專題文章

2021/01/06

The Four Angles of Examining PUF

Dr. Meng-Yi Wu (PUFsecurity, the subsidiary of eMemory)

The security of AIoT devices has become increasingly important. In order to ensure that the system’s security functions are working effectively and protecting every node and edge device from information security risks, it is important to generate a unique root of trust in the security system rooted in the chip. In addition to the traditional pre-injection key method, the use of a natural root key, PUF (Physical Unclonable Function), is the latest advanced solution that provides a higher level of protection in the production process and chip security. The security and reliability, as well as the design planning and mass production of the overall security module need to be taken into consideration when integrating PUF into chip designs. In this article, we will use NeoPUF as an example to discuss the issues that might be encountered when using PUF.

I. Randomness:

NeoPUF creates entropy in two parallel transistors based on quantum tunneling mechanism (Refer to PUFSeries 3). The concept is like flipping a coin to determine the chances of heads and tails. The high voltage will be applied to NeoPUF until one of the oxides begins to have a tunneling current which determines an output value of either 0 or 1. Since each bit is an effective static entropy, NeoPUF can easily achieve an entropy pool of any capacity. We could exam the randomness of NeoPUF by using the min-entropy analysis from NIST 800-90B; its value is 0.988 and perfectly fits the IID characteristics. On the other hand, SRAM PUF often has process dependency problems, such as even-odd bit lines, even-odd word lines, or special dependencies (WL/BL Even-Odd or Pattern effect), which are unavoidable in the semiconductor manufacturing processes. SRAM PUF also requires additional pre-screening and post-processing procedures for error correction.

How do you judge whether a PUF is truly random? Is it affected by sample size? Figure 1 illustrates the relationship between Hamming Weight (HW) and key length. The area between the blue and red curves represents a reasonable HW (3sigma confidence level) distribution. Using a 128-bit key length as an example, there is a 99.7% chance that the samples will obtain a hamming distance of 37% to 63%.

Based on this theory, examining PUFs from a different perspective will lead to an interesting question given that a 128-bit PUF value is arbitrarily obtained, can we determine whether the PUF is truly random or non-random based on the Hamming weight result? The answer is hard to judge. Obviously, the PUF length is too short and the entropy pool is too small. Therefore, it impossible to obtain effective min-entropy analysis and effectively evaluate whether the sequence is truly random or not. In contrast, if the PUF entropy pool of each chip is 2048 bits or higher (such as NeoPUF), the randomness can be easily evaluated by statistical sampling methods, allowing it to be easily implemented in the chip....More