Pim Tuyls is the Founder and CEO of Intrinsic ID. He initiated the work on Physical Unclonable Functions (PUFs) that forms the basis of Intrinsic ID’s silicon fingerprinting technology. The original work on PUFs was carried out at Philips Research, where Pim was Principal Scientist and managed the cryptography cluster. In 2008 he founded Intrinsic ID and led the technology development. Pim has headed the company since 2010 and raised new funding in 2012 to address the growing market of mobile and IoT security. In 2015 he moved the headquarters from the Netherlands to Silicon Valley. Pim Tuyls holds a Ph.D. in mathematical physics from Leuven University, holds 50+ patents and is widely accepted for his work in the field of SRAM PUFs and security for embedded applications.
I know that Intrinsic ID just celebrated its 10-year anniversary, tell me how you launched Intrinsic ID.
Yes, in October last year. It’s been very exciting, with the ups and downs most startups go through. I was at Philips, working on optimizing the production of certain components in Cathode Ray Tubes (yes, the old televisions). The project was very successful, so successful that when I finished I was given the opportunity to select my next assignment. I saw great potential in the combination of cryptography and physics, so I pitched this idea to management and they gave me the OK to assemble a team and start the project. At the end of 2001 I started a new project in the Natlab of Philips.
I had absolutely no idea where this would lead. The only intuition I had was that a higher level of security could be achieved where physics and cryptography intersect. This was a completely open field, no algorithms, no mathematics, no books and no concrete physical examples were known. It was a desert with wild ideas.
After creating the security team at Philips Research, I started with a focus on content protection. The new idea was to encrypt the content on a carrier – a disc or chip – with a key extracted from the physics of the carrier itself. In that way the content could not be cloned without cloning the carrier too, at the nano level.
It sounds like you weren’t yet focusing on semiconductor physics.
Not yet. Not exclusively at least. At that time we measured chips acoustically, laid down special circuits and covered them with a protective coating: the coating PUF. But the semi manufacturers did not like these coating materials in the fabs. We needed a mass-scale solution that would work with a standard semiconductor component. The coating PUF turned out to be a nice piece of technology that would not see the light of day in the real world.
During a brainstorm session in the Natlab, we started thinking about what happens with volatile memories when a chip starts up. We thought that, since there is a voltage on the cells, there should be data in it. That’s how the SRAM PUF idea was born and, through Philips Semiconductors, we had access to lots of data from modern chip technology. The first SRAM data that came in showed very good uniqueness and fairly low noise levels, which was perfectly correctable with our refined helper data algorithms.
Things started going faster now, almost too good to be true. But in 2006 Philips was evaluating its business portfolio and decided to go in a new strategic direction. So it spun off the semi division into what is now NXP. And a few years later we spun out the security technology and the team from Philips to form Intrinsic ID.
Content protection, encrypting content on a disc or a chip – this doesn’t sound like what I think of when speaking about “Internet of Things.”
Correct. This was long before the IoT caught hold in the way we see it today, and certainly before anyone, at least most people, were talking about IoT security. In 2014 it started to become clear that the Internet of Things would start taking off and that we had a play there. About that time I decided to move with my family to Silicon Valley and run the company from here. There were just two of us in the U.S. office at the time but we established key relationships with top semiconductor companies that are delivering chips for IoT-connected products.
Let’s drill down on your key technology, SRAM PUF. What are its benefits and applications?
Without getting too deep into the physics, a PUF is based on the fact that every chip is slightly different due to deep submicron manufacturing variability, even though two or more chips might have been produced with the same manufacturing process. As a result, when a chip is initially powered up, its threshold voltages and other physical characteristics are slightly different from all other chips, enabling us to derive the PUF for that chip, and therefore its unique identity.
In the case of SRAM PUF, it is embodied in the start-up behavior specifically of the SRAM memory on the chip. Since SRAM is a standard semiconductor component that exists in all technology nodes and processes, and that is present on almost every digital chip, the SRAM PUF scales very well. It can be used on almost every embedded device independent of whether the chip was built in old technology nodes such as 180 nanometers or very new ones, such as 7 nanometers, which is the leading edge in today’s semiconductor technology. Furthermore, the SRAM PUF can be instantiated by software and can be easily evaluated on existing devices. Intrinsic ID enables this with our BroadKey. I’m very proud of the work our team has done with BroadKey, by the way. BroadKey has started to receive award recognition, including the IoT Breakthrough award announced in early January.
Why is PUF technology well suited for the IoT?
Because SRAM is present on almost every device, it scales very well. Further it can be used on devices that don’t have non-volatile memory on board, and hence that don’t have any other option. Finally, it can be implemented at a very low cost since the SRAM is already present on the chip and a software approach is possible.
Now that it’s been a few years, what misconceptions do you think people have about IoT security?
Sometimes I come across people who believe either that security in the endpoints is not required, or that IoT security is already done. Many people still think that one can re-use the principles and components developed for a PC and just apply them to the IoT environment. Given the huge number and cost of IoT devices, that’s just not economically viable. A new set of technologies is needed to secure the IoT in billions of devices.
A lot of companies claim to provide IoT security. What is different about Intrinsic ID?
Intrinsic ID is unique in the fact that we bring a way to give every smart device an unclonable identity using the natural “fingerprint” of the chip. This means that this is low cost and scalable. It also solves the problem that unique identities and a hardware-based root of trust don’t have to be injected from the outside, which is a costly and non-scalable proposition.
I found a comment you made a while back where you said: “While Facebook connects roughly 1.5 billion people, Intrinsic ID addresses the need for authentication for the Internet of Things – which is expected to connect more than 50 billion devices by 2020.” That’s an interesting comparison.
I was trying to illustrate the magnitude of securing the Internet of Things. The number of people connected by Facebook is huge, and not a trivial accomplishment. But it pales in comparison to the IoT’s scale. There will be many more devices than people on our planet. It’s really much more difficult to connect so many devices at different technologies – and to do so securely and economically. Yes, our solutions work from 8-bit to 64-bit and beyond chips.
Tell us about your core products and the sort of customers using them.
We have two flagship products, QuiddiKey and BroadKey. Both generate an Unclonable Identity from the SRAM PUF and integrate those with crypto functionalities and higher layer SW stacks such as TLS.
QuiddiKey is targeted toward semiconductor manufacturers, such as NXP and Microsemi. BroadKey has a much wider range because it is delivered as software and therefore can be deployed at any stage of an IoT product’s lifecycle. BroadKey can be applied by semiconductor manufacturers and OEMs toward present and future designs, but it can also deal with existing devices. We refer to this as a “brownfield” deployment, in contrast with a brand new green field.
Can customers use your security solutions in currently deployed products? What if a company didn’t design for security in the first stage of product development?
Yes, BroadKey in particular is targeted and suitable for currently deployed products. Via an OTA, BroadKey can be downloaded to deployed devices in the field and inject a HW root of trust in those devices. We essentially enable our customers to go back in time and fix the security on their product.
At the RSA Conference in April 2018, you announced that Intrinsic ID is now securing more than 100 million devices. What is the significance of reaching that milestone?
It’s a pretty significant milestone. It means our products work in a real-life environment. It is important to note that we have not had one failure so far! And since then the number has increased – we are actually in more than 125 million now.
What has been the biggest business-related challenge you’ve faced since launching Intrinsic ID in 2008?
I’m not sure I can come up with just one. In the early days the growing pains of launching a startup presented a wide range of challenges, usually associated with all the “firsts” involved – first employees, delivering the first product, making the first sale. We got past those, but new challenges came. Where is the market going, and what should be our next product to make sure we stay ahead? How do we deliver on the demands from our latest customer? How will we be able to support users while at the same time trying to add new customers? The challenges never really stop, they are just different depending on the stage where the company finds itself at any particular time. This is what makes it so much fun to build a startup.