increases implementation complexity. There are security considerations
in the exposure of error-correcting
bits that need to be addressed in any
PUF error-correction scheme.
6 These
considerations have been addressed
in the past ten years, leading to commercial products that use PUFs to provide key generation capability enabled
through manufacturing variation. For
example, a PUF was integrated into an
ARM-based SoC (system-on-a-chip)
from Xilinx19 for secure firmware load
during the device boot process.
The focus here is on the authentication use case. The goal is to bring
authentication to applications where
conventional cryptographic approaches are too expensive and cumbersome,
and enable pervasive dynamic challenge/response authentication of physical items.
Differential Measurements
To make silicon PUFs viable, one main
obstacle to overcome is preventing
changes in environmental conditions
(for example, temperature, voltage)
from overwhelming minuscule manu-facturing-variation-induced measurements. One of the key insights in early
PUF research6 was to use differential
measurements, which was later proven
to be highly effective in silicon. Before
then, the characterization of manufacturing variation required expensive
semiconductor test equipment and a
lot of evaluation time, and it was not
obvious how to do so very quickly in an
in-circuit fashion (without expensive external equipment) and in a manner that
is robust to environmental changes. To
the extent that temperature, voltage,
and other environmental effects impact
the differential measurements equally,
their effects cancel out, thereby allowing the minute manufacturing-varia-tion-induced effects to be manifested
in the PUF response measurements.
This is a general principle that was successfully employed in many subsequent
silicon PUF circuits. A survey of different PUF approaches as they relate to
authentication was published in 2015.4
The first custom silicon PUF imple-
mentation from MIT was the arbiter PUF,
7
shown in the dash-lined box in Figure
1. This is referred to as a “basic” arbi-
ter PUF building block to distinguish
it from more complex constructs to be
number) can be used to enable the au-
thentication verification server to look
up the correct key for the device being
queried. Here, the public identifier is
being used for its proper purpose, to
identify, and not as the primary means
to authenticate. The response cannot
be simply replayed to the server by a
man-in-the-middle adversary because
the server uses a different unpredict-
able challenge each time.
Cryptographic implementations of
a challenge/response protocol require
two items on the device:
Keyed cryptographic module. The device needs a cryptographic primitive
such as a block cipher or hash function
that uses a secret key.
Obfuscated secret key. The device
needs a secret key that is securely
stored, using, for example, secure non-volatile memory that is obfuscated
and not publicly readable. Nonvolatile
memory technologies are known to
be subject to reverse-engineering attacks, where the secret-key bits that are
stored can be recovered.
9 Layout obfuscation is viewed as important in making key recovery more difficult.
Today, many products do not have
dynamic authentication because cryptographic approaches may be too expensive or unusable in a passive circuit
setting where energy to power the cryptographic circuit is harvested from an
external RF field source (for example,
a dedicated RFID reader or an NFC, or
near-field communication-enabled,
smartphone). A lower-complexity and
inexpensive implementation of a challenge/response protocol would allow
authentication to become more pervasive, especially if it could be integrated
with a modern mobile smartphone in a
manner that is easy to use.
There is an alternative method of
implementing a challenge/response
protocol with integrated measurement
capability. The approach requires neither a keyed cryptographic module nor
an obfuscated secret key on the silicon
device. The idea emerged at MIT more
than 10 years ago.
6 This article discusses what the research community
has learned since then in terms of using silicon PUFs (physical unclonable
functions) for challenge/response authentication, how PUFs have been deployed to combat counterfeiting, and
what some of the open problems are.
Silicon Physical
Unclonable Function
Silicon PUF circuits generate output
response bits based on a silicon device’s manufacturing variation. The
variation is difficult to control or reproduce since it is within the tolerances of
the semiconductor fabrication equipment.
6 The devices are manufactured
identically from the same mask, and
there is no secret-key programming to
make each device respond differently
even to the same challenge. When the
same challenge is applied to different
devices, each device outputs a different
response. When the same challenge
is applied repeatedly to the same device, the PUF outputs a response that is
unique to the manufacturing instance
of the PUF circuit, though some of the
response bits may flip from query to
query. This is because the response is
produced based on a physical (versus a
purely algorithmic) evaluation, which
is subject to physical evaluation noise
that depends on temperature, voltage,
and other environmental effects.
PUFs have two broad classes of applications:
14
Authentication. In the authentication
use case, the silicon device is deemed
authentic if the response from an authentication query is close enough in
Hamming distance to a reference response obtained during a provisioning
process. This is similar to the false-pos-itive and false-negative behavior found
in human biometric systems, where
noisy mismatching bits can be “
forgiven” using a threshold-based comparison. To prevent replay attacks, challenges are not reused. Early research at MIT
showed that identically manufactured
circuitry could produce unique challenge/response pairs on different silicon instances of the same circuit, and
it was argued that for any given device,
the response is difficult to predict when
subject to a random challenge.
Key generation. If, instead of a
threshold-based authentication, the
PUF is to serve as a secret-key generator, only a fixed number of response
bits need to be generated from the
PUF. These bits can serve as symmetric key bits and can be used in a secure
processor.
15 Since cryptographic keys
are required to be bit exact, the basic PUF circuit needs to be enhanced
with error-correction logic, which