Upload
others
View
8
Download
0
Embed Size (px)
Citation preview
Physical Unclonable Functions
Ismail San
Anadolu University
EEM 530
Context
What is PUF?
Examples of PUFs
PUF for identification and Authentication
PUF Notation, An approach to make a PUF experiment
Helper Data Algorithm or ECC based noise removal
BCH encoding and decoding for error correction
Security, Threats and Environmental Parameters
2 / 49
What is PUF?
PUF as a Function
Let x = 2n, y = 2m where xdenotes a set of n-bitchallenges and y denotes aset of m-bit responses.
Mapping between challengesand responses
(xi, yi) pairs are determinedby manufacturing variationsof the the device.
010110100010101101010101 100011011010010 011100
Challenge PUF Response
Challenge Response
......
100010101 110110
(xi , yi)
xi yi
3 / 49
Ideal PUF
Design philosophy
H(xi, yi) is distributed normally from 1 to n.
H(yi, yj) is approx. equal to n2 when H(xi, xj) = 1 is given
“Apply crypt. hash function to response”
Observation requires evaluation of PUF
“Ring oscillator type PUF satisfies this”
Summary:
PUFi should be unique to device i
Each challenge and response pairshould not be linkable
Challenge and response pairsshould be independent
010110100010101101010101 100011011010010 011100
Challenge PUF Response
Challenge Response
......
100010101 110110
(xi , yi)
xi yi
4 / 49
Ideal PUF
Design philosophy
H(xi, yi) is distributed normally from 1 to n.
H(yi, yj) is approx. equal to n2 when H(xi, xj) = 1 is given
“Apply crypt. hash function to response”
Observation requires evaluation of PUF
“Ring oscillator type PUF satisfies this”
Summary:
PUFi should be unique to device i
Each challenge and response pairshould not be linkable
Challenge and response pairsshould be independent
010110100010101101010101 100011011010010 011100
Challenge PUF Response
Challenge Response
......
100010101 110110
(xi , yi)
xi yi
4 / 49
Ideal PUF
Design philosophy
H(xi, yi) is distributed normally from 1 to n.
H(yi, yj) is approx. equal to n2 when H(xi, xj) = 1 is given
“Apply crypt. hash function to response”
Observation requires evaluation of PUF
“Ring oscillator type PUF satisfies this”
Summary:
PUFi should be unique to device i
Each challenge and response pairshould not be linkable
Challenge and response pairsshould be independent
010110100010101101010101 100011011010010 011100
Challenge PUF Response
Challenge Response
......
100010101 110110
(xi , yi)
xi yi
4 / 49
Ideal PUF
Design philosophy
H(xi, yi) is distributed normally from 1 to n.
H(yi, yj) is approx. equal to n2 when H(xi, xj) = 1 is given
“Apply crypt. hash function to response”
Observation requires evaluation of PUF
“Ring oscillator type PUF satisfies this”
Summary:
PUFi should be unique to device i
Each challenge and response pairshould not be linkable
Challenge and response pairsshould be independent
010110100010101101010101 100011011010010 011100
Challenge PUF Response
Challenge Response
......
100010101 110110
(xi , yi)
xi yi
4 / 49
Ideal PUF
Design philosophy
H(xi, yi) is distributed normally from 1 to n.
H(yi, yj) is approx. equal to n2 when H(xi, xj) = 1 is given
“Apply crypt. hash function to response”
Observation requires evaluation of PUF
“Ring oscillator type PUF satisfies this”
Summary:
PUFi should be unique to device i
Each challenge and response pairshould not be linkable
Challenge and response pairsshould be independent
010110100010101101010101 100011011010010 011100
Challenge PUF Response
Challenge Response
......
100010101 110110
(xi , yi)
xi yi
4 / 49
Principle of PUF
CICI CI
PUFm
Rm
ChallengeCI
II R2 R3R1
IIPUF1 PUF2 PUF3
· · ·
R1 6= R2 6= R3 6= · · · 6= Rm
5 / 49
Process variations in MOSFET
Components (MOSFET) Interconnect
Geometry
Effective channel length Line width and spaceGate length Metal thicknessComponent width Contact and via size
Material ParametersDoping variations Contact and via resistanceDeposition and anneal Metal resistivity
Electrical Parameters
Threshold voltage Line resistivityParasitic capacities Line capacityGate and source resistivityLeakage currents
Some important parameters that are affected by process variations,and the electrical parameters on which this is an impact.
D.S. Boning and S.R. Nassif. Models of process variations in device and interconnect.Design of High Performance Microprocessor Circuit. IEEE Press, 2000
6 / 49
Delay-based PUF: Arbiter PUF
1
0
1
0
1
0
1
0
1
0
1
0
1
0
1
0
Challenge
Q
cN cN−1 cN−2 c1
Response
D
1
1
0
1
0
1
0
1
0
1
0
1
0
1
0
1
0
Challenge
Q
cN cN−1 cN−2 c1
10 0
D
Response
0
Each challenge selects a unique pair of delay paths
Digital race condition on two paths with an identical delay in design
Random, uncontrollable process variations determines who will win
Arbiter output creates 1-bit output response
Multiple bits are obtained by duplicating the circuit or use of differentchallenge
7 / 49
Delay-based PUF: Arbiter PUF
1
0
1
0
1
0
1
0
1
0
1
0
1
0
1
0
Challenge
Q
cN cN−1 cN−2 c1
Response
D
1
1
0
1
0
1
0
1
0
1
0
1
0
1
0
1
0
Challenge
Q
cN cN−1 cN−2 c1
10 0
D
Response
0
Each challenge selects a unique pair of delay paths
Digital race condition on two paths with an identical delay in design
Random, uncontrollable process variations determines who will win
Arbiter output creates 1-bit output response
Multiple bits are obtained by duplicating the circuit or use of differentchallenge
7 / 49
Delay-based PUF: Arbiter PUF
1
0
1
0
1
0
1
0
1
0
1
0
1
0
1
0
Challenge
Q
cN cN−1 cN−2 c1
Response
D
1
1
0
1
0
1
0
1
0
1
0
1
0
1
0
1
0
Challenge
Q
cN cN−1 cN−2 c1
10 0
D
Response
0
1
0
1
0
1
0
1
0
1
0
1
0
1
0
1
0
Challenge
Q
cN cN−1 cN−2 c1
0 01 0
D
0
Response
0
1
0
1
0
1
0
1
0
1
0
1
0
1
0
1
0
Challenge
Q
cN cN−1 cN−2 c1
1 1 1 0
Response
D
10 0
1
0
1
0
1
0
1
0
1
0
1
0
1
0
1
0
Challenge
Q
cN cN−1 cN−2 c1
1
Response
0 0 1
0
D
0 0 1
1
0
1
0
1
0
1
0
1
0
1
0
1
0
1
0
Challenge
Q
cN cN−1 cN−2 c1
0
Response
0 0 0
D
0 1 01
1
· · ·
Delay difference and so the arbiter output will be device specific. ofan Arbiter PUF.
*** A metastabe state occurs if both delays are nearly identical. After ashort time, arbiter leaves the metastable state and outputs a randombinary value.
In that case, the arbiter output is not device-specific. Thisphenomenon is the cause of unreliability (noise) of the responses.
8 / 49
Delay-based PUF: Arbiter PUF
1
0
1
0
1
0
1
0
1
0
1
0
1
0
1
0
Challenge
Q
cN cN−1 cN−2 c1
Response
D
1
1
0
1
0
1
0
1
0
1
0
1
0
1
0
1
0
Challenge
Q
cN cN−1 cN−2 c1
10 0
D
Response
0
1
0
1
0
1
0
1
0
1
0
1
0
1
0
1
0
Challenge
Q
cN cN−1 cN−2 c1
0 01 0
D
0
Response
0
1
0
1
0
1
0
1
0
1
0
1
0
1
0
1
0
Challenge
Q
cN cN−1 cN−2 c1
1 1 1 0
Response
D
10 0
1
0
1
0
1
0
1
0
1
0
1
0
1
0
1
0
Challenge
Q
cN cN−1 cN−2 c1
1
Response
0 0 1
0
D
0 0 1
1
0
1
0
1
0
1
0
1
0
1
0
1
0
1
0
Challenge
Q
cN cN−1 cN−2 c1
0
Response
0 0 0
D
0 1 01
1
· · ·
Delay difference and so the arbiter output will be device specific. ofan Arbiter PUF.
*** A metastabe state occurs if both delays are nearly identical. After ashort time, arbiter leaves the metastable state and outputs a randombinary value.
In that case, the arbiter output is not device-specific. Thisphenomenon is the cause of unreliability (noise) of the responses.
8 / 49
Delay-based PUF: Arbiter PUF
1
0
1
0
1
0
1
0
1
0
1
0
1
0
1
0
Challenge
Q
cN cN−1 cN−2 c1
Response
D
1
1
0
1
0
1
0
1
0
1
0
1
0
1
0
1
0
Challenge
Q
cN cN−1 cN−2 c1
10 0
D
Response
0
1
0
1
0
1
0
1
0
1
0
1
0
1
0
1
0
Challenge
Q
cN cN−1 cN−2 c1
0 01 0
D
0
Response
0
1
0
1
0
1
0
1
0
1
0
1
0
1
0
1
0
Challenge
Q
cN cN−1 cN−2 c1
1 1 1 0
Response
D
10 0
1
0
1
0
1
0
1
0
1
0
1
0
1
0
1
0
Challenge
Q
cN cN−1 cN−2 c1
1
Response
0 0 1
0
D
0 0 1
1
0
1
0
1
0
1
0
1
0
1
0
1
0
1
0
Challenge
Q
cN cN−1 cN−2 c1
0
Response
0 0 0
D
0 1 01
1
· · ·
Delay difference and so the arbiter output will be device specific. ofan Arbiter PUF.
*** A metastabe state occurs if both delays are nearly identical. After ashort time, arbiter leaves the metastable state and outputs a randombinary value.
In that case, the arbiter output is not device-specific. Thisphenomenon is the cause of unreliability (noise) of the responses.
8 / 49
Delay-based PUF: Arbiter PUF
1
0
1
0
1
0
1
0
1
0
1
0
1
0
1
0
Challenge
Q
cN cN−1 cN−2 c1
Response
D
1
1
0
1
0
1
0
1
0
1
0
1
0
1
0
1
0
Challenge
Q
cN cN−1 cN−2 c1
10 0
D
Response
0
1
0
1
0
1
0
1
0
1
0
1
0
1
0
1
0
Challenge
Q
cN cN−1 cN−2 c1
0 01 0
D
0
Response
0
1
0
1
0
1
0
1
0
1
0
1
0
1
0
1
0
Challenge
Q
cN cN−1 cN−2 c1
1 1 1 0
Response
D
10 0
1
0
1
0
1
0
1
0
1
0
1
0
1
0
1
0
Challenge
Q
cN cN−1 cN−2 c1
1
Response
0 0 1
0
D
0 0 1
1
0
1
0
1
0
1
0
1
0
1
0
1
0
1
0
Challenge
Q
cN cN−1 cN−2 c1
0
Response
0 0 0
D
0 1 01
1
· · ·
Delay difference and so the arbiter output will be device specific. ofan Arbiter PUF.
*** A metastabe state occurs if both delays are nearly identical. After ashort time, arbiter leaves the metastable state and outputs a randombinary value.
In that case, the arbiter output is not device-specific. Thisphenomenon is the cause of unreliability (noise) of the responses.
8 / 49
Delay-based PUF: Arbiter PUF
1
0
1
0
1
0
1
0
1
0
1
0
1
0
1
0
Challenge
Q
cN cN−1 cN−2 c1
Response
D
1
1
0
1
0
1
0
1
0
1
0
1
0
1
0
1
0
Challenge
Q
cN cN−1 cN−2 c1
10 0
D
Response
0
1
0
1
0
1
0
1
0
1
0
1
0
1
0
1
0
Challenge
Q
cN cN−1 cN−2 c1
0 01 0
D
0
Response
0
1
0
1
0
1
0
1
0
1
0
1
0
1
0
1
0
Challenge
Q
cN cN−1 cN−2 c1
1 1 1 0
Response
D
10 0
1
0
1
0
1
0
1
0
1
0
1
0
1
0
1
0
Challenge
Q
cN cN−1 cN−2 c1
1
Response
0 0 1
0
D
0 0 1
1
0
1
0
1
0
1
0
1
0
1
0
1
0
1
0
Challenge
Q
cN cN−1 cN−2 c1
0
Response
0 0 0
D
0 1 01
1
· · ·
Delay difference and so the arbiter output will be device specific. ofan Arbiter PUF.
*** A metastabe state occurs if both delays are nearly identical. After ashort time, arbiter leaves the metastable state and outputs a randombinary value.
In that case, the arbiter output is not device-specific. Thisphenomenon is the cause of unreliability (noise) of the responses.
8 / 49
Delay-based PUF: Arbiter PUF
1
0
1
0
1
0
1
0
1
0
1
0
1
0
1
0
Challenge
Q
cN cN−1 cN−2 c1
Response
D
1
1
0
1
0
1
0
1
0
1
0
1
0
1
0
1
0
Challenge
Q
cN cN−1 cN−2 c1
10 0
D
Response
0
1
0
1
0
1
0
1
0
1
0
1
0
1
0
1
0
Challenge
Q
cN cN−1 cN−2 c1
0 01 0
D
0
Response
0
1
0
1
0
1
0
1
0
1
0
1
0
1
0
1
0
Challenge
Q
cN cN−1 cN−2 c1
1 1 1 0
Response
D
10 0
1
0
1
0
1
0
1
0
1
0
1
0
1
0
1
0
Challenge
Q
cN cN−1 cN−2 c1
1
Response
0 0 1
0
D
0 0 1
1
0
1
0
1
0
1
0
1
0
1
0
1
0
1
0
Challenge
Q
cN cN−1 cN−2 c1
0
Response
0 0 0
D
0 1 01
1
· · ·
Delay difference and so the arbiter output will be device specific. ofan Arbiter PUF.
*** A metastabe state occurs if both delays are nearly identical. After ashort time, arbiter leaves the metastable state and outputs a randombinary value.
In that case, the arbiter output is not device-specific. Thisphenomenon is the cause of unreliability (noise) of the responses.
8 / 49
Delay-based PUF: Arbiter PUF
1
0
1
0
1
0
1
0
1
0
1
0
1
0
1
0
Challenge
Q
cN cN−1 cN−2 c1
Response
D
1
1
0
1
0
1
0
1
0
1
0
1
0
1
0
1
0
Challenge
Q
cN cN−1 cN−2 c1
10 0
D
Response
0
1
0
1
0
1
0
1
0
1
0
1
0
1
0
1
0
Challenge
Q
cN cN−1 cN−2 c1
0 01 0
D
0
Response
0
1
0
1
0
1
0
1
0
1
0
1
0
1
0
1
0
Challenge
Q
cN cN−1 cN−2 c1
1 1 1 0
Response
D
10 0
1
0
1
0
1
0
1
0
1
0
1
0
1
0
1
0
Challenge
Q
cN cN−1 cN−2 c1
1
Response
0 0 1
0
D
0 0 1
1
0
1
0
1
0
1
0
1
0
1
0
1
0
1
0
Challenge
Q
cN cN−1 cN−2 c1
0
Response
0 0 0
D
0 1 01
1
· · ·
Delay difference and so the arbiter output will be device specific. ofan Arbiter PUF.
*** A metastabe state occurs if both delays are nearly identical. After ashort time, arbiter leaves the metastable state and outputs a randombinary value.
In that case, the arbiter output is not device-specific. Thisphenomenon is the cause of unreliability (noise) of the responses.
8 / 49
Delay-based PUF: Ring Oscillator PUFs
Delay Counter ResponseEdge
Detector
Challenge
9 / 49
Memory-based PUF: SRAM PUFs
Q̄ Q
(1) Logic circuit of
an SRAM PUF (a cell)
(2) Transistor-level circuit of an SRAM PUF
in a standard CMOS tech.
Word Line
−B
itL
ine
Bit
Line
10 / 49
SRAM PUF
R. Maes. Physically Unclonable Functions:Constructions, Properties and Applications. Springer, 2013. 11 / 49
Memory-based PUF: Butterfly PUFs
Reset
(1) Logic circuit of
an SRAM PUF (a cell)
(2) Schematical-level circuit of
a butterfly PUF cell
Excite
Preset
Clear
D Q
Preset
Clear
AD Q
0
0
B
12 / 49
PUF for Identification
PUF-based identification method uses a unique and untamperabledevice identifier exploiting the pyhsics of the device.
Identification is similar to authentication but in this context it hasweaker concept.
PUF should provide the identity of the device without any convincingproof.
In certain situations, identification is enough to achieve entityauthentication.
13 / 49
PUF for Authentication
PUF gives a measure of the device specific physical feature.
Therefore, device authentication is provided by PUF (not messageauthentication).
Besides plain identification, also corroborative evidence of the deviceidentity is required.
Corroborative evidence means that it could only have been created bythat particular device.
For the device authentication:
the identity of a second party involved
the second party is active at the time of the evidence is created.
14 / 49
Device Authentication
UntrustedSupply chain
Responser ′2
==
Responseri
Challenge Response
100010101100010101100010101
010110010110010110
Challengec2
Device ?
Is this deviceauthentic tothe manufacturer?Device A
(ci , ri)
Challengeci
PUF A
PUF A
... ...
15 / 49
PUF Notation
Creation of a PUF Instance:
P ≡ {pufi ← P.Create(rCi ) : ∀i, rCi$← {0, 1}∗}
Random evaluation of PUF instance pufi for challenge x:
y(j)i (x)← pufi(x).Eval(rEj
$← {0, 1}∗)
Y(x)i ← pufi(x).Eval
where rC and rE are randomization variables representing anundetermined fair coin tosses.
16 / 49
PUF Experiment
a PUF class generates responses for the challenges provided to it
Y(x)i ← pufi(x).Eval
where Yis are responses for challenge x.
Statistically, the distribution of PUF responses should be estimated.
This require experiments to understand the distribution statistics fromobserved PUF responses:
1 Experiments estimating the distribution for same challenge x ondistinct evaluations.
2 These experiments should be repeated on responses for differentchallenges.
3 Experiments on responses from different PUF instances
17 / 49
PUF Experiment
A PUF class generates responses for the challenges provided to it
ExperimentP(Npuf , Nchal, Nmeas)→ YExp(P)
YExp(P) = [y(j)i (xk)← pufi(xk).Eval(rEj )
with
∀1 ≤ j ≤ Nmeas : rEj$← {0, 1}∗,
∀1 ≤ k ≤ Nchal : xk$← XP ,
∀1 ≤ i ≤ Npuf : pufi$← P,
If the conditions are important while doing experiments, then theyshould be specified with a parameter.
18 / 49
PUF Response Distances: intra distance
A PUF response intra distance is a random variable refers to thedistance between two responses from the same PUF instance andusing the same challenge.
Dintrapufi
(x) , dist[Yi(x);Y ′i (x)],
with Yi(x) and Y ′i (x) two distinct random evaluations of PUFinstance pufi on the same challenge x. dist[; ] denotes hammingdistance between two random variables.
For the reproducibility of a PUF class, distribution of Dintrapufi
has somestatistical properties.
Estimation of mean (µintraP ), standard deviation (∑
[DintraP ]),
histogram and order statistics should be found.
19 / 49
PUF Response Distances: inter distance
A PUF response inter distance is a random variable refers to thedistance between two responses from different PUF instances andusing the same challenge.
DinterP (x) , dist[Y (x);Y ′(x)],
with Y (x) and Y ′(x) two distinct random evaluations of two distinctPUF instances on the same challenge x.
For the reproducibility of a PUF class, distribution of Dinterpufi
has somestatistical properties.
Estimation of mean (µinterP ), standard deviation (∑
[DinterP ]),
histogram and order statistics should be found.
20 / 49
PUF Tests
Hamming distance 128
His
togr
am
Different challengeSame challenge
Intra-Distance
SC Inter-PUF
Hamming distance 128
His
togr
am
Different challengeSame challenge
Inter-Distance
Hamming distance 128
His
togr
am
SC Intra-PUF
Uniqueness
Quantative tests yield to model a PUF by Hori et al., Quantitativeand Statistical Performance Evaluation of Arbiter Physical UnclonableFunctions on FPGAs. ReConFig2010, pp.298-303, 2010.
21 / 49
Experimental uniqueness results
PUF No Nbits µinterP σinterPSRAM PUF 0 65536 49.59% 0.33%
1 65536 49.61% 0.33%2 65536 49.68% 0.31%3 65536 49.72% 0.30%
Arbiter PUF (basic) 0 65536 47.13% 0.44%
Arbiter PUF (2-XOR) 0 32768 49.74% 0.29%
Ring Oscillator PUF (L.G.) 0 12544 46.86% 0.48%
Latch PUF 0 8192 34.84% 1.20%1 8192 37.01% 1.23%2 8192 33.17% 1.62%3 8192 16.37% 2.02%
Inter-distances statistics (at nominal condition)Table taken from the book by R. Maes. Physically UnclonableFunctions: Constructions, Properties and Applications. Springer,2013.
22 / 49
Helper Data Algorithm or Fuzzy Extractor
Two problems are solved with HDA or FE:
1. PUF responses are noisy. Some processing has to be employed toremove the noise.
2. PUF responses are not generally uniformly random. Hence, aprocessing is required to transform the possibly unknown distribution ofthe physical measurements into a uniform distributed response value.
23 / 49
FE in Secure Key Generation
PUF
Measuring
RepetitionEncoding
BCHEncoding
Randomnumbers Measuring
PUF
Activation code orHelper data
RandomnessExtracting
BCH ErrorCorrecting
RepetitionDecoding
(1) Enrollment phase (2) Reconstruction phase
Activation code or
Helper data
Enrollment phase Reconstruction phaseGenerating activation code It is then used to obtain the K.
K ← PUF(x) K ′ ← PUF(x)C ← ECC-Encoding(r), r is random C ′ ← K ′ + hh← K + C C ← ECC-Decoding(C ′)
K ← C + h
24 / 49
Information Reconciliation
The action of eliminating noise found in the measurments is calledInformation Reconciliation.
Mapping the response X onto an element W of a set of Helper Data.
Helper Data has the following properties:
1. With a deterministic recovery function Rec, X can be recovered bymeans of W and a noisy response of the response X ′.
2. The amount of uncertainty about an unknown response X onlydecreases with a limited amount when W for that response is known.This loss of useful uncertainty is unavaoidable.
For the Helper Data W , the use of error correcting codes (ECC) isone of the solutions.
25 / 49
Privacy Amplification
Besides noise removal, to guarantee a uniform distribution of thederived keys is another important issue and called as PrivacyAmplification.
Approximation of the distribution is obtained by collecting a lot ofsamples from different PUFs.
There is a concept Strong Extractor:
Ext : {0, 1}n → {0, 1}l
It can transform a random variable X, with an unknown distribution,into a new random variable K, with a distribution close to uniform.
Strong extractors can be implemented as pairwise independentuniversal hash functions.
A non-uniform selection of a hash function or keep using the same hashfunction for all the time gives only a minor deviation from uniformity inthe distribution K.
26 / 49
BCH Code: Bose-Chaudhuri-Hoequenghem
A class of cyclic error correcting code
It is constructed in Finite Fields
It is a generalized parity code.
Binary BCH codes are more popular
Reed Solomon codes (RS) are a class of non-binary BCH codes
Some special types of BCH codes are called as Golay code:(23, 12), (31, 16), etc.
BCH (N,K, t) code can correct t bit errors
t =(N −K)
m(1)
where m is an integer such that N = 2m − 1.
27 / 49
BCH Code: Bose-Chaudhuri-Hoequenghem
A class of cyclic error correcting code
It is constructed in Finite Fields
It is a generalized parity code.
Binary BCH codes are more popular
Reed Solomon codes (RS) are a class of non-binary BCH codes
Some special types of BCH codes are called as Golay code:(23, 12), (31, 16), etc.
BCH (N,K, t) code can correct t bit errors
t =(N −K)
m(1)
where m is an integer such that N = 2m − 1.
27 / 49
BCH Code: Bose-Chaudhuri-Hoequenghem
A class of cyclic error correcting code
It is constructed in Finite Fields
It is a generalized parity code.
Binary BCH codes are more popular
Reed Solomon codes (RS) are a class of non-binary BCH codes
Some special types of BCH codes are called as Golay code:(23, 12), (31, 16), etc.
BCH (N,K, t) code can correct t bit errors
t =(N −K)
m(1)
where m is an integer such that N = 2m − 1.
27 / 49
BCH Code: Bose-Chaudhuri-Hoequenghem
A class of cyclic error correcting code
It is constructed in Finite Fields
It is a generalized parity code.
Binary BCH codes are more popular
Reed Solomon codes (RS) are a class of non-binary BCH codes
Some special types of BCH codes are called as Golay code:(23, 12), (31, 16), etc.
BCH (N,K, t) code can correct t bit errors
t =(N −K)
m(1)
where m is an integer such that N = 2m − 1.
27 / 49
BCH Code: Bose-Chaudhuri-Hoequenghem
A class of cyclic error correcting code
It is constructed in Finite Fields
It is a generalized parity code.
Binary BCH codes are more popular
Reed Solomon codes (RS) are a class of non-binary BCH codes
Some special types of BCH codes are called as Golay code:(23, 12), (31, 16), etc.
BCH (N,K, t) code can correct t bit errors
t =(N −K)
m(1)
where m is an integer such that N = 2m − 1.
27 / 49
BCH Code: Bose-Chaudhuri-Hoequenghem
A class of cyclic error correcting code
It is constructed in Finite Fields
It is a generalized parity code.
Binary BCH codes are more popular
Reed Solomon codes (RS) are a class of non-binary BCH codes
Some special types of BCH codes are called as Golay code:(23, 12), (31, 16), etc.
BCH (N,K, t) code can correct t bit errors
t =(N −K)
m(1)
where m is an integer such that N = 2m − 1.
27 / 49
BCH Code: Bose-Chaudhuri-Hoequenghem
A class of cyclic error correcting code
It is constructed in Finite Fields
It is a generalized parity code.
Binary BCH codes are more popular
Reed Solomon codes (RS) are a class of non-binary BCH codes
Some special types of BCH codes are called as Golay code:(23, 12), (31, 16), etc.
BCH (N,K, t) code can correct t bit errors
t =(N −K)
m(1)
where m is an integer such that N = 2m − 1.
27 / 49
BCH Code
Construction of (N,K, t) BCH Codeα is the primitive element in GF(pm)
N is the block length: N = 2m − 1
K is the message length
u(X) is the message polynomial whereu(X) = uK−1X
K−1 + · · ·+ u1X + u0
it is capable of correcting t errors
bit length of the redundancy is N −KN −K ≤ mtdmin ≥ 2t+ 1
g(X) is the generator polynomial and it is computed by LCM ofminimal polynomials
g(X) = LCM {Λ1(X), · · · ,Λ2t(X)}g(X) = gN−KX
N−K + · · ·+ g1X + g0
where Λi(X) is the minimal polynomials of αi, and Λi(X) = Λi×2(X)
28 / 49
BCH Code
Construction of (N,K, t) BCH Codeα is the primitive element in GF(pm)
N is the block length: N = 2m − 1
K is the message length
u(X) is the message polynomial whereu(X) = uK−1X
K−1 + · · ·+ u1X + u0
it is capable of correcting t errors
bit length of the redundancy is N −KN −K ≤ mtdmin ≥ 2t+ 1
g(X) is the generator polynomial and it is computed by LCM ofminimal polynomials
g(X) = LCM {Λ1(X), · · · ,Λ2t(X)}g(X) = gN−KX
N−K + · · ·+ g1X + g0
where Λi(X) is the minimal polynomials of αi, and Λi(X) = Λi×2(X)
28 / 49
BCH Code
Construction of (N,K, t) BCH Codeα is the primitive element in GF(pm)
N is the block length: N = 2m − 1
K is the message length
u(X) is the message polynomial whereu(X) = uK−1X
K−1 + · · ·+ u1X + u0
it is capable of correcting t errors
bit length of the redundancy is N −KN −K ≤ mtdmin ≥ 2t+ 1
g(X) is the generator polynomial and it is computed by LCM ofminimal polynomials
g(X) = LCM {Λ1(X), · · · ,Λ2t(X)}g(X) = gN−KX
N−K + · · ·+ g1X + g0
where Λi(X) is the minimal polynomials of αi, and Λi(X) = Λi×2(X)
28 / 49
BCH Code
Construction of (N,K, t) BCH Codeα is the primitive element in GF(pm)
N is the block length: N = 2m − 1
K is the message length
u(X) is the message polynomial whereu(X) = uK−1X
K−1 + · · ·+ u1X + u0
it is capable of correcting t errors
bit length of the redundancy is N −KN −K ≤ mtdmin ≥ 2t+ 1
g(X) is the generator polynomial and it is computed by LCM ofminimal polynomials
g(X) = LCM {Λ1(X), · · · ,Λ2t(X)}g(X) = gN−KX
N−K + · · ·+ g1X + g0
where Λi(X) is the minimal polynomials of αi, and Λi(X) = Λi×2(X)
28 / 49
BCH Code
Construction of (N,K, t) BCH Codeα is the primitive element in GF(pm)
N is the block length: N = 2m − 1
K is the message length
u(X) is the message polynomial whereu(X) = uK−1X
K−1 + · · ·+ u1X + u0
it is capable of correcting t errors
bit length of the redundancy is N −K
N −K ≤ mtdmin ≥ 2t+ 1
g(X) is the generator polynomial and it is computed by LCM ofminimal polynomials
g(X) = LCM {Λ1(X), · · · ,Λ2t(X)}g(X) = gN−KX
N−K + · · ·+ g1X + g0
where Λi(X) is the minimal polynomials of αi, and Λi(X) = Λi×2(X)
28 / 49
BCH Code
Construction of (N,K, t) BCH Codeα is the primitive element in GF(pm)
N is the block length: N = 2m − 1
K is the message length
u(X) is the message polynomial whereu(X) = uK−1X
K−1 + · · ·+ u1X + u0
it is capable of correcting t errors
bit length of the redundancy is N −KN −K ≤ mtdmin ≥ 2t+ 1
g(X) is the generator polynomial and it is computed by LCM ofminimal polynomials
g(X) = LCM {Λ1(X), · · · ,Λ2t(X)}g(X) = gN−KX
N−K + · · ·+ g1X + g0
where Λi(X) is the minimal polynomials of αi, and Λi(X) = Λi×2(X)
28 / 49
BCH Code
Construction of (N,K, t) BCH Codeα is the primitive element in GF(pm)
N is the block length: N = 2m − 1
K is the message length
u(X) is the message polynomial whereu(X) = uK−1X
K−1 + · · ·+ u1X + u0
it is capable of correcting t errors
bit length of the redundancy is N −KN −K ≤ mtdmin ≥ 2t+ 1
g(X) is the generator polynomial and it is computed by LCM ofminimal polynomials
g(X) = LCM {Λ1(X), · · · ,Λ2t(X)}g(X) = gN−KX
N−K + · · ·+ g1X + g0
where Λi(X) is the minimal polynomials of αi, and Λi(X) = Λi×2(X)28 / 49
Galois Field
GF(p)
Elements: {0, 1, 2, · · · , p− 1}p is prime and operation is “modulo-p” addition and multiplication
GF(pm)
Primitive polynomial of degree m over GF(p) with a root α
p(X) = Xm + pm−1Xm−1 + · · ·+ p1X + p0
Elements:{
0, 1, α, α2 · · · , αpm−2}p is prime and operation is “modulo-p” addition and multiplication
Construction
¬ f(X) = q(X)p(X) + r(X), where deg r < deg p.
αi = (ri,m−1, · · · , ri,1, ri,0)
29 / 49
Galois Field
GF(p)
Elements: {0, 1, 2, · · · , p− 1}p is prime and operation is “modulo-p” addition and multiplication
GF(pm)
Primitive polynomial of degree m over GF(p) with a root α
p(X) = Xm + pm−1Xm−1 + · · ·+ p1X + p0
Elements:{
0, 1, α, α2 · · · , αpm−2}p is prime and operation is “modulo-p” addition and multiplication
Construction
¬ f(X) = q(X)p(X) + r(X), where deg r < deg p.
αi = (ri,m−1, · · · , ri,1, ri,0)
29 / 49
Galois Field
GF(p)
Elements: {0, 1, 2, · · · , p− 1}p is prime and operation is “modulo-p” addition and multiplication
GF(pm)
Primitive polynomial of degree m over GF(p) with a root α
p(X) = Xm + pm−1Xm−1 + · · ·+ p1X + p0
Elements:{
0, 1, α, α2 · · · , αpm−2}
p is prime and operation is “modulo-p” addition and multiplication
Construction
¬ f(X) = q(X)p(X) + r(X), where deg r < deg p.
αi = (ri,m−1, · · · , ri,1, ri,0)
29 / 49
Galois Field
GF(p)
Elements: {0, 1, 2, · · · , p− 1}p is prime and operation is “modulo-p” addition and multiplication
GF(pm)
Primitive polynomial of degree m over GF(p) with a root α
p(X) = Xm + pm−1Xm−1 + · · ·+ p1X + p0
Elements:{
0, 1, α, α2 · · · , αpm−2}p is prime and operation is “modulo-p” addition and multiplication
Construction
¬ f(X) = q(X)p(X) + r(X), where deg r < deg p.
αi = (ri,m−1, · · · , ri,1, ri,0)
29 / 49
Galois Field
GF(p)
Elements: {0, 1, 2, · · · , p− 1}p is prime and operation is “modulo-p” addition and multiplication
GF(pm)
Primitive polynomial of degree m over GF(p) with a root α
p(X) = Xm + pm−1Xm−1 + · · ·+ p1X + p0
Elements:{
0, 1, α, α2 · · · , αpm−2}p is prime and operation is “modulo-p” addition and multiplication
Construction
¬ f(X) = q(X)p(X) + r(X), where deg r < deg p.
αi = (ri,m−1, · · · , ri,1, ri,0)
29 / 49
Enumeration of the elements of GF(24)
GF(24)
and p(X) = X4 + X + 1
Power Polynomial Binary Decimalrepresentation representation representation representation
0 0 0000 0α0 1 0001 1α1 α 0010 2α2 α2 0100 4α3 α3 1000 8α4 α+ 1 0011 3α5 α2 + α 0110 6α6 α3 + α2 1100 12α7 α3 + α+ 1 1011 11α8 α2 + 1 0101 5α9 α3 + α 1010 10α10 α2 + α+ 1 0111 7α11 α3 + α2 + α 1110 14α12 α3 + α2 + α+ 1 1111 15α13 α3 + α2 + 1 1101 13α14 α3 + 1 1001 9α15 1 0001 1
Click to go to Decoding30 / 49
Galois Field
Minimal polynomial of α
Λ(X) = λdXd + · · ·+ λ1X + λ0
where λi ∈ GF (p) and d is the least integer such that Λ(α)|α 6=0 = 0
Conjugates of α in GF(pm)
α, αp, αp2, · · · , αpm
It is due to: Λ(α) = Λ(αp) = Λ(αp2) = · · · = Λ(αp
m) = 0
Example α in GF(24)
and p(X) = X4 +X + 1
¬{α, α2, α4, α8
}, where min poly is X4 +X + 1
{α3, α6, α9, α12
}, → X4 +X3 +X2 +X + 1
®{α5, α10
}, → X2 +X + 1
¯{α7, α11, α13, α14
}, → X4 +X3 + 1
31 / 49
Galois Field
Minimal polynomial of α
Λ(X) = λdXd + · · ·+ λ1X + λ0
where λi ∈ GF (p) and d is the least integer such that Λ(α)|α 6=0 = 0
Conjugates of α in GF(pm)
α, αp, αp2, · · · , αpm
It is due to: Λ(α) = Λ(αp) = Λ(αp2) = · · · = Λ(αp
m) = 0
Example α in GF(24)
and p(X) = X4 +X + 1
¬{α, α2, α4, α8
}, where min poly is X4 +X + 1
{α3, α6, α9, α12
}, → X4 +X3 +X2 +X + 1
®{α5, α10
}, → X2 +X + 1
¯{α7, α11, α13, α14
}, → X4 +X3 + 1
31 / 49
Galois Field
Minimal polynomial of α
Λ(X) = λdXd + · · ·+ λ1X + λ0
where λi ∈ GF (p) and d is the least integer such that Λ(α)|α 6=0 = 0
Conjugates of α in GF(pm)
α, αp, αp2, · · · , αpm
It is due to: Λ(α) = Λ(αp) = Λ(αp2) = · · · = Λ(αp
m) = 0
Example α in GF(24)
and p(X) = X4 +X + 1
¬{α, α2, α4, α8
}, where min poly is X4 +X + 1
{α3, α6, α9, α12
}, → X4 +X3 +X2 +X + 1
®{α5, α10
}, → X2 +X + 1
¯{α7, α11, α13, α14
}, → X4 +X3 + 1
31 / 49
BCH Code: g(X)
Minimal polynomial sets: α in GF(24)
and p(X) = X4 +X + 1
¬{α, α2, α4, α8
}, where min poly is X4 +X + 1
{α3, α6, α9, α12
}, → X4 +X3 +X2 +X + 1
®{α5, α10
}, → X2 +X + 1
¯{α7, α11, α13, α14
}, → X4 +X3 + 1
When t = 2,
g(X) = LCM {Λ1(X),Λ3(X)}
When t = 3,
g(X) = LCM {Λ1(X),Λ3(X),Λ5(X)}
32 / 49
BCH Code: g(X)
Minimal polynomial sets: α in GF(24)
and p(X) = X4 +X + 1
¬{α, α2, α4, α8
}, where min poly is X4 +X + 1
{α3, α6, α9, α12
}, → X4 +X3 +X2 +X + 1
®{α5, α10
}, → X2 +X + 1
¯{α7, α11, α13, α14
}, → X4 +X3 + 1
When t = 2,
g(X) = LCM {Λ1(X),Λ3(X)}
When t = 3,
g(X) = LCM {Λ1(X),Λ3(X),Λ5(X)}
32 / 49
BCH Code: g(X)
Minimal polynomial sets: α in GF(24)
and p(X) = X4 +X + 1
¬{α, α2, α4, α8
}, where min poly is X4 +X + 1
{α3, α6, α9, α12
}, → X4 +X3 +X2 +X + 1
®{α5, α10
}, → X2 +X + 1
¯{α7, α11, α13, α14
}, → X4 +X3 + 1
When t = 2,
g(X) = LCM {Λ1(X),Λ3(X)}
When t = 3,
g(X) = LCM {Λ1(X),Λ3(X),Λ5(X)}
32 / 49
BCH Code Encoding
(N,K, t) BCH Code
c(X) = u(X) · g(X)
XN−Ku(X) = q(X) · g(X) + r(X)
c(X) = XN−Ku(X) + r(X)
Encoding as simple as computing polynomial modulo
r(X) = XN−Ku(X) mod g(X)
33 / 49
BCH Code Encoding
(N,K, t) BCH Code
c(X) = u(X) · g(X)
XN−Ku(X) = q(X) · g(X) + r(X)
c(X) = XN−Ku(X) + r(X)
Encoding as simple as computing polynomial modulo
r(X) = XN−Ku(X) mod g(X)
33 / 49
BCH Code Encoding: An Example
(15, 5, 3) BCH Code in GF(24)
and p(X) = X4 +X + 1
Message is (0, 1, 1, 0, 1) where u(X) = X4 +X2 +XN = 15, K = 5, t = 315− 5 ≤ 4× 3dmin ≥ 2× 3 + 1
g(X) = LCM {Λ1(X),Λ3(X),Λ5(X)}=(X4 +X + 1
)×(X4 +X3 +X2 +X + 1
)×(X2 +X + 1
)=(X10 +X8 +X5 +X4 +X2 +X + 1
)P (X) = X15−5u(X) =
(X14 +X12 +X11
)r(X) = P (X) mod g(X)
= X8 +X4 +X3 +X2 +X
c(X) = P (X) + r(X)
= X14 +X12 +X11 +X8 +X4 +X3 +X2 +X
Codeword:c = (0, 1, 1, 1, 1, 0, 0, 0, 1, 0, 0, 1, 1, 0, 1)
34 / 49
BCH Code Encoding: An Example
(15, 5, 3) BCH Code in GF(24)
and p(X) = X4 +X + 1Message is (0, 1, 1, 0, 1) where u(X) = X4 +X2 +X
N = 15, K = 5, t = 315− 5 ≤ 4× 3dmin ≥ 2× 3 + 1
g(X) = LCM {Λ1(X),Λ3(X),Λ5(X)}=(X4 +X + 1
)×(X4 +X3 +X2 +X + 1
)×(X2 +X + 1
)=(X10 +X8 +X5 +X4 +X2 +X + 1
)P (X) = X15−5u(X) =
(X14 +X12 +X11
)r(X) = P (X) mod g(X)
= X8 +X4 +X3 +X2 +X
c(X) = P (X) + r(X)
= X14 +X12 +X11 +X8 +X4 +X3 +X2 +X
Codeword:c = (0, 1, 1, 1, 1, 0, 0, 0, 1, 0, 0, 1, 1, 0, 1)
34 / 49
BCH Code Encoding: An Example
(15, 5, 3) BCH Code in GF(24)
and p(X) = X4 +X + 1Message is (0, 1, 1, 0, 1) where u(X) = X4 +X2 +XN = 15, K = 5, t = 3
15− 5 ≤ 4× 3dmin ≥ 2× 3 + 1
g(X) = LCM {Λ1(X),Λ3(X),Λ5(X)}=(X4 +X + 1
)×(X4 +X3 +X2 +X + 1
)×(X2 +X + 1
)=(X10 +X8 +X5 +X4 +X2 +X + 1
)P (X) = X15−5u(X) =
(X14 +X12 +X11
)r(X) = P (X) mod g(X)
= X8 +X4 +X3 +X2 +X
c(X) = P (X) + r(X)
= X14 +X12 +X11 +X8 +X4 +X3 +X2 +X
Codeword:c = (0, 1, 1, 1, 1, 0, 0, 0, 1, 0, 0, 1, 1, 0, 1)
34 / 49
BCH Code Encoding: An Example
(15, 5, 3) BCH Code in GF(24)
and p(X) = X4 +X + 1Message is (0, 1, 1, 0, 1) where u(X) = X4 +X2 +XN = 15, K = 5, t = 315− 5 ≤ 4× 3
dmin ≥ 2× 3 + 1
g(X) = LCM {Λ1(X),Λ3(X),Λ5(X)}=(X4 +X + 1
)×(X4 +X3 +X2 +X + 1
)×(X2 +X + 1
)=(X10 +X8 +X5 +X4 +X2 +X + 1
)P (X) = X15−5u(X) =
(X14 +X12 +X11
)r(X) = P (X) mod g(X)
= X8 +X4 +X3 +X2 +X
c(X) = P (X) + r(X)
= X14 +X12 +X11 +X8 +X4 +X3 +X2 +X
Codeword:c = (0, 1, 1, 1, 1, 0, 0, 0, 1, 0, 0, 1, 1, 0, 1)
34 / 49
BCH Code Encoding: An Example
(15, 5, 3) BCH Code in GF(24)
and p(X) = X4 +X + 1Message is (0, 1, 1, 0, 1) where u(X) = X4 +X2 +XN = 15, K = 5, t = 315− 5 ≤ 4× 3dmin ≥ 2× 3 + 1
g(X) = LCM {Λ1(X),Λ3(X),Λ5(X)}=(X4 +X + 1
)×(X4 +X3 +X2 +X + 1
)×(X2 +X + 1
)=(X10 +X8 +X5 +X4 +X2 +X + 1
)P (X) = X15−5u(X) =
(X14 +X12 +X11
)r(X) = P (X) mod g(X)
= X8 +X4 +X3 +X2 +X
c(X) = P (X) + r(X)
= X14 +X12 +X11 +X8 +X4 +X3 +X2 +X
Codeword:c = (0, 1, 1, 1, 1, 0, 0, 0, 1, 0, 0, 1, 1, 0, 1)
34 / 49
BCH Code Encoding: An Example
(15, 5, 3) BCH Code in GF(24)
and p(X) = X4 +X + 1Message is (0, 1, 1, 0, 1) where u(X) = X4 +X2 +XN = 15, K = 5, t = 315− 5 ≤ 4× 3dmin ≥ 2× 3 + 1
g(X) = LCM {Λ1(X),Λ3(X),Λ5(X)}
=(X4 +X + 1
)×(X4 +X3 +X2 +X + 1
)×(X2 +X + 1
)=(X10 +X8 +X5 +X4 +X2 +X + 1
)P (X) = X15−5u(X) =
(X14 +X12 +X11
)r(X) = P (X) mod g(X)
= X8 +X4 +X3 +X2 +X
c(X) = P (X) + r(X)
= X14 +X12 +X11 +X8 +X4 +X3 +X2 +X
Codeword:c = (0, 1, 1, 1, 1, 0, 0, 0, 1, 0, 0, 1, 1, 0, 1)
34 / 49
BCH Code Encoding: An Example
(15, 5, 3) BCH Code in GF(24)
and p(X) = X4 +X + 1Message is (0, 1, 1, 0, 1) where u(X) = X4 +X2 +XN = 15, K = 5, t = 315− 5 ≤ 4× 3dmin ≥ 2× 3 + 1
g(X) = LCM {Λ1(X),Λ3(X),Λ5(X)}=(X4 +X + 1
)×(X4 +X3 +X2 +X + 1
)×(X2 +X + 1
)
=(X10 +X8 +X5 +X4 +X2 +X + 1
)P (X) = X15−5u(X) =
(X14 +X12 +X11
)r(X) = P (X) mod g(X)
= X8 +X4 +X3 +X2 +X
c(X) = P (X) + r(X)
= X14 +X12 +X11 +X8 +X4 +X3 +X2 +X
Codeword:c = (0, 1, 1, 1, 1, 0, 0, 0, 1, 0, 0, 1, 1, 0, 1)
34 / 49
BCH Code Encoding: An Example
(15, 5, 3) BCH Code in GF(24)
and p(X) = X4 +X + 1Message is (0, 1, 1, 0, 1) where u(X) = X4 +X2 +XN = 15, K = 5, t = 315− 5 ≤ 4× 3dmin ≥ 2× 3 + 1
g(X) = LCM {Λ1(X),Λ3(X),Λ5(X)}=(X4 +X + 1
)×(X4 +X3 +X2 +X + 1
)×(X2 +X + 1
)=(X10 +X8 +X5 +X4 +X2 +X + 1
)
P (X) = X15−5u(X) =(X14 +X12 +X11
)r(X) = P (X) mod g(X)
= X8 +X4 +X3 +X2 +X
c(X) = P (X) + r(X)
= X14 +X12 +X11 +X8 +X4 +X3 +X2 +X
Codeword:c = (0, 1, 1, 1, 1, 0, 0, 0, 1, 0, 0, 1, 1, 0, 1)
34 / 49
BCH Code Encoding: An Example
(15, 5, 3) BCH Code in GF(24)
and p(X) = X4 +X + 1Message is (0, 1, 1, 0, 1) where u(X) = X4 +X2 +XN = 15, K = 5, t = 315− 5 ≤ 4× 3dmin ≥ 2× 3 + 1
g(X) = LCM {Λ1(X),Λ3(X),Λ5(X)}=(X4 +X + 1
)×(X4 +X3 +X2 +X + 1
)×(X2 +X + 1
)=(X10 +X8 +X5 +X4 +X2 +X + 1
)P (X) = X15−5u(X) =
(X14 +X12 +X11
)
r(X) = P (X) mod g(X)
= X8 +X4 +X3 +X2 +X
c(X) = P (X) + r(X)
= X14 +X12 +X11 +X8 +X4 +X3 +X2 +X
Codeword:c = (0, 1, 1, 1, 1, 0, 0, 0, 1, 0, 0, 1, 1, 0, 1)
34 / 49
BCH Code Encoding: An Example
(15, 5, 3) BCH Code in GF(24)
and p(X) = X4 +X + 1Message is (0, 1, 1, 0, 1) where u(X) = X4 +X2 +XN = 15, K = 5, t = 315− 5 ≤ 4× 3dmin ≥ 2× 3 + 1
g(X) = LCM {Λ1(X),Λ3(X),Λ5(X)}=(X4 +X + 1
)×(X4 +X3 +X2 +X + 1
)×(X2 +X + 1
)=(X10 +X8 +X5 +X4 +X2 +X + 1
)P (X) = X15−5u(X) =
(X14 +X12 +X11
)r(X) = P (X) mod g(X)
= X8 +X4 +X3 +X2 +X
c(X) = P (X) + r(X)
= X14 +X12 +X11 +X8 +X4 +X3 +X2 +X
Codeword:c = (0, 1, 1, 1, 1, 0, 0, 0, 1, 0, 0, 1, 1, 0, 1)
34 / 49
BCH Code Encoding: An Example
(15, 5, 3) BCH Code in GF(24)
and p(X) = X4 +X + 1Message is (0, 1, 1, 0, 1) where u(X) = X4 +X2 +XN = 15, K = 5, t = 315− 5 ≤ 4× 3dmin ≥ 2× 3 + 1
g(X) = LCM {Λ1(X),Λ3(X),Λ5(X)}=(X4 +X + 1
)×(X4 +X3 +X2 +X + 1
)×(X2 +X + 1
)=(X10 +X8 +X5 +X4 +X2 +X + 1
)P (X) = X15−5u(X) =
(X14 +X12 +X11
)r(X) = P (X) mod g(X)
= X8 +X4 +X3 +X2 +X
c(X) = P (X) + r(X)
= X14 +X12 +X11 +X8 +X4 +X3 +X2 +X
Codeword:c = (0, 1, 1, 1, 1, 0, 0, 0, 1, 0, 0, 1, 1, 0, 1)
34 / 49
BCH Code Encoding: An Example
(15, 5, 3) BCH Code in GF(24)
and p(X) = X4 +X + 1Message is (0, 1, 1, 0, 1) where u(X) = X4 +X2 +XN = 15, K = 5, t = 315− 5 ≤ 4× 3dmin ≥ 2× 3 + 1
g(X) = LCM {Λ1(X),Λ3(X),Λ5(X)}=(X4 +X + 1
)×(X4 +X3 +X2 +X + 1
)×(X2 +X + 1
)=(X10 +X8 +X5 +X4 +X2 +X + 1
)P (X) = X15−5u(X) =
(X14 +X12 +X11
)r(X) = P (X) mod g(X)
= X8 +X4 +X3 +X2 +X
c(X) = P (X) + r(X)
= X14 +X12 +X11 +X8 +X4 +X3 +X2 +X
Codeword:c = (0, 1, 1, 1, 1, 0, 0, 0, 1, 0, 0, 1, 1, 0, 1)
34 / 49
BCH Code Encoding: An Example
(15, 5, 3) BCH Code in GF(24)
and p(X) = X4 +X + 1Message is (0, 1, 1, 0, 1) where u(X) = X4 +X2 +XN = 15, K = 5, t = 315− 5 ≤ 4× 3dmin ≥ 2× 3 + 1
g(X) = LCM {Λ1(X),Λ3(X),Λ5(X)}=(X4 +X + 1
)×(X4 +X3 +X2 +X + 1
)×(X2 +X + 1
)=(X10 +X8 +X5 +X4 +X2 +X + 1
)P (X) = X15−5u(X) =
(X14 +X12 +X11
)r(X) = P (X) mod g(X)
= X8 +X4 +X3 +X2 +X
c(X) = P (X) + r(X)
= X14 +X12 +X11 +X8 +X4 +X3 +X2 +X
Codeword:c = (0, 1, 1, 1, 1, 0, 0, 0, 1, 0, 0, 1, 1, 0, 1)
34 / 49
BCH Code Encoding: An Example
(15, 5, 3) BCH Code in GF(24)
and p(X) = X4 +X + 1Message is (0, 1, 1, 0, 1) where u(X) = X4 +X2 +XN = 15, K = 5, t = 315− 5 ≤ 4× 3dmin ≥ 2× 3 + 1
g(X) = LCM {Λ1(X),Λ3(X),Λ5(X)}=(X4 +X + 1
)×(X4 +X3 +X2 +X + 1
)×(X2 +X + 1
)=(X10 +X8 +X5 +X4 +X2 +X + 1
)P (X) = X15−5u(X) =
(X14 +X12 +X11
)r(X) = P (X) mod g(X)
= X8 +X4 +X3 +X2 +X
c(X) = P (X) + r(X)
= X14 +X12 +X11 +X8 +X4 +X3 +X2 +X
Codeword:c = (0, 1, 1, 1, 1, 0, 0, 0, 1, 0, 0, 1, 1, 0, 1) 34 / 49
Parity Check Matrix H
c(αi) = cN−1αN−1i+ · · ·+ c1α
i + c0 = 0 for 1 ≤ i ≤ 2tIt is because
g(X)|c(X) andg(α) = g(α2) = · · · = g(α2t) = 0
Then, parity check matrix: cHT = 0
H =
1 α α2 · · · αN−1
1 α2 (α2)2 · · · (α2)N−1
......
.... . .
...1 α2t (α2t)2 · · · (α2t)N−1
35 / 49
Syndrome and Error Location
Received data: r = c + e
The noise: e = (e0, e1, · · · , eN−1) where ej ∈ {0, 1}Computation of syndrome:
S = rHT = (c + e)HT
= eHT = (S1, S2, · · · , S2t)
Si =
N−1∑j=0
ejαij , for i = 1, 2, · · · , 2t
= e(αi) because
e(X) = eN−1XN−1 + · · ·+ e1X + e0
Where v ≤ t, v errors exists at j1, j2, · · · , jv(0 ≤ j1 < j2 < · · · < jv < N)
e(X) = Xj1 +Xj2 + · · ·+Xjv
36 / 49
Error Locator Polynomial
Si = e(αi) = (αj1)i + (αj2)i + · · ·+ (αjv)i, for i = 1, 2, · · · , 2tSolving 2t equations will give the set(
αj1 , αj2 , · · · , αjv)
Error locations are (j1, j2, · · · , jv)
Location numbers of error is denoted as βl = αjl
Syndrome is also computed with respecto βls
S1 = β1 + β2 + · · ·+ βv
S2 = β21 + β22 + · · ·+ β2v...
S2t = β2t1 + β2t2 + · · ·+ β2tv
37 / 49
Error Locator Polynomial
Error locator polynomial is denoted with σ(X) and
σ(X) = (1 + β1X)(1 + β2X) · · · (1 + βvX)
= σvXv + · · ·+ σ1X + σ0
Roots of σ(X) is (β−11 , β−12 , · · · , β−1v )Finding the roots of σ(X) will reveal the error locationsError locations are simply the inverse of the roots of σ(X)
38 / 49
BCH Decoding
1 Syndrome computation
2 Computing the error locator polynomial σ(X)
Peterson-Gorenstein-Zierler algorithmBerlekamp-Massey algorithmEuclid’s algorithm
3 Finding error location: Chien search for v roots
4 Correcting the errors
Decoding result is simply (r− e)
39 / 49
Peterson-Gorenstein-Zierler algorithm¬ Initialize v = t
Compute the determinant of M
det(M) =
S1 S2 · · · SvS2 S3 · · · Sv+1...
.... . .
...Sv Sv+1 · · · S2v−1
® Find the correct value of v: it may less than t{
go to step 4 det(M) 6= 0
v ← v − 1, and then go to step 2 det(M) = 0
¯ Invert M° Compute σ(X) by simply multiplying M−1 by a syndrome vector
σvσv−1
...σ1
= M−1
− Sv+1
−Sv+2...−S2v
40 / 49
Peterson-Gorenstein-Zierler algorithm¬ Initialize v = t Compute the determinant of M
det(M) =
S1 S2 · · · SvS2 S3 · · · Sv+1...
.... . .
...Sv Sv+1 · · · S2v−1
® Find the correct value of v: it may less than t{go to step 4 det(M) 6= 0
v ← v − 1, and then go to step 2 det(M) = 0
¯ Invert M° Compute σ(X) by simply multiplying M−1 by a syndrome vector
σvσv−1
...σ1
= M−1
− Sv+1
−Sv+2...−S2v
40 / 49
Peterson-Gorenstein-Zierler algorithm¬ Initialize v = t Compute the determinant of M
det(M) =
S1 S2 · · · SvS2 S3 · · · Sv+1...
.... . .
...Sv Sv+1 · · · S2v−1
® Find the correct value of v: it may less than t{
go to step 4 det(M) 6= 0
v ← v − 1, and then go to step 2 det(M) = 0
¯ Invert M° Compute σ(X) by simply multiplying M−1 by a syndrome vector
σvσv−1
...σ1
= M−1
− Sv+1
−Sv+2...−S2v
40 / 49
Peterson-Gorenstein-Zierler algorithm¬ Initialize v = t Compute the determinant of M
det(M) =
S1 S2 · · · SvS2 S3 · · · Sv+1...
.... . .
...Sv Sv+1 · · · S2v−1
® Find the correct value of v: it may less than t{
go to step 4 det(M) 6= 0
v ← v − 1, and then go to step 2 det(M) = 0
¯ Invert M
° Compute σ(X) by simply multiplying M−1 by a syndrome vectorσvσv−1
...σ1
= M−1
− Sv+1
−Sv+2...−S2v
40 / 49
Peterson-Gorenstein-Zierler algorithm¬ Initialize v = t Compute the determinant of M
det(M) =
S1 S2 · · · SvS2 S3 · · · Sv+1...
.... . .
...Sv Sv+1 · · · S2v−1
® Find the correct value of v: it may less than t{
go to step 4 det(M) 6= 0
v ← v − 1, and then go to step 2 det(M) = 0
¯ Invert M° Compute σ(X) by simply multiplying M−1 by a syndrome vector
σvσv−1
...σ1
= M−1
− Sv+1
−Sv+2...−S2v
40 / 49
BCH Code Decoding: An Example
(15, 5, 3) BCH Code in GF(24)
and p(X) = X4 +X + 1
g(X) = LCM {Λ1(X),Λ3(X),Λ5(X)}= X10 +X8 +X5 +X4 +X2 +X + 1
∗c(X) = X14 +X12 +X11 +X8 +X4 +X3 +X2 +X
e(X) = X14 +X3
Then, received codeword is r(X) = X12 +X11 +X8 +X4 +X2 +X
First, computing the syndrome
S1 = r(α) = 1 S2 = r(α2) = 1 S3 = r(α3) = α8
S4 = r(α4) = 1 S5 = r(α5) = α5 S6 = r(α6) = α
∗Same codeword as in Encoding example41 / 49
BCH Code Decoding: An Example
(15, 5, 3) BCH Code in GF(24)
and p(X) = X4 +X + 1
g(X) = LCM {Λ1(X),Λ3(X),Λ5(X)}= X10 +X8 +X5 +X4 +X2 +X + 1
∗c(X) = X14 +X12 +X11 +X8 +X4 +X3 +X2 +X
e(X) = X14 +X3
Then, received codeword is r(X) = X12 +X11 +X8 +X4 +X2 +X
First, computing the syndrome
S1 = r(α) = 1 S2 = r(α2) = 1 S3 = r(α3) = α8
S4 = r(α4) = 1 S5 = r(α5) = α5 S6 = r(α6) = α
∗Same codeword as in Encoding example41 / 49
BCH Code Decoding: An Example
¬ v = t = 3
Computing determinant of M
det(M) =
S1 S2 S3S2 S3 S4S3 S4 S5
=
1 1 α8
1 α8 1α8 1 α5
= 0
® det(M) = 0, then go to step 2 with v = v − 1 = 2
Computing determinant of new M
det(M) =
[S1 S2S2 S3
]=
[1 11 α8
]= α2
® det(M) = α2, then go to step 4
Look at the Table42 / 49
BCH Code Decoding: An Example
¬ v = t = 3
Computing determinant of M
det(M) =
S1 S2 S3S2 S3 S4S3 S4 S5
=
1 1 α8
1 α8 1α8 1 α5
= 0
® det(M) = 0, then go to step 2 with v = v − 1 = 2
Computing determinant of new M
det(M) =
[S1 S2S2 S3
]=
[1 11 α8
]= α2
® det(M) = α2, then go to step 4
Look at the Table42 / 49
BCH Code Decoding: An Example
¬ v = t = 3
Computing determinant of M
det(M) =
S1 S2 S3S2 S3 S4S3 S4 S5
=
1 1 α8
1 α8 1α8 1 α5
= 0
® det(M) = 0, then go to step 2 with v = v − 1 = 2
Computing determinant of new M
det(M) =
[S1 S2S2 S3
]=
[1 11 α8
]= α2
® det(M) = α2, then go to step 4
Look at the Table42 / 49
BCH Code Decoding: An Example
¬ v = t = 3
Computing determinant of M
det(M) =
S1 S2 S3S2 S3 S4S3 S4 S5
=
1 1 α8
1 α8 1α8 1 α5
= 0
® det(M) = 0, then go to step 2 with v = v − 1 = 2
Computing determinant of new M
det(M) =
[S1 S2S2 S3
]=
[1 11 α8
]= α2
® det(M) = α2, then go to step 4
Look at the Table42 / 49
BCH Code Decoding: An Example
¬ v = t = 3
Computing determinant of M
det(M) =
S1 S2 S3S2 S3 S4S3 S4 S5
=
1 1 α8
1 α8 1α8 1 α5
= 0
® det(M) = 0, then go to step 2 with v = v − 1 = 2
Computing determinant of new M
det(M) =
[S1 S2S2 S3
]=
[1 11 α8
]= α2
® det(M) = α2, then go to step 4
Look at the Table42 / 49
BCH Code Decoding: An Example
¯ Inverting M
M−1 =
[α6 α13
α13 α13
]
° Computing σ(X) [σ2σ1
]=
[α6 α13
α13 α13
] [α8
1
]=
[α2
1
]σ(X) = α2X2 +X + 1
σ(X) will tell you the location of the errors
σ(α) = 0, σ(α2) = α14, · · · σ(α12) = 0
After finding the roots, we now compute the inverse of the roots αand α12
α−1 = α14
α−12 = α3
43 / 49
BCH Code Decoding: An Example
¯ Inverting M
M−1 =
[α6 α13
α13 α13
]° Computing σ(X) [
σ2σ1
]=
[α6 α13
α13 α13
] [α8
1
]=
[α2
1
]σ(X) = α2X2 +X + 1
σ(X) will tell you the location of the errors
σ(α) = 0, σ(α2) = α14, · · · σ(α12) = 0
After finding the roots, we now compute the inverse of the roots αand α12
α−1 = α14
α−12 = α3
43 / 49
BCH Code Decoding: An Example
¯ Inverting M
M−1 =
[α6 α13
α13 α13
]° Computing σ(X) [
σ2σ1
]=
[α6 α13
α13 α13
] [α8
1
]=
[α2
1
]σ(X) = α2X2 +X + 1
σ(X) will tell you the location of the errors
σ(α) = 0, σ(α2) = α14, · · · σ(α12) = 0
After finding the roots, we now compute the inverse of the roots αand α12
α−1 = α14
α−12 = α3
43 / 49
BCH Code Decoding: An Example
¯ Inverting M
M−1 =
[α6 α13
α13 α13
]° Computing σ(X) [
σ2σ1
]=
[α6 α13
α13 α13
] [α8
1
]=
[α2
1
]σ(X) = α2X2 +X + 1
σ(X) will tell you the location of the errors
σ(α) = 0, σ(α2) = α14, · · · σ(α12) = 0
After finding the roots, we now compute the inverse of the roots αand α12
α−1 = α14
α−12 = α3
43 / 49
BCH Code Decoding: An Example
¯ Inverting M
M−1 =
[α6 α13
α13 α13
]° Computing σ(X) [
σ2σ1
]=
[α6 α13
α13 α13
] [α8
1
]=
[α2
1
]σ(X) = α2X2 +X + 1
σ(X) will tell you the location of the errors
σ(α) = 0, σ(α2) = α14, · · · σ(α12) = 0
After finding the roots, we now compute the inverse of the roots αand α12
α−1 = α14
α−12 = α3
43 / 49
BCH Code Decoding: An Example
Finally, e(X) = X14 +X3
Corrected codeword:
r(X) + e(X) = X14 +X12 +X11 +X8 +X4 +X3 +X2 +X
c̄ = (0, 1, 1, 1, 1, 0, 0, 0, 1, 0, 0, 1, 1, 0, 1)
44 / 49
Security of PUF
EntropyPUF should have sufficient amount of randomness
PUF type Entropy per 1000 bits
SRAM PUF 950Delay PUF 130Butterfly PUF 600
Tamper evidenceRead-proof hardware against invasive and non-invasive
Invasive attacks make the chip functionally destroyed
Currently, there is no non-invasive attack that gives information aboutthe PUF
UnclonabilityUnique physical property of PUF is translating into a bitstream
This physical property prevents constructing a same PUF
Keep the challenge response pairs secret
45 / 49
Security of PUF
EntropyPUF should have sufficient amount of randomness
PUF type Entropy per 1000 bits
SRAM PUF 950Delay PUF 130Butterfly PUF 600
Tamper evidenceRead-proof hardware against invasive and non-invasive
Invasive attacks make the chip functionally destroyed
Currently, there is no non-invasive attack that gives information aboutthe PUF
UnclonabilityUnique physical property of PUF is translating into a bitstream
This physical property prevents constructing a same PUF
Keep the challenge response pairs secret
45 / 49
Security of PUF
EntropyPUF should have sufficient amount of randomness
PUF type Entropy per 1000 bits
SRAM PUF 950Delay PUF 130Butterfly PUF 600
Tamper evidenceRead-proof hardware against invasive and non-invasive
Invasive attacks make the chip functionally destroyed
Currently, there is no non-invasive attack that gives information aboutthe PUF
UnclonabilityUnique physical property of PUF is translating into a bitstream
This physical property prevents constructing a same PUF
Keep the challenge response pairs secret
45 / 49
Effects of Environmental Parameters on PUF
Die temperature and supply voltage
Heavily affect the delay in ring oscillator PUFs
Less affect the arbiter PU due to the differential measurement
46 / 49
Threats to PUFs
Modeling CRPs proposed by Ruhrmair et al. Modeling Attacks onPhysical Unclonable Functions. CCS, 2010.
delay-based PUF constructions can be modeled using ML algorithms.
CRPs should not be made public in protocols.
Required a Trust to Manufacturers
Helfmeier et al. cloned an SRAM PUF with a failure analysisequipment in at HOST 2013. Cloning Physically UnclonableFunctions.
Nedospasov et al. described successful invasive attempts on SRAMPUFs at FDTC 2013. Invasive PUF Analysis.
EM analyses on RO PUFs have been carried out by Merli et al. atWESS 2011. Semi-invasive EM attack on FPGA RO PUFs andcountermeasures.
47 / 49
Threats to PUFs
Modeling CRPs proposed by Ruhrmair et al. Modeling Attacks onPhysical Unclonable Functions. CCS, 2010.
delay-based PUF constructions can be modeled using ML algorithms.
CRPs should not be made public in protocols.
Required a Trust to Manufacturers
Helfmeier et al. cloned an SRAM PUF with a failure analysisequipment in at HOST 2013. Cloning Physically UnclonableFunctions.
Nedospasov et al. described successful invasive attempts on SRAMPUFs at FDTC 2013. Invasive PUF Analysis.
EM analyses on RO PUFs have been carried out by Merli et al. atWESS 2011. Semi-invasive EM attack on FPGA RO PUFs andcountermeasures.
47 / 49
References
I would like to acknowledge:
R. Maes. Physically Unclonable Functions:Constructions, Properties and Applications. Springer, 2013.
D.S. Boning and S.R. Nassif. Models of process variations in deviceand interconnect. Design of High Performance Microprocessor Circuit.IEEE Press, 2000.
R. Maes and P. Tuyls. Process variations for security: PUFs. Chapter 7of Secure Integrated Circuits and Systems. Editor Ingrid M.R.Verbauwhede, Springer 2009.
Ahmad-Reza Sadeghi and David Naccache. Towards Hardware-IntrinsicSecurity: Foundations and Practice (1st ed.). Springer-Verlag NewYork, Inc., New York, NY, USA.
48 / 49
Thank you for your attention
Questions?
49 / 49