Physically Unclonable Random Permutations

Physically Unclonable Random Permutations
Riccardo Bernardini and Roberto Rinaldo
University of Udine–Italy
{riccardo.bernardini, rinaldo}@uniud.it
Recent Adv. in Electrical and Electronic Eng. (Florence, 2014)
Full article version:
http://link.springer.com/article/10.1007/s10207-016-0324-2
January 30, 2017

Outline
• The problem
• Motivation
• The solution(s)
• Conclusions
1
DIEGM University of Udine

The problem
• PUCs (Physically Unclonable Constants) allow to embed in chip
unique random bitstrings.
Embed in a device a unique permutation/involution on S = {1, . . . , N}
permutation ⇒ bijective map π : S → S
involution ⇒ π ◦ π = id, ∀x π(x) = x
Why?
– It is scientiﬁcally intriguing, but also. . .
– Potentially useful for “private” cryptography
2

Motivation: sponges
Example: sponges
• Flexible building block (hash, PRNG, Authenticated Encryption, . . . )
• Map f can be a permutation
3

Motivation: stream cypher
4

Motivation: stream cypher (2)
Warning!
5

Motivation: stream cypher (3)
Stream cypher + permutation
6

Permutation: How To
• Permutation/involution implemented as a Look-Up Table (LUT)
in RAM
• LUT ﬁlled at start-up by a processing block that uses a PUC as
source of randomness
• Only simple processing allowed
– No ﬂoating point
– Informally: ≈ 1 day work to write it in assembly 6502
– Complexity:
∗ LUT size = N log2 N bits ⇒ O(N log N) OK
7

Permutation: How To
K-bit
PUC
Processing
Look-up
Table
(RAM)
Addr
Data
K-bit
PUC
Processing
Look-up
Table
(RAM)
Addr
Data
x
π(x)
at start-up run-time
8

Permutation/Involution: How many bits?
Permutation log2(N!) ≈ N(log2 N − 1.44) ≈ N log2 N
Involution log2(N!!) ≈ N
2 log2 N
d N = 2d log2(N!) log2(N!!)
4 16 45 21
6 64 296 147
8 256 1684 840
10 1024 8770 4382
14 16384 205 748 102 870
16 65536 954 037 477 015
9

Random permutation: how to
• Problem: randomly permute the entries of array[0..N-1]
• Well-known solution:
– for k in 0 .. N-2 loop
– swap array[k] and array[k + rand(0 .. N-1-k)];
– end loop;
• We need random numbers
n ∈ {0, . . . , }, = 1, . . . , N − 1
10

Implementation Example
Register 2
LUTAddr Data
PUC RND
Counter
Register 1
Clk
≅ N log2 N
N log2 N
log2 N
log2 N
log2 N
11

Register 2
LUTAddr Data
PUC RND
Counter
Register 1
Clk
12

Register 2
LUTAddr Data
PUC RND
Counter
Register 1
Clk
13

Register 2
LUTAddr Data
PUC RND
Counter
Register 1
Clk
14

Register 2
LUTAddr Data
PUC RND
Counter
Register 1
Clk
15

Random involutions: how to
• An involution is described by the pairs (x, π(x)).
– S= {1, . . . , N}
– while S = ∅ loop
– x ← min(S); --Assign and extract
– n := rand(1..|S|);
– y ← n-th element of S;
– (x,y) is the new pair;
– end loop;
• We need random numbers
n ∈ {1, 2, 3, . . . , 2 − 1}, ∈ {1, . . . , N/2}
16

Random integers: how hard can be?
Everything we need is a way to generate random inte-
gers in {0, . . . , L − 1}, L = 2, 3, . . . , N
• Everything we have is a string of random bit from a PUC
The case L = 2d is easy ⇒ just get a block of d bit
What about when L = 2d?
17

Random Integers
Modulo Reduction

Random Integers
• Use modular reduction
– Let d = log2 L
– Get d random bits and make them into a number n
– Return n mod L
Simple, minimun number of bits
Not uniform: outcomes 0 . . . 2d − 1 − L are more probable
18

How much serious is the unbalance?
• Let ΠN a uniformly chosen random permutation
• Let ΠN the generated permutation
• Theorem:
∆N := H(ΠN) − H(ΠN) < 0.09N
• Note that H(ΠN) ≈ N log2 N, so that
lim
N→∞
∆N
H(ΠN)
= 0
19

Random Integers
Rejection method

Rejection method
• Use rejection
1. Get d bits and make them into a number n
2. If n < L return it
3. Go to 1
More than d bits needed (in average)
Uniform outcome
20

How many bits?
Single number
• Probability of rejection
qL = P[n ≥ L] =
2d − L
2d
= 1 −
L
2d
< 1/2
• # of bit needed = “interpolated” geometric
P[k bits needed] = fL(k) :=



0 if L |k
q
k/L−1
L (1 − qL) if L|k
• Let BL be the required number of bits
21

How many bits? (2)
Permutation
• R.v. Bk, k = 1, . . . are independent
• Total number of bits T = k Bk
P[Total bits needed] = P[T = ] = f2 ∗ f3 ∗ · · · ∗ fL( )
• Easily computed numerically
22

How many bits do we allocate?
• Fix a probability of discarding the device
• Compute distribution
FT (x) = P[T ≤ x] = cumsum(f2 ∗ · · · ∗ fL)
and choose the number of bit M so that
P[T > M] = 1 − FT (M) ≤ ⇔ FT (M) ≥ 1 −
• Note that
∀x < B(0) :=
N
k=2
log2 k FT (x) = 0
23

Redundancy (permutation)
1 1.2 1.4 1.6 1.8
10
−4
10
−3
10
−2
10
−1
10
0
x / optimum
1−F
T
(x)
N=64, opt=296
N=256, opt=1684
N=1024, opt=8770
24

Redundancy (involution)
1 1.2 1.4 1.6 1.8
10
−4
10
−3
10
−2
10
−1
10
0
x / optimum
1−F
T
(x)
N=64, opt=147
N=256, opt=840
N=1024, opt=4382
25

Composition
• If L is slightly larger than 2 ⇒
– Few invalid values in the rejection method
– ≈ 0
• If L is sligtly smaller thant 2 ⇒
Use composition
– Generate a number in 0, 1, . . . , L(L + 1) · · · (L + M) − 1
– “Break” the result using divisions
26

Composition
Eﬃcient
N. bits N. bits
N = 2d d No comp Comp log2(N!) ∆ no comp ∆ comp
16 4 49 45 45 0.75 0.19
64 6 321 298 296 3.50 0.60
256 8 1793 1687 1684 14.50 0.95
1024 10 9217 8773 8770 58.51 1.32
16384 14 212993 205753 205748 938.71 2.00
65536 16 983041 954044 954037 3755.36 2.52
Increased complexity (division)
27

Conclusions
• A method to generate random permutations/involutions from
PUCs has been presented
• The approach is suited for HW implementation
• 2 + 1 alternatives were considered
Technique
Reduction Deterministic N. bits Non-Uniform
Rejection Uniform Redundancy required
Composition More eﬃcient Additional complexity
28

Physically Unclonable Random Permutations

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to Physically Unclonable Random Permutations

Similar to Physically Unclonable Random Permutations (20)

More from Riccardo Bernardini

More from Riccardo Bernardini (8)

Recently uploaded

Recently uploaded (20)

Physically Unclonable Random Permutations