physical(ly) unclonable functions · id pre-programmed digital identifier challenge = ask...
TRANSCRIPT
1
Physical(ly) Unclonable
Functions
An introduction to Intrinsic PUFs
Ingrid Verbauwhede
Slide courtesy: Roel Maes
COSIC – K.U.Leuven
Supported by:
IWT and
ECRYPT, ALBENA, MAY 2011 2
Introduction
Goal of this talk try to answer the question:
What is a PUF?
What is it usage?
Can we use it as an unclonable device
identifier?
P.U.F.?P.U.F. Physical Unclonable Functiona physical function which is unclonable in every sense
P.U.F. Physically Unclonable Functiona function which is unclonable in a physical sense
2
ECRYPT, ALBENA, MAY 2011 3
Introduction (cont.)
Need for unique identification of devices or goodsExample: RFID tags
Secure storage of a key bit string (non volatile memory, batterybacked up SRAM, fuses, etc.)
Problem: personalization step during fabricationExpensive, extra processing steps
Post-processing e.g. by blowing fuses
Idea: use physical uniqueness of devices
Idea: use CMOS process variations for thisThreshold voltage
Oxide thickness
Metal line shapes
ECRYPT, ALBENA, MAY 2011 4
Functional description of PUF
For use in crypto applications
PUF = (physical) function which is physically
unclonable
Very hard (“impossible”) to produce two PUFs with
similar challenge-response behavior
Easy to construct and evaluate a random PUF
PUF
Challenge Response
3
ECRYPT, ALBENA, MAY 2011 5
Basic properties of PUF
Minimum requirements:
For two random PUFs, difference between expected
responses to same challenge, should be large
For single random PUF, difference between two measured
responses to same challenge, should be small
For single random PUF, uncertainty about response to
challenge is large, when one does not have access to this
PUF instance
= manufacturing variability is ‘large’
= noise, aging, temperature effects,… are limited
= unpredictability is large
ECRYPT, ALBENA, MAY 2011 6
Intrinsic PUFs
Use inherent manufacturing variability present in
CMOS fabrication
Keep measured PUF responses inside chip
Useful for secure key storage!
Requirements:
PUF + measurement circuit + post-processing
inside chip
Standard processing, no extra processing steps
4
ECRYPT, ALBENA, MAY 2011 7
MOS Transistor
Gate voltage below “threshold” - No current
(there is subthreshold current)
Gate voltage above “threshold” - current can flow
Threshold = f(doping concentration)
ECRYPT, ALBENA, MAY 2011 8
Delay of gate
Time to charge or discharge capacitances at output
Delay t = C x V / I
I = f (Cox, (VGS - VTh))
Process variations:Oxide thickness
Threshold voltage
Capacitance
0-1
transition
5
ECRYPT, ALBENA, MAY 2011 9
Outline
Introduction
A few examples of Intrinsic PUFs
PUF properties
PUF applications
Conclusion
First example: Arbiter PUF
Delay based intrinsic PUF
6
ECRYPT, ALBENA, MAY 2011 11
Arbiter PUF: basic operation
Initial design [Lee et al, MIT 2004]switch block: e.g. two muxes
arbiter: e.g. a latch or a flip-flop
n switch blocks 2n “different” delays
0 1 0 0 1 1
Arbiter0/1
Challenge
Response
Switch Block
ECRYPT, ALBENA, MAY 2011 12
Arbiter PUF: experiments [Lee04]
Results:10000 CRPs from 37 ASICs
64-stage arbiter PUF
Results on FPGA [Lee at al 04] : μinter = 1.05%, μintra = 0.3%
[Lee04]
μinter = 23%
μintra 0.7%
μintra 3.47% (voltage variation)
μintra 4.82% (temperature variation)
[L04]
7
ECRYPT, ALBENA, MAY 2011 13
Arbiter PUF: analysis
delay additive !leads to model-building attack (linear programming)
also machine-learning techniques (Artificial Neural Networks, Support VectorMachines, …)
Attack results:ASIC: 3.55% prediction error with SVM trained with 5000 CRPs ( < μintra !!!)
FPGA: 0.6% prediction error with perceptron trained with 90000 CRPs
Extensions [Ozturk et al 2008]tri-state buffer based delay circuit comparable to switch-based
Simulation: prediction error < 3% for linear programming on 4000 CRPs
Conclusion: (Improved) arbiter PUFs can be accuratelymodelled (= “cloned”) from polynomial # known CRPs
Second example:
Ring Oscillator PUF
Delay based Intrinsic PUF
8
ECRYPT, ALBENA, MAY 2011 15
fA
fB
fA
fB
Ring Oscillator PUF: basic operation
Initial design [Gassend et al 2003]
CompensationTo eliminate (scaling)
environmental influence
One-bit compensation
[Suh 2007]To avoid costly division
Response ~ fDelay
Edge
detector
Counter++
Challenge
Response
÷
Response
0 if fA < fB
1 if fA fB
r = fA / fB
f
ECRYPT, ALBENA, MAY 2011 16
Ring Oscillator PUF: experiments
Results [Suh2007]:measurements on 15 FPGAs, 1024
loops/FPGA and 1 out of 8 masking
μinter = 46.15%
μintra = 0.48% (with temp./volt. var.)
9
ECRYPT, ALBENA, MAY 2011 17
Ring Oscillator PUF: analysis
Modelling attacks?
same as arbiter PUFs for basic design
not for fixed delay circuit as in [Suh 2007]
but much less challenges!
[N/2 < #challenges < log2(N!)]
inefficient area use
SRAM PUF
Memory based Intrinsic PUF
10
ECRYPT, ALBENA, MAY 2011 19
SRAM PUF: basic operation
SRAM cell:(6T-CMOS)
Which state right after power-up?depends on physical mismatch between M2 and M4
power-up state =
measure for manufacturing variability
Q Q
0 1
1 0
2 possible stable states
1-bit storage
ECRYPT, ALBENA, MAY 2011 20
SRAM PUF: basic operation
SRAM PUFchallenge = SRAM address
response = power-up state of addressed cell(s)
Guajardo et al 2007SRAM on FPGA
Holcomb et al 2007COTS SRAM
SRAM on embedded micro-controller
power-up state:
Q = 0
Q = 1
11
ECRYPT, ALBENA, MAY 2011 21
SRAM PUF: experiments
Results [Guarjado et al CHES 2007]measurements on FPGA, 8190 bytes from different SRAM blocks
intra = 3.57% , intra = 0.13% inter = 49.97% , inter = 0.3%
ECRYPT, ALBENA, MAY 2011 22
SRAM PUF: experiments
Results [Holcomb, Burleson, Fu 2009]measurements on two types of devices
COTS SRAM chip: 5120 64-bit blocks on 8 ICs
Embedded SRAM in C: 15 64-bit blocks on 3 ICs
SRAM chip Embedded SRAM
μinter = 43.16%
μintra = 3.8%
μinter = 49.34%
μintra = 6.5%
12
ECRYPT, ALBENA, MAY 2011 23
Outline
Introduction
Examples of Intrinsic PUFs
PUF properties
PUF applications
Conclusion
ECRYPT, ALBENA, MAY 2011 24
Quick overview
Evaluatable: y = PUF (x) is easy
Unique: PUF(x) contains some unique information
Reproducible: PUF() has only small error
Unclonable: hard to make PUF’(x) given PUF(x)
Unpredictable: hard to find yN=PUF(xN) given other
x, y pairs
One-way: given y and PUF(), cannot find x
Tamper evident: tampering changes PUF()
13
ECRYPT, ALBENA, MAY 2011 25
Compare PUF constructions1. OPT
Optical PUF [P01][STO06]• Challenge = laser orientation
• Response = Gabor hash of speckle pattern
2. COAT Coating PUF [TSSVVW06]
• Challenge = sensor pair selection
• Response = quantized capacitance measurement
3. ARB Basic switch-based arbiter PUF [L04]
• Challenge = switch-block delay setting
• Response = one-bit arbiter decision
4. FF-ARB Feed-forward arbiter PUF [L04]
• Challenge = (reduced) switch-block delay setting
• Response = one-bit arbiter decision
5. LW-ARB Lightweight arbiter PUF [MKP08]
• Challenge = pre-challenge to input-network
• Response = one-bit XOR of arbiter decisions
6. RO Basic switch-based ring oscillator PUF with
division compensation [GCVD02b][B03]• Challenge = switch-block delay setting
• Response = ratio of two counter values
7. 1B-RO Inverter ring oscillator PUF with comparator
compensation [SD07]Challenge = oscillator pair selection
Response = one-bit comparator output
8. SRAM/FF SRAM PUF [GKST07], flip-flop PUF
[MTV08b]Challenge = SRAM cell address
Response = one-bit power-up state of addressed cell
9. LATCH/BUTTER Basic latch PUF [SHO07], butterfly PUF
[KGMST08]Challenge = latch/butterfly cell selection
Response = one-bit settling state of excited cell
10. CPUF Controlled PUF [GCVD02]
Challenge = pre-PUF hash input
Response = post-PUF hash output
11. ID pre-programmed digital identifier
Challenge = ask identifier
Response = identifier value
12. PK pre-programmed asymmetric private key
Challenge = random nonce
Response = signature on nonce
13. TRNG true random number generator
Challenge = ask true random number
Response = “physically produced” true random number
ECRYPT, ALBENA, MAY 2011 26
PUF properties table
No protection
If good crypto
Knows
private key
Knows
private key
Copy key
Perfect
If good RNG
Computation
PK
If good TRNG
TRNG
If good hash
If good hash
If good hash
If good PUF
If good ECC
Integrated
CPUF
No protection
Trivial
Trivial
Trivial
Copy ID
Perfect
If good RNG
Very fast
ID
Tamper
Evident
If q << 5000If q << 50000If q << 50000If q << 5000
Unpred
.
1-bit response1-bit response1-bit response1-bit response1-bit response1-bit responseFew
challenges
One-
way
Full readoutFull readoutFull readoutModellableModellableModellableModellableFull readout
Math.
Unclon.
Phys.
Unclon.
Reprod
.
Unique
Integrated
Integrated
(+ power-up!)IntegratedIntegratedIntegratedIntegratedIntegrated
Integrated
(extra
process)
Mechanical
procedure
Eval.
LATCH
/
BUTTE
R
SRAM/
FF1B-RORO
LW-
ARB
FF-
ARBARBCOATOPT
Reference
14
ECRYPT, ALBENA, MAY 2011 27
Outline
Introduction
Examples of Intrinsic PUFs
PUF properties
PUF applications
Conclusion
ECRYPT, ALBENA, MAY 2011 28
PUF Applications
System identificationanti-counterfeiting
hardware binding
hardware metering (passive)
Secret Key Generationsecure key storage
secure key distribution
Hardware Entangled Cryptographyside-channel resistance provable physical security?
key-based crypto …
15
ECRYPT, ALBENA, MAY 2011 29
System Identification
Very similar to biometrical identification systems
Easy, fast, straightforward, but limited securitye.g. no authentication
Optimal Identification
ThresholdFRR:
False Rejection Rate
FAR:
False Acceptance Rate
Distance measure
Frequency
Intra-distance Inter-distance
PUF Ax yA
PUF Ax yA’
PUF Bx yB
yA yA’
yA yB
ECRYPT, ALBENA, MAY 2011 30
Key Generation
Integration of PUFs with keyed crypto primitives
Key extraction
“non-volatile” key storage in a “non-digital” waykey only digitally present when needed in crypto computation
no long-term digital storage required
unique key material “intrinsically” presentno key programming step required
however, two-phase key generation: enrollment - reproduction
PUFKey
Extraction
x y K
Crypto
16
ECRYPT, ALBENA, MAY 2011 31
Hardware Entangled Cryptography
Embedded integration of PUFs in crypto primitives
Secret parameter = device-unique PUF behaviorno digital key present at any point
no digital key-storage required whatsoever
Basic complexity/cryptographic assumptions about PUFs are needed
No digital key constrains application scenarios!
Topic of active research
Crypto
PUFx y
ECRYPT, ALBENA, MAY 2011 32
Conclusion
“What is a PUF?” is not an easy question
We identified some minimal requirements which…are common to all known PUF constructions (exhaustively)
…, but distinguish them from other primitives
“Which is the best PUF?” is an even harder questionthere are contradicting goals trade-offs
application dependent
Still many open questions…
For an extended reference list, see website Roel Maes:
http://rmaes.ulyssis.be/pufbib.php
17
ECRYPT, ALBENA, MAY 2011 33
Future work: “situating PUFs”
hard-
programmed
keys
TRNGsPUFs
physical unclonability
uniqueness vs reproducibility (μinter/μintra)
μinter > μintra μinter < μintraμintra = 0
physically
unclonable
practically
physically clonable
physically unclonable
in practice
practical physical
cloning is hard
ECRYPT, ALBENA, MAY 2011 34
References[LDT00] Keith Lofstrom and W. Robert Daasch and Donald Taylor, "IC identification circuit using device mismatch", ISSCC, 2000
[P01] Ravikanth S. Pappu, "Physical one-way functions", PhD Thesis, MIT, 2001
[GCVD02] Blaise Gassend and Dwaine Clarke and Marten van Dijk and Srinivas Devadas, "Controlled Physical Random Functions",ACSAC, 2002
[GCVD02b] Blaise Gassend and Dwaine Clarke and Marten van Dijk and Srinivas Devadas, "Silicon physical random functions",ACM CCS, 2002
[PRTG02] Ravikanth S. Pappu and Ben Recht and Jason Taylor and Niel Gershenfeld, "Physical one-way functions", Science, 2002
[SCGVD03] G. Edward Suh and Dwaine Clarke and Blaise Gassend and Marten van Dijk and Srinivas Devadas, "AEGIS:architecture for tamper-evident and tamper-resistant processing", ICS, 2003
[B03] Blaise Gassend, "Physical Random Functions", Master's Thesis MIT, 2003
[LLGSVD04] Jae W. Lee and Daihyun Lim and Blaise Gassend and G. Edward Suh and Marten van Dijk and Srinivas Devadas, "Atechnique to build a secret key in integrated circuits for identification and authentication application", Symposium on VLSI Circuits,2004
[GLCVD04] Blaise Gassend and Daihyun Lim and Dwaine Clarke and Marten van Dijk and Srinivas Devadas, "Identification andauthentication of integrated circuits", Concurr. Comput. : Pract. Exper., 2004
[TSSAO04] P. Tuyls and B. kori and S. Stallinga and A.H.M. Akkermans and W. Ophey, "An information theoretic model forphysical uncloneable functions", ISIT, 2004
[L04] Daihyun Lim, "Extracting Secret Keys from Integrated Circuits", Master's Thesis MIT, 2004
[V04] Serge Vrijaldenhoven, "Acoustical Physical Uncloneable Functions", Master's Thesis, T.U.Eindhoven, 2004
[BCJPSXAFAB05] James D. R. Buchanan and Russell P. Cowburn and Ana-Vanessa Jausovec and Dorothee Petit and Peter Seemand Gang Xiong and Del Atkinson and Kate Fenton and Dan A. Allwood and Matthew T. Bryan, "Forgery: `Fingerprinting' documentsand packaging", Nature, 2005
[TSSAO05] P. Tuyls and B. Skoric and S. Stallinga and A.H.M. Akkermans and W. Ophey, "Information-Theoretic Security Analysisof Physical Uncloneable Functions ", Financial Crypto (LNCS 3570), 2005
[LLGSVD05] Daihyun Lim and Jae W. Lee and Blaise Gassend and G. Edward Suh and Marten van Dijk and Srini Devadas,"Extracting secret keys from integrated circuits", IEEE Transactions on VLSI Systems, 2005
[SOSD05] G. Edward Suh and Charles W. O'Donnell and Ishan Sachdev and Srinivas Devadas, "Design and Implementation of theAEGIS Single-Chip Secure Processor Using Physical Random Functions", ISCA, 2005
[STO06] B. kori and P. Tuyls and W. Ophey , "Robust key extraction from Physical Uncloneable Functions ", ACNS (LNCS 3531),2005
[TSSVVW06] Pim Tuyls and Geert-Jan Schrijen and Boris kori and Jan van Geloven and Nynke Verhaegh and Rob Wolters,"Read-proof hardware from protective coatings", CHES, 2006
[TS06] Pim Tuyls and Boris kori , "Physical Unclonable Functions for enhanced security of tokens and tags ", ISSE, 2006
18
ECRYPT, ALBENA, MAY 2011 35
References[ISSTW06] T. Ignatenko and G.J. Schrijen and B. kori and P. Tuyls and F. Willems , "Estimating the Secrecy Rate of PhysicalUncloneable Functions with the Context-Tree Weighting Method ", ISIT, 2006
[SMKT06] B. kori and S. Maubach and T. Kevenaar and P. Tuyls, "Information-theoretic analysis of capacitive physical unclonablefunctions", Journal of Applied Physics, 2006
[DK07] Gerald DeJean and Darko Kirovski, "RF-DNA: Radio-Frequency Certificates of Authenticity", CHES, 2007
[GKST07] Jorge Guajardo and Sandeep S. Kumar and Geert Jan Schrijen and Pim Tuyls, "FPGA intrinsic PUFs and their use for IPprotection", CHES, 2007
[HBF07] Daniel E. Holcomb and Wayne P. Burleson and Kevin Fu, "Initial SRAM state as a fingerprint and source of true randomnumbers for RFID tags", Conference on RFID Security, 2007
[GKST07b] Jorge Guajardo and Sandeep S. Kumar and Geert Jan Schrijen and Pim Tuyls, "Physical unclonable functions andpublic-key crypto for FPGA IP protection", FPL, 2007
[SD07] G. Edward Suh and Srinivas Devadas, "Physical unclonable functions for device authentication and secret key generation",DAC, 2007
[SHO07] Y. Su and J. Holleman and B. Otis, "A 1.6pJ/bit 96% Stable Chip-ID Generating Circuit using Process Variations", ISSCC,2007
[OHS08] Ozturk, E. and Hammouri, G. and Sunar, B., "Towards Robust Low Cost Authentication for Pervasive Devices", PERCOM,2008
[OHS08b] Ozturk, E. and Hammouri, G. and Sunar, B., "Physical unclonable function with tristate buffers", ISCAS, 2008
[GVCTDT08] Blaise Gassend and Marten Van Dijk and Dwaine Clarke and Emina Torlak and Srinivas Devadas and Pim Tuyls,"Controlled physical random functions and applications", ACM TISSEC, 2008
[AKKP08] Yousra Alkabani and Farinaz Koushanfar and Negar Kiyavash and Miodrag Potkonjak, "Trusted Integrated Circuits: ANondestructive Hidden Characteristics Extraction Approach", Information Hiding (LNCS), 2008
[MKP08] Majzoobi Mehrdad and Koushanfar Farinaz and Potkonjak Miodrag, "Lightweight secure PUFs", ICCAD, 2008
[MKP08b] Mehrdad Majzoobi and Farinaz Koushanfar and Miodrag Potkonjak, "Testing Techniques for Hardware Security", ITC,2008
[MTV08] R. Maes and P. Tuyls and I. Verbauwhede, "Statistical Analysis of Silicon PUF responses for Device Identification", SECSI,2008
[HOBS08] Ghaith Hammouri and Erdinc Ozturk and Berk Birand and Berk Sunar, "Unclonable Lightweight Authentication Scheme",ICICS, 2008
[MTV08b] R. Maes and P. Tuyls and I. Verbauwhede, "Intrinsic PUFs from Flip-flops on Reconfigurable Devices", WISSEC, 2008
[HAS08] Ghaith Hammouri, Kahraman Akdemir, and Berk Sunar, "Novel PUF-based Error Detection Methods in Finite StateMachines", ICISC 2008, 2008
[KGMST08] Sandeep S. Kumar and Jorge Guajardo and Roel Maes and Geert-Jan Schrijen and Pim Tuyls, "Extended abstract: Thebutterfly PUF protecting IP on every FPGA", HOST, 2008
ECRYPT, ALBENA, MAY 2011 36
References[S09] Boris kori , "Quantum readout of Physical Unclonable Functions: Remote authentication without trusted readers andauthenticated Quantum Key Exchange without initial shared secrets", Cryptology ePrint Archive: Report 2009/369, 2009
[KSSTS09] K. Kursawe and A. Sadeghi and D. Schellekens and P. Tuyls, and B. kori , "Reconfigurable Physical UnclonableFunctions -- Enabling Technology for Tamper-Resistant Storage", HOST, 2009
[HAP09] Ryan Helinski and Dhruva Acharyya and Jim Plusquellic, "A physical unclonable function defined using power distributionsystem equivalent resistance variations", DAC, 2009
[GSTKBBS09] Jorge Guajardo and Boris kori and Pim Tuyls and Sandeep S. Kumar and Thijs Bel and Antoon H. M. Blom andGeert-Jan Schrijen, "Anti-counterfeiting, key distribution, and key storage in an ambient world via physical unclonable functions",Information Systems Frontiers, 2009
[RSS09] Ulrich Rührmair and Jan Sölter and Frank Sehnke, "On the Foundations of Physical Unclonable Functions", CryptologyePrint Archive, 2009
[RCLSSC09] Ulrich Rührmair and Qingqing Chen and Paolo Lugli and Ulf Schlichtmann and Martin Stutzmann and György Csaba,"Towards Electrical, Integrated Implementations of SIMPL Systems", Cryptology ePrint Archive, 2009
[MNRS09] Abhranil Maiti, Raghunandan Nagesh, Anand Reddy, Patrick Schaumont, "Physical unclonable function and true randomnumber generator: a compact and scalable implementation", ACM Great Lakes Symposium on VLSI 2009, 2009
[KBS09] Michael Kirkpatrick, Elisa Bertino, Frederick T. Sheldon, "Physically Restricted Authentication and Encryption for Cyber-physical Systems", DHS Workshop on Future Directions in Cyber-physical Systems Security, 2009
[R09] Ulrich Rührmair, "SIMPL Systems: On a Public Key Variant of Physical Unclonable Functions", Cryptology ePrint Archive, 2009
[CJCPSSLR09] György Csaba and Xueming Ju and Qingqing Chen and Wolfgang Porod and Jürgen Schmidhuber and UlfSchlichtmann and Paolo Lugli and Ulrich Rührmair, "On-Chip Electric Waves: An Analog Circuit Approach to Physical UncloneableFunctions", Cryptology ePrint Archive, 2009
[SM09] Boris Skoric and Marc X. Makkes, "Flowchart description of security primitives for Controlled Physical Unclonable Functions",Cryptology ePrint Archive, 2009
[MKP09] Mehrdad Majzoobi and Farinaz Koushanfar and Miodrag Potkonjak, "Techniques for Design and Implementation of SecureReconfigurable PUFs", ACM TRETS, 2009
[BP09] Nathan Beckmann and Miodrag Potkonjak, "Hardware-Based Public-Key Cryptography with Public Physically UnclonableFunctions", Information Hiding (LNCS 5806), 2009
[HBF09] Daniel E. Holcomb and Wayne P. Burleson and Kevin Fu, "Power-Up SRAM State as an Identifying Fingerprint and Sourceof True Random Numbers", IEEE Transactions on Computers, 2009
[MTV09] Roel Maes and Pim Tuyls and Ingrid Verbauwhede, "A Soft decision helper data algorithm for SRAM PUFs", ISIT, 2009
[BSQ09] P. Bulens and F.-X, Standaert and J.-J Quisquater, "How to Strongly Lonk Data and its Medium: the Paper Case", to appearIET Information Security, 2009
[J09] Tamara Jun, "Circuit approaches to Physical Cryptography", Diploma Thesis, T.U.München, 2009
[HDS09] Ghaith Hammouri and Aykutlu Dana and Berk Sunar, "CDs Have Fingerprints Too ", CHES, 2009