33 Reconfigurable Binding against FPGA Replay Attacks

Reconfigurable Binding against FPGA Replay Attacks JILIANG ZHANG and YAPING LIN, Hunan University GANG QU, University of Maryland

The FPGA replay attack, where an attacker downgrades an FPGA-based system to the previous version with known vulnerabilities, has become a serious security and privacy concern for FPGA design. Current FPGA intellectual property (IP) protection mechanisms target the protection of FPGA configuration bitstreams by watermarking or encryption or binding. However, these mechanisms fail to prevent replay attacks. In this article, based on a recently reported PUF-FSM binding method that protects the usage of configuration bitstreams, we propose to reconfigure both the physical unclonable functions (PUFs) and the locking scheme of the finite state machine (FSM) in order to defeat the replay attack. We analyze the proposed scheme and demonstrate how replay attack would fail in attacking systems protected by the reconfigurable binding method. We implement two ways to build reconfigurable PUFs and propose two practical methods to reconfigure the locking scheme. Experimental results show that the two reconfigurable PUFs can generate significantly distinct responses with average reconfigurability of more than 40%. The reconfigurable locking schemes only incur a timing overhead less than 1%. Categories and Subject Descriptors: K.5.1 [Hardware/Software Protection]: Licensing; K.6.5 [Security and Protection]: Unauthorized Access; J.7 [Computers in Other Systems]: Computer Applications; B.8 [Performance and Reliability]: Performance Analysis and Design Aids General Terms: Design, Security, Performance Additional Key Words and Phrases: Replay attacks, binding, field-programmable gate array (FPGA), intellectual property (IP) protection, physical unclonable functions (PUFs) ACM Reference Format: Jiliang Zhang, Yaping Lin, and Gang Qu. 2015. Reconfigurable binding against FPGA replay attacks. ACM Trans. Des. Autom. Electron. Syst. 20, 2, Article 33 (February 2015), 20 pages. DOI: http://dx.doi.org/10.1145/2699833

1. INTRODUCTION 1.1. Motivation

Field-Programmable Gate Arrays (FPGAs) are semiconductor devices that can be reprogrammed in the field by end-users to implement any digital circuit. FPGAs have the following advantages over the Application-Specific Integrated Circuits (ASICs): (1) faster time-to-market; (2) lower NonRecurring Engineering (NRE) costs; (3) more flexibility due to reprogrammability. Nowadays these advantages have made FPGAs a popular choice for many applications, such as automotive electronics, consumer electronics, and aerospace equipment. The continuous growth in both capability and capacity for FPGAs now requires significant resources invested in the FPGA-based system. However, both FPGA-based systems and Intellectual Property (IP) cores with modular This work is supported in part by the scholarship from China Scholarship Council (CSC) under grant no. 201306130042, National Natural Science Foundation of China under grant no. 61173038 and 61228204. Authors’ addresses: J. Zhang (corresponding author) and Y. Lin, College of Information Science and Engineering, Hunan University, Changsha 410082 China; email: [email protected]; G. Qu, Department of Electrical and Computer Engineering, University of Maryland, College Park, MD 20742. Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]. c 2015 ACM 1084-4309/2015/02-ART33 $15.00  DOI: http://dx.doi.org/10.1145/2699833 ACM Transactions on Design Automation of Electronic Systems, Vol. 20, No. 2, Article 33, Pub. date: February 2015.

33

33:2

J. Zhang et al.

Fig. 1. Replay attacks.

design can be easily copied or sold by the third party, even without reverse engineering, bringing serious losses to system developers and IP core vendors and reducing the market share of their products. Therefore, how to protect FPGA-based systems and IP cores effectively has become an urgent issue. Currently, FPGA IP protection technologies can be divided into three categories [Zhang and Qu 2014]: (1) the signature-based schemes [Qu and Potkonjak 2003; Zhang et al. 2012a, 2012b]; (2) encryption-based schemes [Kean 2002; Trimberger et al. 2011; Maes et al. 2012a; Guajardo et al. 2007]; and (3) binding schemes [Zhang et al. 2013a]. However, current FPGA IP protection techniques [Qu and Potkonjak 2003; Zhang et al. 2012a, 2012b, 2013a; Kean 2002; Trimberger et al. 2011; Maes et al. 2012a; Guajardo et al. 2007] are vulnerable to the replay attack. As shown in Figure 1, we consider the case where system developers usually need to update their FPGA-based products Bi to a new version Bj for the sake of upgrading, such as fixing the vulnerabilities to protect them against security threat, which gives the attackers the chance to downgrade the system into its previous old version Bi so that they can exploit the outdated vulnerabilities to steal secret information. The replay attack was first introduced in Drimer [2009]. The bitstream replay attacks for current FPGA IP protection techniques are illustrated in Figures 2(a) and 2(b). When a system developer has issued an updated version V2 , the previous version V1 can still work correctly on the FPGA even if the bitstream is watermarked [Qu and Potkonjak 2003; Zhang et al. 2012a, 2012b] or encrypted [Kean 2002; Trimberger et al. 2011; Maes et al. 2012a; Guajardo et al. 2007] or bound [Zhang et al. 2013a] because the FPGA cannot distinguish the difference between the old and updated bitstream legitimately generated by the system developer. Replay attacks are particularly dangerous for FPGA-based system security because attackers can effectively preclude security-critical updates by replaying the previous FPGA configurations. 1.2. Our Solutions

This article proposes a reconfigurable binding mechanism that reconfigures the traditional static PUF and the locking mechanism to protect the FPGA bitstream from replay attacks. As shown in Figure 2(b), we reconfigure the PUF structure to change its challenge-response behavior to recompute the new license license2 for the updated ACM Transactions on Design Automation of Electronic Systems, Vol. 20, No. 2, Article 33, Pub. date: February 2015.

Reconfigurable Binding against FPGA Replay Attacks

33:3

Fig. 2. Replay attacks for current FPGA IP protection techniques: (a) FPGA replay attacks are still successful even if the bistream is watermarked or encrypted; (b) FPGA replay attacks are still successful even if the bistream is locked and the key (PUF response) is reconfigured to recompute the new license (license2) in the binding mechanisms; (c) FPGA replay attacks are defeated when both the locking mechanism and the key (PUF response) are reconfigured to recompute the new license (license2) in the binding mechanism.

FPGA bitstream version V2 . However, replay attacks still can be successful because attackers can use the new license (license2 ) of the updated system version (V2 ) to unlock the old system version (V1 ), which enables the old version (V1 ) to continue to run on the specific FPGAs. Therefore, in this article we propose to reconfigure both the traditional static PUF and the original locking mechanism to completely recompute the new license (license2 ), thus the previous old license (license1 ) would be invalid and the new license (license2 ) no longer can be used to unlock the old version (V1 ) so that our proposed reconfigurable binding scheme can completely prevent replay attacks, as shown in Figure 2(c). When system developers detect or discover some flaws in their developed system, they would update the system to fix the flaws and then issue the updated version securely. To illustrate the key idea of our approach, we give an example to demonstrate how the replay attack would fail in attacking systems protected by the reconfigurable PUF-FSM binding method. As an example, assume an 8-bit PUF response for PUF1 is “01010101” and the input of even-layer transitions (we call it passkey) of the State Transition Graph (STG) in the old version V1 is “1011”. According to the lock scheme proposed in Zhang et al. [2013a], all-even 2-bit PUF output (“0101”) should XOR with the passkey (“1011”) to generate license1 (“1110”), as shown in Figure 3(a). After the new version V2 is developed by the system developer, the PUF1 will be reconfigured to PUF2 (the corresponding PUF response is changed into “10101010”). The new license license2 (“0001”) ACM Transactions on Design Automation of Electronic Systems, Vol. 20, No. 2, Article 33, Pub. date: February 2015.

33:4

J. Zhang et al.

Fig. 3. An example to demonstrate how a replay attack would fail in attacking systems protected by the reconfigurable binding method.

is generated as shown in Figure 3(b). However, as shown in Figure 3(c), old version V1 still can be configured successfully into FPGA using license2 because V1 and V2 have the same passkey in STG. Therefore, in order to prevent replay attacks, both the PUF structure and lock mechanism are required to be reconfigured. As shown in Figure 3(d), the lock mechanism is reconfigured and hence the passkey is changed into “0111”. The new license license2 becomes “1101”. In this case, old license license1 (“1110”) cannot successfully unlock the updated design V2 because the result of “1110” (license1 ) XOR “1010” (all-even 2-bit PUF2 ) is “0100”, which is not equal to the passkey “0111” (see Figure 3(e)). Likewise, license1 (“1110”) cannot be used to unlock V1 (see Figure 3(f)) and license2 (“1101”) also cannot be used to unlock V1 (see Figure 3(g)). Hence, our proposed reconfigurable PUF-FSM binding method defeats replay attacks successfully. 1.3. Contributions

Our contributions are as follows. (1) We propose a new reconfigurable PUF-FSM binding method that reconfigures both the traditional static PUF and the locking mechanism of the FSM to resist FPGA replay attacks. (2) We evaluate the reconfigurability of the location-based and RO-based rPUFs, and the two rPUF structures are not limited to resisting FPGA replay attacks; they also can be applied to other security areas. Experimental results show they have better reconfigurability than previous rPUF structures. (3) We propose two methods to reconfigure the lock mechanisms for the FPGA binding method. The low overheads of the two reconfigurable lock methods are demonstrated on standard benchmark circuits and large sequential circuits. 1.4. Outline of the Article

The rest of this article is organized as follows. Section 2 introduces related work about current FPGA IP protection methods. Section 3 gives a detailed introduction to the two reconfigurable PUFs. Section 4 proposes two reconfigurable lock methods for the binding scheme, while Section 5 proposes a protocol for the reconfigurable PUF-FSM ACM Transactions on Design Automation of Electronic Systems, Vol. 20, No. 2, Article 33, Pub. date: February 2015.

Reconfigurable Binding against FPGA Replay Attacks

33:5

binding. Section 6 shows the experimental results and analysis. Known attacks on the reconfigurable PUF-FSM binding technique are analyzed in Section 7. Finally, we conclude in Section 8. 2. RELATED WORK

Current FPGA IP protection technologies mainly include signature-based schemes, encryption-based schemes, and binding schemes. The signature-based schemes [Qu and Potkonjak 2003; Zhang et al. 2012a, 2012b] represent IP core ownership by embedding an encrypted signature into IP cores, for example, a watermark. After embedding the owner’s signature into IP cores, the produced chips will bear the same watermark. When intellectual property disputes occur, the IP owner can ask a trusted third party to recover the signature from the stolen IP cores, which can effectively address the IP infringement issue. Although watermarking technologies have been widely studied [Qu and Potkonjak 2003], they are passive IP protection technologies, meaning they cannot actively prevent the IP core from being illegally duplicated, distributed, and integrated into System-on-Chips (SoCs). Moreover, an FPGA IP core is essentially a bit-file core, and the watermark embedded in the file is more likely to be tampered with or covered than an ASIC, rendering FPGA IP protection more difficult. Hence, current signature-based FPGA IP protection technologies are faced with an effectiveness bottleneck. The encryption-based schemes [Kean 2002; Trimberger et al. 2011; Maes et al. 2012a; Guajardo et al. 2007] can be regarded as a kind of quasi-active IP protection technique. They encrypt the configuration bitstream and then decrypt it using a static cryptographic key [Kean 2002; Trimberger et al. 2011; Maes et al. 2012a] or a physical unclonable function (PUF)-based key [Guajardo et al. 2007] when it is loaded into an FPGA. The encrypted bitstreams cannot work without the correct decryption. However, encryption-based methods are not active IP protection techniques, that is, they cannot actively restrict the FPGA-based system or IP cores running on the specific hardware platform. Moreover, they have the following disadvantages [Zhang et al. 2013a]: (1) commercial encryption-based schemes can only protect single FPGA design and cannot protect individual IP cores; (2) commercial encryption-based techniques cannot provide a solution to the commercially popular pay-per-device licensing requirement for both single large configurations and individual IP cores; (3) current encryption-based FPGA IP protection methods introduce security vulnerabilities (e.g., physical attacks and side-channel attacks) for permanent key storage and management. The current binding method is an active FPGA IP protection technique. The binding seeks to restrict the execution of the protected IPs to the authorized FPGA devices only. Zhang et al. [2013a; 2015] proposed the first nonencryption-based FPGA hardware IP (HWIP) binding method to restrict the HWIP’s execution only on specific FPGA devices in order to protect HWIPs from being cloned, copied, or used with unauthorized integration. The binding scheme can potentially address the drawbacks of the signatureand encryption-based schemes mentioned before. Meanwhile, it can provide a commercially popular pay-per-device licensing mechanism that provides technical support for the system developers to pay IP licensing fees only for the FPGA devices they are using. It enables IP vendors to freely distribute their IPs because they can ensure that the distributed IPs run only on the authorized FPGAs rather than on all FPGAs. The binding method brings a remarkable advantage for the IP-based business model: IP owners can take full control over the use of their IP cores and protect them from unlicensed use; the FPGA-based product developers who could not afford the expensive unlimited IP license are now also able to obtain a number of single instances of the required IP cores at a much lower cost [Zhang et al. 2013a; 2015]. The key part of the binding method is the interaction protocol among FPGA vendor, core vendor, system ACM Transactions on Design Automation of Electronic Systems, Vol. 20, No. 2, Article 33, Pub. date: February 2015.

33:6

J. Zhang et al.

Fig. 4. PUF response is used to uniquely control the transitions of the state transition graph (STG) [Zhang et al. 2013a].

developer and end-user. The binding protocol includes four parts: (a) FPGA device enrollment; (b) HWIP core enrollment and distribution; (c) HWIP core licensing; and (d) FPGA-based product licensing. Based on the binding protocol, the authors introduce a prototyping design and implementation of the lock mechanism proposed in the binding scheme. As Figure 4 shows, they use the PUF response to control the transitions of the FSM in the HWIP. The error-corrected PUF response is used to uniquely determine the transitions of the state transition graph (STG) of the HWIP (the IP behavior); without the correct PUF response, the STG would not perform correctly. Therefore, the circuit is kept locked until the correct license (formed by the correct PUF response) unlocks it. Although a number of researchers have proposed several kinds of techniques described before for FPGA intellectual property protection, they all are vulnerable to the replay attack, which is particularly dangerous for FPGA-based system security because attackers can effectively preclude security-critical updates by replaying the previous FPGA configurations. In this article we propose a novel reconfigurable PUFFSM method to defeat the replay attack. 3. RECONFIGURING SILICON PUFS

A silicon Physical Unclonable Function (PUF) makes use of uncontrollable process variation during the production of the IC to generate a unique hardware fingerprint for each IC [Zhang et al. 2014]. When a PUF is given a challenge, it produces a response. However, it is very difficult to predict the response (output) without accessing the system physically. Many kinds of silicon PUF have been proposed in the past decade, such as SRAM PUF [Holcomb et al. 2009], Arbiter PUF [Lim et al. 2005], Ring Oscillator (RO) PUF [Suh and Devadas 2007], etc. These traditional PUFs exhibit a static challenge/ response (CR) behavior. However, in many practical applications, we expect the PUFs to exhibit reconfigurable CR behavior. The concept of reconfigurable PUF (rPUF) was first proposed by Lim et al. [2005]. They proposed to integrate a floating gate transistor into the delay lines of an arbiter PUF to physically change the challenge/response behavior of the PUF based on a logical state maintained in nonvolatile memory. Lao and Parhi [2011] presented five rPUF structures to physically or logically change the behavior of silicon PUF after deployment and also evaluated their reconfigurability by simulation. The work in Eichhorn et al. [2011] proposed two concrete constructions of rPUFs, that is, reconfigurable optical PUF and phase-change memory-based rPUF, to protect nonvolatile storage against invasive physical attacks. Katzenbeisser et al. [2011] proposed to logically reconfigure the PUF using hash functions for authentication tokens and RFID-enabled luggage tags, but their method is only applied to strong PUFs such as the Arbiter PUF [Lim et al. 2005]. Majzoobi et al. [2009] proposed to configure the Arbiter PUF into different locations on FPGAs in order to resist modeling and man-in-the-middle attacks. We noticed that the works Lim et al. [2005], Eichhorn et al. [2011], Katzenbeisser et al. [2011], and Majzoobi et al. [2009] did not conduct any ACM Transactions on Design Automation of Electronic Systems, Vol. 20, No. 2, Article 33, Pub. date: February 2015.

Reconfigurable Binding against FPGA Replay Attacks

33:7

Fig. 5. The basic structure of the RO-based rPUF [Gao et al. 2014].

experiments to evaluate the reconfigurability of their proposed rPUFs. In this article, we will propose two kinds of rPUFs (location-based rPUF and RO-based rPUF) and evaluate their reconfigurability in detail, and we first propose to use rPUFs to resist FPGA replay attacks. 3.1. Location-Based rPUF

Location-based rPUF makes use of the fabrication variation between different areas of an FPGA to generate unique signatures. Hence, configuring the PUF to different areas of the FPGA would change the behavior of the PUF. We can divide the FPGA into n areas; each area can accommodate an n-bit PUF. The location-based rPUF is straightforward and was first proposed by Majzoobi et al. [2009] to resist modeling and man-in-the-middle attacks, but they did not conduct any experiments to evaluate its reconfigurability. In this article, we test its reconfigurability based on a delay-based PUF [Zhang et al. 2013b] and employ it to resist replay attacks. The experimental results show that location-based rPUFs have good reconfigurability (see Section 6.1). 3.2. RO-Based rPUF

Location-based rPUF actually is a logically reconfigurable PUF, which means that the structure of location-based rPUF doesn’t physically change. However, in practice, we expect that the PUF structure can be physically changed with demands for better security. We proposed an RO-based rPUF structure based on a delay loop (ring oscillator) [Suh and Devadas 2007] to generate dynamic unclonable bit strings. The basic structure of RO-based rPUF is shown in Figure 5. An RO is a simple circuit that oscillates with a particular frequency that cannot be predicted due to the manufacturing process and other uncertain factors. This kind of PUF generates the output logic-0 or logic-1 by comparing the frequencies of two ring oscillators selected. Figure 5 illustrates a simple RO-based rPUF with n-stage ring oscillators. There are n 2-1 multiplexers, each able to change the configuration of the delay loop. Note that the structure of the RO-based rPUF in this article is similar to the configurable RO PUF proposed by Maiti and Schaumont [2009] and even the same as the configurable RO PUF in Gao et al. [2014]. They all proposed to use configurable ROs to generate more reliable PUF bits. In this ACM Transactions on Design Automation of Electronic Systems, Vol. 20, No. 2, Article 33, Pub. date: February 2015.

33:8

J. Zhang et al.

article, we focus on testing the reconfigurability of the RO-based rPUF structure by setting the challenge to random matrix. In this rPUF structure, challenge C = (C1 , C2 , . . . , Ci , . . . , Cn), where Ci is equal to 0 or 1 and determines whether the signals entering in the ith stage go along the top path or 2 j bottom path. The number of possible different configurations of the delay loops is k=2 (C kn), where j ∈ N (integer); k must be an even number in order to make the delay loop form the oscillation. The frequency level of the ring oscillator is determined by k, and the larger k (more inverters are selected) exhibits lower frequencies. For the same k, the frequency difference between two ring oscillators is determined by the configuration of the delay loops. The ROs within the dashed box in Figure 5 must be identical and the k must be the same for them so as to ensure that the frequency differences between them are caused by the differences in random manufacturing processes. Therefore, the challenge-response behavior of PUF can be changed with C and/or k, and then different PUF responses will be produced. Note that reliability-enhancing techniques need to be used for PUF to generate reliable output (response) because the PUF output is hard to keep absolutely stable, due to noise or other sources of physical uncertainty. Enhancing PUF reliability has become a hot topic in recent years. We can use these techniques to improve PUF reliability in our reconfigurable binding method as well. For example, Paral and Devadas [2011] proposed to use string pattern matching to generate reliable PUF responses without using Error Correction Code (ECC), where both the false positive and false negative rates can be less than 10−9 . Maes et al. [2012b] implemented a low-overhead BCH decoder for correcting bit flips in PUF responses. It utilizes merely 112 slices on a Xilinx Spartan-6 FPGA. Yin and Qu [2009] built a temperature-aware collaborative RO PUF where they measure the PUF output values at different temperatures and choose the correct one based on the real operating temperature from on-chip temperature sensors, which ideally guarantees no bit error. Moreover, device aging is another cause of the reliability problem for PUFs. In recent years, there have been several works focusing on this topic [Maiti et al. 2011; Ganta and Nazhandali 2014] and also several aging-resistant techniques have been developed [Rahman et al. 2014; Maes and van der Leest 2014]. In practice, PUF has been successfully applied to commercial FPGAs. For example, the SmartFusion2 FPGAs use the SRAM PUF to uniquely identify the device and generate the device-specific secret key [Newell 2014], where reliability-enhancing techniques would be used to correct the bit flips of PUF responses due to the effects of environment and aging. We do not discuss this topic much in this work in order to keep it focused on the proposed reconfigurable PUF-FSM binding scheme to resist replay attacks. 4. RECONFIGURING THE LOCKING SCHEME

The lock is achieved by exploiting the PUF’s unique properties (unclonable, persistent, and unpredictable) and used to bind FPGA designs or IP cores into authorized FPGA devices. As introduced in Section 2, the PUF response is used to control the transitions of the FSM in FPGA designs or IP cores. Without the correct PUF response, the STG would not perform correctly. Therefore, the circuit is kept locked until the correct license unlocks it. In the binding scheme, we can add M (M is an even number) layers of states to form the added FSM. Any even-number layer consists of m states and any odd-number layer only has one state. Usually, we need to add some random transitions and create black holes [Alkabani and Koushanfar 2007] in the added STG to improve security. Hence, when an incorrect input is given, the next state may go to unintended states or blackhole states that cannot be exited regardless of the used input sequence. Figure 6 gives an example of the implementation of the lock and the generation of the licenses (in this ACM Transactions on Design Automation of Electronic Systems, Vol. 20, No. 2, Article 33, Pub. date: February 2015.

Reconfigurable Binding against FPGA Replay Attacks

33:9

Fig. 6. An example of the implementation of the locking mechanism and the generation of licenses (m = 4; M = 2) [Zhang et al. 2013a].

case, m = 4; M = 2). Here s 1 is called the reset state of the original FSM, and Sr and S6 ∼ S9 are new added states for the original FSM. We define a fixed power-up state Sr for the binding FSM. The first transition step starts from Sr with m transitional edges to each of the other m states. Then the second transition step goes from each of these m states to the next layer (odd layer). After the M-layer (M transition steps) transitions, the state transits to s 1, which is the unlocked state (the reset state). Assume the PUF response is “0100”. When the system is powered on, it begins from Sr to one of the four connected states depending on the first 2-bit PUF outputs. As the first 2-bit PUF output value is “01”, the first step will transition from Sr to S7 . Then, in the second step, the design can only possibly transition from S7 to S10 when the first two input bits equal to “10”. To possibly enable the transition, the second two PUF outputs “00” should be XORed with a 2-bit key that is able to generate the result of “10” (in this case the license is “10”). The FSM can transit from state Sr to the original reset state s 1 with the calculated license and the PUF response [Zhang et al. 2013a]. We will propose two practical methods to reconfigure the locking scheme next. These two methods are complementary and can be used either separately or simultaneously to produce an updated license. (1) The first way to reconfigure the locking scheme is to randomly change the input of even layers of the added STG. For instance, as shown in Figure 7, the PUF response is reconfigured from “0100” to “0110”; we randomly permute the inputs of the second step in the STG. Then the corresponding new license, “01” in this case, can be computed. This method will not introduce any additional hardware overhead. (2) The second way is to increase or decrease the parameter m and/or M in the locking scheme to generate a new STG. For example, as shown in Figure 8, if we increase the value of M from 2 to 4, the license will be changed from “11” to “0100” when the PUF response increases and reconfigures from “0100” to “01100010”. The hardware overhead for this method may increase or decrease, depending on the direction in which we change the values of m and/or M. 5. PROTOCOL FOR RECONFIGURABLE PUF-FSM BINDING

We have introduced two reconfigurable PUF structures and two ways to reconfigure the aforesaid locking scheme. In this section, we propose a protocol to demonstrate the working mechanism of reconfigurable PUF-FSM binding. The interaction protocol is used very generally in many research fields such as pay-per-use [Maes et al. 2012a], ACM Transactions on Design Automation of Electronic Systems, Vol. 20, No. 2, Article 33, Pub. date: February 2015.

33:10

J. Zhang et al.

Fig. 7. Reconfiguring the locking scheme by randomly permuting the inputs of the second step in STG.

Fig. 8. Reconfiguring the locking scheme by setting different m and M in STG (m = 4; M = 4).

hardware/software authentication [Simpson and Schaumont 2006], and FPGA IP protection [Guajardo et al. 2007]. There are four parties involved in the reconfigurable binding protocol. —FPGA vendor. The FPGA vendor designs and manufactures unconfigured FPGA devices and can securely deploy PUF in the fabric of these devices. —System developer. The system developer purchases FPGA chips from the FPGA vender and then develops a commercial product, and finally sells its products to end-users. A product is a configuration bitstream file with an FPGA chip. System developers usually need to update their configuration bitstream files to a new version for the sake of upgrading, such as fixing the vulnerabilities to protect them against security threat. —Server. The server is a trusted party who is responsible for computing a new license of updated products and remotely updates the product. It cannot be removed. In ACM Transactions on Design Automation of Electronic Systems, Vol. 20, No. 2, Article 33, Pub. date: February 2015.

Reconfigurable Binding against FPGA Replay Attacks

33:11

practice, the trusted third party has been widely used in many IP protection techniques such as watermarking [Qu and Potkonjak 2003], offline hardware/software authentication [Simpson and Schaumont 2006], and pay-per-use licensing [Maes et al. 2012a]. The existence and trustworthiness of the third party are essential for these applications and many other standard protocols. If the trusted third party is removed or compromised, these protocols will be broken. In our case, FPGA vendors can play the role of the third party. —End-user. The end-user purchases the product developed by the system developer. The end-user expects that purchased products cannot be downgraded into the old version by adversaries so that adversaries cannot exploit the outdated vulnerabilities to steal secret information. 5.1. Description of the Protocol

To help the reader understand, the symbols used in the protocol are explained as follows: i —FPUF is an FPGA with a PUF deployed inside; i i ) is the uniquely public identifier for FPUF ; —ID(FPUF —ID(Product j ) is the uniquely public identifier for a product Product j ; —Product j (V 1) is the first version for the Product j ; —Product j (V 2) is the updated version for the Product j ; —rSTG(V 2) is the reconfigured STG of Product j (V 2); and —rPI is the reconfigurable PUF information.

The proposed protocol is described as follows. (1) FPGA device enrollment. The FPGA vendor tests the reconfigurable PUF in each FPGA chip to get its reconfigurable PUF information r P I and corresponding rPUF responses before selling them for every enrolled device. For the reconfigurable ROPUF, r P I is the configuration data and the value of k. For location-based PUF, r P I is the location constraint information. r P I is the secret information. The on-chip secure memories would be used to store it. The attacker cannot access the on-chip secure memories; rather, these are solely accessible by the FPGA configuration controller. Hence, once the PUF is reconfigured, bringing the PUF back to its original state (before reconfiguration) will be hard. (2) Product update. As shown in Figure 9, the system developer updates the product Product j from V1 to V2 for the sake of upgrading such as fixing the vulnerabilities to protect against security threats. If the end-user wants to upgrade her purchased product for system stability or security, she will send I D(Product j ) and i I D(FPU F ) to the system developer. After the system developer receives the request, i he sends the I D(Product j ), I D(FPU F ), rST G(V 2), and Product j (V 2) to the server. i The server then sends I D(FPU F ) to the FPGA vendor, asking for a corresponding r P I and rPUF response. After the server receives this information, he computes the License2 for Product j (V 2) according the rPUF response and rST G(V 2). Finally, the server sends the Product j (V 2), License2 , and r P I to the end-user for upgrading. Alternatively, the server can remotely update the system by the secure channel. 6. EXPERIMENTAL RESULTS 6.1. Reconfigurability Test for Location-Based rPUF

The reference implementation of the location-based rPUF in this article was based on a delay-based PUF [Zhang et al. 2013b]. This PUF is designed specifically for FPGAs. It does not need the hard macro with fix routing and is completely described in VHDL ACM Transactions on Design Automation of Electronic Systems, Vol. 20, No. 2, Article 33, Pub. date: February 2015.

33:12

J. Zhang et al.

Fig. 9. Interaction protocol for the reconfigurable binding scheme.

with the merits of ease of use and low silicon area overhead. We implemented a 64bit PUF on a ZedBoard development board (Zynq-7000 XC7Z020 FPGA) and tested its reconfigurability. The reconfigurability of PUF is defined as the variation of the responses generated by different configuration data for an rPUF in the same IC. Hence, in this experiment, the reconfigurability can be evaluated using Hamming Distances (HDs) of signatures when the PUF is configured into different areas. For a pair of n-bit signatures Si and S j (i = j), the average reconfigurability for the PUF implemented in different areas on FPGA is calculated as follows. m−1 m   H D(Si , S j ) 2 × 100% r= m(m − 1) n

(1)

i=1 j=i+1

Here m is the number of areas available for allocating the PUF on the FPGA. In the experiment, we divide an FPGA into 16 areas as shown in Figure 10. In this way, we get a total of (16 ∗ 15)/2 = 120 statistical data. A 64-bit PUF can be reconfigured into the designated area in an FPGA using the range constraint (ROLC RANGE statements) supported by Xilinx integration development. In the location-based rPUF, the challenge is to select the different area; the corresponding response is the generated digital signature by the PUF. If a 64-bit PUF is reconfigured into different areas, we expect that the PUF signatures are completely different (ideal reconfigurability = 50%). Table I gives the experimental data when the PUF is reconfigured into these 16 different areas. The reconfigurability is calculated according to the 120 data: the minimum, maximum, and average reconfigurability of the 16 signatures is 28.1%, 70.3%, and 49.6%, respectively. In order to demonstrate the high reconfigurability of our rPUF, we compare it with five reconfigurable PUF structures proposed by Lao and Parhi [2011]. As shown in Table II, the average reconfigurability of the location-based rPUF is up to 49.6%, which is much better than any of the structures proposed by Lao and Parhi [2011]. Therefore, the experimental results demonstrate the good reconfigurability of location-based rPUF. Note that the location-based rPUF method is also appropriate for ACM Transactions on Design Automation of Electronic Systems, Vol. 20, No. 2, Article 33, Pub. date: February 2015.

Reconfigurable Binding against FPGA Replay Attacks

33:13

Fig. 10. Sixteen reconfigurable areas on an FPGA. Table I. Generated Unique Signatures in 16 Areas for the 64-Bit PUF Area 1 Area 2 Area 3 Area 4 Area 5 Area 6 Area 7 Area 8

87984A6084281593 192EC4017B30A0F1 02C0A874DE408C21 B716C4B186E4F8C3 E64EBA7C05CB0626 00029DB2925AC1A1 E68FEB6350D11530 2DC9913F527A2747

Area 09 Area 10 Area 11 Area 12 Area 13 Area 14 Area 15 Area 16

28812A6212462823 8C07A60A9F329ADB AB9E1383B1D04D53 9279C9E14080BACB FD1FBE2411CA023A E7FDDC50630C54AA 815272AAF76386F9 F4466287AC27F519

Reconfigurability: 28.1%(Min.); 70.3%(Max.); 49.6%(Avg.)

other delay-based PUFs such as Arbiter PUF [Lim et al. 2005] and RO PUF [Suh and Devadas 2007]. 6.2. Reconfigurability Test for RO-Based rPUF

The reconfigurability test for the RO-based rPUF was conducted based on the Virginia Tech public PUF dataset [SES Lab 2014]. The dataset consists of frequencies of ROs from 198 Xilinx Spartan (XC3S500E) FPGA boards. Among the 198 boards, 193 have measurements at a fixed supply voltage (1.20V) and a fixed temperature (25◦ C). We use them to simulate an RO-based rPUF and to test its reconfigurability. Due to the lack of public data on delay and frequency at inverter level, we treat each RO as a single inverter in our experimentation to evaluate the reconfigurability of the RO-based rPUF. The data is processed using Matlab. The reconfigurability for the RO-based rPUF can also be evaluated using HDs of signatures when the structure of the PUF changes. For a pair of n-bit signatures Si and S j (i = j), the average reconfigurability for a PUF implemented using different configuration is calculated as follows. r=

c−1  c  H D(Si , S j ) 2 × 100%, c(c − 1) n

(2)

i=1 j=i+1

where c is the amount of configuration data. In our experiment, we set n = 15 and k = 4 for each basic structure of the RO-based rPUF (see Figure 5). We randomly applied 20 different configuration data for a 16-bit rPUF. The amount of statistical data that we can get is 20*19/2 = 190. Figure 11 shows a histogram demonstrating the reconfigurability for k = 4. Reconfigurability is calculated according to the 190 data: the minimum, maximum, and average reconfigurability were 12.5%, 75%, and 40.2%, respectively. As shown in Table II, the average reconfigurability ACM Transactions on Design Automation of Electronic Systems, Vol. 20, No. 2, Article 33, Pub. date: February 2015.

33:14

J. Zhang et al.

Fig. 11. Reconfigurability of RO-based rPUF for k = 4.

Fig. 12. Reconfigurability of RO-based PUF with different k.

of the RO-based rPUF was 40.2%, which is better than all the rPUF structures proposed in Lao and Parhi [2011]. Note that the reconfigurability of different rPUFs in Table II isn’t evaluated in the same experimental environment. For example, we evaluate the reconfigurability of location-based rPUF and RO-based rPUF on real FPGAs, while Lao and Parhi [2011] evaluate their proposed rPUFs using SPICE with a Monte Carlo method to simulate the effect of process variation. Next, we discuss the reconfigurability of the RO-based rPUF with different k. As discussed in Section 3.2, the RO frequency level would change with k, indicating that the characteristic parameter k provides the second-level reconfigurability of the RO-based rPUF (the fixed k for each PUF instance is the first-level reconfigurability). Which k to select is up to the FPGA vendor. We also calculated the average reconfigurability for k = 2, 4, 6, 8, 10, and 12, respectively. As shown in Figure 12, the average reconfigurability of the RO-based rPUF decreased with increasing k. The reason is that the variations in delay differences between inverters in different ring oscillators are averaged out with the increasing of k. Finally, in order to check the uniqueness of the RO-based rPUF, frequency distributions of the HDs for the 193 chips are given in Figure 13. Among the 193*192/2 = 18528 data, the average is 7.4 (accounting for 46.25% of the 16 bits), hence showing that our RO-based rPUF also has good uniqueness (46.25%). ACM Transactions on Design Automation of Electronic Systems, Vol. 20, No. 2, Article 33, Pub. date: February 2015.

Reconfigurable Binding against FPGA Replay Attacks

33:15

Fig. 13. Frequency distribution of the Hamming distances for the 193 chips when k = 4. Table II. Reconfigurability Comparison Reconfigurable PUFs Challenge LFSR [Lao and Parhi 2011] Challenge Hash [Lao and Parhi 2011] Output Recombination [Lao and Parhi 2011] Reconfigurable Feed-forward [Lao and Parhi 2011] MUX and DeMUX [Lao and Parhi 2011]

Max(%) 44 42 57 47 33

Avg(%) 34.6 28.3 38.9 32.4 24.7

Min(%) 28 19 25 22 13

Location-based rPUF RO-based rPUF

70.3 75

49.6 40.2

28.1 12.5

The RO-based rPUF is not limited to resisting FPGA replay attacks and also can be applied to other security areas, such as generating read-once keys [Kirkpatrick et al. 2011], authentication tokens [Katzenbeisser et al. 2011], and RFID-enabled luggage tags [Katzenbeisser et al. 2011]. 6.3. Overhead of Reconfiguring the Locking Scheme

The first way to reconfigure the locking scheme described in Section 4 introduces zero overhead. Hence, in this section, we just perform experiments to evaluate the overhead of the second lock reconfiguring method on MCNC’91 benchmark sequential circuits and the large FSM benchmarks generated by GenFSM [Pruteanu and Haba 2008]. The FSMs are described in KISS2 format, while the additional states and transitions for the benchmarks are inserted in Java program. The kiss2vl tool [Pruteanu 2000] is used to convert KISS2 to Verilog. Each FSM circuit in Verilog format is synthesized and implemented on a Xilinx Virtex-5 FPGA XC5VLX50T using the Xilinx ISE 14.1 which is configured to optimize for speed. The experiments were conducted on a Dell OptiPlex 740 machine with a 2.4 GHz AMD Athlon(tm) 64 Processor 3800+ and 1GB RAM. In order to evaluate the overhead of the second lock updating scheme, the number of replicated states m in each odd layer and the number of layers M in the added FSM of the binding scheme are set as parameters. Figure 14(a) shows the overhead on the benchmark circuits processed by our method when m = 4 and M increases from 4 to 6. We can see from Figure 14(a) that the area (LUTs), timing, and power overhead due to ACM Transactions on Design Automation of Electronic Systems, Vol. 20, No. 2, Article 33, Pub. date: February 2015.

33:16

J. Zhang et al.

Fig. 14. Overhead for MCNC’91 benchmarks (left) and large FSMs (right) with the second lock reconfiguring method.

increasing M seem independent of the benchmark circuit size. The average area, power, and timing overhead are 2.12 %, 0.89%, and −0.01% when M increases from 4 to 6. Figure 14(a) reveals that the overhead is small and even negative in some instances. A negative percentage implied that our method has actually improved the performance. The fact that changing M can either increase or decrease power/area/delay is due to the undeterministic behaviors of the synthesis tools which do not guarantee to find an optimal solution. Changing M sometimes may help the tool to find a better solution. For example, in the original hardware watermarking papers [Qu and Potkonjak 2003], it was reported that adding a digital watermark sometimes improves the design quality. Next, we discuss the trend of various m and M on area, timing, and power overhead for benchmarks. Figure 15 shows the impact of various M and various m on area, timing, and power overhead for the benchmark planet when M was assigned to 2, 4, 6, 8, 10, and 12 and m was assigned to 2, 4, 6, 8, and 10, successively. It can be seen that the overheads are roughly positively correlated to both M and m, but nonlinear due to the optimization of the circuits during synthesis. Hence, it brings the advantage that the overhead of the proposed second lock updating method is completely controllable because the overhead may increase or decrease, depending on the direction in which we change the values of m and/or M. It should be noted that the small benchmark circuit contains only the control paths, and therefore the overhead could be much lower in large designs where there are many ACM Transactions on Design Automation of Electronic Systems, Vol. 20, No. 2, Article 33, Pub. date: February 2015.

Reconfigurable Binding against FPGA Replay Attacks

33:17

Fig. 15. The area, delay, and power overhead trend with M and m.

components other than control paths, such as memory and I/O peripheries. To demonstrate this, we use GenFSM to generate ten arbitrary STGs of hundreds of states and hundreds to thousands of transitions by specifying the number of inputs, outputs, and states. The original FSM designs (m = 0 & M = 0) and modified FSM designs (m = 4 & M = 4) are synthesized and implemented by Xilinx ISE. The experiment results shown in Figure 14(b) indicate that the second lock reconfiguring method introduced rather low area, power, and timing overhead for large FSM designs, even increasing m and M significantly. The average area, timing, and power overhead are −2.67%, 0.64%, and 0%, respectively. 7. SECURITY ANALYSIS

The potential attacks on the reconfigurable PUF-FSM binding method include bruteforce, FSM reverse engineering, simulating PUF and FSM, modeling attacks, physical cloning attacks, and side-channel attacks. In this section, we focus on the security analysis of the proposed method. —Brute force. The adversary tries to guess the correct license to unlock the FPGAbased system. By using the unclonable PUF responses to control the transition of the added STG, the space of licenses becomes exponential, making such a brute-force attack infeasible [Zhang et al. 2013a]. —FSM reverse engineering. An adversary tries to extract the STG and separate/remove the added STG from the original STG. However, extracting the STG representation from large sequential circuits is a computationally intractable problem. There also exist effective methods that we can use in our scheme against the attack, such as creating black holes in the added FSM and merging the added FSM with the test and other FSMs [Alkabani and Koushanfar 2007]. —Physical cloning attacks. Physical cloning attacks [Helfmeier et al. 2013] have been reported successful for SRAM PUFs, but other PUFs such as RO PUFs, Arbiter PUF, and so on, have not been reported to this date. —Simulating/tapping PUF (modeling attacks). Although machine learning techniques [Ruhrmair et al. 2013] have been used to model some strong PUFs with high prediction rate, they need a huge amount of PUF CRPs during the learning phase. Therefore, this attack will not be effective with weak PUFs such as the delay-based PUF [Zhang et al. 2013b] and RO PUF [Suh and Devadas 2007] used in this article. In addition, our experiments in Section 6.2 show that the RO frequency level in rPUFs would change with k, which indicates that the characteristic parameter k provides the second-level reconfigurability of the RO-based rPUF (the fixed k for each PUF instance is the first-level reconfigurability). This makes modeling attacks become more difficult than with traditional static PUFs. ACM Transactions on Design Automation of Electronic Systems, Vol. 20, No. 2, Article 33, Pub. date: February 2015.

33:18

J. Zhang et al.

Moreover, in our reconfigurable PUF-FSM binding scheme, the secret PUF response is ephemeral and will be immediately cleared after use. This can resist tapping PUF responses since the secret response is never present once the system is unlocked. —Simulating FSM. If adversaries collect enough authorized licenses and the corresponding PUF responses, they may be able to simulate the functionality of the FSM in the FPGA system and compute new licenses. Since simulating/tapping PUF responses is difficult, we can safeguard our method against this attack. —Side-channel attacks. Side-channel attacks statistically analyze the time, power consumption, or electromagnetic emanation of the cryptographic devices to gain knowledge about integrated secrets [Zhang et al. 2014]. Most recently, Merli et al. [2013] carried out side-channel attacks (EM analyses) on an RO PUF FPGA implementation, leading to the extraction of a full PUF model and thereby breaking the PUFs’ security. The authors also point out that their proposed attack can be successful because they exploit the fact that each RO has a fixed location and a specific measurement path through a multiplexer to a counter. In this article, we can dynamically change the number of inverters of ROs by selecting different configuration data to generate an unclonable bit string, which makes each RO have no fixed physical location and therefore the RO-based rPUF potentially provides a new solution to resist side-channel attacks. Moreover, in our reconfigurable PUF-FSM binding scheme, the secret response is only used to unlock FPGA-based systems at boot time and will be immediately cleared after use. Hence, our PUF-based security mechanism would be less vulnerable to side-channel attacks. —Attacks on nonvolatile memory. For an attacker to bring the rPUF back to its original state, she needs to know the rPI (reconfigurable PUF information) that is associated with the original state. In this article, we propose to store the rPI into nonvolatile memories that have been widely used to store secret information. For example, a secure processor contains a secret key that is programed into the nonvolatile memory by the manufacturer [Maas et al. 2013]; a provably secure active IC metering technique proposed by Koushanfar uses nonvolatile on-chip memories to store the secret passkey [Koushanfar 2012]. In addition, some improved nonvolatile memories have also been proposed in recent years [Dyka et al. 2012; Srinivasan and Princen 2013]. Therefore, as long as the nonvolatile memory is secure, bringing PUF back to its original state will be hard. 8. CONCLUSION

This article proposed a reconfigurable PUF-FSM binding method to resist FPGA bitstream replay attacks. The concepts of location- and RO-based rPUF were proposed, and their reconfigurability was tested. We also analyzed several known attacks to PUFs, showing that the RO-based rPUFs are secure against them. Additionally, the two corresponding lock reconfiguring methods were also proposed. The experimental results show that the location- and RO-based rPUFs have better reconfigurability (average 49.5% and 40.2%, respectively) than previous rPUF structures, and the first lock reconfiguring method introduces zero overhead; the second one introduces rather small overhead (only average 0.64% timing overhead) for large benchmark circuits even increasing m and M significantly. ACKNOWLEDGMENTS The authors would like to thank Dr. Qiang Wu (Hunan University), Dr. Yongqiang Lyu (Tsinghua University) and Mr. Mingze Gao (University of Maryland) for their valuable discussion and suggestions.

ACM Transactions on Design Automation of Electronic Systems, Vol. 20, No. 2, Article 33, Pub. date: February 2015.

Reconfigurable Binding against FPGA Replay Attacks

33:19

REFERENCES Y. Alkabani and F. Koushanfar. 2007. Active hardware metering for intellectual property protection and security. In Proceedings of the USENIX Security Symposium (SS’07). 291–306. S. Drimer. 2009. Security for volatile FPGAs. Ph.D. dissertation, Computer Laboratory, University of Cambridge. http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-763.pdf. Z. Dyka, C. Walczyk, D. Walczyk, C. Wenger, and P. Langendoerfer. 2012. Side channel attacks and the non volatile memory of the future. In Proceedings of the International Conference on Compilers, Architectures and Synthesis for Embedded Systems (CASES’12). 13–16. I. Eichhorn, P. Koeberl, and V. van der Leest. 2011. Logically reconfigurable PUFs: Memory-based secure key storage. In Proceedings of the ACM Workshop on Scalable Trusted Computing (STC’11). 59–64. D. Ganta and L. Nazhandali. 2014. Study of IC aging on ring oscillator physical unclonable functions. In Proceedings of the International Symposium on Quality Electronic Design (ISQED’14). 461–466. M. Gao, K. Lai, and G. Qu. 2014. A highly flexible ring oscillator PUF. In Proceedings of the 51st ACM/IEEE Design Automation Conference (DAC’14). 1–6. J. Guajardo, S. S. Kumar, G. J. Schrijen, and P. Tuyls. 2007. FPGA intrinsic PUFs and their use for IP protection. In Proceedings of the Workshop on Cryptographic Hardware and Embedded Systems (CHES’07). 63–80. C. Helfmeier, C. Boit, D. Nedospasov, and J.-P. Seifert. 2013. Cloning physically unclonable functions. In Proceedings of the IEEE International Symposium on Hardware-Oriented Security and Trust (HOST’13). 1–6. D. E. Holcomb, W. P. Burleson, and K. Fu. 2009. Power-up SRAM state as an identifying fingerprint and source of true random numbers. IEEE Trans. Comput. 58, 9, 1198–1210. S. Katzenbeisser, U. Kocabas, V. van der Leest, A. Sadeghi, G. Schrijen, H. Schroder, and C. Wachsmann. 2011. Recyclable PUFs: Logically reconfigurable PUFs. J. Cryptograph. Engin. 1, 3, 177–186. T. Kean. 2002. Cryptographic rights management of FPGA intellectual property cores. In Proceedings of the ACM/SIGDA Symposium on Field-Programmable Gate Arrays (FPGA’02). 113–118. M. S. Kirkpatrick, S. Kerr, and E. Bertino. 2011. PUF roks: A hardware approach to read-once keys. In Proceedings of the ACM Symposium on Information, Computer, and Communications Security (ASIACCS’11). 155–164. F. Koushanfar. 2012. Provably secure active IC metering techniques for piracy avoidance and digital rights management. IEEE Trans. Inf. Forens. Secur. 7, 1, 51–63. Y. Lao and K. K. Parhi. 2011. Reconfigurable architectures for silicon physical unclonable functions. In Proceedings of the IEEE International Conference on Electro/Information Technology (EIT’11). 1–7. D. Lim, J. W. Lee, B. Gassport, G. E. Suh, M. van Dijk, and S. Devadas. 2005. Extracting secret keys from integrated circuits. IEEE Trans. VLSI Syst. 13, 10, 1200–1205. M. Maas, E. Love, E. Stefanov, M. Tiwari, E. Shi, et al. 2013. PHANTOM: Practical oblivious computation in a secure processor. In Proceedings of the ACM SIGSAC Conference on Computer and Communications Security (CCS’13). 311–324. R. Maes, D. Schellekens, and I. Verbauwhede. 2012a. A pay-per-use licensing scheme for hardware IP cores in recent SRAM-FPGAs. IEEE Trans. Inf. Forens. Secur. 7, 1, 98–108. R. Maes, A. van Herrewege, and I. Verbauwhede. 2012b. PUFKY: A fully functional puf-based crypto-graphic key generator. In Proceedings of the International Conference on Cryptographic Hardware and Embedded Systems (CHES’12). 302–319. R. Maes and V. van der Leest. 2014. Countering the effects of silicon aging on SRAM PUFs. In Proceedings of the IEEE International Symposium on Hardware-Oriented Security and Trust (HOST’14). 148–153. A. Maiti and P. Schaumont. 2009. Improving the quality of a physical unclonable function using configurable ring oscillators. In Proceedings of the International Conference on Field Programmable Logic and Applications (FPL’09). 703–707. A. Maiti, L. McDougall, and P. Schaumont. 2011. The impact of aging on an FPGA-based physical unclonable function. In Proceedings of the International Conference on Field Programmable Logic and Applications (FPL’11). 151–156. M. Majzoobi, F. Koushanfar, and M. Potkonjak. 2009. Techniques for design and implementation of secure reconfigurable PUFs. ACM Trans. Reconfig. Technol. Syst. 2, 1, 1–33. D. Merli, J. Heyszl, B. Heinz, D. Schuster, F. Stumpf, and G. Sigl. 2013. Localized electromagnetic analysis of RO PUFs. In Proceedings of the IEEE International Symposium on Hardware-Oriented Security and Trust (HOST’13). 19–24.

ACM Transactions on Design Automation of Electronic Systems, Vol. 20, No. 2, Article 33, Pub. date: February 2015.

33:20

J. Zhang et al.

R. Newell. 2014. Securing reconfigurable devices and designs against insiders and other supply chain threats. In Proceedings of the IEEE International Symposium on Hardware-Oriented Security and Trust (HOST’14). Z. Paral and S. Devadas. 2011. Reliable and efficient PUF-based key generation using pattern matching. In Proceedings of the IEEE International Symposium on Hardware-Oriented Security and Trust (HOST’11). 128–133. C. Pruteanu. 2000. Kiss to verilog FSM converter. http://codrin.freeshell.org. C. Pruteanu and C. Haba. 2008. GenFSM: A finite state machine generation tool. In Proceedings of the International Conference on Developing Application Systems (DAS’08). 165–168. G. Qu and M. Potkonjak. 2003. Intellectual Property Protection in VLSI Designs: Theory and Practice. Kluwer Academic Publishers. M. Rahman, D. Forte, J. Fahrny, and M. Tehranipoor. 2014. ARO-PUF: An aging-resistant ring oscillator PUF design. In Proceedings of the Design, Automation, and Test in Europe Conference and Exhibition (DATE’14). 1–6. U. Ruhrmair, J. Solter, F. Sehnke, X. Xu, A. Mahmoud, et al. 2013. PUF modeling attacks on simulated and silicon data. IEEE Trans. Inf. Forens. Secur. 8, 11, 1876–1891. Ses Lab. 2014. Research on physical unclonable functions (PUFs) At, Vt. http://rijndael.ece.vt.edu/ puf/main.html. E. Simpson and P. Schaumont. 2006. Offline hardware/software authentication for reconfigurable platforms. In Proceedings of the Workshop on Cryptographic Hardware and Embedded Systems (CHES’06). 311– 323. P. Srinivasan and J. Princen. 2013. Programming non-volatile memory in a secure processor. Patent no. 8601247, filed October 9, 2009, Issued Aug. Dec 3, 2013. G. E. Suh and S. Devadas. 2007. Physical unclonable functions for device authentication and secret key generateion. In Proceedings of the ACM/IEEE Design Automation Conference (DAC’07). 9–14. S. Trimberger, J. Moore, and W. Lu. 2011. Authenticated encryption for FPGA bitstreams. In Proceedings of the ACM/SIGDA Symposium on Field-Programmable Gate Arrays (FPGA’11). 83–86. C. Yin and G. Qu. 2009. Temperature-aware cooperative ring oscillator PUF. In Proceedings of the IEEE International Workshop on Hardware-Oriented Security and Trust (HOST’09). 36–42. J. Zhang, Y. Lin, Q. Wu, and W. Che. 2012a. Watermarking FPGA bitfile for intellectual property protection. Radioengin. 21, 2, 764–771. J. Zhang, Y. Lin, W. Che, Q. Wu, Y. Lu, and K. Zhao. 2012b. Efficient verification of IP watermarks in FPGA designs through lookup table content extracting. IEICE Electron. Express 9, 22, 1735–1741. J. Zhang, Y. Lin, Y. Lyu, G. Qu, R. C. C. Cheung, et al. 2013a. FPGA IP protection by binding finite state machine to physical unclonable functions. In Proceedings of the 23rd IEEE International Conference on Field Programmable Logic and Applications (FPL’13). 1–4. J. Zhang, Q. Wu, Y. Lyu, Q. Zhou, Y. Cai, et al. 2013b. Design and implementation of a delay-based PUF for FPGA IP protection. In Proceedings of the13th IEEE International Conference on Computer-Aided Design and Computer Graphics (CADGRAPHICS’13). 107–114. J. Zhang, G. Qu, Y. Lyu, and Q. Zhou. 2014. A survey on silicon PUFs and recent advances in ring oscillator PUFs. J. Comput. Sci. Technol. 29, 4, 664–678. J. Zhang and G. Qu. 2014. A survey on security and trust of FPGA-based systems. In Proceedings of the International Conference on Field-Programmable Technology (ICFPT’14). 147–152. J. Zhang, Y. Lin, Y. Lyu, and G. Qu. 2015. A PUF-FSM binding scheme for FPGA IP protection and pay-perdevice licensing. IEEE Trans. Inf. Forensics Security. Received March 2014; revised September 2014; accepted September 2014

ACM Transactions on Design Automation of Electronic Systems, Vol. 20, No. 2, Article 33, Pub. date: February 2015.