jaseg/ihsm
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Paper rework WIP for submission to CHES'21

Browse source
This commit is contained in:
jaseg 2021-03-31 20:16:17 +02:00
parent 4a25d96235
commit ea44143cf2
16 changed files with 4156 additions and 319 deletions
Download patch file Download diff file Expand all files Collapse all files

2727
doc/paper/CC-by.eps Executable file
View file

File diff suppressed because one or more lines are too long

BIN
doc/paper/CC-by.pdf Executable file
View file

Binary file not shown.

448
doc/paper/iacrtrans.cls Executable file
View file

@ -0,0 +1,448 @@
% IACR Transactions DOCUMENT CLASS -- version 0.24 (26 August 2016)
% Written by Gaetan Leurent gaetan.leurent@inria.fr (2016)
%
% To the extent possible under law, the author(s) have dedicated all
% copyright and related and neighboring rights to this software to the
% public domain worldwide. This software is distributed without any
% warranty.
%
% You should have received a copy of the CC0 Public Domain Dedication
% along with this software. If not, see
% <http://creativecommons.org/publicdomain/zero/1.0/>.
%
%
%%% Class options:
%
% [preprint] Preprint (no copyright info)
% [submission] Anonymous submission
% [spthm] Emulate llncs sptheorem and remove automatic \qed in proof
% [nohyperref] Disable automatic loading of hyperref
% [draft]
%
%%% HOWTO use this class
%
%% Title
% \title[short]{Long title}
%
%% Authors/affiliation:
% \author{Alice \and Bob}
% \institute{ABC\\ \email{alice@abc} \and DEF\\ \email{bob@def}}
%
%% Keywords/abstract:
% \keywords{banana \and apple}
% \begin{abstract}
% Lorem ipsum dolor sit amet...
% \end{abstract}
%
%% Warnings
% - please don't use any \pagestyle of \thispagestyle command
% - if you have proof with explicit \qed inside, you should either
% remove \qed symbols, replace them by \qedhere, or add option [spthm]
\NeedsTeXFormat{LaTeX2e}[1995/12/01]
\ProvidesClass{iacrtrans}[2016/08/26 v0.24 IACR Transactions Author Class]
% Common definitions
\def\publname{IACR Transactions on Cryptographic Hardware and Embedded Systems}
\def\IACR@vol{0}
\def\IACR@no{0}
\def\IACR@fp{1}
\def\IACR@DOI{XXXXXXXX}
\usepackage{lastpage}
\def\IACR@lp{\pageref*{LastPage}}
\newcommand{\setfirstpage}[1]{\def\IACR@fp{#1}\setcounter{page}{#1}}
\newcommand{\setlastpage}[1]{\def\IACR@lp{#1}}
\newcommand{\setvolume}[1]{\def\IACR@vol{#1}}
\newcommand{\setnumber}[1]{\def\IACR@no{#1}}
\newcommand{\setDOI}[1]{\def\IACR@DOI{#1}}
% Options
\newif\if@loadhr
\@loadhrtrue
\DeclareOption{nohyperref}{\@loadhrfalse}
\newif\if@floatrow
\@floatrowfalse
\DeclareOption{floatrow}{\@floatrowtrue}
\newif\if@submission
\@submissionfalse
\newif\if@preprint
\@preprintfalse
\DeclareOption{final}{\PassOptionsToClass{\CurrentOption}{article}} % Default
\DeclareOption{preprint}{\@preprinttrue}
\DeclareOption{submission}{\@submissiontrue}
\DeclareOption{draft}{\@preprinttrue\PassOptionsToClass{\CurrentOption}{article}}
\newif\if@spthm
\@spthmfalse
\DeclareOption{spthm}{\@spthmtrue}
\DeclareOption*{\PassOptionsToClass{\CurrentOption}{article}}
\ProcessOptions\relax
% article class with a4paper
\LoadClass[10pt,twoside]{article}[2007/10/19]
% Geometry
\RequirePackage[a4paper,hscale=0.65,vscale=0.75,marginratio=1:1]{geometry}
% Title fonts: bf+sf
\RequirePackage{sectsty}
\allsectionsfont{\sffamily\boldmath}
% Also for descrptions
\renewcommand*\descriptionlabel[1]{\hspace\labelsep
\normalfont\bfseries\sffamily #1}
% Title/Author/affiliations
\def\@institute{No institute given.}
\newcommand{\institute}[1]{\gdef\@institute{#1}}
\newcommand{\authorrunning}[1]{\gdef\IACR@runningauthors{#1}}
\newcommand{\titlerunning}[1]{\gdef\IACR@runningtitle{#1}}
\newcounter{IACR@author@cnt}
\newcounter{IACR@inst@cnt}
\newif\if@IACR@autoinst
\@IACR@autoinsttrue
\def\IACR@author@last{0}
\renewcommand\maketitle{\par
\begingroup
\renewcommand\thefootnote{\@fnsymbol\c@footnote}%
\long\def\@makefntext##1{\parindent 1em\noindent
\hb@xt@1.8em{%
\hss\@textsuperscript{\normalfont\@thefnmark}}##1}%
\newpage
\global\@topnum\z@ % Prevents figures from going at top of page.
\@maketitle
\thispagestyle{title}\@thanks
\endgroup
\setcounter{footnote}{0}%
\global\let\thanks\relax
\global\let\maketitle\relax
\global\let\@maketitle\relax
\global\let\@thanks\@empty
% \global\let\@author\@empty
\global\let\@date\@empty
% \global\let\@title\@empty
\global\let\title\relax
\global\let\author\relax
\global\let\date\relax
\global\let\and\relax
}
\def\@maketitle{%
% Count authors and affiliations
\setcounter{IACR@author@cnt}{1}%
\setcounter{IACR@inst@cnt}{1}%
\setbox0\hbox{\def\thanks##1{\global\@IACR@autoinstfalse}\def\inst##1{\global\@IACR@autoinstfalse}\def\and{\stepcounter{IACR@author@cnt}}\@author}%
\setbox0\hbox{\def\and{\stepcounter{IACR@inst@cnt}}\@institute}%
\xdef\IACR@author@last{\theIACR@author@cnt}%
\edef\IACR@inst@last{\theIACR@inst@cnt}%
\ifnum\IACR@author@last=\IACR@inst@last\else\@IACR@autoinstfalse\fi
\ifnum\IACR@author@last=1 \@IACR@autoinstfalse\fi
\newpage
\null
\vskip 2em%
\begin{center}%
\let \footnote \thanks
{\def\@makefnmark{\rlap{\@textsuperscript{\normalfont\@thefnmark}}}%
{\LARGE \bfseries\sffamily\boldmath \@title\par}
\ifdefined\@subtitle\vskip .5em{\large\sffamily\bfseries\@subtitle\par}\fi}%
\vskip 1.5em%
{\large
\lineskip .5em%
\if@submission
Anonymous Submission
\else
\setcounter{IACR@author@cnt}{1}%
\def\and{\if@IACR@autoinst\inst{\theIACR@author@cnt} \fi
\stepcounter{IACR@author@cnt}%
\ifnum\theIACR@author@cnt=\IACR@author@last\unskip\space and \ignorespaces\else\unskip, \ignorespaces\fi}
\@author\if@IACR@autoinst\inst{\theIACR@author@cnt}\fi
\vskip 1em\par
\small
\setcounter{IACR@author@cnt}{1}%
\def\and{\par\stepcounter{IACR@author@cnt}$^\theIACR@author@cnt$~}
\ifnum\IACR@inst@last>1 $^1$~\fi
\@institute
\fi
}%
\end{center}%
\par
\vskip 1.5em}
\def\IACR@runningauthors{
\def\thanks##1{}%
\def\inst##1{}%
\def\fnmsep{}%
\def\\{}%
\def\footnote##1{}%
\setcounter{IACR@author@cnt}{1}%
\def\and{\stepcounter{IACR@author@cnt}%
\ifnum\theIACR@author@cnt=\IACR@author@last\unskip\space and \ignorespaces\else\unskip, \ignorespaces\fi}
\@author}
\def\IACR@runningtitle{%
\def\thanks##1{}%
\def\fnmsep{}%
\def\\{}%
\def\footnote##1{}%
\@title}
\def\author{\@ifnextchar[{\IACR@@@author}{\IACR@@author}}
\def\IACR@@@author[#1]#2{\authorrunning{#1}\gdef\@author{#2}}
\def\IACR@@author#1{\gdef\@author{#1}}
\if@submission
\gdef\@author{Anonymous Submission to \publname}
\renewcommand{\author}[2][]{}
\renewcommand{\authorrunning}[1]{}
\renewcommand{\institute}[2][]{}
\fi
\def\title{\@ifnextchar[{\IACR@@@title}{\IACR@@title}}
\def\IACR@@@title[#1]#2{\gdef\@title{#2}\titlerunning{#1}}
\def\IACR@@title#1{\gdef\@title{#1}}
\newcommand{\subtitle}[1]{\gdef\@subtitle{#1}}
\newcommand{\inst}[1]{\unskip$^{#1}$}
\def\fnmsep{\unskip$^,$}
% Head/foot
\RequirePackage{fancyhdr}
\RequirePackage{graphicx}
\fancypagestyle{title}{%
\fancyhf{} % clear all header and footer fields
\if@submission\else\if@preprint\else
\fancyfoot[L]{\small Licensed under \href{http://creativecommons.org/licenses/by/4.0/}{Creative Commons License CC-BY 4.0.}\\
\publname{} Vol.~\IACR@vol, No.\IACR@no, pp.\IACR@fp---\IACR@lp, \href{https://doi.org/\IACR@DOI}{DOI:\IACR@DOI}}
\fancyfoot[R]{\includegraphics[height=2ex]{CC-by}}
\if@loadhr
\hypersetup{pdfcopyright={Licensed under Creative Commons License CC-BY 4.0.}}
\hypersetup{pdflicenseurl={http://creativecommons.org/licenses/by/4.0/}}
\hypersetup{pdfsubject={IACR Transactions on Symmetric Cryptology}}
\hypersetup{pdflang=en}
\fi
\fi\fi
\renewcommand{\headrulewidth}{0pt}
\renewcommand{\footrulewidth}{0pt}}
\fancyhf{} % clear all header and footer fields
\fancyhead[RO,LE]{\thepage}
\fancyhead[RE]{\IACR@runningtitle}
\fancyhead[LO]{\IACR@runningauthors}
\renewcommand{\markboth}[2]{}
\pagestyle{fancy}
\def\subtitle#1{\gdef\@subtitle{#1}}
%Abstract style, keywords
\def\@IACR@keywords{No keywords given.}
\def\keywords{\@ifnextchar[{\IACR@@@keywords}{\IACR@@keywords}}
\def\IACR@@@keywords[#1]#2{\gdef\@IACR@PDFkeywords{#1}\gdef\@IACR@keywords{#2}}
\def\IACR@@keywords#1{\gdef\@IACR@keywords{#1}}
\renewenvironment{abstract}{%
\small\quotation\setlength{\parindent}{0pt}\noindent
\textbf{\textsf{Abstract.}}}
{\smallskip\par\textbf{\textsf{Keywords:}}
\def\and{\unskip\space\textperiodcentered\space\ignorespaces}\@IACR@keywords
\endquotation%
\if@loadhr
%% PDF keywords
\def\and{, }%
\def\thanks##1{}%
\def\footnote##1{}%
\def\inst##1{}%
\def\fnmsep{}%
\def\\{}%
\def\zap@comma@space##1 ,##2{%
##1%
\ifx##2\@empty\else, \expandafter\zap@comma@space\fi
##2}
\ifdefined\@IACR@PDFkeywords
\hypersetup{pdfkeywords=\@IACR@PDFkeywords}
\else
\protected@edef\@tmp{\expandafter\@IACR@keywords}
\protected@edef\@tmp{\expandafter\zap@comma@space\@tmp{} ,\@empty}
\hypersetup{pdfkeywords=\@tmp}
\fi
%% PDF author
\def\zap@one,##1{}
\def\zap@last##1,##2{\ifx##1\@empty\else\space and ##1\expandafter\zap@one\fi}
\def\zap@last@comma##1,##2,##3{%
##1%
\ifx##3\@empty%
\expandafter\zap@last\else
,\expandafter\zap@last@comma\fi%
##2,##3}
\def\zap@dbl@space##1 ##2{%
##1%
\ifx##2\@empty\else\space\expandafter\zap@dbl@space##2\fi}
\protected@edef\@tmp{\expandafter\@author}
% \protected@edef\@tmp{\expandafter\IACR@runningauthors}
\protected@edef\@tmp{\expandafter\zap@last@comma\@tmp,\@empty,\@empty}
\protected@edef\@tmp{\expandafter\zap@comma@space\@tmp{} ,\@empty}
\protected@edef\@tmp{\expandafter\zap@dbl@space\@tmp{} \@empty}
\hypersetup{pdfauthor=\@tmp}
%% PDF title
\hypersetup{pdftitle=\IACR@runningtitle}
\fi
}
% Hyperref
\if@loadhr
\RequirePackage{xcolor}
\RequirePackage{etoolbox}
\AtEndPreamble{
\@ifpackageloaded{hyperref}{}{\usepackage{hyperref}}
\@ifpackageloaded{hyperxmp}{}{\usepackage{hyperxmp}}
\hypersetup{colorlinks=true,
citecolor=black!70!green,
linkcolor=black!70!red}
}
\setcounter{tocdepth}{2}
\fi
% autoref: capitals for Sections, and adding Algorithm
\def\equationautorefname{Equation}%
\def\footnoteautorefname{footnote}%
\def\itemautorefname{item}%
\def\figureautorefname{Figure}%
\def\tableautorefname{Table}%
\def\partautorefname{Part}%
\def\appendixautorefname{Appendix}%
\def\chapterautorefname{Chapter}%
\def\sectionautorefname{Section}%
\def\subsectionautorefname{Subsection}%
\def\subsubsectionautorefname{Subsubsection}%
\def\paragraphautorefname{paragraph}%
\def\subparagraphautorefname{subparagraph}%
\def\FancyVerbLineautorefname{line}%
\def\theoremautorefname{Theorem}%
\def\pageautorefname{page}%
\def\algorithmautorefname{Algorithm}
% AMS math
\RequirePackage{amsmath,amssymb,amsthm}
\RequirePackage{mathtools}
\theoremstyle{definition}
\newtheorem{definition}{Definition}
\newtheorem{example}{Example}
\newtheorem{exercise}{Exercise}
\newtheorem{property}{Property}
\newtheorem{question}{Question}
\newtheorem{solution}{Solution}
\theoremstyle{plain}
\newtheorem{theorem}{Theorem}
\newtheorem{proposition}{Proposition}
\newtheorem{problem}{Problem}
\newtheorem{lemma}{Lemma}
\newtheorem{conjecture}{Conjecture}
\newtheorem{corollary}{Corollary}
\newtheorem*{claim}{Claim}
\theoremstyle{remark}
\newtheorem{remark}{Remark}
\newtheorem{note}{Note}
\newtheorem{case}{Case}
\theoremstyle{plain}
%Emulate LLNCS spnewtheorem
\if@spthm
\def\spnewtheorem{\@ifstar{\IACR@spstar}{\IACR@sp}}
\def\IACR@spstar#1#2#3#4{\newtheorem*{#1}{#2}}
\def\IACR@sp#1{\@ifnextchar[{\IACR@sp@b{#1}}{\IACR@sp@a{#1}}}
\def\IACR@sp@a#1#2[#3]#4#5{\newtheorem{#1}{#2}[#3]}
\def\IACR@sp@b#1[#2]#3#4#5{\newtheorem{#1}[#2]{#3}}
\renewcommand{\pushQED}[1]{}
\fi
% Floats and captions
\if@floatrow
\RequirePackage{floatrow}
\floatsetup[table]{style=Plaintop}
\RequirePackage{caption}
\captionsetup{labelfont={sf,bf}}
\else
\RequirePackage{float}
\newcommand\fs@iacrabove{%
% Swap \abovecaptionskip and \belowcaptionskip
\addtolength\abovecaptionskip{-\belowcaptionskip}
\addtolength\belowcaptionskip{\abovecaptionskip}
\addtolength\abovecaptionskip{-\belowcaptionskip}
\setlength\abovecaptionskip{-\abovecaptionskip}
\fs@plaintop%
\def\@fs@cfont{\sffamily\bfseries}}
\newcommand\fs@iacrbelow{%
\fs@plain%
\def\@fs@cfont{\sffamily\bfseries}}
\floatstyle{iacrabove}
\restylefloat{table}
\floatstyle{iacrbelow}
\restylefloat{figure}
\fi
% Extra commands
\def\email{\@ifnextchar[{\IACR@@email}{\IACR@email}}
\if@loadhr
\def\IACR@@email[#1]#2{\href{mailto:#1}{\nolinkurl{#2}}}
\def\IACR@email#1{\href{mailto:#1}{\nolinkurl{#1}}}
\else
\RequirePackage{url}
\def\IACR@@email[#1]#2{\url{#2}}
\def\IACR@email#1{\url{#1}}
\fi
% Line # for submission
\newcommand\linenomathWithnumbersforAMS{%
\ifLineNumbers
%% \ifx\@@par\@@@par\else
\ifnum\interlinepenalty>-\linenopenaltypar
\global\holdinginserts\thr@@
\advance\interlinepenalty \linenopenalty
\ifhmode % v4.3
\advance\predisplaypenalty \linenopenalty
\fi
%% \advance\postdisplaypenalty \linenopenalty
\advance\interdisplaylinepenalty \linenopenalty
\fi
\fi
\ignorespaces
}
\if@submission
\RequirePackage[mathlines]{lineno}
\linenumbers
\def\linenumberfont{\normalfont\tiny\sffamily\color{gray}}
% Taken from http://phaseportrait.blogspot.fr/2007/08/lineno-and-amsmath-compatibility.html
\newcommand*\patchAmsMathEnvironmentForLineno[1]{%
\expandafter\let\csname old#1\expandafter\endcsname\csname #1\endcsname
\expandafter\let\csname oldend#1\expandafter\endcsname\csname end#1\endcsname
\renewenvironment{#1}%
{\linenomathWithnumbersforAMS\csname old#1\endcsname}%
{\csname oldend#1\endcsname\endlinenomath}}%
\newcommand*\patchBothAmsMathEnvironmentsForLineno[1]{%
\patchAmsMathEnvironmentForLineno{#1}%
\patchAmsMathEnvironmentForLineno{#1*}}%
\AtBeginDocument{%
%\patchBothAmsMathEnvironmentsForLineno{equation}%
\patchBothAmsMathEnvironmentsForLineno{align}%
\patchBothAmsMathEnvironmentsForLineno{flalign}%
\patchBothAmsMathEnvironmentsForLineno{alignat}%
\patchBothAmsMathEnvironmentsForLineno{gather}%
\patchBothAmsMathEnvironmentsForLineno{multline}%
}
\fi
% Microtype
\RequirePackage{microtype}
% Fonts
\usepackage[T1]{fontenc}
\usepackage{lmodern}

BIN
doc/paper/ihsm_shaft_countermeasures_a.pdf Executable file
View file

Binary file not shown.

160
doc/paper/ihsm_shaft_countermeasures_a.svg Executable file
View file

@ -0,0 +1,160 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<svg
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:cc="http://creativecommons.org/ns#"
xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
xmlns:svg="http://www.w3.org/2000/svg"
xmlns="http://www.w3.org/2000/svg"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
width="49.822006mm"
height="40.336422mm"
viewBox="0 0 49.822006 40.336422"
version="1.1"
id="svg8"
sodipodi:docname="ihsm_shaft_countermeasures_a.svg"
inkscape:version="1.0.1 (3bc2e813f5, 2020-09-07)">
<defs
id="defs2" />
<sodipodi:namedview
id="base"
pagecolor="#ffffff"
bordercolor="#666666"
borderopacity="1.0"
inkscape:pageopacity="0.0"
inkscape:pageshadow="2"
inkscape:zoom="1.1910704"
inkscape:cx="381.22228"
inkscape:cy="206.37328"
inkscape:document-units="mm"
inkscape:current-layer="layer1"
inkscape:document-rotation="0"
showgrid="false"
inkscape:snap-global="true"
inkscape:window-width="2421"
inkscape:window-height="1509"
inkscape:window-x="708"
inkscape:window-y="388"
inkscape:window-maximized="0"
fit-margin-top="5"
fit-margin-left="5"
fit-margin-right="5"
fit-margin-bottom="5" />
<metadata
id="metadata5">
<rdf:RDF>
<cc:Work
rdf:about="">
<dc:format>image/svg+xml</dc:format>
<dc:type
rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
<dc:title></dc:title>
</cc:Work>
</rdf:RDF>
</metadata>
<g
inkscape:label="Layer 1"
inkscape:groupmode="layer"
id="layer1"
transform="translate(-4.1349375,-13.926987)">
<g
id="g1166"
transform="translate(-94.292689,-63.048881)"
style="stroke-width:0.2;stroke-miterlimit:4;stroke-dasharray:none">
<g
id="g1091"
transform="matrix(1.4664638,0,0,1.4664638,-55.35501,-51.537705)"
style="font-variation-settings:normal;opacity:1;vector-effect:none;fill:none;fill-opacity:1;stroke:#000000;stroke-width:0.136383;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;paint-order:fill markers stroke;stop-color:#000000;stop-opacity:1">
<path
style="font-variation-settings:normal;opacity:1;vector-effect:none;fill:none;fill-opacity:1;stroke:#000000;stroke-width:0.136383;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;paint-order:fill markers stroke;stop-color:#000000;stop-opacity:1"
d="m 121.08483,110.52555 -1.13762,1.13762"
id="path868" />
<path
style="font-variation-settings:normal;opacity:1;vector-effect:none;fill:none;fill-opacity:1;stroke:#000000;stroke-width:0.136383;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;paint-order:fill markers stroke;stop-color:#000000;stop-opacity:1"
d="m 121.98488,110.52555 -1.13762,1.13762"
id="path868-8" />
<path
style="font-variation-settings:normal;opacity:1;vector-effect:none;fill:none;fill-opacity:1;stroke:#000000;stroke-width:0.136383;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;paint-order:fill markers stroke;stop-color:#000000;stop-opacity:1"
d="m 122.88492,110.52555 -1.13762,1.13762"
id="path868-72" />
<path
style="font-variation-settings:normal;opacity:1;vector-effect:none;fill:none;fill-opacity:1;stroke:#000000;stroke-width:0.136383;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;paint-order:fill markers stroke;stop-color:#000000;stop-opacity:1"
d="m 123.78497,110.52555 -1.13762,1.13762"
id="path868-12" />
<path
style="font-variation-settings:normal;opacity:1;vector-effect:none;fill:none;fill-opacity:1;stroke:#000000;stroke-width:0.136383;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;paint-order:fill markers stroke;stop-color:#000000;stop-opacity:1"
d="m 124.68501,110.52555 -1.13762,1.13762"
id="path868-27" />
<path
style="font-variation-settings:normal;opacity:1;vector-effect:none;fill:none;fill-opacity:1;stroke:#000000;stroke-width:0.136383;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;paint-order:fill markers stroke;stop-color:#000000;stop-opacity:1"
d="m 125.58505,110.52555 -1.13762,1.13762"
id="path868-2" />
<path
style="font-variation-settings:normal;opacity:1;vector-effect:none;fill:none;fill-opacity:1;stroke:#000000;stroke-width:0.136383;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;paint-order:fill markers stroke;stop-color:#000000;stop-opacity:1"
d="m 118.38471,110.52555 -1.13762,1.13762"
id="path868-27-8" />
<path
style="font-variation-settings:normal;opacity:1;vector-effect:none;fill:none;fill-opacity:1;stroke:#000000;stroke-width:0.136383;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;paint-order:fill markers stroke;stop-color:#000000;stop-opacity:1"
d="m 118.38653,110.51707 h 7.20019"
id="path1040"
sodipodi:nodetypes="cc" />
<path
style="font-variation-settings:normal;opacity:1;vector-effect:none;fill:none;fill-opacity:1;stroke:#000000;stroke-width:0.136383;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;paint-order:fill markers stroke;stop-color:#000000;stop-opacity:1"
d="m 120.18479,110.52555 -1.13762,1.13762"
id="path868-7" />
<path
style="font-variation-settings:normal;opacity:1;vector-effect:none;fill:none;fill-opacity:1;stroke:#000000;stroke-width:0.136383;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;paint-order:fill markers stroke;stop-color:#000000;stop-opacity:1"
d="m 119.28475,110.52555 -1.13762,1.13762"
id="path868-3" />
</g>
<rect
style="font-variation-settings:normal;opacity:1;vector-effect:none;fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:0.2;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;paint-order:fill markers stroke;stop-color:#000000;stop-opacity:1"
id="rect833"
width="3.2977757"
height="26.799816"
x="121.68974"
y="83.717255" />
<g
id="g840"
transform="matrix(3.3110731,0,0,3.3110731,-210.43824,-304.16294)"
style="opacity:1;stroke:#000000;stroke-width:0.0604034;stroke-miterlimit:4;stroke-dasharray:none">
<path
style="fill:none;stroke:#ff0000;stroke-width:0.151008;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
d="m 95.608189,116.75273 v 0.40521 l 0.716389,0.27243 -1.321788,0.32288 0.605399,0.32288 v 3.79757 h 4.342889"
id="path837"
sodipodi:nodetypes="ccccccc" />
</g>
<use
x="0"
y="0"
xlink:href="#g840"
id="use842"
transform="matrix(-1,0,0,1,246.67726,0)"
width="100%"
height="100%"
style="opacity:1;stroke:#ff0000;stroke-width:0.5;stroke-miterlimit:4;stroke-dasharray:none" />
<g
id="g866"
transform="translate(0,18.33469)"
style="stroke-width:0.2;stroke-miterlimit:4;stroke-dasharray:none">
<rect
style="opacity:1;fill:#ffffff;fill-rule:evenodd;stroke-width:0.203302;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;paint-order:fill markers stroke;stop-color:#000000"
id="rect861"
width="4.0434227"
height="1.6316246"
x="125.36732"
y="96.227684"
transform="matrix(0.96777752,-0.25180681,0,1,0,0)" />
<path
style="font-variation-settings:normal;opacity:1;vector-effect:none;fill:none;fill-opacity:1;stroke:#000000;stroke-width:0.2;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;stop-color:#000000;stop-opacity:1"
d="M 121.0354,66.421635 125.64186,65.1873"
id="path844" />
<path
style="font-variation-settings:normal;opacity:1;vector-effect:none;fill:none;fill-opacity:1;stroke:#000000;stroke-width:0.2;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;stop-color:#000000;stop-opacity:1"
d="m 121.0354,65.536684 4.60646,-1.234335"
id="path844-1" />
</g>
</g>
</g>
</svg>
Side by side

After

Width:  |  Height:  |  Size: 9.2 KiB

BIN
doc/paper/ihsm_shaft_countermeasures_b.pdf Executable file
View file

Binary file not shown.

174
doc/paper/ihsm_shaft_countermeasures_b.svg Executable file
View file

@ -0,0 +1,174 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<svg
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:cc="http://creativecommons.org/ns#"
xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
xmlns:svg="http://www.w3.org/2000/svg"
xmlns="http://www.w3.org/2000/svg"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
width="49.822006mm"
height="40.336422mm"
viewBox="0 0 49.822006 40.336422"
version="1.1"
id="svg8"
sodipodi:docname="ihsm_shaft_countermeasures_b.svg"
inkscape:version="1.0.1 (3bc2e813f5, 2020-09-07)">
<defs
id="defs2" />
<sodipodi:namedview
id="base"
pagecolor="#ffffff"
bordercolor="#666666"
borderopacity="1.0"
inkscape:pageopacity="0.0"
inkscape:pageshadow="2"
inkscape:zoom="1.1910704"
inkscape:cx="381.22228"
inkscape:cy="206.37328"
inkscape:document-units="mm"
inkscape:current-layer="layer1"
inkscape:document-rotation="0"
showgrid="false"
inkscape:snap-global="true"
inkscape:window-width="2421"
inkscape:window-height="1509"
inkscape:window-x="708"
inkscape:window-y="388"
inkscape:window-maximized="0"
fit-margin-top="5"
fit-margin-left="5"
fit-margin-right="5"
fit-margin-bottom="5" />
<metadata
id="metadata5">
<rdf:RDF>
<cc:Work
rdf:about="">
<dc:format>image/svg+xml</dc:format>
<dc:type
rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
<dc:title></dc:title>
</cc:Work>
</rdf:RDF>
</metadata>
<g
inkscape:label="Layer 1"
inkscape:groupmode="layer"
id="layer1"
transform="translate(-4.1349375,-13.926987)">
<g
id="g1453"
transform="translate(-41.704948)">
<g
id="g1166-4"
transform="translate(-52.587741,-63.048881)"
style="stroke-width:0.2;stroke-miterlimit:4;stroke-dasharray:none">
<g
id="g1091-7"
transform="matrix(1.4664638,0,0,1.4664638,-55.35501,-51.537705)"
style="font-variation-settings:normal;opacity:1;vector-effect:none;fill:none;fill-opacity:1;stroke:#000000;stroke-width:0.136383;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;paint-order:fill markers stroke;stop-color:#000000;stop-opacity:1">
<path
style="font-variation-settings:normal;opacity:1;vector-effect:none;fill:none;fill-opacity:1;stroke:#000000;stroke-width:0.136383;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;paint-order:fill markers stroke;stop-color:#000000;stop-opacity:1"
d="m 121.08483,110.52555 -1.13762,1.13762"
id="path868-26" />
<path
style="font-variation-settings:normal;opacity:1;vector-effect:none;fill:none;fill-opacity:1;stroke:#000000;stroke-width:0.136383;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;paint-order:fill markers stroke;stop-color:#000000;stop-opacity:1"
d="m 121.98488,110.52555 -1.13762,1.13762"
id="path868-8-9" />
<path
style="font-variation-settings:normal;opacity:1;vector-effect:none;fill:none;fill-opacity:1;stroke:#000000;stroke-width:0.136383;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;paint-order:fill markers stroke;stop-color:#000000;stop-opacity:1"
d="m 122.88492,110.52555 -1.13762,1.13762"
id="path868-72-7" />
<path
style="font-variation-settings:normal;opacity:1;vector-effect:none;fill:none;fill-opacity:1;stroke:#000000;stroke-width:0.136383;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;paint-order:fill markers stroke;stop-color:#000000;stop-opacity:1"
d="m 123.78497,110.52555 -1.13762,1.13762"
id="path868-12-3" />
<path
style="font-variation-settings:normal;opacity:1;vector-effect:none;fill:none;fill-opacity:1;stroke:#000000;stroke-width:0.136383;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;paint-order:fill markers stroke;stop-color:#000000;stop-opacity:1"
d="m 124.68501,110.52555 -1.13762,1.13762"
id="path868-27-9" />
<path
style="font-variation-settings:normal;opacity:1;vector-effect:none;fill:none;fill-opacity:1;stroke:#000000;stroke-width:0.136383;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;paint-order:fill markers stroke;stop-color:#000000;stop-opacity:1"
d="m 125.58505,110.52555 -1.13762,1.13762"
id="path868-2-1" />
<path
style="font-variation-settings:normal;opacity:1;vector-effect:none;fill:none;fill-opacity:1;stroke:#000000;stroke-width:0.136383;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;paint-order:fill markers stroke;stop-color:#000000;stop-opacity:1"
d="m 118.38471,110.52555 -1.13762,1.13762"
id="path868-27-8-1" />
<path
style="font-variation-settings:normal;opacity:1;vector-effect:none;fill:none;fill-opacity:1;stroke:#000000;stroke-width:0.136383;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;paint-order:fill markers stroke;stop-color:#000000;stop-opacity:1"
d="m 118.38653,110.51707 h 7.20019"
id="path1040-2"
sodipodi:nodetypes="cc" />
<path
style="font-variation-settings:normal;opacity:1;vector-effect:none;fill:none;fill-opacity:1;stroke:#000000;stroke-width:0.136383;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;paint-order:fill markers stroke;stop-color:#000000;stop-opacity:1"
d="m 120.18479,110.52555 -1.13762,1.13762"
id="path868-7-8" />
<path
style="font-variation-settings:normal;opacity:1;vector-effect:none;fill:none;fill-opacity:1;stroke:#000000;stroke-width:0.136383;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;paint-order:fill markers stroke;stop-color:#000000;stop-opacity:1"
d="m 119.28475,110.52555 -1.13762,1.13762"
id="path868-3-5" />
</g>
<path
id="rect833-4"
style="font-variation-settings:normal;opacity:1;vector-effect:none;fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:0.755906;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;paint-order:fill markers stroke;stop-color:#000000;stop-opacity:1"
d="M 261.17383,78.117188 V 106.21875 H 220.8418 v 2.125 25.29687 0.75196 h 40.33203 v 45.01562 h 12.46289 v -45.01562 h 40.33008 v -2.125 -25.1211 -0.92773 H 273.63672 V 78.117188 Z M 223.7793,108.34375 h 37.39453 12.46289 37.39258 v 23.92383 h -87.25 z"
transform="matrix(0.26458333,0,0,0.26458333,52.587741,63.048881)"
sodipodi:nodetypes="cccccccccccccccccccccccc" />
<g
id="g840-5"
transform="matrix(3.3110731,0,0,3.3110731,-210.43824,-304.16294)"
style="opacity:1;stroke:#ff0000;stroke-width:0.0604034;stroke-miterlimit:4;stroke-dasharray:none">
<path
style="fill:none;stroke:#ff0000;stroke-width:0.151008;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
d="m 95.608189,116.75273 v 0.40521 l 0.716389,0.27243 -1.321788,0.32288 0.605399,0.32288 v 3.79757 h 4.342889"
id="path837-6"
sodipodi:nodetypes="ccccccc" />
</g>
<use
x="0"
y="0"
xlink:href="#g840-5"
id="use842-4"
transform="matrix(-1,0,0,1,246.67726,0)"
width="100%"
height="100%"
style="opacity:1;stroke:#ff0000;stroke-width:0.5;stroke-miterlimit:4;stroke-dasharray:none" />
<g
id="g866-9"
transform="translate(0,18.33469)"
style="stroke-width:0.2;stroke-miterlimit:4;stroke-dasharray:none">
<rect
style="opacity:1;fill:#ffffff;fill-rule:evenodd;stroke-width:0.203302;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;paint-order:fill markers stroke;stop-color:#000000"
id="rect861-4"
width="4.0434227"
height="1.6316246"
x="125.36732"
y="96.227684"
transform="matrix(0.96777752,-0.25180681,0,1,0,0)" />
<path
style="font-variation-settings:normal;opacity:1;vector-effect:none;fill:none;fill-opacity:1;stroke:#000000;stroke-width:0.2;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;stop-color:#000000;stop-opacity:1"
d="M 121.0354,66.421635 125.64186,65.1873"
id="path844-2" />
<path
style="font-variation-settings:normal;opacity:1;vector-effect:none;fill:none;fill-opacity:1;stroke:#000000;stroke-width:0.2;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;stop-color:#000000;stop-opacity:1"
d="m 121.0354,65.536684 4.60646,-1.234335"
id="path844-1-6" />
</g>
<rect
style="font-variation-settings:normal;opacity:1;vector-effect:none;fill:#ff0000;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:0.2;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;paint-order:fill markers stroke;stop-color:#000000;stop-opacity:1"
id="rect1327"
width="5.238483"
height="5.5658879"
x="120.71939"
y="91.720215" />
<path
style="font-variation-settings:normal;opacity:1;vector-effect:none;fill:none;fill-opacity:1;stroke:#ff0000;stroke-width:0.5;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;stop-color:#000000;stop-opacity:1"
d="m 114.60763,97.286103 h 17.37586"
id="path1329" />
</g>
</g>
</g>
</svg>
Side by side

After

Width:  |  Height:  |  Size: 11 KiB

BIN
doc/paper/ihsm_shaft_countermeasures_c.pdf Executable file
View file

Binary file not shown.

246
doc/paper/ihsm_shaft_countermeasures_c.svg Executable file
View file

@ -0,0 +1,246 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<svg
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:cc="http://creativecommons.org/ns#"
xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
xmlns:svg="http://www.w3.org/2000/svg"
xmlns="http://www.w3.org/2000/svg"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
width="49.822006mm"
height="40.336422mm"
viewBox="0 0 49.822006 40.336422"
version="1.1"
id="svg8"
sodipodi:docname="ihsm_shaft_countermeasures_c.svg"
inkscape:version="1.0.1 (3bc2e813f5, 2020-09-07)">
<defs
id="defs2" />
<sodipodi:namedview
id="base"
pagecolor="#ffffff"
bordercolor="#666666"
borderopacity="1.0"
inkscape:pageopacity="0.0"
inkscape:pageshadow="2"
inkscape:zoom="1.1910704"
inkscape:cx="381.22228"
inkscape:cy="196.04422"
inkscape:document-units="mm"
inkscape:current-layer="layer1"
inkscape:document-rotation="0"
showgrid="false"
inkscape:snap-global="true"
inkscape:window-width="2421"
inkscape:window-height="1509"
inkscape:window-x="708"
inkscape:window-y="388"
inkscape:window-maximized="0"
fit-margin-top="5"
fit-margin-left="5"
fit-margin-right="5"
fit-margin-bottom="5" />
<metadata
id="metadata5">
<rdf:RDF>
<cc:Work
rdf:about="">
<dc:format>image/svg+xml</dc:format>
<dc:type
rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
<dc:title></dc:title>
</cc:Work>
</rdf:RDF>
</metadata>
<g
inkscape:label="Layer 1"
inkscape:groupmode="layer"
id="layer1"
transform="translate(-4.1349375,-13.926987)">
<g
id="g1166-4-8"
transform="translate(-134.70384,-65.200401)"
style="stroke-width:0.2;stroke-miterlimit:4;stroke-dasharray:none">
<g
id="g2049"
transform="translate(40.411152)">
<g
id="g1091-7-9"
transform="matrix(1.4664638,0,0,1.4664638,-55.35501,-49.386185)"
style="font-variation-settings:normal;opacity:1;vector-effect:none;fill:none;fill-opacity:1;stroke:#000000;stroke-width:0.136383;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;paint-order:fill markers stroke;stop-color:#000000;stop-opacity:1">
<path
style="font-variation-settings:normal;opacity:1;vector-effect:none;fill:none;fill-opacity:1;stroke:#000000;stroke-width:0.136383;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;paint-order:fill markers stroke;stop-color:#000000;stop-opacity:1"
d="m 121.08483,110.52555 -1.13762,1.13762"
id="path868-26-3" />
<path
style="font-variation-settings:normal;opacity:1;vector-effect:none;fill:none;fill-opacity:1;stroke:#000000;stroke-width:0.136383;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;paint-order:fill markers stroke;stop-color:#000000;stop-opacity:1"
d="m 121.98488,110.52555 -1.13762,1.13762"
id="path868-8-9-0" />
<path
style="font-variation-settings:normal;opacity:1;vector-effect:none;fill:none;fill-opacity:1;stroke:#000000;stroke-width:0.136383;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;paint-order:fill markers stroke;stop-color:#000000;stop-opacity:1"
d="m 122.88492,110.52555 -1.13762,1.13762"
id="path868-72-7-7" />
<path
style="font-variation-settings:normal;opacity:1;vector-effect:none;fill:none;fill-opacity:1;stroke:#000000;stroke-width:0.136383;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;paint-order:fill markers stroke;stop-color:#000000;stop-opacity:1"
d="m 123.78497,110.52555 -1.13762,1.13762"
id="path868-12-3-2" />
<path
style="font-variation-settings:normal;opacity:1;vector-effect:none;fill:none;fill-opacity:1;stroke:#000000;stroke-width:0.136383;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;paint-order:fill markers stroke;stop-color:#000000;stop-opacity:1"
d="m 124.68501,110.52555 -1.13762,1.13762"
id="path868-27-9-8" />
<path
style="font-variation-settings:normal;opacity:1;vector-effect:none;fill:none;fill-opacity:1;stroke:#000000;stroke-width:0.136383;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;paint-order:fill markers stroke;stop-color:#000000;stop-opacity:1"
d="m 125.58505,110.52555 -1.13762,1.13762"
id="path868-2-1-4" />
<path
style="font-variation-settings:normal;opacity:1;vector-effect:none;fill:none;fill-opacity:1;stroke:#000000;stroke-width:0.136383;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;paint-order:fill markers stroke;stop-color:#000000;stop-opacity:1"
d="m 118.38471,110.52555 -1.13762,1.13762"
id="path868-27-8-1-7" />
<path
style="font-variation-settings:normal;opacity:1;vector-effect:none;fill:none;fill-opacity:1;stroke:#000000;stroke-width:0.136383;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;paint-order:fill markers stroke;stop-color:#000000;stop-opacity:1"
d="m 118.38653,110.51707 h 7.20019"
id="path1040-2-6"
sodipodi:nodetypes="cc" />
<path
style="font-variation-settings:normal;opacity:1;vector-effect:none;fill:none;fill-opacity:1;stroke:#000000;stroke-width:0.136383;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;paint-order:fill markers stroke;stop-color:#000000;stop-opacity:1"
d="m 120.18479,110.52555 -1.13762,1.13762"
id="path868-7-8-1" />
<path
style="font-variation-settings:normal;opacity:1;vector-effect:none;fill:none;fill-opacity:1;stroke:#000000;stroke-width:0.136383;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;paint-order:fill markers stroke;stop-color:#000000;stop-opacity:1"
d="m 119.28475,110.52555 -1.13762,1.13762"
id="path868-3-5-8" />
</g>
<path
style="font-variation-settings:normal;opacity:1;vector-effect:none;fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:0.2;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;paint-order:fill markers stroke;stop-color:#000000;stop-opacity:1"
d="m 118.81567,95.713037 v 0.645726 h 2.87448 v 16.356827 h 3.29748 V 96.358763 h 2.73316 v -0.645726 z"
id="path1713"
sodipodi:nodetypes="ccccccccc" />
<path
style="font-variation-settings:normal;opacity:1;vector-effect:none;fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:0.755906;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;paint-order:fill markers stroke;stop-color:#000000;stop-opacity:1"
d="m 419.56641,78.117188 v 28.101562 h -40.33203 v 2.125 h 93.125 v -2.125 H 432.0293 V 78.117188 Z"
transform="matrix(0.26458333,0,0,0.26458333,10.679875,63.048881)"
id="rect833-4-6"
sodipodi:nodetypes="ccccccccc" />
<g
id="g840-5-8"
transform="matrix(3.3110731,0,0,3.3110731,-210.43824,-304.16294)"
style="opacity:1;stroke:#ff0000;stroke-width:0.0604034;stroke-miterlimit:4;stroke-dasharray:none">
<path
style="fill:none;stroke:#ff0000;stroke-width:0.151008;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
d="m 95.608189,117.33706 v 0.40521 l 0.716389,0.27243 -1.321788,0.32288 0.605399,0.32288 v 3.79757 h 4.342889 v -1.29199"
id="path837-6-6"
sodipodi:nodetypes="cccccccc" />
</g>
<use
x="0"
y="0"
xlink:href="#g840-5-8"
id="use842-4-7"
transform="matrix(-1,0,0,1,246.67726,0)"
width="100%"
height="100%"
style="opacity:1;stroke:#ff0000;stroke-width:0.5;stroke-miterlimit:4;stroke-dasharray:none" />
<g
id="g866-9-9"
transform="translate(0,18.33469)"
style="stroke-width:0.2;stroke-miterlimit:4;stroke-dasharray:none">
<rect
style="opacity:1;fill:#ffffff;fill-rule:evenodd;stroke-width:0.203302;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;paint-order:fill markers stroke;stop-color:#000000"
id="rect861-4-5"
width="4.0434227"
height="1.6316246"
x="125.36732"
y="96.227684"
transform="matrix(0.96777752,-0.25180681,0,1,0,0)" />
<path
style="font-variation-settings:normal;opacity:1;vector-effect:none;fill:none;fill-opacity:1;stroke:#000000;stroke-width:0.2;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;stop-color:#000000;stop-opacity:1"
d="M 121.0354,66.421635 125.64186,65.1873"
id="path844-2-9" />
<path
style="font-variation-settings:normal;opacity:1;vector-effect:none;fill:none;fill-opacity:1;stroke:#000000;stroke-width:0.2;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;stop-color:#000000;stop-opacity:1"
d="m 121.0354,65.536684 4.60646,-1.234335"
id="path844-1-6-5" />
</g>
<rect
style="font-variation-settings:normal;opacity:1;vector-effect:none;fill:#ff0000;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:0.2;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;paint-order:fill markers stroke;stop-color:#000000;stop-opacity:1"
id="rect1327-5"
width="5.238483"
height="3.0192733"
x="120.71939"
y="91.720215" />
<path
style="font-variation-settings:normal;opacity:1;vector-effect:none;fill:none;fill-opacity:1;stroke:#ff0000;stroke-width:0.5;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;stop-color:#000000;stop-opacity:1"
d="M 112.97699,94.904854 H 133.983"
id="path1329-3" />
<path
id="rect833-4-6-9-1"
style="font-variation-settings:normal;opacity:1;vector-effect:none;fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:0.2;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;paint-order:fill markers stroke;stop-color:#000000;stop-opacity:1"
d="m 111.02266,91.186402 v 0.699043 8.157205 0.24737 h 0.76068 v -9.103618 z" />
<g
id="g1941">
<path
id="rect1690"
style="font-variation-settings:normal;opacity:1;vector-effect:none;fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:0.2;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;paint-order:fill markers stroke;stop-color:#000000;stop-opacity:1"
d="m 116.5067,99.72778 v 0.56224 h 2.90595 v -0.56224 z" />
<path
id="rect1690-0"
style="font-variation-settings:normal;opacity:1;vector-effect:none;fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:0.2;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;paint-order:fill markers stroke;stop-color:#000000;stop-opacity:1"
d="m 111.02266,99.727777 v 0.562243 h 3.01118 v -0.562243 z" />
<path
id="path1602-6-2-5"
style="font-variation-settings:normal;opacity:1;vector-effect:none;fill:#ff0000;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:0.2;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;paint-order:fill markers stroke;stop-color:#000000;stop-opacity:1"
d="m 112.45128,94.654867 v 0.34739 4.053702 0.122924 h 0.59698 v -4.524029 z" />
<path
id="path1602-6-2-5-7"
style="font-variation-settings:normal;opacity:1;vector-effect:none;fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:0.2;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;paint-order:fill markers stroke;stop-color:#000000;stop-opacity:1"
d="m 118.81567,95.713037 v 0.161622 1.885975 0.0572 h 0.59698 v -2.10479 z" />
<path
id="path1602-6-2-5-3"
style="font-variation-settings:normal;opacity:1;vector-effect:none;fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:0.2;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;paint-order:fill markers stroke;stop-color:#000000;stop-opacity:1"
d="m 116.24606,95.713037 v 0.161622 1.885977 0.0572 h 0.59698 v -2.104795 z" />
<path
id="path1602-6-2-5-8"
style="font-variation-settings:normal;opacity:1;vector-effect:none;fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:0.2;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;paint-order:fill markers stroke;stop-color:#000000;stop-opacity:1"
d="m 113.71621,95.713037 v 0.161622 1.885978 0.0572 h 0.59698 v -2.104796 z" />
<path
id="path1602-6-2-5-0"
style="font-variation-settings:normal;opacity:1;vector-effect:none;fill:#ff0000;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:0.2;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;paint-order:fill markers stroke;stop-color:#000000;stop-opacity:1"
d="m 117.51098,94.654867 v 0.347389 4.053703 0.122923 h 0.59698 v -4.524028 z" />
<path
id="path1602-6-2-5-0-9"
style="font-variation-settings:normal;opacity:1;vector-effect:none;fill:#ff0000;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:0.2;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;paint-order:fill markers stroke;stop-color:#000000;stop-opacity:1"
d="m 114.98113,96.939146 v 0.354405 4.135579 0.12542 h 0.59698 v -4.615395 z" />
<path
id="rect1690-0-7"
style="font-variation-settings:normal;opacity:1;vector-effect:none;fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:0.2;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;paint-order:fill markers stroke;stop-color:#000000;stop-opacity:1"
d="m 113.71621,95.713037 v 0.562243 h 3.01118 v -0.562243 z" />
<path
id="path1602-6-2-5-3-4"
style="font-variation-settings:normal;opacity:1;vector-effect:none;fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:0.2;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;paint-order:fill markers stroke;stop-color:#000000;stop-opacity:1"
d="m 116.24606,97.378429 v 0.223575 2.608916 0.0791 h 0.59698 v -2.911616 z" />
<path
id="path1602-6-2-5-8-8"
style="font-variation-settings:normal;opacity:1;vector-effect:none;fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:0.2;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;paint-order:fill markers stroke;stop-color:#000000;stop-opacity:1"
d="m 113.71621,97.378429 v 0.223575 2.608916 0.0791 h 0.59698 v -2.911616 z" />
<path
id="path1602-6-2-5-7-3"
style="font-variation-settings:normal;opacity:1;vector-effect:none;fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:0.2;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;paint-order:fill markers stroke;stop-color:#000000;stop-opacity:1"
d="m 118.81567,96.68356 v 0.276931 3.231519 0.098 h 0.59698 v -3.606448 z" />
</g>
<use
x="0"
y="0"
xlink:href="#g1941"
id="use1943"
transform="matrix(-1,0,0,1,246.68095,0)"
width="100%"
height="100%" />
<path
id="rect833-4-6-9-1-5"
style="font-variation-settings:normal;opacity:1;vector-effect:none;fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:0.2;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;paint-order:fill markers stroke;stop-color:#000000;stop-opacity:1"
d="m 134.89761,91.186402 v 0.699043 8.157205 0.24737 h 0.76068 v -9.103618 z" />
</g>
</g>
</g>
</svg>
Side by side

After

Width:  |  Height:  |  Size: 18 KiB

BIN
doc/paper/rotohsm_paper.pdf
View file

Binary file not shown.

582
doc/paper/rotohsm_paper.tex
View file

@ -1,6 +1,4 @@
\documentclass[10pt,journal,a4paper]{IEEEtran}
\usepackage[english]{babel}
\usepackage[utf8]{inputenc}
\documentclass[nohyperref]{iacrtrans}
\usepackage[T1]{fontenc}
\usepackage[
backend=biber,
@ -12,74 +10,34 @@
]{biblatex}
\addbibresource{rotohsm.bib}
\usepackage{amssymb,amsmath}
\usepackage{listings}
\usepackage{eurosym}
\usepackage{wasysym}
\usepackage{amsthm}
\usepackage{tabularx}
\usepackage{multirow}
\usepackage{multicol}
\usepackage{tikz}
\usepackage{mathtools}
\DeclarePairedDelimiter{\ceil}{\lceil}{\rceil}
\DeclarePairedDelimiter{\paren}{(}{)}
\usetikzlibrary{arrows}
\usetikzlibrary{chains}
\usetikzlibrary{backgrounds}
\usetikzlibrary{calc}
\usetikzlibrary{decorations.markings}
\usetikzlibrary{decorations.pathreplacing}
\usetikzlibrary{fit}
\usetikzlibrary{patterns}
\usetikzlibrary{positioning}
\usetikzlibrary{shapes}
\usepackage[binary-units]{siunitx}
\DeclareSIUnit{\baud}{Bd}
\DeclareSIUnit{\year}{a}
\usepackage{hyperref}
\usepackage{tabularx}
\usepackage{commath}
\usepackage{graphicx,color}
\usepackage{ccicons}
\usepackage{subcaption}
\usepackage{float}
\usepackage{footmisc}
\usepackage{array}
\usepackage[underline=false]{pgf-umlsd}
\usetikzlibrary{calc}
%\usepackage[pdftex]{graphicx,color}
\usepackage{epstopdf}
\usepackage{pdfpages}
\usepackage{minted} % pygmentized source code
\usepackage{hyperref}
\renewcommand{\floatpagefraction}{.8}
\newcommand{\degree}{\ensuremath{^\circ}}
\newcolumntype{P}[1]{>{\centering\arraybackslash}p{#1}}
\usepackage{fancyhdr}
\fancyhf{}
\fancyfoot[C]{\thepage}
\newcommand{\includenotebook}[2]{
\fancyhead[C]{Included Jupyter notebook: #1}
\includepdf[pages=1,
pagecommand={\thispagestyle{fancy}\section{#1}\label{#2_notebook}}
]{resources/#2.pdf}
\includepdf[pages=2-,
pagecommand={\thispagestyle{fancy}}
]{resources/#2.pdf}
}
\newcommand{\partnum}[1]{\texttt{#1}}
\begin{document}
\title{Can't Touch This: Inerial HSMs Thwart Advanced Physical Attacks}
\author{Jan Götte}
\date{2020-12-20}
\title[Can't Touch This]{Inertial HSMs Thwart Advanced Physical Attacks}
\author{Jan Sebastian Götte \and Björn Scheuermann}
\institute{HIIG\\ \email{ihsm@jaseg.de} \and Björn Scheuermann \\ \email{scheuermann@informatik.hu-berlin.de}}
% FIXME keywords
\keywords{hardware security \and implementation \and smart cards \and electronic commerce}
\maketitle
\section*{Abstract}
\begin{abstract}
In this paper, we introduce a novel countermeasure against physical attacks: Inertial hardware security modules (iHSMs).
Conventional systems have in common that they try to detect attacks by crafting sensors responding to increasingly
minute manipulations of the monitored security boundary or volume. Our approach is novel in that we reduce the
@ -89,6 +47,7 @@ the rotation are easily monitored with commercial MEMS accelerometers and gyrosc
can easily be built from off-the-shelf parts by any university electronics lab, yet offers a level of security that is
comparable to commercial HSMs. By building prototype hardware we have demonstrated solutions to the concept's
engineering challenges.
\end{abstract}
\section{Introduction}
@ -235,6 +194,18 @@ tangential velocity is low. Faster rotation can lessen the severity of this at t
mechanical load but can never eliminate it. This effect can be alleviated in two ways: Either by adding additional
tamper protection at the axis, or by having the HSM perform a compound rotation that has no fixed axis.
A beneficial side-effect of rotation is that an attacker trying to follow the motion would have to rotate around
the same axis. By choosing a suitable rotation frequency we can thus prevent an attacker from following the devices
motion since doing so would subject them to impractically large centrifugal forces. Essentially, this limits the
approximate maximum size and mass of an attacker based on an assumption on tolerable centrifugal force (see Appendix
\ref{sec_minimum_angular_velocity}).
Large centrifugal acceleration at high speeds poses the engineering challenge of preventing rapid unscheduled
disassembly of the device, but it also creates an obstacle to any attacker trying to manipulate the device.
From a coarse calculation (Appendix \ref{sec_minimum_angular_velocity}) we conclude that even at moderate speeds (above
$\SI{500}{rpm}$), a manual attack is no longer possible and any attack would have to be carried out using either
computer control or precise mechanics.
In this paper we focus on rotating IHSMs for simplicity of construction. For our initial research, we are focusing on
systems having a fixed axis of rotation due to their relative simplicity in prototype construction but we note the
challenge of hardening the shaft against tampering.
@ -270,35 +241,56 @@ able to measure any external force applied to the IHSM's rotor and should alread
manipulation.
While the obvious choice to monitor rotation would be a tachometer such as a magnetic or opitical sensor attached to the
IHSM's shaft, this would be a poor choice in our application. Both optical and matgnetic sensors are susceptible to
IHSM's shaft, this would be a poor choice in our application. Both optical and magnetic sensors are susceptible to
contact-less interference from outside. Instead, an accelerometer is a good component to serve as an IHSM's tamper
sensor.
sensor. Modern fully intergrated MEMS accelerometers are very precise. By comparing acceleration measurements against a
model of the device's mechanical motion, deviations can quickly be detected. This limits an attacker's ability to tamper
with the device's motion. It may also allow remote monitoring of the device's mechanical components such as bearings.
Accelerometers are fast enough to capture vibrations, which can be used as an early warning sign of failing mechanical
components. % FIXME citation
%%%
In a spinning IHSM, an accelerometer mounted at a known radius with its axis pointing radially will measure centrifugal
acceleration. Centrifugal acceleration rises linearly with radius, and with the square of frequency: $a=\omega^2 r$. For
a given target speed of rotation, the accelerometer's location has to be carefully chosen to maximize dynamic range. A
key point here is that for rotation speeds between $500$ and $\SI{1000}{rpm}$, centrifugal acceleration already becomes
very large at a radius of just a few $\si{\centi\meter}$. At $\SI{1000}{rpm}=\SI{17}{\hertz}$ at a
$\SI{10}{\centi\meter}$ radius acceleration already is above $\SI{1000}{\meter\per\second}$ or $100\,g$. Off-axis
performance of commercial accelerometers is usually in the order of $\SI{1}{\percent}$ so this large acceleration will
feed through into all accelerometer axes, even those that are tangential to the rotation. It also means that we either
have to place the accelerometer close to the axis or we are limited to a small selection of high-$g$ accelerometers
mostly used in automotive applications.
First, for motion to effectively disincentivize tampering, the HSM has to move fairly fast.
If any point of the HSM's tamper sensing shell moves slow enough for a human to follow, that point becomes a weak spot.
For illustration, consider linear oscillating motion like that of a pendulum.
At its apex, the pendulum becomes stationary and an attacker could use that split second of the device not moving.
To evaluate the feasibility of accelerometers as tamper sensors we can use a simple benchmark: Let us assume that an
IHSM is spinning at $\SI{1000}{rpm}$ and that we wish to detect any attempt to brake it below $\SI{500}{rpm}$. The
difference in centrifugal acceleration will be a factor of $\frac{\omega_2^2}{\omega_1^2}=4$. This results in a
factor-$4$ difference in absolute acceleration that our accelerometer must be able to detect. If we choose our
accelerometer's location to maximize its dynamic range, any commercial MEMS accelerometer should suffice for this degree
of accuracy. For rapid deceleration, commercial accelerometers will be much more sensitive as effects of long-term drift
can be ignored. If we wish to also detect very slow deceleration, we have to take into account the accelerometer's drift
characteristics.
Second, a spinning HSM is potentially more compact than some alternatives like a pendulum or more exotic concepts such
as an HSM on wheels. Its main disadvantage is its circular envelope: When using components such as standard server
hardware for its payload, these components likely come in a rectangular form factor leading to dead space inside the
HSM. Mounting the HSM in a standard rackmount enclosure will also lead to significant dead space around the HSM. An
``vibrating'' HSM with a small amplitude of oscillation might potentially lead to a more compact solution, but this
compactness would come at increased engineering complexity and increased material stresses.
% TODO review below paragraph
In Section~\ref{sec_accel_meas} below we conduct an empirical evaluation of a commercial automotive high-$g$
accelerometer for braking detection in our prototype IHSM.
In Appendix~\ref{sec_degrees_of_freedom} we consider accelerometer configurations and we conclude that one three-axis
accelerometer each in the rotor and in the stator are a good baseline configuration. In general, the system will be more
sensitive to attacks if we over-determine the system of equations describing its motion by using more sensors than
necessary.
Third and finally, constant rotation leads to a predictable, constant acceleration anywhere in the rotating part. This
allows the use of an accelerometer for tamper detection with minimal signal post-processing.
\subsection{Mechanical layout}
A beneficial side-effect of spinning the HSM is that an attacker trying to follow the motion would have to rotate around
the same axis, subjecting them to very large centrifugal accleration.
This allows us to limit the approximate maximum size and mass of an attacker using an assumption on tolerable
centrifugal force (see Appendix \ref{sec_minimum_angular_velocity}).
With our IHSM's components taken care of, what remains to be decided is how to put together these individual components
into a complete device. A basic spinning HSM might look like shown in Figure~\ref{fig_schema_one_axis}. Shown are the
axis of rotation, an accelerometer on the rotating part used to detect braking, the protected payload and the area
covered by the rotating tamper detection mesh.
A basic spinning HSM might look like shown in Figure \ref{fig_schema_one_axis}. Shown are the axis of rotation, an
accelerometer on the rotating part used to detect braking, the protected payload and the area covered by the rotating
tamper detection mesh.
A key observation is that we only have to move the tamper protection mesh, not the entire contents of the HSM.
The HSM's payload and with it most of the HSM's mass can be stationary. This reduces the moment of inertia of the
moving part.
This basic schema accepts a weak spot at the point where the shaft penetrates the spinning mesh. This trade-off makes
for a simple mechanical construction and allows power and data connections to the stationary payload through a hollow
shaft.
\begin{figure}
\center
@ -308,112 +300,99 @@ tamper detection mesh.
\label{fig_schema_one_axis}
\end{figure}
\section{Using accelerometers as rotation sensors}
In a rotating reference frame, centrifugal force is proportional to the square of angular velocity and proportional to
distance from the axis of rotation. We can exploit this fact to use an accelerometer as a sensor that detects any
disturbance to the HSM's rotation. We place the accelerometer at a known distance from the axis of rotation. When the
axis of rotation is vertical, during constant rotation tangential acceleration will be zero and acceleration along the
axis of rotation will be $\SI{1}{\g}$. Centrifugal acceleration will be constant.
Large centrifugal acceleration at high speeds poses the engineering challenge of preventing rapid unscheduled
disassembly of the device, but it also creates an obstacle to any attacker trying to manipulate the device.
A key observation is that we only have to move the tamper protection mesh, not the entire contents of the HSM.
The HSM's payload and with it most of the HSM's mass can be stationary.
This reduces the moment of inertia of the moving part and it means that we can use cables for power and data connections
to the payload.
From a coarse calculation (Appendix \ref{sec_minimum_angular_velocity}) we conclude that even at moderate speeds (above
$\SI{500}{rpm}$), a manual attack is no longer possible and any attack would have to be carried out using either
computer control or precise mechanics.
In Appendix \ref{sec_degrees_of_freedom} we consider sensor configurations and we conclude that one three-axis
accelerometer each in the rotor and in the stator are a good baseline configuration. In general, the system will be more
sensitive to attacks if we over-determine the system of equations describing its motion by using more sensors than
necessary.
\subsection{Mechanical layout}
Thinking about the concrete construction of our mechanical HSM, the first challenge is mounting both mesh and payload on
a single shaft. The simplest way we found to mount a stationary payload inside of a spinning security mesh is a hollow
shaft. The payload can be mounted on a fixed rod threaded through this hollow shaft along with wires for power and
data. The shaft is a weak spot of the system, but this weak spot can be alleviated through either careful construction
or a second layer of rotating meshes with a different axis of rotation. Configurations that do not use a hollow-shaft
motor are possible, but may require additional bearings to keep the stator from vibrating.
The next design choice we have to make is the physical structure of the security mesh. The spinning mesh must be
designed to cover the entire surface of the payload, but compared to a traditional HSM it suffices if it sweeps over
every part of the payload once per rotation. This means we can design longitudinal gaps into the mesh that allow outside
air to flow through to the payload. In traditional boundary-sensing HSMs, cooling of the payload processor is a serious
issue since any air duct or heat pipe would have to penetrate the HSM's security boundary. This problem can only be
solved with complex and costly siphon-style constructions, so in commercial systems heat conduction is used
exclusively~\cite{isaacs2013}. This limits the maximum power dissipation of the payload and thus its processing power.
Our setup allows direct air cooling of regular heatsinks. This greatly increases the maximum possible power dissipation
of the payload and unlocks much more powerful processing capabilities. In an evolution of our design, the spinning mesh
could even be designed to \emph{be} a cooling fan.
\subsection{Spinning mesh power and data transmission}
On the electrical side, the idea of a security mesh spinning at more than $\SI{500}{rpm}$ leaves us with a few
implementation challenges. Since the spinning mesh must be monitored for breaks or short circuits continuously, we need
both a power supply for the spinning monitoring circuit and a data link to the stator.
We found that a bright lamp shining at a rotating solar panel is a good starting point. In contrast to e.g.\ slip
rings, this setup is mechanically durable at high speeds and it also provides reasonable output power (see Appendix
\ref{sec_energy_calculations} for an estimation of power consumption). A battery may not provide a useful lifetime
without power-optimization. Likewise, an energy harvesting setup may not provide enough current to supply peak demand.
Since the monitoring circuit uses little current, power transfer efficiency is not important. On the other hand, cost
may be a concern in a production device. Here it may prove worthwhile to replace the solar cell setup with an extra
winding on the rotor of the BLDC motor driving the spinning mesh. This motor is likely to be a custom part, so adding
an extra winding is unlikely to increase cost significantly. More traditional inductive power transfer may also be an
option if it can be integrated into the mechanical design.
Besides power, the data link between spinning mesh and payload is critical to the HSM's design. This link is used to
transmit the occassional status report along with a low-latency alarm trigger (``heartbeat'') signal from mesh to payload.
As we will elaborate in Section~\ref{sec_proto} a simple infrared optical link turned out to be a good solution for this
purpose.
\subsection{Tamper detection}
The spinning mesh must be designed to cover the entire surface of the payload, but in contrast to a traditional HSM it
suffices if it sweeps over every part of the payload once per rotation. This means we can design longitudinal gaps into
the mesh that allow outside air to flow through to the payload. In traditional boundary-sensing HSMs, cooling of the
payload processor is a serious issue since any air duct or heat pipe would have to penetrate the HSM's security
boundary. This problem can only be solved with complex and costly siphon-style constructions, so in commercial systems
heat conduction is used exclusively~\cite{isaacs2013}. This limits the maximum power dissipation of the payload and thus
its processing power. Our setup allows direct air cooling of regular heatsinks. This greatly increases the maximum
possible power dissipation of the payload and unlocks much more powerful processing capabilities. In an evolution of
our design, the spinning mesh could even be designed to \emph{be} a cooling fan.
\section{Attacks}
\label{sec_attacks}
After outlining the basic mechanical design of an inertial HSM above, in this section we will detail possible ways to
attack it. Fundamentally, attacks on an inertial HSM are the same as those on a traditional HSM since the tamper
detection mesh is the same. Only, in the inertial HSM any attack on the mesh has to be carried out while the mesh is
rotating, which for most types of attack will require some kind of CNC attack robot moving in sync with it.
attack it. At the core of an IHSM's defenses is the same security mesh that is also used in traditional HSMs. This means
that in the end an attacker will have to perform the same steps they would have to perform to attack a traditional HSM.
Only to attack an IHSM, assuming that the braking detection system works they will have to perform these steps with a
tool that follows the HSMs rotation at high speed. This may require specialized mechanical tools, CNC actuators or
even a contactless attack using a laser, plasma jet or water jet.
\subsection{Attacking at the axis of rotation}
\subsection{Mechanical weak spots}
\subsection{Attacks on the mesh}
The tamper defense of an IHSM rests on the security mesh moving too fast to tamper. Depending on the type of motion
used, the meshes speed may vary by location and over time. Our example configuration of a rotating mesh can keep moving
continuously, so it does not have any time-dependent weak spots. It does however have a weak spot at its axis of
rotation, at the point where the shaft penetrates the mesh. The meshes tangential velocity decreases close to the shaft,
and the shaft itself may allow an attacker to insert tools such as probes into the device through the opening it
creates.
There are two locations where one can attack a tamper-detection mesh. On one hand, the mesh itself can be tampered with.
This includes bridging its traces to allow for a hole to be cut. The other option is to tamper with the monitoring
circuit itself to prevent a damaged mesh from triggering an alarm and causing the HSM to erase its
contents~\cite{dexter2015}. Attacks in both locations are electronic attacks, i.e. they require electrical contact to
This issue is related to the issue conventional HSMs also face with their power and data connections. In conventional
HSMs, power and data are routed into the enclosure through the PCB or flat flex cables sandwiched in between
security mesh foil layers. By using a thin substrate and by creating a meandering path by folding the interconnect
substrate/security mesh layers several times, in traditional HSMs this interface rarely is a mechanical weak spot. In
inertial HSMs, careful engineering is necessary to achieve the same effect. Figure~\ref{shaft_cm} shows variations
of the shaft interface of increasing level of complexity.
\begin{figure}
\begin{subfigure}[t]{0.3\textwidth}
\center
\includegraphics[width=4cm]{ihsm_shaft_countermeasures_a.pdf}
\caption{Cross-sectional view of the basic configuration with no special protection of the shaft. Red: Moving
mesh -- Black: Stationary part.}
\label{shaft_cm_a}
\end{subfigure}
\hfill
\begin{subfigure}[t]{0.3\textwidth}
\center
\includegraphics[width=4cm]{ihsm_shaft_countermeasures_b.pdf}
\caption{An internal counter-rotating disc greatly decreases the space available to attackers at the expense of
another moving part and a second moving monitoring circuit.}
\label{shaft_cm_a}
\end{subfigure}
\hfill
\begin{subfigure}[t]{0.3\textwidth}
\center
\includegraphics[width=4cm]{ihsm_shaft_countermeasures_c.pdf}
\caption{A second moving tamper detection mesh also enables more complex topographies.}
\label{shaft_cm_a}
\end{subfigure}
\caption{Mechanical countermeasures to attacks through or close to a rotating IHSM's shaft.}
\label{shaft_cm}
\end{figure}
\subsection{Attacking the mesh in motion}
To disable the mesh itself, an attacker can choose two paths. One is to attack the mesh itself, for example by bridging
its traces to allow for a hole to be cut. The other option is to tamper with the monitoring
circuit to prevent a damaged mesh from triggering an alarm~\cite{dexter2015}.
Attacks in both locations are electronic attacks, i.e. they require electrical contact to
parts of the circuit. Traditionally, this contact is made by soldering or by placing a probe such as a thin needle. We
consider this contact infeasible to be performed on an object spinning at high speed without a complex setup that
rotates along with the object or that involves ion beams, electron beams or liquids. Thus, we consider them to be
practically infeasible outside of a well-funded, special-purpose laboratory.
consider this type of attack hard to perform on an object spinning at high speed. Possible remaining attack avenues may
be to rotate an attack tool in sync with the mesh, or to use a laser or ion beam fired at the mesh to cut traces or
carbonize parts of the substrate to create electrical connections. Encapsulating the mesh in a potting compound and
shielding it with a metal enclosure as is common in traditional HSMs will significantly increase the complexity of such
attacks.
\subsection{Attacks on the rotation sensor}
Instead of attacking the mesh in motion, an attacker may also try to first stop the rotor. To succeed, they would need
to fool the rotor's MEMS accelerometer. An electronic attack on the sensor or the monitoring microcontroller would be no
easier than directly bridging the mesh traces.
to falsify the rotor's MEMS accelerometer measurements. We can disregard electronic attacks on the sensor or the
monitoring microcontroller because they would be no easier than attacking the mesh traces. What remains would be
physical attacks of the accelerometer's sensing mechanism.
MEMS accelerometers usually use a cantilever design, where a proof mass moves a cantilever whose precise position can be
MEMS accelerometers usually use a cantilever design, where a proof mass moves a cantilever whose precise position is
measured electronically. A topic of recent academic interest have been acoustic attacks tampering with these
mechanics~\cite{trippel2017}. In the authors' estimate these attacks are too hard to control to be practically useful
against an inertial HSM.
mechanics~\cite{trippel2017}, but such attacks do not yield sufficient control to precisely falsify sensor readings.
A possible way to attack the accelerometer inside an inertial HSM may be to first decapsulate it using laser ablation
synchronized with the device's rotation. Then, a fast-setting glue such as a cyanoacrylate could be deposited on the
moving MEMS parts, locking them in place. To mitigate this type of attack the accelerometer should be mounted in a
shielded place inside the security envelope. Further, this attack can only work if the rate of rotation and thus the
expected accelerometer readings are constant. If the rate of rotation is set to vary over time this type of attack is
quickly detected. In Appendix \ref{sec_degrees_of_freedom} we outline the constraints on sensor placement.
A possible more invasive attack may be to first decapsulate the sensor MEMS using laser ablation synchronized with the
device's rotation. Then, a fast-setting glue such as a cyanoacrylate could be deposited on the MEMS, locking the
mechanism in place. This type of attack can be mitigated by mounting the accelerometer in a shielded location inside the
security envelope and by varying the rate of rotation over time. In Appendix~\ref{sec_degrees_of_freedom} we outline
some constraints on sensor placement.
\subsection{Attacks on the alarm circuit}
@ -421,81 +400,80 @@ Besides trying to deactivate the tamper detection mesh, an electronic attack cou
inside the stationary payload, or the communication link between rotor and payload. The link can be secured using a
cryptographically secured protocol like one would use for wireless radio links along with a high-frequency heartbeat
message. The alarm circuitry has to be designed such that it is entirely contained within the HSM's security envelope.
Like in conventional HSMs it has to be built to either tolerate or detect environmental attacks such as ones using
temperature, ionizing radiation, lasers, supply voltage variations, ultrasound or other vibration and gases or liquids.
Conventionally, incoming power rails are filtered thoroughly to prevent electrical attacks and other types of attacks
are prevented by sensors that thrigger an alarm.
In an inertial HSM, the mesh monitoring circuit's tamper alarm is transmitted from rotor to stator through a wireless
link. Since an attacker may wirelessly spoof this link, it must be cryptographically secured. It also must be
bidirectional to allow the alarm signal receiver to verify link latency: If it were unidirectional, an attacker could
act as a Man-in-the-Middle and replay the mesh's authenticated ``no alarm'' signal at slightly below real-time speed
(say at $\SI{99}{\percent}$ speed). The receiver would not be able to distinguish between this attack and ordinary
deviations in the transmitter's local clock frequency. Thus, after some time the attacker can simply stop the rotor and
break the mesh while replaying the leftover recorded ``no alarm'' signal. Given the frequency stability of commercial
crystals, this would yield the attacker several seconds of undisturbed attack time per hour of recording time.
Like in conventional HSMs it has to be built to either tolerate or detect environmental attacks using sensors for
temperature, ionizing radiation, laser radiation, supply voltage variations, ultrasound or other vibration and gases or
liquids. If a wireless link is used between the IHSM's rotor and stator, this link must be cryptographically secured.
To prevent replay attacks this link must be bidirectional so link latency can be measured continuously.
% If it were unidirectional, an attacker could
% act as a Man-in-the-Middle and replay the mesh's authenticated ``no alarm'' signal at slightly below real-time speed
% (say at $\SI{99}{\percent}$ speed). The receiver would not be able to distinguish between this attack and ordinary
% deviations in the transmitter's local clock frequency. Thus, after some time the attacker can simply stop the rotor and
% break the mesh while replaying the leftover recorded ``no alarm'' signal. Given the frequency stability of commercial
% crystals, this would yield the attacker several seconds of undisturbed attack time per hour of recording time.
\subsection{Fast and violent attacks}
A variation of the above attacks on the alarm circuitry is to simply destroy the part of the HSM that erases data in
response to tampering before it can finish its job. This attack could use a tool such as a large hammer or a gun.
Mitigations for this type of attack include potting the payload inside a mechanically robust enclosure. Additionally,
the integrity of the entire alarm signalling chain can be checked continuously using a cryptographic heartbeat protocol.
A simple active-high or active-low alarm signal as it is used in traditional HSMs cannot be considered fail-safe in this
scenario as such an attack may well short-circuit or break PCB traces.
response to tampering before it can perform its job using a tool such as a large hammer or a gun. To mitigate this
type of attack, the HSM's tamper response circuitry must be mechanically robust enough to withstand an attack for long
enough to carry out its function or else to reliably destory the payload during an attack.
\section{Prototype implementation}
\label{sec_proto}
After elaborating the design principles of inertial HSMs and researching potential attack vectors we have validated
these theoretical studies by implementing a prototype rotary HSM. The main engineering challenges we solved in our
prototype are:
As we elaboreated above, the mechanical component of an IHSM significantly increases the complexity of any successful
attack even when implemented using only common, off-the-shelf parts. In view of this amplification of design security we
have decided to validate our theoretical studies by implementing a prototype IHSM. The main engineering challenges we
set out to solve in this prototype were:
\begin{enumerate}
\item Fundamental mechanical design suitable for rapid prototyping that can withstand a rotation of $\SI{500}{rpm}$.
\item Fundamental mechanical design suitable for rapid prototyping that can withstand at least $\SI{500}{rpm}$.
\item Automatic generation of security mesh PCB layouts for quick adaption to new form factors.
\item Non-contact power transmission from stator to rotor.
\item Non-contact bidirectional data communication between stator and rotor.
\end{enumerate}
We will outline our findings on these challenges one by one in the following paragraphs.
\subsection{Mechanical design}
We sized our prototype to have space for up to two full-size Raspberry Pi boards. Each one of these boards is already
more powerful than an ordinary HSM, but they are small enough to simplify our prototype's design. For low-cost
prototyping we designed our prototype to use printed circuit boards as its main structural material. The interlocking
parts were designed in FreeCAD as shown in Figure \ref{proto_3d_design}. The mechanical designs were exported to KiCAD
for electrical design before being sent to a commercial PCB manufacturer. Rotor and stator are built from interlocking,
soldered PCBs. The components are mounted to a $\SI{6}{\milli\meter}$ brass tube using FDM 3D printed flanges. The rotor
is driven by a small hobby quadcopter motor.
We sized our prototype to have space for up to two full-size Raspberry Pi boards for an approximation of a traditional
HSM's processing capabilities. We use printed circuit boards as the main structural material for the rotating part, and
2020 aluminium extrusion for its mounting frame. Figure~\ref{proto_3d_design} shows the rotor's mechanical PCB designs
in FreeCAD. The design uses a $\SI{6}{\milli\meter}$ brass tube as its shaft, which is already sufficiently narrow to
pose a challenge to an attacker. The rotor is driven by a small hobby quadcopter motor. Our prototype incorporates a
functional PCB security mesh. As we observed previously, this mesh only needs to cover every part of the system once per
revolution, so we designed the longituninal PCBs as narrow strips to save weight.
Security is provided by a PCB security mesh enveloping the entire system and extending to within a few millimeters of
the shaft. For security it is not necessary to cover the entire circumference of the module with mesh, so we opted to
use only three narrow longitudinal struts to save weight.
\subsection{PCB security mesh generation}
To mount the entire HSM, we chose to use ``2020'' modular aluminium profile.
Our proof-of-concept security mesh covers a total of five interlocking PCBs (cf.\ Figure~\ref{mesh_gen_sample}). A sixth
PCB contains the monitoring circuit and connects to these mesh PCBs. To speed up design iterations, we automated the
generation of this security mesh using a plugin for the KiCAD EDA
suite\footnote{\url{https://blog.jaseg.de/posts/kicad-mesh-plugin/}}. Figure~\ref{mesh_gen_viz} visualizes the mesh
generation process. First, the target area is overlaid with a grid. Then, the algorithm produces a randomized tree
covering the grid. Finally, individual mesh traces are then traced according to a depth-first search through this tree.
We consider the quality of the plugin's output sufficient for practical applications. Along with FreeCAD's KiCAD StepUp
plugin, this results in an efficient toolchain from mechanical CAD design to production-ready PCB files.
\begin{figure}
\begin{subfigure}{0.45\textwidth}
\center
\includegraphics[height=7cm]{proto_3d_design.jpg}
\caption{The 3D CAD design of the prototype.}
\label{proto_3d_design}
\end{subfigure}
\hfill
\begin{subfigure}{0.45\textwidth}
\vfil
\includegraphics[width=6cm]{mesh_scan_crop.jpg}
\vfil
\caption{Part of the security mesh PCB we produced with our toolchain for the prototype HSM.}
\label{mesh_gen_sample}
\end{subfigure}
\caption{Our prototype IHSM's PCB security mesh design}
\end{figure}
\subsection{PCB security mesh generation}
The security mesh covers a total of five interlocking PCBs. A sixth PCB contains the monitoring circuit and connects to
these mesh PCBs. To allow us to quickly iterate our design without manually re-routing several large security meshes
for every mechanical chage we wrote a plugin for the KiCAD EDA suite that automatically generates parametrized security
meshes. When KiCAD is used in conjunction with FreeCAD through FreeCAD's KiCAD StepUp plugin, this ends up in an
efficient toolchain from mechanical CAD design to security mesh PCB gerber files. The mesh generation plugin can be
found at its website\footnote{\url{https://blog.jaseg.de/posts/kicad-mesh-plugin/}}. The meshes it produces have a
practical level of security in our application.
The mesh generation process starts by overlaying a grid on the target area. It then produces a randomized tree covering
this grid. The individual mesh traces are then traced along a depth-first search through this tree. A visualization of
the steps is shown in Figure \ref{mesh_gen_viz}. A sample of the production results from our prototype is shown in
Figure \ref{mesh_gen_sample}.
\begin{figure}
\center
\includegraphics[width=9cm]{mesh_gen_viz.pdf}
@ -505,67 +483,57 @@ Figure \ref{mesh_gen_sample}.
\label{mesh_gen_viz}
\end{figure}
\begin{figure}
\center
\includegraphics[width=6cm]{mesh_scan_crop.jpg}
\caption{A section of the security mesh PCB we produced with our toolchain for the prototype HSM.}
\label{mesh_gen_sample}
\end{figure}
\subsection{Power transmission through the rotating joint}
\subsection{Data transmission through rotating joint}
The spinning mesh has its own autonomous monitoring circuit. This spinning monitoring circuit needs both power and data
connectivity to the stator. At the monitoring circuit's low power consumption (see
Appendix~\ref{sec_energy_calculations}), power transfer efficiency is irrelevant so we decided against mechanically
complex solutions such as slip rings or electronically complex ones such as inductive power transfer. Instead we opted
to use six series-connected solar cells mounted on the end of our cylindrical rotor that are directly fed into a large
$\SI{33}{\micro\farad}$ ceramic buffer capacitor. This solution provides around $\SI{3.0}{\volt}$ at several tens of
$\si{\milli\ampere}$ to the payload when illumination using either a $\SI{60}{\watt}$ incandescent light bulb or a
flicker-free LED studio light of similar brightness\footnote{LED lights intended for room lighting exhibit significant
flicker that can cause the monitoring circuit to reset. Incandescent lighting requires some care in shielding the IR
jata link from interference.}.
With the mesh done, the next engineering challenge was the mesh monitoring data link between rotor and stator. As a
baseline solution, we settled on a $\SI{115}{\kilo\baud}$ UART signal sent through a simple bidirectional infrared link.
In the transmitter, the UART TX line on-off modulates a $\SI{920}{\nano\meter}$ IR LED through a common-emitter driver
transistor. In the receiver, an IR PIN photodiode reverse-biased to $\frac{1}{2}V_\text{CC}$ is connected to a
reasonably wideband transimpedance amplifier (TIA) with a $\SI{100}{\kilo\ohm}$ transimpedance. As shown in Figure
\ref{photolink_schematic}, the output of this TIA is fed through another $G=100$ amplifier whose output is then squared
up by a comparator. We used an \texttt{MCP6494} quad CMOS op-amp. At a specified $\SI{2}{\milli\ampere}$ current
consumption it is within our rotor's power budget, and its Gain Bandwidth Product of $\SI{7.5}{\mega\hertz}$ yields a
useful transimpedance in the photodiode-facing TIA stage.
\subsection{Data transmission through the rotating joint}
To reduce the requirements on power transmission to the rotor, we have tried to reduce power consumption of the
rotor-side receiver/transmitter pair trading off stator-side power consumption. One part of this is that we use
a wide-angle photodiode and IR LED on the stator, but use narrow-angle components on the rotor. The two rx/tx pairs are
arranged next to the motor on opposite sides. By placing the narrow-angle rotor rx/tx components on the outside as
shown in Figure \ref{ir_tx_schema}, the motor shields both IR links from crosstalk. The rotor transmitter LED is
driven at $\SI{1}{\milli\ampere}$ while the stator transmitter LED is driven at $\SI{20}{\milli\ampere}$.
Besides power transfer from stator to rotor we need a reliable, bidirectional data link to transmit mesh status and a
low-latency heartbeat signal. We chose to transport an $\SI{115}{\kilo\baud}$ UART signal through a simple IR link for a
quick and robust solution. The link's transmitter directly drives a standard narrow viewing angle IR led through a
transistor. The receiver has an IR PIN photodiode reverse-biased at $\frac{1}{2}V_\text{CC}$ feeding into a an
\texttt{MCP6494} general purpose opamp configured as an $\SI{100}{\kilo\ohm}$ transimpedance amplifier. As shown in
Figure \ref{photolink_schematic}, the output of this TIA is amplified one more time, before being squared up by a
comparator. Our design trades off stator-side power consumption for a reduction in rotor-side power consumption by
using a narrow-angle IR led and photodiode on the rotor, and wide-angle components at a higher LED current on the
stator. Figure~\ref{ir_tx_schema} shows the physical arrangement of both links. The links face opposite one another and
are shielded by the motor's body in the center of the PCB.
% We used an \texttt{MCP6494} quad CMOS op-amp. At a specified $\SI{2}{\milli\ampere}$ current
% consumption it is within our rotor's power budget, and its Gain Bandwidth Product of $\SI{7.5}{\mega\hertz}$ yields a
% useful transimpedance in the photodiode-facing TIA stage.
\begin{figure}
\center
\includegraphics{ir_tx_schema.pdf}
\caption{Schema of our bidirectional IR communication link between rotor and stator, view along axis of rotation. 1
\begin{subfigure}{0.3\textwidth}
\includegraphics[width=4.5cm]{ir_tx_schema.pdf}
\caption{Basic layout, view along axis of rotation. 1
- Rotor base PCB. 2 - Stator IR link PCB. 3 - Motor. 4 - receiver PIN photodiode. 5 - transmitter IR LED.}
\label{ir_tx_schema}
\end{figure}
\begin{figure}
\center
\end{subfigure}
\hfill
\begin{subfigure}{0.65\textwidth}
\includegraphics[width=9cm]{photolink_schematic.pdf}
\caption{Schematic of the IR communication link. Component values are only examples. In particular C2 depends highly
on the photodiode used and stray capacitances due to the component layout.}
\caption{Schematic with sample component values. C2 is highly dependent on the photodiode characteristics and
stray capacitances.}
\label{photolink_schematic}
\end{subfigure}
\caption{IR data link implementation}
\end{figure}
\subsection{Power transmission through rotating joint}
Besides the data link, the other electrical interface we need between rotor and stator is for power transmission. We
power Since this prototype serves only demonstration purposes, we chose to use the simplest possible method of power
transmission: solar cells. We mounted six series-connected solar cells in three commercially available modules on the
circular PCB at the end of our cylindrical rotor. The solar cells direclty feed the rotor's logic supply with buffering
by a large $\SI{33}{\micro\farad}$ ceramic capacitor. With six cells in series, they provide around $\SI{3.0}{\volt}$ at
several tens of $\si{\milli\ampere}$ given sufficient illumination.
For simplicity and weight reduction, at this point we chose to forego large buffer capacitors on the rotor. This means
variations in solar cell illumination directly couple into the microcontroller's supply rail. Initially, we experimented
with regular residential LED light bulbs, but those turned out to have too much flicker and lead to our microcontroller
frequently rebooting. Trials using an incandecent light produced a stable supply, but the large amount of infrared light
emitted by the incandecent light bulb severely disturbed our near-infrared communication link. As a consequence of
this, we settled on a small LED light intended for use as a studio light that provdided us with almost flicker-free
light at lower frequencies, leading to a sufficiently stable microcontroller VCC rail without any disturbance to the IR
link.
%%% FIXME rework parts below
\subsection{Evaluation}
% FIXME maybe move this to last chapter (conclusion)? to be in line with new mems evaluation chapter?
After building our prototype inertial HSM according to the design decisions we outlined above, we performed a series of
experiments to validate the critical components of the design.
@ -586,6 +554,93 @@ HSM concept practical.
\label{prototype_early_comms}
\end{figure}
% FIXME rework parts above
% new section follows.
\section{Using MEMS accelerometers for braking detection}
Using the prototype from the previous section, we performed an evaluation of an \partnum{AIS 1120} commercial automotive
MEMS accelerometer as a braking sensor. The device is mounted inside our prototype at a radius of
$\SI{55}{\milli\meter}$ from the axis of rotation to the center of the device's package. The \partnum{AIS 1120} provides
a measurement range of $\pm 120\,g$. At its 14-bit resolution, one LSB corresponds to $15\,\mathrm{m}g$.
Our prototype IHSM uses a motor controller intended for use in RC quadcopters. In our experimental setup, we manually
control this motor controller through an RC servo tester. We measure the devices rotation speed using a magnet fixed to
the rotor and a reed switch held closeby by an articulating arm. The reed switch output is digitized using an USB logic
analyzer at a sampling rate of $\SI{100}{\mega\hertz}$. We calculcate rotation frequency as a $\SI{1}{\second}$ running
average over debounced interval lengths of this captured signal.
The accelerometer is controlled from the \partnum{STM32} microcontroller on the rotor of our IHSM prototype platform.
Timed by an external quartz, the microcontroller samples accelerometer readings at $\SI{10}{\hertz}$. Readings are
accumulated in a small memory buffer, which is continuously transmitted out through the prototype platform's infrared
link. Data is packetized with a sequence number indicating the buffer's position in the data stream and a CRC-32
checksum for error detection. On the host, a Python script stores all packets received with a valid checksum in an
SQLite database.
Data analysis is done separately from data capture. An analysis IPython Notebook reads captured packets and reassembles
the continuous sample stream based on the packets' sequence numbers. The low $\SI{10}{\hertz}$ sampling rate and high
$\SI{115}{\kilo Bd}$ transmission speed lead to a large degree of redundancy with gaps in the data stream being rare.
This allowed us to avoid writing retransmission logic or data interpolation.
Figure~\ref{fig-acc-steps} shows an entire run of the experiment. During this run, we started with the rotor at
standstill, then manually increased its speed of rotation in steps. Areas shaded gray are intervals where we manually
adjust the rotors speed. The unshaded areas in between are intervals when the rotor speed is steady.
Figure~\ref{fig-acc-stacked} shows a magnified view of these periods of steady rotor speed. In both graphs, orange
lines indicate centrifugal acceleration as calculated from rotor speed measurements. Visually, we can see that
measurements and theory closely match. Our frequency measurements are accurate and the main source of error are the
accelerometer's intrinsic errors as well as error in its placement due to construction tolerances.
The accelerometer's primary intrinsic errors are offset error and scale error. Offset error is a fixed additive offset
to all measurements. Scale error is an error proportional to a measurements value that results from a deviation between
the device's specified and actual sensitivity. We correct for both errors by first extracting all stable intervals from
the time series, then fitting a linear function to the measured data. Offset error is this linear function's intercept,
and scale error is its slope. We then apply this correction to all captured data before plotting and later analysis.
Despite its simplicity, this approach already leads to a good match of measurements and theory modulo a small part of
the device's offset remaining. At high speeds of rotation this remaining offset does not have an appreciable impact, but
due to the quadratic nature of centrifugal acceleration at low speeds it causes a large relative error of up to
$\SI{10}{\percent}$ (at $\SI{95}{rpm}$).
After offset and scale correction, we applied a low-pass filter to our data. The graphs show both raw and filtered data.
Raw data contains significant harmonic content. This content is due to vibrations in our prototype. FFT analysis shows
that this harmonic content is a clean intermodulation product of the accelerometers sampling rate and the speed of
rotation with no other visible artifacts.
Figure~\ref{fig-acc-theory} shows a plot of our measurement results against frequency. Data points are shown in dark
blue, and theoretical behavior is shown in orange.
\begin{figure}
\center
\includegraphics[width=0.7\textwidth]{../../prototype/sensor-analysis/fig-acc-theory-meas-run50.pdf}
\caption{Centrifugal acceleration versus angular frequency in theory and in our experiments. Experimental
measurements are shown after correction for device-specific offset and scale error. As is evident, our measurements
agree very well with our theoretical results. Above \SI{300}{rpm}, the relative acceleration error was consistently
below $\SI{0.5}{\percent}$. Below $\SI{300}{rpm}$, residual offset error remaining after our first-order corrections
has a strong impact ($0.05\,g$ absolute or $8\%$ relative at $\SI{95}{rpm}$.}
\label{fig-acc-theory}
\end{figure}
% FIXME note how to sense actual rotation frequency somewhere -> falls out of motor driver
\begin{figure}
\begin{subfigure}{0.5\textwidth}
\center
\includegraphics[width=1.1\textwidth]{../../prototype/sensor-analysis/fig-acc-trace-steps-run50.pdf}
\caption{Raw recording of accelerometer measurements during one experiment run. Shaded areas indicate time
intervals when we manually adjusted speed, leading to invalid measurements.}
\label{fig-acc-steps}
\end{subfigure}
\hfill
\begin{subfigure}{0.45\textwidth}
\center
\includegraphics[width=1.1\textwidth]{../../prototype/sensor-analysis/fig-acc-trace-stacked-run50.pdf}
\caption{Valid measurements cropped out from \ref{fig-acc-steps} for various frequencies. Intermodulation
artifacts from the accelerometer's $\SI{10}{\hertz}$ sampling frequency and the $\SIrange{3}{18}{\hertz}$
rotation frequency due to device vibration are clearly visible.}
\label{fig-acc-stacked}
\end{subfigure}
\label{fig-acc-traces}
\caption{Traces of acceleration measurements during one experiment run.}
\end{figure}
\section{Conclusion}
\label{sec_conclusion} To conclude, in this paper we introduced inertial hardware security modules (iHSMs), a
@ -685,15 +740,6 @@ or commercial restrictions. Where possible, we ask you to cite this paper and at
authors.
\center{
\center{\ccbysa}
\center{This work is licensed under a Creative-Commons ``Attribution-ShareAlike 4.0 International'' license. The
full text of the license can be found at:}
\center{\url{https://creativecommons.org/licenses/by-sa/4.0/}}
\center{For alternative licensing options, source files, questions or comments please contact the authors.}
\center{This is version \texttt{\input{version.tex}\unskip} generated on \today. The git repository can be found at:}
\center{\url{https://git.jaseg.de/rotohsm.git}}

BIN
doc/paper/rotohsm_tech_report.pdf
View file

Binary file not shown.

120
prototype/sensor-analysis/Accelerometer Data Analysis.ipynb
View file

File diff suppressed because one or more lines are too long

BIN
prototype/sensor-analysis/fig-acc-theory-meas-run50.pdf
View file

Binary file not shown.

BIN
prototype/sensor-analysis/fig-acc-trace-stacked-run50.pdf
View file

Binary file not shown.

BIN
prototype/sensor-analysis/fig-acc-trace-steps-run50.pdf
View file

Binary file not shown.