End-to-end Design of a PUF based Privacy Preserving Authentication Protocol
Aydin Aysu (Virginia Tech), Ege Gulcan (Virginia Tech), Daisuke Moriyama (NICT), Patrick Schaumont (Virginia Tech), Moti Yung (Google/Columbia University)

Motivation
PUF is attractive in implementation and theory
Implementation
- Investigate new construction
- Analyze PUF’s data
- Check environmental effect
Theory
- Propose PUF-based protocol
- Provide security model
Combine!!! Development for Realistic Usage

PUF Protocol Design has a GAP
Theory: Provide provable security; Propose protocol
GAP!
Imple.: Program and evaluate
Question: How can we implement a theoretically secure (provably secure) protocol?
Question: Can the PUF-based protocol work on a resource-constrained device?

This talk
Theory: Provide provable security; Propose protocol
- Extract building blocks: PRF, RNG, MAC, Fuzzy extractor,…
- Investigate implementation-primitives for computing elements: AES, BCH, HMAC,…
- Estimate bit length for each variable
Imple.: Program and evaluate

First Step
Theory: Provide provable security; Propose protocol
- Extract building blocks
- Investigate implementation-primitives for computing elements
- Estimate bit length for each variable
Imple.: Program and evaluate

Theoretical Description (core part)…
[Protocol diagram labels: Device, Server, PUF, PRFs, "If , Update to"]

Secure Authentication
[Protocol diagram between Device (Stored data 1 and 2) and Server (PUF DB, key DB). Labels: Stored data 1, Stored data 2, PUF, RNG, Fuzzy extractor, randomness, helper data, PRF, Encrypt, Decrypt, Key DB, PUF DB]
- Server: For each DB entry (the DB contains all PUFs), ... "If , Accept!", "Update DBs to"
- Device: "If , Accept!", "Update stored data to"
Annotations:
- PUF is evaluated twice
  - First data is used for authentication
  - Second data is encrypted and used for next authentication
- Support mutual authentication
- Privacy preserving authentication
  - No identity in communication
  - Server mounts exhaustive search
- Forward secure authentication
  - Stored data is updated

Abstract Description
[Block diagram labels: Device, Server, Key/PUF DB, Non-VM Memory, RNG, Fuzzy Extractor, Protocol, Protocol, PRF, Encrypt, PUF]

Third Step
Theory: Provide provable security; Propose protocol
- Extract building blocks
- Investigate implementation-primitives for computing elements
- Estimate bit length for each variable
Imple.: Program and evaluate

PUF & RNG Construction
- We selected an SRAM PUF and evaluated it with SASEBO-GII (SRAM PUF is area efficient)
- [Figure labels: x100; RNG part; SRAM PUF part]
- To avoid bias, 2-XORed is performed
- 8-XORed SRAM data passed NIST random test
- Min-entropy rate: 26%
- Noise rate: 10%

Implement Fuzzy Extractor
ECC part: Code-offset with (63,16,23)-BCH code
- Correct noise up to 11-bit in 63-bit
- Encode (device side): Original PUF data (63-bit), randomness (16-bit), BCH.Encode, Helper data (63-bit)
- Decode (server side): Helper data (63-bit), Noisy PUF data (63-bit), BCH.Decode, Original PUF data

Implement Fuzzy Extractor
ECC part: Code-offset with (63,16,23)-BCH code
- Min-entropy rate: 26%
  - 128-bit entropy in 8x63-bit PUF data
- Remark: 10% noise rate
  - Correct one block (63-bit): 97.62%
  - Correct eight blocks (8x63-bit): 82.61%
  - Need modification
- [Figure label: 4x63-bit (=252-bit) PUF’s data]
- Novelty: Apply code-offset for left-rotated PUF’s data
  - Correctness is improved (> 1 - 10^-6)
  - Security is also analyzed

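The code-offset construction from the ECC slides above, as an added example (not the authors' MSP430 code): it derives the (63,16,23)-BCH generator polynomial over GF(64), builds helper data from PUF data and 16-bit randomness, and recovers the PUF data from a reading with up to 11 flipped bits. The field polynomial x^6 + x + 1, the non-systematic encoding, the brute-force decoder and all function names are assumptions; the left-rotation step is not modelled.

```python
import random

N, K, T = 63, 16, 11          # (63,16,23)-BCH: corrects up to 11 bit errors

def bch_generator():
    """Generator polynomial (bitmask) with roots alpha^1..alpha^22 in GF(64)."""
    exp, x = [], 1
    for _ in range(N):        # powers of alpha; assumed field polynomial x^6 + x + 1
        exp.append(x)
        x <<= 1
        if x & 0x40:
            x ^= 0x43
    log = {v: i for i, v in enumerate(exp)}
    mul = lambda a, b: 0 if 0 in (a, b) else exp[(log[a] + log[b]) % N]
    roots = {(i << j) % N for i in range(1, 2 * T + 1) for j in range(6)}
    g = [1]                   # GF(64) coefficients, lowest degree first
    for r in roots:           # g(x) <- g(x) * (x + alpha^r)
        g = [mul(c, exp[r]) ^ (g[i - 1] if i else 0) for i, c in enumerate(g + [0])]
    return sum(c << i for i, c in enumerate(g))  # coefficients end up 0 or 1

G = bch_generator()

def encode(m):                # BCH.Encode: 16-bit message -> 63-bit codeword m(x)*g(x)
    c = 0
    for i in range(K):
        if m >> i & 1:
            c ^= G << i
    return c

CODEBOOK = [encode(m) for m in range(1 << K)]

def decode(word):             # BCH.Decode stand-in: exhaustive nearest-codeword search
    return min(CODEBOOK, key=lambda c: bin(c ^ word).count("1"))

def gen(puf, rnd):            # helper data = PUF data XOR Encode(randomness)
    return puf ^ encode(rnd)

def rep(noisy_puf, helper):   # original PUF data from noisy reading + helper data
    return helper ^ decode(noisy_puf ^ helper)

if __name__ == "__main__":
    rng = random.Random(2015)             # constructed sample, not real SRAM data
    puf, rnd = rng.getrandbits(N), rng.getrandbits(K)
    noise = sum(1 << p for p in rng.sample(range(N), T))   # 11 flipped bits
    print("recovered:", rep(puf ^ noise, gen(puf, rnd)) == puf)
```

A noise pattern equal to a nonzero codeword (at least 23 flipped bits) makes `rep` return wrong PUF data without any error signal, which is why the per-block error bound matters.
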
Implement Fuzzy Extractor
Randomness extraction part: CBC-MAC based PRF
- Input data: 504-bit + 256-bit randomness
- Secret key (seed)
- Output data: 128-bit
- PRF and this part are performed by same code
- We selected SIMON for the encryption algorithm

Final Step
Theory: Provide provable security; Propose protocol
- Extract building blocks
- Investigate implementation-primitives for computing elements
- Estimate bit length for each variable
Imple.: Program and evaluate

Architecture Design
We provide two versions:
- Soft-core mapping MSP430 in FPGA
- MSP430 w/ Micro-coded hardware implementation

Implementation Results

Category    64-bit SW (MSP430)    128-bit SW (MSP430)    128-bit HW    Unit
Text size   6,862                 8,104                  4,920         Bytes
Time        562,632               1,859,754              240,814       Cycles

• Fit in real MSP430 (8KB)
• Cycle count includes all procedures
  – In SW, BCH encoding is heavy
  – In HW, write/read from memory is heavy

Comparison with related works

                 PUFKY          Slender                 Reverse-FE              This work
                 (CHES 2012)    (S&P 2012)              (FC 2012)
Application      Key Gen        Protocol                Protocol                Protocol
Privacy          No             No                      No                      Yes
Security flaws   No             Yes (ePrint 2014/977)   Yes (ePrint 2014/977)   No
Cycle count      55,310         -                       -                       1,859,754 (SW), 240,814 (HW)
Logic cost       120 Slices     144 LUT, 274 Register   658 LUT, 496 Register   1221 LUT, 442 Register
PUF              RO-PUF         XOR-Arbiter PUF         -                       SRAM PUF

Conclusions
• We demonstrated how to bridge theory and implementation
• Implementing secure protocol requires many steps
• The proposed protocol can fit in microcontroller MSP430: text size < 8KB (further optimization is still possible)

Thank you for your attention!

Appendix: Process of our code-offset
ECC part: Code-offset with (63,16,23)-BCH code
[Figure labels: 4x63-bit (=252-bit) PUF’s data; Noise < 12bit; Noise >= 12bit]
- 47-bit among 63-bit has been noiseless
- Novelty: Apply code-offset for left-rotated PUF’s data

Appendix: Implementation Cost

        Category         64-bit SW (MSP430)    128-bit SW (MSP430)    128-bit HW    Unit
Text    HW abstraction   1,022                 1,022                  1,398         Bytes
        Communication    496                   644                    628           Bytes
        SIMON            1,604                 2,440                  0             Bytes
        BCH encoding     1,214                 1,214                  0             Bytes
        PUF + Fuzzy      562                   646                    590           Bytes
        RNG              396                   456                    396           Bytes
        Protocol         1,568                 1,682                  1,908         Bytes
        Total text       6,862                 8,104                  4,920         Bytes
Data    Variables        424                   656                    656           Bytes
        Constants        197                   197                    73            Bytes
        Total data       621                   853                    729           Bytes

Fit into real MSP430 (8KB memory space)

Appendix: Performance details

Category             64-bit SW (MSP430)    128-bit SW (MSP430)    128-bit HW    Unit
Read stored data     31,356                61,646                 61,646        Cycles
RNG (SRAM)           11,552                23,341                 22,981        Cycles
SRAM PUF             4,384                 9,082                  8,741         Cycles
BCH encoding         268,820               485,094                              Cycles
Fuzzy extractor      28,691                205,080                              Cycles
First PRF            39,583                299,724                18,597        Cycles
Encrypt              44,355                252,829                              Cycles
Second PRF           57,601                394,129                              Cycles
Write updated data   76,290                128,829                128,849       Cycles
Total cycles         562,632               1,859,754              240,814       Cycles

Expensive part in SW: BCH encoding
Expensive part in HW: read/write data