Biometric and Physical Identifiers with Correlated Noise for - - PowerPoint PPT Presentation

Biometric and Physical Identifiers with Correlated Noise for Controllable Private Authentication

Onur G¨ unl¨ u Information Theory and Applications Chair, TU Berlin Joint work with Rafael F. Schaefer (TU Berlin) and H. Vincent Poor (Princeton) ISIT 2020

G¨ unl¨ u, Schaefer, and Poor: Biometric and Physical Identifiers with Correlated Noise for Controllable Private Authentication 1

Motivation for Biometrics

Source Enrollment Authentication Secret Key Secret Key Helper Data Noisy Measurements

Noisy Measurements

G¨ unl¨ u, Schaefer, and Poor: Biometric and Physical Identifiers with Correlated Noise for Controllable Private Authentication 1

Motivation for Physical Unclonable Functions (I)

Physical Unclonable Function (PUF)

Q Q

• Logically stable states of a static random access memory (SRAM) cell are

(Q, Q) = (1, 0) and (0, 1).

• The power-up state of an SRAM cell converges to one of the states.
• Uniformly random convergence due to random and uncontrollable

physical mismatch of the inverters.

G¨ unl¨ u, Schaefer, and Poor: Biometric and Physical Identifiers with Correlated Noise for Controllable Private Authentication 2

Motivation for Physical Unclonable Functions (II)

Encryption Decryption Message

(Plaintext)

Ciphertext

Decrypted Message

(Plaintext)

Encryption Key

Secret Key Source (e.g., NVM, PUF)

Decryption Key

NVM= Non-Volatile Memory

G¨ unl¨ u, Schaefer, and Poor: Biometric and Physical Identifiers with Correlated Noise for Controllable Private Authentication 3

Motivation for Physical Unclonable Functions (III)

• Wiretap channel (WTC) communication with PUF Outputs

used as the Local Source of Randomness at the WTC Encoder

ENCODER DECODER M M ALICE BOB channel Xn EVE Y n channel Zn

G¨ unl¨ u, Schaefer, and Poor: Biometric and Physical Identifiers with Correlated Noise for Controllable Private Authentication 4

Problem Definition (I)

• Suppose a secret key S is agreed securely using noisy measurements
• Xn and Y n of the PUF outputs Xn and a public communication

link, which Allows multiple measurements via ˜ X and Y vectors; Accounts for the effects of correlated noise in the measurements

e.g., encoder and decoder measurements are made within a coherence time;

Allows decoder measurement channels to be controllable by a cost-constrained action sequence An; Hides the secret key from an eavesdropper that observes a sequence Zn correlated with ( Xn, Y n, Xn).

G¨ unl¨ u, Schaefer, and Poor: Biometric and Physical Identifiers with Correlated Noise for Controllable Private Authentication 5

Problem Definition (II)

PX (W, S)

(a)

= f1( Xn) W

(b)

= f2( Xn, S) PY Z|X

XA

P

X|X

An = fa(W) ˆ S = g (W, Y n) EVE W Xn Y n

• Xn

Xn An Zn S ˆ S (b) (a) W

• Xn

G¨ unl¨ u, Schaefer, and Poor: Biometric and Physical Identifiers with Correlated Noise for Controllable Private Authentication 6

Problem Definition (III) - Enrollment

PX (W, S)

(a)

= f1( Xn) W

(b)

= f2( Xn, S) PY Z|X

XA

P

X|X

An = fa(W) ˆ S = g (W, Y n) EVE W Xn Y n

• Xn

Xn An Zn S ˆ S (b) (a) W

• Xn

G¨ unl¨ u, Schaefer, and Poor: Biometric and Physical Identifiers with Correlated Noise for Controllable Private Authentication 6

Problem Definition (III) - Enrollment

PX (W, S)

(a)

= f1( Xn) W

(b)

= f2( Xn, S) PY Z|X

XA

P

X|X

An = fa(W) ˆ S = g (W, Y n) EVE W Xn Y n

• Xn

Xn An Zn S ˆ S (b) (a) W

• Xn

G¨ unl¨ u, Schaefer, and Poor: Biometric and Physical Identifiers with Correlated Noise for Controllable Private Authentication 6

Problem Definition (IV) - Authentication

PX (W, S)

(a)

= f1( Xn) W

(b)

= f2( Xn, S) PY Z|X

XA

P

X|X

An = fa(W) ˆ S = g (W, Y n) EVE W Xn Y n

• Xn

Xn An Zn S ˆ S (b) (a) W

• Xn

G¨ unl¨ u, Schaefer, and Poor: Biometric and Physical Identifiers with Correlated Noise for Controllable Private Authentication 7

Problem Definition (IV) - Authentication

PX (W, S)

(a)

= f1( Xn) W

(b)

= f2( Xn, S) PYZ|X

XA

P

X|X

An = fa(W) ˆ S = g (W, Y n) EVE W Xn Yn

• Xn

Xn An Zn S ˆ S (b) (a) W

• Xn

G¨ unl¨ u, Schaefer, and Poor: Biometric and Physical Identifiers with Correlated Noise for Controllable Private Authentication 7

Problem Definition (IV) - Authentication

PX (W, S)

(a)

= f1( Xn) W

(b)

= f2( Xn, S) PY Z|X

XA

P

X|X

An = fa(W) ˆ S = g (W, Yn) EVE W Xn Yn

• Xn

Xn An Zn S ˆ S (b) (a) W

• Xn

G¨ unl¨ u, Schaefer, and Poor: Biometric and Physical Identifiers with Correlated Noise for Controllable Private Authentication 7

Problem Definition (IV) - Authentication

PX (W, S)

(a)

= f1( Xn) W

(b)

= f2( Xn, S) PY Z|X

XA

P

X|X

An = fa(W) ˆ S = g (W, Y n) EVE W Xn Y n

• Xn

Xn An Zn S ˆ S (b) (a) W

• Xn

G¨ unl¨ u, Schaefer, and Poor: Biometric and Physical Identifiers with Correlated Noise for Controllable Private Authentication 7

Problem Definition (V)

➤ Reliability: Error probability Pe = Pr[ ˆ S = S] should vanish; ➤ Secrecy Leakage: S should be independent of (W, Zn); ➤ Key Rate: Rs = log |S| n should be maximized; ➤ Privacy Leakage: Rℓ ≈ I(Xn; W, Zn) n should be minimized; ➤ Storage: Rw ≈ log |W| n should be minimized; ➤ Action Cost: Expected action cost C ≈ E[Γ(An)] should be minimized.

G¨ unl¨ u, Schaefer, and Poor: Biometric and Physical Identifiers with Correlated Noise for Controllable Private Authentication 8

Key-Leakage-Storage-Cost Region Definitions

Generated-Secret (GS) and Chosen-Secret (CS) Models

A key-leakage-storage-cost tuple (Rs, Rℓ, Rw, C) is achievable for the GS or CS model if, given δ>0, there is some n≥1, an encoder, and a decoder such that Rs = log |S| n and Pr[ ˆ S = S] ≤ δ (reliability) (1) I(S; W, Zn) ≤ δ (strong secrecy) (2) 1 nH(S) ≥ Rs − δ (uniformity) (3) 1 nI(Xn; W, Zn) ≤ Rℓ + δ (privacy) (4) 1 n log

• W
• ≤ Rw + δ

(storage) (5) E[Γ(An)] ≤ C + δ (action cost) (6) where Γ(An)= 1

n

n

i=1 Γ(Ai). The key-leakage-storage-cost regions Rgs and

Rcs are the closures of the sets of all achievable tuples. ♦

G¨ unl¨ u, Schaefer, and Poor: Biometric and Physical Identifiers with Correlated Noise for Controllable Private Authentication 9

Inner Bound GS Model (I)

Theorem 1 (An Achievable Region for the GS Model)

Define Rℓ,1 = I(V, X; Z|A) + I(X; A, V, Y ) − I(V, X; Y |A) Rℓ,2 = I(V, X; Z|A, U) + I(X; A, V, Y ) − I(V, X; Y |A, U) Rℓ,3 = I(X; A, U, Z). An inner bound for the rate region Rgs for the GS model is the set of all tuples (Rs, Rℓ, Rw, C) satisfying 0 ≤ Rs ≤I(V ; Y |A, U) − I(V ; Z|A, U) (7) Rℓ ≥ max

• Rℓ,1, Rℓ,2, Rℓ,3
• (8)

Rw ≥ I( X; A) + I(V ; X|A, Y ) (9) for some PXP

X|XPA| XPY Z|X XAPV | XAPU|V such that E[Γ(A)]≤C.

G¨ unl¨ u, Schaefer, and Poor: Biometric and Physical Identifiers with Correlated Noise for Controllable Private Authentication 10

Inner Bound GS Model (II)

• Proof uses the output statistics of random binning (OSRB) method

(Yassaee-Aref-Gohari, 2014) for nine decodability cases.

• The achievability proof for the CS model uses the achievability proof for

the GS model and a one-time padding step. ➤ GS Model Proof Sketch: Fix PA|

X, PV | XA, and PU|V such that

E[Γ(A)] ≤ C + ǫ and let (U n, V n, An, Xn, Xn, Y n, Zn) be i.i.d. according to PUV A

XXY Z = PU|V PV | XAPA| XP X|XPXPY Z|X XA;

➤ Assign two random bin indices (Fa, Wa) to each an; two indices (Fu, Wu) to each un; three indices (Fv, Wv, S) to each vn. The helper data are W = (Wa, Wu, Wv), the public indices are F = (Fa, Fu, Fv), and the generated secret key is S.

G¨ unl¨ u, Schaefer, and Poor: Biometric and Physical Identifiers with Correlated Noise for Controllable Private Authentication 11

Inner Bound GS Model (III)

➤ All constraints, except the privacy constraint in (4), can be satisfied by fixing the bin sizes. ➤ Following multi-letter terms remain in Rℓ analysis −H(U n|Zn, An, Wu, Fu)+H(V n|W, An, Xn, Zn, F). (10) ➤ Nine different cases for the bin sizes assigned to the bins of U n and V n to be considered to represent (10) with single-letter terms. ➤ Out of nine cases, we obtain six different privacy-leakage rate terms whose maximum can be written as max{Rℓ,1, Rℓ,2, Rℓ,3}, as above.

G¨ unl¨ u, Schaefer, and Poor: Biometric and Physical Identifiers with Correlated Noise for Controllable Private Authentication 12

Outer Bound GS Model (I)

Conditionally Less-Noisy (CLN) Channels

X is conditionally less-noisy (CLN) than Z given (A, Y ) if I(L; X|A, Y ) ≥ I(L; Z|A, Y ) (11) holds for any random variable L such that L − (A, X, Y ) − (X, Z) form a Markov chain and we denote this relation as (X ≥ Z|A, Y ). (12) ➤ The set of CLN channels is shown in (Timo-Oechtering-Wigger, 2014) to be larger than the set of physically degraded channels.

G¨ unl¨ u, Schaefer, and Poor: Biometric and Physical Identifiers with Correlated Noise for Controllable Private Authentication 13

Outer Bound GS Model (II)

Theorem 2 (An Outer Bound for the GS Model)

An outer bound for the rate region Rgs for all CLN channels such that (X ≥ Z|A, Y ) and (Z ≥ Y |A, X) is the set of all tuples (Rs, Rℓ, Rw, C) satisfying 0 ≤ Rs ≤I(V ; Y |A, U) − I(V ; Z|A, U) (13) Rℓ ≥ I(X; A, V, Y )−I(X; Y |A)+I(X; Z|A) + I(U; Y |A) − I(U; Z|A) (14) Rw ≥ I( X; A) + I(V ; X|A, Y ) (15) such that U − V − (A, X) − (A, X, X) − (Y, Z) form a Markov chain and E[Γ(A)]≤C.

• It suffices to limit the cardinalities to |U|≤|A||

X|+3 and |V|≤(|A|| X|+3)(|A|| X|+2).

G¨ unl¨ u, Schaefer, and Poor: Biometric and Physical Identifiers with Correlated Noise for Controllable Private Authentication 14

Outer Bound GS Model (III)

➤ Proof Sketch: The proof requires two new lemmas:

Lemma 1

For a CLN channel (X ≥ Z|A, Y ), we have I(Xi; Xi−1|W, S, An, Y n) ≥ I(Xi; Zi−1|W, S, An, Y n), (16) I(Zi; Xi−1|W, S, An, Y n) ≥ I(Zi; Zi−1|W, S, An, Y n) (17) for i = 1, 2, . . . , n if (S, W) − ( Xn, Y n, An) − (Xn, Zn) form a Markov chain.

• Extension of Lemma 1 of (Wang-Nair, 2010), proved for less-noisy

broadcast channels (BCs).

• Fundamental for the bound on Rℓ because we define

Ui = (W, An\i, Y n

i+1, Zi−1) and Vi = (S, W, An\i, Y n i+1, Zi−1)!

G¨ unl¨ u, Schaefer, and Poor: Biometric and Physical Identifiers with Correlated Noise for Controllable Private Authentication 15

Outer Bound GS Model (IV)

Lemma 2

There exists a random variable Ď W such that (Ď W n, An, Xn, Xn, Y n, Zn) are i.i.d., Ď W − (A, X) − (A, X, X) − (Y, Z) form a Markov chain, and H(W|An, Xn, Y n) − H(W|An, Xn, Zn) = n

• H(Ď

W|A, X, Y ) − H(Ď W|A, X, Z)

• (18)

when n → ∞.

• Cannot apply the Csisz´

ar’s sum identity due to conditioning on Xn.

• The second CLN condition (Z ≥ Y |A, X) allows

H(W|An, Xn, Y n) − H(W|An, Xn, Zn) ≥ 0 in the bound for Rℓ.

G¨ unl¨ u, Schaefer, and Poor: Biometric and Physical Identifiers with Correlated Noise for Controllable Private Authentication 16

SRAM PUF Example (I)

➤ SRAM output measurement channels are binary symmetric channels (BSCs). ➤ Suppose P

X|X(·|·) ∼ BSC(penc),

(19) PZ|Y (·|·) ∼ BSC(peve), (20) PY |X

XA(·|·,

x, a) ∼ BSC(q

xa) for all

x, a ∈ {0, 1}. (21) ➤ The action cost should be higher for cases with higher hardware cost (i.e., smaller crossover probability), so choose costs of actions as Γ(0) = q01 + q11 q01 + q11 + q10 + q00 , Γ(1) = 1 − Γ(0). (22)

G¨ unl¨ u, Schaefer, and Poor: Biometric and Physical Identifiers with Correlated Noise for Controllable Private Authentication 17

SRAM PUF Example (II)

0.3 0.35 0.4 0.45 0.5 0.55 0.6 0.65 0.7 0.1 0.2 0.3 Cost C Secret-key Rate Rs Rw = 0.001 Rw = 0.050 Rw = 0.250 ➤ Larger public storage nRw available increases the maximum secret-key rate R∗

s by up to 1.22%, and significantly decreases the

required action cost to achieve R∗

s by up to 13.62%.

➤ Thus, a low-complexity PUF design with small hardware area such as our transform-coding methods (G¨ unl¨ u et al., 2018) should be used!

G¨ unl¨ u, Schaefer, and Poor: Biometric and Physical Identifiers with Correlated Noise for Controllable Private Authentication 18

Conclusion

➤ Inner bounds for the key-leakage-storage-cost regions with a cost-constrained action sequence, strong secrecy, and correlated noise components; ➤ Outer bounds for CLN channels; ➤ An action sequence significantly decreases the necessity of reliable measurements, which allows to further increase the secret-key rate; ➤ Might suffice to introduce a third auxiliary random variable for general probability distributions!

G¨ unl¨ u, Schaefer, and Poor: Biometric and Physical Identifiers with Correlated Noise for Controllable Private Authentication 19

THANK YOU!

G¨ unl¨ u, Schaefer, and Poor: Biometric and Physical Identifiers with Correlated Noise for Controllable Private Authentication 19