Design and Implementation of Secure Cryptographic System on Chip for Internet of Things

Due to the 4th industrial revolution and the arrival of the 5th Generation (5G) era, the Internet of Things (IoT) industry is growing significantly. As a result, the number of IoT devices in various industries, such as smart cars, smart homes, and smart healthcare, and the importance of security for these devices are increasing. This study proposes a design method for a secure cryptographic system on a chip (SecSoC) that can be used in the IoT industry and presents the results of the performance and security evaluations of the implemented chipset. The experimental results demonstrated that the SecSoC is a low-power high-performance cryptographic chip that is safe from external attacks. Compared to conventional smart card integrated circuits, the proposed design includes intrusion detection circuits that can respond to external attacks. At the same time, it supports a physical unclonable function for hiding secret data and cryptographic logic for maintaining integrity and confidentiality. The SecSoC ensured a fast transfer rate of up to 110 Mbps and consumed only 95.8 mW when operating at maximum frequency.


I. INTRODUCTION
Today, the prevalence of Internet of Things (IoT) devices is increasing exponentially [1]. Through a variety of networks, IoT devices have created a hyper-connected society, wherein they communicate with one another and exchange data with other IoT devices connected to these networks. The era of IoT has dawned upon us, wherein everything, including people, objects, processes, and data in the real and virtual worlds, is interconnected through the Internet, and IoT devices autonomously generate, collect, share, and utilize information without human intervention [2], [3].
The application fields of IoT are expanding, and sensors embedded in IoT devices are accumulating massive and important data. Thus, IoT hacking has become increasingly lucrative, making IoT devices attractive targets for hackers [2], [4]. Furthermore, as the IoT devices used in daily life are becoming more diverse and universalized, the dangers and impacts of possible security threats are growing. Since IoT devices are always connected to the Internet, cyber hacking attacks are possible through the network. Moreover, owing to their nature, IoT devices, which are used in the external environment as infrastructural and sensor components, are highly likely to be physically manipulated by hackers and used as a route for orchestrating cyber-attacks [5]. When malfunctions or unauthorized manipulations of devices and systems constituting IoT services, such as vehicles, home appliances, and healthcare systems occur, they can cause damage to the lives and property of users, and this damage can spread to the whole of society [6].
The associate editor coordinating the review of this manuscript and approving it for publication was Giovanni Pau.
Methods for the design and development of secure IoT products include software- and hardware-based approaches [7]. Software-based approaches are cost-effective and easy to implement and update; however, they are limited in that the system only protects the security of the operating system [7]. Furthermore, the security of the encryption code can be easily compromised by security defects in the operating system. In contrast, hardware-based approaches can protect devices from physical attacks as well as software attacks; reverse engineering is more difficult for hackers to carry out than software attacks [8]. The greater the number of security measures embedded in the system hardware, the more difficult it is for hackers to infiltrate the execution paths of processes or to deactivate or control processes by leaking critical data [9]. Owing to these security-related advantages of hardware and the rapid development of semiconductor processes, the recent trend in product development involves using hardware instead of software to develop low-cost and high-performance products [10], [11]. Despite these advantages, hardware-based approaches are vulnerable to external attacks such as: 1) physical probing/manipulation; 2) electrical stimulation, measurement, and analysis; 3) electromagnetic interaction/radiation and analysis; 4) energy and particle exposure; and 5) inspection and reverse engineering. IoT devices using these hardware-based approaches are susceptible to cloning. For example, attackers can reverse-engineer smart card integrated circuits (ICs) and change the operation modes of these circuits using information acquired through overvoltage, light, and environmental stimuli (e.g., temperature and frequency), by manipulating data, or by duplicating the master key in the memory [12]-[15]. These methods can cause malfunctions in the security circuits that protect specific cash cards or access-permitting functions [16].
To resolve such issues, we designed a secure cryptographic system on a chip (SecSoC) that integrates sensors for intrusion detection and a physical unclonable function (PUF) for hiding secret data on an IoT cryptographic chip using hardware security technology. The PUF was adopted to overcome the vulnerabilities of security chips, such as smart card ICs and trusted platform modules (TPMs), that require the master key to be stored in non-volatile memory. Since the SecSoC integrates all the functions for responding to various external attacks in one chip, an attacker cannot compromise the cryptographic chip by bypassing only one of the response functions. For example, even if an attacker successfully disables the sensors, it is difficult to find the hidden data generated by the PUF because the hidden data of each chip are different.
The contributions of this study are as follows.
• To defend against external attacks, an active shield, light sensor, overvoltage sensor, temperature sensor, frequency sensor, and static random-access memory (SRAM) PUF were integrated into a system on chip (SecSoC) and verified in a real test bed.
• SecSoC is equipped with encryption algorithms and high-speed input/output (IO) interfaces to provide high-speed encryption/decryption performance of 110 Mbps.
• SecSoC satisfies the unpredictability, uniqueness, and robustness requirements of the SRAM PUF.
As attacks evolve, semiconductors are no longer safe devices. In order to make a security chip that is safe from external attacks, many semiconductor companies are investing huge budgets in the research and development of their own security solutions. The developed security technology is evaluated for safety through Common Criteria certification, and the verified security chip is applied to e-passports, credit cards, and USIMs. However, access to these security technologies is limited because the security functions developed with such budgets are managed in strict secrecy. This paper presents a SecSoC that is safe against various external attacks and can safely store the secret key inside the SecSoC using SRAM PUF technology. A standard for the security functions that can respond to external attacks was presented, and it was confirmed through function and performance tests of the suggested security functions that this requirement standard was satisfied. The implemented system on a chip (SoC) was tested in a laboratory environment, and the results showed that it was a low-power high-performance crypto chip safe from external attacks. Compared to conventional smart card ICs, the proposed design includes intrusion detection circuits that function according to the nature of the external attack, and the design supports a PUF for hiding secret data and cryptographic logic for maintaining integrity and confidentiality, respectively.
The remainder of this paper is organized as follows. Section 2 summarizes recent related work in the hardware security and PUF fields. Section 3 presents the design and implementation results of the SecSoC. Section 4 describes the results of evaluating the power consumption of the SecSoC and its ability to defend itself against external attacks. The section also discusses the PUF characteristics of the SecSoC. Finally, the conclusions are presented in Section 5.

II. RELATED WORK
In this section, related work in the field of hardware security and the PUF, which are applicable to IoT devices, is analyzed. Table 1 summarizes the attacks and countermeasures of related works.

A. HARDWARE SECURITY
IoT devices require the development of lightweight low-power security technology owing to the limited hardware and battery resources available in their systems. Furthermore, IoT devices are likely to malfunction, leak information, or be used as malware distribution sites because they are implemented using vendor-specific nonstandard protocol stacks and can be easily accessed physically or through the Internet [17]. Various cases of critical data leakage, such as the leakage of user account details and passwords used for authentication purposes, and IoT attacks targeting access control vulnerabilities have recently occurred [18]. If attackers steal IoT devices, obtain the public and private keys of the devices by analyzing them, and successfully identify exploitable vulnerabilities, the threat becomes more serious because the hackers can then exploit these vulnerabilities on all similar devices [19].
As IoT devices are mainly installed in an environment that is easily exposed to attackers, they are vulnerable to various hardware security attacks, such as side-channel attacks, firmware hacking, and key value extraction. There are various techniques that reinforce hardware security, such as firmware/code encryption, executable space control, reverse engineering prevention techniques, and key protection, which should be applied appropriately depending on the user environment of the IoT devices [20].
To obtain the internal information of IoT devices, attackers can attempt various external attacks, and various response techniques have been studied to prevent them. Ehret et al. [21] and Yang et al. [22] analyzed the advantages, disadvantages, and trade-offs of hardware security techniques that could be used for the design of low-power SoCs. Rahman et al. [23] investigated hardware security technologies based on complementary metal-oxide-semiconductors (CMOSs) and analyzed their response coverage for attacks. Weiner et al. [24] and Weiner et al. [25] proposed a low-area probing detector as a response to micro-probing security threats and compared it with shield or bus encryption methods in terms of area overhead and latency. Lee et al. [26] proposed a robust secure shield structure to respond to invasive attacks, such as focused ion beam (FIB) circuit editing. Mehrabi et al. [27] proposed a hardware security strengthening method using an encryption module. Singh et al. [28] and Takemoto et al. [29] proposed a 128-bit advanced encryption standard (AES) design method as a response to power and electromagnetic side-channel attacks. Vasselle et al. [30] analyzed security vulnerabilities prone to near-field side-channel analysis attacks that should be considered when designing a cryptographic processor, such as an SoC. Rahman and Asadizanjani [31] analyzed the security vulnerabilities of SoCs prone to semi- and non-invasive attacks, such as photon emission analysis, laser-voltage probing/imaging, and laser stimulation.
Chip-level computer security is being actively introduced to reinforce responses to external attacks. Approaches and technologies under this type of security include hardware-based hypervisors, such as the TPM chip, self-encrypting hard drives, the unified extensible firmware interface (UEFI), virtualization technology, and AMD virtualization. Chip vendors and manufacturers are researching and developing security technologies based on various chips and firmware [32], [33]. Hardware security approaches have been used for mobile device security, beginning with the use of smart card ICs, and applications are expanding to lightweight devices for IoT security. Early hardware security was used to protect keys in encryption technologies; the universal subscriber identity module (USIM) and secure element (SE) were used for the safe storage of the keys [34]. Hardware security has been developed to guarantee the integrity of IoT devices and offer them protection against cyberattacks. It has been applied to TPM, a secure cryptoprocessor standard, and to TrustZone, which sets the security boundary of the kernel and creates execution privileges [35]-[37]. Recently, as the importance of IoT security has increased, the security solution has been integrated with microcontroller units (MCUs). ARM, a semiconductor and software company, leads the setting of hardware security standards and the release of platform security architecture (PSA) items; standardization and certification entities standardize IoT security technologies [38]. The SC300 processor is designed specifically for high-performance smart card ICs and embedded security applications [39]. Microcontroller chips provided by STMicroelectronics contain a variety of countermeasures, from the active shield to the cryptographic algorithm [40].
Compared with related hardware security studies, the proposed system on a chip is designed for use in various IoT devices with high-performance interfaces as well as in external attack response technologies.

B. PUF
Owing to the nature of their functions, IoT devices continuously access the wireless network and communicate with external devices. This means that some users can easily access IoT devices through a communication network. As a result, devices are regularly exposed to the threat of hacking [5], [6]. The need for safe and reliable IoT networking solutions for people, objects, and processes in a network that is exposed to external threats is increasing. These solutions include authentication, authorization, and cryptographic security technologies [7]. Security technologies require unique or unpredictable random numbers. In most cases, random numbers are generated outside the devices and stored in non-volatile memory (NVM). However, as encryption keys stored in an NVM could be leaked by hacking, they need to be stored, managed, and used in a safe environment [41].
To satisfy these security requirements, there is active research on technologies that can prevent hacking attempts at the source by introducing a root of trust, which is a hardware security feature [42]. For example, executed software applications are difficult to modify because they are stored in the read-only memory (ROM) of an MCU; in such cases, a reliable system can be implemented from the early design stage. Recently, active research on PUFs has been underway; the PUF is considered a core technology element for IoT security in a large-scale dense network environment [43], [44]. PUF technology can create physically unclonable semiconductors based on the natural characteristic differences resulting from the fine differences among the similar physical structures of materials in a semiconductor manufacturing process [45]. PUF technology is based on the unpredictability resulting from the mismatched characteristics of circuits of the same design produced in a semiconductor manufacturing process [46]-[50]. As unique values are given to each semiconductor based on the fine differences that occur in a manufacturing process, the devices have unique responses to the same challenge value even though they have all been produced through the same process [51], [52].
The variations in circuit devices are unpredictable and cannot be controlled and replicated from the outside; hence, PUF-based unique key values can be generated and used for encrypting/decrypting these devices. These unique PUF values can never be leaked outside the chip and prove that each device has the corresponding PUF as a suitable user [45]. Hence, key management risks are distributed, and the security management burden of the service provider related to the server can be minimized. In other words, each device has a unique private key for encryption based on its PUF characteristics. Therefore, the server of the service provider only validates terminals through the exchange of public keys; it does not keep the private keys of users, thus lowering the burden on private key management.
An input from the outside to obtain a PUF output is called a "challenge," and the PUF output obtained as a result of the challenge is called a "response." Unlike mathematical functions, a PUF cannot guarantee the same output even if the same input is given. In other words, the responses obtained by applying a challenge to the same chip are not constant and vary. If the Hamming distance between these responses is not large, they are mapped to the same message by applying an error correction code. The PUF can be used for communication channels that mutually authenticate the unique characteristics of devices and can also be used to encrypt transmitted messages. However, the PUF circuit still exhibits a high bit error rate [53], [54]. To solve this problem, it was demonstrated that the error rate of a PUF chip could be reduced by complex post-processing [55]-[57]. This study proposes a simple SRAM cell classification method that can reduce the error rate to 0 without applying complex post-processing. The SecSoC proposed in this study includes attack defense circuits, an SRAM PUF, and a high-speed interface. Compared to a multi-chip solution, this single-chip solution has advantages not only in terms of cost-efficiency but also in terms of the size of resource-constrained IoT devices. Furthermore, it can support high-performance cryptographic services for a wide range of IoT applications, such as the encryption or decryption of IoT video surveillance streams and hiding a secret key using a PUF.

III. DESIGN AND IMPLEMENTATION OF SECURE CRYPTOGRAPHIC SoC
This section describes the overall structure of the proposed SoC. Further, it explains the detailed specifications and functions of the sensors and PUF.

A. SOC ARCHITECTURE DESIGN
Security hardware design is the most important component of chipsets mounted on mobile devices or IoT devices. The hardware of a chipset needs to be small in size; it should be able to work at low power and have high reliability. It should also satisfy the necessary high-performance requirements. The hardware structure of the chip is largely composed of five parts: a central processing unit (CPU) and peripherals, a memory unit, IO interfaces, an attack prevention unit, and a cryptographic algorithm processing unit. The detailed structure is shown in Fig. 1(a).
In the SoC, the CPU, running memory, and designed core security logic are integrated into a single chip. The chip supports an AES block cipher (BLOCK), hash (SHA), hash-based message authentication code (HMAC), elliptic curve cryptography (ECC), and pseudo-random number generator (PRNG). The ARM926EJ-S CPU is embedded in the chip and has secure digital input output (SDIO), universal serial bus (USB) 2.0, universal asynchronous receiver transmitter (UART), and general-purpose input output (GPIO) as external interfaces. The low-power ARM926EJ-S core was chosen for the CPU, and the internal memory was built from compiled SRAM to satisfy the small-area and high-efficiency requirements. For the external I/O, USB 2.0 and SDIO interfaces, which are frequently used in mobile terminals and tablets, were selected. Symmetric and asymmetric key algorithms were implemented as lightweight blocks to satisfy the micro-size and low-power requirements. To optimize the encryption and decryption performance, a hardware-based cryptographic interface (CI) function was implemented. Finally, for protection against physical attacks, the chip implements active shields for defending against chip decapsulation attacks, four analog sensors (voltage, temperature, frequency, and light) for responding to fault injection attacks, and the PUF, whose secret-key hiding technique provides additional security. For higher performance, the interface of the USB 3.0 chip and the cryptographic processing unit were directly matched. An encryption and decryption communication performance of 2 GB or higher was supported by applying the simultaneous round processing and pipelining technique of the symmetric key algorithm. Table 2 outlines the main components and functions of the chip.
The components of the cryptographic module consist of a hardware interface according to physical/electrical standards, a CI that matches a secure application programming interface (API), and a secure API that matches the applications of the target system. Fig. 1(b) shows the CI that matches the API. A CI is a matching standard that converts API commands into a format the cryptographic module can understand and delivers the response corresponding to the given commands [14], [24]-[26].

B. HARDWARE SECURITY DESIGN
Possible attack methods targeting semiconductor chips are becoming more advanced and intelligent. Critical data, such as the secret key inside a chip, can be easily hacked using physical stimuli, reverse-engineering, and analysis techniques. A physical attack involves attacking a cryptographic algorithm using physical signals or analysis equipment applied to cryptographic modules or devices. Physical attacks can be categorized into invasive, semi-invasive, and non-invasive attacks [14], [24]-[26]. Table 3 summarizes the expected attacks against the SecSoC and the countermeasures for them. The active shield and PUF were used to respond to decapsulation and reverse engineering attacks, which are examples of invasive attacks. Semi-invasive attacks, such as laser scanning and electrical stimulation, were defended against using light (image) and overvoltage sensors. Non-invasive attacks induce abnormal operation in the crypto chip by creating an error during its operation; examples include changing the temperature, applying glitches, and changing the frequency to one outside the operational range. To respond to these attacks, a frequency sensor, temperature sensor, and overvoltage sensor were implemented in the crypto chip.
Four types of attack detection analog sensors were implemented in the chip: overvoltage, temperature, frequency, and light (image) sensors. Two different types of sensors were mounted for the overvoltage, temperature, and light types. The attack detection sensor circuit had the disadvantage of a microcurrent flowing even when it was not operating, thereby increasing its current consumption. Thus, it was designed to allow the switching on and off of individual sensors from the CPU during the initial booting of the crypto chip.

1) FREQUENCY SENSOR
This sensor was designed to determine whether the clock frequency deviates from the reference frequency range by receiving the clock input from the outside and the output of the internal phase-locked loop (PLL). The circuit operates by dividing the clock after the clock selection signal written by the CPU is read from the register. The reference frequency is set by the CPU. A HIGH signal is generated when the frequency is higher than the set frequency; a LOW signal is generated if it is lower than the set frequency. After checking this signal, the frequency sensor generates an interrupt in the CPU and notifies the CPU of a frequency attack.

2) LIGHT SENSOR
The light sensor was designed in a two-step structure: sensor 1 and sensor 2. Light sensor 1 determines that an attack is occurring when a light or laser source is detected by the light-receiving part after the chip package has been removed by the attackers. It then notifies the CPU through an interrupt. The sensor is designed to adjust its response to light intensity when the register value is changed by the CPU to adjust the sensitivity of the light-receiving part. Light sensor 2 performs the same function as light sensor 1. However, its light-receiving area was designed to be wider than that of light sensor 1. Furthermore, light sensor 2 is placed in the opposite position to light sensor 1 to reduce the possibility of attacks going undetected owing to sensor position, especially when attacks such as laser fault injection are carried out.

3) TEMPERATURE SENSOR
The temperature sensor was also designed in a two-step structure: sensor 1 and sensor 2. Temperature sensor 1 was designed to protect the chip from problems that can occur when a crypto chip is operated in an environment outside its permitted temperature range and from physical attacks. By default, it can detect temperatures in the range of −20 to 100 °C in 20 °C sections, and the temperatures measured in each section have an error range of approximately ±20 °C. Furthermore, the permitted range in which the crypto chip can operate can be set in the register by the CPU. When the chip operates in an environment outside the set temperature range, the CPU is notified through an interrupt signal. Temperature sensor 2 operates separately from sensor 1. Temperature sensor 1 was designed to detect temperatures in various sections without correcting measurement errors of approximately ±20 °C, whereas temperature sensor 2 was designed to measure the temperature accurately using a correction circuit that corrects measurement errors.

4) OVERVOLTAGE SENSOR
The overvoltage sensor was designed in a two-step structure to protect the chip from fault injection attacks using voltage. An IO voltage of 3.3 V and a core voltage of 1.2 V were applied to the chip. The overvoltage sensor determines the occurrence of a voltage fault injection attack by monitoring both the IO voltage and the core voltage. Relative to the nominal IO voltage of 3.3 V, the sensor detects whether the supply reaches 3.9 V or falls to 2.4 V; relative to the nominal core voltage of 1.2 V, it detects whether the supply reaches 1.55 V or higher or falls below 0.95 V. A noise cancellation filter was installed to check for the occurrence of 1 µs glitches, because a glitch attack on the power supply is expected when a fault injection attack occurs. When abnormal signals are generated in the IO or core power supplies, the overvoltage sensor detects them and generates an interrupt signal. The power measurement levels operate independently, but the same interrupt signal is used for the core and IO power supplies. Overvoltage sensor 1 is a level detector that measures the power level, whereas overvoltage sensor 2 is an edge detector specially designed to measure glitches in power. The overvoltage sensor was designed with both rising and falling edge detectors because power glitches are produced either by suddenly increasing the voltage or by interrupting the power supply. The overvoltage detection operation of the circuit was checked using simulation results, and the sensor was designed to detect an overvoltage corresponding to 1.5 times the voltage source on the drain (VDD) or higher applied for 1 ns or longer.
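A software model of the two-stage overvoltage sensor described above, as an added example rather than the chip's own circuit: sensor 1 is a level detector that flags any sample outside the permitted supply window, and sensor 2 is an edge detector that flags sudden rises or drops but ignores excursions shorter than its noise-cancellation window. The supply thresholds are the paper's; the 100 ns sampling step, the 1 µs filter length, and the 20% edge threshold are assumptions, and the traces are constructed.

```python
"""Model of the SecSoC overvoltage sensor pair: a level detector (sensor 1)
and an edge detector with a noise-cancellation filter (sensor 2).

Constructed illustration, not the chip's analog circuit.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Supply windows stated in the paper: IO nominal 3.3 V, core nominal 1.2 V.
IO_NOMINAL_V, IO_LOW_V, IO_HIGH_V = 3.3, 2.4, 3.9
CORE_NOMINAL_V, CORE_LOW_V, CORE_HIGH_V = 1.2, 0.95, 1.55


@dataclass
class SupplyMonitor:
    name: str
    nominal_v: float
    low_v: float
    high_v: float
    sample_ns: float               # spacing of the sampled supply trace (assumed)
    filter_ns: float = 1000.0      # paper: the filter checks for 1 us glitches
    edge_fraction: float = 0.2     # jump between neighbouring samples that counts as an edge (assumed)

    def level_alarm(self, trace: List[float]) -> List[int]:
        """Sensor 1: indices of samples outside the [low_v, high_v] window."""
        return [i for i, v in enumerate(trace) if v < self.low_v or v > self.high_v]

    def edge_alarm(self, trace: List[float]) -> List[Tuple[int, str]]:
        """Sensor 2: (index, 'rising'|'falling') for each step that displaces the
        supply for at least filter_ns; shorter steps are discarded as noise."""
        min_samples = max(1, int(round(self.filter_ns / self.sample_ns)))
        step = self.edge_fraction * self.nominal_v
        events = []
        i = 1
        while i < len(trace):
            delta = trace[i] - trace[i - 1]
            if abs(delta) < step:
                i += 1
                continue
            base = trace[i - 1]          # level just before the edge
            j = i
            while j < len(trace) and abs(trace[j] - base) >= step:
                j += 1                   # j: first sample back near the old level
            if j - i >= min_samples:     # excursion outlasted the noise filter
                events.append((i, "rising" if delta > 0 else "falling"))
            i = j + 1                    # skip the return edge of this excursion
        return events

    def interrupt(self, trace: List[float]) -> bool:
        """Either sensor firing raises the (shared) overvoltage interrupt."""
        return bool(self.level_alarm(trace) or self.edge_alarm(trace))


def core_monitor(sample_ns: float = 100.0) -> SupplyMonitor:
    return SupplyMonitor("core", CORE_NOMINAL_V, CORE_LOW_V, CORE_HIGH_V, sample_ns)


def io_monitor(sample_ns: float = 100.0) -> SupplyMonitor:
    return SupplyMonitor("io", IO_NOMINAL_V, IO_LOW_V, IO_HIGH_V, sample_ns)


# Constructed traces, one sample every 100 ns.
NORMAL_CORE = [1.2] * 5 + [1.25] * 3 + [1.2] * 5        # ordinary supply noise
SHORT_SPIKE = [1.2] * 5 + [1.5] * 5 + [1.2] * 5         # 0.5 us step, inside the window
LONG_GLITCH = [1.2] * 5 + [1.5] * 12 + [1.2] * 5        # 1.2 us step, inside the window
SLOW_OVERVOLT = [1.2, 1.3, 1.4, 1.5, 1.6, 1.6, 1.6]      # ramp past 1.55 V, no sharp edge
POWER_CUT = [3.3] * 4 + [0.0] * 20                      # IO supply interrupted


def run_all() -> dict:
    """Which sensor catches which trace: the level detector alone sees the slow
    ramp, the edge detector alone sees the in-window glitch, and a short
    in-window spike is filtered out as noise."""
    core, io = core_monitor(), io_monitor()
    return {
        "normal": core.interrupt(NORMAL_CORE),
        "short_spike": core.interrupt(SHORT_SPIKE),
        "long_glitch": core.interrupt(LONG_GLITCH),
        "slow_overvolt": core.interrupt(SLOW_OVERVOLT),
        "power_cut": io.interrupt(POWER_CUT),
    }


if __name__ == "__main__":
    print(run_all())
```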

5) EXTERNAL INTRUSION DETECTION SENSOR
This sensor is a means of responding to external intrusion attacks. It can actively respond to physical attacks on the chip because a specific pattern is connected to the top metal layer of the chip. The active shield of the chip has four sensor points through which damage to the shield metal is detected.

C. PHYSICAL UNCLONABLE FUNCTION DESIGN
The study of attack technologies against cryptographic systems serves to protect existing technologies by preventing such attacks. The safety of a cryptographic system is determined by how securely the key information for operating the cryptographic algorithm is managed. For secure management of the encryption key, current cryptographic systems either store the key in a volatile memory and delete the key information when an attack is detected, or store the key information in a non-volatile memory inside a crypto chip that is more difficult to attack. The former method has the disadvantages of higher system complexity, higher cost, and operational management such as battery replacement, because an external battery and attack detection circuits must be added. The latter method cannot guarantee the safety of the stored key without a separate attack prevention technology against reverse analysis, owing to the advances in IC chip reverse analysis technology. Fig. 2 shows the secure communication process between secure IoT node A and normal IoT node B. For secure communication, nodes A and B use secret keys K_a and K_b, respectively. Node A generates a random number, nonce r, and sends it to node B; node B encrypts its secret key K_b and a new random number (nonce t) using the nonce r received from node A, and sends the ciphertext and nonce t to node A. Node A decrypts the received ciphertext with nonce r, encrypts K_a and K_b with the received nonce t, and transmits the resulting ciphertext to node B. Node B decrypts with nonce t and loads the session key into memory, and node A securely stores the session key using the SRAM PUF of the SecSoC at PUF address A.
In this secure communication process between IoT devices, the nonces r and t are generated and used once to generate a 256-bit session key. Even if the attacker knows both r and t, the values of the secure keys K_a and K_b remain unknown. In addition, K_a and K_b cannot be obtained from the ciphertexts because the attacker does not know the operating mode of the block algorithm. Therefore, the secure IoT node is safe against man-in-the-middle (MITM) attacks. The PUF can be used as an anti-attack and copy-protection technology. It is a physical structure installed in an IC chip that makes use of the uncontrollable and inevitable variations produced in the physical characteristics of chips during the manufacturing process. Such variations include differences in signal delays and in the initial values of static memory cells caused by subtle differences in the length of the metal wires inside the chip. Each chip contains different signal delays or initial memory cell values; these can be used to identify specific chips, much as fingerprints identify different individuals.
The secure key storage and management structure that uses the PUF is based on the following assumptions: the key is combined with a bit string using the exclusive OR (XOR) operation, resulting in a value called H, and the bit string has the same length as the key and sufficient entropy, which the attacker should never know. Even if H is given to the attackers, they cannot obtain the key unless they know the bit string. In other words, as long as the bit string is not exposed to attackers, the key remains secure even if H is stored in a non-volatile memory that can be attacked.
A bit string with sufficient entropy can be produced using the PUF. It is assumed that attackers can never learn this bit string. The bit string is combined with the key using the XOR operation, and the resulting H is stored in non-volatile memory. When the key is needed, the original key can be recovered by generating the same bit string from the PUF and XORing it with the stored H. The same bit string can be obtained from the PUF by applying an error correction code, and a secure key storage and management structure can be designed using the PUF according to the assumptions stated above, as long as the attackers do not know the PUF output. The SRAM PUF is a memory-based PUF construction that uses the intrinsic random start-up values of cells to create challenge-response pairs [59]. The SRAM PUF implemented in this study receives a memory address as the challenge and outputs the data at that address as the response. The SRAM PUF is considered reliable when the output for the same input value does not change, even after the power is switched off and on. The SRAM PUF implemented in this study has an error rate of approximately 5.5%; however, the SRAM cells can be scanned at start-up and classified so that only reliable cells are used for the PUF. The positions of the reliable cells are then registered and used in the PUF. Tests for 0 and 1 output bits are performed nine times each. If the error exceeds the threshold set by a programmable register, the cell is classified as erroneous; if the same result is obtained at or above the threshold set by another programmable register, the cell is classified as reliable. Through this process, the bit error rate of approximately 5.5% converges to 0%. Fig. 3 (a) shows the implemented SecSoC layout, and Fig. 3 (b) shows an image of the evaluation board. The SecSoC was implemented using a TSMC 65 nm process.
The core size was 3600 × 250 µm, the embedded running memory was 256 kB, the external interface was USB 2.0, and 8 kB was allocated to the SRAM PUF. The challenge size was 2^11 and the response size was 2^32. The evaluation board was fabricated to test the chip through its external interfaces (USB 2.0, SD memory interface, and UART). USB 2.0 is the main data interface: the functions and performance of the chip are measured by connecting a PC to the evaluation board, and they can also be measured by connecting the SD memory interface to a smart device. In addition, the status of the chip can be monitored through the UART. The test is performed by connecting the PC to the evaluation board via USB and checking the reactions of the chip to various test environments in the data I/O state through the UART output. The test environment conditions concern temperature, light, voltage, frequency, and power waveforms.
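The key-hiding scheme of the preceding paragraphs (H = key XOR PUF bit string, with only H written to non-volatile memory) and the pre-scan that keeps only reliable SRAM cells can be modelled in software. The following Python is an added illustration and not the paper's code: the simulated SRAM, its constructed cell behaviour, the 5.5% unstable-cell fraction, the nine-read scan with an "all reads agree" threshold, and the dictionary standing in for the NVM are all assumptions made for the example.

```python
"""Added illustration, not the paper's code: PUF-based key hiding (H = key XOR
PUF bit string, only H goes to non-volatile memory) combined with a pre-scan
that keeps only SRAM cells whose start-up value never changes.  The SRAM is a
software model with constructed cell behaviour; the 5.5% unstable fraction,
the nine-read scan and the dict standing in for the NVM are assumptions."""
import random
from typing import Dict, List, Tuple


class SimulatedSram:
    """Models the power-up contents of an SRAM array.  Each cell carries a
    constructed schedule of start-up values that repeats every power cycle:
    a stable cell has a one-entry schedule, an unstable one mixes 0s and 1s."""

    def __init__(self, schedules: List[Tuple[int, ...]]):
        self.schedules = schedules
        self.power_cycles = 0

    def power_up(self) -> List[int]:
        """Return the start-up value of every cell for this power cycle."""
        bits = [s[self.power_cycles % len(s)] for s in self.schedules]
        self.power_cycles += 1
        return bits


def make_constructed_sram(n_cells: int, rng: random.Random,
                          unstable_fraction: float = 0.055,
                          period: int = 9) -> SimulatedSram:
    """Constructed chip: about 5.5% of cells are unstable (the raw error rate
    the text reports).  An unstable cell shows both 0 and 1 within `period`
    power cycles, so a pre-scan of `period` reads is guaranteed to catch it."""
    schedules = []
    for _ in range(n_cells):
        if rng.random() < unstable_fraction:
            sched = [rng.randrange(2) for _ in range(period)]
            i, j = rng.sample(range(period), 2)
            sched[i], sched[j] = 0, 1          # force both values to appear
            schedules.append(tuple(sched))
        else:
            schedules.append((rng.randrange(2),))
    return SimulatedSram(schedules)


def pre_scan(sram: SimulatedSram, scans: int = 9) -> Tuple[List[int], List[int]]:
    """Power up `scans` times and keep only cells whose start-up value never
    changed.  Returns (indices of reliable cells, their reference bits).  The
    chip uses a programmable threshold; here the threshold is 'all reads agree'."""
    reference = sram.power_up()
    stable = [True] * len(reference)
    for _ in range(scans - 1):
        for idx, bit in enumerate(sram.power_up()):
            if bit != reference[idx]:
                stable[idx] = False
    reliable = [idx for idx, ok in enumerate(stable) if ok]
    return reliable, [reference[idx] for idx in reliable]


def bit_error_rate(sram: SimulatedSram, cells: List[int],
                   reference: List[int], reads: int = 9) -> float:
    """Fraction of (cell, read) pairs whose start-up value differs from the
    reference bits; the text's ~5.5% is this figure before pre-scanning."""
    errors = 0
    for _ in range(reads):
        startup = sram.power_up()
        errors += sum(startup[c] != reference[k] for k, c in enumerate(cells))
    return errors / (reads * len(cells))


def _bits_to_bytes(bits: List[int]) -> bytes:
    return int("".join(map(str, bits)), 2).to_bytes(len(bits) // 8, "big")


def enroll(key: bytes, sram: SimulatedSram, reliable: List[int]) -> Dict:
    """Enrollment: read the PUF response from the first 8*len(key) reliable
    cells and store H = key XOR response (plus the cell positions) in the NVM.
    The key itself is never written to the NVM."""
    cells = reliable[: 8 * len(key)]
    if len(cells) < 8 * len(key):
        raise ValueError("not enough reliable cells for this key length")
    startup = sram.power_up()
    response = _bits_to_bytes([startup[c] for c in cells])
    helper = bytes(k ^ r for k, r in zip(key, response))
    return {"cells": cells, "H": helper}     # constructed NVM contents


def reconstruct(nvm: Dict, sram: SimulatedSram) -> bytes:
    """Key use: regenerate the same PUF bits and XOR them with the stored H."""
    startup = sram.power_up()
    response = _bits_to_bytes([startup[c] for c in nvm["cells"]])
    return bytes(h ^ r for h, r in zip(nvm["H"], response))


if __name__ == "__main__":
    rng = random.Random(2022)
    chip = make_constructed_sram(8 * 1024 * 8, rng)     # 8 kB of PUF cells, as in the text
    raw_ref = chip.power_up()
    print("raw BER  :", bit_error_rate(chip, list(range(len(raw_ref))), raw_ref))
    good, ref = pre_scan(chip)
    print("reliable :", len(good), "of", len(raw_ref), "cells; BER", bit_error_rate(chip, good, ref))
    nvm = enroll(bytes(range(32)), chip, good)
    print("recovered:", reconstruct(nvm, chip) == bytes(range(32)))
```

The point the model makes visible is that nothing secret is stored: `nvm` holds only H and cell positions, and the key exists only transiently after `reconstruct` regenerates the PUF bits. The pre-scan is what makes the XOR unwrap exact; without it, any cell that flips between enrollment and use corrupts the corresponding key bit, which is the reliability problem the text addresses.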

A. POWER CONSUMPTION AND PERFORMANCE
To measure the power consumed by the chip, the currents drawn from the 3.3 V IO supply, which is the chip's input power, and from the 1.2 V core supply were measured with a multimeter placed in series with each. The power consumed by the chip was calculated as the sum of the products of each voltage and its measured current. Fig. 4 (a) shows the power consumption measured in standby while varying the operating frequency, together with the power consumption during maximum operation. The reduction in power consumption induced by lowering the clock frequency was observed. In standby at the maximum operating frequency, the power consumption was 74.16 mW, and the power consumption measured during maximum operation was 95.8 mW, thus satisfying the 500 mW requirement. Fig. 4 (b) shows the measured data processing speed of the AES block cipher circuit when sending 256 kB of data.

B. DEFENSE FUNCTIONS AND PERFORMANCE TEST

1) EXTERNAL INTRUSION SENSOR
The occurrence of an attack detection interrupt in the CPU was verified by removing the top metal layer, which was used as an active shield. This can be achieved by utilizing a focused ion beam after physically removing the chip package.

2) LIGHT SENSOR
The occurrence of an attack detection interrupt in the CPU was verified by physically removing the chip package and intentionally injecting light from a light-emitting diode (LED) source. The minimum intensity for light detection, based on the sensitivity of the light sensor, was verified. In addition, the possibility of attack detection when 5 mW of light was injected was tested using a laser pointer. For this light attack, the fault injection attack standard in [56] was used. The same experiment was repeated with 100 mW of light; for that light attack, the fault injection attack standard in [57] was used.

3) TEMPERATURE SENSOR
Temperature detection by the temperature sensor was verified by changing the temperature externally using a chamber. The temperature detected by the sensor was read out over the UART or Joint Test Action Group (JTAG) interface connected to the host PC. The temperature was then lowered below room temperature in the chamber, and detection by the temperature sensor was verified in an environment wherein a temperature attack occurred at −20 °C [58]. The temperature value detected by the sensor was read out over the UART connected to the PC. Furthermore, detection by the temperature sensor at 80 °C was verified by raising the temperature above room temperature in the chamber; the detected temperature was again verified over the UART connected to the host PC. Fig. 4 (c) shows the experimental results describing the occurrence of a CPU interrupt at the set trigger position as the temperature was varied between −20 and 100 °C. Here, SC is the abbreviation for sample chip, and SC1, SC2, and SC3 denote sample chips no. 1, 2, and 3, respectively.

4) OVERVOLTAGE SENSOR
The operation of the overvoltage sensor was examined while changing the voltage using the control pin of the chip through the power supplier. The variations in the voltage were verified using the UART or JTAG on the host PC.

5) FREQUENCY SENSOR
To carry out the functional test of the frequency sensor, which detects frequency inputs other than the allowed frequency, the crystal (or oscillator) connecting the test board to the chip was removed and the clock signal was fed to the chip directly from a function generator. We then checked whether frequencies other than the permitted ones were detected while changing the frequency of the function generator. When the frequency was varied, it was difficult to check the error messages through the UART. Thus, the interrupt signal was routed to a GPIO pin and checked using an oscilloscope. Table 4 summarizes the test items and requirements for the defense functions and performance test.

C. EVALUATION OF PUF CHARACTERISTICS
The performance of the PUF was evaluated on the basis of randomness and reliability. Randomness refers to the degree of difference among the PUF values of chips produced identically; these values need to be unpredictable. Specifically, randomness includes unpredictability, indicating how random the output bits 0 and 1 are within the same chip, and uniqueness, indicating how different the output bits of two different chips are. Reliability refers to how consistently each implemented chip reproduces its own PUF value. This is important because PUF values, which rely on fine physical process deviations, can change with external environmental characteristics such as time and temperature. The unpredictability, uniqueness, and reliability of the SRAM PUF were verified by examining all the chips of the SRAM PUF. Table 5 lists the PUF evaluation criteria and results.
To use the PUF for IoT security, each device needs to have a different PUF value even though all devices share the same design layout (uniqueness). The PUF values need to be difficult to predict (unpredictability), have few errors, and be highly reliable (reliability). Fig. 5 shows the test results for the reliability, uniqueness, and unpredictability security requirements. Fig. 5 (a) shows that the Hamming weight inside the PUF is 50%. This indicates that the 0 and 1 output bits appeared evenly. Fig. 5 (b) shows the measured inter-chip and intra-chip Hamming distances. The Hamming distance quantifies how different two bit strings are. The inter-chip Hamming distance is calculated by counting the number of differing bits between the bit strings generated by two chips and dividing it by the total number of bits. The intra-chip Hamming distance is the average value calculated over the bit strings repeatedly generated by the same chip. In this graph, the difference between the inter-chip and intra-chip Hamming distances denotes the available entropy range. An ideal Hamming distance, namely the 0% intra-chip and 50% inter-chip values seen in Fig. 5 (b), can be achieved. Fig. 5 (c) shows a graph of the minimum entropy inside the PUF. The experimental results indicated that when all the challenges were executed, the PUF responses were random and uniform. Fig. 5 (d) shows a graph of the measured internal error rate of approximately 5.5% after the power was switched off for 1 ms. The reliability problem resulting from this error rate was solved by applying a pre-scan to the SRAM PUF implemented in this study. In the start-up initialization process, the SRAM cells are pre-scanned three times. If the resulting values change, the cell is classified as an error cell and is not used.
The conventional method of improving the error rate using an error correction code increases the resource overhead and latency, thus creating vulnerabilities in the security of the chip. We ensured reliability while reducing complexity and latency by using the pre-scan technique instead of an error correction code. The pre-scan process does not cause performance degradation because it is performed only once, during initialization, and the positions of the error cells are stored in the NVM so that they are not used in PUF operation. Consequently, it was experimentally confirmed that the ideal Hamming distances of 0% intra-chip and 50% inter-chip in Fig. 5 (b) could be achieved and that the error rate in Fig. 5 (d) was 0% when the pre-scan method was used.
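The four metrics this evaluation relies on (Hamming weight, inter-chip Hamming distance, intra-chip Hamming distance, and per-bit min-entropy) are computed by the following added Python code, which is not the paper's own measurement tooling. The three 16-bit sample chips and their repeated readouts are constructed for the demonstration and only borrow the SC1..SC3 naming from the text; they are not measured data.

```python
"""Added illustration, not the paper's code: the PUF quality metrics used in
the evaluation (Hamming weight, inter-chip and intra-chip Hamming distance,
per-bit min-entropy) computed over constructed sample responses.  The sample
chips and their readouts below are made up for the demonstration."""
import math
from itertools import combinations
from typing import Dict, List

Bits = List[int]


def hamming_weight_fraction(bits: Bits) -> float:
    """Share of 1s in a response; 50% means 0 and 1 appear evenly (Fig. 5 (a))."""
    return sum(bits) / len(bits)


def hamming_distance_fraction(a: Bits, b: Bits) -> float:
    """Number of differing positions divided by the total number of bits."""
    if len(a) != len(b):
        raise ValueError("responses must have equal length")
    return sum(x != y for x, y in zip(a, b)) / len(a)


def inter_chip_hd(responses: Dict[str, Bits]) -> float:
    """Uniqueness: mean fractional Hamming distance over all chip pairs; 50% is ideal."""
    pairs = list(combinations(responses.values(), 2))
    return sum(hamming_distance_fraction(a, b) for a, b in pairs) / len(pairs)


def intra_chip_hd(readouts: Dict[str, List[Bits]]) -> float:
    """Reliability: for each chip, mean distance of its repeated readouts from
    its first (reference) readout, then averaged over chips; 0% is ideal."""
    per_chip = []
    for reads in readouts.values():
        ref, rest = reads[0], reads[1:]
        per_chip.append(sum(hamming_distance_fraction(ref, r) for r in rest) / len(rest))
    return sum(per_chip) / len(per_chip)


def min_entropy_per_bit(responses: Dict[str, Bits]) -> float:
    """Unpredictability: for each bit position, -log2 of the probability of
    the most likely value across chips, averaged over positions; 1.0 is ideal."""
    chips = list(responses.values())
    n_bits = len(chips[0])
    total = 0.0
    for pos in range(n_bits):
        p1 = sum(c[pos] for c in chips) / len(chips)
        total += -math.log2(max(p1, 1.0 - p1))
    return total / n_bits


def constructed_samples() -> Dict[str, List[Bits]]:
    """Three constructed sample chips with three power-ups each.  The second
    readout of every chip has one flipped bit to give a non-zero intra-chip
    distance; the hex patterns are invented, not measurements."""
    hexes = {"SC1": "3c5a", "SC2": "c3a5", "SC3": "5a3c"}   # 16-bit responses
    readouts = {}
    for name, h in hexes.items():
        ref = [int(b) for b in format(int(h, 16), "016b")]
        noisy = ref.copy()
        noisy[3] ^= 1
        readouts[name] = [ref, noisy, ref.copy()]
    return readouts


if __name__ == "__main__":
    samples = constructed_samples()
    first_reads = {name: reads[0] for name, reads in samples.items()}
    for name, bits in first_reads.items():
        print(f"{name} Hamming weight : {hamming_weight_fraction(bits):.3f}")
    print(f"inter-chip HD       : {inter_chip_hd(first_reads):.3f}")
    print(f"intra-chip HD       : {intra_chip_hd(samples):.4f}")
    print(f"min-entropy per bit : {min_entropy_per_bit(first_reads):.3f}")
```

On the constructed data the inter-chip distance is 2/3 because SC1 and SC2 are bitwise complements; with real chips one expects it to settle near 50%, and the gap between it and the intra-chip distance is the usable margin the text calls the entropy range.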
According to the evaluation results, the SecSoC successfully met the design requirements. First, it is very difficult to attack the PUF using reverse engineering. Therefore, it can be assumed that the probability of reading the PUF value is very low. Second, the PUF does not need to generate secret data (e.g., an encryption key) outside the chip; such data can be handled within the secure environment inside the chip. The confidential data are generated directly inside the chip by the PUF. Moreover, the data do not need to be stored in the NVM. The private key is not exposed outside the chip because the public key encryption method is used. Table 6 compares the results of this study with the characteristics of commercial chips. For comparison, STMicroelectronics chips, which are the most commonly used smart card ICs, and TPM chips from Infineon were selected. Sensors on smart card ICs only provide environmental monitoring and protection against faults; attack detection is not possible, and the PUF is not supported. Since smart card ICs need to store the master key as plain text in the non-volatile memory inside the chip, the master key can be exposed through a reverse engineering attack. Smart card ICs are mainly used for USIMs or credit cards because of the low speed of their IO interface. The TPM chip implements only cryptographic algorithms; therefore, it can only be used within systems equipped with defense circuits against external attacks. In contrast, the SecSoC proposed in this study includes attack defense circuits, a PUF, and a high-speed interface. Thus, it can support high-performance cryptographic services for a wide range of IoT applications. Conventional smart card ICs and TPMs have encryption throughputs of 1 Mbps and 400 kbps, respectively, making them unsuitable for high-performance IoT applications such as the encryption or decryption of IoT video surveillance streams.
Compared to the safest smart card IC to date, a high-performance, highly reliable encryption chip with excellent encryption performance and security against external attacks has been designed.

V. CONCLUSION AND FURTHER WORK
This study proposes an SoC design method that integrates the cryptographic module used in IoT, the defense logic used against external attacks for hardware security, and the PUF used to hide secret data in a chip. The SecSoC includes an active shield, light sensor, overvoltage sensor, temperature sensor, and frequency sensor to protect the chip from the external environment, as well as the PUF to hide secret data. Since a single chip contains all the circuits for responding to external attacks, it is possible to respond to various attack conditions with only one chip. Since the SRAM PUF is a strong PUF in which the number of challenge-response pairs grows in proportion to the memory size, the chip is also designed to detect external attacks using sensors so that the key value determined by the PUF cannot be tampered with by outside users. In addition, cryptographic and high-speed IO interfaces are used to provide high-speed encryption/decryption performance. The experimental results proved that the SecSoC designed and implemented in this study is a low-power, high-performance crypto chip that is secure against external attacks and is physically unclonable. This chip also ensured a maximum data transfer speed of 110 Mbps and consumed 95.8 mW when the maximum operating frequency was used. The evaluation of the performance and security of the proposed SecSoC confirmed that it is superior to the existing smart card IC and TPM chip in terms of the implemented SRAM PUF, its response to external attacks, and its cryptographic performance. Since the types, specific standards, and operation methods of the security core functions of smart IoT are not open, there is a limit to secure cryptographic chip design, and the proposed cryptographic chip is expected to contribute significantly to overcoming this problem.
In future work, the performance and security of the SoC will be tested in a real testbed environment for the IoT environment, in which the SoC implemented in this study will be installed.