ebook img

A new Definition and Classification of Physical Unclonable Functions PDF

0.25 MB·English
Save to my drive
Quick download
Download
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview A new Definition and Classification of Physical Unclonable Functions

A new Definition and Classification of Physical Unclonable Functions Rainer Plaga Dominik Merli FederalOfficeforInformationSecurity(BSI) FraunhoferResearchInstitutionAISEC GodesbergerAllee185-189 Parkring4 Bonn,Germany Garching(nearMunich),Germany [email protected] [email protected] 5 ABSTRACT ofattempts(summarizedinsectionSection2.1)toprecisely 1 Anewdefinitionof“PhysicalUnclonableFunctions”(PUFs), definewhatamemberoftheresearchcommunitywouldin- 0 thefirstonethatfullycapturesitsintuitiveideaamongex- tuitively call a PUF. Searched for is a definition that con- 2 tainsacompleteandminimallistoftheconditionsthathave perts,ispresented. APUFisaninformation-storagesystem to be fulfilled to identify a device as a PUF. No necessary n with a security mechanism that is conditionmustbeabsent. Nosuperfluouscondition,i.e. one a 1. meanttoimpedetheduplicationofapreciselydescribed that PUFs can, but do not absolutely have to fulfill, must J storage-functionality in another, separate system and be present. In section 2.2 we present a novel definition of 6 2. remains effective against an attacker with temporary ac- a PUF. We demonstrate that it really fulfills, for the first 2 cess to the whole original system. time, both of the above demands. A novel classification scheme of the security objectives and AnovelclassificationschemeforthePUFsecurityobjectives ] mechanismsofPUFsisproposedanditsusefulnesstoaidfu- R and mechanisms is presented in Section 3. Its usefulness is ture research and security evaluation is demonstrated. One demonstrated by two examples. In Section 4 we show that C classofPUFsecuritymechanismsthatpreventsanattacker the PUF security mechanism “cryptostorage” has a funda- . to apply all addresses at which secrets are stored in the s mentalimportancesimilartotheoneofcryptography. PUF information-storagesystem,isshowntobecloselyanalogous c research is thus of a much more fundamental importance [ to cryptographic encryption. Its development marks the thanhithertorealized. Wediscusshowthenewschememo- dawn of a new fundamental primitive of hardware-security 1 engineering: cryptostorage. These results firmly establish tivates qualitatively novel questions for further research in v PUFs as a fundamental concept of hardware security. Section 5 and helps the certification of PUFs in Section 6 3 respectively. Section 7 concludes this paper. 6 CategoriesandSubjectDescriptors 3 2. DEFINITIONOFPUFS 6 K.6.5[SecurityandProtection]: PhysicalSecurity;H.3.0 0 [Information Storage and Retrieval]: General 2.1 PreviousProposals . 1 Inthefollowing,webrieflysketchthedevelopmentofthe 0 GeneralTerms ideasonwhichwebaseourproposal. Startingwithanearly 5 Security paper by Gassend et al. [1], most proposed definitions are 1 based on the concept of a physical challenge-response func- : tion which can be evaluated in a reproducible manner. Un- v Keywords i til approx. 2010, most proposed definitions characterized X ACM proceedings, Physical Unclonable Functions PUFs further by being “hard to characterize” [1], “hard to r predict” [2], “physically unclonable” [3] or “tamper resis- a 1. INTRODUCTION tant” [4]. Such demands carry the problem that devices which turn out to be predictable, clonable or tamper vul- Physical Unclonable Functions (PUFs)[1] were originally nerable are no longer PUFs according to the proposed defi- understoodas“hardwaredevicesthatarehardtocharacter- nitions. However,e.g.,inacertificationprocess,theconcept izeandcanbeuniquelyidentified”[1]. Theyhavedeveloped of an “insecure, broken PUF” is clearly necessary. Indeed, intoanimportantresearchtopicinthefieldofhardwarese- inpractice,thecommunitydoesnotreallyemploysuchdef- curity within the past decade. There have been a number initions because it universally continues to refer to inse- cure PUFs that have been completely broken as “PUFs”. Permissiontomakedigitalorhardcopiesofallorpartofthisworkfor Armknecht et al. [5] recognized this problem and defined personalorclassroomuseisgrantedwithoutfeeprovidedthatcopiesare PUFs as physical functions PFs, i.e., they dropped the U notmadeordistributedforprofitorcommercialadvantageandthatcopies bearthisnoticeandthefullcitationonthefirstpage.Tocopyotherwise,to for“unclonable”. Suchphysicalfunctionsaredigitalmemo- republish,topostonserversortoredistributetolists,requirespriorspecific riesbecausethelatterarephysicaldevicesthatalwayshave permissionand/[email protected]. torealizeachallenge-responsemechanism: anaddressisap- CS2’15,January19-212015,Amsterdam,Netherlands plied as a challenge and the memory content is returned as Copyright2015ACM978-1-4503-3187-6/15/01...$15.00 a response. The remaining problem is then: how to charac- http://dx.doi.org/10.1145/2694805.2694807 terize the specific characteristic of PUFs that sets it apart, . e.g., fromastandardmemorystick, whichis, ofcourse, not Information−storage system understood as a PUF in the community? An alternative to identify it with absolute unclonability is to identify it with C certainfeaturesofthePUFarchitecture. Severaldefinitions Storage module [6,7,8]proposetoidentifythespecificcharacteristicproper- tiesthatwecallbelowinSection3“complex-structureupon challenge measure production”and“cryptostorage”. WewilldiscussinSection R 3.1.2 that these properties classify special security mecha- Encoder module nisms. But a demand for a special security mechanism in itsdefinitionwouldrenderthePUFconceptinflexible. E.g. theinformationstoredinaquantumtoken,discussedinsec- tion3.2,mustbeloadedafteritsproduction-otherwisethe Figure 1: Sketch of a physical information-storage storage is not secure. A definition that demands a loading system, accordingtoourdefinition. Thedot-dashed uponproductionwouldratherarbitrarilyexcludesquantum outer box symbolizes the whole system which usu- tokens as PUFs. ally is (but does not have to be) also a module, like WewillexplicitelyidentifythespecificcharacteristicofPFs, the storage- and encode-module always are. that we searched for in the previous paragraph in section 2.2.2. system in its original form. 2.2 ProposedDefinitionofPUFsandits Meaning 2.2.2 ExplanationofthePUFDefinition 2.2.1 AuxiliaryandPUFDefinition Thedefinitiondoesnotdemandthatasecurity-mechanism actuallydoesrendertheduplicationmoredifficult,butonly We first formulate an auxiliary definition: that an implemented mechanism is meant to do so. This • Definitionofaphysicalinformation-storagesys- avoids the circularity problem with earlier PUF definitions tem (1) discussed in Section 1 (“an insecure PUF is no PUF”). As An information-storage system is a set of at least two the following example shows security primitives are often modules1 that are conceptually or physically perma- defined in an analogous manner: nentlyconnected. Thesemodules(orpartsofthemod- • Definitionofcryptographicencryptionalgorithm uleifthesystemisasinglemodule)havethefollowing (3) purposes: a “storage module” can be put into a physi- Acryptographicencryptionalgorithmisakey-dependent cal state H which is determined by the information in mappingfromacleartextstringofbitstoacryptogram achallengeC.Thisstoragemoduleismeasuredinthis string of bits. Its security objective is that an attacker state and the measurement result is reproducibly en- findsnoalgorithmforaninversemapping(decryption) coded as the information of a response R by another ofthecryptogramtothecleartextwithoutthekey. The “encoder module” of the total system. The set of all key is a string of bits on which the encryption algo- Rs for all Cs is the information stored in the system. rithm depends. This definition agrees with the intuitive idea of a digital Caesar’s cipher is trivial to break, but still a cryptographic memory,andmakesitsrelationtoachallenge-responsefunc- encryption algorithm because there is a specific key depen- tion precise. The challenges are the addresses at which dent mapping with the said objective. The precise storage the physical information, the responses, are stored. An functionality is the most characteristic feature of a PUF. information-storage system is depicted in Figure 1. The It can go beyond the mere storage and release of informa- term “reproducibly encoded” demands that a noise in the tion, as in the case of public PUFs [9, 10], where a re- responses is bounded. leaseoftheresponsewithinacertaintimeframeisrequired. • Definition of a PUF (2) Even if the functionality is merely the storage and release A PUF is a physical information-storage system that ofphysicalinformation,theobjectivecanbetopreventdu- is protected by a security mechanism which plicationtodifferentdegreesasinthepreviousproposalsof a “physical” and “mathematical” duplication [3]. We will 1. has the security objective to render it more diffi- comebacktotheclassificationofPUFsecurityobjectivesin culttoduplicateapreciselydescribedstoragefunc- Section 3.1.1. We define an “information-storage system” tionality of the system in another, separate sys- as the system that actually stores the information (rather tem. than auxiliary systems for packaging, energy supply etc.). 2. ismeanttoremaineffectiveagainstanactive2 at- Our definition of a PUF requires that the security mecha- tackerwithtemporaryphysicalaccesstothewhole nism is based on the system’s storage-mechanism, because 1A module is defined to be an artificial (the artificiality is otherwise it would not remain effective against an attacker necessarytodelimitPUFsfrombiometricsystems,aclosely with full access to the original system. This makes the re- related concept with which the PUF concept is often com- quiredsecurity-andinformation-storagemechanismindivis- pared) physical system that is permanently physically con- ible, i.e., without the latter, the former cannot be realized. nected and serves a certain purpose. A physical system is Devices in which information-storage and security mecha- defined to be a set of materials and fields that is delimited from the rest of the world in a well defined manner. nism are separable are no PUFs. This indivisibility, let us 2Active means that she can change the system rather than call it “security-memory boundedness”, is the specific char- only passively listen. acteristic of a PUF that was searched for in Section 2.1. Anotherangleonthemotivationforthesecondconditionof Security Objective the PUF definition will be discussed in Section 2.2.4. Render it more difficult to duplicate A main result of this paper is that the PUF definition list the storage functionality F on a is complete and minimal with the proposed conditions. No separate device other of the myriad other conditions that PUFs may well fulfill,e.g.,thatthestoragemechanismisnoisy,thatthese- F = release R curitymechanismworkswithoutenergysupply,etc.,hasto F = release R within ∆ t befulfilledtocharacterizeamoduleasaPUF.Summarizing Public PUF we state: A module is a PUF if and only if it fulfills both con- Mathematical duplicate ditions of the definition (2). Arbiter PUF Quantum PUF Optical PUF 2.2.3 ExemplaryAnalysis: ArbiterPUF Physical duplicate Ring Osc. PUF CharacterizedasaPUF SRAM PUF As an exemplary case, we discuss how the arbiter PUF Figure 2: Classification of the PUFs’ security ob- [11]ischaracterizedasaPUFinthesenseofourdefinition. jectives; some existing PUFs are assigned to these ThearbiterPUFhasastoragemoduleintheformofachain classes. of multiplexers that are programmed by a certain number of inputs which act as a challenge. The encoder module is a latch that determines which of two delay paths - that are 3. PUFCLASSIFICATION configured (with other words “put in a physical state”) by thechallenge-producedalongerdelayfortwotestsignals. 3.1 ClassificationCriteria The arbiter PUF is thus an information-storage system in oursense. ThesecuritymechanismisdescribedbySuhand 3.1.1 SecurityObjectives Devadas as: “a set of challenges (is mapped) to a set of re- Themostbasicclassificationisbysecurityobjectives. Ac- sponses based on an intractably complex physical system.” cordingtothefirstconditionindefinition(2)theobjectives The unclonable storage-functionality is the release of a re- are characterized by the precise nature of the storage func- sponseafterachallengeissupplied. Theauthorsmakeclear tionalitiesandthekindofduplicationtobeprevented. The that this must be understood as an objective rather than a simplest storage functionalities are: propertybecause“topreventmodel-buildingattacks”afur- S1. Tostorephysicalinformationandtoreleaseitupon therdevelopmentofthePUFarchitecturemightbeneeded. some challenge which can be: Thus the first condition of our definition of a PUF is ful- S1.a. a simple trigger or filled. The“intractablycomplexstructure”uponproduction S1.b. a sophisticated address, chosen by the user. is meant to protect against an attacker with temporary ac- An example for a more sophisticated storage functionality cess to the storage system. Therefore, the second condition is: of our definition (2) is fulfilled, too. S2. the release of the stored information within a cer- tain time interval ∆t. 2.2.4 DelimitationofPUFsfromotherConcepts There are two widely used meanings of the term “dupli- Conventional secure memories, as typically realized, e.g., cate”[3]. in smartcards as conventional digital memories with some D1. “Physical duplication” is to prevent a duplication passive or active protection shields to guarantee “tamper in physical detail. I.e. the separate duplicated system either resistance”, are no PUFs because they are not security- followsthespecificationsfortheconstructionoftheoriginal, memory bounded. A conventionally secured memory has or at least returns physically identical responses. been called “controlled” by Gassend et al.[12] 3. The qual- D2. “Mathematical duplication” only requires that the itative novelty of PUFs, characterized by the second condi- duplicationsystemreturnsresponseswiththesameinforma- tion in the definition (2), is that their security mechanisms tion content as the ones of the original module to all chal- go beyond such conventional (access) control. lenges. Its physical structure is otherwise not constrained. Unique physical labels as they are used, e.g., on banknotes D2isamoreambitiousobjectivethanD1becauseitrequires or drug packages against counterfeiting are no PUFs, not to absolutely prevent the readout of the stored information conceptually permanently connected to an encoder module at the challenge addresses, also against sophisticated mod- as required by our definition (2). “Physically obfuscated eling attacks[18]. As soon as this information is read out, keys”[13]witharead-outmechanismforthekeyarePUFs itcanbestoredinanothermemoryunderthesameaddress because their obfuscation through a non-standard storage thus realizing a mathematical clone. D1 can still be attain- mechanism is security-memory bound. able when the stored information is known to the attacker. Fig. 2 illustrates the storage-functionality classes and gives 3Gassend et al. call a PUF controlled “if it can only be examples of PUFs within them. accessed via an algorithm that is linked to the PUF in an The security objectives are determined by the security ar- inseparable way (i.e. any attempt to circumvent the algo- chitecturethatusesthePUFratherthanthearchitectureof rithmwillleadtothedestructionofthePUF.”Ifwereplace “PUF” by “information-storage system” and interpret “al- the PUF itself. In Section 3.2, we will discuss classification gorithm” as “hardware-interface that implements the sys- examples for some PUFs including one that can have both tem’sintendedfunctionality”,thisisadefinitionofthehith- objective D1 or D2 in different contexts. ertoconventionalmannertoprotectaninformation-storage system against duplication. 3.1.2 SecurityMechanisms Three principal classes of security mechanisms for PUFs Mechanism Complex have been proposed up to now. Structure Mechanism No cloning Securitymechanism1“ComplexStructure”(CS).Acom- SRAM PUF plex structure of the information-storage module prevents Ring. Osc. PUF analysis and/or reproduction. Coating PUF Arbiter PUF MostPUFsthatwereproposeduptonowrelyonthisprin- Quantum ciple. Usuallythefollowingprincipleisexploited: itiseasier Optical PUF Token to create a complex random structure, than to analyze and duplicate it. Such PUFs are produced in a process that creates some complex structure in the storage module from Mechanism Cryptostorage whichrandomresponsescanbederivedbytheencodemod- ule[14]. We classify this security mechanism as PUFs with “Complex-Structure upon Production” (CSP) property. Security mechanism 2 “No Cloning”(NC). A principle Figure3: ThePUFsecuritymechanismsandPUFs of physics forbids the duplication of the storage module. thatarebasedonthem. SeeSection3.1.2forfurther This is a security mechanism that prevents the duplication explanation. of the storage unit because of some fundamental principle of physics. An example are physical quantum systems in a state unknown to the attacker, that cannot be cloned due Section3.1.1). Thissecurityobjectivewilltypicallyarisein to the “no cloning principle”[15]. acontextinwhichoneaimstomakeitdifficultforthepro- Security Mechanism 3 “Cryptostorage”. Let us call a ducerofthePUFtoproducephysicalduplicates. Theother subset of all possible challenges the set of secret challenges possible aim is to render the mathematical duplication (se- (s-challenges). The secret responses (s-responses) to be pro- curity objective D2 in Section 3.1.1) more difficult by mak- tected are defined as the responses to the s-challenges. The ing a readout in the switched-off state more difficult. This security mechanism prevents that the attacker can apply all secondaimcannotreasonablybetopreventtheread-outof or most s-challenges. thestoredinformationaltogetherbecausenosecuritymech- If the attacker cannot apply an s-challenge in principle she anism of SRAM and ring-oscillators prevents such readout. will not be able to get the corresponding secret (response), The arbiter PUF [17] uses intrinsic delay variations in mi- i.e. cryptostorage protects the physical stored information crochips and was proposed to be used with an s-challenge againstreadout. Cryptostorageiscloselyanalogoustocryp- that is much smaller than the set of all challenges. It thus tographicencryption. Thisparallelwillbefurtherdeveloped aims to prevent the mathematical duplication (security ob- in Section 4. jective D2, in Section 3.1.1) with the help of both the CSP Two general architectures to realize cryptostorage in prac- mechanism and cryptostorage with the MRT mechanism. tice have been proposed [8]. For quantum-token based PUFs [15], the security objective Securitymechanism3a. “MinimumReadoutTime(MRT)”. D2 is reached via proving that the s-challenge is necessary Thenumberofchallenge-responsepairsischosenverylarge. toextractthepreviouslystoredinformation. Therefore,this Then, if there is a sufficiently long minimum readout time PUF prevents mathematical duplication with the help of for one challenge-response pair, the attacker cannot apply the NC mechanism and cryptostorage with the EUR mech- the s-challenges within a reasonable time period if the set of anism. s-challenges is unknown to her. A qualitatively special authentication functionality is real- PUFs with a MRT-mechanism are a.k.a. as “strong” PUFs ized with the “public PUF” [9, 10] idea, which proposes [13]. PUFs that can prove their authenticity even though their Security mechanism 3b. “Erasure Upon Readout (EUR)”. challenge-response pairs are public. A public PUF not only If a non s-challenge is applied the s-response corresponding stores and protects information, but is also required to re- to the s-challenge is erased. Therefore the attacker cannot spond to the challenge within a certain minimum time pe- apply the s-challenge if it is not known to her, because an riod. It has the objective to prevent the construction of a attempt to do so, erases most of the secret information in duplicate that releases a response within a certain time pe- general. riod, even though a module that releases it within a much Fig. 3illustrateswhichPUFconstructionsareprotectedby longer period must be possible. these mechanisms. 3.2 ExemplaryClassificationofsomeExisting 4. ANEWSECURITYPRIMITIVE: PUFs CRYPTOSTORAGE Thering-oscillatorPUF[11]andtheSRAMPUF[16]ex- ploitvariationsinringoscillatorfrequenciesormemorycell 4.1 DescriptionofthePrimitive balances respectively, to generate secret bits and store the The security mechanism of “cryptostorage” first intro- information in a currently unconventional manner. The se- ducedinSection3.1.2isoffundamentalimportance. Itcan curitymechanismistogeneratearandomvalueduringfabri- be characterized in the following manner: cationi.e. itisaCSPmechanism. Thesecurityobjectiveof thering-oscillatorPUF[11]andtheSRAMPUF[16](a.k.a • Definition of the cryptostorage mechanism (4) “weak PUFs” [13]) can be twofold. One possible aim is to A clearstring is a string of bits physically stored in prevent the physical duplication (security objective D1 in an information-storage system with no security mech- anism. A cryptostorage mechanism is a s-challenge- Cryptographic encryption Cryptostorage dependent mapping from a clearstring to the storage module of a PUF. Its security objective is that an at- 1. meaning of Information physical Information tacker finds no mechanism for the extraction of the 2. cryptogram PUF storage module clearstringfromthePUFwithoutthesetofs-challenges. 3. crypto-algorithm cryptostorage mechanism The s-challenge is a string of bits that designates a subset of the address space of the information-storage 4. inversion of cryptogram reproduction of PUF system. 5. cryptographic key s-challenge Whenonecomparesthisdefinitionwiththeoneofacryp- 6. encrypt with key store at s-challenge adr. tographic encryption algorithm (3), the close analogy be- 7. decrypt with key apply s-chall. & measure tweenthetwoisobvious: thes-challengeisequivalenttothe key, the storage system of the PUF to the cryptogram and Table 1: A listing of corresponding concepts of theclearstringtothecleartext. Ifcryptographicencryption cryptographic encryption and cryptostorage. 1. is the science of concealed (crypto) writing (graphein), re- What is protected? 2. Where is protected infor- searchanddevelopmentonPUFscanbeidentifiedasthesci- mation? 3. What is the security mechanism that 4. ence of concealed storage, or “cryptostorage”. Cryptostor- prevents what? ageprotectsthephysicalinformation4 itself. Cryptographic encryption protects the meaning of the information5 in the cryptogram. The close parallel between cryptographic en- MRT PUFs with N secret elements require on the order of cryption and cryptostorage is illustrated in Table 1. 2N challenge-response pairs to extract all contained infor- In cryptographic encryption, principles and comprehensi- mation even under sophisticated learning attacks? Another ble systematic arguments (not necessarily proofs) based on important research topic are algorithms and protocols to mathematicsandinformaticsensurethatthecleartextcan- support PUF-based applications. not be extracted without the key. In an analogous manner, If a new “PUF protocol”, e.g., for authentication is pro- in cryptostorage, principles based on physics and electrical posed, it should be communicated which of its features are engineeringmustensurethatthestoredinformationcannot PUF specific, and why. Otherwise, it would be a general beextractedwithoutbeinginpossessionofthes-challenges. authenticationprotocol,i.e.,itsnoveltycannotlieinitsap- The analog of cryptanalytic analyses of cryptographic en- plicability to PUFs. cryption are, e.g., attacks using various forms of sophisti- cated learning programs[18]. 6. CERTIFICATIONOFPUFS The specific value of cryptostorage for embedded security is the systematic practical and theoretical development of AfirststepinaPUFsecurityevaluationmustbetoascer- information-storage systems that remain secure when the tain that a hardware element within a target of evaluation attacker can directly and completely access them, i.e. uses (TOE)isreallyaPUFaccordingtoourproposeddefinition. their regular read-out system. It will be necessary to de- The next step will be to identify the PUF’s security objec- velop the primitive of cryptostorage in a systematic man- tives within the TOE’s architecture and the security mech- ner because it will always remain impossible in principle to anisms that fulfill these objectives. The central task of a completely deny access to embedded storage systems. The PUF certification will be to theoretically model and verify major aim of cryptostorage will be to develop PUFs with the PUF’s security mechanism in simulation and practice. a comprehensible, well understood security level based on Possible effects of the PUF’s security mechanism on other sound principles of engineering, physics and mathematics. conventional,non-PUFmechanismthatsecuretheprotected memory also need to be considered. 5. FUTUREPUFRESEARCH ClassifyingthePUFaccordingtothecharacteristicsinSec- tion 3 will be useful to lay out the scope of the evalua- The two most basic question are: tion. Preciselydefinedsecurityobjectivesclearlydetermine 1. What new security objectives for PUFs could there be? the tasks of the security mechanisms. If, e.g., the PUF Which PUF storage-functionalities, besides the simple, ad- hasaninternallygeneratedrandomvalueasresponse(CSP dressed and timed release of information could be useful? mechanism),themachineproducingitassumestheroleofa 2. Whatnewsecuritymechanisms,besidestheCS,NCand Random-Number Generator (RNG). It will then be neces- cryptostorage classes could there be? sary to evaluate the manufacturing system, e.g., according Thecryptostoragesecurityprimitiveisboundtoplayasim- to the existing guidelines for the certification of RNGs [19]. ilarlyimportantroleinembeddedsecurityascryptographic PUFs can be valuable because they reach new levels of se- encryptiondoes. ManyproposedPUFsarebasedonit,but curity, but also because they allow cheaper solutions than thesecurityoftheseproposalsstillneedfurtherstudy. The conventional approaches. Therefore, security evaluations of foundationsofcryptostorageneedtobedevelopedsystemat- PUFs must not just address whether a PUF can be repro- ically: Whichfurtherstandarddesignprinciplesforphysical duced but also at which effort. memoriescouldbegivenup,tomakethemsecurity-memory bounded? How can EUR PUFs be constructed which are notbasedonquantum-storage? Howcanitbeensuredthat 7. CONCLUSION 4Physicalinformationisaphysicalsystemthathasacertain We proposed to define PUFs as physical memories de- computable relation to the outside world in space an time. signed with the objective to protect a well defined storage 5Themeaningofinformationisadescriptionoftherelation functionality against duplication with a mechanism that is between physical information and outside world. inseparablefromtheinformation-storagemechanism. PUFs inthissenseseemtocompletelycharacterizewhatthecom- in Proceedings of the 16th international GI/ITG munity always meant by this concept. conference on Measurement, Modelling, and We welcome challenges to this claim. Evaluation of Computing Systems and Dependability Our definition does not restrict PUF architectures in any and Fault Tolerance, ser. MMB’12/DFT’12. Berlin, way, but provides a clear separation to other conventional Heidelberg: Springer-Verlag, 2012, pp. 288–301. security modules. Conventional secure memories in which [9] U.Ru¨hrmair,“Simplsystems: Onapublickeyvariant information-storage and security mechanism are separable, of physical unclonable functions,” Cryptology ePrint i.e. protect against access to the informations-storage sys- Archive, International Association for Cryptologic tem, are no PUFs. In principle, their security mechanism Research, Tech. Rep., 2009. canalsoprotectentitiesdifferentfromassociatedmemories. [10] N. Beckmann and M. Potkonjak, “Hardware-based Therefore,aclassificationofsucharchitecturesastwoinde- public-key cryptography with public physically pendent security and storage architectures is more appro- unclonable functions,” in Information Hiding. priate. Springer, 2009, pp. 206–220. We argue that PUF research and development is a much [11] G. E. Suh and S. Devadas, “Physical unclonable morefundamentalandimportantfieldthanpreviouslythought. functions for device authentication and secret key In a sense, it is the discipline of the secure storage of phys- generation,” Design Automation Conference, 2007. ical information itself, just as cryptography is the field of DAC ’07. 44th ACM/IEEE, pp. 9–14, 2007. secure writing of the meaning of information. [12] B. Gassend, M. van Dijk, D. Clarke, E. Torlak, P. Tuyls, and S. Devadas, “Controlled physical random functions and applications,” ACM Transactions on Information and System Security, Acknowledgment vol. 10, no. 4, Jan. 2008. WethankRalphBreithaupt,UteGebhardt,DieterSchuster [13] U. Ru¨hrmair, J. So¨lter, and F. Sehnke, “On the and Markus Ullmann for helpful discussions and criticisms foundations of physical unclonable functions,” on previous drafts of this manuscript. We further thank Cryptology ePrint Archive, Report 2009/277, 2009, three anonymous referees for very helpful critical remarks. http://eprint.iacr.org/. [14] R. Maes, A. V. Herrewege, and I. Verbauwhede, 8. REFERENCES “Pufky: A fully functional puf-based cryptographic [1] B. Gassend, D. Clarke, M. van Dijk, and S. Devadas, key generator,” in CHES, vol. 7428. Springer, 2012, “Silicon physical random functions,” in CCS ’02: pp. 302–319. Proceedings of the 9th ACM conference on Computer [15] F. Pastawski, N. Y. Yao, L. Jiang, M. D. Lukin, and and communications security. New York, NY, USA: J. I. Cirac, “Unforgeable noise-tolerant quantum ACM, 2002, pp. 148–160. tokens,” 2011. [2] ——, “Delay-based circuit authentication and [16] J. Guajardo, S. S. Kumar, G. J. Schrijen, and applications,” in Symposium on Applied Computing P. Tuyls, “FPGA intrinsic PUFs and their use for IP (SAC), 2003. protection,” in 9th International Workshop of [3] R. Maes and I. Verbauwhede, “A discussion on the Cryptographic Hardware and Embedded Systems, properties of physically unclonable functions,” CHES’07, 2007, pp. 63–80. TRUST 2010 Workshop on Security Hardware, Berlin, [17] D. Lim, J. W. Lee, B. Gassend, G. E. Suh, M. van DE, 2010. Dijk, and S. Devadas, “Extracting secret keys from [4] A.-R. Sadeghi, I. Visconti, and C. Wachsmann, integrated circuits,” Very Large Scale Integration “PUF-enhanced rfid security and privacy,” in (VLSI) Systems, IEEE Transactions on, vol. 13, Workshop on Secure Component and System no. 10, pp. 1200–1205, December 2005. Identification (SECSI), 2010. [18] U. Ru¨hrmair, F. Sehnke, J. So¨lter, G. Dror, [5] F. Armknecht, R. Maes, A.-R. Sadeghi, F.-X. S. Devadas, and J. Schmidhuber, “Modeling attacks Standaert, and C. Wachsmann, “A formalization of on physical unclonable functions,” in Proceedings of the security features of physical functions,” in the 17th ACM conference on Computer and Proceedings of the 2011 IEEE Symposium on Security communications security, ser. CCS ’10. New York, and Privacy, ser. SP ’11. Washington, DC, USA: NY, USA: ACM, 2010, pp. 237–249. IEEE Computer Society, 2011, pp. 397–412. [Online]. [19] W. S. Wolfgang Killmann, “Ais 31 v3 - functionality Available: http://dx.doi.org/10.1109/SP.2011.10 classes and evaluation methodology for random [6] U. Ru¨hrmair, H. Busch, and S. Katzenbeisser, “Strong number generators,” Federal Office for Information PUFs: Models, constructions, and security proofs,” in Security (BSI), Germany, 2013, Towards Hardware-Intrinsic Security, A.-R. Sadeghi https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Zertifizierung and D. Naccache, Eds. Springer, 2010, pp. 79–96. /Interpretationen/AIS 31 pdf.pdf. [7] A. Maiti, V. Gunreddy, and P. Schaumont, “A systematic method to evaluate and compare the performance of physical unclonable functions,” Cryptology ePrint Archive, Report 2011/657, 2011, http://eprint.iacr.org/2011/657. [8] R.PlagaandF.Koob, “Aformaldefinitionandanew security mechanism of physical unclonable functions,”

See more

The list of books you might like

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.