 \rfloor - 3$ common points. If $B$ and $B'$ have either $\lfloor m/2 \rfloor - 3$ or $\lfloor m/2 \rfloor - 2$ common points, then each point of $(B \setminus B') \cup (B' \setminus B)$ is on a second block. Thus we can choose a set of $t \geq 7$ blocks, including $B$, $B'$ and some or all of these second blocks, to obtain a contradiction to Theorem 3.1. In case $B$ and $B'$ share $\lfloor m/2 \rfloor - 1$ points, choose, similarly, second blocks on the points of $(B \setminus B') \cup (B' \setminus B)$ and choose two additional blocks on a common point not in $B \cup B'$. Again, selectively choosing $t$ blocks gives a contradiction to Theorem 3.1. □

We are now in a position to tackle the proof of the main result of this section.

Theorem 3.2. Let $S$ be a non-trivial AJS with $m \leq \ell$, $t \geq 3$ for $m$ even, $t \geq 7$ for $m$ odd. Then $t < \lfloor m/2 \rfloor$.

Proof. Because of Lemma 3.5, we need to consider the case of points on unique blocks. We prove, first of all, the following statement: if $S$ has a point on a single block, and if $t \geq \lfloor m/2 \rfloor$, then $\ell \leq m$.

The proof is by induction. If $m$ is even, then $t \leq m$ and $t \geq 3$ implies $m \leq 4$. Consider the case $m = 4$, $t = 3$. We may assume that a partial matrix for $S$ is given by

$$\begin{bmatrix} 1 & & & \\ 0 & 1 & 0 & 0 \\ 0 & 0 & 1 & 0 \\ 0 & 0 & 0 & 1 \end{bmatrix}.$$

If there exists a fifth row, taking each pair of the second, third and fourth rows along with the fifth, contradicts Theorem 3.1. If $m$ is odd, then $t \leq m$ and $t \geq 7$ implies $m \geq 9$. Consider $m = 9$ and $t = 7$. The use of Theorem 3.1 implies that at most two columns have multiple 1's. Since each column has at least one 1, we obtain a $7 \times 7$ identity matrix which can be placed in the top right-hand corner. Now rows 8 and 9 must contain a 1 in the first two columns. (Since $\ell \geq m$, these rows exist.) Judiciously choosing seven rows including $b_8$ and $b_9$ now contradicts Theorem 3.1.

Assume now, that the result holds up to $m - 1$ and consider an $(m, \ell, t)$-AJS $S$ with $p_1, p_2, \ldots, p_k$, $k \geq 1$, the points of a block $B$ which are only on $B$. Delete the points $p_1, \ldots, p_k$ from $S$ along with the block $B$. This results in an $(m - k, \ell - 1, t^*)$-AJS $S^*$ with $t^* \geq t$. If $S^*$ contains a point on a unique block, then, since $t^* \geq t \geq \lfloor m/2 \rfloor \geq \lfloor (m - k)/2 \rfloor$, by induction we have $\ell - 1 \leq m - k \leq m - 1$ and so $\ell \leq m$. If $S^*$ contains no point on a unique block, and if $\ell - 1 \geq m - k$, we can apply Lemma 3.5 to get $t^* < \lfloor (m - k)/2 \rfloor < \lfloor m/2 \rfloor$ and so $t < \lfloor m/2 \rfloor$, contradicting our assumption. Hence we must have $\ell - 1 < m - k \leq m - 1$, whence $\ell < m$.

We are now ready to prove the theorem. If $t \geq \lfloor m/2 \rfloor$, then $m = \ell$, by the previous argument, in case $S$ has a point on a unique block. We prove the following statement by induction: if $S$ has a point on a single block, and if $t \geq \lfloor m/2 \rfloor$, then $S$ is trivial. It is easy to adapt the cases earlier for $m = 4$, $t = 3$ and $m = 7$, $t = 6$ to this situation. Assume that the result holds for $m - 1$ and consider the $(m, m, t)$-AJS $S$ with point $p_1$ on the unique block $B$. Deleting $p_1$ and $B$ from $S$ gives rise to an $(m - 1, m - 1, t^*)$-AJS, $S^*$, $t^* \geq t$. If $S^*$ has a point on a single block, then by induction, $S^*$ is trivial.


But this must be the case by Lemma 3.5. Thus $S$ has an identity matrix except possibly for the row corresponding to $p_1$. However, for $t \geq 2$, we now contradict Theorem 3.1 unless $S$ is trivial. □

4. Constructions for AJSs

In this section we give direct constructions for anti-jamming systems which are based on the following result [13].

Theorem 4.1. Let $X$ be a set of cardinality $m$, and $\mathcal{B} = \{B_1, B_2, \ldots, B_\ell\}$ be a collection of subsets of $X$. If $|B_i| \geq 1 + (t - 1)d$ for all $1 \leq i \leq \ell$ and $|B_i \cap B_j| \leq d$ for all $i \neq j$, then $(X, \mathcal{B})$ is a $(m, \ell, t)$-AJS.

We note that the hypotheses of Theorem 4.1 are sufficient but not necessary for the construction of anti-jamming systems, as the following example shows. Allocate channels such that $B_1 = \{1, 2\}$, $B_2 = \{2, 3\}$, $B_3 = \{4, 5\}$, $B_4 = \{5, 6\}$ to four participants. This system is immune to $t - 1 = 2$ jammers, yet the size of each block is 2, not the expected $\geq 1 + 2$ as assumed by Theorem 4.1. In the following we present two constructions that satisfy Theorem 4.1.

4.1. Steiner system constructions

A Steiner system $S(d, k, v)$ is a family of $k$-subsets (a subset of cardinality $k$) of a $v$-set (a set of cardinality $v$) with the property that any $d$-set lies in a unique member of the family. For a survey of Steiner systems see Chapter I of [10]. An $S(2, 3, v)$ is called a Steiner triple system; the number of blocks is $v(v - 1)/6$. A necessary and sufficient condition for the existence of a $S(2, 3, v)$ is that $v \equiv 1$ or $3 \pmod 6$. By the definition of a $S(d, k, v)$ any two $k$-subsets can intersect in at most $d - 1$ points. So for Steiner triple systems, Theorem 4.1 gives the following.

Theorem 4.2. Every $S(2, 3, v)$ gives a $(v, v(v - 1)/6, 3)$-AJS.

We note that Steiner systems have the following property: a $S(d - 1, k - 1, v - 1)$ system is obtained from a $S(d, k, v)$ by derivation. In this procedure a point $x$ is chosen from the $v$-set; a $S(d - 1, k - 1, v - 1)$ is obtained by taking all the blocks of the $S(d, k, v)$ containing $x$ and deleting $x$ from each such block. This property implies that anti-jamming systems constructed from Steiner systems have a property which is reminiscent of disenrollment in secret sharing schemes; see the discussion in Chapter 41 [11]. If the transmitter $T$ stops broadcasting on a particular channel and continues to transmit on the remaining channels, the anti-jamming system does not need to be reinitialised as this amounts to deriving $S(d, k, v)$ in a point, although the process will have a lower anti-jamming threshold.

4.2. A polynomial construction

Consider a Galois field $GF(q)$, where $q$ is a prime power and $q \geq d + 1$. We define an AJS $(X, \mathcal{B})$ as follows. $X$ consists of pairs of the elements in $GF(q)$, i.e., $X = GF(q) \times GF(q) = \{(x, y) \mid x, y \in GF(q)\}$. To each polynomial $f$ of degree less than or equal to $d$, we associate a block $B_f = \{(x, f(x)) \mid x \in GF(q)\}$, and let

$$\mathcal{B} = \{B_f \mid f \text{ a polynomial of degree at most } d\}.$$

It is easy to see that $|B_f| = q$. Further, $|\mathcal{B}| = q^{d+1}$ since there are $q^{d+1}$ different polynomials with degree at most $d$. Now, if $f \neq g$, then $|B_f \cap B_g| \leq d$ because $h(x) = f(x) - g(x)$ is a polynomial of degree $d$ with at most $d$ different solutions for the equation $h(x) = 0$, or $f(x) - g(x) = 0$. By Theorem 4.1, we know that for all integers $t, d$ which satisfy $q \geq (t - 1)d + 1$, $(X, \mathcal{B})$ is a $(q^2, q^{d+1}, t)$-AJS. In particular, $(X, \mathcal{B})$ is a $(q^2, q^{\lfloor (q-1)/(t-1) \rfloor}, t)$-AJS for all $2 \leq t \leq q - 2$.

Theorem 4.3. For a prime power $q$ there is a $(q^2, q^{\lfloor (q-1)/(t-1) \rfloor}, t)$-AJS for all $2 \leq t \leq q - 2$.

A similar result was found in [16].
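The following Python sketch is an added example, not code from the paper: it checks condition 3 of the $(m, \ell, t)$-AJS definition of Section 2 by brute force, computes the threshold that Theorem 4.1 guarantees from block sizes and pairwise intersections, and builds the polynomial construction of Section 4.2. It assumes $q$ is prime so that $GF(q)$ arithmetic is ordinary arithmetic modulo $q$; all function names are illustrative.

```python
from itertools import combinations, product


def is_ajs(blocks, t):
    """Brute-force check of condition 3 of the (m, l, t)-AJS definition:
    no block may lie inside the union of any t-1 other blocks."""
    blocks = [frozenset(b) for b in blocks]
    for j, target in enumerate(blocks):
        others = blocks[:j] + blocks[j + 1:]
        # Unions only grow, so testing coalitions of the maximum size
        # (t-1, or all other receivers if fewer exist) covers smaller ones.
        size = min(t - 1, len(others))
        for coalition in combinations(others, size):
            if target <= frozenset().union(*coalition):
                return False  # these colluders hold every channel of block j
    return True


def theorem_4_1_threshold(blocks):
    """Largest t for which the hypotheses of Theorem 4.1 hold, i.e.
    |B_i| >= 1 + (t-1)d with d the largest pairwise intersection."""
    blocks = [frozenset(b) for b in blocks]
    smallest = min(len(b) for b in blocks)
    d = max((len(a & b) for a, b in combinations(blocks, 2)), default=0)
    if d == 0:
        # Pairwise disjoint blocks: the hypotheses hold for every t, so the
        # value is capped (a choice of this sketch) at the number of receivers.
        return len(blocks)
    return 1 + (smallest - 1) // d


def polynomial_ajs(q, d):
    """Section 4.2 construction, restricted to prime q (assumption of this
    sketch). Points are pairs (x, y) over GF(q); each polynomial f of degree
    at most d contributes the block {(x, f(x)) : x in GF(q)}."""
    if q < 2 or any(q % p == 0 for p in range(2, int(q ** 0.5) + 1)):
        raise ValueError("only prime q is handled here")
    if q < d + 1:
        raise ValueError("the construction requires q >= d + 1")
    blocks = []
    for coeffs in product(range(q), repeat=d + 1):  # q^(d+1) polynomials
        graph = frozenset(
            (x, sum(c * pow(x, i, q) for i, c in enumerate(coeffs)) % q)
            for x in range(q)
        )
        blocks.append(graph)
    return blocks


# The four-receiver allocation quoted after Theorem 4.1.
PAPER_EXAMPLE = [{1, 2}, {2, 3}, {4, 5}, {5, 6}]

if __name__ == "__main__":
    print("paper example is an AJS for t=3:", is_ajs(PAPER_EXAMPLE, 3))
    print("Theorem 4.1 only guarantees t =", theorem_4_1_threshold(PAPER_EXAMPLE))
    lines = polynomial_ajs(5, 1)  # 25 channels, 25 receivers
    print("q=5, d=1:", len(lines), "blocks, guaranteed t =",
          theorem_4_1_threshold(lines))
    print("resists 4 colluders:", is_ajs(lines, 5))
    print("resists 5 colluders:", is_ajs(lines, 6))
```

For $q = 5$, $d = 1$ the check confirms resistance to 4 colluders and finds that 5 colluders can cover a receiver's channels, so the condition $q \geq (t - 1)d + 1$ is tight for that instance.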


5. AJS and perfect hash families

Perfect hash families (PHF) arose as part of the study of compiler design. See [20] for a summary of the early results in this area. PHF have applications in numerous areas of computer science, including operating systems, language translation systems, information retrieval systems. See [9] for a survey of recent results. They have also been used in cryptographic applications such as broadcast encryption [17], secret sharing [21] and threshold cryptography [2,4–6,17].

We show first that AJS and PHF are equivalent in the sense that any AJS can be used to construct a PHF and conversely. Then, in Section 5.2, we present a construction of AJS using a combination of AJS and PHF. This latter idea is particularly useful for large groups of users and results in efficient AJS when broadcasting is aimed at many receivers.

An $(n, m, w)$-perfect hash family is a set of functions $\mathcal{F}$ such that

$$f : \{1, 2, \ldots, n\} \to \{1, 2, \ldots, m\}$$

for each $f \in \mathcal{F}$, and for any $X \subseteq \{1, 2, \ldots, n\}$ such that $|X| = w$, there exists at least one function in $\mathcal{F}$ which is injective (one-to-one) on $X$. We use the notation PHF$(N; n, m, w)$ for an $(n, m, w)$-perfect hash family with $|\mathcal{F}| = N$.

Let $N(n, m, w)$ denote the minimum $N$ for which an $(n, m, w)$-perfect hash family exists. We are interested in determining this value. We are also interested in the behaviour of $N(n, m, w)$ as a function of $n$ when $m$ and $w$ are fixed. From [20], we have the non-constructive result that $N(n, m, w) \geq \Theta(\log n)$ while constructive results achieving this bound are yet to be found. Efforts have been made to give explicit constructions which, while not achieving the above bound, give $N$ as a polynomial function of $\log n$ [1]. In the case of linear PHF with $n = q^d$, a prime power, Blackburn and Wild [6] prove $N \geq d(w - 1)$ and construct, probabilistically, examples with $N = d(t - 1)$.

5.1. The connection between AJS and PHF

Theorem 5.1. A PHF$(N; \ell, u, t)$ gives rise to a $(Nu, \ell, t)$-AJS.


Proof. We show that a PHF can produce an AJS. Consider a PHF$(N; \ell, u, w)$ on a set of $N$ functions $F$, each a map from $L = \{1, 2, \ldots, \ell\}$ to $U = \{1, 2, \ldots, u\}$. We form an $\ell \times Nu$ binary matrix as follows. Label the rows from $L$. The columns are labelled using $F \times U = \{(j, k) \mid j \in F, k \in U\}$. The $(i, (j, k))$ position in the matrix is 1 if $j(i) = k$ and 0 otherwise. Take any $w$ rows. Then there is a function $j$ which is 1–1 on these rows, resulting in a $w \times w$ permutation matrix. By Theorem 3.1 the matrix corresponds to an $(Nu, \ell, w)$-AJS.

Conversely, consider an $(m, \ell, t)$-AJS. Define for every $t$-subset $X$ of $L = \{1, 2, \ldots, \ell\}$, a function $f$ on $X = \{w_1, w_2, \ldots, w_t\}$ such that $f(w_i) = j$ if $w_i$ is 1 in the $j$th column and 0 in that column at all elements of $X \setminus \{w_i\}$. Define $f$ randomly into $\{1, 2, \ldots, m\}$ for all other elements of $L \setminus X$. This yields a family of $\binom{\ell}{t}$ functions forming an $(\ell, m, t)$-PHF. $\square$

As we noted previously, for fixed $u$ and $t$, a PHF$(N; \ell, u, t)$ with $N = O(\log \ell)$ exists and so there exists a $(O(\log \ell), \ell, t)$-AJS. That is,

Corollary 5.1. For fixed $\ell$ and $t$, $(O(\log \ell), \ell, t)$-AJSs exist.

5.2. AJS for large groups

We provide a method of building new AJSs from old ones, using PHF. The construction works as follows. Let $(X_0, \mathcal{B}_0)$ be a $(m_0, \ell_0, t)$-AJS and let $F = \{f_1, \ldots, f_N\}$ be a PHF$(N; \ell, \ell_0, t)$. Consider $N$ copies of $(X_0, \mathcal{B}_0)$, denoted by $(X_1, \mathcal{B}_1), \ldots, (X_N, \mathcal{B}_N)$, with $X_i$ and $X_j$ being disjoint sets, i.e., $X_i \cap X_j = \emptyset$, for all $i \neq j$. For each $1 \leq i \leq N$, let $X_i = \{x_{i1}, \ldots, x_{im_0}\}$ and $\mathcal{B}_i = \{B_{i1}, \ldots, B_{i\ell_0}\}$. Then $(X_i, \mathcal{B}_i)$ is a $(m_0, \ell_0, t)$-AJS. We construct a pair $(X, \mathcal{B})$,

$$X = X_1 \cup \cdots \cup X_N \quad \text{and} \quad \mathcal{B} = \{B_1, \ldots, B_\ell\},$$

where

$$B_i = B_{1 f_1(i)} \cup \cdots \cup B_{N f_N(i)} = \bigcup_{j=1}^{N} B_{j f_j(i)}$$

for $1 \leq i \leq \ell$. That is, an element of $\mathcal{B}$ is a union of elements of $\mathcal{B}_i$, $1 \leq i \leq \ell$, chosen through the application of PHF.

We show that $(X, \mathcal{B})$ is a $(Nm_0, \ell, t)$-AJS. Clearly, $|X| = Nm_0$ and $|\mathcal{B}| = \ell$. Now for any given $t$ blocks $\{B_i, B_{j_1}, \ldots, B_{j_{t-1}}\} \subseteq \mathcal{B}$,
there exists at least one hash function $f_k \in F$ which is one-to-one on $\{i, j_1, \ldots, j_{t-1}\}$. For each $1 \leq j \leq N$, consider the $(X_j, \mathcal{B}_j)$, which may be regarded as a subsystem of $(X, \mathcal{B})$. Since $(X_k, \mathcal{B}_k)$ is a $(m_0, \ell_0, t)$-AJS, we have

$$|B_i \setminus (B_{j_1} \cup \cdots \cup B_{j_{t-1}})| \geq |B_{k f_k(i)} \setminus (B_{k f_k(j_1)} \cup \cdots \cup B_{k f_k(j_{t-1})})| \geq 1,$$

which proves the desired result. We then have the following theorem.

Theorem 5.2. Suppose that there exists a $(m_0, \ell_0, t)$-AJS and a PHF$(N; \ell, \ell_0, t)$. Then there exists an $(Nm_0, \ell, t)$-AJS.

As in Corollary 5.1, we can also conclude from Theorem 5.2 that for given $\ell$ and $t$, $(O(\log \ell), \ell, t)$-AJS exist. However, as noted earlier only existence, and not construction, of PHF with the required parameters is known. Atici et al. in [1] constructed a PHF$(N; n, m, w)$ in which $N$ is $O\big((\log n)^{\log(\binom{w}{2} + 1)}\big)$ and so we have an explicit construction for an $(m, \ell, t)$-AJS where $m$ is a polynomial function of $\log \ell$. In the linear prime power case, Blackburn and Wild [6] produce more efficient AJS.

5.3. An example

We illustrate the efficiency of our above two approaches by looking at an example. Consider the $(m, \ell, t)$-AJS, where $t = 3$. The Erdős et al. [15] non-constructive results show that in any $(m, \ell, 3)$-AJS, $m \geq (3.1) \log \ell$ and $(m, \ell, 3)$ with $m = (5.1) \log \ell$ exists. The Dyer et al. [14] probabilistic construction shows the existence of $(m, \ell, 3)$-AJS with $m = \lceil 13 \log \ell \rceil$.

To show the efficiency of our explicit construction in Section 5.2, we recall a result due to Atici et al. [1] which says that there exists an explicit construction for a PHF$(3 \times 4^j; 5^{2^j}, 3, 3)$, from which it follows that there is a $(m, \ell, 3)$-AJS with $m = 3 \times 3 \times 4^j$ and $\ell = 5^{2^j}$. A straightforward calculation yields that

$$m = 3 \times \frac{3}{(\log 5)^2} (\log \ell)^2 \approx 1.668 (\log \ell)^2.$$
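The constructions of Theorems 5.1 and 5.2 can be checked mechanically on small parameters. The Python below is an added example, not code from the paper; the line-based PHF over $Z_q \times Z_q$, the 0-based indexing of elements and all function names are assumptions made here.

```python
from itertools import combinations, product

def is_ajs(blocks, t):
    """AJS condition from Section 5.2: among any t blocks, each one keeps at
    least one point (channel) outside the union of the other t-1."""
    for group in combinations(range(len(blocks)), t):
        for i in group:
            others = set().union(*(blocks[j] for j in group if j != i))
            if not blocks[i] - others:
                return False
    return True

def is_phf(funcs, n, w):
    """Every w-subset of {0..n-1} is mapped injectively by at least one f."""
    return all(any(len({f[x] for x in X}) == w for f in funcs)
               for X in combinations(range(n), w))

def line_phf(q, N):
    """Assumed PHF, not taken from the paper: elements are the points (a, b) of
    Z_q x Z_q (q prime) and each function names the line of one parallel class
    through the point. Two points share a line in exactly one class, so
    N >= C(w,2)+1 classes give a PHF(N; q*q, q, w)."""
    pts = list(product(range(q), repeat=2))
    classes = [lambda a, b: a]
    classes += [lambda a, b, s=s: (b + s * a) % q for s in range(q)]
    return [[g(a, b) for a, b in pts] for g in classes[:N]]

def ajs_from_phf(funcs, n):
    """Theorem 5.1: receiver i is on channel (j, k) exactly when f_j(i) = k."""
    return [{(j, f[i]) for j, f in enumerate(funcs)} for i in range(n)]

def compose(base, funcs, n):
    """Theorem 5.2: B_i is the union over j of block f_j(i) of the j-th copy
    of the base AJS; tagging points with j keeps the copies disjoint."""
    return [{(j, x) for j, f in enumerate(funcs) for x in base[f[i]]}
            for i in range(n)]

def channels(blocks):
    """Number of points (channels) actually used by a family of blocks."""
    return len(set().union(*blocks))

def demo():
    t = 3
    phf9 = line_phf(3, 4)                  # PHF(4; 9, 3, 3)
    ajs9 = ajs_from_phf(phf9, 9)           # (12, 9, 3)-AJS via Theorem 5.1
    phf49 = line_phf(7, 4)                 # PHF(4; 49, 7, 3)
    ajs49 = compose(ajs9[:7], phf49, 49)   # base: 7 blocks of ajs9
    return {"phf9": is_phf(phf9, 9, t), "ajs9": is_ajs(ajs9, t),
            "m9": channels(ajs9), "phf49": is_phf(phf49, 49, t),
            "ajs49": is_ajs(ajs49, t), "m49": channels(ajs49)}

if __name__ == "__main__":
    print(demo())
```

Using only two parallel classes instead of four makes both checks fail for $t = 3$, which shows the verifier is not vacuous.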

For a second construction, based on Section 5.2, we start with a trivial $(3, 3, 3)$-AJS $(X_0, \mathcal{B}_0)$ with $X_0 = \{x_1, x_2, x_3\}$ and $B_1 = \{x_1\}$, $B_2 = \{x_2\}$, $B_3 = \{x_3\}$, and apply the Atici, Magliveras, Stinson and Wei construction to obtain an $(m, \ell, 3)$-AJS with parameters the same as the first construction.

Compared to the earlier non-constructive results and probabilistic construction, our constructions are explicit and $m$ is not much bigger than theirs. Moreover our examples are very easy to construct.

6. Multi-transmitter schemes

Now consider the case where more than one transmitter exists. We refer to transmitters and receivers as participants and assume there is a trusted authority who allocates channels, using a channel allocation matrix, and secretly gives the frequency attached to the channel to the participant who is allocated the channel. We note that the multi-transmitter case is different from the key distribution problem for dynamic conferences considered in [7]. Indeed in that problem one is interested in confidentiality, while we are not. Our problem is to guarantee availability of the broadcast for the intended recipients.

We assume that each participant can be a transmitter or a receiver on its allocated channels. In general it might be useful to consider the case where only up to a given number of participants are transmitters. However, we only consider the case where every participant can be a transmitter and receiver. For simplicity, we assume that at each instant only one legitimate transmitter exists. That is, although in general colluders may transmit on their frequencies at any time, only one transmitter in the system is legitimate.

As in the single transmitter case, a group of colluding receivers attempts to jam another receiver's reception by sending noise signals over their allocated frequencies. In the multitransmitter case we always have the following trivial solution: each participant shares a unique channel with every other participant. In this case for $\ell$ participants $\ell(\ell - 1)/2$ channels are required.

A pair $(X, \mathcal{B})$ is called an $(m, \ell, t)$ multitransmitter anti-jamming system ($(m, \ell, t)$-MAJS, or
MAJS if parameters are known, for short) if it satisfies the following properties:

1. $X = \{x_1, x_2, \ldots, x_m\}$ is a set of points;
2. $\mathcal{B} = \{B_1, B_2, \ldots, B_\ell\}$ is a family of subsets of $X$ called blocks ($B_i \subseteq X$);
3. For any block $B_i$, $(B_i, \mathcal{A}_i)$ is a $(|B_i|, \ell - 1, t)$-AJS, where $\mathcal{A}_i$ is

$$\mathcal{A}_i = \{B_1 \cap B_i, \ldots, B_{i-1} \cap B_i, B_{i+1} \cap B_i, \ldots, B_\ell \cap B_i\}.$$

We prove that a multitransmitter anti-jamming system is equivalent to a key distribution pattern. Key distribution patterns (KDP) [22] are finite incidence structures that are used to distribute keys between pairs of participants in a network and in the absence of an online key distribution centre. A KDP is used to allocate a collection of subkeys to users in a system, such that any pair of users can compute a common key by finding an appropriate combination of their subkeys.

Definition 6.1. Let $X = \{x_1, \ldots, x_m\}$ be a set and $\mathcal{B} = \{B_1, \ldots, B_\ell\}$ be a family of subsets of $X$. The pair $(X, \mathcal{B})$ is called a $(m, \ell, t)$-key distribution pattern ($(m, \ell, t)$-KDP) if

$$\left| (B_i \cap B_j) \setminus \bigcup_{k=1}^{t-1} B_{s_k} \right| \geq 1,$$

for any $(t + 1)$-subset $\{i, j, s_1, \ldots, s_{t-1}\}$ of $\{1, 2, \ldots, \ell\}$.

Theorem 6.1. A pair $(X, \mathcal{B})$ is an $(m, \ell, t)$-MAJS if and only if it is an $(m, \ell, t)$-KDP.

Proof. Define $P_{ij} = B_i \cap B_j$ for $1 \leq i, j \leq \ell$. Then,

$$\left| (B_i \cap B_j) \setminus \bigcup_{k=1}^{t-1} B_{s_k} \right| \geq 1,$$

if and only if $B_i \cap B_j \not\subseteq \bigcup_{k=1}^{t-1} (B_{s_k} \cap B_j)$, if and only if $P_{ij} \not\subseteq \bigcup_{k=1}^{t-1} P_{s_k j}$. The result follows. $\square$

KDPs have been extensively studied in the literature; see [14,19,22,23,25,27]. Among them we mention that Mitchell and Piper [22] and Gong and Wheeler [19] gave explicit constructions for $(m, \ell, t)$-KDP in which $m$ is $O(\ell)$, as opposed to the trivial construction which requires that $m$ is $O(\ell^2)$.
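Theorem 6.1 can be confirmed by brute force on small systems. The Python below is an added example, not code from the paper: it implements property 3 of the MAJS definition and Definition 6.1 independently, then compares them on the trivial pairwise scheme and on every family of subsets of a small point set. Function names and the 0-based indexing are assumptions made here.

```python
from itertools import combinations, product

def is_ajs(blocks, t):
    """Among any t blocks, none is covered by the union of the other t-1."""
    return all(blocks[i] - set().union(*(blocks[j] for j in g if j != i))
               for g in combinations(range(len(blocks)), t) for i in g)

def is_majs(blocks, t):
    """Property 3 of the MAJS definition: for every transmitter i the traces
    A_i = {B_j & B_i : j != i} form an AJS on the point set B_i."""
    return all(is_ajs([b & blocks[i] for j, b in enumerate(blocks) if j != i], t)
               for i in range(len(blocks)))

def is_kdp(blocks, t):
    """Definition 6.1: for every pair i, j and every t-1 other participants,
    some point of B_i & B_j lies outside all t-1 of their blocks."""
    idx = range(len(blocks))
    for i, j in combinations(idx, 2):
        rest = [s for s in idx if s not in (i, j)]
        for S in combinations(rest, t - 1):
            if not (blocks[i] & blocks[j]) - set().union(*(blocks[s] for s in S)):
                return False
    return True

def pairwise_scheme(l):
    """The trivial solution: one private channel per pair, l(l-1)/2 in total."""
    blocks = [set() for _ in range(l)]
    for pair in combinations(range(l), 2):
        for p in pair:
            blocks[p].add(pair)
    return blocks

def compare_all(m, l, t):
    """Run both definitions on every family of l subsets of an m-point set.
    Returns (do they always agree, number of families that are KDPs)."""
    subsets = [set(c) for r in range(m + 1) for c in combinations(range(m), r)]
    agree, kdps = True, 0
    for fam in product(subsets, repeat=l):
        k = is_kdp(fam, t)
        agree = agree and (k == is_majs(fam, t))
        kdps += k
    return agree, kdps

if __name__ == "__main__":
    print(is_kdp(pairwise_scheme(5), 3), is_majs(pairwise_scheme(5), 3))
    print(is_kdp([{1, 2}, {1, 3}, {1, 4}], 2))   # third party holds channel 1
    print(compare_all(3, 3, 2))
```

The constructed family `[{1, 2}, {1, 3}, {1, 4}]` fails both definitions because the only channel two participants share is also held by the third, who can jam it.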


Dyer et al. [14] further showed the existence of $(m, \ell, t)$-KDP with $m = O(\log \ell)$. However, their scheme is probabilistic; it would be interesting to have an explicit construction that requires only $m = O(\log \ell)$.

7. Conclusions and open problems

Traditional anti-jamming systems guarantee availability of signals from a single transmitter to a single receiver against a jammer. These systems can also be used for broadcasting to a group of receivers, assuming that all the receivers are honest. This is an unreasonable assumption in open environments. We have presented efficient solutions to this broadcast anti-jamming problem and have linked this problem to well-known problems in combinatorics. We have also extended our work to a multi-transmitter scenario.

In all our schemes, we were not interested in privacy and assumed that all the receivers could listen to the communication. A natural extension of our work is to combine our schemes with the key distribution problem for conferences discussed in [7] to achieve confidentiality and protection against jamming at the same time. Also, in our multitransmitter solution all receivers could be transmitters. A useful extension is when a subset of users has transmitting capability and the rest are only receiving the signal. Efficient solutions might be possible in this latter case.

Appendix A

Here we complete the details of Lemma 3.5 in the case $m$ even, for $t = 3$. We also point out that the lemma is false for $t = 2$.

Suppose $m$ is even and $t \leq 3$. Assume $t \geq m/2$. Note that if $t = 2$ we can have the matrix

$$\begin{bmatrix} 1 & 1 & 0 & 0 \\ 1 & 0 & 1 & 0 \\ 0 & 1 & 0 & 1 \\ 0 & 0 & 1 & 1 \end{bmatrix}$$

with $m = 4$, and this contradicts the statement of our Lemma 3.5. However, if $t = 3$, applying Lemma 3.3 gives $m = 6$, and we show that this
cannot happen. Label the points $p_1, p_2, p_3, p_4, p_5, p_6$, without loss of generality, assign $p_1$ to $b_1$ and $b_2$. Choose a 3-set $\{b_1, b_2, b_3\}$ and apply Theorem 3.1 and put $p_2$ on a second block $b_4$, to arrive at the following partial matrix:

$$\begin{bmatrix} 1 & 1 & 0 & 0 \\ 1 & 0 & 1 & 0 \\ & 0 & 0 & 1 \\ & 1 & & \end{bmatrix}.$$

Suppose $p_3$ is on $b_4$. Using the 3-set $\{b_1, b_2, b_4\}$, this forces

$$\begin{bmatrix} 1 & 1 & 0 & 0 & 1 & 0 \\ 1 & 0 & 1 & 0 & 0 & 1 \\ & 0 & 0 & 1 & & \\ & 1 & 1 & 1 & 0 & 0 \end{bmatrix}.$$

Now taking the three set $\{b_2, b_3, b_4\}$ forces 1 in the position $p_3 \times p_5$. Using $\{b_1, b_3, b_4\}$ yields the partial matrix

$$\begin{bmatrix} 1 & 1 & 0 & 0 & 1 & 0 \\ 1 & 0 & 1 & 0 & 0 & 1 \\ & 0 & 0 & 1 & 1 & 1 \\ 0 & 1 & 1 & 1 & 0 & 0 \end{bmatrix}.$$

Now $m \leq \ell$, so there is a fifth block $b_5$, which without loss of generality, we may suppose is on $p_1$. Consider the 3-set $\{b_1, b_3, b_5\}$. This forces a 0 in the $b_5 \times p_2$ position. On the other hand, the 3-set $\{b_2, b_3, b_5\}$ forces a 1 in the same position, contradiction. Therefore the $b_4 \times p_3$ position must contain 0. We backtrack, then, to the partial matrix

$$\begin{bmatrix} 1 & 1 & 0 & 0 & 1 \\ 1 & 0 & 1 & 0 & \\ & 0 & 0 & 1 & \\ & 1 & 0 & & \end{bmatrix}$$

by also using the 3-set $\{b_1, b_2, b_4\}$. Using rows $\{b_1, b_3, b_4\}$ forces

$$\begin{bmatrix} 1 & 1 & 0 & 0 & 1 & 0 \\ 1 & 0 & 1 & 0 & & \\ & 0 & 0 & 1 & 0 & 0 \\ & 1 & 0 & 0 & 0 & 1 \end{bmatrix},$$

and two zeros are inserted in row $b_2$ using $\{b_1, b_2, b_4\}$. Now $p_3$ must be in a new block, $b_5$, say, and we obtain:

$$\begin{bmatrix} 1 & 1 & 0 & 0 & 1 & 0 \\ 1 & 0 & 1 & 0 & 0 & 0 \\ & 0 & 0 & 1 & 0 & 0 \\ & 1 & 0 & 0 & 0 & 1 \\ & & 1 & & & \end{bmatrix}.$$

Consider the 3-set $\{b_1, b_2, b_5\}$; this yields the partial matrix

$$\begin{pmatrix} 1 & 0 & 1 & 0 \\ 0 & 0 & 0 & 0 \end{pmatrix}$$

of which no three columns can be embedded in a $3 \times 3$ identity matrix, which is a contradiction to Theorem 3.1. So for $m$ even, Lemma 3.5 holds for $t \geq 3$.

References

[1] M. Atici, S.S. Magliveras, D.R. Stinson, W.D. Wei, Some recursive constructions for perfect hash families, Journal of Combinatorial Designs 4 (1996) 353–363.
[2] N. Alon, M. Naor, Derandomization witnesses for Boolean matrix multiplication and construction of perfect hash functions, Algorithmica 16 (1996) 434–449.
[3] T. Beth, D. Jungnickel, H. Lenz, Design Theory, Cambridge University Press, Cambridge, 1986.
[4] S.R. Blackburn, Combinatorics and threshold cryptology, in: Combinatorial Designs and their Applications, Chapman and Hall/CRC Research Notes in Mathematics, CRC Press, London, 1999, 49–70.
[5] S.R. Blackburn, M. Burmester, Y. Desmedt, P.R. Wild, Efficient multiplicative sharing schemes, in: Advances in Cryptology – Eurocrypt '96, Lecture Notes in Computer Science, vol. 1070, Springer, Berlin, 1996, pp. 107–118.
[6] S.R. Blackburn, P.R. Wild, Optimal linear perfect hash families, Journal of Combinatorial Theory A 83 (1998) 233–250.
[7] C. Blundo, A. De Santis, A. Herzberg, S. Kutten, U. Vaccaro, M. Yung, Perfectly-secure key distribution for dynamic conferences, in: E.F. Brickell (Ed.), Advances in Cryptology – Crypto '92, Proceedings, Lecture Notes in Computer Science, vol. 740, Springer, Berlin, 1993, pp. 471–486.
[8] B. Bruegge, B. Bennington, Applications of mobile computing and communication, IEEE Personal Communication 3 (1) (1996) 64–71.
[9] Z.J. Czech, G. Havas, B.S. Majewski, Perfect hashing, Theoretical Computer Science 182 (1997) 1–143.
[10] C.J. Colbourn, J.H. Dinitz (Eds.), The CRC Handbook of Combinatorial Designs, CRC Press, New York, 1996.
[11] M.J. Atallah (Ed.), CRC Handbook of Algorithms and Theory of Computation, CRC Press, Boca Raton, 1998.
[12] P.J. Cameron, J.H. Van Lint, Designs Graphs Codes and their Links, Cambridge University Press, Cambridge, 1991.

[13] Y. Desmedt, R. Safavi-Naini, H. Wang, C. Charnes, J. Pieprzyk, Broadcast anti-jamming systems, in: IEEE International Conference in Networking, ICON'99.
[14] M. Dyer, T. Fenner, A. Frieze, A. Thomason, On key storage in secure networks, Journal of Cryptology 8 (1995) 189–200.
[15] P. Erdős, P. Frankl, Z. Füredi, Families of finite sets in which no set is covered by the union of two others, Journal of Combinatorial Theory A 33 (1982) 158–166.
[16] P. Erdős, P. Frankl, Z. Füredi, Families of finite sets in which no set is covered by the union of r others, Israel Journal of Mathematics 51 (1985) 79–89.
[17] A. Fiat, M. Naor, Broadcast encryption, in: Advances in Cryptology – Crypto '93, Lecture Notes in Computer Science, vol. 773, Springer, Berlin, 1994, pp. 480–491.
[18] H. Fujii, W. Kachen, K. Kurosawa, Combinatorial bounds and design of broadcast authentication, IEICE Trans. E -A 79 (4) (1996) 502–506.
[19] L. Gong, D.J. Wheeler, A matrix key-distribution scheme, J. Cryptology 2 (1990) 51–59.
[20] K. Mehlhorn, Data Structures and Algorithms, Vol. 1, Springer, Berlin, 1984.
[21] A. Menezes, P. van Oorschot, S. Vanstone, Applied Cryptography, CRC, Boca Raton, 1996.
[22] C.J. Mitchell, F.C. Piper, Key storage in secure networks, Discrete Applied Mathematics 21 (1988) 215–228.
[23] C.M. O'Keefe, Key distribution patterns using Minkowski planes, Designs, Codes and Cryptography 5 (1995) 261–267.
[24] President's Commission on Critical Infrastructure Protection, 1998, http://www.pccip.gov/.
[25] K.A.S. Quinn, Some constructions for key distribution patterns, Designs Codes and Cryptography 4 (1994) 177–191.
[26] M. Satyanarayanan, Mobile information access, IEEE Personal Communication 3 (1) (1996) 26–33.
[27] D.R. Stinson, On some methods for unconditionally secure key distribution and broadcast encryption, Designs Codes and Cryptography 12 (1997) 215–243.
[28] A.J. Viterbi, CDMA Principles of Spread Spectrum Communications, Addison-Wesley, Reading, MA, 1995.

Yvo Desmedt received his PhD (Summa cum Laude) from the University of Leuven, Belgium (1984) (Electrical Engineering). He is presently a professor at Florida State University (Computer Science), a visiting professor of Information Security at Royal Holloway, University of London (Department of Mathematics), and an adjunct professor in Computer Science at the University of Wisconsin–Milwaukee. His interests include cryptography, network security and computer security (in particular computer viruses, covert channels, key management and computer survivability). He has authored more than 100 papers in international conferences and journals. He has been ranked as the second most productive author in the Eurocrypt/Crypto proceedings between 1981 and 1997. He was the author of the section on Cryptography in the 1999 Wiley Encyclopedia of Electrical and Electronics Engineering. His research on Information Hiding, Tracing and Watermarking is currently funded by the National Science Foundation. He was program chair of Crypto '94, a director of the International Association for Cryptologic Research, and the founding director of the Center for Cryptology, Computer and Network Security at the University of Wisconsin–Milwaukee, and he served on more than 10 program committees of conferences on security. He has given 100 invited lectures at such universities as Cambridge University (UK), ETH (Switzerland), JAIST (Japan), Oxford University (UK), Stanford University (USA), etc., and such institutes as: AT&T Shannon Research Labs (USA), Hewlett Packard (UK), IBM Watson Research Laboratories (USA), Nippon Telegraph and Telephone Corp. (Japan), the National Institute of Standards and Technology (USA), etc. He has held visiting positions at the Australian Defence Force Academy, the University de Montreal (Canada), the University of Karlsruhe (Germany), Technion (Israel), the University of New Mexico (USA), etc. He was an invited speaker at the 1999 NATO workshop on Protecting Information Systems in the 21st Century conference in Washington, DC, and he has been an invited speaker at 6 other conferences. He is a recipient of the Society of Worldwide Interbank Funds Transfer (SWIFT) award.

Rei Safavi-Naini is a Professor of Computer Science at the School of Information Technology and Computer Science of the University of Wollongong. She has received a PhD in Electrical Engineering from University of Waterloo and has worked on design, analysis and implementation of secure systems for the last 15 years.

Huaxiong Wang received a PhD degree from University of Haifa, Israel. He is currently a Research Associate at the School of Information Technology and Computer Science of the University of Wollongong, Australia. Prior to his current position, he worked at Fujian Normal University (China), Kobe University (Japan) and the National University of Singapore (Singapore). His research interests include cryptography, coding theory, combinatorics, semiring theory and formal languages.

Lynn Batten was the Head of the Department of Mathematics at the University of Manitoba from 1989 to 1996. After two years there as Associate Dean of Academic and Industrial Research, Faculty of Science, she took up the position of Professor of Mathematics at Deakin University, Melbourne, Australia, effective January 1, 2000. Her research work is in the area of combinatorics, coding theory and security.


Chris Charnes received his PhD in Mathematics under J. H. Conway from University of Cambridge in 1992. He was a Research Fellow at the Centre for Computer Security, University of Wollongong until 2000, and is currently with the Department of Computer Science and Software Engineering, University of Melbourne, Australia. His research interests are in cryptography, coding theory, combinatorics and group theory.

Josef Pieprzyk received a BSc in Electrical Engineering from the Academy of Technology in Bydgoszcz, Poland, an MSc in Mathematics from the University of Torun, Poland, and a PhD degree from the Polish Academy of Sciences in Warsaw. Currently Josef Pieprzyk is an Associate Professor in the Department of Computer Science, University of Wollongong, Australia. His research interests include computer network security, database security, design and analysis of cryptographic algorithms, theory of cryptographic protocols, secret sharing schemes, threshold cryptography, copyright protection, e-commerce and Web security. Josef Pieprzyk is a member of IACR.