slender puf protocol authentication by substring matching m. majzoobi, m. rostami, f. koushanfar, d....
TRANSCRIPT
![Page 1: Slender PUF Protocol Authentication by Substring Matching M. Majzoobi, M. Rostami, F. Koushanfar, D. Wallach, and S. Devadas* International Workshop on](https://reader031.vdocuments.pub/reader031/viewer/2022013011/56649cf75503460f949c741a/html5/thumbnails/1.jpg)
Slender PUF Protocol Authentication by Substring
Matching
M. Majzoobi, M. Rostami, F. Koushanfar, D. Wallach, and S. Devadas*
International Workshop on Trustworthy Embedded Devices,
San Francisco, May 2012
1
ACES Lab, Rice University*Computation Structures Group, MIT
![Page 2: Slender PUF Protocol Authentication by Substring Matching M. Majzoobi, M. Rostami, F. Koushanfar, D. Wallach, and S. Devadas* International Workshop on](https://reader031.vdocuments.pub/reader031/viewer/2022013011/56649cf75503460f949c741a/html5/thumbnails/2.jpg)
2
Traditional digital key-based authentication
• Keys stored in non-volatile memory– Verifier sends random number (challenge)– Prover signs the number by it’s secret key and sends a
response• Limitation
– Extra cost of non-volatile memory – Physical and side channel attacks– Intensive cryptographic algorithms
Challenge
Verifier Prover
![Page 3: Slender PUF Protocol Authentication by Substring Matching M. Majzoobi, M. Rostami, F. Koushanfar, D. Wallach, and S. Devadas* International Workshop on](https://reader031.vdocuments.pub/reader031/viewer/2022013011/56649cf75503460f949c741a/html5/thumbnails/3.jpg)
3
Physical unclonable functions(PUFs)
• PUFs based on the inherent, hard to forge, physical disorders
• Two major types*:– Weak PUF– Strong PUF
*Ruhrmair, et al., Book chapter in ‘Intro to Hardware Security and Trust’, Springer’11
![Page 4: Slender PUF Protocol Authentication by Substring Matching M. Majzoobi, M. Rostami, F. Koushanfar, D. Wallach, and S. Devadas* International Workshop on](https://reader031.vdocuments.pub/reader031/viewer/2022013011/56649cf75503460f949c741a/html5/thumbnails/4.jpg)
4
Security based on PUFs:Weak PUFs
• Also called Physically Obfuscated Keys (POKs)• Limited Challenge-Response Pairs
– Based on ring-oscillators • Generate standard digital key for security apps• When challenged by one (or very few) fixed
challenge(s) generates Response(s) depending on its physical disorder
• Response(s) is used to generate secret key• Intensive cryptographic algorithm is still needed
Ruhrmair, et al., Book chapter in ‘Intro to Hardware Security and Trust’, Springer’11
![Page 5: Slender PUF Protocol Authentication by Substring Matching M. Majzoobi, M. Rostami, F. Koushanfar, D. Wallach, and S. Devadas* International Workshop on](https://reader031.vdocuments.pub/reader031/viewer/2022013011/56649cf75503460f949c741a/html5/thumbnails/5.jpg)
5
Strong PUFs*
• Directly used for challenge response authentication
• Provide large Challenge-Response Pairs (CRPs)• Often exponential w.r.t. system elements• Neither an adversary nor manufacturer should
correctly predict the response to a randomly chosen challenge with a high probability**
*Ruhrmair, et al., Book chapter in ‘Intro to Hardware Security and Trust’, Springer’11**Gassend, et al., CCS’02
![Page 6: Slender PUF Protocol Authentication by Substring Matching M. Majzoobi, M. Rostami, F. Koushanfar, D. Wallach, and S. Devadas* International Workshop on](https://reader031.vdocuments.pub/reader031/viewer/2022013011/56649cf75503460f949c741a/html5/thumbnails/6.jpg)
6
Delay-based Strong PUF
• Compare two paths with an identical delay in design*, **• Each challenge selects a unique pair of delay paths
– Random process variation determines which path is faster– An arbiter outputs 1-bit digital response– Multiple bits can be obtained by either duplicate the circuit or
use different challenges
…
c-bitChallenge
RisingEdge
1 if toppath is faster,else 0
D Q1
1
0
0
1
1
0
0
1
1
0
0
1 0 10 0 1
01
G
Response
*Suh and Devadas, DAC 2007
*Gassend, et al. , SAC’03**Lee, et al., VLSI Symp’04
![Page 7: Slender PUF Protocol Authentication by Substring Matching M. Majzoobi, M. Rostami, F. Koushanfar, D. Wallach, and S. Devadas* International Workshop on](https://reader031.vdocuments.pub/reader031/viewer/2022013011/56649cf75503460f949c741a/html5/thumbnails/7.jpg)
7
• An arbiter PUF can be modeled easily*
• Fast modeling compromised security **
Model building
*Majzoobi, Koushanfar, Potkonjak, TRETS’08**Ruhrmair, et al., CCS’10
![Page 8: Slender PUF Protocol Authentication by Substring Matching M. Majzoobi, M. Rostami, F. Koushanfar, D. Wallach, and S. Devadas* International Workshop on](https://reader031.vdocuments.pub/reader031/viewer/2022013011/56649cf75503460f949c741a/html5/thumbnails/8.jpg)
8
Lightweight safeguarding of PUFs
• Protect against machine learning attacks by• Blocking controllability and observability*
PUF
PUFInput
Net. (G)
PUF
Input Net. (G)
Input Net. (G)
...
...
Output Network (Z)
...
Interconnect Network
Input Output
1. Transform challenges • Input network
2. Block controllability3. Block observability
• Output network
* Majzoobi, et al., ICCAD ‘08
![Page 9: Slender PUF Protocol Authentication by Substring Matching M. Majzoobi, M. Rostami, F. Koushanfar, D. Wallach, and S. Devadas* International Workshop on](https://reader031.vdocuments.pub/reader031/viewer/2022013011/56649cf75503460f949c741a/html5/thumbnails/9.jpg)
9
XORed delay-based PUF
• Block observability by lossy compression• Swapping the challenge order to improve
statistical properties*
*Majzoobi, et al., ICCAD ‘08
![Page 10: Slender PUF Protocol Authentication by Substring Matching M. Majzoobi, M. Rostami, F. Koushanfar, D. Wallach, and S. Devadas* International Workshop on](https://reader031.vdocuments.pub/reader031/viewer/2022013011/56649cf75503460f949c741a/html5/thumbnails/10.jpg)
10
XORed delay-based PUFs
• Improvement in randomness of responses• Strict Avalanche Criterion
– Any transition in the input causes a transition in the output with a probability of 0.5
• Balances the impact of challenge on output
![Page 11: Slender PUF Protocol Authentication by Substring Matching M. Majzoobi, M. Rostami, F. Koushanfar, D. Wallach, and S. Devadas* International Workshop on](https://reader031.vdocuments.pub/reader031/viewer/2022013011/56649cf75503460f949c741a/html5/thumbnails/11.jpg)
11
Model building attack on Xored-PUF
• Use XORed PUFs to guard against modeling • Harder, but still breakable *
– Logistic regression, evolutionary strategies – Two order of magnitude more CRPs needed
*Ruhrmair, et al., CCS’10
![Page 12: Slender PUF Protocol Authentication by Substring Matching M. Majzoobi, M. Rostami, F. Koushanfar, D. Wallach, and S. Devadas* International Workshop on](https://reader031.vdocuments.pub/reader031/viewer/2022013011/56649cf75503460f949c741a/html5/thumbnails/12.jpg)
12
Problem with just Xoring
• Still breakable • Cannot increase XOR layers indefinitely • Accumulates error
– 5% 20% for 4 XOR• A solution* to guard against modeling while
robust against errors– Using error correction codes (ECC) and hashing – Computationally intensive!– Not suitable for low-power embedded devices
*Gassend, et al., CCS’02
![Page 13: Slender PUF Protocol Authentication by Substring Matching M. Majzoobi, M. Rostami, F. Koushanfar, D. Wallach, and S. Devadas* International Workshop on](https://reader031.vdocuments.pub/reader031/viewer/2022013011/56649cf75503460f949c741a/html5/thumbnails/13.jpg)
13
Desired properties of protocol
• Robust against model building attacks • Robust against PUF errors• Ultra low-power
– No Hashing – No error correction codes
![Page 14: Slender PUF Protocol Authentication by Substring Matching M. Majzoobi, M. Rostami, F. Koushanfar, D. Wallach, and S. Devadas* International Workshop on](https://reader031.vdocuments.pub/reader031/viewer/2022013011/56649cf75503460f949c741a/html5/thumbnails/14.jpg)
14
Slender PUFProtocol
![Page 15: Slender PUF Protocol Authentication by Substring Matching M. Majzoobi, M. Rostami, F. Koushanfar, D. Wallach, and S. Devadas* International Workshop on](https://reader031.vdocuments.pub/reader031/viewer/2022013011/56649cf75503460f949c741a/html5/thumbnails/15.jpg)
15
Communicating parties
• Prover– Has PUF– Will be authenticated
• Verifier – Has a compact soft model of the PUF
• Compute challenge/response pairs
– Will authenticate the prover
Challenge
Verifier Prover
![Page 16: Slender PUF Protocol Authentication by Substring Matching M. Majzoobi, M. Rostami, F. Koushanfar, D. Wallach, and S. Devadas* International Workshop on](https://reader031.vdocuments.pub/reader031/viewer/2022013011/56649cf75503460f949c741a/html5/thumbnails/16.jpg)
16
Xored delay-based PUF model
• PUF secrets – Set of delays
• The secret sharing is performed initially • Electronic fuse burned to disable access*
Probing here for model building
*Majzoobi, Koushanfar, Potkonjak, TRETS’08
![Page 17: Slender PUF Protocol Authentication by Substring Matching M. Majzoobi, M. Rostami, F. Koushanfar, D. Wallach, and S. Devadas* International Workshop on](https://reader031.vdocuments.pub/reader031/viewer/2022013011/56649cf75503460f949c741a/html5/thumbnails/17.jpg)
17
Malicious parties
• Dishonest prover– Does not have access to the PUF– Wants to pass the authentication
• Eavesdropper – Taps the communication between prover and verifier– Tries to learn the secret
• Dishonest verifier– Does not have access to the PUF soft model – Tries to actively trick the prover to leak information
![Page 18: Slender PUF Protocol Authentication by Substring Matching M. Majzoobi, M. Rostami, F. Koushanfar, D. Wallach, and S. Devadas* International Workshop on](https://reader031.vdocuments.pub/reader031/viewer/2022013011/56649cf75503460f949c741a/html5/thumbnails/18.jpg)
18
Slender PUF ProtocolVerifier Prover
Noncev(1)
Verifier Prover
![Page 19: Slender PUF Protocol Authentication by Substring Matching M. Majzoobi, M. Rostami, F. Koushanfar, D. Wallach, and S. Devadas* International Workshop on](https://reader031.vdocuments.pub/reader031/viewer/2022013011/56649cf75503460f949c741a/html5/thumbnails/19.jpg)
19
Slender PUF Protocol
Verifier Prover
Verifier Prover
Noncep(2)
Noncev(1)
![Page 20: Slender PUF Protocol Authentication by Substring Matching M. Majzoobi, M. Rostami, F. Koushanfar, D. Wallach, and S. Devadas* International Workshop on](https://reader031.vdocuments.pub/reader031/viewer/2022013011/56649cf75503460f949c741a/html5/thumbnails/20.jpg)
20
Slender PUF Protocol
Verifier Prover
Verifier Prover
Noncep
Seed ={Noncev,Noncep} Seed = {Noncev,Noncep}(3)
(2)
Noncev(1)
![Page 21: Slender PUF Protocol Authentication by Substring Matching M. Majzoobi, M. Rostami, F. Koushanfar, D. Wallach, and S. Devadas* International Workshop on](https://reader031.vdocuments.pub/reader031/viewer/2022013011/56649cf75503460f949c741a/html5/thumbnails/21.jpg)
21
Slender PUF Protocol
Verifier Prover
Verifier Prover
Noncep
Seed ={Noncev,Noncep} Seed = {Noncev,Noncep}(3)
(2)
Noncev(1)
The same seed for both sides Random if only one of them is honest
![Page 22: Slender PUF Protocol Authentication by Substring Matching M. Majzoobi, M. Rostami, F. Koushanfar, D. Wallach, and S. Devadas* International Workshop on](https://reader031.vdocuments.pub/reader031/viewer/2022013011/56649cf75503460f949c741a/html5/thumbnails/22.jpg)
22
Slender PUF Protocol
Verifier Prover
Verifier Prover
Noncep
Seed ={Noncev,Noncep} Seed = {Noncev,Noncep}
C = G(Seed) C = G(Seed)
(3)
(4)
(2)
Noncev(1)
PRNG PRNG
Generate challenge stream from seedThe same challenge for both sides
![Page 23: Slender PUF Protocol Authentication by Substring Matching M. Majzoobi, M. Rostami, F. Koushanfar, D. Wallach, and S. Devadas* International Workshop on](https://reader031.vdocuments.pub/reader031/viewer/2022013011/56649cf75503460f949c741a/html5/thumbnails/23.jpg)
23
Slender PUF ProtocolVerifier Prover
Noncep
Seed ={Noncev,Noncep} Seed = {Noncev,Noncep}
C = G(Seed) C = G(Seed)
R’ = PUF_model(C) R = PUF(C)
(3)
(4)
(2)
(5)
Noncev(1)
![Page 24: Slender PUF Protocol Authentication by Substring Matching M. Majzoobi, M. Rostami, F. Koushanfar, D. Wallach, and S. Devadas* International Workshop on](https://reader031.vdocuments.pub/reader031/viewer/2022013011/56649cf75503460f949c741a/html5/thumbnails/24.jpg)
24
Slender PUF Protocol
1 0 0 1 1 1 0 0 1 1 0 1 1 0 0 0 1 1 1 0 0 1 0 0 1 1R:
R’: 1 0 0 1 1 1 0 0 1 1 0 1 1 1 0 0 0 1 1 0 0 1 0 0 1 1
Verifier Prover
Noncep
Seed ={Noncev,Noncep} Seed = {Noncev,Noncep}
C = G(Seed) C = G(Seed)
R’ = PUF_model(C) R = PUF(C)
(3)
(4)
(2)
(5)
Noncev(1)
![Page 25: Slender PUF Protocol Authentication by Substring Matching M. Majzoobi, M. Rostami, F. Koushanfar, D. Wallach, and S. Devadas* International Workshop on](https://reader031.vdocuments.pub/reader031/viewer/2022013011/56649cf75503460f949c741a/html5/thumbnails/25.jpg)
25
Slender PUF Protocol
1 0 0 1 1 1 0 0 1 1 0 1 1 0 0 0 1 1 1 0 0 1 0 0 1 1R:
R’: 1 0 0 1 1 1 0 0 1 1 0 1 1 1 0 0 0 1 1 0 0 1 0 0 1 1
Verifier Prover
Noncep
Seed ={Noncev,Noncep} Seed = {Noncev,Noncep}
C = G(Seed) C = G(Seed)
R’ = PUF_model(C) R = PUF(C)
(3)
(4)
(2)
(5)
Noncev(1)
PUF modeling error
![Page 26: Slender PUF Protocol Authentication by Substring Matching M. Majzoobi, M. Rostami, F. Koushanfar, D. Wallach, and S. Devadas* International Workshop on](https://reader031.vdocuments.pub/reader031/viewer/2022013011/56649cf75503460f949c741a/html5/thumbnails/26.jpg)
26
Verifier Prover
Noncep
Seed ={Noncev,Noncep} Seed = {Noncev,Noncep}
C = G(Seed) C = G(Seed)
R’ = PUF_model(C) R = PUF(C)
W = sub-seq (ind,Lsub,R)
(3)
(4)
(2)
(6)
(5)
Noncev(1)
1 0 0 1 1 1 0 0 1 1 0 1 1 0 0 0 1 1 1 0 0 1 0 0 1 1
Lsub = 11
ind = 10
R:
1 0 1 1 0 0 0 1 1 1 0 0W:
The index is not transmitted
![Page 27: Slender PUF Protocol Authentication by Substring Matching M. Majzoobi, M. Rostami, F. Koushanfar, D. Wallach, and S. Devadas* International Workshop on](https://reader031.vdocuments.pub/reader031/viewer/2022013011/56649cf75503460f949c741a/html5/thumbnails/27.jpg)
27
Verifier Prover
Noncep
Seed ={Noncev,Noncep} Seed = {Noncev,Noncep}
C = G(Seed) C = G(Seed)
R’ = PUF_model(C) R = PUF(C)
W = sub-seq (ind,Lsub,R)
(3)
(4)
(2)
(6)
(5)
Noncev(1)
T =match(R’,W,e)
Auth. pass: T = true?
(7)
1 0 1 1 0 0 0 1 1 1 0 0W:
R’: 1 0 0 1 1 1 0 0 1 1 0 1 1 1 0 0 0 1 1 0 0 1 0 0 1 1
10errors:
It reveals minimum informationn about original response sequence
![Page 28: Slender PUF Protocol Authentication by Substring Matching M. Majzoobi, M. Rostami, F. Koushanfar, D. Wallach, and S. Devadas* International Workshop on](https://reader031.vdocuments.pub/reader031/viewer/2022013011/56649cf75503460f949c741a/html5/thumbnails/28.jpg)
28
Model building attacks
• Set Lsub = 500, L = 1024• 99% threshold for authentication
– 99% accuracy in modeling• XORed PUF attack: 500,000 CRPs needed• 500,000 /500=1000 rounds needed• He doesn’t have ind …
![Page 29: Slender PUF Protocol Authentication by Substring Matching M. Majzoobi, M. Rostami, F. Koushanfar, D. Wallach, and S. Devadas* International Workshop on](https://reader031.vdocuments.pub/reader031/viewer/2022013011/56649cf75503460f949c741a/html5/thumbnails/29.jpg)
29
Brute-force modeling attack
• Set Lsub = 500, L = 1024– 500000/500=1000 rounds of protocol needed– In each one, ind is unknown– 1024500000/500 = 10241000 models needed to be built
• Strict avalanche criteria to avoid correlation attacks
210000
![Page 30: Slender PUF Protocol Authentication by Substring Matching M. Majzoobi, M. Rostami, F. Koushanfar, D. Wallach, and S. Devadas* International Workshop on](https://reader031.vdocuments.pub/reader031/viewer/2022013011/56649cf75503460f949c741a/html5/thumbnails/30.jpg)
30
Guessing attack
• Dishonest Prover
• Honest Prover – Perr : PUF error rate
![Page 31: Slender PUF Protocol Authentication by Substring Matching M. Majzoobi, M. Rostami, F. Koushanfar, D. Wallach, and S. Devadas* International Workshop on](https://reader031.vdocuments.pub/reader031/viewer/2022013011/56649cf75503460f949c741a/html5/thumbnails/31.jpg)
31
Replay attack
• Eavesdropping and replying the responses• Nonce scheme prevents it • If prover and verifier nonces are 128-bit:
– Size of database for 50%: 2127
• Very low probability!
![Page 32: Slender PUF Protocol Authentication by Substring Matching M. Majzoobi, M. Rostami, F. Koushanfar, D. Wallach, and S. Devadas* International Workshop on](https://reader031.vdocuments.pub/reader031/viewer/2022013011/56649cf75503460f949c741a/html5/thumbnails/32.jpg)
32
Implementation
• Same challenge streams should not be used• We need :
– PRNG (pseudo random number generator)• Challenge stream generation
– TRNG (true random number generator)• Nonce • Index of substring (ind)
• ind is generated first – PUF is only challenged when necessary
![Page 33: Slender PUF Protocol Authentication by Substring Matching M. Majzoobi, M. Rostami, F. Koushanfar, D. Wallach, and S. Devadas* International Workshop on](https://reader031.vdocuments.pub/reader031/viewer/2022013011/56649cf75503460f949c741a/html5/thumbnails/33.jpg)
33
Slender PUF protocol:System overview
![Page 34: Slender PUF Protocol Authentication by Substring Matching M. Majzoobi, M. Rostami, F. Koushanfar, D. Wallach, and S. Devadas* International Workshop on](https://reader031.vdocuments.pub/reader031/viewer/2022013011/56649cf75503460f949c741a/html5/thumbnails/34.jpg)
34
TRNG and PRNG
• TRNG:– PUF based– Based on flip-flop meta-
stability
Control
MonitorD
C
Q
PDLBinary Sequence
M. Majzoobi, et al., CHES, 2011
• PRNG:• Need not to be
cryptographically secure
• LFSR is enough
![Page 35: Slender PUF Protocol Authentication by Substring Matching M. Majzoobi, M. Rostami, F. Koushanfar, D. Wallach, and S. Devadas* International Workshop on](https://reader031.vdocuments.pub/reader031/viewer/2022013011/56649cf75503460f949c741a/html5/thumbnails/35.jpg)
35
• Slender PUF Protocol
• Previously known protocol*, just SHA-2
Slender PUFOverhead comparison
*Gassend, et al., CCS’02
![Page 36: Slender PUF Protocol Authentication by Substring Matching M. Majzoobi, M. Rostami, F. Koushanfar, D. Wallach, and S. Devadas* International Workshop on](https://reader031.vdocuments.pub/reader031/viewer/2022013011/56649cf75503460f949c741a/html5/thumbnails/36.jpg)
36
Conclusions
– Authentication protocol based on PUFs
– Protect against model building
– Revealing a partial section of the PUF responses
• Based on string matching
– Resilient against PUF error, without: – Error correction– Hashing– Exponentiation