diff --git a/.gitmodules b/.gitmodules index f111b3f..70a0e78 100644 --- a/.gitmodules +++ b/.gitmodules @@ -1,3 +1,16 @@ [submodule "chapter-qkd/figures/ihsm-secondary-mesh"] path = chapter-qkd/figures/ihsm-secondary-mesh url = git@git.jaseg.de:ihsm-secondary-mesh.git + branch = main +[submodule "chapter-sampling-mesh-monitor/figures/ihsm-sampling-mesh-monitor-hw"] + path = chapter-sampling-mesh-monitor/figures/ihsm-sampling-mesh-monitor-hw + url = git@git.jaseg.de:ihsm-sampling-mesh-monitor-hw.git + branch = main +[submodule "chapter-nice-coils/figures/nice-coils"] + path = chapter-nice-coils/figures/nice-coils + url = git@git.jaseg.de:nice-coils.git + branch = main +[submodule "chapter-ihsm/figures/ihsm"] + path = chapter-ihsm/figures/ihsm + url = git@git.jaseg.de:ihsm.git + branch = main diff --git a/Chapter_Makefile b/Chapter_Makefile index cd56c96..f6e5744 100644 --- a/Chapter_Makefile +++ b/Chapter_Makefile @@ -7,28 +7,31 @@ MAKEFLAGS += --warn-undefined-variables MAKEFLAGS += --no-builtin-rules VERSION_STRING := $(shell git describe --always --tags --long) +# chapter subdir cwd, thesis repo root, system tex distribution +TEXINPUTS := .:..: +export TEXINPUTS all: clean chapter.pdf # We need three runs for biblatex's defernumbers -%.pdf: %.tex ../main.bib version.tex - pdflatex -shell-escape $< - biber $* - pdflatex -shell-escape $< - biber $* - pdflatex -shell-escape $< +%.pdf: ../chapter-template.tex %.tex ../common-packages.tex ../common-defs.tex ../main.bib version.tex + pdflatex -shell-escape -jobname chapter $< + biber --input-directory=.. $* + pdflatex -shell-escape -jobname chapter $< + biber --input-directory=.. $* + pdflatex -shell-escape -jobname chapter $< .PHONY: preview preview: - biber chapter || true - pdflatex -shell-escape '\def\thesispreviewmode{}\input{chapter.tex}' + biber --input-directory=.. chapter || true + pdflatex -shell-escape -jobname chapter ../chapter-template.tex version.tex: chapter.tex echo "${VERSION_STRING}" > $@ .PHONY: update-figures update-figures: - @python figures/update_figures.py figures + @python ../update_figures.py figures .PHONY: clean clean: diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..5edff5d --- /dev/null +++ b/Makefile @@ -0,0 +1,43 @@ + +SHELL := bash +.ONESHELL: +.SHELLFLAGS := -eu -o pipefail -c +.DELETE_ON_ERROR: +MAKEFLAGS += --warn-undefined-variables +MAKEFLAGS += --no-builtin-rules + +CHAPTERS := $(shell find -maxdepth 1 -type d -name 'chapter-*') + +VERSION_STRING := $(shell git describe --always --tags --long) + +all: clean thesis.pdf + +# We need three runs for biblatex's defernumbers +%.pdf: %.tex common-packages.tex common-defs.tex main.bib version.tex + pdflatex -shell-escape $< + biber $* + pdflatex -shell-escape $< + biber $* + pdflatex -shell-escape $< + +.PHONY: preview +preview: + biber --input-directory=.. chapter || true + pdflatex -shell-escape thesis.tex + +version.tex: thesis.tex $(addsuffix /chapter.tex,${CHAPTERS}) + echo "${VERSION_STRING}" > $@ + +.PHONY: update-figures +update-figures: + @for ch in ${CHAPTERS};\ + do \ + test -d $$ch/figures &&\ + python update_figures.py $$ch/figures || true;\ + done + +.PHONY: clean +clean: + rm -f **.aux **.bbl **.bcf **.log **.blg + rm -f **.out **.run.xml **/texput.log + diff --git a/chapter-conclusion/chapter.tex b/chapter-conclusion/chapter.tex new file mode 100644 index 0000000..2e0b672 --- /dev/null +++ b/chapter-conclusion/chapter.tex @@ -0,0 +1 @@ +\chaptertitle{Conclusion} diff --git a/chapter-hsms/chapter.tex b/chapter-hsms/chapter.tex new file mode 100644 index 0000000..ace8d26 --- /dev/null +++ b/chapter-hsms/chapter.tex @@ -0,0 +1 @@ +\chaptertitle{Hardware Security Modules in the Wild} diff --git a/chapter-ihsm/Makefile b/chapter-ihsm/Makefile new file mode 120000 index 0000000..3322dc4 --- /dev/null +++ b/chapter-ihsm/Makefile @@ -0,0 +1 @@ +../Chapter_Makefile \ No newline at end of file diff --git a/chapter-ihsm/chapter.tex b/chapter-ihsm/chapter.tex new file mode 100644 index 0000000..88c636a --- /dev/null +++ b/chapter-ihsm/chapter.tex @@ -0,0 +1,995 @@ +\chaptertitle{Inertial Hardware Security Modules} + +\begin{abstract} + In this paper, we introduce a novel countermeasure against physical attacks: Inertial Hardware Security Modules + (IHSMs). Conventional systems have in common that their security requires the crafting of fine sensor structures + that respond to minute manipulations of the monitored security boundary or volume. Our approach is novel in that we + reduce the sensitivity requirement of security meshes and other sensors and increase the complexity of any + manipulations by rotating the security mesh or sensor at high speed---thereby presenting a moving target to an + attacker. Attempts to stop the rotation are easily monitored with commercial MEMS accelerometers and gyroscopes. + Our approach leads to an HSM that can easily be built from off-the-shelf parts by any university electronics lab, + yet offers a level of security that is comparable to commercial HSMs. We have built a proof-of-concept hardware + prototype that demonstrates solutions to the concept's main engineering challenges. As part of this + proof-of-concept, we have found that a system using a coarse security mesh made from commercial printed circuit + boards and an automotive high-g-force accelerometer already provides a useful level of security. +\end{abstract} + +\section{Introduction} + +While information security technology has matured a great deal in the last half-century, physical security did not keep +up with the pace of the remainder of this industry. Given the right skills, physical access to a computer still often +allows full compromise. The physical security of modern server hardware hinges on what lock you put on the room it is +in. + +Currently, servers and other computers are rarely physically secured as a whole. Servers sometimes have a simple lid +switch and are put in locked ``cages'' inside guarded facilities. This usually provides a good compromise between +physical security and ease of maintenance. To handle highly sensitive data in applications such as banking or public key +infrastructure, general-purpose and low-security servers are augmented with dedicated, physically secure cryptographic +co-processors such as trusted platform modules (TPMs) or hardware security modules (HSMs). Using a limited amount of +trust in components such as the CPU, the larger system's security can then be reduced to that of its physically secured +TPM~\cite{newman2020,frazelle2019,johnson2018}. +Like smartcards, TPMs rely on a modern IC being hard to tamper with. Shrinking things to the nanoscopic level to secure +them against tampering is a good engineering solution for some years to come. However, in essence, this is a type of +security by obscurity: Obscurity here referring to the rarity of the equipment necessary to attack modern +ICs~\cite{albartus2020,anderson2020}. + +In contrast to TPMs and Smartcards, HSMs rely on an active security barrier usually consisting of a fragile foil with +conductive traces. These traces are much larger scale than a smart card IC's microscopic structures and instead are +designed to be very hard to remove intact. While we are certain that there still are many insights to be gained in both +technologies, we wish to introduce a novel approach to sidestep the manufacturing issues of both and provide radically +better security against physical attacks. Our core observation is that any cheap but coarse HSM technology can be made +much more difficult to attack by moving it very quickly. + +For example, consider an HSM as it is used in online credit card payment processing. Its physical security level is set +by the structure size of its security mesh. An attack on its mesh might involve fine drill bits, needles, wires, glue, +solder, and lasers~\cite{drimer2008}. Now consider the same HSM mounted on a large flywheel. In addition to its usual +defenses, this modified HSM is now equipped with an accelerometer that it uses to verify that it is spinning at high +speed. How would an attacker approach this HSM? They would have to either slow down the rotation---which triggers the +accelerometer's monitoring circuit---or they would have to attack the HSM in motion. The HSM literally becomes a moving +target. At slow speeds, rotating the entire attack workbench might be possible---but rotating frames of reference +quickly become inhospitable to human life (see Section~\ref{sec_swivel_chair_attack}). Since non-contact electromagnetic +or optical attacks are more limited in the first place and can be shielded, we have effectively forced the attacker to +use an ``attack robot''. + +This paper contains the following contributions: +\begin{enumerate} + \item We present the \emph{Inertial HSM} concept. Inertial HSMs enable cost-effective, small-scale production of + highly secure HSMs. + \item We discuss possible tamper sensors for inertial HSMs. + \item We explore the design space of our inertial HSM concept. + \item We present our work on a prototype inertial HSM (Figure~\ref{prototype_picture}). + \item We present an analysis of the viability of using commodity MEMS accelerometers as braking sensors. + % FIXME \item Measurement of the prototype HSM's susceptibility to various types of attack. +\end{enumerate} + +\begin{figure} + \center + \includegraphics[width=12cm]{prototype_pic2.jpg} + \caption{The prototype as we used it to test power transfer and bidirectional communication between stator and + rotor. This picture shows the proof-of-concept prototype's configuration that we used for accelerometer + characterization (Section~\ref{sec_accel_meas}) without the vertical security mesh struts that connect the circular + top and bottom outer meshes.} + \label{prototype_picture} +\end{figure} + +In Section~\ref{sec_related_work}, we will give an overview of the state of the art in HSM physical security. On this +basis, in Section~\ref{sec_ihsm_construction} we will elaborate the principles of our Inertial HSM approach. We will +analyze its weaknesses in Section~\ref{sec_attacks}. Based on these results we have built a proof-of-concept hardware +prototype. In Section~\ref{sec_proto} we will elaborate on the design of this prototype. In Section~\ref{sec_accel_meas} +we present our characterization of an automotive MEMS accelerometer IC as a rotation sensor in this proof-of-concept +prototype. We conclude this paper with a general evaluation of our design in Section~\ref{sec_conclusion}. + +\section{Related work} +\label{sec_related_work} +% summaries of research papers on HSMs. I have not found any actual prior art on anything involving mechanical motion +% beyond ultrasound. + +In this section, we will briefly explore the history of HSMs and the state of academic research on active tamper +detection. + +HSMs are an old technology that traces back decades in its electronic realization, initially being conceived by the US +NSA during the second world war~\cite{boak1973}. Today's common approach of monitoring meandering electrical traces on a +fragile foil that is wrapped around the HSM essentially transforms the security problem into the challenge to +manufacture very fine electrical traces on a flexible foil~\cite{isaacs2013, immler2019, anderson2020}. There has been +some research on monitoring the HSM's interior using e.g.\ electromagnetic radiation~\cite{tobisch2020, kreft2012} or +ultrasound~\cite{vrijaldenhoven2004} but none of this research has found widespread adoption yet. + +HSMs can be compared to physical seals~\cite{anderson2020}. Both are tamper-evident devices. The difference is that an +HSM continuously monitors itself whereas a physical seal only serves to record tampering and requires someone to examine +it. This examination can be done by eye in the field, but it can also be carried out in a laboratory using complex +equipment. An HSM in principle has to have this examination equipment built-in. + +Physical seals are used in a wide variety of applications. The most interesting ones from a research point of view that +are recorded in public literature are those used for the monitoring of nuclear material under the International Atomic +Energy Authority (IAEA). Most of these seals use the same approach that is used in Physically Unclonable Functions +(PUFs), though their development predates that of PUFs by several decades. The seal is created in a way that +intentionally causes large, random device-to-device variations. These variations are precisely recorded at deployment. +At the end of the seal's lifetime, the seal is returned to a lab and closely examined to check for any deviations from +the seal's prior recorded state. The type of variation used in these seals includes random scratches in metal parts and +random blobs of solder (IAEA metal cap seal), randomly cut optical fibers (COBRA seal), the uncontrollably random +distribution of glitter particles in a polymer matrix (COBRA seal prototypes) as well as the precise three-dimensional +surface structure of metal parts at microscopic scales (LMCV)~\cite{iaea2011}. + +The IAEA's equipment portfolio does include electronic seals such as the EOSS. These devices are intended for remote +reading, similar to an HSM. They are constructed from two components: A cable that is surveilled for tampering, and a +monitoring device. The monitoring device itself is in effect an HSM and uses a security mesh foil like it is used in +commercial HSMs. + +The self-destruct built into an HSM serves as a strong tamper deterrent. For illustration, compare an HSM to a computer +inside a locked safe when opposing a well-funded attacker with plenty of time. In~\cite{boak1973}, Boak asserts that +absent an HSM's capability to self-destruct, the best safes can only withstand brute force attacks by an expert for +several minutes. While the state of electronics has advanced rapidly since Boak's 1973 lecture, the hardness of steel +has not increased correspondingly. Thus, we can conclude that even today, against a ``smart, well-equipped opponent with +plenty of time'' as noted by Boak, this self-destruction functionality is essential. + +In~\cite{anderson2020}, Anderson gives a comprehensive overview of physical security. An example HSM that he cites is +the IBM 4758, the details of which are laid out in-depth in~\cite{smith1998}. This HSM is an example of an +industry-standard construction. Although its turn of the century design is now a bit dated, the construction techniques +of the physical security mechanisms have not evolved much in the last two decades. Besides some auxiliary temperature +and radiation sensors to guard against attacks on the built-in SRAM memory, the module's main security barrier uses the +common construction of a flexible mesh foil wrapped around the module's core. In~\cite{smith1998}, the authors state +that the module monitors this mesh for short circuits, open circuits, and conductivity. Other commercial offerings use +similar approaches to tamper detection~\cite{obermaier2018,drimer2008,anderson2020,isaacs2013}. + +Shifting our focus from industry use to the academic state of the art, in~\cite{immler2019}, Immler et al. describe an +HSM based on precise capacitance measurements of a security mesh, creating a PUF from the mesh. In contrast to +traditional meshes, they use a large number of individual traces (more than 30 in their example). Their concept +promises a very high degree of protection but is limited in the board area covered and component height, as well as the +high cost of the advanced analog circuitry required for monitoring. A core component of their design is that they +propose its use as a PUF to allow for protection even when powered off, similar to a smart card---but the design is not +limited to this use. + +In~\cite{tobisch2020}, Tobisch et al.\ describe a construction technique for a hardware security module that is based on +a WiFi transceiver inside a conductive enclosure. In their design, a reference signal is sent into the RF cavity formed +by the conductive enclosure. One or more receivers listen for the signal's reflections and use them to characterize the +phase and frequency response of the RF cavity. The assumption underlying their system is that the RF behavior of the +cavity is inscrutable from the outside and that any small disturbances within the volume of the cavity will cause a +significant change in its RF response. A core component of the work of Tobisch et al.~\cite{tobisch2020} is that they +use commodity WiFi hardware, so the resulting system is likely both much cheaper and capable of protecting a much larger +security envelope than designs using finely patterned foil security meshes such as~\cite{immler2019}, at the cost of +worse and less predictable security guarantees. Where~\cite{tobisch2020} use electromagnetic radiation, Vrijaldenhoven +in~\cite{vrijaldenhoven2004} uses ultrasound waves traveling on a surface acoustic wave (SAW) device to a similar end. + +While Tobisch et al.~\cite{tobisch2020}\ approach the sensing frontend cost as their primary optimization target, the +prior work of Kreft and Adi~\cite{kreft2012} considers sensing quality. Their target is an HSM that envelopes a volume +barely larger than a single chip. They theorize how an array of distributed RF transceivers can measure the physical +properties of a potting compound that has been loaded with RF-reflective grains. In their concept, the RF response +characterized by these transceivers is shaped by the precise three-dimensional distribution of RF-reflective grains +within the potting compound. + +To the best of our knowledge, we are the first to propose a mechanically moving security barrier as part of a hardware +security module. Most academic research concentrates on the issue of creating new, more sensitive security barriers for +HSMs~\cite{immler2019} while commercial vendors concentrate on means to certify and cheaply manufacture these security +barriers~\cite{drimer2008}. Our concept instead focuses on the issue of taking any existing, cheap low-performance +security barrier and transforming it into a marginally more expensive but high-performance one. The closest to a +mechanical HSM that we were able to find during our research is a 1988 patent~\cite{rahman1988} that describes a +mechanism to detect tampering along a communication cable by enclosing the cable inside a conduit filled with +pressurized gas. + +\section{Inertial HSM construction and operation} +\label{sec_ihsm_construction} + +Fast mechanical motion has been proposed as a means of making things harder to see with the human eye~\cite{haines2006} +and is routinely used in military applications to make things harder to hit~\cite{terdiman2013} but we seem to be the +first to use it in tamper detection. + +The core questions in the design of an inertial HSM are the following: + +\begin{enumerate} + \item What \textbf{type of motion} to use, such as rotation, pendulum motion, or linear motion. + \item How to construct the \textbf{tamper detection sensor}. + \item How to \textbf{detect braking} of the IHSM's movement. + \item The \textbf{mechanical layout} of the system. +\end{enumerate} + +We will approach these questions one by one in the following subsections and conclude this section with an exploration +of the practical implications that these aspects of IHSM construction have on IHSM operation, but first, we will +motivate our concept with two use cases and outline our attacker model. + +\subsection{Use Cases and Attacker Model} + +The target application of an IHSM is high-risk data processing. This risk can be implied by either high-value data, or +by difficult physical security constraints. Our goal with IHSMs is to eventually arrive at a system that, at low cost, +can persist against a smart, well-funded adversary such as a secret service or organized cyber-crime. We apply +Kerckhoff's principle and consider the attacker to have white-box access to the IHSM's hard-, firm- and software. We +consider the attacker to have persistent access to the device and that they may be willing to spend weeks or months +performing a single attack. + +% In case a randomized security mesh is used (cf.\ Section\ \ref{mesh-gen}) and the mesh is shielded from observation +% (e.g.\ optical or x-ray), we consider the concrete randomized routing of the mesh traces secret. + +By targeting this pessimistic attacker model, we increase the real-world utility of IHSMs. Consider a group of +healthcare providers intending to analyze a large database of patient health information. Accumulating potentially +millions of sensitive medical records on a single system for such processing poses an inherent risk as this system +becomes a valuable target for organized cyber-criminals looking for ransom. IHSMs permit a level of physical security +against e.g.\ a bribed insider that is as good as the level of network security afforded by modern firewalls and +cryptographic protocols. + +On the other end of the spectrum, consider a real-time group video communication provider. Relaying and transcoding +video data between participants is hard to solve without trusting the server, but at the same time latency requires that +the server is physically located close to its users. Given the global history of privacy-invasive cyber-attacks by +secret services and other well-funded attackers, this may pose an issue. In this scenario, IHSMs enable the secure +deployment of trusted server components closer to the user, or even at the network edge, where physical security is +challenging. + +An application with a similar scenario is manipulation-proof audit logging. Since IHSMs are connected to backup power, +they can continue to record log messages from other nearby devices even during catastrophic disruption such as +large-scale power outages. In this use case, the IHSM assumes two functions: That of a trusted, highly available data +storage and that of a trusted timestamping service. + +\subsection{Inertial HSM motion} +\label{sec_ihsm_motion} + +Against the background of these use cases, we will now elaborate on the four questions we formulated in the introduction +to this section, starting with that on \emph{type of motion}. There are several ways how we can approach motion. +Periodic, aperiodic and continuous motion could serve the purpose. There is also linear motion as well as rotation. We +can also vary the degree of electronic control in this motion. + +The primary constraint on an IHSM's motion pattern is that it needs to be (almost) continuous to not expose any weak +spots during instantaneous standstill of the HSM. Additionally, it has to stay within a confined space. For space +efficiency, linear motion would have to be periodic, like that of a pendulum. Such periodic linear motion will have to +quickly reverse direction at its apex so the device is not stationary long enough for this to become a weak spot. + +In contrast to linear motion, rotation is space-efficient and can be continuous if the axis of rotation is inside the +device. When the axis is fixed, rotation will expose a weak spot close to the axis where tangential velocity is low. +Faster rotation can lessen the security impact of this fact at the expense of power consumption and mechanical stress, +but it can never eliminate it. More effective mitigations are additional tamper protection at the axis and having the +HSM perform a compound rotation that has no fixed axis. + +High speed gives rise to large centrifugal acceleration, which poses the engineering challenge of preventing rapid +unscheduled disassembly of the device, but it also creates an obstacle to any attacker trying to manipulate the device +in what we call a \emph{swivel chair attack} (see Section~\ref{sec_swivel_chair_attack}). An attacker trying to follow +the motion would have to rotate around the same axis. By choosing a suitable angular frequency we can prevent an +attacker from following the device's motion since doing so would subject them to impractically large centrifugal forces. +Essentially, this limits the approximate maximum size and mass of an attacker under an assumption on tolerable +centrifugal force. + +In this paper, we focus on rotating IHSMs for simplicity of construction. For our initial research, we focus on systems +with a fixed axis of rotation due to their simple construction but we do wish to note the challenge of hardening the +shaft against tampering that any production device would have to tackle. + +\subsection{Tamper detection mesh construction} + +IHSMs do not eliminate the need for a security barrier. To prevent an attacker from physically destroying the moving +part, tamper detection such as a mesh is still necessary. In this subsection, we will consider ways to realize this +security barrier. In industry, mesh membranes are commonly used for tamper detection. Such membranes are deployed in +systems for a variety of use cases ranging from low-security payment processing to high-security certificate management. +From this, we can conclude that a properly implemented mesh \emph{can} provide a practical level of security. In +contrast to this industry focus, academic research has largely focused on ways to fabricate enclosures that embed +characteristics of a Physically Unclonable Function as a means of tamper detection~\cite{tobisch2020,immler2019}. By +using stochastic properties of the enclosure material to form a PUF, such academic designs leverage signal processing +techniques to improve the system's security level by a significant margin. + +In our research, we focus on security meshes as our IHSM's tamper sensors. The cost of advanced manufacturing +techniques and special materials used in fine commercial meshes poses an obstacle to small-scale manufacturing and +academic research. The foundation of an IHSM security is that by moving the mesh, even a primitive, coarse mesh such as +one made from a low-cost PCB becomes very hard to attack in practice. This allows us to use a simple construction using +low-cost components. Additionally, the use of a mesh enables us to only spin the mesh itself and its monitoring circuit +and keep the payload inside the mesh stationary for reduced design complexity. Tamper sensing systems such as RF +fingerprinting that monitor the entire volume of the HSM instead of only a thin boundary layer would not allow for this +degree of freedom in an IHSM. They would instead require the entire IHSM to spin including its payload, which would +entail costly and complex systems for data and power transfer from the outside to the spinning payload. + +\subsection{Braking detection} + +The security mesh is a critical component in the IHSM's defense against physical attacks, but its monitoring is only one +half of this defense. The other half consists of a reliable and sensitive braking detection system. This system must be +able to quickly detect any slowdown of the IHSM's rotation. Ideally, a sufficiently sensitive sensor is able to measure +any external force applied to the IHSM's rotor and should already trigger a response at the first signs of a +manipulation attempt. + +While the obvious choice to monitor rotation would be a magnetic or optical tachometer sensor attached to the IHSM's +shaft, this would be a poor choice for our purposes since optical and magnetic sensors are susceptible to contact-less +interference from outside. We could use feedback from the motor driver electronics to determine the speed. When using a +BLDC motor, the driver electronics precisely know the rotor's position at all times. However, this approach might allow +for attacks at the mechanical interface between the mesh and the motor's shaft. If an attacker can decouple the mesh +from the motor e.g.\ by drilling, laser ablation, or electrical discharge machining (EDM) on the motor's shaft, the +motor could keep spinning at its nominal frequency while the mesh is already standing still. + +Instead of a stator-side sensor, a rotor-side inertial sensor such as an accelerometer or gyroscope placed inside the +spinning mesh monitoring circuit would be a good component to serve as an IHSM's tamper sensor. A gyroscope would need +to be placed close to the IHSM's shaft where centrifugal force is low, and would directly measure changes in angular +velocity. An accelerometer could be placed anywhere on the rotor and would measure centrifugal acceleration. + +Modern, fully integrated MEMS accelerometers are very precise. By comparing acceleration measurements against a model of +the device's mechanical motion, deviations can quickly be detected. This limits an attacker's ability to tamper with the +device's motion. It may also allow remote monitoring of wear of the device's mechanical components such as bearings: +MEMS accelerometers are fast enough to capture vibrations, which can be used as an early warning sign of failing +mechanical components~\cite{kvk2019,sh2016,adc2019,e2013}. + +In a spinning IHSM, an accelerometer mounted at a known radius with its axis pointing radially will measure centrifugal +acceleration. Centrifugal acceleration rises linearly with radius, and with the square of frequency: $a=\omega^2 r$. For +a given accelerometer and target speed of rotation, the accelerometer's location should be chosen to maximize dynamic +range. A key point here is that for speeds between $500$ and $\SI{1000}{rpm}$, centrifugal acceleration already becomes +very large at a radius of just a few $\si{\centi\meter}$. At $\SI{1000}{rpm}\approx\SI{17}{\hertz}$ and at a +$\SI{10}{\centi\meter}$ radius, centrifugal acceleration already is above $\SI{1000}{\meter\per\second}$ or $100\,g$. +Due to this large acceleration, the off-axis performance of the accelerometer has to be considered. Suitable high-$g$ +accelerometers for the large accelerations found on the circumference of an IHSM's rotor are mostly used in automotive +applications. + +To evaluate the feasibility of accelerometers as tamper sensors we can use a simple benchmark. Let us assume an IHSM +spinning at $\SI{1000}{rpm}$. To detect any attempt to brake it below $\SI{500}{rpm}$, we have to detect a difference in +acceleration of a factor of $\frac{\omega_2^2}{\omega_1^2}=4$. Even without maximizing the accelerometer's dynamic range +through optimal placement, any commercial MEMS accelerometer will suffice. Only to detect slow deceleration, the +sensor's drift characteristics may have to be taken into account. + +In Section~\ref{sec_accel_meas} below, we conduct an empirical evaluation of a commercial automotive high-$g$ MEMS +accelerometer for braking detection in our prototype IHSM. + +\subsection{Mechanical layout} + +With our IHSM's components taken care of, what remains to be decided is how to put together these individual components +into a complete device. A basic spinning HSM might look as shown in Figure~\ref{fig_schema_one_axis}. Visible are the +axis of rotation, an accelerometer on the rotating part that is used to detect braking, the protected payload, and the +area covered by the rotating tamper detection mesh. Note that we only have to move the tamper protection mesh, not the +entire contents of the HSM, keeping most of the HSM's mass stationary. This reduces the moment of inertia of the +rotating part. It also eliminates the need for rotating data and power connections to the payload, which can be +supplied through a hollow shaft instead. In our proof-of-concept prototype, we accept a weak spot at the point where the +shaft penetrates the mesh to simplify mechanical construction. + +\begin{figure} + \center + \includegraphics{concept_vis_one_axis.pdf} + \caption{Concept of a simple spinning Inertial HSM. 1 - Shaft. 2 - Security mesh. 3 - Payload. 4 - + Accelerometer. 5 - Shaft penetrating security mesh.} + \label{fig_schema_one_axis} +\end{figure} + +The spinning mesh must be designed to cover the entire surface of the payload, but it suffices if it sweeps over every +part of the payload once per rotation. This means we can design longitudinal gaps into the mesh that allow outside air +to flow through to the payload. In traditional boundary-sensing HSMs, cooling of the payload processor is a serious +issue since any air duct or heat pipe would have to penetrate the HSM's security boundary. This problem can only be +solved with complex and costly siphon-style constructions, so in commercial systems, heat conduction is used +exclusively~\cite{isaacs2013}. This limits the maximum power dissipation of the payload and thus its processing power. +Using longitudinal gaps in the mesh, our setup allows direct air cooling of regular heatsinks. This unlocks much more +powerful processing capabilities that greatly increase the maximum possible power dissipation of the payload. In an +evolution of our design, the spinning mesh could even be designed to \emph{be} a cooling fan. + +Conventional HSMs are limited by the construction of their security meshes which rely on plastics as their main +structural material. The security mesh has to fit the highest components inside the HSM. Since creating a security mesh +with a non-flat surface is difficult, this means there is an inevitable gap of a few millimeters between the surface of +the payload CPU and the interior surface of the mesh. This distance is added to several millimeters of epoxy resin that +the mesh must be embedded inside for it to be hard to remove intact. Overall, this leads to a structure approximately a +centimeter thick that includes several millimeters of epoxy resin with particularly poor thermal +conductivity~\cite{obermaier2019}. Even if ``thermally conductive'' resins would be used, thermal conductivity is +limited to a fraction of what can be achieved with a heatsink directly attached to the CPU. A modern high-end CPU +heatsink with its fan running has a thermal resistance from CPU junction to air of around +$\SI{0.1}{\kelvin\per\watt}$~\cite{anandtech2015}. +If one were to make an HSM's security mesh out of an average thermally conductive epoxy with thermal conductivity +$k\approx\SI{1}{\watt\per\meter\kelvin}$~\cite{kordyban1998,shabany2009,mgchemicals2017}, the resulting thermal +resistance for a 5-by-5 centimeter, $\SI{5}{\milli\meter}$ thermal interface alone would be $\SI{2}{\kelvin\per\watt}$, +a more than 10-fold increase. For an acceptable temperature delta from junction to air of $\SI{60}{\kelvin}$, this +yields a maximum power dissipation of only $\SI{30}{\watt}$ compared to a theoretical $\SI{600}{\watt}$ for a +conventional CPU cooler. Given that for modern high core-count CPUs both multithreaded performance and power +dissipation are mostly linear in core count, this severely limits the achievable performance. + +This estimated performance discrepancy matches up with our observation. Thales, a manufacturer of conventional HSMs +reports $\SI{20}{\kilo Ops\per\second}$ ECC signature operations on NIST Curve P-256 on one of their top-of-range +``Luna HSM 790''~\cite{thales2021}, which compares to be slightly more than half of the $\SI{36}{\kilo Ops\per\second}$ +signing operations that \texttt{openssl speed} in single-thread mode is able to do on an AMD Ryzen 7 PRO 4750U laptop +CPU using $\SI{2.0}{\watt}$ of power on the active core. Using today's technology, we expect a performance jump of one +to two orders of magnitude in computing power to be feasible in an IHSM compared to a conventional HSM. + +\subsection{Long-term Operation} + +Without settling on a particular design for an IHSM yet, from the previous sections we have already gained an +understanding of what an IHSM would look like in practice. In the following paragraphs, we will draw some conclusions on +how its design will affect the day-to-day operation of an IHSM. +Like other HSMs, in a practical application, an IHSM may have to run continuously for a decade or even longer. As with +any networked system, a setup including IHSMs must be designed in a way that prevents the failure of one or several +IHSMs on the network from compromising the whole system's security or reliability. Neither IHSMs nor traditional HSMs +can withstand fire or flooding, so while a breach of security can be ruled out, a catastrophic failure of the device and +erasure of data cannot~\cite{heise2021ovh}. Traditionally, this problem is solved by storing all secrets in multiple, +geographically redundant HSMs~\cite{thales2015hsmha}. On IHSMs this task is aided on the software layer since they are +based on general-purpose computer hardware and allow for state-of-the-art database replication techniques to be applied +without first porting them to an embedded operating system or foreign CPU architecture. A practical example of this +approach is a 2019 technology demonstration~\cite{signal2019} created by signal.org, the organization running the signal +secure messenger app. In this demonstration, signal.org have implemented the Raft consensus algorithm~\cite{ongaro2019} +inside Intel SGX to replicate state between geographically redundant enclaves. + +Excluding natural disasters, there are three main categories of challenges to an IHSM's longevity: Failure of components +of the IHSM due to age and wear, failure of the external power supply, and spurious triggering of the intrusion alarm by +changes in the IHSM's environment. In the following paragraphs, we will evaluate each of these categories in their +practical impact. + +\paragraph{Component failure.} +The failure mode of an IHSM's components is the same as in any other computer system and the same generic mitigation +techniques apply. The expected lifetime of electronic components can be increased by using higher-spec components and by +reducing thermal, mechanical, and electrical stress. To reduce vibration stress on both rotor and stator, the rotor must +be balanced. The main mechanical failure mode of an IHSM's is likely to be failure of the shaft bearings. By +incorporating knowledge from other rotating devices that have a long lifetime such as cooling fans, this failure mode +can be mitigated. Another noteworthy mechanical failure mode of an IHSM is dust buildup on the optical components of the +communication link. This failure mode can be mitigated by routing cooling airflow such that it does not go past the +communication link's optical components, as well as by filtering cooling air at the device's intakes. + +\paragraph{Power failure.} +\label{sec-power-failure} +After engineering an IHSM's components to survive years of continuous operation, the next major failure mode to be +considered is power loss. Traditional HSMs solve the need for an always-on backup power supply by carrying large backup +batteries~\cite{obermaier2019}. The low static power consumption of a traditional HSM's simple tamper detection +circuitry allows for the use of non-replaceable backup batteries. An IHSM in contrast would likely require a +rechargeable backup battery since its motor requires more power than the mesh monitoring circuit of a traditional HSM. +In principle, a conventional Uninterruptible Power Supply (UPS) can be used, but in practice, a productized IHSM might +have a smaller battery integrated. Conservatively assuming an average operating power consumption of $\SI{10}{\watt}$ +for an IHSM's motor, a single large laptop battery with a capacity of $\SI{100}{\watt\hour}$~\cite{faa2018} could +already power an IHSM for 10 hours continuously. $\SI{10}{\watt}$ is a reasonable high estimate given that there are +large industrial fans rated at lower wattages, e.g. Sunon \partno{CF2207LBL-000U-HB9}, a $\SI{250}{\milli\meter}$ +diameter $\SI{7.8}{\meter^3\per\minute}$ axial fan rated at $\SI{6.6}{\watt}$. If a built-in battery is undesirable or +if power outages of more than a few seconds are unlikely (e.g.\ because of an external UPS), the IHSM's rotor itself can +be used as a flywheel for energy storage. + +\paragraph{Spurious alarms due to vibration.} +Even with all components working to their specification, an IHSM could still catastrophically fail if for some reason +its alarm would be spuriously activated due to movement of the device. The likelihood of such an alarm failure must be +minimized, e.g.\ by employing vibration damping. There are several possible causes why an IHSM might move during normal +operation. The IHSM may have to be relocated between data centers, or a worker may bump the IHSM. Additionally, the +effect of normal mechanical vibration on the IHSM's tamper sensors has to be considered. During normal operation, +vibration from outside sources such as backup generators and nearby traffic (e.g. trains) may couple into the IHSM +through the building. Since IHSMs are rotating machines they will themselves cause some amount of vibration and thus +vibration isolation is a reasonable design requirement. Besides everyday sources of mechanical noise, (usually +harmless) earthquakes are a common occurrence in some regions of the world and will couple through any reasonable amount +of vibration damping. + +None of these sources of mechanical noise are likely to cause a false alarm. For reference, consider an IHSM running at +an angular velocity of $\SI{1000}{rpm}$. A tamper sensor mounted at a radius of $\SI{100}{\milli\meter}$ will measure a +constant centrifugal acceleration of approximately $100\,g$. Literature on car crashes shows that accelerations above +$10\,g$ in the car's structural components correspond to a crash at $\SI{30}{\kilo\meter\per\hour}$ and +above~\cite{ika2002,german2007}. Measurements of the Peak Ground Acceleration (PGA) of severe earthquakes show that +even the strongest earthquakes rarely reach a PGA of $\SI{0.1}{g}$~\cite{yoshimitsu1990} with the 2011 Tohoku earthquake +at approximately $\SI{0.3}{g}$. + +Instantaneous acceleration increases linearly with frequency, but likewise, simple vibration dampers work better with +higher frequencies~\cite{kelly1993,beards1996,dixon2007}, To reduce the likelihood of false detections, it is enough to +damp high-frequency shock and vibration, as low-frequency shock or vibration components will not reach accelerations +large enough to cause a false alarm. For instance, an earthquake's low-frequency vibrations dissipate a tremendous +amount of mechanical power across a large geographic area, but due to their low absolute instantaneous acceleration, +we can ignore them for the purposes of our tamper detection system. An IHSM's tamper detection subsystem will be able +to clearly distinguish attempts to stop the IHSM's rotation from normal environmental noise by their magnitude. Any +external acceleration that would come close in order of magnitude to the operating centrifugal acceleration at the +periphery of an IHSM's rotor would likely destroy the IHSM. + +\subsection{Transportation} + +While unintentional acceleration is unlikely to cause false alarms in an IHSM when simple vibration damping is employed, +there is an issue when intentionally moving an IHSM: The IHSM's rotor stores significant rotational energy and will +respond to tipping with a precession force. This could become an issue when a larger IHSM is transported between e.g.\ +the manufacturer's premises and its destination data center. The simple solution to this problem is to transport the +IHSM elastically mounted with its axis pointing upwards inside a shipping box that is weighted to resist precession +forces. + +During shipping, the IHSM will require a continuous power supply. Following our conservative estimate in +Section~\ref{sec-power-failure}, 48-hour courier shipping could easily be bridged with the equivalent of 5-10 laptop +batteries. In applications that do not require a backup battery built-in to the IHSM (e.g. due to existing UPS backup), +the IHSM could be shipped connected to an external battery akin to a ``power bank'' that is sent back to the IHSM's +manufacturer after the IHSM has been installed. Long-distance shipping can be facilitated through compatibility with +standards used for powered refrigerated shipping containers. + +\subsection{Graceful Failover and Maintenance} + +As described above, failure can never be fully prevented. However, finely-grained monitoring of operational parameters +may be capable of recognizing some types of failure such as backup battery failure, mechanical wear, or +over/undertemperature conditions some time before alarm levels have been reached and all secrets must be destroyed. +This type of early warning allows for the implementation of a graceful failover mechanism. Similar to hot spares in hard +disk arrays, a number of IHSMs might share a hot spare IHSM that is running, but that does not yet contain any secrets. +Once an IHSM detects early warning signs of an impending failure, it can then transfer its secrets to the hot spare +using replication technologies as mentioned in the previous paragraph, then delete its local copies. This would allow +for the graceful handling of device failures due to both age and disasters such as fires. + +When such failovers happen, IHSMs provide a key benefit compared to traditional HSMs. Since an IHSM is not permanently +potted and its security mesh is mechanically robust, it can be stopped and disassembled to repair a faulty component +such as a worn-out bearing or a defective payload component such as a RAM module or an SSD. A faulty IHSM can be +refurbished like a normal server. Its disassembly does not require any special equipment. + +The primary challenge in repairing IHSMs is purely operational. It has to be ensured that an attacker lying in wait +cannot seize the opportunity of the IHSM's defenses shutting down to implant a hardware trojan. A possible approach +would be to have the IHSM contain a cryptographic identity that it uses to authenticate its status to its operator, and +that is destroyed along with the payload's secrets when the IHSM is tampered with. The IHSM's operator could then +provide a cryptographically authenticated maintenance token to a trusted technician that allows the technician to power +down this particular IHSM during a set time window. The technician can then physically repair the IHSM and return it +into service, after which the operator can use the IHSM's identity to verify that the repair was conducted as intended. +Using a physical token instead of powering off the IHSM remotely prevents the accidental unsupervised stopping of an +IHSM due to operator error. + +To decrease the risk posed by a rogue technician, similar to the DNSSEC root key signing ceremonies~\cite{iana21}, +arbitrarily complex procedures can be implemented that could, for example, require each maintenance procedure to be +accompanied by several independent witnesses. + + +\section{Attacks} +\label{sec_attacks} + +After outlining the basic mechanical design of an inertial HSM as well as the fundamentals of its long-term operation +above, in this section, we will detail possible ways to attack it. At the core of an IHSM's defenses is the same +security mesh or other technology as it is used in traditional HSMs. This means that ultimately an attacker will have to +perform the same steps they would have to perform to attack a traditional HSM. However, they will either need to +perform these attack steps with a tool such as a CNC actuator or a laser that follows the HSM's rotation at high speed, +or they will first need to defeat the braking sensor. + +\subsection{Attacks that don't work} + +In the sections below, we will go into detail on such attacks on IHSMs. To put these attack approaches into perspective, +we will start with a brief overview of attacks on conventional HSMs that the IHSM is defended against. + +In principle, there are three ways to attack a conventional HSM. The hard way is to go through the security mesh without +triggering the alarm, e.g.\ with a probe that is finer than the mesh's spacing. For larger probes, an attacker can +laboriously uncover, then bridge the mesh traces to allow part of the mesh to be removed. Some HSMs attempt to detect +such attacks by measuring mesh resistance~\cite{obermaier2019}, but this is limited by available measurement precision. +If an attacker only wishes to disable a small section of the mesh to insert a handful of fine probes into the device, +this hardening approach becomes challenging. Consider a mesh that covers an area of $\SI{100}{\milli\meter}$ by +$\SI{100}{\milli\meter}$. An attacker who short-circuits a $\SI{5}{\milli\meter}$ by $\SI{5}{\milli\meter}$ section of +this mesh will change the mesh trace's resistance by approximately +$\frac{\SI{5}{\milli\meter}\cdot\SI{5}{\milli\meter}}{\SI{100}{\milli\meter}\cdot\SI{100}{\milli\meter}} = 0.25 \%$. +Detecting this change would require a resistance measurement of at least $\SI{9}{bit}$ of precision and corresponding +temperature stability of the mesh material. + +The second way to attack an HSM is to go \emph{around} the mesh. Many commercial HSMs sandwich the payload PCB between +two halves of an enclosure~\cite{obermaier2019}. This design is vulnerable to attempts to stick a fine needle through +the interface between lid and PCB~\cite{dexter2015}. Conventional HSMs mitigate this weak spot by wrapping a patterned +conductive foil around the HSM that forms the security mesh, leaving only the corners and the payload's power and data +feed-through as potential weak spots. + +The third and last way to attack a conventional HSM is to disable the mesh monitoring circuit~\cite{dexter2015}. An +attacker may need to insert several probes to wiretap the payload processor's secrets, but if poorly implemented, they +may be able to disable the mesh monitor with only one. This type of attack can be mitigated by careful electronic +design that avoids single points of failure as well as fail-open failure modes. + +\subsection{Attacks that work on any HSM} + +An IHSM provides an effective mitigation against direct attacks on the security mesh as described in the previous +paragraphs. However, there are certain generic attacks that work against any HSM technology, conventional or IHSM. +One type of these attacks are contactless attacks such as electromagnetic (EM) side-channel attacks. +EM side-channel attacks can be mitigated by shielding and by designing the IHSM's payload such that critical components +such as CPUs are physically distant to the security mesh, preventing EM probes from being brought close. +Conducted EMI side-channels that could be used for power analysis can be mitigated by placing filters on the inside of +the security mesh at the point where the power and network connections penetrate the mesh~\cite{anderson2020}. +Finally, the API between the HSM's payload and the outside world provides attack surface. Attacks through the network +interface must be prevented as in any other networked system by only exposing the minimum necessary amount of API +surface to the outside world, and by carefully vetting this remaining attack surface~\cite{anderson2020}. + +IHSMs do not provide an inherent benefit against such contactless attacks. However, there are two mitigating factors in +play that still give IHSMs an advantage over conventional HSMs in this scenario. Because IHSM meshes can be made using +simpler technology than conventional HSM meshes at the same level of security, IHSMs can use larger meshes and are less +space-constrained. This larger volume allows for a greater physical distance between security-critical components and +places accessible to an attacker using an electromagnetic probe for EM side-channel attacks. + +Another type of attack that is possible against all types of HSMs are software attacks. Flaws in an HSM's software such +as memory safety errors in its external-facing APIs can lead to a full compromise of the HSM's +secrets~\cite{ledger2019}. Like a traditional HSM, an IHSM has to expose some API to the outside world to be useful. +For both, the hardening techniques are the same as in any other networked system and include the reduction of attack +surface e.g. through firewalling, fuzz testing, and formal verification. In IHSMs these mitigations are easier to +implement since they allow the use of conventional server hardware and well-audited open source software, instead of +hard-to-audit proprietary code on an embedded platform. + +\subsection{The Swivel Chair Attack} +\label{sec_swivel_chair_attack} + +If we assume whoever integrates the payload into an IHSM has done adequate work and prevented all contactless attacks, +we are left with attacks that aim at mechanically bypassing the IHSM's security mesh. The first type of attack we will +consider is the most basic of all attacks: a human attacker holding a soldering iron trying to rotate herself along with +the mesh using a very fast swivel chair. Let us pessimistically assume that this co-rotating attacker has their center +of mass on the axis of rotation. The attacker's body is likely on the order of $\SI{200}{\milli\meter}$ wide along its +shortest axis, resulting in a minimum radius from axis of rotation to surface of about $\SI{100}{\milli\meter}$. +Wikipedia lists horizontal g forces in the order of $\SI{20}{g}$ as the upper end of the range tolerable by humans for a +duration of seconds or above. We thus set our target acceleration to +$\SI{100}{g}\;\approx\;\SI{1000}{\meter\per\second^2}$, a safety factor of $5$ past that range. Centrifugal +acceleration is $a=\omega^2 r$. In our example, this results in a minimum angular velocity of $f_\text{min} = +\frac{1}{2\pi}\sqrt{\frac{a}{r}} = \frac{1}{2\pi}\sqrt{\frac{\SI{1000}{\meter\per\second^2}}{\SI{100}{\milli\meter}}} +\approx \SI{16}{\hertz} \approx \SI{1000}{rpm}$. From this, we can conclude that even at moderate speeds of +$\SI{1000}{rpm}$ and above, a manual attack is no longer possible and any attack would have to be carried out using some +kind of mechanical tool. + +\begin{figure} + \center + \includegraphics[width=6cm]{attack-robot.pdf} + \caption{Schematic overview of a robotic rotating-stage attack. An optical sensor (1) observes the IHSM's rotation + and adjusts the setpoint of a servo motor (2) that rotates the attack stage (3). On the rotating attack stage, a + remote-controlled manipulator (4) is mounted that deactivates the security mesh (7) and creates an opening (5). + Through this opening, a human operator can then insert tools such as probes to read out sensitive information from + the actual payload (6).} + \label{fig_attack_robot} +\end{figure} + +Figure~\ref{fig_attack_robot} shows a schematic overview of the structure of such a rotating attack tool. The tool +itself has to rotate at the IHSM's speed because counter-rotating the IHSM instead, the accelerometer on the rotor would +measure lower centrifugal acceleration and detect the manipulation attempt. Following the IHSM's rotation closely +enough to allow for remote-controlled manipulation of the IHSM is hard. Let us assume a small IHSM mesh with radius +$r=\SI{100}{\milli\meter}$. To keep a manipulator stationary within a $\SI{5}{\milli\meter}$ by $\SI{5}{\milli\meter}$ +window over a period of $\SI{10}{\second}$ requires attack tool and IHSM speeds to be matched to an accuracy better than +$\frac{\SI{5}{\milli\meter}}{\SI{10}{\second}} \cdot \frac{1}{2\pi r} = \SI{8.0}{\milli\hertz} = \SI{0.048}{rpm}$. +Relative to a realistic IHSM's speed of $\SI{1000}{rpm}$ this corresponds to approximately $\SI{50}{ppm}$. Achieving +this accuracy would likely require active servo control of the attack tool's rotation that is locked, e.g.\ optically, +to the IHSM's rotor. + +If an attacker were to solve the tracking issue, the remaining issue is that they still need to construct a +remote-controlled manipulator that is able to disable the IHSM's mesh. This manipulator would have to be tolerant to +high g forces so that it can be mounted on the attack tool's rotating stage. Drilling only a small hole is not enough +in this case since, while the mesh is moving, the payload is stationary. Instead, using the rotating manipulator, the +attacker has to create an opening in the mesh large enough to place a \emph{stationary} probe on the payload. We +estimate that creating a rotating, remote-controllable manipulator that can be used to successfully attack a security +mesh is infeasible given the degree of manual skill necessary even for normal soldering work. + +\subsection{Mechanical weak spots} + +As we elaborated in the previous paragraphs, we consider a fast-moving mesh to offer a strong tamper detection +capability based on the assumption that the mesh is moving too fast to tamper. However, depending on the type of motion +used, the mesh's actual speed may vary by location and over time. Our example configuration of a rotating mesh moves +continuously and does not have any time-dependent weak spots. It does, however, have a weak spot where the shaft +penetrates the mesh at the axis. The mesh's tangential velocity decreases close to the shaft, and the shaft itself may +allow an attacker to insert tools such as probes into the device through the opening it creates. Conventional HSMs also +have to take precautions to protect their power and data connections. In conventional HSMs, power and data are routed +into the enclosure along a meandering path through the PCB or through flat flex cables sandwiched in between security +mesh foil layers~\cite{smith1998}. As a result of these precautions, in conventional HSMs, this interface rarely is a +mechanical weak spot. In inertial HSMs, careful engineering is necessary to achieve the same effect. +Figure~\ref{shaft_cm} shows variations of the shaft interface with increasing complexity. + +\begin{figure} + \begin{subfigure}[t]{0.3\textwidth} + \center + \includegraphics[width=4cm]{ihsm_shaft_countermeasures_a.pdf} + \caption{Cross-sectional view of the basic configuration with no special protection of the shaft. Red: moving + mesh -- Black: stationary part.} + \label{shaft_cm_a} + \end{subfigure} + \hfill + \begin{subfigure}[t]{0.3\textwidth} + \center + \includegraphics[width=4cm]{ihsm_shaft_countermeasures_b.pdf} + \caption{An internal, independently rotating disc greatly decreases the space available to attackers at the + expense of another moving part and a second moving monitoring circuit.} + \label{shaft_cm_a} + \end{subfigure} + \hfill + \begin{subfigure}[t]{0.3\textwidth} + \center + \includegraphics[width=4cm]{ihsm_shaft_countermeasures_c.pdf} + \caption{A second moving tamper detection mesh also enables more complex topographies.} + \label{shaft_cm_a} + \end{subfigure} + \caption{Mechanical countermeasures to attacks through or close to the shaft of a fixed-axis rotating IHSM.} + \label{shaft_cm} +\end{figure} + +\subsection{Attacking the mesh in motion} + +To disable the mesh itself, an attacker can choose two paths. One is to attack the mesh itself, for example by bridging +its traces. The other option is to tamper with the monitoring circuit to prevent a damaged mesh from triggering an +alarm~\cite{dexter2015}. Attacks in both locations require electrical contact to parts of the circuit. Traditionally, +this is done by soldering a wire or by placing a probe. We consider this type of attack hard to perform on an object +spinning at high speed. Possible remaining attack avenues may be to rotate an attack tool in sync with the mesh or to +use a laser or ion beam fired at the mesh to cut traces or carbonize parts of the substrate to create electrical +connections. Encapsulating the mesh in a potting compound and shielding it with a metal enclosure as is common in +traditional HSMs will significantly increase the complexity of such attacks. + +\subsection{Attacks on the rotation sensor} + +Instead of attacking the mesh in motion, an attacker may also try to first stop the rotor. To succeed, they would need +to falsify the rotor's MEMS accelerometer measurements. We can disregard electronic attacks on the sensor or the +monitoring microcontroller because they would be no easier than attacking the mesh traces. What remains would be +physical attacks of the accelerometer's sensing mechanism. In a MEMS accelerometer, a proof mass moves a cantilever +whose precise position is measured electronically. A topic of recent academic interest has been acoustic attacks +tampering with these mechanics~\cite{trippel2017}, but such attacks do not yield sufficient control to precisely falsify +sensor readings. A possible more invasive attack may be to first decapsulate the sensor MEMS using laser ablation +synchronized with the device's rotation. Then, a fast-setting glue such as a cyanoacrylate could be deposited on the +MEMS, locking the mechanism in place. This type of attack can be mitigated by mounting the accelerometer in a shielded +location inside the security envelope and by varying the rate of rotation over time. + +\subsection{Attacks on the alarm circuit} + +Besides trying to deactivate the tamper detection mesh, an electronic attack could also target the alarm circuitry +inside the stationary payload or the communication link between rotor and payload. The link can be secured using a +cryptographically secured protocol like one would use for wireless radio links along with a high-frequency heartbeat +message. The alarm circuitry has to be designed such that it is entirely contained within the HSM's security envelope. +Like in conventional HSMs, it has to be built to either tolerate or detect environmental attacks using sensors for +temperature, ionizing radiation, laser radiation, supply voltage variations, ultrasound or other vibration, and gases or +liquids. If a wireless link is used between the IHSM's rotor and stator, this link must be cryptographically secured. +To prevent replay attacks, link latency must continuously be measured, so this link must be bidirectional. +% If it were unidirectional, an attacker could +% act as a Man-in-the-Middle and replay the mesh's authenticated ``no alarm'' signal at slightly below real-time speed +% (say at $\SI{99}{\percent}$ speed). The receiver would not be able to distinguish between this attack and ordinary +% deviations in the transmitter's local clock frequency. Thus, after some time the attacker can simply stop the rotor and +% break the mesh while replaying the leftover recorded ``no alarm'' signal. Given the frequency stability of commercial +% crystals, this would yield the attacker several seconds of undisturbed attack time per hour of recording time. + +\subsection{Fast and violent attacks} + +A variation of the above attacks on the alarm circuitry is to use a tool such as a large hammer or a gun to simply +destroy the part of the HSM that erases data in response to tampering before it can perform its job. To mitigate this +type of attack, the HSM must be engineered to be either tough or brittle: Tough enough that the tamper response +circuitry will reliably withstand any attack for long enough to carry out its function or brittle in a way that during +any attack, the payload is reliably destroyed before the tamper response circuitry. + +\section{Proof-of-concept Prototype implementation} +\label{sec_proto} + +As we elaborated above, the mechanical component of an IHSM significantly increases the complexity of any attack even +when implemented using only common, off-the-shelf parts. In view of this amplification of design security, we have +decided to validate our theoretical studies by implementing a proof-of-concept prototype IHSM +(Figure~\ref{prototype_picture}). The main engineering challenges we set out to solve in this proof-of-concept prototype +were: + +\begin{enumerate} + \item A mechanical design suitable for rapid prototyping that can withstand at least $\SI{500}{rpm}$. + \item The automatic generation of security mesh PCB layouts for quick adaption to new form factors. + \item Non-contact power transmission from stator to rotor. + \item Non-contact bidirectional data communication between stator and rotor. +\end{enumerate} + +We will outline our findings on these challenges one by one in the following paragraphs. + +\subsection{Mechanical design} + +We sized our proof-of-concept prototype to have sufficient payload space for a Raspberry Pi single-board computer to +approximate a traditional HSM's processing capabilities. We use printed circuit boards as the main structural material +for the rotating part, and 2020 aluminium extrusion for its mounting frame. Figure~\ref{fig_proto_mesh} shows the +rotor's mechanical PCB designs. The design uses a $\SI{6}{\milli\meter}$ brass tube as its shaft, which is sufficiently +narrow to pose a challenge to an attacker. The rotor is driven by a small hobby quadcopter motor. Our prototype +incorporates a functional PCB security mesh. As we observed previously, this mesh only needs to cover every part of the +system once per revolution, so we designed the longitudinal PCBs as narrow strips to save weight. + +\subsection{PCB security mesh generation} +\label{mesh-gen} + +Our proof-of-concept security mesh covers a total of five interlocking mesh PCBs (Figure~\ref{mesh_gen_sample}). A sixth +PCB contains the monitoring circuit and connects to these mesh PCBs. To speed up design iterations, we automated the +generation of this security mesh through a plugin for the KiCAD EDA +suite\footnote{\url{https://blog.jaseg.de/posts/kicad-mesh-plugin/}}. Figure~\ref{mesh_gen_viz} +visualizes the mesh generation process. First, the target area is overlaid with a grid. Then, the algorithm produces a +randomized tree covering the grid. Finally, individual mesh traces are traced according to a depth-first search through +this tree. We consider the quality of the plugin's output sufficient for practical applications. Together with +FreeCAD's KiCAD StepUp plugin, this results in an efficient toolchain from mechanical CAD design to production-ready PCB +files. + +\begin{figure} + \begin{subfigure}{0.35\textwidth} + \center + \includegraphics[height=7cm]{proto_3d_design.jpg} + \caption{The 3D CAD design of the proof-of-concept prototype.} + \end{subfigure} + \hfill + \begin{subfigure}{0.6\textwidth} + \includegraphics[width=8cm]{rotor_stator.jpg} + \center + \caption{Assembled mechanical prototype rotor (left) and stator (right) PCB components.} + \end{subfigure} + \caption{Our proof-of-concept prototype IHSM's PCB security mesh design} + \label{fig_proto_mesh} +\end{figure} + +\begin{figure} + \begin{subfigure}{\textwidth} + \center + \includegraphics[width=9cm]{mesh_gen_viz.pdf} + \caption{Overview of the automatic security mesh generation process. 1 - Example target area. 2 - Grid overlay. + 3 - Grid cells outside of the target area are removed. 4 - A random tree covering the remaining cells is + generated. 5 - The mesh traces are traced along a depth-first walk of the tree. 6 - Result.} + \label{mesh_gen_viz} + \end{subfigure} + \begin{subfigure}{\textwidth} + \center + \includegraphics[width=6cm]{mesh_scan_crop.jpg} + \caption{Detail of a PCB produced with a generated mesh.} + \label{mesh_gen_sample} + \end{subfigure} + \caption{Our automatic security mesh generation process} + \label{mesh_gen_fig} +\end{figure} + +\subsection{Power transmission from stator to rotor} + +The spinning mesh has its own autonomous monitoring circuit. This spinning monitoring circuit needs both power and data +connectivity to the stator. To design the power link, we first need to estimate the monitoring circuit's power +consumption. We base our calculation on the (conservative) assumption that the spinning mesh sensor should send its +tamper status to the static monitoring circuit at least once every $T_\text{tx} = \SI{10}{\milli\second}$. At +$\SI{100}{\kilo\baud}$, a transmission of a one-byte message in standard UART framing would take +$\SI{100}{\micro\second}$ and yield a $\SI{1}{\percent}$ duty cycle. If we assume an optical or RF transmitter that +requires $\SI{10}{\milli\ampere}$ of active current, this yields an average operating current of +$\SI{100}{\micro\ampere}$. This value is comparable to a reasonable estimation of the current consumption of the +monitoring circuit itself. In our prototype, we used ST Microelectronics STM32 Series ARM Cortex-M microcontrollers. To +get an estimate on the current consumption of an energy-optimized design we will refer to the datasheet of the +\partno{STM32L486JG}\footnote{\url{https://www.st.com/resource/en/datasheet/stm32l486jg.pdf}}, a representative member +of ST's \partno{STM32L4} low-power sub-family that provides hardware acceleration for AES256. A good target for an +implementation of a secure cryptographic channel on this device would be the noise protocol framework~\cite{perrin2018}. +While the initial handshake for key establishment uses elliptic-curve cryptography and may take several hundred +milliseconds~\cite{tschofenig2015}, the following payload data transfer messages require only symmetric cryptographic +primitives. The \partno{STM32L486JG} datasheet lists the microcontroller's typical operating current at around +$\SI{8}{\milli\ampere}$ at $\SI{48}{\mega\hertz}$ clock speed and lists a sleep current of less than +$\SI{1}{\micro\ampere}$ in low-power standby mode with RTC enabled. The AES peripheral is listed with less than +$\SI{2}{\micro\ampere\per\mega\hertz}$ typical current consumption. A typical high-$g$ accelerometer for an IHSM +application would be ST Microelectronics' \partno{H3LIS331DL}. Its +datasheet\footnote{\url{https://www.st.com/resource/en/datasheet/h3lis331dl.pdf}} lists a typical current consumption +between $\SI{10}{\micro\ampere}$ in low-power mode with output sampling rate up to $\SI{10}{\hertz}$ and +$\SI{300}{\micro\ampere}$ in normal operating mode with output sampling rate up to $\SI{1}{\kilo\hertz}$. Given the low +amount of data that has to be processed in our application (hundreds of bytes per second), if we assume a duty cycle of +$\SI{1}{\percent}$ of active data processing vs.\ sleep mode at the given clock speed we arrive at a total estimated +current consumption of our microcontroller of less than $\SI{100}{\micro\ampere}$. Thus, reserving +$\SI{100}{\micro\ampere}$ for the monitoring circuit on top of the $\SI{100}{\micro\ampere}$ for the transceiver circuit +we arrive at an energy consumption of $\SI{1.7}{\ampere\hour}$ per year. + +This annual energy consumption is close to the capacity of a single CR123A lithium primary cell. By either using several +such cells or by optimizing power consumption, several years of battery life could easily be reached. In our proof of +concept prototype, we decided against using a battery to reduce rotor mass and avoid balancing issues. + +We also decided against mechanically complex solutions such as slip rings or electronically complex ones such as +inductive power transfer. Instead, we chose a simple setup consisting of a stationary lamp pointing at several solar +cells on the rotor. At the monitoring circuit's low power consumption power transfer efficiency is irrelevant, so this +solution is practical. Our system uses six series-connected solar cells mounted on the end of the cylindrical rotor +that are fed into a large $\SI{33}{\micro\farad}$ ceramic buffer capacitor through a Schottky diode. This solution +provides around $\SI{3.0}{\volt}$ at several tens of $\si{\milli\ampere}$ to the payload when illuminated using either +a $\SI{60}{\watt}$ incandescent light bulb or a flicker-free LED studio light of similar brightness\footnote{LED lights +intended for room lighting exhibit significant flicker that can cause the monitoring circuit to reset. Incandescent +lighting requires some care in shielding the data link from the light bulb's considerable infrared output.}. + +\subsection{Data transmission between stator and rotor} + +Besides power transfer from stator to rotor, we need a reliable, bidirectional data link to transmit mesh status and a +low-latency heartbeat signal. We chose to transport an $\SI{115}{\kilo\baud}$ UART signal through a simple IR link for a +quick and robust solution. The link's transmitter directly drives a standard narrow viewing angle IR led through a +transistor. The receiver has an IR PIN photodiode reverse-biased at $\frac{1}{2}V_\text{CC}$ feeding into an +\partno{MCP6494} general purpose opamp configured as a $\SI{100}{\kilo\ohm}$ transimpedance amplifier. As shown in +Figure \ref{photolink_schematic}, the output of this TIA is amplified one more time before being squared up by a +comparator. Our design trades off stator-side power consumption for a reduction in rotor-side power consumption by +using a narrow-angle IR led and photodiode on the rotor, and wide-angle components at a higher LED current on the +stator. Figure~\ref{ir_tx_schema} shows the physical arrangement of both links. The links face opposite one another and +are shielded from one another by the motor's body in the center of the PCB. + +% We used an \partno{MCP6494} quad CMOS op-amp. At a specified $\SI{2}{\milli\ampere}$ current +% consumption it is within our rotor's power budget, and its Gain Bandwidth Product of $\SI{7.5}{\mega\hertz}$ yields a +% useful transimpedance in the photodiode-facing TIA stage. + +\begin{figure} + \begin{subfigure}{0.3\textwidth} + \includegraphics[width=4.5cm]{ir_tx_schema.pdf} + \caption{Basic layout, view along axis of rotation. 1 + - Rotor base PCB. 2 - Stator IR link PCB. 3 - Motor. 4 - receiver PIN photodiode. 5 - transmitter IR LED.} + \label{ir_tx_schema} + \end{subfigure} + \hfill + \begin{subfigure}{0.65\textwidth} + \includegraphics[width=9cm]{photolink_schematic.pdf} + \caption{Schematic with sample component values. C2 is highly dependent on the photodiode characteristics and + stray capacitances.} + \label{photolink_schematic} + \end{subfigure} + \caption{IR data link implementation} +\end{figure} + +\subsection{Evaluation} + +The proof-of-concept hardware worked as intended. Both rotating power and data links performed well. As we expected, the +mechanical design vibrated at higher speeds but despite these unintended vibrations, we were able to reach speeds in +excess of $\SI{1000}{rpm}$ by clamping the device to the workbench. Even at high speeds, both the power link and the +data links continued to function without issue. + +By design, our prototype is not yet a production-ready solution. Its main limitation is the small payload volume that +can house one or two Raspberry Pi single-board computers but does not allow for more powerful hardware such as a +contemporary server mainboard. Being constructed without access to a proper mechanical workshop, its imprecise +construction leads to vibration at high speeds. Its optical communication links in breadboard construction function and +need to be translated into manufacturable PCBs, and its security mesh has to be optimized for security. Finally, a motor +driver solution needs to be selected that allows for direct digital control of motor speed. Overall, the prototype +soundly demonstrated the viability of the IHSM concept and we are confident that all of these limitations can be +conclusively solved in a new iteration that might be a ``beta'' version of a practical IHSM, built in a mechanical +workshop. + +\section{Using MEMS accelerometers for braking detection} +\label{sec_accel_meas} + +In our proof-of-concept prototype, for braking detection we chose an accelerometer placed on the circumference of our +prototype's rotor for two reasons: First, it avoids the likely issue of high centrifugal acceleration falsifying +gyroscope measurements. Second, by orienting one axis of the accelerometer radially, we can avoid exceeding the +accelerometer's range even when rapidly accelerating or decelerating. Rapid angular acceleration or deceleration +produces high tangential linear acceleration or deceleration in our sensor, but the radially-oriented axis of the +accelerometer only experiences an amount of centrifugal acceleration that is bounded by the rotor's momentary angular +velocity and never exceeds the device's specified operating conditions. + +Using our prototype, we performed an evaluation of an \partno{AIS1120} commercial automotive MEMS accelerometer as a +braking sensor. The device is mounted inside our prototype at a radius of $\SI{55}{\milli\meter}$ from the axis of +rotation to the center of the device's package. The \partno{AIS1120} provides a measurement range of $\pm 120\,g$. At +its 14-bit resolution, one LSB corresponds to $15\,\mathrm{m}g$. + +Our prototype IHSM uses a motor controller intended for use in RC quadcopters. In our experimental setup, we manually +control this motor controller through an RC servo tester. In our experiments, we externally measured the device's speed +of rotation using a magnet fixed to the rotor and a reed switch. The reed switch output is digitized using a USB logic +analyzer at a sample rate of $\SI{100}{\mega\hertz}$. We calculate rotation frequency as a $\SI{1}{\second}$ running +average over interval lengths of the debounced captured signal\footnote{A regular frequency counter or commercial +tachometer would have been easier, but neither was available in our limited COVID-19 home office lab.}. + +The accelerometer is controlled from the \partno{STM32} microcontroller on the rotor of our IHSM prototype platform. +Timed by an external quartz, the microcontroller samples accelerometer readings at $\SI{10}{\hertz}$. Readings are +accumulated in a small memory buffer, which is continuously transmitted out through the prototype platform's infrared +link. Data is packetized with a sequence number indicating the buffer's position in the data stream and a CRC-32 +checksum for error detection. On the host, a Python script stores all packets received with a valid checksum in an +SQLite database. + +Data analysis is done separately from data capture. An analysis IPython notebook reads captured packets and reassembles +the continuous sample stream based on the packets' sequence numbers. The low $\SI{10}{\hertz}$ sample rate and high +$\SI{115}{\kilo Bd}$ transmission speed lead to a large degree of redundancy with gaps in the data stream being rare. +This allowed us to avoid writing retransmission logic or data interpolation. + +Figure~\ref{fig-acc-steps} shows an entire run of the experiment. During this run, we started with the rotor at +standstill, then manually increased its speed of rotation in steps. Areas shaded gray are intervals where we manually +adjust the rotor's speed. The unshaded areas in between are intervals when the rotor speed is steady. +Figure~\ref{fig-acc-stacked} shows a magnified view of these periods of steady rotor speed. In both graphs, orange +lines indicate centrifugal acceleration as calculated from rotor speed measurements. Visually, we can see that +measurements and theory closely match. Our frequency measurements are accurate and the main source of error are the +accelerometer's intrinsic errors as well as error in its placement due to construction tolerances. + +\begin{figure} + \begin{subfigure}{0.5\textwidth} + \center + \includegraphics[width=1.1\textwidth]{fig-acc-trace-steps-run50.pdf} + \caption{Raw recording of accelerometer measurements during one experiment run. Shaded areas indicate time + intervals when we manually adjusted speed.} + \label{fig-acc-steps} + \end{subfigure} + \hfill + \begin{subfigure}{0.45\textwidth} + \center + \includegraphics[width=1.1\textwidth]{fig-acc-trace-stacked-run50.pdf} + \caption{Valid measurements cropped out from \ref{fig-acc-steps} for various frequencies. Intermodulation + artifacts from the accelerometer's $\SI{10}{\hertz}$ sampling frequency and the $\SI{3}{\hertz}$ to + $\SI{18}{\hertz}$ rotation frequency due to gravity and device vibration are clearly visible.} + \label{fig-acc-stacked} + \end{subfigure} + \label{fig-acc-traces} + \caption{Traces of acceleration measurements during one experiment run.} +\end{figure} + +The accelerometer has two main intrinsic errors. Offset error is a fixed additive offset to all measurements. Scale +error is an error proportional to a measurements value that results from a deviation between the device's specified and +actual sensitivity. We correct for both errors by first extracting all stable intervals from the time series, then +fitting a linear function to the measured data. Offset error is this linear function's intercept, and scale error is its +slope. We then apply this correction to all captured data before plotting and later analysis. Despite its simplicity, +this approach already leads to a good match of measurements and theory modulo a small part of the device's offset +remaining. At high speeds of rotation, this remaining offset does not have an appreciable impact, but due to the +quadratic nature of centrifugal acceleration, at low speed, it causes a large relative error of up to $\SI{8}{\percent}$ +at $\SI{95}{rpm}$. + +After offset and scale correction, we applied a low-pass filter to our data. The graphs show both raw and filtered data. +Raw data contains significant harmonic content. This content is due to vibrations in our prototype as well as gravity +since we tested our proof-of-concept prototype lying down, with its shaft pointing sideways. FFT analysis shows that +this harmonic content is a clean intermodulation product of the accelerometer's sample rate and the speed of rotation +with no other visible artifacts. + +Figure~\ref{fig-acc-theory} shows a plot of our measurement results against frequency. Data points are shown in dark +blue, and theoretical behavior is shown in orange. From our measurements, we can conclude that an accelerometer is a +good choice for an IHSM's braking sensor. A simple threshold set according to the sensor's calculated expected +centrifugal force should be sufficient to reliably detect manipulation attempts without resulting in false positives. +Periodic controlled changes in the IHSM's speed of rotation allow offset and scale calibration of the accelerometer on +the fly, without stopping the rotor. + +\begin{figure} + \center + \includegraphics[width=0.7\textwidth]{fig-acc-theory-meas-run50.pdf} + \caption{Centrifugal acceleration versus angular frequency in theory and in our experiments. Experimental + measurements are shown after correction for offset and scale error. Above \SI{300}{rpm}, the relative error is + below $\SI{0.5}{\percent}$. Below $\SI{300}{rpm}$, the residual offset error has a large impact ($0.05\,g$ absolute + or $8\%$ relative at $\SI{95}{rpm}$.)} + \label{fig-acc-theory} +\end{figure} + +\section{Conclusion} +\label{sec_conclusion} + +In this paper, we introduced Inertial Hardware Security Modules (IHSMs), a novel concept for the construction of +advanced hardware security modules from simple components. We analyzed the concept for its security properties and +highlighted its ability to significantly strengthen otherwise weak tamper detection barriers. We validated our design +by creating a proof-of-concept hardware prototype. In this prototype, we have demonstrated practical solutions to the +major electronics design challenges: Data and power transfer through a rotating joint, and mechanized mesh generation. +We have used our prototype to perform several experiments to validate the rotary power and data links and the onboard +accelerometer. Our measurements have shown that our proof-of-concept solar cell power link works well and that our +simple IR data link already is sufficiently reliable for telemetry. Our experiments with an \partno{AIS1120} automotive +MEMS accelerometer showed that this part is well-suited for braking detection in the range of rotation speed relevant to +the IHSM scenario. + +Overall, our findings validate the viability of IHSMs as an evolutionary step beyond traditional HSM technology. IHSMs +offer a high level of security beyond what traditional techniques can offer even when built from simple components. They +allow the construction of devices secure against a wide range of practical attacks in small quantities and without +specialized tools. The rotating mesh allows longitudinal gaps, which enables new applications that are impossible with +traditional HSMs. Such gaps can be used to integrate a fan for air cooling into the HSM, allowing the use of powerful +computing hardware inside the HSM. We hope that this simple construction will stimulate academic research into (more) +secure hardware. We published all design artifacts of our PoC online, please refer to Appendix~\ref{sec_repo} for +details. The next steps towards a practical application of our design will be to design a manufacturable stator/rotor +interface with inductive power and data transfer integrated into the motor's magnetics and a custom motor driver tuned +for the application that is able to precisely measure both angular velocity and winding current for an added degree of +tamper detection through the measurement of external forces acting on the rotor. + diff --git a/chapter-ihsm/figures/attack-robot.pdf b/chapter-ihsm/figures/attack-robot.pdf new file mode 100644 index 0000000..543fe66 Binary files /dev/null and b/chapter-ihsm/figures/attack-robot.pdf differ diff --git a/chapter-ihsm/figures/attack-robot.pdf.latex_meta b/chapter-ihsm/figures/attack-robot.pdf.latex_meta new file mode 100644 index 0000000..0a0c897 --- /dev/null +++ b/chapter-ihsm/figures/attack-robot.pdf.latex_meta @@ -0,0 +1,6 @@ +\def\resourcestate{\draftgraphics} +\def\resourcescale{} +\def\resourceurl{https://git.jaseg.de/ihsm.git/plain/paper/attack-robot.pdf?h=67395704d1b44def970b9395369cddbb49405bba} +\def\resourcerev{6739570} +\def\resourcerepo{ihsm.git} +\def\resourcepath{paper/attack-robot.pdf} \ No newline at end of file diff --git a/chapter-ihsm/figures/concept_vis_one_axis.pdf b/chapter-ihsm/figures/concept_vis_one_axis.pdf new file mode 100644 index 0000000..ea37280 Binary files /dev/null and b/chapter-ihsm/figures/concept_vis_one_axis.pdf differ diff --git a/chapter-ihsm/figures/concept_vis_one_axis.pdf.latex_meta b/chapter-ihsm/figures/concept_vis_one_axis.pdf.latex_meta new file mode 100644 index 0000000..c573cdc --- /dev/null +++ b/chapter-ihsm/figures/concept_vis_one_axis.pdf.latex_meta @@ -0,0 +1,6 @@ +\def\resourcestate{\draftgraphics} +\def\resourcescale{} +\def\resourceurl{https://git.jaseg.de/ihsm.git/plain/paper/concept\_vis\_one\_axis.pdf?h=67395704d1b44def970b9395369cddbb49405bba} +\def\resourcerev{6739570} +\def\resourcerepo{ihsm.git} +\def\resourcepath{paper/concept\_vis\_one\_axis.pdf} \ No newline at end of file diff --git a/chapter-ihsm/figures/fig-acc-theory-meas-run50.pdf b/chapter-ihsm/figures/fig-acc-theory-meas-run50.pdf new file mode 100644 index 0000000..bae7ce8 Binary files /dev/null and b/chapter-ihsm/figures/fig-acc-theory-meas-run50.pdf differ diff --git a/chapter-ihsm/figures/fig-acc-theory-meas-run50.pdf.latex_meta b/chapter-ihsm/figures/fig-acc-theory-meas-run50.pdf.latex_meta new file mode 100644 index 0000000..79fbf10 --- /dev/null +++ b/chapter-ihsm/figures/fig-acc-theory-meas-run50.pdf.latex_meta @@ -0,0 +1,6 @@ +\def\resourcestate{\draftgraphics} +\def\resourcescale{} +\def\resourceurl{https://git.jaseg.de/ihsm.git/plain/paper/fig-acc-theory-meas-run50.pdf?h=67395704d1b44def970b9395369cddbb49405bba} +\def\resourcerev{6739570} +\def\resourcerepo{ihsm.git} +\def\resourcepath{paper/fig-acc-theory-meas-run50.pdf} \ No newline at end of file diff --git a/chapter-ihsm/figures/fig-acc-trace-stacked-run50.pdf b/chapter-ihsm/figures/fig-acc-trace-stacked-run50.pdf new file mode 100644 index 0000000..47fb023 Binary files /dev/null and b/chapter-ihsm/figures/fig-acc-trace-stacked-run50.pdf differ diff --git a/chapter-ihsm/figures/fig-acc-trace-stacked-run50.pdf.latex_meta b/chapter-ihsm/figures/fig-acc-trace-stacked-run50.pdf.latex_meta new file mode 100644 index 0000000..93e6f45 --- /dev/null +++ b/chapter-ihsm/figures/fig-acc-trace-stacked-run50.pdf.latex_meta @@ -0,0 +1,6 @@ +\def\resourcestate{\draftgraphics} +\def\resourcescale{} +\def\resourceurl{https://git.jaseg.de/ihsm.git/plain/paper/fig-acc-trace-stacked-run50.pdf?h=67395704d1b44def970b9395369cddbb49405bba} +\def\resourcerev{6739570} +\def\resourcerepo{ihsm.git} +\def\resourcepath{paper/fig-acc-trace-stacked-run50.pdf} \ No newline at end of file diff --git a/chapter-ihsm/figures/fig-acc-trace-steps-run50.pdf b/chapter-ihsm/figures/fig-acc-trace-steps-run50.pdf new file mode 100644 index 0000000..c1bc499 Binary files /dev/null and b/chapter-ihsm/figures/fig-acc-trace-steps-run50.pdf differ diff --git a/chapter-ihsm/figures/fig-acc-trace-steps-run50.pdf.latex_meta b/chapter-ihsm/figures/fig-acc-trace-steps-run50.pdf.latex_meta new file mode 100644 index 0000000..4cc29b8 --- /dev/null +++ b/chapter-ihsm/figures/fig-acc-trace-steps-run50.pdf.latex_meta @@ -0,0 +1,6 @@ +\def\resourcestate{\draftgraphics} +\def\resourcescale{} +\def\resourceurl{https://git.jaseg.de/ihsm.git/plain/paper/fig-acc-trace-steps-run50.pdf?h=67395704d1b44def970b9395369cddbb49405bba} +\def\resourcerev{6739570} +\def\resourcerepo{ihsm.git} +\def\resourcepath{paper/fig-acc-trace-steps-run50.pdf} \ No newline at end of file diff --git a/chapter-ihsm/figures/goette_inertial_hsms_v1_5_eprint.pdf b/chapter-ihsm/figures/goette_inertial_hsms_v1_5_eprint.pdf new file mode 100755 index 0000000..8fdb2b9 Binary files /dev/null and b/chapter-ihsm/figures/goette_inertial_hsms_v1_5_eprint.pdf differ diff --git a/chapter-ihsm/figures/goette_inertial_hsms_v1_5_eprint.pdf.latex_meta b/chapter-ihsm/figures/goette_inertial_hsms_v1_5_eprint.pdf.latex_meta new file mode 100644 index 0000000..9e723fb --- /dev/null +++ b/chapter-ihsm/figures/goette_inertial_hsms_v1_5_eprint.pdf.latex_meta @@ -0,0 +1,6 @@ +\def\resourcestate{\draftgraphics} +\def\resourcescale{} +\def\resourceurl{https://git.jaseg.de/ihsm.git/plain/paper/goette\_inertial\_hsms\_v1\_5\_eprint.pdf?h=67395704d1b44def970b9395369cddbb49405bba} +\def\resourcerev{6739570} +\def\resourcerepo{ihsm.git} +\def\resourcepath{paper/goette\_inertial\_hsms\_v1\_5\_eprint.pdf} \ No newline at end of file diff --git a/chapter-ihsm/figures/ihsm b/chapter-ihsm/figures/ihsm new file mode 160000 index 0000000..6739570 --- /dev/null +++ b/chapter-ihsm/figures/ihsm @@ -0,0 +1 @@ +Subproject commit 67395704d1b44def970b9395369cddbb49405bba diff --git a/chapter-ihsm/figures/ihsm_shaft_countermeasures_a.pdf b/chapter-ihsm/figures/ihsm_shaft_countermeasures_a.pdf new file mode 100755 index 0000000..6f1f857 Binary files /dev/null and b/chapter-ihsm/figures/ihsm_shaft_countermeasures_a.pdf differ diff --git a/chapter-ihsm/figures/ihsm_shaft_countermeasures_a.pdf.latex_meta b/chapter-ihsm/figures/ihsm_shaft_countermeasures_a.pdf.latex_meta new file mode 100644 index 0000000..4147184 --- /dev/null +++ b/chapter-ihsm/figures/ihsm_shaft_countermeasures_a.pdf.latex_meta @@ -0,0 +1,6 @@ +\def\resourcestate{\draftgraphics} +\def\resourcescale{} +\def\resourceurl{https://git.jaseg.de/ihsm.git/plain/paper/ihsm\_shaft\_countermeasures\_a.pdf?h=67395704d1b44def970b9395369cddbb49405bba} +\def\resourcerev{6739570} +\def\resourcerepo{ihsm.git} +\def\resourcepath{paper/ihsm\_shaft\_countermeasures\_a.pdf} \ No newline at end of file diff --git a/chapter-ihsm/figures/ihsm_shaft_countermeasures_b.pdf b/chapter-ihsm/figures/ihsm_shaft_countermeasures_b.pdf new file mode 100755 index 0000000..9ad0f95 Binary files /dev/null and b/chapter-ihsm/figures/ihsm_shaft_countermeasures_b.pdf differ diff --git a/chapter-ihsm/figures/ihsm_shaft_countermeasures_b.pdf.latex_meta b/chapter-ihsm/figures/ihsm_shaft_countermeasures_b.pdf.latex_meta new file mode 100644 index 0000000..94ffc1b --- /dev/null +++ b/chapter-ihsm/figures/ihsm_shaft_countermeasures_b.pdf.latex_meta @@ -0,0 +1,6 @@ +\def\resourcestate{\draftgraphics} +\def\resourcescale{} +\def\resourceurl{https://git.jaseg.de/ihsm.git/plain/paper/ihsm\_shaft\_countermeasures\_b.pdf?h=67395704d1b44def970b9395369cddbb49405bba} +\def\resourcerev{6739570} +\def\resourcerepo{ihsm.git} +\def\resourcepath{paper/ihsm\_shaft\_countermeasures\_b.pdf} \ No newline at end of file diff --git a/chapter-ihsm/figures/ihsm_shaft_countermeasures_c.pdf b/chapter-ihsm/figures/ihsm_shaft_countermeasures_c.pdf new file mode 100755 index 0000000..5e01be2 Binary files /dev/null and b/chapter-ihsm/figures/ihsm_shaft_countermeasures_c.pdf differ diff --git a/chapter-ihsm/figures/ihsm_shaft_countermeasures_c.pdf.latex_meta b/chapter-ihsm/figures/ihsm_shaft_countermeasures_c.pdf.latex_meta new file mode 100644 index 0000000..e2cddbf --- /dev/null +++ b/chapter-ihsm/figures/ihsm_shaft_countermeasures_c.pdf.latex_meta @@ -0,0 +1,6 @@ +\def\resourcestate{\draftgraphics} +\def\resourcescale{} +\def\resourceurl{https://git.jaseg.de/ihsm.git/plain/paper/ihsm\_shaft\_countermeasures\_c.pdf?h=67395704d1b44def970b9395369cddbb49405bba} +\def\resourcerev{6739570} +\def\resourcerepo{ihsm.git} +\def\resourcepath{paper/ihsm\_shaft\_countermeasures\_c.pdf} \ No newline at end of file diff --git a/chapter-ihsm/figures/ir_tx_schema.pdf b/chapter-ihsm/figures/ir_tx_schema.pdf new file mode 100644 index 0000000..0e44ca5 Binary files /dev/null and b/chapter-ihsm/figures/ir_tx_schema.pdf differ diff --git a/chapter-ihsm/figures/ir_tx_schema.pdf.latex_meta b/chapter-ihsm/figures/ir_tx_schema.pdf.latex_meta new file mode 100644 index 0000000..5d36066 --- /dev/null +++ b/chapter-ihsm/figures/ir_tx_schema.pdf.latex_meta @@ -0,0 +1,6 @@ +\def\resourcestate{\draftgraphics} +\def\resourcescale{} +\def\resourceurl{https://git.jaseg.de/ihsm.git/plain/paper/ir\_tx\_schema.pdf?h=67395704d1b44def970b9395369cddbb49405bba} +\def\resourcerev{6739570} +\def\resourcerepo{ihsm.git} +\def\resourcepath{paper/ir\_tx\_schema.pdf} \ No newline at end of file diff --git a/chapter-ihsm/figures/mesh_gen_viz.pdf b/chapter-ihsm/figures/mesh_gen_viz.pdf new file mode 100644 index 0000000..7ded2fc Binary files /dev/null and b/chapter-ihsm/figures/mesh_gen_viz.pdf differ diff --git a/chapter-ihsm/figures/mesh_gen_viz.pdf.latex_meta b/chapter-ihsm/figures/mesh_gen_viz.pdf.latex_meta new file mode 100644 index 0000000..f997bd9 --- /dev/null +++ b/chapter-ihsm/figures/mesh_gen_viz.pdf.latex_meta @@ -0,0 +1,6 @@ +\def\resourcestate{\draftgraphics} +\def\resourcescale{} +\def\resourceurl{https://git.jaseg.de/ihsm.git/plain/paper/mesh\_gen\_viz.pdf?h=67395704d1b44def970b9395369cddbb49405bba} +\def\resourcerev{6739570} +\def\resourcerepo{ihsm.git} +\def\resourcepath{paper/mesh\_gen\_viz.pdf} \ No newline at end of file diff --git a/chapter-ihsm/figures/mesh_scan_crop.jpg b/chapter-ihsm/figures/mesh_scan_crop.jpg new file mode 100644 index 0000000..baa8e6c Binary files /dev/null and b/chapter-ihsm/figures/mesh_scan_crop.jpg differ diff --git a/chapter-ihsm/figures/mesh_scan_crop.jpg.latex_meta b/chapter-ihsm/figures/mesh_scan_crop.jpg.latex_meta new file mode 100644 index 0000000..c20334e --- /dev/null +++ b/chapter-ihsm/figures/mesh_scan_crop.jpg.latex_meta @@ -0,0 +1,6 @@ +\def\resourcestate{\draftgraphics} +\def\resourcescale{} +\def\resourceurl{https://git.jaseg.de/ihsm.git/plain/paper/mesh\_scan\_crop.jpg?h=67395704d1b44def970b9395369cddbb49405bba} +\def\resourcerev{6739570} +\def\resourcerepo{ihsm.git} +\def\resourcepath{paper/mesh\_scan\_crop.jpg} \ No newline at end of file diff --git a/chapter-ihsm/figures/photolink_schematic.pdf b/chapter-ihsm/figures/photolink_schematic.pdf new file mode 100644 index 0000000..3284427 Binary files /dev/null and b/chapter-ihsm/figures/photolink_schematic.pdf differ diff --git a/chapter-ihsm/figures/photolink_schematic.pdf.latex_meta b/chapter-ihsm/figures/photolink_schematic.pdf.latex_meta new file mode 100644 index 0000000..4c0f2ec --- /dev/null +++ b/chapter-ihsm/figures/photolink_schematic.pdf.latex_meta @@ -0,0 +1,6 @@ +\def\resourcestate{\draftgraphics} +\def\resourcescale{} +\def\resourceurl{https://git.jaseg.de/ihsm.git/plain/paper/photolink\_schematic.pdf?h=67395704d1b44def970b9395369cddbb49405bba} +\def\resourcerev{6739570} +\def\resourcerepo{ihsm.git} +\def\resourcepath{paper/photolink\_schematic.pdf} \ No newline at end of file diff --git a/chapter-ihsm/figures/proto_3d_design.jpg b/chapter-ihsm/figures/proto_3d_design.jpg new file mode 100644 index 0000000..f527828 Binary files /dev/null and b/chapter-ihsm/figures/proto_3d_design.jpg differ diff --git a/chapter-ihsm/figures/proto_3d_design.jpg.latex_meta b/chapter-ihsm/figures/proto_3d_design.jpg.latex_meta new file mode 100644 index 0000000..ebd32e8 --- /dev/null +++ b/chapter-ihsm/figures/proto_3d_design.jpg.latex_meta @@ -0,0 +1,6 @@ +\def\resourcestate{\draftgraphics} +\def\resourcescale{} +\def\resourceurl{https://git.jaseg.de/ihsm.git/plain/paper/proto\_3d\_design.jpg?h=67395704d1b44def970b9395369cddbb49405bba} +\def\resourcerev{6739570} +\def\resourcerepo{ihsm.git} +\def\resourcepath{paper/proto\_3d\_design.jpg} \ No newline at end of file diff --git a/chapter-ihsm/figures/prototype_early_comms_small.jpg b/chapter-ihsm/figures/prototype_early_comms_small.jpg new file mode 100644 index 0000000..506da48 Binary files /dev/null and b/chapter-ihsm/figures/prototype_early_comms_small.jpg differ diff --git a/chapter-ihsm/figures/prototype_early_comms_small.jpg.latex_meta b/chapter-ihsm/figures/prototype_early_comms_small.jpg.latex_meta new file mode 100644 index 0000000..d2f17b7 --- /dev/null +++ b/chapter-ihsm/figures/prototype_early_comms_small.jpg.latex_meta @@ -0,0 +1,6 @@ +\def\resourcestate{\draftgraphics} +\def\resourcescale{} +\def\resourceurl{https://git.jaseg.de/ihsm.git/plain/paper/prototype\_early\_comms\_small.jpg?h=67395704d1b44def970b9395369cddbb49405bba} +\def\resourcerev{6739570} +\def\resourcerepo{ihsm.git} +\def\resourcepath{paper/prototype\_early\_comms\_small.jpg} \ No newline at end of file diff --git a/chapter-ihsm/figures/prototype_pic.jpg b/chapter-ihsm/figures/prototype_pic.jpg new file mode 100644 index 0000000..2200d6d Binary files /dev/null and b/chapter-ihsm/figures/prototype_pic.jpg differ diff --git a/chapter-ihsm/figures/prototype_pic.jpg.latex_meta b/chapter-ihsm/figures/prototype_pic.jpg.latex_meta new file mode 100644 index 0000000..1ac8c9c --- /dev/null +++ b/chapter-ihsm/figures/prototype_pic.jpg.latex_meta @@ -0,0 +1,6 @@ +\def\resourcestate{\draftgraphics} +\def\resourcescale{} +\def\resourceurl{https://git.jaseg.de/ihsm.git/plain/paper/prototype\_pic.jpg?h=67395704d1b44def970b9395369cddbb49405bba} +\def\resourcerev{6739570} +\def\resourcerepo{ihsm.git} +\def\resourcepath{paper/prototype\_pic.jpg} \ No newline at end of file diff --git a/chapter-ihsm/figures/prototype_pic2.jpg b/chapter-ihsm/figures/prototype_pic2.jpg new file mode 100644 index 0000000..7838a75 Binary files /dev/null and b/chapter-ihsm/figures/prototype_pic2.jpg differ diff --git a/chapter-ihsm/figures/prototype_pic2.jpg.latex_meta b/chapter-ihsm/figures/prototype_pic2.jpg.latex_meta new file mode 100644 index 0000000..198dc87 --- /dev/null +++ b/chapter-ihsm/figures/prototype_pic2.jpg.latex_meta @@ -0,0 +1,6 @@ +\def\resourcestate{\draftgraphics} +\def\resourcescale{} +\def\resourceurl{https://git.jaseg.de/ihsm.git/plain/paper/prototype\_pic2.jpg?h=67395704d1b44def970b9395369cddbb49405bba} +\def\resourcerev{6739570} +\def\resourcerepo{ihsm.git} +\def\resourcepath{paper/prototype\_pic2.jpg} \ No newline at end of file diff --git a/chapter-ihsm/figures/rotor_stator.jpg b/chapter-ihsm/figures/rotor_stator.jpg new file mode 100644 index 0000000..904052b Binary files /dev/null and b/chapter-ihsm/figures/rotor_stator.jpg differ diff --git a/chapter-ihsm/figures/rotor_stator.jpg.latex_meta b/chapter-ihsm/figures/rotor_stator.jpg.latex_meta new file mode 100644 index 0000000..8dc00fc --- /dev/null +++ b/chapter-ihsm/figures/rotor_stator.jpg.latex_meta @@ -0,0 +1,6 @@ +\def\resourcestate{\draftgraphics} +\def\resourcescale{} +\def\resourceurl{https://git.jaseg.de/ihsm.git/plain/paper/rotor\_stator.jpg?h=67395704d1b44def970b9395369cddbb49405bba} +\def\resourcerev{6739570} +\def\resourcerepo{ihsm.git} +\def\resourcepath{paper/rotor\_stator.jpg} \ No newline at end of file diff --git a/chapter-introduction/chapter.tex b/chapter-introduction/chapter.tex new file mode 100644 index 0000000..be889d5 --- /dev/null +++ b/chapter-introduction/chapter.tex @@ -0,0 +1 @@ +\chaptertitle{Introduction} diff --git a/chapter-nice-coils/chapter.tex b/chapter-nice-coils/chapter.tex new file mode 100644 index 0000000..d5071ae --- /dev/null +++ b/chapter-nice-coils/chapter.tex @@ -0,0 +1,881 @@ +\chaptertitle{Rotation-Invariant Wireless Power Transfer using Twisted Multi-Layer PCB Inductors} + +\begin{abstract} + We present \emph{twisted inductors}, a generalization of planar single- or two-layer spiral inductors as well as + planar toroidal inductors. Compared to conventional planar spiral inductors, twisted inductors generate a magnetic + field with better rotational symmetry, resulting in decreased output ripple in Wireless Power Transfer applications + with an axially rotating receiver. Additionally, we found that twisted inductors can simultaneously yield a + significantly improved self-resonant frequency and a higher inductance in the same area as a conventional planar + spiral inductor, up to \qty{50}{\percent} improved SRF and \qty{6.5}{\percent} increased inductance among our test + samples. We base our conclusions on several simulations and an extensive set of practical measurements. +\end{abstract} + +\section{Introduction} + +Inductive Wireless Power Transfer (WPT) is a widely used technology supported by a large corpus of research literature +\cite{awuahNovelCoilDesign2023, batraEffectFerriteAddition2015, curranModelingCharacterizationPCB2015, +fanSimultaneousWirelessPower2024, leeSimpleWirelessPower2017, liWirelessPowerTransfer2015, +maierContributionSystemDesign2019, mooreApplicationsWirelessPower2019, mouEnergyEfficientAdaptiveDesign2017, +mouWirelessPowerTransfer2015, mullenEffectMisalignmentInductive, rezmeritaSelfMutualInductance2017, +zhangWirelessPowerTransfer2019}. +While working on a novel application of Inductive WPT in a Inertial Hardware Security Module (IHSM) as previously +published in\textcite{gotteCantTouchThis2022}, we found ourselves presented with an unusual set of constraints +attempting WPT through a rotating joint using a PCB inductor---a set of constraints that does not yet seem to be +addressed adequately in the existing literature on inductive WPT. + +Our application poses the challenge of transferring power between a stationary and a rotating part of an +IHSM\cite{gotteCantTouchThis2022} through a pair of WPT inductors located on the IHSM's axis of rotation. To reduce +manufacturing cost of both parts, and to reduce weight and thereby inertia as well as susceptibility to vibration in the +rotating part, we decided to use inductors that are directly patterned onto the IHSM's printed circuit boards. The +primary constraint that results from this choice is that the PCB manufacturing processes' pattern resolution results in +a strict upper limit to the turn count that can be achieved in an inductor with a given area. + +We found that at such small turn counts, a simple spiral PCB inductors exhibits a \emph{slightly} asymmetric field, +which means that the coupling coefficient of two such inductors oscillates at one cycle per revolution when the +inductors are rotated on-axis, even if both inductors are perfectly coaxially aligned. + +In other inductive wireless power transfer systems, this oscillation is mitigated by one of several factors: First, for +this effect to matter in the first place, the two coils have to be rotating with respect to one another. In ferrite or +iron-cored inductors, the core is the single major factor shaping the magnetic field, and evens out any small effect +asymmetric windings might have. In wire-wound inductors, the often higher turn count and the tightly packed, circular +wires reduce this effect to almost nothing. Finally, the output ripple caused by this oscillation can be filtered +through a voltage regulator or by using a large decoupling capacitor on the secondary side where those components can be +accomodated on the rotating part given the centrifugal forces resulting from a concrete design's rate of rotation. + +While there exist a corpus of prior work focusing on efficient power transfer between two coils whose position relative +to one another cannot be precisely controlled as is the case in wireless phone charging systems as well as in proposed +WPT electric vehicle charges, +% TODO cite +it is generally assumed that the two coils remain (almost) stationary with respect to one another. + +There exists a small body of work on inductive power transfer through rotating +joints\cite{fanSimultaneousWirelessPower2024}, +but here the focus lies on higher power budgets than our application requires, which often requires ferrite or iron-core +inductors. + +Our application is unique in that it requires power transfer through a joint that is constantly rotating at high speed, +while we simultaneously want to avoid heavy components on the (rotating) receiver side. (Liquid) electrolytic capacitors +cannot be used due to the large centrifugal acceleration that the rotating part experiences, and other heavy components +such as large ceramic or polymer electrolytic capacitors or ferrite-core power inductors are inadvisable since they will +exert large stresses onto their solder joints and the surrounding assembly due to the same centrifugal acceleration. +Any imbalance caused by tolerances in the placement of heavy components or the precise shape of their solder fillets +can cause detrimental vibration. + +\subsection{Twisted inductors} + +To solve this conundrum, we applied a principle inspired by rectangular or octagonal RFIC inductor design as well as by +the polygonal basket-woven air coils used in early radio sets. In this paper, we propose a novel way of laying out +circular PCB inductors that twists the inductor's windings around one another using a ring of vias each on the inside +and outside of the inductor's windings. Applying some math, we show that we can layout a twisted inductor for any number +of twists that is co-prime to the inductor's turn count, and that in fact, our approach opens up a large design space +for inductor layouts that interpolate between planar spiral inductors on one end, and planar toroidal inductors on the +other end. Our approach thus generalizes a number of previous approaches to the design of planar inductors. + +We observe that in high-frequency applications, a moderate number of twists increases the spacing between the beginning +and end of the inductor's conductor, where the majority of the inductor's AC current flows. This decreases the parasitic +capacitance of the inductor and raises its self-resonant frequency, raising its maximum possible operating frequency and +improving its efficiency at lower operating frequencies. We note that the principle behind this reduction in distributed +capacitance coincides with the intuition that led to the creation of honeycomb or basket-woven inductors in early radio +sets more than a hundred years ago, before the invention of ferrites. + +\subsection{Contributions} +In this paper, we introduce twisted inductors, a novel technique of laying out planar inductors that both improves +rotational symmetry in rotating wireless power transfer interface as well as quality factor in other applications. We +provide detailed layout instructions, including a mathematical analysis of the available parameter space and an +analytical model of both inductance and DC equivalent series resistance of our scheme. Validating our scheme, we provide +laboratory measurements of the basic parameters of a number of test specimens comparing our scheme to conventional +techniques. We furhter performed a number of FEM simulations to validate our inductance and ESL approximations. Finally, +to analyze the degree of rotational symmetry in our proposed scheme, we provide the results of a large number of +automated measurements of coupling between pairs of inductors under various rotations, offsets, distances and load +conditions. + +\section{Related Work} + +% TODO cite fanSimultaneousWirelessPower2024 below (rotating joint) +% TODO cite \cite{mullenEffectMisalignmentInductive} below (misaligned coils) + +\subsection{A Short Historical Diversion on Basket-Woven Air Coils} + +Since the early days of radio engineering, the parasitic capacitance of inductors has been a point of +concern\cite{nesperHandbuchDrahtlosenTelegraphie1921,flemingPrinciplesElectricWave1910}. Going back to the early days of +wireless telegraphy after the turn of the twentieth century, coils with high inductance were needed for the construction +of both transmitters and receivers, but the ferrites that would later permit their compact construction were still being +developed. The ferromagnetic core material of choice back then was laminated iron, which was only useful at low +frequencies due to eddy current losses. As a result, the inductors in radio circuits of the era were constructed as +air-core coils. While air core inductors are immune to core saturation, the poor magnetic permeability of air +necessitates a large number of wide turns of wire to reach useful inductance values, which for reasons of practicality +or leakage inductance often could not be wound as a single layer cylindrical coil. This could be resolved by winding an +inductor with many turns on multiple layers, which improves compactness and leakage inductance, but this in turn gives +rise to increased distributed capacitance as now turns with a large voltage differential are layered right on top of +each other. + +Back then, a number of ways were devised to decrease distributed capacitance in multilayer inductors. These methods can +be divided into two general categories: Optimizing the connecting order of turns to minimize the voltage differential +between adjacent turns---a technique that is still used to this day\cite{lopeFirstSelfResonant2021}, and optimizing the +winding schema to increase the separation between turns. The main technique in the first category concerns winding the +turns of a cylindrical multilayer inductor not layer by layer, but instead layering them diagonally, effectively +connecting adjacent turns in a diagonal zigzag pattern. Then as now, wound inductors applying this technique were not +feasible to manufacture reliably by machine, but the technique can be closely replicated in PCB inductors as shown in +\textcite{leePrintedSpiralWinding2011a}. The main limiting factors in a PCB implementation are the requirement for a +large number of vias inside the inductor's turns limiting the achievable turn count\footnote{In PCBs, as opposed to +ICs, vias limit the achievable turn count when they need to be placed in-line inside the turns as opposed to on the +inside or outside because a PCB's minimum trace/space widths are usually much smaller than the smallest feasible via, +consisting of a minimum-size drill surrounded by a minimum-size annular ring.} and increasing ESR through the thin trace +sections that are necessary to accomodate the via structure, as well as the layer pairing limitations when blind vias +are used in multilayer PCBs. + +\begin{figure} + \begin{center} + \subcaptionbox{\raggedright A honeycomb coil in \textcite{saackeRadiotechnikIIIEmpfanger1926}}{ + \includegraphics[width=0.25\linewidth]{saacke-radiotechnik-3-ledionspule.jpg}} + \subcaptionbox{\raggedright A basket-woven coil in \textcite{kleinSpulenUndSchwingungskreise1941}}{ + \includegraphics[width=0.25\linewidth]{klein-spulen-schwingkreise-korbspule.jpg}} + \end{center} + \caption{Illustrations of honeycomb and basket-woven coils from the early days of wireless radio.} + \textbf{TODO}: Not final graphics. Get proper scans for camera-ready version + \label{fig_illust_honeycomb_basket} +\end{figure} + +This lack of a way to wind high frequency inductors with a machine led to the creation of a number of related winding +schemes that include honeycomb and basket woven coils +\cite{eppenAnforderungenEinzelteileRundfunkempfanger1927, +filbigLehrbuchHochfrequenztechnik1942, +kleinSpulenUndSchwingungskreise1941, +meinkeTaschenbuchHochfrequenztechnik1956, +nottebrockSpulen1950, +struttVerstarkerUndEmpfanger1951, +wiggeRundfunktechnischesHandbuch1930, +zicknerSpulen1927}. The simplest such winding technique is the universal winding as described in depth by +\textcite{querfurthCoilWindingDescription1954}. In a simple, cylindrical wire-wound inductor, the windings are laid down +one right next to the other, until the end of the winding area is met, where the winding direction is reversed. One +layer of such windings forms a helix whose pitch is equal to the wire diameter. A universal winding uses the same +helical scheme reversing at the coil ends, but uses a helical pitch larger than the wire diameter to form a structure +similar to a spool of sewing thread. + +Other winding techniques include honeycomb and basket woven coils, some contemporary examples of which are shown in +Figure\ \ref{fig_illust_honeycomb_basket}. In a honeycomb coil, like in an universal winding, subsequent winding layers +are wound at a criss-cross pattern. The characteristic feature of honeycomb coils is that the winding machine is +adjusted to produce large air gaps between adjacent windings on the same layer. When multiple layers like this are +stacked, a three-dimensional rhomboid pattern results that is vaguely reminiscent of a honeycomb's structure. + +In basket-woven coils, a mandrel consisting of an odd number of sticks pointing either radially or axially is used, and +the wire is woven between adjacent sticks in an alternating direction. While visually similar to honeycomb coils, this +winding technique is more suited to homebrew construction and less amenable to mass production by machine. In axially +basket-woven coils, the mandrel can be pulled out after the coil is finished. Like honeycomb coils, the resulting +structure can be made mechanically stable with some lacquer, with the turns carrying the layers where they cross. + +Both construction techniques apply similar principles to those leading to the improved high-frequency behavior of +twisted inductors that we describe in this paper. Interestingly, the winding schemes of both honeycomb and basket-woven +coils are also governed by the same coprimality condition between the number of turns and the number of inversions +within each turn that we describe for our twisted inductors below, although we could not find an example in contemporary +literature where this condition was explicitly stated \cite{eppenAnforderungenEinzelteileRundfunkempfanger1927, +kleinSpulenUndSchwingungskreise1941, wiggeRundfunktechnischesHandbuch1930, querfurthCoilWindingDescription1954}. + +\subsection{PCB inductor design for wireless power transfer} + +For wireless power transfer, air-core inductors with or without ferrite magnetic shielding are the standard solution. +Since in most applications, an air gap of several millimeters between the sending and receiving assemblies is expected, +adding a ferrite core does not result in a large improvement in coupling. Meanwhile, in many WPT applications, +especially for charging portable devices or medical implants, some misalignment between the sending and receiving coils +is expected. Using the available space with an air-core inductor that has a large cross-sectional area reduces the +impact of this misalignment. + +Looking at such WPT inductors, they tend to be mostly planar coils with only a few layers, so implementing them in a PCB +process seems natural. Using a PCB for the inductor has the potential to reduce implementation cost since PCBs are +cheap, and they can also serve as structural support. + +Implementing inductors in PCBs has a number of disadvantages. First, due to the limited layer count of common PCB +processes, and due to structure size limitations, the number of windings that can be fit into a given volume is much +lower than in wire-wound inductors. Second, due to a PCB's copper layers being thin compared to its dielectric +substrate, PCB inductors tend to have poor DC resistance. A PCBs' thin but wide trace cross-section helps with +skin effect compared to a solid conductor. However, PCBs can still not approach the performance of litz wire used in +high-frequency WPT coils, which commonly use wire diameters in the tens of micrometer +range\cite{zhaoDesignOptimizationLitzWire2023}. \textcite{lopeFrequencyDependentResistancePlanar2014} and +\textcite{nomotoSplittingConductorsCoils2024} propose a mitigation that aims to emulate a litz wire's structure in +large, high-current PCB inductors, but their mitigation is heavily limited by the structure size achievable in common +PCB manufacturing processes\cite{nguyenReviewComparisonSolid2020}. + +A further factor that limits the high-frequency performance of PCB inductors is distributed capacitance. Not only do +large air coils exhibit more parasitic capacitance than much smaller ferrite-core inductors simply due to their size, +when implemented in a PCB process a large fraction of the electrical fields responsible for this capacitance pass +through the PCB's substrate, not air. The relative permittivity $\epsilon_r$ of common PCB substrates typically lies in +the range of $4$ to $5$\cite{mumbyDielectricPropertiesFR41989}, which increases the distributed capacitance compared to +a pure air-core inductor by approximately that same factor. + +\subsection{Twisted Inductors in RFIC Design} + +Planar inductors are commonly used in RF ICs. In RFIC design, the major challenges are area optimization and precisely +predicting the inductor's characteristics during the design phase. Common optimizations include applying a variable +trace pitch to reduce distributed capacitance\cite{lopez-villegasImprovementQualityFactor2000}, and applying variable +trace width to decrease equivalent series resistance while preserving total inductance and quality +factor\cite{hsuAnalyticalDesignAlgorithm2008}. + +In RFICs, inductors are commonly designed as \emph{balanced} inductors with a grounded central node. Such designs +interleave two counter-wound planar spiral inductors on the same layer with the help of some jumper connections on a +second layer\cite{daneshDifferentiallyDrivenSymmetric2002,martinMultiturnTwistedInductor2016}. The use of such designs +in RFIC design is mainly focused on their electrical symmetry, so that the two input ports can be fed with a fully +differential signal, with the inductor loading both driver outputs equally across the inductor's frequency range. + +Setting the inversion count to $k=1$ in our proposed scheme as shown below yields the counterwound scheme that is +commonly used for two-layer planar +inductors\cite{lopeFirstSelfResonant2021,sproHighVoltageInsulationDesign2021,leePrintedSpiralWinding2011a}, and +which has been used to stack planar coils for more than a century\cite{flemingPrinciplesElectricWave1910}. + +% They note that the main point behind the design is electrical symmetry of the two ports to make driving the thing +% differentially cleaner. We should adopt this observation for our inductors, which likewise are electrically symmetric +% when compared to a single-layer spiral inductor. + +\subsection{Inductive Wireless Power Transfer in Practice} + +Inductive WPT has been proposed in a large number of +scenarios\cite{zhangWirelessPowerTransfer2019,mouWirelessPowerTransfer2015}, each of which comes with a set of unique +constraints. When WPT is used to charge an electric toothbrush, the implementation cost of the system is critical, while +efficiency and total power output are of little concern. Mechanically, in an electric toothbrush's charging system, the +position and spacing of the transmitter and receiver coils can easily be controlled down to millimeter precision. + +In contrast to this, wireless smartphone charging is a much more demanding application. Here, the total cost of the +system is only secondary, but the receiver's form factor is critical, and total power output as well as efficiency +become major objectives. At the same time, in wireless smartphone charging, position tolerances are very coarse, and the +two coils in the charging base and in the phone may be positioned more than a centimeter off-axis, with a gap of several +millimeters and potentially not even in parallel planes. + +Power transfer across large distances is even more of a concern in implantable medical +devices\cite{mooreApplicationsWirelessPower2019}. Where a wireless phone charger must be able to bridge distances of a +few millimeters, an implantable medical device might be situated underneath several centimeter of tissue and bones. At +the same time, cost is of (almost) no concern in this medical application, which enables the use of complex +manufacturing techniques, customized electronic components and exotic materials. + +While all of the aforementioned applications transfer somewhere between a few hundred milliwatts and several watts of +power, at the other end of the spectrum there is a large body of research suggesting the use of inductive wireless power +transfer for the charging of electric vehicles +(EVs)\cite{liWirelessPowerTransfer2015,mouEnergyEfficientAdaptiveDesign2017}. In this application, the wireless power +transfer system usually replaces the conventional wired charging connector, which improves the systems' user experience +given the strong force required to seat or unseat these rather large connectors, as well as the heft of the required +water-cooled cables. In this application, size is of (almost) no concern, but at charging rates up to tens of kilowatt, +efficiency becomes critical. When charging an EV at a rate of 10 kW, an efficiency improvement of just $0.1\%$ +corresponds to a reduction in power dissipation of 10 W. Besides the monetary cost of the power lost this way, each +small improvement enables a reduction in size of heat sinks and other cooling components, which directly translates to a +decrease in cost. + +\subsection{Air-Core Inductors for Inductive Power Transfer} + +Across application areas, air-core inductors are often used for wireless power transfer since in most applications, an +air gap of several millimeters or more is expected, and adding a ferrite core would not change the system's performance +by much in these circumstances. A common way to use ferrites in WPT applications is by magnetically shielding the +inductor's back side with a ferrite plate such that the field does not extend beyond the coil's back side, thereby +increasing the intended mutual inductance while simultaneously reducing eddy current losses when the WPT coils are +placed near metal +objects\cite{batraEffectFerriteAddition2015,leeSimpleWirelessPower2017,muehlmannMutualCouplingModeling2012}. + +\section{Twisted Inductor Design} + +In this section, we will provide a detailed derivation of the layout of twisted inductors. We can approach this layout +by construction. Let us first consider a simple, planar, circular spiral coil with a fixed pitch. We will ignore trace +width for now, and consider the trace a thin wire. We will assume the inductor's ports are both located on the positive +$x$-Axis. We can rotate it so its first port aligns with the $x$-Axis. To minimize the loop area of the inductor's +connections, inductors are usually designed with both ports close to one another, so we can also assume its second port +aligns with the $x$-Axis. + +The trace trajectory of a standard planar spiral inductor can be parameterized in polar coordinates $r, \varphi$ based +on an Archimedean spiral: \todo{For the lulz, cite Archimedes here} + +\begin{equation} + r = a\cdot\varphi + \label{eqn_arch_spi_basic} +\end{equation} + +An Archimedean spiral defined this way always starts at the origin, and it continues to infinity. Let us re-parameterize +this spiral to a curve parameter $t$ with range $\left[0,1\right]$, such that $t=0$ corresponds to the start of the +inductor and $t=1$ corresponds to its end. As is customary in PCB inductors, we place the inductor's start on its outer +circumference. To make handling of this easier, we introduce a variable $r' \in \left[0,1\right]$ representing the +radius normalized to the spiral's width. Let $n$ be the turn count of our inductor. The resulting parametrization is: + +\begin{align} + \varphi &= 2\pi n t\\ + r' &= 1 - t \\ + r &= r_1 + r' \left(r_2 - r_1\right) + \label{eqn_simple_spiral_ind} +\end{align} + +The resulting spiral trace starts at radius $r_2$ on the positive $x$ axis, and spirals inward until it meets $r_1$. In +its PCB realization, at $r_1$, a via would be placed to connect the end of the spiral trace to a jumper trace on another +layer of the PCB leading back to the start. + +To improve layer utilization, a common technique in PCB inductor design is to use both layers of the PCB for the +inductor's spiral trace, instead of only using the bottom layer for a straight jumper trace. Using both layers this way +allows for wider traces, which lowers resistive losses. We can accomodate this optimization in our definition by +re-defining our normalized radius to allow both positive and negative values, defining negative values to designate +traces on the PCB's bottom layer as follows. Figure\ \ref{fig_nk_interleave_illust} shows both a simple and a two-layer +spiral inductor. + +\begin{align} + \varphi &= 2\pi n t\\ + r' &= 1 - 2 t \\ + r &= r_1 + \left|r'\right| \left(r_2 - r_1\right) + \label{eqn_twolayer_spiral} +\end{align} + +\subsection{From Spiral to Twisted Inductor} + +Extending the above parametrization of a spiral inductor's layout, we propose planar \emph{twisted inductors} based on +two core observations: + +\begin{itemize} + \item When using an archimedean spiral, multiple such spirals using the same pitch can be interleaved by spreading + out their start and end points at regular angular intervals. + \item In a two-layer spiral inductor as shown in Figure\ \ref{fig_nk_interleave_illust}, we can adjust the turn + count of the pair of traces to move the end point of the bottom layer trace anywhere on the inductor's outer + radius. +\end{itemize} + +Combining these two observations, we find that by choosing a number $k$ of inversions, i.e. layer jumps, that is coprime +to the number of total turns of the inductor $n$, we achieve a layout where all $k$ pairs of top and bottom-layer traces +naturally connect in series, with the resulting spirals on the top and bottom layers interleaving cleanly. Figure\ +\ref{fig_nk_interleave_illust} shows a layout with $n=3$ turns with both a single inversion ($k=1$) as in a conventional +two-layer inductor, and with $k=2$ inversions, creating two interleaved spirals on both the top and the bottom layer of +the PCB. Figure\ \ref{fig_nk_complex_illust} in Appendix\ \ref{sec_appendix_layout_examples} shows additional layout +examples for other values of $n$ and $k$. For $k=0$, we get a standard single-layer planar spiral inductor for any turn +count $n$, and for $k=1$ we get a standard two-layer planar spiral inductor for any turn count $n$. In this paper, we +will call all layouts with $k\ge 2$ \emph{Twisted Inductors}. + +\begin{figure} + \begin{center} + \includegraphics[width=\linewidth]{nk_interleave_illust.pdf} + \end{center} + \caption{single-layer spiral inductor's layout (left), a conventional two-layer planar inductor's layout (middle), + and a twisted inductor with two inversions (right). All three inductors have $n=3$ turns. Traces on the PCB top + side are shown in red, traces on the bottom side in blue. In the twisted inductor, each layer contains two + archimedean spirals that interleave at a regular spacing. The four spirals of the inductor are connected in series + such that they form three total turns.} + \label{fig_nk_interleave_illust} +\end{figure} + +Figure\ \ref{fig_nk_chinese_remainder_illust} illustrates how we arrive at the coprimality requirement. +\todo{Cleanly handle $k=0$ case.} +If we plot the spiral in polar coordinates on a cartesian plot we observe that for a $n$-turn coil with $k$ inversions, +the trace crosses the $\varphi$ axis once for each inversion, wrapping around $r$. Likewise, it crosses the $r$ axis +once for each turn of the inductor, wrapping around $\varphi$. Based on this, we can re-label the angular axis in steps +from $0$ to $k$, and re-label the radial axis in steps from $0$ to $n$. Labelling the new angular axis $i$ and the new +radial axis $j$, in the resulting integer lattice, the trace has slope $1$. We can state the trace's trajectory as a +function of a curve parameter $t \in [0, nk]$ as $f(t) = (i, j) = (t \mod n, t \mod k)$. To produce a valid inductor, +the trace must not intersect anywhere. Thus, the system of congruences + +\begin{align} + t &\equiv i \mod n\\ + t &\equiv j \mod k +\end{align} + +must have a unique solution $t \in [0, nk]$ for all $(i, j)$. This statement corresponds exactly to the Chinese +Remainder Theorem, which states that this solution is unique when $k$ and $n$ are coprime. + +\begin{figure} + \begin{center} + \includegraphics[width=0.8\linewidth]{nk_chinese_remainder_illust.pdf} + \end{center} + \caption{Illustration of the winding pattern of two twisted inductors. The upper plots show the inductor's actual + layout with the traces on each side of the substrate colored in red (top) and blue (bottom), respectively. The lower + plots show the same traces, but \emph{unwrap} the annulus by plotting the traces' polar coordinates on cartesian + axes. The left axis labels show the normalized radius, with $0$ being at the inductor's inner diameter, $1$ being at + its outer diameter on the top layer, and $-1$ being at its outer diameter on the bottom layer. The top and right + axes labels show the axis scaled to match indices $i\in\left[0, n\right]$ and $j\in\left[0, k\right]$, + respectively.} + \label{fig_nk_chinese_remainder_illust} +\end{figure} + +\subsubsection{Ohmic Resistance} + +The arc length $l$ of a spiral can be calculated from its turn count $n$ and the average of its inner and outer diameter +$\frac{2 r_1 + 2 r_2}{2}=r_1+r_2$ as $l = n\pi\left(r_1 + r_2\right)$. Since going from a standard inductor to a twisted +inductor does not change its turn count or dimensions, the combined arc length of all traces of the twisted inductor +does not change. Twisted inductors require two additional vias per inversion, which will increase DC resistance +slightly, but the contribution of these vias will remain small in practical applications since the overall number of +vias is still no more than a couple per turn, and since each via only bridges the short distance between the inductor's +layers.\todo{Does the skin effect affect the influence of vias?} + +As a general expression, for a standard or twisted inductor with turn count $n$ and twist count $k$, given via +resistance $R_\text{via}$ we derive a first order approximation of the inductor's DC resistance as follows. + +\begin{equation} + R_L = n\pi\frac{r_1 + r_2}{2} + \left(2k-1\right)R_\text{via} +\end{equation} + +\subsubsection{Inductance} + +Even for geometrically simple inductors, analytically calculating their inductance is a surprisingly hard problem whose +complexity quickly escalates with the inductor's geometric complexity, with realistic wire shapes as opposed to +approximations assuming an infinitely thin wire, or when taking into account differing magnetic permeabilities of +air or dielectrics and core materials. Instead, a number of approximations are commonly used. A commonly referenced +approximation for the inductance of planar spiral inductors is given by \textcite{mohanSimpleAccurateExpressions1999}, +whose current-sheet approximation for circular planar spiral inductors we will use here to estimate our inductor's +inductance. The current-sheet approximation from \textcite{mohanSimpleAccurateExpressions1999} reads: + +\begin{equation} + \label{eqn_mohan_approx} + L = \frac{\mu n^2 d_\text{avg} c_1}{2}\left(\ln\left(c_2/\rho\right)+c_3\rho+c_4\rho^2\right) +\end{equation} + +In this equation, $c_{1-4}$ denote four empirically determined coeficcients that together describe the coil's shape. The +values for circular coils are $c_{1-4}=(1.00, 2.46, 0.00, 0.20)$. $\mu$ is the magnetic permeability of air (for an +air-core inductor), $n$ is the number of turns, $d_\text{avg}$ is the \emph{average} turn radius, i.e. $d_\text{avg} = +2\frac{r_1 + r_2}{2} = r_1 + r_2$. $\rho = \frac{r_2-r_1}{r_2+r_1}$ is the planar spiral inductor's \emph{fill ratio}. +The fill ratio encodes the fact that the inductor's turns have less flux linkage the closer to the inductor's center we +get. While turns close to the outside have good flux linkage due to their inner area overlapping well with that of other +turns, turns close to the center not only have a loop area that is only a fraction of that of turns further outwards, +the closer we get to the center, the larger is also the fraction of the field lines returning as leakage flux on the +outside of the inner turn that pass through the inner part of turns further outwards, flipping the sign and contributing +\emph{negative} mutual inductance. + +As Equation\ \ref{eqn_mohan_approx} approximates the inductor's whole set of windings as a single, uniform current +sheet, the turn count only appears as a single factor of $n^2$ in the equation, with $\rho$ and $c_{1-4}$ correcting for +the inductor's geometry. To account for twisted inductors, we can separate the inductor into a set of $2k$ simple planar +spiral inductor \emph{branches} that are connected in series by the twisted inductor's vias. Compared to a simple spiral +inductor, for each branch, the inductance according to Equation\ \ref{eqn_mohan_approx} stays the same except that the +factor $n^2$ drops to $\left(\frac{n}{2k}\right)^2$ because the $n$ windings are evenly distributed across the $2k$ +branches. Let us now make two assumptions. First, we will assume that the flux linkage between both sides of the +inductor is approximately one. This assumption is grounded in the fact that for practical designs, the substrate +thickness will be small compared to the inductor's diameter. Second, we will for now ignore the spiral inductor's field +asymmetry and assume that the flux linkage between two intertwined branches on the same side of the substrate is +approximately one. In our measurements below we show that for simple spiral inductors this asymmetry, while problematic +in our application, is small in absolute terms, and grows smaller with increasing turn count. + +Based on these two assumptions, we can model the twisted inductor as a set of $2k$ series-connected spiral inductors +that are perfectly coupled, with full flux linkage. This results in the total series inductance gaining back the factor +$\frac{1}{2k^2}$ that each branch lost, resulting in identical inductances for a simple planar spiral inductor and a +twisted inductor with the same size and turn count according to Equation\ \ref{eqn_mohan_approx}. This approximation +introduces an error due to the imperfect flux linkage between the two sides of the substrate, and between two spiral +branches located at an angular offset from each other. In our experiments, we found that for our test inductors, +compared to inductances measured with an LCR meter, this error is below \qty{10}{\percent} for $n=5$ turns or more, and +for our test samples matches the performance of Equation\ \ref{eqn_mohan_approx} for the simple planar spiral inductor +case. + +\subsection{CAD Integration} + +To allow for easy design with twisted inductors and to speed up the laboratory prototyping we performed for this paper, +we created a tool that generates arbitrary twisted inductor layouts, and that is able to output these layouts as PCB +footprint files for the open source KiCad EDA CAD tool. We integrated the ESR and ESL approximations as derived above +with our tool, so that it provides immediate design feedback when generating inductors. In order to minimize ESR and +maximize PCB area utilization, we made the tool automatically calculate the largest possible trace width when given a +minimum clearance specification. + +To handle outputting PCB geometry in a format that can be read from KiCad, we utilized the open source EDA file format +library \emph{gerbonara}\todo{Cite gerbonara}. To support the FEM simulations that are described in the next section +below, our tool contains functionality to map gerbonara's geometry representation into that of gmsh\todo{Cite gmsh}, the +FEM mesher that we chose to interface with Elmer FEM\todo{Cite Elmer}. + +Our inductor design tool is available in this paper's supplementary material as well as at the git repository linked at +the end of this paper. + +\section{FEM Simulation} + +To validate our analytical approximations, we performed a series of FEM simulations in Elmer FEM. For a number of +inductor layouts, we performed simulations to determine ohmic resistance and inductance. Due to limitations in our +gmsh/Elmer toolchain, we were unable to run simulations for parasitic capacitance and self-resonance, or for coupling +behavior of coil pairs. We found that for these cases which require larger, more complex meshes, gmsh would frequently +crash during meshing, and where we were able to produce meshes, Elmer would only converge for some of them. While these +are problems that can be solved through either a more skillful description of the problem in gmsh and Elmer, or by using +more robust software such as Simulia CST, we decided to instead experimentally measure these quantities instead +(Section\ \ref{sec_experiments}). + +\paragraph{Ohmic Resistance} +Determining ohmic resistance by FEM is reasonably easy. In Elmer FEM, we can use the built-in joint static current and +joule heating solver to determine the ohmic resistance at a given current. + +\paragraph{Inductance} +We let Elmer determine inductance by first using its coil solver to determine the volumetric current density in our mesh +given a test current, then applying its magnetodynamics solver to solve the electromagnetic field. Elmer provides +routines to derive the total magnetic field energy $U_\text{mag}$ from an EM field solution. Since we have only our +inductor under test inside the simulation volume, with test current $I_\text{test}$, we can then derive the inductor's +inductance according to the well-known relation\todo{Find decent source}: + +\begin{equation} + L = \frac{2\cdot U_\text{mag}}{I_\text{test}^2} +\end{equation} + +\section{Experimental Validation} +\label{sec_experiments} + +To experimentally validate our design with real-world inductors, we produced test coupons with a number of variations of +twisted inductors with winding count $n$ between $1$ and $25$, and twist count ranging from $k=0$ (simple single-sided +spiral inductor) to $k=37$. All test inductors had an inner diameter of \qty{15}{\milli\meter} and an outer diameter of +\qty{35}{\milli\meter}. + +\subsection{Inductance and DC resistance} + +We measured the inductance and DC resistance of each test coupon using a Keysight U1733C LCR meter at +\qty{100}{\kilo\hertz} for inductance and a Keysight 34465A multimeter in four-wire configuration for DC resistance. We +further determined the self-resonant frequency of each inductor using a LiteVNA64 handheld vector network analyzer. The +results of our measurements are shown in Table\ \ref{tab_coupons}. + +We found our inductance approximation to be accurate within \qty{10}{\percent} and our ESR approximation to be accurate +within \qty{20}{\percent} for inductors with three turns or more. For lower turn-count inductors, inductance +measurements are difficult because the small absolute inductances involved are easily disturbed by stray inductances, +and ESR measurements are affected by contact and trace resistance even when measurements are taken in four-wire mode. + +In accordance with our design intuition, we found that for high turn count inductors, the doubled trace width that is +afforded by splitting a simple spiral inductor across two PCB layers in any two-layer configuration improves ESR by +approximately a factor of two. Going from a simple single-layer spiral inductor to a simple two-layer spiral inductor +($k=1$), we observe that the resulting inductance decreases by up to \qty{15}{\percent}. We suspect that the main factor +leading to this decrease is radial magnetic flux leakage through the PCB material between the inductor's layers. +Comparing simple two-layer inductors with $k=1$ to the twisted inductors with larger $k$ values that we propose in this +paper, we observe almost identical performance for $k>1$ with decreases of less than \qty{0.5}{\percent} going from +$k=1$ to $k=3$ irrespective of turn count. From these measurements we can conclude that the flux linkage of twisted +inductors almost perfectly matches that of simple two-layer inductors. + +Finally, while not particularly relevant for our application, we decided to evaluate the high-frequency performance of +twisted inductors. We found that going from a single-layer spiral inductor to a two-layer spiral inductor decreases the +self-resonant frequency, this effect being more pronounced with higher turn count. Intuitively, this makes sense if we +consider the mechanics of inductor self-resonance. The primary contributor to self resonance, particularly in higher +turn count inductors, is capacitive coupling between the inductor's windings. In a single-layer spiral inductor, this +effect gets partially mitigated since the strongest coupling exists between adjacent windings, which here have only a +small voltage differential as only a fraction of the inductor's total voltage appears across each winding. Compared to +this, when the inductor is constructed as a simple two-layer inductor with $k=1$, now the start and end windings of the +inductor, which have the highest voltage differential, are located right on top of each other with the substrate in +between. Making things worse, common PCB substrates have a relative permittivity much larger than air (usually around +$4$). + +Interestingly, we observe that this decrease in high-frequency performance is eventually counteracted by increasing +inversion count $k$. While our test samples focused on smaller turn counts, we observe an increase from an SRF of +\qty{8.9}{\mega\hertz} for a standard $n=25,k=1$ inductor to \qty{10.6}{\mega\hertz} for $n=25,k=13$. Prompted by this +observation, we produced another set of samples focusing on this aspect. We report our results of this investigation in +the following section. + +In conclusion to the above measurement results, we observe that twisted inductors \emph{improve} high-frequency +performance compared to simple two-layer inductors while closely matching them in ESR and inductance. While they peform +worse than simple single-layer inductors in high-frequency performance, the increased trace width that two-layer +inductors allow for lowers resistive losses by approximately a factor of four. In applications where resistive losses +lead to the choice of a two-layer inductor, twisted inductors provide improved high-frequency performance at no +additional cost and without compromising other performance parameters. + +\begin{table*} + \begin{tabular}{cc|cccc|cccc|ccc} + \multicolumn{2}{c|}{\textbf{Parameters}}& + \multicolumn{4}{c|}{\textbf{Design values}}& + \multicolumn{4}{c|}{\textbf{Simulation results}}& + \multicolumn{3}{c}{\textbf{Measurements}}\\ + $n$& + $k$& + $L \left[\unit{\micro\henry}\right]$& + Error $\left[\unit{\percent}\right]$& + $R \left[\unit{\ohm}\right]$& + Error $\left[\unit{\percent}\right]$& + $L \left[\unit{\micro\henry}\right]$& + Error $\left[\unit{\percent}\right]$& + $R \left[\unit{\ohm}\right]$& + Error $\left[\unit{\percent}\right]$& + $L \left[\unit{\micro\henry}\right]$& + $f_\text{res} \left[\unit{\mega\hertz}\right]$& + $R \left[\unit{\ohm}\right]$\\\hline + + \rowcolor[gray]{0.9} + $1$& $0$& $0.03$& $-86.2$& $0.0076$& $-86.8$& $0.038$& $-42.1$& $0.008$& $-77.5$& $0.054$& $457.585$&$0.0142$\\ + $1$& $3$& $0.03$& $-93.1$& $0.0095$& $-49.9$& $0.039$& $-43.6$& $0.008$& $-78.8$& $0.056$& $\textbf{465.07}$& $\textbf{0.0143}$\\ + $1$& $4$& $0.03$& $-103.4$& $0.0108$& $-38.6$& $0.040$& $-47.5$& $0.008$& $-87.5$& $\textbf{0.059}$& $460.08$& $0.015$\\ + $1$& $5$& $0.03$& $-89.7$& $0.0123$& $-35.3$& $0.041$& $-34.1$& $0.009$& $-84.4$& $0.055$& $460.08$& $0.0166$\\\hline + \rowcolor[gray]{0.9} + $2$& $0$& $0.16$& $10.0$& $0.0252$& $-26.7$& $0.126$& $-14.3$& $0.026$& $-22.7$& $0.144$& $266.24$& $0.0319$\\ + \rowcolor[gray]{0.9} + $2$& $1$& $0.12$& $-28.4$& $0.0253$& $-12.1$& $0.127$& $-17.3$& $0.024$& $-18.3$& $0.149$& $\textbf{245.51}$& $\textbf{0.0284}$\\ + $2$& $3$& $0.12$& $-31.0$& $0.0270$& $-7.9$& $0.128$& $-18.8$& $0.025$& $-16.4$& $\textbf{0.152}$& $240.52$& $0.0291$\\ + $2$& $5$& $0.12$& $-26.7$& $0.0299$& $-0.2$& $0.130$& $-13.1$& $0.027$& $-11.1$& $0.147$& $225.5$& $0.03$\\\hline + \rowcolor[gray]{0.9} + $3$& $0$& $0.26$& $-19.6$& $0.0755$& $-5.0$& $0.285$& $-9.1$& $0.077$& $-2.9$& $0.311$& $192.95$& $0.0792$\\ + \rowcolor[gray]{0.9} + $3$& $1$& $0.26$& $-10.0$& $0.0454$& $-1.6$& $0.262$& $-9.5$& $0.044$& $-4.8$& $\textbf{0.287}$& $\textbf{145.71}$& $0.0461$\\ + $3$& $4$& $0.26$& $-9.6$& $0.0479$& $5.0$& $0.265$& $-7.9$& $0.046$& $1.1$& $\textbf{0.286}$& $\textbf{145.71}$& $\textbf{0.0455}$\\\hline + \rowcolor[gray]{0.9} + $5$& $0$& $0.73$& $-9.6$& $0.2357$& $-0.4$& $0.760$& $-5.3$& $0.240$& $1.4$& $0.8$& $125.415$&$0.2366$\\ + \rowcolor[gray]{0.9} + $5$& $1$& $0.73$& $4.5$& $0.0755$& $-3.1$& $0.670$& $-3.4$& $0.074$& $-5.1$& $\textbf{0.693}$& $61.345$& $0.0778$\\ + $5$& $3$& $0.73$& $4.3$& $0.0763$& $4.7$& $0.671$& $-3.4$& $0.074$& $1.8$& $\textbf{0.694}$& $\textbf{70.285}$& $0.0727$\\ + $5$& $7$& $0.73$& $4.4$& $0.0802$& $16.2$& $0.675$& $-2.8$& $0.077$& $12.7$& $\textbf{0.694}$& $68.05$& $\textbf{0.0672}$\\\hline + \rowcolor[gray]{0.9} + $10$& $0$& $2.90$& $-2.4$& $0.7539$& $-2.3$& $2.900$& $-2.4$& $0.761$& $-1.4$& $2.97$& $62.835$& $0.7713$\\ + \rowcolor[gray]{0.9} + $10$& $1$& $2.90$& $6.3$& $0.2513$& $7.6$& $2.700$& $-0.7$& $0.250$& $7.1$& $\textbf{2.718}$& $24.076$& $0.2322$\\ + $10$& $3$& $2.90$& $6.4$& $0.2520$& $10.5$& $2.700$& $-0.5$& $0.250$& $9.8$& $2.714$& $\textbf{28.571}$& $0.2255$\\ + $10$& $7$& $2.90$& $6.4$& $0.2554$& $16.9$& $2.700$& $-0.5$& $0.252$& $15.8$& $2.713$& $28.072$& $\textbf{0.2122}$\\\hline + \rowcolor[gray]{0.9} + $25$& $0$& $18.15$& $1.1$& $3.7693$& $-3.9$& $18.000$& $0.3$& $3.800$& $-3.0$& $17.955$& $24.84$& $3.9156$\\ + \rowcolor[gray]{0.9} + $25$& $1$& $18.15$& $6.7$& $1.8843$& $9.7$& $16.900$& $-0.2$& $1.900$& $10.4$& $16.938$& $8.84$& $1.7024$\\ + $25$& $3$& $18.15$& $6.8$& $1.8851$& $13.2$& N/A& N/A& N/A& N/A& $16.919$& $8.595$& $1.636$\\ + $25$& $13$& $18.15$& $6.7$& $1.9016$& $18.9$& $16.900$& $-0.2$& $1.900$& $18.8$& $16.931$& $\textbf{10.555}$& $\textbf{1.5429}$\\ + $25$& $37$& $18.15$& $6.0$& $2.0197$& $15.9$& $17.100$& $0.2$& $2.000$& $15.1$& $\textbf{17.066}$& $10.31$& $1.698$\\ + + \end{tabular} + \caption{Inductor sample design parameters and measured characteristics. All inductors have outer diameter + \qty{35}{\milli\meter} and inner diameter \qty{15}{\milli\meter}. The missing values in the simulation results + columns result from the solver failing to converge. Bolded values highlight the best performing two-layer coil + of each turn count. Shaded rows indicate conventional single-layer ($k=0$) or two-layer ($k=1$) planar + inductors.} + \label{tab_coupons} +\end{table*} + +\subsection{Inductance and Frequency Behavior of Larger Coils} + +To investigate the high-frequency behavior of twisted inductors further, we produced and measured 15 additional sample +inductors, this time larger than before, and with more turns. The parameters of these new samples and our measurement +results are shown in Table\ \ref{tab_wide_coils}. In these results, we can identify three clear trends. First, the ESR +of twisted inductors is generally poorer when compared to two-layer spiral inductors. This increase in ESR is due to the +large number of vias used in these sample inductors. It should be noted that while twisted inductors have worse ESR +compared to conventional two-layer inductors, their ESR is still better than that of a single-layer inductor. Our second +observation is that in every set of samples from this second run of physically larger inductors, twisted inductors +outperform conventional inductors in self-resonant frequency by a considerable margin with an increase in SRF of up to +\qty{50}{\percent} in our samples. + +Our third observation is that unlike in the smaller inductors from Table\ \ref{tab_coupons}, in these larger instances, +twisted inductors show increased inductance by approximately \qty{3.7}{\percent} for our smallest samples, and +\qty{6.5}{\percent} for our largest samples. This behavior indicates that large twisted inductors indeed behave like a +combination between a conventional planar spiral inductor and a conventional planar toroidal inductor. Comparing the +magnitude of this increase with the measurements listed in Table\ \ref{tab_wide_coils} for planar toroidal inductors, we +see that this effect exceeds what one would reach by a simple series configuration of both styles of inductor, +indicating a contribution from flux linkage. + +\begin{table} + \begin{tabular}{cc|cc|ccc|c} + $d_1$& + $d_2$& + $n$& + $k$& + $L$& + $R_\text{ESR}$& + $f_\text{Res}$& + $C_\text{p}$\\ + $\left[\unit{\milli\meter}\right]$& + $\left[\unit{\milli\meter}\right]$& + & + & + $\left[\unit{\micro\henry}\right]$& + $\left[\unit{\ohm}\right]$& + $\left[\unit{\mega\hertz}\right]$& + $\left[\unit{\pico\farad}\right]$\\\hline + \rowcolor[gray]{0.9} + $25$&$40$&$1$ &$150$& $5.00$& $11.0$& N/A& N/A\\ + \rowcolor[gray]{0.9} + $25$&$40$&$53$ &$1$& $120$& $\mathbf{19.6}$& $18.0$& $0.65$\\ + $25$&$40$&$53$ &$50$& $121$& $22.6$& $\mathbf{27.5}$& $\mathbf{0.28}$\\ + $25$&$40$&$53$ &$100$& $123$& $26.9$& $26.5$& $0.29$\\ + $25$&$40$&$53$ &$150$& $\mathbf{125}$& $33.2$& $24.0$& $0.35$\\\hline + \rowcolor[gray]{0.9} + $50$&$65$&$1$ &$300$& $10.2$& $21.9$& N/A& N/A\\ + \rowcolor[gray]{0.9} + $50$&$65$&$53$ &$1$& $270$& $\mathbf{35.7}$& $10.0$& $0.94$\\ + $50$&$65$&$53$ &$100$& $272$& $41.9$& $\mathbf{15.8}$& $\mathbf{0.37}$\\ + $50$&$65$&$53$ &$200$& $277$& $50.1$& $13.3$& $0.52$\\ + $50$&$65$&$53$ &$300$& $\mathbf{280}$& $65.0$& $13.8$& $0.48$\\\hline + \rowcolor[gray]{0.9} + $75$&$90$&$1$ &$480$& $17.3$& $35.5$& N/A& N/A\\ + \rowcolor[gray]{0.9} + $75$&$90$&$53$ &$1$& $441$& $\mathbf{50.7}$& $7.00$& $1.17$\\ + $75$&$90$&$53$ &$160$& $444$& $60.8$& $\mathbf{10.0}$& $\mathbf{0.57}$\\ + $75$&$90$&$53$ &$320$& $461$& $76.2$& $8.75$& $0.72$\\ + $75$&$90$&$53$ &$480$& $\mathbf{470}$& $92.9$& $8.00$& $0.84$\\ + \end{tabular} + \caption{Inductor sample design parameters and measured characteristics for a number of physically larger, + ring-shaped inductors. $L$ and $R_\text{ESR}$ have been measured with a Keysight U1733C handheld LCR meter. + $f_\text{Res}$ has been measured with a LiteVNA VNA. $C_p$ has been calculated for the simple parallel LC + resonator model from $f_\text{Res}$ and $L$. $f_\text{Res}$ was not be measured for the $n=1$ case since these + are just planar toroidal inductors, which show different resonance characteristics compared to planar spiral or + multi-turn twisted inductors. Bolded values highlight the best performance among the coils of one size. Shaded + rows indicate conventional planar toroidal ($n=1$) or two-layer planar spiral inductors ($k=1$).} + \label{tab_wide_coils} +\end{table} + + +\subsection{Coupling and its Sensitivity to Radial Offset} + +While our accidential findings that twisted inductors improve high-frequency performance are certainly welcome and may +benefit a range of applications, the key performance criterion in our rotating WPT application is the voltage ripple +that appears on the secondary side of a WPT link when one of the inductors is rotating. To experimentally evaluate the +magnitude of this ripple in a realistic scenario across a large set of rotations and relative displacements, we created +a test setup consisting of a 3D gantry built from an old 3D printer, with a fourth rotation axis provided by a small +servo that allows us to position two inductor test coupons at arbitrary offsets and angles to one another while +measuring their coupling. + +\todo{pics of 3d printer test setup} + +\begin{figure} + \begin{center} + \includegraphics[width=.85\linewidth]{test_schematic.pdf} + \end{center} + \caption{The test schematic used in all measurements. For direct coupling factor measurements, the load resistor was + disconnected. We measure voltage at the output of the function generator to account for drop in its internal output + resistance.} + \label{fig_test_schematic} +\end{figure} + +To evaluate a realistic scenario, we loaded the secondary inductor with a resistive load of \qty{10}{\ohm}, while +providing a signal at a \qty{300}{\kilo\hertz} carrier frequency to the primary inductor from a Siglent SDG6022X +function generator as shown in Figure\ \ref{fig_test_schematic}. We measured both the input and output voltages +of the coupled inductor pair using Keysight 34465A multimeters in AC RMS mode. The results of these measurements, with +the voltage ratio between the coupled inductors' input and output voltages graphed across one revolution in Figure\ +\ref{fig_symmetry_3turn_n_twist} for a set of three-turn inductors with multiple inversion numbers $k$. A plot for a set +of 10-turn inductors is shown in Figure\ \ref{fig_symmetry_10turn_n_twist} in the Appendix. A key observation here is +that while the asymmetry in the inductor's field is impossible to distinguish visually in field plots, the ripple +induced by rotation is considerable. Figure\ \ref{fig_field_plot_3d} shows a 3D plot of an inductor's coupling. While in +the plot the field looks perfectly rotationally symmetric, the sharp dropoff with radial offset (equivalent to a large +gradient) magnifies any small asymmetry and leads to the ripple voltages we have listed in Table\ \ref{tab_coupons}, +in some cases amounting to several percent of total RMS output voltage. + +\begin{figure} + \begin{center} + \includegraphics[width=\linewidth]{symmetry_3turn_n_twist.pdf} + \end{center} + \caption{RMS output voltage of the test circuit from Figure\ \ref{symmetry_test_circuit} for three pairs of matching + inductors with one inductor rotating w.r.t.\ the other. The inductors have $n=3$ turns each and $k=0$, $k=1$, and + $k=3$, respectively. For each $k$, voltage curves are plotted for a number of different radial offsets + between the two inductor's centers.} + \label{fig_symmetry_3turn_n_twist} +\end{figure} + +From the ripple plots in Figures\ \ref{fig_symmetry_3turn_n_twist} and \ref{fig_symmetry_10turn_n_twist} we observe +slightly lower coupling for $k>0$ compared to a single-layer spiral inductor, which is in line with our previous +inductance measurements. Across one revolution, we find that single-layer spiral inductors exhibit the worst voltage +ripple, with simple two-layer inductors with $k=1$ already improving ripple by a large margin. While increasing $k$ +above $1$ does not siginificantly decrease the amplitude of this ripple further, it shifts the ripple into higher +frequencies that are easier to passively filter on the WPT link's secondary side in our application. + +\subsection{Total Coupling Variation} + +In practical WPT setups, the transmitter and receiver coils are rarely aligned perfectly. To analyze the behavior of our +test inductors under offset and rotation, we had our measurement setup sweep through the full range of rotation of each +of the two inductors when placed at a fixed height of \qty{1}{\milli\meter} and radial offset of \qty{4}{\milli\meter}. +The resulting plots show the variation in RMS output voltage compared to its mean across all rotations as a percentage +plotted against both angular dimensions. Figure\ \ref{fig_rms_ripple_n3} shows the resulting coupling plot for a set of +three-turn inductors, and Figure\ \ref{fig_rms_ripple_n5} for a set of five-turn inductors. Measurements for 10- and for +25-turn inductors are shown in Figures \ref{fig_rms_ripple_n10} and \ref{fig_rms_ripple_n25} in the Appendix. + +Plotting the results of these experiments as well as a series of experiments at a \qty{1}{\milli\meter} radial offset +against inversion count $k$, we arrive at the graph in Figure\ \ref{fig_k_ripple_plot}. In this graph, we see that +twisted inductors improve ripple compared to conventional designs, even at a low inversion count such as $k=3$. + +From these plots, we can draw a number of conclusions. First, our primary objective of reducing coupling variation +across rotations works, with twisted inductors ($k>1$) showing a further improvement over simple two-layer inductors, +which prove to be better than simple single-layer spiral inductors. As one would expect, this gain is greatest for +inductors with low turn count, as their turns deviate the furthest from a set of ideal, concentric circles. For the +our test inductor with an inner diameter of \qty{15}{\milli\meter} and an outer diameter of \qty{35}{\milli\meter}, +$k=3$ inversions already provided an improvement over standard configurations, with still better performance observed +for $k=7$ inversions. + +\todo{concrete coupling factor measurements} + +\begin{figure} + \begin{center} + \includegraphics[width=.85\linewidth]{k_ripple_plot.pdf} + \end{center} + \caption{RMS Voltage ripple in a model rotating WPT setup with $R_L=\qty{10}{\ohm}$ as a percentage of total RMS + output voltage, plotted against inductor inversion count $k$. Measurements were taken with a number of different + coils with turn count $n$ between a single turn and $25$ turns. Measurements were taken at two different radial coil + offsets of $r=\qty{1}{\milli\meter}$ and $\qty{4}{\milli\meter}$. Coil distance was $d=\qty{1}{\milli\meter}$ in all + cases. The shaded area indicates conventional coil layouts, with the remainder of the plot showing twisted + inductors.} + \label{fig_k_ripple_plot} +\end{figure} + +\begin{figure} + \begin{center} + \includegraphics[width=.6\linewidth]{field_plot_3d_n5_k0.pdf} + \end{center} + \caption{The coupling between a pair of identical coils (here two simple spiral inductors with $n=5$ and $k=0$) + visualized in three dimensions. The $x$ and $y$ axis show in-plane displacement, and the $z$ axis shows output + amplitude in arbitrary units. Height and rotation are fixed to \qty{1}{\milli\meter} and \qty{0}{\degree}, + respectively. The most prominent aspects of this plot are that coupling falls off steeply with distance, and that + the rotation-dependent variation is small in comparison. The circular valley around the central peak is the region + where one inductor is mostly outside the other inductors, and intersects the field lines returning from the other + inductor's back, leading to a negative coupling coefficient.} + \label{fig_field_plot_3d} +\end{figure} + +\begin{figure} + \begin{center} + \includegraphics[width=.75\linewidth]{rms_ripple_double_rotation_n3_r4.pdf} + \end{center} + \caption{RMS ripple magnitude as a percentage of mean RMS output voltage, plotted against the rotation of each of + the two inductors. The two coils were kept at a constant \qty{4}{\milli\meter} radial offset, and the output coil + was loaded with a \qty{10}{\ohm} load. All RMS ripple plots in this paper share the same color scale to allow for + visual comparison. This figure shows four variants of 3-turn coils, plots for $n=5$ can be found in Figure\ + \ref{fig_rms_ripple_n5} and plots for $n=\{10,25\}$ in Figures \ref{fig_rms_ripple_n10} and \ref{fig_rms_ripple_n25} + in the Appendix.} + \label{fig_rms_ripple_n3} +\end{figure} + +\begin{figure} + \begin{center} + \includegraphics[width=.75\linewidth]{rms_ripple_double_rotation_n5_r4.pdf} + \end{center} + \caption{RMS ripple magnitude as shown in Figure\ \ref{fig_rms_ripple_n3} for four different 5-turn coils.} + \label{fig_rms_ripple_n5} +\end{figure} + +\section{Future Work} + +On the practical side, as part of our inductor design tool, we extended the EDA file format library gerbonara with code +to automatically map gerbonara's geometry description to the gmsh FEM mesher. This code may be of independent interest +since it allows for the extraction of FEM meshes from not just individual planar components, but PCBs in any file format +supported by gerbonara such as KiCad's native file format, as well as the Gerber file format supported by the majority +of EDA tools. + +On the theoretical side, the fact that our twisted inductor model generalizes both one- or two-layer planar spiral +inductors as well as planar toroidal inductors would make the deduction of key parameters such as inductance and +distributed capacitance by mathematical analysis or by finite element methods interesting. + +\section{Conclusion} + +In this paper, we introduced a novel layout approach for planar, multi-layer inductors loosely inspired by classic +basket-wound inductors used in the early days of radio. Our \emph{twisted} inductors generalize several types of +conventional planar inductors including conventional single- or two-layer planar spiral inductors as well as planar +toroidal inductors. For inversion count parameter $k\ge 2$, twisted inductors produce magnetic field distributions that +have better rotational symmetry along the inductor's main axis compared to either single- or two-layer planar spiral +inductors, which yields lower output ripple in Wireless Power Transfer through rotating joints and enables the use of +smaller and lighter secondary-side circuitry, improving efficiency. + +Furthermore, besides the advantages twisted inductors show in our particular application, we found that our sample +twisted inductors have up to \qty{50}{\percent} improved self-resonant frequency as well as up to \qty{6.5}{\percent} +increased inductance compared to conventional two-layer planar spiral inductors. + +We base our evaluation on laboratory measurements on a set of 39 sample inductors in total, including an automated, +four-dimensional mapping of the coupling between a pair of identical inductors. We provide both an analytical +description of twisted inductor construction as well as a set of Open-Source tools for their design, available at the +link at the end of this paper. + +% FIXME make this end up in the thesis appendix +%\appendix +%\section{Supplemental plots} +% +%\begin{figure} +% \begin{center} +% \includegraphics[width=\linewidth]{symmetry_10turn_n_twist.pdf} +% \end{center} +% \caption{Coupled RMS output voltage of three pairs of matching inductors with $n=10$ turns each and $k=0$, $k=1$, +% and $k=3$, respectively, shown as in Figure\ \ref{fig_symmetry_3turn_n_twist}} +% \label{fig_symmetry_10turn_n_twist} +%\end{figure} +% +%\begin{figure} +% \begin{center} +% \includegraphics[width=.75\linewidth]{rms_ripple_double_rotation_n10_r4.pdf} +% \end{center} +% \caption{RMS ripple magnitude as shown in Figure\ \ref{fig_rms_ripple_n3} for four different 10-turn coils.} +% \label{fig_rms_ripple_n10} +%\end{figure} +% +%\begin{figure} +% \begin{center} +% \includegraphics[width=.75\linewidth]{rms_ripple_double_rotation_n25_r4.pdf} +% \end{center} +% \caption{RMS ripple magnitude as shown in Figure\ \ref{fig_rms_ripple_n3} for four different 25-turn coils.} +% \label{fig_rms_ripple_n25} +%\end{figure} +% +%\section{Layout examples} +%\label{sec_appendix_layout_examples} +% +%\begin{figure*} +% \begin{center} +% \includegraphics[width=.75\textwidth]{nk_complex_illust.pdf} +% \end{center} +% \caption{Layout examples for a number of combinations of turn count $n$ and inversion count $k$. Note that in this +% illustration we chose values for $n$ and $k$ such that all pairs are coprime.} +% \label{fig_nk_complex_illust} +%\end{figure*} +% diff --git a/chapter-nice-coils/figures/divide_by_zero.pdf b/chapter-nice-coils/figures/divide_by_zero.pdf new file mode 100644 index 0000000..fbf0d5a Binary files /dev/null and b/chapter-nice-coils/figures/divide_by_zero.pdf differ diff --git a/chapter-nice-coils/figures/divide_by_zero.pdf.latex_meta b/chapter-nice-coils/figures/divide_by_zero.pdf.latex_meta new file mode 100644 index 0000000..02d25d8 --- /dev/null +++ b/chapter-nice-coils/figures/divide_by_zero.pdf.latex_meta @@ -0,0 +1,6 @@ +\def\resourcestate{\draftgraphics} +\def\resourcescale{} +\def\resourceurl{https://git.jaseg.de/nice-coils.git/plain/paper/figures/divide\_by\_zero.pdf?h=8c76006f5f093e1668896c2da613ed66bd34bba5} +\def\resourcerev{final-tpel-submission-2025-01-27-1-g8c76006} +\def\resourcerepo{nice-coils.git} +\def\resourcepath{paper/figures/divide\_by\_zero.pdf} \ No newline at end of file diff --git a/chapter-nice-coils/figures/field_plot_3d_n3_k4.pdf b/chapter-nice-coils/figures/field_plot_3d_n3_k4.pdf new file mode 100644 index 0000000..2513222 Binary files /dev/null and b/chapter-nice-coils/figures/field_plot_3d_n3_k4.pdf differ diff --git a/chapter-nice-coils/figures/field_plot_3d_n3_k4.pdf.latex_meta b/chapter-nice-coils/figures/field_plot_3d_n3_k4.pdf.latex_meta new file mode 100644 index 0000000..4cc9bbd --- /dev/null +++ b/chapter-nice-coils/figures/field_plot_3d_n3_k4.pdf.latex_meta @@ -0,0 +1,6 @@ +\def\resourcestate{\draftgraphics} +\def\resourcescale{} +\def\resourceurl{https://git.jaseg.de/nice-coils.git/plain/paper/figures/field\_plot\_3d\_n3\_k4.pdf?h=8c76006f5f093e1668896c2da613ed66bd34bba5} +\def\resourcerev{final-tpel-submission-2025-01-27-1-g8c76006} +\def\resourcerepo{nice-coils.git} +\def\resourcepath{paper/figures/field\_plot\_3d\_n3\_k4.pdf} \ No newline at end of file diff --git a/chapter-nice-coils/figures/field_plot_3d_n5_k0.pdf b/chapter-nice-coils/figures/field_plot_3d_n5_k0.pdf new file mode 100644 index 0000000..d7470e7 Binary files /dev/null and b/chapter-nice-coils/figures/field_plot_3d_n5_k0.pdf differ diff --git a/chapter-nice-coils/figures/field_plot_3d_n5_k0.pdf.latex_meta b/chapter-nice-coils/figures/field_plot_3d_n5_k0.pdf.latex_meta new file mode 100644 index 0000000..24e8b02 --- /dev/null +++ b/chapter-nice-coils/figures/field_plot_3d_n5_k0.pdf.latex_meta @@ -0,0 +1,6 @@ +\def\resourcestate{\draftgraphics} +\def\resourcescale{} +\def\resourceurl{https://git.jaseg.de/nice-coils.git/plain/paper/figures/field\_plot\_3d\_n5\_k0.pdf?h=8c76006f5f093e1668896c2da613ed66bd34bba5} +\def\resourcerev{final-tpel-submission-2025-01-27-1-g8c76006} +\def\resourcerepo{nice-coils.git} +\def\resourcepath{paper/figures/field\_plot\_3d\_n5\_k0.pdf} \ No newline at end of file diff --git a/chapter-nice-coils/figures/k_ripple_plot.pdf b/chapter-nice-coils/figures/k_ripple_plot.pdf new file mode 100644 index 0000000..f07a012 Binary files /dev/null and b/chapter-nice-coils/figures/k_ripple_plot.pdf differ diff --git a/chapter-nice-coils/figures/k_ripple_plot.pdf.latex_meta b/chapter-nice-coils/figures/k_ripple_plot.pdf.latex_meta new file mode 100644 index 0000000..fb17668 --- /dev/null +++ b/chapter-nice-coils/figures/k_ripple_plot.pdf.latex_meta @@ -0,0 +1,6 @@ +\def\resourcestate{\draftgraphics} +\def\resourcescale{} +\def\resourceurl{https://git.jaseg.de/nice-coils.git/plain/paper/figures/k\_ripple\_plot.pdf?h=8c76006f5f093e1668896c2da613ed66bd34bba5} +\def\resourcerev{final-tpel-submission-2025-01-27-1-g8c76006} +\def\resourcerepo{nice-coils.git} +\def\resourcepath{paper/figures/k\_ripple\_plot.pdf} \ No newline at end of file diff --git a/chapter-nice-coils/figures/klein-spulen-schwingkreise-korbspule.jpg b/chapter-nice-coils/figures/klein-spulen-schwingkreise-korbspule.jpg new file mode 100644 index 0000000..871d485 Binary files /dev/null and b/chapter-nice-coils/figures/klein-spulen-schwingkreise-korbspule.jpg differ diff --git a/chapter-nice-coils/figures/klein-spulen-schwingkreise-korbspule.jpg.latex_meta b/chapter-nice-coils/figures/klein-spulen-schwingkreise-korbspule.jpg.latex_meta new file mode 100644 index 0000000..e091019 --- /dev/null +++ b/chapter-nice-coils/figures/klein-spulen-schwingkreise-korbspule.jpg.latex_meta @@ -0,0 +1,6 @@ +\def\resourcestate{\draftgraphics} +\def\resourcescale{} +\def\resourceurl{https://git.jaseg.de/nice-coils.git/plain/paper/figures/klein-spulen-schwingkreise-korbspule.jpg?h=8c76006f5f093e1668896c2da613ed66bd34bba5} +\def\resourcerev{final-tpel-submission-2025-01-27-1-g8c76006} +\def\resourcerepo{nice-coils.git} +\def\resourcepath{paper/figures/klein-spulen-schwingkreise-korbspule.jpg} \ No newline at end of file diff --git a/chapter-nice-coils/figures/nice-coils b/chapter-nice-coils/figures/nice-coils new file mode 160000 index 0000000..8c76006 --- /dev/null +++ b/chapter-nice-coils/figures/nice-coils @@ -0,0 +1 @@ +Subproject commit 8c76006f5f093e1668896c2da613ed66bd34bba5 diff --git a/chapter-nice-coils/figures/nk_chinese_remainder_illust.pdf b/chapter-nice-coils/figures/nk_chinese_remainder_illust.pdf new file mode 100644 index 0000000..4088f1f Binary files /dev/null and b/chapter-nice-coils/figures/nk_chinese_remainder_illust.pdf differ diff --git a/chapter-nice-coils/figures/nk_chinese_remainder_illust.pdf.latex_meta b/chapter-nice-coils/figures/nk_chinese_remainder_illust.pdf.latex_meta new file mode 100644 index 0000000..21545f5 --- /dev/null +++ b/chapter-nice-coils/figures/nk_chinese_remainder_illust.pdf.latex_meta @@ -0,0 +1,6 @@ +\def\resourcestate{\draftgraphics} +\def\resourcescale{} +\def\resourceurl{https://git.jaseg.de/nice-coils.git/plain/paper/figures/nk\_chinese\_remainder\_illust.pdf?h=8c76006f5f093e1668896c2da613ed66bd34bba5} +\def\resourcerev{final-tpel-submission-2025-01-27-1-g8c76006} +\def\resourcerepo{nice-coils.git} +\def\resourcepath{paper/figures/nk\_chinese\_remainder\_illust.pdf} \ No newline at end of file diff --git a/chapter-nice-coils/figures/nk_combined.pdf b/chapter-nice-coils/figures/nk_combined.pdf new file mode 100644 index 0000000..c135992 Binary files /dev/null and b/chapter-nice-coils/figures/nk_combined.pdf differ diff --git a/chapter-nice-coils/figures/nk_combined.pdf.latex_meta b/chapter-nice-coils/figures/nk_combined.pdf.latex_meta new file mode 100644 index 0000000..92ffedf --- /dev/null +++ b/chapter-nice-coils/figures/nk_combined.pdf.latex_meta @@ -0,0 +1,6 @@ +\def\resourcestate{\draftgraphics} +\def\resourcescale{} +\def\resourceurl{https://git.jaseg.de/nice-coils.git/plain/paper/figures/nk\_combined.pdf?h=8c76006f5f093e1668896c2da613ed66bd34bba5} +\def\resourcerev{final-tpel-submission-2025-01-27-1-g8c76006} +\def\resourcerepo{nice-coils.git} +\def\resourcepath{paper/figures/nk\_combined.pdf} \ No newline at end of file diff --git a/chapter-nice-coils/figures/nk_complex_illust.pdf b/chapter-nice-coils/figures/nk_complex_illust.pdf new file mode 100644 index 0000000..906e226 Binary files /dev/null and b/chapter-nice-coils/figures/nk_complex_illust.pdf differ diff --git a/chapter-nice-coils/figures/nk_complex_illust.pdf.latex_meta b/chapter-nice-coils/figures/nk_complex_illust.pdf.latex_meta new file mode 100644 index 0000000..92e85a3 --- /dev/null +++ b/chapter-nice-coils/figures/nk_complex_illust.pdf.latex_meta @@ -0,0 +1,6 @@ +\def\resourcestate{\draftgraphics} +\def\resourcescale{} +\def\resourceurl{https://git.jaseg.de/nice-coils.git/plain/paper/figures/nk\_complex\_illust.pdf?h=8c76006f5f093e1668896c2da613ed66bd34bba5} +\def\resourcerev{final-tpel-submission-2025-01-27-1-g8c76006} +\def\resourcerepo{nice-coils.git} +\def\resourcepath{paper/figures/nk\_complex\_illust.pdf} \ No newline at end of file diff --git a/chapter-nice-coils/figures/nk_interleave_illust.pdf b/chapter-nice-coils/figures/nk_interleave_illust.pdf new file mode 100644 index 0000000..fb4d164 Binary files /dev/null and b/chapter-nice-coils/figures/nk_interleave_illust.pdf differ diff --git a/chapter-nice-coils/figures/nk_interleave_illust.pdf.latex_meta b/chapter-nice-coils/figures/nk_interleave_illust.pdf.latex_meta new file mode 100644 index 0000000..2971774 --- /dev/null +++ b/chapter-nice-coils/figures/nk_interleave_illust.pdf.latex_meta @@ -0,0 +1,6 @@ +\def\resourcestate{\draftgraphics} +\def\resourcescale{} +\def\resourceurl{https://git.jaseg.de/nice-coils.git/plain/paper/figures/nk\_interleave\_illust.pdf?h=8c76006f5f093e1668896c2da613ed66bd34bba5} +\def\resourcerev{final-tpel-submission-2025-01-27-1-g8c76006} +\def\resourcerepo{nice-coils.git} +\def\resourcepath{paper/figures/nk\_interleave\_illust.pdf} \ No newline at end of file diff --git a/chapter-nice-coils/figures/nk_simple_illust.pdf b/chapter-nice-coils/figures/nk_simple_illust.pdf new file mode 100644 index 0000000..b4fbb2f Binary files /dev/null and b/chapter-nice-coils/figures/nk_simple_illust.pdf differ diff --git a/chapter-nice-coils/figures/nk_simple_illust.pdf.latex_meta b/chapter-nice-coils/figures/nk_simple_illust.pdf.latex_meta new file mode 100644 index 0000000..23c48d4 --- /dev/null +++ b/chapter-nice-coils/figures/nk_simple_illust.pdf.latex_meta @@ -0,0 +1,6 @@ +\def\resourcestate{\draftgraphics} +\def\resourcescale{} +\def\resourceurl{https://git.jaseg.de/nice-coils.git/plain/paper/figures/nk\_simple\_illust.pdf?h=8c76006f5f093e1668896c2da613ed66bd34bba5} +\def\resourcerev{final-tpel-submission-2025-01-27-1-g8c76006} +\def\resourcerepo{nice-coils.git} +\def\resourcepath{paper/figures/nk\_simple\_illust.pdf} \ No newline at end of file diff --git a/chapter-nice-coils/figures/rms_ripple_double_rotation_n10_r4.pdf b/chapter-nice-coils/figures/rms_ripple_double_rotation_n10_r4.pdf new file mode 100644 index 0000000..b3925b6 Binary files /dev/null and b/chapter-nice-coils/figures/rms_ripple_double_rotation_n10_r4.pdf differ diff --git a/chapter-nice-coils/figures/rms_ripple_double_rotation_n10_r4.pdf.latex_meta b/chapter-nice-coils/figures/rms_ripple_double_rotation_n10_r4.pdf.latex_meta new file mode 100644 index 0000000..8ec68ad --- /dev/null +++ b/chapter-nice-coils/figures/rms_ripple_double_rotation_n10_r4.pdf.latex_meta @@ -0,0 +1,6 @@ +\def\resourcestate{\draftgraphics} +\def\resourcescale{} +\def\resourceurl{https://git.jaseg.de/nice-coils.git/plain/paper/figures/rms\_ripple\_double\_rotation\_n10\_r4.pdf?h=8c76006f5f093e1668896c2da613ed66bd34bba5} +\def\resourcerev{final-tpel-submission-2025-01-27-1-g8c76006} +\def\resourcerepo{nice-coils.git} +\def\resourcepath{paper/figures/rms\_ripple\_double\_rotation\_n10\_r4.pdf} \ No newline at end of file diff --git a/chapter-nice-coils/figures/rms_ripple_double_rotation_n25_r4.pdf b/chapter-nice-coils/figures/rms_ripple_double_rotation_n25_r4.pdf new file mode 100644 index 0000000..b1cd232 Binary files /dev/null and b/chapter-nice-coils/figures/rms_ripple_double_rotation_n25_r4.pdf differ diff --git a/chapter-nice-coils/figures/rms_ripple_double_rotation_n25_r4.pdf.latex_meta b/chapter-nice-coils/figures/rms_ripple_double_rotation_n25_r4.pdf.latex_meta new file mode 100644 index 0000000..0bed8da --- /dev/null +++ b/chapter-nice-coils/figures/rms_ripple_double_rotation_n25_r4.pdf.latex_meta @@ -0,0 +1,6 @@ +\def\resourcestate{\draftgraphics} +\def\resourcescale{} +\def\resourceurl{https://git.jaseg.de/nice-coils.git/plain/paper/figures/rms\_ripple\_double\_rotation\_n25\_r4.pdf?h=8c76006f5f093e1668896c2da613ed66bd34bba5} +\def\resourcerev{final-tpel-submission-2025-01-27-1-g8c76006} +\def\resourcerepo{nice-coils.git} +\def\resourcepath{paper/figures/rms\_ripple\_double\_rotation\_n25\_r4.pdf} \ No newline at end of file diff --git a/chapter-nice-coils/figures/rms_ripple_double_rotation_n3_r4.pdf b/chapter-nice-coils/figures/rms_ripple_double_rotation_n3_r4.pdf new file mode 100644 index 0000000..b35defe Binary files /dev/null and b/chapter-nice-coils/figures/rms_ripple_double_rotation_n3_r4.pdf differ diff --git a/chapter-nice-coils/figures/rms_ripple_double_rotation_n3_r4.pdf.latex_meta b/chapter-nice-coils/figures/rms_ripple_double_rotation_n3_r4.pdf.latex_meta new file mode 100644 index 0000000..f48fffc --- /dev/null +++ b/chapter-nice-coils/figures/rms_ripple_double_rotation_n3_r4.pdf.latex_meta @@ -0,0 +1,6 @@ +\def\resourcestate{\draftgraphics} +\def\resourcescale{} +\def\resourceurl{https://git.jaseg.de/nice-coils.git/plain/paper/figures/rms\_ripple\_double\_rotation\_n3\_r4.pdf?h=8c76006f5f093e1668896c2da613ed66bd34bba5} +\def\resourcerev{final-tpel-submission-2025-01-27-1-g8c76006} +\def\resourcerepo{nice-coils.git} +\def\resourcepath{paper/figures/rms\_ripple\_double\_rotation\_n3\_r4.pdf} \ No newline at end of file diff --git a/chapter-nice-coils/figures/rms_ripple_double_rotation_n5_r4.pdf b/chapter-nice-coils/figures/rms_ripple_double_rotation_n5_r4.pdf new file mode 100644 index 0000000..520d179 Binary files /dev/null and b/chapter-nice-coils/figures/rms_ripple_double_rotation_n5_r4.pdf differ diff --git a/chapter-nice-coils/figures/rms_ripple_double_rotation_n5_r4.pdf.latex_meta b/chapter-nice-coils/figures/rms_ripple_double_rotation_n5_r4.pdf.latex_meta new file mode 100644 index 0000000..d51ee5c --- /dev/null +++ b/chapter-nice-coils/figures/rms_ripple_double_rotation_n5_r4.pdf.latex_meta @@ -0,0 +1,6 @@ +\def\resourcestate{\draftgraphics} +\def\resourcescale{} +\def\resourceurl{https://git.jaseg.de/nice-coils.git/plain/paper/figures/rms\_ripple\_double\_rotation\_n5\_r4.pdf?h=8c76006f5f093e1668896c2da613ed66bd34bba5} +\def\resourcerev{final-tpel-submission-2025-01-27-1-g8c76006} +\def\resourcerepo{nice-coils.git} +\def\resourcepath{paper/figures/rms\_ripple\_double\_rotation\_n5\_r4.pdf} \ No newline at end of file diff --git a/chapter-nice-coils/figures/saacke-radiotechnik-3-ledionspule.jpg b/chapter-nice-coils/figures/saacke-radiotechnik-3-ledionspule.jpg new file mode 100644 index 0000000..89eb58d Binary files /dev/null and b/chapter-nice-coils/figures/saacke-radiotechnik-3-ledionspule.jpg differ diff --git a/chapter-nice-coils/figures/saacke-radiotechnik-3-ledionspule.jpg.latex_meta b/chapter-nice-coils/figures/saacke-radiotechnik-3-ledionspule.jpg.latex_meta new file mode 100644 index 0000000..2066f80 --- /dev/null +++ b/chapter-nice-coils/figures/saacke-radiotechnik-3-ledionspule.jpg.latex_meta @@ -0,0 +1,6 @@ +\def\resourcestate{\draftgraphics} +\def\resourcescale{} +\def\resourceurl{https://git.jaseg.de/nice-coils.git/plain/paper/figures/saacke-radiotechnik-3-ledionspule.jpg?h=8c76006f5f093e1668896c2da613ed66bd34bba5} +\def\resourcerev{final-tpel-submission-2025-01-27-1-g8c76006} +\def\resourcerepo{nice-coils.git} +\def\resourcepath{paper/figures/saacke-radiotechnik-3-ledionspule.jpg} \ No newline at end of file diff --git a/chapter-nice-coils/figures/setup_overview.jpg b/chapter-nice-coils/figures/setup_overview.jpg new file mode 100644 index 0000000..332e03a Binary files /dev/null and b/chapter-nice-coils/figures/setup_overview.jpg differ diff --git a/chapter-nice-coils/figures/setup_overview.jpg.latex_meta b/chapter-nice-coils/figures/setup_overview.jpg.latex_meta new file mode 100644 index 0000000..14acc45 --- /dev/null +++ b/chapter-nice-coils/figures/setup_overview.jpg.latex_meta @@ -0,0 +1,6 @@ +\def\resourcestate{\draftgraphics} +\def\resourcescale{} +\def\resourceurl{https://git.jaseg.de/nice-coils.git/plain/paper/figures/setup\_overview.jpg?h=8c76006f5f093e1668896c2da613ed66bd34bba5} +\def\resourcerev{final-tpel-submission-2025-01-27-1-g8c76006} +\def\resourcerepo{nice-coils.git} +\def\resourcepath{paper/figures/setup\_overview.jpg} \ No newline at end of file diff --git a/chapter-nice-coils/figures/setup_probe.jpg b/chapter-nice-coils/figures/setup_probe.jpg new file mode 100644 index 0000000..c8083b3 Binary files /dev/null and b/chapter-nice-coils/figures/setup_probe.jpg differ diff --git a/chapter-nice-coils/figures/setup_probe.jpg.latex_meta b/chapter-nice-coils/figures/setup_probe.jpg.latex_meta new file mode 100644 index 0000000..f97263d --- /dev/null +++ b/chapter-nice-coils/figures/setup_probe.jpg.latex_meta @@ -0,0 +1,6 @@ +\def\resourcestate{\draftgraphics} +\def\resourcescale{} +\def\resourceurl{https://git.jaseg.de/nice-coils.git/plain/paper/figures/setup\_probe.jpg?h=8c76006f5f093e1668896c2da613ed66bd34bba5} +\def\resourcerev{final-tpel-submission-2025-01-27-1-g8c76006} +\def\resourcerepo{nice-coils.git} +\def\resourcepath{paper/figures/setup\_probe.jpg} \ No newline at end of file diff --git a/chapter-nice-coils/figures/setup_probe_small.jpg b/chapter-nice-coils/figures/setup_probe_small.jpg new file mode 100644 index 0000000..9476b19 Binary files /dev/null and b/chapter-nice-coils/figures/setup_probe_small.jpg differ diff --git a/chapter-nice-coils/figures/setup_probe_small.jpg.latex_meta b/chapter-nice-coils/figures/setup_probe_small.jpg.latex_meta new file mode 100644 index 0000000..971cbc3 --- /dev/null +++ b/chapter-nice-coils/figures/setup_probe_small.jpg.latex_meta @@ -0,0 +1,6 @@ +\def\resourcestate{\draftgraphics} +\def\resourcescale{} +\def\resourceurl{https://git.jaseg.de/nice-coils.git/plain/paper/figures/setup\_probe\_small.jpg?h=8c76006f5f093e1668896c2da613ed66bd34bba5} +\def\resourcerev{final-tpel-submission-2025-01-27-1-g8c76006} +\def\resourcerepo{nice-coils.git} +\def\resourcepath{paper/figures/setup\_probe\_small.jpg} \ No newline at end of file diff --git a/chapter-nice-coils/figures/svg_vis_paper.png b/chapter-nice-coils/figures/svg_vis_paper.png new file mode 100644 index 0000000..f68cc11 Binary files /dev/null and b/chapter-nice-coils/figures/svg_vis_paper.png differ diff --git a/chapter-nice-coils/figures/svg_vis_paper.png.latex_meta b/chapter-nice-coils/figures/svg_vis_paper.png.latex_meta new file mode 100644 index 0000000..abfcd8c --- /dev/null +++ b/chapter-nice-coils/figures/svg_vis_paper.png.latex_meta @@ -0,0 +1,6 @@ +\def\resourcestate{\draftgraphics} +\def\resourcescale{} +\def\resourceurl{https://git.jaseg.de/nice-coils.git/plain/paper/figures/svg\_vis\_paper.png?h=8c76006f5f093e1668896c2da613ed66bd34bba5} +\def\resourcerev{final-tpel-submission-2025-01-27-1-g8c76006} +\def\resourcerepo{nice-coils.git} +\def\resourcepath{paper/figures/svg\_vis\_paper.png} \ No newline at end of file diff --git a/chapter-nice-coils/figures/svg_vis_paper_plain.png b/chapter-nice-coils/figures/svg_vis_paper_plain.png new file mode 100644 index 0000000..10b0087 Binary files /dev/null and b/chapter-nice-coils/figures/svg_vis_paper_plain.png differ diff --git a/chapter-nice-coils/figures/svg_vis_paper_plain.png.latex_meta b/chapter-nice-coils/figures/svg_vis_paper_plain.png.latex_meta new file mode 100644 index 0000000..94a635f --- /dev/null +++ b/chapter-nice-coils/figures/svg_vis_paper_plain.png.latex_meta @@ -0,0 +1,6 @@ +\def\resourcestate{\draftgraphics} +\def\resourcescale{} +\def\resourceurl{https://git.jaseg.de/nice-coils.git/plain/paper/figures/svg\_vis\_paper\_plain.png?h=8c76006f5f093e1668896c2da613ed66bd34bba5} +\def\resourcerev{final-tpel-submission-2025-01-27-1-g8c76006} +\def\resourcerepo{nice-coils.git} +\def\resourcepath{paper/figures/svg\_vis\_paper\_plain.png} \ No newline at end of file diff --git a/chapter-nice-coils/figures/symmetry_10turn_n_twist.pdf b/chapter-nice-coils/figures/symmetry_10turn_n_twist.pdf new file mode 100644 index 0000000..cb2d726 Binary files /dev/null and b/chapter-nice-coils/figures/symmetry_10turn_n_twist.pdf differ diff --git a/chapter-nice-coils/figures/symmetry_10turn_n_twist.pdf.latex_meta b/chapter-nice-coils/figures/symmetry_10turn_n_twist.pdf.latex_meta new file mode 100644 index 0000000..13fb039 --- /dev/null +++ b/chapter-nice-coils/figures/symmetry_10turn_n_twist.pdf.latex_meta @@ -0,0 +1,6 @@ +\def\resourcestate{\draftgraphics} +\def\resourcescale{} +\def\resourceurl{https://git.jaseg.de/nice-coils.git/plain/paper/figures/symmetry\_10turn\_n\_twist.pdf?h=8c76006f5f093e1668896c2da613ed66bd34bba5} +\def\resourcerev{final-tpel-submission-2025-01-27-1-g8c76006} +\def\resourcerepo{nice-coils.git} +\def\resourcepath{paper/figures/symmetry\_10turn\_n\_twist.pdf} \ No newline at end of file diff --git a/chapter-nice-coils/figures/symmetry_3turn_n_twist.pdf b/chapter-nice-coils/figures/symmetry_3turn_n_twist.pdf new file mode 100644 index 0000000..5629093 Binary files /dev/null and b/chapter-nice-coils/figures/symmetry_3turn_n_twist.pdf differ diff --git a/chapter-nice-coils/figures/symmetry_3turn_n_twist.pdf.latex_meta b/chapter-nice-coils/figures/symmetry_3turn_n_twist.pdf.latex_meta new file mode 100644 index 0000000..5d2f400 --- /dev/null +++ b/chapter-nice-coils/figures/symmetry_3turn_n_twist.pdf.latex_meta @@ -0,0 +1,6 @@ +\def\resourcestate{\draftgraphics} +\def\resourcescale{} +\def\resourceurl{https://git.jaseg.de/nice-coils.git/plain/paper/figures/symmetry\_3turn\_n\_twist.pdf?h=8c76006f5f093e1668896c2da613ed66bd34bba5} +\def\resourcerev{final-tpel-submission-2025-01-27-1-g8c76006} +\def\resourcerepo{nice-coils.git} +\def\resourcepath{paper/figures/symmetry\_3turn\_n\_twist.pdf} \ No newline at end of file diff --git a/chapter-nice-coils/figures/test_schematic.pdf b/chapter-nice-coils/figures/test_schematic.pdf new file mode 100644 index 0000000..3867200 Binary files /dev/null and b/chapter-nice-coils/figures/test_schematic.pdf differ diff --git a/chapter-nice-coils/figures/test_schematic.pdf.latex_meta b/chapter-nice-coils/figures/test_schematic.pdf.latex_meta new file mode 100644 index 0000000..92ec6c0 --- /dev/null +++ b/chapter-nice-coils/figures/test_schematic.pdf.latex_meta @@ -0,0 +1,6 @@ +\def\resourcestate{\draftgraphics} +\def\resourcescale{} +\def\resourceurl{https://git.jaseg.de/nice-coils.git/plain/paper/figures/test\_schematic.pdf?h=8c76006f5f093e1668896c2da613ed66bd34bba5} +\def\resourcerev{final-tpel-submission-2025-01-27-1-g8c76006} +\def\resourcerepo{nice-coils.git} +\def\resourcepath{paper/figures/test\_schematic.pdf} \ No newline at end of file diff --git a/chapter-nice-coils/figures/twolayer_spiral.pdf b/chapter-nice-coils/figures/twolayer_spiral.pdf new file mode 100644 index 0000000..999d136 Binary files /dev/null and b/chapter-nice-coils/figures/twolayer_spiral.pdf differ diff --git a/chapter-nice-coils/figures/twolayer_spiral.pdf.latex_meta b/chapter-nice-coils/figures/twolayer_spiral.pdf.latex_meta new file mode 100644 index 0000000..ad1d981 --- /dev/null +++ b/chapter-nice-coils/figures/twolayer_spiral.pdf.latex_meta @@ -0,0 +1,6 @@ +\def\resourcestate{\draftgraphics} +\def\resourcescale{} +\def\resourceurl{https://git.jaseg.de/nice-coils.git/plain/paper/figures/twolayer\_spiral.pdf?h=8c76006f5f093e1668896c2da613ed66bd34bba5} +\def\resourcerev{final-tpel-submission-2025-01-27-1-g8c76006} +\def\resourcerepo{nice-coils.git} +\def\resourcepath{paper/figures/twolayer\_spiral.pdf} \ No newline at end of file diff --git a/chapter-qkd/chapter.tex b/chapter-qkd/chapter.tex index 3fdf6a5..3a28245 100644 --- a/chapter-qkd/chapter.tex +++ b/chapter-qkd/chapter.tex @@ -1,178 +1,4 @@ -\documentclass[11pt,a4paper,notitlepage,twoside]{report} -\usepackage[ngerman, english]{babel} -\usepackage[utf8]{inputenc} -\usepackage[a4paper, top=3cm, bottom=3.5cm, inner=3.5cm, outer=5cm, marginpar=3.8cm]{geometry} -\usepackage[T1]{fontenc} -\usepackage{amssymb} -\usepackage{amsmath} -\usepackage{listings} -\usepackage{eurosym} -\usepackage{wasysym} -\usepackage{extdash} -\usepackage{amsthm} -\usepackage{mwe} -\usepackage{tabularx} -\usepackage{multirow} -\usepackage{multicol} -\usepackage{tikz} -\usepackage{mathtools} -\usepackage{setspace} -\usepackage{titlesec} -\usepackage{fancybox} -\usepackage{fancyhdr} -\usepackage[binary-units,per-mode=fraction]{siunitx} -\usepackage[hidelinks]{hyperref} -\usepackage{commath} -\usepackage{graphicx,color} -\usepackage{ccicons} -\usepackage{subcaption} -\usepackage{float} -\usepackage{footmisc} -\usepackage{array} -\usepackage[underline=false]{pgf-umlsd} -\usetikzlibrary{calc} -\usepackage{epstopdf} -\usepackage{pdfpages} -\usepackage{etoolbox} -\usepackage{catchfile} -\usepackage{minitoc} -\usepackage{minted} % pygmentized source code -%\usepackage[pdftex]{graphicx,color} -%\usepackage{showframe} % Useful for page layout debugging - -\DeclareSIUnit{\baud}{Bd} - -\DeclarePairedDelimiter{\ceil}{\lceil}{\rceil} -\DeclarePairedDelimiter{\paren}{(}{)} - -\usepackage[ - backend=biber, - style=numeric, - natbib=true, - url=false, - doi=true, - eprint=false, - % Make the split online / other resource bibliographies behave - defernumbers=true, - ]{biblatex} -\addbibresource{../main.bib} -\DeclareSourcemap{ - \maps[datatype=bibtex]{ - \map{ - \step[fieldsource=doi,final] - \step[fieldset=isbn,null] - \step[fieldset=issn,null] - \step[fieldset=url,null] - } - \map{ - \step[fieldsource=isbn,final] - \step[fieldset=issn,null] - \step[fieldset=url,null] - } - } -} - -\renewcommand{\thesection}{\arabic{section}} -\renewcommand{\thesubsection}{\arabic{section}.\arabic{subsection}} -\renewcommand{\thesubsubsection}{\arabic{section}.\arabic{subsection}.\arabic{subsubsection}} - -% Re-define heading formats to force single line spacing -\titleformat{\section}{\normalfont\large\bfseries\singlespacing}{\thesection}{1em}{} -\titleformat{\subsection}{\normalfont\large\bfseries\singlespacing}{\thesubsection}{1em}{} -\titleformat{\subsubsection}{\normalfont\large\bfseries\singlespacing}{\thesubsubsection}{1em}{} - -\newcommand{\degree}{\ensuremath{^\circ}} -\newcolumntype{P}[1]{>{\centering\arraybackslash}p{#1}} -\definecolor{todoboxcolor}{RGB}{251 224 252} - -\pagestyle{fancy} - -\fancyhead[C]{} -\fancyhead[ER]{\footnotesize% - \ifdefined\thesispreviewmode % - (draft \texttt{\input{version.tex}\unskip}) % - \fi % -\leftmark} -\fancyhead[OL]{\footnotesize\rightmark} -\fancyhead[EL,OR]{\thepage} - -\fancyfoot[LCR]{} - -\fancypagestyle{plain}{% - \fancyhf{}% - \renewcommand{\headrulewidth}{0pt}% - \renewcommand{\footrulewidth}{0pt}% -} - -\raggedbottom - -\renewcommand{\chaptermark}[1]{\markboth{Chapter \thechapter: #1}{}} -\renewcommand{\sectionmark}[1]{\markright{\thesection\ #1}} -\addtolength{\headwidth}{\marginparsep} -\addtolength{\headwidth}{\marginparwidth} -\addtolength{\headwidth}{-1cm} - -\newcommand{\todo}[1]{ - \ifdefined\thesispreviewmode - \marginpar{ - \setlength{\fboxsep}{2mm} - \shadowbox{ - \parbox{3cm}{ - \singlespacing - \raggedright - \textsf{ - \small\textbf{To do}\\ - \footnotesize#1 - } - } - } - } - \fi -} - -\newcommand{\todoplaceholder}[1]{\textbf{TODO}\todo{#1}} - -% https://tex.stackexchange.com/questions/30720/footnote-without-a-marker -\newcommand\blfootnote[1]{% - \begingroup - \renewcommand\thefootnote{}\footnote{#1}% - \addtocounter{footnote}{-1}% - \endgroup -} - -\newcommand{\figurepath}{figures} -\graphicspath{{\figurepath}} -\newcommand{\figureattrib}[1]{% - \input{\figurepath/#1.latex_meta} % - \scriptsize - \ifdefined\thesispreviewmode\resourcestate\ \resourcescale\\\fi% - Resource: % - \texttt{\resourcerepo/\resourcepath} % - rev \texttt{\resourcerev} % - (\underline{\href{\resourceurl}{link}})% -} - -\newcommand{\draftgraphics}{\ifdefined\thesispreviewmode\textcolor{red}{\bfseries Not final graphics. }\fi} -\newcommand{\camerareadygraphics}{\ifdefined\thesispreviewmode Camera-ready graphics. \fi} -\newcommand{\scaledgraphics}[1]{\ifdefined\thesispreviewmode scaled-#1\else#1\fi} - -\newcommand{\imgsource}[4]{\scriptsize% - Image source: #1, #2 (\underline{\href{#4}{link}}). % - Licensed #3.} - -\hyphenation{a-me-na-ble} - -\begin{document} -\dominitoc -\faketableofcontents - -\chapter{Physical Security in Quantum Key Distribution} -\ifdefined\thesispreviewmode -{\Large \textbf{Draft build}, git revision \texttt{\input{version.tex}}} -\fi -\minitoc -\newpage -\setstretch{1.3} +\chaptertitle{Physical Security in Quantum Key Distribution} \section{Cryptography in the Age of Quantum Computers} @@ -1061,17 +887,3 @@ gears which need to constantly maintain an area of contact, both co-rotating and \end{figure} \section{Outlook} - -\clearpage % clearpage flushes all figures. force this here so we don't get figures floating in between references. -% TODO when breaking this out into a template for building both the whole thesis and individual chapters, we have to -% decide whether we want to keep the bibliography per-chapter or only once for the whole thesis. In the latter case, we -% probably want to replace subbibintoc with bibintoc, or add a custom "bibliography" chapter and adjust the second -% bibliography's heading -\newrefcontext[labelprefix={W}] -\printbibliography[type={online},title={Web sources},heading=subbibintoc] -\newrefcontext -\printbibliography[nottype={online},resetnumbers,heading=subbibintoc] - -\appendix - -\end{document} diff --git a/chapter-qkd/figures/ihsm-secondary-mesh b/chapter-qkd/figures/ihsm-secondary-mesh index 3a7edbd..6011599 160000 --- a/chapter-qkd/figures/ihsm-secondary-mesh +++ b/chapter-qkd/figures/ihsm-secondary-mesh @@ -1 +1 @@ -Subproject commit 3a7edbd1127cacc8f4c90376595b894105f3d479 +Subproject commit 601159904f4269366e29d85c2e90cbf000157f4f diff --git a/chapter-sampling-mesh-monitor/chapter.tex b/chapter-sampling-mesh-monitor/chapter.tex new file mode 100644 index 0000000..7174e8f --- /dev/null +++ b/chapter-sampling-mesh-monitor/chapter.tex @@ -0,0 +1,1105 @@ +\chaptertitle{High Fidelity Security Mesh Monitoring using Low-Cost, Embedded Time Domain Reflectometry} + +\begin{abstract} + Security Meshes are patterns of sensing traces covering an area that are used in Hardware Security Modules (HSMs) + and other systems to detect attempts to physically intrude into the device's protective shell. State-of-the-art + solutions manufacture meshes in bespoke processes from carefully chosen materials, which is expensive and makes + replication challenging. Additionally, state-of-the-art monitoring circuits sacrifice either monitoring precision or + cost efficiency. In this paper, we present an embeddable security mesh monitoring circuit constructed from low-cost, + standard components that utilizes Time Domain Reflectometry (TDR) to create a unique fingerprint of a mesh. Our + approach is both low-cost and precise, and enables the use of inexpensive standard Printed Circuit Boards (PCBs) as + security mesh material. We demonstrate a working prototype of our TDR circuit costing less than \price{10}{\euro} in + components that achieves both time resolution and rise time better than \qty{200}{\pico\second}---a $25\times$ + improvement over previous work. We demonstrate our prototype's capability to detect and localize faults in several + practical attack scenarios including probing using a high impedance oscilloscope probe and a patching attempt using + micro soldering. +\end{abstract} + +\section{Introduction} + +% Bei Diss-Citations in der bib dazu schreiben, dass das ne Diss ist. +% 2.2 / 2.3 Wie related? Warum interessant? In Intro erwähnen? +% In Intro herausstellen, dass TDR-Setup neu ist. + +% Storyline für Intro: Wir sind die ersten die die Auflösung hinbekommen, und deshalb geht bei uns TDR. +% Time for 256 times oversampling: 710 ms. 384 times: 1056 ms. + +Security meshes continue to be the state of the art for tamper sensing in applications where sophisticated physical +attacks such as attempts at drilling or sawing through the device's enclosure to place probes must be prevented. Common +applications for such meshes include Hardware Security Modules (HSMs) used to store and process cryptographic keys +applying security standards such as +FIPS-140-2\cite{usnationalinstituteofstandardsandtechnologySecurityRequirementsCryptographic2002} or ISO/IEC +24759\cite{ISOIEC24759}. Other applications include card payment terminals where PCI PTS HSM +standards\cite{pcisecuritystandardscouncilPaymentCardIndustry2021} are applicable. Security meshes usually consist of +two or more conductive traces that are laid out in a meandering pattern to cover a surface. A sensing circuit +electrically monitors these traces to detect attempts at penetrating this surface. + +As is often the case with security technologies, in practice a tension exists between the level of security offered by a +particular security mesh implementation and its implementation cost. Commercial designs often only coarsely monitor the +conductivity of the mesh traces and are incapable of detecting attacks that manipulate small parts of the mesh. The most +secure meshes are made in custom manufacturing processes. Materials such as polymer substrates are specifically chosen +such that the mesh is difficult to manipulate without breaking it. A drawback of this approach is that the specialized +manufacturing processes are difficult to replicate and that the resulting cost of the mesh is high. In some +lower-security applications such as card payment terminals, simpler approaches are still commonly used for their ease of +implementation. Often, standard copper/polyimide Flexible Printed Circuits (FPCs) or even standard Printed Circuit +Boards (PCBs) are used because of the wide availability of manufacturing services. + +Several academic approaches exist that target low-cost\cite{ + vasileActiveTamperDetection2017, + vasileTemperatureSensitiveActive2017, + dupontMiniaturizedUltraLowPowerTamper2022, + vasileProtectingSecretsAdvanced2019, +} or high-performance mesh monitoring\cite{ + immlerBTREPIDBatterylessTamperresistant2018, + immlerSecurePhysicalEnclosures2018, + garbTamperSensitiveDesignPUFBased, +}. Some academic works even try to replace the security mesh with entirely different tamper sensing primitives\cite{ + staatAntiTamperRadioSystemLevel2022, + vaiSecureArchitectureEmbedded2015,}. +High-performance mesh monitoring approaches try to characterize the mesh's physical properties with high accuracy, but +often come at the cost of specialized, expensive circuitry. Low-cost approaches utilize advanced analog techniques in +their circuitry to extract precise measurements using few components. They trade off measurement precision for lower +component cost. Besides simple monitoring, detecting tamper attempts by replacing the mesh with a macro-scale Physically +Unclonable Function (PUF) has also been researched\cite{ + immlerBTREPIDBatterylessTamperresistant2018, + staatAntiTamperRadioSystemLevel2022, + vaiSecureArchitectureEmbedded2015,}, albeit this comes with complex monitoring circuits that utilize expensive, +specialty components. + +\begin{figure} + \centering + \includegraphics[width=0.6\textwidth]{pic_board_setup_2_small_censored.jpg} + \caption{Measurement setup. Shown are the test specimen board on the left, and the frontend board with one of the + four pulse amplifiers in the center. The frontend board is powered through a USB-C connection, and data is sent to a + computer through a Single-Wire Debug (SWD) interface. The grid in the background has \qty{10}{\milli\meter} pitch. + Note: Author names and institutional affiliation were removed from this picture for peer review.} + \label{fig_pic_board} +\end{figure} + +To enable the use of less expensive, commodity materials such as Printed Circuit Boards (PCBs) without compromising +security, mesh integrity must be monitored with high fidelity. In this paper, we present a low-cost monitoring circuit +for security meshes that combines Time Domain Reflectometry (TDR) with equivalent time sampling. Our approach provides +high measurement fidelity and enables the use of meshes made from less expensive materials in high-security +applications. + +Our circuit generates a very fast pulse with a rise time lower than \qty{200}{\pico\second} that is broadcast into the +mesh. While the pulse traverses the mesh, parts of its energy are reflected on imperfections inside the mesh, including +those caused by tampering attempts. Our circuit uses a fast, low-cost equivalent time sampling frontend to receive, +amplify and record these reflections to create a \emph{fingerprint} of the mesh that is highly sensitive to changes +caused by tampering. + +We demonstrate a working prototype of our design and present practical measurements of its electrical parameters as well +as its performance under several practical attack scenarios. A photo of our prototype setup including a security mesh +specimen is shown in Figure\ \ref{fig_pic_board}. + +Compared to previous academic designs, our approach can be implemented at a lower cost using exclusively inexpensive, +commercially available mass-market components. Our TDR frontend improves upon previous, delay-based approaches in +monitoring fidelity\cite{vasileActiveTamperDetection2017,vasileTemperatureSensitiveActive2017}. Our design achieves +sufficient sensitivity to detect high-impedance oscilloscope probes despite such probes being specifically designed to +conduct measurements without disturbing the circuit under test. Unlike previous, capacitance-based approaches, our +design is compatible with inexpensive signal switch ICs, enabling the protection of arbitrarily large meshes at minimal +cost without compromising sensitivity. + +The contributions of our work are as follows: + +\begin{itemize} + \item To our knowledge, our design is the first to apply a low-cost embedded differential Time Domain Reflectometry + (TDR) frontend to security mesh monitoring. Our design achieves pulse rise times below \qty{200}{\pico\second}, + a $25\times$ improvement over the closest previous + work\cite{vasileActiveTamperDetection2017,vasileTemperatureSensitiveActive2017}. + \item Our approach provides higher fidelity compared to state-of-the-art security mesh conductivity monitoring or + previous low-cost approaches. It enables the use of meshes manufactured using less advanced technologies such as + standard FPC or PCB processes. Our TDR frontend produces 70 data points for each meter of mesh length, resulting + in a measurement density per mesh area of \qty{200}{\bit\per\centi\meter^2} when using a + $\qty{200}{\micro\meter}$ pitch mesh manufactured in a standard low-cost PCB process. + \item We present a working prototype along with extensive experimental results, including laboratory performance + measurements. We practically demonstrate that our design is able to not only detect but distinguish and even + localize attacks in several realistic attack scenarios. + \item Our design is based entirely on commercially available, inexpensive mass-market components. It can be + replicated and improved without access to bespoke production equipment or semiconductor manufacturing + capabilities. To facilitate further research and practical applications, we publish our prototype under an Open + Source license. +\end{itemize} + +\section{Related Work} + +Tamper sensing meshes are used in numerous applications from Hardware Security Modules (HSMs) to card payment +terminals\cite{andersonCryptographicProcessorsASurvey2006,tehranipoorHardwareSecurityPrimitives2023}. Despite their +widespread use, security mesh design and monitoring is covered by a sparse research corpus. Commercially, +security-by-obscurity is often considered a good idea and little detail is published on physical security +implementations\cite{andersonSecurityEngineeringGuide2020}. + +Patent literature gives a partial view of commercial developments in this area. Even in recent patents such as\cite{ + brodskyTamperRespondentAssemblyFlexible2019, % IBM. ok, mentions conductivity monitoring but mostly on mesh + nortonTamperDetectingCases2019, % HP. ok, mentions continuity monitoring only but mostly on mesh + razaghiTamperDetectionSystem2020, % Square. ok. mentions what is effectively conductivity monitoring + wesselhoffTamperResponsiveSensor2020, % Cryptera. ok. Very basic, only uses the mesh in the power supply. + leekTamperDetection2021, % Texas Instruments. ok. Monitors capacitance. + chockPointSaleTerminal2009, % Zilog. ok. Monitors conductivity and tries to detect emulation. +} +from HSM manufacturers IBM and HP, ATM component manufacturer Cryptera, payment terminal manufacturer Stripe, and chip +manufacturers Texas Instruments and Zilog, cited monitoring methods are basic and do not go beyond a simple measurement +of resistance or capacitance. + +Academic research in the area is more advanced and spans both improvements to security meshes and their monitoring +circuits\cite{ + immlerBTREPIDBatterylessTamperresistant2018, + dupontMiniaturizedUltraLowPowerTamper2022, + vasileProtectingSecretsAdvanced2019}, +as well as approaches that entirely replace the security mesh with other primitives based on e.g.\ radio frequency or +optical measurements that aim to sense tampering +with a device\cite{staatAntiTamperRadioSystemLevel2022,vaiSecureArchitectureEmbedded2015}. A drawback of techniques +aiming to replace security meshes with other sensor types is that it is difficult to prove such sensors do not have +blind spots. + +\subsection{Security Mesh Monitoring and Design} + +\paragraph{Meshes as capacitive PUFs.} +\textcite{ + immlerBTREPIDBatterylessTamperresistant2018, + obermaierMeasurementSystemCapacitive2018, + garbTamperSensitiveDesignPUFBased} +propose one of the most advanced security mesh designs in the current academic state of the art. They use a specialized +security mesh as a Physically Unclonable Function (PUF), combining tamper sensing with cryptographic key storage. In +their design, the mesh consists of a cross-hatch pattern made from several dozen individually addressable capacitive +electrodes. They manufacture their meshes in a specialized process that results in unpredictable, random variations in +capacitance between electrodes. They propose an analog frontend that measures the precise mutual capacitance of each +pair of electrodes\cite{obermaierMeasurementSystemCapacitive2018} using an approach similar to +\textcite{satoToucheEnhancingTouch2012}, and they use the resulting capacitance matrix as the basis of their PUF. In +further work, they demonstrate a custom IC integrating the monitoring +circuit\cite{garbFORTRESSFORtifiedTamperResistant2021}. + +Advantages of their system include high sensitivity to modifications, as well as that as a PUF, the system does not +require a continuous power supply. Disadvantages include the limited mesh size a single circuit can support due to +dynamic range constraints, the specialized manufacturing process needed for the mesh as well as the high cost of the +monitoring circuit. Common physical security standards require systems to actively destroy all key material when +tampering is detected\cite{ + usnationalinstituteofstandardsandtechnologySecurityRequirementsCryptographic2002, + ISOIEC24759, + pcisecuritystandardscouncilPaymentCardIndustry2021}. +Like other PUF-based systems, their system naturally lacks this capability. + +% FIXME go more into multiplexing larger meshes in our system below +Key differences of our system include: +\begin{itemize} + \item Our system can cover larger meshes without loss of precision using a single TDR frontend through multiplexing. + + \item Our system supports meshes manufactured using standard, low-cost PCB processes. + + \item Our design requires only widely available, low-cost commodity components, for each of which alternatives + from other manufacturers are available. + + \item Our approach has improved resiliency to electromagnetic interference and works with unshielded meshes. +\end{itemize} + +\paragraph{Bridge measurement of capacitive interdigital meshes.} \textcite{dupontMiniaturizedUltraLowPowerTamper2022} +introduce a simple analog circuit approach for monitoring meshes laid out as a set of capacitive interdigital structures +not unlike the combs found in Micro-Electromechanical System (MEMS) accelerometers and gyroscopes. They subdivide the +mesh into four equal-size quadrants, each containing two equal-size interdigital electrodes. They connect the resulting +eight electrodes in a capacitive bridge configuration and measure the bridge's balance using a simple analog monitoring +circuit based on homodyne detection. Advantages of their system include the simple, low-power monitoring circuit made +from basic, cheap components and the capability to work with single-layer meshes such as those produced using Laser +Direct Structuring (LDS). From a security point of view, a drawback of their approach is that to achieve its low-power +usage, measurement resolution is sacrificed and all information on the mesh's state is collapsed into a single, scalar +measurement. + +\paragraph{Frequency-domain mesh characterization.} +\textcite{vasileProtectingSecretsAdvanced2019} introduce a monitoring method where they feed a variable-frequency signal +into one end of a continuous mesh trace, and measure the power of the signal coming out of the other end. In essence, +their setup measures $S_{12}$ magnitude in a similar way to a network analyzer. + +Advantages of their design include the simple implementation and the potentially robust nature of frequency-domain +measurements. Disadvantages include a nonstandard three-layer mesh stackup, as well as the susceptibility of the system +to attack by emulation given that the log power sensor they are using at the mesh output is designed to be insensitive +to any signal characteristics apart from total signal power. + +\paragraph{Time domain mesh monitoring.} +Time-Domain Reflectometry has been proposed for tamper sensing in nuclear arms control +applications\cite{parsonsTamperRadiationResistant1977}. However, compared to our design, the systems proposed in this +field are usually much larger, using standard benchtop measurement equipment to perform TDR. Additionally, they target +lower time resolution since they are designed to monitor spans of cable up to several hundred meters in length. + +Closest to our proposal in the academic corpus is the work of +\textcite{vasileActiveTamperDetection2017,vasileTemperatureSensitiveActive2017}, where they propose monitoring the time +domain response of a mesh using a circuit made from a pulse generator and a fast Analog-to-Digital Converter (ADC). To +avoid an expensive, high-speed digital processing pipeline, their design is centered around a specialized high-speed ADC +that has a built-in sample memory. Using this part, they capture a pulse at high speed after it traverses the mesh. +Subsequently, they slowly process the captured data from memory. + +Advantages of their design include better sensitivity to changes in total mesh trace length compared to simple +continuity monitoring and the low complexity of their analog frontend. Disadvantages include the reliance on a specialty +ADC that cannot easily be replaced with any other commercially available component and the coarse time resolution. + +Key differences between their design and our proposal include: +\begin{itemize} + \item Their design is sensitive to total length, but not to the location of faults. Their design measures the mesh's + \emph{transmission} characteristic, which collapses detail about faults along the mesh into a small number of + ADC samples at the pulse edge. Using such a measurement, it is not possible to localize faults. In contrast, our + approach measures the signal's \emph{reflected} component, which spreads information over time and enables us to + localize faults. + + \item Our design uses only inexpensive, widely available parts. All parts in our design can easily be substituted + for other, similar parts from different manufacturers. + + \item Our approach provides $25\times$ higher time resolution through Equivalent Time Sampling. This is a + fundamental limitation of their design, as the cost of ADCs and their associated circuitry increases steeply + with speed\footnote{ For reference, the least expensive ADC available at distributor DigiKey that would match + the \qty{200}{\pico\second} time resolution of our approach would cost \price{320}{\euro} at quantity 100 and + require national security clearance for export from its manufacturer in the USA.}. +\end{itemize} + +\subsection{Equivalent Time Sampling} + +Today, systems that digitize high-speed signals usually use a fast ADC, sometimes preceded by one or several +downconverting mixers. This development was enabled by both the increasing availability of ADCs capable of digitizing +hundreds of megasamples per second at a reasonable resolution, and by the increase in speed of CPUs, +FPGAs, and other components of the digital processing chain. However, this is largely a development of this +millennium--meanwhile, signals far into the gigahertz range have been studied since the advent of radar technology in +the Second World War\cite{kahrs50YearsRF2003}. Enabled by the progress from vacuum tubes to semiconductor devices, +equivalent time sampling became the technology of choice for the latter half of the twentieth century until around the +turn of the millennium the introduction of high-speed digital processing and fast ADCs enabled real-time conversion up +into higher microwave frequencies, today reaching beyond the \qty{100}{\giga\hertz} boundary. + +\textcite{kahrs50YearsRF2003} trace back the style of four-diode balanced bridge sampling gate that we use to a vacuum +tube implementation presented in \textcite{chanceWaveforms1949}. This style of sampling gate found application in a +number of sampling oscilloscopes throughout the twentieth century in several oscilloscope sampling frontends such as +HP's 187B\cite{HP187BDualTrace1962}. + +While initially equivalent time sampling was used to circumvent technological limitations, more recently it has also +been used to achieve cost-optimized designs\cite{houtman1GHzSamplingOscilloscope2000}. Going along similar principles, +\textcite{polasekReflektometrCasoveOblasti2020} presents a design for a minimal sampling TDR circuit that uses a CMOS +clock generator IC along with a CML fanout buffer for pulse generation. The circuit improves upon the double sampling +design first presented by \textcite{houtman1GHzSamplingOscilloscope2000} to reconstruct a downsampled copy of the input +signal in the analog domain before digitization. + +\subsection{Low-Cost Time Domain Reflectometry} + +\textcite{bencivenniTimeDomainReflectometer2013} present an FPGA-based embedded reflectometer design. Since their design +is based on an early FPGA family dating back to 2003 that lacked the speed and the adjustable I/O delay features of more +modern FPGA families, their design uses the FPGA's logic resources to achieve adjustable delays. +\textcite{negreaSequentialSamplingTime2009} show an equivalent time sampling TDR that uses specialized adjustable delay +line ICs for pulse generation. \textcite{lee16psresolutionRandomEquivalent2003} achieve very high time resolution in an +equivalent time sampling TDR system by using a vernier approach to pulse generation, such that their system is limited +by analog bandwidth, not time resolution. \textcite{trebbelsMiniaturizedFPGABasedHighResolution2013} show another +FPGA-based TDR. Their system also uses a part from the same early FPGA family as +\textcite{bencivenniTimeDomainReflectometer2013}, and they work around its lack of precise timing primitives by +generating a low-frequency sine wave through DDS, which they filter, and then sample using a comparator - a similar +approach to the timing generation in \textcite{houtman1GHzSamplingOscilloscope2000}. Additionally, they avoid the need +for a discrete ADC by implementing a $\Delta\Sigma$ loop around a fast comparator, trading off slower acquisition time +for lower hardware complexity. They use a \qty{5.5}{\volt\per\nano\second} slew rate wideband amplifier IC to generate +their stimulus pulse, achieving a rise time of \qty{2}{\nano\second}. As a result, similar to +\textcite{lee16psresolutionRandomEquivalent2003}, their design is limited by analog bandwidth--here resulting from the +nanosecond-scale stimulus rise time--not by frontend time resolution. Compared with this and other previous approaches, +our proposed system is not only faster, but presents a more balanced trade-off between time resolution and analog +bandwidth. + +\section{Monitoring a Security Mesh using Time Domain Reflectometry} + +Time Domain Reflectometry (TDR) is a well-known technique that is used to locate faults along a signal channel such as a +copper cable, or an optical fiber. In TDR, a pulse is sent into the beginning of the channel. While the pulse traverses +the channel, any fault such as a discontinuity in electrical impedance or optical density causes part of the pulse to +travel back in a partial reflection. TDR monitors these reflections returning to the beginning of the channel by +recording the signal measured at it after the pulse has been sent. When the pulse reaches the end of the channel, +depending on termination it can be reflected to travel back to the beginning, which allows measurement of the channel's +length. + +\subsection{Attacks on a Security Mesh Viewed Using TDR} + +In this paper, we apply TDR to monitor a security mesh for changes caused by an attack. Our prototype setup consists of +a custom circuit board containing a low-cost embedded TDR frontend that can be connected to a security mesh specimen to +measure its response, creating a fingerprint of the mesh. In a standard PCB manufacturing process, we construct a +security mesh with a ground plane underneath that works similarly to previous work\cite{ + immlerBTREPIDBatterylessTamperresistant2018, + obermaierMeasurementSystemCapacitive2018, + garbTamperSensitiveDesignPUFBased}. +When viewed in the microwave domain, such meshes constitute what is essentially a delay line. Security meshes commonly +use a pair of two traces to capture short circuit conditions between adjacent traces, which we treat as a differential +pair for improved resiliency against electromagnetic interference. We constructed our frontend such that it excites the +two traces differentially, but allows for both single-ended and differential measurements. + +In an intact mesh, we expect our frontend to record no significant reflections until the stimulus pulse has traversed +the mesh's traces both ways, at which point we expect a large response whose polarity and amplitude depend on the +termination on the far end of the mesh. In our prototype circuit, we made this termination configurable to expand the +range of possible measurement configurations and to enable self-calibration of the circuit. + +When an attacker attempts to tamper with the mesh, they will cause an impedance discontinuity. Cuts of one or both +traces or a short circuit between both traces will result in a total reflection of the incident pulse at the location +of the fault, which our circuit will easily detect as the delay of the response changes. However, beyond these simple +cases, our approach can also detect more subtle changes. For instance, a short circuit between two points along the same +mesh trace will also result in a change in delay along this trace. Furthermore, even just probing a mesh trace with an +oscilloscope probe will add the probe's input capacitance, which is usually in the order of several Picofarad, to one +point along the trace, resulting in an impedance step that can be detected by TDR. The TDR approach is thus able to not +only detect but distinguish and even localize several types of faults or attacks in a mesh. + +% FIXME subsection on routing and daisychaining + +\section{Circuit Design and Driving Approach} + +\begin{figure} + \centering + \hspace*{-7mm} + \includegraphics[height=80mm]{block_diagram.pdf} + \caption{Block diagram of our prototype sampling TDR security mesh monitoring circuit.} + \label{fig_block_diagram} +\end{figure} + +A TDR can be broken down into three basic components. First, we need a source of fast pulses (or fast edges!) to +stimulate the mesh. Second, we need a coupler that allows us to couple the stimulus pulses into the mesh, and their +reflections out of it. Finally, we need a fast ADC to capture the reflections. + +Figure\ \ref{fig_block_diagram} shows a block diagram of our design\footnote{Full schematics are available in this +paper's supplementary material.}. At the core of our design lies an equivalent time sampling setup, where two +diode bridge sampling gates alternately sample the two traces of the mesh. +Since physical attacks happen on a time scale of minutes or hours, we do not need a fast acquisition rate. Equivalent +time sampling uses fast sampling gates to sample a high-frequency signal at a low frequency that is suitable for direct +conversion through an ADC. This reduces the requirements of our data acquisition and signal processing fronted from +gigasamples per second to mere megasamples, well within the range that a commodity microcontroller can handle. + +A challenge in equivalent time sampling is precisely phase-synchronizing the sampling pulse to the fundamental frequency +of the input signal, which is usually implemented by using a high-speed comparator. In a TDR-style frontend like ours, +this expensive component can be avoided because the stimulus signal is generated in the frontend, simplifying the +challenge of generating a synchronized sampling pulse at an adjustable phase to the stimulus pulse. + +Since an intact mesh has low insertion loss, the amplitude of the response of an intact mesh is large. Thus, we do not +need a high dynamic range in either the frontend amplifiers or in the ADC, enabling the use of commodity operational +amplifiers (opamps) and the built-in ADC of a commodity microcontroller. Further, the strong signal allows us to use a +comparatively lossy \qty{-6}{\deci\bel} resistive tee instead of a directional coupler. A resistive tee does not provide +directionality, but in our case, the incident pulse can never interfere with reflections at the sampling output of the +divider because of causality. + +To implement our sub-nanosecond sampler, we chose a simple four-diode bridge sampling gate made from commodity +\partno{BAT17-04W} RF Schottky diodes, which offer turn-on times better than \qty{100}{\pico\second} at +\price{0.13}{\euro} per device at quantity 1000. The four-diode configuration requires only two dual diode packages. In +contrast to \textcite{polasekReflektometrCasoveOblasti2020,houtman1GHzSamplingOscilloscope2000}, in our system, double +sampling is not necessary - instead, we follow the sampling gate directly with an amplifier feeding into the internal +ADC of our microcontroller. We use an internal timer peripheral of the same microcontroller to generate both stimulus +and sample pulses such that we can easily phase-lock the internal ADC to the same timer. + +We base our circuit around an \partno{STM32G474RB} microcontroller, a \price{5}{\euro}-class commodity ARM +microcontroller. Besides adequate processing speed for its price class, this microcontroller offers two features that +are critical to our design. First, its internal ADCs are both higher resolution and faster than those of older parts. +Second, it is one of a few parts in its series that include a \emph{high-resolution timer} (\partno{HRTIM}) peripheral +that provides several outputs that can be controlled with better than \qty{200}{\pico\second} resolution through +per-output, self-calibrating delay line circuitry. We use this peripheral to produce both the stimulus pulse and the +phase-adjustable sampling pulse. + +While the HRTIM peripheral allows us to finely adjust the phase of its output waveform, the digital output structures of +the \partno{STM32G4} series are still limited to nanosecond-scale rise and fall times with the datasheet quoting +$t_r=t_f=\qty{1.7}{\nano\second}$ into a \qty{10}{\pico\farad} load when using the fastest GPIO output drive strength +setting and a \qty{3.3}{\volt} supply\cite{stmicroelectronicsSTM32G474xBDatasheet2021}. We work around this issue by +applying two circuit tricks. First, we send its output through a fast amplifier to square up the edges to a rise time +better than \qty{500}{\pico\second}. The remaining challenge is that while we now have pulses with crisp edges, due to +constraints of the HRTIM peripheral, at more than \qty{10}{\nano\second}, these pulses are still too wide to be useful. +We solve this issue by applying a clip line\cite{tektronixinc.TektronixS6Sampling1982} pulse forming network at the +output of the amplifier--i.e.\ we connect the amplifier's output to the load in parallel with a short, terminated +transmission line stub. The length of this stub determines the pulse width. + +\subsection{Driver Selection} + +Several types of amplifiers can be used in our pulse shaping application. Common to all options, we require differential +outputs. In practice, for most parts, this means we are looking for a part with Current Mode Logic (CML) outputs. CML is +a differential signaling standard that is widely used in high-speed logic. In CML, a current source feeds a pair of +transistors that steer current between the two outputs of the differential pair. By steering current between the two +outputs, common-mode currents are minimized which both reduces the effect of power supply impedance at the transmitter +and reduces electromagnetic emissions from the differential pair's PCB traces. In our experiments, we considered several +parts and settled on four parts for evaluation in this paper: A \partno{74LVC2G157} standard logic IC, two display +protocol redrivers, \partno{PI3HDX12211} and \partno{TDP0604}, as well as \partno{MAX3748}, a limiting amplifier for +optical networking applications. We implemented four variants of our prototype using a steady hand under a microscope as +shown in Figure\ \ref{fig_pic_amps}. + +One notable omission from our tests was the series of CML-output comparators made by Analog Devices due to the cost of +these devices. + +\begin{figure} + \centering + \begin{subfigure}{0.23\textwidth} + \centering + \includegraphics[width=0.9\textwidth]{pic_74lvc_small.jpg} + \caption{74LVC2G157} + \end{subfigure} + \begin{subfigure}{0.23\textwidth} + \centering + \includegraphics[width=0.9\textwidth]{pic_max3748_small.jpg} + \caption{MAX3748} + \end{subfigure} + \begin{subfigure}{0.23\textwidth} + \centering + \includegraphics[width=0.9\textwidth]{pic_tdp0604_small.jpg} + \caption{TDP0604} + \end{subfigure} + \begin{subfigure}{0.23\textwidth} + \centering + \includegraphics[width=0.9\textwidth]{pic_pi3hdx_small.jpg} + \caption{PI3HDX12211} + \end{subfigure} + \caption{Circuit-board implementation of the four pulse amplifier variants of the design. Amplifiers were mounted + dead bug style on a piece of copper tape connected to one of the supply rails and hooked up with + \qty{120}{\micro\meter} diameter wire according to their respective datasheets. Supply rails were hooked up using + copper tape where possible to reduce series impedance. Additional \qty{10}{\micro\farad} MLCC power supply + decoupling capacitors were placed close to the ICs on the copper tape to reduce loop area.} + \label{fig_pic_amps} +\end{figure} + +\paragraph{Standard logic ICs.} +As a baseline, we evaluated the \partno{74LVC2G157} standard logic IC. This IC contains a single multiplexer, however, +we are not interested in the multiplexer functionality. The interesting trivia about this chip is that it also is one of +the only \partno{74} series standard logic parts that have complimentary outputs. According to manufacturer +specifications, at a comparable \qty{20}{\pico\farad} load, \partno{74LVC} series parts have slightly faster rise and +fall times compared to our \partno{STM32} microcontroller's digital IO +pins\cite{renesaselectronicscorporationApplicationNoteAN2242019}. + +\paragraph{Optical Networking Chipsets.} +A category of CML-output drivers suitable for our application is a class of optical networking chipset ICs. While +today, the construction of optical transmitters has moved to direct bonding of optical components and driver ICs to +minimize parasitics, discrete driver ICs for some chipsets from the mid-2000s era are still available at reasonable +cost. Both the laser driver used to drive the transmitter laser diode, and the limiting amplifier used to amplify the +receiver photodiode's output can be used in our application, with the limiting amplifier part requiring less additional +circuitry in our application due to its lack of output bias control. In our evaluation below, we include the +\partno{MAX3748} limiting amplifier as a representative part from this category that is still commercially available. A +drawback of relying on a part like this is that its future availability is uncertain given the evolution of the +industry. + +\paragraph{Bus Redrivers.} +The final category of amplifiers suitable for our pulse shaping needs is redrivers intended for high-speed data +interfaces such as USB 3, PCI Express, HDMI, or DisplayPort. All of these interfaces use CML drivers, with differential +voltage levels usually in the order of \qtyrange{600}{1000}{\milli\volt}. \emph{Redriver} ICs are intended to be used to +amplify the sensitive high-speed bus signal at the edge of a PCBA, either before it leaves the board through a connector +to ensure adequate signal levels at the connector, or after it enters through a connector to compensate for loss in the +PCB traces between the connector and the signal's destination. For our application, redrivers intended for HDMI and +DisplayPort applications are most suitable, as they can usually be configured to act as simple amplifiers without +processing any protocol logic on the signals that are amplified. In contrast, both USB 3 and PCIe redrivers often +implement power saving features that try to parse parts of the actual signal transmitted through them, which are hard to +bypass in our application. + +Redrivers can be classified according to their way of operation. \emph{Retimers} include a full +serialization/deserialization (SerDes) setup and parse the low-level protocol of the bus to reconstruct bit-level +timing. We focus only on simpler redrivers that only contain amplifiers and (analog) equalizers here. + +Amplifying redrivers can be separated into two classes: Limiting and linear redrivers. A limiting redriver is configured +to have a high gain such that a small input signal will be amplified to the full output voltage swing. Limiting +redrivers are well-suited for our application, but they have come out of fashion since they interfere with link training +and with power saving features of protocols like USB 3. + +Linear redrivers are constructed with a low gain instead. Sufficient to compensate for wiring losses, their gain is low +enough to leave them transparent to bus protocol features such as link training or power saving features. To compensate +for their reduced gain, linear redrivers usually contain configurable equalizers that can be used to apply targeted +enhancements for particular signal defects, such as boosting high-frequency gain or providing a set amount of overshoot. +Where available, in our prototype variants we set these equalization features to provide maximum gain. + +In our evaluation below, we include \partno{PI3HDX12211} as a linear redriver intended for DisplayPort and HDMI +applications, as well as \partno{TPD0604} as a ``hybrid'' linear or limiting redriver for HDMI applications, configured +for limiting mode in our experiments. An attractive feature of both of these chips as well as comparable devices is that +they usually include at least four independent channels, so only one chip is needed for both pulse paths. Additionally, +they are consumer mass market parts, resulting in a low price. For instance, \partno{PI3HDX12211} is available at +\price{2.11}{\euro} in single quantity and less than \price{1.30}{\euro} at a quantity of several hundred at distributor +LCSC, and \partno{TPD0604} is available at \price{4.72}{\euro} and \price{3.44}{\euro}, respectively, at distributor +Mouser. + +\subsection{Cost Breakdown} + +Table\ \ref{tab_bom} shows a breakdown of the cost of the main components of our prototype, resulting in a total +component cost of less than \price{10}{\euro}. We did not include power supply components in this breakdown as our +circuit is meant to be embedded into a payload circuit that will already have sufficient power supplies. + +Due to its \partno{HRTIM} peripheral, the \partno{STM32G4} microcontroller is the component of our design that is +hardest to replace. However, this part can still be replaced with a wide range of FPGAs, which commonly include +digitally configurable delay lines on their IO pins for signal de-skewing. For instance, the \partno{ODELAY} primitive +of Xilinx 7 Series FPGAs provides the same $\frac{1}{32}$ clock cycle resolution that the \partno{STM32G4} +\partno{HRTIM} peripheral provides while supporting higher input clock frequencies. + +\begin{table} + \centering + \begin{tabular}{c|c|c|l} + \textbf{Part number}&\textbf{Amount}&\textbf{Cost in \euro}&\textbf{Description}\\\hline + PI3HDX12211&1&1.37&Pulse amplifier\\ + STM32G474RB&1&3.51&Main microcontroller\\ + OPA1656&1&1.25&Sampling post-amplifier\\ + TMUXHS4212&2&0.64&Signal routing switch\\ + SKYA21003&2&0.49&Termination switch\\ + 74LVC2G157&2&0.15&Pulse pre-conditioning\\ + BAT17-04W&4&0.12&Sampling gates\\ + &25&0.01&Various MLCC capacitors\\ + &25&0.01&Various resistors\\\hline + \multicolumn{2}{r}{}&\textbf{9.67}&\textbf{Total} + \end{tabular} + \caption{A cost breakdown of the major components of our design. Listed prices are for 1000 pieces order quantity to + make prices more comparable between distributors. The number of switches necessary for signal routing and + termination depends on the specific mesh signal routing of the application. Numbers shown here are for our + prototype, which can measure a mesh from both ends and supports short, open and matched termination.} + \label{tab_bom} +\end{table} + +\subsection{Measurement Principle and Scan Scheduling} +\label{sec_scan_schedule} + +The goal of a time domain reflectometer is to send a pulse into the Device Under Test (DUT)--i.e.\ in our application, +the mesh--and to record all reflections returning from the DUT afterwards. In something like a security mesh whose +traces might only be a few meters long in total, the time span between the pulse being sent and the last reflections +from the very end of the mesh arriving is in the order of several tens of nanoseconds. Directly recording a response at +this timescale would be infeasible using a commodity microcontroller, so we utilize an equivalent time sampling +approach. + +As shown in Figure\ \ref{fig_block_diagram}, our analog frontend contains amplifiers that produce the stimulus pulse, a +sampling gate with amplifiers, and a coupler that couples the pulse into the mesh and couples the reflections back into +the sampling gate. A microcontroller controls this frontend with two primary signals: A stimulus pulse, and a sampling +pulse. By adjusting the timing between these two pulses every time a stimulus pulse is sent, the microcontroller can +select a particular point in time after the stimulus pulse to record using the sampling gate. By slowly sweeping across +the whole time span, the microcontroller can reconstruct the waveform of the reflected signal at the sampling gate +across one period of the stimulus pulse. The recording rate of this waveform is limited by the repetition rate of the +stimulus pulse as well as the time step size. + +The attainable repetition rate of our stimulus and sampling circuits is limited by two main components. First, the +sampling post-amplifier's bandwidth limits the maximum sample rate. In our design, we chose an \partno{OPA1656} +\qty{50}{\mega\hertz} Gain-Bandwidth Product (GBP) FET input low noise operational amplifier. We need a FET input part +to avoid loading the sampling gate. The comparatively high GBP and the low noise input stage of this device allow us to +amplify small signals that could result from weak reflections in small impedance discontinuities inside the mesh. + +The second major factor limiting repetition rate is the microcontroller's ADC speed, as well as the speed of the +software processing the ADC's output. At full \qty{12}{b} resolution, this corresponds to a sampling rate of +approximately \qty{4}{MSps}. The microcontroller contains five ADCs, which can be interleaved to achieve higher rates. + +Combining these factors, we conservatively decided on a sampling rate of \qty{1}{MSps} across both channels of the +differential pair. At this sampling rate, it is feasible to control the sample timing on a sample-by-sample basis. For +all measurements in this paper, we use a sequential sampling approach where the microcontroller takes a series of +measurements for oversampling at a particular delay, and then increases the delay by one \partno{HRTIM} output clock +interval. + +In our prototype, one sweep of a \qty{188}{\nano\second} time span consisting of $1024$ data points took +\qty{710}{\milli\second} at $256\times$ oversampling and \qty{1.1}{\second} at $384\times$ oversampling. The time span +corresponds to \qty{28}{\meter} of mesh length, which at a \qty{200}{\micro\meter} pitch corresponds to a mesh area of +\qty{113}{\centi\meter\squared} and at a \qty{1}{\milli\meter} pitch corresponds to +\qty{565}{\centi\meter\squared}. Using the same microcontroller, by optimizing timing, moving oversampling processing +out of the interrupt handler, and by interleaving four of the microcontroller's five ADC peripherals, the lower limit of +acquisition time of a $1024$-point scan is \qty{33}{\milli\second} for $256\times$ oversampling and +\qty{49}{\milli\second} for $384\times$ oversampling. + +While for our development, sequential scanning is adequate, in a future practical application, two simple optimizations +would decrease the time to detection for an attack. First, in a practical application, the range of scanned delays +should be adjusted to the length of the particular security mesh in use. For this paper, we always +scanned a time range of $1024$ points at \qty{184}{\pico\second} spacing starting before one stimulus pulse and ending +shortly before the next stimulus pulse so that any waveform artifacts will be visible. In a practical application, there +would be little information gained by sampling much beyond the edges of the expected mesh response, so the scan window +should be kept small to increase scan rate. + +Secondly, in a practical application, the feature that is most relevant to detect tamper attempts is the trailing edge +of the mesh's response. This trailing edge corresponds to the return of the stimulus pulse's reflection at the far end +of the mesh. Any attack that affects the impedance even only of part of the mesh has a high chance of affecting its +delay, and thus this trailing edge is likely to move. In a practical application, it would thus be efficient to use a +heuristic scan schedule instead of the sequential scan we are using in our research prototype. Such a heuristic schedule +would sample delays near the expected trailing edge of the particular mesh in use more frequently compared to delays +that lie somewhere else, such as in the middle of the mesh's return window. + +\section{Experimental Evaluation} + +To validate our design, we performed a two-fold evaluation. First, we measured the performance of our sampling circuit +as a time-domain reflectometer. The most relevant figure to our mesh monitoring application is the pulse generators' +rise time, which determines the frontend's bandwidth and consequently the level of detail that we are able to extract +from a connected mesh during one scan. Since we aim at fingerprinting a connected mesh, not at performing absolute +measurements, we do not need to characterize or de-embed the transfer function of our TDR frontend. + +Second, we characterized the end-to-end performance of our design on a mesh test specimen, and we evaluated its +performance on several realistic tamper attempts. As a baseline characterization, in Section\ \ref{sec_attack_short} we +will show measurements of both short and open mesh traces, allowing us to evaluate our designs' capacity to spatially +localize faults. Building upon this baseline, in Section\ \ref{sec_attack_probe} we will then demonstrate a probing +attack, in which we measured our design's response to a standard \qty{100}{\mega\hertz} bandwidth +$\qty{10}{\mega\ohm}||\qty{10}{\pico\farad}$ oscilloscope probe. Compared to the baseline open/short test, this provides +a greater challenge due to the probe's intentionally high impedance and minimal capacitive loading. Concluding our +attack tests, in Section\ \ref{sec_attack_bridge} we demonstrate a bridging attack that attempts to repair a break +created in the mesh through drilling. + +\subsection{Rise Time Measurement} + +We measured two figures of merit to characterize frontend speed. First, as shown in Section\ \ref{sec_spec_risetime} +below, we measured pulse rise time at the mesh interface using a Keysight N9020A MXA \qty{26.5}{\giga\hertz} signal +analyzer to evaluate the rise time of our pulse generator. This figure indicates the raw performance of our pulse +generator. Second, we used our circuit to perform a TDR measurement of a mesh test specimen and measured the rise time +of the sampling pulse as seen by the circuit itself. This figure indicates the actual measurement performance of our +circuit. In general, this rise time is different from the raw pulse rise time because of the non-linear characteristic +of the sampling Schottky pairs. Depending on the IC, our pules generator produces output waveforms with +\qtyrange{470}{3200}{\milli\volt} differential voltage swing. Since the sampling diode pairs start to conduct at a +combined forward voltage of approximately \qty{300}{\milli\volt}, they will transition from high impedance to low +impedance during a corresponding \qty{300}{\milli\volt} window at the middle of the strobe pulse's edge. Thus, even if +the strobe pulse shows a low-pass response with rounding at both ends, as long as its slew rate +$\frac{\mathrm{d}V}{\mathrm{d}t}$ during the zero crossing is fast enough, the pulse will still result in a sharp +turn-on knee of the sampling diodes. + +\subsubsection{Stimulus Pulse Rise Time at the Mesh} +\label{sec_spec_risetime} + +\begin{figure} + \begin{center} + \begin{subfigure}{0.48\textwidth} + \centering + \includegraphics[width=\textwidth]{fig_spec_risetime_74lvc.pdf} + \caption{74LVC2G157} + \label{fig_spec_risetime_74lvc} + \end{subfigure} + \unskip\begin{subfigure}{0.48\textwidth} + \centering + \includegraphics[width=\textwidth]{fig_spec_risetime_max3748.pdf} + \caption{MAX3748} + \label{fig_spec_risetime_max3748} + \end{subfigure} + + \begin{subfigure}{0.48\textwidth} + \centering + \includegraphics[width=\textwidth]{fig_spec_risetime_tdp0604.pdf} + \caption{TDP0604} + \label{fig_spec_risetime_tdp0604} + \end{subfigure} + \unskip\begin{subfigure}{0.48\textwidth} + \centering + \includegraphics[width=\textwidth]{fig_spec_risetime_pi3hdx.pdf} + \caption{PI3HDX12211} + \label{fig_spec_risetime_pi3hdx} + \end{subfigure} + \end{center} + \caption{Spectrum measurements and re-constructed time domain pulse edge shape of the stimulus pulse measured at the + mesh interface for each of the four driver ICs. Amplitudes were normalized for rise time plots. The $\frac{1}{f}$ + curve in the spectrum plots shows the peak amplitude of the frequency components of an ideal infinite-bandwidth + square wave. The horizontal gray lines in the time domain plots show thresholds used for rise time calculation.} + \label{fig_spec_risetime} +\end{figure} + +To measure the rise time of our frontend's pulse generator, we measured the stimulus output at the mesh interface using +a Keysight N9020A MXA \qty{26.5}{\giga\hertz} signal analyzer\footnote{The spectrum analyzer used significantly exceeded +the capabilities of the fastest oscilloscopes we had access to, so it was the more appropriate choice of measurement +instrument.}. All measurements were taken with the prototype's mesh interface connected to the spectrum analyzer through +a bias tee configured for DC blocking followed by a \qty{20}{\deci\bel} attenuator for protection. Since both stimulus +and sampling pulses are generated using identical circuits, we can transfer those results to the sampling pulse modulo +amplifier output loading effects. + +Figure\ \ref{fig_spec_risetime} and Table\ \ref{tab_edge_risetime} show the resulting measurements. For ease of +interpretation, we projected the measurements from the frequency domain (upper traces) back into the time domain (lower +traces), and extracted rise time measurements from those traces. Our measurements show that, as expected, the bare +\partno{74LVC}-series logic gate has the slowest rise time at approximately \qty{500}{\pico\second}. All three amplifier +variants we implemented showed significantly improved rise time, with the \partno{PI4HDX12211} achieving below +\qty{200}{\pico\second}, and the other two showing around \qty{120}{\pico\second}. A noteworthy detail is that +\partno{MAX3748} and \partno{TDP0604} only achieved a low output signal amplitude, which stems from a combination of +them having low output amplitude by design and of our circuit loading their outputs heavily. Since their amplitude is +only marginally within the knee region of the RF Schottky diodes used in the sampling bridges, in these variants, +the sampling gates end up slower than the raw pulse rise time value alone would suggest. + +\subsubsection{Self-Characterization} + +\begin{figure} + \begin{center} + \includegraphics[width=\textwidth]{fig_edge_risetime.pdf} + \end{center} + \caption{One edge of the stimulus pulse with no mesh connected measured by the board itself, using different + amplifier ICs. For each IC, ten traces are shown. The vertical scale is in Volts at the sampling amplifier output.} + \label{fig_edge_risetime} +\end{figure} + +\begin{table} + \begin{center} + \begin{tabular}{r|cccc} + \textbf{IC} + &\partno{74LVC2G157} + &\partno{MAX3748} + &\partno{TDP0604} + &\partno{PI3HDX12211}\\\hline + + \textbf{$t_r$ (Self-Characterization)}& + \qty{916}{\pico\second}& + \qty{743}{\pico\second}& + \qty{333}{\pico\second}& + \qty{264}{\pico\second}\\ + + \textbf{$t_r$ (Stimulus at Mesh)}& + \qty{573}{\pico\second}& + \qty{125}{\pico\second}& + \qty{119}{\pico\second}& + \qty{191}{\pico\second}\\ + + \textbf{Stimulus Pulse $V_{pp}$}& + \qty{1600}{\milli\volt}& + \qty{236}{\milli\volt}& + \qty{254}{\milli\volt}& + \qty{430}{\milli\volt}\\ + + \textbf{Effective Slew Rate}& + \qty{2.79}{\volt\per\nano\second}& + \qty{1.89}{\volt\per\nano\second}& + \qty{2.13}{\volt\per\nano\second}& + \qty{2.25}{\volt\per\nano\second} + \end{tabular} + \end{center} + \caption{Single-ended stimulus edge rise times for different amplifier ICs. The single-ended rise times of both + positive and negative half of the differential pair have been averaged. External measurements are from Figure\ + \ref{fig_spec_risetime}, measuring the stimulus pulse at the mesh interface. $V_{pp}$ measurements are taken at the + mesh interface. Effective slew rates are calculated from the external measurements and pulse $V{pp}$.} + \label{tab_edge_risetime} +\end{table} + +Figure\ \ref{fig_edge_risetime} shows the result of our self-characterization experiments, where we used the frontend to +measure its own pulse shape. These results correspond to the actual rise time we can expect in practical measurements. +In these experiments, we ran a measurement using $256\times$ oversampling at \qty{12}{b} ADC resolution. The plots show +voltage at the amplifier output voltage against time in \unit{\nano\second}. The absolute value of the amplifier output +voltage is not relevant here - only the rise time is. Since we use some of these amplifiers--particularly the redriver +ICs--well outside of their intended application, the actual voltage they develop across the nonlinear load that our +sampling gate's diode bridge presents depends on implementation details of the amplifier's CML output stage. To maximize +ADC resolution and minimize ringing, we tuned gain and bandwidth of each post-sampling amplifier for each IC. Ringing in +the amplifier output leads to jitter in the ADC's sampling period to directly feeding through to the ADC output value. +Since in \partno{STM32} MCUs, the ADC is clocked independently of the rest of the system, its sampling timing is poorly +controlled and this jitter causes a significant error unless the amplifier is well-compensated. The key figure for us is +how fast our sampling gate turns on, not how hard, so we can largely ignore the units on the graph's vertical scale. + +Table\ \ref{tab_edge_risetime} shows rise times calculated from each trace, averaged across both traces of the +differential pair. From these results and from the graphs in Figure\ \ref{fig_edge_risetime} we can see that in the +optical networking limiting amplifier produces slower edges than the measurements from Figure\ \ref{fig_spec_risetime} +would suggest. We suspect that this is caused by its low output amplitude resulting in part from its specifications and +in part from a poor match between its CML output structure and the nonlinear impedance presented by the sampling diode +bridges. Surprisingly, even the \partno{74LVC2G157} baseline unit has a rise time of less than \qty{1}{\nano\second}. We +estimate that this is caused by the large output voltage swing of this part, going from ground to its $V_{CC}$ at +\qty{3.3}{\volt}. Due to the construction of our sampling gate, its switching happens in the short period between its +input differential voltage crossing zero and it rising above the combined forward voltage of the Schottky diodes. Thus, +while the \partno{74LVC} might produce slow edges overall, its large output swing results in a high slew rate in the +critical region around the zero crossing that mostly determines the speed of the sampling gates. + +We observed the best result overall with the \partno{PI3HDX12211} redriver, resulting in a rise time of +\qty{264}{\pico\second}. In this test specimen, we fed the pulse through the amplifier twice since we had two unused +channels, and we used \qty{200}{\pico\second} clip lines on the amplifier's output for pulse shaping. We could only use +the clip lines in this specimen as in all other specimens, the amplifiers' output did not contain sufficient harmonic +content such that it was still able to turn on the sampling gate's diode bridge when used with the clip line. + +\subsection{Mesh Specimen Characterization} + +\begin{table} + \begin{center} + \begin{tabular}{r|cccc} + \textbf{Specimen} + &1 + &2 + &3 + &4\\\hline + + \textbf{Size}& + $35\times\qty{70}{\milli\meter}$& + $35\times\qty{70}{\milli\meter}$& + $35\times\qty{70}{\milli\meter}$& + $35\times\qty{70}{\milli\meter}$\\ + + \textbf{Area}& + $\qty{24.5}{\centi\meter^2}$& + $\qty{24.5}{\centi\meter^2}$& + $\qty{24.5}{\centi\meter^2}$& + $\qty{24.5}{\centi\meter^2}$\\\hline + + \textbf{Trace width}& + \qty{150}{\micro\meter}& + \qty{200}{\micro\meter}& + \qty{300}{\micro\meter}& + \qty{500}{\micro\meter}\\ + + \textbf{Trace spacing}& + \qty{150}{\micro\meter}& + \qty{200}{\micro\meter}& + \qty{300}{\micro\meter}& + \qty{500}{\micro\meter}\\ + + \textbf{Trace pitch}& + \qty{300}{\micro\meter}& + \qty{400}{\micro\meter}& + \qty{600}{\micro\meter}& + \qty{1.00}{\milli\meter}\\\hline + + \textbf{Trace length}& + \qty{1.07}{\meter}& + \qty{1.93}{\meter}& + \qty{2.86}{\meter}& + \qty{3.86}{\meter}\\ + + \textbf{Approximate Delay}& + \qty{7.1}{\nano\second}& + \qty{13}{\nano\second}& + \qty{19}{\nano\second}& + \qty{26}{\nano\second}\\ + \end{tabular} + \end{center} + \caption{Specifications of mesh test specimens used in the experiments in this paper. All four specimens were placed + on a single, four-layer, \qty{1.0}{\milli\meter} thickness PCB. The meshes were placed two per side on the outer + layers, and the inner layers were used as ground. Approximate signal delays were calculated using wave velocity + $v=\frac{c}{\sqrt{\epsilon_r}}\approx\frac{c}{2}$\cite{wheelerTransmissionLinePropertiesParallel1965} assuming + $\epsilon_r\approx 4$\cite{mumbyDielectricPropertiesFR41989} for the test specimens' \partno{FR-4} substrate.} + \label{tab_mesh_spec} +\end{table} + +To measure the practical performance of our prototype, we created a set of security mesh test specimens. Four specimens +each cover the same area using four different mesh pitches using two, looped mesh traces according to the design +specifications listed in Table\ \ref{tab_mesh_spec}. The four specimens have a trace length ratio of approximately +$1:2:3:4$. As a baseline validation of our prototype as well as the mesh design, we performed TDR measurements of each +mesh specimen using each amplifier variant of our prototype. Figure\ \ref{fig_mesh_length} shows the results of these +measurements. The graphs show the step response resulting from an edge entering the mesh, and its reflection arriving +back at the start after traversing the mesh back and forth. + +We validated the results from Figure\ \ref{fig_mesh_length} by calculating speed of light in our mesh specimen's +substrate based on them. The resulting measurements are shown in Table\ \ref{tab_speed_of_light}. All amplifier +configurations yield comparable measurements of approximately \qty{1.6}{\meter\per\second}, which corresponds well with +the expected signal propagation velocity in \partno{FR-4} PCB material of +\qty{1.5d8}{\meter\per\second}\cite{wheelerTransmissionLinePropertiesParallel1965,mumbyDielectricPropertiesFR41989}. + +An interesting aspect of the graphs in Figure\ \ref{fig_mesh_length} is that all except the \partno{74LVC} graph show a +dispersion effect increasingly rounding out the trailing edge of the response with longer mesh lengths. We suspect this +effect stems from higher-frequency components coupling into adjacent trace segments further up or down the mesh more +easily, spreading high-frequency components of the response signal out throughout time and effectively creating a +low-pass response. We suspect the poor visibility of this effect in the \partno{74LVC} measurements is a result of this +variant's pulse amplifier output amplitude being very large, allowing reflected response components to forward-bias the +sampling gate's diode bridges, resulting in amplitude clipping. + +From this dispersion effect follows a key point for the design of practical security meshes: To increase the temporal +resolution of TDR mesh monitoring, meshes should be broken up into relatively short segments that are multiplexed +through signal switching. Where this is not desirable, the mesh can be treated as a microwave circuit design that can be +optimized through the electronic CAD/electromagnetic simulation co-design approach used for such circuits. + +\begin{figure} + \begin{center} + \includegraphics[width=\textwidth]{fig_mesh_length.pdf} + \end{center} + \caption{TDR responses captured using our design with each of four candidate pulse amplifier ICs and four mesh test + specimens. The shown time range covers the primary reflection of the stimulus pulse's falling edge. The vertical + scale of all four graphs is in Volts at the ADC. For clarity, only one channel of the response is shown.} + \label{fig_mesh_length} +\end{figure} + +\begin{table} + \begin{center} + \begin{tabular}{r|cccc|c} + &\multicolumn{4}{c|}{Specimen}&\\ + Pulse amplifier IC& + 1& + 2& + 3& + 4& + Calculated speed of light $c$ + \\\hline + + \partno{PI3HDX12211}& + \qty{16.9}{\nano\second}& + \qty{26.0}{\nano\second}& + \qty{36.4}{\nano\second}& + \qty{46.1}{\nano\second}& + $\qty{1.59d8}{\meter\per\second}$\\ + + \partno{74LVC2G157}& + \qty{17.1}{\nano\second}& + \qty{26.4}{\nano\second}& + \qty{36.6}{\nano\second}& + \qty{48.2}{\nano\second}& + $\qty{1.55d8}{\meter\per\second}$\\ + + \partno{MAX3748}& + \qty{17.2}{\nano\second}& + \qty{26.4}{\nano\second}& + \qty{36.6}{\nano\second}& + \qty{45.6}{\nano\second}& + $\qty{1.59d8}{\meter\per\second}$\\ + + \partno{TDP0604}& + \qty{17.0}{\nano\second}& + \qty{26.2}{\nano\second}& + \qty{36.5}{\nano\second}& + \qty{45.8}{\nano\second}& + $\qty{1.59d8}{\meter\per\second}$\\ + \end{tabular} + \end{center} + \caption{Speed of light and time offset calculated from delays read from the graphs in Figure\ + \ref{fig_mesh_length}. $c$ is the speed of light determined by linear fit.} + \label{tab_speed_of_light} +\end{table} + +\subsection{Tamper tests} + +After validating our prototype's electrical performance as well as our mesh specimen designs in the previous sections, +we performed a series of experiments where we performed tampering attempts on a mesh specimen while monitoring it using +our TDR prototype, capturing responses both before and after tampering. We performed two sets of experiments. + +\subsubsection{Short and Open Circuits} +\label{sec_attack_short} + +\begin{figure} + \begin{center} + \includegraphics[width=\textwidth]{fig_manip_shape.pdf} + \end{center} + \caption{TDR responses captured using our design under three short- and one open-circuit scenario. The distance from + mesh start to Location 1, 2, and 3 is \qty{558}{\milli\meter}, \qty{125}{\milli\meter} and \qty{850}{\milli\meter}, + respectively. The cut is approximately halfway through the mesh. Left and right plots show the positive and negative + trace of the differential pair, respectively. Black traces show baseline measurements in between attacks. The + baselines show vertical offsets due to temperature drift, which causes a small DC offset in our design. The vertical + scale is in Volts at the ADC.} + \label{fig_manip_shape} +\end{figure} + +In our first experiment, we tested both short and open-circuit conditions. We tested a short circuit between the two +mesh traces in three locations as well as a cut trace halfway through the mesh. Figure\ \ref{fig_pic_specimens} in +Appendix\ \ref{appendix_photos} shows photos of our test specimen. Figure\ \ref{fig_manip_shape} shows the result of our +experiment. The graphs show a clear response of our monitoring circuit to all four tampering scenarios. Short and open +circuit conditions can clearly be distinguished from each other, and in all cases, the fault location can be determined +with sub-nanosecond precision, corresponding to several centimeters in distance along the mesh. + +\subsubsection{Probing by Oscilloscope Probe} +\label{sec_attack_probe} + +\begin{figure} + \begin{center} + \includegraphics[width=\textwidth]{fig_probe_shape.pdf} + \end{center} + \caption{The circuit's TDR response under a probing attack using an oscilloscope probe. Black traces are a series of + un-probed baseline measurements taken between attacks. All traces are plotted relative to a separate baseline trace + taken at the beginning of the experiment. The top and bottom plots show the two halves of the differential pair.} + \label{fig_probe_shape} +\end{figure} + +In our second experiment, we probed each of the three locations from the test specimen shown in Figure\ +\ref{fig_pic_specimens} in the Appendix once at each trace of the trace pair using a Rigol \partno{PVP3150} $\times +1/\times 10$ oscilloscope probe set to $\times 10$ mode. We grounded the probe's ground clip to the mesh ground and used +the probe without tip attachment. + +Using the \partno{PI3HDX12211} variant of our prototype, we measured the mesh's TDR response while probing. Figure\ +\ref{fig_manip_shape} shows the resulting TDR traces. Oscilloscope probes are specifically designed to disturb the +circuit under test as little as possible, with this one being specified as presenting as a \qty{10}{\mega\ohm} resistive +load in parallel with a \qty{10}{\pico\farad} capacitance when used in $\times 10$ mode as we did here. Since the +resulting disturbance to the TDR traces is smaller than those in Figure\ \ref{fig_manip_shape}, we post-processed the +traces by subtracting a baseline trace taken before the measurements. To highlight drift in the baseline trace, we +include additional baseline traces taken in between and after measurements using the same post-processing. + +In each trace, the mesh was probed in one of three locations as in Figure\ \ref{fig_manip_shape}, and on one of the two +mesh traces. The time range shown in the graph covers the primary reflection of the stimulus pulse's rising edge. We can +clearly see a distinct response to each of the three probing attempts with the only caveat being that the response of +the two mesh traces is asymmetrical due to asymmetry in our sampling frontend when measuring such low signal levels. +Interestingly, this asymmetry is fully compensated by the fact that we excite the mesh differentially, and as a result +probing either trace distorts their shared electromagnetic field, and impacts measurements on \emph{both} traces. +Particularly on the first trace, we can distinguish which trace was probed, as well as where it was probed, in a single +measurement. + +\subsubsection{Circumvention Through Micro-Soldering} +\label{sec_attack_bridge} + +\begin{figure} + \centering + \begin{subfigure}{0.78\textwidth} + \centering + \includegraphics[width=\textwidth]{fig_drill_mod_shape.pdf} + \label{fig_drill_mod_shape_plot} + \end{subfigure} + \begin{subfigure}{0.2\textwidth} + \centering + \includegraphics[width=\textwidth]{pic_manip_microsoldering_small.jpg} + \vspace*{2mm} + \label{fig_drill_mod_shape_pic} + \end{subfigure} + \caption{The circuit's TDR response under a manipulation attack bridging part of a trace to allow a + \qty{300}{\micro\meter} drill to penetrate. The mesh pitch is \qty{240}{\micro\meter}. Red traces show + measurements with a looped wire patch comparable to \textcite{immlerSecurePhysicalEnclosures2018}, black traces + show the same gap bridged with a minimally short straight piece of wire. The left and right plots show the two + halves of the differential pair. The photo shows the looped wire patch with a \qty{1}{\milli\meter} pitch ruler + for reference. Traces are normalized as in Figure\ \ref{fig_probe_shape}.} + \label{fig_drill_mod_shape} +\end{figure} + +While our proposed measurement setup significantly increases the level of effort required from an attacker, as long as +standard PCBs are used, PCB rework techniques that are widely used in the industry for PCB repair can be applied. If we +assume a standard PCB process with \qty{100}{\micro\meter} trace/space design rules, a drilling attack targeting a +\qty{300}{\micro\meter} hole size as proposed by \textcite{immlerSecurePhysicalEnclosures2018} will break at least one +trace. Patching the resulting break using a wire is possible, but with increasing wire length, the TDR response of the +mesh is increasingly distorted. We experimentally performed an attack comparable to the one shown by +\textcite{immlerSecurePhysicalEnclosures2018} on a \qty{240}{\micro\meter} pitch mesh specimen. Figure\ +\ref{fig_drill_mod_shape} shows our modification and the resulting change in TDR response. As we can see, adding even +just a few millimeters of wire will measurably and consistently distort the TDR response. + +\subsection{Countermeasures} + +As shown above, PCB security meshes can be manipulated using industry-standard micro-soldering techniques. Keeping the +length of any patch wires as short as possible, it is conceivable that the impact on TDR response could be kept below +detection thresholds. Our setup provides increased resistance against such attacks since the entire attack would have to +be carried out without electrically contacting either mesh trace. In particular, soldering would have to be done using a +minimal amount of solder as well as a bespoke, insulated soldering iron tip. While manufacturing such a tool out of a +material like sintered ceramic is conceivable, to our knowledge, no such tool exists on the market. + +Furthermore, the actual drilling would have to happen with a dielectric drill bit, placing special attention on +evacuating conductive copper chips before they can create shorts to nearby traces. Again, it is conceivable that such a +tool could be manufactured, but to our knowledge, such a tool is not currently available as a standard component on the +market. + +Finally, any probes penetrating the mesh would have to be placed such that their presence in the vicinity of the mesh +traces does not disturb the TDR response. In particular, we have observed that even touching the mesh will distort the +response, so modifications would have to be carried out with great care, likely using micromanipulators or similar +specialized equipment. + +The PCI PTS HSM DTR standard\cite{pcisecuritystandardscouncilPaymentCardIndustry2021a} contains a useful framework for +thinking about attacker capabilities. Applying their taxonomy, our monitoring system raises the skill level required for +a patching attack from a \emph{skilled} attacker to an \emph{expert} attacker, and the equipment requirement from +\emph{standard} equipment to \emph{bespoke} equipment such as dielectric drill bits and ceramic soldering tips. + +\section{Future Work} + +\paragraph{Design variants.} While the \partno{STM32G4}'s \partno{HRTIM} peripheral offers edge position control at a +precision of $\frac{1}{32}$ system clock cycle using an automatically adjusted delay-locked loop at each output driver, +due to the comparatively slow maximum system clock speed of \qty{168}{\mega\hertz}, this still only results in a timing +resolution of \qty{184}{\pico\second}. While we have demonstrated this is sufficient to detect and localize several +attack variants, it would be interesting to increase time resolution since in our measurements, we observed that the +end-to-end jitter of our sampler is low enough that our circuit would benefit from finer delay control. In our +prototype, we implemented a--so far unused--adjustable power supply for the \partno{74LVC} series buffer in between the +\partno{HRTIM} outputs and the pulse amplifier. By adjusting this buffer's power supply through one of the +microcontroller's digital-to-analog converter (DAC) channels, we expect that it should be possible to exploit the supply +voltage dependency of the propagation delay of \partno{74LVC} series CMOS logic to create a digitally controllable delay +with picosecond resolution. The internal DLL of the \partno{HRTIM} peripheral is likely implemented similarly. + +% FIXME reword for publication +\paragraph{System design.} The work we presented in this paper is complementary to the work previously presented by +\textcite{gotteCantTouchThis2022}, where the authors improved security of a simple security mesh made from standard PCBs +through mechanical motion. We are currently working on a prototype combining both approaches and incorporating heuristic +scan scheduling as mentioned in Section\ \ref{sec_scan_schedule} for a cost-efficient yet powerful physical security +primitive. + +\paragraph{Auxiliary applications.} In this work, we have presented a design for a low-cost, embedded TDR frontend. +Besides security mesh monitoring, through multiplexing this TDR frontend could be used for other system monitoring +tasks from tamper sensing to system health monitoring. For instance, \textcite{vaiSecureArchitectureEmbedded2015} +propose an approach for checking the integrity of a PCBA using an external Vector Network Analyzer (VNA) attached to +test points on the PCBA's Power Distribution Network (PDN). TDR can produce fingerprints similar to a VNA, and it would +be interesting to measure parts of the secure subsystem other than its security mesh using our TDR frontend. + +\section{Conclusion} + +In this paper, we presented a design for a low-cost frontend for integrity monitoring of security meshes in applications +such as HSMs based on the principles of sub-nanosecond Time Domain Reflectometry. Our design repurposes an inexpensive +HDMI redriver IC to produce sharp edges for the TDR stimulus, and applies a microwave clip line to form fast pulses for +TDR sampling. Our design creates a detailed fingerprint of the intact mesh's condition that not only captures the length +of the mesh's traces but also reflects the impedance at every point along the mesh. + +Beyond simply detecting faults or manipulations that disturb the mesh without causing breaks, we have demonstrated our +prototype circuit's capability to distinguish and physically localize faults inside the mesh in several practical attack +scenarios with even careful attacks causing strong disturbances in the generated fingerprint. + +Compared to the state of the art, our approach enables the monitoring of larger meshes, at higher sensitivity and lower +cost. Our is easy to replicate, does not require any specialized or custom components, and unlocks high-security +applications for security meshes made using low-cost, standard PCB manufacturing processes. + +% FIXME put into actual appendix +%\appendix +%\section{Additional photos} +%\label{appendix_photos} +% +%\begin{figure}[h!] +% \centering +% \begin{subfigure}{0.45\textwidth} +% \centering +% \includegraphics[width=0.8\textwidth]{pic_short_2_small.jpg} +% \label{fig_pic_specimens_short} +% \caption{Short circuit test specimen} +% \end{subfigure} +% \begin{subfigure}{0.45\textwidth} +% \centering +% \includegraphics[width=0.8\textwidth]{pic_cut_1_small.jpg} +% \label{fig_pic_specimens_open} +% \caption{Cut trace test specimen} +% \end{subfigure} +% \caption{Photos of the short circuit and cut trace test specimens. In the specimen shown on the left, in each of the +% three marked locations, both traces of the mesh were exposed. To measure short circuit response, the traces were +% shorted in one of the locations using a soldering iron. In the specimen shown on the right, one trace was +% exposed and cut in the marked location. To measure baseline values, the test specimen shown on the right was +% used with the trace temporarily repaired.} +% \label{fig_pic_specimens} +%\end{figure} +% +% diff --git a/chapter-sampling-mesh-monitor/figures/block_diagram.pdf b/chapter-sampling-mesh-monitor/figures/block_diagram.pdf new file mode 100644 index 0000000..1e88444 Binary files /dev/null and b/chapter-sampling-mesh-monitor/figures/block_diagram.pdf differ diff --git a/chapter-sampling-mesh-monitor/figures/block_diagram.pdf.latex_meta b/chapter-sampling-mesh-monitor/figures/block_diagram.pdf.latex_meta new file mode 100644 index 0000000..4603e95 --- /dev/null +++ b/chapter-sampling-mesh-monitor/figures/block_diagram.pdf.latex_meta @@ -0,0 +1,6 @@ +\def\resourcestate{\draftgraphics} +\def\resourcescale{} +\def\resourceurl{https://git.jaseg.de/ihsm-sampling-mesh-monitor-hw.git/plain/paper/block\_diagram.pdf?h=6a88f43e08e5cfff61b3ff1e5c2829a9590d7424} +\def\resourcerev{v0-draft-41-g6a88f43} +\def\resourcerepo{ihsm-sampling-mesh-monitor-hw.git} +\def\resourcepath{paper/block\_diagram.pdf} \ No newline at end of file diff --git a/chapter-sampling-mesh-monitor/figures/fig_drill_mod_shape.pdf b/chapter-sampling-mesh-monitor/figures/fig_drill_mod_shape.pdf new file mode 100644 index 0000000..11a2435 Binary files /dev/null and b/chapter-sampling-mesh-monitor/figures/fig_drill_mod_shape.pdf differ diff --git a/chapter-sampling-mesh-monitor/figures/fig_drill_mod_shape.pdf.latex_meta b/chapter-sampling-mesh-monitor/figures/fig_drill_mod_shape.pdf.latex_meta new file mode 100644 index 0000000..755915e --- /dev/null +++ b/chapter-sampling-mesh-monitor/figures/fig_drill_mod_shape.pdf.latex_meta @@ -0,0 +1,6 @@ +\def\resourcestate{\draftgraphics} +\def\resourcescale{} +\def\resourceurl{https://git.jaseg.de/ihsm-sampling-mesh-monitor-hw.git/plain/paper/fig\_drill\_mod\_shape.pdf?h=6a88f43e08e5cfff61b3ff1e5c2829a9590d7424} +\def\resourcerev{v0-draft-41-g6a88f43} +\def\resourcerepo{ihsm-sampling-mesh-monitor-hw.git} +\def\resourcepath{paper/fig\_drill\_mod\_shape.pdf} \ No newline at end of file diff --git a/chapter-sampling-mesh-monitor/figures/fig_edge_risetime.pdf b/chapter-sampling-mesh-monitor/figures/fig_edge_risetime.pdf new file mode 100644 index 0000000..a929d06 Binary files /dev/null and b/chapter-sampling-mesh-monitor/figures/fig_edge_risetime.pdf differ diff --git a/chapter-sampling-mesh-monitor/figures/fig_edge_risetime.pdf.latex_meta b/chapter-sampling-mesh-monitor/figures/fig_edge_risetime.pdf.latex_meta new file mode 100644 index 0000000..608e38c --- /dev/null +++ b/chapter-sampling-mesh-monitor/figures/fig_edge_risetime.pdf.latex_meta @@ -0,0 +1,6 @@ +\def\resourcestate{\draftgraphics} +\def\resourcescale{} +\def\resourceurl{https://git.jaseg.de/ihsm-sampling-mesh-monitor-hw.git/plain/paper/fig\_edge\_risetime.pdf?h=6a88f43e08e5cfff61b3ff1e5c2829a9590d7424} +\def\resourcerev{v0-draft-41-g6a88f43} +\def\resourcerepo{ihsm-sampling-mesh-monitor-hw.git} +\def\resourcepath{paper/fig\_edge\_risetime.pdf} \ No newline at end of file diff --git a/chapter-sampling-mesh-monitor/figures/fig_manip_shape.pdf b/chapter-sampling-mesh-monitor/figures/fig_manip_shape.pdf new file mode 100644 index 0000000..bd8a83e Binary files /dev/null and b/chapter-sampling-mesh-monitor/figures/fig_manip_shape.pdf differ diff --git a/chapter-sampling-mesh-monitor/figures/fig_manip_shape.pdf.latex_meta b/chapter-sampling-mesh-monitor/figures/fig_manip_shape.pdf.latex_meta new file mode 100644 index 0000000..92d59bb --- /dev/null +++ b/chapter-sampling-mesh-monitor/figures/fig_manip_shape.pdf.latex_meta @@ -0,0 +1,6 @@ +\def\resourcestate{\draftgraphics} +\def\resourcescale{} +\def\resourceurl{https://git.jaseg.de/ihsm-sampling-mesh-monitor-hw.git/plain/paper/fig\_manip\_shape.pdf?h=6a88f43e08e5cfff61b3ff1e5c2829a9590d7424} +\def\resourcerev{v0-draft-41-g6a88f43} +\def\resourcerepo{ihsm-sampling-mesh-monitor-hw.git} +\def\resourcepath{paper/fig\_manip\_shape.pdf} \ No newline at end of file diff --git a/chapter-sampling-mesh-monitor/figures/fig_mesh_length.pdf b/chapter-sampling-mesh-monitor/figures/fig_mesh_length.pdf new file mode 100644 index 0000000..fcadfad Binary files /dev/null and b/chapter-sampling-mesh-monitor/figures/fig_mesh_length.pdf differ diff --git a/chapter-sampling-mesh-monitor/figures/fig_mesh_length.pdf.latex_meta b/chapter-sampling-mesh-monitor/figures/fig_mesh_length.pdf.latex_meta new file mode 100644 index 0000000..c5b8421 --- /dev/null +++ b/chapter-sampling-mesh-monitor/figures/fig_mesh_length.pdf.latex_meta @@ -0,0 +1,6 @@ +\def\resourcestate{\draftgraphics} +\def\resourcescale{} +\def\resourceurl{https://git.jaseg.de/ihsm-sampling-mesh-monitor-hw.git/plain/paper/fig\_mesh\_length.pdf?h=6a88f43e08e5cfff61b3ff1e5c2829a9590d7424} +\def\resourcerev{v0-draft-41-g6a88f43} +\def\resourcerepo{ihsm-sampling-mesh-monitor-hw.git} +\def\resourcepath{paper/fig\_mesh\_length.pdf} \ No newline at end of file diff --git a/chapter-sampling-mesh-monitor/figures/fig_probe_shape.pdf b/chapter-sampling-mesh-monitor/figures/fig_probe_shape.pdf new file mode 100644 index 0000000..703300c Binary files /dev/null and b/chapter-sampling-mesh-monitor/figures/fig_probe_shape.pdf differ diff --git a/chapter-sampling-mesh-monitor/figures/fig_probe_shape.pdf.latex_meta b/chapter-sampling-mesh-monitor/figures/fig_probe_shape.pdf.latex_meta new file mode 100644 index 0000000..f83eb4e --- /dev/null +++ b/chapter-sampling-mesh-monitor/figures/fig_probe_shape.pdf.latex_meta @@ -0,0 +1,6 @@ +\def\resourcestate{\draftgraphics} +\def\resourcescale{} +\def\resourceurl{https://git.jaseg.de/ihsm-sampling-mesh-monitor-hw.git/plain/paper/fig\_probe\_shape.pdf?h=6a88f43e08e5cfff61b3ff1e5c2829a9590d7424} +\def\resourcerev{v0-draft-41-g6a88f43} +\def\resourcerepo{ihsm-sampling-mesh-monitor-hw.git} +\def\resourcepath{paper/fig\_probe\_shape.pdf} \ No newline at end of file diff --git a/chapter-sampling-mesh-monitor/figures/fig_spec_risetime_74lvc.pdf b/chapter-sampling-mesh-monitor/figures/fig_spec_risetime_74lvc.pdf new file mode 100644 index 0000000..3c084df Binary files /dev/null and b/chapter-sampling-mesh-monitor/figures/fig_spec_risetime_74lvc.pdf differ diff --git a/chapter-sampling-mesh-monitor/figures/fig_spec_risetime_74lvc.pdf.latex_meta b/chapter-sampling-mesh-monitor/figures/fig_spec_risetime_74lvc.pdf.latex_meta new file mode 100644 index 0000000..4072188 --- /dev/null +++ b/chapter-sampling-mesh-monitor/figures/fig_spec_risetime_74lvc.pdf.latex_meta @@ -0,0 +1,6 @@ +\def\resourcestate{\draftgraphics} +\def\resourcescale{} +\def\resourceurl{https://git.jaseg.de/ihsm-sampling-mesh-monitor-hw.git/plain/paper/fig\_spec\_risetime\_74lvc.pdf?h=6a88f43e08e5cfff61b3ff1e5c2829a9590d7424} +\def\resourcerev{v0-draft-41-g6a88f43} +\def\resourcerepo{ihsm-sampling-mesh-monitor-hw.git} +\def\resourcepath{paper/fig\_spec\_risetime\_74lvc.pdf} \ No newline at end of file diff --git a/chapter-sampling-mesh-monitor/figures/fig_spec_risetime_max3748.pdf b/chapter-sampling-mesh-monitor/figures/fig_spec_risetime_max3748.pdf new file mode 100644 index 0000000..a109968 Binary files /dev/null and b/chapter-sampling-mesh-monitor/figures/fig_spec_risetime_max3748.pdf differ diff --git a/chapter-sampling-mesh-monitor/figures/fig_spec_risetime_max3748.pdf.latex_meta b/chapter-sampling-mesh-monitor/figures/fig_spec_risetime_max3748.pdf.latex_meta new file mode 100644 index 0000000..f3427b8 --- /dev/null +++ b/chapter-sampling-mesh-monitor/figures/fig_spec_risetime_max3748.pdf.latex_meta @@ -0,0 +1,6 @@ +\def\resourcestate{\draftgraphics} +\def\resourcescale{} +\def\resourceurl{https://git.jaseg.de/ihsm-sampling-mesh-monitor-hw.git/plain/paper/fig\_spec\_risetime\_max3748.pdf?h=6a88f43e08e5cfff61b3ff1e5c2829a9590d7424} +\def\resourcerev{v0-draft-41-g6a88f43} +\def\resourcerepo{ihsm-sampling-mesh-monitor-hw.git} +\def\resourcepath{paper/fig\_spec\_risetime\_max3748.pdf} \ No newline at end of file diff --git a/chapter-sampling-mesh-monitor/figures/fig_spec_risetime_pi3hdx.pdf b/chapter-sampling-mesh-monitor/figures/fig_spec_risetime_pi3hdx.pdf new file mode 100644 index 0000000..d0542c1 Binary files /dev/null and b/chapter-sampling-mesh-monitor/figures/fig_spec_risetime_pi3hdx.pdf differ diff --git a/chapter-sampling-mesh-monitor/figures/fig_spec_risetime_pi3hdx.pdf.latex_meta b/chapter-sampling-mesh-monitor/figures/fig_spec_risetime_pi3hdx.pdf.latex_meta new file mode 100644 index 0000000..0164e49 --- /dev/null +++ b/chapter-sampling-mesh-monitor/figures/fig_spec_risetime_pi3hdx.pdf.latex_meta @@ -0,0 +1,6 @@ +\def\resourcestate{\draftgraphics} +\def\resourcescale{} +\def\resourceurl{https://git.jaseg.de/ihsm-sampling-mesh-monitor-hw.git/plain/paper/fig\_spec\_risetime\_pi3hdx.pdf?h=6a88f43e08e5cfff61b3ff1e5c2829a9590d7424} +\def\resourcerev{v0-draft-41-g6a88f43} +\def\resourcerepo{ihsm-sampling-mesh-monitor-hw.git} +\def\resourcepath{paper/fig\_spec\_risetime\_pi3hdx.pdf} \ No newline at end of file diff --git a/chapter-sampling-mesh-monitor/figures/fig_spec_risetime_tdp0604.pdf b/chapter-sampling-mesh-monitor/figures/fig_spec_risetime_tdp0604.pdf new file mode 100644 index 0000000..7c8f6ac Binary files /dev/null and b/chapter-sampling-mesh-monitor/figures/fig_spec_risetime_tdp0604.pdf differ diff --git a/chapter-sampling-mesh-monitor/figures/fig_spec_risetime_tdp0604.pdf.latex_meta b/chapter-sampling-mesh-monitor/figures/fig_spec_risetime_tdp0604.pdf.latex_meta new file mode 100644 index 0000000..b90a58b --- /dev/null +++ b/chapter-sampling-mesh-monitor/figures/fig_spec_risetime_tdp0604.pdf.latex_meta @@ -0,0 +1,6 @@ +\def\resourcestate{\draftgraphics} +\def\resourcescale{} +\def\resourceurl{https://git.jaseg.de/ihsm-sampling-mesh-monitor-hw.git/plain/paper/fig\_spec\_risetime\_tdp0604.pdf?h=6a88f43e08e5cfff61b3ff1e5c2829a9590d7424} +\def\resourcerev{v0-draft-41-g6a88f43} +\def\resourcerepo{ihsm-sampling-mesh-monitor-hw.git} +\def\resourcepath{paper/fig\_spec\_risetime\_tdp0604.pdf} \ No newline at end of file diff --git a/chapter-sampling-mesh-monitor/figures/ihsm-sampling-mesh-monitor-hw b/chapter-sampling-mesh-monitor/figures/ihsm-sampling-mesh-monitor-hw new file mode 160000 index 0000000..6a88f43 --- /dev/null +++ b/chapter-sampling-mesh-monitor/figures/ihsm-sampling-mesh-monitor-hw @@ -0,0 +1 @@ +Subproject commit 6a88f43e08e5cfff61b3ff1e5c2829a9590d7424 diff --git a/chapter-sampling-mesh-monitor/figures/manip_pearson_corr.pdf b/chapter-sampling-mesh-monitor/figures/manip_pearson_corr.pdf new file mode 100644 index 0000000..cff5ce0 Binary files /dev/null and b/chapter-sampling-mesh-monitor/figures/manip_pearson_corr.pdf differ diff --git a/chapter-sampling-mesh-monitor/figures/manip_pearson_corr.pdf.latex_meta b/chapter-sampling-mesh-monitor/figures/manip_pearson_corr.pdf.latex_meta new file mode 100644 index 0000000..0274d2c --- /dev/null +++ b/chapter-sampling-mesh-monitor/figures/manip_pearson_corr.pdf.latex_meta @@ -0,0 +1,6 @@ +\def\resourcestate{\draftgraphics} +\def\resourcescale{} +\def\resourceurl{https://git.jaseg.de/ihsm-sampling-mesh-monitor-hw.git/plain/paper/manip\_pearson\_corr.pdf?h=6a88f43e08e5cfff61b3ff1e5c2829a9590d7424} +\def\resourcerev{v0-draft-41-g6a88f43} +\def\resourcerepo{ihsm-sampling-mesh-monitor-hw.git} +\def\resourcepath{paper/manip\_pearson\_corr.pdf} \ No newline at end of file diff --git a/chapter-sampling-mesh-monitor/figures/patch_pearson_corr.pdf b/chapter-sampling-mesh-monitor/figures/patch_pearson_corr.pdf new file mode 100644 index 0000000..8f5527c Binary files /dev/null and b/chapter-sampling-mesh-monitor/figures/patch_pearson_corr.pdf differ diff --git a/chapter-sampling-mesh-monitor/figures/patch_pearson_corr.pdf.latex_meta b/chapter-sampling-mesh-monitor/figures/patch_pearson_corr.pdf.latex_meta new file mode 100644 index 0000000..fa01d3b --- /dev/null +++ b/chapter-sampling-mesh-monitor/figures/patch_pearson_corr.pdf.latex_meta @@ -0,0 +1,6 @@ +\def\resourcestate{\draftgraphics} +\def\resourcescale{} +\def\resourceurl{https://git.jaseg.de/ihsm-sampling-mesh-monitor-hw.git/plain/paper/patch\_pearson\_corr.pdf?h=6a88f43e08e5cfff61b3ff1e5c2829a9590d7424} +\def\resourcerev{v0-draft-41-g6a88f43} +\def\resourcerepo{ihsm-sampling-mesh-monitor-hw.git} +\def\resourcepath{paper/patch\_pearson\_corr.pdf} \ No newline at end of file diff --git a/chapter-sampling-mesh-monitor/figures/pic_74lvc.jpg b/chapter-sampling-mesh-monitor/figures/pic_74lvc.jpg new file mode 100644 index 0000000..5a00364 Binary files /dev/null and b/chapter-sampling-mesh-monitor/figures/pic_74lvc.jpg differ diff --git a/chapter-sampling-mesh-monitor/figures/pic_74lvc.jpg.latex_meta b/chapter-sampling-mesh-monitor/figures/pic_74lvc.jpg.latex_meta new file mode 100644 index 0000000..2c4a925 --- /dev/null +++ b/chapter-sampling-mesh-monitor/figures/pic_74lvc.jpg.latex_meta @@ -0,0 +1,6 @@ +\def\resourcestate{\draftgraphics} +\def\resourcescale{} +\def\resourceurl{https://git.jaseg.de/ihsm-sampling-mesh-monitor-hw.git/plain/paper/pic\_74lvc.jpg?h=6a88f43e08e5cfff61b3ff1e5c2829a9590d7424} +\def\resourcerev{v0-draft-41-g6a88f43} +\def\resourcerepo{ihsm-sampling-mesh-monitor-hw.git} +\def\resourcepath{paper/pic\_74lvc.jpg} \ No newline at end of file diff --git a/chapter-sampling-mesh-monitor/figures/pic_74lvc_small.jpg b/chapter-sampling-mesh-monitor/figures/pic_74lvc_small.jpg new file mode 100644 index 0000000..cb3a397 Binary files /dev/null and b/chapter-sampling-mesh-monitor/figures/pic_74lvc_small.jpg differ diff --git a/chapter-sampling-mesh-monitor/figures/pic_74lvc_small.jpg.latex_meta b/chapter-sampling-mesh-monitor/figures/pic_74lvc_small.jpg.latex_meta new file mode 100644 index 0000000..f2628a2 --- /dev/null +++ b/chapter-sampling-mesh-monitor/figures/pic_74lvc_small.jpg.latex_meta @@ -0,0 +1,6 @@ +\def\resourcestate{\draftgraphics} +\def\resourcescale{} +\def\resourceurl{https://git.jaseg.de/ihsm-sampling-mesh-monitor-hw.git/plain/paper/pic\_74lvc\_small.jpg?h=6a88f43e08e5cfff61b3ff1e5c2829a9590d7424} +\def\resourcerev{v0-draft-41-g6a88f43} +\def\resourcerepo{ihsm-sampling-mesh-monitor-hw.git} +\def\resourcepath{paper/pic\_74lvc\_small.jpg} \ No newline at end of file diff --git a/chapter-sampling-mesh-monitor/figures/pic_board_setup.jpg b/chapter-sampling-mesh-monitor/figures/pic_board_setup.jpg new file mode 100644 index 0000000..be5b1b3 Binary files /dev/null and b/chapter-sampling-mesh-monitor/figures/pic_board_setup.jpg differ diff --git a/chapter-sampling-mesh-monitor/figures/pic_board_setup.jpg.latex_meta b/chapter-sampling-mesh-monitor/figures/pic_board_setup.jpg.latex_meta new file mode 100644 index 0000000..3f7f9c4 --- /dev/null +++ b/chapter-sampling-mesh-monitor/figures/pic_board_setup.jpg.latex_meta @@ -0,0 +1,6 @@ +\def\resourcestate{\draftgraphics} +\def\resourcescale{} +\def\resourceurl{https://git.jaseg.de/ihsm-sampling-mesh-monitor-hw.git/plain/paper/pic\_board\_setup.jpg?h=6a88f43e08e5cfff61b3ff1e5c2829a9590d7424} +\def\resourcerev{v0-draft-41-g6a88f43} +\def\resourcerepo{ihsm-sampling-mesh-monitor-hw.git} +\def\resourcepath{paper/pic\_board\_setup.jpg} \ No newline at end of file diff --git a/chapter-sampling-mesh-monitor/figures/pic_board_setup_2.jpg b/chapter-sampling-mesh-monitor/figures/pic_board_setup_2.jpg new file mode 100644 index 0000000..4198a2f Binary files /dev/null and b/chapter-sampling-mesh-monitor/figures/pic_board_setup_2.jpg differ diff --git a/chapter-sampling-mesh-monitor/figures/pic_board_setup_2.jpg.latex_meta b/chapter-sampling-mesh-monitor/figures/pic_board_setup_2.jpg.latex_meta new file mode 100644 index 0000000..4908dd6 --- /dev/null +++ b/chapter-sampling-mesh-monitor/figures/pic_board_setup_2.jpg.latex_meta @@ -0,0 +1,6 @@ +\def\resourcestate{\draftgraphics} +\def\resourcescale{} +\def\resourceurl{https://git.jaseg.de/ihsm-sampling-mesh-monitor-hw.git/plain/paper/pic\_board\_setup\_2.jpg?h=6a88f43e08e5cfff61b3ff1e5c2829a9590d7424} +\def\resourcerev{v0-draft-41-g6a88f43} +\def\resourcerepo{ihsm-sampling-mesh-monitor-hw.git} +\def\resourcepath{paper/pic\_board\_setup\_2.jpg} \ No newline at end of file diff --git a/chapter-sampling-mesh-monitor/figures/pic_board_setup_2_small.jpg b/chapter-sampling-mesh-monitor/figures/pic_board_setup_2_small.jpg new file mode 100644 index 0000000..255b55e Binary files /dev/null and b/chapter-sampling-mesh-monitor/figures/pic_board_setup_2_small.jpg differ diff --git a/chapter-sampling-mesh-monitor/figures/pic_board_setup_2_small.jpg.latex_meta b/chapter-sampling-mesh-monitor/figures/pic_board_setup_2_small.jpg.latex_meta new file mode 100644 index 0000000..755e728 --- /dev/null +++ b/chapter-sampling-mesh-monitor/figures/pic_board_setup_2_small.jpg.latex_meta @@ -0,0 +1,6 @@ +\def\resourcestate{\draftgraphics} +\def\resourcescale{} +\def\resourceurl{https://git.jaseg.de/ihsm-sampling-mesh-monitor-hw.git/plain/paper/pic\_board\_setup\_2\_small.jpg?h=6a88f43e08e5cfff61b3ff1e5c2829a9590d7424} +\def\resourcerev{v0-draft-41-g6a88f43} +\def\resourcerepo{ihsm-sampling-mesh-monitor-hw.git} +\def\resourcepath{paper/pic\_board\_setup\_2\_small.jpg} \ No newline at end of file diff --git a/chapter-sampling-mesh-monitor/figures/pic_board_setup_2_small_censored.jpg b/chapter-sampling-mesh-monitor/figures/pic_board_setup_2_small_censored.jpg new file mode 100644 index 0000000..cd5e58e Binary files /dev/null and b/chapter-sampling-mesh-monitor/figures/pic_board_setup_2_small_censored.jpg differ diff --git a/chapter-sampling-mesh-monitor/figures/pic_board_setup_2_small_censored.jpg.latex_meta b/chapter-sampling-mesh-monitor/figures/pic_board_setup_2_small_censored.jpg.latex_meta new file mode 100644 index 0000000..c81bb09 --- /dev/null +++ b/chapter-sampling-mesh-monitor/figures/pic_board_setup_2_small_censored.jpg.latex_meta @@ -0,0 +1,6 @@ +\def\resourcestate{\draftgraphics} +\def\resourcescale{} +\def\resourceurl{https://git.jaseg.de/ihsm-sampling-mesh-monitor-hw.git/plain/paper/pic\_board\_setup\_2\_small\_censored.jpg?h=6a88f43e08e5cfff61b3ff1e5c2829a9590d7424} +\def\resourcerev{v0-draft-41-g6a88f43} +\def\resourcerepo{ihsm-sampling-mesh-monitor-hw.git} +\def\resourcepath{paper/pic\_board\_setup\_2\_small\_censored.jpg} \ No newline at end of file diff --git a/chapter-sampling-mesh-monitor/figures/pic_board_setup_small.jpg b/chapter-sampling-mesh-monitor/figures/pic_board_setup_small.jpg new file mode 100644 index 0000000..9ef03ab Binary files /dev/null and b/chapter-sampling-mesh-monitor/figures/pic_board_setup_small.jpg differ diff --git a/chapter-sampling-mesh-monitor/figures/pic_board_setup_small.jpg.latex_meta b/chapter-sampling-mesh-monitor/figures/pic_board_setup_small.jpg.latex_meta new file mode 100644 index 0000000..04a0f42 --- /dev/null +++ b/chapter-sampling-mesh-monitor/figures/pic_board_setup_small.jpg.latex_meta @@ -0,0 +1,6 @@ +\def\resourcestate{\draftgraphics} +\def\resourcescale{} +\def\resourceurl{https://git.jaseg.de/ihsm-sampling-mesh-monitor-hw.git/plain/paper/pic\_board\_setup\_small.jpg?h=6a88f43e08e5cfff61b3ff1e5c2829a9590d7424} +\def\resourcerev{v0-draft-41-g6a88f43} +\def\resourcerepo{ihsm-sampling-mesh-monitor-hw.git} +\def\resourcepath{paper/pic\_board\_setup\_small.jpg} \ No newline at end of file diff --git a/chapter-sampling-mesh-monitor/figures/pic_cut_1.jpg b/chapter-sampling-mesh-monitor/figures/pic_cut_1.jpg new file mode 100644 index 0000000..295a0ee Binary files /dev/null and b/chapter-sampling-mesh-monitor/figures/pic_cut_1.jpg differ diff --git a/chapter-sampling-mesh-monitor/figures/pic_cut_1.jpg.latex_meta b/chapter-sampling-mesh-monitor/figures/pic_cut_1.jpg.latex_meta new file mode 100644 index 0000000..8a69284 --- /dev/null +++ b/chapter-sampling-mesh-monitor/figures/pic_cut_1.jpg.latex_meta @@ -0,0 +1,6 @@ +\def\resourcestate{\draftgraphics} +\def\resourcescale{} +\def\resourceurl{https://git.jaseg.de/ihsm-sampling-mesh-monitor-hw.git/plain/paper/pic\_cut\_1.jpg?h=6a88f43e08e5cfff61b3ff1e5c2829a9590d7424} +\def\resourcerev{v0-draft-41-g6a88f43} +\def\resourcerepo{ihsm-sampling-mesh-monitor-hw.git} +\def\resourcepath{paper/pic\_cut\_1.jpg} \ No newline at end of file diff --git a/chapter-sampling-mesh-monitor/figures/pic_cut_1_small.jpg b/chapter-sampling-mesh-monitor/figures/pic_cut_1_small.jpg new file mode 100644 index 0000000..4c72a9b Binary files /dev/null and b/chapter-sampling-mesh-monitor/figures/pic_cut_1_small.jpg differ diff --git a/chapter-sampling-mesh-monitor/figures/pic_cut_1_small.jpg.latex_meta b/chapter-sampling-mesh-monitor/figures/pic_cut_1_small.jpg.latex_meta new file mode 100644 index 0000000..6e3574b --- /dev/null +++ b/chapter-sampling-mesh-monitor/figures/pic_cut_1_small.jpg.latex_meta @@ -0,0 +1,6 @@ +\def\resourcestate{\draftgraphics} +\def\resourcescale{} +\def\resourceurl{https://git.jaseg.de/ihsm-sampling-mesh-monitor-hw.git/plain/paper/pic\_cut\_1\_small.jpg?h=6a88f43e08e5cfff61b3ff1e5c2829a9590d7424} +\def\resourcerev{v0-draft-41-g6a88f43} +\def\resourcerepo{ihsm-sampling-mesh-monitor-hw.git} +\def\resourcepath{paper/pic\_cut\_1\_small.jpg} \ No newline at end of file diff --git a/chapter-sampling-mesh-monitor/figures/pic_manip_microsoldering.jpg b/chapter-sampling-mesh-monitor/figures/pic_manip_microsoldering.jpg new file mode 100644 index 0000000..21c1dd5 Binary files /dev/null and b/chapter-sampling-mesh-monitor/figures/pic_manip_microsoldering.jpg differ diff --git a/chapter-sampling-mesh-monitor/figures/pic_manip_microsoldering.jpg.latex_meta b/chapter-sampling-mesh-monitor/figures/pic_manip_microsoldering.jpg.latex_meta new file mode 100644 index 0000000..56c1c12 --- /dev/null +++ b/chapter-sampling-mesh-monitor/figures/pic_manip_microsoldering.jpg.latex_meta @@ -0,0 +1,6 @@ +\def\resourcestate{\draftgraphics} +\def\resourcescale{} +\def\resourceurl{https://git.jaseg.de/ihsm-sampling-mesh-monitor-hw.git/plain/paper/pic\_manip\_microsoldering.jpg?h=6a88f43e08e5cfff61b3ff1e5c2829a9590d7424} +\def\resourcerev{v0-draft-41-g6a88f43} +\def\resourcerepo{ihsm-sampling-mesh-monitor-hw.git} +\def\resourcepath{paper/pic\_manip\_microsoldering.jpg} \ No newline at end of file diff --git a/chapter-sampling-mesh-monitor/figures/pic_manip_microsoldering_small.jpg b/chapter-sampling-mesh-monitor/figures/pic_manip_microsoldering_small.jpg new file mode 100644 index 0000000..10f057c Binary files /dev/null and b/chapter-sampling-mesh-monitor/figures/pic_manip_microsoldering_small.jpg differ diff --git a/chapter-sampling-mesh-monitor/figures/pic_manip_microsoldering_small.jpg.latex_meta b/chapter-sampling-mesh-monitor/figures/pic_manip_microsoldering_small.jpg.latex_meta new file mode 100644 index 0000000..459b8e9 --- /dev/null +++ b/chapter-sampling-mesh-monitor/figures/pic_manip_microsoldering_small.jpg.latex_meta @@ -0,0 +1,6 @@ +\def\resourcestate{\draftgraphics} +\def\resourcescale{} +\def\resourceurl{https://git.jaseg.de/ihsm-sampling-mesh-monitor-hw.git/plain/paper/pic\_manip\_microsoldering\_small.jpg?h=6a88f43e08e5cfff61b3ff1e5c2829a9590d7424} +\def\resourcerev{v0-draft-41-g6a88f43} +\def\resourcerepo{ihsm-sampling-mesh-monitor-hw.git} +\def\resourcepath{paper/pic\_manip\_microsoldering\_small.jpg} \ No newline at end of file diff --git a/chapter-sampling-mesh-monitor/figures/pic_max3748.jpg b/chapter-sampling-mesh-monitor/figures/pic_max3748.jpg new file mode 100644 index 0000000..f8d2ea4 Binary files /dev/null and b/chapter-sampling-mesh-monitor/figures/pic_max3748.jpg differ diff --git a/chapter-sampling-mesh-monitor/figures/pic_max3748.jpg.latex_meta b/chapter-sampling-mesh-monitor/figures/pic_max3748.jpg.latex_meta new file mode 100644 index 0000000..2269f8e --- /dev/null +++ b/chapter-sampling-mesh-monitor/figures/pic_max3748.jpg.latex_meta @@ -0,0 +1,6 @@ +\def\resourcestate{\draftgraphics} +\def\resourcescale{} +\def\resourceurl{https://git.jaseg.de/ihsm-sampling-mesh-monitor-hw.git/plain/paper/pic\_max3748.jpg?h=6a88f43e08e5cfff61b3ff1e5c2829a9590d7424} +\def\resourcerev{v0-draft-41-g6a88f43} +\def\resourcerepo{ihsm-sampling-mesh-monitor-hw.git} +\def\resourcepath{paper/pic\_max3748.jpg} \ No newline at end of file diff --git a/chapter-sampling-mesh-monitor/figures/pic_max3748_small.jpg b/chapter-sampling-mesh-monitor/figures/pic_max3748_small.jpg new file mode 100644 index 0000000..65d51cc Binary files /dev/null and b/chapter-sampling-mesh-monitor/figures/pic_max3748_small.jpg differ diff --git a/chapter-sampling-mesh-monitor/figures/pic_max3748_small.jpg.latex_meta b/chapter-sampling-mesh-monitor/figures/pic_max3748_small.jpg.latex_meta new file mode 100644 index 0000000..c1947b2 --- /dev/null +++ b/chapter-sampling-mesh-monitor/figures/pic_max3748_small.jpg.latex_meta @@ -0,0 +1,6 @@ +\def\resourcestate{\draftgraphics} +\def\resourcescale{} +\def\resourceurl{https://git.jaseg.de/ihsm-sampling-mesh-monitor-hw.git/plain/paper/pic\_max3748\_small.jpg?h=6a88f43e08e5cfff61b3ff1e5c2829a9590d7424} +\def\resourcerev{v0-draft-41-g6a88f43} +\def\resourcerepo{ihsm-sampling-mesh-monitor-hw.git} +\def\resourcepath{paper/pic\_max3748\_small.jpg} \ No newline at end of file diff --git a/chapter-sampling-mesh-monitor/figures/pic_pi3hdx.jpg b/chapter-sampling-mesh-monitor/figures/pic_pi3hdx.jpg new file mode 100644 index 0000000..135a1e2 Binary files /dev/null and b/chapter-sampling-mesh-monitor/figures/pic_pi3hdx.jpg differ diff --git a/chapter-sampling-mesh-monitor/figures/pic_pi3hdx.jpg.latex_meta b/chapter-sampling-mesh-monitor/figures/pic_pi3hdx.jpg.latex_meta new file mode 100644 index 0000000..d838b24 --- /dev/null +++ b/chapter-sampling-mesh-monitor/figures/pic_pi3hdx.jpg.latex_meta @@ -0,0 +1,6 @@ +\def\resourcestate{\draftgraphics} +\def\resourcescale{} +\def\resourceurl{https://git.jaseg.de/ihsm-sampling-mesh-monitor-hw.git/plain/paper/pic\_pi3hdx.jpg?h=6a88f43e08e5cfff61b3ff1e5c2829a9590d7424} +\def\resourcerev{v0-draft-41-g6a88f43} +\def\resourcerepo{ihsm-sampling-mesh-monitor-hw.git} +\def\resourcepath{paper/pic\_pi3hdx.jpg} \ No newline at end of file diff --git a/chapter-sampling-mesh-monitor/figures/pic_pi3hdx_small.jpg b/chapter-sampling-mesh-monitor/figures/pic_pi3hdx_small.jpg new file mode 100644 index 0000000..0089516 Binary files /dev/null and b/chapter-sampling-mesh-monitor/figures/pic_pi3hdx_small.jpg differ diff --git a/chapter-sampling-mesh-monitor/figures/pic_pi3hdx_small.jpg.latex_meta b/chapter-sampling-mesh-monitor/figures/pic_pi3hdx_small.jpg.latex_meta new file mode 100644 index 0000000..8d637f9 --- /dev/null +++ b/chapter-sampling-mesh-monitor/figures/pic_pi3hdx_small.jpg.latex_meta @@ -0,0 +1,6 @@ +\def\resourcestate{\draftgraphics} +\def\resourcescale{} +\def\resourceurl{https://git.jaseg.de/ihsm-sampling-mesh-monitor-hw.git/plain/paper/pic\_pi3hdx\_small.jpg?h=6a88f43e08e5cfff61b3ff1e5c2829a9590d7424} +\def\resourcerev{v0-draft-41-g6a88f43} +\def\resourcerepo{ihsm-sampling-mesh-monitor-hw.git} +\def\resourcepath{paper/pic\_pi3hdx\_small.jpg} \ No newline at end of file diff --git a/chapter-sampling-mesh-monitor/figures/pic_short_1.jpg b/chapter-sampling-mesh-monitor/figures/pic_short_1.jpg new file mode 100644 index 0000000..38786ad Binary files /dev/null and b/chapter-sampling-mesh-monitor/figures/pic_short_1.jpg differ diff --git a/chapter-sampling-mesh-monitor/figures/pic_short_1.jpg.latex_meta b/chapter-sampling-mesh-monitor/figures/pic_short_1.jpg.latex_meta new file mode 100644 index 0000000..eaf4283 --- /dev/null +++ b/chapter-sampling-mesh-monitor/figures/pic_short_1.jpg.latex_meta @@ -0,0 +1,6 @@ +\def\resourcestate{\draftgraphics} +\def\resourcescale{} +\def\resourceurl{https://git.jaseg.de/ihsm-sampling-mesh-monitor-hw.git/plain/paper/pic\_short\_1.jpg?h=6a88f43e08e5cfff61b3ff1e5c2829a9590d7424} +\def\resourcerev{v0-draft-41-g6a88f43} +\def\resourcerepo{ihsm-sampling-mesh-monitor-hw.git} +\def\resourcepath{paper/pic\_short\_1.jpg} \ No newline at end of file diff --git a/chapter-sampling-mesh-monitor/figures/pic_short_2.jpg b/chapter-sampling-mesh-monitor/figures/pic_short_2.jpg new file mode 100644 index 0000000..ab067a2 Binary files /dev/null and b/chapter-sampling-mesh-monitor/figures/pic_short_2.jpg differ diff --git a/chapter-sampling-mesh-monitor/figures/pic_short_2.jpg.latex_meta b/chapter-sampling-mesh-monitor/figures/pic_short_2.jpg.latex_meta new file mode 100644 index 0000000..17b008b --- /dev/null +++ b/chapter-sampling-mesh-monitor/figures/pic_short_2.jpg.latex_meta @@ -0,0 +1,6 @@ +\def\resourcestate{\draftgraphics} +\def\resourcescale{} +\def\resourceurl{https://git.jaseg.de/ihsm-sampling-mesh-monitor-hw.git/plain/paper/pic\_short\_2.jpg?h=6a88f43e08e5cfff61b3ff1e5c2829a9590d7424} +\def\resourcerev{v0-draft-41-g6a88f43} +\def\resourcerepo{ihsm-sampling-mesh-monitor-hw.git} +\def\resourcepath{paper/pic\_short\_2.jpg} \ No newline at end of file diff --git a/chapter-sampling-mesh-monitor/figures/pic_short_2_small.jpg b/chapter-sampling-mesh-monitor/figures/pic_short_2_small.jpg new file mode 100644 index 0000000..2c3edf2 Binary files /dev/null and b/chapter-sampling-mesh-monitor/figures/pic_short_2_small.jpg differ diff --git a/chapter-sampling-mesh-monitor/figures/pic_short_2_small.jpg.latex_meta b/chapter-sampling-mesh-monitor/figures/pic_short_2_small.jpg.latex_meta new file mode 100644 index 0000000..5f588ca --- /dev/null +++ b/chapter-sampling-mesh-monitor/figures/pic_short_2_small.jpg.latex_meta @@ -0,0 +1,6 @@ +\def\resourcestate{\draftgraphics} +\def\resourcescale{} +\def\resourceurl{https://git.jaseg.de/ihsm-sampling-mesh-monitor-hw.git/plain/paper/pic\_short\_2\_small.jpg?h=6a88f43e08e5cfff61b3ff1e5c2829a9590d7424} +\def\resourcerev{v0-draft-41-g6a88f43} +\def\resourcerepo{ihsm-sampling-mesh-monitor-hw.git} +\def\resourcepath{paper/pic\_short\_2\_small.jpg} \ No newline at end of file diff --git a/chapter-sampling-mesh-monitor/figures/pic_tdp0604.jpg b/chapter-sampling-mesh-monitor/figures/pic_tdp0604.jpg new file mode 100644 index 0000000..6f33bfe Binary files /dev/null and b/chapter-sampling-mesh-monitor/figures/pic_tdp0604.jpg differ diff --git a/chapter-sampling-mesh-monitor/figures/pic_tdp0604.jpg.latex_meta b/chapter-sampling-mesh-monitor/figures/pic_tdp0604.jpg.latex_meta new file mode 100644 index 0000000..eaa0512 --- /dev/null +++ b/chapter-sampling-mesh-monitor/figures/pic_tdp0604.jpg.latex_meta @@ -0,0 +1,6 @@ +\def\resourcestate{\draftgraphics} +\def\resourcescale{} +\def\resourceurl{https://git.jaseg.de/ihsm-sampling-mesh-monitor-hw.git/plain/paper/pic\_tdp0604.jpg?h=6a88f43e08e5cfff61b3ff1e5c2829a9590d7424} +\def\resourcerev{v0-draft-41-g6a88f43} +\def\resourcerepo{ihsm-sampling-mesh-monitor-hw.git} +\def\resourcepath{paper/pic\_tdp0604.jpg} \ No newline at end of file diff --git a/chapter-sampling-mesh-monitor/figures/pic_tdp0604_small.jpg b/chapter-sampling-mesh-monitor/figures/pic_tdp0604_small.jpg new file mode 100644 index 0000000..b1867a6 Binary files /dev/null and b/chapter-sampling-mesh-monitor/figures/pic_tdp0604_small.jpg differ diff --git a/chapter-sampling-mesh-monitor/figures/pic_tdp0604_small.jpg.latex_meta b/chapter-sampling-mesh-monitor/figures/pic_tdp0604_small.jpg.latex_meta new file mode 100644 index 0000000..a62dd06 --- /dev/null +++ b/chapter-sampling-mesh-monitor/figures/pic_tdp0604_small.jpg.latex_meta @@ -0,0 +1,6 @@ +\def\resourcestate{\draftgraphics} +\def\resourcescale{} +\def\resourceurl{https://git.jaseg.de/ihsm-sampling-mesh-monitor-hw.git/plain/paper/pic\_tdp0604\_small.jpg?h=6a88f43e08e5cfff61b3ff1e5c2829a9590d7424} +\def\resourcerev{v0-draft-41-g6a88f43} +\def\resourcerepo{ihsm-sampling-mesh-monitor-hw.git} +\def\resourcepath{paper/pic\_tdp0604\_small.jpg} \ No newline at end of file diff --git a/chapter-smpc/chapter.tex b/chapter-smpc/chapter.tex index 2b57b2e..cc9ea5b 100644 --- a/chapter-smpc/chapter.tex +++ b/chapter-smpc/chapter.tex @@ -1,178 +1,4 @@ -\documentclass[11pt,a4paper,notitlepage,twoside]{report} -\usepackage[ngerman, english]{babel} -\usepackage[utf8]{inputenc} -\usepackage[a4paper, top=3cm, bottom=3.5cm, inner=3.5cm, outer=5cm, marginpar=3.8cm]{geometry} -\usepackage[T1]{fontenc} -\usepackage{amssymb} -\usepackage{amsmath} -\usepackage{listings} -\usepackage{eurosym} -\usepackage{wasysym} -\usepackage{extdash} -\usepackage{amsthm} -\usepackage{mwe} -\usepackage{tabularx} -\usepackage{multirow} -\usepackage{multicol} -\usepackage{tikz} -\usepackage{mathtools} -\usepackage{setspace} -\usepackage{titlesec} -\usepackage{fancybox} -\usepackage{fancyhdr} -\usepackage[binary-units,per-mode=fraction]{siunitx} -\usepackage[hidelinks]{hyperref} -\usepackage{commath} -\usepackage{graphicx,color} -\usepackage{ccicons} -\usepackage{subcaption} -\usepackage{float} -\usepackage{footmisc} -\usepackage{array} -\usepackage[underline=false]{pgf-umlsd} -\usetikzlibrary{calc} -\usepackage{epstopdf} -\usepackage{pdfpages} -\usepackage{etoolbox} -\usepackage{catchfile} -\usepackage{minitoc} -\usepackage{minted} % pygmentized source code -%\usepackage[pdftex]{graphicx,color} -%\usepackage{showframe} % Useful for page layout debugging - -\DeclareSIUnit{\baud}{Bd} - -\DeclarePairedDelimiter{\ceil}{\lceil}{\rceil} -\DeclarePairedDelimiter{\paren}{(}{)} - -\usepackage[ - backend=biber, - style=numeric, - natbib=true, - url=false, - doi=true, - eprint=false, - % Make the split online / other resource bibliographies behave - defernumbers=true, - ]{biblatex} -\addbibresource{../main.bib} -\DeclareSourcemap{ - \maps[datatype=bibtex]{ - \map{ - \step[fieldsource=doi,final] - \step[fieldset=isbn,null] - \step[fieldset=issn,null] - \step[fieldset=url,null] - } - \map{ - \step[fieldsource=isbn,final] - \step[fieldset=issn,null] - \step[fieldset=url,null] - } - } -} - -\renewcommand{\thesection}{\arabic{section}} -\renewcommand{\thesubsection}{\arabic{section}.\arabic{subsection}} -\renewcommand{\thesubsubsection}{\arabic{section}.\arabic{subsection}.\arabic{subsubsection}} - -% Re-define heading formats to force single line spacing -\titleformat{\section}{\normalfont\large\bfseries\singlespacing}{\thesection}{1em}{} -\titleformat{\subsection}{\normalfont\large\bfseries\singlespacing}{\thesubsection}{1em}{} -\titleformat{\subsubsection}{\normalfont\large\bfseries\singlespacing}{\thesubsubsection}{1em}{} - -\newcommand{\degree}{\ensuremath{^\circ}} -\newcolumntype{P}[1]{>{\centering\arraybackslash}p{#1}} -\definecolor{todoboxcolor}{RGB}{251 224 252} - -\pagestyle{fancy} - -\fancyhead[C]{} -\fancyhead[ER]{\footnotesize% - \ifdefined\thesispreviewmode % - (draft \texttt{\input{version.tex}\unskip}) % - \fi % -\leftmark} -\fancyhead[OL]{\footnotesize\rightmark} -\fancyhead[EL,OR]{\thepage} - -\fancyfoot[LCR]{} - -\fancypagestyle{plain}{% - \fancyhf{}% - \renewcommand{\headrulewidth}{0pt}% - \renewcommand{\footrulewidth}{0pt}% -} - -\raggedbottom - -\renewcommand{\chaptermark}[1]{\markboth{Chapter \thechapter: #1}{}} -\renewcommand{\sectionmark}[1]{\markright{\thesection\ #1}} -\addtolength{\headwidth}{\marginparsep} -\addtolength{\headwidth}{\marginparwidth} -\addtolength{\headwidth}{-1cm} - -\newcommand{\todo}[1]{ - \ifdefined\thesispreviewmode - \marginpar{ - \setlength{\fboxsep}{2mm} - \shadowbox{ - \parbox{3cm}{ - \singlespacing - \raggedright - \textsf{ - \small\textbf{To do}\\ - \footnotesize#1 - } - } - } - } - \fi -} - -\newcommand{\todoplaceholder}[1]{\textbf{TODO}\todo{#1}} - -% https://tex.stackexchange.com/questions/30720/footnote-without-a-marker -\newcommand\blfootnote[1]{% - \begingroup - \renewcommand\thefootnote{}\footnote{#1}% - \addtocounter{footnote}{-1}% - \endgroup -} - -\newcommand{\figurepath}{figures} -\graphicspath{{\figurepath}} -\newcommand{\figureattrib}[1]{% - \input{\figurepath/#1.latex_meta} % - \scriptsize - \ifdefined\thesispreviewmode\resourcestate\ \resourcescale\\\fi% - Resource: % - \texttt{\resourcerepo/\resourcepath} % - rev \texttt{\resourcerev} % - (\underline{\href{\resourceurl}{link}})% -} - -\newcommand{\draftgraphics}{\ifdefined\thesispreviewmode\textcolor{red}{\bfseries Not final graphics. }\fi} -\newcommand{\camerareadygraphics}{\ifdefined\thesispreviewmode Camera-ready graphics. \fi} -\newcommand{\scaledgraphics}[1]{\ifdefined\thesispreviewmode scaled-#1\else#1\fi} - -\newcommand{\imgsource}[4]{\scriptsize% - Image source: #1, #2 (\underline{\href{#4}{link}}). % - Licensed #3.} - -\hyphenation{a-me-na-ble} - -\begin{document} -\dominitoc -\faketableofcontents - -\chapter{Multiparty Computation in Scalable Hardware Security Modules} -\ifdefined\thesispreviewmode -{\Large \textbf{Draft build}, git revision \texttt{\input{version.tex}}} -\fi -\minitoc -\newpage -\setstretch{1.3} +\chaptertitle{Multiparty Computation in Scalable Hardware Security Modules} \section{Fast MPC and Slow HSMs} @@ -320,16 +146,3 @@ circuits. \section{Outlook} -\clearpage % clearpage flushes all figures. force this here so we don't get figures floating in between references. -% TODO when breaking this out into a template for building both the whole thesis and individual chapters, we have to -% decide whether we want to keep the bibliography per-chapter or only once for the whole thesis. In the latter case, we -% probably want to replace subbibintoc with bibintoc, or add a custom "bibliography" chapter and adjust the second -% bibliography's heading -\newrefcontext[labelprefix={W}] -\printbibliography[type={online},title={Web sources},heading=subbibintoc] -\newrefcontext -\printbibliography[nottype={online},resetnumbers,heading=subbibintoc] - -\appendix - -\end{document} diff --git a/chapter-template.tex b/chapter-template.tex new file mode 100644 index 0000000..80097a7 --- /dev/null +++ b/chapter-template.tex @@ -0,0 +1,29 @@ +\documentclass[11pt,a4paper,notitlepage,twoside]{report} +\usepackage[a4paper, top=3cm, bottom=3.5cm, inner=3.5cm, outer=5cm, marginpar=3.8cm]{geometry} + +\input{common-packages} +\input{common-defs} +\newcommand{\figurepath}{figures} +\graphicspath{{\figurepath}} + +\newcommand{\chaptertitle}[1]{ +\faketableofcontents +\chapter{#1} +\ifdefined\thesispreviewmode +{\Large \textbf{Draft build}, git revision \texttt{\input{version}}} +\fi +\setstretch{1} +\minitoc +\newpage +\setstretch{1.3} +} + +\begin{document} + +\input{chapter} + +\chapterbibliography + +\appendix + +\end{document} diff --git a/common-defs.tex b/common-defs.tex new file mode 100644 index 0000000..9fda573 --- /dev/null +++ b/common-defs.tex @@ -0,0 +1,135 @@ +\DeclareSIUnit{\baud}{Bd} + +\DeclarePairedDelimiter{\ceil}{\lceil}{\rceil} +\DeclarePairedDelimiter{\paren}{(}{)} + +\usepackage[ + backend=biber, + style=numeric, + natbib=true, + url=false, + doi=true, + eprint=false, + refsection=chapter, + % Make the split online / other resource bibliographies behave + defernumbers=true, + ]{biblatex} +\addbibresource{main.bib} +\DeclareSourcemap{ + \maps[datatype=bibtex]{ + \map{ + \step[fieldsource=doi,final] + \step[fieldset=isbn,null] + \step[fieldset=issn,null] + \step[fieldset=url,null] + } + \map{ + \step[fieldsource=isbn,final] + \step[fieldset=issn,null] + \step[fieldset=url,null] + } + } +} + +\renewcommand{\thesection}{\arabic{section}} +\renewcommand{\thesubsection}{\arabic{section}.\arabic{subsection}} +\renewcommand{\thesubsubsection}{\arabic{section}.\arabic{subsection}.\arabic{subsubsection}} + +% Re-define heading formats to force single line spacing +\titleformat{\section}{\normalfont\large\bfseries\singlespacing}{\thesection}{1em}{} +\titleformat{\subsection}{\normalfont\large\bfseries\singlespacing}{\thesubsection}{1em}{} +\titleformat{\subsubsection}{\normalfont\large\bfseries\singlespacing}{\thesubsubsection}{1em}{} + +\dominitoc + +\newcommand{\degree}{\ensuremath{^\circ}} +\newcolumntype{P}[1]{>{\centering\arraybackslash}p{#1}} +\definecolor{todoboxcolor}{RGB}{251 224 252} + +\pagestyle{fancy} + +\fancyhead[C]{} +\fancyhead[ER]{\footnotesize% + \ifdefined\thesispreviewmode % + (draft \texttt{\input{version.tex}\unskip}) % + \fi % +\leftmark} +\fancyhead[OL]{\footnotesize\rightmark} +\fancyhead[EL,OR]{\thepage} + +\fancyfoot[LCR]{} + +\fancypagestyle{plain}{% + \fancyhf{}% + \renewcommand{\headrulewidth}{0pt}% + \renewcommand{\footrulewidth}{0pt}% +} + +\raggedbottom + +\renewcommand{\chaptermark}[1]{\markboth{Chapter \thechapter: #1}{}} +\renewcommand{\sectionmark}[1]{\markright{\thesection\ #1}} +\addtolength{\headwidth}{\marginparsep} +\addtolength{\headwidth}{\marginparwidth} +\addtolength{\headwidth}{-1cm} + +\newcommand{\todo}[1]{ + \ifdefined\thesispreviewmode + \marginpar{ + \setlength{\fboxsep}{2mm} + \shadowbox{ + \parbox{3cm}{ + \singlespacing + \raggedright + \textsf{ + \small\textbf{To do}\\ + \footnotesize#1 + } + } + } + } + \fi +} + +\newcommand{\todoplaceholder}[1]{\textbf{TODO}\todo{#1}} + +% https://tex.stackexchange.com/questions/30720/footnote-without-a-marker +\newcommand\blfootnote[1]{% + \begingroup + \renewcommand\thefootnote{}\footnote{#1}% + \addtocounter{footnote}{-1}% + \endgroup +} + +\newcommand{\figureattrib}[1]{% + \input{\figurepath/#1.latex_meta} % + \scriptsize + \ifdefined\thesispreviewmode\resourcestate\ \resourcescale\\\fi% + Resource: % + \texttt{\resourcerepo/\resourcepath} % + rev \texttt{\resourcerev} % + (\underline{\href{\resourceurl}{link}})% +} + +\newcommand{\draftgraphics}{\ifdefined\thesispreviewmode\textcolor{red}{\bfseries Not final graphics. }\fi} +\newcommand{\camerareadygraphics}{\ifdefined\thesispreviewmode Camera-ready graphics. \fi} +\newcommand{\scaledgraphics}[1]{\ifdefined\thesispreviewmode scaled-#1\else#1\fi} + +\newcolumntype{P}[1]{>{\centering\arraybackslash}p{#1}} +\newcommand{\partno}[1]{\textsf{\small#1}} +\newcommand{\price}[2]{#1 #2} + +\newcommand{\imgsource}[4]{\scriptsize% + Image source: #1, #2 (\underline{\href{#4}{link}}). % + Licensed #3.} + +\newcommand{\chapterbibliography}{ + \clearpage % clearpage flushes all figures. force this here so we don't get figures floating in between references. + \newrefcontext[labelprefix={W}] + \printbibliography[type={online},title={Web sources},heading=subbibintoc] + \newrefcontext + \printbibliography[nottype={online},resetnumbers,heading=subbibintoc] +} + +\hyphenation{a-me-na-ble} + diff --git a/common-packages.tex b/common-packages.tex new file mode 100644 index 0000000..0791dea --- /dev/null +++ b/common-packages.tex @@ -0,0 +1,40 @@ +\usepackage[ngerman, english]{babel} +\usepackage[utf8]{inputenc} +\usepackage[T1]{fontenc} +\usepackage{amssymb} +\usepackage{amsmath} +\usepackage{listings} +\usepackage{eurosym} +\usepackage{wasysym} +\usepackage{extdash} +\usepackage{amsthm} +\usepackage{mwe} +\usepackage{tabularx} +\usepackage{multirow} +\usepackage{multicol} +\usepackage{tikz} +\usepackage{mathtools} +\usepackage{setspace} +\usepackage{titlesec} +\usepackage{fancybox} +\usepackage{fancyhdr} +\usepackage[binary-units,per-mode=fraction]{siunitx} +\usepackage[hidelinks]{hyperref} +\usepackage{commath} +\usepackage{graphicx,color} +\usepackage{ccicons} +\usepackage{subcaption} +\usepackage{float} +\usepackage{footmisc} +\usepackage{array} +\usepackage[underline=false]{pgf-umlsd} +\usetikzlibrary{calc} +\usepackage{epstopdf} +\usepackage{pdfpages} +\usepackage{etoolbox} +\usepackage{catchfile} +\usepackage{colortbl} +\usepackage{minitoc} +\usepackage{minted} % pygmentized source code +%\usepackage[pdftex]{graphicx,color} +%\usepackage{showframe} % Useful for page layout debugging diff --git a/thesis.tex b/thesis.tex new file mode 100644 index 0000000..d9e74f2 --- /dev/null +++ b/thesis.tex @@ -0,0 +1,41 @@ +\documentclass[11pt,a4paper,notitlepage,twoside]{report} +\usepackage[a4paper, top=3cm, bottom=3.5cm, inner=3.5cm, outer=5cm, marginpar=3.8cm]{geometry} + +\input{common-packages} +\input{common-defs} + +\newcommand{\figurepath}{} +\newcommand{\chaptertitle}[1]{ +\chapter{#1} +\setstretch{1} +\minitoc +\newpage +\setstretch{1.3} +} + +\newcommand{\dochapter}[1]{ + \renewcommand{\figurepath}{#1/figures} + \graphicspath{{\figurepath}} + \input{#1/chapter.tex} + + \chapterbibliography +} + +\begin{document} + +\ifdefined\thesispreviewmode +{\Large \textbf{Draft build}, git revision \texttt{\input{version}}} +\fi + +\dochapter{chapter-introduction} % Status: TODO +\dochapter{chapter-hsms} % Status: TODO +\dochapter{chapter-ihsm} % Status: Copy-paste done, build works, integration TODO +\dochapter{chapter-qkd} % Status: Re-integration of changes from workshop paper TODO +\dochapter{chapter-smpc} % Status: TODO +\dochapter{chapter-sampling-mesh-monitor} % Status: Copy-paste done, build works, integration TODO +\dochapter{chapter-nice-coils} % Status: Copy-paste done, build works, integration TODO +\dochapter{chapter-conclusion} % Status: Copy-paste done, build works, integration TODO + +\appendix + +\end{document} diff --git a/update_figures.py b/update_figures.py new file mode 100644 index 0000000..3b4f05d --- /dev/null +++ b/update_figures.py @@ -0,0 +1,119 @@ +#!/usr/bin/env python3 + +import shutil +import textwrap +import subprocess +import sys +import fnmatch +import warnings +import filecmp +from pathlib import Path + +import click + +FILENAME_PATTERNS = ['*.svg', '*.png', '*.jpg', '*.pdf', '*.eps'] + + +def git(*args, repo=None): + cmd = ['git'] + if repo: + cmd += ['-C', str(repo)] + proc = subprocess.run([*cmd, *args], check=True, capture_output=True, text=True) + return proc.stdout + proc.stderr + +def remote_url(repo=None): + branch = 'unknown' + try: + branch = git('branch', '--show-current', repo=repo).strip() + remote = git('config', f'branch.{branch}.remote', repo=repo).strip() + except subprocess.CalledProcessError: + warnings.warn(f'Cannot identify git remote for branch {branch} in repo {repo or ""}, using first remote') + + remote = git('remote', repo=repo).strip().splitlines()[0].strip() + if not remote: + raise SystemError(f'Repo {repo or ""} has no remotes configured.') + + return git('remote', 'get-url', remote, repo=repo).strip() + +def paths(s): + return [Path(line.strip()) for line in s.strip().splitlines()] + +def tex_escape(s): + s = str(s) + s = s.replace('_', r'\_') + return s + + +@click.command() +@click.argument('figure_dir', default='.', type=click.Path(exists=True, file_okay=False, path_type=Path)) +def cli(figure_dir): + figure_dir = figure_dir.resolve() + figure_files = set(fn.name for fn in figure_dir.iterdir() + if fn.is_file() and any(fnmatch.fnmatch(fn.name.lower(), pat) for pat in FILENAME_PATTERNS)) + + submodules = [p for p in paths(git('submodule', 'foreach', '--quiet', 'pwd')) + if p.parent == figure_dir] + + repo_matches = {} + for mod in submodules: + for fn in paths(git('ls-tree', '-r', 'HEAD', '--name-only', '--full-tree', repo=mod)): + if fn.name in figure_files: + if fn.name in repo_matches: + prev_mod, prev_fn = repo_matches[fn.name] + warnings.warn(f'Ambiguous match for {fn.name}: found {mod / fn} in addition to previous match of {prev_mod / prev_fn}.') + else: + repo_matches[fn.name] = (mod, fn) + + meta_file = lambda suffix: figure_dir / (fig_fn + suffix) + + for fig_fn, (mod, mod_fn) in repo_matches.items(): + fig_file = figure_dir / fig_fn + mod_file = mod / mod_fn + scale = "" + if filecmp.cmp(fig_file, mod_file): + print(f'{fig_fn} is up to date, updating metadata.') + else: + shutil.copy(mod_file, fig_file) + if fig_file.suffix.lower() in ('.png', '.jpg'): + subprocess.run(['magick', fig_file, + '-resize', '1000x1000>', + figure_dir / f'scaled-{fig_file.name}'], + check=True) + scale = "scaled down for preview" + print(f'Scaled {fig_fn} for preview') + + elif fig_file.suffix.lower() == '.svg': + subprocess.run(['inkscape', f'--export-filename={fig_file.with_suffix(".eps")}', fig_file], + check=True) + print(f'Rendered {fig_fn} to EPS') + + print(f'Updated {fig_fn} from {mod_fn}.') + + repo_url = remote_url(repo=mod) + + url_prefix = repo_url.replace('git@git.jaseg.de:', 'https://git.jaseg.de/') + repo_name = repo_url.replace('git@git.jaseg.de:', '').replace('https://git.jaseg.de/', '') + git_rev = git('rev-parse', 'HEAD', repo=mod).strip() + cgit_url = f'{url_prefix}/plain/{mod_fn}?h={git_rev}' + + git_tag = git('describe', '--always', '--tags', repo=mod).strip() + + state = r'\camerareadygraphics' if 'camera-ready' in fig_fn or 'final' in fig_fn else r'\draftgraphics' + meta_file('.latex_meta').write_text(textwrap.dedent(fr''' + \def\resourcestate{{{state}}} + \def\resourcescale{{{scale}}} + \def\resourceurl{{{tex_escape(cgit_url)}}} + \def\resourcerev{{{tex_escape(git_tag)}}} + \def\resourcerepo{{{tex_escape(repo_name)}}} + \def\resourcepath{{{tex_escape(mod_fn)}}} + ''').strip()) + + unmatched = figure_files - set(repo_matches.keys()) + if unmatched: + print() + print('Unmatched files:', file=sys.stderr) + for fn in unmatched: + print(fn, file=sys.stderr) + +if __name__ == '__main__': + cli()