Rejection Sampling Schemes for Extracting Uniform Distribution from - - PowerPoint PPT Presentation

rejection sampling schemes for extracting uniform
SMART_READER_LITE
LIVE PREVIEW

Rejection Sampling Schemes for Extracting Uniform Distribution from - - PowerPoint PPT Presentation

Jun 16, 2023 414 likes •593 views

Rejection Sampling Schemes for Extracting Uniform Distribution from Biased PUFs Rei Ueno , Kohei Kazumori, and Naofumi Homma Tohoku University Background PUF circuit One PUF cell response (Latch PUF) Example of PUF signal Set wafer

slide-1
SLIDE 1

Rejection Sampling Schemes for Extracting Uniform Distribution from Biased PUFs

Rei Ueno, Kohei Kazumori, and Naofumi Homma Tohoku University

slide-2
SLIDE 2

Background

  • Physically unclonable functions (PUFs) play essential role for

constructing secure and trustable systems

  • Generate hardware-intrinsic random number like fingerprint
  • Exploit process variations for physical unclonability and tamper evidence
  • Major applications of PUF
  • Entity authentication (Strong PUF)
  • Cryptographic key generation (Weak PUF)

2

Chip #1 Chip #2 PUF circuit PUF circuit input R1 R2

Silicon wafer Even for same input and same circuit construction, PUF responses vary due to process variation (i.e., R1 ≠ R2 ≠ …) Set signal

Example of PUF (Latch PUF)

n-bit response One PUF cell

  • utputting one bit
slide-3
SLIDE 3

PUF-based key generation

  • Fuzzy extractor (FE) is commonly used for reconstructing

enrolled key from noisy PUF response

  • Helper data is stored in common nonvolatile memory (NVM)
  • NVM is usually non-tamper resistant, and helper data is considered public
  • We should consider conditional entropy for key generation
  • A s-bit key generation is realized only if

3

x

PUF KDF RNG key Helper data

s w c k

ECC encode

PUF KDF key Helper data (Noisy) ECC decode

x w c s k ́ ́

Enrollment Reconstruction (key derivation function)

slide-4
SLIDE 4

Problem of PUF bias: Entropy leakage

  • If PUF response is unbiased, (i.e., seed length)
  • But significantly decreases with PUF bias increase
  • Entropy leakage
  • If PUF is biased, random seed should be set longer than s such that
  • But required PUF size rapidly grows with PUF bias, especially when p1 > 0.58

4

Channel diagram of FE [HO17]

1 1

p1 p1 1 – p1 1 – p1 W C

p1: probability

  • f 1 in X

PUF bias p1 0.54 0.58 0.62 0.66 Bit-error rate 0.100 0.098 0.096 0.092 PUF size 1,530 2,550 5,100 13,005

PUF size required for reliable 128-bit key generation (Values are from [DGV+16])

slide-5
SLIDE 5

Debiasing

5

  • Extract unbiased bit string from

biased PUF response

  • Realize secure key generation even from

PUFs with nonnegligible biases

  • Efficiency has been evaluated through PUF

size required for reliable 128-bit key gen.

1 1 1 1 1 1 1 1 1 1 1 1

PUF response !: Debiasing data ": Debiased data $:

≠ ≠ = = ≠

PUF bias p1 PUF size FE w/o debiasing FEs w/ debiasing

Figure is based on graph in presentation slide of [DGV+16]

  • Example of debiasing: von Neumann corrector (VNC)
  • Values of 1 and 0 are extracted with an identical probability of p1p0
  • Debiasing data d is used for reproducing z at reconstruction
slide-6
SLIDE 6

Conventional debiasing-based FEs

  • Various debiasing-based FEs have been

developed for improving efficiency

  • Efficient FE reduces PUF and NVM sizes
  • How far can we go?

6

[YD10] Index-based syndrome (IBS) [LSHT10] First von Neumann corrector (VNC)- based debiasing [HMSS12] Generalized IBS

2010 2012 2014 2015 2017

[KLRW14] Report on entropy loss in PUF- based key generation [MLSW15] VNC-based FEs, first explicit solution for secure key generation from biased PUFs

2019 2016

[DGV+16] Tight bounds of min-entropy loss, motivation for debiasing [SUHA17] Ternary VNC- based FEs [S17] Trivial debiasing [AWSO17] Maskless debiasing (MD) [HO17] Coset coding (CC)-based FE, FE is modeled as wire-tap channel [USH19] Biased masking (BM)-based FE [KW19] Selection and balancing schemes for SRAM PUF

slide-7
SLIDE 7

This work

  • Acceptance-or-Rejection (AR)-based FE: New debiasing

scheme based on rejection sampling and FE construction

  • Extract uniform distribution with highest efficiency among conventional FEs
  • Implemented with solely an RNG at enrollment, and no critical additional
  • peration is required at reconstruction performed on client device
  • First FE which can tolerate local biases depending on cell addresses

(for example, found in some SRAM PUFs)

  • Extended to ternary PUF response for improved efficiency (see our paper)
  • Performance of proposed FE is evaluated through simulation
  • f 128-bit key generation in comparison with conventional FEs
  • AR-based FE achieves smallest PUF and/or NVM sizes (i.e., hardware cost)

for various PUFs

  • At most 55% and 72% smaller PUF and/or NVM sizes than counterparts

7

slide-8
SLIDE 8

Bias models

  • Global bias model
  • All bits in PUF response have an identical bias of p1 (with corresponding p0)
  • All conventional debiasing scheme employed global bias model
  • Cell-wise bias model (or local bias model)
  • Each bit has unique bias depending on cell address i
  • Expected value of biases are considered equal to global bias (i.e., )

8

1 1 1 1 PUF response x1: Local bias p1,i = 1 1 1 1 1 PUF response x2: 1 1 1 1 1 PUF response x3: 1 1 1 1 1 PUF response x4: 1 1 1 PUF response x5: i = 0 1 2 3 4 5 6 7 8 9 Grobal bias p1 = 0.44 . 3 . 2 . 7 . 9 . 3 . 4 . 5 . 2 . 1 . 8

Global and cell-wise biases

1 1 1 PUF response x1: Local bias p1,i = 1 1 1 1 PUF response x2: 1 1 1 1 PUF response x3: 1 1 1 PUF response x4: 1 1 PUF response x5: i = 1 2 3 4 5 6 7 8 9 Grobal bias p1 = 0.50 . 8 . 8 . 8 . 8 . 8 . 2 . 2 . 2 . 2 . 2 1 1 1 1 1 1 1 1 1 1

Typical example of cell-wise-based PUF

slide-9
SLIDE 9

Rejection sampling

  • Method for deriving target distribution from proposal one
  • Target distribution: Distribution which is needed, but not directly available
  • Proposal distribution: Easily available distribution
  • Application to PUF debiasing
  • Target distribution: Uniform distribution
  • Proposal distribution: PUF response (i.e., p1,i-biased Bernoulli distribution)

9

(Scaled) proposal distribution hpprop(x) Target distribution ptar(x)

Step (1): Obtain sample a from pprop(x) Step (2): Draw random number b from [0, pprop(a)]

Sample a

Step (3): Accept the sample if b < ptar(a);

  • therwise, reject it

hpprop(a)

Overview of rejection sampling

ptar(a) Accept Reject

slide-10
SLIDE 10
  • Key idea: Bit-wise rejection sampling
  • Rejection sampling is applied to i-th cell with biases p1,i, p0,i for all i
  • Expected length of debiased bit string is longer than conventional schemes

Extraction of uniform distribution from biased PUFs

10

1 Value of i-th cell Occurrence probability (Frequency) Biased PUF response as Bernoulli distribution (i.e., proposal distribution) 1 Value of i-th cell Occurrence probability (Frequency) Distribution after rejection sampling (i.e., target distribution) Rejected with probability of 1 – p0,i/p1,i p1,i Minor value is always accepted p0,i p0,i p0,i

1 1 1 1 1 1 1

PUF response

1 1 1 1 1

Debiased bit string Example of debiasing (p1,i = 0.70 for all i): “0” cells are always accepted and “1” cells are rejected (i.e., discarded) with probability of 1 – p0,i/p1,i = 0.57 Rejection sampling

reject reject reject reject

slide-11
SLIDE 11

Proposed scheme: AR-based FE

  • Reproducible rejection sampling (RRS) and accepted cell

extraction (ACE) operations are applied to PUF response

  • RRS operation generates debiased bit string and accepted

cell location (ACL) data d

  • Naïve rejection sampling is not reproducible
  • ACL data enables us to reproduce debiased bits at ACL at reconstruction
  • We proved there is no entropy leakage from pair of helper and ACL data

11

x

PUF ECC encode KDF RNG key Helper data

s w c k

RRS ACL data

d u

Enrollment of AR-based FE

PUF ECC decode KDF key Helper data (Noisy)

w c′ x′ k s

ACE ACL data

d u′

Reconstruction of AR-based FE

slide-12
SLIDE 12

RRS and ACE operations̶Implementation

  • RRS operation performs rejection sampling with reproducibility
  • First generate ACL data d, and then extract debiased bit string
  • Implemented using an RNG and bit-parallel operations in enrollment server
  • ACE operation extracts bit value of cells indicated by ACL data
  • No additional computation is required in reconstruction

12

1 1 1 1 1 1 1

Input PUF response x

1 1 1 1 1

Step (4): Obtain debiased bit string as extraction of xi with di = 1 Step (2): Generate random number r (i-th bit has a bias of min(p1,i , p0,i)/max(p1,i, p1,i))

1 1

Step (0): Generate bit- string h, where i-th bit is Boolean value of p1,i ≥ p0,i p1,i = 0.6 0.3 0.7 0.4 0.5 0.9 0.6 0.4 0.1 0.8 0.3

1 1 1

Step (1): Take bit- parallel XOR of x and h (as y)

1 1 1 1 1

Step (3): Generate ACL data as d = h ∨ r

1 1 1 1 1 1 1 1 1 1 1

slide-13
SLIDE 13

AR-based FE̶Features

  • Security
  • No entropy leakage, and s-bit random seed realizes s-bit key generation
  • Efficiency
  • Retained entropy via debiasing is given by 2mp0 (for p1 ≥ p0) from m-bit PUF

VNC [MLSW15]: 2mp1p0, (Simplest one), MD [AWSO17]: m/µ (µ ≥ 3 for most cases), and TD [S17]: 2mp0 – 2

  • Reliability
  • AR-based FE may fail enrollment if length of extracted bit string is insufficient
  • PUF size should be determined such that enrollment failure rate is smaller than threshold
  • Enrollment failure rate is feasibly calculated similarly to VNC-based FEs
  • RRS and ACE operations have no impact on bit-error rate of extracted bits
  • ECC can be designed in the same way as conventional FEs
  • Implementation aspects
  • RNG and bit-parallel operation at enrollment are required as main overhead
  • Reconstruction require no additional computationally-critical operations

13

slide-14
SLIDE 14

Performance evaluation

  • Simulate 128-bit key generation to evaluate PUF and NVM

sizes (i.e., hardware cost) for various biases and bit-error rates

  • PUF bias: 0.58̶0.90
  • Bit-error rate: 0.025̶0.100
  • ECC: BCH-repetition concatenate code
  • BCH codes with length of 7, 15, 31, 63, 127, and 255 are considered
  • Enrollment and reconstruction failure rates are set less than 10-6
  • Compared to VNC-, MD-, and BM-based FEs herein [MLSW15, AWSO17, USH19]
  • See our paper for comparison with other conventional FEs

14

[MLSW15] R. Maes et al., Secure key generation from biased PUFs, CHES 2015. [AWSO17] A. Aysu et al., A new maskless debiasing method for lightweight physical unclonable function, HOST 2017. [USH19] R. Ueno et al., Tackling biased PUFs through biased masking: A debiasing method for efficient fuzzy extractor, IEEE TC, 2019.

slide-15
SLIDE 15

Evaluation result

  • AR-based FE achieves highest efficiency for most biases and

bit-error rates

  • At most 55% smaller PUF size
  • NVM size is basically consistent with PUF size

15

Bit-error rate = 0.050 Bit-error rate = 0.100

slide-16
SLIDE 16

Concluding remarks

  • We present AR-based FE which extracts uniform distribution

from biased PUFs based on rejection sampling

  • Implemented using RNG and bit-parallel operations on enrollment server
  • Client device with PUF requires no computational overhead
  • First debiasing scheme applicable to PUFs with local biases
  • Simulation of 128-bit key generation shows that AR-based FE has higher

efficiency for most biases and bit-error rates than conventional FEs, and achieves at most 55% and/or 72% smaller PUF and NVM sizes respectively

  • Extended to ternary PUF response for improved efficiency (see our paper)
  • More efficient for many PUFs than counterparts (i.e., ternary VNC-based FEs and C-IBS)
  • Future works
  • Real-world implementation and evaluation of key generation system

based on AR-based FE

  • Extension of AR-based FE for secure reuse of PUF

16