An Authentication Code over Galois Rings with Optimal Impersonation and Substitution Probabilities

Abstract

Two new systematic authentication codes based on the Gray map over a Galois ring are introduced. The first introduced code attains optimal impersonation and substitution probabilities. The second code improves space sizes, but it does not attain optimal probabilities. Additionally, it is conditioned to the existence of a special class of bent maps on Galois rings.

1. Introduction

Resilient maps were introduced in 1985 by Chor et al. [1] and independently by Bennett et al. [2], in the context of key distribution and quantum cryptography protocols. Resilient maps have also been used in the generation of random sequences aimed to stream ciphering [3].

The current paper deals with the notion of systematic authentication codes without secrecy as defined in [4] and considered in [5,6]. Within the systematic authentication codes, two main problems arise: the first problem consists of getting optimal minimal attack probabilities, the second problem consists of keeping the size of the key spaces as low as possible in comparison with the size of the message space—namely, the product of the sizes of the source state space and the tag space. These two goals are conflicting, and thus a trade-off strategy is required. Theorems 2.3 and 3.1 in [7] state that when optimal values for the impersonation and the substitution probabilities $p_I$, $p_S$ are reached, then some relations among the sizes of the spaces arise (see also Theorem 14 in [8]).

In this paper, two new systematic authentication codes based on the Gray map on a Galois ring are introduced with the purpose of optimally reducing the impersonation and substitution probabilities. In the context of authentication codes, the substitution and impersonation probabilities are important characteristics. We build a first code with optimal values for these probabilities but at the cost of huge key and source spaces. A second code is introduced with convenient spaces sizes, but the corresponding substitution probability is not optimal.

The first code presented here is another example of a previously constructed code using the Gray map on Galois rings and modules over these rings [9]. The construction in [9] is based on rational non-degenerated maps. Here, through the generalized Gray map and resilient maps on Galois rings we obtain minimal upper bounds for the attack probabilities, thus improving former codes. Indeed, the obtained impersonation and substitution probabilities are optimal. However, the introduced code has a smaller source state space in comparison with the key space. We introduce precise definitions over Galois rings of the notions of resilient maps and the generalized Gray map. The introduced construction over Galois rings is translated into finite fields via the Gray map, thus providing similar codes on Galois fields.

In [10] a family of bent maps is introduced over Galois rings of characteristic $p^2$, with p a prime number. The class of these maps is closed under multiplication by units in the Galois ring, under the assumption that there exists a similar class of bent functions in Galois rings of characteristic $p^r$, with $r>2$. For this hypothetical code we obtain spaces of acceptable size, similar to sizes in former constructions but with improved impersonation and substitution probabilities. In fact, the probabilities are lower than those in other authentication codes with no optimal probabilities.

The paper is organized as follows: In Section 2 the basic construction of the Gray map is recalled. In Section 3 a new systematic authentication code based on the Gray map is introduced and its main properties are determined. In Section 3.1 the general construction of a systematic authentication code is recalled, and the new code is treated in Section 3.2 and Section 3.3. In Section 3.4 we introduce the second code on the assumption of the existence of an appropriate class of bent functions. In Section 4 we make a succinct comparison with formerly introduced systematic authentication codes, and in Section 5 we state some conclusions. The existence of the required bijection between the key space and the set of encoding maps is proved exhaustively and the current proof is rather long (hence, tedious). However, the reader can find it in [11].

2. The Gray Map over Galois Rings

Let ${\mathbb{Z}}_{p^r}$ be the ring of integers modulo $p^r$, where p is a prime and r a positive integer. A monic polynomial $f\left(x\right)\in {\mathbb{Z}}_{p^r}\left[x\right]$ is called monic basic irreducible (primitive) if its reduction modulo p is an irreducible (primitive) polynomial over ${\mathbb{F}}_p$. The Galois ring of characteristic $p^r$ is defined as

$$\begin{array}{c}\hfill \mathrm{GR}(p^r,l)={\mathbb{Z}}_{p^r}\left[x\right]/⟨f\left(x\right)⟩,\end{array}$$

where $f\left(x\right)\in {\mathbb{Z}}_{p^r}\left[x\right]$ is a monic basic irreducible polynomial of degree l and $⟨f\left(x\right)⟩$ is the ideal of ${\mathbb{Z}}_{p^r}\left[x\right]$ generated by $f\left(x\right)$. The polynomial $f\left(x\right)$ can be taken such that it is a divisor of $x^{p^l-1}-1$.

The Galois ring $R=\mathrm{GR}(p^r,l)$ is local with maximal ideal $M=⟨p⟩=pR$ and residue field isomorphic to ${\mathbb{F}}_q$ where $q=p^l$. This ring has characteristic $p^r$, is a chain ring, and $\left|R\right|=p^{rl}$. The group of units of R is $U\left(R\right)=C\times G$, where G is a group of order $p^{(r-1)l}$, $C=⟨\omega ⟩$ has order $(p^l-1)$, and $f\left(\omega \right)=0$. The Teichmüller set of representatives of R is $T\left(R\right)=\left\{0\right\}\cup C$. Any $\beta \in R$ has a unique p-adic (multiplicative) representation: $\beta ={\beta }_0+{\beta }_{1}p+\cdots +{\beta }_{r-1}{p}^{r-1},$ where ${\beta }_i\in T\left(R\right)$ for $0\le i\le r-1$. The ring R has the structure of a ${\mathbb{Z}}_{p^r}$-module: $R={\mathbb{Z}}_{p^r}\left[\omega \right]={\mathbb{Z}}_{p^r}+\omega {\mathbb{Z}}_{p^r}+\cdots +{\omega }^{l-1}{\mathbb{Z}}_{p^r}.$ For details and further properties we refer the reader to ([12], [Chapter XVI]) and [13].

Let p be a prime number, $r,\ell ,m\in {\mathbb{Z}}^{+}$, and $q=p^{\ell }$. Let $A=\mathrm{GR}\left(p^r,\ell \right)$ and $B=\mathrm{GR}\left(p^r,\ell m\right)$ be the corresponding Galois rings of degrees ℓ and $\ell m$. The ring A is an extension of ${\mathbb{Z}}_{p^r}$, and B is an extension of A. Let ${\mathrm{Tr}}_{B/A}:B\to A$, ${\mathrm{Tr}}_{B/{\mathbb{Z}}_{p^r}}:B\to {\mathbb{Z}}_{p^r}$ and ${\mathrm{Tr}}_{A/{\mathbb{Z}}_{p^r}}:A\to {\mathbb{Z}}_{p^r}$ be the corresponding trace maps, and let $pA$ and $pB$ denote the maximal ideals of zero divisors of A and B, respectively.

Firstly, let us recall some well-known facts [9], as follows.

Lemma 1.

Let $u\in A$. Then the following assertions hold:

1.

${\displaystyle \sum _{x\in A}{e}^{\frac{2\pi }{p^r}i{\mathrm{Tr}}_{A/{\mathbb{Z}}_{p^r}}\left(ux\right)}=\left\{\begin{array}{cc}{q}^r& ifu=0\hfill \\ 0& ifu\ne 0\hfill \end{array}\right.}$

2.

${\displaystyle \sum _{x\in pA}{e}^{\frac{2\pi }{p^r}i{\mathrm{Tr}}_{A/{\mathbb{Z}}_{p^r}}\left(ux\right)}=\left\{\begin{array}{cc}{q}^{r-1}& ifu\in p^{r-1}A\hfill \\ 0& ifu\notin p^{r-1}A\hfill \end{array}\right.}$

3.

${\displaystyle \sum _{x\in A-pA}{e}^{\frac{2\pi }{p^r}i{\mathrm{Tr}}_{A/{\mathbb{Z}}_{p^r}}\left(ux\right)}}=\left\{\begin{array}{cc}\hfill q^r-q^{r-1}& ifu=0\hfill \\ \hfill -q^{r-1}& ifu\in p^{r-1}A-\left\{0\right\}\hfill \\ \hfill 0& ifu\notin p^{r-1}A\hfill \end{array}\right.$

From this point forward we assume that $r\ge 2$. The homogeneous weight on the ring A is the map [14] $w_h:A\to \mathbb{N}$, $u\mapsto w_h\left(u\right),$ where

$$w_h\left(u\right)=\left(q^{r-1}-q^{r-2}\right)-\frac{1}{q}\sum _{x\in A-pA}{e}^{\frac{2\pi }{p^r}i{\mathrm{Tr}}_{A/{\mathbb{Z}}_{p^r}}\left(ux\right)},$$

(1)

and, according to Lemma 1, $\forall u\in A:$

$$w_h\left(u\right)=\left\{\begin{array}{cc}0\hfill & \mathrm{if}u=0\hfill \\ q^{r-1}\hfill & \mathrm{if}u\in p^{r-1}A-\left\{0\right\}\hfill \\ q^{r-1}-q^{r-2}\hfill & \mathrm{if}u\in A-p^{r-1}A\hfill \end{array}\right..$$

(2)

Indeed, the map $d_h:A\times A\to {\mathbb{Z}}^{+}$, $(u,v)\mapsto d_h(u,v)=w_h(u-v),$ is a metric on A. The ring A can also be considered as the metric space $(A,d_h)$.

Let ${\mathbb{F}}_q^q$ be the q-dimensional vector space over the Galois field ${\mathbb{F}}_q$, and “⊗” denote the Kroenecker product ${\mathbb{F}}_q^m\times {\mathbb{F}}_q^n\to {\mathbb{F}}_q^{mn}$, $\left({\left(u_i\right)}_i,{\left(v_j\right)}_j\right)\mapsto {\left(u_i\right)}_i\otimes {\left(v_j\right)}_j={\left(w_{in+j}=u_i{v}_j\right)}_{i,j}.$ We iterate this product “on the right” as: ${⨂}_{k=0}^n{v}_k=\left({⨂}_{k=0}^{n-1}{v}_k\right)\otimes v_n.$ Let $e_j={\left({\delta }_{ij}\right)}_{i=0}^{q-1}$ be the j-th vector in the canonical basis of ${\mathbb{F}}_q^q$, where ${\delta }_{ij}$ is the Kroenecker delta, ${\mathbf{1}}^{\left(q\right)}=(1,\dots ,1)={\sum }_{j=0}^{q-1}{e}_j\in {\mathbb{F}}_q^q$ is the vector with constant entries equal to 1, and $\rho :A\to {\mathbb{F}}_q$ the reduction modulus p map. Let $T\left(A\right)=\left\{0\right\}\cup {\left({\xi }_A^j\right)}_{j=0}^{q-2}$ be the set of Teichmüller representatives of ${\mathbb{F}}_q$ in A and let $\Xi =(0,\rho \left({\xi }_A\right),\dots ,\rho \left({\xi }_A^{q-2}\right),\rho \left({\xi }_A^{q-1}\right))\in {\mathbb{F}}_q^q.$ For each index $i=0,\dots ,r-2$ let

$${\varphi }_i=\underset{k=0}{\overset{r-2}{⨂}}\left({\mathbf{1}}^{\left(q\right)}+{\delta }_{ik}(\Xi -{\mathbf{1}}^{\left(q\right)})\right)={\left({\mathbf{1}}^{\left(q\right)}\right)}^{\otimes i}\otimes \Xi \otimes {\left({\mathbf{1}}^{\left(q\right)}\right)}^{\otimes (r-2-i)}\in {\mathbb{F}}_q^{q^{r-1}}$$

(3)

(here, for any $v\in {\mathbb{F}}_q^q$, $v^{\otimes 0}=\left[1\right]$ and $v^{\otimes (k+1)}=v^{\otimes k}\otimes v$). For $k\in {\mathbb{Z}}^{+}$ let ${\left[y\right]}_k=y{\mathbf{1}}^{\left(k\right)}=(\underset{\underset{k-times}{︸}}{y,\dots ,y})$. The vector ${\varphi }_i$ is the concatenation of $q^i$ blocks, each one consisting of the concatenation of blocks of the form ${\left[{\rho }_j\right]}_{q^{r-2-i}}$, where ${\rho }_j$ is the j-th coordinate of $\Xi$, for $j=0,\dots ,q-1$ (see Relation (3)).

Then, the vector ${\varphi }_i$ can be efficiently constructed: given an index k, with $0\le k\le q^{r-1}-1$, let $k_0=kmod{q}^{r-1-i}$ and $k_i=\lfloor \frac{k_0}{q^{r-2-i}}\rfloor$. Then, ${\varphi }_i\left(k\right)$ is the $k_i$-th coordinate of $\Xi$. In summary, for each $i=0,\dots ,r-2$, the vector ${\varphi }_i$ defined by (3) can be expressed as:

$${\varphi }_i={\left[{\left[0\right]}_{q^{r-2-i}},{\left[\rho \left({\xi }_A\right)\right]}_{q^{r-2-i}},\dots ,{\left[\rho \left({\xi }_A^{q-2}\right)\right]}_{q^{r-2-i}},{\left[\rho \left({\xi }_A^{q-1}\right)\right]}_{q^{r-2-i}}\right]}_{q^i},$$

(4)

where we are using the notation introduced immediately after the relation (3). As a final vector, let us define ${\varphi }_{r-1}={\left[1\right]}_{q^{r-1}}.$ The Gray map is defined as follows:

$$\begin{array}{ccc}\hfill \Phi :\mathrm{GR}\left(p^r,\ell \right)=A& \to & {\mathbb{F}}_q^{q^{r-1}}\hfill \\ \hfill \sum _{i=0}^{r-1}{a}_i{p}^i& \mapsto & \Phi \left(\sum _{i=0}^{r-1}{a}_i{p}^i\right)=\sum _{i=0}^{r-1}\rho \left(a_i\right){\varphi }_i,\hfill \end{array}$$

(5)

where the elements of A are represented in their p-adic form (i.e., $a_i\in T\left(A\right)$).

In particular, if $r=2$, we have

$$\begin{array}{ccc}\hfill {\varphi }_0& =& (0,\rho \left({\xi }_A\right),\dots ,\rho \left({\xi }_A^{q-2}\right),\rho \left({\xi }_A^{q-1}\right)),\hfill \\ \hfill {\varphi }_1& =& (1,1,\dots ,1,1)\in {\mathbb{F}}_q^q.\hfill \end{array}$$

Then the Gray map, as defined by (5), equals, for any element of the form $r_0+r_{1}p\in \mathrm{GR}\left(p^2,\ell \right)$:

$$\begin{array}{ccc}\hfill \Phi \left(r_0+r_{1}p\right)& =& \rho \left(r_0\right){\varphi }_0+\rho \left(r_1\right){\varphi }_1\hfill \\ & =& \rho \left(r_0\right)(0,\rho \left({\xi }_A\right),\dots ,\rho \left({\xi }_A^{q-2}\right),\rho \left({\xi }_A^{q-1}\right))+\rho \left(r_1\right)(1,1,\dots ,1,1)\hfill \\ & =& \left((\rho \left(r_1\right),\rho (r_1+r_0{\xi }_A),\dots ,\rho (r_1+r_0{\xi }_A^{q-2}),\rho (r_1+r_0{\xi }_A^{q-1})\right),\hfill \end{array}$$

which coincides with the definition given in [9].

The vector space ${\mathbb{F}}_q^{q^{r-1}}$ can be endowed with a structure of metric space with the Hamming distance $d_H$: the distance between two vectors is the number of entries at which they differ.

Two important properties of the Gray map are stated by the following proposition:

Proposition 1.

The following assertions hold:

1.

Isometry[14]. The Gray map is an isometry between the Galois ring A and the vector space ${\mathbb{F}}_q^{q^{r-1}}$:

$$\forall u,v\in A:d_h(u,v)=d_H(\Phi \left(u\right),\Phi \left(v\right)).$$

2.

The Gray map preserves addition:

$$\forall (u,v)\in A\times p^{r-1}A:\Phi (u+v)=\Phi \left(u\right)+\Phi \left(v\right).$$

3. A Systematic Authentication Code Based on the Gray Map

3.1. General Systematic Authentication Codes

We recall that a systematic authentication code without secrecy [4] is a structure $(S,T,K,E)$ where S is the source state space, T is the tag space, K is the key space and $E={\left(e_k\right)}_{k\in K}$ is a sequence of encoding rules $S\to T$.

A transmitter and a receiver agree to a secret key $k\in K$. Whenever a source $s\in S$ must be sent, the participants proceed according to the protocol depicted in Table 1.

Table 1. Protocol of the transmission of a source $s\in S$.

Transmitter		Receiver
evaluates $t=e_k\left(s\right)\in T$
forms the pair $m=(s,t)$	$\stackrel{m}{⟶}$	receives $m^{\prime }=(s^{\prime },t^{\prime })$,
		evaluates $t^{″}=e_k\left(s^{\prime }\right)\in T$
		if $t^{\prime }=t^{″}$ then accepts $s^{\prime }$, otherwise the message $m^{\prime }$ is rejected

The communicating channel is public, thus it can be eavesdropped upon by an intruder able to perform either impersonation or substitution attacks through the public channel. The intruder’s success probabilities for impersonation and substitution are, respectively [7]:

$$\begin{array}{ccc}\hfill p_I& =& \underset{(s,t)\in S\times T}{max}\frac{\left|\{k\in K|e_k\left(s\right)=t\}\right|}{\left|K\right|},\hfill \end{array}$$

(6)

$$\begin{array}{ccc}\hfill p_S& =& \underset{(s,t)\in S\times T}{max}\underset{(s^{\prime },t^{\prime })\in (S-\left\{s\right\})\times T}{max}\frac{\left|\{k\in K|e_k\left(s\right)=t\&e_k\left(s^{\prime }\right)=t^{\prime }\}\right|}{\left|\{k\in K|e_k\left(s\right)=t\}\right|}.\hfill \end{array}$$

(7)

For systematic authentication codes, lower bounds are known for $p_I$ and $p_S$ [5]:

$$\begin{array}{c}\hfill \frac{1}{\left|T\right|}\le p_I\mathrm{and}\frac{1}{\left|T\right|}\le p_S,\end{array}$$

and in order to be acceptable, both $p_I$ and $p_S$ must be as small as possible.

3.2. A New Systematic Authentication Code

In the context of finite fields of characteristic 2, for $n\in {\mathbb{Z}}^{+}$ and $1\le t\le n$, let $J=\{j_0,\dots ,j_{t-1}\}\subset \{0,\dots ,n-1\}$ be an index t-subset. The affine J-variety determined by $a=(a_0,\dots ,a_{t-1})\in {\mathbb{F}}_2^t$ is

$$\begin{array}{c}\hfill V_{J,a,n}=\{x\in {\mathbb{F}}_2^n|\forall k\in \{0,\dots ,t-1\}:x_{j_k}=a_k\}.\end{array}$$

A map $f:{\mathbb{F}}_2^n\to {\mathbb{F}}_2^m$, $m\le n$, is J-resilient if $\forall a\in {\mathbb{F}}_2^t$, the map ${\left.f\right|}_{V_{J,a,n}}$ is balanced, namely, $\forall y\in {\mathbb{F}}_2^m$, $\left|V_{J,a,n}\cap f^{-1}\left(y\right)\right|=2^{n-t-m}$. The map $f:{\mathbb{F}}_2^n\to {\mathbb{F}}_2^m$ is t-resilient if it is J-resilient for any set J such that $\left|J\right|=t$. The notion of t-resilient maps has been studied by several authors in the context of Galois rings, assumed as the last property of the above paragraph, and well-known wider classes of t-resilient maps have been provided. For instance, from Theorem 1 in [15], for any $n\in {\mathbb{Z}}^{+}$, if B is a Galois ring and $f_0:B^n\to B^n$ is a map such that any element at its image $f_0\left(B^n\right)$ has more than t entries which are units in B and $f_1:B^n\to B$ is any map, then the map $f:B^{2n}\to B$, $(x,y)\mapsto x·f_0\left(y\right)+f_1\left(y\right)$ is a t-resilient map, $1\le t\le n.$

In this section, a systematic authentication code is constructed using a resilient function on a Galois ring and the Gray map on this ring.

Let $p>2$ be a prime number, $r,\ell ,m\in {\mathbb{Z}}^{+}$, and $q=p^{\ell }$. Assume the same setting as in the beginning of Section 2.

Let $U\left(B\right)=\left(B-pB\right)\cup \left\{0\right\}$ be the set of elements of the Galois ring B that are either units or zero. Let $n\in {\mathbb{Z}}^{+}$ be another positive integer, and $f:B^n\to B$ be a t-resilient map. The following assertions hold:

• For $a\in B-pB$, the map $B^n\to B$, $x\mapsto af\left(x\right)$, is t-resilient, hence it is also balanced.
• For $a\in B-pB$, the map $B^n\to {\mathbb{Z}}_{p^r}$, $x\mapsto {\mathrm{Tr}}_{B/{\mathbb{Z}}_{p^r}}\left(af\left(x\right)\right)$, is balanced (as composition of balanced maps).
• As a more general result than Corollary 2 of [16], we have that the map

  $${\gamma }_{abf}:B^n\to A,{\gamma }_{abf}:x\mapsto {\mathrm{Tr}}_{B/A}(af\left(x\right)+b·x).$$

  (8)

  is balanced whenever $w_h\left(b\right)\le t$ and either $(a,b)\in U\left(B\right)\times {\left(U\left(B\right)\right)}^n$, with $(a,b)\ne (0,0)$, or $(a,b)\in (B-pB)\times B^n$.
• Recall that the Fourier transform of the map $af$ is the function

  $$B^n\to \mathbb{C},b\mapsto {\zeta }_{af}\left(b\right)=\sum _{x\in B^n}{e}^{\frac{2\pi }{p^r}i{\mathrm{Tr}}_{B/{\mathbb{Z}}_{p^r}}(af\left(x\right)-b·x)}.$$
  As shown in [15], ${\zeta }_{af}\left(b\right)=0$ under the same conditions as the above assertion, just because the map $x\mapsto {\mathrm{Tr}}_{B/{\mathbb{Z}}_{p^r}}(af\left(x\right)+b·x)$ is balanced.

Let $T\left(A\right)$ be the set of the Teichmüller representatives of ${\mathbb{F}}_q$ in A. Then, $p^{r-1}A=\left\{a{p}^{r-1}\right|a\in T\left(A\right)\}$. Similarly, $T\left(B\right)$ is the set of the Teichmüller representatives of $F_{q^m}$ in B.

Let $n\in {\mathbb{Z}}^{+}$ and $t\le n$. For any $i<n$, let $e_i={\left({\delta }_{ij}\right)}_{j=0}^{n-1}$ be the i-th vector in the canonical set of generators of $B^n$. For any $b\in T{\left(B\right)}^n$, let

$$\begin{array}{ccc}\hfill X_{b,t}& =& \{\sum _{j=0}^{t-2}{b}_j{e}_j,b_{t-1}{e}_{t-1},\dots ,b_{n-1}{e}_{n-1}\}\subset B^n,\hfill \end{array}$$

$$\begin{array}{ccc}\hfill N& =& \bigcup _{b\in T{\left(B\right)}^n}{X}_{b,t},\hfill \end{array}$$

(9)

$$\begin{array}{ccc}\hfill L& =& \left\{\sum _{i=0}^{r-2}{r}_i{p}^i|(r_0,\dots ,r_{r-2})\in T{\left(A\right)}^{r-1}\right\}.\hfill \end{array}$$

(10)

Then, $\left|X_{b,t}\right|=n-t+1$, $\left|N\right|=q^{m(t-1)}+(n-(t-1))q^m$, $\left|L\right|=q^{r-1}$, $L\subset (A-p^{r-1}A)\cup \left\{0\right\}$, and also

$$\forall u,v\in L:(u-v)\in (A-p^{r-1}A)\cup \left\{0\right\}.$$

Let us consider an $(r-1)n$-subset of $T\left(A\right)-\{0,1\}$,

$$\eta ={\left\{{\eta }_k\right\}}_{k=0}^{(r-1)n-1},$$

(11)

and

$$D_{\eta }=\left\{({\eta }_{(i-1)n+j},p^i{e}_j)\right|1\le i\le r-1,0\le j\le n-1\}.$$

(12)

Then, $D_{\eta }\subset A\times B^n$ and $\left|D_{\eta }\right|=(r-1)n$.

Let $T\left(B\right)=\left\{0\right\}\cup {\left({\xi }_B^k\right)}_{k=0}^{q^m-2}$, $G\left(T\left(B\right)\right)=\left\{{\xi }_B^k\right|\gcd (k,q^m-1)=1\}$, let $\theta ={\left\{{\theta }_j\right\}}_{j=0}^{n-1}$ be an n-sequence of $G\left(T\right(B\left)\right)$ (repetitions are allowed), and $\zeta \in T\left(B\right)-\left\{0\right\}.$ For each integer k, with $0\le k\le q^m-(r-1)n-2$, let

$$T_{\theta \zeta k}={\left\{({\theta }_j^i,(\zeta +{\theta }_j^i{p}^{1+(kmod(r-1\left)\right)})e_j)\right\}}_{0\le i\le q^m-2}^{0\le j\le n-1}.$$

Then, $T_{\theta \zeta k}\subset B\times B^n$ and $\left|T_{\theta \zeta k}\right|=(q^m-1)n$.

Now, let $Z={\left\{{\zeta }_k\right\}}_{k=0}^{q^m-(r-1)n-2}$ be a subset of $T\left(B\right)-\left\{0\right\}$, with $(q^m-1-(r-1)n-1)$ elements, such that $Z\cap \eta =\varnothing$, and

$${\mathbf{T}}_{\eta \theta Z}=D_{\eta }\cup \bigcup _{k=0}^{q^m-(r-1)n-2}{T}_{\theta {\zeta }_{k}k}.$$

(13)

Then, ${\mathbf{T}}_{\eta \theta Z}\subset B\times B^n$ and

$$\begin{array}{ccc}\hfill \left|{\mathbf{T}}_{\eta \theta Z}\right|& =& (r-1)n+(q^m-1-(r-1)n)(q^m-1)n\hfill \\ & =& \left[(r-1)+\left[(q^m-1)-(r-1)n\right](q^m-1)\right]n.\hfill \end{array}$$

Let $S_0=\left\{0\right\}\times \left(N-\left\{0\right\}\right)\times L$, $S_1={\mathbf{T}}_{\eta \theta Z}\times L$, $S_2=\left(T\left(B\right)-\left(\right\{0\}\cup \eta )\right)\times \left\{0\right\}\times L$ and

$$S=S_0\cup S_1\cup S_2,T={\mathbb{F}}_q,K={\mathbb{Z}}_{q^{r(mn+1)}}.$$

(14)

Certainly, at this point the definition of the source set S is quite unnatural. However, defined in this way, it guarantees an appropriate distance between elements (Proposition 2), leading to optimal results (Proposition 4) while keeping balanced the maps $x\mapsto {\mathrm{Tr}}_{B/{\mathbb{Z}}_{p^r}}(af\left(x\right)+b·x)$, for a t-resilient map f. This particular structure of the source space S will allow a one-to-one correspondence between keys and encoding maps (Proposition 3). From Relation (14), $S\subset B\times B^n\times A$, and

$$\begin{array}{ccc}\hfill \left|S\right|& =\hfill & \left(\right(q^{m(t-1)}+(n-(t-1))q^m-1)+\hfill \\ & & \left((r-1)+\left((q^m-1)-(r-1)n\right)(q^m-1)\right)n+(q^m-((r-1)n+1)))q^{r-1}\hfill \\ & =& \left(c_0+c_{1}n-c_2{n}^2\right)q^{r-1}\hfill \\ \hfill \left|T\right|& =& q\hfill \\ \hfill \left|K\right|& =& q^{r(mn+1)},\hfill \end{array}$$

(15)

where $c_0=q^m(q^{m(t-2)}-t)+2(q^m-1)$, $c_1=q^m(q^m-1)+1$, $c_2=(q^m-1)(r-1).$ The introduced construction imposes the supplementary condition $(r-1)(n+1)<p^m-1.$

3.3. Main Characteristics of the New Code

Let $\Phi :A\to {\mathbb{F}}_q^{q^{r-1}}$ be the Gray map on A as defined in (5). We observe that for any element $y={\sum }_{i=0}^{r-2}{a}_i{p}^i\in L$, with $(a_0,\dots ,a_{r-2})\in T{\left(A\right)}^{r-1}$ (see (10)), the evaluation of $\Phi$ at y, according to (5), is

$$\Phi \left(y\right)=\sum _{i=0}^{r-2}\rho \left(a_i\right){\varphi }_i.$$

Also, since $q-1$ is even, for any $\xi$ generating $T_A$, either $-\xi \in T_A$ or $-1\in T_A$. The following implication holds: $\forall z\in A\forall d\in \{1,\dots ,q-1\}\left[z^d\in T_A⟹-z^d\in T_A\right].$ Hence, if the p-adic form of an element in A is $z={\sum }_{k=0}^{s-1}{z}_k{p}^k$, the p-adic form of $-z$ is $-z={\sum }_{k=0}^{s-1}(-z_k)p^k$. Let $f:B^n\to B$ be a t-resilient map. For each $s=(s_0,s_1,s_2)\in S$ and each $w\in p^{r-1}A$, consider the map $v_{s,w}:B^n\to A$, $x\mapsto v_{s,w}\left(x\right)$, where

$$v_{s,w}\left(x\right)={\mathrm{Tr}}_{B/A}(s_{0}f\left(x\right)+s_1·x)+s_2+w={\gamma }_{s_0{s}_{1}f}\left(x\right)+s_2+w$$

(16)

(see relation (8) above). Let

$$u_{s,w}={\left(\Phi \left(v_{s,w}\left(x\right)\right)\right)}_{x\in B^n}\in {\left({\mathbb{F}}_q^{q^{r-1}}\right)}^{q^{rmn}},u_s={\left(u_{s,w}\right)}_{w\in p^{r-1}A}\in {\left({\mathbb{F}}_q^{q^{r-1}}\right)}^{q^{rmn+1}}.$$

(17)

Since $\left|p^{r-1}A\right|=q$, we have ${\left({\mathbb{F}}_q^{q^{r-1}}\right)}^{q^{rmn+1}}\simeq {\mathbb{F}}_q^{q^{r(mn+1)}}$, thus we may assume $u_s\in {\mathbb{F}}_q^{q^{r(mn+1)}}$.

Proposition 2.

Let $d_H$ be the Hamming distance on the vector space ${\mathbb{F}}_q^{q^{r(mn+1)}}$ and let $f:B^n\to B$ be a t-resilient map. For any two points $s_0=(s_{00},s_{10},s_{20})$, $s_1=(s_{01},s_{11},s_{21})\in S$, with $s_0\ne s_1$, and any two $w_0,w_1\in p^{r-1}A$, the following relation holds:

$$d_H(u_{s_0,w_0},u_{s_1,w_1})=q^{rmn}(q^{r-1}-q^{r-2}).$$

Proof. 

Let $s_2=s_0-s_1$ and $w_2=w_0-w_1$. Then, the calculation of the Hamming distance of the points $u_{s_0,w_0},u_{s_1,w_1}$ is displayed in (18), there equality (i) holds because $\Phi$ is an isometry, equality (ii) follows from the defining Relation (1), and equality (iii) is due to Relation (16).

$$\begin{array}{ccc}\hfill d_H(u_{s_0,w_0},u_{s_1,w_1})& =\hfill & {\sum }_{x\in B^n}{d}_H\left(\Phi \left(v_{s_0,w_0}\left(x\right)\right),\Phi \left(v_{s_1,w_1}\left(x\right)\right)\right)\hfill \\ & \stackrel{\left(i\right)}{=}\hfill & {\sum }_{x\in B^n}{d}_h\left(v_{s_0,w_0}\left(x\right),v_{s_1,w_1}\left(x\right)\right)\hfill \\ & =\hfill & {\sum }_{x\in B^n}{w}_h\left(v_{s_0,w_0}\left(x\right)-v_{s_1,w_1}\left(x\right)\right)\hfill \\ & =\hfill & {\sum }_{x\in B^n}{w}_h\left(v_{s_2,w_2}\left(x\right)\right)\hfill \\ & \stackrel{\left(ii\right)}{=}\hfill & {\sum }_{x\in B^n}\left(\left(q^{r-1}-q^{r-2}\right)-\frac{1}{q}{\sum }_{r_0\in A-pA}{e}^{\frac{2\pi }{p^r}i{\mathrm{Tr}}_{A/{\mathbb{Z}}_{p^r}}\left(r_0{v}_{s_2,w_2}\left(x\right)\right)}\right)\hfill \\ & =\hfill & q^{rmn}\left(q^{r-1}-q^{r-2}\right)-\frac{1}{q}{\sum }_{x\in B^n}{\sum }_{r_0\in A-pA}{e}^{\frac{2\pi }{p^r}i{\mathrm{Tr}}_{A/{\mathbb{Z}}_{p^r}}\left(r_0{v}_{s_2,w_2}\left(x\right)\right)}\hfill \\ & \stackrel{\left(iii\right)}{=}\hfill & q^{rmn}\left(q^{r-1}-q^{r-2}\right)\hfill \\ & & -\frac{1}{q}{\sum }_{r_0\in A-pA}{e}^{\frac{2\pi }{p^r}i{\mathrm{Tr}}_{A/{\mathbb{Z}}_{p^r}}\left(r_0{w}_2\right)}{e}^{\frac{2\pi }{p^r}i{\mathrm{Tr}}_{A/{\mathbb{Z}}_{p^r}}\left(r_0{s}_{22}\right)}{\sum }_{x\in B^n}{e}^{\frac{2\pi }{p^r}i{\mathrm{Tr}}_{B/{\mathbb{Z}}_{p^r}}(r_0{s}_{02}f\left(x\right)+r_0{s}_{12}·x)}\hfill \end{array}$$

(18)

If $(s_{02},s_{12})\ne (0,0)$, since f is t-resilient and $x\mapsto {\mathrm{Tr}}_{B/{\mathbb{Z}}_{p^r}}(r{s}_{12}·x))$ is a balanced map, from (18) the claim follows:

$$d_H(u_{s_0,w_0},u_{s_1,w_1})=q^{rmn}(q^{r-1}-q^{r-2}).$$

If $(s_{02},s_{12})=(0,0)$, also from (18) we obtain

$$d_H(u_{s_0,w_0},u_{s_1,w_1})=\sum _{x\in B^n}{w}_h\left(v_{s_2,w_2}\left(x\right)\right)=\sum _{x\in B^n}{w}_h\left(s_{22}+w_2\right)=q^{rmn}(q^{r-1}-q^{r-2})$$

because $s_{22}+w_2\in A-p^{r-1}A$. ☐

For each $k\in K={\mathbb{Z}}_{q^{r(mn+1)}}$, let $e_k:S\to T$ be the map

$$s\mapsto e_k\left(s\right)={\pi }_k\left(u_s\right):k-\mathrm{th\; entry\; of\; element}{u}_s.$$

(19)

The set of encoding rules in the proposed systematic authentication code is thus $E={\left(e_k\right)}_{k\in K}$.

Proposition 3.

The map $K\to E$, $k\mapsto e_k$, is one-to-one.

Proof. 

The proposition is clearly equivalent to the following statement: $\forall k_0,k_1\in K$,

$$k_0\ne k_1⟹\exists s\in S:{\pi }_{k_0}\left(u_s\right)\ne {\pi }_{k_1}\left(u_s\right),$$

(20)

where $u_s$ is given by Relation (17).

According to (17), each element $u_s$, $s\in S$, is the concatenation of q arrays $u_{s,w}$, each of length $q^{rmn}$. The index range $\{0,\dots ,q^{r(mn+1)}-1\}$ of the element $u_s$ can be split as the concatenation of $q^{rmn+1}$ integer intervals

$$K_{x,w}=\{\mathrm{indexes\; of\; entries\; with\; the\; value}\Phi \left(v_{s,w}\left(x\right)\right)\},$$

with $(x,w)\in B^n\times p^{r-1}A$, and each integer interval $K_{x,w}$ has length $q^{r-1}$.

We recall at this point that $\left|B^n\times p^{r-1}A\right|=q^{rmn}q=q^{rmn+1}.$ Let ${\alpha }_b:B^n\to \{0,\dots ,q^{rmn}-1\}$, ${\alpha }_a:p^{r-1}A\to \{0,\dots ,q-1\}$ be the corresponding natural bijections. Then, up to these enumerations and relation (4), we can identify $K_{x,w}\approx \{k\in K|k_{x,w}{q}^{r-1}\le k\le k_{x,w}{q}^{r-1}+(q^{r-1}-1)\},$ where

$$\forall (x,w)\in B^n\times p^{r-1}A:k_{x,w}={\alpha }_b\left(x\right)q+{\alpha }_a\left(w\right).$$

(21)

Let $k_0,k_1\in K\approx \{0,\dots ,q^{r(mn+1)}-1\}$ be two keys such that $k_0\ne k_1$. Depending on the intervals $K_{x,w}$ in which these keys fall, we can consider four mutually disjoint and exhaustive cases:

• Case I:$\exists w\in p^{r-1}A,\exists x\in B^n$: $k_0\in K_{x,w}$ & $k_1\in K_{x,w}$.
• Case II:$\exists w\in p^{r-1}A,\exists x,y\in B^n$: $x\ne y$ & $k_0\in K_{x,w}$ & $k_1\in K_{y,w}$.
• Case III:$\exists w_0,w_1\in p^{r-1}A,\exists x\in B^n$: $w_0\ne w_1$ & $k_0\in K_{x,w_0}$ & $k_1\in K_{x,w_1}$.
• Case IV:$\exists w_0,w_1\in p^{r-1}A,\exists x,y\in B^n$: $w_0\ne w_1\&x\ne y\&k_0\in K_{x,w_0}\&k_1\in K_{y,w_1}.$

The analysis of these cases, giving a full proof of the proposition, is rather extensive and certainly tedious. It is provided in full detail in [11]. ☐

Proposition 4.

For the authentication code defined by the relations (14) and (19), the following relations hold:

$$p_I=\frac{1}{q},p_S=\frac{1}{q}.$$

(22)

Proof. 

Let $s=(s_0,s_1,s_2)\in S$ and $x\in B^n$ be fixed. Then, the map $p^{r-1}A\to {\mathbb{F}}_q^{q^{r-1}}$,

$$w\mapsto \Phi \left({\mathrm{Tr}}_{B/A}(s_{0}f\left(x\right)+s_1·x)+s_2+w\right)$$

is one-to-one. For any $t\in T={\mathbb{F}}_q$, we have

$$\left|\{k\in K|{\pi }_k\left(u_s\right)=t\}\right|=q^{r(mn+1)-1},$$

(23)

where $u_s$ is defined by relation (17). Since $\left|K\right|=q^{r(mn+1)}$, then, from (6), $p_I=\frac{1}{q}$.

Now, consider $s_0=(s_{00},s_{10},s_{20})$, $s_1=(s_{01},s_{11},s_{21})\in S$ such that $s_0\ne s_1$. For each $t_0,t_1\in T$, and each $k\in K$, let $w\in p^{r-1}A$ and $x\in B^n$ be such that $k\in K_{x,w}$. Then, equivalent conditions for a pair of encoding sources are shown in the following:

$$\begin{array}{ccc}\hfill \left.\begin{array}{ccc}\hfill e_k\left(s_0\right)& =& t_0\hfill \\ \hfill e_k\left(s_1\right)& =& t_1\hfill \end{array}\right\}& ⟺& \left\{\begin{array}{cccc}\hfill {\pi }_k\left(u_{s_0}\right)& =& t_0\hfill & \&\\ \hfill {\pi }_k\left(u_{s_1}\right)& =& t_1\hfill \end{array}\right.\hfill \\ & ⟺& \left\{\begin{array}{cccc}\hfill {\pi }_k\circ \Phi \left(v_{s_0,w}\left(x\right)\right)& =& t_0\hfill & \&\\ \hfill {\pi }_k\circ \Phi \left(v_{s_1,w}\left(x\right)\right)-{\pi }_k\circ \Phi \left(v_{s_0,w}\left(x\right)\right)& =& t_1-t_0\hfill \end{array}\right.\hfill \\ & ⟺& \left\{\begin{array}{cccc}\hfill {\pi }_k\circ \Phi \left(v_{s_0,w}\left(x\right)\right)& =& t_0\hfill & \&\\ \hfill {\pi }_k\circ \Phi \left(v_{s_1,w}\left(x\right)\right)-{\pi }_k\circ \Phi \left(v_{s_0,w}\left(x\right)\right)& =& t_1-t_0\hfill \end{array}\right.\hfill \\ & \stackrel{\mathrm{Prop.\; 1}}{⟺}& \left\{\begin{array}{cccc}\hfill {\pi }_k\circ \Phi ({\mathrm{Tr}}_{B/A}(s_{00}f\left(x\right)+s_{10}·x)+s_{20}+w)& =& t_0\hfill & \&\\ \hfill {\pi }_k\circ \Phi ({\mathrm{Tr}}_{B/A}(s_{01}f\left(x\right)+s_{11}·x)+s_{21})\\ \hfill -{\pi }_k({\mathrm{Tr}}_{B/A}(s_{00}f\left(x\right)+s_{10}·x)+s_{20})& =& t_1-t_0\hfill \end{array}\right.\hfill \end{array}$$

From there, it can be seen that

$$\left|\{k\in K|(e_k\left(s_0\right)=t_0)\&(e_k\left(s_1\right)=t_1)\}\right|=q^{r(mn+1)-1}-d_H(u_{s_0,w},u_{s_1,w}).$$

Now, from (7) and (23):

$$p_S=\frac{q^{r(mn+1)-1}-d_H(u_{s_0,w},u_{s_1,w})}{q^{r(mn+1)-1}}\le \frac{q^{r(mn+1)-1}-q^{rmn}(q^{r-1}-q^{r-2})}{q^{r(mn+1)-1}}=\frac{q^{rmn+r-2}}{q^{rmn+r-1}}=\frac{1}{q}.$$

 ☐

Observe at this point that instead of N in (14), it is possible to take the set $N^{\prime }=\{b\in B^n|w_h\left(b\right)\le \frac{t}{2}\}$ in order to produce a new systematic authenticatication code with the same impersonation and substitution probabilities as in (22).

3.4. A Second Systematic Authentication Code

Let p be a prime number, $r,\ell ,n\in {\mathbb{Z}}^{+}$ and $q=p^{\ell }$. Let $A=\mathrm{GR}\left(p^r,\ell \right)$ and $B=\mathrm{GR}\left(p^r,\ell n\right)$ be the corresponding Galois rings of degrees ℓ and $\ell n$. Let

$$L=\{r_0+r_{1}p+\cdots +r_{r-2}{p}^{r-2}|r_0,\dots ,r_{r-2}\in T\left(A\right)\}\subset A\backslash p^{r-1}A\cup \left\{0\right\}.$$

Observe that since $⟨p^{r-1}⟩=\left\{a{p}^{r-1}\right|a\in T\left(A\right)\}$, if $a,b\in L$ then $a-b\in A\backslash p^{r-1}A$.

Let f be a bent function on B such that $uf$ is a bent function for any unit $u\in S$ and let $\Phi$ be the Gray map on A. The proposed systematic authentication code, $\mathcal{A}=(S,T,K,E)$, is the following:

$$\begin{array}{c}S:=\left(T\left(B\right)\times B-\left\{\right(0,0\left)\right\}\right)\times L,\hfill \\ T:={\mathbb{F}}_q,\hfill \\ K:={\mathbb{Z}}_{q^{r(n+1)}},\hfill \\ E:=\{E_k\left(s\right)=p{r}_k\left(u_s\right),k\in K,s\in B\},\hfill \end{array}$$

where for $s=(a,b,c)\in S$, $\beta \in p^{r-1}A=\left\{{\beta }_1,{\beta }_2,\dots ,{\beta }_q\right\}$, $v_{s,\beta }\left(x\right)=\beta +{\mathrm{Tr}}_{B/A}(af\left(x\right)+bx)+c$, $u_{s,\beta }={\left(\Phi \left(v_{s,\beta }\left(x\right)\right)\right)}_{x\in B}$, $u_s={\left(u_{s,\beta }\right)}_{\beta \in p^{r-1}A}$, and $p{r}_k$ is the k-th projection map from ${\mathbb{F}}_q^{q^{r(n+1)}}$ onto ${\mathbb{F}}_q$, mapping $u_s$ to its k-th coordinate.

Let L be as above and let $V=\{c\in B|{\mathrm{Tr}}_{(B/A)}\left(c\right)\in L\}.$ With the notation as above, a second systematic authentication code, ${\mathcal{A}}^{\prime }=(S^{\prime },T^{\prime },K^{\prime },E^{\prime })$ is also proposed:

$$\begin{array}{c}{S}^{\prime }:=\{(a,b,c)\in T\left(S\right)\times S\times V|(a,b)\ne (0,0)\},\hfill \\ T^{\prime }:={\mathbb{F}}_q,\hfill \\ K^{\prime }:={\mathbb{Z}}_{q^{r(n+1)}},\hfill \\ E^{\prime }:=\{E_k\left(s\right)=p{r}_k\left(u_s\right),k\in K^{\prime },s\in S^{\prime }\}.\hfill \end{array}$$

Note that the code ${\mathcal{A}}^{\prime }$ is a slight modification of the code $\mathcal{A}$: in the definition of the source space S for $\mathcal{A}$, the set L is taken while in the definition of the source space $S^{\prime }$ for ${\mathcal{A}}^{\prime }$ the set V is used.

The impersonation and substitution probabilities $p_I$ and $p_S$ can be upper-bounded.

Lemma 2.

Let $d_H$ be the Hamming distance on ${\mathbb{F}}_q^{q^{n(t+1)}}$. With the notation as above, for any $s_1=(a_1,b_1,c_1),s_2=(a_2,b_2,c_2)\in S,s_1\ne s_2$, and any elements ${\beta }_1,{\beta }_2\in p^{r-1}R$, we have

$$(q^{r-1}-q^{r-2})(q^{rn}-q^{rn/2})\le d_H\left(u_{s_1,{\beta }_1},u_{s_2,{\beta }_2}\right)\le (q^{r-1}-q^{r-2})(q^{rn}+q^{rn/2}).$$

Theorem 1.

With the notation as above, the function $H:K⟶E$ given by $H\left(k\right)=E_k$ is bijective.

Theorem 2.

Let$\mathcal{A}$ be the systematic authentication code as defined above. Then,

$$p_I=\frac{1}{q}and{p}_S\le \frac{1}{q}+\frac{q-1}{q^{\frac{rn+2}{2}}}.$$

4. Parameter Comparison with Other Codes

We summarize quite succinctly in Table 2 a parameter comparison of our codes with other codes based on the Gray map. There, as in Relation (15),

$$c_0=q^m(q^{m(t-2)}-t)+2(q^m-1),c_1=q^m(q^m-1)+1,c_2=(q^m-1)(r-1).$$

D is an integer in the interval $[1,q^{\frac{n}{2}}]$, and, as stated in [9] Prop. 3.5, N is a positive integer such that $q^n-N>q^{\frac{n}{2}}((p+1)(N+1)-2).$

Table 2. Parameter comparison of the introduced code with other previously published codes.

Code	Sizes			Bound for ${\mathit{p}}_{\mathit{I}}$	Bound for ${\mathit{p}}_{\mathit{S}}$
	$\left|\mathit{S}\right|$	$\left|\mathit{K}\right|$	$\left|\mathit{T}\right|$
(1)	$c_0+c_{1}n-c_2{n}^2{q}^{r-1}$	$q^{r(mn+1)}$	q	$q^{-1}$	$q^{-1}$
(2)	$q^{2n}$	$q^{r(n+1)}$	$q^r$	$q^{-r}$	$q^{-1}+(q-1)q^{-(n+1)}$
(3)	$q^{3n+1}$	$q^{2(n+1)}$	q	$q^{-1}$	$q^{-1}+(q-1)q^{-(n+1)}$
(4)	$q^{n\left(D-\left[\frac{D}{p^2}\right]\right)}$	$q^{n+2}$	q	$q^{-1}$	$q^{-1}+\frac{q-1}{q}\frac{D-1}{q^{\frac{n}{2}}}$
(5)	$q^{2n(N+1)}$	$q^2(q^n-N)$	q	$q^{-1}$	$q^{-1}$ + $\frac{q-1}{q}\frac{q^{\frac{n}{2}}}{q^n-N}$. $\left((p+1)(N+1)-2\right)$
(6)	$q^{n\left(D-\left[\frac{D}{p^2}\right]\right)}{p}^{-1}$	$p^{n+1}$	p	$p^{-1}+\frac{p-1}{p}\frac{D-1}{p^{\frac{n}{2}}}$	$$\begin{gathered} p^{-1}+ \\ \frac{p^2+p-2}{p}\frac{D-1}{p^{\frac{n}{2}}-(p-1)(D-1)} \end{gathered}$$
(7)	$q^{n\left(D-\left[\frac{D}{p^{\ell }}\right]\right)}$	$q^{n+\ell }$	q	$q^{-1}$	$q^{-1}+\frac{q-1}{q}\frac{D-1}{q^{\frac{n}{2}}}$

The codes are the following: (1) Our code. (2) [17] Prop. 11 (3) [18] Thm. 4.3. (4) [9] Prop. 3.2. (5) [9] Prop. 3.5 (6). [9] Prop. 4.5. (7) [9] Thm. 5.1.

Our first code provides optimal values for $p_I$ and $p_S$ for all parameters q, m, n, r in which the code exists. For the codes in [9] the optimal values are obtained only if $D=1$. However, in our code, the cardinality of the key space is greater than the product of the cardinalities of the source and tag spaces.

In [10], it is stated that a map $f:A^n\to A$ valued on a Galois ring $A=\mathrm{GR}\left(p^r,\ell \right)$ is a bent function if

$$\left|\sum _{x\in A^n}{e}^{\frac{2\pi }{p^r}i{\mathrm{Tr}}_{A/{\mathbb{Z}}_{p^r}}(f\left(x\right)-⟨u,x⟩)}\right|={\left|A\right|}^{\frac{n}{2}},$$

and it was shown that, for the special case of $r=2$, whenever k and $q-1=p^{\ell }-1$ are relatively prime, then for any $\alpha \in A$ and any unit $u\in A-pA$ in A, the map $A\to A$, $x\mapsto u\left(x^{kp+1}+\alpha x^p\right)$, is a bent function ($n=1$).

Namely, for the special case of $r=2$, a class of bent maps, closed by the multiplication of units in the Galois ring, can be used to build a systematic authentication code (SAC).

Later, the Gray map and the above-mentioned class of bent maps were used to build a new SAC, improving the impersonation and substitution probabilities. In fact, these constructions can be extended to any characteristic $p^r$, with $r>1$, under the assumption that there exists a similar class of bent maps, closed by the multiplication of units in the Galois ring. In this case, the obtained SAC $\mathcal{A}$ would have the parameters displayed in Table 3.

Table 3. Parameters of the obtained systematic authentication code (SAC) $\mathcal{A}$.

Code	Sizes			Bound for ${\mathit{p}}_{\mathit{I}}$	Bound for ${\mathit{p}}_{\mathit{S}}$
	$\left|\mathit{S}\right|$	$\left|\mathit{K}\right|$	$\left|\mathit{T}\right|$
$\mathcal{A}$	$(q^{n(t+1)}-1)q^{(t-1)}$	$q^{t(n+1)}$	q	$q^{-1}$	$q^{-1}+(q-1)q^{-\frac{tn+2}{2}}$
${\mathcal{A}}^{\prime }$	$(q^{n(t+1)}-1)q^{(nt-1)}$	$q^{t(n+1)}$	q	$q^{-1}$	$q^{-1}+(q-1)q^{-\frac{tn+2}{2}}$

In comparison with the values displayed at Table 2, we have that this last hypothetical construction would have more convenient parameters for the spaces: the source space is greater than the key space, and the tag space is rather small. Even more, it has a greater difference on the cardinality of the cardinality of the key space and the product of the cardinalities of the source and tag spaces. This is an advantage even when comparing with other SACs with no optimal impersonation and substitution probabilities. For instance, this last hypothetical construction would improve the probabilities and the space sizes of the codes in [4,8], although the code in [8] does not attain the optimal values for these probabilities.

Similar constructions were performed through resilient maps and functions generalizing bent maps, for any characteristic $p^r$, with $r>1$.

5. Conclusions

An authentication code using the trace, the Gray maps, and the resilient functions on Galois rings were constructed. In this regard, the current construction is similar to the constructions in [9]. In order to diminish the substitution and impersonation probabilities, here we used resilient maps on Galois rings of general characteristic $p^r$, with p a prime number and r an integer greater or equal to 2, in contrast to the former approach based either on non-degenerate and rational maps on Galois rings of general characteristic [9], or on bent maps on Galois rings of characteristic $p^2$. The current construction provides optimal substitution and impersonation probabilities, at the expense of growth of cardinalities and an elaborated space structure. In contrast with [9], the key space in our code is of greater cardinality than the source space. Our code attains optimal probability values, but it has a key space greater than the corresponding source space.

A second authentication code was built, and this code has convenient space sizes with a significant difference between the key space and the source space, and a small cardinality in the tag space. The probabilities are rather small, but the substitution probability is not optimal. However, this second construction is conditioned to the existence of a class of bent functions closed under the multiplication by units in the corresponding Galois ring. We look towards the proof of the existence of this necessary class of bent functions.