rejection sampling schemes for extracting uniform
play

Rejection Sampling Schemes for Extracting Uniform Distribution from - PowerPoint PPT Presentation

Jun 16, 2023 •414 likes •588 views

Rejection Sampling Schemes for Extracting Uniform Distribution from Biased PUFs Rei Ueno , Kohei Kazumori, and Naofumi Homma Tohoku University Background PUF circuit One PUF cell response (Latch PUF) Example of PUF signal Set wafer

  1. Rejection Sampling Schemes for Extracting Uniform Distribution from Biased PUFs Rei Ueno , Kohei Kazumori, and Naofumi Homma Tohoku University

  2. Background PUF circuit One PUF cell response (Latch PUF) Example of PUF signal Set wafer Silicon input outputting one bit PUF circuit constructing secure and trustable systems Chip #1 Chip #2 • Physically unclonable functions (PUFs) play essential role for • Generate hardware-intrinsic random number like fingerprint • Exploit process variations for physical unclonability and tamper evidence • Major applications of PUF • Entity authentication (Strong PUF) • Cryptographic key generation (Weak PUF) R 1 n -bit R 2 Even for same input and same circuit construction, PUF responses vary due to process variation (i.e., R 1 ≠ R 2 ≠ …) 2

  3. PUF-based key generation enrolled key from noisy PUF response Reconstruction Enrollment ́ ́ • Fuzzy extractor (FE) is commonly used for reconstructing x x PUF PUF ECC s c w (Noisy) RNG Helper data encode w c s k ECC Helper data KDF key decode k KDF key (key derivation function) • Helper data is stored in common nonvolatile memory (NVM) • NVM is usually non-tamper resistant, and helper data is considered public • We should consider conditional entropy for key generation • A s -bit key generation is realized only if 3

  4. Problem of PUF bias: Entropy leakage • If PUF response is unbiased, (i.e., seed length) • But significantly decreases with PUF bias increase • Entropy leakage • If PUF is biased, random seed should be set longer than s such that • But required PUF size rapidly grows with PUF bias, especially when p 1 > 0.58 PUF size required for reliable C W 128-bit key generation 1 – p 1 0 0 (Values are from [DGV+16]) p 1 p 1 PUF 0.54 0.58 0.62 0.66 1 1 1 – p 1 bias p 1 p 1 : probability Bit-error 0.100 0.098 0.096 0.092 of 1 in X rate Channel diagram of FE [HO17] PUF size 1,530 2,550 5,100 13,005 4

  5. Debiasing = 1 0 1 ≠ ≠ = ≠ 1 PUF size FE w/o debiasing FEs w/ debiasing Figure is based on graph in presentation slide of [DGV+16] 1 0 0 0 biased PUF response 1 0 1 1 1 1 1 1 0 1 • Extract unbiased bit string from • Realize secure key generation even from PUFs with nonnegligible biases • Efficiency has been evaluated through PUF size required for reliable 128-bit key gen. PUF bias p 1 • Example of debiasing: von Neumann corrector (VNC) • Values of 1 and 0 are extracted with an identical probability of p 1 p 0 • Debiasing data d is used for reproducing z at reconstruction PUF response ! : Debiased data $ : Debiasing data ": 5

  6. Conventional debiasing-based FEs Trivial debiasing biased PUFs 2019 2016 [DGV+16] Tight bounds of min-entropy loss, motivation for debiasing [SUHA17] Ternary VNC- based FEs [S17] [AWSO17] secure key Maskless debiasing (MD) [HO17] Coset coding (CC)-based FE, FE is modeled as wire-tap channel [USH19] Biased masking (BM)-based FE [KW19] Selection and balancing schemes generation from solution for for SRAM PUF 2010 developed for improving efficiency [YD10] Index-based syndrome (IBS) [LSHT10] First von Neumann corrector (VNC)- based debiasing [HMSS12] Generalized first explicit IBS 2012 2014 2015 2017 [KLRW14] Report on entropy loss in PUF- based key generation [MLSW15] VNC-based FEs, • Various debiasing-based FEs have been • Efficient FE reduces PUF and NVM sizes • How far can we go? 6

  7. This work scheme based on rejection sampling and FE construction of 128-bit key generation in comparison with conventional FEs • Acceptance-or-Rejection (AR)-based FE: New debiasing • Extract uniform distribution with highest efficiency among conventional FEs • Implemented with solely an RNG at enrollment, and no critical additional operation is required at reconstruction performed on client device • First FE which can tolerate local biases depending on cell addresses (for example, found in some SRAM PUFs) • Extended to ternary PUF response for improved efficiency (see our paper) • Performance of proposed FE is evaluated through simulation • AR-based FE achieves smallest PUF and/or NVM sizes (i.e., hardware cost) for various PUFs • At most 55% and 72% smaller PUF and/or NVM sizes than counterparts 7

  8. Bias models Global and cell-wise biases Typical example of cell-wise-based PUF • Global bias model • All bits in PUF response have an identical bias of p 1 (with corresponding p 0 ) • All conventional debiasing scheme employed global bias model • Cell-wise bias model (or local bias model) • Each bit has unique bias depending on cell address i • Expected value of biases are considered equal to global bias (i.e., ) i = 0 1 2 3 4 5 6 7 8 9 i = 0 1 2 3 4 5 6 7 8 9 0 0 0 0 0 0 0 0 0 0 3 2 7 9 3 4 5 2 1 8 Local bias p 1, i = Grobal bias p 1 = 0.44 . . . . . . . . . . 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 8 8 8 8 8 2 2 2 2 2 Local bias p 1, i = Grobal bias p 1 = 0.50 . . . . . . . . . . 0 0 0 0 0 0 0 0 0 0 PUF response x 1 : 0 0 1 1 0 0 1 0 0 1 PUF response x 1 : 0 1 1 1 0 0 0 0 0 1 PUF response x 2 : 0 0 0 1 1 1 1 1 0 0 PUF response x 2 : 1 1 0 0 0 1 1 1 1 0 PUF response x 3 : 1 0 1 1 0 0 0 0 1 1 PUF response x 3 : 1 0 1 1 1 1 0 0 0 1 0 PUF response x 4 : 0 1 0 1 0 1 1 0 0 1 PUF response x 4 : 1 1 1 1 1 0 1 0 0 0 PUF response x 5 : 0 0 1 1 0 0 0 0 0 1 PUF response x 5 : 1 0 1 1 1 0 0 0 0 0 8

  9. Rejection sampling (Scaled) proposal Accept Overview of rejection sampling otherwise, reject it distribution Target Reject • Method for deriving target distribution from proposal one • Target distribution: Distribution which is needed, but not directly available • Proposal distribution: Easily available distribution distribution hp prop ( x ) Step (1): Obtain sample a from p prop ( x ) hp prop ( a ) Step (2): Draw random number b from [0, p prop ( a )] p tar ( x ) p tar ( a ) Step (3): Accept the sample if b < p tar ( a ) ; Sample a • Application to PUF debiasing • Target distribution: Uniform distribution • Proposal distribution: PUF response (i.e., p 1, i -biased Bernoulli distribution) 9

  10. reject “1” cells are rejected (i.e., discarded) with Debiased always accepted Minor value is bit string “0” cells are always accepted and probability of Rejected with (i.e., target distribution) rejection sampling Distribution after (Frequency) Occurrence probability 1 PUF 0 (i.e., proposal distribution) as Bernoulli distribution Biased PUF response (Frequency) Occurrence probability Rejection 1 0 sampling Extraction of uniform distribution from biased PUFs reject response • Key idea: Bit-wise rejection sampling • Rejection sampling is applied to i -th cell with biases p 1, i , p 0, i for all i • Expected length of debiased bit string is longer than conventional schemes 1 1 1 0 1 1 1 0 1 1 0 reject reject 1 – p 0, i / p 1, i 1 0 1 0 1 0 1 p 0, i p 0, i p 0, i p 1, i Example of debiasing ( p 1, i = 0.70 for all i ): Value of i -th cell Value of i -th cell probability of 1 – p 0, i / p 1, i = 0.57 10

  11. Proposed scheme: AR-based FE Enrollment of AR-based FE Reconstruction of AR-based FE extraction (ACE) operations are applied to PUF response • Reproducible rejection sampling (RRS) and accepted cell x x′ PUF PUF (Noisy) d RRS ACL data d ACL data ACE u ECC s c w u′ Helper data RNG encode ECC w c′ s k Helper data KDF key decode k KDF key • RRS operation generates debiased bit string and accepted cell location (ACL) data d • Naïve rejection sampling is not reproducible • ACL data enables us to reproduce debiased bits at ACL at reconstruction • We proved there is no entropy leakage from pair of helper and ACL data 11

  12. RRS and ACE operations̶Implementation Input PUF Step (4) : Obtain debiased bit string Step (3) : Generate ACL data as Step (1) : Take bit- Step (0) : Generate bit- • RRS operation performs rejection sampling with reproducibility • First generate ACL data d , and then extract debiased bit string • Implemented using an RNG and bit-parallel operations in enrollment server Step (2) : Generate random number r p 1, i = 0.6 0.3 0.7 0.4 0.5 0.9 0.6 0.4 0.1 0.8 0.3 ( i -th bit has a bias of min( p 1, i , p 0, i )/max( p 1, i , p 1, i ) ) 1 1 0 1 1 0 1 0 1 1 0 1 1 1 0 1 1 1 0 0 1 0 response x d = h ∨ r 1 0 1 0 1 1 1 0 0 1 0 1 1 0 1 1 1 0 0 1 1 0 string h , where i -th bit is Boolean value of p 1, i ≥ p 0, i as extraction of x i with d i = 1 0 0 0 1 1 0 0 0 0 0 0 1 0 1 0 1 0 1 parallel XOR of x and h (as y ) • ACE operation extracts bit value of cells indicated by ACL data • No additional computation is required in reconstruction 12

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Sampling Methods CMSC 678 UMBC Outline Recap Monte Carlo methods Sampling Techniques Uniform

Sampling Methods CMSC 678 UMBC Outline Recap Monte Carlo methods Sampling Techniques Uniform

Approximate Inference: Sampling Methods CMSC 678 UMBC Outline Recap Monte Carlo methods Sampling Techniques Uniform sampling Importance Sampling Rejection Sampling Metropolis-Hastings Gibbs sampling Example: Collapsed Gibbs Sampler for

1.03k views • 71 slides
Sampling Methods Oliver Schulte - CMPT 419/726 Bishop PRML Ch. 11 Sampling Rejection Sampling

Sampling Methods Oliver Schulte - CMPT 419/726 Bishop PRML Ch. 11 Sampling Rejection Sampling

Sampling Rejection Sampling Importance Sampling Markov Chain Monte Carlo Sampling Methods Oliver Schulte - CMPT 419/726 Bishop PRML Ch. 11 Sampling Rejection Sampling Importance Sampling Markov Chain Monte Carlo Recall Inference For

573 views • 41 slides
From Identification using Rejection Sampling to Signatures via the Fiat-Shamir Transform:

From Identification using Rejection Sampling to Signatures via the Fiat-Shamir Transform:

From Identification using Rejection Sampling to Signatures via the Fiat-Shamir Transform: Application to the BLISS Signature Pauline Bert and Adeline Roux-Langlois Journes C2 2018 Univ Rennes, CNRS, IRISA 1 Contribution Fiat-Shamir

326 views • 19 slides
Adaptive rejection Metropolis sampling Dr. Jarad Niemi STAT 615 - Iowa State University November

Adaptive rejection Metropolis sampling Dr. Jarad Niemi STAT 615 - Iowa State University November

Adaptive rejection Metropolis sampling Dr. Jarad Niemi STAT 615 - Iowa State University November 14, 2017 Jarad Niemi (STAT615@ISU) Adaptive rejection Metropolis sampling November 14, 2017 1 / 20 (Logarithmically) Concave Univariate Function

620 views • 20 slides
CS786 Lecture 13: May 14, 2012 Sampling techniques [KF Chapter 12] CS786 P. Poupart 2012 1

CS786 Lecture 13: May 14, 2012 Sampling techniques [KF Chapter 12] CS786 P. Poupart 2012 1

10/07/2012 CS786 Lecture 13: May 14, 2012 Sampling techniques [KF Chapter 12] CS786 P. Poupart 2012 1 Sampling Techniques Direct sampling Rejection sampling Likelihood weighting Importance sampling Markov chain Monte Carlo

295 views • 18 slides
Rejection Sampling Variational Inference Karan Grewal CSC2547 / STA4273 Overview Variational

Rejection Sampling Variational Inference Karan Grewal CSC2547 / STA4273 Overview Variational

Rejection Sampling Variational Inference Karan Grewal CSC2547 / STA4273 Overview Variational Inference Interested in computing posterior , but it is often intractable parametrize a variational family of distributions to

623 views • 12 slides
7 STEPS TO CRUSHING YOUR #REJECTION &amp; GETTING BACK ON TRACK - FAST!

7 STEPS TO CRUSHING YOUR #REJECTION &amp; GETTING BACK ON TRACK - FAST!

7 STEPS TO CRUSHING YOUR #REJECTION &amp; GETTING BACK ON TRACK - FAST! www.bulletproofactor.com www.actonthis.tv #REJECTION DEALING WITH REJECTION, IS PROBABLY ONE OF THE HARDEST TASKS FOR AN ACTOR. OUR INDUSTRY IS RIFE WITH REJECTION,

727 views • 13 slides
Uniform Sampling of SAT Solutions for Configurable Systems: Are We There Yet? Gilles Perrouin

Uniform Sampling of SAT Solutions for Configurable Systems: Are We There Yet? Gilles Perrouin

Uniform Sampling of SAT Solutions for Configurable Systems: Are We There Yet? Gilles Perrouin gilles.perrouin@unamur.be @GPerrouin Journe GLE / LOUISE / RIMEL - GDR GPL CNRS - Talence 12 Avril 2019 gilles.perrouin@unamur.be 1 Uniform

361 views • 24 slides
Global Illumination Multi-Sampling Path Tracing Simple Sampling Josef talked about all of

Global Illumination Multi-Sampling Path Tracing Simple Sampling Josef talked about all of

Global Illumination Multi-Sampling Path Tracing Simple Sampling Josef talked about all of the details behind signals and sampling For assignment purposes, things will be a bit simpler Sampling techniques Uniform Random

546 views • 42 slides
Generation of Non-Uniform Random Numbers Generation of Non-Uniform Random Numbers Refs: Chapter 8

Generation of Non-Uniform Random Numbers Generation of Non-Uniform Random Numbers Refs: Chapter 8

Generation of Non-Uniform Random Numbers Generation of Non-Uniform Random Numbers Refs: Chapter 8 in Law and book by Devroye (watch for typos) Acceptance-Rejection Convolution Method Composition Method Peter J. Haas Alias Method Random

228 views • 6 slides
Uniform Sampling of Subshifts of Finite Type Ir` ene Marcovici With the support of the European

Uniform Sampling of Subshifts of Finite Type Ir` ene Marcovici With the support of the European

Uniform Sampling of Subshifts of Finite Type Ir` ene Marcovici With the support of the European INTEGER project Institut Elie Cartan de Lorraine, Universit e de Lorraine, Nancy, France AofA15, Strobl Monday 8 June 2015 Ir` ene

896 views • 74 slides
Generation of Non-Uniform Random Numbers Refs: Chapter 8 in Law and book by Devroye (watch for

Generation of Non-Uniform Random Numbers Refs: Chapter 8 in Law and book by Devroye (watch for

Generation of Non-Uniform Random Numbers Refs: Chapter 8 in Law and book by Devroye (watch for typos) Peter J. Haas CS 590M: Simulation Spring Semester 2020 1 / 21 Generation of Non-Uniform Random Numbers Acceptance-Rejection Convolution

322 views • 21 slides
Uniform sampling of a feasible set of model parameters Wenyu Li Arun Hegde Jim Oreluk Andrew

Uniform sampling of a feasible set of model parameters Wenyu Li Arun Hegde Jim Oreluk Andrew

Uniform sampling of a feasible set of model parameters Wenyu Li Arun Hegde Jim Oreluk Andrew Packard Michael Frenklach SIAM UQ18 APRIL 17, 2018 Acknowledgements This work is supported as a part of the CCMSC at the University of Utah,

567 views • 17 slides
Spatiotemporal trade-off for quasi-uniform sampling of evolving signals Jacqueline Davis joint

Spatiotemporal trade-off for quasi-uniform sampling of evolving signals Jacqueline Davis joint

Spatiotemporal trade-off for quasi-uniform sampling of evolving signals Jacqueline Davis joint work with Akram Aldroubi and Ilya Krishtal Vanderbilt University Department of Mathematics September 9, 2014 B(Bx) ? Bx x x The General

322 views • 16 slides
Uniform Sampling through the Lovsz Local Lemma Heng Guo Berkeley, Jun 06 2017 Queen Mary,

Uniform Sampling through the Lovsz Local Lemma Heng Guo Berkeley, Jun 06 2017 Queen Mary,

Uniform Sampling through the Lovsz Local Lemma Heng Guo Berkeley, Jun 06 2017 Queen Mary, University of London 1 Draft: arxiv.org/abs/1611.01647 2 Joint with Mark Jerrum (QMUL) and Jingcheng Liu (Berkeley) A tale of two algorithms (Moser

1.63k views • 133 slides
Acceptance-Rejection method The acceptance-rejection method is usually used when the inverse

Acceptance-Rejection method The acceptance-rejection method is usually used when the inverse

Acceptance-Rejection Method Acceptance-Rejection method The acceptance-rejection method is usually used when the inverse transform method is not directly applicable or is inefficient. To simulate a sample x of X with pdf f X . Aim: 1 Consider a

930 views • 26 slides
CSE 473: Artificial Intelligence Bayesian Networks: Inference Hanna Hajishirzi Many slides over

CSE 473: Artificial Intelligence Bayesian Networks: Inference Hanna Hajishirzi Many slides over

CSE 473: Artificial Intelligence Bayesian Networks: Inference Hanna Hajishirzi Many slides over the course adapted from either Luke Zettlemoyer, Pieter Abbeel, Dan Klein, Stuart Russell or Andrew Moore 1 Outline Bayesian Networks

539 views • 24 slides
Introduction to Machine Learning CMU-10701 Markov Chain Monte Carlo Methods Barnabs Pczos

Introduction to Machine Learning CMU-10701 Markov Chain Monte Carlo Methods Barnabs Pczos

Introduction to Machine Learning CMU-10701 Markov Chain Monte Carlo Methods Barnabs Pczos &amp; Aarti Singh Contents Markov Chain Monte Carlo Methods Goal &amp; Motivation Sampling Rejection Importance Markov

1.16k views • 70 slides
Strategic Partnerships to Create Inclusive Career Pathways Tuesday, March 10th, 2020 3:00 PM -

Strategic Partnerships to Create Inclusive Career Pathways Tuesday, March 10th, 2020 3:00 PM -

Strategic Partnerships to Create Inclusive Career Pathways Tuesday, March 10th, 2020 3:00 PM - 4:00 PM EDT Captioning and Housekeeping Open the captioning web page in a new browser. You can click the link posted in the Chat box. The link

530 views • 30 slides
FY2019 Budget Introduction/Overview Douglas DiVello, CEO Stephen Brown, CFO Dr.

FY2019 Budget Introduction/Overview Douglas DiVello, CEO Stephen Brown, CFO Dr.

FY2019 Budget Introduction/Overview Douglas DiVello, CEO Stephen Brown, CFO Dr. Christopher Schmidt, CMO Crystal Mansfield, Director of Rehabilitation 2 What is ? A 19-bed Critical Access Hospital A Rural Health Clinic

313 views • 19 slides
Sampling from PDFs II CS295, Spring 2017 Shuang Zhao Computer Science Department University of

Sampling from PDFs II CS295, Spring 2017 Shuang Zhao Computer Science Department University of

Sampling from PDFs II CS295, Spring 2017 Shuang Zhao Computer Science Department University of California, Irvine CS295, Spring 2017 Shuang Zhao 1 Announcements Additional readings on the course website Homework 1 due this Thursday

924 views • 32 slides
CS 4100: Artificial Intelligence Bayes Nets: Sampling Jan-Willem van de Meent, Northeastern

CS 4100: Artificial Intelligence Bayes Nets: Sampling Jan-Willem van de Meent, Northeastern

CS 4100: Artificial Intelligence Bayes Nets: Sampling Jan-Willem van de Meent, Northeastern University [These slides were created by Dan Klein and Pieter Abbeel for CS188 Intro to AI at UC Berkeley. All CS188 materials are available at

304 views • 14 slides
Inference Connecting models to data The problem with infection data Often only observe a

Inference Connecting models to data The problem with infection data Often only observe a

Inference Connecting models to data The problem with infection data Often only observe a proportion of reality Hospitalised case data gives you those who had severe infection Symptom onsets are observed but infection times are not Or

715 views • 45 slides
RIP to HIP: The Data Reject Heterogeneous Labor Income Profiles Dmytro Hryshko Econ 312, Spring

RIP to HIP: The Data Reject Heterogeneous Labor Income Profiles Dmytro Hryshko Econ 312, Spring

Introduction Models Empirical Part Conclusion Monte Carlo Design RIP to HIP: The Data Reject Heterogeneous Labor Income Profiles Dmytro Hryshko Econ 312, Spring 2019 Hryshko RIP to HIP Introduction Models Empirical Part Conclusion

619 views • 44 slides

More recommend