Hongjun Wu, Feng Bao, Dingfeng Ye, and Robert H. Deng

Size: px

Start display at page:

Download "Hongjun Wu, Feng Bao, Dingfeng Ye, and Robert H. Deng"

Shanna Black
6 years ago
Views:

1 Cryptaalyss of the Perutato Protecto Schees Hogu Wu, Feg Bao, gfeg Ye, ad Robert H. eg et Rdge gtal abs Heg Mu eg errace Sgpore 963 {hogu, baofeg, dfye, Abstract. Aderso ad uh have proposed the EEPROM odfcato attack to recover the secret key stored the EEPROM. At ACISP 98, Fug ad Gray proposed a perutato protecto schee agast the EEPROM odfcato attack. At ACISP 99, Fug ad Gray poted out that ther orgal schee, a secret key wth too sall or too large Hag weght could be recovered easly. he they proposed a revsed perutato protecto schee ad claed that ther revsed schee does ot leak ay forato of the secret key. I ths paper, we break copletely both the orgal ad the revsed perutato protecto schees. he orgal schee s broke wth about log devces fro the sae batch ad about ( 3log + probes ( s the legth of the secret key ad s the aout of perutatos. he revsed perutato protecto schee s ore vulerable tha the orgal oe. It could be broke wth oly oe devce 3 ad about / 3 probes. Itroducto he desg of taperproof devce s a portat ssue the applcatos of cryptographc systes. here are bascally two types of attacks agast the taperproof devces. he drect attack s to reverse egeer the devce wth advaced hardware techology. Aother type of attacks s to force the devce to produce coputatoal errors. Boeh, emllo ad pto have developed such a attack agast taperproof devce [4]. I ther attack rado errors are troduced to the data o the devce. he rado errors cause a correspodg erroeous output that ca be used to deduce the key. hs attack s sple but powerful ad s able to break the devces usg RSA. A slar attack was reported depedetly by Bao, eg et. al. who showed how to attack the RSA, El Gaal ad Schorr Sgature schees []. Bha ad Shar later troduced the fferetal Fault Aalyss or FA [3]. FA ca be appled to recover a block cpher key fro a sealed taperproof devce. o resst these fault-related attacks the devce eeds to perfor fault checkg before outputtg the ecrypted (or decrypted, sged result. Aderso ad uh troduced the EEPROM odfcato attack that s qute geeral ad practcal. I ther attack, a attacker s assued to be able to wrte E. awso, A. Clark, ad C. Boyd (Eds.: ACISP, NCS 84, 97-,. Sprger Verlag Berl Hedelberg

2 98 H. Wu et al. arbtrary values to arbtrary locatos of the EEPROM, where the secret key s stored, but caot read a value fro the EEPROM. hs s because the cost of wrtg a value to EEPROM s uch lower tha that of readg a value fro EEPROM,.e., the wrtg ca be doe wth the low-cost equpet, such as croprobes, whle the readg requres uch ore expesve equpet, such as a electro-optcal probe. o protect the devce agast the EEPROM odfcato attack, Fug ad Gray proposed a cascaded perutato schee that uses a ( bt ecodg for a bt key [5]. Each batch of devces eploys the sae perutatos (.e., ecodg. he perutato wrg s secret ad t s assued that the attacker has o equpet to reveal the wrg. Fug ad Gray claed that the attack o the perutato schee requres O ( probes to coprose the key. I [6], Fug ad Gray poted out that f the Hag weght of a key s too sall or too large, the key could be recovered easly. he they troduced the revsed schee whch rado ubers are troduced to hde the forato about the Hag weght of the secret key. I ths paper, we show that both the orgal ad the revsed schees are ot secure. For the orgal schee, there exsts a attack that could recover the perutatos wth about log devces fro the sae batch ad about ( 3log + probes. he perutato schee acheves oly lear growth of coplexty wth a lear growth of the aout of perutatos. I the revsed schee, rado ubers are troduced to each devce to hde the forato of the Hag weght of the secret key. However, these rado ubers leak the forato about the secret perutatos. By odfyg these rado ubers, we could recover the appgs betwee those perutatos,.e., the perutato schee could be reduced to oe perutato schee. hus wth 3 oly oe devce, we break the revsed perutato schee wth / 3 probes. Sce oly oe devce s eeded ths attack, we cosder that the revsed schee s ore vulerable tha the orgal schee. We try to stregthe the revsed schee by elatg the flaw troduced by the rado ubers. However, there stll exst a attack that could recover those perutatos wth about devces fro the sae batch ad about 3.5( probes. A farly sple ad effcet schee to defeat the EEPROM odfcato attack s proposed ths paper. By restrctg the Hag weght of the key to be half of, oly oe perutato s eeded. hs paper s orgazed as follows. he EEPROM odfcato attack s troduced Secto. Fug ad Gray s orgal ad revsed perutato protecto schees are troduced Secto 3. We break the orgal ad the revsed perutato schee Secto 4 ad Secto 5, respectvely. I Secto 6, we break the stregtheed verso of the revsed schee. Secto 7 gves our sple ad effcet protecto schee. Secto 8 cocludes the paper.

3 Cryptaalyss of the Perutato Protecto Schees 99 he EEPROM Modfcato Attack I [], Aderso ad uh proposed the EEPROM odfcato attack. It s a physcal attack whch two croprobg eedles are used to set or clear target bts order to fer the. It s assued that EEPROM bts caot be read drectly sce the equpet requred s uch ore expesve tha the croprobg eedles. I the EEPROM odfcato attack, f oe bt of the secret key s set correctly, there would be o error the output of the devce; otherwse, error occurs. he secret key ca thus be detered bt by bt. Aderso ad uh s attack [] s wth respect to a ES key. he ore geeral attack descrbed by Fug ad Gray [5] s gve below: for = to - set the th bt to ; operate the devce; f the devce gves the correct output, the coclude that the bt s ; otherwse, coclude that the bt s ad reset t to. I addto to requrg oly low-cost equpet, ths attack ca be carred out wth very few probg actos. I partcular, t takes.5 probes o the average to recover a bt key. 3 he Perutato Protecto Schees he perutato schees [5,6] provde a physcal ecodg ( perutatos of keys, alog wth a logcal chp desg ad hdg the perutato wrg beeath the surface of the chp. he perutatos are cosdered as the batch key whch s kow oly to the aufacturers ad to those who are legtately prograg the devce. For exaple, the devces ay be aufactured batches of, devces all wth the sae batch key. A sgle custoer purchases a batch of devces ad s gve the batch key so that he ca progra secret keys to the cards. here are several assuptos ade. Frstly, the attacker s assued to be a clever outsder wth oderately sophstcated equpet". Secodly, the ecoded key s assued to be stored EEPROM ad that the attacker caot read the EEPROM drectly. Fally, t s assued that the attacker s ot able to see the exact wrg (. e., the batch key of the devces. he followg otatos are used the rest of ths paper: : he actual key bt vector wth legth of bts. It s to be used by the card ecryptg, sgg, etc. P : he physcal key bt vector wth legth of p bts. It s the actual bt patter stored the EEPROM. π : A perutato fucto, π : {,,,, -} {,,,, -}

4 H. Wu et al. π : he verse fucto of the perutato π Eleet of π : A eleet of the perutato table (, π ( ( {,,, }. π ( : It deotes the peruted result of uder the operato of π,.e., ( π ( = ( for, where ( deotes the value of π ( the th bt of. 3. Oe-Perutato Schee [5] I ths approach, the aufacturer chooses a rado perutato of the -bt key as the batch key ad works as follows: Schee. Oe-perutato Schee. he devce aufacturer chooses radoly a perutato π. Set P = π ( 3. he wrg pleets the verse of π 4. he devce reads fro P sce P = π ( π ( π ( =. he attacker ca fd the value of P as descrbed Secto. he the perutato p ca be detered as follows. he attacker frst sets P as a vector wth Hag weght oe, the operates the devce to obta a output. he value of ca be detered sce the Hag weght of s also oe due to the fact that = π ( P. hus oe eleet of π s kow. Repeat ths process for tes, the perutato p ca be detered wth about 3 probes. 3. Perutato Protecto Schee [5] I the perutato schee, the aufacturer chooses rado perutatos of the bt key as the batch key ad works as follows: Schee. perutato protecto schee. he devce aufacturer chooses perutatos: π, π,, π : {,,,, -} {,,,, -} for π = P P... P. et P, where deotes cocateato ad P = π (. 3. he wrg pleets the verse of those perutatos. 4. he devce reads fro P, fro P,, fro P. If = =... = s ot true, the devce gves a error essage.

5 Cryptaalyss of the Perutato Protecto Schees he attack to break the oe-perutato schee could ot be appled drectly to the perutato schee sce wthout kowg the secret perutatos, the odfed values of P ca pass the detecto wth eglgble probablty. As poted out by Fug ad Gray, soe secret key wth sall Hag weght could be recovered easly [5]. o elate such weakess, Fug ad Gray proposed the revsed perutato schee [6] to hde the forato about the Hag weght of the secret key by troducg rado ubers to each devce. he revsed schee s gve the ext subsecto. 3.3 he Revsed I the revsed devce. Schee 3. Revsed Perutato Protecto Schee perutato schee, rado ubers are troduced to each perutato protecto schee. Choose as a odd uber.. he devce aufacturer chooses perutatos π, π,, π as the secret forato (batch key for a batch of devces. : {,,,, -} {,,,, -} for π 3. Radoly choose bt words,,, for each devce. 4. Store the devce P = P P... P where = π π ( π ( P ( + od + od + od + od = P P... P 5. Store the devce P where P =. 6. he wrg pleets the verse of those perutatos. 7. he devce decodes the key as = π ( P 8. he devce the coputes ad = ( + od + od = = /\ π ( P π ( P π P = or + = ( + od + od \ ( π ( P π ( P od π ( P + od + od + od / where /\ ad \/ dcates logcal AN ad OR respectvely. If = =, the the devce uses the crypto ad or applcato; else retur a error essage. I the revsed schee (Schee 3, the Hag weght of the secret key s ukow after P ad P beg recovered uder the EEPROM odfcato attack. Fug ad ( Gray claed that the attacker has oly a probablty of to guess the bt key

6 H. Wu et al. sce the perutatos are ukow to the attacker. However, as we wll preset Secto 5, there exsts a attack that ca recover those perutatos wth 3 oly oe devce ad about / 3 probes. Oce those perutatos are recovered, the whole batch of devces s broke ad the secret keys ca be detered easly. 4 Cryptaalyss of the Orgal Perutato Protecto Schee Fug ad Gray have poted out a weakess ther orgal perutato protecto schee that soe keys wth sall or large Hag weght could be recovered easly. I ths secto, we preset a attack to break copletely the orgal schee wth about log devces fro the sae batch ad about 3 log probes. Our attack cossts of two steps. I the frst step, we detere the appgs betwee those perutatos by aalyzg log devces,.e., we reduce the protecto schee to oe-perutato schee. I the secod step, we recover the reag perutato. We start wth the frst step. Assue that about log devces fro the sae batch are avalable ad the values of P ( P = P P... P these devces are detered already by applyg the EEPROM odfcato attack. he aout of probes eeded here s about 3 log. We deote P as the value of P the th devce. We kow that P = π o π ( P sce P = π ( ad P = ( π ( s the secret key the th devce. he perutato π s detered as follows. Cosder two ( log bary atrces M ad N wth the th row M = P ad N = P. We ote that M = π o π ( N,.e., M s obtaed by exchagg the colus of N uder the perutato π. Clearly, f all the colus of N are dfferet, the perutato π ca be detered uquely. Assue that all the keys are radoly geerated, the the colus of the atrx N are rado eleets a set wth eleets. Fro the brthday paradox, the probablty that all these eleets are dfferet s about.6 (for alost all the key legth hus the perutatos π ( < could be uquely detered wth about log devces wth probablty about.6. If a few eleets of the perutatos π ( < could ot be recovered (.e., soe colus of the atrx N are wth the sae value, soe key bts would be ukow. However, those key bts ca be detered easly by exhaustve search. I the rest of ths secto, we sply assue that π ( < are uquely detered already. he there s oly oe ukow perutato left,.e., f we ca fd π, we wll kow all the π sce π = ( π. We gve below the detals to recover π.

7 Cryptaalyss of the Perutato Protecto Schees 3 o recover π, we eed to wrte a key wth Hag weght oe to the devce correctly so that π ( P = π ( P = = π ( P. If P s set as a bt word wth Hag weght oe, the P could be detered easly sce P = π ( P ad π s kow already. hus we are able to wrte ay key wth Hag weght oe to the devce. Oce kowg the devce output, the value of the key wth Hag weght oe could be detered. Sce P = π (, oe eleet of π s detered. Set the bt wth value at dfferet postos P ad repeat the attack, we could recover π wth about probes. Fro π ad π ( =,,, we kow all the perutatos ad thus ca break the protecto schee. About log devces are eeded ths attack ad the total aout of probes eeded s about log + 3 = ( 3log +. he attack ths secto eeds about log devces fro the sae batch. I case devces fro a uber of batches are well xed, a sple ethod could be used to group those devces. We wrte the P of oe devce to all the devces, the those devces that operate properly belog to the sae batch. 5 Cryptaalyss of the Revsed Perutato Protecto Schee I the revsed schee, rado ubers are troduced to each devce to hde the forato of the Hag weght of the secret key. However, the revsed schee s fact ore vulerable tha the orgal oe sce those rado ubers leak the forato about the perutatos. Wth oly oe devce, those perutatos could 3 be recovered wth about / 3 probes. Slar to the attack Secto 4, the attack ths secto cossts of two steps. he frst step of the attack s to reduce the protecto schee to oe-perutato schee by odfyg the rado ubers. he secod step s to recover the reag perutato. We start wth the frst step. Assue that the values of P ad P a devce are detered already by applyg the EEPROM odfcato attack. We ote that those ubers ( =,,, the revsed schee are radoly chose. Obvously, f we replace ay wth aother rado uber, the value of the secret key wll ot be affected ad the devce wll operate properly. Suppose we wat to odfy the th bt of a partcular rado uber. hs bt s deoted as. We kow that ths bt appears oly P, P od ad P od sce P =, (,

8 4 H. Wu et al. Modfyg the bt P. Modfyg, π P ( od od + od + od P = π ( π ( π ( od od od od = π π ( π ( ( (3 P s trval sce we oly eed to vert the value of, ad od od P, od ad P od wthout kowg the perutato π requres about / trals o average. hus wth about probes, we could odfy the value of successfully (If t s ot odfed, P P correctly, the devce gves error essage. If the values of P, ad, od, od, are odfed ad the devce operates properly, we kow fro (, ( ad (3 that π o π ( =, π ( = od od We thus detered oe eleet of π ad π. Repeat ths attack od od for the rest bts of, π ad π are recovered wth about od od probes. Slar attack ca be appled to recover the perutatos π obtaed as follows: ( =,,, od. Fro these perutatos, π π = ad od ( =,, are π = ( π o ( π ( π = ( π = ( π + od ( π + od o ( π + od ( π o ( π o ( π + od o ( π o ( π (4 After π ( =,, beg recovered, oly π reas to be recovered. o recover π, we eed to wrte a key wth Hag weght oe to the devce correctly,.e., the values of ad ( =,,, should be set correctly P ad P. We deal frst wth. We choose as a bt word wth Hag weght oe. It appears P ( =,,, ad ( =,,,. he value of P s tself sce P = ( =,,,. But, the value of P, s ukow sce = π ( ad π s ukow. We radoly set as a bt word wth Hag weght oe. he probablty that = π ( s. After settg the value of P, the value of P could be detered sce = π ( = π o π ( ad π s kow fro (4. hus the values of P ad P are detered wth probablty P. We the deal wth the rado

9 Cryptaalyss of the Perutato Protecto Schees 5 ubers ( =,,,. he splest way s to set ther values as zero. he ther values P ad P are zero. Now, we are able to wrte a key wth Hag weght oe to a devce wth success rate. Oce the devce operates properly, we kow that the key s wrtte successfully to the devce. If that happes ad the bt ad are wth value oe, the = π (,.e., oe eleet of π s recovered. he aout of probes eeded s about. Repeat ths attack, we could fally recover π wth about probes. = After recoverg π ad π ( =,,, we break the revsed protecto schee copletely. Oly oe devce s eeded ths attack ad the total 3 aout of probes eeded s about + / 3. = = I the ext secto, we wll dscuss whether the revsed protecto schee could be stregtheed or ot. Our aalyss gves egatve result. 6 Is It Possble to Stregthe the Revsed Schee he attack Secto 5 s based essetally o the fact that each rado uber appears at oly three locatos the EEPROM. he appgs betwee the perutato tables could be detered by odfyg oe by oe the bt of those rado ubers. o resst the attack Secto 5, each rado uber should appear at far ore tha three locatos the EEPROM. For exaple, the P the revsed schee ca be odfed as P = π ( π ( π ( π ( + od + od + od + od + 8od + 8 od the each rado uber appears at eght postos the EEPROM. However, the revsed schee stregtheed ths way s stll ot secure. We ca recover those perutato tables f about devces fro the sae batch are avalable. I the rest of ths secto, we preset a ew attack to break oly Schee 3, but the sae attack ca be appled to the schee where each rado uber appears at a uber of locatos the EEPROM. Assue that about devces fro the sae batch are avalable ad the values of P ( P = P P... P ad P ( P = P P... P these devces are detered already by applyg the EEPROM odfcato attack. he aout of probes eeded here s about 3 (. We deote P ad P as the values of P ad P the th devce, respectvely. Our a s to wrte a P wth Hag weght oe to the devce. Fug ad Gray have cosdered ths kd of attack ad cocluded that t s possble to apply t to break ther revsed schee [6]. hey cosder that f a P wth Hag weght oe s wrtte to the EEPROM ad the value of P s radoly set, the the probablty,

10 6 H. Wu et al. that the devce could operate properly (o error essage s eglgbly sall (about. However, wth about devces fro the sae batch, t s possble to costruct a rght par ( P, P (a rght par eas that wth whch the devce operates properly ad gves o error essage. he ethod to costruct such a par s gve below. Algorth. hs algorth s to costruct a par ( P, P for ay gve P. It eeds devces fro the sae batch.. For two bary atrces M ad N wth the th colu M = ( P ad N = ( P.. Solve the lear equatos M x = P. et P = ( N x. 3. he par ( P, P s the oe we eed. he we eed to show: the equato M x = P could be solved,.e., the atrx M s vertble wth large probablty, wth the par ( P, P geerated Algorth, the devce operates properly. o show that the Matrx M s vertble wth large probablty, we start wth the followg theore. heore. I Schee 3 (the revsed protecto schee, assue that all the keys ad rado ubers the devces are geerated depedetly ad radoly. Choose devces fro the sae batch. For a bary atrx M, wth the th colu M = ( P. he the atrx M s a rado atrx. he proof of heore s gve the Appedx. I theore, we deal oly wth Schee3. But the sae result could be obtaed f each rado uber appears at ore tha three locatos the EEPROM. Fro heore, we kow atrx M s radoly geerated. So t s vertble wth probablty about.9. Wth slghtly ore tha devces, a vertble atrx M could be fored. So the par ( P, P Algorth ca be obtaed. he we show below that wth the par ( P, P geerated Algorth, the devce operates properly. heore. I Schee 3, choose ay devces fro the sae batch. et P = = P ad P = = P operate properly (o error essage s gve.. If P ad P are wrtte to the devce, the devce wll

11 Cryptaalyss of the Perutato Protecto Schees 7 Proof. Sce P = = P ad P = = = P, t s equvalet to ecode a key = = wth rado ubers ( =,,,. hus, the key wll be = decoded correctly ad the devce wll operate properly. Fro the dscusso above, we kow that fro slghtly ore tha devces, a rght par ( P, P whch the Hag weght of P s oe could be obtaed easly. Oce we obtaed such a par, we could recover oe eleet of those perutato tables as follows. Suppose oly the bt P, P s wth value oe. Fro Schee 3, we kow that the key s decoded as = ( P l l l= π = ( P π. So the Hag weght of s oly oe. By aalyzg the output of the devce, the value of ca be detered. Suppose the bt wth value oe s, the = π (,.e., oe eleet of π s recovered. Set the o-zero bt at other postos P ad repeat ths attack, we ca fally recover all the perutato tables. he aout of probes eeded s about (.5 =.5 (. he attack ths secto thus break the revsed protecto schee eve f the schee allows each rado uber appearg at ore tha three locatos. It eeds slghtly ore tha devces fro the sae batch. he total aout of probes eeded s about 3 ( +.5 ( = 3.5 (. 7 How to Prevet the EEPROM Modfcato Attack We ow kow that all the perutato schees are ot secure. he flaw those schees s that those perutatos could be reduced to oe perutato. We ote that all the attacks ths paper have oe coo step: a key wth Hag weght oe s wrtte to the EEPROM to recover the perutato table eleet by eleet. o hde the perutato, we beleve that the ost essetal way s to dsallow a key wth too sall (or too large Hag weght beg wrtte to the devce. Based o ths observato, we gve below a farly sple ad effcet schee to resst the EEPROM odfcato attack. Schee 4. hs schee protects a bt secret key agast the EEPROM odfcato attack wth the use of oly oe bt perutato. It s the stregtheed verso of the oe-perutato schee gve Subsecto 3... Choose a perutato π as the batch key.. Choose the secret key wth Hag weght /. 3. et P = π ( ad wrte P to the EEPROM. 4. he wrg pleets the verse of π.

12 8 H. Wu et al. 5. he devce reads fro P. If the Hag weght of s /, s accepted; otherwse, the devce gves error essage. he value of P could be recovered by applyg the EEPROM odfcato attack. However the perutato π could ot be recovered. he reaso s that the output of π (the value of P s kow, but the put of π (the value of s ukow. By applyg the EEPROM odfcato attack, the secret key could oly be recovered by exhaustve search ad the coplexty s.5. For = 8, the coplexty s /.7 about ad t s suffcet to defeat the exhaustve key search. We thus beleve that Schee 4 s suffcet to resst the EEPROM odfcato attack. However, t should be oted that ay coprose of the secret key degrades the securty of the devces of the sae batch. As poted out by the aoyous referee, soe publc key cryptosystes such as RSA do ot allow the Hag weght to be cotrolled. Schee 4 could ot be used to protect the prvate keys these cryptosystes. o resst the EEPROM odfcato attack, we recoed the use of a hash fucto. he oe-perutato schee Subsecto 3. s used to protect the key together wth ts hashed value. he devce hashes the key ad copares the result wth the hashed value stored the EEPROM. If these two values are equal, the key s used the crypto applcatos; otherwse, the devce gves error essage. 8 Cocluso I ths paper, we showed that Fug ad Gray s orgal ad revsed perutato schees are ot secure. We the proposed a very sple ad effcet schee to resst the EEPROM odfcato attack by allowg oly the key wth Hag weght / beg wrtte to the devce. Ackowledgeet We would lke to thak the aoyous referees of ACISP for ther helpful coets. Refereces. R. Aderso ad M. uh, "ow Cost Attacks o aper Resstat evces", Securty protocols: Iteratoal Workshop 97, NCS 36, Sprger-Verlag, pp.5-36, 997.

13 Cryptaalyss of the Perutato Protecto Schees 9. F. Bao, R.H. eg, Y. Ha, A. Jeg, A.. Narashaly ad. Ngar, "Breakg Publc ey Crystosystes o aper Resstat evces the Presece of raset Faults", Securty Protocols: Iteratoal Workshop 97, NCS 36, Sprger-Verlag, E. Bha ad A. Shar, "fferetal Fault Aalyss of Secret ey Cryptosystes", Advaces Cryptology - Crypto 97, NCS 94, Sprger- Verlag, pp , Boeh, R.A. ello ad RJ pto, "O the Iportace of Checkg Cryptographc Protocols for Faults", Advaces Cryptology - Eurocrypt 97, NCS 33, Sprger-Verlag, pp. 37-5, W.W. Fug ad J.W. Gray, "Protecto Agast EEPROM Modfcato Attacks", Iforato Securty ad Prvacy - Proc. of ACISP 98, NCS 438, Sprger-Verlag, pp. 5-6, W.W. Fug ad J.W. Gray, "O -perutato Protecto Schee Agast Modfcato Attack", Iforato Securty ad Prvacy - Proc. of ACISP 99, NCS 587, Sprger-Verlag, pp , 999. Appedx. Proof of heore ea. Cosder the operato over GF (. et N ad N be two ( bary atrces. If N s wth rak ad each eleet of N s geerated depedetly ad radoly, the N N s radoly geerated. ( Proof. Select learly depedet colus fro N ad for a atrx N. he reag colus for a atrx N. Select ay colus fro N ad for a atrx N. he reag colus for a atrx N. Clearly, the atrx N ( N s radoly geerated sce N s a vertble atrx ad N s a rado atrx. he atrx N ( N = N ( N + N ( N, where N ( N ad N ( N are two depedet atrces sce N ad N are depedet fro each other. So the atrx N N s radoly geerated. ( ea. A ( + bary atrx M, f M M for, = =,, + M = ad all the other eleets are wth value,.e., M s the followg, for:

14 H. Wu et al. he the rak of M s. M = (A. M M M O O M M Proof. Cosder the last colus of M. hey for a tragular atrx M. det( = M, =,.e., the rak of M s. So the rak of M s. = M ea 3. For a bary atrx M, f M for {(, =, or = or = =, } ad the other eleets are wth value,.e., M s the followg for: M = (A. M M M M O M he the rak of M s f ad oly f s a odd uber. Proof. eote a relatoshp holds: atrx M the for of (A. as det( M = + det( M. ( + ( + M. he followg Sce det( M =, we kow that det( M = od. So f ad oly f s a odd uber, det( M =,.e., the rak of M s. heore. I Schee 3 (the revsed protecto schee, assue that all the keys ad rado ubers the devces are geerated depedetly ad radoly. Choose devces fro the sae batch. For a bary atrx M, wth the th colu M = ( P. he atrx M s radoly geerated. et r (, be bt bary ubers, r = Proof. π for ad ( + od + od r = (where s the +th + od rado

15 Cryptaalyss of the Perutato Protecto Schees uber the th devce ad s the key the th devce. Assue ad + od are geerated depedetly ad radoly, so r (, are geerated depedetly ad radoly. et s (, be ( + bt bary ubers, the k th bt of s s detered fro s = r,.e., s, k ( ( + + k ( ( + + k od/, ( + + k od (, < are the peruted result fro r (,. Clearly, the eleets For a + s, are geerated depedetly ad radoly. k ( atrx S wth S = s. Sce every, ( od + / +, od + eleet of S s geerated depedetly ad radoly, the probablty that S wth rak s about For a ( + atrx ad a atrx P : = M M M M O M P P = M P M P M P M O M P where s a ( + bary atrx the for of (A. ad P s a atrx the for of (A.. Fro ea ad 3, t s easy to see that both P ad are wth rak. efe a atrx M as M = P S. Fro ea, we kow that M s radoly geerated sce P ad are wth rak ad S s radoly geerated. he atrx M fored Schee 3 could be cosdered as beg fored by exchagg the colus of M. So the atrx M s radoly geerated.

2/20/2013. Topics. Power Flow Part 1 Text: Power Transmission. Power Transmission. Power Transmission. Power Transmission

2/20/2013. Topics. Power Flow Part 1 Text: Power Transmission. Power Transmission. Power Transmission. Power Transmission /0/0 Topcs Power Flow Part Text: 0-0. Power Trassso Revsted Power Flow Equatos Power Flow Proble Stateet ECEGR 45 Power Systes Power Trassso Power Trassso Recall that for a short trassso le, the power