An RFID-based Technology for Electronic Component and System Counterfeit Detection and Traceability

Kun Yang, Domenic Forte, and Mark Tehranipoor

ECE Dept., University of Connecticut
{kuy12001, forte, tehrani}@engr.uconn.edu

Abstract—The vulnerabilities in today’s supply chain have raised serious concerns about the security and trustworthiness of electronic components and systems. Testing for device provenance, detection of counterfeit integrated circuits/systems, and traceability are challenging issues to address. In this paper, we develop a novel RFID-based system suitable for electronic component and system Counterfeit detection and System Traceability called CST. CST is composed of different types of on-chip sensors and in-system structures that provide the information needed to detect multiple counterfeit IC types (recycled, cloned, etc.), verify the authenticity of the system with some degree of confidence, and track/identify boards. Central to CST is an RFID tag employed as storage and a channel to read the information from different types of chips on the printed circuit board (PCB) in both power-off and power-on scenarios. Simulations and experimental results using Spartan 3E FPGAs demonstrate the effectiveness of this system. The efficiency of the radio frequency (RF) communication has also been verified via a PCB prototype with a printed slot antenna.

I. INTRODUCTION

Today’s electronic components and systems supply chain suffers from counterfeiting and lacks of traceability. More than twelve million counterfeit parts were reported from 2007 to 2012 [1], and this number is on the rise [2]. An electronic component is defined as counterfeit if its performance, provenance, age, etc. are misrepresented by the vendor, manufacturer, or distributor. Another issue is that for larger systems, integrated circuits (ICs) and subassemblies pass through many hands on multiple continents before they are ultimately installed in their final applications [3]. Without proper traceability, such components could be subjected to tampering, theft, and counterfeiting. Traceability can provide device identification/tracking as it moves from one entity to another in the supply chain.

Typically an electronic device will go through a process as shown in Figure 1, which contains several vulnerabilities. At the component level, a chip can be cloned, tampered, overproduced, etc. [4] [5] [6]. At the board and system levels, similar exploitations have also been observed [7] [8] [9]. Among the ones shown in Figure 1, those vulnerabilities that can be addressed by our proposed approach are highlighted with underline.

Among the various vulnerabilities, we focus on detection of counterfeit ICs, tampered boards and their traceability. In general, counterfeit parts can be divided into the following categories: (i) lower grade parts that are “re-marked” as higher grade parts; (ii) defective parts that should have been discarded or destroyed by original component manufacturers (OCMs), original equipment manufacturers (OEMs) or distributors; (iii) recycled (used) parts sold as new parts; (iv) overproduced parts generated (OCMs), original equipment manufacturers (OEMs) or distributors; (v) parts cloned using reverse engineering and intellectual property (IP) piracy; (vi) tampered parts including malicious alterations. Here, we refer to boards with unauthorized substitution of chips as tampered boards.

Since counterfeits normally do not meet the requirements of specific application risks, their inclusion could jeopardize the security and reliability of the systems that unknowingly use them. Unfortunately, the vast majority of existing physical and electrical detection solutions for counterfeit electronic parts are too complex to be used in practice, and the industry lacks simple and effective mechanisms to detect and/or prevent counterfeiting at a low cost [6]. In order to ensure the safety and reliability of critical systems, finding an effective, low-cost, reliable and universal solution to combat counterfeit systems is essential.

So far, there has not been a one-size-fits-all solution to address these challenging problems. Various schemes have been proposed over the past decade to address counterfeit ICs. For example, physical unclonable functions (PUFs) exploit inherent process variations in silicon to provide low-cost authentication for ICs [10]. On-chip, lightweight CDIR sensors are designed to effectively detect recycled ICs [11]. Hardware metering restricts the number of manufactured ICs produced by untrusted foundry [12]. EPIC [13] uses a combinational chip-locking system and a chip-activation protocol based on public-key cryptography to render IP infringement impractical. Unfortunately, all the above measures are directed against one or at most two types of counterfeit ICs and none of them address counterfeit boards. In addition, test data can only be extracted when the whole system is powered on, which makes them incapable of tracking-and-tracing electronic products in the supply chain when the chips/boards are not powered.

Apart from the above primitives and on-chip structures, stand-alone RFID tags have been used to identify/track electronic products. RFID tags with fingerprints based on their minimal power responses, measured at multiple frequencies, have been proposed as a way to uniquely identify the objects to which they are attached [14]. Another method of creating RF fingerprints exploits the near-field RF effects between the multiple antennas of the RFID reader and the uniquely modified substrate of the RFID tags [15]. However, current RFID tags are stand-alone and lack a physical connection with the objects to which they are attached; thus, the RFID reader will make the wrong decision if, for example, an authentic tag is attached to a counterfeit system/PCB. Besides, the RFID tag data is usually static and cannot be updated to reflect the latest hardware conditions such as chip usage time, chip aging, chip grade, and the authenticity of chips on a PCB.

In this paper, we propose a universal platform for electronic component and system Counterfeit detection and System Traceability called CST that addresses the above-mentioned limitations of present solutions. Our main contributions are as follows:

- We propose CST, a general infrastructure that is aimed at the next generation of electronic systems to combat counterfeit and enhance supply chain management. CST requires the following: (1) sensors embedded inside the chips; (2) an RFID tag with an embedded PUF; and (3) a PCB antenna on the board.
- We design a module that extracts data (physical and environmental) captured by different sensors, structures, and hardware security primitives embedded inside different chips. This data is non-intrusively collected (i.e., with no impact on chip functionality, timing, and performance) by an RFID tag which can be read by an RFID reader.

Figure 1: Electronic components and systems supply chain vulnerabilities.
This eliminates the need for expensive testing, enables contactless detection from multiple different chips and boards simultaneously (thereby drastically reducing the authentication time), and can be used to retrieve chip/board information even when the chips/boards are not powered on.

- We develop several new realizations of sensors/structures found in the literature for our system and use each to cover specific counterfeit chip types.
- To enable board identification/authentication in CST, we propose a novel board ID generator that combines the tag PUF and sensor outputs from each chip on a PCB. The board ID can be used to track a PCB that is stolen and to detect illegal tampering/replacement of chips on the PCB.

The rest of this paper is organized as follows: Section II describes the basic framework, operating modes, and communication flow of the proposed CST system. Section III introduces the building blocks of CST system and fully analyzes the working principles of each part. In Section IV, the performance of the CST is verified by simulation and experimental analysis. Finally, we conclude in Section V.

II. CST ARCHITECTURE AND BASIC OPERATION

The proposed CST system is targeted at next generation systems to enable complete chip-level and board-level authentication and traceability.

A. Overview of System Architecture

1) CST System: Figure 2 shows the proposed CST system. The analog front end and part of the digital control unit (i.e., a FM0/Miller encoder, a pulse-interval encoding (PIE) decoder, an encryption/decryption engine, a cyclic redundancy check (CRC) unit and a random number generator (RNG)) of the RFID tag are standard RFID components [16] [17]. All the remaining parts are the contributions of this paper (highlighted with light green color). CST is composed of a PCB slot antenna, an RFID tag with a board identifier generator (BIG) and a physically unclonable function (PUF), and CST sensors inside various chips on a PCB, as shown in Figure 2(a). The role of the antenna is to receive/transmit RF waves emitted from/to a reader. The RFID tag works as an interface between CST sensors and the RFID reader. Each chip gathers its own internal information (chip usage time, chip ID, chip grade, etc.) from the on-chip CST sensors. The RFID tag is responsible for (i) collecting and storing information from each chip and the board during operation; (ii) decoding received commands and encoding transmitted CST sensor data including the board ID. All the components described above are supported by mature technologies and should not add significant cost to the next-generation systems.

2) Chip Internal Structure: Figure 2(b) illustrates a chip with a number of CST sensors ($S_1$, $S_2$, ..., $S_n$) embedded within it. These sensors send their measured data to the RFID tag periodically when the system is powered on or the chips are being used in the field. A light-weight controller inside the RFID tag manages the updating of CST sensors and arbitrates the bus race.

3) Internal Structure of RFID Tag: The RFID tag consists of two parts: the analog front end and the digital baseband control, as shown in Figure 2(c). The analog front end includes an internal oscillator to provide a clock signal for digital parts, a demodulator to demodulate the RF signals from the RFID reader, a voltage multiplier to boost up the power supply extracted from RF wave and drive all the other parts, and a backscattering modulator to modulate UHF wave with CST sensor data. The non-volatile memory (EEPROM) inside the RFID tag stores CST sensor data, passwords and other configuration variables. Note that while it is possible for an attacker to perform physical attacks to retrieve the information stored in the EEPROM [18], such attacks are expensive and protection against them is outside the scope of this paper. We are more concerned with attack capabilities of the majority of attackers rather than advanced persistent threats (APTs) [19]. By protecting the RF channel with a secure protocol [20] [21] [22], it is impossible for the malicious reader to intercept data communicated by or overwrite secret data stored in the tag.

4) Internal Structure of the Digital Control Unit in the RFID Tag: Figure 2(d) illustrates the internal structure of the digital control unit in the RFID tag, which is composed of a controller (FSM), a FM0/Miller encoder, a PIE decoder, an encryption/decryption engine, a sequencer, a CRC unit, a RNG, a PUF and a BIG. The controller is responsible for the coordination and management of each individual unit. The PIE decoder translates the commands and control parameters from the RFID reader, which is made up of a command parser and a packet parser. The FM0/Miller encoder encodes the backscattered CST sensor data. The sequencer sorts different CST sensor data bits and check bits. The CRC unit will generate 16-bit cyclic-redundancy checks (CRC16s) to ensure the integrity of transmitted data. The RNG unit will generate 16-bit random numbers (RN16s) to XORed with transmitted data. The encryption/decryption engine is responsible for encrypting/decrypting CST sensor data with advanced encryption standard (AES) [20] or some other cryptographic algorithms.

B. Operating Modes

There are two operating modes for the proposed CST system: System Operation mode and Tag Access mode. In System Operation mode, as shown in Figure 3(b), the system is conducting regular functional operations. Chip, represents an arbitrary chip on the board. ($S_1$, $S_2$, ..., $S_n$) denote $n$ different sensors inside Chipi, ($S_1$ Bank, $S_2$ Bank, ..., $S_n$ Bank) are $n$ memory blocks allocated to $n$ sensors in the non-volatile memory of the RFID tag. Different types of CST sensors ($S_1$, $S_2$, ..., $S_n$) in different chips on the board can individually update their data to the memory inside the RFID tag according to predefined priorities. The entire system is powered on by the power supply on the board. As shown in Figure 3(c), all the sensors can be divided into three categories: (a) sensors that need to be updated only once over the life cycle (e.g., Electronic Chip ID [23]); (b) sensors that need to be updated every time the system is powered on (e.g., PUF [10]); and (c) sensors that need to be frequently updated when the system is powered on (e.g., the counter-based combating die/IC recycling (CDIR) sensor). (1) – (3) denote the CST sensor priorities. Sensors of type (a) will be updated the first time the system is powered on. Sensors of type (b) are of a higher priority than sensors of type (c). When updating condition is satisfied, updating requests are sent to the RFID tag by the sensors of type (c). If the bus is not busy, the sample clock will be transmitted to sensors of type (c) to synchronize data transmission. In Tag Access mode, as illustrated in Figure 3(a), the RFID tag will be
powered by the RF electromagnetic waves emitted by the RFID reader. Everything except the RFID tag is powered down. After verifying the identities and states of both sides, the RFID reader will issue commands to the RFID tag on the board, and the RFID tag will send corresponding CST sensor data back to the RFID reader.

Figure 3: (a) Tag Access mode, (b) System Operation mode, and (c) CST sensor update priority.

C. Communication Flow

Mutual authentication between the reader and the tag is needed during communication. The communication flow between the RFID reader and the RFID tag (during Tag Access mode) is fully compatible with EPC Class-1 Generation-2 UHF RFID protocol [24]. Note that here we just implement the basic pseudo random number and password based authentication protocol for the purpose of simplicity. More secure AES based protocols [20] and hash-based protocols [25] [21] [22] are recommended for CST. Discussion of secure RFID protocols is out of the scope of this paper.

III. CST SYSTEM SENSORS

Different types of sensor data will be stored in different places of tag’s non-volatile memory and updated periodically when the CST system is powered on. In the following, we briefly describe four sensors commonly mentioned in the literature and one new sensor which are used by CST. Table I lists each sensor and its purpose. We limit ourselves to these for brevity but many other sensors and on-chip structures can be used by the CST system as well depending on the applications the PCB is used in.

<table>
<thead>
<tr>
<th>Sensor Type</th>
<th>Function</th>
</tr>
</thead>
<tbody>
<tr>
<td>CDIR_CTR</td>
<td>Tracks chip usage time (fine granularity) and detects recycled ICs.</td>
</tr>
<tr>
<td>CDIR_RO</td>
<td>Tracks chip usage time (coarse granularity) and detects recycled ICs.</td>
</tr>
<tr>
<td>PUF</td>
<td>1. Uniquely identifies silicon chips. 2. Detects cloned and overproduced ICs.</td>
</tr>
<tr>
<td>ECID</td>
<td>Protects the chip against remarking and overgrading.</td>
</tr>
<tr>
<td>Board ID</td>
<td>1. Identifies and tracks boards in the supply chain. 2. Detects board cloning and overproduction. 3. Detects unauthorized substitution of chips on the board. (e.g., mod-chips in video game consoles).</td>
</tr>
</tbody>
</table>

Multiple types of counterfeits can be detected using different types of CST sensors/primitives. Note that we use the terms sensors and primitives interchangeably. This section will discuss our implementations of the sensors shown in Table I. Since many of the original implementations [10] [11] [26] of these sensors were imagined for different platforms than ours, we have developed new practical realizations for each sensor making them suitable for meeting the CST system’s objectives. We also propose a novel board ID generator in this section.

1) Counter-based CDIR: The first two sensors we discuss are called combating die/IC recycling (CDIR) sensors and belong to sensors of type (c). The counter-based CDIR sensor (CDIR_CTR) [11] can be used to track chip usage time and detect recycled ICs. Even an extremely short chip usage time can be detected by this sensor. Figure 4 shows our implementation. The contribution of this paper is highlighted with light green color. The four most active nets of the functional circuit, marked as sw[0-3], are selected as the trigger signal of the CDIR_CTR sensor. If and only if all four nets are transitioned to high level, a positive edge pulse will be generated by the AND gate to drive counter1. In order not to update the CDIR_CTR memory bank inside the RFID tag too frequently, the minimum four bits of counter1 will be filtered by a bit-wise AND operation with 16’hFFFF to produce a value for flag, which is a new design of this paper. The benefit of this modification is that we do not need to request updates too frequently and thus avoid a bus race. A timer triggered by the system clock will periodically check whether flag is larger than zero or not. If the value of flag is larger than zero, the value of counter1 will be sent to a shift register. Simultaneously, a request update (reupdate) signal will be sent to the RFID tag control logic. If the RFID tag is not busy, sample clocks will be sent to CDIR_CTR. Subsequently the CDIR_CTR data will be shifted out bit by bit by the sample clock. The CDIR_CTR data associated with Chip, can indicate whether the chip is new or used.

2) RO-based CDIR: Figure 5 shows the structure of the RO-based combating die/IC recycling sensor (CDIR_RO) [11], which consists of a reference ring oscillator (RO), a stressed RO, two counters, a timer, a subtractor and a shift register. The contribution of this paper is highlighted with light green color: CDIR_RO belongs to sensors of type (b). Unlike CDIR_CTR, CDIR_RO does not require any memory element to store the chip usage time, since it is solidified in the frequency difference between two ROs. However, the granularity of detection for CDIR_RO is larger than CDIR_CTR. The stressed RO will be under DC stress when the chip is powered on. The reference RO will be disconnected from power using the sleep transistors, and thus will experience minimal aging effects. The reference RO will oscillate only when the RFID tag is reading CDIR_RO data from the specific chip. As the stressed RO has gone through aging effects, the time delay of the inverters composing RO will increase. As a result, the oscillating period of the stressed RO will be larger than that of the reference RO. Therefore, the value of counter_ref will be larger than that of counter_str. In the original design, a multiplexer is exploited to select one of the two ROs and a counter is responsible for measuring the oscillating cycles of the selected one. In this paper, two identical counters measure the oscillating cycles of the two ROs simultaneously during a pre-specified time period, which is controlled by the timer. CDIR_RO data will be obtained by subtracting the value of counter_str from the value of counter_ref, which is a new design of this paper. By comparing CDIR_RO data at time t with initial CDIR_RO data, one can determine whether the chip of interest is recycled or not. The benefit of this modification is that we do not need any external equipment.

3) PUF: PUF is a security primitive that exploits IC manufacturing process variations to uniquely identify and authenticate each chip. Cloned and overproduced ICs can be detected using PUFs. Typical PUFs include delay-based PUF [10], butterfly PUF [27] and bi-stable ring PUF [28]. The CST system can adopt all different types of PUFs. Here we present the popular RO-PUF as a sensor/primitive of type (b). Figure 6 shows the structure of the PUF implemented in the CST system, which consists of
CTR and ECID are already ready, so CTR and ECID need less processing time. In contrast, CDIR RO board, which we refer to as board tampering. Figure 7 shows the structure of the board ID generator, which is integrated inside the RFID tag. The board ID in our CST system is generated by combining the tag PUF and each individual chip’s PUF with a special function. The function should be such that (i) the ID generated for each board is unique for all the boards in the population and (ii) it is very sensitive to any changes to the chips on the board (e.g., replacing one chip with a counterfeit or modified chip). In the worst case, even if the attacker could intercept the communication between the tag and chips and figure out the chip PUFs, it is still impossible for the attacker to clone the board ID since the tag PUF never leaves the tag.

We propose two functions in this paper. In both cases, we choose the bit width of the board ID to be equal to the bit width of the tag and chip PUFs but other functions could work differently. Our first function is as follows. We perform a bitwise exclusive OR on the tag PUF and all chip PUFs. Assuming there are one tag PUF ($PUF_0$) and L different chip PUFs ($PUF_1, PUF_2, \ldots, PUF_L$), the board ID based on the first option can be calculated as:

$$BoardID = \text{bitxor}(PUF_0, PUF_1, PUF_2, \ldots, PUF_L)$$

Our second function is as follows. We count the number of ones and zeroes at the same bit location for the tag PUF and all chip PUFs. Assuming there are one $N−bit$ tag PUF ($PUF_0$) and L different $N−bit$ chip PUFs, the $i_{th}$ bit of the board ID based on the second option can be calculated as:

$$BoardID(i) = \begin{cases} 1, & \text{if } \sum_{j=0}^{L} PUF_j(i) > \frac{L+1}{2} \\ 0, & \text{if } \sum_{j=0}^{L} PUF_j(i) < \frac{L+1}{2} \end{cases}, \quad i = 1, 2, \ldots, N$$

We compare the uniqueness and sensitivity to changes of both proposed functions using a CST prototype in the results section.

IV. RESULTS AND ANALYSIS

In this section, we evaluate CST operation via simulations, a prototype implementation with 90nm Xilinx Spartan-3E FPGAs and a PCB prototype with a printed slot antenna. All the results are used to verify that each function of the CST system is performed correctly. Firstly, we estimate the sensor overheads via design tools to show that the system is non-intrusive (i.e., little impact on area, power, timing, etc.). Secondly, the FPGA prototype was used to verify the digital parts of the system, and compare the uniqueness and sensitivity to changes of the proposed board ID functions. Note that we do not include results for most of the sensors since they are available in prior work. Thirdly, the RF communication efficiency of the system was analyzed using the PCB prototype. Finally, we evaluate the system robustness to different types of potential attacks.

A. Simulation Results

Synopsys Design Compiler (DC) is used to synthesize the CST sensors embedded inside various chips. Table II shows the area and power overhead based on IBM 130nm CMOS SBF-DM technology. Taking into consideration the large quantity of information these sensors can provide, an overhead of this order is acceptable. Sensor updates and processing time of each sensor should be as short as possible. After placement and routing, the Synopsys Verilog Compiler Simulator (VCS) is used to analyze the timing of the CST sensors. Table III shows the updating periods and processing time of the CST sensors. When sampling clocks from the RFID tag arrive, CDIR_CTR and ECID are already ready, so CDIR_CTR and ECID need less processing time. In contrast, CDIR_RO

Figure 5: A RO-based CDIR sensor.

Figure 6: An implementation of RO-PUF.

4) Electronic Chip ID (ECID): The ECID, which belongs to sensors of type (a), will provide general information about chips, including chip grade, classification and manufacturer, to protect the chip against IC remarking. An ECID is generated by connecting certain bits of a latch array to power and the other bits to ground with tiehi and tieio cells. These cells act as one-time programmable (OTP) cells. When one of the two counters reaches the pre-specified value more quickly, it will disable the other counter immediately, which is a new design of this paper. If all the clock cycles of the upper RO reach the pre-specified value first, 0 will be output as the response to the challenge; otherwise, 1 will be output as the response to the challenge. Compared with traditional RO-PUF [26], which compares the number of oscillations of two selected ROs in a fixed time interval (comparison time), this new implementation eliminates the need for a comparator and a timer (recording the comparison time), and thus saves area overhead and harvest time. Once a one bit output is generated, the challenge request signal will be activated, requiring that the LFSR generate a new challenge. The responses for all subsequent challenges are concatenated to form a large unique chip response which is sent to the RFID tag and stored. In this paper, we assume an implementation of a reliable RO-PUF. The reliability analysis of such PUFs is outside the scope of this paper.

5) Board ID: The board ID we design here is primarily targeted for board identification and tracking in the supply chain. In addition, the board ID can be used to detect unauthorized substitution of original chips on board, which we refer to as board tampering. Figure 7 shows the structure of our proposed board ID generator, which is integrated inside the RFID tag. The board ID in our CST system is generated by combining the tag PUF and each individual chip’s PUF with a special function. The function should be such that (i) the ID generated for each board is unique for all the boards in the population and (ii) it is very sensitive to any changes to the chips on the board (e.g., replacing one chip with a counterfeit or modified chip). In the worst case, even if the attacker could intercept the communication between the tag and chips and figure out the chip PUFs, it is still impossible for the attacker to clone the board ID since the tag PUF never leaves the tag.

We propose two functions in this paper. In both cases, we choose the bit width of the board ID to be equal to the bit width of the tag and chip PUFs but other functions could work differently. Our first function is as follows. We perform a bitwise exclusive OR on the tag PUF and all chip PUFs. Assuming there are one tag PUF ($PUF_0$) and L different chip PUFs ($PUF_1, PUF_2, \ldots, PUF_L$), the board ID based on the first option can be calculated as:

$$BoardID = \text{bitxor}(PUF_0, PUF_1, PUF_2, \ldots, PUF_L)$$

Our second function is as follows. We count the number of ones and zeroes at the same bit location for the tag PUF and all chip PUFs. Assuming there are one $N−bit$ tag PUF ($PUF_0$) and L different $N−bit$ chip PUFs, the $i_{th}$ bit of the board ID based on the second option can be calculated as:

$$BoardID(i) = \begin{cases} 1, & \text{if } \sum_{j=0}^{L} PUF_j(i) > \frac{L+1}{2} \\ 0, & \text{if } \sum_{j=0}^{L} PUF_j(i) < \frac{L+1}{2} \end{cases}, \quad i = 1, 2, \ldots, N$$

We compare the uniqueness and sensitivity to changes of both proposed functions using a CST prototype in the results section.

IV. RESULTS AND ANALYSIS

In this section, we evaluate CST operation via simulations, a prototype implementation with 90nm Xilinx Spartan-3E FPGAs and a PCB prototype with a printed slot antenna. All the results are used to verify that each function of the CST system is performed correctly. Firstly, we estimate the sensor overheads via design tools to show that the system is non-intrusive (i.e., little impact on area, power, timing, etc.). Secondly, the FPGA prototype was used to verify the digital parts of the system, and compare the uniqueness and sensitivity to changes of the proposed board ID functions. Note that we do not include results for most of the sensors since they are available in prior work. Thirdly, the RF communication efficiency of the system was analyzed using the PCB prototype. Finally, we evaluate the system robustness to different types of potential attacks.

A. Simulation Results

Synopsys Design Compiler (DC) is used to synthesize the CST sensors embedded inside various chips. Table II shows the area and power overhead based on IBM 130nm CMOS SBF-DM technology. Taking into consideration the large quantity of information these sensors can provide, an overhead of this order is acceptable. Sensor updates and processing time of each sensor should be as short as possible. After placement and routing, the Synopsys Verilog Compiler Simulator (VCS) is used to analyze the timing of the CST sensors. Table III shows the updating periods and processing time of the CST sensors. When sampling clocks from the RFID tag arrive, CDIR_CTR and ECID are already ready, so CDIR_CTR and ECID need less processing time. In contrast, CDIR_RO
and PUF have to generate sensor data in real time and thus consume more processing time.

Table II: Overhead analysis of CST sensors

<table>
<thead>
<tr>
<th>Sensor</th>
<th># of cells</th>
<th>Area Overhead (µm²)</th>
<th>Dynamic Power Overhead (µW)</th>
<th>Leakage Power Overhead (nW)</th>
</tr>
</thead>
<tbody>
<tr>
<td>CDIR_CTR</td>
<td>186</td>
<td>28.28</td>
<td>127.4</td>
<td>37.57</td>
</tr>
<tr>
<td>CDIR_RO</td>
<td>255</td>
<td>343.08</td>
<td>123.55</td>
<td>43.11</td>
</tr>
<tr>
<td>PUF</td>
<td>132</td>
<td>409.28</td>
<td>106.33</td>
<td>48.67</td>
</tr>
<tr>
<td>ECID</td>
<td>28</td>
<td>342</td>
<td>17.68</td>
<td>4.55</td>
</tr>
<tr>
<td>Four sensors</td>
<td>1026</td>
<td>21235</td>
<td>519.28</td>
<td>220.94</td>
</tr>
</tbody>
</table>

Table III: Updating periods and processing time of CST sensors

<table>
<thead>
<tr>
<th>Sensor</th>
<th>Updating Period (µs)</th>
<th>Processing Time (µs)</th>
</tr>
</thead>
<tbody>
<tr>
<td>CDIR_CTR</td>
<td>6554</td>
<td>3</td>
</tr>
<tr>
<td>CDIR_RO</td>
<td>Once each time powered on</td>
<td>5007</td>
</tr>
<tr>
<td>PUF</td>
<td>Once each time powered on</td>
<td>99.60</td>
</tr>
<tr>
<td>ECID</td>
<td>Once</td>
<td>3</td>
</tr>
</tbody>
</table>

B. Experimental Analysis

The digital part of the CST system was implemented on 90nm Xilinx Spartan-3E FPGAs, in order to verify its effectiveness in working as a channel to collect board- and chip-related ID and usage information. Two Spartan 3E FPGAs were used to work as the RFID reader and the RFID tag respectively. Flash M25P16 on board was employed to store the CST sensor data. An SPI bus was utilized to connect the FPGA chip and the Flash M25P16. The test and measurement setup is shown in Figure 8 (a). Figure 8 (b) shows the FPGA layout of the RFID tag digital part with ring oscillators highlighted. For CDIR_RO, reference RO and stressed RO should be placed at symmetrical locations and next to each other to reduce the influence of process and environmental variations. Similarly, the upper and lower 32 ROs of PUF should be also symmetrically placed and close to each other.

Figure 8: (a) Experimental setup and (b) FPGA layout of the RFID tag digital part.

15 Spartan 3E FPGAs were employed to generate 15 128-bit board IDs, with 17 PUFs implemented on each board. Figure 9 illustrates the hamming distance distributions of board IDs based on Equation 1 and Equation 2 respectively. The mean values of hamming distances for both board IDs are 63.371(49.51% out of 128) and 53.3143(41.65% out of 128) respectively. Hamming distance mean value of the first board ID is closer to the half of board ID bit-width 128 which is ideal. Hamming distance distributions based on both equations approximate normal distribution. Experimental results demonstrate that the first board ID is more effective at identifying boards. Similarly, for CDIR, reference CDIR and stressed CDIR, the upper and lower 32 ROs of PUF should be also symmetrically placed and close to each other.

Figure 9: Hamming distance distribution of board IDs.

We also evaluated the RF communication efficiency of the system’s on-board antenna by performing identification using an actual RFID reader. Our experimental platform is set up as shown in Figure 10 (a). Figure 10 (b) shows the reading efficiency. When the reading distance is smaller than 4 meters, the reading rate is larger than 50 reads/sec, which means that the RFID reader can finish reading 50 boards per second. No bit error occurs throughout our experiments. Experimental results demonstrate that the RF communication between the RFID reader and the RFID tag is effective and efficient for implementing track-and-trace in the supply chain.

C. Security Evaluation

Table V lists the potential system-level attacks towards general board-level systems (including our proposed CST system), their attack cost before/after mitigation, and mitigation methods. The board ID can be used to detect unauthorized chip replacement. The tag clone can be prevented by embedding a PUF in the tag. By placing the transmission lines linking the tag and chips on the internal layers of PCB, using chip package with hidden pins/leads (e.g., ball grid array package) and an embedded EEPROM, we can reduce the vulnerability of probing attacks. Further protection towards the communication between the tag and chips is available by encryption. By encrypting the memory data bus and hiding the secret data in a random location, we can ensure the security and integrity of the secret data stored in the EEPROM (but this is admittedly quite expensive).

Figure 10: (a) Experimental setup for evaluating RF performance and (b) RFID reading efficiency.

V. Conclusion

This paper presents the first RFID-based system suitable for electronic component and system counterfeit detection and system traceability. The effectiveness of this system has been verified through simulations and experimental results. Compared with existing approaches, CST has the following merits: (1) it is the first platform to detect multiple types of
counterfeits; (2) it supports board identification and tracking in the supply chain even when the system is powered off; (3) the test overhead is much lower than existing tests because an RFID reader can extract the information from multiple boards simultaneously and in a contactless fashion. In future work, we aim to build on this concept to address more well-funded attackers with greater capabilities.

REFERENCES


### Table IV: Board ID sensitivity towards PUF replacement

<table>
<thead>
<tr>
<th>Function</th>
<th>Board ID (128 bits) variance</th>
</tr>
</thead>
<tbody>
<tr>
<td></td>
<td>Board I</td>
</tr>
<tr>
<td>F1: #1 to #10</td>
<td>45.60%</td>
</tr>
<tr>
<td>F2: # of ones &gt; # of zeros ?</td>
<td>18%</td>
</tr>
</tbody>
</table>

### Table V: System level security evaluation

<table>
<thead>
<tr>
<th>Attack target</th>
<th>Attack approach</th>
<th>Attack cost before mitigation</th>
<th>Attack cost after mitigation</th>
<th>Mitigation</th>
</tr>
</thead>
<tbody>
<tr>
<td>Chip</td>
<td>Replace the original chip with an illegal substitute (e.g., a counterfeit IC).</td>
<td>Low</td>
<td>Extremely High</td>
<td>Detect malicious chip replacement via board IDs generated over tag PUF and all chip PUFs.</td>
</tr>
<tr>
<td>Chip interconnection</td>
<td>Intercept the communication between the tag and chips to obtain the chip-related information.</td>
<td>Low</td>
<td>High</td>
<td>1. Place the transmission lines, linking the tag and chips, on the internal layers of PCB. 2. Use chip package with hidden pins/leads. 3. Encrypt the communication between the tag and chips.</td>
</tr>
<tr>
<td>RFID tag</td>
<td>Clone the tag to evade counterfeit detection.</td>
<td>Medium</td>
<td>Extremely High</td>
<td>Embed a PUF in the tag.</td>
</tr>
<tr>
<td>EEPROM</td>
<td>1. Decap EEPROM and microprobe the data bus to gain secret data (e.g., password and board ID). 2. Decap EEPROM and use expensive equipment (e.g., an electro-optical probe) to sense the value of EEPROM bit cells.</td>
<td>High</td>
<td>Extremely High</td>
<td>1. Encrypt memory data bus. 2. Hide the secret data in a random location.</td>
</tr>
<tr>
<td>RF channel</td>
<td>Use a malicious reader to access the tag and steal secret data.</td>
<td>Low</td>
<td>Extremely High</td>
<td>1. Access is protected through password. 2. Data transmission is XORed with random numbers. 3. Apply AES encryption. 4. Apply hash-based secure protocol.</td>
</tr>
</tbody>
</table>