Lecture10 – More on Physically Unclonable Functions (PUFs) Rice ELEC 528/ COMP 538 Farinaz Koushanfar Spring 2009

Outline Implementations on silicon Applications Cryptographic keys Authentication Details of RFID applications Issues with nonstability

Existing Approaches Sensors to detect attacks Expensive Continually battery-powered Tamper-Proof Package: IBM 4758 Trusted Platform Module (TPM) A separate chip (TPM) for security functions Decrypted “secondary” keys can be read out from the bus Say both 4758 and TPM do not work. Too expensive or insecure.

Problem Storing digital information in a device in a way that is resistant to physical attacks is difficult and expensive. EEPROM/ROM Processor Probe Adversaries can physically extract secret keys from EEPROM while processor is off Trusted party must embed and test secret keys in a secure location EEPROM adds additional complexity to manufacturing Blaise: What is the goal? Was not clear the goal is to embed a secret into the device. Fonts are too small Voltage?

Our Solution: Physical Random Functions (PUFs) Generate keys from a complex physical system Hard to fully characterize or predict Physical System Processor characterize configure Use as a secret Response (n-bits) Challenge (c-bits) Can generate many secrets by changing the challenge Security Advantage Keys are generated on demand  No non-volatile secrets No need to program the secret Can generate multiple master keys What can be hard to predict, but easy to measure?

PUF Experiments Fabricated 200 “identical” chips with PUFs in TSMC 0.18m on 5 different wafer runs Security What is the probability that a challenge produces different responses on two different PUFs? Reliability What is the probability that a PUF output for a challenge changes with temperature? With voltage variation? Bigger picture Point out that we named them…

Distance between Chip X and Y Inter-Chip Variation Apply random challenges and observe 100 response bits Measurement noise for Chip X = 0.9 bits Distance between Chip X and Y responses = 24.8 bits Can identify individual ICs

Environmental Variations What happens if we change voltage and temperature? Measurement noise at 125C (baseline at 20C) = 3.5 bits Even with environmental variation, we can still distinguish two different PUFs Measurement noise with 10% voltage variation = 4 bits

Reliable PUFs PUFs can be made more secure and reliable by adding extra control logic Challenge Response k One-Way Hash Function New Response PUF BCH Decoding Syndrome c Syndrome BCH Encoding n - k n For Re-generation For calibration Hash function (SHA-1,MD5) precludes PUF “model-building” attacks since, to obtain PUF output, adversary has to invert a one-way function Error Correcting Code (ECC) can eliminate the measurement noise without compromising security

Ring-Oscillator (RO) PUF The structure relies on delay loops and counters instead of MUX and arbiters Better results on FPGA – more stable

RO PUFs (cont’d) Easy to duplicate a ring oscillator and make sure the oscillators are identical Much easier than ensuring the racing paths with equal path segments How many bits can we generate from the scheme in the previous page? There are N(N-1)/2 distinct pairs, but the entropy is significantly smaller: log2(N!) E.g., 35 ROs can produce 133 bits, 128 can produce 716, and 1024 can produce 8769

Reliability enhancement Environmental changes have a large impact on the freq. (and even relative ones)

RO PUFs ROs whose frequencies are far are more stable than the ones with closer f’s Possible advantage: do not use all pairs, but only the stable ones It is easy to watch the distance in the counter and pick the very different ones The new question is how many ring oscillators do we need to accomplish having B stable bits? What are the other comparative advantages/ disadvantages compared to delay-based PUFs? Can we use this structure to generate many challenge-response pairs?

Applications -- Authentication Challenges should never be used to prevent the man-in-the-middle attacks Is this practical?

Application – Cryptographic Key Generation The unstability is a problem Some crypto protocols (e.g., RSA) require specific mathematical properties that random numbers generated by PUFs do not have How can we use PUFs to generate crypto keys? Error correction process: initialization and regeneration There should be a one-way function that can generate the key from the PUF output

Crypto Key Generation Initialization: a PUF output is generated and error correcting code (e.g., BCH) computes the syndrome (public info) Regeneration: PUF uses the syndrome from the initial phase to correct changes in the output Clearly, the syndrome reveals information about the circuit output and introduces vulnerabilities

Vulnerabilities Caused by ECC Given a b-bit syndrome, the attackers can learn at most b-bits about the PUF output Thus, to have k secret bits after error correction, we generate n=k+b bits at PUF How much area / power overhead do we get for the RO implementation?

Experiments with RO PUFs Experiments done on 15 Xilinx Virtex4 LX25 FPGA (90nm) They placed 1024 ROs in each FPGA as a 16-by-64 array Each RO consisted of 5 INVs and 1 AND, implemented using look-up tables The goal is to know if the PUF outputs are unique (for security) and reproducible (for reliability and security)

Reliability and Security Metrics

The Probability Distribution for Inter-chip Variations 128 bits are produced from each PUF x-axis: number of PUF o/p bits different b/w two FPGAs; y-axis: probability Purple bars show the results from 105 pair-wise comparisons Blue lines show a binomial distribution with fitted parameters (n=128, p =0.4615) Average intra-chip variations 0.4615 ~ 0.5

The Probability Distribution for Intra-chip Variations PUF o/p are generated at two different conditions and compared Changing the temperature from 20C to 120C and the core voltage from 1.2 to 1.08 altered the PUF o/p by ~0.6 bits (0.48%) Intra-chip variations is much lower than inter-chip – the PUF o/p did not change fro small to moderate environmental changes

False Positive (FP) and Negative (FN) Experiments If we allow up to 10 bits out of 128 to be different, FP rate ~2.1x10-21, and FN rate is less than 5x10-11 Assumption: inter-chip and intra-chip follow binomial distributions The same experiments could be used to compute the reliability of PUF-based crypto keys

Physically Unclonable Function–Based Security and Privacy in RFID Systems Leonid Bolotnyy and Gabriel Robins Dept. of Computer Science University of Virginia www.cs.virginia.edu/robins

Contribution and Motivation Privacy-preserving tag identification algorithm Secure MAC algorithms Comparison of PUF with digital hash functions Motivation Digital crypto implementations require 1000’s of gates Low-cost alternatives Pseudonyms / one-time pads Low complexity / power hash function designs Hardware-based solutions

PUF-Based Security Physical Unclonable Function (PUF) [Gassend et al 2002] PUF Security is based on wire delays gate delays quantum mechanical fluctuations PUF characteristics uniqueness reliability unpredictability PUF Assumptions Infeasible to accurately model PUF Pair-wise PUF output-collision probability is constant Physical tampering will modify PUF

Privacy in RFID Privacy A B C Alice was here: A, B, C privacy

Private Identification Algorithm Database ID1, p(ID1), p2(ID1), …, pk(ID1) ... IDn, pn(IDn), pn2(IDn), …, pnk(IDn) ID ID p(ID) Request It is important to have a reliable PUF no loops in PUF chains no identical PUF outputs Assumptions no denial of service attacks (e.g., passive adversaries, DoS detection/prevention mechanisms) physical compromise of tags not possible

Improving Reliability of Responses Run PUF multiple times for same ID & pick majority μm(1-μ)N-m )k R(μ, N, k) ≥ (1 - ∑ N m N+1 2 m= number of runs chain length unreliability probability overall reliability R(0.02, 5, 100) ≥ 0.992 Create tuples of multi-PUF computed IDs & identify a tag based on at least one valid position value ∞ expected number of identifications S(μ, q) = ∑ i [(1 – (1-μ)i+1)q - (1 – (1-μ)i)q] i=1 tuple size S(0.02, 1) = 49, S(0.02, 2) = 73, S(0.02, 3) = 90 (ID1, ID2, ID3)

Privacy Model Experiment: A passive adversary observes polynomially-many rounds of reader-tag communications with multiple tags An adversary selects 2 tags The reader randomly and privately selects one of the 2 tags and runs one identification round with the selected tag An adversary determines the tag that the reader selected Definition: The algorithm is privacy-preserving if an adversary can not determine reader selected tag with probability substantially greater than ½ Theorem: Given random oracle assumption for PUFs, an adversary has no advantage in the above experiment.

PUF-Based MAC Algorithms MAC = (K, τ, υ) K valid signature σ : υ (M, σ) = 1 forged signature σ’ : υ (M’, σ’) = 1, M = M’ MAC based on PUF Motivation: “yoking-proofs”, signing sensor data large keys (PUF is the key) cannot support arbitrary messages Assumptions adversary can adaptively learn poly-many (m, σ) pairs signature verifiers are off-line tag can store a counter (to protect against replay attacks)

Large Message Space Assumption: tag can generate good random numbers (can be PUF-based) Key: PUF σ (m) = c, r1, ..., rn, pc(r1, m), ..., pc(rn, m) Signature verification requires tag’s presence password-based or in radio-protected environment (Faraday Cage) learn pc(ri, m), 1 ≤ i ≤ n verify that the desired fraction of PUF computations is correct To protect against hardware tampering authenticate tag before MAC verification store verification password underneath PUF

Choosing # of PUF Computations probv(n, 0.1n, 0.02) i=t+1 μi(1-μ)n-i probv(n, t, μ) = 1 - ∑ n i probf(n, 0.1n, 0.4) j=t+1 τj(1-τ)n-j probf(n, t, τ) = 1 - ∑ n j α < probv ≤ 1 and probf ≤ β ≤ 1 0 ≤ t ≤ n-1

Theorem Given random oracle assumption for a PUF, the probability that an adversary could forge a signature for a message is bounded from above by the tag impersonation probability.

Small Message Space Assumption: small and known a priori message space Key[p, mi, c] = c, pc(1)(mi), ..., pc(n) (mi) PUF message counter PUF reliability is again crucial σ(m) = c, pc(1)(m), ..., pc(n) (m), ..., c+q-1, pc+q-1(1)(m), pc+q-1(n)(m) sub-signature Verify that the desired number of sub-signatures are valid

Theorem Given random oracle assumption for a PUF, the probability that an adversary could forge a signature for a message is bounded by the tag impersonation probability times the number of sub-signatures.

Attacks on MAC Protocols original clone Impersonation attacks manufacture an identical tag obtain (steal) existing PUFs Modeling attacks build a PUF model to predict PUF’s outputs Side-channel attacks algorithm timing power consumption Hardware-tampering attacks physically probe wires to learn the PUF physically read-off/alter keys/passwords

Comparison of PUF With Digital Hash Functions MD4 7350 MD5 8400 SHA-256 10868 Yuksel 1701 PUF 545 AES 3400 algorithm # of gates Reference PUF: 545 gates for 64-bit input 6 to 8 gates for each input bit 33 gates to measure the delay Low gate count of PUF has a cost probabilistic outputs difficult to characterize analytically non-unique computation extra back-end storage Different attack target for adversaries model building rather than key discovery Physical security hard to break tag and remain undetected

PUF Design Attacks on PUF Weaknesses of existing PUF New PUF design impersonation modeling hardware tampering side-channel Weaknesses of existing PUF reliability New PUF design no oscillating circuit sub-threshold voltage Compare different non-linear delay approaches

Conclusions and Future Work PUF: hardware primitive for RFID security Identification and MAC algorithms based on PUF PUFs protect tags from physical attacks PUFs is the key Develop theoretical framework for PUF Design new sub-threshold voltage based PUF Manufacture and test PUFs varying environmental conditions motion, acceleration, vibration, temperature, noise Design new PUF-based security protocols ownership transfer recovery from privacy compromise PUFs on RFID readers } in progress

Thank You Questions ? Leonid Bolotnyy lbol@cs.virginia.edu Dept. of Computer Science University of Virginia

PUF-Based Ownership Transfer To maintain privacy we need ownership privacy forward privacy Physical security is especially important Solutions public key cryptography (expensive) knowledge of owners sequence trusted authority short period of privacy

Using PUF to Detect and Restore Privacy of Compromised System Detect potential tag compromise Update secrets of affected tags