Beruflich Dokumente
Kultur Dokumente
AbstractPhysical unclonable functions (PUFs) and biometrics are inherently noisy. When used in practice as cryptographic
key generators, they need to be combined with an extraction
technique to derive reliable bit strings (i.e., cryptographic key).
An approach based on an error correcting code was proposed
by Dodis et al. and is known as a fuzzy extractor. However, this
method appears to be difficult for non-specialists to implement.
In our recent study, we reported the results of some example implementations using PUF data and presented a detailed
implementation diagram. In this paper, we describe a more
efficient implementation method by replacing the hash function
output with the syndrome from the BCH code. The experimental
results show that the Hamming distance between two keys vary
according to the key size and information-theoretic security has
been achieved.
KeywordsFuzzy Extractor, Arbiter PUF, Physical Unclonable
Functions
I.
I NTRODUCTION
Physical unclonable functions (PUFs) generate deviceunique data streams by using the manufacturing variations of
each LSI. If a system requires the best extraction scheme,
high security authentication is possible using PUF-based secret
key generation. Since PUFs always produce bit errors in their
responses, some processing has to be performed to remove the
noise for use as a cryptographic key.
In this context, an approach based on an error correcting
code was proposed by Dodis et al. [1] and is known as a
fuzzy extractor. A fuzzy extractor corrects bit errors in the
non-uniform PUF responses and extracts uniform random bits.
Experimental studies of fuzzy extractors [2][3][4][5] have received considerable attention since this approach was proposed
in 2004.
However, it appears to be a difficult method for nonspecialists to implement. In our recent study, we reported on
the results of some example implementations using PUF data
and presented a detailed implementation diagram [6]. In this
paper, we present a more efficient method by replacing the
hash function output with the syndrome from the BCH code.
II.
P ROPOSED METHOD
Reproduction procedure
(helper data)
x: 255bits
SS
s, x
s, x
w: 255bits
PUF
Rec
s: 255bits
s: 255bits
PUF
r: 255bits
RNG1
K bits
(ex.131bits)
SHA
256
w: 255bits
r: 255bits
BCH
dec
r: 255bits
BCH
enc
K bits
(ex.131bits)
BCH
enc
R: 256bits
x: 255bits
w: 255bits
Ext
SHA
256
R: 256bits
Ext
Generation procedure
PUF
255bits
N bits
K bits
115bits
140bits
N-K bits
Reproduction procedure
(helper data)
Key
BCH
enc
Syndrome
140bits
PUF
255bits
S0
N-K bits
0000
115bits
140bits
255bits
W: 255bits
N bits
255bits
255bits
255bits
K bits
K bits
Implementation diagram for our efficient fuzzy extractor based on the syndrome (N = 255).
The proposed method is more simply constructed by replacing the hash function output with the syndrome from the
BCH code, at the same time enabling an information theoretic
security of K bits (where K is the key size).
III.
E XPERIMENTAL RESULTS
Count rate
Figure 2 shows the implementation diagram for our efficient fuzzy extractor using the BCH code and syndrome
concept (N=255). However, the ideas presented in this paper
are not limited to BCH codes. In fact, any error correcting
code with an efficient syndrome decoding algorithm can be
used in this scheme. An approach used for low density parity
check (LDPC) codes, for example, was proposed by Hagiwara
et al. [8]. In future work, we plan to generalize the extraction
scheme (fuzzy extractors) such that other error correcting code
methods, including LDPC codes, may be applied.
Fig. 3.
Virtex-5 LX FPGA
Arbiter PUF1
Arbiter PUF2
Reliability
(Response 255bits)
72
17
148
28
Reliability
(Response 255bits)
66
17
Reliability
(Response 511bits)
140
30
Hamming distance
Fig. 5.
Hamming distance
Hamming distance
Fig. 4.
Reliability
(Response 511bits)
Count rate
(1 )
Entropy =
2
where is mean and is standard deviation of the distribution.
Virtex-5 LX FPGA
Count rate
Count rate
Fig. 2.
BCH
dec
115bits
Key
N-K bits
Hamming distance
Count rate
Uniqueness
(Response 255bits)
30
17
Enrolled PUF
Authenticated PUF
Uniqueness
(Response 511bits)
64
30
Hamming distance
Fig. 6.
Count rate
Hamming distance
Index of Table 2
Fig. 9. Hamming distance between two keys extracted from the same PUF (N
= 511).
The codeword length, N, is 511
Enrolled PUF
Enrolled PUF
Authenticated PUF
Authenticated PUF
Index of Table 1
Fig. 7. Hamming distance between two keys extracted from the same PUF (N
= 255).
Index of Table 2
Fig. 10.
Hamming distance between two keys extracted from different
PUFs (N = 511).
Enrolled PUF
Authenticated PUF
Entropy =
0.50011 (1 0.50011)
= 155.65 bits.
0.0400772
Fig. 8. Hamming distance between two keys extracted from different PUFs (N
= 255).
Fig. 11.
255).
TABLE II.
index
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
Fig. 12.
511).
0.500003 (1 0.500003)
= 335.44 bits.
0.02732
N UMBER
index
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
N
255
255
255
255
255
255
255
255
255
255
255
255
255
255
255
255
255
N = 255
K
247
239
231
223
215
207
199
191
187
179
171
163
155
147
139
131
123
IV.
t
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
18
19
index
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
N
255
255
255
255
255
255
255
255
255
255
255
255
255
255
255
255
K
115
107
99
91
87
79
71
63
55
47
45
37
29
21
13
9
BCH
We showed the results of the proposed fuzzy extractor implementation using Arbiter PUF data and presented a detailed
K
502
493
484
475
466
457
448
439
430
421
412
403
394
385
376
367
358
349
340
331
322
313
304
295
286
277
268
259
250
t
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
17
18
19
20
21
22
23
25
26
27
28
29
30
31
index
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
N
511
511
511
511
511
511
511
511
511
511
511
511
511
511
511
511
511
511
511
511
511
511
511
511
511
511
511
511
K
241
238
229
220
211
202
193
184
175
166
157
148
139
130
121
112
103
94
85
76
67
58
49
40
31
28
19
10
BCH
CODE
t
36
37
38
39
41
42
43
45
46
47
51
53
54
55
58
59
61
62
63
85
87
91
93
95
109
111
119
127
R EFERENCES
[1]
[2]
[3]
C ONCLUSION
N
511
511
511
511
511
511
511
511
511
511
511
511
511
511
511
511
511
511
511
511
511
511
511
511
511
511
511
511
511
THE
CODE FOR
t
21
22
23
25
26
27
29
30
31
42
43
45
47
55
59
63
[4]
[5]
[6]
[7]
[8]
[9]