Challenge Codes for Physically Unclonable Functions (PUFs)

SLIDE 1

Challenge Codes for Physically Unclonable Functions (PUFs)

A Maximum Entropy Problem

Alexander Schaub (a), Olivier Rioul (a, b), Joseph Boutros (c), Jean-Luc Danger (a, d) & Sylvain Guilley (a, d)

(a) LTCI, Télécom ParisTech, Paris-Saclay Univ.
(b) CMAP, Ecole Polytechnique, Paris-Saclay Univ.
(c) Texas A&M University in Qatar
(d) Secure-IC

SLIDE 2

July 26, 2018

Télécom ParisTech Challenge Codes for Physically Unclonable Functions

Layout of the presentation

  • Introduction to Physically Unclonable Functions (PUFs)
  • Presentation of the Entropy Problem
  • Entropy Problem: Results

SLIDE 4

Physically Unclonable Functions

Motivation

  • Embedded Security
  • Anti-counterfeiting
  • Secure password storage

SLIDE 5

Physically Unclonable Functions

Definition and Usage

Definition

PUF: Physical device, behavior defined by:

  • Input: challenge bit-string $C \in \{0, 1\}^n$
  • Output: bit response $B \in \{0, 1\}$

and that is not clonable (physically and mathematically).

SLIDE 6

Physically Unclonable Functions

Definition and Usage

Unclonability

Physically unclonable: uncontrollable physical factors are present during manufacturing, so the elements of the circuit are built slightly differently each time.

  → Anti-counterfeiting: different circuit behavior for cloned hardware
  → Key storage: different key generated for each device

Mathematically unclonable: the attacker cannot predict the responses to challenges she has not observed yet.

  → Challenge-response authentication for embedded security (IoT, etc.)

SLIDE 7

Technological dispersion

Delay variation among devices

⇒ Gaussian distribution of the delays

SLIDE 8

Loop-PUF

Mathematical Description

Definition

Set of $M$ challenges (codewords): $C = (c_1, c_2, \ldots, c_M)$, where $c_i = (c_{i,1} c_{i,2} \ldots c_{i,n}) \in \{+1, -1\}^n$.

Loop-PUF: output results from delay differences, modeled by the inner product

$$c_i \cdot X = \sum_{j=1}^{n} c_{i,j} X_j$$

where $X = (X_1, X_2, \ldots, X_n)$ and $X_j \overset{\text{i.i.d.}}{\sim} \mathcal{N}(0, 1)$.

PUF response bits: $B_i = \operatorname{sign}(c_i \cdot X)$, $i = 1, \ldots, M$.

Objective: compute $H_C \overset{\text{def.}}{=} H(B_1, B_2, \ldots, B_M)$.

SLIDE 10

Entropy Computation

Motivation

If challenges are orthogonal, responses are independent¹.

  • The covariance matrix of the Gaussian vector $C \cdot X$ is equal to $\frac{C C^T}{n}$, and thus equal to the identity matrix in this case. Therefore, the delays are independent. Possible for $M = n$ when a Hadamard matrix of rank $n$ exists.

However, this is not the case when there are more challenges. Open problems:

  • What is the entropy for a code that is not orthogonal?
  • What is the maximum entropy for a given number of challenges?
  • What is the maximum entropy for all possible challenges?
  • What device complexity is needed for a given required key length?

¹ O. Rioul, P. Solé, S. Guilley, et al., “On the entropy of physically unclonable functions”, in IEEE International Symposium on Information Theory (ISIT), 2016, pp. 2928–2932.

SLIDE 11

Entropy Computation

Notations

In order to compute the maximal entropy, we consider the first $M = 2^{n-1}$ challenges in lexicographical order (adding more challenges does not increase the entropy). The corresponding entropy is denoted by $H_n$.

The possible outcomes of the random variables $(B_1, \ldots, B_M)$ are denoted by $b = b_1 b_2 \ldots b_M$, which we call sign vectors. We define

$$P_b = P_{b_1 b_2 \ldots b_M} = P[B_1 = b_1, B_2 = b_2, \ldots, B_M = b_M]$$

Thus,

$$H_n = \sum_{b \in \{\pm 1\}^{2^{n-1}}} -P_b \log_2(P_b)$$

SLIDE 12

Example Challenge Code

n = 4, M = 8

$$
C_4 = \begin{pmatrix}
1 & 1 & 1 & 1 \\
1 & 1 & 1 & -1 \\
1 & 1 & -1 & 1 \\
1 & 1 & -1 & -1 \\
1 & -1 & 1 & 1 \\
1 & -1 & 1 & -1 \\
1 & -1 & -1 & 1 \\
1 & -1 & -1 & -1
\end{pmatrix},
\qquad
\begin{pmatrix} b_1 \\ b_2 \\ b_3 \\ b_4 \\ b_5 \\ b_6 \\ b_7 \\ b_8 \end{pmatrix}
= \operatorname{sign}
\begin{pmatrix}
X_1 + X_2 + X_3 + X_4 \\
X_1 + X_2 + X_3 - X_4 \\
X_1 + X_2 - X_3 + X_4 \\
X_1 + X_2 - X_3 - X_4 \\
X_1 - X_2 + X_3 + X_4 \\
X_1 - X_2 + X_3 - X_4 \\
X_1 - X_2 - X_3 + X_4 \\
X_1 - X_2 - X_3 - X_4
\end{pmatrix}
$$

Hadamard matrix of order 4.

SLIDE 14

Entropy Computation

Quadrant probability of bivariate normal (M = 2)

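Let $Y_1 = c_1 \cdot X$, $Y_2 = c_2 \cdot X$, $\rho = \frac{E[Y_1 Y_2]}{n}$. Define $Y_1'$ such that $Y_2 \equiv \rho Y_1 - \rho' Y_1'$ and $\rho^2 + \rho'^2 = 1$. Then $Y_1 \perp\!\!\!\perp Y_1'$.

[Figure: axes $(Y_1, Y_2)$ ⇒ axes $(Y_1, Y_1')$]

$$P[Y_1 > 0, Y_2 > 0] = \frac{1}{4} + \frac{\arcsin(\rho)}{2\pi}$$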

SLIDE 15

Entropy Computation

Orthant probability of trivariate normal (M = 3)

We define $\rho_{i,j} \overset{\text{def}}{=} \frac{E[(c_i \cdot X)(c_j \cdot X)]}{n}$.

Orthant probability of trivariate normal:

$$P(c_1 \cdot X > 0,\ c_2 \cdot X > 0,\ c_3 \cdot X > 0) = \frac{1}{8} + \frac{\arcsin(\rho_{1,3}) + \arcsin(\rho_{1,2}) + \arcsin(\rho_{2,3})}{4\pi}$$

Exact computations for small $M$ are possible. Thus, the exact computation of $H_n$ is possible for small $n$ (thanks to the use of symmetries).

SLIDE 16

Entropy Computation

Small PUFs

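Exact entropy calculations for $n \le 4$ are possible:

| $n$ | 1 | 2 | 3 | 4 |
|---|---|---|---|---|
| $H_n$ | 1 | 2 | $H_3 \simeq 3.6655\ldots$ | $\frac{14}{3} + \log_2 3 \simeq 6.2516\ldots$ |

Where:

$$H_3 = -\left(1 - \frac{6 \arcsin\frac{1}{3}}{\pi}\right) \log_2\left(\frac{1}{8} - \frac{3 \arcsin\frac{1}{3}}{4\pi}\right) - 6\,\frac{\arcsin\frac{1}{3}}{\pi} \log_2\left(\frac{\arcsin\frac{1}{3}}{\pi}\right)$$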

SLIDE 17

Maximal Entropy

For $M \ge 4$, no closed-form expression for orthant probabilities exists. Ideas to obtain entropy results for $n$ up to 8:

  • Find sign vectors with zero probability.
  • For the resulting vectors: exploit symmetries to find sign vectors of equal probability.
  • Perform a simulation to evaluate the value of these probabilities.
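
The simulation step can be tried directly on the Loop-PUF model for small n. The following is an added example, not code from the presentation: it samples X, estimates the entropy without any symmetry reduction, and compares with the exact values of H_3 and H_4 given earlier; the function names, sample count and seed are choices of this example.

```python
import itertools
import math
import random
from collections import Counter

def challenge_code(n):
    """First M = 2^(n-1) challenges in lexicographic order (first entry +1)."""
    return [(1,) + t for t in itertools.product((1, -1), repeat=n - 1)]

def estimate_entropy(n, samples=100_000, seed=1):
    """Plug-in estimate of H_n from simulated delay vectors X ~ N(0, I_n).

    Returns (entropy in bits, number of distinct sign vectors observed).
    """
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    code = challenge_code(n)
    counts = Counter()
    for _ in range(samples):
        x = [rng.gauss(0.0, 1.0) for _ in range(n)]
        # B_i = sign(c_i . X), stored as True for +1 and False for -1
        b = tuple(sum(c * v for c, v in zip(ci, x)) > 0 for ci in code)
        counts[b] += 1
    entropy = -sum(k / samples * math.log2(k / samples) for k in counts.values())
    return entropy, len(counts)

def h3_closed_form():
    """H_3 from the closed-form expression: it weights 8 sign vectors of
    probability 1/8 - 3a/(4 pi) and 6 of probability a/pi, a = arcsin(1/3)."""
    a = math.asin(1 / 3)
    p = 1 / 8 - 3 * a / (4 * math.pi)
    q = a / math.pi
    return -8 * p * math.log2(p) - 6 * q * math.log2(q)

def h4_closed_form():
    """H_4 = 14/3 + log2(3), as given in the table of exact values."""
    return 14 / 3 + math.log2(3)

if __name__ == "__main__":
    for n, exact in ((3, h3_closed_form()), (4, h4_closed_form())):
        est, seen = estimate_entropy(n)
        print(f"n={n}: simulated {est:.4f} bits over {seen} sign vectors, exact {exact:.4f}")
```

The plug-in estimator is biased slightly downward, and the bias grows with the number of distinct sign vectors relative to the sample count.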

SLIDE 18

Zero-probability Sign-Vectors

Definition and Results

A zero-probability sign-vector is a sign vector $b$ for which $P_b = 0$.

We have the following characterization:

$$P_b = 0 \iff \exists\, \alpha = (\alpha_1, \ldots, \alpha_M) \in \mathbb{R}^M \setminus \{0\}^M : \operatorname{sign}(\alpha_i) = b_i \text{ when } \alpha_i \neq 0 \text{ and } \sum_{i=1}^{M} \alpha_i c_i = 0$$

We call $\alpha$ an annihilator for $b$, if it exists.

Fact: If $b$ admits an annihilator, then there exists an annihilator for $b$ with weight at most $n + 1$.

Fact: for the maximal code of size $M = 2^{n-1}$, any annihilator has weight at least 4.
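
The characterization can be checked by brute force on the small codes. This is an added example, not part of the original slides: it searches only annihilators whose coefficients are 0 or ±1 (a simplification; the characterization allows any real coefficients with the right signs), and the function names are hypothetical.

```python
import itertools

def challenge_code(n):
    """First M = 2^(n-1) challenges in lexicographic order (first entry +1)."""
    return [(1,) + t for t in itertools.product((1, -1), repeat=n - 1)]

def weight(alpha):
    """Number of non-zero coefficients of alpha."""
    return sum(1 for a in alpha if a != 0)

def unit_annihilators(code, b):
    """All alpha != 0 with alpha_i in {0, b_i} and sum_i alpha_i * c_i = 0.

    Restricting the coefficients to 0 and +-1 is a simplification made for
    this example. Every alpha returned here still proves P_b = 0, but a
    sign vector with no such alpha is not thereby shown to have P_b > 0.
    """
    n = len(code[0])
    found = []
    for mask in itertools.product((0, 1), repeat=len(code)):
        alpha = tuple(m * bi for m, bi in zip(mask, b))
        if any(alpha) and all(
            sum(a * c[j] for a, c in zip(alpha, code)) == 0 for j in range(n)
        ):
            found.append(alpha)
    return found

def certified_zero_probability(n):
    """Map each sign vector with a 0/+-1 annihilator to a minimum-weight one."""
    code = challenge_code(n)
    certified = {}
    for b in itertools.product((1, -1), repeat=len(code)):
        anns = unit_annihilators(code, b)
        if anns:
            certified[b] = min(anns, key=weight)
    return certified

if __name__ == "__main__":
    for n in (3, 4):
        cert = certified_zero_probability(n)
        weights = sorted({weight(a) for a in cert.values()})
        print(f"n={n}: {len(cert)} sign vectors certified, annihilator weights {weights}")
```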

SLIDE 19

Zero-probability Sign-Vectors

Results and Conjectures

Conjecture: If $b$ admits an annihilator, then there exists an annihilator for $b$ with minimal weight 4 (checked for $n = 1, \ldots, 7$).

Knowing zero-probability vectors of order $n$ rules out many vectors at order $n + 1$.

$H_n \le$ Max-entropy $= \log_2(\#\text{ non-zero probability vectors})$.

| n | Maximum # of outcomes | Non-zero probabilities | Proportion among outcomes | max-entropy (bits) |
|---|---|---|---|---|
| 1 | 2 | 2 | 1. | 1. |
| 2 | 4 | 4 | 1. | 2. |
| 3 | 16 | 14 | 0.875 | 3.8073 |
| 4 | 256 | 104 | 0.40625 | 6.7004 |
| 5 | 65536 | 1882 | 0.0287 | 10.8780 |
| 6 | 4294967296 | 94572 | 2.202 · 10^−5 | 16.5291 |
| 7 | ∼ 1.8 · 10^19 | 15 028 134 | 8.147 · 10^−13 | 23.8411 |
| 8 | ∼ 3.4 · 10^38 | 8 378 070 864 | 2.462 · 10^−29 | 32.9640 |

SLIDE 20

Symmetry Exploitation

Sign symmetry

Gaussian random variables are symmetric: $X_i \overset{d}{=} -X_i$.

Changing the signs of the Gaussian r.v. is equivalent to multiplying all lines of the challenge matrix with these signs.

If the sign of $X_1$ is not changed, this is equivalent to a permutation of the lines of the challenge matrix. The original and the permuted sign vectors have the same probability.

SLIDE 21

Example of Sign Symmetry

n = 4

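Example vector: $s = (+1\ \ {-1}\ \ {+1}\ \ {-1})$

$$
\begin{pmatrix}
1 & 1 & 1 & 1 \\
1 & 1 & 1 & -1 \\
1 & 1 & -1 & 1 \\
1 & 1 & -1 & -1 \\
1 & -1 & 1 & 1 \\
1 & -1 & 1 & -1 \\
1 & -1 & -1 & 1 \\
1 & -1 & -1 & -1
\end{pmatrix}
\cdot \operatorname{diag}(s) =
\begin{pmatrix}
1 & -1 & 1 & -1 \\
1 & -1 & 1 & 1 \\
1 & -1 & -1 & -1 \\
1 & -1 & -1 & 1 \\
1 & 1 & 1 & -1 \\
1 & 1 & 1 & 1 \\
1 & 1 & -1 & -1 \\
1 & 1 & -1 & 1
\end{pmatrix}
= P_\sigma C_4
$$

where $\sigma = (1\ 6) \circ (2\ 5) \circ (3\ 8) \circ (4\ 7)$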

SLIDE 22

Symmetry Exploitation

Permutation symmetry.

All $X_i$ have the same distribution, thus, $(X_i, X_j) \overset{d}{=} (X_j, X_i)$ for $i \neq j$.

A permutation of the $X_i$ corresponds to a permutation of the columns in the challenge code.

Due to the structure of the challenge code, a permutation of the columns (when the first column is not involved) corresponds to a permutation of the lines. The original and the permuted (according to permutation of the lines) sign vectors have the same probability.

Similar result holds if the first column is not a fixed point of the permutation (need to multiply the sign vector by a column of $C$).

SLIDE 23

Example of Permutation Symmetry

n = 4

Example permutation: $\tau = (2\ 3)$.

$$
\begin{pmatrix}
1 & 1 & 1 & 1 \\
1 & 1 & 1 & -1 \\
1 & 1 & -1 & 1 \\
1 & 1 & -1 & -1 \\
1 & -1 & 1 & 1 \\
1 & -1 & 1 & -1 \\
1 & -1 & -1 & 1 \\
1 & -1 & -1 & -1
\end{pmatrix}
\cdot P_\tau =
\begin{pmatrix}
1 & 1 & 1 & 1 \\
1 & 1 & 1 & -1 \\
1 & -1 & 1 & 1 \\
1 & -1 & 1 & -1 \\
1 & 1 & -1 & 1 \\
1 & 1 & -1 & -1 \\
1 & -1 & -1 & 1 \\
1 & -1 & -1 & -1
\end{pmatrix}
= P_\sigma C_4
$$

where $\sigma = (3\ 5) \circ (4\ 6)$

SLIDE 24

Symmetry Exploitation

Wrap-up

We obtain equivalence classes of sign vectors with same probability by applying aforementioned transformations. This makes computing the entropy tractable up to $n = 7$.

| n | Equivalence classes | Estimated entropy |
|---|---|---|
| 1 | 1 | 1. |
| 2 | 1 | 2. |
| 3 | 2 | 3.6655 |
| 4 | 3 | 6.251 |
| 5 | 7 | 9.97 |
| 6 | 21 | 15.24 |
| 7 | 135 | 21.9 |
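
For n ≤ 4, both the number of non-zero-probability sign vectors from the max-entropy table and the equivalence-class counts above can be reproduced by enumeration. This is an added example, not the authors' code: it finds realizable sign vectors by scanning integer points x instead of testing annihilators, applies the sign and permutation symmetries to x rather than to the lines of the challenge matrix, and relies on a grid bound that is assumed only for n ≤ 4.

```python
import itertools
import math

def challenge_code(n):
    """First M = 2^(n-1) challenges in lexicographic order (first entry +1)."""
    return [(1,) + t for t in itertools.product((1, -1), repeat=n - 1)]

def sign_vector(code, x):
    """b_i = sign(c_i . x), or None when x lies on a hyperplane c_i . x = 0."""
    dots = [sum(c * v for c, v in zip(ci, x)) for ci in code]
    return None if 0 in dots else tuple(1 if d > 0 else -1 for d in dots)

def representatives(n):
    """One integer point x for every sign vector b with P_b > 0.

    Assumption of this example: n <= 4, where the grid |x_j| <= n meets
    every open cell cut out by the hyperplanes c_i . x = 0.
    """
    if not 1 <= n <= 4:
        raise ValueError("grid bound used here only covers n <= 4")
    code, reps = challenge_code(n), {}
    for x in itertools.product(range(-n, n + 1), repeat=n):
        b = sign_vector(code, x)
        if b is not None:
            reps.setdefault(b, x)
    return reps

def max_entropy(n):
    """log2(# non-zero-probability sign vectors), an upper bound on H_n."""
    return math.log2(len(representatives(n)))

def equivalence_classes(n):
    """Class sizes of equiprobable sign vectors, keyed by a canonical member.

    X and gX have the same law for any signed permutation g of the
    coordinates, so sign(C x) and sign(C g x) are equally likely.
    """
    code, sizes = challenge_code(n), {}
    for x in representatives(n).values():
        canonical = min(
            sign_vector(code, [s * x[p] for s, p in zip(signs, perm)])
            for perm in itertools.permutations(range(n))
            for signs in itertools.product((1, -1), repeat=n)
        )
        sizes[canonical] = sizes.get(canonical, 0) + 1
    return sizes
```

`equivalence_classes(4)` returns three classes whose sizes sum to the 104 realizable sign vectors, so only three probabilities remain to be evaluated at n = 4.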

SLIDE 25

Results Obtained

[Figure: Entropy (in bits) as a function of n, for n = 1 to 8. Curves: Entropy, Quadratic fit (Entropy), Max-entropy, Quadratic fit (Max-entropy).]

SLIDE 26

Conclusion

We presented the theoretical model of the Loop-PUF, and computed the maximal entropy and max-entropy. Results up to n = 8 were obtained, but the computational complexity is too high for larger values. Perspectives: find (perhaps approximate) entropy formulas for larger values, using for example compressed sensing techniques.