Enabling Authentication with PUF-based Security

Synopsys is the world’s leading provider of security IP for embedded systems based on physical unclonable function (PUF) technology. The technology provides an additional level of hardware security by utilizing the inherent uniqueness of each and every silicon chip. The IP can be delivered as IP or software and applied easily to almost any chip – from tiny microcontrollers to high-performance FPGAs – and at any stage of a product’s lifecycle. It is an important component for a hardware root of trust to validate payment systems, secure connectivity, authenticate sensors, and protect sensitive government and aerospace data and systems. Synopsys PUF IP has been deployed and proven in hundreds of millions of devices certified by EMVCo, Visa, CC EAL6+, PSA, ioXt, and governments across the globe. Our secure and robust PUF technology leverages a unique identifier (ID) intrinsically present in the silicon, seamlessly enabling the highest level of security in the most cost-effective way.

Identifiers extracted from a PUF cannot be cloned, guessed, stolen, or shared, and keys don’t remain stored on the system, providing the highest level of protection. Synopsys provides different products that utilize its PUF technology:

  • Synopsys PUF IP integrates a PUF with crypto accelerators, securing MCUs for the IoT, and has a variant for the automotive market called Synopsys AP PUF IP
  • Synopsys PUF IP – Software makes the deployment and usability of hardware-based security easy. It works on all MCUs /CPUs, lowers the cost of a secure design, and improves time to market. 
  • Synopsys PUF FPGA-X binds sensitive data, such as FPGA bitstream, designs, IP, and encryption keys, to the hardware of the FPGA. 

Use Cases for Synopsys PUF include:

  • Key Vault: The best-known use case for PUF technology is creating and storing the cryptographic root key for a device. The cryptographic root key created by the PUF does not require key injection and it cannot be copied from one device to the next. This is because it is never stored, but rather it is reconstructed from the device’s silicon fingerprint every time it is needed. Since this fingerprint is different for every chip, there is no way for an attacker to copy a key from one device to another. 
  • Firmware IP Protection: What if an IoT device stores sensitive data that needs to be protected? This could be valuable IP that contains proprietary secrets or measurement data that is privacy sensitive or system critical. That is when the device requires a secure vault. In a secure vault, any data can be stored securely and physically bound to the hardware of the device. This can be achieved easily with a PUF by encrypting all sensitive data with a key derived from the PUF root key.
  • Edge-to-Cloud Security: To set up a secure channel between an IoT device and the cloud based on a public key infrastructure (e.g., a transport layer security (TLS) connection with a cloud service), the device and cloud exchange certificates. These certificates authenticate the entities to each other. To produce a certificate for authenticating a device, a public/private key pair is produced from the PUF fingerprint.

Resources