Early RTL Analysis for SCA Vulnerability in Fuzzy Extractors of
  Memory-Based PUF Enabled Devices by Lai, Xinhui et al.
©2020 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any
current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new
collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other
works.
arXiv:2008.08409v1 [cs.CR] 19 Aug 2020
Early RTL Analysis for SCA Vulnerability in Fuzzy
Extractors of Memory-Based PUF Enabled Devices
Xinhui Lai1, Maksim Jenihhin1, Georgios Selimis2, Sven Goossens2, Roel Maes2, Kolin Paul3
1 Department of Computer Systems, Tallinn University of Technology, Estonia
2 Intrinsic ID, The Netherlands
3 Department of Computer Science & Engg, Indian Institute of Technology Delhi, India
Email: xinhui.lai@taltech.ee
Abstract—Physical Unclonable Functions (PUFs) are gaining
attention in the cryptography community because of the ability to
efficiently harness the intrinsic variability in the manufacturing
process. However, this means that they are noisy devices and
require error correction mechanisms, e.g., by employing Fuzzy
Extractors (FEs). Recent works demonstrated that applying
FEs for error correction may enable new opportunities to break
the PUFs if no countermeasures are taken. In this paper, we
address an attack model on FEs hardware implementations
and provide a solution for early identification of the timing
Side-Channel Attack (SCA) vulnerabilities which can be
exploited by physical fault injection. The significance of this
work stems from the fact that FEs are an essential building
block in the implementations of PUF-enabled devices. The
information leaked through the timing side-channel during
the error correction process can reveal the FE input data
and thereby can endanger revealing secrets. Therefore, it is
very important to identify the potential leakages early in the
process during RTL design. Experimental results based on
RTL analysis of several Bose-Chaudhuri-Hocquenghem (BCH)
and Reed-Solomon decoders for PUF-enabled devices with FEs
demonstrate the feasibility of the proposed methodology.
Keywords - timing side-channel attack, physical unclonable
function, fuzzy extractor, fault-injection attack, error correction
code, BCH, Reed-Solomon, RTL analysis.
I. INTRODUCTION
Physical unclonable functions (PUFs) are hardware prim-
itives which derive identifiers and cryptographic keys from
the random variations of the silicon manufacturing process.
PUFs provide a significantly higher security assurance as keys
are volatile and derived only when required. Thus, a PUF
can be easily attached or embedded into the cryptographic
implementation for authentication and identification [1]. PUF-
enabled devices are also an efficient alternative to the ex-
pensive conventional measures against the integrated circuit
power-off, e.g., by using the Non-Volatile Memory (NVM)
for the key storage. The keys generated by PUFs are derived
by measurements in the field during the run time and can be
saved in a cheaper volatile memory.
PUFs are known to be sensitive to the environmental factors
such as the ambient temperature, the supply voltage noise, etc.
that may affect the reliability of the response measurement,
and ultimately, reduce the reproducibility of the cryptographic
key. Along with the external factors, the internal factors of the
PUFs manufacturing technology prevent it from guaranteeing
a constant response all the time. This nondeterminism poses
issues for applying a PUF as a key generator or identifier [2].
Therefore, for the post-processing, a Fuzzy Extractor (FE) is
an essential component to help a PUF generate a reliable key
by correcting the errors caused internally or by environmental
variations.
Different types of the PUF structure and the environmental
conditions imply different requirements for the FE and the cor-
responding ECC. An example of a silicon PUF is the memory-
based PUF, which is widely used in chip-level authentication.
FE ECCs such as Bose-Chaudhuri-Hocquenghem (BCH) [2] or
Reed-Solomon [3] codes are used in memory-based PUF enabled
devices.
While FEs with ECCs significantly raise reliability, they
can lead to new exploits such as allowing an attacker to
extract sensitive information by studying the behavior of ECC.
Side-Channel Attacks (SCA) on ECC implementations have
attracted particular attention of the research community. In
[4], the authors extract the information about the key by non-
invasive measurement of electromagnetic radiation together
with a differential power analysis of the BCH decoder. In [5],
the authors study the simple power analysis of both BCH and
Reed-Solomon code and manage to recover the PUF response
from the collected power traces. However, no prior work addresses
attacks on FEs that combine a timing SCA with fault attacks, i.e.
that target the execution time of the FE's error-correcting code
in combination with the insertion of faults into the PUF. In this
paper, we address this gap by studying the execution time
differences of BCH and Reed-Solomon RTL designs in reaction to
intentionally triggered faults inserted into the PUF. Specifically,
the contributions of the paper include:
• Definition of an attack model based on fault injection
and timing analysis of ECC execution that may lead to
the secret PUF values extraction.
• An early design stage RTL methodology for verifying the
invulnerability of an ECC design against the proposed attack,
employing both structural and simulation-based analysis steps.
• Case studies of Reed-Solomon and BCH based ECC with
vulnerabilities identification and exploitation.
978-1-7281-5409-1/20/$31.00 ©2020 IEEE
The rest of the paper is organized as follows. Section
II reviews the background of the FE architecture and ECC
decoders. The attack model is discussed in Section III. Section
IV presents the proposed methodology for verifying invul-
nerability against the proposed attack. Section V presents a
case study for ECC implementations. Section VI concludes
the paper.
II. BACKGROUND AND RELATED WORKS
A. Fuzzy Extractor and Secure Sketch
The Fuzzy Extractor [6] is a secure method to generate cryp-
tographic keys from noisy sources. The FE serves as a post-
processing unit in memory-based PUF-enabled cryptographic
schemes. It is used both in the Generation and Reconstruction
Procedures, as illustrated in Fig. 1 and Fig. 2 correspondingly.
In the Generation Procedure, the fuzzy data from the PUF
response W and a random secret S0 are used to generate the
Helper Data by an XOR operation of W with E(S0), the encoding
of S0. The generated Helper Data is stored in a non-volatile
memory. In memory-based PUF-enabled devices, the Generation
Procedure happens only once, at the first power-on of the
memory-based PUF.
Fig. 1. Generation Procedure in A PUF Fuzzy Extractor
In contrast, the Reconstruction Procedure is executed many
times during the product lifetime. Due to noise and PUF
manufacturing randomness, it is difficult to generate the same
response consistently. To reproduce the correct cryptographic
key, the Helper Data stored in the NVM is used in conjunction
with the measured PUF response W′. Then, with the help of the
ECC decoder detecting and correcting the divergent bits, the
correct W is reproduced. After applying the Hash Function, the
expected correct cryptographic key is reconstructed.
Fig. 2. Reconstruction Procedure in A PUF Fuzzy Extractor
The FE guarantees that the resulting key is consistent while
the publicly accessible Helper Data does not leak any information
related to the secret of the key. To ensure consistent generation
of the correct key, the Hamming distance between the measured
PUF response W′ and the originally measured W of the Generation
Procedure should be at most the correction capability of the ECC
decoder, represented as a constant value t. In this paper, we
assume that the measured responses of the memory-based PUF are
within this Hamming distance constraint.
Recent research works have identified potential attacks on
FEs [7]. Most of them target the Reconstruction Procedure.
In [8], the authors report on a method to extract the PUF
secret by manipulating the Helper Data in the Reconstruction
Procedure. In [9], Delvaux et al. provide an in-depth analysis
of the Helper Data algorithms, and identify new threats for
leaking the Helper Data and the soft-decision coding.
B. ECC decoder
The ECC unit is the main component of a FE. Binary BCH and
Reed-Solomon are the two types of ECC that are widely used in
PUF-enabled devices. Both codes are cyclic and capable of
detecting up to 2t and correcting up to t errors by adding 2t
check bits or non-binary values (symbols) to the data. Binary
BCH is used for binary error correction, and Reed-Solomon is
used for symbol error correction. While both software and
hardware implementations of these codes exist, the hardware ones
are more widely adopted. First, the complex decoder algorithms
require significant computational power under real-time
constraints. Second, general-purpose processors offer only
limited support for Galois Field arithmetic operations [10]. The
hardware implementations of binary BCH and Reed-Solomon decoders
are discussed in more detail in Section V.
III. ATTACK MODEL
In this paper, we assume an attack combining 1) fault
injection to the memory-based PUF with 2) a timing SCA
for observing and comparing the different decoding execution
times of the ECC unit that is aimed at revealing the correct
memory-based PUF data. In case of success, the attack ex-
plicitly compromises the core function of the PUF-enabled
cryptographic devices, because the attacker can clone the PUF
and can steal the secret.
A. Fault Injection Parameters
For the physical fault injection to the memory-based PUF
the following fault parameters are assumed.
(a) Granularity: each fault injection results in exactly one
fault in one-bit data.
(b) Modification (fault type): after the fault injection, the
manipulated data is set to a specified logic value, i.e.
either 1 or 0.
(c) Control: the attacker has a bit-wise precise control of fault
injection to the memory-based PUF bits.
(d) Effect of the fault: the injected faults have a transient na-
ture, i.e. the injected values are overwritten by the normal
functionality of the device (e.g. the next measurement of
the PUF on power-on).
Several studies on laser fault injection [11] have demonstrated
similar attack parameters and, therefore, the feasibility of the
above assumptions. Technical details of the fault injection
attack implementation are out of the scope of this study.
B. Attack Assumptions
The following set of assumptions must be satisfied for the
attack to succeed. The feasibility of assumptions (iii)-(vi) is
supported by several research works in the state of the art.
(i) The output of a memory-based PUF measurement in the
cryptographic device is processed by a FE with a binary
BCH or Reed-Solomon based ECC.
(ii) The ECC implementation leaks exploitable information
through the timing-side channel.
Comment: The methodology for identifying the vulnera-
bility enabling this assumption is the core contribution of
this paper and presented in Section IV.
(iii) The memory-based PUF is noise-free under stable en-
vironmental conditions. The errors in the memory-based
PUF are caused by the environment.
Comment: While an ideal noise-free memory-based PUF
would not require the FE at all, we assume that the noise
is caused by the variations in the external environment
while the internal noise is negligible. [12] demonstrated
that the external environmental conditions like the am-
bient temperature, supply voltage, etc. have a significant
impact on the error rate of the PUF.
(iv) The generated Helper Data is stored in NVM or the
flash memory of the cryptographic devices and remains
constant during the Reconstruction Procedure.
Comment: As an added value, this assumption creates an
advantage for the proposed attack, compared to alterna-
tives (e.g. [8], [9]), because it does not rely on the attacker
being able to modify the Helper Data.
(v) The fault injection parameters (a) to (d) hold (see III.A).
Comment: Several research works proposed bit-wise fault
injection in SRAM and other on-chip memories. E.g.,
in [13], bit-wise faults were successfully injected in a
PIC microcontroller through a semi-invasive method and
without mechanical damage to the silicon.
(vi) The attacker has a controlled access for measuring the
decoding execution time.
Comment: The physical measurement of the ECC decod-
ing execution time can exploit the reflection of timing by
the power traces. In [14], the authors analyze use of the
AES execution power traces for a SCA. The power traces
are represented by changes of power over time, with
the timing information embedded. A similar approach is
used in [15] for RTL verification of RSA designs against
vulnerability to timing SCAs.
C. Attack Procedure
The proposed attack is a combination of fault injection with
timing side channel analysis and is represented by the following
4 steps. The procedure is illustrated in Fig. 3.
1) Power on the device and measure the initial PUF data. Under
the above assumptions, this memory value should be error-free,
i.e. identical to the W generated in the Generation Procedure.
Measure and record the reference time T as the number of clock
cycles for the execution of the ECC decoding.
2) Inject a fault f at the m-th bit of the memory-based PUF
following the parameters (a) to (d), producing the new memory
data $W_m^f$. $W_m^f$ differs from W in at most one bit. E.g.,
if f sets the bit to logic 1 and m = 1, then W and $W_1^f$ are
either equal or differ by exactly one bit at the first position.
Then execute the Reconstruction Procedure and measure the
decoding execution time T(m).
3) The relation between the two decoding times T and T(m) has
only two possible cases, so the PUF's secret bit m can be
revealed by comparing the two decoding times as follows:
• if T ≠ T(m), then a value different from the original was
injected at the m-th bit. E.g., for f = 1, the original value of
the m-th bit in memory is 0;
• if T = T(m), then the value at the m-th bit was equal to the
injected one. E.g., for f = 1, the original value of the m-th
bit in memory is 1.
4) Repeat steps 1) to 3) for every bit m up to the last bit of
the memory-based PUF. The memory-based PUF's secret value is
then revealed.
Fig. 3. An illustration of the proposed attack procedure
IV. PROPOSED METHODOLOGY
The precondition for the introduced attack is the non-
constant decoding execution time in case of different input data
for the ECC unit of the memory-based PUF Fuzzy Extractor.
In this section, we propose a methodology to identify this
vulnerability in an ECC implementation already at the RTL
design phase. The methodology employs both structural and
simulation-based analysis for binary BCH and Reed-Solomon
algorithms based hardware ECC implementations. In practice,
these two algorithms are widely used by the industry in
memory-based PUF-enabled devices.
A. Structural Analysis of ECC Decoder
1) Binary BCH Decoder: A general binary BCH decoder
hardware implementation has three stages, as shown in Fig.4.
The divergent (error) bits are identified by the Syndrome
Calculator, Key Equation Solver and the Chien Search. Next,
the decoder corrects the error bits by the XOR operation on the
stored input with the identified error bits to recover the correct
codeword. Let r(x), c(x) and e(x) be the received polynomial,
codeword polynomial and error polynomial, i.e. r(x) = c(x) +
e(x). Assume the binary BCH decoder can correct t errors.
As the structural analysis of the binary BCH, we consider the
following reasoning.
Fig. 4. Binary BCH Decoder Structure
• Syndrome Calculator: The first stage of the decoder generates
the 2t syndromes defined in (1).
$S_i = r(x^i) = r_0 + r_1 x^i + r_2 x^{2i} + \dots + r_{n-1} x^{(n-1)i}$    (1)
where $1 \le i \le 2t - 1$. An important feature of the
syndromes is that they do not depend on the transmitted
information but only on the error locations. If there is an
error at position i, then $S_i$ has a non-zero value; otherwise
it is zero. For all possible inputs, the decoder always
generates 2t syndromes. Therefore, the time for the syndrome
calculation is constant for a BCH decoder with a fixed error
correction capability.
• Key Equation Solver: In the second stage, the error location
polynomial σ(x) is generated. The Berlekamp-Massey Algorithm
(BMA) is one known iterative procedure that determines the
polynomial (2) from a set of linear equations over the 2t
syndromes calculated in the first stage.
$\sigma(x) = 1 + \sigma_1 x + \sigma_2 x^2 + \dots + \sigma_t x^t$    (2)
BMA can be implemented in parallel or serially. In [16], it is
demonstrated that a parallel implementation of the BMA
correcting t errors needs 2t iterations. A serial implementation
implies a significant increase in the number of iterations;
according to [17], it needs $2t^2$ iterations. However, in both
cases the total number of iterations is determined only by t,
the maximum number of errors the decoder can correct.
• Chien Search: This stage searches for the error locations by
checking the roots of σ(x). It is a simple trial-and-error
procedure: all nonzero elements of the Galois Field of the
binary BCH decoder are generated in sequence, and only the
condition $\sigma(x^i) = 0$, which identifies an error position,
is captured. Therefore, in this stage, the total number of
nonzero elements tried depends only on the Galois Field
$GF(2^m)$, where $n = 2^m - 1$ and n is the size of the
codeword.
To conclude, for different binary BCH decoder implementa-
tions, the error correction bits and the size of the codeword are
the factors which lead to the different decoding execution time.
However, for a specific binary BCH decoder, these parameters
are fixed at the design phase. Therefore, the structural analysis
has not identified timing channels in binary BCH decoder
structures.
2) Reed-Solomon Decoder: The Reed-Solomon (RS) decoder aims at
non-binary (symbol) error correction. Different from the binary
BCH, which only needs to generate the error locator polynomial
σ(x), RS also needs to generate an error value polynomial.
Therefore, some RS implementations replace the BMA by the
Euclidean Algorithm (EA) in the Key Equation Solver to calculate
both the error location polynomial and the error value
polynomial, and add a new component, Forney, to calculate the
error values. The Reed-Solomon decoder structure is illustrated
in Fig. 5. Here, the differences with the BCH decoder structure
are highlighted in red. In the following structural analysis, we
focus only on these two different components.
Fig. 5. Reed-Solomon Decoder Structure
• Euclidean Algorithm (EA): It is an iterative procedure that
generates the error locator polynomial and the error value
polynomial from the 2t syndromes produced by the Syndrome
Calculator stage. Particular implementations of the EA may
prefer a pipelined version for performance optimization [18].
In the EA procedure [18], the error locator polynomial σ(x) and
the error value polynomial ω(x) are acquired by solving
equation (3). Equation (3) can be represented in the form of
equation (4). The extended Euclidean Algorithm finds a series
of polynomials satisfying (5). From (4) and (5),
$A_i(x) = \sigma(x)$, $R_i(x) = \omega(x)$ and $B_i(x) = -Q(x)$.
To solve the Key Equation, the EA procedure starts by
initializing $R_0(x) = x^{2t}$, $Q_0(x) = S(x)$, $L_0(x) = 0$,
$U_0(x) = 1$ and then iterates four update equations that
compute $R_i(x)$, $Q_i(x)$, $L_i(x)$ and $U_i(x)$ from the
values of the previous stage, until the degree of $R_i(x)$
becomes smaller than the degree of $L_i(x)$ or than t. When the
iteration finishes, equation (3) is solved. Because $R(x)$
starts at degree 2t and the iteration can finish at any degree
of $R(x)$ equal to t or smaller, the EA stage may require a
different number of iterations for different codewords, which
may introduce different execution times.
$\omega(x) = S(x)\sigma(x) \bmod x^{2t}$    (3)
$\sigma(x)S(x) = Q(x)x^{2t} + \omega(x)$    (4)
$A_i(x)S(x) + B_i(x)x^{2t} = R_i(x)$    (5)
• Forney: By using the Forney algorithm, the error values $e_j$
are obtained from equation (6).
$e_j = -\dfrac{\omega(X_j)}{\sigma'(X_j)}$    (6)
Normally, this stage is implemented in combinational logic
because ω(x) and σ(x) are already available. Its execution time
is constant.
To conclude, the structural analysis has not identified a timing
channel in any stage of the Reed-Solomon structure other than
the second one. Depending on the implementation, the Key
Equation Solver stage of a Reed-Solomon based ECC decoder can
introduce the vulnerability.
B. Simulation-based analysis of ECC decoder
In an RTL simulation of an ECC decoder implementation,
a number of stimuli data parameters may have an impact on
the execution time of a decoding iteration. For the proposed
simulation-based analysis step, the following parameters are
identified:
• codewordvalue: the encoded codeword value
• errorvalue: the error value is relevant only for a non-
binary (symbol) ECC decoders
• errorposition: the error bit position for a binary ECC
decoder or the error symbol position for a non-binary
ECC decoder
• errornumber : the number of error bits or symbols for
binary or non-binary ECC decoder correspondingly
The structural analysis of binary BCH and RS decoders and
the defined attack model allows reducing the search space.
Table I presents the relationship of the execution time variation
introduced by manipulating a particular decoding parameter
and the vulnerability to the proposed attack. The notations
C and NC represent constant and non-constant decoding
execution time, while V and NV represent vulnerability or
invulnerability.
TABLE I
ECC EXECUTION TIME VARIABILITY AND THE SCA VULNERABILITY
Parameters      ECC Decoding Execution Time/Vulnerability
                RS decoder      Binary BCH decoder
codewordvalue   C/NV            C/NV
errorvalue      C/V             n/a (binary decoder)
errorposition   C/V             C/V
errornumber     NC/V            C/V
In particular, manipulation of the codewordvalue parameter does
not reveal a vulnerability of the target decoder. The attacker
cannot manipulate the predefined correct codeword and can only
manipulate the input codeword to cause an error. Based on the
structural analysis, it is already known that different
codewords do not introduce different decoding times in either
the binary BCH or the RS structures. The errorvalue and
errorposition parameters can be manipulated by the attacker by
injecting faults into the input codeword. However, a constant
decoding time will not leak information through the timing
channel. From Table I, we can conclude that the binary BCH
decoder structures are secure with regard to information leakage
through the timing channel. An RS decoder implementation can be
vulnerable if the attacker injects a different number of error
symbols, i.e. varies errornumber. The table guides the designer
as to which simulation campaigns are required to verify a
particular implementation against vulnerability to the proposed
SCA.
V. CASE STUDY
The feasibility of the proposed methodology was validated
by running an exhaustive simulation campaign on 3 case study
ECC designs for memory-based PUF Fuzzy Extractors, i.e. 2
binary BCH and a Reed-Solomon ECC implementations.
A. Binary BCH decoder
The implementation of the binary BCH decoder is an open-source
design in RTL Verilog accessible from GitHub [19]. Its general
architecture is illustrated in Fig. 4. The decoder was
configured for a 12-bit codeword and 8-bit message and supports
two types of BMA, i.e. a serial (BMA serial) and a parallel
(BMA parallel) version. The configuration was set to correct up
to two errors, i.e. t = 2. Both versions were simulated with an
exhaustive set of test vectors to identify timing information
leakage. Only valid values for the 12-bit binary codeword were
extracted by running the encoder with all possible inputs. The
input for the encoder is a 4-bit message and a 2-bit error
correction capability. Since the number of errors correctable
for a given polynomial is sparse, the encoder has a selection
algorithm to pick a suitable polynomial that meets the provided
requirements. Thus the actual message width might be changed;
in our case, the encoder pads 4 zero bits and makes the input
message 8 bits wide. We input all possible 4-bit values into the
encoder. Then each encoded message value was merged with all
possible error combinations considering the injection of 0, 1
or 2 errors at a time, i.e. all combinations of errornumber and
errorposition were simulated. This means that
$T_{test\ vectors} = 2^4 \cdot \left( \binom{12}{0} + \binom{12}{1} + \binom{12}{2} \right) = 1{,}264$
ECC decoding executions were analyzed for each design, and the
decoding time was measured.
B. Reed-Solomon decoder
The case-study Reed-Solomon decoder implementation is also an
open-source design accessible from GitHub [20] and illustrated
in Fig. 5. The design was configured for 8-symbol codewords,
4-symbol messages and 8-bit symbols. The error correction
capacity was also set to 2 errors, i.e. t = 2. By default, the
design is pipelined by using registers to extend the execution
time of each stage to the worst execution-time case. In
practice, for memory-based PUF enabled devices where execution
time is a critical factor, a configuration aimed at decoder
speed optimization is often used; this was also applied for the
current case study. Different from the binary BCH, the
Reed-Solomon decoder uses symbol-based error correction. While
the parameter errorposition represents the position of the
error symbol, the errorvalue can take one of the $2^8 = 256$
possible values for an error in each symbol. The number of all
combinations of the valid codewords merged with all possible
errors for each symbol is
$T_{test\ vector} = \binom{8}{1}(2^8 - 1) + \binom{8}{2}(2^8 - 1)^2 + \binom{8}{0} = 1{,}822{,}741$,
which represents the number of executions to simulate and
analyse per codeword. In the simulation campaign, we limited
the analysis to one random valid codeword. Based on the
architecture analysis, the other codewords provide the same
results.
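The data-dependent iteration count of the Euclidean Algorithm stage (Section IV.A.2) modelled in Python for the case-study configuration above (8-symbol codewords, 4-symbol messages, 8-bit symbols, t = 2). This is an added example, not the paper's or the GitHub project's code; the GF(2^8) field polynomial, the generator roots α^1..α^4, the sample message and the injected error patterns are constructed assumptions.

```python
# GF(2^8) with primitive polynomial x^8 + x^4 + x^3 + x^2 + 1 (0x11D), alpha = 2
EXP = [0] * 512
LOG = [0] * 256
_v = 1
for _i in range(255):
    EXP[_i] = _v
    LOG[_v] = _i
    _v <<= 1
    if _v & 0x100:
        _v ^= 0x11D
for _i in range(255, 512):
    EXP[_i] = EXP[_i - 255]
N, T = 8, 2  # case-study RS: 8-symbol codeword (4 message + 2t parity symbols), t = 2

def gf_mul(a, b):
    return 0 if a == 0 or b == 0 else EXP[LOG[a] + LOG[b]]

def gf_inv(a):
    return EXP[255 - LOG[a]]

# Polynomials are coefficient lists, index = power of x (low to high).
def deg(p):
    return max((i for i, c in enumerate(p) if c), default=-1)

def padd(p, q):
    n = max(len(p), len(q))
    return [(p[i] if i < len(p) else 0) ^ (q[i] if i < len(q) else 0) for i in range(n)]

def pmul(p, q):
    r = [0] * (len(p) + len(q) - 1)
    for i, a in enumerate(p):
        for j, b in enumerate(q):
            r[i + j] ^= gf_mul(a, b)
    return r

def pdivmod(p, q):
    """Long division p / q over GF(2^8); returns (quotient, remainder)."""
    p, dq = list(p), deg(q)
    inv = gf_inv(q[dq])
    quot = [0] * max(deg(p) - dq + 1, 1)
    for i in range(deg(p), dq - 1, -1):
        if p[i]:
            c = gf_mul(p[i], inv)
            quot[i - dq] = c
            for k in range(dq + 1):
                p[i - dq + k] ^= gf_mul(c, q[k])
    return quot, p

def peval(p, x):
    y = 0
    for c in reversed(p):  # Horner's rule
        y = gf_mul(y, x) ^ c
    return y

def generator_poly():
    g = [1]
    for i in range(1, 2 * T + 1):
        g = pmul(g, [EXP[i], 1])  # (x + alpha^i); minus equals plus in characteristic 2
    return g

def encode(msg):
    """Systematic encoding: parity = m(x) x^{2t} mod g(x); codeword = parity || msg."""
    _, rem = pdivmod([0] * (2 * T) + list(msg), generator_poly())
    return rem[:2 * T] + list(msg)

def syndromes(r):
    return [peval(r, EXP[i]) for i in range(1, 2 * T + 1)]  # S_1 .. S_2t

def euclid_key_solver(S):
    """Extended Euclidean algorithm for the key equation: start from x^{2t} and
    S(x), iterate until deg R < t.  The loop count is what a timing channel sees."""
    r_prev, r_cur = [0] * (2 * T) + [1], list(S)
    a_prev, a_cur = [0], [1]
    iterations = 0
    while deg(r_cur) >= T:
        q, rem = pdivmod(r_prev, r_cur)
        r_prev, r_cur = r_cur, rem
        a_prev, a_cur = a_cur, padd(a_prev, pmul(q, a_cur))
        iterations += 1
    if a_cur[0] == 0:
        raise ValueError("more than t errors: no valid key-equation solution")
    inv = gf_inv(a_cur[0])  # normalise so that sigma(0) = 1
    sigma, omega = [gf_mul(c, inv) for c in a_cur], [gf_mul(c, inv) for c in r_cur]
    return sigma, omega, iterations

def chien_search(sigma):
    return [j for j in range(N) if peval(sigma, EXP[255 - j]) == 0]  # sigma(alpha^-j) = 0

def decoding_profile(msg, errors):
    """Inject (position, value) symbol errors into encode(msg); return the
    Euclidean-stage iteration count and the error positions recovered."""
    r = encode(msg)
    for pos, val in errors:
        r[pos] ^= val
    sigma, _, iters = euclid_key_solver(syndromes(r))
    return iters, chien_search(sigma)

if __name__ == "__main__":
    # constructed error patterns; the same value at both positions keeps S_4 != 0
    for errs in ([], [(5, 0x5A)], [(1, 0x5A), (6, 0x5A)]):
        print(len(errs), "errors ->", decoding_profile([0x12, 0x34, 0x56, 0x78], errs))
```

For errornumber = 0, 1 and 2 the solver runs 0, 1 and 2 iterations, the same three-way split that the Td:3 result in Section V.C reports in clock cycles; holding the loop at its worst-case count is the register-based equalization that Section VI names as a countermeasure.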
C. Experiment Results Analysis
Experiment results are shown in Table II. In the list of
parameters identified for manipulation by the proposed
methodology, a mark in a parameter column denotes a varied
parameter and "-" a constant one. Td denotes the number of
different decoding execution times identified and the
corresponding values in clock cycles. For the binary BCH, the
experimental results confirm the conclusions of the structural
analysis and do not identify any variation in the execution
times. For the Reed-Solomon decoder, the red cells highlight the
cases with varying decoding time. In this experiment, Td:3 {38,
66, 72} denotes the different timing cases for different numbers
of errors to be corrected, i.e. 38, 66 or 72 clock cycles for 0,
1 or 2 errors respectively. As shown in the first three rows,
different errorposition and errorvalue cannot affect the
decoding time, which remains constant (but can be equal to
different values): Td:1 {38}‖{66}‖{72}.
TABLE II
ECC-BASED FE DECODING TIMING ANALYSIS
Varied Parameters | Decoding time by ECC Implementations (clock cycles)
codewordvalue | errornumber | errorposition | errorvalue | Binary BCH-12-8 BMA serial | Binary BCH-12-8 BMA parallel | Reed-Solomon-4-8-8
- - - Td:1 {38}‖{66}‖{72}
- - - Td:1 {28} Td:1 {21} Td:1 {38}‖{66}‖{72}
- - Td:1 {38}‖{66}‖{72}
- - - Td:1 {28} Td:1 {21} Td:3 {38, 66, 72}
- - Td:1 {28} Td:1 {21} Td:3 {38, 66, 72}
- - Td:3 {38, 66, 72}
- Td:3 {38, 66, 72}
- - - Td:1 {28} Td:1 {21}
- - Td:1 {28} Td:1 {21}
- Td:1 {28} Td:1 {21}
- - Td:1 {28} Td:1 {21}
VI. CONCLUSIONS
Application of Fuzzy Extractors for error correction may
enable opportunities to break the secure PUFs if no counter-
measures are taken. This paper considers a combined attack
model based on fault injection and timing analysis of ECC ex-
ecution. In the worst case, such an attack may lead to the secret
PUF value extraction. An early design stage RTL methodology
was developed to verify the ECC design invulnerability against
such or a similar SCA.
The methodology involves structural and simulation-based
analysis parts. In our study, we targeted the two ECC
architectures most widely used in FEs. The structural analysis
has not identified vulnerabilities in the considered binary BCH
architectures, while the architecture of Reed-Solomon based ECC
may be vulnerable in particular implementations. A set of
simulation-based experimental results has confirmed the findings
and demonstrated the timing information leakage. Under the
specified assumptions, the proposed attack procedure is able to
exploit this vulnerability and reveal the secret.
The results of the early RTL analysis can guide in the
selection of suitable ECC implementation or in the application
of design-level countermeasures. To remove the leakage, e.g., a
register can be added at the output of the Euclidean Algorithm
stage to equalize the timing to the worst-case execution, or
optimizations at the ECC algorithm may be applied. The
efficiency of the mitigation solutions can be explored by the
proposed methodology at a low cost.
VII. ACKNOWLEDGEMENTS
This research was supported in part by the project H2020 MSCA
ITN RESCUE funded from the EU H2020 programme under the
MSC grant agreement No.722325 and by European Union through
the European Structural, Regional Development and Social Funds.
REFERENCES
[1] R. Maes et al., "Physically unclonable functions: A study on the state of the art and future research directions," in Towards Hardware-Intrinsic Security. Springer, 2010, pp. 3–37.
[2] R. Maes et al., "A soft decision helper data algorithm for SRAM PUFs," in 2009 IEEE International Symposium on Information Theory.
[3] A. R. Korenda et al., "A proof of concept SRAM-based physically unclonable function (PUF) key generation mechanism for IoT devices," in 2019 16th Annual IEEE International Conference on Sensing, Communication, and Networking (SECON), 2019, pp. 1–8.
[4] L. Tebelmann et al., "EM side-channel analysis of BCH-based error correction for PUF-based key generation," in Proceedings of the 2017 Workshop on Attacks and Solutions in Hardware Security.
[5] D. Karakoyunlu et al., "Differential template attacks on PUF enabled cryptographic devices," in 2010 IEEE International Workshop on Information Forensics and Security. IEEE, 2010, pp. 1–6.
[6] Y. Dodis et al., "Fuzzy extractors: How to generate strong keys from biometrics and other noisy data," in International Conference on the Theory and Applications of Cryptographic Techniques. Springer, 2004.
[7] D. Merli et al., "Side-channel analysis of PUFs and fuzzy extractors," in International Conference on Trust and Trustworthy Computing. Springer, 2011, pp. 33–47.
[8] G. T. Becker, "Robust fuzzy extractors and helper data manipulation attacks revisited: Theory vs practice," 2017.
[9] J. Delvaux et al., "Helper data algorithms for PUF-based key generation: Overview and analysis," IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, vol. 34, no. 6, pp. 889–902, 2014.
[10] M. Riley et al., "An introduction to Reed-Solomon codes: principles, architecture and implementation," 2003.
[11] C. Roscian et al., "Fault model analysis of laser-induced faults in SRAM memory cells," in 2013 Workshop on Fault Diagnosis and Tolerance in Cryptography. IEEE, 2013, pp. 89–98.
[12] Y. Gao et al., "Building secure SRAM PUF key generators on resource constrained devices," in 2019 IEEE International Conference on Pervasive Computing and Communications Workshops (PerCom Workshops).
[13] S. P. Skorobogatov et al., "Optical fault induction attacks," in International Workshop on Cryptographic Hardware and Embedded Systems. Springer, 2002, pp. 2–12.
[14] A. Krieg et al., "A side channel attack countermeasure using system-on-chip power profile scrambling," in 2011 IEEE 17th International On-Line Testing Symposium. IEEE, 2011, pp. 222–227.
[15] X. Lai et al., "PASCAL: Timing SCA resistant design and verification flow," in 2019 IEEE 25th International Symposium on On-Line Testing and Robust System Design (IOLTS). IEEE, 2019, pp. 239–242.
[16] W. Liu et al., "Low-power high-throughput BCH error correction VLSI design for multi-level cell NAND flash memories," in 2006 IEEE Workshop on Signal Processing Systems Design and Implementation.
[17] H.-C. Chang et al., "New serial architecture for the Berlekamp-Massey algorithm," IEEE Transactions on Communications, 1999.
[18] S. Lee et al., "A high-speed pipelined degree-computationless modified Euclidean algorithm architecture for Reed-Solomon decoders," IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, vol. 91, no. 3, pp. 830–835, 2008.
[19] "Verilog based BCH encoder / decoder," https://github.com/russdill/bch_verilog.
[20] "Freecores Reed-Solomon codec generator," https://github.com/freecores/reed_solomon_codec_generator.
