phd-thesis/chapter-introduction/chapter.tex
2026-01-20 07:48:08 +01:00
\chapterquote{Meredith Whittaker~\cite{greenbergSignalMoreEncrypted2024}}{
It's not for lack of ideas or possibilities. It's that we actually have to start taking seriously the shifts that
are going to be required to do this thing—to build tech that rejects surveillance and centralized control—whose
necessity is now obvious to everyone.
}
\chaptertitle{Introduction}
\label{chapter-intro}
\emph{No Gods, No Masters} is an anarchist slogan originating in the 19\textsuperscript{th} century that expresses a
rejection of authorities~\cite{broussaisOriginesDeviseAnarchiste2022,guerinNoGodsNo2005,blomNoGodsNo2025}. Despite its
origin in a different era, it encapsulates an approach that is commonly followed in modern cryptography. In
cryptography, it is considered best practice to involve as few parties as possible in any computation.
Most cryptographic problems are easily solved by involving a trusted third party (TTP). Yet, cryptographers have time
and again vocally rejected attempts to involve third parties in cryptographic protocols~\cite{
abelsonRisksKeyRecovery1997,
abelsonKeysDoormats2015,
andersonSecurityEngineeringGuide2020,
rogawayMoralCharacterCryptographic2015}.
Considerable research has been focused on creating a versatile set of tools to perform tasks as diverse as secure
communication~\cite{
alwenDoubleRatchetSecurity2019,
marlinspikeDoubleRatchetAlgorithm2025,
dowlingFlexibleAuthenticatedConfidential2020,
sasySoKMetadataProtectingCommunication2024},
oblivious database access~\cite{
chorPrivateInformationRetrieval,
aguilar-melchorXPIRPrivateInformation2016,
reichertMenhirObliviousDatabase2024},
and even general computation~\cite{
goosInformationTheoreticallySecure1999,
aumannSecurityCovertAdversaries2010,
chorPrivateInformationRetrieval}
in a decentralized way that avoids trusted authorities.
While politically, the anarchist blanket rejection of authority represents a fringe viewpoint, in cryptography it has a
long tradition originating with the Cypherpunk and Hacker movements~\cite{
andersonCypherpunkEthicsRadical2022,
hughesCypherpunksManifesto,
jarvisCryptoWarsFight2020,
marlinspikeWeShouldAll2013},
and extending throughout mainstream academic cryptography.
While the aforementioned cryptographic tools enable a large gamut of use cases in theory, in practice cryptographic
systems are still routinely compromised~\cite{
gellmanNSAInfiltratesLinks2013,
goldmanUnrestrainedChineseCyberattackers2025,
scott-railtonWhoseAuthorityPegasus2024,
quintinSomethingRememberUs2024,
marczakGraphiteCaughtFirst2025,
PredatorFilesTechnical2023,
PakistanMassSurveillance2025}.
A fundamental flaw of any practical cryptographic system is that secure algorithms have to run on hardware, and even
today, average computing hardware provides little physical security~\cite{
gotzfriedCacheAttacksIntel2017,
Lipp2018meltdown,
Kocher2018spectre,
moghimiTPMFAILTPMMeets2020}.
\emph{Hardware Security Modules} are a class of devices specifically designed to execute cryptographic algorithms while
providing strict physical security guarantees, but these systems are expensive,
and their physical security is often questionable~\cite{
obermaier2018,
andersonSecurityEngineeringGuide2020},
which we elaborate on further in Chapter~\ref{chapter-survey}. \textcite{andersonSecurityEngineeringGuide2020} writes
on HSM security:
\begin{quote}
Security economics remains a big soft spot, with security chips being in many ways a market for lemons. A banker
buying HSMs probably won't be aware of the huge gap between FIPS\footnote{Anderson here refers to the US national
HSM security standard FIPS
140~\cite{usnationalinstituteofstandardsandtechnologySecurityRequirementsCryptographic2002,
usnationalinstituteofstandardsandtechnologySecurityRequirementsCryptographic2019}} level 3 and level 4, and
understand that level 3 can sometimes be defeated with a Swiss army knife. The buying incentive there is compliance,
and where real security clashes with operations it's not surprising to see weaker standards designed to make
compliance easier.
\begin{flushright}
\textit{\textcite{andersonSecurityEngineeringGuide2020} p. 629}
\end{flushright}
\end{quote}
In this thesis, we aim to fill this gap in easily obtainable, secure hardware and extend the level of protection
afforded by cryptographic protocol design down the technology stack to the hardware level. We propose a new HSM design
that unlike existing designs can be manufactured at low cost and without access to specialized tools.
% Go into drawbacks of existing HSMs
We publish our design fully open source, including all details necessary for replication. A fundamental principle in
cryptographic engineering is Kerckhoffs' principle\footnote{
\textcite{petitcolasKerckhoffsPrinciplesCryptographie} contains a high-quality OCR'ed copy of the original source,
as well as a translation of the cited part from French. The original source is
\textcite{kerckhoffsCryptographieMilitaire1883}.
}, named after Dutch military cryptographer Auguste Kerckhoffs. Kerckhoffs' principle expresses that the security of a
cryptographic system should only depend on the secrecy of its keys, not on the secrecy of its design. Existing
commercial designs routinely contravene Kerckhoffs' principle by applying the widespread industry practice of
\emph{Security by Obscurity}. Even in related academic work, the principle is sometimes violated by omitting
implementation and methodological details in the interest of patents and commercial exploitation. By publishing all
details of our research into HSMs and their components, we provide the foundation for future independent research.
Beyond applying Kerckhoffs' principle, publishing our design also enables independent replication. Our design is
based entirely on standard components and does not require bespoke manufacturing processes. Existing HSM tamper-sensing
designs, both commercial and academic, require bespoke manufacturing methods or custom integrated circuits
(ICs)~\cite{
obermaierPUFfilmMethodProducing2023,
immler2019,
garbTamperSensitiveDesignPUFBased,
immlerBTREPIDBatterylessTamperresistant2018}. Custom ICs require a large up-front financial commitment to produce.
Bespoke manufacturing methods may require custom machines, training, and specialty materials, also incurring a high
startup cost. This creates a single point of failure in the manufacturer, and opens up an opportunity for a hardware
supply-chain attack~\cite{harrisonSoKSecurityArchitects2025}. Such supply chain attacks can be mitigated by
independently manufacturing our design.
%%%
\section{A Note on Hardware Security Module Terminology}
In this thesis, we use the term \emph{Hardware Security Module (HSM)} to refer to a security device that has the
following three properties.
\begin{enumerate}
\item A HSM targets the prevention of any conceivable physical attack. In particular, this includes intrusion attempts
such as careful drilling or cutting into the device from any direction.
\item A HSM includes tamper sensors that when triggered result in an active tamper response, usually deleting all
cryptographic secrets and rendering the device inoperable.
\item A HSM's tamper sensing and response subsystem is continuously powered from a backup power supply, usually a
battery. Loss of power triggers the tamper response.
\end{enumerate}
This use of the term \emph{HSM} aligns with common usage of the term both in the academic literature and in everyday
conversation. In particular, the requirement of active tamper detection and response is crucial to distinguish a HSM from
simpler devices such as TPMs, smart cards or secure enclaves in SoCs. Note that our use of the term HSM is slightly
different from its use in government standards, from its use in the PCI SSC (Payment Card Industry Security Standards
Council) standards, and from its industry use.
In industry, the term HSM is often used for solutions that are only logically segregated and that do not include any
particular defense against hardware attacks. Our conjecture is that this is a consequence of the standardization
landscape, where for applications outside of card payment processing the US FIPS
140-2~\cite{usnationalinstituteofstandardsandtechnologySecurityRequirementsCryptographic2002} standard was central to
the industry. Despite encompassing both devices that include active tamper detection and response and devices that do
not, FIPS 140-2 did not draw a distinction in its terminology between the two classes.
\subsection{Use in government standards}
Under the still widely used US national standard FIPS 140 in its 2002 version
2~\cite{usnationalinstituteofstandardsandtechnologySecurityRequirementsCryptographic2002}, a HSM would be called a
\emph{Multiple-Chip Cryptographic Module} that conforms to the standard's \emph{Security Level} 4 out of 4. It is
interesting to note that only level 4 requires any active tamper detection and response, so devices compliant only up to
level 3 and below do not align with our HSM definition. Further of note is that, according to the standard, a single-chip
solution does not require any tamper detection and response either to meet the standard's security level 4, which does
not align with our definition. The standard's 2019 updated version FIPS
140-3~\cite{usnationalinstituteofstandardsandtechnologySecurityRequirementsCryptographic2019} defers to the
international standards ISO/IEC 19790 and 24759.
ISO/IEC 19790~\cite{ISOIEC19790} and ISO/IEC 24759~\cite{ISOIEC24759} call what we call a HSM a \emph{Hardware
Cryptographic Module} corresponding to the standards' \emph{Security Level 4}. However, these standards only require
active tamper detection and response when cryptographic secrets are transmitted in plaintext between chips.
\subsection{Use in card payment processing (PCI SSC) standards}
The Payment Card Industry Security Standards Council (PCI SSC) is an association of credit card network operators that
defines standards for all layers of card payment processing, from card payment terminals in stores to the handling of
payment data in online shop backend systems.
PCI SSC terminology aligns with our definition and with common everyday use of the term HSM. In PCI SSC terminology, a
HSM is a cryptographic device that has active tamper detection and response circuitry. However, PCI SSC terminology
differs from our use of the term HSM in one nuance: In PCI SSC terminology, a HSM is specifically a datacenter device
used for backend processing of payment data. The general class of ``hardware devices performing some security function
with or without particular physical security requirements'' that ISO/IEC 19790 and other standards call a \emph{Hardware
Cryptographic Module}, in PCI SSC terminology is termed \emph{Secure Cryptographic Device (SCD)} in more recent standard
versions, which was updated from the previous term \emph{Tamper-Resistant Security Module (TRSM)}. Other than HSMs, PCI
SSC includes smartcards and card payment terminals in this category. Card payment terminals, referred to as
\emph{PIN Entry Device (PED)} in PCI SSC standards, have to include a surprising amount of active tamper detection and
response functionality including partial coverage of areas like their main cryptographic processor and smart card reader
by battery-backed tamper-sensing meshes. Under our definition, these devices can be classified as a type of HSM.
\subsection{Tamper-Sensing Meshes}
In this thesis, we use the terms \emph{Tamper-Sensing Mesh} and \emph{Security Mesh} synonymously. We use both terms to
refer to any electrical circuit whose path is laid out to cover a surface with the intent of detecting attempts at
drilling, cutting or otherwise manipulating this surface. While the term \emph{Security Mesh} is more concise, it is
less clear to people unfamiliar with the matter. It is also polysemous, and depending on context can also refer to woven
or stamped metal meshes used as fences or as screens in front of windows to prevent break-ins. As a result, it is harder
to use in online searches, and when using Large Language Models (LLMs), it frequently leads to amusing hallucinations.
% FIXME note leo: The whole thing reads like a good building block for an introduction. For a terminology overview it is
% otherwise actually too long.
% Maybe split this up: a few more details into the abstract to make the HSM definition a bit more precise, and the rest
% into the intro?
%%%
\section{Inertial Hardware Security Modules}
In this thesis, we propose Inertial Hardware Security Modules (IHSMs) to fill the gap of protecting systems that handle
highly sensitive data but that cannot use conventional HSMs for cost or performance reasons. In a system with a secure
software stack, the role of a HSM is to secure the hardware part of the stack. The basic approach of a HSM is to combine
a secure software stack with tamper sensors connected to a fast self-destruct mechanism. The tamper sensors are tasked
with detecting any physical attack an attacker could mount on the device. Common classes of such sensors include
environmental sensors such as temperature or radiation sensors that detect attempts at causing controllable faults in
the HSM by heating, cooling or irradiating it. Building on the basic protection offered by such sensors,
\emph{tamper-sensing meshes} are often employed. These \emph{meshes} are flexible foils containing circuit traces that
are attached to the HSM's enclosure to detect attempts at penetrating the shell of the device with probes.
Tamper-sensing meshes usually are the primary line of defense against most physical attacks. They are very effective at
mitigating a large variety of physical attacks, but they are difficult to construct securely as they usually require
bespoke manufacturing processes. As a result, they are currently only used in niche applications, and even there not
every realization is equally secure. The self-destruct mechanism can be hardware or software that quickly and securely
destroys all cryptographic secrets, thereby rendering the device worthless to an attacker.
IHSMs are a new design approach that utilizes mechanical motion to create secure tamper-sensing meshes from simple
components. IHSMs solve the issue of creating an impenetrable tamper-sensing envelope by replacing the bespoke
tamper-sensing mesh foil with a set of simple, rigid meshes made from commodity Printed Circuit Boards (PCBs) that are
rotating at high speed. In motion, these simple PCB tamper-sensing meshes are as secure as the much more sophisticated
bespoke foils used in conventional HSMs against an attacker with access to commercially available tools, yet they are
simpler and less expensive to manufacture. To verify that the mesh is rotating correctly, an accelerometer is placed on
the rotating mesh, and its centrifugal force reading is used to validate its path of motion.
IHSMs enable the protection of much larger payloads compared to conventional mesh designs, and they can support larger
power dissipation. Combined with their low cost, this enables the implementation of high-level hardware security in
applications that previously would not have been possible to secure.
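The rotation check described above, as an added illustration that is not code from the thesis or its prototype: an accelerometer on the spinning mesh reports a centripetal acceleration of $\omega^2 r$, and a monitor compares each reading against the value expected at the nominal spin rate, latching a tamper response if the mesh slows, stops or deviates for longer than a short debounce window. The radius, spin rate, tolerance band and debounce length are assumed values chosen for the example.

```c
/* Added example (not from the thesis): plausibility monitor for an IHSM's
 * rotating mesh. A radially mounted accelerometer at radius r on a mesh
 * spinning at omega rad/s reads a centripetal acceleration of omega^2 * r.
 * If the reading leaves the expected band for several consecutive samples,
 * the mesh is no longer moving as required and the tamper response fires.
 * All constants below are assumptions for the example, not thesis values. */
#include <stdbool.h>
#include <stdio.h>

#define PI                 3.14159265358979323846
#define MESH_RADIUS_M      0.05    /* assumed sensor radius: 50 mm */
#define NOMINAL_RPM        1500.0  /* assumed nominal mesh speed */
#define TOLERANCE_FRAC     0.15    /* accept +/-15 % around nominal */
#define DEBOUNCE_SAMPLES   3       /* consecutive bad samples before alarm */

/* Expected centripetal acceleration (m/s^2) for a spin rate and radius. */
double expected_centripetal(double rpm, double radius_m) {
    double omega = rpm * 2.0 * PI / 60.0;   /* rpm -> rad/s */
    return omega * omega * radius_m;
}

typedef struct {
    double expected;   /* expected radial reading in m/s^2 */
    double tolerance;  /* absolute tolerance band */
    int bad_count;     /* consecutive out-of-band samples seen so far */
    bool tampered;     /* latched: a brief return to speed must not clear it */
} rotation_monitor_t;

void monitor_init(rotation_monitor_t *m) {
    m->expected = expected_centripetal(NOMINAL_RPM, MESH_RADIUS_M);
    m->tolerance = m->expected * TOLERANCE_FRAC;
    m->bad_count = 0;
    m->tampered = false;
}

/* Feed one radial accelerometer sample; returns true once the tamper
 * response should fire. Debouncing tolerates single noisy samples while a
 * sustained deviation (spin-down, stalled motor, mesh removed) still trips. */
bool monitor_feed(rotation_monitor_t *m, double radial_accel) {
    if (m->tampered) return true;
    double dev = radial_accel - m->expected;
    if (dev < 0) dev = -dev;
    if (dev > m->tolerance) {
        if (++m->bad_count >= DEBOUNCE_SAMPLES) m->tampered = true;
    } else {
        m->bad_count = 0;   /* isolated glitch: reset the debounce counter */
    }
    return m->tampered;
}

/* Run a whole trace; returns the index of the sample that triggered the
 * response, or -1 if the mesh stayed within tolerance throughout. */
int monitor_run(const double *samples, int n) {
    rotation_monitor_t m;
    monitor_init(&m);
    for (int i = 0; i < n; i++)
        if (monitor_feed(&m, samples[i])) return i;
    return -1;
}

/* Constructed traces so the check runs offline: a healthy mesh with sensor
 * noise, and a mesh being spun down (e.g. motor stopped to reach the payload). */
int demo_healthy(void) {
    double ok = expected_centripetal(NOMINAL_RPM, MESH_RADIUS_M);
    double trace[6] = { ok, ok * 1.02, ok * 0.97, ok * 1.05, ok, ok * 0.99 };
    return monitor_run(trace, 6);   /* returns -1 */
}

int demo_spindown(void) {
    double ok = expected_centripetal(NOMINAL_RPM, MESH_RADIUS_M);
    double trace[6] = { ok, ok * 0.9, ok * 0.6, ok * 0.3, 0.0, 0.0 };
    return monitor_run(trace, 6);   /* returns 4: third bad sample in a row */
}

int main(void) {
    printf("expected reading: %.1f m/s^2\n",
           expected_centripetal(NOMINAL_RPM, MESH_RADIUS_M));
    printf("healthy trace: %d, spin-down trace: %d\n",
           demo_healthy(), demo_spindown());
    return 0;
}
```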
To the best of our knowledge, IHSMs are the first fully open source, replicable HSM with advanced tamper sensing
features. Across application domains, IHSMs can be applied to gain resistance to physical attacks in scenarios where
conventional HSMs were not used because of cost, computing power or implementation effort. Where conventional HSMs come
as fully integrated devices that only expose limited APIs to their users, IHSMs at their core are just an enclosure that
the user can put whatever hardware they need into, adapting the tamper response to their application's needs. Since the
simpler tamper-sensing mesh construction of IHSMs scales to larger payload volumes, entire servers can be
protected---something that is impossible with conventional HSMs. Since the mesh in an IHSM is constantly moving, unlike
a mesh in a conventional HSM, it does not have to entirely cover the payload. Instead, it can have gaps that allow for
air flow between outside and inside, enabling active cooling of the IHSM's payload. This cooling capability increases
computing power by increasing feasible payload power dissipation by orders of magnitude~\cite{kordyban1998}.
\section{Research Questions and Contributions}
Based on the current state of the field of hardware security, we deduce six overarching research questions for this
thesis that progress from theory to practical deployment.
\begin{enumerate}
\item What is the state of the art in commercial tamper sensing mesh implementations?
\item What are criteria and approaches for the design of secure tamper sensing meshes?
\item Can we achieve physical security without relying on conventional tamper-sensing meshes that require a
bespoke manufacturing process?
\item Can we monitor tamper-sensing meshes at a higher detail level than the state of the art of a single, scalar
measurement?
\item Can we improve the ripple voltage performance of Wireless Power Transfer (WPT) through rotating joints to
adapt it to IHSM applications?
\item What applications does our IHSM technology open up through its increase in power dissipation and size
capabilities?
\end{enumerate}
We answer our first research question in two parts. In Chapter~\ref{chapter-epa}, we analyze the hardware security
design of Germany's new national electronic health record system. Our analysis unveils a combination of problematic
choices resulting from conflicting constraints and lack of awareness. In Chapter~\ref{chapter-survey}, we present the
results of a survey across approximately 30 real world tamper sensing mesh implementations, analyzing common design
features.
The latter half of our survey in Chapter~\ref{chapter-survey} answers our second research question. From our analysis of
this large corpus of devices, we deduce a list of design criteria that can be applied to increase the security of any
tamper sensing mesh implementation.
To answer our third research question, in Chapter~\ref{chapter-ihsm} we propose the Inertial Hardware Security Module
(IHSM), a new type of HSM that extends the high level of protection offered by the modern cryptographic software stack
down to the hardware level, enabling secure computation in insecure places. IHSMs can be built from basic, off-the-shelf
components and do not require bespoke manufacturing processes.
To answer our fourth research question, in Chapter~\ref{chapter_sampling_mesh_mon} we propose improvements to the state
of the art in HSM tamper sensors based on the use of low-cost, embeddable Time-Domain Reflectometry (TDR). Our
improvements can be applied to both IHSMs and conventional HSMs.
IHSMs come with unique power supply constraints since their rotating mesh must be continuously powered. A
straightforward solution utilizes Wireless Power Transfer using planar inductors, but existing WPT designs exhibit a
ripple voltage due to an asymmetry of conventional planar inductors. This leads to our fifth research question, which
we solve in Chapter~\ref{chapter-nice-coils} with the design and experimental evaluation of a new, generalized class of
\emph{twisted} planar inductors that reduces voltage ripple in rotating shaft setups.
Finally, we answer our last research question by showing in two case studies what an end-to-end design of an IHSM-secured
data processing system could look like. Both case studies concern scenarios that IHSMs unlock that were previously
infeasible using conventional HSMs: In Chapter~\ref{chapter-qkd}, we explore how IHSMs enable long-range Quantum Key
Distribution (QKD) networks using trustable physically secured relay nodes and in Chapter~\ref{chapter-smpc} we
elaborate how datacenter-scale Secure Multiparty Computation (SMPC) clusters can be created using IHSM enclosures with
commercial server hardware.
\section{Contributions}
Through this thesis, we make contributions advancing the state of hardware security across several related sub-fields.
Our contributions include:
\begin{enumerate}
\item We conduct the first large-scale survey of tamper sensing measures in the real world, analyzing approximately
30 devices.
\item From our real world observations, we systematize tamper sensing mesh construction techniques and we provide a
list of criteria improving mesh security.
\item We experimentally analyze the impact of Computed Tomography (CT) imaging on mesh security.
\item We propose the IHSM, a new concept for HSM design based on a rotating mesh that increases payload size and
power dissipation capacity while simultaneously allowing for simpler meshes constructed from standard
components.
\item We show experimental results on IHSM mesh performance obtained with a prototype IHSM.
\item We introduce an algorithm for the automatic layout of tamper-sensing meshes and its implementation on top of a
popular, open-source Electronic Design Automation (EDA) tool.
\item We introduce a high-fidelity mesh monitoring approach that uses Time-Domain Reflectometry (TDR).
\item We show a low-cost implementation of our TDR monitoring approach.
\item We evaluate the performance of our TDR monitoring implementation and demonstrate its response to a large
set of attacks. We show that it reliably distinguishes identical copies of the same mesh specimen, suggesting
PUF-like behavior.
\item We introduce a generalized design approach for low-loss planar inductors that outperform prior approaches in
parasitic capacitance, self-resonant frequency and rotational symmetry.
\item We apply our design approach to the problem of Wireless Power Transfer to the rotating mesh of an IHSM.
\item We conduct an exhaustive experimental evaluation of the rotational symmetry of a large set of planar WPT
inductors created using our approach.
\item We analyze physically secure Quantum Key Distribution relays as an IHSM use case and develop a low-loss fiber
optic passthrough that supports an additional, secondary, independently rotating mesh shielding the shaft
passthrough of the IHSM's primary mesh.
\item We explore IHSMs for co-located high performance Multiparty Computation (MPC) setups. We demonstrate a
fan-driven IHSM mesh concept for high-availability scenarios that removes motors as a single point of failure
while providing sufficient airflow for cooling high-power server components.
\end{enumerate}
We chose to publish all of our research as open source and unencumbered by patents to enable widespread adoption. IHSMs
can be custom built with only basic manufacturing capabilities at small scale and enable the deployment of secure
computation in insecure places even to small organizations such as university research departments, NGOs and small
businesses.
Looking at the practice of applied hardware security, we observe that, despite the ample availability of commercial
solutions promising easy hardware security, there is still a lack of solutions that provide the adaptability required by
some real use cases at a low enough cost. By publishing the tamper-sensing technology we developed during the making of
this thesis as open source hardware designs, we aim to provide this missing building block to provide high-level
hardware security in real-world applications. Our hardware designs can be adapted to devices ranging from Single-Board
Computers (SBCs) to servers, they are compatible with non-computing applications like Quantum Key Distribution (QKD) and
their design approaches can even be integrated into existing HSM designs to provide better security at little additional
cost.