Fuzzy extractor based on universal hashes Part 1: Fuzzy extractor based on universal hashes Part 2: Simplification of Controlled PUF primitives Dagstuhl, July 6-8, 2009

Part 1: Fuzzy extractor based on universal hashes BŠ and Pim Tuyls

Fuzzy Extractor / Helper Data scheme Dodis et al. 2003 Juels+Wattenberg 1999 Linnartz+Tuyls 2003 noisy Properties Secrecy and uniformity: Δ(WS; WU) ≤ ε. "S given W is almost uniform" Error correction: If X' sufficiently close to X, then S'=S. Robustness [Boyen et al. 2005]: Detection of active attack against W Applications privacy preserving biometrics anti-counterfeiting ("object biometrics") PUF-based key storage

Fuzzy Extractor: Efficiency noisy What's so special? Redundancy data (in W) must not leak info about secret S. Make near-uniform S from non-uniform X. How to authenticate W when there is no PKI? "Efficiency" Extract as many reproducible bits from X as possible. Low storage requirements. Small computational load.

x x' Limited noise Common class of noise Example Common class of noise Considerable prob. that x' ≠ x. Small number of likely x'. x x' Problematic for error correcting codes Most codes work best with low error rate Cannot exploit non-uniform error patterns (low entropy of errors) Entropy loss.

Def: δ-almost universal hash functions Fr. For fixed x and x': Fr with random r L bits Def: δ-almost universal hash functions Fr. For fixed x and x': Not a cryptographic hash Main purpose: uniformity Light-weight implementation in hardware and software. Information-theoretic properties. Does not rely on unproven security assumptions

Fuzzy Extractor based on universal hash functions p q r Publicly stored enrolment data: p,q,r,w, m:=MAC(v; pqrw) attack p', q', r', w', m' redundancy for error correction MAC key secret key Key reconstruction procedure Measure x'. Read p', q', r', w', m'. Make list L of likely candidates. Must be manageable! Find x in L such that Ψp'(x)=w'. Sort of Slepian-Wolf Compute v'=Γq'(x). Check if MAC(v'; p'q'r'w')=m'. If okay, reconstruct secret s=Φr'(x).

Robustness: KMS-MAC Theorem: If then Δ(PQRWM S; PQRWM U) ≤ ε . Robustness Ordinary MAC insufficient MAC with Key Manipulation Security? [Cramer et al, Eurocrypt 2008] Assumes strong attacker. Key Linearity: ΔK = known function of w and modified w'. We do not have the linearity property! (Also the case for other types of helper data.) Effect of modifying helper data unknown to attacker. KMS-MAC is overkill.

Simplification of Controlled PUF primitives Part 2: Simplification of Controlled PUF primitives BŠ and Marc X. Makkes Eindhoven University of Technology

CPUF protocols Controlled PUFs (CPUFs) PUF shielded from the outside world by control layer control layer restricts PUF input & output more secure than "bare" PUF Protocols exploiting large number of Challenge-Response Pairs Gassend et al 2002, 2007, 2008 Each user has shared secret (CRP) with CPUF Symmetric crypto Certified Execution, Proof of Execution, key renewal, ... Presented as API code Self-referential 'hash blocks'

Self-referential use of program hashes E-Proof generation: computes a hash over the hash block

Simplification Avoid hashes of control layer code Flowchart notation Basically the same protocols; minor modifications Helper data explicitly visible

Some wise concluding remarks Boris: None of this is rocket science, and the results are far from spectacular ... so I will not complain if you don't put any of this in the schedule. Ahmad: (...) And we do not need rocket science. By the way, rocket science is very easy, this is a fairy-tale that rocket science is difficult. You buy some explosive powder and some metal container and you put them together.