A formal definition and a new security mechanism of physical unclonable functions

The characteristic novelty of what is generally meant by a "physical unclonable function" (PUF) is precisely defined, in order to supply a firm basis for security evaluations and the proposal of new security mechanisms. A PUF is defined as a hardware device which implements a physical function with an output value that changes with its argument. A PUF can be clonable, but a secure PUF must be unclonable. This proposed meaning of a PUF is cleanly delineated from the closely related concepts of "conventional unclonable function", "physically obfuscated key", "random-number generator", "controlled PUF" and "strong PUF". The structure of a systematic security evaluation of a PUF enabled by the proposed formal definition is outlined. Practically all current and novel physical (but not conventional) unclonable physical functions are PUFs by our definition. Thereby the proposed definition captures the existing intuition about what is a PUF and remains flexible enough to encompass further research. In a second part we quantitatively characterize two classes of PUF security mechanisms, the standard one, based on a minimum secret read-out time, and a novel one, based on challenge-dependent erasure of stored information. The new mechanism is shown to allow in principle the construction of a "quantum-PUF", that is absolutely secure while not requiring the storage of an exponentially large secret. The construction of a PUF that is mathematically and physically unclonable in principle does not contradict the laws of physics.Comment: 13 pages, 1 figure, Conference Proceedings MMB & DFT 2012, Kaiserslautern, German

Greater Expectations?

Physically Unclonable Functions (PUFs) are key tools in the construction of lightweight authentication and key exchange protocols. So far, all existing PUF-based authentication protocols follow the same paradigm: A resource-constrained prover, holding a PUF, wants to authenticate to a resource-rich verifier, who has access to a database of pre-measured PUF challenge-response pairs (CRPs). In this paper we consider application scenarios where all previous PUF-based authentication schemes fail to work: The verifier is resource-constrained (and holds a PUF), while the prover is resource-rich (and holds a CRP-database). We construct the first and efficient PUF-based authentication protocol for this setting, which we call converse PUF-based authentication. We provide an extensive security analysis against passive adversaries, show that a minor modification also allows for authenticated key exchange and propose a concrete instantiation using controlled Arbiter PUFs

The Conditional Correlation Attack: A Practical Attack on Bluetooth Encryption

Abstract. Motivated by the security of the nonlinear filter generator, the concept of correlation was previously extended to the conditional correlation, that studied the linear correlation of the inputs conditioned on a given (short) output pattern of some specific nonlinear function. Based on the conditional correlations, conditional correlation attacks were shown to be successful and efficient against the nonlinear filter generator. In this paper, we further generalize the concept of conditional correlations by assigning it with a different meaning, i.e. the correlation of the output of an arbitrary function conditioned on the unknown (partial) input which is uniformly distributed. Based on this generalized conditional correlation, a general statistical model is studied for dedicated key-recovery distinguishers. It is shown that the generalized conditional correlation is no smaller than the unconditional correlation. Consequently, our distinguisher improves on the traditional one (in the worst case it degrades into the traditional one). In particular, the distinguisher may be successful even if no ordinary correlation exists. As an application, a conditional correlation attack is developed and optimized against Bluetooth two-level E0. The attack is based on a recently detected flaw in the resynchronization of E0, as well as the investigation of conditional correlations in the Finite State Machine (FSM) governing the keystream output of E0. Our best attack finds the original encryption key for two-level E0 using the first 24 bits of 2 23.8 frames and with 2 38 computations. This is clearly the fastest and only practical known-plaintext attack on Bluetooth encryption compared with all existing attacks. Current experiments confirm our analysis

Faster Correlation Attack on Bluetooth Keystream Generator E0

Abstract. We study both distinguishing and key-recovery attacks against E0, the keystream generator used in Bluetooth by means of correlation. First, a powerful computation method of correlations is formulated by a recursive expression, which makes it easier to calculate correlations of the finite state machine output sequences up to 26 bits for E0 and allows us to verify the two known correlations to be the largest for the first time. Second, we apply the concept of convolution to the analysis of the distinguisher based on all correlations, and propose an efficient distinguisher due to the linear dependency of the largest correlations. Last, we propose a novel maximum likelihood decoding algorithm based on fast Walsh transform to recover the closest codeword for any linear code of dimension L and length n. It requires time O(n + L · 2 L) and memory min(n, 2 L). This can speed up many attacks such as fast correlation attacks. We apply it to E0, and our best key-recovery attack works in 2 39 time given 2 39 consecutive bits after O(2 37) precomputation. This is the best known attack against E0 so far.

The Drosophila FoxA Ortholog Fork Head Regulates Growth and Gene Expression Downstream of Target of Rapamycin

Forkhead transcription factors of the FoxO subfamily regulate gene expression programs downstream of the insulin signaling network. It is less clear which proteins mediate transcriptional control exerted by Target of rapamycin (TOR) signaling, but recent studies in nematodes suggest a role for FoxA transcription factors downstream of TOR. In this study we present evidence that outlines a similar connection in Drosophila, in which the FoxA protein Fork head (FKH) regulates cellular and organismal size downstream of TOR. We find that ectopic expression and targeted knockdown of FKH in larval tissues elicits different size phenotypes depending on nutrient state and TOR signaling levels. FKH overexpression has a negative effect on growth under fed conditions, and this phenotype is not further exacerbated by inhibition of TOR via rapamycin feeding. Under conditions of starvation or low TOR signaling levels, knockdown of FKH attenuates the size reduction associated with these conditions. Subcellular localization of endogenous FKH protein is shifted from predominantly cytoplasmic on a high-protein diet to a pronounced nuclear accumulation in animals with reduced levels of TOR or fed with rapamycin. Two putative FKH target genes, CG6770 and cabut, are transcriptionally induced by rapamycin or FKH expression, and silenced by FKH knockdown. Induction of both target genes in heterozygous TOR mutant animals is suppressed by mutations in fkh. Furthermore, TOR signaling levels and FKH impact on transcription of the dFOXO target gene d4E-BP, implying a point of crosstalk with the insulin pathway. In summary, our observations show that an alteration of FKH levels has an effect on cellular and organismal size, and that FKH function is required for the growth inhibition and target gene induction caused by low TOR signaling levels

Unsupervised machine learning on encrypted data

In the context of Fully Homomorphic Encryption, which allows computations on encrypted data, Machine Learning has been one of the most popular applications in the recent past. All of these works, however, have focused on supervised learning, where there is a labeled training set that is used to configure the model. In this work, we take the first step into the realm of unsupervised learning, which is an important area in Machine Learning and has many real-world applications, by addressing the clustering problem. To this end, we show how to implement the K-Means-Algorithm. This algorithm poses several challenges in the FHE context, including a division, which we tackle by using a natural encoding that allows division and may be of independent interest. While this theoretically solves the problem, performance in practice is not optimal, so we then propose some changes to the clustering algorithm to make it executable under more conventional encodings. We show that our new algorithm achieves a clustering accuracy comparable to the original K-Means-Algorithm, but has less than $5\%$ of its runtime

Boolean functions for homomorphic-friendly stream ciphers

The proliferation of small embedded devices having growing but still limited computing and data storage facilities, and the related development of cloud services with extensive storage and computing means, raise nowadays new privacy issues because of the outsourcing of data processing. This has led to a need for symmetric cryptosystems suited for hybrid symmetric-FHE encryption protocols, ensuring the practicability of the FHE solution. Recent ciphers meant for such use have been introduced, such as LowMC, Kreyvium, FLIP, and Rasta. The introduction of stream ciphers devoted to symmetric-FHE frameworks such as FLIP and its recent modification has in its turn posed new problems on the Boolean functions to be used in them as filter functions. We recall the state of the art in this matter and present further studies (without proof)

A Versatile ΦC31 Based Reporter System for Measuring AP-1 and Nrf2 Signaling in Drosophila and in Tissue Culture

This paper describes the construction and characterization of a system of transcriptional reporter genes for monitoring the activity of signaling pathways and gene regulation mechanisms in intact Drosophila, dissected tissues or cultured cells. Transgenic integration of the reporters into the Drosophila germline was performed in a site-directed manner, using ΦC31 integrase. This strategy avoids variable position effects and assures low base level activity and high signal responsiveness. Defined integration sites furthermore enable the experimenter to compare the activity of different reporters in one organism. The reporter constructs have a modular design to facilitate the combination of promoter elements (synthetic transcription factor binding sites or natural regulatory sequences), reporter genes (eGFP, or DsRed.T4), and genomic integration sites. The system was used to analyze and compare the activity and signal response profiles of two stress inducible transcription factors, AP-1 and Nrf2. To complement the transgenic reporter fly lines, tissue culture assays were developed in which the same synthetic ARE and TRE elements control the expression of firefly luciferase

Optimal Collision Security in Double Block Length Hashing with Single Length Key

The idea of double block length hashing is to construct a compression function on 2n bits using a block cipher with an n-bit block size. All optimally secure double length hash functions known in the literature employ a cipher with a key space of double block size, 2n-bit. On the other hand, no optimally secure compression functions built from a cipher with an n-bit key space are known. Our work deals with this problem. Firstly, we prove that for a wide class of compression functions with two calls to its underlying n-bit keyed block cipher collisions can be found in about 2n/2 queries. This attack applies, among others, to functions where the output is derived from the block cipher outputs in a linear way. This observation demonstrates that all security results of designs using a cipher with 2n-bit key space crucially rely on the presence of these extra n key bits. The main contribution of this work is a proof that this issue can be resolved by allowing the compression function to make one extra call to the cipher. We propose a family of compression functions making three block cipher calls that asymptotically achieves optimal collision resistance up to 2n(1-ε) queries and preimage resistance up to 23n(1-ε)/2 queries, for any ε > 0. To our knowledge, this is the first optimally collision secure double block length construction using a block cipher with single length key space. © International Association for Cryptologic Research 2012.status: publishe