First proofreading

1 files changed, 133 insertions, 126 deletions

diff --git a/paper/ihsm_paper.tex b/paper/ihsm_paper.tex
index 64e94b3..074448c 100644
--- a/paper/ihsm_paper.tex
+++ b/paper/ihsm_paper.tex
@@ -355,44 +355,46 @@ evolution of our design, the spinning mesh could even be designed to \emph{be} a
 Conventional HSMs are limited by the construction of their security meshes which rely on plastics as their main
 structural material. The security mesh has to fit the highest components inside the HSM. Since creating a security mesh
 with a non-flat surface is difficult, this means there is an inevitable gap of a few millimeters between the surface of
-the payload CPU and the inside surface of the mesh. This distance is added to several millimeters of epoxy resin that
-the mesh is embedded inside so as to be hard to remove intact. Overall, this leads to a structure approximately a
-centimeter thick that includes several millimeters of poorly thermally conductive epoxy resin~\cite{obermaier2019}.
-Even if ``thermally conductive'' resins would be used, thermal conductivity is limited to a fraction of what can be
-achieved with a heatsink directly attached to the CPU. A modern high-end CPU heatsink with its fan running has a thermal
-resistance from CPU junction to air of around $\SI{0.1}{\kelvin\per\watt}$. If one were to make an HSM's security mesh
-out of an average thermally conductive epoxy with thermal conductivity
-$k=\SI{1}{\watt\per\meter\kelvin}$~\cite{kordyban1998,shabany2009,mgchemicals2017}, the resulting thermal resistance for
-a 5-by-5 centimeter, $\SI{5}{\milli\meter}$ thermal interface alone would $\SI{2}{\kelvin\per\watt}$, a more than
-10-fold increase. For an acceptable temperature delta from junction to air of $\SI{60}{\kelvin}$ this yields a maximum
-power dissipation of only $\SI{30}{\watt}$ compared to a theoretical $\SI{600}{\watt}$ for a conventional CPU cooler.
-Given that for modern high core-count CPUs, power dissipation is mostly linear in core count and for multithreaded
-applications performance is mostly linear in core count this severely limits the achievable performance in a
-traditional, hermetically sealed HSM.
-
-This estimated performance discrepancy matches up with our observation. Vendor of conventional HSMs Thales reports
-$\SI{20}{\kilo Ops\per\second}$ ECC signature operations on NIST Curve P-256 per device of their top-of-range ``Luna HSM
-790''~\cite{thales2021}, which compares to be slightly more than half of the $\SI{36}{\kilo Ops\per\second}$ signing
-operations that \texttt{openssl speed} in single-thread mode is able to do on an AMD Ryzen 7 PRO 4750U laptop CPU at a
-power consumption of $\SI{2.0}{\watt}$ on the active core.
+the payload CPU and the interior surface of the mesh. This distance is added to several millimeters of epoxy resin that
+the mesh must be embedded inside for it to be hard to remove intact. Overall, this leads to a structure approximately a
+centimeter thick that includes several millimeters epoxy resin with particularly poor thermal
+conductivity~\cite{obermaier2019}.  Even if ``thermally conductive'' resins would be used, thermal conductivity is
+limited to a fraction of what can be achieved with a heatsink directly attached to the CPU. A modern high-end CPU
+heatsink with its fan running has a thermal resistance from CPU junction to air of around
+$\SI{0.1}{\kelvin\per\watt}$~\cite{anandtech2015}.
+If one were to make an HSM's security mesh out of an average thermally conductive epoxy with thermal conductivity
+$k\approx\SI{1}{\watt\per\meter\kelvin}$~\cite{kordyban1998,shabany2009,mgchemicals2017}, the resulting thermal
+resistance for a 5-by-5 centimeter, $\SI{5}{\milli\meter}$ thermal interface alone would $\SI{2}{\kelvin\per\watt}$, a
+more than 10-fold increase. For an acceptable temperature delta from junction to air of $\SI{60}{\kelvin}$ this yields a
+maximum power dissipation of only $\SI{30}{\watt}$ compared to a theoretical $\SI{600}{\watt}$ for a conventional CPU
+cooler.  Given that for modern high core-count CPUs, both multithreaded performance and power dissipation are mostly
+linear in core count, this severely limits the achievable performance.
+
+This estimated performance discrepancy matches up with our observation. Thales, a manufacturer of conventional HSMs
+reports $\SI{20}{\kilo Ops\per\second}$ ECC signature operations on NIST Curve P-256 on one of their top-of-range
+``Luna HSM 790''~\cite{thales2021}, which compares to be slightly more than half of the $\SI{36}{\kilo Ops\per\second}$
+signing operations that \texttt{openssl speed} in single-thread mode is able to do on an AMD Ryzen 7 PRO 4750U laptop
+CPU using $\SI{2.0}{\watt}$ of power on the active core. Using today's technology, we expect a performance jump of one
+to two orders of magnitude in computing power to be feasible in an IHSM compared to a conventional HSM.
 
 \subsection{Long-term Operation}
 
-Like with other HSMs, practical use may require an IHSM to continuously run for a decade or even longer. As with other
-setups utilizing HSMs, a setup including IHSMs must be designed in a way that the failure of a small number of IHSMs
+Like with other HSMs, in a practical application an IHSM may have to run continuously for a decade or even longer. As
+with any networked system, a setup including IHSMs must be designed in a way that the failure of a small number of IHSMs
 does not compromise the system's security or reliability. Neither IHSMs nor traditional HSMs can withstand fire or
 flooding, so while a breach of security can be ruled out, a catastrophic failure of the device and erasure of data
 cannot~\cite{heise2021ovh}. Traditionally, this problem is solved by storing all secrets in multiple, geographically
-redundant HSMs~\cite{thales2015hsmha}. The problem of providing fault-tolerance in IHSMs is easier since they are based
-on general-purpose computer hardware and use general-purpose operating systems and thus allow for state-of-the-art
-database replication techniques to be applied. One example of this approach is a 2019 technology
-demonstration~\cite{signal2019} created by the signal.org, the organization running the signal secure messenger app. In
-this demonstration, signal.org have implemented the Raft consensus algorithm~\cite{ongaro2019} inside Intel SGX to
-replicate state between redundant instances.
-
-There are three main categories of challenges to an IHSM's longevity: Failure of components of the IHSM due to age and
-wear, failure of the external power supply and spurious triggering of the intrusion alarm by changes in the IHSM's
-environment. In the following paragraphs we will evaluate each of these categories in its practical impact.
+redundant HSMs~\cite{thales2015hsmha}. On IHSMs this task is aided on the software layer since they are based on
+general-purpose computer hardware and for state-of-the-art database replication techniques to be applied without first
+porting them to an embedded operating system or foreign CPU architecture. A practical example of this approach is a 2019
+technology demonstration~\cite{signal2019} created by the signal.org, the organization running the signal secure
+messenger app. In this demonstration, signal.org have implemented the Raft consensus algorithm~\cite{ongaro2019} inside
+Intel SGX to replicate state between redundant instances.
+
+Excluding natural disasters there are three main categories of challenges to an IHSM's longevity: Failure of components
+of the IHSM due to age and wear, failure of the external power supply and spurious triggering of the intrusion alarm by
+changes in the IHSM's environment. In the following paragraphs we will evaluate each of these categories in its
+practical impact.
 
 \paragraph{Component failure.}
 The failure mode of an IHSM's components is the same as in any other computer system and the same generic mitigation
@@ -411,45 +413,42 @@ considered is power loss. Traditional HSMs solve the need for an always-on backu
 batteries. The low static power consumption of a traditional HSM's simple tamper detection circuitry allows for the use
 of non-replaceable backup batteries. An IHSM in contrast would likely require a rechargeable backup battery since its
 motor requires more power than the mesh monitoring circuit of a traditional HSM. In principle, a conventional
-Uninterruptible Power Supply (UPS) can be used, but in practice a productized IHSM might have a small, simple UPS
+Uninterruptible Power Supply (UPS) can be used, but in practice a productized IHSM might have a smaller backup battery
 integrated into its case. Conservatively assuming an average operating power consumption of $\SI{10}{\watt}$ for an
 IHSM's motor, a single large laptop battery with a capacity of $\SI{100}{\watt\hour}$~\cite{faa2018} could already power
 an IHSM for 10 hours continuously. If a built-in battery is undesirable, or if power outages of more than a few seconds
 at a time are unlikely (e.g.\ because the IHSM is connected to an external UPS or generator), the IHSM's rotor itself
-can be used as a flywheel for energy storage up to several seconds. By designing the IHSM's rotor to have low friction
-loss and high mass (e.g.\ by coupling it to an actual metal flywheel), longer power outages can be bridged. % FIXME
+can be used as a flywheel for energy storage up to several seconds.
 
 \paragraph{Spurious alarms.}
-A spurious alarm would be as catastrophic as a failure of a critical component of an IHSM. For this reason, the
-likelihood of such an alarm failure must be minimized. In principle, there are two possible causes for a spurious alarm.
-One is a component failure such as a mesh trace breaking under vibration. This failure mode can be mitigated in the same
-way other failure modes are mitigated. The second possible cause is that the device is accelerated in excess of the
-range expected by its designers. There are several possible causes why an IHSM might move during normal operation. The
-IHSM may have to be transported between datacenters or relocated within a dataceter. Other vibrating machinery such as
-backup generators or large hard disk storage arrays may conduct vibration through the rack the IHSM is mounted inside
-into the IHSM. People working in the datacenter might bump the IHSM. Vibrations from nearby traffic such as trains may
-couple through the ground into the datacenter and into the IHSM. Finally, earthquakes will couple through any reasonable
-amount of vibration dampening.
-
-There are two key points to note on vibration dampening. One, the instantaneous mechanical power of a vibrating motion
+Even with all components working to their specification, an IHSM could still catastrophically fail if for some reason
+its alarm would be spuriously activated due to movement of the device.  The likelihood of such an alarm failure must be
+minimized, e.g.\ by employing vibration damping. There are several possible causes why an IHSM might move during
+normal operation. The IHSM may have to be relocated between datacenters. Other vibrating machinery such as backup
+generators or large hard disk storage arrays may conduct vibration through the rack the IHSM is mounted inside and into
+the IHSM. People working in the datacenter might bump the IHSM.  Vibrations from nearby traffic such as trains may
+couple through the ground into the datacenter and into the IHSM.  Finally, earthquakes are a common occurrence in some
+regions of the world and will couple through any reasonable amount of vibration damping.
+
+There are two key points to note on vibration damping. One, the instantaneous mechanical power of a vibrating motion
 is proportional to the square of its amplitude when fixing frequency and the cube of its frequency when fixing
 amplitude. This means that to reach a certain instantaneous acceleration, much more power is needed in a high-frequency
 vibrating motion compared to lower frequencies. This observation interacts the second key point we want to note here:
-An ideal vibration dampener works the better the higher the frequency, and has a lower bound below which it does no
-longer dampen vibration transmission~\cite{kelly1993,beards1996,dixon2007}. In conclusion, these two observations mean
-that if we wish to reduce the likelihood of false detections by our IHSM tamper alarm we can effectively achieve this
-goal by damping high-frequency shock and vibration, as low-frequency shock or vibration components will not reach
-accelerations large enough to cause a false alarm.
-
-To put the above relations into perspective, consider that at an angular frequency of $\SI{1000}{rpm}$, we can expect an
-IHSM's tamper sensor to measure an acceleration of about $\SI{100}{g}$.  Even the strongest earthquakes rarely reach a
-Peak Ground Acceleration (PGA) of $\SI{0.1}{g}$~\cite{yoshimitsu1990}. The highest PGA measured during the 2011 Tohoku
-earthquake was approximately $\SI{0.3}{g}$. Since earthquake vibrations are low-frequency and happen across a large
-geographic area, they nontheless dissipate a tremendous amound of mechanical power through an absolute acceleration that
-may seem low at first glance, but we can largely ignore them for the purposes of our tamper detection system.  As
-another point of reference, consider a car crash. An acceleration above $\SI{10}{g}$ corresponds to a crash at roughly
+An ideal vibration damper works better with higher frequencies, and has a lower bound below which it does no longer
+damp vibration transmission~\cite{kelly1993,beards1996,dixon2007}. From these two observations it follows that if we
+wish to reduce the likelihood of false detections by our IHSM tamper alarm, we can achieve this goal effectively by
+damping high-frequency shock and vibration, as low-frequency shock or vibration components will not reach accelerations
+large enough to cause a false alarm.
+
+To put this into perspective, consider that at an angular frequency of $\SI{1000}{rpm}$, we can expect an IHSM's tamper
+sensor to measure an acceleration of about $\SI{100}{g}$.  Even the strongest earthquakes rarely reach a Peak Ground
+Acceleration (PGA) of $\SI{0.1}{g}$~\cite{yoshimitsu1990}. The highest PGA measured during the 2011 Tohoku earthquake
+was approximately $\SI{0.3}{g}$. Since earthquake vibrations are low-frequency and happen across a large geographic
+area, they dissipate a tremendous amound of mechanical power despite this at first glance seemingly low absolute
+acceleration. For the purposes of our tamper detection system, we can ignore them.  As another point of reference,
+consider a car crash. An acceleration above $\SI{10}{g}$ corresponds to a crash at roughly
 $\SI{30}{\kilo\meter\per\hour}$~\cite{ika2002}. Thus, an IHSM's tamper detection subsystem will be able to clearly
-distinguish attempts to stop the IHSM's rotation at an amplitude of $\SI{100}{g}$ from external accelerations. External
+distinguish attempts to stop the IHSM's rotation, producing approximately $\SI{100}{g}$ at $\SI{1000}{rpm}$. External
 acceleration that would come close in order of magnitude to the operating centrifugal acceleration at the periphery of
 an IHSM's rotor would likely destroy the IHSM.
 
@@ -461,13 +460,13 @@ respond to tipping with a precession force. This could become an issue when a la
 the manufacturer's premises and its destination data center.  One solution to this problem is to transport the IHSM
 elastically mounted inside a shipping box that is weighted to resist precession forces. To reduce the amount of
 precession, the IHSM should be transported with its axis of rotation pointing upwards and its speed of rotation set to
-the lower end of the range permitted by its application's security requirements. The IHSM's software could allow for a
+the lower end of the range permitted by the application's security requirements. The IHSM's software could allow for a
 temporary ``shipping mode'' to be entered that could slow down the IHSM and increase the tamper sensing accelerometer's
 thresholds.
 
 During shipping, the IHSM will require a continuous power supply. The most practical solution to this challenge is to
 ship the IHSM along with a small backup battery. Following our conservative estimate in Section~\ref{sec-power-failure},
-a 48-hour shipping window as is offered by many courier shipping services could easily be bridged with the equivalent of
+a 48-hour shipping window as offered by many courier shipping services could easily be bridged with the equivalent of
 5-10 laptop batteries. In case a built-in battery backup is not necessary in the IHSM's application, these batteries
 could be connected as an external device akin to a ``power bank'' that is disconnected and sent back to the IHSM's
 manufacturer after the IHSM has been installed.
@@ -477,10 +476,10 @@ manufacturer after the IHSM has been installed.
 
 After outlining the basic mechanical design of an inertial HSM above, in this section we will detail possible ways to
 attack it. At the core of an IHSM's defenses is the same security mesh or other technology as it is used in traditional
-HSMs. This means that in the end an attacker will have to perform the same steps they would have to perform to attack a
+HSMs. This means that ultimately an attacker will have to perform the same steps they would have to perform to attack a
 traditional HSM.  However, they will either need to perform these attack steps with a tool that follows the HSM's
-rotation at high speed or they will first need to defeat the braking sensor. Attacking the IHSM in motion may require
-specialized mechanical tools, CNC actuators or even a contactless attack using a laser, plasma jet or water jet.
+rotation at high speed or they will first need to defeat the braking sensor. Attacking the IHSM in motion requires
+specialized mechanical tools such as CNC actuators or for contactless attack a laser.
 
 \subsection{Attacks that don't work}
 
@@ -494,17 +493,17 @@ attacker willing to invest some effort can also try to uncover the mesh traces b
 mesh, bridging over a part that will subsequently be removed. HSMs attempt to detect such attacks by measuring the mesh
 traces' resistance instead of only checking their continuity~\cite{obermaier2019}. However, if an attacker only wishes
 to disable a small section of the mesh to insert a handful of fine probes into the device, this hardening approach
-becomes challenging. Consider a mesh is covering an area of $\SI{100}{\milli\meter}$ by $\SI{100}{\milli\meter}$. An
-attacker who circumvents a $\SI{5}{\milli\meter}$ by $\SI{5}{\milli\meter}$ section of this mesh using wires with a low
-resistance will change the mesh trace's resistance by approximately
-$\frac{\SI{5}{\milli\meter}\cdot\SI{5}{\milli\meter}}{\SI{100}{\milli\meter}\cdot\SI{100}{\milli\meter}} = 0.25
-\%$. Detecting this change would require a resistance measurement of at least $\SI{9}{bit}$ of precision and
-corresponding temperature stability of the mesh material.
+becomes challenging. Consider a mesh that covers an area of $\SI{100}{\milli\meter}$ by $\SI{100}{\milli\meter}$. An
+attacker who short-circuits a $\SI{5}{\milli\meter}$ by $\SI{5}{\milli\meter}$ section of this mesh will change the mesh
+trace's resistance by approximately
+$\frac{\SI{5}{\milli\meter}\cdot\SI{5}{\milli\meter}}{\SI{100}{\milli\meter}\cdot\SI{100}{\milli\meter}} = 0.25 \%$.
+Detecting this change would require a resistance measurement of at least $\SI{9}{bit}$ of precision and corresponding
+temperature stability of the mesh material.
 
 The second way to attack a HSM is to go \emph{around} the mesh. Many commercial HSMs sandwich the payload PCB between
 two mesh-equipped enclosure halves. This design in particular is vulnerable to attempts to stick a fine needle through
 the interface between mesh lid and PCB. Conventional HSMs mitigate this weak spot by wrapping a patterned conductive
-foil that forms the security mesh around the HSM, leaving only the foil's corners and the payload's power and data
+foil around the HSM that forms the security mesh, leaving only the corners and the payload's power and data
 feed-through as potential weak spots.
 
 The third and last way to attack a conventional HSM is to disable the mesh monitoring circuit~\cite{dexter2015}. An
@@ -515,18 +514,26 @@ any fail-open failure modes.
 
 \subsection{Attacks that work on any HSM}
 
-While an IHSM provides an effective mitigation against direct attacks on the security mesh as described in the previous
-paragraphs, certain attacks are generic against any HSM technology, conventional or IHSM.  One type of such attacks are
-contactless attacks such as electromagnetic (EM) sidechannel attacks. EM sidechannel attacks can be mitigated by
-shielding and by designing the IHSM's payload such that critical components such as CPUs are physically distant to the
-security mesh, preventing EM probes from being brought close. Conducted EMI sidechannels that could be used for power
-analysis can be mitigated by placing filters on the inside of the security mesh at the point where the power and network
-connections penetrate the
-mesh~\cite{anderson2020}.
+An IHSM provides an effective mitigation against direct attacks on the security mesh as described in the previous
+paragraphs. However, there are certain generic attacks that work against any HSM technology, conventional or IHSM.
+One type of such attacks are contactless attacks such as electromagnetic (EM) sidechannel attacks.
+EM sidechannel attacks can be mitigated by shielding and by designing the IHSM's payload such that critical components
+such as CPUs are physically distant to the security mesh, preventing EM probes from being brought close.
+Conducted EMI sidechannels that could be used for power analysis can be mitigated by placing filters on the inside of
+the security mesh at the point where the power and network connections penetrate the mesh~\cite{anderson2020}.
 Finally, the API between the HSM's payload and the outside world provides attack surface.  Attacks through the network
 interface must be prevented as in any other networked system by only exposing the minimum necessary amount of API
 surface to the outside world, and by carefully vetting this remaining attack surface~\cite{anderson2020}.
 
+IHSMs do not provide an inherent benefit against such contactless attacks. However, there are two mitigating factors in
+play that still give IHSMs an advantage over conventional HSMs in this scenario. Because IHSM meshes can be made using
+more primitive technology than conventional HSM meshes at the same level of security, IHSMs can use larger meshes and
+are less space-constrained. This larger volume allows for a greater physical distance between security-critical
+components from places accessible to an attacker using an electromagnetic side channel probe. By allowing the use of
+conventional server hardware, IHSMs additionally enable the use of modern security techniques such as MMUs and
+well-audited open source software such as OpenSSL that may be unavailable on the embedded processors found in
+conventional HSMs.
+
 \subsection{The Swivel Chair Attack}
 \label{sec_swivel_chair_attack}
 
@@ -556,29 +563,28 @@ kind of mechanical tool.
     \label{fig_attack_robot}
 \end{figure}
 
-
-While it is certainly possible to create a mechanical tool to attack an IHSM in motion, we also consider this attack
-method reasonably remote. Figure~\ref{fig_attack_robot} shows a schematic overview of what such an attack tool would
-have to look like. Most fundamentally, the tool itself has to rotate at the IHSM's speed, and cannot simply rotate the
-IHSM. If the tool were to counter-rotate the IHSM such that relative to a stationary observer the rotor would be slowed
-down, the accelerometer on the rotor would measure lower centrifugal acceleration and detect this attempt. Instead, the
-attack tool has to follow the rotation of the IHSM.  At the high speeds an IHSM would be rotating at, following the
-rotation closely enough that a manipulator mounted on the attack tool is stationary w.r.t.\ the IHSM is not easy. To
-stay within $\pm\SI{5}{\milli\meter}$ of a target over a period of $\SI{10}{\second}$ on an IHSM mesh with radius
-$r=\SI{100}{\milli\meter}$ requires both speeds to be matched to better than
+Figure~\ref{fig_attack_robot} shows a schematic overview of the structure of such a rotating attack tool.
+A first point to note is that the tool itself has to rotate at the IHSM's speed.
+If we were to counter-rotate the IHSM such that relative to a stationary observer the rotor would be slowed
+down, the accelerometer on the rotor would measure lower centrifugal acceleration and detect the manipulation attempt.
+To follow an IHSM's rotation closely enough that a manipulator mounted on the attack tool is stationary w.r.t.\ the IHSM
+is hard. Let us assume a small IHSM mesh with radius $r=\SI{100}{\milli\meter}$.
+To keep a manipulator stationary within a $\SI{5}{\milli\meter}$ by $\SI{5}{\milli\meter}$ window over a period of
+$\SI{10}{\second}$ requires attack tool and IHSM speeds to be matched to an accuracy better than
 $\frac{\SI{5}{\milli\meter}}{\SI{10}{\second}} \cdot \frac{1}{2\pi r} = \SI{8.0}{\milli\hertz} = \SI{0.048}{rpm}$.
-Relative to a realsistic IHSM's speed of $\SI{1000}{rpm}$ this corresponds to approximately $\SI{50}{ppm}$. Active servo
-control of the attack tool's rotation locked against optical tracking of the IHSM's rotor would likely be the most
-realistic option to achieve this precision. This strict accuracy requirement leads to a complex attack setup.
+Relative to a realsistic IHSM's speed of $\SI{1000}{rpm}$ this corresponds to approximately $\SI{50}{ppm}$.
+Achieving this accuracy would likely require active servo control of the attack tool's rotation that is locked by
+optically tracking of the IHSM's rotor.
 
 If an attacker were to solve the tracking issue, the remaining issue is that they still need to construct a
-remote-controlled manipulator that can be mounted on the attack tool's rotating stage and that is able to actually
-disable the IHSM's mesh. Consider that simply bypassing the mesh e.g. by drilling an undetected hole does not gain an
-attacker much in this scenario, as the payload is stationary and an attack tool rotating at $\SI{1000}{rpm}$ is useless
-against it. Instead, the attacker would have to disable the mesh using the rotating tool, in order to then cut an
-opening into it through which they could insert a stationary tool to attack the payload with. Given the degree of manual
-skill necessary even for normal soldering work, we estimate that creating a remote-controllable manipulator that can be
-used to successfully attack a security mesh is infeasible.
+remote-controlled manipulator that can be mounted on the attack tool's rotating stage that is able to disable the IHSM's
+mesh.
+To complicate matters, the attacker will not succeed by simply drilling a small undetected hole into the mesh.
+While both mesh and attack tool are spinning, the payload is stationary.
+The attacker thus has to create an opening in the mesh large enough that the attacker can insert a second set of
+\emph{stationary} probes to contact the payload.
+In conclusion, we estimate that creating a rotating, remote-controllable manipulator that can be used to successfully
+attack a security mesh is infeasible given the degree of manual skill necessary even for normal soldering work.
 
 \subsection{Mechanical weak spots}
 
@@ -850,6 +856,27 @@ lines indicate centrifugal acceleration as calculated from rotor speed measureme
 measurements and theory closely match. Our frequency measurements are accurate and the main source of error are the
 accelerometer's intrinsic errors as well as error in its placement due to construction tolerances.
 
+\begin{figure}
+    \begin{subfigure}{0.5\textwidth}
+        \center
+        \includegraphics[width=1.1\textwidth]{../prototype/sensor-analysis/fig-acc-trace-steps-run50.pdf}
+        \caption{Raw recording of accelerometer measurements during one experiment run. Shaded areas indicate time
+        intervals when we manually adjusted speed.}
+        \label{fig-acc-steps}
+    \end{subfigure}
+    \hfill
+    \begin{subfigure}{0.45\textwidth}
+        \center
+        \includegraphics[width=1.1\textwidth]{../prototype/sensor-analysis/fig-acc-trace-stacked-run50.pdf}
+        \caption{Valid measurements cropped out from \ref{fig-acc-steps} for various frequencies. Intermodulation
+        artifacts from the accelerometer's $\SI{10}{\hertz}$ sampling frequency and the $\SI{3}{\hertz}$ to
+        $\SI{18}{\hertz}$ rotation frequency due to gravity and device vibration are clearly visible.}
+        \label{fig-acc-stacked}
+    \end{subfigure}
+    \label{fig-acc-traces}
+    \caption{Traces of acceleration measurements during one experiment run.}
+\end{figure}
+
 The accelerometer's primary intrinsic errors are offset error and scale error. Offset error is a fixed additive offset
 to all measurements. Scale error is an error proportional to a measurements value that results from a deviation between
 the device's specified and actual sensitivity. We correct for both errors by first extracting all stable intervals from
@@ -884,27 +911,6 @@ without stopping the rotor.
     \label{fig-acc-theory}
 \end{figure}
 
-\begin{figure}
-    \begin{subfigure}{0.5\textwidth}
-        \center
-        \includegraphics[width=1.1\textwidth]{../prototype/sensor-analysis/fig-acc-trace-steps-run50.pdf}
-        \caption{Raw recording of accelerometer measurements during one experiment run. Shaded areas indicate time
-        intervals when we manually adjusted speed.}
-        \label{fig-acc-steps}
-    \end{subfigure}
-    \hfill
-    \begin{subfigure}{0.45\textwidth}
-        \center
-        \includegraphics[width=1.1\textwidth]{../prototype/sensor-analysis/fig-acc-trace-stacked-run50.pdf}
-        \caption{Valid measurements cropped out from \ref{fig-acc-steps} for various frequencies. Intermodulation
-        artifacts from the accelerometer's $\SI{10}{\hertz}$ sampling frequency and the $\SI{3}{\hertz}$ to
-        $\SI{18}{\hertz}$ rotation frequency due to gravity and device vibration are clearly visible.}
-        \label{fig-acc-stacked}
-    \end{subfigure}
-    \label{fig-acc-traces}
-    \caption{Traces of acceleration measurements during one experiment run.}
-\end{figure}
-
 \section{Conclusion}
 \label{sec_conclusion} 
 
@@ -924,10 +930,11 @@ allow the construction of devices secure against a wide range of practical attac
 specialized tools.  The rotating mesh allows longitudinal gaps, which enables new applications that are impossible with
 traditional HSMs.  Such gaps can be used to integrate a fan for air cooling into the HSM, allowing the use of powerful
 computing hardware inside the HSM.  We hope that this simple construction will stimulate academic research into (more)
-secure hardware. We have published all design artifacts of our PoC online, see Appendix~\ref{sec_repo}. The next steps
-towards a practical application of our design will be to design a manufacturable stator/rotor interface with inductive
-power and data transfer integrated into the motor's magnetics and a custom motor driver tuned for the application that
-is able to precisely measure both angular velocity and winding current for an added degree of tamper detection.
+secure hardware. We have published all design artifacts of our PoC online, please refer to Appendix~\ref{sec_repo} for
+details. The next steps towards a practical application of our design will be to design a manufacturable stator/rotor
+interface with inductive power and data transfer integrated into the motor's magnetics and a custom motor driver tuned
+for the application that is able to precisely measure both angular velocity and winding current for an added degree of
+tamper detection.
 
 \printbibliography[heading=bibintoc]