mrPUF: A Novel Memristive Device Based Physical Unclonable Function

Abstract

Physical unclonable functions (PUFs) exploit the intrinsic complexity and irreproducibility of physical systems to generate secret information. They have been proposed to provide higher level security as a hardware security primitive. Notably PUFs are an emerging and promising solution for establishing trust in an embedded system with low overhead with respect to energy and area. Most current PUF designs traditionally focus on exploiting process variations in CMOS (Complementary Metal Oxide Semiconductor) technology. In recent years, progress in nanoelectronic devices such as memristors has demonstrated the prevalence of process variations in scaling electronics down to the nano region. In this paper we exploit the extremely large information density available in the nanocrossbar architecture and the large resistance variations of memristors to develop on-chip memristive device based PUF (mrPUF). Our proposed architecture demonstrates good uniqueness, reliability and improved number of challenge-response pairs (CRPs). The proposed mrPUF is validated using nanodevices characteristics obtained from experimental data and extensive simulations. In addition, the performance of our mrPUF is compared with existing memristor based PUF architectures. Furthermore, we analyze and demonstrate the improved security with respect to model building attacks by expounding upon the inherent nature of nanocrossbar arrays where we use the independence between nanocrossbar columns to generate responses to challenges.

1 Introduction

Modern security systems establish the authenticity of products or identity of users based on the principle of protecting ‘keys’ required for securing systems and allowing secret key to be obtained solely by authorized participants. However, developments in invasive and non-invasive physical tampering methods such as micro-probing, laser cutting, and power analysis and monitoring have made it possible to extract digitalized secret information from integrated circuits (ICs), and consequently compromising conditional access systems by using illegal copies of the secret information. Tamper proofing techniques used in smartcards to protect the secret keys such as cutting power or tripping tamper-sensitive circuitry that leaks the secret information have shown to be vulnerable to physical attacks [1]. For instance, an adversary can remove a smartcard package and reconstruct the layout of the circuit using chemical and optical methods. Even the data in some types of non-volatile memories, such as electrically erasable programmable read-only memory (EPROM) can be revealed by sophisticated tampering methods. To protect secret information, the emerging area of physical unclonable functions (PUFs) promise a reliable and highly-secure approach and is receiving increasing attention. Note that PUFs express inherent and unclonable instance-specific features of physical systems and provide an alternative to storing keys on insecure hardware devices [2, 3]. A PUF produces an output signal (response) to an external physical excitation signal (challenge). The response is a function of the physical properties of the system such as signal delay variations across identical integrated circuits and the applied challenge. A significant advantage in using PUFs is that the key is not digitally stored in the memory of a device (such as smart cards) but is extracted from device specific characteristics in response to an external stimulus. Besides the aforementioned device authentication and identification, PUFs can be used for cryptographic key generation and more complicated cryptographic protocols such as oblivious transfer (OT), bit commitment (BC), key exchange (KE) [4–8].

Conventional PUFs such as Ring Oscillator PUF, Arbiter PUF, SRAM (static random access memory) PUF exploit uncontrollable process variations in conventional CMOS fabrication technology. Although technological developments in CMOS devices such as FinFET enhanced device operations in ultra deep sub-micron technologies, such developments are expected to confront the physical limitation imposed by the continuing trend towards smaller feature sizes [46]. Consequently, CMOS based PUF designs will also face a roadblock in terms of providing secure physical unclonable functions in the future.

Recent developments in nanoelectronics demonstrated a potentially low-cost and high-performa nce nonionic nonvolatile resistive memory device called the memristor (in literatures, memristor and memristive device is used interchangeably) [9–11]. Memristors have inherent randomness due to fabrication process variations (i.e., thickness, cross-sectional area). This inherent randomness provides opportunities for building up physical unclonable functions with high performance. Furthermore, these nanodevices are easy to fabricate and are compatible with CMOS fabrication processes offering a potentially low cost security primitive.

The proposed mrPUF architecture, which combines nano-crossbars and current mirror controlled ring oscillators, and the proposed authentication mechanism are unique and have not been considered in the past to the best of our knowledge. Our architecture allows the extraction of secret information by exploiting the abundant variations in nanodevices and nanofabrication. A summary of our contributions in this paper are:

1. 1.

   We propose a novel PUF architecture that exploits the fabrication variations inherent in nano-electronic devices. In particular we exploit the significant variations in the resistance values on a nanocrossbar structure based resistive memory to build mrPUF.

2. 2.

   We conduct extensive studies to evaluate mrPUF and demonstrate its superior performance with respect to key performance metrics: diffuseness; uniqueness; and reliability.

3. 3.

   We show that mrPUF is resistant to model building attacks by exploiting characteristics inherent to nanocrossbar arrays, in particular the independence of information in individual columns, to develop a challenge selection strategy for a direct authentication mechanism using a mrPUF. We also demonstrate the significantly large number of challenge response pairs possible with our proposed architecture when compared to existing memristor based PUF designs.

The rest of this paper is organized as follows: Sect. 2 presents related work; The mrPUF architecture is presented in Sect. 3; Sect. 4 evaluates mrPUF’s performance metrics and compares it with other PUF structures in the literature; Sect. 5 presents two applications of mrPUF with respect to key generation and challenge response pairs based authentication protocol, and analyses their security; Sect. 6 compares mrPUF with other memristor based PUFs and Sect. 7 concludes this paper.

2 Related Work

Over the years, a number of PUF structures have been proposed, built and analyzed. These include time delay based PUFs such as the Arbiter PUF [2, 12] (APUF), Feed-Forward APUF [13], An arbiter based PUF built on current starved inverters [14], Ring-Oscillator PUF [15] (RO-PUF), and Glitch PUF [16]; Memory-based PUFs leveraging device mismatch such as SRAM PUF [17, 18], Latch PUF [19], Flip-flop PUF [20, 21], Butterfly PUF [22]. A comprehensive review of different PUF architectures can be found in [23, 24].

Here we introduce the RO-PUF as our mrPUF will integrate it. In addition, we provide a brief review of nanocrossbar arrays and memristive devices which our PUF architecture utilizes. Furthermore, we briefly review previous memristor based PUF architectures.

2.1 RO-PUF

The RO-PUF is one of the leading microelectronic PUF designs because of its relatively high reliability. A typical RO-PUF circuit consists of k ring-oscillators, two k-to-1 multiplexers that select a pair of ring-oscillators, \(\mathrm{RO}_i\) and \(\mathrm{RO}_j\), two counters and a comparator, as shown in Fig. 1. All the ring-oscillators in this structure are identical. Ideally, the frequency of each oscillator is unique, however, because the oscillating frequency is a function of the physical device parameters, which are subject to device process variation, the oscillation frequencies of each oscillator are not all identical. Therefore, the oscillation frequencies of each pair is compared by counting this frequency using a digital counter. If \(f_i < f_j\) (where \(f_i\) and \(f_j\) are the oscillating frequencies of \(\mathrm{RO}_i\) and \(\mathrm{RO}_j\), respectively) the digital comparator output will be ‘0’, otherwise ‘1’. The pairing of oscillators is controlled using two digital multiplexers, each use a subset of the input challenge bits to select an oscillator.

Fig. 1.

A conventional ring-oscillator PUF (RO-PUF)

In order to avoid an extremely large number of bits in counters, it is important to design relatively slow oscillators with an oscillation frequency of the order of hundreds of MHz. Therefore, depending on the technology, 50–100 inverters are needed for one RO to produce a frequency in this range [23, 25]. This design constraint will increase costly area and power overhead. In contrast, we propose an ring oscillator design that slows the oscillating frequency by using only a fraction of the number of inverters used in a RO-PUF.

Fig. 2.

(a) Nanocrossbar array of nanoionic memristive devices. (b) Illustrates the operation principles of a memristive device. The top electrode contains active ionic which stands for low resistance, while the bottom electrode is poor ionic region. Gray arrow indicates the ionic motion. The memristive device switches from OFF to ON with a positive potential difference between the top electrode and bottom electrode corresponding to ‘SET’ operation as one or more conductive filaments grow or form, while switches from ON to OFF with a negative potential difference between the top electrode and bottom electrode as the filaments disrupt (Color figure online).

2.2 Nanocrossbar Arrays and Memristive Devices

Crossbar arrays of metal-oxide based devices have attracted much attention in recent decades because of their high information density, compatibility with current CMOS technology, and simple implementation. The nanocrossbar array consists of parallel horizontal wires on top and perpendicular vertical wires at the bottom. At each junction, a two terminal device with or without a nonlinear selector element is formed and acts as a switch.

A nanocrossbar array structure is shown in Fig. 2(a) where each nanodevice is located at the crosspoint of the top and bottom wires. When reading a targeted memristive device, reading voltage is applied to the selected word line and the current of the selected bit line is sensed to determine the state of the memristive device. For other unselected word lines and bit lines, they can be connected to ground or floating. Floating is preferred since it consumes much less power. During reading it is important to note that there also exists many sneak path currents (red line) besides the desired read current (blue line).

Recently, a number of nanoscale electronic device implementations have emerged that include resistive switching and memristive devices. Realization of a solid-state memristive device [9–11], namely the memristor, shown in Fig. 2(b), presents a new opportunity for realizing ultra high density memory arrays together with nanocrossbar structures [31]. The unique properties of such devices are the non-volatile memory and nanoscale dimensions.

In redox (reduction-oxidation) based resistive switching devices there are two major types of devices available: (i) electrochemical metalization (ECM) memory; and (ii) valence change memory (VCM) [48]. Both are examples of memristive device realizations. The memristor is a solid-state device consisting of a thin-film semiconductor sandwiched between two metal contacts. Inside a memristive element there is a built-in concentration gradient of anions (VCM systems) or cations (ECM systems) together with a temperature gradient which is a direct result of current passing through the conductive channel (conductive filament) and is known as Joule-heating. The ionic gradient consists of rich and poor ionic regions. The rich ionic region (top region in Fig. 2(b)) gives rise to low resistance, \(R_\mathrm{ON}\), and the poor ionic region (bottom region in Fig. 2(b)) is responsible for high resistance, \(R_\mathrm{OFF}\). The basic operating principle of the memristive device is shown in Fig. 2(b). A positive/negative voltage between two terminals of the memristive device will form/disrupt the filaments, and hence push the device in its ON/OFF state. Once memristive device has been programmed its memristance will remain unchanged even if its power supply is disconnected.

2.3 Memristor-Based PUFs

Because of the interesting properties of memristors discussed earlier, researchers have started investigating the feasibility of memristors for building a PUF [30, 35, 43, 45]. Two of these studies [35, 45] employ a time and voltage constrained write mechanism (weak-write) to force each memristor to an undefined logic region (neither logic ‘1’ or ‘0’). Subsequently, these memristors attain an unpredictable logic state due to process variations that influence memristance. Similar to SRAM PUF, a memristor PUF [35, 45] is only capable of producing a limited number of CRPs. More significantly, the PUF in [35, 45] requires a calibration procedure to determine the weak-write parameters (time and voltage) to force memristors into the undefined logic region.

In [44] the author leveraged sneak path currents inherent in memristor-based nanocrossbars and bidirectional features to build up a nano Public Physical Unclonable Functions (PPUF). Unlike PUFs, security of the PPUF no longer relies on the secrecy of its physical parameters that define its uncontrollable variations and the model of a PPUF that exactly matches the PPUF hardware behavior is publicly known to every one. The security of a PPUF is based on the time difference (several orders of magnitude) between fast execution time on PPUF hardware to acquire correct response and the much longer time required to compute the response correctly using the PPUF model. In fact, PUFs and PPUFs are hardware primitives with different requirements for authentication and other security services. Moreover, the nano PPUF always needs accurate measurements of its physical parameters to obtain through an accurate model of the nano PPUF that is inconvenient and expensive. Although the PPUF provides an alternative to securely storing challenge response pairs, the poor reliability of the nano PPUF designs still need to be addressed. We refer readers to [41] for a more comprehensive overview.

Our preliminary design of mrPUF was first outlined in [30] where we illustrated the possibility to use the significantly increased variations in high state and low state of memristor resistance in a nanocrossbar array together with an RO-PUF. In this paper we build on our initial concept outline. It should be noted that in this paper, we only exploit abundant resistance variations in \( R_\mathrm{ON}\) state in individual memristors to achieve a more reliable PUF architecture. In addition, we evaluate key PUF performance metrics of mrPUF and analyze the security of the PUF based applications: key generation, and device authentication, which are not investigated in our previous work.

3 mrPUF

3.1 Concept

It has been shown that the memristor can be used to store digital states by utilizing the two distinct resistance values of the memristor, namely ON and OFF resistances, referred to as \( R_\mathrm{ON} \) and \( R_\mathrm{OFF} \). These resistances are random variables with log-normal distribution values [10]. Figure 3 illustrates the distribution of these resistances after an initial programming step of randomly selected binary values in a nanocrossbar array. As mentioned in Sect. 2.2, variations in memristors is prevalent when their dimensions approach the nano-scale region. These inherent variations can be effectively utilized to design a novel PUF architecture, as we will demonstrate in this article.

Fig. 3.

Experimental resistance variation extracted from a \(40 \times 40\) nanocrossbar array (1600 memristors) from the experimental data [10].

A memristor-based nanocrossbar architecture has the ability to combine large number of memristive devices in a compact area, and hence, has the ability to store a very large amount of information within a small physical size. When reading a targeted memristor resistance value, in addition to the current through the targeted memristor, there exist a number of other current paths that are commonly referred to as sneak path currents that result in an inaccurate reading of the targeted memristor device value (see Fig. 2). To suppress sneak path currents, a number of techniques are proposed [10]. Three of the leading techniques at the center of attention in today’s industry and academic research community to suppress sneak path currents are; (i) an intrinsic current-rectifying behavior [10, 50] which is translated into an extremely high current-voltage nonlinearity as shown in Fig. 4; (ii) having a highly nonlinear series element with a transistor-like or a diode-like behavior; and (iii) Complementary resistive switches (CRS) [38]. Presently, the first solution appears more promising than the two latter approaches due to its ability to maintain competing memory features such as small area and the highly nonlinear self-rectifying feature in these solid-state devices. As for CRS, the read operation is destructive and multilevel capability of the memristive device can not be used. In fact, sneak path current in nanocrossbar arrays mitigates the effect of process variations in individual memristors during readout. So intrinsic diode characteristic of the memristor helps maintain the process variations influence on resistance of memristor during readout; this is desirable for a PUF design aiming to exploit process variation.

Fig. 4.

Memristor with intrinsic diode characteristic.

In [42] the authors demonstrated that resistance variation is more prevalent in \( R_\mathrm{ON}\) state than in \(R_\mathrm{OFF}\) state due to the thickness of memristors. Furthermore, in [27] it was demonstrated that resistance is resilient to temperature and telegraph noise (refers to resistance fluctuations due to electrons captured or released again near or inside the filament) in \( R_\mathrm{ON} \) state more than in \( R_\mathrm{OFF} \) state. For these reasons only the \( R_\mathrm{ON} \) state is used to construct the mrPUF architecture (i.e. we initially program the entire nanocrossbar to store the logic value ‘1’) to reduce susceptibility to both temperature increases and telegraph noise and consequently increase the reliability of the PUF architecture. The sources of variations exploited in our mrPUF are listed below:

1. 1.

   Memristor manufacturing variations: These variations are prevalent in the nanoscale region, and can be due to variation in device layer thicknesses, dimensions, or doping.

2. 2.

   Programing variations: In the first programing operation (i.e., programming the state to ‘0’ or ‘1’), it will introduce variations because the filament location and width in memristor are random.

3. 3.

   CMOS device manufacturing variations: CMOS device properties due to inherent CMOS process variations, although CMOS process variations in CMOS components such as decoder, ring oscillators is very small compared with the first two listed sources.

3.2 mrPUF Architecture

The proposed mrPUF architecture shown in Fig. 5(a) comprises two key components: a \( M \times N \) nanocrossbar array and two current mirror-controlled ring oscillators (CM-ROs), shown in Fig. 5(b). Individual memristor variations in the nanocrossbar array is the source of mrPUF’s secrecy. While the CM-RO that has i (in this work, \( i=5 \)) inverters translates the analog resistance variations of a individual memristor into frequency for digitizing the analog variations to facilitate measurements.

Fig. 5.

Memristor-based nanocrossbar PUF architecture, mrPUF. (a) All memristors are in the ON state, the red color (or dark) marked memristors are selected memristors in the nanocrossbar array. (b) Current controlled RO (CM-RO). One current mirror configures all the inverters in a RO structure, \(M_i\) is the selected memristor in nanocrossbar array, Although variations in the oscillation frequency of each RO is slightly influenced by the threshold voltage variations in the CMOS transistor composing the starved inverter and current mirror structures, the overall variation in the oscillation frequency is primarily determined by the variations in memresistance of \(M_i\) if the supply voltage, \( \mathrm V_{DD} \), is kept constant (Color figure online).

Challenge bits are used to provide the address bits for both the analog multiplexer and the decoder. The decoder is used to select one column of the nanocrossbar array. Two analog \( M\times 1 \) multiplexers select two rows acting as bit lines. For example, we can select the red marked memristors (one memristor between Row\(_{2} \) and Col\(_{2}\) and the other memristor between Row\(_{M-1}\) and Col\(_{2}\)) after applying a single challenge. It should be noted that in this reading scheme the two randomly selected memristors have to be from the same column.

Each selected memristor is then used to control the current in the current mirror structure used to starve the current in each inverter in the ring oscillator loop, resulting in a current starved ring oscillator structure. So, the oscillation frequency is a direct function of this current which in turn is a direct function of the value of the memristor. The oscillation frequency of each oscillator is measured using a counter (as in RO-PUF). The outputs from the two counting circuits are compared and a response bit is generated accordingly. The reason only 5 inverters are used in one CM-RO is that the oscillation frequency is already down to decades of MHz (as illustrated in Fig. 7) by using 5 inverters due to a current starved ring oscillator structure.

A challenge is presented as an address to a decoder and a multiplexer as shown in Fig. 5. Subsequently, the outputs of CM-RO are compared to generate a response to the challenge. In the mrPUF architecture illustrated in Fig. 5 the number of possible challenge response pairs (CRPs) are \(N \times {M \atopwithdelims ()2}\). Where N and M are the number of columns and rows, respectively, in the nanocrossbar array.

In contrast to RO-PUF, which uses an array of ROs, the proposed mrPUF efficiently uses two 5-stage CM-ROs which are re-configured using the nanocrossbar and consequently result in a significant area reduction and ease of reading as the output frequency is substantially reduced to facilitate accurate counting. Also unlike the memristor-based PUF in [35] where the goal is to sense the value of the resistance to determine the binary value of a target element in nanocrossbar array, we translate a memristance value into a frequency through a CM-RO. The advantages of this approach are:

1. 1.

   Use of significantly smaller number of ring oscillators and only 5 inverter stages to build each ring oscillator.

2. 2.

   Mitigate some of the undesirable variations in responses caused by power supply and temperature fluctuations as we employ a differential structure to generate a response bit.

3. 3.

   Unlike in [35] we do not need complex circuitry to readout a memory cell and we do not directly expose full physical information (binary value in memory) at each junction of a nanocrossbar array.

4 mrPUF Evaluation

4.1 Simulation Environment and Settings

We conduct extensive experiments to evaluate our mrPUF architecture. The simulation was carried out using Cadence tools. In these simulations the mrPUF was built using a \( 40 \times 40 \) nanocrossbar array with 1.25 \(\mathrm \Omega \) segment resistance for nano-wires and two 5-stage CM-ROs as shown in Fig. 5. Each memristor is programmed to \( R_\mathrm{ON} \) where the value of \( R_\mathrm{ON}\) is selected from the log-normal distribution shown in Fig. 3. It should be noted here that the log-normal distribution values are extracted from the fabricated experimental data in [10]. Readout is achieved using a 1 V supply voltage. Our selected voltage ensures that we are operating below the memristor’s threshold voltage and ensures the device memristance does not alter with respect to time. In these simulations we use the GPDK 90 nm standard CMOS technology in Cadence with a 1.0 V supply voltage. The memristor model is adapted from [36, 49] and written in Verilog-A language. The simulated results of our memristor model shown in Fig. 6 agrees well with experimental results published in [10].

Fig. 6.

Memristor with intrinsic diode characteristics. Red dash line is obtained from experimental data [10, 32] and the dot line depicts the accuracy of the simulated results produced by our memristor model written by Verilog-A language and used in generating the simulation results in our study (Color figure online).

We simulated a \( 40\times 40 \) nanocrossbar array architecture shown in Fig. 5 and obtained 31,200 CRPs using 15 bit length challenges.

4.2 Performance

There are a number of performance measures proposed in the literature for evaluating PUFs. We have selected fundamental metrics to demonstrate the performance of mrPUF using uniqueness, uniformity, diffuseness and reliability as proposed in [40] and [29]. Detailed definitions and explanations of these metrics for evaluating PUF architecture can be found therein. In addition to PUF performance we firstly investigate the frequency distribution of CM-RO to ensure that the frequency is indeed, mainly, a function of the resistance of the selected individual memristor.

Fig. 7.

The plot on the left shows the frequency distribution and the plot on the right shows the resistance distribution in a \( 40 \times 40 \) nanocrossbar array. As expected, the frequency distribution agrees well with the resistance distribution.

Frequency Distribution. To test whether the frequency is determined by the variations from the resistance distribution of memristors in the nanocrossbar array, we readout all of the frequencies in one mrPUF instance from CM-RO configured by challenge bits, which select a target memristor in the nanocrossbar. The number of frequencies are equal to the number of memristors in nanocrossbar array (i.e. 1600). The frequency distribution is shown in Fig. 7. It can be seen that, as expected, the frequency distribution follows a log-normal distribution. For comparison, we show the resistance distribution in the nanocrossbar array in Fig. 7 as well. The close alignment of the frequency distribution and the resistance distribution plots illustrates that the dominant variation determining the mrPUF response is from the inherent random variations of individual memristors in the nanocrossbar array (which is more prevalent in the nano-region) instead of the CMOS technology variations in the peripheral CMOS circuitry. Detailed relationship between CM-RO’s frequency and memristor’s resistance is shown in Fig. 8 where we can see how the frequency of a CM-RO is determined by the resistance of a memristor.

Fig. 8.

The relationship between CM-RO’s frequency and memristor’s resistance. The circuit is shown in Fig. 5(b).

Uniformity. Randomness or uniformity is an indicator of the balance of ‘0’ and ‘1’ in the response vector. An ideal PUF should show that a ‘0’ or ‘1’ response is equiprobable. For mrPUF our results show that the probability of a ‘0’ or ‘1’ response is very close to 50 % (probability of ‘1’ is 50.34 % as shown in Fig. 9(a)).

Diffuseness measures the difference between responses for different challenges applied to the same PUF. Diffuseness quantifies the information content that can be extracted from a PUF. Diffuseness is measured by calculating the mean of Hamming Distance (HD) for all the possible responses generated by the PUF. Diffuseness for an ideal PUF is 50 %.

Note the mrPUF, like the APUF, only produces a 1 bit response for a given challenge. To obtain a binary response vector, we apply a randomly selected set of challenges to the mrPUF, and then we concatenate these single response bits to a multiple bit response vector. Here, we use responses with 128 bits, therefore we apply 100 sets of 128 random challenges to the mrPUF. Subsequentially, we gain one hundred 128 bit responses to evaluate the diffuseness. The HD among these 100 responses is shown in Fig. 9(b). The mean of HD is 64.10 bits out of the 128 bit response, then the diffuseness is calculated as 50.08 % close to the expected value of 50 %.

Fig. 9.

(a) Uniformity or randomness of mrPUF: probability of output logic ‘1’ and ‘0’ are close to 50 %, which are 50.34 % and 49.66 % for logic ‘1’ and logic ‘0’ respectively. (b) Diffuseness of the mrPUF: mean of HD among 100 randomly generated responses is 64.10 bits out of 128 bits (50.08 %)

Uniqueness. When applying the same challenge set to different PUFs, the responses from different PUFs are expected to be different due to intrinsic variations of each PUF. This is a highly desirable characteristic that be capable of distinguish one PUF from a large population. Uniqueness is the inter-device performance that can be measured by inter-HD. The mean of hamming distance is uniqueness expected to be 50 % as an ideal value.

We use 100 different mrPUF instances to evaluate the uniqueness and the result is shown in Fig. 10. It can be observed that the mean of inter HD for the mrPUF is 64.22 bits out of the 128 bit response and this value agrees with that expected from an ideal PUF (i.e. 64 bits). The uniqueness is 50.17 %.

Fig. 10.

Uniqueness evaluation: mean of inter HD among 100 responses generated from 100 PUF instances for the same given challenge is 64.22 bits out of 128 bits (50.17 %).

Reliability. Reliability or steadiness indicates stability of the PUF output bits, i.e. the ability to consistently generate the same response to a corresponding challenge. Reliability of an ideal PUF should be strong (100 %). However, because noise (environmental variations, instabilities in circuit, aging) are unavoidable, there are always uncertain factors affecting the response. Reliability is measured by intra-chip HD among different samples of PUF response bits to the same challenge set applied to the same PUF instance.

A reference response Ref\( _{\textit{i}} \) is recorded at normal operating condition (27\(^\circ \)C and 1.0 V supply voltage for our simulation), then a response Ref\( ^{'}_{\textit{i}} \) is extracted at a different operating condition but using the same set of challenges as before. After samples of Ref\( ^{'}_{\textit{i}} \) are collected, the HD between Ref\( _{\textit{i}} \) and Ref\( ^{'}_{\textit{i}} \) is calculated. An ideal PUF’s intra HD between Ref\( _{\textit{i}} \) and Ref\( ^{'}_{\textit{i}} \) should be 0 bits. Reliability can also be described by Bit Error Rate (BER), which is the percentage of flipped (error) bits (also called measurement noise) out of response bits due to noise.

Under simulation settings, we would always obtain the same responses for the same challenges if the temperature and voltage conditions do not change. In other words, the BER caused by measurement noise can not be evaluated. However, it is feasible to evaluate reliability under different temperature and supply voltages as discussed below.

Fig. 11.

Bit error rate (BER) under different temperature (left) and voltage (right) deviations.

We evaluate the reliability of two mrPUF instances and the results obtained are shown in Fig. 11. We obtained a 500 bit length response by repeatedly challenging mrPUFs under four different voltages: 0.8 V; 0.9 V; 1.1 V; and 1.2 V. The temperature settings used for the evaluation was 27\(^\circ \)C. Worst-case BER is 2.6 % under \( \pm 20\,\% \) deviation and 0.65 % under \( \pm 10\,\% \) deviation from nominal power supply voltage of 1.0 V.

The resistance temperature coefficient of memristive devices in ON state is similar to a metallic resistor [26, 37]. Therefore, we used metallic resistor temperature coefficient to conduct reliability evaluation under different temperature conditions. Reliability tests were repeated for four different ambient temperatures (\(-20^\circ \)C, \(0^\circ \)C, \(50^\circ \)C, \(85^\circ \)C). The supply voltage used in these tests was 1.0 V. Worst BER of the two mrPUFs is 4.4 % when the temperature is \(85^\circ \)C.

5 Applications and Security Analysis

5.1 Cryptographic Key Generation

It is impractical to use raw responses of a PUF as cryptographic keys directly because the BER is higher than the industrial standard of BER that is in the order of \( 10^{-6}\) (the industrial standard of BER for cryptographic key generation) [6]. As illustrate in [28], a fuzzy extractor can be used to correct the raw response and hash the corrected response to build a cryptographic key.

For example, to obtain 63 secret bits with a BER rate lower than \( 10^{-6} \), the BCH(255,63,61) code can be used to correct raw PUF responses. Our mrPUF is expected to generate 11 unreliable bits out of a 255 bit response considering the worst-case BER of 4.4 %. The BCH(255,63,61) code can correct up to 61/2 errors out of 255 bits. Therefore, a BER of \( 3.9\times 10^{-7} \), lower than the desired \( 10^{-6} \), can be obtained by using the BCH code. However, the syndrome generated from the BCH code can reveal at most 192 \( (255-63) \) bits of information and therefore there are 63 secret bits that can be used from the 255 bits response. Hence an attacker has to guess at least 63 bits to find the correct PUF response. In general, as proposed in [15], the regenerated response can be hashed to obtain a fixed size key or serve as a seed for a key generation algorithm.

5.2 Authentication

Our PUF can also be directly used for device authentication using a simple challenge-response based authentication protocol. The authentication protocol follows 5 steps [15, 33, 34]:

• First: A trusted party applies randomly chosen challenges to obtain responses and saves these CRPs in a database for future authentication (characterization of the PUF) before the PUF (as part of an integrated circuit) is sent to end-users. This is called the provision phase.

• Second: Whenever an end-user needs to authenticate the authenticity of the product to which the PUF has been integrated, the user requests an authentication from the trusted party.

• Third: The trusted party randomly selects a challenge from those stored securely in a database and sends it securely to the end-user. Subsequently, the end-user applies the challenge to their PUF and obtains a response.

• Fourth: The user securely sends the obtained response to the trusted party.

• Fifth: The trusted party compares the received response with the response stored. If they are close to each other, within an expected BER, authenticity of the product integrated with a PUF is established.

In order to prevent a replay attack by a passive attacker, a single CRP is only used once. This is possible because of the large number of CRPs that can be generated from a mrPUF.

To evaluate PUF security there are two analysis approaches: (i) evaluate the internal entropy of the PUF; and (ii) evaluate the number of independent CRPs produced by the PUF, or in other words, the number of CRPs needed by an adversary to build a model of the physical PUF with a high prediction accuracy. In terms of the first approach, it has been demonstrated that the internal entropy of the PUF does not provide the attacker information to break a PUF, even if the entropy is very low. In addition, it is not clear that the internal entropy is a good indicator of a PUF’s security as highlighted in [47]. While the second approach is a better way to evaluate the security of a PUF [47]. So we use the second approach to evaluate the security of mrPUF.

PUFs such as APUF and RO-PUF have shown that after exposing a specific number of CRPs an attacker gains enough knowledge to build a model to predict responses for a given unused challenge [13, 39, 47]. This model building attack can threaten our mrPUF. In this section, we are going to illustrate how to avoid such a model building attack by leveraging properties inherent to our mrPUF architecture and a challenge selection strategy.

Fig. 12.

mrPUF access mechanism resilient to model building attacks by using information from independent columns: firstly, we use CRPs generated from one randomly selected Secure Column, after \( N_\mathrm{CRP} \) (number of CRPs required to train the attacker’s model to acquire needed prediction accuracy) CRPs are used, this column becomes an Insecure Column. Secondly, we move to another randomly selected Secure Column. The column currently in use while its number of CPRs exposed is below \(N_\mathrm{CRP}\) is labeled Inuse Column.

We assume the attacker does not have authority to physically access the mrPUF. The CRPs they can acquire is only from eavesdropping. Consider the mrPUF shown in Fig. 5 with N columns and M rows. Each challenge will select one column and two rows. In other words, each challenge selects two memristors in the same column but from different rows, then the resistance of these two memristors are translated into frequencies by two CM-ROs to generate a single response bit. Now, if we only consider memristors in one column within the nanocrossbar array, we can model a mrPUF instance as a k ring oscillators PUF. From [47] we can obtain an estimate of the number of CRPs needed to train a machine learning based model to achieve an error rate of \( \epsilon \) as

$$\begin{aligned} N_\mathrm{CRP} \approx \frac{k(k-1)(1-2\epsilon )}{2+\epsilon (k-1)} \end{aligned}$$

(1)

where \( N_\mathrm{CRP} \) is the number of CRPs needed to train a machine learning classifier and k is the number of RO in RO-PUF. The total number of CRPs in RO-PUF is \( NT_\mathrm{CRP} \), which is equal to \( k\times (k-1)/2 \). If an attacker wants to impersonate the PUF through building a predictive model, the error rate of the predictions of the model should be less than \( \epsilon \), or the trusted party can still distinguish the impersonated PUF from the original PUF. Based on Eq. 1, to achieve a prediction accuracy of 1-\( \epsilon \), an adversary needs \( N_\mathrm{CRP} \) CRPs to train a machine learning classifier.

It is noticeable that each challenge applied to mrPUF only selects two memristors in the same column, therefore information exposed in one column does not leak any information related to other columns. This property can be exploited to avoid machine learning based model building attacks through careful challenge selection.

In this paper, we propose a challenge selection strategy outlined in Fig. 12 to avoid model building attacks. The nanocrossbar columns are separated into three categories. If CRPs produced from one column have never been used, then this column is a Secure Column, since there is no information exposed to an adversary thus far. Under the condition that we only use CRPs from one column, the adversary needs \( N_\mathrm{CRP} \) CRPs to train their machine learning classifier and build a model of the memristor related delays for a given column. Thus if \( N_\mathrm{CRP} \) CRPs generated (obtained using Eq. 1) from the Inuse Column has been used then this column becomes an Insecure Column because an adversary may have gathered enough CPRs to build a model and can potentially predict the response to future challenges with high accuracy. If the number of used CRPs generated from the column is still less than \( N_\mathrm{CRP} \), the column is an Inuse Column.

In our mrPUF, each column can be used to generate \( N_\mathrm{CRP} \) secure CRPs because the attacker cannot predict the response with a high enough accuracy (1–\( \epsilon \)) unless \( N_\mathrm{CRP} \) CRPs are exposed. After more than \( N_\mathrm{CRP} \) CRPs generated from the Inuse Column are exposed, the Inuse Column becomes an Insecure Column. We do not use CRPs generated from this Insecure Column again. Since each column is independent, the attacker is unable to use their existing knowledges to construct a model of the subsequent Secure Columns. This process can continue until all Secure Columns have been exhausted.

By using our proposed challenge selection mechanism in Fig. 12, we can make mrPUF more resilient to model building attacks. To increase security using our proposed mechanism above, it is better to set N >  M. In this way, we are able to obtain more independent columns.

6 Comparison

Here we compare mrPUF with other memristor based PUFs. However, Comparison with nano PPUF is not presented because the nano PPUF has been developed to meet the requirements for a public PUF, where the need to build a model of a nano PPUF requires highly accurate measurements of each individual memristor in the nanocrossbar array in the provisioning phase. Furthermore, since the performance evaluations of RO-PUF, APUF and SRAM PUFs are acquired from experimental data, it is unfair to compare these with our simulated result. So here, we compare our mrPUF with existing memristor based PUFs where their results are also from simulation based studies.

Table 1. Comparison with memristor based PUFs

Since all the PUFs in Table 1 are based on large uncontrollable variations in nanofabrication and nanodevices, the uniqueness and uniformity are all close to the ideal value of 50 %. We do not compare reliability performance because there is no such information presented in other memristor based PUFs. In Table 1, whether a nanocrossbar is used or not determines the circuit density. In terms of the CRP number, M and N denote the number of rows and columns, respectively, in a nanocrossbar array. In particular, for the PUF presented in [45], M denotes the number of memristors used in the PUF architecture. The number of CRPs of the other two memristor based PUFs is equal to the number of memristors. As for our mrPUF, it can be seen that it is capable of yielding a significantly larger number of CRPs.

In summary, we have evaluated the uniqueness, randomness performance of mrPUF. In addition, we also investigate the reliability under different temperature and voltage conditions. Such evaluation is missing in the currently published memristor based PUFs. Moreover, we have also analyzed the security of our mrPUF for two potential applications and proposed a challenge selection strategy to avoid model building attacks when mrPUF is used directly for authentication applications.

7 Conclusion

In this paper, we present a novel PUF architecture named mrPUF. Our approach exploits the robustness of RO-PUFs and exploits the large variations in nanodevices as well as the high information density available in nanocrossbar structures to create a novel PUF. Our architecture not only achieves sound reliability, uniqueness, diffuseness, but also improves the number of available CRPs in comparison with other recent memristor based PUF architectures. In particular, we show that mrPUF achieves higher levels of security due to the inherent features of nanocrossbar arrays that the information in one column is independent from other columns. We also demonstrate a mechanism using mrPUF in an authentication protocol that is resistant to model building attacks by the proposed challenge selection strategy.

A limitation of our work is that our experiments are conducted based on device simulations, albeit using de-facto industry standard modelling tools and experimentally verified process variations, rather than physical realizations, Addressing this limitation forms the subject of our future work. Furthermore, in our future work we will investigate the possibility of building a re-configurable and strong memeristive device based PUF architecture [51] by exploiting the variations induced during re-programming and increasing the number of CRPs significantly.