Re: New Biham-Shamir Fault Analysis Paper

At 4:18 PM -0800 11/1/96, Martin Minow wrote:
> There is an inherent conflict between two claims that are central to the fault-analysis paper(s): "the secret key [is] stored in a tamperproof cryptographic device" and "the cryptographic key is stored in an asymmetric type of memory, in which induced faults ..."
> If the device is truly tamperproof, the attacker should not be able to induce faults.

OK, so the authors might have better used the phrase "putatively tamperproof." Or the more accepted modern phrase, "tamper-resistant." As with safes, castles, and "bulletproof vests," all claims of absolute security are dubious. What the Bellcore and Biham-Shamir (and other, reportedly) attacks have done is to show another vector by which "tamperproof" is not.

> Even given susceptible "consumer-quality" devices, it would be trivial to store the cryptographic keys in a redundant memory configuration, such as ECC "error-correcting code" memory that can self-correct a range of failures and detect a much wider range. It would also seem reasonable to protect the cryptographic core (algorithms and data) with a digital signature that would "crash" the device, rather than proceed with incorrect key information.

Faults can be induced as well in logic devices. I agree that redundancy can be added to logic devices (I worked on this for Intel a while back), but this would require an almost complete re-doing of smartcard processors. (For starters, imagine implementing triple redundancy in smartcards....not cheap.)

Again, what these recent attacks show is a theoretical avenue by which nominally tamper-resistant cards may have their defenses breached. Whether this is an important threat depends on a bunch of factors. Whether cardmakers change their chips also depends on a bunch of factors.

--Tim May

P.S. A while back there were a bunch of posts with the title "Professor Shamir Arrested." Was it ever established whether or not the arrested Shamir was in fact _our_ Adi Shamir? And what the charges were?

"The government announcement is disastrous," said Jim Bidzos,.."We warned IBM that the National Security Agency would try to twist their technology." [NYT, 1996-10-02]
We got computers, we're tapping phone lines, I know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay@got.net  408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Higher Power: 2^1,257,787-1 | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."
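The redundant key storage proposed in the quoted text, as an added example that is not part of the original thread: key nibbles are stored as extended Hamming(8,4) codewords, a single flipped bit per cell is corrected, and a double flip makes the load fail closed instead of returning a wrong key. The code choice, the function names and the sample key are assumptions made for illustration.

```c
#include <stdint.h>
#include <string.h>
enum { KEY_OK = 0, KEY_CORRECTED = 1, KEY_FAULT = -1 };

/* Extended Hamming(8,4): positions 1,2,4 parity; 3,5,6,7 data; 0 overall parity. */
static uint8_t secded_encode(uint8_t d) {
    uint8_t d0 = d & 1, d1 = (d >> 1) & 1, d2 = (d >> 2) & 1, d3 = (d >> 3) & 1;
    uint8_t p1 = d0 ^ d1 ^ d3, p2 = d0 ^ d2 ^ d3, p4 = d1 ^ d2 ^ d3;
    uint8_t all = p1 ^ p2 ^ p4 ^ d0 ^ d1 ^ d2 ^ d3;
    return (uint8_t)(all | p1 << 1 | p2 << 2 | d0 << 3 | p4 << 4 | d1 << 5 | d2 << 6 | d3 << 7);
}

/* Corrects one flip per codeword, flags two; three or more can be miscorrected. */
static int secded_decode(uint8_t cw, uint8_t *d) {
    uint8_t syn = 0, par = 0;   /* syndrome = XOR of set positions, par = overall parity */
    int status = KEY_OK;
    for (uint8_t i = 0; i < 8; i++)
        if ((cw >> i) & 1) { syn ^= i; par ^= 1; }
    if (syn != 0 && par == 0) return KEY_FAULT;           /* double-bit error */
    if (par == 1) { cw ^= (uint8_t)(1u << syn); status = KEY_CORRECTED; }
    *d = (uint8_t)((cw >> 3 & 1) | (cw >> 5 & 1) << 1 | (cw >> 6 & 1) << 2 | (cw >> 7 & 1) << 3);
    return status;
}

/* cells must hold 2*n bytes: one codeword per key nibble. */
void key_store(const uint8_t *key, size_t n, uint8_t *cells) {
    for (size_t i = 0; i < n; i++) {
        cells[2 * i] = secded_encode(key[i] & 0x0F);
        cells[2 * i + 1] = secded_encode(key[i] >> 4);
    }
}

/* Fail closed: on any uncorrectable cell, wipe the output and report a fault. */
int key_load(const uint8_t *cells, size_t n, uint8_t *key) {
    int status = KEY_OK;
    for (size_t i = 0; i < n; i++) {
        uint8_t lo = 0, hi = 0;
        int a = secded_decode(cells[2 * i], &lo), b = secded_decode(cells[2 * i + 1], &hi);
        if (a == KEY_FAULT || b == KEY_FAULT) { memset(key, 0, n); return KEY_FAULT; }
        if (a == KEY_CORRECTED || b == KEY_CORRECTED) status = KEY_CORRECTED;
        key[i] = (uint8_t)(lo | hi << 4);
    }
    return status;
}
int main(void) {                       /* exits non-zero if the key had to be refused */
    uint8_t key[4] = {0x13, 0x57, 0x9B, 0xDF}, cells[8], out[4];  /* constructed key */
    key_store(key, 4, cells);
    cells[3] ^= 0x20;                  /* simulate one flipped bit in storage */
    return key_load(cells, 4, out) == KEY_FAULT;
}
```

This covers only the stored key cells; faults induced in the logic that uses the key, the case raised in the reply, are outside what memory coding can catch.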