
Nano-scale 'fingerprint' could boost security - merah
http://www.bbc.co.uk/news/science-environment-34780787
======
eveningcoffee
The original paper
[http://www.nature.com/articles/srep16456](http://www.nature.com/articles/srep16456)
is named _" Using Quantum Confinement to Uniquely Identify Devices"_

The main problem they are trying to solve is how to prevent reading out the
chip level unique ids that are saved in IC. They solve this by using
consistency in quantum level imperfections to generate chip level unique ids.

I am more interested about the claim presented in the BBC article: _" And the
interesting thing is that you can't clone them. To clone them, you'd
effectively have to measure [the fingerprints] atom-by-atom. You just can't do
it."_

Would this work because of the measurement uncertainty principle? I.e. you
will change the state of something when you measure it? Or do they think that
it is _just too complicated_ to read out the key?

~~~
kyboren
TL;DR: First steps to a new type of PUF.

What follows is my definitely-not-expert analysis. I'll try to answer your
questions as best I can.

===== Before =====

Traditional PUFs are considered "unclonable" because they rely on
uncontrollable manufacturing variation. It's not that it's impossible to
create a function which gives the same output (so, they're not really
unclonable), it's that the function implemented by each chip's PUF is
different, and reverse engineering it requires very expensive and invasive
physical inspection of minute characteristics of each part of each chip's PUF.
So, cloning is very difficult and expensive, and all this work would only get
you one chip's clone.

This is usually good enough, because PUFs are (AFAIK) generally used[1]
primarily to make each known good chip uniquely identifiable. If the
manufacturer has a set of known challenge-response pairs for all chips they've
ever made, counterfeiting[2] becomes virtually impossible. The best you can do
is clone some authentic chip. If you just make your own chip, the
manufacturer's DB doesn't contain your challenge-response pairs and you'll be
found out. If you clone a chip, then first you have to buy each chip you wish
to clone (so why bother counterfeiting?), then do expensive, invasive reverse
engineering, then program your clone, and the end result is a clone of a chip
you already have, and which appears to be older than the chip really is, not
newer.

===== Now =====

This work seems to be the first steps for a smaller, "more unclonable" PUF.
Supposedly, their PUF is so dependent on nanoscale properties that the sort of
invasive physical investigation you would typically do now almost certainly
modifies the function implemented. I think it's not about relying on the
uncertainty principle: if it were, then the output of the PUF would not be
deterministic, which is _not_ what you want! Oh, and their PUF should be more
compact than other PUFs (in terms of bits/μm2).

===== So what =====

I'm not really sure why this is in BBC News. PUFs are nothing new. The article
touts the potential applications of PUFs, but doesn't explain how this
construction is novel. I guess it's just a fluff piece to show their British
readers that, "Hey, we're on the cutting edge of technology!"

[1] I suspect PUFs are also used to in Apple's newer iPhones as the "UID":
input to a KDF for wrapping crypto keys, but this is pure speculation.

[2] The main kinds of counterfeits I hear people wanting to use PUFs to combat
are a) unauthorized spins (the fab just makes more chips and sells them on the
side), b) rebranded old chips (pop off a chip from some discarded electronics,
sand the surface, print a new serial number, and present it as new), and c)
actual counterfeit chips (entirely new designs purporting to implement the
same functionality as some other chip).

~~~
eveningcoffee
Thanks! Few clarifications:

 _If you clone a chip, then first you have to buy each chip you wish to clone
(so why bother counterfeiting?)_

Your maybe do not want to sell a lot of chips but only one chip to one
specific buyer and also add some additional payload.

 _I think it 's not about relying on the uncertainty principle: if it were,
then the output of the PUF would not be deterministic, which is not what you
want!_

What I meant was that do they claim that their method works because you could
not measure the quantum object without changing its state or they just say
that it is just too complicated.

