PUFsecurity's PUFcc crypto coprocessor takes care of security-related affairs within a system and allows the CPU to perform its primary functions safely.
The past 30 years have seen three different eras of Internet connectivity: the “Internet of Computers”, “Internet of Smartphones”, and then the “Internet of Things”.
Over this period, there have been two major changes: more than billion devices are now connected to the Internet, and manual operations (or operations with a user) have transformed to fully automated operations (without a user).
“These changes have created more security demands than ever due to the complicated Internet connectivity—thus making unique identity and root of trust a must for each device,” says Dr. Evans Yang, Executive Vice President of PUFsecurity.
Established in 2019, PUFsecurity—a subsidiary of eMemory Inc.—is dedicated to innovating PUF (physical unclonable function)-based security IP solutions by leveraging eMemory’s core technologies, including NeoPUF and NeoFuse.
“NeoPUF is a PUF technology for generating chip fingerprint used as UID/HUK/Root Key, while NeoFuse is an OTP (one-time programmable) memory technology for key storage,” says Dr. Yang. “PUFsecurity brings PUF-based integrated security solutions to the market. Our latest offerings include Secure OTP, Hardware Root-of-Trust Module (PUFrt), Crypto Coprocessor (PUFcc), and Flash Protection Series. PUFsecurity can provide PUF-based security IP solutions with superior performance and cost-efficiency in a wide range of technology platforms with eMemory’s support.”
According to him, there are six key SoC security factors to consider. The first is root of trust, which is considered the foundation of security. The second is Secure Boot, which blocks unauthorized OS and applications from running. The third is the Trusted Execution Environment (TEE), which protects data in use with secure isolation. The fourth is Protect Data-at-Rest, which stores data in an encrypted/obfuscated form with solid access control to prevent leakage. The fifth is Protect Data-in-Transit, which utilizes keys to encrypt data before transmission to prevent interception. Finally, there is the Secure OTA Update, which ensures that firmware or software updates in the field come as encrypted ciphertext and that no downgrading is allowed.
“Having a CPU alone cannot attain these six security factors,” Dr. Yang says. “A chip’s design would need a key storage unit and a set of cryptographic algorithms to assist the CPU in performing security functions, including authentication, encryption, decryption, and integrity check to attain these features. In addition, an isolated and secure execution environment is required for separating secure and non-secure operations.”
Limitations of market solutions
PUFsecurity has been educating the industry on security, highlighting that security relies on a “true hardware root of trust”.
“However, the urgent unmet need is that existing solutions lack a comprehensive ‘Hardware Root-of-Trust’,” says Dr. Yang. “For example, when we are using software or enjoying an application, there is an assumption that is ‘each device has its own root of trust to make sure software genuineness and running in a secure execution environment’. However, not all devices can really provide trusted or certified hardware root of trust.”
He goes on to say that Arm emphasizes the necessity of hardware root of trust in the PSA Certified security architecture it promotes. On the other hand, the RISC-V ecosystem is still maturing and needs a fitting solution for crypto coprocessors. Regardless of what type of CPU the designers decide to use, Dr. Yang notes that designers will have to either develop the said security features themselves or adopt IPs from third parties.
Several issues may arise if designers choose to develop these security features in-house, such as whether their security development team is capable enough; how their development will affect the time to market; whether their self-developed security functions can gain certification; how well they can deal with technical issues when they arise; and the cost.
“All of these challenges can be avoided by adopting integrated IPs from capable partners,” says Dr. Yang.
Unique PUF-based crypto coprocessor solution
This is why PUFsecurity developed the PUFcc, a crypto coprocessor that takes care of security-related affairs within a system and allows the CPU to perform its primary functions safely.
When implemented, a hardware-accelerated crypto coprocessor will protect sensitive information and perform security functions far more efficiently than a CPU without siphoning off its computational power. This not only simplifies the system design but also enhances the overall performance.
Offering comprehensive security functions in one drop-in IP, PUFcc is the only product that combines a hardware root of trust (PUFrt) with a full suite of crypto algorithms. Its security boundary is based on physical isolation using the chip fingerprint to establish a complete trusted execution environment (TEE), which is very different from a purely software-based design.
“At the heart of PUFcc is a Riscure-certified hardware root-of-trust module. Riscure is a third-party lab for security certification. The hardware root of trust includes eMemory’s patented NeoPUF, which provides a unique chip fingerprint (UID) for each chip, and a tamper-resistant secure OTP for key storage, preventing physical/electrical attacks on critical security parameters,” explains Dr. Yang. “The hardware root of trust also features a true random number generator (TRNG), a dynamic entropy source for generating a random key which is used for secure communications.”
It also features a comprehensive and customizable crypto engine. According to Dr. Yang, PUFcc supports a full set of NIST CAVP-certified and OSCCA-compliant cryptographic algorithms.
“Thanks to the modular design, customization remains flexible when a customer would like to have design optimization,” he adds.
Apart from its security features, PUFcc also has numerous digital and analog tamper-resistant designs that strengthen its security surface, making it a reliable cryptographic coprocessor.
“It is worth mentioning that PUFcc has successfully integrated Arm Cortex-M33 and Corstone-201 and passed the PSA Certified Level 2 Ready security framework test,” says Dr. Yang. “PUFcc is pre-qualified and available in all foundries. It is fully generic and can accelerate the time to market. For partners who look to obtain PSA Certification, adopting PUFcc makes the journey easier.”
PUFsecurity has won the Most Investable Start-up Team award at EE Awards Asia 2022. Now in its second year, EE Awards Asia celebrates the innovation, creativity, and contributions of Asia’s engineering community that have made a difference in the way we work, live, and communicate over the past year. This year, EE Awards Asia has gathered more than 400 entries from 137 companies around the world, vying for 22 award categories.
“We are very honored to receive this award. It represents a recognition and affirmation from the industry leaders for our technology and leadership,” comments Dr. Yang. “As part of the management team of this young startup, I am so proud of my team, whose effort and outcome allow the opportunity for me to join the other giants in the semiconductor industry receiving EE Awards.”
He firmly believes that chip security is closely related to the future of technological development. “And we are ready to accept the challenges of the future and achieve new heights together with our partners,” he says.
PUFsecurity believes that the PUFcc crypto coprocessor can be used in more application fields.
“We had a complete product development roadmap, from a Secure OTP, Root of Trust module (PUFrt), Crypto Coprocessor (PUFcc),” explains Dr. Yang. “Eventually, we will have a low-power secure element solution up to the chiplet level, which will be announced in 2023. Such a comprehensive product portfolio can support various scales of demands, from function-wise to system-wise level.”
The company also aims to develop total solutions with software firms to help clients establish a complete security ecosystem from edge to cloud.
Stephen Las Marias is the editor of EETimes Asia. He can be reached at firstname.lastname@example.org.