Reducing amount of helper data in silicon physical unclonable functions (PUFs) via lossy compression

Background

Silicon physical unclonable functions (PUFs) are widely used in emerging hardware security applications, such as device identification, authentication, and cryptographic key generation. PUFs generate unique randomness by exploiting inherent random process variation during fabrication. Among them, static random-access memory (SRAM) PUFs that produce unique signatures with power-up states are appealing because SRAMs are widely available standard components in a multitude of existing integrated circuits (ICs).

As the semiconductor industry starts to reach the limits of Moore’s Law and deploy new packaging techniques such as system-in-package (SiP), where one package contains multiple chiplets (dies) each with their own functionality, spreading functionality over multiple chiplets increases security risks.

With supply chains spanning several different production and assembly facilities, where components from many different vendors are pieced together into a final product, supply-chain security issues need to be considered and PUFs deliver root of trust (RoT) solutions.

However, the major challenge of utilizing silicon PUFs, including SRAM PUFs, lies in the reliability of responses. Ideally, a SRAM PUF bit produces a unique and identical power-up value under each evaluation. In fact, power-up is a cell-specific stochastic process determined jointly by device mismatch, instantaneous noise, and environment variation.

The standard method to ensure PUF reliability in the key derivation context is to use a fuzzy extractor that utilizes an error correction code (ECC). A fuzzy extractor algorithm involves two phases: enrollment and reconstruction. During enrollment, an ECC is used to encode raw PUF responses and compute the code syndrome to be used as helper data for reconstruction. The helper data is assumed to be public and is stored in non-volatile memory.

In some applications of PUF-based key generation for original silicon manufacturers, one-time-programmable (OTP) memory (e.g., fuses) is used, since in these settings the helper data needs to be stored on-die, before the package-level or board-level resources (e.g., high-capacity Flash memory) are available. However, in many platforms—e.g., field-programmable gate arrays (FPGAs)—the amount of OTP memory available is severely limited. As a result, the amount of required helper data should be reduced.

Researchers at The University of Texas at Austin have developed a method for reducing the amount of helper data that needs to be stored, using two innovative techniques as described below.

Technical description

The first technique uses bit-error-rate (BER)-aware lossy compression. The helper data length (HDL) in a fuzzy extractor is directly related to the complexity of the error correcting code and increases rapidly with the increase of bit error rate (BER). Reducing HDL requires users to identify bits with high BER and avoid their use. However, that requires representing and storing the reliability bitmap (mask) whose length needs to also be treated as helper data. A distinction is made between helper data due to (1) the syndrome and (2) the reliability mask. The invention allows a significant reduction of total helper data length (HDL). This is achieved through a bit-error-rate aware lossy com­pression of the reliability map. The invention allows sacrificing a small fraction of reliable bits, by treating them as unreliable, to allow effective compression and large HDL reduction.

In view of the practical costs of production-time error characterization, the second technique enables economically feasible across-temperature per-bit BER evaluation for use in a number of fuzzy extractor optimizations based on bit-selection to reduce overall BER (with or without subsequent compression) using room-temperature only production-time characterization. The technique is based on stochastic concentration theory and allows efficiently forming confidence intervals for average across-temperature BER of a selected set of bits.

By using these joint techniques, BER optimization and bitmap compression algorithm, it is economically feasible to achieve a dramatic reduction in the amount of helper data that needs to be stored in non-volatile memory and/or one-time-programmable memory.

Benefits

Two phase algorithm performing bit-error-rate aware lossy compression of the reliability map in the first phase, resulting in a codebook construction, and in the second phase, where a derived codebook is used to select a better solution that minimizes the overall average error of selected bits.

  • Allows a dramatic reduction in the amount of helper data that needs to be stored in non-volatile memory and/or one-time-programmable memory, such as EPROM or e-Fuse. The cost of such memory is high in both silicon area (cost) and post-manufacture-time configuration.
  • Significant helper data size (HDS) reduction, in mask size with lossy compression; see Table 1 and 2.
  • Reduces the effective average BER that needs to be handled by error-correction coding within a fuzzy extractor. This allows a reduction of implementation cost of the fuzzy extractor.