How to Disembed a Program?

  • Benoît Chevallier-Mames
  • David Naccache
  • Pascal Paillier
  • David Pointcheval
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3156)


This paper presents the theoretical blueprint of a new secure token called the Externalized Microprocessor (X μ P). Unlike a smart-card, the X μ P contains no ROM at all.

While exporting all the device’s executable code to potentially untrustworthy terminals poses formidable security problems, the advantages of ROM-less secure tokens are numerous: chip masking time disappears, bug patching becomes a mere terminal update and hence does not imply any roll-out of cards in the field. Most importantly, code size ceases to be a limiting factor. This is particularly significant given the steady increase in on-board software complexity.

After describing the machine’s instruction-set we introduce a public-key oriented architecture design which relies on a new RSA screening scheme and features a relatively low communication overhead. We propose two protocols that execute and dynamically authenticate arbitrary programs, provide a strong security model for these protocols and prove their security under appropriate complexity assumptions.


Embedded cryptography RSA screening schemes ROM-less smart cards program authentication compilation theory provable security mobile code 


  1. 1.
    Aho, A., Sethi, R., Ullman, J.: Compilers: Principles, Techniques, and Tools. Addison-Wesley, Reading (1986)Google Scholar
  2. 2.
    Biham, E., Shamir, A.: Differential Fault Analysis of Secret Key Cryptosystems. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 513–525. Springer, Heidelberg (1997)Google Scholar
  3. 3.
    Biehl, I., Meyer, B., Müller, V.: Differential Fault Attacks on Elliptic Curve Cryptosystems. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 131–146. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  4. 4.
    Bellare, M., Garay, J., Rabin, T.: Fast Batch Verification for Modular Exponentiation and Digital Signatures. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 236–250. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  5. 5.
    Bellare, M., Rogaway, P.: Random Oracles Are Practical: a Paradigm for Designing Efficient Protocols. In: Proceedings of the first CCS, pp. 62–73. ACM Press, New York (1993)Google Scholar
  6. 6.
    Chevallier-Mames, B., Naccache, D., Paillier, P., Pointcheval, D.: How to Disembed a Program?, IACR ePrint Archive, (2004)
  7. 7.
    Chen, Z.: Java Card Technology for Smart Cards: Architecture and Programmer’s Guide. The Java Series. Addison-Wesley, Reading (2000)Google Scholar
  8. 8.
    Coron, J.-S.: On the exact security of full domain hash. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, p. 229. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  9. 9.
    Coron, J.-S., Naccache, D.: On the Security of RSA Screening. In: Proceedings of the Fifth CCS, pp. 197–203. ACM Press, New York (1998)Google Scholar
  10. 10.
    Knuth, D.E.: The Art of Computer Programming, 3rd edn. Seminumerical Algorithms, vol. 1, pp. 124–185. Addison-Wesley, Reading (1997)Google Scholar
  11. 11.
    Muchnick, S.: Advanced Compiler Design and Implementation. Morgan Kaufmann, San Francisco (1997)Google Scholar
  12. 12.
    Ramalingam, G.: Identifying Loops in Almost Linear Time. ACM Transactions on Programming Languages and Systems 21(2), 175–188 (1999)CrossRefMathSciNetGoogle Scholar
  13. 13.
    Stata, R., Abadi, M.: A Type System for Java Bytecode Subroutines, SRC Research Report 158, June 11 (1998),

Copyright information

© Springer-Verlag Berlin Heidelberg 2004

Authors and Affiliations

  • Benoît Chevallier-Mames
    • 1
  • David Naccache
    • 1
  • Pascal Paillier
    • 1
  • David Pointcheval
    • 2
  1. 1.Gemplus/Applied Research and Security Center 
  2. 2.Ecole Normale Supérieure/CNRS  

Personalised recommendations