On the Effectiveness of the Remanence Decay Side-Channel to Clone Memory-Based PUFs

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8086)


We present a side-channel attack based on remanence decay in volatile memory and show how it can be exploited effectively to launch a non-invasive cloning attack against SRAM PUFs, an important class of PUFs typically proposed as a lightweight security primitive with low overhead by using the existing memory of the underlying device. We validate our approach against two SRAM PUF implementations in 65 nm CMOS ASICs. We discuss countermeasures against our attack and propose the constructive use of remanence decay to improve the cloning-resistance of SRAM PUFs.

Moreover, as a further contribution of independent interest, we show how to use our evaluation results to significantly improve the performance of the recently proposed TARDIS scheme, which is based on remanence decay in SRAM and used as a time-keeping mechanism for low-power clock-less devices.


Keywords: SRAM PUF, fault injection attack, side-channel analysis, data remanence decay



Copyright information

© International Association for Cryptologic Research 2013

Authors and Affiliations

  1. Tel-Aviv University, Israel
  2. CASED, TU-Darmstadt, Germany
  3. Intel CRI-SC, TU Darmstadt, Germany
