Harnessing Chaos to Protect Devices from Hackers

The key to creating the improved PUF is chaos, a topic that Gauthier has studied for decades. No other PUFs have used chaos in the way demonstrated in this study, he said.

The researchers created a complex network in their PUFs using a web of randomly interconnected logic gates. Logic gates take two electric signals and use them to create a new signal.

“We are using the gates in a non-standard way that creates unreliable behavior. But that’s what we want. We are exploiting that unreliable behavior to create a type of deterministic chaos,” Gauthier said.

The chaos amplifies the small manufacturing variations found on the chip. Even the smallest differences, when amplified by chaos, can change the entire class of possible outcomes – in this case, the secrets that are being produced, according to Charlot.

“Chaos really expands the number of secrets that are available on a chip. This will likely confuse any attempts at predicting the secrets,” Charlot said.

One key to the process is letting the chaos run just long enough on the chip, according to Gauthier. If you let it run too long, it becomes – well, too chaotic.

“We want the process to run long enough to create patterns that are too complex for hackers to attack and guess. But the pattern must be reproducible so we can use it for authentication tasks,” Gauthier said.

The researchers calculated that their PUF could create 10⁷⁷ secrets. How big is that number? Imagine if a hacker could guess one secret every microsecond – 1 million secrets per second. It would take the hacker longer than the life of the universe, about 20 billion years, to guess every secret available in that microchip, Gauthier said.

As part of the study, the researchers attacked their PUF to see if it could be successfully hacked. They attempted machine learning attacks, including deep learning-based methods and model-based attacks – all of which failed. They are now offering their data to other research groups to see if they can find a way to hack it.

Gauthier said the hope is that PUFs like this could help beef up security against even state-sponsored hacker attacks, which are generally very sophisticated and backed up with a lot of computer resources.

For example, Russia is suspected of backing the SolarWinds hack that was uncovered in December. That hack reportedly gained access to email accounts of officials in the Department of Homeland Security and the department’s cybersecurity staff.

“It is a constant battle to come up with technology that can stay ahead of hackers. We are trying to come up with technology that no hacker – no matter your resources, no matter what supercomputer you use – will be able to crack.”

The researchers have applied for an international patent for their PUF device.

The goal of the team is to move beyond research and to move quickly to commercialize the technology. Gauthier and two partners recently founded Verilock, with a goal of bringing a product to market within a year.

“We see this technology as a real game changer in cybersecurity. This novel approach to a strong PUF could prove to be virtually un-hackable,” said Jim Northup, CEO of Verilock.