lecture8 – physical one way functions (powfs)
DESCRIPTION
Lecture8 – Physical One Way Functions (POWFs). Rice ELEC 528/ COMP 538 Farinaz Koushanfar Spring 2009. Outline. Definition Advantages Physical phenomena: coherent transport through disordered medium Authentication protocol based on Physical One-Way Functions (POWF) - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: Lecture8 – Physical One Way Functions (POWFs)](https://reader035.vdocuments.us/reader035/viewer/2022062314/568145fc550346895db307c5/html5/thumbnails/1.jpg)
Lecture8 – Physical One Way Functions (POWFs)
Rice ELEC 528/ COMP 538
Farinaz Koushanfar
Spring 2009
![Page 2: Lecture8 – Physical One Way Functions (POWFs)](https://reader035.vdocuments.us/reader035/viewer/2022062314/568145fc550346895db307c5/html5/thumbnails/2.jpg)
Outline
• Definition
• Advantages
• Physical phenomena: coherent transport through disordered medium
• Authentication protocol based on Physical One-Way Functions (POWF)
• Invented by Pappu (MIT 2001)
Reading: “Physical One-Way Functions”, Ravikanth Pappu,* Ben Recht, Jason Taylor, Neil Gershenfeld. Science 20 September 2002:Vol. 297. no. 5589, pp. 2026 - 2030
![Page 3: Lecture8 – Physical One Way Functions (POWFs)](https://reader035.vdocuments.us/reader035/viewer/2022062314/568145fc550346895db307c5/html5/thumbnails/3.jpg)
Security
• Asymmetry b/w the information (secret)• One-way functions
– Easy to evaluate in one direction but hard to reverse in the other
– E.g., multiplying large prime number as opposed to factoring them
• One-way hash functions– Maps a variable length input to a fixed length output– Avalanche property: changing one bit in the input
alters nearly half of the output bits– Pre-image resistant, collision resistant
![Page 4: Lecture8 – Physical One Way Functions (POWFs)](https://reader035.vdocuments.us/reader035/viewer/2022062314/568145fc550346895db307c5/html5/thumbnails/4.jpg)
Challenges of algorithmic (mathematical) one-way functions
• Technological– Massive number of parallel devices broke DES– Reverse-engineering of secure processors
• Fundamental– There is no proof that attacks do not exist– E.g., quantum computers could factor two large prime
numbers in polynomial time
• Practical– Embedded systems applications
![Page 5: Lecture8 – Physical One Way Functions (POWFs)](https://reader035.vdocuments.us/reader035/viewer/2022062314/568145fc550346895db307c5/html5/thumbnails/5.jpg)
Solution -- POWF
• Use the chaotic physical structures that are hard to model instead of mathematical one-way functions!
• Physical One Way Functions (POWF)– Inexpensive to fabricate– Prohibitively difficult to duplicate– No compact mathematical representation– Intrinsically tamper-resistant
• Pappu proposed using coherent multiple scattering from the disordered media
![Page 6: Lecture8 – Physical One Way Functions (POWFs)](https://reader035.vdocuments.us/reader035/viewer/2022062314/568145fc550346895db307c5/html5/thumbnails/6.jpg)
Coherent multiple scattering from disordered medium
• Earlier work (before Pappu)– 2D and 3D inhomogeneous structures as unique
tokens difficult to forge – Coherent scattering has been used to detect
tampering of physical structures– Nobody has used the computations performed by the
physical probe– The use of physical mechanisms for cryptography is
well-known in the context of quantum computing– Unlike quantum cryptography, POWF can be utilized
over a classical communication channel
![Page 7: Lecture8 – Physical One Way Functions (POWFs)](https://reader035.vdocuments.us/reader035/viewer/2022062314/568145fc550346895db307c5/html5/thumbnails/7.jpg)
More about the physics of the phenomena
• Laser speckle fluctuations – sensitivity of scattering the coherent radiation
to the structure of the inhomogeneous media– The mesoscopic limit of scattering in 3D– Any changes in the microstructure of a
disordered medium cause an order unity change in its speckle patterns
![Page 8: Lecture8 – Physical One Way Functions (POWFs)](https://reader035.vdocuments.us/reader035/viewer/2022062314/568145fc550346895db307c5/html5/thumbnails/8.jpg)
The mesoscopic limit of scattering in 3D medium
• The mean free path b/w elastic collisions with scatterers (l) is much larger than the wavelength () of radiation
• The thickness of the structure (L) is much smaller than the coherence light of the probe
• A - The cross sectional area of a laser beam• Moving A/Ll scatterers would produce an
uncorrelated speckle patterns• Rotating the angle of the incident beam by
=/(2L)
![Page 9: Lecture8 – Physical One Way Functions (POWFs)](https://reader035.vdocuments.us/reader035/viewer/2022062314/568145fc550346895db307c5/html5/thumbnails/9.jpg)
One-way hash function
• Any changes in the microstructure of a disordered medium cause an order unity change in its speckle patterns
• Provides a fixed-length key that hashes the specifications of the 3D spatial distribution of the scatterers
![Page 10: Lecture8 – Physical One Way Functions (POWFs)](https://reader035.vdocuments.us/reader035/viewer/2022062314/568145fc550346895db307c5/html5/thumbnails/10.jpg)
How?
• What is a speckle pattern
• Changing the input
![Page 11: Lecture8 – Physical One Way Functions (POWFs)](https://reader035.vdocuments.us/reader035/viewer/2022062314/568145fc550346895db307c5/html5/thumbnails/11.jpg)
Experiment set-up by Pappu et al.
=632.8nm HeNe laser beam• Optical proxy tokens 10x10x2.5 mm3
• Contains glass spheres 500 to 800 m in diameter (~$0.01 cost)
• The density of speckle was chosen to give an average spacing on the order of ~100 m
• The spacing equals he photon mean free path in the limit of strong scattering applicable here
• The patterns recorded by 320x240 pixel charge-coupled device camera
• The tokens mechanically registered with inexpensive kinematic mount allowing submicron positional accuracy in 6D of freedom, providing repeatability of the registers
![Page 12: Lecture8 – Physical One Way Functions (POWFs)](https://reader035.vdocuments.us/reader035/viewer/2022062314/568145fc550346895db307c5/html5/thumbnails/12.jpg)
System description
• 3D structure hashed to produce a 2D image, filtered by a multi-scale Gabor transform to produce a 1D key
![Page 13: Lecture8 – Physical One Way Functions (POWFs)](https://reader035.vdocuments.us/reader035/viewer/2022062314/568145fc550346895db307c5/html5/thumbnails/13.jpg)
Gabor transform
• Represents the image density as a discrete multi-scale decomposition over oriented filter kernels with varying spatial frequencies
• The filter parameters selected to reject pixel-scale noise and ave image intensity variations
• The selected parameters render the key insensitive to mechanical misregistrations
• 1D (Gabor) and 2D (Dougman – showed that the filters are jointly optimal in providing the max possible resolution for info about orientation and spatial frequency content on local image simultaneous with its 2D location
![Page 14: Lecture8 – Physical One Way Functions (POWFs)](https://reader035.vdocuments.us/reader035/viewer/2022062314/568145fc550346895db307c5/html5/thumbnails/14.jpg)
System specifications
• A 1-cm3 cube has 1012 1-m cubic blocks of wavelength size, resulting in terabit structural information
• The 320x240 pixel image contains ~megabit of intensity information
• Gabor transform reduces this to 2400-bit key
![Page 15: Lecture8 – Physical One Way Functions (POWFs)](https://reader035.vdocuments.us/reader035/viewer/2022062314/568145fc550346895db307c5/html5/thumbnails/15.jpg)
Intensity variations along a specific row&column of the speckle pattern
![Page 16: Lecture8 – Physical One Way Functions (POWFs)](https://reader035.vdocuments.us/reader035/viewer/2022062314/568145fc550346895db307c5/html5/thumbnails/16.jpg)
Intensity variations along a specific row&column of the speckle pattern
The remaining variability is filtered by the Gabor transform!
![Page 17: Lecture8 – Physical One Way Functions (POWFs)](https://reader035.vdocuments.us/reader035/viewer/2022062314/568145fc550346895db307c5/html5/thumbnails/17.jpg)
The behavior of the POWF
• Randomness– For 576 keys, plot the probability of a bit set to 1– The average is ~0.5, indicating bitwise maximum
entropy code
![Page 18: Lecture8 – Physical One Way Functions (POWFs)](https://reader035.vdocuments.us/reader035/viewer/2022062314/568145fc550346895db307c5/html5/thumbnails/18.jpg)
The behavior of the POWF
• Like keys: keys with the same origin• Unlike keys: distinct origin
Unlike distributionN(0.5,1.07x10-3) ~233 independent Binomial trials~2233 distinct keys
Like dist.
![Page 19: Lecture8 – Physical One Way Functions (POWFs)](https://reader035.vdocuments.us/reader035/viewer/2022062314/568145fc550346895db307c5/html5/thumbnails/19.jpg)
Technical adjustment
• The overlap b/w like/unlike can be as small as desired, by reading each token from more than one angle – independent
• Demonstration – reading from pairs of angels were combined to form 4800-bit keys in a data set with 165,600/2=82,800 entries
• The resulting pdf has mean 0.5 and variance 5.42x10-4 = 461 effective variables
![Page 20: Lecture8 – Physical One Way Functions (POWFs)](https://reader035.vdocuments.us/reader035/viewer/2022062314/568145fc550346895db307c5/html5/thumbnails/20.jpg)
Authentication of the tokens
• Test each token and form a database• The minimum probability decision rule is to rejects
candidates when the prob that tokens are the same is less than or equal to the prob that tokens are different
• Using the rule, they reject a token’s authenticity if the keys are different by more than 0.41x2400=984 bits
• The prob of false alarm is 9.8x10-3, but can be made arbitrarily small
![Page 21: Lecture8 – Physical One Way Functions (POWFs)](https://reader035.vdocuments.us/reader035/viewer/2022062314/568145fc550346895db307c5/html5/thumbnails/21.jpg)
Test of tamper-resistance
• Intentional modification of the tokens• Drilling a small hole by no.75 drill (533m)• The keys produced before and after tampering
had a normalized Hamming dist of 0.46 – differing in ~ half of the bits
• Thus, we have the avalanche property• Protect the tokens from accidental damage
– Encapsulate in a scratch-resistant material– The Gabor transform can be tuned to reject speckle
features arising from surface scratches while preserving features originated from internals
![Page 22: Lecture8 – Physical One Way Functions (POWFs)](https://reader035.vdocuments.us/reader035/viewer/2022062314/568145fc550346895db307c5/html5/thumbnails/22.jpg)
Security concerns
1. Duplication (cloning) of the token
2. Reproduce behavior under arbitrary illumination
3. Emulate the patterns by a hologram or a diffractive optical element
Counter measure against the attacks: – The space of possible input illumination and
output keys is large!
![Page 23: Lecture8 – Physical One Way Functions (POWFs)](https://reader035.vdocuments.us/reader035/viewer/2022062314/568145fc550346895db307c5/html5/thumbnails/23.jpg)
1. Duplication (Cloning)
• By invasive microscopic probing or polishing or by noninvasive tomographic imaging
• Submicron changes in the scatter’s location would result in avalanche effect
• Cloning is hard to do, because of physical limitations
• E.g., arbitrary submicron devices with small feature sizes are possible to produce, but making a 3D MeMs structure ~5yrs process
![Page 24: Lecture8 – Physical One Way Functions (POWFs)](https://reader035.vdocuments.us/reader035/viewer/2022062314/568145fc550346895db307c5/html5/thumbnails/24.jpg)
2. Reproduction of behavior
• In the experiment here, changing =/(2L) = 4x10-5 rad will produce a totally independent speckle pattern
• Produces about 109 independent patterns in 1mm2
• For 100mm2, this will be 1011
• The number can be increased further by varying amplitude, phase and wavelength
![Page 25: Lecture8 – Physical One Way Functions (POWFs)](https://reader035.vdocuments.us/reader035/viewer/2022062314/568145fc550346895db307c5/html5/thumbnails/25.jpg)
Sensitivity of key as probed moved relative to the token
• Total of 2400-bit keys available from 100mm2 surface
![Page 26: Lecture8 – Physical One Way Functions (POWFs)](https://reader035.vdocuments.us/reader035/viewer/2022062314/568145fc550346895db307c5/html5/thumbnails/26.jpg)
3. Emulation by holograms
• Recording 1011 or more distinct patterns
• The incoherent superposition of patterns reduces the overall diffraction efficiency
• Alternatively, an adversary with access to the terminal may try the replay attack!
• The prohibitively large number of combinations possible counters this attack
![Page 27: Lecture8 – Physical One Way Functions (POWFs)](https://reader035.vdocuments.us/reader035/viewer/2022062314/568145fc550346895db307c5/html5/thumbnails/27.jpg)
Mesoscopic limits
• Photon passing thru performs random walk
• Step size is mean free path (l) and covers the distance l/N1/2 after N scatterings
• L=l(N)1/2, and N=(L/l)2, equals 625 steps!
• Each step requires ~1026 operations!!!
• The process of input-output could be used as a functional mapping!
![Page 28: Lecture8 – Physical One Way Functions (POWFs)](https://reader035.vdocuments.us/reader035/viewer/2022062314/568145fc550346895db307c5/html5/thumbnails/28.jpg)
Enrollment/verification
![Page 29: Lecture8 – Physical One Way Functions (POWFs)](https://reader035.vdocuments.us/reader035/viewer/2022062314/568145fc550346895db307c5/html5/thumbnails/29.jpg)
Protocol (Identification)
1. User: Puts card in reader and claims ID
2. Verifier: Select random C from CRP database and sends it to the User
3. User: Uses C, measures R, calculates S', sends S' to Verifier
4. Verifier: Checks if S equals S', removes C,S
![Page 30: Lecture8 – Physical One Way Functions (POWFs)](https://reader035.vdocuments.us/reader035/viewer/2022062314/568145fc550346895db307c5/html5/thumbnails/30.jpg)
Protocol (authentication)
1. User: Puts card in reader and claims ID
2. Verifier: Select random C from CRP database and sends it to the User together with nonce M
3. User: Uses C, measures R, calculates S', sends Ms'(m) to Verifier
4. Verifier: Checks if Ms'(m) equals Ms(m). If so then use S to encrypt/decrypt all further messages
![Page 31: Lecture8 – Physical One Way Functions (POWFs)](https://reader035.vdocuments.us/reader035/viewer/2022062314/568145fc550346895db307c5/html5/thumbnails/31.jpg)
Security discussions
• Ability to store all illumination-key pairs• Parameterization of the illumination by orientation,
location, and wavelength leads to an enormous address space
• Linear in the input degree of freedom, since independent illumination patterns add linearly
• The space can be exponentially large by using a nonlinear scattering medium that is excited with a two-photon process
• The number of patterns is exponential and can easily exceed technological and cosmological limits
![Page 32: Lecture8 – Physical One Way Functions (POWFs)](https://reader035.vdocuments.us/reader035/viewer/2022062314/568145fc550346895db307c5/html5/thumbnails/32.jpg)
POWF
• Can be embedded as a primitive in larger distributed cryptographic system
• The physical system can transform an enormous amount of information fast and with very low cost
• The security in the difficulty of recreating the microstructure of macroscopic objects down to atomic length scales
• Replaces cryptosystems based on number-theoretical conjectures with technological constraints that have no theoretical grounding
• The system presents practical challenges to adversaries• POWF expands where and how to protect information!