News & Analysis
Unclonable 'silicon DNA' secures RFID tags
R Colin Johnson
3/2/2010 12:01 AM EST
Verayo Inc. (San Jose, Calif.) announced its unclonable chip technology two years ago but has been concentrating on other applications, such as securing military chips, field-programmable gate arrays (FPGAs) and secure-door access cards. Applying the approach to mass-market RFID tags required a tweak to the authentication technology.
All of Verayo's products are based on a physically unclonable function (PUF) cast as a circuit. PUFs use random variations in the delays of wires and gates on a chip (the chip's silicon DNA) to create a unique response when challenged during an authentication session.
When the circuit is presented with an input challenge, a race condition is set up as two transitions propagate along different paths. An arbiter, implemented as a latch, produces a 1 or a 0, depending on which transition comes out of the circuit first.
In Verayo's authentication regime, a 64-bit pulse train challenge is issued to the serial PUF circuit, whereupon the chip returns a 64-bit pulse train response that is unique to its manufacturing variations. Since the challenge/response pairs for each chip are unique, they can be cataloged in a database at the factory, then compared with those returned during interrogations later in the field.
For instance, if the circuit is embedded into a secure-door entry card reader, whenever the card is used a computer would compare the real-time response from the card with the database of known correct responses for that card. If they match, then the card would be deemed authentic, and the door latch would be released.
But an online database of challenge/response pairs is not a viable solution for the millions of RFID tags used in applications such as mass-transit commuter cards. Thus Verayo invented its M4H variation, with an authentication scheme that does not require an online database.
"Our new chip for RFIDs combines the strengths of our unclonable PUF technology with the lower-cost and offline authentication needs of mass-market applications, from transit passes for public transportation to consumer product anti-counterfeiting," said Vivek Khandelwal, Verayo's vice president of marketing and business development.
The key to offline authentication is the new DNA readout capability, which identifies the process variations for the particular PUF circuit. Verayo uses the readout capability at the factory to extract the silicon DNA and then disables the readout feature. The extracted silicon DNA is subsequently encrypted and written back to the RFID chip in its nonvolatile memory.
After that, whenever the card is waved in front of a reader, the reader will decrypt the PUF circuit's DNA, simulate the circuit in software and then compare the calculated response to the real-time response from a challenge issued to the RFID tag. If the tag's response matches the calculated response, then the card is authentic. If it does not match, then the card must be counterfeit.
Cloned cards will consistently fail the test, Verayo says, because their PUF circuit response will not match the value calculated from the silicon DNA.
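The offline check described above, sketched as an added example (not Verayo's code and not part of the article): the reader simulates the PUF from the stored silicon DNA and compares the result with the live response from the tag. The additive delay model, the rotation used to obtain 64 response bits, the noise level and the `max_flips` tolerance are assumptions, and decryption of the stored model is left out.

```python
import random

N = 64  # challenge and response length, per the article

def fabricate(seed):
    # Constructed stand-in for process variation: one delay difference
    # per stage plus an arbiter offset. This list is the "silicon DNA".
    rng = random.Random(seed)
    return [rng.gauss(0.0, 1.0) for _ in range(N + 1)]

def arbiter_bit(delays, challenge, jitter=0.0):
    # Additive delay model (assumption): the sign of the accumulated
    # delay difference says which transition reaches the arbiter first.
    delta, parity = delays[N], 1
    for i in range(N - 1, -1, -1):
        parity *= 1 - 2 * challenge[i]  # a set challenge bit swaps the two paths
        delta += delays[i] * parity
    return 1 if delta + jitter > 0 else 0

def respond(delays, challenge, noise=0.0, rng=random):
    # Assumption: response bit k is the arbiter output for the challenge
    # rotated by k positions. noise models measurement jitter on real silicon.
    return [arbiter_bit(delays, challenge[k:] + challenge[:k],
                        rng.gauss(0.0, noise) if noise else 0.0)
            for k in range(N)]

def authenticate(stored_model, tag_response, challenge, max_flips=6):
    # Reader side: simulate the PUF from the stored model, then compare.
    # max_flips (assumption) tolerates a few noisy bits from a genuine tag.
    expected = respond(stored_model, challenge)
    distance = sum(a != b for a, b in zip(expected, tag_response))
    return distance <= max_flips, distance

if __name__ == "__main__":
    rng = random.Random(2010)
    genuine, clone = fabricate(1), fabricate(2)
    stored_model = list(genuine)  # read out at the factory, copied along with tag memory
    challenge = [rng.getrandbits(1) for _ in range(N)]
    # A clone carries the same stored model but different physical delays.
    print("genuine:", authenticate(stored_model, respond(genuine, challenge, 0.05, rng), challenge))
    print("clone:  ", authenticate(stored_model, respond(clone, challenge, 0.05, rng), challenge))
```

Copying the tag's memory copies only the stored model; the clone's own circuit still produces a different response, so the distance to the simulated response stays far above the tolerance.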

