jaseg/phd-thesis
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

base: jaseg:proof-3
Branches Tags
jaseg:main
jaseg:final
jaseg:proof-3
jaseg:proof-2
jaseg:draft-integrated-v1
jaseg:draft-1-qkd-v1
...
compare: jaseg:main
Branches Tags
jaseg:main
jaseg:final
jaseg:proof-3
jaseg:proof-2
jaseg:draft-integrated-v1
jaseg:draft-1-qkd-v1

41 commits
proof-3 ... main

Author SHA1 Message Date
jaseg
be300652f3 Add TDR pulse gen diagram 2026-05-31 10:52:00 +02:00
jaseg
5348007d86 Work on slides 2026-05-31 10:32:47 +02:00
jaseg
be4806c22a Slides: Initial WIP draft 2026-05-29 20:15:49 +02:00
jaseg
58fa0820fe Add hs3 paper reference 2026-04-30 18:41:21 +02:00
jaseg
c5e8e88fc6 Harris pres: Add author contact information 2026-03-23 21:15:05 +01:00
jaseg
7719fd5a3a Add source references 2026-03-23 21:00:53 +01:00
jaseg
6c461a2711 Add harris presentation 2026-03-23 20:57:08 +01:00
jaseg
90a24c0cf1 Remove academic CV 
This is a TUDa specific requirement for submission. It should not be
included in published versions.
 2026-03-23 08:10:23 +01:00
jaseg
17e38b5ce6 Add git revision to bibliographic info in PDFs 2026-01-20 17:21:29 +01:00
jaseg
c486c8e603 Finish up conclusion 2026-01-20 17:17:17 +01:00
jaseg
82247241ed fix up intro and conclusion 2026-01-20 07:48:08 +01:00
jaseg
29c6a1ca1e unfuck intro a bit 2026-01-20 07:11:50 +01:00
jaseg
20ede2208c sampling mesh mon paper: layout fixes 2026-01-19 21:06:46 +01:00
jaseg
9bc64c0764 remove done todo 2026-01-19 21:05:28 +01:00
jaseg
a364c80a15 Add DOI and URN from TUPrints 2026-01-19 20:57:21 +01:00
jaseg
bb744cb11f SMPC chapter: Improve wording and fix spelling 2026-01-19 17:20:20 +01:00
jaseg
bf66366603 Make ihsm related work flow better 2026-01-19 07:03:33 +01:00
jaseg
fe9dd77606 Clean up bibliography 2026-01-17 18:27:49 +01:00
jaseg
ac71191a66 fix undefined references 2026-01-17 17:21:39 +01:00
jaseg
2affa1fd0a Improve abstract wording, sampling mesh mon chapter 2026-01-17 12:39:16 +01:00
jaseg
0a930bbd7d Add more future work 2026-01-17 12:26:10 +01:00
jaseg
fd178fa4ee Improve qkd chapter conclusion, remove redundant attack considerations 
inherited from paper version
 2026-01-17 12:21:14 +01:00
jaseg
83b48f11e6 Review WIP 2026-01-14 18:23:59 +01:00
jaseg
2a1743e155 Finish up abstract 2026-01-14 18:09:20 +01:00
jaseg
ddecb69057 Update bibliography 2026-01-09 22:31:01 +01:00
jaseg
50b25576b3 Zotero updated itself, update bib 2025-12-04 15:10:39 +01:00
jaseg
05ab13a684 SMPC chapter WIP, add missing photos 2025-12-03 16:47:51 +01:00
jaseg
594b345ff9 Fix photo embedding 2025-12-02 19:38:50 +01:00
jaseg
82ac0196a7 Add graphics to SMPC chapter 2025-12-02 19:33:38 +01:00
jaseg
8b0d25cadb Add new plots to sampling mesh monitor chapter 2025-12-02 17:10:43 +01:00
jaseg
535365ea67 Include the remaining useful bits of benny's review 2025-12-01 16:35:46 +01:00
jaseg
6fd1d985d4 Include last of Olga's comments 2025-12-01 16:26:07 +01:00
jaseg
229bb34b09 Add itemized contributions list to intro 2025-12-01 16:03:08 +01:00
jaseg
d7b381307c Improve and manually translate abstract 2025-12-01 15:01:28 +01:00
jaseg
5046c79d1c Improve start of abstract 2025-12-01 13:33:01 +01:00
jaseg
0533e4bc33 Add missing label 2025-11-28 18:14:22 +01:00
jaseg
18956ffe75 Finish the rest of leo's annotations 2025-11-28 18:10:56 +01:00
jaseg
75c0da19d8 More notes from leo included 2025-11-28 16:47:45 +01:00
jaseg
2584232b70 Layout adjustments, export one-sided option 2025-11-28 16:31:57 +01:00
jaseg
fa6c2e9f0d Include first of leo's notes 2025-11-28 15:24:14 +01:00
jaseg
6218217d49 Add sources 2025-11-27 13:06:14 +01:00
35 changed files with 4670 additions and 940 deletions
Download patch file Download diff file Expand all files Collapse all files

32
Makefile
View file

@ -14,20 +14,34 @@ all: thesis.pdf
# We need three runs for biblatex's defernumbers
%.pdf: %.tex common-packages.tex common-defs.tex main.bib version.tex
pdflatex -shell-escape -jobname thesis '\def\thesispreviewmode{}\input{$<}'
pdflatex -shell-escape -jobname $* '\def\thesispreviewmode{}\input{$<}'
biber $*
pdflatex -shell-escape -jobname thesis '\def\thesispreviewmode{}\input{$<}'
pdflatex -shell-escape -jobname thesis '\def\thesispreviewmode{}\input{$<}'
pdflatex -shell-escape -jobname $* '\def\thesispreviewmode{}\input{$<}'
pdflatex -shell-escape -jobname $* '\def\thesispreviewmode{}\input{$<}'
echo
echo "Undefined biblatex references:"
grep -A2 'Package biblatex Warning: The following entry could not be found' thesis.log | sed -n '3~4{s/(biblatex) *//;p}' || echo "<None>"
#.PHONY: preview
final:
pdflatex -shell-escape $<
biber $*
pdflatex -shell-escape $<
pdflatex -shell-escape $<
%-oneside.pdf: %.tex common-packages.tex common-defs.tex main.bib version.tex
pdflatex -shell-escape -jobname $*-oneside '\def\thesispreviewmode{}\def\thesisoneside{}\input{$<}'
biber $*-oneside
pdflatex -shell-escape -jobname $*-oneside '\def\thesispreviewmode{}\def\thesisoneside{}\input{$<}'
pdflatex -shell-escape -jobname $*-oneside '\def\thesispreviewmode{}\def\thesisoneside{}\input{$<}'
echo
echo "Undefined biblatex references:"
grep -A2 'Package biblatex Warning: The following entry could not be found' thesis.log | sed -n '3~4{s/(biblatex) *//;p}' || echo "<None>"
%-final.pdf: %.tex common-packages.tex common-defs.tex main.bib version.tex abstract.tex abstract-de.tex
pdflatex -jobname $*-final -shell-escape $<
biber $*-final
pdflatex -jobname $*-final -shell-escape $<
pdflatex -jobname $*-final -shell-escape $<
%-final-oneside.pdf: %.tex common-packages.tex common-defs.tex main.bib version.tex
pdflatex -shell-escape -jobname $*-final-oneside '\def\thesisoneside{}\input{$<}'
biber $*-final-oneside
pdflatex -shell-escape -jobname $*-final-oneside '\def\thesisoneside{}\input{$<}'
pdflatex -shell-escape -jobname $*-final-oneside '\def\thesisoneside{}\input{$<}'
version.tex: thesis.tex $(addsuffix /chapter.tex,${CHAPTERS})
echo "${VERSION_STRING}" > $@

80
abstract-de.tex
View file

@ -4,38 +4,56 @@
\adjustmtc
\addcontentsline{toc}{chapter}{Kurzzusammenfassung}
\todo{Re-translate, manually check translation}
\marginpar{This section is a machine-translated copy of the English abstract below.}
Mit kryptografischen Fortschritten und Techniken wie der formalen Verifizierung, die zu immer sichererer Software
führen, rückt die Hardwareebene in den Fokus der aktuellen Computersicherheitsforschung. Der Stand der Technik in
der Hardwaresicherheit stützt sich jedoch oft noch auf den Einsatz mikroelektronischer Integration, um Sicherheit durch
Verschleierung zu erreichen, anstatt aufgrundlegendere Sicherheitsgarantien. Manchmal wird auch Manipulationsschutz auf
Systemebene eingesetzt, der jedoch aufgrund der hohen Kosten und der geringen Leistung von Geräten wie
Hardware-Sicherheitsmodulen (HSMs) nach wie vor auf Nischenanwendungen beschränkt ist.
\marginpar{This section is a translated copy of the English abstract below.}
Im Laufe der letzten Jahrzehnte habe Fortschritte in der Kryptographie sowie Techniken wie formale Verifikation den
Stand der Softwaresicherheit stetig verbessert. Gleichzeitig hat das Gebiet der Hardwaresicherheit mit diesen
Entwicklungen nicht Schritt halten können. Trotz Fortschritten in Teilgebieten wie der Resilienz gegenüber
Seitenkanalangriffen und Physical Unclonable Functions (PUFs) ist der Stand der Technik in der Hardwaresicherheit
nach wie vor auf die Verwendung mikroelektronischer Strukturen fokussiert. Solche erreichen einen Grad der Security
by Obscurity, liefern jedoch keine fundierteren Sicherheitsgarantien. Systemweite Manipulationsschutzmaßnahmen
werden nur vereinzelt in Geräten wie z.B.\ Hardware-Sicherheitsmodulen (HSMs) und Kartenzahlungsterminals
eingesetzt. Insbesondere HSMs werden aufgrund ihrer hohen Kosten und geringen Rechenleistung nur in
Nischenanwendungen wie z.B.\ der Zertifikatsausstellung im Transport Layer Security (TLS)-System sowie der
Zahlungsdatenverarbeitung eingesetzt.
In dieser Arbeit stellt Jan Sebastian Götte das Inertial Hardware Security Module (IHSM) vor, eine neue Architektur für
kostengünstige Hardware-Sicherheitsmodule, die einen hohen aktiven Manipulationsschutz bieten und gleichzeitig
Rechenleistungen unterstützen, dieim Vergleich zu herkömmlichen HSMs viel größer, schwerer und leistungsstärker sind. In
einem IHSM wird das kostspielige und schwer zu beschaffende Manipulationserkennungsgitter eines herkömmlichen HSM durch
ein Mesh aus einfachen Leiterplatten ersetzt, das sich mit hoher Geschwindigkeitum die Nutzlast dreht. Da sich das Mesh
dreht, kann es nicht manipuliert werden, und die Sicherheit herkömmlicher Mesh, die in maßgeschneiderten
Fertigungsprozessen hergestellt werden, kann mit viel einfacheren und kostengünstigeren Konstruktionstechnikenerreicht
werden. Die Dissertation präsentiert Lösungen für wichtige technische Herausforderungen bei der Konstruktion von IHSMs,
darunter ein hochsymmetrischesplanares Induktionsspulendesign für die rotierende drahtlose Energieübertragung und ein
hochpräzises Überwachungssystem für kostengünstige Sicherheitsgitter.
In dieser Dissertation wird das Inertiale Hardware-Sicherheitsmodul (IHSM) vorgestellt, eine neue Architektur für
Hardware-Sicherheitsmodule. IHSMs stellen einen hoch sicheren, aktiven Manipulationsschutz bereit.
Gleichzeitig können mithilfe der IHSM-Technologie kryptographische Rechnersysteme von wesentlich größeren
Abmessungen, Gewicht und elektrischer Leistungsaufnahme geschützt werden, als es in konventionellen HSMs möglich
ist. IHSMs ersetzen die kostenintensiven und in der Herstellung aufwendigen Meshes
(Manipulationserkennungsmembranen) konventioneller HSMs durch eine Konstruktion, in der Meshes aus einfachen
Platinen aufgebaut werden. Diese Meshes rotieren schnell um das geschützte Rechnersystem, was eine unerkannte
Manipulation verhindert. IHSMs erreichen so mithilfe wensentlich einfacherer und kostengünstiger
Konstruktionstechniken ein Sicherheitsniveau, das dem konventioneller Manipulationsschutzmembranen gleicht, die in
spezialisierten Herstellungsprozessen gefertigt werden. In der Dissertation werden die Ergebnisse einer
Übersichtsstudie vorgestellt, die etwa 30 echte Implementierungen socher Meshes untersucht. In der Studie werden
Kriterien für die Entwicklung sicherer Meshes abgeleitet, anhand derer das IHSM-Konzept kontextualisiert wird. Um
die Notwendigkeit sicherer Hardware zu erörtern, wird in dieser Dissertation darüber hinaus eine Analyse einiger
problematischer Aspekte des Hardwaresicherheitskonzeptes der Deutschen elektronischen Patientenakte vorgestellt.
Unter Anwendung der IHSM-Technologie schließt die Dissertation mit zwei Analysen von Anwendungsfällen, die durch die
erhöhte Größe und Verlustleistungsfähigkeit von IHSMs ermöglicht werden. In der ersten Analyse wird ein IHSM-gesicherter
Relaisknoten für Quantenschlüsselverteilungssysteme (QKD) vorgeschlagen, der deren praktische Implementierung über
beliebige Entfernungen ermöglicht, wasaufgrund grundlegender physikalischer Einschränkungen vertrauenswürdige
Relaisstationen erfordert. In der Studie werden IHSMs für solchehochsicheren QKD-Relais angepasst, indem der
IHSM-Netzdurchgang mit einem sekundären manipulationssensitiven Netz gesichert wird. In diesem Aufbau wird
ein Klammerdesign vorgeschlagen, das den Durchgang durch Glasfasern mit geringen Verlusten unterstützt.
Um den Weg für zukünftige, praktische Implementierungen der IHSM-Technologie zu bereiten, werden weiterhin Lösungen
für wichtige Schlüsselprobleme der Konstruktion von IHSMs vorgestellt. Diese Lösungen umfassen ein neues Konzept für
rotationssymmetrische Planarspulen für die drahtlose Energieübertragung an rotierende Empfänger, sowie ein
hochpräzises und dennoch kostengünstiges Überwachungssystem für Meshes. Dieses Überwachungssystem beruht auf dem
Prinzip der Zeitbereichsreflektometrie und erkennt selbst fortgeschrittene Angriffstechniken zuverlässig. In
praktischen Versuchen zeigte sich, dass das System ausreichend empfindlich ist, um mehrere identische Kopien
desselben Meshes voneinander zu unterscheiden, was auf PUF-ähnliche Eigenschaften hindeutet.
Der zweite vorgeschlagene Anwendungsfall passt ein IHSM-Gehäuse an die Anforderungen hinsichtlich Größe, Leistung und
Wärmeableitung eines Hochleistungsservers an, um gemeinsam genutzte sichere Multiparty-Computing-Workloads (MPC) zu
unterstützen. MPC ist in der Praxis durch Netzwerkbandbreite und Latenzbedingungen eingeschränkt, die ohne physisch
sichere Knoten nicht vermieden werden können. Herkömmliche HSMskönnen MPC-Workloads nicht bedienen, da ihre
kryptografische Leistung um viele Größenordnungen zu gering ist. Ein durch IHSM gesicherter MPC-Knoten umgeht diese
Einschränkungen und eröffnet ein neues Leistungsspektrum.
In der Dissertation werden zwei konkrete Anwendungsszenarien erläutert, die erst durch das größere Volumen und die
höhere Leistungsaufnahme möglich werden, die die IHSM-Technologie ermöglicht. Im ersten Anwendungsszenario wird eine
IHSM-geschützte Zwischenstation vorgeschlagen, um die durch physikalische Grundgesetze sonst stark eingeschränkte
erreichbare Entfernung eines Quantenschlüsselaustausch (QKD)-Systems zu vergrößern. Im Rahmen dieses
Anwendungsszenarios wird ein sekundäres Mesh vorgestellt, dass die Achsdurchführung des primären IHSM-Meshes
zusätzlich schützt. Weiterhin wird in der Fallstudie der Entwurf eines mechanischen Trägers für diese zusätzlich
geschützte Achsdurchführung vorgestellt, der das QKD-System im inneren des IHSM mit der Außenwelt über
verlustarme Glasfaserleitungen verbindet.
In der zweiten Fallstudie wird ein Konzept vorgestellt, das mithilfe IHSM-geschützter, leistungsstarker
Serverhardware kolokierte Secure Multiparty Computation (MPC)-Berechnungen ermöglicht. Hierzu wird IHSM-Technologie
an die Anforderungen leistungsstaker Serverhardware in Größe, Leistungsaufnahme, und ableitbarer Verlustleistung
angepasst. Wird MPC praktisch eingesetzt, werden Knoten über mehrere Rechenzentren verteilt um einen Single Point of
Failure zu vermeiden. Diese Verteilung führt jedoch zu geringer Netzwerkbandbreite und hohen Latenzen zwischen den
MPC-Knoten, was die erreichbare MPC-Rechenleistung stark einschränkt. Durch den Einsatz von IHSMs können physisch
gesicherte MPC-Knoten innerhalb desselben Rechenzentrums betrieben werden, was durch die damit erreichbare höheren
Bandbreiten und geringeren Latenzen einen Leistungsbereich der MPC-Berechnungen erschließt.
\end{otherlanguage}

55
abstract.tex
View file

@ -3,33 +3,40 @@
\adjustmtc
\addcontentsline{toc}{chapter}{Abstract}
%Through advancements in cryptography, nowadays it is feasible to construct networked computer systems that for all
%intents and purposes cannot be hacked over the network. Correctly applying cryptographic protocols and techniques such
%as formal verification, it can be ensured that a software implementation is a flawless representation of its theoretical
%model, and that the theoretical model is secure given universally accepted cryptographic assumptions. Despite
In the past decades, cryptographic advancements and techniques like formal verification have steadily improved software
security. Meanwhile, the field of hardware security has not kept pace. Research has made progress in subfields such as
resilience to Side-Channel Attacks (SCA) and Physical Unclonable Functions (PUFs). However, the state of the art still
often relies on microelectronic integration to achieve security by obscurity insted of more fundamental security
guarantees. While effective, system-level tamper protection is only used in few devices such as Hardware Security
Modules (HSMs) and card payment terminals. Due to the high cost and low performance of HSMs in particular, they remain
relegated to niche applications such as Transport Layer Security (TLS) certificate issuance and payment data processing.
With cryptographic advancements and techniques like formal verification leading to increasingly secure software, the
hardware level advances into the focus of contemporary applied computer security research. However, the state of the art
in hardware security still often relies on the use of microelectronic integration to achieve security by obscurity over
more fundamental security guarantees. System-level tamper protection is sometimes used, but remains relegated to niche
applications due to the high cost and low performance of devices like Hardware Security Modules (HSMs).
In this thesis, we introduce the Inertial Hardware Security Module (IHSM), a new architecture for low-cost hardware
security modules that provide high-level active tamper protection, while supporting computing payloads of much larger
size, weight and power dissipation compared to conventional HSMs. In an IHSM, the costly and difficult to source
tamper-sensing mesh of a conventional HSM is replaced by a mesh made from simple PCBs that is rotating at high speed
around the payload. Since the mesh is rotating at high speed, it cannot be manipulated, and the security of conventional
meshes created in bespoke manufacturing processes can be achieved using much simpler and less expensive construction
techniques. We present the results of a survey of approximately 30 real world tamper sensing mesh implementations. Based
on our findings, we deduce design criteria for secure meshes and contextualize our design. We further motivate the
necessity of secure hardware by presenting an analysis of problematic aspects in the hardware security design of
Germany's new national electronic health record system.
In this thesis, Jan Sebastian Götte introduces the Inertial Hardware Security Module (IHSM), a new architecture for
low-cost hardware security modules that provide high-level active tamper protection, while supporting computing payloads
of much larger size, weight and power dissipation compared to conventional HSMs. In an IHSM, the costly and difficult to
source tamper-sensing mesh of a conventional HSM is replaced by a mesh made from simple PCBs that is rotating at high
speed around the payload. Since the mesh is rotating, it cannot be manipulated, and the security of conventional meshes
created in bespoke manufacturing processes can be achieved using much simpler and less expensive construction
techniques. The thesis presents solutions to key engineering challenges in IHSM construction including a highly
symmetric planar inductor design for rotating wireless power transfer and a high-fidelity monitoring system for low-cost
security meshes.
To pave the way for practical implementations of IHSM technology, we present solutions to key engineering challenges in
IHSM construction. We present a design and analysis of highly symmetric planar inductors for rotating wireless power
transfer that improves self-resonant frequency by up to \qty{58}{\percent} and inductance by up to \qty{6.5}{\percent}
in our tests. Complementing this research, we present a high-fidelity, low-cost monitoring system for security meshes
that is based on the principles of Time-Domain Reflectometry (TDR), reaching \qty{184}{\pico\second} time resolution. We
validate our system and find that it is able to reliably detect several classes of advanced physical attacks. We find
that our system is sensitive enough to detect differences between identical copies of the same mesh, suggesting PUF-like
properties.
Applying IHSM technology, the thesis concludes with analyses of two use cases that are unlocked by the increased
size and power dissipation capability of IHSMs. In the first analysis, an IHSM-secured relay node for Quantum Key
Distribution (QKD) systems is proposed, enabling their practical implementation across arbitrary distances, which
requires trusted relay stations due to fundamental physical limitations. In the study, IHSMs are adapted for such
high-security QKD relays by securing the IHSM mesh passthrough with a secondary tamper-sensing mesh. In this setup, a
bracket design is proposed that supports passing through optical fibers at low loss.
Applying IHSM technology, we analyse two use cases that are unlocked by the increased size and power dissipation
capability of IHSMs. In the first analysis, an IHSM-secured relay node for Quantum Key Distribution (QKD) systems is
proposed, enabling their practical implementation across arbitrary distances, which requires trusted relay stations due
to fundamental physical limitations. In the study, IHSMs are adapted for such high-security QKD relays by securing the
IHSM mesh passthrough with a secondary tamper-sensing mesh. In this setup, a bracket design is proposed that supports
passing through optical fibers at low loss.
The second proposed use case adapts an IHSM enclosure to the size, power and thermal dissipation requirements of a
high-power server to support co-located secure Multiparty Computation (MPC) workloads. In practical MPC deployments,

27
ai-llm-use-disclosure.tex
View file

@ -6,25 +6,26 @@
This thesis has been written during the years of 2020 - 2025. In this time, Artificial Intelligence (AI) technology
including Large Language Models (LLMs) has entered widespread adoption. I have used such LLM systems in the preparation
of this thesis. At the time this thesis was written, LLMs were a powerful and useful technology, but often produced
wrong output. Thus, I used the following list of observations to guide my LLM use during the writing of this thesis.
wrong output. Thus I used the following list of observations to guide my LLM use during the writing of this thesis.
\begin{enumerate}
\item Passing text through an LLM is an imprecise operation. Especially when large amounts of text are passed
through an LLM, despite clear instructions such as ``only fix spelling errors,'' the LLM output might deviate
from the source text. Therefore, the document text should never be passed through the LLM, and the LLM should be
prompted to point out problems, or to produce a list of suggestions for improvements instead.
\item LLMs are really bad at summarizing text that contains novel concepts. LLM summaries of text often converge to
a re-stating of the general consensus on the text's main topic. Where the source text deviates from conventional
wisdom or makes novel points, an LLM summary will likely mis-represent those conclusions. Additionally, LLMs are
bad at capturing the point of a text. Unless extreme care is taken when prompting, it is easy to lead an LLM to
produce an inaccurate summary of a text that agrees with the prompt, but misses the gist of the text. Therefore,
extreme caution should be applied when using an LLM for summarization, and LLM output should be checked
diligently in such instances.
\item LLMs are bad at generating text from scratch. Especially on topics of academic interest that are novel and
that do not have well-known answers that can be found in the training corpus for these models, in general they
will not produce useful text when prompted. Therefore, LLMs should never be used to generate novel text.
\item LLMs are really bad at giving references. Prompts that ask for academic references on a topic are likely to
produce non-existing ``hallucinated'' references. The existing references an LLM is most likely to dig up
\item Contemporary LLMs are bad at summarizing text that contains novel concepts. LLM summaries of text often
converge to a re-stating of the general consensus on the text's main topic. Where the source text deviates from
conventional wisdom or makes novel points, an LLM summary will likely mis-represent those conclusions.
Additionally, LLMs are bad at capturing the point of a text. Unless extreme care is taken when prompting, it is
easy to lead an LLM to produce an inaccurate summary of a text that agrees with the prompt, but misses the gist
of the text. Therefore, extreme caution should be applied when using an LLM for summarization, and LLM output
should be checked diligently in such instances.
\item Contemporary LLMs are bad at generating text from scratch. Especially on topics of academic interest that are
novel and that do not have well-known answers that can be found in the training corpus for these models, in
general they will not produce useful text when prompted. Therefore, LLMs should never be used to generate novel
text.
\item Contemporary LLMs are bad at giving references. Prompts that ask for academic references on a topic are likely
to produce non-existing ``hallucinated'' references. The existing references an LLM is most likely to dig up
usually occur on the first page of a web search on the topic, or are frequently cited in literature on the
topic. Thus, LLMs should never be directly queried for references. When researching a new concept, a better use
of an LLM is the generation of query strings for search engines like Google Scholar.

42
chapter-conclusion/chapter.tex
View file

@ -3,22 +3,29 @@
political tool, and it confers on the field an intrinsically moral dimension.}
\chapter{Conclusion}
In this thesis, we propose Inertial Hardware Security Modules (IHSMs), a new approach to physical security that combines
conventional tamper-sensing meshes with physical movement to bootstrap a highly secure system from low-security,
off-the-shelf parts, solving our first research question introduced in Chapter~\ref{chapter-intro}. To motivate our
research, we use the German national digital health record system as an example demonstrating the difficulties in
achieving useful hardware security in practice. Besides some minor cryptographic oddities, our analysis reveals at least
one essential specification mistake that negates the hardware security of the system by unnecessarily introducing a
poorly protected HSM. With this motivation in mind, we support the construction of concretely secure IHSMs by providing
deep analyses of two key engineering challenges in IHSM construction, mesh monitoring and power transfer. Solving our
second research question, we propose a low-cost TDR-based mesh monitoring system that exceeds the capabilities of
previous systems from academic or from patent literature. Our system is capable of monitoring large meshes while
simultaneously providing detailed results. Our TDR-based mesh monitoring system is of independent interest, since it can
also be integrated into traditional HSM designs. We additionally propose a new, generalized design for high-frequency
PCB inductors with low parasitic capacitance. Our design provides better bandwidth and lower parasitic capacitance
compared to the state of the art without increasing implementation cost. We conclude this thesis with two chapters
elaborating on two new use cases that are made possible by IHSM technology due to its ability to protect large payloads
that have high power consumption. Together, these results answer our third and final research question.
In this thesis, we provided an examination of the field of Hardware Security Modules both from an academic perspective
and with regards to their practical implementation. We answered our first research question introduced in
Chapter~\ref{chapter-intro} on the current state of the art in Chapters~\ref{chapter-epa} and \ref{chapter-survey},
providing a comprehensive view of practical implementations. Chapter~\ref{chapter-epa} motivates our research using the
German national digital health record system as an example that demonstrates the difficulties in achieving practical
hardware security. Besides some minor cryptographic oddities, our analysis reveals at least one essential specification
mistake that negates the hardware security of the system by unnecessarily introducing a poorly protected HSM. In
Chapter~\ref{chapter-survey}, we answer our second research question in a detailed survey of a wide range of devices
that utilize tamper-sensing meshes, distilling a set of criteria for the design of secure tamper-sensing meshes. In
Chapter~\ref{chapter-ihsm}, we propose Inertial Hardware Security Modules (IHSMs), a new approach to physical security
that combines conventional tamper-sensing meshes with physical movement. IHSMs enable bootstrapping a highly secure
system from low-security, off-the-shelf parts, thereby solving our third research question on achieving physical
security without bespoke components. We support the construction of concretely secure IHSMs by providing deep analyses
of two key engineering challenges in IHSM construction, mesh monitoring and power transfer. Solving our fourth research
question on mesh monitoring fidelity, we propose a low-cost TDR-based mesh monitoring system that exceeds the
capabilities of previous systems from academic or from patent literature. Our system is capable of monitoring large
meshes while simultaneously providing detailed results. Our TDR-based mesh monitoring system is of independent interest,
since it can also be integrated into traditional HSM designs. Solving our fifth research question on ripple reduction
for rotating Wireless Power Transfer for IHSMs, we propose a new, generalized design for high-frequency PCB inductors
with low parasitic capacitance. Beyond our IHSM application, our design provides better bandwidth and lower parasitic
capacitance compared to the state of the art without increasing implementation cost. We conclude this thesis with two
chapters elaborating on two new use cases that are made possible by IHSM technology due to its ability to protect large
payloads that have high power consumption. Together, these results answer our sixth and final research question.
The research presented in this thesis is aimed at advancing both academic research and applied engineering in hardware
security. We believe that by publishing our research including its artifacts under open source licenses, we provide the
@ -51,6 +58,9 @@ directions that we consider worthwhile for future investigation.
long bearing life is challenging at the high rotation speed necessary at a small overall diameter. Finally, at high
speeds, precisely balancing the whole assembly to avoid vibrations that could lead to early mechanical failure is
difficult.
\item Tackling motor control algorithms for IHSMs and developing tamper sensors based on counter-electromotive force as
a defense-in-depth measure.
\item Integrating the IHSM hardware concept with software research on secure enclave and cryptographic coprocessors.
\item Exploring IHSM applications beyond what we outlined in this thesis. For instance, one application of recent
interests would be physically securing GPUs used for AI training. The background for such work could be either
export control motivations, or a concern for security and privacy of user input, training data, or even trained

173
chapter-epa/chapter.tex
View file

@ -7,39 +7,41 @@
}
\chaptertitle{The German ePA: A Motivating Counter-Example}
\label{chapter-epa}
\todo{FIXME: Proper citation here}
\sourceattrib{This part is based on a short paper written by me and presented by me at the HS3 workshop at ESORICS
2025.}
\sourceattrib{This part is based on a short paper written by Jan Sebastian Götte and presented by Jan Sebastian Götte at
the HS3 workshop at ESORICS 2025~\cite{gotteGermanyRollingOut2026}.}
Looking at the landscape of computer security solutions, we are presented with a wide variety of vendors and products
that may give the impression that hardware security is a solved problem. Vendors sell various claims rangning from
\emph{You don't need hardware security, just do it in the cloud!}~\cite{
\emph{``You don't need hardware security, just do it in the cloud!''}~\cite{
utimacoWhatCloudHSM2025,
microsoftOverviewAzureCloud,
ibmCloudHSM2016,
amazonAWSCloudHSM,
googleCloudHSMCloud2025,
WhatCloudHSM}
to \emph{Buy our HSM and you will be secure!}~\cite{utimacoUseCases,thalesLunaNetworkHardware}. In
to \emph{``Buy our HSM and you will be secure!''}~\cite{utimacoUseCases,thalesLunaNetworkHardware}. In
practice, things are not as easy and even well-intentioned projects still often go awry on the hardware security
dimension. To motivate our research into physical security in this thesis, in this chapter we will have a look at one
such project that was done by capable people with the best intentions, yet it resulted in a hardware security design
that is dangerously inadequate for the purpose.
Beginning May 2025, after several delays, Germany has started the nation-scale rollout of its new electronic medical
record system, named ePA (short for \emph{elektronische Patientenakte}, ``electronic patient record''). The system aims
to create a national database accessible to all healthcare providers that holds the complete electronic medical records
of all publically insured people living in Germany. The system aims to replace paper-based workflows that are
error-prone and lead to healthcare providers often only having access to a subset of patient's medical records. Data in
scope for the system includes medical letters, laboratory results, and medical imaging files.
record system, named ePA (short for \emph{elektronische Patientenakte}, ``electronic patient
record'')~\cite{kochNochVieleUnklarheiten2025}. The system aims to create a national database accessible to all
healthcare providers that holds the complete electronic medical records of all publically insured people living in
Germany. The system aims to replace paper-based workflows that are error-prone and lead to healthcare providers often
only having access to a subset of patient's medical records. Data in scope for the system includes medical letters,
laboratory results, and medical imaging files.
Due to Germany's mandatory health insurance laws, the system's user base encompasses the majority of all German
residents. People who have replaced their public health insurance with private insurance as of now are not subject to
the system. In Germany, by law private health insurance is only available to people from the top 10th percentile of
household income. This means that the system disproportionally affects people who have low income, creating an equity
issue. While it is possible to opt out from the use of the new digital record, the process of opting out is difficult.
Additionally, the government and health insurance providers have publically depicted the system in a one-sidedly
positive way, meaning that it is unlikely the majority of people subject to the system have a comprehensive
residents, approximately 90\%. People who have replaced their public health insurance with private insurance as of now
are not subject to the system. In Germany, by law private health insurance is only available to people from the top 10th
percentile of household income. This means that the system disproportionally affects people who have low income,
creating an equity issue. While it is possible to opt out from the use of the new digital record, the process of opting
out is difficult. Additionally, the government and health insurance providers have publically depicted the system in a
one-sidedly positive way, meaning that it is unlikely the majority of people subject to the system have a comprehensive
understanding of the system's benefits and risks that would be necessary for an informed decision.
While there has been loud criticism of the system's security from civil society organizations such as digital rights
@ -48,7 +50,7 @@ been demonstrated practically, this criticism has largely been ignored by the po
that despite this civil society outrage and the system's large scale, it has received little attention from the academic
cryptography and information security community.
In this chapter, we aim to point out some unconventional cryptographic engineering decisions in the system. In
In this chapter, we aim to highlight some unconventional cryptographic engineering decisions in the system. In
particular, we point out that the system's core per-user secrets are kept in a rudimentary key escrow system whose
security is based on engineering assumptions, not on cryptographic principles. Furthermore, we observe that by
specification, the individual user keys of the system are derived from a per-user cleartext salt based on a system-wide
@ -60,40 +62,35 @@ long-term secret with only 256 bits of entropy\footnote{
The current standard only requires one escrow service, and drops the entropy requirement of the root keys from 512
bits to 256 bits. The apparent reason for the long-term nature of these keys is that they are updated manually.
}. Finally, we note that according to specification, the only physical security requirement for the protection of this
highly sensitive secret is a ``hard, opaque potting material'', with no tamper detection and response required. We
belive that Inertial HSMs provide a path forward for systems like this, enabling physical security in applications that
currently rely on insecure, legacy systems. Even if for regulatory reasons a poorly secured conventional HSM without
active tamper sensing is chosen, it would be conceivable to construct an IHSM enclosure \emph{around} this conventional
HSM, in effect retrofitting the missing active tamper-sensing envelope.
highly sensitive secret is a ``hard, opaque potting material'', with no tamper detection and response required.
We base our analysis of the ePA on the system's publicly available standards in their latest version as of the writing
of the paper underlying this chapter in April 2025, describing version 3.0 of the healthcare record system \cite{
gematikSpezifikationAktensystemEPA2025,
gematikUbergreifendeSpezifikationVerwendung2024,
}. We note that the implementation might well deviate from these standards and be more secure---however, with the
system's history of flaws, we believe this is unlikely to be the case. The reference implementation provided by the
specification authority \cite{GithubRepositoryERPFD} follows the specified minimum requirements closely. As of now,
there is no meaningful way for either the public or for researchers such as us to ascertain the concrete implementation
security of the system.
}. We note that hypothetically, the implementation might deviate from these standards and be more secure. The reference
implementation provided by the specification authority \cite{GithubRepositoryERPFD} follows the specified minimum
requirements closely. As of now, there is no meaningful way for either the public or for researchers such as us to
ascertain the concrete implementation security of the system.
\section{The Design of ePA}
ePA is embedded into Germany's national public healthcare backend system ``Telematikinfrastruktur'' (TI). TI is a highly
complex system, and a detailed description would exceed the limits of this analysis. Briefly put, TI consists of a
shared demilitarized zone (DMZ) that parties like insurance providers and healthcare providers connect to through a VPN.
At the client location, usually an individual doctor's office or a hospital, this VPN connection is terminated by a
specialized VPN appliance named ``Konnektor'' that simultaneously acts as a trusted component inside the client network
hosting some software for purposes such as authentication. The Konnektor contains several smart cards that store keys
used for authentication. Konnektor devices are offered by several vendors and healthcare providers like doctor's offices
are indivudally responsible for purchasing and maintaining a Konnektor.
ePA is embedded into Germany's national public healthcare backend system ``Telematikinfrastruktur'' (abbreviated TI;
German for ``telematics infrastructure''). TI is a highly complex system, and a detailed description would exceed the
limits of this analysis. Briefly put, TI consists of a shared demilitarized zone (DMZ) that parties like insurance
providers and healthcare providers connect to through a VPN. At the client location, usually an individual doctor's
office or a hospital, this VPN connection is terminated by a specialized VPN appliance named ``Konnektor'' that
simultaneously acts as a trusted component inside the client network hosting some software for purposes such as
authentication. The Konnektor contains several smart cards that store keys used for authentication. Konnektor devices
are offered by several vendors and healthcare providers like doctor's offices are indivudally responsible for purchasing
and maintaining a Konnektor.
% FIXME: Is there a threat/trust model of the system that you could summarise in a few sentences?
Every person enrolled in the system as well as every healthcare professional providing services under it is issued an ID
card that contains a smart card with keys to authenticate towards the central infrastructure. The primary use of these
smart cards up to now is that when an enrolled person visits a healthcare provider, they will insert their ID card into
a terminal so the healthcare provider can automatically fetch their personal information such as name, birth date,
address and enrollment status from their insurance provider.
smart cards previously was to automatically provide personal information such as name, birth date, address and insurance
enrollment status when an enrolled person visits a healthcare provider.
ePA is implemented inside the TI system. Its centralized services are accessed by healthcare providers through the TI's
VPN, and by patients through proxy servers connected to TI's VPN. Patient records are encrypted and decrypted inside
@ -103,8 +100,8 @@ approved implementations of this server-side infrastructure.
With the current version of the specificatoin, the overall architecture of ePA heavily relies on Trusted Execution
Environments (TEEs). Data processing on the server side is done in plaintext inside TEEs, with some cryptographic key
management delegated to a Hardware Security Module. While attacks on the TEEs are considered in the system, the HSMs are
assumed to be perfectly secure, and the system does not include mitigations for a compromised HSM. The primary
management delegated to a Hardware Security Module (HSM). While attacks on the TEEs are considered in the system, the
HSMs are assumed to be perfectly secure, and the system does not include mitigations for a compromised HSM. The primary
motivation for plaintext processing seems to be to enable large-scale data analysis for research purposes without
requiring consent or cooperation of the people whose records are being
processed~\cite{gematikWhitepaperDatenschutzUnd2025}.
@ -117,23 +114,25 @@ unclear on the exact mechanism of key derivation, in previous versions of the st
random salt, and the healthcare ID number of the enrolled person was used in SHA256-HKDF. The specification requires
that a new root key is generated once a year, but as far as we can tell, record key rollover is not done automatically
but is only meant to be done when the \emph{user} requests it, and old root keys must be retained forever to ensure old
records can be accessed.
records can be accessed. Through this lack of automatic key rollover combined with the need to retain root keys
indefinitely, attack surface is maximized and incremental compromises of the system over long time spans become possible.
\subsection{Related Work}
\subsection{Previous Analyses}
The state-owned company specifying the system commissioned several security assessments of the system relating to the
key escrow service. \textcite{fischlinKryptographischeAnalyseSpezifikation2021} focuses on the cryptographic
dimension of the key escrow service used in an older version of the standard, and is now obsolete.
\textcite{slanySicherheitsanalyseZurSicherheit2020} approaches the system at a higher level, and focuses on the
cryptography of the inner protocol layers spoken between the system's components. Industry research organization
\emph{gematik}, the state-owned company specifying the system, commissioned several security assessments of the system
relating to the key escrow service.
\citeauthor{fischlinKryptographischeAnalyseSpezifikation2021}~\cite{fischlinKryptographischeAnalyseSpezifikation2021}
focuses on the cryptographic dimension of the key escrow service used in an older version of the standard, and is now
obsolete. \textcite{slanySicherheitsanalyseZurSicherheit2020} approaches the system at a higher level, and focuses on
the cryptography of the inner protocol layers spoken between the system's components. Industry research organization
Fraunhofer SIT was comissioned for a structured, theoretical assessment of attack paths to the system
\cite{fraunhofersitAbschlussberichtSicherheitsanalyseGesamtsystems2024}. We are not currently aware of
independent academic security research on the system.
\cite{fraunhofersitAbschlussberichtSicherheitsanalyseGesamtsystems2024}. We are not currently aware of independent
academic security research on the system.
The design and operation of the system have been independently described in detail by civil society activists, who have
demonstrated several successful attacks on the system. \textcite{tschirsichHackerHinOder0100} demonstrated how they
demonstrated several successful attacks on the system. \textcite{tschirsichHackerHinOder2019} demonstrated how they
could trivially acquire each of the smartcards as well as the Konnektor necessary for accessing the system.
\textcite{tschirsichKonnteBisherNoch0100} summarize the history of attacks demonstrated on the system and show multiple
\textcite{tschirsichKonnteBisherNoch2024} summarize the history of attacks demonstrated on the system and show multiple
practical attacks on various parts of the system's implementation.
\section{Concerning Cryptographic Engineering Choices}
@ -143,11 +142,11 @@ by no means an exhaustive list, and is only meant to underscore why we believe t
\subsection{Use of Key Escrow}
First, the system's general approach of using a key escrow service instead of securely storing the keys inside the
system's already existing smart card infrastructure is concerning, given that this key escrow service poses a
centralized security risk. The system's designers made this decision since it was deemed important that access to an
encrypted record can be restored quickly after an insurance ID card is lost, without requiring the cooperation of the
healthcare providers holding the primary copies of the person's medical records.
Key escrow describes a concept that was originally devised during the 1990ies out of a fear that the widespread
availability of strong encryption would stifle the ability of law enforcement agencies to wiretap communications in the
prosecution of crime. At the core of the concept rests the idea that a trusted \emph{key escrow} service should hold a
copy of every private key in use. In case the government wants to access one of these keys, the key escrow service can
provide this access\textcite{andersonSecurityEngineeringGuide2020,jarvisCryptoWarsFight2020}.
While key escrow services have been a topic of political debate in decades past, in the cryptographic community,
consensus generally is that they are a bad idea since they pose a centralized target for attack, and increase attack
@ -158,8 +157,16 @@ surface \cite{
rogawayMoralCharacterCryptographic2015,
}.
Our first concern is the system's general approach of using a key escrow service instead of securely storing the keys
inside the system's already existing smart card infrastructure. Like any other key escrow system, this key escrow
service poses a centralized security risk. The system's designers made this decision since it was considered important
that when an encrypted record must be restored after an insurance ID card is lost, it can be re-created without the
cooperation of the healthcare providers holding the primary copies of the person's medical records.
\subsection{Cryptographic Design}
\todo{Feedback from HS3 reviewer: I feel that this section is a mix-up of critique on the cryptographic design and the
approach to privacy protection and data minimisation. How are they linked? I'm missing some discussion here.}
The system's overall cryptographic design is intentionally kept simple. The standard explicitly mentions that symmetric
primitives have been preferred over asymmetric primitives in the core key escrow functions due to the risk of an attack
on asymmetric primitives in the long term. Notably, other advanced cryptographic techniques such as secret sharing
@ -174,28 +181,25 @@ For instance, the system leaks a person's insurance ID number to the key escrow
requested. Along with the timing and frequency of these requests, this leaks information on the person's condition to
the key escrow service in an identifiable way.
% TODO I feel that this section is a mix-up of critique on the cryptographic design and the approach to privacy
% protection and data minimisation. How are they linked? I'm missing some discussion here.
\subsection{A Realistic Attacker Model}
We observe that the system as a whole does not appear to be designed to defend against well-resourced adversaries. The
series of practical attacks that have been demonstrated on the system confirm this impression. In
\textcite{tschirsichKonnteBisherNoch0100} summarize a series of successful attacks. Attacks include social engineering
resulting in access to copies of smartcards enabling accessing patient records, using misconfigured Konnektor VPN
appliances with their LAN DMZ and authentication interface exposed on the public internet, circumventing video-based
authentication processes resulting in duplicate file keys being provided, classis SQL injection on a backend service
maintaining an authentication database, accessing all national patient records through brute-force enumeration of weak
identifiers, and several more.
We observe that the system as a whole does not appear to be designed to defend against well-resourced adversaries. A
series of demonstrated practical attacks on the system, none of which required advanced capabilities, confirm this
impression. In \textcite{tschirsichKonnteBisherNoch2024} summarize a series of successful attacks. Attacks include
social engineering resulting in access to copies of smartcards enabling accessing patient records, using misconfigured
Konnektor VPN appliances with their local network DMZ and authentication interface exposed on the public internet,
circumventing video-based authentication processes resulting in duplicate file keys being provided, classis SQL
injection on a backend service maintaining an authentication database, accessing all national patient records through
brute-force enumeration of weak identifiers, and several more.
We believe that a system like this must be designed to withstand well-resourced adversaries such as enemy secret
We believe that a system like this must be designed to withstand well-resourced adversaries such as foreign secret
services, since the medical data stored in such as information on chronic illness, sexually transmittable disease or
severe food allergies has intelligence value. Repeated breaches of national digital infrastructure such as the 2015
breach of the US Office of Personnel Management \cite{barrettUSSuspectsHackers2015} or the 2024 compromise of US
telecommunications wiretapping systems \cite{mennChineseGovernmentHackers2024} demonstrate that such state-sponsored
attacks on national digital infrastructure are a realistic concern. A possible scenario in the ePA system would be an
enemy secret service gaining access to one of the HSMs storing the systems' root secrets, extracting the root secret by
an advanced physical attack, then being able to decrypt captured encrypted health records at will. Similarly, a
foreign secret service gaining access to one of the HSMs storing the systems' root secrets, extracting the root secret
by an advanced physical attack, then being able to decrypt captured encrypted health records at will. Similarly, a
nation-state adversary might have access to an exploit allowing the compromise of the system's TEEs, which would enable
the extraction of any patient records being processed in plaintext inside these TEEs.
@ -203,19 +207,20 @@ the extraction of any patient records being processed in plaintext inside these
Physical security has received some consideration in the system's specification. First, smart cards are used extensively
for authentication. Second, Hardware Security Modules are used in key locations of the system to process some
cryptographic secrets. The core of the system's key escrow service is implemented inside an HSM. However, it is notable
that the actual security level required for this HSM is only FIPS 140-2 level 3
\cite{usnationalinstituteofstandardsandtechnologySecurityRequirementsCryptographic2002}. FIPS 140-2 is a US government
standard that used to be popular for the specification of HSMs. However, not only has FIPS 140-2 been superseded by FIPS
140-3 since 2019 \cite{usnationalinstituteofstandardsandtechnologySecurityRequirementsCryptographic2019}, its security
level 3 mostly provides logical separation of cryptographic functions from other logic and is not very meaningful in the
context of physical attacks. The only physical requirement of FIPS 140-2 level 3 is that the HSM has a hard, opaque
coating. This coating is specified to be tamper-evident, but notably no active tamper detection or response features are
required by this standard~\cite{andersonSecurityEngineeringGuide2020}. In contrast to the newer FIPS 140-3 standard and
the related ISO/IEC 19790 \cite{ISOIEC19790} as well as ISO/IEC 24759 \cite{ISOIEC24759} standards, FIPS 140-2 does not
make any particular requirements regarding resistance to side-channel attacks. The lack of tamper response, unspecified
resistance to side-channel attacks and the fact that the ePA specification only requires the long-lived key escrow root
key inside the HSM to have 256 bits of entropy lead to an unsatisfactory overall constellation.
cryptographic secrets. The core of the system's key escrow service is implemented inside an HSM that is part of a
redundant HSM cluster. However, it is notable that the actual security level required for this HSM is only FIPS 140-2
level 3 \cite{usnationalinstituteofstandardsandtechnologySecurityRequirementsCryptographic2002}. FIPS 140-2 is a US
government standard that used to be popular for the specification of HSMs. However, not only has FIPS 140-2 been made
obsolete by FIPS 140-3 in 2019 \cite{usnationalinstituteofstandardsandtechnologySecurityRequirementsCryptographic2019},
its security level 3 mostly provides logical separation of cryptographic functions from other logic and is not very
meaningful in the context of physical attacks. The only physical requirement of FIPS 140-2 level 3 is that the HSM has a
hard, opaque coating. This coating is specified to be tamper-evident, but notably no active tamper detection or response
features are required by this standard~\cite{andersonSecurityEngineeringGuide2020}. In contrast to the newer FIPS 140-3
standard and the related ISO/IEC 19790 \cite{ISOIEC19790} as well as ISO/IEC 24759 \cite{ISOIEC24759} standards, FIPS
140-2 does not make any particular requirements regarding resistance to side-channel attacks. The lack of tamper
response, unspecified resistance to side-channel attacks and the fact that the ePA specification only requires the
long-lived key escrow root key inside the HSM to have 256 bits of entropy lead to an unsatisfactory overall
constellation.
\section{Conclusion}
@ -242,5 +247,7 @@ that better accomodate real-world use cases.
We believe that Inertial HSMs can address this use case by cleanly separating the physical security primitive into a
retargetable design that can be applied to entire servers if needed, and augment or replace technology like conventional
HSMs or trusted execution environments to provide high-level hardware security.
HSMs or trusted execution environments to provide high-level hardware security. Before introducing IHSMs in
Chapter~\ref{chapter-ihsm}, in the following chapter, we will first complement this chapter's outlook on the state of
the art in hardware security with a survey of tamper sensing meshes in a wide range of real world devices.

275
chapter-hsms/chapter.tex
View file

@ -14,7 +14,7 @@ being used in the late 19\textsuperscript{th} century, around the widespread com
active tamper sensing meshes are used in a wide array of devices ranging from card payment terminals to atomic bombs.
In this chapter, we will start with a brief history of tamper sensing meshes. Complementing our historical analysis, we
will present the results of a survey of a range of real-world devices that use tamper sensing meshes and we will analyze
will present the results of a survey of a range of real-world devices that use tamper sensing meshes and we will examine
their implementation. We will analyze the gaps left by the current state of the art in commercial practice, and evaluate
how Inertial HSMs could close these gaps to make secure hardware accessible to a wider range of applications. The
contributions in this chapter are as follows:
@ -27,8 +27,8 @@ contributions in this chapter are as follows:
illustrating them.
\item From our sample, we extract several design patterns that can be applied to increase the security of a design.
\item We note security flaws in several of our samples.
\item We provide the results of CT measurements of multiple samples, and we evaluate their impact on tamper sensing
mesh security.
\item We provide the results of Computed Tomography (CT) imaging of multiple samples, and we evaluate their impact
on tamper sensing mesh security.
\end{itemize}
\section{The History of Tamper Sensing Meshes}
@ -70,9 +70,9 @@ the widespread adoption of cryptography in commercial applications~\cite{
One early practical uses of tamper sensing meshes for information security as opposed to the security of some physical
good is documented in notes on a series of lectures given by Dr.~David~G. Boak, a specialist in communications security
and signal intelligence at the US National Security
Agency~\cite{nsaHistoryUSCommunications1973,nsaHistoryUSCommunications1981}. In this lecture series, Boak mentions that
around World War \RN{2}, the US became concerned about the security of their ciphering machines, which at the time were
large, fridge-sized electro-mechanical contraptions. Initially, simple safes were used to protect those
Agency~\cite{boakHistoryUSCommunications1981,boakHistoryUSCommunications1973}. In this lecture series, Boak mentions
that around World War \RN{2}, the US became concerned about the security of their ciphering machines, which at the time
were large, fridge-sized electro-mechanical contraptions. Initially, simple safes were used to protect those
devices---however, as Boak notes, the US was well aware that they could not build a safe that a well-equipped specialist
could not break open within an hour. As a solution, the NSA started development on what we would today call a Hardware
Security Module by encapsulating a crypto coprocessor in a tamper sensing envelope. Boak observes that as a tamper
@ -111,24 +111,29 @@ history of nuclear material passing through these facilities.
When using sensors to monitor treaty compliance, the IAEA has to consider the possibility of a host state tampering with
its sensors to abuse nuclear material without being noticed. Historically, the IAEA has responded to this threat by the
extensive use of tamper-indicating enclosures and of seals. In both systems, the approach taken is that the enclosure or
seal is treated similarly to what these days, in computing we call a Physically Uncloneable Function. The enclosure or
seal is manufactured in a process that leaves an unpredictable and uncontrollable pattern of manufacturing variations
such as surface imperfections. A process used in the IAEA is to package devices in aluminium enclosures passivated in a
bright color, which leaves a random, microscopic pattern of pits in the surface from the etching step. Before such a
device is deployed in the field, it is precisely measured from all sides. Later on, after field deployment, its
integrity can then be checked by comparing its current state to these initial measurements. The underlying assumption is
that drilling or cutting into something like a metal enclosure will leave detectable traces, and that perfectly
replicating an object including features such as minute surface imperfections is infeasible even to a nation
state~\cite{iaea2011}.
extensive use of tamper-indicating enclosures and of seals\footnote{
Note that in IAEA terminology, both tamper detection and tamper evidence are combined into the term ``tamper
indication''. The IAEA distinguishes between active tamper indication, which we conventionally call tamper
detection, and passive tamper indication, which we conventionally call tamper evidence. Tamper indicating devices
include seals, but also the aforementioned uniquely characterizable enclosures, which IAEA terminology calls
intrinsically tamper-indicating. An example for an active tamper indicating device would be a seismic sensor at the
bottom of a borehole that has been back-filled with concrete such that any attempt to reach the sensor would be
well-visible in the sensor's own readings~\cite{simmonsHowInsureThat1988}.
}. In both systems, the approach taken is that the enclosure or seal is treated similarly to what these days, in
computing we call a Physical Unclonable Function (PUF). The concept of a PUF centers on electronic component
manufactured such that random manufacturing variations can later be measured by the finished circuit. The core idea is
that since these manufacturing variations are random, they can be used as a source for cryptographic entropy.
Furthermore, the concept is based on the assumption that these manufacturing variations cannot be controlled, hence
making the device \emph{unclonable}.
In IAEA terminology, both tamper detection and tamper evidence are combined into the term ``tamper indication''. The
IAEA distinguishes between active tamper indication, which we conventionally call tamper detection, and passive tamper
indication, which we conventionally call tamper evidence. Tamper indicating devices include seals, but also the
aforementioned uniquely characterizable enclosures, which IAEA terminology calls intrinsically tamper-indicating. An
example for an active tamper indicating device would be a seismic sensor at the bottom of a borehole that has been
back-filled with concrete such that any attempt to reach the sensor would be well-visible in the sensor's own
readings~\cite{simmonsHowInsureThat1988}.
Similar to a PUF, in the IAEA's application an enclosure or seal is manufactured in a process that leaves an
unpredictable and uncontrollable pattern of manufacturing variations such as surface imperfections. A process used in
the IAEA is to package devices in aluminium enclosures passivated in a bright color, which leaves a random, microscopic
pattern of pits in the surface from the etching step. Before such a device is deployed in the field, it is precisely
measured from all sides. Later on, after field deployment, its integrity can then be checked by comparing its current
state to these initial measurements. The underlying assumption is that drilling or cutting into something like a metal
enclosure will leave detectable traces, and that perfectly replicating an object including features such as minute
surface imperfections is infeasible even to a nation state~\cite{iaea2011}.
With smarter electronics becoming more affordable in both monetary and in power budget, over the decades, other active
tamper sensors have received attention as well. The IAEA reports on attempts at burying sensors such as piezoelectric
@ -148,12 +153,12 @@ and ATMs to the ATM pin pads themselves, which encrypt the customer's PIN right
of card payment terminals.
HSMs are used for highly sensitive operations even outside of the financial industry, although their adoption is
hampered by their high cost. These applications include key management in the TLS certificate infrastructure. In this
chapter, we will analyze a commercial HSM that was used in the key management infrastructure of a premium TV provider.
Other applications include mail franking machines, where they are used to protect the credit counter and franking data,
with one such unit analyzed in this chapter. Furthermore, we have identified several models of key safes that in Germany
are mounted externally on public buildings to provide keys to emergency services, and which include tamper sensing
meshes on their door and interior walls to detect attempts at drilling into them~\cite{SD04203RB25D5,
hampered by their high cost. In this chapter, we will analyze a commercial HSM that was used in the key management
infrastructure of a premium TV provider as one example of such uses. Examples of other applications include mail
franking machines, where they are used to protect the credit counter and franking data, with one such unit analyzed in
this chapter. Furthermore, we have identified several models of key safes that in Germany are mounted externally on
public buildings to provide keys to emergency services, and which include tamper sensing meshes on their door and
interior walls to detect attempts at drilling into them~\cite{SD04203RB25D5,
krusesicherheitssystemeDatenblattKRUSEFWSchlusseldepot2018}. Finally, we have found a processing unit used in a series
of mid-2000s era slot machines in Germany that includes a tamper sensing mesh, presumably to prevent modification or
cloning. This device will also be analyzed later in this chapter.
@ -196,6 +201,13 @@ basic construction and layout has not changed much since the early 1990ies~\cite
macphersonImprovementsSecurityEnclosures1993,
macphersonTamperRespondentEnclosure1999}.
Concluding this brief history of tamper sensing meshes, we find that they were initially developed for sensitive
military applications, and their use in civil applications is a recent phenomenon. The implementation of tamper sensing
meshes in civil applications was likely catalyzed by two advancements in electronics. First, electronic components
became less expensive and more integrated reducing the cost overhead of tamper sensing circuits. Second, the mass-scale
adoption of PCB and FPC production processes enabled their use as inexpensive, high-resolution substrates for such
meshes.
\subsection{Monitoring Circuit Approaches}
Tamper sensing meshes are most effective when they are continuously monitored using a backup power supply while the rest
@ -213,7 +225,7 @@ To achieve low power consumption, a popular technique known since at least
1902~\cite{suttonElectricallyprotectedStructure1902} and still used
today~\cite{cesanaTamperResistantCard2001,razaghiCircuitBoardHold2019} is to measure the deviation of the mesh's
end-to-end ohmic resistance from its baseline value. This measurement can be implemented either by directly comparing a
mesh trace's resistance with a reference resistor, or using a wheatstone bridge. Bridge circuits were already used
mesh trace's resistance with a reference resistor, or using a Wheatstone bridge. Bridge circuits were already used
in early tamper sensing mesh implementations~\cite{
ElektrischeSicherheitseinrichtungSchutze1932,
hamPrintedcircuitTypeSecurity1971,
@ -225,34 +237,29 @@ in early tamper sensing mesh implementations~\cite{
Besides tamper sensing meshes, environmental sensors such as temperature or light sensors are frequently used as a
secondary line of defence in HSMs and similar devices. By placing such sensors in the device and verifying the device is
within its nominal operating environment, tampering can be made less convenient. Modern security standards often mandate
the implementation of at least a temperature sensor to prevent cold-boot attacks on a device. A multitude of other
sensors have been proposed, including humidity sensors, vibration sensors, light sensors, magnetometers, and radiation
sensors such as X-ray sensors have been proposed. While the implementation cost of most sensor types is low, each
additional environmental sensor comes with an increased false alarm rate. Anecdotally, we have heard of light sensors
being removed from a datacenter HSM product because they caused frequent false alarms despite extensive efforts like
custom injection-molded plastic light baffles at all air vents of the device designed to prevent ingress of outside
light.
% FIXME citations?
the implementation of at least a temperature sensor to prevent cold-boot attacks on a device~\cite{
usnationalinstituteofstandardsandtechnologySecurityRequirementsCryptographic2019,
ISOIEC19790}.
A multitude of other sensors have been proposed, including vibration sensors, light sensors,
magnetometers, and radiation sensors such as X-ray sensors have been proposed. While the implementation cost of most
sensor types is low, each additional environmental sensor comes with an increased false alarm
rate~\cite{andersonSecurityEngineeringGuide2020}.
\section{A Survey of Meshes in the Wild}
Concluding the brief history of tamper sensing meshes above, we find that they were initially developed for sensitive
military applications, and their use in civil applications is a recent phenomenon. The implementation of tamper sensing
meshes in civil applications was likely catalyzed by two advancements in electronics. First, electronic components
became less expensive and more integrated reducing the cost overhead of tamper sensing circuits. Second, the mass-scale
adoption of PCB and FPC production processes enabled their use as inexpensive, high-resolution substrates for such
meshes. In this section, we will examine a large sample of recent devices that include tamper sensing meshes to gain an
In this section, we will examine a large sample of recent devices that include tamper sensing meshes to gain an
understanding of how they are implemented, and what security level they are targeted towards. Since we were unable to
acquire a nuclear weapon for our research, we limited our survey to commercial devices with a focus on card payment
terminals, which represent the most varied class of device incorporating such meshes.
acquire a nuclear weapon for our research, we limited our survey to commercial devices. While we analyzed devices across
a broad spectrum of applications, our survey includes a large variety of card payment terminals, which represent the
most varied class of device incorporating such meshes.
\subsection{Specimen Selection}
Given their niche applications and high cost, devices incorporating tamper sensing meshes tend to be hard to find. For
this survey, we chose 30 total devices including 23 different models of card payment terminals, and 7 other devices.
Some devices were procured by dumpster diving, while most were sourced from ebay. The majority of these were sold by
electronic waste recycling companies. A complete list of our specimens can be found in
Table~\ref{tab_hsm_survey_sample_list}. External photos of each device are shown in
Some devices were procured by intercepting electronic waste, while most were sourced from ebay in Februrary and March
2025. The majority of these were sold by electronic waste recycling companies. A complete list of our specimens can be
found in Table~\ref{tab_hsm_survey_sample_list}. External photos of each device are shown in
Figure~\ref{fig_hsm_survey_sample_pics} and internal photos are shown in
Figure~\ref{fig_hsm_survey_sample_internal_pics}. In the following sections, we will go into detail on the classes of
devices we selected for this study.
@ -353,12 +360,11 @@ skimming that aim to exfiltrate card data and PINs entered by the customer. The
Council (PCI SSC), an association of all major western credit card network operators assumes the role of the de-facto
standardization organization in the card payment space. Due to the international scale of the large credit card
networks, almost all payment terminals on the market irrespective of their country of origin are certified under PCI SSC
standards. Adding on to PCI's ecosystem impact, its security standards are thought out well and provide a higher level
of security than one might expect from an industry association.
standards. Adding on to PCI's ecosystem impact, its security standards are thought out well.
One reason for the high level of physical security standards in card payment applications both on the client side
(payment terminals) and on the server side (HSM appliances) is that the finance industry has been reluctant to adopt
modern cryptography. Not only are modern cryptographic protocols like Secure Multiparty Computation (SMPC) or
modern cryptography. Not only are modern cryptographic protocols like secure Multiparty Computation (MPC) or
Zero-Knowledge Proofs (ZKPs) not commonly used. Even asymmetric cryptography has only been adopted reluctantly, and
ancient ciphers such as Triple DES are still commonly referenced in industry
standards~\cite{pcisecuritystandardscouncilPaymentCardIndustry2025}. As a result, increased hardware security is
@ -373,19 +379,19 @@ terminals are cost-sensitive devices, which is reflected in the construction of
When credit card payments are handled on the web as opposed to in a physical store, HSMs are used in data centers to
handle plaintext payment data such as credit card numbers. Such HSM appliances are usually standalone rackmount devices
and are used across application domains. Depending on the application, these HSMs can be programmed with custom code, or
can be used as coprocessors through an API. In practice, the standalone appliances are just low-end computers in a
rackmount enclosure that expose the API of an internal HSM add-in card to the network. In this survey, we obtained two
devices labelled as HSMs. We were only able to procure two such devices since they are expensive, and even used
specimens of older models are usually listed for several hundreds to several thousands of EUR. Unfortunately, one of the
devices we obtained did not contain any security meshes in its case, and thus would not provide adequate protection
against advanced attacks. The other specimen we procured was a 2011 model Utimaco CryptoServer LAN. Our unit was a
white-label variant procured by premium TV encryption technology provider Irdeto, presumably used in Germany to produce
cryptographic key streams for TV signal encryption. We bought the device from a recycling company specialized on
datacenter components. The device was sold with any HDDs removed. The device consisted of an older mainboard for
embedded applications containing an Intel Core 2 Duo-brand processor and 2 GiB of DDR2 RAM, which was connected to the
HSM add-in card through PCI. The device contained a small Lithium backup battery on the add-in card, and another, larger
battery in an enclosure at the front of the device that was connected to the card through a cable. The device did not
contain any obvious case intrusion sensors.
can be used as coprocessors through an API~\cite{LunaNetworkHSM}. In practice, the standalone appliances are just
low-end computers in a rackmount enclosure that expose the API of an internal HSM add-in card to the network. In this
survey, we obtained two devices labelled as HSMs. We were only able to procure two such devices since they are
expensive, and we found that even used specimens of older models are usually listed for several hundreds to several
thousands of Euro. Unfortunately, one of the devices we obtained did not contain any security meshes in its case, and
thus would not provide adequate protection against advanced attacks. The other specimen we procured was a 2011 model
Utimaco CryptoServer LAN. Our unit was a white-label variant procured by premium TV encryption technology provider
Irdeto, presumably used in Germany to produce cryptographic key streams for TV signal encryption. We bought the device
from a recycling company specialized on datacenter components. The device was sold with any HDDs removed. The device
consisted of an older mainboard for embedded applications containing an Intel Core 2 Duo-brand processor and 2 GiB of
DDR2 RAM, which was connected to the HSM add-in card through PCI. The device contained a small Lithium backup battery on
the add-in card, and another, larger battery in an enclosure at the front of the device that was connected to the card
through a cable. The device did not contain any obvious case intrusion sensors.
\subsubsection{ATM Encrypting Pin Pads}
@ -607,6 +613,7 @@ list, we will address several common structural features that we observed across
\label{hsm_fig_materials}
\end{figure}
\todo{FIXME: Add scale / structure size to photos?}
Regular Printed Circuit Boards are frequently used to implement tamper sensing meshes as shown in
Figure~\ref{hsm_fig_materials_pcb_rigid}. PCB production is a highly advanced, large-scale industry and PCBs are
inexpensive, commodity products. PCBs can be manufactured with many layers, at almost arbitrary total thickness, and
@ -700,11 +707,11 @@ across the contact as shown in Figure~\ref{hsm_fig_connector_elastomeric}, but t
soldering. Hand soldering increases unit cost over mechanized soldering techniques such as wave soldering or reflow
soldering.
FPCs are suitable for use with standard Zero Insertion Force (ZIF) FPC connectors as shown in
Figure~\ref{hsm_fig_connector_fpc} that directly mate to a contact area, called \emph{gold fingers} in industry terms,
on the FPC. Both FPCs and rigid PCBs can be used with standard board-to-board stacking connectors such as the one
visible in the center of Figure~\ref{hsm_fig_connector_stack}, but their use on FPCs requires a stiffener on the FPC's
back side to ensure the solder joints don't break from mechanical stress when connecting or disconnecting.
FPCs are suitable for use with standard FPC connectors as shown in Figure~\ref{hsm_fig_connector_fpc}. These connectors
mate directly to a contact area on the FPC, called \emph{gold fingers} in industry terms. Both FPCs and rigid PCBs can
be used with standard board-to-board stacking connectors such as the one visible in the center of
Figure~\ref{hsm_fig_connector_stack}, but their use on FPCs requires a stiffener on the FPC's back side to ensure the
solder joints don't break from mechanical stress when connecting or disconnecting.
In our survey, we frequently found elastomeric connectors used to connect to both flexible and rigid tamper sensing mesh
assemblies. Elastomeric connectors such as the one shown in the center of Figure~\ref{hsm_fig_connector_elastomeric} are
@ -802,7 +809,7 @@ Thermoforming is a cheap industry standard process, but applied to flexible circ
only 2.5-dimensional structures can be created since the starting product is always a planar sheet. Second, the sheet
cannot be cut or contain slots or large holes before forming since it needs to be kept under a constant tension from all
sides to ensure it evenly stretches into the mold. Finally, the depth achievable in such a process is rather limited,
with no sample in our survey exceeding \qty{2}{\milli\meter}\todo{Get proper number}. Higher depths would require
with no sample in our survey exceeding \qty{2}{\milli\meter}.\todo{Get proper number} Higher depths would require
extensive deformation of the mesh circuit's plastic substrate, which could lead to tears in the mesh traces since the
particle-based conductive inks used for screen-printed electronics are inelastic. Among our samples, we saw two
instances of thermoformed meshes. First, all recent Ingenico terminals (\sampleno{H06,H13,H23,H24}) integrated an ink
@ -840,7 +847,7 @@ access by probes.
\label{fig_ingenico_forming}
\end{figure}
specimen~\sampleno{H12}, shown in Figure~\ref{hsm_fig_3d_struct_vacuum_form}, displays one further design defect. The mesh
Specimen~\sampleno{H12}, shown in Figure~\ref{hsm_fig_3d_struct_vacuum_form}, displays one further design defect. The mesh
shown does not extend to the edges of the plastic cover it has been molded into. When this cover is placed on top of a
PCB to protect components on the PCB from tampering, this leaves a large gap between the bottom edge of the mesh and the
PCB surface, through which probes can be inserted to access either the payload circuit or the mesh monitoring circuitry.
@ -928,15 +935,69 @@ terminal. While a similar result could also be achieved by milling a slot into t
PCB, the economics of PCB manufacturing are such that it may be more cost-effective to bond two standard-thickness PCBs
on top of one another instead.
Figure~\ref{hsm_fig_3d_sandwich_lid} finally shows an advanced construction technique that uses a custom PCB with a
large indent milled into its underside soldered on top of a base PCB to create a protected cavity on top of the base
PCB. This PCB lid shows a complex internal structure. It is built up in a custom stackup with a total of six layers: A
ground plane filling the top layer, then two orthogonal planar mesh layers covering the inside of the lid above the
cavity. Below this standard mesh stackup are two that are used to create a via fence structure similar to that shown in
Figure~\ref{hsm_fig_3d_sandwich_lid} shows an advanced construction technique that uses a custom PCB with a large indent
milled into its underside soldered on top of a base PCB to create a protected cavity on top of the base PCB. This PCB
lid shows a complex internal structure. It is built up in a custom stackup with a total of six layers: A ground plane
filling the top layer, then two orthogonal planar mesh layers covering the inside of the lid above the cavity. Below
this standard mesh stackup are two that are used to create a via fence structure similar to that shown in
Figure~\ref{hsm_fig_3d_sandwich_via_fence} in an attempt to protect the sides around the central cavity. Below these two
via fence layers, at the bottom of the PCB is one more layer containing the pads connecting it to the base PCB.
\subsubsection{Tabular results}
\subsubsection{CT Imaging}
\begin{figure}
\centering
\begin{subfigure}[t]{0.45\textwidth}
\centering
\includegraphics[width=\linewidth]{mesh_contact_joint.pdf}
\caption{CT section cut with part of a mesh layer and the crimped metal mesh contacts visible.}
\label{hsm_fig_ingenico_potted_ct_cut}
\end{subfigure}
\quad
\begin{subfigure}[t]{0.45\textwidth}
\centering
\includegraphics[width=\linewidth]{mesh_geom.pdf}
\caption{CT 3D reconstruction of the mesh's trace geometry.}
\label{hsm_fig_ingenico_potted_ct_3d}
\end{subfigure}
\quad
\begin{subfigure}[t]{0.45\textwidth}
\centering
\includegraphics[width=\linewidth]{ingenico_hsm_module.jpg}
\caption{Photo of the HSM module seated on the payment terminal's main PCB.}
\label{hsm_fig_ingenico_potted_seated}
\end{subfigure}
\caption[Potted module CT images]{Optical photograph and CT pictures of a potted HSM module
(specimen~\sampleno{H18}).}
\label{hsm_fig_ingenico_potted}
\end{figure}
% FIXME put the CT people in the acknowledgements! Also the microwave people!
Hardware manufacturers implementing security meshes often attempt to keep the meshes' layouts hidden as a way of
security by obscurity. In practice, this can take the form of opaque potting compounds (cf.
Figure~\ref{hsm_fig_ingenico_potted_seated}), opaque cover layers (cf. Figure~\ref{hsm_fig_materials_gold_lds}), and
burying the mesh beneath other features such as PCB ground planes (cf. Figure~\ref{hsm_fig_3d_sandwich_lid}, e.g.\
specimens~\sampleno{H03}, \sampleno{H17} and \sampleno{H32}). To circumvent such attempts, an obvious attack vector is
to use radiographical imaging techniques such as X-ray or CT imaging. To evaluate CT imaging as an attack method, we
experimentally imaged the potted HSM module of specimen~\sampleno{H18}, an Ingenico payment terminal, using an
industrial CT. Figure~\ref{hsm_fig_ingenico_potted} shows the module we analyzed and two images exported from the
resulting CT scan data. Figure~\ref{hsm_fig_ingenico_potted_ct_cut} shows a horizontal cut across part of the module. In
this cut, we can clearly identify a mesh layer with multiple traces, four solid metal contacts crimped to the mesh foil,
and two unused contact pads and mesh traces in the lower part of the picture. An attacker would be able to use this
information to target the metal contacts with a tool like a needle probe. From the CT scan we were able to measure that
the mesh of the device has a pitch of \qty{1.0}{\milli\meter}. Thus, even inserting a thin needle probe right through
one of the mesh's traces should be possible without breaking the trace.
Figure~\ref{hsm_fig_ingenico_potted_ct_3d} shows a 3D reconstruction of the mesh's conductor layout. While the
reconstruction is slightly noisy due to the limited scan time available, it contains ample detail to reconstruct the
mesh's layout and conductor count, and even to derive conductor dimensions in order to calculate resistance and other
electronic parameters. The mesh's foil is wrapped around the circuit board forming a pillow shape, which is clearly
reflected in the reconstructed 3D mesh geometry. This information could be used to guide a CNC milling machine to
selectively ablate the device's potting precisely down to the mesh's conductors to enable direct patching attacks on the
mesh.
\subsubsection{Results summary}
Below is a table representing which features discussed in the sections above we found in which of our samples. Overall,
we commonly found a combination of a rigid PCB mesh in the specimen's main PCB and and flexible meshes formed into a lid
@ -969,7 +1030,7 @@ reverse engineering.
\newcolumntype{M}{>{\centering\arraybackslash}p{4mm}}
\setlength{\tabcolsep}{0pt}
\begin{tabular}{ll|MMMMM|MMMM|MMMMM|MMMMM|MMMMM|MMM|MM}
&&\multicolumn{29}{c}{\textbf{Mesh}}\\
&&\multicolumn{29}{c}{\textbf{Specimen}}\\
\textbf{Feature} & \textbf{Figures} &
1 & 2 & 3 & 4 & 5 & 6 & 8 & 9 & 10 & 11 & 12 & 13 & 14 & 15 & 16 & 17 & 18 & 19 & 20 & 21 & 22 & 23 & 24 & 25 & 27 & 28 & 30 & 31 & 32
\\\hline
@ -1135,64 +1196,12 @@ Integrated contact pads & \ref{hsm_fig_connector_fpc}
& & & \\ % 30 - 32
\end{tabular}
\caption{Feature matrix of all specimens analyzed.}
\caption[Feature matrix of all specimens analyzed.]{Feature matrix of all specimens analyzed. Dots indicate presence
of a feature. The figures column lists which figures above contain examples of a particular feature.}
\label{tab_hsm_survey_sample_results}
\end{table}
\end{landscape}
\subsubsection{CT Imaging}
\begin{figure}
\centering
\begin{subfigure}[t]{0.45\textwidth}
\centering
\includegraphics[width=\linewidth]{mesh_contact_joint.pdf}
\caption{CT section cut with part of a mesh layer and the crimped metal mesh contacts visible.}
\label{hsm_fig_ingenico_potted_ct_cut}
\end{subfigure}
\quad
\begin{subfigure}[t]{0.45\textwidth}
\centering
\includegraphics[width=\linewidth]{mesh_geom.pdf}
\caption{CT 3D reconstruction of the mesh's trace geometry.}
\label{hsm_fig_ingenico_potted_ct_3d}
\end{subfigure}
\quad
\begin{subfigure}[t]{0.45\textwidth}
\centering
\includegraphics[width=\linewidth]{ingenico_hsm_module.jpg}
\caption{Photo of the HSM module seated on the payment terminal's main PCB.}
\label{hsm_fig_ingenico_potted_seated}
\end{subfigure}
\caption[Potted module CT images]{Optical photograph and CT pictures of a potted HSM module
(specimen~\sampleno{H18}).}
\label{hsm_fig_ingenico_potted}
\end{figure}
% FIXME put the CT people in the acknowledgements! Also the microwave people!
Hardware manufacturers implementing security meshes often attempt to keep the meshes' layouts hidden as a way of
security by obscurity. In practice, this can take the form of opaque potting compounds (cf.
Figure~\ref{hsm_fig_ingenico_potted_seated}), opaque cover layers (cf. Figure~\ref{hsm_fig_materials_gold_lds}), and
burying the mesh beneath other features such as PCB ground planes (cf. Figure~\ref{hsm_fig_3d_sandwich_lid}, e.g.\
specimens~\sampleno{H03}, \sampleno{H17} and \sampleno{H32}). To circumvent such attempts, an obvious attack vector is
to use radiographical imaging techniques such as X-ray or CT imaging. To evaluate CT imaging as an attack method, we
experimentally imaged the potted HSM module of specimen~\sampleno{H18}, an Ingenico payment terminal, using an
industrial CT. Figure~\ref{hsm_fig_ingenico_potted} shows the module we analyzed and two images exported from the
resulting CT scan data. Figure~\ref{hsm_fig_ingenico_potted_ct_cut} shows a horizontal cut across part of the module. In
this cut, we can clearly identify a mesh layer with multiple traces, four solid metal contacts crimped to the mesh foil,
and two unused contact pads and mesh traces in the lower part of the picture. An attacker would be able to use this
information to target the metal contacts with a tool like a needle probe. From the CT scan we were able to measure that
the mesh of the device has a pitch of \qty{1.0}{\milli\meter}. Thus, even inserting a thin needle probe right through
one of the mesh's traces should be possible without breaking the trace.
Figure~\ref{hsm_fig_ingenico_potted_ct_3d} shows a 3D reconstruction of the mesh's conductor layout. While the
reconstruction is slightly noisy due to the limited scan time available, it contains ample detail to reconstruct the
mesh's layout and conductor count, and even to derive conductor dimensions in order to calculate resistance and other
electronic parameters. The mesh's foil is wrapped around the circuit board forming a pillow shape, which is clearly
reflected in the reconstructed 3D mesh geometry. This information could be used to guide a CNC milling machine to
selectively ablate the device's potting precisely down to the mesh's conductors to enable direct patching attacks on the
mesh.
\section{Discussion}
In our survey, we have seen the technological state of the art to which tamper-sensing meshes have evolved since the

493
chapter-hsms/pres-harris.tex Normal file
View file

@ -0,0 +1,493 @@
\documentclass[aspectratio=169]{beamer}
\usetheme{default}
\usepackage[T1]{fontenc}
\usepackage{textcomp}
\usepackage{graphicx}
\usepackage{subcaption}
\usepackage{siunitx}
\usepackage{booktabs}
\usepackage{array}
\usepackage{ragged2e}
\usepackage{colortbl}
\usepackage{pdflscape}
\usepackage[percent]{overpic}
\usepackage[backend=biber,style=numeric,sorting=none]{biblatex}
\addbibresource{../main.bib}
\graphicspath{{figures}}
% Define custom commands if not already defined
\newcommand{\surveypic}[2]{
\begingroup
\setlength{\fboxsep}{0.2mm}
\begin{overpic}[percent,height=10mm]{#2}
\put(100,85){\makebox[0pt][r]{\colorbox{white}{\footnotesize H#1}}}
\end{overpic}
\endgroup
}
\newcommand{\sampleno}[1]{#1}
\title{Tamper-Sensing Meshes in the Wild}
\author{\textbf{Jan Sebastian Götte} \& Björn Scheuermann\\TU Darmstadt\\contact: \texttt{research@jaseg.de}}
\date{2026-03-24}
\begin{document}
\begin{frame}
\titlepage
\end{frame}
\begin{frame}{What is a Tamper Sensing Mesh?}
\begin{itemize}
\item Embedded looped conductor covering a surface
\item Detects physical intrusion
\begin{itemize}
\item Drills, saws, lasers etc.
\end{itemize}
\item Triggers some tamper response
\begin{itemize}
\item Deleting keys
\item Raising alarms
\item Explosions?
\end{itemize}
\item Widely used in HSMs, payment terminals, ATMs, nuclear weapons
\end{itemize}
\end{frame}
\begin{frame}{The History of Tamper-Sensing Meshes}
\begin{itemize}
\item \textbf{1870}: First patents using literal wire meshes to protect bank vaults~\cite{ImprovementProtectingSafes1870,ImprovementElectromagneticEnvelopes1870}
\item \textbf{1902}: Multi-layer, orthogonal meshes documented~\cite{suttonElectricallyprotectedStructure1902}
\item \textbf{1971}: Printed circuit technology adopted~\cite{hamPrintedcircuitTypeSecurity1971}
\item \textbf{1990s}: Widespread commercial adoption with cryptographic applications
\end{itemize}
Other, hard to date examples: NSA use for protecting ciphering machines~\cite{boakHistoryUSCommunications1973,boakHistoryUSCommunications1981}, US use in nuclear weapons~\cite{carterManagingNuclearOperations1987}
\end{frame}
\begin{frame}{Commercial Applications Today}
\begin{itemize}
\item Datacenter HSMs (Key management, payment processing)
\item Card Payment Terminals (PIN encryption)
\item ATM Encrypting Pin Pads (PIN encryption)
\item Key Safes for Emergency services access (Germany only?)
\item Mail Franking Machines (credit counter)
\item Slot Machines (likely for DRM)
\end{itemize}
\end{frame}
\begin{frame}{Our Survey}
\textbf{Sample Size}: 30 devices
\textbf{Device Types}:
\begin{itemize}
\item 23 Card payment terminals (Verifone, Ingenico, SumUp, etc.)
\item 3 ATM Encrypting Pin Pads (NCR, Sagem)
\item 2 HSM modules (SafeNet, Utimaco)
\item 1 Franking machine
\item 1 German slot machine CPU
\end{itemize}
\end{frame}
\begin{frame}{Mesh Materials and Structure Sizes Observed}
\begin{itemize}
\item \textbf{Rigid PCB (FR-4):} Photolithographic etching, \SIrange{100}{200}{\micro\meter}
\item \textbf{Polyimide/Copper FPC:} Photolithographic etching, \SIrange{100}{200}{\micro\meter}
\item \textbf{Silver ink FPC:} Screen printing, \SIrange{500}{3000}{\micro\meter}
\item \textbf{Carbon ink FPC:} Screen printing, \SIrange{500}{3000}{\micro\meter}
\item \textbf{Gold laser direct structuring:} Laser Direct Structuring, \SIrange{50}{200}{\micro\meter}
\item \textbf{IBM/Gore mesh:} Printed, \SIrange{200}{1500}{\micro\meter}
\end{itemize}
\end{frame}
\begin{frame}{Survey Specimens - External Photos}
\begin{figure}
\centering
\footnotesize
\begin{tabular}[c]{cccccc}
\surveypic{02}{survey_diag_S02.jpg}&
\surveypic{03}{survey_diag_S03.jpg}&
\surveypic{04}{survey_diag_S04.jpg}&
\surveypic{05}{survey_diag_S05.jpg}&
\surveypic{06}{survey_diag_S06.jpg}&
\surveypic{08}{survey_diag_S08.jpg}\\
\surveypic{09}{survey_diag_S09.jpg}&
\surveypic{10}{survey_diag_S10.jpg}&
\surveypic{11}{survey_diag_S11.jpg}&
\surveypic{12}{survey_diag_S12.jpg}&
\surveypic{13}{survey_diag_S13.jpg}&
\surveypic{14}{survey_diag_S14.jpg}\\
\surveypic{15}{survey_diag_S15.jpg}&
\surveypic{16}{survey_diag_S16.jpg}&
\surveypic{17}{survey_diag_S17.jpg}&
\surveypic{18}{survey_diag_S18.jpg}&
\surveypic{19}{survey_diag_S19.jpg}&
\surveypic{20}{survey_diag_S20.jpg}\\
\surveypic{21}{survey_diag_S21.jpg}&
\surveypic{22}{survey_diag_S22.jpg}&
\surveypic{23}{survey_diag_S23.jpg}&
\surveypic{24}{survey_diag_S24.jpg}&
\surveypic{25}{survey_diag_S25.jpg}&
\surveypic{27}{survey_diag_S27.jpg}\\
\surveypic{28}{survey_diag_S28.jpg}&
\surveypic{29}{survey_diag_S29.jpg}&
\surveypic{30}{survey_diag_S30.jpg}&
\surveypic{31}{survey_diag_S31.jpg}&
\surveypic{32}{survey_diag_S32.jpg}&
\\
\end{tabular}
\end{figure}
\end{frame}
\begin{frame}{Survey Specimens - Internal Photos}
\begin{figure}
\centering
\footnotesize
\begin{tabular}[c]{cccccc}
\surveypic{01}{survey_internal_09_S01.jpg}&
\surveypic{02}{survey_internal_20_S02.jpg}&
\surveypic{03}{survey_internal_11_S03.jpg}&
\surveypic{04}{survey_internal_03_S04.jpg}&
\surveypic{05}{survey_internal_10_S05.jpg}&
\surveypic{06}{survey_internal_08_S06.jpg}\\
\surveypic{08}{survey_internal_24_S08.jpg}&
\surveypic{09}{survey_internal_13_S09.jpg}&
\surveypic{10}{survey_internal_23_S10.jpg}&
\surveypic{11}{survey_internal_17_S11.jpg}&
\surveypic{12}{survey_internal_19_S12.jpg}&
\surveypic{13}{survey_internal_02_S13.jpg}\\
\surveypic{14}{survey_internal_00_S14.jpg}&
\surveypic{15}{survey_internal_04_S15.jpg}&
\surveypic{16}{survey_internal_05_S16.jpg}&
\surveypic{17}{survey_internal_22_S17.jpg}&
\surveypic{18}{survey_internal_21_S18.jpg}&
\surveypic{19}{survey_internal_26_S19.jpg}\\
\surveypic{20}{survey_internal_12_S20.jpg}&
\surveypic{21}{survey_internal_15_S21.jpg}&
\surveypic{22}{survey_internal_16_S22.jpg}&
\surveypic{23}{survey_internal_07_S23.jpg}&
\surveypic{24}{survey_internal_06_S24.jpg}&
\surveypic{25}{survey_internal_25_S25.jpg}\\
\surveypic{27}{survey_internal_18_S27.jpg}&
\surveypic{28}{survey_internal_14_S28.jpg}&
\surveypic{30}{survey_internal_29_S30.jpg}&
\surveypic{31}{survey_internal_27_S31.jpg}&
\surveypic{32}{survey_internal_28_S32.jpg}&
\\
\end{tabular}
\end{figure}
\end{frame}
\begin{frame}{Mesh Trace Layouts}
\begin{columns}[T]
\begin{column}{0.5\textwidth}
\centering
\begin{overpic}[width=.45\textwidth]{hsm_mesh_offset.jpg}
\put(5,92){\colorbox{white}{\footnotesize\bfseries A}}
\end{overpic}
\hspace{1mm}
\begin{overpic}[width=.45\textwidth]{hsm_mesh_orthogonal.jpg}
\put(5,92){\colorbox{white}{\footnotesize\bfseries B}}
\end{overpic}
\vspace{5mm}
\begin{overpic}[width=.45\textwidth]{hsm_utimaco_mesh_gore.jpg}
\put(5,92){\colorbox{white}{\footnotesize\bfseries C}}
\end{overpic}
\hspace{1mm}
\begin{overpic}[width=.45\textwidth]{hsm_mesh_stack_epp.jpg}
\put(5,92){\colorbox{white}{\footnotesize\bfseries D}}
\end{overpic}
\end{column}
\begin{column}{0.45\textwidth}
\raggedright
\textbf{A:} Offset layers (H12)
\textbf{B:} Orthogonal patterns (H14)
\textbf{C:} Orthogonal + area pattern (H30)
\textbf{D:} Spaced layers (H28)
\end{column}
\end{columns}
\end{frame}
\begin{frame}{Mesh Materials and Manufacturing}
\centering
\begin{tabular}{lll}
\begin{overpic}[width=.22\textwidth]{trace_material_copper_pcb.jpg}
\put(5,92){\colorbox{white}{\footnotesize\bfseries A}}
\end{overpic}
&
\begin{overpic}[width=.22\textwidth]{trace_material_copper_flex.jpg}
\put(5,92){\colorbox{white}{\footnotesize\bfseries B}}
\end{overpic}
&
\begin{overpic}[width=.22\textwidth]{trace_material_silver.jpg}
\put(5,92){\colorbox{white}{\footnotesize\bfseries C}}
\end{overpic}
\\[3mm]
\begin{overpic}[width=.22\textwidth]{trace_material_contact_gold_lds.jpg}
\put(5,92){\colorbox{white}{\footnotesize\bfseries D}}
\end{overpic}
&
\begin{overpic}[width=.22\textwidth]{trace_material_carbon.jpg}
\put(5,92){\colorbox{white}{\footnotesize\bfseries E}}
\end{overpic}
&
\begin{tabular}[b]{@{}l@{}}
\textbf{A:} Rigid PCB (H10) \\
\textbf{B:} Flexible PCB (H15) \\
\textbf{C:} Silver ink (H14) \\
\textbf{D:} Laser Direct Structuring (H32) \\
\textbf{E:} Carbon ink (H30)
\end{tabular}
\end{tabular}
\end{frame}
\begin{frame}{Mesh Connection Methods}
\centering
\begin{tabular}{ccc}
\begin{overpic}[width=.20\textwidth]{connector_castellated_edge.jpg}
\put(5,92){\colorbox{white}{\footnotesize\bfseries A}}
\end{overpic}
&
\begin{overpic}[width=.20\textwidth]{connector_elastomeric.jpg}
\put(5,92){\colorbox{white}{\footnotesize\bfseries B}}
\end{overpic}
&
\begin{overpic}[width=.20\textwidth]{connector_rf_gasket.jpg}
\put(5,92){\colorbox{white}{\footnotesize\bfseries C}}
\end{overpic}
\\[2mm]
\begin{overpic}[width=.20\textwidth]{connector_zif_fpc_2.jpg}
\put(5,92){\colorbox{white}{\footnotesize\bfseries D}}
\end{overpic}
&
\begin{overpic}[width=.20\textwidth]{connector_stacking.jpg}
\put(5,92){\colorbox{white}{\footnotesize\bfseries E}}
\end{overpic}
&
\begin{overpic}[width=.20\textwidth]{connector_metal_dome.jpg}
\put(5,92){\colorbox{white}{\footnotesize\bfseries F}}
\end{overpic}
\end{tabular}
\vspace{3mm}
\small
\textbf{A:} Direct soldering (H05) \quad
\textbf{B:} Elastomeric connector (H31) \quad
\textbf{C:} EMI gasket (H14) \\
\textbf{D:} FPC connector (H20) \quad
\textbf{E:} Stacking connector (H17) \quad
\textbf{F:} Tactile dome (H06)
\end{frame}
\begin{frame}{3D Mesh Construction Styles}
\centering
\begin{tabular}{lll}
\begin{overpic}[width=.22\textwidth]{hsm_3d_style_fold_overlap.jpg}
\put(5,92){\colorbox{white}{\footnotesize\bfseries A}}
\end{overpic}
&
\begin{overpic}[width=.22\textwidth]{hsm_3d_style_fold_no_overlap.jpg}
\put(5,92){\colorbox{white}{\footnotesize\bfseries B}}
\end{overpic}
&
\begin{overpic}[width=.22\textwidth]{3d_construction_lds_top.jpg}
\put(5,92){\colorbox{white}{\footnotesize\bfseries C}}
\end{overpic}
\\[3mm]
\begin{overpic}[width=.22\textwidth]{hsm_3d_style_vacform.jpg}
\put(5,92){\colorbox{white}{\footnotesize\bfseries D}}
\end{overpic}
&
\begin{overpic}[width=.22\textwidth]{3d_construction_cards_standalone.jpg}
\put(5,92){\colorbox{white}{\footnotesize\bfseries E}}
\end{overpic}
&
\begin{tabular}[b]{@{}l@{}}
\textbf{A:} Folded with overlap (H03) \\
\textbf{B:} Folded without overlap (H14) \\
\textbf{C:} Laser Direct Structuring (H32) \\
\textbf{D:} Thermoformed (H12) \\
\textbf{E:} House-of-Cards (H08)
\end{tabular}
\end{tabular}
\end{frame}
\begin{frame}{Thermoforming Example}
\begin{columns}[T]
\begin{column}{0.48\textwidth}
\centering
\includegraphics[width=.6\textwidth]{survey_formed_mesh_before.jpg}\\
\small Before removing lacquer
\end{column}
\begin{column}{0.48\textwidth}
\centering
\includegraphics[width=.6\textwidth]{survey_formed_mesh_after.jpg}\\
\small After removing lacquer
\end{column}
\end{columns}
\vspace{3mm}
\centering
\small Formed cavities in printed foil mesh specimen H24
\end{frame}
\begin{frame}{Sandwich-Style Construction}
\begin{columns}[T]
\begin{column}{0.5\textwidth}
\centering
\begin{overpic}[width=.45\textwidth]{3d_construction_offset_mesh_delayered_contrast_improved.jpg}
\put(5,92){\colorbox{white}{\footnotesize\bfseries A}}
\end{overpic}
\hspace{1mm}
\begin{overpic}[width=.45\textwidth]{3d_construction_via_stitch_mesh_delayer_2.jpg}
\put(5,92){\colorbox{white}{\footnotesize\bfseries B}}
\end{overpic}
\vspace{3mm}
\begin{overpic}[width=.45\textwidth]{3d_construction_planar_stack.jpg}
\put(5,92){\colorbox{white}{\footnotesize\bfseries C}}
\end{overpic}
\hspace{1mm}
\begin{overpic}[width=.45\textwidth]{3d_construction_cavity_2.jpg}
\put(5,92){\colorbox{white}{\footnotesize\bfseries D}}
\end{overpic}
\end{column}
\begin{column}{0.45\textwidth}
\raggedright
\textbf{A:} Obstacle mesh coupons (H17)
\textbf{B:} Via-fence meshes (H24)
\textbf{C:} Planar sandwich stack (H24)
\textbf{D:} PCB lid with cavity (H14)
\end{column}
\end{columns}
\end{frame}
\begin{frame}{Security Issues Observed}
\begin{itemize}
\item Incomplete mesh coverage
\item Meshes not overlapping at edges leaving gaps for probe insertion
\item Gaps at mesh-PCB interfaces
\item Thermoformed cavities with enlarged structure size at corners
\item In one case, an opaque lacquer was easily removed with acetone (without damaging the mesh!)
\item Trace patterns visible through cover layers due to surface unevenness
\end{itemize}
\end{frame}
\begin{frame}{Design Recommendations (1/2)}
\begin{itemize}
\item Commodity PCB manufacturing process design rules in the \SIrange{100}{200}{\micro\meter} range are better than the state of the art in mesh structure size
\item Avoid ink printing processes or thermoforming because of their large structure size
\item Carefully think about your literal corner cases (and edges)!
\begin{itemize}
\item Overlap meshes where possible.
\end{itemize}
\item Use potting and cover layers, but verify that they work
\begin{itemize}
\item Check that you \emph{actually} can't see what's below
\item Test their chemical resistance (and that of your mesh)
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}{Design Recommendations (2/2)}
\begin{itemize}
\item Mixing tough potting or enclosure materials and fragile mesh materials makes life harder for an attacker
\begin{itemize}
\item Consider using steel instead of plastic (also helps against X-ray inspection!)
\item Use thin substrates and thin conductive layers for the mesh
\item Balance adhesion so removing potting / cover layers tears away traces below
\end{itemize}
\item Overlap mesh layers at a 50\% structure size offset
\item Space (some) mesh layers apart in Z direction to constrain attack tools
\item Use a pressure-sensitive connection method like tactile domes or elastomeric conncetors
\end{itemize}
\end{frame}
\begin{frame}
\centering
\Huge Thank you!
\vspace{1cm}
\Large Questions?
\texttt{research@jaseg.de}
\end{frame}
\begin{frame}
\centering
Long-form version of this presentation in my thesis (pre-release, to be published this summer):
\url{https://jaseg.de/thesis-final-web.pdf}
\includegraphics{thesis_qr.png}
\end{frame}
\begin{frame}{Specimen List (1/2)}
\footnotesize
\begin{tabular}{c>{\RaggedRight\arraybackslash}p{25mm}>{\RaggedRight\arraybackslash}p{35mm}ll}
\toprule
\textbf{ID} & \textbf{Device} & \textbf{Manufacturer} & \textbf{Type} & \textbf{Year} \\
\midrule
H01 & PED & Verifone & VX 570 & ca. 2010 \\
H02 & Slot machine & Merkur / ADP & Sam 12 EC2 & ca. 2012 \\
H03 & EPP & Sagem & USA1315-4240 & 2014 \\
H04 & EPP & Sagem & USA1316-5120 & 2007 \\
H05 & PED & Xac & xAPT-103 & 2014 \\
H06 & PED & Ingenico & iCT250-11T1860A & 2016-17 \\
H08 & PED & Sagem & NOR4100-4220 & 2012 \\
H09 & PED & Hypercom & M4230 & 2010 \\
H10 & PED & Worldline & YOMANI XR & 2016 \\
H11 & PED & Banksys & C-ZAM Smash & 2004 \\
H12 & PED & Hypercom & Optimum P2100 & 2010 \\
H13 & PED & Ingenico & iCT 220-11T2938A & 2016 \\
H14 & PED & Verifone & H5000 & 2016 \\
H15 & PED & Verifone & MX 925 & 2018 \\
H16 & PED & Verifone & V200c CTLS & 2021 \\
H17 & PED & Verifone & VX 680 & 2014 \\
\bottomrule
\end{tabular}
\end{frame}
\begin{frame}{Specimen List (2/2)}
\footnotesize
\begin{tabular}{c>{\RaggedRight\arraybackslash}p{25mm}>{\RaggedRight\arraybackslash}p{35mm}ll}
\toprule
\textbf{ID} & \textbf{Device} & \textbf{Manufacturer} & \textbf{Type} & \textbf{Year} \\
\midrule
H18 & PED & Ingenico & i7910 & 2010 \\
H19 & PED & Banksys & XENTA & 2004-2011 \\
H20 & PED & Verifone & VX 520 3G & 2017 \\
H21 & PED & Verifone & V400m Plus 4G & 2018 \\
H22 & PED & Ingenico & Move 3500 & 2020 \\
H23 & PED & Ingenico & iPP 350-11T1718A & 2015 \\
H24 & PED & Ingenico & iWL255-01T2117A & 2016 \\
H25 & Franking Mach. & Neopost & IJ-25 & ca. 2001 \\
H27 & PED & Sumup & AIR1E205 & 2021 \\
H28 & EPP & NCR & 5814 UEPP & 2019 \\
H29 & HSM & SafeNet & VBD-05 & 2018 \\
H30 & HSM & Irdeto & Mayflower & 2011 \\
H31 & PED & SumUp & SumUp 3G & 2019 \\
H32 & PED & SumUp & SumUp Air & 2022 \\
\bottomrule
\end{tabular}
\vspace{3mm}
\tiny PED: Pin Entry Device; EPP: Encrypting Pin Pad; HSM: Hardware Security Module
\end{frame}
\begin{frame}[allowframebreaks]{References}
\printbibliography[heading=none]
\end{frame}
\end{document}

62
chapter-ihsm/chapter.tex
View file

@ -16,8 +16,8 @@
\section{Introduction}
\sourceattrib{This part is adapted from a paper written by me and presented by me at CHES
2022~\cite{gotteCantTouchThis2022}.}
\sourceattrib{This part is adapted from a paper written by Jan Sebastian Götte and Prof.\ Dr.\ Björn Scheuermann and
presented by Jan Sebastian Götte at CHES 2022~\cite{gotteCantTouchThis2022}.}
While information security technology has matured a great deal in the last half-century, physical security did not keep
up with the pace of the remainder of this industry. Given the right skills, physical access to a computer still often
allows full compromise. The physical security of modern server hardware hinges on what lock you put on the room it is
@ -74,8 +74,7 @@ This chapter contains the following contributions:
\label{prototype_picture}
\end{figure}
In Section~\ref{sec_related_work}, we will give an overview of the state of the art in HSM physical security. On this
basis, in Section~\ref{sec_ihsm_construction} we will elaborate the principles of our Inertial HSM approach. We will
In Section~\ref{sec_ihsm_construction} we will elaborate the principles of our Inertial HSM approach. We will
analyze its weaknesses in Section~\ref{sec_attacks}. Based on these results we have built a proof-of-concept hardware
prototype. In Section~\ref{sec_proto} we will elaborate on the design of this prototype. In Section~\ref{sec_accel_meas}
we present our characterization of an automotive MEMS accelerometer IC as a rotation sensor in this proof-of-concept
@ -86,12 +85,9 @@ prototype. We conclude this chapter with a general evaluation of our design in S
% summaries of research papers on HSMs. I have not found any actual prior art on anything involving mechanical motion
% beyond ultrasound.
In this section, we will briefly explore the history of HSMs and the state of academic research on active tamper
detection.
HSMs are an old technology that traces back decades in its electronic realization, initially being conceived by the US
NSA during the second world war~\cite{boak1973}. Today's common approach of monitoring meandering electrical traces on a
fragile foil that is wrapped around the HSM essentially transforms the security problem into the challenge to
As we elaborated in Chapter~\ref{chapter-survey}, HSMs are an old technology that traces back decades in its electronic
realization. Today's common approach of monitoring meandering electrical traces on a fragile foil that is wrapped around
the HSM essentially transforms the security problem into the challenge to
manufacture very fine electrical traces on a flexible foil~\cite{isaacs2013, immler2019,
andersonSecurityEngineeringGuide2020}. There has been some research on monitoring the HSM's interior using e.g.\
electromagnetic radiation~\cite{tobisch2020, kreft2012} or ultrasound~\cite{vrijaldenhoven2004} but none of this
@ -102,22 +98,6 @@ difference is that an HSM continuously monitors itself whereas a physical seal o
requires someone to examine it. This examination can be done by eye in the field, but it can also be carried out in a
laboratory using complex equipment. An HSM in principle has to have this examination equipment built-in.
Physical seals are used in a wide variety of applications. The most interesting ones from a research point of view that
are recorded in public literature are those used for the monitoring of nuclear material under the International Atomic
Energy Authority (IAEA). Most of these seals use the same approach that is used in Physically Unclonable Functions
(PUFs), though their development predates that of PUFs by several decades. The seal is created in a way that
intentionally causes large, random device-to-device variations. These variations are precisely recorded at deployment.
At the end of the seal's lifetime, the seal is returned to a lab and closely examined to check for any deviations from
the seal's prior recorded state. The type of variation used in these seals includes random scratches in metal parts and
random blobs of solder (IAEA metal cap seal), randomly cut optical fibers (COBRA seal), the uncontrollably random
distribution of glitter particles in a polymer matrix (COBRA seal prototypes) as well as the precise three-dimensional
surface structure of metal parts at microscopic scales (LMCV)~\cite{iaea2011}.
The IAEA's equipment portfolio does include electronic seals such as the EOSS. These devices are intended for remote
reading, similar to an HSM. They are constructed from two components: A cable that is surveilled for tampering, and a
monitoring device. The monitoring device itself is in effect an HSM and uses a security mesh foil like it is used in
commercial HSMs.
The self-destruct built into an HSM serves as a strong tamper deterrent. For illustration, compare an HSM to a computer
inside a locked safe when opposing a well-funded attacker with plenty of time. In~\cite{boak1973}, Boak asserts that
absent an HSM's capability to self-destruct, the best safes can only withstand brute force attacks by an expert for
@ -261,9 +241,9 @@ security barrier. In industry, mesh membranes are commonly used for tamper dete
systems for a variety of use cases ranging from low-security payment processing to high-security certificate management.
From this, we can conclude that a properly implemented mesh \emph{can} provide a practical level of security. In
contrast to this industry focus, academic research has largely focused on ways to fabricate enclosures that embed
characteristics of a Physically Unclonable Function as a means of tamper detection~\cite{tobisch2020,immler2019}. By
using stochastic properties of the enclosure material to form a PUF, such academic designs leverage signal processing
techniques to improve the system's security level by a significant margin.
characteristics of a PUF as a means of tamper detection~\cite{tobisch2020,immler2019}. By using stochastic properties of
the enclosure material to form a PUF, such academic designs leverage signal processing techniques to improve the
system's security level by a significant margin.
In our research, we focus on security meshes as our IHSM's tamper sensors. The cost of advanced manufacturing
techniques and special materials used in fine commercial meshes poses an obstacle to small-scale manufacturing and
@ -343,12 +323,16 @@ shaft penetrates the mesh to simplify mechanical construction.
The spinning mesh must be designed to cover the entire surface of the payload, but it suffices if it sweeps over every
part of the payload once per rotation. This means we can design longitudinal gaps into the mesh that allow outside air
to flow through to the payload. In traditional boundary-sensing HSMs, cooling of the payload processor is a serious
issue since any air duct or heat pipe would have to penetrate the HSM's security boundary. This problem can only be
solved with complex and costly siphon-style constructions, so in commercial systems, heat conduction is used
exclusively~\cite{isaacs2013}. This limits the maximum power dissipation of the payload and thus its processing power.
Using longitudinal gaps in the mesh, our setup allows direct air cooling of regular heatsinks. This unlocks much more
powerful processing capabilities that greatly increase the maximum possible power dissipation of the payload. In an
evolution of our design, the spinning mesh could even be designed to \emph{be} a cooling fan.
issue since any air duct or heat pipe would have to penetrate the HSM's security boundary~\cite{
petriePartIITechnical,
curetHardwareSecurityModule2025,
zhangTamperrespondentAssembliesPorous2023,
dragoneVentedTamperrespondentAssemblies2020}.
This problem can only be solved with complex and costly siphon-style constructions, so in commercial systems, heat
conduction is used exclusively~\cite{isaacs2013}. This limits the maximum power dissipation of the payload and thus its
processing power. Using longitudinal gaps in the mesh, our setup allows direct air cooling of regular heatsinks. This
unlocks much more powerful processing capabilities that greatly increase the maximum possible power dissipation of the
payload. In an evolution of our design, the spinning mesh could even be designed to \emph{be} a cooling fan.
Conventional HSMs are limited by the construction of their security meshes which rely on plastics as their main
structural material. The security mesh has to fit the highest components inside the HSM. Since creating a security mesh
@ -581,7 +565,8 @@ acceleration is $a=\omega^2 r$. In our example, this results in a minimum angula
\frac{1}{2\pi}\sqrt{\frac{a}{r}} = \frac{1}{2\pi}\sqrt{\frac{\SI{1000}{\meter\per\second^2}}{\SI{100}{\milli\meter}}}
\approx \SI{16}{\hertz} \approx \SI{1000}{rpm}$. From this, we can conclude that even at moderate speeds of
$\SI{1000}{rpm}$ and above, a manual attack is no longer possible and any attack would have to be carried out using some
kind of mechanical tool.
kind of mechanical tool. Literature supports this conclusion, with loss of orientation reported as early as at
\SI{70}{rpm} in an observer located on the axis of rotation~\cite{fowlerInvestigationFlowProcesses1966}.
\begin{figure}
\center
@ -976,7 +961,7 @@ the fly, without stopping the rotor.
\section{Conclusion}
\label{sec_conclusion}
In this chapter, we introduced Inertial Hardware Security Modules (IHSMs), a novel concept for the construction of
In this chapter, we introduce Inertial Hardware Security Modules (IHSMs), a novel concept for the construction of
advanced hardware security modules from simple components. We analyzed the concept for its security properties and
highlighted its ability to significantly strengthen otherwise weak tamper detection barriers. We validated our design
by creating a proof-of-concept hardware prototype. In this prototype, we have demonstrated practical solutions to the
@ -1001,5 +986,6 @@ Chapter~\ref{chapter_sampling_mesh_mon}, we will introduce a low-cost tamper sen
Time Domain Reflectometry. Using this approach, we can further strengthen the security of meshes created using simple
manufacturing processes in an IHSM. In Chapter~\ref{chapter-nice-coils}, we approach the question of a
rotation-invariant wireless inductive power supply for an IHSM and provide a planar inductor layout that minimizes
voltage ripple with IHSM rotation.
voltage ripple with IHSM rotation. In Chapters~\ref{chapter-qkd} and \ref{chapter-smpc}, we will analyze two use cases
benefitting from IHSMs and tailor the IHSM concept to their requirements.

313
chapter-introduction/chapter.tex
View file

@ -8,49 +8,12 @@
\chaptertitle{Introduction}
\label{chapter-intro}
% New draft:
%
% Passionate statement about democracy and academic freedom
%
% We live in times of rising fascist and authoritarian sentiment worldwide. While computer science and cryptography are
% often portrayed as politically neutral technologies, their practice is a political act and can have grave real-world
% consequences.
% maybe: Within mathematics and computer science, the field of cryptography is unique in that it smainstream views
% link to cypherpunks, hackers
% Hardware Security Modules (HSMs) are an example of such a political technology. The core function of HSMs is to
% protect cryptographic secrets against \emph{any} physical attack. Even though they are widely used in finance and
% business applications, in their design, they curiously embody the radical idiology of the cypherpunk and hacker
% movements.
%
% We believe physically secure devices like HSMs can be a keystone technology in the creation of secure systems for
% communication and computation in a free, democratic society. However, while current state-of-the art commercial
% devices can be expected to resist a fascist police force or even some authoritarian states' secret services, their
% physical security is still lacking due to misaligned ecosystem incentices. As Anderson put it,
% todo cite: betrusted
%
%
% Meanwhile in academia,
% In this thesis, we aim to significantly advance the field of hardware security module construction. We publish all
% designs, code and data as open source to create the groundwork for future research, and sow the seeds for a new
% generation of secure hardware that will be able to resist a rising tide of fascist and authoritarian movements.
%
%
%
% Research questions:
% 1. can hsm w/o proprietary mesh?
% 2. how do meshes look like in practice?
% 3. can we improve monitoring?
% 4. can we solve power transfer issue
% 5. applications
%
\emph{No Gods, No Masters} is an anarchist slogan originating in the 19\textsuperscript{th} century that expresses a
rejection of authorities~\cite{broussaisOriginesDeviseAnarchiste2022,guerinNoGodsNo2005,blomNoGodsNo2025}. In modern
cryptography, it is generally seen as best practice to have the least amount of parties possible involved in any
computation.
Most cryptographic problems are easily solved by involving a trusted third party (TTP).
Yet, cryptographers have time and again vocally rejected attempts to involve third parties in cryptographic
protocols~\cite{
rejection of authorities~\cite{broussaisOriginesDeviseAnarchiste2022,guerinNoGodsNo2005,blomNoGodsNo2025}. Despite its
origin in a different era, it encapsulates an approach that is commonly followed in modern cryptography. In
cryptography, it is considered best practice to have the least amount of parties possible involved in any computation.
Most cryptographic problems are easily solved by involving a trusted third party (TTP). Yet, cryptographers have time
and again vocally rejected attempts to involve third parties in cryptographic protocols~\cite{
abelsonRisksKeyRecovery1997,
abelsonKeysDoormats2015,
andersonSecurityEngineeringGuide2020,
@ -72,8 +35,8 @@ and even general computation~\cite{
aumannSecurityCovertAdversaries2010,
chorPrivateInformationRetrieval}
in a decentralized way that avoids trusted authorities.
While politically, this blanket rejection of authority represents a fringe viewpoint, in cryptography it has a long
tradition originating with the Cypherpunk and Hacker movements~\cite{
While politically, the anarchist blanket rejection of authority represents a fringe viewpoint, in cryptography it has a
long tradition originating with the Cypherpunk and Hacker movements~\cite{
andersonCypherpunkEthicsRadical2022,
hughesCypherpunksManifesto,
jarvisCryptoWarsFight2020,
@ -86,7 +49,9 @@ systems are still routinely compromised~\cite{
goldmanUnrestrainedChineseCyberattackers2025,
scott-railtonWhoseAuthorityPegasus2024,
quintinSomethingRememberUs2024,
marczakGraphiteCaughtFirst2025}.
marczakGraphiteCaughtFirst2025,
PredatorFilesTechnical2023,
PakistanMassSurveillance2025}.
A fundamental flaw of any practical cryptographic system is that secure algorithms have to run on hardware, and even
today, average computing hardware provides little physical security~\cite{
gotzfriedCacheAttacksIntel2017,
@ -95,11 +60,11 @@ today, average computing hardware provides little physical security~\cite{
moghimiTPMFAILTPMMeets2020}.
\emph{Hardware Security Modules} are a class of devices specifically designed to execute cryptographic algorithms while
providing strict physical security guarantees, but these systems are expensive,
and their physical security is often questionable (cf.~Chapter~\ref{chapter-survey})~\cite{
and their physical security is often questionable~\cite{
obermaier2018,
andersonSecurityEngineeringGuide2020}.
As \textcite{andersonSecurityEngineeringGuide2020} writes on HSMs and their security standards:
% FIXME page numbers
andersonSecurityEngineeringGuide2020},
which we will elaborate further in Chapter~\ref{chapter-survey}. \textcite{andersonSecurityEngineeringGuide2020} writes
on HSM security:
\begin{quote}
Security economics remains a big soft spot, with security chips being in many ways a market for lemons. A banker
@ -110,7 +75,6 @@ As \textcite{andersonSecurityEngineeringGuide2020} writes on HSMs and their secu
understand that level 3 can sometimes be defeated with a Swiss army knife. The buying incentive there is compliance,
and where real security clashes with operations its not surprising to see weaker standards designed to make
compliance easier.
\begin{flushright}
\textit{\textcite{andersonSecurityEngineeringGuide2020} p. 629}
\end{flushright}
@ -128,74 +92,101 @@ cryptographic engineering is Kerckhoffs' principle\footnote{
as well as a translation of the cited part from French. The original source is
\textcite{kerckhoffsCryptographieMilitaire1883}.
}, named after Dutch military cryptographer Auguste Kerckhoffs. Kerckhoffs' principle expresses that the security of a
cryptographic system should only depend on the secrecy of its keys, not on the secrecy of its design. In this way,
Kerckhoff's principle states the opposite of the widespread industry practice of \emph{Security by Obscurity}, which
aims to achieve security by making it sufficiently costly to cryptoanalyze a system that the attempt becomes
unattractive. All existing commercial HSM designs as well as some existing academic related work violate this principle
by keeping details of their implementation such as the precise mesh dimensions and manufacturing methods secret. By
publishing all details of our research into HSMs and their components, we provide the foundation for future independent
research.
cryptographic system should only depend on the secrecy of its keys, not on the secrecy of its design. Existing
commercial designs routinely contravene Kerckhoff's principle by applying the widespread industry practice of
\emph{Security by Obscurity}. Even in academic related work, the principle is sometimes violated by omitting
implementation and methodological details in the interest of patents and commercial exploitation. By publishing all
details of our research into HSMs and their components, we provide the foundation for future independent research.
Complementary to Kerckhoff's principle is the principle of least authority, which describes that in a secure system each
component should only have access to the smallest set of capabilities necessary to fulfill its purpose. Applying both to
a cryptographic system means that the system's design should be transparent and not include any hidden components or
opaque parts that cannot be inspected, and that the system's keys should be scoped to place the least amount of trust
possible in each participating party. Existing HSMs are an example of a violation of the principle of least authority
since they elevate the HSM manufacturer to a single point of failure. The tamper sensing mesh foils used in conventional
HSMs are made in proprietary, bespoke processes, and cannot be manufactured independently. Our proposed design can be
replicated from standard components and eliminates this issue.
Beyond applying Kerckhoffs' principle, publishing our design also enables independent replication. Our design is
based entirely on standard components and does not require bespoke manufacturing processes. Both commercial and academic
existing HSM tamper sensing designs require bespoke manufacturing methods or custom integrated circuits
(ICs)~\cite{
obermaierPUFfilmMethodProducing2023,
immler2019,
garbTamperSensitiveDesignPUFBased,
immlerBTREPIDBatterylessTamperresistant2018}. Custom ICs require a large up-front financial commitment to produce.
Bespoke manufacturing methods may require custom machines, training, and specialty materials, also incurring a high
startup cost. This creates a single point of failure in the manufacturer, and opens up an opportunity for a hardware
supply-chain attack~\cite{harrisonSoKSecurityArchitects2025}. Such supply chain attacks can be mitigated by
independently manufacturing our design.
\section{Research Questions and Contributions}
%%%
\section{A Note on Hardware Security Module Terminology}
Based on the current state of the field of hardware security, we deduce three overarching research questions for this
thesis that progress from theory to practical deployment.
In this thesis, we use the term \emph{Hardware Security Module (HSM)} to refer to a security device that has the
following three properties.
\begin{enumerate}
\item Can we achieve physical security without relying on conventional tamper-sensing meshes?
\item Can we monitor tamper-sensing meshes at a higher detail level than the state of the art of a single, scalar
measurement?
\item Can we create the support components necessary to integrate a system that provides a practical security
guarantee?
\item A HSM targets the prevention of any conceivable physical attack. In particular, this includes intrusion attempts
such as careful drilling or cutting into the device from any direction.
\item A HSM includes tamper sensors that when triggered result in an active tamper response, usually deleting all
cryptographic secrets and rendering the device inoperable.
\item A HSM's tamper sensing and response subsystem is continuously powered from a backup power supply, usually a
battery. Loss of power triggers the tamper response.
\end{enumerate}
To answer our first research question, we propose the Inertial Hardware Security Module (IHSM), a new type of HSM that
extends the high level of protection offered by the modern cryptographic software stack down to the hardware level,
enabling secure computation in insecure places.
This use of the term \emph{HSM} aligns with common usage of the term both in the academic literature and in everyday
conversation. Particularly the requirement of active tamper detection and response is crucial to distinguish a HSM from
simpler devices such as TPMs, smart cards or secure enclaves in SoCs. Note that our use of the term HSM is slightly
different from its use in government standards, from its use in the PCI SSC (Payment Card Industry Security Standards
Council) standards, and from its industry use.
To answer our second question, we propose improvements to the state of the art in HSM tamper sensors such as the use of
low-cost, embeddable Time-Domain Reflectometry (TDR) that not only improve the security of IHSMs, but that can even be
applied to conventional HSMs.
In industry, the term HSM is often used for solutions that are only logically segregated and that do not include any
particular defense against hardware attacks. Our conjecture is that this is a consequence of the standardization
landscape, where for applications outside of card payment processing the US FIPS
140-22~\cite{usnationalinstituteofstandardsandtechnologySecurityRequirementsCryptographic2002} standard was central to
the industry. Despite encompassing both devices that include active tamper detection and response, FIPS 140-2 did not
draw a distinction in its terminology between the two classes.
Finally, we answer our last research question by showing in two case studies how an end-to-end design of an IHSM-secured
data processing system could look like. Both case studies concern scenarios that IHSMs unlock that were previously
infeasible using conventional HSMs: Datacenter-scale Secure Multiparty Computation (SMPC) and long-range Quantum Key
Distribution (QKD) networks. As part of this effort we provide a solution adapting and improving upon the state of the
art in wireless power transfer to supply a rotating inertial HSM with a clean, stable power supply.
\subsection{Use in government standards}
We chose to publish all of our research as open source and unencumbered by patents to enable widespread adoption. IHSMs
can be custom built with only basic manufacturing capabilities at small scale and enable the deployment of secure
computation in insecure places even to small organizations such as university research departments, NGOs and small
businesses.
Under the still widely used US national standard FIPS 140 in in its 2002 version
2~\cite{usnationalinstituteofstandardsandtechnologySecurityRequirementsCryptographic2002}, a HSM would be called a
\emph{Multiple-Chip Cryptographic Module} that conforms to the standard's \emph{Security Level} 4 out of 4. Interesting
to note are that only level 4 requires any active tamper detection and response, so devices compliant only up to levels
3 and below do not align with our HSM definition. Futher of note is that according to the standard, a single-chip
solution does not require any tamper detection and response either to meet the standard's security level 4, which is in
misalignment with our definition. The standard's 2019 updated version FIPS
140-3~\cite{usnationalinstituteofstandardsandtechnologySecurityRequirementsCryptographic2019} defers to the
international standards ISO/IEC 19790 and 24759.
%\section{Cryptographic Principles and Physical Reality}
ISO/IEC 19790~\cite{ISOIEC19790} and ISO/IEC 24759~\cite{ISOIEC24759} call what we call a HSM a \emph{Hardware
Cryptographic Module} corresponding with the standards \emph{Security Level 4}. However, these standards only require
active tamper detection and response when cryptographic secrets are transmitted in plaintext between chips.
%Let's take a basic videoconferencing system as an example. In our example system's deployment, users log on to a central
%conference server, which receives and distributes the users' video streams. Allowing backdoor access to the video
%streams to some third party like a datacenter operator or a state would violate Kerckhoffs' principle since it would
%have to be hidden from the systems' participants, who would therefore not have a complete view of the systems' deployed
%architecture. The principle of least authority would also be violated since in almost all cases, such a backdoor access
%system would not see legitimate use. As a result, it would possess capabilities that almost never would be essential to
%the proper function of the videoconference system.
\subsection{Use in card payment processing (PCI SSC) standards}
%In their design, almost all modern software -- especially open source -- cleanly applies these principles. However, the
%practical reality after deployment almost always deviates from them. While backdoors are vanishingly rare in modern
%open-source software, practical deployments usually are vulnerable to physical attacks. Computer hardware generally is
%not designed with a local attacker with advanced physical attack capabilities in mind since no mitigation can fully
%prevent them---such attacks usually can only be detected, or at best slowed down. As a result, commonplace attacks
%against modern software often involve taking over the hardware at some point in the chain. Even End-to-End-Encrypted
%(E2EE) communication systems can be compromised if one of the encrypted channel's endpoints can be physically
%compromised. Corresponding \emph{digital forensics} capabilities are commonplace among state actors, and are available
%as a turnkey solution on the market.
The Payment Card Industry Security Standards Council (PCI SSC) is an association of credit card network operators that
defines standards for all layers of card payment processing, from card payment terminals in stores to the handling of
payment data in online shop backend systems.
PCI SSC terminology aligns with our definition and with common everyday use of the term HSM. In PCI SSC terminology, a
HSM is a crytographic device that has active tamper detecion and response circuitry. However, PCI SSC terminology
differs from our use of the term HSM in one nuance: In PCI SSC terminology, a HSM is specifically a datacenter device
used for backend processing of payment data. The general class of ``hardware devices performing some security function
with or without particular physical security requirements'' that ISO/IEC 19790 and other standards call a \emph{Hardware
Cryptographic Module}, in PCI SSC terminology is termed \emph{Secure Cryptographic Device (SCD)} in more recent standard
versions, which was updated from the previous term \emph{Tamper-Resistant Security Module (TRSM)}. Other than HSMs, PCI
SSC includes smartcards and card payment terminals in this category. Card payment terminals, referred to as
\emph{Pin-Entry Device (PED)} in PCI SSC standards, have to include a surprising amount of active tamper detection and
response functionality including partial coverage of areas like their main cryptographic processor and smart card reader
by battery-backed tamper-sensing meshes. Under our definition, these devices can be classified as a type of HSM.
\subsection{Tamper-Sensing Meshes}
In this thesis, we use the terms \emph{Tamper-Sensing Mesh} and \emph{Security Mesh} synonymous. We use both terms to
refer to any electrical circuit whose path is laid out to cover a surface with the intent of detecting attempts at
drilling, cutting or otherwise manipulating this surface. While the term \emph{Security Mesh} is more concise, it is
less clear to people unfamiliar with the matter. It is also polysemous, and depending on context can also refer to woven
or stamped metal meshes used as fences or as screens in front of windows to prevent break-ins. As a result, it is harder
to use in online searches, and when using Large Language Models (LLMs), it frequently leads to amusing hallucinations.
% FIXME note leo: Das ganze wirkt wie ein guter baustein für eine Einleitung. Für einen Terminologie übersicht ist es
% ansonsten auch eigentlich zu lang.
% Splitte das vielleicht auf, ein paar mehr details in den Abstract um die HSM definition etwas zu präzisieren, den rest
% in die Intro?
%%%
\section{Inertial Hardware Security Modules}
@ -218,26 +209,110 @@ IHSMs are a new design approach that utilizes mechanical motion to create secure
components. IHSMs solve the issue of creating an impenetrable tamper-sensing envelope by replacing the bespoke
tamper-sensing mesh foil with a set of simple, rigid meshes made from commodity Printed Circuit Boards (PCBs) that are
rotating at high speed. In motion, these simple PCB tamper-sensing meshes are as secure as the much more sophisticated
bespoke foils used in conventional HSMs, yet they are simpler and less expensive to manufacture. To verify that the mesh
is rotating correctly, an accelerometer is placed on the rotating mesh, and its centrifugal force reading is used to
validate its path of motion.
bespoke foils used in conventional HSMs against an attacker with access to commercially available tools, yet they are
simpler and less expensive to manufacture. To verify that the mesh is rotating correctly, an accelerometer is placed on
the rotating mesh, and its centrifugal force reading is used to validate its path of motion.
IHSMs enable the protection of much larger payloads compared to conventional mesh designs, and they can support larger
power dissipation. Combined with their low cost, this enables the implementation of high-level hardware security in
applications that previously would not have been possible to secure.
IHSMs are the first fully open source HSM with advanced tamper sensing features. Across application domains, IHSMs can
be applied to gain resistance to physical attacks in scenarios where conventional HSMs were not used because of cost,
computing power or implementation effort. Where conventional HSMs come as fully integrated devices that only expose
limited APIs to their users, IHSMs at their core are just an enclosure that the user can put whatever hardware they need
into, adapting the tamper response to their application's needs. Since the simpler tamper-sensing mesh construction of
IHSMs scales to larger payload volumes, entire servers can be protected---something that is impossible with conventional
HSMs. Since the mesh in an IHSM is constantly moving, unlike a mesh in a conventional HSM, it does not have to entirely
cover the payload. Instead, it can have gaps that allow for air flow between outside and inside, enabling active cooling
of the IHSM's payload. This cooling capability sharply increases computing power by increasing feasible payload power
dissipation by two orders of magnitude.
To the best of our knowledge, IHSMs are the first fully open source, replicable HSM with advanced tamper sensing
features. Across application domains, IHSMs can be applied to gain resistance to physical attacks in scenarios where
conventional HSMs were not used because of cost, computing power or implementation effort. Where conventional HSMs come
as fully integrated devices that only expose limited APIs to their users, IHSMs at their core are just an enclosure that
the user can put whatever hardware they need into, adapting the tamper response to their application's needs. Since the
simpler tamper-sensing mesh construction of IHSMs scales to larger payload volumes, entire servers can be
protected---something that is impossible with conventional HSMs. Since the mesh in an IHSM is constantly moving, unlike
a mesh in a conventional HSM, it does not have to entirely cover the payload. Instead, it can have gaps that allow for
air flow between outside and inside, enabling active cooling of the IHSM's payload. This cooling capability increases
computing power by increasing feasible payload power dissipation by orders of magnitude~\cite{kordyban1998}.
\section{Conclusion}
\section{Research Questions and Contributions}
Based on the current state of the field of hardware security, we deduce six overarching research questions for this
thesis that progress from theory to practical deployment.
\begin{enumerate}
\item What is the state of the art in commercial tamper sensing mesh implementations?
\item What are criteria and approaches for the design of secure tamper sensing meshes?
\item Can we achieve physical security without relying on a conventional tamper-sensing meshes that requires a
bespoke manufacturing process?
\item Can we monitor tamper-sensing meshes at a higher detail level than the state of the art of a single, scalar
measurement?
\item Can we improve the ripple voltage performance of Wireless Power Transfer (WPT) through rotating joints to
adapt it to IHSM applications?
\item What applications does our IHSM technology open up through its increase in power dissipation and size
capabilities?
\end{enumerate}
We answer our first research question in two parts. In Chapter~\ref{chapter-epa}, we analyze the hardware security
design of Germany's new national electronic health record system. Our analysis unveils a combination of problematic
choices resulting from conflicting constraints and lack of awareness. In Chapter~\ref{chapter-survey}, we present the
results of a survey across approximately 30 real world tamper sensing mesh implementations, analyzing common design
features.
The second half of our survey in Chapter~\ref{chapter-survey} answers our second research question. From our analysis of
a large corpus of devices, we deduce a list of design criteria that can be applied to increase the security of any
tamper sensing mesh implementation. To answer our third research question, in Chapter~\ref{chapter-ihsm} we propose the
Inertial Hardware Security Module (IHSM), a new type of HSM that extends the high level of protection offered by the
modern cryptographic software stack down to the hardware level, enabling secure computation in insecure places. IHSMs
can be built from basic, off-the-shelf components and do not require bespoke manufacturing processes. To answer our
fourth research question, in Chapter~\ref{chapter_sampling_mesh_mon} we propose improvements to the state of the art in
HSM tamper sensors based on the use of low-cost, embeddable Time-Domain Reflectometry (TDR). Our improvements can be
applied to both IHSMs and to conventional HSMs. IHSMs come with unique power supply constraints since their rotating
mesh must be continuously powered. A straightforward solution utilizes Wireless Power Transfer using planar inductors,
but existing WPT designs exhbit a ripple voltage due to an asymmetry of conventional planar inductors. This leads to our
fifth research question, which we solve in Chapter~\ref{chapter-nice-coils} with the design and experimental evaluation
of a new, generalized class of \emph{twisted} planar inductors that reduces voltage ripple in rotating shaft setups.
A finding of independent interest is that compared to conventional two-layer planar inductors, in our experiments our
proposed inductor design improved self-resonant frequency by up to \qty{50}{\percent} and increased inductance by up to
\qty{6.5}{\percent}. Finally, we answer our last research question by showing in two case studies how an end-to-end
design of an IHSM-secured data processing system could look like. Both case studies concern scenarios that IHSMs unlock
that were previously infeasible using conventional HSMs: In Chapter~\ref{chapter-qkd}, we explore how IHSMs enable
long-range Quantum Key Distribution (QKD) networks using trustable physically secured relay nodes and in
Chapter~\ref{chapter-smpc} we elaborate how datacenter-scale Secure Multiparty Computation (SMPC) clusters can be
created using IHSM enclosures with commercial server hardware.
\section{Contributions}
Through this thesis, we make contributions advancing the state of hardware securty across several related sub-fields.
Our contributions include:
\begin{enumerate}
\item We conduct the first large-scale survey of tamper sensing measures in the real world, analyzing approximately
30 devices.
\item From our real world observations, we systematize tamper sensing mesh construction techniques and we provide a
list of criteria improving mesh security.
\item We experimentally analyze the impact of Computed Tomography (CT) imaging on mesh security.
\item We propose the IHSM, a new concept for HSM design based on a rotating mesh that increases payload size and
power dissipation capacity while simultaneously allowing for simpler meshes constructed from standard
components.
\item We show experimental results on IHSM mesh performance obtained with a prototype IHSM.
\item We introduce an algorithm for the automatic layout of tamper-sensing meshes and its implementation on top of a
popular, open-source Electronic Design Automation (EDA) tool.
\item We introduce a high-fidelity mesh monitoring approach that uses Time-Domain Reflectometry (TDR).
\item We show a low-cost implementation of our TDR monitoring approach.
\item We evaluate the performance of our TDR monitoring implementation and demonstrate its response to a large
set of attacks. We show that it reliably distinguishes identical copies of the same mesh specimen, suggesting
PUF-like behavior.
\item We introduce a generalized design approach for low-loss planar inductors that out-peform prior approaches in
parasitic capacitance, self-resonant frequency and rotational symmetry.
\item We apply our design approach to the problem of Wireless Power Transfer to the rotating mesh of an IHSM.
\item We conduct an exhaustive experimental evaluation of the rotational symmetry of a large set of planar WPT
inductors created using our approach.
\item We analyze physically secure Quantum Key Distribution relays as an IHSM use case and develop a low-loss fiber
optic passthrough that supports an additional, secondary, independently rotating mesh shielding the shaft
passthrough of the IHSM's primary mesh.
\item We explore IHSMs for co-located high performance Multiparty Computation (MPC) setups. We demonstrate a
fan-driven IHSM mesh concept for high-availability scenarios that removes motors as a single point of failure
while providing sufficient airflow for cooling high-power server components.
\end{enumerate}
We chose to publish all of our research as open source and unencumbered by patents to enable widespread adoption. IHSMs
can be custom built with only basic manufacturing capabilities at small scale and enable the deployment of secure
computation in insecure places even to small organizations such as university research departments, NGOs and small
businesses.
Looking at the practice of applied hardware security, we observe that despite ample availability of commercial solutions
promising easy hardware security, clearly there is still a lack of solutions that provide the adaptability necessary for

34
chapter-nice-coils/chapter.tex
View file

@ -22,8 +22,9 @@ any misalignment or contamination by dust can increase wear and cause intermitta
An IHSM's data link can easily be realized using optical communication. Although power transfer using light is also
possible---and we have in fact demonstrated it in our first prototype IHSM---it comes at the disadvantage of a heavy
rotating assembly since large solar cells are needed, and it has poor end-to-end efficiency. For the large-scale meshes
needed in a high-performance IHSM tailored to SMPC applications, we engineered a better solution: A rotation-invariant
inductive Wireless Power Transfer link.
needed in a high-performance IHSM such as one tailored to SMPC applications as we will propose later in
Chapter~\ref{chapter-smpc}, we engineered a better solution: A rotation-invariant inductive Wireless Power Transfer
link.
While Wireless Power Transfer (WPT) is widely used and can be implemented in many different ways~\cite{
awuahNovelCoilDesign2023,
@ -120,15 +121,16 @@ rotation ripple at low turn counts.
\subsection{Twisted inductors}
To solve these issues, we propose a layout for circular PCB inductors that uses a number of series-connected interleaved
spirals to achieve a topological equivalent to a torus knot from mathematical knot theory. Our layout twists the
inductor's windings around one another by connecting the interleaved spiral segments with a ring of vias each on the
inside and outside of the inductor's windings. Our approach provides better performance beyond our particular use case,
and improves over conventional contemporary planar inductors applying similar principles to those which inspired the
polygonal basket-woven air coils used in early radio sets. We show that we can layout a twisted inductor for any number
of layer inversions that is co-prime to the inductor's turn count. Our approach opens up a design space for inductor
layouts that interpolate between planar spiral inductors on one end, and planar toroidal inductors on the other end. Our
approach thus generalizes a super-set to a number of previous approaches to the design of planar inductors.
To solve these issues, in this chapter we propose a layout for circular PCB inductors that uses a number of
series-connected interleaved spirals to achieve a topological equivalent to a torus knot from mathematical knot theory.
Our layout twists the inductor's windings around one another by connecting the interleaved spiral segments with a ring
of vias each on the inside and outside of the inductor's windings. Our approach provides better performance beyond our
particular use case, and improves over conventional contemporary planar inductors applying similar principles to those
which inspired the polygonal basket-woven air coils used in early radio sets. We show that we can layout a twisted
inductor for any number of layer inversions that is co-prime to the inductor's turn count. Our approach opens up a
design space for inductor layouts that interpolate between planar spiral inductors on one end, and planar toroidal
inductors on the other end. Our approach thus generalizes a super-set to a number of previous approaches to the design
of planar inductors.
We observe that in high-frequency applications, a moderate number of layer inversions increases the spacing between the
beginning and end of the inductor's conductor, where the majority of the inductor's AC current flows. This decreases the
@ -154,6 +156,10 @@ Our contributions on this matter include:
\section{Related Work}
In this section we will give an overview on related work from two primary angles. First, we will approach our question
from the application side, examining literature on Wireless Power Transfer. To conclude, we will then consider our
inductor design question from the fundamentals of inductor design.
\subsection{Inductive WPT in Practice}
Inductive WPT has been proposed in a large number of
@ -271,11 +277,11 @@ voltage differential.
The connecting order of turns was optimized at the assembly level by stacking coils in a particular
way~\cite{flemingPrinciplesElectricWave1910} and at the component level by winding coils in a particular way to minimize
the voltage differential between adjacent turns---a technique that is still used to this
day~\cite{lopeFirstSelfResonant2021}. The main winding optimization in the first category concerns winding the
day~\cite{lopeFirstSelfresonantFrequency2021}. The main winding optimization in the first category concerns winding the
turns of a cylindrical multilayer inductor not layer by layer, but instead layering them diagonally, effectively
connecting adjacent turns in a diagonal zigzag pattern. Then as now, wound inductors applying this technique were not
feasible to manufacture reliably by machine, but the technique can be closely replicated in PCB inductors as shown in
\textcite{leePrintedSpiralWinding2011a}. The main limiting factors in a PCB implementation are the requirement for a
\textcite{leePrintedSpiralWinding2011}. The main limiting factors in a PCB implementation are the requirement for a
large number of vias inside the inductor's turns limiting the achievable turn count\footnote{In PCBs, as opposed to
integrated circuits (ICs), vias limit the achievable turn count when they need to be placed in-line inside the turns as
opposed to on the inside or outside because a PCB's minimum trace/space widths are usually much smaller than the
@ -373,7 +379,7 @@ two core observations:
\end{description}
Setting the inversion count to $k=1$ in our proposed scheme yields the conventional two-layer counterwound
scheme~\cite{lopeFirstSelfResonant2021,sproHighVoltageInsulationDesign2021,leePrintedSpiralWinding2011a}.
scheme~\cite{lopeFirstSelfresonantFrequency2021,sproHighVoltageInsulationDesign2021,leePrintedSpiralWinding2011}.
\begin{figure}
\begin{center}

102
chapter-qkd/chapter.tex
View file

@ -57,7 +57,7 @@ requirements of a QKD system.
\end{figure}
In this chapter, we present several designs and a mechanical prototype adapting the Inertial Hardware Security Module
(IHSM) concept first proposed by \textcite{gotteCantTouchThis2022} to a QKD relay node. IHSMs replace the tamper sensing
(IHSM) concept that we developed in Chapter~\ref{chapter-ihsm} to a QKD relay node. IHSMs replace the tamper sensing
security mesh foil that is wrapped around the payload in conventional HSMs by a tamper-sensing cage made from
conventional circuit board material by spinning this cage at a high speed. On its own, circuit board material provides
lower tamper security than the tamper sensing foils made using bespoke manufacturing processes that are used in
@ -242,14 +242,15 @@ common fibers is usually in the range of
\subsection{Multi-fiber passthrough design}
To approach the security of the data and power connections passing through the IHSM's unprotected shaft,
\textcite{gotteCantTouchThis2022} list some shielding methods that use an independently rotating secondary tamper
sensing mesh on the inside of the primary mesh, located right next to the primary mesh's axis opening. This secondary
mesh makes accessing the payload using probes inserted through the shaft much more difficult.
\textcite{gotteCantTouchThis2022} only present conceptual drawings of these schemes, and focus on electrical signals. In
this chapter, building on these concepts, we present mechanical designs of three variations of a fiber passthrough for
IHSMs that are adapted to the limited bending radius of optical fiber: A simple disc cover, offset labyrinth meshes, and
interlocking gear meshes. We present a mechanical prototype of our offset labyrinth mesh design.
To approach the security of the data and power connections passing through the IHSM's unprotected shaft, in our
introduction of the IHSM concept in Chapter~\ref{chapter-ihsm} we listed some shielding methods that use an
independently rotating secondary tamper sensing mesh on the inside of the primary mesh, located right next to the
primary mesh's axis opening. This secondary mesh makes accessing the payload using probes inserted through the shaft
much more difficult. In our introduction in Chapter~\ref{chapter-ihsm}, we only presented conceptual drawings of these
schemes, and focused on electrical signals. In this chapter, building on these concepts, we present mechanical designs
of three variations of a fiber passthrough for IHSMs that are adapted to the limited bending radius of optical fiber: A
simple disc cover, offset labyrinth meshes, and interlocking gear meshes. We present a mechanical prototype of our
offset labyrinth mesh design.
\subsection{Simple disc cover}
@ -461,11 +462,11 @@ the amount of inter-mesh space necessary for power and data feedthroughs as well
meshes, on the other hand, this pitch increases by the offset distance. Even for a small offset this quickly adds up to
an unwieldy total mesh size.
In this section, we conceptually introduce a solution to this problem that allows for larger offsets using a design
where the two meshes interlock like gears. This does mean that the two meshes' rotation must be synchronized, but it
increases the design space of offset labyrinth meshes. For instance, in a gear setup, the wide sides of the inter-mesh
zones can be aligned to lie on the same side, so fiber passthrough can be realized more easily even without the need to
spiral the fiber around the axes of rotation.
We conceptually introduce a solution to this problem that allows for larger offsets using a design where the two meshes
interlock like gears. This does mean that the two meshes' rotation must be synchronized, but it increases the design
space of offset labyrinth meshes. For instance, in a gear setup, the wide sides of the inter-mesh zones can be aligned
to lie on the same side, so fiber passthrough can be realized more easily even without the need to spiral the fiber
around the axes of rotation.
\subsection{Mesh synchronization}
@ -474,78 +475,33 @@ In this setup, the mesh tabs act like gear teeth. Depending on the ratio between
meshes do not have to rotate at the same rate of rotation and harmonic ratios are possible. Additionally, unlike actual
gears which need to constantly maintain an area of contact, both co-rotating and counter-rotating setups are possible.
\section{Physical attacks and countermeasures}
\label{sec_attacks}
In this section we will consider possible ways to attack an IHSM-secured QKD relay, as well as potential
countermeasures.
\subsection{Attacks on the IHSM mesh}
There are two ways an attacker could attack the mesh itself if an adequate speed of rotation such as \qty{1000}{\rpm} is
used~\cite{gotteCantTouchThis2022}: Either, an attacker would have to slow down the mesh so they can perform a manual
attack, or they would have to use a robot. The first class of attack would require the attacker to falsify the readings
of the centrifugal accelerometer. MEMS accelerometers are complex devices, and the simplest way to falsify its readings
would be to attach a circuit to the accelrometer's data bus that overrides the measurement result data. Creating such a
circuit is easy, the challenge the attacker would have to overcome would be to access this bus and attach this circuit
to the mesh in motion without stopping or disturbing it. At high speeds, this would necessarily require a custom attack
robot.
\subsection{Contactless attacks on the payload}
Contactless attacks such as electromagnetic (EM) side-channel attacks or optical fault injection attacks on the payload
could conceivably be conducted from the outside of the mesh. The efficacy of EM side-channel as well as fault injection
attacks decays quickly with increased distance between probe and target, and they can be counteracted by simply placing
the QKD relay's components such that they are spaced apart from the mesh. Optical attacks, on the other hand can be
carried out even at a distance using appropriate focusing optics. The easiest way to prevent such attacks would be to
place the payload into an opaque enclosure inside the mesh.
An additional variant of optical attacks would be using a laser to cut or drill into the payload. Such attacks can be
impeded through several defense-in-depth measures. First, the payload QKD relay should be designed such that destroying
any part of it such as connecting wires or fibers causes it to fail secure. Irrespective of attacks, this is a
reasonable design objective anyway given that components could fail, and a component failure should never put the device
in an insecure state. Further, similar to other optical attacks, a shield can be used to prevent laser cutting or
drilling attacks as well with the only difference being the kind of shield. To prevent laser cutting or drilling, a
thick metal shield can be used. The large thermal mass, high thermal conductivity and reflective surface of such a
shield makes it difficult to cut. There are lasers such as pulsed Nd:YAG lasers that can cut even thick steel, but these
this cutting produces a large amount of metal plasma and debris, which would likely destroy the payload in the process.
To make sure any active laser attack is quickly detected, as a final line of defense, both mesh and payload should
include wideband optical sensors in their array of environmental tamper sensors. For instace, high-power pulsed lasers
do not deposit much heat into their target because the surface of the target is vaporized by the laser pulse too
quickly, and thus might not trigger a simple temperature alarm inside the payload. In contrast, optical sensors even
outside of the laser's wavelength range would have no trouble detecting the light emitted from the metal plasma created
by the laser's pulses on impact with the payload.
\subsection{Fast, mechanical attacks on the payload}
A final class of attacks are mechanical attacks where an attacker mechanically compromises the IHSM QKD relay so quickly
that the tamper alarm mechanism has no time to act. An instance of such an attack would be using a gun to fire a bullet
at the payload, aiming to selectively destroy parts of it that are involved in tamper alarm response before they can
act. This class of attack can be counteracted in similar ways as the previously mentioned optical attacks. Destruction
of parts of the payload should never let it fall into an insecure state, meaning that such an attack alone should never
be enough to compromise the QKD relay. There is little one can do to prevent destruction of the payload by projectile or
by explosive, but a thick metal shield around the payload would make it more difficult to selectively target part of it
using a projectile.
\section{Outlook}
\label{sec_outlook}
\subsection{Achievable security guarantees}
Like conventional HSMs, Inertial HSMs are only ever an engeineering answer to a security question. In contrast with
cryptographic solutions that can achieve provable, information-theoretic security in some cases, an IHSM's security
Like conventional HSMs, Inertial HSMs are only ever an engineering answer to a security question. In contrast with
cryptographic solutions that in some cases can achieve provable, information-theoretic security, an IHSM's security
rests upon an assumption on the engineering capabilities of an attacker. In contrast to conventional HSMs, which
achieve this engineering assumption through the manufacture of hard-to-manipulate tamper sensing meshes, Inertial HSMs
achieve it by rotating their tamper sensing mesh. In a conventional HSM, increasing the security of the tamper sensing
mesh requires fine-tuning a bespoke manufacturing process. In contrast, increasing the security of an IHSMs simply
requires making the rotor faster.
While QKD systems provide theroetically impervious security guarantees based on fundamental laws of physics, they too
are engineered systems embedded into a macroscopic world. As such, while the physics at their core might be sound
similar to how the cryptography at the heart of a HSM might be provable, like HSMs they also cannot side-step requiring
engineering solutions to security questions at the system level. As such, IHSMs complement QKD implementations, and
provide the system-level security barrier necessary for the protection of a QKD node's quantum components.
\subsection{Trust bootstrapping}
A key question in any trusted hardware deployment is how to bootstrap trust in a new device when faced with the
possibility of supply-chain attacks. Conventional HSMs are only manufactured by a single manufacturer, and the common
solution is to just trust that manufacturer. The HSM's manufacturer can factory-provision an identity key to the HSM
that can be used to ascertain the HSM's integrity during shipping to the customer.
When considering the security of a system, we often assume a steady state, where the system is already secure at the
start and then needs to resist some attack. A key question in any practical trusted hardware deployment is how to
bootstrap this initial trust in a new device when faced with the possibility of supply-chain attacks. Conventional HSMs
are only manufactured by a single manufacturer, and the common solution is to just trust that manufacturer. The HSM's
manufacturer can factory-provision an identity key to the HSM that can be used to ascertain the HSM's integrity during
shipping to the customer.
One of the key components of IHSM technology is that it does not require specialized components, or potting of the
payload. While an IHSM could be manufactured and sold as a complete unit like a conventional HSM, their more modular

91
chapter-sampling-mesh-monitor/chapter.tex
View file

@ -6,8 +6,8 @@ it.}
\section{Introduction}
\sourceattrib{This chapter is adapted from a paper written by me that will be presented by me at CHES
2026~\cite{gotteHighFidelitySecurity2026}.}
\sourceattrib{This part is adapted from a paper written by Jan Sebastian Götte and Prof.\ Dr.\ Björn Scheuermann that
will be presented by Jan Sebastian Götte at CHES 2026~\cite{gotteHighFidelitySecurity2026}.}
Security meshes continue to be the state of the art for tamper sensing in applications where sophisticated physical
attacks such as attempts at drilling or sawing through the device's enclosure to place probes must be prevented. Common
applications for such meshes include Hardware Security Modules (HSMs) used to store and process cryptographic keys
@ -19,15 +19,18 @@ two or more conductive traces that are laid out in a meandering pattern to cover
electrically monitors these traces to detect attempts at penetrating this surface.
As is often the case with security technologies, in practice a tension exists between the level of security offered by a
particular security mesh implementation and its implementation cost. Commercial designs often only coarsely monitor the
conductivity of the mesh traces and are incapable of detecting attacks that manipulate small parts of the mesh. The most
particular security mesh implementation and its implementation cost. In Chapter~\ref{chapter-survey}, we have examined a
broad range of real-world security meshes. We found that the majority of implementations use simple construction
approaches and coarse structure sizes, which results in limited security when only monitoring macroscopic parameters of
the mesh such as electrical continuity or resistance. The coarse monitoring approaches based on trace continuity that
are used in many commercial designs are incapable of detecting attacks that manipulate small parts of the mesh. The most
secure meshes are made in custom manufacturing processes. Materials such as polymer substrates are specifically chosen
such that the mesh is difficult to manipulate without breaking it. A drawback of this approach is that the specialized
manufacturing processes are difficult to replicate and that the resulting cost of the mesh is high. In some
lower-security applications such as card payment terminals, simpler approaches are still commonly used for their ease of
implementation. Often, standard copper/polyimide Flexible Printed Circuits (FPCs) or even standard Printed Circuit
Boards (PCBs) are used because of the wide availability of manufacturing services.
\todo{Integrate new scope plots!}
manufacturing processes are difficult to replicate and that the resulting cost of the mesh is high~\cite{isaacs2013}. In
some lower-security applications such as card payment terminals, simpler approaches are still commonly used for their
ease of implementation. Often, standard copper/polyimide Flexible Printed Circuits (FPCs) or even standard Printed
Circuit Boards (PCBs) are used because of the wide availability of
manufacturing services.
Inertial HSMs are one approach that enables the use of less expensive, commodity materials in high-security
applications. Several other academic approaches exist that target low-cost~\cite{
@ -45,7 +48,7 @@ applications. Several other academic approaches exist that target low-cost~\cite
High-performance mesh monitoring approaches try to characterize the mesh's physical properties with high accuracy, but
often come at the cost of specialized, expensive circuitry. Low-cost approaches utilize advanced analog techniques in
their circuitry to extract precise measurements using few components. They trade off measurement precision for lower
component cost. Besides simple monitoring, detecting tamper attempts by replacing the mesh with a macro-scale Physically
component cost. Besides simple monitoring, detecting tamper attempts by replacing the mesh with a macro-scale Physical
Unclonable Function (PUF) has also been researched~\cite{
immlerBTREPIDBatterylessTamperresistant2018,
staatAntiTamperRadioSystemLevel2022,
@ -148,8 +151,8 @@ blind spots.
obermaierMeasurementSystemCapacitive2018,
garbTamperSensitiveDesignPUFBased}
propose one of the most advanced security mesh designs in the current academic state of the art. They use a specialized
security mesh as a Physically Unclonable Function (PUF), combining tamper sensing with cryptographic key storage. In
their design, the mesh consists of a cross-hatch pattern made from several dozen individually addressable capacitive
security mesh as a Physical Unclonable Function (PUF), combining tamper sensing with cryptographic key storage. In their
design, the mesh consists of a cross-hatch pattern made from several dozen individually addressable capacitive
electrodes. They manufacture their meshes in a specialized process that results in unpredictable, random variations in
capacitance between electrodes. They propose an analog frontend that measures the precise mutual capacitance of each
pair of electrodes~\cite{obermaierMeasurementSystemCapacitive2018} using an approach similar to
@ -753,7 +756,47 @@ its switching happens in the short period between its input differential voltage
combined forward voltage of the Schottky diodes. Thus, while the \partno{74LVC} might produce slow edges overall, its
large output swing results in a high slew rate in the critical region around the zero crossing.
We observed the best result overall with the \partno{PI3HDX12211} redriver, resulting in a rise time of
\begin{figure}
\begin{center}
\begin{subfigure}{0.45\textwidth}
\centering
\includegraphics[width=\textwidth]{edge_sampling_pulse_scope.pdf}
\vspace*{-5mm}
\caption{Sampling pulse}
\label{fig_osc_risetime_samp}
\end{subfigure}
\unskip\begin{subfigure}{0.45\textwidth}
\centering
\includegraphics[width=\textwidth]{edge_stimulus_pulse_scope_normalized.pdf}
\vspace*{-5mm}
\caption{Stimulus pulse}
\label{fig_osc_risetime_stim}
\end{subfigure}
\end{center}
\vspace*{-5mm}
\caption[Pulse risetime oscilloscope measurements]{Oscilloscope measurements of the sampling pulse probed
differentially (left) and of the stimulus pulse probed single-ended and normalized (right). The 74LVC pulse is
plotted on the right Y axis in the left plot due to its large amplitude. In the right plot, it is not shown
since our measurement setup did not allow for a measurement of this amplitude.}
\label{fig_osc_risetime}
\end{figure}
Figure~\ref{fig_osc_risetime} shows the sampling and stimulus pulse edges measured using a Siglent SDS7404A
\qty{4}{\giga\hertz} oscilloscope. The stimulus pulse was directly measured single-ended, and the sampaling pulse was
measured differentially through a Siglent SAP2500D \qty{2.5}{\giga\hertz} active differential probe. These measurements
support the conclusion from Figure~\ref{fig_spec_risetime} that in raw edge risetime, \partno{MAX3748} and
\partno{TDP0604} perform fastest, with \partno{PI3HDX12211} being slightly slower. They also exhibit the large
differences in amplitude that we expect cause the differences in actual measurement performance as shwon in
Figure~\ref{fig_edge_risetime}. Note that due to the differences in measurement methodology, a direct comparison of the
rise times is not possible between these plots. The spectrum measurements do not convey amplitude information and
discard low-frequency content, but due to the very large bandwidth of the spectrum analyzer used, they will represent
the true risetime the closest. In both the self-characterization and the oscilloscope measurements, the displayed
risetime is contaminated by the measurement system. In case of the self-characterization, the stimmulus rise time is
folded into the measurement result, leading in the displayed risetime being slower by a factor of $\sqrt{2}$. Similarly,
in the oscilloscope measurements, the combined risetime of the oscilloscope frontend and active probe contaminate the
results.
We observed the best overall performance with the \partno{PI3HDX12211} redriver, resulting in a rise time of
\qty{264}{\pico\second}. In this test specimen, we fed the pulse through the amplifier twice since we had two unused
channels, and we used \qty{200}{\pico\second} clip lines on the amplifier's output for pulse shaping. We only used clip
lines here and for \partno{TDP0604} since the other amplifiers' output did not contain sufficient harmonic content.
@ -805,7 +848,7 @@ lines here and for \partno{TDP0604} since the other amplifiers' output did not c
\qty{2.86}{\meter}&
\qty{3.86}{\meter}\\
\textbf{Approximate Delay}&
\textbf{Approx. Delay}&
\qty{7.1}{\nano\second}&
\qty{13}{\nano\second}&
\qty{19}{\nano\second}&
@ -819,13 +862,13 @@ lines here and for \partno{TDP0604} since the other amplifiers' output did not c
\label{tab_mesh_spec}
\end{table}
To measure the practical performance of our prototype, we created a set of tamper sensing mesh test specimens. Each
specimen contains four separate meshes with the same area. Table~\ref{tab_mesh_spec} shows the design specifications.
Each specimen contains four separate meshes on the outer layers of a four-layer, \qty{1.0}{\milli\meter} thickness PCB,
two equal-size meshes on each side. The inner layers were used as ground. Figure\ \ref{fig_mesh_length} shows the
results of a baseline measurement of each mesh using each design variant. The step response resulting from an edge
entering the mesh and its reflection arriving back at the start after traversing the mesh back and forth is clearly
visible.
To measure the practical performance of our prototype, we created a set of tamper sensing mesh test specimens using the
algorithm described in Chapter~\ref{chapter-ihsm}. Each specimen contains four separate meshes with the same area.
Table~\ref{tab_mesh_spec} shows the design specifications. Each specimen contains four separate meshes on the outer
layers of a four-layer, \qty{1.0}{\milli\meter} thickness PCB, two equal-size meshes on each side. The inner layers were
used as ground. Figure\ \ref{fig_mesh_length} shows the results of a baseline measurement of each mesh using each design
variant. The step response resulting from an edge entering the mesh and its reflection arriving back at the start after
traversing the mesh back and forth is clearly visible.
We validated the results from Figure\ \ref{fig_mesh_length} by calculating speed of light in our mesh specimen's
substrate based on them. The resulting measurements are shown in Table\ \ref{tab_speed_of_light}. All amplifier
@ -865,7 +908,7 @@ switching.
2&
3&
4&
Calculated speed of light $c$
Calculated $c$
\\\hline
\partno{PI3HDX12211}&
@ -897,8 +940,8 @@ switching.
$\qty{1.59d8}{\meter\per\second}$\\
\end{tabular}
\end{center}
\caption[Speed of light calculations]{Speed of light and time offset calculated from delays read from the graphs in
Figure\ \ref{fig_mesh_length}. $c$ is the speed of light determined by linear fit.}
\caption[Speed of light calculations]{Speed of light $c$ and time offset calculated from delays read from the graphs
in Figure\ \ref{fig_mesh_length}. $c$ is the speed of light determined by linear fit.}
\label{tab_speed_of_light}
\end{table}

BIN
chapter-sampling-mesh-monitor/figures/edge_sampling_pulse_scope.pdf Normal file
View file

Binary file not shown.

BIN
chapter-sampling-mesh-monitor/figures/edge_stimulus_pulse_scope_normalized.pdf Normal file
View file

Binary file not shown.

2
chapter-sampling-mesh-monitor/figures/sampling-mesh-monitor

@ -1 +1 @@
Subproject commit b4dc58286d039b1d0f70ea86f9e1f2cc538d8fbb
Subproject commit cd33cff0e8b3284f26a4b87c9c9d40ae226dceed

248
chapter-smpc/chapter.tex
View file

@ -5,34 +5,39 @@
were a necessary precondition for the legalization of same sex marriage. This is also why those maintaining
positions of power will always encourage the freedom to talk about ideas, but never to act.}
\chaptertitle{Case Study: Multiparty Computation in Scalable Hardware Security Modules}
\label{chapter-smpc}
Inertial Hardware Security Modules do not only support much larger payloads compared to conventional HSMs, they also
support much higher power dissipation since they allow for direct air cooling of their payload. Because they rotate at
high speed, IHSM meshes do not need to be contiguous to provide adequate security. While a non-contiuous rotating mesh
might theoretically allow a stationary attack tool to quickly penetrate, then retract through one of the mesh's gaps
while the mesh is rotating, the time available for such an attack would be too short for a practical attack. For a mesh
with three vertical connecting segments (cf.\ Figure~\ref{fig_proto_mesh} in Chapter~\ref{chapter-ihsm}) rotating at
\qty{1000}{\rpm}, this time would be in the order of \qty{20}{\milli\second}. Conventional HSM monitoring circuits often
require a similar amount of time to react to an attack~\cite{obermaier2018}.
support much higher power dissipation since they allow for direct air cooling of their payload. The tamper-sensing
membrane of a conventional HSM must be continuous to provide security, so any heat dissipated by the payload must pass
through it. Since the polymers used in tamper sensing membranes are poor conductors of heat, and since security benefits
from a thicker tamper sensing assembly (cf.\ Chapter~\ref{chapter-survey}), power dissipation in conventional HSMs is
limited~\cite{
petriePartIITechnical,
curetHardwareSecurityModule2025,
zhangTamperrespondentAssembliesPorous2023,
dragoneVentedTamperrespondentAssemblies2020}.
Similar to how the increase in payload \emph{size} unlocks new applications such as the Quantum Key Distribution relay
use case we presented in Chapter~\ref{chapter-qkd}, this increase in sustainable power dissipation by a factor of
several hundred also unlocks a number of new applications. Especially applications that require large amounts of
computing power benefit from IHSM technology, as their needs fundamentally cannot be met by conventional HSMs.
Because IHSMs rotate at high speed, IHSM meshes do not need to be contiguous to provide adequate security. While a
non-contiguous rotating mesh might theoretically allow a stationary attack tool to quickly penetrate, then retract
through one of the mesh's gaps while the mesh is rotating, the time available for such an attack would be too short for
a practical attack (cf.\ Chapter~\ref{chapter-ihsm}). For a mesh with three vertical connecting segments (cf.\
Figure~\ref{fig_proto_mesh} in Chapter~\ref{chapter-ihsm}) rotating at \qty{1000}{\rpm}, this time would be in the order
of \qty{20}{\milli\second}. Conventional HSM monitoring circuits would likely require a similar amount of time to react
to an attack~\cite{obermaier2018}.
Similar to how the increase in payload \emph{size} of IHSMs compared to conventional HSMs unlocks new applications such
as the Quantum Key Distribution relay use case we presented in Chapter~\ref{chapter-qkd}, the increase in sustainable
power dissipation enabled by air cooling also unlocks a number of new applications. Especially applications that require
large amounts of computing power benefit from IHSM technology, as their needs fundamentally cannot be met by
conventional HSMs.
One such application that does not translate to conventional HSMs due to its need for large amounts of computing power
is Multiparty Computation (MPC). MPC is a cryptographic construct that allows several networked parties to jointly
perform a computation in such a way that the inputs to the computation remain private to the parties providing them, and
no single party must be trusted for the computation to produce the correct result. Conceptually, MPC is similar to a
secret sharing scheme that shares not just data, but computation between untrusted parties. The computation primitive
MPC offers is a cryptographic answer to the question of how to bootstrap trust in a computing system.
\todo{In this chapter, cite academic publications and patents on HSM cooling!}
%The most challenging scenarios in computing arise when multiple
%parties such as manufacturers and operators, servers and clients, or sellers and buyers need to interact through
%computation. In many practical situations, it is impossible to create a single computer that can be trusted by every
%participant. MPC is a generic solution to a multitude of such scenarios reducing the problem of creating a single,
%shared computer everyone can trust simultaneously to everyone creating their own computer that they only can trust.
MPC offers is a cryptographic tool for bootstrapping trust in a distributed computing system.
We can deconstruct the problem of trust in computing into two largely disjunct parts: Establishing trust in a computing
system during its creation is one, and maintaining this trust throughout its life is the other. For the second part of
@ -46,41 +51,43 @@ they cannot target all systems simultaneously and we give them too little time t
A limitation of both approaches is that in either case, while the party creating or acquiring the system can trust it,
they cannot prove its trustworthiness to other parties. MPC solves this issue by allowing every party to contribute
their trusted system to the protocol, cryptographically bootstrapping common trust in the computation and its
their own trusted system to the protocol, cryptographically bootstrapping common trust in the computation and its
output\footnote{
In fact, MPC does more than just bootstrapping from each participant trusting their own system to a trusted shared
computation. In an MPC protocol providing semi-honest or better security, MPC even \emph{relaxes} each party's trust
requirement from trusting their own system to trusting that any $n$-of-$k$ out of all systems contributing to the
requirement from trusting their own system to trusting any $n$-of-$k$ out of all systems contributing to the
protocol.
}.
\section{Fast MPC and Slow HSMs}
MPC is a uniquely powerful cryptographic primitive, yet it has still not found widespread practical adoption. This is
because MPC is extremely resource-intensive to run. MPC protocols exist on a continuum trading off between extreme
memory and bandwidth requirements on one end and intense computational requirements on the other end. At a first glance,
MPC and Hardware Security Modules look like they would complement each other well, but HSMs cannot keep up with the
intense computational requirements posed by MPC.
MPC is a uniquely powerful cryptographic primitive, yet it has still not found widespread practical adoption. To a large
extent, this is because MPC is extremely resource-intensive to run. MPC protocols exist on a continuum trading off
between extreme memory and bandwidth requirements on one end and intense computational requirements on the other end. At
a first glance, MPC and Hardware Security Modules look like they would complement each other well, but HSMs cannot keep
up with the computational requirements posed by MPC.
Using P-256 curve ECC key generation as a benchmark, commercially available HSMs are quoted to perform between 3500 and
22000 cryptographic operations per second~\cite{
Using P-256 curve ECC key generation as a benchmark, commercially available HSMs are quoted to perform between 3,500 and
22,000 cryptographic operations per second~\cite{
kumarIBMZ16Performance2025,
ThalesLunaNetwork2024,
Utrust_GP_HSM_Se_Series_Datasheet_ENpdf,
}. Meanwhile, an MPC protocol doing something as simple as a single AES encryption, corresponding to 7000 logic
}. Meanwhile, an MPC protocol doing something as simple as a single AES encryption, corresponding to 7,000 logic
gates~\cite{wangGlobalScaleSecureMultiparty2017}, requires tens of thousands of cryptographic operations when performed
in MPC. As a result, applying conventional HSMs to MPC at any practical scale is infeasible by multiple orders of
magnitude. Literature on MPC commonly uses server hardware as a platform for benchmarks.
magnitude. Literature on MPC commonly uses server hardware as a platform for benchmarks, which has power dissipation and
processing speeds well beyond that of conventional HSMs.
HSMs are slow compared to contemporary computers because they are limited in their power dissipation, and power
dissipation is largely proportional to processing speed. In the limited fields where HSMs have found commercial
application, this limitation was never considered important and market forces pushing towards faster HSMs remain
light\todo{Can we find a citation here?}. Fundamentally, conventional HSMs must envelope the entire payload in a tamper
sensing mesh to detect drilling attacks, but a tamper sensing mesh that is impermeable to a drill is also impermeable to
air. As a result, any heat conducted from the HSMs processor to the outside world must pass through the mesh. At the
same time, the mesh cannot be thinned either because thinning it would enable micro-drilling attacks. The result of
these constraints is a high thermal resistance between the HSM's processor and an external heat sink, which limits
maximum power dissipation to a fraction of what is achieved in modern CPUs or even GPUs.
application, this limitation was never considered important and market forces pushing towards faster HSMs appear to
remain light with the issue receiving little attention in either academic or manufacturer publications on the topic.
Fundamentally, conventional HSMs must envelope the entire payload in a tamper sensing mesh to detect drilling attacks,
but a tamper sensing mesh that is impermeable to a drill is also impermeable to air. As a result, any heat conducted
from the HSMs processor to the outside world must pass through the mesh. At the same time, the mesh cannot be thinned
either because thinning it would enable micro-drilling attacks. The result of these constraints is a high thermal
resistance between the HSM's processor and an external heat sink, which limits maximum power dissipation to a fraction
of that of modern CPUs or even GPUs.
A secondary limitation of conventional HSMs is that the highly specialized tamper sensing foils used in their
construction often cannot be scaled to arbitray sizes without incurring unsustainable process yields due to the
@ -92,10 +99,9 @@ components such as memory, power supplies and any internal heat spreading compon
Inertial HSMs solve this issue since they allow their payload to be air cooled without compromising security, and they
expand the feasible security boundary size from the several hundred milliliters offered by conventional HSMs to several
liters and more, enabling the integration of standard, off-the-shelf server components such as mainboards, CPUs, CPU
coolers, and power supplies. In this chapter, we will first provide a short overview of the theory of MPC before
elaborating a design of an IHSM tailored to MPC tasks including performance calculations and unique design aspects. We
will conclude with an outlook of applications unlocked by our design as well as promising areas for future improvements
of our design.
coolers, and power supplies. In this chapter, we will first provide a short overview illustrating a basic MPC protocol
for context before elaborating a design of an IHSM tailored to MPC tasks. We will conclude with an outlook of
applications unlocked by our design as well as promising areas for future improvements of our design.
\section{The Fundamentals of Multiparty Computation}
@ -122,7 +128,8 @@ real-world settings where parties do not have stable identities such as peer-to-
mostly interesting as a research tool since protocols assuming a semi-honest adversary can often be upgraded to covert
or malicious security at some performance tradeoff. In a practical setting, a semi-honest secure MPC protocol would not
provide additional security over just having one party run the computation except in some situations where inadvertent
side-channel leakage is a concern.
side-channel leakage is a concern. Using HSMs to secure protocol participants' cryptographic computations complements
both the covert and malicious security models.
\subsection{Oblivious Transfer}
@ -141,19 +148,17 @@ Transfer Extensions (OTe)\cite{ishaiExtendingObliviousTransfers2003}. Using OTe,
base Oblivious Transfer instances can be extended into an arbitrarily large number of Oblivious Transfer instances using
only invocations of a pseudo-random function (PRF) such as a cryptographic hash function.
\subsection{Boolean MPC with Yao's Garbled Circuits}
% Yao's Garbled Circuits
Yao's Garbled Circuits (GC) protocol is one of the oldest Multiparty Computation protocols, dating back to the 1980ies.
In Yao's GC, two parties jointly compute a function that is represented as a circuit of binary logic gates by evaluating
the circuit gate by gate. In Yao's GC, one party, generator, creates a random \emph{garbled} representation of the
circuit and sends it to the other party, the evaluator, who computes its output. The core idea in Yao's GC is that every
wire $w_i$ in the circuit is assigned two random cryptographic secret keys $w_i^b$, called wire labels, one $w_i^0$ for
the logical value $0$ and one $w_i^1$ for the value $1$. The mapping from logic values to these keys is assigned
randomly by the generator, and unknown to the evaluator~\cite{
yaoHowGenerateExchange1986,
beaverComplexitySecureProtocols1990,
evansPragmaticIntroductionSecure,
}.
\subsection{A basic MPC protocol: Boolean MPC with Yao's Garbled Circuits}
As a basic example of the approach taken by MPC protocols, we will give a brief overview of Yao's Garbled Circuits (GC)
protocol. Yao's GC is one of the oldest Multiparty Computation protocols, dating back to the 1980ies. In Yao's GC, two
parties jointly compute a function that is represented as a circuit of binary logic gates by evaluating the circuit gate
by gate. In Yao's GC, one party, generator, creates a random \emph{garbled} representation of the circuit and sends it
to the other party, the evaluator, who computes its output. The core idea in Yao's GC is that every wire $w_i$ in the
circuit is assigned two random cryptographic secret keys $w_i^b$, called wire labels, one $w_i^0$ for the logical value
$0$ and one $w_i^1$ for the value $1$. The mapping from logic values to these keys is assigned randomly by the
generator, and unknown to the
evaluator~\cite{yaoHowGenerateExchange1986,beaverComplexitySecureProtocols1990,evansPragmaticIntroductionSecure}.
Gates are represented in Yao's GC as truth tables with one row for every combination of input wire values. Each row of
these truth tables contains the output wire label (i.e. secret key) corresponding to the gate's logical output value for
@ -188,28 +193,8 @@ evaluations of a pseudorandom function such as a cryptographic hash or a cipher.
Garbled Circuit is many times slower than performing it in the clear. Intuitively, each single-bit gate in the garbled
circuit results in several cryptographic operations with input and output sizes of dozens or hundreds of bits.
Practically useful functions such as AES encryption have circuit implementations measuring thousands or tens of
thousands of gates, meaning these costs quickly escalate for practical problem sizes~\cite{
boyarNewCombinationalLogic2010,
songhoriTinyGarbleHighlyCompressed2015,
}.
% FIXME This entire connecting section
%\subsection{Practical Application}
%\subsubsection{Preprocessing and Online Phases}
%\subsubsection{Constant-Round MPC}
% \subsection{Performance}
% zahurTwoHalvesMake2015,wangGlobalScaleSecureMultiparty2017,kellerMPSPDZVersatileFramework2020,dalskovFantasticFourHonestMajority
% \subsection{Practical Deployments}
% \subsection{Solutions}
% \subsection{Hardware Security Applied to MPC}
% Hardware security primitives can be applied in several roles in an MPC protocol.
thousands of gates, meaning these costs quickly escalate for practical problem
sizes~\cite{boyarNewCombinationalLogic2010, songhoriTinyGarbleHighlyCompressed2015}.
\section{A High-Performance IHSM for MPC Applications}
@ -219,24 +204,17 @@ implemented using CPU processing. The technology comes with an unavoidable incre
each single plaintext computation or gate results in several cryptographic operations.
A naive implementation might attempt to implement MPC using an HSM by simply offloading all cryptographic operations to
the HSM. In practice, this is not a workable solution due to the slow processing speed of conventional HSMs.
Conventional HSMs use low-power embedded processors since their encapsulation using potting and security meshes impedes
heat transfer, limiting power dissipation.
In the near term, absent radical developments in either MPC theory or in the speed and power efficiency of processing
hardware, the only feasible solution for HSM-protected MPC at any practical scale is to find a way to protect an entire
server-class computer. As elaborated above, IHSMs are a natural fit for this requirement since they allow for large,
air-cooled payloads.
%\subsection{Hardware Requirements}
the HSM. In practice, this is not a workable solution due to the slow processing speed of conventional HSMs. In the near
term, absent radical developments in either MPC theory or in the speed and power efficiency of processing hardware, the
only feasible solution for HSM-protected MPC at any practical scale is to find a way to protect an entire server-class
computer. IHSMs are a natural fit for this requirement since they allow for large, air-cooled payloads.
As a baseline performance target, we consider a commodity server mainboard in CEB or ATX form factor, populated with a
high-end server CPU and a large amount of RAM. As MPC systems do not usually require a great amount of storage, we can
largely ignore storage for our size and power calculations.\todo{Refer to performance numbers from research above here}
As a result, we end up with a total maximum power dissipation of approximately \qty{420}{\watt} as shown in
Table~\ref{tab_power_budget}. Dissipating this amount of power using air cooling is within the capabilities of commodity
server cooling components~\cite{coroamaPossibleFutureTrends2025}.
largely ignore storage for our size and power calculations. As a result, we end up with a total maximum power
dissipation of approximately \qty{420}{\watt} as shown in Table~\ref{tab_power_budget}. Dissipating this amount of power
using air cooling is within the capabilities of commodity server cooling
components~\cite{coroamaPossibleFutureTrends2025}.
\begin{table}
\centering
@ -255,16 +233,16 @@ server cooling components~\cite{coroamaPossibleFutureTrends2025}.
A common type of side-channel attack on cryptographic systems are power analysis attacks. In such attacks, the supply
current of the target processing system is measured at high speed while the target is performing cryptographic
computations. By aggregating the results of a large number of the resulting power traces, it is often possible to infer
the value of secret data such as cryptographic keys. To mitigate this type of attack, not only do we have to place the
CPU, mainboard, and memory inside of the HSM's tamper-sensing barrier, but also the power supply. A secondary benefit of
placing the power supply inside the tamper-sensing barrier is that it simplifies the power wiring between the outside of
the IHSM cage and the payload. Supplying the \qty{12}{\volt} power rails that commodity mainboard commonly use requires
tens of Ampere. To carrie such high current, the wiring has to be sized accordingly. In an IHSM, even thick wires can
easily be passed through the mesh cage, but such wiring requires a large opening at the shaft on one end of the cage,
which creates a literal security gap. Placing the power supply inside of the cage reduces the size of the wires needed
since the power supply steps down a lower current \qty{240}{\volt} input to the system's high-current \qty{12}{\volt}
rails. According to DIN VDE 0298-4\todo{Citation?}, a pair of \qty{1.5}{\milli\meter^2} conductors is sufficient for
more than \qty{3}{\kilo\watt} of load under worst-case conditions.
the value of secret data such as cryptographic keys. To mitigate this type of attack, we propose placing the system's
power supply inside the IHSM envelope. A secondary benefit of placing the power supply inside the tamper-sensing barrier
is that it simplifies the power wiring between the outside of the IHSM cage and the payload. Supplying the
\qty{12}{\volt} power rails that commodity mainboard commonly use requires tens of Ampere. To carry such high current,
the wiring has to be sized accordingly. In an IHSM, even thick wires can easily be passed through the mesh cage, but
such wiring requires a large opening at the shaft on one end of the cage, which creates a literal security gap. Placing
the power supply inside of the cage reduces the size of the wires needed since the power supply steps down a lower
current \qty{240}{\volt} input to the system's high-current \qty{12}{\volt} rails. Using DIN VDE 0298-4\todo{Citation?}
as a reference, a pair of \qty{1.5}{\milli\meter^2} conductors is sufficient for more than \qty{3}{\kilo\watt} of load
under worst-case conditions.
\subsection{Software Considerations}
@ -286,31 +264,61 @@ software without effectively running a system emulation and incurring a massive
Intel and AMD contain hardware features that provide transparent DRAM encryption. These hardware features would be
necessary when securing an entire sever in an MPC setup with IHSMS technology.
% \subsection{Fast Zeroization of Non-Customizable Memories}
% Thermite experiements and paper
\subsection{A Joint Cooling and IHSM Envelope Powertrain}
In this section, we will present a sketch of a design for an IHSM envelope large enough to fit a small server mainboard,
and that provides air cooling to the payload. Our sketch solves the engineering issue of moving such an IHSM envelope
while simultaneously providing cooling to the payload.
% FIXME picture!
Our proposed design is based on the idea of using the cooling fans' airflow to power the rotation of the IHSM envelope.
Using the basic cylindrical design, the IHSM envelope consists of two discs above and below the payload that are
connected through vertical struts containing part of the tamper-sensing mesh on the outside of the payload. We propose
widening these vertical connecting struts, and angling them such that the entire envelope becomes a centrifugal
impeller. By letting air flow into the envelope from the side, and back out through its top and bottom, the envelope
assumes the same configuration used in centrifugal cooling fans. A secondary advantage of this concept is that we do not
need a motor on the envelope's shaft, saving vertical space and one difficult to source part. Furthermore, the cooling
fans can be located on the outside of the envelope in an easily accessible location, and can be set up in a redundant
way such that a failed cooling fan can be replaced while the system continues operation. The only disadvantage of this
solution over a direct motor drive is noise. To achieve the speed necessary for sufficient security at the large
envelope diameter of an MPC accelerator application, high-airflow fans must be used, which are very noisy when at full
speed. We consider this a valid tradeoff since such a system would be deployed in a datacenter where high noise levels
are acceptable.
\begin{figure}
\centering
\begin{subfigure}{0.45\textwidth}
\centering
\includegraphics[width=\textwidth]{setup_0001.jpg}
\caption{}
\label{fig_setup_left}
\end{subfigure}
\hspace*{5mm}
\begin{subfigure}{0.45\textwidth}
\centering
\includegraphics[width=\textwidth]{setup_0002.jpg}
\caption{}
\label{fig_setup_right}
\end{subfigure}
\caption{Conceptual demonstrator of the fan-driven IHSM primary mesh approach.}
\label{fig_setup}
\end{figure}
\todo{Finish sketch!}
Our proposed design is based on the idea of using the cooling fans' airflow to power the rotation of the IHSM envelope.
Figure~\ref{fig_setup} shows a conceptual demonstration of this approach. Using a basic cylindrical design, the IHSM
envelope consists of two discs above and below the payload that are connected through vertical struts on the outside of
the payload. We propose widening these vertical connecting struts, and angling them such that the entire envelope
becomes a centrifugal impeller. By letting air flow into the envelope from the side, and back out through its top and
bottom, the envelope assumes the same configuration used in centrifugal cooling fans. Tamper sensing meshes are placed
inside the vertical struts as well as along the horizontal discs at the top and at the bottom.
Laying out an IHSM this way has several advantages. First, we save some vertical space by removing the motor from the
shaft of the mesh. Second, on top of driving the mesh, the airflow also serves to cool the payload. Finally, this
approach eliminates the motor driving the mesh as a single point of failure. In a basic IHSM design as we introduced it
in Chapter~\ref{chapter-ihsm}, this motor is a critical component as its failure would lead to the mesh accelerometer
triggering the deceleration tamper alarm. Using a brushless motor type the number of wear components in this motor can
be reduced to the motor's shaft bearings. A complication in the practical manufacturing of IHSMs at a small scale is
that small-scale production does not allow for a custom-made motor. Limiting the selection to off-the-shelf brushless
motors leads to an unpredictability of bearing life due to the cost of precision bearings. Complicating things, bearing
specifications are not usually included in motor datasheets.
Compared to the market for off-the-shelf small brushless motors, cooling fans are easier to shop for. A large selection
of products with various form factors and specifications is available, and manufacturers usually give detailed
information on both performance and lifetime. Industrial and server cooling fans are commonly rated for uninterrupted
24/7 operation. The cooling fans can be located on the outside of the envelope in an easily accessible location. Like in
many servers, they can be set up in a redundant way such that a failed cooling fan can be replaced while the system
continues to operate.
The main drawback of a fan-driven IHSM is the amount of airflow necessary. To maximize payload volume, the fan blades
must be kept as narrow as possible. Narrow fan blades work best at high air speed, but high air speed requires the fan
to have high airflow. Besides limiting fan selection and increasing power consumption, high airflow fans also are noisy.
Despite these limitations, we consider fan-driven IHSMs a valid tradeoff since such a system would most likely be
deployed in a datacenter where high noise levels are acceptable.
\section{Outlook}

BIN
chapter-smpc/figures/setup_0001.jpg Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 353 KiB

BIN
chapter-smpc/figures/setup_0002.jpg Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 316 KiB

49
common-defs.tex
View file

@ -7,11 +7,13 @@
\usepackage[
backend=biber,
style=numeric,
backref=true,
natbib=true,
url=false,
doi=true,
eprint=false,
refsegment=chapter,
date=iso,
]{biblatex}
\addbibresource{main.bib}
\DeclareSourcemap{
@ -52,12 +54,20 @@
\ifdefined\thesispreviewmode %
(draft \texttt{\input{version.tex}\unskip}) %
\fi %
\leftmark}
\fancyhead[OL]{\footnotesize\rightmark}
\leftmark}
\fancyhead[OL]{\footnotesize%
\ifdefined\thesisoneside %
\leftmark%
\ifdefined\thesispreviewmode %
\\(draft \texttt{\input{version.tex}\unskip}) %
\fi %
\else%
\rightmark%
\fi}
\fancyhead[EL,OR]{\thepage}
\fancyfoot[LCR]{}
\setlength{\headheight}{13.6pt}
\fancypagestyle{plain}{%
\fancyhf{}%
\renewcommand{\headrulewidth}{0pt}%
@ -165,12 +175,45 @@
\printbibliography[nottype={online},nottype={patent},heading=subbibliography,resetnumbers=false,segment=\therefsegment]
}
% Fix for random mixed date formats, generated with claude.ai
% Redefine the date printing macro
\renewbibmacro*{date}{%
\iffieldundef{year}
{}
{\printtext{%
\thefield{year}%
\iffieldundef{month}
{}
{-\mkdatezeros{\thefield{month}}%
\iffieldundef{day}
{}
{-\mkdatezeros{\thefield{day}}}}%
}}%
}
% Redefine urldate printing
\renewbibmacro*{urldate}{%
\iffieldundef{urlyear}
{}
{\printtext[urldate]{%
\thefield{urlyear}%
\iffieldundef{urlmonth}
{}
{-\mkdatezeros{\thefield{urlmonth}}%
\iffieldundef{urlday}
{}
{-\mkdatezeros{\thefield{urlday}}}}%
}}%
}
% end fix
\newrefcontext{defref}
\hyphenation{a-me-na-ble}
\hyphenation{da-ta-cen-ter}
\hyphenation{Si-cher-heits-mo-du-l}
\hyphenation{Si-cher-heits-mo-du-le}
\babelhyphenation[ngerman]{Si-cher-heits-mo-dul}
\setstretch{1.3}

BIN
defence/pearson-corr-1.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 25 KiB

BIN
defence/pearson-corr-sample-1.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 24 KiB

21
defence/pearson-corr-sample.tex Normal file
View file

@ -0,0 +1,21 @@
\documentclass[convert={density=500}, border=2pt, varwidth=3in]{standalone}
\usepackage{amsmath}
\usepackage{amssymb}
\begin{document}
\begin{align*}
r_{X, Y} &= \frac{
\sum_{i=1}^n(x_i - \overline{x})(y_i - \overline{y})
}{
\sqrt{
\sum_{i=1}^n(x_i-\overline{x})^2
}
\sqrt{
\sum_{i=1}^n(y_i-\overline{y})^2
}
}
\end{align*}
\end{document}

12
defence/pearson-corr.tex Normal file
View file

@ -0,0 +1,12 @@
\documentclass[convert={density=500}, border=2pt, varwidth=2in]{standalone}
\usepackage{amsmath}
\usepackage{amssymb}
\begin{document}
\begin{align*}
\rho_{X,Y} &= \frac{\mathrm{cov}\left(X, Y\right)}{\sigma_X \sigma_Y}
\end{align*}
\end{document}

BIN
defence/phd defence pulse shaping.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 73 KiB

957
defence/phd defence pulse shaping.svg Normal file
View file

@ -0,0 +1,957 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!-- Created with Inkscape (http://www.inkscape.org/) -->
<svg
width="370mm"
height="130mm"
viewBox="0 0 370 130"
version="1.1"
id="svg1"
inkscape:version="1.4.3 (0d15f75042, 2025-12-25)"
sodipodi:docname="phd defence pulse shaping.svg"
inkscape:export-filename="phd defence pulse shaping.png"
inkscape:export-xdpi="96"
inkscape:export-ydpi="96"
xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns="http://www.w3.org/2000/svg"
xmlns:svg="http://www.w3.org/2000/svg">
<sodipodi:namedview
id="namedview1"
pagecolor="#ffffff"
bordercolor="#666666"
borderopacity="1.0"
inkscape:showpageshadow="2"
inkscape:pageopacity="0.0"
inkscape:pagecheckerboard="0"
inkscape:deskcolor="#d1d1d1"
inkscape:document-units="mm"
showguides="true"
inkscape:zoom="0.76530729"
inkscape:cx="755.90551"
inkscape:cy="186.19972"
inkscape:window-width="1920"
inkscape:window-height="1011"
inkscape:window-x="0"
inkscape:window-y="0"
inkscape:window-maximized="1"
inkscape:current-layer="layer1">
<sodipodi:guide
position="248.21932,98.214501"
orientation="1,0"
id="guide87"
inkscape:locked="false" />
</sodipodi:namedview>
<defs
id="defs1">
<rect
x="953.65973"
y="610.6676"
width="100.02054"
height="89.777473"
id="rect80" />
<rect
x="746.53888"
y="302.1705"
width="206.97021"
height="116.59021"
id="rect19" />
<rect
x="746.53888"
y="302.1705"
width="206.97021"
height="116.59021"
id="rect21" />
<rect
x="746.53888"
y="302.1705"
width="227.89349"
height="103.19007"
id="rect52" />
<rect
x="746.53888"
y="302.1705"
width="208.64201"
height="116.03049"
id="rect53" />
<rect
x="746.53888"
y="302.1705"
width="208.64201"
height="116.03049"
id="rect60" />
<rect
x="746.53888"
y="302.1705"
width="208.64201"
height="116.03049"
id="rect61" />
<rect
x="953.65973"
y="610.6676"
width="100.02054"
height="89.777473"
id="rect81" />
<rect
x="746.53888"
y="302.1705"
width="208.64201"
height="116.03049"
id="rect101" />
<rect
x="746.53888"
y="302.1705"
width="206.97021"
height="116.59021"
id="rect19-0" />
<rect
x="746.53888"
y="302.1705"
width="206.97021"
height="116.59021"
id="rect121" />
<rect
x="746.53888"
y="302.1705"
width="206.97021"
height="116.59021"
id="rect122" />
<rect
x="746.53888"
y="302.1705"
width="206.97021"
height="116.59021"
id="rect121-3" />
<rect
x="746.53888"
y="302.1705"
width="206.97021"
height="116.59021"
id="rect122-8" />
<rect
x="746.53888"
y="302.1705"
width="171.10724"
height="119.79226"
id="rect127" />
<rect
x="746.53888"
y="302.1705"
width="206.97021"
height="116.59021"
id="rect121-1" />
<rect
x="746.53888"
y="302.1705"
width="206.97021"
height="116.59021"
id="rect122-9" />
<rect
x="746.53888"
y="302.1705"
width="129.1076"
height="122.65836"
id="rect52-1" />
<rect
x="746.53888"
y="302.1705"
width="129.1076"
height="122.65836"
id="rect150" />
<rect
x="746.53888"
y="302.1705"
width="129.1076"
height="122.65836"
id="rect174" />
<rect
x="746.53888"
y="302.1705"
width="237.56361"
height="114.82543"
id="rect174-6" />
<rect
x="746.53888"
y="302.1705"
width="206.97021"
height="116.59021"
id="rect19-7" />
<rect
x="746.53888"
y="302.1705"
width="206.97021"
height="116.59021"
id="rect21-6" />
<rect
x="746.53888"
y="302.1705"
width="446.81161"
height="78.359024"
id="rect203" />
<rect
x="746.53888"
y="302.1705"
width="237.56361"
height="114.82543"
id="rect255" />
<rect
x="746.53888"
y="302.1705"
width="129.1076"
height="122.65836"
id="rect52-1-6" />
<rect
x="746.53888"
y="302.1705"
width="206.97021"
height="116.59021"
id="rect121-3-4" />
<rect
x="746.53888"
y="302.1705"
width="206.97021"
height="116.59021"
id="rect256" />
<rect
x="746.53888"
y="302.1705"
width="206.97021"
height="116.59021"
id="rect257" />
<rect
x="746.53888"
y="302.1705"
width="206.97021"
height="116.59021"
id="rect258" />
<rect
x="746.53888"
y="302.1705"
width="206.97021"
height="116.59021"
id="rect259" />
<rect
x="746.53888"
y="302.1705"
width="206.97021"
height="116.59021"
id="rect260" />
<rect
x="746.53888"
y="302.1705"
width="206.97021"
height="116.59021"
id="rect262" />
<rect
x="746.53888"
y="302.1705"
width="206.97021"
height="116.59021"
id="rect263" />
<rect
x="746.53888"
y="302.1705"
width="206.97021"
height="116.59021"
id="rect264" />
<rect
x="746.53888"
y="302.1705"
width="208.64201"
height="116.03049"
id="rect60-2" />
<rect
x="746.53888"
y="302.1705"
width="208.64201"
height="116.03049"
id="rect266" />
<rect
x="746.53888"
y="302.1705"
width="208.64201"
height="116.03049"
id="rect267" />
<rect
x="746.53888"
y="302.1705"
width="322.63501"
height="112.18803"
id="rect271" />
<rect
x="746.53888"
y="302.1705"
width="262.04547"
height="116.59021"
id="rect21-8" />
<rect
x="746.53888"
y="302.1705"
width="322.63501"
height="112.18803"
id="rect271-3" />
<rect
x="746.53888"
y="302.1705"
width="206.97021"
height="116.59021"
id="rect121-3-5" />
<rect
x="746.53888"
y="302.1705"
width="206.97021"
height="116.59021"
id="rect121-3-5-5" />
<rect
x="746.53888"
y="302.1705"
width="262.04547"
height="116.59021"
id="rect21-8-1" />
<rect
x="746.53888"
y="302.1705"
width="206.97021"
height="116.59021"
id="rect89" />
<rect
x="746.53888"
y="302.1705"
width="262.04547"
height="116.59021"
id="rect90" />
</defs>
<g
inkscape:label="Layer 1"
inkscape:groupmode="layer"
id="layer1"
transform="translate(-52.874035,-113.01615)">
<rect
style="fill:#fff6d5;stroke:#000000;stroke-width:0.5;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:3, 3;stroke-dashoffset:0"
id="rect268"
width="42.333237"
height="66.035202"
x="342.47104"
y="145.78185" />
<rect
style="fill:#ffd5d5;stroke:#000000;stroke-width:0.5;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:3, 3;stroke-dashoffset:0"
id="rect18"
width="70.229004"
height="28.407305"
x="-272.7662"
y="162.84944"
transform="scale(-1,1)" />
<path
style="fill:#ffffff;stroke:#000000;stroke-width:0.5;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1"
d="m 251.1584,167.71079 v 19.77278 l 17.12372,-9.88639 -17.12372,-9.88639"
id="path10"
sodipodi:nodetypes="cccc" />
<path
style="fill:#ffffff;stroke:#000000;stroke-width:0.5;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1"
d="m 209.28026,167.71079 v 19.77278 l 17.12372,-9.88639 -17.12372,-9.88639"
id="path12"
sodipodi:nodetypes="cccc" />
<path
style="fill:none;stroke:#000000;stroke-width:0.5;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1"
d="M 251.1584,174.2632 H 220.62936"
id="path13" />
<path
style="fill:none;stroke:#000000;stroke-width:0.5;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1"
d="M 251.1584,180.93116 H 220.62936"
id="path14" />
<path
style="fill:none;stroke:#000000;stroke-width:0.5;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1"
d="M 209.28026,174.2632 H 178.75122"
id="path15" />
<path
style="fill:none;stroke:#000000;stroke-width:0.5;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1"
d="M 209.28026,180.93116 H 178.75122"
id="path16" />
<path
style="fill:none;stroke:#000000;stroke-width:0.5;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1"
d="M 311.97135,174.2632 H 262.5075"
id="path17"
sodipodi:nodetypes="cc" />
<path
style="fill:none;stroke:#000000;stroke-width:0.5;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1"
d="M 311.97135,180.93116 H 262.5075"
id="path18"
sodipodi:nodetypes="cc" />
<g
id="g39"
transform="translate(-13.828868,-2.4200519)" />
<g
id="g270"
transform="translate(86.653142,-178.07344)">
<text
xml:space="preserve"
transform="matrix(0.26458333,0,0,0.26458333,51.585057,220.89179)"
id="text60"
style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:26.6667px;line-height:1.25;font-family:'Source Sans Pro';-inkscape-font-specification:'Source Sans Pro';text-align:center;white-space:pre;shape-inside:url(#rect60);display:inline"><tspan
x="779.99356"
y="326.43329"
id="tspan3">BAT17-04W</tspan></text>
<text
xml:space="preserve"
transform="matrix(0.26458333,0,0,0.26458333,50.646671,229.58019)"
id="text61"
style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:26.6667px;line-height:1.25;font-family:'Source Sans Pro';-inkscape-font-specification:'Source Sans Pro';text-align:center;white-space:pre;shape-inside:url(#rect61);display:inline"><tspan
x="778.60694"
y="326.43329"
id="tspan4">RF Schottky</tspan></text>
</g>
<g
id="g68"
transform="translate(155.9321,-23.998135)">
<g
id="g59"
transform="rotate(-135,217.33697,188.46118)">
<rect
style="fill:none;stroke:#000000;stroke-width:0.5;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none;stroke-dashoffset:0"
id="rect54"
width="20.126814"
height="20.126814"
x="202.02536"
y="163.96376" />
<g
id="use56"
transform="matrix(1,0,0,-1,2.73499,327.96666)"
style="stroke-linecap:round;stroke-linejoin:round">
<path
style="fill:#ffffff;stroke:#000000;stroke-width:0.5;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1"
d="m 212.74389,161.19528 v 5.53995 l -4.79585,-2.76997 4.79585,-2.76998"
id="path90"
sodipodi:nodetypes="cccc" />
<path
style="fill:none;stroke:#000000;stroke-width:0.5;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1"
d="m 209.09885,165.96187 v 0.85302 h -1.15081 v -2.84963"
id="path91"
sodipodi:nodetypes="cccc" />
<path
style="fill:none;stroke:#000000;stroke-width:0.5;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1"
d="m 206.79721,161.96865 v -0.85302 h 1.15081 v 2.84963"
id="use91"
sodipodi:nodetypes="cccc" />
</g>
<g
id="use57"
transform="matrix(1,0,0,-1,2.735,348.06531)"
style="stroke-linecap:round;stroke-linejoin:round">
<path
style="fill:#ffffff;stroke:#000000;stroke-width:0.5;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1"
d="m 212.74389,161.19528 v 5.53995 l -4.79585,-2.76997 4.79585,-2.76998"
id="path92"
sodipodi:nodetypes="cccc" />
<path
style="fill:none;stroke:#000000;stroke-width:0.5;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1"
d="m 209.09885,165.96187 v 0.85302 h -1.15081 v -2.84963"
id="path93"
sodipodi:nodetypes="cccc" />
<path
style="fill:none;stroke:#000000;stroke-width:0.5;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1"
d="m 206.79721,161.96865 v -0.85302 h 1.15081 v 2.84963"
id="use93"
sodipodi:nodetypes="cccc" />
</g>
<g
id="use58"
transform="rotate(90,200.68751,165.3609)"
style="stroke-linecap:round;stroke-linejoin:round">
<path
style="fill:#ffffff;stroke:#000000;stroke-width:0.5;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1"
d="m 212.74389,161.19528 v 5.53995 l -4.79585,-2.76997 4.79585,-2.76998"
id="path94"
sodipodi:nodetypes="cccc" />
<path
style="fill:none;stroke:#000000;stroke-width:0.5;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1"
d="m 209.09885,165.96187 v 0.85302 h -1.15081 v -2.84963"
id="path97"
sodipodi:nodetypes="cccc" />
<path
style="fill:none;stroke:#000000;stroke-width:0.5;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1"
d="m 206.79721,161.96865 v -0.85302 h 1.15081 v 2.84963"
id="use97"
sodipodi:nodetypes="cccc" />
</g>
<g
id="use59"
transform="rotate(90,210.75092,175.42431)"
style="stroke-linecap:round;stroke-linejoin:round">
<path
style="fill:#ffffff;stroke:#000000;stroke-width:0.5;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1"
d="m 212.74389,161.19528 v 5.53995 l -4.79585,-2.76997 4.79585,-2.76998"
id="path98"
sodipodi:nodetypes="cccc" />
<path
style="fill:none;stroke:#000000;stroke-width:0.5;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1"
d="m 209.09885,165.96187 v 0.85302 h -1.15081 v -2.84963"
id="path99"
sodipodi:nodetypes="cccc" />
<path
style="fill:none;stroke:#000000;stroke-width:0.5;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1"
d="m 206.79721,161.96865 v -0.85302 h 1.15081 v 2.84963"
id="use99"
sodipodi:nodetypes="cccc" />
</g>
</g>
<g
id="use67">
<rect
style="fill:#ffffff;stroke:#000000;stroke-width:0.499999;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none;stroke-dashoffset:0"
id="rect100"
width="2.7993064"
height="6.9347825"
x="209.44197"
y="178.0285" />
<path
style="font-variation-settings:normal;opacity:1;vector-effect:none;fill:none;fill-opacity:1;stroke:#000000;stroke-width:0.5;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;-inkscape-stroke:none;stop-color:#000000;stop-opacity:1"
d="m 210.84162,188.1468 v -3.18352"
id="path100"
sodipodi:nodetypes="cc" />
<path
style="font-variation-settings:normal;opacity:1;vector-effect:none;fill:none;fill-opacity:1;stroke:#000000;stroke-width:0.5;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;-inkscape-stroke:none;stop-color:#000000;stop-opacity:1"
d="m 210.84162,178.0285 v -3.18352"
id="path101"
sodipodi:nodetypes="cc" />
</g>
<use
x="0"
y="0"
xlink:href="#use67"
id="use68"
transform="translate(1.6482057e-6,41.765435)" />
</g>
<path
style="font-variation-settings:normal;opacity:1;vector-effect:none;fill:none;fill-opacity:1;stroke:#000000;stroke-width:0.5;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;-inkscape-stroke:none;stop-color:#000000;stop-opacity:1"
d="m 381.00554,178.32411 h 9.08403"
id="path76"
sodipodi:nodetypes="cc" />
<path
style="font-variation-settings:normal;opacity:1;vector-effect:none;fill:none;fill-opacity:1;stroke:#000000;stroke-width:0.5;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;-inkscape-stroke:none;stop-color:#000000;stop-opacity:1"
d="m 338.42306,178.38047 h 14.11886"
id="path79"
sodipodi:nodetypes="cc" />
<g
id="g117"
transform="matrix(0,1,1,0,86.037856,-9.6307419)">
<g
id="use116"
transform="translate(215.79323,-70.783667)">
<rect
style="font-variation-settings:normal;fill:#ffffff;fill-opacity:1;stroke:#f9f9f9;stroke-width:0.7;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
id="rect102"
width="4.5996766"
height="1.8177247"
x="-34.179646"
y="178.76157" />
<path
style="font-variation-settings:normal;vector-effect:none;fill:none;fill-opacity:1;stroke:#000000;stroke-width:0.5;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;-inkscape-stroke:none;stop-color:#000000"
d="m -31.879804,183.76281 v -3.18352"
id="path102"
sodipodi:nodetypes="cc" />
<path
style="font-variation-settings:normal;vector-effect:none;fill:none;fill-opacity:1;stroke:#000000;stroke-width:0.5;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;-inkscape-stroke:none;stop-color:#000000"
d="m -31.879804,178.76156 v -3.18352"
id="path103"
sodipodi:nodetypes="cc" />
<path
style="font-variation-settings:normal;fill:none;fill-opacity:1;stroke:#000000;stroke-width:0.7;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;stop-color:#000000"
d="m -34.179644,178.76156 h 4.599677"
id="path110"
sodipodi:nodetypes="cc" />
<path
style="font-variation-settings:normal;fill:none;fill-opacity:1;stroke:#000000;stroke-width:0.7;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;stop-color:#000000"
d="m -34.179644,180.57929 h 4.599677"
id="path112"
sodipodi:nodetypes="cc" />
</g>
<g
id="use117"
transform="translate(222.46119,-70.859177)">
<rect
style="font-variation-settings:normal;fill:#ffffff;fill-opacity:1;stroke:#f9f9f9;stroke-width:0.7;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
id="rect112"
width="4.5996766"
height="1.8177247"
x="-34.179646"
y="178.76157" />
<path
style="font-variation-settings:normal;vector-effect:none;fill:none;fill-opacity:1;stroke:#000000;stroke-width:0.5;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;-inkscape-stroke:none;stop-color:#000000"
d="m -31.879804,183.76281 v -3.18352"
id="path113"
sodipodi:nodetypes="cc" />
<path
style="font-variation-settings:normal;vector-effect:none;fill:none;fill-opacity:1;stroke:#000000;stroke-width:0.5;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;-inkscape-stroke:none;stop-color:#000000"
d="m -31.879804,178.76156 v -3.18352"
id="path114"
sodipodi:nodetypes="cc" />
<path
style="font-variation-settings:normal;fill:none;fill-opacity:1;stroke:#000000;stroke-width:0.7;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;stop-color:#000000"
d="m -34.179644,178.76156 h 4.599677"
id="path115"
sodipodi:nodetypes="cc" />
<path
style="font-variation-settings:normal;fill:none;fill-opacity:1;stroke:#000000;stroke-width:0.7;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;stop-color:#000000"
d="m -34.179644,180.57929 h 4.599677"
id="path116"
sodipodi:nodetypes="cc" />
</g>
</g>
<rect
style="font-variation-settings:normal;opacity:1;fill:#e3d7f4;fill-opacity:1;stroke:#000000;stroke-width:0.5;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
id="rect119"
width="68.967163"
height="41.859745"
x="64.002045"
y="156.69553" />
<text
xml:space="preserve"
transform="matrix(0.26458333,0,0,0.26458333,5.2759552,144.60139)"
id="text20"
style="font-style:normal;font-variant:normal;font-weight:600;font-stretch:normal;font-size:29.3333px;line-height:1.25;font-family:'Inter 24pt';-inkscape-font-specification:'Inter 24pt Semi-Bold';text-align:center;white-space:pre;shape-inside:url(#rect21-8);display:inline"><tspan
x="774.22896"
y="329.32216"
id="tspan5">Pulse Amplifier</tspan></text>
<text
xml:space="preserve"
transform="matrix(0.26458333,0,0,0.26458333,-126.52602,93.775442)"
id="text18-2"
style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:26.6667px;line-height:1.25;font-family:'Inter 24pt';-inkscape-font-specification:'Inter 24pt';text-align:center;white-space:pre;shape-inside:url(#rect19-0);display:inline"><tspan
x="773.14281"
y="326.85384"
id="tspan6">STM32G474</tspan></text>
<path
style="fill:#ffffff;stroke:#000000;stroke-width:0.5;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1"
d="m 167.35324,167.73901 v 19.77279 l 17.12372,-9.8864 -17.12372,-9.88639"
id="path120-5"
sodipodi:nodetypes="cccc" />
<path
style="fill:none;stroke:#000000;stroke-width:0.5;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1"
d="M 167.35324,177.62541 H 132.96921"
id="path16-0"
sodipodi:nodetypes="cc" />
<text
xml:space="preserve"
transform="matrix(0.26458333,0,0,0.26458333,-48.680475,116.45311)"
id="text121"
style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:26.6667px;line-height:1.25;font-family:'Inter 24pt';-inkscape-font-specification:'Inter 24pt';text-align:center;white-space:pre;shape-inside:url(#rect121-3);display:inline"><tspan
x="772.99958"
y="326.85384"
id="tspan7">74LVC2G157</tspan></text>
<text
xml:space="preserve"
transform="matrix(0.26458333,0,0,0.26458333,12.7494,69.082544)"
id="text121-3"
style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:26.6667px;line-height:1.25;font-family:'Inter 24pt';-inkscape-font-specification:'Inter 24pt';text-align:center;white-space:pre;shape-inside:url(#rect121-3-5);display:inline"><tspan
x="772.28343"
y="326.85384"
id="tspan8">PI3HDX12211</tspan></text>
<text
xml:space="preserve"
transform="matrix(0.26458333,0,0,0.26458333,-49.475329,125.14987)"
id="text122"
style="font-style:normal;font-variant:normal;font-weight:600;font-stretch:normal;font-size:29.3333px;line-height:1.25;font-family:'Inter 24pt';-inkscape-font-specification:'Inter 24pt Semi-Bold';text-align:center;white-space:pre;shape-inside:url(#rect122-8);display:inline"><tspan
x="757.34809"
y="329.32216"
id="tspan9">Single-Ended
</tspan><tspan
x="757.87804"
y="365.98879"
id="tspan10">to Differential </tspan><tspan
x="771.97893"
y="402.65542"
id="tspan11">Conversion</tspan></text>
<g
id="g271"
transform="translate(-345.1311,41.371294)">
<rect
style="font-variation-settings:normal;opacity:1;fill:#ffffff;fill-opacity:1;stroke:#000000;stroke-width:0.499999;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
id="rect123"
width="43.775135"
height="27.05452"
x="499.15863"
y="79.648224" />
<text
xml:space="preserve"
transform="matrix(0.26458333,0,0,0.26458333,300.87774,-0.17833149)"
id="text127"
style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:26.6667px;line-height:1.25;font-family:'Inter 24pt';-inkscape-font-specification:'Inter 24pt';text-align:center;white-space:pre;shape-inside:url(#rect127);display:inline"><tspan
x="768.51196"
y="326.85384"
id="tspan12">Adjustable </tspan><tspan
x="786.47423"
y="360.18721"
id="tspan13">Voltage </tspan><tspan
x="774.55364"
y="393.52059"
id="tspan14">Regulator</tspan></text>
</g>
<g
id="use132"
transform="rotate(90,157.72608,367.98634)">
<rect
style="font-variation-settings:normal;fill:#ffffff;fill-opacity:1;stroke:#f9f9f9;stroke-width:0.7;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
id="rect116"
width="4.5996766"
height="1.8177247"
x="-34.179646"
y="178.76157" />
<path
style="font-variation-settings:normal;vector-effect:none;fill:none;fill-opacity:1;stroke:#000000;stroke-width:0.5;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;-inkscape-stroke:none;stop-color:#000000"
d="m -31.879804,183.76281 v -3.18352"
id="path117"
sodipodi:nodetypes="cc" />
<path
style="font-variation-settings:normal;vector-effect:none;fill:none;fill-opacity:1;stroke:#000000;stroke-width:0.5;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;-inkscape-stroke:none;stop-color:#000000"
d="m -31.879804,178.76156 v -3.18352"
id="path118"
sodipodi:nodetypes="cc" />
<path
style="font-variation-settings:normal;fill:none;fill-opacity:1;stroke:#000000;stroke-width:0.7;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;stop-color:#000000"
d="m -34.179644,178.76156 h 4.599677"
id="path119"
sodipodi:nodetypes="cc" />
<path
style="font-variation-settings:normal;fill:none;fill-opacity:1;stroke:#000000;stroke-width:0.7;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;stop-color:#000000"
d="m -34.179644,180.57929 h 4.599677"
id="path120"
sodipodi:nodetypes="cc" />
</g>
<g
id="g143"
transform="matrix(0,1,1,0,170.92142,-9.6502219)">
<g
id="use142"
transform="translate(215.79323,-70.783667)">
<rect
style="font-variation-settings:normal;fill:#ffffff;fill-opacity:1;stroke:#f9f9f9;stroke-width:0.7;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
id="rect120"
width="4.5996766"
height="1.8177247"
x="-34.179646"
y="178.76157" />
<path
style="font-variation-settings:normal;vector-effect:none;fill:none;fill-opacity:1;stroke:#000000;stroke-width:0.5;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;-inkscape-stroke:none;stop-color:#000000"
d="m -31.879804,183.76281 v -3.18352"
id="path121"
sodipodi:nodetypes="cc" />
<path
style="font-variation-settings:normal;vector-effect:none;fill:none;fill-opacity:1;stroke:#000000;stroke-width:0.5;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;-inkscape-stroke:none;stop-color:#000000"
d="m -31.879804,178.76156 v -3.18352"
id="path122"
sodipodi:nodetypes="cc" />
<path
style="font-variation-settings:normal;fill:none;fill-opacity:1;stroke:#000000;stroke-width:0.7;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;stop-color:#000000"
d="m -34.179644,178.76156 h 4.599677"
id="path123"
sodipodi:nodetypes="cc" />
<path
style="font-variation-settings:normal;fill:none;fill-opacity:1;stroke:#000000;stroke-width:0.7;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;stop-color:#000000"
d="m -34.179644,180.57929 h 4.599677"
id="path124"
sodipodi:nodetypes="cc" />
</g>
<g
id="use143"
transform="translate(222.46119,-70.859177)">
<rect
style="font-variation-settings:normal;fill:#ffffff;fill-opacity:1;stroke:#f9f9f9;stroke-width:0.7;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
id="rect124"
width="4.5996766"
height="1.8177247"
x="-34.179646"
y="178.76157" />
<path
style="font-variation-settings:normal;vector-effect:none;fill:none;fill-opacity:1;stroke:#000000;stroke-width:0.5;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;-inkscape-stroke:none;stop-color:#000000"
d="m -31.879804,183.76281 v -3.18352"
id="path125"
sodipodi:nodetypes="cc" />
<path
style="font-variation-settings:normal;vector-effect:none;fill:none;fill-opacity:1;stroke:#000000;stroke-width:0.5;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;-inkscape-stroke:none;stop-color:#000000"
d="m -31.879804,178.76156 v -3.18352"
id="path126"
sodipodi:nodetypes="cc" />
<path
style="font-variation-settings:normal;fill:none;fill-opacity:1;stroke:#000000;stroke-width:0.7;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;stop-color:#000000"
d="m -34.179644,178.76156 h 4.599677"
id="path127"
sodipodi:nodetypes="cc" />
<path
style="font-variation-settings:normal;fill:none;fill-opacity:1;stroke:#000000;stroke-width:0.7;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;stop-color:#000000"
d="m -34.179644,180.57929 h 4.599677"
id="path128"
sodipodi:nodetypes="cc" />
</g>
</g>
<text
xml:space="preserve"
transform="matrix(0.26458333,0,0,0.26458333,-142.04825,144.60139)"
id="text270"
style="font-style:normal;font-variant:normal;font-weight:600;font-stretch:normal;font-size:29.3333px;line-height:1.25;font-family:'Inter 24pt';-inkscape-font-specification:'Inter 24pt Semi-Bold';text-align:center;white-space:pre;shape-inside:url(#rect271);display:inline"><tspan
x="803.32076"
y="329.32216"
id="tspan15">Microcontroller</tspan></text>
<path
style="fill:none;stroke:#1a1612;stroke-width:0.499999;stroke-linecap:round;stroke-linejoin:round"
d="M 175.9151,172.6822 V 148.07404"
id="path73" />
<path
style="fill:none;stroke:#1a1612;stroke-width:0.499999;stroke-linecap:round;stroke-linejoin:round"
d="M 154.02753,134.54678 H 98.485632 v 22.14876"
id="path77"
sodipodi:nodetypes="ccc" />
<text
xml:space="preserve"
transform="matrix(0.26458333,0,0,0.26458333,103.29647,93.921487)"
id="text121-3-4"
style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:26.6667px;line-height:1.25;font-family:'Inter 24pt';-inkscape-font-specification:'Inter 24pt';text-align:center;white-space:pre;shape-inside:url(#rect121-3-5-5);display:inline"><tspan
x="819.5426"
y="326.85384"
id="tspan16">Input</tspan></text>
<g
id="g87"
style="fill:none;stroke:#1a1612;stroke-width:0.499999;stroke-linecap:round;stroke-linejoin:round"
transform="translate(10.878009,7.7533681)">
<path
id="path104"
style="font-variation-settings:normal;vector-effect:none;fill:none;fill-opacity:1;stroke:#1a1612;stroke-width:0.499999;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;-inkscape-stroke:none;stop-color:#000000"
d="m 284.21784,205.97009 c -1e-5,0.70399 1.16966,1.27468 2.61252,1.27468 1.44285,0 2.61252,-0.57069 2.61251,-1.27468"
sodipodi:nodetypes="csc" />
<ellipse
style="font-variation-settings:normal;vector-effect:none;fill:none;fill-opacity:1;stroke:#1a1612;stroke-width:0.499999;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;-inkscape-stroke:none;stop-color:#000000"
id="ellipse104"
cx="-286.83035"
cy="179.00661"
rx="2.6125116"
ry="1.274675"
transform="scale(-1,1)" />
<path
style="fill:none;stroke:#1a1612;stroke-width:0.499999;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1"
d="m 289.44287,179.00661 v 26.96348"
id="path105"
sodipodi:nodetypes="cc" />
<path
style="fill:none;stroke:#1a1612;stroke-width:0.499999;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1"
d="m 284.21784,179.00661 v 26.96348"
id="path106"
sodipodi:nodetypes="cc" />
<path
style="fill:none;stroke:#1a1612;stroke-width:0.499999;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1"
d="m 286.83035,207.24477 v 4.57746"
id="path107" />
<path
style="fill:none;stroke:#1a1612;stroke-width:0.499999;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1"
d="M 284.21784,205.97009 H 279.4833"
id="path108"
sodipodi:nodetypes="cc" />
<path
style="fill:none;stroke:#1a1612;stroke-width:0.499999;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1"
d="m 286.83035,178.98444 v -5.79542"
id="path109"
sodipodi:nodetypes="cc" />
<path
style="fill:none;stroke:#1a1612;stroke-width:0.499999;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1"
d="m 281.60398,211.82223 h -4.24137"
id="path78"
sodipodi:nodetypes="cc" />
<path
style="fill:none;stroke:#1a1612;stroke-width:0.499999;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1"
d="m 288.95104,211.82223 h -4.24137"
id="path111"
sodipodi:nodetypes="cc" />
<path
style="fill:none;stroke:#1a1612;stroke-width:0.499999;stroke-linecap:round;stroke-linejoin:round"
d="m 279.48329,205.97009 v 5.85214"
id="path87" />
</g>
<g
id="g87-2"
transform="matrix(1,0,0,-1,10.877997,347.45222)">
<path
id="path104-2"
style="font-variation-settings:normal;vector-effect:none;fill:none;fill-opacity:1;stroke:#000000;stroke-width:0.5;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;-inkscape-stroke:none;stop-color:#000000"
d="m 284.21784,205.97009 c -1e-5,0.70399 1.16966,1.27468 2.61252,1.27468 1.44285,0 2.61252,-0.57069 2.61251,-1.27468"
sodipodi:nodetypes="csc" />
<ellipse
style="font-variation-settings:normal;vector-effect:none;fill:none;fill-opacity:1;stroke:#000000;stroke-width:0.5;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;-inkscape-stroke:none;stop-color:#000000"
id="ellipse104-6"
cx="-286.83035"
cy="179.00661"
rx="2.6125116"
ry="1.274675"
transform="scale(-1,1)" />
<path
style="fill:none;stroke:#000000;stroke-width:0.5;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1"
d="m 289.44287,179.00661 v 26.96348"
id="path105-1"
sodipodi:nodetypes="cc" />
<path
style="fill:none;stroke:#000000;stroke-width:0.5;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1"
d="m 284.21784,179.00661 v 26.96348"
id="path106-0"
sodipodi:nodetypes="cc" />
<path
style="fill:none;stroke:#000000;stroke-width:0.5;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1"
d="m 286.83035,207.24477 v 4.57746"
id="path107-6" />
<path
style="fill:none;stroke:#000000;stroke-width:0.5;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1"
d="M 284.21784,205.97009 H 279.4833"
id="path108-1"
sodipodi:nodetypes="cc" />
<path
style="fill:none;stroke:#000000;stroke-width:0.5;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1"
d="m 286.83035,178.98444 v -5.79542"
id="path109-5"
sodipodi:nodetypes="cc" />
<path
style="fill:none;stroke:#000000;stroke-width:0.5;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1"
d="m 281.60398,211.82223 h -4.24137"
id="path78-9"
sodipodi:nodetypes="cc" />
<path
style="fill:none;stroke:#000000;stroke-width:0.5;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1"
d="m 288.95104,211.82223 h -4.24137"
id="path111-4"
sodipodi:nodetypes="cc" />
<path
style="fill:none;stroke:#1a1612;stroke-width:0.499999;stroke-linecap:round;stroke-linejoin:round"
d="m 279.48329,205.97009 v 5.85214"
id="path87-9" />
</g>
<text
xml:space="preserve"
transform="matrix(0.26458333,0,0,0.26458333,61.195785,144.60139)"
id="text20-1"
style="font-style:normal;font-variant:normal;font-weight:600;font-stretch:normal;font-size:29.3333px;line-height:1.25;font-family:'Inter 24pt';-inkscape-font-specification:'Inter 24pt Semi-Bold';text-align:center;white-space:pre;shape-inside:url(#rect21-8-1);display:inline"><tspan
x="818.55834"
y="329.32216"
id="tspan17">Clip Line</tspan></text>
<path
style="fill:none;stroke:#1a1612;stroke-width:0.499999;stroke-linecap:round;stroke-linejoin:round"
d="m 366.7737,150.84685 h -54.80235 v 0 23.41635"
id="path88" />
<path
style="fill:none;stroke:#1a1612;stroke-width:0.499999;stroke-linecap:round;stroke-linejoin:round"
d="M 366.77373,205.9141 H 311.97135 V 180.93116"
id="path89"
sodipodi:nodetypes="ccc" />
<text
xml:space="preserve"
transform="matrix(0.26458333,0,0,0.26458333,177.7178,93.921487)"
id="text89"
style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:26.6667px;line-height:1.25;font-family:'Inter 24pt';-inkscape-font-specification:'Inter 24pt';text-align:center;white-space:pre;shape-inside:url(#rect89);display:inline"><tspan
x="808.53348"
y="326.85384"
id="tspan18">Output</tspan></text>
<text
xml:space="preserve"
transform="matrix(0.26458333,0,0,0.26458333,130.52701,144.60139)"
id="text90"
style="font-style:normal;font-variant:normal;font-weight:600;font-stretch:normal;font-size:29.3333px;line-height:1.25;font-family:'Inter 24pt';-inkscape-font-specification:'Inter 24pt Semi-Bold';text-align:center;white-space:pre;shape-inside:url(#rect90);display:inline"><tspan
x="777.58052"
y="329.32216"
id="tspan19">Sampling Gate</tspan></text>
</g>
</svg>
Side by side

After

Width:  |  Height:  |  Size: 42 KiB

1508
defence/phd defence slide drafts.svg Normal file
View file

File diff suppressed because one or more lines are too long
Side by side

After

Width:  |  Height:  |  Size: 42 MiB

BIN
defence/phd defence tdr principle.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 57 KiB

376
defence/phd defence tdr principle.svg Normal file
View file

@ -0,0 +1,376 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!-- Created with Inkscape (http://www.inkscape.org/) -->
<svg
width="100mm"
height="60mm"
viewBox="0 0 100 60"
version="1.1"
id="svg1"
inkscape:version="1.4.3 (0d15f75042, 2025-12-25)"
sodipodi:docname="phd defence tdr principle.svg"
xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
xmlns="http://www.w3.org/2000/svg"
xmlns:svg="http://www.w3.org/2000/svg">
<sodipodi:namedview
id="namedview1"
pagecolor="#ffffff"
bordercolor="#000000"
borderopacity="0.25"
inkscape:showpageshadow="2"
inkscape:pageopacity="0.0"
inkscape:pagecheckerboard="0"
inkscape:deskcolor="#d1d1d1"
inkscape:document-units="mm"
inkscape:zoom="1.6739708"
inkscape:cx="150.83896"
inkscape:cy="138.29393"
inkscape:window-width="1920"
inkscape:window-height="1011"
inkscape:window-x="0"
inkscape:window-y="0"
inkscape:window-maximized="1"
inkscape:current-layer="layer1" />
<defs
id="defs1">
<rect
x="551.65271"
y="309.45667"
width="62.353214"
height="50.517651"
id="rect11" />
<rect
x="551.65271"
y="309.45667"
width="62.353214"
height="50.517651"
id="rect12" />
<rect
x="551.65271"
y="309.45667"
width="62.353214"
height="50.517651"
id="rect11-0" />
<rect
x="551.65271"
y="309.45667"
width="62.353214"
height="50.517651"
id="rect11-0-9" />
<rect
x="551.65271"
y="309.45667"
width="62.353214"
height="50.517651"
id="rect11-0-0" />
<rect
x="551.65271"
y="309.45667"
width="62.353214"
height="50.517651"
id="rect25" />
</defs>
<g
inkscape:label="Layer 1"
inkscape:groupmode="layer"
id="layer1"
transform="translate(-63.811274,-50.604338)">
<g
id="g3"
transform="matrix(0.24012329,0,0,0.23457606,81.922797,65.216881)"
style="stroke-width:2.10674;stroke-dasharray:none">
<rect
style="fill:#ffffff;stroke:#1a1612;stroke-width:2.10674;stroke-linejoin:round;stroke-dasharray:none"
id="rect1"
width="52.476543"
height="40.305092"
x="74.212349"
y="54.643913" />
<g
id="g2"
transform="translate(-3.7859123,-1.9406318)"
style="stroke-width:2.10674;stroke-dasharray:none">
<path
style="fill:#ffffff;stroke:#1a1612;stroke-width:2.10674;stroke-linejoin:round;stroke-dasharray:none"
d="M 123.31803,65.720385 85.155036,87.753797"
id="path1" />
<path
style="fill:#ffffff;stroke:#1a1612;stroke-width:2.10674;stroke-linejoin:round;stroke-dasharray:none"
d="M 123.31803,87.753797 85.155036,65.720385"
id="path2" />
</g>
</g>
<g
id="g4"
transform="translate(31.446729,-5.2641985)">
<rect
style="fill:#ffffff;stroke:#1a1612;stroke-width:0.5;stroke-linejoin:round;stroke-dasharray:none"
id="rect1-3"
width="12.600841"
height="9.4546099"
x="42.850857"
y="71.155426" />
<path
style="fill:#ffffff;stroke:#1a1612;stroke-width:0.499999;stroke-linejoin:round;stroke-dasharray:none"
d="m 44.314411,78.24975 h 3.904353 v -5.010587 h 4.229716 v 5.010587 h 2.082322"
id="path3"
sodipodi:nodetypes="cccccc" />
</g>
<circle
style="fill:#ffffff;stroke:#1a1612;stroke-width:0.499999;stroke-linejoin:round;stroke-dasharray:none"
id="path4"
cx="80.598007"
cy="91.641884"
r="6.5220127" />
<path
style="fill:#ffffff;stroke:#1a1612;stroke-width:0.499999;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none"
d="m 112.40881,80.178084 h 9.96623"
id="path5"
sodipodi:nodetypes="cc" />
<path
style="fill:#ffffff;stroke:#1a1612;stroke-width:0.499999;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none"
d="m 122.37504,80.178084 v -4.030459 h 3.4442 v 4.030459 h 3.44421"
id="path6"
sodipodi:nodetypes="ccccc" />
<path
style="fill:#ffffff;stroke:#1a1612;stroke-width:0.499999;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none"
d="m 129.26345,80.178084 v -4.030459 h 3.4442 v 4.030459 h 3.44421"
id="path7"
sodipodi:nodetypes="ccccc" />
<path
style="fill:#ffffff;stroke:#1a1612;stroke-width:0.499999;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none"
d="m 136.15186,80.178084 v -4.030459 h 3.4442 v 4.030459 h 3.44421"
id="path8"
sodipodi:nodetypes="ccccc" />
<path
style="fill:#ffffff;stroke:#1a1612;stroke-width:0.499999;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none"
d="m 143.04027,80.178084 v -4.030459 h 3.4442 v 4.030459 h 3.44421"
id="path9"
sodipodi:nodetypes="ccccc" />
<path
style="fill:none;stroke:#1a1612;stroke-width:0.3;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none"
d="m 118.71556,72.618668 h 1.69044 c 0.8343,-0.02487 0.96416,-3.389326 1.59899,-3.225756 0.48905,0.126012 -0.0471,3.225756 0.82615,3.225756 h 1.84447"
id="path11"
sodipodi:nodetypes="ccscc" />
<g
id="g12"
transform="matrix(1.1890548,0,0,1.1890548,-20.775141,-10.295906)"
style="stroke-width:0.841004">
<text
xml:space="preserve"
transform="scale(0.26458333)"
id="text11"
style="font-size:10.6667px;line-height:10.5322px;font-family:Lemon;-inkscape-font-specification:Lemon;text-decoration-color:#000000;writing-mode:lr-tb;direction:ltr;white-space:pre;shape-inside:url(#rect11);display:inline;fill:none;stroke:#1a1612;stroke-width:1.5893;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none"><tspan
x="551.65234"
y="317.93003"
id="tspan6"><tspan
style="font-family:'Inter 24pt SemiBold';-inkscape-font-specification:'Inter 24pt SemiBold, ';fill:#000000;stroke:none"
id="tspan5">Z</tspan></tspan></text>
<text
xml:space="preserve"
transform="matrix(0.16085311,0,0,0.16085311,59.294945,33.617914)"
id="text12"
style="font-size:10.6667px;line-height:10.5322px;font-family:Lemon;-inkscape-font-specification:Lemon;text-decoration-color:#000000;writing-mode:lr-tb;direction:ltr;white-space:pre;shape-inside:url(#rect12);display:inline;fill:none;stroke:#1a1612;stroke-width:2.61419;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none"><tspan
x="551.65234"
y="317.93003"
id="tspan8"><tspan
style="font-family:'Inter 24pt SemiBold';-inkscape-font-specification:'Inter 24pt SemiBold, ';fill:#000000;stroke:none"
id="tspan7">term</tspan></tspan></text>
</g>
<path
style="fill:#ffffff;fill-opacity:1;stroke:#1a1612;stroke-width:0.499999;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none"
d="m 149.92868,80.178084 v 4.324963"
id="path12" />
<g
id="g16"
transform="translate(9.0092604,4.3073374)">
<path
style="fill:#ffffff;fill-opacity:1;stroke:#1a1612;stroke-width:0.499999;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none"
d="m 140.91941,88.369128 v 4.324963"
id="path13" />
<path
style="fill:#ffffff;fill-opacity:1;stroke:#1a1612;stroke-width:0.5;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none"
d="m 142.94854,92.694091 h -4.05827"
id="path14"
sodipodi:nodetypes="cc" />
<path
style="fill:#ffffff;fill-opacity:1;stroke:#1a1612;stroke-width:0.5;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none"
d="m 142.17512,93.79642 h -2.51145"
id="path15"
sodipodi:nodetypes="cc" />
<path
style="fill:#ffffff;fill-opacity:1;stroke:#1a1612;stroke-width:0.5;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none"
d="m 141.45505,94.86319 h -1.0713"
id="path16"
sodipodi:nodetypes="cc" />
</g>
<rect
style="fill:#ffffff;fill-opacity:1;stroke:#1a1612;stroke-width:0.499999;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none"
id="rect16"
width="3.2248845"
height="8.1734142"
x="148.31622"
y="84.503052" />
<text
xml:space="preserve"
transform="matrix(0.31460408,0,0,0.31460408,-38.393695,-27.642884)"
id="text11-6"
style="font-size:10.6667px;line-height:10.5322px;font-family:Lemon;-inkscape-font-specification:Lemon;text-decoration-color:#000000;writing-mode:lr-tb;direction:ltr;white-space:pre;shape-inside:url(#rect11-0);display:inline;fill:none;stroke:#1a1612;stroke-width:1.5893;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none"><tspan
x="551.65234"
y="317.93003"
id="tspan10"><tspan
style="font-family:'Inter 24pt SemiBold';-inkscape-font-specification:'Inter 24pt SemiBold, ';fill:#000000;stroke:none"
id="tspan9">Mesh</tspan></tspan></text>
<g
id="g18"
transform="matrix(0.54818411,0,0,0.52713488,61.970729,38.534926)"
style="stroke-width:0.558081;stroke-dasharray:none">
<path
style="fill:#ffffff;fill-opacity:1;stroke:#1a1612;stroke-width:0.558081;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none"
d="m 113.89313,61.654747 h 4.62411 l -2.04582,0.616548 0.5605,-0.616548"
id="path17" />
<path
style="fill:#ffffff;fill-opacity:1;stroke:#1a1612;stroke-width:0.558081;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none"
d="m 113.89313,61.654747 h 4.62411 l -2.04582,-0.616548 0.5605,0.616548"
id="path18" />
</g>
<path
style="fill:none;stroke:#1a1612;stroke-width:0.3;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none"
d="m 145.10975,83.740846 h -1.69044 c -0.8343,0.0249 -0.96416,3.38932 -1.59899,3.22575 -0.48905,-0.12601 0.0471,-3.22575 -0.82615,-3.22575 h -1.84447"
id="path19"
sodipodi:nodetypes="ccscc" />
<g
id="g21"
transform="matrix(-0.54818411,0,0,-0.52713488,201.85459,117.82459)"
style="stroke-width:0.558081;stroke-dasharray:none">
<path
style="fill:#ffffff;fill-opacity:1;stroke:#1a1612;stroke-width:0.558081;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none"
d="m 113.89313,61.654747 h 4.62411 l -2.04582,0.616548 0.5605,-0.616548"
id="path20" />
<path
style="fill:#ffffff;fill-opacity:1;stroke:#1a1612;stroke-width:0.558081;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none"
d="m 113.89313,61.654747 h 4.62411 l -2.04582,-0.616548 0.5605,0.616548"
id="path21" />
</g>
<g
id="g18-1"
transform="matrix(0.54818411,0,0,0.52713488,32.981996,45.838032)"
style="stroke-width:0.558081;stroke-dasharray:none">
<path
style="fill:#ffffff;fill-opacity:1;stroke:#1a1612;stroke-width:0.558081;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none"
d="m 113.89313,61.654747 h 4.62411 l -2.04582,0.616548 0.5605,-0.616548"
id="path17-8" />
<path
style="fill:#ffffff;fill-opacity:1;stroke:#1a1612;stroke-width:0.558081;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none"
d="m 113.89313,61.654747 h 4.62411 l -2.04582,-0.616548 0.5605,0.616548"
id="path18-7" />
</g>
<g
id="g18-3"
transform="matrix(-0.54818411,0,0,0.52713488,160.38558,54.563203)"
style="stroke-width:0.558081;stroke-dasharray:none">
<path
style="fill:#ffffff;fill-opacity:1;stroke:#1a1612;stroke-width:0.558081;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none"
d="m 113.89313,61.654747 h 4.62411 l -2.04582,0.616548 0.5605,-0.616548"
id="path17-7" />
<path
style="fill:#ffffff;fill-opacity:1;stroke:#1a1612;stroke-width:0.558081;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none"
d="m 113.89313,61.654747 h 4.62411 l -2.04582,-0.616548 0.5605,0.616548"
id="path18-5" />
</g>
<path
style="fill:none;fill-opacity:1;stroke:#1a1612;stroke-width:0.5;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none"
d="m 86.898427,70.618534 h 4.170574 v 9.558567 h 8.673909"
id="path22"
sodipodi:nodetypes="cccc" />
<path
style="fill:none;fill-opacity:1;stroke:#1a1612;stroke-width:0.499999;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none"
d="m 99.74291,85.428682 h -8.780343 v 6.400233 h -3.845234"
id="path23" />
<path
style="fill:none;fill-opacity:1;stroke:#1a1612;stroke-width:0.499999;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none"
d="m 74.315839,91.552506 c 1.162887,-0.268434 1.677432,3.187804 2.134029,3.292669 0.844521,0.193958 1.315889,-6.385784 2.13403,-6.385784 1.183523,0 1.021225,6.385784 2.134029,6.385784 0.759208,0 1.363034,-6.385784 2.134029,-6.385784 1.018512,0 1.296598,6.890369 2.13403,6.385784 0.468664,-0.282388 0.82304,-4.114815 2.134029,-3.292669"
id="path24"
sodipodi:nodetypes="csssssc" />
<g
id="layer1-7"
transform="translate(-25.02147,9.3303218)">
<text
xml:space="preserve"
transform="matrix(0.31460408,0,0,0.31460408,-48.737596,-33.80712)"
id="text11-6-8"
style="font-size:10.6667px;line-height:10.5322px;font-family:Lemon;-inkscape-font-specification:Lemon;text-decoration-color:#000000;writing-mode:lr-tb;direction:ltr;white-space:pre;shape-inside:url(#rect11-0-9);display:inline;fill:none;stroke:#1a1612;stroke-width:1.5893;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none"><tspan
x="551.65234"
y="317.93003"
id="tspan12"><tspan
style="font-family:'Inter 24pt SemiBold';-inkscape-font-specification:'Inter 24pt SemiBold, ';fill:#000000;stroke:none"
id="tspan11">Coupler</tspan></tspan></text>
</g>
<text
xml:space="preserve"
transform="matrix(0.31460408,0,0,0.31460408,-102.80337,-40.812044)"
id="text11-6-1"
style="font-size:10.6667px;line-height:10.5322px;font-family:Lemon;-inkscape-font-specification:Lemon;text-align:center;text-decoration-color:#000000;writing-mode:lr-tb;direction:ltr;white-space:pre;shape-inside:url(#rect11-0-0);display:inline;fill:none;stroke:#1a1612;stroke-width:1.5893;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none"
x="31.176607"
y="0"><tspan
x="569.15198"
y="317.93003"
id="tspan14"><tspan
style="font-family:'Inter 24pt SemiBold';-inkscape-font-specification:'Inter 24pt SemiBold, ';fill:#000000;stroke:none"
id="tspan13">Pulse </tspan></tspan><tspan
x="557.78996"
y="328.67985"
id="tspan16"><tspan
style="font-family:'Inter 24pt SemiBold';-inkscape-font-specification:'Inter 24pt SemiBold, ';fill:#000000;stroke:none"
id="tspan15">Generator</tspan></tspan></text>
<text
xml:space="preserve"
transform="matrix(0.31460408,0,0,0.31460408,-102.80337,3.0114252)"
id="text25"
style="font-size:10.6667px;line-height:10.5322px;font-family:Lemon;-inkscape-font-specification:Lemon;text-align:center;text-decoration-color:#000000;writing-mode:lr-tb;direction:ltr;white-space:pre;shape-inside:url(#rect25);display:inline;fill:none;stroke:#1a1612;stroke-width:1.5893;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none"
x="31.176607"
y="0"><tspan
x="562.15716"
y="317.93003"
id="tspan18"><tspan
style="font-family:'Inter 24pt SemiBold';-inkscape-font-specification:'Inter 24pt SemiBold, ';fill:#000000;stroke:none"
id="tspan17">Sampler</tspan></tspan></text>
<path
style="fill:none;stroke:#1a1612;stroke-width:0.3;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none"
d="m 89.5926,68.72123 h 1.69044 c 0.8343,-0.02487 0.96416,-3.389326 1.59899,-3.225756 0.48905,0.126012 -0.0471,3.225756 0.82615,3.225756 h 1.84447"
id="path11-1"
sodipodi:nodetypes="ccscc" />
<g
id="g18-5"
transform="matrix(0.54818411,0,0,0.52713488,32.847772,34.637488)"
style="stroke-width:0.558081;stroke-dasharray:none">
<path
style="fill:#ffffff;fill-opacity:1;stroke:#1a1612;stroke-width:0.558081;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none"
d="m 113.89313,61.654747 h 4.62411 l -2.04582,0.616548 0.5605,-0.616548"
id="path17-5" />
<path
style="fill:#ffffff;fill-opacity:1;stroke:#1a1612;stroke-width:0.558081;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none"
d="m 113.89313,61.654747 h 4.62411 l -2.04582,-0.616548 0.5605,0.616548"
id="path18-4" />
</g>
<path
style="fill:none;stroke:#1a1612;stroke-width:0.3;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none"
d="m 95.74733,94.005475 h -1.69044 c -0.8343,0.02487 -0.96416,3.389326 -1.59899,3.225756 -0.48905,-0.126012 0.0471,-3.225756 -0.82615,-3.225756 h -1.84447"
id="path25"
sodipodi:nodetypes="ccscc" />
<g
id="g27"
transform="matrix(-0.54818411,0,0,-0.52713488,152.49216,128.08922)"
style="stroke-width:0.558081;stroke-dasharray:none">
<path
style="fill:#ffffff;fill-opacity:1;stroke:#1a1612;stroke-width:0.558081;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none"
d="m 113.89313,61.654747 h 4.62411 l -2.04582,0.616548 0.5605,-0.616548"
id="path26" />
<path
style="fill:#ffffff;fill-opacity:1;stroke:#1a1612;stroke-width:0.558081;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none"
d="m 113.89313,61.654747 h 4.62411 l -2.04582,-0.616548 0.5605,0.616548"
id="path27" />
</g>
</g>
</svg>
Side by side

After

Width:  |  Height:  |  Size: 18 KiB

BIN
defence/slides.odp Normal file
View file

Binary file not shown.

BIN
defence/slides.pdf Normal file
View file

Binary file not shown.

74
hsm-terminology-notes.tex
View file

@ -1,74 +0,0 @@
\chapter*{A Note on Hardware Security Module Terminology}
\adjustmtc
\addcontentsline{toc}{chapter}{A Note on Hardware Security Module Terminology}
In this thesis, we use the term \emph{Hardware Security Module (HSM)} to refer to a security device that has the
following three properties.
\begin{enumerate}
\item A HSM targets the prevention of any conceivable physical attack. In particular, this includes intrusion attempts
such as careful drilling or cutting into the device from any direction.
\item A HSM includes tamper sensors that when triggered result in an active tamper response, usually deleting all
cryptographic secrets and rendering the device inoperable.
\item A HSM's tamper sensing and response subsystem is continuously powered from a backup power supply, usually a
battery. Loss of power triggers the tamper response.
\end{enumerate}
This use of the term \emph{HSM} aligns with common usage of the term both in the academic literature and in everyday
conversation. Particularly the requirement of active tamper detection and response is crucial to distinguish a HSM from
simpler devices such as TPMs, smart cards or secure enclaves in SoCs. Note that our use of the term HSM is slightly
different from its use in government standards, from its use in the PCI SSC (Payment Card Industry Security Standards
Council) standards, and from its industry use.
In industry, the term HSM is often used for solutions that are only logically segregated and that do not include any
particular defense against hardware attacks. Our conjecture is that this is a consequence of the standardization
landscape, where for applications outside of card payment processing the US FIPS
140-22~\cite{usnationalinstituteofstandardsandtechnologySecurityRequirementsCryptographic2002} standard was central to
the industry. Despite encompassing both devices that include active tamper detection and response, FIPS 140-2 did not
draw a distinction in its terminology between the two classes.
\section{Use in government standards}
Under US national standard FIPS 140 in in its 2002 version
2~\cite{usnationalinstituteofstandardsandtechnologySecurityRequirementsCryptographic2002}, a HSM would be called a
\emph{Multiple-Chip Cryptographic Module} that conforms to the standard's \emph{Security Level 4}. Interesting to note
are that only security level 4 requires any active tamper detection and response, so its security levels 3 and below do
not align with our HSM definition. Futher of note is that according to the standard, a single-chip solution does not
require any tamper detection and response either to meet the standard's security level 4, which is in misalignment with
our definition. The standard's 2019 updated version FIPS
140-3~\cite{usnationalinstituteofstandardsandtechnologySecurityRequirementsCryptographic2019} defers to the
international standards ISO/IEC 19790 and 24759.
ISO/IEC 19790~\cite{ISOIEC19790} and ISO/IEC 24759~\cite{ISOIEC24759} call what we call a HSM a \emph{Hardware
Cryptographic Module} corresponding with the standards \emph{Security Level 4}. However, these standards only require
active tamper detection and response when cryptographic secrets are transmitted in plaintext between chips.
\section{Use in card payment processing (PCI SSC) standards}
The Payment Card Industry Security Standards Council (PCI SSC) is an association of credit card network operators that
defines standards for all layers of card payment processing, from card payment terminals in stores to the handling of
payment data in online shop backend systems.
PCI SSC terminology aligns with our use and with common everyday use of the term HSM. In PCI SSC terminology, a HSM is a
crytographic device that has active tamper detecion and response circuitry. However, PCI SSC terminology differs from
our use of the term HSM in one nuance: In PCI SSC terminology, a HSM is specifically a datacenter device used for
backend processing of payment data. The general class of ``hardware devices performing some security function with or
without particular physical security requirements'' that ISO/IEC 19790 and other standards call a \emph{Hardware
Cryptographic Module}, in PCI SSC terminology is termed \emph{Secure Cryptographic Device (SCD)} in more recent standard
versions, which was updated from the previous term \emph{Tamper-Resistant Security Module (TRSM)}. Other than HSMs, PCI
SSC includes smartcards and card payment terminals in this category. Card payment terminals, referred to as
\emph{Pin-Entry Device (PED)} in PCI SSC standards, have to include a surprising amount of active tamper detection and
response functionality including partial coverage of areas like they system's main cryptographic processor and smart
card reader by battery-backed tamper-sensing meshes.
\section*{Tamper-Sensing Meshes}
\addcontentsline{toc}{subsection}{Tamper-Sensing Meshes}
In this thesis, we use the terms \emph{Tamper-Sensing Mesh} and \emph{Security Mesh} synonymous. We use both terms to
refer to any electrical circuit whose path is laid out to cover a surface with the intent of detecting attempts at
drilling, cutting or otherwise manipulating this surface. While the term \emph{Security Mesh} is more concise, it is
less clear to people unfamiliar with the matter. It is also polysemous, and depending on context can also refer to woven
or stamped metal meshes used as fences or as screens in front of windows to prevent break-ins. As a result, it is harder
to use in online searches, and when using Large Language Models (LLMs), it frequently leads to amusing hallucinations.

557
main.bib
View file

File diff suppressed because one or more lines are too long

17
thesis.tex
View file

@ -1,5 +1,10 @@
\documentclass[11pt,a4paper,notitlepage,twoside]{book}
\usepackage[a4paper, top=3cm, bottom=3.5cm, inner=3.5cm, outer=5cm, marginpar=3.8cm]{geometry}
\ifdefined\thesisoneside %
\documentclass[11pt,a4paper,notitlepage,oneside]{book}
\usepackage[a4paper, top=3cm, bottom=3.5cm, inner=3.5cm, outer=5cm, marginpar=3.5cm]{geometry}
\else %
\documentclass[11pt,a4paper,notitlepage,twoside]{book}
\usepackage[a4paper, top=3cm, bottom=3.5cm, inner=3.5cm, outer=5cm, marginpar=3.5cm]{geometry}
\fi %
\input{common-packages}
\input{common-defs}
@ -8,6 +13,7 @@
\newcommand{\chaptertitle}[1]{
\chapter{#1}
\printchapterquote
%FIXME note leo: remove minitocs?
\begin{spacing}{1.1}
\minitoc
\end{spacing}
@ -27,15 +33,16 @@
\input{titlepage.tex}
\frontmatter
%\chapter*{Akademischer Werdegang}
%\includepdf[pages=-]{lebenslauf-en-akademischer-werdegang-diss.pdf}
\input{abstract-de.tex}
\input{abstract.tex}
\input{ai-llm-use-disclosure.tex}
\input{hsm-terminology-notes.tex}
\clearpage
\tableofcontents
\listoffigures
\listoftables
%\listoffigures
%\listoftables
\mainmatter
\dochapter{chapter-introduction} % Status: In pretty good shape

10
titlepage.tex
View file

@ -55,10 +55,16 @@
Darmstadt, Technische Universität Darmstadt, 2025
\noindent
URN: TBD FIXME
URN: https://nbn-resolving.de/urn:nbn:de:tuda-tuda-150469
\noindent
Tag der mündlichen Prüfung: TBD FIXME
DOI: https://doi.org/10.26083/tuda-7720
\noindent
Document revision: \input{version}
\noindent
Tag der mündlichen Prüfung: TBD
\noindent
Veröffentlicht unter CC-BY-SA 4.0 International