physical(ly) unclonable functions · id pre-programmed digital identifier challenge = ask...

1

Physical(ly) Unclonable

Functions

An introduction to Intrinsic PUFs

Ingrid Verbauwhede

Slide courtesy: Roel Maes

COSIC – K.U.Leuven

Supported by:

IWT and

ECRYPT, ALBENA, MAY 2011 2

Introduction

Goal of this talk try to answer the question:

What is a PUF?

What is it usage?

Can we use it as an unclonable device

identifier?

P.U.F.?P.U.F. Physical Unclonable Functiona physical function which is unclonable in every sense

P.U.F. Physically Unclonable Functiona function which is unclonable in a physical sense

2


Introduction (cont.)

Need for unique identification of devices or goodsExample: RFID tags

Secure storage of a key bit string (non volatile memory, batterybacked up SRAM, fuses, etc.)

Problem: personalization step during fabricationExpensive, extra processing steps

Post-processing e.g. by blowing fuses

Idea: use physical uniqueness of devices

Idea: use CMOS process variations for thisThreshold voltage

Oxide thickness

Metal line shapes


Functional description of PUF

For use in crypto applications

PUF = (physical) function which is physically

unclonable

Very hard (“impossible”) to produce two PUFs with

similar challenge-response behavior

Easy to construct and evaluate a random PUF

PUF

Challenge Response

3


Basic properties of PUF

Minimum requirements:

For two random PUFs, difference between expected

responses to same challenge, should be large

For single random PUF, difference between two measured

responses to same challenge, should be small

For single random PUF, uncertainty about response to

challenge is large, when one does not have access to this

PUF instance

= manufacturing variability is ‘large’

= noise, aging, temperature effects,… are limited

= unpredictability is large


Intrinsic PUFs

Use inherent manufacturing variability present in

CMOS fabrication

Keep measured PUF responses inside chip

Useful for secure key storage!

Requirements:

PUF + measurement circuit + post-processing

inside chip

Standard processing, no extra processing steps

4


MOS Transistor

Gate voltage below “threshold” - No current

(there is subthreshold current)

Gate voltage above “threshold” - current can flow

Threshold = f(doping concentration)


Delay of gate

Time to charge or discharge capacitances at output

Delay t = C x V / I

I = f (Cox, (VGS - VTh))

Process variations:Oxide thickness

Threshold voltage

Capacitance

0-1

transition

5


Outline

Introduction

A few examples of Intrinsic PUFs

PUF properties

PUF applications

Conclusion

First example: Arbiter PUF

Delay based intrinsic PUF

6


Arbiter PUF: basic operation

Initial design [Lee et al, MIT 2004]switch block: e.g. two muxes

arbiter: e.g. a latch or a flip-flop

n switch blocks 2n “different” delays

0 1 0 0 1 1

Arbiter0/1

Challenge

Response

Switch Block


Arbiter PUF: experiments [Lee04]

Results:10000 CRPs from 37 ASICs

64-stage arbiter PUF

Results on FPGA [Lee at al 04] : μinter = 1.05%, μintra = 0.3%

[Lee04]

μinter = 23%

μintra 0.7%

μintra 3.47% (voltage variation)

μintra 4.82% (temperature variation)

[L04]

7


Arbiter PUF: analysis

delay additive !leads to model-building attack (linear programming)

also machine-learning techniques (Artificial Neural Networks, Support VectorMachines, …)

Attack results:ASIC: 3.55% prediction error with SVM trained with 5000 CRPs ( < μintra !!!)

FPGA: 0.6% prediction error with perceptron trained with 90000 CRPs

Extensions [Ozturk et al 2008]tri-state buffer based delay circuit comparable to switch-based

Simulation: prediction error < 3% for linear programming on 4000 CRPs

Conclusion: (Improved) arbiter PUFs can be accuratelymodelled (= “cloned”) from polynomial # known CRPs

Second example:

Ring Oscillator PUF

Delay based Intrinsic PUF

8


fA

fB

fA

fB

Ring Oscillator PUF: basic operation

Initial design [Gassend et al 2003]

CompensationTo eliminate (scaling)

environmental influence

One-bit compensation

[Suh 2007]To avoid costly division

Response ~ fDelay

Edge

detector

Counter++

Challenge

Response

÷

Response

0 if fA < fB

1 if fA fB

r = fA / fB

f


Ring Oscillator PUF: experiments

Results [Suh2007]:measurements on 15 FPGAs, 1024

loops/FPGA and 1 out of 8 masking

μinter = 46.15%

μintra = 0.48% (with temp./volt. var.)

9


Ring Oscillator PUF: analysis

Modelling attacks?

same as arbiter PUFs for basic design

not for fixed delay circuit as in [Suh 2007]

but much less challenges!

[N/2 < #challenges < log2(N!)]

inefficient area use

SRAM PUF

Memory based Intrinsic PUF

10


SRAM PUF: basic operation

SRAM cell:(6T-CMOS)

Which state right after power-up?depends on physical mismatch between M2 and M4

power-up state =

measure for manufacturing variability

QQ

Q Q

0 1

1 0

2 possible stable states

1-bit storage


SRAM PUF: basic operation

SRAM PUFchallenge = SRAM address

response = power-up state of addressed cell(s)

Guajardo et al 2007SRAM on FPGA

Holcomb et al 2007COTS SRAM

SRAM on embedded micro-controller

QQ

QQ

power-up state:

Q = 0

Q = 1

11


SRAM PUF: experiments

Results [Guarjado et al CHES 2007]measurements on FPGA, 8190 bytes from different SRAM blocks

intra = 3.57% , intra = 0.13% inter = 49.97% , inter = 0.3%


SRAM PUF: experiments

Results [Holcomb, Burleson, Fu 2009]measurements on two types of devices

COTS SRAM chip: 5120 64-bit blocks on 8 ICs

Embedded SRAM in C: 15 64-bit blocks on 3 ICs

SRAM chip Embedded SRAM

μinter = 43.16%

μintra = 3.8%

μinter = 49.34%

μintra = 6.5%

12


Outline

Introduction

Examples of Intrinsic PUFs

PUF properties

PUF applications

Conclusion


Quick overview

Evaluatable: y = PUF (x) is easy

Unique: PUF(x) contains some unique information

Reproducible: PUF() has only small error

Unclonable: hard to make PUF’(x) given PUF(x)

Unpredictable: hard to find yN=PUF(xN) given other

x, y pairs

One-way: given y and PUF(), cannot find x

Tamper evident: tampering changes PUF()

13


Compare PUF constructions1. OPT

Optical PUF [P01][STO06]• Challenge = laser orientation

• Response = Gabor hash of speckle pattern

2. COAT Coating PUF [TSSVVW06]

• Challenge = sensor pair selection

• Response = quantized capacitance measurement

3. ARB Basic switch-based arbiter PUF [L04]

• Challenge = switch-block delay setting

• Response = one-bit arbiter decision

4. FF-ARB Feed-forward arbiter PUF [L04]

• Challenge = (reduced) switch-block delay setting

• Response = one-bit arbiter decision

5. LW-ARB Lightweight arbiter PUF [MKP08]

• Challenge = pre-challenge to input-network

• Response = one-bit XOR of arbiter decisions

6. RO Basic switch-based ring oscillator PUF with

division compensation [GCVD02b][B03]• Challenge = switch-block delay setting

• Response = ratio of two counter values

7. 1B-RO Inverter ring oscillator PUF with comparator

compensation [SD07]Challenge = oscillator pair selection

Response = one-bit comparator output

8. SRAM/FF SRAM PUF [GKST07], flip-flop PUF

[MTV08b]Challenge = SRAM cell address

Response = one-bit power-up state of addressed cell

9. LATCH/BUTTER Basic latch PUF [SHO07], butterfly PUF

[KGMST08]Challenge = latch/butterfly cell selection

Response = one-bit settling state of excited cell

10. CPUF Controlled PUF [GCVD02]

Challenge = pre-PUF hash input

Response = post-PUF hash output

11. ID pre-programmed digital identifier

Challenge = ask identifier

Response = identifier value

12. PK pre-programmed asymmetric private key

Challenge = random nonce

Response = signature on nonce

13. TRNG true random number generator

Challenge = ask true random number

Response = “physically produced” true random number


PUF properties table

No protection

If good crypto

Knows

private key

Knows

private key

Copy key

Perfect

If good RNG

Computation

PK

If good TRNG

TRNG

If good hash

If good hash

If good hash

If good PUF

If good ECC

Integrated

CPUF

No protection

Trivial

Trivial

Trivial

Copy ID

Perfect

If good RNG

Very fast

ID

Tamper

Evident

If q << 5000If q << 50000If q << 50000If q << 5000

Unpred

.

1-bit response1-bit response1-bit response1-bit response1-bit response1-bit responseFew

challenges

One-

way

Full readoutFull readoutFull readoutModellableModellableModellableModellableFull readout

Math.

Unclon.

Phys.

Unclon.

Reprod

.

Unique

Integrated

Integrated

(+ power-up!)IntegratedIntegratedIntegratedIntegratedIntegrated

Integrated

(extra

process)

Mechanical

procedure

Eval.

LATCH

/

BUTTE

R

SRAM/

FF1B-RORO

LW-

ARB

FF-

ARBARBCOATOPT

Reference

14


Outline

Introduction

Examples of Intrinsic PUFs

PUF properties

PUF applications

Conclusion


PUF Applications

System identificationanti-counterfeiting

hardware binding

hardware metering (passive)

Secret Key Generationsecure key storage

secure key distribution

Hardware Entangled Cryptographyside-channel resistance provable physical security?

key-based crypto …

15


System Identification

Very similar to biometrical identification systems

Easy, fast, straightforward, but limited securitye.g. no authentication

Optimal Identification

ThresholdFRR:

False Rejection Rate

FAR:

False Acceptance Rate

Distance measure

Frequency

Intra-distance Inter-distance

PUF Ax yA

PUF Ax yA’

PUF Bx yB

yA yA’

yA yB


Key Generation

Integration of PUFs with keyed crypto primitives

Key extraction

“non-volatile” key storage in a “non-digital” waykey only digitally present when needed in crypto computation

no long-term digital storage required

unique key material “intrinsically” presentno key programming step required

however, two-phase key generation: enrollment - reproduction

PUFKey

Extraction

x y K

Crypto

16


Hardware Entangled Cryptography

Embedded integration of PUFs in crypto primitives

Secret parameter = device-unique PUF behaviorno digital key present at any point

no digital key-storage required whatsoever

Basic complexity/cryptographic assumptions about PUFs are needed

No digital key constrains application scenarios!

Topic of active research

Crypto

PUFx y


Conclusion

“What is a PUF?” is not an easy question

We identified some minimal requirements which…are common to all known PUF constructions (exhaustively)

…, but distinguish them from other primitives

“Which is the best PUF?” is an even harder questionthere are contradicting goals trade-offs

application dependent

Still many open questions…

For an extended reference list, see website Roel Maes:

http://rmaes.ulyssis.be/pufbib.php

17


Future work: “situating PUFs”

hard-

programmed

keys

TRNGsPUFs

physical unclonability

uniqueness vs reproducibility (μinter/μintra)

μinter > μintra μinter < μintraμintra = 0

physically

unclonable

practically

physically clonable

physically unclonable

in practice

practical physical

cloning is hard


References[LDT00] Keith Lofstrom and W. Robert Daasch and Donald Taylor, "IC identification circuit using device mismatch", ISSCC, 2000

[P01] Ravikanth S. Pappu, "Physical one-way functions", PhD Thesis, MIT, 2001

[GCVD02] Blaise Gassend and Dwaine Clarke and Marten van Dijk and Srinivas Devadas, "Controlled Physical Random Functions",ACSAC, 2002

[GCVD02b] Blaise Gassend and Dwaine Clarke and Marten van Dijk and Srinivas Devadas, "Silicon physical random functions",ACM CCS, 2002

[PRTG02] Ravikanth S. Pappu and Ben Recht and Jason Taylor and Niel Gershenfeld, "Physical one-way functions", Science, 2002

[SCGVD03] G. Edward Suh and Dwaine Clarke and Blaise Gassend and Marten van Dijk and Srinivas Devadas, "AEGIS:architecture for tamper-evident and tamper-resistant processing", ICS, 2003

[B03] Blaise Gassend, "Physical Random Functions", Master's Thesis MIT, 2003

[LLGSVD04] Jae W. Lee and Daihyun Lim and Blaise Gassend and G. Edward Suh and Marten van Dijk and Srinivas Devadas, "Atechnique to build a secret key in integrated circuits for identification and authentication application", Symposium on VLSI Circuits,2004

[GLCVD04] Blaise Gassend and Daihyun Lim and Dwaine Clarke and Marten van Dijk and Srinivas Devadas, "Identification andauthentication of integrated circuits", Concurr. Comput. : Pract. Exper., 2004

[TSSAO04] P. Tuyls and B. kori and S. Stallinga and A.H.M. Akkermans and W. Ophey, "An information theoretic model forphysical uncloneable functions", ISIT, 2004

[L04] Daihyun Lim, "Extracting Secret Keys from Integrated Circuits", Master's Thesis MIT, 2004

[V04] Serge Vrijaldenhoven, "Acoustical Physical Uncloneable Functions", Master's Thesis, T.U.Eindhoven, 2004

[BCJPSXAFAB05] James D. R. Buchanan and Russell P. Cowburn and Ana-Vanessa Jausovec and Dorothee Petit and Peter Seemand Gang Xiong and Del Atkinson and Kate Fenton and Dan A. Allwood and Matthew T. Bryan, "Forgery: `Fingerprinting' documentsand packaging", Nature, 2005

[TSSAO05] P. Tuyls and B. Skoric and S. Stallinga and A.H.M. Akkermans and W. Ophey, "Information-Theoretic Security Analysisof Physical Uncloneable Functions ", Financial Crypto (LNCS 3570), 2005

[LLGSVD05] Daihyun Lim and Jae W. Lee and Blaise Gassend and G. Edward Suh and Marten van Dijk and Srini Devadas,"Extracting secret keys from integrated circuits", IEEE Transactions on VLSI Systems, 2005

[SOSD05] G. Edward Suh and Charles W. O'Donnell and Ishan Sachdev and Srinivas Devadas, "Design and Implementation of theAEGIS Single-Chip Secure Processor Using Physical Random Functions", ISCA, 2005

[STO06] B. kori and P. Tuyls and W. Ophey , "Robust key extraction from Physical Uncloneable Functions ", ACNS (LNCS 3531),2005

[TSSVVW06] Pim Tuyls and Geert-Jan Schrijen and Boris kori and Jan van Geloven and Nynke Verhaegh and Rob Wolters,"Read-proof hardware from protective coatings", CHES, 2006

[TS06] Pim Tuyls and Boris kori , "Physical Unclonable Functions for enhanced security of tokens and tags ", ISSE, 2006

18


References[ISSTW06] T. Ignatenko and G.J. Schrijen and B. kori and P. Tuyls and F. Willems , "Estimating the Secrecy Rate of PhysicalUncloneable Functions with the Context-Tree Weighting Method ", ISIT, 2006

[SMKT06] B. kori and S. Maubach and T. Kevenaar and P. Tuyls, "Information-theoretic analysis of capacitive physical unclonablefunctions", Journal of Applied Physics, 2006

[DK07] Gerald DeJean and Darko Kirovski, "RF-DNA: Radio-Frequency Certificates of Authenticity", CHES, 2007

[GKST07] Jorge Guajardo and Sandeep S. Kumar and Geert Jan Schrijen and Pim Tuyls, "FPGA intrinsic PUFs and their use for IPprotection", CHES, 2007

[HBF07] Daniel E. Holcomb and Wayne P. Burleson and Kevin Fu, "Initial SRAM state as a fingerprint and source of true randomnumbers for RFID tags", Conference on RFID Security, 2007

[GKST07b] Jorge Guajardo and Sandeep S. Kumar and Geert Jan Schrijen and Pim Tuyls, "Physical unclonable functions andpublic-key crypto for FPGA IP protection", FPL, 2007

[SD07] G. Edward Suh and Srinivas Devadas, "Physical unclonable functions for device authentication and secret key generation",DAC, 2007

[SHO07] Y. Su and J. Holleman and B. Otis, "A 1.6pJ/bit 96% Stable Chip-ID Generating Circuit using Process Variations", ISSCC,2007

[OHS08] Ozturk, E. and Hammouri, G. and Sunar, B., "Towards Robust Low Cost Authentication for Pervasive Devices", PERCOM,2008

[OHS08b] Ozturk, E. and Hammouri, G. and Sunar, B., "Physical unclonable function with tristate buffers", ISCAS, 2008

[GVCTDT08] Blaise Gassend and Marten Van Dijk and Dwaine Clarke and Emina Torlak and Srinivas Devadas and Pim Tuyls,"Controlled physical random functions and applications", ACM TISSEC, 2008

[AKKP08] Yousra Alkabani and Farinaz Koushanfar and Negar Kiyavash and Miodrag Potkonjak, "Trusted Integrated Circuits: ANondestructive Hidden Characteristics Extraction Approach", Information Hiding (LNCS), 2008

[MKP08] Majzoobi Mehrdad and Koushanfar Farinaz and Potkonjak Miodrag, "Lightweight secure PUFs", ICCAD, 2008

[MKP08b] Mehrdad Majzoobi and Farinaz Koushanfar and Miodrag Potkonjak, "Testing Techniques for Hardware Security", ITC,2008

[MTV08] R. Maes and P. Tuyls and I. Verbauwhede, "Statistical Analysis of Silicon PUF responses for Device Identification", SECSI,2008

[HOBS08] Ghaith Hammouri and Erdinc Ozturk and Berk Birand and Berk Sunar, "Unclonable Lightweight Authentication Scheme",ICICS, 2008

[MTV08b] R. Maes and P. Tuyls and I. Verbauwhede, "Intrinsic PUFs from Flip-flops on Reconfigurable Devices", WISSEC, 2008

[HAS08] Ghaith Hammouri, Kahraman Akdemir, and Berk Sunar, "Novel PUF-based Error Detection Methods in Finite StateMachines", ICISC 2008, 2008

[KGMST08] Sandeep S. Kumar and Jorge Guajardo and Roel Maes and Geert-Jan Schrijen and Pim Tuyls, "Extended abstract: Thebutterfly PUF protecting IP on every FPGA", HOST, 2008


References[S09] Boris kori , "Quantum readout of Physical Unclonable Functions: Remote authentication without trusted readers andauthenticated Quantum Key Exchange without initial shared secrets", Cryptology ePrint Archive: Report 2009/369, 2009

[KSSTS09] K. Kursawe and A. Sadeghi and D. Schellekens and P. Tuyls, and B. kori , "Reconfigurable Physical UnclonableFunctions -- Enabling Technology for Tamper-Resistant Storage", HOST, 2009

[HAP09] Ryan Helinski and Dhruva Acharyya and Jim Plusquellic, "A physical unclonable function defined using power distributionsystem equivalent resistance variations", DAC, 2009

[GSTKBBS09] Jorge Guajardo and Boris kori and Pim Tuyls and Sandeep S. Kumar and Thijs Bel and Antoon H. M. Blom andGeert-Jan Schrijen, "Anti-counterfeiting, key distribution, and key storage in an ambient world via physical unclonable functions",Information Systems Frontiers, 2009

[RSS09] Ulrich Rührmair and Jan Sölter and Frank Sehnke, "On the Foundations of Physical Unclonable Functions", CryptologyePrint Archive, 2009

[RCLSSC09] Ulrich Rührmair and Qingqing Chen and Paolo Lugli and Ulf Schlichtmann and Martin Stutzmann and György Csaba,"Towards Electrical, Integrated Implementations of SIMPL Systems", Cryptology ePrint Archive, 2009

[MNRS09] Abhranil Maiti, Raghunandan Nagesh, Anand Reddy, Patrick Schaumont, "Physical unclonable function and true randomnumber generator: a compact and scalable implementation", ACM Great Lakes Symposium on VLSI 2009, 2009

[KBS09] Michael Kirkpatrick, Elisa Bertino, Frederick T. Sheldon, "Physically Restricted Authentication and Encryption for Cyber-physical Systems", DHS Workshop on Future Directions in Cyber-physical Systems Security, 2009

[R09] Ulrich Rührmair, "SIMPL Systems: On a Public Key Variant of Physical Unclonable Functions", Cryptology ePrint Archive, 2009

[CJCPSSLR09] György Csaba and Xueming Ju and Qingqing Chen and Wolfgang Porod and Jürgen Schmidhuber and UlfSchlichtmann and Paolo Lugli and Ulrich Rührmair, "On-Chip Electric Waves: An Analog Circuit Approach to Physical UncloneableFunctions", Cryptology ePrint Archive, 2009

[SM09] Boris Skoric and Marc X. Makkes, "Flowchart description of security primitives for Controlled Physical Unclonable Functions",Cryptology ePrint Archive, 2009

[MKP09] Mehrdad Majzoobi and Farinaz Koushanfar and Miodrag Potkonjak, "Techniques for Design and Implementation of SecureReconfigurable PUFs", ACM TRETS, 2009

[BP09] Nathan Beckmann and Miodrag Potkonjak, "Hardware-Based Public-Key Cryptography with Public Physically UnclonableFunctions", Information Hiding (LNCS 5806), 2009

[HBF09] Daniel E. Holcomb and Wayne P. Burleson and Kevin Fu, "Power-Up SRAM State as an Identifying Fingerprint and Sourceof True Random Numbers", IEEE Transactions on Computers, 2009

[MTV09] Roel Maes and Pim Tuyls and Ingrid Verbauwhede, "A Soft decision helper data algorithm for SRAM PUFs", ISIT, 2009

[BSQ09] P. Bulens and F.-X, Standaert and J.-J Quisquater, "How to Strongly Lonk Data and its Medium: the Paper Case", to appearIET Information Security, 2009

[J09] Tamara Jun, "Circuit approaches to Physical Cryptography", Diploma Thesis, T.U.München, 2009

[HDS09] Ghaith Hammouri and Aykutlu Dana and Berk Sunar, "CDs Have Fingerprints Too ", CHES, 2009

physical(ly) unclonable functions · id pre-programmed digital identifier challenge = ask...

Documents