An Authentication Code over Galois Rings with Optimal Impersonation and Substitution Probabilities

Juan Carlos Ku-Cauich 1,†,‡, Guillermo Morales-Luna 1,‡ and Horacio Tapia-Recillas 2,*
1 Computer Science, CINVESTAV-IPN, Mexico City, Mexico; {jcku,gmorales}@cs.cinvestav.mx
2 Departamento de Matemáticas, Universidad Autónoma Metropolitana-I, Mexico City, Mexico; htr@xanum.uam.mx
* Correspondence: gmorales@cs.cinvestav.mx
† Current address: Av. IPN 2508, San Pedro Zacatenco, 07300 Mexico City, Mexico
‡ These authors contributed equally to this work.


Introduction
Resilient maps were introduced in 1985 by Chor et al. [1] and independently by Bennett et al. [2], in the context of key distribution and quantum cryptography protocols. Resilient maps have also been used in the generation of random sequences for stream ciphering [3].
The current paper deals with the notion of systematic authentication codes without secrecy as defined in [4] and considered in [5,6]. Within systematic authentication codes, two main problems arise: the first consists in attaining optimal (minimal) attack probabilities; the second consists in keeping the size of the key space as low as possible in comparison with the size of the message space, namely the product of the sizes of the source state space and the tag space. These two goals conflict, thus a trade-off strategy is required. Theorems 2.3 and 3.1 in [7] state that when optimal values for the impersonation and the substitution probabilities $p_I$, $p_S$ are reached, some relations among the sizes of the spaces arise; see also Theorem 14 in [8].
In this paper two new systematic authentication codes based on the Gray map on a Galois ring are introduced, with the purpose of optimally reducing the impersonation and substitution probabilities.
In the context of authentication codes the substitution and impersonation probabilities are important characteristics. We build a first code with optimal values for these probabilities, but at the cost of huge key and source spaces. A second code is introduced with convenient space sizes, but its substitution probability is not optimal.
The first code presented here is another example of a previously constructed code using the Gray map on Galois rings and modules over these rings [9]. The construction in [9] is based on rational non-degenerate maps. Here, through the generalized Gray map and resilient maps on Galois rings, we obtain minimal upper bounds for the attack probabilities, thus improving the former codes. Indeed, the obtained impersonation and substitution probabilities are optimal. However, the introduced code has a smaller source state space in comparison with the key space. We introduce precise definitions over Galois rings of the notions of resilient maps and the generalized Gray map. The introduced construction over Galois rings is translated into finite fields via the Gray map, thus providing similar codes on Galois fields. In [10] a family of bent maps is introduced over Galois rings of characteristic $p^2$, with $p$ a prime number; the class of these maps is closed under multiplication by units in the Galois ring. Under the assumption that a similar class of bent functions exists in Galois rings of characteristic $p^r$, with $r > 2$, we build a second, hypothetical code whose spaces have acceptable sizes, similar to those in former constructions, while its impersonation and substitution probabilities are improved: they are lower than those in other authentication codes with non-optimal probabilities. The paper is organized as follows. In Section 2 the basic construction of the Gray map is recalled.
In Section 3 a new systematic authentication code based on the Gray map is introduced and its main properties are determined. In Subsection 3.1 the general construction of a systematic authentication code is recalled, the new code is treated in Subsections 3.2 and 3.3, and in Subsection 3.4 we introduce the second code, on the assumption of the existence of an appropriate class of bent functions.
In Section 4 we make a succinct comparison with formerly introduced systematic authentication codes, and in Section 5 we state some conclusions. The existence of the required bijection between the key space and the set of encoding maps is proved in an exhaustive way; the proof is rather long, hence tedious, and the reader may find it in [11].

The Gray map over Galois Rings
Let $\mathbb{Z}_{p^r}$ be the ring of integers modulo $p^r$, where $p$ is a prime and $r$ a positive integer. A monic polynomial $f(x) \in \mathbb{Z}_{p^r}[x]$ is called monic basic irreducible (primitive) if its reduction modulo $p$ is an irreducible (primitive) polynomial over $\mathbb{F}_p$. The Galois ring of characteristic $p^r$ and degree $\ell$ is defined as the quotient ring $\mathrm{GR}(p^r, \ell) = \mathbb{Z}_{p^r}[x]/\langle f(x) \rangle$, where $f(x) \in \mathbb{Z}_{p^r}[x]$ is a monic basic irreducible polynomial of degree $\ell$ and $\langle f(x) \rangle$ is the ideal of $\mathbb{Z}_{p^r}[x]$ generated by $f(x)$. The polynomial $f(x)$ can be taken to be a divisor of $x^{p^\ell - 1} - 1$.
The Galois ring $R = \mathrm{GR}(p^r, \ell)$ is local with maximal ideal $M = \langle p \rangle = pR$ and residue field isomorphic to $\mathbb{F}_q$, where $q = p^\ell$. This ring has characteristic $p^r$, is a chain ring and $|R| = p^{r\ell}$. The group of units of $R$ is $U(R) = C \times G$, where $G$ is a group of order $p^{(r-1)\ell}$ and $C = \langle \omega \rangle$ is cyclic of order $p^\ell - 1$, with $f(\omega) = 0$. The Teichmüller set of representatives of $R$ is $T(R) = \{0\} \cup C = \{0, 1, \omega, \ldots, \omega^{p^\ell - 2}\}$. For details and further properties we refer the reader to [12] (Chapter XVI) and [13].
Let $p$ be a prime number, $r, \ell, m \in \mathbb{Z}^+$ and $q = p^\ell$. Let $A = \mathrm{GR}(p^r, \ell)$ and $B = \mathrm{GR}(p^r, m)$ be the corresponding Galois rings of degrees $\ell$ and $m$. The ring $A$ is an extension of $\mathbb{Z}_{p^r}$ and $B$ is an extension of $A$. Let $\mathrm{Tr}_{B/A} : B \to A$, $\mathrm{Tr}_{B/\mathbb{Z}_{p^r}} : B \to \mathbb{Z}_{p^r}$ and $\mathrm{Tr}_{A/\mathbb{Z}_{p^r}} : A \to \mathbb{Z}_{p^r}$ be the corresponding trace maps, and let $pA$ and $pB$ denote the maximal ideals of zero divisors of $A$ and $B$, respectively.
Firstly, let us recall some well known facts [9].

Lemma 1. Let $u \in A$. Then the following assertions hold:

From now on we assume that $r \ge 2$. The homogeneous weight on the ring $A$ is the map [14] $w_h : A \to \mathbb{N}$, $u \mapsto w_h(u)$; according to Lemma 1, the associated distance $d_h$ is a metric on $A$, so the ring $A$ can also be considered as the metric space $(A, d_h)$.
Let $\mathbb{F}_q^q$ be the $q$-dimensional vector space over the Galois field $\mathbb{F}_q$, and let "$\otimes$" denote the Kronecker product; we iterate this product "on the right". Let $e_j = (\delta_{ij})_{i=0}^{q-1}$ be the $j$-th vector in the canonical basis of $\mathbb{F}_q^q$, where $\delta_{ij}$ is the Kronecker delta, let $1^{(q)} = (1, \ldots, 1) = \sum_{j=0}^{q-1} e_j \in \mathbb{F}_q^q$ be the vector with all entries equal to 1, and let $\rho : A \to \mathbb{F}_q$ be the reduction modulo $p$ map. The vector $\varphi_i$ is the concatenation of $q^i$ blocks, each one consisting of the concatenation of blocks of the form $[\rho_j]^{q^{r-2-i}}$, where $\rho_j$ is the $j$-th coordinate of $\Xi$, for $j = 0, \ldots, q-1$ (see relation (3)).
Then the vector $\varphi_i$ can be efficiently constructed. In summary, for each $i = 0, \ldots, r-2$, the vector $\varphi_i$ defined by (3) can be expressed, in the notation introduced immediately after relation (3), as a concatenation of such blocks. The Gray map is defined by relation (5), where the elements of $A$ are represented in their $p$-adic form, i.e. $a = \sum_{i=0}^{r-1} a_i p^i$ with $a_i \in T(A)$.
In particular, if $r = 2$, the Gray map as defined by (5) applies to any element of the form $r_0 + r_1 p \in \mathrm{GR}(p^2, \ell)$ and coincides with the definition given in [9].
The vector space $\mathbb{F}_q^{q^{r-1}}$ can be endowed with a structure of metric space with the Hamming distance $d_H$: the distance between two vectors is the number of entries at which they differ.
Two important properties of the Gray map are stated by the following proposition.

Proposition 1. The following assertions hold:
1. Isometry [14]. The Gray map is an isometry between the Galois ring $A$, with the metric $d_h$, and the vector space $\mathbb{F}_q^{q^{r-1}}$, with the Hamming distance $d_H$.
2. The Gray map preserves addition:
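As an added example (not code from the paper), the smallest instance of this setting, $A = \mathrm{GR}(p^2, 1) = \mathbb{Z}_{p^2}$ with $r = 2$ and $\ell = 1$, is worked out below: Teichmüller digits, the homogeneous weight $w_h$, a Gray map $\Phi : A \to \mathbb{F}_p^p$, and an exhaustive check of the isometry in Proposition 1. The formula used for $\Phi$ is the standard generalized Gray map on $\mathbb{Z}_{p^2}$ and is an assumption, since relation (5) is not reproduced on this page; the additivity check is deliberately restricted to summands in the maximal ideal $pA$, where the map is additive (it is not additive on all of $A$).

```python
# Added example (not from the paper): the generalized Gray map on the Galois
# ring A = GR(p^2, 1) = Z_{p^2} (the case r = 2, l = 1) together with the
# homogeneous weight w_h, checked exhaustively for the isometry of Proposition 1.
# The explicit formula for Phi below is the standard one for Z_{p^2} and is an
# assumption: the paper's own relation (5) is not reproduced on the page.
from itertools import product

def teichmuller_set(p):
    """Teichmuller representatives T(A) of Z_{p^2}: the solutions of x^p = x."""
    return sorted(x for x in range(p * p) if pow(x, p, p * p) == x)

def padic_digits(u, p):
    """Write u in Z_{p^2} as a0 + a1*p with a0, a1 in the Teichmuller set."""
    T = teichmuller_set(p)
    a0 = next(t for t in T if (t - u) % p == 0)            # a0 = u mod p, lifted to T
    a1 = next(t for t in T if ((u - a0) // p - t) % p == 0)
    return a0, a1

def gray(u, p):
    """Phi(a0 + a1 p) = rho(a1)*(1,...,1) + rho(a0)*(0,1,...,p-1) in F_p^p, rho = mod p."""
    a0, a1 = padic_digits(u % (p * p), p)
    return tuple((a1 % p + (a0 % p) * j) % p for j in range(p))

def homogeneous_weight(u, p):
    """w_h on Z_{p^2}: 0 at 0, p on nonzero multiples of p, p - 1 on units."""
    u %= p * p
    if u == 0:
        return 0
    return p if u % p == 0 else p - 1

def hamming(v, w):
    return sum(1 for x, y in zip(v, w) if x != y)

def is_isometry(p):
    """d_H(Phi(u), Phi(v)) == d_h(u, v) = w_h(u - v) for every u, v in Z_{p^2}."""
    return all(hamming(gray(u, p), gray(v, p)) == homogeneous_weight(u - v, p)
               for u, v in product(range(p * p), repeat=2))

def is_additive_on_ideal(p):
    """Phi(u + w) == Phi(u) + Phi(w) for every w in the maximal ideal pA.

    Phi is not additive on all of A (digit carries break it), only for such w."""
    n = p * p
    return all(gray(u + w, p) == tuple((x + y) % p for x, y in zip(gray(u, p), gray(w, p)))
               for u in range(n) for w in range(0, n, p))
```

For $p = 3$, $T(A) = \{0, 1, 8\}$ and, for instance, $\Phi(1) = (0, 1, 2)$ and $\Phi(3) = (1, 1, 1)$, whose Hamming weights $2$ and $3$ are exactly $w_h(1)$ and $w_h(3)$.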

General systematic authentication codes
We recall that a systematic authentication code without secrecy [4] is a structure $(S, T, K, E)$ where $S$ is the source state space, $T$ is the tag space, $K$ is the key space and $E = (e_k)_{k \in K}$ is a sequence of encoding rules $S \to T$.
A transmitter and a receiver agree on a secret key $k \in K$. Whenever a source $s \in S$ must be sent, the participants proceed according to the protocol depicted in Table 1. The impersonation and substitution probabilities $p_I$ and $p_S$ of the code are given by relations (6) and (7); for the code to be acceptable, both $p_I$ and $p_S$ must be as small as possible.
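To make the two quantities concrete, the following added example (not from the paper) computes $p_I$ and $p_S$ exhaustively from the encoding rules of small codes. Relations (6) and (7) are not reproduced on this page, so the code uses the usual definitions of these probabilities, stated in its comments, and the two toy codes it evaluates are constructed here for illustration.

```python
# Added example (not from the paper): exhaustive computation of the impersonation
# and substitution probabilities p_I and p_S of a systematic authentication code
# (S, T, K, E) directly from its encoding rules e_k, using the standard definitions
#   p_I = max over (s, t)               of |{k : e_k(s) = t}| / |K|
#   p_S = max over (s, t, s2, t2), s2 != s, of |{k : e_k(s) = t, e_k(s2) = t2}| / |{k : e_k(s) = t}|
# It is run on the textbook affine code e_(a,b)(s) = a*s + b over F_q (q prime), which
# reaches the optimal value p_I = p_S = 1/|T| = 1/q, and on an additive code
# e_k(s) = s + k whose p_I is just as good but whose p_S is 1.
from fractions import Fraction
from itertools import product

def impersonation_probability(S, T, K, e):
    """Best success chance of sending a forged (s, t) without any observed message."""
    return max(Fraction(sum(1 for k in K if e(k, s) == t), len(K))
               for s, t in product(S, T))

def substitution_probability(S, T, K, e):
    """Best chance that (s2, t2), s2 != s, is accepted after observing a valid (s, t)."""
    best = Fraction(0)
    for s, t in product(S, T):
        consistent = [k for k in K if e(k, s) == t]        # keys that explain (s, t)
        if not consistent:
            continue
        for s2, t2 in product(S, T):
            if s2 != s:
                hits = sum(1 for k in consistent if e(k, s2) == t2)
                best = max(best, Fraction(hits, len(consistent)))
    return best

def affine_code(q):
    """S = T = F_q, K = F_q^2, e_(a,b)(s) = a*s + b mod q, so |K| = |S| * |T|."""
    def e(k, s):
        return (k[0] * s + k[1]) % q
    return range(q), range(q), list(product(range(q), repeat=2)), e

def additive_code(q):
    """S = T = K = F_q, e_k(s) = s + k mod q: one observed pair (s, t) reveals k."""
    def e(k, s):
        return (s + k) % q
    return range(q), range(q), range(q), e

def attack_probabilities(code):
    """Return (p_I, p_S) as exact fractions for a code given as (S, T, K, e)."""
    S, T, K, e = code
    return impersonation_probability(S, T, K, e), substitution_probability(S, T, K, e)
```

The affine code pays $|K| = |S| \cdot |T|$ keys for reaching both optimal values, while the additive code with $|K| = |T|$ keeps $p_I = 1/q$ but has $p_S = 1$: this is the key-size versus attack-probability trade-off discussed in the introduction.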

A new systematic authentication code
In the context of finite fields of characteristic 2, for $n \in \mathbb{Z}^+$ and $1 \le t \le n$, let $J = \{j_0, \ldots, j_{t-1}\} \subset \{0, \ldots, n-1\}$ be an index $t$-subset. The affine $J$-variety determined by $a = (a_0, \ldots, a_{t-1}) \in \mathbb{F}_2^t$ is

The notion of $t$-resilient maps has been studied by several authors in the context of Galois rings, taking the last property of the above paragraph as the definition, and well known wide classes of $t$-resilient maps have been provided. For instance, from Theorem 1 in [15], for any $n \in \mathbb{Z}^+$, if $B$ is a Galois ring, $f_0 : B^n \to B^n$ is a map such that every element of its image $f_0(B^n)$ has more than $t$ entries which are units in $B$, and $f_1 : B^n \to B$ is any map, then the map $f : B^n \to B$ obtained from $f_0$ and $f_1$ is $t$-resilient.

In this section a systematic authentication code is constructed using a resilient function on a Galois ring and the Gray map on this ring.
Let $p > 2$ be a prime number, $r, \ell, m \in \mathbb{Z}^+$, and $q = p^\ell$. Assume the same setting as at the beginning of Section 2.
Let $U(B) = (B - pB) \cup \{0\}$ be the set of elements of the Galois ring $B$ that are either units or zero.
Let $n \in \mathbb{Z}^+$ be another positive integer and $f : B^n \to B$ a $t$-resilient map. The following assertions hold:
• For $a \in B - pB$, the map $B^n \to B$, $x \mapsto a f(x)$, is $t$-resilient, hence it is also balanced.
• For $a \in B - pB$, the map $B^n \to \mathbb{Z}_{p^r}$, $x \mapsto \mathrm{Tr}_{B/\mathbb{Z}_{p^r}}(a f(x))$, is balanced (as a composition of balanced maps).
• As a more general result than Corollary 2 of [16], the map $x \mapsto \mathrm{Tr}_{B/\mathbb{Z}_{p^r}}(a f(x) + b \cdot x)$ is balanced whenever $w_h(b) \le t$ and either $(a, b) \in U(B) \times (U(B))^n$, with $(a, b) \ne (0, 0)$, or
• Recall that the Fourier transform of the map $a f$ is the function $\zeta_{af}$.
As shown in [15], $\zeta_{af}(b) = 0$ under the same conditions as in the above assertion. Let $T(A)$ be the set of the Teichmüller representatives of $\mathbb{F}_q$ in $A$.
Similarly, $T(B)$ is the set of the Teichmüller representatives of $\mathbb{F}_{q^m}$ in $B$.
Let $n \in \mathbb{Z}^+$ and $t \le n$. For any $i < n$, let $e_i = (\delta_{ij})_{j=0}^{n-1}$ be the $i$-th vector in the canonical set of generators of $B^n$. For any $b \in T(B)^n$, let

Let us consider an $(r-1)n$-subset of $T(A) - \{0, 1\}$, and

Let $\theta = (\theta_j)_{j=0}^{n-1}$ be an $n$-sequence of $G(T(B))$ (repetitions are allowed), and $\zeta \in T(B) - \{0\}$. For each integer $k$, with $0 \le k \le q^m - (r-1)n - 2$, let

Then $T_{\theta\zeta k} \subset B \times B^n$ and $|T_{\theta\zeta k}| = (q^m - 1)n$.
Let $Z$ be a subset of $T(B) - \{0\}$, with $(q^m - 1 - (r-1)n - 1)$ elements, such that $Z \cap \eta = \emptyset$, and

Then $T_{\eta\theta Z} \subset B \times B^n$ and

Certainly, at this point the definition of the source set $S$ is quite unnatural. However, defined in this way, it guarantees an appropriate distance between elements (Proposition 2), leading to optimal results (Proposition 4), while keeping balanced the maps $x \mapsto \mathrm{Tr}_{B/\mathbb{Z}_{p^r}}(a f(x) + b \cdot x)$, for a $t$-resilient map $f$. This particular structure of the source space $S$ allows a one-to-one correspondence between keys and encoding maps (Proposition 3). From relations (14), $S \subset B \times B^n \times A$, and $|K| = q^{r(mn+1)}$.

Main characteristics of the new code
Let $\Phi : A \to \mathbb{F}_q^{q^{r-1}}$ be the Gray map on $A$ as defined in (5). We observe that for any element $y = \sum_{i=0}^{r-2} a_i p^i \in L$, with $(a_0, \ldots, a_{r-2}) \in T(A)^{r-1}$ (see (10)), the evaluation of $\Phi$ at $y$, according to (5), is

Also, since $q - 1$ is even, for any $\xi$ generating $T_A$, either $-\xi \in T_A$ or $-1 \in T_A$. The following implication holds:

(see relation (8) above). Since $|p^{r-1}A| = q$, we have $\left(\mathbb{F}_q^{q^{r-1}}\right)^{q^{rmn+1}} \cong \mathbb{F}_q^{q^{r(mn+1)}}$, thus we may assume $u_s \in \mathbb{F}_q^{q^{r(mn+1)}}$.
Proposition 2. Let $d_H$ be the Hamming distance on the vector space $\mathbb{F}_q^{q^{r(mn+1)}}$ and let $f : B^n \to B$ be a $t$-resilient map. For any two points $s_0 = (s_{00}, s_{10}, s_{20})$, $s_1 = (s_{01}, s_{11}, s_{21}) \in S$, with $s_0 \ne s_1$, and any two $w_0, w_1 \in p^{r-1}A$, the following relation holds: $d_H(u_{s_0,w_0}, u_{s_1,w_1}) = q^{rmn}(q^{r-1} - q^{r-2})$.
Proof. Let $s_2 = s_0 - s_1$ and $w_2 = w_0 - w_1$. Then the calculation of the Hamming distance between the points $u_{s_0,w_0}$ and $u_{s_1,w_1}$ is displayed in Table 2, where equality (i) holds because $\Phi$ is an isometry, equality (ii) follows from the defining relation (1), and equality (iii) is due to relation (16).
If $(s_{02}, s_{12}) = (0, 0)$, also from (18) we obtain

For each $k \in K = \mathbb{Z}_{q^{r(mn+1)}}$, let $e_k : S \to T$ be the map

The set of encoding rules in the proposed systematic authentication code is thus $E = (e_k)_{k \in K}$.
Proposition 3. The map $K \to E$, $k \mapsto e_k$, is one-to-one.
Proof. The proposition is clearly equivalent to the following statement: $\forall k_0, k_1 \in K$,

where $u_s$ is given by relation (17).
According to (17), each element $u_s$, $s \in S$, is the concatenation of $q$ arrays $u_{s,w}$, each of length $q^{rmn}$. The index range $\{0, \ldots, q^{r(mn+1)} - 1\}$ of the element $u_s$ can be split as the concatenation of $q^{rmn+1}$ integer intervals $K_{x,w} = \{\text{indexes of the entries with value } \Phi(v_{s,w}(x))\}$, with $(x, w) \in B^n \times p^{r-1}A$, and each integer interval $K_{x,w}$ has length $q^{r-1}$.
• Case III: $\exists w_0, w_1 \in p^{r-1}A$, $\exists x \in B^n$:
• Case IV: $\exists w_0, w_1 \in p^{r-1}A$, $\exists x, y \in B^n$:
The analysis of these cases, giving a full proof of the proposition, is rather extensive and certainly tedious. It is provided in full detail in [11].
Proposition 4. For the authentication code defined by relations (14) and (19) the following relations hold:

Proof. The map $k \mapsto e_k$ is one-to-one (Proposition 3). For any $t \in T = \mathbb{F}_q$, we have

where $u_s$ is defined by relation (17). Since $|K| = q^{r(mn+1)}$, from (6), $p_I = 1/q$. Now, consider $s_0 = (s_{00}, s_{10}, s_{20})$, $s_1 = (s_{01}, s_{11}, s_{21}) \in S$ such that $s_0 \ne s_1$. For each $t_0, t_1 \in T$ and each $k \in K$, let $w \in p^{r-1}A$ and $x \in B^n$ be such that $k \in K_{x,w}$. Then the equivalences shown in Table 3 are immediate. From there, it can be seen that $|\{k \in K \mid e_k(s_0) = t_0 \ \&\ e_k(s_1) = t_1\}| = q^{r(mn+1)-1} - d_H(u_{s_0,w}, u_{s_1,w})$. Now, from (7) and (23):

Observe at this point that instead of $N$ in (14), it is possible to take the set

in order to produce a new systematic authentication code with the same impersonation and substitution probabilities as in (22).

A second systematic authentication code
Let $p$ be a prime number, $r, \ell, n \in \mathbb{Z}^+$ and $q = p^\ell$. Let $A = \mathrm{GR}(p^r, \ell)$ and $B = \mathrm{GR}(p^r, n)$ be the corresponding Galois rings of degrees $\ell$ and $n$. Let $L = \{r_0 + r_1 p + \cdots + r_{r-2} p^{r-2} \mid r_0, \ldots, r_{r-2} \in T(A)\} \subset (A \setminus p^{r-1}A) \cup \{0\}$.

space sizes of the codes in [4,8], although the code in [8] does not attain the optimal values for these probabilities.
Similar constructions were performed through resilient maps and functions generalising bent maps, for any characteristic p r , with r > 1.

Conclusions
An authentication code using the trace, the Gray map and resilient functions on Galois rings was constructed. In this regard, the current construction is similar to the constructions in [9]. In order to diminish the substitution and impersonation probabilities, here we used resilient maps on Galois rings of general characteristic $p^r$, with $p$ a prime number and $r$ an integer greater than or equal to 2, in contrast to the former approach based either on non-degenerate rational maps on Galois rings of general characteristic [9], or on bent maps on Galois rings of characteristic $p^2$. The current construction provides optimal substitution and impersonation probabilities, at the expense of larger cardinalities and an elaborate space structure. In contrast with [9], our code attains optimal probability values but has a key space of greater cardinality than the corresponding source space.
A second authentication code is built; this code has convenient space sizes, with a significant difference between the key space and the source space, and a small cardinality of the tag space. Its probabilities are rather small, but the substitution probability is not optimal. However, this second construction is conditioned on the existence of a class of bent functions closed under multiplication by units in the corresponding Galois ring. We look towards a proof of the existence of this necessary class of bent functions.
Table 1. Protocol of the transmission of a source $s \in S$: the transmitter sends $m = (s, t)$, where $t = e_k(s)$; the receiver receives $m' = (s', t')$, evaluates $t'' = e_k(s') \in T$, and if $t'' = t'$ then accepts $s'$, otherwise the message $m'$ is rejected. The communicating channel is public, thus it can be eavesdropped upon by an intruder able to perform either impersonation or

Table 2 (surviving fragment of the distance computation in the proof of Proposition 2): $e^{\frac{2\pi i}{p^r}\mathrm{Tr}_{A/\mathbb{Z}_{p^r}}(r_0 w_2)}\, e^{\frac{2\pi i}{p^r}\mathrm{Tr}_{A/\mathbb{Z}_{p^r}}(r_0 s_{22})} \sum_{x \in B^n} e^{\frac{2\pi i}{p^r}\mathrm{Tr}_{B/\mathbb{Z}_{p^r}}(r_0 s_{02} f(x) + r_0 s_{12} \cdot x)}$

Table 3. Equivalent conditions for a pair of encoding sources.