1. Physically Unclonable Function: a Promising Security Primitive for Internet of Things
Debdeep Mukhopadhyay, Rajat Subhra Chakraborty, Phuong Ha Nguyen and Durga Prasad Sahoo
Secured Embedded Architecture Laboratory (SEAL)
Department of Computer Science and Engineering
Indian Institute of Technology Kharagpur
Kharagpur, West Bengal, INDIA –
{debdeep.mukhopadhyay,rschakraborty,

2. An Overview

3. Definition of Internet of Things (IoT)
The term Internet of Things was first used by Kevin Ashton in 1999.
Refers to uniquely identifiable objects (things) and their virtual representations in an Internet-like structure
Management
Education
Food
Pharmaceuticals
IoT Applications
Retail
Logistics
IoTs can revolutionize quality of life

4. Applications of IoT: Indian Context
Sensor technologies can monitor vulnerable environments and prevent or limit natural disasters.
E-governance:
Warehouse, management
Inventory control
Port management
ETAs, ETDs
Ships, boats, containers, etc.
Pharmaceuticals:
Intelligent tags for drugs
Drug usage tracking, Pharmaceuticals: Product websites
RFIDs can be used to track the origin of safe drugs thereby reducing counterfeits.
--> Enable the emergency treatment to be given faster and more correct.
Nano-sensors can be used to monitor water quality at reduced cost
Nano-membranes can assist in the treatment of waste-water.
Food Control: Control geographical origin, Food production management, Nutrition calculations

5. Security for IoT…
Source: Patrick Koeberl – Security Architect at Intel Labs, Intel Corporation, IDF14

6. Hardware Root of Trust Just enough security for each end points
Source: Patrick Koeberl – Security Architect at Intel Labs, Intel Corporation, IDF14

7. Trustworthy Handling of large Number of Devices
Source: Patrick Koeberl – Security Architect at Intel Labs, Intel Corporation, IDF14

8. Trust in IoT 50 Billion Devices to be connected by 2020!
Devices need to trust the owner and also each other.
Devices connected through heterogeneous network, and are resource constrained.

9. Whom can you Trust? What do we know about the device?
Is it running the correct software?
Is it genuine?
We need to guarantee:
Integrity
Privacy
Quality
IoT endpoints operate under resource constraints:
CPU
Memory
Energy
Communications
Traditional Security features do not scale down!
The Trusted Computing Base (TCB) must be as small as possible!
Trust is a major enabler for IoT
Are there more optimal solutions for the hardware root of trust?

10. PUF in the context of IoT
Response3
Challenge
Response1
Response2
The responses have to be unpredictable.
Should not be able to modeled using mathematical analysis.
The responses should also be unique and independent.
That is knowledge of one response, should not leak information of the others!

11. What is a PUF? Fingerprint of Devices
A challenge-response mechanism in which the mapping between an applied input (“challenge”) and the corresponding observed output (“response”) is dependent on the complex and variable nature of a physical material
The challenge-response mapping is unclonable (ideally) and instance-specific (depends on manufacturing process variations evident in ASICs)
n-bit Challenge(C)
PUF
n-bit Response (R)

12. An Example with a simple SR-Latchin
Make the input in=1, y=1, y’=1.
Make the input in=0, both of the following states are possible:
y=1, y’=0
y=0, y’=1
Source of randomness!

13. From Theory to Practice
FPGAs are ideal for security implementations
In-house and high-performance
Programmability is an added feature
But careful implementation is needed.
module SR(in , Q, Qbar);
input in;
output Q, Qbar;
nand N1(Q, ~in, Qbar);
nand N2(Qbar, ~in, Q);
endmodule in
Qbar
AND OR
LUT2
LUT1 Q
The non-determinism and hence the randomness is gone!

14. Another Attempt This design has the non-determinism as expected!
module SR(in, Q, Qbar );
input in;
output Q, Qbar;
(* KEEP = "TRUE" *) wire w1, w2;
nand N1(Q, ~in, w1);
nand N2(Qbar, ~in, w2);
assign w1 = Qbar;
assign w2 = Q;
endmodule
Qbar in OR w1 w2 Q OR
This design has the non-determinism as expected!
We can also design using NAND primitives.

15. The Silicon Space Mismatch in driving capabilities of the gates
Values of Q
Mismatch in driving capabilities of the gates
Difference in routing delays of the feedback path
a Latch cell will give either 0 or 1 as output.
Depends on the (x,y) position of the silicon area. 1 1 1
(x1,y1)
(x2,y2)
(x3,y3)
(x4,y4)
(x5,y5)
(x6,y6)
(x7,y7)
(x8,y8)
(x9,y9)
(x10,y10)
(x11,y11)
(x12,y12)
(x13,y13)
(x14,y14)
(x15,y15)
(x16,y16)
(x17,y17)
(x18,y18)
(x19,y19)
(x20,y20)
(x21,y21)
(x22,y22)
(x23,y23)
(x24,y24)
(x25,y25)
ICISS 2011

16. Advantage PUF!! World without PUF World with PUF
Trusted party embeds and tests secret keys in a secure non-volatile memory (NVM)
EEPROM adds additional complexity to manufacturing
Adversaries may physically extract secret key from non-volatile memory
World with PUF
Intrinsic properties of device is used to generate secret key.
Key never leaves the IC’s cryptographic boundary, nor be stored in a non-volatile memory.
Key is deleted after usage in de- or encryption process
It is reducing costs and raising security. But, how ? Consider two worlds : 1) Without PUF and 2) with PUF.

17. PUFs for Identification
Protect against ASIC substitution and counterfeits without using cryptographic operations
Authentic
Device A
PUF
Untrusted Supply Chain / Environments
???
Challenge
Response
Is this the
authentic
Device A? =?
Response’
Database for Device A
Record
It is reducing costs and raising security. But, how ? Consider two worlds : 1) Without PUF and 2) with PUF.
IC rejected if Response’ does not match the enrolled Response

18. An IoT Test-Bed
Typically comprise of sensor nodes, micro-processors, embedded processors, network gateways, and finally the cloud.
RFID tag prototypes interfaced with an FPGA (like Nexys-2)
RFID reader acts as a translator from IPv6 to a tag-specific communication interface (IPv6 makes ubiquitous computing feasible by providing unique identifiers to all connected objects)

19. Threats from Model Building Attacks
Threats from machine learning algorithms:
Attempt to develop a model from the observed Challenge-Response Pairs (CRPs)

20. Threats from Side Channel Attacks
Data input
Terminal
IC chip
Data output
00111…
Power supply
Measure power consumption
Guess secret information stored on IC chip memory
With side channel attacks it is possible to break implementations of cryptosystems even though no mathematical attack is known to solve the underlying problem. With SPA, one power trace is sufficient to reveal the secret.
Power consumption 1 1 1 1
Secret information

21. Lightweight PUFs and PUF Composition
Layers of PUF I N P U T L A Y E R O U T P L A Y E R
Combiners
Challenge
Response
ML Attacker
Side Channel Attacker

22. A Side Channel and Machine Learning Resistant Ideal PUF Composition.
 Reference: Composite PUF: A new design paradigm for Physically Unclonable Functions on FPGA. IEEE HOST 2014: 50-55 
iPUF design proposal is selected as finalist in “CyberSEED Hardware Challenge”, 2014 (

23. Security Analysis for the IoT Testbed
Secured Implementation of ciphers
PUFs/IC s for ciphers
leaked
Information
Mallory
PUFs
Side Channels in the IoT

24. Outline Part-I: PUF Fundamentals Part-II: Lightweight PUF Design
Applications of PUF
Part-II: Lightweight PUF Design
Approach 1: Lightweight PUF Primitives
Approach 2: Combining PUF Primitives and Crypto Primitives
Approach 3: Combining PUF Primitives
Part-III: Attacks and iPUF Design
Machine Learning based Modeling Attacks
Side Channel based Modeling Attacks
Cryptanalysis
iPUF: secure and lightweight PUF
Part-IV: Authentication Protocols
Reverse Fuzzy Extractor Protocol
Slender PUF Protocols

25. Part I:
PUF Fundamentals

26. Physically Unclonable Function (PUF)?
Fingerprint of Devices
A challenge-response mechanism in which the mapping between an applied input (“challenge”) and the corresponding observed output (“response”) is dependent on the complex and variable nature of a physical material
The challenge-response mapping is unclonable (ideally) and instance-specific
n-bit Challenge(C)
PUF
n-bit Response (R)

27. PUF Properties
Evaluatable: given PUF and x, it is easy to evaluate y = PUF(x).
Unique: PUF(x) contains some information about the identity of the physical entity embedding PUF.
Reproducible: y = PUF(x) is reproducible up to a small error.
Unclonable: given PUF, it is hard to construct a procedure PUF’
up to a small error.
Unpredictable: given only a set, , it is hard to predict yc = PUF(xc) up to a small error, for xc a random challenge such that
One-way: given only y and the corresponding PUF instance, it is hard to find x such that PUF(x) = y.
Tamper-evident: altering the physical entity embedding PUF transforms PUF →PUF’ such that with high probability .

28. Quality Metrics for PUF
Uniqueness Reliability
PUF 1
PUF 3
PUF 2 C
Devices r2 r3 r1
PUF 1 C
Time r2 r3 r1
Uniformity: ratio of 0’s and 1’s in response
Bit-dependency: autocorrelation coefficient of response

29. PUF Examples: Optical PUF
Optical PUF was proposed by Pappu et al. with the original name “Physical One-Way Functions (POWFs)”
Made of transparent optical medium containing bubbles. Shining a laser beam through the medium produces a speckle pattern (response) that depends on the exact position/direction of incoming beam
It is reducing costs and raising security. But, how ? Consider two worlds : 1) Without PUF and 2) with PUF.

30. Silicon PUFs We are interested in PUF circuits, i.e. Silicon PUFs
The dominant device for IC design is MOSFET
Silicon PUFs utilize the unavoidable and unpredictable manufacturing process variation effects of modern deep-submicron MOSFET devices
Usually, from CMOS circuit design perspective, process variation is a challenge, but is useful for PUF design
Impact of process variation becomes more pronounced at advanced technology nodes
It is reducing costs and raising security. But, how ? Consider two worlds : 1) Without PUF and 2) with PUF.

31. Source of Variations in MOSFETs
Scaling in CMOS deep submicron process technology ( < 100nm channel length)
Lack of efficiency in fabrication process
Introduces variations in MOS device’s physical parameters:
Gate length (L)
Gate width (W)
Threshold Voltage (Vth)
Oxide thickness (tox)
CMOS scaling  Limitation in fabrication process  Variation in MOS device’s physical parameters  Variation in Circuit parameters (e.g., propagation delay, leakage current, etc)  Existence of randomness

32. Distinguishable Variations in CMOS Circuit Behavior
Ring Oscillator Oscillating Frequency
FPGA 1
FPGA 2
FPGA 3
FPGA 4
FPGA-specific behavior  FPGA fingerprint

33. Applications of PUF

34. Why are PUFs Important? Security without PUF Security with PUF
Trusted party embeds and tests secret keys in a secure location (NVM)
EEPROM adds additional complexity to manufacturing
Adversaries may physically extract secret key from non-volatile memory
Security with PUF
Intrinsic properties of device is used to generate secret key.
Key never leaves the IC’s cryptographic boundary, nor be stored in a non-volatile memory.
Key is deleted after usage in de- or encryption process
It is reducing costs and raising security. But, how ? Consider two worlds : 1) Without PUF and 2) with PUF.

35. PUF in Use: Low-cost HW Authentication
Protect against IC/FPGA substitution and counterfeits without using cryptographic operations
Authentic
Device A
PUF
Untrusted Supply Chain / Environments
???
Challenge
Response
Is this the
authentic
Device A? =?
Response’
Database for Device A
Record

36. PUF in Use: Private/Public Key Pair Generation
Seed
Public key
ECC + PUF
Private key
Key
Generation
PUF response is used as a random seed to a private/ public key generation algorithm
No secret needs to be handled by a manufacturer
A device generates a key pair on-chip, and outputs a public key
The public key can be endorsed at any time

37. PUF in Use: PUF based Pseudo Random Function
A randomized 3-round Luby-Rackoff cipher.
Round functions are replaced PUF instances.
This is a keyless cipher.
[ Armknecht et al., ASIACRYPT 2009 ]

38. Part-II: Lightweight PUF Design

39. Classification of PUF (1/3) Based on entropy source:
PUFs using explicitly-introduced randomness
Optical PUF
Coating PUF
PUFs using intrinsic randomness
Delay PUF
SRAM PUF
Butterfly PUF
Bistable ring PUF
Magnetic PUF
Metal Based PUF

40. Classification of PUF (2/3) Based on embedding device Physics:
Optical PUF
Coating PUF
Silicon PUF
Magnetic PUF
Metal Based PUF
Acoustic PUF

41. Classification of PUF (3/3)
Based on security of challenge-response behavior:
Strong PUF
It must have a very large challenge set, since otherwise the adversary can simply query all challenges and no unknown challenges are, and
it is infeasible to built an accurate model of the PUF based on observed challenge-response pairs (CRPs), or in other words the PUF is unpredictable.
Weak PUF
It has small challenge-response set or
Easy to build an accurate model based on observed CRPs.

42. PUF Taxonomy
Lightweight PUFs are composed of different types of PUF building blocks

43. PUF Primitive 1: Arbiter PUF (APUF)
Composed of n two-port switching stages, for an n-bit challenge size
n-bit challenge => 2n possible paths
Unique path selected by a challenge
Accumulated delay at the end of the path is compared by an arbiter circuit (usually, an edge-triggered D flip-flop)
Arbiter gives 1-bit decision
Advantages: Simple structure, low hardware overhead (each stage is two 2:1 MUXes)
Disadvantage: susceptible to modeling attacks

44. PUF Primitive 2: Feed Forward Arbiter PUF
It is possible to have a linear model for classical Arbiter PUF that results in easy modeling attack on it
Feed Forward Arbiter is used to introduce non-linearity

45. PUF Primitive 3: Ring Oscillator PUF (ROPUF)
An n-bit applied challenge selects two different ROs from a bank of 2n ROs
Process variation implies ROs have different oscillation frequencies
Compare frequencies of two oscillators using counters
Comparator gives decision
Advantage: Difficult to model
Disadvantage: Exponential hardware requirement

46. PUF Example 4: SRAM PUF
SRAM PUF cell structure
Power-up initial value of SRAM cell can be used response, cell address is the challenge
SRAM fabrication compatible with digital logic process in regular ICs
FPGA implementation of SRAM PUF is very difficult (since SRAM modules are cleared by default on power-up)

47. Approach 2: Combination of Crypto Primitives and Insecure PUFs
Controlled PUF – Hash PUF [Gassend et al ]
N-bit challenges, 1-bit response
N-bit hash functions as input and output networks
N Arbiter PUFs

48. Approach 2: Combination of Crypto Primitives and Insecure PUFs (Contd
Lightweight Secure PUF [Majzoobi et al. 2010]
N-bit challenges, k-bit response
Lightweight input and output networks

49. Approach 3: Combination of PUFs
k-XOR PUF [Lee 2005]
N-bit challenges, 1-bit response
k Arbiter PUFs

50. Design 3: Combination of PUFs (Contd.)
Composite PUF [Sahoo et al. 2014]
Multiple levels of PUF primitives are used
N-bit challenges, 1-bit response

51. Part-III: Security Analysis, secure and lightweight PUF-iPUF

52. Security Evaluation of PUF
Unclonability:
- Cannot be achieved using traditional cryptographic techniques
- Two types of unclonability:
- Physical unclonability
- A PUF is physically unclonable if a physical copy of the
PUF with similar challenge/response behaviour cannot
be made, even by the manufacturer (existential
unclonabiliy).
- Mathematical unclonability
- it is not possible to construct a mathematical
approximator which can predict the response
to an arbitrary challenge applied to a given PUF instance,
with a large probability of success
Unpredictability:
- Adversary can’t predict response of a new challenge form a
known set of CRPs
It is reducing costs and raising security. But, how ? Consider two worlds : 1) Without PUF and 2) with PUF.

53. PUF Attack Overview Contactless Probing Mechanical Probing
Side channel Probing
Mathematical Clone
Physical
Clone
Clone PUF
Four paths leading to a PUF cloning attack
Creating a physical clone of the PUF is considered infeasible
The creation of a mathematical clone requires that the raw PUF response(s)
Non-invasive attack methods using side channel analysis on the PUF
Invasive attack involving mechanical probing of r’
Attackers with access to contactless probing equipment can use a semi-invasive methodology to obtain the data of interest
It is reducing costs and raising security. But, how ? Consider two worlds : 1) Without PUF and 2) with PUF.

54. PUF Attacks Brute Force: Replay Attack:
To save every Challenge Response Pairs (CRPs)
Physical Access to PUF is required
Replay Attack:
Eavesdropping CRPs and play them back
Modelling Attack (or Machine Learning Attack):
Take the advantage between relationship between challenge the challenge/response
Build a PUF model using Machine Learning (ML) methods:
- Support Vector Machine (SVM)
- Artificial Neural Network (ANN)
- Logistic Regression (LR)
- Evolution Computing
Set of CRPs needed to train ML algorithm
It is reducing costs and raising security. But, how ? Consider two worlds : 1) Without PUF and 2) with PUF.

55. Security Notion
A PUF P with n-bit challenge and m-bit response is considered as secure if it satisfies the following conditions:
No algorithm to predict the response R produced by an arbitrary PUF instance when an arbitrary challenge with probability of success greater than 2-m
No algorithm to predict the response R for an arbitrary challenge with high probability of success, with sub- exponential time and space complexity
No algorithm to predict the response R for an arbitrary challenge with high probability of success, with sub- exponential data complexity. “Data” in this context is the challenge-response pair (CRP) database

56. Linear Delay Model of Arbiter PUF [D. Lim, M.S. Thesis, MIT, 2002]
It is reducing costs and raising security. But, how ? Consider two worlds : 1) Without PUF and 2) with PUF.
denotes the challenge bit of the i-th stage

57. Linear Delay Model of Arbiter PUF (contd.)
It is reducing costs and raising security. But, how ? Consider two worlds : 1) Without PUF and 2) with PUF.

58. Linear Delay Model of Arbiter PUF
Let pk be the parity of challenge bits:
where
An Arbiter PUF is a linear classifier of random challenge vectors in n-dimensional space, where n is the total number of challenge bits
It is reducing costs and raising security. But, how ? Consider two worlds : 1) Without PUF and 2) with PUF.
Apply Support Vector Machine (SVM) using:
Parity vectors X are n-dimensional feature vectors
Constant vector d is the normal to the hyperplane that classifies challenges into two classes

59. Reported Modeling Attack Results
Modeling Attacks by Machine Learning (Rührmair et al.)
Logistic Regression success rate
Arbiter
99.9% using 18K CRPs in 0.6 sec. (64 taps)
XOR Arbiter
99% using 12K CRPs in 3 min 42 secs (4 XOR, 64 taps).
Lightweight Arbiters
99% using 12K CRPs in 1 hour and 28 mins (4 XORs, 64 taps).
Feed-forward Arbiters
99% using 5K CRPs in 47 mins and 7 secs (7 FF, 64 taps).
It is reducing costs and raising security. But, how ? Consider two worlds : 1) Without PUF and 2) with PUF.

60. Reported Modeling Attack Results (contd.)
[D. Lim, M.S. Thesis, MIT, 2002]
Worked on computer simulation model of Arbiter PUF
Claimed 100% modeling accuracy by applying SVM (PUF size and training set size not mentioned)
[Maes et al, IEEE WIFS’12]
Silicon (ASIC) data
ASIC fabricated in 65 nm CMOS technology
64-bit Arbiter PUF
500 CRPs as training set
Claims ~90% prediction accuracy using SVM
[CSE Dept., IIT-KGP]
Silicon (FPGA Data)
5000 CRPs as training set
~96% prediction accuracy using SVM
It is reducing costs and raising security. But, how ? Consider two worlds : 1) Without PUF and 2) with PUF.

61. Side Channel Analysis Methodology
Using the side channel information to get more knowledge of the internal performance of algorithms
The information are execution time, power consumption, electro-magnetic emission, etc.
Side Channel Attack setup

62. Side Channel Analysis (contd.)
Example

63. Side Channel Based Modeling Attack-Attack on LSPUF
The attack is based on power analysis and machine learning based modeling attack
The Lightweight Secure PUF is a study case

64. Attack on LSPUF (contd.)
The attack is based on power analysis and machine learning based modeling attack
The Lightweight Secure PUF is a study case

65. Attack on LSPUF (contd.)
Power consumption is maximum

66. Attack on LSPUF (contd.)
Power consumption is maximum

67. Attack on LSPUF (contd.)
Power consumption is maximum

68. Attack on LSPUF (contd.)
Power consumption is minimum

69. Attack on LSPUF (contd.)
Power consumption is not minimum or maximum

70. Attack on LSPUF (contd.)
Power consumption is not minimum or maximum

71. Side Channel Based Modeling Attack-Attack on LSPUF (contd.)
Power consumption which is not minimum or maximum is not useful
Power consumption which is maximum and minimum is useful because the intermediate values (r0,r1,r2,r3,r4,r5) are exposed via the power traces, i.e., all 1’s or 0’s
The adversary collects the set of challenges of which the power consumption is maximum or minimum
For each APUFi a set of CRPs (Ci,ri) is collected, i.e. (Ci,1) (max) or (Ci,0) (min). A model of each APUFi can be built by using the machine learning model attack
LSPUF is not secure against SCA-based ML

72. Side Channel Based Modeling Attack-Attack on k-XOR PUF
The SCA-based ML does not work for k-XOR PUF
All APUFi have the same set (C,0) or (C,1). Thus all the models are the same. This fact contradicts that all APUFi are different

73. Cryptanalysis Methodology
Analyzing the structure to find the flaw. After that, applying some algorithms to develop an algorithm to predict the response of a given challenge in efficient way
Cryptanalysis-based Modeling Attack on LSPUF
Cryptanalysis of Composite PUF

74. Cryptanalysis: LSPUF
Security notion: no algorithm predicting the response
(R0,R1,…, R3) with accuracy larger than 2-4

75. Cryptanalysis: LSPUF (contd.)
Fact 1: APUF can be modeled if a set of CRPs is provided

76. Cryptanalysis: LSPUF (contd.)
Fact 2: k-XOR PUF is secure against modeling attack (ML) if k > 6

77. Cryptanalysis: LSPUF (contd.)
Flaw: The output network has a flaw

78. Cryptanalysis: LSPUF (contd.)
Flaw: The output network has a flaw

79. Cryptanalysis: LSPUF (contd.)
Flaw: The output network has a flaw. The number of APUFs in Vi is only 2. Vi is known because Ri and Ri+1 is known

80. Cryptanalysis: LSPUF (contd.)
Flaw: The output network has a flaw. The number of APUFs in Vi is only 2. Vi is known because Ri and Ri+1 is known

81. Cryptanalysis: LSPUF (contd.)
Attack Steps:
From R0, R1, …, R(n-1) we can construct V0, V1, …, V(n-2)
All Vi depends on only two rj and rk. So, we can model all (n-1) Vi by using ML
We need to make a guess on bit R0 and then combine that guess with all V0, …, V(n-2) to solve all response bits R1,..,R(n-1)
The accuracy of the attack is 1/2 instead of 2-m

82. Cryptanalysis: Composite PUF
Security notion: no algorithm predicting the response R with accuracy larger than 1/2

83. Cryptanalysis: Composite PUF (contd.)
The challenge space C is divided into 16 classes: CL0, …., CL15
All the challenges in the same class has the same response. CL0 => R0, …, CL15=>R15
Algorithms to build those classes and their corresponding responses
Algorithm to define the corresponding class for a given challenge C

84. Cryptanalysis: Composite PUF (contd.)

85. Cryptanalysis: Composite PUF (contd.)
1: How to define a class?

86. Cryptanalysis: Composite PUF (contd.)
1: How to define a class?
2: How to define the number of classes?

87. Cryptanalysis: Composite PUF (contd.)
1: How to define a class?
3: How to determine the class where c belongs to ?
2: How to define the number of classes?

88. Cryptanalysis: Composite PUF (contd.)
1: How to define a class?
3: How to determine the class where c belongs to ?
4: How to determine R0?
2: How to define the number of classes?

89. Cryptanalysis: Define a class

90. Cryptanalysis: Defining a Class
Equal

91. Cryptanalysis: Defining a Class
We define a class based on the output of Level 1 or the input of Level 2
Equal
Equal

92. Cryptanalysis: Number of Classes
We define a class based on the output of Level 1 or the input of Level 2
The number of different values of output of Level 1 is the number of classes
Since we have 4 output bits of Level 1, there are 24 = 16 classes: CL0, …, CL15

93. Cryptanalysis: Assumptions
Assumption 1: For each space of sub-challenge Ci, we can divide it into two subsets S(i,0) and S(i,1) according to the output of PUFi – ri. If two Ci and Ci’ belong same S(i,0) or S(i,1) then PUFi(Ci)=PUFi(Ci’)
Assumption 2:, we can construct all S(i,0)s and S(i,1)s then we have 8 sets, i.e.,
S(0,0), S(0,1)
S(1,0), S(1,1)
S(2,0), S(2,1)
S(3,0), S(3,1)
Let i=(i0,i1,i2,i3) then we can define the class CLi , i=0,..,15, is the sets of all challenge C=(C0,C1,C2,C3) such that
C0 in S(0,i0)
C1 in S(1,i1)
C2 in S(2,i2)
C3 in S(3,i3)

94. Cryptanalysis: Assumptions

95. Cryptanalysis: Assumptions (contd.)
Assumption 3: all S(i,0)s and S(i,1)s are constructed, i.e., S(0,0), S(0,1), S(1,0), S(1,1), S(2,0), S(2,1), S(3,0), S(3,1) and all 16 classes
CL0, CL1,…, CL15 are defined based on those sets already.
Class determination: now, for a given challenge C=(C0,C1,C2,C3) we can determine the class CLi where C belongs as follows:
C0 in S(0,0) or S(0,1) => i0
C1 in S(1,0) or S(1,1) => i1
C2 in S(2,0) or S(2,1) => i2
C3 in S(3,0) or S(3,0) => i3
Then i=(i0,i1,i2,i3) is the class index.

96. Cryptanalysis: Assumptions (contd.)
Assumption 3: all S(i,0)s and S(i,1)s are constructed, i.e., S(0,0), S(0,1) , S(1,0), S(1,1), S(2,0), S(2,1), S(3,0), S(3,1) and all 16 classes
CL0, CL1,…, CL15 are defined based on those sets already.
Determination of response Ri of a class CLi : since all S(i,0) and S(i,1) are given and i=(i0,i1,i2,i3), Ci=(C0, C1, C2, C3) where
Take one C0 in S(0,i0)
Take one C1 in S(1,i1)
Take one C2 in S(2,i2)
Take one C3 in S(3,i3)
Response Ri of CLi is :=PUF(Ci).
Hence all the assumptions will be valid if we can construct an algorithm to construct all the sets S(0,0), S(0,1), …, S(3,0), S(3,1).

97. Cryptanalysis: S(0,0) and S(0,1)
We show an algorithm to construct the sets S(0,0) and S(0,1) for PUF0 first
Then all the remaining sets can be constructed in a similar way
Definition of S(0,0) (or S(0,1)): this is the set of all sub challenge C0s such that the outputs of PUF0 are the same

98. Cryptanalysis: S(0,0) and S(0,1) (contd.)

99. Cryptanalysis: S(0,0) and S(0,1) (contd.)
Equal

100. Cryptanalysis: S(0,0) and S(0,1) (contd.)
Pr(R= R’)=1
Equal

101. Cryptanalysis: S(0,0) and S(0,1) (contd.)
Not Equal

102. Cryptanalysis: S(0,0) and S(0,1) (contd.)
Not Equal
Pr(R = R’)=1/2

103. Cryptanalysis: S(0,0) and S(0,1) (contd.)
If C and C’ belong to same set, S(0,0), then their response Pr(R=R’)=1
If C and C’ belong to different sets, then their response Pr(R=R’)= 1/2
We fix C0 and C0’, try K different values (C1, C2, C3):
If C and C’ belong to same set, then Pr(R=R’) =1
If C and C’ belong to different sets, then Pr(R=R’) =1/2^K
Thus if K is big, we can determine whether C and C’ belong to the same or not with very high accuracy. This fact means that the sets S(0,0) and S(0,1) can be constructed by observing the response R.

104. Cryptanalysis: S(0,0) and S(0,1) (contd.)
If C and C’ belong to same set, S(0,0), then their response Pr(R=R’)=1
If C and C’ belong to different sets, then their response Pr(R=R’)= 1/2
We fix C0 and C0’, try K different values (C1, C2, C3):
If C and C’ belong to same set, then Pr(R=R’) =1
If C and C’ belong to different sets, then Pr(R=R’) =1/2K
Thus if K is big, we can determine whether C and C’ belong to the same or not with very high accuracy. This fact means that the sets S(0,0) and S(0,1) can be constructed by observing the response R
When all S(i,0), S(i,1) are constructed, then all classes CLi are defined and their corresponding Ri can be determined
Finally, a response of a given challenge C can be predicted with 100% accuracy

105. Summary for Lightweight PUFs
Crypt.
Attack ML
SCA-ML Attack HW
Multiple outputs
APUF
Yes No
Light
HASHPUF
Unknown
Heavy
LSPUF
XORPUF
Composite
PUF

106. iPUF: secure and lightweight PUF
As mentioned previous, all the existing lightweight and secure PUFs are not secure or not lightweight. Thus, a new PUF design is developed based on the cryptanalysis of composite PUF. The new design is called iPUF

107. iPUF: PUF qualities

108. iPUF: security analysis and design features
iPUF is proved such as:
It is secure against Cryptanalytic Attacks.
It is secure against Side Channel Attacks.
Moreover, iPUF is:
lightweight.
able to produce multiple outputs by modifying the structure.

109. PUF-based Authentication Protocols
Part IV:
PUF-based Authentication Protocols

110. Protocols We consider the following authentication protocols:
Naïve authentication
Reverse Fuzzy Extractor Authentication
Slender PUF Protocol

111. Authentication Protocol
Authentication Protocol is a process with can allow two parties to authenticate to each others.
The protocols are based on the following things
What do you know: password, secret key
What do you have: token, identity card
Who are you: bio-authentication, your finger print etc.

112. Naïve Authentication

113. Naïve Authentication Limitations: The bare CRPs are used.
If adversary can collect the CRPs, then she can imitate a legal client.

114. Reverse Fuzzy Extractor Protocol
The helper data concept is used.
R is reference response
Helper data h=Gen(R).
For a noisy response R’, we have R=Reprod(h,R’).
Gen is not an expensive operation
Reprod is an expensive operation

115. Reverse Fuzzy Extractor Protocol (contd.)

116. Slender PUF Protocol A model of weak PUF is made and the host keeps it
The information of CRP is hidden

117. Slender PUF Protocol (contd.)

118. Slender PUF Protocol New contribution:
Instead of storing CRPs, we use a WEAK PUF which we can model. However, the security of this protocol is still not clear.

119. References
Daihyun Lim. Extracting Secret Keys from Integrated Circuits. Master's thesis,MIT, USA, 2004
Ahmed Mahmoud, Ulrich Ruhrmair, Mehrdad Majzoobi, and Farinaz Koushanfar. Combined Modeling and Side Channel Attacks on Strong PUFs. IACR Cryptology ePrint Archive, 2013:632, 2013.
Mehrdad Majzoobi, Farinaz Koushanfar, and Miodrag Potkonjak. Lightweight secure PUFs. In Proc. of the 2008 IEEE/ACM International Conference on Computer-Aided Design(ICCAD), pages 670{673, Piscataway, NJ, USA, IEEE Press
Stefan Mangard, Elisabeth Oswald, and Thomas Popp. Power analysis attacks revealing the secrets of smart cards. Springer, 2007.
Durga Prasad Sahoo, Phuong Ha Nguyen, Debdeep Mukhopadhyay, and Rajat Subhra Chakraborty. A Case of Lighweight PUF Constructions: Cryptanalysis and Machine Learning Attacks under submission.
Durga Prasad Sahoo, Sayandeep Saha, Debdeep Mukhopadhyay, Rajat Subhra Chakraborty, and Hitesh Kapoor. Composite PUF: A New Design Paradigm for Physically Unclonable Functions on FPGA. In IEEE International Symposium on Hardware-Oriented Security and Trust (HOST), 2014.

120. References (contd.)
Ulrich Ruhrmair, Frank Sehnke, Jan Solter, Gideon Dror, Srinivas Devadas, and Jurgen Schmidhuber. Modeling attacks on physical unclonable functions. In Proc. of 17th ACM conference on Computer and communications security(CCS), pages 237{249, New York, NY, USA, ACM.
A. Herrewege, S. Katzenbeisser, R. Maes, R. Peeters, A.-R.Sadeghi, I. Verbauwhede, and C. Wachsmann. Reverse fuzzy extractors: Enabling lightweight mutual authentication for pufenabled rfids. In Financial Cryptography and Data Security, volume 7397 of Lecture Notes in Computer Science, pages 374–389. Springer Berlin Heidelberg,
M. Majzoobi, M. Rostami, F. Koushanfar, D. Wallach, and S. Devadas. Slender puf protocol: A lightweight, robust, and secure authentication by substring matching. In Security and Privacy Workshops (SPW), IEEE Symposium on, pages 33–44, May 2012.
Blaise Gassend, Dwaine Clarke, Marten van Dijk, and Srinivas Devadas. Controlled Physical Random Functions. In Proc. of 18th Annual Computer Security Applications Conference( ACSAC ), page 149, Washington, DC, USA, IEEE Computer Society.

121. Demonstration – Arbiter PUF
Part V:
Demonstration – Arbiter PUF
on Xilinx Artix-7 FPGA

122. PUF Lab Setup

123. Arbiter PUF
Composed of n two-port switching stages, for an n-bit challenge size
n-bit challenge => 2n possible paths
Unique path selected by a challenge
Arbiter gives 1-bit decision
Advantages: Simple structure, low hardware overhead (each stage is designed two 2:1 MUXes)

124. PicoBlaze Microcontroller
Design Overview
128-bit
Arbiter PUF
PicoBlaze Microcontroller PC
FPGA
controls
challenge
response

125. Switch Design switch_2to2 (inT, inB, cT,cB, outT, outB);
input inT; // Upper input signal
input inB; // lower input signal
input cT; // Control input
input cB; // Control input
output outT; // Upper output signal
output outB; // Lower output signal
(*LOCK_PINS = "all"*)
mux_21 MUXT(
.ins({inB,inT}),
.ctrls(cT),
.out(outT) );
mux_21 MUXB(
.ins({inT,inB}),
.ctrls(cB),
.out(outB)
endmodule

126. Parallel Paths
module switchChain #( parameter nStage = 16)( inT, inB, cT, cB, outT, outB );
input inT,inB;
input [nStage-1:0] cT, cB;
output outT, outB;
wire [nStage:0] netT;
wire [nStage:0] netB;
assign outT = netT[nStage]; // Output signal from upper and lower paths
assign outB = netB[nStage];
assign netT[0] = inT; // Input trigger signal for puf
assign netB[0] = inB;
// Generate chain of switches
genvar i;
generate
for(i = 0; i < nStage; i = i + 1) begin:STAGE
(*KEEP_HIERARCHY = "TRUE"*)
switch_2to2 SW (
.inT(netT[i]),
.inB(netB[i]),
.cT(cT[i]),
.cB(cB[i]),
.outT(netT[i+1]),
.outB(netB[i+1]) );
end
endgenerate
endmodule

127. Arbiter D 1 clk Arbiter Operation module arbiter (clk,din,dout);
input clk;
input din;
output reg dout;
clk) begin
dout <= din;
end
endmodule
clk D 1
Arbiter Operation

128. APUF Design
module apufClassic #(parameter nStage = 128)( clk, tigSignal, c,respReady,respBit);
input clk, tigSignal;
input [nStage-1:0] c; // Challenge for upper and lower paths
output respReady, respBit;
wire pathT;
wire pathB;
reg tigReg;
assign respReady = (pathT & pathB); // status of response
clk) // to reduce the bias in trigger signal
tigReg <= tigSignal;
// Chain of switches
(*KEEP_HIERARCHY = "TRUE"*)
switchChain #(.nStage(nStage) ) SWITCH_CHAIN(
.inT(tigReg),
.inB(tigReg),
.cT(c),
.cB(c),
.outT(pathT), // to arbiter
.outB(pathB) // to arbiter );
// Arbiter
arbiter A(
.din(pathT),
.clk(pathB),
.dout(respBit)
endmodule

129. Ideal Arbiter PUF Path-pair selected by a challenge should symmetric
Nominal delay difference should be 0
It is difficult to achieve in FPGA
But, we can reduce delay bias by manual placement of Switches and Arbiter

130. Placement of 128-bit APUF
INST "APUF/SWITCH_CHAIN/STAGE[0].SW/MUXU/Mmux_out11" BEL = A6LUT;
INST "APUF/SWITCH_CHAIN/STAGE[0].SW/MUXL/Mmux_out11" BEL = B6LUT;
INST "APUF/SWITCH_CHAIN/STAGE[0].SW/MUXU/Mmux_out11" LOC = SLICE_X2Y2;
INST "APUF/SWITCH_CHAIN/STAGE[0].SW/MUXL/Mmux_out11" LOC = SLICE_X2Y2;
INST "APUF/SWITCH_CHAIN/STAGE[1].SW/MUXU/Mmux_out11" BEL = A6LUT;
INST "APUF/SWITCH_CHAIN/STAGE[1].SW/MUXL/Mmux_out11" BEL = B6LUT;
INST "APUF/SWITCH_CHAIN/STAGE[1].SW/MUXU/Mmux_out11" LOC = SLICE_X2Y3;
INST "APUF/SWITCH_CHAIN/STAGE[1].SW/MUXL/Mmux_out11" LOC = SLICE_X2Y3;
INST "APUF/SWITCH_CHAIN/STAGE[127].SW/MUXU/Mmux_out11" BEL = A6LUT;
INST "APUF/SWITCH_CHAIN/STAGE[127].SW/MUXL/Mmux_out11" BEL = B6LUT;
INST "APUF/SWITCH_CHAIN/STAGE[127].SW/MUXU/Mmux_out11" LOC = SLICE_X2Y129;
INST "APUF/SWITCH_CHAIN/STAGE[127].SW/MUXL/Mmux_out11" LOC = SLICE_X2Y129;
INST "APUF/tigReg" BEL = AFF;
INST "APUF/tigReg" LOC = SLICE_X2Y1;
INST "APUF/tigSignal_inv1_INV_0" BEL = B6LUT;
INST "APUF/tigSignal_inv1_INV_0" LOC = SLICE_X3Y1;
INST "APUF/ARBITER/dout" BEL = BFF;
INST "APUF/ARBITER/dout" LOC = SLICE_X1Y130;
INST "APUF/respReady1" BEL = A6LUT;
INST "APUF/respReady1" LOC = SLICE_X1Y130;

131. Quality Metrics r2 r3 r1 r2 r3 r1 Uniqueness Reliability
PUF 1
PUF 3
PUF 2 C
Devices r2 r3 r1
PUF 1 C
Time r2 r3 r1
Uniformity: ratio of 0’s and 1’s in response

132. Thank You for Your Attention!