ebook img

PUF-FSM: A Controlled Strong PUF PDF

0.47 MB·
Save to my drive
Quick download
Download
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview PUF-FSM: A Controlled Strong PUF

XXXX 1 PUF-FSM: A Controlled Strong PUF Yansong Gao and Damith C. Ranasinghe Abstract—Physical unclonable functions (PUF), as hardware exist strong PUFs such as the Optical PUF [6] and the SHIC securityprimitives,exploitmanufacturingrandomnesstoextract PUF [7], a practical and lightweight strong PUF realization instance-specificchallenge(input)response(output)pairs(CRPs). seamlessly compatible with current CMOS technology turns Since its emergence, the community started pursuing a strong out to be challenging [8] in front of modeling attacks such as PUF primitive that is with large CRP space and resilient to modeling building attacks. A practical realization of a strong logistic regression (LR) and recently revealed more powerful PUF is still challenging to date. This paper presents the PUF Covariance Matrix Adaptation Evolution Strategy (CMA-ES) 7 finite state machine (PUF-FSM) that is served as a practical attacks,whichhavebrokenpreviouslydeemedpracticalstrong controlled strong PUF. Previous controlled PUF designs have the 1 PUFsincludingXOR-APUF,FeedforwardAPUF,Lightweight difficultiesofstabilizingthenoisyPUFresponseswheretheerror 0 Secure PUF [9], [10], [11] and even Slender PUF [12], [13]. correction logic is required. In addition, the computed helper 2 datatoassisterrorcorrecting,however,leaksinformation,which Yu et al. [14] recently presented a practical strong PUF n poses the controlled PUF under the threatens of fault attacks through upper-bounding the available number of CRPs by a or reliability-based attacks. The PUF-FSM eschews the error an adversary. In this work, gaining new CRPs materials has J correction logic and the computation, storage and loading of to be implicitly authorized by the trusted entity, the concept 5 the helper data on-chip by only employing error-free responses of limiting access to CRPs is alike to controlled PUFs [3], 2 judiciously determined on demand in the absence of an Arbiter PUF with a large CRP space. In addition, the access to the detailedinSectionII-B.Yuetal.[14]furtherintroduceaPUF ] PUF-FSM is controlled by the trusted entity. Control in means devicesidenoncetopreventfaultattacksornoiseside-channel R of i) restricting challenges presented to the PUF and ii) further information based attacks [12], [13]. C preventing repeated response evaluations to gain unreliability We continue the efforts into pursuing a practical and side-channel information are foundations of defensing the most . lightweight strong PUF coined as the PUF-FSM. For au- s powerful modeling attacks. The PUF-FSM goes beyond authen- c tications/identifications to such as key generations and advanced thentication, the PUF-FSM gets around one major limitation [ cryptographic applications built upon a shared key. of [14] in terms of available secure authentication times 2 Index Terms—Physical uncloanble function, APUF, error-free (rounds). Beyond authentication, it enables key generation, v responses, statistical model, modeling attacks, fault attacks. key exchange and more advanced cryptographic applications 7 with no reliance on on-chip ECC and the associated helper 3 data. Eventually, the PUF-FSM is a practical controlled PUF 1 I. INTRODUCTION realization. Contributions of our work are fourfold: 4 Physical unclonable function (PUF), as a hardware security 0 • We present a practical and lightweight strong PUF re- . primitive, exploits manufacturing variations to extract secrets alization termed as PUF-FSM, also a controlled strong 1 on demand [1], [2]. PUFs are increasingly adopted to provide 0 PUF, enabling a wide spread of applications. 7 security for pervasive and ubiquitous distributed resource- • We,forthefirsttime,eschewtheECCandhelperdatato 1 constraint smart Internet of Thing (IoT) devices as an alter- buildacontrolledPUF.Weonlyemploylargenumberof : native to storing a digital secret in the non-volatile memory v available error-free responses in absence of the APUFs. Xi (NVM). In fact, digital keys in the NVM is vulnerable to • We post-process the responses to prevent traditional ma- variousattacks,especially,whenthereisnodedicatedroomin chine learning attacks such as LR that usually requires r cost sensitive IoT devices to implement expensive protection a direct relationship between challenge and response. mechanisms. By using a PUF, there is no digital secret— • We prevent noise side-channel information based attacks must be securely stored—involved, the hardware itself is the (fault attacks) such as the CMA-ES attacks by using secret key that is originated from true randomness, therefore, devicesidenonceinheritedfrom[14]todisableobserving the secret cannot be duplicated and holds higher resistance to repeated evaluated responses or outputs when the same attacks, especially invasive attacks [3]. challenge is maliciously applied. Since the first silicon PUF, Arbiter PUF (APUF), being Section II introduces related work, especially, judiciously se- coined in 2002 [4], the PUF community has never stopped lection of error-free responses from a statistical APUF model. pursuing on the so-called strong PUFs that not only have a Section III details the PUF-FSM design and analyzes its large challenge response pair (CRP) space but also resilient security; Wide spread of applications of the PUF-FSM are to modeling attacks. Applications of the strong PUF range presented in Section IV; Section V concludes this paper. from elementary identifications and authentications to key generations and more advanced cryptographic protocols such II. RELATEDWORK askeyexchangeandoblivioustransfer[5].Thoughtheredoes A. APUF Model for Error-Free Response Generation Y. Gao and D. C Ranasinghe are with the Auto-ID Labs, School of 1) Modeling APUF: The APUF consists of k stages of Computer Science, The University of Adelaide, SA 5005, Australia. e-mail: {yansong.gao,damith.ranasinghe}@adelaide.edu.au. two 2-input multiplexers as shown in Fig. 1, or any other XXXX 2 PUF challenge control logic response ECC helper data Fig.1. AnarbiterPUF(APUF)circuit. Fig.2. GeneralizedcontrolledPUFconstruction. units forming two signal paths. To generate a response bit, a signal is applied to the first stage input, while the challenge that almost 80% randomly given challenges guarantee error- C determines the signal path to the next stage. The input free responses across a wide range of operating conditions signalwillracethrougheachmultiplexerpath(topandbottom (temperature, voltage) as well as considering aging effects. paths) in parallel with each other. At the end of the APUF However, exploiting those error-free responses, especially, architecture, an arbiter, e.g., a latch, determines whether the in a secure manner was not considered. We take the first step top or bottom signal arrives first and hence results in a logic towards to securely exploiting those error-free responses to ‘0’ or ‘1’ accordingly. construct a strong PUF It has been shown that an APUF can be modelled via a linear additive model because a response bit is generated by B. Controlled PUF comparing the summation of each time delay segment in each The controlled PUF [17], [3] proposed by Gassend et al. is stage (two 2-input multiplexers) depending on the challenge a strong PUF construction. A controlled PUF is a PUF that is C, where C is made up of (c1||c2||...||ck) [9], [15], [10]. The combined with a control logic limiting the ways in which the notations in this section following [9], [10]. The final delay PUF can be evaluated. In general, without permission from a difference tdif between these two paths is expressed as: trusted entity, the controlled PUF is locked, no response will be meaningfully evaluated. When a user is authorized a CRP, t =ωTΦ, (1) dif more CRPs can be extracted. This is alike key management, wheremoresessionkeyscanbederivedfromamasterkey.In where ω and Φ are the delay determined vector and the practice, the controlled PUF is built as a means that the PUF parityvector,respectively,ofdimensionk+1asafunctionof C.Wedenoteσ1/0 asthedelayinstageiforthecrossed(c = and its control logic play complementary roles. As illustrated i i in Fig. 2, the PUF prevents invasive attacks on the control 1)anduncrossed(c =0)signalpaththroughthemultiplexers, i logic, at the same time, the control logic protects the PUF respectively. Hence σ1 is the delay of stage i when c = 1, i i from protocol level attacks. For example, the APUF delay while σ0 is the delay of stage i when c =0. Then i i wires wrap the control logic. If invasive attacks attempt to ω =(ω1,ω2 ... ωk,ωk+1)T, (2) probing the control logic, it is more likely that the PUF secret willbealteredanddamaged.Thecontrollogichaltsadaptively whereω1 = σ10−σ11,ωi = σi0−1+σi1−1+σi0−σi1 foralli=2,...,k evaluations on PUFs with no permission from the trusted 2 2 and ωk+1 = σk0+σk1, also entity. 2 The responses in the controlled PUF have to be post- Φ(C)=(Φ1(C),...,Φk(C),1)T, (3) processed, e.g., hashed. Previous works [17], [3] usually held an assumption that the error correction code (ECC) logic where Φj(C)=Πki=j(1−2ci) for j =1,...,k. and the associated helper data are default parts of a PUF. 2) Reliable Response Determination: Suppose the ω is In practice, the ECC logic and storing of helper data are known, given a challenge C, the Φ(C) is determined. Then always expensive, especially for most low-end IoT devices. the t is calculated. Noting that t eventually comprises In addition, availability of the helper data is a non-trivial task dif dif two important useful information: i) sgn(t ) determines the in practice, especially when the key renewal is occurred. In dif binaryresponse;ii)thereliabilityofthisresponse.Ifthet is this context, the user randomly picks up a seed challenge dif faralwayfromzero,thenthisgivessuchachallengewithfull andqueriestheoutput—e.g.,hashedresponses—fromthecon- confidence to reproduce the response without any erroneous. trolled PUF. Fully characterization of all possible CRP given In practice, physically measuring the t is hard, if not a PUF that has exponential number of CRPs, in particular dif possible. Xu et al. [16] recently exploit machine learning the popular employed APUF, and sequentially computing all techniques, specifically Support Vector Machine (SVM), to possible helper data is infeasible. The helper data given the learntheωusingasmallcollectionofCRPs.Onceanaccurate userrandomlychosenchallengescannotbealwaysguaranteed. ω islearnedthroughtheSVM,thet isabletobeaccurately Most importantly, usage of helper data poses the controlled dif predictedgivenanunseenC.Thenthecorrespondingresponse PUFunderpotentialthreatenfrommodelingattacksexploiting and its associated reliability is judiciously determined. If a noise side-channel information leakage [18], [19], [13]. challengeresultsinat thatisfarwayfromzero,thenitscor- The PUF-FSM is the first practical controlled PUF without dif responding response is error-free. Xu et al. [16] demonstrate using ECC along with the associated helper data and with an XXXX 3 C R TR1 TR1 TR2 TR2 TR3 TR3 TR4 TR4 TR5 TR5 TR6 TR6 PUF FSM S S S control logic SOE 0001 11 1001 1010 31 1001 1110 51 0001 RNG nonce hash key dDe=p3th S0 0110 S12 1100 S2 1000 S32 1011 S4 0101 S52 1101 SOE 1001 S13 0111 0011 S33 0100 0000 S53 1100 L=3 level Fig. 3. General structure of the PUF-FSM. Only the correct sequential challenges produced R can unlock the SOE. If the enable signal SOE Fig. 4. FSM example withfive levels(L=5) andthree depths(D =3). is disabled, the hash output is meaningless by presenting random values. WhenthetransitionedgeTRld,eg.,1100,isfed,currentstateS(l−1)d,eg., Otherwise, the key is generated based on part of the response R, Rsecret, S12,transitionsintoSld,eg.,S22.TheappliedTRld remainstheFSMatits andthenonce,wherekey=HASH(Rsecret,nonce). currentstate,markedbythereturningarrow. explicit countermeasure to reliability-based fault attacks. key=hash(R , nonce) secret R secret C. Finite State Machine (FSM) TR1 TR1 TR2 TR2 TR2 TR3 TR3 TR3 TR4 TR5 TR5 TR6 Finitestatemachine(FSM)isapopularsequentiallogic.In 0111 0110 1001 0011 1100 0000 1111 1010 1001 1100 0000 1100 0111 0011 S S S S S S S S S S S S a FSM, the next state depends on both the input (transaction 0 12 12 12 2 2 2 31 4 4 53 OE edge) and the current state. The FSM has been employed n bitsR for IC active metering [20], [21], [22]. In this context, the FSM combines with a unique chip identifier, usually a weak Fig.5. Partofn-bitR,Rsecretishashedtogeneratethekey.Allrestbits after reaching the enable signal SOE are not contributing to the key. Note PUF, where PUF responses act as transaction edges to unlock that the FSM example in Fig. 4 is used for state traverse illustration that is a function such as an Intellectual Property (IP). The PUF markedbythedottedredline. response given a challenge, here, act as a secret key. Previous works [20], [21], [22] extract a constant secret or a key from thenoisyPUFresponses.Pleasenotethatrequirementsonthe described and clear soon. Whenever the S is disabled, the OE on-chip ECC and helper data are still existed. output presents random values. Our work employs the FSM as a control logic to realize An exemplary FSM construction is depicted in Fig. 4. At thesaidcontrolledPUF.Wereleaselargenumberofchallenge the beginning of the PUF-FSM operation, the FSM resets to secretpairs.NeitherECCnorthehelperdataisnecessary.Be- its initial state S . Let’s assume that the TR is 0110, then yondICactivemetering,ourworkenablesauthentication,key 0 1 0110 0001 S −−−→S .SimilarlyiftheTR is0001,thenS −−−→S . generation, key exchange and more advanced cryptographic 0 12 1 0 11 If TR is from none of {0001,0110,1001}, or in other words protocols where a shared secret is required. 1 the TR is fed, then S −T−R→1 S . Note that when the TR is fed, 1 0 0 the FSM remains at its current state. In this case example, for III. PUF-FSM:DESIGNANDSECURITYANALYSIS even states S ,S ,S , the TR having D transition edges that 0 2 4 l A. PUF-FSM Structure canleadittoanyofthefollowingD states,restTR haveonly l The PUF-FSM structure is generalized in Fig. 3. It consists one correct transition edge that leads it to the following state. of a PUF, a FSM, a hash and a random number generator Though other FSM structures can be envisioned, the FSM (RNG) block. Similar to priori work [14], the direct PUF in our proposal has L—always an odd number—internal state responses can only be evaluated by the trusted entity in a layers(levels);eachoddinternallayerhasD parallelstates.A secure environment to build APUF statistical model(s), and constant number, L+1, of TR is a must to reach to the S . l OE the direct access is destroyed afterwards, e.g., through fusing Both the TR and TR are 4-bit in this case example, therefore, l l the wire. the number of TR , and the maximum number of TR , n , l l lmax Duringdeployment,asetofnsequentialchallenges,C ,is in together is n, where we assume that the n is always a set 4 issued by the trusted entity, e.g., the server, the corresponding multiplication of 4 for convenience. In practice, the S can OE error-free responses R with length n is produced. The R is beactivatedinawaybyapplyingL+1TR andn TR ,noting l l l sequentiallyfedintotheFSMcontrollingthetransitionsofthe that n ≤n . The meaningful key will be given only after l lmax FSM states. Note that before the operation, the FSM resets to all n bits in R are fed into FSM—or n clock cycles past– S . Only a series of correct TR—sub-response enabling the and the S is activated/reached. The key is a hash function 0 OE state traverse from the current state to the next state—is able of part of the R that is the all sequentially fed L+1 TR and l toguaranteetheFSMtransitioningintotheS thatisanacti- n TR . An example illustration of the key formation is shown OE l l vationtounlockthekeyoutput.Inthiscontext,onlytheserver in Fig. 5—the state traverse path is illustrated in Fig. 4 in who owns the statistical APUF model is capable of issuing a the dotted red line. Once the S is reached, the rest TR are OE l correct challenge set, C to unlock the S to generate a neglected—will not be hashed to generate the key. It is worth set OB meaningful output as a key. Thekey is HASH(Rsecret, nonce), to stress again that the rest response bits are still fed into the the R is partial of R and formation of R will be FSM as redundant bits to hide the length of R . secret secret secret XXXX 4 1) Device Nonce: The device nonce is exploited to pre- controlled by the FSM. The control logic as shown in Fig. 3 vent observing repeatedly evaluated responses given the same first protects the underlying APUF(s) from modeling attacks challenge [12], [13], [19]. The security rationale shall be such as LR and SVM where knowledge of responses is clear in Section III-B. Nonce is part of the key, where the necessary [9], [10]. key=HASH(Rsecret, nonce). It is reminded that the key will As to perform recent revealed modeling attacks exploit- differ under each evaluation considering the freshed nonce ing the helper data information [19], [13], in other words, even the same C issued by the trusted entity is repeatedly the unreliability information of a given CRP, knowledge of set applied.Thenonceisvisible,thesecurityreliesontheR . which challenge is unreliable is a premise. Unlike traditional secret 2) Design Highlights: (1) Only under a correct set of modeling attacks, e.g, LR, reliability-based fault CMA-ES sequential challenges, C , the final state S of the FSM attacks[13]donotrequiretheknowledgeoftheresponsevalue set OE can be reached or activated; (2) the number of TR , n , before for a given challenge. Such a powerful CMA-ES attack even l l reaching the S and the number of TR , n −n , after threatens the security of a controlled PUF that employs the OE l lmax l reaching the S are flexible configured that is controlled helperdata.InourPUF-FSM,thereisnohelperdatainvolved. OE and only known by the trusted entity; (3) a meaningful key is Thus,exploitationofinformationleakagefromthehelperdata presented only when the S is activated and all n error-free to perform reliability-based attacks is excluded. OE response bits are fed into the FSM. If the S is disabled, Nowwithoutusingthedevicenonce,weexaminethemeans OE a random value is presented; (4) device nonce is employed of finding unreliable challenges by observing the PUF-FSM to prevent repeatedly responses’ observations given the same outputratherthangaininginformationfromthehelperdata.By maliciously applied challenge. applying arbitrarily challenges to the PUF-FSM and without priori knowledge of a correct C , there is no information set B. Security Analyses that can be observed and used by the adversary to discover the unreliable challenges. This lies on the fact that the output 1) AdversaryModel: Weconsiderthesameassumptionfor ofthePUF-FSMisrandomormeaningless,iftheenablesignal controlled PUFs [17], [3] that physical attacks on the control S islocked/disabled.ThecomplexityofunlockingtheS logic is more likely to alter or even destroy the PUF itself. OE OE without the participation of the trusted entity is same to the The adversary can eavesdrop the communication channel and brute-force attacks given in (4). arbitrarily apply challenges to the PUF-FSM input to observe We note that there still exists a potential way to determine the PUF-FSM output. Furthermore, the nonce is visible. The an unreliable challenge through exhaustive search under the adversary attempts to obtain useful information to learn the assumption that a priori C has been eavesdropped and now APUF model in the PUF block. set theadversaryisholdingthephysicalPUF-FSM.Theadversary 2) Brute-force Attacks: As for an adversary, the proba- chooses an unused challenge C to replace one challenge bility of discovering a meaningful key through guessing a x C in the eavesdropped C to observe the output of the correct C without the assistance from the trusted entity is i set set PUF-FSM. If C is an unreliable challenge and its response expressed: x contributes to the TR. Then under repeatedly evaluations, the D 1 L+1 L+1 adversary can determine such an unreliable challenge when Probability=( ) 2 ×( ) 2 , (4) 2nTR 2nTR the key and random output are iteratively exhibited. If C is x where the n is the length of TR . In the case example of unreliable and its response contributes to the TR . Then under TR l l Fig. 4, the n is four. For each even layer, the probability repeatedly evaluations, an unreliable challenge is determined TR of guessing one correct transition edge is ( D ), while the when two differing keys are iteratively exhibited. Through 2nTR probability of guessing a correct transition edge for given an continuous exhaustive searching, other unreliable challenges old layer is ( 1 ). canbedeterminedaswelltoperformreliability-basedattacks. 2nTR The brute-force attack becomes computationally infeasible By employing the device nonce alike [14], no matter the as the FSM state layer L or the n increases. In addition, C isunreliableornot,duetothenoncebeingrefreshedeach TR x even an adversary luckily guesses a correct C that unlocks evaluation,observingthesamekeybyrepeatedlyapplyingthe set the S , (s)he is actually incapable of recognizing it. Output samechallengeisinfeasible.Thus,discoveryoftheunreliable OE from the PUF-FSM looks random to the adversary under challenge is disabled. The reliability-based attack [12], [13] each evaluation without prior knowledge of a correct C is, as a result, prevented. set attributing to the refreshed nonce. 3) ModelingAttacks: TheplausibleattacksonstrongPUFs IV. APPLICATIONS are modeling attacks. Numerous works [9], [10], [11], [12], A. Mutual Authentication [13] have shown the vulnerability of the strong PUFs to modeling attacks. Those deemed but later breakable strong The PUF-FSM achieves mutual rather than common uni- PUFs include XOR-APUF, Feedforward APUF, Lightweight directional authentication. Recall that only a trusted entity Secure PUF and even Slender PUF. has the capability of issuing a correct challenge sequence to In PUF-FSM, arbitrarily CRP collection is disabled by activatetheS .Asaconsequence,onlythePUF-FSMdevice OE any party except the trusted entity during the secure en- and the trusted entity know the S . secret rollment phase. After the enrollment phase, the response is When the PUF-FSM is transfered to the user. The trusted never directly exposed unless hashing and its usage is further entity issues a C and sends them to the user may through set XXXX 5 insecure communication channels. The user presents the C extracting a key. As a controlled PUF, it holds the promise of set to the PUF-FSM and sends both the nonce and the PUF- a cost-effective way to increase resistance to various attacks, FSMoutput(key)backtothetrustedentity.Thetrustedentity especially invasive attacks, for IoT devices. Security analyses computes a key, HASH(Rsecret, nonce), and compares it with demonstratethatthePUF-FSMisresilienttomodelingattacks. the key received. If they are same, the user holding the PUF- FSM is authenticated. Once the user is authenticated, the REFERENCES user applies the same C again to the PUF-FSM to obtain [1] G. E. Suh and S. Devadas, “Physical unclonable functions for device set a refreshed output (key). The user asks the refreshed key authentication and secret key generation,” in Proc. Design Automation Conf.(DAC). ACM,2007,pp.9–14. computedbythetrustedentityaftersendingoutthenonce.The [2] C.Herder,M.-D.Yu,F.Koushanfar,andS.Devadas,“Physicalunclon- trusted entity is authenticated by the user only if the received able functions and applications: A tutorial,” Proc. IEEE, vol. 102, pp. computed key is same to the key produced by the PUF-FSM. 1126–1141,2014. [3] B.Gassend,M.V.Dijk,D.Clarke,E.Torlak,S.Devadas,andP.Tuyls, “Controlled physical random functions and applications,” ACM Trans- actionsonInformationandSystemSecurity,vol.10,no.4,p.3,2008. B. Key Exchange [4] B. Gassend, D. Clarke, M. Van Dijk, and S. Devadas, “Silicon phys- Followingtheforegoingmutualauthentication,weconsider ical random functions,” in Proc. Conf. Computer and communications security. ACM,2002,pp.148–160. the key exchange scenario between the user and the trusted [5] U. Ruhrmair and M. Van Dijk, “PUFs in security protocols: Attack entity. The user applies the same C and sends the nonce modelsandsecurityevaluations,”inIEEESymposiumonSecurityand set to the trusted entity. But there is no key (shared key) sending Privacy(SP),2013,pp.286–300. [6] R. Pappu, B. Recht, J. Taylor, and N. Gershenfeld, “Physical one-way between two parties. Now only the user who holds the PUF- functions,”Science,vol.297,no.5589,pp.2026–2030,2002. FSM and the trusted entity know the shared key. The user [7] U.Ruhrmair,C.Jaeger,M.Bator,M.Stutzmann,P.Lugli,andG.Csaba, obtainsitfromthePUF-FSM,whiletheservercomputesitby “Applications of high-capacity crossbar memories in cryptography,” IEEETrans.Nanotechnol.,vol.10,no.3,pp.489–498,2011. hashing the R and the nonce. secret [8] A. Vijayakumar, V. C. Patil, C. B. Prado, and S. Kundu, “Machine learning resistant strong puf: Possible or a pipe dream?” in Int. Symp. HardwareOrientedSecurityandTrust(HOST). IEEE,2016,pp.19–24. C. Controlled PUF [9] U.Ruhrmair,J.Solter,F.Sehnke,X.Xu,A.Mahmoud,V.Stoyanova, G.Dror,J.Schmidhuber,W.Burleson,andS.Devadas,“PUFmodeling Served as a controlled PUF, intermediate benefits of the attacks on simulated and silicon data,” IEEE Trans. Inf. Forensics PUF-FSM are the exclusion of the on-chip ECC logic and the Security,vol.8,no.11,pp.1876–1891,2013. usage of helper data, which finally release the constraints on [10] U.Ru¨hrmair,F.Sehnke,J.So¨lter,G.Dror,S.Devadas,andJ.Schmid- huber, “Modeling attacks on physical unclonable functions,” in CCS, a practical realization of the controlled PUF. In addition, no 2010,pp.237–249. ECC and helper data eliminates potential security concerns [11] M. Majzoobi, F. Koushanfar, and M. Potkonjak, “Testing tech- on previous controlled PUF designs from modeling attacks, niques for hardware security,” in Proc. Int. Test Conf. ITC, 2008, DOI:10.1109/TEST.2008.4700636. where the helper data leaks information [13], [18], [19]. [12] G.T.Becker,“Thegapbetweenpromiseandreality:Ontheinsecurity 1) Key Obtain: As an intentional design purpose, the of XOR Arbiter PUFs,” in Cryptographic Hardware and Embedded controlled PUF restricts the means in which a PUF can be Systems(CHES). Springer,2015,pp.535–555. [13] G.T.Becker,“OnthepitfallsofusingArbiter-PUFsasbuildingblocks,” evaluated.WhoholdsthePUF-FSMisunabletoevaluateitto IEEETrans.Comput.-AidedDesignIntegr.CircuitsSyst,vol.34,no.8, obtain a (cid:104)Cset,Rsecret(cid:105)—(cid:104),(cid:105) means a tuple—without permis- pp.1295–1307,2015. sionfromthetrustedentity.Toacquirea(cid:104)C ,R (cid:105),first, [14] M.-D. Yu, M. Hiller, J. Delvaux, R. Sowell, S. Devadas, and I. Ver- set secret bauwhede, “A lockdown technique to prevent machine learning on the mutual authentication is performed to establish trustiness PUFsforlightweightauthentication,”IEEETransactionsonMulti-Scale between the trusted entity and the user who needs to hold ComputingSystems,2016,DOI:10.1109/TMSCS.2016.2553027. the physical PUF-FSM. Then the trusted entity issues a fresh [15] D.Lim,“Extractingsecretkeysfromintegratedcircuits,”Ph.D.disser- tation,MassachusettsInstituteofTechnology,2004. set of challenges to the user who is now authorized with a [16] X. Xu, W. Burleson, and D. E. Holcomb, “Using statistical models (cid:104)Cset,Rsecret(cid:105). to improve the reliability of delay-based PUFs,” in Proc. Symp. VLSI. 2) Key Renewal: Once the user is authorized with a IEEE,2016,pp.547–552. [17] B.Gassend,D.Clarke,M.VanDijk,andS.Devadas,“Controlledphys- (cid:104)C,R (cid:105), (s)he is able to renew arbitrary keys from the secret icalrandomfunctions,”inProc.AnnualComputerSecurityApplications PUF-FSM. The Rsecret can be treated as a master secret, Conf. IEEE,2002,pp.149–160. whereallothersub-keys, HASH(Rsecret,nonce),areavailable. [18] oGn.Td.eBlaeyckbears,eRd.PKUuFmadreesitganls.,.”“AIAcCtivReCanrdypptoalsosgivyeesPidrein-cthAanrcnheilvaet,tavcokls. Given a known nonce, the user and the trusted entity can 2014,p.287,2014. retrieve sub-keys or sub-session keys without issuing a new [19] J. Delvaux, D. Gu, D. Schellekens, and I. Verbauwhede, “Helper data challengeset.Asharedkeybetweentwopartiesindeedenable algorithmsforPUF-basedkeygeneration:Overviewandanalysis,”IEEE Trans. Comput.-Aided Design Integr. Circuits Syst., vol. 34, no. 6, pp. a wide variety of standard cryptographic protocols to be 889–902,2015. implemented [3]. [20] F. Koushanfar and G. Qu, “Hardware metering,” in Proc. Design AutomationConf. ACM,2001,pp.490–493. [21] F.Koushanfar,“Provablysecureactiveicmeteringtechniquesforpiracy V. CONCLUSION avoidance and digital rights management,” IEEE Trans. Inf. Forensics Security,vol.7,no.1,pp.51–63,2012. We have presented a practical controlled strong PUF, PUF- [22] J. Zhang, Y. Lin, Y. Lyu, and G. Qu, “A PUF-FSM binding scheme FSM, by (1) exploiting error-free responses in absence of forFPGAIPprotectionandpay-per-devicelicensing,”IEEETrans.Inf. an APUF and (2) controlling the means of evaluating the ForensicsSecurity,vol.10,no.6,pp.1137–1150,2015. [23] M.Majzoobi,F.Koushanfar,andPotkonjak,“LightweightsecurePUFs,” PUF by using a control logic. The PUF-FSM requires neither inProc.IEEE/ACMInt.Conf. Computer-AidedDesign,2008,pp.670– on-chip ECC nor helper data that were usually must when 673.

See more

The list of books you might like

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.