Authentication of an ECU is the procedure that verifies the
claimed identity of the ECU. Any person, e.g. a mechanic, who
gains momentary access to the vehicle's internal network can
insert a malicious component into the car, and an attacker who
is able to gain access to any ECU can use this ability to
reach many safety-critical systems. A range of experiments,
both in the lab and in road tests [10], demonstrated the
ability to control a wide range of automotive functions and
completely ignore driver input, including selectively braking
individual wheels on demand, stopping the engine, disabling
the brakes and so on. Therefore, it is vital to authenticate
the source ECU before the receiver ECU reacts to the received
message packets. The proposed authentication process is based
on the challenge-response pairs obtained from Physically
Unclonable Functions (PUFs). The aim is to send the challenge
to the ECU that is to be authenticated and verify the response
obtained from it by comparing it with the response stored in
the secure database. PUFs are entities that use production
variability, which makes them impossible to clone. This
unclonability property makes PUFs useful in solving problems
such as device authentication, certified execution, software
protection and licensing [17].
3.1 Physical Unclonable Functions
A PUF [2] is an entity that uses manufacturing variations to
generate a device-specific output. This output can be used as
the fingerprint for uniquely identifying an ECU. A PUF
receives a challenge for which it generates a unique response
by exploiting intrinsic variability, e.g. wire delays and gate
delays in manufactured circuits. These delays depend on
unpredictable factors such as manufacturing variations,
quantum mechanical fluctuations, thermal gradients,
electromigration effects, parasitics, etc. [12]. For example,
even if two semiconductors are manufactured from the same
silicon wafer, wires designed to be the same will probably
differ in width and length by a few nanometers; such
microscopic differences in the surface of the silicon will
induce minor variations in the PUF's response for a particular
challenge.
To know whether the PUF outputs are unique (for security)
and reproducible (for reliability), the proposed approach
defines the following two metrics.
• Inter-PUF variation: It is a measure of uniqueness which
states the difference in output bits of different PUFs. If the
PUF produces uniformly distributed independent random bits,
the inter-chip variation should be 50% on average [8]. We use
the Hamming distance (HD) between a pair of PUF identifiers to
evaluate uniqueness. If two chips, i and j (i ≠ j), have k-bit
responses, Ri and Rj respectively, for the challenge C, the
average inter-chip HD among k chips is defined in (1).
Equation (1) is:
Uniqueness (HD_INTER):

$$HD_{INTER} = \frac{2}{k(k-1)} \sum_{i=1}^{k-1} \sum_{j=i+1}^{k} \frac{HD(R_i, R_j)}{n} \times 100\% \tag{1}$$

Where
k = index of an ID in a chip (range 1 to K)
R = Responses
n = No of bits in response
It is an estimate of the inter-chip variation in terms of the PUF
responses.
• Intra-PUF (environmental) variation: It is a measure of
reproducibility. It shows the number of PUF output bits that
change when the output is re-generated from a single PUF, with
or without environmental changes. Ideally, the intra-chip
variation should be 0% [8].
In the current work, the Hamming distance (HD) is used within
PUF identifiers to evaluate reproducibility. For chip i, the
average intra-chip HD is estimated as in (2).
Equation (2) is:
Reproducibility (HD_INTRA):

$$HD_{INTRA} = \frac{1}{m} \sum_{i=1}^{m} \frac{HD(R_i, R_j)}{n} \times 100 \tag{2}$$

Where
m = number of sample responses
R = Responses
n = No of bits in response
A PUF can be defined as a challenge-response mapping: if
an input challenge C1 is given to a PUF on a particular ECU,
the response generated will be R1. Presenting the same
challenge C1 to the PUF on a different ECU will produce R2,
which is different from R1. PUF architectures can be broadly
classified into two categories [2]:
i. Explicitly random PUFs and
ii. Intrinsically random PUFs.
Explicitly random PUFs are those where randomness is
induced into the material used to manufacture them.
Intrinsically random PUFs can be subdivided into two types:
i. Memory-based and
ii. Logic/Delay-based.
Silicon PUFs or delay-based PUFs exploit random variations
in the delays of interconnect wires and gates [2]. They are
designed to respond to a sequence of input challenges with
outputs of 1 or 0 based on the relative delay of two different
paths leading up to a comparator or arbiter [2]. As the
fabricated circuits respond differently due to random delay
variations, the sequence of responses can be used to uniquely
identify an ECU which has a PUF. The central idea is to exploit
the relative delay of two signal propagation paths, which
depends on the given input challenge. The challenge sets up a
race condition which leads to randomness of the output that is
latched based on the relative arrival times. An Arbiter PUF
[19] is a type of delay-based PUF. The proposed approach
emphasizes the use of Arbiter PUFs due to their reduced
complexity and ease of fabrication. The experimental results
in [8] by G. Edward Suh favor the use of the Arbiter PUF. They
show that two different PUFs have different outputs for the
same input, with a difference of 23% (inter-PUF variation).
Multiple measurements on the same PUF show a difference of
0.7%. For realistic changes in temperature from 20 to 70
Celsius and ±2% changes in regulated voltage, the output
noise is 4.8% and 3.7%, respectively. Even when increasing
the temperature by 100 °C and varying the voltage by 33%, the
PUF output noise still remains below 9%. This variation is
significantly less than the inter-PUF variation of 23%,
allowing for the identification of individual chips.
The Arbiter PUF measures the relative delay difference, which
makes the PUF robust against environmental variations.
Automobiles are consistently influenced by environmental
variations such as changes in temperature and device ageing.
This will induce different delays in the PUF circuit
incorporated in ECUs every time it is measured, which results
in the generation of varying responses. The variation is
significantly less for the identical PUF circuits on the ECUs
present in the network of the car than those of malign ECUs,
allowing for the identification of the authentic ECU.
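
An added example, not code from the paper: a Python simulation of the two metrics and of the response comparison described in this section, using the standard additive delay model of an arbiter PUF in place of real silicon. The stage count, response length, noise level and 15% acceptance threshold are assumptions, and Equation (2) is read here as comparing a chip's enrolled response with its m re-measurements. A software model yields near-ideal inter-PUF variation (about 50%) rather than the measured 23%.

```python
import random

N_STAGES = 64   # challenge length in bits (assumed)
N_BITS = 128    # n: response bits, one per enrolled challenge (assumed)
THRESHOLD = 15  # accept at HD <= 15% (assumed; between the 9% noise and 23% inter-PUF figures)

def make_puf(rng):
    # Per-chip stage delay differences, standing in for manufacturing variation.
    return [rng.gauss(0, 1) for _ in range(N_STAGES + 1)]

def response(puf, challenges, rng, noise=0.0):
    # Each bit is the arbiter's decision: sign of the summed delay difference plus noise.
    bits = []
    for ch in challenges:
        delta, parity = puf[-1], 1
        for w, c in zip(reversed(puf[:-1]), reversed(ch)):
            parity *= 1 - 2 * c  # a set challenge bit swaps the two racing paths
            delta += w * parity
        bits.append(int(delta + rng.gauss(0, noise) > 0))
    return bits

def hd(a, b):
    return sum(x != y for x, y in zip(a, b))

def hd_inter(responses):
    # Equation (1): mean pairwise HD over k chips, in percent.
    k, n = len(responses), len(responses[0])
    pairs = [(i, j) for i in range(k - 1) for j in range(i + 1, k)]
    return 2 / (k * (k - 1)) * sum(hd(responses[i], responses[j]) / n for i, j in pairs) * 100

def hd_intra(reference, samples):
    # Equation (2): mean HD between a reference and m re-measurements, in percent.
    return sum(hd(reference, s) / len(reference) for s in samples) / len(samples) * 100

def authenticate(stored, received, threshold=THRESHOLD):
    return hd(stored, received) / len(stored) * 100 <= threshold

def demo(seed=1):
    rng = random.Random(seed)
    challenges = [[rng.randint(0, 1) for _ in range(N_STAGES)] for _ in range(N_BITS)]
    pufs = [make_puf(rng) for _ in range(8)]                 # 8 simulated ECUs
    enrolled = [response(p, challenges, rng) for p in pufs]  # noise-free enrolment database
    noisy = [response(pufs[0], challenges, rng, noise=0.5) for _ in range(20)]
    rogue = response(make_puf(rng), challenges, rng, noise=0.5)
    return {"inter": hd_inter(enrolled), "intra": hd_intra(enrolled[0], noisy),
            "genuine": authenticate(enrolled[0], noisy[0]), "rogue": authenticate(enrolled[0], rogue)}

if __name__ == "__main__":
    print(demo())
```

The gap between the intra-PUF and inter-PUF figures is what makes a single threshold workable: the genuine ECU's noisy response stays well under it, while an inserted ECU with a different PUF lands far above it.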