Read-Proof Hardware from Protective Coatings

CHES 2006, Tokyo-Yokohama

Pim Tuyls, G.J. Schrijen, B. Skoric, J. van Geloven, N. Verhaegh, R. Wolters

Philips Research Eindhoven, The Netherlands


Read-Proof Hardware from Coating PUFs


Contents

• Limitations of the Black-Box Model
• Brief Overview of Physical Attacks
• Security in a Physical World
• Methods and Requirements
• Components
  – Coating PUFs
  – Fuzzy Extractors/Helper data
• Secure Key Storage Device


Limitations of the Black-Box Model

Assumption: IC is a black box
↓
Crypto guarantees security level

Secret Key: 001011101011

• Mathematical Attacks
• Protocol Attacks
• Physical Attacks (Micro Probes, Focused Ion Beam)

Security not guaranteed by cryptography


Brief Overview of Physical Attacks

• Invasive Attacks
  – Micro Probing
  – Focused Ion Beams
  – Chemical
  – Mechanical
  – Etching
• Side Channel Attacks
  – Timing Analysis
  – Power Analysis
  – Electromagnetic Radiation
• Fault Induction (light, X-ray, power glitch)
• Optical Inspection


Security in a Physical World

1. Read-Proof Hardware: Enemy cannot read the data stored in it

2. Tamper-Proof Hardware: Enemy cannot change the data stored in it

3. Self Destruction Capability

Algorithmic Tamper Proof Security can be achieved [Gennaro et al]

Big Challenge: Develop theory and practical components for security in the presence of physical leakage: No Black-Boxes!


Goal

Practical Methods

Focus: Read-Proof Hardware

Read-Proof Hardware is hardware where the attacker cannot read any information on the data stored in it.

[Diagram labels: M, E_K(M), 0110]

Practical Meaning?!

Should be resistant against:
• Invasive Physical Attacks
• Side-Channel Attacks
• Fault Attacks
• Optical Inspection


Invasive vs Non-Invasive Attacks

Invasive Physical Attacks

Definition: An invasive physical attack is an attack where the attacker physically breaks into the device by modifying its structure.

Examples:
• Chemical etching
• Drilling a hole
• Focused Ion Beam attack

Non-Invasive Physical Attacks

Definition: A non-invasive physical attack is an attack where the attacker physically breaks into the device without modifying its structure.

Examples:
• Optical inspection of the memory
• Side-Channel attacks (Time, EMA, DPA, …)


Methods and Requirements

In order to protect keys against physical attacks:

1. Do not store a key in digital form in a device

2. Generate the key only when needed (extract it from a physical source on the IC)

3. Delete the key


Components

Two components are needed:

1. Hardware component (Physics)
   1. Physical Source
2. Cryptographic component
   1. Fuzzy Extractor/Helper data algorithm


Hardware Requirements

Security Requirements:

1. Physical Inscrutability (opaqueness)
2. Unclonability
   1. Physical Unclonability
   2. Mathematical Unclonability
3. Tamper evident: key is destroyed upon damage

Practicality Requirements:

1. Easy to challenge the source
2. Cheap and easy to integrate on an IC
3. Excellent mechanical and chemical properties


Components: Physical Source

Physical Unclonable Function (PUF):

Inherently unclonable physical structure (consisting of many random/uncontrollable components) satisfying:

• Easy to evaluate: Challenges-Responses
• Responses are unpredictable
• Inherently tamper evident
• Manufacturer not-reproducible
• Extract keys from measurements


Coating PUF

• An IC is covered with an opaque coating containing random particles with high εr
• Array of capacitive sensors in upper metal layer detects local coating properties.
• Inhomogeneous coating → random capacitive properties
• PUF is used as a source of secret random information, which is derived from the local coating capacitances (secure key storage).

[Figure: cross-section of the Coating PUF (on-chip demo). Labels: (Si) substrate, insulation, transistors, M1 to M5, passivation, Al, coating]


Information Content of a Coating PUF (Response)

Coating PUF [JAP06]: ≈ 6.6 bits/sensor

[Figure: array numbered 1 to 32]


Capacitance values of 21 ICs

[Plot: (relative) capacitance (Cx-C0)/(Cref-C0) versus sensor number (0 to 30); y-axis label (Cx-C0-<Cx-C0>)/(Cref-C0)*fref]


Fuzzy Extractor/Helper Data Algorithm

• Information present in the PUF has to be extracted

• Measurements (Challenges - Responses)

• Measurements on Physical Systems are noisy

• Noisy values can not be used as keys in cryptography

• A Fuzzy Extractor/Helper Data Algorithm is needed


Key Extraction from PUFs: Fuzzy Extractor

Assumption: Response X uniformly random

• Grid points represent ECC code words

Enrollment:
• Response X is measured
• Random codeword C(S) is chosen
• Helper data W is generated (difference between X and C) and stored in EEPROM
• Key K is generated and its public key P(K) is output and the key K is destroyed

Key Reconstruction:
• Y is noisy response
• Y+W=C'
• S'=DEC(C')

Security Condition:
• I(K;W) ≤ ε

[Figure: grid of code words with the points X, C, Y, C' and the helper data W]


Properties

• The parameter ε can be made negligible in the security parameter

• The maximal length of a secret key is given by

where I(X;Y) is the mutual information between

Enrollment: X Key Reconstruction: Y

I(X;Y)


Practical Key extraction requirements

• Measured Data are continuous, not discrete!

• Uniformly Distributed Keys: All possible n-bit keys must be equally probable.

• Robustness: key extraction must be reproducible, regardless of measurement noise.


Statistics

[Plot: PDF versus x, x-axis 1.5 to 2.4 ×10^-13; curves: inter-class and intra-class; label: Normal Gaussian distribution]


Uniformly Distributed Keys

• Quantization with equiprobable intervals

[Plot: distribution over 1.5 to 2.3 ×10^-13 divided into quantization intervals numbered 0 to 7]


Achieving Robustness (I)

• Define helper-data W* that shifts measurements to the center of a quantization interval.

[Plot: distribution over 1.5 to 2.3 ×10^-13 with quantization intervals 0 to 7; W* marked]


Achieving Robustness (II)

• Assign bits to quantization intervals according to a Gray-code.

[Plot: distribution over 1.5 to 2.3 ×10^-13 with quantization intervals labelled 000 001 011 010 110 111 101 100; W* marked]
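The three steps above (equiprobable quantization, the W* shift, Gray-code labels) for a single sensor, as an added example that is not code from the talk. It assumes a Gaussian population, takes the "centre" of an interval to be its median under that distribution, and uses constructed capacitance values; all function names are the example's own.

```python
from statistics import NormalDist

LEVELS = 8  # 3 bits per sensor, as on the slides

def edges(dist, levels=LEVELS):
    """Interval boundaries that give every interval probability 1/levels."""
    return [dist.inv_cdf(i / levels) for i in range(1, levels)]

def interval(x, dist, levels=LEVELS):
    """Index of the equiprobable interval that contains x."""
    return sum(x >= e for e in edges(dist, levels))

def gray_bits(i, width=3):
    """Gray-code label of interval i: neighbours differ in exactly one bit."""
    return format(i ^ (i >> 1), f"0{width}b")

def enroll(x, dist, levels=LEVELS):
    """Return (W*, bits) for the enrollment measurement x."""
    i = interval(x, dist, levels)
    # Assumption: "centre" = the interval's median under dist, which is
    # also defined for the two unbounded outer intervals.
    centre = dist.inv_cdf((i + 0.5) / levels)
    return centre - x, gray_bits(i)

def reconstruct(y, w_star, dist, levels=LEVELS):
    """Shift the noisy measurement y by W*, then quantize and label."""
    return gray_bits(interval(y + w_star, dist, levels))

# Constructed population statistics (femtofarads), not values from the talk.
POPULATION = NormalDist(mu=190.0, sigma=15.0)

def demo():
    x = 194.5   # enrollment value just below the 194.78 fF boundary
    y = 195.2   # later noisy reading of the same sensor, just above it
    w_star, key_bits = enroll(x, POPULATION)
    return {
        "enrolled": key_bits,
        "without_w_star": gray_bits(interval(y, POPULATION)),
        "with_w_star": reconstruct(y, w_star, POPULATION),
    }

if __name__ == "__main__":
    print(demo())
```

Without W* the reading crosses the boundary and one bit flips; the Gray code keeps that to a single bit, which is what the error-correcting code in the next step has to absorb.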


Achieving Robustness (III)

• Concatenate bits from multiple sensors to construct a key of length n.
• Use an Error Correcting Code (ECC) and the XOR-Fuzzy Extractor:
  – Enrollment: K, $W = X \oplus C_K$
  – Key Reconstruction: $\mathrm{Dec}(Y \oplus W) = \mathrm{Dec}(Y \oplus X \oplus C_K) = C_K$ iff $d(X,Y) < T$
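The enrollment and key-reconstruction steps of the XOR fuzzy extractor above (also outlined on the earlier "Key Extraction from PUFs" slide), as an added example that is not code from the talk. The 5-fold repetition code is an assumed stand-in for the unnamed ECC, so the threshold T here applies per 5-bit block; the 90-bit responses are constructed, and all function names are the example's own.

```python
import secrets

REP = 5  # stand-in ECC: repetition code, corrects up to 2 flips per block

def enc(s_bits):
    """ENC: repeat every secret bit REP times to form the codeword C."""
    return [b for b in s_bits for _ in range(REP)]

def dec(c_bits):
    """DEC: majority vote over each block of REP bits."""
    return [int(sum(c_bits[i:i + REP]) > REP // 2)
            for i in range(0, len(c_bits), REP)]

def xor(a, b):
    return [p ^ q for p, q in zip(a, b)]

def enroll(x_bits):
    """Enrollment: choose a random secret S and helper data W = X xor C."""
    s = [secrets.randbits(1) for _ in range(len(x_bits) // REP)]
    return s, xor(x_bits, enc(s))  # only W is kept in non-volatile memory

def reconstruct(y_bits, w):
    """Key reconstruction: S' = DEC(Y xor W)."""
    return dec(xor(y_bits, w))

def flip(bits, positions):
    """Copy of bits with the given positions inverted (models the channel)."""
    out = list(bits)
    for p in positions:
        out[p] ^= 1
    return out

def demo():
    x = [secrets.randbits(1) for _ in range(90)]  # constructed 90-bit response
    s, w = enroll(x)
    y = flip(x, [3, 17, 42, 88])         # noise: one flip in four blocks
    z = flip(x, [0, 1, 2, 45, 46, 47])   # damage: three flips in two blocks
    return s, reconstruct(y, w), reconstruct(z, w)

if __name__ == "__main__":
    s, from_noisy, from_damaged = demo()
    print("noisy reading recovers S:  ", from_noisy == s)
    print("damaged reading recovers S:", from_damaged == s)
```

The noisy reading Y stays inside the decoding radius and returns S; the damaged reading Z exceeds it in two blocks, so the reconstructed secret is wrong in exactly those two bits.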


Key Extraction, helper data scheme

[Block diagram with two halves, Enrollment and Key Extraction. Blocks: Cap. Meas., Derive W*, Correct with W*, Binarization, RNG, ENC, DEC, Memory. Signals: X, X_B, Y, Y_B, W, W*, K, K', C, C']


Store key temporarily in Volatile Memory

[Diagram of the IC. Labels: coating, passivation, Al, Measurement Circuit (AD-conversion), Capacitances: X, Fuzzy Extractor, EEPROM with Helper Data W, RAM, Crypto Processor, Key]


Delete key afterwards

[Two diagrams of the same IC. Labels: coating, passivation, Al, Measurement Circuit (AD-conversion), Key Extractor, EEPROM with Helper Data W, RAM, Crypto Processor. The labels of the first diagram include Key; those of the second do not]


Attack Detection

Focused Ion Beam Attack

[Plots: capacitance versus sensor number (0 to 30), before FIB and after FIB]


[Plots over sensor number (0 to 35). Panel labels:]
• A026 Crater into M3
• A005 Crater into M3
• A026 Crater into IMD4
• Mod 18: M4=grid
• Mod 14: M4=no metal
• Mod 10: M4=plate
• 3.0-3.5 coating; 3.0-3.5 coating; 6.0-6.5 coating

[Cross-section image labels: security coating, passivation layers, Pt (side), Pt (top), sensor, metal plate]

Craters: 10 µm x 10 µm

Next: craters of 5x5 µm


Model of Key Damage

Unattacked Device: Measurement Channel: X → Y; Model: BSC; Error Rate: α

Attacked Device: Measurement Channel: X → Z; Model: BSC; Error Rate: ε

Fuzzy Extractor corrects αn errors

[Figure labels: $\alpha n$, $c_K$, $\langle R \rangle = \varepsilon n$]

$N_c$ = density of codewords × volume of ball = $2^{n(h(\varepsilon) - h(\alpha))}$


Key Damage: Experiments

α = 1/30

ε = 11/90

[Figure labels: X (Enrollment), Y (Reconstruction), Z (After FIB)]

Attack Complexity: $N_c = 2^{51}$ for 128 bit keys


Summary of Results

• Test ICs with 30 sensors per IC
• Deriving 3 bits per sensor → 90 bits per IC
• Limit error correction: 4 of the 90 bits
  – Depends on the coarseness of the quantisation
• Temperature compensation
• No humidity influence


Conclusions

• Developed Read-Proof Hardware (Invasive Attacks)
  – Coating PUF
  – Fuzzy Extractor
• Made a demonstrator
  – Attacks can be detected
  – Key Damage is shown
• Next Steps
  – Further investigate side-channel leakages
  – Investigate the impact of smaller holes
