Ensuring IoT Security

The number of connected devices, machines, sensors, or things that are linked with each other over open communication networks on the Internet of Things (IoT) has exploded. Processes are remotely monitored through networks of smart devices. And every device represents a potential entry point for malicious intrusion – into the device itself or the network to which it’s connected.

Root-of-trust (RoT) technology is becoming a requirement for securing connected devices, their data, and, by extension, the entire infrastructure with which they communicate. But, RoT technology shouldn’t be limited to hardware design, confining IoT developers to functions programmed at manufacture. The Synopsys Software-based PUF IP embedded solutions democratize RoT technology by uncoupling it from silicon fabrication, ensuring IoT application developers can access, understand, and implement it at scale.


  • Uses standard SRAM as a physical unclonable function (PUF) to create a hardware-based trust anchor
  • Easy and collision-free identification of billions of devices (from various vendors)
  • Offers key provisioning, secure key storage, symmetric and asymmetric key cryptography
  • Keys are never stored but re-created from the PUF each time they are needed
  • Keys are bound to the device and can only be recreated and accessed on the device on which they have been created
  • Allows for data encryption on the fly (streaming AES, hash, MAC)
  • NIST SP 800-90A/B compliant random number generator


  • No need for an additional security chip into the device – no SE/TPM needed
  • A trust anchor can be installed later in the supply chain or even remotely retrofitted on deployed devices
  • Works on all MCUs, CPUs
  • Offers stronger protection than traditional key storage in NVM
  • Seamlessly integrates with other crypto such as Mbed TLS, wolfSSL, and OpenSSL
  • Synopsys PUFs are post-quantum secure and genuine, with no sensitive key material stored
  • Proven PUF technology with 500M+ devices in the field

Security Based on SRAM PUF

The Synopsys Software-based PUF IP products use the inherently random start-up values of SRAM as a PUF from which a device-unique identity and root key are generated. The root key is never stored and is only available (in-volatile memory) when needed. This means the key is never present in persistent memory – even when the chip is powered down – which raises the security significantly and eliminates the need for OTP or other secure memory.

An unlimited number of keys can be derived from the root key using the NIST-compliant key-derivation function. Synopsys Software-based PUF IP also offers random values generated by a NIST 800-90A/B-compliant random number generator. All Synopsys Software-based PUF IP features are accessed by the host software via the API.

Synopsys Software-based PUF IP - 100

The Synopsys Software-based PUF - 100 API enables IoT developers to generate unique device identities, secure cryptographic keys, and random values. It enables easy and collision-free identification of billions of devices from various vendors. Synopsys Software-based PUF - 100 can also be integrated as a hardware-based trust anchor for Mbed TLS, OpenSSL, wolfSSL, and other libraries, extending the chain of trust beyond just a single device.

Synopsys Software-based PUF IP - 200

Synopsys Software-based PUF IP - 200 IP is a secure key generation, management, and storage solution for any IoT device. It offers functions to wrap and manage secret keys and encrypt data, which can then be stored in unprotected memory or securely transmitted over the network. The Synopsys Software-based PUF IP - 200 also offers random values generated by a NIST 800-90A/B-compliant random number generator and a collision-free unique device identity.

Synopsys Software-based PUF IP - 300

Every device needs an unclonable identity, which consists of a secret key, a public key, and a certificate, to solve security problems in IoT systems, such as authentication, product lifecycle management, reverse engineering, and cloning.

The biggest challenge is getting these credentials into the device and keeping the secret key secret. This can be achieved by using Synopsys Software-based PUF IP - 300, which offers the strongest protection of the device secret key and the strongest authentication via unclonable identities. Synopsys Software-based PUF IP - 300 offers all the features of Software-based PUF - 200. In addition, Synopsys Software-based PUF IP - 300  offers asymmetric cryptography: public key crypto functions such as ECDSA sign and verify, and ECDH shared secret. PKI elements, such as ECIES and certificate signing request (CSR) are optional.

Operating Ranges

SRAM PUF responses have been qualified for use with the Synopsys Software-based PUF IP products in a wide range of operational environments over years of field operation:

  • All major fabs from 0.35 μm to 5 nm
  • Temperature range from -55°C to 150°C [-67°F to 300°F]
  • Voltage supply variation +/- 20%
  • Lifetime > 25 years


  • Target-specific library (C-code)
  • Datasheet
  • API reference manual
  • Code examples (e.g. of integration with Mbed TLS, OpenSSL, wolfSSL)
  • NIST documentation
  • Application notes


The Synopsys Software-based (SW-based) PUF IP products are available in off-the-shelf configurations with sizes ranging between 6.3 kB and 29 kB. Configurations differ according to functionality, performance, and compliance.



SW-based PUF -100 Standard

SW-based PUF-100 FIPS 140-3 Ready

SW-based PUF - 200 Standard

SW-based PUF - 200 FIPS 140-3 Ready

SW-based PUF - 300 Standard

SW-based PUF - 300 FIPS 140-3 Ready 

Security strength (bits)

128 / 256

128 / 256

128 / 256

128 / 256

128 / 256

128 / 256

Code size (kB)



10 / 13

11 / 14

16-21 / 19-28

17-23 / 20- 29

SRAM for PUF (KiB)

0.7 / 1.0

2.8 / 4.0

0.7 / 1.0

2.8 / 4.0

0.7 / 1.0

2.8 / 4.0

Activation Code (bytes)

672 / 984

672 / 984

672 / 984

672 / 984

672 / 984

672 / 984

Device-unique identifier (UID)

Generate device-unique keys

Generate random values

Wrap and unwrap secrets    

Encryption on the fly    

Public key crypto functions*        

PKI elements**        



NIST CAVP certification

NIST SP 800-90B compliant entropy source for RNG  



* Includes ECDSA sign and verify, ECDH shared secret, standard elliptic-curve support set: P256, P384, P521
** Elliptic curve integrated encryption scheme (ECIES), certificate signing request (CSR), self-signed certificates (SSC)

Markets and Applications | Certifications





  • Automotive
  • Chiplets
  • Financial services
  • Internet of things
  • Manufacturing
  • Medical
  • Memory
  • Sensors
  • Wearables
  • Microcontrollers
  • Anti-counterfeiting
  • Device-to-host Authentication
  • Secure key storage
  • Flexible key provisioning
  • HW-SW binding
  • Supply chain protection