Detecting Recycled Commodity SoCs: Exploiting Aging-Induced SRAM PUF
  Unreliability by Gao, Yansong et al.
Yansong Gao^{a,∗}, Hua Ma^{b}, Said F. Al-Sarawi^{a}, Derek Abbott^{a}, Damith C. Ranasinghe^{b}
^{a} School of Electrical and Electronic Engineering, The University of Adelaide, Adelaide, SA 5005, Australia
^{b} School of Computer Science, The University of Adelaide, SA 5005, Australia
Abstract
A physical unclonable function (PUF), analogous to a human fingerprint, has gained an enormous amount of attention from both academia and industry. The SRAM PUF is one of the popular silicon PUF constructions; it exploits the random initial power-up states of SRAM cells to extract hardware-intrinsic secrets for identification and key generation applications. The advantage of SRAM PUFs is that they are widely embedded in commodity devices, so such a PUF is obtained without a custom design and virtually free of implementation costs. A phenomenon known as ‘aging’ alters the consistent reproducibility (reliability) of the responses that can be extracted from a readout of a set of SRAM PUF cells. Similar to how a PUF exploits undesirable manufacturing randomness to generate a hardware-intrinsic fingerprint, the SRAM PUF unreliability induced by aging can be exploited to detect recycled commodity devices at no additional cost to the device. In this context, the SRAM PUF itself acts as an aging sensor by exploiting responses sensitive to aging. We use SRAMs available in pervasively deployed commercial off-the-shelf micro-controllers for experimental validation, which complements recent work demonstrated on FPGA platforms, and we present a simplified detection methodology along with experimental results. We show that less than 1,000 SRAM responses are adequate to guarantee that both the false acceptance rate and the false rejection rate are no more than 0.001.
Keywords: Anti-counterfeiting, Recycled SoCs, SRAM PUF, hardware security
1. Introduction
Electronic components are increasingly integrated and introduced into every domain of our lives. They are pervasively employed in Internet of Things (IoT) devices, from wireless sensors in smart homes and health-care applications in civilian use cases to military and aerospace components in defense. However, over the past decade, counterfeit electronic components or integrated circuits (ICs) have flooded into every aspect of supply chains [1]. Counterfeit ICs pose great concerns for: i) governments, threatening national security or civilian safety, since their poor quality leads to lower performance or malfunctions that may result in critical system failures (e.g., in transportation, hospital and power-station facilities), in addition to tax revenue losses; ii) industry, where they cause direct revenue loss and further ruin brand value; iii) consumers, where they can induce potential safety concerns when employed in security- or health-critical applications, due to their low quality and reliability issues [2].
∗Corresponding author
Email addresses: yansong.gao@adelaide.edu.au (Yansong
Gao), mary.ma@adelaide.edu.au (Hua Ma),
said.alsarawi@adelaide.edu.au (Said F. Al-Sarawi),
derek.abbott@adelaide.edu.au (Derek Abbott),
damith.ranasinghe@adelaide.edu.au (Damith C. Ranasinghe)
Combating counterfeit ICs involves securing untrusted supply chains resulting from the globalization of the semiconductor industry; one needs to trace, check and detect counterfeits along the supply chain within their life-cycles. Among various countermeasures, the physical unclonable function (PUF) is one promising lightweight hardware security primitive that assigns each IC a unique identifier upon its creation, similar to the fingerprints of humans [3, 4, 5, 6]. Since a PUF exploits manufacturing randomness, it is impossible for the counterfeiter to physically clone such instance-specific identifiers at the atom-by-atom level. Thus, the PUF is able to prevent counterfeit ICs from several sources, including cloned and overproduced ones. However, PUFs were not considered for detecting remarked and recycled counterfeit ICs [2] until the recent work in [7]. Extending the PUF’s functionality to detect remarked or recycled ICs is considerably valuable, as they contribute to more than 80% of reported counterfeit incidents [8].
Previous PUF applications focused on identification or authentication and key generation [9, 10]. In both, it is desirable for a PUF to regenerate the same response (output) when queried by the same challenge (input). However, in practice, the reliability of responses corresponding to certain challenges is affected by variations in environmental factors and aging effects. In typical PUF-based applications, for instance, cryptographic key generation requiring highly stable responses [11], it is imperative to improve PUF reliability and correct potential bit errors prior to deriving a key. In PUF-based authentication applications [12, 3], it is still preferable to maximize reliability to reduce the number of response bits needed to uniquely identify a PUF instance from a large population and increase the complexity of modeling attacks by an adversary [13, 14, 15].
Figure 1: SRAM cell [19]. The $V_{th}$ difference between the transistors results in repeatable random power-up states of either ‘1’ or ‘0’.
Preprint submitted to Integration, The VLSI Journal, April 4, 2019
arXiv:1705.07375v1 [cs.CR] 21 May 2017
In contrast, we take advantage of the unavoidable unreliability of responses resulting from aging effects to sense, with a high degree of assurance, the period of aging experienced by PUF-integrated ICs. In particular, we consider exploiting SRAM PUFs, which are available in most commodity electronic systems or system on chips (SoCs) and require neither additional area cost nor custom modification, to detect recycled commodity SoCs. The SRAM PUF is more suitable in this context than other popular silicon PUF structures such as Arbiter PUFs (APUFs) and Ring Oscillator PUFs (ROPUFs) [16, 17, 18], which do require additional cost such as adding logic circuitry into existing electronic components using customized designs. Our work complements the recent work in [7], which utilizes SRAM PUFs to detect recycled devices and was demonstrated on FPGA platforms. We summarize our contributions below:
1. We evaluate and validate the detection of recycled SoCs using ubiquitously deployed micro-controllers that are commonly embedded with SRAM memories.
2. We develop a simplified aging sensitive response (ASR) selection methodology and detail how to systematically evaluate and quantify the detection capability. The detection is cost-free to the commodity SoCs since all the computations are left to the resource-rich verifier that carries out the detection.
3. Our investigations with experimental results demonstrate that the aging-induced unreliability of SRAM PUFs in SoCs can effectively detect recycled SoCs with very high accuracy. Our ASR methodology allows the use of less than 1,000 SRAM responses to ensure that both the false rejection rate (FRR) and the false acceptance rate (FAR) are less than 0.001. In addition, experimental results validate that the detection accuracy increases with prolonged aging periods.
The rest of the paper is organized as follows. Related work is introduced in Section 2. In Section 3, we detail the simplified ASR selection methodology and how to systematically evaluate the detection capability. The simplified response selection approach used during the provisioning phase is introduced in order to improve the detection efficiency in the recycled hardware detection phase by employing responses that are more sensitive to aging effects. Comprehensive experimental results from SRAM PUFs embedded in off-the-shelf commodity microcontrollers are then given in Section 4. In Section 5 we conclude this article.
2. Background and Related Work
2.1. SRAM PUF
Unlike the other two popular silicon PUF constructions, ROPUFs and APUFs, which exploit time delay differences [3] to extract secrets, SRAM PUFs [20, 19] leverage the threshold voltage $V_{th}$ mismatch between the two cross-coupled inverters of a SRAM cell resulting from manufacturing randomness. As a memory cell, a write operation forces the SRAM cell to transition into one of two digital states, e.g., ‘0’ or ‘1’. When a cell is powered up or no write operation has occurred, the SRAM cell tends to prefer a repeatable power-up state (also referred to as a response), either ‘1’ (AB=01) or ‘0’ (AB=10). As an example, if $V_{th,P1}$ is slightly smaller than $V_{th,P2}$, then at power-up M1 starts conducting before M2, thus A = 1. This in turn prevents M2 from switching on. As a consequence, the SRAM cell at power-up prefers to be ‘0’ (AB=10). A larger $|V_{th,P1} - V_{th,P2}|$ leads to more repeatable power-up states, or more reliable responses when the cell is used to regenerate the response. Such a repeatable power-up state differs from cell to cell and from chip to chip as well; thus, a map of the power-up states of a set of SRAM cells can be treated as a unique identifier, or the SRAM memory array can be treated as a PUF. In particular, the readout SRAM power-up state is referred to as the response, while the address of the SRAM cell is referred to as the challenge.
2.2. Sensing Aging with SRAM PUFs
However, some SRAM PUF responses are not reproducible due to the fact that the $V_{th}$ difference of a selected cell is not dominant in the presence of noise from environmental factors, such as supply voltage and temperature variations, and aging effects. In elementary PUF-oriented identification and authentication applications, those unreliable responses are undesirable. In contrast, and just as undesirable fabrication randomness is extracted to create instance-specific PUFs to derive a physically inseparable trust anchor for a hardware device, a PUF response’s sensitivity to environmental factors and aging can also be utilized to secure sensing. In this context, sensing functionality is derived from a PUF and the PUF lends itself as a sensor to guarantee the veracity of sensed data [21, 22, 23, 7, 24].
Detecting recycled devices using SRAM PUFs by considering those PUF responses that are sensitive to aging effects recently received attention and was initially investigated in [7]. Guo et al. used SRAM cells in FPGA platforms for experimental validation. We complement this initial investigation using SRAM memory in pervasively deployed off-the-shelf micro-controllers, as they are commonly deployed in many SoCs ranging from home appliances to various sensors in the Internet of Things (IoT) era. We present a simpler methodology for selecting aging sensitive response bits and detail a systematic approach to evaluate and quantify the recycled SoC detection capability, supported by experimental data.
2.3. SRAM Aging
Silicon IC performance deteriorates gradually over time owing to various factors such as hot carrier injection (HCI), time-dependent dielectric breakdown (TDDB) and bias temperature instability (BTI) [25, 7]. Negative BTI (NBTI) is the dominant aging effect in modern ICs, especially for switched-on pMOS transistors [25].
The NBTI effect increases the threshold voltage of a pMOS transistor when the transistor is ‘on’. Consider the example in Section 2.1, where the SRAM is powered up without a write operation, and suppose we already know that AB=10, where M1 is ‘on’ and experiences a gradually increasing $V_{th,P1}$ due to NBTI, while $V_{th,P2}$ remains unchanged or changes negligibly with respect to $V_{th,P1}$. Hence, over time, $V_{th,P1} > V_{th,P2}$. As a consequence, the regenerated responses over the life of such cells tend to shift from being reliably generated ‘0’ to ‘1’. Though anti-aging strategies are possible [25], their high time and monetary cost prohibits a counterfeiter from applying them, especially for low-end ICs. The bit flipping over time caused by the response sensitivity to aging is undesirable for conventional PUF applications, but can be exploited to detect recycled commodity SoCs widely embedded with SRAM memories.
3. Detection Methodology
Only a small fraction of SRAM responses are sensitive to aging over time; we will experimentally show this in Section 4. In other words, most response bits are actually reproduced consistently across a wide range of operating conditions and aging effects. Such response bits are desirable for elementary PUF authentication and key generation applications, but cannot be utilized for sensing aging as they are invariant to aging effects.
Therefore, we first need to efficiently select and determine those ASRs during the provisioning phase (after the SoCs are fabricated but prior to being delivered through an insecure supply chain) to facilitate detection of recycled SoCs in the detection phase later on. Hence, we develop a simplified methodology for selecting and determining ASRs, and then elaborate on how to systematically evaluate the detection capability utilizing those ASRs.
Before delving into detailed descriptions, we give a number of useful definitions to ease the following descriptions, especially the systematic detection capability evaluations.
3.1. Preliminaries
Definition 1. InterA-distance. The interA-distance is a random variable describing the distance between two PUF responses $R^{\mathrm{PreA}}$, $R^{\mathrm{PostA}}$ produced before aging and after aging by applying the same challenge (address in case of a SRAM PUF) to the same PUF, hence,
$$D_{\mathrm{interA}} = \mathrm{dist}(R^{\mathrm{PreA}}, R^{\mathrm{PostA}}) \tag{1}$$
where $R^{\mathrm{PreA}}$, $R^{\mathrm{PostA}}$ are two responses generated before and after aging by applying the same challenge to the same PUF.
Definition 2. IntraA-distance. The intraA-distance is a random variable describing the distance between two PUF responses $R^{A}$, $R^{A'}$ re-evaluated on the same PUF, using the same challenge before aging.
$$D_{\mathrm{intraA}} = \mathrm{dist}(R^{A}, R^{A'}) \tag{2}$$
where $R^{A}$, $R^{A'}$ are two responses obtained from the same PUF using the same chosen challenge before aging.
The dist(.;.) can be any well-defined and appropriate distance metric over the responses. In this paper, responses are always bit vectors and the used distance metric is Hamming distance (HD) or fractional Hamming distance formally defined below:
Definition 3. Hamming distance. For bit vectors $X_1$ and $X_2$ with the same length $l$, the HD between them is defined as:
$$f_{\mathrm{HD}}(X_1, X_2) = \sum_{i=1}^{l} X_1 \oplus X_2. \tag{3}$$
Definition 4. Fractional Hamming distance. Built upon Eq. (3), the fractional Hamming distance (FHD) is defined as:
$$f_{\mathrm{FHD}}(X_1, X_2) = \frac{f_{\mathrm{HD}}(X_1, X_2)}{l}. \tag{4}$$
Readers who are familiar with PUFs will notice that the definition of the interA-distance is similar to the inter-distance of PUFs, which measures the difference between two responses from two distinct PUF instances given the same challenge. The difference is that the interA-distance is evaluated across differing aging periods on the same PUF instance, whereas the inter-distance is evaluated across different PUF instances.
The intraA-distance is similar to the intra-distance of PUF responses, which measures the difference between two responses reproduced from two distinct evaluations by applying the same challenge to the same randomly chosen PUF instance. The main difference is that the intra-distance does not consider the source of aging; it simply treats any environmental fluctuation, e.g., supply voltage, temperature and also aging effects, as a noise source. In this work, however, we are able to finely fix the supply voltage and temperature, so only thermal noise is treated as a noise source. Aging is not a noise source but is exploited to detect aged devices.
Similar to the inter-distance and intra-distance distributions of PUFs explained in detail in [26], both the interA-distance and the intraA-distance can be assumed to follow a binomial distribution $B(n, p)$. The binomial probability estimators of the interA-distance and intraA-distance distributions are referred to as $\hat{p}_{\mathrm{interA}}$ and $\hat{p}_{\mathrm{intraA}}$, respectively. In general, $\hat{p}_{\mathrm{interA}}$ is the probability that $R^{\mathrm{PreA}} \neq R^{\mathrm{PostA}}$, see Definition 1, and $\hat{p}_{\mathrm{intraA}}$ is the probability that $R^{A} \neq R^{A'}$, see Definition 2.
3.2. Detecting Capability
Figure 2: Illustration of the distribution of interA-distance and intraA-distance for a 64-bit response.
Clearly, one single challenge-response pair (CRP) is not able to correctly detect an aged device. We need to use multiple response bits or a number of CRPs to minimize the error of: i) mistakenly accepting a response from a PUF that has not undergone aging, referred to as the false acceptance rate (FAR); and ii) falsely rejecting an authentic response when it is regenerated from an aged PUF, referred to as the false rejection rate (FRR). It is imperative to minimize both FAR and FRR in practice. More generally, FAR stands for the probability of incorrectly regarding a new device as an aged one, while FRR stands for the probability of an aged device being falsely rejected as a new device.
These two undesirable errors are illustrated in Fig. 2. The right tail of the intraA-distance distribution indicates the FRR, while the left tail of the interA-distance distribution depicts the FAR. Given the length of response bits or the number of CRPs, $n$, and the threshold $n_{th}$ used for achieving a desirable FAR and FRR, and considering that both the interA-distance and the intraA-distance follow a binomial distribution, FAR and FRR can be formally expressed following the work in [27, 26]:
$$\mathrm{FRR} = 1 - \sum_{i=0}^{n_{th}} \binom{n}{i} (\hat{p}_{\mathrm{intraA}})^{i} (1 - \hat{p}_{\mathrm{intraA}})^{(n-i)}, \tag{5}$$
$$\mathrm{FAR} = \sum_{i=0}^{n_{th}} \binom{n}{i} (\hat{p}_{\mathrm{interA}})^{i} (1 - \hat{p}_{\mathrm{interA}})^{(n-i)}. \tag{6}$$
Based on (5) and (6), we can see that the FRR and FAR depend on $\hat{p}_{\mathrm{intraA}}$ and $\hat{p}_{\mathrm{interA}}$, the threshold $n_{th}$, and the number of employed CRPs $n$. For example, supposing $n$ is 64 as shown in Fig. 2, a large $n_{th}$ benefits the false rejection rate but aggravates the false acceptance rate, and vice versa for a small $n_{th}$. We want to minimize both FAR and FRR in practice. There exists a threshold value that makes FAR and FRR equal. We refer to this threshold value of interest as the equal error threshold, termed $n_{\mathrm{EER}}$. Consequently, when both error rates are equal, we refer to this equal rate as the equal error rate (EER), following Roel’s work [26]. For a discrete distribution, there may not be an $n_{\mathrm{EER}}$ for which FAR is equal to FRR, and in that case, $n_{\mathrm{EER}}$ and EER are defined as in [26]:
$$n_{\mathrm{EER}} = \arg\min_{n_{th}} \{\max\{\mathrm{FAR}(n_{th}), \mathrm{FRR}(n_{th})\}\}, \tag{7}$$
$$\mathrm{EER} = \max\{\mathrm{FAR}(n_{\mathrm{EER}}), \mathrm{FRR}(n_{\mathrm{EER}})\}. \tag{8}$$
Given the binomial probability estimators $\hat{p}_{\mathrm{interA}}$ and $\hat{p}_{\mathrm{intraA}}$, the task is to find the minimal number of CRPs, $n$, that ensures an acceptable EER meeting the desired requirements.
To increase the capability of distinguishing recycled devices from new ones and to minimize both FAR and FRR, it is imperative to increase the difference between $\hat{p}_{\mathrm{intraA}}$ and $\hat{p}_{\mathrm{interA}}$. We can visually observe this in Fig. 2. For example, when the interA-distance distribution shifts to the right and the intraA-distance distribution stays the same, it is clear that both FAR and FRR will be reduced as the overlapped area becomes smaller. Therefore, we introduce an approach to select SRAM responses that are more sensitive to aging, in order to increase the difference between $\hat{p}_{\mathrm{intraA}}$ and $\hat{p}_{\mathrm{interA}}$.
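The following Python code is an added example, not code from the paper: it evaluates Eqs. (5) to (8) numerically under the binomial model, taking FRR as the intraA tail above $n_{th}$ and FAR as the interA mass at or below $n_{th}$. The function names and the linear scan for the smallest n are this example's own choices; the sample estimates 9.26% and 15.78% are the N = 9 row of Table 1, and 6% and 7% approximate the randomly selected responses of Section 4.1.

```python
from itertools import accumulate
from math import exp, lgamma, log


def binom_cdf(n, p):
    """[P(X <= k) for k = 0..n] with X ~ B(n, p); the PMF is built in log
    space so large n does not overflow the binomial coefficient."""
    log_p, log_q = log(p), log(1.0 - p)
    pmf = [
        exp(lgamma(n + 1) - lgamma(i + 1) - lgamma(n - i + 1)
            + i * log_p + (n - i) * log_q)
        for i in range(n + 1)
    ]
    return list(accumulate(pmf))


def far_frr(n, n_th, p_intra, p_inter):
    """Eq. (6) and Eq. (5) for one threshold n_th; returns (FAR, FRR)."""
    far = binom_cdf(n, p_inter)[n_th]
    frr = max(0.0, 1.0 - binom_cdf(n, p_intra)[n_th])
    return far, frr


def equal_error(n, p_intra, p_inter):
    """Eqs. (7)-(8): scan every threshold and keep the one that minimises
    max(FAR, FRR). Returns (n_EER, EER, FAR, FRR) for an n-bit response."""
    cdf_intra = binom_cdf(n, p_intra)
    cdf_inter = binom_cdf(n, p_inter)
    best = None
    for n_th in range(n + 1):
        far = cdf_inter[n_th]
        frr = max(0.0, 1.0 - cdf_intra[n_th])
        worst = max(far, frr)
        if best is None or worst < best[1]:
            best = (n_th, worst, far, frr)
    return best


def min_response_bits(p_intra, p_inter, target_eer, n_max=2000):
    """Smallest n (linear scan up to n_max) whose EER is below target_eer.
    Returns (n, n_EER, EER), or None if n_max is not enough."""
    for n in range(1, n_max + 1):
        n_eer, eer, _, _ = equal_error(n, p_intra, p_inter)
        if eer < target_eer:
            return n, n_eer, eer
    return None


if __name__ == "__main__":
    # Sample estimates taken from the page (Table 1, N = 9).
    P_INTRA_ASR, P_INTER_ASR = 0.0926, 0.1578
    # Approximate values for randomly selected responses (Section 4.1).
    P_INTRA_RAND, P_INTER_RAND = 0.06, 0.07

    print("ASR, n=551:", equal_error(551, P_INTRA_ASR, P_INTER_ASR))
    print("random, n=551:", equal_error(551, P_INTRA_RAND, P_INTER_RAND))
    print("min n for EER < 1e-2:",
          min_response_bits(P_INTRA_ASR, P_INTER_ASR, 1e-2))
```

With the same 551 bits, the two sample inputs show how much the gap between the two estimates matters: the closer they are, the more the distributions overlap and the larger the error at every threshold.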
3.3. Selecting ASRs
It has been shown that when a SRAM cell is under high temperature, $V_{th}$ increases in a similar manner to that caused by aging [7]. Therefore, during the provisioning phase, the SRAM PUF responses can be re-evaluated under room temperature (RT) and high temperature (HT), respectively, to select aging sensitive responses (ASRs). Notably, the high temperature setting is only necessary during the provisioning phase and is not required during the detection phase. The ASR selection follows Algorithm 1.
Algorithm 1 Selecting ASRs
    procedure SELECTION(PUF, RT, HT)
        for i = 1 : N do
            generating response r^RT_i under RT using PUF;
        end for
        for i = 1 : N do
            generating response r^HT_i under HT using PUF;
        end for
        if (all r^RT_i same) && (all r^HT_i same) && (r^RT ≠ r^HT) then
            select aging sensitive response r;
            return
        else
            discard response r;
            return
        end if
    end procedure
The proposed ASR selection method is straightforward and simpler in comparison with [7]. During the provisioning phase, the response r is regenerated N times under RT and HT, respectively. The response r is selected as an ASR when all regenerated values of r are the same under RT and the same under HT, but the two values are opposite. For example, if the regenerated r exhibits ‘1’ for all N evaluations under RT and ‘0’ for all N evaluations under HT, then this r is selected as an ASR. Otherwise, it is discarded and will not be utilized for detecting aged SoCs in the subsequent detection phase.
When ASRs are selected, their $\hat{p}_{\mathrm{intraA}}$ and $\hat{p}_{\mathrm{interA}}$ can be heuristically evaluated. We assume $\hat{p}_{\mathrm{intraA}}$ is less than $\hat{p}_{\mathrm{interA}}$, and this is true as we will show in Section 4.
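The selection rule of Algorithm 1 in Python, as an added example that is not the authors' code. `select_asrs` is the algorithm itself; the toy cell model around it (Gaussian mismatch, Gaussian thermal noise, a per-cell HT shift, and aging modelled as half of that shift) is an assumption made only to have readouts to run it on, not measured data.

```python
import random


def select_asrs(rt_reads, ht_reads):
    """Algorithm 1: return {address: reference RT bit} for the selected ASRs.

    rt_reads and ht_reads each hold N power-up readouts (lists of bits
    indexed by cell address, i.e. the challenge). A cell is kept only if all
    N room-temperature bits agree, all N high-temperature bits agree, and
    the two stable values are opposite.
    """
    selected = {}
    for addr in range(len(rt_reads[0])):
        rt_bits = {read[addr] for read in rt_reads}
        ht_bits = {read[addr] for read in ht_reads}
        if len(rt_bits) == 1 and len(ht_bits) == 1 and rt_bits != ht_bits:
            selected[addr] = rt_reads[0][addr]
    return selected


def fractional_hd(reference, readout):
    """Fractional Hamming distance (Eq. 4) between the stored ASR reference
    bits and the same addresses in a fresh readout."""
    if not reference:
        raise ValueError("no ASRs were selected")
    flips = sum(bit != readout[addr] for addr, bit in reference.items())
    return flips / len(reference)


# --- Toy cell model (assumption of this example, not measured data) --------
def power_up(mismatch, shift, noise_sigma, rng):
    """One readout: a cell powers up as 1 when mismatch + shift + noise > 0."""
    return [1 if m + s + rng.gauss(0.0, noise_sigma) > 0 else 0
            for m, s in zip(mismatch, shift)]


def run_demo(cells=10000, n_max=9, seed=1):
    """Provision with N = 3..n_max, then compare a new and an aged device.

    Returns (ASR count per N, FHD of a new device, FHD of an aged device),
    both distances measured on the ASRs selected with N = n_max.
    """
    rng = random.Random(seed)
    mismatch = [rng.gauss(0.0, 1.0) for _ in range(cells)]  # normalised Vth mismatch
    ht_shift = [rng.gauss(0.0, 0.3) for _ in range(cells)]  # change seen under HT
    no_shift = [0.0] * cells
    aged_shift = [0.5 * s for s in ht_shift]  # aging acts like a partial HT shift

    rt_reads = [power_up(mismatch, no_shift, 0.05, rng) for _ in range(n_max)]
    ht_reads = [power_up(mismatch, ht_shift, 0.05, rng) for _ in range(n_max)]

    # Using the first N readouts makes the selected sets nested in N.
    counts = {n: len(select_asrs(rt_reads[:n], ht_reads[:n]))
              for n in range(3, n_max + 1)}

    reference = select_asrs(rt_reads, ht_reads)
    fresh = fractional_hd(reference, power_up(mismatch, no_shift, 0.05, rng))
    aged = fractional_hd(reference, power_up(mismatch, aged_shift, 0.05, rng))
    return counts, fresh, aged


if __name__ == "__main__":
    counts, fresh, aged = run_demo()
    print("ASRs selected per N:", counts)
    print("FHD on ASRs, new device:  %.3f" % fresh)
    print("FHD on ASRs, aged device: %.3f" % aged)
```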
4. Experimental Results
4.1. Experiment Setup
The SRAM PUF CRP dataset is collected from three chipKIT Pro MX7 microcontroller boards. From each board, we read the power-up states of 262,144 SRAM cells as SRAM PUF responses. The nominal power supply voltage is 3.25 V. We are able to change the voltage from 3.125 V to 3.50 V. We found, however, that the voltage has negligible effects on the reliability of the SRAM PUF under test, which agrees with other experimental results [26]. Therefore, we focus on the SRAM PUF reliability performance shown in Fig. 3, that is, $\hat{p}_{\mathrm{intraA}}$ before aging, under nine different temperature corners: −5 °C, 15 °C, 25 °C, 35 °C, 45 °C, 55 °C, 65 °C, 75 °C, 85 °C. The room temperature of 25 °C is treated as the nominal or reference corner. We are mostly interested in the $\hat{p}_{\mathrm{intraA}}$ under RT, which is approximately 6%, as shown in Fig. 3.
To test the influence of aging on the reliability of the SRAM PUF responses, we put the microcontroller board in an oven at 80 °C to accelerate the aging. For the expected NBTI aging, the acceleration factor (AF) is expressed as [25]:
$$\mathrm{AF} = \left(\frac{V_{\mathrm{stress}}}{V_{\mathrm{nominal}}}\right)^{\frac{\alpha}{m}} \cdot \exp\left(\frac{E_{aa}}{k} \cdot \left(\frac{1}{T_{\mathrm{stress}}} - \frac{1}{T_{\mathrm{nominal}}}\right) \cdot \frac{1}{m}\right), \tag{9}$$
where the parameter settings are: the gate voltage exponent $\alpha = 3.5$; the time exponent $m = 0.25$; the apparent activation energy $E_{aa} = -0.02$ eV; and Boltzmann’s constant $k = 8.62 \times 10^{-5}$ eV/K. We only consider temperature-induced stress, where $V_{\mathrm{stress}} = V_{\mathrm{nominal}}$, $T_{\mathrm{stress}} = 80$ °C, $T_{\mathrm{nominal}} = 25$ °C. As a consequence, we obtain AF = 11.03.
Figure 3: $\hat{p}_{\mathrm{intraA}}$ of three SRAM PUFs across three microcontrollers under nine temperature corners; the reference temperature is 25 °C. [Plot: $\hat{p}_{\mathrm{intraA}}$ (%) versus temperature (°C) for SRAM PUF1, SRAM PUF2 and SRAM PUF3.]
Figure 4: $\hat{p}_{\mathrm{intraA}}$ and $\hat{p}_{\mathrm{interA}}$ of three SRAM PUFs evaluated under the nominal supply voltage, 3.25 V, and the nominal or room temperature, 25 °C. [Plot: probability (%) versus SRAM PUF No. for $\hat{p}_{\mathrm{intraA}}$, $\hat{p}_{\mathrm{interA}}$ and $\hat{p}_{\mathrm{interA}} - \hat{p}_{\mathrm{intraA}}$.]
After 48 hours of accelerated aging, which is equal to 22.1 days of effective NBTI device aging under normal working conditions in the field, we calculate the $\hat{p}_{\mathrm{interA}}$ under RT using a strategy of randomly selecting responses. The results in Fig. 4 imply that $\hat{p}_{\mathrm{interA}}$ is only slightly higher than $\hat{p}_{\mathrm{intraA}}$. More specifically, the difference between $\hat{p}_{\mathrm{interA}}$ and $\hat{p}_{\mathrm{intraA}}$ is only around 1%. This indicates that only a small fraction of responses are sensitive to aging. We can see from our analyses in Section 3.2 that using a random response selection strategy for recycled SoC detection is cumbersome.
Next, we first implement the ASR selection approach outlined in Algorithm 1 and then demonstrate the significantly improved difference between $\hat{p}_{\mathrm{interA}}$ and $\hat{p}_{\mathrm{intraA}}$, which consequently facilitates the detection capability.
4.2. ASR Detection Capability Results
We apply the ASR selection according to Algorithm 1. Note that both $\hat{p}_{\mathrm{intraA}}$ and $\hat{p}_{\mathrm{interA}}$ are functions of N, which is the number of times a response is re-evaluated under a given RT and HT. The purpose of the selection process is to increase the difference between $\hat{p}_{\mathrm{interA}}$ and $\hat{p}_{\mathrm{intraA}}$ whilst also making sure that $\hat{p}_{\mathrm{intraA}}$ is small as well. The means of $\hat{p}_{\mathrm{interA}}$, $\hat{p}_{\mathrm{intraA}}$, and $\hat{p}_{\mathrm{interA}} - \hat{p}_{\mathrm{intraA}}$ as a function of the N settings for the selected ASRs are depicted in Fig. 5 (a). We can see that $\hat{p}_{\mathrm{intraA}}$, when ASR selection is implemented, is always larger than the $\hat{p}_{\mathrm{intraA}}$ of around 6% without ASR selection (see Fig. 4); this is because the ASRs also tend to be erroneous when they are regenerated under RT before aging. However, $\hat{p}_{\mathrm{interA}}$ increases faster; therefore, a larger $\hat{p}_{\mathrm{interA}} - \hat{p}_{\mathrm{intraA}}$ is achieved. In addition, $\hat{p}_{\mathrm{intraA}}$ decreases as N increases, with a slightly improved $\hat{p}_{\mathrm{interA}} - \hat{p}_{\mathrm{intraA}}$. Overall, as we shall see in Table 1, a larger N yields a higher detection capability.
Figure 5: (a) Mean of $\hat{p}_{\mathrm{intraA}}$, $\hat{p}_{\mathrm{interA}}$ and $\hat{p}_{\mathrm{interA}} - \hat{p}_{\mathrm{intraA}}$ as a function of N. A larger $\hat{p}_{\mathrm{interA}} - \hat{p}_{\mathrm{intraA}}$ and, at the same time, a smaller $\hat{p}_{\mathrm{intraA}}$ are desirable in practice, which is achieved by increasing N. (b) Average number of selected ASRs as a function of N. [Plots: (a) probability (%) versus N; (b) number of ASRs versus N; N ranges from 3 to 9.]
In Fig. 5 (b), the number of selected ASRs out of 262,144 responses is depicted. We can expect the number of ASRs to decrease as N increases because fewer responses are able to satisfy the selection criterion in Algorithm 1. Therefore, a larger N leads to fewer selected ASRs but a higher sensitivity to aging for those selected ASRs.
In Table 1, we give the results of quantitative evaluations of n (the minimal bit length of the response to meet the EER) and of $n_{th}$ or $n_{\mathrm{EER}}$ of the SRAM PUF being used to detect recycled SoCs under different $\hat{p}_{\mathrm{interA}}$ and $\hat{p}_{\mathrm{intraA}}$. We can see from Table 1 that the necessary bit length n decreases as N increases. For example, n is reduced by more than 63% by increasing N from three to nine whilst both FAR and FRR are guaranteed to be less than 0.001. This validates the high efficacy of the presented ASR selection methodology. Using ASRs that are more sensitive to aging expedites the detection of recycled commodity SoCs, as fewer response bits need to be acquired during an evaluation. In addition, the volume needed to securely store reference ASRs in a database is reduced or relaxed.
Besides the above 48 hrs accelerated aging period, we also test the detection capability given two other accelerated aging periods: 18 hrs and 108 hrs, equal to 8.3 and 49.6 days of SoC operation in the field. The evaluated detection capability is detailed in Table 2. We set N = 9 for all evaluations. We can see that longer aging periods are easier to detect, requiring fewer ASRs while guaranteeing the same detection capability, e.g., EER threshold. In practice, given the same n, if the FAR is more critical than the FRR (this may be the case, as FAR poses a security concern by mistakenly accepting recycled SoCs), a smaller $n_{th}$ can be adopted.
5. Conclusion
In this study, we experimentally validate the use of embedded SRAMs in off-the-shelf microcontrollers to detect the periods that SoCs work in the field. It is validated that both FAR and FRR can be less than $10^{-4}$ when the SoC experiences only nine days of aging. The simplified ASR selection method considerably reduces the number of SRAM PUF response bits necessary to achieve the required detection capability by employing responses that exhibit higher sensitivity to aging effects. In addition, adding the ability of aging sensing to the popular SRAM PUF extends its function in securing IC supply chains, protecting not only against cloned and overproduced ICs but also against recycled ones. Most importantly, detection of recycled commercial SoCs embedded with SRAM memories requires no modification to the original design, and is thus cost-free.
Acknowledgment
This research was supported by the Australian Research Council Discovery Program (DP140103448). We acknowledge support from China Scholarship Council (201306070017). We thank Dr Alex Dinovitser for help with the oven setup and Mr Danny Di Giacomo for the experiment setup. We also thank Mr. Zimu Guo and Dr. Domenic Forte for useful discussions.
References
[1] K. M. Gregory, Counterfeit electronic parts flood U.S. market, accessed: 2017-02-05.
[2] U. Guin, K. Huang, D. DiMase, J. M. Carulli, M. Tehranipoor, Y. Makris, Counterfeit integrated circuits: a rising threat in the global semiconductor supply chain, Proceedings of the IEEE 102 (8) (2014) 1207–1228.
[3] G. E. Suh, S. Devadas, Physical unclonable functions for device authentication and secret key generation, in: Proc. Design Automation Conf. (DAC), 2007, pp. 9–14.
[4] C. Jin, M. van Dijk, Secure and efficient initialization and authentication protocols for SHIELD, IEEE Transactions on Dependable and Secure Computing.
[5] Y. Gao, D. C. Ranasinghe, S. F. Al-Sarawi, O. Kavehei, D. Abbott, Emerging physical unclonable functions with nanotechnology, IEEE Access 4 (2016) 61–80.
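Table 1: Quantitative evaluation of the necessary bit length of the response for successful detection under different $\hat{p}_{\mathrm{interA}}$ and $\hat{p}_{\mathrm{intraA}}$ that are determined by N.

| N | $\hat{p}_{\mathrm{intraA}}$ | $\hat{p}_{\mathrm{interA}}$ | $\hat{p}_{\mathrm{interA}} - \hat{p}_{\mathrm{intraA}}$ | EER < $10^{-2}$: n | $n_{\mathrm{EER}}$ | FAR∗ | FRR∗ | EER < $10^{-3}$: n | $n_{\mathrm{EER}}$ | FAR∗ | FRR∗ | EER < $10^{-4}$: n | $n_{\mathrm{EER}}$ | FAR∗ | FRR∗ |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 3 | 20.70% | 25.45% | 4.75% | 1706 | 393 | −2.01 | −2.01 | 3005 | 692 | −3.01 | −3.00 | 4347 | 1001 | −4.01 | −4.01 |
| 4 | 17.55% | 22.84% | 5.29% | 1251 | 252 | −2.01 | −2.00 | 2191 | 441 | −3.00 | −3.01 | 3171 | 638 | −4.00 | −4.01 |
| 5 | 14.98% | 20.87% | 5.89% | 914 | 163 | −2.01 | −2.00 | 1611 | 287 | −3.01 | −3.00 | 2330 | 415 | −4.00 | −4.01 |
| 6 | 13.07% | 19.32% | 6.25% | 746 | 120 | −2.00 | −2.01 | 1314 | 211 | −3.01 | −3.00 | 1906 | 306 | −4.00 | −4.01 |
| 7 | 11.54% | 18.28% | 6.74% | 603 | 89 | −2.02 | −2.02 | 1052 | 155 | −3.00 | −3.01 | 1528 | 225 | −4.01 | −4.02 |
| 8 | 10.30% | 16.73% | 6.43% | 606 | 81 | −2.01 | −2.01 | 1065 | 142 | −3.01 | −3.00 | 1546 | 206 | −4.00 | −4.01 |
| 9 | 9.26% | 15.78% | 6.52% | 551 | 68 | −2.01 | −2.00 | 974 | 120 | −3.01 | −3.04 | 1406 | 173 | −4.01 | −4.03 |

Note: the ∗ symbol indicates log10(·) of the value.

Table 2: Quantitative evaluation of the necessary bit length of the response for successful detection under different $\hat{p}_{\mathrm{interA}}$ and $\hat{p}_{\mathrm{intraA}}$ that are related to the aging period, where N = 9.

| Aging period (Days) | $\hat{p}_{\mathrm{interA}} - \hat{p}_{\mathrm{intraA}}$ | EER < $10^{-2}$: n | $n_{\mathrm{EER}}$ | FAR∗ | FRR∗ | EER < $10^{-3}$: n | $n_{\mathrm{EER}}$ | FAR∗ | FRR∗ | EER < $10^{-4}$: n | $n_{\mathrm{EER}}$ | FAR∗ | FRR∗ |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 8.3 | 3.32% | 1870 | 199 | −2.00 | −2.01 | 3294 | 350 | −3.00 | −3.01 | 4764 | 506 | −4.00 | −4.01 |
| 22.1 | 6.52% | 551 | 68 | −2.01 | −2.00 | 974 | 120 | −3.01 | −3.04 | 1406 | 173 | −4.01 | −4.03 |
| 49.6 | 8.61% | 330 | 43 | −2.02 | −2.01 | 584 | 76 | −3.01 | −3.04 | 840 | 109 | −4.01 | −4.02 |

Note: the ∗ symbol indicates log10(·) of the value.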
[6] A. B. Alvarez, W. Zhao, M. Alioto, Static physically unclonable functions for secure chip identification with 1.9–5.8% native bit instability at 0.6–1 V and 15 fJ/bit in 65 nm, IEEE J. Solid-State Circuits 51 (3) (2016) 763–775.
[7] Z. Guo, M. T. Rahman, M. M. Tehranipoor, D. Forte, A zero-cost approach to detect recycled SoC chips using embedded SRAM, in: Proc. Symp. Hardware Oriented Security and Trust (HOST), IEEE, 2016, pp. 191–196.
[8] U. Guin, D. Forte, M. Tehranipoor, Design of accurate low-cost on-chip structures for protecting integrated circuits against recycling, IEEE Transactions on Very Large Scale Integration (VLSI) Systems 24 (4) (2016) 1233–1246.
[9] Y. Gao, G. Li, H. Ma, S. F. Al-Sarawi, O. Kavehei, D. Abbott, D. C. Ranasinghe, Obfuscated challenge-response: A secure lightweight authentication mechanism for PUF-based pervasive devices, in: Proc. Int. Conf. Pervasive Computing and Communication (Percom) Workshops, 2016, pp. 1–6.
[10] M.-D. M. Yu, S. Devadas, Pervasive, dynamic authentication of physical items, Queue 14 (6) (2016) 70.
[11] R. Maes, A. Van Herrewege, I. Verbauwhede, PUFKY: A fully functional PUF-based cryptographic key generator, in: Cryptographic Hardware and Embedded Systems (CHES), 2012, pp. 302–319.
[12] D. C. Ranasinghe, P. H. Cole, Confronting security and privacy threats in modern RFID systems, in: Proc. Fortieth Asilomar Conf. Signals, Systems and Computers, 2004, pp. 2058–2064.
[13] D. Lim, Extracting secret keys from integrated circuits, Master’s thesis, Massachusetts Institute of Technology (2004).
[14] U. Ruhrmair, J. Solter, F. Sehnke, X. Xu, A. Mahmoud, V. Stoyanova, G. Dror, J. Schmidhuber, W. Burleson, S. Devadas, PUF modeling attacks on simulated and silicon data, IEEE Trans. Inf. Forensics Security 8 (11) (2013) 1876–1891.
[15] G. T. Becker, The gap between promise and reality: On the insecurity of XOR Arbiter PUFs, in: Cryptographic Hardware and Embedded Systems (CHES), 2015, pp. 535–555.
[16] C. Herder, M.-D. Yu, F. Koushanfar, S. Devadas, Physical unclonable functions and applications: A tutorial, Proceedings of IEEE 102 (2014) 1126–1141.
[17] J.-L. Zhang, G. Qu, Y.-Q. Lv, Q. Zhou, A survey on silicon PUFs and recent advances in ring oscillator PUFs, Journal of Computer Science and Technology 29 (4) (2014) 664–678.
[18] Y. Cao, L. Zhang, C.-H. Chang, S. Chen, A low-power hybrid RO PUF with improved thermal stability for lightweight applications, IEEE Trans. Comput.-Aided Design Integr. Circuits Syst. 34 (7) (2015) 1143–1147.
[19] D. E. Holcomb, W. P. Burleson, K. Fu, Initial SRAM state as a fingerprint and source of true random numbers for RFID tags, in: Proceedings of the Conference on RFID Security, 2007.
[20] Y. Su, J. Holleman, B. Otis, A 1.6 pj/bit 96% stable chip-id generating circuit using process variations, in: Solid-State Circuits Conference, 2007. ISSCC 2007. Digest of Technical Papers. IEEE International, IEEE, 2007, pp. 406–611.
[21] K. Rosenfeld, E. Gavas, R. Karri, Sensor physical unclonable functions, in: Proc. IEEE Int. Symp. Hardware-Oriented Security and Trust (HOST), 2010, pp. 112–117.
[22] U. Rührmair, J. Martinez-Hurtado, X. Xu, C. Kraeh, C. Hilgers, D. Kononchuk, J. J. Finley, W. P. Burleson, Virtual proofs of reality and their physical implementation, in: Proc. IEEE Symp. Security and Privacy (S&P), 2015, pp. 70–85.
[23] K. C. Baby, S. Aung, N. Schwesinger, Finite element analysis of differential capacitive PUF sensors, in: Sensors Applications Symposium (SAS), IEEE, 2016, pp. 1–6.
[24] H. Ma, Y. Gao, O. Kavehei, D. C. Ranasinghe, A PUF sensor: Securing physical measurements, in: Proc. Int. Conf. Pervasive Computing and Communication (Percom) Workshops, 2017.
[25] R. Maes, V. van der Leest, Countering the effects of silicon aging on SRAM PUFs, in: Proc. Symp. Hardware-Oriented Security and Trust (HOST), IEEE, 2014, pp. 148–153.
[26] M. Roel, Physically unclonable functions: Constructions, properties and applications, Ph.D. thesis, University of KU Leuven (2012).
[27] D. Lim, J. W. Lee, B. Gassend, G. E. Suh, M. Van Dijk, S. Devadas, Extracting secret keys from integrated circuits, IEEE Trans. Very Large Scale Integr. (VLSI) Syst. 13 (10) (2005) 1200–1205.
