Mosaics of combinatorial designs for information-theoretic security

We study security functions which can serve to establish semantic security for the two central problems of information-theoretic security: the wiretap channel, and privacy amplification for secret key generation. The security functions are functional forms of mosaics of combinatorial designs, more precisely, of group divisible designs and balanced incomplete block designs. Every member of a mosaic is associated with a unique color, and each color corresponds to a unique message or key value. Every block index of the mosaic corresponds to a public seed shared between the two trusted communicating parties. The seed set should be as small as possible. We give explicit examples which have an optimal or nearly optimal trade-off of seed length versus color (i.e., message or key) rate. We also derive bounds for the security performance of security functions given by functional forms of mosaics of designs.


Two problems of information-theoretic security
A channel W : X → Z is a stochastic matrix W with rows indexed by the finite input alphabet X and columns indexed by the finite output alphabet Z. The (x, z) entry is nonnegative and denoted by w(z|x). The entries of every row sum to 1, hence every row defines a probability distribution on Z. For the purpose of this paper, a wiretap channel is determined by a single channel W. The interpretation is that a sender, Alice, wants to transmit a confidential message to a receiver, Bob, through a channel which accepts inputs from X and whose output is identical to the input, or whose error probability is as small as desired. An eavesdropper, Eve, obtains a noisy version of the input symbol x ∈ X through the channel W; in other words, she observes a random variable distributed according to w( · |x). The task now is to devise a security code for the transmission of confidential messages which does not decrease the reliability of the channel to Bob, and which at the same time ensures that Eve learns nothing about the transmitted messages. In fact, we aim for semantic security, by which we loosely mean that the security code should guarantee security no matter how the message is distributed on the message set. Two possible rigorous definitions of this concept will be given below. They guarantee unconditional security, which means that no assumptions are made on Eve's computing power.
Another problem from information-theoretic security is privacy amplification. Here, Alice and Bob share a random variable X living on a finite set X . Eve, the adversary, has access to a discrete random variable Z correlated with X. The task is to apply a privacy amplification function to X such that the resulting random variable A (the secret key shared by Alice and Bob) is distributed approximately uniformly and such that Eve has no information about A. Again, the goal is to achieve semantic security. Although all distributions are fixed in this setting, it makes sense to require semantic security. For instance, it guarantees that even if Eve has the a priori knowledge that the key generated in the privacy amplification process has one of only two possible values, she is unable to tell which of these two is the one actually chosen. This property is sometimes called distinguishing security, but it is well-known that it is equivalent to unconditional semantic security [4].
Practical scenarios will not in general translate directly into one of the two problems described above. In the wiretap scenario, the physical channel from Alice to Bob will generally be noisy as well, and an error-correcting code needs to be applied first to make the error probability on this channel as small as possible. In this case, the input alphabet X actually is the message set of the error-correcting code. Similarly, in secret key generation, two remote parties will not in general share a random variable X from the outset. In order to establish such a random variable, an information reconciliation protocol has to be performed using communication over a public channel. Eve obtains at least part of her correlated information Z about X as she observes the public messages exchanged during information reconciliation.
It follows that a security code or a privacy amplification function will generally be just one component of a modular scheme which as a whole ensures both "reliability" (viz. error-correction or information reconciliation) and semantic security as well as, in the privacy amplification setting, approximately uniform key distribution.
The two problems above are key techniques for the generation of information-theoretic security in communication and data storage systems. They can be building blocks for embedded security and security-by-design of such systems. An important feature of information-theoretic security is that it provides provable security even against attacks performed by a quantum computer. For this reason, the techniques developed here are of great importance for the development of future 6G mobile communication systems [17]. A first practical implementation is presented in [32].

[Figure 1 diagram: Alice and Bob each apply f(s, ·) to X to obtain α ∈ A; Eve observes Z, related to X by P_{Z|X}, and possibly the seed S.]
Figure 1: The privacy amplification scenario. The correlation between X and Eve's observation Z here is represented by the conditional probability P_{Z|X}. Alice and Bob are usually assumed to be connected by a public channel over which they can exchange messages. In particular, they can use this channel to share the seed. The arrow from S to Eve is dashed because Eve may know the seed, but this is not necessary for the operability of the protocol.

Security functions
Both for the wiretap and the privacy amplification scenario, we will assume that Alice and Bob can share an additional resource, a publicly known seed s chosen uniformly at random from the finite seed set S. Then the basis both for security codes and privacy amplification functions are onto functions f : X × S → A, where A is a finite set. We will call such a function a security function. In the wiretap scenario, A will be the set of confidential messages; in privacy amplification, it represents the range of possible key values. In fact, in privacy amplification, f is nothing else than the privacy amplification function, i.e., given a seed s ∈ S and a realization x ∈ X of the random variable X shared by Alice and Bob, the secret key is chosen to be f(x, s) (see Fig. 1). For the wiretap channel, if Alice wants to send a confidential message α ∈ A and shares the seed s with Bob, she selects an element x from the preimage $f_s^{-1}(\alpha) = \{x : f(x, s) = \alpha\}$ uniformly at random and transmits x. We call this process of selecting x the randomized inverse of f. By assumption, with high probability, or even with certainty, Bob receives the x that was sent and decodes it into the original confidential message α = f(x, s), so the reliability of message transmission is preserved (see Fig. 2).
The color rate of a security function f : X × S → A, both in the wiretap and in the privacy amplification context, is given by $\varrho = \log|\mathcal{A}| / \log|\mathcal{X}|$ (the name will be justified in the context of mosaics, see below). As f is onto, this is a number between 0 and 1 which indicates the cost of establishing security as well as, in the privacy amplification scenario, approximately uniform key distribution. This is not a parameter to be optimized. Instead, given a required security level, the channel W in the former and the joint probability P_{XZ} in the latter situation determine a maximal possible color rate. The question is which f achieve or come close to this rate.

[Figure 2 diagram: Alice, Bob and Eve in the wiretap scenario; Alice encodes with the randomized inverse of f(s, ·), Bob decodes with f(s, ·).]
Figure 2: The wiretap scenario in the case where the channel between Alice and Bob is the identity channel. In principle, it is immaterial where the seed is generated. In practice, Alice will generate the seed and transmit it to Bob publicly. The arrow from S to Eve is dashed because Eve may know the seed, but this is not necessary for the operability of the protocol.
In the wiretap case, a common assumption is that Alice generates the seed, but then she has to use the unsecured channel to transmit it to Bob. This diminishes the overall communication rate significantly. The block rate $\log|\mathcal{S}| / \log|\mathcal{X}|$ indicates how often the unsecured channel needs to be used for the transmission of the seed. It has been shown that in some scenarios the seed can be reused in order to make the loss of overall communication rate negligibly small asymptotically. Nevertheless, it is important to make the seed set S as small as possible.
The use of a seed is not as problematic in the privacy amplification setting, since it is commonly assumed that there exists a public channel between Alice and Bob. For the purpose of seed sharing, it is sufficient that the public channel goes in one direction only. Usually, one still wants to keep the communication overhead on this public channel small, and this overhead can again be measured by the block rate.
Finally, we would like security codes and privacy amplification functions to be efficiently computable. For an underlying security function, this translates to the efficiency of computing f(x, s) and the randomized inverse $f_s^{-1}(\alpha)$. A precise definition of what we mean by efficiency will be given below.

Semantic security by mosaics of designs
Semantic security can be seen as a per-message type of security. It means that the probability distribution of Eve's observations conditional on any message or key value should be indistinguishable from an arbitrary fixed distribution on Eve's observation space which is independent of the message or key distribution. This suggests to construct security functions f : X × S → A whose preimages f −1 (α) for every α ∈ A have a structure suitable for establishing this indistinguishability.
Our goal in this paper is to systematically study security functions where every preimage f −1 (α) is the incidence relation of a balanced incomplete block design (BIBD) or a group divisible design (GDD) with point set X and block index set S. Such a function defines a mosaic of designs (D α ) α∈A , which is a family of designs on a common point set and a common block index set satisfying that every pair (x, s) ∈ X × S is incident in a unique D α . The security function corresponding to such a mosaic will be its functional form. The precise definitions will be given in Section 2.
Two aspects guide us in the construction of mosaics of designs: the trade-off of the color rate and the block rate, and the computational complexity of the functional form and its randomized inverse. We investigate the optimal trade-off of the color rate ̺ vs. the block rate for functional forms of mosaics of BIBDs and GDDs. For mosaics of BIBDs with small color rate, the block rate can at best be equal to 1. In all other cases, the minimal block rate is approximately equal to 2̺. In particular, if ̺ < 1/2 and the mosaic consists of GDDs, then a block rate smaller than 1 is possible.
We construct families of examples which are close to optimal, or even optimal, in terms of this trade-off. Their color rates are distributed over the complete interval between 0 and 1, densely in all cases except for BIBDs of small color rate. Both for mosaics of BIBDs and GDDs, we need two different families in order to obtain sufficiently variable color rates ̺. In both cases, at ̺ ≈ 1/2, the type of designs which is (close to) optimal in terms of this trade-off changes.
To the best of our knowledge, we are the first to explicitly study semantic security for privacy amplification. In both scenarios, we measure the amount of semantic security offered by the functional form of a mosaic of BIBDs or GDDs using two alternative security metrics, one of them based on total variation distance, the other on Kullback-Leibler divergence. The upper bounds on these metrics rely on the local properties of the functional form, i.e., on the properties of BIBDs and GDDs. The wiretap channel and the distribution of the random variables X and Z only appear in these bounds through at most two Rényi entropies or divergences, which gives the bounds some robustness with respect to the knowledge about the channel or the random variables.
We evaluate the security bounds in the most frequently studied scenarios of memoryless discrete or Gaussian wiretap channels and of privacy amplification for secret-key generation from discrete memoryless correlated sources. Unfortunately, block rate optimal mosaics of GDDs in the range where ̺ is small only achieve a suboptimal security level in general. This is not due to our construction, but holds in general. Hence a block rate of at least 1 is necessary to achieve asymptotically perfect semantic security at the maximal message or key rate with mosaics of BIBDs or GDDs. For the other block rate optimal constructions, the bounds are asymptotically optimal in the benchmark scenarios. Additionally, in the case of privacy amplification, the regularity of BIBDs and GDDs immediately implies the perfect uniform distribution of the key generated by the functional form of a mosaic of designs.
All the mosaics we construct are explicit, by which we mean the efficient computability of the functional form and its inverse in the usual setting of asymptotic complexity. The examples are derived from well-known designs based on finite fields, so in some cases the explicitness is obvious. There is one case where some work is required to show explicitness.

Related literature
Mosaics of combinatorial designs were introduced by Gnilke, Greferath and Pavčević [18]. Our method of constructing mosaics from resolvable designs or duals thereof is essentially due to them. The application of mosaics to construct functions with special desired properties is new, in particular, the analysis of color and block rates and of efficient computability of such functions. Mosaics generalize more specialized concepts like the tiling of a group with difference sets due to Ćustić, Krčadinac and Zhou [14].
A predecessor of what now is called mosaics was presented in [19] by Greferath and Therkelsen. General background on combinatorial designs can be found in the reference work of Beth, Jungnickel and Lenz [8].
The idea of separating privacy amplification from information reconciliation goes back to Bennett, Brassard and Robert [7] and Bennett, Brassard, Crépeau and Maurer [6]. Hayashi [22] extended the idea to the construction of security codes for the wiretap channel, where error correction is separated from the establishment of security. Like in [7], [6] and [22], the weaker strong secrecy criterion has been widely applied in information-theoretic security, where Eve's a priori knowledge is restricted to the true message or key distribution.
Semantic security ensures security no matter what the key or message distribution might be. Originating in complexity-based cryptography, it was adapted for (unconditional) information-theoretic security by Bellare, Tessaro and Vardy [4] (the shorter, published version of which is [5]). To the authors' knowledge, semantic security has only been considered for wiretap channels so far. In [21], Hayashi implicitly describes a technique for achieving semantic security for the quantum BB84 key distribution protocol.
[7], [6] and [22] used universal hash functions as security functions. Alternative choices in the privacy amplification scenario with strong secrecy are ε-almost dual universal hash functions (Hayashi [23]) and strong randomness extractors (Maurer and Wolf [26]). None of these choices guarantees perfect uniform distribution of the key. However, the seed required by randomness extractors can be very short. Seedless extractors have been used by Cheraghchi, Didier and Shokrollahi [11] to ensure strong secrecy for the "wiretap channel II", where the eavesdropper may observe a fraction of his choosing of the transmitted codeword.
When applied as security functions in the wiretap scenario, it seems that the global property defining universal hash functions in general is not enough to ensure semantic security. Even with additional regularity properties (cf. [3,33]), semantic security can only be shown for sufficiently symmetric channels. Usually, only strong secrecy is achievable.
Upper bounds on the semantic security metric for the wiretap channel which are comparable to ours were given by Hayashi and Matsumoto [24,Lemma 21] and the authors [34], using security functions of a different type. The security functions of the former paper are defined in terms of group homomorphisms together with a regularity condition. The single efficiently computable example given in [24,Remark 16] exhibits a block rate ≈ 2, which is worse than for mosaics of designs with an optimal trade-off of block rate vs. color rate. The security functions of [34] are induced by decompositions of complete biregular bipartite graphs into nearly Ramanujan graphs. A nonconstructive example of such a decomposition into Ramanujan graphs is given with a block rate of 1 independent of the color rate.

Outline
In Section 2, we define and analyze mosaics of BIBDs and GDDs. In Section 3, we define how we measure semantic security and give the bounds on the security metrics obtained from functional forms of mosaics of designs. These bounds are proved in Section 4. In Section 5, we prove the explicitness of one of the examples of Section 2 for which this is not immediately obvious.

Mosaics of combinatorial designs

Definitions
Let X and S be finite sets. An incidence structure D = (X , S, I) on (X , S) is determined by the incidence relation I on X × S. An incidence structure (X , S, I) is called empty if I = ∅. If x I s, then x and s are called incident. The incidence matrix of an incidence structure D = (X , S, I) is the 01-matrix N with rows indexed by X and columns indexed by S such that N(x, s) = 1 if and only if x and s are incident in D.
A mosaic of incidence structures on (X, S) is a family M = (D_α)_{α∈A} of nonempty incidence structures on (X, S) such that for every pair (x, s) there exists a unique incidence structure D_α in which x and s are incident. We call A the color set of M. Every D_α is called a member of M. If N_α is the incidence matrix of D_α, then $\sum_{\alpha \in A} N_\alpha = J$, the all-ones matrix of appropriate size.
Any function f : X × S → A induces a mosaic (D α ) α∈A of incidence structures, where x and s are incident in D α if and only if f (x, s) = α. We say that f is the functional form of this mosaic. Clearly, every mosaic (D α ) α∈A on (X , S) has a functional form f : X × S → A.
We consider the case where every D_α is a combinatorial design. In the context of designs, we will call X the point set and S the block index set. We set v = |X| and b = |S|. A (v, k, r) tactical configuration on (X, S) is an incidence structure where every point x is incident with precisely r block indices and every block index s is incident with precisely k points. It holds that bk = vr. (2.1)

A (v, k, λ) balanced incomplete block design (BIBD) on (X, S) is an incidence structure on (X, S) such that every s is incident with precisely k points from X and such that any two distinct points from X are incident with precisely λ ≥ 1 common block indices. Every (v, k, λ) BIBD is a (v, k, r) tactical configuration, where r is given by (2.2). The key equality when we want to establish security using a security function which is the functional form of a mosaic of BIBDs is that the incidence matrix N of a (v, k, λ) BIBD satisfies (2.3), where I is the identity matrix of appropriate dimensions.

The second type of designs we consider are group divisible designs (GDDs). A (u, m, k, λ₁, λ₂) GDD is based on a partition of X into m point classes of size u each, so v = um. Every block index is incident with precisely k points, and two distinct points are incident with λ₁ ≥ 0 common block indices if they are contained in the same point class and with λ₂ ≥ 1 common block indices otherwise. A (u, m, k, λ₁, λ₂) GDD is a (v, k, r) tactical configuration, with r determined by these parameters. An equality similar to (2.3) holds for the incidence matrix N of a GDD. Let C be the 0-1 matrix with rows and columns indexed by X which has a 1 in the (x, x′) entry if and only if x and x′ are contained in the same point class. With a suitable ordering of the elements of X, this is a block diagonal matrix with m all-ones matrices of size u each on the diagonal; the analogue of (2.3) for N then involves C in addition to I and J.

For a BIBD or GDD (X, S, I), the sets of the form {x : x I s}, where s ∈ S, are usually called blocks, and the set S is identified with the multiset of blocks of the design.
Occasionally, we will also speak of blocks and call the parameter k the block size. However, we will not identify S with a block multiset since we operate with multiple designs simultaneously. Hence the more cumbersome term "block index set".
All mosaics in this paper will consist of tactical configurations with the same parameters (v, k, r). Given a mosaic (D_α)_{α∈A}, we will use the letter a to indicate the cardinality of its color set A. If (D_α)_{α∈A} is a mosaic of (v, k, r) tactical configurations, then a, k, r, v and b are tied together, since every pair (x, s) is incident in exactly one member. In fact, the examples of mosaics constructed in the present paper will exclusively consist of BIBDs only or of GDDs only. BIBDs and GDDs together allow us to construct security functions with a wide range of color rates between 0 and 1. For a mosaic of BIBDs with constant block size k, note that λ also has to be constant due to (2.1) and (2.2).

Some properties and examples of designs
If D = (X, S, I) is an incidence structure, then its dual is the incidence structure D^T = (S, X, I^T) where s I^T x if and only if x I s. Obviously, the incidence matrix of D^T is the transpose of the incidence matrix of D. If (D_α)_{α∈A} is a mosaic of designs, then so is (D^T_α)_{α∈A}. A (v, k, r) tactical configuration (X, S, I) is called resolvable if the block index set S can be partitioned into subsets S_1, ..., S_r such that for every j ∈ {1, ..., r}, every x ∈ X is incident with a unique s ∈ S_j. (It is clear that such a partition necessarily has to have precisely r elements.) Every S_j is called a parallel class and contains v/k block indices; in particular, k divides v.
The sum of a mosaic is the incidence structure on (X , aS), where aS is the disjoint union of a copies of S, and where a point x is incident with the α-th copy of s ∈ S if x and s are incident in D α . Note that the sum of a mosaic of tactical configurations is resolvable.
Two incidence structures (X, S, I) and (X′, S′, I′) are called isomorphic if there exist bijective mappings Φ_X : X → X′ and Φ_S : S → S′ such that x I s if and only if Φ_X(x) I′ Φ_S(s). We also define that two mosaics (D_α)_{α∈A} on (X, S) and (D′_{α′})_{α′∈A′} on (X′, S′) are isomorphic if there exist bijective mappings Φ_X : X → X′, Φ_S : S → S′ and Φ_A : A → A′ such that x ∈ X and s ∈ S are incident in D_α for α ∈ A if and only if Φ_X(x) and Φ_S(s) are incident in D′_{Φ_A(α)}.
A BIBD is called affine or affine resolvable if it is resolvable and if there exists a number µ > 0 such that any two distinct non-parallel blocks have precisely µ points in common. An affine plane is an affine BIBD with µ = 1 and block size at least 2. Affine BIBDs have the property that their number of blocks is minimal among all resolvable BIBDs with the same number of points and parallel classes. This is a consequence of Bose's inequality, which states that for resolvable BIBDs [8,Corollary 8.6], and that equality holds if and only if the BIBD is affine.
Here we give the classical examples of affine designs, on which our constructions below will be based. This is no restriction, since all known affine BIBDs have the same parameters as the affine-geometric ones below or are Hadamard designs [8, p. 128]. We ignore the latter since they are limited to v/k = a = 2, which only allows a very small color rate which vanishes asymptotically as v increases.
Let q be a prime power and t ≥ 2. The BIBD $AG_{t-1}(t, q)$ has as point set the vector space $\mathbb{F}_q^t$; its blocks are the hyperplanes of this vector space, i.e., all cosets of all (t − 1)-dimensional subspaces, and the incidence relation is ∈. Its parameters are $(v, k, \lambda) = (q^t, q^{t-1}, (q^{t-1} - 1)/(q - 1))$. These designs are affine resolvable with $\mu = q^{t-2}$: the parallel classes are the sets of pairwise disjoint hyperplanes, i.e., the cosets of one fixed (t − 1)-dimensional subspace, and two non-parallel hyperplanes meet in exactly $q^{t-2}$ points. In the case t = 2, one obtains the affine plane AG(2, q), where the hyperplanes are called lines.

Block rate optimality
We characterize block rate optimality for mosaics of BIBDs and GDDs.
then this means for the block rate that We call a mosaic of (v, k, λ) BIBDs satisfying equality in one of these two cases block rate optimal.
Proof. Using (2.1) and (2.2), , then strict inequality has to hold due to v > k.
We note that ̺_0(v, k) quickly approaches 1/2 from below as v increases. We also consider the block rate for GDDs. This is connected to some subclasses of GDDs. First, we recall the classification of GDDs due to Bose and Connor [10]. A GDD is called 3) regular if r > λ₁ and rk > vλ₂.
Every GDD falls under exactly one of these categories.
An important subclass of the semi-regular GDDs are the transversal designs, which satisfy that every block intersects every point class in precisely one point. In this case m = k and λ₁ = 0. We call a transversal design with these parameters a (u, k, λ) TD, where λ = λ₂. Hanani [20] has shown that a (u, k, λ) TD necessarily satisfies

Let (D_α)_{α∈A} be a mosaic of GDDs of constant block size k and of color rate ̺. Then Equality holds if and only if every D_α is an (a, k, 1) TD. We call such a mosaic block rate optimal.
Proof. The parameters v, b, k, r are the same for all members of the mosaic. Choose any Equality here implies λ_{1,α} = 0, whence also m_α ≥ k. In this case, Equality holds for m_α = k and λ_{2,α} = 1. Thus altogether we obtain with equality as claimed in the statement.
Unfortunately, the block rate of any mosaic one of whose members is a semi-regular GDD cannot be much smaller than 1. This implies that the minimal possible color rate of a block rate optimal GDD quickly approaches 1/2 from below as the number of colors increases.
Lemma 2.3. Consider a mosaic M of (v, k, r) tactical configurations and of color rate Proof. From (2.1) and the semi-regularity of D α , it follows that Since log a = ̺ log v, this means that The color rate is connected to λ as follows. It was shown for semi-regular GDDs in (this generalizes Hanani's inequality) and that m divides k, say k = cm. This implies u = ac, since um = v = ak = acm. Inserting this and (2.10) in (2.12), one obtains Inserting this in (2.11) gives the result.
Corollary 2.4. A necessary condition for a mosaic (D α ) α∈A of (u, k, 1) TDs to be block rate optimal is that the color rate ̺ satisfies .
Equality is attained if and only if every D α is the dual of an affine plane.
Proof. We know that λ = 1 for mosaics of block rate optimal TDs. Using this and c = 1 in (2.13), which holds for arbitrary ̺, gives the lower bound. Assume that equality holds, and so Hanani's inequality holds with equality for every D_α. According to Neumaier [28, Corollary 3.8], equality holds in Hanani's inequality for a TD D if and only if D is the dual of an affine BIBD. Thus every D_α is the dual of an affine BIBD. Since every D_α is a (u, k, 1) TD, any two distinct blocks of its dual D^T_α intersect in at most one point, hence D^T_α is an affine plane.

We have seen that we cannot come close to block rate optimality for rates well below 1/2 using mosaics which contain at least one semi-regular GDD. The same holds for mosaics which have at least one regular GDD as a member, since regular GDDs satisfy b ≥ v by [10], so the block rate is at least 1.

For color rates smaller than those in Corollary 2.4, the solution is to use singular GDDs. (However, we will see that singular block rate optimal GDDs give suboptimal bounds for semantic security for sufficiently large point sets.) Bose and Connor show in [10] that every singular GDD is obtained by the multiplication of the points of a BIBD. We apply the same construction in order to obtain a mosaic M = (D_α)_{α∈A} of singular GDDs from a mosaic M* = (D*_α)_{α∈A} of (v*, k*, λ*) BIBDs on (X*, S*). For an arbitrary positive integer u, replace each point x* ∈ X* by a class of u copies of x*. This gives the point set X of M. The block index set does not change; we set S = S*. A point x and a block index s are defined to be incident in D_α if x is a copy of an x* which is incident with s in D*_α. Every D_α is then a singular GDD whose parameters are determined by u and (v*, k*, λ*). Note that all members of M have the same point class partition. We call M the u-fold point multiple of M*. Conversely, one shows in the same way as in [10] that every mosaic of singular GDDs with the same parameters and the same point class partition is the u-fold point multiple of a mosaic of BIBDs.
Proof. For the color rate, observe that a = a*, and so as claimed. The claim about the block rates follows from

We see that if M* is close to block rate optimality and ̺* ≥ ̺_0(v*, k*), then M is close to block rate optimality as well. The color rates can be chosen arbitrarily small by choosing u accordingly. A block rate optimal mosaic M* of BIBDs with color rate larger than 1/2 will be constructed in Section 2.6.

Complexity
With a view towards applications, we would like to be able to find examples of mosaics of designs whose functional form and randomized inverse are efficiently computable (in the Turing model of computation). By efficiency, we mean that it must be possible to do the computations in time polylogarithmic in v and b. This is compatible with the usual requirements in coding theory, where encoding and decoding must be done in time polynomial in the blocklength. For this asymptotic definition to make sense, we will implicitly assume that the mosaic is part of an infinite family of mosaics where each color rate can be attained infinitely often and where v is unbounded. This will be satisfied by all examples we give below.
Since X and S do not necessarily have a natural representation as a set of consecutive bit sequences, we define efficiency in terms of the functional form of an isomorphic mosaic defined on sets of integers. The choice of integers instead of bit strings allows us to ignore questions arising when the cardinality of a set is not a power of 2.
For any positive integer n, we write [n] = {1, ..., n}. We call the mosaic M = (D_α)_{α∈A} explicit if there exists a mosaic M̃ = (D̃_j)_{j∈[a]} with point set [v] and block index set [b] which is isomorphic to M and whose functional form f̃ : (M2) there exists a mapping g : such that g(s̃, α̃, κ) can be computed in time poly(log b, log v) for all s̃, α̃, κ and which for fixed s̃

Remark 2.6. Condition (M2) corresponds to the usual complexity-theoretic definition of strong explicitness of graph families [1]. Condition (M1) means the efficient distinction between different graphs, which is only of concern in the context of mosaics.
If, in the wiretap channel case, Alice chooses the seed, which is the most likely scenario, then the order of the choice of seed s and channel input x can be reversed. So far, we have assumed that s is chosen first and x is chosen from $f_s^{-1}(\alpha)$. Due to (2.1), it is equivalent to first choose x uniformly at random from X and then to choose s uniformly at random among the seeds with f(x, s) = α. We will see in one of the mosaics which we are going to construct that this can reduce the cost of computation.
However, reversing the order of choosing s and x has a drawback. We already mentioned above that if the channel from Alice to Bob is used to first transmit the seed and then the confidential message, this incurs a loss of total communication rate, and that it is possible to make up for this by reusing the seed. Since s depends on x if the latter is chosen first, seed reuse is impossible in this case.
All functions constructed in this paper will be based on finite-field arithmetic. For real implementations, not all finite fields are equally suitable. However, in principle, the complexities are comparable. If q = p^t for a prime p, then F_q can be regarded as a vector space over F_p. If F_q is represented in a polynomial basis, i.e., a basis of the form {1, ϑ, ϑ², ..., ϑ^{t−1}}, then addition and subtraction in the field F_q can be done in time O(log q). For multiplication and division, O((log q)²) time is sufficient [27]. A polynomial basis exists for all prime powers q [25].

A general construction
We next present a method from which all examples of mosaics below will be constructed.
A key ingredient of this construction is the notion of a quasigroup. A quasigroup on the finite set A is an array L with entries from A and rows and columns indexed by A which satisfies 1) for every α, γ ∈ A there is a unique β ∈ A such that L(α, β) = γ, and 2) for every β, γ ∈ A there is a unique α ∈ A such that L(α, β) = γ. In other words, every row and every column of L is a permutation of A.
Every finite group is a quasigroup. If one labels the rows and columns of a quasigroup by a set which is not necessarily the same as A, one obtains a Latin square. Using quasigroups instead of Latin squares is more convenient in our setting.
The following theorem was already shown in [18] for the case of resolvable BIBDs, using Latin squares instead of quasigroups (which combinatorially amounts to the same thing). It is based on the idea that it should be possible to obtain a mosaic if one starts with a resolvable incidence structure, since the sum of a mosaic is resolvable.
Theorem 2.7. Let D be a resolvable (v, k, r) tactical configuration with incidence relation I. Let A be an index set for the blocks of every parallel class of D, and let L be a quasigroup on A. Then there exists a mosaic M = (D_α)_{α∈A} where each D_α is isomorphic to D, and there exists a mosaic M^T = (D_α^T)_{α∈A} where each D_α^T is isomorphic to D^T. If D is a GDD, then all D_α share their point class partition with D. If D^T is a GDD, then every D_α^T has the same point class partition as D^T and λ_1 = 0.

Proof. The proof essentially is a reformulation of the proof of [18] together with the observation, already mentioned above, that if one has a mosaic and passes to the dual of every member of this mosaic, then one again obtains a mosaic. Our formulation of the proof will make it straightforward to derive the functional form of a mosaic constructed in this way.
The block index set of D can be written as R × A, where R is an index set of cardinality r for the parallel classes, and the blocks of each parallel class are labeled with a unique symbol from A. Denote the point set of D by P. For every p ∈ P and i ∈ R there exists a unique α ∈ A such that p I (i, α). We define the incidence structure D α = (P, R × A, I α ) by saying that p I α (i, β) if and only if p I (i, γ) for the unique γ satisfying L(β, γ) = α. This gives a mosaic. It follows directly from the construction and the quasigroup property of L that all members of this mosaic are isomorphic to D. By dualization, one obtains a mosaic all members of which are isomorphic to D T .
It is clear that if D is a GDD, then all D_α must have the same point class partition. For D^T, the point class partition corresponds to the partition of the blocks of D into parallel classes, which is shared by all D_α. This shows that all D_α^T have the same point class partition with λ_1 = 0. Written as a functional form, the mosaic M has f(p, (i, β)) = L(β, γ), where γ is the unique element of A with p I (i, γ).
The explicitness of a mosaic constructed as in Theorem 2.7 follows from the explicitness of the involved design D and the quasigroup L. This is important in those cases where explicitness is not immediately clear from the functional form of the mosaic, like for the mosaics M (2) of the next section.
We say that a quasigroup L on A is explicit if there exists an isomorphic quasigroup L̃ on [a] satisfying two efficiency conditions (L1) and (L2); condition (L2) requires that, for given β̃, α̃ ∈ [a], the unique γ̃ with L̃(β̃, γ̃) = α̃ can be found in time poly(log a). Assume now that D is explicit, with an isomorphic copy D̃ on the point set [v] and block index set [r] × [a] satisfying the corresponding explicitness conditions, of which the second, (D2), provides an efficient enumeration of the points of a block, and that L is explicit. In order to check (M2) for the resulting mosaic M, fix any (ĩ, β̃) ∈ [r] × [a] and α̃ ∈ [a]. By (L2), the γ̃ satisfying L̃(β̃, γ̃) = α̃ can be found in time poly(log a). By (D2), there exists a mapping κ ↦ g(ĩ, γ̃, κ) which enumerates all points incident with (ĩ, γ̃) in D̃ and whose values can be computed in time poly(log b, log k). The set of these points equals f̃^{-1}_{(ĩ,β̃)}(α̃). Altogether, this proves the explicitness of M. The explicitness of M^T is shown similarly.
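The construction of Theorem 2.7 in executable form, as an added example that is not part of the paper: the input is the resolvable design AG(2, q) for a prime q (its parallel classes are the q + 1 slopes of lines, the blocks of each class are labelled by the intercept d ∈ F_q), the quasigroup is L(α, β) = α − β mod q, which is a quasigroup but not a group, and the code builds f(p, (i, β)) = L(β, γ) from the proof and then verifies that every member D_α is a (q^2, q, 1) BIBD and every dual member D_α^T a GDD with λ_1 = 0, λ_2 = 1 whose point classes are the parallel classes. All function names are this example's own.

```python
from itertools import combinations

# Theorem 2.7 as code (added example, not from the paper): from a resolvable design D,
# given by its parallel classes, and a quasigroup L on A, build the mosaic
# (D_alpha)_{alpha in A} with functional form
#     f(p, (i, beta)) = L(beta, gamma),  gamma = the unique block of class i containing p,
# and measure the parameters of every member and of every dual member.

def affine_plane(q):
    """AG(2, q) for prime q. classes[i][gamma] is the block with index (i, gamma):
    class ('slope', c) holds the lines y = c x + d, class ('vertical',) the lines x = d,
    and within every class the blocks are labelled by d in A = F_q."""
    points = [(x, y) for x in range(q) for y in range(q)]
    classes = {('slope', c): {d: frozenset((x, (c * x + d) % q) for x in range(q)) for d in range(q)}
               for c in range(q)}
    classes[('vertical',)] = {d: frozenset((d, y) for y in range(q)) for d in range(q)}
    return points, classes

def is_quasigroup(L, A):
    """Conditions 1) and 2): every row and every column of L is a permutation of A."""
    return (all(sorted(L[a][b] for b in A) == sorted(A) for a in A)
            and all(sorted(L[a][b] for a in A) == sorted(A) for b in A))

def mosaic_from_resolvable(points, classes, A, L):
    """Returns (f, seeds, members): f is the functional form, seeds = R x A the block index
    set, members[alpha][s] the block of D_alpha with index s (a frozenset of points)."""
    assert is_quasigroup(L, A)
    gamma_of = {}                        # (p, i) -> label of the block of class i containing p
    for i, blocks in classes.items():
        assert sorted(blocks) == sorted(A), "blocks of each class must be labelled by A"
        for gamma, block in blocks.items():
            for p in block:
                assert (p, i) not in gamma_of, "blocks of a parallel class must be disjoint"
                gamma_of[(p, i)] = gamma
        assert all((p, i) in gamma_of for p in points), "a parallel class must cover all points"

    def f(p, s):
        i, beta = s
        return L[beta][gamma_of[(p, i)]]

    seeds = [(i, beta) for i in classes for beta in A]
    members = {alpha: {s: frozenset(p for p in points if f(p, s) == alpha) for s in seeds}
               for alpha in A}
    return f, seeds, members

def parameters(points, blocks, group_of=None):
    """(v, b, block sizes, replication numbers, pair counts within a group, pair counts across
    groups). A BIBD shows one block size, one replication number and one pair count; a GDD
    with groups given by group_of shows lambda_1 (within) and lambda_2 (across)."""
    blocks = list(blocks)
    sizes = {len(B) for B in blocks}
    reps = {sum(p in B for B in blocks) for p in points}
    within, across = set(), set()
    for x, y in combinations(points, 2):
        n = sum(x in B and y in B for B in blocks)
        same = group_of is not None and group_of(x) == group_of(y)
        (within if same else across).add(n)
    return len(points), len(blocks), sizes, reps, within, across

def mosaic_parameters(q, L=None):
    """Build the mosaic from AG(2, q) and return, per colour alpha, the parameters of D_alpha
    and of its dual D_alpha^T (the groups of the dual are the parallel classes of AG(2, q))."""
    points, classes = affine_plane(q)
    A = list(range(q))
    if L is None:                        # a quasigroup that is not a group: L(a, b) = a - b mod q
        L = [[(a - b) % q for b in A] for a in A]
    f, seeds, members = mosaic_from_resolvable(points, classes, A, L)
    out = {}
    for alpha in A:
        blocks = members[alpha]
        out[alpha] = parameters(points, blocks.values())
        dual_blocks = [frozenset(s for s in seeds if p in blocks[s]) for p in points]
        out[('dual', alpha)] = parameters(seeds, dual_blocks, group_of=lambda s: s[0])
    return out
```

Passing the additive group of F_q as L instead gives the same parameters, which is the point of the theorem: isomorphism type and parameters of the members depend on D, not on which quasigroup is used.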

Examples of (nearly) block rate optimal mosaics
We present four families of mosaics. Not all of these are block rate optimal, but those which are not come arbitrarily close to optimality for sufficiently large point sets. There is a family for each combination of the cases 1) color rate ϱ ≥ 1/2 or ϱ ≤ 1/2 (roughly), 2) BIBD or GDD.
The sets of color rates will be dense except for the case of BIBDs with small color rates.
In all cases we will use Theorem 2.7. Thus in every case the key is to find a single resolvable design with the desired parameters.
BIBD and ϱ ≤ 1/2: For this case we build our construction on the affine designs. Fix an integer t ≥ 2 and a prime power q and let v = q^t, k = q^{t−1}, r = (q^t − 1)/(q − 1), λ = (q^{t−1} − 1)/(q − 1) be the parameters of the BIBD AG_{t−1}(t, q) formed by the points and hyperplanes of the affine space of dimension t over F_q. Since a = v/k = q, the color rate of the mosaic M^{(1)}_{t,q} we obtain from AG_{t−1}(t, q) with the construction of Theorem 2.7 is ϱ = log q / log q^t = 1/t.
We have 1/t > ϱ_0(v, k) only if t = 2. In this case, M^{(1)}_{t,q} is block rate optimal since λ = 1. If t ≥ 3, then M^{(1)}_{t,q} could only be block rate optimal if it were square, which is not the case. However, since AG_{t−1}(t, q) is affine, it is a consequence of Bose's inequality (2.6) that the block rate of M^{(1)}_{t,q} is minimal among those mosaics constructed from any of the known resolvable BIBDs with v = q^t and color rate 1/t. The block rate depends on q through the number b = q(q^t − 1)/(q − 1) of block indices. Thus for fixed color rate 1/t, one gets closer to block rate optimality by increasing q. Every hyperplane of AG_{t−1}(t, q) can be represented by a unique pair (h, α), where α ∈ F_q and h is a nonzero element of F_q^t whose first nonzero component is normalized to 1. We denote the set of these h by R. The hyperplane corresponding to (h, α) is the set of points x satisfying h · x = α, where h · x = Σ_i h_i x_i. Different h give different parallel classes, and different α with a fixed h indicate different parallel hyperplanes in the parallel class corresponding to h.
The natural quasigroup to construct a mosaic from AG_{t−1}(t, q) is the additive group of F_q. Then a point x ∈ F_q^t and an element (h, β) of the block index set are incident in D_α if and only if x is incident with (h, α − β) in AG_{t−1}(t, q), i.e., if and only if h · x = α − β. The functional form f^{(1)}_{t,q} : F_q^t × (R × F_q) → F_q of M^{(1)}_{t,q} is therefore given by
f^{(1)}_{t,q}(x, (h, β)) = h · x + β.
This immediately shows that the family M^{(1)} = {M^{(1)}_{t,q} : t ≥ 2, q prime power} is explicit.
BIBD and ϱ ≥ 1/2: Fix a positive integer t ≥ 2 and an integer ℓ between 1 and t. For q = 2^t, let Q : F_q^2 → F_q be an irreducible quadratic form, i.e., a polynomial of the form Q(x, y) = η_1 x^2 + η_2 xy + η_3 y^2 which cannot be factored into linear forms. Such a quadratic form exists for all q. Choose an arbitrary subgroup H of order 2^ℓ of the additive group of F_q and consider the set
X = {(x, y) ∈ F_q^2 : Q(x, y) ∈ H}.
It was proved by Denniston [15] that X has
v = 1 + (2^t + 1)(2^ℓ − 1)   (2.14)
elements and that every line of AG(2, q) has either 2^ℓ or no points in common with X. We will regard X as a subset of AG(2, q). It is not hard to see [8, Corollary VIII.5.21] that if we denote by S the set of nontrivial intersections of lines of AG(2, q) with X, then D = (X, S, ∈) is a resolvable (v, k, 1) BIBD with k = 2^ℓ. Since r = 2^t + 1 by (2.2), the set of parallel classes of D is in one-to-one correspondence with the set of parallel classes of lines in AG(2, q). In fact, if ℓ = t, then D = AG(2, q).
Applying Theorem 2.7 to D, one constructs a mosaic M^{(2)}_{t,ℓ,H}. Since λ = 1, the mosaic M^{(2)}_{t,ℓ,H} is block rate optimal, and its block rate and color rate are related by (2.15). For every t and ℓ, it is possible to choose a subgroup H_{t,ℓ} such that the resulting family M^{(2)} = {M^{(2)}_{t,ℓ,H_{t,ℓ}} : t ≥ 2, 1 ≤ ℓ ≤ t} is explicit. Some work has to be done in order to show this, which we postpone to Section 5. Moreover, every number between 1/2 and 1 can be approximated arbitrarily closely by the color rates of elements of M^{(2)} for sufficiently large t and ℓ.
GDD and ϱ < 1/2: Fix a positive integer t and a nonnegative ℓ between 0 and t. Denote the elements of the explicit family M^{(2)} constructed above by M^{(2)}_{t,ℓ} (we omit the subgroups here in order to simplify notation). Choose an integer u and let M^{(3)}_{t,ℓ,u} be the u-fold multiple of M^{(2)}_{t,ℓ}, a mosaic of singular GDDs. By Lemma 2.5, its color rate decreases with u, and the ratio of the block rate and the color rate is still given by (2.15). The color rate is smaller than 1/2 for sufficiently large u.
Denote the point set of M^{(2)}_{t,ℓ} by X* and its block index set by S*, and let f* : X* × S* → A* be the functional form of M^{(2)}_{t,ℓ}. A point of M^{(3)}_{t,ℓ,u} is one of the u copies of a point x* ∈ X*, and the color of such a point under block index s* is f*(x*, s*), independent of the copy. The explicitness of M^{(3)} = {M^{(3)}_{t,ℓ,u}} therefore follows from that of M^{(2)}.
By the discussion in Section 2.3, mosaics of singular GDDs give the best approximation to block rate optimality among mosaics of GDDs with a small color rate if the point set is sufficiently large. The ratio of the block and the color rates is given by (2.15). All numbers between 0 and 1 can be approximated arbitrarily well by the color rates of suitable members of M^{(3)}.
GDD and ϱ ≥ 1/2: If one deletes some of the parallel classes from the block set of AG(2, q), where q is a prime power, then one obtains the dual of a transversal design. Assume we keep k ≥ 2 of the parallel classes of AG(2, q). Call the resulting design D^T and set D = (D^T)^T. The point set X of D consists of the lines of AG(2, q) in the retained parallel classes, and the block index set S of D consists of all the points of AG(2, q). Two points x, x′ ∈ X are incident with a common block index s if and only if they intersect as lines in AG(2, q), and so parallel classes of D^T translate into point classes of D. If x, x′ are not in the same point class of D, then in D^T, their corresponding lines intersect in a unique point. In D, this means that two points from different point classes are incident with a unique block index, and so D is a (q, k, 1) TD.
Letting R denote the set of remaining parallel classes of lines, we construct from this transversal design a mosaic M^{(4)}_{k,q,R} as in Theorem 2.7, using the natural additive group structure of F_q on every parallel class of AG(2, q). We obtain a mosaic of (u, m, k, λ_1, λ_2) = (q, k, k, 0, 1) GDDs with b = q^2 block indices and a = q colors.
Thus M^{(4)}_{k,q,R} has color rate
ϱ = log q / (log q + log k).
Since k ranges between 2 and q + 1, ϱ is a number between log q / (log q + log(q + 1)) and log q / (1 + log q).
The block rate is optimal by Lemma 2.2. The point set X of M^{(4)}_{k,q,R} has the structure of a Cartesian product, X = R × F_q. For the discussion of the functional form of the mosaic, we assume that k ≤ q and that R is given by a subset of F_q. Then x = (c, d) ∈ X corresponds to the line {(u, cu + d) : u ∈ F_q} in AG(2, q). The case k = q + 1 can be treated analogously and corresponds to a mosaic whose members all are isomorphic to the dual of AG(2, q).
Given α ∈ F_q and s = (s_1, s_2) ∈ F_q^2, the functional form reads f^{(4)}((c, d), (s_1, s_2)) = s_2 − c s_1 + d, so one can find those x ∈ X which are incident with s in D_α by taking any c ∈ R and solving for d = α − s_2 + c s_1. In this way, one obtains the randomized inverse of f. This can be done efficiently if R can be enumerated efficiently. Clearly, such an R = R_{k,q} exists for every k. This gives us an explicit family M^{(4)} = {M^{(4)}_{k,q,R_{k,q}} : 2 ≤ k ≤ q + 1, q prime power}. All numbers between 1/2 and 1 can be approximated arbitrarily well by the color rates of members of this family.
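The functional forms of M^{(1)}_{t,q} and M^{(4)}_{k,q,R}, their randomized inverses, and the collision counts that Section 2.7.1 below uses to compare mosaics with universal hash functions, as an added example that is not the paper's code. It assumes q prime, so that F_q is arithmetic modulo q, and takes R = {0, . . . , k − 1} ⊂ F_q as the retained slopes. The checks it runs are: |{s : f(x, s) = f(x′, s)}| equals aλ for every pair in M^{(1)} and equals 0 or a in M^{(4)} depending on whether x, x′ share a point class; the largest collision probability equals the lower bound of Lemma 2.10 for M^{(1)} and equals 1/a for M^{(4)}; and every colour occurs exactly r times in each row of the incidence matrices, which is the row-sum property N_α j = r j used later in Lemma 3.5.

```python
from collections import Counter
from fractions import Fraction
from itertools import combinations, product
import random

# Functional forms of M^(1) and M^(4) over a prime field F_q (added example, not the paper's
# code; q prime and R = {0,...,k-1} are this example's assumptions).
#   M^(1)_{t,q}:   points x in F_q^t, seeds (h, beta) in R x F_q, f(x, (h, beta)) = h.x + beta
#   M^(4)_{k,q,R}: points (c, d) = line y = c x + d, seeds (s1, s2) in F_q^2,
#                  f((c, d), (s1, s2)) = s2 - c s1 + d;  point classes = slopes c

def normalised_vectors(t, q):
    """R for AG_{t-1}(t, q): nonzero h in F_q^t whose first nonzero component is 1."""
    reps = []
    for h in product(range(q), repeat=t):
        nonzero = [c for c in h if c]
        if nonzero and nonzero[0] == 1:
            reps.append(h)
    return reps

def mosaic_M1(t, q):
    points = list(product(range(q), repeat=t))
    seeds = [(h, beta) for h in normalised_vectors(t, q) for beta in range(q)]
    def f(x, s):
        h, beta = s
        return (sum(hi * xi for hi, xi in zip(h, x)) + beta) % q
    return points, seeds, list(range(q)), f

def mosaic_M4(k, q):
    points = [(c, d) for c in range(k) for d in range(q)]
    seeds = list(product(range(q), repeat=2))
    def f(x, s):
        (c, d), (s1, s2) = x, s
        return (s2 - c * s1 + d) % q
    return points, seeds, list(range(q)), f

def randomized_inverse_M1(alpha, s, t, q, rng=random):
    """Uniform x with f(x, (h, beta)) = alpha: draw every coordinate but the pivot (the first
    nonzero component of h, which is 1 by normalisation) and solve h.x = alpha - beta."""
    h, beta = s
    j = next(i for i, hi in enumerate(h) if hi)
    x = [rng.randrange(q) for _ in range(t)]
    x[j] = (alpha - beta - sum(h[i] * x[i] for i in range(t) if i != j)) % q
    return tuple(x)

def randomized_inverse_M4(alpha, s, k, q, rng=random):
    """Uniform (c, d) with f((c, d), s) = alpha: pick c in R, then d = alpha - s2 + c s1."""
    s1, s2 = s
    c = rng.randrange(k)
    return (c, (alpha - s2 + c * s1) % q)

def collision_counts(points, seeds, f, group_of=None):
    """|{s : f(x, s) = f(x', s)}| over all distinct x, x' (b times the left side of (2.16)),
    split into pairs from the same point class and pairs from different classes."""
    same, different = set(), set()
    for x, y in combinations(points, 2):
        n = sum(f(x, s) == f(y, s) for s in seeds)
        (same if group_of is not None and group_of(x) == group_of(y) else different).add(n)
    return same, different

def max_collision_probability(points, seeds, f):
    same, different = collision_counts(points, seeds, f)
    return Fraction(max(same | different), len(seeds))

def stinson_bound(v, a):
    """Lower bound of Lemma 2.10 on the largest collision probability of an onto f."""
    return Fraction(v - a, a * (v - 1))

def color_multiplicities(points, seeds, A, f):
    """{#{s : f(x, s) = alpha} : x in X, alpha in A}, i.e. the row sums of every N_alpha.
    A single value r means each colour is hit exactly r times by every point."""
    return {Counter(f(x, s) for s in seeds)[alpha] for x in points for alpha in A}
```

For t = 3, q = 3 the mosaic M^{(1)} has v = 27, a = 3, λ = 4 and r = 13, so every pair collides under exactly aλ = 12 of the b = 39 seeds and 12/39 = (v − a)/(a(v − 1)); for k = 3, q = 5 the mosaic M^{(4)} never lets two parallel lines collide and lets two non-parallel lines collide under exactly a = 5 of the 25 seeds.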

Discussion.
All our examples are constructed using Theorem 2.7, hence all members of these designs are either themselves resolvable or duals of resolvable designs. We do not know whether mosaics of BIBDs or GDDs with constant block size exist which are not resolvable or dually resolvable. Such a construction would be particularly relevant for cases where mosaics of resolvable designs cannot be block rate optimal. For instance, a block rate optimal mosaic of BIBDs with color rate smaller than 1/2 must be square, and consequently cannot be resolvable.
It would also be desirable to construct a family of mosaics of BIBDs which is close to block rate optimality and whose color rates are dense in the interval between 0 and 1/2.

Related structures

2.7.1 Universal hash functions.
A function f : X × S → A is called a universal hash function if for all distinct x, x′ ∈ X,
(1/b) |{s ∈ S : f(x, s) = f(x′, s)}| ≤ 1/a   (2.16)
(where, as usual, |X| = v, |S| = b and |A| = a). The left-hand side of (2.16) can be interpreted as the probability that the values assigned to x and x′ by f "collide" if the seed is chosen uniformly at random. Let (D_α)_{α∈A} be the mosaic of incidence structures induced by f as described in Section 2.1. Stinson [30] has shown that the maximal collision probability of f is minimal if the sum D of (D_α)_{α∈A} is a BIBD (recall the definition of the sum of a mosaic in Section 2.2).

Lemma 2.10 ([30]). Any onto function f : X × S → A satisfies
(1/b) |{s ∈ S : f(x, s) = f(x′, s)}| ≥ (v − a)/(a(v − 1))
for at least one pair of distinct points x, x′ ∈ X. Equality holds for all distinct x, x′ ∈ X if and only if the sum D of the mosaic of incidence structures (D_α)_{α∈A} induced by f is a resolvable BIBD.

A universal hash function f for which the sum D of the corresponding mosaic (D_α)_{α∈A} is a BIBD is called optimally universal. It follows immediately that a mosaic (D_α)_{α∈A} of BIBDs with common parameters (v, k, λ) gives rise to an optimally universal hash function, since all blocks have the same size and, for distinct x, x′ ∈ X,
|{s ∈ S : f(x, s) = f(x′, s)}| = Σ_{α∈A} |{s ∈ S : x and x′ are both incident with s in D_α}| = aλ = b (v − a)/(a(v − 1)),
where the last equality uses λ(v − 1) = r(k − 1), b = ar and v = ak. This proves the first part of the following lemma.

Lemma 2.11. Let M = (D_α)_{α∈A} be a mosaic of (v, k, r) tactical configurations on (X, S) with functional form f : X × S → A.
1) If every D_α is a (v, k, λ) BIBD, then f is optimally universal.
2) If M consists of (u, m, k, λ_1, λ_2) GDDs with a common point class partition, then (a) if every D_α is either semi-regular, or singular with a = 1, then f is a universal hash function; (b) if the D_α are singular with a ≥ 2, then f is not a universal hash function.
Proof. It remains to prove the second part of the lemma. We analyze the parameters of the mosaic. For distinct points x, x′,
|{s ∈ S : f(x, s) = f(x′, s)}| = aλ_1 if x, x′ are contained in the same point class, and aλ_2 else.
Since a/b = 1/r and a = v/k, we have for i = 1, 2
aλ_i / b = λ_i / r, which is at most 1/a if and only if kr ≥ λ_i v.
A singular GDD satisfies r = λ_1, and so f is a universal hash function if and only if v = k, which means that every block covers the whole point set. Equivalently, a = 1.
We do not have a simple criterion for when regular GDDs induce a universal hash function. Since a regular GDD D satisfies kr > λ_2 v by definition, one only needs to check whether kr ≥ λ_1 v. This is obviously true if λ_1 ≤ λ_2. If λ_1 > λ_2, then some parameter choices result in mosaics whose functional form is a universal hash function, while this is not true for other parameter choices.
We conclude from Lemma 2.11 that not all of the functions constructed in Section 2.6 are universal hash functions. The mosaics of singular GDDs from the family M^{(3)} have functional forms which are not universal hash functions. Conversely, there exist universal hash functions which cannot be decomposed as a mosaic of BIBDs or GDDs. For instance, the optimally universal hash function induced by the resolvable BIBD AG_{t−1}(t, q) (i.e., where the sum of the induced mosaic is AG_{t−1}(t, q)) does not have the additional substructure we require from the security functions in this paper.

Orthogonal arrays.
A v × b array M with entries from the alphabet A is called a (b, v, a) orthogonal array if every 2 × b subarray of M contains each pair of entries (α, α′) from A exactly λ = b/a^2 times as a column.
If we denote the set of rows by X and the set of columns by S, then an orthogonal array gives rise to a function f : X × S → A which associates to the pair (x, s) the symbol from A at the intersection of row x with column s. By definition, f satisfies for distinct x, x′ ∈ X and for any α, α′ ∈ A
|{s ∈ S : f(x, s) = α, f(x′, s) = α′}| = λ = b/a^2.
This means that f is an ε-almost strongly universal hash function for ε = λa/b = 1/a [31]. In particular,
|{s ∈ S : f(x, s) = f(x′, s)}| = aλ = b/a,
so f is a universal hash function with equality in (2.16). Moreover, if we set r = aλ, then
|{s ∈ S : f(x, s) = α}| = r for all x ∈ X and α ∈ A.
It is not in general the case that also
|{x ∈ X : f(x, s) = α}|   (2.18)
is constant in s and α. Assume (2.18) is constant in s and α and denote this number by k. Then M gives a mosaic of (v, k, λ) BIBDs with functional form f.

3 Semantic security from mosaics of combinatorial designs

Distances and divergences
The degree of semantic security offered by a security function when applied to a wiretap channel or in privacy amplification can be measured using various distances, divergences and entropies of probability measures. Let P, Q be probability distributions on a finite set Z. The total variation distance of P and Q is
‖P − Q‖ = (1/2) Σ_{z∈Z} |P(z) − Q(z)|.
This is a metric on the space of probability measures on Z. The χ^2 divergence
χ^2(P‖Q) = Σ_{z∈Z} (P(z) − Q(z))^2 / Q(z)
(equal to +∞ unless Q(z) = 0 implies P(z) = 0) satisfies
‖P − Q‖ ≤ (1/2) √(χ^2(P‖Q)),   (3.1)
which is an immediate consequence of Cauchy-Schwarz. The Kullback-Leibler divergence of P and Q is given by
D(P‖Q) = Σ_{z∈Z} P(z) log (P(z)/Q(z)) if P({z : Q(z) = 0}) = 0, and D(P‖Q) = +∞ else,
and the Rényi 2-divergence by
D_2(P‖Q) = log Σ_{z∈Z} P(z)^2 / Q(z),
with the same convention for the infinite case. They are nonnegative and related by [16]
D(P‖Q) ≤ D_2(P‖Q).   (3.2)
It is a straightforward calculation to show that if D_2(P‖Q) < ∞, then
χ^2(P‖Q) = exp(D_2(P‖Q)) − 1.   (3.3)
We also introduce averaged versions of these divergences. If W : X → Z is a channel, and additionally P is a probability distribution on X and Q on Z, then we set
D(W‖Q|P) = Σ_{x∈X} P(x) D(W(·|x)‖Q)
and
D_2(W‖Q|P) = log Σ_{x∈X} P(x) Σ_{z∈Z} w(z|x)^2 / Q(z),
so that exp(D_2(W‖Q|P)) is the P-average of exp(D_2(W(·|x)‖Q)). Let X, Y be discrete random variables with joint distribution P_XY. Denote the marginal distributions by P_X and P_Y and the conditional distribution of Y given the event X = x by P_{Y|X=x}. Then the mutual information of X and Y is defined by
I(X ∧ Y) = D(P_XY ‖ P_X P_Y).
The bounds obtained in the privacy amplification scenario involve Rényi 2-entropy, which for a random variable X on X is defined as
H_2(X) = − log Σ_{x∈X} P_X(x)^2.

Wiretap channel
Let f : X × S → A be the functional form of a mosaic (D_α)_{α∈A} of (v, k, r) tactical configurations and let W : X → Z be a wiretap channel. Assume that the confidential messages to be transmitted are represented by the random variable A on A. The random seed is represented by S, uniformly distributed on S and independent of A. Application of the randomized inverse of f determines the random input X to W, and the random output of W seen by Eve is denoted by Z. The joint probability distribution of these four random variables is
P_{ASXZ}(α, s, x, z) = P_A(α) · (1/b) · (1/k) N_α(x, s) · w(z|x),   (3.4)
where N_α is the incidence matrix of D_α, with rows indexed by X and columns by S. The two security metrics by which we measure the degree of security offered by f for W are defined in terms of the joint distribution of Z, S and A with a worst-case choice of A. The first security metric is defined as the mutual information between the message A and the eavesdropper's information Z, S, maximized over all possible message distributions,
max_{P_A} I(A ∧ Z, S).   (3.5)
The best case would be that Eve's observations are independent of the message, no matter what the message distribution is, in which case the mutual information would vanish. This is not achievable in general, even for a fixed message distribution. Instead, we try to make the maximum in (3.5) as small as possible. Like the other security criteria defined below, the requirement that (3.5) be small does not make any assumptions on Eve's computing power. Thus we aim for unconditional security.
Remark 3.1. For the strong secrecy criterion mentioned in Section 1.4, it is assumed that the distribution P A is fixed, so that only the corresponding I(A ∧ Z, S) has to be small. Usually, one takes A to be uniformly distributed on A.
In order to formulate the upper bound for (3.5), we need to introduce additional notation. If U is a finite set and R : U → X a channel, then the usual matrix product RW of the stochastic matrices R and W gives the channel with input alphabet U and output alphabet Z resulting from concatenating R and W . If P is a probability measure on X , then this also defines the probability measure P W on Z by regarding P as a channel with a single row.
The uniform distribution on any set X is denoted by P_X. Also, recall the Rényi 2-divergence defined in Subsection 3.1.
Theorem 3.2. 1) Let W : X → Z be a wiretap channel and let f : X × S → A be the functional form of a mosaic of (v, k, λ) BIBDs. Then max_{P_A} I(A ∧ Z, S) is bounded above by an expression in v, k, λ and the conditional Rényi 2-divergence D_2(W ‖ P_X W | P_X).
2) Let W : X → Z be a wiretap channel and let f : X × S → A be the functional form of a mosaic of (u, m, k, λ_1, λ_2) GDDs with a common point class partition Π = {X_1, . . . , X_m}. Let P_Π be the uniform distribution on Π and R_Π : Π → X the channel which associates to an element X_j of Π the uniform distribution on X_j. Then max_{P_A} I(A ∧ Z, S) is bounded above by an expression in the GDD parameters and the two conditional Rényi 2-divergences D_2(W ‖ P_X W | P_X) and D_2(R_Π W ‖ P_X W | P_Π).
This theorem is proved in Section 4. The main observation is Proposition 4.2, which both for the BIBD and the GDD case states equality between exp(D_2(P_{Z|S,A=α} ‖ P_{Z|S} | P_S)) and the respective upper bounds in the statement. Since this equality for every α only depends on D_α, it really is a statement about BIBDs and GDDs.
Clearly, a GDD with λ 1 = λ 2 is a BIBD, so the first part of the theorem is implied by the second one. The same holds for Theorems 3.3, 3.6 and 3.7 below.
An alternative measure of semantic security is formulated in terms of total variation distance. Denote the product of probability distributions P and Q by P Q. Then, with the random variables Z, S, A as defined in (3.4), we would like
max_{P_A} ‖P_{ZSA} − P_{ZS} P_A‖   (3.6)
to be small. If it equals zero, then the eavesdropper's observations are independent of the message, for all possible message distributions.
Theorem 3.3. 1) Let W : X → Z be a wiretap channel and let f : X × S → A be the functional form of a mosaic of (v, k, λ) BIBDs. Then (3.6) is bounded above by an expression in v, k, λ and D_2(W ‖ P_X W | P_X).
2) Let W : X → Z be a wiretap channel and let f : X × S → A be the functional form of a mosaic of (u, m, k, λ_1, λ_2) GDDs with a common point class partition Π. Define P_Π and R_Π as in Theorem 3.2. Then (3.6) is bounded above by an expression in the GDD parameters, D_2(W ‖ P_X W | P_X) and D_2(R_Π W ‖ P_X W | P_Π).
This theorem is also proved in Section 4. It essentially follows from Theorem 3.2 and the relations (3.1) and (3.3).
Interpretation. The importance of the bounds of Theorems 3.2 and 3.3 is that they show how much randomness k is sufficient in the randomized inverse in order to obtain a desired level of semantic security. Since v non-confidential messages can be reliably transmitted to Bob, this transforms into a lower bound on the number a of confidential messages.
The bounds of Theorems 3.2 and 3.3 can be improved by "smoothing" W . This means that the outputs of W are restricted to being "typical", i.e., outputs of low probability are cut off. This idea goes back to Renner and Wolf [29]. By smoothing, the conditional divergences can be reduced substantially at the cost of a small additive term in each bound. After smoothing, the channel will in general not be stochastic any more, but only substochastic. The proofs of the theorems remain valid for substochastic channels since they only use the nonnegativity of the entries of W . All that needs to be done is to generalize the Rényi divergences to substochastic channels like in [34].
The bounds can be evaluated by comparing them with the benchmark cases of memoryless discrete and Gaussian wiretap channels (see [9] or [34] for a definition). These wiretap channels actually are families {W n : n ≥ 1} of channels; the parameter n indicates the blocklength. For these channels, a sequence of security codes achieves asymptotic optimality as the blocklength goes to infinity if the largest possible asymptotic communication rate for confidential message transmission, the secrecy capacity, is achieved subject to the condition that either (3.5) or (3.6) goes to zero. Theorems 3.2 and 3.3 show that security functions given by suitable mosaics of BIBDs or of semi-regular GDDs achieve asymptotic optimality when applied to memoryless discrete or Gaussian wiretap channels after smoothing each W n . This holds even if the channel between Alice and Bob is not perfect, in which case the W n are concatenations of an encoder and a memoryless channel. For the proof, one proceeds like in [34]. Functional forms of block rate optimal mosaics of singular GDDs turn out to be suboptimal security functions, as discussed below.
We would like to stress, however, that the theorems hold without any further structural assumptions on the channel W . For a targeted level of security and a given channel, they can be used to determine an achievable communication rate at which confidential messages can be sent through the channel using an efficiently computable security code.
Note that both in Theorem 3.2 and Theorem 3.3, the wiretap channel enters into the upper bounds only through the conditional Rényi 2-divergences. This gives some robustness against channel variations or limited channel knowledge.
The bounds in the GDD case. Assume that N is the incidence matrix of a (u, m, k, λ_1, λ_2) GDD and w ∈ R^X a nonnegative vector. Set λ_max = max{λ_1, λ_2}. Then w^T N N^T w admits an upper bound (3.7) in terms of λ_max alone. In the proofs of the GDD cases of Theorems 3.2 and 3.3, the relation (2.5) is used with equality. By using (3.7) instead of (2.5), one obtains an upper bound of the same form as that obtained in the BIBD case of the theorems, with λ replaced by λ_max. Since the point class decomposition of X associated with the applied mosaic of GDDs will not in general have any special relation to the channel, using this looser upper bound might save the work of estimating the additional Rényi divergence or entropy and give a bound which, for the benchmark cases and for mosaics of BIBDs or of semi-regular GDDs, is asymptotically equivalent to the one appearing in the theorems. The GDD bounds of Theorems 3.2 and 3.3 can also be simplified without using the upper bound (3.7) by taking the type of the members of the mosaic M = (D_α)_{α∈A} into consideration.
In the case where the members of M are singular GDDs, every D_α is induced by a BIBD D*_α. Since the point class partitions of all D_α are the same, all D*_α have the same parameters v*, k*, λ* and form a mosaic of BIBDs. The coefficients of D_2(W ‖ P_X W | P_X) vanish, hence only the divergence involving the point class partition is relevant. In Theorem 3.2, the two nonzero coefficients are determined by k*, r* and λ* alone. In Theorem 3.3, both remaining coefficients equal (r* − λ*)/(k* r*).
Semi-regular GDDs satisfy rk = λ_2 v. Hence if M consists of semi-regular GDDs, then the three coefficients in Theorem 3.2 simplify accordingly, and they simplify further for λ_1 = 0, in particular in the case of transversal designs. The coefficients obtain a similarly simple form in Theorem 3.3.
Suboptimality of singular GDDs. When applied in Theorems 3.2 and 3.3, approximately block rate optimal mosaics of singular GDDs with a small color rate and a sufficiently large point set achieve strictly lower color rates than mosaics of BIBDs or of semi-regular GDDs at the same security level. In particular, they turn out to be asymptotically suboptimal in the case of memoryless discrete or Gaussian wiretap channels, where the size of the point set goes to infinity with increasing blocklength. This means that asymptotically optimal sequences of security functions given by mosaics of BIBDs or GDDs for these channels have block rates at least 1. We only discuss Theorem 3.2 here; the situation is analogous in Theorem 3.3. We begin with the following simple lemma which is the basis of our discussion.
Lemma 3.4. Let W : X → Z be a channel and Π = {X_1, . . . , X_m} a partition of X into sets of size u. Then
D_2(W ‖ P_X W | P_X) − log u ≤ D_2(R_Π W ‖ P_X W | P_Π) ≤ D_2(W ‖ P_X W | P_X).
Equality is possible on both sides. It holds on the left-hand side if and only if for every z ∈ Z and 1 ≤ i ≤ m, there exists at most one x ∈ X_i such that w(z|x) > 0. Equality holds on the right-hand side if and only if for every z ∈ Z and every 1 ≤ i ≤ m, the entries w(z|x) are constant for x ranging over X_i.
If one applies Theorem 3.2 with a mosaic of semi-regular GDDs, then one sees from (3.9) that a security level max_{P_A} I(A ∧ Z, S) smaller than δ > 0 is achieved by choosing log k equal to D_2(W ‖ P_X W | P_X) + log(1/δ). Since a = v/k, this results in the color rate
ϱ̃ = 1 − (D_2(W ‖ P_X W | P_X) + log(1/δ)) / log v.
The same holds in the simpler situation of mosaics of BIBDs. Now assume that ϱ̃ < 1/2. By Section 2.3, the only possibility to achieve a security level smaller than δ for the same channel W with an approximately block rate optimal mosaic could be a mosaic M of singular GDDs which is the u-fold multiple of a mosaic M* of block rate optimal BIBDs with color rate ϱ*. When Theorem 3.2 is applied with the security function determined by M, the D_2(W ‖ P_X W | P_X) term vanishes in the upper bound of Theorem 3.2. By (3.8), a security level smaller than δ is achieved by choosing log k* equal to D_2(R_Π W ‖ P_X W | P_Π) + log(1/δ), and without any further information about the channel, this latter expression can be as large as D_2(W ‖ P_X W | P_X) + log(1/δ) by Lemma 3.4. For the color rate ϱ of M, whose point set has size v = u v*, this means that
ϱ = (log v* − log k*) / log v = 1 − (log u + D_2(R_Π W ‖ P_X W | P_Π) + log(1/δ)) / log v.   (3.10)
This is at most ϱ̃, by the left-hand inequality of Lemma 3.4. In fact, for fixed ϱ̃, it is easy to see that log u / log v is bounded from below for large v. This is because the approximate block rate optimality of M requires ϱ* to be at least ϱ_0(v*, k*), which tends to 1/2 as v* grows. And if v* is kept small, then u necessarily has to be large. The loss of color rate as in (3.10) can be avoided if one knows that equality is satisfied in the left-hand inequality of Lemma 3.4 for a certain partition Π. However, an application of this in the security bounds would require knowledge of D_2(R_Π W ‖ P_X W | P_Π) and the adaptation of the point class partition of the GDDs to that of the wiretap channel, which is not necessary in the case of mosaics of BIBDs or of semi-regular GDDs.

Privacy amplification
Now we turn to privacy amplification. Assume that the random variable X is shared by Alice and Bob and that Eve observes a random variable Z correlated with X. Without loss of generality, we assume that P_Z(z) > 0 for all z ∈ Z. Moreover, Alice and Bob both are given the functional form f : X × S → A of a mosaic (D_α)_{α∈A} of (v, k, r) tactical configurations. In order to generate a secret key, Alice and Bob observe a realization x of X, choose a seed s ∈ S uniformly at random, and take α = f(x, s) as the secret key. Denote the random variable generated by applying f as described above by A. The joint distribution of X, Z, S and A is
P_{XZSA}(x, z, s, α) = P_{XZ}(x, z) · (1/b) · N_α(x, s),   (3.11)
where N_α is the incidence matrix of D_α. The key A should be nearly uniformly distributed on A and semantically secure with respect to Eve's observation. The first condition is satisfied perfectly.
Lemma 3.5. The distribution of A is uniform on A.
Proof. Note that N_α j = r j, where j denotes the all-ones vector of appropriate dimension. Hence, considering P_X as a vector in R^X and using (2.1),
P_A(α) = Σ_{x∈X} Σ_{s∈S} P_X(x) (1/b) N_α(x, s) = (1/b) P_X^T N_α j = r/b = 1/a.
For semantic security, we can again use total variation distance or mutual information as the security measure. One equivalent formulation of semantic security is the indistinguishability of two possible realizations of the secret. In terms of total variation distance, this means that for any two distinct α, α′ ∈ A, one wants ‖P_{ZS|A=α} − P_{ZS|A=α′}‖ to be uniformly small. By the triangle inequality, this is true if
‖P_{ZS|A=α} − P_Z P_S‖   (3.12)
is small, uniformly in α ∈ A (note that P_{ZS} = P_Z P_S by (3.11)). For any point class partition Π = {X_1, . . . , X_m} of X, we define the random variable X_Π with values in Π whose conditional distribution given Z is
P_{X_Π|Z}(X_i | z) = Σ_{x∈X_i} P_{X|Z}(x|z).
Then we have the following result.
Theorem 3.6. 1) Let P_XZSA be the joint distribution (3.11) generated by the functional form of a mosaic of (v, k, λ) BIBDs. Then (3.12) is bounded above, uniformly in α ∈ A, by an expression in v, k, λ and the Rényi 2-entropies H_2(X|Z = z).
2) Let P_XZSA be the joint distribution (3.11) generated by the functional form of a mosaic of (u, m, k, λ_1, λ_2) GDDs with a common point class partition Π. Then (3.12) is bounded above, uniformly in α ∈ A, by an expression in the GDD parameters and the Rényi 2-entropies H_2(X|Z = z) and H_2(X_Π|Z = z).
This is proved in Section 4 as a consequence of the next theorem.
If we prefer to measure the indistinguishability of key values with respect to Kullback-Leibler divergence, we should ensure that there exists a probability measure Q on Z × S such that P_{ZS|A=α} is close to Q in terms of Kullback-Leibler divergence, uniformly in α ∈ A. This is analogous to (3.12). If we choose Q = P_Z P_S, then we have the following bound.
Theorem 3.7. 1) Let P_XZSA be the joint distribution (3.11) generated by the functional form of a mosaic of (v, k, λ) BIBDs. Then D(P_{ZS|A=α} ‖ P_Z P_S) is bounded above, uniformly in α ∈ A, by an expression in v, k, λ and the Rényi 2-entropies H_2(X|Z = z).
2) Let P_XZSA be the joint distribution (3.11) generated by the functional form of a mosaic of (u, m, k, λ_1, λ_2) GDDs with a common point class partition Π. Then D(P_{ZS|A=α} ‖ P_Z P_S) is bounded above, uniformly in α ∈ A, by an expression in the GDD parameters and the Rényi 2-entropies H_2(X|Z = z) and H_2(X_Π|Z = z).
The theorem is proved in Section 4. As in the wiretap case, its core is Proposition 4.4, proving the equality of exp(D_2(P_{S|Z=z,A=α} ‖ P_S)) with the z-term in the upper bound.
Remark 3.8. The strong secrecy criterion usually applied in information-theoretic security for secret key generation assumes that the adversary's a priori knowledge is restricted to the true key distribution. A security function which establishes semantic security also guarantees strong secrecy, since
I(A ∧ Z, S) ≤ max_{α∈A} D(P_{ZS|A=α} ‖ P_Z P_S).   (3.13)
We prove this inequality. It is straightforward to check that for any pair of random variables X, Y on X × Y and any probability measure Q on Y, one has
I(X ∧ Y) = D(P_{Y|X} ‖ Q | P_X) − D(P_Y ‖ Q) ≤ Σ_{x∈X} P_X(x) D(P_{Y|X=x} ‖ Q) ≤ max_{x∈X} D(P_{Y|X=x} ‖ Q).
We use this with Y = (Z, S), X = A and Q = P_Z P_S. Then the right-hand side becomes max_{α∈A} D(P_{ZS|A=α} ‖ P_Z P_S). This shows (3.13).
Interpretation. The interpretation of Theorems 3.6 and 3.7 is analogous to that of Theorems 3.2 and 3.3. The number of interest is a, the size of the key space. Theorems 3.6 and 3.7 give a lower bound on the maximal possible a given a required degree of security, and show that this lower bound is achievable using the functional form of a mosaic of BIBDs or GDDs.
It is proved in [6, Corollary 4] that if the security function is a universal hash function. The upper bound is very similar to the one proved in the first part of Theorem 3.7 for mosaics of BIBDs or of semi-regular GDDs, but only gives strong secrecy. (The conditioning on the event $Z = z$ is also possible in our setting, see (4.7).) It follows that these mosaics yield the same key size as universal hash functions, while providing a stronger notion of security and generating a perfectly uniformly distributed key. Mosaics of singular GDDs only involve the $\min_z H_2(X_\Pi | Z = z)$ term and are discussed in more detail below. If Alice and Bob are connected by a public two-way channel without rate constraint, the secret-key capacity in the benchmark case of a memoryless discrete source model can be achieved by a sequential key distillation protocol guaranteeing semantic security, using functional forms of mosaics of BIBDs or suitable GDDs in the privacy amplification step (cf. [9, Theorem 4.5]).
The bounds in the GDD case. By applying (3.7), the bounds for the GDD cases of Theorems 3.6 and 3.7 can be given the same form as the ones for the BIBD case, with $\lambda$ replaced by $\lambda_{\max}$.
If the mosaic consists of singular GDDs, then the coefficient of the $H_2(X|Z=z)$ term vanishes. The second and third terms in Theorem 3.7 are where, as in the wiretap scenario, $k^*, r^*, \lambda^*$ are parameters of the underlying BIBDs.
In the case of semi-regular GDDs, one has, in the order of their appearance, the three terms $\frac{a(r-\lambda_1)}{r}$, $-\frac{a(r-\lambda_1)}{ur}$, $0$.
Similar simplifications are possible for the bounds of Theorem 3.6.
Suboptimality of singular GDDs. As in the wiretap scenario, mosaics of singular GDDs are suboptimal compared with mosaics of BIBDs or of semi-regular GDDs since they require a larger $k$ in order to achieve a comparable security level. The reasons are analogous to those for the wiretap case, based on the inequalities for any partition $\Pi = \{X_1, \dots, X_m\}$ of $X$ into sets of size $u$, and any $z \in Z$. The condition for equality in the right-hand inequality is that there exists at most one $x$ per $X_i$ with $P_{X|Z}(x|z) > 0$. On the left-hand side, equality holds if and only if $P_{X|Z}(\cdot|z)$ is constant on each $X_i$ for every $z$.
With a mosaic of BIBDs or of semi-regular GDDs, a key size $\log a$ approximately equal to $\min_z H_2(X|Z=z) + \log(1/\delta)$ gives a security level $\delta$. Now assume that the security function is given by a mosaic of singular GDDs. If one only knows $\min_z H_2(X|Z=z)$, then the largest possible key size $\log a$ by which to guarantee a security level of $\delta$ is $H_2(X|Z=z) - \log u + \log(1/\delta)$. The key can be chosen larger if one also knows $\min_z H_2(X_\Pi|Z=z)$. However, the same key size as in the case of BIBDs or semi-regular GDDs is achievable only if there exists a partition $\Pi$ such that equality is satisfied on the right-hand side of (3.14). If one knows that the joint distribution $P_{XZ}$ has this property for a partition $\Pi$, then a mosaic of singular GDDs incurs no rate loss, but the security function has to be adapted to $\Pi$.

Proof of Theorems 3.2 and 3.3
We first prove Theorem 3.2. It is sufficient to do the proof for mosaics of GDDs. We start with an upper bound on $\max_{P_A} I(A \wedge Z, S)$ in terms of Kullback-Leibler divergence. The all-ones vector of suitable dimension will be denoted by $j$, and for each $z \in Z$, we let $w_z$ be the $z$-th column of $W$ Proof. The inequality is the statement of [34, Corollary 16], whose proof we will just sketch here. The independence of $A$ and $S$ implies $I(A \wedge Z, S) \le I(A, S \wedge Z)$ using elementary properties of mutual information. The right-hand mutual information can be expressed as This gives the claimed inequality.
In order to prove that the upper bound is independent of $P_A$, we note that (3.4) and (2.1) imply Thus $P_Z$ is independent of $P_A$. Since $P_S$ and $P_{Z|S,A=\alpha}$ do not depend on $P_A$ either, this proves the lemma.
Note that, since the eavesdropper also knows S, the validity of (4.1) is not enough to guarantee security.
If we want to use (2.3) or (2.5), we need to pass from Kullback-Leibler to Rényi 2-divergence. By Lemma 4.1 and (3.2), it is sufficient to show that the upper bound of Theorem 3.2 is an upper bound for $\max_{\alpha \in A} D_2(P_{Z|S,A=\alpha} \,\|\, P_Z \,|\, P_S)$.
(4.2) $P_{Z|S,A=\alpha}$ is fully determined by $N_\alpha$ and $W$. Hence for each of the divergence terms in (4.2) it is no longer important that $N_\alpha$ is the incidence matrix of a member of a mosaic. It follows that Theorem 3.2 is a consequence of the following equality. Then $\exp D_2(P_{Z|S} \,\|\, P_Z \,|\, P_S)$ Proof. As in (4.1), one shows that $P_Z = P_X W$. Since also we can apply (2.5) and obtain In the second summand, we have For the third summand, we observe that $\sum_z w_z^T j = v$ and which follows from (2.4). Inserting all this above yields the claimed equality.
Turning to the proof of Theorem 3.3, we first state the following simple analog of Lemma 4.1.

Proof of Theorems 3.6 and 3.7
We start by proving Theorem 3.7. Define the $\mathbb{R}^{X}$-vector $p_z$ by $p_z(x) = P_{XZ}(x, z)$.
From (3.11), Lemma 3.5 and (2.1), it follows that In particular, $Z$ is independent of $A$. (Of course, since the eavesdropper also knows $S$, this is not yet enough to guarantee security.) A straightforward computation gives As in the wiretap case, one passes to Rényi 2-divergence, and so it remains to bound $D_2(P_{S|Z=z,A=\alpha} \,\|\, P_S)$, uniformly in $z$ and $\alpha$. We compute $P_{S|Z=z,A=\alpha}$ as follows. Recall the assumption that $P_Z(z) > 0$ for all $z \in Z$. Let $\alpha \in A$ and $s \in S$. The uniform distribution of $A$ and (4.6) imply that $P_{ZA}(z, \alpha) = a^{-1} p_z^T j$. Hence, again applying (2.1), This only depends on the incidence matrix $N_\alpha$, and so as in the wiretap case, we can reduce the proof of Theorem 3.7 to a proposition which holds for GDDs without any reference to mosaics.

Explicitness of Denniston's BIBD
Let $t \ge 2$ and $1 \le \ell \le t$. Set $q = 2^t$. Recall that Denniston's design $D$, defined in Section 2.6, has the point set $X = \{(x, y) \in \mathbb{F}_q^2 : Q(x, y) \in H\}$, where $Q$ is an irreducible quadratic form and $H$ a subgroup of $\mathbb{F}_q$ of order $\ell$. We will consider $\mathbb{F}_q$ as a $t$-dimensional vector space over $\mathbb{F}_2$, which makes $H$ an $\ell$-dimensional subspace of $\mathbb{F}_q$. The blocks of $D$ are given by the nontrivial intersections of lines of $AG(2, q)$ with $X$.
Proposition 5.1. There exists an H such that D is explicit.
The proof of this proposition will be done in the subsections following below. We first observe that the proposition implies that the mosaic $M^{(2)}_{t,\ell,H}$ whose members are isomorphic to $D$ is explicit. This follows from Theorem 2.9 together with the efficiency of addition and subtraction on the cyclic group $\mathbb{Z}_a$, which serves as the color set for the mosaic.

Characterization of X and S
Denote by $L_{c,d} = \{(x, cx+d) : x \in \mathbb{F}_q\}$ the line in $AG(2, q)$ with slope $c \in \mathbb{F}_q$ and intercept $d \in \mathbb{F}_q$. These are all lines of $AG(2, q)$ except the "vertical" ones with infinite slope, given by $L_{\infty,d} = \{(d, y) : y \in \mathbb{F}_q\}$, for any $d \in \mathbb{F}_q$. For these lines, we also call $d$ the intercept.
For the characterization of $X$ and $S$, we choose $H$ arbitrarily. Note that $0 \in X$. Thus every line $L_{c,0}$ ($c \in \mathbb{F}_q \cup \{\infty\}$) has nontrivial intersection $X_c$ with $X$. Since any two of these lines only meet in $0$, the union of all these $X_c$ has precisely $v = 1 + (2^t+1)(2^\ell-1) = 2^{t+\ell} + 2^\ell - 2^t$ elements, and so $X$ must equal the union of all $X_c$ by (2.14). Now assume $c \in \mathbb{F}_q$. An element $(x, cx)$ of $L_{c,0}$ is contained in $X_c$ if and only if $x^2(\eta_1 + \eta_2 c + \eta_3 c^2) \in H$, or equivalently, $x^2 \in (\eta_1 + \eta_2 c + \eta_3 c^2)^{-1} H$ (the irreducibility of $Q$ ensures that $\eta_1 + \eta_2 c + \eta_3 c^2$ is nonzero). In an analogous way one sees that $(0, y) \in X_\infty$ if and only if $y^2 \in \eta_3^{-1} H$.
Next we turn to $S$. We already noted in Section 2 that the parallel classes of $D$ are in one-to-one correspondence with those of $AG(2, q)$, i.e., with the slopes from $\mathbb{F}_q \cup \{\infty\}$.
For the description of the elements of a parallel class, we need the (absolute) trace of an element $x$ of $\mathbb{F}_q$, defined by $\mathrm{Tr}(x) = x + x^2 + \cdots + x^{2^{t-1}}$.
The trace is an $\mathbb{F}_2$-linear form from $\mathbb{F}_q$ onto $\mathbb{F}_2$. Every linear form $\xi$ from $\mathbb{F}_q$ to $\mathbb{F}_2$ corresponds to a unique element $\beta \in \mathbb{F}_q$ such that $\xi(x) = \mathrm{Tr}(\beta x)$ for all $x \in \mathbb{F}_q$ (see [25, Theorem 2.23]). We denote by $H^\perp$ the $(t - \ell)$-dimensional subspace of $\mathbb{F}_q$ consisting of those elements whose corresponding linear form vanishes on $H$.
We will also use the following facts on polynomials. The first one is [25, Theorem 2.25], the second one is elementary. Fact 5.3. 1) The polynomial $x^2 + x + \alpha$, with $\alpha \in \mathbb{F}_q$, has a root in $\mathbb{F}_q$ if and only if $\mathrm{Tr}(\alpha) = 0$.
2) Let $F(x) = \alpha x^2 + \beta x + \gamma$ be a polynomial over $\mathbb{F}_q$. Then $F(c) = 0$ if and only if $\alpha c / \beta$ is a root of We have the following lemma.
Lemma 5.4. For any $c \in \mathbb{F}_q \cup \{\infty\}$, denote by $U_c$ the set of those $d \in \mathbb{F}_q$ for which $L_{c,d}$ has nonempty intersection with $X$. If $c \in \mathbb{F}_q$, then Proof. We use Fact 5.3. Let $c, d \in \mathbb{F}_q$. For $L_{c,0}$ we already know that it has nonempty intersection with $X$, so assume $d \neq 0$. Then $L_{c,d}$ has nonempty intersection with $X$ if and only if the polynomial $F(x) = (\eta_1 + \eta_2 c + \eta_3 c^2)x^2 + \eta_2 d\, x + \eta_3 d^2$ assumes a value in $H$ for some $x \in \mathbb{F}_q$. By Fact 5.3, this is the case if and only if there exists a $z \in H$ such that $\mathrm{Tr}\left(\frac{(\eta_1 + \eta_2 c + \eta_3 c^2)(\eta_3 d^2 + z)}{\eta_2^2 d^2}\right) = 0$.
The term inside the trace can be written as The sum inside the large brackets has trace zero since $\mathrm{Tr}(\alpha) + \mathrm{Tr}(\alpha^2) = 0$ for all $\alpha \in \mathbb{F}_q$. The trace of $\eta_1 \eta_3 / \eta_2^2$ equals $1$ due to the irreducibility of $Q$. It follows that $z \in H$ satisfies $F(x) = z$ for some $x \in \mathbb{F}_q$ if and only if $\mathrm{Tr}\left(\frac{(\eta_1 + \eta_2 c + \eta_3 c^2)\, z}{\eta_2^2 d^2}\right) = 1$.
Hence a nonzero $d \in \mathbb{F}_q$ is not contained in $U_c$ if and only if $\frac{\eta_1 + \eta_2 c + \eta_3 c^2}{\eta_2^2 d^2} \in H^\perp$, which immediately shows (5.1). The proof for $c = \infty$ is analogous.
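As an added illustration (example code written for this page, not from the paper), the following Python builds Denniston's design by brute force for small $t$ and $\ell$, checks that it is a 2-$(v, 2^\ell, 1)$ design with $v = 2^{t+\ell} + 2^\ell - 2^t$, counts the blocks in each parallel class (the sets $U_c$), and then tests the trace criterion of Lemma 5.4 for $d \neq 0$ against the brute-force list of secant lines. It assumes $Q(x, y) = \eta_1 x^2 + \eta_2 xy + \eta_3 y^2$ (as the expressions above indicate), takes $H$ as the $\mathbb{F}_2$-span of $1, \alpha, \dots, \alpha^{\ell-1}$ in a polynomial basis of $\mathbb{F}_q$ with the listed defining polynomials (so the integer 2 encodes $\alpha$), and the function names are my own.

```python
from itertools import combinations
IRREDUCIBLE = {2: 0b111, 3: 0b1011, 4: 0b10011}   # defining polynomials of GF(2^t), t = 2, 3, 4

def gf_mul(a, b, t):   # product in GF(2^t); elements are ints below 2^t in the polynomial basis
    r = 0
    for _ in range(t):
        r ^= a if b & 1 else 0
        b, a = b >> 1, a << 1
        a ^= IRREDUCIBLE[t] if a >> t else 0
    return r

def trace(a, t):       # absolute trace Tr(a) = a + a^2 + ... + a^(2^(t-1)), equal to 0 or 1
    s, p = 0, a
    for _ in range(t):
        s, p = s ^ p, gf_mul(p, p, t)
    return s

def denniston(t, ell, eta):
    """Point set X and blocks of D, each block tagged with its line (c, d); c = None is vertical.
    Assumes Q(x, y) = eta1 x^2 + eta2 xy + eta3 y^2 and H = span(1, alpha, ..., alpha^(ell-1))."""
    q, (e1, e2, e3) = 1 << t, eta
    m = lambda a, b: gf_mul(a, b, t)
    Q = lambda x, y: m(e1, m(x, x)) ^ m(e2, m(x, y)) ^ m(e3, m(y, y))
    if any(Q(x, y) == 0 for x in range(q) for y in range(q) if (x, y) != (0, 0)):
        raise ValueError("Q is reducible: {Q in H} is not a Denniston arc")
    X = {(x, y) for x in range(q) for y in range(q) if Q(x, y) < (1 << ell)}   # H = ints < 2^ell
    lines = [(c, d, {(x, m(c, x) ^ d) for x in range(q)}) for c in range(q) for d in range(q)]
    lines += [(None, d, {(d, y) for y in range(q)}) for d in range(q)]
    return X, [(c, d, frozenset(L & X)) for c, d, L in lines if L & X]

def design_parameters(t, ell, eta):
    """Brute-force check of the 2-design property; returns (v, k, lambda, b, blocks per slope)."""
    X, blocks = denniston(t, ell, eta)
    sizes = {len(B) for _, _, B in blocks}                   # every secant meets X in 2^ell points
    lams = {sum(p in B and r in B for _, _, B in blocks) for p, r in combinations(X, 2)}
    per_slope = {sum(c2 == c for c2, _, _ in blocks) for c, _, _ in blocks}   # |U_c| for each c
    assert len(sizes) == len(lams) == len(per_slope) == 1, (sizes, lams, per_slope)
    return len(X), sizes.pop(), lams.pop(), len(blocks), per_slope.pop()

def lemma_54_holds(t, ell, eta):
    """For all c in F_q and d != 0: L_{c,d} misses X iff (eta1 + eta2 c + eta3 c^2)/(eta2^2 d^2) in H-perp."""
    q, (e1, e2, e3) = 1 << t, eta
    m = lambda a, b: gf_mul(a, b, t)
    secants = {(c, d) for c, d, _ in denniston(t, ell, eta)[1]}
    H_perp = {b for b in range(q) if all(trace(m(b, h), t) == 0 for h in range(1 << ell))}
    for c in range(q):
        alpha = e1 ^ m(e2, c) ^ m(e3, m(c, c))
        for d in range(1, q):
            denom = m(m(e2, e2), m(d, d))                     # alpha / denom in H_perp <=> ...
            if (alpha in {m(denom, b) for b in H_perp}) == ((c, d) in secants):   # ... not a secant
                return False
    return True
```

With $t = 3$, $\ell = 2$ and $Q = x^2 + xy + y^2$ (irreducible since $\mathrm{Tr}(1) = 1$ for odd $t$) this yields a 2-$(28, 4, 1)$ design with 63 blocks and $|U_c| = 7 = 2^t - 2^{t-\ell} + 1$ for every slope.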
Denote by $\Phi_R : [q+1] \to \mathbb{F}_2^t \cup \{\infty\}$ a $\mathrm{poly}(\log q)$ time bijection between $[q+1]$ and the set of slopes $R = \mathbb{F}_q \cup \{\infty\}$, where $\Phi_R(\tilde\imath)$ for any $\tilde\imath \in [q]$ is the representation in the basis $\Theta$ of a unique element of $\mathbb{F}_q$.
Arithmetic operations in $\mathbb{F}_q$ can be performed efficiently in $\Theta$, as well as the computation of the square root [2, Corollary 7.1.2]. Hence using $\Phi_R$ and $\Phi_H$, one obtains a mapping $\Phi_X : [v] \to \mathbb{F}_2^t$ which to every element of $[v]$ associates the $\Theta$-representation of a unique element of $X$ (see Lemma 5.2). This mapping is computable in time $\mathrm{poly}(\log v)$.
$H^\perp$ is the span of $\{\zeta_\ell, \dots, \zeta_{t-1}\}$. Denote by $T$ the change-of-basis matrix representing every $\zeta_i$ in terms of $\Theta$. Then for any $c$, there exists a bijective mapping $\Phi_{U_c} : [a] \to \mathbb{F}_2^t$ which to any element of $[a]$ first associates the $Z$-representation of an element of $(\mathbb{F}_q \setminus H^\perp) \cup \{0\}$, then changes the basis to $\Theta$ using $T$, and finally does the necessary arithmetic to obtain an element of $U_c$. The values of this mapping can be computed in time $\mathrm{poly}(t) = \mathrm{poly}(\log a)$. Now assume we are given numbers $\tilde x \in [v]$ and $\tilde\imath \in [q+1]$, corresponding to the point $(x, \tilde c x) \in X$ and the parallel class $c \in \mathbb{F}_q \cup \{\infty\}$ via $\Phi_X$ and $\Phi_R$. We want to find the intercept $d$ such that $(x, \tilde c x) \in L_{c,d}$. If $c \in \mathbb{F}_q$, then $d = (c + \tilde c)x$. If $c = \infty$, then $d = x$. It is straightforward to do these computations in $\Theta$. The result is transformed to a number from $[a]$ via $\Phi_{U_c}^{-1}$. The representation of $d$ in $[a]$ can be found from the inputs $\tilde x$ and $\tilde\imath$ in $\mathrm{poly}(\log v)$ time.

Property (D2)
Let $(c, d) \in S$ be given. We want to find the set $B_{c,d}$ of those elements of $X$ which are incident with $(c, d)$ in $D$. For $d = 0$, we have $L_{c,d} = X_c \cup \{0\}$. Now we consider the case $d \neq 0$. Let $R_{c,d} = \{\tilde c \in R : L_{c,d} \cap X_{\tilde c} \neq \emptyset\}$.
Once we know the set $R_{c,d}$, we can for every $\tilde c \in R_{c,d}$ find the unique point at the intersection of $L_{c,d}$ and $X_{\tilde c}$. If $\tilde c \in \mathbb{F}_q$, this point has the form $(x, \tilde c x)$ for $x = \frac{d}{c + \tilde c}$ (clearly, $c \neq \tilde c$). If $\tilde c = \infty$, the point at the intersection of $L_{c,d}$ and $X_\infty$ is given by $(0, d)$.