

# *Design of a hardware Root-of-Trust on embedded systems*

**Eros Camacho-Ruiz**

## **Supervisors:**

Dr. Piedad Brox Jiménez

Prof. Francisco Vidal Fernández Fernández

Sevilla, March 13th 2024

# Introduction

Cybersecurity

Information  
security



**NIST**  
National Institute of  
Standards and Technology  
U.S. Department of Commerce



# Introduction

## Hypothesis

Contributing to improve the security of information using hardware solutions in IoT environments where restrictions are usually stronger.

## How ?

Proposing a Root-of-Trust composed of different modules that have been designed separately.

Use Cases to demonstrate the feasibility of the dissertation

# Overview



# What is a PUF ?

***Physical Unclonable Function  
(PUF)***



***Key Obfuscation***



***Device identification***



# What is a PUF ?

## Response Characteristics

### Unique



### Unpredictable



### Reliable



# A novel RTN-based PUF

Patent: WO/2023/202843

MÉTODO Y DISPOSITIVO PARA FUNCIÓN FÍSICA  
NO CLONABLE (PUF) BASADA EN RUIDO  
TELEGRÁFICO ALEATORIO (RTN)

## ***Random Telegraph Noise (RTN)***

***Low biasing voltages → Prevent aging***



***Handle the RTN***

***Maximum Parameter  
Fluctuation  
(MPF)***



**Cumulative difference between the  
maximum and the minimum in a time  
interval of a drain  
CURRENT / VOLTAGE trace**

# A novel RTN-based PUF: Schematic



# A novel RTN-based PUF: Architecture



# A novel RTN-based PUF: Metrics

## Probability

$$P = \max\left( n_0/L, n_1/L \right)$$

Number of zeros/ones  $\rightarrow n_0 / n_1$

Number of measurements  $\rightarrow L$

## Metrics



## Bit Selection Method

# A novel RTN-based PUF: Evaluation

## *Evaluation*



## *Low-level design*

Is it feasible to build a PUF based on RTN?

How sizes and biasing conditions can alter the PUF performance?

How non-idealities of the circuitry needed to get the response can affect the PUF performance?

**Differential Current mode**

# A novel RTN-based PUF: Evaluation #1

***Is it possible to obtain a reliable response from this PUF?***

**Comparing with similar area PUFs**

**32-bit response**

|                               | [7] Mispan, IEE E Prime 2015 | [8] Mispan, IOLT S 2016 | [9] Zhuang, IEE E TCAS I, 2020 | This diss.   |
|-------------------------------|------------------------------|-------------------------|--------------------------------|--------------|
| <b>Reliability (%)</b>        | 91.58                        | -                       | 94.2                           | <b>99.8</b>  |
| <b>HD<sub>inter</sub> (%)</b> | 50.23                        | 49.9                    | 49.9                           | <b>49.99</b> |
| <b>HW (%)</b>                 | -                            | 53.94                   | 53.94                          | <b>50.09</b> |

**Comparing with similar quality metrics PUFs**

**128-bit response**

|                               | [14] Yoshinaga ISCAS 2016 | [12] Santana-Andreo, Integration, 2022 | This diss.   |
|-------------------------------|---------------------------|----------------------------------------|--------------|
| <b>Reliability (%)</b>        | 99.99                     | 99.99                                  | <b>99.99</b> |
| <b>HD<sub>inter</sub> (%)</b> | 48.0                      | -                                      | <b>49.97</b> |
| <b>HW (%)</b>                 | -                         | 50                                     | <b>49.96</b> |
| <b>Technology</b>             | 65-nm                     | 65-nm                                  | 65-nm        |
| <b>Number of transistors</b>  | 34,816<br>(2,048 17T-ROs) | 4,992<br>(832 6T-SRAM cells)           | <b>2,286</b> |

# A novel RTN-based PUF: Evaluation #2

***How sizes and biasing conditions can alter the PUF performance?***

↑ Larger Transistors  
↑ Stable Pairs

↓ Smaller Transistors  
↓ Area Cost per Bit

**OPTIMUM BIASING**  
 $|V_{GS}| = 0.8 \text{ V}$  &  $|V_{DS}| = 1.2 \text{ V}$

**OPTIMUM SIZE**  
 $80 \times 60 \text{ nm}^2$

# A novel RTN-based PUF: Evaluation #3

***How non-idealities of the circuitry needed to get the response can affect the PUF performance?***

**Non-idealities of the circuitry can affect the performance of the PUF**

**MCF Extractor and Comparator must be carefully designed**

**The on-resistance and off-resistance of the transistor selector can affect the performance**

# Low-level design of the RTN-based PUF

Evaluation



Low-level design

Analog design flow

Differential Voltage mode

1. Avoiding potential issues in current sensing
2. Examination of different ICC in CC method can improve the PUF quality.
3. In case aging impacts the PUF, adjusting voltage levels is a simple task.

# Low-level design: floorplan



# Low-level design: array design

**4,096 transistors**



**OPTIMUM SIZE**

$$L = 100\text{nm}$$

$$W = 2\mu\text{m}$$

$$t_{\min} = 10\text{us}$$

Voltage to ASB

Phase A:  
transistor #1 is  
being used to  
obtain the  
response

At time  $t=t_s$ , Phase B is active:  
transistor #2 is selected to  
obtain a new response bit

VD#2

The ASB can process  
the entropy source  
when the voltage is  
stable here

VD#1

Time

$t_s$

$th_1$

$th_2$

$th_3$

# Low-level design: ASB design



| <i>Circuit</i> | <i>Static Error (mV)</i> |          |
|----------------|--------------------------|----------|
|                | $\mu$                    | $\sigma$ |
| $PDH_{MAX}$    | 0.5319                   | 0.141    |
| $PDH_{MIN}$    | 0.8405                   | 0.250    |



# Low-level design: ASB design



# Low-level design: ASB design



## Comparator design



# Low-level design: ASB design



# Low-level design: Milestone - I

## MILESTONE-I

An RTN-based PUF in UMC 65nm

### Primary PUF

A 4096 unit cell PUF, each cell containing:

- CMOS transmission gate
- Transistor (entropy source)
- Digital selection

### Secondary PUF

Same as the Primary 4096 PUF

### Bias and ICC generation

ICC: current used to bias the Transistors, apply the constant-current method and extract the RTN-based entropy



### Test section

Containing:

- A smaller version of the primary PUF (1024 Array).
- 2 ASB systems
- Accelerated aging capabilities

# Hash Functions



# Hash Functions

- 
- Competitive trade-off between time and area
  - Comparison with the SATO
  - Design of a highly configurable IP: AXI4-Lite
  - Drivers to use the IP module
  - ASIC implementation of the SHA-256

## SHA-2 Core



## Message Schedule



## SHA-2 IP



# SHA-2

| <b>Ref</b>        | <b>Platform</b> | <b>SHA-2 ver.</b> | <b>Area<br/>(Slices)</b> | <b>Frequency<br/>(MHz)</b> | <b>Throughput<br/>(Gbps)</b> | <b>Efficiency<br/>(Mbps/Slice)</b> |
|-------------------|-----------------|-------------------|--------------------------|----------------------------|------------------------------|------------------------------------|
| [89]              | Virtex          | SHA-256           | 755                      | 174.00                     | 1.370                        | 1.830                              |
| [90]              | Virtex          | SHA-256           | 6136                     | 35.10                      | 2.077                        | 0.338                              |
| [91]              | Virtex-5        | SHA-256           | 387                      | 202.54                     | 1.580                        | 4.190                              |
| [92]              | Virtex-4        | SHA-256           | 610                      | 170.75                     | 1.345                        | 2.200                              |
| [93]              | Virtex-5        | SHA-256           | 1895                     | 411.30                     | 3.290                        | 1.740                              |
| <b>This diss.</b> | <b>Virtex-7</b> | <b>SHA-256</b>    | <b>282</b>               | <b>191.13</b>              | <b>1.630</b>                 | <b>5.784</b>                       |
| [89]              | Virtex          | SHA-512           | 1667                     | 141.00                     | 1.780                        | 1.010                              |
| [91]              | Virtex-5        | SHA-512           | 874                      | 176.06                     | 2.200                        | 2.580                              |
| [94]              | Virtex-5        | SHA-512           | 1080                     | 129.00                     | 0.826                        | 0.765                              |
| <b>This diss.</b> | <b>Virtex-7</b> | <b>SHA-512</b>    | <b>576</b>               | <b>173.52</b>              | <b>2.221</b>                 | <b>3.856</b>                       |

## SHA-2 IP Interface



| <b>SHA-2</b>       | <b>Message Length</b>  |                        |
|--------------------|------------------------|------------------------|
| <b>Instance</b>    | <b>&lt; Block Size</b> | <b>&gt; Block Size</b> |
| <b>SHA-224</b>     | x0.68                  | x0.87                  |
| <b>SHA-256</b>     | x0.67                  | x0.87                  |
| <b>SHA-384</b>     | x1.54                  | x2.35                  |
| <b>SHA-512</b>     | x1.44                  | x2.32                  |
| <b>SHA-512/224</b> | x1.64                  | x2.35                  |
| <b>SHA-512/256</b> | x1.64                  | x2.37                  |

# SHA-256 low-level design



1. Inferring registers and memory cells instead of BRAMs.
2. Adding an interface

# SHA-256 low-level design



| Module                | Cell Count (GE) | Cell Area( $\mu\text{m}^2$ ) | Net Area( $\mu\text{m}^2$ ) | Total Area( $\mu\text{m}^2$ ) |
|-----------------------|-----------------|------------------------------|-----------------------------|-------------------------------|
| <b>SIFO</b>           | 261             | 1317.240                     | 742.423                     | <b>2059.663</b>               |
| <b>PISO</b>           | 516             | 2507.400                     | 1479.523                    | <b>3986.923</b>               |
| <b>Control</b>        | 52              | 181.440                      | 2594.252                    | <b>2775.692</b>               |
| <b>SHA-256 (Core)</b> | 19350           | 118787.400                   | 70292.775                   | <b>189080.175</b>             |
| <b>Total</b>          | 20179           | 122793.480                   | 75108.973                   | <b>197902.453</b>             |



# SHA-256 low-level design tests

## NIST Test Vector

```
##### TEST NIST: 10 #####
LENGTH: 80
MSG: 74cb9381d89f5aa73368
HASH_NIST: 73d6fad1caaa75b43b21733561fd3958bdc555194a037c2addec19dc2d7a52bd
HASH_SHA2: 73d6fad1caaa75b43b21733561fd3958bdc555194a037c2addec19dc2d7a52bd
```

CORRECT

```
##### TEST NIST: 69 #####
LENGTH: 4472
MSG: 9d64d891d99bb8aba23a29a8f69b32482714e031d31dde3317b046d000f6b7fc421fa8212d91fb66dc46d531\eeafdf5ea40302a215351f746c0c42523ba5a3e98bb7b13870d04bf3e0e13425c4fdc11a505ed57c90a90fbc447242b3ee032\68a29594dd73c705808efc16a059e08dd118b4a34f178175151760de963f89d34c92b12e9b58ace694fadd73a576193b80bf\ed0074bf5074cfba9e21da980fb366f39e76d1b8073e88ebf2d8d623827bad051f736d02e02688185fbc7ccaea69244fae2c\15146e63b8ed0cb496f494b4b272bc8aac94c8f0dadb45fd015ab25b210170acd9f05afcc1786b758c6bc87d3d93449497d7\637a345db161ecc9f00fc9b37677a4de55701f189fba0afba63baaf1584fc36d5819212a5299b39b2c0daad0302aea20d654\4e3829f0b726b68686e7681ac3a91f543dc79f2da30aecb30d23e252e7a661fcb619a98056f61d46e1fe473fd3d11b1c6bb\c80be54d20cee843e0f4f65d7d49032f523e6a4830abacf56de9f46bd7c86865ad4359230a9f5dafc928b61c9456a1fbf142\7a53cb82dff264eb2de7f9feaf739a47aa64c4a2fd70772f026a33cf1451e852a9e47ae083a159f62e23c0cae8402f775d84\f77044204b765fb8e418d6ccb7dd7dacc74b148cbda95991f4c3cf65dd60e6f61b8dce59e6ad127b2dda65b3d0416a0f4939\2f1f107354c4de6fa14f1482db5a9961f867b921ef33697a4db4d22cf37e69211fd2f2c2944f16252a86755baf0509835ee4\33733a743f8f0b493e0eae8cb
HASH_NIST: db593a375cb27df689cd78b5154949e5bc30094a05d704c0295d547385176662
HASH_SHA2: db593a375cb27df689cd78b5154949e5bc30094a05d704c0295d547385176662
```

CORRECT

# SHA-3



- SHA-3 family has relatively fewer implementation costs and is much faster
- SHA-3 family is noted as PQC primitive
- SHA-3 is based in the Keccak algorithm

# SHA-3



# SHA-3

## SHA-3 IP



# SHA-3

| <b>Ref</b>        | <b>Platform</b>  | <b>SHA-3 ver.</b> | <b>Area<br/>(Slices)</b> | <b>Throughput<br/>(Gbps)</b> | <b>Efficiency<br/>(Mbps/Slice)</b> |
|-------------------|------------------|-------------------|--------------------------|------------------------------|------------------------------------|
| [88]              | Virtex-6         | SHA3-512          | 1406                     | 16.51                        | 11.47                              |
| [107]             | Virtex-6         | SHA3-512          | 2296                     | 18.78                        | 8.17                               |
| [110]             | Virtex-5         | SHA3-512          | 1163                     | 7.80                         | 6.06                               |
| <b>This diss.</b> | <b>Virtex-7</b>  | <b>SHA3-512</b>   | <b>1456</b>              | <b>17.97</b>                 | <b>12.34</b>                       |
| [109]             | Virtex-7         | SHA3-256          | 1618                     | 20.08                        | 12.90                              |
| [108]             | Virtex-7         | SHA3-256          | 1418                     | 14.30                        | 11.97                              |
| <b>This diss.</b> | <b>Virtex-7</b>  | <b>SHA3-256</b>   | <b>1566</b>              | <b>29.25</b>                 | <b>18.68</b>                       |
| [111]             | Zynq-7000        | SHA3-224          | 1424                     | 12.8                         | 8.98                               |
| <b>This diss.</b> | <b>Zynq-7000</b> | <b>SHA3-224</b>   | <b>1577</b>              | <b>30.00</b>                 | <b>19.02</b>                       |

# SHA-3

## SHA-3 IP Interface



### SHA-3

#### *Instance*

#### *Message Length*

#### *< Block Size*

#### *> Block Size*

|                 |       |        |
|-----------------|-------|--------|
| <b>SHA3-224</b> | x6.23 | x10.89 |
| <b>SHA3-256</b> | x6.41 | x11.71 |
| <b>SHA3-384</b> | x6.77 | x14.54 |
| <b>SHA3-512</b> | x7.33 | x19.93 |
| <b>SHAKE128</b> | x2.80 | x8.18  |
| <b>SHAKE256</b> | x3.07 | x9.64  |

# Post-Quantum Cryptography

## Quantum Computers



# Post-Quantum Cryptography



**OpenSSL**  
Cryptography and SSL/TLS Toolkit



Implementing the polynomial multiplier in HW

NTRU (IEEE 1363.1)

Accelerating N cycles when a 0 is found in the blind polynomial

Can we use this strategy with NTRU Round-3 ?

The number of non-zeros of the blind polynomial is not constant

Disclosing information that has to be hided through **timing attacks**

NTRU (Round-3)

New Strategy

Confident Limit



# PQC: NTRU

$$e(x) = (h(x) \times r(x) + m(x)) \bmod q$$



| Coefficient value | Control Signal  | Output AU                       |
|-------------------|-----------------|---------------------------------|
| $r_j$             | $[r_j^1 r_j^0]$ |                                 |
| 0                 | 00              | $c_{k-1} = c_k$                 |
| 1                 | 01              | $c_{k-1} = c_k + h_i$           |
| -1                | 11              | $c_{k-1} = c_k + \bar{h}_i + 1$ |

Parallelization strategy



## IP Interface



| N   | max <sub>coef</sub> | Max. Eff. | M  | LUTs | FFs | BRAM | Acc. (x) |
|-----|---------------------|-----------|----|------|-----|------|----------|
| 509 | 400                 | LUT       | 4  | 285  | 119 | 4.5  | 20.67    |
|     |                     | FF        | 7  | 437  | 124 | 7.5  | 30.28    |
|     |                     | BRAM      | 8  | 584  | 205 | 4.5  | 32.81    |
| 509 | 509                 | LUT       | 6  | 348  | 105 | 6.5  | 23.40    |
|     |                     | FF        | 7  | 399  | 106 | 7.5  | 26.00    |
|     |                     | BRAM      | 8  | 556  | 187 | 4.5  | 28.35    |
| 677 | 516                 | LUT       | 8  | 476  | 128 | 8.5  | 37.46    |
|     |                     | FF        | 10 | 582  | 133 | 10.5 | 43.08    |
|     |                     | BRAM      | 11 | 801  | 251 | 6.0  | 45.49    |
| 677 | 677                 | LUT       | 8  | 451  | 108 | 8.5  | 31.23    |
|     |                     | FF        | 10 | 558  | 113 | 10.5 | 36.40    |
|     |                     | BRAM      | 11 | 773  | 231 | 6.0  | 38.64    |
| 821 | 625                 | LUT       | 8  | 510  | 129 | 8.5  | 40.06    |
|     |                     | FF        | 12 | 713  | 133 | 12.5 | 51.89    |
|     |                     | BRAM      | 13 | 981  | 287 | 7.0  | 54.25    |
| 821 | 821                 | LUT       | 8  | 481  | 109 | 8.5  | 32.94    |
|     |                     | FF        | 12 | 679  | 113 | 12.5 | 43.74    |
|     |                     | BRAM      | 13 | 929  | 267 | 7.0  | 45.99    |
| 701 | 533                 | LUT       | 6  | 433  | 130 | 6.5  | 32.26    |
|     |                     | FF        | 10 | 634  | 133 | 10.5 | 43.54    |
|     |                     | BRAM      | 11 | 881  | 273 | 6.0  | 46.32    |
| 701 | 701                 | LUT       | 6  | 403  | 110 | 6.5  | 25.52    |
|     |                     | FF        | 10 | 605  | 113 | 10.5 | 36.62    |
|     |                     | BRAM      | 11 | 854  | 253 | 6.0  | 39.18    |

# PQC: NTRU SCA

| Coefficient value<br>$r_j$ | Control Signal<br>$[r_j^1 r_j^0]$ | Output AU                       |
|----------------------------|-----------------------------------|---------------------------------|
| 0                          | 00                                | $c_{k-1} = c_k$                 |
| 1                          | 01                                | $c_{k-1} = c_k + h_i$           |
| -1                         | 11                                | $c_{k-1} = c_k + \bar{h}_i + 1$ |

Can that lead somehow to a leak of information ?

Single Power Analysis (SPA)



There is leakage of information



Applying countermeasures ...



# PQC: NTRU SCA

## First Countermeasure



## Second Countermeasure



## Third Countermeasure

**Not using 0's in the multiplication operation**

More closer ...



# Proof-of-Concept



# PoC: HMAC



```
root@pynq:/home/xilinx/HMAC_v2# ./HMAC -m 0123456789 -t -s 4
--- HMAC (SHA3-512) ---
--- ID: 64000 ---

key (l=128):
8b6a3d58f5a47386a10e57042ab7080f

hmac_hw:
df8cf65eaf693d6631d8bcd2402a9cdf5d8e5e5a1875fc05171f9df06667
0ad40ac4110c2d72605a44dba10a395412bf361008ab750b5f8c48b05f01f984

hmac_sw:
df8cf65eaf693d6631d8bcd2402a9cdf5d8e5e5a1875fc05171f9df06667
0ad40ac4110c2d72605a44dba10a395412bf361008ab750b5f8c48b05f01f984

HW Time:      ( 154 us.)
SW Time:      ( 1088 us.)
Acc.:          7.06
```

# PoC: NTRU



```
root@pynq:/home/xilinx/NTRU_3Round_DEMO# ./Demo_509 -k -v 1
--- HARDWARE INITIALIZATION ---
Generating keys ...
Generating random seed ... --- ID: 64000 --- Complete
Seed: 0ac419a81eb21924a30f7729a07a2c879e8055dbb30e3ad21c4913c0b4e8ba3a1ec31e7205642d6f66c9fde398a7245c
Complete
Storing keys ... Complete

root@pynq:/home/xilinx/NTRU_3Round_DEMO# ./Demo_509 -e -v 1
--- HARDWARE INITIALIZATION ---
Loading public key ... Complete
Generating shared secret and ciphertext in SW and HW/SW...
Performing SHA3-256 in HW ... Complete
Complete

Time SW: 14906 us.
Time HW: 2208 us.
Acceleration: 6.750906

Storing ciphertext ... Complete
ss: fba94ea952da1c062cfb1a3d3340f075d49acdd0e6ceb3f055a435b6243eef4e
root@pynq:/home/xilinx/NTRU_3Round_DEMO# ./Demo_509 -d -v 1
--- HARDWARE INITIALIZATION ---
Loading secret key ... Complete
Loading ciphertext ... Complete
Recovering shared secret in SW and HW/SW...
Performing SHA3-256 in HW ... Complete Complete

Time SW: 45425 us.
Time HW: 32515 us.
Acceleration: 1.397048

ss_SW: fba94ea952da1c062cfb1a3d3340f075d49acdd0e6ceb3f055a435b6243eef4e
ss_HW: fba94ea952da1c062cfb1a3d3340f075d49acdd0e6ceb3f055a435b6243eef4e
```

# Conclusions

The establishment of a hardware RoT significantly bolsters the security of an embedded system. This enhancement is not only robust but also efficient, making it a critical component in the design of secure systems. The considerations for implementation within the framework of the IoT have led to a streamlined design of the RoT. This design is mindful of the constraints of IoT devices, particularly the size of transistors or the occupancy of logic resources in terms of FPGA implementations. The result is a compact yet powerful RoT that fits within the limited resources of IoT devices while providing robust security. In addition to the primary conclusion, there are several other insights extracted from this dissertation. These insights shed light on various aspects of the cryptosystem and contribute to our understanding of its design and implementation. They serve as valuable outcomes that can guide future research and development in this field. These conclusions are:

# Conclusions

1. Taking inspiration of the CIA triad as model designed to guide policies for information security, the design of a RoT that encompasses a set of crypto primitives is a suitable solution. The approach taken in this dissertation is primarily from a hardware-oriented perspective. This proposed RoT has included a PUF, which can be used as an identifier generator. They also incorporate hash functions, represented by SHA-2 and SHA-3, which are essential for ensuring data integrity. Moreover, it includes a cryptographic primitive that can securely accelerate the computation of PQC algorithms. One such PQC algorithm is NTRU, which is known for its security and efficiency. The integration of these components within a RoT provides a robust and secure hardware solution for addressing the principles of the CIA Triad in the IoT framework.

# Conclusions

2. The initial module developed in this dissertation was a PUF based on a typically undesirable phenomenon known as RTN. Several architectures were proposed in which, basically, the response of the PUF is obtained comparing one metric that encapsulate all the RTN information, the MPF. The initial stages involved designing and evaluating the PUF from a software perspective, which included conducting several simulations. Once positive results were obtained from these simulations, the next phase involved integrating this PUF into an ASIC. This process followed an analog design flow, culminating in the creation of the first silicon-based RTN-PUF, referred to as MILESTONE-I. The successful results of this endeavor led to the filing of an international patent.

# Conclusions

3. The following modules developed were those associated with hash functions. After studying the mathematical background of both selected hash functions (SHA-2 and SHA-3), the first step involved implementing the RTL in an FPGA. To this end, a comprehensive set of parameters was incorporated into the integration of these hash functions into IP modules, allowing the implementation of any of the hash versions collected in the standards. One of these designs, specifically SHA-256, was chosen for integration into an ASIC, following a fully digital design flow.

# Conclusions

4. The final module that was developed was related to the acceleration of one of the algorithms selected by NIST in the third round of the PQC contest: the NTRU. In that algorithm, the critical component is the polynomial multiplication. To address this, a RTL design was developed, incorporating all the parameter sets outlined in the documentation. Consideration was given not only to performance but also to potential information leakage associated with timing and power attacks. The results demonstrated that it is feasible to enhance the speed of the algorithm while adding an additional layer of security against SCAs.

# Conclusions

5. Lastly, a final design of the RoT was proposed, integrating all modules into a single hardware platform. This comprehensive design was evaluated in various scenarios, demonstrating the reusability of each module. The results were highly promising, underscoring the effectiveness of this integrated approach in enhancing the security and efficiency of the embedded systems.

IMSE  
-cnm



Instituto de  
Microelectrónica  
de Sevilla

# Introduction



# Introduction



<https://www.enisa.europa.eu/publications/good-practices-for-security-of-iot-1/@@download/fullReport>



<https://www.enisa.europa.eu/publications/guidelines-for-securing-the-internet-of-things/@@download/fullReport>

# Introduction



<https://qubip.eu/>

# Introduction



# PUF: Architecture



(a) Current-mode configuration comparing with a reference.



(b) Current-mode configuration comparing with another transistor.



(c) Voltage-mode configuration comparing with a reference.



(d) Voltage-mode configuration comparing with another transistor.

# PUF: Bit Selection Method and Metrics



$$HD_{intra} = \frac{1}{m} \sum_{t=1}^m \frac{HD(R_i, R'_{i,t})}{n} \times 100\%$$

$$HD(x,y) = \sum_{j=1}^l |x_j - y_j|$$

$$HD_{inter} = \frac{2}{k(k-1)} \sum_{i=1}^{k-1} \sum_{j=i+1}^k \frac{HD(R_i, R_j)}{n} \times 100\%$$

$$HW = \frac{1}{n} \sum_{l=1}^n r_{i,l} \times 100\%$$