Efficient Power and Timing Side Channels for Physical Unclonable Functions

  • Ulrich Rührmair
  • Xiaolin Xu
  • Jan Sölter
  • Ahmed Mahmoud
  • Mehrdad Majzoobi
  • Farinaz Koushanfar
  • Wayne Burleson
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8731)


One part of the original PUF promise was their improved resilience against physical attack methods, such as cloning, invasive techniques, and arguably also side channels. In recent years, however, a number of effective physical attacks on PUFs have been developed [17,18,20,8,2]. This paper continues this line of research, and introduces the first power and timing side channels (SCs) on PUFs, more specifically on Arbiter PUF variants. Concretely, we attack so-called XOR Arbiter PUFs and Lightweight PUFs, which prior to our work were considered the most secure members of the Arbiter PUF family [28,30]. We show that both architectures can be tackled with polynomial complexity by a combined SC and machine learning approach.

Our strategy is demonstrated in silicon on FPGAs, where we attack the above two architectures for up to 16 XORs and 512 bits. For comparison, in earlier works XOR-based Arbiter PUF designs with only up to 5 or 6 XORs and 64 or 128 bits had been tackled successfully. Designs with 8 XORs and 512 bits had been explicitly recommended as secure for practical use [28,30].

Together with recent modeling attacks [28,30], our work shows that unless suitable design countermeasures are put in place, no remaining member of the Arbiter PUF family resists all currently known attacks. Our work thus motivates research on countermeasures in Arbiter PUFs, or on the development of entirely new Strong PUF designs with improved resilience.


Physical unclonable functions (PUFs) side-channel attacks power side channel timing side channel modeling attacks machine learning hardware security 


  1. 1.
    Bishop, C.M., Nasrabadi, N.M.: Pattern recognition and machine learning. Springer, New York (2006)zbMATHGoogle Scholar
  2. 2.
    Delvaux, J., Verbauwhede, I.: Side channel modeling attacks on 65nm arbiter PUFs exploiting CMOS device noise. In: HOST (2013)Google Scholar
  3. 3.
    Delvaux, J., Verbauwhede, I.: Attacking PUF-Based Pattern Matching Key Generators via Helper Data Manipulation. IACR Cryptology ePrint Archive, Report 2013/566Google Scholar
  4. 4.
    Delvaux, J., Verbauwhede, I.: Key-recovery Attacks on Various RO PUF Constructions via Helper Data Manipulation. IACR Cryptology ePrint Archive, Report 2013/610Google Scholar
  5. 5.
    Delvaux, J., Verbauwhede, I.: Fault Injection Modeling Attacks on 65nm Arbiter and RO Sum PUFs via Environmental Changes. IACR Cryptology ePrint Archive, Report 2013/619Google Scholar
  6. 6.
    Devadas, S.: Physical unclonable functions and secure processors. In: Clavier, C., Gaj, K. (eds.) CHES 2009. LNCS, vol. 5747, pp. 65–65. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  7. 7.
    Gassend, B., Clarke, D., van Dijk, M., Devadas, S.: Silicon physical random functions. In: ACM Conference on Computer and Communications Security, pp. 148–160 (2002)Google Scholar
  8. 8.
    Helfmeier, C., Nedospasov, D., Boit, C., Seifert, J.-P.: Cloning Physically Unclonable Functions. In: HOST 2013 (2013)Google Scholar
  9. 9.
    Lim, D.: Extracting Secret Keys from Integrated Circuits. MSc Thesis, MIT (2004)Google Scholar
  10. 10.
    Majzoobi, M., Koushanfar, F., Devadas, S.: FPGA PUF using programmable delay lines. In: IEEE Workshop Information Forensics and Security, WIFS (2010)Google Scholar
  11. 11.
    Majzoobi, M., Koushanfar, F., Potkonjak, M.: Lightweight Secure PUFs. In: ICCAD, pp. 607–673 (2008)Google Scholar
  12. 12.
    Majzoobi, M., Koushanfar, F., Potkonjak, M.: Testing techniques for hardware security. In: Proceedings of the International Test Conference (ITC), pp. 1–10 (2008)Google Scholar
  13. 13.
    Majzoobi, M., Koushanfar, F., Potkonjak, M.: Techniques for Design and Implementation of Secure Reconfigurable PUFs. ACM Trans. Reconfigurable Technology and Systems 2(1) (2009)Google Scholar
  14. 14.
    Majzoobi, M., Dyer, E., Elnably, A., Koushanfar, F.: Rapid FPGA Characterization using Clock Synthesis and Signal Sparsity. In: International Test Conference (ITC), pp. 1–10 (2010)Google Scholar
  15. 15.
    Majzoobi, M., Koushanfar, F.: Time-Bounded Authentication of FPGAs. IEEE Transactions on Information Forensics and Security (TIFS) 6(3), 1123–1135 (2011)CrossRefGoogle Scholar
  16. 16.
    Rostami, M., Majzoobi, M., Koushanfar, F., Wallach, D., Devadas, S.: Robust and Reverse-Engineering Resilient PUF Authentication and Key-Exchange by Substring Matching. IEEE Transactions on Emerging Topics in Computing (2014)Google Scholar
  17. 17.
    Merli, D., Schuster, D., Stumpf, F., Sigl, G.: Side-Channel Analysis of PUFs and Fuzzy Extractors. In: McCune, J.M., Balacheff, B., Perrig, A., Sadeghi, A.-R., Sasse, A., Beres, Y. (eds.) Trust 2011. LNCS, vol. 6740, pp. 33–47. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  18. 18.
    Merli, D., Schuster, D., Stumpf, F., Sigl, G.: Semi-invasive EM attack on FPGA RO PUFs and countermeasures. In: ACM Workshop on Embedded Systems Security, WESS 2011 (2011)Google Scholar
  19. 19.
    Merli, D., Heyszl, J., Heinz, B., Schuster, D., Stumpf, F., Sigl, G.: Localized electromagnetic analysis of RO PUFs. In: HOST 2013 (2013)Google Scholar
  20. 20.
    Nedospasov, D., Helfmeier, C., Seifert, J.-P., Boit, C.: Invasive PUF Analysis. In: Fault Diagnonsis and Tolerance in Cryptography, FDTC 2013 (2013)Google Scholar
  21. 21.
    Pappu, R.: Physical One-Way Functions. PhD Thesis, Massachusetts Institute of Technology (2001)Google Scholar
  22. 22.
    Pappu, R., Recht, B., Taylor, J., Gershenfeld, N.: Physical One-Way Functions. Science 297, 2026–2030 (2002)CrossRefGoogle Scholar
  23. 23.
    Riedmiller, M., Braun, H.: A direct adaptive method for faster backpropagation learning: The RPROP algorithm. In: IEEE International Conference on Neural Networks, pp. 586–591 (1993)Google Scholar
  24. 24.
    Rührmair, U., Devadas, S., Koushanfar, F.: Security based on Physical Unclonability and Disorder. In: Tehranipoor, M., Wang, C. (eds.) Introduction to Hardware Security and Trust, Springer, Heidelberg (2011)Google Scholar
  25. 25.
    Rührmair, U., van Dijk, M.: Practical security analysis of PUF-based two-player protocols. In: Prouff, E., Schaumont, P. (eds.) CHES 2012. LNCS, vol. 7428, pp. 251–267. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  26. 26.
    Rührmair, U., van Dijk, M.: PUFs in Security Protocols: Attack Models and Security Evaluations. In: IEEE Symposium on Security and Privacy, Oakland 2013 (2013)Google Scholar
  27. 27.
    Rührmair, U., Holcomb, D.E.: PUFs at a glance. In: DATE 2014, pp. 1–6 (2014)Google Scholar
  28. 28.
    Rührmair, U., Sehnke, F., Sölter, J., Dror, G., Devadas, S., Schmidhuber, J.: Modeling Attacks on Physical Unclonable Functions. In: ACM Conference on Computer and Communications Security (2010)Google Scholar
  29. 29.
    Rührmair, U., Sölter, J., Sehnke, F.: On the Foundations of Physical Unclonable Functions. Cryptology e-Print Archive (June 2009)Google Scholar
  30. 30.
    Rührmair, U., Sölter, J., Sehnke, F., Xu, X., Mahmoud, A., Stoyanova, V., Dror, G., Schmidhuber, J., Burleson, W., Devadas, S.: PUF Modeling Attacks on Simulated and Silicon Data. IEEE Transactions on Information Forensics and Security, IEEE T-IFS (2013)Google Scholar
  31. 31.
    Edward Suh, G.: Physical Unclonable Functions for Device Authentication and Secret Key Generation. In: DAC 2007, pp. 9–14 (2007)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2014

Authors and Affiliations

  • Ulrich Rührmair
    • 1
  • Xiaolin Xu
    • 1
  • Jan Sölter
    • 3
  • Ahmed Mahmoud
    • 1
  • Mehrdad Majzoobi
    • 4
  • Farinaz Koushanfar
    • 4
  • Wayne Burleson
    • 2
  1. 1.Technische Universität MünchenMünchenGermany
  2. 2.University of Massachusetts AmherstAmherstUSA
  3. 3.Freie Universität BerlinBerlinGermany
  4. 4.Rice UniversityHoustonUSA

Personalised recommendations