Physical unclonable function (PUF), sometimes also called physically unclonable function, is a physical entity that is embodied in a physical structure and is easy to evaluate but hard to predict.
All PUFs are subject to environmental variations such as temperature, supply voltage and electromagnetic interference, which can affect their performance. Therefore, rather than just being random, the real power of a PUF is its ability to be different between devices, but simultaneously to be the same under different environmental conditions.
One way to categorise the numerous PUF concepts is by how the source of variation within each PUF is measured.[1] For instance some PUFs examine how the source of uniqueness interacts with, or influences, an electronic signal to derive the signature measurement while others examine the effects on the reflection of incident light, or another optical process. This also typically correlates with the intended application for each PUF concept. As an example, PUFs that probe uniqueness through electronic characterization are most suitable for authenticating electronic circuits or components due to the ease of integration. On the other hand, PUFs that authenticate physical objects tend to probe the PUF using a second process, such as optical or radio frequency methods, that are then converted into electronic signal forming a hybrid measurement system. This allows for easier communication at a distance between the separate physical authenticating tag or object and the evaluating device.
One major way that PUFs are categorized is based on examining from where the randomness or variation of the device is derived.[2] This source of uniqueness is either applied in an explicit manner, through the deliberate addition of extra manufacturing steps, or occurring in an implicit manner, as part of the typical manufacture processes. For example, in the case of electronic PUFs manufactured in CMOS, adding additional CMOS components is possible without introducing extra fabrication steps, and would count as an implicit source of randomness, as would deriving randomness from components that were already part of the design to start with. Adding, for example, a randomized dielectric coating for the sole purpose of PUF fingerprinting would add additional manufacturing steps and would make the PUF concept or implementation fall into the explicit category. Implicit randomness sources show benefit in that they do not have additional costs associated with introducing more manufacturing steps, and that randomness derived from the inherent variation of the device’s typical manufacture process cannot be as directly manipulated. Explicit randomness sources can show benefit in that the source of randomness can be deliberately chosen, for instance to maximize variation (and therefore entropy yield) or increase cloning difficulty (for example harnessing randomness from smaller feature sizes).
In a similar manner to the classification of a PUF by its randomness source, PUF concepts can be divided by whether or not they can evaluate in an intrinsic manner.[3] An PUF is described as intrinsic if its randomness is of implicit origin and can evaluate itself internally. This means that the mechanism for characterizing the PUF is intrinsic to, or embedded within, the evaluating device itself. This property can currently only be held by PUFs of entirely electronic design, as the evaluation processing can only be done through the involvement of electronic circuitry, and therefore can only be inseparable to an electronic randomness probing mechanism. Intrinsic evaluation is beneficial as it can allow this evaluation processing and post-processing (such as error correction or hashing) to occur without having the unprocessed PUF readout exposed externally. This incorporation of the randomness characterization and evaluation processing into one unit reduces the risk of man-in-the-middle and side-channel attacks aimed at the communication between the two areas.
PUF name | Measurement process | Randomness source | Intrinsic evaluation? | Year |
---|---|---|---|---|
Via PUF[4] [5] | Fully Electronic | Implicit | Intrinsic | 2015 |
Delay PUF[6] | 2002 | |||
SRAM PUF[7] | 2007 | |||
Metal resistance PUF[8] | 2009 | |||
Bistable Ring PUF[9] | 2011 | |||
DRAM PUF[10] | 2015 | |||
Digital PUF[11] | 2016 | |||
Oxide Rupture PUF[12] | 2018 | |||
Coating PUF[13] | Explicit | Extrinsic | 2006 | |
Quantum Electronic PUF[14] | 2015 | |||
Optical PUF[15] [16] | Optical | 2002 | ||
Quantum Optical PUF[17] | 2017 | |||
RF PUF[18] | RF | 2002 | ||
Magnetic PUF[19] | Magnetic | Implicit | 1994 |
The Via PUF technology is based on "via" or "contact" formation during the standard CMOS fabrication process. The technology is the outcome of the reverse thinking process. Rather than meeting the design rules, it makes the sizes of Via or Contact be smaller than the requirements in a controlled manner, resulting in unpredictable or stochastic formation of Via or Contact, i.e. 50% probability of making the electrical connection. The technology details are published in 2020[4] [5] for the first time while the technology is already in mass production in 2015 by ICTK. Few characteristics of Via PUF are followings:
The Via PUF based Hardware RoT (Root of Trust) chips are currently applied in various markets such as telecommunications, appliances, and IoT devices in the forms of Wifi/BLE modules, smart door locks, IP cameras, IR sensor hub, etc. The technology supports the security functionalities such as anti-counterfeiting, secure boot, secure firmware copy protection, secure firmware update and secure data integrity.
A delay PUF exploits the random variations in delays of wires and gates on silicon. Given an input challenge, a race conditionis set up in the circuit, and two transitions that propagate along different paths are compared to see which comes first. An arbiter, typically implemented as a latch, produces a 1 or a 0, depending on which transition comes first. Many circuits realizations are possible and at least two have been fabricated. When a circuit with the same layout mask is fabricated on different chips, the logic function implemented by the circuit is different for each chip due to the random variations of delays.
A PUF based on a delay loop, i.e., a ring oscillator with logic, in the publication that introduced the PUF acronym and the first integrated PUF of any type. A multiplexor-based PUF has been described,[20] as has a secure processor design using a PUF[21] and a multiplexor-based PUF with an RF interface for use in RFID anti-counterfeiting applications.[22]
These PUFs use the randomness in the power-up behavior of standard static random-access memory on a chip as a PUF. The use of SRAM as a PUF was introduced in 2007 simultaneously by researchers at the Philips High Tech Campus and at the University of Massachusetts.[23] [24] Since the SRAM PUF can be connected directly to standard digital circuitry embedded on the same chip, they can be immediately deployed as a hardware block in cryptographic implementations, making them of particular interest for security solutions. SRAM-based PUF technology has been investigated extensively. Several research papers explore SRAM-based PUF technology on topics such as behavior, implementation, or application for anti-counterfeiting purposes.[25] [26] Notable is the implementation of secure secret key storage without storing the key in digital form.[24] [26] [27] SRAM PUF-based cryptographic implementations have been commercialized by Intrinsic ID,[28] a spin-out of Philips, and as of 2019, are available on every technology node from 350 nm down to 7 nm.
Due to deep submicron manufacturing process variations, every transistor in an Integrated Circuit (IC) has slightly different physical properties. These lead to small differences in electronic properties, such as transistor threshold voltages and gain factor. The start-up behavior of an SRAM cell depends on the difference of the threshold voltages of its transistors and other transistor parameters. An SRAM cell has two stable states, which normally represent the zero and one logical states. If the transistors of an SRAM cell were identical, the cell will be perfectly balanced and it will randomly start into one of the two stable states. However, even the smallest differences between transistor parameters will create a cell imbalance and will push the SRAM cell into one of the two stable states with a higher probability than the other state.[29] Given that most SRAM cells have its own preferred state every time they are powered, from an SRAM array of cells a unique and random pattern of zeros and ones can be obtained. This pattern is like a chip’s fingerprint, since it is unique to a particular SRAM and hence to a particular chip.
SRAM PUF response is a noisy fingerprint since a small number of the cells, close to equilibrium is unstable. In order to use SRAM PUF reliably as a unique identifier or to extract cryptographic keys, post-processing is required.[30] This can be done by applying error correction techniques, such as ‘helper data algorithms’[31] or fuzzy extractors.[32] These algorithms perform two main functions: error correction and privacy amplification. This approach allows a device to create a strong device-unique secret key from the SRAM PUF and power down with no secret key present. By using helper data, the exact same key can be regenerated from the SRAM PUF when needed.
An operational IC slowly but gradually changes over time, i.e. it ages. The dominant aging effect in modern ICs that at the same time has a large impact on the noisy behavior of the SRAM PUF is NBTI. Since the NBTI is well understood, there are several ways to counteract the aging tendency. Anti-aging strategies have been developed that cause SRAM PUF to become more reliable over time, without degrading the other PUF quality measures such as security and efficiency.[33]
SRAM PUFs were initially used in applications with high security requirements, such as in defense, to protect sensitive government and military systems, and in the banking industry, to secure payment systems and financial transactions. In 2010, NXP started using SRAM PUF technology to secure SmartMX-powered assets against cloning, tampering, theft-of-service and reverse engineering.[34] Since 2011, Microsemi is offering SRAM PUF implementations to add security to secure government and sensitive commercial applications on the company's flash-based devices and development boards.[35] More recent applications include: a secure sensor-based authentication system for the IoT,[36] incorporation in RISC-V-based IoT application processors to secure intelligent, battery-operated sensing devices at the edge,[37] and the replacement of traditional OTP-plus-key-injection approaches to IoT security in high-volume, low-power microcontrollers and crossover processors.[38]
Some SRAM-based security systems in the 2000s refer to "chip identification" rather than the more standard term of "PUF." The research community and industry have now largely embraced the term PUF to describe this space of technology.
The Butterfly PUF is based on cross-coupling of two latches or flip-flops.[39] The mechanism being used in this PUF is similar to the one behind the SRAM PUF but has the advantage that it can be implemented on any SRAM FPGA.
The metal resistance-based PUF derives its entropy from random physical variations in the metal contacts, vias and wires that define the power grid and interconnect of an IC.[40] [41] [42] There are several important advantages to leveraging random resistance variations in the metal resources of an IC including:
The Bistable Ring PUF or BR-PUF was introduced by Q. Chen et al. in.[43] The BR-PUF is based on the idea that a ring of even number of inverters has two possible stable states. By duplicating the inverters and adding multiplexers between stages, it is possible to generate exponentially large number of challenge-response pairs from the BR-PUF.
Since many computer systems have some form of DRAM on board, DRAMs can be used as an effective system-level PUF. DRAM is also much cheaper than static RAM (SRAM). Thus, DRAM PUFs could be a source of random but reliable data for generating board identifications (chip ID). The advantage of the DRAM PUF is based on the fact that the stand-alone DRAM already present in a system on a chip can be used for generating device-specific signatures without requiring any additional circuitry or hardware. Tehranipoor et al. presented the first DRAM PUF that uses the randomness in the power-up behavior of DRAM cells. Other types of DRAM PUFs include ones based on the data retention of DRAM cells,[44] and on the effects of changing the write and read latency times used in DRAMs.[45] [46]
Digital PUF overcomes the vulnerability issues in conventional analog silicon PUFs. Unlike the analog PUFs where the fingerprints come from transistors' intrinsic process variation natures, the fingerprints of digital circuit PUFs are extracted from the VLSI interconnect geometrical randomness induced by lithography variations. Such interconnection uncertainty however is incompatible to CMOS VLSI circuits due to issues like short circuit, floating gate voltages etc. for transistors. One solution is to use strongly skewed latches to ensure the stable operating state of each CMOS transistor hence ensuring the circuit itself is immune against environmental and operational variations.
Oxide rupture PUF is a type of PUF benefiting from randomness obtained from inhomogeneous natural gate oxide properties occurring in IC manufacturing process. Along with the truly random, un-predictable and highly stable properties, which is the most ideal source for physical unclonable function. IC design houses can strongly enhance security level by implementing oxide rupture PUF in its IC design, without concerns about the reliability and life time issue and can get rid of the additional costs from complicated ECC (Error Correction Code) circuits. Oxide rupture PUF can extract uniformly-distributed binary bits through amplification and self-feedback mechanism, the random bits are activated upon enrollment, and due to a large entropy bit pool, users are provided the desired flexibility to choose their own key-generation and management approaches. Security level can be upgraded by oxide rupture PUF's intrinsic truly randomness and invisible features.
A coating PUF[47] [48] can be built in the top layer of an integrated circuit (IC). Above a normal IC, a network of metal wires is laid out in a comb shape. The space between and above the comb structure is filled with an opaque material and randomly doped with dielectric particles. Because of the random placement, size and dielectric strength of the particles, the capacitance between each couple of metal wires will be random up to a certain extent. This unique randomness can be used to obtain a unique identifier for the device carrying the Coating PUF. Moreover, the placement of this opaque PUF in the top layer of an IC protects the underlying circuits from being inspected by an attacker, e.g. for reverse-engineering. When an attacker tries to remove (a part of) the coating, the capacitance between the wires is bound to change and the original unique identifier will be destroyed. It was shown how an unclonable RFID tag is built with coating PUFs.[49]
As the size of a system is reduced below the de Broglie wavelength, the effects of quantum confinement become extremely important. The intrinsic randomness within a quantum confinement PUF originates from the compositional and structural non-uniformities on the atomic level. The physical characteristics are dependent on the effects of quantum mechanics at this scale, whilst the quantum mechanics are dictated by the random atomic structure. Cloning this type of structure is practically impossible due to the large number of atoms involved, the uncontrollable nature of processes on the atomic level and the inability to manipulate atoms reliably.
It has been shown that quantum confinement effects can be used to construct a PUF, in devices known as resonant-tunneling diodes. These devices can be produced in standard semiconductor fabrication processes, facilitating mass-production of many devices in parallel. This type of PUF requires atom-level engineering to clone and is the smallest, highest bit density PUF known to date. Furthermore, this type of PUF could be effectively reset by purposely overbiasing the device to cause a local rearrangement of atoms.
A magnetic PUF exists on a magnetic stripe card. The physical structure of the magnetic media applied to a card is fabricated by blending billions of particles of barium ferrite together in a slurry during the manufacturing process. The particles have many different shapes and sizes. The slurry is applied to a receptor layer. The particles land in a random fashion, much like pouring a handful of wet magnetic sand onto a carrier. To pour the sand to land in exactly the same pattern a second time is physically impossible due to the inexactness of the process, the sheer number of particles, and the random geometry of their shape and size. The randomness introduced during the manufacturing process cannot be controlled. This is a classic example of a PUF using intrinsic randomness.
When the slurry dries, the receptor layer is sliced into strips and applied to plastic cards, but the random pattern on the magnetic stripe remains and cannot be changed. Because of their physically unclonable functions, it is highly improbable that two magnetic stripe cards will ever be identical. Using a standard-sized card, the odds of any two cards having an exact matching magnetic PUF are calculated to be 1 in 900 million. Further, because the PUF is magnetic, each card will carry a distinctive, repeatable and readable magnetic signal.
An optical PUF which was termed POWF (physical one-way function)[53] [16] consists of a transparent material that is doped with light scattering particles. When a laser beam shines on the material, a random and unique speckle pattern will arise. The placement of the light scattering particles is an uncontrolled process and the interaction between the laser and the particles is very complex. Therefore, it is very hard to duplicate the optical PUF such that the same speckle pattern will arise, hence the postulation that it is "unclonable".
Leveraging the same quantum derived difficulty to clone as the Quantum Electronic PUF, a Quantum PUF operating in the optical regime can be devised. Imperfections created during crystal growth or fabrication lead to spatial variations in the bandgap of 2D materials that can be characterized through photoluminescence measurements. It has been shown that an angle-adjustable transmission filter, simple optics and a CCD camera can capture spatially-dependent photoluminescence to produce complex maps of unique information from 2D monolayers.
The digitally modulated data in modern communication circuits are subjected to device-specific unique analog/RF impairments such as frequency error/offset and I-Q imbalance (in the transmitter), and are typically compensatedfor at the receiver which rejects these non-idealities. RF-PUF,[54] [55] and RF-DNA[56] [57] [58] utilize those existing non-idealities to distinguish among transmitter instances. RF-PUF does not use any additional hardware at the transmitter and can be used as a stand-alone physical-layer security feature, or for multi-factor authentication, in conjunction with network-layer, transport-layer and application-layer security features.