Articles https://doi.org/10.1038/s41928-018-0146-5
A provable key destruction scheme based on memristive crossbar arrays
Hao Jiang1,2, Can Li1,2, Rui Zhang1, Peng Yan1, Peng Lin1, Yunning Li1, J. Joshua Yang1*, Daniel Holcomb1* and Qiangfei Xia1*
1Department of Electrical and Computer Engineering, University of Massachusetts, Amherst, MA, USA. 2These authors contributed equally: Hao Jiang and Can Li. *e-mail: [email protected]; [email protected]; [email protected]
SUPPLEMENTARY INFORMATION
In the format provided by the authors and unedited.
Nature Electronics | www.nature.com/natureelectronics
Supplementary Figures
Supplementary Figure 1 | Different types of differential pairs that output “1” or “0”.
a, The scatter plot of the average conductance difference of each differential pair (∆G =
GLRS,left – GLRS,right) and the probabilities of outputting “1” across 200 trials. b, As an
example of Type 1, the right memristor cell in the differential pair is born in HRS and
cannot switch, in which case GLeft(LRS) is always larger than GRight(LRS) and this
differential pair reliably outputs “1”. As an example of Type 2, both devices in the
differential pair can switch back and forth normally between LRS and HRS. However, the
right cell always has a larger conductance than the left at LRS (GLeft(LRS) < GRight(LRS))
and such a differential pair produces a reliable “0”.
[Panel a: scatter plot of average ∆G (mS, −1 to 1) versus probability of “1” through switching cycles (0 to 1), with the Type 1 and Type 2 pairs marked. Panel b: histograms of counts versus conductance (mS) for GLeft(LRS), GRight(LRS), GLeft(HRS) and GRight(HRS) of the two example pairs.]
Supplementary Figure 2 | A zoom in image of part of the chip and a typical IV curve
for the hafnium oxide memristor. a, A false colour top view scanning electron
microscopic (SEM) image of the fabricated 1T1R crossbar array with TE line (column
wire), BE line (row wire), gate wire and memristor cell labeled. b, A typical current-voltage
(I-V) switching curve. The BE line is grounded during the measurement. To switch the
device to low resistance state (LRS), a positive DC voltage sweep from 0 V to 2 V to 0 V
is applied to the TE line with a 1.1 V gate voltage on the transistor. To turn off the device,
a 0 V to −1.6 V to 0 V voltage sweep is applied to the TE line with a 5 V gate voltage. The
black arrows indicate the switching directions.
[Panel a: false-colour SEM image (5 μm scale bar) with the memristor, gate wire, TE line and BE line labelled. Panel b: I-V switching curve.]
Supplementary Figure 3 | Effect of fingerprint size on inter-class and intra-class
Hamming distances. Increasing the fingerprint size yields a better separation between
intra-class and inter-class Hamming distances. Two/four adjacent 128-bit fingerprints are
combined into a 256/512-bit fingerprint and any leftover 128-bit fingerprint is discarded
(for example, chip #5 yields 31 128-bit fingerprints per cycle, which give 15 256-bit
fingerprints; the remaining 128-bit fingerprint is not used).
[Histograms of counts versus normalized Hamming distance (0 to 1) for 256-bit and 512-bit fingerprints. Intra-class: mean 0.1363 (standard deviation 0.0596) and mean 0.134 (standard deviation 0.0548). Inter-class: mean 0.5002 (standard deviation 0.033) and mean 0.5008 (standard deviation 0.025).]
Supplementary Figure 4 | Effect of temperature on the LRS and HRS resistances. The
device was switched for 50 cycles at room temperature and at 85 °C with a 1.6 V gate voltage
on the series transistor. The distributions of both LRS and HRS resistances show no
evident change, suggesting that the memristor fingerprint is insensitive to temperature
changes. This is consistent with a previous report for HfOx-based memristors1.
Supplementary Figure 5 | Effect of cycling on the LRS and HRS resistances. More
than 10^10 open-loop switching cycles are achieved from the Ta/HfO2/Pt device (5 µm × 5
µm). Electrical pulses of 1 µs width and different amplitudes (1.35 V for SET and −1.7 V
for RESET) are applied to the Ta electrode while the Pt electrode is grounded during the
cycling test. There is no evident change in the LRS resistance, whereas the HRS resistance
degrades clearly during cycling (blue dashed line).
Supplementary Figure 6 | Integrating security and computing functionalities in one
array. a, The memristor fingerprints extracted before the conductance writing. b, The same
crossbars after the conductance writing for the discrete cosine transform (DCT) (top part)
and inverse DCT (bottom part). c, The fingerprints extracted afterwards. The conductance
matrix can be used for various computing applications2. d, Normalized Hamming distances of
128-bit fingerprints before and after the conductance writing, centered at 0.21 with a
standard deviation of 0.045.
[Panels a and c: bit maps (“1”/“0”) of FPbefore and FPafter. Panel b: conductance map of the written DCT/inverse-DCT matrix, colour scale 2 to 8 ×10^−4. Panel d: histogram of counts versus normalized Hamming distance.]
Supplementary Table

Information about all 5 chips

Chip            Columns used    128-bit fingerprints generated per trial/cycle
Array/Chip #1   62              31
Array/Chip #2   64              32
Array/Chip #3   56              28
Array/Chip #4   64              32
Array/Chip #5   62              31

Information about Figures 3 and 4

Data set                    Number of chips   Trials/cycles   Total counts
Inter-class in Figure 3     5                 2               23562
Intra-class in Figure 3     5                 100             762300
Intra-class in Figure 4d    1 (5th chip)      2               31
Inter-class in Figure 4d    5                 1               3813
Intra-class in Figure 4e    1 (5th chip)      2               15
Inter-class in Figure 4e    5                 1               915
Supplementary Table 1 | Detailed information about chips and results in Figures 3
and 4. We used 5 chips in total. Some columns that were unresponsive because of poor probe
landing were not used. Each pair of neighbouring columns generates one 128-bit fingerprint. The
statistics of inter-class fractional Hamming distance of 128-bit fingerprints from two cycles
of 5 chips contain $\binom{32\times 2+31\times 2+28}{2}\times 2 = \binom{154}{2}\times 2 = 23562$ counts in total. The two cycles
are chosen before and after 100 cycles (the 50th and 151st). The intra-class results of 128-
bit fingerprints collected from 5 chips across 100 switching cycles (51st to 150th) are based
on $\binom{100}{2}\times(32\times 2+31\times 2+28\times 1) = 4950\times 154 = 762300$ counts. The distribution of Hamming
distances of 128-bit fingerprints (Fig. 4d) from the same chip (Chip #5) between Fig. 4a
and Fig. 4c contains 31 counts in total. The distribution of Hamming distances of 128-bit
fingerprints from different chips (Fig. 4d) is based on the comparison of each of the
second 31 128-bit fingerprints from this chip (Fig. 4c) with the known 128-bit
fingerprints from all other 4 chips. There are in total 31 × (31 + 32 + 28 + 32) = 31 ×
123 = 3813 counts. For the results in Fig. 4e, two adjacent 128-bit fingerprints are
combined into a 256-bit fingerprint (4 neighbouring columns) and the extra 128-bit
fingerprint is discarded. Hence, the distribution of Hamming distances of 256-bit
fingerprints from the same chip contains 15 counts while the inter-class result contains
15 × (15 + 16 + 14 + 16) = 15 × 61 = 915 counts.
Supplementary Notes
Supplementary Note 1 | Different types of differential pairs.
The differential pairs that have a high and low probability of taking the “1” value can be
seen as reliable “1” and “0” bits, respectively. The scatter plot in Supplementary Figure 1a
shows the correlation between the average conductance difference of each differential pair
(∆G = GLRS,left – GLRS,right) and the probability of outputting a “1” bit from that pair in each
trial across switching cycles. A larger |∆G| suggests a higher probability that the differential
pair can produce a reliable “1” or “0”. Pairs having comparable LRS conductance between
the left and right devices can produce either “0” or “1” due to cycle-to-cycle variations.
There are a number of different factors that determine whether a given differential pair will
produce a “0” or “1” bit, and they influence both how reliably that bit value is produced and
how unique the fingerprint will be. The reliable bits, for which the differential pairs always
output “1” or “0”, result from several different mechanisms. Type 1: Some memristor
cells in the arrays are born at LRS/HRS with extremely high/low conductance (stuck
devices). These faulty cells do not respond to voltage pulses. A larger number of Type
1 cells in an array lowers the entropy of the keys, so a memristor crossbar
array with higher yield is preferred for higher entropy; this can be achieved by further
improvement of the fabrication procedure. Type 2: Variation in the electrode morphology, the
thickness of the oxide film and the defect concentration within the switching layer can lead
to evident differences in the morphology of the conduction channel(s) after the electroforming
or first ON-switching step. Cells with narrower conduction channel(s) or lower defect
concentrations in the conduction channel(s) tend to have lower LRS conductance. Type 3:
Variation in the fabrication process can lead to metal wires with different geometries and
hence different series resistances. Cells with thicker or shorter metal electrodes have higher
LRS conductance.
In the current work, the series resistances from electrodes and routing wires are
much lower than the measured LRS resistances of the devices (~20 Ω vs. ~2000
Ω), so Type 3 cases are negligible. Supplementary Figure 1b shows typical examples
of Type 1 and Type 2 cases. The chance of Type 1 cases occurring depends on the yield,
whereas Types 2 and 3 are related to the intrinsic stochastic switching dynamics and to
process variation. Stochasticity in switching is intrinsic to memristors3,4, and process
variation exists even in commercial foundries. As a result, our memristor fingerprint can
also be applied to crossbar arrays made in a foundry.
With proper device engineering, the uniqueness and reliability of the memristor
fingerprint can be improved. For example, randomly dispersed nanoclusters can be
incorporated into the switching layer. Depending on the properties of the materials, cells
with embedded nanoclusters may always show higher5/lower6 LRS conductance than those
without nanoclusters, providing reliable bits (Type 2) throughout switching cycles. The
randomness in the distribution of metal nanoclusters can also improve the uniqueness of
the fingerprints.
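The bit-extraction rule of Supplementary Figure 1 and the intra-/inter-class Hamming-distance statistics of Figure 3 and Supplementary Table 1, as an added simulation that is not the authors' measurement code. The conductance values are constructed with a seeded generator: each cell has a fixed LRS conductance centre (the Type 2 mechanism), a fraction of right-hand cells is born stuck in HRS (Type 1), and every switching cycle adds independent read noise. The numeric constants (LRS_MEAN, HRS_MEAN, DEVICE_SIGMA, CYCLE_SIGMA, STUCK_FRAC), the 128-pair chip slice and all function names are assumptions of the example, not values from the paper.

```python
import random

LRS_MEAN = 0.30      # assumed LRS conductance centre, mS
HRS_MEAN = 0.005     # assumed conductance of a cell stuck in HRS, mS
DEVICE_SIGMA = 0.04  # assumed fixed cell-to-cell LRS variation, mS (Type 2)
CYCLE_SIGMA = 0.02   # assumed cycle-to-cycle read variation, mS
STUCK_FRAC = 0.05    # assumed fraction of right-hand cells born stuck in HRS (Type 1)


class Chip:
    """A 128-row, 2-column slice of one crossbar: 128 differential pairs (left, right)."""

    def __init__(self, rng, n_pairs=128):
        self.rng = rng
        # Fixed per-cell LRS centre: the process-variation part of the fingerprint.
        self.left = [rng.gauss(LRS_MEAN, DEVICE_SIGMA) for _ in range(n_pairs)]
        self.right = [rng.gauss(LRS_MEAN, DEVICE_SIGMA) for _ in range(n_pairs)]
        # Type 1: a right cell born in HRS that never switches (Supplementary Fig. 1b).
        self.stuck = [rng.random() < STUCK_FRAC for _ in range(n_pairs)]

    def read_lrs(self):
        """One switching cycle: set every cell to LRS and read (G_left, G_right) in mS."""
        reads = []
        for gl, gr, stuck in zip(self.left, self.right, self.stuck):
            g_left = gl + self.rng.gauss(0.0, CYCLE_SIGMA)
            g_right = HRS_MEAN if stuck else gr + self.rng.gauss(0.0, CYCLE_SIGMA)
            reads.append((g_left, g_right))
        return reads


def fingerprint(reads):
    """Bit = 1 iff G_left(LRS) > G_right(LRS), i.e. the sign of dG = G_left - G_right."""
    return [int(gl > gr) for gl, gr in reads]


def frac_hamming(a, b):
    """Normalized Hamming distance between two equal-length bit lists."""
    return sum(x != y for x, y in zip(a, b)) / len(a)


def prob_of_one(fps):
    """Per-pair probability of reading '1' across cycles (y-axis of Supplementary Fig. 1a)."""
    return [sum(fp[i] for fp in fps) / len(fps) for i in range(len(fps[0]))]


def mean(xs):
    return sum(xs) / len(xs)


def run(n_chips=5, n_cycles=100, seed=1):
    rng = random.Random(seed)
    chips = [Chip(rng) for _ in range(n_chips)]
    fps = [[fingerprint(c.read_lrs()) for _ in range(n_cycles)] for c in chips]
    # Intra-class: every pair of cycles of the same chip (the paper's C(100, 2) per fingerprint).
    intra = [frac_hamming(f[i], f[j]) for f in fps
             for i in range(n_cycles) for j in range(i + 1, n_cycles)]
    # Inter-class: fingerprints of different chips, taken from two cycles each.
    inter = [frac_hamming(fps[a][i], fps[b][j]) for a in range(n_chips)
             for b in range(a + 1, n_chips) for i in (0, 1) for j in (0, 1)]
    p1 = [prob_of_one(f) for f in fps]
    stuck_p1 = [p for c, pc in zip(chips, p1) for p, s in zip(pc, c.stuck) if s]
    reliable = [p in (0.0, 1.0) for pc in p1 for p in pc]   # never flipped in any cycle
    return {"intra_mean": mean(intra), "inter_mean": mean(inter),
            "stuck_min_p1": min(stuck_p1, default=1.0), "reliable_frac": mean(reliable)}
```

run() returns the mean intra-class and inter-class fractional Hamming distances, the lowest probability of “1” among the stuck pairs (1.0: a Type 1 pair is a perfectly reliable “1”) and the fraction of pairs that never flipped. Raising STUCK_FRAC raises that reliable fraction while lowering the entropy of the fingerprint, which is the yield trade-off described above; raising CYCLE_SIGMA relative to DEVICE_SIGMA pushes the intra-class distance towards the inter-class value and destroys the separation that the acceptance test relies on.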
Supplementary Note 2 | Detailed logic locking/unlocking scheme with provable key
destruction.
In logic locking, to prevent unlicensed use, a designer embeds mechanisms in a design that
render it “locked” after fabrication until the IP owner activates or unlocks it. As a standard
assumption in logic locking, the chip logic is designed to be unlocked by application of a
common key (CK) to unlocking inputs7. The protocol for logic locking/unlocking using a
memristor array is schematically shown in Fig. 5a and described in detail as follows.
Device enrollment. After a chip is fabricated, all memristors on the chip are set to LRS, its
embedded physical fingerprint FPchip is extracted (Fig. 5b) and sent to the IP owner through
the chip’s crypto interface. Asymmetric cryptography is used for the crypto interface, so
FPchip is encrypted on the chip with the IP owner’s public key (Mpub) as EMpub(FPchip),
which can only be decrypted with the corresponding private key Mpri. Unlike Mpub, which
can be hard-wired into the logic of all chips, Mpri is known only to the IP owner, who
decrypts the message as DMpri(EMpub(FPchip)) to learn the fingerprint FPchip and stores it in a secure
database. At this stage, therefore, only the IP owner knows the fingerprint FPchip of the
chip. The chip then generates a random key (Kchip) and writes it to the memristor
crossbar array, so that the fingerprint is now obscured underneath the key. Kchip is
then sent to the IP owner through the crypto interface, asymmetrically encrypted as
EMpub(Kchip). After the IP owner decrypts the message as DMpri(EMpub(Kchip)), Kchip is
known to the IP owner and is again stored in a secure database. At this point the IP owner
knows both the key and the fingerprint hiding underneath the key, whereas the device itself
only possesses the key.
Unlocking logic. To initiate logic unlocking for this particular chip instance at the user’s
request, the designer sends the chip an input key (IK), which is the common key (CK)
symmetrically encrypted with Kchip (IK = EKchip(CK)) (Fig. 5c). The use of symmetric
cryptography, where the encryption and the decryption use the same key, will allow the
device to decrypt IK into CK as long as it possesses Kchip. The chip stores IK permanently
into arbitrary non-secret storage. At run time, the logic on the chip decrypts IK to produce
CK (CK=DKchip(IK)) which unlocks the logic gates and allows the chip to function
correctly.
Relocking logic. While the unlocking procedure described above is ordinary, the unique
feature of our approach is that it allows the logic to be relocked in a trusted way (Fig. 5d).
The relock procedure starts with the user giving an “erase-key” command to the memristor
array, which switches all devices to LRS and generates a new fingerprint measurement
(FP’chip) from the same cells that stored Kchip. The newly generated FP’chip is sent to the
designer through the crypto interface as EMpub(FP’chip); the chip designer obtains
FP’chip after decryption (DMpri(EMpub(FP’chip))) and compares it against the known FPchip in its
database that was previously generated by the same cells. If the Hamming distance between
FP’chip and FPchip is within the range of expected distances for same-chip fingerprints, the
chip designer confirms that 1) FP’chip comes from the specific memristor array that previously
stored Kchip, and 2) Kchip has been irreversibly destroyed in order to regenerate the fingerprint.
Since Kchip is now erased and cannot be recovered, the chip can no longer decrypt IK into
CK to unlock the logic at runtime. In this setting, the chip has used the recovered fingerprint
to prove that the key that was obscuring the fingerprint is now destroyed. It should be noted
that, since the user does not know Kchip (only the IP owner held the private key needed to read it),
the user has no way to re-write Kchip and cannot decrypt IK to CK in order to unlock the
device for future operation. Our work experimentally demonstrated the feasibility of
provable key destruction with memristor crossbar arrays for practical applications.
Supplementary Note 3 | Detailed discussion on the threat model of the proposed
provable key destruction for logic locking/unlocking.
We use a scenario of logic locking to demonstrate an application of key destruction. Logic
locking is a known technique to prevent a contract foundry from overproducing sellable
copies of an IP owner’s design without the owner's knowledge. Locking thwarts overproduction
by fabricating locked chips that must be individually unlocked before they are usable. The
first threat to model is a foundry that wants to overproduce and unlock chips in order to sell them.
Overproduced chips are assumed to be functionally identical to the contracted chips, since
they would be produced with the same (correct) mask set. The output of the memristor
array is always either a fingerprint FPchip or the randomly generated Kchip, neither of which
is guessable by the foundry. The foundry does not possess the IP owner's private key and
cannot break public-key cryptography to learn Kchip or FPchip. Therefore, because the
foundry does not know Kchip, it cannot produce a value that would decrypt to the
common key (CK). The second threat to model is an end user with a legitimately unlocked
IP who wants to keep the IP unlocked while convincing the IP owner that it has been
relocked. This adversary is also unable to break public-key cryptography, but can intercept,
generate, replay or deny all messages sent to or from the locking circuitry. To succeed,
this adversary must either forge a proof of key destruction, or legitimately destroy the key
and then illegitimately unlock the logic. Illegitimately unlocking the circuit is the same problem
as a foundry wanting to unlock chips, so we focus here on forging a proof of
key destruction. Forging key destruction would require generating FP'chip without
erasing Kchip from the memristor state. If FP’chip could be generated, the adversary
could encrypt FP'chip with the public key Mpub and send it to the IP owner as the forged proof
of key destruction. The end user could also try to collude with the enroller to obtain an
encrypted value EMpub(FP’chip) and replay it later to claim destruction without knowing
FP’chip. This is prevented with a cryptographic nonce (a number or bit string used only once):
the asymmetrically encrypted value is the fingerprint measurement XORed with a nonce
chosen by the IP owner after device enrollment, so a replayed ciphertext does not unmask to the
expected fingerprint under a fresh nonce. The cryptographic nonce prevents replay
attacks as shown in Figure 5.
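The enrollment, unlocking and relocking exchange of Supplementary Note 2, together with the adversarial moves of Supplementary Note 3 (an overproduced chip without Kchip, a replayed proof, a guessed FP’chip), as an added end-to-end simulation that is not the authors' code. Everything in it is an assumption of the example rather than a specification from the paper: the memristor array is abstracted to key cells whose read-out after erase-key is the chip fingerprint with INTRA_FLIP of its bits flipped (chosen so that two measurements differ in about 13% of bits, the intra-class mean reported for 128-bit fingerprints); the asymmetric interface EMpub/DMpri is textbook RSA over two Mersenne primes, unpadded and suitable only for a walk-through; the symmetric cipher for IK = EKchip(CK) is an HMAC-SHA256 keystream XOR; the locked logic is modelled by a keyed hash; and ACCEPT_THRESHOLD is the same-chip acceptance bound, placed between the intra-class (about 0.13) and inter-class (about 0.5) Hamming-distance distributions. All class, function and parameter names are the example's own.

```python
import hashlib
import hmac
import random

FP_BYTES = 16            # 128-bit fingerprints and keys, as in the paper
INTRA_FLIP = 0.07        # assumed per-bit error of one measurement: two differ in ~13% of bits
ACCEPT_THRESHOLD = 0.30  # assumed: fractional HD <= 0.30 counts as the same chip
# Textbook RSA as the (Mpub, Mpri) stand-in: dependency-free, but unpadded and demo only.
_P, _Q = (1 << 61) - 1, (1 << 89) - 1        # both Mersenne primes
RSA_N, RSA_E = _P * _Q, 65537
RSA_D = pow(RSA_E, -1, (_P - 1) * (_Q - 1))  # Mpri: held by the IP owner only
MPUB = (RSA_N, RSA_E)                        # Mpub: hard-wired into every chip

def asym_encrypt(pub, msg: bytes) -> int:
    return pow(int.from_bytes(msg, "big"), pub[1], pub[0])

def asym_decrypt(priv: int, ct: int) -> bytes:
    return pow(ct, priv, RSA_N).to_bytes(FP_BYTES, "big")

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def sym_crypt(key: bytes, data: bytes) -> bytes:
    """Symmetric stand-in: XOR with an HMAC-SHA256 keystream (same call both ways)."""
    return xor(data, hmac.new(key, b"logic-lock-IK", hashlib.sha256).digest()[:len(data)])

def frac_hamming(a: bytes, b: bytes) -> float:
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b)) / (8 * len(a))

def rand_bytes(rng, n: int) -> bytes:
    return bytes(rng.getrandbits(8) for _ in range(n))

def locked_function(key: bytes, x: bytes) -> bytes:
    """Stand-in for the key-gated logic: the output is correct only with the true CK."""
    return hashlib.sha256(key + x).digest()

class MemristorArray:
    """Key cells: hold a written Kchip or, after erase-key, read back as a noisy FPchip."""
    def __init__(self, rng):
        self._rng, self._key = rng, None              # _key None: every cell at LRS
        self._intrinsic = rand_bytes(rng, FP_BYTES)   # the physical fingerprint
    def _measure(self) -> bytes:                      # FPchip with INTRA_FLIP bit errors
        noise = bytes(sum(1 << i for i in range(8) if self._rng.random() < INTRA_FLIP)
                      for _ in range(FP_BYTES))
        return xor(self._intrinsic, noise)
    def erase_key(self) -> bytes:                     # switch all to LRS: Kchip is gone
        self._key = None
        return self._measure()
    def write_key(self, key: bytes):
        self._key = key
    def read(self) -> bytes:                          # reachable only by the on-chip decrypt logic
        return self._key if self._key is not None else self._measure()

class Chip:
    def __init__(self, rng):
        self._rng, self.array, self.ik = rng, MemristorArray(rng), None
    def enroll(self):                                 # Fig. 5b
        e_fp = asym_encrypt(MPUB, self.array.erase_key())
        kchip = rand_bytes(self._rng, FP_BYTES)
        self.array.write_key(kchip)
        return e_fp, asym_encrypt(MPUB, kchip)
    def compute(self, x: bytes) -> bytes:             # Fig. 5c: CK = D_Kchip(IK) at run time
        return locked_function(sym_crypt(self.array.read(), self.ik), x)
    def prove_destruction(self, nonce: bytes) -> int: # Fig. 5d: E_Mpub(FP'chip XOR nonce)
        return asym_encrypt(MPUB, xor(self.array.erase_key(), nonce))

class IPOwner:
    def __init__(self, rng):
        self._rng, self._priv, self.ck = rng, RSA_D, rand_bytes(rng, FP_BYTES)
        self.db, self.pending = {}, {}                # chip -> {fp, key}; chip -> live nonce
    def enroll(self, cid, e_fp, e_k):
        self.db[cid] = {"fp": asym_decrypt(self._priv, e_fp), "key": asym_decrypt(self._priv, e_k)}
    def issue_ik(self, cid) -> bytes:                 # IK = E_Kchip(CK)
        return sym_crypt(self.db[cid]["key"], self.ck)
    def challenge(self, cid) -> bytes:                # fresh nonce for each relock attempt
        self.pending[cid] = rand_bytes(self._rng, FP_BYTES)
        return self.pending[cid]
    def verify_destruction(self, cid, proof: int) -> bool:
        nonce = self.pending.pop(cid)                 # single use: a replay meets a new nonce
        fp_new = xor(asym_decrypt(self._priv, proof), nonce)
        return frac_hamming(fp_new, self.db[cid]["fp"]) <= ACCEPT_THRESHOLD

def demo(seed=7) -> dict:
    rng, x = random.Random(seed), b"constructed input"
    owner, chip = IPOwner(rng), Chip(rng)
    owner.enroll("chip5", *chip.enroll())
    chip.ik = owner.issue_ik("chip5")
    ref = locked_function(owner.ck, x)                                 # a genuine unlocked output
    r = {"unlocked_ok": chip.compute(x) == ref}
    proof = chip.prove_destruction(owner.challenge("chip5"))           # honest relock
    r["relock_accepted"] = owner.verify_destruction("chip5", proof)
    r["relocked_chip_locked"] = chip.compute(x) != ref
    owner.challenge("chip5")                                           # threat 2: replay an old proof
    r["replay_rejected"] = not owner.verify_destruction("chip5", proof)
    nonce = owner.challenge("chip5")                                   # threat 2: guess FP'chip
    fake = asym_encrypt(MPUB, xor(rand_bytes(rng, FP_BYTES), nonce))
    r["forge_rejected"] = not owner.verify_destruction("chip5", fake)
    clone = Chip(rng)                                                  # threat 1: overproduced chip
    clone.ik = chip.ik                                                 # IK is public, Kchip is not
    r["foundry_chip_locked"] = clone.compute(x) != ref
    return r
```

demo() returns six checks that should all be True: the enrolled chip computes correctly; an honest erase-key is accepted and leaves the chip unable to recover CK, because the key cells now read back as a fingerprint; a replayed proof and a guessed FP’chip are both rejected, since the owner unmasks with a nonce that is discarded after one use; and a chip that never received Kchip cannot unlock even with a copy of IK. The acceptance bound is the one parameter a deployment has to set from measured data: it must exceed the intra-class distance for the fingerprint size in use, and the inter-class distribution determines how often a guessed fingerprint would slip under it.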
Supplementary References
1. Jiang, Z. et al. Microsecond transient thermal behavior of HfOx-based resistive random access memory using a micro thermal stage (MTS). IEEE Electron Dev. Meet. 21.3.1–21.3.4 (San Francisco, CA, USA, 2016).
2. Li, C. et al. Analogue signal and image processing with large memristor crossbars. Nat. Electron. 1, 52–59 (2018).
3. Jiang, H. et al. A novel true random number generator based on a stochastic diffusive memristor. Nat. Commun. 8, 882 (2017).
4. Guan, X., Yu, S. & Wong, H. S. P. On the switching parameter variation of metal-oxide RRAM—part I: physical modeling and simulation methodology. IEEE Trans. Electron Devices 59, 1172–1182 (2012).
5. Arai, T., Ohta, A., Makihara, K. & Miyazaki, S. Impact of embedded Mn nanodots on resistive switching characteristics of Si-rich oxides as measured in Ni-electrode metal–insulator–metal diodes. Jpn. J. Appl. Phys. 55, 06GH07 (2016).
6. Yoon, J. H. et al. Highly improved uniformity in the resistive switching parameters of TiO2 thin films by inserting Ru nanodots. Adv. Mater. 25, 1987–1992 (2013).
7. Roy, J. A., Koushanfar, F. & Markov, I. L. EPIC: ending privacy of integrated circuits. Computer 43, 30–38 (2010).