Open hardware-based and patent-free Physical Unclonable Function (PUF)

[synctext]

PUF technology is an emerging technology to store the essential part of a self-sovereign identity, the private key, in a tamper-proof manner. The private key is storage becomes volatile by using PUF technology [Patents].

Good intro:

• https://en.wikipedia.org/wiki/Physical_unclonable_function
• "Physically Unclonable Functions: A Study on the State of the Art and Future Research Directions"
• MIT intro slides

Commercial product with SRAM PUF. Notes on how to use this feature

For TUDelft publication on PUF technology: "Modeling SRAM start-up behavior for physical unclonable functions". Lots more by Said Hamdioui plus Haji Akhundov. More Delft reports:

• Design & development of public-key based authentication architecture for IoT devices using PUF
• Reliability Assessment and Test Methods for Anti-counterfeiting Technology
• More sophisticated 2015 work PUFs in general, SRAM PUFs in particular, can be used as a secure cryptographic key storage mechanism . Fig. 1 shows how such mechanism can be integrated to create a PUF based key storage system.

The popular 6Ts SRAM cell (see Fig. 2(a)) consists of two cross-coupled CMOS inverters formed by four transistors (Q 1 with Q5 and Q2 with Q6) and two pass transistors (Q3 and Q4). The pass transistors are used to access the cell for read and write operations. The bitline (BL), the compliment bitline (BLB) and the wordline (WL) are used to access the cell.

We simulate the start-up behavior of an SRAM cell using SPICE and BSIM4 65nm models. Process variation PDF for 65nm :

Boris Škorić from Eindhoven has published work in this field:

• exotic quantum theory work, Quantum Key Recycling with eight-state encoding (The Quantum One Time Pad is more interesting than we thought)
  • Flowchart_description_of_security_primitives_for_C.pdf
  • Reconfigurable Physical Unclonable Functions - Enabling technology for tamper-resistant storage
  • Anti-counterfeiting, Key Distribution, and Key Storage in an Ambient World via Physical Unclonable Functions
  • Physical Unclonable Functions for enhanced security of tokens and tags (2006)

Open Source Sandia National Laboratories PUF Analysis Tool

Please find related PUF software and articles for next meeting.

[asajim]

• Cryptographic Key Generation from PUF Data https://github.com/karanahujax/PUF
• Hardware PUF FPGA implementation https://github.com/snikrepmada/puf
• Modular library for manipulating physically-uncloneable functions https://github.com/ainfosec/PUFlib
• Implemention and Simulation of Physically Unclonable Function (PUF) | IIT KGP https://github.com/vduddu/PhysicallyUnclonableFunction
• https://github.com/SergioAGonzalez/Physically-Unclonable-Function
• Simulation and Learning of Physically Unclonable Functions https://github.com/nils-wisiol/pypuf
• An implementation of Lightweight Secure Physically Unclonable Function. https://github.com/praveendath92/securePUF
• Security Monitoring of FPGAs using Physically Unclonable Functions https://github.com/julieeen/pufmon

[synctext]

using standard PC board, "Investigating SRAM PUFs in large CPUs and GPUs" with code listings: https://arxiv.org/pdf/1507.08514.pdf DDR3: https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4168438/ https://users.wpi.edu/~martin/MQP/edwardsetal.pdf

[asajim]

Note:

2 main parts of PUF

• physical part: a physical system that is very difficult to clone due to uncontrollable process variations during manufacturing
• operational part: a set of challenges C_i(stimuli) has to be available to which the system responds with a set of sufficiently different responses R_i

R_i <- PUF(C_i) : a response R_i is generated when challenging a PUF with a challenge C_i

• challenge: input to PUF
• response: output from PUF
• challenge response pair / CRP: an applied challenged and its measured response

Two distance measures of PUFs

1. inter distance: distance between applying a challenge to two different PUFs
2. intra distance: distance between applying a challenge twice to a PUF

Type of PUFs based on design

• non electronic PUFs
  • optical PUF
  • paper PUF
  • CD PUF
  • RF-DNA
  • magnetic PUF
  • acoustic PUF
• analog electronic PUFs
  • V_T PUF
  • power distribution PUF
  • coating PUF
  • LC PUF
• intrinsic PUFs
  • requirement to be intrinsic
  • PUF and the measurement equipment should be fully integrated
  • has to be available naturally during the manufacturing process
  • delay based intrinsic PUFs
  • arbiter PUF: introduce a digital race condition on two paths on a chip and have an arbiter circuit to decide which one won the race
    • attack on arbiter PUFs
    • model building attack: attack using a mathematical model of the PUF created from observing CRP queries which able to predict the response to an unseen challenge with relatively high accuracy
  • ring oscillator PUF: output of a digital line is inverted and fed back to its input, creating an asynchronously oscillating loop.
    • attack:
    • driving a sinusoidal signal on the ground plane of a ring oscillator can cause it to lock to that signal
    • electromagnetic radiation from the ring oscillator PUF can be used to steal the output bits
  • memory based intrinsic PUFs
  • SRAM PUF: random physical mismatch in the cell caused by manufacturing variability determines the power up behavior (can be zero, one, or no preference).
    • need a device powered up to enable response generator
    • if a SRAM cell is powered on and set to the '0' for a long time(~10 days), then on subsequent power-on sequences, the cell is more likely to skew toward the '1' state.
    • attack:
    • if one could insert a write command, then it could leverage the NBTI(negative bias temperature instability) to deliberately force individual bits toward 1
    • if one could modify the temperature, one could potentially cause the PUF to fail by running the PUF outside its design area
    • an attacker with access to the power channel could potentially control the stability of some of the SRAM PUF bits
  • butterfly PUF: cross coupling two transparent data latches. using the clear functionalities of the latches, an unstable state can be introduced after which the circuit converges back to one of the two stable states.
    • introduced because SRAM PUF is not possible in FPGA since the SRAM cells is always reseted to zero after power up in FPGA
    • doesn't need a device powered up. can be run using a reset button
  • latch PUF: two NOR gates are cross coupled. it will converge to a stable state depending on the internal mismatch between the electronic components.
  • flip flop PUF
    • inter and intra distance can be improved using 1-out-of-9 majority voting
  • conceptual PUFs
  • physically obfuscated keys(POK): a key is permanently stored in a physical way, makes it hard to learn the key by probing attack.
    • invasive attack should destroy the key and make further use impossible
  • controlled PUF(CPUF): combination of PUF and a control layer in which the PUF is inseparably embedded.
    • advantage:
    • a hash function to generate the responses of the PUF can prevent chosen challenge attacks
    • final responses more reliable because exists an error correction algorithm
    • no link between the responses and the physical details because the error corrected outputs is already affected by the hash function
    • the hash function generating the challenges can take additional inputs
  • reconfigurable PUF
    • extends the regular CRP behavior of a PUF with an additional operation(reconfiguration)
  • quantum readout PUF
    • replace the regular challenges and responses with qunatum states
  • SIMPL system and PPUFs: use PUF as a part of a public key like algorithm. rely on systems which can be modeled
    • SIMPL: simulation possible but laborious
    • PPUF: public PUF

Type of PUFs based on number CRPs

• strong PUFs
  • properties
  • large enough CRPs
  • stable responses
  • unable to be predicted on a new challenge
  • not feasible to manufacture two PUFs with the same response
  • readout only reveals the response, no internal functionality is leaked
  • typically used for authentication
  • ex: non electronic PUFs
• weak PUFs
  • properties:
  • a small number of CRPs
  • responses are stable and robust to various conditions and multiple readings
  • responses are unpredictable
  • impractical to manufacture two devices with the same physical fingerprint
  • usually used for key storage
  • ex: intrinsic PUFs

Property of PUF

• evaluatable
• unique
• reproducible
• unclonable
• unpredictable
• one way
• tamper evident

Technique to reduce noise

• use differential design techniques to cancel out first order environmental dependencies
• employ multiple error correction techniques. may leak bits of the secret key
• use soft decision coding: take advantage of the reliability information of a given response bit to improve error correction performance

Application

• authentication using strong PUFs
  • phase
  • enrollment: gather CRPs from a PUF then stored its measured response. server must either store enough CRPs so that it will not run out, or it must periodically recharge the table by establishing secure communication with an authenticated client and requesting responses to new challenges.
  • verification: apply a challenge from CRP database and compare the PUF response with the corresponding response from the database
• cryptographic key generation using weak PUFs
  • using SRAM: power on the SRAM and observe the memory state
  • using ring oscillator PUF: pairwise compares each of the oscillators in order to measure the correct ordering of oscillation frequency
  • statistical and systematic noise must be corrected/mitigated to get a stable set of unique bits
• secret key generation using two phase algorithm
  • in generation phase, the PUF is queried and the algorithm produces a secret key together with some additional information called helper data. both stored in a db by the verifier
  • in reproduction phase, the verifier presents the helper data to the algorithm which uses it to extract the same key from the PUF as in the generation step. thus, the PUF and the verifier have established a shared secret key
• authentication using weak PUFs
  • get unique bits using steps same as key generation. supplement the weak PUF with a hardware HMAC(hash message authentication code) or AES implementation.
• hardware entangled cryptography
  • keyless: never stored a secret digital key in the memory during running the algorithm

[asajim]

Extra readings:

• Power-Up SRAM State as an Identifying Fingerprint and Source of True Random Numbers http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=4674345
• Physical Unclonable Functions and Applications A Tutorial http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6823677
• Physical Unclonable Functions in Theory https://link.springer.com/book/10.1007%2F978-1-4614-5040-5
• PUF-Based Authentication http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=7372589
• Intelligent Voltage Ramp-Up Time Adaptation for Temperature Noise Reduction on Memory-Based PUF Systems http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=7086032

[synctext]

We have various Raspberry Pi model B+ 1.2 hardware. This enables quick and dirty prototyping, possibly even using the Python language :-) Goal: obtain SRAM chips and build the first completely patent-free functional PUF. Entropy and efficiency are not yet important. Key goal is raw uninitialized memory readout:

[synctext]

First operational prototype! @hakhundov thnx for the help Solid progress within this master thesis project, it only started a few weeks ago. Hardware: Arduino microcontroller board based on the ATmega2560 and the attached 1 Mbit Serial SRAM device, a 23LC1024 by Microchip

void Spi23LC1024Read32(uint32_t address, uint8_t cs_pin, uint8_t* buff)
{
  uint32_t i; 
  uint8_t read_page; 

  digitalWrite(cs_pin, LOW);  
  SPI.transfer(READ);
  SPI.transfer((uint8_t)(address >> 16));
  SPI.transfer((uint8_t)(address >> 8)); 
  SPI.transfer((uint8_t)address);

  for (i = 0; i < 32; i++)
  {
      read_page = SPI.transfer(0x00);
      buff[i] = read_page;
//      Serial.println(read_page);
  }
  digitalWrite(cs_pin, HIGH);   
}

The skeleton open source repo for dumping the raw uninitialized memory using SPI. Next steps:

• Generate a repeatable stable key from the PUF
• Conduct statistics on multiple chips
• Encode real Bitcoin money with this PUF and throw away the private key backup

[synctext]

Possibly focus on the unstable bit plots of your hardware (see related work with 1432 repeats in their experiment).

[asajim]

Screenshot of some initialized bit from SRAM 23LC1024

[asajim]

Analysis result of 10 SRAMs 23LC1024:

• Length of bits: 524288

• Error rate : HD_intra

  • Chip A

  Trial	Percentage	Trial	Percentage
  1-2	6.082	4-5	9.9506
  1-3	7.7051	4-6	6.9349
  1-4	6.8663	4-7	8.0402
  1-5	7.873	4-8	7.7639
  1-6	6.9855	4-9	7.6435
  1-7	7.2454	4-10	7.6799
  1-8	7.5687	5-6	9.1993
  1-9	7.2191	5-7	7.4078
  1-10	7.468	5-8	8.4509
  2-3	8.6838	5-9	7.8018
  2-4	6.562	5-10	8.3223
  2-5	7.7629	6-7	8.7847
  2-6	6.9269	6-8	6.8184
  2-7	7.2704	6-9	7.7551
  2-8	7.1337	6-10	7.4833
  2-9	7.3326	7-8	9.4198
  2-10	7.3507	7-9	7.0019
  3-4	8.5606	7-10	8.2121
  3-5	7.3215	8-9	9.4183
  3-6	7.7497	8-10	7.4265
  3-7	7.5497	9-10	8.9273
  3-8	8.0381	Average	7.7612
  3-9	7.6992
  3-10	7.8569

  • Chip B

  Trial	Percentage	Trial	Percentage
  1-2	6.082	4-5	14.0671
  1-3	17.3315	4-6	18.2364
  1-4	10.7126	4-7	9.8345
  1-5	11.6255	4-8	11.4786
  1-6	16.1285	4-9	10.9003
  1-7	8.3687	4-10	10.6834
  1-8	9.8106	5-6	19.245
  1-9	9.2964	5-7	8.6985
  1-10	9.3699	5-8	10.0874
  2-3	17.5978	5-9	9.7273
  2-4	11.0285	5-10	9.8099
  2-5	9.6994	6-7	15.9054
  2-6	16.4299	6-8	16.6573
  2-7	6.9164	6-9	16.7065
  2-8	7.7953	6-10	16.3008
  2-9	6.5567	7-8	9.3674
  2-10	8.2033	7-9	6.9199
  3-4	21.2311	7-10	7.3133
  3-5	18.1519	8-9	9.3613
  3-6	22.8647	8-10	7.0589
  3-7	16.8978	9-10	8.3097
  3-8	17.9262	Average	12.5627
  3-9	17.8011
  3-10	17.5449

  • Chip C

  Trial	Percentage	Trial	Percentage
  1-2	10.8824	4-5	7.4434
  1-3	8.7843	4-6	5.8161
  1-4	5.9719	4-7	7.5268
  1-5	6.645	4-8	6.0389
  1-6	6.4054	4-9	7.3385
  1-7	7.4108	4-10	7.1592
  1-8	6.7316	5-6	7.5882
  1-9	7.2378	5-7	6.4375
  1-10	7.4419	5-8	7.0164
  2-3	11.24	5-9	6.5716
  2-4	11.0952	5-10	7.761
  2-5	10.6113	6-7	8.3586
  2-6	11.0249	6-8	5.7781
  2-7	10.8328	6-9	7.2788
  2-8	10.9295	6-10	6.982
  2-9	10.7895	7-8	8.4063
  2-10	11.718	7-9	6.5107
  3-4	7.5392	7-10	8.0725
  3-5	6.4995	8-9	8.4778
  3-6	7.0576	8-10	6.6582
  3-7	7.2412	9-10	9.5219
  3-8	7.3402	Average	7.9896
  3-9	7.2651
  3-10	8.0933

  • Chip D

  Trial	Percentage	Trial	Percentage
  1-2	6.7345	4-5	7.1304
  1-3	7.8135	4-6	6.0789
  1-4	5.7829	4-7	6.6591
  1-5	6.0434	4-8	6.8254
  1-6	6.2969	4-9	7.151
  1-7	6.5582	4-10	7.0904
  1-8	6.6002	5-6	7.1722
  1-9	7.1306	5-7	5.5597
  1-10	6.9281	5-8	6.7965
  2-3	6.9502	5-9	6.4697
  2-4	6.9239	5-10	6.7322
  2-5	6.2742	6-7	7.1476
  2-6	6.7131	6-8	6.1714
  2-7	6.2298	6-9	7.173
  2-8	7.2662	6-10	6.4951
  2-9	6.0541	7-8	8.2115
  2-10	7.9168	7-9	6.3772
  3-4	7.6412	7-10	7.0303
  3-5	5.9769	8-9	8.4719
  3-6	6.8117	8-10	6.4634
  3-7	6.4489	9-10	8.0864
  3-8	7.2931	Average	6.8517
  3-9	7.1804
  3-10	7.4638

  • Chip E

  Trial	Percentage	Trial	Percentage
  1-2	6.7755	4-5	9.2545
  1-3	7.0812	4-6	7.3246
  1-4	6.0455	4-7	7.6738
  1-5	7.1392	4-8	6.938
  1-6	6.8558	4-9	7.5983
  1-7	7.0478	4-10	7.0763
  1-8	6.5832	5-6	7.5672
  1-9	7.0509	5-7	6.2265
  1-10	6.9611	5-8	6.6469
  2-3	7.004	5-9	6.9952
  2-4	7.7753	5-10	6.802
  2-5	6.745	6-7	7.4224
  2-6	6.7026	6-8	5.9156
  2-7	6.8577	6-9	6.872
  2-8	6.5651	6-10	6.4373
  2-9	6.1806	7-8	7.0766
  2-10	7.3462	7-9	6.3091
  3-4	7.3589	7-10	6.5325
  3-5	6.4674	8-9	7.7736
  3-6	6.8447	8-10	5.7634
  3-7	6.439	9-10	8.0118
  3-8	6.5107	Average	6.9422
  3-9	7.0162
  3-10	6.8268

  • Chip F

  Trial	Percentage	Trial	Percentage
  1-2	27.1589	4-5	8.2947
  1-3	9.2539	4-6	6.4476
  1-4	6.2378	4-7	7.3557
  1-5	7.5745	4-8	34.2325
  1-6	6.815	4-9	30.8353
  1-7	7.5186	4-10	31.3452
  1-8	34.6121	5-6	7.7827
  1-9	30.9467	5-7	6.204
  1-10	31.4474	5-8	34.049
  2-3	27.1378	5-9	30.8346
  2-4	27.0651	5-10	31.1426
  2-5	27.0945	6-7	8.1606
  2-6	26.9812	6-8	34.3065
  2-7	26.7403	6-9	30.7816
  2-8	35.4019	6-10	31.127
  2-9	27.191	7-8	33.8577
  2-10	31.7429	7-9	30.7608
  3-4	9.271	7-10	31.3335
  3-5	6.4936	8-9	25.7486
  3-6	7.8421	8-10	38.4926
  3-7	6.9645	9-10	29.8098
  3-8	34.3254	Average	23.1380
  3-9	31.2311
  3-10	31.2592

  • Chip G

  Trial	Percentage	Trial	Percentage
  1-2	30.9244	4-5	7.1833
  1-3	31.3438	4-6	5.8313
  1-4	30.5687	4-7	6.184
  1-5	30.8924	4-8	6.1567
  1-6	30.7596	4-9	6.5289
  1-7	30.8796	4-10	5.7943
  1-8	30.8508	5-6	7.7049
  1-9	31.1146	5-7	5.678
  1-10	30.8455	5-8	6.4911
  2-3	6.4001	5-9	6.119
  2-4	6.3498	5-10	6.1172
  2-5	6.3095	6-7	7.0299
  2-6	6.4522	6-8	5.6992
  2-7	5.8577	6-9	6.5065
  2-8	6.3229	6-10	5.7087
  2-9	5.7344	7-8	6.9311
  2-10	6.6299	7-9	5.4096
  3-4	6.786	7-10	5.8287
  3-5	5.8531	8-9	7.5041
  3-6	6.5462	8-10	5.5023
  3-7	5.7865	9-10	6.6526
  3-8	6.4398	Average	11.2140
  3-9	6.4705
  3-10	5.9484

  • Chip H

  Trial	Percentage	Trial	Percentage
  1-2	6.0785	4-5	6.9252
  1-3	6.4398	4-6	5.4329
  1-4	5.3385	4-7	5.9002
  1-5	6.2418	4-8	5.6095
  1-6	5.9374	4-9	6.2401
  1-7	6.0266	4-10	5.9355
  1-8	5.768	5-6	7.1335
  1-9	6.3738	5-7	5.3658
  1-10	5.9666	5-8	5.862
  2-3	6.1245	5-9	5.7343
  2-4	6.142	5-10	6.2738
  2-5	5.7472	6-7	6.6795
  2-6	6.2355	6-8	5.5019
  2-7	5.505	6-9	6.2641
  2-8	5.8399	6-10	5.9393
  2-9	5.3432	7-8	6.3194
  2-10	6.558	7-9	5.442
  3-4	7.1125	7-10	6.2063
  3-5	5.7018	8-9	6.9389
  3-6	6.5788	8-10	5.2359
  3-7	5.8632	9-10	6.8449
  3-8	6.3824	Average	6.0772
  3-9	6.0089
  3-10	6.3753

  • Chip I

  Trial	Percentage	Trial	Percentage
  1-2	6.7987	4-5	6.9332
  1-3	7.0353	4-6	5.6768
  1-4	5.9519	4-7	8.0698
  1-5	6.3478	4-8	6.3568
  1-6	4.7359	4-9	7.9906
  1-7	8.4538	4-10	8.2537
  1-8	6.5176	5-6	5.8767
  1-9	8.2117	5-7	7.4392
  1-10	8.4187	5-8	6.4816
  2-3	6.5826	5-9	7.6454
  2-4	6.5372	5-10	8.3921
  2-5	6.1874	6-7	8.728
  2-6	6.1346	6-8	5.8584
  2-7	7.6418	6-9	7.7726
  2-8	6.4419	6-10	7.9506
  2-9	7.2533	7-8	8.8476
  2-10	9.0769	7-9	8.2598
  3-4	7.4375	7-10	9.9754
  3-5	5.5424	8-9	8.6067
  3-6	6.1556	8-10	7.8409
  3-7	7.6746	9-10	10.631
  3-8	6.7116	Average	7.3801
  3-9	7.795
  3-10	8.8755

  • Chip J

  Trial	Percentage	Trial	Percentage
  1-2	33.992	4-5	33.9983
  1-3	26.828	4-6	27.894
  1-4	35.3519	4-7	36.5005
  1-5	30.541	4-8	36.9864
  1-6	31.0614	4-9	41.4785
  1-7	38.0184	4-10	34.4908
  1-8	37.3796	5-6	32.4898
  1-9	37.7329	5-7	34.9257
  1-10	32.1466	5-8	40.8855
  2-3	35.3977	5-9	36.0008
  2-4	28.1361	5-10	33.707
  2-5	31.5569	6-7	33.2224
  2-6	40.9666	6-8	37.4508
  2-7	41.6573	6-9	38.3183
  2-8	30.9916	6-10	40.3366
  2-9	32.6914	7-8	41.2573
  2-10	29.8189	7-9	36.3432
  3-4	35.9982	7-10	34.477
  3-5	33.6782	8-9	40.8859
  3-6	35.2671	8-10	40.4091
  3-7	37.87	9-10	38.1588
  3-8	35.8656	Average	35.3573
  3-9	37.5826
  3-10	30.3308

• Correlation between chips : HD_inter

  Chip	Distance	Chip	Distance	Chip	Distance
  A-B	43.6893	C-D	43.4456	E-J	52.2658
  A-C	42.2104	C-E	44.3532	F-G	47.4783
  A-D	41.9696	C-F	47.4196	F-H	47.2308
  A-E	42.2708	C-G	45.1793	F-I	47.2683
  A-F	47.2261	C-H	43.8046	F-J	50.4721
  A-G	42.6347	C-I	43.7189	G-H	43.8912
  A-H	41.4901	C-J	43.7189	G-I	44.34
  A-I	42.0946	D-E	43.9279	G-J	51.2718
  A-J	52.8622	D-F	47.6746	H-I	43.1551
  B-C	45.2513	D-G	44.5411	H-J	43.1551
  B-D	45.1153	D-H	43.2771	I-J	51.9932
  B-E	44.8195	D-I	43.6286
  B-F	47.6519	D-J	52.3345
  B-G	45.843	E-F	47.5444
  B-H	44.6717	E-G	47.5444
  B-I	44.0061	E-H	47.5444
  B-J	51.887	E-I	43.8124

• Symmetry / Mean Value : μ Value on x-axis: 0 means stable 0, 10 means stable 1 (during 10 profiling trials always show value 1).

  • Chip A

  • Chip B

  • Chip C

  • Chip D

  • Chip E

  • Chip F

  • Chip G

  • Chip H

  • Chip I

  • Chip J

  Trial	Chip A	Chip B	Chip C	Chip D	Chip E	Chip F	Chip G	Chip H	Chip I	Chip J
  1	0.70444	0.65413	0.67792	0.67154	0.66951	0.67436	0.39929	0.67015	0.6804	0.4638
  2	0.71046	0.67092	0.63187	0.67346	0.66432	0.45244	0.66373	0.66669	0.67188	0.36353
  3	0.70704	0.55552	0.66939	0.67027	0.66498	0.66716	0.66306	0.66688	0.67475	0.46679
  4	0.70769	0.63304	0.67174	0.66945	0.66909	0.66898	0.66229	0.66489	0.6766	0.37207
  5	0.70518	0.64051	0.67176	0.67366	0.66217	0.67028	0.66254	0.66728	0.67376	0.49239
  6	0.70531	0.56874	0.67242	0.67048	0.66616	0.67209	0.66615	0.66755	0.67693	0.44919
  7	0.70515	0.66405	0.67216	0.66851	0.66483	0.67028	0.66407	0.66727	0.65952	0.42395
  8	0.7064	0.67635	0.67217	0.67679	0.66492	0.37272	0.66525	0.66563	0.67609	0.43165
  9	0.70454	0.67488	0.67125	0.67322	0.66638	0.41456	0.66491	0.66798	0.65815	0.37533
  10	0.70709	0.67682	0.66889	0.67404	0.66536	0.41809	0.66555	0.66749	0.65373	0.37946
  Average	0.7063	0.6415	0.6680	0.6721	0.6658	0.5681	0.6377	0.6672	0.6702	0.4218

• Correlation between bits

  • Chip A

  • Chip B

  • Chip C

  • Chip D

  • Chip E

  • Chip F

  • Chip G

  • Chip H

  • Chip I

  • Chip J

Summary

• Chip F and J show high error rate. Reprofiling maybe needed or consider profile another SRAM.
• Chip J shows the highest inconsistency, such as the highest unstable bits compared to other chips
• Mean value of chip A-E and G-I is between 0.6~0.7. Debiasing maybe needed to deal with entropy leak.

[asajim]

Analysis result of 10 SRAMs 23K256:

• Error rate : HD_intra

  • Chip A

  Trial	Percentage	Trial	Percentage
  1-2	3.2104	4-5	0
  1-3	15.6128	4-6	6.3354
  1-4	9.4604	4-7	3.125
  1-5	9.4604	4-8	12.5
  1-6	9.375	4-9	6.3354
  1-7	6.3354	4-10	0
  1-8	9.4604	5-6	6.3354
  1-9	9.375	5-7	3.125
  1-10	9.4604	5-8	12.5
  2-3	12.5732	5-9	6.3354
  2-4	6.25	5-10	0
  2-5	6.25	6-7	9.4604
  2-6	6.3354	6-8	12.5854
  2-7	3.125	6-9	0
  2-8	12.5	6-10	6.3354
  2-9	6.3354	7-8	9.375
  2-10	6.25	7-9	9.4604
  3-4	6.3477	7-10	3.125
  3-5	6.3477	8-9	12.5854
  3-6	6.2378	8-10	12.5
  3-7	9.4727	9-10	6.3354
  3-8	6.3477	Average	7.2681
  3-9	6.2378
  3-10	6.3477

  • Chip B

  Trial	Percentage	Trial	Percentage
  1-2	3.125	4-5	0
  1-3	3.125	4-6	3.125
  1-4	6.25	4-7	3.125
  1-5	6.25	4-8	3.125
  1-6	3.125	4-9	3.125
  1-7	3.125	4-10	0
  1-8	3.125	5-6	3.125
  1-9	9.375	5-7	3.125
  1-10	6.25	5-8	3.125
  2-3	6.25	5-9	3.125
  2-4	3.125	5-10	0
  2-5	3.125	6-7	0
  2-6	0	6-8	0
  2-7	0	6-9	6.25
  2-8	0	6-10	3.125
  2-9	6.25	7-8	0
  2-10	3.125	7-9	6.25
  3-4	9.375	7-10	3.125
  3-5	9.375	8-9	6.25
  3-6	6.25	8-10	3.125
  3-7	6.25	9-10	3.125
  3-8	6.25	Average	3.8889
  3-9	6.25
  3-10	9.375

  • Chip C

  Trial	Percentage	Trial	Percentage
  1-2	9.375	4-5	6.25
  1-3	12.5	4-6	3.125
  1-4	15.625	4-7	9.375
  1-5	15.625	4-8	3.125
  1-6	12.5	4-9	9.375
  1-7	12.5	4-10	6.25
  1-8	12.5	5-6	3.125
  1-9	12.5	5-7	3.125
  1-10	15.625	5-8	3.125
  2-3	3.125	5-9	3.125
  2-4	6.25	5-10	6.25
  2-5	6.25	6-7	6.25
  2-6	3.125	6-8	0
  2-7	3.125	6-9	6.25
  2-8	3.125	6-10	3.125
  2-9	3.125	7-8	6.25
  2-10	6.25	7-9	0
  3-4	9.375	7-10	9.375
  3-5	3.125	8-9	6.25
  3-6	6.25	8-10	3.125
  3-7	0	9-10	9.375
  3-8	6.25	Average	6.5278
  3-9	0
  3-10	9.375

  • Chip D

  Trial	Percentage	Trial	Percentage
  1-2	3.125	4-5	0
  1-3	0	4-6	3.125
  1-4	0	4-7	3.125
  1-5	0	4-8	9.375
  1-6	3.125	4-9	6.25
  1-7	3.125	4-10	3.125
  1-8	9.375	5-6	3.125
  1-9	6.25	5-7	3.125
  1-10	3.125	5-8	9.375
  2-3	3.125	5-9	6.25
  2-4	3.125	5-10	3.125
  2-5	3.125	6-7	0
  2-6	0	6-8	6.25
  2-7	0	6-9	3.125
  2-8	6.25	6-10	0
  2-9	3.125	7-8	6.25
  2-10	0	7-9	3.125
  3-4	0	7-10	0
  3-5	0	8-9	3.125
  3-6	3.125	8-10	6.25
  3-7	3.125	9-10	3.125
  3-8	9.375	Average	3.4028
  3-9	6.25
  3-10	3.125

  • Chip E

  Trial	Percentage	Trial	Percentage
  1-2	9.375	4-5	3.125
  1-3	3.125	4-6	0
  1-4	3.125	4-7	3.125
  1-5	6.25	4-8	6.25
  1-6	3.125	4-9	3.125
  1-7	6.25	4-10	6.25
  1-8	9.375	5-6	3.125
  1-9	6.25	5-7	6.25
  1-10	9.375	5-8	3.125
  2-3	6.25	5-9	6.25
  2-4	6.25	5-10	9.375
  2-5	3.125	6-7	3.125
  2-6	6.25	6-8	6.25
  2-7	3.125	6-9	3.125
  2-8	0	6-10	6.25
  2-9	3.125	7-8	3.125
  2-10	6.25	7-9	0
  3-4	0	7-10	3.125
  3-5	3.125	8-9	3.125
  3-6	0	8-10	6.25
  3-7	3.125	9-10	3.125
  3-8	6.25	Average	4.4444
  3-9	3.125
  3-10	6.25

  • Chip F

  Trial	Percentage	Trial	Percentage
  1-2	6.25	4-5	9.375
  1-3	0	4-6	3.125
  1-4	3.125	4-7	3.125
  1-5	6.25	4-8	3.125
  1-6	0	4-9	3.125
  1-7	0	4-10	6.25
  1-8	0	5-6	6.25
  1-9	0	5-7	6.25
  1-10	3.125	5-8	6.25
  2-3	6.25	5-9	6.25
  2-4	9.375	5-10	3.125
  2-5	6.25	6-7	0
  2-6	6.25	6-8	0
  2-7	6.25	6-9	0
  2-8	6.25	6-10	3.125
  2-9	6.25	7-8	0
  2-10	3.125	7-9	0
  3-4	3.125	7-10	3.125
  3-5	6.25	8-9	0
  3-6	0	8-10	3.125
  3-7	0	9-10	3.125
  3-8	0	Average	3.3333
  3-9	0
  3-10	3.125

  • Chip G

  Trial	Percentage	Trial	Percentage
  1-2	37.4901	4-5	32.7511
  1-3	30.3726	4-6	31.7192
  1-4	37.2875	4-7	26.8303
  1-5	33.8646	4-8	27.4223
  1-6	33.3057	4-9	23.1911
  1-7	36.6817	4-10	25.0099
  1-8	35.3886	5-6	16.3128
  1-9	40.5415	5-7	24.8974
  1-10	34.853	5-8	21.3528
  2-3	30.3673	5-9	32.774
  2-4	24.107	5-10	26.4194
  2-5	28.4019	6-7	20.1088
  2-6	25.861	6-8	16.5802
  2-7	24.8386	6-9	30.7121
  2-8	18.2156	6-10	22.7097
  2-9	16.3616	7-8	14.328
  2-10	15.3172	7-9	20.9961
  3-4	34.5127	7-10	25.6187
  3-5	26.416	8-9	22.9813
  3-6	24.0345	8-10	20.1324
  3-7	26.3783	9-10	23.5802
  3-8	26.1486	Average	26.8027
  3-9	33.7124
  3-10	25.2361

  • Chip H

  Trial	Percentage	Trial	Percentage
  1-2	10.9886	4-5	3.125
  1-3	13.6429	4-6	9.375
  1-4	10.6361	4-7	3.125
  1-5	7.5111	4-8	9.3845
  1-6	14.1136	4-9	3.125
  1-7	7.9819	4-10	6.25
  1-8	13.6524	5-6	12.5
  1-9	7.9819	5-7	6.25
  1-10	4.8569	5-8	6.2595
  2-3	9.375	5-9	6.25
  2-4	6.25	5-10	3.125
  2-5	9.375	6-7	6.25
  2-6	3.125	6-8	12.5095
  2-7	3.125	6-9	6.25
  2-8	9.3845	6-10	9.375
  2-9	3.125	7-8	12.5095
  2-10	6.25	7-9	0
  3-4	9.375	7-10	3.125
  3-5	6.25	8-9	12.5095
  3-6	12.5	8-10	9.3845
  3-7	12.5	9-10	3.125
  3-8	6.258	Average	7.8653
  3-9	12.5
  3-10	9.375

  • Chip I

  Trial	Percentage	Trial	Percentage
  1-2	12.5	4-5	3.125
  1-3	25	4-6	9.375
  1-4	3.125	4-7	3.125
  1-5	6.25	4-8	12.5
  1-6	12.5	4-9	6.25
  1-7	6.25	4-10	6.25
  1-8	15.625	5-6	12.5
  1-9	9.375	5-7	6.25
  1-10	9.375	5-8	9.375
  2-3	18.75	5-9	9.375
  2-4	15.625	5-10	3.125
  2-5	12.5	6-7	12.5
  2-6	12.5	6-8	15.625
  2-7	18.75	6-9	9.375
  2-8	9.375	6-10	9.375
  2-9	21.875	7-8	15.625
  2-10	9.375	7-9	9.375
  3-4	21.875	7-10	9.375
  3-5	18.75	8-9	18.75
  3-6	18.75	8-10	6.25
  3-7	18.75	9-10	12.5
  3-8	15.625	Average	12.0833
  3-9	15.625
  3-10	15.625

• Correlation between chips : HD_inter

  Chip	Distance	Chip	Distance	Chip	Distance
  A-B	38.1189	B-G	50.3627	D-H	35.1218
  A-C	55.3516	B-H	46.8273	D-I	56.4375
  A-D	54.4436	B-I	38.7500	E-F	46.8750
  A-E	48.1335	C-D	52.5625	E-G	44.5309
  A-F	46.3909	C-E	41.1875	E-H	56.1425
  A-G	48.0590	C-F	62.5000	E-I	49.0625
  A-H	48.7304	C-G	47.0799	F-G	45.4072
  A-I	47.6296	C-H	60.2231	F-H	36.2866
  B-C	43.7500	C-I	36.5625	F-I	55.4375
  B-D	51.5625	D-E	51.3125	G-H	40.7709
  B-E	58.1250	D-F	35.9375	G-I	54.8479
  B-F	41.7500	D-G	47.2983	H-I	53.7284
  				Average	47.9805

• Symmetry / Mean Value : μ Value on x-axis: 0 means stable 0, 10 means stable 1 (during 10 profiling trials always show value 1).

  • Chip A

  • Chip B

  • Chip C

  • Chip D

  • Chip E

  • Chip F

  • Chip G

  • Chip H

  • Chip I

  Trial	Chip A	Chip B	Chip C	Chip D	Chip E	Chip F	Chip G	Chip H	Chip I
  1	0.7179	0.625	0.5625	0.59375	0.59375	0.6875	0.56113	0.6544	0.5625
  2	0.6875	0.59375	0.46875	0.625	0.625	0.6875	0.65527	0.65625	0.5625
  3	0.68652	0.59375	0.4375	0.59375	0.625	0.6875	0.64708	0.6875	0.4375
  4	0.75	0.5625	0.46875	0.59375	0.625	0.65625	0.65451	0.71875	0.53125
  5	0.75	0.5625	0.46875	0.59375	0.59375	0.75	0.59658	0.6875	0.5
  6	0.68665	0.59375	0.5	0.625	0.625	0.6875	0.57595	0.625	0.5
  7	0.71875	0.59375	0.4375	0.625	0.65625	0.6875	0.61593	0.6875	0.5625
  8	0.6875	0.59375	0.5	0.625	0.625	0.6875	0.61771	0.62493	0.53125
  9	0.68665	0.53125	0.4375	0.65625	0.65625	0.6875	0.59054	0.6875	0.46875
  10	0.75	0.5625	0.46875	0.625	0.6875	0.71875	0.64575	0.65625	0.46875
  Average	0.7121	0.5813	0.475	0.6156	0.6312	0.6937	0.616	0.6686	0.5125

• Correlation between bits

  • Chip A

  • Chip B

  • Chip C

  • Chip D

  • Chip E

  • Chip F

  • Chip G

  • Chip H

  • Chip I

Summary

• 23K256 show more unreliable result compared to 23LC1024. For example, the error rate is higher than 23LC1024.

[asajim]

Result of PUF trial using repetition code as ECC

key length: 128 bit

key:       01010111001100110100000101010001       00101011011110000110110001010001       01110011010000110100011101101011       01000001011001110011110100111101

base file for comparison: ascii-coded binary file 171017B/1.c

Algorithm for PUF using repetition code

1. generate/read key (128 bits)
2. produce a repetition of the key (here, repetition length is 16, 64 or 128) (128 bits x 128/64/16 repetition = 16k / 8k / 2k bits)
3. first bits (16k / 8k / 2k bits) of the base file are XORed with repetition of bit key to produce helper data.
4. helper data is XOR with bit from the destination file.
5. decode repetition encoding (vote the majority of the result of previous step to reconstruct the key).
6. compare the reconstructed key with the actual key

• repetition: 128

  Chip	Folder	File	Difference	Difference (%)	Chip	Folder	File	Difference	Difference (%)
  A	171017A	1	6	4.7%	B	171017B	1	0	0.0%
  		2	0	0.0%			2	0	0.0%
  		3	11	8.6%			3	0	0.0%
  		4	1	0.8%			4	0	0.0%
  		5	8	6.3%			5	0	0.0%
  		6	3	2.3%			6	0	0.0%
  		7	3	2.3%			7	0	0.0%
  		8	3	2.3%			8	0	0.0%
  		9	1	0.8%			9	0	0.0%
  		10	1	0.8%			10	0	0.0%
  C	171017C	1	0	0.0%	D	171017D	1	1	0.8%
  		2	0	0.0%			2	0	0.0%
  		3	0	0.0%			3	4	3.1%
  		4	0	0.0%			4	0	0.0%
  		5	7	5.5%			5	8	6.3%
  		6	1	0.8%			6	0	0.0%
  		7	0	0.0%			7	0	0.0%
  		8	1	0.8%			8	0	0.0%
  		9	0	0.0%			9	0	0.0%
  		10	3	2.3%			10	0	0.0%
  E	171017E	1	1	0.8%	F	181017F	1	58	45.3%
  		2	0	0.0%			2	32	25.0%
  		3	9	7.0%			3	45	35.2%
  		4	2	1.6%			4	37	28.9%
  		5	4	3.1%			5	48	37.5%
  		6	1	0.8%			6	57	44.5%
  		7	0	0.0%			7	77	60.2%
  		8	0	0.0%			8	82	64.1%
  		9	0	0.0%			9	85	66.4%
  		10	20	15.6%			10	94	73.4%
  G	181017G	1	76	59.4%	H	181017H	1	30	23.4%
  		2	18	14.1%			2	13	10.2%
  		3	28	21.9%			3	34	26.6%
  		4	29	22.7%			4	30	23.4%
  		5	9	7.0%			5	12	9.4%
  		6	21	16.4%			6	17	13.3%
  		7	41	32.0%			7	26	20.3%
  		8	42	32.8%			8	22	17.2%
  		9	12	9.4%			9	18	14.1%
  		10	34	26.6%			10	13	10.2%
  I	181017I	1	11	8.6%	J	181017J	1	18	14.1%
  		2	0	0.0%			2	82	64.1%
  		3	4	3.1%			3	70	54.7%
  		4	0	0.0%			4	31	24.2%
  		5	0	0.0%			5	64	50.0%
  		6	0	0.0%			6	60	46.9%
  		7	0	0.0%			7	107	83.6%
  		8	1	0.8%			8	69	53.9%
  		9	0	0.0%			9	23	18.0%
  		10	9	7.0%			10	44	34.4%

• repetition: 64

  Chip	Folder	File	Difference	Difference (%)	Chip	Folder	File	Difference	Difference (%)
  A	171017A	1	2	1.6%	B	171017B	1	0	0.0%
  		2	5	3.9%			2	0	0.0%
  		3	13	10.2%			3	0	0.0%
  		4	0	0.0%			4	0	0.0%
  		5	10	7.8%			5	0	0.0%
  		6	16	12.5%			6	0	0.0%
  		7	0	0.0%			7	0	0.0%
  		8	0	0.0%			8	0	0.0%
  		9	9	7.0%			9	0	0.0%
  		10	1	0.8%			10	0	0.0%
  C	171017C	1	8	6.3%	D	171017D	1	7	5.5%
  		2	6	4.7%			2	1	0.8%
  		3	17	13.3%			3	12	9.4%
  		4	1	0.8%			4	3	2.3%
  		5	29	22.7%			5	13	10.2%
  		6	8	6.3%			6	1	0.8%
  		7	15	11.7%			7	1	0.8%
  		8	9	7.0%			8	1	0.8%
  		9	6	4.7%			9	1	0.8%
  		10	17	13.3%			10	7	5.5%
  E	171017E	1	17	13.3%	F	181017F	1	71	55.5%
  		2	20	15.6%			2	39	30.5%
  		3	32	25.0%			3	49	38.3%
  		4	21	16.4%			4	35	27.3%
  		5	22	17.2%			5	51	39.8%
  		6	24	18.8%			6	63	49.2%
  		7	18	14.1%			7	105	82.0%
  		8	25	19.5%			8	108	84.4%
  		9	18	14.1%			9	128	100.0%
  		10	37	28.9%			10	128	100.0%
  G	181017G	1	66	51.6%	H	181017H	1	35	27.3%
  		2	51	39.8%			2	21	16.4%
  		3	48	37.5%			3	34	26.6%
  		4	52	40.6%			4	28	21.9%
  		5	50	39.1%			5	24	18.8%
  		6	68	53.1%			6	10	7.8%
  		7	57	44.5%			7	34	26.6%
  		8	45	35.2%			8	27	21.1%
  		9	59	46.1%			9	20	15.6%
  		10	52	40.6%			10	23	18.0%
  I	181017I	1	11	8.6%	J	181017J	1	18	14.1%
  		2	7	5.5%			2	119	93.0%
  		3	8	6.3%			3	18	14.1%
  		4	6	4.7%			4	48	37.5%
  		5	5	3.9%			5	22	17.2%
  		6	8	6.3%			6	17	13.3%
  		7	7	5.5%			7	128	100.0%
  		8	7	5.5%			8	28	21.9%
  		9	7	5.5%			9	49	38.3%
  		10	9	7.0%			10	18	14.1%

• repetition: 16

  Chip	Folder	File	Difference	Difference (%)	Chip	Folder	File	Difference	Difference (%)
  A	171017A	1	27	21.1%	B	171017B	1	0	0.0%
  		2	15	11.7%			2	0	0.0%
  		3	33	25.8%			3	0	0.0%
  		4	22	17.2%			4	0	0.0%
  		5	30	23.4%			5	0	0.0%
  		6	27	21.1%			6	0	0.0%
  		7	14	10.9%			7	0	0.0%
  		8	27	21.1%			8	0	0.0%
  		9	21	16.4%			9	0	0.0%
  		10	21	16.4%			10	0	0.0%
  C	171017C	1	48	37.5%	D	171017D	1	35	27.3%
  		2	52	40.6%			2	34	26.6%
  		3	44	34.4%			3	33	25.8%
  		4	50	39.1%			4	38	29.7%
  		5	37	28.9%			5	34	26.6%
  		6	50	39.1%			6	42	32.8%
  		7	57	44.5%			7	39	30.5%
  		8	47	36.7%			8	34	26.6%
  		9	48	37.5%			9	33	25.8%
  		10	49	38.3%			10	36	28.1%
  E	171017E	1	28	21.9%	F	181017F	1	35	27.3%
  		2	40	31.3%			2	120	93.8%
  		3	31	24.2%			3	26	20.3%
  		4	42	32.8%			4	27	21.1%
  		5	33	25.8%			5	29	22.7%
  		6	43	33.6%			6	26	20.3%
  		7	38	29.7%			7	40	31.3%
  		8	29	22.7%			8	120	93.8%
  		9	38	29.7%			9	120	93.8%
  		10	31	24.2%			10	120	93.8%
  G	181017G	1	65	50.8%	H	181017H	1	17	13.3%
  		2	58	45.3%			2	15	11.7%
  		3	56	43.8%			3	16	12.5%
  		4	54	42.2%			4	25	19.5%
  		5	52	40.6%			5	19	14.8%
  		6	61	47.7%			6	27	21.1%
  		7	74	57.8%			7	20	15.6%
  		8	54	42.2%			8	19	14.8%
  		9	69	53.9%			9	25	19.5%
  		10	60	46.9%			10	12	9.4%
  I	181017I	1	19	14.8%	J	181017J	1	35	27.3%
  		2	24	18.8%			2	35	27.3%
  		3	11	8.6%			3	120	93.8%
  		4	7	5.5%			4	35	27.3%
  		5	16	12.5%			5	111	86.7%
  		6	15	11.7%			6	40	31.3%
  		7	22	17.2%			7	35	27.3%
  		8	21	16.4%			8	120	93.8%
  		9	14	10.9%			9	44	34.4%
  		10	30	23.4%			10	113	88.3%

Result:

• 0% error should only produced when comparing with the chip used as the base file
  • 16 as repetition code is acceptable
• Choosing too large repetition code makes multiple chips resulting in the same key. This is undesirable. Thus, choosing a correct length that can correct acceptable error rate in the same chip without introducing two correct key from different chips is a challenge.
• Further improvement:
  • use a better ECC
  • choose a stable bit as the input for XOR (here, we only choose the first "length of repetition * length of key" bits)

[hakhundov]

@asajim is the 'difference' between the reconstructed key and the actual key?

[asajim]

@hakhundov yes it is.

[hakhundov]

@asajim roughly speaking, it seems that the noise in the subsequent PUF measurements is way too big from seeing the results. A 100% difference would mean that there are >= 31 errors in every codeword (rep(64) case). Hence the fractional hamming distance between the reference and subsequent measurement must be at least 0.5. This is just an unreliable PUF. Btw, I don't see this noise in the tables above (profiling). I might be wrong of course.

[asajim]

@hakhundov I think I haven't explained my data clearly. One folder refers to a single chip with 10 measurements. Folder 171017A refers to chip A, and measurement was performed on Oct 17th, 2017. Different folders refer to different chips, but with the same type. If I understand correctly, '100% difference between two chips' means it is a correct PUF. In rep(64), the one that's not acceptable is when a different chip produce the same key (difference = 0%, e.g. 171017A produce the same key with the base file 171017B). In rep(16), only chip B that produce the same as the base file (measurement 1 on folder 171017B). It would also be unacceptable if PUF measurements on the same chip produce difference key.

[asajim]

Trial of implementing BCH

• Chip used to generate: Chip D
• File to generate key: trial-1 (1.c)
• Difference between trial 1 and trial n every 511 bits in percentage

Index	Trial 2	Trial 3	Trial 4	Trial 5	Trial 6	Trial 7	Trial 8	Trial 9	Trial 10
1	9.3933	11.1546	8.0235	8.6106	6.8493	9.3933	8.4149	10.1761	8.6106
2	8.6106	10.9589	1.5656	4.6967	6.2622	8.4149	4.6967	6.2622	9.7847
3	7.045	5.0881	5.0881	3.5225	3.1311	6.8493	4.3053	9.3933	8.0235
4	11.3503	9.589	6.4579	11.1546	9.3933	7.6321	11.3503	7.4364	18.9824
5	5.4795	6.0665	6.0665	5.8708	4.1096	6.6536	4.6967	4.3053	9.9804
6	4.1096	6.4579	4.501	7.2407	2.9354	7.6321	7.045	4.501	7.6321
7	5.2838	9.9804	6.2622	9.3933	7.8278	6.4579	7.2407	8.4149	6.8493
8	7.045	8.2192	1.3699	3.9139	4.501	7.6321	4.1096	7.2407	3.9139
9	3.5225	5.6751	0.3914	6.8493	4.1096	3.5225	3.5225	3.9139	4.6967
10	5.2838	5.0881	6.4579	4.6967	8.2192	7.6321	8.2192	7.8278	3.7182
11	9.3933	18.0039	9.3933	7.2407	10.1761	14.4814	9.9804	10.5675	14.6771
12	7.4364	9.1977	10.3718	3.1311	8.8063	6.0665	5.8708	6.2622	5.0881
13	4.6967	5.2838	6.2622	7.045	7.2407	3.7182	6.2622	6.8493	5.8708
14	12.9159	13.3072	8.8063	12.1331	9.589	14.09	6.2622	11.3503	10.9589
15	9.9804	8.0235	7.8278	8.4149	4.501	8.2192	4.1096	9.1977	6.6536
16	8.2192	11.546	7.045	5.2838	6.8493	4.6967	4.6967	8.0235	3.7182
17	7.045	8.2192	6.0665	4.6967	4.8924	3.9139	4.6967	6.4579	7.2407
18	7.2407	3.7182	4.6967	4.6967	0.7828	7.045	3.7182	6.6536	5.2838
19	5.0881	3.1311	3.1311	5.2838	2.9354	5.4795	6.4579	9.1977	4.501
20	6.0665	11.7417	3.3268	10.1761	4.8924	8.2192	4.501	12.9159	5.8708
21	8.6106	6.6536	2.9354	9.589	2.7397	5.4795	6.4579	7.045	4.3053
22	5.8708	9.1977	5.2838	6.2622	9.002	5.8708	6.6536	6.4579	7.4364
23	9.3933	8.4149	7.2407	1.1742	7.4364	4.6967	9.1977	4.8924	7.6321
24	3.5225	6.4579	1.5656	3.7182	1.7613	3.3268	2.3483	1.3699	3.1311
25	0.5871	9.7847	3.1311	3.3268	10.1761	2.7397	9.9804	9.589	8.6106
26	9.589	11.9374	8.2192	9.3933	10.1761	4.501	8.6106	5.6751	8.2192
27	7.045	9.9804	5.2838	8.4149	4.1096	3.5225	4.8924	9.9804	5.2838
28	4.8924	2.544	3.1311	3.7182	4.1096	4.8924	2.9354	5.2838	3.3268
29	3.7182	3.3268	2.3483	1.9569	5.4795	6.8493	3.1311	4.1096	3.5225
30	3.3268	4.3053	2.9354	3.7182	2.3483	3.3268	6.0665	2.544	2.7397
31	6.2622	2.9354	0.9785	5.8708	5.2838	5.8708	6.0665	8.0235	4.3053
32	9.589	8.6106	6.2622	8.6106	8.2192	8.8063	12.5245	10.5675	12.3288
33	9.9804	1.7613	9.3933	5.2838	7.8278	5.6751	6.0665	7.8278	7.2407
34	6.0665	9.1977	3.3268	6.4579	9.1977	5.0881	10.1761	6.6536	6.2622
35	5.2838	5.2838	2.1526	7.6321	6.2622	5.0881	8.4149	7.045	5.4795
36	4.1096	4.1096	4.501	2.3483	3.5225	4.1096	4.3053	4.6967	7.2407
37	4.1096	5.6751	6.8493	8.2192	7.045	8.4149	5.4795	6.6536	9.002
38	7.045	5.0881	3.3268	7.4364	2.7397	9.7847	5.8708	5.0881	3.9139
39	7.4364	5.8708	3.5225	3.9139	1.9569	3.9139	4.3053	4.501	1.3699
40	8.8063	13.3072	8.2192	9.1977	2.7397	9.7847	7.8278	8.4149	11.546
41	2.3483	9.002	1.3699	3.5225	1.5656	6.4579	3.5225	5.2838	2.1526
42	8.4149	7.4364	8.2192	7.045	2.544	5.8708	9.002	4.501	6.6536
43	7.8278	10.7632	6.8493	8.4149	9.3933	10.7632	10.1761	7.4364	8.4149
44	3.9139	9.3933	9.002	9.1977	6.8493	8.2192	12.1331	6.6536	11.3503
45	5.4795	8.0235	5.6751	4.8924	7.2407	3.9139	10.3718	10.1761	9.3933
46	3.9139	8.4149	4.501	4.8924	10.1761	2.544	7.2407	7.8278	8.6106
47	1.5656	2.1526	1.3699	1.7613	1.7613	3.7182	2.3483	3.9139	2.3483
48	3.5225	6.4579	1.9569	5.4795	7.8278	4.3053	3.1311	4.3053	5.2838
49	6.8493	7.045	9.9804	4.501	6.6536	5.2838	2.544	6.2622	3.1311
50	6.0665	9.9804	2.7397	5.8708	11.546	9.7847	8.2192	5.0881	6.8493
51	3.9139	13.8943	6.4579	10.1761	6.2622	7.8278	10.9589	3.1311	10.7632
52	5.8708	7.4364	4.1096	5.8708	7.6321	5.0881	4.501	4.6967	6.4579
53	6.8493	9.1977	8.4149	9.3933	8.2192	12.5245	3.3268	11.1546	11.9374
54	10.9589	8.0235	10.9589	10.1761	9.1977	12.5245	6.6536	11.546	8.4149
55	5.2838	5.4795	10.3718	3.9139	4.8924	7.045	9.589	10.3718	8.0235
56	4.3053	6.6536	2.9354	8.2192	4.6967	3.1311	5.8708	8.2192	6.0665
57	5.6751	8.4149	4.1096	10.9589	7.6321	6.6536	4.8924	12.9159	6.0665
58	5.8708	3.5225	2.9354	4.501	0.7828	3.9139	4.1096	5.0881	1.7613
59	8.4149	9.002	3.9139	5.0881	8.2192	4.3053	6.0665	8.0235	3.1311
60	3.1311	5.0881	6.6536	1.5656	3.7182	5.6751	2.1526	5.8708	1.9569
61	1.7613	7.4364	3.5225	3.7182	3.3268	4.3053	7.2407	6.8493	5.2838
62	12.3288	16.047	13.3072	10.3718	15.4599	13.6986	9.9804	13.8943	16.2427
63	10.7632	6.6536	1.3699	4.8924	6.0665	12.3288	6.2622	7.6321	9.7847
64	3.3268	5.8708	3.9139	6.0665	2.7397	5.8708	1.5656	7.4364	3.3268
65	5.0881	1.9569	5.6751	3.3268	7.6321	4.8924	6.0665	6.6536	4.8924
66	11.546	5.4795	5.0881	6.6536	7.4364	7.045	14.8728	5.4795	9.3933

• BCH parameter:

  • n: 511
  • k: 31
  • t: 109
  • This parameter is chosen because it can correct up to 21.3% (109/511). It is needed because the maximum difference of every 511 bits between trials on chip D is 18.9824% (trial 10 index 4).

• Key length: 2046

• Total bits used: 33726

  

  Scheme from Cryptographic Key Generation from PUF Data Using Efficient Fuzzy Extractors with altered K bits

• Result: Difference of the generated key between each chip with chip D

  Index Trial	Chip A	Chip B	Chip C	Chip D	Chip E	Chip F	Chip G	Chip H	Chip I	Chip J
  1	39.5%	45.4%	43.2%	0.0%	45.2%	44.6%	51.5%	41.4%	43.5%	52.5%
  2	39.1%	44.5%	45.8%	0.0%	45.4%	52.3%	41.4%	41.5%	43.8%	55.6%
  3	39.8%	48.7%	43.4%	0.0%	45.9%	44.5%	42.1%	41.5%	44.3%	52.5%
  4	39.4%	46.4%	43.1%	0.0%	44.6%	45.4%	42.2%	42.2%	43.9%	52.6%
  5	39.8%	46.3%	43.1%	0.0%	45.3%	43.9%	41.8%	40.9%	45.1%	49.7%
  6	40.3%	47.8%	42.5%	0.0%	45.2%	44.4%	41.7%	40.8%	43.5%	51.4%
  7	40.2%	44.0%	43.2%	0.0%	45.9%	44.6%	41.6%	41.4%	46.3%	53.3%
  8	39.2%	44.4%	43.3%	0.0%	45.3%	54.4%	42.4%	40.9%	43.9%	52.6%
  9	39.9%	43.7%	43.9%	0.0%	45.2%	55.5%	41.4%	41.3%	45.1%	53.9%
  10	40.0%	44.0%	43.0%	0.0%	45.3%	52.7%	41.9%	41.8%	44.7%	54.1%

  • The result is acceptable because the only chip that can generate correct key is chip D.

[synctext]

PUF starts to become usable! 19 chips in total, 9 of type 23K256 not that good (e.g. 34% error rate), 8 out of 10 from 23LC1024 type usable. ("23K256 show more unreliable result compared to 23LC1024")

• Will the helper data leak the private key with too large repetition code? When exactly (math expression)?
• expression for statistical significance of amount of bit profiling tests (N=10 in several above experiments)
• in initial experiments only used first 16k in repetition code or half of the memory (profiling).
• profile which 16k block of the memory is stable and usable to reconstruct 128 bits reliably.
• goal is reliable PUF storage of a 256-bit secp256k1 private key from Bitcoin
• ToDo: buy 1 more totally different PUF candidate chip (10x), one similar bit different fab/fabrication batch of the 23LC1024 (10x).

[asajim]

Result on 18 23LC1024 SRAMs

	Mean	Average Hamming Distance Per 511 Bits on 33726 Bits (%)	Maximum Hamming Distance Per 511 Bits on 33726 Bits ()
A	0.7043	7.6834	20.3523
B	0.6588	6.899	22.5049
C	0.6791	5.0173	17.8082
D	0.6731	5.0667	14.6771
E	0.669	5.8144	15.4599
F	0.6714	6.1634	16.8297
G	0.6573	5.0985	13.8943
H	0.6716	4.9489	14.6771
I	0.6786	4.9849	15.0685
J	0.6638	5.1019	13.6986
K	0.6809	6.7253	20.7436
L	0.6677	5.1019	16.6341
M	0.6645	6.3726	16.2427
N	0.6756	5.0129	11.9374
O	0.6733	4.9302	14.4814
P	0.6677	5.2771	15.6556
Q	0.6743	6.7998	18.7867
R	0.6738	5.1741	15.4599
S	0.6699	5.0530	14.0900
T	0.6890	5.6327	13.8943
U	0.6772	5.3263	14.8728
V	0.6683	5.1357	16.6341
W	0.6783	5.4622	14.8728

• Symmetry / Mean Value : μ

  • Chip A

  • Chip B

  • Chip C

  • Chip D

  • Chip E

  • Chip F

  • Chip G

  • Chip H

  • Chip I

  • Chip J

  • Chip K

  • Chip L

  • Chip M

  • Chip N

  • Chip O

  • Chip P

  • Chip Q

  • Chip R

  • Chip S

  • Chip T

  • Chip U

  • Chip V

  • Chip W

[synctext]

• 30 minute measurements for 20 iteration of only the first 32Kbit per chip, shown above Can we automate and speed up this process? Goal: measurement taken during night and weekend without manually swapping memory chips. Scale to 64 or 128 chips even? links? or search
• BCH code run on PC, but consumes too much memory for Arduino board (compiler warning).
• select a different code

[synctext]

Progress:

• Byte-oriented error correcting code
• sync with 10th floor; use their hardware testing lab equipement; Haji sync {note: be aware of NDA matters}
• Architecture:
  • use PUF to store a key
  • use PUF to generate a key
• Quick Said informal analysis: "building a software-only solution using SRAM signatures".
• Obviously we should not make any public security claims!
  • this is an untested student prototype
  • getting it "passport-grade" is still a distant dream
• new SRAM is 26 pins, not yet functional on Arduino

[asajim]

Novel profiling methodology, published in 2017 :

• Data remanence based approach to generate stable keys from SRAM PUF:
  • writing ‘1’ (or ‘0’) to the entire array and momentarily shutting down the power until a few cells flip.
  • the cells that are easily flipped are the most robust cells when written with the opposite data
  • required system to do profiling: NI PXI system

[synctext]

Status:

• finished PUF architecture picture. (56 bits helper data, 7 bit key)
• BCH code operational (Wikipedia: The Bose, Chaudhuri, and Hocquenghem (BCH) codes form a large class of powerful random error-correcting cyclic codes. This class of codes is a remarkable generalization of the Hamming code for multiple-error correction.)
• no unit testing yet in the software-only PUF, please read tutorial. Write tests, code coverage needs to be included in thesis.
• write a problem description with key storage of cybercurrency (or focus on authentication if you want).
• conducted a voltage drop experiment: simply disconnect the supply pin. No effect, even 10 seconds interrupt keeps the memory value intact.
  • Possible next step, disconnect all SPI pins?
  • explore how to create an experimental setup for voltage drop.
  • Tutorial; writing analog voltages in Anrduino command analogWrite(mypin, 127). Relevant?

[asajim]

Problem Statement

Implement an open source key storage system using SRAM-PUF scheme, where the SRAM is general purpose SRAM available on the market.

Steps:

1. investigate the characteristic of SRAM PUF types
2. search and analyse existing secure key storage method using SRAM PUF
3. design a scheme to enable secure PUF key storage using off-the-shelf SRAM
4. propose a system that will be able to store key, which consists of software and hardware components
5. evaluate the solution by constructing the system, experimenting and conducting performance analysis
   1. investigate hardware that suitable for the scheme
   2. profile SRAMs to look for stable bits
   3. choose an efficient error correcting code and determine its parameter to fit the SRAM
   4. construct the complete software, which contained the error correcting code and combine it with hardware
6. explore possible improvements on the system for a future research

Main contribution

• provide a complete system for key storage using off-the-shelf SRAM

Scheme for storing 7 bits key

• this scheme is only for storing 7 bits. Thus, to save 256 bits key, one need to repeat this block 37 times (37*7 > 256).
• storing 7 bits key, require 63 bits value from SRAM. Thus, to save 256 bits key, it requires 2331 bits. If we use 23LC1024 which has 1Mbit (1048576 bits) memory, it only use 0.22% of its total memory.
• beside saving the helper data on the device, we also need to store the location of SRAM memory that we want to read.

[asajim]

Complete scheme for storing 256 bits key

[asajim]

Method for looking stable bits in 23LC1024:

• Choose first n required bits: majority is not stable
• TMV (temporal majority voting)
  • repetitively test the PUF using the same challenge and take the majority value of the responses as the final output.
  • Increasing the number of repetitive tests allows the tester to find keys that are more stable.
  • Involves a large number of tests (e.g. 100’s or 1000’s of power-ups for SRAM PUF)
  • Use QSKJ auto step up-down converter to test the effect of voltage difference
  • Haven't done testing on different temperature
  • Current result:
  • Choose n required consecutive bits, starting for random position: not satisfying.
  • Choose n required bits, split into 37 sections. Each sections contains 64 bits consecutively: not satisfying.
  • Choose n required bits, split into 37*8 sections. Each sections contains 8 bits consecutively: not satisfying.
  • Choose n required bits, can be located anywhere. This is the best result compared to other methods but still haven't found the really stable one.
• Data remanence
  • writing ‘1’ (or ‘0’) to the entire array and momentarily shutting down the power until a few cells flip.
  • the cells that are easily flipped are the most robust cells when written with the opposite data.
  • use National Instrument PXI System
  • not done yet, because we haven't got an access to the testing system

[synctext]

Progress feedback:

• Goal: minimal viable product for stable bits with software-only PUF
  • postpone as much as possible
  • First a weak PUF, obviously we want to move beyond that to a strong PUF
  • After operational MvP: expand with superior security, temperature effects, voltage drops, etc.
• detected some sort of correlation effect between PUF bits
• quick query: Statistical tests to determine spatial correlations in the response behavior of PUFs
• no stability of PUF bits yet (with Arduino BCH coding)
• unknown cause; suspecting the SPI-based 23LC1024 hardware itself
• think of an experiment to check the effect of reading memory to the bit value / neighbours
• For final thesis experiment: have a pool of stable bits to enable a challenge/response protocol?
• simplified open source versions of "Slender PUF Protocol: A Lightweight, Robust, and Secure Authentication by Substring Matching"
• fancy attacker claim: resilient against all known machine learning attacks (DISCLAIMER: if carefully designed)
• we might need high-capacity SRAM for this pool of stable bits.
• research question, can software-only solution ever compare to dedicated PUF fancy hardware

[asajim]

Possible improvement:

• check the number of stable neighbours to get the actual stable bits (Bit Selection Algorithm). Currently, to get the stable bits, we only check a stable bit without considering its neighbours. Also, beside the effect of voltage, check the effect of temperature and aging
• use another SRAM (CY62256NLL-PXC)
• try to implement some attempt from Reliability Enhancement of Bi-Stable PUFs in 65nm Bulk CMOS, especially the Directed Accelerated Aging and Multiple Evaluation
• Tools to do data remanence methodology, National Instrument PXI SRAM test system, is not available in the university.

Critical points:

• finding stable bits
• helper data is store in the arduino memory -> unencrypted
• table of stable bits location -> security sensitive and need to be protected
• to use the PUF, a user needs to input a password which is used for encrypting the location of stable bits
• if a user inputs the correct password
  1. system will decrypt the table
  2. get the stable bits location
  3. get stable bits value
  4. used the stable bits value and helper data for reconstruction of the key (main point of PUF)

privacy amplification: a process that allows two parties to distill a secret key from a common random variable about which an eavesdropper has partial information (cited from Generalized Privacy Amplification). in PUF that used for generating a key, privacy amplification usually done by applying a hash function on a chunk of SRAM bits

[asajim]

Current progress on SRAM 23LC1024:

• able to collect SRAM data automatically
• able to turn off and on SRAM
• able to manipulate voltage to SRAM programmatically

Current method on determine the stable bits (3 stages):

• Stage 1: Collect data from SRAM on every location
• Stage 2: Locate the stable bits using the collected data
• Stage 3: Iteratively test the current stable bits to get more stable bits

Result:

• stable bits from automatically collected data are more unstable than the manually collected data (manually plug-unplug the arduino to reset SRAM). The reason might be because the manually collected data are gathered from multiple days enrollment which introduce more variation in testing condition.

Current progress on CY62256N SRAM:

• able to collect data
• no yet able to collect SRAM data automatically
• from the manually collected data, an early analysis was done and it might be more stable than 23LC1024. This might be because it use an older technology (90nm) and has a significantly bigger size which possibly make a bit in it more robust to neighbouring bits variation, temperature and voltage effect.

[synctext]

Voltage level control from software? Great progress. Congrats. Can you do slow increase and fast turnon of voltage and effect on stability? Please make a list of potential experiments to run fir a week.

[asajim]

Current experiment:

• another trial of automatic SRAM memory retrieval
  • hamming distance between each attempt is around 7-10%
  • trying to get the stable bit using the flow from diagram in previous comment
    1. calculate the stable bit
    2. calculate the rank of that stable bit based on number of stable neighbours
    3. use n highest rank bits as bits for PUF
    4. result is not satisfying

• try to use data remanence method

  • write 1/0's on all bits
  • turn off for a short time
  • turn it on again
  • get the first bits that change value:
    • if write 1's on all location, bits that change quickly to 0 is strong zero
    • if write 0's on all location, bits that change quickly to 1 is strong one

  • result:

    	Write 0's on All		Write 1's on All
    Time	0's Count	1's Count	0's Count	1's Count
    0.1 s	1048576	0	0	1048576
    	1048576	0	0	1048576
    	1048576	0	0	1048576
    	1048576	0	0	1048576
    0.11 s	1048512	0	256	1048320
    	1048512	0	32	1048544
    	1048512	64	288	1048288
    	1048512	0	320	1048256
    0.12 s	1048064	512	544	1048032
    	1048224	352	416	1048160
    	1048192	384	576	1048000
    	1048000	576	384	1048192
    0.13 s	1047456	1120	640	1047936
    	1047296	1280	640	1047936
    	1047360	1216	544	1048032
    	1047296	1280	576	1048000
    	1046976	1600	1184	1047392
    0.14 s	1047072	1504	800	1047776
    	1046848	1728	672	1047904
    	1046560	2016	1216	1047360
    	1046368	2208	1184	1047392
    0.15 s	1046560	2016	1536	1047040
    			1376	1047200
    			1472	1047104
    			1248	1047328
    0.16 s			1376	1047200
    			1824	1046752
    			1888	1046688
    			1600	1046976
    0.17 s			2432	1046144
    			2048	1046528
    			2144	1046432
    			2144	1046432

    • combine 2208 strong 1's bits and 2144 strong 0's
    • iteratively recheck the stability of the combined strong bits by resetting the SRAM and checking their values
    • after 300th rechecking, we get 2406 strong bits
    • it's still not stable. when comparing their values using short delay on resetting the SRAM, they're stable. otherwise, their bit values will change
    • this result is a disproof of the concept shown by data remanence approach. just because the bits change their value quickly, doesn't they are stable throughout SRAM lifetime

Next experiment:

• do the same experiments shown above on another SRAM (CY62256N)

Possible related authentication protocols:

• A Lockdown Technique to Prevent Machine Learning on PUFs for Lightweight Authentication
• Lightweight Highly Secure PUF Protocol for Mutual Authentication and Secret Message Exchange
• Realizing Strong PUF from Weak PUF via Neural Computing

[synctext]

Status update:

• difference between measurements in a single minute and ones days apart. ToDo: measurement plan time-dependancy
• conflicting results with prior work on same SRAM
• a thesis only needs something like 7 nice graphs of experiments and your're DONE.
• stable bits usable the next minute, but not next week is critical for PUF concept. Thesis provides a deep understanding of this phenomenon. "multi-day stability". Confirm or reject this conjecture.
• "multi-day stability" findings needs to hold for multiple SRAM types
• measurement setup
• "We designed a custom measurement kernel for PUF profiling. It is specifically designed to be generic and usable for all types of PUF profiling measurements. Our PUF-Profile kernel waits for measurement commands on the serial link after booting. We designed a dedicated protocol for voltage control, read bytes, write bytes, and memory disable/enable."
• "calculate the rank of that stable bit based on number of stable neighbours". ToDo: measurement plan to determine the degree of neighbor influence?
• Goal is to seek: 2000 stable "0"s and 2000 stable "1"s. then we seek and discard more unstable bits until until 2368 bits remain. Then we can store reliably 256 bits with error coding. Equal to 32 Bytes, a sufficiently sized random seed for a Bitcoin wallet generator
• So methodology:
  • First step: use data remanence method (multiple passes, takes time) (100-170 ms OFF)
  • Second step (with 4000+ bits remaining): check stability after cold-start. (at least 10 seconds OFF)
  • no processed measurement results yet of effect beyond 10 seconds (e.g. 1 day)
• done initial voltage ramp-up measurements, no processed measurement results yet
• PUF stability 101 lessons:
  • determine SRAM fabrication depandancy
  • 100 ms OFF, determine bit flips. "0" or "1" bias of bits
  • determine neighbor influence, bit flips if all other bits are "0"s or "1"s, or random patterns (according to literature, its a unique 1 and 0 pattern dependent)
  • 10 seconds OFF determine stability of these bit flips.
  • 10000 seconds OFF determine if there is a difference between sort-term and long-term stability
  • stable bits, also with different ramp-up voltage
  • stable bits, also with different temperatures
  • we ignore the aging effect, new hardware versus old stuff

ToDo: From weak PUF to strong PUF.

Please write the first thesis chapter and 2-ish pages of measurement resutls.

[asajim]

First thesis draft: thesis-2.pdf

[synctext]

• title brainstorm with strongest concept early in title: "A strong software-only PUF using off-the-shelf SRAM"
• cite your figure sources
• add self-sovereign identity concept
• possibly add the TUDelft stack (https://www.google.nl/search?q=Laws+for+creating+trust+in+the+blockchain+age)
• Chapter 3 SRAM PUF Open Problems, written currently as a loose tutorial. Too similar to Chapter 2, gap with 4. possible storyline Current state-of-the-art in this field consists of one-off prototypes and specific proprietary implementations. This fields lacks a Arduino, Linux, or GCC type of open reference implementation. No wide agreement exists on a which approach yields the strongest security properties. We believe the next challenge for this field is to discover a common approach. Furthermore the field needs to move beyond isolated single-person projects and single-company approaches towards a mature and sharing ecosystem. The field SRAM PUFs needs a single implementation which is continuously improved upon for many years to come and is supported by the majority of the academic and commercial parties.
• Chapter 4, why software-only in the first lines or earlier chapter
• "Key Storage Scheme", please revise into a 4.1 section and call it "system Architecture".
• discuss you capabilities; or design principles; or functional requirements: strong authentication, generation keys, store given secret key, and storing keys of Bitcoins in SRAM PUF
• Chapter 5.1 Selecting off-the-shelf SRAM
• Chapter 5 Implementation and Basic Voltage Experiments "we implemented a fully functionaly software-only PUF and released it as open source."
• All measurements as raw data point, connected by straight lines. no smooth curve fitting which eliminates any noise.
• Chapter 6 with Advanced PUF experiments?

ToDo: focus on strong authentication, state-of-the-art protocols, open source code, HMAC, Bitcoin ECC, Secp256k1, etc.

[asajim]

Revision 2 - Thesis Draft

Notes:

• extend the related work explanation
• is data protection and key storage a suitable idea for thesis? there are already many authentication scheme. data protection can relate better to self-sovereign identity mentioned in the introduction part

[synctext]

Introduction chapter storyline remarks:

• This thesis is focused on the SRAM PUF type. We decided to focus our research on the SRAM PUF because of the simplicity of the architecture, ease of experimentation, and the availability of components.
• After decades of failure we never solved the identity problem, yet we have Pub/Priv key crypto since 1984 by Chaum World Economic Forum study.
• proposed solution: everyone keeps their secret keys secure and solely in their possession
  • keeping secret keys secure is the cardinal problem to solve
  • no central storage of private keys; honeypots for cyber attacks
• thus we need to solve identity and secure key storage in a decentral manner: every user storing their own secrets under their full control is known as self-sovereign identity.
• This thesis aims to address the problem of self-sovereign identity and keeping your secret key really secret.
• Our goal is to store a private cryptocurrency key. Thus secure wallet.
• strong PUF

Chapter 2 : "Introduction to Security"

• very broad
• use as the first paragraphs of your thesis; move to beginning of intro chapter.
• define https://www.google.nl/search?q=Data+Protection+Scheme in thesis

Problem description chapter:

• We address two problems in this thesis
  • devise a first secure Data Protection Scheme based on the strong properties of PUF technology
  • create an open ecosystem for the evolution of both our data protection scheme and our strong PUF

Security analysis: loss of PUF hardware, loss of password, loss of both, etc.

General comments:

• PUF generated key or PUF-generated seed in Figure 5.1
• 6.7.1 Neighbour Stability Analysis Not easy to understand what you did and why. Needs a pointer back to relevant Chapter which explains PUF stuff.
• strong PUF chapter ideas?
• brainstorm. The final thesis experiment: Bitcoin PUF transfer. On one Arduino board the helper data+SRAM is inserted and the private key of a Bitcoin is stored. The voltage is turned off. The helper data stored on an SDcard + SRAM is transferred to another Arduino board. It is powered on a magically the key is re-constructed. We show the performance of the reconstruction process here: hardware boot x ms, voltage stabilisation y ms, error decoding z ms, etc.

Typos:

• one of the main leaders in SRAM PUF
  • They also have another solution for SRAM PUF
  • implement PUFs within their design
  • "There are 500 data of SRAM bits value used for this chip." page 34 ?

[asajim]

Latest draft: thesis.pdf

[synctext]

• "if bit values with length 1000 is the goal, a set of 1000 locations is required as an input to PUF device" is there a scientific motivation for the number of bits required?
• Section 3.2 opening sentence should be less modest. Too much intro text. More like: our aim is to make a strong PUF with significantly more combinations then the number of atoms on earth, guessed to be at least 10^49. Brute force attacks should be infeasible.
• "resistant to a brute force attack of more than 10^25 trials."
• Arduino merely 8k internal SRAM, significantly restricting our choice of error correcting codes.
• Table with real products. key related work. machine learning attack and side channel attack resilience Active and Passive Side-Channel Attacks on Delay Based PUF Designs
• sell your final experiment more. Final experiment section: "Concluding experiment with cybercurrency". as the final grand experiment of this thesis we store the private key of cybercurrency. We believes this proves the usefulness and viability of this work for realistic use-cases. etc.
• For graduation: please donate your work to our repo. Add a 1-3 page readme.md, fancy photo, copied from thesis.tex and move all your code, board design, full docs/thesis.tex to https://github.com/Tribler/strong-software-based-Physical-Unclonable-Function

[synctext]

we would like a fully operational PUF of your design and development environment in our lab. redo the Bitcoin experiment.

[asajim]

Thesis draft:

thesis.pdf

[synctext]

Please provide @qstokkink with 4 out of your 5 operational SRAM puf chips. Three Arduino + interface board plus sources to get it operational and profile each PUF bit. Allows us to do parallel profiling. Additional microSDcard for storage of helper data + adapter to interface with Arduino.

[synctext]

• Figure 4.8 + 4.9 Remanence Graph of CY62256NLL; please provide raw measurements in graph. Optionally connect those sample points with a line, remove smooth polished line.
• Discuss your code coverage and provide a table with lines of code + percentage covered.

[asajim]

Latest draft: thesis.pdf

[synctext]

sell your stuff even more, like this in abstract: As the grand concluding experiment of this thesis we store the private key of a Bitcoin with the physical security protection of our PUF.

[asajim]

Final thesis report: thesis.pdf

Thesis repository : software-based-PUF

• contains source codes and latex files to generate thesis report

@synctext I think the issue title should be changed into "Open software-based and patent-free Physical Unclonable Function (PUF) " not "Open hardware-based and patent-free Physical Unclonable Function (PUF) "

[synctext]

Congrats on your TUDelft master degree! Official thesis .pdf download repo: https://repository.tudelft.nl/islandora/object/uuid%3A4f879ecf-95d5-4482-8931-8c40abde0e79 "Open-Source Software-Based SRAM-PUF for Secure Data and Key Storage Using Off-The-Shelf SRAM"

[nymble]

What makes this patent free?
The technologies as described have numerous patents that cover the SRAM-PUF mechanisms.

[synctext]

What makes this patent free? The technologies as described have numerous patents that cover the SRAM-PUF mechanisms.

@nymble Good point. We have not yet done a thorough prior work. This thesis is build upon early scientific papers and early work by Delft ourselves. The 2003 patents describe systems like "During an enrollment phase, Alice 16 issues a challenge C to source P 20 and receives a response A from source P 20". Our approach avoids this with "store this given private key generation seed".

[manasviaudichya311]

how the generated secret key and seed for the random number are stored inside the secure storage of sram? Is the secret key ever stored inside in the sram or it is generated everytime we need to encrypt or decrypt anything?

[synctext]

@rahulsharma311 This is a stand-alone implementation for research purposes.

Is the secret key ever stored inside in the sram

The secret key is generated from physical properties upon startup. As stated above, "the private key is storage becomes volatile by using PUF". There is no secure sram storage, the PUF is designed to be airgapped and challenge/response interfaced as an isolated component. In a decade this could become a standard component within a smartphone to achieve passport-grade digital identity.

[synctext]

New master students always welcome. This project has been without an active master student for a while. Closing this issue until a new person can work on this.