3. Outline .
1. Recap
2. Different PUF circuit implementations
3. Performance and security analysis of PUFs
4. Conclusion
4. Outline .
1. Recap
2. Different PUF circuit implementations
3. Performance and security analysis of PUFs
4. Conclusion
5. page 5
Recap .
In the previous lectures, we have introduced
▪ Basics about PUF
▪ Important PUF properties and design considerations
▪ Quantum tunneling PUF
▪ Security applications of PUFs
6. page 6
Key Generation Using PUF .
KDF
Device
Secret
Auxiliary Input
(Optional)
Secret
Key
PUF Array
0 1
0 1
0
1
0
0
0
Readout
Interface
▪ Unique device secret can be derived from the PUF array
▪ Secret key can be further derived by sending the device secret into the
key derivation function (KDF)
8. page 8
PUF responses are consistent .
▪ No bit error found across all tested conditions
→ Wide supply voltage range covering the ULP spec
→ Wide temperature range from -40 °C to 175 °C
0.8 1.0 1.2 1.4 2.0 2.4 2.8 3.2
0
1
2
3
Bit
Error
Rate
(ppm)
Supply Voltage (V)
VDD
VDD2
-40 0 40 80 120 160 200
0
1
2
3
Bit
Error
Rate
(ppm)
Temperature (C)
Wu, et. al, A PUF Scheme using Competing Oxide Rupture with Bit Error Rate Approaching Zero, ISSCC, 2018
9. Outline .
1. Recap
2. Different PUF circuit implementations
3. Performance and security analysis of PUFs
4. Conclusion
10. page 10
Arbiter PUF – based on timing differences .
·
·
·
Arbiter
0/1
“1” “0” “0” “1”
0
1
1
0
N-bit challenge
→ 2
N
possible CRPs
(Strong PUF)
Challenge
Response
J. Lee, et. al, “A Technique to Build a Secret Key in Integrated Circuits for Identification and Authentication Applications,” Symp. VLSI-C 2004
11. page 11
Entity authentication using strong PUFs .
▪ A huge amount of CRPs is needed (cannot reuse a CRP)
▪ Strong PUFs (e.g. Arbiter PUFs) provide such functionality
PUF1
PUF2
PUF3
Ci,1
Ci,2
Ci,3
Ri,1
Ri,2
Ri,3
1. Send random
challenges to PUFs
Ci,2
R’i,2
R’i,2=Ri,2?
1. Send stored
challenges to PUF
2. Verify if the responses are correct
→ Determine if PUF’2 is PUF2
2. Receive responses
and store CRPs
Enroll PUF’2
Authenticate
Server
12. page 12
Arbiter PUF is not an ideal strong PUF .
▪ Linear additive structure: sum of delays
▪ Similar challenges → similar responses
“1” “0”
·
·
·
“0” “1”
Arbiter
0/1
Δt1,1 Δt2,0 ΔtN-1,0 ΔtN,0
+ + + + =
C1:
Δt1,1 Δt2,0 ΔtN-1,1 ΔtN,0
+ + + + Δt1 - ΔtN-1,0 + ΔtN-1,1
=
Addition of N elements >> Difference of one element
Not likely to
change sign
“1” “0” “1” “1”
C2:
Change only
one bit
Δt1
13. page 13
Responses can be easily predicted .
▪ CRPs are highly correlated: low entropy
▪ → Prone to machine learning (ML) attacks
→ Experiments on 65 nm CMOS Arbiter PUF:
only 1000+ CRPs are sufficient to model the
PUF with high accuracy
G. Hospodar, “Machine learning attacks on 65nm Arbiter PUFs: Accurate modeling poses strict bounds on usability,” WIFS 2012
14. page 14
Unpredictability enhanced by XORing .
·
·
·
Arbiter
·
·
·
Arbiter
·
·
·
Arbiter
“1” “0” “0” “1”
0/1
Assume response bit has 5% probability
to flip when changing a challenge bit
XOR by 3 ➔ ~14%
Entropy is summed-up by XORing → more unpredictable
XOR PUF
15. page 15
Reliability is the bottleneck for XOR PUFs .
▪ Assume 100 arbiter PUFs are XORed → BER ~50%
▪ Unpredictable, but not a PUF
BER: 6%
BER: 8%
BER: 4%
BER: ~16%
Errors are also summed-up by XORing
Are there good strong PUFs?
16. page 16
Ring-Oscillator (RO) PUF .
▪ Each RO consists of odd stages of inverting gates
▪ Oscillation frequency depends on logic delays
– Affected by device variations within logic gates
▪ Two identically designed ROs oscillate at different frequencies
EN
EN
17. page 17
RO-PUF based on frequency comparison .
▪ Select two ROs to be compared based on challenge
– N(N-1)/2 challenges → smaller than an arbiter PUFs with the same N
▪ Response is generated by comparing the counter values
MUX
Counter
>?
Counter
MUX
RON
RO2
RO1
0/1
Challenge
Response
18. page 18
SRAM PUF – a classic weak PUF .
▪ 2D array of 1-bit memory cells
▪ Using the mismatch between the cross-coupled inverters
ordline
bitline
bitline
DD DD
6T-SRAM cell
I1 I2
“1” “0”
“0” “1”
Bi-stable states
I1
I2
I2
I1
Two possible outcomes
after power-up
20. page 20
ordline
bitline
bitline
DD DD
identical
identical
Small mismatch causes instability .
▪ Mismatches are random
– Also possible to have very small mismatches
▪ An SRAM can enter noise-sensitive metastable state
– SRAM PUF data may change in different power-ups
50%
“0” “1”
50%
“1” “0”
Bit errors!
21. page 21
Monostable PUFs .
▪ Less sensitive to noise when powering-up
– No metastable state
▪ Readout events are affected by noise → still have bit errors
Alvarez, A., et. “A 15fJ/b static physically unclonable functions for secure chip identification with <2% native
bit instability and 140× inter/intra PUF hamming distance separation in 65nm”, ISSCC 2015
These PUF cells may
cause errors
22. page 22
NAND chain based PUF .
▪ Small VT variations is amplified by inverting logic gates
– Response = 1 if VT1>VT2 (assuming odd stages)
– Response = 0 if VT1<VT2
▪ Monostable behavior → less errors than SRAM PUF
B. Karpinskyy, et. al, “Physically Unclonable Function for Secure Key Generation ith a Key
Error Rate of 2E-38 in 45nm Smart-Card Chips”, ISSCC2016
VT1
VT2
Response
EN
23. page 23
2-bit/cell PUF using two oxide-BD mechanisms .
▪ Oxide-breakdown PUFs using high-k metal gate
– Breakdown to low-resistance (anti-fuse)
– Breakdown to high-resistance (dielectric-fuse)
▪ Experimental results from device-level characterization
– Feasibility for mass production is unknown
E. Hsieh, et. al, “Embedded PUF on 14nm HKMG FinFET platform: A novel 2-bit-per-cell OTP-based memory feasible for IoT secuirty solution in 5G era,” Symp. VLSI-T 2019
WL
BL
1/0 1/0
Metal
High-k
SiO2
D
S
Metal
High-k
SiO2
D
S
Metal
High-k
SiO2
D
S
Metal
High-k
SiO2
D
S
0 / 1 1 / 0
0 / 0 1 / 1
AF DF
24. page 24
A Reconfigurable Resistive-RAM PUF .
▪ Resulting in significant current difference →BER ~0%
▪ PUF cells can be reconfigured (reset both to HRS and “split” again)
– Do we really want a reconfigurable PUF?
– Reconfigurability of RRAM is not ideal [2]
WL
R1 R2
I1 I2
I1>I2
I1<I2
Split
resistance
Vsense
WL
R1 R2
I1 I2
Set R1 to LRS
Reset R2 to HRS
Vsense
WL
R1 R2
I1 I2
Reset R1 to HRS
Set R2 to LRS
Vsense
[1] Y. Pang, et. al, “A reconfigurable RRAM physically unclonable function utilizing post-process randomness source with <6×10-6 native bit error rate,” ISSCC 2019
[2] K. Chuang, et. al, “A Cautionary Note When Looking for a Truly Reconfigurable Resistive RAM PUF,” Trans. CHES 2018
[1]
25. Outline .
1. Recap
2. Different PUF circuit implementations
3. Performance and security analysis of PUFs
- Reliability, Yield, and Randomness
- Security against attacks
4. Conclusion
26. page 26
Smaller VT variation
SRAM PUF is very sensitive to technology .
ordline
bitline
bitline
DD DD
ordline
bitline
bitline
DD DD
VT
σ
PDF
σ=20mV σ=10mV
σ
VT
PDF
More likely to have smaller mismatches
→ More unstable SRAM cells
Technology
Optimization
Technology tuning/optimization (by the foundry) might lead to
performance degradation of an existing SRAM PUF design
27. page 27
Randomness is also sensitive to technology .
* G. Schrijen, and V. Van Der Leest. "Comparative analysis of SRAM memories used as PUF primitives." 2012
Design, Automation & Test in Europe Conference & Exhibition (DATE). IEEE, 2012.
ordline
bitline
bitline
DD DD
M1
M2
M3
M4
M5
M6
M1 M2
M3
M5 M6
M4
An example SRAM layout
Not fully symmetric
Possible that Pr(VT2 >VT1)>0.5 due to
deterministic layout/process patterns
*
Some SRAM
designs are
heavily biased
The randomness of a SRAM-PUF may change across technology
platforms, process corners, lots, wafers, and even die locations
28. page 28
Yield issue – reliability and randomness .
▪ Stability/randomness is not qualified → Yield loss
▪ The quality varies a lot due to process variation
PUF
Helper
Data
(NVM)
Post-
processing
Raw PUF-bits
PUF secret
Error-rate < 1e-9
Entropy=256 bit
Fixed for a hardware-PUF
(t and k are fixed)
# error < t-bit
entropy > k-bit
A chip fails the yield test if
raw data is not qualified
29. page 29
SRAM PUFs are prone to aging effects .
Biased-temperature instability (BTI)
effects will make mismatch smaller
→ PUF cell becomes less stable
ordline
bitline
bitline
DD DD
wea
k
nBT
I
0
VDD
power-up
During power-up
Higher current flows through when charging-
up this node, inducing hot-carrier injection
(HCI) stress effect
→ PUF cell becomes less stable
After power-up
ordline
bitline
bitline
DD DD
0V →VDD 0V →0V
HCI
→ Stability and randomness can both be affected by aging
Can also cause permanent bit-flips if aging effect is strong → HW changes
30. page 30
Conventional PUF (e.g. SRAM PUF) Quantum Tunneling PUF
Technology SRAM startup behavior Quantum Tunneling
Inter- HD
(Uniqueness)
45%~50% * 50%
HW
(Randomness)
0.4~0.65 * 0.5
Bit Error Rate
(Robustness)
1.5%~20% * 0%
Device Aging
May cause stability and randomness
degradation
Insensitive to aging
Comparison .
* G. Schrijen, and V. Van Der Leest. "Comparative analysis of SRAM memories used as PUF
primitives." 2012 Design, Automation & Test in Europe Conference & Exhibition (DATE). IEEE, 2012.
31. Outline .
1. Recap
2. Different PUF circuit implementations
3. Performance and security analysis of PUFs
- Reliability, Yield, and Randomness
- Security against attacks
4. Conclusion
32. page 32
ordline
bitline
bitline
DD DD
Probing SRAM PUF data using laser glitches .
▪ Laser stimulation at N1 will increase the
voltage of the left node
→ Induce current flow through P2 and N2
ordline
bitline
bitline
DD DD
D. Nedospasov et. al, “Invasive PUF Analysis,” 2013 Workshop on Failure Diagnosis and Tolerance in Cryptography
0 1 1 0
N1 N2
P1 P2
“Seebeck
voltage”
Laser
Stimulation
→ Induce Heat Current
▪ Laser stimulation at N1 will NOT increase the
voltage of the left node
→ NO current flow through P2 and N2
Laser
Stimulation
Logic states can be distinguished by checking the
“current sensitivity” to laser at certain locations
Measure changes
of supply current
33. page 33
SRAM data identification .
N1 N2
P1 P2
N1 N2
P1 P2
ordline
bitline
bitline
DD DD
0 1
N1 N2
P1 P2
Sensitive locations
ordline
bitline
bitline
DD DD
1 0
N1 N2
P1 P2
Sensitive locations
The image is obtained by
measuring the supply
current fluctuation under
laser stimulation at
different locations
[5] D. Nedospasov et. al, “Invasive PUF Analysis,” 2013 Workshop on Failure
Diagnosis and Tolerance in Cryptography
34. page 34
Attack using data-remanence effect at low-T .
Data remains within SRAM cells even after power-down
[9] N. A. Anagnostopoulos, et al. "Low-temperature data remanence attacks
against intrinsic SRAM PUFs." 2018 21st Euromicro Conference on Digital
System Design (DSD). IEEE, 2018.
35. page 35
Attack example .
Bootloader
SRAM
PUF
Bootloader
SRAM
PUF
Read
Erase
Other
NA
SRAM
PUF
Other
R/W
Pre-erasure
Post-erasure
Boot
flow
Only bootloader has access to
the SRAM power-up state
Non-privileged code
has access to SRAM
data after erasure
Freeze the SRAM after power-up
Data is not overwritten successfully
→ Attacker can read SRAM-PUF data using non-privileged codes
N. A. Anagnostopoulos, et al. "Low-temperature data remanence attacks against intrinsic SRAM
PUFs." 2018 21st Euromicro Conference on Digital System Design (DSD). IEEE, 2018.
36. page 36
Helper data attacks also lead to faults .
▪ SRAM PUF cannot operate without storing helper data in NVM
▪ NVM contents can be erased by heat/radiation
PUF
Helper
Data
(NVM)
Post-
processing
Reconstructed PUF secret will be corrupted if the helper data
storage is subject to attacks
PUF secret
[11] S. Skorobogatov, "Local heating attacks on Flash memory devices." 2009 IEEE
International Workshop on Hardware-Oriented Security and Trust. IEEE, 2009.
→ Modify HD without having write access
[12]
37. page 37
Entropy-loss introduced by ECC .
Example: correcting 100-bit SRAM
with different error correction ratio
ECC corrects up
to 30-bit errors
entropy loss
>80%
Entropy is estimated by guessing probability
The probability of having a correct guessing an 𝑚-bit
data with 𝑡-bit error tolerance is:
Pr 𝑐𝑜𝑟𝑟𝑒𝑐𝑡 𝑔𝑢𝑒𝑠𝑠𝑖𝑛𝑔 = Pr(#𝑒𝑟𝑟𝑜𝑟 ≤ 𝑡)
=
𝑖=0
𝑡
𝑚
𝑖
1 − 𝑝 𝑖𝑝𝑚−𝑖
Where 𝑝 is the success probability of guessing a bit,
which is equal to 0.5 assuming that the 𝑚-bit data is
full-entropy.
The resulting entropy is estimated using the equation:
H = − log2 Pr 𝑐𝑜𝑟𝑟𝑒𝑐𝑡 𝑔𝑢𝑒𝑠𝑠𝑖𝑛𝑔
→ More entropy loss when correcting more errors
38. page 38
Comparison .
Conventional PUFs Quantum Tunneling PUF
Optical Attacks
- Data leakage due to optical
sensitivity
- Fault injected by laser
Insensitive to optical glitches
Temperature Attacks
- Faults induced by varying
temperature
- Data remanence attack at low
temperature
Insensitive to temperature
Voltage glitches
- Faults induced by varying supply
voltage or power-up behavior
Insensitive to supply voltage in a wide
operating range (e.g. 0.8V-1.4V)
Helper data attack
- Fault attacks on helper data
- Helper data manipulation attacks
No helper data → No risk
39. Outline .
1. Recap
2. Different PUF circuit implementations
3. Performance and security analysis of PUFs
4. Conclusion
40. PUFsecurity
page 40
page 40
Conclusion .
Different PUF implementations have been introduced …
▪ Most PUFs do not provide ideal performance
▪ May be vulnerable to different physical attacks
▪ Helper data is not good for entropy and physical security
… quantum tunneling PUF is a better solution