liu17data
Title of the paper: A Data Remanence based Approach to Generate 100% Stable Keys from an SRAM Physical Unclonable Function
Available at: https://ieeexplore.ieee.org/document/8009192
Abstract
Temporal majority voting (TMV) and bit masking were used in previous works to identify and store the location of unstable or marginally stable SRAM cells. However, TMV requires a long test time and significant hardware resources. In addition, the number of repetitive power-ups required to find the most stable cells is prohibitively high. To overcome the shortcomings of TMV, we propose a novel data remanence based technique to detect SRAM cells with the highest stability for reliable key generation. This approach requires only two remanence tests: writing ‘1’ (or ‘0’) to the entire array and momentarily shutting down the power until a few cells flip. We exploit the fact that the cells that are easily flipped are the most robust cells when written with the opposite data. The proposed method is more effective in finding the most stable cells in a large SRAM array than a TMV scheme with 1,000 power-up tests. Experimental studies show that the 256-bit key generated from a 512 kbit SRAM using the proposed data remanence method is 100% stable under different temperatures, power ramp up times, and device aging.
Introduction
(good introduction, the authors distinguish between “strong” and “weak” PUFs)
Strong PUFs like Arbiter PUF [1] and ring oscillator PUF [2] can generate an exponential number of unique challenge response pairs (CRPs), making them suitable for authentication applications without the use of encryption algorithms.
Weak PUFs on the other hand, can only generate a linear number of CRPs and hence are used for key generation. Keys generated by weak PUFs can be used in conjunction with encryption algorithms for authentication applications [3]. The main requirement for keys generated by weak PUFs is that their value should not change with temperature and voltage changes, or with device aging.
(talking about the overhead caused by TMV and other solutions in the state-of-the-art) → This is very time consuming and difficult to implement in a high-volume production flow.
Error Correcting Codes (ECC) can be used to correct the unstable outputs using a software algorithm. However, ECC may leak secret information and introduce extra design complexity and communication overhead.
Finding the strongest cells in a large SRAM array requires a prohibitively large number of repetitive tests and may involve changing the voltage and/or temperature.
DATA REMANENCE BASED STABLE KEY SELECTION
Data remanence based approach
If the entire array is initialized to 0’s, the first bits to flip to 1’s after the short power down period are the strongest ‘1’ bits in the array.
As shown in Fig. 2, the first few bits to flip after the brief power down period are ones that are strongly biased to the opposite value.
Data written to the cell doesn’t affect the power up state because all storage nodes have fully discharged to an unbiased state due to leakage current.
Characterization of data remanence effect
Testbed: off-the-shelf SRAM chips from Microchip Technology
The first step is to determine the appropriate power down time. If the power down time is too long, then the data stored in the array is completely collapsed and the SRAM will power up to its uninitialized state.
The SRAM chips we tested were fabricated in an ultra-low leakage technology, requiring a relatively long power down time to observe data remanence effects. We expect a much shorter data remanence time (e.g. microseconds) for SRAMs built in advanced CMOS technologies.
→ The overall data remanence trends will be agnostic to the technology node.
The cells start to flip after a power down period of about 130ms. When the power down period increases to about 600ms, the flip ratio reaches 50% which corresponds to the SRAM power up state.
In short, compared to TMV, the proposed technique requires not only fewer power-ups (hundreds or thousands → 2) but also shorter power down periods (600ms → 200ms) which significantly reduces the overall test time.
Depending on the number of stable cells we want to select, the amount of data remanence needs to be tuned accordingly by changing the power off period.
If we want to sort the cells from strongest ‘0’ to balanced ‘0’, we first write data ‘1’ to the whole array and sweep the power down period from 100ms to 600ms for the SRAM chips used in our experiment.
When applying the data remanence method to generate stable keys, we only select the strongest cells.
Depending on how many stable bits we want to select, we can vary the power off period. For example, for a 256-bit key, we select roughly 128 stable ‘0’s and 128 stable ‘1’s from 512 kbit cells. The power off period should be around 185ms.
To determine the 256 most stable bits from a 512 kbit SRAM array using TMV, which is only 256/512k = 0.05%, we may need millions of repetitive power up tests for TMV, which is impractical.
In a realistic scenario, we can select more bits than we need and then pick the number of stable bits requested by our target application.
Note that we perform this extensive test on one of the chips to determine the appropriate power down period of all chips.
An attractive feature of the data remanence test is that it can be performed at any temperature.
The top 0.05% stable cells found from the power down sweep test will remain stable at different temperatures and voltage conditions.
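The selection procedure above, as an added simulation (not code from the paper): two remanence tests pick 128 strong ‘0’ and 128 strong ‘1’ cells out of 512 kbit, and their flip rate under extra noise is compared with randomly selected cells. The Gaussian mismatch and noise model, the noise levels and all function names are assumptions made for illustration; the sweep of the power down period is modelled by the order in which cells flip, not by millisecond values.

```python
import heapq
import random

N_CELLS = 512 * 1024   # 512 kbit array, as on the page
KEY_BITS = 256         # 128 strongest '0' cells + 128 strongest '1' cells

def make_chip(rng):
    # Constructed model: one mismatch value per cell; > 0 favours powering up to '1'.
    return [rng.gauss(0.0, 1.0) for _ in range(N_CELLS)]

def power_up(chip, cells, rng, noise):
    # Ordinary power-up of the listed cells: sign of mismatch plus noise.
    return [1 if chip[i] + rng.gauss(0.0, noise) > 0 else 0 for i in cells]

def remanence_test(chip, written, k, rng, noise=0.1):
    # Assumed model: remanence biases every cell toward `written`, and the bias
    # shrinks as the power-off period grows. A cell flips once the bias falls
    # below its opposing mismatch, so the first k cells to flip during an upward
    # sweep of the period are the k cells that oppose `written` most strongly.
    sign = 1.0 if written == 1 else -1.0
    oppose = ((-sign * (m + rng.gauss(0.0, noise)), i) for i, m in enumerate(chip))
    return [i for _, i in heapq.nlargest(k, oppose)]

def enroll(chip, rng):
    # Two tests only: write '1' to find strong '0' cells, write '0' for strong '1's.
    zeros = remanence_test(chip, 1, KEY_BITS // 2, rng)
    ones = remanence_test(chip, 0, KEY_BITS // 2, rng)
    return sorted(zeros + ones)   # cell locations to be stored for key read-out

def flip_rate(chip, cells, rng, power_ups=50, noise=0.3):
    # Fraction of bits differing from a nominal reference read-out when the
    # noise is tripled (constructed stand-in for temperature/aging stress).
    ref = power_up(chip, cells, rng, 0.1)
    flips = sum(a != b for _ in range(power_ups)
                for a, b in zip(ref, power_up(chip, cells, rng, noise)))
    return flips / (power_ups * len(cells))

def demo(seed=2017):
    rng = random.Random(seed)
    chip = make_chip(rng)
    stable = enroll(chip, rng)
    baseline = rng.sample(range(N_CELLS), KEY_BITS)   # randomly selected cells
    return flip_rate(chip, stable, rng), flip_rate(chip, baseline, rng), stable

if __name__ == "__main__":
    selected, random_cells, _ = demo()
    print(f"flip rate, remanence-selected: {selected:.4f}; random: {random_cells:.4f}")
```

In this model the selected cells sit more than three standard deviations from the balance point, which is why tripled noise does not flip them while randomly chosen cells near the balance point do flip.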
SRAM PUF MEASUREMENT RESULTS
This section shows detailed measurement results verifying that the stable cells selected using our proposed technique are indeed stable across different environmental and aging conditions.
Uniqueness of key
The maximum number of bits for encryption algorithms like AES, is usually 256 bits [3]. So, the target number of bits for our SRAM PUF based key generation is 256 bits.
256-bit keys generated from 4 different SRAM chips show an average inter-chip Hamming distance of 0.4935, confirming the uniqueness of the keys.
Note that the precise location of the stable bits is different in each SRAM chip.
Effect of power ramp up time and temperature
Note that during the SRAM power up, the state is resolved during the very beginning of the power supply ramp up, so the final power supply level will not affect the stability of the SRAM PUF.
Instead, the ramp up rate of the power supply may have an effect on the stability of the responses.
Effect of device aging
Bias temperature instability (BTI) is known to be the dominant aging mechanism in SRAM cells due to the low activity factor and DC stress nature [11,12]. BTI manifests as an increase in threshold voltage, and occurs when PMOS or NMOS transistors are biased with a negative or positive gate voltage.
Depending on the data stored in the SRAM cell during stress, BTI can either emphasize or de-emphasize the process variation induced mismatch.
Emphasizing the mismatch will harden the responses and make them more stable, while de-emphasizing the mismatch will have the opposite effect.
Since our goal is to verify the stability under the worst case condition, we stress the SRAM array with the power-up state which will decrease the mismatch between the two cross-coupled inverters.
The SRAM PUF responses of the selected 256/512/1024 most stable cells are read out every hour and the intra-chip Hamming distances are calculated against the fresh response.
We can see that the stable cells selected using the proposed technique are 100% stable throughout the entire stress experiment. TMV leads to 8% bit flips at the end of the 72 hour stress period, while the number of bit flips for randomly selected cells is 15%.