Remote side-channel analysis of the loop PUF using a TDC-based voltage sensor

Abstract

FPGAs promise significant performance improvements for several computations in cloud applications. However, their shared use in multi-tenant scenarios makes them susceptible to attacks. Different from classical scenarios, where the attacker has hardware access to the device, in cloud scenarios the attack is possible only from remote. As a consequence remote SCA attacks gained increasing attention in the last years. These attacks exploit that attacker and victim share with the same FPGA also the same PDN so that operation-dependent voltage fluctuations caused by the victim’s IP are observable by a voltage sensor of the attacker. While previous attacks in this domain focused on cryptographic algorithms, this work provides insights in an attack on a PUF primitive, the Loop PUF. This primitive is an interesting target for the attack since it might be used, e.g., for storing or deriving secret keys on a remote FPGA. We introduce and discuss the setup of such a remote SCA using a TDC-based voltage sensor. With this sensor, we compare the performance of classical and remote SCA attacks on the Loop PUF using two different Artix-7 FPGA and demonstrate and discuss findings regarding sampling frequency and placement. This work extends and deepens the analysis from a previously published analysis at the ASHES Workshop 2022. In particular, it provides insights into the influence of repeated measurements, measurement time, and usage of multiple TDCs on the attack performance. It also discusses the applicability of the attack to further RO-based PUF primitives. Overall the results show that remote SCA attacks on PUFs in a multi-tenant FPGA scenario have to be considered as a severe attack vector in the future.