
Introduction to PUFs

Physical Unclonable Functions (PUFs) are arguably the current best hope to protect against physical attacks aimed at extracting secret keys (root of trust). That being said, PUFs are an active area of research where new PUF designs are proposed and existing designs are broken. Hence, research is needed to better understand the limitations of PUFs in the context of TEEs.

The first PUF was presented in the PhD thesis titled Physical One-Way Functions, by Ravikanth Srinivasa Pappu.

Not sure where it's best to start, but perhaps this article (if you have access):
Physical unclonable functions by Yansong Gao, Said F. Al-Sarawi & Derek Abbott

OR:

  • Physical Unclonable Functions for Device Authentication and Secret Key Generation

    "Because the PUF circuit is rather simple, attackers can try to construct a precise timing model and learn the parameters from many input-output pairs [8]. To prevent these model-building attacks, the PUF circuit output can be obfuscated by XOR’ing multiple outputs or a PUF output can be used as one of the MUX control signals. Note that the model building attack is irrelevant for the cryptographic key generation where the PUF output is never directly exposed."

    (G. Edward Suh, Srinivas Devadas)

  • An Introduction to Physically Unclonable Functions

    When manufactured, the PUF will be fed a series of different challenges and have its responses recorded. Through this exercise, the designers know each PUF's unique response to a given challenge and can use this information to prevent counterfeiting, create and store cryptographic keys, and many other security feats.

    TODO: figure out if the set of CRPs is not needed for signing keys. Also, out of curiosity, could there be oblivious (or zk) CRPs, meaning that no one knows the challenge-response pairs, and yet they can be used?
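The enrollment step described in the second article, followed by its use for authentication, as an added example that is not code from either article. `SimulatedPUF` and `Verifier` are hypothetical names, and a hash of a hidden per-device value plus random bit flips stands in for real silicon; in a deployment the challenge and response would travel over a channel instead of being passed as an object.

```python
import hashlib
import random
import secrets

RESP_BITS = 128   # response length in bits
THRESHOLD = 32    # maximum Hamming distance still accepted as "same device"


class SimulatedPUF:
    """Software stand-in for a PUF: hidden per-device variation plus read noise."""

    def __init__(self, variation: bytes, noise: float = 0.05, rng_seed: int = 0):
        self._variation = variation            # models manufacturing variation
        self._noise = noise                    # per-bit flip probability per read
        self._rng = random.Random(rng_seed)    # seeded so the demo is repeatable

    def respond(self, challenge: bytes) -> int:
        digest = hashlib.sha256(self._variation + challenge).digest()
        ideal = int.from_bytes(digest[:RESP_BITS // 8], "big")
        flips = sum(1 << i for i in range(RESP_BITS) if self._rng.random() < self._noise)
        return ideal ^ flips


class Verifier:
    """Trusted party holding the CRP database recorded at manufacture."""

    def __init__(self):
        self._crps = {}   # device_id -> list of unused (challenge, response) pairs

    def enroll(self, device_id: str, puf: SimulatedPUF, count: int) -> None:
        challenges = [secrets.token_bytes(16) for _ in range(count)]
        self._crps[device_id] = [(c, puf.respond(c)) for c in challenges]

    def remaining(self, device_id: str) -> int:
        return len(self._crps.get(device_id, []))

    def authenticate(self, device_id: str, puf: SimulatedPUF) -> bool:
        pairs = self._crps.get(device_id)
        if not pairs:
            return False                       # database exhausted: re-enroll
        challenge, expected = pairs.pop()      # each CRP is used once, then discarded
        distance = bin(expected ^ puf.respond(challenge)).count("1")
        return distance <= THRESHOLD           # tolerate noise, reject other silicon
```

Discarding every CRP after one use keeps an eavesdropper from replaying an observed response, which is also why the database has to be sized for the device's lifetime.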

First well-known PUF: Physical One-Way Functions

https://www.science.org/doi/full/10.1126/science.1074376

Also at https://nbviewer.org/github/rpappu/pdf-publications/blob/master/Pappu-Science-2002.pdf

Taxonomy of PUFs

Main reference: https://pubs.aip.org/aip/apr/article/6/1/011303/571003/A-PUF-taxonomy

[Two figures; source: A PUF taxonomy by McGrath et al.]

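A blank cell shares the value of the nearest filled cell above it (merged cells in the source table).

| Concept | Mechanism | Parameter | Implicity | Evaluation | Family |
|---|---|---|---|---|---|
| Arbiter PUF | All-electronic | Time | Implicit | Intrinsic | Racetrack |
| ClockPUF | | | | | |
| Ring oscillator PUF | | Frequency | | | |
| TERO PUF | | Transient/glitch | | | |
| GlitchPUF | | Voltage/current | | | |
| SRAM failure PUF | | | | | Volatile memory |
| Bistable ring PUF | | Bistable state | | | |
| DRAM PUF | | | | | |
| MECCA PUF | | | | | |
| Rowhammer PUF | | | | | |
| SRAM PUF | | | | | |
| CNN PUF | | Voltage/current | | | Direct characterisation |
| Power distro. PUF | | | | | |
| QUALPUF | | | | | |
| TV PUF | | | | | |
| VIA PUF | | Binary connectivity | | | |
| NEMS PUF | | | Explicit | Extrinsic | |
| Self-assembly PUF | | | | | |
| CN PUF | | Voltage/current | | | |
| MEMS PUF | | | | | |
| Q EPUF | | | | | |
| SHIC PUF | | | | | |
| BoardPUF | | Capacitance | | | |
| Coating PUF | | | | | |
| Acoustical PUF | | Frequency | | | |
| Memristor PUF | | Bistable state | | | Non-volatile memory |
| PCKGEN | | | | | |
| STT-MRAM PUF | | | | | |
| CD PUF | Hybrid (optical) | Light intensity | Implicit | | Optical |
| Paper PUF | | | | | |
| Nanowire distro. PUF | | | Explicit | | |
| Optical fibre PUF | | | | | |
| Optical PUF | | | | | |
| Phosphor PUF | | | | | |
| Nanoparticle distro. PUF | | | | | |
| Monolayer depo. PUF | | | | | |
| Lanthanide lum. PUF | | | | | |
| Q OPUF | | Intensity and Frequency | | | |
| Liquid crystal PUF | | Frequency | | | |
| LC PUF | Hybrid (RF) | RF power absorption | | | RF |
| RF-DNA PUF | | | | | |
| Magnetic PUF | Hybrid (magnetic) | Mag. field intensity | Implicit | | Magnetic |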

Table source: A PUF taxonomy by McGrath et al.

Commercial PUFs

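A blank cell shares the value of the nearest filled cell above it (merged cells in the source table).

| Concept | Mechanism | Parameter | Implicity | Evaluation | Family |
|---|---|---|---|---|---|
| Arbiter PUF | All-electronic | Time | Implicit | Intrinsic | Racetrack |
| Ring oscillator PUF | | Frequency | | | |
| SRAM PUF | | Bistable state | | | Volatile memory |
| Power distro. PUF | | Voltage/current | | | Direct characterisation |
| TV PUF | | | | | |
| VIA PUF | | Binary connectivity | | | |
| Q EPUF | | Voltage/current | Explicit | Extrinsic | |
| Q OPUF | Hybrid (optical) | Intensity and Frequency | | | Optical |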

Partial table source: A PUF taxonomy by McGrath et al.

Remote Attestation

Malicious PUFs

New PUFs

Applications

In this paper, an alternative authentication approach in which an MCU generates a secret key internally is introduced, exploiting manufacturing variability as a physical unclonable function (PUF). As the key is generated by the device itself, manufacturers save the expense of a secure environment for external key generation. In production, once chips are loaded with a firmware, it is only necessary to run an internal characterization and pass on the resulting public key, mask and helper data to be stored for authentication and recovery. Further external memory access is prevented, e.g., by blowing the JTAG security fuse. As the secret key is regenerated (with the same result each time) rather than stored in non-volatile memory, it is very hard to clone and the cost of a secure element can be saved.

The case for such IoT devices is strengthened further in combination with a distributed ledger, or blockchain. First of all, the immutability and distributed trust provided by a blockchain can make the device authentication independent of the manufacturer. Secondly, a business process implemented in chaincode that relies on IoT inputs can validate device signatures to ensure the authenticity and integrity of those inputs.

Replacing the central database operated by a manufacturer with a blockchain makes the system independent of the manufacturer. The chaincode will still allow only the manufacturer to create new machine entries on the distributed ledger but as the ledger content is distributed to all participants (multiple manufacturers, retailers, owners, etc.) the manufacturer is relieved of administering the system and guaranteeing its availability. A central database would go offline when the manufacturer goes out of business whereas a blockchain can survive.

Given the security disadvantages of symmetric authentication schemes (keeping a database of keys to authenticate with the risk of being hacked or lost, the risk of cloning, and barriers for third-party authentication, among others) our approach instead uses public-key cryptography based on learning parity with noise (LPN) problems, and in particular zero-knowledge (ZK) protocols to further simplify the management of device public keys. The blockchain may make the public keys generated by each device available for anyone to use in their own authentication system.

As for the second aspect, even a low-cost device can prevent manipulation of its communication with a blockchain by signing its messages with our PUF-derived keys, making the proposal suitable for any resources-limited device connected to the blockchain [9]. The chain code, in turn, can also validate the device signatures to ensure data integrity and authenticity, extending the trust the blockchain provides into the IoT device.

This paper proposes using an SRAM-based PUF to generate cryptographic keys that are employed in a zero-knowledge proof to authenticate an IoT device. We present an efficient implementation in an MCU and show that even low-cost devices can perform the required computational tasks sufficiently fast. Experimental results demonstrate that our approach is robust against temperature variations and that collisions of device identities are unlikely.
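How a key can be regenerated "with the same result each time" from noisy SRAM start-up bits using public helper data, as an added example that is not the quoted paper's code. It uses a textbook code-offset construction with a repetition code, not the paper's LPN-based scheme, and the function names, parameters and simulated SRAM are assumptions.

```python
import hashlib
import random
import secrets

REP = 15         # repetition factor (odd, so majority voting never ties)
KEY_BITS = 128   # number of secret bits protected by the helper data


def sram_powerup(cells, noise, rng):
    """One noisy read-out of a simulated SRAM start-up pattern (list of 0/1)."""
    return [bit ^ (rng.random() < noise) for bit in cells]


def _kdf(bits):
    """Hash the recovered secret bits into the final key."""
    return hashlib.sha256(bytes(bits)).hexdigest()


def enroll(reading):
    """Run once in production: returns (key, helper). Only helper is stored."""
    secret = [secrets.randbits(1) for _ in range(KEY_BITS)]
    codeword = [bit for bit in secret for _ in range(REP)]   # repeat each bit
    helper = [w ^ c for w, c in zip(reading, codeword)]      # code offset
    return _kdf(secret), helper


def regenerate(reading, helper):
    """Run at every boot: a fresh noisy reading plus helper gives the key back."""
    noisy_codeword = [w ^ h for w, h in zip(reading, helper)]
    secret = [
        int(sum(noisy_codeword[i:i + REP]) > REP // 2)       # majority vote
        for i in range(0, len(noisy_codeword), REP)
    ]
    return _kdf(secret)


if __name__ == "__main__":
    rng = random.Random(7)   # constructed sample device, seeded for repeatability
    cells = [rng.getrandbits(1) for _ in range(KEY_BITS * REP)]
    key, helper = enroll(sram_powerup(cells, 0.03, rng))
    print(regenerate(sram_powerup(cells, 0.03, rng), helper) == key)
```

The helper data only hides the secret if the start-up bits are unbiased and independent; strongly biased cells leak key bits through it, which is one reason to mask out unsuitable cells during characterization.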

Commercial PUFs

https://www.cryptoquantique.com/products/qdid/

Concerns/Questions

As per Physical unclonable functions:

Authentication can also be executed remotely, once the CRP (challenge–response pair) is recorded in a secure database only known by the trusted party (server).

This seems to relate to what is called remote attestation in the context of popular TEEs like SGX. In the context of SGX, for instance, the chip manufacturer is considered to be a trusted party, for various reasons (e.g., #2).

Hacking & Cryptanalysis

Specifications in Chip Designs

References

Other References