On the practical use of physical unclonable functions in oblivious transfer and bit commitment protocols

Abstract

In recent years, PUF-based schemes have been suggested not only for the basic tasks of tamper-sensitive key storage or the identification of hardware systems, but also for more complex protocols like oblivious transfer (OT) or bit commitment (BC), both of which possess broad and diverse applications. In this paper, we continue this line of research. We first present an attack on two recent OT and BC protocols which have been introduced by Brzuska et al. (CRYPTO, LNCS 6841, pp 51–70, Springer 2011). The attack quadratically reduces the number of CRPs which malicious players must read out to cheat, and fully operates within the original communication model of Brzuska et al. (CRYPTO, LNCS 6841, pp 51–70, Springer 2011). In practice, this leads to insecure protocols when electrical PUFs with a medium challenge-length are used (e.g., 64 bits), or whenever optical PUFs are employed. These two PUF types are currently among the most popular designs of so-called Strong PUFs. Secondly, we show that the same attack applies to a recent OT protocol of Ostrovsky et al. (IACR Cryptol. ePrint Arch. 2012:143, 2012), leading to exactly the same consequences. Finally, we discuss countermeasures. We present a new OT protocol with better security properties, which utilizes interactive hashing as a substep and is based on an earlier protocol by Rührmair (TRUST, LNCS 6101, pp 430–440, Springer 2010). We then closely analyze its properties, including its security, security amplification, and practicality.

Appendix: Unconditional oblivious transfer protocol for honest PUFs by Ostrovsky et al.

We give below an OT protocol for honest PUFs by Ostrovsky et al. (see Fig. 3 of [20]). It is “unconditional” in the sense that it only relies on PUFs, i.e., it does not use any other assumptions besides PUFs. In agreement and correspondence with the authors, a few minor typos have been discussed and removed [21]. The most relevant of these typos for our analysis is that in item 2 of Step 5, the PUF that is queried must be \(\mathsf{sid^\mathsf{R}}\), and not “\(\mathsf{sid_{i_j}}\)”, as in [20] (note that \(\mathsf{sid_{i_j}}\) is not defined in the protocol, which only uses the PUFs \(\mathsf{sid_{i_j}^\mathsf{S}}\) and \(\mathsf{sid}^\mathsf{R}\)).

Prortocol 9

Unconditional OT with honest PUFs [20]

Sender’s input: Strings \(s^0, s^1 \in \{0,1\}^n\).

Receiver’s input: Bit \(b \in \{0,1\}\).

1. 1.

   [ \((\mathsf{S_{uncOT}} \Rightarrow \mathsf{R_{uncOT}})\) : Sender PUF initialization] \(\mathsf{S}\) initializes \(2k\) PUFs \(\mathsf{sid}_1^\mathsf{S}\), ..., \(\mathsf{sid}_{2k}^\mathsf{S}\) and sends them \(\mathsf R\).

2. 2.

   [ \((\mathsf{S_{uncOT}} \Leftarrow \mathsf{R_{uncOT}})\) : Receiver PUF initialization] \(\mathsf{R}\) initializes a PUF \(\mathsf{sid}^\mathsf{R}\). It uniformly chooses \(2k\) queries \(q_1, \ldots , q_{2k}\), and obtains responses \(a_1, \ldots , a_{2k}\). It sends the PUF \(\mathsf{sid}^\mathsf{R}\) to S.

3. 3.

   [Cut-and-choose]

   1. (a)

      \((\mathsf{S_{uncOT}} \Rightarrow \mathsf{R_{uncOT}})\) For \(1 \le i \le 2k\), sender uniformly selects a pair of challenges \((x^0_i, x^1_i)\) and sends it to \(\mathsf R\).

   2. (b)

      \((\mathsf{S_{uncOT}} \Leftarrow \mathsf{R_{uncOT}})\) For each \(1 \le i \le 2k\), receiver does the following:

      • select random bit \(b_i \in \{0,1\}\).

      • select random query \(d_i\) and let \(da_i\) be the response of the PUF \(\mathsf{sid}^\mathsf{S}_i\). Compute \((\!dst_i, dp_i\!)\! \!\leftarrow \mathsf{FuzGen}(da_i)\). If \(\mathsf{Parity}(dst_i) \ne b_i\), repeat this step. Else, continue.

      • compute \(v_i := x_i^{b_i} \oplus q_i\).

      For each \(1 \le i \le 2k\), receiver sends to sender \((v_i, d_i, dp_i)\).

   3. (c)

      \((\mathsf{S_{uncOT}} \Rightarrow \mathsf{R_{uncOT}})\) Sender selects a random subset \(S \subset [2k]\) of size \(k\) and sends it to receiver.

   4. (d)

      \((\mathsf{S_{uncOT}} \Leftarrow \mathsf{R_{uncOT}})\) For all \(j \in S\), receiver sends \((q_j, a_j)\) to sender, and also hands over the PUF \(\mathsf{sid}_j^\mathsf{S}\) to the sender.

   5. (e)

      Sender makes the following checks for each \(j \in S\):

   • compute the response of PUF \(\mathsf{sid}^\mathsf{R}\) on query \(q_j\) to obtain \(a_j^*\). If \(\mathsf dis(a_j, a_j^*) > d_\mathsf{noise}\), abort.

   • If \(v_j \oplus q_j = x_j^0\), set \(b_j^* = 0\); if \(v_j \oplus q_j = x_j^1\), set \(b_j^* = 1\); else abort.

   • query the PUF \(\mathsf{sid}_j^\mathsf{S}\) with \(d_j\) to obtain response \(da_j^*\); if \(\mathsf{Parity}(\mathsf{FuzRep}(da^*_j, dp_j))\) \(\ne \) \(b_j^*\), abort.

4. 4.

   [ \((\mathsf{S_{uncOT}} \Leftarrow \mathsf{R_{uncOT}})\) : Receiver sends correction-bits] Let \(i_1, \ldots , i_k\) be the indices not in \(S\). For \(1 \le j \le k\), the receiver sends to sender the bit \(b_{i_j}^{\prime } = b_{i_j} \oplus b\).

5. 5.

   [ \((\mathsf{S_{uncOT}} \Rightarrow \mathsf{R_{uncOT}})\) : Sender’s final message] Sender prepares its final message as follows:

   • For \(\delta \in \{0,1\}\), choose random strings \(s_1^\delta , \ldots , s_k^\delta \) such that \(s^\delta = \bigoplus _{j=1}^k s_j^\delta \).

   • For \(\delta \in \{0,1\}\), for \(1 \le j \le k\), compute \(\hat{q}_{i_j}^\delta = v_{i_j} \oplus x_{i_j}^\delta \), and let \((st_{i_j}^\delta , p_{i_j}^\delta )\) be the response of PUF \(\mathsf{sid}^\mathsf{R}\) to the query \(\hat{q}_{i_j}^\delta \).

   • For \(\delta \in \{0,1\}\) and \(1 \le j \le k\), set \(m_{i_j}^\delta = s_j^\delta \oplus st_{i_j}^{b_{i_j}^{\prime } \oplus \delta }\).

   The sender sends \((m_{i_1}^0, m_{i_1}^1), \ldots , (m_{i_k}^0, m_{i_k}^1)\) and \((p_{i_1}^0,\) \(p_{i_1}^1),\) \(\ldots ,\) \((p_{i_k}^0, p_{i_k}^1)\) to the receiver.

6. 6.

   [Receiver’s final step] For \(i \le j \le k\), receiver computes \(st_{i_j} \leftarrow \mathsf{FuzRep} (p_{i_j}^{b_{i_j}^{\prime }}, a_{i_j})\). It outputs \(s^b = \bigoplus _{j=1}^k (m_{i_j}^b \oplus st_{i_j})\).