This application is directed to error detection and protection from side channel attacks with block cipher cryptographic algorithms.
A block cipher is a deterministic cryptographic algorithm that operates on fixed-length groups of bits, called blocks, with an unvarying transformation that is specified by a symmetric key. Block ciphers typically carry out encryption in multiple rounds, each of which uses a different subkey derived from the original key. A block cipher uses two paired algorithms, one for encryption and an inverse algorithm for decryption. Both algorithms accept two inputs: an input block of size n bits and a key of size k bits; and both yield an n-bit output block. For example, a block cipher encryption algorithm might take a 128-bit block of plaintext as input, and output a corresponding 128-bit block of ciphertext. The exact transformation is controlled using a second input, the secret key. Decryption is similar: the decryption algorithm takes, in this example, a 128-bit block of ciphertext together with the secret key, and yields the original 128-bit block of plaintext. Each key selects one permutation from the possible set of all permutations over the set of input blocks. Today, there is a palette of attack techniques against which a block cipher must be secure, in addition to being robust against brute force attacks. A multitude of modes of operation have been designed to allow block ciphers to be repeatedly and securely used, commonly to achieve the security goals of confidentiality and authenticity.
One example of a block cipher is the Advanced Encryption Standard (AES), a specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology (NIST) in 2001 which uses blocks of 2^7=128 bits. Other block ciphers include the Data Encryption Standard (DES), Triple DES, the International Data Encryption Algorithm (IDEA), RC5, and Blowfish. The AES has been adopted by the U.S. government and is now used worldwide. All known direct attacks on the AES are computationally infeasible. However, there are several known side-channel attacks on certain implementations of AES, which do not attack the underlying cipher, but rather attack implementations of the cipher on systems which inadvertently leak data. Power consumption, electro-magnetic radiation, execution time, and behavior in the presence of faults can all be used to drastically decrease the complexity of cryptanalysis. Mobile cryptographic devices such as smartcards and mobile computers are especially vulnerable since the physical hardware implementing the algorithms, and hence the side-channel information, is easily accessible. Side channel attacks can use information obtained from an incorrectly functioning implementation of an algorithm to derive the secret information. Incorrect operation can result from faults within a circuit which may be due to natural effects or may be maliciously induced.
The concept of non-probabilistic error detection codes for protecting data against adversarial error injection was introduced by Kulikowski, et al. (K. J. Kulikowski, M. G. Karpovsky, and A. Tubing, “Robust Codes and Robust, Fault Tolerant Architectures of the Advanced Encryption Standard”, J. of System Architecture, Vol. 53, pp. 138-149, 2007, the contents of which are herein incorporated by reference in their entirety), and that of probabilistic algebraic manipulation detection (AMD) codes was introduced by Cramer, et al. (R. Cramer, Y. Dodis, S. Fehr, C. Padro, and D. Wichs, “Detection of Algebraic Manipulation with Applications to Robust Secret Sharing and Fuzzy Extractors”, Cryptography ePrint Archive, Report 2008/030, 2008, the contents of which are herein incorporated by reference in their entirety). An AMD code can probabilistically encode a plaintext source string s from a set S as an element of a group G, with a unique decodability. In a case of an adversary intentionally flipping bits of data for revealing a secret of the AES, a technique known as intentional fault injection, AMD codes can detect a worst case bit-flipping error with high probability. Redundancy can be added to guarantee the detection of the worst-case error. Kulikowski et al. propose the use of weak AMD codes, in which security holds only for a random s∈S, rather than an arbitrary string, and which are derived from perfect nonlinear functions. However, Kulikowski et al. assume that the injected error is added (modulo 2) to the valuable data, and that the error checking is performed on x+e, where x is the original data, while the injected error e does not depend on the choice of x. This checking could require calculations on very large finite fields. Cramer et al. focus on the use of strong AMD codes from the evaluation of polynomials. However, the methods of Cramer et al. also require working in very large finite fields if a large number of bits need to be protected, even if the miss probability is modest.
For example, to protect 2^16 bits with a miss probability of 1%, calculations are performed in F2
Exemplary embodiments of the disclosure as described herein generally include systems and methods for the use of algebraic curves to reduce complexity and the required field size of AMD error detection codes with block cipher algorithms. Embodiments of the disclosure can efficiently provide protection to very large chunks of data, e.g. chunks larger than about 2^15 bits, which is 256 AES blocks, before the data is encrypted, where the allowed miss probability is of order 10^−2 to 10^−3. Embodiments of the disclosure can perform protection simultaneously on several block cipher blocks.
According to an aspect of the invention, there is provided a method for protecting data from algebraic manipulation, including receiving a data word s∈Fqd to be protected, wherein q is a prime power and Fqd is a vector space over the finite field Fq including vectors (x1, x2, . . . , xd) with xi∈Fq for all i∈{1, . . . , d}, fixing a basis {1, b1, . . . , bd} for a Riemann-Roch space L(mdQ) as an Fq-vector space, wherein Q is a distinct place of degree 1 of an algebraic function field F/Fq of one variable with full constant field Fq and with genus g and md is a pole number of Q, uniformly drawing an index i from a set In:={1, . . . , n}, and encoding s as (s, i, fs(Pi))∈Fqd×In×Fq, wherein fs(Pi) is defined as fs:=x[r(d)]+Σj=1dsjbj, wherein r(d):=min{j|∃x∈L(mjQ):∀σ∈Φ,σ≠id: σ(x)−x∈L(mjQ)\L(mdQ)}, Φ is a subgroup of AutD,Q(F/Fq):={σ∈Aut(F/Fq)|σ(Q)=Q and σ(D)=D}, Aut(F/Fq) is a group of automorphisms of F over Fq, D:=P1+ . . . +Pn wherein Q, P1, . . . , Pn are pairwise distinct places of F/Fq of degree 1, and x[r(d)] is an element of L(mr(d)Q) for which σ(x[r(d)])−x[r(d)]∈L(meQ)\L(mdQ) for all σ∈Φ, σ≠id, and for a minimum possible e≧d+1, wherein a received triple r:=(s̃, ĩ, ṽ)∈Fqd×In×Fq is valid iff ṽ=fs̃(Pĩ).
According to a further aspect of the invention, the method includes protecting the index i with a weak AMD code, wherein an error is detected in (s̃, ĩ, ṽ) by checking the index ĩ, and if the ĩ-check passes, checking whether ṽ=fs̃(Pĩ).
According to a further aspect of the invention, the weak AMD code is constructed from a perfect nonlinear function.
According to a further aspect of the invention, wherein q is a square and the number of places of degree 1 is qr for some integer r, the perfect non-linear function is constructed as (x1, . . . , x2r)↦x1x2+x3x4+ . . . +x2r−1x2r.
According to a further aspect of the invention, the method includes encoding the data word s using a block cipher.
According to a further aspect of the invention, the block cipher is selected from a group comprising AES, DES, Triple DES, IDEA, RC5, and Blowfish.
According to an aspect of the disclosure, there is provided a computer processor configured to execute a program of instructions to perform method steps for protecting encoded data from algebraic manipulation, the method including receiving a data word s∈Kd to be protected, where K is a finite field of q elements for a square prime power q and a predetermined d, randomly selecting two integers a∈{0, . . . , q−1} and b∈{0, . . . , √q−1}, finding a point (α, β) on a Hermitian curve over a field Fq that corresponds to the randomly selected integers (a, b) from a mapping (a, b)→(α, β)=(u^a, u^(a(√q+1))z+v^b), where
and z is a pre-selected element of the field Fq of unit trace, and where γ1 is a pre-selected fixed primitive element of the field Fq and γ2 is a pre-determined fixed element of the field Fq which is a primitive element of a field F√q⊂Fq, and calculating a sum fs(α, β)=αi
According to a further aspect of the disclosure, the Hermitian curve over Fq is defined by the set of point pairs {(α, β)∈Fq×Fq|β√q+β=α√q+1}, where √q=2^(m/2) is an integer for an even m.
According to a further aspect of the disclosure, the method includes calculating q and the dimension d based on a number u∈N* of information bits to be protected and a maximum allowed miss probability, 2^−κ, for κ∈N, where q and d satisfy log(qd)≧u.
According to a further aspect of the disclosure, calculating q and the dimension d includes initializing m=2κ, and if
setting
where q=2m.
According to a further aspect of the disclosure, if
the method includes incrementing m by 2 and repeating the step of setting
if
According to a further aspect of the disclosure, γ2=γ1^(√q+1), and z is determined by scanning γ1, γ1^2, . . . , until an element of unit trace is found, where an element of unit trace z satisfies z^√q+z=1.
According to a further aspect of the disclosure, the method includes finding a (d+1)-th pole number, md, of a place Q of F/Fq of degree 1, where a set of pole numbers of place Q is {i√q+j(√q+1)|i≧0, 0≦j≦√q−1}, where the exponents I1={(ik,jk)}k=1..d={(i,j)∈N×N|i+j<i*+j* and j≦√q−1}∪{(i,j)∈N×N|i+j=i*+j* and j≦j*} are a pre-calculated set of all pairs (i, j)∈N×N that correspond to pole numbers m1, m2, . . . , md, i*∈N, j*∈{0, . . . , √q−1} are unique integers such that md=i*√q+j*(√q+1) and exponents (id+1, jd+1) are pre-calculated from
According to a further aspect of the disclosure, if d≧g=(√q−1)√q/2, then the (d+1)-th pole number md is md=2g+(d−g)=d+g, and if d∈{0, . . . , g−1}, the method includes finding a largest positive integer l such that
where if
then md=i*√q+j*(√q+1) for i*=0 and j*=l−1, otherwise md=i*√q+j*(√q+1) for j*=d−l(l+1)/2∈{0, . . . , l≦√q−2} and i*=l−j*≧0.
According to a further aspect of the disclosure, the method includes encoding the data word s using a block cipher.
According to a further aspect of the disclosure, the block cipher may be selected from a group comprising AES, DES, Triple DES, IDEA, RC5, and Blowfish.
According to a further aspect of the disclosure, the computer processor is a hardware implementation that encodes the program of instructions to perform the method steps for protecting encoded data from algebraic manipulation.
According to a further aspect of the disclosure, the computer processor may be one of an application specific integrated circuit, or a field programmable gate array.
According to another aspect of the disclosure, there is provided a computer processor configured to encode and execute a program of instructions to perform the method steps for protecting encoded data from algebraic manipulations, the method including receiving a triple (s, (α, β), γ) that is an element of Fqd×Fq2×Fq, where s is an encoded data word, and q and d are predetermined constants, determining whether β√q+β=α√q+1, and if β√q+β=α√q+1, determining whether a sum fs(α, β)=γ, where fs(α, β)=αi
According to a further aspect of the disclosure, the method includes calculating q and the dimension d based on a number u∈N* of information bits being protected and a maximum allowed miss probability, 2^−κ, for κ∈N, where q and d satisfy log(qd)≧u.
According to a further aspect of the disclosure, calculating q and the dimension d includes initializing m=2κ, and if
setting
where q=2^m for even m.
According to a further aspect of the disclosure, if
the method further comprises incrementing m by 2 and repeating the step of setting
if
According to a further aspect of the disclosure, the method includes finding a (d+1)-th pole number, md, of a place Q of F/Fq of degree 1, where a set of pole numbers of place Q is {i√q+j(√q+1)|i≧0, 0≦j≦√q−1}, where the exponents I1={(ik,jk)}k=1..d={(i,j)∈N×N|i+j<i*+j* and j≦√q−1}∪{(i,j)∈N×N|i+j=i*+j* and j≦j*} are a pre-calculated set of all pairs (i, j)∈N×N corresponding to pole numbers m1, m2, . . . , md, and exponents (id+1, jd+1) are pre-calculated from
According to a further aspect of the disclosure, if d≧g=(√q−1)√q/2, then the (d+1)-th pole number md is md=2g+(d−g)=d+g, and if d∈{0, . . . , g−1}, the method further comprises finding a largest positive integer l such that
where if
then md=i*√q+j*(√q+1) for i*=0 and j*=l−1, otherwise md=i*√q+j*(√q+1) for j*=d−l(l+1)/2∈{0, . . . , l≦√q−2} and i*=l−j*≧0.
According to a further aspect of the disclosure, the data word s was encoded using a block cipher.
According to a further aspect of the disclosure, the block cipher may be selected from a group comprising AES, DES, Triple DES, IDEA, RC5, and Blowfish.
According to a further aspect of the disclosure, the computer processor is a hardware implementation that encodes the program of instructions to perform the method steps for protecting encoded data from algebraic manipulation.
According to a further aspect of the disclosure, the computer processor may be one of an application specific integrated circuit, or a field programmable gate array.
Exemplary embodiments of the invention as described herein generally provide systems and methods for the use of algebraic curves to reduce complexity and the required field size of AMD error detection codes with a block cipher cryptographic algorithm. While embodiments are susceptible to various modifications and alternative forms, specific embodiments thereof are shown by way of example in the drawings and will herein be described in detail. It should be understood, however, that there is no intent to limit the invention to the particular forms disclosed, but on the contrary, the invention is to cover all modifications, equivalents, and alternatives falling within the spirit and scope of the invention.
Algebraic manipulations may be defined as follows: suppose there is some data s to be protected with some redundancy r appended to s for detecting manipulations. The adversary is allowed to: (1) replace s by some s′ of his/her will, possibly depending on s; and (2) add some error Δ to r, where Δ may depend on s. Hence, the original data (s, r) is modified to be (s′, r+Δ). Note that it is assumed that r sits in some abelian group and the “+” in “r+Δ” is the addition of this group. Typically, the abelian group is just the underlying abelian group of F2n.
According to an embodiment of the disclosure, to protect data s∈Kd, where K is a finite field, one can select a random point P of an algebraic curve, where the point is represented by a tuple of elements from K, and calculate the parity bits
parity bits(s,P)=fd+1(P)+Σk=1dsk·fk(P),
where the fi, 1≦i≦d+1, are appropriately chosen rational, typically polynomial, functions that map curve points to elements of K. The overall protected word includes the data s, the index of point P, and the parity bits, in addition to index protection bits, as shown in
Upon receipt of a corrupted word, a receiver may first check for the integrity of the index using the index protection field. This check may amount to checking a standard weak AMD code, or could amount to checking if a pair is a point on a Hermitian curve, as will be described in detail below. If this check fails, an error may be declared; otherwise a second check may be performed. In the second check, the parity bits are compared:
parity bits(s′,P+Δ2)==(parity bits+Δ3)?
If these bits are not equal, an error may be declared, otherwise it may be determined that no error was injected.
Construction of AMD codes
Let q be a prime power and let F/Fq be an algebraic function field of one variable with full constant field Fq and with genus g. Let Q, P1, . . . , Pn be pairwise distinct places of F/Fq of degree 1, and write D:=P1+ . . . +Pn. Write
AutD,Q(F/Fq):={σ∈Aut(F/Fq)|σ(Q)=Q and σ(D)=D}
where Aut(F/Fq) is the group of automorphisms of F over Fq; the definition of AutD,Q says that the action of this group on the set of places of F/Fq fixes Q and permutes P1, . . . , Pn.
For a place R of F/Fq, one may write vR for the discrete valuation associated with R. For a divisor G of F/Fq, let L(G) be the Riemann-Roch space defined by L(G):={f∈F*|(f)+G≧0}∪{0}, where (f) represents the principal divisor of f. L(G) is a vector space over Fq, and by the Riemann-Roch theorem one has dim(L(G))≧deg(G)−g+1, with equality if deg(G)≧2g−1, where deg(G) is the degree of G.
Let m0:=0<m1<m2< . . . be the pole numbers of Q. So, for all i, L((mi−1)Q)⊊L(miQ). According to the Riemann-Roch theorem, starting from 2g, all integers are pole numbers, and there are exactly g gaps (integers that are not pole numbers) in {1, . . . , 2g−1}. In addition, for all x∈L(miQ)\L(mi−1Q) and all σ∈AutD,Q, σ(x) is also in L(miQ)\L(mi−1Q).
Let Φ⊂AutD,Q(F/Fq) be a subgroup. For d>1, the dimension of the information set, let
r(d):=min{j|∃x∈L(mjQ):∀σ∈Φ,σ≠id:σ(x)−x∈L(mjQ)\L(mdQ)} (1)
and let x[r(d)] be some element in L(mr(d)Q) for which σ(x[r(d)])−x[r(d)]∈L(meQ)\L(mdQ) for all σ∈Φ, σ≠id, and for the minimum possible e≧d+1, which will be known as e(d). Note that if Φ={id}, then there is no restriction on x[r(d)], and therefore x[r(d)] may be chosen freely, e.g., one may choose x[r(d)]=0.
It is implicit in the definition of r(d) that the set from which the minimum element in the right-hand side of EQ. (1) is taken is non-empty. For the Hermitian case, conditions for this to hold will be found in the following section. For the general case, where an arbitrary function field is used, note again that if Φ={id}, then the condition in EQ. (1) is always met, and hence one may always take x[r(d)]=0.
Before constructing the target AMD codes, one begins by constructing weaker codes, which may be referred to as pre-AMD codes. A flowchart of a method of encoding data using pre-AMD codes is presented in
fs:=x[r(d)]+Σj=1dsjbj.
A code according to an embodiment of the disclosure may be defined as follows. An index i is drawn uniformly from the set In:={1, . . . , n} at step 43, and the data word s is encoded as (s, i, fs(Pi))∈Fqd×In×Fq at step 44, where fs is defined as above. It may be assumed in some embodiments that an adversary knows s, but not i and fs(Pi). The allowed manipulations for this pre-AMD code are: (1) replace s by some s′∈Fqd, (2) add a constant in Fq to fs(Pi), and (3) apply to i a constant permutation π∈Sn that corresponds to the action of some σ∈Φ on {P1, . . . , Pn}. According to an embodiment of the disclosure, this may be known as a defined code Cd. A code according to an embodiment of the disclosure can protect against manipulations of type (1) and (2) for any choice of x[r(d)]. However, if an element x[r(d)] satisfies the above conditions imposed by Φ, then a code according to an embodiment of the disclosure can protect against the manipulations on the index part described by manipulations of type (3). So, a code according to an embodiment of the disclosure encodes log(qd) bits of information to obtain an encoded word of length log(qd)+log(n)+log(q)=log(nqd+1). Note here that all logs are to the base of 2, thus a base subscript will be omitted hereinbelow. A decoder according to an embodiment of the disclosure works as follows, with reference to the flowchart of
For the set of manipulations described above, the miss probability of the pre-AMD code Cd is not above me/n≦(e+g)/n, where e=e(d).
For simplicity and without loss of generality, it may be assumed that after drawing i, the encoding is of the form s↦(s, Pi, fs(Pi)). Note that specifying i in the second coordinate is like specifying Pi. For an arbitrary fixed s, it is desired to find an upper bound on the probability (over i) that an adversary succeeds, that is, that for s′≠s∈Fqd, some fixed Δ∈Fq and some fixed σ∈Φ, there is fs′(σ(Pi))=fs(Pi)+Δ. In detail, one would like to bound the number of possible choices of i for which
x[r(d)](σPi)−x[r(d)](Pi)+Σj=1ds′jbj(σPi)−Σj=1dsjbj(Pi)−Δ=0. (2)
If σ=id, then EQ. (2) becomes
(Σj=1d(s′j−sj)bj−Δ)(Pi)=0.
Because Σj=1d(s′j−sj)bj−Δ is a non-zero element of L(mdQ), as s≠s′, it has at most md<me zeros.
Otherwise, if σ is not the identity, then since for all u with vσP
x[r(d)](σPi)−x[r(d)](Pi)=(σ−1(x[r(d)])−x[r(d)])(Pi)=z(Pi) for some z∈L(meQ)\L(mdQ)
by the definition of x[r(d)] and e=e(d). Also,
Note that for all τ∈AutD,Q, all u∈F and all m∈N* (where N* is the set of positive integers), u∈L(mQ)⇔τu∈L(mQ). Since me>md, it follows from the strict triangle inequality that for all i, the left-hand side of EQ. (2) is of the form u(Pi) for some u∈L(meQ)\L(mdQ) that does not depend on i. Since the number of places Pi such that u(Pi)=0 is not greater than me, the proof is complete. ▪
Next, drop the restriction that the manipulations on the i part may only come from automorphisms of the function field. This will be done in detail for the Hermitian case in the following section.
In general, one can move from pre-AMD codes to AMD codes by adding protection on the index i. In one option according to an embodiment of the disclosure, Φ={id}, and so the protection should detect with high probability any constant additive error on the (typically binary) vector representing i. In another option according to an embodiment of the disclosure, Φ⊃{id}, and the protection is allowed to miss those additive errors that correspond to automorphisms from Φ. This option is used in the Hermitian case described below. In the first option according to an embodiment of the disclosure, Φ={id} and there are no restrictions on x[r(d)], and one may choose x[r(d)]=0, resulting in fs=Σj=1dsjbj. To replace and enhance the lost protection of the index part against the manipulations of type (3), embodiments of the disclosure may include an explicit protection on the index-field, in the form of a weak AMD code. The miss probability will then be at most max{δ, md/n≦(d+g)/n}, where δ is the probability of missing an error on i. Here, i is first checked, and if the check passes, fs(Pi) is checked. If the i-check fails, an error may be declared. If an adversary injects an error on i, then this error itself may already be detected with probability δ, regardless of the other errors. So, the i-check will be transparent if δ≦(d+g)/n. Because g/n is at least about 1/√q, it is enough to assure that δ is not above about 1/√q. In general, this can be achieved by using a perfect non-linear function with codomain F√q. So, for a fixed q, even if n grows to infinity using an optimal tower of function fields, the redundancy required for protecting i does not grow. Note also that if q is a square and the number of places of degree 1 is qr for some integer r, then there is a very simple way to construct a perfect non-linear function: take (x1, . . . , x2r)↦x1x2+x3x4+ . . . +x2r−1x2r.
The construction of the codes according to embodiments of the current disclosure can also be described in terms of error-correcting codes. Let C⊂Fqn be a code with |C|=qk for some k≦n, and let c:Fqk→C be a bijection (an encoding function). A permutation σ∈Sn, where Sn is the symmetric group on n letters, may be called a quasi-automorphism of C if for all u∈C there exists u′∈C and a constant vector d=(Δ, . . . , Δ)∈Fqn such that σu=u′+d, where σu:=(uσ(1), . . . , uσ(n)).
Suppose that the set of indices I:={1, . . . , n} of C is embedded in some abelian group A via an injective function t:I→A (it is not required that the image of I is a subgroup of A), so that one may think of the indices as elements of A. For simplicity, consider I as a subset of A, without explicit reference to the injection t.
Given a message s∈Fqk, an index i∈I may be chosen at random, and the encoded message may be defined to be the triple (s, i, [c(s)]i), where for a vector v, [v]i represents the i-th coordinate of v. Decoding works as follows: given a triple (s′, a, y)∈Fqk×A×Fq, one first checks whether a∈I (this check is only necessary if I is a proper subset of A), and then, if this check succeeds, one checks whether y=[c(s′)]a. The message is declared valid if and only if the two tests are successful.
The need to effectively cope with injected errors of the form (s, i, [c(s)]i)→(s′,i+Δ2, [c(s)]i+Δ3), where s′∈Fqk,Δ2∈A, Δ3∈Fq, and s′, Δ2, Δ3 are allowed to depend on s, imposes some constraints on the possible codes C to be used:
The construction of the AMD codes according to embodiments of the current disclosure may also be described as follows. The algebraic-geometry codes CL (P1+ . . . +Pn, md Q) (as defined, e.g., in Definition II.2.1, p. 42-43 of H. Stichtenoth, Algebraic Function Fields and Codes, Springer Universitext, 1993, the contents of which are herein incorporated by reference in their entirety) are useful because these codes have a large minimum Hamming distance. However, without some changes, these codes do not meet conditions 1 and 2 above. So, to meet condition 1, use a subcode spanned by non-constant functions: starting with the basis {1, b1, . . . , bd} of L(mdQ), keep only the non-constant functions {b1, . . . , bd}. To meet condition 2, use an appropriate coset, C: the coset containing the evaluation of x[r(d)].
True AMD Codes from the Hermitian Function Field
For a square prime power q, a Hermitian function field H/Fq is defined as H=Fq(x, y) with x transcendental over Fq and with x and y satisfying y√q+y=x√q+1. There is only one Hermitian function field over Fq, up to isomorphism. The Hermitian function field has q√q+1 places of degree one: the common pole Q of x and y, and for each (α, β)∈Fq×Fq with β√q+β=α√q+1, there is a unique place Pα,β of H of degree one such that x(Pα,β)=α and y(Pα,β)=β. Also, vQ(x)=−√q, vQ(y)=−(√q+1), and for all m∈N, the set
{xiyj|i≧0, 0≦j≦√q−1, i√q+j(√q+1)≦m}
is a basis for L(mQ). Hence, the set (semigroup) {i√q+j(√q+1)|i≧0, 0≦j≦√q−1} of pole numbers of Q can be described as the set of non-negative integers r with └r/√q┘≧r mod √q (write i√q+j(√q+1)=(i+j)√q+j). So: 0, (√q, √q+1), (2√q, 2√q+1, 2√q+2), . . . . The genus of H/Fq is g=√q(√q−1)/2.
Define the Hermitian curve over Fq as the point set {(α,β)∈Fq×Fq|β√q+β=α√q+1}.
The automorphism group AutΣP
τε(x)=εx and τε(y)=ε√q+1y for all ε∈Fq*, and σδ,μ(x)=x+δ and σδ,μ(y)=y+δ√qx+μ, for all (δ,μ) on the Hermitian curve.
For a construction according to an embodiment of the disclosure, take all places of degree one other than Q as the Pi, so that n=q√q. Note that the point set of the Hermitian curve can be thought of as an index set for the places Pα,β of degree one, replacing the previous index set I.
In addition, take the subgroup Φ⊂AutΣP
To continue, the following issues should be considered.
1. For all d, determine r(d) and e(d), and explicitly describe x[r(d)].
2. Move from pre-AMD codes to AMD codes, which provide protection against all additive manipulations on the index part i.
The next proposition and its corollary address the first point.
Let j∈{1, . . . , √q−1}, and suppose that p:=char(Fq) does not divide j. Then for all integers i≧0 and for all σ∈Φ, σ≠id, one has
−vQ(σ(xiyj)−xiyj)=−vQ(xiyj)−√q−1.
Proof. For μ≠0 with μ√q+μ=0, the action of a general automorphism σ0,μ∈Φ, σ0,μ≠id, on xiyj is described by
Subtracting xiyj, one gets jμxiyj−1+lower order terms. Since j, μ≠0 by assumption, the proof is complete by the strict triangle inequality. ▪
Let d∈N*, and write md=i*√q+j*(√q+1) for i*≧0 and for 0≦j*≦√q−1. Then,
1. If p∤j*, define i(d):=i*+2 and j(d):=j*, so that −vQ(xi(d)yj(d))=md+2√q. Then, by Proposition 2, for all σ∈Φ, σ≠id, one has
−vQ(σ(xi(d)yj(d))−xi(d)yj(d))=md+2√q−√q−1=md+√q−1.
By definition, the last number is some pole number me′(d), with d+1≦e′(d)≦d+√q−1. Then the results of Theorem 1 will hold if x[r(d)] is replaced by xi(d)yj(d) and e(d) is replaced by e′(d).
2. If p|j*, so that j*≠√q−1, take i(d):=i*+1 and j(d):=j*+1, so that p∤j(d). It then follows from Proposition 2 that for all σ∈Φ, σ≠id, one has
−vQ(σ(xi(d)yj(d))−xi(d)yj(d))=md+2√q+1−√q−1=md+√q.
Again, the last number is some pole number me′(d), now with d+1≦e′(d)≦d+√q, and the results of Theorem 1 hold if x[r(d)] is replaced by xi(d)yj(d) and e(d) is replaced by e′(d).
So, in any case, the bound on the miss probability in Theorem 1 holds if me is replaced by md+√q or e(d) by d+√q.
The second issue concerns modifying the pre-AMD codes of the previous section to become true AMD codes. According to an embodiment of the disclosure, this issue can be handled in the following way. Given the information s∈Fqd, draw some (α,β) on the Hermitian curve and map s to (s, (α,β), fs(Pα,β)). The resulting code may be known as CdH.
At a first glance, a Hermitian encoding procedure according to an embodiment of the disclosure looks like an encoding according to an embodiment of the disclosure from the previous section, but there is a subtle difference: Instead of using the minimum required log(q√q) bits (the logarithm of the number of curve points) for storing the index from the curve, a full pair (α, β) is used, requiring log(q2) bits. This extra redundancy moves from a pre-AMD code to an AMD code according to an embodiment of the disclosure.
According to an embodiment of the invention, the decoding can work as follows: For a vector r:=(s̃, (α̃, β̃), γ)∈Fqd×Fq2×Fq to be checked, the following two steps may be performed:
Curve Test Step:
Check whether (α̃, β̃) lies on the Hermitian curve, that is, check whether β̃√q+β̃=α̃√q+1. If (α̃, β̃) does not lie on the curve, declare that the vector r is illegal, meaning an adversary modified the original stored value. Otherwise, continue to the following step.
Error Detection Step:
Check whether fs̃(Pα̃,β̃)=γ, that is, check whether substituting (α̃, β̃) in xi(d)yj(d)+Σk s̃kbk gives γ, where the bk are of the form xi
Before proceeding, the action of AutΣP
It is desired to find a point (α̃, β̃) on the curve such that σ−1Pα,β=Pα̃,β̃. Such α̃, β̃ exist by the definition of AutΣP
This means that the affine functions that take (x, y) to (σ(x), σ(y)) may also be used to take (α,β) to ({tilde over (α)},{tilde over (β)}):
α̃=εα+δ, β̃=ε√q+1β+ε√qα+μ.
As described above, the encoding of CdH appends to an arbitrary message s∈Fqd a random redundancy part in Fq2×Fq.
For any replacement of the message part and for any additive error on the redundancy part of the output of the encoder of CdH, the probability δ of miss-detecting the error is bounded by
In particular, the code CdH is a (qd, qd+3, δ)-AMD code over Fq, with
In particular, if d≧g=q/2−√q/2, then
The encoded word is of the form (s, (α,β), fs(Pα,β)), where s∈Fqd is the information, and (α,β) is drawn uniformly from the Hermitian curve. Suppose an adversary transforms this encoded word into the corrupted word r:=(s′, (α+Δ1, β+Δ2), fs(Pα,β)+Δ3) for some s′∈Fqd, s′≠s, and some Δ1, Δ2, Δ3∈Fq. Two cases may be distinguished.
Case 1: Δ1≠0. In this case, the probability that r passes the Curve Test Step is exactly 1/√q. To show this, show that for all Δ1, Δ2∈Fq with Δ1≠0,
Now, the last equation can be written as
Tr(Δ1√qα)=Tr(Δ2)−N(Δ1), (8)
where
is the trace map and
is the norm map. Since the trace is an onto F√q-linear map Fq→F√q, there are exactly √q choices for Δ1√qα for which EQ. (8) is satisfied. Since Δ1≠0, this means that there are √q values of α satisfying EQ. (8). For each of these choices of α, all √q choices of β∈Fq for which Tr(β)=N(α) can be used in a pair (α, β) satisfying EQ. (6), as there is no constraint on β in EQ. (7).
Thus, there are q pairs (α,β)∈ that are shifted by (Δ1, Δ2) to another point of , as desired.
Case 2: Δ1=0. Substituting Δ1=0 in EQ. (7), one obtains
∀(α,β)∈ : (α+0, β+Δ2)∈  ⟺ (0, Δ2)∈ .
This means that if (0, Δ2)∉, then the miss probability is 0, since the Curve Test Step will not pass for all choices of (α,β)∈. Otherwise, if (0, Δ2)∈, then an adversary is in fact applying an automorphism from Φ on the places of degree 1, and therefore the bound δ≦(e(d)+g/n) from Theorem 1 may be used. Substituting e(d)≦d+√q (Corollary 3) completes the proof. ▪
Suppose one would like to protect u=2^20 information bits with a miss probability of no more than 2^{−κ} for κ=10. That is, the miss probability should not exceed about 10^{−3}. The code of Cramer et al. requires working in F2
The parameters of a code C_d^H according to an embodiment of the disclosure can now be found. Writing q=2^m for m even, the requirements are:
1. Information size: and md≧u=2^20
2. Probability of miss:
The minimum d satisfying EQ. (9) is d=┌2^20/20┐=52429. So, for the choice of m=20 and d=52429, all conditions are satisfied, and so one may get a code with the required parameters using 3m=60 bits of redundancy while working in the field F2
A detailed description of the operations for working with Hermitian AMD codes follows below. For simplicity, the case of characteristic 2 will be considered, as the other cases are similar as will be apparent to those of skill in the art. First, a high level description of the offline stages is provided.
Offline stage 1: The size q=2^m, for even m, of the finite field and the dimension d are calculated based on the number u∈N* of bits to be protected and the maximum allowed miss probability, 2^{−κ}, for κ∈N. The q and d calculated in this stage satisfy log(q^d)≧u, and so one may think of information vectors, originally vectors in F_2^u, as vectors in F_q^d.
Offline stage 2: Recall that encoding includes drawing a random point from the Hermitian curve over Fq, defined by
= {(α,β)∈F_q×F_q | β^{√q}+β = α^{√q+1}},
where m is even, and therefore √q=2^{m/2} is an integer. This curve has q√q points, and it is not possible to store the whole curve. In the second offline stage, one stores the appropriate constants needed for efficiently producing the i-th curve point given a random index i∈{0, . . . , q√q−1}.
Offline stage 3: In later online stages, given the information vector s∈F_q^d and a point (α, β)∈, a sum is calculated of the form
f_s(α,β) = α^{i_{d+1}} β^{j_{d+1}} + Σ_{k=1}^{d} s_k α^{i_k} β^{j_k}, (10)
for an appropriate set I={(i_k,j_k)}_{k=1}^{d+1} of d+1 pairs of integers. The entire set of pairs I may be specified by a relatively small set of integers, and this small set may be calculated and stored in the third offline stage.
As discussed in the example above, the parameters m and d should satisfy the following constraints, where u is the number of information bits to be protected, and the maximum allowed miss probability is 2^{−κ}:
1. Information size: md≧u, that is, d≧u/m.
2. Probability of miss:
m≧2κ and u/m≦d≦2^{3m/2−κ}−2^{m−1}−2^{m/2−1}. (11)
Write L(m):=u/m and U(m):=2^{3m/2−κ}−2^{m−1}−2^{m/2−1}. According to an embodiment of the disclosure, to work in a smallest possible finite field, and, for this finite field, to work with a smallest possible d, one can find m and d as follows:
1. Set m:=2κ.
2. If ┌L(m)┐≦U(m), set d:=┌L(m)┐ and output m and d. Otherwise, increase m by 2, since m is even, and repeat this step.
Note that an algorithm according to an embodiment of the disclosure will halt after a finite number of steps, because U(m) increases exponentially with m and L(m) decreases with m.
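The parameter search of Offline stage 1, written out as an added example (not code from the application): it evaluates L(m)=u/m and U(m) from constraints (11) and returns the smallest even m≧2κ together with the matching d. The function names are my own.

```python
# Offline stage 1: pick the field size m (q = 2^m, m even) and the dimension d
# from u, the number of bits to protect, and kappa, the miss-probability exponent.
# Added example implementing constraints (11); not the application's own code.

def upper_d(m, kappa):
    """U(m) = 2^(3m/2 - kappa) - 2^(m-1) - 2^(m/2 - 1): the largest admissible d for even m."""
    return 2 ** (3 * m // 2 - kappa) - 2 ** (m - 1) - 2 ** (m // 2 - 1)

def lower_d(u, m):
    """ceil(L(m)) = ceil(u/m): the smallest d with m*d >= u (integer arithmetic, no floats)."""
    return -(-u // m)

def choose_parameters(u, kappa):
    """Smallest even m >= 2*kappa with ceil(L(m)) <= U(m); returns (m, d)."""
    m = 2 * kappa          # the miss probability is at least 1/sqrt(q) = 2^(-m/2), so m >= 2*kappa
    while lower_d(u, m) > upper_d(m, kappa):
        m += 2             # keep m even so that sqrt(q) = 2^(m/2) is an integer
    return m, lower_d(u, m)

def redundancy_bits(m):
    """The encoder appends (alpha, beta) in F_q x F_q and f_s in F_q: three field elements, 3m bits."""
    return 3 * m
```

For the worked example above (u=2^20, κ=10) this yields m=20, d=52429 and 60 redundancy bits; for u=2^25 the first candidate m=20 fails the upper bound and the search moves on to m=22.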
In this stage, enough information is stored to support an efficient online mapping of a pair (a, b) of integers a∈{0, . . . , q−1} and b∈{0, . . . , √q−1} to a point of . More precisely, one would like to store enough constants to support an efficient online computation of a bijection {0, . . . , q−1}×{0, . . . , √q−1}→ .
Recall that the Hermitian curve consists of all pairs (α, β)∈F_q×F_q that satisfy β^{√q}+β=α^{√q+1}. Now, because β↦β^{√q}+β is a surjective (onto) F_√q-linear map F_q→F_√q, namely the trace map, and because α^{√q+1}∈F_√q for all α∈F_q, for each fixed α∈F_q there are exactly √q choices of β∈F_q such that (α, β) lies on the curve. Moreover, if a single β*∈F_q is found such that (α, β*) lies on the curve for a fixed α, then the set of all β fitting α is β*+F_√q, because the kernel of the above trace map in characteristic 2 is F_√q.
Now, it can be verified by substitution that if z∈F_q is an element of unit trace, that is, z^{√q}+z=1, then a possible choice for β* is β*=β*(α)=α^{√q+1}z. So, in the current offline stage according to an embodiment of the disclosure, the following constants will be stored:
For future reference, a bijection h: {0, . . . , q−1}×{0, . . . , √q−1}→ according to an embodiment of the disclosure may be described as follows:
First, for a∈{0, . . . , q−1}, define
so that F_q={u_0, . . . , u_{q−1}}. Similarly, for b∈{0, . . . , √q−1}, define
so that F_√q={v_0, . . . , v_{√q−1}}. Now a bijection h according to an embodiment of the disclosure is given by
h(a,b)=(u_a, u_a^{√q+1}z+v_b), (12)
where β*(u_a)=u_a^{√q+1}z.
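The bijection h of EQ. (12), and the two cases of the proof above (a shift with Δ1≠0 keeps exactly q curve points on the curve; a shift with Δ1=0 keeps all or none), as an added example that is not the application's own code. It uses the small field GF(16) (m=4, √q=4) with the reduction polynomial x^4+x+1, which is a constructed choice; the text does not fix a polynomial, and u_a is taken to be the field element whose bit pattern is the integer a.

```python
# Offline stage 2 / EQ. (12): enumerate the Hermitian curve over GF(2^m), m even,
# via h(a, b) = (u_a, u_a^(sqrt(q)+1) z + v_b). Added example; GF(16) with the
# polynomial x^4 + x + 1 is a constructed choice (the text fixes no polynomial).
M = 4                       # m (even)
Q = 1 << M                  # q = 2^m = 16
SQ = 1 << (M // 2)          # sqrt(q) = 4
POLY = 0b10011              # x^4 + x + 1, irreducible over GF(2)

def gf_mul(a, b):
    """Carry-less multiplication reduced modulo POLY (GF(q) product)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & Q:
            a ^= POLY
    return r

def gf_pow(a, e):
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a, e = gf_mul(a, a), e >> 1
    return r

def trace(x):               # Tr: GF(q) -> GF(sqrt q), x -> x^sqrt(q) + x (char. 2: + is XOR)
    return gf_pow(x, SQ) ^ x
def norm(x):                # N: GF(q) -> GF(sqrt q), x -> x^(sqrt(q)+1)
    return gf_pow(x, SQ + 1)
def on_curve(alpha, beta):  # beta^sqrt(q) + beta = alpha^(sqrt(q)+1)
    return trace(beta) == norm(alpha)

SUBFIELD = [x for x in range(Q) if gf_pow(x, SQ) == x]   # F_sqrt(q) = fixed points of x -> x^sqrt(q), as v_0..v_{sqrt(q)-1}
Z = next(x for x in range(Q) if trace(x) == 1)             # unit-trace element: z^sqrt(q) + z = 1

def h(a, b):
    """EQ. (12): u_a is the field element with bit pattern a (constructed indexing)."""
    return a, gf_mul(norm(a), Z) ^ SUBFIELD[b]

def all_points():
    return {h(a, b) for a in range(Q) for b in range(SQ)}

def shift_survivors(d1, d2):
    """Curve points that remain on the curve after an adversary adds (d1, d2) to (alpha, beta)."""
    return sum(1 for al, be in all_points() if on_curve(al ^ d1, be ^ d2))
```

With these constants all q√q=64 pairs produced by h are distinct curve points; shift_survivors returns q for any Δ1≠0, and for Δ1=0 returns 64 when Δ2∈F_√q and 0 otherwise, matching the two cases of the proof.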
In this stage enough information is stored to reproduce the exponents for calculating EQ. (10). For this, one first finds the (d+1)-th pole number, m_d, of the place Q defined above. Here, the set W of pole numbers, which is the Weierstrass semigroup of the place Q, is {i√q+j(√q+1) | i≧0, 0≦j≦√q−1}. Writing an integer of the form i√q+j(√q+1) as (i+j)√q+j, it may be seen that W is the set of integers k with ⌊k/√q⌋≧k mod √q:
0, (√q, √q+1), (2√q, 2√q+1, 2√q+2), . . . .
Note that starting from (√q−1)√q, there are no gaps. So, m0=0, m1=√q, etc.
Recalling that genus g=(√q−1)√q/2, note that starting from 2g, there are no gaps, while in the range 0, . . . , 2g−1, there are exactly g gaps and g pole numbers. This follows from the general Weierstrass Gap Theorem, or, for the current Hermitian case, by noting that the number of pole numbers is 1+2+ . . . +(√q−1)=g.
This means that if d≧g, then the (d+1)-th pole number m_d is given by m_d=2g+(d−g)=d+g, because starting from m_g=2g, each number is a pole number. Writing d+g=a√q+j* for an integer a≧0 (actually, a≧√q−1 in this case) and 0≦j*≦√q−1, then m_d=i*√q+j*(√q+1) for i*:=a−j*≧0.
Now, if d∈{0, . . . , g−1}, one needs to find in which “chunk” m_d sits. For this, a largest positive integer l may be found such that 1+2+ . . . +l≦d+1, that is, such that
Write l* for the maximal such l, which may be found by solving a quadratic equation. If l* satisfies EQ. (13) with equality, then m_d=(l*−1)√q+l*−1=i*√q+j*(√q+1) for i*=0 and j*=l*−1. Otherwise, setting j*:=d−l*(l*+1)/2∈{0, . . . , l*}, where l*≦√q−2, and i*=l*−j*≧0, then m_d=i*√q+j*(√q+1).
The set of exponents I_1:={(i_k,j_k)}_{k=1}^d for the rightmost sum of EQ. (10) is the set of all pairs (i, j)∈N×N corresponding to all pole numbers m_1, m_2, . . . , m_d, where m_0 is excluded, that is, the set of all pairs (i, j)∈N×N with j≦√q−1 such that some pole number m_a with 1≦a≦d can be written as i√q+j(√q+1). Thus, according to an embodiment of the disclosure,
I_1={(i,j)∈N×N | i+j<i*+j* and j≦√q−1} ∪ {(i,j)∈N×N | i+j=i*+j* and j≦j*}
Graphically, in the ij plane, I_1 comprises diagonal lines of slope −45 degrees with a constant sum i+j bounded from the left by the vertical line i=0, from above by the line j=√q−1, and from below by the line j=0. On the rightmost diagonal line that corresponds to i+j=i*+j*, typically only a subset of the points are included, defined by the upper limit j≦j*, while all other lines are only restricted by the vertical line i=0 from the left and the horizontal lines j=0 and j=√q−1 from below and from above, respectively. According to an embodiment of the disclosure, for defining h, it is enough to store i* and j*, assuming that √q is known.
Until this point only the rightmost sum in EQ. (10) has been considered. It remains to consider the pair of exponents (id+1, jd+1) appearing in the right-hand side of EQ. (10). Note that this pair does not necessarily correspond to md+1. Using Corollary 3, above, (id+1, jd+1) can be calculated as follows:
Note that in the second case, j* is strictly smaller than √q−1. The calculated pair (id+1, jd+1) may be stored.
Step 61: For drawing a random point P from , draw two integers a∈{0, . . . , q−1} and b∈{0, . . . , √q−1}. Equivalently, draw a single integer from {0, . . . q√q−1} and perform the appropriate mod and floor operations.
Step 62: Use the stored information from Offline Stage 2 to find a corresponding point (α, β)∈ using EQ. (12).
Step 63: Calculate the sum fs(α, β) from EQ. (10), using the information from Offline Stage 3 for producing the appropriate power pairs (ik, jk).
Step 64: Output as the encoded word the triple (s, (α, β), fs(α, β)).
As an example, consider an AES encryption block that works on sectors of 2^15 bits. The encryption block divides the sector internally into chunks of 128 bits and performs encryption, and the encrypted output is released sector by sector. In a side channel attack, an adversary injects errors during the encryption process and uses the faulty outputs to retrieve the secret key. Protecting internal AES blocks is relatively simple, except that a fault can be injected between checks. For example, if check i checks the i-th round of AES, in which parity is calculated before the round and then checked after the round, then a fault can be injected between the parity check of round i and the parity calculation of round i+1. On the other hand, error injection can be checked externally, at the sector level. If a fault is injected before the parity calculation, then the wrong data will be encrypted, but there will be no faulty states during encryption, so that the secret key cannot be retrieved. In such an application, it is reasonable to allow a rather modest miss probability of about 0.1-1% on the entire sector, especially since it is possible to disable encryption if a pre-defined number of faults, or a pre-defined fault rate, is detected.
One solution is to decrypt the encrypted sector and compare it to the input plaintext. The encrypted sector is revealed only if the plaintext=decrypt(encrypt(plaintext)). This probably has a very low miss probability, but requires storing the entire plaintext sector for comparison.
However, a solution with reduced storage is to use an embodiment of the disclosure to perform error detection with AMD codes. The redundancy bits of the Hermitian AMD code are calculated for the plaintext sector, and only the redundancy bits are stored, which is typically a couple of tens of bits. Then, encrypt, decrypt, and AMD-check the following vector: [decrypt(encrypt(plaintext)), redundancy bits].
It is to be understood that embodiments of the present disclosure can be implemented in various forms of hardware, software, firmware, special purpose processes, or a combination thereof. In one embodiment, the present disclosure can be implemented in hardware as an application-specific integrated circuit (ASIC), or as a field programmable gate array (FPGA). In another embodiment, the present disclosure can be implemented in software as an application program tangibly embodied on a computer readable program storage device. The application program can be uploaded to, and executed by, a machine comprising any suitable architecture.
The computer system 71 also includes an operating system and micro instruction code. The various processes and functions described herein can either be part of the micro instruction code or part of the application program (or combination thereof) which is executed via the operating system. In addition, various other peripheral devices can be connected to the computer platform such as an additional data storage device and a printing device.
It is to be further understood that, because some of the constituent system components and method steps depicted in the accompanying figures can be implemented in software, the actual connections between the systems components (or the process steps) may differ depending upon the manner in which the present invention is programmed. Given the teachings of the present invention provided herein, one of ordinary skill in the related art will be able to contemplate these and similar implementations or configurations of the present invention.
While the present invention has been described in detail with reference to exemplary embodiments, those skilled in the art will appreciate that various modifications and substitutions can be made thereto without departing from the spirit and scope of the invention as set forth in the appended claims.