A Physical Unclonable Function with Redox-based Nanoionic Resistive
  Memory by Kim, Jeeson et al.
1A Physical Unclonable Function with
Redox-based Nanoionic Resistive Memory
Jeeson Kim, Student Member, IEEE, Taimur Ahmed, Hussein Nili, Jiawei Yang, Doo Seok Jeong,
Paul Beckett, Sharath Sriram, Member, IEEE, Damith C. Ranasinghe, Member, IEEE,
and Omid Kavehei, Senior Member, IEEE
Abstract—A unique set of characteristics are packed in emerging nonvolatile reduction-oxidation (redox)-based resistive switching
memories (ReRAMs) such as their underlying stochastic switching processes alongside their intrinsic highly nonlinear current-voltage
characteristic, which in addition to known nano-fabrication process variation make them a promising candidate for the next generation
of low-cost, low-power, tiny and secure Physically Unclonable Functions (PUFs). This paper takes advantage of this otherwise
disadvantageous ReRAM feature using a combination of novel architectural and peripheral circuitry. We present a physical one-way
function, nonlinear resistive Physical Unclonable Function (nrPUF), potentially applicable in variety of cyber-physical security applications
given its performance characteristics. We experimentally verified performance of Valency Change Mechanism (VCM)-based ReRAM
in nano-fabricated crossbar arrays across multiple dies and runs. In addition to a massive pool of Challenge-Response Pairs (CRPs),
using a combination of experimental and simulation, our proposed PUF shows a reliability of 98.67%, a uniqueness of 49.85%, a
diffuseness of 49.86%, a uniformity of 47.28%, and a bit-aliasing of 47.48%.
Index Terms—Physical unclonable function, resistive random access memory, emerging nonvolatile memory.
F
1 INTRODUCTION
R EDOX based resistive memories (ReRAMs) are anemerging class of two-terminal nonvolatile memory
technology. They are one of the most promising devices
for conventional and unconventional information pro-
cessing and memory applications [1]–[3]. They can be
integrated on-chip with conventional CMOS technology.
Thanks to their highly nonlinear resistance behavior,
their read-out speed can be programmed to be fast or
slow, with higher or lower power consumptions, respec-
tively. As there are countless choices of material, these
devices can also be fabricated with an aim for ultra-high
density digital memories or behave like an analog mem-
ory with multiple stable states. Unlike SRAM, DRAM
and FLASH technologies, these devices do not rely
• J. Kim, P. Beckett and O. Kavehei are with Nanoelectronic and Neuro-
inspired Research Laboratory, RMIT University, VIC 3000, Australia.
E-mails: {jeeson.kim,pbeckett,omid.kavehei}@rmit.edu.au.
• T. Ahmed, S. Sriram, J. Kim and O. Kavehei are with the Functional Ma-
terials and Microsystems Research Group, RMIT University, VIC 3000,
Australia.
E-mails: {taimur.ahmed,sharath.sriram}@rmit.edu.au.
• H. Nili is with the Department of Electrical and Computer Engineering,
University of California, Santa Barbara, CA 93106 USA.
E-mail: hnili@ece.ucsb.edu.
• J. Yang is with Wenzhou Medical University, China.
E-mail: yangjw@wibe.ac.cn.
• D. S. Jeong is with the Electronic Materials Research Centre, Korea
Institute of Science and Technology, 136-791 Seoul, Republic of Korea.
E-mail: dsjeong@kist.re.kr.
• D. C. Ranasinghe and J. Kim are with the Auto-ID Labs, School of
Computer Science, The University of Adelaide, SA 5005, Australia.
E-mail: damith.ranasinghe@adelaide.edu.au.
Manuscript received ; revised . This work was supported by Australian
Research Council under grant DP140103448 and National Natural Science
Foundation of China under Grant 61501332.
on charge storage and retention on a capacitor, rather
they exploit a new type of underlying physics that is
based on a mixed ionic-electronic conduction mechanism
and hence, it is a resistance retention-based technology.
These memories have also surpassed nonvolatile FLASH
technology in almost any aspect; They offer orders of
magnitude higher endurances and write speed than
FLASH, they have eliminated FLASH memory’s need for
high voltage supply and cumbersome erase procedure,
and they offer all these advantages at a potentially lower
volume fabrication cost [4]–[9]. ReRAMs could be made
potentially denser than FLASH and like FLASH they
can go vertical (3D) and ensure zero-power consumption
when on stand-by [10]–[12].
Security and privacy applications of such device as
part of broader cyber-physical system industry ranging
from nation-wide power grids, small scale health care
system to Internet of Things (IoT) and solutions based
on radio frequency identification (RFID) [13], [14]. For
instance, IoT demands challenging security solutions
with features such as interoperability, scalability and
lightweight process [14], [15]. In such area, power and
performance demanding environment, Physical Unclon-
able Functions (PUFs) could be a suitable solution [16]–
[22].
A 19th century scientist, Auguste Kerckhoffs once
stated, a system should be secure even if everything about the
system, except the key, is a public knowledge [23]. Building
on this principle, PUF’s very fundamental feature is the
ability to remove the requirement of storing secrets and
leave any other system feature as public knowledge [24],
[25]. Secrets in PUF are intrinsically encrypted in physi-
cal implementation randomness –e.g. silicon fabrication
ar
X
iv
:1
61
1.
04
66
5v
1 
 [c
s.E
T]
  1
5 N
ov
 20
16
2process, for which there is no way to reverse engineer
the system but to characterize every single component of
the system. It is therefore very difficult, if not impossible,
to make an identical copy of the system even by the use
of identical processes, facilities and material [26]. The
basic idea of a PUF is to gain advantage of otherwise dis-
advantageous physical system manufacturing non-idealities.
These non-idealities can be classified into spatial and
temporal variations. Spatial variations include process
variations such as dimensions, random dopant fluctu-
ations, line-edge roughness, which manifest themselves
as conventionally undesirable features such as threshold
voltage variation and offset in CMOS and other electrical
characteristics of solid-state devices. Temporal variation
includes noise, supply power, temperature fluctuations,
transient effects as common effects in both conventional
and emerging technologies. One unique property that
is unique to ReRAM devices, is their random oxygen
vacancy profile.
Fig. 1(a) and (b), shows a direct evidence of oxygen
vacancy profile in our devices (true for all ReRAMs) [27].
This pattern is likely to change with every switching as
the formation and rupture of nano-filaments in certain
location is an stochastic phenomenon. This pattern is
also varying from device-to-device. The tricky part about
this spatio-temporal random oxygen vacancy profile
in ReRAMs is that once programming is finished, the
profile stays fixed under no or small magnitudes of
energy delivered to our Valency Change Mechanism
(VCM)-based ReRAMs. Temporal and transient aspects
of this nano-conductive filament pattern is more pro-
found when the device is switching or is in its Low
Resistance State (LRS). It can also be concluded that
when a filament becomes the main path of conducting
current between electrodes, ReRAM’s LRS’s conductance
is almost independent of device contact sizes and thier
variation, while in High Resistance State (HRS), the
nano-conductive filament pattern is fixed, unique to each
device, and their height are much less than LRS’s nano-
filaments. Dimensional and line-edge roughness varia-
tions are also mainly effecting HRS. Therefore, oxygen
vacancy profile could be consider as a perfectly spatial
parameter when a ReRAM device is in its HRS. It is
important to note that discussions around oxide-trap-
induced effects such as burst or random telegraph noise
are outside the scope of this paper due to the relatively
low frequency nature of the phenomenon.
These systematic, random and spatial variations in
CMOS has been harnessed to produce tiny differences in
identical circuit and system performance. For instance,
small differences in delay has been the source of spa-
tial randomness in arbiter PUFs (Arb-PUFs) and ring-
oscillator PUFs (RO-PUFs) [14], [28], [29]. SRAM-PUF is
another example. SRAM’s metastability is widely used as
another source of randomness. Process variation in im-
plementation of SRAM’s latch and read-out/addressing
transistors could make its switch to “1” or “0” more
likely than the other after setting up a metasptable
Fig. 1: In-situ Scanning Probe Microscopy (SPM) of con-
ductivity is shown in 2D (a) and 3D (b) maps. It shows
a top view of oxygen deficient amorphous SrTiO3−x
(a-STO) layer, also known as the switching layer, in
our ReRAM devices after removing top metal electrode
layers for this experiment. The pattern illustrates profile
of nano-filaments of heights of 5 nm, which are conduct-
ing channels between two metal electrodes in ReRAMs.
Formation and rupture of these nano-conductive fila-
ments are possible when enough energy is delivered via
an application of current. There are countless evidence,
including our device characteristics, that there are two
or more distinctive thresholds after which formation and
rupture of these filaments take place and each time that
occurs, the spatial pattern (location) of these filaments
and also their height, shape and intensity could also be
different. This adds a temporal feature to the oxygen va-
cancy profile. However, it is observed that when working
significantly below –voltage– thresholds, location, shape,
height and intensity of these filaments are reliably fixed
and unique to each device.
condition [30]–[33]. While some CMOS PUFs are custom
designed, many have been reported on field array logics
such as Field-Programmable Gate Array (FPGA). That
unfortunately created systematic bias issues as there is
no ultimate control over interconnect length [34].
While silicon technology has started a new ground-
breaking wave of security primitive solutions, the game
is still on for true random key generators that are
highly secure, cheap, small and energy-efficient [35].
The device-to-device randomly variant oxygen vacancy
profile in VCM ReRAMs provides another dimension
that if utilized appropriately could pave the way for
3Fig. 2: ReRAM electrical characteristic and structure. (a) Experimental current-voltage (I-V ) signature of our a-STO
ReRAM bipolar switching behavior. As a representative signature curve of thousands of measured I-V characteristics
on multiple devices, this is measured by a DC double voltage sweeping. Arrows and numbers on the response I
curve indicate voltage sweeping directions and the order of sweeping operations. Inset: highlights nonlinearity of
I-V curve when device is in its HRS and applied voltages are significantly below threshold. These voltages are
called READ voltages in this paper. (b) Optical microscope image of a 6× 8 ReRAM crossbar array and schematic
of our ReRAM material stack. (c) Schematic of how ReRAM crossbar could be integrated with CMOS.
implementation of highly secure nonvolatile memory
(NVM)-based PUFs. In this work, we propose a novel
PUF architecture based on nonvolatile ReRAM crossbar
arrays. Contributions of this work include:
• Introducing a nonlinear ReRAM-based PUF and
presenting its full analysis.
– This includes, assessment of important PUF met-
rics based on a mix of extensive experimental
analysis and simulation.
• Employing the idea of dummy cells and arrays to
strengthen nrPUF against side-channel power mon-
itoring attacks.
The paper is organized as follows: Section 2 discuss
properties of ReRAMs and proposes nrPUF and its cir-
cuit and architectural level operation. nrPUF character-
ization and experimental results of fabricated ReRAM
arrays are illustrated. Section 3 analyses nrPUF perfor-
mance metrics and discusses simulation results. Finally,
Section 4 summarizes the work.
2 NONLINEAR RESISTIVE PUF
2.1 Electrical properties of ReRAM
Measured signature bipolar switching behavior of our
VCM ReRAM devices is depicted in Fig. 2(a) at room
temperature. Device switching characteristic becomes
available when an irreversible electro-forming step is
completed. An electro-forming step forces the device to
switch from its pristine state to its LRS. Beyond that
point the device is capable of switching between its LRS
and HRS, when enough energy is delivered to the device
in form of applied current. Our device SET (HRS→LRS)
and RESET (LRS→HRS) switching thresholds are around
800 mV and -750 mV, respectively, as it is shown in
Fig. 2(a). For electro-forming a maximum sweep voltage
range of 2.5 to 3.2 V and current compliance range 100
to 500 µA was used. The switching behavior is known
to be caused by the formation and rupture of one or
more filamentary paths through the oxide layer between
Top Electrode (TE) and Bottom Electrode (BE) [27],
[36]. This is shown in Fig. 1. Switching sequence (1-
4) is shown in Fig. 2(a) and the device was initially
in its HRS. Electrical characterization and measurement
data was gathered with Keithley 4200 Semiconductor
Characterization System. It is worths noting that electro-
forming and its impact on spatio-temporal characteristics
of oxygen vacancy profile is an interesting topic which
is outside the scope of this paper and underpins further
investigation.
Using standard photolithography we designed and
fabricated a stack of the following materials to imple-
ment our VCM ReRAM devices. A 20 nm Pt and its 5 nm
Ti adhesion layer are deposited on a SiO2/Si substrate
as BE using electron-beam evaporation. An amorphous
SrTiO3, a-STO, (33 nm) film is subsequently sputtered
through a shadow mask and in the next step, a 5 nm Pt
as buffer metal layer is e-beam evaporated on the a-STO
layer. Then, two layers of a-STO films were sputtered
in different conditions; A 30 nm oxygen deficient (OD)
a-STO layer on a normal 3 nm a-STO. Finally, a Pt/Ti
(20 nm/10 nm) is formed by e-beam evaporation as TE.
All deposition steps were processed at room temperature
and a crossbar optical image and its material stack is
shown in Fig. 2(b). The crossbar array consists of 8
columns of TEs and 6 rows of BEs. When a voltage
below switching threshold (Fig. 2(a)’s inset), known as
READ voltage, is applied to the TE, it produces a current
that can be read-out from BE. Full details on fabrica-
tion process can be found in Refs. [27], [36]. ReRAM
switching layer in our devices is an amorphous OD
SrTiO3−x (a-STO), where x represents the level of oxygen
deficiency created by a combination of processes within
4Fig. 3: (a) Device-to-device (D2D) variation in HRS
and LRS. State resistance variation of HRS and LRS
are extracted from 58 devices at different READ volt-
ages between 0.1 and 0.5 V. As Fig. 2(a)’s inset sug-
gests, nonlinearity of I-V characteristics causes semi-
exponential increase in HRS current with every 100 mV
increase in voltage. Therefore, as READ voltage in-
creases, ROFF/RON ratio decreases. (b) Resistance sys-
tematic variation induced by temperature change from,
near zero degree of Celsius, 275◦ K, to 450◦ K.
the material stack during fabrication and engineered by
a detailed micro/nano-fabrication development recipe.
To highlight Fig. 3(a) shows one main device-to-device
(D2D) variation of our VCM ReRAM HRS and LRS at
different READ voltages. In this paper, we only use HRS.
Measurements remark that HRS is widely distributed
over a decade in the range of 100 kΩ to 1 MΩ. Fig. 3(b)
demonstrates temperature dependence of the ReRAM
cell. It shows thermal activation of current transport
through the cells in the temperature range 275◦ to 450◦ K.
Although measured resistance transition over multiple
devices is substantial, the behavior suggests a trend that
can be considered in our peripheral read-out circuitry
for nrPUF.
2.2 Circuit and Architecture
The proposed nrPUF structure is shown in Fig. 4. The
overall system architecture consists of multiple VCM
ReRAM crossbars, two sense amplifiers and bit genera-
tors. The system accepts parallel streams of 64-bit inputs
that each is called a challenge and produces 64-bit output
that is called a response. Each challenge produces 1-
bit response. Fig. 4(a) illustrates a modified StrongARM
(mSAL) latch. We added transistors M13, M14 and M15
to better control the flow of current when sensing is
enabled using the signal, SenEn. The current mirror and
control transistor in the left hand side and highlighted in
red are serving dummy cells/arrays and are not part of
the mSAL circuit and we discuss its effects on supply
power signal-to-noise ratio (SNR) later in the paper.
Original idea and full description of the sensing circuitry
can be found in Refs. [37], [38]. The mSAL circuit consists
of two identical parts, highlighted in green and blue that
are competing to own the output, Vx and Vy. Assuming
negligible mismatch between peer transistors (e.g. M1
and M2), the state of the latch should be identified by
the mismatch between IP and IQ. As Fig. 4(b) illus-
trates, these two currents are directly passing through
a selection of multiple ReRAM devices which are all
programmed in their HRS. Due to the randomly different
oxygen vacancy profile of these devices, one of the
currents will be higher than the other, which means
voltages at nodes P and Q will not be identical. That
causes an unbalance in the current that is drawn by M1
and M2 after a pre-charge mode (SenEn=0) that charged
nodes P, Q, X and Y to VDD. The unbalance will push the
latch (transistors M3−6) towards Vx=VDD, Vy=0 or Vx=0,
Vy=VDD.
One of the most important systematic bias that needs
to be mitigated is the offset generated as the result of
mismatch between current mirror pairs, M1,11 and M2,12,
and M3−6 of the latch. It is known that in conventional
StrongARM circuit, dominant contributors to the offset
are M1 and M2 [37]. In this case, we need to extend
that set to include M11 and M12. Due to the fact that
our architecture uses only two mSAL circuits, as shown
in Fig. 4(c), there are plenty of room for mitigating M1,2
offset contribution. It is very well-known that such offset
in a FET (field effective transistor) is the direct result
of mismatch in threshold voltages which is the conse-
quence of process variation. According to the renowned
Pelgrom’s Law,
σ∆VT ∝
1√
WL
, (1)
where W , L and σ∆VT representing length and width of
transistor channel and standard deviation of threshold
voltage mismatch, sampled from thousands of pairs [39],
[40], to avoid creating a systematic bias in our CMOS,
M1,11,2,12 should be as large as possible.
In the proposed PUF, input challenge either directly or
through a set of linear-feedback shift registers (LFSRs),
which are not shown in Fig. 4(b) diagram, randomly
activates 1, 2, 3, 4 or 5 columns out of N columns and
exactly two rows out of M rows for each of the IP,Q,D
currents. In this paper, N=M=128, therefore, a massive
pool of Challenge-Response-Pairs (CRPs) are expected
as it is shown in Section 3. Other array characteristics
such as sneak-current paths (array parasitic currents)
are data and addressing pattern dependent, and hence,
are included in our analysis but their individual role
5Fig. 4: Proposed nrPUF block diagram, interconnections and read-out circuitry. (a) Represents a modified StrongARM
Latch (mSAL) that its original design and analysis could be found in Refs. [37], [38]. Transistors M7−10,13−15 are
acting as pre-charge and sensing mode triggers. This sensing enable (SenEn) signal could identify throughput of
the system. The aim is to have an ideal probability of 50% for each response bit to be either 1 or 0 at each phase
that SenEn=0. We want this randomness to be dominated by VCM ReRAM devices and not the mSAL. The current
mirrors for IP and IQ that are drawn from a crossbar array (CBA), (b), are assumed to have current mirror (CM) gain
of K=1. The highlighted red part, ID, represents a dummy section that aims to confuse power signal and reduce its
SNR in order to further diminish nrPUF protection against side-channel power monitoring attacks. (b) Illustrates
a CBA with its relevant analog/current and digital multiplexers (Current MUX, aMUX, and MUX) accepting q-bit
input challenge (InC) as input and selects a subset of columns (out of M ) to be connected to READ voltage supply
and a subset of rows (out of N ) to be connected to IP, IQ and ID. All ReRAMs cells are programmed to be in
their HRS. (c) shows nrPUF clock diagram with two CBAs and mSALs. Part A’s output, whether one or l-bit is
considered as hidden challenge as it directly influences, alongside InC, response bit generation at the output of
Part B.
were not studied in this paper. Fig. 4(c) demonstrates
that the input challenge (InC) is applied to two crossbar
arrays A and B (CBA A and CBA B) and mSALs produce
relevant output bits. For every operation, output bit of
the first part, called Hidden Challenge (HiC) in this
paper, influences selection of rows and columns in the
second part. As its name suggests, it acts as a hidden
challenge that participate in response bit generation and
it could be multiple bits for different structures and
requirements. While all parts are directly involved in
response bit generation, the part highlighted in red,
dummy, aim to confuse power consumption signal in
order to reduce the adversarial chance in using side-
channel power monitoring.
2.3 Operation
READ voltage of nrPUF operation is chosen from the
set of READ voltages highlighted in Fig. 3. As our read-
out is current based, we aim to choose the lowest READ
voltage possible to guarantee no destruction to the stored
state. Due to inherent variation of ReRAM crossbar
arrays, conductances of cells are widely distributed and
that variation is ultimately translated to read-out current.
Selected output of ReRAM crossbars are set as:
Irow,i =
CS∑
k=1
gi,jkVREAD, (2)
where gi,jk denotes conductance of cell located at (i, jk)
node, i represents a device row location selected by ana-
log/current multiplexer (aMUX), jk is a column location
by decoder block and CS is total number of columns se-
lected. The aMUX utilizes a group of transmission gates
for passing analog current inputs to its output. For tem-
perature considerations, a temperature sensing circuitry
could be beneficial alongside Fig. 4(a). After read-out,
current distribution is the root source of PUF unique-
ness. In Section 2.1, we showed individual ReRAM cell
resistance distribution, see Fig. 3(a). In this work, we
fixed CS=5. It utilizes a wider distribution than one or
two column selection methods. Suppose I1, I2, . . . , ICS
are CS number of independent random variables (a cell
read-out current) with mean µ1, µ2, . . . , µCS and variance
σ21 , σ
2
2 , . . . , σ
2
CS . Then the mean and variance of the linear
combination Irow =
∑CS
k=1 Ik are defined as:
µIrow =
CS∑
k=1
µk (3)
6and
σ2Irow =
CS∑
k=1
σ2k, (4)
respectively. This shows that Irow distribution as well as
its standard deviation increase with higher CS. This is
shown in Fig. 5(a). Since nrPUF deals with comparison
of electrical characteristics (linear sum of CS number
of cells’ read-out current), the wider variation distri-
bution provides the advantage of reducing possibility
that selected comparator objects are in indistinguishable
range. The high CS method has another merit in that
it increases the challenge space as well as prevents re-
vealing of the PUF’s variation fingerprint to adversaries
attempting to characterize the PUF. Column and row
selection on CBA A is entirely driven by a q-bit challenge
using decoder and aMUXs block, see Fig. 4(b) and (c).
A CMOS unit selects 2 × l rows and each provides
IA,row, and performs l pairs of current comparison in
order to deliver l-bit HiC as an input of CBA B’s CMOS
unit. In this work l=1, and hence two rows in each
operation is selected. While column selection is based on
q-bit challenge ideally through decoders and LFSRs, an
internally generated l-bit HiC participates in selection of
CBA B’s columns and rows in order to produce, IB,rows,
and finally generates 1-bit final response for nrPUF. The
number of selection can be adjusted considering the size
of ReRAM crossbar array and can be set as log2
(
M
2
)
,
where M is the number of rows in CBA. Total number
of CRPs (NCRP) also depends on the size of ReRAM
crossbar arrays and it can be estimated as:
NCRP =
(
N
CS
)
×
(
M
2
)
× l, (5)
where M, N are the sizes of CBA (M ×N ). It is worth
recalling that CS is the number of selected columns and
l is the HiC bit length.
3 PERFORMANCE EVALUATION
3.1 Avalanche characteristic
A PUF should be a one-way function that ideally there
is no link between its input and output. When this prop-
erty is achieved, it becomes nearly impossible to guess
challenge bits by observing corresponding response bits
and vice versa [41]. CRPs should also be unrelated, so
that knowing one CRP has no impact on predicting other
unknown CRPs regardless of their similarity [42]. This
can be better described as following;
1) Response bits should have similar probability over
challenge space [43]. For each response bit, the
probabilities of being “1” or “0” should likely to be
equal, i.e, Prob(r = 1) = Prob(r = 0) = 50%.
2) Response bit transition rate to a set of challenges
with Hamming Distance (HD) = i should be 50%,
where 1≤ i ≤ q and q is a length of a challenge. Con-
sider q-bit reference challenge (CRef ) and a challenge
(Ci) with HD=1 from CRef . When i ∈ {1, . . . , S}
Fig. 5: Cells read-out distribution and avalanche behav-
ior of nrPUF. (a) Row cells read-out current distribution
for different CS. As CS increases from 1 and 5, read-
out current distribution becomes wider and its deviation
(σ), therefore, increases from 132 nA to 290 nA. (b)
Using the method we demonstrated in (b), this part
shows a comparison between output transition rates
when we have only one crossbar in the system (no
HiC) compared to system shown in Fig. 4(a) with dual
crossbar arrays. The results are shown for CS=5 and
x-axis demonstrates number of changes in selection of
columns. When column transition value is j, it means
our five selected columns, out of 128 available columns,
are different from a reference selection of five columns
with HD=j. For all column transitions, we select two
rows (l=1 in Equ. (5)). The y-axis demonstrates number
of changes in selection of a pair of rows. When row
transition value is k, it means our two selected rows,
out of 128 available rows, are different from a reference
selection of two rows with HD=k. The color-map shows
output transition rate for each choice of row and column
transitions compared to a reference of two row and five
column selections. The more green the map is the closer
the outcome is to the ideal case of a balance response,
which means a 50% output transition rate.
all with HD=1 from CRef , we have a vector of
size S of responses to those challenges. To meet
the strict avalanche criterion (SAC) requirement,
ri⊕rRef , which represents whether a transition in ith
response bit occured compared to the reference re-
sponse (rRef ), should result in a balanced vector of S
responses. It means we should ideally observe a bal-
anced (50%) number of “1”s and “0”s in the output
vector. In other words, Prob(rS ⊕ rRef=1)=50% [44].
7Although it is very difficult, if not impossible, to
prove unclonability mathematically, literature has shown
that some PUFs are predictable [34], [45]–[48]. For high
immunity to these attacks, it is desirable to have the two
properties mentioned above [14], [28]. In most PUFs,
the first property may be obtained, but the second,
avalanche behavior, is more difficult. This is particularly
the case for linear Arb-PUF structure. The example uti-
lizes sequence stages of four terminal switches with two
inputs and two outputs. Each switch is controlled by
a single bit which identifies the switch configuration.
The fundamental idea is that, due to process variations,
delays of an identical signal at the input arriving at two
different output pins are slightly different. Every stage
contains two multiplexers connecting inputs to outputs.
In a low-throughput delay-based PUF architecture, in-
dependence among CRPs is hard to achieve. There exist
attempts to design nonlinear PUF architectures and ex-
amples includes XOR PUF [14] and Feed-Forward Arb-
PUFs (FF Arb-PUFs) [28], [29]. XORing in Arb-PUFs is
a powerful method to randomize this irregular output
to generate a balanced output. An XOR PUF consists of
multiple Arb-PUFs and an XOR function which XORs
the responses of Arb-PUFs. They show improvement
on SAC after adding the XOR function [49]. Another
example, FF Arb-PUFs, utilize one or few switch(es) that
are independent of input. It means that feed-forward
creates some hidden information and the PUF achieves
a higher degree of complexity [29], [46].
In Fig. 5(c), a PUF with single crossbar array structure
shows a biased output bit transition rate, and this is
the particular case of low HD between row and column
selections. Compared to single crossbar, the proposed
nrPUF, dual crossbars, provides a significantly improved
response bit stream balance and SAC.
3.2 Attacks
Possible attacks on PUFs are various both on software
and hardware level [50]. For PUFs with limited number
of CRPs, NCRP, such as SRAM-PUFs, it may be possible
to characterize the entire structure by direct probing
and/or side-channel power monitoring attack [51], [52].
It is also known that a high NCRP makes model-building
attacks possible more effective via machine learning anal-
ysis on large collection of output data. This immediately
implies that PUFs with small throughputs will be less
vulnerable to machine learning attacks. ReRAM-based
PUFs may have the potential to mitigate these issues
by providing adjustable throughput e.g. by adjusting
sense amplifier, nanowire and overall parasitic capaci-
tance at the output of each crossbar. Also, they adopt
a random selection of a subset of memory cells and
comparing the current passing through them in a total
analog fashion [11], [53]. Using this method, a PUF with
M ×N crossbar size obtains at least as N times as many
challenges as RO-PUF with M number of RO stages [53].
3.2.1 Simple and differential power analysis attacks
One of effective security threat targeting system imple-
mentation of cryptographic algorithms is side-channel
attacks. Power analysis has been effectively used against
different sensitive items such as smart-card microproces-
sors [54], [55]. Differential Power Analysis (DPA) goal is
to extract correlations between data and supply power
fluctuations. Therefore, in systems that generating “1”
and “0” in the output consume different current DPA
will be an effective statistical tool that given enough
traces is cable of extracting tiny correlations. Other
power analysis techniques include correlation power
analysis based on the Hamming distance model and
partitioning power analysis [54], [56]–[59].
The proposed nrPUF is using differential current anal-
ysis as the means to generate output bit therefore there-
fore correleation between the total current consump-
tion and output bit diminishes. Additionally, we have
exploited dummy arrays (as explained in Section 2),
in order to reduce any potential correlations even fur-
ther. The relatively low-cost and effective performance
of ReRAM technology offers the possibility of dummy
array introduction to enable the capability of confusing
power consumption pattern.
Power analysis attacks in general could be evaluated
by signal-to-noise ratio (SNR) between the single-bit
unit power consumption and the standard deviation
of power leakage [59]. In nrPUF, we analyzed power
consumption for generation of 2000 output bits. An input
challenge dependent selection of 5 columns with 20
ReRAMs identifies the output bit, while one or more
ReRAM on dummy arrays are randomly selected at
the same time in order to achieve confusion. Due to
random nature of selection of dummy arrays and de-
vices involved in the process, invasive attacks such as
laser cutting of interconnects would unlikely result in a
functioning nrPUF without dummy devices.
Fig. 6 illustrates our SNR analysis result as a function
of number of dummy devices involved in confusing
power signal. As expected, the more the number of
dummy devices are the lower SNR becomes and there-
fore it is possible to adjust such performance for different
applications according to their sensitivity.
3.3 PUF metrics
We evaluated nrPUF against key PUF metrics in this
part. Extensive circuit level Cadence simulations were
followed up with rigorous Matlab analysis consider-
ing experimental data collected form a wide range of
identical devices on same or different dies. Measured
variations in current were fed into these simulations and
devices were working under minimum READ voltage
to be similar to experiments. There assumed noise and
uncertainty on supply power line and existence of faulty
devices (e.g. stuck-at-ON) in both crossbars. The follow-
ing lists our considerations for analysis:
8Fig. 6: Role of dummy ReRAMs in lowering Signal-
to-Noise Ratio (SNR) in an attempt to make supply
power signal unrecoverable and unrelatable to output
bit generation. Number of dummy ReRAMs is directly
relevant to the magnitude of ID in Fig. 4(a) and (b).
• There is 10% 3σ READ supply voltage variation at
any READ voltages,
• A temperature fluctuation of ±10◦ K at any working
temperature,
• An undetectable current difference of ∆I=±20 nA,
where ∆I=IP-IQ,
• 90% of HRS programmed devices were successful,
therefore, 10% of ReRAMs are assumed to be stuck-
at-ON (in their LRS range, see Fig. 3(a)), and
• Measured ReRAM’s HRS variations have lognormal
distribution, see Fig. 3(a). These data were imported
into analytical analysis flow to evaluate nrPUF.
We use the following notations and definitions for nrPUF
evaluation:
p Number of PUF instances.
n Number of response bits.
tr Number of trials on the same PUF instance.
ri,j j
th bit of ith response.
c Number of challenges.
3.3.1 Hamming Weight (HW) test
HW test calculates inter- and intra-PUF responses in
order to detect bit bias toward “0” or “1”. HW tests
include uniformity (UF) and bit-aliasing (BA). Average
UF and BA results are shown in Fig. 7(a) and (b) and
both are closely distributed near 50%.
Uniformity (UF) is an intra-response HW assessment to
evaluate a balance of “0”s or “1”s in a response vector.
Ideally, UF should show a perfect balance. UF is defined
as:
UF =
1
n
n∑
j=1
ri,j × 100%, (6)
where ri,j is jth bit of an n bit response to ith challenge.
In Fig. 7(a), red distribution curve represents the best-
case UF of nrPUF when random challenges (zero or
slightly larger than zero correlation between them) gen-
erate a response. It is closely distributed near to its ideal
UF of 50%. The worst-case UF is when challenges are not
random and have high similarities with HDchallenge ≤ 5
considering a challenge length of 64-bit. Results shows
the worst-case nrPUF, is normally distributed with µ of
47.28% and standard deviation of 11.09%. In contrast,
UF of single crossbar structure is poorly centered and
is rather uniformly distributed. This shows nrPUF could
better satisfy desirable SAC behavior.
Bit-Aliasing (BA) is a measure that shows the degree
of similarity across responses from different PUFs (inter-
HW). Ideally, a PUF should avoid identical responses,
hence, BA should be 50%. BA can be calculated as:
BA =
1
p
p∑
i=1
ri,j × 100%, (7)
where ri,j is jth bit of an n bit response from an ith PUF
instance. It is shown that average BA of nrPUF is 47.48%
with deviation of 5.03%.
3.3.2 Hamming Distance (HD) test
HD test calculates the HD of inter- and intra-PUF re-
sponses in order to assess how unique PUFs are. HD
tests include uniqueness (UQ) and diffuseness (DF).
Average UQ and DF results are shown in Fig. 7(c) and
(d) and both are closely distributed near 50%.
Uniqueness (UQ) is an inter-PUF HD test and an indi-
cator of the PUF’s information bits that can be extracted
by evaluating a degree of difference between responses
of different PUFs to identical challenges. Truly random
PUF should achieve UQ close to the ideal value of 50%.
Average UQ is defined as:
UQ =
1(
p
2
) p−1∑
i=1
p∑
j=i+1
HD(Ri, Rj)
n
× 100%, (8)
where HD(Ri, Rj) is the HD between n bit responses to
a challenge from a pair of ith and jth PUF instances.
Diffuseness (DF) is an intra-PUF HD measurement, is
to analyze a degree of response difference from different
sets of challenges applied to the same PUF [60]. DF is
defined as:
DF =
1(
c
2
) c−1∑
i=1
c∑
j=i+1
HD(Ri, Rj)
n
× 100%, (9)
where HD(Ri, Rj) is the HD between n bit responses to
a pair of ith and jth challenge from a PUF instance.
3.4 Reliability
PUFs are expected to demonstrate high reliability. Reli-
ability shows PUF’s ability to reproduce same response
to the same challenge over time and under significant
spatio-temporal variations. In other words, it is defined
as the probability that response bit rt that is generated at
time t to be reproduced at a ∆t later and rt = rt+∆t. An
ideal PUF should provide 0% difference in its responses
to identical challenges and this is represented by Bit
9Fig. 7: nrPUF Performance evaluations. (a) Worst-case
uniformity (UF) comparison of response bit-stream of a
nrPUF and a single crossbar structure. Red curve shows
ideal distribution for UF, and it is clear that nrPUF is
closer to the ideal UF than single crossbar-based PUFs.
nrPUF’s UF shows a well-balanced “0”s and “1”s in its
response bit-stream. (b) nrPUF’s bit-aliasing is shown.
Each bit of nrPUF responses are assessed by calculating
BA over 1000 PUF instances. The result indicate a well-
balanced ratio of “1”s and “0”s across responses. (c)
Uniqueness (UQ) and (d) diffuseness (DI) of nrPUF are
demonstrated under a number of extreme temporal and
transient nature uncertainty, such as supply voltage,
temperature and sensing margin fluctuations.
Error Rate (BER) definition below:
BER =
1(
tr
2
) tr−1∑
i=1
tr∑
j=i+1
HD(Ri, Rj)
n
× 100%, (10)
where HD(Ri, Rj) is the HD between responses to ith
and jth application of a challenge to a PUF. Ideal relia-
bility (RE) is 100% and is defined as:
RE = 100%− BER. (11)
Fig. 8: Bit Error Rate (BER) of nrPUF. (a) Reliability
of nrPUF at a range of column number selection (CS)
choices between 1 and 5 under supply voltage, tem-
perature and sensing margin fluctuations. Reliability is
significantly improved as CS increases. (b) Average BER
over multiple nrPUF analysis is shown as a function of
CS and mSAL error margin of ∆I=±10 to ±100 nA.
The reason for adopting a group of ReRAMs instead
of a single device is to raise immunity against temporal
variations. Although a single device comparison method
has obvious advantages of consuming lower power, it
has a poor reliability. When a PUF response stability
is not guaranteed, the system requires an additional
error correction module integrated with the PUF device
and it increases costs, throughput and overall power
consumption [66], [67].
Based on current distribution results, we evaluated
reliability of nrPUF under different conditions. For each
measurement set, we use 500 random challenges and
each challenge is repeated for 50 trials in a PUF in-
stance. Results clearly show the advantage of selecting
multiple columns (CS=5) over one or two column(s)
(CS=1 or 2) selection method. Scattered cross symbols
in Fig. 8(a) represent average BER of 50 trials to 500
challenges. We assume SA margin for this work is 20 nA.
Mean value of BER µBER, which is 3.45% for CS=1
reduces by increasing CS. This is 2.39%, 1.87%, 1.61%
and µ 1.33% for CS=2, 3, 4 and 5, respectively. As CS
and mSAL’s sensitivity increases, lower BER could be
achieved (see Fig. 8(b)). Table 1 presents a comparison
between different proposed ReRAM PUFs. As the Table
suggests, the proposed nrPUF could potentially achieve
a closer performance metrics to the ideal, while all cited
works have used similar mix of experimental-simulation
analysis.
10
TABLE 1: Comparison of crossbar PUFs.
NanoPPUF M-PUF MemristorPUF mrSPUF CPR-PUF nrPUF
Reference [61] [62] [63] [64], [65] [11] This work
Crossbar 4×4 8 bits 1MB cells 128×128 1024×1024 2×128×128
Minimum cell size 6F 2 – 4F 2 4F 2 4F 2 2×4F 2
Memory state LRS/HRS LRS/HRS – LRS HRS HRS
Uniqueness (%) 49 49.85 ∼ 48/50/55(BC/Typ/WC) 50.07 ∼ 49.95 49.85
Reliability (%) – – – 92.5(WC) ∼ 98 98.67
Diffuseness (%) 49 – – 49.96 – 49.86
Uniformity (%) – 49.99 – 50.76 – 47.28
Bit-aliasing (%) – 49.99 – 49.99 – 47.48
CRPs calculation – – –
N×(Mi )×(
M−i
i )
2
(
N
2
)× (M
2
) (
N
5
)× (M
2
)× log2 (M2 )
Total CRPs† – – – ∼ 3.7× 1018 ∼ 106 ∼ 2.7× 1013
BC: Best-case
F : ReRAM feature size
Typ: Typical-case
WC: Worst-case
†: Calculated for N=M=128 and i=5 for mrSPUF.
– Not mentioned
Excluding peripheral circuitry contribution, experi-
mentally measured worst-case power consumption per
ReRAM per response bit considering READ voltage of
100 mV results power consumptions as low as 100 nW.
While simple estimation of power consumption based
on this figure will be far from realistic total power
consumption, specially by mSAL, it raises confidence
in applicability of nrPUF. It is worth noting ReRAM
arrays consume almost zero power while on stand-by.
Data retention at the mentioned READ voltages has
also been guaranteed for years at 85◦ C. Unlike start-up
issues with SRAM-PUF [68], we believe nrPUF should
provide a more reliable power-up phase thanks to their
non-volatility and long data retention. According to our
experimental observations of fastest pulse measurements
using Keithley 4225-PMU, peripheral circuitry would
dominate nrPUF throughput, which can be designed to
have a range of operational speeds including slow read-
outs as suggested in Ref. [69].
4 CONCLUSION
In summary, we present a novel nrPUF based on mea-
sured data collected from a range of ReRAM devices on
one or multiple dies, fabricated under identical condi-
tions. nrPUF utilizes a relatively simple ReRAM crossbar
structure, minimizing its design phase to nanofabrica-
tion masks design. To improve unpredictability, nrPUF
utilizes two crossbars with a hidden challenge passing
from the first part to the second. We demonstrated
that such feature could improve avalanche behavior
and uniformity while maintaining other performance
metrics close to ideal. Various PUF performance met-
rics have be analyzed. A uniformity of 47.28%, bit-
aliasing of 47.48%, diffuseness of 49.86% and unique-
ness of 49.85% are found. The PUF’s multiple column
selection flexibility also offered a reliability of 98.67%
under extreme process, voltage, temperature and sensing
margin fluctuations. Additionally, we utilized a set of
dummy ReRAMs to reduce nrPUF’s supply power SNR,
although our read-out circuitry resulted in no meaning-
ful relationship between power consumption and output
bit generation of “1” or “0”. ReRAM devices in nrPUF
are programmed in their HRS to (1) take advantage of
highly spatially driven variations in HRS and (2) reduces
power consumption. Crossbar aspects such as resistance-
pattern dependent sneak current paths (parasitic current
via neighboring cells) are also intrinsically contributing
to nrPUF performance but their specific role in nrPUF
operation is currently under investigation.
REFERENCES
[1] S. Choi, P. Sheridan, and W. D. Lu, “Data clustering using
memristor networks,” Scientific Reports, vol. 5, 2015.
[2] R. Legenstein, “Computer science: Nanoscale connections for
brain-like circuits,” Nature, vol. 521, no. 7550, pp. 37–38, 2015.
[3] M. Prezioso, F. Merrikh-Bayat, B. Hoskins, G. Adam, K. K.
Likharev, and D. B. Strukov, “Training and operation of an inte-
grated neuromorphic network based on metal-oxide memristors,”
Nature, vol. 521, no. 7550, pp. 61–64, 2015.
[4] R. Waser and M. Aono, “Nanoionics-based resistive switching
memories,” Nature Materials, vol. 6, no. 11, pp. 833–840, 2007.
[5] H.-S. P. Wong and S. Salahuddin, “Memory leads the way to better
computing,” Nature Nanotechnology, vol. 10, no. 3, pp. 191–194,
2015.
[6] P. W. Coteus, J. U. Knickerbocker, C. H. Lam, and Y. A. Vlasov,
“Technologies for exascale systems,” IBM Journal of Research and
Development, vol. 55, no. 5, pp. 14–1, 2011.
[7] I. Valov, E. Linn, S. Tappertzhofen, S. Schmelzer, J. Van den
Hurk, F. Lentz, and R. Waser, “Nanobatteries in redox-based
resistive switches require extension of memristor theory,” Nature
Communications, vol. 4, p. 1771, 2013.
[8] R. Waser, R. Dittmann, G. Staikov, and K. Szot, “Redox-based
resistive switching memories–nanoionic mechanisms, prospects,
and challenges,” Advanced materials, vol. 21, no. 25-26, pp. 2632–
2663, 2009.
[9] D. B. Strukov, “Endurance-write speed tradeoffs in nonvolatile
memories,” Applied Physics A, vol. 122, no. 4, pp. 1–4, 2016.
11
[10] K. Tsunoda, K. Kinoshita, H. Noshiro, Y. Yamazaki, T. Iizuka,
Y. Ito, A. Takahashi, A. Okano, Y. Sato, T. Fukano et al., “Low
power and high speed switching of Ti-doped NiO ReRAM under
the unipolar voltage source of less than 3 V,” in IEEE International
Electron Devices Meeting (IEDM), 2007, pp. 767–770.
[11] P.-Y. Chen, R. Fang, R. Liu, C. Chakrabarti, Y. Cao, and S. Yu,
“Exploiting resistive cross-point array for compact design of
physical unclonable function,” in IEEE International Symposium on
Hardware Oriented Security and Trust–HOST, 2015, pp. 26–31.
[12] Z. Hu, J. M. M. L. Comeras, H. Park, J. Tang, A. Afzali, G. S.
Tulevski, J. B. Hannon, M. Liehr, and S.-J. Han, “Physically
unclonable cryptographic primitives using self-assembled carbon
nanotubes,” Nature Nanotechnology, vol. 11, no. 6, pp. 559–565,
2016.
[13] C. Konstantinou, M. Maniatakos, F. Saqib, S. Hu, J. Plusquellic,
and Y. Jin, “Cyber-physical systems: A security perspective,” in
20th IEEE European Test Symposium (ETS), 2015, pp. 1–8.
[14] G. E. Suh and S. Devadas, “Physical unclonable functions for
device authentication and secret key generation,” in Proceedings
of the 44th annual Design Automation Conference, 2007, pp. 9–14.
[15] E. Damiani, S. D. C. di Vimercati, and P. Samarati, “New
paradigms for access control in open environments,” in Proceed-
ings of the 5th IEEE International Symposium on Signal Processing
and Information Technology, 2005, pp. 540–545.
[16] J. Rajendran, R. Karri, J. B. Wendt, M. Potkonjak, N. McDonald,
G. S. Rose, and B. Wysocki, “Nano meets security: Exploring
nanoelectronic devices for security applications,” Proceedings of
the IEEE, vol. 103, no. 5, pp. 829–849, 2015.
[17] B. Sˇ koric´, P. Tuyls, and W. Ophey, “Robust key extraction
from physical uncloneable functions,” in Applied Cryptography and
Network Security, 2005, pp. 407–422.
[18] V. van der Leest and P. Tuyls, “Anti-counterfeiting with hardware
intrinsic security,” in IEEE Design, Automation & Test in Europe
Conference & Exhibition (DATE), 2013, pp. 1137–1142.
[19] J. Guajardo, S. S. Kumar, G. J. Schrijen, and P. Tuyls, “Brand
and IP protection with physical unclonable functions,” in IEEE
International Symposium on Circuits and Systems (ISCAS), 2008, pp.
3186–3189.
[20] D. C. Ranasinghe and P. H. Cole, “Confronting security and
privacy threats in modern RFID systems,” in Fortieth Asilomar
Conference on Signals, Systems and Computers (ACSSC), 2006, pp.
2058–2064.
[21] S. Devadas, E. Suh, S. Paral, R. Sowell, T. Ziola, and V. Khan-
delwal, “Design and implementation of PUF-based ‘unclonable’
RFID ICs for anti-counterfeiting and security applications,” in
IEEE International conference on RFID, 2008, pp. 58–64.
[22] P. H. Cole and D. C. Ranasinghe, “Networked RFID systems and
lightweight cryptography,” London, UK: Springer. doi, vol. 10, pp.
978–3, 2008.
[23] K. Auguste, “La cryptographie militaire,” Journal des sciences
militaires, vol. 9, pp. 5–38, 1883.
[24] L. Zhang, Z. H. Kong, C.-H. Chang, A. Cabrini, and G. Torelli,
“Exploiting process variations and programming sensitivity of
phase change memory for reconfigurable physical unclonable
functions,” IEEE Transactions on Information Forensics and Security,
vol. 9, no. 6, pp. 921–932, 2014.
[25] J. Zhang, Y. Lin, Y. Lyu, and G. Qu, “A PUF-FSM binding
scheme for FPGA IP protection and pay-per-device licensing,”
IEEE Transactions on Information Forensics and Security, vol. 10,
no. 6, pp. 1137–1150, 2015.
[26] L. Zhang, X. Fong, C.-H. Chang, Z. H. Kong, and K. Roy, “Highly
reliable spin-transfer torque magnetic ram-based physical unclon-
able function with multi-response-bits per cell,” IEEE Transactions
on Information Forensics and Security, vol. 10, no. 8, pp. 1630–1642,
2015.
[27] H. Nili, S. Walia, A. E. Kandjani, R. Ramanathan, P. Gutruf,
T. Ahmed, S. Balendhran, V. Bansal, D. B. Strukov, O. Kavehei
et al., “Donor-induced performance tuning of amorphous SrTiO3
memristive nanodevices: Multistate resistive switching and me-
chanical tunability,” Advanced Functional Materials, vol. 25, no. 21,
pp. 3172–3182, 2015.
[28] D. Lim, J. W. Lee, B. Gassend, G. E. Suh, M. Van Dijk, and
S. Devadas, “Extracting secret keys from integrated circuits,” IEEE
Transactions on Very Large Scale Integration (VLSI) Systems, vol. 13,
no. 10, pp. 1200–1205, 2005.
[29] B. Gassend, D. Lim, D. Clarke, M. Van Dijk, and S. Devadas,
“Identification and authentication of integrated circuits,” Concur-
rency and Computation: Practice and Experience, vol. 16, no. 11, pp.
1077–1098, 2004.
[30] J. Guajardo, S. S. Kumar, G.-J. Schrijen, and P. Tuyls, “FPGA
intrinsic PUFs and their use for IP protection,” in International
workshop on Cryptographic Hardware and Embedded Systems, 2007,
pp. 63–80.
[31] D. E. Holcomb, W. P. Burleson, K. Fu et al., “Initial SRAM state as
a fingerprint and source of true random numbers for RFID tags,”
in Proceedings of the Conference on RFID Security, vol. 7, 2007.
[32] S. S. Kumar, J. Guajardo, R. Maes, G.-J. Schrijen, and P. Tuyls, “The
butterfly PUF protecting IP on every FPGA,” in IEEE International
Workshop on Hardware-Oriented Security and Trust–HOST, 2008, pp.
67–70.
[33] Y. Su, J. Holleman, and B. P. Otis, “A digital 1.6 pJ/bit chip
identification circuit using process variations,” IEEE Journal of
Solid-State Circuits, vol. 43, no. 1, pp. 69–77, 2008.
[34] U. Ruhrmair, J. Solter, F. Sehnke, X. Xu, A. Mahmoud, V. Stoy-
anova, G. Dror, J. Schmidhuber, W. Burleson, and S. Devadas,
“PUF modeling attacks on simulated and silicon data,” IEEE
Transactions on Information Forensics and Security, vol. 8, no. 11,
pp. 1876–1891, 2013.
[35] Defense Advanced Research Projects Agency (DARPA), Microsys-
tems Technology Office/MTO Broad Agency Announcement.
(2014) Supply chain hardware integrity for electronics defense
(SHIELD).
[36] H. Nili, S. Walia, S. Balendhran, D. B. Strukov, M. Bhaskaran,
and S. Sriram, “Nanoscale resistive switching in amorphous
perovskite oxide (a-SrTiO3) memristors,” Advanced Functional Ma-
terials, vol. 24, no. 43, pp. 6741–6750, 2014.
[37] B. Razavi, “The StrongARM latch: A circuit for all seasons,” IEEE
Solid-State Circuits Magazine, vol. 7, no. 2, pp. 12–17, 2015.
[38] T. Kobayashi, K. Nogami, T. Shirotori, Y. Fujimoto, and O. Watan-
abe, “A current-mode latch sense amplifier and a static power
saving input buffer for low-power architecture,” in Symposium on
VLSI Circuits, 1992, pp. 28–29.
[39] P. R. Kinget, “Device mismatch and tradeoffs in the design of
analog circuits,” IEEE Journal of Solid-State Circuits, vol. 40, no. 6,
pp. 1212–1224, 2005.
[40] M. J. Pelgrom, A. C. Duinmaijer, A. P. Welbers et al., “Matching
properties of MOS transistors,” IEEE Journal of solid-state circuits,
vol. 24, no. 5, pp. 1433–1439, 1989.
[41] R. A. Rueppel, “Correlation immunity and the summation gener-
ator,” in Advances in Cryptology–CRYPTO’85 Proceedings, 1985, pp.
260–272.
[42] A. Maiti, I. Kim, and P. Schaumont, “A robust physical unclonable
function with enhanced challenge-response set,” IEEE Transactions
on Information Forensics and Security, vol. 7, no. 1, pp. 333–345,
2012.
[43] M. Rostami, M. Majzoobi, F. Koushanfar, D. Wallach, and S. De-
vadas, “Robust and reverse-engineering resilient PUF authentica-
tion and key-exchange by substring matching,” IEEE Transactions
on Emerging Topics in Computing, vol. 2, no. 1, pp. 37–49, 2014.
[44] A. F. Webster and S. E. Tavares, “On the design of S-boxes,” in
Advances in Cryptology–CRYPTO’85 Proceedings, 1985, pp. 523–534.
[45] M. Majzoobi, F. Koushanfar, and M. Potkonjak, “Testing tech-
niques for hardware security,” in IEEE International Test Conference
(ITC), 2008, pp. 1–10.
[46] K. F. Majzoobi, Mehrdad and M. Potkonjak, “Techniques for
design and implementation of secure reconfigurable PUFs,” ACM
Transactions on Reconfigurable Technology and Systems (TRETS),
vol. 2, no. 1, pp. 5:1–5:33, 2009.
[47] U. Ru¨hrmair, F. Sehnke, J. So¨lter, G. Dror, S. Devadas, and
J. Schmidhuber, “Modeling attacks on physical unclonable func-
tions,” in Proceedings of the 17th ACM Conference on Computer and
Communications Security, 2010, pp. 237–249.
[48] S. Tajik, E. Dietz, S. Frohmann, J.-P. Seifert, D. Nedospasov,
C. Helfmeier, C. Boit, and H. Dittrich, “Physical characterization
of arbiter PUFs,” in International Workshop on Cryptographic Hard-
ware and Embedded Systems, 2014, pp. 493–509.
[49] M. Majzoobi, M. Rostami, F. Koushanfar, D. Wallach, and S. De-
vadas, “Slender PUF protocol: A lightweight, robust, and secure
authentication by substring matching,” in IEEE Symposium on
Security and Privacy Workshops-SPW, 2012, pp. 33–44.
12
[50] M. Roel, “Physically unclonable functions: Constructions, proper-
ties and applications,” Ph.D. dissertation, Ph. D. thesis, Disserta-
tion, University of KU Leuven, 2012.
[51] C. Helfmeier, C. Boit, D. Nedospasov, and J.-P. Seifert, “Cloning
physically unclonable functions,” in IEEE International Symposium
on Hardware-Oriented Security and Trust–HOST, 2013, pp. 1–6.
[52] U. Ru¨hrmair, H. Busch, and S. Katzenbeisser, “Strong PUFs:
models, constructions, and security proofs,” in Towards Hardware-
Intrinsic Security. Springer, 2010, pp. 79–96.
[53] L. Zhang, X. Fong, C.-H. Chang, Z. H. Kong, and K. Roy,
“Optimizating emerging nonvolatile memories for dual-mode
applications: Data storage and key generator,” IEEE Transactions
on Computer-Aided Design of Integrated Circuits and Systems, vol. 34,
no. 7, pp. 1176–1187, 2015.
[54] P. Kocher, J. Jaffe, B. Jun, and P. Rohatgi, “Introduction to differ-
ential power analysis,” Journal of Cryptographic Engineering, vol. 1,
no. 1, pp. 5–27, 2011.
[55] T. S. Messerges, E. A. Dabbish, and R. H. Sloan, “Examining
smart-card security under the threat of power analysis attacks,”
IEEE Transactions on Computers, vol. 51, no. 5, pp. 541–552, 2002.
[56] E. Brier, C. Clavier, and F. Olivier, “Correlation power analysis
with a leakage model,” in International Workshop on Cryptographic
Hardware and Embedded Systems, 2004, pp. 16–29.
[57] Y. Fei, Q. Luo, and A. A. Ding, “A statistical model for DPA with
novel algorithmic confusion analysis,” in International Workshop on
Cryptographic Hardware and Embedded Systems, 2012, pp. 233–250.
[58] Q. Luo and Y. Fei, “Algorithmic collision analysis for evaluating
cryptographic systems and side-channel attacks,” in IEEE Interna-
tional Symposium on Hardware-Oriented Security and Trust (HOST),
2011, pp. 75–80.
[59] Y. Fei, A. A. Ding, J. Lao, and L. Zhang, “A statistics-based funda-
mental model for side-channel attack analysis.” IACR Cryptology
ePrint Archive, vol. 2014, p. 152, 2014.
[60] Y. Hori, T. Yoshida, T. Katashita, and A. Satoh, “Quantitative and
statistical performance evaluation of arbiter physical unclonable
functions on FPGAs,” in IEEE International Conference on Reconfig-
urable Computing and FPGAs (ReConFig), 2010, pp. 298–303.
[61] J. Rajendran, G. S. Rose, R. Karri, and M. Potkonjak, “Nano-PPUF:
A memristor-based security primitive,” in IEEE Computer Society
Annual Symposium on VLSI (ISVLSI), 2012, pp. 84–87.
[62] G. S. Rose, N. McDonald, L.-K. Yan, and B. Wysocki, “A write-
time based memristive PUF for hardware security applications,”
in IEEE/ACM International Conference on Computer-Aided Design
(ICCAD), 2013, pp. 830–833.
[63] P. Koeberl, U¨. Kocabas¸ , and A.-R. Sadeghi, “Memristor PUFs:
a new generation of memory-based physically unclonable func-
tions,” in Proceedings of the Conference on Design, Automation and
Test in Europe, 2013, pp. 428–431.
[64] Y. Gao, D. C. Ranasinghe, S. F. Al-Sarawi, O. Kavehei, and D. Ab-
bott, “Memristive crypto primitive for building highly secure
physical unclonable functions,” Scientific Reports, vol. 5, 2015.
[65] ——, “mrPUF: A novel memristive device based physical unclon-
able function,” in Applied Cryptography and Network Security, 2015,
pp. 595–615.
[66] M. D. Yu and S. Devadas, “Secure and robust error correction
for physical unclonable functions,” IEEE Design Test of Computers,
vol. 27, no. 1, pp. 48–65, 2010.
[67] Y. Oren, A.-R. Sadeghi, and C. Wachsmann, “On the effectiveness
of the remanence decay side-channel to clone memory-based
PUFs,” in International Workshop on Cryptographic Hardware and
Embedded Systems, 2013, pp. 107–125.
[68] M. Cortez, A. Dargar, S. Hamdioui, and G.-J. Schrijen, “Modeling
SRAM start-up behavior for physical unclonable functions,” in
2012 IEEE International Symposium on Defect and Fault Tolerance in
VLSI and Nanotechnology Systems (DFT), 2012, pp. 1–6.
[69] U. Ru¨hrmair, C. Jaeger, M. Bator, M. Stutzmann, P. Lugli, and
G. Csaba, “Applications of high-capacity crossbar memories in
cryptography,” IEEE Transactions on Nanotechnology, vol. 10, no. 3,
pp. 489–498, 2011.
