The present disclosure relates to a system and a method for identifying or authenticating circuits using static identifiers. More particularly, the present disclosure relates to a system and a method for identifying or authenticating circuits using physical fingerprints, such as the data retention voltage (DRV) of static random access memory (SRAM).
RFID circuits can be identified or authenticated using static identifiers stored in non-volatile memory or through the use of identifying physical characteristics. Physical characteristics have several security advantages over static identifiers, including immutability and resistance to cloning and tampering. The physical characteristics can be viewed as an identifying fingerprint of a given device. More formally, physical fingerprints may be a component of a particular type of physical unclonable function (PUF) that is originally described as a physically obfuscated key, and more recently as a weak PUF.
A wide variety of PUFs and fingerprints based on custom or pre-existing integrated circuit components have been developed. The identifying features used by custom designs include MOSFET drain-current, timing race conditions, and the digital state taken by cross-coupled logic after a reset.
IC identification based on pre-existing circuitry is demonstrated using SRAM power-up state, and physical variations of flash memory. A secret key unique to each IC may be derived using the statistical delay variations of wires and transistors across ICs. Circuit-level techniques have been explored for increasing the reliability of SRAM PUFs. An experimental evaluation of low-temperature data remanence on a variety of SRAMs has been provided, and SRAM remanence in RFID has been studied as a limitation to SRAM-based true random number generation.
Previous works have used error correction to construct secret keys from noisy PUF sources; however, this is expensive in terms of gates and other resources. To give an idea of the cost of error correction, BCH codes previously used with PUFs include one to correct 21 errors among 127 raw bits in creating a 64-bit key, and to correct 102 errors among 1023 raw bits in creating a 278-bit key. A derivative of power-up SRAM state has been used as a secret key; however, it requires an error correction code and imposes SRAM space overhead. An SRAM helper data algorithm has been introduced to mask unreliable bits using low-overhead post-processing algorithms. Recently, a method of error correction for PUFs using a new syndrome coding scheme has been proposed to minimize the information leaked by the error correction codes. This approach has been extended for SRAM PUFs. A new lightweight authentication scheme has been designed using PUFs that does not require the reader to store a large number of PUF challenge and response pairs.
If used for identification or constructing secret keys, fingerprint observations must be consistent over time. Sensing the microscopic variations that make each device unique while also minimizing the impact of noise is a fundamental concern in PUFs. Much effort is spent on error correction of somewhat-unreliable fingerprints or PUF outputs. Error correcting codes are expensive in terms of the number of raw bits required to create a reliable key, and more so if the number of correctable errors must be large.
There is a need for methods and systems for chip fingerprinting that are more reliable across trials and that need no error correction, or only slight error correction.
A new fingerprinting method that is more reliable across trials than comparable previous approaches is disclosed herein below.
The method for chip fingerprinting of these teachings uses Data Retention Voltage (DRV) in SRAM as the identifier. The DRV of an SRAM is the minimum voltage at which its cells can retain state. DRV fingerprints are found to be more informative than other approaches for fingerprinting SRAM that have been proposed in research and commercially. The physical characteristics responsible for DRV are imparted randomly during manufacturing and therefore serve as a natural barrier against counterfeiting. The method of these teachings has the potential for wide application, as SRAM cells are among the most common building blocks of nearly all digital systems including smart cards and programmable RFID tags.
According to one aspect, the present disclosure provides a method and a system for characterizing an electronic device. The method comprises determining a physical fingerprint of an electronic device comprising a static random access memory (SRAM) array, using selected memory cells of the SRAM array, wherein the physical fingerprint comprises data retention voltages respectively corresponding to the selected memory cells, and storing data associated with the physical fingerprint in a database.
In one embodiment, determining the data retention voltage comprises a) writing a binary state in a first memory cell of the selected memory cells, b) applying a test voltage to a supply node of the first memory cell, and c) determining, after a predetermined wait time, whether a data retention failure occurs in the first memory cell. In one embodiment, if the data retention failure does not occur, reducing the test voltage by a predetermined step voltage, and repeating steps a), b), and c) until the data retention failure occurs. In one embodiment, the test voltage ranges from about 300 mV to about 20 mV, and the predetermined step voltage ranges from about 10 mV to about 140 mV, and the predetermined wait time ranges from about 2 ms to about 5 s.
In one embodiment, step a) of the method comprises writing the binary state in a non-volatile memory cell, and step c) of the method comprises reading, after the predetermined wait time, a logic state in the first memory cell, comparing the logic state in the first memory cell with the binary state in the non-volatile memory cell, and determining that the data retention failure occurs, if the logic state in the first memory cell differs from the binary state in the non-volatile memory cell. If the data retention failure occurs, then the test voltage is output as the data retention voltage of the first memory cell.
According to another aspect, the present disclosure provides a method and a system for identifying an electronic device. The method comprises characterizing a test device comprising a static random access memory (SRAM) array, wherein selected memory cells of the SRAM array respectively comprise data retention voltages corresponding to a physical fingerprint of the test device, and comparing the physical fingerprint with a predetermined fingerprint stored in a database to determine whether the physical fingerprint and the predetermined fingerprint are within-class or between-class, wherein the predetermined fingerprint is associated with a target device to be identified.
In one embodiment, comparing the physical fingerprint with the predetermined fingerprint comprises calculating a distance between the first data retention voltage pairs associated with the physical fingerprint and the second data retention voltage pairs associated with the predetermined fingerprint. In one embodiment, calculating the distance comprises respectively subtracting the first data retention voltage pairs from the second data retention voltage pairs to obtain voltage difference pairs, respectively squaring elements of the voltage difference pairs to obtain voltage difference squares, and summing the voltage difference squares to obtain a value representing the distance. In one embodiment, if the distance is less than a predetermined value, the physical fingerprint and the predetermined fingerprint are within-class, and the test device is identified as the target device, and if the distance is greater than or equal to a predetermined value, the physical fingerprint and the predetermined fingerprint are between-class, and the test device is not identified as the target device. The physical fingerprint and the predetermined fingerprint are within-class, if the physical fingerprint and the predetermined fingerprint are generated from identical sets of memory cells in an identical device.
Given the low cost of the several bytes of SRAM that are used for DRV fingerprinting, a relatively significant practical cost may be associated with the generation of the test voltages for characterizing the DRVs. Emerging devices such as computational RFIDs can use software routines to extract DRVs, but as contactless devices they must generate all test voltages on-chip. On-chip dynamic control of SRAM supply voltage is assumed in the low-power literature at least since work on drowsy caches. Supply voltage tuning has also been applied with canary cells to detect potential SRAM failures, and as a post-silicon technique to compensate for process variation and increase manufacturing yields.
For a better understanding of the present teachings, together with other and further needs thereof, reference is made to the accompanying drawings and detailed description.
a shows that 98.6% of SRAM cells with strongly 0 DRV reliably power-up to state 0, as observed by a mean power-up state of 0;
b shows that 95.1% of SRAM cells with strongly 1 DRV reliably power-up to state 1, as observed by a mean power-up state of 1;
FIGS. 6a and 6b show within-class and between-class distances of 16-bit fingerprints;
FIGS. 7a and 7b show that tradeoff points of precision and recall for trials of DRV fingerprints are generally closer to the ideal result of perfect precision and recall;
A portion of the disclosure of this patent document contains material which is subject to copyright protection. The copyright owner has no objection to the facsimile reproduction by anyone of the patent document or the patent disclosure as it appears in the Patent and Trademark Office patent file or records, but otherwise reserves all copyright rights whatsoever.
The following detailed description presents the currently contemplated modes of carrying out the invention. The description is not to be taken in a limiting sense, but is made merely for the purpose of illustrating the general principles of the invention, since the scope of the invention is best defined by the claims.
As used herein, the singular forms “a,” “an,” and “the” include the plural reference unless the context clearly dictates otherwise.
Except where otherwise indicated, all numbers expressing quantities of ingredients, reaction conditions, and so forth used in the specification and claims are to be understood as being modified in all instances by the term “about.”
A data retention failure may occur when an SRAM cell spuriously flips state due to insufficient supply voltage. The data retention voltage (DRV) of an SRAM array signifies the minimum supply voltage at which all SRAM cells can store an arbitrary state. DRV is studied in the literature as a limit to supply voltage scaling. Various simulation models and silicon measurements show modern SRAM DRVs to be under 300 mV.
Most existing literature focuses on cases where the supply voltage of the circuit remains safely above DRV. While remaining above DRV, the supply voltage can be adjusted to reduce leakage power, compensate for manufacturing variability, or compensate for environmental variations.
Each SRAM cell uses the positive feedback of cross-coupled inverters to hold a state on two complementary storage nodes. Retention failures may occur at low supply voltages because the low voltage weakens the positive feedback of the cross-coupled inverters. Due to asymmetric process variation, at some low supply voltages, a transition from a written state to the opposite state becomes inevitable; observations about the direction of such transitions and the voltages at which they occur are the basis for DRV fingerprints. Any collection of SRAM cells has a distinctive DRV fingerprint because of its unique random process variation.
The DRVs of SRAM cells may be characterized by repeatedly lowering the SRAM supply voltage and observing the highest voltage at which each cell fails. If the SRAM supply node also supplies the processing core, then the low voltages used for the characterization may cause the core to reset and lose its state.
The experiments described in this disclosure avoid this difficulty by using non-volatile memory to preserve state across the low-voltage intervals. However, a custom integrated circuit designed for DRV fingerprinting can also avoid this difficulty by using an SRAM supply node that is decoupled from the nominal supply node of the processor. This is often done, for example, in power-gated circuits where unused on-chip functional blocks are turned off entirely while the chip as a whole remains powered.

The DRV of an SRAM cell $c$ may be characterized with a pair $(v_c^0, v_c^1)$. Each $v_c^w$ ($w = 0$ or $1$) in the pair represents the highest voltage at which cell $c$ will have a retention failure after state $w$ is written to it. In principle, $v_c^0$ and $v_c^1$ are real-valued (i.e., continuous); but in practice, each of $v_c^0$ and $v_c^1$ may be approximated using one of $N$ discrete values, for example $N = (300\ \text{mV} - 20\ \text{mV})/\Delta$, as shown, in one embodiment, in Algorithm 1. In one instance, not a limitation of these teachings, $\Delta$ is set at 10 mV, so that $N = 28$ and the 28 possible discrete values for $v_c^0$ and $v_c^1$ are {20 mV, 30 mV, ..., 290 mV}. The frequency of observing different DRV pairs is shown in the joint probability distribution function of variables $v_c^0$ and $v_c^1$ in
2.1. Experimental Setup
The DRV of SRAM cells may be examined using Algorithm 1 implemented in the exemplary embodiments given below. Exemplary embodiments are presented below to elucidate the present disclosure, but it should be noted that the present teachings are not limited only to those exemplary embodiments. A microcontroller runs a program that sets all available memory bits to either 1 or 0. The supply voltage is then decreased to a value between 300 mV and 20 mV ($\Delta$ = 10 mV) for 5 seconds. When supply voltage is restored to 3 V, the program stores the content of SRAM to the flash memory. Note that a conservatively long wait time of $t_{wait}$ = 5 s is used to avoid missing marginal failures. Simulations using a procedure similar to Algorithm 1 for tuning the supply voltage show that waiting for $t_{wait}$ = 2 ms at a reduced supply voltage is sufficient to observe retention failures.

An Agilent U2541A-series data acquisition (DAQ) unit controls the supply voltage and the timing of when voltage is raised and lowered. Thermal tests are conducted inside of a Sun Electronics EC12 Environmental Chamber and an OSXL450 infrared non-contact thermometer with +/−2° C. accuracy is used to verify the temperature. All experiments use instances of Texas Instruments MSP430 F2131 microcontrollers with 256 bytes of SRAM, of which 240 bytes are available for DRV fingerprinting. The DRV of each cell is characterized 20 times. The total runtime to characterize all 240 bytes of SRAM on a chip once using Algorithm 1 is given by $t_{proc}$ in Eq. 1, and is 140 seconds for the conservative case of $\Delta$ = 10 mV and $t_{wait}$ = 5 s.
2.2. Information Content of SRAM Cell DRV
The DRV of each cell has $N^2$ possible outcomes representing all combinations of the $N$ outcomes for $v_c^0$ and the $N$ outcomes for $v_c^1$ (in this particular embodiment, $N = 28$). The DRV of each cell is then a random variable $X$ with $N^2$ outcomes denoted $x_i$ (i.e., $x_0$ through $x_{N^2-1}$). The total entropy $H(X)$ is the expected information value of the DRV of an unknown cell. Entropy depends (per Eq. 2) on the probabilities of each DRV outcome, denoted $p(x_i)$. In the ideal case where all $N^2$ outcomes are equally likely (e.g., $p(x_i) = 1/N^2$ for all $x_i$), each DRV would have almost 10 bits of entropy. Applying Eq. 2 to the decidedly non-uniform outcome probabilities of
Eq. 1 shows that runtime is inversely proportional to Δ. Accordingly, it is considered information loss, when Δ is made larger than 10 mV.
$$H(X) = -\sum_i p(x_i)\,\log p(x_i) \qquad (2)$$
2.3. Observations about Strong and Weak Cells
The $N^2$ possible DRV characterizations (
The variation-dependent behavior of an SRAM cell occurs somewhere between 20 mV and 300 mV for each cell; above 300 mV all cells can reliably hold either the 0 or the 1 state, and below 20 mV no cells can do so. When a cell produces a strongly 0 or strongly 1 characterization, it means (per Algorithm 1) that, for any one written state, the supply voltage can be lowered all the way through the sensitive region down to 20 mV and then raised back up without causing a data retention failure. Therefore, a strongly 0 or strongly 1 characterization indicates a strong preference for one state over the other at all supply voltages. A weak characterization is when each written state flips at some voltage within the sensitive region, and neither state can be retained when the supply voltage is lowered down to 20 mV.
Both strong and weak DRV characterizations are largely repeatable across trials.
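The characterization sweep and the strong/weak labelling described above can be exercised in software against a modelled SRAM. The following is an added example, not code from the disclosure: `SimulatedSram`, the `NO_FAILURE = 0` sentinel for a state that never flips, the sweep starting at 290 mV, the base-2 logarithm in Eq. 2, and the cell thresholds in `CELLS` are all assumptions made for illustration.

```python
import math
from collections import Counter

V_MAX_MV, V_MIN_MV, STEP_MV = 300, 20, 10
NO_FAILURE = 0  # assumed sentinel: the written state survived the whole sweep


def test_voltages(step=STEP_MV):
    """Descending test points; {290, ..., 20} mV (N = 28) for a 10 mV step."""
    return list(range(V_MAX_MV - step, V_MIN_MV - 1, -step))


class SimulatedSram:
    """Toy array: cell c loses written state w once supply <= flip_mv[c][w]."""

    def __init__(self, flip_mv):
        self.flip_mv = flip_mv            # (f0, f1) per cell; None = never flips
        self.bits = [0] * len(flip_mv)

    def write_all(self, w):
        self.bits = [w] * len(self.bits)

    def hold_at(self, supply_mv):
        """Model t_wait at a reduced supply, then restoration to nominal."""
        for c, w in enumerate(self.bits):
            f = self.flip_mv[c][w]
            if f is not None and supply_mv <= f:
                self.bits[c] = 1 - w

    def read_all(self):
        return list(self.bits)


def characterize(sram, step=STEP_MV):
    """Return one (v0, v1) pair per cell: highest failing test voltage per state."""
    drv = [[NO_FAILURE, NO_FAILURE] for _ in sram.read_all()]
    for w in (0, 1):
        for v in test_voltages(step):
            sram.write_all(w)             # a) write the state (reference copy is w)
            sram.hold_at(v)               # b) apply the test voltage for t_wait
            for c, bit in enumerate(sram.read_all()):   # c) compare to reference
                if bit != w and drv[c][w] == NO_FAILURE:
                    drv[c][w] = v         # first failure in a descending sweep
    return [tuple(pair) for pair in drv]


def classify(pair):
    v0, v1 = pair
    if v0 == NO_FAILURE and v1 != NO_FAILURE:
        return "strongly 0"               # state 0 is never lost
    if v1 == NO_FAILURE and v0 != NO_FAILURE:
        return "strongly 1"               # state 1 is never lost
    if v0 != NO_FAILURE and v1 != NO_FAILURE:
        return "weak"                     # both states flip inside the region
    return "undetermined"                 # no flip seen at or above 20 mV


def entropy_bits(pairs):
    """Eq. 2 with log base 2 over the empirical distribution of DRV pairs."""
    total = len(pairs)
    return -sum(n / total * math.log2(n / total) for n in Counter(pairs).values())


# Constructed flip thresholds in mV (not measurements from the disclosure).
CELLS = [(None, 137.0), (92.5, None), (118.0, 64.0), (None, 201.0), (None, 15.0)]

if __name__ == "__main__":
    pairs = characterize(SimulatedSram(CELLS))
    for pair in pairs:
        print(pair, classify(pair))
    print("empirical entropy (bits):", round(entropy_bits(pairs), 3))
    print("uniform upper bound (bits):", round(math.log2(len(test_voltages()) ** 2), 3))
```

Because the sweep quantizes each threshold down to the nearest test voltage, a coarser step merges neighbouring outcomes and lowers the entropy available per cell.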
2.4. Relation to Power-Up State
It is known that SRAM cells consistently power-up to the same state in a majority of trials. Cells with highly reliable power-up states tend to be the same cells with strong DRV characterizations.
A DRV fingerprint is obtained from a single characterization of a set of adjacent cells within an SRAM. A k-bit fingerprint $F_i$ comprises cell characterizations $v_i^0, v_i^1, v_{i+1}^0, v_{i+1}^1, \ldots, v_{i+(k-1)}^0, v_{i+(k-1)}^1$.
The difference between fingerprints is the sum of the differences between their corresponding single-cell characterizations. Recalling that each DRV is a point $(v_c^0, v_c^1)$ in 2-dimensional space, the distance between two DRVs is defined according to the square of their distance along each dimension (Eq. 3). For comparison, a second metric used is the Hamming distance between power-up trials; this is shown by Eq. 4, where $p_i$ is the state of the i-th bit of SRAM after a power-up.
Since the metric for a difference between fingerprints can be a multidimensional distance or a Hamming distance, the distance between fingerprints, as used herein, is measured in “distance units,” where a distance unit can be volts² (or millivolts²), when the distance is expressed in terms of the sum of squares of differences in voltage, or can be dimensionless, as in the case of a Hamming distance.
3.1. Identification at Nominal Temperature
At the nominal operating temperature of 29° C., three experiments compare DRV fingerprints with power-up fingerprints. These experiments are explained in the following subsections; the first shows the histograms of distances between fingerprints, and the second and third evaluate the accuracy of distance-based matching.
3.1.1. Histogram of Distances Between Fingerprints
A first experiment shows that DRV fingerprints are repeatable and unique, as is necessary for successfully identifying chips within a population. Within-class pairings are of multiple fingerprints generated by the same set of cells on the same device. Between-class pairings are from different sets of cells on the same device, or from any sets of cells on different devices. The similarity of any two fingerprints is quantified by a distance, and this distance is the basis for determining the correct identity of a fingerprint. If within-class fingerprint pairings consistently have smaller distances than between-class pairings, then it is possible to determine identity by choosing an appropriate threshold that separates the two classes. The histograms of within-class and between-class distances for DRV and power-up fingerprints are shown in
3.1.2. Accuracy of Top Match
The next experiment performed at nominal temperature evaluates how reliably a single within-class DRV fingerprint can be identified among a population. This experiment matches a single 16-bit target fingerprint against a population containing another fingerprint from the same cells and one fingerprint from each of the 239 remaining locations across 2 chips. A positive result occurs if the closest match among the 240 possibilities is from the same SRAM cells as the target. The results of the top match experiment are shown in Table 3; the column labeled “co-top” shows the percentage of trials where there are multiple top matches and one of them correctly matches the target. Multiple top matches are relatively common in Hamming distance matching due to the small number of possible distances between fingerprints. Compared to power-up fingerprints, matching based on DRV fingerprints is 28% more likely to have the correct match be closer to the target (i.e., separated by a smaller distance) than all incorrect matches.
3.1.3. Precision and Recall
The top match experiment is generalized to the case of identifying multiple correct matches among a larger population, and again shows DRV fingerprints to outperform power-up fingerprints. In this experiment, the goal is to find all correct matches in the population, without also finding too many incorrect matches. In doing so, the distance that is considered to be the threshold between a correct and incorrect match can be adjusted. If the threshold is too low, then correct matches may not be identified, but if the threshold is too high then false positives will occur. Recall refers to the fraction of within-class pairings under the threshold, and precision refers to the fraction of pairings under the threshold that are within-class. Increasing the threshold may sacrifice precision for recall, and decreasing the threshold may sacrifice recall for precision. An ideal result is for both precision and recall to be 1; this result occurs if all correct matches are identified as within-class (perfect recall) with no incorrect ones identified as within-class (perfect precision).
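The matching steps described above (sum-of-squares distance, top match with co-top detection, and the precision/recall trade-off as the threshold moves) fit in a few functions. This is an added example, not code from the disclosure; the location names, the 4-cell fingerprints and the thresholds are constructed for illustration, and returning a precision of 1.0 when nothing falls under the threshold is a convention chosen here.

```python
def drv_distance(fp_a, fp_b):
    """Sum of squared per-cell voltage differences, in mV^2."""
    if len(fp_a) != len(fp_b):
        raise ValueError("fingerprints must cover the same number of cells")
    return sum((a0 - b0) ** 2 + (a1 - b1) ** 2
               for (a0, a1), (b0, b1) in zip(fp_a, fp_b))


def is_within_class(distance, threshold):
    """Within-class only if strictly under the threshold; otherwise between-class."""
    return distance < threshold


def top_match(target, database):
    """Return (closest locations, distance); more than one name means a co-top tie."""
    dists = {name: drv_distance(target, fp) for name, fp in database.items()}
    best = min(dists.values())
    return sorted(n for n, d in dists.items() if d == best), best


def labelled_pairings(observations, database):
    """Every observation against every enrolled entry, with ground-truth label."""
    return [(drv_distance(fp, ref), name == ref_name)
            for name, fp in observations
            for ref_name, ref in database.items()]


def precision_recall(pairings, threshold):
    accepted = [truth for d, truth in pairings if is_within_class(d, threshold)]
    true_accepts = sum(accepted)
    total_within = sum(1 for _, truth in pairings if truth)
    precision = true_accepts / len(accepted) if accepted else 1.0  # convention
    recall = true_accepts / total_within if total_within else 1.0
    return precision, recall


# Constructed enrollment database: location -> list of (v0, v1) pairs in mV.
ENROLLED = {
    "chipA@0": [(0, 130), (90, 0), (110, 60), (0, 200)],
    "chipA@4": [(0, 120), (70, 0), (0, 150), (100, 0)],
    "chipB@0": [(80, 0), (0, 140), (0, 210), (120, 50)],
}

# Constructed later observations: a few cells moved by one 10 mV step.
OBSERVATIONS = [
    ("chipA@0", [(0, 130), (90, 0), (100, 60), (0, 210)]),
    ("chipB@0", [(80, 0), (0, 150), (0, 210), (120, 50)]),
]

if __name__ == "__main__":
    for name, fp in OBSERVATIONS:
        print(name, "->", top_match(fp, ENROLLED))
    pairings = labelled_pairings(OBSERVATIONS, ENROLLED)
    for threshold in (150, 1000, 60000):
        print(threshold, precision_recall(pairings, threshold))
```

For authentication, a co-top result (more than one name returned by `top_match`) is best treated as no match, and the threshold should be chosen from measured within-class and between-class distances rather than from these constructed values.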
The precision and recall plots of
3.2. Impact of Temperature Variations
Given that DRV fingerprints would likely be used in real-world scenarios without precisely-controlled temperatures, this experiment explores the impact of temperature on DRV fingerprints. This experiment is similar to the experiment of subsection 3.1.1, but the pairs of fingerprint observations used to generate the within-class distances are now made at different temperatures. The results are shown in
As demonstrated hereinabove, SRAM DRV fingerprints are static identifiers of a device, and a simple characterization procedure and matching algorithms have been disclosed to use them as such. DRV fingerprints are similar to previously demonstrated power-up fingerprints, but they provide a more informative non-binary identifier of each cell. As a result of this, DRV fingerprints are identified up to 28% more reliably than are power-up fingerprints.
Embodiments of the present disclosure can be included in methods and systems for identification or authentication.
The SRAM DRV fingerprints can be obtained upon fabrication of the SRAM and stored in a memory, such as a database. A circuit or object can be identified or authenticated by characterizing the SRAM DRV, using Algorithm 1 disclosed above, and comparing the resulting SRAM DRV to the database. A system of these teachings for identification/authentication, in one embodiment, includes a measurement system, as disclosed herein above, for characterizing the SRAM DRV and an analysis subsystem for comparing the resulting SRAM DRV to the database. In one instance, the measurement system includes at least one processor and computer usable media having computer readable code that causes the at least one processor to execute Algorithm 1. In one embodiment, the database storing the SRAM DRV fingerprints may be implemented in a remote server hardware accessible to the analysis subsystem through a communication network (e.g., local area network, wide area network, wired/wireless network, etc.). The analysis subsystem, in one instance, also includes at least one processor and computer usable media that has computer readable code that causes the at least one processor to retrieve the SRAM DRV fingerprint and compare the SRAM DRV obtained from the characterization to the fingerprint.
For the purposes of describing and defining the present teachings, it is noted that the term “substantially” may be utilized herein to represent the inherent degree of uncertainty that may be attributed to any quantitative comparison, value, measurement, or other representation. The term “substantially” may also be utilized herein to represent the degree by which a quantitative representation may vary from a stated reference without resulting in a change in the basic function of the subject matter at issue.
Further, for the purposes of describing and defining the present teachings, it is noted that the term “configured to” may be utilized herein to represent a computer usable media having computer readable code embodied therein, the computer readable code being executed in a processor to perform certain method steps.
Although embodiments of the present invention have been described in detail, it is to be understood that these embodiments are provided for exemplary and illustrative purposes only. Various modifications and changes may be made by persons skilled in the art without departing from the spirit and scope of the present disclosure as defined in the appended claims.
This application claims the benefit of priority to U.S. Provisional Application No. 61/666,082, filed on Jun. 29, 2012, the entire contents of which are incorporated herein by reference in its entirety and for all purposes.
This invention was made partially with U.S. Government support from the NSF grants CNS-0964641, CNS-0923313, CNS-0845874, and SRC task 1836.074.
Number | Date | Country
---|---|---
61666082 | Jun 2012 | US