Authentication system and device including physical unclonable function and threshold cryptography

Description

FIELD OF THE INVENTION

This disclosure relates generally to hardware verification, and in particular but not exclusively, to binding authentication to protect against tampering and subversion by substitution.

BACKGROUND OF THE INVENTION

The unique properties of PUFs provide several advantages to cryptographic constructions. In general, PUFs may provide some or all of three main advantages: (1) eliminating private key storage, (2) providing tamper detection, and (3) establishing a hardware root-of-trust. Private key storage can be eliminated by evaluating a PUF to dynamically regenerate a value unique to an identified piece of hardware having that PUF. As to tamper detection, a PUF's unclonable properties (e.g., wire delays, resistance) may be such that modification to the PUF irreversibly alters the PUF's mapping from challenges (inputs) to responses (outputs) after enrollment (however, not against malicious modifications before enrollment, e.g., Becker et al., “Stealthy Dopant-Level Hardware Trojans,” Cryptographic Hardware and Embedded Systems—CHES 2013, volume 8086 of Lecture Notes in Computer Science, pages 197-214, Springer, 2013). These PUF properties may be used to produce a hardware-unique, tamper-protected value from which a hardware root-of-trust can be established.

Literature on physical unclonable functions evaluates the properties of PUF hardware design (e.g., Gassend et al., “Silicon Physical Random Functions,” Proceedings of the 9th ACM conference on Computer and communications security, CCS '02, pages 148-160, ACM, 2002; Katzenbeisser et al., “PUFs: Myth, Fact or Busted A Security Evaluation of Physically Unclonable Functions (PUFs) Cast in Silicon,” Cryptographic Hardware and Embedded Systems—CHES '12, pages 283-301, Springer, 2012; Ravikanth, Physical one-way functions, Ph.D. thesis, 2001; Rührmair et al., “Applications of High-Capacity Crossbar Memories in Cryptography,” IEEE Trans. Nanotechnol., volume 10, no. 3:489-498, 2011; Suh et al., “Physical Unclonable Functions for Device Authentication and Secret Key Generation,” Proceedings of the 44 th annual Design Automation Conference, DAC '07, pages 9-14, ACM, 2007; Yu et al., “Recombination of Physical Unclonable Functions,” GOMACTech, 2010), provides formal theoretical models of PUF properties, and designs protocols around those definitions (cf. Armknecht et al., “A Formalization of the Security Features of Physical Functions,” Proceedings of the 2011 IEEE Symposium on Security and Privacy, SP '11, pages 397-412, IEEE Computer Society, 2011; Brzuska et, ah, “Physically Uncloneable Functions in the Universal Composition Framework,” Advances in Cryptology—CRYPTO 2011—31st Annual Cryptology Conference, volume 6841 of Lecture Notes in Computer Science, page 51, Springer, 2011; Frikken et al., “Robust Authentication using Physically Unclonable Functions,” Information Security, volume 5735 of Lecture Notes in Computer Science, pages 262-277, Springer, 2009; Handschuh et al., “Hardware Intrinsic Security from Physically Unclonable Functions,” Towards Hardware-Intrinsic Security, Information Security and Cryptography, pages 39-53, Springer, 2010; Kirkpatrick et al., “PUF ROKs: A Hardware Approach to Read-Once Keys,” Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security, ASIACCS '11, pages 155-164, ACM, 2011; Parai et al., “Reliable and Efficient PUF-based Key Generation using Pattern Matching,” IEEE International Symposium on Hardware-Oriented Security and Trust (HOST), pages 128 -133, 2011; Rührmair et al., “PUFs in Security Protocols: Attack Models and Security Evaluations,” 2013 IEEE Symposium on Security and Privacy, volume 0:286-300, 2013; van Dijk et al., “Physical Unclonable Functions in Cryptographic Protocols: Security Proofs and Impossibility Results,” Cryptology ePrint Archive, Report 2012/228, 2012; Wu et al., “On Foundation and Construction of Physical Unclonable Functions,” 2010; Yu et al., “Lightweight and Secure PUF Key Storage using Limits of Machine Learning,” Proceedings of the 13th international conference on Cryptographic Hardware and Embedded Systems, CHES'11, pages 358-373, Springer, 2011).

Prior art PUF-based protocols fall into two broad categories: (1) a simple challenge-response provisioning process like the one described below in Protocol 3, or (2) cryptographic augmentation of a device's PUF response such that the raw PUF output never leaves the device. These approaches may require external entities to handle auxiliary information (e.g., challenges and their associated helper data) that is unsupported or superfluous in existing public key cryptography standards, and/or involve a hardware device authenticating to a challenge applied during an initial enrollment process, and/or are premised on the hardware device always recovering essentially the same response to a given challenge.

While a given challenge-response pair reflects the hardware state of a device when the pair was collected, the device will age and its hardware state drift over time. As the PUF hardware ages, the number of errors present in the responses may increase. Maiti et al. (“The Impact of Aging on an FPGA-Based Physical Unclonable Function,” International Conference on Field Programmable Logic and Applications (FPL), pages 151-156, 2011) study the effects of simulated aging on PUF hardware by purposefully stressing the devices beyond normal operating conditions. By varying both temperature and voltage, the authors were able to show a drift in the intra-PUF variation that, over time, will lead to false negatives. Maiti et al. note that the error drift strictly affected the intra-PUF error rate distribution tending towards the maximum entropy rate of 50%. After enough time elapses, the hardware device may no longer be able to recover the proper response for the enrolled challenge.

For example, assume that a specific challenge c_iis issued to a device during enrollment, with the device returning a public token {commitment_i, helper_i} that links the device's hardware identity with the challenge c. To be authenticated, the device uses the pair {c_i, helper_i} to recover its private identity custom character _i^priv. As shown in FIG. 10, over time the PUF hardware may reach a time (e.g., at time τ=5 in the example of FIG. 10, which for simplicity assumes a drift that occurs linearly over time) at which hardware aging has increased the errors beyond the device's error correction limit, and the device is no longer able to reliably regenerate its private key.

Kirkpatrick et al. (“Software Techniques to Combat Drift in PUF-based Authentication Systems,” Workshop on Secure Component and System Identification, 2010) describe a method for detecting hardware aging drift, and responding by updating the device's challenge-commitment pair stored on an external server. This approach requires that the server maintain auxiliary information in the form of challenge-commitment pairs, however, and that a periodic protocol be executed between the server and the device.

Another challenge facing PUF-based systems is side channel attacks, which seek to observe and analyze auxiliary environmental variables to deduce information about the sensitive PUF output. For example, electromagnetic (EM) analysis (e.g., Merli et al., “Semi-invasive EM Attack on FPGA RO PUFs and Countermeasures,” Proceedings of the Workshop on Embedded Systems Security, WESS '11, pages 2:1-2:9, ACM, 2011; Merli et al., “Side-Channel Analysis of PUFs and Fuzzy Extractors,” Trust and Trustworthy Computing, volume 6740 of Lecture Notes in Computer Science, pages 33-47, Springer, 2011; Schuster, Side-Channel Analysis of Physical Unclonable Functions (PUFs), Master's thesis, Technische Universitat. Munchen, 2010) extracts PUF output bits by observing changing EM fields during device operation. Another side channel attack methodology is (simple or differential) power analysis (e.g., Karakoyunlu et al., “Differential template attacks on PUF enabled cryptographic devices,” IEEE International Workshop on Information Forensics and Security (WIFS), pages 1-6, 2010; Kocher et al., “Introduction to Differential Power Analysis,” Cryptography Research, Inc., 2011; Kocher et al., “Differential Power Analysis,” Proceedings of the 19th Annual International Cryptology Conference on Advances in Cryptology, CRYPTO '99, pages 388-397, Springer, 1999; Rührmair et al., “Power and Timing Side Channels for PUFs and their Efficient Exploitation,” 2013), where power traces are collected from a device and analyzed to extract sensitive information (e.g., PUF output bits). Over many observations of a device recovering essentially the same response to a fixed challenge, an adversary can discover the sensitive PUF output.

While it is known that the effectiveness of side channel attacks may in some systems be reduced by introducing randomness (Coron, “Resistance Against Differential Power Analysis For Elliptic Curve Cryptosystems,” Cryptographic Hardware and Embedded Systems, volume 1717 of Lecture Notes in Computer Science, pages 292-302, Springer, 1999), disguising sensitive values in this way may leave some vulnerability since the underlying values remain static and/or introduce additional complexity and/or processing overhead.

SUMMARY OF THE INVENTION

In an authentication system according to the present invention, a PUF's challenge-response behavior may be internalized and used to maintain shares of a private key. This approach may be implemented such that a PUF-enabled hardware device can execute arbitrary threshold cryptographic operations (e.g., decryption, digital signature generation, zero knowledge proofs) without ever generating, reconstructing, or storing a private key. It may also be implemented so as to eliminate the need for any external entity to issue challenges and store helper data for a device, and/or so as to enable PUF-based protocols that an external entity cannot distinguish from standard public key protocols. In one embodiment, a device may be equipped with a root-of-trust such as a PUF and configured to periodically refresh all sensitive values that must be generated, recovered, or processed by the device. This may be employed to mitigate PUF aging and/or side-channel attacks. The threshold share operations may be staggered such that one share always remains stored.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a functional diagram of a device having a single PUF circuit and two threshold shares;

FIG. 2 is a functional diagram of a device having dual PUF circuits;

FIG. 3 is a graph illustrating an attempt to interpolate an example polynomial P(x) of degree d=3 given only one point, which fails as at least d+1 points are needed:

FIG. 4 illustrates a failed attempt to interpolate the same polynomial P(x) given two points;

FIG. 5 illustrates a failed attempt to interpolate the same polynomial P(x) given three points;

FIG. 6 illustrates a successful interpolation of P(x) given four points;

FIG. 7 is an operational flowchart of enrollment of a device like that of FIG. 2 in an embodiment of the invention:

FIG. 8 is an operational flowchart of threshold cryptographic operations in a device like that of FIG. 2 in an embodiment of the invention;

FIG. 9 is an operational flowchart of the staggered threshold operations;

FIG. 10 is a graph illustrating errors over time in PUF output for a fixed challenge;

FIG. 11 is a graph illustrating errors over time in PUF output with an updated challenge-helper pair for τ=1;

FIG. 12 is a graph illustrating errors over time in PUF output, with pair refreshing establishing a bounded PUF error rate;

FIG. 13 is a diagram depicting a batch PUF processing center; and

FIG. 14 is a diagram depicting joint identity from composite elements.

DETAILED DESCRIPTION OF EMBODIMENTS

The present invention is described with reference to the example of an embodiment utilizing elliptic curve cryptography (including the associated terminology and conventions), but the inventive concept and teachings herein apply equally to various other cryptographic schemes such as ones employing different problems like discrete logarithm or factoring (in which regard the teachings of U.S. Pat. No. 8,918,647 are incorporated here by reference), and the invention is not limited by the various additional features described herein that may be employed with or by virtue of the invention. Before setting forth details of the invention, basic handling of PUF output, modeling assumptions, and primitives for PUF-based cryptographic schemes and threshold cryptography applicable to the example embodiment are described.

PUF output is noisy in that it varies slightly despite evaluating the same input. This is generally addressed with fuzzy extraction, a method developed to eliminate noise in biometric measurements. (See Juels et al., “A Fuzzy Commitment Scheme,” Proceedings of the 6th ACM conference on Computer and Communications Security, CCS '99, pages 28-36, ACM, 1999). Fuzzy extraction may in part be employed within a device having a PUF such as within an auxiliary control unit, such that the output is constant for a fixed input. Fuzzy extraction (or reverse fuzzy extraction) may for example employ a “secure sketch,” as described by Juels et al.

A secure sketch SS for input string O, where ECC is a binary (n, k, 2t+1) error correcting code of length n capable of correcting t errors and V←{0,1}^kis a k-bit value, may be defined as SS(O; V)=O⊕ECC(V). This definition can be used to build a Gen algorithm, which outputs a set custom character V, P, where V is the value to be reconstructed and P is a helper string (which may be public) that is used to recover V.

Algorithm 1 Gen Algorithm

Input : A finite field custom character

_nof order n; A challenge c

O ← PUF(c)

V ∈ custom character

_n

P ← O ⊕ ECC(V)

return custom character

V, P

Correspondingly, a Rep algorithm can be defined such that, on input O′ within a maximum Hamming distance t of O, the original value V may be recovered. Rep(O′, P), where D is the decoding scheme for the binary (n, k, 2t+1) error-correcting code ECC and O′ is an input such that dist(O,O′)≤t, can be defined as:

$\begin{matrix} Rep (O^{'}, P) = D (P \oplus O^{'}) \\ = D (O \oplus ECC (V) \oplus O^{'}) \\ = V \end{matrix}$

This definition can then be used to build a Rep algorithm that allows a PUF output O′ that differs from the original output O by at most t to reproduce output V such that Rep(O′)=V using the helper string P=O⊕ECC(V):

Algorithm 2 Rep Algorithm

Input : A challenge c, Helper string P

O′ ← PUF(c)

V ← D(P ⊕ O′)

return V

Gen and Rep algorithms such as these may be used in PUF-based protocols to ensure that the same value V is recovered so long as the PUF outputs O, O′ differ by at most t bits.

It is desirable that an adversary cannot predict a device's PUF response r for a challenge c with more than negligible probability (at least without physical access to the device), and that helper data does not reveal anything to an adversary about PUF responses. In assessing these security aspects, the following entities may be considered: a set of servers custom character , where each server s_i∈ authentication of devices on its system; a set of devices d_i∈, each with an embedded PUF; and an adversary that wishes to masquerade as a legitimate device d_i∈ to obtain resources stored on some subset of the servers ′⊆. It may be assumed that all entities are bound to probabilistic polynomial-time (PPT), i.e., can only perform computation requiring polynomially many operations with respect to a global security parameter λ (which refers to the number of bits in the relevant parameter). Computation requiring exponentially many operations with respect to λ is not efficient for the agents, and will succeed with only negligible probability.

Games can be employed to assess a PPT adversary's advantage in (1) predicting a PUF's output, and (2) distinguishing helper data from a truly random string. It is sufficient to require that an adversary's advantage in a game is negligible with respect to the security parameter of the protocol, where a function ƒ(x): custom character is negligible if for every positive polynomial (⋅) and sufficiently large x, the absolute value of ƒ(x) is less than 1/(x). Although we describe exemplary games for capturing properties (1) and (2), they may be substituted for other game formulations designed to capture the concepts.

The unpredictability of a PUF can be assessed through the following game between an adversary custom character and a PUF device P: {0,1}^κ¹>{0,1}^κ²mapping input strings from the challenge space _Pp of length κ₁to the response space _Pof length κ₂where λ is the security parameter for the protocol, given in unary as 1^λ.

Protocol 1: PUF - PRED: PUF Prediction Game

Adversary custom character

PUF Device P

(1)
c_i∈ custom character

_P⊂

_P,
→

0 ≤ i ≤ poly(λ)

←
r_i= P(c_i) ∈ custom character

_P
(2)

custom character

_P⊂

_P,

0 ≤ i ≤ poly(λ)

(3)
Challenge c custom character

_P
→

(4)
c′_i∈ custom character

_P′ ⊂

_P,
→

c custom character

_P′,

0 ≤ i ≤ poly(λ)

←
r′_i= P(c_i′) ∈ custom character

_P′
(5)

custom character

_P′ ⊂

_P,

0 ≤ i ≤ poly(λ)

(6)
Guess r’ custom character

P(c)
→

The game proceeds as follows:

1. The adversary custom character issues polynomially many (w.r.t. the security parameter λ) challenges c_i∈_Pthe PUF device P, where the challenge set _Pis a proper subset of the entire challenge space _P.

2. The PUF device P returns the responses {r_i|r_i←P(c_i)} to custom character .

3. The adversary custom character eventually outputs a challenge c that was not in the original set of challenge queries _P. The adversary is not allowed to query the PUF device P on the committed challenge c.

4. The adversary custom character may once again issue a new set of polynomially many challenges c′_i∈′_Pto the PUF device P. The adversary is not allowed to query the PUF device P on the committed challenge c.

5. The PUF device P returns the responses {r′_i|r′_i←P(c′_i)} to custom character .

6. The adversary custom character eventually outputs a guess r′ for P's response to the committed challenge c.

The probability of the adversary custom character guessing the correct response of the PUF P to the challenge c is then ^-PREDκ₂):=Pr[r=r′]. That is, the adversary only wins the game when 's guess r′ is equal to P's actual response r←P(c) to 's committed challenge c. (Technically, the PUF's output is noisy and will vary slightly on any fixed input; thus, the equality is taken with respect to the output of a fuzzy extractor (e.g., Dodis et al.)).

In the PUF indistinguishability game, an adversary custom character is asked to differentiate between the output r of the fuzzy extractor for a PUF P and a randomly chosen string s∈ of the same length .

Protocol 2: PUF - IND: PUF Indistinguishability Game

Adversary custom character

PUP Device P

(1)
c_i∈ custom character

⊂

_P,
→
(R_i, H_i) ←

0 ≤ i ≤ poly(λ)

Gen(r_i= P(c))

←
H_i∈ custom character

_P⊂

_P,
(2)

0 ≤ i ≤ poly(λ)

(3)
c_i∈ custom character

⊂

_P,
→

0 ≤ i ≤ poly(λ)

←
R_i∈ custom character

_P⊂

_P,
(4)

0 ≤ i ≤ poly(λ)

(5)
Challenge c custom character

→
b ∈ {0, 1}

←
b(s ∈ {0, 1 custom character

+
(6)

(1 − b)(R_i),

R_i= Rep(P(c), H_i)

(7)
c′_i∈ custom character

⊂

_P,
→

c ≠ c′_i,

0 ≤ i ≤ poly(λ)

←
R′_i∈ custom character

_P⊂

_P,
(8)

0 ≤ i ≤ poly(λ)

(9)
Guess b' custom character

b
→

This game proceeds as follows:

1. Adversary custom character executes the enrollment phase on any challenge c_i∈_P.

2. The PUF device returns the corresponding helper string H_ifrom the output of Gen. Denote this set of challenge-helper pairs (c_i, H_i) as custom character .

3. Adversary custom character now requests the PUF response r_i=P(c_i) for any c_i∈. Denote the set of requested challenges in this step .

4. For all requests c_i∈ custom character , the PUF device returns the set {r_i|r_i←P(c_i)}.

5. Adversary custom character selects a challenge c∉, such that has H_ibut not R_ifor c. The PUF device chooses a bit b∈{0,1} uniformly at random.

6. If b=0, custom character is given R_i=Rep(P(c)=r_i, H_i). Otherwise, if b=1 then is given a random string s∈{0,1}^l.

7. Adversary custom character is allowed to query the PUF device for c′_i∈ so long as no c′_i=c.

8. For all requests c′_i≠, the PUF device returns the set {r′_i|r′_i←P(c′_i)}.

9. The adversary outputs a guess bit b′, and succeeds when b′=b.

Types of PUFs

Rührmair et al. (“Modeling Attacks on Physical Unclonable Functions,” Proceedings of the 17th ACM conference on Computer and communications security, CCS '10, pages 237-249, ACM, 2010) define three distinct classes of PUF devices:

1. A Weak PUF is typically used only to derive a secret key. The challenge space may be limited, and the response space is assumed to never be revealed. Typical constructions include the SRAM (Holcomb et al., “Initial SRAM State as a Fingerprint and Source of True Random Numbers for RFID Tags,” In Proceedings of the Conference on RFID Security, 2007), Butterfly (Kumar et al., “Extended abstract: The Butterfly PUF Protecting IP on Every FPGA,” IEEE International Workshop on Hardware-Oriented Security and Trust, pages 67-70, 2008), Arbiter (Lee et al., “A technique to build a secret key in integrated circuits for identification and authentication applications,” IEEE Symposium on VLSI Circuits: Digest of Technical Papers, pages 176-179, 2004), Ring Oscillator (Suh et al.), and Coating (Tuyls et al., “Read-Proof Hardware from Protective Coatings,” Proceedings of the 8th international conference on Cryptographic Hardware and Embedded Systems, CHES'06, pages 369-383, Springer, 2006) PUFs.

2. A Strong PUF is assumed to be (i) physically impossible to clone, (if) impossible to collect a complete set of challenge response pairs in a reasonable time (typically taken to be on the order of weeks), and (iii) difficult to predict the response to a random challenge. For example, the super-high information content (SHIC) PUF described by Rührmair et al. (“Applications of High-Capacity Crossbar Memories in Cryptography”) may be considered a Strong PUF.

3. A Controlled PUF satisfies all of the criteria for strong PUFs, and additionally implements an auxiliary control unit capable of computing more advanced functionalities to cryptographically augment protocols. A controlled PUF should ideally satisfy the five conditions below.

One definition for an ideal physical unclonable function P_d: {0,1}^κ¹→{0,1}^κ²bound to a device d that the function preferably exhibits the following properties:

1. Unclonable: Ideally, Pr[dist(y,x)≤t|x←U_κ₁, y←P(x), z←P′]≤ϵ₁, the probability of duplicating PUF P with a clone PUF P′, such that their output distributions are t-statistically close is less than some sufficiently small ϵ₁.

2. Unpredictable: Ideally, custom character ^-PRED(κ₂):=Pr[r=r′], denoting the probability of the adversary guessing the correct response r of the PUF P to the challenge c, is negligible in κ₂for all probabilistic polynomial time (PPT) adversaries . This refers to the decisional variant of the PUF unpredictability game described in Protocol 1.

3. Robust: Ideally, Pr[dist(y,z)>t|x←U_κ₁, y∂P(x), z←P(x)]≤ϵ₂, i.e., the probability of a fixed PUF P yielding responses i-distant on the same input x is less than some sufficiently small ϵ₂. This property is satisfied by binding the PUF device d with a (m, custom character , t, ϵ₃) fuzzy extractor (Gen, Rep).

4. Fuzzy Extraction: Ideally, during the enrollment phase for a noisy PUF P, given a challenge c, the PUF computes (R,H)←Gen(r), where r←P_d(c) and outputs H. The helper string H allows for R to be recovered when the challenge r′ is t-close to the original challenge r.

5. Indistinguishability: Ideally, the output of the PUF is computationally indistinguishable from a random string of the same length, such that the advantage of a PPT adversary custom character is ^-IND()≤½+ϵ₃, where ϵ₃is negligible. This requires that the adversary distinguishes between a random string, s, and the output of the fuzzy extractor, R_i, with probability at most negligibly more than ½. Thus, ^-IND−½≤ϵ₃, where ϵ₃is negligible.

However, alternate definitions (e.g., Hori et al., “Quantitative and Statistical Performance Evaluation of Arbiter Physical Unclonable Functions on FPGAs,” 2010 International Conference on Reconfigurable Computing and FPCAs (ReConFig), pages 298-303, 2010: Maiti, A Systematic Approach to Design an Efficient Physical Undeniable Function, dissertation, Virginia Tech, 2012) for an ideal physical unclonable function may be substituted.

Threshold Cryptography

Threshold cryptography involves distributing cryptographic operations among a set of participants such that operations are only possible with the collaboration of a quorum of participants. A trusted dealer custom character generates a master asymmetric key pair ^pub, ^priv for the set of participants _i∈, ||=n. The private key is then split among the n participants, with each participant, receiving a share of ^priv. This constitutes a (t, n) sharing of ρ^priv, such that a quorum of at least t participants must combine their private shares in order to perform operations using the master private key.

While other secret schemes can be used with the present invention (e.g., Blakley, “Safeguarding cryptographic keys,” Proceedings of the 1979 AFIPS National Computer Conference, pages 313-317, AFIPS Press, 1979), an example will be described employing Shamir's polynomial interpolation construction (“How to Share a Secret,” Commun. ACM, volume 22, no. 11:612-613, 1979), which can be used for sharing a secret. A polynomial ƒ(⋅) of degree t−1 is defined, where the coefficients c_iremain private: ƒ(x)=c₀+c₁x+ . . . +c_t−1x^t−1mod q. Without knowledge of the coefficients, ƒ(⋅) can be evaluated when at least t points of ƒ(⋅) are known by applying Lagrange's polynomial interpolation approach. A private key custom character ^privcan be set as the free coefficient c₀(i.e., ƒ(0)=^priv), and a set of shares of the private key distributed to the participants (cf., e.g., Ertaul, “ECC Based Threshold Cryptography for Secure Data Forwarding and Secure Key Exchange in MANET (I),” NETWORKING 2005, Networking Technologies, Services, and Protocols; Performance of Computer and Communication Networks; Mobile and Wireless Communications Systems, volume 3462 of Lecture Notes in Computer Science, pages 102-113, Springer, 2005). To split the private key custom character ^privamong n participants _i∈₁≤i≤n, the dealer computes _i's public, private key pair as r_i·G mod q,r_i such that r_i=ƒ(i), i≠0. Here, G∈E/_pis a base point of order q for elliptic curve E, and (P)_x(resp. (P)_y) refers to the x (resp. y) coordinate of point P on curve E. (The modulus that operations are performed under may be omitted where it is apparent from context). The public keys are made available to all participants, while the private keys are distributed securely to each participant (e.g., using the device's public key and Algorithm 3 below). All participants are also given access to (c_j·G)_{0≤j≤t−1}, which allows them to verify their secret key and the public keys of other participants by checking that:

$\begin{matrix} r_{i} \cdot G = \sum_{j = 0}^{t - 1} i^{j} (c_{j} \cdot G) & \mod p \end{matrix}$

This constitutes a (t,n) verifiable secret sharing (VSS) (e.g., Feldman, “A Practical Scheme for Non-interactive Verifiable Secret Sharing,” Proceedings of the 28th Annual Symposium on Foundations of Computer Science, SFCS '87, pages 427-438, IEEE Computer Society, 1987; Pedersen, “Non-Interactive and Information-Theoretic Secure Verifiable Secret Sharing,” Advances in Cryptology, CRYPTO 91, volume 576 of Lecture Notes in Computer Science, pages 129-140, Springer, 1992) of the private key custom character ^priv, as participants are able to verify the legitimacy of their share with respect to a globally-known public key.

Now, given access to any t shares {(i,r_i)}1≤i≤t, where ƒ(⋅) has degree t−1 and t≤n, the shares (i, r_i) may be combined through Lagrange polynomial interpolation to evaluate ƒ(x):

$\begin{matrix} f (x) = \sum_{i = 1}^{t} (r_{i} \cdot (\prod_{\underset{j \neq i}{j = 1}}^{t} \frac{x - x_{j}}{x_{i} - x_{j}})) & \mod q \end{matrix}$

This allows any quorum of t participants custom character _i∈⊆, |=t≤n to combine their shares {(i,r_i)}_1≤i≤tand recover the polynomial's free coefficient c₀=ƒ(0), which is the master asymmetric private key ^priv. Although we use the Lagrange form for the interpolating polynomial, other approaches (e.g., using a monomial basis or the Newton form) may be substituted. Similarly, although our exemplary construction prefers to evaluate ƒ(⋅) rather than recover the coefficients, the latter may be accomplished using a Vandermonde matrix representation and solving the system of linear equations.

FIG. 3-FIG. 6 illustrate the Lagrange polynomial interpolation of

$P (x) = - \frac{x^{3}}{6} + \frac{3 x^{2}}{2} - \frac{7 x}{3} + 2.$

The interpolating polynomial P(⋅) is generated from a set of k points {(x_i, P(x_i))}_1≤i≤k. FIG. 3 illustrates the interpolating polynomial P(⋅)=1, which was generated from only a single point. FIG. 4 illustrates the interpolating polynomial P(⋅)=x, which was generated from two points. FIG. 5 illustrates the interpolating polynomial

$\overline{P} (\cdot) = \frac{x^{2}}{2} - \frac{x}{2} + 1,$

which was generated from three points. FIG. 6 illustrates the interpolating polynomial

$\overline{P} (\cdot) = - \frac{x^{3}}{6} + \frac{3 x^{2}}{2} - \frac{7 x}{3} + 2,$

which was generated from four points. As the degree of the polynomial is only three, any four points results in a perfect interpolation of the original polynomial. When the size of the set k exceeds the degree of the polynomial t−1 (i.e., k≥5), P(⋅) perfectly interpolates the original polynomial P(⋅). Thus in this example, the interpolating polynomial is generated from four points, which exceeds the degree (3) of the polynomial. Note that given any set of k<t points, no information about the secret P(0) is revealed, as an infinite number of polynomials of degree t−1 exist that satisfy the set of k<t points.

While an exemplary embodiment may use elliptic curve cryptography, it will be readily apparent that various other cryptographic frameworks (e.g., EIGamal, RSA, NTRU, etc.) could be employed. A number of threshold cryptographic operations can be carried out within this framework, using a variety of methods such as threshold encryption, decryption, and signing, threshold zero knowledge proofs of knowledge, threshold signcryption, and distributed key generation. Other elliptic curve mechanisms such as Massey-Omura, Diffie-Hellman, Menezes-Vanstone, Koyarna-Maurer-Okamoto-Vanstone, Ertaul, Demytko, etc. could likewise be employed.

An entity in possession of a device's enrollment information { custom character _i^pub, c_i, helper_i} can thus encrypt a message m such that only the target device is able to recover it, using a method such as EIGamal encryption:

Algorithm 3 ElGamal Encryption

for Server s do

Lookup: challenge c_i, generator G, modulus p and Helper h_i

for Device p_i

Select y ∈ custom character

_puniformly at random

Lookup public key A = p_i^priv• G mod p for Device p_i

Generate shared key: y • G mod p

Encrypt message m by computing m + (yA)_ymod q

Device p_i← {yG, m + (yA)_ymod q, c_i, G, p, h_i}

end for

Then, if all participants of a group custom character ⊆, where ||≥t, ||=n and t≤n, wish to decrypt an encryption (yG, m+(yrG)_x) of a message m∈[1, −1] using group private key r, threshold EIGamal decryption (e.g., per Ertaul) can be used as follows:

Each participant _i∈ uses their secret key r_i=ƒ(i) to compute a shadow:

$\begin{matrix} w_{i} = (\prod_{\underset{j \neq i}{j = 1}}^{t} \frac{- j}{i - j}) \cdot r_{i} & \mod q \end{matrix}$

Each participant then broadcasts their partial decryption S_idefined as S_i=w_i·yG mod q.

Each participant locally computes the value:

$\begin{matrix} S = \begin{matrix} \sum_{i = 1}^{t} S_{i} & \mod q \end{matrix} \\ = (\sum_{i = 1}^{t} w_{i}) \cdot yG \\ = r \cdot yG \end{matrix}$

Finally, each participant may now locally recover the message m by computing

(m+(yrG)_y)−S mod q=(m+(yrG)_y)−(ryG)_y=m

Likewise, a group custom character ⊆ where ||≥t, ||=n and t≤n, can use a threshold signature scheme (e.g., Chen et al., “An efficient threshold group signature scheme,” IEEE Region 10 Conference TENCON, volume B. pages 13-16 Vol. 2, 2004; Hua-qun et al., “Verifiable (t, n)Threshold Signature Scheme based on Elliptic Curve,” Wuhan University Journal of Natural Sciences, volume 10, no. 1:165-168, 2005; Ibrahim et al., “A Robust Threshold Elliptic Curve Digital Signature providing a New Verifiable Secret Sharing Scheme,” IEEE 46th Midwest Symposium on Circuits and Systems, volume 1, pages 276-280 Vol. 1, 2003; Kim et al., “Threshold Signature Schemes for ElGamal Variants,” Computer Standards and Interfaces, volume 33, no. 4:432-437, 2011; Shao, “Repairing Efficient Threshold Group Signature Scheme,” International Journal of Network Security, 2008) to generate a signature representing all of custom character for message m as follows:

Each participant _i∈ uses their secret key r_i=ƒ(i) and a random integer y_i∈_qto calculate their individual signature (R_i, S_i) for message m.
- First, R_iis computed and publicized to all participants _i∈:
  
  R_i=y_i·G mod p
- Next, each participant _icalculates R, e, S_ias follows:

$\begin{matrix} R = \sum_{i = 1}^{t} R_{i} & \mod p \end{matrix}$

$e = h (\begin{matrix} m, {(R)}_{y} & \mod q \end{matrix})$

$\begin{matrix} S_{i} = y_{i} + r_{i} e (\prod_{\underset{j \neq i}{j = 1}}^{t} \frac{- j}{i - j}) & \mod q \end{matrix}$

- h(⋅) or H(⋅) denotes a cryptographic hash function. Each participant broadcasts S_ito an appointed secretary (for convenience, and who need not be trusted).

The secretary, having received all (R_i, S_i) pairs, verifies the signature by computing:

$\begin{matrix} R = \sum_{i = 1}^{t} R_{i} & \mod p \end{matrix}$

$e = h (m, {(R)}_{y} \mod q)$

$\begin{matrix} R_{i} = S_{i} \cdot G + e (\prod_{\underset{j \neq i}{j = 1}}^{t} \frac{- j}{i - j}) (- p_{i}^{pub}) & \mod p \end{matrix}$

If constructed properly, this equation will hold as:

$\begin{matrix} R_{i} \overset{?}{=} S_{i} \cdot G + e (\prod_{\underset{j \neq i}{j = 1}}^{t} \frac{- j}{i - j}) (- p_{i}^{pub}) \mod p \\ = (y_{i} + r_{i} e (\prod_{\underset{j \neq i}{j = 1}}^{t} \frac{- j}{i - j})) \cdot G + e (\prod_{\underset{j \neq i}{j = 1}}^{t} \frac{- j}{i - j}) (- r_{i} G) \\ = y_{i} G + e r_{i} G (\prod_{\underset{j \neq i}{j = 1}}^{t} \frac{- j}{i - j}) + e (- r_{i} G) (\prod_{\underset{j \neq i}{j = 1}}^{t} \frac{- j}{i - j}) \\ = y_{i} G + (e r_{i} G - e r_{i} G) (\prod_{\underset{j \neq i}{j = 1}}^{t} \frac{- j}{i - j}) \\ = y_{i} G \\ := R_{i} \end{matrix}$

If these hold, the secretary calculates:

$\begin{matrix} S = \sum_{i = 1}^{t} S_{i} & \mod q \end{matrix}$

which computes the group signature ((R)_ymod q, S) over m.

Upon receipt of (R,S), receiver _Rchecks its validity against the public key ^pubof the entire group of participants _i∈_1≤i≤n:

eh(m,(S·G+ϵ·−^pub)_ymod q)

which holds on valid signatures because:

$\begin{matrix} e \overset{?}{=} \begin{matrix} h (m, {(S \cdot G + e \cdot - 𝒫^{pub})}_{y} & \mod q) \end{matrix} \\ = h (m, {((y + re) \cdot G + e \cdot (- rG))}_{y}) \\ = h (m, {(yG + erG - erG)}_{y}) \\ = h (m, {(yG)}_{y}) \\ = \begin{matrix} h (m, {(R)}_{y} & \mod q) \end{matrix} \end{matrix}$

The participants of a group custom character ⊆ where ||≥t, ||=n and t≤n can also collaborate to demonstrate possession of a shared private key ^priv=r∈[1, q−1] using a threshold Zero Knowledge Proof of Knowledge (e.g., Sardar et al., “Zero Knowledge Proof in Secret Sharing Scheme Using Elliptic Curve Cryptography,” Global Trends in Computing and Communication Systems, volume 269 of Communications in Computer and Information Science, pages 220-226, Springer, 2012) as follows:

The group public key is ^pub=rG, where r is a shared secret and G is a group generator. The verifier chooses an ephemeral nonce N and distributes this to all participants of .
Each participant _i∈ uses their secret share r_i=ƒ(i) and a random nonce integer y_ito calculate their individual proof (B_i, M_i) of the shared secret r.
- First, B_iis computed and publicized to all participants _i∈:
  
  B_i=y_i·G mod
- Each participant locally computes:

$\begin{matrix} B = y \cdot G = \sum_{i = 1}^{t} B_{i} & \mod p \end{matrix}$

- Next, each participant _icalculates e, M_ias follows:

$e = h (G, B, 𝒫^{pub}, N)$

$\begin{matrix} M_{i} = y_{i} + r_{i} e (\prod_{\underset{j \neq i}{j = 1}}^{t} \frac{- j}{i - j}) & \mod q \end{matrix}$

Upon receipt of (B_i, M_i)_1≤i≤t, the verifier computes:

$\begin{matrix} B = \sum_{i = 1}^{t} B_{i} & \mod p \end{matrix}$

$\begin{matrix} M = \sum_{i = 1}^{t} M_{i} & \mod q \end{matrix}$

$e = h (G, B, 𝒫^{pub}, N)$

Next, the verifier checks the proof's validity against the public key ^pub=rG.

$\begin{matrix} B \overset{?}{=} \begin{matrix} M \cdot G - e \cdot 𝒫^{pub} & \mod p \end{matrix} \\ = (y + re) \cdot G - e \cdot (rG) \\ = yG + reG - reG \\ = yG \end{matrix}$

If B=M·G−e· custom character ^pub, the verifier accepts the threshold zero knowledge proof as valid, and rejects the proof otherwise.

The process of signcrypting (e.g., Changgen et al., “Threshold Signcryption Scheme based on Elliptic Curve Cryptosystem and Verifiable Secret Sharing,” International Conference on Wireless Communications, Networking and Mobile Computing, volume 2, pages 1182-1185, 2005: Zheng, “Digital Signcryption or How to Achieve Cost (Signature & Encryption)«Cost (Signature)+Cost(Encryption),” Advances in Cryptology, CRYPTO '97, volume 1294 of Lecture Notes in Computer Science, pages 165-179, Springer, 1997; Zheng et al., “How to Construct Efficient Signcryption Schemes on Elliptic Curves,” Inf. Process. Lett., volume 68, no. 5:227-233, 1998) a message facilitates performing both signing and encrypting a message at a cost less than computing each separately. Given a message m∈[1,q −1] and a receiver custom character _Rwith public key _R^pub, signcryption can be generated as follows:

Each _i∈ selects a random k_i∈[1,q−1] and computes Y_i=k_i·G and publicly broadcasts this to both a secretary (for convenience, and who need not be trusted) and the receiver _R. Each _i∈ also computes Z_i=k_i·_R^pubwhich is privately (for example, using Algorithm 3) sent to _R.
The secretary computes:

$Z = \sum_{i = 1}^{t} Z_{i} = \sum_{i = 1}^{t} k_{i} \cdot p_{R}^{pub} = k \cdot p_{R}^{pub}$

$\begin{matrix} r = m \cdot {(Z)}_{x} & \mod p \end{matrix}$

and broadcasts r (not to be confused with r_i, participant custom character _i's share of ^priv) to each signer _1≤i≤t.

Each signer _1≤i≤tcomputes:

$\begin{matrix} x_{i} = \prod_{\underset{j \neq i}{j = 1}}^{t} \frac{- j}{i - j} & \mod q \end{matrix}$

$\begin{matrix} e_{i} = r_{i} \cdot x_{i} & \mod q \end{matrix}$

$\begin{matrix} s_{i} = k_{i} - e_{i} \cdot r & \mod q \end{matrix}$

where r_i=ƒ(i) is custom character _i's share of ^priv. Each signer sends their partial signcryption s_ito the secretary.

Upon receipt of a partial signcryption s_i, the secretary computes Y′_i=r·x_i·_i^pub+s_i·G in order to verify the validity of the partial signcryption by checking Y_iY′_i.
Once receiving all partial signcryptions s_iand checking their validity, the secretary combines them to compute:

$\begin{matrix} s = \sum_{i = 1}^{t} s_{i} & \mod q \end{matrix}$

and (r, s) is the final signcryption sent to receiver _R.

The receiving participant _R, which has now received {Y_i=k_i·G}_{i∈[1 . . . n]}, (r, s), computes:

$Y = \sum_{i = 1}^{t} Y_{i} = \sum_{i = 1}^{t} (k_{i} \cdot G) = k \cdot G$

$Y^{'} = r \cdot 𝒫^{pub} + s \cdot G$

$Z^{'} = p_{R}^{priv} \cdot Y^{'}$

The recipient _Rthen verifies that:

$\begin{matrix} Y^{'} \overset{?}{=} r \cdot 𝒫^{pub} + s \cdot G \\ = r \cdot 𝒫^{pub} + \sum_{i = 1}^{t} s_{i} \cdot G \\ = r \cdot 𝒫^{pub} + G \cdot \sum_{i = 1}^{t} (k_{i} - e_{i} \cdot r) \\ = r \cdot 𝒫^{pub} + (G \cdot \sum_{i = 1}^{t} k_{i}) - (G \cdot \sum_{i = 1}^{t} e_{i} \cdot r) \\ = r \cdot 𝒫^{pub} + k \cdot G - r \cdot G \cdot \sum_{i = 1}^{t} e_{i} \\ = r \cdot 𝒫^{pub} + k \cdot G - r \cdot G \cdot (\sum_{i = 1}^{t} r_{i} \cdot (\prod_{\underset{j \neq i}{j = 1}}^{t} \frac{- j}{i - j})) \\ = r \cdot 𝒫^{pub} + k \cdot G - r \cdot G \cdot (f (0)) \\ = r \cdot 𝒫^{priv} \cdot G + k \cdot G - r \cdot G \cdot 𝒫^{priv} \\ = k \cdot G = Y \end{matrix}$

If these hold, the group signature over m is valid.

The recipient _Rcan now recover the message m by computing:

$\begin{matrix} r \cdot {(Z^{'})}_{x}^{- 1} = (m \cdot {(Z)}_{x}) \cdot {(Z^{'})}_{x}^{- 1} \\ = (m \cdot {(k \cdot p_{R}^{pub})}_{x}) \cdot {(p_{R}^{priv} \cdot Y^{'})}_{x}^{- 1} \\ = (m \cdot {(k \cdot (p_{R}^{priv} \cdot G))}_{x}) \cdot {(p_{R}^{priv} \cdot (k \cdot G))}_{x}^{- 1} \\ = m \end{matrix}$

With this, the recipient custom character _Rhas both verified the group's signature over message m, as well as decrypted m.

Distributed Key Generation

Standard threshold cryptographic operations (e.g., those discussed above) traditionally require the presence of a trusted dealer custom character to define a generating polynomial ƒ(⋅), select a secret r, and distribute shares of r to all participants _i∈. Distributed key generation protocols (e.g., Ibrahim; Pedersen, “A Threshold Cryptosystem without a Trusted Party,” Advances in Cryptology, EURO CRYPT 91, volume 547 of Lecture Notes in Computer Science, pages 522-526, Springer, 1991; Tang, “EGDKG: A Distributed Key Generation Protocol Based on Elliptic Curve Discrete Logarithm,” Technical Report 04-838, Department of Computer Science, University of Southern California, 2004) remove the necessity of a trusted dealer, and allow a set of participants custom character to generate shares of a secret where no one knows the shared secret r. This can be accomplished in the present context as follows:

Each participant _i∈ defines a random polynomial ƒ_i(⋅) of degree t−1, where t is the threshold. The temporary private value of participant _iis c₀⁽ⁱ⁾, the free coefficient of ƒ_i(⋅).
Each participant _i∈ privately sends ƒ_i(j) to participant _j, ∀j∈[1, . . . , n]/i.
Participant _ibroadcasts {c_k⁽ⁱ⁾·G mod p}_{k∈[0, . . . ,t−1]}, commitments to the coefficients of ƒ_i(⋅).
Participant _ibroadcasts {ƒ_i(j)·G mod p}_{j∈[0, . . . , n]}, the public shares for all participants.
Each participant _j≠i∈ must now verify the shares they have received.
- First, each participant _j≠iverifies that:

$\begin{matrix} f_{i} (j) \cdot G \overset{?}{=} \begin{matrix} \sum_{k = 0}^{t - 1} j^{k} (c_{k}^{(i)} \cdot G) & \mod p \end{matrix} \\ = G \cdot (\sum_{k = 0}^{t - 1} j^{k} c_{k}^{(i)}) \\ = G \cdot f_{i} (j) \end{matrix}$

- Similarly, each participant _j≠i∈ verifies that their share is consistent with other shares:

$\begin{matrix} c_{0}^{(i)} \cdot G \overset{?}{=} \begin{matrix} \sum_{i = 1}^{t} ((\prod_{\underset{j \neq i}{j = 1}}^{t} \frac{- j}{i - j}) f_{i} (j) \cdot G) & \mod p \end{matrix} \\ = G \cdot \sum_{i = 1}^{t} ((\prod_{\underset{j \neq i}{j = 1}}^{t} \frac{- j}{i - j}) f_{i} (j)) \\ = G \cdot c_{0}^{(i)} \end{matrix}$

If these two verifications succeed, each participant _i∈ computes its share of the master asymmetric private key r:

$\begin{matrix} r_{i} = \sum_{j = 1}^{n} f_{j} (i) & \mod q \end{matrix}$

Similarly, the master asymmetric public key for the group is computed as:

$\begin{matrix} r \cdot G = \sum_{j = 1}^{n} \sum_{i = 1}^{n} (f_{j} (i) \cdot G) & \mod p \end{matrix}$

The distributed key generation protocol is preferably secure against an adversary that attempts to bias the output distribution, as in the attack described by Gennaro et al. (“Secure Distributed Key Generation for Discrete-Log Based Cryptosystems,” Advances in Cryptology, EUROCRYPT 99, volume 1592 of Lecture Notes in Computer Science, pages 295-310, Springer, 1999). (Gennaro et al. (“Secure Applications of Pedersen's Distributed Key Generation Protocol,” Topics in Cryptology, CT-RSA 2003, volume 2612 of Lecture Notes in Computer Science, pages 373-390, Springer, 2003) later concluded that many threshold operations may be performed securely despite an adversary's ability to bias the output distribution). Similarly, threshold constructions are preferably secure against both static as well as adaptive malicious adversaries (Abe et al., “Adaptively Secure Feldman VSS and Applications to Universally-Composable Threshold Cryptography,” Advances in Cryptology, CRYPTO 2004, volume 3152 of Lecture Notes in Computer Science, pages 317-334, Springer, 2004; Jarecki et al., “Adaptively Secure Threshold Cryptography: Introducing Concurrency, Removing Erasures,” Advances in Cryptology, EUROCRYPT 2000, volume 1807 of Lecture Notes in Computer Science, pages 221-242, Springer, 2000; Libert et al., “Adaptively Secure Forward-Secure Non-interactive Threshold Cryptosystems,” Information Security and Cryptology, volume 7537 of Lecture Notes in Computer Science, pages 1-21, Springer, 2012).

PUF-Enabled Threshold Cryptography

The core functionality of a PUF is extracting a unique mapping between the challenge (input) domain and the response (output) range. As the mapping from challenges to responses is unique for each PUF-enabled device, collecting a set of challenge-response pairs (CRPs) through a provisioning process allows the device to be verified in the future. Protocol 3 illustrates the naïve provisioning process that underlies many PUF-enabled protocols.

Protocol 3: Challenge-Response Provisioning

PUF Device D

Server s

←
challenge c ∈ {0, 1}^κ¹

P(c) custom character

r ∈ {0, 1}^κ²
→
store(D, {c, r})

Authentication proceeds by issuing a challenge for which the response is known to the server, and verifying that the response is i-close to the expected response. However, this lightweight naïve protocol has many limitations. During enrollment, a large number of challenge-response pairs must be collected, as each pair can only be used once for authentication. If an adversary observed the response, it could masquerade as the device. Similarly, the challenge-response database is sensitive, as an adversary could apply machine learning to fully characterize the PUF mapping [Rührmair I]. These issues can be entirely eliminated by applying cryptographic constructs around the PUF functionality.

In the example of an embodiment employing elliptic curve cryptography, Algorithms 4 and 5 below can be used to allow a PUF-enabled device to locally store and retrieve a sensitive value without storing any sensitive information in non-volatile memory. Algorithm 4 illustrates the storing of a sensitive value custom character _iusing a PUF, and Algorithm 5 illustrates the dynamic regeneration of _i. The challenge c_iand helper data helper_ican be public, as neither reveals anything about the sensitive value _i. While the present example uses encryption of _iby exclusive-or, ⊕, _icould also be used as a key to other encryption algorithms (e.g., AES) to enable storage and retrieval of arbitrarily sized values.

Algorithm 4 PUF-Store

Goal: Store value custom character

_i

for PUF Device d do

Select finite field custom character

_nof order n

Select E, an elliptic curve over custom character

_n

Find G ∈ E/ custom character

_n, a group generator

Select challenge c_i∈ custom character

_n

x = H(c_i, E, G, n)

O = PUF(x)

helper_i= P_i= O ⊕ ECC( custom character

_i)

Write {c_i, helper_i} to non-volatile memory

end for

Algorithm 5 PUF-Retrieve

Goal: Retrieve value custom character

_i

for PUF Device d do

Read {c_i, helper_i} from non-volatile memory

x ← H(c_i, E, G, n)

O′ = PUF(x)

custom character

_i← D((ECC( custom character

_i) ⊕ O) ⊕ O′)

end for

Whenever O and O′ are t-close, the error correcting code ECC can be passed to a decoding algorithm D which will recover the sensitive value custom character

_i.

Using Algorithm 6, a local device can perform an enrollment protocol using the PUF.

This allows each PUF circuit to generate a local public key custom character _i^pub, which is useful for bootstrapping more complex key setup algorithms (e.g., the distributed key generation protocol in Algorithm 7). When the key setup algorithm is performed internal

Algorithm 6 The Enrollment Algorithm

for Device d do

c_i∈ custom character

_p, a group element

x = H(c_i, E, G, p, q)

O = PUF(x)

helper_i= O ⊕ ECC custom character

_i^privmod q)

custom character

_i
^pub= A_i= custom character

_i^priv· G mod p

Store { custom character

_i^pub, c_i, helper_i}

end for

to the device (rather than externally among a set of distinct devices), this bootstrap process may not be necessary.

In accordance with the invention, PUF-based cryptographic primitives are adapted to secret sharing to permit threshold cryptography founded on PUF or other root of trust. Using the example of an embodiment employing elliptic curve cryptography, distributed key generation is used to generate a number of shares (for example, two: r₁, r₂) of a master private key custom character ^priv=(r₁+r₂) mod q), which itself is never generated or constructed. (It is also possible to work directly with a message (e.g., as described by Ertaul) rather than a private key). The protocol is summarized in Algorithm 7: PUF-DKG, where an exemplary implementation would choose (t,n) as (2,2).

Algorithm 7 PUF-DKG

Goal: Generate shares of master private key custom character

^priv

for 1 ≤ i ≤ n do

Select random polynomial f_i(·) = c₀⁽ⁱ⁾+ . . . + c_t−1⁽ⁱ⁾x^t−1 mod q

Compute f_i(j), ∀j ∈ [1, . . . , n]/i

Store coefficient commitments {c_k⁽ⁱ⁾· G mod p}_{k∈[0,...,t−1]}

Store share commitments {f_i(j) · G mod p}_{j∈[0,...,n]}

for 1 ≤ i ≤ n do

Verify

f_{i} (j) \cdot G \overset{?}{=} \sum_{k = 0}^{t - 1} j^{k} (c_{k}^{(i)} \cdot G) \mod p

Verify

c_{0}^{(i)} \cdot G \overset{?}{=} \sum_{i = 1}^{t} ((\prod_{\underset{j \neq i}{j = 1}}^{t} \frac{- j}{i - j}) f_{i} (j) \cdot G) \mod p

end for

Recover share

r_{i} = \sum_{j = 1}^{n} ((\prod_{\underset{j \neq i}{j = 1}}^{t} \frac{- j}{i - j}) f_{j} (i)) \mod q

Recover public key

𝒫^{pub} = r \cdot G = \sum_{j = 1}^{n} \sum_{i = 1}^{n} (((\prod_{\underset{j \neq i}{j = 1}}^{t} \frac{- j}{i - j}) f_{j} (i)) \cdot G) \mod p

end for

Using Algorithms 4 and 5 for storing and retrieving a sensitive value, and Algorithm 7 for performing the initial distributed key generation protocol, arbitrary PUF-enabled threshold cryptographic operations (e.g., decryption, digital signatures, zero knowledge proofs) can now be performed. Algorithm 8 describes how to evaluate an arbitrary threshold cryptographic operation custom character that requires as input a participant's share r_i. Note that the recovered share r_ihas already been multiplied by the Lagrange terms

$(\prod_{j = 1, j \neq i}^{t} \frac{- j}{i - j}) .$

Algorithm 8 PUF-Threshold-OP

Goal: Perform threshold operation custom character

Assume: PUF-DKG (Algorithm 7) has been executed by PUF Device d

for Server s do

Issue Command custom character

and Auxiliary information Aux

end for

for PUF Device d do

for each challenge c_i(Challenge c = c₀∥ . . . ∥c_n) do

Read challenge c_iand helper data h_i

Recover share r_i←PUF-Retrieve(c_i, h_i)

Perform threshold. operation custom character

(r_i, Aux)

end for

Combine threshold operations custom character

← Combine({ custom character

(r_i, Aux)}_0≤i≤n)

return Result custom character

end for

for Server s do

Process operation custom character

end for

This enables any threshold cryptographic operation (e.g., decryption, digital signature generation, zero knowledge proofs) to be performed by a PUF-enabled participant without ever generating, reconstructing, or storing their private key. Further, from an external perspective (e.g., the server), the PUF-enabled device simply implements standard public key cryptographic protocols. That is, the server never issues a challenge or stores helper data, and its interaction with the device is indistinguishable from any standard public key cryptography device.

By internalizing the challenge-response functionality of the PUF, and utilizing Algorithms 4 and 5 to locally store and recover a value (e.g., a cryptographic key), arbitrary (e.g., symmetric or asymmetric) cryptographic operations can be performed without need for issuing or storing auxiliary (e.g., challenges or helper data) information. While one embodiment described herein advantageously strengthens the construction through both distributed key generation and threshold cryptography, neither is necessary to support arbitrary cryptographic operations through localized storage and retrieval of a value using a device's PUF functionality according to the present invention.

Although threshold cryptography typically considers distributing operations across physically-distinct nodes, in one embodiment of the present invention, threshold cryptography may be applied within a single device. As an example, a device may be equipped, e.g., with two PUF circuits and provided with the ability to execute at least two instructions at the same time (e.g., through multiple CPU cores). An embodiment of the present invention with only one PUF circuit would simply execute operations over each share sequentially, rather than querying the multiple PUF circuits in parallel. FIG. 2 illustrates a device equipped with two PUF circuits to enable local threshold cryptographic operations; the device may be, for example, an FPGA with a separate core containing each PUF. The potentially extractable output of a single PUF may then be obviated by constructing a local (2,2) threshold system with each of the parts custom character _iacting as a distinct participant. For example, each part may select a random challenge, run the enrollment algorithm (Algorithm 6) to generate an asymmetric key pair _i^pub=_i^priv·G, _i^priv and locally store its public enrollment information and then together run the distributed key generation protocol (Algorithm 7) and perform all cryptographic operations over a private key that is never actually constructed. When threshold cryptography is applied within a single device, it may not be necessary to run the enrollment algorithm (Algorithm 6) to generate an asymmetric key pair as all computations are performed internal to the device.

Algorithm 9 describes how a dual-PUF device can compute cryptographic operations in a threshold manner by constructing a (2, 2) threshold sharing within the device using distributed key generation. That is, the two parts establish a private key known to neither part through distributed key generation and publicize the corresponding public key custom character ^pub. All operations targeted at. the device are now performed in a threshold manner through internal collaboration (with each part retrieving its share r_iand performing a local threshold operation, and the results are combined to complete a threshold operation ), while the input/output behavior of the device remains unchanged to external systems.

Algorithm 9 Dual-PUF-Threshold-OP

Goal: Perform threshold operation custom character

at time τ

One-Time Setup Stage

for each PUF Core p_i∈ custom character

do

Run Algorithm 6: Enrollment, Publicize custom character

_i^pub

end for

Run(2, 2)-PUF-DKG Protocol, Publicize custom character

^pub

Evaluation Stage

for each PUF Core p_i∈ custom character

do

Recover share r_i^(τ)←PUF-Retrieve (c_i^(τ), helper_i^(τ))

custom character

_i
⁽
custom character

⁾ ←

(r_i^(τ)), PUF core local threshold share

end for

return custom character

← Combine({ custom character

})

Thus, rather than being constrained to a mapping between a challenge issued to the device and its response (which to an extent may be a function of the challenge), a multi-PUF device d_ican have a single static external identity, custom character _i^pub. The challenge-response functionality of each PUF core is used to maintain each share of the device's private identity, _i^priv, which is never generated or constructed. This renders a side channel attack more difficult for a remote adversary, which now must observe and resolve multiple values simultaneously generated within the device. Each part retrieves its share r_i^(τ)and performs a local threshold operation, and the shares are combined to complete the operation custom character .

Referring to FIG. 7 and FIG. 8, the core operations of an example embodiment employing elliptic curve cryptography, division of a key into two shares, and a (2, 2) threshold operation, are described.

Enrollment Command 1: During the initial enrollment process, the server and device agree on an elliptic curve E defined over a finite field and base point G of order q, where is λ bits long. The server issues the enrollment command to the device.
Distributed Key Generation 2: The device performs a distributed key generation locally, creating shares (r₀,r₁) of the master private key (which is never generated or constructed) and its public key A=(r₀+r₁)·G. Rather than directly add the shares together (which would construct the private key r=r₀+r₁), the public key is formed by computing (r₀·G)+(r₁·G).
Helper Data Generation 3: The device generates a random challenge c=c₀∥c₁, where ∥ denotes concatenation and each c_iblock is λ bits long. The device links each share r_ito the output O_iof the PUF on challenge c_ithrough fuzzy extraction, which outputs a public helper h_i. As the PUF output O_iis noisy, there is no guarantee that when queried on challenge c_iin the future, the new output O′_iwill satisfy O′_i=O_i. However, it is assumed that O_iand O′_iwill be t-close with respect to some distance metric (e.g. Hamming distance). Thus, an error correcting code may be applied to the PUF output such that at most t errors will still recover O_i. Error correction may be applied over each share r_i, and this value blinded with the output of the PUF O_ion challenge c_i, so that each helper value h_i=ECC(r_i)⊕O_ireveals no information about share r_i. During recovery through fuzzy extraction, computing the exclusive-or of ECC(r_i)⊕O_i⊕O′_iwill return r_iwhenever O_iand O′_iare t-close. The device locally stores the challenge c=c₀∥c₁and helper data h=h₀∥h₁, which will allow it to later recover the shares. Note that both the challenge and the helper data are public, and reveal nothing about the shares or the device's private key without invoking the PUF. This process is described by Algorithm 4.
Returned Public Key 4: The device returns its public enrollment information {A=(r₀+r₁)·G} to the server.
Store Enrollment 5: The server stores the device's public enrollment information along with a (non-sensitive) identifier that is unique to the device (e.g., a serial number).
Threshold Operation Query 6: When the server wishes the device to perform a cryptographic operation (e.g., decryption, digital signature generation, zero knowledge proof authentication), it issues:
- the appropriate command for the operation to be performed
- any auxiliary data Aux that is necessary for the operation (e.g., ciphertext to be decrypted, a message to be signed)
PUF Retrieval 7: The device reads the challenge c=c₀∥c₁and helper data h=h₀∥h₁from its local storage. The device then queries the PUF on each challenge block c_i, and combines the output O′_iwith the helper block h_iand error correcting code to recover each share block r_i. This process is described by Algorithm 5.
Threshold Operation 8: The device performs a threshold operation (r_i, Aux) over each share r_i. Algorithm 8 describes this process for any arbitrary threshold operation .
Combined Threshold Operations 9: The device combines the threshold operations to form the complete operation and returns the result to the server.
Process Operation 10: The server finally performs any additional processing required for the operation (e.g., verifying a zero knowledge proof).

Share Refreshing

Various share refresh protocols (e.g., Frankel et al., “Optimal-Resilience Proactive Public-Key Cryptosystems,” 38th Annual Symposium on Foundations of Computer Science, pages 384-393, 1997; Herzberg et al., “Proactive Public Key and Signature Systems,” Proceedings of the 4th ACM Conference on Computer and Communications Security, CCS '97, pages 100-110, ACM, 1997; Herzberg et al., “Proactive Secret Sharing Or: How to Cope With Perpetual Leakage,” Advances in Cryptology, CRYPTO 95, volume 963 of Lecture Notes in Computer Science, pages 339-352, Springer, 1995) allow each of a set of players custom character _i∈ to refresh their share r_i^(τ)of an original secret r at time period τ into a new share r_i^(τ+1)such that the resulting set of new shares {r_i^(τ+1)}_{i∈[1 . . . n]} remains a sharing of the original secret. This protocol does not require reconstruction of the master secret r, so a mobile adversary would have to compromise t players in a fixed time period τ in order to recover the shared secret. Assuming a polynomial ƒ(⋅) of degree (t−1) represents a shared secret r=ƒ(0) amongst n participants each having a share r_i=ƒ(i), and denoting encrypting for player custom character _jas ENC_j(⋅) and decryption by _jas DEC_j(⋅), the set of players _i∈ can refresh their sharing of r using such a protocol as follows:

Each player _idefines a new polynomial of degree (t−1) such that δ_i(0)=0:

δ_i(⋅)=Δ₁⁽ⁱ⁾x+ . . . +Δ_m⁽ⁱ⁾x^t−1
where the set {Δ_m^(i)}_{m∈[1 . . . t−1]} chosen randomly from _q.
Each player _icomputes the following sets:

{ϵ_im=Δ_m⁽ⁱ⁾·G}_{m∈[1 . . . t−1]}
{u_ij=δ_i(j)}_{j∈[1 . . . n]}
{e_ij=ENC_j(u_ij)}_{j∈[1 . . . n]}
and broadcasts a verifiable secret sharing VSS_i^(τ)=i, τ, {ϵ_im}, {e_ij} and their signature SIG_i(VSS_i^(τ)).
Each player _irecovers u_ji=DEC_i(ENC_i(u_ji)) and verifies ∀j≠i:

$\begin{matrix} u_{ji} \cdot G \overset{?}{=} \sum_{k = 1}^{t - 1} i^{k} ϵ_{jk} \\ = \sum_{k = 1}^{t - 1} (i^{k} Δ_{k}^{(j)} \cdot G) \\ = G \cdot \sum_{k = 0}^{t - 1} i^{k} Δ_{k}^{(j)} \\ = G \cdot δ_{j} (i) = G \cdot u_{ji} \end{matrix}$

Finally, each player _iupdates their share from time period (τ) as:

$r_{i}^{(τ + 1)} \leftarrow r_{i}^{(τ)} + (\begin{matrix} \sum_{j = 1}^{n} u_{ji} & \mod q \end{matrix})$

Thus, the refreshed set of shares {r_i^(τ+1)}_{i∈[1 . . . n]} remains a sharing of the master private key custom character ^priv, and yet knowledge of t−1 or fewer shares from time period τ is useless in time period τ+1.

As outlined in Algorithm 10, participants can update their share r_i^(τ)in time period τ to a new share r_i^(τ+1)in the next time period such that the set of shares {r_i}_{i∈[1 . . . n]} remains a sharing of the master private key custom character ^priv.

Algorithm 10 PUF-Share-Update

Goal: Generate new share r_i^(τ+1)

for all Participants p_i∈ custom character

do

Recover share r_i^(τ)

r_i^(τ) ← PUF-Retrieve(c_i^(τ), helper_i^(τ))

Select random polynomial of degree (t − 1) such that δ_i(0) = 0:

δ_i(·) = Δ₁⁽ⁱ⁾x + . . . + Δ_m⁽ⁱ⁾x^t−1

Compute

{ϵ_im= Δ_m⁽ⁱ⁾· G}_{m∈[1...t−1]}

{u_ij= δ_i(j)}_j∈[1...n]

{e_ij= ENC_j(u_ij)}_j∈[1...n]

Broadcast

VSS_i^(τ) = custom character

i, τ, {ϵ_im}, {e_ij} custom character

, SIG_i(VSS_i^(τ))

Verify ∀j ≠ i

{DEC}_{i} ({ENC}_{i} (u_{ji})) \cdot G \overset{?}{=} \sum_{k = 1}^{t} i^{k} ϵ_{jk}

Update share as:

r_{i}^{(τ + 1)} \leftarrow r_{i}^{(τ)} + (\sum_{j = 1}^{n} u_{ji} \mod q)

Store r_i^(τ+1) and update PUF challenge:

{c_i^(τ+1), helper_i^(τ+1)} ← PUF-Store(r_i^(τ+1))

end for

The hardware device performs Algorithm 10 at Share Refresh 11 in FIG. 8 to generate new shares r_i^(τ+1)for the next time period τ+1. At PUF Refresh and Store 12, the hardware device generates a new challenge c_i^(τ+1), which will refresh the challenge-helper pair for the next time period. The hardware device uses the new challenge to store the updated share r_i^(τ+1). Algorithms 8 and 9 are modified to refresh both the threshold shares as well as the challenge-helper pair, with Algorithms 11 and 12, respectively, reflecting the modifications.

Algorithm 11 PUF-Threshold-OP-Refreshing

Goal: Perform threshold operation custom character

Assume: PUF-DKG (Algorithm 7) has been executed by PUF Device d

for Server s do

Issue Command custom character

and Auxiliary Information Aux

end for

for PUF Device d do

for each challenge c_i(Challenge c = c₀∥ . . . ∥c_n) do

Read challenge c_iand helper data h_i

Recover share r_i←PUF-Retrieve(c_i, h_i)

Perform threshold operation custom character

(r_i, Aux)

end for

Combine threshold operations custom character

← Combine({ custom character

(r_i, Aux)}_0≤i≤n)

return Result custom character

for each share r_ido

Update share

r_i^(τ+1) ← PUF-Share-Update(r_i^(τ))

Store r_i^(τ+1) and update PUF challenge:

{c_i^(τ+1), helper_i^(τ+1)} ← PUF-Store(r_i^(τ+1))

end for

end for

for Server s do

Process operation custom character

end for

Algorithm 12 Dual-PUF-Threshold-OP-Refreshing

Goal: Perform threshold operation custom character

at time τ

One-Time Setup Stage

for each PUF Core p_i∈ custom character

do

Run Algorithm 6: Enrollment, Publicize custom character

_i^pub

end for

Run (2,2)-PUF-DKG Protocol, Publicize custom character

^pub

Evaluation Stage

for each PUF Core custom character

_i ∈

do

Recover share r_i^(τ)←PUF-Retrieve(c_i^(τ), helper_i^(τ))

custom character

←

(r_i^(τ)), PUF core local threshold share

Update share

r_i^(τ+1)← PUF-Share-Update(r_i^(τ))

Store r_i^(τ+1)and update PUF challenge:

{c_i^(τ+1), helper_i^(τ+1)} ← PUF-Store(r_i^(τ+1))

end for

return custom character

← Combine({ custom character

})

Referring for example to a single-PUF embodiment as shown in FIG. 1, Algorithm 10 can be logically split into a preparation and application phase. During preparation, each participant generates their random polynomial and distributes their portion of the update to the other participants. After each participant has broadcast their portion of the share update, the preparation phase is complete. Algorithm 13 illustrates the preparation phase of share updating. Note that in one embodiment, the broadcast phase may be omitted when Algorithm 13 is applied within a single device (e.g., an FPGA).

Algorithm 13 PUF-Share-Update-Preparation

Goal: Prepare update to construct share r_i^(τ+1)

for all Participants custom character

_i∈

do

Select random polynomial of degree (t − 1) such that δ_i(0) = 0:

δ_i(·) = Δ₁⁽ⁱ⁾x + . . . + Δ_m⁽ⁱ⁾x^t−1

Compute

{∈ _im= Δ_m⁽ⁱ⁾· G}_m∈_[1...t−1]

{μ_ij= δ_i(j)}_j∈_[1...n]

{e_ij= ENC_j(u_ij)}_j∈_[1...n]

Broadcast

VSS_i^(τ)= custom character

i, τ, {∈ _im}, {e_ij} custom character

SIGi(VSS_i^(τ))

end for

When a participant is ready to apply the update to their share, they perform the latter portion of Algorithm 10. That is, the participant verifies the update information received from other participants, and then applies the update to their share. The share update application phase is illustrated in Algorithm 14.

Algorithm 14 PUF-Share-Update-Application

Goal: Apply share update to construct r_i^(τ+1)

for all Participants p_i∈ custom character

do

Recover share r_i^(τ)

r_i^(τ) ← PUF-Retrieve(c_i^(τ), helper_i^(τ))

Verify ∀j ≠ i

{DEC}_{i} ({ENC}_{i} (u_{ji})) \cdot G \overset{?}{=} \sum_{k = 1}^{t} i^{k} ϵ_{jk}

Update share as:

r_{i}^{(τ + 1)} \leftarrow r_{i}^{(τ)} + (\sum_{j = 1}^{n} u_{ji} \mod q)

end for

As each threshold operation over a share can be performed independently of the other shares, the device need only recover one share at a time. This process is illustrated in Algorithm 15. Upon receiving a command custom character and its associated auxiliary information Aux, the device first performs Algorithm 13 to prepare for the share update. Next, the device iteratively performs threshold operations over each share. A share is recovered by reading a challenge-helper pair from non-volatile memory, and using the PUF to regenerate the corresponding share. After performing a threshold operation over the share, the share update is applied using Algorithm 14, which generates the updated share for new time period (τ+1). After computing the threshold operations over each share, the threshold operations are combined to form the result custom character which is returned to the server.

Algorithm 15 PUF-Threshold-OP-Staggered

Goal: Perform threshold operation custom character

Assume: PUF-DKG (Algorithm 7) has been executed by PUF Device d

for Server s do

Issue Command custom character

and Auxiliary Information Aux

end for

for PUF Device d do

for each share r_ido

PUF-Share-Update-Preparation

end for

for each challenge c_i(Challenge c = c₀∥ . . . ∥c_n) do

Read challenge c_iand helper data h_i

Recover share r_i←PUF-Retrieve (c_i, h_i)

Perform threshold operation custom character

(r_i, Aux)

Update share

r_i^(τ+1) ← PUF-Share-Update-Application(r_i^(τ))

Store r_i^(τ+1) and update PUF challenge:

{c_i^(τ+1) , helper_i^(τ+1)} ← PUF-Store(r_i^(τ+1))

end for

Combine threshold operations custom character

← Combine({ custom character

(r_i, Aux)}_0≤i≤n)

return Result custom character

end for

for Server s do

Process operation custom character

end for

In one embodiment, a (2,2) threshold system is constructed internally to the device. Algorithm 16 illustrates an example of a single-PUF (2,2) threshold construction of the more general Algorithm 15. The device has the share set {r₀, r₁}, and iteratively computes a threshold operation over each share to produce the set { custom character ,}. Once both threshold operations are complete and the shares have been updated and stored, the two threshold operations are combined into the final output .

Algorithm 16 Internal-PUF-Threshold-OP-Staggered

Goal: Perform threshold operation custom character

at time τ

One-Time Setup Stage

for each Threshold Share r_ido

Run Algorithm 6: Enrollment Publicize custom character

_i^pub

end for

Run (2, 2)PUF-DKG Protocol, Publicize custom character

^pub

Evaluation Stage

for each Threshold Share r_ido

PUF-Share-Update-Preparation

end for

for each Threshold Share r_ido

Recover share r_i^(τ)←PUF-Retrieve(c_i^(τ), helper_i^(τ))

custom character

←

(r_i^(τ)), Local threshold operation

Update share

r_i^(τ+1) ← PUF-Share-Update-Application(r_i^(τ))

Store r_i^(τ+1) and update PUF challenge:

{c_i^(τ+1) , helper_i^(τ+1)} ← PUF-Store(r_i^(τ+1))

end for

return custom character

← Combine({ custom character

})

The flow of Algorithm 16, a specific single-PUF (2,2) threshold construction of the more general Algorithm 15, is illustrated in FIG. 9. Prior to Step 1, the share update preparation (Algorithm 13) is performed. In Step 1, the first share r₀^τ is retrieved and its corresponding local threshold operation is performed. The share update (Algorithm 14) is then applied to r₀^τ to yield r₀^(τ+1)for the next time period. The updated share is then stored using a new random challenge c₀^(τ+1)which generates the corresponding helper data h₀^(τ+1)which will allow the updated share to be recovered using the PUF. The same process is followed in Step 2 for share r₁^τ. Finally, the combined output custom character is constructed by combining the two local threshold operations that were performed over each share.

The device has a constant identity custom character ^pub, ^priv, yet all operations that require ^privare performed without ever reconstructing ^privand with values that change after each operation is executed. As each part uses the PUF-Store and PUF-Retrieve algorithms to maintain their share, the (challenge, helper) pair is updated after each operation when PUF-Store is executed. Each share is refreshed for the new time period τ+1, and is stored by generating a new random challenge c_i^(τ+1)and setting the updated helper to helper_i^(τ+1)←ECC(r_i^(τ+1))⊕PUF(c_i^(τ+1)). Staggering the threshold operations such that the share regeneration, threshold operation, and share storing occur consecutively (rather than concurrently), precludes the simultaneous recovery of more than one updated share. Any tampering while one share exists would (assuming tampering pushes PUF output beyond error correction limits) prevent recovery of another share, in which case the device cannot perform operations over its private key.

An adversary applying a side channel attack against such an embodiment therefore must extract t or more shares from a period of observation that cannot exceed the period of refreshment. In other words, the adversary must compromise t devices in a given time period τ since any shares from time period τ are useless in time period τ+1. The difficulty of a side channel attack thus can be increased by updating more frequently (even after each operation). (Increasing refresh frequency also may multiply the difficulty inherent in side channel attacks on multiple-PUF device embodiments in which a remote adversary must observe and resolve multiple PUF values simultaneously generated in the device).

Also, whereas the longevity of systems using a fixed challenge/helper and response is directly limited to the hardware's increase in error rate due to aging, by continuously updating the pair in each time period, the error rate can be nominally reset to zero. That is, periodically refreshing the pair (c_i^(τ), helper_i^(τ)) during each time period τ links the PUF output to the current state of the hardware, eliminating the hardware drift, from previous time periods. In that regard, FIG. 11 illustrates the device recovering its share at time τ=1 using the original challenge-helper pair {c_i⁽⁰⁾, helper_i⁽⁰⁾} from time τ=0 using Algorithm 5: PUF-Retrieve. The device then internally generates a new challenge-helper pair {c_i⁽¹⁾, helper_i⁽¹⁾} for time period τ=1. The share is then stored by running Algorithm 4: PUF-Store using the new challenge-helper pair for τ=1. This links the updated challenge-helper pair to the current state of the hardware, which eliminates the hardware aging that occurred during time period τ∈[0,1). Thus, the expected number of bit errors in the PUF output at time τ=1 is zero despite the hardware continuing to age according to rate ρ.

As can be seen in FIG. 12, by repeating this process of periodically updating the internal challenge-helper pair of each PUF core, the maximum PUF output error can be bounded and made arbitrarily small by adjusting the refresh cycle period. Thus, a gradual shift in the PUF mapping is inconsequential. So long as the hardware has not fatally aged during the time between, the shift will be continuously factored into the stored challenge and helper data.

Dynamic Membership

The dynamic nature of shares in this construct also permits an embodiment in which the number of participants n participating in a group can be varied dynamically so that participants may join or leave the set of participants in the (t, n) threshold system. In this case, up to n−t participants can be removed from the set custom character simply by leaving them out of the next share refresh protocol. To add a participant _jto the set of participants, each current participant _igenerates an extra share u_ijfrom their share update polynomial δ_i(⋅).

In some embodiments employing dynamic membership (in a (t, n) threshold system) and multi-PUF device(s), the device(s) may be configured to perform a local self-test to ensure it is not nearing the point where it can no longer recover its shares due to hardware aging. A secondary threshold, t<i (the maximum number of errors that may be corrected by error correction), may be set for the device such that when t errors are observed in the PUF output a transition protocol is initiated. The transition protocol can transfer the ability of a device d_ito perform operations over its private key custom character _i^privto a different device d_j≠iwithout recovering _i^priv. In the example of a dual-PUF device, when device d_idetects critical hardware aging (e.g., when the PUF errors exceed secondary threshold t), it runs the share refreshing protocol and increases n: 2→4. Device d_inow possesses the set of shares {r_i}_1≤i≤4, and privately sends ENC_j{r_i}_3≤i≤4to d_jafter verifying that d_jis valid (e.g., verify the signature from a trusted source on d_j's enrollment token and have d_jperform a zero knowledge proof). Once d_jhas received the set {r_i}_3≤i≤4, both d_iand d_jmay act as d_i, and in the event of a hardware failure of d_i, it can be easily replaced by d_j.

The internal self-test procedure may be easily extended to the setting where multiple PUF-enabled devices are used as part of a larger system (see paragraph 74). When one PUF-enabled device fails to recover its share, it can be replaced with a new device. The remaining and correctly functioning PUF-enabled devices run the share update algorithm and increase n by sending the new device shares as well. This allows systems composed of multiple PUF-enabled devices to continue acting as a single entity, as failing devices can be immediately replaced and provisioned with shares of the global (t, n) threshold system.

Scalability

Standard PUF protocols are inherently linked to a specific hardware device (indeed, this is their goal), which can impose a constraint on the ability to readily scale a system to support an arbitrary processing load. FIG. 13 illustrates a processing center designed to scale to support an arbitrarily large processing load with PUFs employed to dynamically regenerate private information. By constructing a (t, n) sharing of a secret through distributed key generation, the private key for the system is never constructed or stored. However, any t PUFs can collaborate to perform cryptographic operations on behalf of the processing center. For example, if t=7, each row of PUFs can jointly perform a cryptographic operation on behalf of the processing center, and four requests (using rows A through D ) can be completed simultaneously. Thus, scalable hardware-intrinsic identity solutions can be designed in which a group of hardware components with local hardware-intrinsic identity (e.g., equipped with a PUF) are able to act cooperatively to form a unique hardware-intrinsic identity for their group as a whole. This embodiment of the present invention does not require the devices that compose the system to implement threshold cryptography locally. Rather, each device could run Algorithm 6 and publicize their local public key custom character _i^pub. The (t,n) sharing is then set up for the system, using each device's local public key for private communication.

FIG. 14 illustrates a Master identity being generated from a set of component identities. An (n, n) threshold system could be constructed to require that all components are able to recover their share in order to perform cryptographic operations using the Master identity. In another embodiment of the invention, a (t,n) threshold system could be constructed to require that all of the critical components and some of the non-critical components are able to recover their share in order to perform cryptographic operations using the Master identity.

Performance

Performance tests were conducted on an embodiment having a single simulated 384-bit ring oscillator PUF (which did not require error correction), and a (2,2) threshold system defined over NIST elliptic curve P-384. Operations over each share were performed sequentially, rather than simultaneously as may be done in a multiple PUF embodiment. The tests measured the total time necessary for storage and retrieval of values, and communication between the device and the server. The server was equipped with an 8-core 3.1 GHz processor and 16 GB of RAM, and the device-side algorithms implemented on a Xilinx Artix 7 FPGA running at 100 MHz over a 115200 baud connection, where all operations were performed on the NIST P-384 curve. Table 1 reports the average time per protocol over 1000 trials.

TABLE 1

Performance Results

Protocol
Average Runtime
St. Dev.

Enrollment
0.011 seconds
0.0027

Authentication
0.352 seconds
0.0002

ElGamal Encryption
0.342 seconds
0.0014

ElGamal Signature
0.352 seconds
0.0002

Claims

1. A device for securely executing cryptographic operations, the device comprising: a physical unclonable function (PUF) device;a memory; anda processor connected to the PUF device, the processor configured to: execute an arbitrary cryptographic operation in a sequence of ordered stages including at least a first stage associated with a first secret and a second stage associated with a second secret, the executing comprising: during the first stage: obtaining at least a first value from the PUF device;recovering the first secret based on at least the first value obtained from the PUF device;executing a first cryptographic operation using the first secret; andremoving from the memory one or more intermediate values generated by the act of recovering prior to execution of a subsequent stage;during the second stage and after the first stage: obtaining at least a second value from the PUF device;recovering the second secret based on at least the second value obtained from the PUF device; andexecuting a second cryptographic operation using the second secret and an output from the first cryptographic operation;execute the arbitrary cryptographic operation using an output of the second cryptographic operation; andprevent execution of the arbitrary cryptographic operation responsive to tampering with the device based on preventing recovery of at least one secret in the sequence of ordered stages.
2. The device of claim 1, wherein preventing execution of the arbitrary cryptographic operation responsive to tampering comprises preventing recovery of the second secret responsive to tampering prior to execution of the second stage.
3. The device of claim 1, wherein executing the arbitrary cryptographic operation comprises decrypting a data payload encrypted with at least the first secret and the second secret.
4. The device of claim 3, wherein: executing the first cryptographic operation using the first secret comprises executing a first decryption operation on the data payload using the first secret to obtain an intermediate output; andexecuting the second cryptographic operation using the second secret comprises executing a second decryption operation on the intermediate output using the second secret to decrypt the data payload.
5. The device of claim 1, wherein executing the arbitrary cryptographic operation comprises generating a digital signature with at least the first secret and the second secret.
6. The device of claim 5, wherein: executing the first cryptographic operation using the first secret comprises generating a first portion of the digital signature using the first secret; andexecuting the second cryptographic operation using the second secret comprises generating a second portion of the digital signature using the second secret.
7. The device of claim 1, wherein the processor is configured to: map the first secret to a first challenge using the PUF device; andmap the second secret to a second challenge using the PUF device.
8. The device of claim 7, wherein: the PUF device is configured to generate the unique values based on a challenge and the hardware characteristics of the PUF device; andthe processor is configured to: obtain the first value from the PUF device in response to transmitting the first challenge to the PUF device; andobtain the second value from the PUF device in response to transmitting the second challenge to the PUF device.
9. The device of claim 1, wherein removing the one or more intermediate values from the memory prior to execution of the subsequent stage comprises removing at least the first secret from the memory.
10. A method of securely executing cryptographic operations by a device, the method comprising: using a processor to perform: executing an arbitrary cryptographic operation, encoded with at least a first secret and a second secret, in a sequence of ordered stages including at least a first stage and a second stage, the executing comprising: during the first stage: obtaining a first value from a physical unclonable function (PUF) device;recovering the first secret based on at least the first value obtained from the PUF device;executing a first cryptographic operation using the first secret;removing from memory one or more intermediate values generated by the act of recovering prior to execution of a subsequent stage;during the second stage and after the first stage: obtaining a second value from the PUF device;recovering the second secret based on at least the second value obtained from the PUF device; andexecuting a second cryptographic operation using the second secret and an output from the first cryptographic operation;executing the arbitrary cryptographic operation using an output of the second cryptographic operation; andpreventing execution of the arbitrary cryptographic operation responsive to tampering with the device based on preventing recovery of at least one secret in the sequence of ordered stages.
11. The method of claim 10, wherein preventing execution of the arbitrary cryptographic operation responsive to tampering comprises preventing recovery of the second secret responsive to tampering prior to execution of the second stage.
12. The method of claim 10, wherein executing the arbitrary cryptographic operation comprises decrypting a data payload encrypted with at least the first secret and the second secret.
13. The method of claim 10, wherein executing the arbitrary cryptographic operation comprises generating a digital signature with at least the first secret and the second secret.
14. The method of claim 10, further comprising: obtaining the first value from the PUF device in response to transmitting a first challenge to the PUF device; andobtaining the second value from the PUF device in response to transmitting a second challenge to the PUF device.
15. The method of claim 10, wherein removing the one or more intermediate values from the memory prior to execution of the subsequent stage comprises removing at least the first secret from the memory.
16. A non-transitory computer-readable storage medium storing instructions that, when executed by a processor, cause the processor to perform a method comprising: executing an arbitrary cryptographic operation, encoded with at least a first secret and a second secret, in a sequence of ordered stages including at least a first stage and a second stage, the executing comprising: during the first stage: obtaining a first value from a physical unclonable function (PUF) device;recovering the first secret based on at least the first value obtained from the PUF device;executing a first cryptographic operation using the first secret; removing from memory one or more intermediate values generated by the act of recovering prior to execution of a subsequent stage;during the second stage and after the first stage: obtaining a second value from the PUF device;recovering the second secret based on at least the second value obtained from the PUF device; andexecuting a second cryptographic operation using the second secret and an output from the first cryptographic operation;executing the arbitrary cryptographic operation using an output of the second cryptographic operation; andpreventing execution of the arbitrary cryptographic operation responsive to tampering with the PUF device based on preventing recovery of at least one secret in the sequence of ordered stages.
17. The non-transitory computer-readable medium of claim 16, wherein preventing execution of the arbitrary cryptographic operation responsive to tampering comprises preventing recovery of the second secret responsive to tampering prior to execution of the second stage.

CROSS REFERENCE TO RELATED APPLICATIONS

This Application is a Continuation of and claims the benefit under 35 U.S.C. § 120 of U.S. application Ser. No. 14/704,914, filed May 5, 2015, entitled “AUTHENTICATION SYSTEM AND DEVICE INCLUDING PHYSICAL UNCLONABLE FUNCTION AND THRESHOLD CRYPTOGRAPHY”, which claims priority under 35 U.S.C. § 119(e) to: U.S. Provisional Application Ser. No. 62/150,586, filed Apr. 21, 2015, entitled “SYSTEM AND DEVICE HAVING STAGGERED THRESHOLD OPERATIONS;” U.S. Provisional Application Ser. No. 62/128,920, filed Mar. 5, 2015, entitled “SYSTEM AND DEVICE HAVING REFRESHABLE HARDWARE ROOT OF TRUST;” and U.S. Provisional Application Ser. No. 61/988,848, filed May 5, 2014, entitled “AUTHENTICATION USING ELLIPTIC CURVES AND PHYSICALLY UNCLONABLE FUNCTIONS”. Each of the preceding applications are incorporated by reference in their entirety herein. This application claims the benefit of the priority of provisional U.S. patent applications Ser. No. 62/150,586 fled Apr. 21, 2015, Ser. No. 62/128,920 filed Mar. 5, 2015, and Ser. No. 61/988,848 filed May 2014, and the contents of each of those provisional application is incorporated by reference here.

US Referenced Citations (172)

Number	Name	Date	Kind
6128735	Goldstein	Oct 2000	A
6182214	Hardjono	Jan 2001	B1
6477254	Miyazaki	Nov 2002	B1
6501390	Chainer et al.	Dec 2002	B1
7564345	Devedas et al.	Jul 2009	B2
7581248	Atkins et al.	Aug 2009	B2
7653197	Van Dijk	Jan 2010	B2
7702927	Devedas et al.	Apr 2010	B2
7839278	Devedas et al.	Nov 2010	B2
7926089	Tulshibagwale et al.	Apr 2011	B2
7962516	Bahrs et al.	Jun 2011	B2
8032760	Tuyls et al.	Oct 2011	B2
8281127	Hayes	Oct 2012	B2
8290150	Erhart et al.	Oct 2012	B2
8346951	Hayes	Jan 2013	B2
8379856	Potkonjak	Feb 2013	B2
8386990	Trimberger et al.	Feb 2013	B1
8418006	Trimberger et al.	Apr 2013	B1
8446250	Kursawe et al.	May 2013	B2
8458489	Beckmann et al.	Jun 2013	B2
8463813	Siress et al.	Jun 2013	B2
8468186	Yu	Jun 2013	B2
8510608	Futa et al.	Aug 2013	B2
8516269	Hamlet et al.	Aug 2013	B1
8525169	Edelstein et al.	Sep 2013	B1
8566579	Armstrong et al.	Oct 2013	B2
8577091	Ivanov et al.	Nov 2013	B2
8625788	Pendakur et al.	Jan 2014	B2
8667265	Hamlet et al.	Mar 2014	B1
8752155	Lauper	Jun 2014	B2
8782396	Ziola et al.	Jul 2014	B2
8844009	Walsh et al.	Sep 2014	B2
8848477	Schrijen et al.	Sep 2014	B2
8848905	Hamlet et al.	Sep 2014	B1
8868923	Hamlet et al.	Oct 2014	B1
8912817	Wang et al.	Dec 2014	B2
8918647	Wallrabenstein	Dec 2014	B1
8938792	Koeberl et al.	Jan 2015	B2
8995660	Kobayashi et al.	Mar 2015	B2
9018972	Gurrieri et al.	Apr 2015	B1
9032476	Potkonjak	May 2015	B2
9038133	Chellappa et al.	May 2015	B2
9049011	Agrawal	Jun 2015	B1
9158906	Guajardo Merchan et al.	Oct 2015	B2
9225512	Trimberger	Dec 2015	B1
9292692	Wallrabenstein	Mar 2016	B2
9672342	Walsh et al.	Jun 2017	B2
9681302	Robinton et al.	Jun 2017	B2
9690927	Chellappa et al.	Jun 2017	B2
9705854	Khazan et al.	Jul 2017	B2
9715590	Gardner et al.	Jul 2017	B2
9755841	Chen	Sep 2017	B2
9806718	Wallrabenstein	Oct 2017	B2
9946858	Wallrabenstein	Apr 2018	B2
10013543	Walsh et al.	Jul 2018	B2
10044514	Peterson et al.	Aug 2018	B1
10425235	Wallrabenstein et al.	Sep 2019	B2
10432409	Wallrabenstein	Oct 2019	B2
20020116611	Zhou	Aug 2002	A1
20030081785	Boneh et al.	May 2003	A1
20030088782	Forrest	May 2003	A1
20030204743	Devadas et al.	Oct 2003	A1
20050149496	Mukherjee et al.	Jul 2005	A1
20050222896	Rhyne et al.	Oct 2005	A1
20060023887	Agrawal et al.	Feb 2006	A1
20060045262	Orlando	Mar 2006	A1
20060210082	Devadas	Sep 2006	A1
20060271792	Devadas et al.	Nov 2006	A1
20070036353	Reznik et al.	Feb 2007	A1
20070044139	Tuyls et al.	Feb 2007	A1
20070206786	Chakraborty	Sep 2007	A1
20080044027	Van Dijk	Feb 2008	A1
20080069341	Relyea	Mar 2008	A1
20080133912	Yamamoto et al.	Jun 2008	A1
20080181398	Pappu	Jul 2008	A1
20080256549	Liu et al.	Oct 2008	A1
20080256600	Schrijen et al.	Oct 2008	A1
20080304657	Tuyls et al.	Dec 2008	A1
20090063860	Barnett et al.	Mar 2009	A1
20090083833	Ziola et al.	Mar 2009	A1
20100031065	Futa et al.	Feb 2010	A1
20100037055	Fazio	Feb 2010	A1
20100037056	Follis et al.	Feb 2010	A1
20100078636	Zachariasse	Apr 2010	A1
20100085075	Luzzi et al.	Apr 2010	A1
20100122093	Tuyls et al.	May 2010	A1
20100127822	Devedas	May 2010	A1
20100131752	Flegel	May 2010	A1
20100176920	Kursawe et al.	Jul 2010	A1
20100199103	Van Rijnswou	Aug 2010	A1
20100272255	Devedas et al.	Oct 2010	A1
20100293384	Potkonjak	Nov 2010	A1
20100293612	Potkonjak	Nov 2010	A1
20110002461	Erhart et al.	Jan 2011	A1
20110033041	Yu et al.	Feb 2011	A1
20110099117	Schepers et al.	Apr 2011	A1
20110113392	Chakraborty et al.	May 2011	A1
20110138475	Gordon et al.	Jun 2011	A1
20110191837	Guajardo Merchan et al.	Aug 2011	A1
20110215829	Guajardo Merchan et al.	Sep 2011	A1
20110299678	Deas et al.	Dec 2011	A1
20120072717	Hayes	Mar 2012	A1
20120072736	Kudoh	Mar 2012	A1
20120072737	Schrijen et al.	Mar 2012	A1
20120124385	Klasen et al.	May 2012	A1
20120131340	Teuwen et al.	May 2012	A1
20120137137	Brickell et al.	May 2012	A1
20120183135	Paral	Jul 2012	A1
20120213359	Troncoso Pastoriza et al.	Aug 2012	A1
20120233674	Gladstone et al.	Sep 2012	A1
20120321077	Shiota et al.	Dec 2012	A1
20130010957	Yu et al.	Jan 2013	A1
20130013931	O'Hare et al.	Jan 2013	A1
20130046990	Fahrny et al.	Feb 2013	A1
20130051552	Handschuh et al.	Feb 2013	A1
20130073860	Ibraimi	Mar 2013	A1
20130094649	Tomlinson et al.	Apr 2013	A1
20130114810	Kobayashi et al.	May 2013	A1
20130138710	Yamamoto et al.	May 2013	A1
20130142329	Bell et al.	Jun 2013	A1
20130198838	Schmidt et al.	Aug 2013	A1
20130246809	Beckmann et al.	Sep 2013	A1
20130272521	Kipnis et al.	Oct 2013	A1
20140047565	Back et al.	Feb 2014	A1
20140093074	Gotze et al.	Apr 2014	A1
20140108786	Kreft	Apr 2014	A1
20140140513	Brightley et al.	May 2014	A1
20140189365	Cox	Jul 2014	A1
20140189890	Koeberl	Jul 2014	A1
20140205089	Irwin	Jul 2014	A1
20140225639	Guo et al.	Aug 2014	A1
20140226813	Heffner	Aug 2014	A1
20140279532	Tremlet	Sep 2014	A1
20140297540	Swamy	Oct 2014	A1
20140328481	Morioka	Nov 2014	A1
20150058928	Guo et al.	Feb 2015	A1
20150071432	Zhu et al.	Mar 2015	A1
20150091747	Watanabe	Apr 2015	A1
20150095655	Sherman	Apr 2015	A1
20150134966	Wallrabenstein	May 2015	A1
20150143130	Ducharme et al.	May 2015	A1
20150156184	Tucker et al.	Jun 2015	A1
20150172049	Chida et al.	Jun 2015	A1
20150192637	Falk et al.	Jul 2015	A1
20150195088	Rostami et al.	Jul 2015	A1
20150229480	Joye	Aug 2015	A1
20150234751	Van der Sluis et al.	Aug 2015	A1
20150242620	Newell et al.	Aug 2015	A1
20150278505	Lu et al.	Oct 2015	A1
20150295722	Falk	Oct 2015	A1
20150317480	Gardner et al.	Nov 2015	A1
20150317481	Wallrabenstein	Nov 2015	A1
20150318994	Walsh et al.	Nov 2015	A1
20150319000	Falk et al.	Nov 2015	A1
20150341792	Wallrabenstein et al.	Nov 2015	A1
20160021096	Wallrabenstein	Jan 2016	A1
20160072623	Joye et al.	Mar 2016	A1
20160080158	Geherer	Mar 2016	A1
20160154981	Wesselhoff	Jun 2016	A1
20160170907	Walsh et al.	Jun 2016	A1
20160261409	French et al.	Sep 2016	A1
20160269186	Wallrabenstein	Sep 2016	A1
20160378983	Spurlock et al.	Dec 2016	A1
20170063559	Wallrabenstein et al.	Mar 2017	A1
20170132434	Wang et al.	May 2017	A1
20170149572	Wallrabenstein	May 2017	A1
20170270288	Walsh et al.	Sep 2017	A1
20180096172	Lu	Apr 2018	A1
20180248706	Wallrabenstein	Aug 2018	A1
20180351752	Wallrabenstein et al.	Dec 2018	A1
20180351753	Gardner et al.	Dec 2018	A1
20180351754	Wallrabenstein et al.	Dec 2018	A1

Foreign Referenced Citations (23)

Number	Date	Country
2482635	Oct 2003	CA
101276389	Oct 2008	CN
101847296	Sep 2010	CN
103154925	Jun 2013	CN
103391199	Nov 2013	CN
106576046	Apr 2017	CN
10 2014 208 212	Nov 2015	DE
2 320 344	Jul 2011	EP
2560341	Feb 2013	EP
2684331	Jan 2014	EP
2003-051821	Feb 2003	JP
2011-526113	Sep 2011	JP
2012-503814	Feb 2012	JP
2012-509039	Apr 2012	JP
20090104421	Oct 2009	KR
WO 2009156904	Dec 2009	WO
WO 2010035202	Apr 2010	WO
WO 2010055171	May 2010	WO
WO 2010105993	Sep 2010	WO
WO 2014037812	Mar 2014	WO
WO 2014184899	Nov 2014	WO
WO 2015200196	Dec 2015	WO
WO 2016141386	Sep 2016	WO

Non-Patent Literature Citations (143)

Entry
L. Ham, Group-oriented (t, n) threshold digital signature scheme and digital multisignature, 1994, IEE Proc.-Comput. Digit. Teah., vol. 141, No. 5, p. 307-310 (Year: 1994).
International Search Report and Written Opinion dated Sep. 16, 2015 for Application No. PCT/US2015/036937.
International Preliminary Report on Patentability dated Jun. 16, 2016 for Application No. PCT/US2015/036937.
International Search Report and Written Opinion dated Jun. 3, 2016 for Application No. PCT/US2016/021275.
International Preliminary Report on Patentability dated Sep. 14, 2017 for Application No. PCT/US2016/021275.
International Search Report and Written Opinion dated Jun. 3, 2016 for Application No. PCT/US2016/021264.
International Preliminary Report on Patentability dated Sep. 14, 2017 for Application No. PCT/US2016/021264.
International Search Report and Written Opinion dated Sep. 20, 2018 in connection with International Application No. PCT/US2018/036014.
International Search Report and Written Opinion dated Sep. 20, 2018 in connection with International Application No. PCT/US2018/036023.
Extended European Search Report dated Sep. 28, 2018 in connection with European Application No. EP 16759655.0.
Extended European Search Report dated Jan. 18, 2018 in connection with European Application No. 15811003.1
Extended European Search Report dated Sep. 6, 2018 in connection with European Application No. 18175600.8.
[No Author Listed], D6.5: Publishable Summary. HINT. Seventh Framework Programme. Project 317930. Dec. 11, 2013. 5 pages.
Abe et al., Adaptively Secure Feldman VSS and Applications to Universally-Composable Threshold Cryptography. Advances in Cryptology. CRYPTO 2004. 2004;3152:317-34.
Abercrombie et al., Secure Cryptographic Key Management System (CKMS) Considerations for Smart Grid Devices. CSIIRW'11 Proceedings of the Seventh Annual Workshop on Cyber Security and Information Intelligence Research, Oak Ridge, TN. Article No. 59. Oct. 12-14, 2011. 4 pages.
Al Ibrahim et al., Cyber-Physical Security Using System-Level PUFs. 7th International IEEE Wireless Communications and Mobile Computing Conference (IWCMC). 2011. 5 pages.
Armknecht et al., A Formal Foundation for the Security Features of Physical Functions. Proceedings of the 2011 IEEE Symposium on Security and Privacy, SP '11. 2011;397-412.
Asaeda et al., Structuring Proactive Secret Sharing in Mobile Ad-hoc Networks. 2006 1st International Symposium on Wireless Pervasive Computing. Jan. 18, 2006. 6 pages.
Asim et al., Physical Unclonable Functions and Their Applications to Vehicle System Security. Vehicular Technology Conference, VTC Spring 2009. 10 pages.
Becker et al., Stealthy Dopant-Level Hardware Trojans. Crytographic Hardware and Embedded Systems, CHES 2013. 2013;8086:197-214. 18 pages.
Bilgin et al., A More Efficient AES Threshold Implementation. Cryptology ePrint Archive. Report 2013/967. 2013. 17 pages.
Blakley, Safeguarding cryptographic keys. Proceedingsof the 1979 AFIPS National Computer Conference. 1979;313-7.
Brzuska et al., Physically Uncloneable Functions in the Universal Composition Framework. Advances in Cryptology—CRYPTO 2011—31st Annual Cryptology Conference. 2011;6841:51-70.
Changgen et al., Threshold Signcryption Scheme Based on Elliptic Curve Cryptosystem and Verifiable Secret Sharing. International Conference on Wireless Communications, Networking and Mobile Computing. 2005;2:1136-9.
Chen et al., An efficient threshold group signature scheme. IEEE Region 10 Conference TENCON. 2004;2(B):13-6.
Chen, Reconfigurable physical unclonable function based on probabilistic switching of RRAM. Electron Lett. Apr. 13, 2015;51(8):615-7.
Coron, Resistance Against Differential Power Analysis for Elliptic Curve Cryptosystems. Crytpographic Hardware and Embedded Systems. 1999;1717:292-302.
Dodis et al., Fuzzy Extractors: How to Generate Strong Keys from Biometrics and Other Noisy Data. EUROCRYPT 2004. 2004;3027:523-40.
Duc et al., A survey on RFID security and provably secure grouping-proof protocols. Int J Internet Tech Secured Trans. 2010;2(3/4):222-249.
Duren et al., Resilient Device Authentication System (RDAS) through SIOMETRICS. Eighth Annual Cyber Security and Information Intelligence Workshop. ACM. 2012; pp. 1-4.
Dwoskin et al., Hardware-rooted Trust for Secure Key Management and Transient Trust. Proceedings of the 14th ACM Conference: Computer & Communications Security. Nov. 2, 2007;389-400.
Eichhorn et al., Logically Reconfigurable PUFs: Memory-based Secure Key Storage. Proceedings of the Sixth ACM Workshop on Scalable Trusted Computing, STC '11. Oct. 17, 2011;59-64. 6 pages.
Eiroa, Hardware authentication based on PUFs and SHA-3 2nd round candidates. IEEE. 2009; pp. 1-4.
Ertaul et al., ECC Based Threshold Cryptography for Secure Data Forwarding and Secure Key Exchange in MANET (I). Networking 2005, Networking Technologies, Services, and Protocols; Performance of Computer and Communication Networks; Mobile and Wireless Communications Systems. 2005;3462:102-13.
Feiri et al., Efficient and Secure Storage of Private Keys for Pseudonymous Vehicular Communication. ACM CyCAR '13. Nov. 4, 2013;9-18.
Feldman, A Practical Scheme for Non-interactive Verifiable Secret Sharing. Proceedings of the 28th Annual Symposium on Foundations of Computer Science, SFCS '87. 1987;427-37.
Frankel et al., Optimal-Resilience Proactive Public-Key Cryptosystems. 38th Annual Symposium on Foundations of Computer Science. 1997;384-93. 12 pages.
Frikken et al., Robust Authentication using Physically Unclonable Functions. Information Security, ISC. 2009;5735:262-77.
Garcia-Alfaro et al., Security Threat Mitigation Trends in Low-cost RFID Systems. Data Privacy Management and Autonomous Spontaneous Security. 2010. 15 pages.
Gardner et al., Toward Trusted Embedded Systems. 2nd Annual NSA Trusted Computing Conference and Exposition. Orlando, FL. Sep. 20, 2011. 25 pages.
Gassend et al., Silicon Physical Random Functions. Proceedings of the 9th ACM Conference on Computer and Communications Security, CCS '02. 2002;148-60.
Gennaro et al., Secure Applications of Pedersen's Distributed Key Generation Protocol. Topics in Cryptology. CT-RSA 2003. 2003;2612:373-90.
Gennaro et al., Secure Distributed Key Generation for Discrete-Log Based Cryptosystems. Advances in Cryptology. EUROCRYPT 99. 1999;1592:295-310. 16 pages.
Goldwasser et al., One-time programs, Proceedings of the 28th Annual conference on Cryptology: Advances in Cryptology. CRYPTO 2008. 2008;39-56.
Guajardo et al., FPGA intrinsic PUFs and Their Use for IP Protection. Proceedings of the 9th Cryptographic Hardware and Embedded Systems Workshop (CHES). 2007;4727. 22 pages.
Guajardo et al., Physical Unclonable Functions and Public-Key Crypto for FPGA IP Protection. International Conference on Field Programmable Logic and Applications. 2007. 8 pages.
Handschuh et al., Hardware Intrinsic Security from Physically Unclonable Functions. Towards Hardware-Intrinsic Security, Information Security and Cryptography. 2010;39-53.
Herzberg et al., Proactive Public Key and Signature Systems. Proceedings of the 4th ACM Conference on Computer and Communications Security. CCS '97. 1997;100-10. 11 pages.
Herzberg et al., Proactive Secret Sharing or: How to Cope With Perpetual Leakage. Advances in Cryptology. CRYPTO 95. 1995;963:339-52.
Holcomb et al., Initial SRAM State as a Fingerprint and Source of True Random Numbers For RFID Tags. Proceedings of the Conference on RFID Security. 2007. 12 pages.
Hori et al., Quantitative and Statistical Performance Evaluation of Arbiter Physical Unclonable Functions on FPGAs. 2010 International Conference on Reconfigurable Computing and FPGAs (ReCon-Fiq). 2010;298-303. 6 pages.
Horstmeyer et al., Physically secure and fully reconfigurable data storage using optical scattering. IEEE International Symposium on Hardware Oriented Security and Trust (HOST). 2015;157-62. 6 pages.
Huang et al., To verify embedded system software integrity with TCM and FPGA. IEEE. Aug. 2010;65-70.
Hua-Qun et al., Verifiable (t, n) Threshold Signature Scheme based on Elliptic Curve. Wuhan Univ J Nat Sci. 2005;10(1):165-8.
Ibrahim et al., A Robust Threshold Elliptic Curve Digital Signature Providing a New Verifiable Secret Sharing Scheme. IEEE 46th Midwest Symposium on Circuits and Systems. 2003;1:276-80. 5 pages.
Jarecki et al., Adaptively Secure Threshold Cryptography: Introducing Concurrency, Removing Erasures (Extended Abstract). Advances in Cryptology. Eurocrypt 2000. 2000;1807:223-45.
Juels et al., A Fuzzy Commitment Scheme. Proceedings of the 6th ACM Conference on Computer and Communications Security, CCS '99. 1999;28-36. 9 pages.
Karakoyunlu et al., Differential template attacks on PUF enable cryptographic devices. IEEE International Workshop on Information Forensics and Security (WIFS). Dec. 12-15, 2010;1-6.
Katzenbeisser et al., PUFs: Myth, Fact or Busted? A Security Evaluation of Physically Unclonable Functions (PUFs) Cast in Silicon (Extended Version). Cryptographic Hardware and Embedded Systems—CHES '12. 2012;283-301. 18 pages.
Katzenbeisser et al., Recyclable PUFs: logically reconfigurable PUFs. J Cryto Eng. 2011;1(3):177-86. 15 pages.
Kerr et al., PEAR: A Hardware Based Protocol Authentication System. SPRINGL '10 Proceedings of the 3rd ACM 3IGSPATIAL International Workshop on Security and Privacy in GIS and LBS. 2010. 8 pages.
Kerr, Secure Physical System Design Leveraging PUF Technology. Purdue University. Thesis. May 2012. 87 pages.
Khandavilli, A Mobile Role Based Access Control System Using Identity Based Encryption With Non-Interactive 7ero Knowledge Proof of Authentication. Dalhousie University Repository, Faculty of Graduate Studies. Thesis. Apr. 5, 2012. 65 pages.
Khoshroo, Design and Evaluation of FPGA-Based Hybrid Physically Unclonable Functions. Thesis. Graduate Program in Electrical and Computer Engineering. Western University. London, Ontario, Canada May 2013. 107 pages.
Kim et al., Threshold Signature Schemes for EIGamal Variants. Comp Stan Interf. 2011;33(4):432-7.
Kirkpatrick et al., Enforcing Physically Restricted Access Control for Remote Data. Proceedings of CODASPY. 2011. 10 pages.
Kirkpatrick et al., PUF ROKs: A Hardware Approach to Read-Once Keys. Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security, ASIACCS '11. 2011;155-64.
Kirkpatrick et al., Software Techniques to Combat Drift in PUF-based Authentication Systems. Workshop on Secure Component and System Identification. 2010. 9 pages.
Kirkpatrick et at, Physically Restricted Authentication and Encryption for Cyber-physical Systems. DHS Workshop on Future Directions in Cyber-physical Systems Security. 2009. 5 pages.
Kish et al., Physical Uncloneable Function Hardware Keys Utilizing Kirchhoff-Law Johnson-Noise Secure Key Exchange and Noise-Based Logic. Fluctuation Noise Lett. 2013;12. 9 pages.
Kocher et al., Differential Power Analysis. Proceedings of the 19th Annual International Cryptology Conference on Advances in Cryptology, CRYPTO '99. 1999;388:97. 10 pages.
Kocher et al., Introduction to Differential Power Analysis. J Cryptogr Eng. Mar. 3, 2011;1:5-27.
Krzywiecki et al., Coalition Resistant Anonymous Broadcast Encryption Scheme Based on PUF. TRUST 2011. 2011;6740:48-62.
Krzywiecki et al., Collusion Resistant Anonymous Broadcast Encryption Scheme Based on PUF. TRUST 2011. Jun. 22-24, 2011. 93 pages.
Kumar et al., Extended abstract: The Butterfly PUF Protecting IP on Every FPGA. IEEE International Workshop on Hardware-Oriented Security and Trust. 2008;67-70. 4 pages.
Kursawe et al., Reconfigurable Physical Unclonable Functions—Enabling Technology for Tamper-Resistant Storage. 2009 IEEE International Hardware-Oriented Security and Trust, HOST '09. 2009;22-9.
Langheinrich et al., Practical Minimalist Cryptography for RFID Privacy. IEEE Sys J. Dec. 2007;1(2). 19 pages.
Langheinrich et al., RFID Privacy Using Spatially Distributed Shared Secrets. International Symposium on Ubiquitous Computing Systems (UCS). 2007;1-16.
Lao et al., Reconfigurable architectures for silicon physical unclonable functions. IEEE International Conference on Electro/Information Technology (EIT). 2011;1-7.
Lee et al., A technique to build a secret key in integrated circuits for identification and authentication applications. IEEE Symposium on VLSI Circuits: Digest of Technical Papers. 2004;176-9. 4 pages.
Libert et al., Adaptively Secure Non-interactive Threshold Cryptosystems. Automata, Languages and Programming. 2011;588-600. 23 pages.
Maes et al., Intrinsic PUFs from flip-flops on reconfigurable devices. 3rd Benelux Workshop on Information and System Security (WISSec 2008). 2008. 17 pages.
Maiti et al., Physical Unclonable Function and True Random Number Generator: a Compact and Scalable implementation. GLSVLSI '09 Proceedings of the 19th ACM Great Lakes Symposium on VLSI. 2009. 4 pages.
Maiti et al., The Impact of Aging on an FPGA-Based Physical Unclonable Function. International Conference on Field Programmable Logic and Applications (FPL). 2011;151-6.
Maiti, A Systematic Approach to Design an Efficient Physical Unclonable Function. Virginia Polytechnic Institute and State University. Dissertation. Apr. 30, 2012. 166 pages.
Majzoobi et al., Techniques for Design and Implementation of Secure Reconfigurable PUFs. ACM Trans Reconfig Tech Sys. Mar. 2009;2(1):5.1-33.
Merli et al., Semi-invasive EM Attack on FPGA RO PUFs and Countermeasures. Proceedings of the Workshop on Embedded Systems Security, WESS '11. 2011;2.1-9.
Merli et al., Side-Channel Analysis of PUFs and Fuzzy Extractors. Trust and Trustworthy Computing. 2011;6740:33-47.
Moradi et al., Pushing the Limits: A Very Compact and a Threshold Implementation of AES. Advances in Cryptology. EUROCRYPT 2011. 2011;6632:69-88.
Nabeel et al., Authentication and key management for advanced metering infrastructures utilizing physically unclonable function. IEEE Third International Conference on Smart Grid Communications SmartGridComm). 2012;324-9. 6 pages.
Nikova et al., Threshold Implementations Against Side-Channel Attacks and Glitches. Information and Communications Security. 2006;4307:529-45. 17 pages.
Owusu et al., OASIS: On Achieving a Sanctuary for Integrity and Secrecy on Untrusted Platforms. Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security. ACM. 2013;13-24. 12 pages.
Paral et al., Reliable and Efficient PUF-based Key Generation using Pattern Matching. IEEE International Symposium on Hardware-Oriented Security and Trust (HOST). 2011;128-33.
Pedersen, A Threshold Cryptosystem without a Trusted Party. Advances in Cryptology. EUROCRYPT 91. 1991;547:522-6.
Pedersen, Non-Interactive and Information-Theoretic Secure Verifiable Secret Sharing. Advances in Cryptology, CRYPTO 91. 1992;576:129-40.
Peeters et al., Towards More Secure and Reliable Access Control. Perv Comp. 2011;11(3). 8 pages.
Peeters, Security Architecture for Things That Think. Department of Electrical Engineering. Arenberg Doctoral-School of Science, Engineering and Technology. Dissertation Jun. 2012. 150 pages.
Pfaffhauser, Protocols for MPC based on Unclonability. Department of Computer Science, ETH Zurich. Master Thesis. Apr. 12, 2011. 53 pages.
Potkonjak et al., Differential Public Physically Unclonable Functions: Architecture and Applications. DAC '11 Proceedings of the 48th Design Automation Conference. 2011. 7 pages.
Ravikanth, Physical one-way functions. Massachusetts Institute of Technology. Dissertation. 2001. 154 pages.
Rigaud, ed., D3.1: Report on Protocol choice and implementation. HINT. Project 317930. Aug. 4, 2014. 35 pages.
Ruan et al., Elliptic curve ElGamal Threshold-based Key Management Scheme against Compromise of Distributed RSUs for VANETs. J Info Proc. 2012;20(4). 8 pages.
Rührmair et al., Applications of High-Capacity Crossbar Memories in Cryptography. IEEE Trans Nanotechnol. May 2011;10(3):489-98.
Rührmair et al., Modeling Attacks on Physical Unclonable Functions. Proceedings of the 17th ACM Conference on Computer and Communications Security, CCS '10. 2010;237-49.
Rührmair et al., Power and Timing Side Channels for PUFs and their Efficient Exploitation. IACR Cryptology ePrint Archive 2013;851. 14 pages.
Rührmair et al., PUFs in Security Protocols: Attack Models and Security Evaluations. 2013 IEEE Symposium on Security and Privacy. 2013;286-300.
Rust, ed., D1.1: Report on use case and architecture requirements. Seventh Framework Programme. Holistic Approaches for Integrity of ICT-Systems. ICT-317930. Feb. 28, 2013. 50 pages.
Sadeghi et al., Short Paper: Lightweight Remote Attestation Using Physical Functions. ACM. Jun. 2011;109-14.
Sardar et al., Zero Knowledge Proof in Secret Sharing Scheme Using Elliptic Curve Cryptography. Global Trends in Computing and Communication Systems. 2012;269:220-6.
Schuster, Side-Channel Analysis of Physical Unclonable Functions (PUFs). Technische Universitat Munchen. Thesis. 2010. 57 pages.
Shamir, How to Share a Secret. Comm ACM. 1979;22(11):612-3.
Shao, Repairing Efficient Threshold Group Signature Scheme. Int J Netw Sec. Sep. 2008;7(2):218-22.
Shpantzer, Implementing Hardware Roots of Trust: The Trusted Platform Module Comes of Age. A SANS Whitepaper. Jun. 2013, pp. 1-17.
Suh et al., Aegis: A Single-Chip Secure Processor. IEEE Des Test Comp. 2007;570-80.
Suh et al., Physical Unclonable Functions for Device Authentication and Secret key Generation. Proceedings of the 44th annual Design Automation Conference, DAC '07. 2007;9-14.
Tang, ECDKG: A Distributed Key Generation Protocol Based on Elliptic Curve Discrete Logarithm. University of Southern California, Department of Computer Science. Technical Report 04-838. 2004. 20 pages.
Tuyls et al., Capacity and Examples of Template Protecting Biometric Authentication Systems. Biometric Authentication. 2004;3087:158-70. 13 pages.
Tuyls et al., Read-Proof Hardware from Protective Coatings. Proceedings of the 8th International Conference on Cryptographic Hardware and Embedded Systems. CHES '06. 2006;4249:369-83. 15 pages.
Van Dijk et al., Physical Unclonable Functions in Cryptographic Protocols: Security Proofs and Impossibility Results. Cryptolgoy ePrint Archive. Report 2012/228. Apr. 25, 2012. 36 pages.
Wang et al., Verifiable (t, n)Threshold Signature Scheme based on Elliptic Curve. Wuhan Univ J Natural Sci. 2005;10(1):165-8
Wu et al., On Foundation and Construction of Physical Unclonable Functions. IACR Cryptology ePrint Archive. 2010;171. 18 pages.
Yu et al., Lightweight and Secure PUF Key Storage Using Limits of Machine Learning. Proceedings of the 13th International Conference on Cryptographic Hardware and Embedded Systems, CHES '11. 2011;6917:358-73.
Yu et al., Recombination of Physical Unclonable Functions. GOMACTech. 2010. 4 pages.
Yu et al., Secure and robust error correction for physical unclonable functions. IEEE Des Test. Jan. 2010;27(1):48-65.
Zhang et al., Exploiting Process Variation and Programming Sensitivity of Phase Change Memory for Reconfigurable Physical Unclonable Functions. IEEE Trans Info Forensics Sec. 2014;9(6):921-32.
Zhao et al., Providing Root of Trust for ARM TrustZone using On-Chip SRAM. TrustED '14. ACM. Nov. 3, 2014; pp. 25-36.
Zheng et al., How to Construct Efficient Signcryption Schemes on Elliptic Curves. Inf Proc Lett. 1998;68(5):227-33.
Zheng, Digital Signcryption or How to Achieve Cost(Signature & Encryption) « Cost(Signature) + Cost(Encryption). Advances in Cryptology. CRYPTO '97. 1997;1294:165-79.
U.S. Appl. No. 14/704,914, filed May 5, 2015, Wallrabenstein.
U.S. Appl. No. 15/961,082, filed Apr. 24, 2018, Wallrabenstein.
U.S. Appl. No. 15/613,088, filed Jun. 2, 2017, Wallrabenstein et al.
U.S. Appl. No. 15/615,634, filed Jun. 6, 2017, Wallrabenstein et al.
U.S. Appl. No. 15/615,641, filed Jun. 6, 2017, Wallrabenstein et al.
PCT/US2015/036937, Sep. 16, 2015, International Search Report and Written Opinion.
PCT/US2015/036937, Jun. 16, 2016, International Preliminary Report on Patentability.
PCT/US2016/021275, Jun. 3, 2016, International Search Report and Written Opinion.
PCT/US2016/021275, Sep. 14, 2017, International Preliminary Report on Patentability.
PCT/US2016/021264, Jun. 3, 2016, International Search Report and Written Opinion.
PCT/US2018/036014, Sep. 20, 2018, International Search Report and Written Opinion.
PCT/US2018/036023, Sep. 20, 2018, International Search Report and Written Opinion.
EP 16759655.0, Sep. 28, 2018, Extended European Search Report.
EP 18175600.8, Sep. 6, 2018, Extended European Search Report.
EP 15811003.1, Jan. 18, 2018, Extended European Search Report.

Related Publications (1)

	Number	Date	Country
	20190190726 A1	Jun 2019	US

Provisional Applications (3)

Number	Date	Country
62150586	Apr 2015	US
62128920	Mar 2015	US
61988848	May 2014	US

Continuations (1)

	Number	Date	Country
Parent	14704914	May 2015	US
Child	16279758		US

Authentication system and device including physical unclonable function and threshold cryptography

Information

Patent Number

Date Filed

Date Issued

Inventors

Original Assignees

Examiners

Agents

CPC

Field of Search

CPC

International Classifications

Abstract

Description

Claims

CROSS REFERENCE TO RELATED APPLICATIONS

US Referenced Citations (172)

Foreign Referenced Citations (23)

Non-Patent Literature Citations (143)

Related Publications (1)

Provisional Applications (3)

Continuations (1)