Part 1: Fuzzy extractor based on universal hashes Part 2: Simplification of Controlled PUF primitives. Dagstuhl, July 6-8, 2009. Part 1: Fuzzy extractor based on universal hashes. BŠ and Pim Tuyls. Fuzzy Extractor / Helper Data scheme. Dodis et al. 2003
Part 1: Fuzzy extractor based on universal hashes
Part 2: Simplification of Controlled PUF primitives
Dagstuhl, July 6-8, 2009

Part 1: Fuzzy extractor based on universal hashes
BŠ and Pim Tuyls
Fuzzy Extractor / Helper Data scheme
Dodis et al. 2003; Juels+Wattenberg 1999; Linnartz+Tuyls 2003
[Diagram label: noisy]
• Properties
  • Secrecy and uniformity: Δ(WS; WU) ≤ ε. "S given W is almost uniform"
  • Error correction: If X' sufficiently close to X, then S'=S.
  • Robustness [Boyen et al. 2005]: Detection of active attack against W
• Applications
  • privacy preserving biometrics
  • anti-counterfeiting ("object biometrics")
  • PUF-based key storage
Fuzzy Extractor: Efficiency
[Diagram label: noisy]
• What's so special?
  • Redundancy data (in W) must not leak info about secret S.
  • Make near-uniform S from non-uniform X.
  • How to authenticate W when there is no PKI?
• "Efficiency"
  • Extract as many reproducible bits from X as possible.
  • Low storage requirements.
  • Small computational load.
Limited noise
[Diagram: Example; labels x, x']
• Common class of noise
  • Considerable prob. that x' ≠ x.
  • Small number of likely x'.
• Problematic for error correcting codes
  • Most codes work best with low error rate
  • Cannot exploit non-uniform error patterns (low entropy of errors)
  • Entropy loss.
Universal hash functions
[Diagram labels: Fr with random r; L bits]
• Def: δ-almost universal hash functions Fr. For fixed x and x':
• Not a cryptographic hash
• Main purpose: uniformity
• Light-weight implementation in hardware and software.
• Information-theoretic properties.
  • Does not rely on unproven security assumptions
Fuzzy Extractor based on universal hash functions
[Diagram labels: p, q, r; redundancy for error correction; MAC key; secret key; attack; p', q', r', w', m']
Publicly stored enrolment data: p, q, r, w, m:=MAC(v; pqrw)
• Key reconstruction procedure
  • Measure x'. Read p', q', r', w', m'.
  • Make list L of likely candidates.
    • Must be manageable!
  • Find x in L such that Ψp'(x)=w'.
    • Sort of Slepian-Wolf
  • Compute v'=Γq'(x).
  • Check if MAC(v'; p'q'r'w')=m'.
  • If okay, reconstruct secret s=Φr'(x).
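The enrolment and key reconstruction steps above, as an added Python example that is not code from the slides. Assumptions: Ψ, Γ and Φ are all instantiated with the Carter-Wegman family ((a·x + b) mod P) truncated to the output length, HMAC-SHA256 stands in for the MAC (the slides do not name one), the candidate list L is the Hamming ball of radius t around the measurement, and all bit lengths are illustrative.

```python
import hashlib
import hmac
import secrets
from itertools import combinations

# Assumed parameters (not from the slides): 256-bit x, t-bit-flip noise model.
N_BITS, W_BITS, V_BITS, S_BITS = 256, 32, 128, 64
P = (1 << 521) - 1  # Mersenne prime larger than any x

def new_key():
    """Random index (a, b) of one member of the hash family, a != 0."""
    return (secrets.randbelow(P - 1) + 1, secrets.randbelow(P))

def uhash(key, x, out_bits):
    """((a*x + b) mod P) truncated to out_bits: almost universal, not cryptographic."""
    a, b = key
    return ((a * x + b) % P) & ((1 << out_bits) - 1)

def mac(v, p, q, r, w):
    """Stand-in MAC over the helper data, keyed with v (HMAC-SHA256 is an assumption)."""
    msg = repr((p, q, r, w)).encode()
    return hmac.new(v.to_bytes(V_BITS // 8, "big"), msg, hashlib.sha256).digest()

def enroll(x):
    """Return public helper data (p, q, r, w, m) and the secret s."""
    p, q, r = new_key(), new_key(), new_key()
    w = uhash(p, x, W_BITS)  # redundancy for error correction (public)
    v = uhash(q, x, V_BITS)  # MAC key, never stored
    s = uhash(r, x, S_BITS)  # secret key, never stored
    return (p, q, r, w, mac(v, p, q, r, w)), s

def candidates(x_meas, t):
    """List L: every value within Hamming distance t of the measurement."""
    yield x_meas
    for k in range(1, t + 1):
        for bits in combinations(range(N_BITS), k):
            c = x_meas
            for b in bits:
                c ^= 1 << b
            yield c

def reconstruct(x_meas, helper, t=2):
    """Return s, or None if no candidate fits or the helper data was modified."""
    p, q, r, w, m = helper
    for x in candidates(x_meas, t):
        if uhash(p, x, W_BITS) != w:  # candidate does not match the redundancy
            continue
        v = uhash(q, x, V_BITS)
        if hmac.compare_digest(mac(v, p, q, r, w), m):
            return uhash(r, x, S_BITS)
    return None
```

With t=2 the list holds 32,897 candidates, which illustrates the "must be manageable" constraint: the list size, not a code's decoding radius, bounds the noise this construction tolerates.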
Robustness: KMS-MAC
• Robustness
  • Ordinary MAC insufficient
  • MAC with Key Manipulation Security? [Cramer et al, Eurocrypt 2008]
    • Assumes strong attacker. Key Linearity: ΔK = known function of w and modified w'.
  • We do not have the linearity property! (Also the case for other types of helper data.) Effect of modifying helper data unknown to attacker.
  • KMS-MAC is overkill.
Theorem: If then Δ(PQRWM S; PQRWM U) ≤ ε.
Part 2: Simplification of Controlled PUF primitives
BŠ and Marc X. Makkes
Eindhoven University of Technology
CPUF protocols
• Controlled PUFs (CPUFs)
  • PUF shielded from the outside world by control layer
  • control layer restricts PUF input & output
  • more secure than "bare" PUF
• Protocols exploiting large number of Challenge-Response Pairs
  • Gassend et al 2002, 2007, 2008
  • Each user has shared secret (CRP) with CPUF
  • Symmetric crypto
  • Certified Execution, Proof of Execution, key renewal, ...
  • Presented as API code
  • Self-referential 'hash blocks'
Self-referential use of program hashes
E-Proof generation: computes a hash over the hash block
Simplification
• Avoid hashes of control layer code
• Flowchart notation
• Basically the same protocols; minor modifications
• Helper data explicitly visible
Some wise concluding remarks
Boris: None of this is rocket science, and the results are far from spectacular ... so I will not complain if you don't put any of this in the schedule.
Ahmad: (...) And we do not need rocket science. By the way, rocket science is very easy, this is a fairy-tale that rocket science is difficult. You buy some explosive powder and some metal container and you put them together.