This invention relates to use of pattern matching with Physical Unclonable Functions (PUFs) to repeatedly and reliably generate keys or other secrets values in a device.
An important aspect of improving the level of trustworthiness of semiconductor devices, semiconductor based systems, and semiconductor supply chain relates to enhancing physical security. Not only do we want semiconductor devices to be resistant to computational attacks, but also to physical attacks. Physical Unclonable Functions (PUFs) are becoming a useful tool in this regard.
Silicon PUFs generate signatures based on device manufacturing variations which are difficult to control or reproduce. Given a challenge as input, a PUF outputs a response that is unique to the manufacturing instance of the PUF circuit. These responses are similar, but not necessarily bit exact, when regenerated on a given device using the given challenge, and are expected to deviate more in Hamming distance from a reference response as environmental parameters (for example, temperature and voltage) deviate between provisioning and regeneration. For instance, this is because circuit delays do not vary uniformly with temperature and voltage.
There are two broad classes of applications for PUFs. In certain classes of authentication applications, the silicon device is authenticated if the regenerated response is “close enough” in Hamming distance to the provisioned response. Errors in PUF responses are forgiven up to a certain threshold. In an authentication application, not repeating challenges prevents replay attacks. The PUF should be resistant to software model building attacks (e.g., machine learning attacks) in order to be secure, because otherwise an adversary can create a software model or clone of a particular PUF. A second class of applications is secret key generation. In conventional usage of a PUF as a key generator, only a fixed number of secret bits need to be generated from the PUF. These bits can be used as symmetric key bits or used as a random seed to generate a public/private key pair in a secure processor. However, in order for the PUF outputs to be usable in cryptographic applications, the noisy bits need to be error corrected, with the aid of helper bits, commonly referred to as a Helper data. The greater the environmental variation a PUF is subject to, the greater the possible difference (noise) between a provisioned PUF response and a re-generated response.
This conventional method of PUF key generation using PUF response bits as secret keys has been explored in many publications. Error correction should be secure, robust and efficient. A security concern is the leakage of secret bits through the Helper data or helper bits. Robustness requires that the number of corrected errors be equal to greater than the maximum number of bit-errors from the widest range of environmental variation expected. Previously proposed schemes have used relatively heavyweight error correction logic, for instance using a BCH decoder that is capable of correcting several bit-errors in a 64-bit codeword.
In one aspect, in general, a novel method is used to reliably provision and re-generate a finite and exact sequence of bits, for use with cryptographic applications, e.g., as a key, by employing one or more challengeable Physical Unclonable Function (PUF) circuit elements. The method reverses the conventional paradigm of using public challenges to generate secret PUF responses; it exposes the response and keeps the particular challenges that generate the response secret.
In some examples, a key is assembled from a series of small (e.g., initially chosen or random), secret integers, each being an index into a string of bits produced by the PUF circuit(s). A PUF unique pattern at each respective index is then persistently stored between provisioning and all subsequent key re-generations. To obtain the secret integers again, a newly repeated PUF output string is searched for high probability matches with the stored patterns. This means that complex error correction logic such as BCH decoders are not required. The method reveals only relatively short PUF output data in public store, thwarting opportunities for modeling attacks.
In another aspect, in general, a method for secret key generation uses PUF in a novel way. Rather than using a fixed (possibly) public challenge and keeping the response bits secret, we reverse the paradigm and keep the particular challenges that generate exposed response bits secret. The secret key can be chosen at random. Roughly, the method works as follows: A PUF beginning from a fixed public challenge generates a string of response bits of length L. A secret integer s of bit-size N=log2(L) is treated as an index into the string L. Beginning with that index, a W<L-length pattern of PUF outputs is exposed and stored in non-volatile storage. This is the provisioning step. During key re-generation, the W-length pattern is provided to the PUF, and the PUF begins internally generating its output string. In the simplest instantiation, comparison logic looks for the pattern in the output string, allowing for some mismatches. If an approximate match with mismatches equal to or less than T bits is found, then the associated index for the match is s, which is correct with a very high probability. To generate a K-bit secret, we can run the above scheme K/log2(L) times.
In another aspect, in general, a method is used to securely maintaining a secret value based on device-specific characteristics of a device. The method includes first accepting the secret value. A device-specific pattern sequence is generated in the device in a first phase. The pattern sequence is statistically unique to the device. One or more offset values are selected to represent the secret value, and selected patterns in the pattern sequence at the selected offset values are determined. The selected patterns are provided for maintenance in a storage associated with the device for use in subsequent regeneration of the secret value.
Aspects may include one or more of the following.
Generating the device specific pattern sequence comprises generating a bit sequence, wherein the patterns of the pattern sequence represent segments of the bit sequence.
Generating the device specific pattern sequence comprises applying a sequence of inputs to a Physical Unclonable Function (PUF) module, and forming the devices specific pattern sequence from the corresponding outputs of the PUF module.
The method further includes accessing the maintained selected patterns from the storage associated with the device, and in the device in second phase, regenerating a device-specific pattern sequence, the patterns in the sequence being statistically similar to the patterns generated in the device in the first phase. For each of the selected patterns from the storage, an offset in the regenerated pattern sequence is determined at which the regenerated pattern corresponds to the pattern accessed from the storage. The secret value is formed from the determined offset of each of the maintained selected patterns.
Determining the offset in the regenerated pattern sequence at which the regenerated pattern corresponds to the pattern accessed from the storage includes determining whether the regenerated pattern matched the pattern from the storage within a predetermined degree of difference.
The patterns are represented as bit sequences, and the predetermined degree of difference comprised as predetermined number of bit differences.
The method further includes forming a plurality of parts of the secret value, and wherein each of the selected one or more offsets represents a different part of the secret value.
Generating the device specific pattern sequence comprises applying a sequence of inputs to a Physical Unclonable Function (PUF) module, and forming the devices specific pattern sequence from the corresponding outputs of the PUF module.
The sequence of inputs depends on one or more parts of the secret value.
The secret value comprises a cryptographic key. For instance, the cryptographic key comprises a symmetric key, an asymmetric key, and/or a private key.
The method further includes using the cryptographic key to perform a function on the device.
In another aspect, in general, a method is used for securely regenerating a secret value based on one or more maintained patterns. The method includes accessing the maintained selected patterns from a storage associated with the device. In the device, a device-specific pattern sequence is regenerated, the patterns in the sequence being statistically similar to patterns of a prior pattern sequence generated in the device. For each of the selected patterns from the storage, an offset in the regenerated pattern sequence is determined at which the regenerated pattern corresponds to the pattern accessed from the storage. The secret value is formed from the determined offset of each of the maintained selected patterns.
In another aspect, in general, a circuit module includes: a pattern sequence generator for repeatedly generating a pattern sequence that is statistically unique to the device; a pattern selector configured to accept a secret value, and select patterns in the pattern sequence according to one or more offsets determined from the secret value; an interface for storing the selected patterns, and subsequence retrieval of the selected patterns; a pattern matcher configured to retrieve the selected patterns and to determine offsets of the one or more patterns in a repeated generation of the pattern sequence; and a value assembler for combining the determined offsets to assemble a regeneration of the secret value.
In another aspect, in general, a software description of a circuit module comprises data embodied on a tangible machine readable medium for causing a processor to assemble the module into a device description. The circuit module includes: a pattern sequence generator for repeatedly generating a pattern sequence that is statistically unique to the device; a pattern selector configured to accept a secret value, and select patterns in the pattern sequence according to one or more offsets determined from the secret value; an interface for storing the selected patterns, and subsequence retrieval of the selected patterns; a pattern matcher configured to retrieve the selected patterns and to determine offsets of the one or more patterns in a repeated generation of the pattern sequence; and a value assembler for combining the determined offsets to assemble a regeneration of the secret value.
Advantages of one or more embodiments include only requiring comparison logic, which is very efficient from a hardware standpoint. The parameters L, W and T may be chosen so the probability of a collision (i.e., a different index being returned) and the probability of no match (all patterns have more than T mismatches) are negligible under prescribed environmental variation. The security of the scheme is based on the assumption that it is hard to construct a model of PUF behavior given a (limited) number of challenge-response relationships.
Another advantage arises from the limited hardware requirements of the approach: only a PUF, registers, bit-comparison, and threshold computation logic is required. The generation of keys can be made faster and the security-level raised by increasing the number of PUFs.
Other features and advantages of the invention are apparent from the following description, and from the claims.
The following notation is generally followed in the description below. Example values, which may be used in one or more embodiments are also provided.
Generally, one or more embodiments described below address the technical problem of repeatedly generating a value in a device, without requiring storing of the generated value (or any other value from which the secret value may be determined) in a non-volatile storage on or off the device, thereby preventing the value from being exposed. Such a value may be used, for example, directly as part of a secret cryptographic key, as an input to a deterministic function that computes such a key, or in other cryptographic and/or authentication applications. In some examples, the value may be provided to the device or may be initially chosen within the device at random.
Rather than using a fixed (possibly) public challenge and keeping the response bits secret, the paradigm is reversed by keeping the particular challenges that generate exposed response bits secret. Roughly, an example of the method works as follows: A PUF beginning from a fixed public challenge generates a string of response bits of length L. A secret integer s of bit-size log2(L) is treated as an index into the string L. Beginning with that index, a W<L-length pattern of PUF outputs is exposed and stored in non-volatile storage (e.g., either on the device or in an off-device storage).
During key re-generation, the pattern is retrieved from the storage, and the PUF begins internally re-generating its output string, again beginning from the fixed public challenge used during provisioning. In the simplest instantiation, comparison logic looks for the pattern in the output string, allowing for some mismatches. If an approximate match with bit mismatches equal to or less than T is found (with some probability) then the associated index for the match is s. To generate a K-bit secret, we can run the above scheme K/log2(L) times.
Referring to
Referring to
The architecture of an example of a Pattern Matching Key Generator (PMKG) 200 is shown in
The key generator works in rounds. A round is an instance of generating O bits (O=L+W) of continuous, blended PUF data; there are L possible patterns of width W found in such data. The position of such pattern is represented by its (zero-based index) I, which is N bits wide for binary power round lengths (L=2N).
During provisioning, for each round, a secret index is selected. Blended PUF output bits of length W beginning from the appropriate index are loaded into non-volatile memory. Multiple bits are blended by the PUF Blender, for example, four PUF output bits (from a single or multiple PUFs) may be XOR'ed together to generate a blended PUF output bit. This blending improves security as is discussed in Section 3.
Assume now that the PMKG has been provisioned. During key re-generation, the PMKG works in multiple rounds, each consisting of a fixed-length challenge sequence. The challenge sequence generator is a linear feedback shift register (LFSR) with an associated primitive polynomial, and begins from the fixed challenge. PUFs generate response bits based on the applied challenge. The blended outputs are shifted into a pattern shift register and the Tolerant Match Detector matches the first pattern against the contents of the pattern shift register. If the number of mismatches is This should <=T, not the subset symbol ≦T, the match signal is raised. At the end of the round, the index of the challenge that caused the match is loaded into the Volatile Key Store. If there is no match in a round, we have a failure. We note that the PMKG takes exactly the same number of cycles and performs exactly the same number of operations each round to generate any key. Thus, it is less susceptible to differential power or timing analysis.
The match signal in
Security is enhanced. Since the index that is matched on is secret, each round makes the actual challenge sequence less and less traceable to an outsider/attacker, at a multiplicative rate of L per round.
It is consistent with running the challenge sequencer for a fixed number of cycles each round.
Forking in the challenge sequencer is set up in such a way that at the end of the round, the matching secret index can be deterministically derived from the LFSR contents.
Let us further define CS(c, a, f) as the challenge sequencing function with the starting challenge c, number of advancements a, and sequence-forking flag f. The forking flag f is cleared at the beginning of every round, and set upon finding a pattern match between the round's Helper data and the current blended PUF data. The challenge sequencing is therefore split into two parts, one “before match” and “at and after match”. Note that the “before match” part may be of zero length. If no match were found (a fault condition), the resulting challenge value would be composed as cr+1(no_match)=CS(cr, L, 0), for the sequence that started with the challenge cr, advanced L times, with the forking flag cleared during the whole round. Under non-faulty conditions, a Helper data pattern match is made at some index Ir, setting the forking flag f for the rest of the round. Resulting challenge can be composed from the concatenated sequencing operations, cr+1=CS(crm, L−Ir,1), where crm=CS(cr, Ir, 0).
Alternatively, the challenge sequence could be split into three parts, one “before match”, one “at match”, and one “after match”, whereby the flag is only set in the single-advancement “at match” phase.
The PUF output data are not fully repeatable, which is usually exaggerated by the blending function (e.g., XOR), and there is no guarantee that this key generator can always converge to the same key, despite and/or because of the forgiving nature of the noise-tolerant pattern matching logic. We have two possible failure conditions: pattern misses and pattern collisions.
A miss occurs if the PUF generated data contain so much noise that it differs too much from the Helper data block and the match detector does not fire at all during a round, which is detectable by the control logic at the end of each round. Frequent misses indicate that the threshold T is set too low and should be increased. Pattern misses can be thought of as false negatives.
A collision occurs if the PUF generated data happens to come too close to matching a Helper data block originated by a different secret index within the round. This error results in an incorrect recapture of the secret index and subsequent catastrophic divergence from the provisioned challenge scheduling case of the bi-modal challenge sequence generator. Unlike the pattern miss, it is undetectable at the control level. If collisions occur, it means that the threshold T is set too high. Pattern collisions can be thought of as false positives.
The best defense against the above failures lies in choosing sufficiently wide pattern (W), so that the probabilities of misses and collisions decrease to miniscule levels with appropriate choice of T. This is the approach we take in Section 5.
In implementations where wide patterns can be traded for time, partial (miss) and full (collision) retrials with error detection can be employed. For example, a one way (hash) function slaved to the challenge sequencer produces a digest that is compared with a hash value stored at provisioning time; a match indicates a high probability of correct key generation. A narrow pattern retrial approach needs additional logical support at provisioning time, as the index choices must be discriminated for stability, and rejected if found unable to perform within acceptable number of re-tries.
We are exposing response data of the PUF. In authentication applications, it is assumed that even given unlimited challenge-response pairs (CRPs), the adversary is unable to create the model of the underlying PUF or successfully predict the response for a new challenge. A circuit for which it is currently impossible to create a software model for is called a Strong PUF. Recent work has determined that several architectures that were previously considered Strong PUFs are, in fact, clonable via machine learning attacks. This is similar to traditional cryptography, where many encryption and hashing algorithms once considered secure are now broken. One architecture that is resistant to machine learning attacks is a k-XOR n-stage Arbiter PUF with k>6 and n=64. However, the number of CRPs required to successfully attack k-XOR PUFs grows rapidly with k. For a 4-XOR Arbiter PUF with error-inflicted CRPs, over 30,000 CRPs are required, and for a 5-XOR 128-stage PUF over 100,000 CRPs are required. We note that we cannot arbitrarily increase k, since the noise levels increase with k.
In PMKG, CRPs are not exposed directly, but the adversary knows all the details of the PMKG architecture including the beginning fixed challenge. The number of exposed response bits is the Helper data size, which can be assumed to be 4096. This is much smaller than the number of CRPs required for modeling. We have two means of increasing the complexity seen by the adversary.
For small additional circuit area, the number of PUFs P can be increased and the effective response size that is exposed per PUF (or set of PUFs) can be reduced by a factor of P.
The second way is to not expose the challenge sequence schedule to the adversary. As described above, the occurrence of a match at a particular index affects the challenge schedule in the subsequent round. Since the matching index is secret, constructing possible CRPs becomes more and more difficult with each passing round. In effect, this reduces the number of CRPs available to the adversary.
We describe two possible strategies for provisioning: (1) The manufacturer and provisioning entity are trusted, or (2) The manufacturer is trusted to fabricate the design, and anyone in possession of the chip can provision a new secret with the guarantee that it cannot be discovered.
Strategy (1) requires that the provisioning mode be disabled when the chip is in the field, for example, through an irreversible “fuse” operation. This is often assumed when PUFs are used to generate a fixed-length response that is used as a key (e.g., ring oscillator bits or SRAM bits). The same strategy can be employed with PMKG as well.
Strategy (2) requires more hardware functionality in the chip. In the conventional case of the PUF response being secret, one can imagine using a PUF to generate a “fixed” response string and built-in error encoding functionality. (Only on-chip error decoding is required in (1).) produces a syndrome for the PUF response string and stores it in nonvolatile memory. The PUF response is never exposed, and is used to merely encrypt and decrypt secondary keys. Any entity can provision a secondary key that is stored in encrypted form in persistent storage. In the field, the PUF chip internally decrypts the secondary key upon power-up. Trying to provision again may generate a slightly different key and a different syndrome and is not a security concern provided secure error correction schemes are used. In the PMKG case, we can use a separate PUF or the same PUF with a different challenge to generate a secret, and use the secret as the Seed input to the PMKG during provisioning. Note that the PMKG is an encoder as well as a decoder, and so does not have to change. Upon repeated provisioning, the Seed may vary slightly and generate slightly different pattern data, but remains unknown, as does the Key derived from down-mixing the Seed. The PMKG is constructed with large enough PUF count P such that exposing multiple sets of (similar) patterns does not compromise resilience against modeling attacks.
Pappu (R. Pappu, “Physical one-way functions,” Ph.D. dissertation, Massachusetts Institute of Technology, 2001) described Physical One-Way Functions implemented using microstructures and coherent radiation and described an authentication application. Gassend et al (B. Gassend, D. Clarke, M. van Dijk, and S. Devadas, “Silicon physical random functions,” in Computer and Communication Security Conference, 2002) coined the term Physical Unclonable Function and showed how PUFs could be implemented in silicon, and used for authentication as well as cryptographic applications. Many other silicon realizations of PUFs have been proposed.
It has been shown that some proposed PUFs can be modeled or reverse-engineered precluding their use in unlimited authentication applications. Recent work related to numerical modeling attacks on PUFs and is discussed in Section 3.
In a typical error correction setting for PUF, during an initialization phase, the PUF is evaluated for a set of challenges. Then a Helper data is computed based on the responses. The Helper data or helper data is public information which is later sent to the PUF along with the challenges to perform correction on response bits. Equivalently, the Helper data can be stored locally on chip. Early work employed 2D hamming codes for error correction, and later work proposed use of Bose-Chaudhuri-Hochquenghen (BCH) codes for error correction on PUF responses. In particular, the use of BCH(255, 63, t=30) code was proposed, where 255 PUF response bits are mapped to a 63-bit key with a 192-bit Helper data. The code is capable of correcting maximum 30 erroneous responses bits. However, the implementation cost and hardware overhead of this code is significantly high and becomes even impractical as the number of errors in responses increases.
Since the Helper data is public information, the adversary can derive bias information from the Helper data to tighten the search space to find the secret key. Information leakage via Helper data is a critical aspect of the error correction. Note that previous uses of Helper data corresponded to using PUF response bits as secret key bits. In one or more embodiments of the present approach, indices into PUF challenge bits are used as the secret key bits, and the PUF response is exposed. In some embodiments, a PUF with the properties that have been termed a “Strong” PUF. In other embodiments, we can weaken the adversary to only knowing a relatively small set of PUF response bits.
We evaluated the PMKG approach described above on data obtained from 4-XOR and higher Arbiter PUFs. We focused on 4-XOR Arbiters in our experiments.
We first provide results on inter-chip and intra-chip variation of ten 4-XOR Arbiter chips in
We next provide results on key provisioning and re-generation. Five 4-XOR Arbiter chips were provisioned at 25° C. and response re-generation was done between −25° C. and +85° C. with switching between −25° C., +25° C., and +85° C. We used four settings for W and T: W=96, T=24, W=128, T=36, W=192, T=54, and W=256, T=80. For each of the four settings of W and T, keys were re-generated over 18,500 times across the temperature range.
If key re-generation fails, we retry up to 19 total times. For example, W=96, T=24 resulted in only 14,003 out 18,540 successful key re-generation in the first trial, and in 94 cases, 19 trails were not enough. On the other hand, W=256, T=80 was successful in the very first trial 100% of the time.
Our results indicate that we require W≧128, and the specific choice will depend on the trading off key generation time (including possible retrials) for Helper data size.
We have presented a viable method of PUF key generation that differs significantly from previous proposals.
In order for the exposed responses to not be a security hazard we had to use a 4-XOR arbiter PUF. Other forms of delay PUF structures that are hard to model and have less intrinsic noise than a 4-XOR arbiter PUF may be used in other implementations.
In alternative embodiments, the approach described above may be used to securely store other quantities. Referring to
Referring to
Referring to
Referring to
Note that in yet other examples, the key generator is not necessarily integrated onto the device, and a private or symmetric key is provide to the device for encoding during a provisioning procedure.
It should also be understood that other forms of statistically regeneratable (i.e., regeneratable with some errors) pseudo-random sequences can be used in this manner. For example, the result sequence may depend on biometric or physical measurements in addition to or rather than on device-specific circuit characteristics (e.g., delay characteristics).
In some implementations, modules or entire devices may be represented in data that imparts functionality onto a design or fabrication system. For example, a module may be represented though functional data and/or instructions of a hardware description language (e.g., HDL, Verilog, etc.), which is used to lay out and then fabricate devices that embody that module.
It is to be understood that the foregoing description is intended to illustrate and not to limit the scope of the invention. Other embodiments are within the scope of the following claims.