39 research outputs found
Physically Uncloneable Functions in the Stand-Alone and Universally Composable Framework
In this thesis, we investigate the possibility of basing cryptographic primitives on Physically Uncloneable Functions (PUF). A PUF is a piece of hardware that can be seen as a source of randomness. When a PUF is evaluated on a physical stimulus, it answers with a noisy output. PUFs are unpredictable such that even if a chosen stimulus is given, it should be infeasible to predict the corresponding output without physically evaluating the PUF. Furthermore, PUFs are uncloneable, which means that even if all components of the system are known, it is computational infeasible to model their behavior. In the course of this dissertation, we discuss PUFs in the context of their implementation, their mathematical description, as well as their usage as a cryptographic primitive and in cryptographic protocols.
We first give an overview of the most prominent PUF constructions in order to derive subsequently an appropriate mathematical PUF model. It turns out that this is a non- trivial task, because it is not certain which common security properties are generally necessary and achievable due to the numerous PUF implementations.
Next, we consider PUFs in security applications. Due to the properties of PUFs, these hardware tokens are good to build authentication protocols that rely on challenge/response pairs. If the number of potential PUF-based challenge/response pairs is large enough, an adversary cannot measure all PUF responses. Therefore, the at- tacker will most likely not be able to answer the challenge of the issuing party even if he had physical access to the PUF for a short time. However, we show that some of the previously suggested protocols are not fully secure in the attacker model where the adversary has physical control of the PUF and the corresponding reader during a short time.
Finally, we analyze PUFs in the universally composable (UC) framework for the first time. Although hardware tokens have been considered before in the UC framework, designing PUF-based protocols is fundamentally different from other hardware token approaches. One reason is that the manufacturer of the PUF creates a physical object that outputs pseudorandom values, but where no specific code is running. In fact, the functional behavior of the PUF is unpredictable even for the PUF creator. Thus, only the party in possession of the PUF has full access to the secrets. After formalizing PUFs in the UC framework, we derive efficient UC-secure protocols for basic tasks like oblivious transfer, commitments, and key exchange
Unconditionally Secure and Universally Composable Commitments from Physical Assumptions
We present a constant-round unconditional black-box compiler that transforms any ideal (i.e., statistically-hiding and statistically-binding) straight-line extractable commitment scheme, into an extractable and equivocal commitment scheme, therefore yielding to UC-security [9]. We exemplify the usefulness of our compiler by providing two (constant-round) instantiations of ideal straight-line extractable commitment based on (malicious) PUFs [36] and stateless tamper-proof hardware tokens [26], therefore achieving the first unconditionally UC-secure commitment with malicious PUFs and stateless tokens, respectively. Our constructions are secure for adversaries creating arbitrarily malicious stateful PUFs/tokens.
Previous results with malicious PUFs used either computational assumptions to achieve UC- secure commitments or were unconditionally secure but only in the indistinguishability sense [36]. Similarly, with stateless tokens, UC-secure commitments are known only under computational assumptions [13, 24, 15], while the (not UC) unconditional commitment scheme of [23] is secure only in a weaker model in which the adversary is not allowed to create stateful tokens.
Besides allowing us to prove feasibility of unconditional UC-security with (malicious) PUFs and stateless tokens, our compiler can be instantiated with any ideal straight-line extractable commitment scheme, thus allowing the use of various setup assumptions which may better fit the application or the technology available
The Limits of Composable Crypto with Transferable Setup Devices
UC security realized with setup devices imposes that single instances of these setups are used. In most cases, UC-realization relies further on other properties of the setups devices, like tamper-resistance. But what happens in stronger versions of the UC framework, like EUC or JUC, where multiple instances of these setups are allowed? Can we formalise what it is about setups like these which makes them sometimes hinder UC, JUC, EUC realizability? In this paper, we answer this question. As such, we formally introduce transferable setups, which can be viewed as setup devices that do not (publicly) disclose if they have been maliciously passed on. Further, we prove the general result that one cannot realize oblivious transfer (OT) or any "interesting" 2-party protocol using transferable setups in the EUC model. As a by-product, we show that physically unclonable functions (PUFs) themselves are transferable devices, which means that one cannot use PUFs as a global setups; this is interesting because non-transferability is a weaker requirement than locality, which until now was the property informally blamed for UC-impossibility results regarding PUFs as global setups. If setups are transferable (i.e., they can be passed on from one party to another without explicit disclosure of a malicious transfer), then they will not intrinsically leak if a relay attack takes place. Indeed, we further prove that if relay attacks are possible then oblivious transfer cannot be realized in the JUC model. Linked to the prevention of relaying, authenticated channels have historically been an essential building stone of the UC model. Related to this, we show how to strengthen some existing protocols UC-realized with PUFs, and render them not only UC-secure but also JUC-secure
On the Security of PUF Protocols under Bad PUFs and PUFs-inside-PUFs Attacks
We continue investigations on the use of so-called Strong PUFs as a cryptographic primitive in realistic attack models, in particular in the “Bad/Malicious PUF Model”. We obtain the following results:
– Bad PUFs and Simplification: As a minor contribution, we simplify a recent OT-protocol for malicious PUFs by Dachman-Soled et al. [4] from CRYPTO 2014. We can achieve the same security properties under the same assumptions, but use only one PUF instead of two.
– PUFs-inside-PUFs, Part I: We propose the new, realistic adversarial models of PUF modifications and PUFs-inside-PUF attacks, and show that the earlier protocol of Dachman-Soled et al. [4] is vulnerable against PUFs-inside-PUFs attacks (which lie outside the original framework of [4]).
– PUFs-inside-PUFs, Part II: We construct a new PUF-based OT-protocol,
which is secure against PUFs-inside-PUFs attacks if the used bad PUFs are stateless. Our protocol introduces the technique of interleaved challenges.
– PUFs-inside-PUFs, Part III: In this context, we illustrate why the use of interactive hashing in our new protocol appears necessary, and why a first protocol attempt without interactive hashing fails
On the practical use of physical unclonable functions in oblivious transfer and bit commitment protocols
In recent years, PUF-based schemes have been suggested not only for the basic tasks of tamper-sensitive key storage or the identification of hardware systems, but also for more complex protocols like oblivious transfer (OT) or bit commitment (BC), both of which possess broad and diverse applications. In this paper, we continue this line of research. We first present an attack on two recent OT and BC protocols which have been introduced by Brzuska et al. (CRYPTO, LNCS 6841, pp 51–70, Springer 2011). The attack quadratically reduces the number of CRPs which malicious players must read out to cheat, and fully operates within the original communication model of Brzuska et al. (CRYPTO, LNCS 6841, pp 51–70, Springer 2011). In practice, this leads to insecure protocols when electrical PUFs with a medium challenge-length are used (e.g., 64 bits), or whenever optical PUFs are employed. These two PUF types are currently among the most popular designs of so-called Strong PUFs. Secondly, we show that the same attack applies to a recent OT protocol of Ostrovsky et al. (IACR Cryptol. ePrint Arch. 2012:143, 2012), leading to exactly the same consequences. Finally, we discuss countermeasures. We present a new OT protocol with better security properties, which utilizes interactive hashing as a substep and is based on an earlier protocol by Rührmair (TRUST, LNCS 6101, pp 430–440, Springer 2010). We then closely analyze its properties, including its security, security amplification, and practicality
Quantum Cryptography Beyond Quantum Key Distribution
Quantum cryptography is the art and science of exploiting quantum mechanical
effects in order to perform cryptographic tasks. While the most well-known
example of this discipline is quantum key distribution (QKD), there exist many
other applications such as quantum money, randomness generation, secure two-
and multi-party computation and delegated quantum computation. Quantum
cryptography also studies the limitations and challenges resulting from quantum
adversaries---including the impossibility of quantum bit commitment, the
difficulty of quantum rewinding and the definition of quantum security models
for classical primitives. In this review article, aimed primarily at
cryptographers unfamiliar with the quantum world, we survey the area of
theoretical quantum cryptography, with an emphasis on the constructions and
limitations beyond the realm of QKD.Comment: 45 pages, over 245 reference
A PUF-based Secure Communication Protocol for IoT
Security features are of paramount importance for IoT, and implementations are challenging given the
resource-constrained IoT set-up. We have developed a lightweight identity-based cryptosystem suitable for
IoT, to enable secure authentication and message exchange among the devices. Our scheme employs Physically
Unclonable Function (PUF), to generate the public identity of each device, which is used as the public
key for each device for message encryption. We have provided formal proofs of security in the Session Key
security and Universally Composable Framework of the proposed protocol, which demonstrates the resilience
of the scheme against passive as well as active attacks. We have demonstrated the set up required for the
protocol implementation and shown that the proposed protocol implementation incurs low hardware and
software overhead
Secure computation under network and physical attacks
2011 - 2012This thesis proposes several protocols for achieving secure com-
putation under concurrent and physical attacks. Secure computation
allows many parties to compute a joint function of their inputs, while
keeping the privacy of their input preserved. It is required that the pri-
vacy one party's input is preserved even if other parties participating
in the protocol collude or deviate from the protocol.
In this thesis we focus on concurrent and physical attacks, where
adversarial parties try to break the privacy of honest parties by ex-
ploiting the network connection or physical weaknesses of the honest
parties' machine.
In the rst part of the thesis we discuss how to construct proto-
cols that are Universally Composable (UC for short) based on physical
setup assumptions. We explore the use of Physically Uncloneable Func-
tions (PUFs) as setup assumption for achieving UC-secure computa-
tions. PUF are physical noisy source of randomness. The use of PUFs
in the UC-framework has been proposed already in [14]. However, this
work assumes that all PUFs in the system are trusted. This means
that, each party has to trust the PUFs generated by the other parties.
In this thesis we focus on reducing the trust involved in the use of such
PUFs and we introduce the Malicious PUFs model in which only PUFs
generated by honest parties are assumed to be trusted. Thus the secu-
rity of each party relies on its own PUF only and holds regardless of the
goodness of the PUFs generated/used by the adversary. We are able to
show that, under this more realistic assumption, one can achieve UC-
secure computation, under computational assumptions. Moreover, we
show how to achieve unconditional UC-secure commitments with (ma-
licious) PUFs and with stateless tamper-proof hardware tokens. We
discuss our contribution on this matter in Part I. These results are
contained in papers [80] and [28].
In the second part of the thesis we focus on the concurrent setting,
and we investigate on protocols achieving round optimality and black-
box access to a cryptographic primitive. We study two fundamental
functionalities: commitment scheme and zero knowledge, and we focus
on some of the round-optimal constructions and lower bounds con-
cerning both functionalities. We nd that such constructions present
subtle issues. Hence, we provide new protocols that actually achieve
the security guarantee promised by previous results.
Concerning physical attacks, we consider adversaries able to re-
set the machine of the honest party. In a reset attack a machine is
forced to run a protocol several times using the same randomness. In
this thesis we provide the rst construction of a witness indistinguish-
able argument system that is simultaneous resettable and argument of
knowledge. We discuss about this contribution in Part III, which is the
content of the paper. [edited by author]XI n.s