Signal Injection Attack on Time-to-Digital Converter and Its Application to Physically Unclonable Function

Physically unclonable function (PUF) is a technology to generate a device-unique identifier using process variation. PUF enables a cryptographic key that appears only when the chip is active, providing an efficient countermeasure against reverse-engineering attacks. In this paper, we explore the data conversion that digitizes a physical quantity representing PUF’s uniqueness into a numerical value as a new attack surface. We focus on time-to-digital converter (TDC) that converts time duration into a numerical value. We show the first signal injection attack on a TDC by manipulating its clock, and verify it through experiments on an off-the-shelf TDC chip. Then, we show how to leverage the attack to reveal a secret key protected by a PUF that uses a TDC for digitization.

[1]  Roel Maes,et al.  Physically Unclonable Functions , 2013, Springer Berlin Heidelberg.

[2]  Arenberg Doctoral,et al.  Physically Unclonable Functions: Constructions, Properties and Applications , 2012 .

[3]  Kevin Fu,et al.  Trick or Heat?: Manipulating Critical Temperature-Based Control Systems Using Rectification Attacks , 2019, CCS.

[4]  Ahmad-Reza Sadeghi,et al.  Remanence Decay Side-Channel: The PUF Case , 2016, IEEE Transactions on Information Forensics and Security.

[5]  Ryszard Szplet Time-to-Digital Converters , 2014 .

[6]  Kevin Fu,et al.  Light Commands: Laser-Based Audio Injection Attacks on Voice-Controllable Systems , 2020, USENIX Security Symposium.

[7]  An Chen,et al.  Utilizing the Variability of Resistive Random Access Memory to Implement Reconfigurable Physical Unclonable Functions , 2015, IEEE Electron Device Letters.

[8]  Jorge Guajardo,et al.  FPGA Intrinsic PUFs and Their Use for IP Protection , 2007, CHES.

[9]  Z. Wei,et al.  A ReRAM-based physically unclonable function with bit error rate < 0.5% after 10 years at 125°C for 40nm embedded application , 2016, 2016 IEEE Symposium on VLSI Technology.

[10]  Renato Turchetta Digital Pulse-ProcessingTechniques for X-Rayand Gamma-RaySemiconductor Detectors , 2017 .

[11]  Wenyuan Xu,et al.  Ghost Talk: Mitigating EMI Signal Injection Attacks against Analog Sensors , 2013, 2013 IEEE Symposium on Security and Privacy.

[12]  Makoto Nagata,et al.  A Random Interrupt Dithering SAR Technique for Secure ADC Against Reference-Charge Side-Channel Attack , 2020, IEEE Transactions on Circuits and Systems II: Express Briefs.

[13]  Shimeng Yu,et al.  A highly reliable and tamper-resistant RRAM PUF: Design and experimental validation , 2016, 2016 IEEE International Symposium on Hardware Oriented Security and Trust (HOST).

[14]  Dick James,et al.  The state-of-the-art in semiconductor reverse engineering , 2011, 2011 48th ACM/EDAC/IEEE Design Automation Conference (DAC).

[15]  Wenyuan Xu,et al.  WALNUT: Waging Doubt on the Integrity of MEMS Accelerometers with Acoustic Injection Attacks , 2017, 2017 IEEE European Symposium on Security and Privacy (EuroS&P).

[16]  Ángel Rodríguez-Vázquez,et al.  Analog Electronics for Radiation Detection , 2016 .