
SRAM PUF

Rishabh Shukla (Roll No.2019VLSI06)

ABV-Indian Institute of Information Technology and Management Gwalior,
Morena Link Road, Gwalior, Madhya Pradesh, INDIA - 474010.

December 3, 2020

Rishabh Shukla (Roll No.2019VLSI06) (mtvlsi201906@iiitm.ac.in) December 3, 2020 1 / 41


Contents

1 Introduction

2 Classification of PUF

3 Key metrics of PUF

4 6T SRAM PUF

5 Basic Operation of SRAM PUF

6 Key Generation and Enrollment

7 Complete System

8 Aging Effect On SRAM PUF

9 Two-Bit SRAM PUF Cell

10 Conclusion

11 References



Physically Unclonable functions

A Physical Unclonable Function (PUF) is a cost-effective security primitive to address
hardware attacks such as cloning, impersonation and Intellectual Property (IP)
violation.

PUFs rely on intrinsic undetectable manufacturing variations in the CMOS process
which can be utilized to generate a unique digital identifier.

It is highly desirable that the PUF be very sensitive to these local mismatches to
give each element a maximized uniqueness / randomness.

At the same time, noise and PVT (process, voltage, temperature) variations should
not affect the PUF output, thus enabling high repeatability and reliability.



Properties Of PUF

The challenge response pair (CRP) should be different.

Challenge Response Pair should be easily generated in a short period of time.

It should not be possible to model the PUF on the basis of challenge response pair.

Even if an attacker is able to crack the CRP at one instance, they should not be able to
do it again, i.e. the possibility of a multiplicity attack should be low.



Classification Of PUF based on Fabrication

Silicon PUF
These types of PUFs are interfaced with other ICs and are fabricated on the same
die as part of the circuit. The process variation during fabrication is captured as a
challenge and the difference in circuit characteristics (timing and delay information)
is produced as a unique response for a given challenge.

Non Silicon PUF
PUFs that are not classified as silicon PUFs are referred to as non-silicon PUFs. They
are fabricated in silicon systems but require special fabrication techniques which are
not part of generic CMOS fabrication technology. The response is generated from
the challenge set obtained from the random physical variation in the physical system
rather than the ICs.



Classification Of PUF based on Security

Strong PUF
This class of PUFs supports a very large number of CRPs. Since access to the PUF’s
CRPs is available to the outside world, protection is provided through very complex
input-output relations and an exponential number of CRPs. This type of PUF is
frequently used for device authentication purposes and operates in the range of a few
MHz, so even a short duration of eavesdropping can collect many CRPs. However,
all known strong PUFs are vulnerable to one or more types of attack.

Weak PUF
This type of PUF has very few (worst case can be one), fixed challenges and hence
its responses are never given to the public. They are mainly used to derive a secret
key in cryptographic algorithms and are the least susceptible to modeling attacks.
They are also known as Physically Obfuscated Keys (POKs).



Implementation Of PUF

Cover based PUF
They utilize special materials as coating to produce a random response. For
example, in an optical PUF a special layer of light scattering material is randomly
distributed. When a laser beam is incident over the layer, it produces a random
interference pattern which is used as a unique signature.

Delay Based PUF
They utilize the propagation delay between identical circuits in order to derive a
response. Ring oscillator (RO) PUFs are based on frequency variation while switch
based/arbiter PUFs are based on propagation delay.

Memory Based PUF
They produce an output response based on the unpredictable startup state of
feedback-based CMOS memory structures such as latches, flip flops, and Static
RAM (SRAM) cells.



Key metrics for PUF

Uniqueness
It is a measure of the average inter-chip Hamming Distance (HD) of the response
obtained from a group of chips. The HD of two strings of bits is simply the number
of bits in which the strings differ. It quantifies how different one chip is from
another. When the process variation is large, the value of uniqueness will also be
large.
An ideal PUF has a uniqueness value of 50 percent, which means that approximately
half the bits in the responses of the PUFs (for the same input) should be different.

Reliability
It is a measure of how reliable the CRP is under noise and environmental
variations. For the given challenge, the PUF should give the same response under
varying operating conditions.
The ideal value for reliability is 100 percent, which means that the PUF should
produce an identical response under widely varying noise and environmental
interference.

Randomness
It is a measure of balance between “0”s and “1”s in the response bits of the PUF
and measures the randomness. The ideal value is 100 percent (i.e. perfect balance).



Key metrics for PUFs (contd..)

Correctness
It is a measure of correctness of the response under different operating conditions.
The ideal value is 100 percent.

Bit Aliasing
It is a measure of the bias of a particular response bit across several chips. The ideal
value is 50 percent.

Uniformity
It is a measure of how random the CRP is. For a response to be random, the number
of “0”s and “1”s in the response should occur with equal probability (i.e. 50 percent).
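
The metrics above can be computed directly from read-out responses. The following Python sketch is an added example, not part of the original slides: the four 8-bit chip responses and the two re-reads are constructed sample data, and reliability is taken as 100 percent minus the average intra-chip HD, a common convention that the slides do not spell out.

```python
from itertools import combinations

def hd(a, b):
    """Hamming distance between two equal-length bit strings."""
    return sum(x != y for x, y in zip(a, b))

def uniqueness(chips):
    """Average inter-chip HD over all chip pairs, in percent (ideal: 50)."""
    n = len(chips[0])
    pairs = list(combinations(chips, 2))
    return 100.0 * sum(hd(a, b) for a, b in pairs) / (len(pairs) * n)

def reliability(reference, rereads):
    """100 minus the average intra-chip HD against a reference read (ideal: 100)."""
    n = len(reference)
    intra = sum(hd(reference, r) for r in rereads) / (len(rereads) * n)
    return 100.0 - 100.0 * intra

def uniformity(response):
    """Share of '1' bits within one response, in percent (ideal: 50)."""
    return 100.0 * response.count("1") / len(response)

def bit_aliasing(chips):
    """Share of chips that read '1' at each bit position, in percent (ideal: 50)."""
    return [100.0 * sum(c[i] == "1" for c in chips) / len(chips)
            for i in range(len(chips[0]))]

# Constructed sample data: one power-up response per chip, same challenge.
CHIPS = ["10110010", "01101100", "11010001", "00011110"]
# Constructed re-reads of chip 0 under different operating conditions.
REREADS_CHIP0 = ["10110011", "10100010"]

def report():
    """Collect all metrics for the constructed data set."""
    return {
        "uniqueness": uniqueness(CHIPS),
        "reliability_chip0": reliability(CHIPS[0], REREADS_CHIP0),
        "uniformity": [uniformity(c) for c in CHIPS],
        "bit_aliasing": bit_aliasing(CHIPS),
    }

if __name__ == "__main__":
    for name, value in report().items():
        print(name, value)
```

In this data set bit positions 3 and 7 show aliasing of 75 and 25 percent: those cells lean the same way on most chips and contribute less to distinguishing one chip from another.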



Basic application of PUF

Identification
It denotes that an entity, for PUFs and other microelectronics normally a chip, can
be identified by an Identifier (ID). The main requirement is (of course) that the ID is
unique, so that every entity or chip can be identified correctly.

Key Generation
Key generation is an important issue in cryptography. For example to exchange
information securely, a secret key is needed to encrypt and decrypt the information.
Key generation is not trivial since a good key has to be random and sources of true
randomness are rare.

Authentication
After the process of authentication an entity can be trusted, so its ID is verified. To
verify the ID it is typically proven to the verifier that the entity knows, possesses or
contains a particular secret. For PUFs, authentication is usually done with a CRP
based protocol.



Basic application of PUF

Public-Key Cryptography
In the enrollment phase the first step is again to read out or assign IDs to the
entities. Since authentication relies on a stable key afterwards, helper data has to be
generated out of the PUF response, which is then stored inside the NVM of the
entity or sent to the verifier. With the helper data a public key is generated which is
sent together with the ID to the verifier and stored in the database.

Private-Key Cryptography
As an example, during the enrollment phase the entity generates a
symmetric key out of the PUF response (with the help of a fuzzy extractor) and sends it
together with a generated ID to the verifier. In the authentication phase a
nonce is encrypted with this symmetric key and then sent to the entity, which can
decrypt it and send the decrypted nonce back to the verifier.



6T SRAM CELL

SRAM memory consists of SRAM cells, each of which stores one bit.
In typical Complementary Metal-Oxide-Semiconductor (CMOS) implementations
one SRAM cell is built out of 6 Metal-Oxide-Semiconductor Field-Effect Transistors
(MOSFETs) and is therefore called a 6T-SRAM cell.
A typical SRAM cell is shown in the figure below.



Basic Operation of SRAM PUF

A 6T SRAM cell consists of two cross-coupled inverters, as shown in the figure below.

These cross-coupled inverters have two stable states which are denoted by ’0’ and
’1’, so they build the ’storage’ of the cell.

The word line (WL) is used together with M5 and M6 to control access to the bit
lines BL and BL-bar. Over these bit lines the bits are written as well as read.



Basic Operation of SRAM PUF (contd..)

When supplying voltage to Vdd the SRAM cell evolves to one of its operating
points, but it is not immediately clear to which one.

During power-up, Vdd increases towards its final value (e.g. 1.35V).

Due to process variations one of the PMOS transistors (M2 or M4) has a lower
threshold voltage Vth and therefore starts conducting first, so I1 or I2 rises. This
leads to an increasing voltage of the corresponding node Q or Q-bar.

Therefore, because of the process variation, each cell will always start with that same state.

Since this reliability together with the uniqueness of different SRAM cells are
important PUF properties, it can be concluded that SRAM Memory can be used as
a PUF.



Generation of temperature specific keys in SRAM PUF

We will first see a detailed description of the methodology for data collection and
the data collection system.

Then we will see how SRAM PUFs are used as a means to establish a key between
two communicating nodes with the temperature of the environment.



Generation of temperature specific keys in SRAM PUF
(contd..)

The objective here is to use PUFs to generate keys which change with temperature
with a fixed step size.

The response of the PUFs changes with temperature.

If the distance between the responses at two different consecutive temperatures is
higher than the within-class (temperature) Hamming distances at those
temperatures, this variation is used to generate temperature dependent keys.



Generation of temperature specific keys in SRAM PUF
(contd..)

Data Collection
Data remanence

To collect multiple power-up responses from the SRAMs, the maximum retention time is
evaluated at the lowest temperature (0 °C).
This makes sure that the old values from the SRAMs are erased before evaluating a
new trial.

Memories are devices that store the state in the form of charges. These charges are
lost due to leakages in the devices causing the data to be lost when power is turned
off.

At low temperatures, the leakages are reduced exponentially. The leakage current in
an MOS device is directly proportional to the temperature.



Generation of temperature specific keys in SRAM PUF
(contd..)

The following steps are performed for data collection:

1. The SRAM chip is soaked at the desired temperature in the heat chamber.

2. A microcontroller writes zeroes into all the cells of the SRAM chip.

3. The power line of the chip is grounded and then the data is read out after a
specified delay.

4. The delay is incremented by 20 ms and the experiment is repeated from step 2 until the
Hamming weight stops increasing further.



Generation of temperature specific keys in SRAM PUF
(contd..)

A system for data collection is shown below



Key Enrollment and generation

1- Key Enrollment

Enrollment is done to generate helper data from the key and the PUFs that can be
used later by the system to generate the same key.

Enrollment of keys is done for each temperature step to generate a per temperature
(T) key denoted by K_T.

A BCH encoder having a block size of n bits, a message input of k bits and t
correctable errors is used.

To generate a K-bit key, it is divided into blocks of k bits.



Key Enrollment and Generation(contd..)

Per Temperature One Time Key Generator



Key Enrollment and generation(contd..)

1- Key Enrollment

For each block i of k-bit input, an n-bit output codeword C_{T,i} is generated by the
BCH encoder.

This codeword is then offset by the response of the PUF R_{T,i} at the same
temperature T, which generates the n-bit helper data H_{T,i}.

This helper data will be used later by the system to generate the key for that
temperature.

The enrollment process will be performed for the whole operating temperature range
of the system.



Key Enrollment and generation(contd..)

2- Key generation

To generate the key, the temperature is read from the temperature sensor and is
used to read out the correct helper data H_{T,i} from the memory.

This helper data gets offset by the n-bit PUF response R'_{T,i}.

The response of the PUF is noisy and tends to change over evaluations.

The response used to offset the helper data may be different from the response R_{T,i}
used during enrollment.



Key Enrollment and generation(contd..)

Per Temperature Key generation



Key Enrollment and generation(contd..)

2- Key generation

This will produce a corrupted codeword C'_{T,i}.

The k bits of the key can be recovered from the invalid codeword as long as the
number of errors in the response is within the t correctable errors of the BCH code
used.

At the output of the BCH decoder, we will get the enrolled key for that temperature
if the previous condition is satisfied.
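
The enrollment and key generation steps described above, as an added Python example that is not part of the original slides. The slides do not give n, k or t; this sketch assumes the BCH(15,7) code with t = 2, replaces an algebraic BCH decoder with an exhaustive bounded-distance search over the 128 codewords, and uses constructed PUF responses and keys.

```python
# Assumed parameters: BCH(15,7), t = 2, g(x) = x^8 + x^7 + x^6 + x^4 + 1.
N, K, T_CORR = 15, 7, 2
GEN = 0b111010001

def bch_encode(msg):
    """Systematic encoding: codeword = msg * x^8 + (msg * x^8 mod g(x))."""
    rem = msg << (N - K)
    for shift in range(K - 1, -1, -1):
        if rem & (1 << (shift + N - K)):
            rem ^= GEN << shift
    return (msg << (N - K)) | rem

CODEBOOK = {bch_encode(m): m for m in range(1 << K)}

def bch_decode(word):
    """Return the k-bit message of the codeword within t errors, else None."""
    for codeword, msg in CODEBOOK.items():
        if bin(codeword ^ word).count("1") <= T_CORR:
            return msg
    return None

def enroll(key_blocks, response_blocks):
    """Helper data H_{T,i} = C_{T,i} XOR R_{T,i} for every k-bit key block."""
    return [bch_encode(k) ^ r for k, r in zip(key_blocks, response_blocks)]

def generate(temp_c, response_blocks, helper_store):
    """Pick helper data by sensor temperature, offset it with the fresh
    response R'_{T,i} and decode the corrupted codeword C'_{T,i}."""
    helper = helper_store[temp_c]
    return [bch_decode(h ^ r) for h, r in zip(helper, response_blocks)]

def flip(blocks, positions):
    """Model read-out noise: flip the listed bit positions in each block."""
    return [b ^ sum(1 << p for p in pos) for b, pos in zip(blocks, positions)]

# Constructed sample data: two 15-bit response blocks per enrolled temperature.
ENROLLED_RESPONSE = {
    20: [0b101100111000101, 0b010011010111001],
    40: [0b110001011010011, 0b001110100101100],
}
# Constructed 14-bit keys K_T, split into two 7-bit blocks each.
KEYS = {20: [0b1011001, 0b0010110], 40: [0b1110001, 0b0101011]}
HELPER = {t: enroll(KEYS[t], ENROLLED_RESPONSE[t]) for t in KEYS}

if __name__ == "__main__":
    noisy = flip(ENROLLED_RESPONSE[20], [(0, 9), (14,)])      # at most t errors
    print(generate(20, noisy, HELPER) == KEYS[20])
    too_noisy = flip(ENROLLED_RESPONSE[20], [(0, 9, 14), ()])  # t + 1 errors
    print(generate(20, too_noisy, HELPER)[0] == KEYS[20][0])
```

With at most two flipped bits per block the enrolled key is reproduced; with three flipped bits in a block the decoder returns either no message or a different one, never the enrolled block.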



Complete System

Complete system



Complete System

The complete system is shown in the above slide. When the master node requests
communication with the slave node, the slave node generates the key based on its
ambient temperature.

The key is generated using the scheme proposed in the previous section.

The slave node sends its first message, containing information already known to the
master, encrypted with the key generated at temperature T along with its ambient
temperature to establish a secure communication line.



Complete System(contd..)

The master node knows the keys for the slave node at each enrolled temperature.
Using the temperature reported by the slave node, the master node can use the key
for that temperature to decrypt the message packet.

In the case of failure in decryption of the message, the master node will be able to
detect that the reported temperature was fake and the node has been tampered with.

Thus, the key will serve as a proof of temperature.



Aging Effect On SRAM PUF

During nominal operations, a digital CMOS circuit in a silicon chip degrades over
time.

Negative Bias Temperature Instability (NBTI) results in a temporal increase of the threshold
voltage, particularly for a switched-on PMOS transistor.

For simplicity, all the following parameters related to PMOS are treated as positive
values.



Aging Effect On SRAM PUF(Contd..)

In Fig. 1, when an SRAM cell stores state zero (Q = 0), P1 is switched off and P2 is
switched on. As a result of NBTI, Vth,P2 will increase while Vth,P1 is not affected.

Also, the fact that P2 is switched on indicates that initially Vth,P2 is smaller than
Vth,P1. Therefore, the temporal tendency of this SRAM cell is that Vth,P2 -
Vth,P1 grows smaller.



Aging Effect On SRAM PUF(Contd..)

Smaller Vth,P2 - Vth,P1 means the SRAM cell is more balanced and more likely to
have PUF response bits flip.

From the reliability perspective, this effect degrades the SRAM PUF as a key
generation scheme since more SRAM cells tend to lose stability and randomly flip,
i.e. the reliability of SRAM PUF worsens over time. From the randomness
perspective, more SRAM cells become balanced and unpredictable over
measurements, i.e. more randomness can be harvested based on SRAM PUFs.



Aging Effect On SRAM PUF(Contd..)

Additionally, with the introduction of high-permittivity gate dielectrics, Positive Bias
Temperature Instability (PBTI) for a switched-on NMOS transistor is also becoming
more significant.

Due to this effect, an NMOS transistor operating with a positive gate-to-source
voltage experiences a time-dependent threshold voltage increase.



Two-Bit SRAM PUF Cell

In the Two-Bit SRAM PUF cell, the PMOS transistors in the latch (P1 and P2) have
negligible contribution to the mismatch, since the decision voltage is very close to
VCC.

One of the two NMOS pairs (N1/N2 or N3/N4) can be enabled to generate two
orthogonal bits.



Two-Bit SRAM PUF Cell(Contd..)



Two-Bit SRAM PUF Cell(Contd..)

The diagram of the circuit is presented in the figure above, together with the
transistors’ sizes of the Si implementation. In parallel to the original N1-N2 pair,
another pair, N3-N4, is instantiated.

To select between the pairs, two switches, S2 and S3, are added, such that before
the decision of the cell only one of them starts to conduct, enabling the flow of
current through only one of the NMOS pairs.

The channel length of S1 is increased, to increase the resistance of the discharge
path and raise the decision voltage towards VCC.



Two-Bit SRAM PUF Cell(Contd..)

The decision voltage influences the Hamming Distance (HD) between the two
responses of an array of PUF cells, when one is taken from the N1-N2 pairs and the
second from the N3-N4 pairs.

Ideally, the HD between these responses is required to be near 50 percent, such that half
of the bits change their state between the responses. Any number below or above it
hints at an influence from P1/P2 on the response generated by the NMOS pairs.



Two-Bit SRAM PUF Cell(Contd..)

In order to have the decision voltage as close as possible to the power rail, two
measures are taken.

First, the discharge paths of O and OB are designed to be highly resistive.



Two-Bit SRAM PUF Cell(Contd..)

This is achieved by utilizing a high-Vt (threshold voltage) transistor for S1, along
with increasing its channel length to 1 µm.

This increased, in simulations, the HD in most PVT corners to nearly 50 percent.

However, in very low-Vt PVT corners, i.e. fast process with high temperature, the
effect of this change isn’t sufficient since there, even with high decision voltage, the
PMOS pair conducts enough to affect the decision, resulting in a decreased HD.



Two-Bit SRAM PUF Cell(Contd..)

To overcome this issue, a second design change is implemented, and transistors P1,
P2 are also replaced with their high-Vt variants.

This change results in increasing the HD in all PVT corners to nearly 50 percent.

It should be noted that the transistors P1, P2, N1-4, S2, S3 and K1, K2 are
minimum sized and separately laid out, in order to maximize the mismatch between
them.

The rest of the transistors are also high-Vt, to enable efficient layout.



Conclusion

The feasibility of using the SRAM PUFs for temperature based key establishment is
studied.

A system for error correction and key generation based on temperature is also
studied.

Future work can be done to narrow down the bits of SRAM that can be used to
distinguish temperature and reduce the response size needed for the SRAM.



References I

[1] R. Wang, G. Selimis, R. Maes, and S. Goossens, “Long-term continuous assessment of sram puf and source of random
numbers,” in 2020 Design, Automation Test in Europe Conference Exhibition (DATE), 2020, pp. 7–12.

[2] S. Satpathy, S. K. Mathew, V. Suresh, M. A. Anders, H. Kaul, A. Agarwal, S. K. Hsu, G. Chen, R. K. Krishnamurthy, and
V. K. De, “A 4-fj/b delay-hardened physically unclonable function circuit with selective bit destabilization in 14-nm trigate
cmos,” IEEE Journal of Solid-State Circuits, vol. 52, no. 4, pp. 940–949, 2017.
[3] Y. Gao, Y. Su, W. Yang, S. Chen, S. Nepal, and D. C. Ranasinghe, “Building secure sram puf key generators on resource
constrained devices,” in 2019 IEEE International Conference on Pervasive Computing and Communications Workshops
(PerCom Workshops). IEEE, 2019, pp. 912–917.

[4] L. Lu and T. T.-H. Kim, “A sequence-dependent configurable puf based on 6t sram for enhanced challenge response space,”
in 2019 IEEE International Symposium on Circuits and Systems (ISCAS). IEEE, 2019, pp. 1–5.

[5] C. Q. Liu, Y. Zheng, and C.-H. Chang, “A new write-contention based dual-port sram puf with multiple response bits per
cell,” in 2017 IEEE International Symposium on Circuits and Systems (ISCAS). IEEE, 2017, pp. 1–4.

[6] C. Lipps, A. Weinand, D. Krummacker, C. Fischer, and H. D. Schotten, “Proof of concept for iot device authentication based
on sram pufs using atmega 2560-mcu,” in 2018 1st International Conference on Data Intelligence and Security (ICDIS).
IEEE, 2018, pp. 36–42.
[7] M. Usmani, “Applications of physical unclonable functions on asics and fpgas,” in Masters Theses. University Of
Massachusetts Amherst, 2018, p. 689.
