Safeguarding personal and commercial data is paramount in today's world. One company ensuring this trust is Intrinsic ID. The organization has been lauded for safeguarding more than 600 million devices around the world and has become highly regarded in digital security - a testament to the company's commitment to excellence and innovation. It has pioneered the use of Physical Unclonable Functions (PUFs) for security and authentication and Internet of Things (IoT) applications.
As Intrinsic ID celebrates its 15th anniversary, we sat down with one of the company founders, who has contributed profoundly to the security of leading semiconductor companies worldwide.
Pim Tuyls: The work of the company really started back in 2001, when I was working at the Philips Natlab in Eindhoven, also known as Phillips Research. At that time, Philips was in the business of content distribution. We were working with CDs, DVDs, Blu-ray disks, and our team was tasked with finding a way to make sure the content on those disks was secure and protected. Even at that time, we could see that the need for protecting content and securing data would become more pervasive. Flash memories were on the horizon - and we saw that content would be shared in different ways. Therefore security needed to be integrated into the chips that would soon become responsible for vast amounts of data.
At the time we were exploring a concept we called “ambient intelligence,” which was really the idea that intelligent devices and sensors could be everywhere making decisions autonomously. In this environment all the systems involved must be trusted. It was through this work we discovered the innovative ways to apply a technology called Physical Unclonable Functions (PUFs). A PUF harnesses the natural variations within the manufacturing process of integrated circuits to generate a distinct digital identifier. After working with several different types of PUFs, the SRAM PUF, which leverages the behavior of standard SRAM memory, which is available on any chip, was determined to be best suited for commercialization. Proven to be robust, yet lightweight and scalable, SRAM PUFs could be used for a wide range of applications.
SRAM PUF allows us to create a digital fingerprint, which serves various applications such as secure key generation and storage, device authentication, flexible key provisioning, encryption, and chip asset management. Phillips Semiconductors was our first customer but when they spun out of Philips and formed NXP things started to change for us too. It became clear that we needed to stand on our own. So, in 2008, with funding from VC Prime Ventures, we started Intrinsic ID.
Pim Tuyls: PUF is a technology that is comparable to the biometrics of the chip. That's how to think about it, and this is how it differs from traditional solutions. PUFs are highly resistant to physical attacks, as they rely on unique physical properties of each individual device to generate cryptographic keys. This makes them much harder to clone or replicate than traditional methods. Additionally, PUF-based solutions are very difficult to reverse-engineer, as they do not rely on secrets being stored in memory. Finally, PUF-based solutions are highly flexible and scalable, making them well-suited to a wide range of applications and use cases.
SRAM PUF technology is suitable for high-security applications as there are no secrets stored in memory anymore. A secret is extracted from the biometric of the chip. That means that if an attacker gets access to the memory via a microscope or other attack techniques, he will not find any secrets. We are completely unique in this way – we are the only ones in the world providing these solutions with SRAM PUFs.
Pim Tuyls: I think there were a few key moments. One was when we published our initial research paper in 2007 at a leading hardware security conference. Our published paper has been cited over 1500 times and was recently named one of the three “most noticeable” papers in the 25-year history of the annual Conference on Cryptographic Hardware and Embedded Systems (CHES). CHES is the premier venue for research on design and analysis of cryptographic hardware and software implementations and the most noticeable papers were selected based on the objective measure of the number of citations.
Another key moment was when I moved with my family to the U.S., to Silicon Valley, to be close to our semiconductor customers. This certainly gave a big boost to our business. After 2015, we expanded our customer base from chips for government and defense and banking to other semiconductor markets as well. Since then we have gained a majority of the microcontroller and FPGA vendors as customers and our business has grown exponentially. Today we have more than 600 million devices in the field that are secured by our technology.
Pim Tuyls: First of all, I think that we have been quite visionary from the start. We were far ahead when we were at Phillips Research investigating “ambient intelligence.” This is the predecessor to what we now call the Internet of Things (IoT). At that time we already saw that security would be key and essential. The IoT really took off around 2010. At that time, everybody still hoped that they would get away with connecting devices without security. Now, we have seen through several attacks that this is not the case. Around 2015, semiconductor vendors started realizing that if they want to make their customers successful, they need security. Since then, we have seen an increasing use of security in semiconductors. But between 2005 and 2015, we certainly had to educate the market a lot on how essential it is to include security. Without it, so much can go wrong.
Pim Tuyls: I think what we found is the right combination of ingredients. The first one is the strong technology from the Eindhoven area, from Philips Research and the people in this area, who are from the best technical universities the world has to offer. We have combined this with the business mindset and the business spirit of the U.S. West Coast. I think that we are succeeding well in combining those two. It is both. It is not just technology. You need to have strong technology, with patents, and a good product that works. But you also need everything around it, including good sales, marketing, and management.
On top of that, you need to have, I would say, a U.S.-style startup mentality, more or less 24/7, if you want to go after these customers. You need to help your customers, drive innovation, and do what needs to be done to get this going.
Pim Tuyls: That's a good question. I think that it helps a lot. I think what is certainly appreciated by our customers and employees is that Intrinsic ID is founder-led. I believe customers especially appreciate that the founders running the company have a strong technical background and know what's going on. It’s important for customers to feel that the leadership of the company understands their problem – this is what I’ve found is very important. They want to know that even those at the top of the company understand what the products do technically. This creates a sense of trust. Customers also want to work with leaders who know what's happening and can develop a vision based on that – this is also important in the technology industry, to be able to build a vision. You cannot do that from Excel, you need to understand the technology and where it's going. I think that has helped us a lot.
Pim: So, of course, we want to grow further, we want to keep our growth path, and we want to be the number one player. We continuously innovate our products in the sense that the attacks become more sophisticated, and the attackers get smarter. So we must stay on top of that. And, of course, the whole team is doing this. We stay on top of that, we improve our products in various aspects, to make sure that we can deal with the most sophisticated attackers, with new attacks, but can also deal with new use cases. Part of that is also making sure that we are compliant with specific standards and certifications, which is becoming increasingly important for several vertical markets of the IoT.