Hi, my name is Johannes Tobisch and I'm going to present joint work with Anita and Georg on breaking the Interpose PUF with reliability attacks. I want to start with a quick introduction: what are physically unclonable functions? PUFs are a hardware primitive; you can think of them as a module embedded on an integrated circuit. They have an interface where you apply challenges and then you get responses, and in the context of this talk you can think of both as bit vectors. So the PUF maps bit vectors to bit vectors. The trick is that the process variations that occur during manufacturing of the integrated circuit guarantee uniqueness of this mapping. So whenever you manufacture two different instances, PUF A and PUF B, each will have a unique mapping, and so you can identify them by their responses. You can use them in a very simple protocol where you have an enrollment phase after manufacturing, in which you build a secret database of challenge-response pairs. Then, later in the field, the PUF can be authenticated by selecting a specific challenge and checking whether the response sent from the PUF is the same as the one in the database. Now, this protocol can only work for so-called strong PUFs, because they have a really large challenge space that is exponential in some design parameter. The advantages of these PUFs are that they are cheaper to manufacture and supposedly more secure than traditional crypto-based solutions: here you don't have a secret key that you need to protect, and invasive physical attacks are assumed to be infeasible on PUFs, at least in an idealized scenario. Now, why don't you see strong PUFs deployed in the field? Well, all candidates that have been proposed so far have been broken by modeling attacks. So what an attacker can try to do is record a large set of challenge-response pairs.
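The enrollment-then-authentication protocol described above can be sketched in a few lines. This is a minimal illustration with invented names; the `toy_puf` here is just a fixed secret linear mapping standing in for a real hardware PUF instance, not an actual PUF model.

```python
import numpy as np

def enroll(puf, num_crps, n, rng):
    """Enrollment phase: build a secret database of challenge-response pairs."""
    challenges = [rng.integers(0, 2, size=n) for _ in range(num_crps)]
    return [(c, puf(c)) for c in challenges]

def authenticate(device, crp_db):
    """Pick an unused CRP, query the device, compare to the stored response."""
    challenge, expected = crp_db.pop()   # each CRP should be used only once
    return device(challenge) == expected

# Toy stand-in for a real PUF instance (illustration only).
rng = np.random.default_rng(1)
secret = rng.integers(0, 2, size=64)
toy_puf = lambda c: int(c @ secret % 2)

db = enroll(toy_puf, num_crps=10, n=64, rng=rng)
genuine_ok = authenticate(toy_puf, db)   # genuine device passes
```

Note that each pair is discarded after use; this is why a strong PUF's exponential challenge space matters, since the database can never cover more than a negligible fraction of it.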
This is assumed to be feasible in the attacker model. Then they can try to build some mathematical model, and as soon as their mathematical model is able to perform this mapping from challenges to responses with high fidelity, high accuracy, the security of the PUF is broken. So where does our contribution come in? At CHES 2019, Nguyen et al. introduced a new design, the Interpose PUF. This design had some new ideas to provide security against the state-of-the-art attacks. The focus was especially on reliability attacks, which are the most devastating attacks because they require the smallest training sets. Already a year later, at CHES 2020, it was shown that the security of the iPUF is not quite as good as was claimed or hoped. And this year we show that reliability attacks are also possible, which breaks the original security claims. To understand the attack and the design, we need some preliminaries. First, you need to know the Arbiter PUF, which is the building block of most strong PUFs. It consists of a number of stages, and each stage has a challenge bit applied to it. What this challenge bit does is determine whether the two signal paths that run through the stage cross or are sent straight through. Here, for example, a zero is applied and the blue and the red paths cross. Now, to query the PUF, you apply a signal at the beginning, and then you have two signals racing through these stages. At the end, the arbiter determines which of the two signals arrives first, and this determines the single response bit. So what the arbiter does is evaluate the sign of the delay difference D. Now, as it turns out, this PUF can be modeled very well with just n+1 parameters, where n is the number of stages. To do this, you have a weight vector w, which basically corresponds to the physical delays that the stages add to the signals.
And you have a parity vector, which is basically a function of the applied challenge. With these two vectors, you can compute the true delay difference as a simple scalar product. Now, if you model a real PUF, what you always have is noise: whenever you have two signals racing through here, there will be some noise, and you can model this with a Gaussian random variable. As you can see on the bottom right, you have a decision threshold. Whenever the delay difference is below that, the response bit is zero, and if it's higher than this decision threshold, it's one. And you can see that if the noise is large enough, adding it to your true delay might push you across the decision threshold, and your response bit flips. This will become important later on, when we talk about the reliability attack. So, as you saw, the Arbiter PUF can be described by a very simple linear model. This means that it can be trivially broken by modeling attacks. So what people did was compose PUFs consisting of multiple Arbiter PUFs. The most well-known one is the XOR Arbiter PUF, where you have multiple Arbiter PUF instances and their responses are simply XORed together to get a single response bit. And this non-linearity really helps: it increases the required training set size, which is now exponential in the number of Arbiter PUFs in your design. But there's still a problem, because as we saw, Arbiter PUFs are noisy. So you cannot combine too many of them; otherwise your response bit will be really noisy and you cannot use the PUF in authentication. As a result, all practically feasible instance sizes of this PUF can be broken, as we'll see later. Now, based on the XOR Arbiter PUF, Nguyen et al. developed the Interpose PUF, which is basically a composition: you have the upper x-XOR PUF, which introduces a new challenge bit into the original challenge, and then you have the lower y-XOR PUF, which is evaluated on this augmented challenge.
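The linear Arbiter PUF model and the XOR composition just described can be sketched like this. This is a minimal simulation under the standard additive-delay model; function names and the noise parameterization are my own, and a real attack would use a much more careful noise calibration.

```python
import numpy as np

def parity(challenge):
    """Parity feature map: phi_i is the product of (-1)^c_j for j >= i,
    followed by a constant bias feature."""
    signs = 1 - 2 * np.asarray(challenge)      # bits {0,1} -> signs {+1,-1}
    phi = np.cumprod(signs[::-1])[::-1]        # suffix products
    return np.append(phi, 1.0)

def arbiter_delay(w, challenge, sigma=0.0, rng=None):
    """Delay difference D = <w, phi(c)>, optionally with Gaussian noise."""
    d = w @ parity(challenge)
    return d + rng.normal(0.0, sigma) if sigma > 0 else d

def xor_response(ws, challenge, sigma=0.0, rng=None):
    """k-XOR Arbiter PUF: XOR of the k individual response bits (sign of D)."""
    bits = [int(arbiter_delay(w, challenge, sigma, rng) > 0) for w in ws]
    return sum(bits) % 2

rng = np.random.default_rng(0)
n, k = 64, 4
ws = rng.normal(0, 1, size=(k, n + 1))   # one weight vector per Arbiter PUF
c = rng.integers(0, 2, size=n)
r = xor_response(ws, c)                  # noiseless response bit, 0 or 1
```

With `sigma > 0`, repeated queries of the same challenge occasionally flip, which is exactly the noise behavior the reliability attack later exploits.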
And its response r_y is then your overall response bit. So how do you attack these PUFs? The general model is that you have challenges and responses, a lot of pairs of these; this is your training set. Now you're trying to find a model that maps these challenges to the responses, and your model has some internal weights, a weight vector w. Now, what you can always do as an attacker is just pick a random w, start somewhere in weight space, and then try to make your way to a good solution that provides a good mapping. One thing you can do is define a local loss function l, which basically measures how well your current pick of w predicts the response for a single challenge. Based on this function, you can build a sum that tells you how well your current pick of w performs over your whole training set. And now you can enter an optimization loop where you evaluate your loss and then try to tune your w such that you move towards a minimum in this loss landscape. If you use gradient descent, for example, you evaluate the gradient at the point where you currently are and then follow the gradient towards a minimum of the loss function. So this is how you can think of these attacks being performed. In the classical modeling attack, you just use challenge-response pairs, and it was shown that logistic regression is able to break XOR Arbiter PUFs for basically all feasible instance sizes. Wisiol et al. showed how this technique can be adapted to the Interpose PUF. They did not provide a fully differentiable model of the iPUF; instead, they showed that you can basically divide and conquer the Interpose PUF and attack the different parts separately. So now, turning to the reliability attack: what you can do as an attacker is query the PUF, for example an Arbiter PUF, multiple times with the same challenge.
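The optimization loop just described, pick a w, evaluate the summed loss, follow the gradient, can be sketched as a plain logistic-regression modeling attack on a single (simulated, noiseless) Arbiter PUF. The function names and hyperparameters here are illustrative choices, not the paper's exact setup.

```python
import numpy as np

def sigmoid(z):
    return 1.0 / (1.0 + np.exp(-z))

def modeling_attack(phis, responses, lr=0.5, epochs=300):
    """Tune w by gradient descent on the summed per-challenge log-loss."""
    w = np.zeros(phis.shape[1])            # starting point in weight space
    y = 2 * responses - 1                  # bits {0,1} -> labels {-1,+1}
    for _ in range(epochs):
        margins = y * (phis @ w)
        # gradient of mean_i log(1 + exp(-y_i <w, phi_i>))
        grad = -(phis * (y * sigmoid(-margins))[:, None]).mean(axis=0)
        w -= lr * grad
    return w

# Simulated target: responses are the sign of a hidden linear model.
rng = np.random.default_rng(2)
w_true = rng.normal(0, 1, size=65)
phis = rng.choice([-1.0, 1.0], size=(5000, 65))
responses = (phis @ w_true > 0).astype(int)

w_model = modeling_attack(phis, responses)
accuracy = ((phis @ w_model > 0).astype(int) == responses).mean()
```

Because the Arbiter PUF is linear in the parity features, this converges to a high-accuracy model quickly; the XOR and Interpose compositions are precisely what makes this naive loss landscape hard.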
So you have one challenge and, in this case, T repetitions of the response bit. As we saw, the response may flip at certain times if the noise is large enough. Based on these T response bits, you can compute a reliability score, which basically tells you how noisy your response bit is for this specific challenge. Now, the observation is that this reliability score gives you information about the magnitude of the delay difference D. Looking at the blue example, we can see that the true delay is pretty close to the decision threshold. This means that you don't need a lot of noise to cross this decision threshold, so your response will be rather noisy. In contrast, in orange you can see that the true delay is pretty far away from the decision threshold, so you would need a lot of noise, which is quite unlikely, to cross to the other side. So this is a stable response. So there we have this connection, and this is the information you get from the reliability score. Now, how do you use this to attack XOR Arbiter PUFs? The observation is that the reliability score of a single Arbiter PUF correlates with the overall reliability score of the global response bit. This is simply because, due to the XOR operation, whenever a noisy Arbiter PUF, say Arbiter PUF A, flips its response bit, the global response bit will flip as well. So we have this direct correlation. And on the previous slides, we saw that, in turn, the reliability score of an individual Arbiter PUF correlates with the magnitude of its delay difference. So now we have one value that can be observed by the attacker and one value that can be predicted by the model, and this directly leads to an attack in which you can find the Arbiter PUFs: with an optimization routine, you simply try to find an Arbiter PUF model whose predicted reliability has a high Pearson correlation with the observed global reliability score.
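The link between the reliability score and the magnitude of D can be demonstrated in simulation. I use the score h = |T/2 - sum of the T response bits|, the form used in Becker-style reliability attacks; the concrete parameters below are arbitrary.

```python
import numpy as np

def reliability_score(bits):
    """h = |T/2 - sum(r_t)|: close to T/2 for stable bits, near 0 for noisy ones."""
    return abs(len(bits) / 2 - sum(bits))

# The further the true delay D is from the threshold, the more stable the bit.
rng = np.random.default_rng(3)
true_delays = rng.normal(0.0, 1.0, size=500)    # one D per challenge
T, sigma = 11, 0.5                              # repetitions, noise level
scores = np.array([
    reliability_score((d + rng.normal(0.0, sigma, size=T)) > 0)
    for d in true_delays
])
corr = np.corrcoef(np.abs(true_delays), scores)[0, 1]
```

The correlation `corr` comes out strongly positive, which is exactly the side channel the attack exploits: the attacker observes h, while the model can predict |D|.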
Whenever you run this optimization, it yields exactly one Arbiter PUF. Now, the observation is that you need to run this attack multiple times, because you need all of the individual Arbiter PUFs. And what can happen is that the probability of encountering each Arbiter PUF across the optimization runs is not equal. In this case, for example, we have Arbiter PUF A, which is just more likely to be found because its minimum is more pronounced compared to that of Arbiter PUF B. So some Arbiter PUFs are more likely to be learned than others. And this is exactly the idea that Nguyen et al. used for the security argument of their construction. They said: we have this x-XOR Arbiter PUF, and if we put it on top, it will have much less effect on the overall response bit. So the correlation between the reliability of the x-XOR Arbiter PUFs and the overall reliability score is pretty low, and according to their analysis, this means that it is highly unlikely that all the x-XOR Arbiter PUFs belonging to this top part will actually be found. In general, we could follow this argument, and with simulations we could see that the x Arbiter PUFs indeed have a lower correlation with the global reliability score, while the y PUFs are found more easily because they have a larger correlation. However, we came up with the idea that you don't have to run the same optimization routine over and over again; instead, you can resort to adaptive reliability attacks. The idea is: let's say you have found the first minimum, so you have optimized in this area of the blue curve and found a minimum somewhere here. What you can do now is modify your optimization target. You say: I never want to go here again, so I add additional loss where I ended up. And now you end up with a new target function, this green one, which does not have the same minimum over here anymore.
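The adaptive idea, penalizing the region around an already-found minimum so the next run escapes to a different one, can be shown on a toy one-dimensional landscape. This is purely illustrative; the penalty shape and constants are my own choices, not the paper's formulation.

```python
import numpy as np

def grad(f, w, eps=1e-5):
    return (f(w + eps) - f(w - eps)) / (2 * eps)   # numerical gradient

def descend(f, w, lr=0.05, steps=500):
    for _ in range(steps):
        w = w - lr * grad(f, w)
    return w

base_loss = lambda w: (w**2 - 1)**2   # toy landscape with minima at -1 and +1

# First run: plain descent from w0 = 0.5 lands in the minimum at +1.
w1 = descend(base_loss, 0.5)

# Adaptive run: add a penalty bump around the solution already found, so
# the very same starting point now escapes to the other minimum at -1.
penalized = lambda w: base_loss(w) + 5.0 * np.exp(-(w - w1)**2 / 0.2)
w2 = descend(penalized, 0.5)
```

In the real attack, "w" is a high-dimensional Arbiter PUF model and the penalty discourages similarity to previously recovered models, but the mechanism is the same.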
So you will explore other minima in the loss landscape, and you might end up over here if you run the optimization again. This idea is already a direct challenge to the iPUF security argument. Next we will see a few more steps that we took to get a practical attack. Learning one Arbiter PUF at a time, even with this adaptive attack, is still somewhat cumbersome; we found that it needs a lot of manual tuning. So instead, to build an efficient attack, we resorted to learning all Arbiter PUFs at once: you perform the reliability attack in parallel on all Arbiter PUFs, and to prevent them from converging to the same solution, you discourage similarity by adding constraint terms. And we made another modification, which is also important: we added another term to the optimization goal. This term is basically your classic machine learning attack, which just measures how well your model predicts the response bit. So now you have three terms: the classical logistic regression loss, which measures how well your global model predicts responses; another term, in blue, which encourages the individual Arbiter PUFs to show a high correlation with the reliability score; and one term which discourages the Arbiter PUFs from converging to the same solution. This last one counteracts the reliability correlation term a little, so that it doesn't take the upper hand. And we have some experiments, again simulations, that show that including all your available information in this way is actually beneficial: in blue you have the original reliability attack; in orange you add the constraint term, so the Arbiter PUFs are discouraged from converging to the same solution; and in green you additionally add the logistic regression loss.
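The three-term objective can be sketched as follows. This is an illustrative combination I wrote to mirror the structure described in the talk (response loss plus reliability correlation plus dissimilarity constraint), not the paper's exact loss; the soft-XOR relaxation via a tanh product and all weightings are my assumptions.

```python
import numpy as np

def pearson(a, b):
    a, b = a - a.mean(), b - b.mean()
    return (a @ b) / (np.linalg.norm(a) * np.linalg.norm(b) + 1e-12)

def combined_loss(ws, phis, responses, rel_scores, alpha=1.0, beta=1.0):
    """Three terms: global response loss + per-model reliability
    correlation + pairwise dissimilarity between the k parallel models."""
    delays = phis @ ws.T                   # (N, k): per-model delay per challenge
    # 1. logistic-style loss on the global response (soft XOR via tanh product)
    y = 2 * np.asarray(responses) - 1
    soft_xor = np.prod(np.tanh(delays), axis=1)
    resp_loss = np.log1p(np.exp(-y * soft_xor)).mean()
    # 2. reward each model for correlating with the observed reliability scores
    rel_loss = -sum(pearson(np.abs(delays[:, j]), rel_scores)
                    for j in range(ws.shape[0]))
    # 3. penalize pairwise similarity so the models find distinct Arbiter PUFs
    wn = ws / np.linalg.norm(ws, axis=1, keepdims=True)
    off_diag = np.abs(wn @ wn.T) - np.eye(ws.shape[0])
    dissim_loss = off_diag.sum() / 2
    return resp_loss + alpha * rel_loss + beta * dissim_loss

rng = np.random.default_rng(4)
k, n_feat, N = 4, 65, 200
ws = rng.normal(size=(k, n_feat))
phis = rng.choice([-1.0, 1.0], size=(N, n_feat))
responses = rng.integers(0, 2, size=N)
rel_scores = rng.random(N)
loss = combined_loss(ws, phis, responses, rel_scores)
```

Every piece is differentiable in `ws`, which is the point: the whole objective can be handed to a gradient-based optimizer instead of an evolutionary strategy.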
And what you can see is that in attacks on the (5,5)-Interpose PUF, with our modified approach in green, you are actually able to find all Arbiter PUFs and to model the complete PUF. I briefly want to mention some technical steps that were also important in our attack. In the original reliability attack, the optimization routine was CMA-ES, which is an evolutionary strategy approach, and we replaced this with gradient descent, because we actually found a differentiable model, and gradient descent usually beats CMA-ES. For this, we also had to find a differentiable model of the iPUF. We just had to modify the computation of the feature vectors, this parity vector phi. The details are in the paper; it's just a small technical step, and then you have a fully differentiable model of the complete iPUF. Another technical issue that we had to solve was finding good constraints for the iPUF, because you really need to watch out that you don't end up with y PUF models in places where you need the x PUF models. The design is asymmetric, but the reliability attack in its original formulation does not know this and cannot sort them. This actually took quite a lot of time, and again I refer to the paper, where we have all the details on this. So, looking briefly at the results: we were able to break the (1,10)-iPUF. This is important because it was proposed as a secure instantiation, with 64 stages per Arbiter PUF. If you were to run a classical machine learning attack on it, you probably wouldn't be successful, because it would require billions of challenges; but with the reliability information included, you just need a couple hundred thousand. The runtime is also very much feasible and, as always, could be further optimized. We were also able to run attacks on (x,x)-iPUFs, for example the (7,7)-iPUF.
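For reference, the forward pass of an (x,y)-iPUF, with the upper response bit interposed into the middle of the challenge, can be sketched like this. This shows the exact, hard-threshold evaluation; the differentiable model used in the attack replaces the hard sign decisions with a smooth relaxation, as described in the paper. All names here are my own.

```python
import numpy as np

def parity(bits):
    """Standard Arbiter PUF feature map with a trailing bias feature."""
    signs = 1 - 2 * np.asarray(bits)
    return np.append(np.cumprod(signs[::-1])[::-1], 1.0)

def xor_bit(ws, phi):
    """Response bit of an XOR Arbiter PUF on feature vector phi."""
    return int(((ws @ phi) > 0).sum() % 2)

def ipuf_response(ws_x, ws_y, challenge):
    """(x,y)-iPUF: the upper x-XOR PUF's response bit is interposed at the
    middle of the challenge before the lower y-XOR PUF is evaluated."""
    r_x = xor_bit(ws_x, parity(challenge))
    mid = len(challenge) // 2
    augmented = np.insert(challenge, mid, r_x)   # (n+1)-bit challenge
    return xor_bit(ws_y, parity(augmented))

rng = np.random.default_rng(5)
n, x, y = 64, 1, 10                   # the (1,10) instantiation from the talk
ws_x = rng.normal(size=(x, n + 1))    # n+1 features for an n-bit challenge
ws_y = rng.normal(size=(y, n + 2))    # lower layer sees n+1 challenge bits
c = rng.integers(0, 2, size=n)
r = ipuf_response(ws_x, ws_y, c)      # deterministic bit, 0 or 1
```

The asymmetry mentioned above is visible here: the upper and lower layers have different feature dimensions and play different roles, which is why the attack needs constraints to keep x models and y models from swapping places.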
I have to mention that this was a bit more involved: we had to run the attack in multiple stages, because there's a lot of fiddling around with the numbers and the optimization goals. So this is an area where our attack could still be improved, but nevertheless, as I said, we were able to break the (7,7)-iPUF. The most important takeaway result is basically the scaling of the attack. In blue is our attack, and the y-axis is scaled logarithmically. What you can see is that our attack scales somewhat linearly. In contrast, you have three other curves here, which are all logistic-regression-based attacks that don't take reliability information into account, and these all scale exponentially. So the takeaway is: if you use the reliability information, you can attack really large instances, and the security of the iPUF in this attacker model is actually broken. So what's the conclusion? As I said, the iPUF unfortunately does not hold up to its claims; reliability attacks are still possible. And what we also really want to show with our methodology is that you have a lot of flexibility in building these attacks: the specifics of certain optimization algorithms do not matter as much, and you have a lot of freedom in how you compose optimization objectives. So the takeaway is that it's somewhat hard and technically involved to run these attacks, and really testing your design against certain state-of-the-art attacks is not that easy. A technical note: if, in the future, you want to run this kind of attack on your own designs to find improvements, do use modern libraries like PyTorch or TensorFlow to develop these attacks. It makes things much easier and much more enjoyable than crafting the code yourself, for gradient computation for example. All right, thanks for your attention.