Physical Unclonable Functions in Cryptographic Protocols: Security Proofs and Impossibility Results

We investigate the power of physical unclonable functions (PUFs) as a new primitive in cryptographic protocols. Our contributions split into three parts. Firstly, we focus on the realiza bility of PUF-protocols in a special type of stand-alone setting (the “stand-alone, good PUF setting”) under minimal assumptions. We provide new PUF definitions that require only weak average security properties of the PUF, and prove that these definitions suffice to realize secure PUF-based oblivious transfer (OT), bit com mitment (BC) and key exchange (KE) in said setting. Our protocols for OT, BC and KE are partly new, and have certain practicality and security advantages compared to existing schemes. In the second part of the paper, we formally prove that there are very sharp limits on the usability of PUFs for OT and KE beyond the above stand-alone, good PUF scenario. We introduce two new and realistic attack models, the so-called posterior access model (PAM) and the bad PUF model, and prove several impossibility results in these models. First, OT and KE protocols whose security is solely based on PUFs are generally impossible in the PAM. More precisely, one-time access of an adversary to the PUF after the end of a single protocol (sub-)session makes all previous (sub-)sessions provably insecure. Second, OT whose security is solely based on PUFs is impossible in the bad PUF model, even if only a stand alone execution of the protocol is considered (i.e., even if no adversarial PUF access after the protocol is allowed). Our impossibility proofs do not only hold for the weak PUF definition of the first part of the paper, but even apply if ideal rand omness and unpredictability is assumed in the PUF, i.e., if the PUF is modeled as a random permutation oracle. In the third part, we investigate the feasibility of PUF-based bit commitment beyond the stand-alone, good PUF setting. For a number of reasons, this case is more complicated than OT and KE. We first prove that BC is impossible in the bad PUF model if players have got access to the PUF between the commit and the reveal phase. Again, this result holds even if the PUF is “ideal” and modeled as a random permutation oracle. Secondly, we sketch (without proof) two new BC-protocols, which can deal with bad PUFs or with adversarial access between the commit and reveal phase, but not with both. We hope that our results can contribute to a clarification of the usability of PUF s in cryptographic protocols. They show that new hardware properties such as offline certifiability and the erasure of PUF responses would be required in order to make PUFs a broadly applicable cryptographic tool. These features have not yet been realized in practical PUF-implementations and generally seem hard to achieve at low costs. Our findings also show that the question how PUFs can be modeled comprehensively in a UC-setting must be considered at least partly open.

[1]  Frederik Armknecht,et al.  A Formalization of the Security Features of Physical Functions , 2011, 2011 IEEE Symposium on Security and Privacy.

[2]  Ueli Maurer,et al.  Protocols for Secret Key Agreement by Public Discussion Based on Common Information , 1992, CRYPTO.

[3]  Joe Kilian,et al.  Founding crytpography on oblivious transfer , 1988, STOC '88.

[4]  Ulrich Rührmair,et al.  Practical Security Analysis of PUF-Based Two-Player Protocols , 2012, CHES.

[5]  Ronen Shaltiel,et al.  Constant-Round Oblivious Transfer in the Bounded Storage Model , 2006, Journal of Cryptology.

[6]  Stefan Katzenbeisser,et al.  Physically Uncloneable Functions in the Universal Composition Framework , 2011, CRYPTO.

[7]  Ueli Maurer Conditionally-perfect secrecy and a provably-secure randomized cipher , 2004, Journal of Cryptology.

[8]  A. D. Wyner,et al.  The wire-tap channel , 1975, The Bell System Technical Journal.

[9]  Sampath Kannan,et al.  The relationship between public key encryption and oblivious transfer , 2000, Proceedings 41st Annual Symposium on Foundations of Computer Science.

[10]  Russell Impagliazzo,et al.  Limits on the provable consequences of one-way permutations , 1988, STOC '89.

[11]  Donald Beaver,et al.  Correlated pseudorandomness and the complexity of private computations , 1996, STOC '96.

[12]  Oded Goldreich,et al.  Foundations of Cryptography: Volume 2, Basic Applications , 2004 .

[13]  Jorge Guajardo,et al.  FPGA Intrinsic PUFs and Their Use for IP Protection , 2007, CHES.

[14]  G. Edward Suh,et al.  Physical Unclonable Functions for Device Authentication and Secret Key Generation , 2007, 2007 44th ACM/IEEE Design Automation Conference.

[15]  Ulrich Rührmair,et al.  Strong PUFs: Models, Constructions, and Security Proofs , 2010, Towards Hardware-Intrinsic Security.

[16]  G. G. Stokes "J." , 1890, The New Yale Book of Quotations.

[17]  Stephen A. Benton,et al.  Physical one-way functions , 2001 .

[18]  U. Rührmair Oblivious Transfer based on Physical Unclonable Functions ( Extended Abstract ) , 2010 .

[19]  Yonatan Aumann,et al.  Everlasting security in the bounded storage model , 2002, IEEE Trans. Inf. Theory.

[20]  George Savvides,et al.  Interactive hashing and reductions between oblivious transfer variants , 2007 .

[21]  Dusko Pavlovic,et al.  Gaming security by obscurity , 2011, NSPW '11.

[22]  Imre Csiszár,et al.  Broadcast channels with confidential messages , 1978, IEEE Trans. Inf. Theory.

[23]  Edwin Pickstone,et al.  ILLEGITIMI NON CARBORUNDUM , 2012 .

[24]  Srinivas Devadas,et al.  Identification and authentication of integrated circuits , 2004, Concurr. Pract. Exp..

[25]  Boris Skoric,et al.  Strong Authentication with Physical Unclonable Functions , 2007, Security, Privacy, and Trust in Modern Data Management.

[26]  Frank Sehnke,et al.  On the Foundations of Physical Unclonable Functions , 2009, IACR Cryptol. ePrint Arch..

[27]  Manuel Blum How to Exchange (Secret) Keys (Extended Abstract) , 1983, STOC 1983.

[28]  R. Pappu,et al.  Physical One-Way Functions , 2002, Science.

[29]  Oded Goldreich,et al.  A randomized protocol for signing contracts , 1985, CACM.

[30]  M. Rabin DIGITALIZED SIGNATURES AND PUBLIC-KEY FUNCTIONS AS INTRACTABLE AS FACTORIZATION , 1979 .

[31]  Srinivas Devadas,et al.  Silicon physical random functions , 2002, CCS '02.

[32]  Ran Canetti,et al.  Universally composable security: a new paradigm for cryptographic protocols , 2001, Proceedings 2001 IEEE International Conference on Cluster Computing.

[33]  Ulrich Rührmair,et al.  An Attack on PUF-Based Session Key Exchange and a Hardware-Based Countermeasure: Erasable PUFs , 2011, Financial Cryptography.

[34]  Rafail Ostrovsky,et al.  Universally Composable Secure Computation with (Malicious) Physically Uncloneable Functions , 2012, IACR Cryptol. ePrint Arch..

[35]  G. Edward Suh,et al.  Extracting secret keys from integrated circuits , 2005, IEEE Transactions on Very Large Scale Integration (VLSI) Systems.

[36]  Ivan Damgård,et al.  On the (Im)possibility of Basing Oblivious Transfer and Bit Commitment on Weakened Security Assumptions , 1998, EUROCRYPT.

[37]  Miodrag Potkonjak,et al.  Lightweight secure PUFs , 2008, ICCAD 2008.

[38]  Ran Canetti,et al.  Universally Composable Commitments , 2001, CRYPTO.

[39]  Srinivas Devadas,et al.  Modeling attacks on physical unclonable functions , 2010, CCS '10.

[40]  Osamu Watanabe On One-Way Functions , 1989 .

[41]  Ronen Shaltiel,et al.  Constant-Round Oblivious Transfer in the Bounded Storage Model , 2004, Journal of Cryptology.

[42]  Boris Skoric,et al.  Information-Theoretic Security Analysis of Physical Uncloneable Functions , 2005, Financial Cryptography.

[43]  Boris Skoric,et al.  Read-Proof Hardware from Protective Coatings , 2006, CHES.

[44]  Marten van Dijk,et al.  A technique to build a secret key in integrated circuits for identification and authentication applications , 2004, 2004 Symposium on VLSI Circuits. Digest of Technical Papers (IEEE Cat. No.04CH37525).

[45]  Ulrich Rührmair,et al.  SIMPL Systems, or: Can We Design Cryptographic Hardware without Secret Key Information? , 2011, SOFSEM.

[46]  Leonid A. Levin,et al.  A hard-core predicate for all one-way functions , 1989, STOC '89.

[47]  Miodrag Potkonjak,et al.  Testing Techniques for Hardware Security , 2008, 2008 IEEE International Test Conference.