Algebraic manipulation detection codes with perfect nonlinear functions under non-uniform distribution Текст научной статьи по специальности «Математика»

НАУЧНО-ТЕХНИЧЕСКИИ ВЕСТНИК ИНФОРМАЦИОННЫХ ТЕХНОЛОГИИ, МЕХАНИКИ И ОПТИКИ ноябрь-декабрь 2017 Том 17 № 6 ISSN 2226-1494 http://ntv.ifmo.ru/

SCIENTIFIC AND TECHNICAL JOURNAL OF INFORMATION TECHNOLOGIES, MECHANICS AND OPTICS

November-December 2017

Vol. 17 No 6 ISSN 2226-1494

http://ntv.ifmo.tu/en

ALGEBRAIC MANIPULATION DETECTION CODES WITH PERFECT NONLINEAR FUNCTIONS UNDER NON-UNIFORM DISTRIBUTION

C. Carleta, A.B. Levinab, , S.V. Taranovb

a University of Paris 8, Paris, France

b ITMO University, Saint Petersburg, 197101, Russian Federation Corresponding author: levina@cit.ifmo.ru Article info

Received 06.10.17, accepted 26.10.17

doi: 10.175 86/2226-1494-2017-17-6-1052-1062

Article in English

For citation: Carlet C., Levina A.B., Taranov S.V. Algebraic manipulation detection codes with perfect nonlinear functions under non-uniform distribution. Scientific and Technical Journal of Information Technologies, Mechanics and Optics, 2017, vol. 17, no. 6, pp. 1052-1062 (in English). doi: 10.17586/2226-1494-2017-17-6-1052-1062

Abstract

Classical methods of error detection are not efficient when an attacker controls the process of error injection. Nowadays the problem of providing high level of security for cryptographic systems, secret sharing schemes, flash memories and other communications, computation and storage systems is central to information security. To solve this problem the algebraic manipulation detection (AMD) codes have been proposed by Cramer at EUROCRYPT 2008. AMD codes represent a new class of nonlinear error detection codes which minimize the maximum of error masking probability. The paper presents the findings on behavior research of perfect nonlinear functions used in algebraic manipulation codes when the input distribution is not uniform. This research gives the detail review of behavior of perfect nonlinear functions and the maximum of error masking probability in case of different irreducible polynomials used for AMD codes. The received measurements can be used for selection of coding function that can be the most suitable for encoding information in specific situation such as given distribution of input codewords, irreducible polynomial and other parameters. The paper highlights the cases of parameter changing in coding system which do not change the error masking probability distribution or the changes are insignificant. These cases can be used to modify designs without reducing the stability of the entire integrity system to algebraic attacks that gives the possibility to customize the system for practical needs. Such parameters as the distribution of input codewords are also considered. They have an adverse effect on the stability of the system to algebraic manipulations. Changes in the input codeword distribution should be monitored in the integrity system, and additional transformations for input codewords should be used for security reasons or the encoding function within the integrity system should be changed. Keywords

robustness, error masking probability, AMD codes, encoding function complexity, nonuniform distribution УДК 004.056.2

КОДЫ, ОБНАРУЖИВАЮЩИЕ АЛГЕБРАИЧЕСКИЕ МАНИПУЛЯЦИИ, НА ОСНОВЕ СОВЕРШЕННО НЕЛИНЕЙНЫХ ФУНКЦИЙ НАД НЕРАВНОМЕРНЫМ РАСПРЕДЕЛЕНИЕМ К. Карлет", А.Б. Левинаb, , С.В. Тарановb

"University of Paris 8, Париж, 93526, Франция

b Университет ИТМО, Санкт-Петербург, 197101, Российская Федерация Адрес для переписки: levina@cit.ifmo.ru Информация о статье

Поступила в редакцию 06.10.17, принята к печати 26.10.17 doi: 10.175 86/2226-1494-2017-17-6-1052-1062 Язык статьи - английский

Ссылка для цитирования: Карлет К., Левина А.Б., Таранов С.В. Коды, обнаруживающие алгебраические манипуляции, на основе совершенно нелинейных функций над неравномерным распределением // Научно-технический вестник информационных технологий, механики и оптики. 2017. Т. 17. № 6. С. 1052-1062. doi: 10.17586/2226-1494-2017-17-6-1052-1062

Аннотация

Стандартные методы обнаружения ошибок неэффективны в случаях, когда атакующий контролирует процесс внедрения ошибок. Проблема обеспечения высокого уровня защиты для криптографических систем, схем разделения секрета, флеш памяти и других систем передачи, обработки и хранения информации является одной из важнейших в области обеспечения информационной безопасности. Для решения данной проблемы Р. Крамером на EUROCRYPT

2008 были предложены коды, обнаруживающие алгебраические манипуляции (AMD-коды). AMD-коды являются новым классом нелинейных кодов, обнаруживающих ошибки, которые минимизируют максимальное значение вероятности маскировки ошибки. В данной статье представлены результаты изучения поведение кодов, обнаруживающих алгебраические манипуляции, на основе совершенно нелинейных функций при неравномерно распределении входных значений. Исследование дает подробный обзор поведения совершенно нелинейных функций и вероятности маскировки ошибки при различных неприводимых многочленах, используемых для AMD-кодов. Полученные результаты могут быть использованы для выбора функции кодирования, которая наиболее подходит для конкретной ситуации, задаваемой распределением входных кодовых слов, неприводимыми многочленами и другими параметрами. Выделены случаи изменения параметров системы кодирования, при которых распределение вероятности маскировки не изменяется или изменения незначительны. Эти варианты могут использоваться для модификации конструкций без снижения устойчивости всей системы целостности к алгебраическим атакам, что позволяет настроить систему под практические нужды. Рассмотрен такой параметр, как распределение входных кодовых слов, который отрицательно влияет на устойчивость системы. Изменения в распределении входных кодовых слов должны отслеживаться в системе обеспечения целостности, и в целях безопасности должны использоваться дополнительные преобразования для входных кодовых слов, либо изменяться функция кодирования внутри системы целостности. Ключевые слова

надежность, вероятность маскировки ошибки, AMD-коды, сложность функции кодирования, неравномерное распределение

Introduction

As shown in [1-3], classical methods of error detection are not effective when the error distribution of a device is unknown or controlled by anattacker; they do not give the possibility to minimize the worst error masking probability. The majority of currently used linear and nonlinear codes have a set of undetectable errors, and their injection could compromise security in encoding devices. If an error configuration is controlled by an attacker, then he can produce an error changing of a correct codeword into a wrong codeword, exceeding the correction ability of the used code. In the case of linear codes, undetectable errors are codewords, so it is enough for the attacker to know only the code, used in the device, for the error injection. One of the models for error injection is algebraic manipulation. This model assumes that the attacker is able to modify the value of some abstract data storage devices without having read-access to the data. This model can be used for memory security [4-6], and for the other systems, such as secret sharing schemes [7]. In these cases, error configuration is absolutely unpredictable and depends on the attacker's capabilities and method of fault injection.

The solution for the problem of algebraic manipulation was firstly introduced by Cramer et al [7]. Algebraic manipulation detection (AMD) codes may, in some sense, be viewed as keyless combinatorial authentication codes that provide security in the presence of an oblivious algebraic attacker. Its original applications included robust fuzzy extractors, secure message transmission and robust secret sharing. In recent years, however, a rather diverse array of additional applications in cryptography has emerged.

The nonuniformity of input values opens up wide opportunities for an attacker introducing errors, when he is able to find correlations between the error masking probability distributions for some encoding function and the probability distributions of the inputs. This correlation more likely enables the introduction of an error in the device, because in this case the probability of error masking is dependent on the input values. Today this question is being studied in details. There is a mechanism to reduce the maximum of error masking probability by Gray mapping [8]. However, in the paper [8] the authors do not analyse the effect of the encoding function parameters on minimization of the error masking probability.

This paper compares the error masking probability for several AMD codes basedon PN functions in cases of uneven distribution of the input codewords. As a PN function, we take the so-called Maiorana - McFarland functions defined as follows: denoting input s by (x, y) with x,y 6 F2k/2, we have F(x,y) = xx n(y), where n is a permutation on F2k/2. We consider, in particular, F1(x,y) = xy, F2(x,y) = xy-1 and F3(x,y) = xy3 (with the convention 0-1 = 0 in the second case and with k/2 odd in the latter case so that у ^y3 is a permutation). The purpose of the comparison is to identify the relationships between the probability of error masking and distribution of input values that enable an attacker to accelerate the error finding with the high probability of errors masking.

In the analysis of the encoding functions, the following issues are discussed in details:

- the error masking probability of encoding functions with the same nonlinearity and the code redundancy;

- what is the effect of changing the irreducible polynomial chosen to build the finite field, over which the PN function is defined.

For each probability distribution of error masking investigated, the following parameters are analyzed:

- maximums of error masking probability;

- number of the error masking probability maximums for given distributions;

- number of errors with error masking probability exceeding 0.5 (so-called "bad errors").

The studies carried out are also applicable to the class of wavelet robust codes presented in the works

[9, 10].

Algebraic Manipulation Detection code

The model of algebraic manipulation over an abstract storage device has been firstly described by Cramer et al. in [11] and presented in Figure 1. Such device is denoted by £ (G) and can hold an element g from a finite Abelian group G. An attacker is not able to obtain any information about the element g stored in the device £ (G). However, he can change the stored element g by adding another element e £ G. This tampering is called an algebraic manipulation. After algebraic manipulation, the abstract storage device £ (G) will store the value g + e, we will call e an error. An adversary can choose the value e only on the basis of what he already knew about g before it was stored in the device (his a priori knowledge of g). AMD codes are supposed to encode an original information s £ S as an element of g £ G in such way that any algebraic manipulation is detected with high probability. It is known that the best option is to choose a perfect nonlinear function [12] for this encoding mapping. But this option is in fact optimal under the condition that the input distribution is uniform. In this paper, we analyse the case of non-uniform input distribution of AMD codes.

Original information (input codewords).

In practice, s is nonuniform distributed

s e S

Injection of error

r

Encoder of security-oriented code E : S ^ G

g^G

2(G) Abstract storage device

g+eeG

Decoder of security-oriented code D : G ^ S

s e S

Figure 1. Model of algebraic manipulation and protection scheme based on AMD code

In the paper [11] Cramer et al. presents two types of injection attack: weak and strong. In weak attack, the adversary cannot choose the inputs. So, from the adversary's point of view the source s is uniformly distributed and the attacker only can inject any specific error pattern e in the storage device £ (G), but he cannot change value s at his own discretion.

In case of strong attack, the adversary can influence the outputs by choosing the inputs. In this case the adversary knows the value s £ S and, moreover, he can choose it himself. In both types of fault injection attacks the value g stored in £ (G) is hidden from the attacker.

Definition 1 [11]. Let m and n be two positive integers. An (m, n) AMD code is a pair of a probabilistic encoding functions E.S^G from a set S of size m into a finite Abelian group G of order n, and a deterministic decoding function D.G ^ S U (!) such that D(E(s)) = s with probability 1 for every s £ S, where 1 denotes combinations which are not included in the code.

An AMD code is called "systematic" if set S is a group and the encoding function E has the form

E.S ^ SXG1XG2

s ^ (s,t,F(t,s)),

for a function F, with t being randomly chosen with uniform probability in G1.

Definition 2 [11]. An AMD code is called weak £-secure, £ > 0 if, for every s chosen at random from S and for every e £ G sampled from G according to some distribution independent of s and E(s), the probability that D(E(s) + e) (s, 1) is at most £.

So in the system with an AMD code, when the decoding function gives the correct value s with probability 1 — £ or the special symbol 1, it means that algebraic manipulation has been detected.

Definition 3 [11]. An AMD code is called strong £-secure for £ > 0 if, for every s £ S sampled at random from S and for every e £ G sampled from G according to some distribution independent of E(s), the probability that D(E(s) + e) (s, 1) is at most £.

e

Before Cramer's work, in the works written by Mark Karpovsky et al [1, 13] the notion of robust code was presented, which is related to deterministic weak AMD code:

Definition 4 [6]. A code C £ GF(2n) is fl-robust if the size of the intersection of the code C and any of its translates C = [g | ~g = g + e,g £ C},e £ GF(2n), e ± 0 is upper bounded by R :

R = maxo^cF(2n)lidld £C,g + e £ C}| where + is the componentwise addition modular two. A binary fl-robust code C of length n with M = card(C) is denoted by a triple (n, M, R) (Figure 2).

C C=C+e

R = max | C n C

Figure 2. Definition of robust code

The code (which is not necessarily linear) is supposed systematic: there exists a subset I of positions in codewords, called an information set of C, such that every possible tuple of length |/| occurs in exactly one codeword within the specified coordinates xt: i £ I. The code equals then, up to a permutation of the codeword coordinates: {(s,F(s)); s £ S} where S is a subgroup of G, for some (non necessarily linear) function F, and the encoding function E:S ^ G is then E(s) = (s, F(s)).

The probability of missing an algebraic manipulation e with such a robust code equals the so-called probability of error masking, which is denoted Q(e) and is defined as:

ni \ — card (Cn(e + C)) ) = card (C) .

The maximum probability of error masking maxe^0Q(e) is directly related to the robustness order of code max„^nQ(e) =-.

\ J card (C)

Weak AMD codes must provide the detection of algebraic manipulation with security parameter for the set of errors (0 ^ es, ex, ef), on condition that the information part contains an error es ^ 0. Thus, the weak AMD codes are not tested for the set of errors with zero information part (0 = es,ex,ef). Mark Karpovsky in [14] writes that es ± 0 is a necessary condition for successful algebraic manipulation. However, for secure architectures, the integrity of redundant bits of codes is also important. For example, errors (es, ef = 0) have a high probability of error masking for some multilinear arithmetic codes [15]. Thus, it is necessary to perform analysis for the whole set of errors, not just for errors in the information part. Strong AMD codes must consider the case when the adversary injects errors, but does not alter the value , as successful algebraic manipulation. That is, in strong AMD codes, injection of errors in redundancy part (and also in random part) of codeword g must be detected with probability that D(E(s) + e) {!} bounded above by e. Examples of strong AMD codes are given in [16] Section 3 and [11] Section 6.

In this section, the main definitions of the AMD code theory are presented. The main characteristics of these structures are outlined.

Robustness and max Q(e) for perfect nonlinear functions

In the late 1980s the importance of highly nonlinear functions in cryptography was first discovered by Meier and Staffelbach from the point of view of correlation attacks on stream ciphers, and later by Nyberg in the early 1990s after the introduction of the differential cryptanalysis method. Perfect nonlinear (PN) and almost perfect nonlinear (APN) functions, which have the optimal properties for offering resistance against differential cryptanalysis, have since then been an object of intensive study by many mathematicians.

Perfect nonlinear functions play an important role in robust codes or deterministic weak algebraic manipulation detection codes also. The best possible codes which have maximum possible number of codewords for a given length and robustness are optimum robust codes which have perfect nonlinear encoding function.

Proposition. Let C = {(x,F(x)),x £ F2}, where F is a vectorial function from to W2,, with k and r non-negative. Then C is optimum robust if and only if F is perfect nonlinear.

In the case of weak model of algebraic manipulation, the robustness R and the error masking probability Q(e) are defined by the encoding function F. In particular, under uniform distribution of input codeword, the error masking probability of a code based on a PN function Q(e) is bounded above by l/2r. Indeed, denoting

e = (a, b), we have

card (Cn(e + C)) = card ({(x,y) £ (V*)2; {p^^pfy) + ¿})

For every a ± 0, this size equals 2k-r by the definition of PN functions, and for a = 0,b ± 0 it is null.

c nu nk nr \ card (cn(e + c)) 2k-r r

Since C has size 2K, this gives maxe^0Q(e) =-= —r- =2 '.

b card (C) 2k

Example 1. Let us consider the distribution of error masking probability of the systematic code with codewords (x, y, xy), x,y £ W2r based on the PN function F (x, y) = xy with r = 2.

The error vector is e = (ex,ey,eF) ^ (0,0,0), and we have C n(e + C) = {(x,y,xy); (x + ex)(y + ey) = xy + eF] = {(x,y,xy); eyx + exy = exey + eF}, and the error masking probability equals to 2-2 if (ex,ey) ^ (0,0), whatever is eF, and 0 if (ex,ey) = (0,0) since then we have eF ^ 0. Triples (ex,ey,eF) are represented by the decimal numbers whose binary expansions are equal to these triples.

There are three errors {ex = 0,ey = 0, eF ^ 0} that are always detected by above described code (Q(e) = 0). Indeed, these errors are: ex = 00, ey = 00, eF = 01; ex = 00, ey = 00, eF = 10; ex = 00, ey = 00, eF = 11.

This section shows the relationship between the nonlinearity of the coding function and the reliability of the code. Also the part explains why, for uniform distribution, the max Q(e) is bounded above by 1/2r.

PN functions under different nonuniform distribution of input codewords

Robust codes do not provide protection against the strong model of algebraic manipulation. If there is a dependence between the data entered in the device and the manipulation, such that the distortion takes the value of the difference between a current codeword and any other one, then this distortion cannot be detected with a high probability.

Example 2. Let the distribution of the input codewords be nonuniform. Assume, there is a function $(s) that determines the probability of occurrence of a given information message s £ S at the input of abstract storage device £ (G) described above. Then, the error masking probability under nonuniform distribution of the outputs for given code C equals Q(e) = £g+e£C [8], where g is the codeword corresponding to input information s (we have g £ C by construction). For simplicity of reading, all binary vectors will be represented as integers. For instance, the distribution of error masking probability of optimum robust code (x, y, xy), x,y £

0.25, for s £ [8; 9]

W2i under nonuniform distribution ф(я) =

0.15, for s £ [7;10] .

is shown in Figure 3, s = (x\y) (since r is

0.05, for s £ [6;11] 0.01, otherwise

still equal to 2, s is a vector of length 4), where | denotes concatenation, and integers in brackets denote integer representation of binary word s. For instance, the entry 0.25, for s £ [8; 9] means that the probability that s = (1,0,0,0) (resp. s = (1,0,0,1)) equals to 0.25.

0.6

0.5

0.4

0.3

0.2

0.1

0

Figure 3. Distribution of error masking probability for code (x,y,xy),x,y £ ¥22 under nonuniform distribution.

Ordinate is error masking probability for each possible error. Abscissa is decimal representation of error vectors

The set of errors [ex = 0,ey = 0,ep ^ 0} that are always detected (i.e. such that Q(e) = 0) by code is unchanged. The maximum of error masking probability drastically increases from 0.25 to 0.52, and we know that injection of errors with the high masking probability are dangerous for protected device. Moreover, optimum robust code under nonuniform distribution of input codeword already does not provide equal probabilities of detection for all possible errors.

To protect against strong algebraic manipulation, it is necessary to get rid of deterministic encoding procedures [15, 5]. For deterministic encoding functions, there is one correspondence between the input values s and codeword g = (s, F(s)). Therefore, the probability of occurrence of input values has a direct impact on the codewords. That is, if the probability of occurrence of the input value p(s1) equals to 0.8, then the probability of a corresponding codeword ptg-i) is also equal to 0.8. So, deterministic encoding functions do not prevent the

analysis of code for searching a high probability of error masking.

For providing randomness, the encoding process can be performed with the help of a random variable x that is independent of the input data . For such stochastic encoding, each input value corresponds to the set of codewords g = {(s, ti,F(ti, s)), ...,(s, ti, F(ti, s))}, where i depends on the length of the random part t. Thus, even for the same input values, the output may be different. One input value corresponds to a few codewords; each one has its own set of errors with high probability masking. Indeed, to calculate the probability of error masking Q(e) for all e, we need to count all sum g + e for all errors e and for all codewords g. Thus, the maximum value of Q(e) corresponds to several codewords g' such that {(C n(e + C)), e + C = {e + g',g' e C}} is performed. For a deterministic function, attacker can select one of these codewords g', and find the corresponding input value '. Inputting the value ' and the simultaneous introduction of error can compromise the encoding device. In the stochastic coding, input of values s' does not guarantee that we will get the required codeword g'.

Let us consider the codes Ci = {(s,F(s)),s e and C2 = {(s,t,F(t,s)),s e W%,t eR ¥£} (with F(s) e W2,F(t, s) e Wr2), under some nonuniform distribution <(s). For deterministic version C1, the probability of codeword occurrence of g equals to <(s). For stochastic version Cr, the probability of codeword occurrence of g equals to <(s)2m. For analysing all possible combinations, the attacker can either control the random number generator (RNG) in the encoding device or have the ability to send the input to the device until all combinations have been received. Thus, the attacker is able to compute a set of possible codewords ( , ), but not the encoded version of input .

The computational complexity of the probabilistic encoding function for AMD codes depends on both the complexity of obtaining the random part and the complexity of encoding function F( , ). In cryptographic applications and devices, the random part x can be generated by a RNG, that is already used in most of the modern cryptographic devices. In any case the probabilistic AMD codes have higher computational complexity than the robust codes (deterministic AMD codes). If there are problems with the generation of random values or if the computation power is not sufficient, it is preferable to use robust codes. But robust codes are poorly investigated in the case of nonuniformly distributed input s. This paper investigates the behavior of PN functions under non-uniform input different distribution.

The paper compares the following power PN functions:

1. F(x,y) = xy and F(x,y) = xy-1 where x,y e Wrr (for r = 2,3,4,5);

2. F(x,y) = xy3 and F(x,y) = xy-3 where x,y e Wrr (forr = 3,5).

For given values r, max Q (e) is measured for all possible irreducible polynomials. Used polynomial is given in description of table with corresponding measurements.

Comparison of PNfunctions for r=2

We compared the functions already discussed earlier: xy and xy-1, where x,y e Wrr are two parts of information of equal length . These two functions have the same value of robustness and the maximum of error masking probability. Indeed, both encoding functions are perfect nonlinear functions, hence maxe^0Q(e) = l/2r. Comparison of the functions F(x,y) = xy and F(x,y) = xy-1 for various distributions and value r = 2 is shown in Table 1.

Distribution xy xy 1

Uniform distribution 025 0.25

Bernouilli distribution 0.5598 0.5598

ф (a)-!01 forge[4;9] 0.04, otherwise 0.4 0.4

Г 0.25, forge [8; 9] . g)-\015, forge[T;l°] ф2(д)-|0.05, forge[6;11] V 0.01, otherwise 0.52 0.52

Table 1. Comparison of the error masking probability for the functions F(x,y) = xy and F(x,y) = xy-1 for value r = 2 over irreducible polynomial xr + x + 1. g denotes the codeword of code and <£(g) probability of codeword occurrence

In the case of a uniform distribution, the probability of codeword occurrence is the same for every input, or, in other words, <(g1) = <(gr) =...= <(gr2r).

Bernouilli distribution of parameter p e [0; 1] that is:

<(g) = nhpgi(l-p)1-gi.

There is no difference between codes based on these functions. For = 2 most codewords in both codes coincide. These two codes are different in 6 codewords.

The difference between codes will be more explicit if we explore the functions for higher value of , for example 4 and 5, but then a huge number of comparisons is needed for each codes (for example, for r = 4, the

number of codewords is 28, the error space is 212).

Comparing the behavior of PNfunctions for r=3 under two irreducible polynomials

For comparison, the following PN functions have been chosen: F(x, y) = xy, F(x, y) = xy-1, F(x, y) = xy3, F(x,y) = xy-3, where x,y £ W2r are information parts of length equal to r (supposed odd in the case of the two last functions so that y ^ y3 is bijective that is a necessary and sufficient condition for F(x,y) = xy3 and F(x,y) = xy-3 to be PN). We checked that for other choices of irreducible polynomials the maximum of error masking probability has not changed essentially. If we compare the max Q (e) over irreducible polynomial x3 + x2 + 1 and x3 + x + 1 it is seen that the differences are small. Table 2 presents the values for the same functions but for irreducible polynomial x3 + x2 + 1 (probability distributions of error masking Q(e) are different, but the maximum value of Q (e) remains unchanged in most cases).

Distribution ф(х),ж = (х,у) xy xy 1 = xy6 xy3 xy 3

Uniform distribution 0.0125 0.0125 0.0125 0.0125

Bernouilli distribution 0.5197 0.4631 0.4947 0.4189

Ф1С0) = 0.84, for д £ [31; 34] . 0.260, otherwise 0.42 0.6166 0.6166 0.42

Ф2(д) = ■ 0.730, for д£[16;45] 0.334, otherwise 0.1866 0.1721 0.1721 0.1866

фз(д) = ■ 0.144, forg £ [1; 44] 0.920, otherwise 0.36 0.2745 0.2745 0.36

Г 0.115, for де[1;15] I 0.415, for д £ [16; 30] ф4(^) = { 0.215, forg £[31;45] V 0.319, otherwise 0.2133 0.1824 0.1824 0.2133

Table 2. Comparison of maximum error masking probability for the functions F(x,y) = xy, F(x,y) = xy 1, F(x,y) = xy3 and F(x,y) = xy-3 for value r = 3 over irreducible polynomial x3 + x + 1

Measurements of the masking probability over irreducible polynomial x3 + x2 + 1 for distributions ^ (g), $2 (g), (g), (g) yield results that coincide with a deviation of 0.05 with results in Table 2.

For r = 3, xy-1 = xy6 is linearly equivalent to xy3. It is interesting to see that with some distributions, two equivalent PN functions give the same error masking probability and with the others it can give different ones. However, polynomials x3 + x + 1 and x3 + x2 + 1 are reciprocal of each other and they are the only primitive polynomials for r = 3.

For most distributions, the maximum values of the function F(x, y) = xy-1 and F(x, y) = xy3 are close to each other (disributions ty2(g), ty3(g), $4(s0). If we look at the distribution of Q(e) for function F(x,y) = xy-1 and F(x,y) = xy3 (Figure 4), we can see that distribution does not coincide fully. However, as shown in Figure 4, we can select error classes with the same values of error masking probability for both functions.

, , ^ ^ (0.84, for g£[31;34] ,

However, for distribution of input codewords <&-\(g) = \ , . , the maximum of error

(. 0.260, otherwise

masking probability has a high value for function F(x,y) = xy-1 (Figure 5). In comparison with the other encoding functions, maxe^0Q(e) for function F(x,y) = xy-1 under distribution 01 is very high, therefore using of this function under distribution ^ is undesirable.

The nonuniform distributions of input codeword can lead to jumps in the probability distribution of the error masking Q(e). Figure 6 represents the case of correlation between the input distribution and injected error that give rise in error masking probability distribution. For example, we can see an error with a decimal representation 84 in Figure 6 or, in other words, the error with maximal Q (e) for the distribution of (g) and an irreducible polynomial 100101.

Behavior of the error masking probability for encoding functions F(x,y) = xy and F(x,y) = xy-3 is also largely the same. As shown in Table 2 for these functions the maximums of error masking probability for all distributions except the Bernouilli coincide. Distribution of Q(e) are different, but as in the case of functions F(x,y) = xy-1 and F(x,y) = xy3, there are set of errors with the same Q(e).

0.6 0.5 0.4 0.3 0.2 0.1 0

0.6 0.5 0.4 0.3 0.2 0.1 0

1 71 1 141 211 281 3 151 421 491

ишжиигостжпю ИТ1 ,»IPj ТО,

ИТ 1" ¥гч|[тпт!т™г "г ту tp

1

71

141

211

281

351

421

491

Figure 4. Distribution of error masking probability for encoding functions F(x,y) = xy modulo x3 + x + 1 (top graphic) and F(x,y) = xy modulo x3 +x2 + 1 (lower graphic) under Bernoilli distribution. Ordinate is error masking probability for each possible error. Abscissa is decimal representation of error vectors

0.3

0.25

0.2

0.15

0.1

0.05

0

0.3 0.25 0.2 0.15 0.1 0.05 0

1 61 121 181 241 301 361 421 4

Figure 5. Distribution of error masking probability for encoding functions F(x,y) = xy-1 (top graphic) and F(x,y) = xy3 (lower graphic) under distribution $3(g). Ordinate is error masking probability for each possible error. Abscissa is decimal representation of error vectors

0.7 0.6 0.5 0.4 0.3 0.2 0.1 0

1

Figure 6. Distri bution of error masking probability for encoding function F(x,y) = xy-1 under nonuniform distribution ^(g). Ordinate is an error masking probability for each possible error. Abscissa is a decimal

representation of error vectors

Comparison of PNfunctions for r=4 over two irreducible polynomials

Comparison of the functions F(x,y) = xy and F(x,y) = xy-1 for various distribution and value r = 4 is shown in Table 3.

Distribution xy xy 1

Uniform distribution 0.0625 0.0625

Bernoilli distribution 0.4987 0.2227

Ф1С0) = 0.856, for #£[51;106] 0.2200, otherwise 0.2285 0.1222

ф2(д) = ■ 0.7100, for #£[101;200] 0.3156, otherwise 0.H2 0.0917

фз(д) = 0.1150, for 0£[1;150] . 0.9106, otherwise 0.1358 0.1045

ф4(д) = ■ 0.930, for 0£[101;130] 0.1226, otherwise 0.48 0.1844

Table 3. Comparison of the error masking probability for the functions F(x,y) = xy and F(x,y) = xy-1 for value r = 4 over irreducible polynomial x4 + x3 + 1. g denotes the codeword of code and probability of codeword

occurrence

From Table 3 we can see that function F(x,y) = xy has a lower error masking probability for all distributions.

Comparison of PNfunctions for r=5 over six irreducible polynomials We have chosen one function with r = 5 and tried all primitive polynomials in Table 4.

Distribution ф(х),ж = (x,y) 100101 101001 111101 101111 110111

Ф1(д) = \252,™»(5)= 5 v.0, otherwise 0.05952 0.05952 0.051587 0.05556 0.05556

ф2(д) = ■ 1/120, wH(s) = 3 0, otherwise 0.08333 0.08333 0.08333 0.08333 0.08333

Bernouilli distribution 0.4880 0.4880 0.4880 0.4880 0.4880

ф4(д) = 0.824,g £ [501; 525] 0.21000, otherwise 0.43713 0.43713 0.43713 0.43713 0.43713

ф5(д) = 0.6424, g £ [301;725] 0.4600, otherwise 0.04528 0.04528 0.04528 0.04528 0.04528

Table 4. Comparison of maximum error masking probability for the functions F(x,y) = xy for value r = 5 over all irreducible polynomial in GF(25). Number of vector with hamming weight 5 in GF(210) equal to 252. s = (x,y) is information part of codeword g = (s,F(s)). The denotion wH(s) means the Hamming weight of vector s

Distribution ф(з),5 = (x,y) 100101 101001 111101 101111 110111 111011

ф (a)=\V252, Wh(S) = 5 ^^ 0, otherwise 0.06746 0.06746 0.05952 0.05556 0.05952 0.05952

ф2(д) = ■ 1/120, wH(s) = 3 0, otherwise 0.09167 0.09167 0.08333 0.08333 0.08333 0.08333

Bernouilli distribution - - - - - -

ф4(д) = ' 0.824,g £ [501; 525] 0.21000, otherwise 0.17207 0.17207 0.17207 0.20520 0.17207 0.17207

ф5(д) = 0.6424, g £ [301;725] 0.4600, otherwise 0.03630 0.17207 0.03630 0.03630 0.03630 0.03630

Table 5. Comparison of maximum error masking probability for the functions F(x,y) = xy-1 for value r = 5 over all irreducible polynomial in GF(25). Number of vector with hamming weight 5 in GF(210) equal to 252. s = (x,y) is information part of codeword g = (s,F(s)). The denotion wH(s) means the Hamming weight of vector s

In the first line of Table 4, the irreducible polynomial of GF(25) is presented. Polynomials are represented via binary coefficients, that is, for example, the 100101 denotes the polynomial x5 + x2 + 1. The first column contains the distribution of input distributions ty(g). We made a simulation with a distribution uniform over some strict subset of (F^r) and null outside, for instance the set of those (x, y) of Hamming weight r = 5. A number of binary sequences with the length of 10 bits and hamming weight of 5 equals to 252. So, probability of occurrence for vector s with weight 5 equals to 1/252. Each column presents the irreducible

polynomial and corresponding maximum value of error masking probability for each distribution of input codeword.

For distribution we get the different values of maxQ(e), however, for another distribution

maximum of error masking it does not depend on irreducible polynomial.

Based on the measurement results carried out in this section for codes constructed with the Maorana -McFarland functions, the following conclusions can be drawn:

- Tables 4 and 5 show how the changing of an irreducible polynomial that is used to construct codewords effects on the probability of error masking. From the tables we see that for the same distribution of input codewords, the using of reciprocal irreducible polynomials gives an equal maximum value of the error masking probability. Nonreciprocal irreducible polynomials give the masking probability maximum that is different from the other irreducible polynomials for same input codeword distribution (Values maxQ(e) differ by at most 0.01).

- the set of input codeword distribution, codespace and irreducible polynomial can give jumps in the probability distribution of the error masking Q(e).The examples of jumps can be seen in Figure 6 for error with a decimal representation 84.

- the probability distribution of the error masking given by equivalent codes coincide up to permutations (Figures 4 and 5).

- max Q (e) for equivalent codespaces are equal for identical irreducible polynomials, for example, the functions xy-1 and xy3 or xy and xy-3 in Tables 2 and 3.

Conclusion

AMD codes based on PN functions are considered as the object of research. AMD codes present a new method of ensuring integrity for structural elements of device for processing, storing and transferring information, such as cache memory, RAM, logic and arithmetic elements in circuits. In this work AMD codes based on PN functions were tested for stability, made an overview of changes in the input codeword distribution, irreducible polynomials used to generate code spaces. As a result, cases were identified when it is possible to reduce the stability of code constructions. Such cases are possible if the coding function, the input codeword distribution or irreducible polynomial is changing. These cases should be taken into account when methods of integrity ensuring based on the considered code constructions are designed.

References

1. Karpovsky M.G., Taubin A. New class of nonlinear systematic error detecting codes // IEEE Transactions on Information Theory. 2004. V. 50(8). P. 1818-1820. doi: 10.1109/TIT.2004.831844

2. Karpovsky M.G., Kulikowski K.J, Wang Z., Robust error detection in communication and computational channels // Proc. Int. Workshop on Spectral Methods and Multirate Signal Processing. Citeseer, 2007.

3. Wang Z. , Karpovsky M. New error detecting codes for the design of hardware resistant to strong fault injection attacks // Proc. Int. Conference on Security and Management, SAM. LasVegas, USA, 2012.

4. Wang Z., Karpovsky M., Kulikowski K.J. Design of memories with concurrent error detection and correction by nonlinear sec-ded codes // Journal of Electronic Testing. 2010. V. 26. N 5. P. 559-580. doi: 10.1007/s10836-010-5168-5

5. Wang Z., Karpovsky M.G. Reliable and secure memories based on algebraic manipulation correction codes // Proc. 2012 IEEE 18th Int. On-Line Testing Symposium. Sitges, Spain, 2012. P. 146-149. doi: 10.1109/I0LTS.2012.6313861

6. Ge S., Wang Z., Luo P., Karpovsky M.G. Secure memories resistant to both random errors and fault injection attacks using nonlinear error correction codes // Proc. 2nd Int. Workshop on Hardware and Architectural Support for Security and Privacy. 2013. Art. 5.

7. Cramer R., Dodis Y., Fehr S., Padro C., Wichs D. Detection of algebraic manipulation with applications to robust secret sharing and fuzzy extractors // Lecture Notes in Computer Science. 2008. V. 4965. P. 471-488. doi: 10.1007/978-3-540-78967-3_27

8. Keren O., Shumsky I., Karpovsky M.G. Robustness of security-oriented binary codes under non-uniform distribution of codewords // Proc. 6th Int. Conf. on Dependability. Barcelona, Spain, 2013. P. 25-30.

9. Levina A., Taranov S. Creation of codes based on wavelet transformation and its application in ADV612 chips //

Литература

1. Karpovsky M.G., Taubin A. New class of nonlinear systematic error detecting codes. IEEE Transactions on Information Theory, 2004, vol. 50, no. 8, pp. 1818-1820. doi: 10.1109/TIT.2004.831844

2. Karpovsky M.G., Kulikowski K.J, Wang Z., Robust error detection in communication and computational channels. Proc. Int. Workshop on Spectral Methods and Multirate Signal Processing. Citeseer, 2007.

3. Wang Z. , Karpovsky M. New error detecting codes for the design of hardware resistant to strong fault injection attacks. Proc. Int. Conference on Security and Management, SAM. Las-Vegas, USA, 2012.

4. Wang Z., Karpovsky M., Kulikowski K.J. Design of memories with concurrent error detection and correction by nonlinear sec-ded codes. Journal of Electronic Testing, 2010, vol. 26, no. 5, pp. 559-580. doi: 10.1007/s10836-010-5168-5

5. Wang Z., Karpovsky M.G. Reliable and secure memories based on algebraic manipulation correction codes. Proc. 2012 IEEE 18th Int. On-Line Testing Symposium. Sitges, Spain, 2012, pp. 146-149. doi: 10.1109/I0LTS.2012.6313861

6. Ge S., Wang Z., Luo P., Karpovsky M.G. Secure memories resistant to both random errors and fault injection attacks using nonlinear error correction codes. Proc. 2nd Int. Workshop on Hardware and Architectural Support for Security and Privacy, 2013, art. 5.

7. Cramer R., Dodis Y., Fehr S., Padro C., Wichs D. Detection of algebraic manipulation with applications to robust secret sharing and fuzzy extractors. Lecture Notes in Computer Science, 2008, vol. 4965, pp. 471-488. doi: 10.1007/978-3-540-78967-3_27

8. Keren 0., Shumsky I., Karpovsky M.G. Robustness of security-oriented binary codes under non-uniform distribution of codewords. Proc. âh Int. Conf. on Dependability. Barcelona, Spain, 2013, pp. 25-30.

9. Levina A., Taranov S. Creation of codes based on wavelet transformation and its application in ADV612 chips.

International Journal of Wavelets, Multiresolution and Information Processing. 2017. V. 15. N 2. P. 1750014. doi: 10.1142/S021969131750014X

10. Levina A., Taranov S. Spline-wavelet robust code under nonuniform codeword distribution // Proc. 3rd Int. Conf. on Computer, Communication, Control and Information Technology, C3IT 2015. Hooghly, India, 2015. Art. 7060125. doi: 10.1109/C3 IT.2015.7060125

11. Cramer R., Fehr S., Padro C. Algebraic manipulation detection codes // Science China Mathematics. 2013. V. 56. N 7. P. 13491358. doi: 10.1007/s11425-013-4654-5

12. Nyberg K. Perfect non-linear s-boxes // Lecture Notes in Computer Science. 1992. V. 547. P. 378-386.

13. Kulikowski K.J., Karpovsky M.G., Taubin A. Robust codes and robust, fault-tolerant architectures of the advanced encryption standard // Journal of Systems Architecture. 2007. V. 53. N 2-3. P. 139-149. doi: 10.1016/j.sysarc.2006.09.007

14. Karpovsky M.G., Kulikowski K.J., Wang Z. On-line self error detection with equal protection against all errors // International Journal of Highly Reliable Electronic System Design. 2008.

15. Karpovsky M.G., Wang Z. Design of strongly secure communication and computation channels by nonlinear error detecting codes // IEEE Transactions on Computers. 2014. V. 63. N 11. P. 2716-2728. doi: 10.1109/TC.2013.146

16. Sunar B., Wang Z., Karpovsky M.G., Joshi A. Design of reliable and secure multipliers by multilinear arithmetic codes // Lecture Notes in Computer Science. 2009. V. 5927. P. 47-62. doi: 10.1007/978-3-642-11145-7 6

Authors

Claude Carlet - Full professor, University of Paris 8, Paris, 93526, France, claude.carlet@gmail.com

Alla B. Levina - PhD, Associate Professor, ITMO University, Saint Petersburg, 197101, Russian Federation, levina@cit.ifmo.ru

Sergey V. Taranov - Assistant, ITMO University, Saint Petersburg, 197101, Russian Federation, serg.tvc@mail.ru

International Journal of Wavelets, Multiresolution and Information Processing, 2017, vol. 15, no. 2, pp. 1750014. doi: 10.1142/S021969131750014X

10. Levina A., Taranov S. Spline-wavelet robust code under nonuniform codeword distribution. Proc. 3rd Int. Conf. on Computer, Communication, Control and Information Technology, C3IT 2015. Hooghly, India, 2015, art. 7060125. doi: 10.1109/C3 IT.2015.7060125

11. Cramer R., Fehr S., Padro C. Algebraic manipulation detection codes. Science China Mathematics, 2013, vol. 56, no. 7, pp. 1349-1358. doi: 10.1007/s11425-013-4654-5

12. Nyberg K. Perfect non-linear s-boxes. Lecture Notes in Computer Science, 1992, vol. 547, pp. 378-386.

13. Kulikowski K.J., Karpovsky M.G., Taubin A. Robust codes and robust, fault-tolerant architectures of the advanced encryption standard. Journal of Systems Architecture, 2007, vol. 53, no. 2-3, pp. 139-149. doi: 10.1016/j. sysarc.2006.09.007

14. Karpovsky M.G., Kulikowski K.J., Wang Z. On-line self error detection with equal protection against all errors. International Journal of Highly Reliable Electronic System Design, 2008.

15. Karpovsky M.G., Wang Z. Design of strongly secure communication and computation channels by nonlinear error detecting codes. IEEE Transactions on Computers, 2014, vol. 63, no. 11, pp. 2716-2728. doi: 10.1109/TC.2013.146

16. Sunar B., Wang Z., Karpovsky M.G., Joshi A. Design of reliable and secure multipliers by multilinear arithmetic codes. Lecture Notes in Computer Science, 2009, vol. 5927, pp. 4762. doi: 10.1007/978-3-642-11145-7_6

Авторы

Карлет Клод - профессор, профессор, University of Paris 8,

Париж, 93526, Франция, claude.carlet@gmail.com

Левина Алла Борисовна - кандидат физико-математических

наук, доцент, Университет ИТМО, Санкт-Петербург, 197101,

Российская Федерация, levina@cit.ifmo.ru

Таранов Сергей Владимирович - ассистент, Университет

ИТМО, Санкт-Петербург, 197101, Российская Федерация,

serg.tvc@mail.ru