Paper #32 - University of Michigan
Reliable and Efficient PUF-Based Key Generation Using Pattern Matching
Srini Devadas and Zdenek Paral (MIT), HOST 2011
Thomas Chen, Anup Jadhav
UNIVERSITY OF MICHIGAN
Outline
Motivation & Security Challenges
Problem & Previous Approaches
Physical Unclonable Functions (PUF)
PUF-based Key Generation Using Pattern Matching
Results
Conclusion
References
Motivation
Secure computing
Devices are becoming:
Distributed
Unsupervised
Physically exposed
Prone to physical tampering
Need protection at the hardware level
Problem & Previous Approaches
Making a device tamper proof is difficult and expensive
IBM 4758 cryptographic coprocessor ($3000)
Battery powered sensors
Anti-tamper package
Attackers can
Extract keys from NVM while processor is off
Depackage, etch, and polish down to poly to read off fuse bits
[Figure labels: ROM, Fuses, Flash, Anti-fuses]
Physical Unclonable Function (PUF)
Silicon “fingerprint”
Unique per instance
Reproducible/repeatable
Usefulness
Random key generation
Low-cost key “storage”
Tamper resistant
Extract keys from complex physical system
[Figure: Challenge (C), Variability Sensitive Circuit, Response: R1 != R2 != R3]
PUF-based Key Generation
Use PUF to generate fixed size of secret bits
Can use as symmetric key bits or seed for asymmetric key
But…
Some bits may be “noisy” and need error correction
Need to use helper data/syndrome to correct
[Figure: PUF, Response, Key Generator, Key; arbiter PUF with path-swapping switches, challenge bits C0, C1, C2, …, Cn, and an arbiter (D Q)]
Reproducibility
Intra-distance metric (use fractional Hamming distance)
Ideally HDintra=0
Mean intra-distance varies with voltage, temperature
Can reduce unstable bits by:
pre/post selection, temporal majority voting, compensation, etc.
Typically >5%, <20% over region of operation (before corr.)
[Figure: PUF A response compared with stored PUF A response; 2 bits -> 6.25%]
Uniqueness
Inter-distance metric
Use fractional Hamming distance
Ideally, HDinter of 50% -> no correlation between chips
[Figure: PUF A response compared with PUF B response; 15 bits -> 46.875%]
Error Correction & Entropy
Key must be 100% reproducible (HDintra=0)
Often use BCH codes
Increase reproducibility
But helper data leaks information, reduces unpredictability
Need bigger response then compress
Extracted key length <= Total accumulated entropy
[Figure: Correction of the response using Helper Data]
Pattern Matching Key Generator (PMKG) Architecture
Key Generation Scheme
Major Difference
Instead of making challenge public, make response public
Provisioning and Regeneration
Happens over a number of rounds
Regeneration
Involves matching the patterns provisioned to recreate key
Pattern Matching
Provisioning
In each round select an index I
Starting at that index store a pattern of length W
Regeneration
Match against known patterns to obtain index
Index=sub-key
[Figure: PUF generated bit stream: 1110100110 (10 bits); Pattern Storage: 011, 000, 101; X X 7]
Key Generator Architecture
Security
Public helper data does not leak information about key
Index based key
Key mixer
Post process key bits
LFSR forking
Fork the next round of challenge generator based on key index
Fixed number of comparisons against helper patterns
Key Generation Parameters
Intra-distance and Inter-distance
Matching threshold and FAR, FRR
Tolerance match detector
Causes false positives and false negatives
Requires appropriate matching threshold
Requires sufficiently wide pattern
Otherwise use error correction scheme
For small pattern, additional logic required to prevent collision
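The provisioning and regeneration steps from the Pattern Matching slide, combined with the tolerance match detector from this slide, as an added example that is not from the paper or the presenters. It covers a single round; only the 10-bit stream 1110100110 comes from the slides, while the 0-based index 6, the seeded-PRNG 256-bit stream, the width 64, index 137 and the flipped bit positions are constructed for illustration.

```python
import random

def hd(a, b):
    """Hamming distance between two equal-length bit lists."""
    return sum(x != y for x, y in zip(a, b))

def provision(stream, index, width):
    """Provisioning: the public helper data is the W-bit pattern at the secret index."""
    return stream[index:index + width]

def regenerate(stream, pattern, threshold):
    """Regeneration: recover the index (the sub-key) by tolerance matching.

    Every offset is compared even after a match, following the slide's
    "fixed number of comparisons" bullet. Returns the first matching
    offset, or None when nothing matches (a false negative).
    """
    found = None
    for off in range(len(stream) - len(pattern) + 1):
        ok = hd(stream[off:off + len(pattern)], pattern) <= threshold
        if ok and found is None:
            found = off
    return found

# 10-bit stream shown on the Pattern Matching slide.
SLIDE = [int(c) for c in "1110100110"]

def narrow_demo():
    """W = 3: returns (index at threshold 0, index at threshold 1)."""
    pat = provision(SLIDE, 6, 3)  # constructed choice: index 6 -> pattern 011
    return regenerate(SLIDE, pat, 0), regenerate(SLIDE, pat, 1)

def wide_demo(threshold, width=64, index=137, flips=(140, 150, 160, 170, 180)):
    """W = 64 on a constructed 256-bit stream; a seeded PRNG stands in for the PUF."""
    rng = random.Random(32)
    enrolled = [rng.getrandbits(1) for _ in range(256)]
    pat = provision(enrolled, index, width)
    noisy = list(enrolled)
    for i in flips:  # constructed bit errors on re-evaluation
        noisy[i] ^= 1
    return regenerate(noisy, pat, threshold)

if __name__ == "__main__":
    print(narrow_demo())
    print(wide_demo(10), wide_demo(2))
```

With W = 3, a threshold of 1 already returns index 0 instead of 6 (a false positive from a collision); with W = 64 and five bit errors, threshold 10 recovers index 137 while threshold 2 finds no match (a false negative).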
False Negatives and False Positives
Trials Required For Key Regeneration
Conclusion
Main contribution
Expose PUF response, keep challenge hidden
Key regeneration via pattern matching
Key bits are not directly stored
Subkeys are indices of PUF responses
Avoid heavy error correction logic
But need to choose good threshold and pattern width
False positives, false negatives
Questions & Discussion Points
Is there enough process variation to identify between ICs?
Is setting a threshold a good enough approach?
Is the arbiter PUF a good choice?
References
[1] Paral, Z., and Srinivas Devadas. "Reliable and efficient PUF-based key generation using pattern matching." Hardware-Oriented Security and Trust (HOST), 2011 IEEE International Symposium on. IEEE, 2011.