Paper Summary: Physically Unclonable Functions ... - Semantic Scholar
Paper Summary: Physically Unclonable Functions: A Study on the State of the Art and Future Research Directions Zahra Ghodsi New York University Email: [email protected] Abstract—This is a summary of paper on Physically Unclonable Functions: A Study on the State of the Art and Future Research Directions as part of the final project for Principles of Software Security, Fall 2015 course. Keywords—Physical Unclonable Function, Challenge, Response.
I.
I NTRODUCTION
Random physical features have been used to indentify objects and people from a long time ago. Fingerprint identification of humans dates back to the nineteenth century. Later, random patterns in paper and optical tokens were used for unique identification of currency notes. A formalization of this concept was introduced first as physical one-way functions, physical random functions, and finally as physically unclonable functions or PUFs. Although the practical relevance of PUFs for security was recognized from the start, the interest in PUFs has risen over the last couple of years, making them a hot topic in the field of hardware security. This paper provides an extensive overview of PUFs and PUF-like proposals up to date. II.
PUF T ERMINOLOGY AND M EASURES
In this section we introduce the terms and measures used in describing PUFs. Challenge response terminology, interand intra-distance measures and the problem of environmental effects and possible solutions are discussed in the following sections. A. Challenges and Responses
•
The intra-distance between two evaluations on one single PUF instantiation is the distance between the two responses resulting from applying this challenge twice to one PUF.
Both inter- and intra-distance are measured on a pair of responses resulting from the same challenge and their values can vary depending on the challenge and the PUFs involved. C. Environmental Effects As it was pointed out in the previous section, applying the same challenge to the same PUF does not result in the same response due to random noise and measurement uncertainties. Because environmental effects are systematic, techniques can be introduced to reduce their influence of the PUF responses. Possible options are: •
If the effects are partially linear, by considering the relation between two simultaneous measurements one obtains a much more robust measure. This technique is called compensation.
•
Certain implementation strategies have a reduced environmental dependency. Also, one can select the environmentally robust responses beforehand and ignore the unstable ones.
•
If the effect of environmental factor is high, it can be measured by an independent onboard sensor. By introducing different operation intervals, one can minimize the environmental effects within one interval.
Despite what the name suggests, PUFs are not functions in the mathematical sense, since an input to a PUF might have more than one possible output. An input to a PUF is called a challenge and the output a response. An applied challenge and its measured response is generally called a challenge-response pair or CRP and the relation enforced between challenges and responses by one PUF is referred to as its CRP behavior.
This section provides a thorough overview of proposed instantiations of PUFs in literature, taking into account certain constructions which have not been labeled a PUF by originators but possess PUF-like properties.
B. Inter- and Intra-distance Measures
A. Non-electronic PUFs
For a set of instantiations of a particular PUF, inter- and intra-distances are calculated as follows: •
The inter-distance between two different PUF instantiations for a particular challenge, is the distance between the two responses resulting from this challenge.
III.
PUF I NSTANTIATIONS
The common denominator non-electronic in this section reflects the nature of the components in the system that contribute to the random structure which makes the PUF unique. The measurement, processing and storage techniques can be using electronics.
1) Optical PUFs: Well before the introduction of PUFs, an early version of an unclonable identification system was proposed. The core element in optical PUFs is an optical token which is radiated with a helium-neon laser. The speckle pattern that arises is captured by a CCD camera for digital processing. A Gabor hash is applied to the observed speckle pattern as a feature extraction procedure. The actual PUF functionality is then completed by a challenge which describes the exact orientation of the laser. The basic implementation of an optical PUF is shown in Figure 1. It is clear that the use of an optical PUF is rather laborious due to the large setup involving a laser and a tedious mechanical positioning system.
2) Ring Oscillator PUFs: The output of a digital delay line is inverted and fed back to its input, creating an asynchronously oscillating loop, also called a ring oscillator. It is evident that the frequency of this oscillator is precisely determined by the exact delay of the delay line. Measuring the frequency is hence equivalent to measuring the delay which will also be partially random and device dependent. IV.
PUF P ROPERTIES
The notion of a physically unclonable function is hard to capture in one closed definition, given the wide variety of different PUF proposals. In this section, we look into PUF properties, check different PUF proposals against them and finally try to detect a least common subset of necessary properties for a PUF construction. A. Property Description In this section we will list the most important properties of PUFs. We consider a PUF as a physical challenge-response procedure. This would imply that PUF should be a physical entity and cannot be an abstract concept, and also, that PUF is a procedure with some input-output functionality. We use the notation Π : X → Y : Π(x) = y to denote the challengeresponse functionality of a PUF Π. Below, we list seven properties which regularly occure and give an informal description of each:
Fig. 1.
Basic operation of an optical PUF.
B. Analog Electronic PUFs In this section, a number of PUF constructions whose basic operation consists of an analog measurement of an electric or electronic quantity are discussed. 1) VT PUFs: The first technique to assign a unique identification to every single instance of a regular integrated circuit was called ICID. A number of equally designed transistors are laid out in an addressable array. The addressed transistor drives a resistive load and because of the effect of manufacturing variations on the threshold voltages (VT ) of these transistors, the current through this load will be partially random. C. Delay-Based Intrinsic PUFs We distinguish two prerequisites for a PUF to be called intrinsic: 1) 2)
The PUF, including the measurement equipment, should be fully integrated in the embedding device. The complete PUF construction should consist of procedures and primitives which are naturally available for the manufacturing process of the embedding device.
1) Arbiter PUFs: The basic idea is to introduce a digital race condition on two paths on a chip and to have a so-called arbiter circuit decide which of the two paths won the race. If the two paths are designed symmetrically, i.e., with the same intended delay, then the outcome of the race is not fixed beforehand.
1. Evaluatable: given Π and x, it is easy to evaluate y = Π(x). From a theoretical perspective, easy means it takes polynomial time and effort to evaluate the PUF. From a practical perspective, it means we want to introduce as little overhead as possible, e.g. in the restricted timing, area, power and energy constraints of an integrated chip. 2. Unique: Π(x) contains some information about the identity of the physical entity embedding Π. Before defining the uniqueness property, we must first define information and identity. The information in a PUF response Π(x) relates to the partition which can be made in the population of PUFs based on that response. In the ideal case, a set of CRPs would partition the population with a single PUF in it. One measure of uniquness is the inter-distance histogram, summarized by its average value µintra . 3. Reproducible: y = Π(x) is reproducible up to a small error. This means that the different evaluations of the same challenge x on the same PUF should produce responses close in the considered distance metric. This is measured by the intra-distance histogram and summarized by its average value µinter . This property distinguishes PUFs from random number generators. 4. Unclonable: given Π, it is hard to construct a procedure Γ 6= Π such that ∀x ∈ X : Γ(x) ≈ Π(x) up to a small error. Note that Γ is described as a procedure, and not necessarily a physical procedure. We explicitly distinguish between physical and mathematical unclonability. If it is hard to come up with a physical entity such that ∀x : ΠΓ (x) ≈ Π(x), we say that Π is physically unclonable. On the other hand, if it is difficult to come up with a mathematical procedure fΓ such that ∀x : fΓ (x) ≈ Π(x), we say that Π is mathematically unclonable. Physical and mathematical unclonability
are different properties and one entity can be easy to clone physically but not mathematically or vice versa. In order to be unclonable, Π needs to be both physically and mathematically unclonable. Although practically, cloning can be very difficult or impossible, demonstrating theoretical unclonability is not so easy. Only the systems based on quantum physics can be proven to be theoretically unclonable. 5. Unpredictable: given only a set Q = {(xi , yi = Π(xi ))}, it is hard to predict yc ≈ Π(xc ) up to a small error, for xc a random challenge such that (xc , .) ∈ / Q. This property can be interpreted as a form of unclonability. It is easy to build a mathematical clone if one can predict the outcome of a random challenge, from observing a set of CRPs. Therefore, predictability implies clonability. 6. One-way: given only y and Π, it is hard to find x such that Π(x) = y. One-wayness is a classical property of cryptography systems. Early definitions of PUFs describe them as one-way functions. 7. Tamper evident: altering the physical entity embedding Π transforms Π → Π0 such that with high probability ∃x ∈ X : Π(x) 6= Π0 (x), not even up to a small error. Tampering is defined as making permanent changes to the integrity of a physical entity. Tamper proof systems are those for which tampering would not reveal any information, whereas tamper evident systems are those for which tampering leaves indelible evidence. A PUF is tamper evident if tampering with the PUF changes the CRP behavior of the PUF. V.
PUF A PPLICATION S CENARIOS
In this section, we present the three application scenarios in which PUFs are used, i.e., system identification, secret key generation and hardware-entangled cryptography. A. System Identification PUFs can be used for indentification due to their unclonability property. Very similar to a biometrical identification scheme, PUF responses are used directly for identification. During an enrollment phase, a number of CRPs from the PUF are stored in a database, together with the identity of the system. During identification, the verifier picks a random CRP from the database and challenges the PUF with. The identification is successful if the response observed is close enough to the response in the database. Each CRP should only be deleted from the database after identification in order to prevent replay attacks. Figure 2 shows the threshold used to decide on a positive identification. There is a trade-off between false-acceptance rate (FAR) and false-rejection rate (FRR). The optimal choice is achieved by minimizing the sum of FAR and FRR which is done by setting the threshold at the intersection of both histograms.
Fig. 2.
Details of basic PUF-based identification.
therefore no non-volatile memory is required to store the key. Moreover, since the key is not permanently stored in digital format, but only appears in volatile memory when requred for operation, it offers additional security against probing attacks and side-channel attacks. Finally, possible tamper evidence of the PUF can be used to provide tamper-proof key storage. PUF responses are usually noisy and with limited entropy, therefore, they cannot be used as keys for cryptographic algorithms which require uniformly random and reliable keys. An intermediate processing step is added to extract a cryptographic key from the response with a two-phase algorithm. In the initial generation phase, the PUF is queried and the algorithm produces the secret key as well as some additional helper data. In the reproduction phase, the verifier presents the helper data to the algorithm and extracts the same key from the PUF. The helper data can be publicly communicated between the verifier and the device, but the key will remain perfectly secret. C. Hardware-Entangled Cryptography Instead of using the PUF to create a secret cryptographic key, one can fully integrate the PUF in the primitive itself, leading to hardware-entangled cryptographic primitives. In this case, the secret element of the primitive is the full unique CRP behavior of the PUF. Figure 3 shows a schematic comparison of classical cryptography with a PUF-based key and hardwareentangled cryptography. For hardware-entangled cryptographic
Fig. 3. Schematic comparison of cryptography with PUF-based key generation and hardware-entangled cryptography.
primitives there is no key stored in either volatile and nonvolatile memory. This provides full security against nonvolatile memory attacks, as well as attacks on volatile memory.
B. Secret Key Generation Intrinsic randomness property of PUFs make them excellent choices for use in secret key generation and storage. This randomness comes from inevitable manufacturing variability, so no explicit key-programming step is required. In addition, this randomness is fixed in the physical details of the chip and
R EFERENCES [1]
R. Maes and I. Verbauwhede, Physically Unclonable Functions: A Study on the State of the Art and Future Research Directions, Towards Hardware-Intrinsic Security, Springer Berlin Heidelberg, 2010.
I.
I NTRODUCTION
Random physical features have been used to indentify objects and people from a long time ago. Fingerprint identification of humans dates back to the nineteenth century. Later, random patterns in paper and optical tokens were used for unique identification of currency notes. A formalization of this concept was introduced first as physical one-way functions, physical random functions, and finally as physically unclonable functions or PUFs. Although the practical relevance of PUFs for security was recognized from the start, the interest in PUFs has risen over the last couple of years, making them a hot topic in the field of hardware security. This paper provides an extensive overview of PUFs and PUF-like proposals up to date. II.
PUF T ERMINOLOGY AND M EASURES
In this section we introduce the terms and measures used in describing PUFs. Challenge response terminology, interand intra-distance measures and the problem of environmental effects and possible solutions are discussed in the following sections. A. Challenges and Responses
•
The intra-distance between two evaluations on one single PUF instantiation is the distance between the two responses resulting from applying this challenge twice to one PUF.
Both inter- and intra-distance are measured on a pair of responses resulting from the same challenge and their values can vary depending on the challenge and the PUFs involved. C. Environmental Effects As it was pointed out in the previous section, applying the same challenge to the same PUF does not result in the same response due to random noise and measurement uncertainties. Because environmental effects are systematic, techniques can be introduced to reduce their influence of the PUF responses. Possible options are: •
If the effects are partially linear, by considering the relation between two simultaneous measurements one obtains a much more robust measure. This technique is called compensation.
•
Certain implementation strategies have a reduced environmental dependency. Also, one can select the environmentally robust responses beforehand and ignore the unstable ones.
•
If the effect of environmental factor is high, it can be measured by an independent onboard sensor. By introducing different operation intervals, one can minimize the environmental effects within one interval.
Despite what the name suggests, PUFs are not functions in the mathematical sense, since an input to a PUF might have more than one possible output. An input to a PUF is called a challenge and the output a response. An applied challenge and its measured response is generally called a challenge-response pair or CRP and the relation enforced between challenges and responses by one PUF is referred to as its CRP behavior.
This section provides a thorough overview of proposed instantiations of PUFs in literature, taking into account certain constructions which have not been labeled a PUF by originators but possess PUF-like properties.
B. Inter- and Intra-distance Measures
A. Non-electronic PUFs
For a set of instantiations of a particular PUF, inter- and intra-distances are calculated as follows: •
The inter-distance between two different PUF instantiations for a particular challenge, is the distance between the two responses resulting from this challenge.
III.
PUF I NSTANTIATIONS
The common denominator non-electronic in this section reflects the nature of the components in the system that contribute to the random structure which makes the PUF unique. The measurement, processing and storage techniques can be using electronics.
1) Optical PUFs: Well before the introduction of PUFs, an early version of an unclonable identification system was proposed. The core element in optical PUFs is an optical token which is radiated with a helium-neon laser. The speckle pattern that arises is captured by a CCD camera for digital processing. A Gabor hash is applied to the observed speckle pattern as a feature extraction procedure. The actual PUF functionality is then completed by a challenge which describes the exact orientation of the laser. The basic implementation of an optical PUF is shown in Figure 1. It is clear that the use of an optical PUF is rather laborious due to the large setup involving a laser and a tedious mechanical positioning system.
2) Ring Oscillator PUFs: The output of a digital delay line is inverted and fed back to its input, creating an asynchronously oscillating loop, also called a ring oscillator. It is evident that the frequency of this oscillator is precisely determined by the exact delay of the delay line. Measuring the frequency is hence equivalent to measuring the delay which will also be partially random and device dependent. IV.
PUF P ROPERTIES
The notion of a physically unclonable function is hard to capture in one closed definition, given the wide variety of different PUF proposals. In this section, we look into PUF properties, check different PUF proposals against them and finally try to detect a least common subset of necessary properties for a PUF construction. A. Property Description In this section we will list the most important properties of PUFs. We consider a PUF as a physical challenge-response procedure. This would imply that PUF should be a physical entity and cannot be an abstract concept, and also, that PUF is a procedure with some input-output functionality. We use the notation Π : X → Y : Π(x) = y to denote the challengeresponse functionality of a PUF Π. Below, we list seven properties which regularly occure and give an informal description of each:
Fig. 1.
Basic operation of an optical PUF.
B. Analog Electronic PUFs In this section, a number of PUF constructions whose basic operation consists of an analog measurement of an electric or electronic quantity are discussed. 1) VT PUFs: The first technique to assign a unique identification to every single instance of a regular integrated circuit was called ICID. A number of equally designed transistors are laid out in an addressable array. The addressed transistor drives a resistive load and because of the effect of manufacturing variations on the threshold voltages (VT ) of these transistors, the current through this load will be partially random. C. Delay-Based Intrinsic PUFs We distinguish two prerequisites for a PUF to be called intrinsic: 1) 2)
The PUF, including the measurement equipment, should be fully integrated in the embedding device. The complete PUF construction should consist of procedures and primitives which are naturally available for the manufacturing process of the embedding device.
1) Arbiter PUFs: The basic idea is to introduce a digital race condition on two paths on a chip and to have a so-called arbiter circuit decide which of the two paths won the race. If the two paths are designed symmetrically, i.e., with the same intended delay, then the outcome of the race is not fixed beforehand.
1. Evaluatable: given Π and x, it is easy to evaluate y = Π(x). From a theoretical perspective, easy means it takes polynomial time and effort to evaluate the PUF. From a practical perspective, it means we want to introduce as little overhead as possible, e.g. in the restricted timing, area, power and energy constraints of an integrated chip. 2. Unique: Π(x) contains some information about the identity of the physical entity embedding Π. Before defining the uniqueness property, we must first define information and identity. The information in a PUF response Π(x) relates to the partition which can be made in the population of PUFs based on that response. In the ideal case, a set of CRPs would partition the population with a single PUF in it. One measure of uniquness is the inter-distance histogram, summarized by its average value µintra . 3. Reproducible: y = Π(x) is reproducible up to a small error. This means that the different evaluations of the same challenge x on the same PUF should produce responses close in the considered distance metric. This is measured by the intra-distance histogram and summarized by its average value µinter . This property distinguishes PUFs from random number generators. 4. Unclonable: given Π, it is hard to construct a procedure Γ 6= Π such that ∀x ∈ X : Γ(x) ≈ Π(x) up to a small error. Note that Γ is described as a procedure, and not necessarily a physical procedure. We explicitly distinguish between physical and mathematical unclonability. If it is hard to come up with a physical entity such that ∀x : ΠΓ (x) ≈ Π(x), we say that Π is physically unclonable. On the other hand, if it is difficult to come up with a mathematical procedure fΓ such that ∀x : fΓ (x) ≈ Π(x), we say that Π is mathematically unclonable. Physical and mathematical unclonability
are different properties and one entity can be easy to clone physically but not mathematically or vice versa. In order to be unclonable, Π needs to be both physically and mathematically unclonable. Although practically, cloning can be very difficult or impossible, demonstrating theoretical unclonability is not so easy. Only the systems based on quantum physics can be proven to be theoretically unclonable. 5. Unpredictable: given only a set Q = {(xi , yi = Π(xi ))}, it is hard to predict yc ≈ Π(xc ) up to a small error, for xc a random challenge such that (xc , .) ∈ / Q. This property can be interpreted as a form of unclonability. It is easy to build a mathematical clone if one can predict the outcome of a random challenge, from observing a set of CRPs. Therefore, predictability implies clonability. 6. One-way: given only y and Π, it is hard to find x such that Π(x) = y. One-wayness is a classical property of cryptography systems. Early definitions of PUFs describe them as one-way functions. 7. Tamper evident: altering the physical entity embedding Π transforms Π → Π0 such that with high probability ∃x ∈ X : Π(x) 6= Π0 (x), not even up to a small error. Tampering is defined as making permanent changes to the integrity of a physical entity. Tamper proof systems are those for which tampering would not reveal any information, whereas tamper evident systems are those for which tampering leaves indelible evidence. A PUF is tamper evident if tampering with the PUF changes the CRP behavior of the PUF. V.
PUF A PPLICATION S CENARIOS
In this section, we present the three application scenarios in which PUFs are used, i.e., system identification, secret key generation and hardware-entangled cryptography. A. System Identification PUFs can be used for indentification due to their unclonability property. Very similar to a biometrical identification scheme, PUF responses are used directly for identification. During an enrollment phase, a number of CRPs from the PUF are stored in a database, together with the identity of the system. During identification, the verifier picks a random CRP from the database and challenges the PUF with. The identification is successful if the response observed is close enough to the response in the database. Each CRP should only be deleted from the database after identification in order to prevent replay attacks. Figure 2 shows the threshold used to decide on a positive identification. There is a trade-off between false-acceptance rate (FAR) and false-rejection rate (FRR). The optimal choice is achieved by minimizing the sum of FAR and FRR which is done by setting the threshold at the intersection of both histograms.
Fig. 2.
Details of basic PUF-based identification.
therefore no non-volatile memory is required to store the key. Moreover, since the key is not permanently stored in digital format, but only appears in volatile memory when requred for operation, it offers additional security against probing attacks and side-channel attacks. Finally, possible tamper evidence of the PUF can be used to provide tamper-proof key storage. PUF responses are usually noisy and with limited entropy, therefore, they cannot be used as keys for cryptographic algorithms which require uniformly random and reliable keys. An intermediate processing step is added to extract a cryptographic key from the response with a two-phase algorithm. In the initial generation phase, the PUF is queried and the algorithm produces the secret key as well as some additional helper data. In the reproduction phase, the verifier presents the helper data to the algorithm and extracts the same key from the PUF. The helper data can be publicly communicated between the verifier and the device, but the key will remain perfectly secret. C. Hardware-Entangled Cryptography Instead of using the PUF to create a secret cryptographic key, one can fully integrate the PUF in the primitive itself, leading to hardware-entangled cryptographic primitives. In this case, the secret element of the primitive is the full unique CRP behavior of the PUF. Figure 3 shows a schematic comparison of classical cryptography with a PUF-based key and hardwareentangled cryptography. For hardware-entangled cryptographic
Fig. 3. Schematic comparison of cryptography with PUF-based key generation and hardware-entangled cryptography.
primitives there is no key stored in either volatile and nonvolatile memory. This provides full security against nonvolatile memory attacks, as well as attacks on volatile memory.
B. Secret Key Generation Intrinsic randomness property of PUFs make them excellent choices for use in secret key generation and storage. This randomness comes from inevitable manufacturing variability, so no explicit key-programming step is required. In addition, this randomness is fixed in the physical details of the chip and
R EFERENCES [1]
R. Maes and I. Verbauwhede, Physically Unclonable Functions: A Study on the State of the Art and Future Research Directions, Towards Hardware-Intrinsic Security, Springer Berlin Heidelberg, 2010.
