Non-Malleable Codes from the Wire-Tap Channel
Recently, Dziembowski et al. introduced the notion of non-malleable codes (NMC), inspired from the notion of non-malleability in cryptography and the work of Gennaro et al. in 2004 on tamper proof security. Informally, when using NMC, if an attacker …
Authors: Herve Chabanne, Gerard Cohen, Jean-Pierre Flori
Non-Malleable Codes from the Wire-Tap Channel*

Hervé Chabanne†‡, Gérard Cohen†§, Jean-Pierre Flori†§, Alain Patey†‡§

November 14, 2018

Abstract

Recently, Dziembowski et al. introduced the notion of non-malleable codes (NMC), inspired by the notion of non-malleability in cryptography and the work of Gennaro et al. in 2004 on tamper proof security. Informally, when using NMC, if an attacker modifies a codeword, decoding this modified codeword will return either the original message or a completely unrelated value. The definition of NMC is related to a family of modifications authorized to the attacker. In their paper, Dziembowski et al. propose a construction valid for the family of all bit-wise independent functions. In this article, we study the link between the second version of the Wire-Tap (WT) Channel, introduced by Ozarow and Wyner in 1984, and NMC. Using coset-coding, we describe a new construction for NMC w.r.t. a subset of the family of bit-wise independent functions. Our scheme is easier to build and more efficient than the one proposed by Dziembowski et al.

* This work has been partially funded by the ANR SPACES project.
† Identity & Security Alliance (The Morpho and Télécom ParisTech Research Center), Télécom ParisTech – 46, rue Barrault - 75013 Paris - France – Email: {chabanne, cohen, flori, patey}@telecom-paristech.fr
‡ Morpho – 11, boulevard Gallieni - 92130 Issy-Les-Moulineaux - France – Email: {herve.chabanne, alain.patey}@morpho.com
§ CNRS-LTCI

1 Introduction

In cryptography, the non-malleability property [1] requires that it is impossible, given a ciphertext, to produce another different ciphertext so that the corresponding plaintexts are related to each other. Non-malleability under adaptive chosen-ciphertext attack (NM-CCA2) is one of the strongest computational security properties that is required from an asymmetric encryption scheme (it is equivalent to indistinguishability under adaptive chosen-ciphertext attack (IND-CCA2)).

Recently, Dziembowski et al. [2] proposed a transposition of the cryptographic definition of non-malleability to the field of coding theory. Informally, they define a NMC as a code such that, when a codeword is subject to modifications, its decoding procedure either corrects these errors and decodes to the original message or returns a value that is completely unrelated to the original message. The property of non-malleability, as defined in [2], is subject to a choice of a family of modifications that we allow an adversary to make on the codewords. Dziembowski et al. also proved that it is impossible for a code to be non-malleable w.r.t. the set of all possible modifications of codewords.

The motivation for NMC is tamper proofness. The authors of [2] were indeed much influenced by the work of Gennaro et al. [3]. Non-malleability can be useful in real-life applications. Some storage devices may be assumed to be "read-proof" because of a sufficient amount of physical or algorithmic protections to prevent anyone from learning the data stored on them. However, even if one cannot read the data, injecting faults in the data and observing the way it affects functions using these data can help to recover them. Injecting faults can be done for instance using lasers [4]. There exists an important literature on how to use Differential Fault Analysis to break cryptosystems (e.g. [5, 6]).

Dziembowski et al. studied deeply the non-malleability w.r.t. bit-wise independent tampering functions, i.e. modifications that affect each bit of the codeword independently: flipping the bit or setting it to 0 or 1. This is typically what can be done using fault injections and, consequently, focusing on this family of tampering functions is worthwhile. In [2], a construction for NMC w.r.t. all bit-wise independent functions is proposed. However, an implementable construction is left as an open problem.

Our goal is to propose NMC that can be explicitly built. To this end, we exploit a relation that can be established between the model for NMC and the second version of the Wire-Tap channel [7]. This allows us to prove how coset-coding can be used to build a NMC. Furthermore, the decoding procedure of linear coset coding consists uniquely of one matrix-vector product. Our construction is thus computationally efficient. Moreover, unlike their solution, our procedure always decodes messages whereas theirs is closer to error detection and often returns an error symbol.

Organization of the Paper

In Section 2, we explain and give the formal definitions for NMC as established in [2]. We describe the model of the WT channel in Section 3 and explain the use of coset-coding. We show how the second version of the WT channel and NMC w.r.t. bit-wise independent functions are related and prove why coset-coding can be used as a NMC in Section 4. We finally conclude in Section 5.

2 Non-Malleable Codes

In this section, we intend to give an easy-to-understand description of NMC and their goals. All definitions come from [2]. In the following, we consider a randomized encoding function $\mathrm{Enc}: \{0,1\}^k \mapsto \{0,1\}^n$, which is associated to a deterministic decoding function $\mathrm{Dec}: \{0,1\}^n \mapsto \{0,1\}^k \cup \{\bot\}$, where $\bot$ means that the codeword cannot be decoded. Let $\mathbb{F}_2$ denote the field with two elements.

2.1 The Tampering Experiment

Let us first introduce the situation considered in NMC. In this model, a source message $m$ is encoded using Enc, in order to be later decoded using Dec. The codeword $c = \mathrm{Enc}(m)$ is stored on a device or sent over a channel before being decoded. During this phase, an attacker applies some tampering function $f$ belonging to a given family of functions $\mathcal{F} \subset (\mathbb{F}_2^n)^{\mathbb{F}_2^n}$ (the set of all functions from $\mathbb{F}_2^n$ to itself). A tampered codeword $\tilde c = f(c)$ is thus obtained. This erroneous codeword is then decoded to $\tilde m = \mathrm{Dec}(\tilde c)$. This process is described in Figure 1.

Figure 1: The Tampering Experiment ($m \xrightarrow{\mathrm{Enc}} c \xrightarrow{f} \tilde c \xrightarrow{\mathrm{Dec}} \tilde m$).

Now focus on the behaviour of the attacker, called Eve in the following. Eve applies a function $f \in \mathcal{F}$ to the codeword $c$, but she does not read $c$. In the real world, this can be seen as injecting faults on a device that you cannot read (e.g. a smart-card) using, for instance, a laser. In this experiment, Eve can however read the resulting decoded message $\tilde m$ and try to learn as much as possible about $m$ from $\tilde m$. Let us also specify that $f$ is a deterministic function and, furthermore, that Eve knows which function she has chosen in $\mathcal{F}$.

2.2 Defining Non-Malleability

Let us now give the formal definition of non-malleability. Let $\mathcal{F}$ be a family of tampering functions. For each $f \in \mathcal{F}$, we define a random variable $\mathrm{Tamper}^f_s$ corresponding to the tampering experiment described in the previous section:

$$\mathrm{Tamper}^f_s = \left\{\, c \leftarrow_R \mathrm{Enc}(s),\ \tilde c = f(c),\ \tilde s = \mathrm{Dec}(\tilde c);\ \text{Output: } \tilde s \,\right\}$$

The randomness is induced by the encoding function Enc. The Non-Malleability property is defined as follows:

Definition 1 (Non-Malleability). Let (Enc, Dec) be a coding scheme, where $\mathrm{Enc}: \{0,1\}^k \mapsto \{0,1\}^n$ is random and $\mathrm{Dec}: \{0,1\}^n \mapsto \{0,1\}^k \cup \{\bot\}$ deterministic. Let $\mathcal{F} \subset (\mathbb{F}_2^n)^{\mathbb{F}_2^n}$ be a family of tampering functions. We say that the coding scheme (Enc, Dec) is non-malleable w.r.t. $\mathcal{F}$ if for each $f \in \mathcal{F}$, there exists a distribution $D_f$ over $\{0,1\}^k \cup \{\bot, \mathrm{same}\}$ such that, $\forall s \in \{0,1\}^k$, we have:

$$\mathrm{Tamper}^f_s \approx \left\{\, \tilde s \leftarrow D_f;\ \text{Output } s \text{ if } \tilde s = \mathrm{same},\ \tilde s \text{ otherwise} \,\right\} \qquad (1)$$

where $\approx$ denotes computational or statistical indistinguishability.

2.3 Explaining the Definition

First, notice that the definition is relative to a family $\mathcal{F}$ of tampering functions, but the property of indistinguishability concerns each function $f$ separately. Non-malleability w.r.t. a family is in fact non-malleability w.r.t. each function in this family.

Now let us recall what we expect from a NMC. We want that, after the tampering experiment, either the codeword $\tilde c$ is well-decoded to the original message $s$ despite the tampering or the decoding procedure results in a value $\tilde s$ that is unrelated to the original message. That is the idea behind the distribution $D_f$: either it returns the symbol same, meaning that the decoding furnishes the original value, or it returns a value $\tilde s \in \{0,1\}^k \cup \{\bot\}$. As $D_f$ depends only on $f$ and not on the message $s$, in the latter case, the value returned in the second part of Equation (1) is unrelated to $s$.

2.4 Basic Examples

We summarize here two examples developed in [2] that correspond to usual families of codes encompassed by the definition of NMC.

Error Correction. Let us assume that $\mathcal{F}$ is a family of tampering functions and $C$ an error-correcting code such that errors introduced by the application of a function $f \in \mathcal{F}$ on any codeword of $C$ can be corrected. Then $C$ is non-malleable w.r.t. $\mathcal{F}$. The distribution associated to every function $f \in \mathcal{F}$ is the constant distribution $D_f = \mathrm{same}$, since erroneous codewords are always well-decoded.

Error Detection. The same idea can be applied to error-detecting codes. If there is a family $\mathcal{F}$ of tampering functions such that each $f \in \mathcal{F}$ introduces errors in every codeword that are detected by a code $C$, then $C$ is non-malleable w.r.t. $\mathcal{F}$. The distribution associated to every function $f \in \mathcal{F}$ is the constant distribution $D_f = \bot$.

2.5 General (Im)Possibility Results

Impossibility. As proven in [2], no code is non-malleable w.r.t. the set of all possible tampering functions (i.e. $\mathcal{F} = (\mathbb{F}_2^n)^{\mathbb{F}_2^n}$). Indeed there is, for instance, in $\mathcal{F}$ a function that decodes the codeword, "increments" the message (i.e. adds 1 to its representation in $\mathbb{F}_2^k$) and re-encodes it. The result of the decoding of such a tampered codeword would always be $s + 1$ and thus would be neither the original message $s$ nor an unrelated value.

Possibility. In [2], the authors prove that for any bounded-sized family of tampering functions, there exists a NMC. Their result is summed up in the following theorem:

Theorem 1 ([2]). Let $\mathcal{F} \subset (\mathbb{F}_2^n)^{\mathbb{F}_2^n}$ be a family of tampering functions such that $n > \log(\log(|\mathcal{F}|))$. Then there exists a non-malleable code w.r.t. $\mathcal{F}$.

2.6 Bit-wise Independent Tampering

Bit-wise independent tampering is a special case of tampering where each bit of the codeword is tampered with independently. Formally a function $f: \{0,1\}^n \mapsto \{0,1\}^n$ is bit-wise independent if we can find $n$ independent functions $f_1, \ldots, f_n: \{0,1\} \mapsto \{0,1\}$ such that $\forall x \in \{0,1\}^n$, $f(x) = (f_1(x_1), \ldots, f_n(x_n))$. There are four possibilities for each $f_i$, which we denote by keep, flip, 0 and 1 (keep and flip are explicit; 0 (resp. 1) is the function that sets a bit to 0 (resp. 1) regardless of what it was before).

In [2], a construction for a NMC w.r.t. the family of all bit-wise independent functions is introduced. It uses Linear Error-Correcting Secret-Sharing (LECSS) schemes [8] and Algebraic Manipulation Detection (AMD) codes [9]. Both are quite new tools and even the authors of [2] leave the explicit construction of LECSS codes as an "interesting open problem". Furthermore, their solution is quite close to error detecting codes as it decodes to $\bot$ after a tampering in most cases¹. In Section 4, we propose a new way to build NMC w.r.t. bit-wise independent functions. Our solution covers fewer tampering functions but uses more standard and efficient tools. Moreover, our scheme is neither error-correcting nor error-detecting (it never returns $\bot$) and so, in our opinion, is closer to the original definition of non-malleability, which is more generic than error detection or correction.

¹ In their proof of non-malleability, the authors of [2] distinguish different cases depending on the considered tampering function (more precisely its number $q$ of 0 and 1 sub-functions) and the secrecy $t$ of the LECSS scheme. When $t < q < n - t$, the tampering experiment always returns $\bot$ and when $q \leq t$, the scheme is likely to often return $\bot$.

3 The Wire-Tap Channel

In the following, a $[n, k, d]$ linear code denotes a subspace of dimension $k$ of $\mathbb{F}_2^n$ with minimal Hamming distance $d$.

3.1 Linear Coset Coding

Coset coding is a random encoding used for both models of WT Channel. This type of encoding uses a $[n, k, d]$ linear code $C$ with a parity-check matrix $H$. Let $r = n - k$. To encode a message $m \in \mathbb{F}_2^r$, one chooses randomly an element among all $x \in \mathbb{F}_2^n$ such that $m = H\,{}^t\!x$ (where ${}^t\!x$ denotes the transpose of the row vector $x$). To decode a codeword $x$, one just applies the parity-check matrix $H$ and obtains the syndrome of $x$ for the code $C$, which is the message $m$. This procedure is summed up in Figure 2.

Figure 2: Linear Coset-coding.
Given: $C$ a $[n, n - r, d]$ linear code with an $r \times n$ parity-check matrix $H$.
Encode: $m \in \mathbb{F}_2^r \mapsto_R x \in \mathbb{F}_2^n$ s.t. $H\,{}^t\!x = m$.
Decode: $x \in \mathbb{F}_2^n \mapsto m = H\,{}^t\!x$.

3.2 The Wire-Tap Channel I

The Wire-Tap Channel was introduced by Wyner [10]. In this model, a sender Alice sends messages over a potentially noisy channel to a receiver Bob. An adversary Eve listens to an auxiliary channel, the WT channel, which is a noisier version of the main channel. It was shown that, with an appropriate coding scheme, the secret message can be conveyed in such a way that Bob has complete knowledge of the secret and Eve does not learn anything. In the special case where the main channel is noiseless, the secrecy capacity can be achieved through a linear coset coding scheme. We summarize the WT Channel I in Figure 3.

Figure 3: The Wire-Tap Channel I (Alice encodes $m$ to $c$; Bob receives $c'$ through a channel with small (or no) noise; Eve receives $c''$ through a channel with big noise).

3.3 The Wire-Tap Channel II

Ten years later, Ozarow and Wyner introduced a second version of the WT Channel [7]. In this model, both main and WT channels are noiseless. This time, the disadvantage for Eve is that she can only see messages with erasures: she has only access to a limited number of bits per codeword. She is however allowed to choose which bits she can learn. We summarize the Wire-Tap Channel II in Figure 4.

Figure 4: The Wire-Tap Channel II (Alice encodes $m$ to $c$; Bob receives $c$; Eve receives only chosen bits of $c$, the others being erased).

The encoding used in this model is again a coset coding based on a linear code $C$, as in the Wire-Tap Channel I with a noiseless main channel. Let $d^\perp$ denote the minimal distance of the dual $C^\perp$ of $C$. One can prove (see [11] for instance) that, if Eve can access less than $d^\perp$ bits of a codeword, then she gains no information at all on the associated message. Linear coset-coding for the WT channel can be efficiently implemented using LDPC codes [12, 13].
4 From the Wire-Tap Channel to Non-Malleable Codes

For our construction, we only deal with tampering functions that are bit-wise independent.

4.1 Motivations for Using Wire-Tap

Roughly speaking, in both models, codewords are modified either with random faults (WT I), adversary-controlled erasures (WT II) or an adversary-controlled tampering function (NMC). From these modified codewords or their decoding results, the adversary tries to learn information on the original messages. The first WT is a little different from the other models because errors are random and so do not occur in the same number and bit positions every time. It could however be covered by the definition of NMC if every possible tampering caused by these random errors were included in the family of tampering functions taken into account by the code.

Let us now assume that we want to use a linear coset-coding scheme with a parity-check matrix $H$ as NMC. We cannot be protected against tampering functions that only add errors (i.e. bit-wise independent functions where the only choices for each bit are keep or flip). To see why, let $\mathcal{F}$ be a family of such functions. Obviously, for each $f \in \mathcal{F}$, there is an error vector $e \in \mathbb{F}_2^n$ such that $\forall c \in \mathbb{F}_2^n$, $f(c) = c + e$. Let us follow the tampering experiment. Let $m \in \mathbb{F}_2^r$ be a source message and $c$ an encoding of $m$. Say $c$ is tampered to $\tilde c = c + e$. Decoding results in $\tilde m = H\,{}^t\!c + H\,{}^t\!e = m + H\,{}^t\!e$. Thus, $\tilde m$ is always $m$ plus a constant offset. It is consequently related to $m$. Linear coset-coding cannot be non-malleable w.r.t. these "error-only" functions. There must be some 0 and 1 in the tampering.

This is why we consider WT II. Indeed, using 0 and 1 on some bits of the codewords is, in an information-theoretic sense, like having erasures at the corresponding locations, as we do not know what was originally there. As WT II guarantees that no information is leaked from erased codewords encoded using an appropriate coset-coding scheme, there will be no relation between the decoded tampered codeword and the original message. That is what motivates our proposal.

4.2 The Construction

As discussed before, we consider bit-wise independent functions where the sub-functions are not only keep or flip. Nevertheless, we authorize bit-flips because if the result of the tampering experiment is unrelated to the original message, then the result added to a constant offset will also be unrelated to this message. We state the following theorem:

Theorem 2 (Linear coset-coding as NMC). Let $\mathcal{F} \subset (\mathbb{F}_2^n)^{\mathbb{F}_2^n}$ be a family of bit-wise independent tampering functions such that:

$$\forall f = (f_1, \ldots, f_n) \in \mathcal{F},\quad |\{\, i \mid f_i = 0 \text{ or } f_i = 1 \,\}| \geq D.$$

Let $C$ be a $[n, k, d]$-linear code such that $D > n - d^\perp$, where $d^\perp$ is the minimal distance of its dual code $C^\perp$. Then a linear coset-coding using $C$ is non-malleable w.r.t. $\mathcal{F}$.

4.3 Proof of Non-Malleability

Our proof of non-malleability is inspired by the proof of security of the WT II in [14]. Let us consider we are in the situation of Theorem 2. Let $f = (f_1, \ldots, f_n) \in \mathcal{F}$ be a tampering function. Let $S_{01}$ be the set of all positions $i$ such that $f_i = 0$ or $f_i = 1$. Let $S_{\mathrm{keep}}$ and $S_{\mathrm{flip}}$ be the equivalent sets for keep and flip. Let $e \in \mathbb{F}_2^n$ be such that $\forall i = 1, \ldots, n$, $e_i = \chi_{S_{\mathrm{flip}}}(i)$ (where $\chi_A$ denotes the indicator function of a set $A$) and $\epsilon \in \mathbb{F}_2^n$ be such that $\epsilon_i = 1$ if $f_i = 1$ and $\epsilon_i = 0$ otherwise. Let $h_1, \ldots, h_n$ denote the columns of the parity-check matrix $H$. Let $m \in \mathbb{F}_2^r$ be a message encoded to $c \in \mathbb{F}_2^n$. Let $\tilde c = f(c)$ and $\tilde m = H\,{}^t\!\tilde c$. We have

$$\begin{aligned}
\tilde m &= \sum_{i \in S_{01}} h_i \tilde c_i + \sum_{i \in S_{\mathrm{keep}}} h_i \tilde c_i + \sum_{i \in S_{\mathrm{flip}}} h_i \tilde c_i \\
&= \sum_{i \in S_{01}} h_i \epsilon_i + \sum_{i \in S_{\mathrm{keep}}} h_i c_i + \sum_{i \in S_{\mathrm{flip}}} h_i (c_i + e_i) \\
&= H\,{}^t\!\epsilon + H\,{}^t\!e + \sum_{i \in S_{\mathrm{keep}} \cup S_{\mathrm{flip}}} h_i c_i \\
&\Big(= m + H\,{}^t\!\epsilon + H\,{}^t\!e - \sum_{i \in S_{01}} h_i c_i\Big)
\end{aligned}$$

If we want $\tilde m$ to be unrelated to $m$, then we want $\sum_{i \in S_{\mathrm{keep}} \cup S_{\mathrm{flip}}} h_i c_i$ to be unrelated to $m$. If the submatrix $H_{kf}$ made of the columns $h_i$, $i \in S_{\mathrm{keep}} \cup S_{\mathrm{flip}}$ is of full rank $r = n - k$, then we gain no information on the corresponding bits of $m$, and all values are equiprobable. This is achieved in particular if $|S_{\mathrm{keep}} \cup S_{\mathrm{flip}}| < d^\perp$ (see chapter 9 of [14]).

If $D > n - d^\perp$, then $|S_{01}| > n - d^\perp$, i.e. $n - |S_{\mathrm{keep}} \cup S_{\mathrm{flip}}| > n - d^\perp$, or $|S_{\mathrm{keep}} \cup S_{\mathrm{flip}}| < d^\perp$. The condition of the previous paragraph is thus achieved if we use the parameters of Theorem 2.

Let us define more formally the distribution $D_f$ associated to $f$. Let $K_i$, $i \in S_{\mathrm{keep}} \cup S_{\mathrm{flip}}$, be Bernoulli(1/2) distributions. Then

$$D_f = H\,{}^t\!\epsilon + H\,{}^t\!e + \sum_{i \in S_{\mathrm{keep}} \cup S_{\mathrm{flip}}} h_i K_i.$$

This distribution and the result of the tampering experiment are identically distributed. The coset-coding scheme used in Theorem 2 is consequently non-malleable w.r.t. $\mathcal{F}$.

4.4 Going Further

Towards a Larger Family of Tampering Functions

When comparing our construction to the one of [2], one can relate the LECSS and our coset-coding scheme. The only requirement that is not fulfilled by linear coset-coding is a large distance. As the distance of linear coset-coding is 1, we cannot assume $d > n/4$ as they do. That is why we cannot directly modify this construction and replace LECSS with coset-coding in the description of the code and the proof of non-malleability. Both LECSS and coset-coding ensure non-malleability when the number of 0 or 1 sub-functions of the tampering function is high enough.
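The following Python script is an added example, not code from the paper. It implements the linear coset coding of Section 3.1 with the parity-check matrix of the [7,4,3] Hamming code (a constructed choice; its dual, the simplex code, has $d^\perp = 4$, so Theorem 2 asks for $D > n - d^\perp = 3$ positions set to 0 or 1), evaluates the tampering experiment of Section 2.1 exactly over the whole coset instead of sampling it, and checks Definition 1 for three constructed bit-wise independent functions: an error-only one, one with four 0/1 positions, and one with only three. All names (H_HAMMING, F_ERR, F_NM, F_WEAK and the helper functions) are assumptions of this example.

```python
# Added example (not the paper's code): linear coset coding checked as a
# non-malleable code, exhaustively, on a toy code.  H_HAMMING is the parity-check
# matrix of the [7,4,3] Hamming code (a constructed choice); its dual, the simplex
# code, has d_perp = 4, so Theorem 2 needs D > n - d_perp = 3 positions set to 0/1.
from collections import Counter
from itertools import product

# r x n parity-check matrix, column i being the binary expansion of i.
H_HAMMING = [[1, 0, 1, 0, 1, 0, 1],
             [0, 1, 1, 0, 0, 1, 1],
             [0, 0, 0, 1, 1, 1, 1]]


def syndrome(H, x):
    """Dec of Figure 2: the syndrome H x over F_2 is the coset-coded message."""
    return tuple(sum(h * xi for h, xi in zip(row, x)) % 2 for row in H)


def coset(H, m):
    """All x in F_2^n with H x = m.  Enc of Figure 2 picks one uniformly at
    random; enumerating the whole coset (brute force, fine for n = 7) lets us
    compute the law of the tampering experiment exactly instead of sampling."""
    n = len(H[0])
    return [x for x in product((0, 1), repeat=n) if syndrome(H, x) == m]


def dual_distance(H):
    """d_perp: minimal weight of a nonzero codeword of C_perp, the row space of H."""
    r, n = len(H), len(H[0])
    best = n
    for coeffs in product((0, 1), repeat=r):
        if any(coeffs):
            word = [sum(a * row[i] for a, row in zip(coeffs, H)) % 2 for i in range(n)]
            best = min(best, sum(word))
    return best


# A bit-wise independent tampering function is a tuple of n sub-functions,
# each one of "keep", "flip", "0", "1" (Section 2.6).
def apply_tamper(f, c):
    return tuple({"keep": ci, "flip": ci ^ 1, "0": 0, "1": 1}[fi] for fi, ci in zip(f, c))


def count_fixed(f):
    """|S_01|: number of positions whose sub-function is 0 or 1."""
    return sum(fi in ("0", "1") for fi in f)


def satisfies_theorem2(H, f):
    """Hypothesis of Theorem 2 for this code: |S_01| >= D with D > n - d_perp."""
    return count_fixed(f) > len(H[0]) - dual_distance(H)


def tamper_distribution(H, f, m):
    """Exact law of Tamper^f_m: decode f(c) for every c in the coset of m."""
    return Counter(syndrome(H, apply_tamper(f, c)) for c in coset(H, m))


def is_non_malleable(H, f):
    """Definition 1 for one deterministic f (bottom never occurs here): is there a
    single law D_f over F_2^r U {same} reproducing Tamper^f_m for every m, with
    `same` standing for m?  D_f(v) must equal the count every message m != v gives
    to v, and the leftover mass D_f(same) must be identical for every m."""
    msgs = list(product((0, 1), repeat=len(H)))
    laws = {m: tamper_distribution(H, f, m) for m in msgs}
    d_f = {}
    for v in msgs:
        counts = {laws[m][v] for m in msgs if m != v}
        if len(counts) != 1:
            return False
        d_f[v] = counts.pop()
    p_same = {laws[m][m] - d_f[m] for m in msgs}
    return len(p_same) == 1 and p_same.pop() >= 0


# Constructed tampering functions for the cases discussed in Section 4.
F_ERR = ("flip", "keep", "keep", "flip", "keep", "keep", "keep")  # error-only: |S_01| = 0
F_NM = ("0", "1", "flip", "0", "keep", "1", "flip")               # |S_01| = 4 > 3
F_WEAK = ("0", "0", "0", "keep", "keep", "keep", "keep")          # |S_01| = 3, bound not met

if __name__ == "__main__":
    for name, f in (("error-only", F_ERR), ("four 0/1 bits", F_NM), ("three 0/1 bits", F_WEAK)):
        print(f"{name}: theorem applies={satisfies_theorem2(H_HAMMING, f)}, "
              f"non-malleable={is_non_malleable(H_HAMMING, f)}")
        print("  law of Tamper for m = 000:", dict(tamper_distribution(H_HAMMING, f, (0, 0, 0))))
```

With F_ERR every message decodes to itself plus the constant $H\,{}^t\!e = (1,0,1)$; with F_NM the output is uniform over $\mathbb{F}_2^3$ whatever the message; with F_WEAK the third bit of the output always equals the third bit of the message, so three 0/1 positions are not enough for this code.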
To deal with the case where the number of such functions is low, Dziembowski et al. concatenated the LECSS with an AMD code. In such a case, the tampering function acts by adding an error following a fixed distribution (i.e. independent of the codeword) and the decoding procedure results in $\bot$ with high probability because of the AMD code. Therefore, non-malleability is ensured. Following this idea, it might also be possible to encapsulate our coset-coding scheme within an error-detecting or an error-correcting code. Thus we would achieve non-malleability w.r.t. a larger family of functions. In particular, functions with a small number of 0 or 1 sub-functions, which cannot be dealt with by coset-coding alone, could be included. For the error-detecting case, using an AMD code as in [2] seems to be feasible. However, for the error-correcting case, it is not clear which kind of correction strategy to use to deal with the effects of the linear coset-coding scheme. Nevertheless, if such functions are the only ones of interest, one must be aware that an error correcting or an error detecting code is sufficient by itself.

Relaxing the Notion of Non-Malleability

In the model for the WT II described in this paper, we require that Eve cannot obtain any bit of information on the messages sent over the channel. This strong security notion can be relaxed. Indeed, one could be satisfied even if Eve learned only a bounded amount of bits. This is possible if we consider generalized Hamming distances [11] instead of the dual distance $d^\perp$ of the code considered in the linear coset-coding scheme. For $i \in \mathbb{N}$, the generalized distance $d_i$ is such that if Eve cannot obtain more than $d_i$ bits per message, then she gains no more than $i - 1$ bits of information per message. For instance, $d_1 = d^\perp$. In the same spirit, one could relax the notion of non-malleability. After the tampering experiment, we could state that either the decoding procedure returns the original message or it enables one to learn a bounded number of bits of information on this message. Using our construction, it is easy to build another scheme that would satisfy this requirement. One would only have to replace dual distances by generalized distances.

5 Conclusion

We established in this paper a parallel between Non-Malleable Codes and the Wire-Tap Channel. This relation enabled us to build an efficient non-malleable scheme, w.r.t. a family of bit-wise independent functions, that is neither error-correcting nor error-detecting. Considering bit-wise independent tampering is a worthwhile first step for NMC. An interesting open problem would be now to build schemes that are non-malleable w.r.t. larger families of functions.

Acknowledgement

The authors would like to thank Julien Bringer for his helpful comments.

References

[1] D. Dolev, C. Dwork, and M. Naor, "Non-malleable cryptography (extended abstract)," in STOC. ACM, 1991, pp. 542–552.
[2] S. Dziembowski, K. Pietrzak, and D. Wichs, "Non-malleable codes," in ICS, A. C.-C. Yao, Ed. Tsinghua University Press, 2010, pp. 434–452.
[3] R. Gennaro, A. Lysyanskaya, T. Malkin, S. Micali, and T. Rabin, "Algorithmic tamper-proof (ATP) security: Theoretical foundations for security against hardware tampering," in TCC, ser. Lecture Notes in Computer Science, M. Naor, Ed., vol. 2951. Springer, 2004, pp. 258–277.
[4] S. P. Skorobogatov and R. J. Anderson, "Optical fault induction attacks," in CHES, ser. Lecture Notes in Computer Science, B. S. K. Jr., Çetin Kaya Koç, and C. Paar, Eds., vol. 2523. Springer, 2002, pp. 2–12.
[5] D. Boneh, R. A. DeMillo, and R. J. Lipton, "On the importance of checking cryptographic protocols for faults (extended abstract)," in EUROCRYPT, 1997, pp. 37–51.
[6] H. Bar-El, H. Choukri, D. Naccache, M. Tunstall, and C. Whelan, "The sorcerer's apprentice guide to fault attacks," in Workshop on Fault Diagnosis and Tolerance in Cryptography in association with DSN 2004 - The International Conference on Dependable Systems and Networks, 2004, pp. 330–342.
[7] L. H. Ozarow and A. D. Wyner, "Wire-tap channel II," in EUROCRYPT, 1984, pp. 33–50.
[8] H. Chen, R. Cramer, S. Goldwasser, R. de Haan, and V. Vaikuntanathan, "Secure computation from random error correcting codes," in EUROCRYPT, ser. Lecture Notes in Computer Science, M. Naor, Ed., vol. 4515. Springer, 2007, pp. 291–310.
[9] R. Cramer, Y. Dodis, S. Fehr, C. Padró, and D. Wichs, "Detection of algebraic manipulation with applications to robust secret sharing and fuzzy extractors," in EUROCRYPT, ser. Lecture Notes in Computer Science, N. P. Smart, Ed., vol. 4965. Springer, 2008, pp. 471–488.
[10] A. D. Wyner, "The wire-tap channel," The Bell System Technical Journal, vol. 54, no. 8, pp. 1355–1387, October 1975.
[11] V. K.-W. Wei, "Generalized Hamming weights for linear codes," IEEE Transactions on Information Theory, vol. 37, no. 5, pp. 1412–, 1991.
[12] A. Thangaraj, S. Dihidar, A. R. Calderbank, S. W. McLaughlin, and J.-M. Merolla, "Applications of LDPC codes to the wiretap channel," IEEE Transactions on Information Theory, vol. 53, no. 8, pp. 2933–2945, 2007.
[13] A. Subramanian, A. Thangaraj, M. Bloch, and S. W. McLaughlin, "Strong secrecy on the binary erasure wiretap channel using large-girth LDPC codes," CoRR, vol. abs/1009.3130, 2010.
[14] G. Zémor, Cours de cryptographie. Cassini, 2000.