## Invasive PUF Analysis

Dmitry Nedospasov Clemens Helfmeier Jean-Pierre Seifert Christian Boit Technische Universität Berlin Chair for Security in Telecommunications (SECT) and Chair for Semiconductor Devices (HLB)

Fault Diagnosis and Tolerance in Cryptography



picture by Wikimedia/John L. Wiley http://flickr.com/jw4pix



#### The SRAM PUF Idea

## SRAM PUF – basic idea

SRAM cell logic:



Apply power to SRAM, inverters get compared.



## PUF response generated

- noise background makes error correction required
- SRAM is already built-in to most devices



## Cloning SRAM PUFs The Clone **29AM Procedure – Episode I**



## 1. Characterization



# 2. Manufacturing (HOST 2013)

picture by Wikimedia/Eva Rinaldi

Invasive PUF Analysis

HOST 2013 3 / 22



#### **Cloning SRAM PUFs**

## Backside FIB trimming





C. Helfmeier et. al., HOST 2013: Cloning Physically Unclonable Functions

Nedospasov, Helfmeier, Seifert, Boit

Invasive PUF Analysis





- 2 Experimental Setup
- The Seebeck Effect on CMOS Devices
- 4 Results on SRAM PUF & Register Logic

## 5 Impact









- $\alpha$  is the Seebeck coefficient.
- $\blacktriangleright~\alpha_{\rm metal}:~0.001\,{\rm mV}\,{\rm K}^{-1}$  to  $0.01\,{\rm mV}\,{\rm K}^{-1}$
- $\alpha_{\text{silicon}}$ :  $0.2 \,\mathrm{mV} \,\mathrm{K}^{-1}$  to  $0.4 \,\mathrm{mV} \,\mathrm{K}^{-1}$





- $\alpha$  is the Seebeck coefficient.
- $\blacktriangleright~\alpha_{\rm metal}:~0.001\,{\rm mV}\,{\rm K}^{-1}$  to  $0.01\,{\rm mV}\,{\rm K}^{-1}$
- $\alpha_{\text{silicon}}$ :  $0.2 \,\mathrm{mV} \,\mathrm{K}^{-1}$  to  $0.4 \,\mathrm{mV} \,\mathrm{K}^{-1}$





- $\alpha$  is the Seebeck coefficient.
- $\blacktriangleright~\alpha_{\rm metal}:~0.001\,{\rm mV}\,{\rm K}^{-1}$  to  $0.01\,{\rm mV}\,{\rm K}^{-1}$
- $\alpha_{\text{silicon}}$ :  $0.2 \,\mathrm{mV} \,\mathrm{K}^{-1}$  to  $0.4 \,\mathrm{mV} \,\mathrm{K}^{-1}$





























- absorption at source and drain significant
- large Seebeck voltage generated only in silicon
- additional voltage generated at illuminated drain contacts



#### Seebeck Effect on CMOS Gates













#### Seebeck Effect on CMOS Gates





## **MOS Transistor Output Characteristic**



output voltage



## **MOS Transistor Output Characteristic**





#### Seebeck Effect on CMOS Gates













**MOS Transistor Transfer Characteristic** 

linear





**MOS Transistor Transfer Characteristic** 

logarithmic linear log. output current log  $l_{
m D}$ output current  $\mathit{l}_{\mathrm{D}}$   $[\mu\mathrm{A}]$ 1 μA 50 25  $\Delta I$ "off"  $sub-V_{TH}$ operation 0 10 pA 0 V $V_{\text{TH}}$  $\frac{1}{2}V_{\rm DD}$ 0 V $V_{\rm TH}$  $\frac{1}{2}V_{\rm DD}$ input voltage  $U_{GS}$ input voltage  $U_{CS}$ 

















- stimulation at transistor in on state
- measurement at transistor in off state
- sub- $V_{TH}$ -operation: very low currents need to be measured
- works with all CMOS logic gates though more complex









# Results on SRAM PUF & Register Logic **SRAM (PUF) Characterization**





## Results on SRAM PUF & Register Logic Increased SRAM size

#### full image

#### enlarged section



► ATMega328P SRAM PUF PoC implementation, ≈ 600 nm
 ► ≈ 500 × 8 bit of SRAM, single trace



## Results on SRAM PUF & Register Logic Shrinking Technology

#### full image

#### enlarged section



- ▶ ATXMega128A1 SRAM PUF PoC implementation,  $\approx 300 \, \mathrm{nm}$
- $\approx$  900  $\times$  8 bit of SRAM, single trace



## Results on SRAM PUF & Register Logic Reading Synthesized Logic





## Results on SRAM PUF & Register Logic Reading Synthesized Logic





#### Impact

#### Semi-Invasive Memory Reading



- Memory Encryption Decryption (MED) unit of Infineon SLE66PE
- halted by reduced power supply  $(0.7 \,\mathrm{V})$
- SRAM retains contents but reset prevents erasure



## Impact Clone **CRAR** – **Episode II**

## Requirements

- circuit at least partly powered
  - connect device, be careful with light, sensors, etc.
- static, no running clock
  - clock: invasively control, reduce supply voltage, ...
  - reset: prevent data erasure, only required for registers
- Iow and constant current consumption
  - destructively disconnect loads, reduce supply voltage, ...

#### Benefits

- extract logic state of SRAM and register in single trace
- scalable to huge areas



## Summary

## Clone **ZRAM** – Episode II

#### SRAM

- we know whats in there
- PUF: very easy characterization
- Register
  - we can find out what's in there
  - PUF: well ... just as SRAM
  - as part of other type of PUF: better but still vulnerable
- PUFs are only part of the system



# Thank you for your attention!

#### This work has been supported by:



picture by Arne Hückelheim FDTC 2013 21 / 22

Nedospasov, Helfmeier, Seifert, Boit

Invasive PUF Analysis



## **6T-Cell SRAM Layout**

