Making Sense Of PUFs

As security becomes a principal design consideration, physically unclonable functions (PUFs) are seeing renewed interest as new players emerge onto the market. PUFs can play a central role in hardware roots of trust (HRoTs), but the messaging in the market can make it confusing to understand the different types of PUF as well as their pros and cons.

PUFs leverage some uncertain aspect of some natural phenomenon to generate a unique, unpredictable, repeatable, random number. As described in a paper, “PUFs at a Glance” by Rührmair and Holcomb, “Their key idea is to exploit the ‘random physical disorder’ or the ‘manufacturing variations’ that occur in almost all physical systems on small length scales.” The generated number must be readable reliably, regardless of the temperature, voltage, or any other condition. Critically, they must be impossible to read by an unauthorized entity. The fact that no one can determine or guess the value is what makes them “unclonable.” PUFs are therefore usually heavily tamper-proofed to thwart efforts to learn the PUF value or values.

There is a wide range of proposed PUF technology, including optical. The scope of this article will be restricted to silicon-based PUFs that can be implemented monolithically with other CMOS circuits. In this case, the PUFs make use of something that is otherwise not considered useful — process variation. An effective PUF takes advantage of the minute differences between chips. The structures to be sampled must be numerous enough to provide high entropy over all of the devices to be built.

Weak and strong PUFs
Broadly speaking, there are two categories of PUFs, “weak” and “strong.” Those names are misleading because it would seem that strong PUFs would provide greater security, which is not the case. Instead, the two are used in very different ways.

Weak PUFs provide a single value — or perhaps a small number (low hundreds) of values. Most frequently, the PUF is simply accessed and a value returned. Strong PUFs, by contrast, have thousands to millions of values — the more the better. With a strong PUF, the act of requesting one of those values is referred to as a “challenge”; the value received is the “response.” As it turns out, weak PUFs currently provide the strongest security; strong PUFs have not yet proven themselves secure enough to be deployed commercially.

A third middle ground that some refer to as “controlled” PUFs aims to protect strong PUFs by preventing the direct readout of the responses. “A controlled PUF … uses a Strong PUF as a building block, but adds control logic that surrounds the PUF. The logic prevents challenges from being applied freely to the PUF and hinders direct read-out of its responses,” notes a paper by Ruhrmair et al.

Many PUF types require initialization during manufacturing — typically during final test. This step is referred to as “enrollment.” The enrollment is the first time that the variations in the chip are leveraged to create a value, and depending on the type of PUF, it has different effects. The specifics for the more common types are described below.

Using PUF data
While dedicated HRoT chips exist, it’s becoming increasingly common for them to be added to microcontrollers or other processors intended for secure applications.

“Customers ask for them as a backup to existing roots of trust,” said Helena Handschuh, a Rambus Security Technologies fellow. A monolithic implementation makes it harder to break the security. Tamper-proof measures are still needed, but it becomes harder for an attacker to break into since the HRoT isn’t isolated in its own chip.

Because weak PUFs are typically treated as having a single value, they are used differently from strong PUFs. Additional values, if there are any, may serve for different modes. But in each case, the PUF is used as if it had only one value.

Examples of how weak PUFs can be used include:

• Using the value as a root key or seed for deriving other keys. Many times, these are session keys, used once and then discarded. It is possible to treat the value as a private key, generating a public key from it. While this works mathematically, it means that the device itself is performing some of the functions of a certificate authority (CA), so some sort of certificate would also need to be generated to provide authentication. Because the company would be acting as its own CA in that case, the company would have to be recognized as a trusted source — as trusted as a standard CA would be.
• Using the value as a key for encrypting another key — a so-called “key-encryption key,” or KEK. In this case, the key being protected would be obtained through a standard provisioning process, likely at final test. Here the PUF is used to provide an extra layer of protection for the provisioned key.
• Using the value as an additional source of entropy for a conventional HRoT. While that’s a function often provided by true random-number generators (TRNGs), by definition, a TRNG generates a new value every time, while a PUF generates the same value every time. It becomes another factor in the generation of keys or other secrets that will vary from device to device.
• If a weak PUF has enough challenge/response pairs, then each response could return one bit of a key. An attacker would need to know which challenges to use and in which order — if they had access to those numbers. Good physical security could keep this cloaked from view.

Strong PUFs leverage their high number of values for challenge/response authentication. During final test, enrollment involves generating an enormous list of challenge/response pairs. These pairs are stored with the authority that will be performing the authentication.

When authentication is required, the authority goes to the list of challenge/response pairs and randomly selects a challenge. That challenge is sent to the device, which responds with its value. If the value is wrong, then the authentication fails. If the value matches what the authority has in the database, then authentication succeeds. That challenge is then removed from the list so that it’s never used again, protecting against replay attacks by anyone monitoring the authentication process.

Fig. 1: Challenges and responses with a strong PUF. Each pair can be used only once, creating a need for a huge number of pairs to last the lifetime of the device. Source: Bryon Moyer/Semiconductor Engineering

It’s because each challenge can be used only once that so many challenge/response pairs are needed. There needs to be enough pairs to last the lifetime of the device. In all likelihood, only a small percentage of the possible pairs will be used.

Attacks on PUFs
The reason that weak and strong PUFs appear to be poorly named is that today’s weak PUFs are more secure than today’s strong PUFs. “They seem to have gotten the weak and the strong upside down,” Rambus’ Handschuh observed. Weak PUFs are vulnerable only to physical attacks. Attempts to view or detect the contents of the PUF are blocked by tamper-proofing. Attempts to detect the contents or the output electrically are made more difficult by leaving the PUF off except when generating a value on request by the host system.

Strong PUFs can be protected by similar means, but that leaves one significant successful attack that, to date, no strong PUF has avoided. Although challenge/response pairs are discarded after one use, an attacker can monitor some number of pairs as they’re exchanged — or even by injection of the challenges to measure the responses. As noted in a paper by Ganji et al, “In this attack scenario, a relatively small subset of challenges along with their respective responses is collected by the adversary, attempting to come up with a model describing the challenge-response behavior of the PUF.” This is referred to as a modeling attack.

Daniel Holcomb, assistant professor at the University of Massachusetts (and co-author of the PUFs at a Glance paper), noted that some companies try to block this sort of attack by cloaking the responses so that they can’t be measured or modeled. But no commercial strong PUF has yet emerged. “It’s an open question as to whether strong PUFs could even be done,” he said.

The Rührmair paper notes that, “Weak PUFs are only susceptible to model-building attacks if a Strong PUF, embedded in some hardware system, is used to derive the physically obfuscated key.” Speaking specifically for SRAM-based weak PUFs, another paper by Helfmeier et al says that, “As the response of each individual SRAM bit is relatively independent of its neighbors, modeling attacks are not possible in SRAM.” Weak PUFs with more than one challenge/response are still hard to crack this way because there are two few pairs to allow machine learning algorithms to learn the pattern.

Specific kinds of PUFs
In theory, there are an enormous number of possible ways to implement a PUF, as illustrated in a PUF taxonomy. “There have been so many PUF proposals that the industry has pushed back,” said Michael Chen, director of design for security at Mentor, a Siemens Business. But only a very few have been commercialized, and all of those have been of the weak variety.

SRAM-based PUFs have been in the market the longest. The idea here is that the powering up of an SRAM cell creates a race between the transistors (usually the PMOS) as to which turns on first. Slight variations from cell to cell matter. These PUFs can be found in secure microcontrollers (MCUs), especially those used in internet-of-things (IoT) devices.

There is a fair bit of noise, however, in the power-up fingerprint of an SRAM array. Some cells are too unstable to be useful. Others are far more stable, but they still benefit from the use of error-correction codes. In order to stabilize the entire array, enrollment of an individual device identifies which cells to include in the PUF calculation (excluding those that are too unstable), and that data is stored in non-volatile memory (NVM). This referred to as “helper data.” Erasing the helper data makes the originally enrolled key unreproducible.

Long-term reliability is important. “IoT devices will be out there for years,” noted Pim Tuyls, CEO of Intrinsic ID. “They need to be secure 10 to 15 years from now.”

There is one aging mechanism that has affected SRAM-based PUFs, although a remedy is currently in use. The effect is called negative-bias temperature instability (NBTI). With NBTI, a negative gate bias such as that seen by the PMOS transistors results in carriers fixing themselves under the gate oxide above the channel. These carriers don’t move, so they don’t participate in the channel current; their only effect is to change the threshold voltage V_T. Once the negative bias is removed, those charges can drift away to some extent over the following hours or days, but not completely, leaving the V_T changed.

The solution to this is, after reading the PUF value, to write the opposite of the enrolled state into the array. This places a negative bias on the opposing PMOS devices, moving their VTs a little. Since it’s the difference between V_Ts that ultimately determines the value, then the anti-aging response keeps the gap between the two V_Ts from closing to the point where the outcome could not be trusted to remain constant for the life of the device. Holcomb agreed this was a good thing to do.

Intrinsic ID has the biggest footprint in the industry at present with its SRAM PUF. Its uses a 2Kb array to create a 256-bit full-entropy key. In addition to the helper data and ECC, Intrinsic uses a hashing function (which it calls a “fuzzy extractor”) to add entropy and compress the readout into the 256 bits. The PUF operates only at power-up and then shuts down. The company sells its PUF as IP. That IP doesn’t include the NVM for helper data. The expectation is that the system already will have NVM, either internally or externally, and the helper data takes very little room in that memory. This allows it to offer IP at advanced CMOS nodes where NVM isn’t available. In that case, external NVM would be used.

Silicon Labs is using Intrinsic ID’s PUFs in some of its MCUs. “We implemented SRAM PUF technology that has the longest proven track record of reliability in the market,” said Mike Dow, senior product manager for IoT security at Silicon Labs, in a PUF technology overview. “In our implementation, we limit the use of the PUF to create a … KEK, which is used to wrap (encrypt) other keys in the system and store them in internal or external memory.” Because of the encryption, Silicon Labs can store keys in any memory rather than specific secure memory, which would be more expensive and have a fixed size that might not allow expansion later.

KEK derivation happens only at power-up, and the KEK is accessed only when needed to limit the amount of time available for attacks. They can also implement this with a requirement for a second 128-bit key as an initial vector to act as a second authentication factor.

Another PUF mechanism uses V_T comparison as a way to generate randomness. This is what SRAM PUFs also do, but in this case it’s individual transistors rather than full SRAM bit cells. This is a proprietary approach developed by Maxim Integrated for its own internal use (although it might do some strategic licensing). “As a semiconductor company with analog expertise, we’re taking advantage of random small variations between the V_Ts of different transistors,” said Scott Jones, Maxim Integrated’s managing director of embedded security. There is very little noise in this approach, so the company doesn’t use ECC or any other addition of entropy.

Maxim Integrated implements this as an array of transistors, but they’re not hard-wired together. “Just using the threshold wasn’t reliable enough,” Jones said. The concern was that, if two transistors happened to have V_Ts too close to each other, then aging might move the thresholds closer together or even past each other, making the PUF unrepeatable over time. In order to deal with this, enrollment identifies pairs of transistors in the array that have widely spaced V_Ts. The pair may not be next to each other. Storing the pair relationships is a form of helper data for this PUF.

“At a high level, the pairing memory is per-chip randomized in terms of storage,” Scott said. “Everything stored is encrypted, and any time a key is derived a per-instance random access sequence is used to obtain pair information.”

Maxim Integrated says it doesn’t need a lot of redundancy for this. It can extract a 256-bit key from 512 transistor pairs. It specifies a 10-year life across the temperature range of -40 to 125°C using an aging model that it says is accurate to 5 ppb. The PUF is turned on only for key retrieval, which can be completed in 10μs.

Just as the first two mechanisms are closely related, so are the next two. The first is oxide rupture, and it leverages the variation between the exact voltages at which oxide layers will break down. Oxide rupture is the mechanism behind one-time programmable (OTP) anti-fuses, but full hard breakdown could create visible evidence that an attacker could exploit.

eMemory’s materials describe its PUF as being based on oxide rupture, but further conversation indicates that its positioning is evolving. There appear to be no commercial vendors of full oxide-rupture PUFs. Instead, we look to the next type of PUF: quantum-tunneling PUFs.

Quantum-tunneling PUFs leverage something close to breakdown, but it’s not the hard, destructive breakdown that an OTP anti-fuse would experience. In an IEEE paper from Imec and KU Leuven, the authors describe their use of “soft breakdown” that leverages “trap-assisted tunneling.” eMemory is also changing its description from oxide rupture to quantum tunneling. Finally, newcomer Crypto Quantique has debuted its quantum-tunneling PUF.

In all of these cases, transistors are paired and driven by the same gate voltage. As that voltage is raised, one or the other gate will “break down.” This refers less to a catastrophic low-resistance path created by breakdown than it does to the exponential relationship between gate voltage and resulting tunneling current in this regime. It also relates to oxide thickness.

“We use barriers less than 3 nm thick,” said Shahram Mossayebi, Crypto Quantique CEO and founder. “The tunneling is exponentially sensitive to barrier thickness.”

That ensures a big difference between the current on the tunneling side versus the other side.

Fig. 2: A quantum tunneling cell. Source: eMemory

While the initial enrollment breakdown isn’t destructive, it does “form” the conduction path for future PUF extractions. eMemory describes enrollment as creating Si-O dangling bonds as traps, and those remain during future read operations.

Fig. 3: Quantum-tunneling enrollment (left) and PUF extraction (right). Ideally, 50% of the cells will conduct through the left oxide and 50% through the right. Measurement shows that this ideal behavior is closely followed by real-world devices. The cell state is dictated by which side conducts at a higher level. Source: eMemory

It’s also unlikely, but possible, for both oxide layers to conduct. If that happens, then the readout could be considered equivalent to having only one side blow. For instance, one could arbitrarily decide that, as long as the left oxide conducts, it will be interpreted as a one, whether or not the right oxide conducts. A zero would result only when only the right side conducts.

A full PUF can be formed as an array of these cell interconnected in a NOR arrangement. It’s a weak PUF, although it does have a limited number of challenge/response pairs. Effectively, each row can be a response, so the challenge effectively becomes the row address (at least, internally). But there aren’t enough rows to qualify this as a strong PUF.

Fig. 4: A full array of quantum-tunneling cells configured as a NOR array. Source: eMemory

Crypto Quantique is using its PUF to create a private key for use with public-key infrastructure (PKI). Their provisioning process sends that key to their server, which creates a certificate with the accompanying public key based on that private key.

There is one possible source of confusion based upon Crypto Quantique’s claims of having a post-quantum-safe approach. While most concerns about quantum computers breaking security relate to factoring public keys to determine a private key, this notion is different. It’s about quantum computers cracking the PUF key. The company claimed to be the only one with a “future-proof” PUF approach and that other PUFs could be cracked through quantum computers. The papers it sent explaining the concern, however, relate to modeling attacks against strong PUFs. These quantum-tunneling PUFs are weak PUFs, so modeling attacks don’t apply. Intrinsic ID, Maxim Integrated, and eMemory all confirmed there are no known successful non-physical attacks against weak PUFs.

There is another type of PUF that lends itself particularly well to FPGA implementations: the Butterfly PUF. This circuit sets up instability between set/reset inputs and data inputs, requiring the block to settle into a stable state. Which state that is becomes the PUF state. No one has commercialized this PUF to date.

Fig. 5: A butterfly PUF. Excitation on the preset and clear inputs creates instability on the cross-coupled inputs with a random but consistent settling state. Source: Intrinsic ID

Finally, there is another PUF that was commercially available, but appears no longer to be so. It’s an arbiter PUF, which leverages the race condition between two paths. A signal is sent down two multiplexer paths for many stages. At each stage, a challenge bit determines which side of the multiplexer will be used for that stage. These select bits then constitute challenges, with the result being the response. But there aren’t nearly enough combinations to qualify this as a strong PUF. From a size standpoint, Holcomb said that a 128-stage version is the equivalent of about 500 gates.

Fig. 6: An arbiter PUF. A race condition is set up between the data and clock paths of the final flip-flop. The challenge bits determine which path each signal takes. Source: Bryon Moyer/Semiconductor Engineering

The only company that offered this PUF was Verayo. [The company appears to have closed down. Semiconductor Engineering contacted both an ex-founder, who was not with the company when it closed, and another person that he pointed us to, which yielded no response. Further, the web site is blank and the last known phone number does not work.]

The economics of PUFs
PUFs aren’t free. The silicon area consumed by them varies greatly by PUF type. Security is important, so, as Handschuh described it, “People ask for these without really knowing why. It’s just that they’ve heard they should.” That said, designers may have customers who want security, but they may not be willing to pay much for it. That creates tension for a technology that can help to check the “security” box while claiming a patch of silicon on the die. This clearly becomes more of a challenge for low-cost chips, since they can tolerate very little in the way of additional cost.

Because they sell PUF IP on the open market, Intrinsic ID and eMemory were asked for examples of the size of their PUFs. Intrinsic ID gave an example of QuiddiKey-Plus design at the 7nm node occupying around 0.006mm². That doesn’t include the NVM for helper data, but because the system likely already has NVM, that’s not an incremental cost. eMemory’s Sean Wang, Senior Project Manager of Marketing Development Department, quoted “around 0.1x mm² for 5nm to 55nm platforms with 2K PUF and 4K OTP. The charge pump, [an] analog circuit, will dominate the IP area, and it is independent of process node.” Wang noted that the high-voltage circuits can be shared with any other OTP used on the same chip, helping to amortize that cost.