Silicon PUFs and PUF-based Key Storage
Roel Maes, Intrinsic-ID, Eindhoven (NL)
June 6, 2014
Summerschool: Design and security of cryptographic algorithms and devices for real-world applications, Šibenik, Croatia

Roots of Trust
[Diagram: layered stack, top to bottom]
• Information Security Objectives: Entity Authentication, Data security, …
• Crypto Primitives: Symmetric Ciphers, Public Key Crypto, Hash / MAC, Protocols, …
• Execution Primitives: Secure Computation, Randomness Generation, Key Storage, …
• Physical Primitives: Secure Logic, Shielded Storage, Intrusion Detection, Logistic Control, PUFs, TRNGs, …

Physical Key Storage
[Diagram: Key Storage built on “Shielded” Storage: ROM, Fuses, Flash, Anti-fuses]
• Alternative to NVM-based key storage: PUF-based key storage
[Diagram: Key Storage built on a PUF]
• Main advantages:
  – Key not present when device is powered down
  – Key depends on device intrinsic randomness

PUFs: Physically Unclonable Functions
• On many levels, PUFs are more like fingerprints than like programmed keys:
  – Human fingerprint: unique per person; inherent from birth; impossible to “clone” humans with the same fingerprints
  – PUF: unique per device; inherent from production; infeasible to “clone” devices with the same PUF
  – Programmed key: no guarantee of uniqueness; programmed after production; easy to program many devices with the same key

Silicon PUFs: classification & advantages
• Many PUF(-like) proposals in a myriad of materials, techniques, …
  – Non-electronic PUFs, e.g. paper-based, optical PUFs, …
  – Electronic PUFs:
    · Non-silicon PUFs, e.g. impedance variations, RF-based, …
    · Silicon PUFs, based on process variations in standard silicon circuits: delay-based, memory-based, …
• Advantages of silicon PUFs:
  – Standard manufacturing with implicitly present randomness (“Intrinsic PUFs”)
  – Completely embedded in evaluating device
  – Easy integration with digital circuits → crypto implementations

Silicon PUFs: process variations
[Figure: “What you design for…” and “What you aim for…” versus “What you get:” after silicon process variations, e.g. speed, power, …]

Silicon PUF Constructions: general idea
• Silicon PUF construction = a silicon circuit whose response (y) is mainly determined by process variations (PV) and the applied challenge (x)
• Ideal silicon PUF: y = f(PV, x)
• Silicon PUFs in practice: y = f(PV, x; Temp, V_dd, Noise, Device age, …, Deterministic offset, Structural bias, …)
  – PUF behavior: PV, x
  – Unreliable: Temp, V_dd, Noise, Device age, …
  – Biased: Deterministic offset, Structural bias, …

Delay-based silicon PUFs
• Silicon process variations randomly affect delay of digital circuits
  [Figure: one digital circuit design turns into circuits (1), (2), (3) after process variations]
• Arbiter PUF exploits race conditions between identically designed delay lines
  [Figure: chain of switch blocks set by the challenge bits (e.g. 0 1 0 1 1 0), ending in an arbiter that outputs the response 0/1]

Delay-based silicon PUFs
• Ring Oscillator PUFs exploit frequency variability amongst identically designed ring oscillator circuits
  – Compare f1 ≥ f2 ? Response = 0 if f1 < f2; Response = 1 if f1 ≥ f2
  – (many variants possible…)
• Glitch PUF exploits variability in glitch behavior of identically designed combinatorial circuits
  – Challenge = input (transition)
  – #glitches = even ⇨ Response = 0; #glitches = odd ⇨ Response = 1
  [Figure: input register → combinatorial logic (e.g. AES S-box) → toggle flip-flop, with glitch waveform]

Bi-stable memory based PUFs: SRAM PUF
• Silicon process variations cause device “mismatch”
  [Figure: a matched circuit (=) turns into circuits (1), (2), (3) with mismatch (<, <, >) after process variations]
• SRAM PUF based on mismatch between “matched” inverters in SRAM cell (power-up behavior)
  [Figure: SRAM cell with nodes A and B and currents I1, I2; plot of V_A against V_B during power-up, with labels Stable (A=1), Metastable, Stable (A=0) and trajectories for I1 < I2 and I1 > I2]
  [Figure: typical SRAM array power-up pattern]

Bi-stable memory based PUFs: other elements
• Similar PUF behavior in other memory cells:
  – Latch PUF
  – D Flip-flop PUF
  – “Butterfly” PUF
  – Buskeeper PUF
  [Figure: circuit diagrams of the four cells; labels include Reset, preset, clear, Response and “Power-up behavior”]

Basic PUF properties: reproducibility
[Figure: a fingerprint database (Name: Alice, Fingerprint) next to a PUF database (Chip: A, PUF response); a fresh 32-bit response of PUF A is compared with the response stored in the database]
Intra-distance = 2 bit = 6.25%

Basic PUF properties: uniqueness
[Figure: 32-bit responses of Alice's PUF A and Bob's PUF B compared bit by bit]
Inter-distance = 15 bit = 46.88%

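The ring oscillator comparison and the intra-/inter-distance measurements from the slides above, as an added simulation that is not part of the original slides. The oscillator count, frequencies, variation and noise levels are constructed values, and pairing neighbouring oscillators is one assumed variant.

```python
import random

N_RO = 128          # ring oscillators per device (constructed value)
F_NOMINAL = 100.0   # MHz, the frequency every RO is designed for (constructed)
SIGMA_PV = 1.0      # MHz, spread caused by process variations (assumed)
SIGMA_NOISE = 0.05  # MHz, noise on each individual measurement (assumed)

def make_device(rng):
    """Fix each oscillator's actual frequency at 'manufacturing' time."""
    return [rng.gauss(F_NOMINAL, SIGMA_PV) for _ in range(N_RO)]

def evaluate(device, rng):
    """Measure every RO with noise, then compare pairs: 0 if f1 < f2, else 1."""
    f = [x + rng.gauss(0.0, SIGMA_NOISE) for x in device]
    return [0 if f[i] < f[i + 1] else 1 for i in range(0, N_RO, 2)]

def distance(a, b):
    """Fractional Hamming distance between two responses."""
    return sum(x != y for x, y in zip(a, b)) / len(a)

def simulate(n_devices=20, seed=2014):
    """Return (mean intra-distance, mean inter-distance) over simulated chips."""
    rng = random.Random(seed)
    devices = [make_device(rng) for _ in range(n_devices)]
    enrolled = [evaluate(d, rng) for d in devices]
    # Intra-distance: the same device evaluated a second time.
    intra = [distance(e, evaluate(d, rng)) for d, e in zip(devices, enrolled)]
    # Inter-distance: two different devices, same oscillator pairing.
    inter = [distance(enrolled[i], enrolled[j])
             for i in range(n_devices) for j in range(i + 1, n_devices)]
    return sum(intra) / len(intra), sum(inter) / len(inter)

if __name__ == "__main__":
    intra, inter = simulate()
    print(f"mean intra-distance: {intra:.2%}, mean inter-distance: {inter:.2%}")
```

Bits that flip between evaluations come from oscillator pairs whose frequency difference is smaller than the measurement noise, which is why the intra-distance stays small but nonzero.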
Basic PUF properties: unpredictability
[Figure: Eve predicts the response of PUF A from the database by combining insight and guessing]
Accurate prediction = 20 bits = 62.5%
• Complete (100%) unpredictability = guessing every bit → 50% prediction accuracy
• Use entropy to express unpredictability:
  – 50% accuracy → 100% entropy → 100% “guessing” and 0% “insight”
  – 62.5% accuracy → 95.4% entropy → 95.4% “guessing” and 4.6% “insight”
Unpredictability → 95.4% entropy

Basic PUF properties: “physical unclonability”
• Technical infeasibility/impossibility to create “non-unique” PUF instantiations
• Due to uncontrollable random process variations
[Figure: silicon process variations / variability as seen by the PUF developer versus the regular chip designer and chip manufacturer (“Minimize”)]

Silicon PUF-based applications
• Device identification
  – PUF response = device ID
• Device authentication
  – Some variant of: PUF challenge → PUF → PUF response = authentication secret
• Cryptographic key generation
  – PUF response = “static” source of entropy for key generation
  [Diagram, embedded on chip: PUF → Key Generator → CRYPTO: Encryption, Signing, Key wrapping, …]

Key generation/storage with Silicon PUFs
• Discrepancy between PUF response and crypto key:
  – PUF Response: reproducible: e.g. 3% intra-distance; unpredictable: e.g. 70% entropy
  – Secure Key: reproducible: 0% failure rate; unpredictable: 100% entropy
  [Diagram: PUF → PUF Response → Key Generator (???) → Secure Key]
• Key Generator:
  1. Improves reproducibility by taking care of intra-distance of response = correct bit errors
  2. Improves unpredictability by extracting unpredictable part of response = compress & accumulate entropy

PUF-based key generation: Error correction
[Figure: two 32-bit responses of the same PUF are combined with helper data (“Correct”) into a corrected PUF response]
• Before correction:
  – Intra-distance = 1 bit
  – Entropy = 70% = 22.4 bit
• After correction:
  – Intra-distance = 0 bit
  – Entropy Left = 10.4 bit
• Entropy Loss = 12 bit
• Result: reproducibility improves drastically, but unpredictability decreases due to helper data leakage

PUF-based key generation: Entropy extraction
[Figure: Corrected PUF Response → Compress → Secure Key]
• PUF Response Length: 96 bit
• Accumulated Entropy: 31.2 bit
• Key Length: 30 bit
• Result: Sufficient unpredictability achieved by accumulating and compressing response bits
• Extracted key length ≤ total accumulated entropy

PUF-based key generation: Fuzzy Extractor
• Combination of error correction and entropy extraction
[Figure: Key Generator that takes the PUF response and the helper data and outputs the key]

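An added sketch of the key generator described in the error correction, entropy extraction and fuzzy extractor slides (not code from the original slides). It assumes the code-offset construction with a 5-fold repetition code and truncated SHA-256 as the compression step, none of which the slides specify; `entropy_left` reproduces the slides' entropy accounting.

```python
import hashlib
import secrets

REP = 5  # assumed repetition factor: majority vote fixes up to 2 errors per 5 bits

def encode(bits):
    """Repeat every seed bit REP times (the error-correcting codeword)."""
    return [b for b in bits for _ in range(REP)]

def decode(bits):
    """Majority-vote each REP-bit group back to one seed bit."""
    return [int(sum(bits[i:i + REP]) > REP // 2) for i in range(0, len(bits), REP)]

def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

def extract(response, key_bytes=16):
    """Entropy extraction: compress the corrected response into a short key."""
    return hashlib.sha256(bytes(response)).digest()[:key_bytes]

def enroll(response):
    """One-time enrollment: return (public helper data, key)."""
    seed = [secrets.randbits(1) for _ in range(len(response) // REP)]
    return xor(response, encode(seed)), extract(response)

def reconstruct(noisy_response, helper):
    """In the field: correct bit errors using the helper data, then extract."""
    seed = decode(xor(noisy_response, helper))   # noisy codeword -> seed
    return extract(xor(helper, encode(seed)))    # enrolled response -> key

def entropy_left(n_bits, entropy_rate, helper_leak_bits):
    """Slide accounting: response entropy minus helper data leakage."""
    return n_bits * entropy_rate - helper_leak_bits

if __name__ == "__main__":
    # Constructed 640-bit response, assumed to have full entropy.
    response = [secrets.randbits(1) for _ in range(640)]
    helper, key = enroll(response)
    noisy = list(response)
    for i in (0, 1, 7, 13, 300, 301):            # at most 2 flips per group
        noisy[i] ^= 1
    print("key reproduced:", reconstruct(noisy, helper) == key)
    # Code-offset helper data leaks at most n - k bits: 640 - 128 = 512.
    print("entropy left:", entropy_left(640, 1.0, 512), "bits for a 128-bit key")
    print("slide example:", entropy_left(32, 0.7, 12), "bits")
```

With the slides' 70% entropy rate the same worst-case accounting gives `entropy_left(640, 0.7, 512)` = -64, so this low-rate repetition code only guarantees secret key material when the response is close to full entropy.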