Analysis of some simple stabilizers for physically obfuscated keys

Abstract

Physically Obfuscated Keys (POK) are used to embed in chips secret bit-strings to be used in cryptographic protocols. Usually a POK is built as an array of elementary 1-bit POKs (cells). In order to guarantee that the same secret bit-string is generated at every turn-on, stabilizer circuits are required, which are typically based on possibly expensive error-correction circuitry. In this paper we propose a stabilizer scheme that is not based on error-correction codes, but rather forces to zero the cells that are too unreliable and compensate for the disabled cells by means of a mixing stage.

A Proofs

Lemma 4

Let be any matrix in with . If , then or, equivalently,

(38)

In particular, if is full rank, then .

Proof

The case is obvious. The other case follows from the fact that if the equation has always solutions. \(\square \)

Proof A.1

Proof of Lemma 1, page 9 Let and let be the projection on , that is,

(39)

Step 1: Showing that .

Let . Since it must exist such that . Since also , it must be , that is, . Therefore, we showed that . In order to show the other implication, let . Of course, and it remains to show that , but in order to prove this it suffices to observe that since .

Step 2: Prof of (14).

Since is full-rank, and the following equality holds

(40)

where the last equality follows by observing that the null-rank theorem states that and that \(\dim (\ker ({\mathbf M}^t))=0\). By exploiting the null-rank theorem, we can deduce

(41)

Equation (14) follows at once from (41).

Step 3: Proof of (15) Call, for notational convenience, and and .

The left-hand side inequality is obvious since implies . In order to prove the right-hand side inequality, suppose , that is, is strictly contained in . Let \(\beta _1, \ldots , \beta _D\) be a basis of and let \(\alpha \) be a vector of that does not belong to . At least one vector \(\alpha \) exists since we are supposing that is strictly contained in . Remember that and observe that since , the ath component of \(\alpha \) must be equal to 1, that is, \([\alpha ]_a =1\), otherwise \(\alpha \) would belong to .

We want to show that every vector of can be written as a linear combination of \(\beta _1, \ldots , \beta _D\) and \(\alpha \), that is, that \(\{\alpha , \beta _1, \ldots , \beta _D\}\) is a basis of . This will imply .

Let \(\xi \) be any vector of .

• if , \(\xi \) can obviously be written as linear combination of \(\beta _1, \ldots , \beta _D\);

• if , then by repeating the reasoning done for \(\alpha \) we deduce \([\xi ]_a=1\). Therefore, \([\xi -\alpha ]_a=0\) and can be written as linear combination of \(\beta _1, \ldots , \beta _D\).

Step 4: Proof of (16) Equation (16a) follows at once from (14) since if then . Inequality (16b) is easily proved by induction by using any , as initial case and using (15) in the inductive step. \(\square \)

Proof A.2

Proof of Theorem 1, page 9 In order to compute probabilities (17), we are going to condition over the set of zeroed cells. Let \({\mathfrak I}\) be a random subset of \(\{1, \ldots , n\}\) with the following probability

(42)

Note that the event \({\mathscr {A}}_{}\) is equivalent to \(|{{\mathfrak I}}|\le Z\). By conditioning over \({\mathfrak I}\) one obtains

(43)

where we used the fact that is contained in \({\mathscr {A}}_{}\) (since ).

Since is \(m\)-mixing with \(m\ge Z\), is full rank for all . It follows from Lemma 4 that

(44)

Using (44) in (43) one obtains

(45)

where we used the fact that since events are a partition of \({\mathscr {A}}_{}\). \(\square \)

Proof A.3

Proof of Theorem 2, page 9 Probability \( P[{{{\overline{{\mathbf x}}}_{}}={\mathbf x}_{}}|{{\mathscr {A}}_{\text {PUC}}}]\) can be computed by conditioning on . Note that sets \({\mathscr {I}}_{ {c,s}}\) with \(c\le Z\) and \(s\le Z-m\) are a partition of \({\mathscr {I}}_{{\mathscr {A}}_{}}\) (note that some \({\mathscr {I}}_{ {c,s}}\) can be empty, but this does not invalidate the reasoning).

It follows

(46)

where we used definition (23) of \(q_{c}\) and the fact that event is contained in \({{\mathscr {A}}_{\text {PUC}}}\). According to Lemma 4, is equal to if and zero otherwise. It follows that in the last sum of (46), only the terms corresponding to such that survive. Remembering definition (22) of \({\mathscr {N}}_{c,s}\, {}\) one can write

(47)

\(\square \)

Proof A.4

Proof of Lemma 3, page 10 Step 1: Proof of (30) In order to prove (30), it is convenient first to isolate the values of \(c\) that are within the mixing limit \(m\) and use (19b) to obtain

(48)

As it will result clear later, the first addend in the last line of (48) can be written as ratio \({F_{{n},{p_{\text {u}}}} { {({m})}}} / {F_{{n},{p_{\text {u}}}} { {({Z})}}}\). Our aim is to extract from the second addend a term similar to the first one in order to combine them.

(49)

Observe that because of (19a), every with must belong to one (and only one) set \({\mathscr {I}}_{ {c,s}}\) with \(s\le c-m\). This implies that the sum in square brackets in (49) is equal to the number of the sets with . Therefore, (49) can be rewritten as

$$\begin{aligned} \sum _{c=m+1}^{Z} q_{c}\sum _{s=0}^{c-m} 2^{s} |{{\mathscr {I}}_{ {c,s}}}|= & {} \sum _{c=m+1}^{Z} q_{c}{c\atopwithdelims ()n} \nonumber \\&+ \sum _{c=m+1}^{Z} q_{c}\sum _{s=1}^{c-m} (2^{s}-1) |{{\mathscr {I}}_{ {c,s}}}|\end{aligned}$$

(50)

Equation (50) can now be used in (48) to obtain, using the definition of \(q_{c}\) and the fact that \(P[{{\mathscr {A}}_{\text {PUC}}}] = {F_{{n},{p_{\text {u}}}} { {({Z})}}}\),

(51)

where the last passage follows by observing that the sum at the numerator is the probability that a Binomial random variable is less or equal to \(Z\).

Step 2: Proof of bounds (31)

The lower bound in (31) is easily proved by limiting sum in (30) to only \(c=d\) (and, consequently, \(s=1\)) and remembering that \( |{{\mathscr {I}}_{ {d,1}}}| = W_{d}\) (see (19c)).

In order to prove the upper bound

where the last steps follow a reasoning similar to the one used for (51). More precisely, (*) is obtained by observing that every belongs to one and only one \({\mathscr {I}}_{ {c,s}}\), while the last equality follows from the fact that the sum in (**) is the probability that a Binomial r.v. is not larger than \(Z\). \(\square \)

Proof A.5

Proof of Theorem 4, page 11 First, let us compute the probability that the PO of a cell is 0 conditioned by \({{\mathscr {A}}_{\text {PUC}}}\).

$$\begin{aligned} \begin{aligned} P[B_{i}=0|{{\mathscr {A}}_{\text {PUC}}}] =&\mathrel {\mathop {\underbrace{P[B_{i}=0|{{\mathscr {A}}_{\text {PUC}}}, U_{i}=1]}}\limits _{1}} \;P[U_{i}=1|{{\mathscr {A}}_{\text {PUC}}}] \\ +&\mathrel {\mathop {\underbrace{P[B_{i}=0|{{\mathscr {A}}_{\text {PUC}}}, U_{i}=0]}}\limits _{1/2}} \;P[U_{i}=0|{{\mathscr {A}}_{\text {PUC}}}] \end{aligned} \end{aligned}$$

(54)

Probability \(P[B_{i}=0|{{\mathscr {A}}_{\text {PUC}}}, U_{i}=0]\) is equal to 1 since if \(U_i=1\) the cell is zeroed, while probability \(P[B_{i}=0|{{\mathscr {A}}_{\text {PUC}}}, U_{i}=0]\) is equal to 1 / 2 since if \(U_i=0\) the cell is reliable and the PO is the “natural” one. Therefore,

$$\begin{aligned} \begin{aligned} P[B_{i}=0|{{\mathscr {A}}_{\text {PUC}}}]&= P[U_{i}=1|{{\mathscr {A}}_{\text {PUC}}}] + \frac{1}{2} P[U_{i}=0|{{\mathscr {A}}_{\text {PUC}}}] \\&= P[U_{i}=1|{{\mathscr {A}}_{\text {PUC}}}] {+} \frac{1}{2} (1-P[U_{i}{=}1|{{\mathscr {A}}_{\text {PUC}}}]) \\&= \frac{1}{2} (1- {\mathfrak u}) + {\mathfrak u}= \frac{1}{2}(1+ {\mathfrak u}) \end{aligned} \end{aligned}$$

(55)

Note that \(P[B_{i}=0|{{\mathscr {A}}_{\text {PUC}}}] \ge 1/2\), since \(B_i=0\) can be obtained with a reliable cell with PO equal to 0 or with an unreliable cell.

Proof of (34) First, we prove the equality in (34). Let \(U_i\), \(i=1,\ldots , L\) be the r.v. that assumes value 1 if the ith cell is unreliable and 0 otherwise. Suppose, without loss of generality, that we are considering the first cell, that is, we want to compute \({\mathfrak u}=P[U_1=1|{\mathscr {A}}_{}]\). Block acceptance event \({\mathscr {A}}_{}\) can clearly be written as \(\sum _{i=1}^{L} U_i \le Z\). Therefore,

$$\begin{aligned} {\mathfrak u}=P[U_1=1|{\mathscr {A}}_{}]&= \frac{P[U_1=1,\;{\mathscr {A}}_{}]}{P[{\mathscr {A}}_{}]} = \frac{P[U_1=1,\;\sum _{i=1}^{L} U_i \le Z]}{P[\sum _{i=1}^{L} U_i \le Z]} \\&= \frac{P[U_1=1,\;\sum _{i=2}^{L} U_i \le Z-1]}{P[\sum _{i=1}^{L} U_i \le Z]}&\hbox { Use}\ U_1=1 \\&= \frac{P[U_1=1]\;\;P[\sum _{i=2}^{L} U_i \le Z-1]}{P[\sum _{i=1}^{L} U_i \le Z]}&U_i\text { independent} \\&= p_{\text {u}}\frac{F_{{L-1},{p_{\text {u}}}} { {({Z-1})}}}{F_{{L},{p_{\text {u}}}} { {({Z})}}}&\sum _i U_i\text { binomial} \end{aligned}$$

Now, we need to prove the inequalities in (34). Left-hand side inequality \( {\mathfrak u}\ge 0\) is obvious. Moreover, it is easy to check that the extremes in (34) are reached for \(Z=0\) and \(Z=n\). It remains to show that \({F_{{n-1},{p_{\text {u}}}} { {({Z-1})}}} \le {F_{{n},{p_{\text {u}}}} { {({Z})}}}\). Suppose that \(A_i\), \(i=1, \ldots , n\) are iid Bernoulli r.v. with alphabet \(\{0,1\}\) and \(P[A_i =1]=p_{\text {u}}\). Since \(\sum _{i=1}^{n} A_i \sim {\mathscr {B}}( {n,} p_{\text {u}})\), it follows

$$\begin{aligned} F_{{n},{p_{\text {u}}}} { {({Z})}}&= P\left[ \sum _{i=1}^{n} A_i \le Z\right] \end{aligned}$$

(56a)

$$\begin{aligned}&= P\left[ \sum _{i=1}^{n} A_i \le Z| A_1=0\right] (1-p_{\text {u}}) \nonumber \\&\quad + P\left[ \sum _{i=1}^{n} A_i \le Z| A_1=1\right] p_{\text {u}}\end{aligned}$$

(56b)

$$\begin{aligned}&= P\left[ \sum _{i=2}^{n} A_i \le Z] (1-p_{\text {u}}) {+} P[\sum _{i=2}^{n} A_i \le Z-1\right] p_{\text {u}}\end{aligned}$$

(56c)

$$\begin{aligned}&= (1-p_{\text {u}})\,F_{{n-1},{p_{\text {u}}}} { {({Z})}}+ p_{\text {u}}\, F_{{n-1},{p_{\text {u}}}} { {({Z-1})}}\end{aligned}$$

(56d)

$$\begin{aligned}&\ge (1-p_{\text {u}})\,F_{{n-1},{p_{\text {u}}}} { {({Z-1})}} + p_{\text {u}}\, F_{{n-1},{p_{\text {u}}}} { {({Z-1})}}\end{aligned}$$

(56e)

$$\begin{aligned}&= F_{{n-1},{p_{\text {u}}}} { {({Z-1})}}. \end{aligned}$$

(56f)

Min-entropy (35) In order to compute min-entropy observe that, for every cell, 0 is the most probable PO; therefore, the most likely outcome is the all-zero word. It follows that

(57)

\(\square \)