Paper 2010/169

Dismantling SecureMemory, CryptoMemory and CryptoRF

Flavio D. Garcia, Peter van Rossum, Roel Verdult, and Ronny Wichers Schreur


The Atmel chip families SecureMemory, CryptoMemory, and CryptoRF use a proprietary stream cipher to guarantee authenticity, confidentiality, and integrity. This paper describes the cipher in detail and points out several weaknesses. One is the fact that the three components of the cipher operate largely independently; another is that the intermediate output generated by two of those components is strongly correlated with the generated keystream. For SecureMemory, a single eavesdropped trace is enough to recover the secret key with probability 0.57 in 2^{39} cipher ticks. This is a factor of 2^{31.5} faster than a brute force attack. On a 2 GHz laptop, this takes around 10 minutes. With more traces, the secret key can be recovered with virtual certainty without significant additional cost in time. For CryptoMemory and CryptoRF, if one has 2640 traces it is possible to recover the key in 2^{52} cipher ticks, which is 2^{19} times faster than brute force. On a 50 machine cluster of 2 GHz quad-core machines this would take less than 2 days.

Publication info
Published elsewhere. To appear in ACM CCS 2010
stream ciphers, practical cryptanalysis, smartcard security, RFID
Contact author(s)
flaviog @ cs ru nl
2010-06-30: last of 2 revisions
2010-03-30: received
Creative Commons Attribution


      author = {Flavio D.  Garcia and Peter van Rossum and Roel Verdult and Ronny Wichers Schreur},
      title = {Dismantling SecureMemory, CryptoMemory and CryptoRF},
      howpublished = {Cryptology ePrint Archive, Paper 2010/169},
      year = {2010},
      note = {\url{}},
      url = {}