Lecture8 – Physical One Way Functions (POWFs)

Rice ELEC 528/ COMP 538

Farinaz Koushanfar

Spring 2009

Outline

• Definition

• Advantages

• Physical phenomena: coherent transport through disordered medium

• Authentication protocol based on Physical One-Way Functions (POWF)

• Invented by Pappu (MIT 2001)

Reading: “Physical One-Way Functions”, Ravikanth Pappu,* Ben Recht, Jason Taylor, Neil Gershenfeld. Science 20 September 2002:Vol. 297. no. 5589, pp. 2026 - 2030

Security

• Asymmetry b/w the information (secret)• One-way functions

– Easy to evaluate in one direction but hard to reverse in the other

– E.g., multiplying large prime number as opposed to factoring them

• One-way hash functions– Maps a variable length input to a fixed length output– Avalanche property: changing one bit in the input

alters nearly half of the output bits– Pre-image resistant, collision resistant

Challenges of algorithmic (mathematical) one-way functions

• Technological– Massive number of parallel devices broke DES– Reverse-engineering of secure processors

• Fundamental– There is no proof that attacks do not exist– E.g., quantum computers could factor two large prime

numbers in polynomial time

• Practical– Embedded systems applications

Solution -- POWF

• Use the chaotic physical structures that are hard to model instead of mathematical one-way functions!

• Physical One Way Functions (POWF)– Inexpensive to fabricate– Prohibitively difficult to duplicate– No compact mathematical representation– Intrinsically tamper-resistant

• Pappu proposed using coherent multiple scattering from the disordered media

Coherent multiple scattering from disordered medium

• Earlier work (before Pappu)– 2D and 3D inhomogeneous structures as unique

tokens difficult to forge – Coherent scattering has been used to detect

tampering of physical structures– Nobody has used the computations performed by the

physical probe– The use of physical mechanisms for cryptography is

well-known in the context of quantum computing– Unlike quantum cryptography, POWF can be utilized

over a classical communication channel

More about the physics of the phenomena

• Laser speckle fluctuations – sensitivity of scattering the coherent radiation

to the structure of the inhomogeneous media– The mesoscopic limit of scattering in 3D– Any changes in the microstructure of a

disordered medium cause an order unity change in its speckle patterns

The mesoscopic limit of scattering in 3D medium

• The mean free path b/w elastic collisions with scatterers (l) is much larger than the wavelength () of radiation

• The thickness of the structure (L) is much smaller than the coherence light of the probe

• A - The cross sectional area of a laser beam• Moving A/Ll scatterers would produce an

uncorrelated speckle patterns• Rotating the angle of the incident beam by

=/(2L)

One-way hash function

• Any changes in the microstructure of a disordered medium cause an order unity change in its speckle patterns

• Provides a fixed-length key that hashes the specifications of the 3D spatial distribution of the scatterers

How?

• What is a speckle pattern

• Changing the input

Experiment set-up by Pappu et al.

=632.8nm HeNe laser beam• Optical proxy tokens 10x10x2.5 mm3

• Contains glass spheres 500 to 800 m in diameter (~$0.01 cost)

• The density of speckle was chosen to give an average spacing on the order of ~100 m

• The spacing equals he photon mean free path in the limit of strong scattering applicable here

• The patterns recorded by 320x240 pixel charge-coupled device camera

• The tokens mechanically registered with inexpensive kinematic mount allowing submicron positional accuracy in 6D of freedom, providing repeatability of the registers

System description

• 3D structure hashed to produce a 2D image, filtered by a multi-scale Gabor transform to produce a 1D key

Gabor transform

• Represents the image density as a discrete multi-scale decomposition over oriented filter kernels with varying spatial frequencies

• The filter parameters selected to reject pixel-scale noise and ave image intensity variations

• The selected parameters render the key insensitive to mechanical misregistrations

• 1D (Gabor) and 2D (Dougman – showed that the filters are jointly optimal in providing the max possible resolution for info about orientation and spatial frequency content on local image simultaneous with its 2D location

System specifications

• A 1-cm3 cube has 1012 1-m cubic blocks of wavelength size, resulting in terabit structural information

• The 320x240 pixel image contains ~megabit of intensity information

• Gabor transform reduces this to 2400-bit key

Intensity variations along a specific row&column of the speckle pattern

Intensity variations along a specific row&column of the speckle pattern

The remaining variability is filtered by the Gabor transform!

The behavior of the POWF

• Randomness– For 576 keys, plot the probability of a bit set to 1– The average is ~0.5, indicating bitwise maximum

entropy code

The behavior of the POWF

• Like keys: keys with the same origin• Unlike keys: distinct origin

Unlike distributionN(0.5,1.07x10-3) ~233 independent Binomial trials~2233 distinct keys

Like dist.

Technical adjustment

• The overlap b/w like/unlike can be as small as desired, by reading each token from more than one angle – independent

• Demonstration – reading from pairs of angels were combined to form 4800-bit keys in a data set with 165,600/2=82,800 entries

• The resulting pdf has mean 0.5 and variance 5.42x10-4 = 461 effective variables

Authentication of the tokens

• Test each token and form a database• The minimum probability decision rule is to rejects

candidates when the prob that tokens are the same is less than or equal to the prob that tokens are different

• Using the rule, they reject a token’s authenticity if the keys are different by more than 0.41x2400=984 bits

• The prob of false alarm is 9.8x10-3, but can be made arbitrarily small

Test of tamper-resistance

• Intentional modification of the tokens• Drilling a small hole by no.75 drill (533m)• The keys produced before and after tampering

had a normalized Hamming dist of 0.46 – differing in ~ half of the bits

• Thus, we have the avalanche property• Protect the tokens from accidental damage

– Encapsulate in a scratch-resistant material– The Gabor transform can be tuned to reject speckle

features arising from surface scratches while preserving features originated from internals

Security concerns

1. Duplication (cloning) of the token

2. Reproduce behavior under arbitrary illumination

3. Emulate the patterns by a hologram or a diffractive optical element

Counter measure against the attacks: – The space of possible input illumination and

output keys is large!

1. Duplication (Cloning)

• By invasive microscopic probing or polishing or by noninvasive tomographic imaging

• Submicron changes in the scatter’s location would result in avalanche effect

• Cloning is hard to do, because of physical limitations

• E.g., arbitrary submicron devices with small feature sizes are possible to produce, but making a 3D MeMs structure ~5yrs process

2. Reproduction of behavior

• In the experiment here, changing =/(2L) = 4x10-5 rad will produce a totally independent speckle pattern

• Produces about 109 independent patterns in 1mm2

• For 100mm2, this will be 1011

• The number can be increased further by varying amplitude, phase and wavelength

Sensitivity of key as probed moved relative to the token

• Total of 2400-bit keys available from 100mm2 surface

3. Emulation by holograms

• Recording 1011 or more distinct patterns

• The incoherent superposition of patterns reduces the overall diffraction efficiency

• Alternatively, an adversary with access to the terminal may try the replay attack!

• The prohibitively large number of combinations possible counters this attack

Mesoscopic limits

• Photon passing thru performs random walk

• Step size is mean free path (l) and covers the distance l/N1/2 after N scatterings

• L=l(N)1/2, and N=(L/l)2, equals 625 steps!

• Each step requires ~1026 operations!!!

• The process of input-output could be used as a functional mapping!

Enrollment/verification

Protocol (Identification)

1. User: Puts card in reader and claims ID

2. Verifier: Select random C from CRP database and sends it to the User

3. User: Uses C, measures R, calculates S', sends S' to Verifier

4. Verifier: Checks if S equals S', removes C,S

Protocol (authentication)

1. User: Puts card in reader and claims ID

2. Verifier: Select random C from CRP database and sends it to the User together with nonce M

3. User: Uses C, measures R, calculates S', sends Ms'(m) to Verifier

4. Verifier: Checks if Ms'(m) equals Ms(m). If so then use S to encrypt/decrypt all further messages

Security discussions

• Ability to store all illumination-key pairs• Parameterization of the illumination by orientation,

location, and wavelength leads to an enormous address space

• Linear in the input degree of freedom, since independent illumination patterns add linearly

• The space can be exponentially large by using a nonlinear scattering medium that is excited with a two-photon process

• The number of patterns is exponential and can easily exceed technological and cosmological limits

POWF

• Can be embedded as a primitive in larger distributed cryptographic system

• The physical system can transform an enormous amount of information fast and with very low cost

• The security in the difficulty of recreating the microstructure of macroscopic objects down to atomic length scales

• Replaces cryptosystems based on number-theoretical conjectures with technological constraints that have no theoretical grounding

• The system presents practical challenges to adversaries• POWF expands where and how to protect information!