
Physically Unclonable Function: a Promising Security Primitive for Internet of Things

Debdeep Mukhopadhyay, Rajat Subhra Chakraborty, Phuong Ha Nguyen and Durga Prasad Sahoo

Secured Embedded Architecture Laboratory (SEAL)
Department of Computer Science and Engineering
Indian Institute of Technology Kharagpur
Kharagpur, West Bengal, INDIA – 721302
E-mail: {debdeep.mukhopadhyay,rschakraborty,phuongha.ntu,dpsahoo.cs}@gmail.com
An Overview
Definition of Internet of Things
(IoT)
 The term Internet of Things
was first used by Kevin
Ashton in 1999.
 Refers to uniquely
identifiable objects (things)
and their virtual
representations in an
Internet-like structure
IoT Applications
IoTs can revolutionize quality of life
[Figure: IoT application areas: Management, Education, Retail, Food, Logistics, Pharmaceuticals]
Applications of IoT: Indian Context
• Sensor technologies can monitor vulnerable environments and prevent or limit natural disasters.
• Nano-sensors can be used to monitor water quality at reduced cost
• Nano-membranes can assist in the treatment of waste-water.
• Food Control: Control geographical origin, Food production management, Nutrition calculations
• E-governance:
◦ Warehouse management
  - Inventory control
◦ Port management
  - ETAs, ETDs
  - Ships, boats, containers, etc.
• Pharmaceuticals:
◦ Intelligent tags for drugs
◦ Drug usage tracking, Pharmaceuticals: Product websites
◦ RFIDs can be used to track the origin of safe drugs thereby reducing counterfeits.
--> Enable the emergency treatment to be given faster and more correctly.
Security for IoT…
Source: Patrick Koeberl – Security Architect at Intel Labs, Intel Corporation, IDF14

Hardware Root of Trust
Just enough security for each end point
Source: Patrick Koeberl – Security Architect at Intel Labs, Intel Corporation, IDF14

Trustworthy Handling of large Number of Devices
Source: Patrick Koeberl – Security Architect at Intel Labs, Intel Corporation, IDF14
Trust in IoT
• 50 Billion Devices to be connected by 2020!
• Devices need to trust the owner and also each other.
• Devices connected through heterogeneous network, and are resource constrained.
Whom can you Trust?
• What do we know about the device?
◦ Is it running the correct software?
◦ Is it genuine?
• We need to guarantee:
◦ Integrity
◦ Privacy
◦ Quality
• IoT endpoints operate under resource constraints:
◦ CPU
◦ Memory
◦ Energy
◦ Communications
• Traditional Security features do not scale down!
◦ The Trusted Computing Base (TCB) must be as small as possible!
Trust is a major enabler for IoT
Are there more optimal solutions for the hardware root of trust?
PUF in the context of IoT
[Figure labels: Challenge; Response1, Response2, Response3]
• The responses have to be unpredictable.
• It should not be possible to model them using mathematical analysis.
• The responses should also be unique and independent.
• That is, knowledge of one response should not leak information about the others!
What is a PUF?
• Fingerprint of Devices
• A challenge-response mechanism in which the mapping between an applied input (“challenge”) and the corresponding observed output (“response”) is dependent on the complex and variable nature of a physical material
• The challenge-response mapping is unclonable (ideally) and instance-specific (depends on manufacturing process variations evident in ASICs)
[Figure: n-bit Challenge (C) → PUF → n-bit Response (R)]
An Example with a simple SR-Latch
[Figure: SR latch with input in and outputs y, y’]
• Make the input in=1: y=1, y’=1.
• Make the input in=0: both of the following states are possible (source of randomness!):
◦ y=1, y’=0
◦ y=0, y’=1
From Theory to Practice
• FPGAs are ideal for security implementations
◦ In-house and high-performance
◦ Programmability is an added feature
◦ But careful implementation is needed.

// Cross-coupled NAND latch written directly in terms of Q and Qbar
module SR(in, Q, Qbar);
  input in;
  output Q, Qbar;
  nand N1(Q, ~in, Qbar);
  nand N2(Qbar, ~in, Q);
endmodule

[Figure: synthesized circuit with input in, LUT1 and LUT2 (OR, AND), outputs Q and Qbar]
The non-determinism and hence the randomness is gone!
Another Attempt
module SR(in, Q, Qbar);
  input in;
  output Q, Qbar;
  // KEEP stops the synthesis tool from absorbing the feedback wires
  (* KEEP = "TRUE" *) wire w1, w2;
  nand N1(Q, ~in, w1);
  nand N2(Qbar, ~in, w2);
  assign w1 = Qbar;
  assign w2 = Q;
endmodule

[Figure: resulting circuit with input in, two OR gates, feedback wires w1 and w2, outputs Q and Qbar]
• This design has the non-determinism as expected!
• We can also design using NAND primitives.
The Silicon Space
• Mismatch in driving capabilities of the gates
• Difference in routing delays of the feedback path
◦ a Latch cell will give either 0 or 1 as output.
◦ Depends on the (x,y) position of the silicon area.
[Figure: 5 × 5 grid of latch cells at silicon positions (x1,y1) … (x25,y25); values of Q shown for the first row: 0 1 1 0 1]
ICISS 2011
Advantage PUF!!
World without PUF
• Trusted party embeds and tests secret keys in a secure non-volatile memory (NVM)
• EEPROM adds additional complexity to manufacturing
• Adversaries may physically extract secret key from non-volatile memory
World with PUF
• Intrinsic properties of the device are used to generate the secret key.
• Key never leaves the IC’s cryptographic boundary, nor is it stored in a non-volatile memory.
• Key is deleted after usage in de- or encryption process
PUFs for Identification
• Protect against ASIC substitution and counterfeits without using cryptographic operations
[Figure: challenge/response pairs of the PUF in authentic Device A are recorded; after the untrusted supply chain / environments, a recorded Challenge is applied to the PUF of the device in question ("Is this the authentic Device A?") and its Response’ is compared (=?) with the recorded Response]
Database for Device A:
Challenge   Response
1001010     010101
1011000     101101
0111001     000110
IC rejected if Response’ does not match the enrolled Response
An IoT Test-Bed
Typically comprises sensor nodes, microprocessors, embedded processors, network gateways, and finally the cloud.
RFID tag prototypes interfaced with an FPGA (like Nexys-2)
RFID reader acts as a translator from IPv6 to a tag-specific communication interface (IPv6 makes ubiquitous computing feasible by providing unique identifiers to all connected objects)
Threats from Model Building Attacks
Threats from machine learning algorithms: Attempt to develop a model from the observed Challenge-Response Pairs (CRPs)

Threats from Side Channel Attacks
[Figure: a terminal provides data input and power supply to an IC chip and receives data output (00111…); by measuring power consumption, the secret information (0 0 1 1 1) stored on IC chip memory is guessed]
Lightweight PUFs and PUF Composition
Layers of PUF
[Figure labels: Challenge, INPUT LAYER, Combiners, OUTPUT LAYER, Response; ML Attacker, Side Channel Attacker]
A Side Channel and Machine Learning Resistant Ideal PUF Composition.
Reference: Composite PUF: A new design paradigm for Physically Unclonable Functions on FPGA. IEEE HOST 2014: 50-55
iPUF design proposal is selected as finalist in “CyberSEED Hardware Challenge”, 2014 (http://www.csi.uconn.edu/cybersecurity-week)
Security Analysis for the IoT Testbed
[Figure labels: Side Channels in the IoT; Secured Implementation of ciphers; PUFs/ICs for ciphers; PUFs; leaked Information; Mallory]
Outline
• Part-I: PUF Fundamentals
◦ PUF Fundamentals
◦ Applications of PUF
• Part-II: Lightweight PUF Design
◦ Approach 1: Lightweight PUF Primitives
◦ Approach 2: Combining PUF Primitives and Crypto Primitives
◦ Approach 3: Combining PUF Primitives
• Part-III: Attacks and iPUF Design
◦ Machine Learning based Modeling Attacks
◦ Side Channel based Modeling Attacks
◦ Cryptanalysis
◦ iPUF: secure and lightweight PUF
• Part-IV: Authentication Protocols
◦ Reverse Fuzzy Extractor Protocol
◦ Slender PUF Protocols
Part I: PUF Fundamentals

Physically Unclonable Function (PUF)?
• Fingerprint of Devices
• A challenge-response mechanism in which the mapping between an applied input (“challenge”) and the corresponding observed output (“response”) is dependent on the complex and variable nature of a physical material
• The challenge-response mapping is unclonable (ideally) and instance-specific
[Figure: n-bit Challenge (C) → PUF → n-bit Response (R)]
PUF Properties
• Evaluatable: given PUF and x, it is easy to evaluate y = PUF(x).
• Unique: PUF(x) contains some information about the identity of the physical entity embedding PUF.
• Reproducible: y = PUF(x) is reproducible up to a small error.
• Unclonable: given PUF, it is hard to construct a procedure PUF’ such that $\mathrm{PUF}' \neq \mathrm{PUF}$ and $\forall x \in C:\ \mathrm{PUF}'(x) \approx \mathrm{PUF}(x)$ up to a small error.
• Unpredictable: given only a set $Q = \{(x_i,\ y_i = \mathrm{PUF}(x_i))\}$, it is hard to predict $y_c = \mathrm{PUF}(x_c)$ up to a small error, for $x_c$ a random challenge such that $(x_c, \cdot) \notin Q$.
• One-way: given only y and the corresponding PUF instance, it is hard to find x such that PUF(x) = y.
• Tamper-evident: altering the physical entity embedding PUF transforms PUF → PUF’ such that with high probability $\exists x \in C:\ \mathrm{PUF}(x) \neq \mathrm{PUF}'(x)$.
Quality Metrics for PUF
[Figure: Uniqueness: challenge C applied to PUF 1, PUF 2, PUF 3 (Devices) gives responses r1, r2, r3. Reliability: challenge C applied to PUF 1 three times (Time) gives responses r1, r2, r3]
• Uniformity: ratio of 0’s and 1’s in response
• Bit-dependency: autocorrelation coefficient of response
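The four metrics on this slide can be computed directly from response bit strings. The following is an added example, not code from the slides: the simulated device population, the 3% bit-flip noise and all function names are assumptions made for illustration.

```python
"""PUF quality metrics computed on constructed response data."""
import random
from itertools import combinations


def hamming(a, b):
    """Number of positions where two equal-length bit lists differ."""
    return sum(x != y for x, y in zip(a, b))


def uniformity(response):
    """Fraction of 1s in one response; 0.5 is the ideal."""
    return sum(response) / len(response)


def uniqueness(responses):
    """Mean pairwise inter-device Hamming distance, as a fraction of bits.

    `responses` holds one response per device, all to the same challenge.
    0.5 is the ideal: two devices disagree on half of the bits.
    """
    pairs = list(combinations(responses, 2))
    n_bits = len(responses[0])
    return sum(hamming(a, b) for a, b in pairs) / (len(pairs) * n_bits)


def reliability(reference, rereads):
    """1 minus the mean intra-device Hamming distance to the reference."""
    n_bits = len(reference)
    intra = sum(hamming(reference, r) for r in rereads)
    return 1.0 - intra / (len(rereads) * n_bits)


def autocorrelation(response, lag):
    """Autocorrelation coefficient of the response bits at the given lag.

    Values near 0 mean neighbouring bits look independent; values near
    +1 or -1 expose bit-dependency (for example a layout-induced pattern).
    """
    n = len(response)
    mean = sum(response) / n
    var = sum((b - mean) ** 2 for b in response)
    if var == 0:
        return 1.0  # constant response: every bit predicts every other
    cov = sum((response[i] - mean) * (response[i + lag] - mean)
              for i in range(n - lag))
    return cov / var


def simulate_population(n_devices, n_bits, noise, n_rereads, seed):
    """Constructed stand-in for measured data: a random reference response
    per device, plus re-reads where each bit flips with probability `noise`."""
    rng = random.Random(seed)
    population = []
    for _ in range(n_devices):
        ref = [rng.randint(0, 1) for _ in range(n_bits)]
        rereads = [[b ^ (rng.random() < noise) for b in ref]
                   for _ in range(n_rereads)]
        population.append((ref, rereads))
    return population


def report(population):
    """Average each metric over the whole device population."""
    refs = [ref for ref, _ in population]
    count = len(population)
    return {
        "uniformity": sum(uniformity(r) for r in refs) / count,
        "uniqueness": uniqueness(refs),
        "reliability": sum(reliability(ref, rr)
                           for ref, rr in population) / count,
        "autocorr_lag1": sum(autocorrelation(r, 1) for r in refs) / count,
    }


if __name__ == "__main__":
    sample = simulate_population(20, 128, 0.03, 10, seed=1)
    for name, value in report(sample).items():
        print(f"{name:14s} {value:+.3f}")
```

A strictly alternating response such as 0101… scores a perfect 0.5 on uniformity but an autocorrelation close to -1, which is why the slide lists bit-dependency as a separate metric.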
PUF Examples: Optical PUF
• Optical PUF was proposed by Pappu et al. with the original name “Physical One-Way Functions (POWFs)”
• Made of transparent optical medium containing bubbles. Shining a laser beam through the medium produces a speckle pattern (response) that depends on the exact position/direction of incoming beam

Silicon PUFs
• We are interested in PUF circuits, i.e. Silicon PUFs
• The dominant device for IC design is MOSFET
• Silicon PUFs utilize the unavoidable and unpredictable manufacturing process variation effects of modern deep-submicron MOSFET devices
• Usually, from CMOS circuit design perspective, process variation is a challenge, but is useful for PUF design
• Impact of process variation becomes more pronounced at advanced technology nodes
Source of Variations in MOSFETs
• Scaling in CMOS deep submicron process technology (< 100 nm channel length)
• Lack of efficiency in fabrication process
• Introduces variations in MOS device’s physical parameters:
◦ Gate length (L)
◦ Gate width (W)
◦ Threshold Voltage (Vth)
◦ Oxide thickness (tox)
CMOS scaling → Limitation in fabrication process → Variation in MOS device’s physical parameters → Variation in Circuit parameters (e.g., propagation delay, leakage current, etc) → Existence of randomness

Distinguishable Variations in CMOS Circuit Behavior
• Ring Oscillator Oscillating Frequency
[Figure: ring oscillator frequency plots for FPGA 1, FPGA 2, FPGA 3 and FPGA 4]
FPGA-specific behavior → FPGA fingerprint
Applications of PUF

33
Why are PUFs Important?
Security without PUF
• Trusted party embeds and tests secret keys in a secure location (NVM)
• EEPROM adds additional complexity to manufacturing
• Adversaries may physically extract secret key from non-volatile memory
Security with PUF
• Intrinsic properties of the device are used to generate the secret key.
• Key never leaves the IC’s cryptographic boundary, nor is it stored in a non-volatile memory.
• Key is deleted after usage in de- or encryption process
PUF in Use: Low-cost HW Authentication
• Protect against IC/FPGA substitution and counterfeits without using cryptographic operations
[Figure: challenge/response pairs of the PUF in authentic Device A are recorded; after the untrusted supply chain / environments, a recorded Challenge is applied to the PUF of the device in question ("Is this the authentic Device A?") and its Response’ is compared (=?) with the recorded Response]
Database for Device A:
Challenge   Response
1001010     010101
1011000     101101
0111001     000110
PUF in Use: Private/Public Key Pair Generation
[Figure labels: ECC + PUF, Seed, Key Generation, Private key, Public key]
• PUF response is used as a random seed to a private/public key generation algorithm
• No secret needs to be handled by a manufacturer
• A device generates a key pair on-chip, and outputs a public key
• The public key can be endorsed at any time
PUF in Use: PUF based Pseudo Random Function
• A randomized 3-round Luby-Rackoff cipher.
• Round functions are replaced by PUF instances.
• This is a keyless cipher.
[Armknecht et al., ASIACRYPT 2009]
Part-II: Lightweight PUF Design

38
Classification of PUF (1/3)
Based on entropy source:

 PUFs using explicitly-introduced randomness


 Optical PUF
 Coating PUF
 PUFs using intrinsic randomness
 Delay PUF
 SRAM PUF
 Butterfly PUF
 Bistable ring PUF
 Magnetic PUF
 Metal Based PUF

39
Classification of PUF (2/3)
Based on embedding device Physics:

 Optical PUF
 Coating PUF
 Silicon PUF
 Magnetic PUF
 Metal Based PUF
 Acoustic PUF

40
Classification of PUF (3/3)
Based on security of challenge-response behavior:
• Strong PUF
◦ It must have a very large challenge set, since otherwise the adversary can simply query all challenges and no unknown challenges are left, and
◦ it is infeasible to build an accurate model of the PUF based on observed challenge-response pairs (CRPs), or in other words the PUF is unpredictable.
• Weak PUF
◦ It has a small challenge-response set or
◦ it is easy to build an accurate model based on observed CRPs.
PUF Taxonomy
 Lightweight PUFs are composed of different
types of PUF building blocks

42
PUF Primitive 1: Arbiter PUF (APUF)
• Composed of n two-port switching stages, for an n-bit challenge size
• n-bit challenge => $2^n$ possible paths
• Unique path selected by a challenge
• Accumulated delay at the end of the path is compared by an arbiter circuit (usually, an edge-triggered D flip-flop)
• Arbiter gives 1-bit decision
• Advantages: Simple structure, low hardware overhead (each stage is two 2:1 MUXes)
• Disadvantage: susceptible to modeling attacks

PUF Primitive 2: Feed Forward Arbiter PUF
• It is possible to have a linear model for classical Arbiter PUF that results in easy modeling attack on it
• Feed Forward Arbiter is used to introduce non-linearity

PUF Primitive 3: Ring Oscillator PUF (ROPUF)
• An n-bit applied challenge selects two different ROs from a bank of $2^n$ ROs
• Process variation implies ROs have different oscillation frequencies
• Compare frequencies of two oscillators using counters
• Comparator gives decision
• Advantage: Difficult to model
• Disadvantage: Exponential hardware requirement

PUF Example 4: SRAM PUF
[Figure: SRAM PUF cell structure]
• Power-up initial value of SRAM cell can be used as response, cell address is the challenge
• SRAM fabrication compatible with digital logic process in regular ICs
• FPGA implementation of SRAM PUF is very difficult (since SRAM modules are cleared by default on power-up)
Approach 2: Combination of Crypto
Primitives and Insecure PUFs
 Controlled PUF – Hash PUF [Gassend et al. 2002 ]
 N-bit challenges, 1-bit response
 N-bit hash functions as input and output networks
 N Arbiter PUFs

47
Approach 2: Combination of Crypto
Primitives and Insecure PUFs (Contd.)

 Lightweight Secure PUF [Majzoobi et al. 2010]


 N-bit challenges, k-bit response
 Lightweight input and output networks

48
Approach 3: Combination of PUFs
 k-XOR PUF [Lee 2005]
 N-bit challenges, 1-bit response
 k Arbiter PUFs

49
Design 3: Combination of PUFs
(Contd.)
 Composite PUF [Sahoo et al. 2014]
 Multiple levels of PUF primitives are used
 N-bit challenges, 1-bit response

50
Part-III: Security Analysis,
secure and lightweight PUF-
iPUF

51
Security Evaluation of PUF
• Unclonability:
- Cannot be achieved using traditional cryptographic techniques
- Two types of unclonability:
  - Physical unclonability
    - A PUF is physically unclonable if a physical copy of the PUF with similar challenge/response behaviour cannot be made, even by the manufacturer (existential unclonability).
  - Mathematical unclonability
    - It is not possible to construct a mathematical approximator which can predict the response to an arbitrary challenge applied to a given PUF instance, with a large probability of success

• Unpredictability:
- Adversary can’t predict response of a new challenge from a known set of CRPs
PUF Attack Overview
[Figure: attack tree. Clone PUF: Mathematical Clone, Physical Clone; Contactless Probing, Mechanical Probing, Side channel Probing]
• Four paths leading to a PUF cloning attack
• Creating a physical clone of the PUF is considered infeasible
• The creation of a mathematical clone requires that the raw PUF response(s)
• Non-invasive attack methods using side channel analysis on the PUF
• Invasive attack involving mechanical probing of r’
• Attackers with access to contactless probing equipment can use a semi-invasive methodology to obtain the data of interest
PUF Attacks
Brute Force:
• Save every Challenge-Response Pair (CRP)
• Physical access to PUF is required

Replay Attack:
• Eavesdropping CRPs and playing them back

Modelling Attack (or Machine Learning Attack):
• Take advantage of the relationship between challenge and response
• Build a PUF model using Machine Learning (ML) methods:
- Support Vector Machine (SVM)
- Artificial Neural Network (ANN)
- Logistic Regression (LR)
- Evolution Computing
• Set of CRPs needed to train ML algorithm
Security Notion
• A PUF P with n-bit challenge and m-bit response is considered secure if it satisfies the following conditions:
◦ No algorithm can predict the response R produced by an arbitrary PUF instance for an arbitrary challenge with probability of success greater than $2^{-m}$
◦ No algorithm can predict the response R for an arbitrary challenge with high probability of success, with sub-exponential time and space complexity
◦ No algorithm can predict the response R for an arbitrary challenge with high probability of success, with sub-exponential data complexity. “Data” in this context is the challenge-response pair (CRP) database
Linear Delay Model of Arbiter PUF
[D. Lim, M.S. Thesis, MIT, 2002]

1  Ci 1 1  Ci 1
d top (i  1)  ( pi 1  d top (i ))  ( si 1  d bottom(i ))
2 2
1  Ci 1 1  Ci 1
d bottom(i  1)  (qi 1  d top (i ))  (ri 1  d bottom(i ))
2 2
where $C_i \in \{-1, 1\}$ denotes the challenge bit of the i-th stage
Linear Delay Model of Arbiter PUF
(contd.)

(n)  d top  d bottom

(i  1)  Ci 1(i)   i 1Ci 1  i 1


pn  q n  rn  sn
n 
2
pn  q n  rn  sn
n 
2
Linear Delay Model of Arbiter PUF
Let pk be the parity of challenge bits:
n
pi   Ci and pn  1
i  k 1

(n)  1 p0  ( 2  1 ) p2   ( n  n1 ) pn1  n pn


  P, D 
where P  ( p0 , p1 , , pn ) and D  (1 ,  2  1 , ,  n  n1 , n )
An Arbiter PUF is a linear classifier of random challenge vectors in
n-dimensional space, where n is the total number of challenge bits

Apply Support Vector Machine (SVM) using:


 Parity vectors X are n-dimensional feature vectors
 Constant vector d is the normal to the hyperplane that
classifies challenges into two classes
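The linear-classifier statement above, as an added simulation that is not part of the slides: a constructed 32-stage Arbiter PUF is fitted with logistic regression, once on raw challenge bits and once on parity vectors, which is the measurement a designer would run to see how quickly an exposed CRP interface becomes predictable. The Gaussian delay weights, the 0 → +1 / 1 → −1 bit mapping and every function name are assumptions of this example.

```python
"""Simulated n-stage Arbiter PUF and a logistic-regression model of it."""
import math
import random


def parity_features(challenge):
    """Map challenge bits (0/1) to the parity vector P = (p_0, ..., p_n).

    Each bit becomes C_i in {+1, -1} (0 -> +1, 1 -> -1, a convention
    chosen for this example); p_k is the product C_{k+1}..C_n, p_n = 1.
    """
    n = len(challenge)
    feats = [1.0] * (n + 1)
    prod = 1.0
    for k in range(n - 1, -1, -1):
        prod *= 1.0 - 2.0 * challenge[k]
        feats[k] = prod
    return feats


def raw_features(challenge):
    """Challenge bits as +/-1 plus a bias term, with no parity transform."""
    return [1.0 - 2.0 * b for b in challenge] + [1.0]


def make_apuf(n_stages, rng):
    """Constructed device: Gaussian delay weights standing in for the
    per-stage process variation (the vector D of the slide)."""
    return [rng.gauss(0.0, 1.0) for _ in range(n_stages + 1)]


def apuf_response(weights, challenge):
    """Arbiter decision: sign of the delay difference <P, D>."""
    delta = sum(w * p for w, p in zip(weights, parity_features(challenge)))
    return 1 if delta > 0 else 0


def collect_crps(weights, count, rng):
    """Query the simulated device with random challenges."""
    n = len(weights) - 1
    crps = []
    for _ in range(count):
        c = [rng.randint(0, 1) for _ in range(n)]
        crps.append((c, apuf_response(weights, c)))
    return crps


def train_logistic(crps, featurize, epochs=20, rate=0.05):
    """Plain stochastic-gradient logistic regression, standard library only."""
    data = [(featurize(c), r) for c, r in crps]
    model = [0.0] * len(data[0][0])
    for _ in range(epochs):
        for x, r in data:
            z = sum(m * xi for m, xi in zip(model, x))
            z = max(-30.0, min(30.0, z))          # keep exp() in range
            err = r - 1.0 / (1.0 + math.exp(-z))
            for i, xi in enumerate(x):
                model[i] += rate * err * xi
    return model


def accuracy(model, featurize, crps):
    """Fraction of CRPs whose response the model predicts correctly."""
    hits = 0
    for c, r in crps:
        z = sum(m * xi for m, xi in zip(model, featurize(c)))
        hits += (1 if z > 0 else 0) == r
    return hits / len(crps)


def evaluate_exposure(n_stages=32, n_train=1500, n_test=500, seed=7):
    """Return (accuracy with raw bits, accuracy with parity features) of a
    model trained on n_train observed CRPs and scored on unseen ones."""
    rng = random.Random(seed)
    device = make_apuf(n_stages, rng)
    train = collect_crps(device, n_train, rng)
    test = collect_crps(device, n_test, rng)
    raw = train_logistic(train, raw_features)
    par = train_logistic(train, parity_features)
    return (accuracy(raw, raw_features, test),
            accuracy(par, parity_features, test))


if __name__ == "__main__":
    raw_acc, parity_acc = evaluate_exposure()
    print(f"raw challenge bits : {raw_acc:.3f}")
    print(f"parity features    : {parity_acc:.3f}")
```

The gap between the two numbers is the point of the parity transform: the response is not a linear function of the challenge bits, but it is a linear function of their suffix parities.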
Reported Modeling Attack Results

Modeling Attacks by Machine Learning (Rührmair et al.)


Logistic Regression success rate
• Arbiter
 99.9% using 18K CRPs in 0.6 sec. (64 taps)
• XOR Arbiter
 99% using 12K CRPs in 3 min 42 secs (4 XOR, 64 taps).
• Lightweight Arbiters
 99% using 12K CRPs in 1 hour and 28 mins (4 XORs, 64
taps).
• Feed-forward Arbiters
 99% using 5K CRPs in 47 mins and 7 secs (7 FF, 64 taps).
Reported Modeling Attack Results
(contd.)
 [D. Lim, M.S. Thesis, MIT, 2002]
 Worked on computer simulation model of Arbiter PUF
 Claimed 100% modeling accuracy by applying SVM (PUF
size and training set size not mentioned)
 [Maes et al, IEEE WIFS’12]
 Silicon (ASIC) data
 ASIC fabricated in 65 nm CMOS technology
 64-bit Arbiter PUF
 500 CRPs as training set
 Claims ~90% prediction accuracy using SVM
 [CSE Dept., IIT-KGP]
 Silicon (FPGA Data)
 64-bit Arbiter PUF
 5000 CRPs as training set
 ~96% prediction accuracy using SVM
Side Channel Analysis
• Methodology
◦ Using the side channel information to get more knowledge of the internal performance of algorithms
◦ The information includes execution time, power consumption, electro-magnetic emission, etc.
• Side Channel Attack setup
Side Channel Analysis (contd.)
 Example

62
Side Channel Based Modeling Attack - Attack on LSPUF
• The attack is based on power analysis and machine learning based modeling attack
• The Lightweight Secure PUF is a case study
Attack on LSPUF (contd.)
 Power consumption is maximum

Attack on LSPUF (contd.)
 Power consumption is minimum

68
Attack on LSPUF (contd.)
 Power consumption is not minimum or maximum

Side Channel Based Modeling Attack - Attack on LSPUF (contd.)
• Power consumption which is not minimum or maximum is not useful
• Power consumption which is maximum or minimum is useful because the intermediate values (r0,r1,r2,r3,r4,r5) are exposed via the power traces, i.e., all 1’s or 0’s
• The adversary collects the set of challenges for which the power consumption is maximum or minimum
• For each APUFi a set of CRPs (Ci,ri) is collected, i.e. (Ci,1) (max) or (Ci,0) (min). A model of each APUFi can be built by using the machine learning modeling attack
• LSPUF is not secure against SCA-based ML

Side Channel Based Modeling Attack - Attack on k-XOR PUF
• The SCA-based ML does not work for k-XOR PUF
• All APUFi have the same set (C,0) or (C,1). Thus all the models are the same. This fact contradicts that all APUFi are different
Cryptanalysis
• Methodology
◦ Analyzing the structure to find the flaw. After that, applying some algorithms to develop an algorithm to predict the response of a given challenge in an efficient way
• Cryptanalysis-based Modeling Attack on LSPUF
• Cryptanalysis of Composite PUF

Cryptanalysis: LSPUF
Security notion: no algorithm predicting the response (R0, R1, …, R3) with accuracy larger than $2^{-4}$
Cryptanalysis: LSPUF (contd.)
Fact 1: APUF can be modeled if a set of CRPs is
provided

75
Cryptanalysis: LSPUF (contd.)
Fact 2: k-XOR PUF is secure against modeling
attack (ML) if k > 6

76
Cryptanalysis: LSPUF (contd.)
Flaw: The output network has a flaw

Cryptanalysis: LSPUF (contd.)
Flaw: The output network has a flaw. The number
of APUFs in Vi is only 2. Vi is known because Ri
and Ri+1 is known

Cryptanalysis: LSPUF (contd.)
Attack Steps:
1. From R0, R1, …, R(n-1) we can construct V0, V1, …, V(n-2)
2. Each Vi depends on only two rj and rk. So, we can model all (n-1) Vi by using ML
3. We need to make a guess on bit R0 and then combine that guess with all V0, …, V(n-2) to solve all response bits R1, …, R(n-1)
4. The accuracy of the attack is 1/2 instead of $2^{-m}$
Cryptanalysis: Composite PUF
Security notion: no algorithm predicting the response R with accuracy larger than 1/2

Cryptanalysis: Composite PUF (contd.)
1. The challenge space C is divided into 16 classes: CL0, …, CL15
2. All the challenges in the same class have the same response. CL0 => R0, …, CL15 => R15
3. Algorithms to build those classes and their corresponding responses
4. Algorithm to define the corresponding class for a given challenge C
Cryptanalysis: Composite PUF (contd.)
1: How to define a class?
2: How to define the number of classes?
3: How to determine the class where c belongs to?
4: How to determine R0?
Cryptanalysis: Defining a Class
We define a class based on the output of Level 1 or the input of Level 2
[Figure labels: Equal, Equal]

Cryptanalysis: Number of Classes
1. We define a class based on the output of Level 1 or the input of Level 2
2. The number of different values of output of Level 1 is the number of classes
3. Since we have 4 output bits of Level 1, there are $2^4 = 16$ classes: CL0, …, CL15
Cryptanalysis: Assumptions
• Assumption 1: For each space of sub-challenge Ci, we can divide it into two subsets S(i,0) and S(i,1) according to the output ri of PUFi. If two Ci and Ci’ belong to the same S(i,0) or S(i,1) then PUFi(Ci)=PUFi(Ci’)
• Assumption 2: we can construct all S(i,0)s and S(i,1)s; then we have 8 sets, i.e.,
1. S(0,0), S(0,1)
2. S(1,0), S(1,1)
3. S(2,0), S(2,1)
4. S(3,0), S(3,1)
Let i=(i0,i1,i2,i3); then we can define the class CLi, i=0,..,15, as the set of all challenges C=(C0,C1,C2,C3) such that
1. C0 in S(0,i0)
2. C1 in S(1,i1)
3. C2 in S(2,i2)
4. C3 in S(3,i3)

Cryptanalysis: Assumptions (contd.)
• Assumption 3: all S(i,0)s and S(i,1)s are constructed, i.e., S(0,0), S(0,1), S(1,0), S(1,1), S(2,0), S(2,1), S(3,0), S(3,1), and all 16 classes CL0, CL1, …, CL15 are defined based on those sets already.
Class determination: now, for a given challenge C=(C0,C1,C2,C3) we can determine the class CLi where C belongs as follows:
1. C0 in S(0,0) or S(0,1) => i0
2. C1 in S(1,0) or S(1,1) => i1
3. C2 in S(2,0) or S(2,1) => i2
4. C3 in S(3,0) or S(3,1) => i3
Then i=(i0,i1,i2,i3) is the class index.
Determination of response Ri of a class CLi: since all S(i,0) and S(i,1) are given and i=(i0,i1,i2,i3), build Ci=(C0, C1, C2, C3) where
1. Take one C0 in S(0,i0)
2. Take one C1 in S(1,i1)
3. Take one C2 in S(2,i2)
4. Take one C3 in S(3,i3)
Response Ri of CLi is := PUF(Ci).

Hence all the assumptions will be valid if we can construct an algorithm to construct all the sets S(0,0), S(0,1), …, S(3,0), S(3,1).
Cryptanalysis: S(0,0) and S(0,1)
• We show an algorithm to construct the sets S(0,0) and S(0,1) for PUF0 first
• Then all the remaining sets can be constructed in a similar way
• Definition of S(0,0) (or S(0,1)): this is the set of all sub-challenges C0 such that the outputs of PUF0 are the same

Cryptanalysis: S(0,0) and S(0,1) (contd.)
[Figure labels: Equal, Pr(R = R’) = 1; Not Equal, Pr(R = R’) = 1/2]
• If C and C’ belong to the same set, S(0,0), then for their responses Pr(R=R’) = 1
• If C and C’ belong to different sets, then for their responses Pr(R=R’) = 1/2
• We fix C0 and C0’, try K different values (C1, C2, C3):
1. If C and C’ belong to the same set, then Pr(R=R’) = 1
2. If C and C’ belong to different sets, then Pr(R=R’) = $1/2^K$
Thus if K is big, we can determine whether C and C’ belong to the same set or not with very high accuracy. This fact means that the sets S(0,0) and S(0,1) can be constructed by observing the response R.
When all S(i,0), S(i,1) are constructed, then all classes CLi are defined and their corresponding Ri can be determined.
Finally, a response of a given challenge C can be predicted with 100% accuracy
Summary for Lightweight PUFs

               Crypt. Attack  ML Attack  SCA-ML Attack  HW     Multiple outputs
APUF           Yes            No         No             Light  No
HASHPUF        Yes            Yes        Unknown        Heavy  Yes
LSPUF          No             No         No             Light  Yes
XORPUF         Yes            Yes        Yes            Light  No
Composite PUF  No             No         No             Light  Yes
iPUF: secure and lightweight PUF
As mentioned previously, all the existing lightweight and secure PUFs are not secure or not lightweight. Thus, a new PUF design is developed based on the cryptanalysis of composite PUF. The new design is called iPUF

iPUF: PUF qualities

iPUF: security analysis and design features
iPUF is proved to be:
1. secure against Cryptanalytic Attacks.
2. secure against Side Channel Attacks.
Moreover, iPUF is:
1. lightweight.
2. able to produce multiple outputs by modifying the structure.
Part IV:
PUF-based Authentication
Protocols

109
Protocols

We consider the following authentication


protocols:
1.Naïve authentication
2.Reverse Fuzzy Extractor Authentication
3.Slender PUF Protocol

110
Authentication Protocol
An authentication protocol is a process which allows two parties to authenticate each other.
The protocols are based on the following things:
1. What do you know: password, secret key
2. What do you have: token, identity card
3. Who are you: bio-authentication, your fingerprint etc.
Naïve Authentication

Limitations:
1. The bare CRPs are used.
2. If an adversary can collect the CRPs, then she can imitate a legal client.
Reverse Fuzzy Extractor Protocol
• The helper data concept is used.
• R is the reference response
• Helper data h=Gen(R).
• For a noisy response R’, we have R=Reprod(h,R’).
• Gen is not an expensive operation
• Reprod is an expensive operation
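Gen and Reprod as an added example (not code from the slides or from the cited protocol paper): a code-offset construction with a 5-fold repetition code is assumed here because the slides do not name the construction, and REFERENCE is a constructed response. With such a small code Reprod is cheap; with a stronger error-correcting code it is the decoding step that makes Reprod the expensive side.

```python
"""Code-offset helper data with a repetition code (illustrative choice)."""
import secrets

REP = 5  # each code bit is repeated REP times: corrects 2 flips per block


def gen(response):
    """Gen(R): mask a random repetition codeword with R, return helper h."""
    if len(response) % REP:
        raise ValueError("response length must be a multiple of REP")
    code_bits = [secrets.randbelow(2) for _ in range(len(response) // REP)]
    codeword = [b for b in code_bits for _ in range(REP)]
    return [r ^ c for r, c in zip(response, codeword)]


def reprod(helper, noisy):
    """Reprod(h, R'): decode h xor R' by majority vote, then unmask R."""
    if len(helper) != len(noisy):
        raise ValueError("helper data and response differ in length")
    shifted = [h ^ r for h, r in zip(helper, noisy)]  # codeword xor error
    decoded = []
    for i in range(0, len(shifted), REP):
        bit = 1 if sum(shifted[i:i + REP]) > REP // 2 else 0
        decoded.extend([bit] * REP)
    return [h ^ c for h, c in zip(helper, decoded)]


def flip(bits, positions):
    """Copy of `bits` with the given positions inverted (models noise)."""
    out = list(bits)
    for p in positions:
        out[p] ^= 1
    return out


# Constructed 20-bit reference response R (four blocks of REP bits).
REFERENCE = [1, 0, 1, 1, 0,  0, 0, 1, 0, 1,  1, 1, 1, 0, 0,  0, 1, 0, 0, 1]


def demo():
    """Return (recovered within capacity?, recovered beyond capacity?)."""
    h = gen(REFERENCE)
    within = flip(REFERENCE, [0, 3, 7, 19])  # at most 2 flips per block
    beyond = flip(REFERENCE, [0, 1, 2])      # 3 flips inside block 0
    return (reprod(h, within) == REFERENCE,
            reprod(h, beyond) == REFERENCE)


if __name__ == "__main__":
    ok_within, ok_beyond = demo()
    print("recovered within capacity:", ok_within)
    print("recovered beyond capacity:", ok_beyond)
```

The second case is the failure mode to plan for: once the noise in a block exceeds what the code corrects, Reprod returns a wrong R without any error indication, so the protocol layer has to detect the mismatch.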
Reverse Fuzzy Extractor Protocol
(contd.)

115
Slender PUF Protocol

 A model of weak PUF is made and


the host keeps it
 The information of CRP is hidden

116
Slender PUF Protocol (contd.)

117
Slender PUF Protocol

New contribution:
Instead of storing CRPs, we use a WEAK PUF
which we can model. However, the security of this
protocol is still not clear.

118
References
 Daihyun Lim. Extracting Secret Keys from Integrated Circuits. Master's
thesis,MIT, USA, 2004
 Ahmed Mahmoud, Ulrich Ruhrmair, Mehrdad Majzoobi, and Farinaz
Koushanfar. Combined Modeling and Side Channel Attacks on Strong
PUFs. IACR Cryptology ePrint Archive, 2013:632, 2013.
 Mehrdad Majzoobi, Farinaz Koushanfar, and Miodrag Potkonjak.
Lightweight secure PUFs. In Proc. of the 2008 IEEE/ACM International
Conference on Computer-Aided Design(ICCAD), pages 670{673,
Piscataway, NJ, USA, 2008. IEEE Press
 Stefan Mangard, Elisabeth Oswald, and Thomas Popp. Power analysis
attacks revealing the secrets of smart cards. Springer, 2007.
 Durga Prasad Sahoo, Phuong Ha Nguyen, Debdeep Mukhopadhyay,
and Rajat Subhra Chakraborty. A Case of Lighweight PUF
Constructions: Cryptanalysis and Machine Learning Attacks. 2014.
under submission.
 Durga Prasad Sahoo, Sayandeep Saha, Debdeep Mukhopadhyay,
Rajat Subhra Chakraborty, and Hitesh Kapoor. Composite PUF: A New
Design Paradigm for Physically Unclonable Functions on FPGA. In
IEEE International Symposium on Hardware-Oriented Security and
119
Trust (HOST), 2014.
References (contd.)
• Ulrich Ruhrmair, Frank Sehnke, Jan Solter, Gideon Dror, Srinivas Devadas, and Jurgen Schmidhuber. Modeling attacks on physical unclonable functions. In Proc. of 17th ACM Conference on Computer and Communications Security (CCS), pages 237–249, New York, NY, USA, 2010. ACM.
• A. Herrewege, S. Katzenbeisser, R. Maes, R. Peeters, A.-R. Sadeghi, I. Verbauwhede, and C. Wachsmann. Reverse fuzzy extractors: Enabling lightweight mutual authentication for PUF-enabled RFIDs. In Financial Cryptography and Data Security, volume 7397 of Lecture Notes in Computer Science, pages 374–389. Springer Berlin Heidelberg, 2012.
• M. Majzoobi, M. Rostami, F. Koushanfar, D. Wallach, and S. Devadas. Slender PUF protocol: A lightweight, robust, and secure authentication by substring matching. In Security and Privacy Workshops (SPW), 2012 IEEE Symposium on, pages 33–44, May 2012.
• Blaise Gassend, Dwaine Clarke, Marten van Dijk, and Srinivas Devadas. Controlled Physical Random Functions. In Proc. of 18th Annual Computer Security Applications Conference (ACSAC), page 149, Washington, DC, USA, 2002. IEEE Computer Society.
Part V:
Demonstration – Arbiter PUF
on Xilinx Artix-7 FPGA

PUF Lab Setup

Arbiter PUF

• Composed of n two-port switching stages for an n-bit challenge
• n-bit challenge => 2^n possible paths
• Unique path selected by a challenge
• Arbiter gives 1-bit decision
• Advantages: simple structure, low hardware overhead (each stage is built from two 2:1 MUXes)
Design Overview

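[Figure: block diagram of the design. Blocks: PC, and on the FPGA a PicoBlaze Microcontroller and the Arbiter PUF. Signal labels: "controls", "128-bit challenge", "challenge", "response", "response".]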

Switch Design
module switch_2to2 (inT, inB, cT, cB, outT, outB);

    input  inT;   // Upper input signal
    input  inB;   // Lower input signal
    input  cT;    // Control input of the upper MUX
    input  cB;    // Control input of the lower MUX
    output outT;  // Upper output signal
    output outB;  // Lower output signal

    // 2:1 MUX driving the upper output
    (*LOCK_PINS = "all"*)
    mux_21 MUXT(
        .ins({inB,inT}),
        .ctrls(cT),
        .out(outT)
    );

    // 2:1 MUX driving the lower output (inputs swapped relative to MUXT)
    (*LOCK_PINS = "all"*)
    mux_21 MUXB(
        .ins({inT,inB}),
        .ctrls(cB),
        .out(outB)
    );

endmodule
Parallel Paths
module switchChain #( parameter nStage = 16)( inT, inB, cT, cB, outT, outB );
    input inT, inB;
    input [nStage-1:0] cT, cB;
    output outT, outB;

    wire [nStage:0] netT;
    wire [nStage:0] netB;

    assign outT = netT[nStage]; // Output signal from upper and lower paths
    assign outB = netB[nStage];
    assign netT[0] = inT;       // Input trigger signal for puf
    assign netB[0] = inB;

    // Generate chain of switches
    genvar i;
    generate
        for(i = 0; i < nStage; i = i + 1) begin:STAGE
            (*KEEP_HIERARCHY = "TRUE"*)
            switch_2to2 SW (
                .inT(netT[i]),
                .inB(netB[i]),
                .cT(cT[i]),
                .cB(cB[i]),
                .outT(netT[i+1]),
                .outB(netB[i+1])
            );
        end
    endgenerate
endmodule

Arbiter
// Arbiter: a D flip-flop that samples din on the rising edge of clk
module arbiter (clk, din, dout);

    input clk;
    input din;
    output reg dout;

    always @(posedge clk) begin
        dout <= din;
    end

endmodule
[Figure: Arbiter Operation. Two timing diagrams of D and clk, one giving output 1 and the other giving output 0.]

APUF Design
module apufClassic #(parameter nStage = 128)( clk, tigSignal, c, respReady, respBit);
    input clk, tigSignal;
    input [nStage-1:0] c; // Challenge for upper and lower paths
    output respReady, respBit;

    wire pathT;
    wire pathB;
    reg tigReg;

    assign respReady = (pathT & pathB); // status of response

    always@(posedge clk) // to reduce the bias in trigger signal
        tigReg <= tigSignal;

    // Chain of switches
    (*KEEP_HIERARCHY = "TRUE"*)
    switchChain #(.nStage(nStage) ) SWITCH_CHAIN(
        .inT(tigReg),
        .inB(tigReg),
        .cT(c),
        .cB(c),
        .outT(pathT), // to arbiter
        .outB(pathB)  // to arbiter
    );

    // Arbiter
    arbiter A(
        .din(pathT),
        .clk(pathB),
        .dout(respBit)
    );

endmodule
Ideal Arbiter PUF

• The path pair selected by a challenge should be symmetric
• Nominal delay difference should be 0
• This is difficult to achieve in an FPGA
• But we can reduce the delay bias by manual placement of the switches and the arbiter

Placement of 128-bit APUF
INST "APUF/SWITCH_CHAIN/STAGE[0].SW/MUXU/Mmux_out11" BEL = A6LUT;
INST "APUF/SWITCH_CHAIN/STAGE[0].SW/MUXL/Mmux_out11" BEL = B6LUT;
INST "APUF/SWITCH_CHAIN/STAGE[0].SW/MUXU/Mmux_out11" LOC = SLICE_X2Y2;
INST "APUF/SWITCH_CHAIN/STAGE[0].SW/MUXL/Mmux_out11" LOC = SLICE_X2Y2;

INST "APUF/SWITCH_CHAIN/STAGE[1].SW/MUXU/Mmux_out11" BEL = A6LUT;
INST "APUF/SWITCH_CHAIN/STAGE[1].SW/MUXL/Mmux_out11" BEL = B6LUT;
INST "APUF/SWITCH_CHAIN/STAGE[1].SW/MUXU/Mmux_out11" LOC = SLICE_X2Y3;
INST "APUF/SWITCH_CHAIN/STAGE[1].SW/MUXL/Mmux_out11" LOC = SLICE_X2Y3;

INST "APUF/SWITCH_CHAIN/STAGE[127].SW/MUXU/Mmux_out11" BEL = A6LUT;
INST "APUF/SWITCH_CHAIN/STAGE[127].SW/MUXL/Mmux_out11" BEL = B6LUT;
INST "APUF/SWITCH_CHAIN/STAGE[127].SW/MUXU/Mmux_out11" LOC = SLICE_X2Y129;
INST "APUF/SWITCH_CHAIN/STAGE[127].SW/MUXL/Mmux_out11" LOC = SLICE_X2Y129;

INST "APUF/tigReg" BEL = AFF;
INST "APUF/tigReg" LOC = SLICE_X2Y1;

INST "APUF/tigSignal_inv1_INV_0" BEL = B6LUT;
INST "APUF/tigSignal_inv1_INV_0" LOC = SLICE_X3Y1;

INST "APUF/ARBITER/dout" BEL = BFF;
INST "APUF/ARBITER/dout" LOC = SLICE_X1Y130;

INST "APUF/respReady1" BEL = A6LUT;
INST "APUF/respReady1" LOC = SLICE_X1Y130;

Quality Metrics

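[Figure: two panels. Uniqueness: the same challenge C applied to different devices (PUF 1, PUF 2, PUF 3) gives responses r1, r2, r3. Reliability: the same challenge C applied to PUF 1 at different times gives responses r1, r2, r3.]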

• Uniformity: ratio of 0’s and 1’s in response
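As an added illustration (not code from the slides), the Python sketch below models the switch chain and arbiter from the Verilog above as a delay race and computes the three quality metrics on simulated devices. The Gaussian delay and noise parameters, the device and challenge counts, and all function names are assumptions chosen for the simulation.

```python
import random
from itertools import combinations

N_STAGES = 128  # challenge width of the APUF in the slides

def make_puf(rng, n=N_STAGES):
    # Per stage: (top straight, top crossed, bottom straight, bottom crossed)
    # delays. The Gaussian spread is an assumed stand-in for process variation.
    return [tuple(rng.gauss(10.0, 0.5) for _ in range(4)) for _ in range(n)]

def response(puf, challenge, rng=None, noise=0.0):
    # Race one edge down both paths; bit c=0 passes straight, c=1 crosses.
    t_top = t_bot = 0.0
    for (ts, tc, bs, bc), c in zip(puf, challenge):
        if noise:  # per-measurement jitter (assumed Gaussian)
            ts, tc, bs, bc = (d + rng.gauss(0.0, noise) for d in (ts, tc, bs, bc))
        t_top, t_bot = (t_bot + tc, t_top + bc) if c else (t_top + ts, t_bot + bs)
    # Arbiter: D flip-flop with din = top path, clk = bottom path.
    return 1 if t_top < t_bot else 0

def frac_hd(a, b):
    # Fractional Hamming distance between two equal-length response vectors.
    return sum(x != y for x, y in zip(a, b)) / len(a)

def evaluate(n_devices=3, n_challenges=500, n_repeats=5, noise=0.05, seed=1):
    rng = random.Random(seed)
    pufs = [make_puf(rng) for _ in range(n_devices)]
    chals = [[rng.randint(0, 1) for _ in range(N_STAGES)]
             for _ in range(n_challenges)]
    ref = [[response(p, c) for c in chals] for p in pufs]
    # Uniformity: fraction of 1s per device (ideal 0.5).
    uniformity = [sum(r) / len(r) for r in ref]
    # Uniqueness: mean pairwise distance between devices (ideal 0.5).
    pairs = list(combinations(ref, 2))
    uniqueness = sum(frac_hd(a, b) for a, b in pairs) / len(pairs)
    # Reliability: 1 - mean distance of noisy re-measurements of device 0
    # from its noise-free reference responses (ideal 1.0).
    noisy = [[response(pufs[0], c, rng, noise) for c in chals]
             for _ in range(n_repeats)]
    reliability = 1 - sum(frac_hd(ref[0], m) for m in noisy) / n_repeats
    return uniformity, uniqueness, reliability

if __name__ == "__main__":
    print(evaluate())
```

On real hardware the same three functions apply unchanged to response vectors collected through the PC interface; only `make_puf` and `response` are simulation stand-ins.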

Thank You for Your Attention!
