# **PUFs: Myth, Fact or Busted?** A Security Evaluation of Physically Unclonable Functions Cast in Silicon

**Christian Wachsmann** 

christian.wachsmann@trust.cased.de TU Darmstadt / CASED, Germany

#### Joint work with:

Stefan Katzenbeisser, Ünal Kocabaş TU Darmstadt / CASED, Germany Ahmad-Reza Sadeghi

TU Darmstadt / CASED and Fraunhofer SIT Darmstadt, Germany

Vladimir Rožić, **Ingrid Verbauwhede** 

KU Leuven, ESAT/COSIC, Leuven, Belgium











# **The Big Picture**



**Computing Device** generates, stores and processes security-critical information **Computing Device** 

Cryptography can be used to protect information

Cryptography relies on secrets that must be protected on the devices



**G** CASED

# The Need for Secure Hardware

## However: Cryptographic secrets can be leaked by physical attacks



Invasive Attacks (mechanical probing, FIB, etc.)



**Side-Channel Analysis** (SPA, DPA, timing, fault injection, etc.)

Requires physical protection mechanisms

Algorithmic countermeasures exist

## Classic security hardware often too complex and too expensive



## **Promising:**

# **Physically Unclonable Functions (PUFs)**





**G**CASED

## **PUF Concept**



## PUFs exploit random variations of manufacturing process that make each individual sample of a device unique on the physical level



# **Example: SRAM PUF**





# **Common Assumptions**

## Unclonability

PUF is unique due to unpredictable variations of manufacturing process

#### Robustness

PUF always returns similar PUF responses when queried with the same challenge

## Unpredictability

PUF's challenge/response behavior is pseudo-random

Fundamental for PUF-based crypto/security primitives

#### Tamper-evidence

Physical analysis of PUF changes its challenge/response behavior



# **Typical Applications**

- Device identification/authentication (e.g., anti-counterfeiting)
- Secure key-storage
- Binding hardware and software (e.g., IP protection)
- Building block in cryptographic and security solutions (e.g., encryption/attestation)



# **Benefits of using PUFs**

## No secure memory required

Cryptographic secret derived from the PUF response when needed

Intrinsic protection against invasive hardware attacks

Physical modifications of the (PUF) circuit assumed to change device fingerprint



## However:

## Security properties of PUF-based solutions unclear

## Gap between PUF implementations and PUF models in the literature

- Often idealized / not all properties of PUF implementations reflected
- Include security parameters that cannot be determined in practice

## Existing analysis results of PUF implementations difficult to compare

- Varying test conditions (different technologies, test cases)
- Different analysis methods (theoretical, empirical, different metrics)
- Unavailability of test data sets



🜌 Fraunhofer

CASED

LINIVERSITÄT

11 System

Security Lab

## Our goal:

# Meaningful evaluation and fair comparison of the most common PUF types in ASIC



**G** CASED

# **Our Contribution**

- First large scale evaluation of real PUF implementations in ASIC 96 ASICs with multiple instantiations of most common PUF types
- PUF evaluation framework for the most important PUF properties Empirical assessment of the robustness and unpredictability property





# **More Details on PUFs**



# **PUF ASIC and Test Setup**



#### **UNIQUE ASIC**

- 96 ASICs manufactured in TSMC 65 nm CMOS multi-project wafer run
- Includes 5 most common intrinsic PUFs (see table) and noise generator
- PUFs designed by our partners Intrinsic ID and KU Leuven in UNIQUE project

| PUF Class    | PUF Type               | No. of PUF<br>instances per ASIC |
|--------------|------------------------|----------------------------------|
| Delay-based  | Arbiter                | 256                              |
|              | <b>Ring Oscillator</b> | 16                               |
| Memory-based | SRAM                   | 4 (8 kB each)                    |
|              | Flip-flop              | 4 (1 kB each)                    |
|              | Latch                  | 4 (1 kB each)                    |



#### Test setup

- ASIC test board of Sirrix AG
- Xilinx Virtex 5 FPGA
- PC / Matlab (not shown)







# How big is the impact of noise?

**S**CASED

## Myth:

## PUFs are robust to varying operating conditions.





CHES 2012





# **Evaluation Strategy: Robustness**

#### Common metric for robustness: bit error rate (BER)





# **Evaluation Results: Robustness**

## **Test Cases**

- Temperature: -40°C to +85°C
- Supply Voltage: ±10% VDD
- Noise core: On/Off

| PUF-Type               | Average Bit Error Rate<br>(over all test cases) |
|------------------------|-------------------------------------------------|
| SRAM                   | < 7%                                            |
| Ring oscillator        | < 6%                                            |
| Arbiter                | < 6%                                            |
| Flip-Flop and<br>Latch | < 15% BER<br>(impractical in some applications) |

## Can be compensated by existing error correction schemes



# **Example: Voltage Variation**

Arbiter PUF, Ring Oscillator (RO) and Latch PUF sensitive to supply voltage variations

Flip-Flop (DFF) and SRAM PUF not affected by supply voltage variations



See paper for graphs of other test cases.





# How unpredictable are PUF responses?



**G** CASED

## Myth:

# PUFs responses can be predicted if other challenge/response pairs are known.

# BUSTED

## Depends on the PUF type.





**G** CASED

# **Evaluation Strategy: Unpredictability**

#### We use Shannon entropy as metric for unpredictability



We are interested in the average uncertainty in a response Y(x) in case all other responses  $W_x$  are known.

That is, we are interested in the conditional entropy:

$$H(Y|W) = -\sum_{x \in X} Pr[Y(x), W_x] \cdot \log_2 Pr[Y(x)|W_x]$$



**SRAM-PUF** 

#### Computationally infeasible to determine the underlying probability distributions



# **Our Approach to Entropy Estimation**

#### **Observation:**

- Typical electronic PUF structure: Array of electronic components (memory cells, ring oscillators, switch blocks)
- Common assumption: Distant components do not significantly affect each other
  ⇒ Entropy estimation only considers responses from neighboring components

Hence, we estimate H(Y|W) with:

$$H(Y|W') = -\sum_{x \in X} Pr[Y(x), W_x'] \cdot \log_2 Pr[Y(x)|W_x']$$

Further, we estimate the corresponding conditional min-entropy:

 $H_{\infty}(Y|W') = -\log_2 \max_{x \in X} \{Pr[Y(x)|W_x']\}$ 



SRAM-PUF

Similar assumptions hold for Flip-Flop, Latch, Ring Oscillator and Arbiter PUFs



# **Evaluation Results: Unpredictability**

## **Test Cases**

- Temperature: -40°C to +85°C
- Supply Voltage: ±10% VDD
- Noise core: On/Off

| PUF-Type               | Unpredictability                                                       |
|------------------------|------------------------------------------------------------------------|
| SRAM                   | Entropy and min-entropy > 80%<br>(almost ideal)                        |
| Ring<br>oscillator     | Entropy ≈75%; min-entropy < 2%<br>(too low for some applications)      |
| Arbiter                | Entropy and min-entropy < 1%<br>(far too low; model building possible) |
| Flip-Flop<br>and Latch | Strongly dependent on temperature (may enable attacks)                 |

## PUF must be carefully chosen depending on the requirements of the underlying use case



Scale CASED

# **Conclusion and Future Work**

## We presented

- First large-scale evaluation of real PUF implementations in ASIC
- PUF evaluation framework for the robustness and unpredictability properties

## **Current and future work**

- Extension of the evaluation framework
  - More test cases (e.g., aging tests)
  - Other PUF properties (e.g., tamper-evidence, unclonability)
- Analysis of other PUF types







# Thank you!



## **Christian Wachsmann**

christian.wachsmann@trust.cased.de









