#### Secure your digital life™



# Silicon PUFs and PUF-based Key Storage

Roel Maes Intrinsic-ID, Eindhoven (NL)

June 6, 2014 Summerschool: Design and security of cryptographic algorithms and devices for real-world applications Šibenik, Croatia

Course and a second

# **Roots of Trust**



Secure your digital life™

# **Physical Key Storage**





- Alternative to NVM-based key storage: PUF-based key storage
- Main advantages:
  - Key not present when device is powered down
  - Key depends on device intrinsic randomness

#### **PUFs: Physically Unclonable Functions**

On many levels, PUFs are more like fingerprints than like programmed keys:

| Human Fingerprint                                             | PUF                                                   | Programmed Key                                              |  |
|---------------------------------------------------------------|-------------------------------------------------------|-------------------------------------------------------------|--|
| <b>Unique</b> per person                                      | <b>Unique</b> per device                              | No guarantee of uniqueness                                  |  |
| Inherent from birth                                           | Inherent from production                              | Programmed after<br>production                              |  |
| Impossible to<br>"clone" humans with<br>the same fingerprints | Infeasible to<br>"clone" devices with<br>the same PUF | <i>Easy</i> to program<br>many devices with<br>the same key |  |

#### Silicon PUFs: classification & advantages

• Many PUF(-like) proposals in myriad of materials, techniques, ...



➡ Non-electronic PUFs, e.g. paper-based, optical PUFs, ...

- Advantages of <u>silicon</u> PUFs:
  - Standard manufacturing with implicitly present randomness
  - Completely embedded in evaluating device
  - Easy integration with digital circuits  $\rightarrow$  crypto implementations



Secure your digital life™





#### Silicon PUF Constructions: general idea

#### Silicon PUF construction =

a silicon circuit whose response (y) is mainly determined by process variations (PV) and the applied challenge (x)

- <u>Ideal</u> silicon PUF: y = f(PV, x)
- Silicon PUFs <u>in practice</u>:
  y = f (PV, x; ...
  PUF behavior
  Temp, V<sub>dd</sub>, Noise, Device age, ...
  Unreliable
  Deterministic offset, Structural bias ...)
  Biased



### **Delay-based silicon PUFs**

• Silicon process variations randomly affect delay of digital circuits



Arbiter PUF exploits race conditions between identically designed delay lines



Secure your digital life™

# **Delay-based silicon PUFs**

• **Ring Oscillator PUFs** exploit *frequency variability* amongst identically designed ring oscillator circuits



Glitch PUF exploits variability in *glitch behavior* of identically designed combinatorial circuits



### **Bi-stable memory based PUFs: SRAM PUF**

Silicon process variations cause device "mismatch"



• **SRAM PUF** based on mismatch between "matched" invertors in *SRAM* 



### **Bi-stable memory based PUFs: SRAM PUF**

• Silicon process variations cause device "mismatch"



• **SRAM PUF** based on mismatch between "matched" invertors in *SRAM* 

cell

Typical SRAM array Power-up Pattern



#### **Bi-stable memory based PUFs: other elements**

• Similar PUF behavior in other memory cells



Secure your digital life™



Secure your digital life™

#### **Basic PUF properties: uniqueness**





**Inter**-distance = 15 bit = 46.88%

**INTRINSIC ID** 

Secure your digital life™



- Complete (100%) unpredictability = guessing every bit  $\rightarrow$  50% prediction accuracy  $H(X) = -\sum p(x) \log_2 p(x)$
- Use <u>entropy</u> to express unpredictability:
  - − 50% accuracy  $\rightarrow$  100% entropy  $\rightarrow$  100% "guessing" and 0% "insight"
  - − 62.5% accuracy  $\rightarrow$  95.4% entropy  $\rightarrow$  95.4% "guessing" and 4.6% "insight"

Unpredictability  $\rightarrow$  95.4% entropy

Secure your digital life™

# **Basic PUF properties: "physical unclonability"**

- Technical infeasibility/impossibility to create "non-unique" PUF instantiations
  - Due to **uncontrollable** random process variations



Secure your digital life™

#### **Silicon PUF-based applications**

Device identification

- Device authentication
  - Some variant of:



Cryptographic key generation



# **Key generation/storage with Silicon PUFs**

• Discrepancy between PUF response and crypto key:



- Key Generator:
  - Improves *reproducibility* by taking care of intra-distance of response = correct bit errors
  - Improves *unpredictability* by extracting unpredictable part of response = compress & accumulate entropy

Secure your digital life™

#### **PUF-based key generation: Error correction**





Secure your digital life™

#### **PUF-based key generation: Error correction**



 Result: reproducibility improves drastically, but unpredictability decreases due to helper data leakage

#### **PUF-based key generation: Entropy extraction**



- Result: Sufficient unpredictability achieved by accumulating and compressing response bits
- Extracted key length ≤ total accumulated entropy

Secure your digital life™

#### **PUF-based key generation: Fuzzy Extractor**

• Combination of error correction and entropy extraction:





#### **Practical PUF-based key generators**

- To give you some idea of realistic systems (from literature):
  - All for <u>128-bit keys</u>:

|                                      | PUF type            | PUF size           | PUF error rate | Error Correction                                          | Key failure rate |
|--------------------------------------|---------------------|--------------------|----------------|-----------------------------------------------------------|------------------|
| Boesch et al.,<br>[CHES-2008]        | SRAM PUF            | 3696 bits          | 15%            | Repetition + Golay<br>(hard decision)                     | 10-6             |
| Maes et al.,<br>[CHES-2009]          | SRAM PUF            | 1536 bits          | 15%            | Repetition + Reed-Muller<br>(soft decision, multi enroll) | 10 <sup>-6</sup> |
| van der Leest et al.,<br>[CHES-2012] | SRAM PUF            | 2880 bits          | 15%            | Repetition + Golay<br>(soft decision, single enroll)      | 10-6             |
| Maes et al.,<br>[CHES-2012]          | Ring Oscillator PUF | 848<br>oscillators | 13%            | Repetition + BCH<br>(hard decision)                       | 10 <sup>-9</sup> |

- PUF error rate significantly affects error correction and PUF size
  - Key failure rate has less impact

#### **Towards PUF-based user applications**



Secure your digital life™

#### **PUFs: Recent Developments**

- Physical Attacks on PUFs
  - PUFs, like all physical crypto primitives, can be susceptible to physical attacks

#### • E.g.

- EM analysis on ring oscillator PUFs
- Remanence decay attack on SRAM PUFs
- Photon Emission Analysis (PEA) on SRAM PUFs
- Invasive attacks

| [Merli et al., TRUST 2011]     |
|--------------------------------|
| [Oren et al., CHES 2013]       |
| [Helfmeier et al., HOST 2013]  |
| [Nedospasov et al., FDTC 2013] |

• Countermeasures are possible

#### **Recent Developments: Aging and Anti-Aging** (for SRAM PUFs)

- SRAM PUF "natural aging"
  - Power-up behavior: fastest transistor (of matched pair) closes first
  - NBTI aging: closed transistors become slower over time
  - Result: power-up behavior changes over time hence: <u># bit errors increases over time</u>
- SRAM PUF "anti-"aging
  - Long-term storage of the power-up state inverse reinforces the power-up behavior Result: <u># bit errors decreases over time!</u> [Maes et al., HOST 2014]
  - A similar effect (HCI) can also be applied in an accelerated manner immediately after production to improve the reliability of an SRAM PUF from the start [Bhargava et al, CHES 2013]

#### **Summary**

- A silicon PUF is a process variation dependent circuit
  - → effectively a "device fingerprint"
    - **Delay-based** constructions: arbiter PUF, ring oscillator PUF, ...
    - **Memory-based** constructions: SRAM PUF, D flip-flop PUF, ...
    - "Physically unclonable": process variations are beyond manufacturer's control
- PUFs are typically *noisy* and *biased*, crypto keys are not...
  → PUF-based key generator: PUF → KeyGen → Crypto Key
  - Improve robustness with **error-correction** techniques → **helper data**
  - Improve unpredictability with **entropy accumulation**

#### ппппппппп





Secure your digital life™