Circuit Authentication based on Ring-Oscillator PUFs

Susana Eiroa and Iluminada Baturone
Dept. Electronics and Electromagnetism (University of Seville)
Microelectronics Institute of Seville (IMSE-CNMS-CSIC)
Seville, Spain
{eiroa, lumi}@imse-cnms.csic.es

Abstract—The use of Ring Oscillator PUFs to provide circuit authentication is analyzed in this paper. The limitations of the previously reported approach in terms of false rejection (due to high intra-die variations) and false acceptance (due to small inter-die variations) are discussed. These limitations are overcome by a new proposal that does not increase considerably hardware complexity and, besides, provides lower power consumption and/or higher speed to achieve high security requirements. All these issues are illustrated with experimental results obtained with FPGAs from Xilinx.

I. INTRODUCTION

Nowadays, it is necessary to authenticate not only the person who uses a device (using secret keys, passwords, etc.) but also the device itself. This means that both the software and the hardware of the device (its circuitry) should be authentic. Circuit authentication consists in verifying the trustworthiness of the hardware. This is becoming so important that design-for-trust challenges are being defined (similarly to design-for-test challenges) [1]. The concept of authentication means a 1 to 1 validation, that is, a verifier validates that the circuit is the one it claims to be. Similarly, circuit identification is a 1 to N validation process because, in this case, a verifier identifies which of the N possible circuits the circuit is. Both procedures require a pre-verification stage usually called “enrollment” in which the unique and distinctive features (also called “template”) of the circuit have to be stored. In the case of authentication, only the template of the circuit to be authenticated must be stored, while in the case of identification the N templates must be recorded. In any case, the key point is to obtain a good template that allows distinguishing an authentic circuit from a fake one (impostor). A usual solution is to employ a template consisting of a digital number, also known as identification number or ID number [2]-[3].

Silicon Physical Unclonable Functions (PUFs) have been proposed as a cost-effective way to produce identifiers that exploit the random variability of the circuit fabrication process [5]. Exploiting the power consumption variability in different realizations of the same circuit, leakage-based PUFs have been proposed [2]. The different leakage current consumption of each circuit, which is an analog number, is translated into a digital ID number. However, such translation is complex and has a cost both in hardware and in power consumption, which may modify the ID itself. Memory-based PUFs such as SRAM and butterfly PUFs are based on the different start-up values of cross-coupled circuits [4]. The use of memory-based (cross-coupled NOR gates) PUFs for ID creation is described in [3]. This solution is very efficient in terms of readout speed and power consumption, but suffers from a lack of reliability, which can be improved by increasing the length of the ID, making a large number of readouts to reduce the noise, or increasing the signal to noise ratio of the circuit evaluation process. The delay variability in different physical realizations of the same circuit is exploited by arbiter and ring oscillator (RO) PUFs [6]. The basis for using these delay-based PUFs for circuit authentication is presented in [6]. In particular, the use of ring oscillator (RO) PUFs is receiving attention for its simplicity, reliability, and uniqueness [7]. Its main drawbacks are power consumption and dependence on, mainly, power supply variations [3], [8].

This paper proposes a new method to provide circuit authentication based on RO PUFs reducing the problems of power consumption and power supply variations. The paper is organized as follows. Section II reviews the basic RO PUF scheme employed for hardware authentication and illustrates its limitations with experimental results obtained with Spartan 3 FPGAs from Xilinx. Section III presents a new approach that provides better performance for authentication. This is also illustrated with experimental results. Finally, conclusions are given in Section IV.

II. USING RO PUFS FOR AUTHENTICATION

A. Basic RO PUF structure

Fig. 1 illustrates the delay PUF based on Ring Oscillators first proposed by Su et al. in [6]. The structure is composed of a group of identically laid-out ring oscillators. This way, the slight frequency difference of each ring oscillator is due to manufacturing variation of the physical device where the PUF is included. The procedure to obtain bit strings from these elements is to compare the frequencies between pairs of ring oscillators. The output bits from the same sequence of oscillator pair comparisons will vary from chip to chip. The circuit determines the difference between frequencies by using two counters that measure the number of oscillations during some fixed amount of time. The counter that counts the higher number of periods corresponds to the ring oscillator with the higher frequency. In order to determine the output of the PUF structure, a comparator is placed after the counters, in such a way that the resultant bit is ‘1’ if the upper oscillator in the floorplan has a higher frequency than the lower one, and ‘0’ otherwise. If $n$ pairs are compared, the bit string (ID number) obtained has $n$ bits.

The ID number generated in the authentication stage is compared with the template stored in the enrollment stage. Since they are digital numbers, such comparison is performed by calculating the Hamming Distance (HD). In order to allow a certain tolerance, a threshold is usually defined, so that, if the difference is below or equal to the threshold, the circuit is authenticated, while otherwise it is considered an impostor. A measure to determine the quality of an authentication process is to evaluate the values of the False Acceptance Rate (FAR) and False Rejection Rate (FRR). The ideal situation is to find a threshold so that both FAR and FRR are zero. On the one side, the ideal situation is that the ID number generated by the PUF is always the same (the PUF is completely reliable). Hence, the threshold can be selected as zero and a circuit is rejected if the HD with the template is bigger than zero. However, the PUF is not completely reliable. Such reliability is measured by the average intra-die HD, as follows ($x$ being the number of samples):

$$\text{Intradie\_dist} = \frac{1}{x} \sum_{j=1}^{x} \frac{\text{dist}(R_i, R'_{ij})}{n} \times 100 \quad (1)$$

Due to noise, temperature or power supply variations, the same pair of oscillators in the same device may output the opposite value in the authentication stage to that registered in the enrollment stage (‘1’ instead of ‘0’ or vice versa).

$$\text{Intradie\_dist} = \frac{1}{x} \sum_{j=1}^{x} \frac{\text{dist}(R_i, R'_{ij})}{n} \times 100 \quad (2)$$

The model used in [7] to analyze the total delay in a ring oscillator (which determines the behavior of the ring oscillator PUF) is the following:

$$d_{\text{ROI}} = d_{\text{AVG}} + d_{\text{PV}} + d_{\text{noise}} \quad (3)$$

The delay $d_{\text{AVG}}$ is the nominal delay of the ring oscillator, which depends on its components (more or fewer inverters, gates, etc.) and how they are distributed and interconnected. It is the same for all identically laid-out oscillators. The delay $d_{\text{PV}}$ is due to process variation. It may vary from one oscillator to another but it is static, that is, it is assumed to be constant over time in a given physical realization (neglecting possible ageing effects). The delay $d_{\text{noise}}$ represents a noisy and dynamic component that changes over time. The effect of noise can be removed by counting a large number of intervals because the mean of the noise is assumed to be zero. Hence, if noise is removed and identically laid-out oscillators are compared, differences in frequencies depend only on the fabrication process of the chip that includes the PUF. Assuming that variations in the fabrication process are random, this means that the average inter-die HD is ideally 50%.

However, the response of the Ring Oscillator PUF depends on the rest of the circuitry in the system, as described in [8]. This is mainly caused by the sensitivity of oscillation frequency to power supply variations within the chip. Hence the model in (3) should be refined as follows (neglecting noise):

$$d_{\text{ROI}} = d_{\text{AVG}} + d_{\text{PV}} + d_{\text{SYSTEM}} \quad (4)$$

Due to the influence of the system, it is quite common that responses of the PUF in different devices show bit aliasing, that is, there are bits in the ID numbers of different devices that always take the same value. The consequence of this phenomenon is a decrement in the value of the average inter-die distance. The problem is that if the inter-die distance decreases and the intra-die distance increases, the authentication process can fail, as illustrated in the following.

B. Experimental Results

In order to obtain the FAR and FRR curves and the distribution of the genuine and fake populations for the basic scheme of RO-based authentication described above, a set of measurements has been performed. A PUF made with a matrix of 32 identical Ring Oscillators has been implemented in a set of XC3S200 Spartan 3 FPGAs from Xilinx. The matrix has been placed in the center of the device, with the oscillators placed as close as possible to each other in order to avoid deterministic gradients in the variations of the fabrication process. Each ring oscillator has 4 inverters and 1 NAND gate that serves to enable it. It occupies one CLB (Configurable Logic Block), with the same occupation of slices (the placement is controlled by the synthesis) so as to ensure identical oscillators. The frequency of the enabled oscillator is measured by comparing the result of its associated counter with the count of a reference counter working at the board frequency of 50 MHz. The counter associated with the oscillators has 32 bits. It is stopped when the reference counter counts $2^{13}$ system clock cycles, which makes a total of 65.53 ms. The reason for using this long count time is to ensure noise removal so as to evaluate frequency changes due only to variations in the fabrication process.

Since the PUF behavior depends on the system where it is included, the PUF has not been studied alone (as reported in other works) but has been analyzed inside a whole security system, similar to that described in [9]. The system contains the PUF structure, a pseudo-random number generator of 32 bits based on non-linear feedback shift registers, and a short version of the Keccak [b=400] sponge hash function with line width of 8 bits and 18 rounds [10]. In order to avoid the possible influences of changes in the system, a single bit stream has been generated from the VHDL code of the whole system. This has been done using the ISE environment provided by Xilinx. The objective is to measure only the possible variations due to the fabrication process. The same bit stream has been loaded into 8 different FPGAs and the output values of the counters that measure the frequencies of the 32 oscillators have been recorded 8 times for each FPGA.

From each matrix of 32 oscillators, an ID number with 28 bits is obtained because 28 comparisons are performed. This ID is compared with the rest of IDs obtained from other measurements of the same FPGA (intra-die data) and from other FPGAs (inter-die data). The comparisons performed have been the following:

- **Intra-die data:** The number of intra-die comparisons for each device is 28. This is the number of different pairs that can be formed with 8 measurements of each device. As there are 8 devices, the genuine population of the authentication process is formed by $8 \times 28 = 224$ samples.

- **Inter-die data:** Each measurement of each device is compared with the 8 samples of the rest of the devices (64 comparisons between a pair of devices). Since 28 different pairs can be considered, the resulting comparisons form a population of $64 \times 28 = 1792$ samples. This forms the impostor population.

Fig. 2 shows the Hamming Distance of the genuine and impostor populations with respect to their templates. The average intra-die HD is 2.5% instead of 0% while the average inter-die HD is 30.62% instead of 50%. The maximum value of the intra-die HD is 14.29% while the minimum value of the inter-die HD is 10.71%. Hence, as the two populations overlap, there would always be a small probability of error in the authentication whichever threshold is chosen. This effect appears clearly represented in Fig. 3. The FAR and FRR overlap, showing the same value (EER, equal error rate) of 0.45% for a threshold of 14.2%. Such EER value can easily vary from 0.45% to 2% if there are variations in the power supply, temperature, etc.

The usual practice to avoid this problem is to employ more oscillator pairs to obtain more bits (64, 128, and 256 ring oscillators are employed in [7]). The problem with such a solution is the increase in power consumption. Using the Xilinx Xpower tool provided in the ISE environment, each oscillator shows a power consumption of around 20 µW. Another drawback can be the time needed to generate the ID number (which increases with the number of oscillators if bits are generated serially). Hence, the generation of a large ID number could be power hungry, noisy, slow, and possibly more vulnerable to side channel attacks. To avoid such problems, the novel proposal discussed in the following is not to employ more oscillator pairs but more bits per pair.

III. A NOVEL RO PUF-BASED AUTHENTICATION

The approach described above codifies the frequency difference between two oscillators with just one bit, because only the sign of such difference is codified. A drawback of such coarse quantization is, for example, bit aliasing: variations in the fabrication process can be masked by the influence of the elements surrounding the PUF. Such influence produces variations in the $V_{dd}$ that feeds the oscillators in such a way that one of the oscillators in the pair can always be faster than the other in all the devices [8]. The novel scheme proposed herein is to use the complete resolution of the frequency difference measurement. By using more bits of the counter that counts oscillations, better discrimination between devices can be obtained. In other words, the authentication is improved by using an adder-subtractor instead of a comparator to measure the frequency difference between oscillator pairs.

If the counter associated with a ring oscillator counts $\text{osc\_count}$ oscillations during the $2^{13}$ clock cycles of the
measured as follows:

\[ \text{freq}_{\text{RO}} = \text{osc\_count} \times \frac{50\text{MHz}}{2^{15}} \quad (5) \]

Subtracting two counts ($\text{osc\_count}_A$ and $\text{osc\_count}_B$), the frequency difference between two oscillators ($\text{diff}$) can be measured as follows:

\[ \text{diff} = (\text{osc\_count}_A - \text{osc\_count}_B) \times \frac{50\text{MHz}}{2^{15}} \quad (6) \]

These measurements have been evaluated with the same FPGA samples described in the previous section. The maximum value of $\text{diff}$ obtained for all the pairs has been 15.6 MHz. This means that:

\[ (\text{osc\_count}_A - \text{osc\_count}_B)_{\text{max}} = \frac{15.6 \times 2^{15}}{50} \quad (7) \]

Hence, 14 bits are enough to codify each $\text{diff}$. Considering, as in the previous section, 28 oscillator pairs, the ID number now has 28*14=392 bits (which means a template size of 49 bytes). The distance between the ID number generated in the enrollment stage and the 1792 samples of the impostor population versus such distance. The FAR and FRR are represented in Fig. 5. The dispersion of the genuine population is smaller than in the previous approach. Only a few samples force the use of a threshold of 0.61 MHz to achieve an FRR of zero. Even so, the FAR is zero. The proposed approach presents a security area of 0.61 MHz between the genuine and false populations. This represents a margin of 25.5% of the universe of discourse of the possible distances. Hence, it is possible not only to obtain a system with FAR and FRR equal to zero by choosing a threshold in the range of 0.61 MHz to 1.22 MHz but also, if the threshold is selected in the middle of this interval, to allow a variance of 0.305 MHz in both the genuine and the false populations while the FAR and FRR are still zero. This makes the authentication proposal robust against noise, temperature, and $V_{dd}$ variations.
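The one-bit scheme of Section II and the full-resolution scheme of Section III can be compared on the same data, as in this added example (not the authors' code or measurements). Counts are constructed from model (4) plus bounded noise; the 8x4 placement with vertically adjacent pairs, the mean-absolute-difference distance and all numeric values are assumptions, and the scale factor is the 50 MHz / 2^15 of equations (5)-(7).

```python
import random
from itertools import combinations

# All numeric values are constructed for illustration and expressed in counter counts.
F_SCALE = 50.0 / 2**15                    # MHz per count, the factor in eqs. (5)-(7)
N_DEV, N_MEAS, ROWS, COLS = 8, 8, 8, 4    # 32 ROs as an 8x4 matrix (layout assumed)
AVG, PV, SYS, NOISE = 160_000, 2000, 5000, 25

def simulate(seed=2024):
    """counts[dev][meas][row][col] = AVG + PV + SYSTEM + noise, after models (3)/(4)."""
    rng = random.Random(seed)
    data = []
    for _ in range(N_DEV):
        # Static process variation, drawn once per oscillator of each device.
        pv = [[rng.randint(-PV, PV) for _ in range(COLS)] for _ in range(ROWS)]
        # SYS speeds up row 0 on every device (same bit stream), which aliases 4 bits.
        data.append([[[AVG + pv[r][c] + (SYS if r == 0 else 0)
                       + rng.randint(-NOISE, NOISE) for c in range(COLS)]
                      for r in range(ROWS)] for _ in range(N_MEAS)])
    return data

def diffs(counts):
    """Upper-minus-lower count difference for the 28 vertically adjacent pairs."""
    return [counts[r][c] - counts[r + 1][c] for c in range(COLS) for r in range(ROWS - 1)]

def hd_percent(a, b):
    """Section II: one sign bit per pair, Hamming distance as a percentage of n."""
    return 100.0 * sum((x > 0) != (y > 0) for x, y in zip(a, b)) / len(a)

def dist_mhz(a, b):
    """Section III: full-resolution diffs; mean absolute difference in MHz (assumed metric)."""
    return F_SCALE * sum(abs(x - y) for x, y in zip(a, b)) / len(a)

def populations(data, metric):
    """Genuine (same device) and impostor (different devices) distance populations."""
    ids = [[diffs(m) for m in dev] for dev in data]
    genuine = [metric(a, b) for dev in ids for a, b in combinations(dev, 2)]
    impostor = [metric(a, b) for d1, d2 in combinations(ids, 2) for a in d1 for b in d2]
    return genuine, impostor

def far_frr(genuine, impostor, threshold):
    """Accept when distance <= threshold; return (FAR %, FRR %)."""
    far = 100.0 * sum(d <= threshold for d in impostor) / len(impostor)
    frr = 100.0 * sum(d > threshold for d in genuine) / len(genuine)
    return far, frr

if __name__ == "__main__":
    data = simulate()
    for name, metric in (("1-bit HD (%)", hd_percent), ("diff distance (MHz)", dist_mhz)):
        g, i = populations(data, metric)
        print(f"{name}: genuine max {max(g):.2f}, impostor min {min(i):.2f}, "
              f"impostor mean {sum(i) / len(i):.2f}")
```

With four aliased pairs the mean inter-die HD of the sign-bit IDs cannot reach the ideal 50%, while the full-resolution distance keeps the device-specific variation of those same pairs.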

IV. CONCLUSIONS

The new approach for hardware authentication based on RO PUFs improves the results of previously reported approaches because it achieves not only false acceptance rate (FAR) and false rejection rate (FRR) of zero per cent but also enough error margin to be robust against noise, temperature, and $V_{dd}$ variations. In addition, it requires a smaller number of ring oscillators, which means that authentication is performed with less power consumption and higher speed. All these advantages are obtained with no substantial increment in the size and complexity of the hardware required. This has been illustrated with experimental results from FPGAs from Xilinx.

REFERENCES