PUF-Based RFID Authentication for Secure Supply Chain Management

Research Mentor: Marten van Dijk

According to a 2016 report by the OECD and the EUs Intellectual Property Office, the value of imported counterfeited and pirated goods is worth nearly half a trillion dollars a year, which is around 2.5% of global imports with many of the proceeds going to organized crime. Close to 5% of goods that are imported into the European Union are fakes that appear everywhere -- the most dangerous ones are auto parts that fail, drugs making people sick, medical instruments delivering false readings, etc. Given the value of imported counterfeit and pirated goods, the need for secure supply chain management is pertinent. We have developed a new management scheme based on RFID tags (with 2-3K bits NVM) which, if compared to other schemes, is competitive on several performance and security metrics. Its main idea is to have each RFID tag store its reader events in its own NVM while moving through the supply chain -- this allows a so-called connectionless strategy without the need for local databases at supply chain partners or the need for an online connection with a central server. Our solution was further analyzed using a lightweight (compatible with RFID tags) cryptographic method for one-time MACs.

Components for Student Participation

The REU students will extend our lightweight PUF-based solution that can resist the strong adversary who is able to physically read out all digital stored state in an RFID tag. The aim of this project is to implement in HLS or Verilog three approaches: (1) Using a very lightweight 3- or 4-XOR APUF together with a cheap mechanism for generating challenges from a seed challenge based on a BCH code and Gray code. In this approach we implement two modes of operation; after initialization a fuse is set to enter normal mode. (2) As in (1) but now using a mechanism based on an LFSR -- this also requires development of a security proof using combinatorics. (3) We implement the strong Interpose PUF, which is a little less lightweight but avoids the setting of a fuse. All three approaches need to be implemented, optimized with respect to their hardware footprint, and compared. A security analysis of the lightweight PUFs will also be conducted. We expect that the proposed work will lead to publications at good hardware security conferences.