
A PUF-based provably secure message authentication algorithm and application (一种基于PUF的可证明安全消息认证算法及应用)

Cited by: 1
Abstract: A message authentication code (MAC) is a symmetric cryptographic algorithm that checks the integrity and origin of a message and is widely used in information systems of all kinds. However, when a device running a MAC algorithm is physically attacked, the attacker can recover the algorithm key by reading out memory or debugging the circuit, and can then generate valid tags, compromising the system. To address this, the paper proposes PUF-MAC, a MAC algorithm built from a physically unclonable function (PUF) and a hash function. A PUF is a data-mapping entity whose internal structure cannot be cloned and whose outputs cannot be predicted; the differences between the mappings realised by different PUF instances originate from tiny variations in the physical environment during manufacturing. The communicating parties can use the PUF to generate their shared key. In the standard model, the paper proves by reduction that PUF-MAC is existentially unforgeable under adaptive chosen-message attack (EUF-CMA), and that its EUF-CMA security rests on the weak collision resistance of the hash function and the EUF-CMA security of the PUF. Building on PUF-MAC, the paper also designs a key agreement scheme with forward and backward security and a mutual authentication protocol, demonstrating the practicality of the algorithm. Theoretical analysis shows that, compared with other MAC algorithms, PUF-MAC is lightweight in structure and simple to implement, and it does not require a large number of PUF responses to be stored in advance. Because of the PUF, an attacker who obtains the algorithm key still cannot generate a valid message authentication code, which preserves the security of the communication system.
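The abstract states the threat (the key is read out of a physically attacked device) and the property PUF-MAC claims (holding the key alone does not permit forgery), but as a database record it gives no construction details. The Python model below is added here for illustration and is not the paper's algorithm: it contrasts an ordinary key-only HMAC with a hypothetical PUF-bound tag so that the claimed property can be seen to hold. The PUF is simulated by a per-device random fingerprint that the model treats as unreadable and unclonable; the challenge derivation H(key || message), the tag HMAC(key, response || message), and the assumption that the verifier can evaluate the genuine device's PUF are all this example's own choices. Real PUF responses are noisy and need a fuzzy extractor or other error correction, which the model omits.

```python
"""Illustrative model of a PUF-bound MAC versus a plain key-only MAC.

Added example for this page; it is NOT the PUF-MAC construction from the
paper, whose details are not given here. The PUF is simulated by a secret
per-device fingerprint; a hardware PUF would be noisy and need error
correction before its response could be used like this.
"""
from __future__ import annotations

import hashlib
import hmac
import os


class SimulatedPUF:
    """Stand-in for a physically unclonable function.

    A real PUF derives its response from manufacturing variation; here that
    variation is a random 32-byte fingerprint drawn once per device. The
    fingerprint is kept apart from the device's stored key material to model
    the assumption that it cannot be read out or copied into another device.
    """

    def __init__(self, fingerprint: bytes | None = None) -> None:
        self._fingerprint = fingerprint if fingerprint is not None else os.urandom(32)

    def respond(self, challenge: bytes) -> bytes:
        # Deterministic in this model; hardware responses are noisy.
        return hashlib.sha256(b"PUF" + self._fingerprint + challenge).digest()


def plain_mac(key: bytes, message: bytes) -> bytes:
    """Ordinary key-only MAC (HMAC-SHA256): whoever holds `key` can forge."""
    return hmac.new(key, message, hashlib.sha256).digest()


def puf_bound_mac(puf: SimulatedPUF, key: bytes, message: bytes) -> bytes:
    """Tag that depends on both the shared key and the device's PUF.

    Hypothetical construction chosen for this example (not the paper's):
        c   = H(key || message)        -- challenge derived from the input
        r   = PUF(c)                   -- device-bound response
        tag = HMAC(key, r || message)
    An attacker who extracted `key` but cannot evaluate the PUF lacks r.
    """
    challenge = hashlib.sha256(key + message).digest()
    response = puf.respond(challenge)
    return hmac.new(key, response + message, hashlib.sha256).digest()


def verify(tag: bytes, expected: bytes) -> bool:
    """Constant-time tag comparison."""
    return hmac.compare_digest(tag, expected)


def key_extraction_scenario() -> dict[str, bool]:
    """Model the attack from the abstract: the device key is read out.

    Assumption of this model: the verifier can evaluate the genuine device's
    PUF (e.g. via a trusted reference). How PUF-MAC avoids storing response
    tables is not described on this page and is not modelled here.
    """
    key = os.urandom(32)            # shared symmetric key, later extracted
    device_puf = SimulatedPUF()     # genuine device silicon
    clone_puf = SimulatedPUF()      # attacker's clone: same key, different silicon
    message = b"open valve 7"       # constructed sample message

    # 1. Plain MAC: the extracted key alone yields an accepted forgery.
    forged_plain = plain_mac(key, message)
    plain_forgery_accepted = verify(forged_plain, plain_mac(key, message))

    # 2. PUF-bound MAC: the attacker has the key but not the device's PUF.
    genuine_tag = puf_bound_mac(device_puf, key, message)
    forged_puf = puf_bound_mac(clone_puf, key, message)
    puf_forgery_accepted = verify(forged_puf, genuine_tag)

    return {
        "plain_mac_forgery_accepted": plain_forgery_accepted,
        "puf_mac_forgery_accepted": puf_forgery_accepted,
        "genuine_puf_tag_accepted": verify(puf_bound_mac(device_puf, key, message), genuine_tag),
    }


if __name__ == "__main__":
    for name, accepted in key_extraction_scenario().items():
        print(f"{name}: {accepted}")
```

Running the script shows the plain-MAC forgery accepted and the PUF-bound forgery rejected while the genuine device's tag still verifies. The security-relevant point is the one the abstract makes: once the tag depends on an unclonable device component, the key stops being the single secret whose extraction defeats the scheme; what the model does not show is the paper's method for letting the two parties agree on PUF-derived material without a stored response table.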
Authors: Xiaolin ZHANG (张效林), Dawu GU (谷大武); School of Electronic Information and Electrical Engineering, Shanghai Jiao Tong University, Shanghai 200240, China
Source: Scientia Sinica (Informationis) (《中国科学:信息科学》), CSCD and Peking University core journal, 2022, No. 12, pp. 2336-2350 (15 pages)
Funding: National Natural Science Foundation of China (Grant No. 62072307)
Keywords: message authentication code (MAC); key management; physically unclonable function (PUF); identity authentication