Physical unclonable function

History

Early references about systems that exploit the physical properties of disordered systems for authentication purposes date back to Bauder in 1983 and Simmons in 1984. Naccache and Frémanteau provided an authentication scheme in 1992 for memory cards. The terms POWF (physical one-way function) and PUF (physical unclonable function) were coined in 2001 and 2002, the latter publication describing the first integrated PUF where unlike PUFs based on optics, the measurement circuitry and the PUF are integrated onto the same electrical circuit (and fabricated on silicon).

From 2010 onwards till 2013, PUF gained attention in the smartcard market as a promising way to provide “silicon fingerprints”, creating cryptographic keys that are unique to individual smartcards.

Concept

PUFs depend on the uniqueness of their physical microstructure. This microstructure depends on random physical factors introduced during manufacturing. These factors are unpredictable and uncontrollable which makes it virtually impossible to duplicate or clone the structure.

Rather than embodying a single cryptographic key, PUFs implement challenge–response authentication to evaluate this microstructure. When a physical stimulus is applied to the structure, it reacts in an unpredictable (but repeatable) way due to the complex interaction of the stimulus with the physical microstructure of the device. This exact microstructure depends on physical factors introduced during manufacture which are unpredictable (like a fair coin). The applied stimulus is called the challenge, and the reaction of the PUF is called the response. A specific challenge and its corresponding response together form a challenge–response pair or CRP. The device's identity is established by the properties of the microstructure itself. As this structure is not directly revealed by the challenge-response mechanism, such a device is resistant to spoofing attacks.

Using a fuzzy extractor or key extractor PUFs can also be used to extract a unique strong cryptographic key from the physical microstructure. The same unique key is reconstructed every time the PUF is evaluated. The challenge-response mechanism is then implemented using cryptography.

PUFs can be implemented with a very small hardware investment. Unlike a ROM containing a table of responses to all possible challenges, which would require hardware exponential in the number of challenge bits, a PUF can be constructed in hardware proportional to the number of challenge and response bits. In some cases PUFs can even be built from existing hardware with the right properties.

Unclonability means that each PUF device has a unique and unpredictable way of mapping challenges to responses, even if it was manufactured with the same process as a similar device, and it is infeasible to construct a PUF with the same challenge–response behavior as another given PUF because exact control over the manufacturing process is infeasible. Mathematical unclonability means that it should be very hard to compute an unknown response given the other CRPs or some of the properties of the random components from a PUF. This is because a response is created by a complex interaction of the challenge with many or all of the random components. In other words, given the design of the PUF system, without knowing all of the physical properties of the random components, the CRPs are highly unpredictable. The combination of physical and mathematical unclonability renders a PUF truly unclonable.

Because of these properties PUFs can be used as a unique and untamperable device identifier. PUFs can also be used for secure key generation and storage as well as for a source of randomness.

Types of PUFs

All PUFs are subject to environmental variations such as temperature, supply voltage and Electromagnetic interference, which can affect their performance. Therefore, rather than just being random, the real power of a PUF is its ability to be different between devices, but simultaneously to be the same under different environmental conditions on the same device.

Different sources of physical randomness can be used in PUFs. A distinction is made between PUFs in which physical randomness is explicitly introduced and PUFs that use randomness that is intrinsically present in a physical system.

PUFs using explicitly-introduced randomness

This type of PUF can have a much greater ability to distinguish devices from one another and have minimal environmental variations compared to PUFs that utilize intrinsic randomness. This is due to the use of different underlying principles and the ability for parameters to be directly controlled and optimized.

PUFs using intrinsic randomness

Unlike PUFs that utilize explicitly-introduced randomness, PUFs using intrinsic randomness are highly attractive because they can be included in a design without modifications to the manufacturing process.

Since many computer systems have some form of DRAM on board, DRAMs can be used as an effective system-level PUF, which has been presented by Tehranipoor et al., , for the first time. DRAM is also much cheaper than static RAM (SRAM). Thus, DRAM PUFs could be a source of random but reliable data for generating board identifications (chip ID). The advantage of the DRAM PUF is based on the fact that the stand-alone DRAM already present in a system on a chip can be used for generating device specific signatures without requiring any additional circuitry or hardware. PUFs intrinsic to DRAM ICs have not been explored extensively. s a system-level security PUF.

Error correction

In many applications it is important that the output is stable. If the PUF is used for a key in cryptographic algorithms it is necessary that error correction will be done to correct any errors caused by the underlying physical processes and reconstruct exactly the same key each time under all operating conditions. In principle there are two basic concepts: Pre-Processing and Post-Processing Error Correction.

Availability

Attacks on PUFs

Not all proposed PUFs are unclonable and many have been successfully attacked in a laboratory environment.

A research team from Berlin Institute of Technology was able to clone an SRAM PUF within 20 hours using tools readily available in university failure analysis labs. In this work only SRAM (Static RAM) cells of a microcontroller were read out.

University research has shown that delay-based PUF implementations are vulnerable to side channel attacks and recommends that countermeasures be employed in the design to prevent this type of attack. Also, improper implementation of PUF could introduce "backdoors" to an otherwise secure system. In June 2012, Dominik Merli, a scientist at Fraunhofer Research Institution for Applied and Integrated Security (AISEC) further claimed that PUF introduces more entry points for hacking into a cryptographic system and that further investigation into the vulnerabilities of PUFs is required before PUFs can be used in practical security-related applications. The presented attacks are all on PUFs implemented in insecure systems, such as FPGA or Static RAM (SRAM). It is also important to ensure, that the environment is suitable for the needed security level.

Recently, studies have also emerged claiming it is possible to attack certain kinds of PUFs with low-cost equipment in a matter of milliseconds. A team at Ruhr Universität of Bochum, Germany demonstrated a method to create a model of XOR Arbiter PUFs and thus be able to predict their response to any kind of challenge. Their method requires only 4 CRPs which even on resource constrained devices should not take more than about 200ms to produce. Using this method and a $25 device or an NFC-enabled smartphone, the team was able to successfully clone RFID cards stored in the wallet of users while it was in their back pocket.