nach oben

Journal of Cryptographic Engineering

Erschienen in:

01.06.2016 | CHES 2015

Secure key generation from biased PUFs: extended version

verfasst von: Roel Maes, Vincent van der Leest, Erik van der Sluis, Frans Willems

Erschienen in: Journal of Cryptographic Engineering | Ausgabe 2/2016

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

When the applied PUF in a PUF-based key generator does not produce full entropy responses, information about the derived key material is leaked by code-offset helper data. If the PUF’s entropy level is too low, the PUF-derived key is even fully disclosed by the helper data. In this work we analyze this entropy leakage, and provide several solutions for preventing leakage for PUFs suffering from i.i.d. biased bits. Our methods pose no limit on the amount of PUF bias that can be tolerated for achieving secure key generation, with only a moderate increase in the required PUF size. This solves an important open problem in this field. In addition, we also consider the reusability of PUF-based key generators and present a variant of our solution which retains the reusability property. In an exemplary application of these methods, we are able to derive a secure 128-bit key from a 15 %-noisy and 25 %-biased PUF requiring only 4890 PUF bits for the non-reusable variant, or 7392 PUF bits for the reusable variant.

Vorheriger Artikel Exclusive exponent blinding is not enough to prevent any timing attack on RSA

Nächster Artikel Masking ring-LWE

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Nur mit Berechtigung zugänglich

Relaxed, in the sense that practical constructions often consider the entropy of the PUF responses instead of the more pessimistic min-entropy, and use cryptographic key derivation functions to generate secure keys instead of strong randomness extractors.

The construction in Fig. 1 is technically a variant of a fuzzy commitment scheme as proposed in [9], rather than a fuzzy extractor as classically described in [5]. However, for the treatment in this work, they can be considered equivalent.

In this work, unpredictability of random variables is expressed by Shannon entropy, as is done in many earlier work on this subject, e.g., [10]. Note that Shannon entropy serves as a lower bound for average guesswork [23]. For a stronger (less practical) provable security notion, the more pessimistic min-entropy measure should be used. We express entropies and mutual informations in bits.

Note that \(H(X|W) = H(S|W)\), see Appendix 1, Corollary 2. This shows the equivalence in security (in terms of entropy) for a key generated from S or X.

E.g., a variant thereof appeared before in an early version of [25].

This has led to some confusion and occasional misinterpretations, i.e., under- or overestimations of the leakage. A discussion on this is, e.g., found in [3].

Note that in particular for strong bias this entropy bound even becomes negative, making it absolutely clear that this is a pessimistic lower bound.

A similar result for min-entropy is given in [3].

Only \(p \le 0.5\) is shown; all shown entropy-vs-bias graphs are symmetrical around \(p=0.5\).

Efficient in terms of PUF size, while following the design of Fig. 1 and using only a single enrollment measurement per derived key.

[14] aims for a seed of 171 bits, but this is rounded up to 180 for practicality. The need for having 171-bit seeds originated in [7], but the reasoning there is not fully clear.

Since bits of X are assumed i.i.d., which particular bits from X are considered for the entropy calculation is of no importance.

\(X_{1:n_1}\mathbf {H_{rep}}^\mathbf {\top }\) and \(X_{1:n_2}\mathbf {H_2}^\mathbf {\top }\) are not necessarily independent.

Note that this does not directly imply that the key becomes predictable, just that it is potentially less unpredictable than it should be according to its length.

Note that we cannot increase beyond \(r=31\), without increasing the length of the repetition code, otherwise the failure rate gets too large.

Von Neumann(-like) extractors have a small effect on bit error rate, as explained in Sect. 4.1.

We denote the probability mass and cumulative distribution function of the binomial distribution with parameters n and p, respectively, as \(f_{\text {bino}}\left( x;n,p\right) \) and \(F_{\text {bino}}\left( x;n,p\right) \).

This is just one possible exemplary representation of the information contained in (W, D).

The graphs of Fig. 9b are generic and not depending on selected parameters. These graphs are hence generically usable, the only assumption being that the considered PUF is compatible with the stochastic model used in [18].

Failure rates differ slightly from the results in Table 1 which were extrapolated from [14]. For objective comparison, the results of Table 2 are based on a new simulations, with the Hackett Golay decoder from [14] implemented in Matlab. The single Golay decoding failure rate \(p_{\text {Golay-fail}}\) is estimated as the 95 %-confidence upper bound from the simulations; the actual values for \(p_{\text {Golay-fail}}\) are hence likely smaller. The total reconstruction failure rate is computed as \(1-(1-p_{\text {Golay-fail}})^{r}\).

The same can also be derived from the observation in [5] that secure sketches based on the code-offset construction and the syndrome construction are information-theoretically equivalent.

It was demonstrated that these distributions are very realistic, fitting on experimental PUF data of different PUF constructions with high accuracy. We only consider the fixed-temperature case from [18]. A similar derivation can be done for varying temperatures.

Bösch, C., Guajardo, J., Sadeghi, A.R., Shokrollahi, J., Tuyls, P.: Efficient helper data key extractor on FPGAs. In: Workshop on Cryptographic Hardware and Embedded Systems (CHES), pp. 181–197 (2008)

Boyen, X.: Reusable cryptographic fuzzy extractors. In: ACM Conference on Computer and Communications Security—CCS 2004, pp. 82–91. ACM Press, New York (2004)

Delvaux, J., Gu, D., Schellekens, D., Verbauwhede, I.: Helper data algorithms for PUF-based key generation: overview and analysis. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems (TCAD) (2014)

Delvaux, J., Verbauwhede, I.: Attacking PUF-based pattern matching key generators via helper data manipulation. In: RSA Conference Cryptographers’ Track (CT-RSA), pp. 106–131 (2014)

Dodis, Y., Ostrovsky, R., Reyzin, L., Smith, A.: Fuzzy extractors: how to generate strong keys from biometrics and other noisy data. SIAM J. Comput. 38(1), 97–139 (2008)MathSciNetCrossRefMATH

Dodis, Y., Reyzin, L., Smith, A.: Fuzzy extractors: how to generate strong keys from biometrics and other noisy data. In: Advances in Cryptology-EUROCRYPT 2004. Lecture Notes in Computer Science, vol. 3027, pp. 523–540. Springer, Berlin Heidelberg (2004)

Guajardo, J., Kumar, S.S., Schrijen, G.J., Tuyls, P.: FPGA intrinsic PUFs and their use for IP protection. In: Workshop on Cryptographic Hardware and Embedded Systems (CHES), pp. 63–80 (2007)

Ignatenko, T., Willems, F.: Information leakage in fuzzy commitment schemes. IEEE Trans. Inf. Forensics Secur. 5(2), 337–348 (2010)CrossRef

Juels, A., Wattenberg, M.: A fuzzy commitment scheme. In: Proceedings of the 6th ACM Conference on Computer and Communications Security. CCS ’99, pp. 28–36. ACM, New York (1999)

10.

Katzenbeisser, S., Kocabas, U., Rozic, V., Sadeghi, A.R., Verbauwhede, I., Wachsmann, C.: PUFs: myth, fact or busted? A security evaluation of physically unclonable functions (PUFs) cast in silicon. In: Workshop on Cryptographic Hardware and Embedded Systems (CHES), pp. 283–301 (2012)

11.

Koeberl, P., Li, J., Maes, R., Rajan, A., Vishik, C., Wójcik, M.: Evaluation of a PUF device authentication scheme on a discrete 0.13um SRAM. In: Trusted Systems-INTRUST. Lecture Notes in Computer Science, vol. 7222, pp. 271–288. Springer, Berlin Heidelberg (2011)

12.

Koeberl, P., Li, J., Rajan, A., Wu, W.: Entropy loss in PUF-based key generation schemes: The repetition code pitfall. In: IEEE International Symposium on Hardware-Oriented Security and Trust (HOST), pp. 44–49 (2014)

13.

Krawczyk, H.: Cryptographic extraction and key derivation: the HKDF scheme. In: Advances in Cryptology CRYPTO 2010. Lecture Notes in Computer Science, vol. 6223, pp. 631–648. Springer, Berlin Heidelberg (2010)

14.

van der Leest, V., Preneel, B., van der Sluis, E.: Soft decision error correction for compact memory-based PUFs using a single enrollment. In: Workshop on Cryptographic Hardware and Embedded Systems (CHES), pp. 268–282 (2012)

15.

Lily, C.: NIST Special Publication 800-108: Recommendation for Key Derivation Using Pseudorandom Functions (revised) (2009)

16.

Lily, C.: NIST Special Publication 800-56C: Recommendation for Key Derivation through Extraction-then-Expansion (2011)

17.

Lim, D., Lee, J., Gassend, B., Suh, G., van Dijk, M., Devadas, S.: Extracting secret keys from integrated circuits. IEEE Trans. Very Large Scale Integr. VLSI Syst. 13(10), 1200–1205 (2005)CrossRef

18.

Maes, R.: An accurate probabilistic reliability model for silicon PUFs. In: Workshop on Cryptographic Hardware and Embedded Systems (CHES), pp. 73–89 (2013)

19.

Maes, R.: Physically Unclonable Functions: Constructions, Properties and Applications. Springer, New York (2013)CrossRefMATH

20.

Maes, R., Van der Leest, V., Van der Sluis, E., Willems, F.: Secure key generation from biased PUFs. In: Workshop on Cryptographic Hardware and Embedded Systems (CHES), pp. 517–534 (2015)

21.

Maes, R., Tuyls, P., Verbauwhede, I.: Low-overhead implementation of a soft decision helper data algorithm for SRAM PUFs. In: Workshop on Cryptographic Hardware and Embedded Systems (CHES), pp. 332–347 (2009)

22.

Maes, R., Van Herrewege, A., Verbauwhede, I.: PUFKY: a fully functional PUF-based cryptographic key generator. In: Cryptographic Hardware and Embedded Systems CHES 2012. Lecture Notes in Computer Science, vol. 7428, pp. 302–319. Springer, Berlin Heidelberg (2012)

23.

Massey, J.L.: Guessing and entropy. In: IEEE International Symposium on Information Theory (ISIT), p. 204 (1994)

24.

von Neumann, J.: Various techniques used in connection with random digits. In: Applied Math Series 12. National Bureau of Standards, USA (1951)

25.

Skoric, B., de Vreede, N.: The Spammed Code Offset Method. Cryptology ePrint Archive, Report 2013/527 (2013). http://eprint.iacr.org/

26.

Yu, M.D.: MRaihi, D., Sowell, R., Devadas, S.: Lightweight and secure PUF key storage using limits of machine learning. In: Cryptographic Hardware and Embedded Systems CHES 2011. Lecture Notes in Computer Science, vol. 6917, pp. 358–373. Springer, Berlin Heidelberg (2011)

Titel: Secure key generation from biased PUFs: extended version
verfasst von: Roel Maes
Vincent van der Leest
Erik van der Sluis
Frans Willems
Publikationsdatum: 01.06.2016
Verlag: Springer Berlin Heidelberg
Erschienen in: Journal of Cryptographic Engineering / Ausgabe 2/2016
Print ISSN: 2190-8508
Elektronische ISSN: 2190-8516
DOI: https://doi.org/10.1007/s13389-016-0125-6

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Weitere Artikel der Ausgabe 2/2016

Introduction to the CHES 2015 special issue

Exclusive exponent blinding is not enough to prevent any timing attack on RSA

Leakage assessment methodology

Masking ring-LWE

Improved cryptanalysis of the DECT standard cipher