NEW CONSTRUCTIONS OF SYSTEMATIC AUTHENTICATION CODES FROM THREE CLASSES OF CYCLIC CODES

Recently, several classes of cyclic codes with three nonzero weights were constructed. With the generic construction presented by C. Ding, T. Helleseth, T. Kløve and X. Wang, we present new systematic authentication codes based on these cyclic codes. In this paper, we study three special classes of cyclic codes and their authentication codes. With the help of exponential sums, we calculate the maximum success probabilities of the impersonation and substitution attacks on the authentication codes. Our results show that these new authentication codes are better than some of the authentication codes in the literature. As a byproduct, the number of times that each element occurs as the coordinates in the codewords of the cyclic codes is settled, which is a difficult problem in general.


Introduction
There are two types of authentication codes, those with secrecy and those without secrecy. In this paper, we will focus on the authentication codes without secrecy, which are called systematic authentication codes. A systematic authentication code is defined as a four-tuple $(S, T, K, \{E_k : k \in K\})$, where $S$ is the source state, $T$ is the tag space, $K$ is the key space, and $E_k : S \to T$ is called the encoding rule. To send information $s \in S$ to a receiver, the transmitter computes the tag $t = E_k(s) \in T$ and sends the concatenated message $m = (s, t) \in M$ into a public channel. When the receiver gets the message $m' = (s', t')$ through the channel, he/she will check whether $t'$ equals $E_k(s')$. If so, the receiver will accept $m'$ as authentic, otherwise reject it.
Since the communication channel is public, an adversary could interfere with the procedure in order to attack it. In the authentication model by Simmons [17], there are two kinds of attacks, namely the impersonation attack and the substitution attack. In the impersonation attack, the adversary chooses a message and puts it into the channel, disguised as a message from the transmitter. We denote by $P_I$ the maximum probability that the receiver takes the disguised message as authentic.
In the substitution attack, the adversary notices a message $m$ in the channel and replaces it with a new message $m' \neq m$, hoping the receiver will accept $m'$ as authentic. We use $P_S$ to denote the maximum success probability of the substitution attack. For systematic authentication codes, it is a well-known fact that $P_S \geq P_I \geq 1/|T|$ [16].
The security of the systematic authentication codes is not generally based on the complexity of the exhaustion provided by long keys, which is different from that of ciphers. Furthermore, systematic authentication codes are widely used in authenticating large data files, so taking the efficiency and storage cost into account, we need to obtain a better ratio between the key length and the message length. Therefore, a variety of new approaches were proposed, such as constructions based on projective geometry [1], error-correcting codes [7,9] and functions over Galois rings [15].
Among these constructions, methods which construct systematic authentication codes from error-correcting codes, such as the q-twisted construction [11], the construction using rank distance codes [18] and the construction from error-correcting codes [7], are of special interest. A main problem is to find "good" error-correcting codes to construct systematic authentication codes with nice properties. Thus, in this paper, we will use the generic construction presented in [7] to construct new authentication codes from several classes of cyclic codes with three nonzero weights. The major contribution of this paper is that we found examples of "good" error-correcting codes and successfully calculated the exact values of $P_S$. The rest of the paper is organized as follows. In Section 2, we give notations, the definition of the generic construction and lemmas which will be used in the sequel. In Section 3, we study three classes of authentication codes generated from three classes of cyclic codes with three nonzero weights. We compare our authentication codes with other authentication codes in the literature in Section 4. Finally, we conclude this paper in Section 5.

Notations.
• $p$ is an odd prime, $m$ is an integer, $q = p^m$, $n = q - 1$.
• $\mathrm{GF}(q)$ is the finite field with $q$ elements. $\mathrm{GF}(q)^*$ is the set of all the nonzero elements of $\mathrm{GF}(q)$.
• $\omega = e^{2\pi i/p}$ is a primitive $p$-th root of unity, $i = \sqrt{-1}$.
• $\mathrm{Tr}_{l/j}(x) = \sum_{t=0}^{l/j-1} x^{p^{tj}}$ is the trace function from $\mathrm{GF}(p^l)$ to $\mathrm{GF}(p^j)$, where $l, j$ are positive integers such that $j \mid l$. Especially, when $l = m$ and $j = 1$, $\mathrm{Tr}_{m/1}(\cdot)$, or simply denoted by $\mathrm{Tr}(\cdot)$, is the trace function from $\mathrm{GF}(q)$ to $\mathrm{GF}(p)$.

2.2. A generic construction of authentication codes. In [7], a generic construction of authentication codes using the error-correcting codes was presented. Let $C$ be an $(n, M)$ code over an alphabet $B$ where $(B, +)$ is an Abelian group with $q$ elements. In the generic construction, we define a Cartesian authentication code by where for any $k = (k_1, k_2) \in K$ and $s \in S$, the encoding rule is defined by $E_k(s) = c_{s,k_1} + k_2$, and $c_{s,k_1}$ is the $(k_1 + 1)$-th component of the codeword $c_s$. Furthermore, $|S| = q^{\kappa}$, $|T| = q$, $|K| = nq$.
According to Proposition 1, the difficult part of this generic construction is the selection of the underlying error-correcting code and the computation of the success probability of the substitution attack. While obtaining the weight distribution of a linear code is a well-known hard problem, computing the success probability $P_S$ of the authentication code is more difficult.

2.3. Lemmas. In this subsection, we recall several definitions and results about quadratic forms and exponential sums. 14]). Let $m \geq 2$ and $k$ be integers, $d = \gcd(m, k)$ and let $s = m/d$. Assume that $q = p^m$ and $q_0 = p^d$, where $p$ is an odd prime, i.e., $q = q_0^s$. Let $Q(a, b) = \mathrm{Tr}_{m/d}(a x^{p^k+1} + b x^2)$. Then, the following two statements hold: 1. for $(a, b) \in (\mathrm{GF}(q) \times \mathrm{GF}(q)) \setminus \{(0, 0)\}$, the quadratic form $Q(a, b)$ has rank no less than $s - 2$; 2. for any $a \in \mathrm{GF}(q)^*$ and $b \in \mathrm{GF}(q)$, at least one of $Q(a, b)$ and $Q(-a, b)$ has rank $s$.
Furthermore, for $j = 0, 1, 2$, assume that the rank of $Q(a, b)$ is $s - j$. Thus, the possible values of In addition, for any $y \in \mathrm{GF}(p)^*$, where $r$ is the rank of the quadratic form $Q(a, b)$.
and let $v_j$, $j = 0, 1, 2$, be defined as Equation (2). Define Furthermore, for odd $m \geq 3$ and positive integer $k$ with $\gcd(m, k) = 1$, the values of the multi-sets
1. Let $\varphi$ be a multiplicative character and $\chi_b$ an additive character of $\mathrm{GF}(q)$. Then, the Gaussian sum $G(\varphi, \chi_b)$ is defined by
2. Let $\lambda_1, \ldots, \lambda_k$ be $k$ multiplicative characters of $\mathrm{GF}(q)$. Then, the Jacobi sum in $\mathrm{GF}(q)$ is defined by
The following lemma indicates the calculation of some Gaussian sums with quadratic multiplicative characters.
Lemma 2.4 ([13, Exercise 5.19]). Let $p$ be an odd prime and $q = p^m$. Let $\eta$ be the quadratic character of $\mathrm{GF}(q)$ and $\chi_b$ be an additive character, where $b \in \mathrm{GF}(q)$. Then, we have

Authentication codes based on cyclic codes with two zeroes
Let $p$ be a prime, $m$ be a positive integer, $q = p^m$ and $\pi$ be a primitive element in $\mathrm{GF}(q)$. Let $\Gamma_j$ be the $p$-cyclotomic coset modulo $q - 1$ containing $j$. Assume that $t \geq 1$, $i_1, \ldots, i_t$ are elements of $\mathbb{Z}_{q-1}$ such that the cyclotomic cosets $\Gamma_{i_1}, \ldots, \Gamma_{i_t}$ are pairwise disjoint with size $m$. Define the code $C_{(i_1,\ldots,i_t)}$ by the cyclic code with parity-check polynomial From Delsarte's Theorem [5], the trace representation of $C_{(i_1,\ldots,i_t)}$ is $\mathrm{Tr}(a_s \pi^{j i_s})$ Herein and after, we will consider the cyclic codes in Equation (4) with two zeroes, namely, $C_{(1,e)}$, where we choose proper values for $e$ to get special cyclic codes. A general study into this kind of codes was presented in [12]. The original idea of constructing the cyclic code was from [2,19], where the monomial $x^e$ is a PN polynomial. Moreover, the code here is so general that it contains several classes of three-weight codes in the literature as special cases, for example, [4,6,14,20,21].
In the next three subsections, we will use three classes of cyclic codes from [20], [4] and [21], respectively, to construct the authentication codes.
The most difficult part is the computation of the probability $P_S$ of the authentication codes, which is harder than the determination of the weight distribution of the linear codes. This is also the major contribution of this paper.
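The generic construction of Section 2.2 applied to a toy instance of the two-zero code $C_{(1,e)}$, as an added example that is not code from the paper: it builds the codewords from the trace representation and checks that the brute-force substitution probability equals the coordinate count $\max N(c,u)/n$ used in the proofs of this section. Assumed here and not taken from the paper: $p = 3$, $m = 3$, $e = 2$, the modulus $x^3 + 2x + 1$ for GF(27), and coordinates listed over all nonzero $x$ instead of in the order $\pi^j$ (a coordinate permutation, which leaves every count unchanged).

```python
from fractions import Fraction
from functools import reduce
from itertools import product

P, M, E = 3, 3, 2                 # assumed toy parameters: GF(3^3), code C_(1,E)
ELEMS = list(product(range(P), repeat=M))   # field elements as coefficient tuples
NONZERO, N = ELEMS[1:], len(ELEMS) - 1      # coordinate positions, n = q - 1 = 26

def mul(a, b):                    # GF(27) = GF(3)[x]/(x^3 + 2x + 1), assumed modulus
    r = [0] * (2 * M - 1)
    for i, j in product(range(M), repeat=2):
        r[i + j] = (r[i + j] + a[i] * b[j]) % P
    for d in (4, 3):              # x^3 = x + 2, so x^d = x^(d-2) + 2x^(d-3)
        c, r[d] = r[d], 0
        r[d - 2] = (r[d - 2] + c) % P
        r[d - 3] = (r[d - 3] + 2 * c) % P
    return tuple(r[:M])

def power(a, e):
    return reduce(mul, [a] * e, (1, 0, 0))

def trace(a):                     # Tr(a) = a + a^3 + a^9, which lies in GF(3)
    return sum(power(a, P ** t)[0] for t in range(M)) % P

# Trace representation c(a,b) = (Tr(a*x + b*x^E)) over nonzero x, using linearity of Tr.
TA = {a: [trace(mul(a, x)) for x in NONZERO] for a in ELEMS}
TB = {b: [trace(mul(b, power(x, E))) for x in NONZERO] for b in ELEMS}
CODE = {(a, b): [(u + v) % P for u, v in zip(TA[a], TB[b])] for a in ELEMS for b in ELEMS}
KEYS = list(product(range(N), range(P)))    # key k = (k1, k2), |K| = n*p

def tag(s, k):                    # encoding rule E_k(s) = c_{s,k1} + k2
    return (CODE[s][k[0]] + k[1]) % P

def p_impersonation():
    return max(Fraction(sum(tag(s, k) == t for k in KEYS), len(KEYS))
               for s in CODE for t in range(P))

def p_substitution_counts():
    """max N(c,u)/n over nonzero codewords c and u in GF(p)."""
    return max(Fraction(c.count(u), N) for c in CODE.values() if any(c) for u in range(P))

def p_substitution_from(s):
    """Simmons definition with the observed source state fixed to s (brute force)."""
    best = Fraction(0)
    for t, s2, t2 in product(range(P), CODE, range(P)):
        if s2 != s:
            ok = [k for k in KEYS if tag(s, k) == t]
            best = max(best, Fraction(sum(tag(s2, k) == t2 for k in ok), len(ok)))
    return best
```

For these assumed parameters both computations give $P_I = 1/3$ and $P_S = 6/13$.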
3.1. Authentication code based on the first class of cyclic codes.
With the generic construction of authentication codes, we can get the first class of authentication codes as follows.
Furthermore, we have
Proof. Let $n = p^m - 1$ and $h = (m + 1)/2$. To obtain the success probability of the substitution attack, we need to know the number of times that each element in $\mathrm{GF}(p)$ occurs as the coordinates in the codewords of the cyclic code. We have When $u = 0$, we get So the rest is to consider the cases for $u \neq 0$, and we have Noting that $-1$ is a non-square of $\mathrm{GF}(3^m)$, the following equality (Theorem 6.2 of [20]) can be easily verified: a, b)).
Hence if u = 1, then we have By Lemma 2.2, we know the relationship between R(a, b) and R(−a, −b) and all the possible values of the multi-sets (R(a, b), R(−a, b)).
When $(R(a, b), R(-a, b)) = (v_0, v_0)$, since $-1$ is a non-square element in $\mathrm{GF}(p)$, R(a, −b). And it follows that With a similar method, for all possible values of $R(a, b)$ and $R(-a, b)$, we have It is easy to verify that the values of $\sigma$ for $u = -1$ are the same as those in Equation (5). Hence, we have . Therefore, the maximum can be obtained by It then follows from Proposition 1 that $P_S$ =
Remark 1. The sixth class of cyclic codes in [20] is similar to the cyclic code in this subsection since they can be summarized into the same quadratic form problem. So the authentication codes based on them have the same parameters as our first class of authentication codes.

3.2. Authentication code based on the second class of cyclic codes.
Theorem 3.5. The authentication code constructed from the code  where $r_1, r_2$ are the ranks of $Q(a, b)$, $Q(-a, b)$, respectively. The last identity follows from Equation (3). According to Lemma 2.1, we know that $r_1, r_2 \in \{s, s - 1, s - 2\}$ and at least one of $r_1$ and $r_2$ is equal to $s$. Hence the rest of the calculation of $S(ya, yb)$ splits into the following cases. Recall that $d = \gcd(m, k) = k$ and $s = m/d = m/k$. It is clear that $s = m/k$ is odd since $m$ is odd. Firstly, we assume that $m > k$, i.e., $s > 2$.
Hence, we have The first case is $r_1 = r_2 = 1$.
The second is that one of $r_1, r_2$ is 1 and the other is 0. In this case, In conclusion, if $m = k$;

Authentication code based on the third class of cyclic codes.
Lemma 3.6 ([21]). Let $m$ and $k$ be positive integers such that $s = m/d$ is odd and $s \geq 3$, where $d = \gcd(m, k)$. Let $p$ be an odd prime, $q = p^m$ and $q_0 = p^d$. Then, the cyclic code $C$ with parity check polynomial are the minimal polynomials of $(-\pi)^{-1}$ and $\pi^{-(p^k+1)/2}$, has the following trace representation: The parameter of the code is $[p^m - 1,\ 2m,\ p^m - p^{m-1} - \frac{p-1}{2} p^{(m+d-2)/2}]$.
Theorem 3.7. The authentication code constructed from the code in Lemma 3.6 is
Proof. When $u = 0$, we have $\max N(c(a, b), 0) = p^{m-1} + \frac{p-1}{2} p^{(m+d-2)/2} - 1$.
When $u \neq 0$, as in the previous subsections, the key to calculating $P_S$ is to compute the following exponential sum: Let $\lambda$ be a fixed non-square of $\mathrm{GF}(q_0)$. One can easily verify the following result (Proposition 3.1 of [21]): $\omega^{y \mathrm{Tr}_{m/1}(a \eta(x) x + b x^{(p^k+1)/2})}$.
It follows from Lemma 2.1 that Q(a, b) and Q(−a, −b) have the same rank. In addition, with Equation (3), we have As a result, the following equation holds (a,b) .

Comparison
There are five parameters, namely |S|, |T |, |K|, P I and P S , in a systematic authentication code. Hence, for any two authentication codes, they are comparable when they have at least three parameters in common. However, it does not mean that we cannot compare authentication codes with less than three parameters in common, since there are examples that all the parameters of one code are better than those of another code.
In this section, we refer to the authentication codes constructed in Theorems 1, 2 and 3 as Codes C1, C2 and C3, respectively.
(1) It is clear that the source state, tag space, key space and maximum success probability of the impersonation attack are the same for C1 and C2 when $p = 3$, while , if $k/d$ is even; As a consequence, when $k = 1 < m$, the two authentication codes have the same parameters. However, when $m > k \geq 2$ or $m = k > 3$, C1 is better than C2 since $P_S(C1) < P_S(C2)$, which means the success probability of the substitution attack of C1 is smaller than that of C2. Similarly, C1 is better than C3 when $p = 3$.
(2) The source space and key space of C2 and C3 are of the same size, when $d = k$ in C3, the two codes are comparable with $P_S(C2) \leq P_S(C3)$. Thus, under a special condition, C2 is better than C3.
(3) Compared with the authentication codes constructed in the literature, our new authentication codes also have some advantages. In Theorem 8 of [7], the authors constructed a class of authentication codes (denoted by C4) with the following parameter: , when $m$ is even; , when $m$ is odd, and $|S| = p^{2m}$, $|T| = p$, $|K| = p^{m+1}$. Compared with C2, it has the same parameters $|S|$, $|T|$ and $P_I$. However, the key space of C2 is smaller, which indicates less cost on the key storage and a better ratio between the key length and the message length, while $P_S$ of C2 is certainly larger than that of C4. However, it is necessary to point out that the difference between $P_S$ of C2 and $P_S$ of C4 is negligible. For example, when $p = 3$, $m = 3$, $k = 1$, the difference is 0.039, and when $p = 11$, $m = 9$, $k = 3$, the difference is 0.004. The differences narrow down with the increases of $p$, $m$ and $k$. Therefore, it is worthwhile to make the tradeoff between the key length and $P_S$, compared with the authentication code in C4.
(4) When $q = p \geq 3$, the systematic authentication codes (denoted by C5) constructed from some highly nonlinear functions have the following parameters [8]: Similar to the previous comparison, C2 and C5 have the same $|S|$, $|T|$, $P_I$, and $|K(C5)| > |K(C2)|$. Although we have $P_S(C2) > P_S(C5)$, the difference decreases with the growing of $p$, $m$, which means that C2 is better than C5 when authenticating large files.
(5) Recall the construction by Helleseth and Johansson [10], and denote it by C6. When $q = p \geq 3$, we have: $|S| = p^{m(D - \lfloor D/p \rfloor)}$, $|T| = p$, $|K| = p^{m+1}$, Particularly, if $D = 2$, then we have $|S| = p^{2m}$, $|T| = p$, $|K| = p^{m+1}$, It is clear that $|K(C6)| = |K(C4)| > |K(C2)|$. Besides, since $P_S(C6) > P_S(C4)$, C2 is better than C4, therefore better than C5. As for those authentication codes with three or more different parameters, we define a new parameter as the $\rho$ value. To obtain a better ratio between the key length and the message length, the $\rho$ value is expected to be relatively small with a decent key length.
Definition 4.1. Let a systematic authentication code be $(S, T, K, P_I, P_S)$. We define the ratio between key space and source space as its $\rho$ value, i.e., $\rho = |K|/|S|$.
Besides, it has $P_S > P_I > 1/p$.

Conclusion
In this paper, we employed three classes of cyclic codes to construct new systematic authentication codes. The exact values of $P_I$, $P_S$ were deduced by calculating the number of times that each element occurs as the coordinates in the codewords. Compared with some authentication codes generated in the literature, our authentication codes are better with a lower probability of successful substitution attack or a smaller key space.
The results in this paper imply that one could obtain good authentication codes from good cyclic codes, especially those cyclic codes with relatively fewer weights. Recently, many constructions of three-weight [20] and five-weight cyclic codes [22] were presented and most of them were constructed with the same rule as the cyclic codes used in our paper. So we believe it is worthwhile to study the authentication codes based on these cyclic codes. The readers are cordially invited to join this adventure.