QuiddiKey®
Intrinsic ID QuiddiKey is a hardware IP solution that enables device manufacturers and designers to secure their products with internally generated, device-unique cryptographic keys without the need for adding costly, security-dedicated silicon. QuiddiKey uses the inherently random start-up values of SRAM as a physical unclonable function (PUF), which generates the entropy required for a strong hardware root of trust. QuiddiKey IP can be applied easily to almost any chip – from tiny microcontrollers (MCUs) to high-performance systems-on-chip (SoCs). SRAM is a standard component available upon initial release of any process technology; because it uses SRAM as a PUF source, Quiddikey IP can be used with any foundry and process-node technology. QuiddiKey has been deployed and proven in hundreds of millions of devices certified by EMVCo, Visa, CC EAL6+, PSA, IoXt, and governments across the globe.
Features
- Uses standard SRAM start-up values as a PUF to create a hardware root of trust
- Root key is never stored, but re-created from the PUF each time it is needed
- Offers key provisioning, wrapping, and unwrapping to enable secure key storage across the supply chain and for the lifetime of the device
- Keys are bound to the device and can only be recreated and accessed on the device they have been created on
- Configurations can be customized for your application
- Custom driver API for easy integration
- Deployed in hundreds of millions of production devices over more than a decade
Benefits
- Offers a higher level of security than traditional key storage in NVM such as secure flash, OTP or e-fuses
- Enables designers to create and store an unlimited number of keys securely in unprotected NVM on/off chip
- Minimizes overhead through optimized hardware design
- Eliminates the need for centralized key management and programming
- Highly reliable secure key storage solution in the most advanced technology nodes
Why You Need QuiddiKey
Secure supply chain: Each QuiddiKey user can generate an unlimited number of device-unique keys. None of these keys are ever stored on the device. This means that each user in the supply chain can derive their own device-unique keys and import and protect other secrets, without these keys or secrets being known to the manufacturer or other supply-chain users. The QuiddiKey wrapping functionality enables supply-chain applications and IP to be securely and reliably protected – for the lifetime of the device – prior to being deployed in the field.
Protection against reverse-engineering, counterfeiting/cloning: QuiddiKey protects firmware IP by encrypting it with a PUF-derived encryption key that is locked to the hardware instance of the device. If the firmware IP tied to a device with QuiddiKey is copied to other device instances, these rogue devices cannot unlock the IP or use it, because every device has a different hardware fingerprint.
Other use cases: Secure key storage, flexible key provisioning, HW-SW binding, secure communication, authentication
QuiddiKey Configurations
QuiddiKey is available in off-the-shelf configurations with size ranging between 24k and 50k gates. Configurations differ according to functionality, performance and compliance, enabling options customized to the needs of your application (options are shown in parentheses in the chart, below; configurations that include options will have gate-counts at the higher end of the range).
| QuiddiKey Configurations | QuiddiKey-Safe | QuiddiKey-Plus |
|---|---|---|
| Generate device-unique keys | ✓ | ✓ |
| Generate random values | ✓ | ✓ |
| Wrap and unwrap keys | (✓) |
|
| Size (k gates) | 24 | 38-50 |
| Security strength (bits) | 256 | 256 |
| Maximum key length (bits) | 4096 | 4096 |
| Time to root key (k cycles) | 149 | 50-68 |
| SRAM required for PUF (KB) | 2 | 2-4 |
| NIST approved algorithms | AES, SHA-256, HMAC-SHA |
|
| CAVP for DRBG (NIST SP 800-90A) | (✓) |
|
| Interface | APB | APB |
| Logic BIST | (✓) | (✓) |
| SRAM health checks | ✓ | ✓ |
| SRAM anti-aging | ✓ | ✓ |
| Diagnostics | ✓ | ✓ |
| Driver | ✓ | ✓ |
| Attack countermeasures | ✓ | Extended |
Operational Range
QuiddiKey has been deployed on MCUs/SoCs/ASICs in a diverse set of foundry/process node combinations. SRAM PUF responses across this diverse array have been qualified for use with QuiddiKey in a wide range of operational environments, over years of field operation.
Deliverables
QuiddiKey IP can be integrated easily into any semiconductor design across all foundries and process nodes. Standard deliverables include:
- Synthesizable RTL netlist (VHDL and Verilog)
- VHDL test bench with supporting files
- Design Compiler synthesis constraints (tcl)
- QuiddiKey Driver API for easy integration
- QuiddiKey register description (IP-XACT)
- Datasheet, integration manual and driver documentation
Driver Eases Integration
The QuiddiKey driver eases the use of the QuiddiKey HW IP for developers in an embedded software environment. It is delivered as C source code and comes with a reference manual, integration tests and the QuiddiKey register description.
