Physical(ly) Unclonable Functions An introduction to Intrinsic PUFs - - PDF document

SLIDE 1

1

Physical(ly) Unclonable Functions

An introduction to Intrinsic PUFs

Ingrid Verbauwhede Slide courtesy: Roel Maes COSIC – K.U.Leuven Supported by: IWT and

ECRYPT, ALBENA, MAY 2011

2

Introduction

Goal of this talk try to answer the question:

What is a PUF? What is it usage? Can we use it as an unclonable device

identifier?

P.U.F.?

• P.U.F. Physical Unclonable Function

a physical function which is unclonable in every sense

• P.U.F. Physically Unclonable Function

a function which is unclonable in a physical sense

SLIDE 2

2

ECRYPT, ALBENA, MAY 2011

3

Introduction (cont.)

Need for unique identification of devices or goods

• Example: RFID tags
• Secure storage of a key bit string (non volatile memory, battery

backed up SRAM, fuses, etc.) Problem: personalization step during fabrication

• Expensive, extra processing steps
• Post-processing e.g. by blowing fuses

Idea: use physical uniqueness of devices Idea: use CMOS process variations for this

• Threshold voltage
• Oxide thickness
• Metal line shapes

ECRYPT, ALBENA, MAY 2011

4

Functional description of PUF

For use in crypto applications PUF = (physical) function which is physically

unclonable

Very hard (“impossible”) to produce two PUFs with

similar challenge-response behavior

Easy to construct and evaluate a random PUF PUF Challenge Response

SLIDE 3

3

ECRYPT, ALBENA, MAY 2011

5

Basic properties of PUF

Minimum requirements:

For two random PUFs, difference between expected

responses to same challenge, should be large

For single random PUF, difference between two measured

responses to same challenge, should be small

For single random PUF, uncertainty about response to

challenge is large, when one does not have access to this PUF instance = manufacturing variability is ‘large’ = noise, aging, temperature effects,… are limited = unpredictability is large

ECRYPT, ALBENA, MAY 2011

6

Intrinsic PUFs

Use inherent manufacturing variability present in

CMOS fabrication

Keep measured PUF responses inside chip

Useful for secure key storage! Requirements:

PUF + measurement circuit + post-processing

inside chip

Standard processing, no extra processing steps

SLIDE 4

4

ECRYPT, ALBENA, MAY 2011

7

MOS Transistor

Gate voltage below “threshold” - No current

(there is subthreshold current)

Gate voltage above “threshold” - current can flow Threshold = f(doping concentration)

ECRYPT, ALBENA, MAY 2011

8

Delay of gate

Time to charge or discharge capacitances at output Delay t = C x V / I I = f (Cox, (VGS - VTh)) Process variations:

• Oxide thickness
• Threshold voltage
• Capacitance

0-1 transition

SLIDE 5

5

ECRYPT, ALBENA, MAY 2011

9

Outline

Introduction A few examples of Intrinsic PUFs PUF properties PUF applications Conclusion

First example: Arbiter PUF

Delay based intrinsic PUF

SLIDE 6

6

ECRYPT, ALBENA, MAY 2011

11

Arbiter PUF: basic operation

Initial design [Lee et al, MIT 2004]

• switch block: e.g. two muxes
• arbiter: e.g. a latch or a flip-flop
• n switch blocks 2n “different” delays

1 1 1

Arbiter

0/1 Challenge Response

Switch Block

ECRYPT, ALBENA, MAY 2011

12

Arbiter PUF: experiments [Lee04]

Results:

• 10000 CRPs from 37 ASICs
• 64-stage arbiter PUF
• Results on FPGA [Lee at al 04] : μinter = 1.05%, μintra = 0.3%

[Lee04]

μinter = 23% μintra 0.7% μintra 3.47% (voltage variation) μintra 4.82% (temperature variation)

[L04]

SLIDE 7

7

ECRYPT, ALBENA, MAY 2011

13

Arbiter PUF: analysis

delay additive !

• leads to model-building attack (linear programming)
• also machine-learning techniques (Artificial Neural Networks, Support Vector

Machines, …)

Attack results:

• ASIC: 3.55% prediction error with SVM trained with 5000 CRPs ( < μintra !!!)
• FPGA: 0.6% prediction error with perceptron trained with 90000 CRPs

Extensions [Ozturk et al 2008]

• tri-state buffer based delay circuit comparable to switch-based
• Simulation: prediction error < 3% for linear programming on 4000 CRPs

Conclusion: (Improved) arbiter PUFs can be accurately

modelled (= “cloned”) from polynomial # known CRPs

Second example: Ring Oscillator PUF

Delay based Intrinsic PUF

SLIDE 8

8

ECRYPT, ALBENA, MAY 2011

15

fA fB fA fB

Ring Oscillator PUF: basic operation

Initial design [Gassend et al 2003] Compensation

• To eliminate (scaling)

environmental influence One-bit compensation

[Suh 2007]

• To avoid costly division

Response ~ f

Delay Edge detector Counter

++ Challenge Response

÷

Response

• 0 if fA < fB

1 if fA fB r = fA / fB

f

ECRYPT, ALBENA, MAY 2011

16

Ring Oscillator PUF: experiments

Results [Suh2007]:

• measurements on 15 FPGAs, 1024

loops/FPGA and 1 out of 8 masking

μinter = 46.15% μintra = 0.48% (with temp./volt. var.)

SLIDE 9

9

ECRYPT, ALBENA, MAY 2011

17

Ring Oscillator PUF: analysis

Modelling attacks?

same as arbiter PUFs for basic design not for fixed delay circuit as in [Suh 2007]

but much less challenges! [N/2 < #challenges < log2(N!)] inefficient area use

SRAM PUF

Memory based Intrinsic PUF

SLIDE 10

10

ECRYPT, ALBENA, MAY 2011

19

SRAM PUF: basic operation

SRAM cell:

(6T-CMOS)

Which state right after power-up?

• depends on physical mismatch between M2 and M4
• power-up state =

measure for manufacturing variability

Q Q Q Q 1 1 2 possible stable states 1-bit storage

ECRYPT, ALBENA, MAY 2011

20

SRAM PUF: basic operation

SRAM PUF

• challenge = SRAM address
• response = power-up state of addressed cell(s)

Guajardo et al 2007

• SRAM on FPGA

Holcomb et al 2007

• COTS SRAM
• SRAM on embedded micro-controller

Q Q Q Q power-up state: Q = 0 Q = 1

SLIDE 11

11

ECRYPT, ALBENA, MAY 2011

21

SRAM PUF: experiments

Results [Guarjado et al CHES 2007]

• measurements on FPGA, 8190 bytes from different SRAM blocks
• intra = 3.57% , intra = 0.13% inter = 49.97% , inter = 0.3%

ECRYPT, ALBENA, MAY 2011

22

SRAM PUF: experiments

Results [Holcomb, Burleson, Fu 2009]

• measurements on two types of devices
• COTS SRAM chip: 5120 64-bit blocks on 8 ICs
• Embedded SRAM in C: 15 64-bit blocks on 3 ICs

SRAM chip Embedded SRAM

μinter = 43.16% μintra = 3.8% μinter = 49.34% μintra = 6.5%

SLIDE 12

12

ECRYPT, ALBENA, MAY 2011

23

Outline

Introduction Examples of Intrinsic PUFs PUF properties PUF applications Conclusion

ECRYPT, ALBENA, MAY 2011

24

Quick overview

Evaluatable: y = PUF (x) is easy Unique: PUF(x) contains some unique information Reproducible: PUF() has only small error Unclonable: hard to make PUF’(x) given PUF(x) Unpredictable: hard to find yN=PUF(xN) given other

x, y pairs

One-way: given y and PUF(), cannot find x Tamper evident: tampering changes PUF()

SLIDE 13

13

ECRYPT, ALBENA, MAY 2011

25

Compare PUF constructions

1.

OPT

Optical PUF [P01][STO06]

• Challenge = laser orientation
• Response = Gabor hash of speckle pattern

2.

COAT

Coating PUF [TSSVVW06]

• Challenge = sensor pair selection
• Response = quantized capacitance measurement

3.

ARB

Basic switch-based arbiter PUF [L04]

• Challenge = switch-block delay setting
• Response = one-bit arbiter decision

4.

FF-ARB

Feed-forward arbiter PUF [L04]

• Challenge = (reduced) switch-block delay setting
• Response = one-bit arbiter decision

5.

LW-ARB

Lightweight arbiter PUF [MKP08]

• Challenge = pre-challenge to input-network
• Response = one-bit XOR of arbiter decisions

6.

RO

Basic switch-based ring oscillator PUF with division compensation [GCVD02b][B03]

• Challenge = switch-block delay setting
• Response = ratio of two counter values

7.

1B-RO

Inverter ring oscillator PUF with comparator compensation [SD07]

• Challenge = oscillator pair selection
• Response = one-bit comparator output

8.

SRAM/FF

SRAM PUF [GKST07], flip-flop PUF [MTV08b]

• Challenge = SRAM cell address
• Response = one-bit power-up state of addressed cell

9.

LATCH/BUTTER

Basic latch PUF [SHO07], butterfly PUF [KGMST08]

• Challenge = latch/butterfly cell selection
• Response = one-bit settling state of excited cell

10.

CPUF

Controlled PUF [GCVD02]

• Challenge = pre-PUF hash input
• Response = post-PUF hash output

11.

ID

pre-programmed digital identifier

• Challenge = ask identifier
• Response = identifier value

12.

PK

pre-programmed asymmetric private key

• Challenge = random nonce
• Response = signature on nonce

13.

TRNG

true random number generator

• Challenge = ask true random number
• Response = “physically produced” true random number

ECRYPT, ALBENA, MAY 2011

26

PUF properties table

No protection If good crypto Knows private key Knows private key Copy key Perfect If good RNG Computation

PK

If good TRNG

TRNG

If good hash If good hash If good hash If good PUF If good ECC Integrated

CPUF

No protection Trivial Trivial Trivial Copy ID Perfect If good RNG Very fast

ID Tamper Evident

If q << 5000 If q << 50000 If q << 50000 If q << 5000

Unpred .

1-bit response 1-bit response 1-bit response 1-bit response 1-bit response 1-bit response Few challenges

One- way

Full readout Full readout Full readout Modellable Modellable Modellable Modellable Full readout

Math. Unclon. Phys. Unclon. Reprod . Unique

Integrated Integrated (+ power-up!) Integrated Integrated Integrated Integrated Integrated Integrated (extra process) Mechanical procedure

Eval. LATCH / BUTTE R SRAM/ FF 1B-RO RO LW- ARB FF- ARB ARB COAT OPT

Reference

SLIDE 14

14

ECRYPT, ALBENA, MAY 2011

27

Outline

Introduction Examples of Intrinsic PUFs PUF properties PUF applications Conclusion

ECRYPT, ALBENA, MAY 2011

28

PUF Applications

System identification

• anti-counterfeiting
• hardware binding
• hardware metering (passive)

Secret Key Generation

• secure key storage
• secure key distribution

Hardware Entangled Cryptography

• side-channel resistance provable physical security?

key-based crypto …

SLIDE 15

15

ECRYPT, ALBENA, MAY 2011

29

System Identification

Very similar to biometrical identification systems Easy, fast, straightforward, but limited security

• e.g. no authentication

Optimal Identification Threshold FRR: False Rejection Rate FAR: False Acceptance Rate Distance measure Frequency Intra-distance Inter-distance

PUF A

x yA

PUF A

x yA’

PUF B

x yB yA yA’ yA yB

ECRYPT, ALBENA, MAY 2011

30

Key Generation

Integration of PUFs with keyed crypto primitives Key extraction “non-volatile” key storage in a “non-digital” way

• key only digitally present when needed in crypto computation

no long-term digital storage required unique key material “intrinsically” present

• no key programming step required

however, two-phase key generation: enrollment - reproduction

PUF

Key Extraction

x y K Crypto

SLIDE 16

16

ECRYPT, ALBENA, MAY 2011

31

Hardware Entangled Cryptography

Embedded integration of PUFs in crypto primitives Secret parameter = device-unique PUF behavior

• no digital key present at any point

no digital key-storage required whatsoever

• Basic complexity/cryptographic assumptions about PUFs are needed

No digital key constrains application scenarios! Topic of active research

Crypto PUF

x y

ECRYPT, ALBENA, MAY 2011

32

Conclusion

“What is a PUF?” is not an easy question We identified some minimal requirements which

• …are common to all known PUF constructions (exhaustively)
• …, but distinguish them from other primitives

“Which is the best PUF?” is an even harder question

• there are contradicting goals trade-offs
• application dependent

Still many open questions…

For an extended reference list, see website Roel Maes: http://rmaes.ulyssis.be/pufbib.php

SLIDE 17

17

ECRYPT, ALBENA, MAY 2011

33

Future work: “situating PUFs”

hard- programmed keys TRNGs PUFs

physical unclonability uniqueness vs reproducibility (μinter/μintra)

μinter > μintra μinter < μintra μintra = 0

physically unclonable practically physically clonable physically unclonable in practice practical physical cloning is hard ECRYPT, ALBENA, MAY 2011

34

References

• [LDT00] Keith Lofstrom and W. Robert Daasch and Donald Taylor, "IC identification circuit using device mismatch", ISSCC, 2000
• [P01] Ravikanth S. Pappu, "Physical one-way functions", PhD Thesis, MIT, 2001
• [GCVD02] Blaise Gassend and Dwaine Clarke and Marten van Dijk and Srinivas Devadas, "Controlled Physical Random Functions",

ACSAC, 2002

• [GCVD02b] Blaise Gassend and Dwaine Clarke and Marten van Dijk and Srinivas Devadas, "Silicon physical random functions",

ACM CCS, 2002

• [PRTG02] Ravikanth S. Pappu and Ben Recht and Jason Taylor and Niel Gershenfeld, "Physical one-way functions", Science, 2002
• [SCGVD03] G. Edward Suh and Dwaine Clarke and Blaise Gassend and Marten van Dijk and Srinivas Devadas, "AEGIS:

architecture for tamper-evident and tamper-resistant processing", ICS, 2003

• [B03] Blaise Gassend, "Physical Random Functions", Master's Thesis MIT, 2003
• [LLGSVD04] Jae W. Lee and Daihyun Lim and Blaise Gassend and G. Edward Suh and Marten van Dijk and Srinivas Devadas, "A

technique to build a secret key in integrated circuits for identification and authentication application", Symposium on VLSI Circuits, 2004

• [GLCVD04] Blaise Gassend and Daihyun Lim and Dwaine Clarke and Marten van Dijk and Srinivas Devadas, "Identification and

authentication of integrated circuits", Concurr. Comput. : Pract. Exper., 2004

• [TSSAO04] P. Tuyls and B. kori and S. Stallinga and A.H.M. Akkermans and W. Ophey, "An information theoretic model for

physical uncloneable functions", ISIT, 2004

• [L04] Daihyun Lim, "Extracting Secret Keys from Integrated Circuits", Master's Thesis MIT, 2004
• [V04] Serge Vrijaldenhoven, "Acoustical Physical Uncloneable Functions", Master's Thesis, T.U.Eindhoven, 2004
• [BCJPSXAFAB05] James D. R. Buchanan and Russell P. Cowburn and Ana-Vanessa Jausovec and Dorothee Petit and Peter Seem

and Gang Xiong and Del Atkinson and Kate Fenton and Dan A. Allwood and Matthew T. Bryan, "Forgery: `Fingerprinting' documents and packaging", Nature, 2005

• [TSSAO05] P. Tuyls and B. Skoric and S. Stallinga and A.H.M. Akkermans and W. Ophey, "Information-Theoretic Security Analysis
• f Physical Uncloneable Functions ", Financial Crypto (LNCS 3570), 2005
• [LLGSVD05] Daihyun Lim and Jae W. Lee and Blaise Gassend and G. Edward Suh and Marten van Dijk and Srini Devadas,

"Extracting secret keys from integrated circuits", IEEE Transactions on VLSI Systems, 2005

• [SOSD05] G. Edward Suh and Charles W. O'Donnell and Ishan Sachdev and Srinivas Devadas, "Design and Implementation of the

AEGIS Single-Chip Secure Processor Using Physical Random Functions", ISCA, 2005

• [STO06] B. kori and P. Tuyls and W. Ophey , "Robust key extraction from Physical Uncloneable Functions ", ACNS (LNCS 3531),

2005

• [TSSVVW06] Pim Tuyls and Geert-Jan Schrijen and Boris kori and Jan van Geloven and Nynke Verhaegh and Rob Wolters,

"Read-proof hardware from protective coatings", CHES, 2006

• [TS06] Pim Tuyls and Boris kori, "Physical Unclonable Functions for enhanced security of tokens and tags ", ISSE, 2006

SLIDE 18

18

ECRYPT, ALBENA, MAY 2011

35

References

• [ISSTW06] T. Ignatenko and G.J. Schrijen and B. kori and P. Tuyls and F. Willems , "Estimating the Secrecy Rate of Physical

Uncloneable Functions with the Context-Tree Weighting Method ", ISIT, 2006

• [SMKT06] B. kori and S. Maubach and T. Kevenaar and P. Tuyls, "Information-theoretic analysis of capacitive physical unclonable

functions", Journal of Applied Physics, 2006

• [DK07] Gerald DeJean and Darko Kirovski, "RF-DNA: Radio-Frequency Certificates of Authenticity", CHES, 2007
• [GKST07] Jorge Guajardo and Sandeep S. Kumar and Geert Jan Schrijen and Pim Tuyls, "FPGA intrinsic PUFs and their use for IP

protection", CHES, 2007

• [HBF07] Daniel E. Holcomb and Wayne P. Burleson and Kevin Fu, "Initial SRAM state as a fingerprint and source of true random

numbers for RFID tags", Conference on RFID Security, 2007

• [GKST07b] Jorge Guajardo and Sandeep S. Kumar and Geert Jan Schrijen and Pim Tuyls, "Physical unclonable functions and

public-key crypto for FPGA IP protection", FPL, 2007

• [SD07] G. Edward Suh and Srinivas Devadas, "Physical unclonable functions for device authentication and secret key generation",

DAC, 2007

• [SHO07] Y. Su and J. Holleman and B. Otis, "A 1.6pJ/bit 96% Stable Chip-ID Generating Circuit using Process Variations", ISSCC,

2007

• [OHS08] Ozturk, E. and Hammouri, G. and Sunar, B., "Towards Robust Low Cost Authentication for Pervasive Devices", PERCOM,

2008

• [OHS08b] Ozturk, E. and Hammouri, G. and Sunar, B., "Physical unclonable function with tristate buffers", ISCAS, 2008
• [GVCTDT08] Blaise Gassend and Marten Van Dijk and Dwaine Clarke and Emina Torlak and Srinivas Devadas and Pim Tuyls,

"Controlled physical random functions and applications", ACM TISSEC, 2008

• [AKKP08] Yousra Alkabani and Farinaz Koushanfar and Negar Kiyavash and Miodrag Potkonjak, "Trusted Integrated Circuits: A

Nondestructive Hidden Characteristics Extraction Approach", Information Hiding (LNCS), 2008

• [MKP08] Majzoobi Mehrdad and Koushanfar Farinaz and Potkonjak Miodrag, "Lightweight secure PUFs", ICCAD, 2008
• [MKP08b] Mehrdad Majzoobi and Farinaz Koushanfar and Miodrag Potkonjak, "Testing Techniques for Hardware Security", ITC,

2008

• [MTV08] R. Maes and P. Tuyls and I. Verbauwhede, "Statistical Analysis of Silicon PUF responses for Device Identification", SECSI,

2008

• [HOBS08] Ghaith Hammouri and Erdinc Ozturk and Berk Birand and Berk Sunar, "Unclonable Lightweight Authentication Scheme",

ICICS, 2008

• [MTV08b] R. Maes and P. Tuyls and I. Verbauwhede, "Intrinsic PUFs from Flip-flops on Reconfigurable Devices", WISSEC, 2008
• [HAS08] Ghaith Hammouri, Kahraman Akdemir, and Berk Sunar, "Novel PUF-based Error Detection Methods in Finite State

Machines", ICISC 2008, 2008

• [KGMST08] Sandeep S. Kumar and Jorge Guajardo and Roel Maes and Geert-Jan Schrijen and Pim Tuyls, "Extended abstract: The

butterfly PUF protecting IP on every FPGA", HOST, 2008 ECRYPT, ALBENA, MAY 2011

36

References

• [S09] Boris kori, "Quantum readout of Physical Unclonable Functions: Remote authentication without trusted readers and

authenticated Quantum Key Exchange without initial shared secrets", Cryptology ePrint Archive: Report 2009/369, 2009

• [KSSTS09] K. Kursawe and A. Sadeghi and D. Schellekens and P. Tuyls, and B. kori, "Reconfigurable Physical Unclonable

Functions -- Enabling Technology for Tamper-Resistant Storage", HOST, 2009

• [HAP09] Ryan Helinski and Dhruva Acharyya and Jim Plusquellic, "A physical unclonable function defined using power distribution

system equivalent resistance variations", DAC, 2009

• [GSTKBBS09] Jorge Guajardo and Boris kori and Pim Tuyls and Sandeep S. Kumar and Thijs Bel and Antoon H. M. Blom and

Geert-Jan Schrijen, "Anti-counterfeiting, key distribution, and key storage in an ambient world via physical unclonable functions", Information Systems Frontiers, 2009

• [RSS09] Ulrich Rührmair and Jan Sölter and Frank Sehnke, "On the Foundations of Physical Unclonable Functions", Cryptology

ePrint Archive, 2009

• [RCLSSC09] Ulrich Rührmair and Qingqing Chen and Paolo Lugli and Ulf Schlichtmann and Martin Stutzmann and György Csaba,

"Towards Electrical, Integrated Implementations of SIMPL Systems", Cryptology ePrint Archive, 2009

• [MNRS09] Abhranil Maiti, Raghunandan Nagesh, Anand Reddy, Patrick Schaumont, "Physical unclonable function and true random

number generator: a compact and scalable implementation", ACM Great Lakes Symposium on VLSI 2009, 2009

• [KBS09] Michael Kirkpatrick, Elisa Bertino, Frederick T. Sheldon, "Physically Restricted Authentication and Encryption for Cyber-

physical Systems", DHS Workshop on Future Directions in Cyber-physical Systems Security, 2009

• [R09] Ulrich Rührmair, "SIMPL Systems: On a Public Key Variant of Physical Unclonable Functions", Cryptology ePrint Archive, 2009
• [CJCPSSLR09] György Csaba and Xueming Ju and Qingqing Chen and Wolfgang Porod and Jürgen Schmidhuber and Ulf

Schlichtmann and Paolo Lugli and Ulrich Rührmair, "On-Chip Electric Waves: An Analog Circuit Approach to Physical Uncloneable Functions", Cryptology ePrint Archive, 2009

• [SM09] Boris Skoric and Marc X. Makkes, "Flowchart description of security primitives for Controlled Physical Unclonable Functions",

Cryptology ePrint Archive, 2009

• [MKP09] Mehrdad Majzoobi and Farinaz Koushanfar and Miodrag Potkonjak, "Techniques for Design and Implementation of Secure

Reconfigurable PUFs", ACM TRETS, 2009

• [BP09] Nathan Beckmann and Miodrag Potkonjak, "Hardware-Based Public-Key Cryptography with Public Physically Unclonable

Functions", Information Hiding (LNCS 5806), 2009

• [HBF09] Daniel E. Holcomb and Wayne P. Burleson and Kevin Fu, "Power-Up SRAM State as an Identifying Fingerprint and Source
• f True Random Numbers", IEEE Transactions on Computers, 2009
• [MTV09] Roel Maes and Pim Tuyls and Ingrid Verbauwhede, "A Soft decision helper data algorithm for SRAM PUFs", ISIT, 2009
• [BSQ09] P. Bulens and F.-X, Standaert and J.-J Quisquater, "How to Strongly Lonk Data and its Medium: the Paper Case", to appear

IET Information Security, 2009

• [J09] Tamara Jun, "Circuit approaches to Physical Cryptography", Diploma Thesis, T.U.München, 2009
• [HDS09] Ghaith Hammouri and Aykutlu Dana and Berk Sunar, "CDs Have Fingerprints Too ", CHES, 2009