Analysis and Protection of the Two-Metric Helper Data Scheme

Abstract

To compensate for the poor reliability of Physical Unclonable Function (PUF) primitives, some low complexity solutions not requiring error-correcting codes (ECC) have been proposed. One simple method is to discard less reliable bits, which are indicated in the helper data stored inside the PUF. To avoid discarding bits, the Two-metric Helper Data (TMH) method, which particularly applies to oscillation-based PUFs, allows to keep all bits by using different metrics when deriving the PUF response. However, oscillation-based PUFs are sensitive to side-channel analysis (SCA) since the frequencies of the oscillations can be observed by current or electromagnetic measurements. This paper studies the security of PUFs using TMH in order to obtain both reliable and robust PUF responses. We show that PUFs using TMH are sensitive to SCA, but can be greatly improved by using temporal masking and adapted extraction metrics. In case of public helper data, an efficient protection requires the randomization of the measurement order. We study two different solutions, providing interesting insights into trade-offs between security and complexity.

This work was partly funded by the German Ministry of Education and Research in the project SecForCARs under grant number 01KIS0795 and under the SPARTA project, which has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement number 830892.

A Attacker with Helper Data Access and No Temporal Masking

Fig. 8.

Visualization of the attack failure for attacker with helper data knowledge. As an example metric M1 is used, but no temporal masking is effective.

We assume that the attacker can read the helper data, but the temporal masking countermeasure is not activated. We show how this additional information affects the attack highlighting that the TMH scheme without further protection enables SCA. This notion is rather of theoretical interest as without temporal masking, the frequency difference \(df_{}\) would be revealed independently of the helper data scheme. However, the results show that the reliability information of the TMH can also be exploited by the attacker and improves the attack compared to the scenario without helper data knowledge.

Figures 8a and 8b depict the attack scenario assuming helper data knowledge. As an example, the use of metric M1 is depicted, where an attacker can use the bounds \(-{T1}^{\star }\) and \({T2}^{\star }\)instead of \(\pm a^{\star }\) if no helper data is known. Compared to Figs. 2a and 2b, the red area below the distribution of observed values is significantly smaller. This indicates that the attacker benefits from the reliability information encoded in the helper data and is formalized in the following.

Assuming metric M1 and the value \(df_{}> a\) during enrollment the actual PUF bit is \(k_{C}\) = 0 according to Eqs. (2) and (3). The attacker will know that M1 is the metric but any observed value \({T1}^{\star }\le df^{\prime }_{C}< {T2}^{\star }\) is decoded as \(\hat{k}_{C}=1\ne k_{C}\). In other words any perturbation \({T1}^{\star }-df_{}< \epsilon < {T2}^{\star }-df_{} \) will lead to an error in the attack. Now for \(df^{\star }_{}\sim \mathcal {N}(df_{}, \sigma _{adv.})\), the probability for this event is

$$\begin{aligned} P_1(df_{}, \sigma _{adv.})&= Pr[\hat{k}_{C}\ne k_{C}|w_{C}=M1, df_{}>a] \nonumber \\&= \int _{-{T1}^{\star }}^{{T2}^{\star }} \phi ^{\star }\left( df^{\star }_{}; df_{}, \sigma _{adv.} \right) \mathrm {d}df^{\star }_{}. \end{aligned}$$

(14)

The boundaries \(-{T1}^{\star }\) and \({T2}^{\star }\) depend on the noise the attacker faces⁵, thus Eq. (14) establishes a relationship between the SNR and failure probability. Similarly, for the case when the metric is M1 and \(k_{C}=1\), the failure probability is:

$$\begin{aligned} P_2(df_{}, \sigma _{adv.})&= Pr[\hat{k}_{C}\ne k_{C}|w_{C}=M1, -a \le df_{} \le 0] \nonumber \\&= \int _{-\infty }^{-{T1}^{\star }} \phi ^{\star }\left( df^{\star }_{}; df_{}, \sigma _{adv.} \right) \mathrm {d}df^{\star }_{} + \int _{{T2}^{\star }}^{\infty } \phi ^{\star }\left( df^{\star }_{}; df_{}, \sigma _{adv.} \right) \mathrm {d}df^{\star }_{}. \end{aligned}$$

(15)

In an analogous way the failure probability for metric M2 with \(k_{C}=0\) is defined as

$$\begin{aligned} P_3(df_{}, \sigma _{adv.})&= Pr[\hat{k}_{C}\ne k_{C}|w_{C}=M2, df_{}<-a] \nonumber \\&= \int _{-{T2}^{\star }}^{{T1}^{\star }}\phi ^{\star }\left( df^{\star }_{}; df_{}, \sigma _{adv.} \right) \mathrm {d}df^{\star }_{}, \end{aligned}$$

(16)

and for metric M2 with \(k_{C}=1\) it results in

$$\begin{aligned} P_4(df_{}, \sigma _{adv.})&= Pr[\hat{k}_{C}\ne k_{C}|w_{C}=M2, 0 < df_{} \le a] \nonumber \\&= \int _{-\infty }^{-{T2}^{\star }} \phi ^{\star }\left( df^{\star }_{}; df_{}, \sigma _{adv.} \right) \mathrm {d}df^{\star }_{} + \int _{{T1}^{\star }}^{\infty } \phi ^{\star }\left( df^{\star }_{}; df_{}, \sigma _{adv.} \right) \mathrm {d}df^{\star }_{}. \end{aligned}$$

(17)

From the probabilities in Eqs. (14) to (17), which define the entire support of \(df_{}\), the overall success probability to recover a PUF bit is given by

$$\begin{aligned} Pr_{success}(df_{}, \sigma _{adv.}) = 1 - \sum _{i=1}^4 P_i(df_{}, \sigma _{adv.}). \end{aligned}$$

(18)

Figure 9 depicts the success probability for different levels of noise \(\sigma _{adv.}\) an attacker faces and depending on the enrollment value \(df_{}\). The results show that \(df_{}\approx \pm a\) and \(df_{}\approx 0\) contain most uncertainty for the attacker, i.e., it is most likely that the estimated value for the PUF bit \(k^{\prime }_{C}\) is wrong. The attacker faces the highest uncertainty for values of \(df_{}\) close to the boundary between \(\hat{k}_{}= 0\) and \(\hat{k}_{}= 1\). On the one hand, this means the attack will not yield a 100% success rate for all PUF bits. On the other hand, the attacker is provided with reliability information for the attack results that allow for develo** a smart guessing strategy.

Fig. 9.

Helper data/no temporal masking: Simulation of the attack success probability for different levels of attacker noise \(\sigma _{adv.} \).