Advertisement

Side-Channel Analysis of the TERO PUF

  • Lars TebelmannEmail author
  • Michael Pehl
  • Vincent Immler
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11421)

Abstract

Physical Unclonable Functions (PUFs) have the potential to provide a higher level of security for key storage than traditional Non-Volatile Memory (NVM). However, the susceptibility of the PUF primitives to non-invasive Side-Channel Analysis (SCA) is largely unexplored. While resistance to SCA was indicated for the Transient Effect Ring Oscillator (TERO) PUF, it was not backed by an actual assessment. To investigate the physical security of the TERO PUF, we first discuss and study the conceptual behavior of the PUF primitive to identify possible weaknesses. We support our claims by conducting an EM-analysis of a TERO design on an FPGA. When measuring TERO cells with an oscilloscope in the time domain, a Short Time Fourier Transform (STFT) based approach allows to extract the relevant information in the frequency domain. By applying this method we significantly reduce the entropy of the PUF. Our analysis shows the vulnerability of not only the originally suggested TERO PUF implementation but also the impact on TERO designs in general. We discuss enhancements of the design that potentially prevent the TERO PUF from exposing the secret and point out that regarding security the TERO PUF is similar to the more area-efficient Ring Oscillator PUF.

Keywords

TERO PUF Side-Channel Analysis Non-invasive EM side-channel Physical Unclonable Function 

Notes

Acknowledgement

This work was partly funded by the German Ministry of Education and Research in the project ALESSIO under grant number 16KIS0632.

References

  1. 1.
    Bayon, P., Bossuet, L., Aubert, A., Fischer, V.: Electromagnetic analysis on ring oscillator-based true random number generators. In: 2013 IEEE International Symposium on Circuits and Systems (ISCAS2013), pp. 1954–1957, May 2013Google Scholar
  2. 2.
    Bossuet, L., Ngo, X.T., Cherif, Z., Fischer, V.: A PUF based on a transient effect ring oscillator and insensitive to locking phenomenon. IEEE Trans. Emerg. Top. Comput. 2(1), 30–36 (2014)CrossRefGoogle Scholar
  3. 3.
    Cherkaoui, A., Bossuet, L., Marchand, C.: Design, evaluation, and optimization of physical unclonable functions based on transient effect ring oscillators. IEEE Trans. Inf. Forensics Secur. 11(6), 1291–1305 (2016)CrossRefGoogle Scholar
  4. 4.
    Delvaux, J., Gu, D., Schellekens, D., Verbauwhede, I.: Helper data algorithms for PUF-based key generation: overview and analysis. IEEE Trans. Comput. Aided Des. Integr. Circuits Syst. 34(6), 889–902 (2015)CrossRefGoogle Scholar
  5. 5.
    Gassend, B., Clarke, D., Dijk, M.V., Devadas, S.: Silicon physical random functions. In: ACM CCS (2002)Google Scholar
  6. 6.
    Haddad, P., Fischer, V., Bernard, F., Nicolai, J.: A physical approach for stochastic modeling of TERO-based TRNG. In: Güneysu, T., Handschuh, H. (eds.) CHES 2015. LNCS, vol. 9293, pp. 357–372. Springer, Heidelberg (2015).  https://doi.org/10.1007/978-3-662-48324-4_18CrossRefGoogle Scholar
  7. 7.
    Helfmeier, C., Boit, C., Nedospasov, D., Seifert, J.: Cloning physically unclonable functions. In: 2013 IEEE International Symposium on Hardware-Oriented Security and Trust (HOST), pp. 1–6, June 2013Google Scholar
  8. 8.
    Immler, V., Specht, R., Unterstein, F.: Your rails cannot hide from localized EM: how dual-rail logic fails on FPGAs. In: Fischer, W., Homma, N. (eds.) CHES 2017. LNCS, vol. 10529, pp. 403–424. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-66787-4_20CrossRefGoogle Scholar
  9. 9.
    Katzenbeisser, S., Kocabaş, Ü., Rožić, V., Sadeghi, A.-R., Verbauwhede, I., Wachsmann, C.: PUFs: myth, fact or busted? A security evaluation of physically unclonable functions (PUFs) cast in silicon. In: Prouff, E., Schaumont, P. (eds.) CHES 2012. LNCS, vol. 7428, pp. 283–301. Springer, Heidelberg (2012).  https://doi.org/10.1007/978-3-642-33027-8_17CrossRefGoogle Scholar
  10. 10.
    Kocher, P., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999).  https://doi.org/10.1007/3-540-48405-1_25CrossRefGoogle Scholar
  11. 11.
    Lohrke, H., Tajik, S., Boit, C., Seifert, J.-P.: No place to hide: contactless probing of secret data on FPGAs. In: Gierlichs, B., Poschmann, A.Y. (eds.) CHES 2016. LNCS, vol. 9813, pp. 147–167. Springer, Heidelberg (2016).  https://doi.org/10.1007/978-3-662-53140-2_8CrossRefGoogle Scholar
  12. 12.
    Maes, R., Van Herrewege, A., Verbauwhede, I.: PUFKY: a fully functional PUF-based cryptographic key generator. In: Prouff, E., Schaumont, P. (eds.) CHES 2012. LNCS, vol. 7428, pp. 302–319. Springer, Heidelberg (2012).  https://doi.org/10.1007/978-3-642-33027-8_18CrossRefGoogle Scholar
  13. 13.
    Marchand, C., Bossuet, L., Cherkaoui, A.: Design and characterization of the TERO-PUF on SRAM FPGAs. In: 2016 IEEE Computer Society Annual Symposium on VLSI (ISVLSI), pp. 134–139, July 2016Google Scholar
  14. 14.
    Marchand, C., Bossuet, L., Mureddu, U., Bochard, N., Cherkaoui, A., Fischer, V.: Implementation and characterization of a physical unclonable function for IoT: a case study with the TERO-PUF. IEEE Trans. Comput. Aided Des. Integr. Circuits Syst. 37(1), 97–109 (2018)CrossRefGoogle Scholar
  15. 15.
    Merli, D., Heyszl, J., Heinz, B., Schuster, D., Stumpf, F., Sigl, G.: Localized electromagnetic analysis of RO PUFs. In: 2013 IEEE International Symposium on Hardware-Oriented Security and Trust (HOST), pp. 19–24, June 2013Google Scholar
  16. 16.
    Merli, D., Schuster, D., Stumpf, F., Sigl, G.: Semi-invasive EM attack on FPGA RO PUFs and countermeasures. In: 6th Workshop on Embedded Systems Security (WESS 2011). ACM, Mar 2011Google Scholar
  17. 17.
    Quisquater, J.-J., Samyde, D.: Electro Magnetic Analysis (EMA): measures and counter-measures for smart cards. In: Attali, I., Jensen, T. (eds.) E-smart 2001. LNCS, vol. 2140, pp. 200–210. Springer, Heidelberg (2001).  https://doi.org/10.1007/3-540-45418-7_17CrossRefzbMATHGoogle Scholar
  18. 18.
    Sauvage, L., Guilley, S., Mathieu, Y.: Electromagnetic radiations of FPGAs: high spatial resolution cartography and attack on a cryptographic module. ACM Trans. Reconfigurable Technol. Syst. 2(1), 4:1–4:24 (2009)CrossRefGoogle Scholar
  19. 19.
    Sigl, G., Gross, M., Pehl, M.: Where technology meets security: key storage and data separation for system-on-chips. In: ESSCIRC 2018 - IEEE 44th European Solid State Circuits Conference (ESSCIRC), pp. 12–17, September 2018Google Scholar
  20. 20.
    Tebelmann, L., Pehl, M., Sigl, G.: EM side-channel analysis of BCH-based error correction for PUF-based key generation. In: Proceedings of the 2017 Workshop on Attacks and Solutions in Hardware Security, ASHES@CCS 2017, Dallas, TX, USA, November 3, 2017, pp. 43–52 (2017)Google Scholar
  21. 21.
    The SALWARE Project: Source code of the TERO-PUF implementation on SRAM FPGA (2016). https://perso.univ-st-etienne.fr/bl16388h/salware/tero_puf.htm. Accessed 11 Feb 2019
  22. 22.
    Unterstein, F., Heyszl, J., De Santis, F., Specht, R.: Dissecting leakage resilient PRFs with multivariate localized EM attacks. In: Guilley, S. (ed.) COSADE 2017. LNCS, vol. 10348, pp. 34–49. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-64647-3_3CrossRefGoogle Scholar
  23. 23.
    Varchola, M., Drutarovsky, M.: New high entropy element for FPGA based true random number generators. In: Mangard, S., Standaert, F.-X. (eds.) CHES 2010. LNCS, vol. 6225, pp. 351–365. Springer, Heidelberg (2010).  https://doi.org/10.1007/978-3-642-15031-9_24CrossRefGoogle Scholar
  24. 24.
    Wild, A., Becker, G.T., Güneysu, T.: A fair and comprehensive large-scale analysis of oscillation-based PUFs for FPGAs. In: 2017 27th International Conference on Field Programmable Logic and Applications (FPL), pp. 1–7, September 2017Google Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. 1.Technical University of MunichMunichGermany
  2. 2.Fraunhofer Institute AISECGarching bei MünchenGermany

Personalised recommendations