A Brief Tutorial on Mixed Signal Approaches to Combat Electronic Counterfeiting

As integrated circuit (IC) designs become more and more complex, the globalization of the IC supply chain has become inevitable. Because multiple entities are required to design, fabricate, test, and distribute an IC, the need for reliable security and assurance methods to maintain trust throughout the entire supply chain has never been more critical. This tutorial introduces a variety of mixed-signal approaches to combat electronic counterfeiting. An LDO-based odometer capable of accurately classifying ICs as new or aged is presented as a promising method for detecting counterfeit and recycled ICs. Additionally, this tutorial discusses the use of physical unclonable functions (PUFs) as primitives for generating cryptographic keys for digital signatures, encryption, or authentication. The design process of all PUFs is introduced and the key characteristics and evaluation metrics of state-of-the-art PUFs are defined. Finally, to promote digital IP protection, several methods for camouflaged digital gates are presented and analyzed. The threshold voltage defined (TVD) logic families discussed are capable of implementing any N-to-1 logic function and are highly resilient to reverse engineering attacks.


I. INTRODUCTION
F OR SEVERAL decades now, as electronic systems have become more interconnected and integrated circuits (ICs) have become increasingly complex, the semiconductor industry has readily moved towards globalization in order to maintain consistent progress with reasonable overhead. Especially with the advancement of the Internet of Things (IoT) era, it is unfeasible for a single company to oversee every step of the IC supply chain. It has become more profitable and efficient for companies to specialize within a single step, whether it is IP/IC design, system integration, fabrication, or distribution, and rely on other companies to fulfill the remaining steps. Although this promotes consistent advancement and affordability of cutting-edge technologies, the necessity for hardware security is now more critical than ever before. Electronic counterfeiting has been an ever-increasing problem in the semiconductor industry. The counterfeit chip market size is staggering and believed to impact more than $169 billion of electronic devices annually [1], but the financial impact is only one result of electronic counterfeiting. Counterfeit parts do not undergo the strict verification and testing process that authentic parts do. Hence, these defective and unverified parts can compromise the security and reliability of entire electronic systems [2]. Other concerns associated with electronic counterfeiting include public safety and national security infrastructures, unfair competition and loss of reputation, financing for terrorist groups and organized crime, and several other economic factors such as lost tax revenue and job creation/retainment.
As hardware security methods continue to develop and mature, the rate of electronic counterfeit components shows This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/ VOLUME 4, 2023 99 no sign of slowing down. In 2012, [1] found that counterfeit parts reported had quadrupled since 2009 and [3] reported that an incident with a counterfeit part occurred every 15 seconds. Unfortunately, with the onset of the pandemic-induced chip shortage [4], [5], counterfeit electronic components have only become more prevalent. When components are not readily available consumers are willing to pay more, creating an opportune situation for counterfeiters. As technology continues to advance, counterfeit ICs are becoming more sophisticated and thus, harder to detect. Additionally, there are many different types of electronic counterfeiting such as cloning, recycling, and rebranding [6]. In order to effectively combat electronic counterfeiting and maintain trust throughout the IC supply chain, anticounterfeiting techniques must be reliable throughout the entire IC life cycle and robust enough to detect all types of counterfeiting. An astounding number of counterfeit prevention and detection techniques have been proposed in the pursuit of minimizing power consumption, design overhead, and silicon area without sacrificing robustness or reliability.
To the best of the authors' knowledge at the time of publication, the current literature regarding tutorials or surveys on electronic counterfeit detection either focuses mostly on categorizing counterfeit detection methods or presents general counterfeit detection methods that are not up to date. To bridge the current gap in information, this tutorial introduces and explores a variety of state-of-the-art mixed-signal approaches to combat counterfeiting that have proved to be exceptionally effective. Due to the staggering number and diversity of anti-counterfeiting techniques today, it is not possible to sufficiently cover every emerging technique in this paper alone. Instead, this tutorial focuses on three promising and unique anti-counterfeiting techniques. In Section II, techniques for counterfeit chip detection are discussed and the progressive design of an LDO-based odometer for classifying an IC's age is analyzed. Section III presents the uses of physical unclonable functions (PUFs) to generate cryptographic keys used for digital signatures, authentication, and encryption. This section also details the PUF design steps and defines useful PUF characteristics and evaluation metrics. Section IV introduces camouflaged digital gates that can be used for logic obfuscation to combat counterfeiting through reverse engineering. Two types of threshold voltage defined (TVD) families are analyzed in this section. Finally, this work is concluded in Section V.

II. LDO-BASED ODOMETER A. COUNTERFEIT COMPONENTS: RECYCLED AND REMARKED ICS
Counterfeit chips are best described as unlicensed copies which do not meet design and functionality standards, are defective or used, and/or are distributed in violation of intellectual property (IP) laws [7]. Within the semiconductor manufacturing domain, the taxonomy of counterfeit methods is broken into 7 different types [8]: recycled, remarked, overproduced, out-of-spec/defective, cloned, forged documentation, and tampered. Among them, remarked and recycled parts reportedly occupy the lion's share of the global counterfeit chip market. Recycling alone accounted for 80% in 2010 [9]. Thus, the following subsections will focus on several effective methods for detecting remarked and recycled chips.
A recycled component in the semiconductor market would make several stopovers before reaching the end of its shelf life. By the time it is integrated with a new system, the effects of aging and usage are almost always apparent functionally. Physically, the recycling process takes the old chip from a discarded system and re-inserts it into the supply chain as a new chip. The typical pipeline is shown in Figure 1.
Proper disposal of electronic waste is a global issue that has created avenues for the emergence of first-stage recycling centers. After the chips are extracted and cleaned, remarking allows them to enter the market as new components. Remarking involves changing the specification of a recycled or new component by changing its markings.
Apart from remarking recycled components, new components can be remarked to change their designation. Consumer-grade ICs can be remarked for use in automobiles, which may compromise the safety of drivers, passengers, and pedestrians. One instance of particular interest is a suspected remarking incident that provided Intel microprocessor chips to undercover agents as military-grade for use in helicopters [10]. As mentioned in Section II-A, both counterfeit techniques can compromise national security installations if they are deployed in critical systems.

B. COUNTERFEIT CHIP DETECTION
General counterfeit detection initially involved the use of electrical tests and physical inspection. Electrical tests mainly compare functional and parametric benchmark values from an original device to a unit-under-test (UUT), while physical inspection uses various advanced imaging methods to compare the UUT's physical features to an original chip [11], [12], [13]. Apart from the manual requirements of the two techniques described, they both require substantial investment in equipment and facilities. The emergence of physical unclonable functions (PUFs) and combat die and IC recycling (CDIR) sensors has allowed ICs to be authenticated in the supply chain. PUFs, which are the focus of Section III in this paper, create unique identification functions for chips that can be verified when required [14]. CDIR is both odometer-based and sensor-based using frequency differences from paired ring oscillators (ROs); one is used under normal operation, and the other serves as a standing [15]. RO frequency degrades with aging because the transistors in the RO get slower with time and usage. Both hardware security primitives are only suitable for digital ICs, especially because they require additional logic and input/output (I/O) pins, which are limited in analog/mixed-signal (AMS) ICs. Hence, an effective method needs to be developed to deal with recycled and remarked AMS ICs. For a more thorough review of digital designfor-anti-counterfeit (DfAC) circuits and their limitations in AMS chips, we refer the reader to Alam et al. [16].
One of the more recent electrical test methods for specifically detecting recycled AMS ICs estimates the age of an analog IC using statistical methods. It relies on an accurate simulation model of the entire design and is susceptible to process, power supply, and environmental variations [17]. Applying the concept of built-in assessment mechanisms as used in digital ICs, researchers have looked at using linear dropout regulators (LDOs) in analog designs.

C. LINEAR DROPOUT REGULATORS
The LDO is a direct current (DC) linear regulator used to maintain a regular output voltage in an IC powered by a high-voltage input [18]. Small electronic devices and microprocessors, which have become common in daily life, employ LDOs to manage voltage and power supplies. The main parts of an LDO as shown in Figure 2 are: • Feedback loop with an error amplifier (EA) • Pass transistor (PT) • Resistor divider The PT operates as a variable resistor; it is controlled by the output of the EA, which in turn is controlled by the resistor divider output. The output voltage, V OUT , is scaled down by the resistor divider, R 1 and R 2 , to generate the voltage FB. The EA then compares FB with a fixed voltage reference (V REF ), which is usually supplied externally. As mentioned above, the output of the EA controls the gate voltage of the PT to regulate the overall voltage output. For example, if the FB is smaller than V REF , the gate voltage of PT is increased, raising the current flowing through the PT, thus increasing V OUT . The dropout voltage is vital to the operation of an LDO; it is the input-to-output differential voltage below which the LDO cannot provide a stable voltage. In other words, the dropout voltage for an LDO is the drain-to-source voltage that appears across the PT. Any input below the dropout voltage will affect the stability of the output supply.
It is also important to note that LDOs have low area overhead, low output noise, and offer stability with varying loads [18]. Although in Figure 2 the PT is a PMOS transistor, a variety of pass devices can be used, including NPN and PNP bipolar transistors.

D. POWER SUPPLY REJECTION RATIO
The power supply rejection ratio (PSRR) is used to assess the performance of an LDO by measuring its ability to limit the variations of the input power supply at its output. Apart from the power supply, the variations may be generated from other circuit parts connected to the same supply [19]. PSRR may be measured at various frequencies for a single operational amplifier. It is usually expressed in decibels, or dB, as seen in (1).
where v OUT and v IN are the magnitudes of the voltage ripples at the output and input, respectively [20]. The PSRR in (1) generally becomes less negative (degrades) as the ripple frequency of the input signal increases. In order to stabilize the operation of an LDO, its output is often connected to an external capacitor (C OUT in Figure 2). This allows the user to easily set the C OUT value to meet the required PSRR specifications for a particular application.

E. LDO AGING AND PSRR DEGRADATION
As any IC is used over time, the devices within that IC experience a slight degradation in performance. The relationship between chip aging and device degradation is the foundation for the counterfeit detection techniques described in this subsection. As mentioned previously, LDOs are a critical component in most electronic systems and are almost always active. Therefore, if a relationship can be defined between the IC aging process and an LDO's performance, it would be possible to determine the actual age of nearly any electronic system. This information could then be compared to the system's expected age and performance to effectively detect counterfeit ICs.
A previous work involving LDO-based aging, [21], characterizes the hot carrier injection (HCI) aging effect on different performance metrics of a basic LDO to improve yield. Building upon this, [22] focuses exclusively on the degradation of LDO PSRR due to aging in order to aid in counterfeit detection. Because the PSRR is a direct measure of an LDO's ability to reject noise present at v IN , the performance of the transistors between v IN and v OUT is critical. The PT separates these two voltages and is often very large in size compared to other transistors in the design. Thus, any aging effects on the PT will directly affect the PSRR. Additionally, the gain bandwidth of the EA directly affects PSRR and aging can be distinctly detected in the decreased bandwidth of the PSRR curve [22].
A typical PSRR curve for an LDO is shown in Figure 3. The curve can be broken into two regions, the low-and highfrequency regions, separated by the unity gain bandwidth frequency, ω REG , where the DC loop gain becomes one. The PSRR curve in the low-frequency region is mainly defined by the DC loop gain, which consists of the individual gains of the EA, PT, and resistor divider. The DC loop gain has little effect on the PSRR curve in the high-frequency region. Instead, this region is dominated by the parasitics between the LDO input and output, C OUT , the gate and drain of PT, and the PCB. Therefore, a single PSRR response curve can be used to identify the aging degradation in transistors and parasitics in LDOs separately.
Reference [23] provides examples of the degradation of capacitances due to electrical stress over time, while [22] presents analysis and experimental results detailing the aging effect due to DC stress on PSRR and the PT I-V curve in a typical LDO. The experiments were performed on four LDO chips fabricated in 65nm technology. DC stress involves placing the LDOs under a thermostream at 105 • C while operating with a load current of 1mA and maintaining 1V at its output. The supply voltage (v IN ) used is 10% above the standard 1.2V (1.32 V) while V REF applied at EA is set to 0.6V. Using temperature and voltage acceleration results from [24], five days of real-time aging can be produced in only six hours. Figure 3 shows the results of DC stress on PSRR degradation with 4 and 6 hours of exposure. With 4 hours of DC stress, the DC PSRR of the LDOs degrades by approximately 1 dB, while 6 hours of aging increases degradation by 1.6 dB. The degradation is due to changes in threshold voltage, drain-to-source resistance, and transconductance of both the EA and PT, which in turn reduces the loop gain. The outcome of this experiment is a critical foundation for LDO-based odometers in AMS ICs.

1) LDO PSRR DEGRADATION FOR STAND-ALONE RECYCLED DETECTION
Chowdhury et al. combine LDO PSRR degradation with machine learning (ML) to detect recycled AMS ICs [25]. The input features available to the authors are PSRRs from new and aged LDOs from multiple vendors. The ML models are used by the framework to classify recycled and new LDOs. For supervised learning, they train and test on samples from the same vendor. This is done using the K-nearest neighbors (KNN) algorithm, which uses distances between similar data points to assign groupings. No labels are used for unsupervised learning, which is implemented using k-means clustering. K-means partitions data points into separate clusters using mean-based similarities. Semi-supervised learning is also applied using training samples from only one of the four vendors and is tested on another. The proposed technique and experiments rely on the accessibility of the LDO output pin and artificial aging of the LDOs. The latter is due to the unavailability of recycled chips among the commercial off-the-shelf chips used [25].
Results show that the supervised method yields an average accuracy of 97% on test data, but requires both new and aged LDOs from each vendor. The semi-supervised technique mitigates this by using information from one vendor and testing on different vendors, albeit with a reduced classification accuracy (minimum average accuracy of 69.27%). Finally, the availability of a golden LDO from a vendor allows classification using the unsupervised method. The artificial aging process (alternative case described above) improves the age prediction accuracy to as much as 86.19%.

2) LDO PSRR DEGRADATION FOR RECYCLED SOC DETECTION
A system-on-chip (SoC) has multiple blocks with different supply voltage requirements. For AMS blocks, power supply noise needs to be suppressed; this is executed by the ripple-free and noise-regulating LDOs. Building off the stand-alone detection mechanism in the previous subsection, Chowdhury et al. propose an application for a complete SoC [26]. It involves the analysis of the LDO connected to the power distribution network (PDN). However, the LDO must have output capacitors. Most LDOs have an output pin coupled to an external capacitor to stabilize the LDO loop. For ones without the capacitor, advanced reverse engineering techniques are required. Hence, the authors assume the presence of the external capacitor during experimentation. The method also leverages supervised and unsupervised Gaussian mixture models. The main steps outlined by the authors are as follows: i. Identification of a viable SoC for the proposed method: An ideal candidate must have LDOs for power regulation with output capacitors. ii. Reverse engineering the output pin of LDOs: The output pin with a functioning output capacitor must be identified by the user.

iii. PSRR measurement of sample LDOs in suspect SoC:
A small noise signal is coupled to the voltage supply pin while recording the corresponding power spectrum at the LDO's output pin. The PSRR is simply calculated by subtracting the input noise spectrum from the output power spectrum. The sample PSRR readings from suspect SoCs containing LDOs are used as input to the ML tool for automated detection. iv. Identification of suitable ML tools: Like the standalone version, this process relies on supervised, unsupervised, and semi-supervised learning (see Figure 4). However, supervised ML uses golden data from PSRR readings of original new and aged samples. Semisupervised ML is reported to detect recycled SoCs even without golden data from a specific manufacturer. It is even able to use data from standalone LDOs for training. Unsupervised ML presents a significant drop-off in accuracy but can be used in the absence of labels. v. Identification of suitable ML algorithms to develop ML tools: The authors highlight the family of Gaussian mixture models (GMMs) to develop the ML tools that are used to detect recycled SoCs. The supervised ML method yields a maximum accuracy of 90% for new SoCs, and 83% for aged ones. The semi-supervised version yields an average accuracy of 96% for the first case involving new and old samples of standalone LDOs of one vendor at a time. The second case supplements the first case by applying the synthetic aging technique used in the standalone technique. This improves the average accuracy to 98%. The worst performer is the unsupervised method; although it does not require labels, the use of golden data only provides a classification accuracy of 90%.

3) LDO-BASED ODOMETER TO COMBAT IC RECYCLING
Another set of authors utilized the LDO embedded in an SoC by modifying its design to still measure PSRR degradation [27]. The concept by Acharya et al. uses a designed odometer to classify a new or aged chip. The odometer measures the changes in performance parameters between a reference PT and a used one. Its design is more aligned with the CDIR odometer used in [27]. A PMOS PT is used with two main feedback paths, as seen in Figure 5. This is different from the normal LDO shown in Figure 2. The four switches (SW1, SW2, SW3, and SW4) are used to switch between the paths and are connected to the gate and drain of both PTs. The odometer has two main modes, normal operation and measurement. There is also a test mode postfabrication where SEL_S and SEL_R are switched between 0 and 1 equally to balance initial aging.
In its normal mode, the normal path's PT will age while the reference PT stays under low stress to avoid aging. The stressed PT's threshold voltage will be affected. The degraded parameter will then affect the LDO's PSRR value. The measurement mode, similar to the test mode, can be used to monitor changes in parameters as the LDO switches from stressed to reference paths. The authors suggest the use of a simple oscillator with a 50% duty cycle to switch between SEL_S and SEL_R.
They also add a one-class support vector machine (SVM) with a radial basis function (RBF) for effectiveness on smaller samples and computing similarity between two sample points, respectively. It is trained on different instances of the original LDO odometer. This classifier uses PSRR measurements of different LDO chips taken during the measurement mode and classifies each chip as authentic or recycled. An additional linear regression-based classifier is trained to predict how long the chip has been recycled or used. For the SVM, the accuracy starts out at 57% after an hour of aging and climbs up to 98% after five days.

4) LDO PSRR FOR REMARKED DETECTION
Chowdhury et al. also adopted a PSRR-based method for remarked detection [28]. In this case, remarked components refer to both new and recycled fakes with new markings or designations. The framework measures PSRR at different operating voltages and temperature levels of commercial and automotive-grade LDOs.
The experiment reveals that commercial-grade LDOs for a specific vendor and their analogous automotive-grade version behave differently with respect to input voltage variation. This knowledge is used to build ML algorithms to detect corresponding grades. The ML algorithms consist of a KNNbased industrial and commercial clustering model (labeled training data) and an unsupervised k-means algorithm with at least one known golden LDO and the rest unlabeled. The supervised method registers an accuracy of up to 95% in both classes, while the unsupervised method only reaches 75% [28].

5) SELF-CONTAINED LDO ODOMETER FOR RECYCLED CHIP DETECTION
The latest addition to the LDO-based odometer family is a self-contained LDO-based odometer capable of counterfeit detection with on-chip measurement. This design does not require external equipment to measure LDO PSRR [29]. Unlike [27], this iteration does not need separate enable pins for the reference and normal paths, so no switching between the two paths is required. The authors utilize a single pin to enable or disable an aging measurement mode. Both reference and normal paths are used during measurement mode, hence an attacker cannot age the reference path separately. For this implementation, inverter delay chains, XOR gates, and ring oscillators are added to the LDO design [29].
All LDO-based odometer methods known to the author at the time of publication are compiled in Table 1, and the prediction result efficiency of each method is presented for direct comparison.

A. BACKGROUND AND BASICS OF PUFS
As the capabilities of ICs and electronic devices continue to expand and mature, there has always been a need for secure methods of communication, device authentication, and data protection. One solution to these problems is to use cryptographic keys, which are strings of data that can be used for digital signatures, encryption, or authentication. Conventionally, cryptographic keys were stored in non-volatile memory (NVM) [30], such as EEPROM, but this practice is very expensive in terms of both design area and cost. Unfortunately, NVM is also highly susceptible to both invasive [31] and non-invasive [32], [33] attacks, allowing a user to tamper with or even extract the cryptographic key.
Rather than storing the keys in memory, a physical unclonable function (PUF) generates a secret key based on the physical characteristics of an IC. The same PUF design implemented on two different ICs will generate two unique keys due to the inherent variability in the fabrication process. As a result, PUFs feature a relatively small area and minimal design overhead, while also being very difficult to predict or clone.
The authentication protocol of the PUF can be organized into two phases [34], enrollment and verification, as seen in Figure 6. The enrollment phase must take place at a secure and trusted step in the IC fabrication/distribution cycle. During enrollment, a PUF is introduced to a series of inputs (challenges), and the PUF's outputs (responses) are observed and recorded. The challenge-response pairs (CRPs) of each chip are then stored in a secure location. The verification phase occurs immediately after enrollment as the chip moves through untrusted environments. To verify the chip's authenticity a subset of its current CRPs is compared to the CRPs obtained during enrollment. If the CRPs match, the chip is considered authentic, otherwise the chip is considered fraudulent or compromised.

1) PUFS IN PRACTICAL APPLICATIONS
Although the basic function of a PUF is quite simple, researchers have devised countless applications that rely on PUFs to provide secure methods of authentication, encryption, data transfer, and more. This subsection introduces a variety of practical applications that have been proposed.
The nature of the ever-growing Internet of Things (IoT) relies upon communication between a vast number of sensors and electronic systems. This inter-device communication in IoT and other applications such as wireless sensor networks and smart grids is highly vulnerable to a broad range of security outbreaks. A variety of authentication and key agreement (AKA) protocols that employ PUFs are presented and explored in [35]. AKA protocols are used for one-time password generation to allow communicating devices to mutually authenticate each other and establish a secure communication channel. The PUF generally provides a unique key based on a CRP to be used in the AKA protocol which allows for credential flexibility, denial of service (DoS) resistance, and efficiency. Some AKA protocols discussed include a biometric authentication scheme that combines fingerprint biometrics with PUFs [36], a PUF-based entropy pump used for password improvement in implanted devices [37], and lightweight authentication schemes suitable for wearable devices [38].
Umar et al. [39] proposes a secure and anonymous intervehicular authentication protocol using PUFs for use in vehicular ad-hoc networks (VANETs) as the concept of a smart city continues to progress. Existing protocols in VANETs required heavy computation and communication costs, and were also vulnerable to many security threats such as impersonation, replay, and DoS attacks. By utilizing PUFs, a lightweight privacy-preserving authentication protocol allowed for secure and efficient data transmission over a public channel.
Similarly, PUFs have been proposed to improve security in many other fields including health monitoring in industrial cyber-physical systems [40], RFID tag authentication in supply chains [41], and secure data transmission for big data processing and cloud computing [42].

B. PUF DESIGN
Although there has been an astounding variety of PUF architectures and topologies, any PUF design can typically be divided into 4 steps [43]: an entropy source, a 1-bit analogto-digital converter (ADC), stabilization, and error-correcting code. These steps, illustrated in Figure 7, are described in more detail in the following subsections.

1) ENTROPY SOURCE
The fabrication process of an IC is never perfect. In fact, the same shape or doping can never be recreated exactly, so there will always be some variation or mismatch between features that, under ideal conditions, should be identical. While typical designs try to mitigate or remove these imperfections, PUFs harness these imperfections to create truly unique and random cryptographic keys.
Conventional PUFs could be grouped into two categories: delay-based or memory-based [44]. The entropy source of the delay-based PUFs, such as the arbiter PUF [45] or ring oscillator (RO) PUF [30], comes from the mismatch in digital gate delays. Memory-based PUFs, such as the static random-access memory (SRAM) PUF [46], use the metastability of digital memory cells as their entropy source.
In the pursuit of more stable and secure PUFs, recent approaches have extended beyond the conventional approaches and utilize entropy sources that maximize the mismatch between devices. The hybrid PUF [47], an extension of the SRAM PUF, combines both delay and metastability for use as an entropy source to improve mismatch. The 2-Transistor (2T) [48] and NAND PUFs [49] utilize mismatch in device dimensions and threshold voltage to generate and amplify a voltage statically, proving more stable than the dynamic delay-based and metastability-based PUFs. The current mirror PUF [50] amplifies another static entropy source, the difference between PMOS and NMOS mirrored currents. Similarly, the leakage-based PUF [51] relies on the mismatch in transistor leakage currents for entropy. The proportional-to-absolute-temperature (PTAT) PUF [52] uses the voltage difference between pairs of PTAT circuits as an entropy source that is robust against temperature and supply variations.

2) 1-BIT ADC
Every PUF is built around an entropy source that results from variability in the fabrication process, but this entropy source must be converted into a digitized value in order to provide any meaningful output. This conversion process is fundamentally a 1-bit ADC and is usually implemented through local digitization or differential comparison. Local digitization uses the entropy source to generate a value (usually a voltage) in a single-ended structure and then amplifies that value locally, as in [48] and [49], to create the PUF response. Alternatively, differential comparison directly compares two identical structures with similar functionality to determine the response. Positive feedback, comparators, and D flip-flops (DFFs) are commonly used for differential comparison.
Most entropy sources follow a Gaussian distribution as shown in Figure 8(a). In this example, a differential comparison quantifies a negative voltage difference, V, as 0 and a positive V as 1. A large V means that the entropy source is stable regardless of noise and PVT variations, while a small V tends to be unstable. Figure 8(b) shows the relation between mismatch and ADC requirements. A low-resolution ADC is capable of quantifying large mismatches, but without stabilization techniques, a high-resolution, power-hungry ADC will be required for small mismatches.

3) STABILIZATION TECHNIQUES
The stabilization process generally follows the digitization of the entropy source. In the case of Figure 9, a comparator is used to digitize its inherent voltage offset, V OS . It can be seen that a large V OS will produce a stable digital output, regardless of noise, but as V OS becomes smaller than the noise amplitude, the output becomes unstable and occasionally produces an incorrect response. At the cost of increased data processing time, many different techniques, such as burn-in, temporal majority voting (TMV), and masking, can be employed to stabilize the PUF response.
Burn-in uses an accelerated device aging process to increase inherent mismatch. The effects of this process are displayed in Figure 10(a), where it can be seen that after aging, the V os distribution has been spread out, resulting in fewer unstable bits. Unfortunately, this technique takes a significant amount of time, thus increasing production costs. It may also be difficult to localize the aging process to only affect the PUF devices, this may compromise the performance of other designs on the same IC.
Unlike burn-in, TMV is performed during post-processing. The TMV determines the final PUF response based on the most common value occurring within a sliding window as seen in Figure 10(b). This technique essentially averages the output over time so that occasional incorrect outputs will not affect the final response. A TMV window will increase PUF stability at the cost of increased data processing time.
Masking is a technique in which unstable PUF bits are masked, or excluded, from the final PUF response. To generate a mask, each PUF output is observed over several evaluations and any bit that changes its value is marked as a dark bit. As shown in Figure 10(c), the dark bits are masked and do not appear in the final PUF output. In certain analog PUFs, the masking technique can be improved by using a tilting mechanism, which adds a differential offset to each PUF cell in the positive and negative directions to increase the region in which we determine a bit to be unstable or dark. A larger tilt will mark more bits as dark and will ensure a more stable final PUF response. Masking not only increases the data processing time required to generate the mask but also reduces the total number of PUF bits generated for each response, reducing the strength of the PUF and wasting area.

4) ERROR-CORRECTING CODE
Error-correcting code (ECC) is the final step in PUF design, occurs at the post-processing stage, and is used to achieve 100% stability in the PUF response. ECC techniques are widely used in communications systems to control or correct errors that may occur in data transmission. Due to some similarities in PUF response generation, these ECC techniques can be applied to PUFs as well. Systematic low leakage coding (SLLC) [53] and index-based syndrome coding (IBS) [54] are both based on syndrome coding schemes. Additionally, a maximum likelihood decoding scheme uses symbols derived from PUF response bits in [55] for ECC.

C. PUF CHARACTERISTICS
It is evident from the many PUFs mentioned in the previous subsection, that PUFs can vary significantly from one another. With countless entropy sources available, as well as many digitization and stabilization methods, it becomes incredibly difficult to accurately categorize and directly compare PUFs. Even though there is so much diversity amongst PUFs, there are 4 key characteristics that are inherent to PUF designs: unclonable, uniqueness, randomness, and reliability (repeatability).

1) UNCLONABLE
According to the name, all PUFs must be unclonable. It should be extremely difficult to predict and replicate any given PUF exactly. This comes from the fact that the functionality of the PUF is not determined by the design, but instead generates its responses based on unpredictable variations and mismatches that result from the fabrication process.

2) UNIQUENESS
The main product of any PUF is its challenge-response pair (CRP). A challenge (input) is introduced to the PUF which then provides a response (output). The uniqueness of a PUF ensures that each unique challenge produces a unique response. The uniqueness of a PUF is often used to categorize PUFs as 'weak' or 'strong' depending on the number of unique CRPs a PUF exhibits.

3) RANDOMNESS
Randomness is related to uniqueness but it applies to identical PUFs fabricated on different ICs. If each PUF on different ICs receives the same challenge, they should all produce unique responses. This characteristic of randomness makes it exceedingly difficult to predict and clone a PUF exactly.

4) RELIABILITY/REPEATABILITY
Reliability, sometimes referred to as repeatability, ensures that any single PUF can reproduce the same CRP despite PVT variations or device aging. This ensures that independent of the operating environment, the cryptographic information generated by the PUF can be reliably extracted. Reliability is a direct measure of the stability of each PUF bit and is critical to ensure the security of the chip for its entire lifecycle.

D. PUF PERFORMANCE METRICS
In order to directly compare a diverse group of PUFs, it is important to be able to consistently and accurately quantify the 4 PUF characteristics described in Section III-C. A 256-bit PUF response is illustrated in Figure 11 [47]. Each PUF bit along the y-axis is evaluated for every clock cycle and its output is listed along the x-axis. This figure will be referenced in the following subsections to describe the evaluations that are required to fully characterize state-of-the-art PUF designs.

1) INSTABILITY & BIT ERROR RATE
Two critical evaluations for any PUF are the instability and the bit error rate (BER), which are both indicators of the reliability/repeatability of a PUF. Any PUF bit that flips at least once throughout N evaluations is considered to be an unstable bit, as shown in Figure 11 in the rightmost column. Instability is the measure of the total number of unstable bits in a PUF as given by Oftentimes, proposed PUFs will list both native instability and instability, which measure the number of unstable bits before and after stabilization techniques, respectively.
A bit flip occurs whenever a PUF bit changes value. The BER compares each PUF evaluation to the golden data, or expected output, over a number of evaluations as given by It is expected that after a sufficient number of evaluations, the BER should approach a constant number. Ideally, the instability and BER would both be 0%, meaning that there are no unstable bits in the PUF.

2) ROBUSTNESS
In order to further demonstrate the reliability of a PUF, it is common practice to measure the instability of multiple chips across an acceptable range of voltage supplies and temperatures. This evaluation exhibits a PUF's resilience to the effects of noise at different operating conditions and ensures that the cryptographic information can be repeated consistently. Once again, the ideal instability would be 0% across all PVT variations.

3) HAMMING DISTANCE & AUTOCORRELATION
Hamming Distance (HD) consists of two measurements, intra-die HD and inter-die HD, which indicate a PUF's reliability and randomness, respectfully. The intra-die HD, HD intra , measures the difference in the responses of one particular PUF instance evaluated many times with the same challenge. Ideally, the PUF response would be repeated exactly and there would be no differences measured, giving an HD intra of 0%. Alternatively, the inter-die HD, HD inter , measures the difference in the responses of two different PUF instances evaluated many times with the same challenge. If the PUF design is truly random, then each PUF bit has an equal chance to be a 0 or 1, and when compared to another PUF response, half the bits should be the same, giving an ideal HD inter of 50%. The mean and standard deviations of HD intra and HD inter are plotted and an HD separation value is generally given as Autocorrelation is another common measurement among state-of-the-art PUFs and measures the autocorrelation function of PUF responses between different ICs, similar to HD inter . Ideally, the autocorrelation between two PUF responses should be 0 and the 95% confidence bound should be minimal.

4) SPATIAL DISTRIBUTION
Generally, PUFs are designed as a physical array of cells. To further evaluate the randomness of a PUF, one can evaluate each PUF cell and average the responses across multiple PUFs for each PUF cell location in the array. Ideally, across multiple PUFs, each PUF cell location should average 50% (half 1's and half 0's). This gives a visual indicator of whether there are any systematic mismatches in the PUF design, or if it truly appears random.

5) POWER CONSUMPTION
Even though PUFs are only accessed during limited times, the power consumption of the design remains an important measurement. The power consumption is typically measured in energy/bit and typical state-of-the-art designs exhibit total power consumption of sub-pJ/bit.

E. STATE-OF-THE-ART PUFs
Recently, several unique state-of-the-art PUFs have been proposed. Two such designs, the metal-via resistance (MVR) PUF [43] and the cross-coupled impedance-based (CCI) PUF [56], employ novel techniques in one or more design steps that are briefly presented in the following subsections. Additionally, Table 2 below compares many different state-of-art PUFs and their performance metrics that were discussed in the previous subsection.

1) METAL-VIA RESISTANCE PUF
Vias are one of the least controlled elements in a semiconductor fabrication process, meaning that the actual via shape and ideal via shape can differ significantly as displayed in  Figure 12(a). The MVR PUF utilizes the inherent parasitic resistance between multiple layers of metals and vias as a static entropy source. The optimal layout of each metal-via resistor, shown in Figure 12(b), was designed to meet the minimal DRC guidelines to maximize mismatch while using minimal silicon area. A symmetric bridge configuration is designed with the metal-via resistors to generate a voltage difference as shown in Figure 12(c). The MVR PUF also simplifies the PUF design process by combining the digitization and stabilization steps with a back-end incremental ADC (IADC). The self-programmable IADC readily adjusts its resolution based on the value of the voltage difference in order to eliminate the need for post-processing stabilization techniques.
The MVR PUF, fabricated in a 65nm CMOS technology, achieves a native instability and BER of less than 1.45% and 0.12% with 5000 evaluations, respectively. The HD intra and HD inter were measured to be 0.0016 and 0.4980, respectively, resulting in an HD separation of more than 310×. The power consumption of the PUF without and with the IADC was measured to be 18 pJ/bit and 746.5 pJ/bit, respectively.

2) CROSS-COUPLED IMPEDANCE-BASED PUF
In a typical PUF cell, the voltage difference, V, generated by an entropy source follows a Gaussian distribution as shown in Figure 13(a), and has a high likelihood of falling within the unstable region highlighted in red. Conventional solutions usually rely on higher-resolution ADCs or stabilization methods, but the CCI PUF incorporates equally weighted positive and negative feedback paths to create a bimodal distribution as shown in Figure 13(b). With this configuration, very few V values fall within the unstable region, relaxing the need for digitization and stabilization techniques. The output impedance is used as the entropy source in CCI PUF. Using the cross-coupled impedance boosting technique in Figure 13(c), the mismatch between devices is significantly increased. The proposed PUF cell used to generate a voltage difference is shown in Figure 13(d).
The CCI PUF, fabricated in a 65nm LP CMOS technology, demonstrated a native instability of only 1.06%. The HD intra and HD inter were measured to be 0.0031 and 0.4986, respectively, resulting in an HD separation of over 160×. The power consumption of the CCI PUF was measured to be approximately 6 pJ/bit.

A. INTRODUCTION
Globalization became essential to reducing design and fab costs for the semiconductor industry. From the RTL design to product shipping, two or more companies are involved in the modern (IC) supply chain. During this process, semiconductor intellectual properties (IPs), which refer to some reusable units of logic cells or chip layouts, are used to indicate the licenses and proprietorship of the designs. It can be a soft IP in a form of HDL/RTL, a hard IP in GDSII form, or a firm IP such as a fully placed netlist, which is a compromise between the former two forms. There are many methods for counterfeiting and theft that challenge the vulnerabilities of the IP, such as reverse engineering, obtaining copies of the design illegally, and even using a piece of IP that is improperly licensed. Among these, reverse engineering is one of the biggest threats, with recent advances in various imaging techniques [62]. Reverse engineering utilizes frontend techniques such as de-packaging/de-layering and backend techniques such as automated plasma focused ion beam (FIB) [63] to observe the functionalities and interconnections between the transistors of an IP, which eventually leads to the reconstruction of the netlist and the original design. There are commercial entities such as ChipWorks [64] that offer IC reverse engineering services on top-notch process technologies. Reverse engineering provides non-infringement evidence, finds licensing opportunities, uncovers the patents for purchase, and even builds better patents out of the originals. Although reverse engineering provides an opportunity to learn about diverse IPs/ICs, it inevitably runs into illegal issues related to security.
To prevent cloning and counterfeiting through means of reverse engineering, various methods of logic obfuscation and camouflaging techniques have been developed. Early solutions camouflaged digital gates by simply adding dummy contacts and paths to make all digital gates look identical [65]. Other methods aimed to hamper the reverse engineering process by filling in empty space with entire dummy gates [66] or implementing logic functions with primitive programmable standard cells [67]. Eventually, a logic obfuscation technique called logic locking was proposed which inserted additional logic gates into original designs. These logic gates, known as key gates, would then require a specific input in order for the entire block to demonstrate proper functionality [68], [69]. Unfortunately, early logic locking methods were vulnerable to Boolean satisfiability (SAT) attacks [70]. A promising solution emerged in which some gates in a design would be replaced by lookup tables (LUTs) or other reconfigurable logic blocks [71]. Blocks like LUTs are able to represent any logic function for a given number of inputs, thus increasing the search space of a SAT attack when probing for the correct key. The main downside to LUT-based obfuscation is that in order to achieve sufficient resiliency to reverse engineering attacks, considerable area, delay, and power costs must be incurred. To avoid significant design overheads while still evading invasive and non-invasive attacks, covert gates were proposed as a new cell camouflaging technique [72]. Covert gates can be easily identified as regular logic cells, but the introduction of a dummy pin or pins into the gate causes an erroneous netlist to be generated using modern reverse engineering techniques.
A promising camouflage technique has developed recently in which logic families use different threshold voltage devices [73], [74], [75]. These logic families use different threshold transistors with identical layouts to realize a given logic gate function. Due to the identical physical appearance of the transistors, it is extremely hard to discern different functionalities strictly from de-layering. However, these techniques are sensitive to PVT variations. The threshold voltage defined (TVD) logic family proposed in [76] provides a more PVT-robust solution, but the number of transistors used increases exponentially with an increased number of inputs. To remedy this, [62] presents an enhanced threshold voltage defined (E-TVD) logic family that reduces the number of transistors required for a large number of inputs dramatically without compromising the robustness across PVT variations.

B. THRESHOLD VOLTAGE DEFINED (TVD) LOGIC FAMILY
Standard CMOS technologies provide transistors with different threshold voltages (VT), such as low VT transistors (LVT), standard VT transistors (SVT), and high VT transistors (HVT). When comparing the current conductance of similarly sized LVT, SVT, and HVT transistors, the following relation holds true: Such characteristic enables the implementation of different Boolean functions using the same circuitry. Reference [76] proposes a sense amplifier-based TVD logic family, and a 2-input TVD logic family is illustrated in Figure 14(a). The pull-down transistors in parallel (TVD transistors in the shaded box), consist of all possibilities of the input combination and replace the input pair of the sense amplifier. When the clock is low, the TVD logic operates in the pre-charge phase, and when the clock goes high, the evaluation phase starts. During the pre-charge phase, nodes VO and VOb will be pulled to '1', and the outputs get reset to '0' (where '1': high and '0': low). When it comes to the evaluation phase, only one of the parallel paths from both differential sides will be conducted. Because of the VT differences of the transistors in each path, the current pulled by one side will be larger than the other thus pulling down either VO or VOb. Figure 14(b) shows examples of NAND and XNOR gate implementations with this TVD logic family. For the NAND gate, if the input combination is AB = '11', the LVT devices between nets 1 and 3 will be turned on, as well as the HVT devices between nets 2 and 3. Since I LVT > I HVT according to (5), VO will be pulled down to '0' during the evaluation phase, thus OUT and OUTb get set to '0' and 1', respectfully. For all the other input combinations, the LVT devices implemented on the opposite side will cause more current flow between nets 2 and 3 which sets OUT and OUTb to '1' and '0', respectively. Therefore, the NAND logic is achieved. The same topology is used to configure the XNOR and other Boolean functions.
The differential implementation enhances the PVT robustness of this TVD logic family, however, the total number of transistors used and stacked for this TVD logic structure increases exponentially when the number of inputs increases. Figure 15 shows a 3-input TVD logic family gate, where 32 more transistors are used in the stack structure. For N number of inputs, 2N·2N TVD transistors along with N stacked TVD transistors are required to perform the function, which is not only costly for area and power but also a larger loading effect for the preceding stage that drives those inputs.

C. ENHANCED THRESHOLD VOLTAGE DEFINED (E-TVD) LOGIC FAMILY
In order to solve the exponential relationship between the number of inputs and the number of TVD transistors required, [62] proposes to change the stacked-transistor TVD structure to a parallel configuration. Figure 16(a) shows a 2-input E-TVD logic family gate. Here, inputs A and B act as the differential input pair of the sense amplifier, which will determine the current path under input combinations of '11' and '00'. To operate properly under the input combinations of '01' and '10', additional current paths are added at node VS. Instead of one current path determining the logic output in the TVD logic family, here two current paths together make the decision. Figure 16(b) illustrates the implementation of
the NAND and XNOR gate with the E-TVD logic family structure. For the NAND gate, when the inputs are '11', node VS gets pulled down by the Ab-B path, thus the total current flowing between nets 1 and 3 becomes I LVT , which is larger than the current I HVT flowing between nets 2 and 3. As a result, OUT and OUTb are set to '0' and '1' respectfully during the evaluation phase. For the input combinations of '01' and '10', node VS will be pulled high, and thus the second current path will be conducted. Since the LVT device between nets 2 and 3 will always conduct more current than the opposite side, where an HVT device is driven by node VS, VOb will always get pulled down thus OUT goes to '1' during the evaluation phase. Hence, the NAND logic is achieved. The XNOR gate uses the same topology and so do the other Boolean functions. This implementation removes the stacked TVD transistors, which significantly reduces the total number of TVD transistors. Figure 17 shows a 3-input E-TVD logic family gate, where a total of 18 TVD transistors are used, compared with 48 TVD transistors required in the original TVD logic family structure. The reduction in the number of transistors makes the implementation more area and power efficient, as shown in Figure 18. For a 3input logic gate with identical transistor geometry, E-TVD is able to reduce the area by 34%, and an 80% reduction is expected for a 4-input implementation. Table 3 summarizes the number of transistors required in each structure depending on the number of inputs, N. With advantages in area, power, and delay, the E-TVD logic family is highly suitable for implementing multi-input logic gates with obfuscation against reverse engineering.

V. CONCLUSION
As the semiconductor industry continues to advance it has become impossible for a single entity to carry out every step required for IC fabrication, from design to distribution. The progression towards globalization in the IC industry leaves the IC supply chain vulnerable to electronic counterfeiting attacks. This brief tutorial has focused on introducing several mixed-signal approaches to electronic counterfeit detection and prevention. First, the utility of LDOs in counterfeit detection is highlighted and an LDO-based odometer capable of classifying a chip as new or aged is introduced. In the following section, PUFs are introduced as a unique and unclonable method for cryptographic key generation. The design steps of a PUF are presented, as well as a PUF's defining characteristics and the measurement evaluations that quantify those characteristics. Finally, this tutorial covers camouflaged digital gates as a useful method for implementing multi-input digital gates that are resilient to reverse engineering.