PUF-Based Token

In this section we show how to make astrong authentication tokenbased on PUF CRPs. We first show how the whole measurement setup of an optical PUF can be shrunk to a small integrated package that fits inside a token. Then we present a backwards-secure authentication protocol for uncontrolled PUFs.

Finally we discuss more-advanced authentication methods using CPUFs.

142 P. Tuyls, B. ˇSkori´c

10.6.1 Integrated Optical PUF

The token contains an optical PUF, a coherent light source, a challenge selec-tion mechanism, a detector and electronics for processing and communicaselec-tion.

In [2] a system with multiple lasers was proposed. Here we describe a more efficient integrated system containing only one laser (see Fig. 10.2). The com-plementary metal oxide semiconductor (CMOS) sensor has detector pixels as well as switchable display pixels. The display pixels are used to locally switch the liquid crystal (LC) layer between two phase rotation states, e.g., no rotation and 45^◦ rotation. The configuration of the display pixels forms a challenge. The optical PUF is situated in the top layer. The laser light enter-ing the PUF is scattered downward. There it may directly enter a detector pixel. Alternatively, it hits a display pixel, where it partly gets absorbed, and partly scatters with a phase rotation depending on the LC state. Part of the scattered light will eventually reach a detector pixel, possibly after a number of scatterings in the PUF or at other display pixels. At each detector pixel all contributions from the various scattering paths are added coherently. The configuration of the display pixels significantly influences the image recorded by the detector.

It is important to know the number ofindependentCRPs (see Sect. 10.5).

Ordinarily, this number follows from the physical properties of the PUF.

For the integrated PUF, however, the fixed measurement geometry puts con-straints on the number of challenges that can be applied. We make an estimate based on the linearity of the Maxwell equations in a linear optical medium.

We neglect scattering events where more than one display pixel is visited.

This is a good approximation, since these events are far less likely than most paths containing zero or one display pixel visit. In this approximation, we can view the display pixels as (highly complicated) light sources in their own right which emit light in two states. Due to the linearity of the medium, the com-plex amplitude of the light hitting the camera is the sum of all the amplitudes generated by the light sources separately. We denote the number of display pixels as N_pix, the intensity at detector pixel j as I_j, and the amplitude at detectorjoriginating from light sourceαin states_αasA_jα(s_α). The intensity registered by the camera is

Ij({sα}) =

N_pix

α=1

Ajα(sα)

2

=

N_pix

α=1

|Ajα(sα)|²+ 2

α>β

ReAjα(sα)A^∗_jβ(sβ).

(10.1) Hence, if one knows all the speckle patterns generated by one or two light sources, then one can compute the response to an arbitrary challenge. If the PUF contains enough randomness and scatters strongly enough, then each term is independent of the other terms. The number of possible configura-tions of one or two sources follows from (10.1). The first summation hasN_pix terms. Multiplying by 2 (for the possible states_αof the source) gives the num-ber of possible configurations of a single source. The second summation has

10 Strong Authentication with Physical Unclonable Functions 143

1

2N_pix(N_pix−1) terms. Multiplying by 4 (for the statess_α, s_β) gives the num-ber of configurations of two sources. Added together, the numnum-ber of possible one- or two-source configurations is 2N_pix+ 4·¹₂N_pix(N_pix−1) = 2N_pix² . We conclude that, in a linear medium, the number of independent CRPs scales as N_pix² . Hence, no matter how strong the PUF, a 1000-pixel configuration cannot yield more thanO(10⁶) independent challenges.

Of course, in a nonlinear medium the superposition rule does not apply, and the number of independent CRPs is expected to grow faster thanN_pix² .

CMOS sensor/display display pixel sensor pixel

laser

PUF LC layer cover layer

Fig. 10.2. Integrated system containing a laser, an optical PUF, switchable LC pixels for applying challenges, and a camera.

10.6.2 Authentication Protocol for an Uncontrolled PUF

We present a CRP-based protocol for authentication and session key estab-lishment. The PUF is unprotected and fastened to a carrier such as a credit card. The carrier also has a small amount of rewritable nonvolatile memory.

The holder of the PUF (the user) has to prove to the verifier (the bank) that he possesses the PUF. To this end he inserts the PUF in a reader e.g.

automated telling machine (ATM) which communicates with the bank.

Attack Model

• The enrolment procedure and the bank’s database are secure.

• The attacker cannot see the challenges and responses at the ATM side.

• The ATM↔bank channel is not secure. An attacker records all messages.

• The attacker gets hold of the user’s PUF for a short time without being noticed. He has time to measure a limited number of CRPs. Using these CRPs he tries to impersonate the user or to decrypt past messages.

Enrolment

For a number of PUFs the bank performs the following procedure:

• Assign an identifier ID_PUFto the PUF.

• Generate a random stringx.

144 P. Tuyls, B. ˇSkori´c

Bank ATM + PUF

IDPUF, n',m', {C,W,S'}

E&MACK1'(α,C,W,β)

Check MAC.

Measure PUF response and extract bitstringS.

K=h(K₁,S).

MACK(β) Check MAC.

UseKas session key α^{,n, ID}PUF

K'=h(K1',S').

Checkn≥n'.

Compute M=h^n-n’(m').

K1'=h(m, IDPUF).

Randomly select challengeC.

Generate random β^.

n→n+1,m→h(m).

n'→n+1,m'→h(M).

Remove Cfrom database.

IDPUF,n,m=hⁿ(x)

K1=h(m, IDPUF).

Generate random α.

Fig. 10.3.Backwards-secure authentication protocol based on CRPs.

• Generate a set of random challengesC_i. For each challenge, choose a secret S_i at random, and generate helper dataW_i.

• Store ID_PUF,n= 0, and m=xin the token memory.

• Coupled to ID_PUFstoren= 0,m=x, and{C_i, W_i, S_i} in a database.

When a user account is opened, the user receives one of the enrolled PUF tokens, and the corresponding PUF identifier is coupled to his account.

Authentication

The user inserts his PUF token in an ATM and authenticates himself to the bank as follows.

• ATM: reads the token memory and generates a random nonceα. Sendsα, ID_PUF,nto the bank.

• Bank: checks if n≥n. If not, it generates an error message and aborts.

ComputesM =hⁿ⁻ⁿ(m) and K₁ =h(M,ID_PUF). Here his a one-way function. Generates a random nonceβ. Selects a random CRPj from the database, coupled to ID_PUF. Sends E₁= E&MAC_K

1(α, C_j, W_j, β) to the ATM (E&MAC_κ denotes encryption and MAC with keyκ).

• ATM: computes K₁ = h(m,ID_PUF). Decrypts E₁ with the key K₁ and checks the MAC. If the MAC is wrong or the decryptedαis wrong, the protocol is aborted with an error message. The ATM usesCj to challenge the PUF. Converts the PUF response to a bitstring Sj using the helper dataW_j. ComputesK=h(K₁, S_j). SendsE₂= MAC_K(β) to the bank.

• Bank: computes K =h(K₁, S_j). Checks the MAC E₂ using the keyK. If the check fails, it aborts with an error message.

• Bank and ATM: useK=K as a session key. Complete the transaction.

• ATM: modifiesn→n+ 1 and m→h(m) in the token memory.

10 Strong Authentication with Physical Unclonable Functions 145

• Bank: modifiesn→n+ 1 andm→h(M) in the database. Removes the j’th CRP from the database.

Properties of the Protocol

• There are no public key operations. The most resource-intensive operations are hashing and symmetric encryptions/decryptions.

• The protocol is backwards-secure. Intuitively the argument goes as follows.

Suppose an attacker records all communications, and then gets hold of a token long enough to read ID_PUF, n and m_n = hⁿ(x) and to measure some CRPs. In order to reconstruct the previous session key K, he has to measure the response to the previous challenge C. To obtain C he has to reconstruct the keyK₁. However,K₁ was derived fromhⁿ⁻¹(x) = h⁻¹(mn). Hence he is forced to invert the hash function.

• With each authentication session, the bank’s list of usable CRPs shrinks.

In order to prevent it from shrinking to zero, one can use a replenishment protocol [8]. Before the database gets empty, a successful authentication session can be used to let the bank query the PUF and store the responses.

• The security is broken if the attacker can see what happens inside the ATM, i.e., if he can hack it or replace it with his own fake ATM.

10.6.3 Authentication Token Based on a Controlled PUF

Much stronger authentication is achievable if the PUF in the token is a con-trolled one. In the simplest case, the protocol of Sect. 10.6.2 can be used.

The CPUF computes all the hashes and encryptions/decryptions itself, and uses the ATM as a simple conduit for the messages. Hence, the ATM does not have to be trusted any more. A more sophisticated use of the POK(s) inside the CPUF is to employ asymmetric cryptography. As will be explained below, one advantage is that the bank no longer needs to maintain a CRP database for each PUF. Another advantage is that the authenticity of the CPUF can be verified by anyone, not just the bank. In [20] it was shown that the measurement processing for a coating PUF and the cryptography for a Schnorr zero-knowledge (ZK) protocol can be realized in surprisingly little hardware: 5 kilogates in total. This means that it can be implemented on an RFID tag. Hence, it is possible to make an unclonable RFID tag with strong ZK authentication.

Enrolment

The enroller (a TA) selects a random PUF challenge C for a CPUF with identifier i. The challenge is fed into the CPUF. The CPUF transforms the response into a bitstring, which it treats as an asymmetric private key S.

Then the CPUF generates the corresponding public key P and outputs P. The TA creates a certificate, signed with his own private key, stating that the CPUF with identifierihas public keyP associated with the challengeC. The certificate is stored in/on the CPUF.

146 P. Tuyls, B. ˇSkori´c Authentication

The verifier obtains the certificate from the CPUF. He checks the signature using the TA’s public key. If the signature is invalid, the authentication fails.

Then he sends C to the CPUF. Finally he runs the interactive ZK protocol with the CPUF [20], where the CPUF has to prove its knowledge of the PUF-based secretS associated with the challenge Cand the public keyP. Remarks

In contrast to CPUF protocols based on symmetric cryptography, there is no bootstrapping mode [10]: the private key is never revealed to the outside world. Note that the computation of the public key inside the CPUF requires one exponentiation. Any CPUF capable of running a Schnorr ZK protocol is capable of performing this operation.