“We could publish the chip design in the New York Times and people could go and create their own chip. In the end, the signature that matches the chip that you have and the one somebody else created will be very different,” says Vivek Khandelwal, vice president of marketing at Verayo.
That doesn’t mean that the PUF circuits are infallible. Someone could defeat the system by getting their hands on the list of challenge-response pairs, for instance, if those aren’t kept secured. The circuits are meant to be just one aspect of a cryptographic system, a so-called “primitive” that acts as the basis for further encryption. Massimo Rimondini, a postdoc at Roma Tre University in Rome, and his colleagues studied a security system based on one of Verayo’s chips.
“The technology in itself is very promising for authentication purposes,” Rimondini says. “On the other hand, effectively exploiting it depends on the security and efficiency with which authentication-related information is handled in the back end–and this is what we have been heading our research for.”
Wayne Burleson, a professor of engineering at the University of Massachusetts, Amherst, says PUFs make sense as part of a lightweight, low-cost cryptography on RFID chips. “But they do not provide a complete security solution,” he says. “They are just a building block. Higher-level cryptosystems can still be broken despite the security and integrity of the PUF.”
“The security of the password scheme is comparable to the security of conventional password schemes,” says Devadas. The advantage is that this should be a cheaper way to provide that security. “For most applications, they want a modicum of security and low costs.”
And Khandelwal points out that more complex, and more secure, systems can be built for applications where people are willing to spend the money. Verayo has contracts with the U.S. Department of Defense, where more expensive, more secure systems are expected. A public transportation agency trying to cut down on forgery doesn’t need that level of defense. “You don’t really need a full crypto system for a ticket that is going to be thrown away after 10 uses,” he says.
Verayo, which has $6 million in backing from Khosla Ventures, has just launched a line of PUF circuits for sale to manufacturers of RFID systems. Other companies, such as Philips spinoff Intrinsic ID, in the Netherlands, and Cornell spinoff Veratag are also developing PUF-based security systems.