Redshift: Manipulating Signal Propagation Delay via Continuous-Wave Lasers

. We propose a new laser injection attack Redshift that manipulates signal propagation delay, allowing for precise control of oscillator frequencies and other behaviors in delay-sensitive circuits. The target circuits have a signiﬁcant sensitivity to light, and a low-power continuous-wave laser, similar to a laser pointer, is suﬃcient for the attack. This is in contrast to previous fault injection attacks that use high-powered laser pulses to ﬂip digital bits. This signiﬁcantly reduces the cost of the attack and extends the range of possible attackers. Moreover, the attack potentially evades sensor-based countermeasures conﬁgured for conventional pulse lasers. To demonstrate Redshift, we target ring-oscillator and arbiter PUFs that are used in cryptographic applications. By precisely controlling signal propagation delays within these circuits, an attacker can control the output of a PUF to perform a state-recovery attack and reveal a secret key. We ﬁnally discuss the physical causality of the attack and potential countermeasures.


Introduction
There is a continuous demand for network-enabled embedded devices to extend evergrowing information technologies further into the physical world. Unfortunately, any new technology always comes with new attack surfaces; such embedded devices are exposed to local attackers with physical access. Ensuring security against local attackers is a challenging task because they can use physical attacks including side-channel attacks [MOP07] and fault-injection attacks [DFM + 11, JT12,KSV13]. The attacks pose realistic threats to otherwise secure embedded devices, such as smartcards, and researchers have been studying new attacks and countermeasures for more than two decades.
Laser fault injection (LFI) induces faults on a target chip by applying laser stimulation [SA02]. Among many ways to inject faults [DFM + 11, JT12,KSV13], LFI is considered particularly effective because of its high spatial selectivity. By illuminating a particular coordinate with a tiny laser spot, an attacker can induce precise faults such as a single bit flip in a particular address in memory. This is in contrast to the other fault-injection methods, such as clock glitching, that globally affect a target chip. The industry considers LFI a realistic threat and certification schemes (e.g., EAL5+ in Common Criteria [Joi20]) require penetration testing against LFI. To support this ecosystem, several vendors sell LFI instruments for security assessment [Risb, Alpa].
The conventional LFI focuses on digital circuits that implement cryptographic algorithms [DBC + 18]. The state-of-the-art LFI setup is optimized for the peak laser power needed for a successful bitflip in digital circuits. Such a modern LFI setup is extremely expensive, typically costing more than $100,000, and is only available to well-funded attackers.
Besides LFI, there are several light-induced interferences in the wild. Xenon Death Flash [Upt15] is an issue found in Raspberry Pi 2, wherein illuminating the circuit board with a camera flash causes the system to reboot. The light interfered with a voltage regulator in a bare-silicon package and caused the problem. Another example is Light Commands [SCR + 20] that silently injects voice commands to MEMS microphones with a low-power, modulated laser. The researchers identified that an ASIC inside the microphone package is one of the causes. The laser light reached the ASIC through the microphone's acoustic port and induced an electrical signal representing false audio accepted by the computer system as authentic audio.
The interesting gap between the above two attacks motivated our study. On the one hand, a conventional LFI needs an optimized high-power and short-pulse laser. On the other hand, ordinary camera flashes and laser pointers were sufficient to cause interference. The gap led us to the hypothesis that certain analog and timing circuits are more sensitive to light because they handle more variation in voltage and delay than digital circuits. If this hypothesis is correct, more light-sensitive targets opens another direction of low-cost laser injection attacks [SA02,SH07,GGS17] that extend the potential attackers from well-funded organizations to individuals with low-cost equipment.
Among many analog circuits, we focus on the ones using signal propagation delay, namely delay-sensitive circuits. They are common in cryptographic modules for realizing non-digital features using logic gates only, e.g., physically unclonable functions (PUFs) [Mae13], random-number generators [MM09], and on-chip sensors [HBB + 16]. In particular, we set the ring-oscillator PUF (RO-PUF) and the arbiter PUF (A-PUF) as our targets, suspecting that laser injection would circumvent implicit assumptions of some PUF threat models.

Preliminary
We briefly summarize the conventional works on LFI, PUF, and its attack.

Laser Fault Injection
Semiconductor circuits are inherently sensitive to incident light energy, which can cause soft errors similar to those generated by ionizing radiation [Hab65]. Skorobogatov and Anderson first exploited such light-induced errors to attack smartcards and microcontrollers [SA02]. The attack using a laser, i.e., LFI, has several advantages over other fault-injection methods such as clock and voltage glitching. In particular, LFI enables a more precise and stealthy attack by selectively illuminating a particular coordinate. Consequently, many research works began to thoroughly investigate LFI and its applications to many different circuits [KSV13,DFM + 11]. In the meantime, the industry has established the ecosystem for evaluating and certifying the resistance against LFI [Risb,Alpa,Joi20].
A parasitic photodiode explains the physical causality behind LFI [MFS + 18]. Without an electrical field on the gate terminal, a MOS transistor prevents a current flowing between the source and drain terminals. A reverse PN junction between the substrate and the highly doped regions contributes to this electrical isolation, and this PN junction acts as a parasitic photodiode under laser stimulation. When laser light reaches the junction, it generates electron-hole pairs by the photoelectric effect. The generation of these carriers in the presence of the built-in electric field causes a current flow between otherwise non-conducting transistor terminals. If this photocurrent disturbs a voltage signal to an intermediate level, it can result in a bitflip. Further details about the causality are discussed in Section 8.1.
Since digital circuits periodically refresh their electrical states at clock edges, the attacker needs to inject enough optical energy within a clock cycle to cause a bitflip. But if too much energy is injected, it can cause heat buildup and permanent damage to the device. Therefore short, high-power laser pulses are necessary for a successful attack against these digital circuits. For example, a 1064-nm single-mode laser in Riscure's Laser Station 2 emits a pulse as narrow as 2 nanoseconds, with its peak power reaching 4.6 watts [Risb].
Short-pulse lasers are on the cutting edge of optical engineering, requiring special techniques such as Q-switching [Risa] and optical amplification [Alpb], which significantly increases the instruments' cost. Breier et al. reported the cost of around €150,000 [BJ15]. Meanwhile, van Woudenberg et al. estimated the cost ranging from $50,000 to $150,000 [vWWM11]. Similarly, the Joint Interpretation Library (JIL), a working group organized for certifying cryptographic modules, categorizes the high-end laser station as specialized, rated between €10,000-200,000 [Joi20].

PUFs and their Application to Secure Key Storage
Physical Unclonable Functions (PUFs) are circuits that provide device-unique identifiers that are used in cryptographic modules [Mae13]. The key idea is to extract uniqueness from slight differences in each transistor (e.g., threshold voltage) due to manufacturing process variation. Researchers have been designing sophisticated circuits that efficiently harvest device-specific uniqueness with a variety of mechanisms. Some PUFs use digital components only and are available on FPGAs and semi-custom ASICs [GKST07]. Here, variation in signal propagation delay is frequently used to extract device-unique features using digital components.

Ring-Oscillator PUF (RO-PUF) [SD07]
The RO-PUF uses oscillation frequencies of ring oscillators as a source of uniqueness. Each logic gate has a different propagation delay due to several manufacturing variations such as transistor sizes and dopant density. The RO-PUF efficiently extracts such variation using oscillators. The RO-PUF has a set of ring oscillators and uses their relative frequencies for generating a state.

Arbiter PUF (A-PUF) [LLG + 05]
The A-PUF also uses propagation delays in logic gates but with another circuit. In an A-PUF, a step signal is sent to two distinct electrical paths with slight differences in propagation delay due to device variation. An arbiter circuit determines the faster path, which is used as a binary output. Using cascaded selectors, it configures the electrical paths using challenge bits.

SRAM PUF [GKST07, HBF07]
A 1-bit SRAM cell has two electrically stable states corresponding to the stored bit value. Once a cell moves to a stable state, it will stay there until a write operation overwrites it. When a chip is turned on, each SRAM cell starts from an unstable state and eventually converges to one of the two stable states. The destination is determined by manufacturing variation. Therefore, the SRAM PUF reads the SRAM's initial values and uses them as a PUF state [GKST07,HBF07].

Secure Key Storage Using PUF
A common PUF application is secure key management with the key encryption key (KEK) [Int20]. We denote a binary string from a PUF as the PUF state s. There are techniques for securely correcting errors in s, e.g., fuzzy extractor [GKST07]. As a result, PUF provides an error-free and device-unique key k PUF , which stays within the chip during its lifetime. The system encapsulates a pre-shared key k using k PUF : (1) The system generates c k at an enroll phase and stores it in external non-volatile memory.
In each bootup, the system (i) generates k PUF by calling a PUF, (ii) retrieves c k from the non-volatile memory, and (iii) recovers k by decrypting c k with k PUF . The system finally provides a cryptographic service using k. Those keys disappear when the device is powered down, providing security against static reverse engineering attacks [TJ11,CSW16]. PUF-based key storage has several real-world applications. In particular, NXP Semiconductors' LPC55Sxx devices provide a set of APIs for realizing KEK using SRAM PUF [Sem19]. Other vendors use delay-sensitive PUFs for PUF-based key storage, e.g., A-PUF [DZ04]  ifx = x then returnŝ 5: end for 6: return ⊥

Zeitouni et al's Attack on SRAM PUF [ZOW + 16]
There are several side-channel and fault-injection attacks on PUF [Taj17]. In particular, Zeitouni et al. proposed a sophisticated attack on key storage using an SRAM PUF. The attack exploits the remanence effect: a phenomenon that an SRAM cell preserves its data for a short period after power is off [HBF07]. By exploiting the remanence effect, an attacker can partially control the PUF state.
In a normal case, the SRAM PUF generates a PUF state s PUF , which is secret from the attacker. The attacker can send a query q and obtain a response Dev[s PUF ](q). Here, Dev[·](·) abstracts a service using the PUF state; for example, the system recovers a preshared key k from s PUF as described in Section 2.2.1 and returns a ciphertext obtained by encrypting q with k for challenge-and-response authentication. Here, Dev[·](·) is assumed to be public. Figure 1 illustrates the attack process. First, the attacker writes zeroes to the target SRAM cells and resets the device for τ seconds. The normal case described above corresponds to a sufficiently long pulse, namely τ ∞ . In contrast, when the pulse is very short, namely τ 0 , the SRAM preserves the data across the reset by the remanence effect, and the PUF state becomes s 0 = 0. The attacker obtains Dev[s 0 ](q) accordingly. Then, the attacker sends a slightly longer pulse t 1 , which results in an intermediate state s 1 that satisfies HW(s 0 ) ≤ HW(s 1 ) wherein HW(·) is the Hamming weight. The attacker repeats the above process by gradually increasing the pulse widths τ 0 < · · · < τ i < · · · < τ ∞ , and the corresponding PUF states satisfy 0 = HW(s 0 ) ≤ · · · ≤ HW(s i ) ≤ · · · ≤ HW(s ∞ = s PUF ). (2) In the meantime, the attacker obtains the set of responses If the increment of the pulse widths is sufficiently small, the neighboring states are very close, i.e., HW(s i ⊕ s i+1 ) becomes small. In this situation, the attacker can find s i+1 by exhaustively searching the neighbors of s i . By recursively repeating the process starting from s 0 = 0, the attacker eventually recovers the secret state s PUF . Algorithm 1 describe the process. Here, Finder realizes the neighbor search as described in Algorithm 2; the algorithm searches for a state corresponding to the output x given the previous state s. For each neighborŝ, the attacker emulates Dev and obtainsx = Dev[ŝ](q). Here,x = x implies thatŝ is the desired one. Finder returns ⊥ when the search is unsuccessful.

Proposed Method
We briefly summarize Redshift and discuss its advantages, followed by the threat model describing the attacker's accessibility.

Principle
Redshift is a laser injection attack targeting delay-sensitive circuits, such as oscillators and arbiter PUFs, by changing signal propagation delay with laser stimulation. This attack is different than conventional LFIs because it changes the target's behavior within the analog domain rather than causing pure digital faults [DFM + 11, JT12,KSV13]. Redshift is also different than conventional optical interferences [Upt15, SCR + 20] in that it exploits spatial selectivity by using a tiny laser spot focused with a microscope.
A concrete example of Redshift is the precise control of the frequency of ring oscillators. We measure two ASIC chips fabricated with 180-nm and 40-nm CMOS technologies ( Figure 2-(left) and -(right)). During the experiment, a cheap continuous-wave laser diode illuminates the target ring oscillator under a microscope. Figure 2 shows the linear relationship between the oscillation frequency (the vertical axis) and the injected laser power (the horizontal axis). The maximum laser power of 1.75 mW is several orders of magnitude lower than conventional LFI tools, and even less than the power of a laser pointer.

Advantages
Laser Injection Attack on Delay-Sensitive Circuits Redshift extends the target of laser injection attack to delay-sensitive circuits in contrast to the conventional LFIs targeting digital components for cryptography. Since delay-sensitive circuits are an essential analog building block, Redshift has many applications beyond PUFs. For example, Redshift can degrade random number generators that use propagation delay as a source of entropy [MM09]. Delay-sensitive circuits are commonly used for on-chip sensors, too. For example, an EM sensor uses a shift in oscillation frequency to detect a magnetic-field probe for the electromagnetic side-channel attack [HHM + 14]; manipulating the oscillation frequency can cause false positives and negatives in such sensors. Moreover, underclocking a system clock with a laser can result in conventional digital faults.
Stealthiness As shown in Figure 2, a low-power continuous-wave laser, too weak for conventional LFI, is sufficient for the attack. Redshift potentially evades the detectionbased LFI countermeasures using on-chip sensors configured for the conventional pulse lasers. Those sensors compare the peak photocurrent with a configured detection threshold [NRV + 06, MFS + 18]. Hardware designers are motivated to configure the sensor with a high detection threshold [NRV + 06] to avoid false positives caused by environmental lights or cosmic particles [Hab65]. The threshold is likely set low enough to sense pulse lasers but too high to sense continuous-wave lasers due to the significant difference in peak power: Redshift needs several milliwatts only, which can be less than 1/1000 of the conventional pulse lasers [Risb]. We discuss how to improve on-chip sensors to detect Redshift without sacrificing the false-positive rate in Section 8.2.

Cheaper Setup
The setup for Redshift is much cheaper than the conventional laser stations [Risb,Alpa,vWWM11,BJ15]. This extends the potential attackers from wellfunded organizations to individuals. In particular, this will lower the attack cost from specialized to standard in the Common Criteria certification scheme [Joi20]. Moreover, this makes the attack more stealthy in terms of the instruments' traceability because an attacker can improvise its Redshift setup using off-the-shelf components.
There are few previous works on cost-efficient optical attacks. The first LFI by Skorobogatov and Anderson [SA02] used cheap light sources such as a flashgun and a laser pointer and successfully attacked digital circuits. However, the target device was fabricated with a very old 1300-nm technology, and an attack using a laser pointer has become challenging as semiconductor chips become smaller and faster [GGS17]. As a result, recent works mostly use short-pulse lasers, as discussed previously. We empirically verified that our continuous-wave setup cannot flip digital bits with a preliminary experiment 2 .
By following the above direction, Schmidt and Hutter [SH07] proposed to deliver laser light using an optical fiber instead of a microscope. Later, Guillen et al. used a flashgun combined with a single-lens optics [GGS17] to even eliminate a laser. These attacks can be even cheaper than Redshift because they do not require a microscope. These previous works aimed at achieving a high peak power using a cheap setup. In contrast, Redshift approaches the same problem by finding more light-sensitive targets. These two approaches are complementary and further optimizing the Redshift's cost using the previous techniques is open for further research. Meanwhile, the cost reduction using the previous approaches, cheaper optics and/or incoherent light source, comes at the cost of a larger spot size that makes the attack less stealthy.

Threat Model
Similar to conventional LFI, Redshift assumes a local attacker who can physically access the target chip and apply laser stimulation. Our attacks on PUFs additionally follow the model by Zeitouni [ZOW + 16]: the target chip has PUF-based key storage and provides a Algorithm 3 LIE: Getting a device response while shining a laser Require: Laser current j and query q Ensure: Response x 1: Set the Laser current to j 2: Invoke PUF state generation the PUF state becomes s 3: Get a response x ← Dev[s](q) 4: return x cryptographic service using a pre-shared key to which the attacker can send a query. The attacker aims to recover the secret protected by the PUF.
The attacker measures the target device with the laser-injection experiment LIE in Algorithm 3. First, the attacker keeps illuminating the target chip with laser power specified by a diode current j (line #1) while the PUF generates a state s (line #2). Finally, the attacker is able to send a query q to the chip's legitimate interface and retrieve x ← Dev[s](q) at line #3. Here, Dev[s](q) abstracts the chip's cryptographic service as discussed in Section 2.3. Here, the attacker is assumed to know the details about Dev[·](·) in the same as the previous attack by Zeitouni et al.
The availability of Dev[·](·) follows Kerckhoff's principle, and PUF-based key storage is designed to be secure without hiding it. There are open hardware for PUF wherein the assumption is reasonable [Tri17]. Meanwhile, Dev[·](·) can be unavailable in commercial chips. For example, NXP LPC55S69 uses a proprietary scheme for its SRAM-based key generation [Sem19]. In this case, the attacker should pay the cost of reverse-engineering Dev[·](·) in advance. We note that considering an attacker with reverse-engineering capability would be reasonable because protection against reverse engineering is a significant benefit of PUF-based key storage [Mae13].

Experimental Setup
This section provides the experimental setup and measurement procedure used throughout this paper.
Optics We use a low-cost laser module in Figure 3 composed of a laser diode, a collimation lens, and a C-mount adapter in the optical cage system. The idea is to cheaply upgrade a simple microscope, categorized as standard [Joi20], by attaching the laser module to the standard C-mount camera port. The total cost of the module is less than $500. The module uses a 520-nm green laser diode in the standard TO56 package that can emit up to 110 mW (Osram PLT5 520B [Osr21]), available at less than $50 from a popular online electronics retailer. We use a Wraymer RM-5400T microscope with a manual XY stage we had in our laboratory, which was roughly $4,000 at purchase. Figure 4-(left) shows the laser module installed in our microscope.

Managing the Laser Power
The block diagram in Figure 4-(right) shows the components and connections used to control the laser power in a programmable way. We manage the laser power with a Thorlabs LDC202C laser driver that regulates the laser diode current. We first characterize the relationship between the diode current and the emitted optical power (the I-L curve) to translate an amount of current to laser power. For the preliminary characterization, we measure the optical power with a laser power meter (Thorlabs PM100D with the S121C sensing head) under the objective lens. The DC current output of the laser driver is controlled by a DC voltage from a function generator (Rigol DG1022Z). During our experiments, the laser power is controlled through the function  Focusing and Magnification In general, a higher magnification is advantageous in attacking the target with smaller laser power. That is because the power density in the laser spot increases with the magnification ratio. As a drawback, however, a higher magnification requires more precise aiming. Moreover, increasing the current by a minimum unit can cause too much change in the target with too much magnification. Considering the above trade-off, we use a minimum magnification needed to cause sufficient change with the laser power around 5 mW, the power of a laser pointer. After determining an objective lens, we minimize the laser spot by changing the distance between the diode and the collimation lens using the screw shown in Figure 3. We use a camera on the microscope during the adjustment; see Figures 6 and 8 for the microscope images with laser spots. The laser spot size is proportional to the magnification ratio: the spot diameters are 14.9, 7.7, and 3.9 micrometers with the ×5, ×10, and ×20 lenses, respectively. These spot sizes are much larger than the top metal wires in the target chips, and all our experiments succeeded without intentionally widening the laser spot. Doubling a magnification quadruples the optical energy received at a light-sensitive region covered by the spot. The laser beam does not go through an eyepiece, and its magnification does not affect the results.
Targets We evaluate Redshift on both custom ASIC chips and off-the-shelf microcontrollers. The first set of targets are RO-PUFs and A-PUFs on ASIC chips fabricated with 180-nm and 40-nm CMOS technologies. We use custom chips to perform a white-box analysis, since we know the implementation details about our RO-PUFs and A-PUFs (shown in Sections 5 and 6). We use two chips of each PUF to compare the effectiveness of laser injection in different fabrication technologies, as they have functionally-equivalent circuits but different feature sizes. Our setup illuminates a semiconductor die from the top; we access the die by removing a glued top cover from a ceramic package. The light reaches the transistors after passing through the top metal layers, as there are 4 and 6 metal layers in the 180-nm and 40-nm chips, respectively. The chips can communicate with a PC through evaluation boards. The RO-PUF has an analog debug port that directly outputs the oscillating waveform, where an oscilloscope (Keysight DSO3034T) monitors the signal during the experiments.
The second set of targets are the clock oscillators on off-the-shelf microcontrollers. We use the three microcontrollers from different vendors available on the NewAE UFO target boards [Inc19a,Inc19b,Inc18]: NXP LPC55S69 (Cortex-M33) [Sem21], Microchip SAM L11 (Cortex-M23), and STMicroelectronics STM32F4 (Cortex M4). These devices are used to perform a black-box analysis and verify the feasibility of Redshift on real devices. The laser is injected from the top of the device after decapsulating the quad flat packages; we outsourced the decapsulation for roughly $200 per chip. The target chips are configured to output their clock signals to a GPIO pin. We directly use the 16-MHz internal RC oscillators with SAM L11 and STM32F4. For LPC55S69, on the other hand, we use a 12-MHz signal generated by dividing its 192-MHz free-running oscillator (FRO). Similar to the ASICs, we monitor the GPIO pins with the oscilloscope during the experiments.
Measurement Algorithm 4 shows the experimental procedure of repeating a unit measurement LIE (see Algorithm 3) while changing the laser power. We first fix an arbitrary query q (line #1) and gets a legitimate response x PUF without laser illumination (line #2). Then, we start applying laser stimulation with the diode current starting from j min to j max at the step of j step . As a result, we examine j i = j min + i × j step for i ∈ I = {0, 1, · · · , jmax−jmin jstep }. For each current value j i , we repeat the same measurement r max times, i.e., for r ∈ R = {0, 1, · · · , r max − 1} (line #5-7). We denote the r-th measurement using the laser current j i by x r i (line #6). The algorithm finally returns the list of faulty PUF responses [x r i ] for i ∈ I and r ∈ R (line #11). We choose the following parameters unless otherwise noted: • j min = 34 mA: the laser diode's threshold current, • j step = 0.02 mA: the laser driver's accuracy limit, i.e., ± 0.01 mA, • r max = 25: a sufficiently large number for a decimated experiment in Section 7.2.

Experiment: Oscillator and RO-PUFs
To show the effectiveness of Redshift, we start by controlling the delay within oscillators. First, we manipulate the frequency of a ring oscillator with laser stimulation. Second, we evaluate the same oscillator as an RO-PUF and show that we can manipulate the PUF states. Third, we replicate the frequency manipulation to microcontrollers.

RO-PUF Design
The target RO-PUF comprises of many independent oscillators, two counters, and an arithmetic comparator, as shown in Figure 5. Each ring oscillator is composed of two inverters and one NAND gate. The current source on the top roughly specifies the oscillation frequency [SD07], which we configure to be around 30 MHz. Figure 6 shows the 180-nm and 40-nm RO-PUFs with laser spots. We directly measure the oscillation using the oscilloscope during the experiment, as discussed in Section 4.

Algorithm 4
Measuring the target device while changing the laser power Require: The minimum current j min , the maximum current j max , the current step j step , and the number of iteration r max Ensure: A query q, the true PUF response x PUF , and the list of faulty responses [x r i ] 1: Fix an arbitrary device query q 2: x PUF ← LIE(0, q) A response with no laser injection 3: i ← 0, j 0 ← j min 4: while j i ≤ j max do 5: for r ← 0 to r max − 1 do Repeat the same measurement r max times 6:  The RO-PUF compares the frequencies of two oscillators and generates a 1-bit state for each pair. The circuit measures the frequencies using counters that detect the number of edges as the signal oscillates. We use one reference oscillator RO ref and 256 target oscillators RO i for i ∈ {0, 1, · · · 255}. We assume that the PUF generates the i-th bit by wherein f freq (RO) represents RO's oscillation frequency. Finally, the RO-PUF generates a 256-bit secret state by concatenating these bits, i.e., s = b 0 ||b 1 || · · · ||b 255 . This state s is directly output by the target chip.

Experiment 1: Changing Oscillator Frequency with LFI
First, we examine how laser stimulation affects the oscillation frequency. We locate a light-sensitive region by scanning the chip surface with a manual XY stage while monitoring RO ref 's frequency. After locating a coordinate that indicates light sensitivity, we gradually increase the laser power until the oscillator stops working, i.e., observing a flat line. Figure 2 shows the relationship between the injected laser power (the horizontal axis) and the oscillation frequency (the vertical axis).  between the frequency and the injected optical power. In the 180-nm oscillator, a ×5 magnification is sufficient to decrease the frequency from 30.7 MHz to 4.8 MHz with only 1.7 mW. The 40-nm oscillator is less sensitive because of the smaller dimensions and more metal layers, so the ×5 objective lens was insufficient. After increasing the magnification to ×10, however, the frequency changes from 34.3 to 4.1 MHz with the same laser power of 1.7 mW.

Experiment 2: Changing RO-PUF's Secret State with LFI
The frequency shift by laser stimulation impacts the bias between 0 and 1 in RO-PUF's state. We denote the oscillation frequency by f and its probability distribution by Prob  Figure 7 summarizes the relationship between HW(s) (the vertical axis) and the power of the laser aimed at RO ref (the horizontal axis). The results clearly show that HW(s) approaches 0 as we increase the laser power. HW(s) became zero using 0.3 mW with the ×5 lens for the 180-nm chip and 0.6 mW with the ×10 lens for the 40-nm chip. At this point, RO ref 's frequency is lower than any of RO i . These laser powers are significantly smaller than the power limits that cause the oscillator to fail. By using this relationship between optical power and the Hamming weights, we can recover the PUF state s PUF as shown in Section 7.
We note that the attacker can locate RO ref , without the analog debug port nor the PUF output s, by repeatedly invoking Algorithm 3 while scanning the chip with a laser. If we observe several different outputs x = Dev[s](q) affected by the laser power, it is likely the coordinate for RO ref . The attacker can distinguish it from a laser on any other oscillator RO i , which causes at most 1-bit error in s.

Experiment 3: Clock Oscillators on Microcontrollers
To show how Redshift affects real devices, we evaluate the on-chip clock oscillators on the three microcontrollers discussed in Section 4. Like the ring-oscillator experiment, we evaluate the light-frequency characteristics by monitoring the clock signals on a GPIO pin while changing the laser power. Figure 8   laser spots. Then, we obtain the light-frequency characteristics with the same procedure in Section 5.2. The ×5 objective lens was sufficient for the SAM L11 and STM32F4. Meanwhile, the LPC55S69 was significantly less sensitive, and the ×20 lens was necessary. Figure 8 (d)-(f) are the light-frequency characteristics, which show the frequency decrease similar to the results on the custom ring oscillators. These results verify that the light-induced frequency shift is a common phenomenon that can affect many different devices. The results also show that Redshift still works with modern chips, e.g., LPC55S69 released in 2019.
The SAM L11 and STM32 are more sensitive than our 180-nm RO-PUF; less than 0.12 mW is sufficient to shift 16 to 5 MHz with the ×5 lens. The light-frequency graphs of these chips are relatively non-linear, but they are still monotonic. In contrast, LPC55S69 is much less sensitive, and 6.5 mW is necessary for shifting 12.0 to 9.1 MHz even with the highest magnification (×20). Even though it is less sensitive, its light-frequency graph is highly linear, allowing for precise oscillator control. Although explaining the exact reason for this less sensitivity needs details about the internal design, the rectangular metal patches on the top layer can be one reason. To evade the patches, we put a laser spot on a narrow space between them (see Figure 8), potentially preventing us from aiming the laser at the optimal coordinate.

Experiment: Arbiter PUF
We also verify Redshift on arbiter PUFs, which is another delay-based PUF with different measurement principle.

A-PUF Design
Our A-PUF circuit in Figure 9 compares the slight difference in propagation delay between two configurable delay paths. The paths have 128 stages and accepts a 128-bit challenge. Each stage is composed of a pair of selectors that changes the path depending on a challenge bit. The arbiter decides a faster path using a NAND-based SR latch; Figure 9 shows the arbiter's transistor-level internal structure for the later discussion in Section 8.1.
We use the A-PUF as a weak PUF generating a 256-bit state. We first determine random 256 challenges, namely w i ∈ {0, 1} 128 for i ∈ {0, 1, · · · , 255}. Then, we get 256 bits by feeding these challenges to the A-PUF. The concatenated 256-bit word is the secret state s. Similar to our RO-PUF, the chip directly outputs s.   Figure 9: Our A-PUF Design. The arbiter has transistor-level description with a laserinduced photocurrent, which will be discussed in Section 8.1.

Experiment 4: Changing A-PUF's Secret State with LFI
We repeat the experiments from the previous section, only now targeting our A-PUF. We first explore the light-sensitive region by scanning the chip surface while monitoring HW(s). We locate two light-sensitive regions in the arbiter: one increases and another decreases the Hamming weight HW(s). We aim the laser beam at the former coordinate and gradually increase the laser power while measuring the corresponding HW(s). Figure 10 shows the relationship between the laser power and the Hamming weight HW(s) while applying laser stimulation on the arbiter circuit. Figure 10-(left) and -(right) show the results with the 180-nm and 40-nm chips, respectively. Similar to the previous experiment with RO-PUF, HW(s) almost monotonically decreases as we increase the laser power. We use the ×5 objective lens in both the 180-nm and the 40-nm A-PUFs. The 180-nm A-PUF is highly sensitive; 0.3 mW is sufficient to achieve HW(s) = 0. Similar to the previous experiment, the 40-nm A-PUF is less sensitive. However, the 40-nm A-PUF reaches HW(s) = 0 with 4.6 mW using the ×5 lens.
The above results show that we can manipulate the A-PUF state through laser stimulation in the same way as the RO-PUF. Redshift is applicable to another delay-sensitive

State Recovery Attack
We recover the PUF's secret state s PUF using the data collected in our experiments. For analysis, we extend Zeitouni et al.'s attack [ZOW + 16] to handle unstable bits in our PUFs.

Extension of Zeitouni et al.'s Search Algorithm
Around 5-10% of the bits in our RO-PUFs and A-PUFs are unstable (see Appendix A), which is a problem for the previous state recovery algorithm (Algorithm 1). Figure 11-(left) and (right) illustrate the state recovery with and without unstable bits. In the figure, s 0 , · · · , s end are the intermediate PUF states. The arrow between two states means that one is reachable from another by neighbor search. Algorithm 1 successfully reconstructs each state s i+1 from previous state s i when measurements are stable (Figure 11-(left)), but Algorithm 1 fails with unstable measurements (Figure 11-(right)) for two reasons. First, HW(s i ) ≥ HW(s i+1 ) is not always true when there are measurement errors. Second, there are unhandled branches and deadends (e.g., s 2 , s 4 , and s 5 ) within the search space.
To address these issues, we instead use Algorithm 5, which is an extension of Algorithm 1. Algorithm 5 takes the measured data (q, x PUF , and [x r i ] from Algorithm 4) and the maximum distance d max in neighbor search, and returns the secret PUF state s PUF corresponding to the correct PUF response x PUF . The key idea is to compare the emulated output x with a set of responses X (line #11), instead of a particular response x i−1 in Algorithm 1. The algorithm initializes X with all the measured responses [x r i ] (line #1) and removes a particular element x ∈ X if the corresponding state is found (line #13).
We use another set C to keep track of the discovered states.
In each iteration, the algorithm first fixes a base state s and exhaustively checks its neighbors within the distance d max (line #7). For each candidate s , the algorithm emulates Dev and obtains x = Dev[s ](q) (line # 8), which is then compared with the elements in X (line #11). If x is found in X, i.e., Dev[s ](q) ∈ X, we add s to C and remove x from X (lines # 12 and 13). After the neighbor search, the algorithm continues by choosing a new base from C. We prioritize the candidate in C with the lowest Hamming weights (line #4). If the distance between the neighboring states is closer than d max , we will eventually reach the final state s PUF corresponding to x PUF ; otherwise, the algorithm returns a failure.

State Recovery Experiment
We apply Algorithm 5 to the PUF responses we obtained in Sections 5 and 6 for recovering the 256-bit PUF states s PUF with the most simple Dev given by We discuss a more elaborate Dev in Section 7.3. Although Eq. 4 does not reflect reality, it is sufficient for evaluating the computational effort, i.e., the number of Dev emulations (line #8). Note that since the PUF output s is supposedly secret in Algorithm 5, we use it only for checking hypothetical states. We implemented the search program with C++ and ran it on a mid-range CPU (AMD Ryzen5 2600). Table 1 summarizes the results: • The number of unique states observed after the entire measurement #X, • The number of states #States examined for the neighbor search, • The minimum search distance needed for a successful attackd max , and dmax is the minimum dmax needed for a successful attack.
• The total CPU time measured using the clock function in the C standard library.
The table also shows j max , the maximum laser current needed for observing HW(s) = 0, which is necessary for a successful attack. The algorithm finished within a minute for the 40-nm RO-PUF, 180-nm A-PUF, and 40-nm A-PUF because the measurement was dense enough andd max = 1. The 180-nm RO-PUF required a larger neighbor search distance of d max = 3, but it still finished within an hour.
The experimental results show that we can fully recover a secret PUF state by running Algorithm 5. Even with the most challenging case, i.e., 180-nm RO-PUF, the total number of Dev emulations is 256 3 × 3, 116 ≈ 2 33.0 . The search space 256 dmax increases combinatorially withd max and quickly becomes impractical. Therefore, a successful attack requires a smallerd max with a finer measurement either by reducing j step or increasing r max . We evaluate the impact of these parameters ond max by decimating our 40-nm RO-PUF dataset 3 . Table 2 summarizes the distancê d max for various j step and r max .d max decreases with a smaller j step and a larger r max as expected. With sufficiently dense measurement, we can eventually achieved max = 1 in which running Algorithm 5 is trivial even with a larger PUF state.

Error Correction and Cryptography
We verify the state recovery attack with a more elaborate Dev[·](·) that is described by Algorithm 6, which includes error correction and a cryptographic service. It uses a simple error-correction scheme with a repetition code and bit selection [DGSV15], similar to the one used by Zeitouni et al. [ZOW + 16].
Following the previous work [ZOW + 16], we optimize the recovery algorithm by searching k PUF instead of the raw states s 0 , · · · , s r−1 . In other words, we ignore the error correction by targeting the value after error correction. We can easily extend Algorithm 5 for the optimization by (i) setting the 128-bit k PUF as the target state s and (ii) skipping the lines #1-4 in Algorithm 6 while emulating Dev during the attack.
Algorithm 6 Dev with an error correction and a cryptographic service Require: The raw PUF outputs s 0 · · · s r−1 ∈ {0, 1} M , encrypted key c k , and a query q, the indices of selected bits l 0 , · · · , l N −1 . Ensure: A response x ∈ {0, 1} N 1: s ← Vote(s 0 , · · · , s r−1 ) Bitwise majority voting 2: for i = 0, · · · , N − 1 do 3: Bit selection: t j represents the j the bit of a word t 4: end for 5: k ← Enc −1 k PUF (c k ) 6: x ← Enc k (q) 7: return x Table 3 summarizes the experimental results for recovering k PUF , which shows smaller #X, #States, andd max compared with the previous experiment. The attack is easier because of the smaller search space reduced from 256 to 128 bits and more stables bits by the error correction. As a result, the execution times are faster even though new Dev involves two AES calls. All the searches finished within 1 second. The most challenging case is the 180-nm RO-PUF withd max = 2 that finished in 0.931 seconds. Dev occupies only ≈10% of the total execution time; the AES encryption and decryption with AES-NI is faster than other utility functions for data structures.
We finally discuss how error correction impacts the state recovery attack. Error correction introduces difficulty in two ways. First, the state size before error correction is larger. Second, it extends the distance between the neighboring states. That is because Dev will not generate a different output until a sufficient amount of difference is accumulated [ZOW + 16]. Searching the state after error correction, as we did in our experiment, is a general strategy to improve the attack. However, this technique becomes less efficient with a larger codeword. We consider generating an N -bit key using the κ-bit codeword N/κ times in parallel. In this case, the number of adjacent states after error correction is 2 κ · N/κ. The bitwise repetition code in our experiment is the most efficient case with κ = 1. However, the complexity grows exponentially with κ and eventually becomes infeasible as κ increases.

Discussion
This section includes the discussions on the causality and possible countermeasures, followed by the related works.

Causality
We investigate how laser injection influences the transistors based on the conventional parasitic-photodiode model. Figure 12 shows an inverter within a ring oscillator; Figure 12-(left) and -(right) show the current paths during high-to-low and low-to-high transitions, respectively. The gray arrows are the legitimate current paths. Meanwhile, the dashed arrows are the additional current paths caused by laser-induced photocurrent; the laser stimulation is modeled by the addition of extra current sources.

Oscillators and RO-PUF
We focus on the high-to-low transition in Figure 12-(left) for simplicity. Without a laser injection, all the PMOS current I 1 goes to the load capacitance, and thus I 2 = I 1 . With a laser injection, part of I 1 goes to ground through the photocurrent I 3 causing I 2 < I 1 . A smaller I 2 increases the low-to-high transition delay because the inverter needs more time charging the load capacitance with a smaller I 2 . The high-to-low transition delay, shown in Figure 12-(right), increases in the same way. Finally, the longer propagation delay in each inverter results in a slower oscillation.
A-PUF Figure 9 shows the transistor-level description of the arbiter with the current sources by laser stimulation. The arbiter's frontend is a pull-down network composed of the transistors (Tr T and Tr B ) and the capacitors (Cap T and Cap B ). The capacitors are precharged by negating the reset before sending a step signal; the figure shows the transistor states after the precharge. The capacitors preserve their charges because both Tr T and Tr B are turned off. At the evaluation phase, a step signal propagates through the delay paths and eventually turns Tr T (resp. Tr B ) ON. Then, the capacitor Cap T (resp. Cap B ) starts to discharge through the transistors. When the capacitor voltage V T (resp. V B ) reaches a threshold, the backend cross-coupled inverters converge to a stable state representing the faster path 5 . Figure 9 shows a case a laser illuminates Tr B only. The photocurrent I 7 discharges Cap B , making the delay in discharging Cap B shorter because a part of the charges is already lost when the step signal finally arrives. This causes the arbiter a bias preferring the bottom path at B, increasing the population of corresponding bit value. Laser stimulation on Tr T (cf. Tr B ) causes an opposite bias. This explains the two light-sensitive coordinates observed in Section 6: one increases 0 and another increases 1.

Extension to Other Analog Circuits
We discuss the potential to extend Redshift into other analog circuits beyond the delay-sensitive circuits that were the focus of this paper. The simple principle of the parasitic-photodiode model -laser stimulation generates a current in an otherwise insulating transistor-is still useful for explaining Redshift, as discussed above. Therefore, the model should be useful for predicting how Redshift affects a target analog circuit in advance. For an experimental verification, sweeping the laser power while monitoring an output will be generally useful. An amplitude-modulated laser will be necessary for targets that may reject DC signals, e.g., a microphone [SCR + 20]. Once a problem is experimentally verified, we can use the parasitic-photodiode model in a SPICE simulation to make a quantitative analysis and evaluate the effectiveness of a countermeasure.

Countermeasures
On-Chip Sensors The conventional sensor-based countermeasures should work in principle if a detection threshold is properly configured for Redshift. However, as discussed in Section 3.2, simply raising the detection threshold can prohibitively increase the false positives caused by environmental lights or cosmic particles [Hab65, NRV + 06]. Instead, we can improve the false-positive rate by integrating (averaging) the sensors' output over time. The above technique is effective because Redshift is sustained for a longer period. We can achieve this by adding an integrator circuit after a conventional LFI sensor. Alternatively, an oscillator-based sensing scheme naturally achieves such integration. He et al. proposed to use a ring oscillator to detect laser pulses [HBB + 16]; it can be extended for efficiently detecting Redshift.
Detecting a Wrong PUF Key. Detecting a wrong PUF key and terminating the cryptographic service Dev[s i ](q) [ZOW + 16] can prevent the state-recovery attack. We can achieve this with recalculation. At enrollment, we encrypt a constant value, such as 0, to get the corresponding ciphertext c 0 = Enc k PUF (0) and store it on a non-volatile memory along with the encapsulated pre-shared key c k in Eq. 1. After recovering the PUF key k PUF on each bootup, the system recalculates c 0 = Enc k PUF (0) and compares it with the stored c 0 . An unsuccessful comparison means k PUF = k PUF , and we can terminate the following sensitive operations.

Changing a Reference Oscillator
To attack this scheme, the attacker should change the laser coordinate for each bit, which significantly increases the difficulty of the measurement.
Obfuscation As discussed in Section 3.3, hiding Dev with a proper hardware obfuscation scheme [FBT17] will prevent the attacker from running the state-recovery algorithm in Section 7.

Related Works
Laser-Assisted Device Alteration (LADA) [RE03, BHK13] LADA is an LSI reliability analysis for isolating a failure mechanism typically in a digital circuit. LADA injects a continuous-wave laser on a target transistor while checking the Shmoo plot, the pass/fail test with different frequencies and voltages. If the injection changes the plot, the target transistor has a small operational margin and is a potential failure cause [RE03]. Both Redshift and LADA change transistor behavior with continuous-wave laser injection. Boit et al. mentioned LADA as a modern diagnosis tool at FDTC 2013 [BHK13], but there is no concrete attack so far, as far as the authors are aware. Also, LADA usually targets logical pass/failure in a digital circuit, not in delay-sensitive circuits.

Conclusion
We proposed a new laser injection attack on delay-sensitive circuits that are highly sensitive to light. The attack is feasible by using a low-power, continuous-wave laser that significantly reduces the attack cost and is more stealthy against sensor-based countermeasures. We experimentally verified that we could manipulate the frequency of oscillators by changing the injected laser power on our custom ASIC and the off-the-shelf microcontrollers. An attacker can leverage the above phenomenon to manipulate the PUF states from our ringoscillator PUFs. A similar state manipulation is possible on arbiter PUFs, showing that the proposed attack can be extended beyond oscillators. Our recovery algorithm, extended from Zeitouni et al.'s attack, successfully recovered secret information by exploiting the manipulated PUF states. There are several interesting problems to explore in the future. Extending Redshift to other applications and analog circuits can be an interesting challenge. Also, the causality discussed in Section 8.1 needs further verification through circuit simulation and controlled experiments.

A Evaluation of Unstable Bits
This section describes how we evaluated the unstable bits in the PUF outputs. For the target bit, we consider it stable if we get the same bit value for any r ∈ R; otherwise, we consider it unstable. We counted the number of unstable bits as follows. For each index i that represents the laser current, we count the number of unstable bits as h(i) = HW OR r,r ∈R,r =r XOR(s r i , s r i ) wherein OR and XOR represent bitwise operations over 256-bit words. Table 4 summarizes the average and standard deviation of h(i) regarding i. Table 4 summarizes the number of unstable bits in our measurements; roughly 5-10% are unstable in 256 bits.