Puf cafe E#2

Hi, thanks for taking your time to watch the episode. That's a very insightful question, and answering it in full detail would probably take up another webinar 🙂 

You are right that (multi-party) symmetric-key protocols require the same key value to be shared among two or more parties. PUF-derived keys do not naturally have that property, since they are derived intrinsically on the device. That means an additional action is needed, which comes in the form of cryptographic key distribution or key agreement protocols. These are standard procedures for establishing shared secrets, which can be used with PUFs or with any other root of trust. Some rather straightforward options are:

1. you can simply off-load a PUF-derived key from the device and store it in a secure database, e.g. during a one-time secure provisioning flow. If you set up the key management in the right way, and use context binding as explained in the episode, you can even make it such that a particular key value can be exported only once from the device, so you don't need to worry about someone else exposing the same key value later on.
2. instead of using an intrinsic PUF-derived key, you can also inject an external key and protect it with a PUF-derived key. In that case, the injected key is already shared, and you still get the PUF-based protection. You can again employ context binding in such a way that an injected key value can never be exported afterwards.
3. in a slightly more advanced scenario, you can use public-key cryptography. In that case, you would derive a PUF-based public-private key pair and only export the public key. From that point on, any party can use the public key of a device to perform a key agreement protocol and establish a shared secret with the device. In order to protect the authenticity of the public key, you can e.g., encapsulate it in a certificate as part of a public-key infrastructure.

I hope that answers your question.