Abstract
Paral and Devadas introduced a simple key generation scheme with a physically unclonable function (PUF) that requires no error correction, e.g., by using a fuzzy extractor. Their scheme, called a pattern matching key generation (PMKG) scheme, is based on pattern matching between auxiliary data, assigned at the enrollment in advance, and a substring of PUF output, to reconstruct a key. The PMKG scheme repeats a round operation, including the pattern matching, to derive a key with high entropy. Later, to enhance the efficiency and security, a circular PMKG (CPMKG) scheme was proposed. However, multiple round operations in these schemes make them impractical. In this paper, we propose a singleround circular PMKG (SCPMKG) scheme. Unlike the previous schemes, our scheme invokes the PUF only once. Hence, there is no fear of information leakage by invoking the PUF with the (partially) same input multiple times in different rounds, and, therefore, the security consideration can be simplified. Moreover, we introduce another hash function to generate a check string which ensures the correctness of the key reconstruction. The string enables us not only to defeat manipulation attacks but also to prove the security theoretically. In addition to its simple construction, the SCPMKG scheme can use a weak PUF like the SRAMPUF as a building block if our system is properly implemented so that the PUF is directly inaccessible from the outside, and, therefore, it is suitable for tiny devices in the IoT systems. We discuss its security and show its feasibility by simulations and experiments.
1. Introduction
The Internet of Things (IoT) is widely spread to make us more intelligent, efficient, and comfortable. In IoT systems, devices are located everywhere to exchange their sensing data and their control information. On the other hand, lots of devices in these systems are resourceconstrained where it is hard to implement security functions. Unlike the closed system with a limited number of devices, in the IoT systems, attackers are able to obtain devices to analyze them maliciously, and therefore they can be weak points of these systems.
Let us consider the safety of the IoT systems. First of all, the reliability of data is important because the devices work unwillingly with the improper data, especially with the data manipulated by the attacker. Moreover, the correctness of the firmware including the safety functionalities, such as the failstop and the failtolerance, is also important. In order to avoid the manipulation of the firmware by attacker so that the safe functionality does not work, the firmware should be well protected and securely updated. Both for the data reliability and for the firmware correctness, the security is essential. Hence, securing such devices is one of our emerging challenges. Particularly, the management of key is a crucial task.
The physically unclonable function (PUF) is one of the promising primitives to improve the security of tiny devices. It derives a unique value for each device (function) from its fine characteristics. For example, the SRAMPUF [1–3] uses initial states of the SRAM cells just after the poweron as such characteristics; and, the ArbiterPUF [4–6] uses the logic delays of a dualrail circuit as such ones. The unique value derived is used as (a source of) an identity (ID) or a cryptographic key. The PUF is suitable for a tiny device for the following two reasons. First, since these characteristics naturally arise during the manufacturing process, we can remove the process of embedding an ID or a key and decrease the manufacturing cost. Second, since analyzing the unique and fine characteristics is difficult, it can be regarded as a secure and tamper evident storage which proves the physical manipulation for analyzing the key.
On the other hand, the output of PUF may include a small noise for each invocation, e.g., % or up to % noise in the signal, because of external factors such as external/ambient temperature variations and/or supplied voltage variations. In order to use the output as a cryptographic key, the noise should be removed by error correction techniques, such as the fuzzy extractor [7, 8], because the cryptographic results completely differ if the key differs by only one bit. The fuzzy extractor, however, includes a complex error correction code whose cost might be high for the tiny devices.
1.1. Pattern Matching Key Generation Using PUF
Paral and Devadas [9] gave an interesting solution to remove the noises without an error correcting code. Their proposal uses a pattern matching which only estimates the Hamming distance between two strings. Their main idea is to regard the index (bit position) indicating a substring of the PUF output as a secret, instead of the (sub)string of PUF output itself. This scheme is called a pattern matching key generation (PMKG) scheme.
The PMKG scheme consists of multiple rounds. In each round of its enrollment phase, a key generation device extracts a substring of PUF output indicated by a secret index and stores the substring into the public (and maybe insecure) nonvolatile memory (NVM) area, as auxiliary data. The PMKG scheme regards a (hash value of a) concatenation of the substrings as a secret key. In each round of its reconstruction phase, the device compares a noisy PUF output with the stored auxiliary data and recovers the corresponding index and eventually the key.
Against the PMKG scheme, Delvaux and Verbauwhede [10, 11] gave attacks, named snake attacks, to recover the secret indices. Their attacks modify the auxiliary data stored in the NVM bit by bit in each round and detect the index by running the device with the modified data. To avoid the snake attacks, they also suggested regarding the PUF output as circular data. We call the scheme a circular PMKG (CPMKG) scheme.
The PMKG (CPMKG, respectively) scheme stores, for each round, the substring (resp., circularly shifted string) of PUF output into the NVM as auxiliary data. If two auxiliary data pieces for different rounds have the same substring (intersection), it might leak information on the secret indexes for the corresponding rounds. To mitigate the leakage, there are several solutions. The first one is to control the inputs of PUF for rounds to avoid such intersection. Another one is to enlarge the input/output space so as to neglect the intersection. These solutions increase the implementation cost and may be inappropriate for tiny devices.
1.2. Our Contribution
In this paper, we propose a simple and efficient PMKG scheme, named a singleround circular PMKG (SCPMKG) scheme. Unlike the previous schemes, the SCPMKG scheme consists of a singleround operation with multiple indexes. It divides a PUF output into multiple substrings, circularly shifts each substring by each secret index, and stores the shifted data into the NVM as auxiliary data. Moreover, it also stores a hash value, as a check string to check the correctness of the key reconstruction, into the NVM.
By reducing the number of rounds in the (C)PMKG scheme to one, we need not care for the information leakage from the PUF output strings in the auxiliary data with the (partially) same input, and therefore the security discussion can be simplified. In addition, the check string not only disables the manipulation attacks but also ensures the provable security of our scheme in the random oracle model [12]. We give a security proof under the condition (assumption), for simplicity, that there is no adversarial interface to access the internal PUF. This condition also provides our choice of the PUF candidates applicable to the SCPMKG scheme. Without such interfaces, machine learning attacks to the PUF are impractical, and, hence, various PUFs can be applicable to the SCPMKG, including a weak PUF such as the SRAMPUF. (The modeling attack requires challengeresponse pairs (CRPs) of PUF, which is applicable to PUF applications where adversaries can obtain the PUF CRPs, such as an authentication with PUF. In the application of the key generation, adversaries can obtain the PUF outputs from auxiliary data. Against this application, the modeling attack could be meaningless for the following two reasons. First, the corresponding inputs for the auxiliary data are unknown to adversaries. Second, the number of auxiliary data is limited; for example, if the key generation device is specific to a key of certain application, adversaries can obtain PUF outputs only for the key.) Note that, on the provable security, we can relax the assumption where there are adversarial interfaces to the PUF except one to directly access the output corresponding to the target key, as we discuss in Section 4.3. Such discussions on the adversarial conditions and the security show that the security coengineering for the developments of the PUF devices and of the PUF application is important.
Furthermore, we check its feasibility by simulations and experiments. We also check the validity with theoretical estimation. Our theoretical estimation can derive parameter candidates not only for the SCPMKG scheme but also for the CPMKG schemes. From our discussion, the SCPMKG scheme is secure and efficient rather than the previous PMKG schemes; and, therefore, it is suitable for tiny devices to tackle the emerging threats against the IoT systems.
1.3. Organization
In Section 2, we give the definitions of PUF and PUFbased key generation scheme. We then review the constructions of previous PMKG schemes and discuss their drawbacks in Section 3. In Section 4, we present the SCPMKG scheme and discuss its security. We then test its feasibility and make comparisons among the PMKG schemes in Sections 5 and 6, respectively. Finally, Section 7 concludes this paper.
2. Definition
In this section, we review definitions of the PUF and PUFbased key generation scheme.
2.1. PUF
References, such as [13, 14], gave a definition of the PUF with several properties. In this paper, we regard the PUF as a physical function satisfying relaxed properties below, in order for various types of PUF to be applicable to our PMKG.
Definition 1 (PUF). A family of physical functions is called the family of PUFs if these functions satisfy the following properties.(1)Each function works within polynomial steps(2)Each function produces an output including a small noise; however, the signaltonoise ratio is high enough to remove the noise by using an error correcting code. Hence, it acts as a function which provides a particular output for an input(3)It is practically hard to characterize or clone each function(4)Functions produce unique outputs per each of them
The third property does not ensure that it is hard to characterize or clone the physical function. The function may be characterized or cloned in future, if more sophisticated physical equipment to analyze it appears. In this paper, we regard the SRAMPUF, ArbiterPUF, and ringoscillator PUF (ROPUF) with fine processes and careful designs as PUFs.
We give a security assumption of PUF, which is a formal description of above third condition, to be used in the security proof of the SCPMKG scheme.
Definition 2 (indistinguishable PUF). Let and be input and output lengths of PUF, respectively. We state that a physically unclonable function PUF is indistinguishable in if any adversary , within the time bound , cannot achieve an advantage more than , even if observes inputoutput pairs . The advantage is defined with − . Here, is allowed to output where there is no overlap between and the observed PUF outputs for .
This indistinguishability captures the unpredictability and unclonability, which relate to the third property of Definition 1. Intuitively, the advantage is a metric of adversary’s ability to distinguish the PUF output from a random string. The distinguishing game is as follows: The adversary chooses an input for the PUF and receives either an output or a random string . outputs 1 if supposes that . In this game, may collect inputoutput pairs of PUF, as hints, by accessing the PUF oracle.
Let us assume the SRAMPUF. In the SRAMPUF, the challenge is an bit address , and the output is a sequence of initial states of SRAM cells starting with an address . Definition 2 allows to collect a pair for . With these pairs, the ’s restriction stated in Definition 2 means that is disallowed to output where any subsequence of is included in .
2.2. PUFBased Key Generation
We then review a definition of the PUFbased key generation (PBKG) scheme.
Definition 3 (PUFbased key generation, PBKG). A PBKG scheme consists of the following two phases. (i)Enrollment phase: A key generation device in the PBKG scheme assigns a key and auxiliary data which help to reconstruct the key from a noisy PUF output in the next phase. The auxiliary data are stored into a public (maybe insecure) nonvolatile memory (NVM). Note that the device can generate the key inside itself or receive the key from outside.(ii)Reconstruction phase: The key generation device regenerates the PUF output with some noises, loads the auxiliary data from the NVM, and reconstructs the key from these data.
We then review a definition of security for the PBKG scheme. As Datta et al. [15] discussed, the indistinguishability [16, 17] may be inadequate if the PBKG scheme is composed of another cryptographic protocol, such as an encryption scheme or message authentication code (MAC). This is because even though a key derived from the PBKG scheme is indistinguishable from a random string, the indistinguishability can be lost when the key is used, e.g., to encrypt a (partially) known message. In order to ensure the security for a combination of the PBKG scheme and a cryptographic protocol, we should customize the definition of its security by modeling an adversary to collect hints from both the PBKG scheme and the cryptographic protocol; namely, to access oracles of the scheme and the protocol, respectively. In this paper, we propose a PBKG scheme for a general purpose. Therefore, we discuss the indistinguishability [16, 17] as follows.
Definition 4 (indistinguishable PBKG). Let be a bit length of a key derived from a PBKG scheme. We say that the PBKG scheme is indistinguishable in if any adversary , within the time bound , cannot achieve an advantage more than even if invokes a key generation device with a (maybe intentionally modified) auxiliary data at most times. Here, the advantage is defined with , where and .
3. Previous Works and Their Drawbacks
This section reviews the PMKG and CPMKG schemes and discusses their drawbacks.
3.1. PMKG Scheme
Figures 1 and 2 show the building blocks of the PMKG scheme [9] in its enrollment and reconstruction phases, respectively. They use the following functions.(i)PUF: Physically unclonable function which, given an bit input , outputs an bit string (ii)CS: Challenge sequencer which, given at least one bit index and a flag as inputs, outputs the input of PUF (iii)KGF: Key generation function which, given a set of bit indexes , outputs an bit key (iv)pattern match: Comparator which, given bit () auxiliary data stored in a public NVM and an bit PUF output, looks for an index that leads an bit substring of PUF output near to the auxiliary data. It may look for an index with which the distance between auxiliary data and substring indicated by the index is less than some predetermined threshold and/or with which the distance is the smallest among all substring candidates
Paral and Devadas [9] used the ArbiterPUF as a building block which outputs only one bit per an input. In order to obtain an bit output with the ArbiterPUF, generates inputs sequentially from index(es), instead of one input as above, within each round. And then returns bit output in total with the inputs in the round. More precisely, we extend the above notations; we extend to output inputs (by regarding as ), and we extend to output an bit concatenation for inputs . Note that the above notations naturally cover the SRAMPUF. Throughout this paper, for simply, we use the above notations regardless of the type of PUF.
The PMKG scheme uses four registers: an input register, an output register, an index register, and a key register, as depicted in Figures 1 and 2. The input register holds an input of PUF. The output register holds an output of PUF and it is randomly accessible. The index register holds a set of indexes. The key register holds a recovered key to pass it to the cryptographic protocol.
The PMKG scheme also uses the public NVM. In the enrollment phase, a key generation device stores a set of substrings of PUF outputs as a set of auxiliary data into the NVM. In the reconstruction phase, the key generation device loads the auxiliary data and uses it to reconstruct the key. Note that the NVM may be insecure and the stored auxiliary data may be modified by an adversary.
Protocol 1 (PMKG). Let , , , and pattern match be functions as above. A PMKG scheme consists of two phases: an enrollment phase and a reconstruction phase below.
Enrollment phase: A key generation device repeats a round operation times with indexes . The index is an initial input of CS and we assume that it is fixed and stored into the NVM in advance. (Since the NVM is public, we assume that is observable by adversaries. At the final steps of enrollment and reconstruction phases, we remove from the input of , because its observable value does not increase the entropy of a key.) Other indexes may be also fixed in advance or randomly generated inside the device, and we assume the former case here. This phase consists of the following steps.(1)The key generation device sets flag to one(2)For , the device repeats the following steps:(a)It inputs into to generate an input of PUF (b)It inputs into to generate a PUF output (c)It stores a substring of PUF output into the NVM. Here, denotes a substring of , consisting of its th to th bits(3)It regards as
Reconstruction phase: The key generation device repeats a round operation times to recover the indexes and eventually the key, assigned at the enrollment phase. Note that a PUF output in this phase may differ from that in the enrollment phase. We add prime marks to the variables in this phase. This phase consists of the following steps.(1)The key generation device sets flag to one(2)For , the device repeats the following steps:(a)It inputs into to generate an input of PUF (b)It inputs into to generate a PUF output (c)It loads auxiliary data from the NVM(d)It looks for an index indicating the substring of (from th bit to th bit) near to from the pattern match. If a mismatch happens, namely, if such an index is not detected or if more than one index is detected, and are set with a constant value, e.g., and zero, respectively(3)If , then it inputs into to recover . Otherwise, it aborts.
Paral and Devadas [9] regarded as a XOR PUF which blends outputs of four independent ArbiterPUFs. The blended PUF decreases a correlation between inputs and outputs of PUF; and therefore it makes the machine learning attacks [18] meaningless. The more the number of blend increases, the more difficult the attack is. In this paper, we assume that the PUF is ideal and indistinguishable as in Definition 2 where there is no correlation between the inputs and the outputs. To realize such PUF, the blending is one of solutions.
The PMKG scheme has several drawbacks as follows. First of all, it requires lots of PUF output, and therefore it may be unsuitable for tiny devices in the IoT systems. The key generation device regards the bit substring out of the bit PUF output as auxiliary data. In other words, it discards the remaining bit in each round. In [9], they assumed that, as an example, and . With this example, the bits, out of PUF output bits, are discarded. It makes the PMKG scheme inefficient, by requiring the execution time to generate the 16368 PUF output bits and the power consumption more.
In addition to its inefficiency, it has a security vulnerability, caused by attacks with an NVM manipulation. Such a manipulation leads mismatches in its reconstruction and these mismatches change the device’s behavior. Delvaux and Verbauwhede [10, 11] gave attacks, named snake attacks, which modify the auxiliary data in the NVM, invoke the key generation with the modified one, and guess the index by observing its behavior.
Specifically, their attacks repeatedly modify the auxiliary data in the NVM to be (noncircularly) one bit shifted by guessing the next bit of PUF output. If the modified auxiliary data move out of the range of the PUF output with a large amount of shift, a mismatch happens and the device’s behavior changes; until the amount is less than or equal to the distance to head or end, the device outputs a key, which should be different from the assigned one because inputs for and differ; on the other hand, if it exceeds the distance, the device aborts because the mismatch happens. Namely, the snake attacks repeat the shift and guess by increasing its amount of shift until the device’s behavior changes and return the amount as its guess for the secret index.
3.2. CPMKG Scheme
To enhance the efficiency and/or the security, a circular PMKG (CPMKG) scheme was proposed in [10, 19] independently and further discussed in [11, 20], respectively. It regards PUF outputs circularly shifted by secret indices as auxiliary data.
Figures 3 and 4 show its building blocks. As for PUF, CS, pattern match, and KGF, we use the same notations as ones for the PMKG scheme, while we set in . In addition to them, it also uses the function rotate:(i)rotate: rotate function which, given an bit string and an amount of circularity , circularly shifts by bit
Protocol 2 (CPMKG). Let PUF, CS, pattern match, and KGF be functions as in the PMKG scheme, except that the output length of the PUF is not bit but bit. Also let rotate be a function as above. The CPMKG scheme consists of following two phases: an enrollment phase and a reconstruction phase below.
Enrollment phase: A key generation device repeats a round operation times with indexes . The index is an initial input of CS and we assume that it is fixed in advance and stored in the NVM. Other indexes may be also fixed in advance or randomly chosen inside the device, and we assume the former case. This phase consists of the following steps.(1)The key generation device sets flag to one(2)For , the device repeats the following steps:(a)It inputs into to generate an input of PUF (b)It inputs into to generate a PUF output (c)It stores a circularly shifted PUF output into the NVM as auxiliary data(3)It regards as
Reconstruction phase: The key generation device repeats a round operation times to recover the indexes and eventually key, assigned at the enrollment phase. This phase consists of the following steps.(1)The key generation device sets flag to one(2)For , the device repeats the following steps:(a)It inputs into to generate an input of PUF (b)It inputs into to generate a PUF output (c)It loads auxiliary data from the NVM(d)It looks for an index indicating the circularity shifted string near to from the pattern match. If a mismatch happens, namely, if such an index is not detected or if more than one index is detected, and are set with a constant value and zero, respectively(3)If , then it inputs into to recover . Otherwise, it aborts
Unlike the PMKG scheme, the CPMKG scheme uses the whole (circularly shifted) PUF output as auxiliary data. Removing the discarding of PUF outputs enhances its efficiency compared to the PMKG scheme. Moreover, since there is no head or end in the circularity, the snake attacks are meaningless to the CPMKG scheme.
However, in order for the CPMKG scheme to be in use, there are technical issues to be considered. The most important one is a careful design of . The circularly shifted PUF outputs are stored in the public NVM as auxiliary data in the CPMKG scheme; and, here, if some of them have intersections, the information of the corresponding indexes may be leaked. Hence, to ensure the security of CPMKG scheme, should be designed leading to no intersection over rounds.
4. SingleRound Circular PMKG Scheme
In this section, we propose a simple PMKG scheme, named singleround circular PMKG (SCPMKG), and show its security against manipulation attacks.
4.1. Our Idea
We construct the SCPMKG scheme, based on the CPMKG scheme, by improving the simplicity and security as follows.(i)Simplicity: Unlike the previous PMKG schemes with round operations, the SCPMKG scheme is performed within a singleround. In order to increase the entropy of key efficiently, the previous schemes prepare PUF output strings with bit each. On the other hand, the SCPMKG scheme prepares an bit PUF output string and divides it into substrings with bit each. From this change, there is no fear to overlap among the (sub)strings and the security discussion can be simplified. Moreover, the simple design helps us to develop devices.(ii)Security: To detect and defeat the manipulation attack, we introduce a check string to confirm the correctness of the key reconstruction. The string is derived from a cryptographic hash function with which, by regarding it as a random oracle, we can theoretically prove the security of the SCPMKG scheme.
The following subsections give our construction and the security consideration.
4.2. Construction
As for , CS, , pattern match, and KGF, we use the same notations for the CPMKG scheme, except that we assume for as in the PMKG scheme. Additionally, our scheme uses a hash function , to check the integrity of a reconstructed key.(i)hash: Cryptographic oneway hash function which, given an bit , returns an bit check string
Protocol 3 (SCPMKG). Let , , , pattern match, and be functions as in the CPMKG scheme, except that we assume for an integer , and let be a hash function as above. The SCPMKG scheme consists of the following two phases: an enrollment phase and a reconstruction phase below.
Enrollment phase: A key generation device with indexes performs an enrollment as follows. The index is an initial input for CS and we assume that it is fixed in advance and stored in the NVM. Other indexes may be also fixed in advance or randomly chosen inside the device, and we assume the former case. This phase consists of the following steps.(1)The key generation device inputs into to generate an input of PUF (2)It inputs into to generate a PUF output(3)It divides the PUF output into substrings with bit each(4)It stores for into the NVM as auxiliary data(5)It computes (6)It computes and stores it into the NVM as a check string
Reconstruction phase: The key generation device recovers the indexes and eventually the key, assigned at the enrollment phase. This phase consists of the following steps.(1)The device sets flag to one(2)It inputs into to generate an input of PUF (3)It inputs into to generate a PUF output(4)It divides the PUF output into substrings with bit each(5)For , it repeats the following steps:(a)It loads auxiliary data from the NVM(b)It looks for an index indicating the circularity shifted string near to from the pattern match. If a mismatch happens, and flag are set with a constant value and zero, respectively(6)If , then it inputs into to compute . Otherwise, it aborts(7)It loads a check string from the NVM(8)If holds, it regards as the reconstructed key. Otherwise, it aborts
There are two advantages in the SCPMKG scheme. The first one is that, from its simple construction with a singleround, we do not need to pay attention to the intersections of auxiliary data over rounds. It simplifies the design of and the security consideration. The second one is that, by introducing the check string, the security against manipulation attacks of the NVM is ensured, if is an ideal hash function (random oracle [12]). We discuss the security in the following subsection.
4.3. Security Consideration
As in the CPMKG scheme, since the auxiliary data is obtained from the circularly shift of the PUF output, the snake attacks are invalid for the SCPMKG scheme. In addition, we can prove that the SCPMKG scheme is an indistinguishable PBKG scheme in the random oracle model [12]. As for the security, the following theorem holds.
Theorem 5. Assume that is an indistinguishable PUF in and that is the random oracle. Then, the SCPMKG scheme is an indistinguishable PBKG in whereHere, denotes an execution time of the SCPMKG scheme.
The proof is done by the contradiction. Namely, we show that if there exists an adversary against the SCPMKG scheme, we can construct an algorithm , which uses as a subroutine, to break the indistinguishability of . The construction of is simple and we give a proof in the Appendix.
Note that, in Theorem 5, we assume that for the underlying PUF. The condition of makes the PUF strongly protected within the system, lest no PUF output for an adversarial input is observable. However, there is a tradeoff between the assumptions for the secure system () and for a secure PUF (, see next paragraph). The condition we assume relaxes the choice of PUF because we can neglect the fear of the machine learning attacks [18], and because we can use a weak PUF with a small inputoutput space, such as SRAMPUF.
We can extend the security model of Definition 4 so that an adversary against the PBKG scheme is allowed to collect inputoutput pairs of the underlying PUF; that is, we can consider the security model with a powerful adversary. In this case, the indistinguishability of the PBKG scheme is defined with fourtuple , instead of threetuple , where the adversary accesses the PBKG and PUF oracles at most and times, respectively. With this extension, we can prove another theorem, if the underlying PUF is indistinguishable in , instead of . If is so large, a weak PUF may not be a possible choice for our system. Note that, even with this extension, the adversary of the SCPMKG scheme should be restricted not to access the PUF oracle on corresponding to the target key. To simplify the security proof, this paper discusses the security without the extension.
Regardless of whether the model is extended or not, we require the PUF so that its output is unobservable by invalid interface other than the interfaces in Definition 2. As for the SRAMPUF, for example, to avoid the physical probing attack [21, 22], we should choose an appropriate PUF, with a fine process [23], etc.
4.4. Notes on Parameters
The SCPMKG scheme is parameterized with the following parameters: , , , , and . If the pattern match in the reconstruction phase looks for the index with a threshold, the threshold is also required.
Among them, and (and, therefore, and ) relate to the security. The (Shannon) entropy of key source is estimated by . To ensure the bit entropy for the source, we set them so that exceeds . In addition, also relates to the security. The larger it is, up to , the harder the manipulation attack is.
On the other hand, and relate to the correctness. There are two failure scenarios in reconstructing the key: the pattern match fails at Step (5)(b) or the hash value does not match the check string at Step (8). Note that if the indexes are correctly recovered at Step (5)(b), the verification at Step (8) should succeed. Hence, let us discuss the failure at Step (5)(b).
The pattern match at Step (5)(b) looks for an index with which the distance between a substring candidate and the auxiliary data is less than and/or the smallest, as stated in Section 3.1. In order for the pattern match to be performed with only the former criterion, should be set with adequate value (and additional criterion to narrow index candidates, if necessary) so that only the correct index is detected. With the latter criterion, it is easy to see that the index can be correctly recovered if is large. Note that, under the condition that each bit of PUF output is independent of other bits, the distances for correct and incorrect indexes are expected about and , where is a bit error rate, respectively. Namely, if increases, the gap between these distances also increases and the correct index is detectable. In the next section, we check the relation between and the correctness of the recovered index (key). The combination of the first and second criteria, first finding index candidates with a loose threshold and then detecting the index with the smallest distance, enables not only the recovery of correct index but also the detection of system errors from faults and manipulation attacks.
5. Feasibility Tests
In this section, we test the feasibility of the SCPMKG scheme by simulations and experiments, respectively.
5.1. Simulation
We first check the feasibility of the SCPMKG scheme by a simulation with an approximation analysis. In this simulation, we estimate the failure probability in the key reconstruction by changing parameters , , and where is a bit error rate in the PUF output. Following Paral and Devadas [9], for each , we set so that the entropy of input for is bit. For example, if we use , we set as a minimum integer so that .
Table 1 summarizes the failure probability for and from to . Here, we assume and for because is a well discussed parameter for PUF instantiations and is an average of bit error rate in our experiments below. As for , we set for each by a minimum integer as in the above case for . With and , is a length of the PUF output. For each and , the “prob. (sim)” shows the failure probability from the simulation, which is estimated as shown in Algorithm 1.

For each , we tried reconstructions, in total. (In Table 1, “0” means that there is no error for , which means that prob. (sim) is less that .) From our simulation, () or () should be enough for the key reconstruction with the failure probability less than .
We also estimate the failure probability by an approximation analysis, as shown in “prob. (approx)” in Table 1.
Let us discuss the distance between a substring stored in the NVM and one circularly shifted by the correct index. The distance follows the binomial distribution . We approximate it with the normal distribution . Similarly, we approximate the distribution of the distance related to an incorrect index with the normal distribution .
In case the distance for the correct index is more than one for the incorrect index, the wrong index is recovered. Let us denote the probability by . The difference between the distances for correct and incorrect indexes follows the normal distribution where and , which is a composite (difference) of two normal distributions. With this notation, can be estimated by
Note that there are wrong candidates for one index. If is small enough, the probability where one of wrong index is recovered is estimated by . Also note that there are indexes to be recovered. Similarly, the probability where one of index is incorrectly recovered among substrings is approximated by . “prob. (approx)” in Table 1 summarizes the failure probability for each , (and ), and .
Since the approximations are inappropriate for small parameters, there are gaps between the failure probabilities from simulation and our approximation analysis. However, our analysis seems valid for large ; namely, and are large enough, when is and , respectively, so that the failure probability is negligible.
5.2. Experiments with Nucleo Boards
We then test the feasibility with two NucleoF401RE boards (http://www.st.com/en/evaluationtools/nucleof401re.html (accessible on Nov. 9, 2018)) by STMicroelectronics. We load initial SRAM bits on each board and regard them as an output of SRAMPUF. The experiments are performed in the room temperature and the power is supplied by the USB interface. (The characteristics of PUF would change by environments such as temperature and supplied power voltage. Refer to Chapter of [24], for instance. The success rate of the key reconstruction depends on the bit error rate of PUF. We should select adequate parameters, such as and , with the worst error rate among the different environments.) The averages of bit error rate for 4,096 SRAM bits on these boards are % and %, respectively. Here, the bit error rate is evaluated, in a simple manner, by a difference between the bit for the first read and bits for the following 10,000 reads.
Similar to the above simulation, we estimate the failure probability by changing . For each board, we try the reconstruction 10,000 times. Table 2 summarizes the failure probabilities for two boards, respectively. (Similar to Table 1, “0” means that there is no error for and that the failure probability is less than .)
For small , the probabilities differ from those of Table 1. This is because, different from the simulation, the initial values of SRAM cells are not uniformly random, and their stabilities are not constant for each bit. With larger , the probabilities in our experiment are close to those in the simulation. Note that since the initial values of SRAM cells are not uniform, if we use this SRAM as SRAMPUF directly, the resulting SCPMKG scheme might be insecure. From our observations, the initial values of SRAM cells have certain bit patterns; and therefore regarding either a concatenation of first bits of each byte or an XORed value of different cells like XOR PUF as an output of the SRAMPUF may be a solution to enhance the security of the SCPMKG scheme.
5.3. Experiments with Open Dataset
In order to check the feasibility with a different type of PUF, we use the ring oscillators’ (ROs’) frequencies which are available at the Secure Embedded Systems (SES) Lab at Virginia Tech (http://rijndael.ece.vt.edu/puf/download.html (accessible on Nov. 9, 2018)). We select “Full Standard Dataset Oscillator Counts.” The dataset includes 100 oscillator counts for 512 ROs of 193 Xilinx Spartan3E FPGA boards (XC3S500E) under the standard temperature/voltage. Using these ROs’ counts, up to bits of ROPUF can be derived. We implement the SCPMKG with some of them. The average bit error rate for the first 1728 ROPUF bits is 1.21%.
In the dataset, there are only 100 samples for each board. In the feasibility test, we evaluate the average and maximum of failure probabilities over 193 boards. Table 3 summarizes them. (Similar to Table 2, “0” means that the failure probability is less than .)
Since the bit error rate (1.21%) is smaller than that of Nucleo boards (approx. 3%), the failure probabilities are also small. That is, for the correctness, fewer PUF output bits are required, for example, .
6. Discussion
Table 4 summarizes the comparison among the PMKG, CPMKG, and SCPMKG schemes. Let us discuss the detail of each item below. We refer to [9, 25] for parameters of the PMKG and CPMKG schemes, respectively. As for CPMKG, we also add parameters, in parentheses, which we estimate by the similar theoretical approximation of Section 5.1. Note that the authors of [9, 25] decided the parameters so that the failure in key reconstruction should be negligible (with probability less that ).
“” is a bit length of an output of . References [9, 25] set it to , and we follow them for the SCPMKG scheme. In order to generate the bit key, the previous works [9, 25] assumed that the source of the key had the bit entropy in preparation for the entropy loss of PUF output and the randomness of indexes; i.e., the sum of index lengths was supposed to be bit. We also follow them for the SCPMKG scheme and give it in the second line “” as the entropy of the source.
“” shows the entropy of an index. In the PMKG scheme, the index is an address of the first bit of substring. Paral and Devadas [9] set it with . In the CPMKG and SCPMKG schemes, on the other hand, the index is the amount of circular shift which is at most the length of the substring. Reference [25] followed [9] to set the length of the substring with , and therefore was set with . On the SCPMKG scheme, from our simulation and experiments, the length of substring seems enough with and we set with . As in parentheses, the length of substring for the CPMKG scheme can be similarly estimated with our approximation estimation, so that the failure probability is less than .
“♯rounds” is a number of rounds. On the PMKG scheme, to generate bit key with bit index per round, rounds may be enough. However, Paral and Devadas [9] used to make the entropy of source bit. Following them, we set the number of rounds to make the entropy of source bit or more. Similarly, in the CPMKG scheme, since the length of each index is eight, it is (or with our approximation). As for the SCPMKG scheme, the number of rounds is one.
“♯indexes/rounds” are a number of indexes per a round. In the PMKG and CPMKG schemes, they are one. On the other hand, in the SCPMKG scheme, it is to achieve the bit entropy.
“” is a bit length of a (sub)string of a PUF output to be patternmatched. It is the same as the bit length of each auxiliary data. They set it to which is expected to avoid the mismatch. As for the SCPMKG scheme, we set it to from our simulation. As in parentheses, the length of (and ones of items below) for the CPMKG scheme can be similarly estimated as ours, with the approximation estimation.
“” is a bit length of PUF output in each round. They set it with and 256, respectively. As for the SCPMKG scheme, since it requires substrings of 160bit in a round as we discuss, the length is .
“” is a bit length of PUF output in total, which is .
“” means the total length of stored data in the NVM, except . The total length of auxiliary data is estimated with . In the SCPMKG scheme, beside the auxiliary data, the check string is stored in the NVM. We assume that SHA256 is used as and the length is .
Although the CPMKG and SCPMKG schemes require fewer PUF outputs in total, they require additional functions, which derive an implementation and computation overhead, compared to the PMKG scheme. In the PMKG scheme, the index search can be performed sequentially. On the other hand, the CPMKG and SCPMKG schemes require the additional function rotate. In addition, the SCPMKG scheme requires the hash function to compute the check string.
The challenge sequencers for the PMKG and CPMKG schemes are carefully designed to avoid an intersection of auxiliary data over rounds as we discussed; however, its design for the SCPMKG scheme can be simple.
As for the security, the PMKG scheme is vulnerable against the snake attacks. The CPMKG and SCPMKG schemes are secure against the snake attacks. Let us discuss the provable security. Although [20] discussed the provable security of the CPMKG scheme, the security model did not take the manipulation attacks into consideration. It remains an open problem whether the CPMKG scheme is provably secure without a hash function which, in the SCPMKG, plays an important role in the provable security. On the other hand, the SCPMKG scheme is provably secure as in Theorem 5.
To summarize, compared to the PMKG scheme, the CPMKG and SCPMKG schemes are not only secure but also efficient; namely, they require less PUF output. In addition, the simple design to generate a challenge in the singleround of the SCPMKG scheme allows us to use even a weak PUF, like the SRAMPUF, as a building block. It is an advantage for applications with tiny devices, such as the IoT systems.
7. Conclusions
This paper proposes a secure and efficient PMKG scheme, the SCPMKG scheme, which saves the PUF output and allows a simple construction. It can be realized with even a weak PUF, such as the SRAMPUF, and is suitable for tiny devices in the IoT systems. Feasibility test with other types of PUF changing the environments is one of our future works.
Appendix
A. Proof of Theorem 5
Proof sketch: We construct as follows.(1) randomly generates , where is with prefixed length and for .(2) computes an input .(3) outputs as a challenge to receive as a target. If is in the real game (the real game is a challenge to whether can guess that the key is correctly generated; it corresponds to in Definition 4), is an output ; otherwise, if is in the random game (the random game is a challenge to whether fails to guess that the key is randomly generated; it corresponds to in Definition 4), is a random string over . The goal of is to distinguish these games.(4) proceeds to steps from to of the enrollment phase in Protocol 3, by regarding as an output of PUF. Note that, in the random oracle model, is defined by the random oracle through an oracle query.(5) gives as a challenge.(6)For a query from to the random oracle, answers it as follows.(a)If the query includes which chose at Step (1) above, aborts and fails the proof.(b)If the query does not include which chose at Step (1) above, passes the query/response between and the oracle.(7)For a query from to the SCPMKG scheme as a PBKG scheme, answers it as follows.(a)If , , or are not modified, returns to .(b)If at least one of , , and is modified with different values, returns nothing to .(8)If returns , returns .
In the above construction, fails the proof at Step (6)(a), with probability . Otherwise, if succeeds in distinguishing the games for the SCPBKG scheme, also succeeds in distinguishing the games for the PUF. Therefore, we have the theorem.
Data Availability
The data used to support the findings of this study are available from the corresponding author upon request.
Conflicts of Interest
The authors declare that they have no conflicts of interest.
Acknowledgments
This work was supported by JSPS KAKENHI Grant Number JP18H05289. We sincerely thank Dr. Jeroen Delvaux for his invaluable comments.