IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 57, NO. 12, DECEMBER 2011 8007
A Comment on the Karpovsky–Taubin Code
Shlomo Engelberg and Osnat Keren
Abstract—This paper presents generalizations of the
Karpovsky–Taubin nonlinear code. The generalizations lead to robust
and partially robust single error detecting codes and single error
correcting codes.
Index Terms—Fault analysis attack, nonlinear code, robust code,
undetected error.
I. INTRODUCTION
In [3], Karpovsky and Taubin presented a set of robust
and partially robust nonlinear codes. In this comment, we
present a generalized version of their code.
Robust codes are codes designed to detect malicious active
fault analysis attacks on cryptographic devices. Each time the
cryptographic device is activated, it generates a codeword
. The attacker, who knows the codebook but cannot predict
which codeword will appear at the outputs, distorts the outputs
of the device by injecting an error vector. The probability, ,
that a given error, , will map a codeword onto another codeword
is called the error masking probability or the undetected error
probability and is defined as .
There are three classes of errors.
• Errors that are never detected. An error, , is said to
be undetected if for all , that is .
The set of such errors is called the detection kernel
of the code. One design goal is to construct a code with a
minimal kernel.
• Errors that are always detected. An error, , is always
detected if for all , , that is .
• Errors that are detected with probability less than one. That
is, .
A second design goal is to construct a code for
which the undetected error probability of the code,
, is as small as possible.
A code is robust with respect to its error-masking probability
if the probability of missing an error is less than one for all
nonzero errors. A code is partially robust if the size of the kernel
is smaller than the size of the code. A linear code cannot be
robust or partially robust [3]. The undetected error probability of
a binary systematic robust code of length is lower bounded by
, [4]. Thus, the number of redundancy
bits in a robust binary code having minimal must be greater
than or equal to where is the dimension of the code.
Manuscript received March 21, 2011; revised June 26, 2011; accepted June
30, 2011. Date of publication July 25, 2011; date of current version December
07, 2011.
S. Engelberg is with the Department of Electronics, Jerusalem College of
Technology, 91160 Jerusalem, Israel.
O. Keren is with the School of Engineering, Bar-Ilan University, 33021-3409
Ramat-Gan, Israel (e-mail: kereno@macs.biu.ac.il).
Communicated by M. Blaum, Associate Editor for Coding Theory.
Digital Object Identifier 10.1109/TIT.2011.2162718
In [3], Karpovsky and Taubin introduced a new class of
nonlinear systematic codes having the smallest possible kernel and
the smallest possible undetected error probability.
Construction 1 (Karpovsky–Taubin Code, [3]): Let be a
binary matrix of rank . Define
.
The Karpovsky–Taubin (KT) code is an
code of length , dimension and minimum distance
that equals two when is odd and equals one when is even.
The kernel forms a linear subspace of dimension ,
and there are errors that are masked with
probability . The remaining error vectors are detected
with probability 1.
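The three error classes and the contrast with linear codes described above, as an added example that is not code from the paper: it enumerates every error vector of a toy systematic code and counts how many errors have each masking probability, taken here as the fraction of codewords that the error maps onto another codeword. The sizes, the matrix `P_ROWS`, the field polynomial and the cubic check symbol (the cube of Px in GF(2^3), the form usually given for the KT construction) are assumptions of this example.

```python
from collections import Counter
from fractions import Fraction

K, R = 4, 3                         # assumed toy sizes: 4 data bits, 3 check bits
P_ROWS = [0b1000, 0b0100, 0b0011]   # assumed binary matrix of rank 3, one int per row

def gf8_mul(a, b):
    """Multiply two elements of GF(2^3), reducing modulo x^3 + x + 1."""
    prod = 0
    for _ in range(R):
        if b & 1:
            prod ^= a
        b >>= 1
        a <<= 1
        if a & 0b1000:
            a ^= 0b1011
    return prod

def apply_p(x):
    """Return P*x over GF(2); bit i is the parity of (row i AND x)."""
    return sum((bin(row & x).count("1") & 1) << i for i, row in enumerate(P_ROWS))

def linear_check(x):
    """Check symbol of a linear systematic code: w = P*x."""
    return apply_p(x)

def cubic_check(x):
    """Assumed nonlinear check symbol: w = (P*x)^3 in GF(2^3)."""
    y = apply_p(x)
    return gf8_mul(gf8_mul(y, y), y)

def masking_profile(check):
    """Map each masking probability Q(e) to the number of errors e having it."""
    code = {(x << R) | check(x) for x in range(1 << K)}
    profile = Counter()
    for e in range(1 << (K + R)):           # includes e = 0, which is in the kernel
        hits = sum((c ^ e) in code for c in code)
        profile[Fraction(hits, len(code))] += 1
    return dict(profile)

if __name__ == "__main__":
    for name, check in (("linear", linear_check), ("cubic", cubic_check)):
        summary = sorted(masking_profile(check).items(), reverse=True)
        print(name, [(str(q), n) for q, n in summary])
```

Errors with masking probability 1 form the detection kernel (the zero vector included): 16 of the 128 error vectors for the linear check, which equals the code size, against 2 for the cubic check. The cubic check has 56 further errors that are each missed for only 4 of the 16 codewords, and its remaining 70 errors are always detected.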
We generalize the KT code and construct a single error
detecting (SED) code for which all single bit errors are included in
the set of error vectors that are always detected. Then, we show
how by adding a single parity bit the code becomes a single error
correcting (SEC) code with .
The generalized Vasil’ev codes, Etzion-Vardy switching
construction codes, and the generalized Phelps codes are SEC
robust and partially robust codes [4], [5]. The first two have
. Generalized KT (GKT) codes have the smallest
possible , and for , this is always less than 0.5.
By properly selecting the code parameters, it is possible to
construct a Phelps code having the smallest possible . In
this case, the characteristics of SEC GKT codes are the same
as those of the Generalized Phelps code, but the length and
dimension of the Generalized Phelps code are restricted to be
and , respectively, whereas the GKT
codes can have arbitrary lengths and dimension.
II. GKT CODES
The GKT codes are defined as follows.
Construction 2 (SED GKT Code): Let be a full rank
binary matrix, and let . Define
The generalized code has the same immunity to fault
analysis attacks as the KT code. That is, each class of errors (never
detected, always detected, detected with probability )
contains the same number of vectors as the KT-code. The values
of the coefficients and the matrix determine the class of each
error vector. As we show next, it is possible to choose these
parameters so that single-bit errors are always detected.
Let be a codeword and be a nonzero error
vector. An error vector is undetected if .
In other words, if