Q&A PUF Cafe Episode 4
Vincent: How is a PUF enrolled without an HSM?
Pieter: The answer is that the PUF will generate a seed and from this seed the secure enclave will generate the root keys every time at boot. And these root keys will be the same every time. So, there is no need to program them and so there is no need for an HSM. The root keys will be used throughout the device. And the device identities, used to authenticate devices, are generated at every boot as well, while the PUFs make sure that root keys and identities will be the same every time the device boots.
Vincent: Are the size of the PUF memory and the key length programmable?
Pieter: Maybe that's more a question for you, Vincent, because it's purely PUF related. The secure enclave can support that from our side. Maybe about the PUF part itself, Vincent, you can come back on that?
Vincent: Yes, indeed. It depends on the key length that you need. The size of the memory that is required to derive the key with the PUF will vary based on the key lengths that you need. And there are definitely several options there.
Yes. On to the next question. How are the keys that are generated inside the secure enclave used?
Pieter: The keys that are being generated inside the secure enclave are usually used within the secure enclave. So, they are used there to authenticate or encrypt/decrypt, sign messages and certificates, or whatever other security services are required. But they can actually also be transported out of the secure enclave, so transferred to the user or the application level. But then the secure enclave will provide a secure flow and an API to do that in the most secure way. This makes sure that that the chain of trust and the chain of security is maintained.
Vincent: Is this solution silicon-proven? Is it in mass production or not?
Pieter: Yes, it is. As I mentioned, the joint solution where the Intrinsic ID PUF is integrated into our eSecure product has been provided for example to Silicon Labs. We have gone into full production with that product and with the so-called Secure Vault technology on their devices. So this is in full production, as we speak. Not only with Silicon Labs, but with several other companies in various application fields as well.
Vincent: There's another question. Where do I get the total solution? So, the secure enclave with a PUF? Whom should I contact?
Pieter: That doesn't really matter. You contact either Intrinsic ID or Silex Insight. We are in close contact to each other. So if you contact Silex Insight, you can get the complete solution from us. If you contact Intrinsic ID, they will refer you to us and you also get the total solution. Also the licensing can run through one channel only, because we have a sublicensing partnership as well.
Vincent: Another question here, which is more focused at the PUF. Does the PUF require characterization in the target silicon? Maybe I can take this one, Pieter.
If you look at the, at the SRAM PUF from Intrinsic ID, the example that Pieter used, typically those PUFs don't require specific characterization in the target silicon. Intrinsic ID has extensive experience with integrating PUFs in all kinds of technology nodes down to 7nm and 5nm. So unless there is any reason to suspect that it's not standard six-transistor SRAM that is being used in that specific process node, there is no need for any additional characterization. But if customers really want to do it, then of course there is a whole process to support them and show them all the test results. So it depends on customers, whether or not they want to do an additional characterization on top of all the reliability information that we can provide them upfront.