Physical Unclonable Functions in Cryptographic Protocols: Security Proofs and Impossibility Results. Dijk, M. v. & Rührmair, U. Technical Report 228, 2012.
Physical Unclonable Functions in Cryptographic Protocols: Security Proofs and Impossibility Results [link]Paper  abstract   bibtex   
We investigate the power of physical unclonable functions (PUFs) as a new primitive in cryptographic protocols. Our contributions split into three parts. Firstly, we focus on the realizability of PUF-protocols in a special type of stand-alone setting (the “stand-alone, good PUF setting”) under minimal assumptions. We provide new PUF definitions that require only weak average security properties of the PUF, and prove that these definitions suffice to realize secure PUF-based oblivious transfer (OT), bit commitment (BC) and key exchange (KE) in said setting. Our protocols for OT, BC and KE are partly new, and have certain practicality and security advantages compared to existing schemes. In the second part of the paper, we formally prove that there are very sharp limits on the usability of PUFs for OT and KE \\textbackslashem beyond\ the above stand-alone, good PUF scenario. We introduce two new and realistic attack models, the so-called posterior access model (PAM) and the bad PUF model, and prove several impossibility results in these models. First, OT and KE protocols whose security is solely based on PUFs are generally impossible in the PAM. More precisely, one-time access of an adversary to the PUF after the end of a single protocol (sub-)session makes all previous (sub-)sessions provably insecure. Second, OT whose security is solely based on PUFs is impossible in the bad PUF model, even if only a stand alone execution of the protocol is considered (i.e., even if no adversarial PUF access after the protocol is allowed). Our impossibility proofs do not only hold for the weak PUF definition of the first part of the paper, but even apply if ideal randomness and unpredictability is assumed in the PUF, i.e., if the PUF is modeled as a random permutation oracle. In the third part, we investigate the feasibility of PUF-based bit commitment beyond the stand-alone, good PUF setting. For a number of reasons, this case is more complicated than OT and KE. We first prove that BC is impossible in the bad PUF model if players have got access to the PUF between the commit and the reveal phase. Again, this result holds even if the PUF is “ideal” and modeled as a random permutation oracle. Secondly, we sketch (without proof) two new BC-protocols, which can deal with bad PUFs or with adversarial access between the commit and reveal phase, but not with both. We hope that our results can contribute to a clarification of the usability of PUFs in cryptographic protocols. They show that new hardware properties such as offline certifiability and the erasure of PUF responses would be required in order to make PUFs a broadly applicable cryptographic tool. These features have not yet been realized in practical PUF-implementations and generally seem hard to achieve at low costs. Our findings also show that the question how PUFs can be modeled comprehensively in a UC-setting must be considered at least partly open.
@techreport{dijk_physical_2012,
	title = {Physical  {Unclonable}  {Functions}  in  {Cryptographic}  {Protocols}:  {Security}  {Proofs}   and  {Impossibility}  {Results}},
	shorttitle = {Physical  {Unclonable}  {Functions}  in  {Cryptographic}  {Protocols}},
	url = {https://eprint.iacr.org/2012/228},
	abstract = {We  investigate  the  power  of  physical  unclonable  functions (PUFs)  as  a  new  primitive  in  cryptographic  protocols.  Our  contributions  split  into  three  parts.  Firstly,  we  focus  on  the  realizability  of  PUF-protocols  in  a  special  type  of  stand-alone  setting (the “stand-alone,  good  PUF  setting”)  under  minimal  assumptions.  We  provide  new  PUF  definitions  that  require  only  weak  average  security  properties  of  the  PUF,   and  prove  that  these  definitions  suffice  to  realize  secure  PUF-based  oblivious  transfer (OT),  bit  commitment (BC)   and  key  exchange (KE)  in  said  setting.  Our  protocols  for  OT,  BC   and  KE  are  partly  new,   and  have  certain  practicality   and  security  advantages  compared  to  existing  schemes.

In  the  second  part  of  the  paper,  we  formally  prove  that  there  are  very  sharp  limits  on  the  usability  of  PUFs  for  OT   and  KE \{{\textbackslash}em  beyond\}  the  above  stand-alone,  good  PUF  scenario.  We  introduce  two  new   and  realistic  attack  models,  the  so-called  posterior  access  model (PAM)   and  the  bad  PUF  model,   and  prove  several  impossibility  results  in
these  models.  First,  OT   and  KE  protocols  whose  security  is  solely  based  on  PUFs  are  generally  impossible  in  the  PAM.  More  precisely,  one-time  access  of  an  adversary  to  the  PUF  after  the  end  of  a  single  protocol (sub-)session  makes  all  previous (sub-)sessions  provably  insecure.  Second,  OT  whose  security  is  solely  based  on  PUFs  is
impossible  in  the  bad  PUF  model,  even  if  only  a  stand  alone  execution  of  the  protocol  is  considered (i.e.,  even  if  no  adversarial  PUF  access  after  the  protocol  is  allowed).  Our  impossibility  proofs  do  not  only  hold  for  the  weak  PUF  definition  of  the  first  part  of  the  paper,  but  even  apply  if  ideal  randomness   and  unpredictability  is  assumed  in  the  PUF,  i.e.,  if  the  PUF  is  modeled  as  a  random  permutation  oracle.

In  the  third  part,  we  investigate  the  feasibility  of  PUF-based  bit  commitment  beyond  the  stand-alone,  good  PUF  setting.  For  a  number  of  reasons,  this  case  is  more  complicated  than  OT   and  KE.  We  first  prove  that  BC  is  impossible  in  the  bad  PUF  model  if  players  have  got  access  to  the  PUF  between  the  commit   and  the  reveal  phase.  Again,  this  result  holds  even  if  the  PUF  is “ideal”   and  modeled  as  a  random  permutation  oracle.  Secondly,  we  sketch (without  proof)  two  new  BC-protocols,  which  can  deal  with  bad  PUFs  or  with  adversarial  access  between  the  commit   and  reveal  phase,  but  not  with  both.

We  hope  that  our  results  can  contribute  to  a  clarification  of  the  usability  of  PUFs  in  cryptographic  protocols.  They  show  that  new  hardware  properties  such  as  offline  certifiability   and  the  erasure  of  PUF  responses  would  be  required  in  order  to  make  PUFs  a  broadly  applicable  cryptographic  tool.  These  features  have  not  yet  been  realized  in  practical  PUF-implementations   and  generally  seem  hard  to  achieve  at  low  costs.  Our  findings  also  show  that  the  question  how  PUFs  can  be  modeled  comprehensively  in  a  UC-setting  must  be  considered  at  least  partly  open.},
	number = {228},
	urldate = {2015-08-21TZ},
	author = {Dijk, Marten van and Rührmair, Ulrich},
	year = {2012}
}
Downloads: 0
About
Documentation
Keywords
Search
Users
Terms and Conditions of Use
Privacy Policy
Sitemap
© BibBase.org 2021