Patent Grant
10725936
The invention relates to a data processing system and a method for protecting the data stored in a data memory against an undetected change.
In safety-related applications, it is common practice to use variables in coded form so that they can be protected against errors and undetected modification. During an arithmetic coding process, a functional variable x is expanded by different check bits that enable specific errors that have occurred to be detected. An extended form of arithmetic coding is the ANBD encoding scheme. In ANBD encoding, an uncoded functional variable x is converted via an input constant A, a variable-specific input signature Bx and a timestamp D into a coded variable xc.
xc=A*x+Bx+D Eq. 1
The input constant A enables errors in the value range to be detected. The use of a variable-specific input signature Bx enables operand and operator errors to be detected. The use of a timestamp D enables an unperformed update of the variable to be detected.
In the application, the coded variable xc is used throughout in this case, because a decoding of the variable into the uncoded form x would lead to the loss of the error information present in the coded variable xc. In order to perform computational operations with a coded variable xc, it is necessary to use coded operators that include not only the functional part x, but also the associated check bits in the operation.
EP 3 104 276 A1 describes a method that enables an AND-encoded variable xc to be recoded into an A′NB′D′-encoded variable xc′, i.e., the check bits A, B and D to be replaced by the check bits A′, B′ and D′, without at the same time decoding the coded variable in one of the intermediate steps.
A disadvantageous aspect of ANBD encoding is that realizing floating-point arithmetic in this encoding scheme is very complicated and time-consuming. Thus, in accordance with the present state of the art, floating-point numbers (also known, inter alia, as reals or floats) are not processed explicitly as a data type in purely software-based safety-related applications. In accordance with the present state of the art, a particular solution approach in integer arithmetic (also known, inter alia, as integers) must be found for each requirement. In safety-related applications, it should be noted in this regard that it is not the mean but the maximum error of a calculation that is relevant. For this reason, the property of floating-point arithmetic, i.e., a value is always calculated with maximum precision, is not relevant in safety-related applications, but leads in ANBD-encoded processing of the data type to a computing time that is orders of magnitude longer than the computing time elapsing in the case of uncoded processing. Using a fixed-point arithmetic is not an alternative, because it does not allow the desired precision, in particular for more complex processing operations.
It is therefore an object of the invention to provide a representation of the data that allows a comparable application flexibility to floating-point arithmetic but requires fewer computing steps.
This and other objects and advantages are achieved in accordance with the invention by a method for protecting data in a data memory against an undetected change. A modification of the data can therefore be detected via the method. In this case, a functional variable x is encoded via a value valuex, an input constant A, an input signature Bx and a timestamp D into a coded variable xc in accordance with the following relationship:
xc:=valuex*A+Bx+D. Eq. 2
The method is characterized in that the functional variable x is normalized relative to a base Basex to form the integer value valueX from the functional variable x. In other words, a functional variable x is converted into an ANBD-encoded variable xc, where the functional variable is normalized to a base Basex. This means that the functional variable x is represented within the coded variable xc as valuex, which is an integer multiple of the base BaseX. The base BaseX is therefore the unit in which the functional variable x is represented. Accordingly, a functional variable x present as a floating-point number is reproduced in the coded variable as a functional component via an integer valuex. The advantage resulting from this is that operations relating to the functional variable x may be performed in integer arithmetic. In this way, the maximum error in operations and the required computational overhead are reduced in comparison with floating-point arithmetic. At the same time, the flexibility is not limited with respect to the value range compared to the floating-point representation. The calculations are therefore performed with a higher degree of precision in the intermediate results and a subsequent rounding. As a result of the method, the duration of a coded processing operation is increased by a factor compared to uncoded processing. This factor lies significantly below the several orders of magnitude by which the duration increases when using coded floating-point numbers compared to uncoded processing.
In an embodiment of the method, the functional variable x is encoded during a compilation operation to yield the coded variable xc. In other words, the functional variable x is encoded during the binary number generation, for example in the compiler, into the coded variable xc. The encoding and in particular the normalization to a fixed base are therefore already performed at the time of the code generation. The advantage resulting from this is that the computing time can be reduced during the execution of the program because it is no longer necessary to establish a base during the runtime of a program.
In an embodiment, the value valuex is calculated in accordance with the following relationship:
valuex:=(x/Basex)mod(2)Sizex. Eq. 3
In other words, the functional variable x is divided by the base Basex, where a remainder of the division is discarded. Sizex is the number of possible states or the available memory. This may be specified by the available number of bits n for storing a single value, that is to say, be equal, e.g., to a value 2n=216 where n=16 bits. The advantage resulting from this is that the value valuex is present as an integer. It is therefore possible to convert a floating-point number into an integer.
In another embodiment of the invention, the value valuex is formed by subtracting a smallest attainable value minx of the functional variable x, which smallest attainable value is predefined according to a control program, from the functional variable x before the smallest attainable value is divided by the base Basex, the remainder being discarded, i.e.,
valuex:=(x−minx/Basex)mod(2)Sizex Eq. 4
The value minx may be determined in uncoded form in a test run of the control program.
This results in the advantage that the value range is limited to the predefined value range.
In another embodiment, the data is provided for a control program and the base Basex is calculated to a value greater than or equal to the difference between a greatest attainable value maxx predefined in accordance with the control program for the value x and a smallest attainable value minx of the value x, divided by the size of the available memory, i.e.,
Basex≥(maxx−minx)/Sizex Eq. 5
In other words, the base Basex represents the smallest possible unit into which the attainable value range can be subdivided. Two advantages are produced as a result of this step: Because the base is determined relative to the entire attainable value range, an overflow of values is excluded. Put differently, a value is prevented from exceeding the maximum value and consequently being unable to be represented. Because the base assumes the smallest possible value, the greatest possible precision is provided. In other words, the computational inaccuracy due to an overly, roughly chosen base is minimized. Overall, this development leads to the base assuming the smallest possible value that is possible without the risk of an overflow. The precise value of the base Basex may be specified according to this criterion.
In an embodiment of the method, a coded addition +c of two coded variables x1c and x2c is performed in accordance with the following relationship:
x3c:=x1c+cx2c, where: Eq. 6
valuex3:=(valuex1*k1+valuex2*k2+k3)/Sizex3,
where the following applies:
maxx3=maxx1+maxx2
minx3=minx1+minx2
Basex1≥(maxx1−minx1)/Sizex1
Basex2(maxx2−minx2)/Sizex2
Basex3(maxx3−minx3)/Sizex3
k2/k1Basex1/Basex2
k1+Basex1/2n≈Basex3
k2+Basex2/2n≈Basex3
and ≈ means that due to rounding errors and processor inaccuracy there is no requirement for any mathematical equality to be present, yet the specified calculation is to be implemented.
In other words, the coded operator +c relating to the addition is defined via the above-cited relationship. Here, calculations in the compiled program are performed only with the values valuex1, valuex2 and valuex3. The constants k1 and k2 in this case describe the relations between the bases Basex1, Basex2 and Basex3. The base Basex1 is the base of the variable x1, the base Basex2 is the base of the variable x2, and the base Basex3 is the base of the result x3. The greatest values maxx1 and maxx2 predefined in accordance with the control program, as well as the smallest values minx1 and minx2 predefined in accordance with the control program for the variables x1 and x2, are used to form the bases Basex1 and Basex2. The smallest and the greatest value for x3 are formed by means of an addition of the greatest and smallest values, respectively, of the variables x1 and x2. The constant k3 may be chosen so as to minimize rounding errors. The bases may be determined via a compiler. The advantage resulting from this is that no base needs to be determined during the runtime of the addition operation. Furthermore, only integers are used during the operation. Separate operations relating to the mantissa and the exponent, as is necessary in the addition of floating-point numbers, and the transformations and normalizations required for this, are therefore unnecessary.
In an embodiment, a coded multiplication *c of two coded variables x1c and x2c is performed in accordance with the following relationship:
x3c:=x1c*cx2c, where Eq. 7
valuex3:=(valuex1*valuex2+k)/Sizex3,
where the following applies:
Basex1≥(maxx1−minx1)/Sizex1
Basex2≥(maxx2−minx2)/Sizex2
Basex3≥(maxx3−minx3)/Sizex3
Basex3≈(Basex1*Basex2)/Sizex3
maxx3=MAX(minx1*minx2,minx1*maxx2,maxx1*minx2,maxx1*maxx2)
minx3=MIN(minx1*minx2,minx1*maxx2,maxx1*minx2,maxx1*maxx2).
In other words, a multiplication of the coded variables x1c and x2c is performed via the values valuex1 and valuex2. The greatest and smallest product yielded in each case in a multiplication of the greatest possible values maxx1, maxx2 and the smallest possible values minx1, minx2 of x1 and x2, respectively, are used as the greatest possible value maxx3 and as the smallest possible value minx3, respectively, of the variable x3.
In a further embodiment, a value valuex1 having a base Basex1 is recoded to a value value′x1 having a base Base′x1 in accordance with the following relationship:
value′x1=(((valuex1+k1)/2n)*k2+k3)/2n′, Eq. 8
where
k2/(2n+n′)≈Basex/Base′x
and n′ is the bit count of the recoded representation.
In this case, the constants k1, k2 and k3 are chosen so as to minimize the rounding error as a function of k2.
It is also an object of the invention to provide a data processing system that is configured to perform one of the above-cited methods. In this context, the system may be a microcontroller or a microprocessor, for example.
Other objects and features of the present invention will become apparent from the following detailed description considered in conjunction with the accompanying drawings. It is to be understood, however, that the drawings are designed solely for purposes of illustration and not as a definition of the limits of the invention, for which reference should be made to the appended claims. It should be further understood that the drawings are not necessarily drawn to scale and that, unless otherwise indicated, they are merely intended to conceptually illustrate the structures and procedures described herein.
An exemplary embodiment of the invention is described below, in which:
The sine value of a functional variable x in degrees may be calculated numerically in a range of 0° inclusive up to and including 45° by means of the following function:
The function concerns a power series using the constants a, b, c and d. Intermediate steps may be combined here under tmp1-tmp7. The power series may be concluded with tmp7, which can be output at the end of a program (return tmp7). The value square may be the square of the functional variable x. All of the values may be a floating-point number (float).
The above-cited function may be performed in coded form via the method in accordance with the invention. Here, a bit count n of e.g. 49 bits may be made available. The precision of the input may be specified to a thousandth, for example.
With reference to
Sizex:=249
minx:=0
maxx:=45000
In a second step P2, the square of x is calculated, where a bit count of n=49 bits can be available. The base for calculating a square of x given a bit count of n=49, Basex
maxx
minx
Basex
valuex
=valuex*valuex*277999.
In a third step P3, the value valuex
valuex
In a fourth step P4, the temporary value valuetmp1 is calculated:
valuetmp1:=(valuex
In a fifth step P5, the temporary value valuetmp2 is calculated:
valuetmp2:=(valuec,n=49*k1+valuetmp1,n=49*k2+k)/224
In a sixth step P6, the temporary value valuetmp3 is calculated:
valuetmp3:=(valuex
In a seventh step P7, the temporary value valuetmp4 is calculated:
valuetmp4:=(valueb,n=24*k1+valuetmp3,n=24*k2+k)/224
In an eighth step P8, the temporary value valuetmp5 is calculated:
valuetmp5:=(valuex2,n=24*valuetmp4,n=24+k)/224
In a ninth step P9, the temporary value valuetmp6 is calculated:
valuetmp6:=(valuea,n=24*k1+valuetmp5,n=24*k2+k)/224
In a tenth step P10, the temporary value valuetmp7 is calculated:
valuetmp7:=(valuex,n=24*valuetmp6,n=24+k)/224
In an eleventh step P11, the value z is calculated from the temporary value valuetmp7 and its base Basetmp7:
z:=sin(x):=valuetmp7,n=24*Basetmp7
In a twelfth step P12, the value valuez having a base 2−49 specified for a return value is calculated from the temporary value valuetmp7 and its base Basetmp7:
valuez:=Basetmp7*Basetmp7/2−49
In a thirteenth step P13, the value valuez is converted into a floating-point number Floatz. This is advantageous owing to the fact that the base of the value valuez is a 2nd power.
A program code could be written in the following manner, for example:
Size:=249
Minimum:=0
Maximum:=45000
squareval49:=277999*Xval*Xval
squareval24:=(squareval49+224)/225
tmp2val:=18172496+(−1378477226−squareval49)/231
tmp4val:=(squareval24*tmp2val+111040616)/2−18415894
tmp6val:=(squareva124*tmp4val−197673)/218+11464190094
tmp7val:=(tmp6val*xval+222)/223
tmp7bas:=1.277097000028899636e−8
z:=SIN(x):=tmp7val*1.277097000028899636e−8
Desired base for z: 2−49
Zval:=tmp7bas*7189417
Overall, the example demonstrates how, via the invention, a representation of data is provided that allows a flexible and efficient processing of ANBD-encoded data.
| Number | Date | Country | Kind |
|---|---|---|---|
| 17185083 | Aug 2017 | EP | regional |
| Number | Name | Date | Kind |
|---|---|---|---|
| 5974350 | Davis, Jr. | Oct 1999 | A |
| 9460168 | Sinclair | Oct 2016 | B1 |
| 20080068588 | Hess | Mar 2008 | A1 |
| 20090055828 | McLaren | Feb 2009 | A1 |
| 20100211201 | Papenfort | Aug 2010 | A1 |
| 20130262938 | Schmitt | Oct 2013 | A1 |
| 20140019823 | Ramirez | Jan 2014 | A1 |
| 20150199530 | Thanos | Jul 2015 | A1 |
| 20150220405 | Neef | Aug 2015 | A1 |
| 20150220457 | Katoh | Aug 2015 | A1 |
| 20160241981 | Law | Aug 2016 | A1 |
| 20170093439 | Motwani | Mar 2017 | A1 |
| 20190027082 | Van Belle | Jan 2019 | A1 |
| Number | Date | Country |
|---|---|---|
| 1904876 | Jan 2007 | CN |
| 3104276 | Jun 2015 | EP |
| Entry |
|---|
| Zheng et al, Hardware Error Detection Using AN-Codes, 1980, pp. 10-250 (Year: 1980). |
| Schiffel Ute: “Hardware Error Detection Using AN-Codes”, XP055448091, Dresden, Germany Gefunden im Internet: URL:https://d-nb.info/1067189289/34; 2011. |
| Number | Date | Country | |
|---|---|---|---|
| 20190073320 A1 | Mar 2019 | US |
