Protection of keys against modification attack

Abstract

Anderson and Kuhn (1997) described an attack against tamper-resistant devices wherein a secret key stored in EEPROM is compromised using a simple and low-cost attack. The attack consists of setting bits in the EEPROM using low-cost probes and observing the effect on the output of the device. These attacks are extremely general, as they apply to virtually any cryptosystem. The objective of the present work is to explore cryptographic techniques with the goal of raising the cost (in terms of time and money) of carrying out the EEPROM modification attack by Class I attackers, at least to a point where it is as prohibitive as the cost of purchasing more expensive equipment. We propose the m-permutation protection scheme in which the key will be encoded in a special way and burned into the EEPROM of the device. To attack the scheme, the attacker needs to be able to solve for K in the equation K=/spl oplus//sub i=1//sup m/P/sub i/ in which P/sub i/'s are unknown. It is observed that the m-permutation protection scheme does not distribute the key K uniformly. Analysis shows that m=3 or m=5 are already good enough practically to provide strong security if the encoding is done properly and that m>5 may not give significant improvement to the security of the scheme.