Physically Uncloneable Functions in the Universal Composition Framework. Christina Brzuska Marc Fischlin Heike Schröder Stefan Katzenbeisser

Transcription

1 Physically Uncloneable Functions in the Universal Composition Framework Marc Fischlin Heike Schröder Stefan Katzenbeisser

2 Security of s Optical Arbiter Coating Many other s bounded noise physically uncloneable unpredictable mathematically uncloneable one-way formal security model Cryptographic applications Slide 2

3 Applications + nice surprise Key agreement Oblivious Transfer Commitments OT COM at cost of one round All protocols UC-secure Canetti, Fischlin [CF01]: UC-secure commitments RO RO random function in a bo ¼ NPRO [CF01] etends to NPRO UC-secure commitment scheme from s (without cryptographic assumptions) Slide 3

4 Physically Uncloneable Functions ()? input domain Fuzzy measurement with bounded noise High(er) entropy for fresh challenge values output domain Slide 4

5 Physically Uncloneable Functions ()? Bounded noise High(er) entropy for fresh challenge values ok ok Superpolynomially big input domain some s Our Definition Needed for applications Slide 5

6 Attack Model If input domain is small, the adversary can measure the whole Small input domain can be used for key storage, weaker attack model Slide 6

7 NPRO: Fuzzy Etractors [DRS04] Goal: random function in a bo Not a function because of fuzzyness No uniform outputs, only high entropy outputs?? Fuzzy measurement: error correction High entropy for fresh input values, but not uniform: smooth out entropy fuzzy etractor Slide 7

8 NPRO: Fuzzy Etractors [DRS04] Fuzzy etractor RO? Fuzzy measurement: error correction High entropy for fresh input values, but not uniform: smooth out entropy fuzzy etractor Slide 8

9 NPRO: Fuzzy Etractors [DRS04] Fuzzy etractor RO? Almost: If two input values are close, output values might still related It two input values are far away, outputs are uniform and independent Slide 9

10 3 Main Properties for Application Correctness: Fuzzy((.)) is a mathematical function Well-Spread Domain: input domain random inputs value is usually far away from previous ones Uniform outputs: For values, that are far away from previous ones, the output is uniform (probability over: generation, evaluation, fuzzy etractor) Slide 10

11 Warm-Up: Key Agreement c r k Challenge c + fuzzy info c r k They compute the same key due to correctness property of Fuzzy((.)). When adversary measures, c is information-theoretically hidden. Due to the well-spread domain property, adversary only queries about values that are far away from c. Therefore, the value k is random from the point of view of the adversary due to the uniform outputs property. Slide 11

12 OT COM s 0, s 1 Draw s 0, s 1 s 0, s 1 OT s b b s b b Bit b is secret. Receiver learns only s b Main idea: OT receiver is COM sender b committed b COM b open Slide 12

13 Oblivious Transfer (OT) s 0, s 1 OT b s b s 0, s 1 b c r Draw random 0, 1 0, 1 b + c b + c + 0 r st 0 s 0 + st 0, s 1 + st 1, fuzzy r st b b + c + 1 st 1 Slide 13

14 Oblivious Transfer (OT) s 0, s 1 OT b s b 0, 1 b + c s 0 + st 0, s 1 + st 1, fuzzy Security against receiver via properties Security against sender information-theoretic. Hence, the resulting commitment scheme is secure against adaptive corruptions Slide 14

15 Summary For active adversaries, we need s with: Bounded noise High(er) entropy for fresh challenge values Superpolynomially big input domain Properties of +fuzzy etractor: Correctness Well-spread domain Uniform outputs Get efficient provably secure protocols without cryptographic assumptions Key Agreement Oblivious Transfer Commitments: one-round transformation from OT + Fuzzy ¼ NPRO, but apparently, one can do even more with s Slide 15

16 Thank you Marc Fischlin Heike Schröder Stefan Katzenbeisser Slide 16

17 On NPRO and s in UC Z Z Adversary/Environment cannot access s of honest parties S Assymmetric No programming abilities Slide 17