Secure Computation Laboratory

Department of Electrical & Computer Engineering

University of Connecticut

PUFs and Modeling Attacks on PUFs: A tutorial

Marten van Dijk

Syed Kamran Haider, Chenglu Jin, Phuong Ha Nguyen

Content

2

PUF’s

introductionPUF’s attacks

Attack’s Flow

Logistic Regression

base MLMA on

APUF

Covariance Matrix

Adaption Evolution

Strategy base MLMA on

APUF and XOR PUF

Concept Applications Categories

Weak PUF (POK):

RO PUF

Strong PUF : APUF,

XORPUF, LPN PUF

Reliability:

Fuzzy Extractor

Physically Unclonable Functions - PUF

Challenge-Response behavior of a given PUF can not be physically cloned and it is unique, i.e., different PUF instances have different Challenge-Response Behaviors

3

Process variations – basement for PUF

4

Courtesy of [1]

Courtesy of [2]

Courtesy of [3]

PUF-based Applications

5

Courtesy of [4]

IP’s protection/ authentication

Courtesy of [5]

Secret key generation

PUF’s classification

6

PUF

Weak PUF

(POK): RO PUF Strong PUF : APUF,

XORPUF, LPN PUF

Weak PUF: Ring Oscillator PUF

7

Courtesy of [9]

Ring Oscillator (RO) Ring Oscillator PUF (RO PUF)

Strong PUF Constructions

Arbiter PUF (APUF)

XOR Arbiter PUF (XOR PUF)

LPN based PUF

8

Arbiter PUF [1]

Blaise Gassend, Dwaine E. Clarke, Marten van Dijk, Srinivas Devadas:Silicon physical random functions. ACM Conference on Computer and Communications Security 2002: 148-160

9

APUF [2]

10

APUF linear delay model [1]

11

Encoding C[i] = 0 (or 1) as +1 (or -1)

APUF linear delay model [2]

12

APUF linear delay model [3]

13

APUF linear delay model [4]

14

The response r = 1 if ∆ < 0. Otherwise, r = 0

Proof of APUF’s linear delay Model

15

XOR PUF

16

Learning Parity with Noise

17

LPN-based PUF

18

LPN-based PUF is a strong PUF design which is based on LPN problem, POK and cryptographic primitives

TRNG and Hash function. (See [10])

Reliability Problem in PUF and Fuzzy Extractor [1]

ALL PUFs exploit the process variations which are not a stable feature. Thus PUF can generate different responses when a challenge is evaluated many times.

Not reliable + not full entroy: cannot directly use POK’s output as secret key

Need a methodology to generate a secret key r which is reliable and has full entropy from POK’s output.

19

POK

w0

w1 ≠w0

rAlgorithm

Reliability Problem in PUF and Fuzzy Extractor [2]

20

POK

w0

w1 ≠w0

rAlgorithm Fuzzy

Extractor

Extractor

Sketch/Gen

w0

r

P: helper dataExtractor

Rec/Decw1

rw0

Gen

p

Fuzzy Extractor: Generation Phase (Gen) and Reproduction Phase (Rep)

Rep

Reliability Problem in PUF and Fuzzy Extractor [3]

21

Courtesy of [11]

Machine Learning Techniques based Modeling Attacks

Logistic Regression

Covariance Matrix Adaption Evolution Strategy

22

Introduction on MLMA

Machine learning techniques based modelling attack (MLMA or MA): using the machine learning technique to model a PUF design

Typically, a mathematical structure of the target PUF design is required. In this context, the mathematical structure is the delay model

The goal: Learning the unknown variables w=(w[0],….,w[n-1],w[n]=1) from the recorded challenge-response pairs (CRPs)

Support Vector Machine (SVM), Logistic Regression (LR), Covariance Matric Adaptation Evolution Strategy (CMA-ES), etc.

23

Basic Steps in MLMA1. Building the model

2. Access the PUF and record a set of CRPs S={(c,r)}

3. Partition the set S into sets S1 and S2

4. Determine which MLMA technique is used

5. The set S1 is used for the phase called: training phase. In this phase, the MLMA is used to learn the unknown variables, i.e., vector w (APUF)

6. The set S2 is used to test the prediction accuracy of model, 𝑤 (APUF)

Note that: the discussion on MLMA in this presentation is based on [6]

24

S={(c,r)}

S1={(c,r)}

S2={(c,r)}

PUF P

Model M

Accuracy

Model M

MLMA

Logistic Regression

25

Courtersy of [7]

Maximum Likelihood Estimator

26

APUF A

𝜃 = 𝑤X1=(C1,R1),

X2=(C2,R2),

….

Xn=(Cn,Rn)

𝜃 = 𝑤

(C1,R’1),

(C2,R’2),

….

(Cn,R’n)

Maximum matchings

(Ri = Ri’)

X1=(C1,R1),

X2=(C2,R2),

….

Xn=(Cn,Rn)

Logistic Regression: Math Background [1]

Let us define

Define the logistic sigmoid function:

Define

27

Logistic Regression: Math Background [2]

28

Logistic Regression: Math Background [3]

Why the correct w should be found by maximizing the function l ?

29

Logistic Regression: Math Background [4]

30

• To find the optimal w of function l, we should

compute the gradient of function l, i.e.

• According to LR algorithm, w is randomly

regenerated at very beginning

• We repeat the following steps until is close

to 0

Step 1: compute

Step 2: update

• When the algorithm stops, w is the desired

model

Logistic Regression: Pseudo Code of LR

31

Enhanced LR Algorithm

Basically, the efficiency of LR can be significantly enhanced by combining Resilient Back Propagation (Rprop)

The Rprop algorithm is described in the following paper: http://deeplearning.cs.cmu.edu/pdfs/Rprop.pdf

In the LR algorithm above, 𝜂 is a constant but in Rprop algorithm, 𝜂 is dynamically changed in each iteration

32

Arbiter: Repeatability –short-term Reliability

33

(C,1),

(C,2),

….

(C,M)

APUF A

(R1=0),

(R2=1),

….

(RM=0)

R = (R1+R2+...+RM)/M

Arbiter PUF: Repeatability and Noise

34

Idea of Attack on APUF using Repeatability

35

[3]: The Gap Between Promise and Reality: On the Insecurity of XOR Arbiter PUFs CHES2015, Georg T. Becker

[5]: Side Channel Modeling Attacks on 65nm Arbiter PUFs Exploiting CMOS Device Noise, Delvaux, J., Verbauwhede, I.

CMA ES

36

Courtesy of [7]

Matlab Code of CMAES is available at [8]

CMA-ES Algorithm

37

Courtesy of [8]

CMAES on APUF based on Repeatability: Attack Strategy

38

XOR PUF

40

CMAES based attack on XOR PUF Fact 1: CMAES based attack on x-XOR PUF is done in the similar way as described for APUF

Fact 2: CMAES based attack on x-XOR PUF is a divide-and-conquer attack, i.e., all the models M0, M1, …, M(x-1) for A0, A1, …., A(x-1) are recovered. It is done by repeating CMAES many times until all x different models M0, …, M(x-1) are built

Fact 3: Each run of CMAES always produces a model M which may be the model of a certain APUF instance among x APUFs. Thus, we need to run CMAES on XORPUF many times, number of runs > x.

41

Why CMAES on XOR PUF works

42

Fact 3: Now, the CMAES-based algorithm tries to find model M which can have highest correlation coefficient with set Q and thus, M likely converges to A0 because A0 has largest noise rate.

Fact 4: If we repeat the attack many times and each time, new set Q is generated, then the models of all APUF instances will be built due to Fact 1, 2 and 3.

Fact 1

Fact 3

Fact 2

Literature1. http://image.slidesharecdn.com/secureesweb-131229032029-phpapp02/95/secure-embedded-systems-17-

638.jpg?cb=1388287390

2. https://www.gsaglobal.org/forum/2009/3/articles_tuyls.asp

3. http://rijndael.ece.vt.edu/puf/background.html

4. http://images.slideplayer.com/13/3927633/slides/slide_10.jpg

5. http://studiopresence.com/client/verayo/page_images/how_pufs_work_ill2.jpg

6. Cryptanalysis of electrical PUFs via machine learning algorithms – Master Thesis of Jan Solter

7. The Gap Between Promise and Reality: On the Insecurity of XOR Arbiter PUFs CHES, September 16 th , 2015, Georg T. Becker

8. https://en.wikipedia.org/wiki/CMA-ES

9. Physical unclonable functions for device authentication and secret key generation. DAC2007, G. E. Suh and S. Devadas

10. Trapdoor Computational Fuzzy Extractors and Stateless Cryptographically-Secure Physical Unclonable Functions. Charles Herder, Ling Ren, Marten van Dijk, Meng-Day (Mandel) Yu, and Srinivas Devadas.

11. http://www.cs.haifa.ac.il/~orrd/PrivDay/2015/Benjamin-Slides.pdf

12. Fuzzy Extractors: How to Generate Strong Keys from Biometrics and Other Noisy Data. EuroCrypt2004. Yevgeniy Dodis, Leonid Reyzin and Adam Smith

43