Article

An Authentication Code over Galois Rings with Optimal Impersonation and Substitution Probabilities

Affiliations: 1 Computer Science, CINVESTAV-IPN, Mexico City 07360, Mexico; 2 Departamento de Matemáticas, Universidad Autónoma Metropolitana-I, Mexico City 14387, Mexico.
* Author to whom correspondence should be addressed. Current address: Av. IPN 2508, San Pedro Zacatenco, Mexico City 07300, Mexico.
These authors contributed equally to this work.
Math. Comput. Appl. 2018, 23(3), 46; https://doi.org/10.3390/mca23030046
Received: 27 July 2018 / Revised: 2 September 2018 / Accepted: 2 September 2018 / Published: 6 September 2018

Abstract

Two new systematic authentication codes based on the Gray map over a Galois ring are introduced. The first introduced code attains optimal impersonation and substitution probabilities. The second code improves space sizes, but it does not attain optimal probabilities. Additionally, it is conditioned to the existence of a special class of bent maps on Galois rings.
Keywords: authentication schemes; resilient maps; Gray map

1. Introduction

Resilient maps were introduced in 1985 by Chor et al. [1] and independently by Bennett et al. [2], in the context of key distribution and quantum cryptography protocols. Resilient maps have also been used to generate random sequences for stream ciphers [3].
The current paper deals with the notion of systematic authentication codes without secrecy as defined in [4] and considered in [5,6]. Two main problems arise for such codes: the first is to attain optimal (minimal) attack probabilities, the second is to keep the key space as small as possible relative to the message space, namely the product of the sizes of the source state space and the tag space. These two goals conflict, so a trade-off strategy is required. Theorems 2.3 and 3.1 in [7] state that when the optimal values of the impersonation and substitution probabilities $p_I$, $p_S$ are reached, certain relations among the sizes of the spaces follow (see also Theorem 14 in [8]).
In this paper, two new systematic authentication codes based on the Gray map on a Galois ring are introduced with the purpose of optimally reducing the impersonation and substitution probabilities, which are the key characteristics of an authentication code. We build a first code with optimal values for these probabilities, but at the cost of huge key and source spaces. A second code is introduced with convenient space sizes, but its substitution probability is not optimal.
The first code presented here is a further example of a previously constructed code using the Gray map on Galois rings and modules over these rings [9]. The construction in [9] is based on non-degenerate rational maps. Here, through the generalized Gray map and resilient maps on Galois rings, we obtain minimal upper bounds for the attack probabilities, thus improving former codes. Indeed, the obtained impersonation and substitution probabilities are optimal. However, the introduced code has a smaller source state space in comparison with the key space. We give precise definitions over Galois rings of the notions of resilient maps and of the generalized Gray map. The construction over Galois rings is translated into finite fields via the Gray map, thus providing similar codes over Galois fields.
In [10] a family of bent maps is introduced over Galois rings of characteristic $p^2$, with $p$ a prime number; this class of maps is closed under multiplication by units of the Galois ring. Under the assumption that a similar class of bent functions exists in Galois rings of characteristic $p^r$ with $r>2$, we obtain a hypothetical code whose spaces have acceptable sizes, similar to those of former constructions, but with improved impersonation and substitution probabilities. In fact, the probabilities are lower than those of other authentication codes that do not attain optimal probabilities.
The paper is organized as follows: In Section 2 the basic construction of the Gray map is recalled. In Section 3 a new systematic authentication code based on the Gray map is introduced and its main properties are determined. In Section 3.1 the general construction of a systematic authentication code is recalled, and the new code is treated in Section 3.2 and Section 3.3. In Section 3.4 we introduce the second code on the assumption of the existence of an appropriate class of bent functions. In Section 4 we make a succinct comparison with formerly introduced systematic authentication codes, and in Section 5 we state some conclusions. The existence of the required bijection between the key space and the set of encoding maps is proved exhaustively and the current proof is rather long (hence, tedious). However, the reader can find it in [11].

2. The Gray Map over Galois Rings

Let $\mathbb{Z}_{p^r}$ be the ring of integers modulo $p^r$, where $p$ is a prime and $r$ a positive integer. A monic polynomial $f(x)\in\mathbb{Z}_{p^r}[x]$ is called monic basic irreducible (primitive) if its reduction modulo $p$ is an irreducible (primitive) polynomial over $\mathbb{F}_p$. The Galois ring of characteristic $p^r$ is defined as
$$GR(p^r,l)=\mathbb{Z}_{p^r}[x]/\langle f(x)\rangle,$$
where $f(x)\in\mathbb{Z}_{p^r}[x]$ is a monic basic irreducible polynomial of degree $l$ and $\langle f(x)\rangle$ is the ideal of $\mathbb{Z}_{p^r}[x]$ generated by $f(x)$. The polynomial $f(x)$ can be taken to be a divisor of $x^{p^l-1}-1$.
The Galois ring $R=GR(p^r,l)$ is local with maximal ideal $M=\langle p\rangle=pR$ and residue field isomorphic to $\mathbb{F}_q$, where $q=p^l$. This ring has characteristic $p^r$, is a chain ring, and $|R|=p^{rl}$. The group of units of $R$ is $U(R)=C\times G$, where $G$ is a group of order $p^{(r-1)l}$, $C=\langle\omega\rangle$ has order $p^l-1$, and $f(\omega)=0$. The Teichmüller set of representatives of $R$ is $T(R)=\{0\}\cup C$. Any $\beta\in R$ has a unique $p$-adic (multiplicative) representation $\beta=\beta_0+\beta_1p+\cdots+\beta_{r-1}p^{r-1}$, where $\beta_i\in T(R)$ for $0\le i\le r-1$. The ring $R$ has the structure of a $\mathbb{Z}_{p^r}$-module: $R=\mathbb{Z}_{p^r}[\omega]=\mathbb{Z}_{p^r}+\omega\mathbb{Z}_{p^r}+\cdots+\omega^{l-1}\mathbb{Z}_{p^r}$. For details and further properties we refer the reader to [12] (Chapter XVI) and [13].
Let $p$ be a prime number, $r,\ell,m\in\mathbb{Z}^+$, and $q=p^\ell$. Let $A=GR(p^r,\ell)$ and $B=GR(p^r,\ell m)$ be the corresponding Galois rings of degrees $\ell$ and $\ell m$. The ring $A$ is an extension of $\mathbb{Z}_{p^r}$, and $B$ is an extension of $A$. Let $\mathrm{Tr}_{B/A}:B\to A$, $\mathrm{Tr}_{B/\mathbb{Z}_{p^r}}:B\to\mathbb{Z}_{p^r}$ and $\mathrm{Tr}_{A/\mathbb{Z}_{p^r}}:A\to\mathbb{Z}_{p^r}$ be the corresponding trace maps, and let $pA$ and $pB$ denote the maximal ideals (of zero divisors) of $A$ and $B$, respectively.
Firstly, let us recall some well-known facts [9], as follows.
Lemma 1.
Let $u\in A$. Then the following assertions hold:
1. $$\sum_{x\in A}e^{\frac{2\pi i}{p^r}\mathrm{Tr}_{A/\mathbb{Z}_{p^r}}(ux)}=\begin{cases}q^r&\text{if }u=0\\0&\text{if }u\ne0\end{cases}$$
2. $$\sum_{x\in pA}e^{\frac{2\pi i}{p^r}\mathrm{Tr}_{A/\mathbb{Z}_{p^r}}(ux)}=\begin{cases}q^{r-1}&\text{if }u\in p^{r-1}A\\0&\text{if }u\notin p^{r-1}A\end{cases}$$
3. $$\sum_{x\in A-pA}e^{\frac{2\pi i}{p^r}\mathrm{Tr}_{A/\mathbb{Z}_{p^r}}(ux)}=\begin{cases}q^r-q^{r-1}&\text{if }u=0\\-q^{r-1}&\text{if }u\in p^{r-1}A-\{0\}\\0&\text{if }u\notin p^{r-1}A\end{cases}$$
From this point forward we assume that $r\ge2$. The homogeneous weight on the ring $A$ is the map [14] $w_h:A\to\mathbb{N}$, $u\mapsto w_h(u)$, where
$$w_h(u)=q^{r-1}-q^{r-2}-\frac{1}{q}\sum_{x\in A-pA}e^{\frac{2\pi i}{p^r}\mathrm{Tr}_{A/\mathbb{Z}_{p^r}}(ux)},\qquad(1)$$
and, according to Lemma 1, for all $u\in A$:
$$w_h(u)=\begin{cases}0&\text{if }u=0\\q^{r-1}&\text{if }u\in p^{r-1}A-\{0\}\\q^{r-1}-q^{r-2}&\text{if }u\in A-p^{r-1}A.\end{cases}\qquad(2)$$
Indeed, the map $d_h:A\times A\to\mathbb{Z}^+$, $(u,v)\mapsto d_h(u,v)=w_h(u-v)$, is a metric on $A$. The ring $A$ can thus be considered as the metric space $(A,d_h)$.
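As an added numerical check, not from the paper, the following Python code takes $\ell=1$, so that $A=\mathbb{Z}_{p^r}$ and $\mathrm{Tr}_{A/\mathbb{Z}_{p^r}}$ is the identity, evaluates the three character sums of Lemma 1 for every $u\in A$, and confirms that Relation (1) reproduces the closed form (2) for any $r\ge2$:

```python
import cmath


def galois_ring_subsets(p, r):
    """For A = Z_{p^r} (the Galois ring GR(p^r, 1), so q = p): the ring A, the maximal ideal pA,
    the unit group A - pA and the minimal ideal p^{r-1}A, all as lists of integers mod p^r."""
    modulus = p ** r
    A = list(range(modulus))
    pA = list(range(0, modulus, p))
    units = [x for x in A if x % p != 0]
    top = list(range(0, modulus, p ** (r - 1)))
    return A, pA, units, top


def character_sum(p, r, u, domain):
    """Sum over x in domain of e^{2 pi i Tr(u x)/p^r}; with l = 1 the trace Tr_{A/Z_{p^r}} is the
    identity. The sums of Lemma 1 are real integers, so the rounded real part is returned."""
    modulus = p ** r
    total = sum(cmath.exp(2j * cmath.pi * ((u * x) % modulus) / modulus) for x in domain)
    return round(total.real)


def lemma1_holds(p, r):
    """Checks the three assertions of Lemma 1 for every u in A."""
    A, pA, units, top = galois_ring_subsets(p, r)
    q = p
    for u in A:
        in_top = u in top                                   # u in p^{r-1}A
        if character_sum(p, r, u, A) != (q ** r if u == 0 else 0):
            return False
        if character_sum(p, r, u, pA) != (q ** (r - 1) if in_top else 0):
            return False
        if u == 0:
            expected = q ** r - q ** (r - 1)
        elif in_top:
            expected = -q ** (r - 1)                        # u in p^{r-1}A - {0}
        else:
            expected = 0
        if character_sum(p, r, u, units) != expected:
            return False
    return True


def hom_weight_by_formula(p, r, u):
    """Relation (1): w_h(u) = q^{r-1} - q^{r-2} - (1/q) * (sum over the units of A)."""
    _, _, units, _ = galois_ring_subsets(p, r)
    # the unit sum is q^r - q^{r-1}, -q^{r-1} or 0, all multiples of q = p, so // is exact
    return p ** (r - 1) - p ** (r - 2) - character_sum(p, r, u, units) // p


def hom_weight_by_cases(p, r, u):
    """Relation (2): 0 at u = 0, q^{r-1} on p^{r-1}A - {0}, and q^{r-1} - q^{r-2} on A - p^{r-1}A."""
    u %= p ** r
    if u == 0:
        return 0
    if u % (p ** (r - 1)) == 0:
        return p ** (r - 1)
    return p ** (r - 1) - p ** (r - 2)


def weights_agree(p, r):
    """Relations (1) and (2) coincide on all of A, which is how (2) follows from Lemma 1."""
    return all(hom_weight_by_formula(p, r, u) == hom_weight_by_cases(p, r, u)
               for u in range(p ** r))


if __name__ == "__main__":
    for p, r in ((3, 2), (2, 3), (5, 2), (3, 3)):
        print(p, r, lemma1_holds(p, r), weights_agree(p, r))   # all True
```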
Let $\mathbb{F}_q^q$ be the $q$-dimensional vector space over the Galois field $\mathbb{F}_q$, and let "$\otimes$" denote the Kronecker product $\mathbb{F}_q^m\times\mathbb{F}_q^n\to\mathbb{F}_q^{mn}$, $\big((u_i)_i,(v_j)_j\big)\mapsto(u_i)_i\otimes(v_j)_j=(w_{in+j}=u_iv_j)_{i,j}$. We iterate this product "on the right" as $\bigotimes_{k=0}^{n}v_k=\big(\bigotimes_{k=0}^{n-1}v_k\big)\otimes v_n$. Let $e_j=(\delta_{ij})_{i=0}^{q-1}$ be the $j$-th vector of the canonical basis of $\mathbb{F}_q^q$, where $\delta_{ij}$ is the Kronecker delta, let $1^{(q)}=(1,\ldots,1)=\sum_{j=0}^{q-1}e_j\in\mathbb{F}_q^q$ be the vector with all entries equal to $1$, and let $\rho:A\to\mathbb{F}_q$ be the reduction modulo $p$ map. Let $T(A)=\{0\}\cup\{\xi_A^j\}_{j=0}^{q-2}$ be the set of Teichmüller representatives of $\mathbb{F}_q$ in $A$ and let $\Xi=(0,\rho(\xi_A),\ldots,\rho(\xi_A^{q-2}),\rho(\xi_A^{q-1}))\in\mathbb{F}_q^q$. For each index $i=0,\ldots,r-2$ let
$$\phi_i=\bigotimes_{k=0}^{r-2}\Big(1^{(q)}+\delta_{ik}\big(\Xi-1^{(q)}\big)\Big)=1^{(q)\otimes i}\otimes\Xi\otimes1^{(q)\otimes(r-2-i)}\in\mathbb{F}_q^{q^{r-1}}\qquad(3)$$
(here, for any $v\in\mathbb{F}_q^q$, $v^{\otimes0}=[1]$ and $v^{\otimes(k+1)}=v^{\otimes k}\otimes v$). For $k\in\mathbb{Z}^+$ let $[y]_k=y\,1^{(k)}=(y,\ldots,y)$ ($k$ times). The vector $\phi_i$ is the concatenation of $q^i$ blocks, each one consisting of the concatenation of blocks of the form $[\rho_j]_{q^{r-2-i}}$, where $\rho_j$ is the $j$-th coordinate of $\Xi$, for $j=0,\ldots,q-1$ (see Relation (3)).
Then, the vector $\phi_i$ can be efficiently constructed: given an index $k$, with $0\le k\le q^{r-1}-1$, let $k_0=k\bmod q^{r-1-i}$ and $k_i=\lfloor k_0/q^{r-2-i}\rfloor$. Then $\phi_i(k)$ is the $k_i$-th coordinate of $\Xi$. In summary, for each $i=0,\ldots,r-2$, the vector $\phi_i$ defined by (3) can be expressed as
$$\phi_i=\Big[\big([0]_{q^{r-2-i}},[\rho(\xi_A)]_{q^{r-2-i}},\ldots,[\rho(\xi_A^{q-2})]_{q^{r-2-i}},[\rho(\xi_A^{q-1})]_{q^{r-2-i}}\big)\Big]_{q^i},\qquad(4)$$
where we use the notation introduced immediately after Relation (3). As a final vector, let us define $\phi_{r-1}=1^{(q^{r-1})}$. The Gray map is defined as follows:
$$\Phi:GR(p^r,\ell)=A\to\mathbb{F}_q^{q^{r-1}},\qquad\sum_{i=0}^{r-1}a_ip^i\mapsto\Phi\Big(\sum_{i=0}^{r-1}a_ip^i\Big)=\sum_{i=0}^{r-1}\rho(a_i)\phi_i,\qquad(5)$$
where the elements of $A$ are represented in their $p$-adic form (i.e., $a_i\in T(A)$).
In particular, if $r=2$, we have
$$\phi_0=(0,\rho(\xi_A),\ldots,\rho(\xi_A^{q-2}),\rho(\xi_A^{q-1})),\qquad\phi_1=(1,1,\ldots,1,1)\in\mathbb{F}_q^q.$$
Then the Gray map, as defined by (5), equals, for any element of the form $r_0+r_1p\in GR(p^2,\ell)$:
$$\Phi(r_0+r_1p)=\rho(r_0)\phi_0+\rho(r_1)\phi_1=\rho(r_0)\,(0,\rho(\xi_A),\ldots,\rho(\xi_A^{q-2}),\rho(\xi_A^{q-1}))+\rho(r_1)\,(1,1,\ldots,1,1)=\big(\rho(r_1),\rho(r_1+r_0\xi_A),\ldots,\rho(r_1+r_0\xi_A^{q-2}),\rho(r_1+r_0\xi_A^{q-1})\big),$$
which coincides with the definition given in [9].
The vector space $\mathbb{F}_q^{q^{r-1}}$ can be endowed with the structure of a metric space via the Hamming distance $d_H$: the distance between two vectors is the number of entries at which they differ.
Two important properties of the Gray map are stated by the following proposition:
Proposition 1.
The following assertions hold:
1. Isometry [14]. The Gray map is an isometry between the Galois ring $A$ and the vector space $\mathbb{F}_q^{q^{r-1}}$:
$$\forall u,v\in A:\ d_h(u,v)=d_H(\Phi(u),\Phi(v)).$$
2. The Gray map preserves addition:
$$\forall(u,v)\in A\times p^{r-1}A:\ \Phi(u+v)=\Phi(u)+\Phi(v).$$

3. A Systematic Authentication Code Based on the Gray Map

3.1. General Systematic Authentication Codes

We recall that a systematic authentication code without secrecy [4] is a structure $(S,T,K,E)$ where $S$ is the source state space, $T$ is the tag space, $K$ is the key space and $E=(e_k)_{k\in K}$ is a family of encoding rules $S\to T$.
A transmitter and a receiver agree on a secret key $k\in K$. Whenever a source $s\in S$ must be sent, the participants proceed according to the protocol depicted in Table 1.
The communication channel is public, so it can be eavesdropped upon by an intruder able to perform either impersonation or substitution attacks through it. The intruder's success probabilities for impersonation and substitution are, respectively [7]:
$$p_I=\max_{(s,t)\in S\times T}\frac{|\{k\in K\mid e_k(s)=t\}|}{|K|},\qquad(6)$$
$$p_S=\max_{(s,t)\in S\times T}\ \max_{(s',t')\in(S-\{s\})\times T}\frac{|\{k\in K\mid e_k(s)=t\ \&\ e_k(s')=t'\}|}{|\{k\in K\mid e_k(s)=t\}|}.\qquad(7)$$
For systematic authentication codes, lower bounds are known for $p_I$ and $p_S$ [5]:
$$\frac{1}{|T|}\le p_I\quad\text{and}\quad\frac{1}{|T|}\le p_S,$$
and in order to be acceptable, both $p_I$ and $p_S$ must be as small as possible.

3.2. A New Systematic Authentication Code

In the context of finite fields of characteristic 2, for $n\in\mathbb{Z}^+$ and $1\le t\le n$, let $J=\{j_0,\ldots,j_{t-1}\}\subseteq\{0,\ldots,n-1\}$ be an index $t$-subset. The affine $J$-variety determined by $a=(a_0,\ldots,a_{t-1})\in\mathbb{F}_2^t$ is
$$V_{J,a,n}=\{x\in\mathbb{F}_2^n\mid\forall k\in\{0,\ldots,t-1\}:\ x_{j_k}=a_k\}.$$
A map $f:\mathbb{F}_2^n\to\mathbb{F}_2^m$, $m\le n$, is $J$-resilient if for all $a\in\mathbb{F}_2^t$ the restriction $f|_{V_{J,a,n}}$ is balanced, namely, for all $y\in\mathbb{F}_2^m$, $|V_{J,a,n}\cap f^{-1}(y)|=2^{n-t-m}$. The map $f:\mathbb{F}_2^n\to\mathbb{F}_2^m$ is $t$-resilient if it is $J$-resilient for every set $J$ with $|J|=t$. The notion of $t$-resilient maps has been studied by several authors in the context of Galois rings, taking the balancedness property above as the defining condition, and well-known wide classes of $t$-resilient maps have been provided. For instance, from Theorem 1 in [15], for any $n\in\mathbb{Z}^+$, if $B$ is a Galois ring, $f_0:B^n\to B^n$ is a map such that every element of its image $f_0(B^n)$ has more than $t$ entries which are units in $B$, and $f_1:B^n\to B$ is any map, then the map $f:B^{2n}\to B$, $(x,y)\mapsto x\cdot f_0(y)+f_1(y)$, is $t$-resilient, $1\le t\le n$.
In this section, a systematic authentication code is constructed using a resilient function on a Galois ring and the Gray map on this ring.
Let $p>2$ be a prime number, $r,\ell,m\in\mathbb{Z}^+$, and $q=p^\ell$. Assume the same setting as at the beginning of Section 2.
Let $U(B)=(B-pB)\cup\{0\}$ be the set of elements of the Galois ring $B$ that are either units or zero. Let $n\in\mathbb{Z}^+$ be another positive integer, and $f:B^n\to B$ a $t$-resilient map. The following assertions hold:
  • For $a\in B-pB$, the map $B^n\to B$, $x\mapsto af(x)$, is $t$-resilient, hence it is also balanced.
  • For $a\in B-pB$, the map $B^n\to\mathbb{Z}_{p^r}$, $x\mapsto\mathrm{Tr}_{B/\mathbb{Z}_{p^r}}(af(x))$, is balanced (as a composition of balanced maps).
  • As a more general result than Corollary 2 of [16], we have that the map
    $$\gamma^f_{ab}:B^n\to A,\qquad\gamma^f_{ab}:x\mapsto\mathrm{Tr}_{B/A}(af(x)+b\cdot x)\qquad(8)$$
    is balanced whenever $w_h(b)\le t$ and either $(a,b)\in U(B)\times(U(B))^n$, with $(a,b)\ne(0,0)$, or $(a,b)\in(B-pB)\times B^n$.
  • Recall that the Fourier transform of the map $af$ is the function
    $$B^n\to\mathbb{C},\qquad b\mapsto\zeta_{af}(b)=\sum_{x\in B^n}e^{\frac{2\pi i}{p^r}\mathrm{Tr}_{B/\mathbb{Z}_{p^r}}(af(x)-b\cdot x)}.\qquad(9)$$
    As shown in [15], $\zeta_{af}(b)=0$ under the same conditions as in the above assertion, precisely because the map $x\mapsto\mathrm{Tr}_{B/\mathbb{Z}_{p^r}}(af(x)+b\cdot x)$ is balanced.
Let $T(A)$ be the set of Teichmüller representatives of $\mathbb{F}_q$ in $A$. Then $p^{r-1}A=\{ap^{r-1}\mid a\in T(A)\}$. Similarly, $T(B)$ is the set of Teichmüller representatives of $\mathbb{F}_{q^m}$ in $B$.
Let $n\in\mathbb{Z}^+$ and $t\le n$. For any $i<n$, let $e_i=(\delta_{ij})_{j=0}^{n-1}$ be the $i$-th vector in the canonical set of generators of $B^n$. For any $b\in T(B)^n$, let
$$X_{b,t}=\Big\{\sum_{j=0}^{t-2}b_je_j,\ b_{t-1}e_{t-1},\ \ldots,\ b_{n-1}e_{n-1}\Big\}\subseteq B^n,\qquad N=\bigcup_{b\in T(B)^n}X_{b,t},\qquad L=\Big\{\sum_{i=0}^{r-2}r_ip^i\ \Big|\ (r_0,\ldots,r_{r-2})\in T(A)^{r-1}\Big\}.\qquad(10)$$
Then $|X_{b,t}|=n-t+1$, $|N|=q^{m(t-1)}+(n-(t-1))q^m$, $|L|=q^{r-1}$, $L\subseteq(A-p^{r-1}A)\cup\{0\}$, and also
$$\forall u,v\in L:\ (u-v)\in(A-p^{r-1}A)\cup\{0\}.$$
Let us consider an $(r-1)n$-subset of $T(A)-\{0,1\}$,
$$\eta=(\eta_k)_{k=0}^{(r-1)n-1},$$
and
$$D_\eta=\{(\eta_{(i-1)n+j},\,p^ie_j)\mid1\le i\le r-1,\ 0\le j\le n-1\}.$$
Then $D_\eta\subseteq A\times B^n$ and $|D_\eta|=(r-1)n$.
Let $T(B)=\{0\}\cup\{\xi_B^k\}_{k=0}^{q^m-2}$, $G(T(B))=\{\xi_B^k\mid\gcd(k,q^m-1)=1\}$, let $\theta=(\theta_j)_{j=0}^{n-1}$ be an $n$-sequence of elements of $G(T(B))$ (repetitions are allowed), and $\zeta\in T(B)-\{0\}$. For each integer $k$, with $0\le k\le q^m-(r-1)n-2$, let
$$T_{\theta\zeta k}=\Big(\big(\theta_j^i,\ (\zeta+\theta_j^i\,p^{1+(k\bmod(r-1))})\,e_j\big)\Big)_{0\le i\le q^m-2,\ 0\le j\le n-1}.$$
Then $T_{\theta\zeta k}\subseteq B\times B^n$ and $|T_{\theta\zeta k}|=(q^m-1)n$.
Now, let $Z=(\zeta_k)_{k=0}^{q^m-(r-1)n-2}$ be a subset of $T(B)-\{0\}$, with $(q^m-1-(r-1)n-1)$ elements, such that $Z\cap\eta=\emptyset$, and
$$T_{\eta\theta Z}=D_\eta\cup\bigcup_{k=0}^{q^m-(r-1)n-2}T_{\theta\zeta_kk}.$$
Then $T_{\eta\theta Z}\subseteq B\times B^n$ and
$$|T_{\eta\theta Z}|=(r-1)n+\big(q^m-1-(r-1)n\big)(q^m-1)n=\Big((r-1)+(q^m-1)^2-(r-1)n(q^m-1)\Big)n.$$
Let $S_0=\{0\}\times(N-\{0\})\times L$, $S_1=T_{\eta\theta Z}\times L$, $S_2=\big(T(B)-(\{0\}\cup\eta)\big)\times\{0\}\times L$ and
$$S=S_0\cup S_1\cup S_2,\qquad T=\mathbb{F}_q,\qquad K=\mathbb{Z}_{q^{r(mn+1)}}.\qquad(14)$$
Certainly, at this point the definition of the source set $S$ looks quite unnatural. However, defined in this way, it guarantees an appropriate distance between elements (Proposition 2), leading to optimal results (Proposition 4), while keeping the maps $x\mapsto\mathrm{Tr}_{B/\mathbb{Z}_{p^r}}(af(x)+b\cdot x)$ balanced for a $t$-resilient map $f$. This particular structure of the source space $S$ allows a one-to-one correspondence between keys and encoding maps (Proposition 3). From Relation (14), $S\subseteq B\times B^n\times A$, and
$$|S|=\Big(\big(q^{m(t-1)}+(n-(t-1))q^m-1\big)+\big((r-1)+(q^m-1)^2-(r-1)n(q^m-1)\big)n+\big(q^m-((r-1)n+1)\big)\Big)q^{r-1}=(c_0+c_1n-c_2n^2)\,q^{r-1},\qquad|T|=q,\qquad|K|=q^{r(mn+1)},\qquad(15)$$
where $c_0=q^m(q^{m(t-2)}-t)+2(q^m-1)$, $c_1=q^m(q^m-1)+1$, $c_2=(q^m-1)(r-1)$. The introduced construction imposes the supplementary condition $(r-1)(n+1)<p^m-1$.

3.3. Main Characteristics of the New Code

Let $\Phi:A\to\mathbb{F}_q^{q^{r-1}}$ be the Gray map on $A$ as defined in (5). We observe that for any element $y=\sum_{i=0}^{r-2}a_ip^i\in L$, with $(a_0,\ldots,a_{r-2})\in T(A)^{r-1}$ (see (10)), the evaluation of $\Phi$ at $y$, according to (5), is
$$\Phi(y)=\sum_{i=0}^{r-2}\rho(a_i)\phi_i.\qquad(16)$$
Also, since $q-1$ is even, for any $\xi$ generating $T(A)$, either $-\xi\in T(A)$ or $-1\in T(A)$. The following implication holds: $\forall z\in A\ \forall d\in\{1,\ldots,q-1\}:\ z^d\in T(A)\Rightarrow-z^d\in T(A)$. Hence, if the $p$-adic form of an element in $A$ is $z=\sum_{k=0}^{s-1}z_kp^k$, the $p$-adic form of $-z$ is $-z=\sum_{k=0}^{s-1}(-z_k)p^k$. Let $f:B^n\to B$ be a $t$-resilient map. For each $s=(s_0,s_1,s_2)\in S$ and each $w\in p^{r-1}A$, consider the map $v_{s,w}:B^n\to A$, $x\mapsto v_{s,w}(x)$, where
$$v_{s,w}(x)=\mathrm{Tr}_{B/A}(s_0f(x)+s_1\cdot x)+s_2+w=\gamma^f_{s_0s_1}(x)+s_2+w$$
(see Relation (8) above). Let
$$u_{s,w}=\big(\Phi(v_{s,w}(x))\big)_{x\in B^n}\in\big(\mathbb{F}_q^{q^{r-1}}\big)^{q^{rmn}},\qquad u_s=(u_{s,w})_{w\in p^{r-1}A}\in\big(\mathbb{F}_q^{q^{r-1}}\big)^{q^{rmn+1}}.\qquad(17)$$
Since $|p^{r-1}A|=q$, we have $\big(\mathbb{F}_q^{q^{r-1}}\big)^{q^{rmn+1}}\cong\mathbb{F}_q^{q^{r(mn+1)}}$, thus we may assume $u_s\in\mathbb{F}_q^{q^{r(mn+1)}}$.
Proposition 2.
Let $d_H$ be the Hamming distance on the vector space $\mathbb{F}_q^{q^{r(mn+1)}}$ and let $f:B^n\to B$ be a $t$-resilient map. For any two points $s^0=(s_{00},s_{10},s_{20})$, $s^1=(s_{01},s_{11},s_{21})\in S$, with $s^0\ne s^1$, and any two $w_0,w_1\in p^{r-1}A$, the following relation holds:
$$d_H(u_{s^0,w_0},u_{s^1,w_1})=q^{rmn}(q^{r-1}-q^{r-2}).$$
Proof.
Let $s^2=s^0-s^1=(s_{02},s_{12},s_{22})$ and $w_2=w_0-w_1$. Then the Hamming distance between the points $u_{s^0,w_0}$ and $u_{s^1,w_1}$ is computed in (18); there, equality (i) holds because $\Phi$ is an isometry, equality (ii) follows from the defining Relation (1), and equality (iii) is due to Relation (16).
$$\begin{aligned}d_H(u_{s^0,w_0},u_{s^1,w_1})&=\sum_{x\in B^n}d_H\big(\Phi(v_{s^0,w_0}(x)),\Phi(v_{s^1,w_1}(x))\big)\overset{(i)}{=}\sum_{x\in B^n}d_h\big(v_{s^0,w_0}(x),v_{s^1,w_1}(x)\big)\\&=\sum_{x\in B^n}w_h\big(v_{s^0,w_0}(x)-v_{s^1,w_1}(x)\big)=\sum_{x\in B^n}w_h\big(v_{s^2,w_2}(x)\big)\\&\overset{(ii)}{=}\sum_{x\in B^n}\Big(q^{r-1}-q^{r-2}-\frac{1}{q}\sum_{r_0\in A-pA}e^{\frac{2\pi i}{p^r}\mathrm{Tr}_{A/\mathbb{Z}_{p^r}}(r_0v_{s^2,w_2}(x))}\Big)\\&=q^{rmn}(q^{r-1}-q^{r-2})-\frac{1}{q}\sum_{x\in B^n}\sum_{r_0\in A-pA}e^{\frac{2\pi i}{p^r}\mathrm{Tr}_{A/\mathbb{Z}_{p^r}}(r_0v_{s^2,w_2}(x))}\\&\overset{(iii)}{=}q^{rmn}(q^{r-1}-q^{r-2})-\frac{1}{q}\sum_{r_0\in A-pA}e^{\frac{2\pi i}{p^r}\mathrm{Tr}_{A/\mathbb{Z}_{p^r}}(r_0w_2)}\,e^{\frac{2\pi i}{p^r}\mathrm{Tr}_{A/\mathbb{Z}_{p^r}}(r_0s_{22})}\sum_{x\in B^n}e^{\frac{2\pi i}{p^r}\mathrm{Tr}_{B/\mathbb{Z}_{p^r}}(r_0s_{02}f(x)+r_0s_{12}\cdot x)}\end{aligned}\qquad(18)$$
If $(s_{02},s_{12})\ne(0,0)$, since $f$ is $t$-resilient and $x\mapsto\mathrm{Tr}_{B/\mathbb{Z}_{p^r}}(r_0s_{12}\cdot x)$ is a balanced map, from (18) the claim follows:
$$d_H(u_{s^0,w_0},u_{s^1,w_1})=q^{rmn}(q^{r-1}-q^{r-2}).$$
If $(s_{02},s_{12})=(0,0)$, also from (18) we obtain
$$d_H(u_{s^0,w_0},u_{s^1,w_1})=\sum_{x\in B^n}w_h\big(v_{s^2,w_2}(x)\big)=\sum_{x\in B^n}w_h(s_{22}+w_2)=q^{rmn}(q^{r-1}-q^{r-2}),$$
because $s_{22}+w_2\in A-p^{r-1}A$. ☐
For each $k\in K=\mathbb{Z}_{q^{r(mn+1)}}$, let $e_k:S\to T$ be the map
$$s\mapsto e_k(s)=\pi_k(u_s):\ \text{the }k\text{-th entry of the element }u_s.\qquad(19)$$
The set of encoding rules in the proposed systematic authentication code is thus $E=(e_k)_{k\in K}$.
Proposition 3.
The map $K\to E$, $k\mapsto e_k$, is one-to-one.
Proof.
The proposition is clearly equivalent to the following statement: for all $k_0,k_1\in K$,
$$k_0\ne k_1\Rightarrow\exists s\in S:\ \pi_{k_0}(u_s)\ne\pi_{k_1}(u_s),$$
where $u_s$ is given by Relation (17).
According to (17), each element $u_s$, $s\in S$, is the concatenation of $q$ arrays $u_{s,w}$, each of length $q^{rmn}$. The index range $\{0,\ldots,q^{r(mn+1)}-1\}$ of the element $u_s$ can be split as the concatenation of $q^{rmn+1}$ integer intervals
$$K_{x,w}=\{\text{indexes of the entries holding the value }\Phi(v_{s,w}(x))\},$$
with $(x,w)\in B^n\times p^{r-1}A$, and each integer interval $K_{x,w}$ has length $q^{r-1}$.
We recall at this point that $|B^n\times p^{r-1}A|=q^{rmn}\,q=q^{rmn+1}$. Let $\alpha_b:B^n\to\{0,\ldots,q^{rmn}-1\}$ and $\alpha_a:p^{r-1}A\to\{0,\ldots,q-1\}$ be the corresponding natural bijections. Then, up to these enumerations and Relation (4), we can identify $K_{x,w}\equiv\{k\in K\mid k_{x,w}q^{r-1}\le k\le k_{x,w}q^{r-1}+(q^{r-1}-1)\}$, where
$$\forall(x,w)\in B^n\times p^{r-1}A:\ k_{x,w}=\alpha_b(x)\,q+\alpha_a(w).$$
Let $k_0,k_1\in K\equiv\{0,\ldots,q^{r(mn+1)}-1\}$ be two keys such that $k_0\ne k_1$. Depending on the intervals $K_{x,w}$ in which these keys fall, we can consider four mutually disjoint and exhaustive cases:
  • Case I: $\exists w\in p^{r-1}A,\ \exists x\in B^n:\ k_0\in K_{x,w}\ \&\ k_1\in K_{x,w}$.
  • Case II: $\exists w\in p^{r-1}A,\ \exists x,y\in B^n:\ x\ne y\ \&\ k_0\in K_{x,w}\ \&\ k_1\in K_{y,w}$.
  • Case III: $\exists w_0,w_1\in p^{r-1}A,\ \exists x\in B^n:\ w_0\ne w_1\ \&\ k_0\in K_{x,w_0}\ \&\ k_1\in K_{x,w_1}$.
  • Case IV: $\exists w_0,w_1\in p^{r-1}A,\ \exists x,y\in B^n:\ w_0\ne w_1\ \&\ x\ne y\ \&\ k_0\in K_{x,w_0}\ \&\ k_1\in K_{y,w_1}$.
The analysis of these cases, giving a full proof of the proposition, is rather extensive and certainly tedious. It is provided in full detail in [11]. ☐
Proposition 4.
For the authentication code defined by Relations (14) and (19), the following relations hold:
$$p_I=\frac{1}{q},\qquad p_S=\frac{1}{q}.\qquad(22)$$
Proof.
Let $s=(s_0,s_1,s_2)\in S$ and $x\in B^n$ be fixed. Then the map $p^{r-1}A\to\mathbb{F}_q^{q^{r-1}}$,
$$w\mapsto\Phi\big(\mathrm{Tr}_{B/A}(s_0f(x)+s_1\cdot x)+s_2+w\big),$$
is one-to-one. For any $t\in T=\mathbb{F}_q$, we have
$$|\{k\in K\mid\pi_k(u_s)=t\}|=q^{r(mn+1)-1},$$
where $u_s$ is defined by Relation (17). Since $|K|=q^{r(mn+1)}$, from (6) we get $p_I=\frac{1}{q}$.
Now, consider $s^0=(s_{00},s_{10},s_{20})$, $s^1=(s_{01},s_{11},s_{21})\in S$ such that $s^0\ne s^1$. For each $t_0,t_1\in T$ and each $k\in K$, let $w\in p^{r-1}A$ and $x\in B^n$ be such that $k\in K_{x,w}$. Then the following conditions on the pair of encoded sources are equivalent:
$$\begin{aligned}&e_k(s^0)=t_0\ \&\ e_k(s^1)=t_1\\\iff\ &\pi_k(u_{s^0})=t_0\ \&\ \pi_k(u_{s^1})=t_1\\\iff\ &\pi_k\Phi(v_{s^0,w}(x))=t_0\ \&\ \pi_k\Phi(v_{s^1,w}(x))-\pi_k\Phi(v_{s^0,w}(x))=t_1-t_0\\\overset{\text{Prop. 1}}{\iff}\ &\pi_k\Phi\big(\mathrm{Tr}_{B/A}(s_{00}f(x)+s_{10}\cdot x)+s_{20}+w\big)=t_0\ \&\ \pi_k\Phi\big(\mathrm{Tr}_{B/A}(s_{01}f(x)+s_{11}\cdot x)+s_{21}\big)-\pi_k\Phi\big(\mathrm{Tr}_{B/A}(s_{00}f(x)+s_{10}\cdot x)+s_{20}\big)=t_1-t_0\end{aligned}$$
From there, it can be seen that
$$|\{k\in K\mid(e_k(s^0)=t_0)\ \&\ (e_k(s^1)=t_1)\}|=q^{r(mn+1)-1}-d_H(u_{s^0,w},u_{s^1,w}).\qquad(23)$$
Now, from (7) and (23):
$$p_S=\frac{q^{r(mn+1)-1}-d_H(u_{s^0,w},u_{s^1,w})}{q^{r(mn+1)-1}}=\frac{q^{r(mn+1)-1}-q^{rmn}(q^{r-1}-q^{r-2})}{q^{r(mn+1)-1}}=\frac{q^{rmn+r-2}}{q^{rmn+r-1}}=\frac{1}{q}.$$
☐
Observe at this point that instead of $N$ in (14), it is possible to take the set $N'=\{b\in B^n\mid w_h(b)\le t/2\}$ in order to produce a new systematic authentication code with the same impersonation and substitution probabilities as in (22).
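The following Python code is an added example, not part of the paper: it implements the Gray map (5) for $r=2$ on $A=\mathbb{Z}_{p^2}$ (so $\ell=1$ and $q=p$), checks Proposition 1 exhaustively, and then builds a toy instance of the encoding rules (17) and (19) with $B=A$, $m=n=1$ and the resilient-map term $s_0f(x)$ dropped, evaluating $p_I$ and $p_S$ directly from Relations (6) and (7). The source set $T(A)\times T(A)$ and the dropped term are our simplifications, not the source space (14) of Section 3.2.

```python
from fractions import Fraction


def teichmuller_units(p):
    """Nonzero Teichmüller representatives of A = Z_{p^2} (= GR(p^2, 1), q = p): the cyclic group
    <omega> of order q - 1, omega = g^p mod p^2 for a generator g of (Z/pZ)^*. Assumes p an odd prime."""
    g = next(g for g in range(2, p) if len({pow(g, e, p) for e in range(1, p)}) == p - 1)
    omega = pow(g, p, p * p)                 # omega^(q-1) = g^(p(p-1)) = 1 (mod p^2), omega = g (mod p)
    return [pow(omega, j, p * p) for j in range(p - 1)]   # xi^0, ..., xi^(q-2)


def padic_digits(beta, p, xi):
    """p-adic form beta = r0 + r1 p with r0, r1 in T(A) = {0} U {xi^j}."""
    lift = {x % p: x for x in [0] + xi}      # residue mod p -> its Teichmüller lift
    r0 = lift[beta % p]
    r1 = lift[((beta - r0) // p) % p]        # exact division, since r0 = beta (mod p)
    return r0, r1


def gray_map(beta, p, xi):
    """Relation (5) for r = 2: Phi(r0 + r1 p) = (rho(r1), rho(r1 + r0 xi), ..., rho(r1 + r0 xi^(q-1)))."""
    r0, r1 = padic_digits(beta % (p * p), p, xi)
    Xi = [0] + [xi[j % (p - 1)] for j in range(1, p)]   # Xi = (0, xi, xi^2, ..., xi^(q-1)), xi^(q-1) = 1
    return tuple((r1 + r0 * x) % p for x in Xi)          # rho is reduction modulo p


def hom_weight(u, p):
    """Relation (2) for r = 2: w_h is 0 at 0, q on pA - {0} and q - 1 on the units."""
    u %= p * p
    if u == 0:
        return 0
    return p if u % p == 0 else p - 1


def hamming(x, y):
    return sum(a != b for a, b in zip(x, y))


def gray_map_is_isometry(p):
    """Proposition 1 on all of A: d_h(u, v) = d_H(Phi(u), Phi(v)), and Phi(u+v) = Phi(u)+Phi(v) for v in pA."""
    xi = teichmuller_units(p)
    A = range(p * p)
    iso = all(hamming(gray_map(u, p, xi), gray_map(v, p, xi)) == hom_weight(u - v, p)
              for u in A for v in A)
    add = all(gray_map(u + v, p, xi) ==
              tuple((a + b) % p for a, b in zip(gray_map(u, p, xi), gray_map(v, p, xi)))
              for u in A for v in range(0, p * p, p))
    return iso and add


def toy_code(p):
    """Toy instance of (17) and (19): B = A = Z_{p^2}, m = n = 1, and the resilient-map term s0 f(x)
    dropped (our simplification), so v_{s,w}(x) = s1 x + s2 + w for s = (s1, s2) in T(A) x T(A)
    (our choice of source set). u_s concatenates Phi(v_{s,w}(x)) over w in pA and x in A; its length
    q * q^2 * q = q^{r(mn+1)} is the size of the key space K, and e_k(s) is the k-th entry of u_s."""
    xi = teichmuller_units(p)
    T_A = [0] + xi
    S = [(s1, s2) for s1 in T_A for s2 in T_A]
    U = {s: [t for w in range(0, p * p, p) for x in range(p * p)
             for t in gray_map(s[0] * x + s[1] + w, p, xi)] for s in S}
    return S, U


def attack_probabilities(S, U, q):
    """p_I and p_S evaluated exhaustively from Relations (6) and (7) over T = F_q = {0, ..., q-1}."""
    n_keys = len(U[S[0]])
    p_i, p_s = Fraction(0), Fraction(0)
    for s in S:
        for t in range(q):
            keys_st = [k for k in range(n_keys) if U[s][k] == t]     # keys with e_k(s) = t
            p_i = max(p_i, Fraction(len(keys_st), n_keys))
            if not keys_st:
                continue
            for s2 in S:
                if s2 == s:
                    continue
                for t2 in range(q):
                    both = sum(1 for k in keys_st if U[s2][k] == t2)  # ... and e_k(s2) = t2
                    p_s = max(p_s, Fraction(both, len(keys_st)))
    return p_i, p_s


if __name__ == "__main__":
    for p in (3, 5):
        print("p =", p, "Gray map is an isometry:", gray_map_is_isometry(p))
    S, U = toy_code(3)
    print("p_I, p_S =", attack_probabilities(S, U, 3))   # (1/3, 1/3): both at the bound 1/|T|
```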

3.4. A Second Systematic Authentication Code

Let $p$ be a prime number, $r,\ell,n\in\mathbb{Z}^+$ and $q=p^\ell$. Let $A=GR(p^r,\ell)$ and $B=GR(p^r,\ell n)$ be the corresponding Galois rings of degrees $\ell$ and $\ell n$. Let
$$L=\{r_0+r_1p+\cdots+r_{r-2}p^{r-2}\mid r_0,\ldots,r_{r-2}\in T(A)\}\subseteq(A\setminus p^{r-1}A)\cup\{0\}.$$
Observe that, since $p^{r-1}A=\{ap^{r-1}\mid a\in T(A)\}$, if $a,b\in L$ and $a\ne b$, then $a-b\in A\setminus p^{r-1}A$.
Let $f$ be a bent function on $B$ such that $uf$ is a bent function for any unit $u\in B$, and let $\Phi$ be the Gray map on $A$. The proposed systematic authentication code, $\mathcal{A}=(S,T,K,E)$, is the following:
$$S:=\big(T(B)\times B-\{(0,0)\}\big)\times L,\qquad T:=\mathbb{F}_q,\qquad K:=\mathbb{Z}_{q^{r(n+1)}},\qquad E:=\{E_k(s)=\mathrm{pr}_k(u_s)\mid k\in K,\ s\in S\},$$
where, for $s=(a,b,c)\in S$ and $\beta\in p^{r-1}A=\{\beta_1,\beta_2,\ldots,\beta_q\}$, $v_{s,\beta}(x)=\beta+\mathrm{Tr}_{B/A}(af(x)+bx)+c$, $u_{s,\beta}=\big(\Phi(v_{s,\beta}(x))\big)_{x\in B}$, $u_s=(u_{s,\beta})_{\beta\in p^{r-1}A}$, and $\mathrm{pr}_k$ is the $k$-th projection map from $\mathbb{F}_q^{q^{r(n+1)}}$ onto $\mathbb{F}_q$, mapping $u_s$ to its $k$-th coordinate.
Let $L$ be as above and let $V=\{c\in B\mid\mathrm{Tr}_{B/A}(c)\in L\}$. With the notation as above, a second systematic authentication code, $\mathcal{A}'=(S',T',K',E')$, is also proposed:
$$S':=\{(a,b,c)\in T(B)\times B\times V\mid(a,b)\ne(0,0)\},\qquad T':=\mathbb{F}_q,\qquad K':=\mathbb{Z}_{q^{r(n+1)}},\qquad E':=\{E_k(s)=\mathrm{pr}_k(u_s)\mid k\in K',\ s\in S'\}.$$
Note that the code $\mathcal{A}'$ is a slight modification of the code $\mathcal{A}$: in the definition of the source space $S$ for $\mathcal{A}$ the set $L$ is taken, while in the definition of the source space $S'$ for $\mathcal{A}'$ the set $V$ is used.
The impersonation and substitution probabilities $p_I$ and $p_S$ can be upper-bounded.
Lemma 2.
Let $d_H$ be the Hamming distance on $\mathbb{F}_q^{q^{n(t+1)}}$. With the notation as above, for any $s_1=(a_1,b_1,c_1)$, $s_2=(a_2,b_2,c_2)\in S$, $s_1\ne s_2$, and any elements $\beta_1,\beta_2\in p^{r-1}A$, we have
$$(q^{r-1}-q^{r-2})(q^{rn}-q^{rn/2})\le d_H(u_{s_1,\beta_1},u_{s_2,\beta_2})\le(q^{r-1}-q^{r-2})(q^{rn}+q^{rn/2}).$$
Theorem 1.
With the notation as above, the function $H:K\to E$ given by $H(k)=E_k$ is bijective.
Theorem 2.
Let $\mathcal{A}$ be the systematic authentication code as defined above. Then
$$p_I=\frac{1}{q}\quad\text{and}\quad p_S\le\frac{1}{q}+\frac{q-1}{q^{\frac{rn+2}{2}}}.$$

4. Parameter Comparison with Other Codes

We summarize quite succinctly in Table 2 a parameter comparison of our codes with other codes based on the Gray map. There, as in Relation (15),
$$c_0=q^m(q^{m(t-2)}-t)+2(q^m-1),\qquad c_1=q^m(q^m-1)+1,\qquad c_2=(q^m-1)(r-1).$$
$D$ is an integer in the interval $[1,q^{n/2}]$, and, as stated in [9] Prop. 3.5, $N$ is a positive integer such that $q^n-N>q^{n/2}\big((p+1)(N+1)-2\big)$.
Our first code provides optimal values for p I and p S for all parameters q, m, n, r in which the code exists. For the codes in [9] the optimal values are obtained only if D = 1 . However, in our code, the cardinality of the key space is greater than the product of the cardinalities of the source and tag spaces.
In [10], it is stated that a map $f:A^n\to A$ valued on a Galois ring $A=GR(p^r,\ell)$ is a bent function if, for every $u\in A^n$,
$$\Big|\sum_{x\in A^n}e^{\frac{2\pi i}{p^r}\mathrm{Tr}_{A/\mathbb{Z}_{p^r}}(f(x)-\langle u,x\rangle)}\Big|=|A|^{n/2},$$
and it was shown that, for the special case $r=2$, whenever $k$ and $q-1=p^\ell-1$ are relatively prime, then for any $\alpha\in A$ and any unit $u\in A-pA$ of $A$, the map $A\to A$, $x\mapsto ux^{kp+1}+\alpha x^p$, is a bent function ($n=1$).
Namely, for the special case $r=2$, a class of bent maps closed under multiplication by units of the Galois ring can be used to build a systematic authentication code (SAC).
Later, the Gray map and the above-mentioned class of bent maps were used to build a new SAC, improving the impersonation and substitution probabilities. In fact, these constructions can be extended to any characteristic $p^r$, with $r>1$, under the assumption that there exists a similar class of bent maps closed under multiplication by units of the Galois ring. In this case, the obtained SAC $\mathcal{A}$ would have the parameters displayed in Table 3.
In comparison with the values displayed in Table 2, this last hypothetical construction would have more convenient parameters for the spaces: the source space is greater than the key space, and the tag space is rather small. Moreover, it has a greater difference between the cardinality of the key space and the product of the cardinalities of the source and tag spaces. This is an advantage even when comparing with other SACs with no optimal impersonation and substitution probabilities. For instance, this last hypothetical construction would improve the probabilities and the space sizes of the codes in [4,8], although the code in [8] does not attain the optimal values for these probabilities.
Similar constructions were performed through resilient maps and functions generalizing bent maps, for any characteristic $p^r$, with $r>1$.

5. Conclusions

An authentication code using the trace, the Gray map, and resilient functions on Galois rings was constructed. In this regard, the current construction is similar to the constructions in [9]. In order to diminish the substitution and impersonation probabilities, we used resilient maps on Galois rings of general characteristic $p^r$, with $p$ a prime number and $r$ an integer greater than or equal to 2, in contrast to the former approaches based either on non-degenerate rational maps on Galois rings of general characteristic [9] or on bent maps on Galois rings of characteristic $p^2$. The current construction provides optimal substitution and impersonation probabilities, at the expense of larger cardinalities and an elaborate space structure. In contrast with [9], the key space of our code has greater cardinality than the source space: the code attains optimal probability values, but its key space is larger than its source space.
A second authentication code was built, and this code has convenient space sizes with a significant difference between the key space and the source space, and a small cardinality in the tag space. The probabilities are rather small, but the substitution probability is not optimal. However, this second construction is conditioned to the existence of a class of bent functions closed under the multiplication by units in the corresponding Galois ring. We look towards the proof of the existence of this necessary class of bent functions.

Author Contributions

The three authors contributed equally to conceptualization and formal analysis of this paper.

Funding

This research received no external funding.

Conflicts of Interest

The authors declare no conflict of interest.

References

  1. Chor, B.; Goldreich, O.; Håstad, J.; Friedman, J.; Rudich, S.; Smolensky, R. The Bit Extraction Problem of t-Resilient Functions (Preliminary Version). In Proceedings of the 26th Annual Symposium on Foundations of Computer Science (FOCS), Portland, OR, USA, 21–23 October 1985; pp. 396–407.
  2. Bennett, C.H.; Brassard, G.; Robert, J.M. Privacy Amplification by Public Discussion. SIAM J. Comput. 1988, 17, 210–229.
  3. Rueppel, R. Analysis and Design of Stream Ciphers; Communications and Control Engineering; Springer: Berlin, Germany, 1986.
  4. Ding, C.; Niederreiter, H. Systematic authentication codes from highly nonlinear functions. IEEE Trans. Inf. Theory 2004, 50, 2421–2428.
  5. Carlet, C.; Ding, C.; Niederreiter, H. Authentication Schemes from Highly Nonlinear Functions. Des. Codes Cryptogr. 2006, 40, 71–79.
  6. Ding, C.; Helleseth, T.; Kløve, T.; Wang, X. A Generic Construction of Cartesian Authentication Codes. IEEE Trans. Inf. Theory 2007, 53, 2229–2235.
  7. Stinson, D.R. Combinatorial characterizations of authentication codes. Des. Codes Cryptogr. 1992, 2, 175–187.
  8. Chanson, S.; Ding, C.; Salomaa, A. Cartesian authentication codes from functions with optimal nonlinearity. Theor. Comput. Sci. 2003, 290, 1737–1752.
  9. Özbudak, F.; Saygi, Z. Some constructions of systematic authentication codes using Galois rings. Des. Codes Cryptogr. 2006, 41, 343–357.
  10. Carlet, C.; Ku-Cauich, J.C.; Tapia-Recillas, H. Bent functions on a Galois ring and systematic authentication codes. Adv. Math. Commun. 2012, 6, 249–258.
  11. Ku-Cauich, J.C.; Morales-Luna, G.; Tapia-Recillas, H. Proof of Correspondence between Keys and Encoding Maps in an Authentication Code. Technical Report. arXiv 2017, arXiv:1703.08147.
  12. McDonald, B. Finite Rings with Identity; Pure and Applied Mathematics Series; Marcel Dekker Incorporated: New York, NY, USA, 1974.
  13. Wan, Z. Lectures on Finite Fields and Galois Rings; World Scientific: Singapore, 2003.
  14. Greferath, M.; Schmidt, S.E. Gray isometries for finite chain rings and a nonlinear ternary (36, 312, 15) code. IEEE Trans. Inf. Theory 1999, 45, 2522–2524.
  15. Carlet, C. More Correlation-Immune and Resilient Functions over Galois Fields and Galois Rings; EUROCRYPT; Fumy, W., Ed.; Springer: Berlin/Heidelberg, Germany, 1997; Volume 1233, pp. 422–433.
  16. Zhang, X.M.; Zheng, Y. Cryptographically resilient functions. IEEE Trans. Inf. Theory 1997, 43, 1740–1747.
  17. Ku-Cauich, J.C.; Morales-Luna, G. Authentication codes based on resilient Boolean maps. Des. Codes Cryptogr. 2015, 1–15.
  18. Ku-Cauich, J.C.; Tapia-Recillas, H. Systematic Authentication Codes Based on a Class of Bent Functions and the Gray Map on a Galois Ring. SIAM J. Discret. Math. 2013, 27, 1159–1170.
Table 1. Protocol of the transmission of a source $s\in S$.
Transmitter: evaluates $t=e_k(s)\in T$, forms the pair $m=(s,t)$ and sends $m$ to the receiver.
Receiver: receives $m=(s,t)$ and evaluates $t'=e_k(s)\in T$; if $t'=t$ then $s$ is accepted, otherwise the message $m$ is rejected.
Table 2. Parameter comparison of the introduced code with other previously published codes.
Code | $|S|$ | $|K|$ | $|T|$ | Bound for $p_I$ | Bound for $p_S$
(1) | $(c_0+c_1n-c_2n^2)\,q^{r-1}$ | $q^{r(mn+1)}$ | $q$ | $q^{-1}$ | $q^{-1}$
(2) q 2 n q r ( n + 1 ) q r q - r q - 1 + ( q - 1 ) q - ( n + 1 )
(3) q 3 n + 1 q 2 ( n + 1 ) q q - 1 q - 1 + ( q - 1 ) q - ( n + 1 )
(4) q n D - D p 2 q n + 2 q q - 1 q - 1 + q - 1 q D - 1 q n 2
(5) q 2 n ( N + 1 ) q 2 ( q n - N ) q q - 1 q - 1 + q - 1 q q n 2 q n - N . ( p + 1 ) ( N + 1 ) - 2
(6) q n D - D p 2 p - 1 p n + 1 p p - 1 + p - 1 p D - 1 p n 2 p - 1 + p 2 + p - 2 p D - 1 p n 2 - ( p - 1 ) ( D - 1 )
(7) q n D - D p q n + q q - 1 q - 1 + q - 1 q D - 1 q n 2
The codes are the following: (1) Our code. (2) [17] Prop. 11. (3) [18] Thm. 4.3. (4) [9] Prop. 3.2. (5) [9] Prop. 3.5. (6) [9] Prop. 4.5. (7) [9] Thm. 5.1.
Table 3. Parameters of the obtained systematic authentication code (SAC) $\mathcal{A}$.
Code | $|S|$ | $|K|$ | $|T|$ | Bound for $p_I$ | Bound for $p_S$
$\mathcal{A}$ | $(q^{n(t+1)}-1)\,q^{t-1}$ | $q^{t(n+1)}$ | $q$ | $q^{-1}$ | $q^{-1}+(q-1)\,q^{-\frac{tn+2}{2}}$
$\mathcal{A}'$ | $(q^{n(t+1)}-1)\,q^{nt-1}$ | $q^{t(n+1)}$ | $q$ | $q^{-1}$ | $q^{-1}+(q-1)\,q^{-\frac{tn+2}{2}}$