A Novel Forward-Secure Key Establishment Protocol from Physically Related Functions

In this section, we show that our protocol is forward secure according to the standard AKE models, namely Canetti-Krawczyk model [2] and extended Canetti-Krawczyk model [1].

AKE Model for PReF Network. The model assumes that all devices 𝒟₁, …, 𝒟_T and the adversary 𝒜 run as Probabilistic Polynomial Time (PPT) algorithms. The adversary 𝒜 is capable of initiating multiple instances of the protocol between any pair of devices (𝒟_i, 𝒟_j), with each instance identified as a session. Every session is attributed by a unique nonce or session identifier TS, preventing the adversary from reusing the same nonce to start multiple sessions. During the experiment, 𝒜 can issue the following oracle queries:

Key Reveal (TS): This query outputs the session key and nonce TS

Output Reveal (x∈Xi,j′)\left( {x \in {\cal X}_{i,j}^\prime } \right): The output of the functions embedded in 𝒟_i or 𝒟_j is revealed through this query. Whenever an adversary issues this query with input x, the respective devices that reveals the corresponding long-term secret y are said to be corrupt. Note that this query is analogous to the long-term key reveal query defined in the eCk model [1].

Ephemeral Key Reveal (TS): This query outputs ephemeral key of the session identified by TS.

Test (TS): This query is made only once during the entire experiment. Whenever this query is issued, the challenger chooses a bit b ∈ {0, 1} and reveals either the session key of the session with TS or a uniformly random key.

The adversary uses the above queries to establish a second session with the same key as the targeted session. The adversary is permitted to issue the test query only on a fresh session that meets the following conditions:

• 𝒜 does not issue Key Reveal query for the test session.

• Whenever 𝒜 issues ephemeral key reveal query, then it is not allowed to issue output reveal query for the corresponding pair of devices.

• Whenever 𝒜 issues output reveal query for the devices, then it is not allowed to issue ephemeral key reveal query for the same pair of devices.

After issuing a test query on the fresh session, the adversary's goal is to distinguish the session key from a random key. Consequently, the adversary wins the experiment only when it distinguishes the session key from a random key with a non-negligible probability.

Pseudorandomness. Let 𝒞 represents a PPT algorithm embedded with the function f_i. 𝒞 selects b ∈ {0, 1} at random and computes y_i = E(r) + y_i, + k, for a PReF input x∈Xi,j′x \in {\cal X}_{i,j}^\prime and a random r ∈ {0, 1}ⁿ. Whenever b is 0, it sets y_i = f_i(x) and k = k_1,2. Otherwise, it sets y_i = s and k = k′ where s and k′ are chosen at random from {0, 1}ⁿ.

Let ε(λ) be a non-negligible function and 𝒟 be the PPT distinguisher having non-negligible advantage of distinguishing the output E(r) + f_i (x) + k _1,2 from E(r) + s + k′. That is, for all r ∈ {0, 1}ⁿ and s ∈ {0, 1}ⁿ, the advantage of 𝒟 is | Pr[ D(E(r)+fi(x)+k1,2)=1 ]−Pr[ D(E(r)+s+k′)=1 ] |=ε(λ).\left| {\Pr \left[ {{\cal D}\left( {E(r) + {f_i}(x) + {k_{1,2}}} \right) = 1} \right] - \Pr \left[ {{\cal D}\left( {E(r) + s + {k^\prime }} \right) = 1} \right]} \right| = \varepsilon (\lambda ).

Now we show that there exist a PPT algorithm 𝒜 against the pseudorandomness of the function f_i that uses 𝒟 to win the pseudorandom experiment against the challenger as follows:

• Whenever an input 1^λ is received from the challenger, the adversary 𝒜 submits x ∈ 𝒳′_i,j

• Upon receiving the response x from 𝒜, the challenger selects b ∈ {0, 1} and assigns y_i = f_i(x) and k = k_1,2 if b = 0. Otherwise it sets y_i = s and k = k′ for a random s and k′ chosen from {0, 1}ⁿ.

• After receiving y_i from the challenger, 𝒜 simulates the algorithm 𝒞 to distinguisher 𝒟. Finally 𝒜 sets the output b′ = 0 if 𝒟 outputs 0. Otherwise b′ is set to 1.

Clearly the adversary 𝒜 wins the challenger with a non-negligible advantage ε(λ) as the distinguisher 𝒟 wins the challenge with the advantage ε(λ) which is a contradiction to the definition of Pseudorandomnes of f_i. Thus any distinguisher against 𝒞 can distinguish E(r) + f_i(x) + k_1,2 from E(r) + s + k′ only with negligible advantage.

AKE Proof. Assume that there exists a PPT adversary 𝒜 against our AKE protocol in Figure 2. In the AKE experiment, the aim of an adversary is to distinguish between the session key of the test session and a random key.

Consider an event E₁ where an adversary tries to establish a second session with the same session key computed in the target session and then wins the experiment by issuing a session key reveal query to the second session. We now analyze the probability of event E₁ occurring. According to the AKE experiment definition, the adversary is not allowed to use the same nonce to initiate multiple sessions TS, although they can choose the same input x for both sessions. Let the session key for the target session be r and for the second session be m. The only way the adversary can replace m with r is by determining the unknowns k_1,2 and y_i from A and making the checksum B = ℋ(r∥TS∥𝒟₁∥𝒟₂∥x) valid. However, this is negligible under the assumption that the hash function ℋ is collision-resistant.

Recall that a test query is issued against a fresh session where the adversary is allowed to issue either the ephemeral key reveal query or the output reveal query. Now define an event E₂ where an adversary tries to distinguish the target session key from a random key after obtaining secret information used in the target session through the following queries:

• Case 1. The adversary 𝒜 issues only the ephemeral key reveal query for the session it targets. The adversary obtains the random value k_1,2 used in the session. The adversary having k_1,2 and x has to compute r from A which is sent public. 𝒜 cannot distinguish E(r) + f_i(x) + k_1,2 from E(r) + s + k_1,2 for a random s as the PReF functions are pseudorandom. On the other hand, 𝒜 cannot recover r from B = ℋ(r∥TS∥𝒟₁∥𝒟₂∥x) since ℋ is modelled as a random oracle and r is chosen uniformly at random. From the above arguments, it is clear that 𝒜 can forge the session only with negligible probability even if the ephemeral key is revealed.

• Case 2. Now consider the case where an adversary 𝒜 issues the output reveal query (x) on the target session to obtain f_i(x). Then the adversary is not allowed by definition to use the same x for a new session. The adversary is unable find the session key r from A and f_i(x) without knowing k_1,2. Thus the adversary is successful in forging the session key of the target session only with negligible probability. In particular, it is clear that the above argument holds when the adversary tries to compute session keys of the completed session. In the case of completed sessions, the adversary could not retrieve k_1,2 of the particular session as they are updated at the end of each session and hence the session key r. With this, we claim that our AKE protocol is forward secure.

This section compares our protocol with existing (PUF based) AKE protocols in terms of computational cost and forward secrecy property. In particular, the computation cost is calculated by referring the work of Shahidinejad and Abawajy [13] where the authors reported the execution time of algorithms listed in Table 1 and Table 2 in both the Intel and ARM processors.

This section intends to describe the main difference between PReFs and PUFs as the former requires additional assumptions to be realised in hardware. The main objective of PReF is to set randomised functionalities in hardware [8] similar to strong PUF. Contrary to the design of PUF where the similarity in responses of a PUF pair for an entire input space is expected to be unpredictable/uncorrelated, PReF is defined to exhibit its usage on correlated responses for specific values in the input space. This in turn, makes PReFs a predominant function to design efficient AKE protocols as PUF-based AKE protocols need additional assumptions such as the existence of secure channels and/or a trusted third party. On the other hand, it is more challenging to design PReFs compared to PUFs as they rely on :(a) internal devices knowledge to generate related input/output pairs during the setup phase and (b) avoiding the exposure of related input/output pairs to an adversary only having black-box access to the devices [9].

A.1 Notations and Definitions

Denote the security parameter by λ ∈ ℕ. The following definitions are reproduced from [9].

Ideal PReF pairs. Let f_A and f_B be the pair of functions with input and output space 𝒳 and 𝒴 respectively. We call f_A and f_B be the related function pair whenever the output behaviour of f_A and f_B are identical for a specific input from 𝒳. Those inputs form a subset 𝒳_A,B ⊆ 𝒳. Note that the output behaviours of f_A and f_B are uncorrelated for inputs outside of the subset 𝒳_A,B. More formally, it should be difficult for a computationally bounded adversary to correctly guess the output of f_B(x) and f_A(x) for a given input x ⊈ 𝒳_A,B with a probability much better than the random guess.

To realise PReF pairs in the real world using hardware characteristics, the outputs of PReFs pairs are allowed to be non-identical but related via a distance function as in the following definition.

Related Function (ReF). For a family of functions ℱ = {f_i : 𝒳 → 𝒴} and arbitrary sets 𝒳 and 𝒴, assume that there is a well-defined distance function dist: 𝒴 × 𝒴 → ℕ over a pair of elements in 𝒴. Then, each pair (f, f_j) ∈ ℱ × ℱ is defined as (ε, δ) – related for constants ε ∈ (0,1] and δ ∈ ℕ, whenever there exists a set of inputs 𝒳_{i, j} ⊆ 𝒳 that satisfies the following conditions:

• |𝒳_i,j| ≥ ε|𝒳|

• For any input x ∈ 𝒳_{i, j}, dist[f_i, f_j] ≤ δ.

Reconciliation. The major goal of an AKE protocol is to enable the parties to establish a common secret. In order to design AKE using ReFs, reconciliation to a common secret from the respective parties outputs (evaluated on the same input) has to be achieved. That is, for each ReF pair (f_i, f_j) with related input x and an appropriate δ, there must exist an error correcting code scheme such that: dist[fi(x),fj(x)]≤δ⇔Decode(fi(x))=Decode(fj(x)){\mathop{\rm dist}\nolimits} \left[ {{f_i}(x),{f_j}(x)} \right] \le \delta \Leftrightarrow {\mathop{\rm Decode}\nolimits} \left( {{{\rm{f}}_{\rm{i}}}({\rm{x}})} \right) = {\mathop{\rm Decode}\nolimits} \left( {{{\rm{f}}_{\rm{j}}}({\rm{x}})} \right)

It is evident that such a reconciliation can be achieved easily using well established information-theoretic techniques such as error-correcting codes (ECC) [11].

Error-Correction Code (ECC). [9] Let (E, D) be the encoding and decoding algorithms of an (n, k,δ) linear error correction code. Then, D(E(a)+e)=a;E(a)+E(b)=E(a+b)D(E(a) + e) = a;\quad E(a) + E(b) = E(a + b) where a, bE(a), E(b) ∈ {0, 1}^k and Hamming weight(e) ≤ δ.

Pseudo-randomness of ReF. Let f_i ∈ ℱ, 0 ≤ i ≤ n be the functions that are (ε, δ) related on the respective input sets 𝒳_i ⊆ 𝒳, 1 ≤ i ≤ n. Let 𝒜 be a probabilistic polynomial time (PPT) algorithm with oracle access to f_i, 0 ≤ i ≤ n. For an input x ∈ 𝒳 and b ∈ {0, 1}, define the event E_𝒜,x,b(λ) : EA,x,b(λ):Af0(.),f1(.),…,fn(.)(1λ,x,yb)=b{{\rm{E}}_{{\cal A},x,b}}(\lambda ):{{\cal A}^{{f_0}(.),{f_1}(.), \ldots ,{f_n}(.)}}\left( {{1^\lambda },x,{y_b}} \right) = b where y_b satisfies the following:

• dist(y_b, f₀(x)) ≤ δ whenever b = 0

• uniformly random from 𝒴 whenever b = 1

and 𝒜 is not allowed to issue a query of the form f₀(x) and f_i(x), 1 ≤ i ≤ n for x ∈ 𝒳_i. The function f₀ is pseudo-random whenever any input x ∈ 𝒳 satisfies the above conditions. Then, for any such PPT algorithm 𝒜, | Pr[ EA,x,0(λ) ]−Pr[ EA,x,1(λ) ] |≤negl(λ).\left| {\Pr \left[ {{{\rm{E}}_{{\cal A},x,0}}(\lambda )} \right] - \Pr \left[ {{{\rm{E}}_{{\cal A},x,1}}(\lambda )} \right]} \right| \le {\mathop{\rm negl}\nolimits} (\lambda ).

In the following definition, a ReF graph is defined as a collection of ReF where each ReF pair related over a unique set of inputs satisfies the property of reconciliation and pseudo-randomness.

ReF Graph. Assume ℱ = {f_i: 𝒳 → 𝒴} to be a family of functions for the arbitrary sets 𝒳 and 𝒴. Then, a set of T functions f₁, …, f_T ∈ ℱ represents a (T, ε, ε′, δ) – ReF graph for ε′ ∈ (0, ε] whenever the following holds for each i, j ∈ [T]:

• (f_i, f_j) is (ε,δ) related

• f_i is pseudorandom

• a unique subset of inputs 𝒳′_i,j exists with size at least ε′|𝒳| for f_i and f_j.

Let D be a hardware device manufactured to physically realise the same input-output behaviour of the boolean function f. Then D is referred as reliable embodiment of function f.

Reliable Embodiment. D is a reliable physical embodiment of a function f: 𝒳 → 𝒴 if: Pr[D(x)≠f(x)]≤neg∣(λ)\Pr [{\bf{D}}(x) \ne f(x)] \le {\mathop{\rm neg}\nolimits} \mid (\lambda ) for all x ∈ 𝒳 and the probability is defined on multiple calls to the device D.

Physically Related Function(PReF). A device pair (D_i, D_j) represent an (ε, δ) – physically related function, if it reliably embodies an (ε,δ) pair (f_i, f_j).

PReF Network. A set of devices D₁, …, D_T represent a (T, ε, ε′, δ) – PReF network whenever every device D_i reliably embodies a function f_i in a way that the corresponding collection of functions f₁, …, f_T ∈ ℱ in turn represent a (T, ε, ε′,δ) – ReF graph.

Chatterjee et al. introduced a basic two party based key exchange protocol meant to establish secure communication by avoiding the use of traditional cryptographic assumptions.

System model for Static PReF Network. Let ℱ = {f_i: 𝒳 → 𝒴} be a family of functions, where 𝒳 = {0, 1}^m and 𝒴 = {0, 1}ⁿ are arbitrary sets. Let Alice and Bob be two parties that physically implement f₁ and f₂ using their respective hardware devices D₁ and D₂. Assume that there exist a trusted party (e.g., a manufacturer) which is semi-honest and does the following before the deployment of devices D_i, i = 1, …, T in the static PReF network with the corresponding functions f_i, i = 1, …, T : (a) A (T, ε,ε′, δ) – ReF graph represented by the functions (f₁, f₂, …, f_T) ∈ ℱ is constructed where each f_i is embodied to the corresponding device D_i, i = 1, …, T. (b) It also publishes the related input set 𝒳_{i, j} for the corresponding devices D_i and D_j on a public loud/ledger. The parties D₁ and D₂ communicate on an input x from a publicly available related input set 𝒳_1,2 and compute the output y using their respective PReFs f₁ and f₂. Note that an adversary with f₀ cannot predict the value y even if it shares PReF pairs 𝒳_1,0 and 𝒳_2,0 as X1,2∩X1,0=X1,2∩X2,0=ϕ.{{\cal X}_{1,2}} \cap {{\cal X}_{1,0}} = {{\cal X}_{1,2}} \cap {{\cal X}_{2,0}} = \phi .

Chatterjee et al.'s Basic Key Exchange from PReFs. The basic key exchange protocol using PReF in Figure 4 is executed to establish a session key between two parties D₁ and D₂ where the party D₁ initiates the session as follows: D₁ selects x at random from the input set 𝒳_1,2 and then computes y₁ from x using f₁. Then D₁ computes A using y₁ and random r and sends (A,x) to D₂. Upon receiving (A,x), D₂ first finds y₂ as f₂(x) and then obtains r using A and y₂. Finally the session key is set as r. Note that the protocol makes use of only physically related function (existence of PUF) and linear Error correcting codes as per Definition A.1 to establish the session key between two parties in one round of communication. The protocol does not require secure storage contrary to the requirement of the scheme proposed in [32] that: (1) uses fuzzy extractors for correcting the noisy response and then match it with the response stored in a server and (2) is vulnerable to attacks as described in [12]. To avoid the possibility of such security vulnerabilities, the protocol in Figure 4 uses BCH-based error correction to reconcile the outputs of PReF from both the devices and then engage in fixation of session key. However the protocol in Figure 4 is secure only against passive adversaries.

Figure 4.

Basic Key Exchange from PReFs [9]

Upgraded AKE. To achieve security against replay, impersonation and integrity attacks, the basic protocol in Figure 4 is proposed as depicted in Figure 5 by incorporating a collision-resistant hash function ℋ : {0, 1 }* → {0, 1}ⁿ. Note that it is computationally infeasible to sample TS′ ≠ TS and r ≠ r′ such that ℋ(r∥TS∥𝒟₁∥𝒟₂) = ℋ(r′∥TS′∥𝒟₁∥𝒟₂). Thus with the minimal addition to the basic PReF protocol, the upgraded protocol achieves the security guarantees of [33–35].

Figure 5.

Upgraded AKE protocol using PReFs [9]

Chatterjee et al. [9] pointed out that the upgraded protocol depicted in Figure 5 does not achieve forward secrecy as x values are sent in clear. The adversary having black box access to the PReF oracle f_o that provides the output y = f_o(x) whenever x is given, will learn the session key of the particular session using A. Also, the protocol restricts usage of x more than once as the adversary learns sum of two session keys r + s whenever the same x is used in two sessions with different random values r and s.

Forward Secure AKE. In order to achieve forward secrecy, Chatterjee et al. [9] proposed to incorporate elliptic curve Diffie–Hellman based protocol to compute session keys using the ephemeral values α and β. The protocol is illustrated in Figure 6.

Figure 6.

Forward Secure AKE protocol using PReFs [9]