Embedded systems play a crucial role in fueling the growth of the Internet-of-Things (IoT) in application domains such as health care, home automation, transportation, etc. However, their increasingly network-connected nature, coupled with their ability to access potentially sensitive/confidential information, has given rise to a plethora of security and privacy concerns. An additional challenge is the growing number of counterfeit components in these devices, with serious reliability and financial repercussions. Physically Unclonable Functions (PUFs) are a promising security primitive to help address these concerns. Memory-based PUFs are particularly attractive as they can be realized with minimal or no additional hardware beyond what is already present in all embedded systems, i.e., memory. However, current memory-based PUFs utilize only a single memory technology for constructing the PUF, which has many disadvantages including making them vulnerable to certain security attacks. Several of these PUFs also suffer from other shortcomings such as low entropy, limited number of challenge-response pairs, etc. In this paper, we propose the design of a new memory-based combination PUF that tightly integrates (two) heterogeneous memory technologies to address these challenges/ shortcomings. Our design enables us to authenticate an on-chip component and an off-chip component, thereby taking a step towards multi-component authentication in a device, without incorporating any additional hardware. We have implemented a prototype of the proposed combination PUF using a Terasic TR4-230 FPGA development board and several off-the-shelf SRAMs and DRAMs. Measured experimental results demonstrate substantial improvements over current memory-based PUFs including the ability to resist various security attacks. We also propose a lightweight authentication scheme that ensures robust operation of the PUF across environmental and temporal variations. Extensive authentication tests performed on several PUF prototypes achieved a true-positive rate of greater than 97.5 percent across these variations. The absence of any false-positives, even under an invasive attack, further highlighted the effectiveness of the overall design.
Abstract-Embedded systems play a crucial role in fueling the growth of the Internet-of-Things (IoT) in application domains such as health care, home automation, transportation, etc. However, their increasingly network-connected nature, coupled with their ability to access potentially sensitive/confidential information, has given rise to a plethora of security and privacy concerns. An additional challenge is the growing number of counterfeit components in these devices, with serious reliability and financial repercussions. Physically Unclonable Functions (PUFs) are a promising security primitive to help address these concerns. Memory-based PUFs are particularly attractive as they can be realized with minimal or no additional hardware beyond what is already present in all embedded systems, i.e., memory. However, current memory-based PUFs utilize only a single memory technology for constructing the PUF, which has many disadvantages including making them vulnerable to certain security attacks. Several of these PUFs also suffer from other shortcomings such as low entropy, limited number of challenge-response pairs, etc. In this paper, we propose the design of a new memory-based combination PUF that tightly integrates (two) heterogeneous memory technologies to address these challenges/ shortcomings. Our design enables us to authenticate an on-chip component and an off-chip component, thereby taking a step towards multi-component authentication in a device, without incorporating any additional hardware. We have implemented a prototype of the proposed combination PUF using a Terasic TR4-230 FPGA development board and several off-the-shelf SRAMs and DRAMs. Measured experimental results demonstrate substantial improvements over current memory-based PUFs including the ability to resist various security attacks. We also propose a lightweight authentication scheme that ensures robust operation of the PUF across environmental and temporal variations. Extensive authentication tests performed on several PUF prototypes achieved a true-positive rate of greater than 97.5 percent across these variations. The absence of any false-positives, even under an invasive attack, further highlighted the effectiveness of the overall design.
Index Terms-Physically unclonable function, authentication, hardware security, dynamic random access memory, static random access memory, PUF Ç
INTRODUCTION
T HE Internet-of-Things (IoT) is one of the fastest growing technologies across all of computing, revolutionizing a number of application domains such as industrial manufacturing, home automation, wearable computing, etc. Various forecasts project around 50 billion smart devices connected to the IoT by 2020 [1] , [2] . However, this rapid proliferation has brought with it a plethora of new security and privacy concerns. For example, IoT devices frequently access sensitive and confidential information (e.g., physiological signals), which has made them attractive targets for various security attacks [3] , [4] , [5] . Moreover, with the hardware components (integrated circuits, intellectual property cores, etc.) in these systems sourced from manufacturers across the globe, instances of counterfeiting/piracy have increased steadily. Counterfeit components not only have serious reliability implications, but also cause tremendous revenue loss (greater than $100 billion annually) to the electronics industry [6] .
Hardware-intrinsic security mechanisms such as Physically Unclonable Functions (PUFs) [7] offer a secure, lowcost, and robust solution for addressing these challenges. PUFs exploit the random physical variations inherent in the manufacturing process to extract unclonable and instance-specific keys (fingerprints) from a hardware component in an electronic device. By generating keys on demand and eliminating the need for explicitly storing keys in non-volatile memory during deployment, PUFs drastically improve the device's resistance to various attacks. The instance-specific nature of the keys enables us to uniquely identify and authenticate each device [8] based on a challenge-response mechanism, thereby addressing the problems of access control as well as counterfeiting. While a large variety of PUFs have been proposed over the years, memory-based PUFs [9] , [10] , [11] , [12] , [13] , [14] , [15] , [16] , [17] , [18] , [19] , [20] , [21] , [22] , in particular, are attractive options due to the ubiquitous presence of memory in embedded systems (Fig. 1) . Further, they require minimal (or no) additional hardware for their operation, giving them a distinct advantage over other PUF implementations.
Current memory-based PUFs, however, are constructed using a single memory component in the device, i.e., based on a single entropy source. This means that the PUF represents the identity of the component and not that of the system. If the component is removed and transferred to a different system (invasive attack), the identity transfers over as well, which is undesirable. Moreover, the use of a single memory component makes it vulnerable to sophisticated non-invasive attacks [5] . To mitigate these concerns, it is desirable that the PUF be dependent on multiple system components (some of which may be more tightly integrated into the system than others), thereby performing multicomponent authentication. Besides using a single entropy source, several memory-based PUFs also suffer from other shortcomings such as low entropy [16] , [19] and limited number of Challenge-Response Pairs (CRPs) [9] , [11] , [19] .
Recent works [23] , [24] have tried to address a subset of these shortcomings. However, the choice of entropy sources used in these PUF designs renders them unsuitable for multicomponent authentication. They also require the addition of custom hardware to the system and, hence, cannot be implemented using Commercial-Off-The-Shelf (COTS) systems. In this paper, we overcome these limitations by proposing the design of a memory-based combination PUF, henceforth referred to as C-PUF. By tightly integrating heterogeneous memory technologies, C-PUF exhibits high entropy alongside an exponential number of CRPs, and takes the first step towards multi-component authentication in an embedded device. The heterogeneous nature of the entropy sources (memories) used and C-PUF's ability to undergo intrinsic reconfiguration (ability to reconfigure the PUF at runtime without any additional hardware) protects it from various security attacks. C-PUF also features a light-weight authentication scheme to ensure robust operation (authentication) under wide environmental and temporal variations. Specifically, this paper makes the following contributions:
We propose the concept and design of a memorybased combination PUF (C-PUF) that tightly integrates heterogeneous memory technologies to construct a PUF. C-PUF (i) takes a step towards multi-component authentication, (ii) exhibits high entropy and supports a large number of CRPs, (iii) is intrinsically reconfigurable, and (iv) requires minimal or no additional (custom) hardware, hence, can be easily implemented on a COTS device. As a key enabler for authentication using C-PUF, we propose a lightweight scheme that ensures its robust operation under environmental and temporal variations. We also propose two lightweight algorithms that assist the authentication scheme in performing error correction in the generated responses.
We implement, demonstrate, and evaluate several fully-functional prototypes of C-PUF in a real system using two widely-used memory technologies, Static Random Access Memories (SRAMs) and Dynamic Random Access Memories (DRAMs). Extensive authentication tests performed across a wide temperature range (20 C -55 C) and accelerated aging (12 months) achieved greater than 97.5 percent truepositive rate. The absence of any false-positives, even under an invasive attack, further highlights the effectiveness of the overall design. The rest of the paper is organized as follows. Section 2 gives a brief background of various entities that form part of C-PUF's design. This, in turn, sets up the motivation for the work and is presented in Section 3. Next, Section 4 presents the details of C-PUF's design and also discusses the proposed lightweight authentication scheme. Section 5 describes the experimental setup while Section 6 shows the results of the experiments that were performed to validate the design. Section 7 discusses potential attack scenarios and additional design aspects of C-PUF. A summary of prior work is provided in Section 8. Finally, Section 9 concludes the paper.
BACKGROUND
Before describing the proposed design, we provide some requisite background on Physically Unclonable Functions and challenge-response-based authentication. We also discuss the cell structures and PUF mechanisms of two widelyused memories, SRAM and DRAM, that form the basic building blocks of our proof-of-concept implementation. This in turn sets up the motivation for our work.
Physically Unclonable Function (PUF)
A PUF [7] maps a set of challenges to a set of responses based on random physical variations during the manufacturing of a device (containing the PUF). As a result, the challenge-response behavior of the PUF is highly unpredictable. Also, the fact that it is impossible to manufacture a PUF with the same behavior as another makes it unclonable and unique. These features make PUF an ideal candidate for authentication and random number generation [9] , [13] . Randomly generated secret keys are used by various cryptographic applications such as keyed-hash message authentication code (HMAC), encryption/decryption, etc., besides serving as unique fingerprints or signatures that can be used to identify a device. A PUF enables the generation of secret keys on demand rather than permanently storing them in non-volatile memory, drastically reducing the implications of physically invasive attacks. Authentication, described next, can be considered an extension of the above key-generation process but involves a challenge-response mechanism to authenticate the target device.
PUFs have been divided into two broad categories [25] strong PUFs and weak PUFs. Strong PUFs [10] , [13] , [16] , [17] , [22] , [26] can support a very large number of CRPs and are well suited for authentication. On the other hand, Weak PUFs [9] , [11] are primarily used for secret key generation as they support a relatively much smaller number of CRPs.
Challenge-Response-Based Authentication
Authentication can be defined as a process by which a trusted system (authenticator) verifies the identity of an untrusted device (client) before granting it access to any data or resources. It is usually performed using a challengeresponse mechanism [8] , [13] , as depicted in Fig. 2 . The authenticator hosts a service that is restricted to genuine clients only. Note that, in other cases, the authenticator may not host the service itself but only arbitrate access to a server that does. To verify the identity of a client, the authenticator first provides it with a challenge. The client then generates a response to the challenge using its on-board PUF. Prior to this, the authenticator creates a Challenge-Response Pair (CRP) database ( Fig. 2 ) that stores all the challenges and their expected responses from genuine clients. By comparing the current client's response against the one stored in the CRP database, the authenticator infers whether the client is genuine or not. As shown, Client-1 (genuine) passes authentication and is granted access to the service as its response (R 1 ) to the challenge (C) matches with the CRP database. On the contrary, the response (R 2 ) generated by Client-2 (fake) is different from the expected response of a genuine client, and hence Client-2 is not authenticated. Note that, in the present context of device authentication, it is the PUF present inside the client device that responds to the challenges from the authenticator.
SRAM: Structure and PUF Mechanism
Each cell (or bit) in a Static Random Access Memory (SRAM) is arranged in a six-transistor configuration 1 consisting of cross-coupled CMOS inverters (M 1 -M 4 ) and access transistors (M 5 -M 6 ), as shown in Fig. 3 . Powering-up the SRAM causes each cell to reach one of two states, [Q = 1, Q = 0] or [Q = 0, Q=1], depending upon the relative strengths of the transistors as well as noise. Inherent process variations during the manufacturing process cause these strengths to vary across SRAMs (and also within the same SRAM) leading to the data values in every SRAM being different immediately after start-up. This forms the foundation of an SRAM PUF [9] , [11] that follows the power-cycling (power off ! power on ! read SRAM) approach to generate unique start-up values as responses. The challenge, here, specifies the address of the block inside the SRAM from where the start-up value is to be read as well as its size (i.e., number of bits). The bit-value is decided by the charge on the capacitor; full charge implies '1' and no charge implies '0', or vice-versa. This charge leaks over time due to several factors related to the non-ideality of the access transistor and eventually results in the loss of data stored in the cell. This phenomenon is referred to as a bit-flip ('1'!'0' or '0'!'1') in DRAMs. To prevent this, the DRAM memory-controller refreshes the cells (replenishes the charge) periodically (e.g., every 64ms). Due to process variations, the rate of leakage (or bit-flip) varies widely across DRAMs (and within the same DRAM). This forms the basis of the refresh-pausing approach in a DRAM PUF [13] , [16] , [17] , [27] , [28] , in which refresh operations are (intentionally) paused for a certain time-interval, generating unique bit-flip patterns in the DRAM data. This data is then read out and forms the PUF's response. Unlike the SRAM PUF (described above), the parameters in a DRAM PUF's challenge can be extensively varied [13] , supporting an exponential number of CRPs (Section 4.1).
DRAM: Structure and PUF Mechanism
Note that other approaches to realizing SRAM PUFs [10] , [12] , [22] and DRAM PUFs [14] , [15] , [18] have also been developed. However, the power-cycling-based SRAM PUF and the refresh-pausing-based DRAM PUF remain as one of the most popular and widely-adopted in several stateof-the-art systems.
MOTIVATION
Memory-based PUFs require minimal or no additional hardware for their operation as they use components that are already present in most modern embedded systems. As a result, they can be easily implemented on COTS devices, and hence present a distinct advantage over other PUF implementations. However, current memory-based PUFs suffer from several shortcomings, as described below.
Single Component
Current memory-based PUFs use a single memory component (or technology) in their construction, in other words, they are based on a single entropy source (in the system). This means that a PUF represents the identity of the component and not that of the system. Note that some of these components are often loosely integrated into the system (e.g., using a removable/replaceable DRAM SODIMM). As shown in Fig. 5a , an invasive attack may involve (removal and) transfer of one such component to a (different) counterfeit system, transferring the identity as well, and resulting in a successful authentication of the counterfeit system. Moreover, the use of a single memory component in the PUF makes it vulnerable to increasingly sophisticated noninvasive attacks [4] , [5] .
Low Entropy and Few CRPs
To highlight the next shortcoming, we introduce two metrics-entropy and number of CRPs. In the present context of a PUF, entropy [29] manifests itself in the form of-uniqueness and unpredictability. Uniqueness gives a measure of the extent by which one PUF's behavior (response) differs from another (of the same type). Unpredictability, on the other hand, represents the probability of incorrectly predicting the behavior of a PUF. Hence, a PUF with high entropy has both high uniqueness and unpredictability. The second metric, number of CRPs, represents the total number of Challenge-Response Pairs supported by a PUF. As mentioned earlier, strong PUFs support a large number of CRPs, which makes them well-suited for challenge-response-based authentication. Fig. 6 depicts a qualitative comparison of current memory-based PUFs, which were described in the previous section, as per these metrics; a quantitative comparison is presented in Section 6.1. As shown, the (power-cycling-based) SRAM PUF [9] , [11] exhibits high entropy but supports a small number of CRPs due to the existence of very few variable parameters (in its challenge-response mechanism) as well the small extent to which these parameters could be varied because of an SRAM's usually small address-space. Thus, the applicability of the SRAM PUF to challengeresponse-based authentication is severely limited. On the other hand, the (refresh-pausing-based) DRAM PUF [13] , [16] , [17] employs a challenge-response mechanism involving several widely-variable parameters, supporting a large number of CRPs. However, for practical refresh-pause intervals (Section 4.1), the entropy (specifically, uniqueness) exhibited by it is much lower than the SRAM PUF. PUFs based on flash memories [19] , on the other hand, suffer from both low entropy and support for few CRPs.
These shortcomings in current memory-based PUFs motivate the design of C-PUF, which is explained next.
C-PUF DESIGN
C-PUF aims to address the shortcomings of current memorybased PUFs while performing challenge-response-based authentication in a device. Hence, one of the primary motivators behind its design is to (tightly) combine different heterogeneous (memory) components to achieve multi-component authentication in an overall system, as depicted in Fig. 5b . Although there are several choices for these components, we utilized two widely-used memory technologies, SRAM and DRAM, in our prototype implementations. The rationale behind this choice stems from the following observation -an SRAM is usually tightly integrated with the processor and located on the same chip/die, whereas a DRAM is usually more loosely integrated (e.g., as an external SODIMM). As a result, using these memories enables C-PUF to authenticate both an on-chip (SRAM) and off-chip (DRAM) component, thereby taking a key step towards multi-component authentication in a system. Moreover, the spatial distribution (on-chip and off-chip) of the heterogeneous entropy sources (memories) substantially improves C-PUF's ability to resist invasive attacks [3] . Note that an SRAM PUF utilizes the power-cycling approach to generate start-up values as responses. On the other hand, a DRAM PUF's responses comprise of unique bit-flip patterns generated through the refresh-pausing approach. Instead of simply using them in a standalone manner, in C-PUF, we tightly integrate these two approaches, as shown in Fig. 7 . This integration allows the (challengeresponse) behavior of one entropy source to influence that of the other in an unpredictable manner, creating an extremelycomplex overall behavior that can provide substantial resistance to C-PUF against non-invasive attacks [4] , [5] . Also note that the power-cycling and refresh-pausing approaches to SRAM and DRAM PUFs, respectively, were chosen (in the prototype implementations) due to their popularity and wide-adoption in several state-ofthe-art systems. The C-PUF design and the associated authentication scheme are flexible enough to incorporate other approaches as well [10] , [12] , [14] , [15] , [22] . In addition to multi-component authentication, the proposed design also enables C-PUF to exhibit high entropy and support an exponential number of CRPs ( Fig. 6 ), making it particularly suitable for challenge-response-based authentication. Most importantly, all this is achieved while incorporating minimal or no additional hardware, and hence the design can be easily implemented on a COTS device.
We now present the design of C-PUF in detail, beginning with its challenge-response mechanism.
Challenge-Response Mechanism
C-PUF employs a challenge-response mechanism that utilizes both SRAM power-cycling and DRAM refresh-pausing. Fig. 7 presents the complete sequence of operations associated with this mechanism as well as the formats of the challenge and response. Note that while some parameters in the challenge are SRAM-specific, others are DRAM-specific except Id, which represents a unique identifier assigned to a challenge and its corresponding response. These operations are now explained in detail.
[1] First, the authenticator sends a challenge to C-PUF in the proper format, as depicted in Fig. 7 .
The SRAM undergoes power-cycling to generate a start-up value of Size_S bits from a block beginning at address Addr_S.
[3] The start-up value is then corrected for bit-errors in the SRAM Error Correction stage with respect to a previously generated golden (or expected) start-up value, as described in detail in Section 4.2. The information required for this correction is contained in the Error-correction data field of the challenge and is generated (prior to this) during the enrollment phase (explained later in Section 4.4). Note that Errorcorrection data contains information for both SRAM and DRAM error correction. The SRAM/DRAM Error Correction stages are responsible for generating their respective error-correction data as well as performing actual error correction; this shall become clearer in the following paragraphs. [4] The XOR stage repeatedly applies the (bit-wise) mathematical operationxor to the corrected start-up value (CV), generated in the previous stage, and Bitstream_C; Bitstream_C is a random binary sequence of Size_D bytes and is xor-ed across its entire length with CV.
[5] The xor-ed value then moves to the HASH stage, where it is broken down into equally-sized chunks (e.g., 32 bytes), each of which undergoes a mathematical hash operation using SHA-256. The output from each chunk is concatenated together to form the complete hash-ed value (HV). Hashing helps to mask the SRAM start-up value and adds another layer of protection against attacks. [6] HV is applied to the DRAM alongside other parameters viz. Addr_D, Size_D, Wrapper pattern, and Refreshpause interval, to undergo refresh-pausing; we follow a similar methodology as described in [13] in this stage. Specifically, the HV (of Size_D bits) along with the peripheral data, specified by Wrapper pattern, is first written onto a block in the DRAM, whose location is specified by Addr_D. Wrapper pattern is an interesting parameter that was introduced in [13] . It specifies the peripheral data-bits that are written just before the beginning and after the end of the DRAM block, and influences the bit-flip patterns or responses from the DRAM. It can be one of several predefined types, e.g., all '1's, all '0's, checkered, etc. Next, refresh operations to the DRAM are paused for a certain amount of time viz. Refresh-pause interval, followed by reading of the data (from the same block) containing the bit-flip patterns. [7] The readout data undergoes error correction in the DRAM Error Correction stage to account for the biterrors caused during the DRAM's response generation. Similar to SRAM error correction, the information required for this correction is also contained in the Error correction data field of the challenge and is generated (prior to this) during the enrollment phase. [8] The error-corrected DRAM response, Bitstream_R, along with the identifier, Id, comprises the (final) C-PUF response that is sent back to the authenticator. As evident, the SRAM and DRAM Error Correction stages play a pivotal role in C-PUF's challenge-response mechanism. We describe these in detail over the next two sections. 
SRAM Error Correction
SRAM start-up values are affected by environmental and temporal variations, which could hinder C-PUF's ability to perform authentication successfully. To demonstrate the impact of one such variation viz. temperature, we generated start-up values from eight different blocks (32 Bytes in size) each belonging to two different SRAMs and at three different temperatures -20 C, 40 C, and 55 C. Fig. 8 shows the difference, in terms of Hamming Distance (HD), between the start-up values generated at the three temperatures for each of the blocks. The 20 C versus 20 C comparison involves two different start-up values generated at the same 20 C temperature. It can be seen that the difference is as high as 113 bits ($44 percent) between the start-up values generated at 20 C and 55 C for the block numbered 4 in SRAM-1. Hence, temperature variations adversely affect the SRAM's ability to reproduce the same values, which is crucial to performing successful authentication across a wide temperature range. Moreover, the proposed design utilizes a mathematical hash (SHA-256) function to scramble the SRAM start-up values and, hence, even a single bit-error could result in a completely different bitstream being subsequently applied to the DRAM (step [6] ) in Fig. 7 ). Therefore, the start-up values need to undergo perfect error-correction, i.e., all bit-errors must be corrected before moving on the next-stage (XOR). To keep the SRAM/DRAM error-correction infrastructure simple, we utilize one of the most widely-used error-correction codes in memories viz. Hamming Encoder/Decoder (HED). However, we observed that (even n = 7, k = 4) HED was not sufficiently strong to achieve perfect error-correction in some of the SRAMs across a wide temperature range. Hence, we complement HED with our proposed error-correction scheme, which utilizes minimal computational and storage resources. Specifically, the start-up values from SRAM first undergo errorcorrection using HED (with n = 15, k = 11), followed by the proposed scheme. The scheme (explained next) comprises of two algorithms, Algorithms 1 and 2, that deal with the generation of error-correction data and performing actual error correction, respectively. Empirical analysis showed that the scheme can correct ðN À 1Þ=2 bits in every N bits (N is an odd integer). We used N ¼ 7 in our experiments, and hence achieved a maximum fixable error-percentage of 42.8 percent. Note that other error-correction schemes could also be utilized; this is orthogonal to the core idea of this paper.
Algorithm 1. Generation of SRAM Error-Correction Data
Input: V exp = Golden (expected) start-up value from SRAM, N = Number of bits in a segment Output: D = Error correction data
Generation of SRAM Error-Correction Data
Algorithm 1 is utilized by the SRAM Error Correction stage to generate the data that is subsequently used for correcting errors in the SRAM start-up values. Note that the error correction data is always generated with respect to the golden (expected) start-up value. Algorithm 1 starts by dividing the golden start-up value into smaller segments; a segment comprises of a fixed number of bits, N (¼ 7, used here). Each segment is then assigned a representative bit-value depending upon the relative number of one-bits and zero-bits in the segment. The representative bit-value is then expanded to form representative segment; the latter is xor-ed with the segment to generate the correction data for that particular segment. This data from each segment is subsequently combined to form the final error correction data.
SRAM Error Correction and Generation of Representative Start-Up Value
Algorithm 2 is also utilized by the SRAM Error Correction stage and uses the data generated earlier (Algorithm 1) to perform error correction in SRAM start-up values. It starts by dividing the erroneous start-up value (after HED correction) into smaller segments of the same size as in Algorithm 1 (N ¼ 7 bits). Each segment is then xor-ed with its respective correction data to generate the corrected segment. The relative number of one-bits and zero-bits in a corrected segment decides its representative bit-value. All the representative bitvalues are then combined to form the representative start-up value of the SRAM. Note that this representative start-up value is what we refer to as the corrected start-up value (response) of the SRAM throughout the paper; it is propagated to the XOR stage, as shown in Fig. 7 (step [4] ).
DRAM Error Correction
DRAMs are highly susceptible to environmental and temporal variations. To demonstrate the impact of one such variation viz. temperature, we generated DRAM responses from eight different blocks (128 KB in size) each belonging to two different DRAMs and at three different temperatures -20 C, 40 C, and 55 C. Note that all the DRAM-specific parameters in the challenge were kept constant except for Addr_D, which was varied as per the block. Fig. 9 shows the difference, in terms of HD, between the responses generated at the three temperatures for each of the blocks. The 20 C versus 20 C comparison is not shown here as the corresponding HD values are very close to zero. It can be seen that the difference is as high as 5200 bits between the responses generated at 20 C and 55 C for the block numbered 2 in DRAM-1. Thus, the DRAM responses need to be corrected for bit-errors before being sent out to the authenticator as the final response (step [7] in Fig. 7 ). However, unlike the SRAM, perfect error correction is not required as we employ a fuzzy authentication strategy (described in detail in Section 4.4) at the authenticator end to determine the outcome of the authentication process. Hence, we utilize just the Hamming Encoder/Decoder for DRAM error correction in our design. The strength (specified by < n,k > ) of the HED utilized depends upon the particular DRAM module as well as environmental factors; this is described in detail in the following section.
Algorithm 2. SRAM Error Correction and Generation of Representative Start-Up Value
Input: V err = Erroneous start-up value from SRAM (after Hamming Encoder/Decoder correction) to be corrected and converted to V rep , N = Number of bits in a segment, D = Error correction data generated from expected (golden) start-up value
Next, we present the proposed scheme that is utilized for performing authentication using C-PUF. An important step associated with this scheme is the setting of appropriate Match Threshold value, which determines the (authentication) outcome at the authenticator's end. This is also described in detail in the following section.
Authentication Using C-PUF
Two distinct phases are associated with the proposed authentication scheme involving C-PUF-enrollment phase and authentication phase, as shown in Fig. 10 . Both phases utilize the same challenge-response mechanism (described earlier in Section 4.1) for response generation but differ in their objectives. The enrollment phase primarily deals with the generation of the CRP database by subjecting C-PUF to different challenges and recording the generated responses. These responses serve as the golden responses (or expected responses); C-PUF needs to reproduce them later in order to be successfully authenticated. Also, during this phase, data for subsequent error correction is derived from the golden start-up values of the SRAM as well the golden responses from the DRAM. Next, actual authentication of C-PUF happens during the authentication phase, where it is subjected to the same challenges and is expected to reproduce the golden responses. Also, the error-correction data, generated during the enrollment phase, is used here to correct the bit-errors in the SRAM start-up values and the DRAM responses. Finally, the corrected DRAM response is sent to the authenticator, which employs the proposed authentication scheme (based on a fuzzy strategy [13] ) to determine the outcome of the authentication process. At the core of this scheme is Match Threshold (MT), which represents the maximum Hamming Distance by which a response generated during the authentication phase can differ from the golden response, and still result in successful authentication. This is particularly relevant in a memory-based PUF since it is affected by environmental and temporal variations and, hence, an exact match of the responses may not happen even if the PUF is genuine. Accordingly, C-PUF is successfully authenticated only if this HD is less than or equal to the MT value. Note that C-PUF may be expected to operate across a wide range of conditions, e.g., temperature, aging, etc. Hence, given an operating range, there are usually multiple points where C-PUF undergoes the enrollment phase; we refer to these as the enrollment points (E P s). For example, for temperature, we set the E P s at 30 C and 50 C for a sample operating range of [20 C, 55 C] . Similarly, the specific points where C-PUF could possibly undergo the authentication phase are referred to as the authentication points (A P s); the set of all A P s comprises the (complete) operating range. An important question, however, needs to be answeredwhich E P should be chosen for an A P during response comparisons at the authenticator? We answer this by mapping a set of A P s to each E P . In the current implementation of C-PUF, all the A P s in the range-[20 C, 40 C] and (40 C, 55 C] are mapped to E P = 30 C and 50 C, respectively. Hence, a response generated during authentication at A P = 55 C should be compared with the corresponding golden response generated at E P = 50 C to determine the authentication outcome. As mentioned earlier, Match Threshold plays a key role in determining this outcome; we describe the mechanism behind setting its value in the following section.
Note that, due to the exponentially large CRP space of C-PUF, it could be infeasible to store all the CRPs at the authenticator. Hence, we propose that enrollment is performed for a (small) subset of the total CRPs at a time and stored in the CRP database at the authenticator. Once all the challenges in the subset are used-up (for authentication), the C-PUF could undergo enrollment again, generating a new subset. Note that the size (number of CRPs) of the subset could be specified by the user/ authenticator depending upon several factors such as the frequency of authentication, storage space available at the authenticator, etc. 
Setting the Match Threshold (MT) Value
In a practical scenario, the operating conditions during the authentication phase could be very different from that of the enrollment phase. As a result, the responses generated during authentication could widely differ (beyond the MT value) from the corresponding golden responses even after undergoing error correction. This could lead to failed authentication for a genuine C-PUF device. Hence, setting the appropriate MT value is an extremely important step in the C-PUF design cycle. It should be set such that the resulting HD from the response comparisons is less than or equal to it for the genuine device. Hence, in the proposed design, MT is a function of the operating conditions during authentication, e.g., temperature, aging, etc. Moreover, the bit-flip behavior varies substantially across different DRAMs under these operating conditions, as was depicted in Fig. 9 for two such modules at different temperatures. Note that, in the C-PUF design, it is the DRAM's response that serves as the final response and undergoes comparison with the golden response. Hence, MT is also a function of the DRAM module present inside C-PUF.
Setting the MT value begins with choosing the appropriate DRAM error-correction (strength, specified by < n, k > for HED). Specifically, for a given range of operating conditions, we need to choose the error-correction to be employed at each of the enrollment points (E P s). To do this, C-PUF is first made to go through the enrollment phase at an E P using a set of sample challenges (details in Section 4.4.2). This is followed by the authentication phase at the corresponding A P s. The initial difference (without DRAM error correction), D Init , between the responses during authentication and the corresponding golden responses is recorded for each A P . Next, the error-correction is set such that it is strong enough to bring this difference to less than P% of D Init for every A P ; P is an user-specified parameter. So, for each A P ,
In the current design, the P value was set at 10. Finally, the MT value at the A P is calculated as,
ceilðÞ rounds up the value to the nearest higher integer. The whole process is repeated till all the E P s are covered. Fig. 11 depicts the complete process of setting the MT value in the form of a flowchart. Tables 5 and 6 (in Section 6), list the error-correction (strengths) and MT values for several C-PUF instances at different sample A P s. As shown for PUF-1, we choose HED with a strength of < 31; 26 > for E P = 30 C, which caters to A P = 20 C, 30 C, and 40 C. On the other hand, E P = 50 C, which caters to A P = 50 C and 55 C, utilizes HED with a strength of < 15; 11 > . Note that a set of A P s could use the same MT value, for example, all A P s in the range [20 C, 25 C] could use the MT value corresponding to A P = 20 C. Another important parameter in the C-PUF authentication methodology is maximum corrected bits or B Max , specified inside square brackets in Table 6 . B Max sets an upper limit on the maximum number of bits that are corrected in the response generated from the DRAM in the DRAM Error Correction stage (step [6] in Fig. 7 ) during authentication. For each A P , Note that B Max information is contained in the Error-correction data field of the challenge, which is sent to C-PUF during authentication. This parameter is introduced to protect against a certain kind of attack that, we envision, could be mounted on a C-PUF device containing DRAM in the form a removable/replaceable SODIMM. Assuming an attacker has physical access to the device, he/she may be able to replace the DRAM SODIMM with a counterfeit one. During authentication, the DRAM Error Correction data, without the knowledge of the underlying counterfeit DRAM, would try to correct the response of the counterfeit DRAM and bring it closer to the genuine response. Without an upper bound on the maximum number of corrected bits, the HD between the responses could go below the specified MT value, resulting in successful authentication. To prevent such a scenario, C-PUF restricts the error correction to the value specified in B Max . In an actual setting, a red flag could be triggered by the device whenever the number of corrected bits reaches B Max , prompting the authenticator to take action, e.g., re-initiate authentication. Note that, similar to MT, B Max takes into account the behavior of the (genuine) DRAM module as well the current operating conditions. A case-study involving the envisioned attack is presented through experiments in Section 6.4.
DRAM Error Characterization
The previous section presented the methodology for setting the appropriate DRAM error-correction as well as MT, both of which require a good understanding of the DRAM (bitflip) behavior under different operating conditions. We achieve this by performing DRAM error characterization, which was introduced in [13] , [17] . It involves an iterative process where the DRAM is subjected to a set of sample challenges under different operating conditions and made to undergo refresh-pausing to generate the responses. The sample challenges are constructed by varying the different parameters/factors that affect a DRAM, e.g., Bitstream_C, refresh-pause interval, wrapper pattern, etc. Table 1 presents the values of these parameters and operating conditions. An analysis of the generated responses follows, giving us vital insights into the DRAM's behavior. Note that DRAM error characterization presents a one-time overhead only since it needs to be performed once by the designer. Apart from these benefits, it also helps to identify the minimum refreshpause intervals for a DRAM module (or a particular block) that meet the entropy requirements. This, in turn, helps to ensure low operational latency in the design.
Next, we present a design feature of C-PUF that imparts substantial protection against security attacks.
Intrinsic Reconfigurability
Reconfigurability refers to the ability of a PUF to undergo reconfiguration, i.e., modify its challenge-response behavior. The new behavior, which is unpredictable and cannot be modeled based on the knowledge of the behavior prior to reconfiguration, can substantially enhance the PUF's ability to resist various attacks [3] , [4] , [5] . The proposed design achieves reconfigurability in C-PUF intrinsically, i.e., without using any additional resource, unlike [30] . It specifies two modes of reconfiguration in C-PUF -SRAM reconfiguration and DRAM reconfiguration. SRAM reconfiguration involves changing Addr_S in the challengeresponse mechanism, generating (new) start-up values from a different block in the SRAM. DRAM reconfiguration, on the other hand, modifies the Refresh-pause interval, generating new bit-flip patterns from the same DRAM block. Hence, by entering one or both reconfiguration modes, C-PUF can undergo reconfiguration intrinsically and start behaving as a new PUF, as shown through experimental results in Section 6.5. Note that (unlike other parameters) the reconfiguration knobs, Addr_S and Refresh-pause interval, need not vary across different challenges (or authentication runs) except when there is a need for reconfiguration. Also, since the SRAM address space is usually small and could be easily exhausted, we envision that C-PUF would undergo more DRAM reconfigurations than SRAM reconfigurations, as depicted in Section 6.5.
EXPERIMENTAL SETUP
This section provides a brief description of the experimental setup used to validate the C-PUF design. It consists of two Terasic TR4-230 development boards [31] , each containing an Altera Stratix IV GX FPGA, 2 MB SRAM, and 1 GB DDR3 DRAM SODIMM. The SRAM is soldered into the boards and cannot be replaced, unlike the DRAM. Hence, to emulate multiple (five) C-PUF instances, we also used the 16 KB SRAMs in three TI MSP4305438A micro-controllers. Altogether, a total of five C-PUF instances were constructed for validation, each consisting of an SRAM and a DDR3 DRAM SODIMM. As shown in Table 2 , the SRAMs belonged to two different manufactures while the DRAMs were procured from three different manufacturers. Experiments pertaining to varying operating conditions viz. temperature and aging, were performed by operating the TR4-230 development boards inside the Quincy Lab 12-140E Incubator. Fig. 12 shows the complete experimental setup.
The FPGA was programmed with a soft Nios II processor [32] along with an Altera UniPHY DDR3 memory controller for controlling the DRAM. A custom slave running on the processor was also created, which can instruct the memory controller to pause the DRAM refresh operations. To prevent interference to other running applications (on the device), one could utilize the Partial Array Self-Refresh functionality available in LPDDR DRAMs, which allows selective modification (increase) of the refresh-pause interval for a portion of the DRAM (used by C-PUF) [33] . Alternatively, techniques such as selective DRAM refresh and memory ballooning [26] could also be utilized. Similarly, for PUF-1 and PUF-2 that use the SRAM on the TR-230 board, the start-up values were generated by power-cycling the whole board. Alternatively, one could either adopt the mechanism described in [34] that does not require powercycling to generate start-up values or utilize power-gating techniques targeting only the SRAM. For the remaining PUFs, PUF-3 -PUF-5, the SRAM start-up values were generated on a different platform and subsequently transferred to the TR-230 board in real-time. Also, in these proof-of-concept implementations, the operations in the SRAM/DRAM Error Correction, XOR, and the HASH stages were carried out using software (or firmware) executing on the Nios II processor. Alternatively, dedicated on-chip hardware such as a cryptographic engine, ECC for memories, etc., could be utilized either as already-available units or by adding them to the system. Note that the generic architecture of C-PUF, described in this paper, is independent of any specific implementation.
Implementation Overhead and Performance
The C-PUF instances, described above, utilized off-the-shelf (memory) modules already present in an embedded system. Moreover, the various operations-SRAM/DRAM Error Correction, XOR, and the HASH stages were carried out using software (or firmware) executing on the Nios II processor. Hence, there is no additional HW overhead in the current implementation. However, there is some latency overhead, which we present in the form of authentication response time.
The latter, which could be used as a performance metric, represents the time taken by C-PUF to generate an authentication decision, i.e., the time interval between the application of a challenge and the generation of the (final) response during an authentication phase (Section 4.4). There are three primary contributors to the authentication response time. The first one is SRAM power-cycling, which is used to generate the startup values. This process is very fast and takes only a few milliseconds. The second one comprises the various operations performed using software, viz. SRAM/DRAM Error Correction, XOR, and the HASH. The total execution time for these is in the order of a few hundred milliseconds. The third contributor, which most affects the authentication response time, is DRAM refresh-pausing. This process is relatively much slower ($seconds), as shown through the refresh-pause interval parameter values in Table. 3. Therefore, in the current implementation, the authentication response time is primarily the refresh-pause interval (value) used in the challenge. As described in Section 4.4.2, DRAM error characterization can identify the minimum refresh-pause intervals for a DRAM module (or block) that meet the entropy requirements. This could help to ensure low authentication response time in the design.
RESULTS
This section presents the results obtained from experiments conducted to validate our work. It is broadly divided into five sections. In the first two, we analyze the C-PUF design in the light of entropy and number of CRPs, while also comparing it with SRAM and DRAM PUFs. Next, the robustness of the design is showcased through exhaustive authentication tests pertaining to wide temperature variations and aging effects. Thereafter, we emulate an invasive attack on C-PUF and analyze its ability to resist the same. Finally, we present a sample timeline of C-PUF's operation to highlight intrinsic reconfigurability in its design. Table 3 provides a summary of the parameter values (in challenges) used in the different experiments.
Entropy Analysis
As described earlier (Section 3), entropy manifests itself in the from of uniqueness and unpredictability. Hence, we analyze C-PUF in the light of these two qualities and compare it with an SRAM PUF and a DRAM PUF.
Uniqueness
The ability of a PUF in generating unique responses (or fingerprints) forms the very foundation of challenge-responsebased authentication. In the present work, we quantify uniqueness for a PUF as the percentage of bits that are different in the PUF's response when compared to another (same-type) PUF's response. To demonstrate the uniqueness of the responses generated by the proposed design, five C-PUF instances (PUF-1 -PUF-5) were each subjected to ten different challenges at 20 C. Table 3 provides a summary of the parameter values used in the challenges. Note that, unlike during DRAM error characterization, the Bitstream_C field in the challenges consisted of a random sequence of bits, generated using a pseudo-random number generator. Next, for every challenge, the responses (128 KB) generated by one instance was compared against the ones generated by every other instance. Fig. 14a shows the range and average uniqueness resulting from these comparisons for each of the instances. As described in Section 4, C-PUF generates the responses by xoring (in XOR stage) and hash-ing (in HASH stage) the start-up value of the SRAM and subsequently applying it to the DRAM. Hence, one may argue that the uniqueness of the responses generated by C-PUF is contributed by the hash (SHA-256) operation only and the not by the rest of the design. Hence, we generated the responses both with and without the hash operation, as depicted in Fig. 14a . Note that, with the hash operation, response generation follows the generic flow described earlier in Section 4. As shown, a high average uniqueness value of 50 percent (524,288 bits) was obtained for each of the instances, which shows that the instances truly exhibit unique behavior. Due to limited spread of the minimum and maximum values, the range is not shown for this case. Next, without the hash operation, the responses were generated by skipping the HASH stage altogether, i.e., by directly applying the xor-ed start-up value of the SRAM to the DRAM; the resultant comparisons are also shown in Fig. 14a . The average value of 25 percent (337,600 bits) across the instances highlights the uniqueness inherently provided by the C-PUF design. This uniqueness can be visually perceived through Fig. 13 that gives a pictorial representation of the responses generated by the C-PUF instances (with the hash operation) when subjected to the same (one) challenge; each response is a fingerprint of the device containing the instance.
To further showcase the enhanced uniqueness provided by C-PUF, we also compared it with that of an SRAM PUF and DRAM PUF. Using the same memory modules (present in the C-PUF instances), five SRAM PUFs and DRAM PUFs (each) were constructed. Next, these were subjected to the same ten challenges (at 20 C), followed by a similar comparison of the generated responses. Note that the DRAM-specific parameters in the challenges were ignored when generating responses from an SRAM PUF and vice-versa. Also, the response size for an SRAM PUF and DRAM PUF was 32 B and 128 KB, respectively, which is the same as was generated by the respective memory modules in a C-PUF instance. As described earlier, SRAM PUFs exhibit high uniqueness, which is evident in Fig. 14b with an average uniqueness value of 49 percent. On the contrary, the uniqueness exhibited by DRAM PUFs is comparatively much lower (by more than three orders of magnitude), as depicted in Fig. 14c . Hence, for uniqueness, C-PUF closely resembles an SRAM PUF but substantially improves over a DRAM PUF.
Unpredictability
In the present work, we quantify unpredictability as the probability of incorrectly predicting a PUFs response to an unknown challenge with the knowledge of a certain number of (previously-used) CRPs. Ref. [35] captured this notion by investigating the extent of change in the responses when the corresponding challenges were varied by a certain number of bits. We followed a similar methodology and changed the challenges by just one bit. The change observed in the corresponding responses gave us an estimate of the unpredictability in C-PUF. However, as depicted in Fig. 7 , C-PUF's challenge has several variable parameters. The unpredictability analysis was performed for each of these parameters, however, due to lack of space, we discuss and present the results for three of these-Addr_S, Addr_D, and Bitstream_C. Table 4 presents the results of the analysis.
Addr_S specifies the (starting) address of the SRAM block that undergoes power-cycling to generate the start-up values. Five addresses or blocks were (randomly) selected and used to construct five master challenges. Each master challenge has one of the selected addresses as Addr_S; the rest of the parameters (Table 4 ) were chosen randomly but were fixed across all the master challenges. Next, we generated the set of all possible challenges (derived challenges) that differ in just one bit from the master challenge in the Addr_S parameter (i.e., Hamming Distance, HD = 1). Thus, five different sets of derived challenges were generated, each corresponding to a master challenge. Next, C-PUF was subjected to these challenges at 20 C, generating five master responses and five sets of derived responses. In each set, the derived responses were then compared with the master response to generate the HD Response . As shown in Table 4 , changing just one-bit in the challenge changed the response by 524,244 bits (average). Thus, even with the knowledge of a certain number of CRPs, it is near impossible for an attacker to predict the response to a challenge that differs in even one bit from the CRPs.
Addr_D specifies the (starting) address of the DRAM block that undergoes refresh-pausing to generate the bit-flip patterns. Unpredictability analysis was performed by following a similar methodology as with Addr_S (described above). However, in this case, five random DRAM addresses or blocks were used to construct the master challenges, and the derived challenges were generated such that they differ from the master challenge in the Addr_D parameter in just one bit. As shown in Table 4 , changing just one bit in the challenge changed the response by 68 bits (average). Thus, the unpredictability associated with Addr_D is comparatively lower than Addr_S and is indicative of the low entropy/uniqueness of a (refresh-pausing-based) DRAM PUF. However, even with just a one-bit difference in the challenge, the attacker still needs to guess the value and position of (an average) 68 new bits (out of 128 KB), of which there are 128Â1024Â8 C 68 Â 2 68 different possibilities. Moreover, an increase in operating temperature leads to an exponential change and would only make the attackers job more difficult. Hence, C-PUF offers high unpredictability with respect to Addr_D too. Bitstream_C is a random binary sequence that, after undergoing xor and hash with the SRAM start-up values, is written onto the DRAM for refresh-pausing. Following a similar methodology as with the previous two parameters, five random bitstreams were generated to construct five master challenges. The derived challenges were then generated such that they differ from the master challenge in the Bitstream_C parameter in just one bit. As shown in Table 4 , changing just one bit in the challenge changed the response by 167 bits (average). As with Addr_D, the unpredictability associated with Bitstream_C is comparatively lower than Addr_S and is indicative of the low entropy/uniqueness of a (refreshpausing-based) DRAM PUF. However, even with just a one-bit difference in the challenge, the attacker still needs to guess the value and position of (an average) 167 new bits (out of 128 KB), of which there are 128Â1024Â8 C 167 Â 2 167 different possibilities. As before, an increase in operating temperature leads to an exponential change and would only make the attackers job more difficult. Hence, C-PUF also offers high unpredictability with respect to Bitstream_C.
CRP Analysis
C-PUF supports an exponential number of CRPs that makes it suitable for challenge-response-based authentication. To better explain this, we first estimate the number of CRPs supported by an SRAM PUF and a DRAM PUF. We assume the same memory configuration as used in the experiments -2 MB SRAM and 1 GB DRAM, generating 32 B and 128 KB responses, respectively. Accordingly, the number of CRPs supported by the SRAM PUF is N S , where N S ¼ 2 16 and represents the number of 32 B blocks in a 2 MB address-space. Unlike an SRAM PUF, the challenge applied to a DRAM PUF (block) consists of several widely-variable parameters, as explained in Section 4.1. One such parameter is Bitstream_C, which is a random binary sequence of Size_D. Note that Size_D also specifies the size of the DRAM block (128 KB, here). Hence, the total number of ways Bitstream_C could be varied is of the order of 2 128Â1024Â8 . With a 1 GB DRAM module (containing 2 13 blocks) and three possible values for Wrapper patterns and Refresh-pause intervals each, the total CRPs supported by the DRAM PUF equals N D , where N D ¼ 2 128Â1024Â8 Â 2 13 Â 3 Â 3. As described earlier, C-PUF tightly integrates the response generation mechanisms of an SRAM PUF and a DRAM PUF, and hence it supports a total of N C CRPs, where N C ¼ N S Â N D or 2 1;048;608 . Thus, it supports an exponential number of CRPs, which is ideal for challenge-response-based authentication.
Robustness Analysis: Authentication under
Varying Operating Conditions Robustness of a system can be broadly defined as its ability to withstand or function normally under varying environmental and temporal conditions. In the present context of PUF-based authentication, it refers to the PUF's ability to undergo successful authentication under different operating conditions, primarily determined by temperature and aging. We now present a robustness analysis of the proposed C-PUF design.
Authentication under Temperature Variations
As shown earlier in Figs. 8 and 9 , variations in operating temperatures can strongly affect the PUF's responses, thereby hindering its ability to perform authentication. However, through the proposed C-PUF design and the associated authentication scheme, we address this challenge successfully. We demonstrate this for a sample operating range of [20 C, 55 C]. Note that the design is not restricted to this particular range and could easily scale to accommodate wider ranges. As the first step, 100 different challenges were applied to each of the C-PUF instances at two different enrollment points (E P s) -30 C and 50 C. The generated responses served as the golden responses and were stored in the CRP database. Next, to emulate an actual scenario, authentication was performed at five different authentication points (A P s)-20 C, 30 C, 40 C, 50 C, and 55 C, by reapplying the same challenges to the instances. Note that, E P = 30 C and E P = 50 C cater to the lower three and upper two A P s, respectively. Table 5 lists the error-correction utilized for each of the C-PUF instances at different E P s. Next, at each A P , the responses of the C-PUF instances generated during authentication were compared with their respective golden responses to calculate the intra-puf comparison HD, as shown in Fig. 15 . The y-axis represents relative frequency, i.e., the fraction of the total comparisons, either intra-puf or inter-puf (explained later), that yields a certain HD, represented on the x-axis. Table 6 gives the MT values, which were used to determine the authentication outcome, for each of the instances at different A P s. The numbers in square brackets represent the maximum corrected bits, B Max , which was used to restrict the error correction during authentication. Note that the appropriate error-correction as well as MT values, used throughout the experiments, were set using the methodology described earlier in Sections. 4.4.1 and 4.4.2. Overall, the experiments resulted in 2438 successful authentications (out of 2,500), i.e., a true-positive rate of 97.5 percent.
The C-PUF design also avoids any false-positives; an authentication outcome is termed as a false-positive when a counterfeit device is successfully authenticated as a genuine one. In the current design, this could happen when the response generated during authentication by a counterfeit C-PUF instance (say PUF-X) is very close to the golden response of a genuine instance (say PUF-Y), resulting in PUF-X getting falsely authenticated as PUF-Y. To emulate this scenario, we performed inter-puf comparisons, i.e., the golden responses of a C-PUF instance were compared with the responses generated during authentication of every other instance. Fig. 15 shows the relative frequency versus HD for the inter-puf comparisons corresponding to the same 100 challenges and operating conditions. Altogether, a total of 10,000 inter-puf comparisons were carried out. At each A P , the HD resulting from inter-puf comparisons was multiple orders of magnitude higher than the MT value (corresponding to the genuine instance), thus ensuring the absence of any false-positives.
Authentication under Aging Effects
PUFs, like all electronic components, undergo structural degradation over prolonged use, severely affecting their reliability. Hence, robustness to temporal variations (aging effects) is a much-desired attribute in any PUF design. To show that C-PUF is robust to aging affects, we first applied 100 different challenges to two of the C-PUF instances (PUF-1 and PUF-2) at 30 C, and recorded the corresponding golden responses. Next, the instances underwent an accelerated aging process [36] through the application of thermal stress. Specifically, a temperature of 85 C was applied to the instances for 460 hours. To avoid damage to the TR-230 boards from prolonged exposure to high temperature, the aging process was carried out in parts, i.e., the high temperature was applied for 12 hours followed by a cooling time of 4 hours. The Arrhenius equation, typically used for predicting reliability/failure rates, was used to calculate the acceleration factor (AF ) resulting from the applied thermal stress [37] . As per the Arrhenius equation,
where, AF = Acceleration Factor E a = Thermal Activation Energy (value used = 0.5 eV [36] ) k = Boltzmann's Constant (8.63 x 10 -5 eV/K) T use = Use Temperature (value used = 303 K (30 C)) T stress = Stress Temperature (value used = 358 K (85 C)) Using these values, AF was calculated to be $19. Since the thermal stress was applied for 460 hours, this translates to 8740 (19 Â 460) hours or 12 months of natural aging at 30 C. The responses were then generated from the aged instances during authentication (with the same challenges and at 30 C) and compared with the golden ones. Fig. 16 shows the relative frequency versus HD for both intra-puf and inter-puf comparisons. Generally, aging has a much lesser effect on the response-generation process as compared to temperature. In other words, the responses are primarily influenced by temperature and, hence, we set the MT values as per the 30 C enrollment point in Table 6 . This resulted in 198 successful authentications (out of 200), i.e., a 99 percent true-positive rate, and without any false-positives.
Replacing Genuine DRAM with a Counterfeit
Several embedded systems contain DRAMs in the form of Dual In-line Memory Modules (DIMMs) that (unlike SRAMs, which are physically soldered) could be easily detached from the system. An attacker with physical access to the system may be able to replace the genuine DIMMs with counterfeit ones, and then try to undergo authentication. This scenario was emulated using two C-PUF instances, PUF-2 and PUF-4, which represented the genuine systems. First, PUF-2 was made to undergo enrollment at two different E P s -30 C and 50 C, and the corresponding golden responses were recorded; a set of ten different challenges was used in this process. This was followed by authentication at two different A P s -40 C and 55 C, which were catered to by E P = 30 C and 50 C, respectively. The responses generated during authentication were then compared with the corresponding golden responses; these comparisons are termed as genuine-puf response comparisons. Next, a counterfeit PUF, PUF-2C, was built by replacing the DRAM in PUF-2 with the one in PUF-4. Hence, PUF-2C now had the same SRAM as PUF-2 but contained a different (counterfeit) DRAM. Note that the DRAM in PUF-4 was chosen as the replacement in order to emulate the worstcase scenario; the DRAMs (originally) in PUF-2 and PUF-4 have the same make and architecture. The same set of challenges were then applied to PUF-2C, followed by a comparison of the generated responses and the corresponding golden responses (of PUF-2); these comparisons are termed as counterfeit-puf response comparisons. Fig. 17 presents the relative frequency versus HD for both genuine-puf and counterfeit-puf response comparisons. To determine the authentication outcome, we used the MT values corresponding to PUF-2, as specified in Table 6 . This resulted in unsuccessful authentication for each of the challenges and A P s; in other words, the C-PUF design was able to detect the counterfeit PUF and prevent any false-positives. To further emphasize this ability, we built another counterfeit PUF, PUF-4C, which had the same SRAM as PUF-4 but contained the DRAM from PUF-2. The above-described process was repeated, and the resulting comparisons are depicted in Fig. 18 . As before, the counterfeit PUF was detected in each case and no false-positives were generated. 
Intrinsic Reconfigurability: A Sample Timeline
The ability to be intrinsically reconfigured, i.e., modify its challenge-response behavior, can provide C-PUF substantial protection against various attacks (Section 4.5). As described earlier, there are two reconfiguration knobs -Addr_S (SRAM reconfiguration) and Refresh-pause interval (DRAM reconfiguration). To demonstrate that C-PUF's behavior does undergo substantial modification, we reconfigured a C-PUF instance several times and applied the same challenge to it after each reconfiguration. This is depicted in a sample timeline (T 1 -T 8 ) in Fig. 19 , where the instance undergoes a series of DRAM and SRAM reconfigurations. The temperature during the whole process was maintained at 20 C. The difference (in terms of HD) between the response generated after a particular reconfiguration and the one generated after the last SRAM reconfiguration is represented by the x-axis in Fig. 19 . For example, the response generated after the DRAM reconfiguration at T 5 differs from the one generated after the SRAM reconfiguration at T 3 by more than 600 bits. This difference increases to more than 500,000 bits for the two SRAM reconfigurations at T 3 and T 6 . Although not depicted in Fig. 19 , the choice of the Refresh-pause intervals ensures that there is also a substantial difference (that meet entropy requirements) between the responses generated after consecutive DRAM reconfigurations (e.g., at T 4 and T 5 ). Note that the availability of two reconfiguration modes in C-PUF gives it the flexibility to choose one or the other depending on the scenario, as explained in Section 7.2.
DISCUSSIONS
This section provides a brief discussion of potential attack scenarios as well as additional design aspects of C-PUF.
Attack Scenarios
We envision two types of attacks on a device (containing C-PUF)-non-invasive and invasive.
In the current design, the communication between the authenticator and the device (containing C-PUF) is unencrypted. Hence, we assume that an attacker can eavesdrop on this communication and extract some of C-PUF's CRPs used during authentication. This could enable the attacker to mount a non-invasive attack [5] , which exploits a large set of (previously-used) CRPs for generating an approximate model of a PUF's (challenge-response) behavior that could predict the (future) responses. However, successfully mounting such an attack on C-PUF is extremely difficult, as described through the predictability analysis in Section 6.1.2. Specifically, the unpredictable behavior resulting from the coupling (using hash and xor) of two heterogeneous memory technologies, each with its distinct behavior, leads to an extremely-complex overall model in C-PUF. This complexity is further enhanced by the presence of multiple variable parameters in its challengeresponse mechanism, which generates an exponential number of CRPs, as shown in Section 6.2. Lastly, C-PUF's final line of defense against such as an attack lies in its ability to undergo reconfiguration, which completely modifies its challenge-response behavior. For example, C-PUF can be reconfigured after every authentication phase, cycling among the different reconfiguration points in a random or round-robin fashion. In other words, the reconfiguration knobs can be used just like any parameter in the challenge. Hence, to an external attacker trying to model C-PUF's behavior, the responses would seem like coming from multiple completely different PUFs, making the attack extremely time and computation intensive. Due to the above reasons, we believe that C-PUF can provide high resistance (and reduced vulnerability) to a non-invasive attack such as [5] . Note that a formal analysis of C-PUF's vulnerability to such attacks is currently in progress and is planned as a part of future work. Encrypting the communication between the authenticator and device can also help prevent such attacks; however, this is not a requirement for the C-PUF design.
An invasive attack [3] involves physical tampering with the target device and requires physical access to it. We described one such scenario in Section 6.4, where the genuine DRAM module was replaced with a counterfeit one, followed by several authentication attempts. As shown, C-PUF was successfully able to detect this attack and prevent authentication. Mounting such an attack on the SRAM, on the other hand, is extremely difficult; its on-chip location requires the attacker to possess a very high level of expertise and sophisticated resources. Another type of invasive attack could involve memory-line snooping, where the attacker can (non-intrusively) read off the data in off-chip memory lines during authentication. Note that the SRAM start-up values are always hashed before they travel through the offchip memory lines. Since hash (SHA-256, used here) is a oneway function, reading these (hashed) values does not reveal any information about the SRAM's behavior. However, the attacker could be able to read the data written to the DRAM as well as its response. Assuming he/she has access to C-PUF for a considerable amount of time ($minutes/ hours), he/she may then be able to derive a portion of the DRAM's (bit-flip) behavior. However, entirely constructing this behavior requires a very large number of CRPs, which is extremely time and computation intensive due to the huge (exponential) challenge-response space of the DRAM (Section 6.2). In summary, the utilization of heterogeneous memory technologies, which are spatially distributed (onchip and off-chip), substantially improves C-PUF's resistance to such invasive attacks.
C-PUF versus [SRAM PUF + DRAM PUF]
An alternative design (say, SD) could have both an SRAM PUF and a DRAM PUF present in a device but operating independently of each other. C-PUF scores over such a design by providing much stronger defense against noninvasive attacks owing to its more complex (challengeresponse) behavior, as described in the previous section. One manifestation of this complexity is the higher number of CRPs that are supported by C-PUF, as compared to SD. Section 6.2 showed this through a typical SRAM/DRAM configuration in C-PUF. Specifically, if the number of CRPs supported by the SRAM PUF and DRAM PUF are N S and N D , respectively, then C-PUF supports a total of N D ¼ N S Â N D CRPs, as described in Section 6.2. In contrast, SD can support a maximum of N SD CRPs, where N SD ¼ N S þ N D , which is multiple orders of magnitude lower.Moreover, the availability of two reconfiguration modes in C-PUF gives it the flexibility to choose one or the other, depending on the scenario. For example, DRAM reconfiguration could be utilized in case of low available address space in SRAM while SRAM reconfiguration could be performed when fast authentication is required. SD does not have the ability to make these decisions as the constituent PUFs operate independently of each other.
Effect of Variations in Supply Voltage
Variations in supply voltage could affect a PUF's operation. However, due to the presence of on-board voltage/power regulators (in all embedded systems), which closely monitor power supply to the components, this is an extremely rare (and short-duration) phenomenon. Nevertheless, with regards to C-PUF, the SRAM is unaffected by supply-voltage variations as its response-generation mechanism relies on power-cycling or an intentional lowering of supply-voltage as in [34] . The DRAM could see additional bit-errors if the variation goes beyond the manufacturer-specified voltage guardbands [38] , [39] , however, the error-rate is low [38] and can be handled by the authentication scheme employed in C-PUF. The only operations that could be truly affected by supplyvoltage variations are the HASH, XOR, and SRAM/DRAM Error-correction, as they involve arithmetic computations. In such a scenario, its fair to assume that the whole compute sub-system (of the embedded system) is actually paralyzed, affecting all running applications (not only authentication using C-PUF). Hence, if authentication is in progress, it will need to be stopped and re-initiated once the voltage levels are restored.
RELATED WORK
A variety of PUF implementations has been proposed over the years. The concept of silicon PUFs was first introduced in [7] . These PUFs can be easily integrated into electronic circuits and, hence, have been widely adopted in present-day implementations. Memory-based PUFs, in particular, are popular and offer a distinct advantage over other silicon PUFs. They utilize semiconductor memories that are inherent to most embedded devices and require minimal or no additional hardware for their operation. For example, Ref. [9] extracted unique fingerprints and generated true random numbers by using the power-up state (start-up value) of an SRAM chip. Another SRAM-based PUF was presented in [34] , which utilized error-patterns in caches resulting from supply-voltage reduction. This approach enables run-time generation of SRAM fingerprints since it does not require power-cycling. Ref. [10] observed variations in read current with the stored content in an SRAM array and used them to extract unique fingerprints. Write failures are (intentionally) introduced in an SRAM array through a programmable wordline duty-cycle controller for generating unique responses in [12] . Ref. [22] , on the other hand, proposes writing values into a column of SRAM cells, followed by concurrent activation of multiple wordlines. Thus, multiple cells in the column are read at the same time, forming the PUF response. A large body of work has also focused on building DRAM PUFs. Refs. [13] , [17] introduced DRAM (error) characterization as a means to design a low-latency DRAM PUF based on refresh pausing. They also proposed a lightweight scheme that utilizes the PUF towards authentication in a COTS system; Ref [13] also added (true) random number generation capability to the PUF. Refresh pausing was also utilized by another work [26] to design DRAM PUFs that could be implemented using COTS systems. Modifying read access latency to generate error patterns formed the basis of the DRAM PUF presented in [15] . Ref. [14] followed the power-cycling approach in a DRAM to generate unique start-up values, which could be used towards device authentication. Non-volatile memories have also been explored as potential PUF implementations. Refs. [19] , [20] proposed mechanisms to extract device fingerprints from flash memories; the latter also proposed true random number generation using a similar approach. Ref. [21] proposed a scheme that utilizes NVM (e.g., memristor, flash, etc.) cells to realize a PUF without using any helper data (for error correction). A parallel approach to PUF design aimed at achieving reconfigurability in PUFs [13] , [30] , [40] , [41] , i.e., the ability to modify the PUF behavior, when required. Ref. [42] proposed a generic PUF architecture targeted towards preventing modeling attacks.
Combining (the output of) multiple locations of one or several memory blocks located inside an IC to derive unique keys was mentioned in a patent [23] . By using an address decoder that can permute access order across different memory locations/blocks in a potentially unknown manner, the work claims to increase the resistance of the PUF against invasive attacks. However, no physical implementation or test results thereof have been published yet. A similar but non-memory-based PUF was presented in [24] , which proposes combining several onchip entropy sources (e.g., clock sinks) in an optimized manner towards better (overall) entropy and robustness. In comparison to these works, the design space for C-PUF is much wider as it aims to combine both on-chip and off-chip entropy sources towards realizing multi-component authentication in an embedded system. Towards this end, we also proposed and validated a low-overhead authentication scheme, which ensured robust operation of several prototype C-PUF implementations across a wide range of operating conditions. Most importantly, unlike previous work, all this is achieved while incorporating minimal or no additional hardware, enabling easy integration of C-PUF into a COTS system.
Note that the current C-PUF design utilizes some of the components in [13] , [17] , which leveraged the refresh-pausing approach in a DRAM for authentication and random-number generation. C-PUF builds upon [13] , [17] , but goes further by introducing the concept of and taking a step towards realizing multi-component authentication. It also introduces two key-modifications in the DRAM Error Correction stage (compared to [13] , [17] ) -(i) tailoring the (strength of the) DRAM error-correction according to the specific operating point ( Table 5 ) and (ii) introduction of a new parameter, B Max , to protect against a certain kind of attack that could be mounted on a system containing DRAM in the form a removable/replaceable SODIMM.
In this paper, we propose the concept and design of a memory-based combination PUF that tightly integrates two heterogeneous memory technologies to construct a PUF that overcomes several shortcomings of current memory-based PUFs. The design can be easily implemented on a COTS device and takes a step towards multi-component authentication in an embedded system. The PUF was implemented in a real system using several off-the-shelf SRAMs and DRAMs. Experimental results demonstrated substantial improvements over current memory-based PUFs including the ability to resist various attacks. We also proposed a light-weight authentication scheme that ensures robust operation of the PUF across wide environmental and temporal variations. Extensive authentication tests performed on several PUF prototypes achieved greater than 97.5 percent true-positive rate across these variations. The absence of any false-positives, even under an invasive attack, further highlighted the effectiveness of the overall design. Inclusion of other (system) components into the C-PUF design and formal analysis of its vulnerability to non-invasive attacks (e.g., machine-learning based) are currently in progress and are planned as part of future work.
