
Protection of keys against modification attack


QUALITY AND RELIABILITY ENGINEERING INTERNATIONAL

Qual. Reliab. Engng. Int. 2002; 18: 217–230 (DOI: 10.1002/qre.476)

PROTECTION OF KEYS AGAINST MODIFICATION ATTACK

WAI W. FUNG¹∗, MORDECAI J. GOLIN¹ AND JAMES W. GRAY, III²

¹Department of Computer Science, HKUST, Clear Water Bay, Kowloon, Hong Kong
²RSA Security Inc., 2955 Campus Drive, Suite 400, San Mateo, CA 94040, USA

SUMMARY

In 1997, Anderson and Kuhn described an attack against tamper-resistant devices wherein a secret key stored in EEPROM is compromised using a simple and low-cost attack. The attack consists of setting bits in the EEPROM using low-cost probes and observing the effect on the output of the device. These attacks are extremely general, as they apply to virtually any cryptosystem. The objective of the present work is to explore cryptographic techniques with the goal of raising the cost (in terms of time and money) of carrying out the EEPROM modification attack by class I attackers, at least to a point where it is as prohibitive as the cost of purchasing more expensive equipment. We propose the m-permutation protection scheme in which the key will be encoded in a special way and burned into the EEPROM of the device. To attack the scheme, the attacker needs to be able to solve for K in the equation $K = \bigoplus_{i=1}^{m} P_i$, in which the $P_i$'s are unknown. It is observed that the m-permutation protection scheme does not distribute the key K uniformly. However, analysis shows that m = 3 or m = 5 are already good enough practically to provide strong security if the encoding is done properly, and that m > 5 may not give significant improvement to the security of the scheme. Copyright 2002 John Wiley & Sons, Ltd.

KEY WORDS: modification attack; permutation; tamper-resistant; Chernoff bound

INTRODUCTION

In 1997, Anderson and Kuhn introduced a low-cost attack called the EEPROM modification attack [3]. This is a physical attack in which two low-cost microprobing needles† are used, with the help of a microscope and micromanipulators, to set or clear target bits in an effort to infer those bits. In addition to being low-cost, this attack is quite general and practical. The objective of the present work is to explore techniques of raising the cost (in terms of time and money) of carrying out an EEPROM modification attack, at least to the point where it is more expensive than EEPROM reading equipment. From the taxonomy of attackers proposed by IBM [1], attackers can be categorized into three classes: class I (clever outsiders with moderately sophisticated equipment), class II (knowledgeable insiders) and class III (funded organizations). The proposed solution aims primarily to protect against class I attackers.

In this attack, we assume that attackers can write arbitrary values to arbitrary locations of an EEPROM and the location of the key within EEPROM is known. This is in fact often the case, since, in practice, a DES key is often stored in the bottom 8 bytes of the EEPROM. We also assume that EEPROM bits cannot be read directly, since equipment to sense the value of an EEPROM bit is substantially more expensive than the microprobing needles.

∗Correspondence to: W. W. Fung, Room 2804, Block C, Hong Tin Court, Lam Tin, Kowloon, Hong Kong. Email: [email protected]

Contract/grant sponsor: Hong Kong Research Grant Council

†Such microprobing needles can be obtained for only US$5 each.

Anderson and Kuhn's attack makes use of the key parity errors implemented in many applications utilizing DES. Their assumption is that the tamper-resistant device will not work (e.g. returning an error condition) whenever a key parity error is detected. We will see below that this assumption is not strictly necessary for a successful attack.

The paper is structured as follows. We first describe the EEPROM modification attack. Then, various possible protection schemes will be discussed and we argue that it is not an easy problem. Our proposed scheme for protecting the keys against the modification attack will then be introduced and analyzed.

The EEPROM modification attack

Anderson and Kuhn's original attack proceeded as follows.

Modification attack

    loop for i from 0 to length(key) − 1
        randomly set the ith bit to 1 (or 0, it doesn't matter)
        operate (e.g. encrypt or sign) with the device
        if (device works) then
            conclude the bit was a 1
        if (key parity error message appears) then
            re-set the bit to 0 (as it was 0)
    loopend

Although Anderson and Kuhn originally described the above attack with respect to a DES key and the associated key-parity bits, the attack can be generalized for an arbitrary key, with or without key-parity bits. In particular, to infer bit i, the attacker runs the device once before setting bit i and once after setting bit i to one. If the output changes in any way (e.g. giving a key parity error or simply giving a different output), we know the original value for bit i is zero; if there was no change, the original value was one. Thus, the attack is quite general and efficient and can be applied to virtually any key stored in a known EEPROM location.

A CLOSER LOOK

In our discussion, we use K to denote the actual key bit vector. That is, the key value to be used by the card in encrypting, signing and so on. P will be used to denote the physical key bit vector. It is the actual bit pattern stored in the EEPROM and is not necessarily the same as K. In particular, it may represent some encoding of K and may take up more space than K would.

There are at least two weaknesses that the modification attack exploits. The first is that P = K; that is, the key is stored bare in the device and hence every bit compromised is the actual key bit to be used in the encryption process. The second is that the key parity error enables the attacker to know with 100% certainty whether the current bit was changed or not. Together, these two weaknesses allow the attack to be performed fast, using O(n) probes, where n is the length of K.

These observations lead us to consider possible protection schemes that could help close these loopholes. At first, it may seem that there are easy ways of foiling the modification attack. We will discuss a few ideas and why they do not work.

Hiding the key in a random location

One may think it would help if we store the key in a random location; thus the attacker would not know where exactly, within the EEPROM, to apply his attack.

By the following reasoning, this approach adds negligible security to the system. Whenever the key needs to be used, its address (e.g. its offset within EEPROM) needs to be retrieved. That is, the actual address of the key needs to be stored on the card. However, is this address stored at some fixed location? If it is, the address becomes, essentially, part of the key; the attacker begins his attack by reading (via a modification attack) the address of the key and then continues by reading the actual key. If the address is not stored in a fixed location—perhaps it is also stored in a random location—then the address' address needs to be stored on the card. Now is the address' address stored in a fixed location?

Clearly, we cannot perform address indirection ad infinitum; at some point, we need to store something in a fixed location. That something is, essentially, the key. Thus, storing the key in a random location and using it indirectly does not, in itself, solve our problem. It succeeds in making the attacker's job a little bit harder because he needs to find the address before finding the actual key, but the attack can still be done in O(n) time. For the above reason, the model we will set out in the next section assumes that the key is stored in a fixed location within EEPROM.

On-chip reprogramming

Another approach that comes to mind immediately is for the card to keep track of the number of faults occurring during its use (using, for example, a counter) and erase the key once a certain threshold is reached. In fact, one can imagine any number of possible booby traps that could be set for the attacker, foiling with high probability any attempt to use an EEPROM modification attack.

This seems like a good solution. For example, if we erase the key the first time a key parity error is detected, the attacker would cause an error with probability $1 - 2^{-n}$ (for an n-bit key). Thus, the key would probably be erased by the third or fourth bit being attacked. For large n, the attacker's probability of obtaining the complete key would be negligible.

However, this approach again adds only a small amount of security. As pointed out by Anderson and Kuhn [2], on-chip reprogramming of the EEPROM requires a programming voltage that would need to be generated using a large capacitor. Further, such capacitors can be identified under a microscope and destroyed, thus removing the on-chip EEPROM reprogramming capability of the card. Hence, the model we set out in the next section will rule out reprogramming of the EEPROM.

MODEL

We will make several assumptions in our discussion. Firstly, class I attackers, namely clever outsiders with moderately sophisticated equipment, are assumed. In particular, we do not attempt to address attacks by insiders or attacks utilizing military-grade equipment. Secondly, it is assumed that P is stored in EEPROM and that the attacker cannot read the EEPROM directly. Finally, we assume the attacker is not able to see the exact wiring‡ of the device. In particular, part of the wiring will be hidden beneath the surface of the chip (i.e. in one of the lower layers) during the chip fabrication process. Attackers can reverse engineer the chips to recover the hidden wirings, but it would be a costly process and it requires special expertise§ as well. Only class III attackers could probably perform such a reverse engineering process.

This wiring is considered to be the 'batch key', which is known only to the manufacturers and to those who need to program the device. For example, the devices would be manufactured in batches of 10 000, all with the same batch key. A single customer, say a bank, would purchase a batch of devices and would be given the batch key. This would enable them to program keys into the card.

On the other hand, we will assume that the attacker can get hold of the device and can operate it as many times as he wishes. Other than the hidden wiring, the algorithm is open and we assume the attacker knows the details of the protection scheme.

A protection scheme is formally specified by the following entities:

(1) n, the length of the actual key K;
(2) p, the length of the physical key P;
(3) the function encode will be used at the card-programming/card-issuing organization (e.g. the bank); it will generate a pattern to be burned into the chip:

    $\mathrm{encode} : \{0, 1\}^n \longrightarrow \{0, 1\}^p$

(4) the decoding functions and wiring functions will be implemented by the chip manufacturer. For each actual key bit i, 0 ≤ i < n, the following apply.

• Define $A_i$ to be the arity of the ith decoding function. (Note that in practice, $A_i \ge 1$.)
• The ith decoding function $\mathrm{decode}_i$ is the function producing the ith bit of the actual key K given $A_i$ bits of the physical key P:

    $\mathrm{decode}_i : \{0, 1\}^{A_i} \longrightarrow \{0, 1\}$

• The ith wiring function determines the offset within P from where a wire is connected to the ith decoding function:

    $\mathrm{wiring}_i : \{1, \ldots, A_i\} \longrightarrow \{0, 1, \ldots, p - 1\}$

For example, $\mathrm{wiring}_i(j) = k$ means the jth input bit for the ith decoding function is wired from the kth bit of P.

‡The wirings can help us implement some permutation functions. We will discuss more on this later.
§The initial stage of the reverse engineering process requires a high-power microscope which can cost more than US$40 000, depending on the accuracy in the digital stage, to magnify and divide the whole chip into thousands of sub-areas. Pictures are then taken and put together like a jigsaw puzzle.

For any valid protection scheme, we require that the same K will be decoded from its encoded version by the chip. That is, if the actual key is $K = k_0 k_1 \ldots k_{n-1}$ and the physical key is P = encode(K), we require that for all i, 0 ≤ i < n,

    $k_i = \mathrm{decode}_i(P[\mathrm{wiring}_i(1)], \ldots, P[\mathrm{wiring}_i(A_i)])$

With respect to this model (see Figure 1), the attacker is assumed to know the location of P as well as the decoding functions $\mathrm{decode}_i$ and the wiring functions $\mathrm{wiring}_i$. Of course, the card manufacturer can choose to keep all these secret. However, our protection schemes will be designed under Kerckhoffs' principle [6], in which the security of a cryptosystem is not based on the secrecy of what system is being used.

The attacker can use the microprobing needles to write a 0 or 1 to any location of the EEPROM storage for P. Each of the attacker's writes to the EEPROM is called a probe.

Notice that the actual key K will not be stored anywhere in the chip. If the chip needs the actual key K for cryptographic activities such as encryption/decryption, the chip will decode for the actual K, which will then be passed directly to the circuits performing the required cryptographic functions.

[Figure 1. Schematic diagram of the model for a secure chip. Chip programming process: the actual key K is passed through encode to produce P, which is burned into the EEPROM. Secure key storage chip (protection scheme): P is loaded into a p-bit register whose outputs go, through the hidden wiring, to the decoding functions $\mathrm{decode}_0, \mathrm{decode}_1, \ldots, \mathrm{decode}_{n-1}$, which output the bits $k_0, k_1, \ldots, k_{n-1}$ of the actual key K.]

POSSIBLE PROTECTION SCHEMES

Introducing redundancy

In this approach, P is chosen to be a redundant representation of K. The idea is that even when some bits of P are changed, there will be no change in the output. It is tempting to think we will be able to design the wiring and decoding functions so that by the time an attacker is able to infer some bits of the actual key, other bits will be destroyed. In this way, the attacker would not be able to recover the entire key.

In this section, we illustrate this idea with an example that employs a voting function and conclude that for any deterministic decoding and wiring function, there would not be any real benefit. In particular, the attacker can always break the scheme in O(p) time (where p is the length of the physical key).

Voting scheme. A simple voting scheme can be set up as follows. We choose P to be three times the size of K. When a new device is to be programmed and issued with, say, an n-bit key, $K = k_0 k_1 \ldots k_{n-1}$, we create P as follows. For each i, we will program three bits of P such that two of the bits are equal to $k_i$ and the third is equal to the complement, $\overline{k_i}$. These three bits will be stored in locations P[3i], P[3i + 1] and P[3i + 2]. However, the ordering of these three bits (i.e. which one will be the complement) will be chosen randomly at the device programming time. This defines the encode function in our model. In addition, this scheme also defines p = 3n, $\forall i,\ A_i = 3$, and $\forall i, j,\ \mathrm{wiring}_i(j) = 3i + j - 1$.

To re-derive K from P, we can use the voting function which sets $k_i$ to be the majority function of the values in the (3i)th, (3i + 1)th, (3i + 2)th locations of P. That is, $\mathrm{decode}_i(P[3i], P[3i + 1], P[3i + 2])$ = the bit value which occurs most often in the triple.

Although somewhat more complicated than the previous approaches, the attacker can still successfully carry out an EEPROM modification attack on this scheme. The only difference is that the exact bit pattern of P might not be retrieved; instead, the bit pattern of a modified P will be recovered by the attacker. This is due to the fact that each decoding function, $\mathrm{decode}_i$, is many-to-one. That is, $\mathrm{decode}_i(1, 1, 0) = \mathrm{decode}_i(1, 0, 1) = \mathrm{decode}_i(0, 1, 1) = \mathrm{decode}_i(1, 1, 1) = 1$; hence bit pattern 110 and any of its permutations, as well as 111, will all give the same result. Similarly, $\mathrm{decode}_i(1, 0, 0) = \mathrm{decode}_i(0, 1, 0) = \mathrm{decode}_i(0, 0, 1) = \mathrm{decode}_i(0, 0, 0) = 0$. Therefore, there exist a number of possible bit patterns, P′, that evaluate to each K under this scheme. However, this does not affect the attack. So long as the attacker obtains some P′ that results in the actual value of K, the attacker has succeeded. If during the EEPROM modification attack, the attacker ever modifies too many bits, a different K will be generated and a different output¶ will be observed. At that point, the attacker can always correct the modified bit and go on. In this way, a usable P′ (of length 3n) can be found in only one pass of the 3n bits. Since (on average) half the key bits will need to be corrected, the expected number of probes in this attack is (4.5)n.
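As an added illustration (my own code, not the paper's), here is the voting scheme written out in the model's own terms: `encode_voting` is encode with p = 3n, `wiring(i, j)` is $\mathrm{wiring}_i(j) = 3i + j - 1$, `decode_bit` is the majority function, and `preimages` enumerates the triples that each $\mathrm{decode}_i$ maps to a given bit, which is the many-to-one property just discussed. All function names are assumptions of this example.

```python
import random
from typing import List, Tuple

# Added example: the voting scheme from the text, expressed in the paper's model
# (n-bit actual key K, p = 3n physical bits P, arity A_i = 3 for every i).
# Function names are my own, not the paper's.

def encode_voting(K: List[int], rng: random.Random) -> List[int]:
    """encode: for each key bit k_i, store two copies of k_i and one complement
    in P[3i], P[3i+1], P[3i+2]; which slot holds the complement is chosen at
    random at device programming time."""
    P: List[int] = []
    for k in K:
        triple = [k, k, 1 - k]
        rng.shuffle(triple)
        P.extend(triple)
    return P

def wiring(i: int, j: int) -> int:
    """wiring_i(j) for j in {1, 2, 3}: offset within P of the j-th input wire
    of the i-th decoding function."""
    return 3 * i + j - 1

def decode_bit(a: int, b: int, c: int) -> int:
    """decode_i: the bit value occurring most often in the triple (majority)."""
    return 1 if a + b + c >= 2 else 0

def decode_voting(P: List[int]) -> List[int]:
    """Re-derive K from P through the wiring and decoding functions."""
    n = len(P) // 3
    return [decode_bit(*(P[wiring(i, j)] for j in (1, 2, 3))) for i in range(n)]

def preimages(bit: int) -> List[Tuple[int, int, int]]:
    """All 3-bit inputs that decode_i maps to `bit`: the decoding function is
    many-to-one, so a modified P' can still decode to the same K."""
    return [(a, b, c) for a in (0, 1) for b in (0, 1) for c in (0, 1)
            if decode_bit(a, b, c) == bit]

def roundtrip_ok(n: int, seed: int) -> bool:
    """Constructed check: a random n-bit key survives encode followed by decode."""
    rng = random.Random(seed)
    K = [rng.randrange(2) for _ in range(n)]
    return decode_voting(encode_voting(K, rng)) == K

if __name__ == "__main__":
    print("triples decoding to 1:", preimages(1))
    print("56-bit round trip:", roundtrip_ok(56, 2002))
```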

Some may think that the situation might improve if a more complicated function is designed and more redundancy is used in P. However, the above attack indicates that once there is a change in the output of the device, the attacker infers the value of a bit in P. Thus, a modified P′ can be found in O(p) probes. This suggests the following proposition.

Definition 1. A protection scheme is a five-tuple $(\mathcal{K}, \mathcal{P}, E, W, D)$ in which:

(1) $\mathcal{K}$ is the n-bit actual key space $\{0, 1\}^n$ and $K \in \mathcal{K}$ is an n-bit key to be protected;
(2) $\mathcal{P}$ is the p-bit physical key space $\{0, 1\}^p$ and $P \in \mathcal{P}$ is the bit stream stored in the EEPROM;
(3) E is the set of encoding functions and $E : \mathcal{K} \longrightarrow \mathcal{P}$;
(4) W is the wiring function; and
(5) D is the decoding function.

Proposition 1. For any protection scheme $(\mathcal{K}, \mathcal{P}, E, W, D)$, if W and D are known, deterministic functions, then an attacker can break the protection scheme (that is, find K) in O(p) probes.

¶For example, a parity error, or other outcome from the cryptographic operation.

This proposition can be proved by induction. Assume that P is p bits long. Before the attack starts (i.e. at iteration 0), the device is producing a given output, say α. We prove that after O(p) probes, the attacker can find some P′ which will be decoded to a key that results in a device output of α. From the known and deterministic functions W and D, the attacker can find K.

The attack is performed iteratively. In the first iteration, bit 0 of P is set to 1 and the output is checked. If there is a change, bit 0 is reset to 0. At this point, the card will again output α, since it is impossible that the device does not output α for either 1 or 0. (Recall that device reprogramming is ruled out.) For the induction step, if the device outputs α at iteration k, by a similar argument, the attacker can choose between 0 and 1 for the bit value of the (k − 1)th bit. As each step of the iteration takes at most two probes (on average 1.5 probes) and the attack completes in p iterations, the attack succeeds in O(p) probes. Hence we have Proposition 1.

Corollary 1. For any protection scheme $(\mathcal{K}, \mathcal{P}, E, W, D)$, if W and D are known deterministic functions and p is a linear function of n, then an attacker can break the protection scheme in O(n) probes.

This corollary suggests that if we want a scheme that costs the attacker more than O(p) probes, we must have something secret. Due to Kerckhoffs' principle, we would not consider using secret decoding functions. Rather, we will make use of hidden wirings to help the protection. We will implement a family of functions via the hidden wires so as to make it time-expensive for the attacker to find the particular function instance being used. One possible choice is the permutation.

Permutation

In this approach, the manufacturer chooses (as the batch key) a random permutation of the n-bit key. This permutation is used to form P at device-programming time. This batch key is very sensitive information and the manufacturer must be working with the clients (e.g. banks) to make sure that this information can only be accessed by as few as possible of the personnel. Special management procedures must be designed to eliminate the possibilities of introducing class II attackers.

To restore the actual key K, the wirings are used to invert the permutation. From the attacker's point of view, even though he does not know the permutation, he can proceed as follows. First, the attacker applies the original attack and, with n probings, finds the n bits of P. At this point, the attacker does not know the permutation. Hence, he does not know the actual key, K. However, if a secret-key encryption scheme is used in the device and the encryption algorithm is known, then the attacker can find the permutation in an additional O(n) probes. In particular, the wiring pattern can be found as follows. As the attacker knows the function of the device (e.g. encryption using DES), he can find the device output corresponding to an arbitrarily selected input (using, for example, a PC) using the following n (i.e. for DES n = 56) actual keys: 0 . . . 01, 0 . . . 10, . . . , 10 . . . 0. Call these n outputs $\alpha_1, \ldots, \alpha_n$.

After computing the $\alpha_i$, the attacker uses probes to write 0 . . . 01 to the area storing P, operates the device and compares the encrypted result with all the $\alpha_i$. Since the protection scheme is simply a permutation, one of the $\alpha_i$ will match. Thus, the first wiring line is identified. Continuing with the remaining n − 1 patterns (0 . . . 10, . . . , 10 . . . 0), all the wiring information can be revealed. Thus, the key K is found in O(n) probes.

Protection via m permutations

In all the protection attempts described above, the attacker can find the key in O(n) probes (assuming p is a linear function of n). One may naturally wonder: is it possible to devise a scheme that can provide protection against the modification attack?

In this section, we show that by cascading (i.e. taking the cross product of) m permutations (for m ≥ 2), we can achieve a design that will be more expensive for the attacker to perform the modification attack against.

Consider the case where m = 2. We proceed as follows.

• p = 2n.
• The device manufacturer chooses (randomly) two distinct permutation functions $\pi_1$ and $\pi_2$.
• Let K be the n-bit actual key. The chip will store $P = \pi_1(K) \cdot \pi_2(K)$ (where · denotes concatenation and in this paper, we overload the notation so that $\pi_i(K)$ = K permuted by $\pi_i$).
• The wirings implement the inverses of both permutations. In particular, $\mathrm{wiring}_i(1) = \pi_1(i)$ and $\mathrm{wiring}_i(2) = \pi_2(i) + n$.
• To restore the key, we require that for each i, $P[\mathrm{wiring}_i(1)] = P[\mathrm{wiring}_i(2)]$. That is, if all n decoding functions receive matching inputs, a key is output; otherwise an error is given. In the case where a key is output, $\mathrm{decode}_i(x, x) = x$.

To restore the wirings, an attacker can proceed as follows.

Attack

    set all bits of P to 0
    loop for i from 0 to n − 1
        set bit i of P to 1
        loop for j from 0 to n − 1
            set bit n + j of P to 1 and test
            if (ok) then
                record the wiring
                reset bit n + j of P to 0
                exit from this inner loop
            ifend
            reset bit n + j of P to 0
        loopend
        reset bit i of P to 0
    loopend

On average, it will take ((n − 1) + 1)/2 = n/2 trials to fix the 0th wiring, (n − 1)/2 trials for the first wiring and so on. This arithmetic sum is of the order of $n^2/4$. For example, with a 128-bit key, it is expected to take about $2^{12}$ probes to get the wiring information.

To further increase this number, we can cascade more permutations. That is, store $P = \pi_1(K) \cdot \pi_2(K) \cdots \pi_m(K)$ where m > 2. From our investigations, the straightforward modification of the above attack will take the attacker $O(n^m)$ probes to find K with m permutations.

Proposition 2. If a protection scheme uses m different permutations, cascaded as above, a brute-force search will take $O(n^m)$ time for the attacker to find K.

The proof follows directly from the fact that $\sum i^{m-1}$ is of order $O(n^m)$.

PROPOSED PROTECTION SCHEME

Observation

In the previous section, we gave an upper bound for breaking a whole batch of cards for the cascaded m-permutation protection scheme. Usually, we simply need to crack a single card instead of the whole batch of devices. With the above cascaded m-permutation scheme, it may be hard to break the whole batch (i.e. to infer the wiring information), but this may not be true for the individual card where what we want to find is the key K.

One weakness of the cascaded m-permutation scheme is that the number of occurrences of 0's and 1's are preserved, though their locations are permuted. This gives the attacker additional information (the number of 0's and 1's in key K) to exploit. Before we proceed to discuss this, the following definition is introduced.

Definition 2. A permutation matrix [4] corresponding to a permutation π is a matrix $M_\pi$, which has the effect of permuting a vector by π when it multiplies the vector. That is, $M_\pi K$ = permuted K.

$M_\pi$ will be an n × n matrix if K is of length n and K is considered as an n × 1 column vector. The matrix $M_\pi = (m_{ij})_{n \times n}$ can be derived from π by

$$m_{ij} = \begin{cases} 1 & \text{if } j = \pi(i) \\ 0 & \text{otherwise} \end{cases}$$

Using this definition, we can describe the batch key for the cascaded m-permutation as an m-tuple $(M_{\pi_1}, M_{\pi_2}, \ldots, M_{\pi_m})$.

The scheme

To remove the weaknesses we just described, we propose a scheme in which:

(1) the number of bit occurrences of 0's and 1's in K will be unknown to the attacker;
(2) we do not care if the EEPROM can somehow be read directly.

The motivation for this scheme is that instead of storing a concatenation of the permuted versions of K as P, we store for each $P_i$ a permuted version of K xor'ed with two independently chosen n-bit words $\hat{K}_i$, which will not be stored explicitly in the card. This will lead us to devise a scheme that satisfies the above two desired properties.

The basic set-up is the same as the cascaded m-permutation scheme but with the following amendments.

(1) m must be odd and m ≥ 3 (this will be needed later in (3)).
(2) P is no longer $M_{\pi_1}K \cdot M_{\pi_2}K \cdots M_{\pi_m}K$; instead, it will be $P = P_1 \cdot P_2 \cdots P_m$ where

$$\begin{aligned} P_1 &= M_{\pi_1}(K \oplus \hat{K}_2 \oplus \hat{K}_3) \\ &\;\;\vdots \\ P_i &= M_{\pi_i}(K \oplus \hat{K}_{(i+1 \bmod m)} \oplus \hat{K}_{(i+2 \bmod m)}) \qquad (1) \\ &\;\;\vdots \\ P_m &= M_{\pi_m}(K \oplus \hat{K}_1 \oplus \hat{K}_2) \end{aligned}$$

with $\hat{K}_0 = \hat{K}_m$. In the next section, we will show in Property 4 that with this set-up, there will be a total of $2^{n-1}$ possible bit patterns for K if the bit pattern of individual $P_i$ does not contain too many 0's or 1's. For each $P_i$, K will be xor'ed with two different $\hat{K}_i$'s instead of one before it is permuted. This special arrangement enables us to easily decode K.

(3) To decode K from the $P_i$'s, we use the following property.

Property 1. If the $P_i$'s are set up as above, then

$$\bigoplus_{i=1}^{m} M_{\pi_i}^{-1} P_i = \begin{cases} K & \text{if } m \text{ is odd} \\ 0 & \text{if } m \text{ is even} \end{cases} \qquad (2)$$

As a result, if m is odd, the above decoding function will always return the correct value of K if the card has not been tampered with. The hidden wiring implements the $M_{\pi_i}$'s.

However, this is not an ideal decoding function as the attacker can compromise the ith permutation details (i.e. find the $M_{\pi_i}$'s), via techniques described in the previous section, by comparing the encrypted result of a vector with only one bit on, i.e. by setting $P_i$ to 000 . . . 1, 000 . . . 10, . . . , and 100 . . . 0 one by one, while setting all other $P_j$'s (j ≠ i) to 000 . . . 0, and comparing the result with the encrypted pattern of 000 . . . 1, 000 . . . 10, . . . , and 100 . . . 0, respectively. Without loss of generality, suppose $P_1$ = 000 . . . 1 and $P_i$ = 000 . . . 0, ∀ i > 1. Then $\bigoplus_{i=1}^{m} M_{\pi_i}^{-1} P_i = M_{\pi_1}^{-1} P_1$ is a vector with only one bit on. As a result, the encrypted result using this key must be among the encrypted patterns of 000 . . . 1, 000 . . . 10, . . . , and 100 . . . 0 and we can therefore infer the wiring detail of this bit.

The basic problem with the above decoding function is that an attacker knows many valid physical keys (i.e. sets of $P_i$'s) of a special form and can use these to attack the card to find the wiring. Once the attacker knows the wiring, they can work backward to find the key. Instead, we need a method that is not expensive (in terms of the complexity of building the circuit) to decode K and for which it is difficult to find valid physical keys without knowledge of the physical wiring.

Our approach will be to introduce m new n-bit words $\hat P_1, \hat P_2, \ldots, \hat P_m$. These words will give us another equation for finding K. Comparing the result of this and Equation (2) will enable the card to tell if it has been tampered with. These $\hat P_i$'s would be set to

$$\hat P_1 = (M_{\pi_2} K) \oplus \hat K_1$$
$$\vdots$$
$$\hat P_i = (M_{\pi_{(i+1 \bmod m)}} K) \oplus \hat K_i \qquad (3)$$
$$\vdots$$
$$\hat P_m = (M_{\pi_1} K) \oplus \hat K_m$$

where $\pi_0 = \pi_m$. These $\hat P_i$'s will be stored in the EEPROM. Note that in this scheme the $\hat K_i$'s will be discarded after use. Their values can only be deduced when both K and the corresponding $\hat P_i$'s are known.

Decoding function. The key K will then be computed as follows:

(1) we calculate a first value for K via $K_{init} = \bigoplus_{i=1}^{m} M_{\pi_i}^{-1} P_i$;

(2) rearrange the m equations in Equation (1) for each $P_i$: multiply both sides of Equation (1) by $M_{\pi_i}^{-1}$, leave K on the left-hand side and then substitute in the appropriate values from Equation (3), giving

$$\begin{aligned} K &= M_{\pi_i}^{-1} P_i \oplus \hat K_{(i+1 \bmod m)} \oplus \hat K_{(i+2 \bmod m)} \\ &= M_{\pi_i}^{-1} P_i \oplus (\hat P_{(i+1 \bmod m)} \oplus M_{\pi_{(i+2 \bmod m)}} K_{init}) \oplus (\hat P_{(i+2 \bmod m)} \oplus M_{\pi_{(i+3 \bmod m)}} K_{init}) \end{aligned}$$

which yields m different expressions for K.

If the $P_i$'s have not been tampered with (that is, the card is functioning as it was first issued to the customer), the correct K will be returned if we logically AND or logically OR all these m K's. Hence, K can be calculated via the following steps.

(1) Calculate $K_{and}$ by:

$$K_{and} = \bigwedge_{i=1}^{m} \left\{ M_{\pi_i}^{-1} P_i \oplus (\hat P_{(i+1 \bmod m)} \oplus M_{\pi_{(i+2 \bmod m)}} K_{init}) \oplus (\hat P_{(i+2 \bmod m)} \oplus M_{\pi_{(i+3 \bmod m)}} K_{init}) \right\} \qquad (4)$$

(2) Calculate $K_{or}$ by:

$$K_{or} = \bigvee_{i=1}^{m} \left\{ M_{\pi_i}^{-1} P_i \oplus (\hat P_{(i+1 \bmod m)} \oplus M_{\pi_{(i+2 \bmod m)}} K_{init}) \oplus (\hat P_{(i+2 \bmod m)} \oplus M_{\pi_{(i+3 \bmod m)}} K_{init}) \right\} \qquad (5)$$

(3) If $K_{and} = K$ and $K_{or} = K$ (K here being the value $K_{init}$ obtained in step (1)), then return K; else return an error message.

With this decoding function, the attacker is unable to derive any information about the hidden permutation as before by setting one $P_i$ to 00...1 while setting the other $P_j$'s ($j \neq i$) to 00...0 and the $\hat P_i$'s to 00...0. In this special case, K = 00...1. Define $1_i$ to be the n-bit word with the ith bit being 1 and all the other bits 0. That is, $K = 1_1$, while

$$K_{and} = (1_1 \oplus 1_{m_3} \oplus 1_{m_4}) \wedge (1_{m_4} \oplus 1_{m_5}) \wedge \cdots \wedge (1_{m_2} \oplus 1_{m_3})$$

and

$$K_{or} = (1_1 \oplus 1_{m_3} \oplus 1_{m_4}) \vee (1_{m_4} \oplus 1_{m_5}) \vee \cdots \vee (1_{m_2} \oplus 1_{m_3})$$

where $1_{m_i} = M_{\pi_i} 1_1$. To ensure that $K_{and} = K$, each sub-expression of $K_{and}$ must have at least one 1. That is, $1_{m_4} \neq 1_{m_5}, \ldots, 1_{m_2} \neq 1_{m_3}$. Consequently, $K_{or}$ will have more than one 1 and hence $K_{or} \neq K$. As a result, the attacker cannot get any information by setting one $P_i$ to 00...1 while setting the other $P_j$'s ($j \neq i$) and the $\hat P_i$'s to 00...0.
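The encoding of Equations (1) and (3) and the decoding function of Equations (2), (4) and (5) above, as an added simulation that is not the paper's own code. Bit vectors are Python integers, the hidden wiring $M_{\pi_i}$ is a bit permutation the card knows and the attacker does not, and the indices are 0-based so that $(i+1 \bmod m)$ becomes `(i + 1) % M`. The word length is shortened to 16 bits (the paper uses 128) and all function names are this example's own. `single_bit_probe` builds the special physical key from the text (one $P_i$ set to 00...1, everything else zero) to confirm that the decoder rejects it.

```python
"""Cascaded m-permutation scheme with auxiliary words: encode, decode, tamper check.

Added example (not the paper's code).  M_pi is modelled as a bit permutation;
K-hat_i are drawn at encode time and discarded, only P_i and hat P_i are "burned".
"""
import random
from typing import List, Optional, Tuple

N = 16                    # key length in bits (the paper uses 128; kept small here)
M = 3                     # number of permutations; must be odd and >= 3 (Property 1)
MASK = (1 << N) - 1
Perm = List[int]


def permute(perm: Perm, x: int) -> int:
    """M_pi x: input bit j is wired to output bit perm[j]."""
    return sum(1 << perm[j] for j in range(N) if (x >> j) & 1)


def unpermute(perm: Perm, y: int) -> int:
    """M_pi^{-1} y: read input bit j back from output bit perm[j]."""
    return sum(1 << j for j in range(N) if (y >> perm[j]) & 1)


def make_wiring(seed: int) -> List[Perm]:
    """The m hidden permutations pi_1..pi_m fixed at manufacture (seeded for repeatability)."""
    rng = random.Random(seed)
    wiring = []
    for _ in range(M):
        p = list(range(N))
        rng.shuffle(p)
        wiring.append(p)
    return wiring


def encode(key: int, wiring: List[Perm], seed: int) -> Tuple[List[int], List[int]]:
    """EEPROM contents (P_i, hat P_i) per Equations (1) and (3)."""
    rng = random.Random(seed)
    khat = [rng.getrandbits(N) for _ in range(M)]          # fresh K-hat_i, never stored
    P = [permute(wiring[i], key ^ khat[(i + 1) % M] ^ khat[(i + 2) % M]) for i in range(M)]
    Phat = [permute(wiring[(i + 1) % M], key) ^ khat[i] for i in range(M)]
    return P, Phat


def decode(P: List[int], Phat: List[int], wiring: List[Perm]) -> Optional[int]:
    """Decoding function: K_init by Property 1, then the K_and / K_or check; None on error."""
    k_init = 0
    for i in range(M):                                      # Equation (2), m odd
        k_init ^= unpermute(wiring[i], P[i])
    candidates = []
    for i in range(M):                                      # the m expressions for K
        khat_next = Phat[(i + 1) % M] ^ permute(wiring[(i + 2) % M], k_init)
        khat_next2 = Phat[(i + 2) % M] ^ permute(wiring[(i + 3) % M], k_init)
        candidates.append(unpermute(wiring[i], P[i]) ^ khat_next ^ khat_next2)
    k_and, k_or = MASK, 0
    for c in candidates:                                    # Equations (4) and (5)
        k_and &= c
        k_or |= c
    if k_and == k_init and k_or == k_init:                  # step (3)
        return k_init
    return None                                             # "error message"


def single_bit_probe(wiring: List[Perm]) -> Optional[int]:
    """Attacker's physical key from the text: P_1 = 0...01, other P_j and all hat P_i zero."""
    P = [1] + [0] * (M - 1)
    Phat = [0] * M
    return decode(P, Phat, wiring)


if __name__ == "__main__":
    w = make_wiring(7)
    P, Phat = encode(0xBEEF, w, 11)
    print(hex(decode(P, Phat, w)), single_bit_probe(w))
```

Flipping a single bit of any $P_i$ or $\hat P_i$ makes at least one of the m expressions disagree with $K_{init}$, so $K_{and}$ and $K_{or}$ cannot both match and `decode` returns an error; the probe key fails for the reason given in the text ($1_{m_4} \oplus 1_{m_5}$ is never a single-bit word).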

Remarks. Actually, the auxiliary equations for the $\hat P_i$'s described in (3) leak relative permutation information for the $M_{\pi_i}$'s, as the attacker can collect n mappings $(i_1, i_2, \ldots, i_m) \longrightarrow z_i$ after $O(n^m)$ iterations, where the $i_j$'s correspond to the bit locations in the $\hat P_j$'s that relate to some unknown $z_i$th bit of K. This can be achieved as follows. Suppose the attacker randomly flips a bit $i_1$ in $\hat P_1$ (this can always be done, as the $\hat P_i$'s are stored in the chip and attackers can always get these values via a modification attack). When the device is operated, it will always give an error, because $K_{and}$ and $K_{or}$ would then be mismatched. However, it is observed that changing one bit in $\hat P_1$ effectively alters one bit (though the attacker does not know which bit) of K in the expression for $\hat P_1$. By changing the corresponding bits in the remaining $\hat P_i$'s, in $O(n^{m-1})$ time the device will be working again, though with a new K which differs from the original K by one bit, say, the unknown $z_i$th bit in K.

Hence, in $O(n^m)$ time, the attacker can get n tuples $(i_1, i_2, \ldots, i_m)$ which correspond to the relative wiring settings in the $M_{\pi_i}$'s.

To resolve this limitation, a number of countermeasures are possible. Consider the following countermeasure:

$$\hat P_i = (M_{\pi_{(i \bmod m)}} M_{\pi_{(i+1 \bmod m)}} K) \oplus (M_{\pi_{(i \bmod m)}} M_{\pi_{(i+2 \bmod m)}} K) \oplus \hat K_i$$

This will slow the attacker by increasing the complexity required to obtain the wiring information. In this countermeasure, each $\hat P_i$ has two possible locations to be satisfied simultaneously and hence it will take the attacker $O(n (C^n_2)^m)$, or $O(n^{2m+1})$, time to derive the wiring information. This complexity can be further increased arbitrarily. For example, if

$$\hat P_i = (M_{\pi_{(i \bmod m)}} K) \oplus (M_{\pi_{(i \bmod m)}} M_{\pi_{(i \bmod m)}} K) \oplus (M_{\pi_{(i \bmod m)}} M_{\pi_{(i+1 \bmod m)}} K) \oplus (M_{\pi_{(i \bmod m)}} M_{\pi_{(i+2 \bmod m)}} K) \oplus \hat K_i$$

there can be four possible locations to be satisfied in each trial. Hence $O(n^{4m+1}) = O(2^{91})$ for m = 3 or $O(2^{147})$ for m = 5.

For simplicity, we will stick to using the auxiliary equations for the $\hat P_i$'s described in (3) in the rest of the paper.

Some properties

With the modification attack, the attacker can derive the values of the $P_i$'s and $\hat P_i$'s but not the permutation details (that is, the $\pi_i$'s are unknown). In this subsection, we are going to argue that these values of the $P_i$'s and $\hat P_i$'s cannot help much to derive the actual key K. The attacker can perform an exhaustive search to find the value of K as follows (in this example, we assume that the card can do secret-key encryption).

(1) The attacker picks a set of messages and then generates their corresponding ciphertexts with the working card.

(2) Find the values of the $P_i$'s using the modification attack.

(3) Then the attacker needs to find the value of K. An attack is successful if, given the pairs of message and ciphertext, the attacker can find the key K that encrypts the message to the corresponding ciphertext.

As it is known that the value of K is calculated based on $K = \bigoplus_{i=1}^{m} M_{\pi_i}^{-1} P_i$, we are going to show that, in the worst case, there are a total of $2^{n-1}$ possible bit patterns for the correct n-bit key K and the attacker needs to test these $2^{n-1}$ possible bit patterns for K. Although this process can be done off-line, it still takes a long time for the attacker to get K.

We start with the following property on the binomial coefficients $C^n_i = n!/(i!\,(n-i)!)$ of $(1+x)^n$.

Property 2.

$$\sum_{i=0}^{\lfloor n/2 \rfloor} C^n_{2i} = \sum_{i=0}^{\lfloor (n+1)/2 \rfloor - 1} C^n_{2i+1} = 2^{n-1}.$$

The following property asserts that Equation (1) is safe. In particular, knowledge of the $P_i$'s alone cannot derive any information on K.

Property 3. If the $\pi_i$'s are unknown but fixed permutations, X and the $\hat X_i$'s are uniformly and independently chosen n-bit binary words, and Y satisfies $Y = M_{\pi_1}(X \oplus \hat X_2 \oplus \hat X_3)$, then $P(X = x \mid Y = y) = P(X = x)$.

Proof. Let $R = \hat X_2 \oplus \hat X_3$ and $Y' = X \oplus R$. Then $Y = M_{\pi_1} Y'$. First of all, as $\hat X_2$ and $\hat X_3$ are uniformly distributed, R is also uniformly distributed, so $Y'$ is also uniformly distributed. Then, by the definition of conditional probability,

$$P(X = x \mid Y' = y') = \frac{P(X = x \wedge Y' = y')}{P(Y' = y')}$$

As

$$\begin{aligned} P(X = x \wedge Y' = y') &= P(X = x \wedge R = y' \oplus x) \\ &= P(X = x)\,P(R = y' \oplus x) && \text{(due to independence)} \\ &= P(X = x)\,\frac{1}{2^n} && \text{(as } R \text{ is uniformly distributed)} \end{aligned}$$

Since $Y'$ is also uniformly distributed,

$$P(Y' = y') = \frac{1}{2^n}$$

Thus

$$P(X = x \mid Y' = y') = \frac{P(X = x)\,(1/2^n)}{1/2^n} = P(X = x)$$

Hence,

$$\begin{aligned} P(X = x \mid Y = y) &= \frac{P(X = x \wedge Y = y)}{P(Y = y)} \\ &= \frac{P(X = x \wedge Y' = y')}{P(Y' = y')} && \text{(as } \pi_1 \text{ is one-to-one and onto)} \\ &= P(X = x \mid Y' = y') = P(X = x) \qquad \square \end{aligned}$$

Property 4. If $\pi_1$ and $\pi_2$ are two unknown but fixed permutations and $P_1$ and $P_2$ are two n-bit words (with $n_1$ and $n_2$ 1's respectively), then $K_{init} = M_{\pi_1} P_1 \oplus M_{\pi_2} P_2$ has a total of

$$\sum_{i=0}^{(u-l)/2} C^n_{l+2i}$$

possible bit patterns, where $l = |n_1 - n_2|$ and

$$u = \begin{cases} n_1 + n_2 & \text{if } n_1 + n_2 \le n \\ 2n - (n_1 + n_2) & \text{if } n_1 + n_2 > n \end{cases}$$

Furthermore, given m ≥ 3, for any m n-bit words $P_1, P_2, \ldots, P_m$ (with $n_1, n_2, \ldots, n_m$ 1's, respectively), if there exist:

(1) two words $P_i$ and $P_j$, $i \neq j$, such that the resulting $P' = M_{\pi_i} P_i \oplus M_{\pi_j} P_j$ has possibly $l, l+2, \ldots$, and u 1's; and

(2) a third word $P_k$, $k \neq i$, $k \neq j$, such that $l \le n_k \le u$ and $n_i + n_j + n_k \ge n$,

then $K_{init} = \bigoplus_{i=1}^{m} M_{\pi_i} P_i$ has a total of $2^{n-1}$ possible bit patterns.

Proof. In this proof, we first imagine all the 1's of the $P_i$'s sink down to the bottom of the column vectors while the 0's float at the top, and then compute the total number of possible bit patterns of the resulting vector when the 1's of one vector start to float gradually to the top.

For the m = 2 case, if $K_{init} = M_{\pi_1} P_1 \oplus M_{\pi_2} P_2$, then $K_{init}$ has at least $|n_1 - n_2|$ 1's, when the 1's of the shorter vector cancel out part of the 1's of the longer vector (as $1 \oplus 1 = 0$). $K_{init}$ will have at most $n_1 + n_2$ 1's, when the 1's from $P_1$ and $P_2$ stack up within the n-bit boundary. If $n_1 + n_2$ is greater than n, some of the $n_1 + n_2$ 1's will be forced to coincide with each other (which has the effect of losing 1's, as $1 \oplus 1 = 0$), and the resulting number of 1's in $K_{init}$ will be $n - (n_1 + n_2 - n) = 2n - (n_1 + n_2)$.

Hence, $K_{init}$ is expected to have at least l 1's and at most u 1's. It is also noted that l and u have the same parity, and so $u - l$ is even. When the shorter vector starts to float upwards to the top, the number of 1's will be incremented by two each time. Therefore, the possible number of 1's in $K_{init}$ can only be $l, l+2, \ldots, u$, and so the possible number of bit patterns for $K_{init}$ will be $\sum_{i=0}^{(u-l)/2} C^n_{l+2i}$.

For the m ≥ 3 case, if $P' = M_{\pi_i} P_i \oplus M_{\pi_j} P_j$ has possibly $l, l+2, \ldots$, and u 1's and $P_k$ has $n_k$ 1's where $l \le n_k \le u$ and $n_i + n_j + n_k \ge n$, then, depending on whether $n_k$ is odd or even, $P'' = P' \oplus M_{\pi_k} P_k$ will possibly have $1, 3, \ldots, 2(\lfloor (n+1)/2 \rfloor - 1) + 1$ 1's if $n_k + l$ is odd, while it will possibly have $0, 2, \ldots, 2\lfloor n/2 \rfloor$ 1's if $n_k + l$ is even. Therefore, there will be

$$\sum_{i=0}^{\lfloor n/2 \rfloor} C^n_{2i} = \sum_{i=0}^{\lfloor (n+1)/2 \rfloor - 1} C^n_{2i+1} = 2^{n-1}$$

different bit patterns for $P''$. Adding more terms to $P''$ will not increase the possible bit patterns; it simply provides alternative routes to get to a particular bit pattern. $\square$

The implication of this property is that there will be a total of $2^{n-1}$ possible bit patterns for the n-bit key K if the bit pattern of an individual $P_i$ does not contain too many 0's or 1's. Consequently, a brute-force attack needs to try the $2^{n-1}$ possible bit patterns for K in the worst case, if there are at least three $P_i$'s satisfying the above properties, and the security is approximately that of cracking an unknown key $n-1$ bits long. This does not imply, however, that the attacker has a probability of $1/2^{n-1}$ of guessing the key, because the $2^{n-1}$ possible bit patterns for K are not uniformly distributed. In the next section, we will discuss the probability distribution of K and analyse the consequences.
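Property 4 and Property 2 can be checked by enumeration for a small word length, which the paper does not show; the following is an added example, not the authors' code. Because $\pi_i$ is unknown, $M_{\pi_i} P_i$ can be any word with $n_i$ ones, so the set of reachable $K_{init}$ values is the set of XORs of one word of each weight. `property4_count` is the closed form for m = 2, `property2_count` the sum of even binomials, and the three-word case with a badly balanced set (all ones) shows why the "not too many 0's or 1's" condition matters. Function names and n = 8 are this example's choices.

```python
"""Enumerate the bit patterns reachable by XOR_i M_{pi_i} P_i (added example, not the paper's code)."""
from itertools import combinations
from math import comb
from typing import List, Set


def words_of_weight(n: int, w: int) -> List[int]:
    """All n-bit words with exactly w ones; M_pi P ranges over exactly these when |P| = w."""
    return [sum(1 << b for b in pos) for pos in combinations(range(n), w)]


def reachable_patterns(n: int, weights: List[int]) -> Set[int]:
    """{x_1 xor ... xor x_m : |x_i| = weights[i]}, i.e. every K_init some wiring could produce."""
    reach = {0}
    for w in weights:
        reach = {r ^ x for r in reach for x in words_of_weight(n, w)}
    return reach


def property4_count(n: int, n1: int, n2: int) -> int:
    """Property 4, m = 2: sum_{i=0}^{(u-l)/2} C(n, l + 2i) with l = |n1 - n2| and u as defined."""
    l = abs(n1 - n2)
    u = n1 + n2 if n1 + n2 <= n else 2 * n - (n1 + n2)
    return sum(comb(n, l + 2 * i) for i in range((u - l) // 2 + 1))


def property2_count(n: int) -> int:
    """Property 2: sum of C(n, 2i) over i = 0..floor(n/2), which equals 2^(n-1)."""
    return sum(comb(n, 2 * i) for i in range(n // 2 + 1))


if __name__ == "__main__":
    n = 8
    for n1, n2 in [(3, 5), (2, 3), (1, 1), (7, 6)]:
        print(n1, n2, len(reachable_patterns(n, [n1, n2])), property4_count(n, n1, n2))
    print("m=3 balanced:", len(reachable_patterns(n, [3, 5, 4])), "=", property2_count(n))
    print("m=3 all-ones:", len(reachable_patterns(n, [8, 8, 8])))
```

With weights 3, 5 and 4 on 8-bit words the third word brings the count from 127 to $2^{7} = 128$ (every even-weight word), whereas three all-ones words reach a single pattern: the count, not m, is what the balance of the $P_i$'s buys.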

Further improvement

The proposed scheme confuses the attackers by increasing the number of possible bit patterns to $2^{n-1}$. A simple encoding algorithm can further increase this number to $2^n$. The following algorithm encodes a given key $K_{in}$ into the card.

Encode
input: $K_{in}$
    randomly choose m $\hat K_i$'s
    if $\bigoplus_{i=1}^{m} \hat K_i$ has an even number of 1's then
        $K \leftarrow K_{in}$
    else
        $K \leftarrow \overline{K_{in}}$
    endif
    $\forall i$, $P_i \leftarrow M_{\pi_i}(K \oplus \hat K_{(i+1 \bmod m)} \oplus \hat K_{(i+2 \bmod m)})$
    $\forall i$, $\hat P_i \leftarrow (M_{\pi_{(i+1 \bmod m)}} K) \oplus \hat K_i$, or its countermeasure
return the $P_i$'s and $\hat P_i$'s

This idea exploits the fact that the attacker does not know the values of the $\hat K_i$'s, while we use them to determine whether we encode the cryptographic key $K_{in}$ or its complement $\overline{K_{in}}$ into the card. As a result, the number of possible bit patterns is doubled. Hence, we have the following proposition.

Proposition 3. Under the same condition as in Property 4, the above Encode procedure will increase the number of possible bit patterns for the actual key to $2^n$.
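The Encode procedure with the complement rule, as an added example that is not the paper's code. The page gives only the encoding side; how the card undoes the complement is this example's assumption: it recovers the stored word by Property 1, rebuilds each $\hat K_i = \hat P_i \oplus M_{\pi_{(i+1 \bmod m)}} K$ from Equation (3), and applies the same parity test. The $K_{and}/K_{or}$ tamper check is left out here to keep the block focused on the complement step. `complement_fraction` reports how often the complement rather than $K_{in}$ ends up in the EEPROM. Names and the 16-bit word length are this example's own.

```python
"""Encode with the complement rule (Proposition 3) and the assumed inverse step."""
import random
from typing import List, Tuple

N = 16                     # bits per word (the paper uses 128)
M = 3                      # odd, >= 3
MASK = (1 << N) - 1
Perm = List[int]


def permute(perm: Perm, x: int) -> int:
    """M_pi x: input bit j goes to output bit perm[j]."""
    return sum(1 << perm[j] for j in range(N) if (x >> j) & 1)


def unpermute(perm: Perm, y: int) -> int:
    """M_pi^{-1} y."""
    return sum(1 << j for j in range(N) if (y >> perm[j]) & 1)


def make_wiring(seed: int) -> List[Perm]:
    rng = random.Random(seed)
    wiring = []
    for _ in range(M):
        p = list(range(N))
        rng.shuffle(p)
        wiring.append(p)
    return wiring


def parity(x: int) -> int:
    """1 if x has an odd number of 1's, else 0."""
    return bin(x).count("1") & 1


def encode(k_in: int, wiring: List[Perm], seed: int) -> Tuple[List[int], List[int]]:
    """Encode: store K_in if XOR of the K-hat_i has even weight, otherwise its complement."""
    rng = random.Random(seed)
    khat = [rng.getrandbits(N) for _ in range(M)]
    xor_all = 0
    for kh in khat:
        xor_all ^= kh
    k = k_in if parity(xor_all) == 0 else k_in ^ MASK
    P = [permute(wiring[i], k ^ khat[(i + 1) % M] ^ khat[(i + 2) % M]) for i in range(M)]
    Phat = [permute(wiring[(i + 1) % M], k) ^ khat[i] for i in range(M)]
    return P, Phat


def stored_word(P: List[int], wiring: List[Perm]) -> int:
    """The word K actually encoded in the P_i (Property 1, m odd)."""
    k = 0
    for i in range(M):
        k ^= unpermute(wiring[i], P[i])
    return k


def decode(P: List[int], Phat: List[int], wiring: List[Perm]) -> int:
    """Assumed inverse: rebuild the K-hat_i from Equation (3) and undo the complement."""
    k = stored_word(P, wiring)
    xor_all = 0
    for i in range(M):
        xor_all ^= Phat[i] ^ permute(wiring[(i + 1) % M], k)   # K-hat_i
    return k if parity(xor_all) == 0 else k ^ MASK


def complement_fraction(k_in: int, wiring: List[Perm], seed: int, trials: int) -> float:
    """Fraction of encodings in which the complement of K_in is the stored word."""
    hits = 0
    for t in range(trials):
        P, _ = encode(k_in, wiring, seed + t)
        hits += stored_word(P, wiring) == (k_in ^ MASK)
    return hits / trials


if __name__ == "__main__":
    w = make_wiring(3)
    P, Phat = encode(0x1234, w, 9)
    print(hex(stored_word(P, w)), hex(decode(P, Phat, w)), complement_fraction(0x1234, w, 100, 400))
```

Since the parity of $\bigoplus \hat K_i$ is a fair coin, roughly half of all encodings of the same $K_{in}$ store $\overline{K_{in}}$, which is what doubles the pattern count; the card can still tell the two cases apart because it, unlike the attacker, can reconstruct the $\hat K_i$'s.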

ANALYSIS

To attack the proposed scheme, one has to guess the value of the key K (which is unknown) based on the values of the $P_i$'s (which can be derived). Although the scheme can be designed to generate the whole spectrum of $2^n$ possible bit patterns, this does not mean that, conditioned on the given values of the $P_i$'s, each possible K is uniformly likely to have been the original key. Hence, we cannot draw the conclusion that the attacker only has a probability of $1/2^n$ of guessing the correct key when the attack is based only upon the knowledge of the $P_i$'s.

We now study the chance that the attacker can guess the key. Using the modification attack, the attacker can see the values of the $P_i$'s and knows that $K = \bigoplus_{i=1}^{m} M_{\pi_i}^{-1} P_i$. As the attacker cannot see the hidden wires, the values of the $M_{\pi_i}^{-1} P_i$'s are unknown. However, the permutation cannot change the number of 1's (and 0's) in the $P_i$'s; this is the only additional information leaked to the attacker. Thus, the only chance for the attacker to derive K is to take advantage of the properties of $\bigoplus_{i=1}^{m} M_{\pi_i}^{-1} P_i$ (with the number of 1's in the $P_i$'s known) and see if these properties can be exploited to derive something better than a brute-force attack. As the $M_{\pi_i}^{-1}$'s are unknown to the attacker, the problem can be restated as follows.

Let $n_1, n_2, \ldots, n_m$ be arbitrary integers where $0 \le n_i \le n$. Let $P_1, P_2, \ldots, P_m$ be chosen independently, with $P_i$ being chosen uniformly from among the $C^n_{n_i}$ n-bit words with $n_i$ 1's. Let $K = \bigoplus_{i=1}^{m} P_i$. What is the distribution of K?

We will show that although the keys are not uniformly distributed, their distribution is close to uniform if weak values are discarded. Analysis also shows that m = 3 or m = 5 are already good enough practically to provide strong security if the encoding is done properly.

Approach

Suppose we are going to store an encoding of the n-bit key K into the device; m n-bit $P_i$'s with $n_1, n_2, \ldots, n_m$ 1's, respectively, will be created and burned into the EEPROM.

Notice that these m $P_i$'s are generated randomly and independently. We can repeat the generation process until all these $P_i$'s have some proven desired properties. That is, we can abandon the set of m $P_i$'s if it is not generated satisfactorily (e.g. one of the $P_i$'s contains a word with too many 0's or 1's) and repeat the process again (so that all $P_i$'s satisfy the required condition that we will describe shortly).

If the $P_i$'s are chosen randomly, then $n_i$ is a binomial random variable with parameters n, p = 1/2 and, therefore, the expected values of these $n_i$'s will be n/2. We will study how $n_i$ will deviate from n/2 and see if it can give us some hints on how to pick the $P_i$'s.

Chernoff bounds

Each $P_i$ is made up of n bits. We can view these n bits in $P_i$ as mutually independent Bernoulli variables, with $n_i$ the sum of these 0's and 1's. According to the Chernoff bound [5], we have for all δ, 0 < δ < 1,

$$\Pr\left[\bigcup_{i=1}^{m} \left( \left| n_i - \frac{n}{2} \right| > \delta \frac{n}{2} \right)\right] < m \cdot 2 \left[ \frac{e^{\delta}}{(1+\delta)^{1+\delta}} \right]^{n/2} = \gamma_{m,\delta}.$$

Chernoff bound arguments tell us that, with high probability, $n_i$ is very close to n/2. This leads to the following idea. When generating $P_1, P_2, \ldots, P_m$, we check if $\forall i$, $|n_i - n/2| < \delta n/2$ for some appropriately chosen δ (δ will be such that the probability that $\forall i$, $|n_i - n/2| < \delta n/2$ will be very high, but small enough to substantially restrict the size $\delta n/2$ of the range that the $n_i$ can appear in). If the answer is yes, we keep these $P_i$'s and burn them into the device. If no, we throw away all of these $P_i$'s and generate a new set of $P_1, P_2, \ldots, P_m$. This process will continue until $|n_i - n/2| < \delta n/2$ for all i. For given m and δ, the expected number of times we need to generate $P_1, P_2, \ldots, P_m$ is less than $1/(1 - \gamma_{m,\delta})$ and, if $\gamma_{m,\delta} < 1/2$, we will get a good set of $P_i$'s in less than two trials on average.
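The generate-until-balanced loop just described, as an added example that is not the paper's code. `gamma` evaluates $\gamma_{m,\delta} = m \cdot 2\,[e^{\delta}/(1+\delta)^{1+\delta}]^{n/2}$, where the bracket is the Chernoff bound of [5] as reconstructed above (the $e^{\delta}$ numerator is assumed from that source). The words are formed as $K \oplus \hat K_{(i+1)} \oplus \hat K_{(i+2)}$ from fresh random $\hat K_i$; the hidden permutation is omitted because it does not change a word's weight. Function names, the seed argument and the sample key are this example's own.

```python
"""Chernoff-bound acceptance test for the weights n_i of the P_i (added example, not the paper's code)."""
import math
import random
from typing import List, Tuple


def gamma(m: int, n: int, delta: float) -> float:
    """gamma_{m,delta} = m * 2 * [e^delta / (1+delta)^(1+delta)]^(n/2)  (bracket: Chernoff bound, [5])."""
    return m * 2 * (math.exp(delta) / (1 + delta) ** (1 + delta)) ** (n / 2)


def weight(x: int) -> int:
    return bin(x).count("1")


def balanced(n: int, delta: float, w: int) -> bool:
    """The acceptance test from the text: |n_i - n/2| < delta * n/2."""
    return abs(w - n / 2) < delta * n / 2


def accepted_weight_range(n: int, delta: float) -> Tuple[int, int]:
    """Smallest and largest integer weights that balanced() accepts."""
    lo = next(w for w in range(n + 1) if balanced(n, delta, w))
    hi = next(w for w in range(n, -1, -1) if balanced(n, delta, w))
    return lo, hi


def generate_good_set(key: int, n: int, m: int, delta: float, seed: int) -> Tuple[List[int], int]:
    """Regenerate the K-hat_i until every pre-permutation word K xor K-hat_{i+1} xor K-hat_{i+2}
    has a balanced weight.  Returns (words, number of trials used)."""
    rng = random.Random(seed)
    trials = 0
    while True:
        trials += 1
        khat = [rng.getrandbits(n) for _ in range(m)]
        words = [key ^ khat[(i + 1) % m] ^ khat[(i + 2) % m] for i in range(m)]
        if all(balanced(n, delta, weight(w)) for w in words):
            return words, trials


def expected_trials_bound(m: int, n: int, delta: float) -> float:
    """1 / (1 - gamma_{m,delta}) from the text; infinite when the bound exceeds 1."""
    g = gamma(m, n, delta)
    return 1.0 / (1.0 - g) if g < 1.0 else math.inf


if __name__ == "__main__":
    for d in (0.5, 0.3, 0.15):
        print(d, accepted_weight_range(128, d), round(gamma(3, 128, d), 4), expected_trials_bound(3, 128, d))
    words, trials = generate_good_set(0x0123456789ABCDEF0123456789ABCDEF, 128, 3, 0.15, 42)
    print([weight(w) for w in words], "trials:", trials)
```

For n = 128 and δ = 0.5 the strict inequality accepts weights 33 to 95 (Table 1 quotes the closed range 32–96 for the same δ), and $\gamma_{3,0.5} \approx 0.006$; for δ = 0.3 the bound is still below 1/2, so even the narrower window costs under two generations on average.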

Results

Given n-bit words $P_1, P_2, \ldots, P_m$ with respectively $n_1, n_2, \ldots, n_m$ 1's, we would like to calculate the probability that the key K has l 1's, which we will denote by $q(n, n_1, n_2, \ldots, n_m, l)$. For the m = 2 case, we can exhaustively calculate the value of $q(n, n_1, n_2, l)$ using a computer program. To derive the formulae for $q(n, n_1, n_2, \ldots, n_m, l)$ in terms of $q(n, n_1, n_2, l)$, we need the following basic lemma.

Lemma 1. If the $X_i$'s form a partition of B (that is, $B = \bigcup_i X_i$ and the $X_i$'s are mutually exclusive events), then for an event A, $\Pr(A \mid B) = \sum_i \Pr(A \mid X_i)\,\Pr(X_i \mid B)$.

For the m = 3 case, we are given three $P_i$'s with $n_1$, $n_2$ and $n_3$ 1's, respectively, and we need to calculate the probability that the result K has l 1's:

$$\begin{aligned} q(n, n_1, n_2, n_3, l) &\overset{\text{def}}{=} \Pr(|K| = l \mid n_1, n_2, n_3) \\ &= \sum_{l_1} \left\{ \Pr(|K| = l \mid |P_1 \oplus P_2| = l_1, n_3)\,\Pr(|P_1 \oplus P_2| = l_1 \mid n_1, n_2, n_3) \right\} \\ &= \sum_{l_1} q(n, l_1, n_3, l)\, q(n, n_1, n_2, l_1) \end{aligned}$$

where $l_1$ ranges from $|n_1 - n_2|$ to $\max(n_1 + n_2, n)$ in steps of 2. Based on the argument from the previous section, we can choose the range for the $n_i$'s and then calculate the probability for different numbers l of 1's in the resulting K. Once we find $q(n, n_1, \ldots, n_m, l)$, the probability for each individual key with l 1's is given by

$$\alpha_{n, n_1, \ldots, n_m, l} = \frac{q(n, n_1, \ldots, n_m, l)}{C^n_l}. \qquad (6)$$

If the $\alpha_{n, n_1, \ldots, n_m, l}$'s do not differ significantly, then the attacker will need to almost exhaustively search all the possible keys, as no one key will appear with a significantly higher probability.

A program has been written to calculate the values of $q(n, n_1, \ldots, n_m, l)/C^n_l$ for m = 3, and the result is summarized in Table 1. We showed in Property 4 that our protection scheme will give a total of $2^{n-1}$ possible bit patterns for an n-bit K. If all these possible bit patterns are uniformly distributed, the attacker will only have a chance of $1/2^{127}$ of guessing the key K correctly. Table 1 shows that if the values of the $n_i$'s are restricted to a range from 32 to 96 (which corresponds to the Chernoff bound range given by taking δ = 0.5), the weakest key will take the attacker $2^{112.1}$ trials to get it right on average, which, while not $2^{127}$, is already good enough in practice. In addition, the number of weak keys (that is, keys with $\alpha > 1/2^{127}$) is less than that of the strong keys (that is, keys with $\alpha \le 1/2^{127}$). As we further restrict the ranges for $n_i$ and l, the results improve and α gets closer to $1/2^{n-1}$.

Table 1. Maximum and minimum values of $\alpha_{n,n_1,n_2,n_3,l}$ for different ranges of l (n = 128) and m = 3

Range of $n_i$ | Range of l | Max α | Min α | Number of α > $1/2^{127}$ | Number of α ≤ $1/2^{127}$
32–96 | 1–128 | $2^{-112.1}$ | $2^{-155.4}$ | 2.26511 × 10^43 | 7.07989 × 10^43
32–96 | 20–109 | $2^{-115.8}$ | $2^{-155.4}$ | 2.26511 × 10^43 | 7.07989 × 10^43
38–90 | 1–128 | $2^{-118.5}$ | $2^{-152.3}$ | 1.25333 × 10^43 | 3.81269 × 10^43
38–90 | 20–109 | $2^{-120.7}$ | $2^{-144.6}$ | 1.25333 × 10^43 | 3.81269 × 10^43
45–83 | 1–128 | $2^{-123.5}$ | $2^{-136.5}$ | 5.03619 × 10^42 | 1.5149 × 10^43
45–83 | 20–109 | $2^{-124.3}$ | $2^{-132.1}$ | 5.03619 × 10^42 | 1.5149 × 10^43
45–83 | 45–83 | $2^{-124.8}$ | $2^{-130}$ | 5.03362 × 10^42 | 1.51412 × 10^43

Similarly, for the m = 5 case, we are given five $P_i$'s with $n_1, n_2, n_3, n_4$ and $n_5$ 1's, respectively, and we need to calculate the probability that the resulting K has l 1's, and we have

$$\begin{aligned} q(n, n_1, n_2, n_3, n_4, n_5, l) &\overset{\text{def}}{=} \Pr(|K| = l \mid n_1, n_2, n_3, n_4, n_5) \\ &= \sum_{l_1} \left\{ \Pr(|K| = l \mid |P_1 \oplus P_2 \oplus P_3| = l_1, n_4, n_5)\,\Pr(|P_1 \oplus P_2 \oplus P_3| = l_1 \mid n_1, n_2, n_3) \right\} \\ &= \sum_{l_1} q(n, l_1, n_4, n_5, l)\, q(n, n_1, n_2, n_3, l_1) \qquad (7) \\ &= \sum_{l_1} \left\{ \sum_{l_2} q(n, l_2, n_5, l)\, q(n, l_1, n_4, l_2) \sum_{l_3} q(n, l_3, n_3, l_1)\, q(n, n_1, n_2, l_3) \right\} \qquad (8) \end{aligned}$$

where $l_1$ takes the values of the possible number of 1's in the word $P_1 \oplus P_2 \oplus P_3$. Thus, we can calculate $q(n, n_1, n_2, n_3, n_4, n_5, l)$ in a number of ways. If we calculate it using Equation (7), then we need huge memory (in $\Theta(n^4)$ space) to keep the table of $q(n, \cdot, \cdot, \cdot, \cdot)$ values. If, instead, we use Equation (8) to perform the computation, it will take a very long time (in $\Theta(n^6)$ time) for the calculation.

However, Equation (7) has a special form that enables us to roughly estimate the performance of the scheme. As $\sum_{l_1} q(n, n_1, n_2, n_3, l_1) = 1$, we find that

$$q(n, n_1, n_2, n_3, n_4, n_5, l) = \sum_{l_1} q(n, l_1, n_4, n_5, l)\, q(n, n_1, n_2, n_3, l_1) \le \max_{l_1} q(n, l_1, n_4, n_5, l)$$

Similarly,

$$q(n, n_1, n_2, n_3, n_4, n_5, l) \ge \min_{l_1} q(n, l_1, n_4, n_5, l)$$

Although we use $n_4$ and $n_5$ in the above two expressions, they do not necessarily physically correspond to the last two words stored in the EEPROM. Actually these bounds are true for any two $n_i$'s among the m $n_i$'s. For example, it is also true that $q(n, n_1, n_2, n_3, n_4, n_5, l) \ge \min_{l_1} q(n, l_1, n_1, n_4, l)$.

As $q(n, l_1, n_4, n_5, l)$ will be close to $1/2^{n-1}$ when $n_4$ and $n_5$ are close to n/2, this implies that $q(n, n_1, n_2, n_3, n_4, n_5, l)$ will be close to $1/2^{n-1}$ if any two $n_i$'s are close to n/2.

The same approach can be generalized for other values of m, and hence we have the following theorem.

Theorem 1. For all m ≥ 3, the probability that $|K| = l$ given the n-bit words $P_1, P_2, \ldots, P_{m+1}, P_{m+2}$ having respectively $n_1, n_2, \ldots, n_{m+1}, n_{m+2}$ 1's is given by

$$q(n, n_1, n_2, \ldots, n_m, n_{m+1}, n_{m+2}, l) = \sum_{l_1} q(n, l_1, n_{m+1}, n_{m+2}, l)\, q(n, n_1, \ldots, n_m, l_1)$$

where $l_1$ takes the values of the possible number of 1's in the word $P_1 \oplus \cdots \oplus P_m$. In addition, $q(n, n_1, n_2, \ldots, n_m, n_{m+1}, n_{m+2}, l)$ is bounded from above by

$$\max_{l_1} q(n, l_1, n_{m+1}, n_{m+2}, l).$$

To get an idea of how the bounds look, we restrict the values of $n_{m+1}$ and $n_{m+2}$ to the range 45–83. In such a case, for each $(n_{m+1}, n_{m+2})$ pair, we have

$$\max_{l_1} q(n, l_1, n_{m+1}, n_{m+2}, l) \le \max_{n_{m+1}, n_{m+2} \in [45, 83];\; l_1} q(n, l_1, n_{m+1}, n_{m+2}, l)$$

We used a program to calculate all values of $q(128, l_1, n_{m+1}, n_{m+2}, l)$ where $l_1$ loops from 1 to 128, $n_{m+1}$ and $n_{m+2}$ loop from 45 to 83 and l loops from 1 to 128. For each l, we find the maximum and minimum values of $q(128, \cdot, \cdot, \cdot, l)$.

Definition 3. The bit equivalent of a number v is defined as $-\log_2 v$.

Figure 2 shows the bit equivalent of the maximum and minimum values of $q(128, l_1, n_1, n_2, l)$, where $n_1$ and $n_2$ are in the range 45–83.
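The computation behind the Results subsection (the m = 3 recursion, Equation (6), the Table 1 extremes) and behind Theorem 1's bound, as one added example; the paper's own program is not available and this is not it. Rather than the exhaustive enumeration the paper uses for m = 2, `q2` uses a closed form derived here: if two uniformly chosen words of weights $n_1$ and $n_2$ share j one-positions then $l = n_1 + n_2 - 2j$, and j is hypergeometric, $\Pr[j] = C^{n_1}_j C^{n-n_1}_{n_2-j} / C^n_{n_2}$; `q2_brute` checks it by enumeration. `q_multi` applies Lemma 1 one word at a time, which gives the same probabilities as Equations (7) and (8), and `theorem1_bound` is $\max_{l_1} q(n, l_1, n_{m+1}, n_{m+2}, l)$. Function names and the 16-bit word length are this example's choices.

```python
"""Weight distribution of K = P_1 xor ... xor P_m and the per-key probability alpha (added example)."""
from functools import lru_cache
from itertools import combinations
from math import comb, log2
from typing import Tuple


@lru_cache(maxsize=None)
def q2(n: int, n1: int, n2: int, l: int) -> float:
    """q(n, n1, n2, l): Pr[|P1 xor P2| = l], P1, P2 independent and uniform among weights n1, n2.
    Closed form (this example's derivation): overlap j = (n1 + n2 - l)/2 is hypergeometric."""
    if (n1 + n2 - l) % 2:
        return 0.0
    j = (n1 + n2 - l) // 2
    if j < 0 or j > n1 or n2 - j < 0 or n2 - j > n - n1:
        return 0.0
    return comb(n1, j) * comb(n - n1, n2 - j) / comb(n, n2)


def q2_brute(n: int, n1: int, n2: int, l: int) -> float:
    """Exhaustive evaluation of q(n, n1, n2, l), as the paper does for m = 2 (small n only)."""
    w1 = [sum(1 << b for b in c) for c in combinations(range(n), n1)]
    w2 = [sum(1 << b for b in c) for c in combinations(range(n), n2)]
    hits = sum(1 for a in w1 for b in w2 if bin(a ^ b).count("1") == l)
    return hits / (len(w1) * len(w2))


@lru_cache(maxsize=None)
def q_multi(n: int, weights: Tuple[int, ...], l: int) -> float:
    """q(n, n1, ..., nm, l) via Lemma 1: condition on l1 = |P_1 xor ... xor P_{m-1}|."""
    if len(weights) == 1:
        return 1.0 if weights[0] == l else 0.0
    if len(weights) == 2:
        return q2(n, weights[0], weights[1], l)
    return sum(q2(n, l1, weights[-1], l) * q_multi(n, weights[:-1], l1) for l1 in range(n + 1))


def alpha(n: int, weights: Tuple[int, ...], l: int) -> float:
    """Equation (6): probability of one particular key with l ones."""
    return q_multi(n, weights, l) / comb(n, l)


def bit_equivalent(v: float) -> float:
    """Definition 3: -log2 v."""
    return -log2(v)


def alpha_extremes(n: int, lo: int, hi: int) -> Tuple[float, float]:
    """(max, min) of alpha over n_1, n_2, n_3 in [lo, hi] and all l of non-zero probability (Table 1, m = 3)."""
    vals = [alpha(n, (a, b, c), l)
            for a in range(lo, hi + 1) for b in range(lo, hi + 1) for c in range(lo, hi + 1)
            for l in range(n + 1)]
    vals = [v for v in vals if v > 0.0]
    return max(vals), min(vals)


def theorem1_bound(n: int, n_a: int, n_b: int, l: int) -> float:
    """max_{l1} q(n, l1, n_a, n_b, l): Theorem 1's upper bound on q(n, n_1..n_m, n_a, n_b, l)."""
    return max(q_multi(n, (l1, n_a, n_b), l) for l1 in range(n + 1))


if __name__ == "__main__":
    n = 16
    print("alpha(16,(8,8,8),8) in bits:", round(bit_equivalent(alpha(n, (8, 8, 8), 8)), 3), "uniform:", n - 1)
    mx, mn = alpha_extremes(n, 6, 10)
    print("Table-1 style extremes, n_i in 6..10:", round(bit_equivalent(mx), 2), round(bit_equivalent(mn), 2))
    for l in range(0, n + 1, 2):
        print(l, round(q_multi(n, (5, 8, 9, 7, 10), l), 5), "<=", round(theorem1_bound(n, 7, 10, l), 5))
```

With three balanced 16-bit words the bit equivalent of $\alpha$ at l = 8 sits within a few hundredths of the uniform value n − 1 = 15, the weighted average of $\alpha$ over l is exactly $1/2^{n-1}$ (so some keys are always slightly above and some below it), and for m = 5 every $q(n, n_1, \ldots, n_5, l)$ stays under the Theorem 1 bound computed from only two of the weights.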

[Figure 2. Bit equivalent of the maximum and minimum of $q(128, l_1, n_1, n_2, l)$ versus l ($n_i$'s ∈ [45, 83]). x-axis: no. of 1s in key K (l), 20 to 120; y-axis: bits equivalent, 115 to 155.]

The upper curve represents the bit equivalent of the minimum value while the lower curve represents the bit equivalent of the maximum value over l. It shows that when an attacker is attempting to guess the key K with l 1's, it is at least as difficult as guessing a randomly chosen b-bit word, where b is the bit equivalent of the maximum value for $q(128, \cdot, \cdot, \cdot, l)$. From the figure, it is observed that for a 128-bit key K, guessing the weakest key is equivalent to guessing a random key more than 115 bits long. If we restrict the range to a narrower interval, say from 50 to 78, the strength of the weakest key is equivalent to that of a random key more than 121 bits long. That is, if any two $P_i$'s fall into this range, we can be sure that the security of the scheme is equivalent to guessing a random key more than 121 bits long. This strength is reasonably good against class I attackers.

Theorem 1 shows that the overall security may not be improved by simply increasing m. Rather, we need to generate good $P_i$'s. In practice, m = 3 or m = 5 are already good enough if the encoding is done properly; m > 5 may not give a significant improvement to the security of the scheme—it only increases the chance of getting good $P_i$'s.

DISCUSSION AND CONCLUSION

In this paper, we first introduced the modification attack and then studied and analyzed ways of protecting keys stored in the EEPROM of tamper-resistant devices against the modification attack. We discussed some possible protection schemes such as voting schemes and found that they are not very satisfactory. Instead, we introduced the idea of encoding the key rather than leaving it unencoded in the device. Our suggested scheme can be further enhanced to cover the whole spectrum of key values.

In the device, m n-bit words $P_i$ are stored (together with another m n-bit auxiliary words for decoding); the actual key K will be decoded as $\bigoplus_{i=1}^{m} M_{\pi_i}^{-1} P_i$, where $M_{\pi_i}$ represents the permutation matrix for $\pi_i$, implemented physically as hidden wires in the device. Keys in this scheme, however, are not uniformly distributed, leading to the possibility that the scheme can be broken by checking for high-probability keys. We studied this problem and found that the distribution will be practically close to uniform if all $n_i$'s (the number of 1's in $P_i$) are chosen properly (that is, relatively close to n/2; furthermore, it is easy to ensure that this condition holds). Theorem 1 asserts that for m > 3, the probability of breaking the scheme will be bounded above by $\max_{l_1} q(n, l_1, n_i, n_j, l)$, where $q(n, l_1, n_i, n_j, l)$ is the probability that the key K will have l 1 bits and K is the result of xor'ing three n-bit words with $l_1$, $n_i$ and $n_j$ 1 bits respectively. In particular, if $n_i$ and $n_j$ are in the range from 45 to 83, breaking the scheme is at least as difficult as breaking a random key more than 115 bits long. In addition, m = 3 or m = 5 are already good enough practically to provide strong security if the encoding is done properly, and m > 5 may not give a significant improvement to the security of the scheme.

However, there remain a few areas of concern. First, if the attacker succeeds in breaking any one device, the whole batch to which this device belongs would become less secure. That is, the attacker could break any additional device belonging to the same batch in O(n) time. This is simply because tamper-resistant devices will be mass produced, and the wiring topology will be the same for all devices in the same batch. Second, we should keep in mind that the scheme is insecure against class II attackers (i.e. knowledgeable insiders [1]) who may have knowledge of the wiring topology. Therefore, the device manufacturer must take appropriate procedures to protect this sensitive knowledge. Finally, against class III attackers (i.e. funded organizations [1]) there is really no/little hope of designing a truly tamper-resistant device, as they may possess equipment that makes it possible to completely reverse engineer the device.

ACKNOWLEDGEMENTS

The work of the first two authors was partially supported by HK RGC CERG grants HKUST 6082/97E and HKUST 6137/98E.


REFERENCES

1. Abraham DG, Dolan GM, Double GP, Stevens JV. Transaction security system. IBM Systems Journal 1991; 30(2):206–229.

2. Anderson R, Kuhn M. Tamper resistance—a cautionary note. Proceedings of the Second USENIX Workshop on Electronic Commerce. USENIX Press, 1996; 1–11.

3. Anderson R, Kuhn M. Low cost attacks on tamper resistant devices. Security Protocols: 5th International Workshop (Lecture Notes in Computer Science, vol. 1361). Springer, 1997; 125–136.

4. Cormen TH, Leiserson CE, Rivest RL. Introduction to Algorithms. MIT Press: Cambridge, MA, 1990.

5. Motwani R, Raghavan P. Randomized Algorithms. Cambridge University Press: Cambridge, 1995.

6. Stinson DR. Cryptography: Theory and Practice. CRC Press: Boca Raton, FL, 1995.

Authors’ biographies:

Wai W. Fung received his BEng(Hons) in Computer Systems Engineering from the University of Warwick (England), and MPhil and PhD in Computer Science from the Hong Kong University of Science and Technology. His Masters research was on computer vision and robotics, while his PhD research was on cryptography for tamper-resistant devices. He has working and research experience in image processing, robotics, computer security and PKI applications. His current interests focus on cryptography and steganography, Internet security, PKI applications and computer viruses.

Mordecai J. Golin received his BSc from the Hebrew University of Jerusalem in 1984, his MA in Computer Science from Princeton University in 1987 and his PhD in Computer Science from Princeton University in 1990. He then served as a postdoc in Projet Algo of INRIA in Rocquencourt, France through to the end of 1992. In 1993 he joined the Computer Science Department of the Hong Kong University of Science and Technology where he is now an Associate Professor. His research interests include the design and analysis of algorithms with special emphasis on mathematical methods, computational geometry, combinatorics and coding theory.

James W. Gray, III received his PhD in Computer Science from the University of Maryland at College Park. As an academic, he performed research at the Naval Research Laboratory in Washington, DC, the University of Science and Technology in Hong Kong and at RSA Labs in San Mateo, CA. He is currently serving as a security architect for internet and embedded device applications. He was directly involved in launching PayPal (an internet payment service) and its security infrastructure, and is currently the lead developer for RSA's DOCSIS cable modem manufacturing CA—a client-server application that issues public-key certificates for DOCSIS-compliant cable modems. His areas of expertise are cryptographic algorithms and cryptographic protocols.
