Cryptography Reference
In-Depth Information
that
sr
-bit multipliers and
s
1
r
-bit component-wise additions. Assuming an
r
-bit
multiplier requires
r
2
two-input gates, the encoder for the systematic quadratic code
can be implemented with
sr
2
−
two-input gates.
As a trade off between robustness and the hardware overhead for computational
devices, partially robust codes were introduced in [216]. These codes combine lin-
ear and nonlinear mappings to decrease the hardware overhead associated with the
generation of check bits by the predictor. The encoding of systematic partially robust
code is performed first by using a linear function to compute the redundant
r
check
bits, followed by a nonlinear transformation. The use of the linear code as the first
step in the encoding process typically results in hardware savings in the encode or
predictor since the nonlinear function only needs to be computed based on the
r
-bit
output of the linear block. The application of the nonlinear transformation reduces
the number of undetectable errors, thus increasing the robustness of the linear codes.
+
r
(
s
−
1
)
2
r
2
r
:
(
)
→
(
)
Construction 11.3
(Partially Robust Codes [245])
Let f
GF
GF
be
2
k
2
r
a nonlinear function with P
f
<
1
and let P
:
GF
(
)
→
GF
(
),
r
≤
k, be a
form a code with
2
k
−
r
linear onto function. The set of words in the form
(
x
,
f
(
P
(
x
))
undetectable errors.
For partially robust codes described in Construction 11.3, the number of unde-
tectable errors is reduced from 2
k
to 2
k
−
r
compared to the linear code with the same
redundancy. Partially robust codes with
k
32 have been used in [211]
for the design of private key security devices on AES resistant to fault injection
attacks. Implementation of this approach resulted in about 80 % hardware overhead.
=
128 and
r
=
11.5.2 Variants of Robust and Partially Robust Codes
A possible variant of traditional robust codes is from including a minimum distance
into the design criteria. Let
denote the multiplicity of an error
e
(the number of 1s
in
e
). A robust code where the
Q
e
(
e
)
=
0 for all errors with
e
<
d
is a
d
-minimum
distance robust code.
Minimum distance robust codes are fully robust codes but also have minimum dis-
tance larger than 1. Since these codes are robust they have no undetectable errors and
the worst case error masking probability is upper-bounded and predictable. More-
over, they also provide a guaranteed 100 % probability of detection for errors with
small multiplicities. Such codes can be useful for providing the highest protection
against the most likely or most dangerous threat while maintaining a detection guar-
antee in the case of an unexpected behavior or attack. Moreover, minimum distance
robust or partially robust codes with Hamming distance at least 3 can be used for not
only error detection but also for error correction [241]. For constructions of minimum
distance robust and partially robust codes and for applications of these codes to the
design of secure cryptographic devices and reliable memory architectures, please
refer to [245, 414, 415].
