The recent availability of reliable schemes for physically unclonable constants (PUC) opens interesting possibilities in the field of security. In this paper, we explore the possibility of using PUCs to embed in a chip random permutations to be used, for example, as building blocks in cryptographic constructions such as sponge functions, substitution–permutation networks, and so on. We show that the most difficult part is the generation of random integers using as the only randomness source the bit-string produced by the PUC. In order to solve the integer generation problem, we propose a partial rejection method that allows the designer to trade-off between entropy and efficiency. The results show that the proposed schemes can be implemented with reasonable complexity.
Full paper: "Making random permutations from physically unclonable constants" Bernardini, R. & Rinaldo, R. Int. J. Inf. Secur. (2016). doi:10.1007/s10207-016-0324-2
http://link.springer.com/article/10.1007/s10207-016-0324-2
1. Physically Unclonable Random Permutations
Riccardo Bernardini and Roberto Rinaldo
University of Udine–Italy
{riccardo.bernardini, rinaldo}@uniud.it
Recent Adv. in Electrical and Electronic Eng. (Florence, 2014)
Full article version:
http://link.springer.com/article/10.1007/s10207-016-0324-2
January 30, 2017
Outline
• The problem
• Motivation
• The solution(s)
• Conclusions
DIEGM University of Udine
The problem
• PUCs (Physically Unclonable Constants) allow unique random bitstrings to be embedded in a chip.
Embed in a device a unique permutation/involution on $S = \{1, \dots, N\}$
permutation ⇒ bijective map $\pi : S \to S$
involution ⇒ $\pi \circ \pi = \mathrm{id}$, $\forall x\ \pi(x) \neq x$
Why?
– It is scientifically intriguing, but also. . .
– Potentially useful for “private” cryptography
Motivation: sponges
Example: sponges
• Flexible building block (hash, PRNG, Authenticated Encryption, . . . )
• Map f can be a permutation
Motivation: stream cypher (3)
Stream cypher + permutation
Permutation: How To
• Permutation/involution implemented as a Look-Up Table (LUT) in RAM
• LUT filled at start-up by a processing block that uses a PUC as source of randomness
• Only simple processing allowed
– No floating point
– Informally: ≈ 1 day of work to write it in 6502 assembly
– Complexity:
∗ LUT size = N log2 N bits ⇒ O(N log N) OK
Permutation: How To
[Figure: block diagram with two panels, "at start-up" and "run-time". Labels: K-bit PUC, Processing, Look-up Table (RAM), Addr, Data, x, π(x).]
Permutation/Involution: How many bits?
Permutation: $\log_2(N!) \approx N(\log_2 N - 1.44) \approx N \log_2 N$
Involution: $\log_2(N!!) \approx \frac{N}{2} \log_2 N$

 d    N = 2^d    log2(N!)    log2(N!!)
 4         16          45           21
 6         64         296          147
 8        256        1684          840
10       1024        8770         4382
14      16384      205748       102870
16      65536      954037       477015
Random permutation: how to
• Problem: randomly permute the entries of array[0..N-1]
• Well-known solution:
– for k in 0 .. N-2 loop
– swap array[k] and array[k + rand(0 .. N-1-k)];
– end loop;
• We need random numbers
n ∈ {0, . . . , }, = 1, . . . , N − 1
Implementation Example
[Figure: block diagram. Labels: PUC, RND, Counter, Register 1, Register 2, LUT (Addr, Data), Clk; bus widths ≅ N log2 N, N log2 N and log2 N.]
Random involutions: how to
• An involution is described by the pairs (x, π(x)).
– S = {1, . . . , N}
– while S ≠ ∅ loop
– x ← min(S); -- Assign and extract
– n := rand(1..|S|);
– y ← n-th element of S;
– (x,y) is the new pair;
– end loop;
• We need random numbers
n ∈ {1, 2, 3, . . . , 2 − 1}, ∈ {1, . . . , N/2}
Random integers: how hard can it be?
Everything we need is a way to generate random integers in $\{0, \dots, L-1\}$, $L = 2, 3, \dots, N$
• Everything we have is a string of random bits from a PUC
The case $L = 2^d$ is easy ⇒ just get a block of d bits
What about when $L \neq 2^d$?
Random Integers
• Use modular reduction
– Let d = log2 L
– Get d random bits and make them into a number n
– Return n mod L
Simple, minimum number of bits
Not uniform: outcomes $0, \dots, 2^d - 1 - L$ are more probable
How serious is the imbalance?
• Let ΠN be a uniformly chosen random permutation
• Let ΠN be the generated permutation
• Theorem:
∆N := H(ΠN) − H(ΠN) < 0.09N
• Note that $H(\Pi_N) \approx N \log_2 N$, so that $\lim_{N \to \infty} \Delta_N / H(\Pi_N) = 0$
Rejection method
• Use rejection
1. Get d bits and make them into a number n
2. If n < L return it
3. Go to 1
More than d bits needed (on average)
Uniform outcome
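The shuffle from the "Random permutation: how to" slide, driven by a fixed bit string through either modular reduction or rejection, as an added example (not code from the slides or the paper). `BitSource`, `rand_mod`, `rand_reject`, `fill_lut` and `mod_counts` are hypothetical names, d is assumed to be ⌈log2 L⌉, and the bit string is constructed sample data standing in for a PUC.

```python
import random

class BitSource:
    """Fixed bit string standing in for the PUC output (hypothetical helper)."""
    def __init__(self, bits):
        self.bits, self.used = list(bits), 0

    def take(self, d):
        if self.used + d > len(self.bits):
            raise RuntimeError("bit budget exhausted: device must be discarded")
        n = 0
        for b in self.bits[self.used:self.used + d]:
            n = (n << 1) | b
        self.used += d
        return n

def rand_mod(src, L):
    """Modular reduction: always d bits, but 0 .. 2^d-1-L are twice as likely."""
    return src.take((L - 1).bit_length()) % L   # d = ceil(log2 L), assumed

def rand_reject(src, L):
    """Rejection: uniform on 0 .. L-1, but the number of bits used is random."""
    d = (L - 1).bit_length()
    while True:
        n = src.take(d)
        if n < L:
            return n

def fill_lut(src, N, draw):
    """Shuffle 0 .. N-1 with the loop from the slide and return the LUT."""
    lut = list(range(N))
    for k in range(N - 1):                      # k = 0 .. N-2
        j = k + draw(src, N - k)                # rand(0 .. N-1-k)
        lut[k], lut[j] = lut[j], lut[k]
    return lut

def mod_counts(L):
    """How often each outcome appears when all 2^d inputs are reduced mod L."""
    d = (L - 1).bit_length()
    return [sum(1 for n in range(2 ** d) if n % L == r) for r in range(L)]

# Constructed sample data: 1024 pseudo-random bits in place of a real PUC.
_rng = random.Random(2014)
SAMPLE_BITS = [_rng.getrandbits(1) for _ in range(1024)]

if __name__ == "__main__":
    for draw in (rand_mod, rand_reject):
        src = BitSource(SAMPLE_BITS)
        print(draw.__name__, fill_lut(src, 16, draw), "bits used:", src.used)
    print("n mod 5 over 3-bit inputs:", mod_counts(5))
```

With N = 16 the reduction variant always consumes 49 bits, the "No comp" figure in the composition table, while the rejection variant consumes at least that many and fails outright if the string runs out.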
How many bits?
Single number
• Probability of rejection
$q_L = P[n \ge L] = \frac{2^d - L}{2^d} = 1 - \frac{L}{2^d} < 1/2$
• # of bits needed = “interpolated” geometric
$P[k \text{ bits needed}] = f_L(k) := \begin{cases} 0 & \text{if } L \nmid k \\ q_L^{k/L-1}(1 - q_L) & \text{if } L \mid k \end{cases}$
• Let BL be the required number of bits
How many bits? (2)
Permutation
• Random variables $B_k$, $k = 1, \dots$ are independent
• Total number of bits $T = \sum_k B_k$
P[Total bits needed] = P[T = ] = f2 ∗ f3 ∗ · · · ∗ fL( )
• Easily computed numerically
How many bits do we allocate?
• Fix a probability of discarding the device
• Compute distribution
$F_T(x) = P[T \le x] = \mathrm{cumsum}(f_2 * \cdots * f_L)$
and choose the number of bits M so that
P[T > M] = 1 − FT (M) ≤ ⇔ FT (M) ≥ 1 −
• Note that
$\forall x < B(0) := \sum_{k=2}^{N} \log_2 k$: $F_T(x) = 0$
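The bit-budget computation described on the "How many bits?" slides and on this one, carried out numerically as an added example (not code from the slides or the paper). It assumes every attempt for range L consumes d = ⌈log2 L⌉ bits; the function names, the discard probability argument `eps` and the truncation length `kmax` are hypothetical.

```python
from math import factorial

def f_L(L, kmax):
    """pmf of the bits needed for one rejection-sampled integer in 0 .. L-1."""
    d = (L - 1).bit_length()            # bits per attempt, assumed ceil(log2 L)
    q = 1 - L / 2 ** d                  # probability that an attempt is rejected
    pmf = [0.0] * (kmax + 1)
    for k in range(d, kmax + 1, d):     # only multiples of d are possible
        pmf[k] = q ** (k // d - 1) * (1 - q)
    return pmf

def convolve(a, b, kmax):
    """Distribution of the sum of two independent bit counts, cut at kmax."""
    out = [0.0] * (kmax + 1)
    for i, ai in enumerate(a):
        if ai:
            for j, bj in enumerate(b[:kmax + 1 - i]):
                out[i + j] += ai * bj
    return out

def total_bits_pmf(N, kmax):
    """pmf of T, the total bits for a full shuffle: f_2 * f_3 * ... * f_N."""
    pmf = [1.0] + [0.0] * kmax
    for L in range(2, N + 1):
        pmf = convolve(pmf, f_L(L, kmax), kmax)
    return pmf

def bits_to_allocate(N, eps, kmax):
    """Smallest M with P[T > M] <= eps; mass cut off at kmax counts as tail."""
    cum = 0.0
    for M, p in enumerate(total_bits_pmf(N, kmax)):
        cum += p
        if 1 - cum <= eps:
            return M
    raise ValueError("kmax too small for this eps")

if __name__ == "__main__":
    pmf = total_bits_pmf(16, 400)
    first = next(k for k, p in enumerate(pmf) if p > 0)
    print("smallest possible T for N=16:", first)
    print("P[no rejection at all]:", pmf[first], "=", factorial(16) / 2 ** 49)
    for eps in (1e-2, 1e-3, 1e-4):
        print("eps", eps, "-> allocate", bits_to_allocate(16, eps, 400), "bits")
```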
Redundancy (permutation)
[Figure: plot of 1−F_T(x) on a logarithmic axis (10^0 down to 10^−4) versus x / optimum (1 to 1.8). Curves: N=64, opt=296; N=256, opt=1684; N=1024, opt=8770.]
Redundancy (involution)
[Figure: plot of 1−F_T(x) on a logarithmic axis (10^0 down to 10^−4) versus x / optimum (1 to 1.8). Curves: N=64, opt=147; N=256, opt=840; N=1024, opt=4382.]
Composition
• If L is slightly larger than 2 ⇒
– Few invalid values in the rejection method
– ≈ 0
• If L is slightly smaller than 2 ⇒
Use composition
– Generate a number in 0, 1, . . . , L(L + 1) · · · (L + M) − 1
– “Break” the result using divisions
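Composition for three consecutive ranges, as an added example (not code from the slides or the paper): one integer is drawn by rejection from the product range and then broken into one value per range with divisions. The function names and the `take(d)` callable that returns d bits as an integer are hypothetical, and d is assumed to be ⌈log2 of the range size⌉.

```python
from itertools import product
from math import prod

def bits_for(L):
    return (L - 1).bit_length()          # assumed ceil(log2 L) bits per attempt

def expected_bits(L):
    """Mean bits consumed by rejection sampling on 0 .. L-1: d * 2^d / L."""
    d = bits_for(L)
    return d * 2 ** d / L

def split(n, radices):
    """Break n in 0 .. prod(radices)-1 into one digit per range, by division."""
    digits = []
    for L in radices:
        n, r = divmod(n, L)
        digits.append(r)
    return digits

def draw_composed(take, radices):
    """One rejection loop on the product range, then split the accepted value."""
    P = prod(radices)
    d = bits_for(P)
    while True:
        n = take(d)
        if n < P:
            return split(n, radices)

def compare(radices):
    """(expected bits drawing each range separately, expected bits composed)."""
    separate = sum(expected_bits(L) for L in radices)
    return separate, expected_bits(prod(radices))

def is_uniform_split(radices):
    """True if every digit tuple is produced by exactly one n (a bijection)."""
    seen = sorted(tuple(split(n, radices)) for n in range(prod(radices)))
    return seen == sorted(product(*(range(L) for L in radices)))

if __name__ == "__main__":
    ranges = [5, 6, 7]                   # L, L+1, L+2 with L = 5
    print("separate vs composed expected bits:", compare(ranges))
    print("split is a bijection:", is_uniform_split(ranges))
    values = iter([255, 209])            # constructed 8-bit draws: reject, accept
    print("digits:", draw_composed(lambda d: next(values), ranges))
```

Because the split is a bijection between the accepted integers and the digit tuples, the three values stay uniform and independent; the price is the division hardware noted on the next slide.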
Composition
Efficient
N = 2^d    d    N. bits (no comp)    N. bits (comp)    log2(N!)    ∆ no comp    ∆ comp
     16    4                   49                45          45         0.75      0.19
     64    6                  321               298         296         3.50      0.60
    256    8                 1793              1687        1684        14.50      0.95
   1024   10                 9217              8773        8770        58.51      1.32
  16384   14               212993            205753      205748       938.71      2.00
  65536   16               983041            954044      954037      3755.36      2.52
Increased complexity (division)
Conclusions
• A method to generate random permutations/involutions from
PUCs has been presented
• The approach is suited for HW implementation
• 2 + 1 alternatives were considered
Technique
Reduction      Deterministic N. bits    Non-uniform
Rejection      Uniform                  Redundancy required
Composition    More efficient           Additional complexity