GSA Forum

Hardware Intrinsic Security: Better Security, Lower Cost and Faster Time-to-Market

Pim Tuyls, Chief Technology Officer and Founder, Intrinsic-ID

Valuable and sensitive information is stored on carriers such as discs, memory devices and embedded devices (e.g., bank cards, smart cards and radio frequency identification (RFID) tags), or is transported over a network to the end user. To protect this information, cryptographic techniques such as encryption and signing algorithms are used. The algorithms themselves are usually public; their security rests entirely on a secret key that must be stored securely in the system.

If the secret key leaks, the system can no longer guarantee protection. Today's state-of-the-art cryptographic algorithms are not the weak point. The secret keys, however, are stored in everyday objects such as smart cards, which an attacker can take to a lab and subject to physical attacks with a range of tools in order to read the key out. Although these tools (e.g., optical, atomic force, scanning electron, laser scanning and confocal microscopes, focused ion beams and laser cutters) are sophisticated, they have become more and more widespread and affordable.

The traditional methods of protecting secret keys are approaching their limits and increase both cost and time-to-market.

A low-cost but strong secret key storage technology is a critical link in an affordable but strong security system. It is a necessary requirement for ICs in smart cards, defense and governmental applications, e-health systems, passports, etc. that protect valuable and sensitive data and upon failure would cause not only huge financial losses, but also brand and reputation damage.

Limitations of Current Key Storage Mechanisms

Off-chip storage of a secret key is vulnerable to an attack that taps the bus between the external memory and the chip.1 Therefore, current key storage mechanisms store secret keys on the device that carries out security operations.

A number of approaches exist to permanently store keys in a device:

  • read-only memory (ROM) storage;
  • fuse-based storage (e.g., poly fuses, laser fuses, e-fuses and antifuses);
  • floating gate-based storage (e.g., Flash, electrically erasable programmable read-only memory (EEPROM) and erasable programmable read-only memory (EPROM) cells); and
  • battery-backed volatile memory (e.g., battery-backed random access memory (RAM)).

Each of these approaches has strengths and weaknesses in terms of security, cost, time-to-market, flexibility, reliability and trust throughout the supply chain.

Security

The fundamental security flaw of all the approaches previously mentioned is the permanent presence of a key in digital form within the device. Even when the device is powered down, a determined attacker has a range of physical tools available to gain access to the key.

Cost

Floating gate-based technologies require six to 10 additional mask steps, adding significant cost. These technologies, as well as antifuse-based techniques, require a charge pump, which adds further cost. Many non-volatile memory (NVM) technologies also carry a yield risk; for one-time programmable (OTP) memory, a defective cell may only become apparent late in the supply chain, because OTP cells cannot be exercised before the one-time programming step.

Time-to-Market

With the exception of battery-backed RAM and ROM, the memory technologies previously mentioned are non-standard components and are options only in later generations of a new process node. This can cause a substantial delay in time-to-market.

Flexibility

ROM and fuse-based memories are OTP and hence do not allow for updates in the field.

Reliability

Battery-backed RAM is limited by the battery; when the battery is no longer functional, the key is lost. Flash, on the other hand, has reliability problems at high temperatures due to charge leakage.

Supply Chain Trust

While all the existing key storage approaches seek to protect against one aspect of counterfeiting — making a copy or clone of a device — they do nothing to address the other aspect of counterfeiting: manufacturing overproduction.

A New Approach Needed: Hardware Intrinsic Security

There is clearly a gap in hardware security that is playing into the hands of determined attackers. To counter this increasing threat, a radical new approach to key storage is needed, in which:

  • The key is not stored in digital form on the device.
  • The key is extracted from the device only when required.
  • The key, once used, can be removed from all internal registers and memories.

A new approach that extracts the key from a device's intrinsic properties without being stored fulfills these criteria and overcomes many of the current approaches' limitations. The implementation of such an approach — called hardware intrinsic security (HIS) — eliminates the need for technology-dependent components or embedded NVM.

HIS has the following advantages in terms of security, cost, time-to-market, flexibility, reliability and trust throughout the supply chain:

Security

An approach centered on the device's intrinsic properties offers a much higher security level, since the key is not present in the device when it is switched off and, once used, can be cleared from all registers and memories. HIS provides key storage without storing the key.

Cost

HIS does not require additional mask steps or additional analog components, reducing cost.

Time-to-Market

HIS is ready to use with the newest process nodes and without extensive supply chain qualifications needed to implement options such as NVM. Some HIS implementations use standard components which do not require test silicon to qualify the solution on specific process nodes.

Flexibility

HIS keys are field-upgradeable: issuing a new activation code binds a new key to the same device, without any change to the silicon.

Reliability

The HIS approach offers reliability against a wide range of external influences such as temperature and voltage variations and humidity.

Supply Chain Trust

The device-unique nature of the HIS approach enables a chip activation step to make the chip functional in its system environment. Reporting capabilities can protect against overproduction and provide secure relationships throughout the supply chain.

The Key to HIS: Physical Unclonable Functions

A physical unclonable function (PUF) is a physical structure embedded in an IC that is very hard to clone due to its unique micro- or nano-scale properties that originate from inherent, deep-submicron manufacturing process variations. PUFs enable the new HIS approach, as PUFs are used as the hardware from which the key is extracted.

PUFs have been extensively investigated and recognized as a powerful, new security primitive. Originally, PUFs were added to a device to make it unclonable. The fact that the hardware's intrinsic properties can be used as a PUF is an important and powerful insight that makes secure and low-cost HIS implementations possible.

Hardware "Biometrics"

There is a striking similarity between intrinsic PUFs and biometrics. An intrinsic PUF can be seen as the electronic fingerprint of an IC. The ways of working with PUFs and biometrics are also very similar. Both require a registration phase, during which attributes are measured, processed and stored so that either the biometric or electronic fingerprint can then be used for authentication and/or key storage purposes.

Using PUFs in an HIS System

To use a PUF in an HIS system, three functional modules are needed: a PUF measurement circuit, an activation code constructor and a key extractor.

PUF Measurement Circuit

A PUF measurement circuit is able to read out the device-unique characteristics of the PUF. This measured value is also known as the PUF response.

To be used in an HIS system, a PUF measurement circuit must meet the following requirements:

Low Cost

The measurement circuit should be low cost and easy to implement (i.e., with standard components).

Resistant to Physical Attack

A physical attack that tries to read out the structure of the PUF should alter its functional behavior, so that the tampering is detectable and the attacker does not obtain the original response.

Not Based on a Secret

The PUF measurement circuit should not be based on a closely guarded secret. If there is no secret, even the manufacturer does not have an advantage in making a clone of the PUF.

Reliable

The PUF responses created by the measurement circuit should exhibit a low amount of noise in a wide range of temperature environments, in environments with electromagnetic radiation, or in environments that cause the device's operating voltage to change. The noise level must be sufficiently low even after years in service.

Example: SRAM PUF

The static random access memory (SRAM) PUF is the best-known PUF based on standard components.

When power is applied to an SRAM cell, it settles into a preferred logical state, 1 or 0, determined by the mismatch between its transistors that resulted from process variation during manufacturing. The string formed by the preferred start-up values of all cells in an SRAM array is a random identifier that uniquely identifies that SRAM. This identifier is the PUF response. A small fraction of cells have no strong preference and flip between reads; that is the noise the key extractor must remove.

In the case of an SRAM PUF, the PUF measurement circuit is simply a circuit that reads out the start-up values of a specific range of SRAM that is exclusively reserved for this purpose.

Activation Code Constructor

The activation code constructor module computes the activation code that is needed by the key extractor module. The activation code contains error correction data needed to remove the noise from the PUF data and information about the compression function needed to extract randomness. This module can be implemented on the same IC where the key extractor is located, or as part of an external device or service.

Key Extractor

The key extractor module converts noisy PUF responses into a robust secret key by implementing noise cancellation and randomness extraction algorithms using the error correction data provided by the activation code constructor module.

Noise Cancellation

Secret keys must always be the same. Physical measurements are typically noisy, which introduces variation that must be removed before the measurements can be used to create secret keys.

Randomness Extraction

A secret key offers security only if it is uniformly random. Physical measurements contain a great deal of randomness but are usually not uniformly distributed, and the public activation code reveals some information about them. The key extractor therefore passes the corrected data through a compression function that condenses the remaining randomness into a uniformly random key.

The key extractor module can be implemented on an IC, or as a software module that runs on an embedded processor.

HIS System Function

Together, these three modules, the PUF measurement circuit, the key extractor and the activation code constructor, comprise a powerful HIS system.

Typically, the activation code constructor is used only once, in the so-called enrollment phase. It takes as input the PUF data and, optionally, the key that needs to be reconstructed in the future; if no key is supplied, a random key is generated. The resulting activation code is stored in a memory that is accessible to the key extractor. This memory may be external to the device on which the key extractor is implemented and does not need to be kept secret, since the activation code alone does not reveal the key.

Each time the device needs to use the secret key, a new PUF measurement is done and the key extractor reconstructs the key from the measured PUF data and the stored activation code. This is called the reconstruction phase. The reconstruction phase is typically carried out each time the key is needed throughout the lifetime of the device. Both the enrollment and reconstruction phases are illustrated in Figure 1.

Figure 1. Schematic Overview of the Enrollment and Reconstruction Phases

During enrollment (top), the activation code constructor generates an activation code from the input PUF data and a (user) key. During the reconstruction phase (bottom), the key extractor reconstructs the same key from a fresh PUF measurement and the activation code.
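The two phases in Figure 1, together with the reliability and uniqueness requirements on the measurement circuit discussed above, as an added worked example that is not code from the article or from Intrinsic-ID. It simulates a reserved SRAM region as the PUF (the per-cell power-up preference and the 5% per-read flip rate are constructed values), measures intra- and inter-chip distance, and implements the activation code constructor and key extractor as a code-offset fuzzy extractor: the activation code is the PUF response XORed with a codeword that encodes the key, plus a public salt for the compression (hash) step. The repetition code and SHA-256 are my choices for readability; the article does not specify which error-correcting code or compression function its system uses.

```python
"""Added example (not from the article): a simulated SRAM PUF, the intra- and
inter-distance metrics used to judge it, and a code-offset fuzzy extractor
acting as activation code constructor (enrollment) and key extractor
(reconstruction)."""
import hashlib
import random

KEY_BITS = 128              # secret key bits bound to the device
REP = 15                    # repetition code: majority vote corrects up to 7 flips per block
PUF_BITS = KEY_BITS * REP   # SRAM cells reserved for the PUF, one REP-cell block per key bit


class SimulatedSramPuf:
    """Constructed stand-in for a reserved SRAM region. Each cell has a fixed
    power-up preference (drawn once per 'device' from device_seed); each read-out
    flips every cell independently with probability noise_rate. Assumption: a real
    array also contains a minority of permanently unstable cells, ignored here."""

    def __init__(self, device_seed: int, noise_rate: float = 0.05):
        rng = random.Random(device_seed)
        self._preference = [rng.getrandbits(1) for _ in range(PUF_BITS)]
        self._noise = random.Random(device_seed ^ 0xA5A5)
        self.noise_rate = noise_rate

    def power_up_read(self) -> list:
        """PUF measurement circuit: the start-up values of the reserved cells."""
        return [b ^ int(self._noise.random() < self.noise_rate) for b in self._preference]

    def read_with_flips(self, positions) -> list:
        """Read-out with an exact set of flipped cells (deterministic, to probe bounds)."""
        r = list(self._preference)
        for p in positions:
            r[p] ^= 1
        return r


def fractional_hamming(a, b) -> float:
    """Fraction of differing bits: near 0 for two reads of one chip (intra-distance,
    the noise to be cancelled), near 0.5 for two chips (inter-distance, uniqueness)."""
    return sum(x != y for x, y in zip(a, b)) / len(a)


def rep_encode(bits):
    return [b for b in bits for _ in range(REP)]


def rep_decode(code):
    """Majority vote per block; wrong only if more than REP // 2 cells of a block flipped."""
    return [int(sum(code[i:i + REP]) * 2 > REP) for i in range(0, len(code), REP)]


def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]


def extract(key_bits, salt: bytes) -> bytes:
    """Randomness extraction: compress the corrected (non-uniform) bits into a uniform
    256-bit key; the salt is public and travels inside the activation code."""
    packed = int("".join(map(str, key_bits)), 2).to_bytes(KEY_BITS // 8, "big")
    return hashlib.sha256(salt + packed).digest()


def enroll(response, key_bits=None, rng=None):
    """Activation code constructor, run once. Takes the enrollment response and an
    optional user key (a random key is drawn otherwise) and returns the activation
    code, which may live in ordinary unprotected memory, together with the key."""
    rng = rng or random.SystemRandom()
    if key_bits is None:
        key_bits = [rng.getrandbits(1) for _ in range(KEY_BITS)]
    salt = bytes(rng.getrandbits(8) for _ in range(16))
    helper = xor(response, rep_encode(key_bits))     # code offset: response XOR codeword
    return {"helper": helper, "salt": salt}, extract(key_bits, salt)


def reconstruct(response, activation_code) -> bytes:
    """Key extractor, run every time the key is needed."""
    noisy_codeword = xor(response, activation_code["helper"])  # codeword XOR read-out noise
    key_bits = rep_decode(noisy_codeword)                      # noise cancellation
    return extract(key_bits, activation_code["salt"])          # randomness extraction


if __name__ == "__main__":
    chip = SimulatedSramPuf(device_seed=2024)
    r0, r1 = chip.power_up_read(), chip.power_up_read()
    print("intra-distance (noise):      %.3f" % fractional_hamming(r0, r1))
    print("inter-distance (uniqueness): %.3f"
          % fractional_hamming(r0, SimulatedSramPuf(device_seed=99).power_up_read()))
    act_code, key = enroll(r0, rng=random.Random(1))                # enrollment phase
    cycles = [reconstruct(chip.power_up_read(), act_code) for _ in range(10)]
    print("same key on 10 power cycles:", all(k == key for k in cycles))
    clone = SimulatedSramPuf(device_seed=99)                        # another chip, same activation code
    print("other chip reproduces the key:", reconstruct(clone.power_up_read(), act_code) == key)
```

Two points the code makes concrete. First, the error-correcting capability has to be budgeted against the worst-case noise over the device's lifetime: with 15-fold repetition a block survives up to 7 flipped cells, and one more flip in a single block yields a completely different key, so a production design sizes the code from measured intra-distance at temperature and voltage corners rather than from room-temperature data. Second, the activation code need not be secret, but it is not harmless either: it leaks part of the response's entropy (which is why the compression step is needed and why key length must be budgeted below the raw response length), and a modified activation code silently reconstructs a wrong key, so its integrity should be checked before use.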

Chip Activation: Enhancing Trust in the Supply Chain

The per-device uniqueness inherent to PUFs enables an activation step that configures the IC to become functional in its system environment. During activation, a trusted party translates the chip's electronic fingerprint into the activation code that correctly configures the IC. This interaction can take place securely over the Internet with the trusted party, or can be deployed in tamper-resistant equipment on the production line. Because every functional chip has to pass through activation, the trusted party also obtains a count of activated chips; this reporting mechanism exposes manufacturing overproduction.

Counterfeiting Also Addressed

A secure and unclonable key storage system implemented with PUFs not only protects secret keys but, combined with sound cryptography, also provides a strong anti-counterfeiting system. The unclonable key can serve as a unique identifier and transfers its unclonability to the product in which it is embedded. To detect whether a product has been counterfeited, an authenticity check is performed: usually a protocol between a "reader" and the component to be verified, in which the component proves possession of its key without ever revealing it.
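The reader/component authenticity check mentioned above, as an added example (not the article's or Intrinsic-ID's protocol). The article does not say which protocol is used; the HMAC-based challenge-response below is one common way to do it, and the class and function names, the 16-byte nonce and the identifier "chip-0001" are my own. The key is assumed to have been reconstructed from the PUF by the key extractor immediately before `device_respond` is called and to be wiped afterwards; the reader holds the keys captured at enrollment.

```python
"""Added example (not from the article): a challenge-response authenticity
check between a reader and a component whose key is PUF-derived."""
import hashlib
import hmac
import os


def device_respond(key: bytes, device_id: str, nonce: bytes) -> bytes:
    """Component side. `key` is what the key extractor just reconstructed from
    the PUF (assumption: it is wiped after this call); only the MAC over the
    reader's nonce and the component's identifier leaves the chip."""
    return hmac.new(key, device_id.encode() + nonce, hashlib.sha256).digest()


class Reader:
    """Verifier side. Holds the enrolled device keys (assumption: exported by the
    enrollment service into the reader's database) and the nonces it has issued."""

    def __init__(self, enrolled_keys: dict):
        self._keys = dict(enrolled_keys)   # device_id -> 32-byte PUF-derived key
        self._outstanding = set()          # nonces issued and not yet answered

    def challenge(self) -> bytes:
        nonce = os.urandom(16)             # fresh per check: a captured answer cannot be replayed
        self._outstanding.add(nonce)
        return nonce

    def verify(self, device_id: str, nonce: bytes, response: bytes) -> bool:
        if nonce not in self._outstanding:  # never issued, or already consumed: replay
            return False
        self._outstanding.discard(nonce)    # single use, whether or not the check passes
        key = self._keys.get(device_id)
        if key is None:                     # identifier was never enrolled
            return False
        expected = device_respond(key, device_id, nonce)
        return hmac.compare_digest(expected, response)   # constant-time comparison


if __name__ == "__main__":
    genuine_key = os.urandom(32)            # stands in for the key extractor's output
    reader = Reader({"chip-0001": genuine_key})
    n = reader.challenge()
    print("genuine part accepted:",
          reader.verify("chip-0001", n, device_respond(genuine_key, "chip-0001", n)))
    n = reader.challenge()
    print("clone without the key accepted:",
          reader.verify("chip-0001", n, device_respond(os.urandom(32), "chip-0001", n)))
```

A clone that copied the component's firmware, identifier and activation code still fails, because without the original silicon the key extractor produces a different key and therefore a different MAC; binding the identifier into the MAC stops a valid answer from one chip being presented under another identity, and consuming each nonce on first use stops a recorded answer from being replayed.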

Conclusions

Hardware cloning, theft of service and tampering are serious issues which are exacting a growing toll on semiconductor company revenue. Secret key storage is a cornerstone of hardware security, but current approaches to this critical function fall short in terms of security and cost.

A radical new approach—HIS—is available today to prevent cloning of semiconductor products and to preserve revenue. HIS uses PUFs to generate the secret key. No key is actually stored in hardware, thereby significantly raising the level of security available beyond traditional methods.

Importantly, HIS provides this enhanced security while also providing critical benefits in terms of cost, time-to-market, flexibility, reliability and trust throughout the supply chain.

About the Author

Dr. Tuyls initiated work on PUFs within Philips Research in 2002. PUFs are now at the heart of Intrinsic-ID's technology development. As a principal scientist, he managed the cryptography cluster at Philips Research, in which the initial research work on PUFs was carried out. Later, he transferred this work to Intrinsic-ID and headed technology development. Since 2004, Dr. Tuyls has remained a visiting professor at the COSIC institute of the Katholieke Universiteit Leuven. His inventions have resulted in numerous patents. He is widely acclaimed for his work in the security field and, in particular, PUFs. Several of Dr. Tuyls' papers relating to PUFs have been published at leading security conferences. He co-authored the book "Security with Noisy Data," which was published by Springer in 2007. You can reach Pim Tuyls at pim.tuyls@intrinsic-id.com or +31 40 851 90 20.

References

1. Note that in systems where the external memory is encrypted, there still needs to be an on-chip key to decrypt the data from the memory as it is being read or written.
