Secure and Private, yet Lightweight, Authentication for the IoT via PUF and CBKA

Abstract

The Internet of Things (IoT) is boon and bane. It offers great potential for new business models and ecosystems, but raises major security and privacy concerns. Because many IoT systems collect, process, and store personal data, a secure and privacy-preserving identity management is of utmost significance. Yet, strong resource limitations of IoT devices render resource-hungry public-key cryptography infeasible. Additionally, the security model of IoT enforces solutions to work under memory-leakage attacks. Existing constructions address either the privacy issue or the lightweightness, but not both. Our work contributes towards bridging this gap by combining physically unclonable functions (PUFs) and channel-based key agreement (CBKA): (i) We show a flaw in a PUF-based authentication protocol, when outsider chosen perturbation security cannot be guaranteed. (ii) We present a solution to this flaw by introducing CBKA with an improved definition. (iii) We propose a provably secure and lightweight authentication protocol by combining PUFs and CBKA.

Appendices

A Security Proof

We use the proof provided by the work of Moriyama [29] and Aysu et al. [6] as a basis for our proof. The proof for Theorem 1 is as follows.

Proof

The adversary \(\mathcal {A}\) wants the verifier \(\mathcal {V}\) or the prover \(\mathcal {P}\) to accept the session while the communication is altered by the adversary. We concentrate only on the former case, as the verifier authentication is quite similar to that of the prover. We consider the following game transformations. Let \(S_i\) be the advantage that the adversary wins the game in Game i.

• Game 0. This is the original game between the challenger and the adversary.

• Game 1. The challenger randomly guesses the device \(dev^*\) with PUF \(f_{i^*}(\cdot )\), where \(i^* \xleftarrow {\textstyle \mathsf {{\scriptstyle U}}} \{1 \le i \le n\}\). If the adversary cannot impersonate \(dev^*\) to the verifier, the challenger aborts the game.

• Game 2. Assume that \(\ell \) is the upper bound of the sessions that the adversary can establish in the game. For \(1 \le j \le \ell \), we evaluate or change the variables related to the session between the verifier and \(dev^*\) up to the \(\ell \)-th session as the following.

  • Game 2- j -1. The challenger evaluates the output from the channel measurement and quantization of the CBKA algorithm implemented in \(dev^*\) at the j-th session. If the output does not have enough min-entropy \(m_Q\) or requirements for channel observations are violated, then the challenger aborts the game.

  • Game 2- j -2. The output from the information reconciliation procedure (\(r_\mathcal {P}\)) is changed to a random variable.

  • Game 2- j -3. The output from the privacy amplification procedure (sk) is changed to a random variable.

  • Game 2- j -4. The challenger evaluates the output from the PUF implemented in \(dev^*\) at the j-th session. If the output does not have enough min-entropy m or requirements for intra-distance and inter-distance are violated, then the challenger aborts the game.

  • Game 2- j -5. The output from the fuzzy extractor (\(r_1\)) is changed to a random variable.

  • Game 2- j -6. The output from the PRF \(\mathcal {G}(r_1, \cdot )\) is derived from a truly random function in this game.

  • Game 2- j -7. We change the PRF \(\mathcal {G}(r_{old}, \cdot )\) to a truly random function.

  • Game 2- j -8. We change the XORed output \(u_1 := s_2 \oplus z_2\) to randomly chosen \(u_1 \xleftarrow {\textstyle \mathsf {{\scriptstyle U}}} \{0,1\}^k\).

  • Game 2- j -9. The output from the PRF \(\mathcal {G'}(s_3, \cdot )\) is derived from a truly random function in this game.

If the common source of randomness generates enough min-entropy, then the CBKA algorithm can output strings statistically close to uniform. Furthermore, if the PUF, that is equipped on the device generates enough min-entropy, then the fuzzy extractor can output strings statistically close to uniform. We then can set these strings as the seed for the PRF and the verifier and the prover share a common secret. So we can construct the challenge response authentication protocol with secure key update.

Lemma 1

\(S_0 = n \cdot S_1\) (where n is the number of devices, i.e. provers).

Proof

If the adversary wins the game, there is at least one session which the verifier or prover accepts while the communication is modified by the adversary. Since the challenger randomly selects the session, the probability that the session is correctly guessed by the challenger is at least \(1{\slash }n\).

Lemma 2

\(|S_1 - S_{2-1-1}| \le \epsilon \) and \(|S_{2-(j-1)-9} - S_{2-j-1}| \le \epsilon \) for any \(2 \le j \le \ell \) if the CBKA algorithm is secure as required in Theorem 1.

Proof

Here, the output of the channel measurement and quantization of the CBKA algorithm has enough min-entropy and is independent from the other outputs except with negligible probability \(\epsilon \). If so, then there is no difference between these games. The property of CBKA assumed here says that even if the input to channel measurement and quantization of the CBKA algorithm is published, i.e. the authentic common randomness, the output derived from the input keeps the sufficient min-entropy property, and therefore each output is uncorrelated. Hence, the reveal query issued by the adversary is random looking by the assumption of this property.

Lemma 3

\(|S_{2-j-1} - S_{2-j-2}| \le \epsilon \) for any \(2 \le j \le \ell \) if the \(\mathsf {CBKA.IR}\) is an information reconciliation in a \((m_Q, m_{IR},t,n,\ell ,\epsilon )\)-channel-based key agreement.

Proof

Since we assumed that, always, the output from the quantization of the CBKA algorithm has enough min-entropy, the output of the information reconciliation procedure of the CBKA algorithm has enough min-entropy and is independent from the other outputs except with negligible probability \(\epsilon \). This is given by the security property of information reconciliation.

Lemma 4

\(|S_{2-j-2} - S_{2-j-3}| \le \epsilon \) for any \(2 \le j \le \ell \) if the \(\mathsf {CBKA.PA}\) is a privacy amplification in a \((m_Q, m_{IR},t,n,\ell ,\epsilon )\)-channel-based key agreement.

Proof

Since we assumed that, always, the output from the information reconciliation procedure of the CBKA algorithm has enough min-entropy, it is clear that no adversary can distinguish these games due to the randomization property of privacy amplification, meaning privacy amplification guarantees that its output is statistically close to random. This is given by the security property of privacy amplification.

Lemma 5

\(|S_{2-j-3} - S_{2-j-4}| \le \epsilon \le j \le \ell \) if f is a secure PUF as required in Theorem 1.

Proof

Here, the PUF’s output has enough min-entropy and is independent from the other outputs except with negligible probability \(\epsilon \). If so, then there is no difference between these games. The property of the PUF assumed here says that even if the input to the PUF is published, the output derived from the input keeps the sufficient min-entropy property, and therefore each output is uncorrelated. Hence, the reveal query issued by the adversary is random looking by the assumption of this property.

Lemma 6

\(|S_{2-j-4} - S_{2-j-5}| \le \epsilon \) for any \(2 \le j \le \ell \) if the \(\mathsf {FE}\) is a (\(m, \ell , t, \epsilon \))-fuzzy extractor.

Proof

Since we assumed that, always, the output from the PUF has enough min-entropy, it is clear that no adversary can distinguish these games due to the randomization property of the fuzzy extractor, meaning the fuzzy extractor guarantees that its output is statistically close to random.

Lemma 7

\(\forall 1 \le j \le \ell \), \(|S_{2-j-5} - S_{2-j-6}| \le \mathsf {Adv}^{\mathsf {PRF}}_{\mathcal {G,B}}(k)\) where \(\mathsf {Adv}^{\mathsf {PRF}}_{\mathcal {G,B}}(k)\) is an advantage of \(\mathcal {B}\) to break the security of the PRF \(\mathcal {G}\).

Proof

If there is a difference between these games, we construct an algorithm \(\mathcal {B}\) which breaks the security or PRF \(\mathcal {G}\). \(\mathcal {B}\) can access the real PRF \(\mathcal {G}(r_1, \cdot )\) or truly random function \(\mathsf {RF}\). \(\mathcal {B}\) sets up all secret keys and simulates our protocol except the n-th session. When the adversary invokes the n-th session, \(\mathcal {B}\) sends \(m_1 \xleftarrow {\textstyle \mathsf {{\scriptstyle U}}} \{0,1\}^k\) as the output of the verifier. When \(\mathcal {A}\) sends \(m^*_1\) to a device \(dev_i\), \(\mathcal {B}\) selects \(m_2\) and issues \(m^*_1 || m_2\) to the oracle instead of the normal computation of \(\mathcal {G}\). Upon receiving (\(s_1, \dots , s_4\)), \(\mathcal {B}\) continues the computation as the protocol specification and outputs (\(c, m_2, s_1, u_1, v_1\)) as the prover’s response. When the adversary sends (\(m^*_2, s^*_1, u^*_1, v^*_1\)), \(\mathcal {B}\) issues \(m_1 || m^*_2\) to the oracle and obtains (\(s'_1, \dots , s'_6\)).

If \(\mathcal {B}\) accesses the real PRF, this simulation is equivalent to Game 2-j-5. Otherwise, the oracle query issued by \(\mathcal {B}\) is completely random and this distribution is equivalent to Game 2-j-6. Thus we have \(|S_{2-j-5} - S_{2-j-6}| \le \mathsf {Adv}^{\mathsf {PRF}}_{\mathcal {G,B}}(k)\).

Lemma 8

\(\forall 1 \le j \le \ell \), \(|S_{2-j-6} - S_{2-j-7}| \le \mathsf {Adv}^{\mathsf {PRF}}_{\mathcal {G,B}}(k)\).

Proof

The proof is as the proof for Lemma 7.

Lemma 9

\(\forall 1 \le j \le \ell \), \(S_{2-j-7} = S_{2-j-8}\).

Proof

Since the PRF \(\mathcal {G}(r_1, \cdot )\) is already changed to the truly random function in Game 2-j-7, \(s_2\) is used as effectively one-time pad to encrypt \(z'_2\). Therefore this transformation is purely conceptual change and the output distributions of these games are information theoretically equivalent.

Lemma 10

\(\forall 1 \le j \le \ell \), \(|S_{2-j-8} - S_{2-j-9}| \le 2 \cdot \mathsf {Adv}^{\mathsf {PRF}}_{\mathcal {G',B'}}(k)\).

Proof

We can think that the seed input to the PRF \(\mathcal {G'}\) is changed to the random variable from the previous games. Consider an algorithm \(\mathcal {B}\) which interacts with PRF \(\mathcal {G'}(s_3, \cdot )\) or random function \(\mathsf {RF}\). As in the proof for Lemma 7, \(\mathcal {B}\) simulates the protocol as the challenger up to the n-th session. \(\mathcal {B}\) generates (\(c, u_1\)) and issues \(c || u_1\) to the oracle. \(\mathcal {B}\) generates the other variables as in the previous game and sends \((c, m_2, s_1, u_1, v_1)\) as the prover’s output after it obtains \(v_1\) from the oracle. If the verifier receives \((c^*, m^*_2, s^*_1, u^*_1, v^*_1)\), \(\mathcal {B}\) checks that \((c^*, m^*_2, s_1^*) = (c, m_2, s_1)\). If so, \(\mathcal {B}\) issues \(c^* || m^*_2 || u^*_1\) to the oracle to check whether its response is identical to \(v^*_1\).

If \(\mathcal {B}\) accesses the real PRF, this simulation is equivalent to Game 2-j-8. Otherwise, \(\mathcal {B}\)’s simulation is identical to Game 2-j-9. Thus the difference between these games are bounded by the security of PRF \(\mathcal {G'}\).

Since the above game transformation is bounded by certain assumptions; i.e. for PUF, fuzzy extractor and PRFs, we can transform Game 0 to Game 2-\(\ell \)-9. Considering Game 2-\(\ell \)-9 there is no advantage for the adversary to impersonate the prover. Consider the case that the server accepts the session which is not actually derived the prover. Assume that the adversary obtains \((c, m_2, s_1, u_1, v_1)\) from the prover. To mount the man-in-the-middle attack, the adversary must modify at least one of these variables.

Even when the adversary issues the reveal query and obtains \(y_1\) before the session, he cannot predict the response \(z_1\). Since sk is generated after he can issue his reveal query, the session key remains secret and so hd remains encrypted. When the adversary modifies \(m_2\), the probability that the adversary wins the security game is negligible since \(s_1\) is chosen from the truly random function. If \(m_2\) is not changed, the verifier only accepts \(s_1\) since it is deterministically defined by \(m_1\) chosen by the verifier and \(m_2\). The first verification is passed only when the adversary reuses \((c, m_2, s_1)\), but \(v_1\) is also derived from another random function. Thus the adversary cannot guess it and any modified message is rejected except with negligible probability. The same argument also applies to the verifier authentication, because the prover checks the verifier with the outputs from \(\mathcal {G}\) and \(\mathcal {G'}\). Therefore, any adversary cannot mount the man-in-the-middle attack in our protocol and we finally have

$$\begin{aligned} \mathsf {Adv}^{\mathsf {Sec}}_{\varPi , \mathcal {A}}(1^k) \le \frac{1}{2 \ell n} \cdot \left( \mathsf {Adv}^{\mathsf {PRF}}_{\mathcal {G,B}}(1^k) + \mathsf {Adv}^{\mathsf {PRF}}_{\mathcal {G',B'}}(1^k) \right) + \epsilon \end{aligned}$$

if the PUF and fuzzy extractor holds its properties.

B Privacy Proof

Again, we use the proof provided by the work of Moriyama [29] and Aysu et al. [6] as a basis for our proof. The proof for Theorem 2 is as follows.

Proof

The proof we provide here is similar to that for Theorem 1. However, we remark that it is important to assume that our protocol satisfies security as in Theorem 1 first for privacy to hold. The reason is that if the security is broken and a malicious adversary successfully impersonates device \(dev^*_0\), the verifier will update the secret key that is not derived by the prover any more. So the verifier does not accept this prover after the attack and the adversary easily distinguishes the prover in the privacy game. Even if the adversary honestly transmits the communication message between \(\mathcal {I}(dev^*_0)\) and the verifier in the challenge phase, the authentication result is always 0 and the adversary can realize which prover is selected as the challenge prover.

We modify Game 1 such that the challenger guesses two provers which will be chosen by the adversary in the privacy game. This probability that is at least \(1 / n^2\), and, then, we can continue the game transformation. After that, the game transformation described in Game 2 is applied to the sessions related to \(dev^*_0\) and \(dev^*_1\). Then the communication message \((c,m_2, s_1, u_1, v_1)\) and \((s'_4)\) are changed to random variables. Even if the adversary can obtain the secret key of the prover within the privacy game, input to the PUF and helper data used in the challenge phase are independent from choices in the other phases. The re-synchronization allows this separation and new values are always random. Therefore, there is no information against which the adversary can distinguish the challenge prover in the privacy game, and we get:

$$\begin{aligned} \mathsf {Adv}^{\mathsf {IND^*}}_{\varPi , \mathcal {A}}(1^k) \le \mathsf {Adv}^{\mathsf {Sec}}_{\varPi , \mathcal {A'}}(1^k) + \frac{1}{4 \ell n^2} \cdot \left( \mathsf {Adv}^{\mathsf {PRF}}_{\mathcal {G,B}}(1^k) + \mathsf {Adv}^{\mathsf {PRF}}_{\mathcal {G',B'}}(1^k) \right) + \epsilon \end{aligned}$$

for some algorithm \((\mathcal {A'}, \mathcal {B}, \mathcal {B'})\) derived from the games.