Simple Electromagnetic Analysis Attacks based on Geometric Leak on an ASIC Implementation of Ring-Oscillator PUF

Abstract

Physically unclonable functions (PUFs) are assumed to provide high tamper resistance against counterfeiting and hardware attacks since PUFs extract inherent physical properties from random and uncontrollable variations in manufacturing. Recent studies have reported on the vulnerabilities to physical and mathematical attacks on PUFs. This paper focuses on the security evaluation of a ring-oscillator PUF (RO PUF) against electromagnetic analysis (EMA) attacks. We designed an RO PUF with a 180-nm CMOS process to evaluate the threats of EMA attacks. The power consumption of this RO PUF is reduced as much as possible to reduce EM leaks and EMA resistance is enhanced in the layout design. We show the EMA-attack results on our RO PUF and discuss the threats of EMA attacks on the application specific integrated circuit (ASIC) implementation of RO PUFs. We also propose a new EMA attack on RO PUFs. The key is geometric leak. All components of an RO PUF are usually arranged in a matrix or an array. Geometric periodicity in the layout of RO PUFs leaks secret PUF responses. Though previous studies require identifying ROs, the proposed attack, called simple EMA (SEMA) attack based on geometric leak, reveals a PUF response from one measured EM trace directly. These attacks correctly predicted 94.2% of PUF responses of our RO PUF. We present how a PUF response is revealed from a measured EM trace, suggesting that such attacks pose a serious threat to RO PUFs.