Erik van der Sluis

Buskeeper PUFs, a promising alternative to D Flip-Flop PUFs

Cloning, theft of service and tampering have become serious threats on the revenue and reputation of hardware vendors. To protect their products against these attacks hardware security, based on cryptographic primitives using keys, can be used. These keys are usually stored somewhere in the hardware, so the strength of the security depends on the effort required from attackers to compromise them. Tools for attacking hardware have become very advanced, which has decreased the protection provided by storing a key in memory to a minimum. To protect devices against attacks on their keys, Physically Unclonable Functions (PUFs) can be used. PUFs are primitives that extract secrets from physical characteristics of integrated circuits (ICs) and can be used, amongst others, for secure key storage. This paper introduces a new type of PUF, the Buskeeper. In our study this new type of PUF is evaluated on the properties of reliability and uniqueness. For this purpose several tests have been performed in order to compare the results of Buskeeper PUFs to those of D Flip-Flop (DFF) PUFs from [4] and [14]. This comparison shows that the Buskeeper PUF performs as well as, if not better than, this (already known and generally accepted) PUF type. Since Buskeepers are much more efficient than DFFs in regard to the amount of hardware resources required, we conclude that the Buskeeper PUF is a viable (and probably preferable) alternative to DFF PUFs.

Experimental evaluation of Physically Unclonable Functions in 65 nm CMOS

We present a silicon characterization vehicle implementing six different constructions of intrinsic Physically Unclonable Functions (PUFs). The design contains four different memory-based PUFs, one of which is a novel buskeeper PUF, and two different delay-based PUFs. Test chips are fabricated in 65 nm Low Power (LP) technology, using a standard cell ASIC design flow for the memory-based PUFs and a full custom flow for the delay-based ones. This test vehicle enables a comprehensive experimental evaluation of individual PUF implementations as well as a comparative analysis across different PUF types for the same silicon technology. PUF responses are obtained from 192 device samples and the uniqueness and reliability of the implemented PUFs are evaluated. In addition, the effects of varying temperature and silicon device ageing on the PUF characteristics are extensively studied.

Soft decision error correction for compact memory-based PUFs using a single enrollment

Secure storage of cryptographic keys in hardware is an essential building block for high security applications. It has been demonstrated that Physically Unclonable Functions (PUFs) based on uninitialized SRAM are an effective way to securely store a key based on the unique physical characteristics of an Integrated Circuit (IC). The start-up state of an SRAM memory is unpredictable but not truly random as well as noisy, hence privacy amplification techniques and a Helper Data Algorithm (HDA) are required in order to recover the correct value of a full entropy secret key. At the core of an HDA are error correcting techniques. The best known method to recover a full entropy 128-bit key requires 4700 SRAM cells. Earlier work by Maes et al. has reduced the number of SRAM cells to 1536 by using soft decision decoding; however, this method requires multiple measurements (and thus also power resets) during the storage of a key, which will be shown to be an unacceptable overhead for many applications. This article demonstrates how soft decision decoding with only a single measurement during storage can reduce the required number of SRAM cells to 3900 (a 17% reduction) without increasing the size of en-/decoder. The number of SRAM cells can even be reduced to 2900 (a 38% reduction). This does increase cost of the decoder, but depending on design requirements it can be shown to be worthwhile. Therefore, it is possible to securely store a 128-bit key at a very low overhead in an IC or FPGA.

Efficient implementation of true random number generator based on SRAM PUFs

An important building block for many cryptographic systems is a random number generator. Random numbers are required in these systems, because they are unpredictable for potential attackers. These random numbers can either be generated by a truly random physical source (that is non-deterministic) or using a deterministic algorithm. In practical applications where relatively large amounts of random bits are needed, it is also possible to combine both of these generator types. A non-deterministic random number generator is used to provide a truly random seed, which is used as input for a deterministic algorithm that generates a larger amount of (pseudo-)random bits. In cryptographic systems where Physical Unclonable Functions (PUFs) are used for authentication or secure key storage, an interesting source of randomness is readily available. Therefore, we propose the construction of a FIPS 140-3 compliant random bit generator based on an SRAM PUF in this paper. These PUFs are a source of instant randomness, which is available when powering an IC. Based on large sets of measurements, we derive the min-entropy of noise on the start-up patterns of SRAM memories. The min-entropy determines the compression factor of a conditioning algorithm, which is used to extract a truly random (256 bits) seed from the memory. Using several randomness tests we prove that the conditioned seed has all the properties of a truly random string with full entropy. This truly random seed can be derived in a low cost and area efficient manner from the standard IC component SRAM. Furthermore, an efficient implementation of a deterministic algorithm for generating (pseudo-)random output bits will be proposed. Combining these two functions leads to an ideal way to generate large amounts of random data based on non-deterministic randomness.

Secure key generation from biased PUFs

PUF-based key generators have been widely considered as a root-of-trust in digital systems. They typically require an error-correcting mechanism (e.g. based on the code-offset method) for dealing with bit errors between the enrollment and reconstruction of keys. When the used PUF does not have full entropy, entropy leakage between the helper data and the device-unique key material can occur. If the entropy level of the PUF becomes too low, the PUF-derived key can be attacked through the publicly available helper data. In this work we provide several solutions for preventing this entropy leakage for PUFs suffering from i.i.d. biased bits. The methods proposed in this work pose no limit on the amount of bias that can be tolerated, which solves an important open problem for PUF-based key generation. Additionally, the solutions are all evaluated based on reliability, efficiency, leakage and reusability showing that depending on requirements for the key generator different solutions are preferable.

Security of helper data schemes for SRAM-PUF in multiple enrollment scenarios

Fuzzy commitment and syndrome-based schemes are two well-known helper data schemes used to bind and generate, respectively, a secret key to/from SRAM-PUF observations. To allow the decoder to reconstruct this secret key from a new (verification) observation of an SRAM-PUF, an encoder has to generate so-called helper data. This helper data is a function of an SRAM-PUF enrollment observation and, in case of fuzzy commitment, the secret key. The helper data is assumed to be public and thus must leak no information about the secret key. It is known that both schemes can achieve secrecy capacity equal to the mutual information between enrollment and verification SRAM-PUF observations at zero secrecy leakage, when the observations are unbiased and a single enrollment is performed. We study here the situation when multiple SRAM-PUF observations are used to create multiple secret keys. First, we introduce a symmetry property for multiple SRAM-PUF observations. For such symmetric SRAM-PUFs, we show that, in both helper data schemes, the helper data corresponding to multiple SRAM-PUF observations provide no information about any of the secret keys.