1 / 32

Lecture8 – Physical One Way Functions (POWFs)

Lecture8 – Physical One Way Functions (POWFs). Rice ELEC 528/ COMP 538 Farinaz Koushanfar Spring 2009. Outline. Definition Advantages Physical phenomena: coherent transport through disordered medium Authentication protocol based on Physical One-Way Functions (POWF)

wilda
Download Presentation

Lecture8 – Physical One Way Functions (POWFs)

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Lecture8 – Physical One Way Functions (POWFs) Rice ELEC 528/ COMP 538 Farinaz Koushanfar Spring 2009

  2. Outline • Definition • Advantages • Physical phenomena: coherent transport through disordered medium • Authentication protocol based on Physical One-Way Functions (POWF) • Invented by Pappu (MIT 2001) Reading: “Physical One-Way Functions”, Ravikanth Pappu,* Ben Recht, Jason Taylor, Neil Gershenfeld. Science 20 September 2002: Vol. 297. no. 5589, pp. 2026 - 2030

  3. Security • Asymmetry b/w the information (secret) • One-way functions • Easy to evaluate in one direction but hard to reverse in the other • E.g., multiplying large prime number as opposed to factoring them • One-way hash functions • Maps a variable length input to a fixed length output • Avalanche property: changing one bit in the input alters nearly half of the output bits • Pre-image resistant, collision resistant

  4. Challenges of algorithmic (mathematical) one-way functions • Technological • Massive number of parallel devices broke DES • Reverse-engineering of secure processors • Fundamental • There is no proof that attacks do not exist • E.g., quantum computers could factor two large prime numbers in polynomial time • Practical • Embedded systems applications

  5. Solution -- POWF • Use the chaotic physical structures that are hard to model instead of mathematical one-way functions! • Physical One Way Functions (POWF) • Inexpensive to fabricate • Prohibitively difficult to duplicate • No compact mathematical representation • Intrinsically tamper-resistant • Pappu proposed using coherent multiple scattering from the disordered media

  6. Coherent multiple scattering from disordered medium • Earlier work (before Pappu) • 2D and 3D inhomogeneous structures as unique tokens difficult to forge • Coherent scattering has been used to detect tampering of physical structures • Nobody has used the computations performed by the physical probe • The use of physical mechanisms for cryptography is well-known in the context of quantum computing • Unlike quantum cryptography, POWF can be utilized over a classical communication channel

  7. More about the physics of the phenomena • Laser speckle fluctuations • sensitivity of scattering the coherent radiation to the structure of the inhomogeneous media • The mesoscopic limit of scattering in 3D • Any changes in the microstructure of a disordered medium cause an order unity change in its speckle patterns

  8. The mesoscopic limit of scattering in 3D medium • The mean free path b/w elastic collisions with scatterers (l) is much larger than the wavelength () of radiation • The thickness of the structure (L) is much smaller than the coherence light of the probe • A - The cross sectional area of a laser beam • Moving A/Ll scatterers would produce an uncorrelated speckle patterns • Rotating the angle of the incident beam by =/(2L)

  9. One-way hash function • Any changes in the microstructure of a disordered medium cause an order unity change in its speckle patterns • Provides a fixed-length key that hashes the specifications of the 3D spatial distribution of the scatterers

  10. How? • What is a speckle pattern • Changing the input

  11. Experiment set-up by Pappu et al. • =632.8nm HeNe laser beam • Optical proxy tokens 10x10x2.5 mm3 • Contains glass spheres 500 to 800 m in diameter (~$0.01 cost) • The density of speckle was chosen to give an average spacing on the order of ~100 m • The spacing equals he photon mean free path in the limit of strong scattering applicable here • The patterns recorded by 320x240 pixel charge-coupled device camera • The tokens mechanically registered with inexpensive kinematic mount allowing submicron positional accuracy in 6D of freedom, providing repeatability of the registers

  12. System description • 3D structure hashed to produce a 2D image, filtered by a multi-scale Gabor transform to produce a 1D key

  13. Gabor transform • Represents the image density as a discrete multi-scale decomposition over oriented filter kernels with varying spatial frequencies • The filter parameters selected to reject pixel-scale noise and ave image intensity variations • The selected parameters render the key insensitive to mechanical misregistrations • 1D (Gabor) and 2D (Dougman – showed that the filters are jointly optimal in providing the max possible resolution for info about orientation and spatial frequency content on local image simultaneous with its 2D location

  14. System specifications • A 1-cm3 cube has 1012 1-m cubic blocks of wavelength size, resulting in terabit structural information • The 320x240 pixel image contains ~megabit of intensity information • Gabor transform reduces this to 2400-bit key

  15. Intensity variations along a specific row&column of the speckle pattern

  16. Intensity variations along a specific row&column of the speckle pattern The remaining variability is filtered by the Gabor transform!

  17. The behavior of the POWF • Randomness • For 576 keys, plot the probability of a bit set to 1 • The average is ~0.5, indicating bitwise maximum entropy code

  18. The behavior of the POWF • Like keys: keys with the same origin • Unlike keys: distinct origin Like dist. Unlike distribution N(0.5,1.07x10-3) ~ 233 independent Binomial trials ~2233 distinct keys

  19. Technical adjustment • The overlap b/w like/unlike can be as small as desired, by reading each token from more than one angle – independent • Demonstration – reading from pairs of angels were combined to form 4800-bit keys in a data set with 165,600/2=82,800 entries • The resulting pdf has mean 0.5 and variance 5.42x10-4 = 461 effective variables

  20. Authentication of the tokens • Test each token and form a database • The minimum probability decision rule is to rejects candidates when the prob that tokens are the same is less than or equal to the prob that tokens are different • Using the rule, they reject a token’s authenticity if the keys are different by more than 0.41x2400=984 bits • The prob of false alarm is 9.8x10-3, but can be made arbitrarily small

  21. Test of tamper-resistance • Intentional modification of the tokens • Drilling a small hole by no.75 drill (533m) • The keys produced before and after tampering had a normalized Hamming dist of 0.46 – differing in ~ half of the bits • Thus, we have the avalanche property • Protect the tokens from accidental damage • Encapsulate in a scratch-resistant material • The Gabor transform can be tuned to reject speckle features arising from surface scratches while preserving features originated from internals

  22. Security concerns • Duplication (cloning) of the token • Reproduce behavior under arbitrary illumination • Emulate the patterns by a hologram or a diffractive optical element Counter measure against the attacks: • The space of possible input illumination and output keys is large!

  23. 1. Duplication (Cloning) • By invasive microscopic probing or polishing or by noninvasive tomographic imaging • Submicron changes in the scatter’s location would result in avalanche effect • Cloning is hard to do, because of physical limitations • E.g., arbitrary submicron devices with small feature sizes are possible to produce, but making a 3D MeMs structure ~5yrs process

  24. 2. Reproduction of behavior • In the experiment here, changing =/(2L) = 4x10-5 rad will produce a totally independent speckle pattern • Produces about 109 independent patterns in 1mm2 • For 100mm2, this will be 1011 • The number can be increased further by varying amplitude, phase and wavelength

  25. Sensitivity of key as probed moved relative to the token • Total of 2400-bit keys available from 100mm2 surface

  26. 3. Emulation by holograms • Recording 1011 or more distinct patterns • The incoherent superposition of patterns reduces the overall diffraction efficiency • Alternatively, an adversary with access to the terminal may try the replay attack! • The prohibitively large number of combinations possible counters this attack

  27. Mesoscopic limits • Photon passing thru performs random walk • Step size is mean free path (l) and covers the distance l/N1/2 after N scatterings • L=l(N)1/2, and N=(L/l)2, equals 625 steps! • Each step requires ~1026 operations!!! • The process of input-output could be used as a functional mapping!

  28. Enrollment/verification

  29. Protocol (Identification) • User: Puts card in reader and claims ID • Verifier: Select random C from CRP database and sends it to the User • User: Uses C, measures R, calculates S', sends S' to Verifier • Verifier: Checks if S equals S', removes C,S

  30. Protocol (authentication) • User: Puts card in reader and claims ID • Verifier: Select random C from CRP database and sends it to the User together with nonce M • User: Uses C, measures R, calculates S', sends Ms'(m) to Verifier • Verifier: Checks if Ms'(m) equals Ms(m). If so then use S to encrypt/decrypt all further messages

  31. Security discussions • Ability to store all illumination-key pairs • Parameterization of the illumination by orientation, location, and wavelength leads to an enormous address space • Linear in the input degree of freedom, since independent illumination patterns add linearly • The space can be exponentially large by using a nonlinear scattering medium that is excited with a two-photon process • The number of patterns is exponential and can easily exceed technological and cosmological limits

  32. POWF • Can be embedded as a primitive in larger distributed cryptographic system • The physical system can transform an enormous amount of information fast and with very low cost • The security in the difficulty of recreating the microstructure of macroscopic objects down to atomic length scales • Replaces cryptosystems based on number-theoretical conjectures with technological constraints that have no theoretical grounding • The system presents practical challenges to adversaries • POWF expands where and how to protect information!

More Related