PUF-RAKE: A PUF-Based Robust and Lightweight Authentication and Key Establishment Protocol

Abstract

Physically unclonable functions (PUFs) bind a device's identity to its physical hardware and thus, can be employed for device identification, authentication and cryptographic key generation. However, PUFs are susceptible to modeling attacks if a number of PUFs’ challenge-response pairs (CRPs) are exposed to the adversary. Furthermore, many of the embedded devices requiring authentication and inter-device communication in a real-time environment/system have stringent resource and low latency requirements, and thus require a lightweight authentication and key establishment mechanism to quickly realize an authenticated and secure connection. We propose PUF-RAKE, a PUF-based lightweight, highly reliable authentication and key establishment scheme. The proposed scheme enhances the reliability of PUF as well as alleviates the resource constraints by employing error correction in the server instead of the device as well as removing cryptographic hashing required by earlier PUF-based protocols. The proposed PUF-RAKE is robust against masquerade, brute force, replay, and modeling attacks. In PUF-RAKE, we introduce an inexpensive yet secure stream authentication scheme inside the device which authenticates the server before the underlying PUF can be invoked. This prevents an adversary from brute forcing the device's PUF to acquire CRPs essentially locking out the device from unauthorized model generation. Additionally, we also introduce a lightweight CRP obfuscation mechanism involving XOR and shuffle operations. The security of PUF-RAKE has been formally verified. A prototype of the protocol has been implemented on two Xilinx Zynq 7000 system-on-chips with one present on Xilinx zc706 evaluation board and the other present on the Avnet Zedboard. Observations, security analysis and results verify that the PUF-RAKE is secure against a probabilistic polynomial time adversary under both the unauthenticated link and authenticated link adversarial models while providing ∼99% reliable authentication. In addition, PUF-RAKE provides a reduction of 60 and 72 percent for look-up tables (LUTs) and register count, respectively, in the programmable logic (PL) part of the Zynq 7000 as compared to a recently proposed approach while providing additional advantages.