Physically Non-Clonable Function - RFID Systems

Date post: 06-Apr-2018
Upload: dr-singh
Transcript
  • 8/3/2019 Physically Non-Clonable Function - RFID Systems

    1/21

    Physically Non-clonable Function Based Security and Privacy in RFID Systems

    Prof. Rushen Chahal

  • 8/3/2019 Physically Non-Clonable Function - RFID Systems

    2/21

    Contribution and Motivation

    Contribution:
        Privacy-preserving tag identification algorithm
        Secure MAC algorithms
        Comparison of PUF with digital hash functions

    Motivation:
        Digital crypto implementations require 1000s of gates
        Low-cost alternatives:
            Pseudonyms / one-time pads
            Low complexity / power hash function designs
            Hardware-based solutions

  • 8/3/2019 Physically Non-Clonable Function - RFID Systems

    3/21

    PUF-Based Security

    Physical Unclonable Function (PUF) [Gassend et al 2002]

    PUF security is based on:
        wire delays
        gate delays
        quantum mechanical fluctuations

    PUF characteristics:
        uniqueness
        reliability
        unpredictability

    PUF assumptions:
        Infeasible to accurately model PUF
        Pair-wise PUF output-collision probability is constant
        Physical tampering will modify PUF

  • 8/3/2019 Physically Non-Clonable Function - RFID Systems

    4/21

    Privacy in RFID

    [Figure: locations A, B, C with the note "Alice was here: A, B, C"]

  • 8/3/2019 Physically Non-Clonable Function - RFID Systems

    5/21

    Private Identification Algorithm

    Assumptions:
        no denial of service attacks (e.g., passive adversaries, DoS detection/prevention mechanisms)
        physical compromise of tags not possible

    It is important to have:
        a reliable PUF
        no loops in PUF chains
        no identical PUF outputs

    [Figure: the reader sends Request; the tag answers with ID and sets ID <- p(ID)]

    Database:
        ID_1, p(ID_1), p^2(ID_1), ..., p^k(ID_1)
        ...
        ID_n, p_n(ID_n), p_n^2(ID_n), ..., p_n^k(ID_n)
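
The identification round and the back-end chain lookup described on this slide, as an added example that is not part of the original slides. The PUF is replaced by a keyed hash standing in for a random oracle, and `make_puf`, `Tag`, `enroll`, `identify`, `demo` and the tag names are hypothetical.

```python
import hashlib
import hmac
import secrets

def make_puf(device_secret: bytes):
    """Stand-in (assumption) for a tag's PUF p: a keyed hash treated as a
    random oracle. A real PUF gets its output from circuit delays."""
    def p(value: bytes) -> bytes:
        return hmac.new(device_secret, value, hashlib.sha256).digest()[:8]
    return p

class Tag:
    def __init__(self, initial_id: bytes, puf):
        self.current_id, self.puf = initial_id, puf

    def respond(self) -> bytes:
        """Answer a reader Request with ID, then set ID <- p(ID)."""
        sent = self.current_id
        self.current_id = self.puf(sent)
        return sent

def enroll(database, name, initial_id, puf, k):
    """Back end stores ID, p(ID), ..., p^k(ID). Enrolment fails on a loop in
    the chain or on an output that is already stored for any tag."""
    chain, value = [], initial_id
    for _ in range(k + 1):
        if value in database or value in chain:
            raise ValueError("loop or identical PUF output")
        chain.append(value)
        value = puf(value)
    for position, entry in enumerate(chain):
        database[entry] = (name, position)

def identify(database, response):
    """Reader-side lookup: (tag name, chain position), or None if unknown."""
    return database.get(response)

def demo(k=5):
    database, tags = {}, {}
    for name in ("tag-A", "tag-B"):  # constructed sample tags
        puf, first_id = make_puf(secrets.token_bytes(16)), secrets.token_bytes(8)
        enroll(database, name, first_id, puf, k)
        tags[name] = Tag(first_id, puf)
    sent = [tags["tag-A"].respond() for _ in range(k + 1)]
    found = [identify(database, s) for s in sent]
    after_chain_end = identify(database, tags["tag-A"].respond())
    return sent, found, after_chain_end
```

Each Request consumes one stored chain entry, so after k+1 responses the tag is no longer recognised; that is the cost behind the slide's no-denial-of-service assumption.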

  • 8/3/2019 Physically Non-Clonable Function - RFID Systems

    6/21

    Improving Reliability of Responses

    Run PUF multiple times for same ID & pick majority

    m(1-)N-m )k

    R(, N, k) (1 -

    N N

    mN+12

    m=

    number of runs

    chain length

    unreliability probability

    overall reliability

    R(0.02, 5, 100) 0.992

    Create tuples of multi-PUF computed IDs & identify a tag based on at least one valid position value

    expected number of identifications

    S(, q) = i [(1 (1-)i+1)q - (1 (1-)i)q]

    i=1

    tuple size

    S(0.02, 1) = 49, S(0.02, 2) = 73, S(0.02, 3) = 90

    (ID1, ID2, ID3)
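
A numeric reading of this slide's two reliability figures, added here as an example and not taken from the original slides. It assumes R is a majority vote over an odd number of runs repeated along the whole chain, and S is the expected number of identifications before every chain in the tuple has gone wrong; the name `mu` for the unreliability probability and all function names are hypothetical. The reading reproduces the values the slide states.

```python
from math import comb

def majority_failure(mu: float, runs: int) -> float:
    """Probability that at least (runs+1)/2 of `runs` PUF evaluations are
    wrong, so the majority vote returns a wrong response (runs is odd)."""
    first_bad = (runs + 1) // 2
    return sum(comb(runs, m) * mu**m * (1 - mu) ** (runs - m)
               for m in range(first_bad, runs + 1))

def chain_reliability(mu: float, runs: int, chain_length: int) -> float:
    """R: every one of chain_length majority-voted responses is correct."""
    return (1 - majority_failure(mu, runs)) ** chain_length

def expected_identifications(mu: float, tuple_size: int, terms: int = 5000) -> float:
    """S: expected identifications when a tag is recognised as long as at
    least one of tuple_size independent chains has not yet gone wrong.
    The series is truncated at `terms`, ample for mu around 0.01 or more."""
    def all_broken_before(i: int) -> float:
        return (1 - (1 - mu) ** i) ** tuple_size
    return sum(i * (all_broken_before(i + 1) - all_broken_before(i))
               for i in range(1, terms + 1))

def runs_needed(mu: float, chain_length: int, target: float, limit: int = 99) -> int:
    """Smallest odd number of runs whose chain reliability reaches target."""
    for runs in range(1, limit + 1, 2):
        if chain_reliability(mu, runs, chain_length) >= target:
            return runs
    raise ValueError("target not reachable within limit")
```

For tuple sizes 2 and 3 the sums come to about 73.7 and 90.2, whose integer parts are the slide's 73 and 90.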

  • 8/3/2019 Physically Non-Clonable Function - RFID Systems

    7/21

    Privacy Model

    Experiment:

    1. A passive adversary observes polynomially-many rounds of reader-tag communications with multiple tags
    2. An adversary selects 2 tags
    3. The reader randomly and privately selects one of the 2 tags and runs one identification round with the selected tag
    4. An adversary determines the tag that the reader selected

    Definition: The algorithm is privacy-preserving if an adversary cannot determine the reader-selected tag with probability substantially greater than

    Theorem: Given random oracle assumption for PUFs, an adversary has no advantage in the above experiment.

  • 8/3/2019 Physically Non-Clonable Function - RFID Systems

    8/21

    PUF-Based MAC Algorithms

    MAC based on PUF

    Motivation: yoking-proofs, signing sensor data

    large keys (PUF is the key)

    cannot support arbitrary messages

    MAC = (K, , )

    K

    K

    valid signature : (M, ) = 1

    forged signature : (M, ) = 1, M = M

    Assumptions

    adversary can adaptively learn poly-many (m, ) pairs

    signature verifiers are off-line

    tag can store a counter (to protect against replay attacks)

  • 8/3/2019 Physically Non-Clonable Function - RFID Systems

    9/21

    Large Message Space

    (m) = c, r_1, ..., r_n, p_c(r_1, m), ..., p_c(r_n, m)

    Assumption: tag can generate good random numbers (can be PUF-based)

    Signature verification:
        requires tag's presence
        password-based or in radio-protected environment (Faraday Cage)
        learn p_c(r_i, m), 1 <= i <= n
        verify that the desired fraction of PUF computations is correct

    To protect against hardware tampering:
        authenticate tag before MAC verification
        store verification password underneath PUF

    Key: PUF
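
The signing and threshold verification steps of this slide, as an added example that is not part of the original slides. The PUF is modelled by a keyed hash over (counter, r, message), and the class and function names, the 4-byte response size and the tolerance of 4 wrong responses out of 40 are constructed assumptions.

```python
import hashlib
import hmac
import secrets

class Tag:
    """Tag whose PUF is the MAC key. The PUF is modelled (assumption) by a
    keyed hash over (counter, r, message); a real PUF has no stored key."""
    def __init__(self, n: int):
        self._device = secrets.token_bytes(16)
        self.n, self.counter = n, 0

    def puf(self, c: int, r: bytes, m: bytes) -> bytes:
        data = c.to_bytes(8, "big") + r + m
        return hmac.new(self._device, data, hashlib.sha256).digest()[:4]

    def sign(self, m: bytes):
        """Signature: c, r_1..r_n, p_c(r_1, m)..p_c(r_n, m); c never repeats."""
        self.counter += 1
        c = self.counter
        rs = [secrets.token_bytes(8) for _ in range(self.n)]
        return c, rs, [self.puf(c, r, m) for r in rs]

def verify(tag, m, signature, max_wrong, last_counter=0):
    """Run in the tag's presence: re-query the PUF and accept when at most
    max_wrong of the n responses differ and the counter is fresh."""
    c, rs, responses = signature
    if c <= last_counter or len(rs) != tag.n or len(responses) != tag.n:
        return False
    wrong = sum(not hmac.compare_digest(tag.puf(c, r, m), resp)
                for r, resp in zip(rs, responses))
    return wrong <= max_wrong

def corrupt(signature, positions):
    """Flip one bit in the chosen responses, standing in for PUF noise."""
    c, rs, responses = signature
    noisy = [bytes([resp[0] ^ 1]) + resp[1:] if i in positions else resp
             for i, resp in enumerate(responses)]
    return c, rs, noisy
```

The tolerance absorbs unreliable PUF responses, while a signature replayed with an old counter or attached to a different message is rejected.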

  • 8/3/2019 Physically Non-Clonable Function - RFID Systems

    10/21

    Choosing # of PUF Computations

    [Plot: horizontal axis ticks 25 to 50, vertical axis ticks 0.994 to 0.999]

    < probv 1 and probf 1

    0 t n-1

    i=t+1

    i(1-)n-iprobv(n, t, ) = 1 - n

    n

    i

    j=t+1

    j

    (1-)

    n-j

    probf(n, t, )= 1 -

    nn

    j

    probv(n, 0.1n, 0.02)

    probf(n, 0.1n, 0.4)

  • 8/3/2019 Physically Non-Clonable Function - RFID Systems

    11/21

    Theorem

    Given random oracle assumption for a PUF, the probability that an adversary could forge a signature for a message is bounded from above by the tag impersonation probability.

  • 8/3/2019 Physically Non-Clonable Function - RFID Systems

    12/21

    Small Message Space

    Assumption: small and known a priori message space

    Key[p, m_i, c] = c, p_c^(1)(m_i), ..., p_c^(n)(m_i)

    Callouts on Key[p, m_i, c]: PUF, message, counter

    (m) = c, p_c^(1)(m), ..., p_c^(n)(m), ..., c+q-1, p_{c+q-1}^(1)(m), p_{c+q-1}^(n)(m)

    Callout: sub-signature

    Verify that the desired number of sub-signatures are valid

    PUF reliability is again crucial

  • 8/3/2019 Physically Non-Clonable Function - RFID Systems

    13/21

    Theorem

    Given random oracle assumption for a PUF, the probability that an adversary could forge a signature for a message is bounded by the tag impersonation probability times the number of sub-signatures.

  • 8/3/2019 Physically Non-Clonable Function - RFID Systems

    14/21

    Attacks on MAC Protocols

    [Figure labels: original, clone]

    Impersonation attacks:
        manufacture an identical tag
        obtain (steal) existing PUFs

    Hardware-tampering attacks:
        physically probe wires to learn the PUF
        physically read-off/alter keys/passwords

    Side-channel attacks:
        algorithm timing
        power consumption

    Modeling attacks:
        build a PUF model to predict PUF's outputs

  • 8/3/2019 Physically Non-Clonable Function - RFID Systems

    15/21

    Comparison of PUF With Digital Hash Functions

    Reference PUF: 545 gates for 64-bit input
        6 to 8 gates for each input bit
        33 gates to measure the delay

    Low gate count of PUF has a cost:
        probabilistic outputs
        difficult to characterize analytically
        non-unique computation
        extra back-end storage

    Different attack target for adversaries:
        model building rather than key discovery

    Physical security:
        hard to break tag and remain undetected

    algorithm     # of gates
    MD4           7350
    MD5           8400
    SHA-256       10868
    Yuksel        1701
    PUF           545
    AES           3400

  • 8/3/2019 Physically Non-Clonable Function - RFID Systems

    16/21

    PUF Design

    Attacks on PUF:
        impersonation
        modeling
        hardware tampering
        side-channel

    Weaknesses of existing PUF

    New PUF design:
        no oscillating circuit
        sub-threshold voltage

    Compare different non-linear delay approaches

    reliability

  • 8/3/2019 Physically Non-Clonable Function - RFID Systems

    17/21

    Conclusions and Future Work

    Develop theoretical framework for PUF

    Design new sub-threshold voltage based PUF

    Manufacture and test PUFs

    varying environmental conditions

    motion, acceleration, vibration, temperature, noise

    Design new PUF-based security protocols

    ownership transfer

    recovery from privacy compromise

    PUFs on RFID readers

    } in progress

    PUF: hardware primitive for RFID security

    Identification and MAC algorithms based on PUF

    PUFs protect tags from physical attacks

    PUF is the key

  • 8/3/2019 Physically Non-Clonable Function - RFID Systems

    18/21

    Thank You

    Questions ?

    Leonid Bolotnyy

    [email protected]

    Dept. of Computer Science

    University of Virginia

  • 8/3/2019 Physically Non-Clonable Function - RFID Systems

    19/21

    PUF-Based Ownership Transfer

    Ownership Transfer

    To maintain privacy we need:
        ownership privacy
        forward privacy

    Physical security is especially important

    Solutions:
        public key cryptography (expensive)
        knowledge of owners sequence
        trusted authority
        short period of privacy

  • 8/3/2019 Physically Non-Clonable Function - RFID Systems

    20/21

    Using PUF to Detect and Restore Privacy of Compromised System

    1. Detect potential tag compromise
    2. Update secrets of affected tags

    [Figure: diagram of secrets labelled s1,0 to s1,2, s2,0 to s2,5 and s3,0 to s3,10]

  • 8/3/2019 Physically Non-Clonable Function - RFID Systems

    21/21

    Related Work on PUF

    Optical PUF [Ravikanth 2001]

    Silicon PUF [Gassend et al 2002]:
        Design, implementation, simulation, manufacturing
        Authentication algorithm
        Controlled PUF

    PUF in RFID:
        Identification/authentication [Ranasinghe et al 2004]
        Off-line reader authentication using public key cryptography [Tuyls et al 2006]
