
Lightweight Authentication Using Noisy Key Derived from Physically Unclonable Function

Conference paper. In: Innovative Security Solutions for Information Technology and Communications (SecITC 2022)

Abstract

Internet of things (IoT) systems consist of many devices that send their sensor data to cloud servers. Cryptographic authentication is essential for maintaining the consistency of these systems, and lightweight authentication in particular is required because most IoT devices are resource-constrained. Physically unclonable functions (PUFs) are promising tools for protecting such devices from cyber-attacks. A PUF can naturally generate a unique but noisy (i.e., erroneous) key for a device without implementing costly secure key storage in the device. However, a costly error correction technique is required to remove the noise. In this paper, we propose a lightweight authentication scheme with a noisy key (i.e., an uncorrected key) naturally derived from a PUF. The security of our scheme is based on a combinatorial problem with small noise. We also discuss its security and feasibility.

Y. Komano—Presently, the author is with Chiba Institute of Technology, Japan.


Notes

  1. Storing a key in NVM increases both the material cost and the manufacturing cost, since the key must be written using secure equipment.

  2. H (random oracle) is instantiated by a hash function. Because a hash function can be used for checking message integrity and so on, it is implemented in many security devices to which our protocol can be applied. Hence, we believe that implementing the hash function is not an additional cost, unlike implementing an error correction designed for the PUF's characteristics to remove output noise.

  3. For example, if an SRAM-PUF is used, the string is the initial states of L SRAM cells from the top (with no input) or from the address indicated by the input. Or, if an (n-XOR) arbiter-PUF is used, the string is a concatenation of L outputs for L inputs.

  4. http://www.st.com/en/evaluation-tools/nucleo-f401re.html (accessed on October 18, 2022).

  5. Against some PUF instantiations, attacks that learn the model of the PUF from known input–output pairs have been reported.

References

  1. Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: Denning, D.E., Pyle, R., Ganesan, R., Sandhu, R.S., Ashby, V. (eds.) CCS 1993, Proceedings of the 1st ACM Conference on Computer and Communications Security, pp. 62–73. ACM (1993)

  2. Blum, A., Furst, M., Kearns, M., Lipton, R.J.: Cryptographic primitives based on hard learning problems. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 278–291. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48329-2_24

  3. Delvaux, J., Verbauwhede, I.: Attacking PUF-based pattern matching key generators via helper data manipulation. In: Benaloh, J. (ed.) CT-RSA 2014. LNCS, vol. 8366, pp. 106–131. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-04852-9_6

  4. Dodis, Y., Ostrovsky, R., Reyzin, L., Smith, A.: Fuzzy extractors: how to generate strong keys from biometrics and other noisy data. SIAM J. Comput. 38, 97–139 (2008)

  5. Gassend, B., Clarke, D., Van Dijk, M., Devadas, S.: Silicon physical random functions. In: Proceedings of the 9th ACM Conference on Computer and Communications Security, CCS 2002, pp. 148–160. ACM (2002)

  6. Gassend, B., Lim, D., Clarke, D.E., van Dijk, M., Devadas, S.: Identification and authentication of integrated circuits. Concurr. Pract. Exp. 16(11), 1077–1098 (2004)

  7. Guajardo, J., Kumar, S.S., Schrijen, G.-J., Tuyls, P.: FPGA intrinsic PUFs and their use for IP protection. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007. LNCS, vol. 4727, pp. 63–80. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74735-2_5

  8. Holcomb, D.E., Burleson, W.P., Fu, K.: Initial SRAM state as a fingerprint and source of true random numbers for RFID tags. In: Conference on RFID Security 2007. IEEE (2007)

  9. Karakoyunlu, D., Sunar, B.: Differential template attacks on PUF enabled cryptographic devices. In: 2010 IEEE International Workshop on Information Forensics and Security, WIFS 2010, pp. 1–6. IEEE (2010)

  10. Kiltz, E., Pietrzak, K., Cash, D., Jain, A., Venturi, D.: Efficient authentication from hard learning problems. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 7–26. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-20465-4_3

  11. Komano, Y., Ohta, K., Sakiyama, K., Iwamoto, M., Verbauwhede, I.: Single-round pattern matching key generation using physically unclonable function. Secur. Commun. Netw. 2019, 1719585:1–1719585:13 (2019)

  12. Lim, D.: Extracting secret keys from integrated circuits. Master’s thesis, Massachusetts Institute of Technology (MIT) (2004)

  13. Lyubashevsky, V., Masny, D.: Man-in-the-middle secure authentication schemes from LPN and weak PRFs. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8043, pp. 308–325. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40084-1_18

  14. Maes, R.: Physically Unclonable Functions: Constructions, Properties and Applications. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-41395-7

  15. Maes, R., Tuyls, P., Verbauwhede, I.: Low-overhead implementation of a soft decision helper data algorithm for SRAM PUFs. In: Clavier, C., Gaj, K. (eds.) CHES 2009. LNCS, vol. 5747, pp. 332–347. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-04138-9_24

  16. Majzoobi, M., Rostami, M., Koushanfar, F., Wallach, D.S., Devadas, S.: Slender PUF protocol: a lightweight, robust, and secure authentication by substring matching. In: 2012 IEEE Symposium on Security and Privacy Workshops, pp. 33–44. IEEE Computer Society (2012)

  17. Merli, D., Schuster, D., Stumpf, F., Sigl, G.: Side-channel analysis of PUFs and fuzzy extractors. In: McCune, J.M., Balacheff, B., Perrig, A., Sadeghi, A.-R., Sasse, A., Beres, Y. (eds.) Trust 2011. LNCS, vol. 6740, pp. 33–47. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-21599-5_3

  18. National Institute of Standards and Technology (NIST): Federal Information Processing Standards Publication (FIPS) 180-4, Secure Hash Standard (SHS) (2015)

  19. National Institute of Standards and Technology (NIST): Recommendation for block cipher modes of operation: the CMAC mode for authentication (2016)

  20. Paral, Z.S., Devadas, S.: Reliable and efficient PUF-based key generation using pattern matching. In: 2011 IEEE International Symposium on Hardware-Oriented Security and Trust (HOST 2011), pp. 128–133. IEEE (2011)

  21. Ranasinghe, D.C., Engels, D.W., Cole, P.H.: Security and privacy: modest proposals for low-cost RFID systems. In: Auto-ID Labs Research Workshop, pp. 58–64. IEEE (2004)

  22. Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. J. ACM 56(6), 34:1–34:40 (2009)

  23. Rostami, M., Majzoobi, M., Koushanfar, F., Wallach, D.S., Devadas, S.: Robust and reverse-engineering resilient PUF authentication and key-exchange by substring matching. IEEE Trans. Emerging Topics Comput. 2(1), 37–49 (2014)

  24. Sadeghi, A.-R., Naccache, D. (eds.): Towards Hardware-Intrinsic Security. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14452-3

  25. Schalkwijk, J.P.M.: An algorithm for source coding. IEEE Trans. Inf. Theory 18(3), 395–399 (1972)

  26. Schaller, A., Arul, T., van der Leest, V., Katzenbeisser, S.: Lightweight anti-counterfeiting solution for low-end commodity hardware using inherent PUFs. In: Holz, T., Ioannidis, S. (eds.) Trust 2014. LNCS, vol. 8564, pp. 83–100. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-08593-7_6

  27. Shoup, V.: Sequences of games: a tool for taming complexity in security proofs. IACR Cryptology ePrint Archive 2004, 332 (2004)

  28. Tebelmann, L., Pehl, M., Sigl, G.: EM side-channel analysis of BCH-based error correction for PUF-based key generation. In: Chang, C.-H., Rührmair, U., Zhang, W. (eds.) Proceedings of the 2017 Workshop on Attacks and Solutions in Hardware Security, ASHES@CCS 2017, Dallas, TX, USA, 3 November 2017, pp. 43–52. ACM (2017)

  29. Uyematsu, T., Iwata, K., Okamoto, E.: An efficient algorithm for enumerative coding. IEICE Trans. J80-A(3), 573–575 (1997)

  30. Yu, M.-D. (Mandel), M’Raïhi, D., Verbauwhede, I., Devadas, S.: A noise bifurcation architecture for linear additive physical functions. In: 2014 IEEE International Symposium on Hardware-Oriented Security and Trust, HOST 2014, pp. 124–129. IEEE Computer Society (2014)


Acknowledgements

We thank the anonymous referees, whose comments have helped us improve the presentation of the paper. This work was supported by Grant-in-Aid for Scientific Research (JP18H05289, JP18K11293, JP21H03395, JP22H03590).

Author information

Corresponding author

Correspondence to Yuichi Komano.


Appendices

A Related Works

We review the helper-data-free PUF-based authentication protocol Slender PUF as previous work on an authentication protocol using a noisy key. We then review a non-PUF-based authentication protocol that relates to our protocol.

Fig. 2. Improved Slender PUF [23].

A.1 Helper-Data-Free PUF-Based Authentication: Slender PUF

We first review Slender PUF, which was proposed by Majzoobi et al. [16]. Rostami et al. [23] then improved it to enhance the security against learning attacks (see Note 5) by adding circular operations such as \(\textsf{SubCirc}\) and \(\textsf{CircPad}\). In Slender PUF and its improvement, the device is assumed to include a PUF. The server is assumed to learn the model of the PUF during enrollment of the device and to store the model securely. Yu et al. [30] also proposed a variant of Slender PUF, which uses selected bits of the PUF output, instead of a circularly extracted substring, as the response.

Figure 2 shows the protocol of Rostami et al. [23]. In this figure, \(\textsf{TRNG}\), \(\textsf{CGEN}\), and \(\textsf{SPUF}\) are a true random number generator, a challenge generator, and a strong PUF with an L-bit output, respectively. \(\textsf{SubCirc}(\textbf{y}, i_1)\) is a function that extracts an m-bit substring \(\textbf{w}\) starting from the \(i_1\)-th bit of the L-bit PUF output \(\textbf{y}\), for an integer \(i_1 < L\) and the predetermined m. In \(\textsf{SubCirc}\), the L-bit PUF output is used in a circular manner. That is, if \(i_1+m > L\), the remainder of the substring is taken from the beginning of \(\textbf{y}\). \(\textsf{CircPad}(\textbf{w},i_2)\) is a function that pads the m-bit substring \(\textbf{w}\) with random bits to create an \(L'\)-bit string, where \(L' > m\). Specifically, \(\textsf{CircPad}\) generates an \(L'\)-bit string \(\textbf{a}'\) at random, replaces the substring of \(\textbf{a}'\) starting from its \(i_2\)-th bit with \(\textbf{w}\), and returns the resulting string as \(\textbf{a}\). In this process, the \(L'\)-bit string \(\textbf{a}'\) is used in a circular manner. That is, if \(i_2 + m > L'\), the remainder of the substring is taken from the beginning of \(\textbf{a}'\). \(\textsf{Predict}(\textbf{x})\) is a function that, for an input \(\textbf{x}\), returns \(\textsf{SPUF}(\textbf{x})\) computed from the trained PUF model. \(\epsilon \) is a prefixed threshold.

Because this protocol transmits raw (circularly extracted) bits of the PUF output, a PUF output cannot be reused without enabling forgery attacks that exploit previous responses. Hence, the protocol requires a strong PUF as a building block. Although we omit the details, the original Slender PUF [16] and the other variant [30] also require a strong PUF for similar reasons.
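The \(\textsf{SubCirc}\) and \(\textsf{CircPad}\) operations described above, implemented as an added example (Python written for this page, not the protocol's reference code). The server-side search over all \((i_1, i_2)\) placements with a Hamming-distance threshold \(\epsilon\), and the demo parameters, are assumptions; the device's live PUF output is modelled as the server's predicted output with a few flipped bits.

```python
# Added example (not from the paper): SubCirc / CircPad of Appendix A.1,
# plus a server-side search step that is an assumption here.
import random
import secrets
from typing import Callable, List, Optional, Tuple

Bits = List[int]


def sub_circ(y: Bits, i1: int, m: int) -> Bits:
    """SubCirc(y, i1): m-bit substring of the L-bit PUF output y from index i1.

    Circular: if i1 + m > L, the remainder is taken from the start of y."""
    L = len(y)
    if not (0 <= i1 < L and 0 < m <= L):
        raise ValueError("need 0 <= i1 < L and 0 < m <= L")
    return [y[(i1 + j) % L] for j in range(m)]


def circ_pad(w: Bits, i2: int, l_prime: int,
             randbit: Callable[[int], int] = secrets.randbits) -> Bits:
    """CircPad(w, i2): draw a random L'-bit a', overwrite it from index i2
    (circularly) with the m-bit w, and return the result a."""
    m = len(w)
    if not (0 <= i2 < l_prime and m < l_prime):
        raise ValueError("need 0 <= i2 < L' and m < L'")
    a = [randbit(1) for _ in range(l_prime)]          # a': random padding
    for j in range(m):
        a[(i2 + j) % l_prime] = w[j]
    return a


def hamming(u: Bits, v: Bits) -> int:
    return sum(x != y for x, y in zip(u, v))


def server_match(a: Bits, y_pred: Bits, m: int, eps: int) -> Optional[Tuple[int, int]]:
    """Assumed server step: with y_pred = Predict(x) from the PUF model, look
    for a placement (i1, i2) whose m-bit window of a differs from the model's
    substring in at most eps bits (eps absorbs PUF noise). None = reject."""
    L, l_prime = len(y_pred), len(a)
    for i2 in range(l_prime):
        w_recv = [a[(i2 + j) % l_prime] for j in range(m)]
        for i1 in range(L):
            if hamming(w_recv, sub_circ(y_pred, i1, m)) <= eps:
                return i1, i2
    return None


def demo(seed: int = 7, L: int = 128, m: int = 48, l_prime: int = 96,
         eps: int = 4, flips: int = 4) -> Tuple[bool, bool]:
    """Constructed run with a seeded RNG. The live PUF output differs from the
    server's model in `flips` bits. Returns (genuine device accepted,
    impostor with an unrelated PUF accepted)."""
    r = random.Random(seed)
    y_model = [r.getrandbits(1) for _ in range(L)]
    y_live = y_model[:]
    for pos in r.sample(range(L), flips):
        y_live[pos] ^= 1                          # PUF noise on the device
    i1, i2 = r.randrange(L), r.randrange(l_prime)
    a = circ_pad(sub_circ(y_live, i1, m), i2, l_prime, r.getrandbits)
    genuine = server_match(a, y_model, m, eps) is not None
    y_other = [r.getrandbits(1) for _ in range(L)]  # a different chip
    a_bad = circ_pad(sub_circ(y_other, i1, m), i2, l_prime, r.getrandbits)
    impostor = server_match(a_bad, y_model, m, eps) is not None
    return genuine, impostor
```

With these parameters the chance that some window of a random padding string lands within eps of some model substring is below 1e-5, which is why the impostor is rejected; shrinking m or raising eps quickly makes false accepts likely.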

A.2 Non-PUF-Based Authentication

Kiltz et al. [10] proposed a lightweight authentication protocol whose man-in-the-middle security follows from their secure MAC. Figure 3 shows the protocol that we refer to when constructing our protocol later. In this figure, \(\textbf{s}_{\downarrow \textbf{v}} \in \{0,1\}^l\) denotes, for \(\textbf{s}, \textbf{v} \in \{0,1\}^{2l}\) such that \(\textsf{hw}(\textbf{v})=l\), the l-bit string obtained by concatenating the (i-th) bits of \(\textbf{s}\) for which the corresponding (i-th) bit of \(\textbf{v}\) is 1. \(\textsf{Ber}_{\tau }\) denotes the Bernoulli distribution parameterized by \(\tau \in (0,1/2)\). \(\textbf{R}^{\textrm{T}}\) and \(\textsf{rank}(\textbf{R})\) denote the transpose and the rank of matrix \(\textbf{R}\), respectively.

In this protocol, the device and the server digitally share secret keys: a 2l-bit secret key \(\textbf{s}\) and functions \((\textsf{C}, h, \pi )\), where \(\textsf{C}\) is a public function from \(\mathbb {Z}_2^{\nu }\) to \(\mathbb {Z}_2^{2l}\) whose output satisfies both \(\textsf{hw}(\textsf{C}(\textbf{x})) = l\) and \(\textsf{hw}(\textsf{C}(\textbf{x}) \oplus \textsf{C}(\textbf{x}')) \ge 0.9 l\) for arbitrary inputs \(\textbf{x} \ne \textbf{x}'\), h is a secret pairwise independent permutation, and \(\pi \) is a secret permutation.

Fig. 3. 2-round lightweight device authentication based on \(\hbox {MAC}_1\) [10].

As in the figure, the device computes a response by adding a small amount of logical noise \(\textbf{e}\), chosen from the Bernoulli distribution, to the product of the matrix and secret vector. The server reproduces the response in a similar manner to the device, and accepts the device if the distance of these responses is small enough. Note that the noise makes it difficult for an adversary to recover the secret vector from the response. The scheme can be proven to be secure if the learning parity with noise (LPN, [2]) problem is hard.
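The noisy-response step just described, as an added example (Python written for this page, not Kiltz et al.'s code): the device returns \(\textbf{R} \cdot \textbf{s}_{\downarrow \textbf{v}} \oplus \textbf{e}\) with \(\textbf{e}\) drawn from \(\textsf{Ber}_{\tau}\), and the server accepts when the Hamming distance to its own recomputation is small. The acceptance threshold \(n(1/4 + \tau/2)\), the rank check and the sampled parameters are assumptions; the functions \(\textsf{C}\), h and \(\pi\) of the full protocol are not modelled.

```python
# Added example (not the paper's or Kiltz et al.'s code): the noisy
# response and distance-based acceptance described in Appendix A.2.
import random
from typing import List, Tuple

Bits = List[int]


def select(s: Bits, v: Bits) -> Bits:
    """s_{down v}: the bits of s at the positions where v is 1, in order."""
    if len(s) != len(v):
        raise ValueError("s and v must have the same length")
    return [si for si, vi in zip(s, v) if vi == 1]


def matvec_gf2(R: List[Bits], x: Bits) -> Bits:
    """R . x over GF(2): each output bit is the parity of <row, x>."""
    return [sum(r & xi for r, xi in zip(row, x)) & 1 for row in R]


def rank_gf2(R: List[Bits]) -> int:
    """rank(R) over GF(2) by Gaussian elimination on row bitmasks."""
    rows = [int("".join(map(str, row)), 2) for row in R]
    rank = 0
    for bit in reversed(range(len(R[0]) if R else 0)):
        pivot = next((i for i in range(rank, len(rows)) if rows[i] >> bit & 1), None)
        if pivot is None:
            continue
        rows[rank], rows[pivot] = rows[pivot], rows[rank]
        for i in range(len(rows)):
            if i != rank and rows[i] >> bit & 1:
                rows[i] ^= rows[rank]
        rank += 1
    return rank


def device_response(R: List[Bits], s: Bits, v: Bits, tau: float, rng: random.Random) -> Bits:
    """z = R . s_v XOR e, with each e_i ~ Ber_tau (the LPN-style noise)."""
    e = [1 if rng.random() < tau else 0 for _ in R]
    return [zi ^ ei for zi, ei in zip(matvec_gf2(R, select(s, v)), e)]


def server_accepts(R: List[Bits], s: Bits, v: Bits, z: Bits, threshold: int) -> bool:
    """Recompute R . s_v and accept iff its Hamming distance to z is small."""
    expected = matvec_gf2(R, select(s, v))
    return sum(a != b for a, b in zip(expected, z)) <= threshold


def demo(seed: int = 3, l: int = 64, n: int = 256, tau: float = 1 / 8) -> Tuple[bool, bool, bool]:
    """Constructed run with a seeded RNG. Returns (genuine accepted,
    impostor with an unrelated key accepted, R has full rank l)."""
    rng = random.Random(seed)
    s = [rng.getrandbits(1) for _ in range(2 * l)]
    v = [0] * (2 * l)                     # hw(v) = l: l positions chosen at random
    for pos in rng.sample(range(2 * l), l):
        v[pos] = 1
    R = [[rng.getrandbits(1) for _ in range(l)] for _ in range(n)]
    # Assumed threshold n*(1/4 + tau/2): sits between the expected noise
    # weight n*tau and the ~n/2 mismatches a wrong key produces.
    threshold = int(n * (1 / 4 + tau / 2))
    z = device_response(R, s, v, tau, rng)
    s_bad = [rng.getrandbits(1) for _ in range(2 * l)]   # unrelated key
    z_bad = device_response(R, s_bad, v, tau, rng)
    return (server_accepts(R, s, v, z, threshold),
            server_accepts(R, s, v, z_bad, threshold),
            rank_gf2(R) == l)
```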

B Proof Sketch of Theorem 1

In this appendix, we give a sketch of the security proof for our protocol.

Sketch of Proof: We give a proof by contradiction. Namely, we show that if an adversary \(\mathcal {A}\) against our protocol exists, then we can construct a reduction \(\mathcal {B}\) that, by using \(\mathcal {A}\) as a subroutine, breaks the linear unpredictability of the underlying PUF.

\(\mathcal {A}\) is an adversary who forges a response of the authentication protocol. \(\mathcal {A}\) makes queries to a random oracle \(O_H\) and an authentication oracle \(O_A\), and then asks \(\mathcal {B}\) to send it a challenge \(\textbf{a}^{*}\). After that, \(\mathcal {A}\) continues to make queries to the above two oracles, and finally outputs a forged response \((\textbf{b}^{*}, \textbf{z}^{*})\) for \(\textbf{a}^{*}\). Note that \(\mathcal {A}\) is not allowed to output a pair \(( \textbf{b}^{*}, \textbf{z}^{*})\) that \(O_A\) returned for the query \(\textbf{a}^*\).

\(\mathcal {B}\) interacts with \(\mathcal {A}\) to break the linear unpredictability of the PUF. \(\mathcal {B}\) is allowed to access the PUF oracle \(O_P\) to obtain the XOR of PUF outputs with positions indicating the output bits to be XORed. With the replies of \(O_P\), \(\mathcal {B}\) simulates \(O_H\) and \(O_A\) in order for \(\mathcal {A}\) to work correctly. If \(\mathcal {B}\) succeeds, \(\mathcal {B}\) can obtain a forgery from \(\mathcal {A}\), and, with this forgery, \(\mathcal {B}\) tries to break the underlying assumption of the PUF.

The proof uses the game hopping technique [27] with four steps from \(\textsf{Game}_0\) (original game for \(\mathcal {A}\) to break the authentication protocol) to \(\textsf{Game}_{4}\) (where \(\mathcal {B}\) breaks the assumption) below. In each game, \(\mathcal {B}\) interacts with \(\mathcal {A}\) to receive a forged response. Here, \(\textsf{S}_i\) denotes an event where \(\mathcal {B}\) receives a forgery that passes the verification from \(\mathcal {A}\) in \(\textsf{Game}_i\) (\(i \in [0,4]\)).

Overview of Games:

In the proof, we consider five games.

\(\textsf{Game}_0\) is the original (real) game, where \(\mathcal {A}\) tries to break the security of our authentication protocol. Note that in the random oracle model we assume that H is a random oracle. That is, \(\mathcal {A}\) obtains the output of H not from a computation, but from a query to the oracle \(O_H\) outside of \(\mathcal {A}\).

In \(\textsf{Game}_1\), we modify the entity that invokes the PUF. In \(\textsf{Game}_0\), \(\mathcal {B}\) (which interacts with \(\mathcal {A}\)) invokes the PUF by itself. However, because our proof goal is to construct a \(\mathcal {B}\) that breaks the security assumption of a PUF located outside of \(\mathcal {B}\), we let \(\mathcal {B}\) obtain the PUF output from \(O_P\) rather than invoking the PUF itself.

In \(\textsf{Game}_2\), we modify \(\mathcal {A}\) so that it asks \(O_H\) about \(H(\textbf{a}^{*}, \textbf{b}^{*},i)\) for the forgery \((\textbf{a}^{*}, \textbf{b}^{*}, \textbf{z}^{*} )\) in advance.

\(\textsf{Game}_3\) and \(\textsf{Game}_4\) are the main parts of this proof. In these games, \(\mathcal {B}\) tries to distinguish the real world from the random one by using \(\mathcal {A}\) as a subroutine.

The basic strategy for constructing \(\mathcal {B}\) is as follows. From the challenger \(\mathcal {C}\), \(\mathcal {B}\) receives \(\{(\widetilde{p}_{i,1}, \cdots , \widetilde{p}_{i,l}, \widetilde{z}_i)\}\) as an instance. Consider the case where \(\mathcal {B}\) receives from \(\mathcal {A}\) a forged response \((\textbf{b}^{*}, \textbf{z}^{*})\) corresponding to \(\{(\widetilde{p}_{i,1}, \cdots , \widetilde{p}_{i,l})\}\). If \(c=1\), then \(z_i^{*}\) is expected to equal \(\widetilde{z}_i\) for at least k indices i. However, if \(c=0\), because the \(\widetilde{z}_i\)'s are random and independent of the PUF outputs, \(z_i^{*}\) equals \(\widetilde{z}_i\) for only about n/2 indices i. Hence, \(\mathcal {B}\) can distinguish the two worlds by checking whether the number of equalities \(\{z_i^{*} = \widetilde{z}_i\}\) reaches the threshold k or not.

To make \(\mathcal {A}\) output a forged response corresponding to \(\{(\widetilde{p}_{i,1}, \cdots , \widetilde{p}_{i,l})\}_i\), \(\mathcal {B}\) needs to embed the instance in its simulation of the answers of \(O_H\). In \(\textsf{Game}_3\), \(\mathcal {B}\) decides on which queries to \(O_H\) it embeds them. To do so, \(\mathcal {B}\) looks for queries from \(\mathcal {A}\) to \(O_H\) of the form \((\textbf{a}^{*}, \textbf{b}^{*}, *)\). Note that \(\mathcal {A}\) is a black-box adversary and may query \((\textbf{a}^{*}, \textbf{b}^{*}, 1), (\textbf{a}^{*}, \textbf{b}^{*}, 2), \cdots \) not sequentially but in random order. Therefore, at step 10(b) in \(\textsf{Game}_3\), \(\mathcal {B}\) also checks whether the query is the first one on \((\textbf{a}^{*}, \textbf{b}^{*})\).

Finally, in \(\textsf{Game}_4\), we let \(\mathcal {B}\) distinguish the worlds by a threshold k.

Probability Estimation: From the above discussion,

$$\begin{aligned} \epsilon ' &= |\Pr [c'=1 \mid c=1] - \Pr [c'=1 \mid c=0]| \\ &\ge \Pr [\textsf{S}_4 \mid c=1] - \Pr [\textsf{Bad}_2] \\ &= \Pr [\textsf{S}_3] - \Pr [\textsf{Bad}_2] \\ &\ge \frac{1}{q_h + n q_a}\Pr [\textsf{S}_2] - \Pr [\textsf{Bad}_2] \\ &\ge \frac{1}{q_h + n q_a} \left( \Pr [\textsf{S}_0] - \Pr [\textsf{Bad}_1] \right) - \Pr [\textsf{Bad}_2] \\ &= \frac{1}{q_h + n q_a} \left( \epsilon - \Pr [\textsf{Bad}_1]\right) - \Pr [\textsf{Bad}_2] \\ &\ge \frac{1}{q_h + n q_a}\epsilon - \frac{1}{2^{k_b}} - \sum _{i= k}^{n} \frac{\binom{n}{i}}{2^{i}} \end{aligned}$$

holds, where \(\textsf{Bad}_i\) denotes an event where \(\mathcal {A}\)’s views are different between \(\textsf{Game}_{i-1}\) and \(\textsf{Game}_i\). \(\square \)


Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG


Cite this paper

Komano, Y., Iwamoto, M., Ohta, K., Sakiyama, K. (2023). Lightweight Authentication Using Noisy Key Derived from Physically Unclonable Function. In: Bella, G., Doinea, M., Janicke, H. (eds) Innovative Security Solutions for Information Technology and Communications. SecITC 2022. Lecture Notes in Computer Science, vol 13809. Springer, Cham. https://doi.org/10.1007/978-3-031-32636-3_12


  • DOI: https://doi.org/10.1007/978-3-031-32636-3_12


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-32635-6

  • Online ISBN: 978-3-031-32636-3
