Presentation on theme: "Lecture10 – More on Physically Unclonable Functions (PUFs)"— Presentation transcript:
1 Lecture10 – More on Physically Unclonable Functions (PUFs) Rice ELEC 528/ COMP 538Farinaz KoushanfarSpring 2009
2 Outline Implementations on silicon Applications Cryptographic keysAuthenticationDetails of RFID applicationsIssues with nonstability
3 Existing Approaches Sensors to detect attacks Expensive Continually battery-poweredTamper-Proof Package: IBM 4758Trusted Platform Module (TPM)A separate chip (TPM) for security functionsDecrypted “secondary” keys can be read out from the busSay both 4758 and TPM do not work. Too expensive or insecure.
4 ProblemStoring digital information in a device in a way that is resistant to physical attacks is difficult and expensive.EEPROM/ROMProcessorProbeAdversaries can physically extract secret keys from EEPROM while processor is offTrusted party must embed and test secret keys in a secure locationEEPROM adds additional complexity to manufacturingBlaise: What is the goal? Was not clear the goal is to embed a secret into the device.Fonts are too smallVoltage?
5 Our Solution: Physical Random Functions (PUFs) Generate keys from a complex physical systemHard to fully characterize or predictPhysical SystemProcessorcharacterizeconfigureUse as a secretResponse (n-bits)Challenge (c-bits)Can generate many secrets by changing the challengeSecurity AdvantageKeys are generated on demand No non-volatile secretsNo need to program the secretCan generate multiple master keysWhat can be hard to predict, but easy to measure?
6 PUF ExperimentsFabricated 200 “identical” chips with PUFs in TSMC 0.18m on 5 different wafer runsSecurityWhat is the probability that a challenge produces different responses on two different PUFs?ReliabilityWhat is the probability that a PUF output for a challenge changes with temperature?With voltage variation?Bigger picturePoint out that we named them…
7 Distance between Chip X and Y Inter-Chip VariationApply random challenges and observe 100 response bitsMeasurement noise for Chip X = 0.9 bitsDistance between Chip X and Yresponses = 24.8 bitsCan identifyindividual ICs
8 Environmental Variations What happens if we change voltage and temperature?Measurement noise at 125C(baseline at 20C) = 3.5 bitsEven with environmental variation, we can still distinguish two different PUFsMeasurement noise with10% voltage variation = 4 bits
9 Reliable PUFsPUFs can be made more secure and reliable by adding extra control logicChallengeResponsekOne-WayHashFunctionNew ResponsePUFBCHDecodingSyndromecSyndromeBCHEncodingn - knFor Re-generationFor calibrationHash function (SHA-1,MD5) precludes PUF “model-building” attacks since, to obtain PUF output, adversary has to invert a one-way functionError Correcting Code (ECC) can eliminate the measurement noise without compromising security
10 Ring-Oscillator (RO) PUF The structure relies on delay loops and counters instead of MUX and arbitersBetter results on FPGA – more stable
11 RO PUFs (cont’d)Easy to duplicate a ring oscillator and make sure the oscillators are identicalMuch easier than ensuring the racing paths with equal path segmentsHow many bits can we generate from the scheme in the previous page?There are N(N-1)/2 distinct pairs, but the entropy is significantly smaller: log2(N!)E.g., 35 ROs can produce 133 bits, 128 can produce 716, and 1024 can produce 8769
12 Reliability enhancement Environmental changes have a large impact on the freq. (and even relative ones)
13 RO PUFsROs whose frequencies are far are more stable than the ones with closer f’sPossible advantage: do not use all pairs, but only the stable onesIt is easy to watch the distance in the counter and pick the very different onesThe new question is how many ring oscillators do we need to accomplish having B stable bits?What are the other comparative advantages/ disadvantages compared to delay-based PUFs?Can we use this structure to generate many challenge-response pairs?
14 Applications -- Authentication Challenges should never be used to prevent the man-in-the-middle attacksIs this practical?
15 Application – Cryptographic Key Generation The unstability is a problemSome crypto protocols (e.g., RSA) require specific mathematical properties that random numbers generated by PUFs do not haveHow can we use PUFs to generate crypto keys?Error correction process: initialization and regenerationThere should be a one-way function that can generate the key from the PUF output
16 Crypto Key GenerationInitialization: a PUF output is generated and error correcting code (e.g., BCH) computes the syndrome (public info)Regeneration: PUF uses the syndrome from the initial phase to correct changes in the outputClearly, the syndrome reveals information about the circuit output and introduces vulnerabilities
17 Vulnerabilities Caused by ECC Given a b-bit syndrome, the attackers can learn at most b-bits about the PUF outputThus, to have k secret bits after error correction, we generate n=k+b bits at PUFHow much area / power overhead do we get for the RO implementation?
18 Experiments with RO PUFs Experiments done on 15 Xilinx Virtex4 LX25 FPGA (90nm)They placed 1024 ROs in each FPGA as a 16-by-64 arrayEach RO consisted of 5 INVs and 1 AND, implemented using look-up tablesThe goal is to know if the PUF outputs are unique (for security) and reproducible (for reliability and security)
20 The Probability Distribution for Inter-chip Variations 128 bits are produced from each PUFx-axis: number of PUF o/p bits different b/w two FPGAs; y-axis: probabilityPurple bars show the results from 105 pair-wise comparisonsBlue lines show a binomial distribution with fitted parameters (n=128, p =0.4615)Average intra-chip variations ~ 0.5
21 The Probability Distribution for Intra-chip Variations PUF o/p are generated at two different conditions and comparedChanging the temperature from 20C to 120C and the core voltage from 1.2 to 1.08 altered the PUF o/p by ~0.6 bits (0.48%)Intra-chip variations is much lower than inter-chip – the PUF o/p did not change fro small to moderate environmental changes
22 False Positive (FP) and Negative (FN) Experiments If we allow up to 10 bits out of 128 to be different, FP rate ~2.1x10-21, and FN rate is less than 5x10-11Assumption: inter-chip and intra-chip follow binomial distributionsThe same experiments could be used to compute the reliability of PUF-based crypto keys
23 Physically Unclonable Function–Based Security and Privacy in RFID Systems Leonid Bolotnyy and Gabriel RobinsDept. of Computer ScienceUniversity of Virginia
24 Contribution and Motivation Privacy-preserving tag identification algorithmSecure MAC algorithmsComparison of PUF with digital hash functionsMotivationDigital crypto implementations require 1000’s of gatesLow-cost alternativesPseudonyms / one-time padsLow complexity / power hash function designsHardware-based solutions
25 PUF-Based SecurityPhysical Unclonable Function (PUF) [Gassend et al 2002]PUF Security is based onwire delaysgate delaysquantum mechanical fluctuationsPUF characteristicsuniquenessreliabilityunpredictabilityPUF AssumptionsInfeasible to accurately model PUFPair-wise PUF output-collision probability is constantPhysical tampering will modify PUF
26 Privacy in RFIDPrivacyABCAlice was here: A, B, Cprivacy
27 Private Identification Algorithm DatabaseID1, p(ID1), p2(ID1), …, pk(ID1)...IDn, pn(IDn), pn2(IDn), …, pnk(IDn)IDIDp(ID)RequestIt is important to havea reliable PUFno loops in PUF chainsno identical PUF outputsAssumptionsno denial of service attacks (e.g., passive adversaries, DoS detection/prevention mechanisms)physical compromise of tags not possible
28 Improving Reliability of Responses Run PUF multiple times for same ID & pick majorityμm(1-μ)N-m )kR(μ, N, k) ≥ (1 - ∑NmN+12m=number of runschain lengthunreliabilityprobabilityoverallreliabilityR(0.02, 5, 100) ≥ 0.992Create tuples of multi-PUF computed IDs & identify a tag based on at least one valid position value∞expected number of identificationsS(μ, q) = ∑ i [(1 – (1-μ)i+1)q - (1 – (1-μ)i)q]i=1tuple sizeS(0.02, 1) = 49, S(0.02, 2) = 73, S(0.02, 3) = 90(ID1, ID2, ID3)
29 Privacy Model Experiment: A passive adversary observes polynomially-many rounds of reader-tag communications with multiple tagsAn adversary selects 2 tagsThe reader randomly and privately selects one of the 2 tags and runs one identification round with the selected tagAn adversary determines the tag that the reader selectedDefinition: The algorithm is privacy-preserving if an adversary can not determine reader selected tag with probability substantially greater than ½Theorem: Given random oracle assumption for PUFs,an adversary has no advantage in the above experiment.
30 PUF-Based MAC Algorithms MAC = (K, τ, υ)Kvalid signature σ : υ (M, σ) = 1forged signature σ’ : υ (M’, σ’) = 1, M = M’MAC based on PUFMotivation: “yoking-proofs”, signing sensor datalarge keys (PUF is the key)cannot support arbitrary messagesAssumptionsadversary can adaptively learn poly-many (m, σ) pairssignature verifiers are off-linetag can store a counter (to protect against replay attacks)
31 Large Message SpaceAssumption: tag can generate good random numbers (can be PUF-based)Key: PUFσ (m) = c, r1, ..., rn, pc(r1, m), ..., pc(rn, m)Signature verificationrequires tag’s presencepassword-based or in radio-protected environment (Faraday Cage)learn pc(ri, m), 1 ≤ i ≤ nverify that the desired fraction of PUF computations is correctTo protect against hardware tamperingauthenticate tag before MAC verificationstore verification password underneath PUF
33 Theorem Given random oracle assumption for a PUF, the probability that an adversary could forge a signature for a message is bounded from above by the tag impersonation probability.
34 Small Message Space Assumption: small and known a priori message space Key[p, mi, c] = c, pc(1)(mi), ..., pc(n) (mi)PUFmessagecounterPUF reliability is again crucialσ(m) = c, pc(1)(m), ..., pc(n) (m), ,c+q-1, pc+q-1(1)(m), pc+q-1(n)(m)sub-signatureVerify that the desired number of sub-signatures are valid
35 TheoremGiven random oracle assumption for a PUF, the probability that an adversary could forge a signature for a message is bounded by the tag impersonation probability times the number of sub-signatures.
36 Attacks on MAC Protocols originalcloneImpersonation attacksmanufacture an identical tagobtain (steal) existing PUFsModeling attacksbuild a PUF model to predict PUF’s outputsSide-channel attacksalgorithm timingpower consumptionHardware-tampering attacksphysically probe wires to learn the PUFphysically read-off/alter keys/passwords
37 Comparison of PUF With Digital Hash Functions MD47350MD58400SHA-25610868Yuksel1701PUF545AES3400algorithm# of gatesReference PUF: 545 gates for 64-bit input6 to 8 gates for each input bit33 gates to measure the delayLow gate count of PUF has a costprobabilistic outputsdifficult to characterize analyticallynon-unique computationextra back-end storageDifferent attack target for adversariesmodel building rather than key discoveryPhysical securityhard to break tag and remain undetected
38 PUF Design Attacks on PUF Weaknesses of existing PUF New PUF design impersonationmodelinghardware tamperingside-channelWeaknesses of existing PUFreliabilityNew PUF designno oscillating circuitsub-threshold voltageCompare different non-linear delay approaches
39 Conclusions and Future Work PUF: hardware primitive for RFID securityIdentification and MAC algorithms based on PUFPUFs protect tags from physical attacksPUFs is the keyDevelop theoretical framework for PUFDesign new sub-threshold voltage based PUFManufacture and test PUFsvarying environmental conditionsmotion, acceleration, vibration, temperature, noiseDesign new PUF-based security protocolsownership transferrecovery from privacy compromisePUFs on RFID readers}in progress
40 Thank You Questions ? Leonid Bolotnyy email@example.com Dept. of Computer ScienceUniversity of Virginia
41 PUF-Based Ownership Transfer To maintain privacy we needownership privacyforward privacyPhysical security is especially importantSolutionspublic key cryptography (expensive)knowledge of owners sequencetrusted authorityshort period of privacy
42 Using PUF to Detect and Restore Privacy of Compromised System Detect potential tag compromiseUpdate secrets of affected tags