Identification for the Internet of Things

Summary of the project

The project "IDentification for the Internet Of Things" is a cooperation between TU Eindhoven, INRIA (France) and the University of Geneva. The topic is privacy-preserving algorithms for authentication and identification of huge numbers of low-power devices. The Internet of Things (IoT) will contain a huge number of devices and objects that have very low or nonexistent processing and communication resources, coupled to a small number of high-power devices. The weakest devices, which are most ubiquitous, will not be able to authenticate themselves using cryptographic methods. Other important tasks in the IoT will be to verify if an object is authentic, or to identify an object. Our plan is to address these issues using Physical Unclonable Functions (PUFs). PUFs, and especially Quantum Readout PUFs, are ideally suited to the IoT setting because they allow for the authentication and identification of physical objects without requiring any crypto or storage of secret information. Furthermore, we foresee that back-end systems will not be able to provide security and privacy via cryptographic primitives due to the sheer number of IoT devices. Our plan is to address these problems using privacy-preserving database structures and algorithms with good scaling behaviour. Approximate Nearest Neighbour (ANN) search algorithms, which have remarkably good scaling behaviour, have recently become highly efficient, but do not yet have the right security properties and have not yet been applied to PUF data. Summarised in a nutshell, the project aims to improve the theory and practice of tech- nologies such as PUFs and ANN search in the context of generic IoT authentication and identification scenarios.

Goals

The advent of the Internet of Things (IoT) will exacerbate existing security problems by adding large numbers of extra devices, and introduce new problems by creating use scenarios that involve low-resource devices. The ubiquitous presence of sensor-equipped devices close to (and attached to) people will cause a major privacy threat unless constraints on data communication and storage are strictly enforced. To make things worse, even a well designed privacy-preserving system can fail due to security breaches. Our aim is to provide IoT schemes that are secure and privacy-preserving even given all these threats. In our view this aim has to be achieved through a combination of information-theoretic and physics-based techniques. As IoT devices are low-resource, advanced cryptographic techniques will not work; the alternative is to organize communication and storage in such a way that a breach does not expose useful information. Furthermore, in the absence of cryptography one can authenticate devices only based on physical properties such as Physical Unclonable Functions (PUFs) [1,2]. Our global objective is to capture the essence of the most powerful state-of-the-art techniques in information-theoretic and physics-based security, and from this generate a general security and privacy toolbox for the IoT. We will address a number of generic scenarios that will play a role no matter how the IoT develops in the future.

The handling of PUF data captured by IoT sensors, in particular for authentication and identification purposes. The main objectives are (i) having information-theoretic guarantees on security and user privacy while allowing for efficient authentication as well as fast searching in identification databases; (ii) simplifying the signal processing to the point where IoT devices can perform the bulk of the necessary tasks.
Privacy-preserving databases with good scaling behaviour. While back-end systems (Clouds) have lots of storage and computation power, they can be overwhelmed by the sheer number of IoT devices, especially if privacy is protected using cryptography. The objective is to develop database architectures and protocols that achieve privacy and scalability. This precludes any use of advanced cryptographic schemes which process data in the encrypted domain. We are convinced that relevance to IoT implies investigating the trade-off between security and scalability. Today advanced cryptography offers extreme security levels which are not needed in IoT and not deployable because they are unable to handle large numbers of devices. On the other hand, approximate nearest neighbours search algorithms are now extremely powerful for indexing very large databases. Their remarkable scalability would be well suited for use in the IoT. However, security and privacy are ignored by this community.
Mass deployment of Quantum-Readout PUFs (QRPUFs) a.k.a. Quantum-Secure Authentication (QSA). QSA combines the best of traditional PUFs with quantum-security. QSA guarantees unconditional security against spoofing attacks and thereby provides the highest possible level of security in object authentication. QSA operates without storing any secrets, making it ideal for the IoT. Our objective is to realize QSA's full potential and turn it into a cheap ubiquitous tool. For mass deployment to become practical we will need to develop new protocols and search algorithms.
Group membership verification. This is an example of new functionalities related to, but different from, authentication and identification. It aims at convincing the Cloud that the PUF data captured by a sensor matches one of the previously enrolled PUFs of a given group. The enrolled PUFs of a group are aggregated into one unique compact representation. The Cloud should neither identify the match inside the group, nor estimate any enrolled PUF from the group representation.

This proposal is built on the belief that PUFs will play an important role in IoT. It aims at making PUF technologies more practical. We do not address the physical and engineering problems (they will be solved by others) but the protocols that will enable authentication, identification, and group membership verification.

Progress

Measurements on optical PUFs are now publicly available, see Data. Two papers have been written, see publications.