Cryptography Reference
In-Depth Information
to represent
k
-bit integers. While quantifying the error detection capability of
C
p
,
[156] makes the following uniformity assumption:
Assumption 11.1
The values of
x
โ Z
2
k
in
C
p
are uniformly distributed and each
value of
x
is equally likely.
Under this assumption, reference [156] provides the following bound on the error
masking equation which quantifies the error detection performance of the nonlinear
code
C
p
.
Theorem 11.3
2
โ
k
2
k
[156] For C
p
,
max
e
=
0
(
Q
(
e
))
=
ยท
max
(
4
,
โ
p
+
1
)
.
Our protection scheme is built on top of this coding structure. The main idea
is to encode the variables of the FSM using the nonlinear robust code
as
in Definition 11.6, and to use the error detection capability of this coding scheme
for fault detection. However, a direct implementation of this coding scheme for an
FSM would cause a serious security problem. Note that the specific error detection
technique proposed by Gaubatz et al. works under the uniformity assumption, which
states that all the codewords are observed with the same probability (Assumption
11.1). This is a valid assumption if the code is applied to an arithmetic structure
(such as an adder or a multiplier) where the inputs, and hence the outputs, tend to
be uniformly distributed. However, when the FSMs are involved, this assumption
becomes invalid because
(
n
,
k
)
1. depending on the FSM, some states may be visited more than others while the
device is in operation, and
2. the number of inputs and states in an FSM are usually relatively small over a
large domain.
Due to this nonuniform behavior, the security level provided by Theorem 11.3
does not apply if this nonlinear coding scheme is directly applied to an FSM. In this
case, the error detection probabilities of Theorem 11.3 will be much smaller because
the number of valid codewords (fault-free next-state values) determine the value of
M
in the error masking probability of (
11.1
).
If the whole state space is being used uniformly by the valid next-state values
(information carried by the code), then
=|
C
p
|
2
k
|
C
p
|=
as in this theorem. However, in
the nonuniform case of FSMs, the value of
t
, where
t
is the number of
states in the FSM. This alone dramatically increases the error masking probability
of the detection scheme when
t
|
C
p
|=
2
k
(Note that the security level provided by the
applied nonlinear code is directly proportional to the value of
k
. The error detection
probability of the scheme decreases as
k
gets smaller. As a result, for reasonable
security levels,
k
should be reasonably large. However, when this is the case, we
will have
t
2
k
because the number of states in an FSM is usually minimal). In
addition, if there are some states that are visited more than others, this will decrease
the effective value of
|
C
p
|
even further, and hence will also cause an increase in the
error masking probability.
Our solution to this problem is built around two innovative ideas:
