



# **End-to-end Design of a PUF-based Privacy Preserving Authentication Protocol**

Aydin Aysu<sub>1</sub>, Ege Gulcan, Daisuke  
Moriyama<sub>2</sub>, Patrick Schaumont, and  
Moti Yung

**Navid Vafaei  
Sepand Haghghi**

**Fall - 2016**

**Hardware Security & Trust - Dr.Bayat**

# Outline

- Introduction
- Notations
- Protocol
- Design of SRAM-PUF/TRNG
- Design of Fuzzy Extractor
- Architecture Design
- Conclusion

# Introduction

- Prototype Implementation of a provably secure protocol
- Support privacy-preserving mutual authentication
- Based on PUF
- Implemented on SASEBO-GII using onboard SRAM

# Innovative Features



# Notations

- **Truly Random Number Generator**

TRNG derives a truly random number sequence.

- **Physically Unclonable Functions**

$f: K \times D \rightarrow R$  which takes as input a physical characteristic  $x \in K$  and message  $y \in D$  and outputs  $z \in R$

# Notations

- **Symmetric Key Encryption**

$SKE := (SKE:Enc; SKE:Dec)$  denotes the symmetric key encryption.  $SKE.Enc$  takes as input secret key  $sk$  and plaintext  $m$  and outputs ciphertext  $c$ .  $SKE.Dec$  decrypts the ciphertext  $c$  using the same secret key  $sk$  to generate plaintext  $m$

- **Pseudorandom Function**

$PRF, PRF': K' \times D' \rightarrow R'$  takes as input secret key  $sk \in K'$  and message  $m \in D'$  and provides an output which is indistinguishable from random.

# Notations

- **Fuzzy Extractor**

$FE := (FE.Gen, FE.Rec)$  denotes a fuzzy extractor. The  $FE.Gen$  algorithm takes as input a variable  $\underline{z}$  and outputs randomness  $\underline{r}$  and helper data  $\underline{hd}$ .

The  $FE.Rec$  algorithm recovers  $\underline{r}$  with input variable  $\underline{z}'$  and  $\underline{hd}$ .

# Protocol Setup Phase

## Setup Phase

Server

$$(sk, y_1) \xleftarrow{R} \text{TRNG}$$

$$\xrightarrow{sk, y_1}$$
  
$$\xleftarrow{z_1}$$

Device ( $f(x_i, \cdot)$ )

$$z_1 \xleftarrow{R} f(x_i, y_1)$$

# Protocol

## Authentication Phase

### Authentication Phase



# Protocol Authentication Phase

$r_1 := \text{FE.Rec}(z_1, hd)$

$(t'_1, \dots, t'_5) := \text{PRF}(r_1, y'_1 \| y'_2)$

If  $t'_1 = t_1$  in  $1 \leq i \leq \text{num}$ ,

If  $v_1 = \text{PRF}'(t'_3, c \| u_1)$ ,

$z'_2 := u_1 \oplus t'_2$

Update  $(z_1, sk, z_{old}, sk_{old})$  to

$(z'_2, t_5, z_1, sk)$

Else,  $hd_1 := \text{SKE.Dec}(sk_{old}, c)$

$r_1 := \text{FE.Rec}(z_{old}, hd_1)$

$(t'_1, \dots, t'_5) := \mathcal{G}(r_1, y'_1 \| y'_2)$

$\vdots$

Else,  $t'_4 \xleftarrow{\text{R}} \text{TRNG}$

$\xrightarrow{t'_4}$

If  $t'_4 = t_4$ ,

$(y_1, sk) := (y_2, t_5)$

# SRAM - PUF



# SRAM - TRNG



# PRF based on CBC



# Fuzzy Extractor Error Correction

**Encode( $a$ ):**  $\delta \xleftarrow{\text{RNG}} \{0, 1\}^{k_1}, cw := \text{BCH.Gen}(\delta) \in \{0, 1\}^{n_1}, hd := a \oplus cw$

$$\begin{aligned} z'_1 &\xleftarrow{\text{R}} f(x_i, y_1) \\ (r_1, hd) &\xleftarrow{\text{R}} \text{FE.Gen}(z'_1) \end{aligned}$$

**Decode( $a', hd$ ):**  $cw' := a' \oplus hd, cw := \text{BCH.Dec}(cw'), a := cw \oplus hd$

$$\begin{aligned} hd &:= \text{SKE.Dec}(sk, c) \\ r_1 &:= \text{FE.Rec}(z_1, hd) \end{aligned}$$

# Helper Data



15

# Faulty PUF Output



# Key Length and Data Sizes

| Category             | Purpose                      | Variables                     | 64-bit security | 128-bit security |
|----------------------|------------------------------|-------------------------------|-----------------|------------------|
| Setup Phase          | Input address                | $y_1$                         | 12              | 12               |
|                      | PUF's output                 | $z_1$                         | 252             | 504              |
|                      | Stored key                   | $sk, sk'$                     | 64              | 128              |
| Authentication Phase | PUF's output                 | $z'_1, z'_2$                  | 252             | 504              |
|                      | Nonce                        | $y'_1, y'_2$                  | 64              | 128              |
|                      | Randomness for FE            | $\delta, \text{rnd}$          | 128             | 256              |
|                      | Secret key for PRF           | $r_1$                         | 64              | 128              |
|                      | Helper data                  | $hd$ (includes $\text{rnd}$ ) | 632             | 1,264            |
|                      | Ciphertext                   | $c$                           | 640             | 1,280            |
|                      | PUF's input                  | $y_2$                         | 12              | 12               |
|                      | Mutual authentication        | $t_1, t_4$                    | 64              | 128              |
|                      | XORed element                | $t_2$                         | 252             | 504              |
|                      | Secret key for PRF' and MAC  | $t_3, s_1$                    | 64              | 128              |
| Communication        | Updated stored key           | $t_5$                         | 128             | 256              |
|                      | First message (from server)  | $y'_1$                        | 64              | 128              |
|                      | Second message (from device) | $(c, y'_2, t_1, u_1, s_1)$    | 1,084           | 2,168            |
| Memory               | Third message (from server)  | $t'_4$                        | 64              | 128              |
|                      | Persistent State (NVM)       | $(sk, sk', y_1)$              | 140             | 268              |
|                      | SRAM area for PUF            |                               | 504             | 1,008            |
|                      | SRAM area for RNG            |                               | 2,656           | 5,216            |

# System Architecture of the Device and Server



# Data Flows

| Seq | Authentication Step                                  | MSP430<br><i>Fig. 6 Ver. 1</i>       | MSP430 + HW Engine<br><i>Fig. 6 Ver. 2</i> |
|-----|------------------------------------------------------|--------------------------------------|--------------------------------------------|
| 1   | Receive $y'_1$                                       | UART.Receive → MSP430.DM             | UART.Receive → MSP430.DM                   |
| 2   | Read $sk, sk', y_1$                                  | SPIROM.Read → MSP430.DM              | SPIROM.Read → MSP430.DM                    |
| 3   | $z'_1 \xleftarrow{R} f(x_i, y_1)$                    | SRAM.PUF → MSP430.DM                 | SRAM.PUF → MSP430.DM                       |
| 4   | $(r_1, hd_1) \xleftarrow{R} \text{FE.Gen}(z'_1)$     | MS430.run(PRF)<br>MS430.run(BCH.Enc) |                                            |
| 5   | $m_2 \xleftarrow{R} \text{TRNG}$                     | SRAM.TRNG → MSP430.DM                | SRAM.TRNG → MSP430.DM                      |
|     | $y_2 \xleftarrow{R} \text{TRNG}$                     |                                      |                                            |
| 6   | $(t_1, \dots, t_5) := \text{PRF}(r_1, y'_1 \  y'_2)$ | MS430.run(PRF)                       |                                            |
| 7   | $c := \text{SKE.Enc}(sk, hd_1)$                      | MS430.run(Enc)                       |                                            |
| 8   | $z'_2 \xleftarrow{R} f(x_i, y_2)$                    | SRAM.PUF → MSP430.DM                 | SRAM.PUF → MSP430.DM                       |
| 9   | $u_1 := z'_2 \oplus t_2$                             | MSP430.run(xor)                      |                                            |
| 10  | $v_1 := \text{PRF}'(t_3, c \  u_1)$                  | MS430.run(PRF)                       |                                            |
|     |                                                      |                                      | MSP430.DM → HW.SharedMem                   |
| 11  | <i>HW Execution Step</i>                             |                                      | HW.run<br>HW.SharedMem → MS430.DM          |
| 12  | Send $c, m_2, t_1, u_1, v_1$                         | MSP430.DM → UART.Send                | MSP430.DM → UART.Send                      |
| 13  | Receive $t'_4$                                       | UART.Receive → MSP430.DM             | UART.Receive → MSP430.DM                   |
| 14  | Write $y_2, t_5$                                     | MSP430.DM → SPIROM.Write             | MSP430.DM → SPIROM.Write                   |

# Conclusion

| Reference                        | PUFKY [27]        | Slender [29]             | Reverse-FE [38]          | This work                            |
|----------------------------------|-------------------|--------------------------|--------------------------|--------------------------------------|
| Operation                        | Key generation    | Protocol                 | Protocol                 | Protocol                             |
| Privacy                          | No                | No                       | No                       | Yes                                  |
| Security flaws                   | No                | Major [10]               | Minor [10]               | No                                   |
| Implemented Parties              | N/A               | Device                   | Device                   | Device,<br>Server                    |
| Communication Interface          | Yes: Bus          | No                       | No                       | Yes: Bus, UART                       |
| Flexibility                      | Low               | Low                      | Low                      | High                                 |
| Reconfiguration Method           | Redesign Hardware | Redesign Hardware        | Redesign Hardware        | Modify Software,<br>Update Microcode |
| Demonstrator                     | FPGA              | FPGA                     | FPGA                     | FPGA + PC                            |
| Security-level                   | 128-bits          | 128-bits                 | 128-bits                 | 64,128-bits                          |
| Execution time<br>(clock cycles) | 55,310            | -                        | -                        | 18,597                               |
| Logic Cost<br>(w/o PUF)          | 210 Slices        | 144 LUT,<br>274 Register | 658 LUT,<br>496 Register | 1221 LUT,<br>441 Register            |
| PUF-type                         | Strong-PUF        | Strong-PUF               | -                        | Weak-PUF                             |
| PUF-instance                     | RO-PUF            | XOR-Arbiter              | -                        | SRAM                                 |
| Hardware Platform                | XC6SLX45          | XC5VLX110T               | XC5VLX50                 | XC5VLX30                             |



Thank you!