Cryptology ePrint Archive: Report 2015/937

End-to-end Design of a PUF-based Privacy Preserving Authentication Protocol

Aydin Aysu and Ege Gulcan and Daisuke Moriyama and Patrick Schaumont and Moti Yung

Abstract: We demonstrate a prototype implementation of a provably secure protocol that supports privacy-preserving mutual authentication between a server and a constrained device. Our proposed protocol is based on a physically unclonable function (PUF) and it is optimized for resource-constrained platforms. The reported results include a full protocol analysis, the design of its building blocks, their integration into a constrained device, and finally its performance evaluation. We show how to obtain efficient implementations for each of the building blocks of the protocol, including a fuzzy extractor with a novel helper-data construction technique, a truly random number generator (TRNG), and a pseudo-random function (PRF). The prototype is implemented on a SASEBO-GII board, using the on-board SRAM as the source of entropy for the PUF and the TRNG. We present three different implementations. The first two execute on a MSP430 soft-core processor and have a security level of 64-bit and 128-bit respectively. The third uses a hardware accelerator and has 128-bit security level. To our best knowledge, this work is the first effort to describe the end-to-end design and evaluation of a privacy-preserving PUF-based authentication protocol.

Category / Keywords: implementation / Physically Unclonable Function, authentication, privacy-preserving protocol, implementation

Original Publication (with minor differences): IACR-CHES-2015

Date: received 24 Sep 2015, last revised 10 Nov 2015

Contact author: dmoriyam at nict go jp

Available format(s): PDF | BibTeX Citation

Note: A preliminary version of this paper appears in the proceedings of CHES 2015. This is the full version including the security proof against the proposed protocol.

Version: 20151111:062532 (All versions of this report)

Short URL:

Discussion forum: Show discussion | Start new discussion

[ Cryptology ePrint archive ]