

#### SPACE 2012, Chennai, India, November 2-3



#### Performance and Security Evaluation of AES S-Box-based Glitch PUFs on FPGAs

<u>Dai Yamamoto</u> Fujitsu Laboratories Ltd., Japan KU Leuven, Belgium

> Collaborators: Gabriel Hospodar, Roel Maes, Ingrid Verbauwhede (KU Leuven, Belgium)



#### Introduction

Semiconductor counterfeiting has recently boomed

- Huge threat for companies
  - Technologically
  - Financially

Call for solutions

#### BBC NEWS TECHNOLOGY

http://www.bbc.co.uk/news/technology-17665527



#### Fake semiconductors 'could cause tragedy'

The number of fake memory chips and processors in use has tripled since 2009, suggests a report.

The report, compiled by semiconductor analyst IHS iSuppli, said fakes were found in phones, computers, military hardware, cars and hospital equipment.

The analyst said the fakes were turning up in so many places that they might soon put lives at risk.



Fakes are turning up in more and more gadgets, warns iSuppli

The military and aerospace firms were the most likely to be using fakes, it said.

#### Chip police

More than 1,363 fakes were reported in 2011, said the report, and threatened to dent a market worth more than 169bn (£109bn) a year.

#### **KU LEUVEN**

#### SPACE 2012: Dai Yamamoto et al.

### Why is Counterfeiting Serious?

- Monetary damage for honest manufacturers
  - Customers buy counterfeits  $\rightarrow$  drop in sales  $\rightarrow$  drop in revenues
  - Costs increase due to extra security analyses
- Losing the trust of customers
  - Mistaking the fake with the original
  - Counterfeit often has poorer quality
- Increase risks of life-threatening accidents
  - Electric vehicles, medical devices, smart grid, etc.






- Anti-counterfeiting technologies are specifically required
  - PUF (Physically Unclonable Function)


#### PUF: Physically Unclonable Function

- Focus on PUFs on LSIs: Silicon PUFs
- Outputs depend on process variations of each individual LSI

- Slight differences of wire/gate delays, drive capability, etc.
- Responses ideally NOT predictable
- Counterfeiting and modeling PUFs is quite difficult
  - Encryption keys can be derived from PUF responses


### Motivation (1/2)

- Two types of PUFs:
  - Memory-based PUFs
    - SRAM-PUFs, Latch PUFs, Butterfly PUFs, Flip-flop (FF) PUFs, etc.
  - Delay-based PUFs
    - Ring-oscillator PUFs, Arbiter PUFs, Glitch PUFs, etc.
- Developers' self-evaluation is valuable, but they may...
  - Overstate good results
  - Understate undesirable results
- Third-party evaluation is very important
  - Independent verification of claims about proposed PUFs
  - Results contribute to practical usability assessment of new PUFs


### Motivation (2/2)

- Third party evaluation of AES S-Box-based Glitch PUFs
  - Suzuki et al. at CHES 2010 ("developers")
- AES S-Box-based Glitch PUFs (GPUFs)
  - One of the most feasible and secure delay-based PUFs
  - Resistance against machine learning attacks
  - Not evaluated by the community yet



#### **Overview**

- Performance and Security evaluation of GPUFs
  - Performance: **Reliability** and Uniqueness
  - Security: How difficult is GPUF response prediction?
- Contributions
  - [1] # CRPs =  $2^{19}$  (not  $2^{11}$ )
  - [2] Low robustness against voltage variation
    - Reliability (response error rate: RER)
      - Ours ≈ 35%, Developers' ≈ 10%
  - [3] Weak challenges  $\rightarrow$  easily predictable responses
    - Potential vulnerability against machine learning attacks
- Conclusion
  - GPUFs present almost no PUF-behavior


#### **Table of Contents**

- Background
  - PUF performance: Reliability
  - GPUF
- Contributions

  - [1] Number of CRPs is 2<sup>19</sup>, instead of 2<sup>11</sup>
  - [2] Performance: Low robustness against voltage variation
  - [3] Weak challenges leading to more easily predictable responses
- Summary / Future work




### Reliability (Response Error Rate)

- Consistency of responses generated by the same challenges
  - Mean of Hamming distances (HDs) between a reference response and n repeated measurements



- High reliability = low RER (ideally HD=0)
- Important to keep high reliability in various conditions



### GPUF

- Glitch: A pulse of short duration
  - Occurring before the signal settles to a value
- GPUF
  - Using an AES S-Box as a glitch generator
    - Based on composite Galois Field
  - A toggle FF (TFF) outputs "1" if the parity of the # of glitches is odd
  - Challenge: 11 bits, Response: 1 bit





#### Developers evaluated 2<sup>11</sup> CRPs

- No reason in their paper
- Glitches: 8-bit challenge changes from  $C_{\rm p}$  to  $C_{\rm c}$
  - $C_{\rm p}$  affects glitches
- Challenge is 19 bits
  - 8-bit  $C_{\rm p}$ , 8-bit  $C_{\rm c}$ , 3-bit 2<sup>nd</sup> C

[Figure labels: 1<sup>st</sup> C (8 bits); 8-bit data register]

### Performance Evaluation of GPUFs


- Original performance results are insufficient
  - Developers evaluated only a subset (2<sup>11</sup>) of all CRPs (2<sup>19</sup>)
- Evaluating performance of GPUFs using <u>all CRPs (2<sup>19</sup>)</u>
  - Reliability in various voltage conditions
  - Relation between reliability and challenges:  $HD(C_p, C_c)$
- FPGA-based evaluation
  - Custom-made FPGA board
    - GPUF on FPGAs
    - Varying core voltages
    - 20 replaceable FPGAs




#### Robustness in Various Voltages

- RER in 1.14V, 1.20V, and 1.26V
- Our RER is much higher than the developers'
  - Ours ≈ 35% (Low robustness!!), Developers' ≈ 10%
- Reason: Number of evaluated CRPs
  - Result of 2<sup>11</sup> CRPs satisfying HD( $C_p$ ,  $C_c$ ) = 1, where the differing bit is the LSB




### RER vs $HD(C_p, C_c)$

- RER strongly depends on  $HD(C_p, C_c)$
  - Small HD( $C_p$ ,  $C_c$ )  $\rightarrow$  low RER
  - Small number of challenge-bit transitions  $\rightarrow$  little influence on glitches
- Appropriate CRPs selection needed  $\rightarrow$  higher design cost
  - RER > 15%  $\rightarrow$  error correcting with large redundant data

[Figure: Response Error Rate (%) versus  $HD(C_p, C_c)$  at 1.14V, 1.20V and 1.26V, with a 15% line]


AES S-Box-based GPUFs present almost no PUF-behavior since reliability is quite low for different voltages




### Security Evaluation of GPUFs

- # glitches from 6<sup>th</sup> S-Box bit
- Horizontal lines (= 16 weak challenges)
  - 16  $C_{\rm c}$  leading to almost no glitches regardless of  $C_{\rm p}$
  - Attackers can predict such responses more easily than other ones
  - A machine learning attacker could benefit from these correlations




### Why do such weak challenges exist?



- AES S-Box (composite field) consists of 3 sub-modules
  - Input / output of S-Box: *x* and *y*
  - Input / output of GF inverter: a and b
- Our Goal
  - To find special values of x yielding y[6] = zero




#### Step1: Combination module

- $y[6] = \sim b[4] \oplus b[5] \oplus b[6] \oplus b[7]$ 
  - y[6] depends only on the upper 4 bits of b





#### Step2: GF inverter (1/2)

- The upper 4 bits of b satisfy:
  - $b[7] = tn[0] \oplus tn[1] \oplus tn[3] \oplus tn[4]$
  - $b[6] = tn[0] \oplus tn[2] \oplus tn[3] \oplus tn[5]$
  - $b[5] = tn[0] \oplus tn[1] \oplus tn[7] \oplus tn[8]$
  - $b[4] = tn[0] \oplus tn[2] \oplus tn[6] \oplus tn[7]$
- tn is a 9-bit internal variable in the GF inverter




### Step2: GF inverter (2/2)

- *tn* satisfies:
  - $tn[8] = v[3]$
  - $tn[7] = v[2] \oplus v[3]$
  - $tn[6] = v[2]$
  - $tn[5] = v[1] \oplus v[3]$
  - $tn[4] = v[0] \oplus v[1] \oplus v[2] \oplus v[3]$
  - $tn[3] = v[0] \oplus v[2]$
  - $tn[2] = v[1]$
  - $tn[1] = v[0] \oplus v[1]$
  - $tn[0] = v[0]$

If a[7:4] are zero, then no glitch is expected in y[6]



### Step3: isomorph $\delta$

- Our goal
  - To find special values of x yielding a[7:4] = zero
- 16 patterns of x (weak challenges  $C_{c}$  regardless of  $C_{p}$ )...
  - 0, 1, 80, 81, 12, 13, 92, 93, 224, 225, 176, 177, 236, 237, 188, 189
- ...matching the 16 horizontal lines
  - Easily predictable responses due to almost no glitches




#### Summary

- Goal
  - Performance and Security evaluation of GPUFs
- Contributions
  - Number of CRPs is not 2<sup>11</sup> but 2<sup>19</sup>
  - Clarify Reliability of GPUFs
    - Low robustness against voltage variation
    - Reliability strongly depends on  $HD(C_p, C_c)$
  - 16 weak challenges leading to more easily predictable responses
- Conclusion
  - GPUFs should not use AES S-Box as a glitch generator
- Future work
  - ASIC Evaluation of GPUFs
  - Proposing an alternative glitch generator for GPUFs




# Thank you very much




