Aging Reinforces DMFB Security

Aging has a greater impact on DMFBs as compared to their CMOS counterpart. As described earlier in Section 2.3, it is known that DMFBs degrade quickly and must be discarded within a few hours [62]; the short lifetime can be attributed to the rapid degradation of electrodes during DMFB operation. Several experimental and analytical methods have studied the causes of electrode degradation in order to identify DMFB fabrication methods that can enhance reliability [187]. In our framework, we take advantage of DMFB electrode degradation to enhance system security against potential attacks. We exploit the fact that electrodes can withstand only a limited number of actuations before dielectric breakdown occurs [179]. Therefore, an attacker can make only a limited number of attempts to break the security scheme (i.e., guess the secret key through trial and error) before the DMFB fails.

Next we examine two DMFB-related parameters in more detail to characterize and evaluate the security countermeasure: (1) the number of electrode actuations per electrode; (2) the thickness of the dielectric layer. Electrode degradation (or lifetime) can be analyzed on the basis of the threshold voltage needed to transport a droplet between adjacent electrodes based on the electrowetting phenomenon.

Number of Electrode Actuations

The degradation model for the electrodes in Section 2.3 describes the impact of excessively using an electrode on its lifetime. According to this analysis, an electrode’s lifetime can be divided into three regions: reliable operation, safety margin, and breakdown (Figure 2.7). In the reliable operation region, the threshold voltage needed for actuation is constant. Then, it increases linearly in the safety margin region. Finally, in the breakdown region, a significant increase in the threshold voltage is required to transport a droplet; this increase, in turn, quickly leads to dielectric breakdown and electrode failure [270].

Thickness of the Dielectric Layer

Thickness of the dielectric layer plays a crucial role in determining the lifetime of a DMFB. It is desirable to make the dielectric thinner in order to reduce the voltage required for actuation—the thinner the dielectric, the lower is the actuation voltage. However, the breakdown voltage imposes a lower limit on the dielectric thickness.

We can design and fabricate a DMFB such that it permits reliable actuation only for a certain duration, thus limiting the usability of the DMFB if an attacker attempts to obtain the secret key through brute-force trial and

FIGURE 10.4

Electrowetting threshold and dielectric breakdown voltage versus dielectric thickness.

error. For example, given the dielectric thickness d_e = 2.3 /mi for the dielectric material considered in Figure 10.4, the designer can derive the breakdown voltage (120 V) and the threshold voltage (90 V) from Figure 2.7. Using these two values, we can use Figure 2.7 to determine the maximum number N_act of allowable electrode actuations (N_act = 260, in this case) for reliable execution of the DMFB. Since each attempt to run the target bioassay with a random key leads to a known number of electrode actuations, IS act can be used to derive an upper limit n_act (n_act « Nact) on the number of attempts that an attacker can make before the chip breaks down.

Encryption Security Analysis and Simulation Results

In this section, a detailed security analysis is provided to evaluate the effectiveness of microfluidic encryption. Microfluidic encryption is applied to three benchmark assays —in-vitro, PCR, and Protein [286]—and area and performance overheads are obtained. We have used a custom C++ program to encrypt a given assay by optimally inserting multiplexers into the sequencing graph. Two multiplexer-insertion algorithms have been implemented: (i) a baseline method in which multiplexers are randomly inserted at various positions in the sequencing graph; (ii) the proposed greedy algorithm. The open-source DMFB synthesis tool [86] is used to synthesize assays. For the synthesis flow, we used list scheduler, left-edge placer, and the modified maze router [86].

Security Analysis

In this subsection, we examine the security benefits associated with the use of fluidic multiplexers.

Number of Electrode Actuations: Figure 10.5 shows the maximum number of electrode actuations corresponding to the number of multiplexers being used. Without encryption, in-vitro, PCR, and Protein assays require 8, 2, and 22 actuations, respectively. These numbers increase in a linear fashion with the number of multiplexers, necessitating an increase in the dielectric thickness in order to retain the same lifetime of the DMFB. On the other hand, a fixed dielectric thickness will degrade the life-time of the DMFB with an increase in the number of multiplexers. For example, in-vitro assay requires a maximum of 8 actuations per electrodes. If the dielectric thickness is chosen as 2.3 pm, the maximum number of actuations that is possible before breakdown can be calculated (from Figure 2.7 and Figure 10.4) to be 250. This implies that with 2.3 pm dielectric thickness, a DMFB can reliably execute the in- vitro assay яг 31 times. However, with eight multiplexers, the number of times the DMFB can be used is reduced to « 4. Hence an attacker will

FIGURE 10.5

Change in the number of electrode actuations with an increase in the number of multiplexers.

get very few attempts to guess the secret key by trial and error, and security of the DMFB is significantly enhanced. By carefully choosing the dielectric thickness and the number of multiplexers, the designer cannot only protect the DMFB against a brute-force attack, but also quantify the strength of this countermeasure. Since DMFBs are disposable and intended for one-time use, a reduction in the number of times that it can be used does not affect its applicability in practice.

Protection Against Brute-Force Attacks: The number of multiplexers defines a security metric for microfluidic encryption. As discussed in Section 10.2, the designer can carefully choose the number of multiplexers and the DMFB dielectric thickness to thwart attacks. For example, with a 2.3 /mi dielectric thickness and an eight-bit key, an attacker can be limited to only five brute-force attempts. Therefore, the attacker cannot exhaustively try all 256 possible keys.

It may be noted that the microfluidic encryption is based on one common secret key to activate all the DMFB chips, as all these chips are generated based on the same encrypted sequencing graph. As shown in [103, 97], there exists significant chip-to-chip variability in DMFB fabrication, characterization, measurements. Such inherent variability can be incorporated into the proposed fluidic encryption framework, via side-channel fingerprinting schemes [10], to ensure unique key for DMFBs. Efficient designs of side-channel fingerprinting is left for future work.

Protection Against Hardware Trojan Attacks: The hardware Trojan attacks described in Chapter 9 manipulate the assay outcome by altering the sequencing graph. In order to launch such a manipulation-based attack, the attacker must have a prior knowledge of the assay. The proposed microfluidic encryption obfuscates the assay; therefore, the attacker can no longer alter the assay to get a meaningful outcome that can pass scrutiny.

DMFB Supply-Chain Security: In the proposed framework, any party in the DMFB supply chain other than the biocoder can be malicious. To ensure security, the biocoder will provide the designer only an encrypted sequencing graph for the assay, but does not hand over the secret key. Without the secret key, a malicious designer is thwarted from extracting the assay protocol, and hence, cannot steal the IP. A malicious foundry can overproduce DMFBs, but without the secret key, overproduced DMFBs will be useless. In the same way, it is evident that the proposed microfluidic encryption provides protection against counterfeiting.

Area Overhead

The area overhead is calculated as the number of electrodes in the electrode array. Figure 10.6 shows the area overhead corresponding to the number of multiplexers, where “0 multiplexer” represents no encryption. We have considered up to eight multiplexers. The number of electrodes increases linearly with the number of multiplexers. Eight multiplexers lead to 286%, 139%, and

FIGURE 10.6

Change in number of electrodes with an increase in the number of multiplexers.

170% increase in the number of electrodes for in-vitro, PCR, and Protein assays, respectively. The increase in the DMFB footprint will be much less than the increase in the number of electrodes, because in real DMFBs, the input/output pads are much larger than the actual microfluidic array. As shown in Figure 8.9(b), for a fabricated biochip (described in Chapter 8), 32 input/output pads consume more area than the 5x5 electrode array. We can keep the number of I/Os the same for the larger number of electrodes by sharing control pins. As a result, the impact on DMFB area can be minimized. Note that these results are specific to the synthesis tool that we have used. While the results are likely to be slightly different for other synthesis tools, we expect the trends to hold.

Bioassay Execution-Time Overhead

Figure 10.7 and 10.8 show the execution-time overhead corresponding to the insertion of multiplexers using the baseline (random) method and the proposed optimization method, respectively. As shown in Figure 10.7, the random insertion of multiplexers result in a sharp increase in the execution time for all the three assays. For example, with 8 randomly inserted multiplexers, the execution time of in-vitro and PCR assays increase by 10X, whereas it is only 2X for Protein assay. Each additional multiplexer adds as much as one second of execution-time overhead. For the proposed optimization method, the execution-time overhead is considerably less for the largest assay (20% increase in execution-time overhead for Protein assay), but it is comparable

FIGURE 10.7

Execution-time overhead associated with the random insertion of multiplexers.

FIGURE 10.8

Execution-time overhead associated with the greedy insertion of multiplexers.

to the overhead for random insertion for the two smaller assays. This is because for smaller assays, there are only a few possible locations where multiplexers can be inserted and random insertion is as effective as optimized placement. For emerging cyber-physical on-chip bioassay protocols that target complex applications, e.g., gene-expression analysis (Chapter 2), random insertion will be significantly more intrusive than the proposed optimized placement.