New Insights to Key Derivation for Tamper-Evident Physical - PowerPoint PPT Presentation

New Insights to Key Derivation for Tamper-Evident Physical Unclonable Functions (PUFs) Vincent Immler, Karthik Uppund Conference on Cryptographic Hardware and Embedded Systems, Atlanta, Aug 26, 2019

PUF in a Nutshell: Biometrics of Objects PUF Object Properties apply stimulus easy to evaluate random response hard to predict ...sounds great! Let’s use this in HW crypto! | 1

PUF in a Nutshell: Example SoC binary response 011100 ... 01110 ALU 10011 ... 00010 0111 ... 01111 110 ... 10000 01 ... 11010 1 ... 01110 PUF non-initialized SRAM key derivation from response instead of key storage! advantages: delayering and optical analysis cannot reveal key disadvantages: noisy response necessitates error-correction | 2

PUFs and Probing (In-)Security SoC invasive probing ALU PUF What about other physical atacks? cf. “On the Physical Security of Physically Unclonable Functions” by Shahin Tajik | 3

PUFs and Probing (In-)Security: A Common Misconception SoC invasive probing ALU not claimed and not designed to resist atack PUF most PUFs � protection from live physical atacks (they are not tamper-evident, still needed:active meshes and other countermeasures) | 4

Idea of Tamper-Evident PUFs SoC PUF Assumptions invasive probing encloses system ALU sensitive to causes key tampering derivation to fail self-protective tamper-evident PUF = protection from probing atacks examples: Coating PUF (CHES’06), Waveguide PUF (’15), B-TREPID (HOST’18) | 5

Key Derivation based on Type of PUF PUF Response tamper-evident most PUFs 011100 ... 01110 PDF ( X ) 10011 ... 00010 0111 ... 01111 110 ... 10000 01 ... 11010 1 ... 01110 X i.i.d. bits � ??? bias? → debiasing noise? → binary ECC | 6

Two Well-Known Qantization Schemes equiprobable equidistant 000 001 · · · 101 100 a b c d e f g h symbols! no (i.i.d) bits! i.i.d. bits � no bias � biased! noise? → ECC? noise? → binary ECC | 7

Equiprobable Qantization: Partial Insensitivity to Atacks PDF of PUF population large intervals: atack possible w/o atacker change in value! { { { { { noise σ N assumption: σ N < atacker { PDF of instance | 8

Missing Selectivity of Binary ECC for Respones w/ Multiple Values capacitive PUF enrollment 101 111 100 000 111 reconstruction ECC w/ t=3 corrects all! case 1 xxx 111 100 000 111 case 2 101 111 x00 x00 x11 case 3 101 111 100 xx0 x11 (plus: bit string per capacitor < #intervals → large magnitude errors with only t = 1) | 9

Tamper-Sensitivity as High-Level Goal for PUF Key Derivation Tamper-Sensitivity Helper Data Storage Cost and Security and Performance of PUF Safety of PUF Key Derivation Key Derivation Logic Area Reliability Entropy Run-Time previous work: strong focus on making PUFs small and lightweight different approach needed: make PUFs tamper-evident, large, and secure! | 10

Two Definitions for Fair Comparison of Tamper-Sensitivity max -TS : Maximum Magnitude Tamper Insensitivity Defines the maximum magnitude of the atacker that goes undetected (worst-case). min -TS : Minimum Magnitude Tamper Sensitivity Defines the minimum magnitude of the atacker that is detected (best case). comparability: express magnitude in multiples of measurement noise σ N “practically best” physical security for max -TS = min -TS; and close to 1 (equal to σ N ) | 11

Zoo of Key Derivation Options for Tamper-Evident PUFs quantization error-correction binary ECC over Hamming distance (P5) raw output map to bits (fixed length) (P3) symbols map to bits (variable length) ECC over Levenshtein distance (P4) ? q-ary ECC over Hamming distance (P2) q-ary ECC over Lee distance (P6) | 12

P6: q-ary Channel Model and Limited Magnitude Codes (LMC) 0 0 wrap-around (Lee) 1 1 d Lee ( x , y ) = min (( x − y ) , q − ( x − y )) d Lee ( 0 , q − 1 ) = 1 q − 2 q − 2 non wrap-around (Manhatan) d Lee ( x , y ) = | x − y | q − 1 q − 1 d Lee ( 0 , q − 1 ) = q − 1 wrap-around (dashed + thick) non wrap-around (thick only, use this) | 13

LMC Types and Result High selectivity of error correction: magnitude, direction, # of magnitude errors l u a b c d e f g h i j k l m n o p 0 1 2 3 4 5 Q w = 2 yσ N Asymmetric tamper sensitive area l d l u S tamper insensitive area 0 1 2 3 4 5 Symmetric l d l u 0 1 2 3 4 5 l d l u Bidirectional | 14

Results Coating PUF parameters (node = single capacitor; device = all capacitors) H eff TS max TS max Distance ∞ Profile y L z ECC ( n , t ) node device [ bit ] [ σ N ] [ σ N ] Metric P1 5.4 8 128 – 267 5.4 692 none P2 2.3 32 4 RS ( 31 , 7 ) 122 148 4352 d H | S P3 3.6 16 5 BCH ( 127 , 2 ) 265 116 1577 d H | 2 P4 4.95 12 1 VT (· , 1 ) 276 65 693 d Lev P5 BCH ( 255 , 4 ) 2.87 8 2 320 112 2994 d H | 2 P6 LMC ( 63 , 10 ) 2.1 64 1 319 6 . 3 395 d Man | 15

Conclusions and Future Work � Tamper-evident PUFs are important for highest physical security � Physical design and key derivation must be optimized for tamper-sensitivity � Formalized tamper-sensitivity to beter assess PUF key derivation � Proposed new scheme to overcome previous limitations � Updated definitions of Uniqueness and Reliability for Lee/Manhaten metric � Responses based on symbols/higher-order alphabet � Benefits of same concept when applied to regular PUFs? � Impact of same concept on strong PUFs? � Future work: investigate beter quantization options | 16

Contact Information Vincent Immler Central Office for Information Technology in the Security Sector (ZITiS) For government inquiries only: vi n c e n t . i m m l e r @ z i t i . s b u n . d d e All other inquiries: sc i e n c e + c h e s 2 0 1 9 @ m m . s t This work was performed while with Fraunhofer Institute AISEC. | 17

Thank You! Qestions? | 18

Backup | 19

Profile 5: Equiprobable Qantization + BCH-based Code-Offset a b c d e f g h p ( X ) < 0 . 1% p ( X ) < 0 . 1% tamper sensitive area tamper insensitive area TS max node = � L i = 1 width ( Q i ) TS max device = z t TS max node + ( v − z t ) · Q max / 2 TS min node = 3 · Q min / 2 + ϵ iff t = 1 S TS min device = z t 3 · Q min / 2 + Q min / 2 + ϵ grayCode ( 0 ) = 00 .. 0 log 2 ( q ) graycode ( q − 1 ) = 10 .. 0 log 2 ( q ) | 20