Challenge Codes for Physically Unclonable …Challenge Codes for Physically Unclonable Functions...
Transcript of Challenge Codes for Physically Unclonable …Challenge Codes for Physically Unclonable Functions...
Challenge Codes forPhysically UnclonableFunctions (PUFs)A Maximum Entropy Problem
Alexander Schauba, Olivier Rioulab, JosephBoutrosc, Jean-Luc Dangerad & Sylvain Guilleyad
aLTCI, Télécom ParisTech, Paris-Saclay Univ.bCMAP, Ecole Polytechnique, Paris-Saclay Univ.cTexas A&M University in QatardSecure-IC
2 July 26, 2018 Télécom ParisTech Challenge Codes for Physically Unclonable Functions
Layout of the presentation
Introduction to Physically Unclonable Functions (PUFs)
Presentation of the Entropy Problem
Entropy Problem: Results
3 July 26, 2018 Télécom ParisTech Challenge Codes for Physically Unclonable Functions
Layout of the presentation
Introduction to Physically Unclonable Functions (PUFs)
Presentation of the Entropy Problem
Entropy Problem: Results
4 July 26, 2018 Télécom ParisTech Challenge Codes for Physically Unclonable Functions
Physically Unclonable FunctionsMotivation
Embedded Security
Anti-counterfeiting
Secure password storage
5 July 26, 2018 Télécom ParisTech Challenge Codes for Physically Unclonable Functions
Physically Unclonable FunctionsDefinition and Usage
DefinitionPUF: Physical device, behavior defined by:
Input: challenge bit-string C ∈ {0,1}n
Output: bit response B ∈ {0,1}.and that is not clonable (physically and mathematically).
6 July 26, 2018 Télécom ParisTech Challenge Codes for Physically Unclonable Functions
Physically Unclonable FunctionsDefinition and Usage
Unclonability
Physically Unclonable: Presence of uncontrollable physical factorsduring manufacturing, elements of the circuit are builtslightly different each time→ Anti-counterfeiting: Different circuit behavior for
cloned hardware→ Key storage: Different key generated for each device
Mathematically Unclonable: Attacker cannot predict responses ofchallenges she did not observe yet.→ Challenge-response authentication for embedded
security (IoT, etc.).
7 July 26, 2018 Télécom ParisTech Challenge Codes for Physically Unclonable Functions
Technological dispersionDelay variation among devices
⇒ Gaussian distribution of the delays
8 July 26, 2018 Télécom ParisTech Challenge Codes for Physically Unclonable Functions
Loop-PUFMathematical Description
Definition
Set of M challenges (codewords): C = (c1, c2, . . . , cM), whereci = (ci,1ci,2...ci,n) ∈
{+1,−1
}n
Loop-PUF: output results from delay differences, modeled byinner product:
ci · X =n∑
j=1
ci,jXj
where X = (X1,X2, ...,Xn) and Xji.i.d .∼ N (0,1)
PUF Response bits: Bi = sign(ci · X ), i = 1, . . . ,M
Objective: compute HCdef.= H(B1,B2, . . . ,BM)
9 July 26, 2018 Télécom ParisTech Challenge Codes for Physically Unclonable Functions
Layout of the presentation
Introduction to Physically Unclonable Functions (PUFs)
Presentation of the Entropy Problem
Entropy Problem: Results
10 July 26, 2018 Télécom ParisTech Challenge Codes for Physically Unclonable Functions
Entropy ComputationMotivation
If challenges are orthogonal, responses are independent1.• The covariance matrix of the Gaussian vector C · X is equal to CCT
n ,and thus equal to the identity matrix in this case. Therefore, thedelays are independent. Possible for M = n when a Hadamardmatrix of rank n exists.
However, not the case when there are more challenges.Open problems:• What is the entropy for a code that is not orthogonal ?• What is the maximum entropy for a given number of challenges ?• What is the maximum entropy for all possible challenges ?• What device complexity is needed for a given required key length ?
1O. Rioul, P. Solé, S. Guilley, et al., “On the entropy of physically unclonablefunctions”, in IEEE International Symposium on Information Theory (ISIT), 2016,pp. 2928–2932.
11 July 26, 2018 Télécom ParisTech Challenge Codes for Physically Unclonable Functions
Entropy ComputationNotations
In order to compute the maximal entropy, we consider the firstM = 2n−1 challenges in lexicographical order (adding morechallenges does not increase the entropy)The corresponding entropy is denoted by Hn.The possible outcomes of the random variables (B1, ...,BM) aredenoted by b = b1b2...bM , which we call sign vectors.We define Pb = Pb1b2...bM = P[B1 = b1,B2 = b2, ...,BM = bM ]Thus,
Hn =∑
b∈{±1}2n−1
−Pb log2(Pb)
12 July 26, 2018 Télécom ParisTech Challenge Codes for Physically Unclonable Functions
Example Challenge Coden = 4,M = 8
C4 =
1 1 1 11 1 1 −11 1 −1 11 1 −1 −11 −1 1 11 −1 1 −11 −1 −1 11 −1 −1 −1
,
b1b2b3b4b5b6b7b8
= sign
X1 + X2 + X3 + X4X1 + X2 + X3 − X4X1 + X2 − X3 + X4X1 + X2 − X3 − X4X1 − X2 + X3 + X4X1 − X2 + X3 − X4X1 − X2 − X3 + X4X1 − X2 − X3 − X4
Hadamard matrix of order 4.
13 July 26, 2018 Télécom ParisTech Challenge Codes for Physically Unclonable Functions
Layout of the presentation
Introduction to Physically Unclonable Functions (PUFs)
Presentation of the Entropy Problem
Entropy Problem: Results
14 July 26, 2018 Télécom ParisTech Challenge Codes for Physically Unclonable Functions
Entropy ComputationQuadrant probability of bivariate normal (M = 2)
Let Y1 = c1 · X ,Y2 = c2 · X , ρ = E[Y1Y2]n .
Define Y ′1 such that Y2 ≡ ρY1 − ρ′Y ′1 and ρ2 + ρ′2 = 1. Then Y1 ⊥⊥ Y ′1.
Y2 ⇒ Y ′1
Y1 Y1
P[Y1 > 0,Y2 > 0] =14+
arcsin(ρ)2π
15 July 26, 2018 Télécom ParisTech Challenge Codes for Physically Unclonable Functions
Entropy ComputationOrthant probability of trivariate normal (M = 3)
We define ρi,jdef=
E[(ci ·X)(cj ·X)]n .
Orthant probability of trivariate normal:
P(c1 · X > 0, c2 · X > 0, c3 · X > 0) =18+
arcsin(ρ1,3) + arcsin(ρ1,2) + arcsin(ρ2,3)
4π
Exact computations for small M are possible. Thus, the exactcomputation of Hn is possible for small n (thanks to the use ofsymmetries).
16 July 26, 2018 Télécom ParisTech Challenge Codes for Physically Unclonable Functions
Entropy ComputationSmall PUFs
Exact entropy calculations for n ≤ 4 possible:
n 1 2 3 4Hn 1 2 H3 ' 3.6655... 14
3 + log2 3 ' 6.2516...
Where:
H3 =−
(1− 6
arcsin 13
π
)log
(18− 3
arcsin 13
4π
)
− 6
(arcsin 1
3π
)log
(arcsin 1
3π
)
17 July 26, 2018 Télécom ParisTech Challenge Codes for Physically Unclonable Functions
Maximal Entropy
For M ≥ 4, no closed-form expression for orthant probabilitiesexists.Ideas to obtain entropy results for n up to 8:• Find sign vectors with zero probability.• For the resulting vectors: exploit symmetries to find sign vectors of
equal probability.• Perform a simulation to evaluate the value of these probabilities.
18 July 26, 2018 Télécom ParisTech Challenge Codes for Physically Unclonable Functions
Zero-probability Sign-VectorsDefinition and Results
A zero-probability sign-vector is a sign vector b for which Pb = 0We have the following characterization:
Pb = 0 ⇐⇒ ∃α = (α1, ..., αM) ∈ RM\{0}M :
sign(αi) = bi when αi 6= 0 andM∑
i=1
αici = 0
We call α an annihilator for b, if it exists.Fact: If b admits an annihilator, then there exists an annihilator forb with weight at most n + 1.Fact: for the maximal code of size M = 2n−1, any annihilator hasweight at least 4.
19 July 26, 2018 Télécom ParisTech Challenge Codes for Physically Unclonable Functions
Zero-probability Sign-VectorsResults and Conjectures
Conjecture: If b admits an annihilator, then there exists anannihilator for b with minimal weight 4 (checked for n = 1, . . . ,7).Knowing zero-probability vectors of order n rules out many vectorsat order n + 1.Hn ≤ Max-entropy = log2(# non-zero probability vectors).
n Maximum # of outcomes Non-zero probabilities Proportion among outcomes max-entropy (bits)1 2 2 1. 1.2 4 4 1. 2.3 16 14 0.875 3.80734 256 104 0.40625 6.70045 65536 1882 0.0287 10.87806 4294967296 94572 2.202 ·10−5 16.52917 ∼ 1.8 · 1019 15 028 134 8.147 ·10−13 23.84118 ∼ 3.4 · 1038 8 378 070 864 2.462 ·10−29 32.9640
20 July 26, 2018 Télécom ParisTech Challenge Codes for Physically Unclonable Functions
Symmetry ExploitationSign symmetry
Gaussian random variables are symmetric: Xid= −Xi .
Changing the signs of the Gaussian r.v. is equivalent to multiplyingall lines of the challenge matrix with these signs.If sign of X1 is not changed: this is equivalent to a permutation oflines of the challenge matrix.The original and the permuted sign vectors have the sameprobability.
21 July 26, 2018 Télécom ParisTech Challenge Codes for Physically Unclonable Functions
Example of Sign Symmetryn = 4
Example vector: s =(+1 −1 + 1 −1
)
1 1 1 11 1 1 −11 1 −1 11 1 −1 −11 −1 1 11 −1 1 −11 −1 −1 11 −1 −1 −1
· diag(s) =
1 −1 1 −11 −1 1 11 −1 −1 −11 −1 −1 11 1 1 −11 1 1 11 1 −1 −11 1 −1 1
= PσC4
whereσ = (1 6) ◦ (2 5) ◦ (3 8) ◦ (4 7)
22 July 26, 2018 Télécom ParisTech Challenge Codes for Physically Unclonable Functions
Symmetry ExploitationPermutation symmetry.
All Xi have the same distribution, thus, (Xi ,Xj)d= (Xj ,Xi) for i 6= j .
A permutation of the Xi corresponds to a permutation of thecolumns in the challenge code.Due to the structure of the challenge code, a permutation of thecolumns (when the first column is not involved) corresponds to apermutation of the lines.The original and the permuted (according to permutation of thelines) sign vectors have the same probability.Similar result holds if the first column is not a fixed point of thepermutation (need to multiply the sign vector by a column of C).
23 July 26, 2018 Télécom ParisTech Challenge Codes for Physically Unclonable Functions
Example of Permutation Symmetryn = 4
Example permutation: τ = (2 3).
1 1 1 11 1 1 −11 1 −1 11 1 −1 −11 −1 1 11 −1 1 −11 −1 −1 11 −1 −1 −1
· Pτ =
1 1 1 11 1 1 −11 −1 1 11 −1 1 −11 1 −1 11 1 −1 −11 −1 −1 11 −1 −1 −1
= PσC4
whereσ = (3 5) ◦ (4 6)
24 July 26, 2018 Télécom ParisTech Challenge Codes for Physically Unclonable Functions
Symmetry ExploitationWrap-up
We obtain equivalence classes of sign vectors with sameprobability by applying aforementioned transformations.This makes computing the entropy tractable up to n = 7
n Equivalence classes Estimated entropy1 1 1.2 1 2.3 2 3.66554 3 6.2515 7 9.976 21 15.247 135 21.9
25 July 26, 2018 Télécom ParisTech Challenge Codes for Physically Unclonable Functions
Results Obtained
1 2 3 4 5 6 7 8n
0
5
10
15
20
25
30
Entro
py (i
n bi
ts)
Quadratic fit (Entropy)Entropy
Quadratic fit (Max-entropy)Max-entropy
26 July 26, 2018 Télécom ParisTech Challenge Codes for Physically Unclonable Functions
Conclusion
We presented the theoretical model of the Loop-PUF, andcomputed the maximal entropy and max-entropy.Results up to n = 8 were obtained, but the computationalcomplexity is too high for larger values.Perspectives: find (perhaps approximate) entropy formulas forlarger values, using for example compressed sensing techniques.