Detection of Algebraic Manipulation in the Presence of Leakage

Abstract

We investigate the problem of algebraic manipulation detection (AMD) over a communication channel that partially leaks information to an adversary. We assume the adversary is computationally unbounded and there is no shared key or correlated randomness between the sender and the receiver. We introduce leakage-resilient (LR)-AMD codes to detect algebraic manipulation in this model.

We consider two leakage models. The first model, called linear leakage, requires the adversary’s uncertainty (entropy) about the message (or encoding randomness) to be a constant fraction of its length. This model can be seen as an extension of the original AMD study by Cramer et al. [3] to when some leakage to the adversary is allowed. We study randomized strong and deterministic weak constructions of linear (L)LR-AMD codes. We derive lower and upper bounds on the redundancy of these codes and show that known optimal (in rate) AMD code constructions can serve as optimal LLR-AMD codes. In the second model, called block leakage, the message consists of a sequence of blocks and at least one block remains with uncertainty that is a constant fraction of the block length. We focus on deterministic block (B)LR-AMD codes. We observe that designing optimal such codes is more challenging: LLR-AMD constructions cannot function optimally under block leakage. We thus introduce a new optimal BLR-AMD code construction and prove its security in the model.

We show an application of LR-AMD codes to tampering detection over wiretap channels. We next show how to compose our BLR-AMD construction, with a few other keyless primitives, to provide both integrity and confidentiality in transmission of messages/keys over such channels. We discuss our results and suggest directions for future research.

Appendices

A Proof of Theorem 1: LLR-AMD

We prove the theorem for strong AMD codes (similar proof can be given for weak AMD codes). Let \(Enc/Dec\) denote a \((\mathbf {M},\mathbf {X}, \mathbf {R},\epsilon )\)-strong AMD code. The security property implies (when there is no leakage)

$$\begin{aligned} \forall m:~~ \max _{\delta } \mathop {\Pr }\limits _{R}(Dec(Enc(R;m)+\delta ) \notin \{m,\bot \}) \le \epsilon , \end{aligned}$$

(8)

where \(R\) is the uniform randomness of the encoder. For any \(m\) and \(\delta \), define \(\mathcal {R}_{fail}(m,\delta ) \subseteq \mathcal {R}\) as the set of \(r\) values that lead to the verification failure, by satisfying \(Dec(Enc(R;m)+\delta ) \notin \{m,\bot \}\). Since \(R\) is uniform, the probability that \(R \in \mathcal {R}_{fail}(m,\delta )\) equals to \(|\mathcal {R}_{fail}(m,\delta )|/\mathbf {R}\); thus, to write (8) as \(\forall m:~ \max _{\delta }|\mathcal {R}_{fail}(m,\delta )| \le \epsilon \mathbf {R}\). Let \(Z\) be any random variable such that the randomness \(R\) is \((1-\alpha )\)-weak conditioned on \(Z\) for \(0\le \alpha \le 1\), i.e., \(E_z \left( \max _{r} \Pr (R=r|Z=z) \le \mathbf {R}^{\alpha -1}\right) \). For any message \(m\), the probability of failure when \(Z\) is leaked to the adversary \(\mathcal {A}dv\) is upper bounded as

$$\begin{aligned}&\Pr (Dec(Enc(R;m)+\mathcal {A}dv(Z)) \notin \{m,\bot \})= E_z \left( \Pr (Dec(Enc(R;m)+\mathcal {A}dv(z)) \notin \{m,\bot \} |Z=z) \right) \\&~~~~~~ \le E_z \left( \max _{\delta } \Pr (R \in \mathcal {R}_{fail}(m,\delta ) ~|~ Z=z) \right) \le E_z \left( \max _{\delta } |\mathcal {R}_{fail}(m,\delta )| \max _r \Pr (R=r | Z=z)\right) \\&~~~~~~ = \max _{\delta } |\mathcal {R}_{fail}(m,\delta )| ~~ E_z \left( \max _r \Pr (R=r | Z=z) \right) \le \epsilon \mathbf {R}^\alpha . \end{aligned}$$

B Proof of Theorem 2: Weak AMD

We shall show that for the uniform message \(M \in \mathbb {F}^d\) and any \((\delta _m, \delta _t) \in \mathbb {F}^d \times \mathbb {F}\) such that \(\delta _m \ne 0\), it holds \(\Pr _{M}(f_{w}(M+\delta _m) = f_{w}(M)+\delta _t) \le \frac{2}{q}\). Since \(\delta _m = (\delta _{m,1}, \dots , \delta _{m,d}) \ne 0\), there exists at least non-zero one element \(\delta _{m,o} \ne 0\) for \(1\le o \le d\). This lets us write the term \(f_{w}(M+\delta _m) - f_{w}(M) - \delta _t\) as a polynomial of degree \(t-1\) with respect to the variable \(M_o\), i.e., \(Poly(M_o) \mathop {=}\limits ^{\varDelta }\)

$$\begin{aligned} f_{w}(M+\delta _m) - f_{w}(M) - \delta _t = \left[ \sum _{i=1}^{d} \left( M_i + \delta _{m,i} \right) ^t - M_i^t \right] - \delta _t = \sum _{j=1}^t {t \atopwithdelims ()j} \delta _{m,o}^j M_o^{t-j} + a_0, \end{aligned}$$

where \(a_0 = \left[ \sum _{i=1, i\ne o}^d \left( M_i + \delta _{m,i} \right) ^t - M_i^t \right] - \delta _t\) is the constant term. For any values of \((M_i)_{i\ne o}\), hence fixed \(a_0\), the polynomial \(Poly(M_o)\) evaluates to zero for at most \(t-1 \le 2\) (out of \(q\)) values of \(M_o\). The polynomial thus becomes zero with probability at most \((t-1)/q \le 2/q\), implying the failure probability bound.

The effective tag length of this code family when \(p=2\) is obtained as follows. For integers \(\kappa ,\nu \in \mathbb {N}\), let \(q = 2^{\kappa +1}\) and \(d=\lceil \nu / \log q \rceil \) so that both \(\epsilon =2/q \le 2^{-\kappa }\) and \(|\mathcal {F}^d|=q^d \ge 2^\nu \) are satisfied. By restricting the source space \(\mathcal {F}^d\) to only \(\mathbf {M}=2^\nu \) elements the code range will also reduce to \(\mathbf {X}=q2^\nu \) elements in \(\mathcal {F}^{d+1}\). This leads to \(\log \mathbf {X}- \nu = \nu + \log q - \nu = \kappa + 1\).

C Proof of Theorem 3: Tag Length

The proof relies on the results of the following lemma.

Lemma 2

For any weak, resp. strong, LLR-AMD code the failure probability is lower bounded as

$$\begin{aligned}& \epsilon \ge \max \{\left( (1-e^{-1}) \frac{\mathbf {M}-1}{\mathbf {X}-1}\right) ^{1-\alpha } ~,~ (1-e^{-1}) \mathbf {M}^\alpha \frac{\mathbf {M}-1}{\mathbf {X}-1}\}, \end{aligned}$$

(9)

$$\begin{aligned}& \text{ resp. }~~~ \epsilon \ge \left( (1-e^{-1}) \frac{\mathbf {M}-1}{\mathbf {X}-1}\right) ^{(1-\alpha )/2}. \end{aligned}$$

(10)

Proof

We start by the \((\mathbf {M},\mathbf {X},\alpha ,\epsilon )\)-weak LLR-AMD code. We shall show that for any such code there exists a message distribution \(M\in \mathcal {M}\), a leakage variable \(Z\) with \(\tilde{H}_\infty (M|Z) \ge (1-\alpha ) \log \mathbf {M}\), and an adversary whose success chance in changing \(M\) is lower bounded by (9). We choose \(M\) to be uniform and \(Z\) to be an \(\alpha \log \mathbf {M}\)-bit string that represents answers to the adversary’s \(\alpha \log \mathbf {M}\) questions about the codeword. The variable \(Z\) is such that each bit \(Z_i\) is defined by \(Z_i = Query_i(Z_1^{i-1},M)\), where \(Query_i\) shows the \(i\)th question. Let \(X=Enc(M)\) be the codeword for \(M\). The adversary can choose any non-zero adversarial noise \(\delta \in \mathcal {X}/\{0\}\) to be added to the \(X\). There are \(n=\mathbf {X}-1\) values for \(\delta \), at least \(t=M-1\) of which lead to valid codewords \(X+\delta \). Let \(\mathcal {X}^+\) be the set of such valid \(\delta \) values. If the adversary picks \(\delta \) randomly, her success chance will be \(\ge t/n\). We now describe the adversary’s strategy as follows. She first chooses a random subset \(\mathcal {H}_0 \subseteq \mathcal {X}/ \{0\}\) of size \(k=n/t\) and runs the following algorithm.

The size of \(\mathcal {H}\) at the end of the algorithm decreases to \(k/\mathbf {M}^\alpha \). The adversary succeeds with probability \(\mathbf {M}^\alpha /k\) if and only if \(\mathcal {H}_0 \cap \mathcal {X}^+\) is not empty, whose probability is obtained as

$$\begin{aligned}&\Pr (|\mathcal {H}_0 \cap \mathcal {X}^+|>0) = 1- \Pr (|\mathcal {H}_0 \cap \mathcal {X}^+|=0) = 1- \frac{{n-t \atopwithdelims ()k}}{{n \atopwithdelims ()k}} \\&~~ = 1- \frac{(n-k) \times \dots \times (n-k-t)}{n \times \dots \times (n-t)} \ge 1- (1-k/n)^t = 1 - (1-1/t)^t \ge 1- e^{-1}. \end{aligned}$$

This concludes the adversary’s success probability is at least \(\epsilon \ge (1-e^{-1}) \mathbf {M}^\alpha / k = (1-e^{-1}) \mathbf {M}^\alpha \frac{\mathbf {M}-1}{\mathbf {X}-1}\), which is the second term of (9). For the first term, we use the fact that the message size \(\mathbf {M}\) is such that after \(\alpha \log \mathbf {M}\) questions the adversary cannot guess the correct message with probability more than \(\epsilon \), and this implies \(\mathbf {M}^{1-\alpha } \ge 1/\epsilon \). We use this to write (noting that \(0\le \alpha \le 1\))

$$\begin{aligned} \epsilon ^{1/(1-\alpha )} \ge (1-e^{-1}) \frac{\mathbf {M}-1}{\mathbf {M}\mathbf {T}-1} ~\Longrightarrow ~ \epsilon \ge \left( (1-e^{-1}) \frac{\mathbf {M}-1}{\mathbf {X}-1}\right) ^{1-\alpha }. \end{aligned}$$

A similar argument can be used for the \((\mathbf {M},\mathbf {X},\mathbf {R},\alpha ,\epsilon )\)-strong LLR-AMD code: For uniform randomness \(R\) and the variable \(Z\) such that \(\tilde{H}_\infty (R|Z) \ge (1-\alpha ) \log \mathbf {R}\), the adversary can use a similar strategy to Algorithm 1 with \(\alpha \log \mathbf {R}\) questions to achieve the success chance of \(\epsilon \ge (1-e^{-1}) \mathbf {R}^\alpha \frac{\mathbf {R}(\mathbf {M}-1)}{\mathbf {X}-1}\), noting that there are at least \(\mathbf {R}(\mathbf {M}-1)\) valid \(\delta \) values in \(\mathcal {H}_0\). In a strong LLR-AMD code, the adversary is assumed to know the message. So the randomness size \(\mathbf {R}\) should be large enough to satisfy \(\mathbf {R}^{1-\alpha } \ge 1/\epsilon \). Combining this with the above shows the following for \(0 \le \alpha \le 1\) which proves (10).

$$\begin{aligned} \epsilon ^{2/(1-\alpha )} \ge (1-e^{-1}) \frac{\mathbf {M}-1}{\mathbf {X}-1} ~~\Longrightarrow ~~ \epsilon \ge \left( (1-e^{-1}) \frac{\mathbf {M}-1}{\mathbf {X}-1}\right) ^{(1-\alpha )/2}. ~~~~~~~~~~~~~~~~ \Box \end{aligned}$$

We use (9) to bound the effective tag length of weak AMD code families as

$$\begin{aligned} \log \mathbf {X}- \nu&\ge \log \frac{\mathbf {X}}{\mathbf {M}} = \log \left( \frac{\mathbf {X}}{\mathbf {M}-1} \times \frac{\mathbf {M}-1}{\mathbf {M}} \right) \ge \log \frac{\mathbf {X}-1}{\mathbf {M}-1} + \log (1-\mathbf {M}^{-1})\\&\ge \max \{ \frac{1}{1-\alpha } \log \frac{1}{\epsilon } ~,~ \log \frac{1}{\epsilon } + \alpha \log \mathbf {M}\} + \log (1-e^{-1}) + \log (1- \mathbf {M}^{-1}) \\&\ge \max \{\frac{\kappa }{1-\alpha } ~,~ \kappa + \alpha \nu \} -2. \end{aligned}$$

Similarly, (10) is used to bound the effective tag length of strong code families

$$\begin{aligned} \log \mathbf {X}- \nu \ge \frac{2}{1-\alpha } \log \frac{1}{\epsilon } + \log (1-e^{-1}) + \log (1- \mathbf {M}^{-1}) \ge \frac{2\kappa }{1-\alpha } -2. \end{aligned}$$

D Proof of Theorem 4: BLR-AMD

The code construction \(Enc_{blr}/Dec_{blr}\) is systematic, so we only need to show the security property. Let the message \(M \in \mathbb {Z}_q^d\) and \(Z\) follow the block leakage model such that for some \(o \in \{1,\dots ,d\}\) it holds that \(\tilde{H}_\infty (M_o|Z, (M_j)_{j\ne o} ) \ge (1-\alpha )\log q\). The decoding failure probability when \(Z\) is leaked to the adversary \(\mathcal {A}dv\) is upper bounded as

$$\begin{aligned}&\mathop {\Pr }\limits _{{M}}(Dec_{blr}(Enc_{blr}(M)+\mathcal {A}dv(Z)) \notin \{M,\bot \}) \nonumber \\&~ = E_z \left( \mathop {\Pr }\limits _{M}(Dec_{blr}(Enc_{blr}(M)+\mathcal {A}dv(z)) \notin \{M,\bot \} |Z=z) \right) \nonumber \\&~ \le E_z \left( \max _\delta \mathop {\Pr }\limits _{M}(Dec_{blr}(Enc_{blr}(M)+\delta ) \notin \{M,\bot \} |Z=z)\right) \nonumber \\&~ \mathop {=}\limits ^{(b)} E_z \left( \max _{\delta _m\ne 0, \delta _t} E_{(m_j)_{j\ne o}|Z=z} \big ( \mathop {\Pr }\limits _{{M_o}}(f_{blr}(M+\delta _m) = f_{blr}(M)+\delta _t |Z=z, (M_j=m_j)_{j\ne o}) \big ) \right) ~~\nonumber \\ \end{aligned}$$

(11)

Equality (a) follows from the law of total probability and the systematic construction of the BLR-AMD code. For fixed \((M_j=m_j)_{j\ne o}\in \mathbb {Z}_q^{d-1}\), \(\delta _m \in \mathbb {Z}_q^d\), and \(\delta _t \in \mathbb {F}_{q+1}\), we write the term \(f_{blr}(M+\delta _m) - f_{blr}(M) - \delta _t\) as

$$\begin{aligned} \sum _{i=1}^d \bigg [ \tau ^{\sum _j g_{i,j}(M_j+\delta _{m,j})} -&\tau ^{\sum _j g_{i,j}M_j} \bigg ] - \delta _t = \sum _{i=1}^{d} \bigg [ \Big (\tau ^{\sum _j g_{i,j} \delta _{m,j}} -1 \Big ) \tau ^{\sum _{j\ne o} g_{i,j} m_j} \tau ^{g_{i,o}M_o} \bigg ] \nonumber \\&\qquad - \delta _t = \sum _{i=1}^{d} \left[ a_i Y^{g_{i,o}} \right] + a_0 \mathop {=}\limits ^{\triangle } P_{\delta ,(m_j)_{j \ne o}}(Y), \end{aligned}$$

(12)

letting \(a_0=-\delta _t\), \(Y=\tau ^{M_o}\), and \(a_i\) be the coefficient of \(Y^{g_{i,o}}\) in the summation, i.e., \(a_i = \Big (\tau ^{\sum _j g_{i,j} \delta _{m,j}} -1 \Big ) \tau ^{\sum _{j\ne o} g_{i,j} m_j}\). Applying this to (11), we need to find an upper-bound on

$$\begin{aligned} E_z \left( \max _{\delta _m\ne 0, \delta _t} E_{(m_j)_{j\ne o}|Z=z} \big ( \Pr _{M_o}(P_{\delta ,(m_j)_{j \ne o}}(Y)=0 |Z=z, (M_j=m_j)_{j\ne o}) \big ) \right) . \end{aligned}$$

(13)

The polynomial \(P_{\delta ,(m_j)_{j \ne o}}(Y)\) is of degree at most \(\max _i(g_{i,o}) \le \psi d\) over \(\mathbb {F}_{q+1}\). Lemma 3 shows that the polynomial is non-constant since it has at least one non-zero coefficient.

Lemma 3

For any choice of message blocks \((M_j=m_j)_{j\ne o}\), \(\delta _m\ne 0\), and \(\delta _t\), the polynomial \(P_{\delta ,(m_j)_{j \ne o}}(Y)\) has at least one non-zero coefficient.

Proof

We prove the claim by contradiction. Assume that all \(a_i\)’s are zero, implying (\(\tau \) is a primitive element in \(\mathbb {F}_{q+1}\))

$$\begin{aligned} \forall 1\le i \le d:~~~ \Big (\tau ^{\sum _j g_{i,j} \delta _{m,j}} -1 \Big ) \tau ^{\sum _{j\ne o} g_{i,j} m_j} = 0 \in \mathbb {F}_{q+1} \Rightarrow ~ \sum _{j=1}^{d} g_{i,j}\delta _{m,j} = 0 \in \mathbb {Z}_q. \end{aligned}$$

The above can be written as \(\delta _m.G=0\) over \(\mathbb {Z}_q\), which holds only if \(\delta _m=0\) as \(G\) is non-singular. This contradicts the adversarial assumption \(\delta _m\ne 0\). \(\square \)

For any \(\delta \) (such that \(\delta _m\ne 0\)) and \((M_j=m_j)_{j\ne o}\), at most \(\psi d\) values of \(Y\) (hence \(M_o\)) make the polynomial evaluate to zero. Let \(\mathcal {M}_{o,fail}(\delta , (m_j)_{j\ne o})\) of size at most \(\psi d\) be the set of such \(M_o\) values that lead to decoding failure, implying

$$\begin{aligned} P_{\delta ,(m_j)_{j \ne o}}(Y)=0 \Longleftrightarrow M_o \in \mathcal {M}_{o,fail}(\delta , (m_j)_{j\ne o}). \end{aligned}$$

We prove security by upper-bounding the failure probability (13) as follows.

$$\begin{aligned}&E_z \left( \max _{\delta _m\ne 0, \delta _t} E_{(m_j)_{j\ne o}|Z=z} \big (\mathop { \Pr }\limits _{{M_o}}(P_{\delta ,(m_j)_{j \ne o}}(Y)=0 |Z=z, (M_j=m_j)_{j\ne o}) \big ) \right) \\&~~ = E_z \left( \max _{\delta _m\ne 0, \delta _t} E_{(m_j)_{j\ne o}|Z=z} \big ( \mathop {\Pr }\limits _{{M_o}}(M_o \in \mathcal {M}_{o,fail}(\delta ,(m_j)_{j\ne o}) |Z=z, (M_j=m_j)_{j\ne o}) \big ) \right) \\&~~ \le E_z \!\left( \max _{\delta _m\ne 0, \delta _t} E_{(m_j)_{j\ne o}|Z=z} \big ( |\mathcal {M}_{o,fail}(\delta ,(m_j)_{j\ne o})| \mathop {\max }\limits _{{m_o}} \mathop {\Pr }\limits _{{M_o}}(M_o =m_o |Z=z, (M_j=m_j)_{j\ne o})\big )\!\! \right) \\&~~ \mathop {\le }\limits ^{(a)} \psi d E_z \left( \max _{\delta _m\ne 0, \delta _t} E_{(m_j)_{j\ne o}|Z=z} \big ( \mathop {\max }\limits _{{m_o}} \mathop {\Pr }\limits _{{M_o}}(M_o =m_o |Z=z, (M_j=m_j)_{j\ne o}) \big ) \right) \\&~~ \mathop {=}\limits ^{(b)} \psi d E_z \left( E_{(m_j)_{j\ne o}|Z=z} \big ( \mathop {\max }\limits _{{m_o}} \mathop {\Pr }\limits _{{M_o}}(M_o =m_o |Z=z, (M_j=m_j)_{j\ne o}) \big ) \right) \\&~~ \mathop {=}\limits ^{(c)} \psi d E_{z,(m_j)_{j\ne o}} \big ( \mathop {\max }\limits _{{m_o}} \mathop {\Pr }\limits _{{M_o}}(M_o =m_o |Z=z, (M_j=m_j)_{j\ne o}) \big )\\&~~ \mathop {\le }\limits ^{(d)} \frac{\psi d}{q^{1-\alpha }}. \end{aligned}$$

Inequality (a) holds since we have \(|\mathcal {M}_{o,fail}(\delta ,(m_j)_{j\ne o})|\le \psi d\), equality (b) is attained by removing \(\max _{\delta }\) as the expression has become independent of this parameter, equality (c) uses the law of total probability, and inequality (d) follows the assumption that \(\tilde{H}_\infty (M_o|Z, (M_j)_{j\ne o}) \ge (1-\alpha )\log q\).

E Proof of Theorem 5

For uniform message \(M \in \mathbb {Z}_q^d\), let \(T=f_{blr}(M) \in \mathbb {F}_{q+1}\) denote the tag calculated by the BLR-AMD code and \(X=(M,T)=(X_1,\dots ,X_{d+1})\) denote the codeword. Let \(\eta =\log _u(q+1) \in \mathbb {N}\). For the purpose of \(u\)-ary transmission over \((u,p)\)-EWC, we replace each message block in the codeword by a sequence of \(\eta \) symbols over \(\mathcal {F}_u\); hence, each codeword element \(X_i\) consists of \(\eta \) channel symbols. The theorem provides two bounds, namely \(\epsilon _{blr1}\) (4) and \(\epsilon _{blr2}\) (5), on the BLR-AMD detection failure probability under two different conditions of \(p>0.5\) and \(p^{p^{-1}}>u^{-1}\), respectively. To prove the two bounds, we provide different approaches to bounding the failure probability of the code.

Approach 1: Proving \(\epsilon _{blr1}\) in (4) for \(p>0.5\). Considering \(0.5 < \beta <p\), any message block \(M_o\) for \(o \in \{1,\dots ,d\}\), and the tag \(T\), we shall study two events: \(\mathcal {E}_1\) that the channel leakage leaves \((2\beta -1)\log (q)\) bits of leftover min-entropy in \(M_o\) and \(\mathcal {E}_2\) that the BLR-AMD decoder detects adversarial tampering (assuming \(\mathcal {E}_1\) holds). The failure probability will be then bounded as \(\epsilon _{blr1}\le \Pr (\overline{\mathcal {E}_1})+\Pr (\overline{\mathcal {E}_2})\).

Let \(\eta _o\) and \(\eta _t\) be the numbers of symbols erased from \(M_o\) and \(T\), respectively. We have from the chain rule of min-entropy

$$\begin{aligned} \tilde{H}_\infty (M_o|Z,(M_i)_{i\ne o}) \ge \tilde{H}_\infty (M_o|(M_i)_{i\ne o}) \!-\! (\eta -\eta _t) \log (u) = (\frac{\eta _o +\eta _t}{\eta } - 1) \log (q). \end{aligned}$$

Noting that \(\Pr (\overline{\mathcal {E}_1}) = \Pr (\eta _o+\eta _t < 2\beta \eta )\), we obtain this probability as

$$\begin{aligned} \Pr (\overline{\mathcal {E}_1}) = \sum _{i=0}^{\lfloor 2 \beta \eta \rfloor } {2 \eta \atopwithdelims ()i} p^i (1-p)^{2 \eta -i} \le e^{-\frac{(p-\beta )^2}{2p}2\eta } = e^{-\frac{(p-\beta )^2}{p}\log _u(q+1)} = (q+1)^{-\frac{(p-\beta )^2}{p\ln (u)}}, \end{aligned}$$

where the inequality follows the Chernoff bound. When \(\mathcal {E}_1\) holds, the leftover min-entropy of \(M_o\) shows the uncertainty rate of \(1-\alpha \ge 2\beta -1\). From Theorem 4, the BLR-AMD decoder fails with probability \(\Pr (\overline{\overline{\mathcal {E}_2}}) \le \frac{\psi d}{q^{2\beta -1}}\). Proof is completed.

Approach 2: Proving \(\epsilon _{blr2}\) in (5) for \(p^{p^{-1}}>u^{-1}\). The condition on \(p\) implies \(p > \zeta \) for \(\zeta = \log _u(1/p)\). Choosing \(\zeta < \beta < p\), we consider three events: \(\mathcal {E}_1\) that there is (at least) one message block \(M_o\), \(o \in \{1,\dots ,d\}\) that is completely erased, \(\mathcal {E}_2\) that at least \(\beta \eta \) symbols are erased from the tag \(T\), and \(\mathcal {E}_3\) that the BLR-AMD decoder detects adversarial tampering (assuming that \(\mathcal {E}_1\) and \(\mathcal {E}_2\) hold). The overall failure probability is bounded as \(\epsilon _{blr2} \le \Pr (\overline{\mathcal {E}_1}) + \Pr (\overline{\mathcal {E}_2}) + \Pr (\overline{\mathcal {E}_3})\).

A message block \(M_i\) is completely erased with probability \(p'\ge p^{\eta }=p^{\log _u(q+1)}=(q+1)^{\log _u(p)}=(q+1)^{-\zeta }\). This implies \(\Pr (\overline{\mathcal {E}_1}) = (1-p')^d \le e^{-p'd} = e^{-\frac{d}{(q+1)^{\zeta }}}\). On the other hand, \(\mathcal {E}_2\) holds except with probability

$$\begin{aligned} \Pr (\overline{\mathcal {E}_2}) = \sum _{i=0}^{\lfloor \beta \eta \rfloor } {\eta \atopwithdelims ()i} p^i (1-p)^{2 \eta -i} \le e^{-\frac{(p-\beta )^2}{2p}\eta } = (q+1)^{-\frac{(p-\beta )^2}{2p\ln (u)}}. \end{aligned}$$

Provided that \(\mathcal {E}_1\) and \(\mathcal {E}_2\) holdd, the leftover min-entropy of \(M_o\) is bounded as

$$\begin{aligned} \tilde{H}_\infty (M_o|Z,(M_i)_{i\ne o}) \ge \tilde{H}_\infty (M_o|(M_i)_{i\ne o}) - (1-\beta )\eta \log (u) = \beta \log (q), \end{aligned}$$

which implies the uncertainty rate of \(1-\alpha \ge \beta \) and BLR-AMD decoding failure probability of \(\Pr (\overline{\mathcal {E}_3})\le \frac{\psi d}{q^\beta }\) (from Theorem 4). This completes the proof.

F Proof of Proposition 2

The code rate \(\frac{d}{2(d+1)}\) comes from the product of rates of the Manchester and the BLR-AMD codes. We show that the failure probability is precisely that of the BLR-AMD code over \(p\)-BEWC (or \(p/2\)-BSWC), which equals \(\epsilon _{blr1}\) for \(p>0.5\). We show this by discussing that using on-off keying and Manchester coding causes a bitwise manipulation adversary to be either detected or behave like an additive (keep and flip) adversary, whose manipulation is detected by the BLR-AMD code from Theorem 5. For message \(M\), we denote the \(n\)-bit codeword \(X=Enc_b(M)\), where \(n=2(d+1)v\), by \(X=(X_1,X_2,\dots ,X_n)\).

On-off keying prevents the adversary from set-to-0 tampering [1, Appendix I]. She thus remains with keep, flip, and set-to-1 functions. Considering such an adversary, let \(Tamp_A=(t_1,t_2,\dots ,t_{n})\) be the sequence of bit-manipulation functions over the set of keep, flip, and set-to-1. We claim that \(Dec_{mn}(Tamp_A(X)) \in \{\bot , Dec_{mn}(Tamp_S(X))\}\), where \(Tamp_S=(t'_1,t'_2,\dots ,t'_{n})\) is an “additive” manipulation sequence such that \(\forall 1\le i \le n/2: (t'_{2i-1},t'_{2i}) =\)

$$\begin{aligned} \!\!{\left\{ \begin{array}{ll} \text{(keep, } \text{ keep) },~~ (t_{2i-1},t_{2i}) \in \{\text{(keep, } \text{ set-to-1) }, \text{(set-to-1, } \text{ keep), } \text{(set-to-1, } \text{ set-to-1) }\}\\ \text{(flip, } \text{ flip) },~~~~~ (t_{2i-1},t_{2i}) \in \text{(flip, } \text{ set-to-1) },\text{(set-to-1, } \text{ flip) }\}\\ (t_{2i-1},t_{2i}),~~~~ \text{ else } \end{array}\right. } \end{aligned}$$

(14)

We consider the case where \(Dec_{mn}(Tamp_A(X))\ne \bot \) since otherwise we are done with the proof. For every \(1\le i \le n/2\), the pair of codeword bits \((X_{2i-1},X_{2i})\) are either \(01\) or \(10\). We prove the claim by showing in both of these cases \((t'_{2i-1}(X_{2i-1}),t'_{2i}(X_{2i}))= (t_{2i-1}(X_{2i-1}),t_{2i}(X_{2i}))\). We show the equality for \((X_{2i-1},X_{2i})=01\) and the other case can be argued similarly: The equality holds trivially from (14) if the pair \((t_{2i-1},t_{2i})\) does not include any set-to-1 function; if not, the only valid options are \((t_{2i-1},t_{2i}) \in \{\text{(keep, } \text{ set-to-1) },\text{(set-to-1, } \text{ flip) }\}\) for which the equality again holds.

G Proof of Proposition 3

For parameters \(d\) and \(v\) of the BLR-AMD code, let \(n=2(d+1)v\) and \(k=dv\). The codeword \(C=Enc_{wb}(M)\) is obtained by applying three encoding functions sequentially. The first (wiretap) encoding gives \(X=Enc_w(M) \in \{0,1\}^k\) which is uniform for the uniform message \(M \in \{0,1\}^t\). The second (BLR-AMD) encoding gives \(Y=(X,f_{blr}(X)) \in \{0,1\}^{n/2}\), and the third (Manchester) encoding results in \(C=Enc_{mn}(Y)\). The code rate is \(t/n= (td)/(2k(d+1))\). The detection failure probability equals that of the code \(Enc_b/Dec_b\) and uniformity of \(X\) (see Proposition 2). It remains to prove the privacy property of the code.

We prove privacy for \(p\)-BEWC (noting that it also works for \(p/2\)-BSWC). Manchester encoder \(Enc_{mn}\) appends to each bit of \(Y\) its negation. If both a bit and its negation are erased by \(p\)-BEWC (which occurs with probability \(p'=p^2\)), Eve cannot discover the bit. This implies that Eve’s view \(Z=BEC_p(C)\) can be built from \(Z'=BEC_{p'}(Y)\), i.e., the view over the \(p'\)-BEC without Manchester coding. We thus remove Manchester coding and assume that Eve’s view is \(Z'=(Z'_1,Z'_2)\), where \(Z'_1=BEC_{p'}(X)\) and \(Z'_2=BSC_{p'}(f_{blr}(X))\). We conclude

$$\begin{aligned}&I(M;Z) = I(M;Z'_1,Z'_2) = I(M;Z'_1) + I(M;Z'_2|Z'_1) \le I(M;Z'_1) + H(Z'_2) \\&~~~ \le I(M;Z'_1) + (n/2-k) \le I(M;Z'_1) + v ~~~\Rightarrow ~~~ I(M;Z)/t \le \epsilon + v/t \le 2\epsilon . \end{aligned}$$

H Non-singular Matrix Construction

Let \(H\) be a \(d\times d\) diagonal matrix over (field) \(\mathbb {Z}_q\), where \(q\) is prime and \(d < 3 q\), with entries \(H_{i,i}=i\) for \(1 \le i \le d\). The following algorithm converts \(H\) into a non-singular matrix that has non-identical entries in each and every column. It is easy to show that the value of \(s\) is always upper bounded by \(2i\) and thus at the end, all entries in resulting matrix are less or equal to \(2d+d=3d\).