    Low-complexity and Reliable Transforms for Physical Unclonable Functions

    Noisy measurements of a physical unclonable function (PUF) are used to store secret keys with reliability, security, privacy, and complexity constraints. A new set of low-complexity and orthogonal transforms with no multiplication is proposed to obtain bit-error probability results significantly better than all methods previously proposed for key binding with PUFs. The uniqueness and security performance of a transform selected from the proposed set is shown to be close to optimal. An error-correction code with a low-complexity decoder and a high code rate is shown to provide a block-error probability significantly smaller than provided by previously proposed codes with the same or smaller code rates.
    Comment: To appear in IEEE International Conference on Acoustics, Speech, and Signal Processing 202

    Secure and Reliable Key Agreement with Physical Unclonable Functions

    Different transforms used in binding a secret key to correlated physical-identifier outputs are compared. Decorrelation efficiency is the metric used to determine transforms that give highly uncorrelated outputs. Scalar quantizers are applied to transform outputs to extract uniformly distributed bit sequences to which secret keys are bound. A set of transforms that perform well in terms of the decorrelation efficiency is applied to ring oscillator (RO) outputs to improve the uniqueness and reliability of extracted bit sequences, to reduce the hardware area and information leakage about the key and RO outputs, and to maximize the secret-key length. Low-complexity error-correction codes are proposed to illustrate two complete key-binding systems with perfect secrecy, and better secret-key and privacy-leakage rates than existing methods. A reference hardware implementation is also provided to demonstrate that the transform-coding approach occupies a small hardware area.
    Comment: An extra term in the last page due to the mismatch between the Arxiv compiler and MDPI template is eliminated. No other change.

    A Formal Analysis of 5G Authentication

    Mobile communication networks connect much of the world's population. The security of users' calls, SMSs, and mobile data depends on the guarantees provided by the Authenticated Key Exchange protocols used. For the next-generation network (5G), the 3GPP group has standardized the 5G AKA protocol for this purpose. We provide the first comprehensive formal model of a protocol from the AKA family: 5G AKA. We also extract precise requirements from the 3GPP standards defining 5G and we identify missing security goals. Using the security protocol verification tool Tamarin, we conduct a full, systematic security evaluation of the model with respect to the 5G security goals. Our automated analysis identifies the minimal security assumptions required for each security goal, and we find that some critical security goals are not met, except under additional assumptions missing from the standard. Finally, we make explicit recommendations with provably secure fixes for the attacks and weaknesses we found.
    Comment: Categories (ACM class 2012): Security and privacy - Formal methods and theory of security -- Security requirements -- Formal security models -- Logic and verification; Network protocols - Protocol correctness -- Formal specifications; Security and privacy - Network security -- Mobile and wireless security - Security services -- Privacy-preserving protocols.

    Bringing data minimization to digital wallets at scale with general-purpose zero-knowledge proofs

    Today, digital identity management for individuals is either inconvenient and error-prone or creates undesirable lock-in effects and violates privacy and security expectations. These shortcomings inhibit the digital transformation in general and seem particularly concerning in the context of novel applications such as access control for decentralized autonomous organizations and identification in the Metaverse. Decentralized or self-sovereign identity (SSI) aims to offer a solution to this dilemma by empowering individuals to manage their digital identity through machine-verifiable attestations stored in a "digital wallet" application on their edge devices. However, when presented to a relying party, these attestations typically reveal more attributes than required and allow tracking end users' activities. Several academic works and practical solutions exist to reduce or avoid such excessive information disclosure, from simple selective disclosure to data-minimizing anonymous credentials based on zero-knowledge proofs (ZKPs). We first demonstrate that the SSI solutions that are currently built with anonymous credentials still lack essential features such as scalable revocation, certificate chaining, and integration with secure elements. We then argue that general-purpose ZKPs in the form of zk-SNARKs can appropriately address these pressing challenges. We describe our implementation and conduct performance tests on different edge devices to illustrate that the performance of zk-SNARK-based anonymous credentials is already practical. We also discuss further advantages that general-purpose ZKPs can easily provide for digital wallets, for instance, to create "designated verifier presentations" that facilitate new design options for digital identity infrastructures that previously were not accessible because of the threat of man-in-the-middle attacks.

    Analysis of Security Protocols by Annotations

    Multi-party authentication protocols for web services

    Web service technology allows the dynamic composition of a workflow (or a business flow) by composing a set of existing Web services scattered across the Internet. While a given Web service may have multiple service instances taking part in several workflows simultaneously, a workflow often involves a set of service instances that belong to different Web services. In order to establish trust relationships amongst service instances, new security protocols are urgently needed. Hada and Maruyama [HAD02] presented a session-oriented, multi-party authentication protocol to resolve this problem. Within a session the protocol provides a common session secret shared by all the service instances, thereby distinguishing the instances from those of other sessions. However, individual instances cannot be distinguished and identified by the session secret. This leads to vulnerable session management and poor threat containment. In this thesis, we present a new design for a multi-party authentication protocol. In this protocol, each service instance is provided with a unique identifier. The Diffie-Hellman Key Agreement scheme is employed to generate the trust relationship between service instances within the same flow. The Coordinated Atomic Action scheme is exploited for achieving an improved level of threat containment. The new protocol was implemented in Java and evaluated by a combined use of experiments and model-based analysis. The results show that the time consumption for multi-party authentication increases linearly as the number of service instances that are introduced into a session increases. Our solution is therefore potentially applicable to Web service flows with a large number of participants. Various public key algorithms are also compared and evaluated during the experiments in order to select the most suitable one for our new protocol.