CONCURRENCY AND COMPUTATION: PRACTICE AND EXPERIENCECon urren y Computat.: Pra t. Exper. 2003; 3:1{20 Prepared using peauth. ls [Version: 2002/09/19 v2.02℄Identi� ation andAuthenti ation of IntegratedCir uitsBlaise Gassend1, Daihyun Lim1, Dwaine Clarke1,Marten van Dijk2, Srinivas Devadas1�1 Massa husetts Institute of Te hnology, Laboratory for Computer S ien e, Cambridge, MA02139, USA2 Prof Holstlaan 4, Eindhoven, The NetherlandsSUMMARYThis paper des ribes a te hnique to reliably and se urely identify individual integrated ir uits (ICs) based on the pre ise measurement of ir uit delays and a simple hallenge-response proto ol. This te hnique ould be used to produ e key- ards that are morediÆ ult to lone than ones involving digital keys on the IC. We onsider potential venuesof atta k against our system, and present andidate implementations. Experiments onField Programmable Gate Arrays show that the te hnique is viable, but that our urrentimplementations ould require some strengthening before it an be onsidered as se ure.key words: Authenti ation, identi� ation, physi al random fun tion, physi al se urity, smart ard,tamper resistan e, un lonability1. Introdu tionWe des ribe a te hnique to identify and authenti ate arbitrary integrated ir uits (IC's) basedon a prior delay hara terization of the IC. While IC's an be reliably mass-manufa tured tohave identi al digital logi fun tionality, the premise of our approa h is that ea h IC is uniquein its delay hara teristi s due to inherent variations in manufa turing a ross di�erent dies,wafers, and pro esses. While digital logi fun tionality relies on timing onstraints being met,di�erent ICs with the exa t same digital fun tionality will have unique behaviors when these onstraints are not met, be ause their delay hara teristi s are di�erent.Resear hers have proposed the addition of spe i� ir uits that produ e unique responsesdue to manufa turing variations in IC's su h that these IC's an be identi�ed [13℄. However,with these te hniques, the fo us is simply on assigning a unique identi�er to ea h hip, withouthaving se urity in mind. In order to authenti ate an IC, a key has to be pla ed within theIC, a ess to the key has to be restri ted to ryptographi primitives, and the IC has to beCopyright 2003 John Wiley & Sons, Ltd.

2 B. GASSEND, D. LIM, D. CLARKE, M. VAN DIJK, S. DEVADASmade tamper resistant, so attempts by the adversary to determine the key destroys the key.In essen e, digital information has to be hidden in the IC. This information an then be usedto simply identify the IC, or it an be used to enable a wide range of appli ations that rely onkeyed ryptographi primitives.Making an IC tamper-resistant to physi al atta ks is a hallenging problem and is re eivingsome attention [3℄. Numerous atta ks are des ribed in the literature. These atta ks may beinvasive, e.g., removal of the pa kage and layers of the IC; or non-invasive, e.g., di�erentialpower analysis [11℄, that attempts to determine the key by stimulating the IC and observingthe power and ground rails. IBM's PCI Cryptographi Copro essor en apsulates a 486- lasspro essing subsystem within a tamper-sensing and tamper-responding environment where one an run se urity-sensitive pro esses [17℄. However, providing high-grade tamper resistan e,whi h makes it impossible for an atta ker to a ess or modify the se rets held inside a devi e,is expensive and diÆ ult [1, 2℄.We propose that authenti ation be based on hidden delay or timing information orresponding to a ir uit rather than digital information. We will argue that the level oftamper resistan e required to hide delay information is signi� antly less than for digitalinformation. Invasive methods to determine devi e and wire delays will invariably hange thedelay of the devi es or wires upon removal of the pa kage or metal layers. Further, non-invasiveatta ks that are sometimes su essful in dis overing se ret digital keys su h as di�erential poweranalysis [11℄ and ele tromagneti analysis [15℄ are not as well suited for breaking delay-basedauthenti ation. Another important di�eren e between hiding digital information versus timinginformation is that in the former ase the manufa turer an produ e many ICs with the samehidden digital key, but it is very hard, if not impossible, for a manufa turer to produ e twoICs that are identi al in terms of their delay hara teristi s.To elaborate, our thesis is that there is enough manufa turing pro ess variations a rossICs with identi al masks to uniquely hara terize ea h IC, and this hara terization anbe performed with a large signal-to-noise ratio. The hara terization of an IC involves thegeneration of a set of hallenge-response pairs. To authenti ate ICs we require the set of hallenge-response pairs to be hara teristi of ea h IC. For reliable authenti ation, we requirethat environmental variations and measurement errors do not produ e so mu h noise that theyhide inter-IC variations. We will show in this paper, using experiments and analysis, that we an perform reliable authenti ation.The rest of this paper will be stru tured as follows: We des ribe the notion of a physi alrandom fun tion, whi h is what we are trying to implement in Se tion 2. An overview ofour approa h to identify and authenti ate ICs based on delays is given in Se tion 3. Then,in Se tion 4 we des ribe some appli ations, in parti ular a se ure key ard appli ation. We onsider plausible atta ks on PUFs in Se tion 5. Se tion 6 presents a andidate PUF ir uitbased on delay measurement, and dis usses its identi� ation hara teristi s. Se tion 7 presentsa se ond andidate ir uit that ompares two delays, and goes over relevant experimentalmeasurements. Finally, Se tion 8 shows how these andidate ir uits an be atta ked in theadditive delay model.Copyright 2003 John Wiley & Sons, Ltd. Con urren y Computat.: Pra t. Exper. 2003; 3:1{20Prepared using peauth. ls

IDENTIFICATION AND AUTHENTICATION OF INTEGRATED CIRCUITS 32. De�nitionsDe�nition 1. A Physi al Random Fun tion (PUF)y is a fun tion that maps hallenges toresponses, that is embodied by a physi al devi e, and that veri�es the following properties:1. Easy to evaluate: The physi al devi e is easily apable of evaluating the fun tion in a shortamount of time.2. Hard to predi t: From a polynomial number of plausible physi al measurements (in parti ular,determination of hosen hallenge-response pairs), an atta ker who no longer has the devi e,and who an only use a polynomial amount of resour es (time, matter, et .) an only extra ta negligible amount of information about the response to a randomly hosen hallenge.In the above de�nition, the terms short and polynomial are relative to the size of the devi e,whi h is the se urity parameter. In parti ular, short means linear or low degree polynomial.The term plausible is relative to the urrent state of the art in measurement te hniques andis likely to hange as improved methods are devised.In previous literature [16℄ PUFs were referred to as Physi al One-Way Fun tions,and realized using 3-dimensional mi ro-stru tures and oherent radiation. We believe thisterminology to be onfusing be ause PUFs do not mat h the standard meaning of one-wayfun tions [14℄. A PUF is a one-way fun tion in the sense that it is hard to re onstru t thephysi al system from hallenge-response pairs. However, unlike a one-way fun tion, a PUFdoes not require going from the response to the hallenge to be hard. For a PUF, all thatmatters is that going from a hallenge to a response without using the devi e is hard.De�nition 2. A type of PUF is said to be Manufa turer Resistant if it is te hni ally impossibleto produ e two identi al PUFs of this type given only a polynomial amount of resour es (time,money, sili on, et .).Manufa turer resistant PUFs are the most interesting form of PUF as they an be used tomake systems that are unique without having to trust the manufa turer of the devi e.In this paper, the PUFs we produ e from delay measurements don't truly �t the hard topredi t riterion of the PUF de�nition, as a part of the response may be easy to predi t. Thereare methods to get around this subtle di�eren e that are not des ribed here [7, 8℄.3. Delay-Based Authenti ation3.1. Statisti al Delay VariationWhen a ir uit is repli ated a ross dies or a ross wafers, manufa turing variations auseappre iable di�eren es in ir uit delays. A ross a die, devi e delays vary due to mask variations;yPUF a tually stands for Physi al Un lonable Fun tion. It has the advantage of being easier to pronoun e,and it avoids onfusion with Pseudo-Random Fun tions.Copyright 2003 John Wiley & Sons, Ltd. Con urren y Computat.: Pra t. Exper. 2003; 3:1{20Prepared using peauth. ls

4 B. GASSEND, D. LIM, D. CLARKE, M. VAN DIJK, S. DEVADASthis is sometimes alled the system omponent of delay variation. There are also randomvariations in dies a ross a wafer, and from wafer to wafer due to, for instan e, pro esstemperature and pressure variations, during the various manufa turing steps. The magnitudeof delay variation due to this random omponent an be 5% or more for metal wires, and ishigher for gates ( f. Chapter 12 of [5℄). Delay variations of the same wire or devi e in di�erentdies have been modeled using Gaussian distributions and other probabilisti distributions [4℄.We brie y note here that in our experiments, the standard deviation of path delays in ourexample ir uits a ross di�erent FPGAs was in the range of 400 parts per million.3.2. Environmental E�e tsOn- hip measurement of delays an be arried out with very high a ura y, and therefore thesignal-to-noise ratio when delays of orresponding wires a ross two or more ICs are ompared isquite high, provided environmental variation is low. However, temperature and power supplyvoltage have a signi� ant e�e t on the absolute values of ir uit delays [19℄. To keep thesignal-to-noise ratio high under signi� ant environmental variations, we require ompensateddelay measurement ( f. Se tion 6.2.1). Using ompensated delay measurement, we an keepthe variation due to standard deviation suÆ iently below inter- hip variation to allow reliableidenti� ation despite a wide range of environmental variations.3.3. Generating Challenge-Response PairsAs we mentioned in the introdu tion, manufa turing variations have been exploited to identifyindividual ICs. However, the identi� ation ir uits used so far generate a stati digital response(whi h is di�erent for ea h IC). We propose the generation of many hallenge-response pairsfor ea h IC, where the hallenge an be a digital (or possibly analog) input stimulus, and theresponse depends on the transient behavior of the IC, and an be a pre ise delay measure, adelay ratio, or a digital response based on measured delay or ratios.The transient behavior of the IC depends on the network of logi devi es as well as thedelays of the devi es and inter onne ting wires. Assuming the IC is ombinational logi , aninput pair hv1; v2i produ es a transient response at the outputs. Ea h input pair stimulates apotentially di�erent set of paths in the IC. If we think of ea h input pair as being a hallenge,the transient response of the IC will typi ally be di�erent for ea h hallenge.The number of potential hallenges grows with the size and number of inputs to the IC.Therefore, while two ICs may have a high probability of having the same response to aparti ular hallenge, if we apply many hallenges, then we an distinguish between the twoICs. More pre isely, if the standard deviation of the measurement error is Æ, and the standarddeviation of inter-FPGA variation is �, then for Gaussian distributions, the number of bitsthat an be extra ted for one hallenge is up to 12 log2(1+�=Æ) (though this limit is diÆ ult torea h in pra ti e). By using multiple independent hallenges, we an extra t a large numberof identi� ation bits from an IC. A tually produ ing a huge number of bits is diÆ ult to doin pra ti e with multiple hallenges be ause the responses to hallenges are not independent.However, it is mu h easier to extra t the information from the measurements if we are willingto get less than the maximum number of bits, and in the ase where Æ << �.Copyright 2003 John Wiley & Sons, Ltd. Con urren y Computat.: Pra t. Exper. 2003; 3:1{20Prepared using peauth. ls

IDENTIFICATION AND AUTHENTICATION OF INTEGRATED CIRCUITS 5Upon every su essful authenti ation of a given IC, a set of hallenge-response pairs ispotentially revealed to the adversary. This means that the same hallenge-response pair annotbe used again. If the adversary an learn the entire set of hallenge-response pairs, he an reatea model of a ounterfeit IC. To implement this method, a database of hallenge-response pairshas to be maintained by the entity that wishes to identify the IC. This database need only overa small subset of all the possible hallenge-response pairs. However, it has to be kept se ret asthe se urity of the system only relies on the atta ker not being able to predi t whi h hallengeswill be made. If the database ever runs out of hallenge-response pairs, it may be ne essary to\re harge" it, by turning in the IC to the authority that performs the authenti ation.4. Appli ations4.1. Se ure Key ardThe simplest appli ation for PUFs is to make tamper-resistant, unforgeable key ards. Thisappli ation was �rst des ribed in [16℄. We will argue in Se tion 5 that sili on PUFs are diÆ ultto forge and, as a result, these key ards are diÆ ult to lone. The ards an also be ombinedwith biometri s to help identify users.These ards an be used for authenti ated identi� ation, in whi h someone or somethingwith physi al a ess to the ard an use it to gain a ess to a prote ted resour e. The generalmodel is that of a prin ipal with the key ard presenting it to a terminal at a lo ked door.The terminal an onne t via a private, authenti hannel to a remote, trusted server. Theserver has already established a private list of Challenge-Response Pairs (CRPs) with the ard.When the prin ipal presents the ard to the terminal, the terminal onta ts the server usingthe se ure hannel, and the server replies with the hallenge of a randomly hosen CRP inits list. The terminal forwards the hallenge to the ard, whi h determines the response. Theresponse is sent to the terminal and forwarded to the server via the se ure hannel. The server he ks that the response mat hes what it expe ted, and, if it does, sends an a knowledgmentto the terminal. The terminal then unlo ks the door, allowing the user to a ess the prote tedresour e. The server should only use ea h hallenge on e, to prevent replay atta ks; thus, theuser is required to se urely renew the list of CRPs on the server periodi ally.4.2. Controlled PUFsAs we have implemented them in this paper, ard-PUFs an be used for authenti atedidenti� ation, as des ribed above. However, unlike the PUFs from [16℄, sili on PUFs an bea ompanied on the same hip with ontrol logi that restri ts a ess to the PUF. In this asewe have a Controlled PUF. By using the methods des ribed in [7, 9℄, a ontrolled PUF an beused to establish a shared se ret between a remote party and a trusted hip. Be ause of theway the se ret is embedded in the PUF, it is mu h harder for an adversary to impersonatethe trusted hip than it would be if the hip had a se ret stored on itself in digital form. Thisimproved resistan e to physi al atta ks is the prin ipal advantage of using a PUF.Copyright 2003 John Wiley & Sons, Ltd. Con urren y Computat.: Pra t. Exper. 2003; 3:1{20Prepared using peauth. ls

6 B. GASSEND, D. LIM, D. CLARKE, M. VAN DIJK, S. DEVADASThe appli ations of Controlled PUFs are all the appli ations that an bene�t from havinga shared se ret between a hip and a remote party. Digital rights management, set-top boxesand distributed omputation are examples of su h appli ations. More details an be foundin [7, 9℄.5. Atta ksThere are many possible atta ks on sili on PUFs { we des ribe some of them in this se tion.5.1. Dupli ationTo break the authenti ation methodology, the adversary an fabri ate a \ ounterfeit" IC ontaining the PUF that produ es exa tly the same responses as the original IC/PUF forall hallenges. A spe ial ase of this atta k o urs when an IC manufa turer attempts toprodu e two identi al ICs from s rat h.Given the statisti al variation inherent in any manufa turing pro ess, we argue that it isinfeasible to produ e an IC pre isely enough to determine the PUF that it embodies. Whenprodu ing two ICs in identi al onditions (same produ tion line, same position on wafer,et .) the manufa turing variations are suÆ ient to make the two resulting PUFs signi� antlydi�erent. The probability that the two ICs will have identi al PUFs is very low, implyingthat the adversary will have to fabri ate a huge number of ICs, and make omprehensivemeasurements on ea h one, in order to reate and dis over a mat h. This is a very expensiveproposition, both e onomi ally and omputationally speaking.We would like to draw the reader's attention to the fa t that the pro ess variations thatwe are building our se urity on annot be easily eliminated by the manufa turer. Thesevariations limit the manufa turer's ability to redu e IC feature size, and must also be takeninto a ount when studying a ir uit's timing onstraints. Any redu tion in pro ess variationwould dire tly lead to improved performan e, so this is an a tive area of resear h. As anillustration, Chapter 14 of [5℄ studies the impa t of pro ess variations on ir uit design, andshows that as pro esses improve, relative variations in rease rather than de rease.It is be ause a sili on PUF is based on un ontrollable pro ess variations, that we laim thatsili on PUFs are manufa turer resistant ( f. Se tion 2), at least in the ase of ICs that aremade in state of the art pro esses.5.2. Timing-A urate ModelAlternately, the adversary an attempt to reate a timing-a urate model of the original PUFand simulate the model to respond to hallenges, in e�e t reating a \virtual ounterfeit." Thea ura y of this model has to be omparable to the a ura y of reliable (on- hip) ir uit delaymeasurement in order to produ e a su essful virtual ounterfeit. Here, the adversary has threeoptions, dire t measurement, exhaustive enumeration of hallenges, and model-building usingobserved responses based on a subset, i.e., a polynomial number of hallenges.Copyright 2003 John Wiley & Sons, Ltd. Con urren y Computat.: Pra t. Exper. 2003; 3:1{20Prepared using peauth. ls

IDENTIFICATION AND AUTHENTICATION OF INTEGRATED CIRCUITS 75.2.1. Dire t MeasurementThe adversary an attempt to dire tly measure devi e delays of the ir uit by probing ormonitoring omponents inside the devi e. He an then use these measured delays in a more orless sophisti ated timing model.In order to do this at the level of a ura y required to break authenti ation, he will haveto remove the pa kage and insert probes. Indeed, non-invasive atta ks su h as di�erentialpower analysis [11℄ and ele tromagneti analysis [15℄ extra t information about olle tions ofdevi es, not individual devi es. Probing with suÆ ient pre ision is likely to be very diÆ ultbe ause the adversary runs the risk of hanging the ir uit delays while probing. Intera tionsbetween the probe and the ir uit will dire tly in uen e the ir uit. Moreover, in order toinsert his probes, the adversary will potentially have to damage overlaid wires. Be ause of thehigh apa itive oupling between neighboring wires ( f. [6℄ for the importan e of apa itive oupling between wires), damage to these overlaid wires ould signi� antly hange the delaythat is to be measured.How best to lay out the PUF ir uit to make it highly sensitive to invasive atta ks is adire tion for further resear h.5.2.2. Exhaustive ModelClearly, a model an be built by exhaustively enumerating all possible hallenges, but this isintra table, sin e there are an exponential number of possible hallenges.5.2.3. Model Building Using Challenge SubsetThe adversary an use a publi ly available mask des ription of the IC/PUF and apply hallenges and monitor responses and attempt to build a timing-a urate model.We �rst note that reating a urate timing models given mask information is an intensivearea of resear h. Even the most detailed ir uit models have a resolution that is signi� antly oarser than the resolution of reliable delay measurement. If an adversary is able to �nda general method to determine polynomial-sized timing models that are a urate to withinmeasurement errors, this would represent a breakthrough. However, the adversary has a slightlydi�erent problem { he needs to build a highly a urate model of a parti ular IC, to whi h hehas a ess, and to whi h he an apply hallenges and monitor responses.The transient response of an IC is a non-linear and non-monotoni fun tion of the delaysof wires and devi es in the IC. The adversary has to guess a general enough parameterizablemodel (e.g., delay of a devi e is dependent on load apa itan e and transitions of neighboringdevi es), and obtain enough responses to well- hosen hallenges su h that he obtains a systemof equations that an be inverted to obtain the parameters of his model. The PUF designer'sjob is to make this task as diÆ ult as possible.In Se tion 8 we will return to modeling atta ks when onsidering the diÆ ulty of modelingour proposed authenti ation ir uits.Copyright 2003 John Wiley & Sons, Ltd. Con urren y Computat.: Pra t. Exper. 2003; 3:1{20Prepared using peauth. ls

8 B. GASSEND, D. LIM, D. CLARKE, M. VAN DIJK, S. DEVADASb = 0i(a) ib = 1(b) b

. . .

Pseudorandom Function

AND

switch

challengebbbb1 2 3 127 128( )Figure 1. The swit h blo k de�nes di�erent ir uits for hallenge bits of zero (a) or one (b). In theMAX-delay ir uit, they are ombined into a long hain ( ).6. The MAX Cir uitFinding a delay ir uit that produ es a satisfa tory PUF that is provably hard to break isdiÆ ult be ause of the numerous di�erent types of atta ks that are possible. It is un lear how lassi al hard problems su h as fa torization or dis rete logarithm ould be embedded in theanalog behavior of a physi al system.This se tion shows a andidate ir uit that we have performed experiments on. We onje tured in [10℄ that this ir uit would be diÆ ult to break in the additive delay model, inwhi h we assume that the delay of a omplex ir uit an be exa tly broken up into a sum ofdelays of omponents that make it up. More re ent work that is presented in Se tion 8 suggeststhat our onje ture was in orre t. Therefore, to reate a PUF that is se ure in the additive delaymodel, modi� ations will be needed to make this ir uit more diÆ ult to analyze. Se tion 8.4suggests some improvements that ould be made. We believe that the sheer omplexity ofdetermining ir uit delays pre isely enough as the ir uit gets more ompli ated will turnout to be suÆ ient to prevent modeling atta ks on PUFs. Papers su h as [12℄ show just howdiÆ ult pre ise delay simulation an be.The ir uit for whi h we will measure delays is depi ted in Figure 1( ). A hallenge ofn = 128 bits is transformed by a pseudorandom fun tion into a bit pattern b = (b1; : : : ; bn).The bits bi ontrol swit hes. If bi = 0, the swit h is un rossed as in Figure 1(a). If bi = 1,the swit h is rossed as in Figure 1(b). To get a response from this ir uit, we present a risingedge on its input. That edge is split into two ompeting edges that independently propagatethrough the swit hes until they rea h the AND gate. When the slowest of the two edges rea hesthe AND gate, an edge appears on the output of the ir uit. The response of the ir uit is thetime it took for the edge on the input to produ e an edge on the output.In the additive delay model, this response of the ir uit for a given hallenge an be expressedas the max of two sums of elementary path delays. Thus we learly see the need for the ANDCopyright 2003 John Wiley & Sons, Ltd. Con urren y Computat.: Pra t. Exper. 2003; 3:1{20Prepared using peauth. ls

IDENTIFICATION AND AUTHENTICATION OF INTEGRATED CIRCUITS 9gate. Without it, responses would be linear ombinations of elementary delays, and obtainingelementary delays from hallenge-response pairs would redu e to solving a linear system ofequations. With the AND gate, ea h hallenge-response pair produ es two andidate equations,only one of whi h a tually holds. Ideally for k pairs, the adversary would have 2k di�erentsystems of equations to hoose from, though we expe t an intelligent adversary to be able toeliminate many of these possibilities.If the adversary is able to dire tly hose the bi that gets presented to the devi e then there areeasy ways for him redu e the number of systems of equations he must deal with. For example,by hoosing two sets of bi that only di�er for two neighboring stages, there is a high likelihoodthat the same path was the slowest in both ases, in this way only two of the four possiblesystems of equations need to be onsidered. With a little more work, the individual delays inthe ir uit an on e again be found by solving a linear system of equations. To prevent thistype of atta k, we do not allow the adversary to dire tly hose the bi values dire tly. An error orre ting ode would be suÆ ient to prevent the atta k we des ribed by for ing the adversaryto hose di�erent values of bi that have a minimum Hamming distan e from ea h other. Weprefer to use a pseudorandom fun tion as it allows us to prevent any kind of hosen hallengeatta k, even though the minimum Hamming distan e property isn't guaranteed.One more pre aution is ne essary. If one elementary delay is mu h longer than all the others,then it will always be in the slowest path through the ir uit, whi h on e again redu es theadversary's work to solving a linear system of equations. This problem is parti ularly seriousif the same elementary delay is parti ularly long on all instan es of the devi e. To preventthis problem, the delay ir uit we request that the ir uit be designed to be as symmetri alas possible. That way, knowledge of the ir uit layout annot help the adversary guess whi hpath through the ir uit is the slowest. Moreover, with these pre autions, the likelihood thatone elementary delay will be mu h longer than the others through random pro ess variationsis kept to a minimum.6.1. Cir uit detailsIn order to prove that identi� ation is possible using delay variations between IntegratedCir uits, we have implemented a PUF on Xilinx Spartan 2 FPGAs.z In these tests, identi al ir uits were pla ed on di�erent FPGAs, and the resulting PUFs were ompared. Our goal inthis se tion is to show that the identi� ation is possible given the measurement noise levelsand manufa turing variations that we have observed.Be ause we do not have full ontrol over the ir uits that are implemented in an FPGA, afew ompromises have to be made relative to the theoreti al design:� First, the unpredi tability of the MAX- ir uit relies on having a ir uit with a high levelof symmetry between paths. The general purpose routing infrastru ture of an FPGAmakes it diÆ ult to produ e pre isely mat hed paths. Therefore the FPGA ir uits thatzThe exa t omponents that were used were the XC2S200PQ208-5. We would like to thank Tara Sainath andAjay Sudan for help with these experiments.Copyright 2003 John Wiley & Sons, Ltd. Con urren y Computat.: Pra t. Exper. 2003; 3:1{20Prepared using peauth. ls

10 B. GASSEND, D. LIM, D. CLARKE, M. VAN DIJK, S. DEVADAS...

...Figure 2. Measuring the MAX ir uit with a self-os illating loopwe worked with do not have the degree of symmetry that would be required for a PUFto be se ure. However, sin e the asymmetry is the same a ross all omponents, it doesnot make any hange to the diÆ ulty in identifying omponents, whi h is what we willbe dis ussing in this se tion.� The se ond limitation of FPGAs, is that the la k of analog omponents makes itimpra ti al to dire tly measure the delay of a path through the ir uit with the pre isionthat we require. To get around this problem, we use self-os illating loops ontaining thepath for whi h we want to measure the delay. Using digital ir uitry, we an pre iselymeasure the frequen y of the self os illating loops over a few tens of thousands of periods.Note, however, that the use of self os illating loops to measure delays is not ideal, and shouldnot be used for a produ tion design. First it drasti ally in reases the time (and power) that isrequired to evaluate the PUF. Worse, it makes the frequen y that is being measured, whi his the response of the PUF to a hallenge, vulnerable to di�erential power analysis. This isnot very problemati for a key ard appli ation, but an be fatal in the ase of ControlledPUFs [9℄. Se tion 7 shows an alternative measurement method.Figure 2 shows how a self os illating loop is built around the delay ir uit. Sin e this self-os illating loop has to be used both for rising and falling transitions, the AND gate that ombines the two paths of the delay ir uit of Figure 1( ) has been repla ed by a more ompli ated ir uit that swit hes when the slowest transition, be it rising or falling, rea hesit. The ir uit is essentially a ip- op that hanges state when both outputs from the delay ir uit are at the same level.The dotted box indi ates a deli ate part of the ir uit that annot be implemented exa tlyas shown without running the risk of produ ing glit hing in the output. In the FPGA itis implemented by a lookup table. In an implementation with simple logi , it should beimplemented in normal disjun tive form. The representation that was used here was simply hosen for ease of understanding.Copyright 2003 John Wiley & Sons, Ltd. Con urren y Computat.: Pra t. Exper. 2003; 3:1{20Prepared using peauth. ls

IDENTIFICATION AND AUTHENTICATION OF INTEGRATED CIRCUITS 116.2. Robustness to Environmental VariationSo far, all our dis ussion has onsidered that path delays in a ir uit are onstant for a given omponent. In reality, this is far from true. Environmental perturbations an a ount forvariations that are large enough to mask out the small manufa turing variations we are tryingto measure. Therefore, they must be taken into a ount.6.2.1. Temperature and Voltage CompensationParameters su h as temperature or supply voltage ause variations in delay that are ordersof magnitude greater than the manufa turing variations we are interested in. For a 30 degreeCelsius hange in temperature, the delays vary on the order of 5%. This is to be omparedwith inter- hip variations that are well below 1% on this size of ir uit.Fortunately, we have found that environmental variations operate roughly proportionally onall the delays in our ir uit, and therefore, they an be ompensated for by always workingwith delay ratios instead of absolute delays. Therefore, we pla e two di�erent self-os illatingloops on the FPGA. We run both self-os illating loops to get two frequen ies, and take a ratioof the two frequen ies as the PUF's response.On e ompensation has been applied, the variation with temperature is only slightly abovemeasurement error. However, as the variation in reases, so does the error. For very largetemperature hanges (30 degrees Celsius is getting lose to the limits), we an no longerexpe t to reliably re ognize a PUF. If more temperature variation needs to be a ommodated,it is possible to hara terize the PUF on e when it is hot and on e when it is old (more stepsare possible for large temperature ranges). During use, one of these two ases will apply, sothe PUF will be orre tly re ognized.Up to now, we have assumed that temperature is uniform a ross the integrated ir uit. Ifthat is not the ase then temperature ompensation is likely not to work well. With the ir uitpresented here, the paths are heated in a uniform way by the transitions that are runningthrough them. With other ir uits in whi h transitions only rea h some parts of the ir uit, wehave observed non uniform heating whi h an ause unreliable measurement results. Therefore,we re ommend the use of ir uits that get heated in a uniform way during use.6.2.2. Interferen e With Other Sub-SystemsAnother kind of environmental interferen e that has to be onsidered is the intera tion betweena self-os illating loop, and other ir uitry on the integrated ir uit.Experiments in whi h we measure the frequen y of a loop os illating alone, or at the sametime as other loops show that the interferen e is very small. This has been demonstrated in [8℄where the interferen e was provided by seven self-os illating loops, and on e again in our latestexperiments where the frequen ies of the two loops that are being measured an be measuredsimultaneously or su essively. In ea h ase, the interferen e aused by the other self-os illatingloops is of the same order of magnitude as measurement error.There is however one ase in whi h interferen e is non negligible. It is the ase when theinterferen e is at almost the same frequen y as the self-os illating loop. In that ase, the loop'sCopyright 2003 John Wiley & Sons, Ltd. Con urren y Computat.: Pra t. Exper. 2003; 3:1{20Prepared using peauth. ls

12 B. GASSEND, D. LIM, D. CLARKE, M. VAN DIJK, S. DEVADAS

0.96 0.97 0.98 0.99 1 1.01 1.02 1.03

prob

abili

ty d

ensi

ty

compensated measurementFigure 3. Distribution of responses to randomly sele ted hallenges. Ea h response is the ratio of thefrequen ies of two simultaneously-running loops. As an be seen, when the loop frequen ies are too lose, the loops lo k and the response is unity.frequen y tends to lo k on the perturbating frequen y. Be ause of this, we re ommended notto simultaneously measure the two frequen ies that will get ombined into a ompensatedmeasurement. Figure 3 shows the result of lo king on ompensated measurements: values nearunity have been for ed towards unity by the lo king phenomenon.6.2.3. AgingThrough prolonged use, the delays of an integrated ir uit are known to shift. We have notyet studied the e�e t that aging might have on a PUF. In parti ular, if the hanges due toaging are big enough, we might not be able to re ognize a PUF after it has undergone mu huse. Studying these aging e�e ts is an important aspe t that must be overed by future work.6.3. Identi� ation AbilitiesTo test our ability to distinguish between FPGAs, we generated a number of pro�les for manydi�erent FPGAs in di�erent onditions. A pro�le is made up of 128 hallenge-response pairs.All the pro�les were established using the same hallenges.Two pro�les an be ompared in the following way: For ea h hallenge look at the di�eren ebetween the responses. You an then look at the distribution of these di�eren es. If most ofthem are near zero, then the pro�les are lose. If they are far from zero then the pro�les aredistant. During our experiments, the distribution of di�eren es was typi ally Gaussian, whi hallows us to hara terize the di�eren e between two pro�les by a standard deviation.Copyright 2003 John Wiley & Sons, Ltd. Con urren y Computat.: Pra t. Exper. 2003; 3:1{20Prepared using peauth. ls

IDENTIFICATION AND AUTHENTICATION OF INTEGRATED CIRCUITS 13

0

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.9

1

1e-06 1e-05 0.0001 0.001 0.01

Abe vs. Hal

Abe vs. Abe, same conditions

Abe vs. Abe 10 deg. Celsius hotter

Abe vs. Walt

Abe vs. Abe, different test boards

Abe vs. Abe 20 deg. Celsius hotterAbe vs. Abe 30 deg. Celsius hotterFigure 4. Comparing the FPGA alled Abe at room temperature with itself in various onditions, orwith other FPGAs. The verti al axis indi ates the probability that for a given hallenge, the di�eren ein response will be lower than the value in parts per million that is indi ated on the horizontal axis.These plots illustrate the typi al behavior we en ountered in our experiments with many FPGAs.Figure 4 shows the di�eren es between the pro�le for an FPGA alled Abe on Blaise's testboard at room temperature, and a number of other pro�les (� is the standard deviation):� Another pro�le of Abe on Blaise's test board at room temperature (� � 1 � 10�5). This hara terizes measurement noise.� A pro�le of Abe on Tara's test board at room temperature (� � 2:5 � 10�5). This givesan idea of the e�e ts of power supply variations between ard readers.� Pro�les of Abe on Blaise's test board at 10, 20 and 30 degrees Celsius above roomtemperature (� � 5 � 10�5 to 1:5 � 10�4).� Pro�les of FPGAs Hal andWalt on Blaise's test board at room temperature (� � 4�10�4).The above standard deviations were typi al a ross di�erent FPGAs and omparisons ofdi�erent pairs of FPGAs.Clearly, it is possible to tell FPGAs apart. Though our ability to tell them apart depends onhow mu h environmental variation we need to be able to tolerate. Even with 30 degree Celsiusvariations, ea h hallenge is apable of providing 0.7 bits of information about the identity ofthe FPGA. This goes up to 1.5 bits if only 10 degree Celsius variations are allowed.If we want to distinguish between 1 billion di�erent omponents we need a suÆ ient numberof bits to identify 1018 � 260 omponents (this is be ause of the birthday paradox). Gettingthose 60 bits of information requires from 40 to 90 hallenges depending on the temperatureCopyright 2003 John Wiley & Sons, Ltd. Con urren y Computat.: Pra t. Exper. 2003; 3:1{20Prepared using peauth. ls

14 B. GASSEND, D. LIM, D. CLARKE, M. VAN DIJK, S. DEVADAS

Figure 5. The arbiter ir uit is like the MAX ir uit ex ept that the AND gate is repla ed by anarbiter. The arbiter de ides whi h of the two signals rea hes it �rst and outputs a bit.variations that we are willing to tolerate. We assume that the responses are essentiallyindependent of ea h other be ause, if we assume that ea h stage ontributes a few bit ofinformation, then we �nd that there is an order of magnitude more information in the ir uitthan we need.The numbers that are given here are very dependent on the PUF ir uit that is onsidered.In the ir uit that we studied in [8℄ we had a signal to noise ratio that was mu h better than weobserved in the urrent ir uit. We believe that by paying more attention to how our ir uitis laid out, we will be able to build PUFs for whi h more bits an be extra ted from ea h hallenge.7. The Arbiter Cir uitMeasuring delays using self-os illating ir uits as we did in Se tion 6 is easy and pre ise.However, to get a pre ision in the hundreds of parts per million requires tens to hundreds ofthousands of lo k y les, whi h implies that thousands of edges will have to be propagatedthrough the delay ir uit ea h time we want to measure a single delay. This means thatmeasurement is slow. To make delay measurement faster, we would like to do a more dire tmeasurement, whi h only needs to run a single edge through the delay ir uit. This is not atrivial task given that in our experiments, we have to measure the delays with pre isions onthe order of tens of pi ose onds.The method that we have hosen to explore is to use an arbiter. The arbiter has two inputs,whi h are both low initially. The arbiter waits for one of the inputs to go high, at whi h timeits output indi ates whi h input went high �rst.Copyright 2003 John Wiley & Sons, Ltd. Con urren y Computat.: Pra t. Exper. 2003; 3:1{20Prepared using peauth. ls

IDENTIFICATION AND AUTHENTICATION OF INTEGRATED CIRCUITS 15

0

0.05

0.1

0.15

0.2

0.25

0.3

0.35

0.4

0.45

0.5

0 0.2 0.4 0.6 0.8 1

Pro

babi

lity

Den

sity

Pr(response = 1)

P(Pr(response=1)<1/23) = 0.56

P(Pr(response=1)>22/23) = 0.38

(a) Inter-Chip variation 0

0.005

0.01

0.015

0.02

0.025

0 0.2 0.4 0.6 0.8 1

Pro

ba

bili

ty D

en

sity

Pr(Response=1)

P(Pr(response=1) < 1/200) = 0.4075

P(Pr(response=1) > 199/200) = 0.5887

(b) Repeated measurementFigure 6. Probability distribution for a hallenge of outputting 1: a ross multiple di�erent hips (a),or when measurement is made repeatedly on the same hip (b). Triangles show experimental data,while the urve shows a theoreti al �t. For the inter- hip variation, an ideal implementation wouldhave an inverted urve whi h the highest likelihood near 50%.Figure 5 shows the stru ture of arbiter ir uit and its operation. We are assuming as forthe MAX ir uit that the hallenge has been passed through a pseudorandom fun tion beforebeing fed into the delay ir uit. Two signals ra e through the delay paths that are de�ned bythe hallenge input bits. At the end of ir uit, the arbiter de ides whi h signal arrived �rstand outputs a bit.If the di�eren e in delay for the two ra ing paths isn't mu h larger than the inter- hipvariation in delay, then the value of the output bit is likely to be di�erent from one hip toanother, whi h makes identi� ation possible. For this reason, it is highly desirable for thearbiter ir uit to be designed to be as symmetri al as possible. This way, all the hallengeswill have outputs that vary from hip to hip. Unfortunately, as we shall see, our FPGAimplementation was not very symmetri al so most of the bits have little identi� ation valuefor us, whi h in reases the number of measurements that have to be made before a devi e anbe identi�ed.7.1. Experimental Results7.1.1. Inter-Chip VariationTo study the hara teristi s of our FPGA implementation of the arbiter ir uit, we measuredresponses for 100,000 hallenges a ross 23 FPGAs, on 16 di�erent layouts of the delay ir uit.For ea h hallenge-layout pair, we al ulated the probability of a response bit being 1.Copyright 2003 John Wiley & Sons, Ltd. Con urren y Computat.: Pra t. Exper. 2003; 3:1{20Prepared using peauth. ls

16 B. GASSEND, D. LIM, D. CLARKE, M. VAN DIJK, S. DEVADASFigure 6(a) shows the distribution of those probabilities. Assuming that delays have a Gaussianvariation from hips to hip, and a Gaussian variation from hallenge to hallenge, themeasurements we made suggest that there is about 25 times more variation due to hallengesthan to inter- hip variation. Only 6% of hallenges a tually have a response that hanged atleast on e from hip to hip in our experiments. We are urrently produ ing an ASIC test hip with a delay ir uit that was laid out by hand to maximize symmetry. This way mostof the hallenges should produ e useful identi� ation information (or none at all if a skew isintrodu ed between the two paths).To study how di�erent hips are from ea h other, we look at the number of hallenges in our100,000 hallenge test set that hange from one hip to another; this is alled the Hammingdistan e. In our experiments with 23 FPGAs, the average Hamming distan e between hipswas 1049, roughly 1.05% of the hallenges.7.1.2. Measurement NoiseTo evaluate measurement noise, we measured a set of 100,000 hallenges 200 times ea h, on 16di�erent layouts of the delay ir uit. Challenges that didn't return the same value ea h timewere ounted as unreliable. In this way, we found that about 0.1% of hallenges were unreliableon the PUF arbiter ir uit. This is more than ten times less than the distan e between twodistin t omponents; identifying hips using this ir uit is easy.When onsidering this number, one should keep in mind that the hallenges that areunreliable are most likely the ones that have omparable delays for both of the ra ing paths, i.e.,pre isely the ones that are useful for identi� ation purposes. Therefore, in a more symmetri al ir uit, the number of useful hallenges for identi� ation will in rease hand in hand with themeasurement noise.Figure 6(b) shows how the probability of outputting 1 is distributed for the set of hallengesand layouts that was measured. The same Gaussian based analysis we did for inter- hipvariation shows that there is about 450 times more variation from hallenge to hallengethan due to measurement noise, that is about 18 times more inter- hip variation than noise.7.1.3. Temperature variationA ni e aspe t of the arbiter ir uit is that it ompares the delays of two paths through the ir uit. Thus, it automati ally does temperature ompensation. This makes post pro essingsimpler than it was for the MAX ir uit.Figure 7 shows the amount of noise introdu ed by temperature variation. We made a pro�lefor 100,000 hallenges at the referen e temperature of 28 degrees Celsius and al ulated itsdistan e from the response ve tor at in reasingly higher temperatures. Even with a hangein temperature greater than 40 degrees Celsius, the noise is only about 0.3%, well below theinter- hip variation of 1.05%Overall, the arbiter ir uit has qualitatively omparable performan e to the delaymeasurement ir uit. If the proportion of hallenges that are useful for identi� ation an bein reased, it will be mu h faster to use than the delay measurement ir uit, whi h makes it anex ellent andidate for PUF appli ations.Copyright 2003 John Wiley & Sons, Ltd. Con urren y Computat.: Pra t. Exper. 2003; 3:1{20Prepared using peauth. ls

IDENTIFICATION AND AUTHENTICATION OF INTEGRATED CIRCUITS 17

0

0.2

0.4

0.6

0.8

1

1.2

1.4

0 5 10 15 20 25 30 35 40

No

ise

%(N

)

Temperature difference(celsius)

Best Model Limit (0.61%)

Inter FPGA Variation (1.05%)

Measurement noise (0.098%)

Temp variation

Figure 7. Variation in normalized Hamming distan e when a hip is ompared with itself at a di�erenttemperature. The inter- hip variation and our best model-building atta k are shown for omparison.8. Modeling Atta ksAs we saw in Se tion 5.2, it must be diÆ ult for atta kers to build an a urate timing modelof our ir uit if we want to prevent them from impersonate it. To evaluate the diÆ ulty ofthis type of atta k we have tried to arry it out ourselves. The results we have to date suggestthat the basi MAX and arbiter ir uits are not diÆ ult enough to model, ontrarily to whatwe had onje tured in [10℄.8.1. Additive-Delay ModelWe model the ir uits using an additive delay model. In this model, we assume that the delayof a path through the ir uit is the sum of the delays of the elementary omponents that makeit up. Knowing all the elementary omponent delays an atta ker an al ulate the ir uit delayfor any hallenge. The atta ker's task is to �nd the elementary delays. Assuming that gettingthe elementary delays by opening the ir uit and doing dire t measurement is impra ti al, wesee that an atta ker will have to infer those delays from the outputs of the devi e on a numberof hallenges. Be ause of the pseudorandom fun tion that has been pla ed in the ir uit, the hallenges that the adversary has to work with are e�e tively random.The ir uits we have onsidered in se tions 6 and 7 are made up of a sequen e of identi alstages, ea h ontaining a swit h blo k. The swit h blo k an be modeled by using 4 delays asshown in Figure 8(a). But this representation ontains redundan y, and does not reveal all thestru ture of the system of delays. Indeed, the ir uit an be rewritten as in Figure 8(b). In this�gure, the delays have been separated into four distin t omponents: u = (a+b+ +d)=4 thatis ommon to all paths, v = (a+ b� � d)=4 for the di�eren e between rossed and straightpaths, x = (a � b+ � d)=4 for the di�eren e between paths that start at the top and pathsCopyright 2003 John Wiley & Sons, Ltd. Con urren y Computat.: Pra t. Exper. 2003; 3:1{20Prepared using peauth. ls

18 B. GASSEND, D. LIM, D. CLARKE, M. VAN DIJK, S. DEVADASb

a

c

d(a)v

−v

v

−v

0

1

0

1y

−y

x

−x

u

u

uu(b)

y

−y

0

0

b1

y

−y

n

n

...

...

y

−y1

1

bn

u0

1 −vn

nb

0

1−v

v1

1

b1

vn

... ( )Figure 8. Elementary swit h model before (a) and after (b) simpli� ation. The resulting simpli�edmodel of a swit h-based delay ir uit ( ). Delays are measured between dots.that start at the bottom, and y = (a�b� +d)=4 for the di�eren e between paths that end atthe top and paths that end at the bottom. When we put all the stages together, the rewrittenform is easy to simplify. Ex ept at the �rst stage, the x terms merge with the y terms from theprevious stage. Be ause they are identi al for both paths and ommute with the swit hes, theu and v terms an be moved to the front of the ir uit before the paths bran h apart. Finallyall the u terms an be merged. What remains is depi ted in Figure 8( ).All together the n swit hed stages are modeled by using 2n+ 2 parameters instead of 4n.This result was to be expe ted as there are 2n�2 wires that onne t two stages; where exa tlyalong ea h wire we hoose to end one swit h and start the next is irrelevant whi h leads aredundant parameter. For the arbiter ir uit, only n+1 parameters are ne essary, as the termsthat appear before the paths split are ommon to both paths, and only the di�eren e betweenthe two delays is onsidered by the arbiter.Algebrai ally, the delay of one path an be expressed asu+ nXi=1(�1)bivi + nXi=0(�1)piyiwhere the parity ve tor pi = bi � � � � � bn is the number of times the paths ex hange betweenthe end of stage i and the end of the ir uit, and � denotes the XOR operation. The delayof the other path is similar ex ept that the yi terms hange sign. The delay an be seen asthe sum of a onstant u, the dot-produ t of the hallenge ve tor bi with a ve tor vi, andthe dot-produ t of the parity ve tor pi with a ve tor yi. For the arbiter ase only the se onddot-produ t remains as the rest is ommon to both paths.8.2. The Per eptron AlgorithmThe per eptron algorithm [18℄ is the simplest available algorithm for training single layeredneural networks. In su h a network, the output of a neuron is omputed by taking the dot-produ t of an input ve tor (typi ally a ve tor of +1 and -1) with a ve tor of weights, andCopyright 2003 John Wiley & Sons, Ltd. Con urren y Computat.: Pra t. Exper. 2003; 3:1{20Prepared using peauth. ls

IDENTIFICATION AND AUTHENTICATION OF INTEGRATED CIRCUITS 19 omparing the result with a threshold. To train a neuron on a set of input ve tors, one simplyiterates through the input ve tors. If an input produ es the orre t output, nothing is hanged.If an input produ es an in orre t output, ea h one of the neuron's weights in hanged in thedire tion that would tend to make it produ e the orre t result.If the training set an be learned by the neural network (i.e., if the two output values an beseparated by a hyper-plane in the input spa e), then the per eptron algorithm onverges to asolution that satis�es all the training ases. If not, a slightly improved version of the algorithm an be used, whi h onverges to the set of weights that maximizes the number of training asesthat the neuron orre tly de ides.A ording to the analysis we did in Se tion 8.1 the arbiter ir uit an be viewed as a neuron,where the weights are a fun tion of the elementary ir uit delays, and the input ve tor is asimple fun tion of the hallenge bits. Therefore, we an expe t the arbiter ir uit to be veryeasy to build a model for under the additive delay model. What remains to be seen is whetherthe additive delay model is pre ise enough to produ e a model that an be used to impersonatea physi al devi e.Be ause of the MAX operation, and be ause it has a real valued output, the MAX ir uit annot be redu ed exa tly to the per eptron algorithm, however, we found that a slightlymodi�ed algorithm gives ex ellent results. The method is as follows: �rst the model is initializedwith random elementary delays. Then for ea h example in the training set, the output of the ir uit is al ulated. Based on how far the output is from the desired output, the elementarydelays on the path that was sele ted by the MAX fun tion are adjusted to bring the output loser to the desired value. In numeri al experiments, we found that this method usuallyperfe tly learned the training set (in rare ases it gets stu k far from the orre t solution, butslightly di�erent starting parameters then lead to perfe t onvergen e). When noise was addedto the experiments, the algorithm onverged to within the amount of noise that was added.At this point, we must on lude that if the additive delay model applies suÆ iently pre iselyto our ir uits, then a model building atta k is possible and even easy. This does not ne essarilymean that the real ir uits an be modeled though, as the additive delay model is not pre iseenough to properly model the real devi e.8.3. Modeling ExperimentsTo try to get an idea of how mu h our ir uit deviates from the additive delay model, weattempted to train a model of the arbiter ir uit using 90,000 hallenge-response pairs measuredon our FPGA implementation. When evaluated on a di�erent set of 100,000 hallenge-responsepairs, the failure rate of the model was only about 3.3%. This is greater than the inter- hipvariation, so one would be better o� using a di�erent FPGA than using our model whenattempting to impersonate a hip.Our initial hypothesis for these disappointing (from the atta ker's point of view) results wasthat we were getting interferen e between the two paths through the delay ir uit. Indeed, theswit h omponent in the delay path is implemented by using a pair of multiplexers, that ea hhave the hallenge bit and both of delay paths as inputs. In Xilinx FPGAs, ombinational logi is mainly implemented using 4 input lookup tables. In parti ular, in the ir uit we implemented,the multiplexers were being implemented as lookup tables. These lookup tables are laid outCopyright 2003 John Wiley & Sons, Ltd. Con urren y Computat.: Pra t. Exper. 2003; 3:1{20Prepared using peauth. ls

20 B. GASSEND, D. LIM, D. CLARKE, M. VAN DIJK, S. DEVADAS?

?

?

?

?

?

?

?

A

B

A

B

C

O

?

?

?

?

?

?

?

?

A rising, B = 0, C = 0 A rising, B = 1, C = 0

11

1

1 0

0

0

0

C

C = 1C = 0 Unused

A = 0, B = 0

A = 1, B = 1

A = 0, B = 1

A = 1, B = 0

O

11

1

1 0

0

0

0

0

A

B

C

C = 1C = 0 Unused

A = 0, B = 0

A = 1, B = 1

A = 0, B = 1

A = 1, B = 0

O

MultiplexerMultiplexer

Decode

Decode

0

Figure 9. In a lookup table implementation of a multiplexer, the path that is taken by a rising edgeon input A to get to output O depends on the state of input B.as 4 by 4 grids of SRAM ells as shown in Figure 9. As the �gure shows, a rising edge thatgoes through the multiplexer takes a di�erent path through the grid depending on the valueof the spe tator input that is not urrently sele ted. To take this di�eren e into a ount wouldrequire a more omplex model than the one we had onsidered.To verify this hypothesis, we re-synthesized our ir uit using the MUXCY omponent thatis part of the FPGA's fast arry logi , hoping that this omponent would be implemented insu h a way that the path through the multiplexer does not depend on the spe tator input.This was a reasonable assumption as most multiplexer implementations have this property.This time, the per eptron algorithm gave us a model that had a failure rate of 0.61%. This isstill above measurement noise, even with 40 degree Celsius variations in temperature, but iswell below inter- hip variation ( f. Figure 7).At this point, we annot say that the arbiter ir uit of Figure 5 is broken, but an extremelysimple modeling e�ort has been able to get un omfortably lose to measurement noise forone implementation of the arbiter ir uit. Similar experiments are urrently underway for theMAX ir uit.8.4. Hardening the Cir uitOur experimental results suggest that the ir uits we have proposed to date are not as strongagainst modeling atta ks as we would like. A number of dire tions an be taken to try to makethe ir uit stronger, evaluating these options will be the obje t of future work.Feed forward arbiter: An arbiter is pla ed at an intermediate point in the ir uit. Its outputdrives one of swit hes later on in the ir uit as in Figure 10(a). Many su h arbiters ouldbe added to the ir uit for in reased diÆ ulty. The major problem with this approa h isthat it adds dis ontinuities in the ir uit, i.e., onditions in whi h a slight hange in anelementary delay (due to noise, for example) an lead to a huge di�eren e in the delay ofa path. Moreover, this ir uit an easily be expressed in the additive delay model, andwe fear that a variant of the per eptron algorithm would be able to break it.Copyright 2003 John Wiley & Sons, Ltd. Con urren y Computat.: Pra t. Exper. 2003; 3:1{20Prepared using peauth. ls

IDENTIFICATION AND AUTHENTICATION OF INTEGRATED CIRCUITS 21arbiter

......

100b 101b 127b b128

switch

challenge (a)Output

OutputInput

Control

Control

Input

(b) b b

......

Sw

itch

Sw

itch

i i+1( )Figure 10. Candidate methods to defeat additive delay modeling: feed-forward arbiter to generateunknown hallenge bits (a), variable-delay bu�er implementation (b) and use ( ).Variable delay bu�ers: Here we try to add intera tions between the paths through the ir uit, reprodu ing the e�e ts of the lookup-table multiplexer implementation. This isdone by using what we all a variable delay bu�er ( f. Figure 10), a omponent thatdire tly passes a signal from its input to its output, but that does so at a di�erent speeddepending on the state of its other input. This approa h is ni e as it leads to ontinuousbut non-monotoni ir uits (the delay of the ir uit is a ontinuous fun tion of theelementary ir uit delays, but the total delay might de rease as the delay of an elementarydelay in reases). Moreover, by putting some e�ort into the delay hara teristi s of thevariable delay bu�er, the ir uit an be made hard to model in the additive delay model.Change the ir uit topology: So far we have only explored an extremely simple ir uittopology, there are s ores of other possibilities left to explore. The three things to aimfor are reliability, variability and modeling diÆ ulty. To a hieve reliability one major riterion is that the total ir uit delay should vary slowly with the elementary omponentdelays. For variability (two hips with di�erent delays have di�erent responses), that samevariation should not be too slow. The hardest part, how to reate modeling diÆ ulty,remains essentially an open problem.9. Con lusionIn this paper we have presented a te hnique for delay-based ir uit authenti ation and ondu ted preliminary experiments that show that it is viable. By using this method, it ispossible to store se rets on a hip in a way that is less vulnerable to invasive atta ks thantraditional digital methods.Experimental results have shown that there is enough variations between integrated ir uitsfor identi� ation purposes, and that the e�e t of temperature and power supply voltageCopyright 2003 John Wiley & Sons, Ltd. Con urren y Computat.: Pra t. Exper. 2003; 3:1{20Prepared using peauth. ls

22 B. GASSEND, D. LIM, D. CLARKE, M. VAN DIJK, S. DEVADASvariations an be mitigated, allowing robust identi� ation. More experiments are ne essaryunderstand the e�e ts of ir uit aging on identi� ation ability.We have argued that delay-based authenti ation is not sus eptible to onventional atta ksthat attempt to dis over a se ret, hidden key. The most plausible atta k we have foundagainst our devi es is the model-building atta k. Our experiments suggest that the urrentimplementation of our devi es ould be vulnerable to this type of atta k, but we have suggesteda number of me hanisms that might prevent them.While a number of problems need to be solved in order to use delay-based authenti ationin appli ations su h as smart ard authenti ation and software li ensing, we believe that thisis a promising dire tion for future resear h.REFERENCES1. R. Anderson and M. Kuhn. Tamper Resistan e - a Cautionary Note. In Pro eedings of the Se ond UsenixWorkshop on Ele troni Commer e, pages 1{11, Nov. 1996.2. R. Anderson and M. Kuhn. Low Cost Atta ks on Tamper Resistant Devi es. In IWSP: InternationalWorkshop on Se urity Proto ols, LNCS, 1997.3. R. J. Anderson. Se urity Engineering: A Guide to Building Dependable Distributed Systems. John Wileyand Sons, 2001.4. D. S. Boning and S. Nassif. Models of Pro ess Variations in Devi e and Inter onne t. In W. B.A. Chandrakasan and F. Fox, editors, Design of High Performan e Mi ropro essor Cir uits, hapter 6.IEEE Press, 2000.5. D. Chinnery and K. Keutzer. Closing the Gap Between ASIC & Custom. Kulwer A ademi Publishers,2002.6. F. Dartu and L. T. Pileggi. Cal ulating worst- ase gate delays due to dominant apa itan e oupling. InPro eedings of the 34th annual onferen e on Design automation onferen e, pages 46{51. ACM Press,1997.7. B. Gassend. Physi al Random Fun tions. Master's thesis, Massa husetts Institute of Te hnology, Jan.2003.8. B. Gassend, D. Clarke, M. van Dijk, and S. Devadas. Sili on Physi al Random Fun tions . In Pro eedingsof the Computer and Communi ation Se urity Conferen e, May 2002.9. B. Gassend, D. Clarke, M. van Dijk, and S. Devadas. Controlled physi al random fun tions. In Pro eedingsof 18th Annual Computer Se urity Appli ations Conferen e, De ember 2002.10. B. Gassend, D. Clarke, M. van Dijk, and S. Devadas. Delay-based ir uit authenti ation and appli ations.In Pro eedings of the 2003 ACM Symposium on Applied Computing, Mar h 2003.11. P. Ko her, J. Ja�e, and B. Jun. Di�erential Power Analysis. Le ture Notes in Computer S ien e,1666:388{397, 1999.12. Y. Liu, S. R. Nassif, L. T. Pileggi, and A. J. Strojwas. Impa t of inter onne t variations on lo k skew ofa gigahertz mi ropro essor. In Design Automation Conferen e. IEEE/ACM, June 2000.13. K. Lofstrom, W. R. Daas h, and D. Taylor. IC Identi� ation Cir uit Using Devi e Mismat h. InPro eedings of ISSCC 2000, pages 372{373, February 2000.14. A. J. Menezes, P. C. van Oors hot, and S. A. Vanstone. Handbook of Applied Cryptography. CRC Press,1996.15. J.-J. Quisquater and D. Samyde. Ele troMagneti Analysis (EMA): Measures and Counter-Measures forSmart Cards. In Pro eedings of Smart Card Programming and Se urity (E-smart 2001), LNCS 2140,pages 200{210, September 2001.16. P. S. Ravikanth. Physi al One-Way Fun tions. PhD thesis, Massa husetts Institute of Te hnology, 2001.17. S. W. Smith and S. H. Weingart. Building a High-Performan e, Programmable Se ure Copro essor. InComputer Networks (Spe ial Issue on Computer Network Se urity), volume 31, pages 831{860, April 1999.18. S. Theodoridis and K. Koutroumbas. Pattern Re ognition. A ademi Press, 2003.19. N. Weste and K. Eshraghian. Prin iples of CMOS VLSI Design: A Systems Perspe tive. Addison Wesley,1985.Copyright 2003 John Wiley & Sons, Ltd. Con urren y Computat.: Pra t. Exper. 2003; 3:1{20Prepared using peauth. ls