CSE 127: Lecture 15


The topics covered in this lecture are strong/weak induction, DFA, extra credit project

Strong / Weak Induction and Recursion

Proofs of correctness for recursive algorithms require the use of strong induction. See the quicksort code and the handout [pdf].

Differential Fault Analysis

By applying external radiation to some types of smartcards, it is possible to change the stored key (in EEPROM cells) in a random way. The change often is minimal, only one or two bits changed. Furthermore, the affected bits will tend to reflect the charge leaking from the EEPROM cell, i.e., ones will turn into zeros much more often than the other way (exactly how the charge is interpreted depends on the EEPROM cell design, so it may actually be zeros turning into ones). This means that each application of external radiation is a short random walk that is biased towards setting the key to all zeros.

By recording a plaintext/ciphertext pair at each stage, we can determine if a guessed key is the same as the current key in the card, even though the key is never divulged by the card's interface. We simply run a software version of the algorithm with the guessed key and see if the plaintext/ciphertext pair would match.

This means we can do a sequence of small-neighborhood searches, starting backwards from the all-zeros key and search for the previous key.

If we irradiated the card too much, the number of changed bits will be too large, and the neighborhood -- edit distance between keys -- will be too large and the search ineffective. We may even destroy the card and have to start from scratch.

If we apply DFA correctly, we should be able to extract the original n-bit key with O(N2) work. This compares quite well with O(2N) work for exhaustively searching the keyspace.

Extra Credit Project

Download the DTA handout tarball. Extract it and read the README file. This is due midnight Friday, March 14.

Links

These are links additional security-related information. Exploring them is optional unless otherwise stated.


[ search CSE | CSE | bsy's home page | links | webster | MRQE | google | yahoo | citeseer | pgp certserver | openpgp certserver ]
picture of bsy

bsy+cse127.w03@cs.ucsd.edu, last updated Fri Mar 7 05:08:01 PST 2003. Copyright 2003 Bennet Yee.
email bsy.


Don't make me hand over my privacy keys!