I. INTRODUCTION
An on-chip Physical Unclonable Function (PUF) is a chip-unique, hardware challenge/response function. Its challenge-response relationship is determined by deep submicrometer-level variations in a chip. This variation, known as manufacturing process variation, is caused by uncontrollable deviations in the chip manufacturing process. The imprint of this
variation remains permanent¹ in the postfabrication phase of a
chip, and is unique from one chip to another manufactured from
the same mask. The complex and random nature of this variation
makes a PUF practically very hard to clone. In addition, the
sensitivity of the variation imprint to physical probing renders a
PUF tamper-resistant against invasive attacks. These qual

Manuscript received October 21, 2010; revised June 03, 2011; accepted August 01, 2011. Date of publication August 22, 2011; date of current version
January 13, 2012. This work was supported by the National Science Foundation under Grant 0964680 and Grant 0855095. The associate editor coordinating the review of this manuscript and approving it for publication was
Dr. Ramesh Karri.
The authors are with the Department of Electrical and Computer Engineering,
Virginia Tech, Blacksburg, VA 24061 USA (e-mail: abhranil@vt.edu).
Color versions of one or more of the figures in this paper are available online
at http://ieeexplore.ieee.org.
Digital Object Identifier 10.1109/TIFS.2011.2165540
¹In
IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 7, NO. 1, FEBRUARY 2012
Based on the frequencies, it is clear that the two chips are distinct. However, the traditional rank-based method cannot treat
them as different chips. The frequency ranks of both the chips
are given as follows (with the lowest frequency having the first
rank and the highest one having the last rank):
II. BACKGROUND
In this section, we will explain the advantages of an identity-mapping function for a real-valued PUF such as the RO-PUF.
We also discuss related work.
Using these metrics, subsets of frequencies can generate a distribution defined as -value
A. Motivation
In an RO-PUF with ring oscillators, the CRPs are based on
a set of RO frequencies,
. The frequency
of an individual RO is a function of the total delay around the
oscillator loop which varies randomly from one RO to the other
due to process variation. Hence, the pattern of frequencies is
unique for each chip. According to the traditional RO-PUF, the
CRPs are determined by the ranking of individual RO frequencies [22]. However, this has a limitation that we demonstrate
using a simple example. Suppose two chips with four ROs have
the following set of frequencies (we use hypothetical values as
an example):
CRPs proposed by the traditional PUF are also not information-theoretically independent.
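The two limitations of rank-based CRPs described in this subsection can be checked directly. The following is an added example, not code from the paper: the frequencies, the 2x2 placement and all function names are constructed for illustration, and the distance-weighted difference leaves out the nonlinear step of (2) because its exact form is not reproduced here.

```python
import math
from itertools import combinations, permutations

def rank_responses(freqs):
    """Traditional RO-PUF: one bit per RO pair (i, j), set to 1 when f_i > f_j."""
    pairs = combinations(range(len(freqs)), 2)
    return [int(freqs[i] > freqs[j]) for i, j in pairs]

def reachable_vectors(n):
    """Every response vector the pairwise comparison can ever emit for n ROs.

    Only the ordering of the frequencies matters, so it is enough to
    enumerate the n! possible orderings.
    """
    return {tuple(rank_responses(order)) for order in permutations(range(n))}

def weighted_differences(freqs, coords):
    """Euclidean distance between two ROs times their absolute frequency gap.

    Assumption: the nonlinear transformation applied in (2) is omitted.
    """
    pairs = combinations(range(len(freqs)), 2)
    return [math.dist(coords[i], coords[j]) * abs(freqs[i] - freqs[j])
            for i, j in pairs]

# Constructed sample data (MHz): two chips with different frequencies
# but the same frequency ranking.
CHIP_A = [105.0, 100.0, 120.0, 110.0]
CHIP_B = [101.0, 98.0, 116.0, 115.0]
# Constructed 2x2 placement, with (0, 0) at the bottom-left RO.
COORDS = [(0, 0), (1, 0), (0, 1), (1, 1)]

def summary():
    n = len(CHIP_A)
    n_pairs = n * (n - 1) // 2
    reachable = len(reachable_vectors(n))
    return {
        "same_rank_bits": rank_responses(CHIP_A) == rank_responses(CHIP_B),
        "response_bits": n_pairs,
        "reachable_vectors": reachable,
        "entropy_bits": math.log2(reachable),
        "same_weighted_values": (weighted_differences(CHIP_A, COORDS)
                                 == weighted_differences(CHIP_B, COORDS)),
    }

if __name__ == "__main__":
    for key, value in summary().items():
        print(f"{key}: {value}")
```

With four ROs the six comparison bits can take only 24 of the 64 possible patterns, so they carry log2(24) bits rather than six, and the two chips are indistinguishable by ranking even though their real-valued differences are not the same.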
tains exponentially many CRPs. It is also very difficult to predict an unknown response bit from a strong PUF by analyzing
some already-known CRPs. Moreover, a complete determination of all CRPs in a strong PUF must be impossible within
several days or weeks due to an exponential number of CRPs
and a finite read-out time of a response [18]. The number of
CRPs produced by the proposed PUF can grow exponentially
with area. Though our proposed PUF has a finite read-out time
for a response (of the order of a millisecond), the complete CRP
set with a small number of ROs can still be read within a reasonable period of time. However, since the number of CRPs will
grow exponentially with the number of ROs, the time required
to evaluate the complete set of CRPs of a larger PUF will also
increase. Therefore, the proposed PUF stands more likely as a
candidate for strong PUF.
A strong PUF is ideal for device authentication application
as it possesses a large number of CRPs. A server-based authentication mechanism with remotely deployed devices seems one
of the suitable applications of this PUF. The scenario has been
depicted in Fig. 2. The proposed PUF is enrolled in a trusted environment, and its CRPs (
) along with the necessary helper
data ( ) are measured and stored in a server. After the PUF is
deployed in field where the operating environment is not trustworthy, the server sends a challenge ( ) along with its helper
data ( ) to the deployed PUF, and the PUF replies with a response . If the response matches with that stored in the server,
the PUF is successfully authenticated.
III. PUF SYSTEM MODEL
In a real-valued PUF, like the RO-PUF, generation of the
process variation information in terms of a physical quantity
(such as RO frequency), and subsequent quantization are two
separate but related components. This gives the designer the
flexibility to tune each component separately to optimize the
overall PUF design. However, it requires an approach with a
well-defined partitioning of the design that helps in improving
the quality of a PUF. Fig. 3(a) shows the PUF system model
used in this paper. We distinguish three components: sample
measurement, identity mapping, and quantization. We discuss
each of them in this section. While quantization or digitization of process variation information has been proposed earlier,
e.g., in RO-PUF [22], Arbiter PUF [7], [6], and FPGA-based reconfigurable PUF [16], the introduction of the identity-mapping
function is the contribution of this work.
A. Sample Measurement
The main functionality of the sample measurement is to characterize the effect of random process variation that remains permanent in the postfabrication phase of a chip. In a sample measurement, a digital challenge ( ) is applied to the PUF to produce a vector of physical measurements representing the identity of a device. In the example of the RO-PUF in Fig. 3(b), the
challenge selects 2 out of 4 oscillators. The frequencies of the
RO pair are measured.
However, environmental noise such as ambient temperature
variation, supply voltage fluctuation, and thermal noise negatively affect the sample measurement resulting in noisy PUF
outputs. Additionally, factors like metastability, and systematic
process variation can also degrade the PUF output. For example,
the Arbiter PUF, which exploits the delay variation between a
pair of configurable delay paths, has an error in its output due to
the metastability in the arbiter flip-flop when the setup-hold time
is violated [17]. Moreover, bit-aliasing⁴ in PUF output can occur
due to systematic variation. Though these issues can be mitigated
by error-correction methods, addressing them at the sample
measurement level can also improve the PUF reliability and the
entropy extraction significantly. This eventually simplifies the
subsequent error-correction process resulting in reduced cost.
B. Identity Mapping
In this section, we describe an approach to identity mapping,
based on a Test Statistic (TS). We will demonstrate that this TS
improves over known schemes in terms of generating CRPs. We
first introduce the concept of TS. A TS is an expression that
transforms a set of measurement data into a set of numbers that
can be used to test a hypothesis. In the example of the traditional
RO-PUF [Fig. 3(b)], the TS is the frequency difference of the selected RO pair. This difference which varies from device to device is used to map the identity of a device to a binary signature.
Complementary to the TS, we propose a nonparametric testing
approach to evaluate whether our TS is able to distinguish several chips well. We present analysis results using on-chip data.
1) Hypothesis Testing: One set of hypotheses of interest in
comparison of all chips is
⁴In bit-aliasing, different chips produce nearly identical PUF signatures that
may result in false positives in chip authentication.
Therefore,
. Similarly,
contains all possible
triplets of RO frequencies
. Likewise,
.
We now define the random variable
that assigns a real
number to each outcome of
(2)
The weight factor
can include additional information
about the design. In our case, we assign it the Euclidean distance
between the ROs,
and
on the chip. In the implementation
section, we will describe how the ROs are assigned spatial coordinates.
is the absolute difference between the pair of RO
frequencies
and
. To make the function a nonlinear
5By
C. Quantization
In the quantization phase of PUF design, binary response bits
are generated from a set of real-valued PUF measurements. For
example, in the traditional RO-PUF, a pair of RO frequencies
are converted to binary bits by a simple comparison method
[22]. Unlike the RO-PUF, the SRAM PUF [1], the Arbiter PUF
[7], [6], and the Butterfly PUF [4] perform a direct time-to-digital conversion, and they do not require a separate quantization step. In our case, quantization needs to be applied on
the -values generated by the identity-mapping function. Apart
from the simple comparison method, there are other methods of
quantization that can convert a set of real-valued quantities into
a set of binary numbers. These methods are widely discussed in
the area of biometrics where similar conversion is used to generate key/signature from biometric data of an individual. For
the quantization of the values, we evaluated several standard
quantization methods that are used in the biometric applications
including the Shielding function [8] and the reliable bit extraction
method [23]. Based on the comparison results, we selected the
Shielding function. It takes its name from its property of shielding any knowledge
about the real-valued quantities that it quantizes from being revealed through the quantized binary output.
We briefly introduce the Shielding function method.
In the operation of a PUF, there are two phases: a) In the enrollment phase of the PUF, a reference response bit is generated at normal operating condition by applying a challenge ,
and is stored in a secure database for subsequent operation of
the PUF. b) In the evaluation phase, the PUF is supplied with
the challenge to generate a noisy version of called . In the
Shielding function, the range of a value is divided in several
equal intervals with a width during the enrollment phase. The
intervals are alternately assigned 0 and 1. Any
of a
where
such that
.
is the average of
.
is the binary digit assigned to the interval in which
resides.
During the response evaluation, a binary output
is derived as
follows:
(4)
where
is a noisy version of
TABLE II
DETAIL OF THE IMPLEMENTED DESIGN
A. Sample Measurement
The part of the circuit shown in the gray box measures the
RO frequencies from an array of ROs. The ROs are placed in
a 2-D array. The (
) position of an RO in the array is used to
calculate the Euclidean distance between an RO pair. The RO at
the left-most location of the bottom row of the array is assigned
the coordinate (0,0), and the rest are assigned coordinates with
respect to it. An -bit challenge input enables one of the
ring oscillators at a time (usually,
), and the frequency
of the enabled RO is measured with a 24-bit counter. The individual RO frequencies are stored in the memory MEM1. This is
a one-time operation.
B. Identity Mapping
We used
and the
as the Euclidean distance
in (2) defined in Section III-B2. It requires an integer square-root and a multiplication operation. The square-root module is
implemented using a nonrestoring algorithm with the iterative
method [5]. This implementation results in lower throughput
but smaller area. A 4 × 8 bit pipelined multiplier is used for
the multiplication operation. The compare-subtract module is
used to compute the absolute difference of two RO frequencies.
One of the operands for the compare-subtract module comes
directly from the memory MEM1 and the other operand is provided through the memory element REG. The values are generated using three steps.
Step 1: Since the factor
is constant, the memory
MEM2 is initialized with all possible pairwise distances using
the input from the micro-controller. It is subsequently overwritten by the corresponding
values in Step 2.
Step 2: According to the definition of , all the values are
the combination of the
values [refer to (2)]. To minimize the
number of multiplication and square-root operations, all the required
values are calculated at a time, and stored in memory
MEM2. This is a one-time operation during the PUF operation.
All the responses can be generated by reusing these values as
explained in Step 3.
Step 3: During the generation of a PUF response, the required
value is generated by summing the appropriate
values (2) stored in MEM2. This summation operation takes
place in the accumulator.
C. Quantization
The micro-controller calculates the sum
(4), and compares it with the appropriate interval of the Shielding function
to generate the binary response that is sent to the PC.
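The enrollment and evaluation phases of the Shielding function (Section III-C) and the server-based authentication flow of Section II can be exercised together in a short simulation. This is an added example, not the authors' implementation: `SimulatedPUF`, `WIDTH`, `NOISE` and the per-challenge values are constructed, and the helper data is assumed to be the offset that moves the averaged enrollment value to the center of its interval.

```python
import math
import random

WIDTH = 4.0   # quantization interval width (constructed value)
NOISE = 0.5   # peak measurement noise on one value (constructed value)

def enroll(samples, width=WIDTH):
    """Enrollment: average the samples, return (reference bit, helper data).

    Intervals of equal width are labelled 0, 1, 0, 1, ... The helper is the
    offset that moves the average to the center of its own interval
    (assumed form of the enrollment step).
    """
    mean = sum(samples) / len(samples)
    index = math.floor(mean / width)
    helper = (index + 0.5) * width - mean
    return index % 2, helper

def evaluate(noisy_value, helper, width=WIDTH):
    """Evaluation: add the helper and read the label of the interval hit."""
    return math.floor((noisy_value + helper) / width) % 2

class SimulatedPUF:
    """Stand-in for a chip: one hidden value per challenge plus bounded noise."""

    def __init__(self, chip_id, noise=NOISE):
        self.chip_id = chip_id
        self.noise = noise
        self.rng = random.Random(chip_id)

    def measure(self, challenge):
        hidden = random.Random(f"{self.chip_id}:{challenge}").uniform(0.0, 100.0)
        return hidden + self.rng.uniform(-self.noise, self.noise)

    def respond(self, challenge, helper):
        return evaluate(self.measure(challenge), helper)

def enroll_device(puf, challenges, samples=100):
    """Trusted environment: the server stores (helper, bit) per challenge."""
    database = {}
    for challenge in challenges:
        bit, helper = enroll([puf.measure(challenge) for _ in range(samples)])
        database[challenge] = (helper, bit)
    return database

def bit_errors(database, puf):
    """Field: send each challenge with its helper, count mismatching bits."""
    return sum(puf.respond(challenge, helper) != bit
               for challenge, (helper, bit) in database.items())

def authenticate(database, puf):
    """Accept only if every response bit matches the stored reference."""
    return bit_errors(database, puf) == 0

if __name__ == "__main__":
    genuine = SimulatedPUF(1)
    db = enroll_device(genuine, range(64))
    print("genuine chip accepted:", authenticate(db, genuine))
    print("other chip accepted:", authenticate(db, SimulatedPUF(2)))
    print("bit errors at 6x noise:", bit_errors(db, SimulatedPUF(1, noise=3.0)))
```

A response bit is reproduced as long as the evaluated value stays within half an interval width of the enrolled average, so the width sets the trade-off between noise tolerance and the number of intervals a value range can hold.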
V. RESULTS
A prototype circuit with 16 ROs has been built on a Xilinx
Spartan 3E S500 FPGA. An RO with five inverters is created
as a hard macro, and instantiated to create a 2 × 8 array. A
Picoblaze micro-controller core is used with a UART interface to communicate with the PC. The total FPGA resource
used after place and route is 456 slices along with 2 Block
RAMs. A Spartan 3E S500 FPGA has 4656 slices in total.
Hence, less than 10% [
%
%] of
the available resource is used by the implementation making
enough resources available to implement other circuits on
TABLE IV
PUF UNIQUENESS WITHOUT IDENTITY MAPPING
where
is the th sample of .
is the intrachip Hamming Distance of the chip . It indicates the number
of unreliable bits in PUF responses. Hence a lower value of it
results in more PUF reliability.
The reliability of the PUF responses is measured over varying
environmental conditions. We tested the PUF responses for nine
different ambient temperatures from 0 °C to 70 °C using a convection heat chamber to cover the allowed operating range of
the used FPGA. We also tested them for 20% of the supply
voltage of the FPGA core using a dc regulated power supply.
All the measurements are taken with 100 samples for a single
FPGA chip. Figs. 10 and 11 show a comparison of the reliability for the PUF with the identity-mapping function and the
one without the identity-mapping function. The trend shows
that the PUF with the identity-mapping function is more reliable than the PUF without the identity mapping for both varying
voltage and temperature. Though the exact reason for this observation cannot be confirmed without a detailed analysis, one
of the possible reasons might be as follows. Since a value is
a summation of several frequency differences, the variations in
the individual frequency differences are averaged out. We plan
to investigate the reliability factor in more detail as part of our
future work. Fig. 12 shows the error rate of the proposed PUF as
a percentage of the number of unreliable bits at different temperatures and supply voltages. For this experiment, only one level
Fig. 12. Error rate of the PUF with the identity mapping using single quantization level.
values.
have the same range. Additionally, even if there exist overlaps among different values, response bits from the overlapped values do not have correlation as each of the
values have their own quantization width based on their
individual variances. This is supported by the experimental
results. Table III shows that the response bits are fairly
equally distributed between 0 and 1.
4) Differential attack: In this scenario, we observe
and then replace
with
and
observe
. The objective is to predict
from these two observed responses. For
each
, there are
possible
pairs
.
We now calculate
for each 105 pairs. The possible values of the HW are 0,
1, 2. We divide 105 responses in three groups:
,
, and
. We then count how many 1
bits have been produced by
in total by
each of those three groups. For example, if the group with
has response bits out of 105
bits, and bits out of are 1, then
% should
be around 50% for an unbiased PUF. Figs. 18, 19, and 20
show the scenarios for
,
, and
,
respectively. Each of the scenarios includes data for all individual 16 ROs ( -axis) for all 125 chips tested ( -axis).
The results show that none of the scenarios suggest any
bias that can lead to a successful differential attack.
5) Model building through machine learning: Rührmair et
al. proposed model building attacks on several PUF architectures using machine learning techniques [18], [20]. The
technique that has been used to attack the RO-PUF is a
quick sorting method to determine the relative ranking of
the RO frequencies. This technique is particularly suitable
for attacking the traditional RO-PUF as its responses can
be constructed purely based on frequency ranking without
the need of knowing the absolute frequency values. However, in the proposed PUF, the final response is derived
after the transformation of RO frequencies to values and
then a random assignment of binary values by the quantization method. Therefore, the sorting technique will not
work against the proposed PUF as it does not depend on
REFERENCES
[1] J. Guajardo, S. S. Kumar, G.-J. Schrijen, and P. Tuyls, "FPGA intrinsic PUFs and their use for IP protection," in Proc. 9th Int. Workshop on Cryptographic Hardware and Embedded Systems (CHES'07), 2007, pp. 63-80.
[2] R. Helinski, D. Acharyya, and J. Plusquellic, "A physical unclonable function defined using power distribution system equivalent resistance variations," in Proc. 46th Ann. Design Automation Conf. (DAC), New York, 2009, pp. 676-681, ACM.
[3] I. Kim, A. Maiti, L. Nazhandali, P. Schaumont, V. Vivekraja, and H. Zhang, "From statistics to circuits: Foundations for future physical unclonable functions," in Towards Hardware-Intrinsic Security. New York: Springer, 2010.
[4] S. Kumar, J. Guajardo, R. Maes, G.-J. Schrijen, and P. Tuyls, "Extended abstract: The butterfly PUF protecting IP on every FPGA," in Proc. IEEE Int. Workshop on Hardware-Oriented Security and Trust, 2008 (HOST 2008), 2008, pp. 67-70.
[5] Y. Li and W. Chu, "Implementation of single precision floating point square root on FPGAs," in Proc. 5th Ann. IEEE Symp. FPGAs for Custom Computing Machines, Apr. 1997, pp. 226-232.
[6] D. Lim, "Extracting Secret Keys From Integrated Circuits," M.Sc. Thesis, MIT, Cambridge, MA, 2004.
[7] D. Lim, J. Lee, B. Gassend, G. Suh, M. van Dijk, and S. Devadas, "Extracting secret keys from integrated circuits," IEEE Trans. Very Large Scale Integr. (VLSI) Syst., vol. 13, no. 10, pp. 1200-1205, Oct. 2005.
[8] J.-P. Linnartz and P. Tuyls, "New shielding functions to enhance privacy and prevent misuse of biometric templates," in Proc. 4th Int. Conf. Audio- and Video-Based Biometric Person Authentication (AVBPA'03), 2003, pp. 393-402.
[9] R. Lopes, I. Reid, and P. Hobson, "The two-dimensional Kolmogorov-Smirnov test," in Proc. XI Int. Workshop on Advanced Computing and Analysis Techniques in Physics Research, Amsterdam, The Netherlands, 2007.
[10] R. Maes, P. Tuyls, and I. Verbauwhede, "Low-overhead implementation of a soft decision helper data algorithm for SRAM PUFs," in Proc. 11th Int. Workshop on Cryptographic Hardware and Embedded Systems (CHES'09), 2009, pp. 332-347.
[11] R. Maes and I. Verbauwhede, "Physically unclonable functions: A study on the state of the art and future research directions," in Towards Hardware-Intrinsic Security. New York: Springer, 2010.
[12] A. Maiti, J. Casarona, L. McHale, and P. Schaumont, "A large scale characterization of RO-PUF," in Proc. 2010 IEEE Int. Symp. Hardware-Oriented Security and Trust (HOST), 2010, pp. 94-99.
[13] A. Maiti and P. Schaumont, "Improved ring oscillator PUF: An FPGA-friendly secure primitive," J. Cryptology, pp. 1-23, 2010, DOI: 10.1007/s00145-010-9088-4.
[14] M. Majzoobi, A. Elnably, and F. Koushanfar, "FPGA time-bounded unclonable authentication," in Proc. 12th Int. Conf. Information Hiding (IH'10), 2010, pp. 1-16.
[15] M. Majzoobi, F. Koushanfar, and M. Potkonjak, "Testing techniques for hardware security," in Proc. IEEE Int. Test Conf., 2008 (ITC 2008), pp. 1-10.
[16] M. Majzoobi, F. Koushanfar, and M. Potkonjak, "Techniques for design and implementation of secure reconfigurable PUFs," ACM Trans. Reconfig. Technol. Syst., p. 2:5:1-5:33, Mar. 2009.
[17] D. Ranasinghe, D. Lim, S. Devadas, D. Abbott, and P. Cole, "Random numbers from metastability and thermal noise," Electron. Lett., vol. 41, no. 16, pp. 13-14, 2005.
[18] U. Rührmair, F. Sehnke, J. Sölter, G. Dror, S. Devadas, and J. U. Schmidhuber, "Modeling attacks on physical unclonable functions," in Proc. 17th ACM Conf. Computer and Communications Security (CCS'10), 2010, pp. 237-249.
[19] U. Rührmair, J. Sölter, and F. Sehnke, "On the Foundations of Physical Unclonable Functions," 2009 [Online]. Available: http://eprint.iacr.org/2009/277.pdf
Inyoung Kim received the Ph.D. degree from the Department of Statistics, Texas A&M University.
She has been an Assistant Professor at the Department of
Statistics since 2007. Before then, she was trained
as a postdoctoral research associate in the Division
of Biostatistics, the Department of Epidemiology
and Public Health, Yale University. Her research
interests focus on developing semi/nonparametric
statistical methods and theory using regression
splines to address issues in several areas (epidemiology, genomics, and information security). Both
Frequentist and Bayesian methods have been developed.