Software-based Remote Memory Attestation Using Quantum Entanglement

We demonstrate a method for software-based remote memory attestation using Quantum Effects. The resulting protocol has the unique feature of resisting collusion be-tween two dishonest devices, one of which has unbounded computational resources.


Introduction
Detecting whether an embedded device is infected with malware is essential to maintaining a secure critical infrastructure, as malicious code is used, for example, to compromise secrets and escalate privileges remotely.A popular approach to this problem is Remote attestation (RA): a trust establishment mechanism whereby a device, called verifier, ensures the memory content of another device, called prover, a e-mail: j.laeuchli@adfa.edu.aub e-mail: rolando.trujillo@urv.cat is in a safe (possibly initial) state, thereby ensuring the absence of malicious code in memory.The term remote in this case means that the verification procedure is executed over a network, rather than by having direct physical access to the embedded device.In this setting, authentication becomes an important security requirement, allowing the verifier to ensure that the intended prover is being attested rather than a third-device, possibly placed by the attacker.
Because the goal of remote attestation is to verify whether the prover is in an initial safe state, none or few security assumptions can be made about the cryptographic keys stored in the device prior the execution of the protocol.Hence RA protocols usually rely on non-cryptographic means, such as secure hardware, timed channels, visual inspection, signal jamming, device fingerprinting, etc. Amongst these techniques, only secure hardware offers cryptographic proofs of authentication by protecting secrets and preventing ma-licious code from interfering with the attestation routine Eldefrawy et al. (2017); Kuang et al. (2022).
Relying on secure hardware to achieve authentication poses two problems, though.First, it increases the manufacturing cost.Second, it makes a vulnerability in the hardware itself costly to fix and impossible to patch at a large scale.
While software vulnerabilities can be patched remotely, hardware vulnerabilities likely require a call out of vulnerable devices.This makes the problem of designing a remote attestation protocol that achieves authentication without relying on secure hardware worth addressing.
Prior research results Francillon et al. ([n. d.]); Trujillo-Rasua ([n. d.]); Armknecht et al. (2013) have shown the problem above unsolvable when the prover can receive help from an attacker.The insecurity argument goes as follows.If the embedded device has been compromised by an attacker and the device has no secure hardware, then all its memory content, including all cryptographic keys, can be leaked.The attacker can thus dump the memory content of the embedded device into a more powerful device that would take over the communication with the verifier, or instruct the prover to relay its communication with the verifier to a more powerful device.In the literature, the latter attack is called a proxy attack Seshadri et al. (2005), while the former is usually neglected.While this argument is correct under the standard computational model, we show in this article that achieving secure remote attestation without secure hardware is possible within a quantum computational model.
Contributions.We put forward in this work the first remote attestation protocol that satisfy authentication and resists collusion with remote conspirators without relying on secure hardware, but on information and quantum theory instead.
Our protocol requires the embedded device and the verifier to share some quantity of maximally entangled qubit pairs (EPRs), needing only low depth quantum circuits that have already been experimentally achieved.That is, our method requires relatively simple quantum capabilities on both the verifier and the embedded device.
Rather than using secret keys, our protocol uses entangled qubit pairs for authentication.However, different to current quantum authentication mechanisms, our approach restricts the prover in its capability to transmit qubits.Such a restriction is necessary, as otherwise the corrupt prover could transmit them to a conspirator.To deter proxy attacks, our approach takes advantage of the classical bits necessary for quantum teleportation to provide the protocol with a distance-bounding mechanism.
We acknowledge that our proposal do require a prover to hold entangled qubits.Hence it is only suitable for a time where Quantum communication is ubiquitous.Like most work in Quantum computing, ours has a theoretical value whose potential depends on the realisation of the underlying technology.As far as secure hardware is concerned, we make no assumption.We assume the attacker has full control of the prover and it is only limited by the laws of physics that restrict the transmission of information, including Quantum information.

Related work
Designing secure remote attestation protocols is notoriously challenging because the prover is assumed to be corrupt.
This assumption would break, for example, the standard authentication properties used to evaluate the security of internet protocols, such as TLS (Transport Layer Security).The earliest works to tackle this challenge focused on limiting the adversary's corruption capability, notably on protecting cryptographic secrets.This requires secure hardware on the prover's side, leading to the terminology hardware-based attestation when referring to these approaches.Francillon et al. established that, in addition to protecting secret keys, secure hardware is needed the prevent malware from modifying or interrupting the attestation routine Francillon et al. ([n. d.]), otherwise the malware may give itself time to move to safe parts of the memory during attestation or to leak information about secret keys.Many works in the literature aim at achieving the above security features for various computer architectures and with the use of minimal hardware Eldefrawy et al. (2017).We refer the reader to Kuang et al. (2022) for a comprehensive survey.
Our focus is on software-based attestation: an approach towards remote attestation that assumes no secure hardware on provers.This makes software-based approaches more costeffective, while also allowing devices to patch vulnerabilities without the need to physically modify the device with additional hardware.SWATT Seshadri et al. (2004) is one of the earliest softwarebased RA protocol, where the verifier sends a random challenge to the prover, which is used as a seed for a pseudorandom function to obtain a sequence of random memory indexes.The challenge posed to the prover is that of calculating, as quick as possible, a checksum of its memory in the order specified by the pseudo-random function.SWATT claims that, if the checksum computation cannot be optimised and every bit of memory is hit (with high probability) by the pseudo-random function, then the verifier can attest the prover memory by evaluating the checksum value and the time taken to calculate it.SWATT's construction of a time-optimal checksum function consists of a computation loop where the value of a random memory index is merged with the checksum of the previous round.
Because of the time constraint, software-based remote attestation have traditionally relied on non-standard checksum calculations Seshadri et al. (2004Seshadri et al. ( , 2005)); Yan et al. (2011); Kovah et al. (2012), opening themselves to attacks Li et al. (2015); Castelluccia et al. (2009).Armknecht et al. argued that the insecurity of software-based approaches is compounded by the lack of a formal treatment to their security analysis Armknecht et al. (2013).Hence they intro- To the best of our knowledge, no software-based attestation protocol exists that satisfy authentication or resist proxy attacks.That is an important limitation, which forces the verifier to run the protocol in a clean environment aided by the use of out-of-band channels, such as visual inspection.
A recent work Trujillo-Rasua ([n. d.]) proposes the use of a distance-bounding channel, rather than visual inspection, to detect collusion with far-away conspirators during the protocol execution.But, they left the authentication problem open, which we address in this work.
From a methodological point of view, our approach is similar to a recent wave of protocols based on Physical Unclonable Functions (PUFs) Feng et al. (2018); Schulz et al. (2011); Kong et al. (2014).They assume that provers are provided with a PUF implementation, allowing the verifier to precompute secret challenge-response pairs.Their key security assumption is that the attacker cannot tamper with the PUF function nor learn the challenge-response pairs the prover shares with the verifier.We note, however, that this is still a contentious assumption Rührmair et al. (2010).Particularly dangerous are modeling attacks on Strong PUFs, allowing an attacker to mimic the PUF behaviour by using machine learning.Last but not least, PUF functions do require additional hardware to protect them from effective adversarial manipulation Rührmair et al. (2014), such as re-use attacks, making PUF-based remote attestation not strictly software-based.
There have been some prior work on securing memory using Quantum Computing, but this has been for local computers and requires a full range of quantum circuits van Dam and Yuan (2009).In contrast, our work considers remote embedded devices, and require only rotation and measurements.
Closely related to the problem we are trying to solve are the series of works on Quantum Authentication based on entanglement and teleportation Dutta and Pathak (2021).
They, however, differ from our approach in that they start with a shared classical secret, and use quantum mechanics to amplify this key.In contrast, having our device start with a shared classical secret key is not desirable, since a compromised device can easily leak its secrets.
Alternatively, Li and Zhang (2006); Abidin et al. (2023) start with shared entangled pairs, which is similar to our approach.However, their method has both parties sending and receiving qubits, which also is undesirable for our application, since if the embedded device has the ability to transmit qubits, the entangled pairs could be transmitted to an attacker for communication.
In general, while these Quantum Authentication methods consider a closely related problem, they do not consider it from the point of view where one party may be compromised, or working against the authenticating authority.In contrast, we consider both the case where one party has been compromised during the initial stage, and the case where one party is subject to ongoing compromise and continues to actively work in conjunction with the attacker.

Preliminaries
Here we introduce the notation and tools we intend to make use of later in our paper.We begin by reviewing the basics of quantum states and quantum teleportation.For a complete introduction to these ideas, the reader is recommended to consult Bennett et al. (1993).

Quantum Notation
We define a single qubit in superposition using the standard Bra-ket notation as (1) Where We define multiqubit systems in the same way, Where again α i ∈ C and ∑ n i=0 |α i | 2 = 1.Our probability of obtaining any basis state |i⟩ on measurement, is |α i | 2 , according to the Born rule.We note that here we are working in the computational basis |i⟩, but that other basis states are possible, a fact which we will make use of later.
We call any state |ψ⟩ c , which can be written as the tensor product of other states |ψ⟩ c = |ψ⟩ a ⊗ |ψ⟩ b separable.
States which are not separable are entangled.As an example, , and we provide one half of the entangled pair to one party, and the other half to another, if either party measures |0⟩ from their half of the pair, the other party will also measure |0⟩, and similarly for |1⟩.This property of entanglement is the basis for the power of quantum computing in general.In particular, this is the property that enables Quantum Teleportation, which is the basis for our scheme.

Quantum Teleportation
We review Quantum Teleportation here, following the approach of Bennett et al. (1993).Quantum Teleportation is a method for teleporting a qubit from one party to another.
The state to be teleported is transmitted instantly over any distance, but cannot be extracted without two classics bits, which can of course be transmitted no faster than the speed of light.
The basis for this approach is that the two parties Alice and Bob share a maximally entangled pair of qubits.There are four such pairs, referred to as the Bell States.
In the equations above, the subscripts a and b denote qubits hold by Alice and Bob, respectively.It does not matter which pair Alice and Bob share, so for convenience we will assume that they shared , as the state that Alice wishes to transmit to Bob.The state of the system is thus We can rewrite Alice's qubits using the following identities.
The total state of the system can be rewritten as below.
Note that this does not change the state of the system, we have merely rewritten it in a new basis.
Alice now measures her qubits c and a in the Bell basis.
With equal probability the system is now in one of the states given below.
Alice then inform Bob which of the four states the to- We note since we intend to make extensive use of it, that since the values α 1 , α 2 , are complex, a qubit lies on a unit sphere known as the Bloch Sphere.Considering α 1 , α 2 , as a vector on this sphere with polar angle θ , and azimuthal angle φ , we can represent any qubit as cos( θ 2 ) |1⟩ + sin( θ 2 )e iφ |0⟩.
Our algorithm mostly makes use of the unit circle on this sphere where 0 ≤ θ ≤ π, and φ = 0 or φ = π.

Remote attestation using quantum entanglement
In this section we introduce two memory attestation protocols.The first protocol is a composition of a traditional software-based memory attestation protocol with a distance bounding mechanism that relies on pre-shared entanglement rather than on secret keys.Being a composition, this protocol is relatively simple to analyse and can be instantiated -Correctness.Attest can be computed within ∆ time.
-Uniformity.Every output of the range should be generated with roughly the same probability, given random inputs.
-Secure.The Attest function allows a verifier, by challenging an isolated prover (i.e., without external help) to compute Attest on input a random challenge, to attest whether the prover is in a correct state with non-zero probability.We note that many software-based memory attestation primitives Seshadri et al. (2004Seshadri et al. ( , 2005)) Challenge.The protocol consists of several challenge-response rounds.At each round, the verifier sends a random challenge c to the prover and starts a clock to measure the round-triptime of this exchange with the prover (See Figure 1).The role of the time measurement is counteracting proxy attacks.
The role of the random challenge is preventing replay attacks on the Attest primitive.
Response.Upon receiving the challenge, the prover calculates Attest(c, s ′ ), where s ′ is the prover's state.Then the prover teleports the qubit where θ ′ is the angle obtained from the output of Attest(c, s ′ ) The teleportation is carried out by entangling |Ψ ⟩ with the qubit to be teleported, then measuring in the Bell basis.This measurement provides the teleportation bits.Lastly, the prover provides both the output of Attest(c, s ′ ) and the teleportation bits.
Verification.Let s be the expected state of the prover.In the verification phase, the verifier aims to authenticate the prover, check proximity with the prover defined by a dis-tance threshold δ , and check that Attest(c, s ′ ) = Attest(c, s).
sured with certainty, and the protocol continues if Attest(s ′ 0 , c 0 ) = Attest(s 0 , c 0 ) and the round-trip-time is low enough.
In the second round, the prover then teleports the second qubit sin( It is worth noting that the naive approach of the prover sending |0⟩ or |1⟩, depending on the value of Attest (e.g., its parity bit), does not work.For example, suppose the prover incorrectly believes that it has to teleport |1⟩, and after measurement, the system is in the state h 1 (see Figure 2 showing the four possible states).The prover sends the classical bits denoting this to the verifier.If the attacker, however, knows Challenge.Armknecht et al.'s protocol starts with the verifier sending two nonces n 0 and m 0 to the prover.The former is used to feed a pseudo-random function Gen, which will create random memory addresses, the latter to calculate a checksum CHK of the prover's memory.
Response.The prover prepares a response by iteratively updating n 0 and m 0 .At the ith iteration, Gen(n i−1 ) outputs a pair (n i , a i ) where n i is a nonce and a i a random memory address, s i stores the memory word at the address a i , and m ′ i is the checksum of m i−1 and s i .After N iterations, the prover sends m ′ N to the verifier.
Verification.The verifier checks that m ′ N is correct and that the round-trip-time is below a time threshold ∆ .fier.In this case, the time threshold ∆ plays no role in the proximity check.

Security analysis
In this section we analyse the security of the two protocols introduced previously.We shall start with the analysis of the protocol composition in Figure 1 by making security assumptions on the Attest function.This will help us to focus on the security added by the distance bounding mechanism based on quantum entanglement, hence building the basis for the analysis of our extension to Armknecht et al.'s protocol.

Threat model
Existing security analyses of software-based memory attestation protocols assume and out-of-the-band authentication channel, such as visual inspection, and that prover and verifier communicate in isolation without interference from an external/adversarial device.This is known as the device isolation assumption.We, however, build our security proofs against the more realistic distant attacker assumption Gil-Pons et al. ( 2022), which considers a standard Dolev-Yao attacker only restricted by its (sufficiently large) distance from prover and verifier.In practice, the distant attacker assumption can be met by establishing a secure physical perimeter that prevents unauthorised access.
The adversary we consider is a man-in-the-middle attacker in full control of the network, meaning it can intercept and modify messages travelling through the network as well as inject new messages.We assume, nevertheless, adversaries restricted in the following ways: 1.No tampering.They cannot manipulate the prover's hardware, i.e., they cannot add to the prover more CPU or memory.Notably, an adversary cannot give the prover the capacity to transmit entangled qubits.
2. Distant attacker.The network distance between the adversary and the prover is larger than the network distance between prover and verifier.
In our security proofs, we further assume: 1. Synchronised quantum state.At the start of the protocol, prover and verifier are capable of agreeing on a sequence of shared entangled qubits.This is used to rule out denial-of-services attacks whereby the adversary desynchronize prover and verifier by wasting their qubits.
2. Restricted quantum communication.Provers can receive, but not transmit entangled qubits.This restriction is reasonable because transmitted qubits requires specialised hardware, depending on the physical instantiation of the qubit being used.
3. Random values are used just once.In particular, values generated by the adversary do not intersect with chal-lenges generated by the verifier.This assumption further simplifies our security proofs.
Observe that Denial-of-service attacks, addressed by the synchronised quantum state assumption, are a common threat to quantum information systems, such as BB84 Hong et al.
(2016).Systems such as BB84 and our own system have in common the idea that they are attempting to detect an attacker that is hiding.If the attacker decides to stop hiding and instead consume system resources, it is possible to attempt to mitigate this threat as we do here, or as other systems do Price et al. ( 2020), but it is not possible to prevent it entirely.Depending on the situation, denial-of-service may not be an advantage to the attacker, since alerting the verifier to the fact that the prover is under attack through the consumption of system resources may be as disadvantageous to the attacker as alerting the verifier through a failure of the security protocol.

Analysis of the protocol composition under the distant-attacker assumption
We shall analyse two different scenarios with respect to the relative position of verifier, prover and the attacker.In the first scenario, the attacker is close to the verifier and the prover is far.The second scenario is the opposite, the attacker is far from the verifier while the prover is close.
Let ∆ be the processing time at the prover side to compute Attest on input the challenge from the verifier.Let d be the distance between the prover and the attacker.Let d A and d P be the distances from the attacker and the prover, respectively, to the verifier.And, let δ be a distance upper bound defining proximity, e.g., a few centimetres.Let the function Attest be secure in the following way.
Definition 1 Let P be a corrupt prover with state s ′ and N a natural number.Given random challenges c 1 , . . ., c N , let ε(N) be the probability of P answering correctly with the sequence Attest(c 1 , s), . .., Attest(c N , s).We say Attest is After the introduction of necessary notation and the security on Attest, we are ready to analyse the simplest case where the attacker is far from the prover and the verifier.
Theorem 1 Let P be the protocol in Figure 1 using N rounds and a time threshold ∆ + 2δ c .Let Attest be a correct attestation function with respect to the time threshold ∆ .As- , i.e., the prover is close to the verifier.If , the attacker is far, then the probability of success of the attacker is ε(N).
This means that the prover cannot relay information to the attacker, nor the attacker can respond on time to the verifier's challenges.Therefore, the prover has to respond on its own.This gives a probability of success equal to the the probability of Attest(c, s ′ ) = Attest(c, s), which, by Definition 1, is ε(N) over N rounds.Proof As before, we argue that relaying is infeasible.Then, because the attacker has to make the prover to rotate and measure its entangled qubit in order to pass the protocol, it follows that the attacker has to interact with the prover prior the reception of the verifier's challenge.We conclude then that, for the adversary to succeed at a given round, he has to send to the prover a challenge, say c ′ , which is different to the challenge, say c, that the verifier will use for that round.
This type of attacks are known in the literature of distance bounding protocols as pre-ask Avoine et al. (2018) or precomputation attacks Mauw et al. (2016).
Let θ ′ be the angle of the qubit transmitted by the prover, on input c ′ .Let θ be the angle of the qubit expected by the verifier.Because Attest is uniform and the challenge c random, it follows that θ is uniformly distributed, as so its the angle between θ and θ ′ .Because the attacker receives the rotation bits sent by the prover, the attacker has the option of selecting the optimal rotation of θ that better approximates θ ′ .The four rotations of θ are simply θ rotated by 0, π 2 , π 1 , 3π 2 .The attacker can do so in the following way.
First, observe that, if the angle between θ and θ ′ is lower than π 2 , then there is no benefit to the attacker on changing the rotation established by the prover, since all these vectors are the same or closer to |0⟩, than |1⟩.Now, assume the angle between θ and θ ′ is greater than or equal to π 2 .
If we consider the fixed interval [0, 1], the average distance between two uniformly distributed points can be calculated Proof First, let's analyse the protocol under the device isolation assumption.Let X be the random variable indicating the round number at which Read(s ′ , a i ) ̸ = Read(s, a i ).
If X = i, then, starting from round i and after normalisation of the bit-sequences m ′ i and m i , the difference between the angles m ′ i and m i will be uniformly distributed This gives a probability of succces equal to: Now, let's analyse the case where the prover colludes with the far-away attacker.Assume that m i was received from the attacker, which means the attacker should have known r ⌊(i−1)/k⌋ .This could be achieved in three ways: 1. Relaying.This is infeasible because the distance between the prover and the attacker is larger than c(∆ + 2δ c ), which violates the time threshold used by the verifier.
3. Fixing the rotation bits.This is the last resort for the attacker to provide a response for the prover on time.It This gives a maximum probability of success for the prover equal to 1/2 N .Depending on the value of p, the prover will find colluding more advantageous than responding on its own.⊓ ⊔ The proof of the next theorem follows a similar line of reasoning to Theorem 2.
Theorem 4 Let P 2 be the protocol in 6 Discussion and conclusions If we wish to build the device with the technology currently available, we will have to work with the limited quantum memory that exists.While our proposal envisions holding qubits in superposition indefinitely until the verifier wishes to test the prover, in practice current quantum memory does not last that long Bashkansky et al. (2021).Therefore, we will have to exchange the entangled qubits at run time.In practice this will mean we need to authenticate the prover with the verifier.Quantum Authentication requires a shared secret.In our original proposal this secret is the pre-shared qubits, but if we exchange these at runtime, we must resort to a pre-shared classical secret(a key), which is a common approach for many Quantum Key Exchange systems.
Therefore in the near term, our device could be combined with other approaches to this problem, such as a trusted module to store the key material.We then have the benefits described by our system, in combination with the benefits of a classical approach.Once long term Quantum memory is readily available, this will cease to be an issue.
An additional question that we do not address in this paper, is the issue of noise.All quantum devices suffer from noise, and the impact of noise measurements must be included in any physical quantum device.We have carried out our analysis with a perfect quantum system in mind, but in practice noise impacts the success rate of all measurements.
The typical approach to handling this problem is to increase the number of qubits used.We leave these calculations for future work.
Overall we have presented the theoretical basis for a method for improving the security of remote devices using quantum entanglement.Our method requires a relatively low number of qubits and gates, and as Quantum Information Science advances and the ability for devices to manipulate quantum effects increases, our method is well placed to improve the security of remote devices.
duced a security framework to analyse software-based remote attestation for low-cost embedded devices.When looking at the adversary capabilities against remote attestation, Armknecht et al. deemed necessary to restrict the adversary to use the hardware characteristics of the prover during the execution of the challenge-response protocol.That is to say, during the protocol execution, the prover cannot receive external help, otherwise the protocol is trivially broken by outsourcing the attestation task to a more powerful device Seshadri et al. (2005).
with various memory attestation routines, although at the cost of high communication complexity.The second protocol embeds the distance bounding mechanism within the generic scheme introduced by Armknecht et al.Armknecht et al. (2013), making it more efficient albeit slightly less secure.4.1 A protocol compositionThis protocol assumes the existence of a time-restricted attestation function Attest in the prover with the following properties, given a time threshold ∆ : ;Yan et al. (2011);Kovah et al. (2012);Gligor (2019);Armknecht et al. (2013) in the literature aims at achieving this no-tion of security, which we formalise later together with the threat model.Setup.The setup phase of the protocol allows provers and verifiers to agree on secret cryptographic keys (possibly) used by the Attest function and on a collection of entangled qubits in superposition.This setup phase can be executed several times with the help of a trusted server, once both prover and verifier have been attested uncorrupt.
threshold and c the propagation speed of the communication channel (e.g., the speed of light for radio waves).Lastly, to authenticate the prover, the verifier rotates the result based on the rotation bits (r) provided by the prover in its response and angle θ .Let |Ψ ⟩ be the resulting qubit.The verifier checks that |Ψ ⟩ = |Ψ ′ ⟩ by performing an inverse rotation |Ψ ⟩ with angle θ as defined by Attest(c, s), measuring, and checking that the result of the measurement is |1⟩.Example 1 Let us consider an example of the protocol running on a compromised device.Further assume that the protocol consists of 2 challenge-response rounds with random challenges c 1 and c 2 .Let θ ′ 1 and θ ′ 2 be the angles obtained from normalising the values Attest(s ′ 0 , c 0 ) and Attest(s ′ 0 , c 1 ), and that the angles generated by the Attest function on the correct state s are θ 1 = π 4 and θ 2 = π 4 .This means that, in the first round, the prover teleportssin( θ 1 2 ) |0⟩+cos( θ 1 2 ) |1⟩, and sends the required classical bits based on the state it finds its qubits to be in post teleport.The verifier after completing the teleportation using the classical bits, performs an additional rotation on the qubit of π 8 .

Fig. 3 :
Fig. 3: Example of system in a compromised state after ro- The modifications we introduce to Armknecht et al.'s protocol are depicted in Figure4.First, we employ a distancebounding mechanism at the start of the protocol.This is a very efficient distance-bounding phase, as it only requires the prover to teleport a nonce back to the verifier.Second, we require the prover to teleport partial results back to the verifier, which are also used to time the performance of the prover.The teleportation process is identical to the one used in the protocol composition described earlier, hence we do not provide further details on this mechanism.Like in the previous protocol, the time threshold ∆ represents a (possibly tight) bound on the computational time used by the prover to calculate a response.In the case of the extension to Armknecht et al.'s protocol, partial responses are provided every k iterations of the attestation loop.This means that ∆ can be tuned up by adjusting k as needed, which is an advantage over the protocol composition described earlier.Note that the distance bounding mechanism based on those partial responses are not based on round-triptime measurements, but on a single trip-time measurement, which is why we require t ′ − t ≥ ∆ + δ c .Further note that the first time check employed by the verifier is a very efficient (classical) distance bounding mechanism, consisting of a prover reflecting back the challenge sent by the veri-

Fig. 4 :
Fig. 4: A memory attestation protocol resistant to proxy at- The theorem above states that, under that assumption that the attacker is sufficiently far (concretely by d > c(∆ + 2δ c )), then the security of our protocol in the distant attacker assumption reduces to the security of the Attest procedure in the device isolated assumption.The next result is more relevant, though, as it provides the first security proof of a software-based memory attestation protocol in the presence of a nearby attacker.Theorem 2 Let P be the protocol in Figure1using N rounds and a time threshold ∆ + 2δ c .Let Attest be a correct attestation function with respect to the time threshold ∆ .Assume d A < c(∆ + 2δ c ) 2 , i.e., the attacker is close to the verifier.If d > c(∆ + 2δ c ), then the probability of success of the attacker is (1 − (1 − 0.1032)) N .
Fig. 5: A graph of |x − y|, x − y < 1 2 consists of the prover committing to send a pre-established rotation bit-sequence, say 00, to the verifier, allowing the attacker to calculate m i without being restricted by the communication channel with the prover.The probability of success of this case is 1/2.
Figure 4, this means adjusting the value of k based on the value of δ .In any case, the bound d > c(∆ + 2δ c )) is conservative, because it assumes an unbounded attacker that can