One of the great problems of the chip industry is that no two chips are alike. Even when chip makers are fabricating the exact same chip product, like an Intel microprocessor, there are always minute and virtually unnoticeable differences from one chip to the next.

The brilliant thing about chip startup Verayo is that it has figured out how to turn this flaw into an advantage. It turns out that using these minute variations is a good way to uniquely identify a product and thereby defeat product counterfeiting, which is a rampant problem that leads to $600 billion in losses each year.

The San Jose, Calif.-based company is turning the bug of chip variation into a valuable feature by using it to create ID tags that are secure and can’t be cloned, said Anant Agrawal, chief executive of Verayo, in an interview. It could be a great way to ensure that products haven’t been counterfeited or tampered with as they are shipped from one location to another, Agrawal said.

Verayo describes the technology as “silicon biometrics,” which is a lot like human fingerprint identification. The technology was dreamed up by Srini Devadas, an electrical engineering and computer science professor at the Massachusetts Institute of Technology. Devadas started the company in 2005 and developed the technology for two years with funding from the U.S. government.

Devadas figured out that each chip has minute physical characteristics that are often viewed as manufacturing flaws on an atomic level. But Devadas thought of them as unique, unclonable identifiers that could verify the authenticity of a chip.

If you send an electrical signal into a chip, you will get a unique response that comes back. That response is different for other chips, and so every response is unique because every chip has different physical unclonable functions, or PUFs. The good thing about these PUFs is they are cheap; they are tiny circuits that add virtually no cost to a chip.

The technology fits well with basic tests for authenticating products. You can give a chip 50 different challenges that produce 50 different responses. You store the responses on a server. Then you put the chip into a radio-frequency identification (RFID) tag that can be attached to a retail product as if it were a bar code. When someone buys that product, a reader at the cash register reads the serial number on the tag. The reader then sends the serial number back to the centralized computer in a data center. That server looks up the serial number in its database and sends one of the 50 challenges associated with that specific chip. The reader receives the challenge and prompts a response from the chip in the tag. That response goes back to the server. If it’s a match, then the chip is verified as authentic.
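The enrollment and verification flow described above, sketched as an added Python example (not Verayo's code or protocol). The PUF is simulated in software with a per-chip random secret and HMAC; the 128-bit response width, the 5% read noise, the Hamming-distance threshold and the single use of each challenge are assumptions made for the illustration.

```python
import hashlib, hmac, random, secrets

RESP_BITS = 128     # assumed response width
MAX_DISTANCE = 32   # assumed tolerance for noisy bits (Hamming distance)

class SimulatedPUF:
    """Software stand-in for a silicon PUF; the secret models per-chip variation."""
    def __init__(self, noise=0.05, seed=None):
        self._variation = secrets.token_bytes(32)   # never leaves the "chip"
        self._rng = random.Random(seed)
        self._noise = noise

    def respond(self, challenge):
        digest = hmac.new(self._variation, challenge, hashlib.sha256).digest()
        ideal = int.from_bytes(digest[:RESP_BITS // 8], "big")
        # A physical PUF is noisy: a few response bits differ between reads.
        flips = sum(1 << i for i in range(RESP_BITS) if self._rng.random() < self._noise)
        return ideal ^ flips

class AuthServer:
    """Holds the enrolled challenge-response pairs, keyed by tag serial number."""
    def __init__(self):
        self._db = {}

    def enroll(self, serial, puf, count=50):
        challenges = [secrets.token_bytes(16) for _ in range(count)]
        self._db[serial] = [(c, puf.respond(c)) for c in challenges]

    def remaining(self, serial):
        return len(self._db.get(serial, []))

    def issue_challenge(self, serial):
        pairs = self._db.get(serial)
        # Each pair is used once, so a response recorded off the air is useless later.
        return pairs.pop() if pairs else None

    @staticmethod
    def verify(expected, response):
        # Accept a near match rather than exact equality, to absorb read noise.
        return bin(expected ^ response).count("1") <= MAX_DISTANCE

def authenticate(server, serial, tag_puf):
    """Reader-side flow: send serial, relay the challenge, return the verdict."""
    issued = server.issue_challenge(serial)
    if issued is None:
        return False    # unknown tag, or all enrolled pairs are spent
    challenge, expected = issued
    return server.verify(expected, tag_puf.respond(challenge))
```

With single-use challenges, a tag enrolled with 50 pairs can be verified 50 times before it has to be enrolled again, which is a sizing decision for any deployment built this way.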

With this authentication system, the possibilities in anti-counterfeiting systems are big. You can put RFID tags on pill bottles to make sure they are tamper-proof. If someone has changed a pill bottle en route and substituted fake pills, the challenge-response security routine will detect the fake. The device could also be used to issue an exact number of tickets for a transit system.

In October 2008, the company announced its first unclonable identification chips. Based on customer feedback, the company revised the chips to make them compatible with standard RFID reader systems and cell phones. Verayo also improved its radio for better readability. That revision process took months and the company is now engaged with customers about full-scale production.

There’s another product on the way, too. Customers can use the PUFs to generate an unlimited number of cryptographic keys, which are used to authenticate users on a network. Normally, a chip can generate only a limited number of keys, and it has to store them in the chip’s own memory. These chips are not so hard to break into and clone. But with PUFs, a chip can dynamically generate a new key that doesn’t have to be stored. And each key is unique to the particular chip that generates it and is thus very hard to counterfeit. If someone tries to physically tamper with a PUF, they would change the characteristics of the PUF and it would no longer work properly.

The result is a higher-security device than you can otherwise get with a piece of hardware. Verayo plans to launch a key-generation product sometime in 2010. That device could be used in unclonable SIM cards, the memory cards used to store phone numbers in cell phones. SIM counterfeiting costs cell phone companies a lot of money every year; this way, they can detect the fakes and weed them out. And since PUFs require no storage, they can eliminate some memory requirements for SIM devices, thereby cutting costs.

The key-generation system can also be used in near-field communications, which allows someone to pay for a physical product with a cell phone. In these devices, authenticating a user’s phone is a must. Agrawal said the company is in trials now for its secure RFID tags with three big liquor companies, a cigarette company, and a transit authority. It is already providing tags to the equivalent of the Food and Drug Administration in China. The key systems can also be used in networking hardware, electronic passports, and credit cards.

Agrawal spent 17 years at Sun Microsystems before moving on to startups. He was previously the chief executive of inSilica, a custom chip maker that used low-cost teams in India and Slovenia to design chips. Verayo’s sole investor is Khosla Ventures. Verayo is raising a second round of money now.