Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 U NIVERSITY OF M ICHIGAN Reliable and Efficient PUF- Based Key Generation Using Pattern Matching Srini Devadas and Zdenek Paral (MIT), HOST 2011 Thomas.

Similar presentations


Presentation on theme: "1 U NIVERSITY OF M ICHIGAN Reliable and Efficient PUF- Based Key Generation Using Pattern Matching Srini Devadas and Zdenek Paral (MIT), HOST 2011 Thomas."— Presentation transcript:

1 1 U NIVERSITY OF M ICHIGAN Reliable and Efficient PUF- Based Key Generation Using Pattern Matching Srini Devadas and Zdenek Paral (MIT), HOST 2011 Thomas Chen, Anup Jadhav

2 2 U NIVERSITY OF M ICHIGAN Outline  Motivation & Security Challenges  Problem & Previous Approaches  Physical Unclonable Functions (PUF)  PUF-based Key Generation Using Pattern Matching  Results  Conclusion  References

3 3 U NIVERSITY OF M ICHIGAN Motivation  Secure computing  Devices are becoming:  Distributed  Unsupervised  Physically exposed  Prone to physical tampering  Need protection at the hardware level

4 4 U NIVERSITY OF M ICHIGAN Problem & Previous Approaches  Making a device tamper proof is difficult and expensive  IBM 4758 cryptographic coprocessor ($3000)  Battery powered sensors  Anti-tamper package  Attackers can  Extract keys from NVM while processor is off  Depackage,etch, and polish down to poly to read off fuse bits ROMFusesFlashAnti-fuses

5 5 U NIVERSITY OF M ICHIGAN Physical Unclonable Function (PUF)  Silicon “fingerprint”  Unique per instance  Reproducible/repeatable  Usefulness  Random key generation  Low-cost key “storage”  Tamper resistant  Extract keys from complex physical system Variability Sensitive Circuit Challenge Response C R1R1 R2R2 R3R3 !=

6 6 U NIVERSITY OF M ICHIGAN PUF-based Key Generation  Use PUF to generate fixed size of secret bits  Can use as symmetric key bits or seed for asymmetric key  But…  Some bits may be “noisy”- need error correction  Need to use helper data/syndrome to correct PUFKey Generator ResponseKey … D C Q C0C0 C1C1 C2C2 CnCn Arbiter Path-swapping switch

7 7 U NIVERSITY OF M ICHIGAN Reproducibility  Intra-distance metric (use fractional Hamming distance)  Ideally HD intra =0  Mean intra-distance varies with voltage, temperature  Can reduce unstable bits by:  pre/post selection, temporal majority voting, compensation, etc.  Typically >5%, <20% over region of operation (before corr.) PUF A Stored PUF A response bits -> 6.25%

8 8 U NIVERSITY OF M ICHIGAN Uniqueness  Inter-distance metric  Use fractional Hamming distance  Ideally, HD inter of 50% -> no correlation between chips PUF A PUF B bits -> %

9 9 U NIVERSITY OF M ICHIGAN Error Correction & Entropy  Key must be 100% reproducible (HD intra =0)  Often use BCH codes  Increase reproducibility  But helper data leaks information, reduces unpredictability  Need bigger response then compress  Extracted key length <= Total accumulated entropy Correction Helper Data

10 10 U NIVERSITY OF M ICHIGAN Pattern Matching Key Generator(PMKG) Architecture

11 11 U NIVERSITY OF M ICHIGAN Key Generation Scheme  Major Difference  Instead of making challenge public, make response public  Provisioning and Regeneration  Happens over a number of rounds  Regeneration  Involves matching the patterns provisioned to recreate key

12 12 U NIVERSITY OF M ICHIGAN Pattern Matching  Provisioning  In each round select an index I  Starting at that index store a pattern of length W  Regeneration  Match against known patterns to obtain index bits Index=sub-key PUF generated bit stream: XX710 Pattern Storage

13 13 U NIVERSITY OF M ICHIGAN Key Generator Architecture

14 14 U NIVERSITY OF M ICHIGAN Security  Public helper data does not leak information about key  Index based key  Key mixer  Post process key bits  LFSR forking  Fork the next round of challenge generator based on key index  Fixed number of comparisons against helper patterns

15 15 U NIVERSITY OF M ICHIGAN Key Generation Parameters

16 16 U NIVERSITY OF M ICHIGAN Intra-distance and Inter-distance

17 17 U NIVERSITY OF M ICHIGAN Matching threshold and FAR,FRR  Tolerance match detector  Causes false positives and false negatives  Requires appropriate matching threshold  Requires sufficiently wide pattern  Otherwise use error correction scheme  For small pattern, additional logic required to prevent collision

18 18 U NIVERSITY OF M ICHIGAN False Negatives and False Positives

19 19 U NIVERSITY OF M ICHIGAN Trials Required For Key Regeneration

20 20 U NIVERSITY OF M ICHIGAN Conclusion  Main contribution  Expose PUF response, keep challenge hidden  Key regeneration via pattern matching  Key bits are not directly stored  Subkeys are indices of PUF responses  Avoid heavy error correction logic  But need to choose good threshold and pattern width  False positives, false negatives

21 21 U NIVERSITY OF M ICHIGAN Questions & Discussion Points  Is there enough process variation to identify between ICs?  Is setting a threshold a good enough approach?  Is the arbiter PUF a good choice?

22 22 U NIVERSITY OF M ICHIGAN References  [1] Paral, Z., and Srinivas Devadas. "Reliable and efficient PUF-based key generation using pattern matching." Hardware-Oriented Security and Trust (HOST), 2011 IEEE International Symposium on. IEEE, 2011.


Download ppt "1 U NIVERSITY OF M ICHIGAN Reliable and Efficient PUF- Based Key Generation Using Pattern Matching Srini Devadas and Zdenek Paral (MIT), HOST 2011 Thomas."

Similar presentations


Ads by Google