Article Preview
Top1. Introduction
An algebraic manipulation is a model of an undesirable data modification (Cramer, Fehr, & Padró, 2013; Jongsma, 2008). It assumes data distortion by some additive error whose value does not depend on the value of data being distorted. In the paper a concept of algebraic manipulations is described in accordance with a design of secure cryptographic devices (Akdemir, Wang, Karpovsky, & Sunar, 2012; Karpovsky & Wang, 2013; Wang, Karpovsky, Sunar, & Joshi, 2009).
It is well known that cryptographic algorithms' implementations are vulnerable to side-channel attacks (Zhou & Feng, 2005). A fault-injection attack is one of the most efficient attacks, based on an analysis of a cryptographic device's functioning in a presence of faults and computational errors. In many cases, this can lead to a cracking of a cipher-under-attack by revealing a secret key to an attacker. Almost all popular ciphers including RSA, DES and AES are recognized as vulnerable to the fault-injection attack (Abuelyaman & Devadoss, 2005; Anderson & Kuhn, 1998; Dusart, Letourneux, & Vivolo, 2003; Karri, Wu, Mishra, & Kim, 2002; Bar-El, Choukri, Naccache, Tunstall, & Whelan, 2006; Canivet et al., 2011; Kim & Quisquater). As a model of injected faults, an algebraic manipulation model is considered (Cramer et al., 2013; Jongsma, 2008; Wang & Karpovsky, 2011).
An algebraic manipulation is defined as an attacker being able to modify data being processed or stored (distort it by injecting a fault) by some device without being able to obtain any information on the value of the data (Jongsma, 2008). From here, it is possible to distinguish two algebraic manipulation models: a weak manipulation model and a strong manipulation model.
In the weak manipulation model, the attacker is not able to control an input to the device-under-attack. In other words, an informational message input into the device is considered to be uniformly distributed and there is no dependency between injected error and data to be distorted. The probability of error masking in case of weak manipulations is denoted 
.
The strong manipulation model is used in cases when the attacker is able to control the input to the device. This can lead to a more sophisticated choice of an error's value by the attacker. The probability of error masking in case of strong manipulations is denoted 
.
Some special data encoding is required in order to protect data against such manipulations. The most widely used method is to encode data using linear error detecting and correcting codes such as duplication codes, parity check codes and a Hamming code. This method is suitable for situations when arising error patterns correspond to the error detecting capability of the code. However, in cases when an attacker is able to inject specific error patterns, linear codes are not effective. Every 
-ary linear code of a dimension 
has 
error patterns (corresponding to nonzero codewords) that are undetectable by this code. Therefore, the attacker can successfully inject one of the codewords as an error into the device. For instance, injecting any double error in data protected with parity check code is undetectable.