Combined Modeling and Side Channel Attacks on Strong PUFs

Physical Unclonable Functions (PUFs) have established themselves in the scientific literature, and are also gaining ground in commercial applications. Recently, however, several attacks on PUF core properties have been reported. They concern their physical and digital unclonability, as well as their assumed resilience against invasive or side channel attacks. In this paper, we join some of these techniques in order to further improve their effectiveness. The combination of machine-learning based modeling techniques with side channel information allows us to attack so-called XOR Arbiter PUFs and Lightweight PUFs up to a size and complexity that was previously out of reach. For Lightweight PUFs, for example, we report successful attacks for bitlengths of 64, 128 and 256, and for up to nine single Arbiter PUFs whose output is XORed. Previous work at CCS 2010 and IEEE TIFS 2013, which provides the currently most efficient modeling results, had only been able to attack this structure for up to five XORs and bitlength 64. Our attack employs the first power side channel (PSC) for Strong PUFs in the literature. This PSC tells the attacker the number of single Arbiter PUF within an XOR Arbiter PUF or Lightweight PUF architecture that are zero or one. This PSC is of little value if taken by itself, but strongly improves an attacker’s capacity if suitably combined with modeling techniques. At the end of the paper, we discuss efficient and simple countermeasures against this PSC, which could be used to secure future PUF generations.

[1]  Stephen A. Benton,et al.  Physical one-way functions , 2001 .

[2]  U. Rührmair Oblivious Transfer based on Physical Unclonable Functions ( Extended Abstract ) , 2010 .

[3]  Srinivas Devadas,et al.  Silicon physical random functions , 2002, CCS '02.

[4]  Jeroen Delvaux,et al.  Side channel modeling attacks on 65nm arbiter PUFs exploiting CMOS device noise , 2013, 2013 IEEE International Symposium on Hardware-Oriented Security and Trust (HOST).

[5]  Srinivas Devadas,et al.  PUF Modeling Attacks on Simulated and Silicon Data , 2013, IEEE Transactions on Information Forensics and Security.

[6]  R. Pappu,et al.  Physical One-Way Functions , 2002, Science.

[7]  Stefan Katzenbeisser,et al.  Physically Uncloneable Functions in the Universal Composition Framework , 2011, CRYPTO.

[8]  Jean-Pierre Seifert,et al.  Invasive PUF Analysis , 2013, 2013 Workshop on Fault Diagnosis and Tolerance in Cryptography.

[9]  Srinivas Devadas,et al.  Identification and authentication of integrated circuits , 2004, Concurr. Pract. Exp..

[10]  Srinivas Devadas,et al.  Security Based on Physical Unclonability and Disorder , 2012 .

[11]  Jean-Pierre Seifert,et al.  Cloning Physically Unclonable Functions , 2013, 2013 IEEE International Symposium on Hardware-Oriented Security and Trust (HOST).

[12]  Ulrich Rührmair,et al.  Practical Security Analysis of PUF-Based Two-Player Protocols , 2012, CHES.

[13]  Ingrid Verbauwhede,et al.  Machine learning attacks on 65nm Arbiter PUFs: Accurate modeling poses strict bounds on usability , 2012, 2012 IEEE International Workshop on Information Forensics and Security (WIFS).

[14]  Berk Sunar,et al.  Towards Robust Low Cost Authentication for Pervasive Devices , 2008, 2008 Sixth Annual IEEE International Conference on Pervasive Computing and Communications (PerCom).

[15]  Frank Sehnke,et al.  On the Foundations of Physical Unclonable Functions , 2009, IACR Cryptol. ePrint Arch..

[16]  Srini Devadas Physical Unclonable Functions and Secure Processors , 2009, CHES.

[17]  G. Edward Suh,et al.  Physical Unclonable Functions for Device Authentication and Secret Key Generation , 2007, 2007 44th ACM/IEEE Design Automation Conference.

[18]  Boris Skoric,et al.  Read-Proof Hardware from Protective Coatings , 2006, CHES.

[19]  Marten van Dijk,et al.  A technique to build a secret key in integrated circuits for identification and authentication applications , 2004, 2004 Symposium on VLSI Circuits. Digest of Technical Papers (IEEE Cat. No.04CH37525).

[20]  Georg Sigl,et al.  Semi-invasive EM attack on FPGA RO PUFs and countermeasures , 2011 .

[21]  Srinivas Devadas,et al.  Modeling attacks on physical unclonable functions , 2010, CCS '10.

[22]  Jeroen Delvaux,et al.  Fault Injection Modeling Attacks on 65 nm Arbiter and RO Sum PUFs via Environmental Changes , 2014, IEEE Transactions on Circuits and Systems I: Regular Papers.

[23]  Ulrich Rührmair,et al.  An Attack on PUF-Based Session Key Exchange and a Hardware-Based Countermeasure: Erasable PUFs , 2011, Financial Cryptography.

[24]  Ulrich Rührmair,et al.  PUFs in Security Protocols: Attack Models and Security Evaluations , 2013, 2013 IEEE Symposium on Security and Privacy.

[25]  Miodrag Potkonjak,et al.  Lightweight secure PUFs , 2008, 2008 IEEE/ACM International Conference on Computer-Aided Design.

[26]  Miodrag Potkonjak,et al.  Testing Techniques for Hardware Security , 2008, 2008 IEEE International Test Conference.

[27]  G. Edward Suh,et al.  Extracting secret keys from integrated circuits , 2005, IEEE Transactions on Very Large Scale Integration (VLSI) Systems.

[28]  Ulrich Rührmair,et al.  On the practical use of physical unclonable functions in oblivious transfer and bit commitment protocols , 2013, Journal of Cryptographic Engineering.

[29]  Georg Sigl,et al.  Side-Channel Analysis of PUFs and Fuzzy Extractors , 2011, TRUST.

[30]  Jorge Guajardo,et al.  FPGA Intrinsic PUFs and Their Use for IP Protection , 2007, CHES.