1UNIVERSITY OF MICHIGAN

Reliable and Efficient PUF-Based Key Generation Using Pattern Matching

Authors:

Zdenek (Sid) Paral and Srinivas Devadas

Presented by:

Sugandha Gupta and Vishishtha Bothra

2UNIVERSITY OF MICHIGAN

OUTLINE

▪ INTRODUCTION

▪ MOTIVATION

▪ SOLUTION

▪ INSIGHT TO PUF & WORKING

▪ PUF BASED KEY GENERATION

▪ PATTERN MATCHING KEY GENERATION (PMKG)

▪ BASICS

▪ PATTERN MATCHING

▪ ARCHITECTURE

▪ MAIN FEATURES

▪ RELIABILITY

▪ EVALUATION

▪ CONCLUSIONS

▪ REFERENCES

▪ DISCUSSION POINTS

3UNIVERSITY OF MICHIGAN

MOTIVATION

▪ Mobile and Embedded devices are used universally

▪ Important to protect critical application to prevent significant loss

▪ Need for Secure Computing

▪ Current practices

▪ Place secret key in EEPROM/ battery-backed SRAM

▪ Use hardware cryptographic operations

▪Digital signature

▪Encryption

High Design Area

High Power Consumption

Vulnerable to invasive attacks

4UNIVERSITY OF MICHIGAN

SOLUTION

PUF - Physical Unclonable Function

▪ Silicon “biometric” ▪Unique▪Robust▪Unclonable

▪ Based on a complex physical system ▪ Secret is derived from the physical “variabilities” of the IC

▪Gate delay▪Power on state of SRAM▪Voltage threshold

High Design Area

High Power Consumption

Vulnerable to invasive attacks

Less Area

Less Power

Invasive attacks are difficult to execute without modifying the physical characteristics

Input Output

5UNIVERSITY OF MICHIGAN

INSIGHT TO PUF

CHALLENGE

RESPONSE 1 RESPONSE 2 RESPONSE 4RESPONSE 3

SERVER CLIENT

▪Uniqueness

▪Same challenge input gives different responses

▪Robustness

▪Stable over time

▪Unclonability

▪Impractical and unreasonably expensive to clone

▪Working

6UNIVERSITY OF MICHIGAN

▪One of the major application of PUF

▪Generates fixed size secret bits – seed, asymmetric key

▪Caution!

▪The challenge response pair must be kept secret

▪Error correction needed for “noisy bits”

▪Helper data/ “syndrome”

▪Syndrome can further lead to leakage of data

PUF BASED KEY GENERATION

PUFKey

Generator Key

Arbiter PUFTwo delay paths, produces

output Y based on which is faster

7UNIVERSITY OF MICHIGAN

BASICS OF KEY GENERATION

▪Unconventional Approach

▪Challenge is kept secret instead of the response

▪Provisioning

▪Externally provided secret seed

▪Generates public helper data and secret key

▪Regeneration

▪Reproduce one of the earlier provisioned key using the helper data

8UNIVERSITY OF MICHIGAN

PATTERN MATCHINGPrivate

Challenge (seed)

PUF

Secret Index (I)

Public Pattern (W)

Non-volatile Memory

Block

▪Provisioning

Pattern

1011

1101

1111

0110111101101011Index

0

6

8 068

W

L

PUF

Comparison Logic

W from Non-Volatile Memory

Key Storage (Volatile Memory)

match

▪Regeneration

9UNIVERSITY OF MICHIGAN

PMKG ARCHITECTURAL PARAMETERS

10UNIVERSITY OF MICHIGAN

ARCHITECTURE

11UNIVERSITY OF MICHIGAN

MAIN FEATURES OF PMKG

▪Helper data/ Syndrome cannot leak key

▪Index based key generation

▪Forking in the challenge sequencer

▪Match signal is also used in the challenge sequencer

▪Subsequent challenge are less traceable after each iteration

▪Constant number of comparisons against helper pattern in each iterations

▪Avoids differential power and timing analysis attack

▪Key Mixer

▪During provisioning – comparisons between running index counter

and secret index of current round

SECURITY

12UNIVERSITY OF MICHIGAN

RELIABILITY

▪Threshold has to be selected very wisely

▪ Intra-PUF variability – measure of reproducibility of responses

▪ Inter-PUF variability – measure of uniqueness of responses

▪ Leads to Pattern Miss and Pattern Collision

Intra-PUF Variability (~5%)

Inter-PUF Variability(~50%)

13UNIVERSITY OF MICHIGAN

EVALUATION USING ASIC DATA

▪ Voltage variations in provisioning and regeneration at different temperatures

▪ But can’t be quantified

▪ Threshold = 80 code bits

▪ Pattern Size W = 256 bits

14UNIVERSITY OF MICHIGAN

CONCLUSIONS

▪ Viable method of PUF based Key Generation

▪ Key generation using index

▪ No storage of key directly

▪ Low clock latency

▪ Hardware requirements – minimal

▪ No error correction needed

▪ Select optimal Threshold (T) and Pattern Width (W)

▪ Improvements

▪ Can be made faster and secure by increasing number of PUF

▪ Future Work

▪ Use Delay PUF instead of Arbiter PUF

15UNIVERSITY OF MICHIGAN

REFERENCES

▪ Paral, Z.; Devadas, S., "Reliable and efficient PUF-based key generation using pattern matching," in Hardware-Oriented Security and Trust (HOST), 2011 IEEE International Symposium on , vol., no., pp.128-133, 5-6 June 2011

▪ Herder, C.; Meng-Day Yu; Koushanfar, F.; Devadas, S., "Physical Unclonable Functions and Applications: A Tutorial," in Proceedings of the IEEE , vol.102, no.8, pp.1126-1141, Aug. 2014

▪ Lecture Slides

▪ http://www.eecs.umich.edu/courses/eecs573/lectures/03%20-%20Security-Tutorial.pdf

▪ Web

▪ http://people.csail.mit.edu/rudolph/Teaching/Lectures/Security/Lecture-Security-PUFs-2.pdf

16UNIVERSITY OF MICHIGAN

QUESTIONS

17UNIVERSITY OF MICHIGAN

DISCUSSION Points

▪ Are the physical characteristics like process variation good enough to distinguish between ICs?

▪ Can PUF integrity be compromised with silicon wear out and extreme changes?

▪ Is setting threshold better or doing error correction?