Securing Internet of Things (IoT) endpoints is a difficult task. Engineers cannot simply repurpose PC security solutions for the IoT environment. Pim Tuyls shares his thoughts on embedded security, securing the chips deployed in the IoT, and Intrinsic ID’s SRAM physical unclonable function (PUF) technology.
 
Pim Tuyls (CEO/Founder)

C. J. Abate: Tell us about your background, particularly your work at Philips Research, and what led you to found Intrinsic ID.
 
Pim Tuyls: I started working in Philips on optimizing the pro- duction of certain components in cathode ray tubes — yes, the old televisions. The project was very successful — so successful, that when I finished, I was given the latitude to select my next assignment. I saw great potential in the combination of cryptography and physics. I pitched this idea to manage- ment and they gave me the go-ahead to assemble a team and start the project. After creating the security team at Philips, I started with a focus on content protection. The new idea was to encrypt the content on a carrier — a disc or chip — with a key extracted from the physics of the carrier itself. In that way, the content could not be cloned without cloning the carrier too, at the nano level! After a few years, we spun the technology and the team out of Philips to form Intrinsic ID.
 
C. J.: What would you say is the biggest misconception among electrical engineers about IoT security?
 
Pim: It is either that security in the endpoints is not required or that IoT security is already done. Many engineers still think that one can reuse the principles and components developed for a PC and just apply them to the IoT environment. Given the huge number and cost of IoT devices, such an approach would not be economically viable. A new set of technologies is needed to secure the IoT in billions of devices.
 
C. J.: What is SRAM physical unclonable function (PUF)? What are its benefits and applications?
 
Pim: Without getting too deep into the physics, a PUF is based on the fact every chip is slightly different due to deep sub-micron manufacturing variability, even though two or more chips might have been produced with the same manufacturing process. As a result, when a chip is initially powered up, its threshold voltages and other physical characteristics are slightly different from all other chips, enabling us to derive the PUF for that chip, and therefore its unique identity. In the case of the SRAM PUF, it is embodied in the start-up behavior specifically of the SRAM memory on the chip. Since SRAM is a standard semiconductor component that exists in all technology nodes and processes, and that is present on almost every digital chip, the SRAM PUF scales very well. It can be used on almost every embedded device independent of whether the chip was built in old technology nodes such as 180 nm or very new ones, such as 7 nm, which is the leading edge in today’s semiconductor technology. Furthermore, the SRAM PUF can be instantiated by software and can be easily evaluated on existing devices. Intrinsic ID enables this with our BroadKey.

C. J.: Is PUF technology used for microcontroller authentication?
 
Pim: Yes, it is, and we will soon see many applications where it is being used.
 
C. J.: Why is PUF technology well suited for the IoT?
 
Pim: It is present on almost every device; hence, it scales very well. Further, it can be used on devices that don’t have nonvolatile memory on board and hence that don’t have any other option. Finally, it can be implemented at a very low cost since the SRAM is already present on the chip and a software approach is possible.
 
C. J.: Many companies claim to provide IoT security and embedded security. What is unique about Intrinsic ID?
 
Pim: Intrinsic ID is unique in the fact that it brings a way to give every smart device an unclonable identity using the “fingerprint” of the chip. This means that this is low cost and scalable. It also solves the problem that unique identities and a hardware-based root of trust don’t have to be injected from the outside, which is a costly and nonscalable proposition.
 
C. J.: I’ve read in various places that PUF technology is “lightweight” alternative to traditional crypto solutions. How “lightweight” is it?
 

Pim: It is lightweight in the sense that it fits on small devices. In our approach, we combine it with lightweight crypto solutions. So far, we have been able to implement it in the small- est devices such as sensors and MCUs, as well as very large devices such as FPGAs.
 
C. J.: In an Intrinsic ID webinar, you were quoted as saying: “While Facebook connects roughly 1.5 billion people, Intrinsic ID addresses the need for authentication for the Internet of Things – which is expected to connect more than 50 billion devices by 2020.” That’s a huge market. Can your solutions address security for everything from 32- bit chips to 8-bit chips?
 
Pim: Yes, our solutions work from 8-bit to 32-bit chips. When I made that statement, I was trying to illustrate the magni- tude of securing the Internet of Things. The number of people connected by Facebook is huge, and not a trivial accomplishment. But it pales in comparison to the IoT’s scale. And as your question pointed out, it’s really much more difficult to connect so many devices at different technologies — and to do so securely and economically.
 
C. J.: Tell us about your core products and the sort of customers using them.
 
Pim: We have two flagship products, QuiddiKey and Broad- Key. Both generate an Unclonable Identity from the SRAM PUF. QuiddiKey is targeted toward semiconductor manufacturers, such as NXP and Microsemi. BroadKey has a much wider range because it is delivered as software and therefore can be deployed at any stage of an IoT product’s lifecycle. BroadKey can be applied by semiconductor manufacturers and OEMs toward present and future designs, but it can also deal with existing devices. We refer to this as a brownfield deployment, in contrast with a brand-new greenfield.
 

You can read the entire interview in Elektor Business 5/2018, which is slated for publication in September 2018.