\documentclass[10pt,journal,a4paper]{IEEEtran}
\usepackage[english]{babel}
\usepackage[utf8]{inputenc}
\usepackage[T1]{fontenc}
\usepackage[
    backend=biber,
    style=numeric,
    natbib=true,
    url=false,
    doi=true,
    eprint=false
    ]{biblatex}
\addbibresource{rotohsm.bib}
\usepackage{amssymb,amsmath}
\usepackage{listings}
\usepackage{eurosym}
\usepackage{wasysym}
\usepackage{amsthm}
\usepackage{tabularx}
\usepackage{multirow}
\usepackage{multicol}
\usepackage{tikz}
\usepackage{mathtools}
\DeclarePairedDelimiter{\ceil}{\lceil}{\rceil}
\DeclarePairedDelimiter{\paren}{(}{)}

\usetikzlibrary{arrows}
\usetikzlibrary{chains}
\usetikzlibrary{backgrounds}
\usetikzlibrary{calc}
\usetikzlibrary{decorations.markings}
\usetikzlibrary{decorations.pathreplacing}
\usetikzlibrary{fit}
\usetikzlibrary{patterns}
\usetikzlibrary{positioning}
\usetikzlibrary{shapes}

\usepackage[binary-units]{siunitx}
\DeclareSIUnit{\baud}{Bd}
\DeclareSIUnit{\year}{a}
\usepackage{hyperref}
\usepackage{tabularx}
\usepackage{commath}
\usepackage{graphicx,color}
\usepackage{ccicons}
\usepackage{subcaption}
\usepackage{float}
\usepackage{footmisc}
\usepackage{array}
\usepackage[underline=false]{pgf-umlsd}
\usetikzlibrary{calc}
%\usepackage[pdftex]{graphicx,color}
\usepackage{epstopdf}
\usepackage{pdfpages}
\usepackage{minted} % pygmentized source code

\renewcommand{\floatpagefraction}{.8}
\newcommand{\degree}{\ensuremath{^\circ}}
\newcolumntype{P}[1]{>{\centering\arraybackslash}p{#1}}

\usepackage{fancyhdr}
\fancyhf{}
\fancyfoot[C]{\thepage}
\newcommand{\includenotebook}[2]{
    \fancyhead[C]{Included Jupyter notebook: #1}
    \includepdf[pages=1,
        pagecommand={\thispagestyle{fancy}\section{#1}\label{#2_notebook}}
    ]{resources/#2.pdf}
    \includepdf[pages=2-,
        pagecommand={\thispagestyle{fancy}}
    ]{resources/#2.pdf}
}

\begin{document}

\title{A High-Security Physical Security Primitive Based On Mechanical Movement}
\author{Jan Götte}
\date{2020-09-15}
\maketitle

\section*{Abstract}

In this paper, we introduce a novel, highly effective
countermeasure against physical attacks: Inertial hardware security modules. Conventional technology can be categorized into systems monitoring a thin boundary (such as security meshes) and systems monitoring the interior volume (such as the ``enclosure PUF'' of Tobisch et al.\cite{tobisch2020}). All of these systems have in common that they try to detect attacks by crafting sensors responding to increasingly minute manipulations of the monitored medium. Our approach is novel in that we reduce the sensitivity requirement of security meshes and other sensors and increase the complexity of any manipulations by rapidly rotating the security mesh or sensor--presenting a moving target to an attacker. Attempts to tamper with the rotation itself are easily monitored with commercial MEMS accelerometers and gyroscopes. Our approach leads to an HSM that can easily be built from off-the-shelf parts by any university electronics lab, yet offers a level of security that is comparable to even the best commercial offerings.

\section{Introduction}

Long before passwords, access control lists, role-based authentication and other modern concepts of information security were developed, information was secured by physically locking away the computers that held it. Nowadays, physical security concerns have mostly receded into specialty applications such as credit card processing and medical data processing. In most other commercial data processing applications, the physical security provided by the average datacenter is considered to be appropriate.

In modern systems, it is generally considered infeasible to physically secure a whole computer beyond putting a lock on it. High-level physical security is usually limited to small physical sizes. Secure enclaves and smartcards provide security on the scale of a single chip. Commercial HSMs provide the functions of a cryptographic co-processor from a physically secure small circuit board\cite{anderson2020,immler2019}.
\subsection{Technical approaches to physical security}

Shrinking things to the nanoscopic level to secure them against tampering is increasing in popularity. Apple today uses a secure enclave IC in their line of laptops. Likewise, Google has developed its own security IC with a similar application\cite{frazelle2019}. Any such security IC provides physical security but does not provide any cryptographic security. The real-world security of such chips rests solely on the assumption that due to their fine structure, they are hard to reverse engineer or modify. As of now, this property holds and in the authors' opinion it will likely be a reasonable assumption for some years to come. However, in its essence this is a type of security by obscurity: Obscurity here meaning the rarity of the equipment necessary to attack these chips\cite{albartus2020,anderson2020}.

\subsection{Hardware Security Modules}

Hardware security modules (HSMs) approach the problem from a different angle: In conformity with Kerckhoffs's principle, instead of hiding the system's structure, the HSM has monitors that wipe all secrets when the slightest manipulation is detected. Commercial HSMs commonly employ what we call \emph{boundary monitoring}. They have a physical security barrier that they continuously monitor for holes. Usually, this is a thin foil patterned with two electrical traces that are folded many times to cover the entire area of the foil--and that are monitored for shorts or breaks. The security problem thus gets transformed into a manufacturing challenge: How fine can these traces be made so that they break from even the most gentle attempts at e.g.\ mechanical or chemical manipulation?

In our classification the other type of HSMs are \emph{volumetric} HSMs. Here, the entire interior volume is monitored for changes using e.g.\ electromagnetic radiation\cite{tobisch2020,kreft2012} or ultrasound. Their security is limited by the analog sensitivity of their transceivers.
Their practicality is limited by their complex transceiver and signal processing circuitry. They promise to secure larger volumes than boundary monitoring at higher parts cost. A problem with volumetric designs is their security analysis, which is hard to do without significant guesswork. To ensure full volumetric coverage one has to numerically solve the electromagnetic field equations inside the HSM according to a model of its sensing transceivers.

\subsection{Inertial HSMs: A new approach to physical security}

We are certain that there is still much work to be done and many insights to be gained from further explorations of the two concepts described above. For example, consider a box with mirrored walls that contains a smaller box suspended on thin wires that has cameras looking outward in all directions at the mirrored walls. Given that the defender can control lighting conditions inside this kaleidoscopic box, in this application modern cameras can be considered equivalent to or better than the human eye. Thus, a successful physical attack on this system would likely require an ``invisibility cloak''--and the system would remain secure as long as no such thing exists. This example is a useful point of reference. To be viable, an HSM technology must be either cheaper, smaller or more sensitive than this strawman setup.

The candidate we wish to introduce in this paper uses a novel approach to sidestep the issues of conventional HSM concepts and provides radically better security against physical attacks both in theory and in practice. Our core observation is that any cheap but coarse HSM technology can be made radically more difficult to attack by introducing fast mechanical motion.

As a trivial example, consider an HSM as it is used in e-commerce applications for credit card payments. Its physical security level is set by the structure size of its security mesh.
If an attacker can tap the mesh's electrical traces in a way the HSM cannot detect, they have circumvented the device's protections. Such attacks might involve fine drill bits, needles, wires, glue, solder and lasers. Now consider the same HSM mounted on a large flywheel. In addition to its usual defenses the HSM is now equipped with an accelerometer that it uses to verify that it is rotating at high speed. How would an attacker approach this HSM? They would have to either slow down the rotation, which would quickly be sensed by the accelerometer, or they would have to attack the HSM in motion. The HSM literally becomes a moving target. At slow speeds, rotating the entire attack workbench might be possible, but rotating frames of reference quickly become inhospitable to human life and at some point the technical means to rotate a CNC attack robot will become inconvenient as well. Electromagnetic or optical attacks that do not require mechanical contact are more limited in the first place and can be shielded effectively.

\subsection{Contributions}

This work contains the following contributions:
\begin{enumerate}
    \item We present the \emph{Inertial HSM} concept. Inertial HSMs enable cost-effective small-scale production of highly secure HSMs.
    \item We discuss possible boundary sensing modes for inertial HSMs.
    \item We explore the design space of our inertial HSM concept.
    \item We present a prototype of an inertial HSM.
    % FIXME
    \item Measurement of the prototype HSM's susceptibility to various types of attack.
\end{enumerate}

\section{Related work}
% summaries of research papers on HSMs. I have not found any actual prior art on anything involving mechanical motion
% beyond ultrasound.

In \cite{anderson2020}, Anderson gives a comprehensive overview on physical security. An example they cite is the IBM 4758 HSM whose details are laid out in depth in \cite{smith1998}. This HSM is an example of an industry-standard construction.
Though it is now a bit dated, the construction techniques of the physical security mechanisms have not evolved much in the last two decades. Apart from some auxiliary temperature and radiation sensors to guard against attacks on the built-in SRAM memory, the module's main security barrier uses the traditional construction of a flexible mesh wrapped around the module's core. In \cite{smith1998}, the authors claim the module monitors this mesh for short circuits, open circuits and conductivity. The fundamental approach to tamper detection and construction is similar to other commercial offerings\cite{obermaier2018}.

In \cite{immler2019}, Immler et al.\ describe an HSM based on precise capacitance measurements of a mesh. In contrast to traditional meshes, the mesh they use consists of a large number of individual traces (more than 32 in their example). Their concept promises a very high degree of protection. The main disadvantages of their concept are a limitation in both covered area and component height, as well as the high cost of the advanced analog circuitry required for monitoring. A core component of their design is that they propose its use as a PUF to allow for protection even when powered off, similar to a smart card--but the design is not limited to this use.

In \cite{tobisch2020}, Tobisch et al.\ describe a construction technique for a hardware security module that is based around commodity Wi-Fi hardware inside a conductive enclosure. In their design, an RF transmitter transmits a reference signal into the RF cavity formed by the conductive enclosure. One or more receivers listen for the signal's reflections and use them to characterize the RF cavity w.r.t.\ phase and frequency response. Their fundamental assumption is that the RF behavior of the cavity is inscrutable from the outside, and that even a small disturbance anywhere within the volume of the cavity will cause a significant change in its RF response.
The core idea in \cite{tobisch2020} is to use commodity Wi-Fi hardware to reduce the cost of the HSM's sensing circuitry. The resulting system is likely both much cheaper and capable of protecting a much larger security envelope than e.g.\ the design from \cite{immler2019}, at the cost of worse and less predictable security guarantees.

While \cite{tobisch2020} approach the sensing frontend cost as their only optimization target, the prior work of Kreft and Adi \cite{kreft2012} considers sensing quality. Their target is an HSM that envelops a volume barely larger than a single chip. They theorize how an array of distributed RF transceivers can measure the physical properties of a potting compound that has been loaded with RF-reflective grains. In their concept, the RF response characterized by these transceivers is shaped by the precise three-dimensional distribution of RF-reflective grains within the potting compound.

Our concept is novel in that mechanical motion has not been proposed before as part of a hardware security module. Most academic research concentrates on the issue of creating new, more sensitive security barriers for HSMs while commercial vendors concentrate on means to cheaply manufacture these security barriers. Our concept instead focuses on the issue of taking any existing, cheap low-performance security barrier and transforming it into a marginally more expensive but very high-performance one. The closest thing to a mechanical HSM that we were able to find during our research is a 1988 patent \cite{rahman1988} that describes a mechanism to detect tampering along a communication cable by enclosing the cable inside a conduit filled with pressurized gas.

\section{Inertial HSM construction and operation}

\subsection{Using motion for tamper detection}

Mechanical motion has been proposed as a means of making things harder to see with the human eye\cite{haines2006} but we seem to be the first to use it in tamper detection.
Let us think about the constraints of our approach.
\begin{enumerate}
    \item We need the sensor's motion to be fairly fast. If any point of the sensor moves slowly enough for a human to follow, it becomes a weak spot.
    \item We need to keep the sensor's motion inside a reasonable space. Otherwise we could just load our HSM on an airplane and assume that mid-flight, airplanes are hard to stop non-destructively.
    \item We need the sensor's motion to be very predictable so that we can detect an attacker trying to stop it.
\end{enumerate}

From this, we can make a few observations.
\begin{enumerate}
    \item Non-periodic linear motion is likely to be a poor choice since it requires a large amount of space, and it is comparatively easy to follow something moving linearly.
    \item Oscillatory motion such as linear vibration or a pendulum motion might be a good candidate, but at the instant at its apex when the motion reverses direction the object is stationary, which is a weak spot.
    \item Rotation is a very good choice. Not only does it not require much space to execute, but also if the axis of rotation is within the HSM itself, an attacker trying to follow the motion would have to rotate around the same axis. Since their tangential linear velocity would rise linearly with the radius from the axis of rotation, an assumption on tolerable centrifugal force allows one to limit the approximate maximum size and mass of an attacker. For an HSM measuring at most a few tens of centimeters across, it is easy to build something that rotates too fast for a human to be able to follow it. The axis of rotation is a weak spot, but this can be alleviated by placing additional internal sensors around it and locating all sensitive parts of the sensing circuit radially away from it.
    \item We do not have to move the entire contents of the HSM. It suffices if we move the tamper detection barrier around a stationary payload.
        This reduces the inertial mass of the moving part and eases data communication and power supply of the payload.
\end{enumerate}

\begin{figure}
    \centering
    \includegraphics{concept_vis_one_axis.pdf}
    \caption{Concept of a simple rotating inertial HSM. 1 - Axis of rotation. 2 - Security mesh. 3 - Payload. 4 - Accelerometer. 5 - Shaft penetrating security mesh.}
    \label{fig_schema_one_axis}
\end{figure}

In a rotating reference frame, at any point the centrifugal force is proportional to the square of the angular frequency and linearly proportional to the distance from the axis of rotation. We can exploit this fact to create a sensor that detects any disturbance of the rotation by simply placing a linear accelerometer at some distance from the axis of rotation. During constant rotation, the linear acceleration tangential to the rotation will be zero. The centrifugal force is orthogonal to this, and will be constant as long as the angular velocity remains constant (assuming a fixed axis of rotation). At high angular velocities, considerable forces can be created this way. This poses the engineering challenge of preventing the whole thing from flying apart, but also creates an obstacle to any attacker trying to manipulate the sensor.

\subsection{Payload mounting mechanisms}

The simplest way to mount a stationary payload in a rotating security mesh is to drive the rotor using a hollow shaft. This allows the payload to be mounted on a fixed rod threaded through this hollow shaft along with wires for power and data. The stationary rod and cables on the axis of rotation inside the hollow shaft are a weak spot of the system, but this weak spot can be alleviated through either careful construction or a second layer of rotating meshes with a different axis of rotation.

\subsection{Rotating mesh power supply}

There are several options to transfer power to the rotor from its stationary frame.
\begin{enumerate}
    \item Slip ring contacts are a poor candidate as they are limited in their maximum speed and lifetime, and as precision mechanical components are expensive.
    \item Inductive power transfer as used in inductive charging systems can be used without modification.
    \item A second brushless motor on the axis of rotation can be used as a generator, with its axis connected to the fixed frame and its stator mounted and connected to the rotor.
    \item A bright LED along with some small solar cells may be a practical approach for small amounts of energy\footnote{See Appendix \ref{sec_energy_calculations} for a back-of-the-envelope calculation}.
    \item For a very low-power security mesh, a battery specified to last for the lifetime of the device may be practical\footnote{See Appendix \ref{sec_energy_calculations}}.
\end{enumerate}

\subsection{Payload cooling}

In boundary-sensing HSMs, cooling of the processor inside is a serious issue since any air duct or heat pipe would have to penetrate the HSM's sensitive boundary. This problem can be solved by complex and costly siphon-style constructions, but in commercial systems heat conduction is used exclusively. This severely limits the maximum power dissipation of the payload and thus its processing power. In our rotating HSM concept, the rotating mesh can have longitudinal gaps in the mesh without impeding its function. This allows air to pass through the mesh during rotation, and one could even integrate a fan into the rotor. This greatly increases the maximum possible power dissipation of the payload and unlocks much more powerful processing capabilities.

\subsection{Rotating mesh data communication}

As we discussed above, while slip rings are the obvious choice to couple electrical signals through a rotating joint, they are likely to be too expensive and have too short a life span for our application.
Since the only information that needs to pass between payload and rotor is the occasional status report and a high-frequency heartbeat signal that acts as the alarm trigger, a simple optocoupler close to the axis of rotation is a good solution.

\section{Design space exploration}

\subsection{Other modes of movement}

Though we decided to use rotation as an easy-to-implement yet secure option, other modes of movement bear promise as well. Particularly for less high-security applications without strict space constraints, a variant based on a pendulum motion may be worth investigating as it would simplify the mechanical construction. Power and data transfer to the moving part could simply be done with very flexible cables.

\subsection{Multiple axes of rotation}

To alleviate the weak spot a rotating mesh has at its axis of rotation, a system with two or more axes of rotation could be used. A single mesh would still suffice in this case, but when evaluating accelerometer readings, the braking detection algorithm would have to superimpose both.

\subsection{Means of power transmission}

Power transmission from payload to rotor is another point worth investigating. It may be possible to use some statically mounted permanent magnets with a coil integrated into the rotor's PCB as a low-power generator. While likely inefficient, this setup would be low-cost and would still suffice for the meager power requirements of the rotor's monitoring circuitry.

\subsection{Other sensing modes}

Since the security requirements the primary tamper-detection barrier needs to measure up to are much more lenient in the rotating HSM concept than in traditional HSMs, other coarse sensing modes besides low-tech meshes may be attractive. One possibility that would also eliminate the need for any active circuitry on the rotor would be to print the inside of the rotor with a pattern, then have a linear array of reflective optical sensors located close to the rotor along a longitudinal line.
These sensors would observe the printed pattern passing by at high speed, and could compare their measurements against a model of the rotor. Tampering by drilling holes or slots would show up as adding an offset to part or all of the pattern. Likewise, the speed of rotation can be deduced directly from a sequence of measurements.

\subsection{Longevity}

A core issue with a mechanical HSM is component longevity. Save for dust and debris clogging up the system's mechanics, the primary failure point is the bearings. A good partner for further development or even commercialization might be a manufacturer of industrial ducted fans as they are used e.g.\ in servers for cooling. Small industrial fans usually use BLDC motors and bearings specially optimized for longevity.

\subsection{Transportation of an active device}

A rotating mass responds to torque not co-linear with its axis of rotation with a gyroscopic precession force. In practice, this means that moving a device containing a spun-up rotating HSM on its inside might induce significant forces on both the HSM (posing the danger of false alarms) and on the carrier of the device (potentially making handling challenging). This effect would have to be taken into account in a real-world deployment, especially if the finished device is to be shipped by post or courier services after spin-up.

\subsection{Hardware prototype}

We are currently working on a hardware prototype that demonstrates the fundamental components of our concept. The prototype will be based on a security mesh made with a commercial printed circuit board manufacturing process. In our prototype we intend to use two commercially available hollow-shaft brushless DC (BLDC) motors originally intended for quadcopter-mounted camera gimbals, one for driving and one for power transfer. The prototype will have a usable internal volume sufficient to house a small form factor PC ($\approx\SI{2}{\liter}$).
\section{Attacks}

\subsection{Attacks on the mesh}

There are two locations where one can attack a tamper-detection mesh. One option is to tamper with the mesh itself. This includes bridging its traces to allow for a hole to be cut. The other option is to tamper with the monitoring circuit itself, to prevent a damaged mesh from triggering an alarm and causing the HSM to erase its contents.

Attacks in both locations are electronic attacks, i.e.\ they require electrical contact to parts of the circuit. Traditionally, this contact is made by soldering, or by placing a probe such as a thin needle. Any kind of electrical contact that does not involve an electron or ion beam or a liquid requires mechanical contact. We consider none of these forms of contact feasible on an object rotating at high speed without a complex setup that rotates along with the object. Thus, we consider them to be practically infeasible outside of a well-funded, special-purpose laboratory.

\subsection{Attacks on the alarm circuitry}

An electronic attack could also target the alarm circuitry inside the stationary payload, or the communication link between rotor and payload. The link can easily be hardened by using a cryptographically secured protocol along with a high-frequency heartbeat message. The alarm circuitry has to be designed such that it is entirely contained within the HSM's security envelope and has to tolerate environmental attacks such as through temperature, ionizing radiation, lasers, supply voltage variations, ultrasound or other vibration and gases or liquids. The easiest way to harden an alarm system against these is to employ adequate filtering of the incoming power supply and use sensors for the others, triggering an alarm in case extraordinary environmental variations are detected.

\subsection{Fast and violent attacks}

A variation of the above attacks on the alarm circuitry would be an attack that attempts to simply destroy this circuitry before the alarm can be acted upon.
This type of attack might involve things such as a large hammer, or a gun. Mitigations for this type of attack include putting the entire payload and monitoring circuit in a mechanically robust enclosure and potting them, and linking all components of the alarm chain in such a way cryptographically and on a protocol level that the destruction of any of its parts leads to the secrets being destroyed before an attack would be able to probe them. An implication of this is that the electrical realization of the alarm signal up to its eventual destination cannot be a simple active-high or active-low line, since neither can be considered fail-safe in this scenario.

\subsection{Attacks on the rotation sensor}

An attacker trying to stop the rotor to tamper with the mesh may first try to deceive the rotation monitoring circuit such that it misses the rotor being stopped. In a realization based on a commercial MEMS accelerometer, this attack could take two forms: An electronic attack on the MEMS sensor, the monitoring microcontroller or the link in between, and a physical attack on the MEMS sensor itself. The former would be no easier than an electronic attack that attempts to bridge the mesh traces at the monitoring microcontroller. Thus, we consider it not to be practically feasible outside of a laboratory built especially for this purpose.

There are several options for the latter attack. A recent paper %FIXME
has shown that accelerometers respond to certain ultrasonic stimuli with bogus measurements. Since this primitive does not, however, yield accurate control over these bogus measurements, we deem it to be impractical for our scenario. Another possible attack scenario would be to somehow stop the rotating motion while subjecting the HSM to an external linear motion. Given the low error margins in the measurements of commercial accelerometers we consider this attack infeasible.
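
The rotation check from ``Using motion for tamper detection'' and the authenticated, fail-safe heartbeat called for under ``Attacks on the alarm circuitry'' and ``Fast and violent attacks'' can be modelled as one alarm chain. The following Python model is an added example, not code from this paper or its prototype; the sensor radius, tolerances, timeout, frame layout, HMAC construction and the sample trace are all assumptions made for illustration.

```python
import hashlib
import hmac
import struct

# Assumed parameters (illustrative; only T_tx and the ~50 rad/s target come from the appendix).
R_SENSOR_M = 0.05          # accelerometer distance from the axis of rotation, metres
OMEGA_RAD_S = 50.0         # target angular velocity (about 500 rpm)
RADIAL_TOL = 0.05          # accepted relative deviation of the centrifugal acceleration
TANGENTIAL_MAX = 2.0       # accepted |tangential acceleration| in m/s^2
T_TX_US = 10_000           # heartbeat period T_tx = 10 ms
TIMEOUT_US = 2 * T_TX_US   # payload wipes after two missed periods
TAG_LEN = 16               # truncated HMAC-SHA256 tag, bytes


def rotation_ok(a_radial, a_tangential, omega=OMEGA_RAD_S, r=R_SENSOR_M):
    """Steady rotation: radial reading is omega^2 * r, tangential reading is zero."""
    expected = omega ** 2 * r
    return (abs(a_radial - expected) <= RADIAL_TOL * expected
            and abs(a_tangential) <= TANGENTIAL_MAX)


def _tag(key, body):
    return hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


class Rotor:
    """Monitoring circuit on the rotating mesh."""

    def __init__(self, key):
        self.key = key
        self.counter = 0
        self.tripped = False

    def heartbeat(self, a_radial, a_tangential, mesh_intact):
        """Return an authenticated frame, or None once anything looked wrong."""
        if not (mesh_intact and rotation_ok(a_radial, a_tangential)):
            self.tripped = True      # latch: a later good reading must not re-arm
        if self.tripped:
            return None              # silence is the alarm, so a destroyed link alarms too
        self.counter += 1
        body = struct.pack(">Q", self.counter)
        return body + _tag(self.key, body)


class Payload:
    """Stationary side: keeps the secret only while fresh heartbeats keep arriving."""

    def __init__(self, key, secret, now_us):
        self.key = key
        self.secret = bytearray(secret)
        self.last_counter = 0
        self.deadline_us = now_us + TIMEOUT_US
        self.zeroized_at = None

    def tick(self, now_us):
        """Watchdog: wipe the secret once the heartbeat deadline has passed."""
        if self.zeroized_at is None and now_us > self.deadline_us:
            for i in range(len(self.secret)):
                self.secret[i] = 0
            self.zeroized_at = now_us

    def receive(self, frame, now_us):
        """Extend the deadline only for an authentic frame newer than any seen before."""
        self.tick(now_us)
        if self.zeroized_at is not None or frame is None or len(frame) != 8 + TAG_LEN:
            return False
        body, tag = frame[:8], frame[8:]
        if not hmac.compare_digest(tag, _tag(self.key, body)):
            return False             # forged or corrupted frame: deadline unchanged
        counter = struct.unpack(">Q", body)[0]
        if counter <= self.last_counter:
            return False             # replayed frame: deadline unchanged
        self.last_counter = counter
        self.deadline_us = now_us + TIMEOUT_US
        return True


def run_demo():
    """Constructed trace: five good periods, then the rotor brakes and old frames are replayed."""
    key = b"constructed demo key, not a real secret"
    rotor = Rotor(key)
    payload = Payload(key, b"payload master key", now_us=0)
    nominal = OMEGA_RAD_S ** 2 * R_SENSOR_M              # 125 m/s^2 at r = 5 cm
    recorded, accepted_replays = None, 0
    for step in range(1, 11):
        now = step * T_TX_US
        braking = step > 5
        a_rad = nominal * (0.8 if braking else 1.0)      # slowing rotor: radial reading drops
        a_tan = -30.0 if braking else 0.3                # and a tangential deceleration appears
        frame = rotor.heartbeat(a_rad, a_tan, mesh_intact=True)
        if frame is not None:
            recorded = frame
            payload.receive(frame, now)
        else:
            accepted_replays += payload.receive(recorded, now)   # stale frame on the link
    return payload.zeroized_at, accepted_replays, bytes(payload.secret)


if __name__ == "__main__":
    print(run_demo())
```

Note that the assumed 24-byte frame takes $\SI{2.4}{\milli\second}$ at $\SI{100}{\kilo\baud}$, considerably longer than the single-byte transmission budgeted in Appendix \ref{sec_energy_calculations}.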
A last type of attack might be to try to physically tamper with the accelerometer's sensing mechanism. MEMS accelerometers usually use a simple cantilever design, where a proof mass moves a cantilever whose precise position can be measured electronically. A possible way to attack such a device might be to first decapsulate it using laser ablation synchronized with the device's rotation. Then, a fast-setting glue such as a cyanoacrylate could be deposited on the moving MEMS parts in either liquid or gaseous form, locking them in place after hardening. This attack would require direct access to the accelerometer from the outside and can be prevented by mounting the accelerometer inside the security envelope. This attack only works if the rate of rotation is constant and is trivially detectable if the rate of rotation is set to change on a schedule.

\section{Prototype implementation}
%FIXME FIXME

\section{Conclusion}

In this paper, we have presented inertial hardware security modules, a novel concept for the construction of highly secure hardware security modules from inexpensive, commonly available parts. We have elaborated the engineering considerations underlying a practical implementation of this concept. We have analyzed the concept for its security properties and highlighted its ability to significantly strengthen otherwise weak tamper detection barriers. We have laid out some ideas for future research on the concept, and we will continue our own research on the topic.

\printbibliography[heading=bibintoc]

\appendix

\subsection{Rotating mesh energy calculations}
\label{sec_energy_calculations}

Assume that the rotating mesh sensor should send its tamper status to the static monitoring circuit at least once every $T_\text{tx} = \SI{10}{\milli\second}$. At $\SI{100}{\kilo\baud}$ a transmission of a single byte in standard UART framing would take $\SI{100}{\micro\second}$ and yield a $\SI{1}{\percent}$ duty cycle.
If we assume an optical or RF transmitter that requires $\SI{10}{\milli\ampere}$ of active current, this yields an average operating current of $\SI{100}{\micro\ampere}$. Reserving another $\SI{100}{\micro\ampere}$ for the monitoring circuit itself we arrive at an energy consumption of $\SI{1.7}{\ampere\hour\per\year}$.

\subsubsection{Battery power}
\label{sec_energy_calculations_battery}

The annual energy consumption we calculated above is about equivalent to the capacity of a single CR123A lithium primary cell. Using several such cells or optimizing power consumption would thus easily yield several years of battery life.

\subsubsection{LED and solar cell}
\label{sec_energy_calculations_led}

Let us assume an LED with a light output of $\SI{1}{\watt}$ illuminating a small solar cell. Let us pessimistically assume a $\SI{5}{\percent}$ conversion efficiency in the solar cell. Let us assume that when the rotor is at its optimal rotational angle, $\SI{20}{\percent}$ of the LED's light output couple into the solar cell. Let us assume that we lose another $\SI{90}{\percent}$ of light output on average during one rotation when the rotor is in motion. This results in a power output from the solar cell of $\SI{1}{\milli\watt}$. Assuming a $\SI{3.3}{\volt}$ supply this yields $\SI{300}{\micro\ampere}$ for our monitoring circuit. This is enough even with some conversion losses in the step-up converter boosting the solar cell's $\SI{0.6}{\volt}$ working voltage to the monitoring circuit's supply voltage.

\subsection{Minimum angular velocity}

Let us determine a good target value for our rotating HSM's angular velocity. For simplicity, let us consider two types of attacker.

\subsubsection{Rotating human attacker}

An attacker might try to rotate along with the HSM to attack the security mesh without triggering the accelerometer. Let us pessimistically assume that the attacker has the axis of rotation running through their center of mass.
The attacker's body is probably at least $\SI{200}{\milli\meter}$ wide along its shortest back-to-chest axis, resulting in a minimum radius from axis of rotation to surface of about $\SI{100}{\milli\meter}$. We choose $\SI{250}{\meter\per\second^2}$ as an arbitrary acceleration well past the range tolerable by humans according to Wikipedia. Centrifugal acceleration is $a=\omega^2 r$. In our example this results in a minimum angular velocity of $\omega_\text{min} = \sqrt{\frac{a}{r}} = \sqrt{\frac{\SI{250}{\meter\per\second^2}}{\SI{100}{\milli\meter}}} \approx 16\frac{\pi}{\si{\second}} \approx 500\,\text{rpm}$.

\subsubsection{Rotating robot attacker}

An attacker might try to use a robot to attack the rotating mesh.

\subsubsection{Fooling the accelerometer}

\subsection{Patents and licensing}

During development, we performed several hours of research on prior art for the inertial HSM concept. Yet, we could not find any mentions of similar concepts either in academic literature or in patents. Thus, we deem ourselves to be the inventors of this idea and we are fairly sure it is not covered by any patents or other restrictions at this point in time.

Since the concept is primarily attractive for small-scale production and since cheaper mass-production alternatives are already commercially available, we have decided against applying for a patent and we wish to make it available to the general public without any restrictions on its use. This paper itself is licensed CC-BY-SA (see below). As for the inertial HSM concept, we invite you to use it as you wish and to base your own work on our publications without any fees or commercial restrictions. Where possible, we ask you to cite this paper and attribute the inertial HSM concept to its authors.

\center{
    \center{\ccbysa}
    \center{This work is licensed under a Creative-Commons ``Attribution-ShareAlike 4.0 International'' license.
The full text of the license can be found at:} \center{\url{https://creativecommons.org/licenses/by-sa/4.0/}} \center{For alternative licensing options, source files, questions or comments please contact the authors.} \center{This is version \texttt{\input{version.tex}\unskip} generated on \today. The git repository can be found at:} \center{\url{https://git.jaseg.de/rotohsm.git}} } \end{document}