Professional Documents
Culture Documents
SEMINAR REPORT
Submitted by
JERIN T VARGHESE
SJC19CS056
to
the APJ Abdul Kalam Technological University
in partial fulfillment of the requirements for the award of the degree
of
Bachelor of Technology
in
Computer Science and Engineering
CERTIFICATE
This is to certify that the seminar report entitled “ BLOCKCHAIN BASED AU-
THENTICATION FOR IIOT DEVICES WITH PUF ” submitted by JERIN T
VARGHESE SJC19CS056 to the APJ Abdul Kalam Technological University in par-
tial fulfillment of the requirements for the award of the Degree of Bachelor of Technology
in Computer Science and Engineering is a bonafide report of the seminar presented by
him under my guidance and supervision.
With the continuous development of edge computing and IIoT technology, there are grow-
ing types of IIoT devices, and the number of such devices is continuously climbing. It is
indispensable to authenticate devices in the IIoT environment. There are two blockchain-
based authentication for IIoT devices with PUF. The first one relies on SRAM PUF,
which is highly compatible with physical devices and has low cost. For the second one,
this utilize the property of Arbiter PUF that it is difficult to physically clone but easy
to be cloned mathematically to build the PUF models for authentication and protect ed
CRPs used for model training from leakage, and prevent PUF from being modeled twice.
We formalize the security properties, and proved that the proposal is secure. Besides,
the proposal achieves scalability, which means that the entities involved in the scheme
authenticate the devices instead of storing amounts of CRPs.
Contents
Contents
Abstract iii
List of Figures vi
Abbreviations vii
1 Introduction 1
2 Realted Works 5
2.1 Cryptography-based device authentication . . . . . . . . . . . . . . . . . . 5
2.2 Blockchain-based device authentication . . . . . . . . . . . . . . . . . . . . 6
2.3 PUF-based device authentication . . . . . . . . . . . . . . . . . . . . . . . 6
3 Preliminaries 7
3.1 Blockchain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
3.2 PUF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
3.3 Digital signature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
4 System model 12
4.1 System Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
5 Concrete Scheme 14
5.1 Blockchain-based IIoT devices authentication scheme with SRAM PUF . . 14
5.1.1 Registration phase . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
5.1.2 Authentication phase . . . . . . . . . . . . . . . . . . . . . . . . . . 14
5.2 Blockchain-based IIoT devices authentication scheme with APUF . . . . . 15
5.2.1 Registration phase . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Department of Computer Science and Engineering, SJCET Palai iv
Contents
6 Security analysis 18
6.1 Response unforgeability . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
6.2 Modeling resistance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
6.3 Collusion resistance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
7 Performance analysis 20
7.1 Comparison with existing schemes . . . . . . . . . . . . . . . . . . . . . . . 20
7.2 PUF modeling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
7.3 Smart contract . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
8 Conclusion 24
References 25
Annexure A
v
List of Figures
List of Figures
Abbreviations
BLS Boneh-Lynn-Shacham
Chapter 1
Introduction
The Internet of Things (IoT) and mobile terminal technologies have developed steadily
in recent years, and centralized computing entities, such as cloud computing, have been
gradually decentralized to enhance the reliability of system. The centralized computing
entities are vulnerable to distributed denial-of-service (DDoS) attacks and the risk of sin-
gle point of failure. Moreover, the centralized computing entity in a system is under the
great pressure of computation and storage. The advent of edge computing relieves this
pressure. The idea of edge computing is to move some storage and computing resources
away from the central data center and closer to the data source. Since the advent of
industry 4.0, edge computing technology has become very popular in the Industrial Inter-
net of Things (IIoT). The data collected by devices is pre-processed at the edge first, and
then transmitted it to the central server for management and storage, which can greatly
improve the efficiency and reliability of system.
With the rapid development of the world economy and the continuous expansion of indus-
trial production scale, industrial control and automation technologies have been gradually
upgraded, and the control methods of industrial systems have become more complex. The
security of industrial device constrains the security of the entire IToT system, and the
reliability of the device determines the security of the data source. In addition, with
the development of IIoT technology, more and more types of devices have been emerged.
Industrial control devices exist everywhere around us, which makes our lives smarter and
more convenient. The improvement of machine learning, edge computing and Internet ,
and computer systems has further promoted the progress of the IIoT. The advancement
of IIoT benefits several fields, like industrial Internet, smart city, intelligent transporta-
tion, wisdom medical, intelligent agriculture, smart grid, and intelligent logistics, etc. In
the industrial Internet setting, amounts of tasks such as temperature detection, humidity
control, pressure monitoring, etc. could be tested and realized by sensors without manual
intervention, where some of these tasks are risky and some environments are not suitable
for people. For instance, the temperature sensor detects that the current indoor tempera-
ture of workshop is higher than 86 degrees Fahrenheit, then the intelligent air conditioner
is automatically turned on to cool down.
According to IDC’s prediction, there will be more than 41 billion connected IoT de-
vices generating more than 79 megabytes of data by 2025.1 Nevertheless, authentication
of these IoT devices turns into a challenging issue in the rapid development of IoT tech-
nology. Just imagine if the IoT devices are not authenticated in a secure manner, the
consequences could be horrible. The devices that are not authenticated will bring more
serious and irreversible consequences in an industrial environment. If an unauthorized
2
Chapter 1. Introduction
smart door lock system is used in the factory or workstation, the adversary may launch
an impersonation attack, putting the property safety and even the safety of personnel at
risk. If the unauthorized sensors are used in the industrial environment, the attack may
pretend to be a sensor and send fake data to the data center, which may lead to serious
consequences, even explosion or the formation of corrosive materials. It is essential to
authenticate IIoT devices before it is put into use.
With the gradual development of blockchain technology and the actual deployment of
multi-field applications based on blockchain technology, it is a common practice to use
blockchain to manage devices in the industrial Internet environment. The storage of
industrial data on blockchain can accelerate the efficient flow of industrial Internet sys-
tems, and make data management decentralized, which enhances the reliability of data
in the entire industrial system. While, the authentication process for industrial device
of blockchain network data management is easily ignored.There are various device au-
thentication methods proposed to solve the problem. Whereas, most of them are based
on a centralized organization, such as some enterprises. Although some systems utilize
the unified authentication methods, they have to authenticate via operators. While, the
disadvantages of the centralized authentication methods are obvious. For instance, once
the centralized enterprise or operator break down, the connected IIoT devices will be
unavailable, even the system cannot work properly. Thus, it is a research challenge to
authenticate IIoT devices in a decentralized manner.
Physical Unclonable Function (PUF) based authentication method comes into the view
of researchers gradually owing to the natural compatibility of PUF and the IIoT de-
vices. PUF is an emerging hardware security primitive [12–18], which can be regarded
as a kind of “digital fingerprint”. PUF relies on tiny manufacturing differences, which
leads to inconsistencies in devices. That is, two (or more) devices with exactly the same
design will actually have different electrical performance parameters. The difference in
electrical performance parameters could neither be predicted nor estimated by optical
or SEM observations. PUF is lightweight, sensitive to physical tampering, and does not
require non-volatile memory (NVM). It has been used in intellectual property protection,
3
Chapter 1. Introduction
hardware security, and equipment security certification, etc. this employ the techniques
of blockchain, pseudorandom permutation, physical unclonable functions, and machine
learning to construct a decentralized authentication scheme for IIoT devices with PUF,
which solves the issues of single point of failure, tamper attack, forgery attack, man-in-
the-middle attack, replay attack, modeling attack, and sybil attack, etc. This utilize the
feature of Arbiter PUF (APUF) that it is difficult to physically clone but easy to be
cloned mathematically to build the PUF models for device authentication. Besides, in
order to prevent the PUF from modeling twice and protect the CRP information from
leakage. This proposal achieves response unforgeability, modeling resistance, and collusion
resistance. Moreover, our proposal achieves scalability.
4
Chapter 2. Realted Works
Chapter 2
Realted Works
6
Chapter 3. Preliminaries
Chapter 3
Preliminaries
3.1 Blockchain
As the backbone technology of cryptocurrencies, blockchain is developing rapidly since it
has been introduced, which has been applied to several fields. Essentially, blockchain is
a distributed public ledger and database, which has the features of decentralization, non-
tampering, collective maintenance, transparency. These appealing features take advan-
tages of the underlying technologies of cryptography, network communication protocols,
and distributed consistency protocols, etc., which lies the foundation of the trust on the
blockchain. The blockchain system consists of 6 layers, namely, data layer, network layer,
consensus layer, incentive layer, contract layer and application layer. Specifically, the data
layer stores some basic data information, such as timestamp, hash values, Merkle tree, etc.
The network layer contains distributed networking mechanism, data dissemination mech-
anism, data verification mechanism, etc. The consensus layer encapsulates the consensus
algorithm that determines the method of generating a new block, which is related to the
security and reliability of the entire system. At present, the well-known consensus mecha-
nisms include Proof of work (PoW), Byzantine Fault-Tolerant (BFT) consensus, Proof of
Stake (PoS), etc [50]. The incentive layer determines the incentive mechanisms and issue
mechanisms for miners. The contract layer encapsulates the script codes, algorithms and
smart contracts in the blockchain system, which helps the blockchain system to process
data flexibly. The application layer mainly contains various application scenarios and
cases on the blockchain.
3.2 PUF
PUF is a physical entity, which relies on the small difference caused by transistors or the
connections between components during hardware manufacture. The difference could be
extracted as digital signal, which forms the unique unpredictable fingerprint of a chip.
The working mechanism of PUF could be represented as a function
where c is a challenge and the output r is called response. For a PUF circuit, it generates
a specific response r only when it was input a challenge c, which is called a challenge-
response pair (CRP). The definition of CRP is first presented by Pappu et al. . Since
the PUF is embedded in the IIoT device, the CRPs can only be obtained by accessing
to the hardware device, which is not feasible in some cases. PUFs are applied to many
fields owing to their charming features, including unclonability, randomness, uniqueness
and stability.
• Unclonability: This feature means that after a PUF hardware entity is generated, the
chip fingerprint has been determined, and it cannot be cloned even through the same
processing steps. Normally, the unclonability consists of physical unclonability and math-
ematical unclonability. PUFs achieve physical unclonability, while it is difficult to achieve
mathematical unclonability. This scheme takes advantage of this characteristic.
• Randomness: Randomness means that the binary outputs of PUFs look like real random
binary strings. The better the randomness, the harder it is to clone the PUF.
• Uniqueness: This feature means that the same type of PUFs can generate different chip
fingerprints on different physical entities. That is, the generated chip fingerprint is unique
for a physical entity, where the difference is denoted by hamming distance.
• Reliability: Reliability means that the PUF responses will not be changed in differ-
ent temperature, humidity, noise, voltage environments. The smaller Hamming distance
between chips, the stronger reliability of PUF could be achieved. This introduce the
Hamming distance in detail below.
The meaning of Hamming distance is the difference between two strings of equal length,
that is, the number of characters that need to be changed when the two strings are
converted to each other. The Hamming distance is defined as
8
3.2. PUF
where HD denotes the Hamming distance between the equal-length strings X and Y , l
represents the length of the strings, xi and yi are the ith character of the string X and
Y , respectively. The reliability of PUF could be obtained by calculating the Hamming
distance between the responses of the same challenge in different environments. The
reliability of PUF is defined as
This introduce two PUFs that involved in the protocol, namely, SRAM PUF and APUF.
Memory-based PUF is the most widely used PUF due to the fact that currently most
circuits use memory, especially Static Random Access Memory (SRAM). SRAM PUF
is the most suitable memory-based PUF for integration, since SRAM PUF could be
integrated into SRAM [51]. Any circuit system that uses SRAM cloud integrate several
bits of SRAM PUF unit in SRAM without redundant control circuits. Even, SRAM can
be used as SRAM PUF directly. SRAM PUF uses the difference in the initial start-up
value of the storage cell resulted from manufacturing differences as the PUF. The structure
of SRAM PUF could be seen as two inverters connected end to end, thus, it could store
two opposite logical states. In the stable state, these two opposing points have opposite
voltages, which are 0 or 1, respectively. In the power-off state, the potentials of both
points are 0. Assuming that the SRAM is started-up at this moment, the voltage at both
points starts to rise.
In the process of rising, when the voltage reaches the threshold voltage of the transistor in
SRAM, the positive feedback in SRAM begins. Due to the inherent intrinsic mismatch in
the transistor, there will be a slight difference in voltage between the two points. During
the start-up process, many factors such as the transistor mismatch, temperature, and
voltage will affect the operation of SRAM PUF, which forming the CRPs. The responses
of SRAM PUF could be obtained by reading the initial value of the memory cell when
starting up, which is widely used in various digital devices. Whereas, SRAM PUF is a
typical weak PUF, which only has a small amount of CRPs.
9
3.3. Digital signature
10
3.3. Digital signature
11
Chapter 4. System model
Chapter 4
System model
• IIoT devices:
IIoT devices need to be authenticated in a decentralized manner. All the IIoT
devices involved in the protocol are embedded with multiple PUFs, which are used
for device authentication. Specifically, given a challenge value, each PUF outputs a
response bit, and then the device forms a response string as the output.
• CA:
CA issues the certificates for IIoT devices, and accesses to the interface of the
device for requesting the response values. Moreover, CA constructs PUFModels by
obtaining several CRPs through machine learning. CA distributes the PUFModels
to n different nodes, where each node holds a PUFModel of the device.
• Blockchain:
Blockchain is used to record all authentication results and transactions generated
Department of Computer Science and Engineering, SJCET Palai 12
4.1. System Model
over P2P network, where the authentication results of IIoT devices could be looked
over immediately.
• Authentication Committee:
The participant peers holding PUFModels constitute an authentication committee
in the P2P network, where the P2P network is the underlying network architecture
of blockchain. Based on the 51of the existing underlying blockchain, this paper
assumes that the most nodes are rational
13
Chapter 5. Concrete Scheme
Chapter 5
Concrete Scheme
There are four entities involved in the IIoT devices authentication protocol. there are two
blockchain-based IIoT device authentication schemes with PUF.
In the registration phase, CA issues a certificate for the IIoT device. Then the device
maintains its CRP list of the SRAM PUF locally. After that, CA distributes the memory
address fields to P2P nodes randomly, each of which gets a portion of SRAM PUF CRPs.
• Preparation
The IIoT device picks a CRP from each memory address field uniformly, and sends
Department of Computer Science and Engineering, SJCET Palai 14
5.2. Blockchain-based IIoT devices authentication scheme with APUF
the challenges of these CRPs to the authentication committee. Then the device
concatenates the corresponding responses R1,R2,. . . ,Rn into a response string R by
powering on the SRAM PUF and signs on it
After that, the device sends the signature σ and Re1,Re2,...Ren to the smart con-
tract. On receiving the challenges, the nodes held the partial SRAM PUF CRPs
output the hash value of their response to the smart contract.
• Authentication
The smart contract verifies the validity of the signature to confirm the identity of
the device
After gathering the enough responses from nodes, the smart contract first verifies the
validity of the signature from the device, and then checks whether Hamming distance of
the response strings uploaded from the both sides is less than the threshold. The au-
thentication results will be uploaded on the blockchain, and then the authenticated IIoT
device is ready for normal operations.
15
5.2. Blockchain-based IIoT devices authentication scheme with APUF
Figure 5.1: The process of blockchain-based IIoT devices authentication with APUF.l
In the registration phase, the IIoT devices request the corresponding certificates to CA
with their identity information ID device , then CA signs on the key and identity infor-
mation with its own secret key, and issues certificates to devices. After that, CA chooses
C1,C2,. . . ,Cd as challenge values randomly to the IIoT device for the PUFs response val-
ues, which are denoted by R1,R2,. . . ,Rd . CA generates PUFModels for each PUF in the
device by learning several CRPs through machine learning.
• Preparation: The smart contract obtains the previous hash value pre hash of the
current block header on the blockchain, and sends it to the IIoT device.
• Authentication:At this step, the smart contract checks the validity of the signature
• Commit: When gathering the enough response bits from the authentication com-
mittee in the P2P network,
16
5.2. Blockchain-based IIoT devices authentication scheme with APUF
17
Chapter 6. Security analysis
Chapter 6
Security analysis
19
Chapter 7. Performance analysis
Chapter 7
Performance analysis
separate two types of linearly separable sample points. Let the classification hyperplane
be W*x+b=0.
where W is the weight of hyperplane, and b is the bias. According to the distance formula
from the point to the plane, the distance between the given training sample (X, y) and
the hyperplane is d = W X + b. Therefore, the training goal of SVM becomes to find the
minimum value of the distance between all samples and the hyperplane, and then maxi-
mize this minimum value. Define the minimum value be dmin = min d. Moreover, if W
and b are changed proportionally, the hyperplane will not change, while the distance will
be changed. Therefore, the normal vector W of the hyperplane needs to be constrained.
For instance, let the L2 norm of W be 1, i.e. ‖W‖ = 1. So that the interval can be
uniquely determined. Then the distance at this time is redefined as
Similar to the LR model, the SVM prediction models can be combined to achieve a 64-
bit response prediction model. training is done on the SVM model on a laptop in the
Windows10 OS with Intel(R) Core(TM) i7- 10710U CPU @ 1.61 GHz, and the imple-
mentation is run in python 3.8.5.and set the size of the training set to 4000 and the size
of the test set to 1000. The number of iterations of the training process is determined by
the model according to the training effect, and the training process can be ended at any
time according to the training effect. The training time is 246,000 ms. Fig. 7.1 shows
the performance of the authentication phase. Fig. 5(a) shows the results of the training,
where the Hamming distance is between the predicted output and the actual response,
and the vertical axis is the proportion of the Hamming distance. From the figure, it can
be seen that about 57.7predicted results are the same as the true value (the Hamming
distance is 0), and more than 98.33% of the Hamming distance between the predicted
results and the true values is less than or equal to 2. More than 99.9% of the Hamming
distance between the predicted results and the true values is less than 4
21
7.3. Smart contract
22
7.3. Smart contract
23
Chapter 8. Conclusion
Chapter 8
Conclusion
This paper proposed the system model and threat model for the blockchain-based IIoT
device authentication protocol, and gave two concrete schemes for blockchain-based IIoT
device authentication. One is based on SRAM PUF and the other is based on APUF. The
former has good compatibility and can be directly applied to existing devices, and the
latter has stronger security guarantee.and proved the proposal achieves response unforge-
ability, modeling resistance, and collusion resistance. Furthermore, this proposal achieves
scalability owing to the PUF model constructed. Finally implemented this proposal and
tested the performance of scheme. The implementation results show that the running de-
lay of the smart contract of the scheme is at the millisecond level, and the authentication
success rate is high, which demonstrates that this proposal is feasible in practice.
This work was supported by the National Key RD Program of China through project
(2021YFB2700200), the Natural Science Foundation of China through projects 62002006,
62172025, U21B2021, 61932011, 61932014, 61972018, 61972019, 61772538, 32071775, and
91646203, the Defense Industrial Technology Development Program (JCKY2021211B017).
References
[1] Li, D., Chen, R., Liu, D., Song, Y., Ren, Y., Guan, Z., Sun, Y., Liu, J. (2022).
Blockchain-based authentication for IIoT devices with PUF. In Journal of Systems
Architecture (Vol. 130, p. 102638). Elsevier BV.
[2] M. Qiu, Z. Ming, J. Li, J. Liu, G. Quan, Y. Zhu, Informer homed routing fault
tolerance mechanism for wireless sensor networks, J. Syst. Archit. 59 (4–5) (2013)
260–270.
[3] M. Qiu, Z. Ming, J. Li, S. Liu, B. Wang, Z. Lu, Three-phase time-aware energy
minimization with DVFS and unrolling for Chip Multiprocessors, J. Syst. Archit.
58 (10) (2012) 439–445.
[4] Z. Shao, C. Xue, Q. Zhuge, et al., Security protection and checking for embedded
system integration against buffer overflow attacks via hardware/software, IEEE
Trans. Comput. 55 (4) (2006) 443–453.
[6] V.L. Eschenauer, Abstract a key-management scheme for distributed sensor net-
works, 2008.
[7] S. Guo, X. Hu, S. Guo, X. Qiu, F. Qi, Blockchain meets edge computing: A
distributed and trusted authentication system, IEEE Trans. Ind. Inf. 16 (2020)
1972–1983.
[9] A.K. Maurya, A.K. Das, S.S. Jamal, D. Giri, Secure user authentication mechanism
for iot-enabled wireless sensor networks based on multiple bloom filters, J. Syst.
Archit. 120 (2021) 102296.
[10] Z. Gu, M. Qiu, Introduction to the special issue on embedded artificial intelligence
and smart computing, J. Syst. Archit. 84 (2018) 1.
26
Annexure
A
i
ii
iii
iv
v
vi
vii
viii
ix
x
xi