Practical Security Analysis of PUF-Based Two-Player Protocols

In recent years, PUF-based schemes have not only been suggested for the basic tasks of tamper sensitive key storage or the identification of hardware systems, but also for more complex protocols like oblivious transfer (OT) or bit commitment (BC), both of which possess broad and diverse applications. In this paper, we continue this line of research. We first present an attack on two recent OT- and BC-protocols which have been introduced at CRYPTO 2011 by Brzuska et al. [1,2]. The attack quadratically reduces the number of CRPs which malicious players must read out in order to cheat, and fully operates within the original communication model of [1,2]. In practice, this leads to insecure protocols when electrical PUFs with a medium challenge-length are used (e.g., 64 bits), or whenever optical PUFs are employed. These two PUF types are currently among the most popular designs. Secondly, we discuss countermeasures against the attack, and show that interactive hashing is suited to enhance the security of PUF-based OT and BC, albeit at the price of an increased round complexity.

[1]  Ran Canetti,et al.  Universally composable security: a new paradigm for cryptographic protocols , 2001, Proceedings 2001 IEEE International Conference on Cluster Computing.

[2]  Joe Kilian,et al.  Interactive Hashing: An Information Theoretic Tool (Invited Talk) , 2008, ICITS.

[3]  Boris Skoric,et al.  Strong Authentication with Physical Unclonable Functions , 2007, Security, Privacy, and Trust in Modern Data Management.

[4]  G. Edward Suh,et al.  Physical Unclonable Functions for Device Authentication and Secret Key Generation , 2007, 2007 44th ACM/IEEE Design Automation Conference.

[5]  Milan Petkovic,et al.  Security, Privacy, and Trust in Modern Data Management , 2007, Data-Centric Systems and Applications.

[6]  Ulrich Rührmair,et al.  Strong PUFs: Models, Constructions, and Security Proofs , 2010, Towards Hardware-Intrinsic Security.

[7]  George Savvides,et al.  Interactive hashing and reductions between oblivious transfer variants , 2007 .

[8]  Jorge Guajardo,et al.  FPGA Intrinsic PUFs and Their Use for IP Protection , 2007, CHES.

[9]  Blaise L. P. Gassend,et al.  Physical random functions , 2003 .

[10]  Rafail Ostrovsky,et al.  Perfect Zero-Knowledge Arguments for NP Using Any One-Way Permutation , 1998, Journal of Cryptology.

[11]  Ulrich Rührmair,et al.  Physical Unclonable Functions in Cryptographic Protocols: Security Proofs and Impossibility Results , 2012, IACR Cryptol. ePrint Arch..

[12]  Ingrid Verbauwhede,et al.  Physically Unclonable Functions: A Study on the State of the Art and Future Research Directions , 2010, Towards Hardware-Intrinsic Security.

[13]  Yuval Ishai,et al.  Founding Cryptography on Oblivious Transfer - Efficiently , 2008, CRYPTO.

[14]  Srinivas Devadas,et al.  Modeling attacks on physical unclonable functions , 2010, CCS '10.

[15]  Ulrich Rührmair,et al.  Oblivious Transfer Based on Physical Unclonable Functions , 2010, TRUST.

[17]  Russell Impagliazzo,et al.  Limits on the Provable Consequences of One-way Permutations , 1988, CRYPTO.

[18]  Elisabeth Oswald,et al.  A Comprehensive Evaluation of Mutual Information Analysis Using a Fair Evaluation Framework , 2011, CRYPTO.

[19]  Miodrag Potkonjak,et al.  Lightweight secure PUFs , 2008, ICCAD 2008.

[20]  Ernest F. Brickell,et al.  Advances in Cryptology — CRYPTO’ 92 , 2001, Lecture Notes in Computer Science.

[21]  R. Pappu,et al.  Physical One-Way Functions , 2002, Science.

[22]  Jacques Stern,et al.  Advances in Cryptology — EUROCRYPT ’99 , 1999, Lecture Notes in Computer Science.

[23]  Jorge Guajardo,et al.  Extended abstract: The butterfly PUF protecting IP on every FPGA , 2008, 2008 IEEE International Workshop on Hardware-Oriented Security and Trust.

[24]  Ivan Damgård,et al.  On the (Im)possibility of Basing Oblivious Transfer and Bit Commitment on Weakened Security Assumptions , 1998, EUROCRYPT.

[25]  Ingrid Verbauwhede,et al.  Cryptographic Hardware and Embedded Systems - CHES 2007, 9th International Workshop, Vienna, Austria, September 10-13, 2007, Proceedings , 2007, CHES.

[26]  Joseph Bonneau,et al.  What's in a Name? , 2020, Financial Cryptography.

[27]  Joe Kilian,et al.  Founding crytpography on oblivious transfer , 1988, STOC '88.

[28]  Shlomo Shamai,et al.  Information Theoretic Security , 2009, Found. Trends Commun. Inf. Theory.

[29]  Srinivas Devadas,et al.  Silicon physical random functions , 2002, CCS '02.

[30]  Rafail Ostrovsky,et al.  Perfect Zero-Knowledge Arguments for NP Can Be Based on General Complexity Assumptions (Extended Abstract) , 1992, CRYPTO.

[31]  Srinivas Devadas,et al.  Identification and authentication of integrated circuits: Research Articles , 2004 .

[32]  Rafail Ostrovsky,et al.  Fair Games against an All-Powerful Adversary , 1990, Advances In Computational Complexity Theory.

[33]  Ronen Shaltiel,et al.  Constant-Round Oblivious Transfer in the Bounded Storage Model , 2004, Journal of Cryptology.

[34]  G. G. Stokes "J." , 1890, The New Yale Book of Quotations.

[35]  Stephen A. Benton,et al.  Physical one-way functions , 2001 .

[36]  U. Rührmair Oblivious Transfer based on Physical Unclonable Functions ( Extended Abstract ) , 2010 .

[37]  Boris Skoric,et al.  Information-Theoretic Security Analysis of Physical Uncloneable Functions , 2005, Financial Cryptography.

[38]  Boris Skoric,et al.  Read-Proof Hardware from Protective Coatings , 2006, CHES.

[39]  Marten van Dijk,et al.  A technique to build a secret key in integrated circuits for identification and authentication applications , 2004, 2004 Symposium on VLSI Circuits. Digest of Technical Papers (IEEE Cat. No.04CH37525).

[40]  Frank Sehnke,et al.  On the Foundations of Physical Unclonable Functions , 2009, IACR Cryptol. ePrint Arch..

[41]  Mitsuru Matsui,et al.  Cryptographic Hardware and Embedded Systems - CHES 2006, 8th International Workshop, Yokohama, Japan, October 10-13, 2006, Proceedings , 2006, CHES.

[42]  Stefan Katzenbeisser,et al.  Physically Uncloneable Functions in the Universal Composition Framework , 2011, CRYPTO.

[43]  Edwin Pickstone,et al.  ILLEGITIMI NON CARBORUNDUM , 2012 .

[44]  Srinivas Devadas,et al.  Identification and authentication of integrated circuits , 2004, Concurr. Pract. Exp..