140 research outputs found
A formal definition and a new security mechanism of physical unclonable functions
The characteristic novelty of what is generally meant by a "physical
unclonable function" (PUF) is precisely defined, in order to supply a firm
basis for security evaluations and the proposal of new security mechanisms. A
PUF is defined as a hardware device which implements a physical function with
an output value that changes with its argument. A PUF can be clonable, but a
secure PUF must be unclonable. This proposed meaning of a PUF is cleanly
delineated from the closely related concepts of "conventional unclonable
function", "physically obfuscated key", "random-number generator", "controlled
PUF" and "strong PUF". The structure of a systematic security evaluation of a
PUF enabled by the proposed formal definition is outlined. Practically all
current and novel physical (but not conventional) unclonable physical functions
are PUFs by our definition. Thereby the proposed definition captures the
existing intuition about what is a PUF and remains flexible enough to encompass
further research. In a second part we quantitatively characterize two classes
of PUF security mechanisms, the standard one, based on a minimum secret
read-out time, and a novel one, based on challenge-dependent erasure of stored
information. The new mechanism is shown to allow in principle the construction
of a "quantum-PUF", that is absolutely secure while not requiring the storage
of an exponentially large secret. The construction of a PUF that is
mathematically and physically unclonable in principle does not contradict the
laws of physics.Comment: 13 pages, 1 figure, Conference Proceedings MMB & DFT 2012,
Kaiserslautern, German
Some Results on Sprout
Abstract. Sprout is a lightweight stream cipher proposed by Armknecht and Mikhalev at FSE 2015. It has a Grain-like structure with two State Registers of size 40 bits each, which is exactly half the state size of Grain v1. In spite of this, the cipher does not appear to lose in security against generic Time-Memory-Data Tradeoff attacks due to the novelty of its design. In this paper, we first present improved results on Key Recovery with partial knowledge of the internal state. We show that if 50 of the 80 bits of the internal state are guessed then the remaining bits along with the Secret Key can be found in a reasonable time using a SAT solver. Thereafter we show that it is possible to perform a distinguishing attack on the full Sprout stream cipher in the multiple IV setting using around 240 randomly chosen IVs on an average. The attack requires around 248 bits of memory. Thereafter we will show that for every Secret Key, there exist around 230 IVs for which the LFSR used in Sprout enters the all zero state during the Keystream generating phase. Using this observation, we will first show that it is possible to enumerate Key-IV pairs that produce keystream bits with period as small as 80. We will then outline a simple Key recovery attack that takes time equivalent to 266.7 encryptions with negligible memory requirement. This although is not the best attack reported against this cipher in terms of the Time complexity, it is the best in terms of the memory required to perform the attack
Quantum control without access to the controlling interaction
In our model a fixed Hamiltonian acts on the joint Hilbert space of a quantum
system and its controller. We show under which conditions measurements, state
preparations, and unitary implementations on the system can be performed by
quantum operations on the controller only.
It turns out that a measurement of the observable A and an implementation of
the one-parameter group exp(iAr) can be performed by almost the same sequence
of control operations. Furthermore measurement procedures for A+B, for (AB+BA),
and for i[A,B] can be constructed from measurements of A and B. This shows that
the algebraic structure of the set of observables can be explained by the Lie
group structure of the unitary evolutions on the joint Hilbert space of the
measuring device and the measured system.
A spin chain model with nearest neighborhood coupling shows that the border
line between controller and system can be shifted consistently.Comment: 10 pages, Revte
Greater Expectations?
Physically Unclonable Functions (PUFs) are key tools in the construction of lightweight authentication and key exchange protocols. So far, all existing PUF-based authentication protocols follow the same paradigm: A resource-constrained prover, holding a PUF, wants to authenticate to a resource-rich verifier, who has access to a database of pre-measured PUF challenge-response pairs (CRPs). In this paper we consider application scenarios where all previous PUF-based authentication schemes fail to work: The verifier is resource-constrained (and holds a PUF), while the prover is resource-rich (and holds a CRP-database). We construct the first and efficient PUF-based authentication protocol for this setting, which we call converse PUF-based authentication. We provide an extensive security analysis against passive adversaries, show that a minor modification also allows for authenticated key exchange and propose a concrete instantiation using controlled Arbiter PUFs
The Conditional Correlation Attack: A Practical Attack on Bluetooth Encryption
Abstract. Motivated by the security of the nonlinear filter generator, the concept of correlation was previously extended to the conditional correlation, that studied the linear correlation of the inputs conditioned on a given (short) output pattern of some specific nonlinear function. Based on the conditional correlations, conditional correlation attacks were shown to be successful and efficient against the nonlinear filter generator. In this paper, we further generalize the concept of conditional correlations by assigning it with a different meaning, i.e. the correlation of the output of an arbitrary function conditioned on the unknown (partial) input which is uniformly distributed. Based on this generalized conditional correlation, a general statistical model is studied for dedicated key-recovery distinguishers. It is shown that the generalized conditional correlation is no smaller than the unconditional correlation. Consequently, our distinguisher improves on the traditional one (in the worst case it degrades into the traditional one). In particular, the distinguisher may be successful even if no ordinary correlation exists. As an application, a conditional correlation attack is developed and optimized against Bluetooth two-level E0. The attack is based on a recently detected flaw in the resynchronization of E0, as well as the investigation of conditional correlations in the Finite State Machine (FSM) governing the keystream output of E0. Our best attack finds the original encryption key for two-level E0 using the first 24 bits of 2 23.8 frames and with 2 38 computations. This is clearly the fastest and only practical known-plaintext attack on Bluetooth encryption compared with all existing attacks. Current experiments confirm our analysis
Anonymous Single-Sign-On for n designated services with traceability
Anonymous Single-Sign-On authentication schemes have been proposed to allow
users to access a service protected by a verifier without revealing their
identity which has become more important due to the introduction of strong
privacy regulations. In this paper we describe a new approach whereby anonymous
authentication to different verifiers is achieved via authorisation tags and
pseudonyms. The particular innovation of our scheme is authentication can only
occur between a user and its designated verifier for a service, and the
verification cannot be performed by any other verifier. The benefit of this
authentication approach is that it prevents information leakage of a user's
service access information, even if the verifiers for these services collude
which each other. Our scheme also supports a trusted third party who is
authorised to de-anonymise the user and reveal her whole services access
information if required. Furthermore, our scheme is lightweight because it does
not rely on attribute or policy-based signature schemes to enable access to
multiple services. The scheme's security model is given together with a
security proof, an implementation and a performance evaluation.Comment: 3
- …