Physically Unclonable Functions
Rajat Subhra Chakraborty, Associate Professor
Department of Computer Science and Engineering, IIT Kharagpur
E-mail: rschakraborty@cse.iitkgp.ernet.in
ISEA Workshop, IIT Kharagpur, October 2016
Security Threats: Overview
DARPA's Model of Hardware Security Threats*
[Figure: DARPA's model of hardware security threats; labels: Third-party, Offshore, "Not really Trusted!!"]
*http://www.darpa.mil/mto/solicitations/baa07-24/index.html
What is PUF?
- Fingerprint of Devices
- A challenge-response mechanism in which the mapping between an applied input ("challenge") and the corresponding observed output ("response") is dependent on the complex and variable nature of a physical material
- The challenge-response mapping is unclonable (ideally) and instance-specific
[Figure: n-bit Challenge (C) -> PUF -> n-bit Response (R)]
PUF Properties
- Evaluatable: given PUF and x, it is easy to evaluate y = PUF(x).
- Unique: PUF(x) contains some information about the identity of the physical entity embedding PUF.
- Reproducible: y = PUF(x) is reproducible up to a small error.
- Unclonable: given PUF, it is hard to construct a procedure $\mathrm{PUF}' \neq \mathrm{PUF}$ such that $\forall x \in C: \mathrm{PUF}'(x) \approx \mathrm{PUF}(x)$ up to a small error.
- Unpredictable: given only a set $Q = \{(x_i, y_i = \mathrm{PUF}(x_i))\}$, it is hard to predict $y_c = \mathrm{PUF}(x_c)$ up to a small error, for $x_c$ a random challenge such that $(x_c, \cdot) \notin Q$.
- One-way: given only y and PUF, it is hard to find x such that PUF(x) = y.
- Tamper-evident: altering the physical entity embedding PUF transforms $\mathrm{PUF} \rightarrow \mathrm{PUF}'$ such that with high probability $\exists x \in C: \mathrm{PUF}(x) \neq \mathrm{PUF}'(x)$, not even up to a small error.
PUF Taxonomy
[Figure: PUF taxonomy, shown over two slides]
Arbiter PUF
- Compare two paths with an identical delay in design.
- Random process variation determines which path is faster.
- An arbiter (usually a latch) outputs a 1-bit digital response.
[Figure: switching component operation for C = 0 and C = 1; arbiter operation (latch with D and clk inputs) giving R = 0/1]
Ring Oscillator PUF
- Compare frequencies of two oscillators
- The faster oscillator is randomly determined by manufacturing variations
- Disadvantage: exponential hardware requirement
[Figure labels: N oscillators (1, 2, ..., N; example frequencies 2467 MHz, 2519 MHz, 2453 MHz), MUX, Challenge, counter, >?, Response (0 / 1)]
Silicon PUFs Family
- Latch PUF cell
- SRAM PUF cell
- Butterfly PUF cell
- Bi-stable Ring PUF
- Loop PUF
- FF PUF cell
Metrics for Quality Measurement
- Uniformity: estimates how uniform the proportion of '0's and '1's is in the response bits of a PUF. For truly random PUF responses, this proportion must be 50%.
$$\text{uniformity}_i = \frac{1}{n}\sum_{l=1}^{n} r_{i,l}$$
where $r_{i,l}$ is the l-th binary bit of an n-bit response from a chip i.
Metrics for Quality Measurement (cont.)
- Uniqueness: represents the ability of a PUF to uniquely distinguish a particular chip among a group of chips of the same type.
- Ideal value is 50%
$$\text{uniqueness} = \frac{2}{k(k-1)}\sum_{i=1}^{k-1}\sum_{j=i+1}^{k}\frac{HD(R_i, R_j)}{n} \times 100\%$$
where $HD(R_i, R_j)$ is the Hamming Distance between the n-bit signatures of chips i and j, and k is the number of chips containing the PUF under interest.
Metrics for Quality Measurement (cont.)
- Reliability: how efficient a PUF is in reproducing the response bits.
- Employ intra-chip HD among several samples of PUF response bits to evaluate it.
- The same n-bit response is extracted at a different operating condition (different ambient temperature or different supply voltage)
- Ideal value is 100%
$$\text{reliability} = \Bigl(1 - \frac{1}{m}\sum_{t=1}^{m}\frac{HD(R_i, R_{i,t})}{n}\Bigr) \times 100\%$$
where $R_i$ is the n-bit response of PUF instance i at normal operating conditions and $R_{i,t}$ is the t-th sample of $R_i$.
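The three metrics as code, evaluated on a simulated ring-oscillator PUF population. This is an added example, not part of the original slides; the oscillator frequencies, the Gaussian measurement noise standing in for changed operating conditions, and the use of disjoint oscillator pairs are assumptions.

```python
import random
from itertools import combinations

def hd(a, b):
    # Hamming distance between two equal-length bit lists.
    return sum(x != y for x, y in zip(a, b))

def uniformity(resp):
    # Share of 1 bits in one chip's response, expressed in percent.
    return 100.0 * sum(resp) / len(resp)

def uniqueness(sigs):
    # Average pairwise inter-chip HD over k chips, in percent.
    k, n = len(sigs), len(sigs[0])
    total = sum(hd(a, b) / n for a, b in combinations(sigs, 2))
    return 100.0 * 2 * total / (k * (k - 1))

def reliability(ref, samples):
    # 100% minus the average intra-chip HD against the reference response.
    n, m = len(ref), len(samples)
    return 100.0 * (1 - sum(hd(ref, s) / n for s in samples) / m)

def ro_response(freqs, noise, rng):
    # One bit per disjoint oscillator pair: 1 if the first one measures faster.
    f = [x + rng.gauss(0.0, noise) for x in freqs]
    return [int(f[i] > f[i + 1]) for i in range(0, len(f), 2)]

def evaluate(k=10, n=128, seed=3):
    # Constructed population: k chips, 2n oscillators each around 2500 MHz.
    rng = random.Random(seed)
    chips = [[rng.gauss(2500.0, 10.0) for _ in range(2 * n)] for _ in range(k)]
    refs = [ro_response(c, 0.0, rng) for c in chips]              # nominal conditions
    noisy = [ro_response(chips[0], 0.5, rng) for _ in range(5)]   # m = 5 re-measurements
    avg_uniformity = sum(uniformity(r) for r in refs) / k
    return avg_uniformity, uniqueness(refs), reliability(refs[0], noisy)

if __name__ == "__main__":
    u, q, r = evaluate()
    print(f"uniformity {u:.1f}%  uniqueness {q:.1f}%  reliability {r:.1f}%")
```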
The Advantages
World without PUF:
- Trusted party embeds and tests secret keys in a secure nonvolatile memory (NVM)
- EEPROM adds additional complexity to manufacturing
- Adversaries may physically extract the secret key from nonvolatile memory
World with PUF:
- Intrinsic properties of the device are used to generate the secret key.
- Key never leaves the IC's cryptographic boundary, nor is it stored in a non-volatile memory.
- Key is deleted after usage in the de- or encryption process
Applications (1/2): Low-Cost Authentication
- Protect against IC/FPGA substitution and counterfeits without using cryptographic operations
[Figure: challenge-response pairs of authentic Device A are recorded in a database for Device A (1001010 -> 010101, 1011000 -> 101101, 0111001 -> 000110); after the untrusted supply chain / environments, a recorded challenge is applied to the PUF and its response is compared (=?) with the record: "Is this the authentic Device A?"]
Applications (2/2): Private/Public Key Pair Generation
- PUF response is used as a random seed to a private/public key generation algorithm
- No secret needs to be handled by a manufacturer
- A device generates a key pair on-chip, and outputs a public key
[Figure: PUF -> Seed -> Key Generation (ECC) -> Private key, Public key]
Security Parameters of PUF
Unclonability:
- Cannot be achieved using traditional cryptographic techniques.
- Two types of unclonability:
  - Physical Unclonability: a PUF is physically unclonable if a physical copy of the PUF with similar challenge/response behaviour cannot be made, even by the manufacturer.
  - Mathematical Unclonability: it is not possible to construct a mathematical approximator which models the original PUF behaviour up to some small error.
Unpredictability:
- Adversary can't predict the response to a new challenge from a known set of CRPs
Cloning of PUF
- Creating a physical clone of the PUF is considered infeasible
- The creation of a mathematical clone requires that the raw PUF response(s) be predicted with sufficient accuracy
- Non-invasive attack methods using side channel analysis on the PUF
- Invasive attack involving mechanical probing of r
- Attackers with access to contactless probing equipment can use a semi-invasive methodology to obtain the data of interest
PUF Attacks
Brute Force:
- To save every Challenge Response Pair (CRP)
- Physical access to the PUF is required
Replay Attack:
- Eavesdropping CRPs and playing them back
Modelling Attack (or Machine Learning Attack):
- Takes advantage of the relationship between challenge and response
- Build a PUF model using Machine Learning (ML) methods:
  - Support vector machine
  - Artificial neural network
  - Logistic regression
  - Evolutionary computing
- A set of CRPs is needed to train the ML algorithm
ML Attack on Arbiter PUF
Modeling Attacks by Machine Learning (Rührmair et al.)
Logistic Regression technique, success rate:
- Arbiter: 99.9% using 18K CRPs in 0.6 sec. (64 taps)
- XOR Arbiter: 99% using 12K CRPs in 3 min 42 secs (4 XOR, 64 taps)
- Lightweight Arbiters: 99% using 12K CRPs in 1 hour and 28 mins (4 XORs, 64 taps)
- Feed-forward Arbiters: 99% using 5K CRPs in 47 mins and 7 secs (7 FF, 64 taps)
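Linear Delay Model of Arbiter PUF
$$\delta_{top}(i+1) = \frac{1 + C_{i+1}}{2}\,\bigl(p_{i+1} + \delta_{top}(i)\bigr) + \frac{1 - C_{i+1}}{2}\,\bigl(s_{i+1} + \delta_{bottom}(i)\bigr)$$
$$\delta_{bottom}(i+1) = \frac{1 + C_{i+1}}{2}\,\bigl(q_{i+1} + \delta_{bottom}(i)\bigr) + \frac{1 - C_{i+1}}{2}\,\bigl(r_{i+1} + \delta_{top}(i)\bigr)$$
where $C_i \in \{-1, 1\}$ denotes the challenge bit of the i-th stage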
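Linear Delay Model of Arbiter PUF (contd.)
$$\Delta(n) = \delta_{top}(n) - \delta_{bottom}(n)$$
$$\Delta(i+1) = C_{i+1}\,\Delta(i) + \alpha_{i+1}\,C_{i+1} + \beta_{i+1}$$
$$\alpha_n = \frac{p_n - q_n + r_n - s_n}{2}, \qquad \beta_n = \frac{p_n - q_n - r_n + s_n}{2}$$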
Linear Delay Model of Arbiter PUF
Let $p_k$ be the parity of challenge bits:
$$p_k = \prod_{i=k+1}^{n} C_i \quad\text{and}\quad p_n = 1$$
$$\Delta(n) = \alpha_1 p_0 + (\alpha_2 + \beta_1)\,p_1 + \cdots + (\alpha_n + \beta_{n-1})\,p_{n-1} + \beta_n p_n = \langle P, D \rangle$$
where $P = (p_0, p_1, \ldots, p_n)$ and $D = (\alpha_1,\ \alpha_2 + \beta_1,\ \ldots,\ \alpha_n + \beta_{n-1},\ \beta_n)$
- An Arbiter PUF is a linear classifier of random challenge vectors in n-dimensional space, where n is the total number of challenge bits
- Apply Support Vector Machine (SVM) using:
  - Parity vectors X are n-dimensional feature vectors
  - Constant vector d is the normal to the hyperplane that classifies challenges into two classes
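The linear delay model can be checked numerically, and a designer can use it to measure how predictable a simulated arbiter PUF is from a limited CRP set. The following is an added example, not code from the original slides; the Gaussian stage delays, the sizes and the plain logistic-regression trainer (used here in place of an SVM) are assumptions.

```python
import math, random

def make_puf(n, rng):
    # Constructed instance: per-stage delays (p, q, r, s); values are assumptions.
    return [[rng.gauss(10.0, 0.5) for _ in range(4)] for _ in range(n)]

def delta_recurrence(puf, ch):
    # Stage-by-stage delay model; ch[i] is the challenge bit in {-1, +1}.
    top = bot = 0.0
    for (p, q, r, s), c in zip(puf, ch):
        top, bot = (p + top, q + bot) if c == 1 else (s + bot, r + top)
    return top - bot

def parity(ch):
    # P = (p_0, ..., p_n) with p_k = C_{k+1} * ... * C_n and p_n = 1.
    feats, prod = [1], 1
    for c in reversed(ch):
        prod *= c
        feats.append(prod)
    return feats[::-1]

def delta_linear(puf, ch):
    # The same delay difference written as the inner product <P, D>.
    alpha = [(p - q + r - s) / 2 for p, q, r, s in puf]
    beta = [(p - q - r + s) / 2 for p, q, r, s in puf]
    D = [alpha[0]] + [a + b for a, b in zip(alpha[1:], beta)] + [beta[-1]]
    return sum(d * x for d, x in zip(D, parity(ch)))

def train(crps, epochs=20, lr=0.05):
    # Plain logistic regression by stochastic gradient ascent (no library).
    w = [0.0] * len(crps[0][0])
    for _ in range(epochs):
        for x, y in crps:
            z = max(-30.0, min(30.0, sum(a * b for a, b in zip(w, x))))
            g = lr * (y - 1.0 / (1.0 + math.exp(-z)))
            w = [a + g * b for a, b in zip(w, x)]
    return w

def model_accuracy(n=32, n_train=2000, n_test=1000, seed=1):
    # Fraction of unseen challenges whose response the trained model predicts.
    rng = random.Random(seed)
    puf = make_puf(n, rng)
    def crp():
        ch = [rng.choice((-1, 1)) for _ in range(n)]
        return parity(ch), int(delta_recurrence(puf, ch) > 0)
    w = train([crp() for _ in range(n_train)])
    hits = sum((sum(a * b for a, b in zip(w, x)) > 0) == (y == 1)
               for x, y in (crp() for _ in range(n_test)))
    return hits / n_test

if __name__ == "__main__":
    print(f"prediction accuracy on unseen challenges: {model_accuracy():.3f}")
```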
Reported Experimental Results
[D. Lim, M.S. Thesis, MIT, 2002]
- Worked on a computer simulation model of the Arbiter PUF
- Claimed 100% modeling accuracy by applying SVM (PUF size and training set size not mentioned)
[Maes et al, IEEE WIFS '12]
- Silicon (ASIC) data
- ASIC fabricated in 65 nm CMOS technology
- 64-bit Arbiter PUF
- 500 CRPs as training set
- Claims ~90% prediction accuracy using SVM
[CSE Dept., IIT-KGP]
- Silicon (FPGA data)
- 64-bit Arbiter PUF
- 5000 CRPs as training set
- ~96% prediction accuracy using SVM
Cryptanalytic Attack on PUF
- Machine learning based modeling attacks are considered successful if modeling accuracy is extremely high (e.g. > 95%)
- However, cryptographic notions of security are different
- Any computational technique that reduces a given PUF instance from being a random Boolean mapping to being a predictable mapping, with success rate better than ½, can be considered successful cryptanalysis:
  - Let P be an arbitrary PUF instance with m-bit challenge and 1-bit response. Then, the PUF instance P is considered to be secure if and only if there is no efficient algorithm which can predict, for a given challenge c, the corresponding response r with a probability of success greater than 1/2
- Such a notion has important implications on PUF security
Alternative to Classic ROPUF: Enhanced ROPUF [Maity et al, IEEE TC, 2012]
Main Goals
- Avoid the exponential hardware overhead of ROPUF
- Retain the robustness against machine learning attacks
- Improve reliability by having inherent error-correction capabilities at low hardware footprint
Main Ideas
- Have only n ROs (in place of $2^n$ ROs for classical ROPUF)
- Select multiple ROs for a given challenge (no. of ROs selected = Hamming Weight of the challenge)
- Output is a complex non-linear function of the chosen RO frequencies
- Retain auxiliary information called Helper Data, along with the response, to enable error correction
Response and Helper Data Generation
- e ( 1), q: real numbers, chosen security parameters
- A quantity Q is calculated based on the frequencies of the selected ROs
- Range of Q values is assigned alternately 0/1 labels over intervals of size q: this gives the response r
- W (real number between -q and q) is the helper data
- An incorrect response due to noisy Q can be corrected based on the value of W
Example: Response Generation
Corresponding value of W: $W = (2n - 0.5)\,q - Q = (2 \times 6 - 0.5) \times 1 - 10.8 = 0.7$
Example: Response Correction
- During decoding phase: assume $Q'$ is the observed value
- Then, correct response is given by:
- Note: the decoding scheme uses exactly opposite parity as the encoding scheme with respect to Q
- The scheme works if $|Q - Q'| < q/2$
- Thus, if Q (= 10.8) changes to $10.3 < Q' < 11.3$ for q = 1, correction is possible, otherwise not
- Hence, choice of q is crucial, and depends on the expected deviation levels of the RO frequencies of the particular implementation
Cryptanalysis of Enhanced ROPUF [DATE '15]
- This is a chosen challenge attack
- It is a divide-and-conquer approach that tries to recover individual terms in the expression of Q
- Let q = 1, and $Q = n + \delta$, where $0 \le \delta < 1$ and n = floor(Q). Then, we have the following observations:
  - $r \equiv n \pmod 2$
  - $\delta = W + 0.5$ if $W < 0$, otherwise $\delta = 1 - W + 0.5$
- If an adversary can recover the value of $\delta_{ij}$ corresponding to Q ij = w ij f i - f j e by setting only two challenge bits to 1 and the others to 0, then eventually she can recover the value of r by recovering one $\delta_{ij}$ value per chosen challenge
- Two variants of the attack are possible, differing in complexity and probability of success
Attack-1: All $W_{ij}$, $r_{ij}$ and $c_{ij}$ Values Available
- Algorithm can be easily modified to recover the value of r for any challenge of arbitrary form
- Data complexity: $O(m^2)$
- Time complexity: $O(t^2)$ if Hamming Weight of challenge is t
- Probability of success: 1
Attack-2: Only $r_{ij}$ and $c_{ij}$ Values Available
- Cryptanalysis is considerably more difficult when helper data is not available
- Main insight: since $Q = \sum Q_{ij} = \sum (n_{ij} + \delta_{ij})$, the parity of n = floor(Q), and the parity of the sum of the $\delta_{ij}$ quantities leak information about the value of the response r
- For sake of explanation, assume $c_1 = c_2 = c_3 = 1$, $c_i = 0$ for $i > 3$. Thus the challenge is $c = (1, 1, 1, 0, 0, \ldots, 0)$.
- $Q = Q_{12} + Q_{13} + Q_{23} = n_{12} + n_{13} + n_{23} + (\delta_{12} + \delta_{13} + \delta_{23})$ = n + (let)
- Adversary computes: p(n ) n (mod 2) and tries to guess p( ) (mod 2)
- Note that: Pr[p( ) = 0] = 2/3!, and hence if the adversary knows p(n ), she can predict the actual response with a success probability > ½!
Attack-2: Algorithm: $r_{ij}$ and $c_{ij}$ Values Available
- Data complexity: O(t)
- Time complexity: O(t)
- Probability of success:
  - t even: (1 + 1/t)/2, t > 4
  - t odd: (1 + 1/(3t-5))/2
- Attack not possible if t = 4
Experimental Results
- Virginia Tech. dataset for FPGA implementation of Enhanced ROPUF, downloaded from: http://rijndael.ece.vt.edu/puf/download.html
- Good agreement between theoretical and experimental bias
Thank You for Your Attention!