Three Authentication Schemes without Secrecy over Finite Fields and Galois Rings

Abstract

We provide three new authentication schemes without secrecy. The first two on finite fields and Galois rings, using Gray map for this link. The third construction is based on Galois rings. The main achievement in this work is to obtain optimal impersonation and substitution probabilities in the schemes. Additionally, in the first and second scheme, we simplify the source space and obtain a better relationship between the size of the message space and the key space than the one given in a recent paper. Finally, we provide a third scheme on Galois rings.

1. Introduction

In an authentication model introduced by Simmons [1], three participants: a transmitter, a receiver, and an intruder. The transmitter wants to send a message to the receiver through a public channel. Since the communication channel is public, there is the possibility that an intruder could deliberately observe or disrupt the ordinary communication. There are two types of authentication schemes: without secrecy and with secrecy [2]. In an authentication code without secrecy, the pieces of information are sent to the receiver in plaintext, and the secret key is used for authentication purposes only. In an authentication code with secrecy, the information pieces are sent to the receiver in an encrypted form.

Different messages can be sent by the receiver through the communication channel using the same secret key in an authentication scheme. The intruder observes the $i\ge 0$ distinct messages and sends a message $m^{\prime }$ to the receiver, hoping that it will be accepted as authentic. This action is known as the spoofing attack [3]. If $i=0$, it is called impersonation game, and if $i=1$, it is called the substitution game. We study the cases when $i=0$ and $i=1$ (cases considered, for example, in [4,5,6]).

The authentication schemes without secrecy are considered, for instance, in [4,5]. There are two main problems: the first problem consists of determining optimal minimal attack probabilities. The second is keeping the size of the key spaces as low as possible compared to the size of the message space, namely the product of the dimensions of the source state space and the tag space. These goals are conflicting, and thus a trade-off strategy is required. When optimal probabilities are reached, there are then inequalities regarding the size of the key space and the message space (see Theorems 2.3 and 3.1 in [6], and Theorem 14 in [7]). In this case, an optimal relationship between the sizes of the spaces can be found.

In this work, we achieve the main objective in the three schemes: to determine the minimum values for the success probabilities of impersonation and substitution attacks (related to impersonation game and substitution game). Furthermore, the spaces’ size inequalities are better in construction 1, 2 than the scheme given in [8] because here, we use a source space with more elements (giving less difference between the key space and the message space). Besides, in [8], the source space is impractical, and the proof of injection between the key space and the encoding rules is very long (approximately eight pages) and laborious. In the second scheme, we reduce the first schemes’ parameters, thus obtaining an alternative scheme. Construction 3 is a generalization, now on Galois rings, of the scheme given in [9] on finite fields. If the characteristic of the Galois ring is $p^s$, p prime, s positive integer, then there is one more variable in the scheme, s. If p is kept constant and s increases, then the values for the success probabilities of impersonation and substitution attacks decrease. If $s=1$, we have the case of [9].

We work over two structures, Galois rings and finite fields, using the Gray map to relate these. Additionally, trace function and resilient functions are introduced in these schemes. Using the composition of all these functions, we obtain balanced functions and distinct properties, for instance, Corollary 1, Theorems 9, 10 and 13.

The current construction scheme is in line with previously constructed codes using rational, non-degenerated and bent functions on Galois rings and compositions of maps and the generalized Gray map on Galois rings [10,11,12].

The paper is organized as follows: In Section 2, Galois rings are reviewed, and t-resilient functions and Gray maps definitions over these rings and finite fields are recalled. It also reviews the important properties of these functions. In Section 3, three authentication schemes without secrecy are constructed and compared with other schemes. Minimum values for the success probabilities of impersonation and substitution attacks are obtained. In Section 3.1, the general authentication scheme without secrecy scheme is recalled. In Section 3.2 a first authentication scheme using the map Gray is proposed. In Section 3.3 a second scheme using the Gray map also is presented, a modification of the first scheme. In Section 3.4 a third construction only over Galois rigs is introduced. In Section 4 the final conclusions are presented.

2. Background

A monic polynomial $h\left(x\right)\in {\mathbb{Z}}_{p^s}\left[x\right]$ is called monic basic irreducible (basic primitive) if its reduction modulo p is an irreducible polynomial (primitive polynomial) over ${\mathbb{F}}_p$. The Galois ring of characteristic $p^s$ and degree extension m, respect to ${\mathbb{Z}}_{p^s}$, can be written as:

$$\begin{array}{c}\hfill \mathrm{G}\mathrm{R}(p^s,m)={\mathbb{Z}}_{p^s}\left[x\right]/⟨h\left(x\right)⟩,\end{array}$$

where $h\left(x\right)\in {\mathbb{Z}}_{p^s}\left[x\right]$ is a monic basic irreducible polynomial of degree m and $⟨h\left(x\right)⟩$ is the ideal of ${\mathbb{Z}}_{p^s}\left[x\right]$ generated by $h\left(x\right).$

If $h\left(x\right)$ is a monic basic primitive polynomial, then it is possible to define the Teichmüller set

$${\mathcal{T}}_{GR(p^s,m)}:=\{0,1,\xi ,\dots ,{\xi }^{p^m-1}\}$$

and each element in $GR(p^s,m)$ can be written uniquely in a p-adic form,

$$\sum _{k=0}^{s-1}{b}_k{p}^k,$$

with $b_k\in {\mathcal{T}}_{GR(p^s,m)}.$ For details we refer the reader to [13,14].

Definition 1

([15]). Let $n\in {\mathbb{Z}}^{+}$, $J:=\{j_0,...,j_{t-1}\}\subset \{0,...,n-1\}$. The affine J-variety determined by $a=(a_0,...,a_{t-1})\in {\mathbb{F}}_2^t$ is

$$V_{J,a,n}:=\{x\in {\mathbb{F}}_2^n|\forall k\in \{0,...,t-1\}{x}_{j_k}=a_{j_k}\}.$$

Let $f:{\mathbb{F}}_2^n\to {\mathbb{F}}_2^m$ be a function, $m\le n$.

(1)

The function f is J-resilient if $\forall a\in {\mathbb{F}}_2^t$, the function ${f|}_{V_{J,a,n}}$ is balanced.

(2)

The function f is t-resilient if it is J-resilient for any set J such that $\left|J\right|=t$.

The above definition is also given for finite fields of any characteristic and Galois rings [16].

Let $m,n,s$ be positive integers, p prime number. Let $S=GR(p^s,mn)$ and $R=GR(p^s,m)$ be Galois rings of characteristic $p^s,$ such that S is an extension of R of degree $mn$, R an extension of ${\mathbb{Z}}_{p^s}$ of degree m, and $f:S^r\to S$ a t-resilient function. We denote $S^{\times }=S-pS,$$U\left(S\right)=(S-pS)\cup \left\{0\right\}.$ The following observations can be found in [8].

(1)

For $a\in S^{\times }$, the function $S^r\to S,x\mapsto af\left(x\right)$, is t-resilient.

(2)

For $a\in S^{\times }$, the function $S^r\to {\mathbb{Z}}_{p^s},x\mapsto T_{S/R}\left(af\left(x\right)\right)$, where $T_{S/R}:S\to R$ is the trace function, is a balanced function.

(3)

The function

$${\gamma }_{abf}:S^r\to R,{\gamma }_{abf}:x\mapsto T_{S/R}(af\left(x\right)+b·x)$$

is balanced whenever $w_H\left(b\right)\le t$, $(a,b)\in U\left(S\right)\times {\left(U\left(S\right)\right)}^r$, $(a,b)\ne (0,0)$.

(4)

The Fourier transform of the function $af$ is

$$S^r\to \mathbb{C},b\mapsto {\zeta }_{af}\left(b\right),{\zeta }_{af}\left(b\right)=\sum _{x\in S^r}{e}^{\frac{2\pi }{p^s}i{T}_{S/R}(af\left(x\right)-b·x)}.$$

which satisfies that ${\zeta }_{af}\left(b\right)=0$ because the function $x\mapsto T_{S/R}(af\left(x\right)+b·x)$ is balanced under the same conditions as the above assertion.

Consider $q=p^m$. Let us recall necessary facts [12]:

Lemma 1

([12]). Let $u\in R.$ Then,

$$\sum _{x\in R}{e}^{2\pi i{T}_{S/R}\left(ux\right)/p^s}=\left\{\begin{array}{cc}{q}^s\hfill & \mathrm{if}u=0\hfill \\ 0\hfill & \mathrm{if}u\ne 0\hfill \end{array}\right..$$

Definition 2

([12]). Let $u\in R$,

$$s\left(u\right):=\sum _{x\in R-pR}{e}^{2\pi i{T}_{R/{\mathbb{Z}}_{p^s}}\left(ux\right)/p^s}and{w}_h\left(u\right):=-\frac{1}{q}s\left(u\right)+(q^{s-1}-q^{s-2}).$$

$w_h$ is called the homogeneous weight at the ring R.

The homogeneous weight at R is given by

$$w_h\left(u\right)=\left\{\begin{array}{ccc}0\hfill & \mathrm{if}\hfill & u=0\hfill \\ q^{s-1}\hfill & \mathrm{if}\hfill & u\in p^{s-1}R-\left\{0\right\}\hfill \\ q^{s-1}-q^{s-2}\hfill & \mathrm{if}\hfill & u\in R-p^{s-1}R\hfill \end{array}\right..$$

An important tool since it provides a relationship between Galois rings and finite fields is the Gray map.

Definition 3

([10]). The Gray map on R is

$$\begin{array}{cccc}\mathrm{\Phi }:& R& \to & {\mathbb{F}}_q^{q^{s-1}}\\ & r_0+r_{1}p+\cdots +r_{s-1}{p}^{s-1}& \mapsto & {\overline{r}}_0{c}_0+{\overline{r}}_1{c}_1+\cdots +{\overline{r}}_{s-1}{c}_{s-1}\end{array}$$

$$c_i:=\left(v+{\delta }_{i0}(u-v)\otimes \cdots \otimes v+{\delta }_{is-2}(u-v)\right),i=0,\dots ,s-1,$$

and

$$v:=(1,\dots ,1)\in {\mathbb{F}}_q^q,u:=(0,\overline{\eta },{\overline{\eta }}^2,\dots ,{\overline{\eta }}^{q-1})\in {\mathbb{F}}_q^q.$$

There is an isometry between the Galois rings and the finite fields, considering the homogeneous distance and the Hamming distance.

Theorem 1

([10]). Let $u,$$v\in R.$ Then

$$d_h(u,v)=d_H(\mathrm{\Phi }\left(u\right),\mathrm{\Phi }\left(v\right)),$$

where $d_H$ is the Hamming distance and $d_h=(u,v)=w_h(u-v).$

Lemma 2

([8]). Let Φ be the Gray map on R. Then,

$$\begin{array}{c}\hfill \mathrm{\Phi }(a+b)=\mathrm{\Phi }\left(a\right)+\mathrm{\Phi }\left(b\right),\end{array}$$

for all $a\in R$ and $b\in p^{s-1}R$.

3. An Authentication Scheme without Secrecy on Galois Rings

3.1. A General Scheme without Secrecry

An authentication scheme [5] provides a method to ensure the integrity of the information when sent through a channel public. A transmitter and receiver share a secret key, which allows the receiver to verify that the message received is authentic. An authentication scheme without secrecy is a quadruple:

$$(\mathcal{S},\mathcal{T},\mathcal{K},\mathcal{E}=\{E_k:k\in \mathcal{K}\}),$$

where $\mathcal{S}$ is the source space, $\mathcal{T}$ is the tag space, $\mathcal{K}$ is the space key, and $E_k:\mathcal{S}\to \mathcal{T}$ is the encoding rule. The sets $\mathcal{S}$, $\mathcal{T},$ and $\mathcal{K}$ are assumed to be finite and not empty. Additionally, the message space is defined, $\mathcal{M}:=\mathcal{S}\times \mathcal{T}.$

A transmitter and the receiver share a secret key $k\in \mathcal{K}.$ The transmitter wants to send a piece of information (called source) $s\in \mathcal{S}$ to the receiver, then the transmitter calculates $t=E_k\left(s\right)\in \mathcal{T}$ and inserts into the public channel the message m consisting of the ordered pair $(s,t).$ The receiver, when receiving $m^{\prime }=(s^{\prime },t^{\prime })$ calculates $E_k\left(s^{\prime }\right)$ and verifies if $E_k\left(s^{\prime }\right)=t^{\prime }$; if so, the receiver accepts the message as authentic, otherwise the message is rejected. Since the communication channel is public, there is a risk that an intruder may deliberately observe, and cause a communication disturbance. It is assumed that the intruder can insert a message into the channel or replace the observed message m with another message $m^{\prime }.$ The success probabilities in these attacks (impersonation and substitution) denoted by $P_I$ and $P_S,$ are respectively [6].

$$\begin{array}{ccc}\hfill P_I& =& \underset{s\in \mathcal{S},t\in \mathcal{T}}{max}\frac{\left|\right\{k\in \mathcal{K}:E_k\left(s\right)=t\left\}\right|}{\left|\mathcal{K}\right|}\hfill \end{array}$$

(1)

$$\begin{array}{ccc}\hfill p_S& =& \underset{(s,t)\in \mathcal{S}\times \mathcal{T}}{max}\underset{(s^{\prime },t^{\prime })\in (\mathcal{S}-\left\{s\right\})\times \mathcal{T}}{max}\frac{\left|\right\{k\in \mathcal{K}:E_k\left(s\right)=t,E_k\left(s^{\prime }\right)=t^{\prime }\left\}\right|}{\left|\right\{k\in \mathcal{K}:E_k\left(s\right)=t\left\}\right|}\hfill \end{array}$$

(2)

Lower bounds are obtained for $P_I$ and $P_S$ [5]:

$$\frac{1}{\left|\mathcal{T}\right|}\le P_I,\frac{1}{\left|\mathcal{T}\right|}\le P_S.$$

Relationships between the sizes of the spaces are given.

Theorem 2

([7]). Let $\mathcal{A}$ be an authentication scheme without secrecy in which $P_I=P_S=\frac{1}{\left|\mathcal{T}\right|}$. Then

$$\left|\mathcal{K}\right|\ge \left|\mathcal{S}\right|\left(\right|\mathcal{T}|-1)+1 if\left|\mathcal{S}\right|\ge \left|\mathcal{T}\right|+1and\left|\mathcal{K}\right|\ge {\left|\mathcal{T}\right|}^2 if\left|\mathcal{S}\right|\le \left|\mathcal{T}\right|+1.$$

The authentication scheme is optimal if the equality $\left|\mathcal{K}\right|=\left|\mathcal{S}\right|\left(\right|\mathcal{T}|-1)+1$ if $\left|\mathcal{S}\right|\ge \left|\mathcal{T}\right|+1.$

In this way, the relationship between the cardinality of the source space and the tag space is compromised by obtaining the minimum bounds for $P_I$ and $P_S$.

3.2. A First Construction Using Gray Map

We give an authentication scheme without secrecy. Encoding rules with domain in a Galois ring and image over a finite field, using Gray map, trace map, and resilient functions are given. We obtain minimum bounds in success probabilities in impersonation and substitution attacks.

In [8] there are a tedious source space and a long injection proof between key space and encoding maps, eight pages approximately. Here we simplify the source space increasing its number of elements, obtaining a better relation between message space and key space. The reader can see the link between the message space and key space in [6]. On the other hand, we reduce the injection proof of [8] mainly due to Gray map properties, the new source space, and Theorem 3.

Let $n>s,p>2,$ and $L:=\{l_0+l_{1}p+\cdots +l_{s-2}{p}^{s-2}|l_0,\dots ,l_{s-2}\in {\mathcal{T}}_R\}.$ We can see that $⟨p^{s-1}⟩=\left\{a{p}^{s-1}\right|a\in {\mathcal{T}}_R\}$. If $a,b\in L,$ then $a-b\in (R-p^{s-1}R)\cup \left\{0\right\}$.

Let $f:S^r⟶S$ be a t-resilient function, $r,t\in {\mathbb{Z}}^{+},$$r>t>1,$ and $\mathrm{\Phi }:R\to {\mathbb{F}}_q^{q^{s-1}}$ be the Gray map. We build the following authentication scheme,

$$\begin{array}{c}\hfill {\mathcal{A}}_1=(\mathcal{S},\mathcal{T},\mathcal{K},\mathcal{E}):\end{array}$$

(3)

$$\begin{array}{ccc}& & \mathcal{S}:=U\left(S\right)\times \{(b_1,\dots ,b_{t-1},0\dots ,0),(0,\dots ,0,b_t,0,\dots ,0),\dots ,(0,\dots ,0,b_r)\}\hfill \\ & & \times L,b_i\in U\left(S\right),i=1,\dots ,r,if(a,b,c)\in \mathcal{S},(a,b)\ne (0,0),\hfill \\ & & \mathcal{T}:={\mathbb{F}}_q,\hfill \\ & & \mathcal{K}:={\mathbb{Z}}_{q^{s(nr+1)}},\hfill \\ & & \mathcal{E}:=\{E_k\left(s\right)=p{r}_k\left(u_s\right),k\in \mathcal{K},s\in \mathcal{S}\}.\hfill \end{array}$$

where $s=(a,b,c)\in \mathcal{S}$, $\beta \in p^{s-1}R=\left\{{\beta }_1,{\beta }_2,\dots ,{\beta }_q\right\}$,

$$\begin{array}{cc}\hfill & v_{s,\beta }\left(x\right)=\beta +T_{S/R}(af\left(x\right)+b·x)+c,\hfill \\ \hfill & u_{s,\beta }={\left(\mathrm{\Phi }\left(v_{s,\beta }\left(x\right)\right)\right)}_{x\in S^r},\hfill \\ \hfill & u_s={\left(u_{s,\beta }\right)}_{\beta \in p^{s-1}R},\hfill \end{array}$$

and $p{r}_k$ the projection function ${\mathbb{Z}}_q^{q^{s(nr+1)}}$ to ${\mathbb{F}}_q$, sending $u_s$ to the k-th coordinate.

We can see that

$\left|\mathcal{S}\right|=\left[\left[(q^n-1)q^{n(s-1)}+1\right]\left[{\left((q^n-1)q^{n(s-1)}+1\right)}^{t-1}+W\right]-1\right]·q^{s-1}$,

$\left|\mathcal{T}\right|=q,$$\left|\mathcal{K}\right|=\left|\mathcal{E}\right|=q^{s(nr+1)},$

where

$W=(r-t+1)·\left[(q^n-1)q^{n(s-1)}+1\right].$

The size of $\mathcal{S}$ is greater than the respective space in the first scheme given in [8], and the tag space is similar. Therefore, in this work $\left|\mathcal{K}\right|$ and $\left|\mathcal{S}\right|\left(\right|\mathcal{T}|-1)+1$ are closer, obtaining then (following the Theorem 2) a better relationship between the spaces.

Please note that the source space can be considered to be

$$\begin{array}{ccc}& & \mathcal{S}:=\{a\in U\left(S\right)\}\times \{b\in S^r|b=(b_1,\dots ,b_r),b_i\in U\left(S\right),w_H\left(b\right)\le \frac{t}{2}\times L\},\hfill \\ & & (a,b)\ne (0,0).\hfill \end{array}$$

In this case, $\left|\mathcal{S}\right|=\left[\left[\left((q^n-1)q^{n(s-1)}+1\right)·W\right]-1\right]·q^{s-1}$,

where

$W=C(r,1)W_0+C(r,2)W_0^2+\cdots +C(r,t/2)W_0^{t/2}+1.$

$W_0=(q^n-1)q^{n(s-1)}.$

Before resolving the injection problem, we give the next results.

Theorem 3.

Let $n>s,$$a\in S,$$a\ne 0$, and $b\in p^{s-1}R$. Then exists an element $a_0\in S^{\times }$ such that $T_{S/R}\left(a_{0}a\right)=b.$

Proof. 

We know that there are $q^{n(s-1)}$ zero divisors in S. Given $b\in p^{s-1}R,$ there are $(q^{sn}/q^s)=q^{sn-s}$ elements a in S such that $T_{S/R}\left(a\right)=b.$ As $n>s$, then

$$q^{sn-s}=\frac{q^{sn}}{q^s}>\frac{q^{sn}}{q^n}=q^{sn-n}=q^{n(s-1)}.$$

Let $a\in S^{\times }.$ Hence there is at least an element $a_0$ in $S^{\times }$ such that $T_{S/R}\left(a_{0}a\right)=b$ if $b\in S.$

Let $a\in pS$. In particular $a=p^i{a}^{\prime },1\le i\le s-1,$$a^{\prime }\in S^{\times }.$ There is $a_0$ in $S^{\times }$ such that $T_{S/R}\left(a_0{a}^{\prime }\right)=b_0,$$b_0\in p^{s-i-1}R.$

$$T_{S/R}\left(a_{0}a\right)=p^i{T}_{S/R}\left(a_0{a}^{\prime }\right)=p^i{b}_0=b\in p^{s-1}R.$$

□

We will consider ${\mathrm{\Phi }}_w$ the value in the w coordinate of $\mathrm{\Phi },$$1\le w\le q^{s-1}.$

Remark 1

([8]). Let $c=r_0+r_{1}p+\cdots +r_{s-2}{p}^{s-2}\in L.$ Then

$$\begin{array}{c}\hfill \mathrm{\Phi }\left(c\right)={\overline{r}}_0{c}_0+{\overline{r}}_1{c}_1+\cdots +{\overline{r}}_{s-2}{c}_{s-2}.\end{array}$$

Consider two coordinates $k,$ j of $\mathrm{\Phi }\left(c\right).$

If $k-j$ is not a multiple of q, then take c such that only $r_{s-2}\ne 0$. In this case ${\mathrm{\Phi }}_k\left(c\right)$ and ${\mathrm{\Phi }}_j\left(c\right)$ values are different.

If $k-j$ is multiple of q such that $q^i\le k-j<q^{i+1},$$i=0,1,\dots ,s-2$ and $i+1+l=s-1$, then take $c\in L$ such that only $r_l\ne 0$. In this case the two coordinates k and j of $\mathrm{\Phi }\left(c\right)$ are different.

If $k-j$ is a multiple of q such that $k-j=q^{s-1}$, then take $c\in L$ such that only $r_0\ne 0$. In this case ${\mathrm{\Phi }}_k\left(c\right)$ and ${\mathrm{\Phi }}_j\left(c\right)$ values are different.

Remark 2.

If $q-1$ is an even number and $\xi \in T_R$ a generator, then $-\xi \in T_R$ or $-1\in T_R.$ In any case, if $x^d\in T_R,$$d\in \{1,\dots ,q-1\},$ hence $-x^d\in T_R.$ Therefore, if

$$a_0+a_{1}p+\cdots +a_{s-2}{p}^{s-2}\in R$$

is in p-adic form, then

$$-a_0-a_{1}p-\cdots -a_{s-2}{p}^{s-2}\in R$$

is also in its p-adic form.

Theorem 4.

Let the function $H:\mathcal{K}⟶\mathcal{E}$ be given by $H\left(k\right)=E_k.$ Then H is a bijective function.

Proof. 

Note we need to prove the following:

Let $k_1\ne k_2$ coordinates of $u_s.$ If $p{r}_{k_1}\left(u_s\right)\ne p{r}_{k_2}\left(u_s\right)$ for an element $s\in \mathcal{S},$ then H is a bijective function.

We compare all the possibles coordinate pairs of $u_s$ considering its length by parts. Let us consider three cases.

Case 1: Two coordinates of $\mathrm{\Phi }\left(v_{s,\beta }\left(x\right)\right),$$x\in S^r,$$\beta \in p^{s-1}R.$

Case 2: A coordinate of $\mathrm{\Phi }\left(v_{s,\beta }\left(x\right)\right)$ and a coordinate of $\mathrm{\Phi }\left(v_{s,\beta }\left(y\right)\right),$$x\ne y,$$x,y\in S^r,$$\beta \in p^{s-1}R.$

Case 3: A coordinate of $\mathrm{\Phi }(v_{s,{\beta }_i}\left(x\right))$ and a coordinate of $\mathrm{\Phi }(v_{s,{\beta }_j}\left(y\right)),$${\beta }_i\ne {\beta }_j,$${\beta }_i,{\beta }_j\in p^{s-1}R:$ two cases, $x=y$ and $x\ne y.$

Case 1:

Let $x\in S^r$ and the first two coordinates $(a,b)$ of $\mathcal{S}.$ If

$$T_{S/R}(af\left(x\right)+b·x)=a_0+\cdots +a_k{p}^k+\cdots +a_{s-2}{p}^{s-2}+a_{s-1}{p}^{s-1},$$

by Remark 2 we can take $c=-a_0+\cdots +c_k{p}^k+\cdots +(-a_{s-2}{p}^{s-2})\in L$ such that:

If $a_k\ne 0,$ then $c_k=0.$ Thus, $T_{S/R}(af\left(x\right)+b·x)+c=a_k{p}^k+a_{s-1}{p}^{s-1},$

If $a_k=0,$ then $c_k\ne 0.$ Thus, $T_{S/R}(af\left(x\right)+b·x)+c=c_k{p}^k+a_{s-1}{p}^{s-1}.$

Therefore if $s=(a,b,c)\in \mathcal{S}$ as above, given two coordinates of $\mathrm{\Phi }\left(v_{s,\beta }\left(x\right)\right),$$\beta \in p^{s-1}R,$ these are distinct. It follows from Remark 1 and Lemma 2.

Case 2:

Let us pick a coordinate of $\mathrm{\Phi }\left(v_{s,\beta }\left(x\right)\right)$ and a coordinate of $\mathrm{\Phi }\left(v_{s,\beta }\left(y\right)\right),$ $x\ne y.$

In a first place we consider the same coordinate w in $\mathrm{\Phi }\left(v_{s,\beta }\left(x\right)\right)$ and in $\mathrm{\Phi }\left(v_{s,\beta }\left(y\right)\right),$ that means ${\mathrm{\Phi }}_w\left(v_{s,\beta }\left(x\right)\right)$ and ${\mathrm{\Phi }}_w\left(v_{s,\beta }\left(y\right)\right).$

Let $a=0$ and $c=0$. We know that exists a k entry such that $x_k-y_k\ne 0$ (of $x-y$). By Theorem 3 we can choose an element $b\in {(S-pS)}^r,$$b_k\ne 0,$ and $b_j=0,j\ne k$ such that $T_{S/R}\left(b(x_k-y_k)\right)\in p^{s-1}R-\left\{0\right\}.$ Hence, if

$$T_{S/R}\left(b{x}_k\right)=b_0+b_{1}p+\cdots +b_{s-2}{p}^{s-2}+b_{s-1}{p}^{s-1}$$

and

$$T_{S/R}\left(b{y}_k\right)=b_0^{\prime }+b_1^{\prime }p+\cdots +b_{s-2}^{\prime }{p}^{s-2}+b_{s-1}^{\prime }{p}^{s-1},$$

then $b_0=b_0^{\prime },b_1=b_1^{\prime },\dots ,b_{s-2}=b_{s-2}^{\prime },$$b_{s-1}\ne b_{s-1}^{\prime }.$

So that ${\mathrm{\Phi }}_w\left(T_{S/R}\left(b{x}_k\right)\right)\ne {\mathrm{\Phi }}_w\left(T_{S/R}\left(b{y}_k\right)\right).$ Therefore ${\mathrm{\Phi }}_w\left(v_{s,\beta }\left(x\right)\right)\ne {\mathrm{\Phi }}_w\left(v_{s,\beta }\left(y\right)\right)$ with $s=(0,b,0)$.

We now consider distinct coordinates $w_1,$$w_2$ in $\mathrm{\Phi }\left(v_{s,\beta }\left(x\right)\right)$ and in $\mathrm{\Phi }\left(v_{s,\beta }\left(y\right)\right).$ Similarly as above,

$$T_{S/R}\left(b{x}_k\right)=b_0+b_{1}p+\cdots +b_{s-2}{p}^{s-2}+b_{s-1}{p}^{s-1}$$

and

$$T_{S/R}\left(b{y}_k\right)=b_0+b_{1}p+\cdots +b_{s-2}{p}^{s-2}+b_{s-1}^{\prime }{p}^{s-1},$$

$b_{s-1}\ne b_{s-1}^{\prime }.$ If $a=0$ and $c=-b_0-b_{1}p-\cdots -b_{s-2}{p}^{s-2}$ (p-adic form by Remark 2), then ${\mathrm{\Phi }}_{w_1}\left(v_{s,\beta }\left(x\right)\right)={\mathrm{\Phi }}_{w_1}(\beta +b_{s-1}{p}^{s-1})\ne {\mathrm{\Phi }}_{w_2}(\beta +b_{s-1}^{\prime }{p}^{s-1})={\mathrm{\Phi }}_{w_2}\left(v_{s,\beta }\left(y\right)\right).$

Case 3:

Let ${\beta }_i\ne {\beta }_j,$${\beta }_i,{\beta }_j\in pR,$$(a,b,c)\in \mathcal{S}.$ If $x=y,$$x,y\in S^r,$ then

$${\mathrm{\Phi }}_w\left(v_{s,{\beta }_i}\left(x\right)\right)\ne {\mathrm{\Phi }}_w(v_{s,{\beta }_j}\left(y\right)).$$

In otherwise we would have ${\beta }_i={\beta }_j.$

Let two distinct elements $w_1$, $w_2$. Let an entry k of x, $x_k\ne 0$. By Theorem 3, there is a b such that $T_{S/R}\left(b_k{x}_k\right)\in p^{s-1}R$ ($b_k,$ k-th coordinate of $b\in {(S-pS)}^r$) and $b_j=0,j\ne k$; from here ${\varphi }_{w_1}(b·x)={\varphi }_{w_2}(b·y).$ On the other hand, ${\varphi }_{w_1}\left({\beta }_i\right)\ne {\varphi }_{w_2}\left({\beta }_j\right).$ Therefore $a=0$ and $c=0,$ and by Lemma 2, ${\mathrm{\Phi }}_{w_1}\left(v_{s,{\beta }_i}\left(x\right)\right)\ne {\mathrm{\Phi }}_w(v_{s,{\beta }_j}\left(y\right)).$

Let $x\ne y$, $a=0$ and $c=0$. Using Theorem 3, we know exists $b\in {(S-pS)}^r,$ such that $T_{S/R}\left(b_k(x_k-y_k)\right)=0$, where $b_k\in S-pS$ and $b_j=0,j\ne k.$ Then,

$${\mathrm{\Phi }}_w\left(v_{s,{\beta }_i}\left(x\right)\right)\ne {\mathrm{\Phi }}_w(v_{s,{\beta }_j}\left(y\right))$$

follows from Lemma 2.

Finally, the case $x\ne y$ and distinct coordinates. Let $a=0,$ and similar to above we find $b_k\in S-pS$ such that $T_{S/R}\left(b_k(x_k-y_k)\right)=0.$ Hence,

$$T_{S/R}(b·x)=b_0+b_{1}p+\cdots +b_{s-2}{p}^{s-2}+b_{s-1}{p}^{s-1}$$

and

$$T_{S/R}(b·y)=b_0+b_{1}p+\cdots +b_{s-2}{p}^{s-2}+b_{s-1}{p}^{s-1}.$$

Then, we consider, $c=-b_0-b_{1}p-\cdots -b_{s-2}{p}^{s-2}$. Therefore,

$${\mathrm{\Phi }}_{w_1}\left(v_{s,{\beta }_i}\left(x\right)\right)\ne {\mathrm{\Phi }}_{w_2}(v_{s,{\beta }_j}\left(y\right))$$

follows from Lemma 2.

The distinct above cases conclude the proof. □

The procedure to obtain bound for $P_I$ and $P_S$ is similar to Proposition 4 of [8]. We give this result for granted.

Theorem 5.

The scheme ${\mathcal{A}}_1$ satisfy,

$$P_I=\frac{1}{q}and{P}_S=\frac{1}{q}.$$

3.3. A Second Construction Using Map Gray

In this authentication scheme, we remove a parameter from the first scheme, thus reducing the key spaces’ size; however, it is necessary to reduce the size of the source space. We obtain minimum bounds in success probabilities in impersonation and substitution attacks. To show that the minimum values for $P_I$ and $P_S$ are obtained, we find balanced functions in the composition of the Gray map, the trace and the resilient functions on Galois rings.

Let us recall that $S=GR(p^s,mn),$$R=GR(p^s,m),$ and L as the scheme ${\mathcal{A}}_1.$ Let $f:S^r⟶S$ be a t-resilient function, $p>2,$$n>s$, $r,t\in {\mathbb{Z}}^{+},$$r>t>1,$ and $\mathrm{\Phi }:R\to {\mathbb{F}}_q^{q^{s-1}}$ be the Gray map. We build the following authentication scheme,

$$\begin{array}{c}\hfill {\mathcal{A}}_2=(\mathcal{S},\mathcal{T},\mathcal{K},\mathcal{E}):\end{array}$$

(4)

$$\begin{array}{ccc}& & \mathcal{S}:=\left(\left\{1\right\}\times \{(b_1,\dots ,b_{t-1},0,\dots ,0),(0,\dots ,0,b_t,0,\dots ,0),\dots ,(0,\dots ,0,b_r)\}\times L\right)\hfill \\ & & \cup \left(\left\{0\right\}\times \{(b_1^{\prime },0,\dots ,0),\dots ,(0,\dots ,0,b_r^{\prime })\}\times L\right),b_i\in U\left(S\right),b_i^{\prime }\in S-pS,i=1,\dots ,r,\hfill \\ & & \mathcal{T}:={\mathbb{F}}_q,\hfill \\ & & \mathcal{K}:={\mathbb{Z}}_{q^{s(nr+1)-1}},\hfill \\ & & \mathcal{E}:=\{E_k\left(s\right)=p{r}_k\left(u_s\right),k\in \mathcal{K},s\in \mathcal{S}\}.\hfill \end{array}$$

where $s=(a,b,c)\in \mathcal{S}$,

$$\begin{array}{cc}\hfill & v_s\left(x\right)=T_{S/R}(af\left(x\right)+b·x)+c,\hfill \\ \hfill & u_s={\left(\mathrm{\Phi }\left(v_s\left(x\right)\right)\right)}_{x\in S^r},\hfill \end{array}$$

and $p{r}_k$ the projection function ${\mathbb{Z}}_q^{q^{s(nr+1)-1}}$ to ${\mathbb{F}}_q$, sending $u_s$ to the k-th coordinate.

We can see that $\left|\mathcal{S}\right|=\left[{\left((q^n-1)q^{n(s-1)}+1\right)}^{t-1}+W\right]·q^{s-1}$, $\left|\mathcal{T}\right|=q,$$\left|\mathcal{K}\right|=\left|\mathcal{E}\right|=q^{s(nr+1)-1},$ where

$W=(r-t+1)·\left[(q^n-1)q^{n(s-1)}+1\right]+r(q^n-1)q^{n(s-1)}$.

Theorem 6.

Let the function $H:\mathcal{K}⟶\mathcal{E}$ be given by $H\left(k\right)=E_k.$ Then H is a bijective function.

Proof. 

Note we need to prove the following:

Let $k_1\ne k_2$ coordinates of $u_s.$ If $p{r}_{k_1}\left(u_s\right)\ne p{r}_{k_2}\left(u_s\right)$ for an element $s\in \mathcal{S},$ then H is a bijective function.

We compare all the possibles coordinate pairs of $u_s$ considering its length by parts. Let us consider 2 cases.

Case 1: Two coordinates of $\mathrm{\Phi }\left(v_s\left(x\right)\right),$$x\in S^r.$

Case 2: A coordinate of $\mathrm{\Phi }\left(v_s\left(x\right)\right)$ and a coordinate of $\mathrm{\Phi }\left(v_s\left(y\right)\right),$$x\ne y,$$x,y\in S^r.$

We can see that the proof of these two cases is similar to the first two cases of the demonstration of Theorem 4, since in this proof only $\beta =0$ is considered. Additionally, we know that the image of an element $\beta \in p^{s-1}R$ under the Gray map is a vector with all equal entries.

To find $P_I$ and $P_S$, we give the following results. □

Let $c_i\in {\mathbb{F}}_q^{q-1}$ be the vectors in the image of the Gray map given in Definition 3, $i=0,\dots ,s-1.$

Theorem 7.

The sum of two or more elements of the vector set $\{c_0,c_1,\dots ,c_{s-2}\}$ as above has the form

$${\left[{\left[P_0\left(c_l^{\prime }\right)\right]}_{q^{l-r-1}},{\left[P_1\left(c_l^{\prime }\right)\right]}_{q^{l-r-1}},\dots ,{\left[P_{q-1}\left(c_l^{\prime }\right)\right]}_{q^{l-r-1}}\right]}_{q^r},$$

where

$$c_l^{\prime }=\left[{\left[0\right]}_{q^{s-l-2}},{\left[\xi \right]}_{q^{s-l-2}},\dots ,{\left[{\xi }^{q-1}\right]}_{q^{s-l-2}}\right],$$

$P_i,$$i=0,1,\dots ,q-1$ are arbitrary permutations of the vectors ${\left[\zeta \right]}_{q^{s-l-2}}$ in $c_l^{\prime },$$\zeta \in {\mathbb{F}}_q$, and $c_l$ and $c_r$ are the last and second last terms of the sum, respectively, in increasing order of the indexes.

Proof. 

The claim is proved by mathematical induction.

Basis step:

Let two summands, $c_j$ and $c_i$, $j<i$, $j\in \{0,\dots ,s-3\},$$i\in \{1,\dots ,s-2\}$. We know that

$$c_j={\left[{\left[0\right]}_{q^{s-j-2}},{\left[\xi \right]}_{q^{s-j-2}},\dots ,{\left[{\xi }^{q-1}\right]}_{q^{s-j-2}}\right]}_{q^j}$$

and

$$c_i={\left[{\left[0\right]}_{q^{s-i-2}},{\left[\xi \right]}_{q^{s-i-2}},\dots ,{\left[{\xi }^{q-1}\right]}_{q^{s-i-2}}\right]}_{q^i}.$$

Please note that

$$c_i={\left[{\left[{\left[{\left[0\right]}_{q^{s-i-2}},{\left[\xi \right]}_{q^{s-i-2}},\dots ,{\left[{\xi }^{q-1}\right]}_{q^{s-i-2}}\right]}_{q^{i-j-1}}\right]}_q\right]}_{q^j}.$$

which indicates that each vector ${\left[\zeta \right]}_{q^{s-j-2}}$ of $c_j$ has exactly $q^{i-j-1}$ times the length of the vector $c_i^{\prime }$. Then,

$$c_j+c_i={\left[{\left[P0\left(c_i^{\prime }\right)\right]}_{q^{i-j-1}},{\left[P\xi \left(c_i^{\prime }\right)\right]}_{q^{i-j-1}},\dots ,{\left[P{\xi }^{q-1}\left(c_i^{\prime }\right)\right]}_{q^{i-j-1}}\right]}_{q^j},$$

$$P\zeta \left(c_i^{\prime }\right):={\left[\zeta \right]}_{q^{s-j-2}}+{\left[c_i^{\prime }\right]}_{q^{i-j-1}}=\left[{[\zeta +0]}_{q^{s-i-2}},{[\zeta +\xi ]}_{q^{s-i-2}},\dots ,{[\zeta +{\xi }^{q-1}]}_{q^{s-i-2}}\right],$$

$\zeta \in {\mathbb{F}}_q$.

Inductive step:

Suppose that we have the sum of $k-1$ vectors (the sum in increasing order with respect to indexes) of the set $\{c_0,c_1,\dots ,c_{s-2}\}$ found in the image of the Gray map, where the second last vector is r and the last is l:

$${\left[{\left[P_0\left(c_l^{\prime }\right)\right]}_{q^{l-r-1}},{\left[P_1\left(c_l^{\prime }\right)\right]}_{q^{l-r-1}},\dots ,{\left[P_{q-1}\left(c_l^{\prime }\right)\right]}_{q^{l-r-1}}\right]}_{q^r}.$$

Now, a k-th vector, $c_v$, is added to the resulting sum above:

$${\left[{\left[P_0\left(c_l^{\prime }\right)\right]}_{q^{l-r-1}},{\left[P_1\left(c_l^{\prime }\right)\right]}_{q^{l-r-1}},\dots ,{\left[P_{q-1}\left(c_l^{\prime }\right)\right]}_{q^{l-r-1}}\right]}_{q^r}+{\left[{\left[{\left[c_v^{\prime }\right]}_{q^{v-l}}\right]}_{q^{l-r-1}q}\right]}_{q^r}$$

$$={\left[{\left[P0\left(P_0\left(c_l^{\prime }\right)\right)\right]}_{q^{v-l-1}},{\left[P\xi \left(P_1\left(c_l^{\prime }\right)\right)\right]}_{q^{v-l-1}},\dots ,{\left[P{\xi }^{q-1}\left(P_{q-1}\left(c_l^{\prime }\right)\right)\right]}_{q^{v-l-1}}\right]}_{q^l},$$

where

$$c_v={\left[{\left[{\left[c_v^{\prime }\right]}_{q^{v-l-1}}\right]}_q\right]}_{q^l}={\left[{\left[{\left[c_v^{\prime }\right]}_{q^{v-l}}\right]}_{q^{l-r-1}q}\right]}_{q^r}.$$

Observe that ${\left[c_v^{\prime }\right]}_{q^{v-l}}$ has length $q^{s-l-1}.$ This completes the inductive step.

So by mathematical induction we prove the statement of the theorem. □

Let $c_i\in {\mathbb{F}}_q^{q-1}$ be the vectors in the image of the Gray map given in Definition 3, $i=0,\dots ,s-1.$

Corollary 1.

Let $c_0,c_1,\dots ,c_{s-2}$, be $s-1$ vectors as above. Then, in the sum of at most $s-1$ of those terms, every element $t\in {\mathbb{F}}_q$ is in $q^{s-2}$ entries.

Proof. 

Consider a finite sum, such that the vectors $c_v$ and $c_l$ are the last and second last terms of the sum, respectively, in increasing order of the indexes. The resulting vector is conformed by a permutation of the vectors ${\left[\zeta \right]}_{q^{s-l-2}}$ in $c_v^{\prime },$ where

$$c_v={\left[{\left[{\left[c_v^{\prime }\right]}_{q^{v-l-1}}\right]}_q\right]}_{q^l}$$

$$c_v^{\prime }=\left[{\left[0\right]}_{q^{s-v-2}},{\left[\xi \right]}_{q^{s-v-2}},\dots ,{\left[{\xi }^{q-1}\right]}_{q^{s-v-2}}\right].$$

It follows from Theorem 7.

Then, the number of entries equal to a value $t\in {\mathbb{F}}_q$ is equal to $q^{s-2}$, being that each element ${\left[\zeta \right]}_{q^{s-v-2}}$ of $c_v^{\prime }$ is repeated $q^{v-l-1}q{q}^l=q^v$ times in $c_v.$ □

Corollary 2.

Let $c,c^{\circ }\in \{a_0{c}_0+a_1{c}_1+\cdots +a_{s-2}{c}_{s-2}|a_0,a_1,\dots ,a_{s-2}\in {\mathcal{T}}_R\}$, $c\ne c^{\circ }$. Then $\{k\in {\mathbb{Z}}_{q^{s-1}}|{\mathrm{\Phi }}_k\left(c\right)=t,{\mathrm{\Phi }}_k\left(c^{\circ }\right)=t^{\prime }\}=q^{s-3}$.

Proof. 

By proof of Theorem 7, c and $c^{\circ }$ can be obtained from vectors $c_j$ and $c_i,$$i,j\in \{0,1,\dots ,s-2\},$$j<i,$ giving the respective permutations of vectors ${\left[\zeta \right]}_{q^{s-j-2}}$ and ${\left[\zeta \right]}_{q^{s-i-2}}$ in these. Where

$$c_j={\left[{\left[0\right]}_{q^{s-j-2}},{\left[\xi \right]}_{q^{s-j-2}},\dots ,{\left[{\xi }^{q-1}\right]}_{q^{s-j-2}}\right]}_{q^j}$$

and

$$c_i={\left[{\left[{\left[{\left[0\right]}_{q^{s-i-2}},{\left[\xi \right]}_{q^{s-i-2}},\dots ,{\left[{\xi }^{q-1}\right]}_{q^{s-i-2}}\right]}_{q^{i-j-1}}\right]}_q\right]}_{q^j}.$$

We can see that any element in ${\mathbb{F}}_q$ is repeated in the same coordinates of $c_i$ and $c_j$, $q^{s-i-2}{q}^{i-j-1}{q}^j=q^{s-j-3}$ times.

Please note that different from Corollary 3, here the sum of the elements $c_0,c_1,\dots ,c_{s-2}$ have coefficients, but this does not represent a problem, since we would only have additionally permutations of elements of c and $c^{\circ }.$ □

The following theorem is a generalization of Proposition 3 of [9], now on Galois rings.

Theorem 8.

Let $f:S^r\to S$ be a t-resilient function and let $(a_1,b_1,c_1),(a_2,b_2,c_2)\in \mathcal{S}$ such that $(a_1,b_1)\ne (a_2,b_2),$$u_1,u_2\in R,$ and

$$\begin{array}{ccc}& & N(f;a_1,b_1,c_1,a_2,b_2,c_2;u_1,u_2)\hfill \\ & =& \left|\right\{x\in S^r:T_{S/R}(a_{1}f\left(x\right)+b_1·x)+c_1=u_1,T_{S/R}(a_{2}f\left(x\right)+b_2·x)+c_2=u_2\left\}\right|.\hfill \end{array}$$

Then,

$$N(f;a_1,b_1,c_1,a_2,b_2,c_2;u_1,u_2)=q^{snr-2s}.$$

Proof. 

There are the following equalities

$$\begin{array}{ccc}& & q^{2s}N(f;a_1,b_1,a_2,b_2;u_1,u_2)\hfill \\ & =& \sum _{x\in S^r}\left[\sum _{y_1\in R}{e}^{2\pi i{T}_{R/{\mathbb{Z}}_{p^s}}\left(y_1(T_{S/R}(a_{1}f\left(x\right)+b_1·x)+c_1-u_1)\right)/p^s}\right]\hfill \\ & & \left[\sum _{y_2\in R}{e}^{2\pi i{T}_{R/{\mathbb{Z}}_{p^s}}\left(y_2(T_{S/R}(a_{2}f\left(x\right)+b_2·x)+c_2-u_2)\right)/p^s}\right]\hfill \\ & =& \sum _{x\in S^r}\sum _{y_1\in R}\sum _{y_2\in R}{e}^{2\pi i{T}_{R/{\mathbb{Z}}_{p^s}}\left(y_1(T_{S/R}(a_{1}f\left(x\right)+b_1·x)+c_1-u_1)+y_2(T_{S/R}(a_{2}f\left(x\right)+b_2·x)+c_2-u_2)\right)/p^s}\hfill \\ & =& q^{snr}+\sum _{\begin{array}{c}{y}_1,y_2\in R\\ (y_1,y_2)\ne (0,0)\end{array}}\hfill \\ & & e^{2\pi i{T}_{R/{\mathbb{Z}}_{p^s}}\left(-y_1{u}_1-y_2{u}_2+y_1{c}_1+y_2{c}_2\right)/p^s}\sum _{x\in S^r}{e}^{2\pi i{T}_{S/{\mathbb{Z}}_{p^s}}\left((y_1{a}_1+y_2{a}_2)f\left(x\right)+(y_1{b}_1+y_2{b}_2)·x\right)/p^s}\hfill \\ & =& q^{snr}+\sum _{\begin{array}{c}{y}_1,y_2\in R\\ (y_1,y_2)\ne (0,0)\end{array}}{e}^{2\pi i{T}_{R/{\mathbb{Z}}_{p^s}}\left(-y_1{u}_1-y_2{u}_2+y_1{c}_1+y_2{c}_2\right)/p^s}\sum _{(d_1,d_2,\dots ,d_t)\in S^t}\hfill \\ & & \sum _{x\in {S^r}_{|x_1=d_1,\dots ,x_t=d_t}}{e}^{2\pi i{T}_{S/{\mathbb{Z}}_{p^s}}\left((y_1{a}_1+y_2{a}_2)f\left(x\right)+(y_1{b}_1+y_2{b}_2)·x\right)/p^s}\hfill \\ & =& q^{snr}+\begin{array}{c}0+\cdots +0\\ q^{snt}times\end{array}=q^{snr}\hfill \end{array}$$

The last equality is justified as follows:

Please note that $y_1{b}_1+y_2{b}_2$ and $y_1{a}_1+y_2{a}_2$ cannot both be zero, unless $y_1=y_2=0,$ because of the shape of source space.

If $y_1{a}_1+y_2{a}_2=0$ and $y_1{b}_1+y_2{b}_2\ne 0,$ exists $z\in S^r$ such that

$T_{S/{\mathbb{Z}}_{p^s}}\left((y_1{b}_1+y_2{b}_2)·z\right)\ne 0.$ Then, similar to Lemma 2.1 proof of [12],

$$\sum _{x\in S^r}{e}^{2\pi i{T}_{S/{\mathbb{Z}}_{p^s}}\left((y_1{b}_1+y_2{b}_2)·x\right)/p^s}=0.$$

If $y_1{a}_1+y_2{a}_2\ne 0$ and $y_1{b}_1+y_2{b}_2=0,$ then, since $f\left(x\right)$ is balanced and by Lemma 1,

$$\sum _{x\in S^r}{e}^{2\pi i{T}_{S/{\mathbb{Z}}_{p^s}}\left((y_1{a}_1+y_2{a}_2)f\left(x\right)\right)/p^s}=0.$$

Finally, if $y_1{a}_1+y_2{a}_2\ne 0$ and $y_1{b}_1+y_2{b}_2\ne 0,$ suppose without loss of generality that the nonzero entries of $y_1{b}_1+y_2{b}_2$ are in the entries $x_1,\dots ,x_t$. Since f is t-resilient, these t entries of $S^r$ are kept constant. Then,

$$f{\left(x\right)}_{|x_1=d_1,\dots ,x_t=d_t}$$

is balanced; even more, $(y_1{b}_1+y_2{b}_2)·x_{|x_1=a_1,\dots ,x_t=a_t}$ is constant, and also by Lemma 1 we have the last equality.

From here,

$$q^{2s}N(f;a_1,b_1,a_2,b_2;u_1,u_2)-q^{snr}=0.$$

Therefore,

$$N(f;a_1,b_1,a_2,b_2;u_1,u_2)=q^{snr-2s}.$$

□

Theorem 9.

Let $\mathcal{S},\mathcal{T}$, $\mathcal{K}$ be as in scheme ${\mathcal{A}}_2$, and $t\in {\mathbb{F}}_q$. Then, the vector of length $q^{snr+s-1},$${\left(\mathrm{\Phi }\left(v_s\left(x\right)\right)\right)}_{x\in S^r},$ where $v_s\left(x\right)=T_{S/R}(af\left(x\right)+b·x)+c$, $s=(a,b,c)\in \mathcal{S}$, has $q^{snr+s-2}$ coordinates equal to t, namely the value of the distinct coordinates are balanced.

Proof. 

By Corollary 1, in the sum of at most $s-2$ vectors of $c=c_0,c_1,\dots ,c_{s-2}$ of the Gray map, every element $t\in {\mathbb{F}}_q$ is in $q^{s-2}$ entries. On the other hand, if an element

$$a=a_0+a_{1}p+\cdots +a_{s-2}{p}^{s-2}+a_{s-1}{p}^{s-1}\in R,$$

then

$$\mathrm{\Phi }\left(a\right)={\overline{a}}_0{c}_0+{\overline{a}}_1{c}_1+\cdots +{\overline{a}}_{s-2}{c}_{s-2}+{\overline{a}}_{s-1}{c}_{s-1}\in {\mathbb{F}}_q^{q^{s-1}}.$$

To have the number of images $\mathrm{\Phi }\left(a\right)$ equal to a value $t\in {\mathbb{F}}_q$ for any element a in $R,$ it is necessary to consider the possible values that can have the coefficients $a_0,a_1,\dots ,a_{s-2},a_{s-1}:$

If we consider the possible combinations for the sum of $s-1$ terms without the case $a_0=a_1=\cdots =a_{s-2}=0$ and without considering the last term, then $(q^{s-1}-1)·q^{s-2}$ entries are equal to t.

If the term ${\overline{a}}_{s-1}{c}_{s-1}$ is considered:

• If the sum of the first $s-1$ terms is nonzero, then the number of combinations increases to $(q^{s-1}-1)·q^{s-2}·q=(q^{s-1}-1)·q^{s-1},$ since there are q distinct elements ${\overline{a}}_{s-1}.$
• If the sum of the first $s-1$ terms is zero, then we only have the term ${\overline{a}}_{s-1}{c}_{s-1}$. Since there is only one element ${\overline{a}}_{s-1}\in {\mathbb{F}}_q$ such that ${\overline{a}}_{s-1}=t$, then we have a vector with $q^{s-1}$ entries equal to t. Hence, the possible combinations are $(q^{s-1}-1)·q^{s-1}+q^{s-1}=q^{2s-2}$.

The above is valid for all elements in R repeated only once because in $u_s$ each element of R is repeated $q^{snr-s}$ times. Therefore, there are $q^{snr+s-2}$ elements in $\mathcal{K}$ that corresponding to coordinates of $u_s$ equal to t. □

Theorem 10.

Let $\mathcal{S},\mathcal{T}$, $\mathcal{K}$ be as in the scheme ${\mathcal{A}}_2$, $t_1,t_2\in {\mathbb{F}}_q$, $t_1\ne t_2$. Then

$$|\{x\in {\mathcal{S}}^r|\mathrm{\Phi }\left(v_{s_1}\left(x\right)\right)=t_1,\mathrm{\Phi }\left(v_{s_2}\left(x\right)\right)=t_2\}|=q^{snr-2},$$

where $v_{s_1}\left(x\right)=T_{S/R}(a_{1}f\left(x\right)+b_1·x)+c_1$ and $v_{s_2}\left(x\right)=T_{S/R}(a_{2}f\left(x\right)+b_2·x)+c_2$, $s_1=(a_1,b_1,c_1)\in \mathcal{S},s_2=(a_2,b_2,c_2)\in \mathcal{S},$$(a_1,b_1)\ne (a_2,b_2).$

Proof. 

Let $s_1=(a_1,b_1,c_1)$ and $s_2=(a_2,b_2,c_2)$ such that $(a_1,b_1)\ne (a_2.b_2)$. Then by Theorem 8 and proceeding as in the proof of Theorem 9, $|\{k\in \mathcal{K}|e_k\left(s_1\right)=t_1,e_k\left(s_2\right)=t_2\}|=(q^{s-1}-1)q^{s-1}{q}^{snr-2s}+q^{s-1}{q}^{snr-2s}=q^{2s-2}{q}^{snr-2s}=q^{snr-2}.$ □

Theorem 11.

In the scheme ${\mathcal{A}}_2$,

$$P_I=\frac{1}{q}and{P}_S=\frac{1}{q}.$$

Proof. 

Let us find $P_I$:

By Theorem 9, $|\{k\in \mathcal{K}|e_k\left(s\right)=t\}|=q^{snr+s-2}$. Thus, the probability of impersonation is

$$P_I=\frac{\left|\right\{k\in \mathcal{K}|e_k\left(s\right)=t\}|}{\left|\mathcal{K}\right|}=\frac{q^{snr+s-2}}{q^{srn+s-1}}=\frac{1}{q}.$$

Let us find $P_S$:

Let $(a_1,b_1,c_1)\ne (a_2,b_2,c_2)$ and $t_1\ne t_2.$ By Theorem 10 if $(a_1,b_1)\ne (a_2,b_2)$, then

$$|\{k\in \mathcal{K}|e_k\left(s_1\right)=t_1,e_k\left(s_2\right)=t_2\}|=q^{snr-2}.$$

If $(a_1,b_1)=(a_2,b_2)$, then $c_1\ne c_2$. Thus, $\{k\in {\mathbb{Z}}_{q^{s-1}}|{\mathrm{\Phi }}_k\left(c\right)=t,{\mathrm{\Phi }}_k\left(c^{\prime }\right)=t^{\prime }\}=q^{s-3}$ (follows from Corollary 2). Hence,

$$|\{k\in \mathcal{K}|e_k\left(s_1\right)=t_1,e_k\left(s_2\right)=t_2\}|=q^{s-3}{q}^{snr}=q^{snr+s-3}.$$

Therefore, $P_S=\frac{max\{q^{snr-2},q^{snr+s-3}\}}{q^{snr+s-2}}=\frac{1}{q}.$ □

3.4. Third Construction: Without Map Gray, over Galois Rings

In this scheme, the composition of resilient functions and trace function on Galois rings are provided. We get a generalization on Galois rings of the authentication scheme given on finite fields in [9]. If $s=1$, then we obtain the scheme presented in [9], with the difference that the source space of the scheme constructed here has a greater cardinality; this result brings a better relationship between the message space and the key space for our scheme (see Theorems 2.3 and 3.1 in [6] and Theorem 14 in [7]).

Let $f:S^r⟶S$ be a t-resilient function, $r,t\in {\mathbb{Z}}^{+},$$r>t>1.$ We build the following authentication scheme,

$$\begin{array}{c}\hfill {\mathcal{A}}_3=(\mathcal{S},\mathcal{T},\mathcal{K},\mathcal{E}):\end{array}$$

(5)

$$\begin{array}{ccc}& & \mathcal{S}=\left(\left\{1\right\}\times \{(b_1,\dots ,b_{t-1},0\dots ,0),(0,\dots ,0,b_t,0,\dots ,0),\dots ,(0,\dots ,0,b_r)\}\right)\hfill \\ & & \cup \left(\left\{0\right\}\times \{(b_1^{\prime },0,\dots ,0),\dots ,(0,\dots ,0,b_r^{\prime })\}\right)\subset S\times U{\left(S\right)}^r,\hfill \\ & & b_1,\dots ,b_{t-1}\in U\left(S\right),b_1^{\prime },\dots ,b_r^{\prime }\in S^{\times }.\hfill \\ & & \mathcal{T}=R,\hfill \\ & & \mathcal{K}=S^r,\hfill \\ & & \mathcal{E}=\{E_k:k\in \mathcal{K}\},\hfill \end{array}$$

and

$$E_k\left(s\right)=T_{S/R}(af\left(x\right)+b·x),$$

$x\in \mathcal{K},$$s=(a,b)\in \mathcal{S}.$

We can see that $\left|\mathcal{S}\right|=\left[{\left((q^n-1)q^{n(s-1)}+1\right)}^{t-1}+W^{\prime }\right]$, $\left|\mathcal{T}\right|=q^s,$$\left|\mathcal{K}\right|=\left|\mathcal{E}\right|=q^{snr},$ where $W^{\prime }=(r-t+1)·\left[(q^n-1)q^{n(s-1)}+1\right]+r(q^n-1)q^{n(s-1)}$

This authentication scheme is a generalization of the first authentication scheme given in [9], where the scheme is considered on finite fields. In our scheme if we consider $s=1$, then we obtain the same scheme, except the size of the source space; here, this is greater than the size of the source space given in [9]. Therefore, in this work $\mathcal{K}$ and $\left|\mathcal{S}\right|\left(\right|\mathcal{T}|-1)+1$ are closer, following the Theorem 2. Then, we have a better relationship between the spaces.

The following result ensures that the encoding rules are equally likely to be chosen.

Theorem 12.

The function $H:\mathcal{K}\to \mathcal{E}$ defined by $H:k\to E_k$ is a bijection.

Proof. 

Suppose $E_x=E_{x^{\prime }}$, $x,x^{\prime }\in S^r.$ Then,

$$T_{S/R}(af\left(x\right)+bx)=T_{S/R}(af\left(x^{\prime }\right)+b{x}^{\prime }),\forall (a,b)\in \mathcal{S}.$$

Let $x-x^{\prime }$ be nonzero in its i-th entry. Let $a=0$ and $b=(0,\dots ,0,b_i,0,\dots ,0)$. Then $T_{S/R}\left(b_i{(x-x^{\prime })}_i\right)=0\forall b_i\in U\left(S\right)-\left\{0\right\}.$ Thus, $x-x^{\prime }=0,$ namely $x=x^{\prime }.$ □

Solving similarly to the proof of Theorem 8, the following result is granted.

Theorem 13.

Let $f:S^r\to S$ be a t-resilient function, $(a_1,b_1)\ne (a_2,b_2)$ elements of $\mathcal{S},$ $u_1,u_2\in R,$ and

$$\begin{array}{ccc}& & N(f;a_1,b_1,a_2,b_2;u_1,u_2)\hfill \\ & =& \left|\right\{x\in S^r:T_{S/R}(a_{1}f\left(x\right)+b_1·x)=u_1,T_{S/R}(a_{2}f\left(x\right)+b_2·x)=u_2\left\}\right|.\hfill \end{array}$$

Then,

$$N(f;a_1,b_1,a_2,b_2;u_1,u_2)=q^{snr-2s}.$$

In the following result, minimum values for $P_I$ and $P_S$ are obtained.

Theorem 14.

Let the authentication scheme ${\mathcal{A}}_3$. Then,

$$P_I=\frac{1}{q^s},P_S=\frac{1}{q^s}.$$

Proof. 

Let $(a,b)\in \mathcal{S},$$(a,b)\ne (0,0)$. We know that the function

$$k\mapsto T_{S/R}(af\left(k\right)+bk)$$

is balanced. Then,

$$\begin{array}{ccc}\hfill P_I& =& \underset{s\in \mathcal{S},t\in \mathcal{T}}{max}\frac{\left|\right\{k\in \mathcal{K}:T_{S/R}(af\left(k\right)+bk)=t\}}{\left|\mathcal{K}\right|}\hfill \\ & =& \frac{q^{snr-s}}{q^{snr}}\hfill \\ & =& \frac{1}{q^s}.\hfill \end{array}$$

Now by Theorem 13,

$$N(f;a_1,b_1,a_2,b_2;u_1,u_2)=q^{snr-2s}.$$

Also,

$$|\{k\in \mathcal{K}:T_{S/R}(af\left(k\right)+bk)=t\}|=q^{snr-s}.$$

Thus,

$$\begin{gathered} \begin{array}{ccccc}\hfill P_S& =& max \\ s\in \mathcal{S} \\ t\in \mathcal{T}\hfill & max \\ {s}^{\prime }\in \mathcal{S},s^{\prime }\ne s \\ {t}^{\prime }\in \mathcal{T}& \frac{\left|\right\{k\in \mathcal{K}:E_k\left(s\right)=t,E_k\left(s^{\prime }\right)=t^{\prime }\left\}\right|}{\left|\right\{k\in \mathcal{K}:E_k\left(s\right)=t\left\}\right|}\\ & =& \frac{q^{snr-2s}}{q^{snr-s}}\hfill \\ & =& \frac{1}{q^s}.\hfill \end{array} \end{gathered}$$

□

4. Conclusions

We obtain minimum values for the success probabilities of impersonation and substitution attacks in the distinct schemes. In the first and second scheme, compared to the first scheme in [8], a better relationship between the parameters’ size is obtained, simplifying the source space. On the other hand, the injectivity proof between the key space and the encoding rules is substantially reduced. In the second scheme, a parameter is removed from the first scheme, leading to a more in-depth analysis of the Gray map and also of the composition with the resilient functions and the trace function. In the third scheme, a generalization is obtained on Galois rings, of the first scheme on finite fields given in [9], improving the relationship between their spaces’ size, based on Theorem 2.