Laser Fault Attack on Physically Unclonable Functions

Physically Unclonable Functions (PUFs) are introduced to remedy the shortcomings of traditional methods of secure key storage and random key generation on Integrated Circuits (ICs). Due to their effective and low-cost implementations, intrinsic PUFs are popular PUF instances employed to improve the security of different applications on reconfigurable hardware. In this work we introduce a novel laser fault injection attack on intrinsic PUFs by manipulating the configuration of logic cells in a programable logic device. We present two fault attack scenarios, where not only the effectiveness of modeling attacks can be dramatically increased, but also the entropy of the targeted PUF responses are drastically decreased. In both cases, we conduct detailed theoretical analyses by considering XOR arbiter PUFs and RO PUFs as the examples of PUF-based authenticators and PUF-based random key generators, respectively. Finally we present our experimental results based on conducting laser fault injection on real PUFs, implemented on a common complex programmable logic device manufactured in 180 nm technology.

[1]  Peter Schwabe,et al.  High-speed Curve25519 on 8-bit, 16-bit, and 32-bit microcontrollers , 2015, Des. Codes Cryptogr..

[2]  Jean-Max Dutertre,et al.  Fault Model Analysis of Laser-Induced Faults in SRAM Memory Cells , 2013, 2013 Workshop on Fault Diagnosis and Tolerance in Cryptography.

[3]  Jean-Pierre Seifert,et al.  Physical Characterization of Arbiter PUFs , 2014, IACR Cryptol. ePrint Arch..

[4]  Michael Hutter,et al.  Optical Fault Attacks on AES: A Threat in Violet , 2009, 2009 Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC).

[5]  Miodrag Potkonjak,et al.  Lightweight secure PUFs , 2008, 2008 IEEE/ACM International Conference on Computer-Aided Design.

[6]  Jean-Pierre Seifert,et al.  Why Attackers Win: On the Learnability of XOR Arbiter PUFs , 2015, TRUST.

[7]  Ross J. Anderson,et al.  Optical Fault Induction Attacks , 2002, CHES.

[8]  Dana Angluin,et al.  Learning Regular Sets from Queries and Counterexamples , 1987, Inf. Comput..

[9]  Srinivas Devadas,et al.  Modeling attacks on physical unclonable functions , 2010, CCS '10.

[10]  Jean-Pierre Seifert,et al.  Invasive PUF Analysis , 2013, 2013 Workshop on Fault Diagnosis and Tolerance in Cryptography.

[11]  Régis Leveugle,et al.  Glitch and Laser Fault Attacks onto a Secure AES Implementation on a SRAM-Based FPGA , 2011, Journal of Cryptology.

[12]  Jeroen Delvaux,et al.  Secure Lightweight Entity Authentication with Strong PUFs: Mission Impossible II , 2014, IACR Cryptol. ePrint Arch..

[13]  Srinivas Devadas,et al.  FPGA PUF using programmable delay lines , 2010, 2010 IEEE International Workshop on Information Forensics and Security.

[14]  Jasper G. J. van Woudenberg,et al.  Practical Optical Fault Injection on Secure Microcontrollers , 2011, 2011 Workshop on Fault Diagnosis and Tolerance in Cryptography.

[15]  Michael J. Wirthlin,et al.  A Comparison of fault-tolerant memories in SRAM-based FPGAs , 2010, 2010 IEEE Aerospace Conference.

[16]  J. Alex Halderman,et al.  Analysis of the HTTPS certificate ecosystem , 2013, Internet Measurement Conference.

[17]  David Vigilant,et al.  Static Fault Attacks on Hardware DES Registers , 2011, IACR Cryptol. ePrint Arch..

[18]  Jean-Pierre Seifert,et al.  Cloning Physically Unclonable Functions , 2013, 2013 IEEE International Symposium on Hardware-Oriented Security and Trust (HOST).

[19]  Jean-Pierre Seifert,et al.  PAC learning of arbiter PUFs , 2016, Journal of Cryptographic Engineering.

[20]  Jean-Pierre Seifert,et al.  Functional integrated circuit analysis , 2012, 2012 IEEE International Symposium on Hardware-Oriented Security and Trust.

[21]  Ulrich Rührmair,et al.  The Bistable Ring PUF: A new architecture for strong Physical Unclonable Functions , 2011, 2011 IEEE International Symposium on Hardware-Oriented Security and Trust.

[22]  Umesh V. Vazirani,et al.  An Introduction to Computational Learning Theory , 1994 .

[23]  Xin Fan,et al.  GALS design of ECC against side-channel attacks — A comparative study , 2014, 2014 24th International Workshop on Power and Timing Modeling, Optimization and Simulation (PATMOS).

[24]  Ricardo Dahab,et al.  Fast Multiplication on Elliptic Curves over GF(2m) without Precomputation , 1999, CHES.

[25]  G. Edward Suh,et al.  Physical Unclonable Functions for Device Authentication and Secret Key Generation , 2007, 2007 44th ACM/IEEE Design Automation Conference.

[26]  Ingrid Verbauwhede,et al.  PUFKY: A Fully Functional PUF-Based Cryptographic Key Generator , 2012, CHES.

[27]  Fakultat Informatik,et al.  Evaluation of Design Alternatives for Flexible Elliptic Curve Hardware Accelerators , 2006 .

[28]  Jeroen Delvaux,et al.  Fault Injection Modeling Attacks on 65 nm Arbiter and RO Sum PUFs via Environmental Changes , 2014, IEEE Transactions on Circuits and Systems I: Regular Papers.

[29]  Julie Ferrigno,et al.  When AES blinks: introducing optical side channel , 2008, IET Inf. Secur..

[30]  Assia Tria,et al.  Adjusting Laser Injections for Fully Controlled Faults , 2014, COSADE.

[31]  Ulrich Rührmair,et al.  Security Evaluation and Enhancement of Bistable Ring PUFs , 2015, RFIDSec.

[32]  Assia Tria,et al.  Increasing the efficiency of laser fault injections using fast gate level reverse engineering , 2014, 2014 IEEE International Symposium on Hardware-Oriented Security and Trust (HOST).

[33]  Jean-Pierre Seifert,et al.  Lattice Basis Reduction Attack against Physically Unclonable Functions , 2015, CCS.

[34]  Stephen A. Benton,et al.  Physical one-way functions , 2001 .

[35]  Georg Sigl,et al.  Semi-invasive EM attack on FPGA RO PUFs and countermeasures , 2011 .

[36]  R. Pappu,et al.  Physical One-Way Functions , 2002, Science.

[37]  Srinivas Devadas,et al.  FPGA-Based True Random Number Generation Using Circuit Metastability with Adaptive Feedback Control , 2011, CHES.

[38]  Sergei Skorobogatov,et al.  Optical Fault Masking Attacks , 2010, 2010 Workshop on Fault Diagnosis and Tolerance in Cryptography.

[39]  M. Wirthlin,et al.  SEU-induced persistent error propagation in FPGAs , 2005, IEEE Transactions on Nuclear Science.

[40]  Luigi Carro,et al.  Designing fault-tolerant techniques for SRAM-based FPGAs , 2004, IEEE Design & Test of Computers.

[41]  Luigi Carro,et al.  On the optimal design of triple modular redundancy logic for SRAM-based FPGAs , 2005, Design, Automation and Test in Europe.

[42]  Srinivas Devadas,et al.  Silicon physical random functions , 2002, CCS '02.

[43]  Roel Maes Physically Unclonable Functions: Concept and Constructions , 2013 .

[44]  Christian Wittke,et al.  Clockwise Randomization of the Observable Behaviour of Crypto ASICs to Counter Side Channel Attacks , 2015, 2015 Euromicro Conference on Digital System Design.

[45]  Jacques Stern,et al.  The Hardness of the Hidden Subset Sum Problem and Its Cryptographic Implications , 1999, CRYPTO.

[46]  Jan Sölter,et al.  Efficient Power and Timing Side Channels for Physical Unclonable Functions , 2014, CHES.

[47]  Frédéric Valette,et al.  Detailed Analyses of Single Laser Shot Effects in the Configuration of a Virtex-II FPGA , 2008, 2008 14th IEEE International On-Line Testing Symposium.

[48]  Nico Van Eijk,et al.  Security collapse in the HTTPS market , 2014, Commun. ACM.

[49]  Elena Trichina,et al.  Multi Fault Laser Attacks on Protected CRT-RSA , 2010, 2010 Workshop on Fault Diagnosis and Tolerance in Cryptography.

[50]  Marten van Dijk,et al.  A technique to build a secret key in integrated circuits for identification and authentication applications , 2004, 2004 Symposium on VLSI Circuits. Digest of Technical Papers (IEEE Cat. No.04CH37525).

[51]  Manfred Josef Aigner,et al.  Randomized Addition-Subtraction Chains as a Countermeasure against Power Attacks , 2001, CHES.

[52]  Sergei P. Skorobogatov,et al.  Using Optical Emission Analysis for Estimating Contribution to Power Analysis , 2009, 2009 Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC).

[53]  Georg T. Becker,et al.  Active and Passive Side-Channel Attacks on Delay Based PUF Designs , 2014, IACR Cryptol. ePrint Arch..

[54]  Jean-Pierre Seifert,et al.  Emission Analysis of Hardware Implementations , 2014, 2014 17th Euromicro Conference on Digital System Design.

[55]  Stefan Katzenbeisser,et al.  Reverse Fuzzy Extractors: Enabling Lightweight Mutual Authentication for PUF-Enabled RFIDs , 2012, Financial Cryptography.