Designs, Codes and Cryptography, 13, 107–129 (1998)
© 1998 Kluwer Academic Publishers, Boston. Manufactured in The Netherlands.

Bounds and Characterizations of Authentication/Secrecy Schemes

L. R. A. CASSE  rcasse@maths.adelaide.edu.au
K. M. MARTIN  kmartin@maths.adelaide.edu.au
Department of Pure Mathematics, The University of Adelaide, Adelaide 5005, Australia

P. R. WILD  p.wild@rhbnc.ac.uk
Department of Mathematics, Royal Holloway, University of London, Egham, Surrey TW20 0EX, United Kingdom

Communicated by: L. Teirlinck

Received October 17, 1996; Revised October 17, 1996; Accepted January 8, 1997

Abstract. We consider authentication/secrecy schemes from the information theoretic approach. We extend results on unconditionally secure authentication schemes and then consider unconditionally secure authentication schemes that offer perfect L-fold secrecy. We consider both ordered and unordered secrecy. We establish entropy bounds on the encoding rules for authentication schemes with these types of secrecy. We provide some combinatorial characterizations and constructions for authentication schemes having perfect L-fold secrecy that meet these bounds.

Keywords: authentication scheme, secrecy scheme, bounds, orthogonal arrays

1. Introduction

The theory of unconditional secrecy was introduced by Shannon [13]. Simmons [14], [15] developed an analogous theory of unconditional authentication. Massey [6] put the two theories in a common setting and drew parallels between them. The many papers that have followed study secrecy and/or authentication either from a combinatorial point of view or by using information theoretic concepts. We follow this approach and the setting we consider may be described by the following scenario.

A Transmitter communicates a sequence of distinct source states from a set S to a Receiver by encoding them using one from a set of encoding rules E.
We do not consider splitting in this paper, so each encoding rule is an injective mapping from S into a set of messages M. The Receiver recovers the source states from the received messages by determining their (unique) pre-images under the agreed encoding rule. The Receiver accepts a message as authentic if it lies in the image of the agreed encoding rule. An Opponent observes the resulting sequence of messages and attempts to determine information about the source states, thereby compromising their secrecy, or attempts to determine another message which will be accepted by the Receiver as authentic, thereby deceiving the Receiver.

Shannon [13] introduced the concept of perfect secrecy. Informally, this means that the Opponent gains no information about the source states from intercepted messages. Bounds