Lightweight and Machine Learning Attack Resistant Physical ...1372527/FULLTEXT01.pdf · DEGREE PROJECT IN INFORMATION AND COMMUNICATION TECHNOLOGY, SECOND CYCLE, 30 CREDITS STOCKHOLM

IN DEGREE PROJECT INFORMATION AND COMMUNICATION TECHNOLOGY,SECOND CYCLE, 30 CREDITS

, STOCKHOLM SWEDEN 2019

Lightweight and Machine Learning Attack Resistant Physical Unclonable Functions

OSKAR NÄSLUND

KTH ROYAL INSTITUTE OF TECHNOLOGYSCHOOL OF ELECTRICAL ENGINEERING AND COMPUTER SCIENCE

Lightweight and MachineLearning Attack Resistant

Physical Unclonable Functions

Oskar Näslund2019/11/04

This thesis project was carried outat the school of Electrical Engineering

and Computer Science at KTH in KistaStockholm, Sweden

Supervisor: Professor Mark SmithSchool of EECSKTH Royal Institute of Technology

Examiner: Professor Elena DubrovaSchool of EECSKTH Royal Institute of Technology

KTH Royal Institute of TechnologySchool of Electrical Engineering and Computer Science

Acknowledgement

I would like to thank Professor Elena Dubrova for her excellent guidance throughout the project,and for almost always being available. She should also be appropriately credited for the designspecific analysis included in chapter 5.1.1. Furthermore, I would like to thank Bernhard Degenand Anders Gawell for bringing excellent peers during the PyPyf projects. Finally, I would liketo thank Yang Yu and Kalle Ngo for their respective contribution of APUF placement on FPGAboards.

Abstract

More and more embedded devices such as smart home appliances are being connected to the Inter-net. Implementing lightweight security at a low cost thus becomes increasingly relevant to preventmalicious network entries using less protected devices. Physical Unclonable Functions (PUFs),and more specifically Arbiter Physical Unclonable Functions (APUFs), are cryptographic prim-itives that have looked promising for achieving the mentioned requirements. Unfortunately, theAPUF as well as many constructions based on it have either been shown weak to machine learningmodeling attacks or are not sufficiently lightweight to fit on small embedded devices. Throughoutthe thesis, software called PyPuf has been used to simulate APUFs. By implementing file pars-ing in PyPuf it is now possible to generate a software model of an APUF realized in hardware.This thesis explores methods of protecting the APUF from machine learning modeling attacks.Together with a team of researchers at KTH, Royal Institute of Technology in Stockholm, I pro-pose a lightweight PUF construction called the Cyclic Redundancy Check Physical UnclonableFunction (CRC-PUF), in which inputs are obfuscated using a technique based on a Cyclic Redun-dancy Check (CRC). By changing the CRC generator polynomial between input evaluations, theprobability of successfully recovering the obfuscated input is at most 2−86 for 128-bit inputs. Theoutput protection technique of combining multiple APUF chains was also explored by comparingXOR with majority vote.

Sammanfattning

Fler och fler inbyggda enheter så som smarta hushållsapparater ansluts till internet. Att imple-mentera hårdvarueffektiv säkerhet till ett lågt pris blir därför mer och mer relevant för att förhindraillvilliga nätverksintrång av mindre skyddade enheter. Physical Unclonable Functions (PUFs), ochmer specifikt Arbiter Physical Unclonable Functions (APUFs), är krypografiska primitiv som harsett lovande ut för att uppnå de nämnda kraven. Oturligt nog har APUF-konstruktionen, såväl som många andra konstruktioner som baseras på den antingen visats vara svaga mot model-leringsattacker baserade på maskininlärning, eller inte varit tillräckligt lättviktiga för att kunnaanvändas på små inbyggda enheter. Under projektet har mjukvaran PyPuf använts för att simuleraAPUFs. Genom att implementera filparsning i PyPuf är det nu möjligt att generera en mjukvaru-model av en APUF realiserad i hårdvara. Denna avhandling undersöker metoder att försvaraAPUF-konstruktionen mot modelleringsattacker baserade på maskininlärning. Tillsammans meden grupp av forskare på KTH, Kungliga Tekniska Högskolan i Stockholm, föreslår jag en lättvik-tig PUF-konstruktion som kallas Cyclic Redundancy Check Physical Unclonable Function (CRC-PUF), i vilken inmatningar döljs med hjälp av en teknik som är baserad på en Cyclic RedundancyCheck (CRC). Genom att ändra generatorpolynomet hos CRC mellan inmatningsutvärderingarså minskar sannolikheten att framgångsrikt utvinna inmatningen till som mest 2−86 för 128-bitarsinmatningar. Utmatningsskyddstekniken att kombinera flera APUF-kedjor var undersökt,genom att jämföra XOR med majoritetsomröstning.

Contents

Abstract i

Abstract in Swedish i

List of Figures v

List of Tables vi

Acronyms vii

1 Introduction 11.1 Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11.2 Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11.3 Purpose . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21.4 Goals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

1.4.1 Benefits, Ethics and Sustainability . . . . . . . . . . . . . . . . . . . . . . . 21.5 Methodology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21.6 Delimitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31.7 Outline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

2 Physical Unclonable Function 52.1 Challenges and Responses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52.2 Physical Unclonable Function Applications . . . . . . . . . . . . . . . . . . . . . . 5

2.2.1 Secret Key Storage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52.2.2 Device Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

2.3 Arbiter Physical Unclonable Function . . . . . . . . . . . . . . . . . . . . . . . . . 72.3.1 APUF Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102.3.2 The APUF Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

2.4 Modeling Attacks on APUFs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112.5 APUF Countermeasures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

2.5.1 Combiner Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122.5.1.1 XOR Combiner Function . . . . . . . . . . . . . . . . . . . . . . . 122.5.1.2 Majority Vote Combiner Function . . . . . . . . . . . . . . . . . . 13

2.5.2 Complex APUF Constructions . . . . . . . . . . . . . . . . . . . . . . . . . 142.5.2.1 The Interpose Physical Unclonable Function . . . . . . . . . . . . 142.5.2.2 The Ising Physical Unclonable Function . . . . . . . . . . . . . . . 14

iii

3 New Countermeasures 193.1 Challenge Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

3.1.1 Cyclic Redundancy Check . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193.1.2 Linear Feedback Shift Register . . . . . . . . . . . . . . . . . . . . . . . . . 203.1.3 Almost XOR-Universal Hash Functions . . . . . . . . . . . . . . . . . . . . 203.1.4 The CRC-PUF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

3.1.4.1 The Initialization Stage . . . . . . . . . . . . . . . . . . . . . . . . 213.1.4.2 The Evaluation Stage . . . . . . . . . . . . . . . . . . . . . . . . . 23

3.2 CRC-PUF Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233.3 Response Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243.4 Correlation Power Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

4 The PyPuf Project 274.1 PyPuf Simulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274.2 PyPuf Learner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284.3 PyPuf Modifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284.4 PyPuf File Parsing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284.5 PyPuf Majority Vote Combiner Function . . . . . . . . . . . . . . . . . . . . . . . 29

5 Evaluation 315.1 CRC-PUF Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

5.1.1 Design Specific Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315.1.1.1 Security Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . 315.1.1.2 Hardware Cost Analysis . . . . . . . . . . . . . . . . . . . . . . . . 32

5.1.2 Statistical Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335.1.2.1 Uniformity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335.1.2.2 Uniqueness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

5.2 Majority Vote Combiner Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . 35

6 Conclusion 376.1 Future Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

6.1.1 CRC-PUF Polynomial Generation and PyPuf Compatibility . . . . . . . . . 386.1.2 Side-Channel Analysis Hypothesis . . . . . . . . . . . . . . . . . . . . . . . 38

References 40

List of Figures

2.1 An n-bit Arbiter Physical Unclonable Function. . . . . . . . . . . . . . . . . . . . . 82.2 A switch block implementation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92.3 An arbiter implementation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92.4 A 2-bit Arbiter Physical Unclonable Function. . . . . . . . . . . . . . . . . . . . . . 102.5 An n-bit 2-XOR Arbiter Physical Unclonable Function. . . . . . . . . . . . . . . . 132.6 A 4-bit i = 1 (2, 3)-Interpose Physical Unclonable Function. . . . . . . . . . . . . . 152.7 An (X ∗ Y )-bit Ising Physical Unclonable Function. . . . . . . . . . . . . . . . . . 17

3.1 An 8-bit Linear Feedback Shift Register. . . . . . . . . . . . . . . . . . . . . . . . . 223.2 An n-bit re-configurable Linear Feedback Shift Register. . . . . . . . . . . . . . . . 223.3 An n-bit Cyclic Redundancy Check Physical Unclonable Function. . . . . . . . . . 23

5.1 Hamming Weight distribution and Uniformity. . . . . . . . . . . . . . . . . . . . . 345.2 Hamming Distance distribution and Uniqueness. . . . . . . . . . . . . . . . . . . . 355.3 XOR combiner learning accuracy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365.4 XOR- and majority vote combiner learning accuracies. . . . . . . . . . . . . . . . . 36

6.1 An n-bit Arbiter Physical Unclonable Function with power trace obfuscation. . . . 38

v

List of Tables

2.1 Truth table for a 2-bit Arbiter Physical Unclonable Function example. . . . . . . . 10

3.1 Linear Feedback Shift Register states for the Cyclic Redundancy Check PhysicalUnclonable Function example. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

3.2 NAND gates required to implement a k-input majority vote. . . . . . . . . . . . . . 25

5.1 Linear Feedback Shift Register state recovery probabilities. . . . . . . . . . . . . . 325.2 Area measurements of common gates. . . . . . . . . . . . . . . . . . . . . . . . . . 335.3 Area comparison of Arbiter Physical Unclonable Function based constructions. . . 335.4 Area comparison using NAND gate implemented majority vote. . . . . . . . . . . . 35

vi

Acronyms

APUF Arbiter Physical Unclonable Function.

CPA Correlation Power Analysis.

CRC Cyclic Redundancy Check.

CRC-PUF Cyclic Redundancy Check Physical Unclonable Function.

CRP Challenge Response Pair.

FPGA Field Programmable Gate Array.

GE Gate Equivalent.

HD Hamming Distance.

HW Hamming Weight.

IC Integrated Circuit.

Interpose PUF Interpose Physical Unclonable Function.

Ising PUF Ising Physical Unclonable Function.

LFSR Linear Feedback Shift Register.

LR Logistic Regression.

LTF Linear Threshold Function.

ML Machine Learning.

MV APUF Majority Vote Arbiter Physical Unclonable Function.

PUF Physical Unclonable Function.

PyPuf Python Physical Unclonable Function.

SCA Side-Channel Analysis.

XOR APUF XOR Arbiter Physical Unclonable Function.

vii

1 | Introduction

A Physical Unclonable Function (PUF) is a cryptographic primitive that has been a subject of alot of research over the recent years. A PUF is a circuit that generates a random but consistentunique signature, depending on its physical characteristics. PUFs are impossible to clone due tomanufacturing process variations that cannot be controlled. A PUF can be placed on an IntegratedCircuit (IC), and be used as part of a device authentication protocol. Metaphorically speaking, itcan act as a digital fingerprint for the IC it is placed on.

1.1 Background"A chain is only as strong as its weakest link" is a fitting proverb in times when a refrigerator hasbeen confirmed involved in a botnet sending spam emails [1]. As interest develops for the Internetof Things, more and more embedded devices such as smart home appliances are being connectedto the Internet. Implementing lightweight security at a low cost thus becomes an increasinglyrelevant topic, to prevent malicious network entries using less protected devices.

Due to their low production cost, lightweight device authentication, and tamper-resistant keystorage PUFs are a possible solution to this problem. The Arbiter Physical Unclonable Function(APUF) is a lightweight, strong, modelable delay-based PUF construction that has been subjectto research over the recent years. Being modelable means that an authenticating instance cancreate a software model of the APUF upon creation, which simplifies authentication. The APUFis not flawless, however, as the modelability also has its security implications. Several MachineLearning (ML) modeling attacks have proven to be a significant threat, both to the default APUFdesign, but also to more complex designs implementing countermeasures to stop the attacks, asattack methods are being refined. Examples of designs based on the APUF that are implementingcountermeasures to ML attacks are the k-XOR APUF introduced by Lim et al. (2005) [2], theInterpose PUF introduced by Nguyen et al. (2018) [3], and the Ising PUF introduced by Awanoand Sato (2018) [4].

1.2 ProblemsThe countermeasures that are mentioned in section 1.1 are large compared to the default APUF,which is shown in section 5.1.1.2. Maintaining the lightweight characteristic similar to that ofthe APUF, while also protecting against ML attacks could be advantageous for small embeddeddevices such as sensors and identification tags. Are there unexplored, more lightweight means ofprotecting the APUF from ML attacks compared to existing countermeasures?

Another possible threat to the APUF is Side-Channel Analysis (SCA). SCA is a collectionname for non-invasive physical attacks that, instead of breaking a cryptographic algorithm itself,

1

targets the weakness of its hardware implementation. The purpose of the attacks is usually toextract a secret key, which can then be used to easily decrypt confidential messages. CorrelationPower Analysis (CPA) is a branch of SCA that exploits that different operands consume differentamounts of power. Can SCA break the default APUF design and if so, are there a lightweightcountermeasures against such attacks?

1.3 Purpose

The purpose of the thesis project is to investigate existing methods, and then suggest new lightweightones of protecting the APUF from the threats of ML modeling attacks and SCA.

1.4 Goals

The first goal is to find a way of creating software models of PUFs implemented in hardware.The second goal is to explore new lightweight countermeasures that protect the APUF from MLattacks.

1.4.1 Benefits, Ethics and SustainabilityThe cryptography subject is always controversial to some extent. The author has explored methodsthat can potentially allow illegal access to intellectual property, sensitive data, or otherwise personalinformation. It is, however, important to consider that successful attacks lead to vulnerabilityawareness and countermeasures which, in turn, can lead to modifications that future encryptionstronger. One historical example of this is how the secure hash function SHA-1 was proven to beweaker than expected. As of 2014, Google announced that they would phase it out in favor ofothers for certificate signatures in HTTPS [5]. Furthermore, the work is mainly focused on APUFsimulations using software called PyPuf. Performing simulations is a sustainable way of exploringa topic prone to changes in the near future.

1.5 Methodology

This thesis project is of quantitative character with a positivism assumption. By testing theories ina deductive approach a phenomenon can be evinced or dismissed, eventually leading to verification,or falsification of the hypotheses, being that:

• There are unexplored, more lightweight means of protecting the APUF from ML attackscompared to existing countermeasures.

• SCA can break the default APUF design but there are lightweight countermeasures againstsuch attacks.

An experimental strategy fits the problem, where large amounts of collected data can be analyzedstatistically to evaluate the significance of the results. A new APUF construction implementingsuggested countermeasures can be evaluated using statistical PUF metrics, reliability, and bystudying relationships between training data amount and modeling accuracy.

Page 2

1.6 DelimitationsWhile there are many different PUF designs, this project focuses on the Arbiter Physical Unclon-able Functions (APUFs), and to mitigate their vulnerability to Logistic Regression (LR), a MLattack method. Furthermore the report deals with one of many PUF applications, namely deviceauthentication.

1.7 OutlineChapter 2 provides the theoretical background for the report, with a focus on PUFs. It describeswhat a PUF is, what PUFs can be used for, and describes a few relevant existing PUF designs.Chapter 3 suggests new countermeasures to protect the APUF. Chapter 4 elaborates on the detailsof the simulation software PyPuf and then clarifies how and why PyPuf was modified. Chapter 5presents statistical, and design specific analyzes to support claims regarding the theoretical perfor-mance of the CRC-PUF. It also includes a comparison between the combiner functions XOR andmajority vote based on modifications made to PyPuf. Chapter 6 describes the conclusions, reflectson the introduction and evaluation chapters, and suggests future work.

Page 3

2 | Physical Unclonable Function

A Physical Unclonable Function (PUF) is a physical entity realized in a physical device, for exam-ple, an integrated circuit. A PUF exploits manufacturing process variation to produce a responsethat is easy to compute for someone possessing the PUF, but very difficult to predict by anyoneelse.

When the physical components of a circuit are created, their characteristics will always differat least slightly from the specification. For wires, these characteristics include, but are not limitedto: length, thickness, and material impurities. No component is ideal or identical to another, andsince process variations cannot be controlled it is impossible to create a hardware clone of a PUF.While two PUFs can have similar, or even identical properties, which first off is extremely unlikely,it is impossible to purposely replicate a hardware PUF that way.

2.1 Challenges and ResponsesDuring manufacturing, each PUF of identical design acquires individual properties, and whilePUFs could generate the same signature, in theory, the probability is extremely low. PUFs canbe seen as very large truth tables, where the number of entries depends on the number of inputsof the PUF. Two PUFs are effectively interchangeable if and only if their respective truth tablesare identical. The number of entries e as a function of number of inputs n is exponential e = 2n.Providing two PUFs with low bias and statistical properties that are discussed later in this chapter,the probability of acquiring two PUFs with identical truth tables is approximately 1

22n .Within the context, input vectors are called challenges and output vectors are called responses.

Sets of challenges and responses naturally occur together, and are commonly referred to as aChallenge Response Pairs (CRPs). PUFs are typically classified as weak or strong, depending onhow challenges can be applied to them. A weak PUF no challenge, while a strong PUF can acceptup to all 2n challenges of length n bits.

2.2 Physical Unclonable Function ApplicationsPUFs have several applications. This report will initially touch on how PUFs can be used as ameans of storing secret keys, and then introduce and focus mainly on the concept of using APUFsfor device authentication

2.2.1 Secret Key StorageBefore diving into the importance of secret keys themselves, it is a good idea to have generalknowledge of why they emerged in the field. In the 19:th century, Auguste Kerckhoffs stated

5

that "a cryptosystem should be secure even if everything about the system, except the secretkey, is public knowledge". His words can sound counterintuitive at first and most likely wereat the time they were spoken. Today this theory is widely accepted and goes under the nameKerckhoffs’s Principle. Before this principle, the theory of Security through Obscurity was morecommon knowledge. But how can it be beneficial to reveal the details of the algorithm to anyoneother than the receiver?

• Two heads are better than oneIt is extremely difficult to construct a secure encryption algorithm. Revealing the detailsof the algorithm allow other knowledgeable cryptographers to attempt finding possible fun-damental flaws. If this causes the algorithm to be broken, it is at least proven to be aninsecure algorithm, but it can also possibly address a problem that can be prevented in afuture design. However, if the algorithm is not broken after a considerable amount of time,it might be a good implementation. It is easy to understand how the process of algorithmevaluation becomes a more difficult task for a group keeping a secret, which would be thecase for a designer of a secret algorithm.

• The human factorKeeping a secret is not a trivial task. If the security of an algorithm is achieved throughobscurity, the algorithm can be completely compromised if information is leaked in any form.Secret details of an algorithm are vulnerable regardless of being implemented in software orhardware. The former to debuggers, and the latter to physical attacks such as micro-probing,and decapsulation. If a secret key is leaked, it does not affect the algorithm.

Intrinsic-ID published a white paper called "PUF: the secure silicon fingerprint" [6] that describestheir patented SRAM PUF. The SRAM PUF is an example of a weak PUF, but remember thisdoes not imply poor performance. Assuming that SRAM is uninitialized, the cell state pattern ofeach SRAM upon startup is random but consistent. The SRAM cell state can be interpreted as aBoolean number, that appears when the SRAM is powered on but is hidden otherwise. Considera board that uses this Boolean number as a secret key for encryption. The secret key can then bere-generated and erased on demand, giving the SRAM PUF an advantage compared to techniquesthat rely on permanently imprinting the secret key on the device [7].

Some traditional secret keys storage methods are: fuses, flash, electrically erasableprogrammable read-only memory (EEPROM), and battery supported SRAM. These methods arenot without weaknesses, however. Fuses are difficult or impossible to update or erase, and thevolatile memory-based approaches have been shown to struggle with data remanence, meaning thatresiduals of data may remain after erasure [8]. Cooling volatile memory increase data remanencesignificantly, allowing recovery of otherwise erased data.

2.2.2 Device AuthenticationOut of the suggested applications of PUFs, the main focus of this project lies in device authen-tication, as mentioned in section 1.6. Devices in this context, are semiconductor devices, such asmicroprocessors. Authentication is the process of proving authenticity, meaning that the device inquestion is the right device. When a device is being authenticated, it is typically challenged with128 challenges, and to prove its authenticity, it must produce responses that correspond to theprovided challenges. This is similar to how Message Authentication Code works in a lot of devicestoday. Message Authentication Code is a widespread technology that consists of information con-catenated to a message, the purpose of which is to prove integrity and authenticity, meaning thatthe message content was not altered and that the sender is who they say they are.

Page 6

To use an APUF for a device authentication protocol, at least a subset of its CRPs must be knownby an authenticating instance. Two methods of achieving this are:

1. Several CRPs are measured and stored on a server.

2. A learned model of the specific PUF is stored on a server.

The strength of the former is that as long as the PUFs physical properties remain stable, themeasured CRPs will be very accurate. This is further elaborated on in section 2.3. The methoddoes, however, have an issue having to do with the number of stored CRPs. As the numberincreases, so does the required server storage space, but if the number is too low, however, theauthenticating instance will quickly run out of ones that have not previously been used. Keep inmind that this protocol is supposed to work in an untrusted environment. An attacker that iseavesdropping on the line, can store CRPs that are used. If the authenticating instance reusesCRPs, the same attacker can use the acquired CRPs to have their unauthentic device accepted.The latter will be further discussed after introducing the modelability of PUFs in section 2.4.Compared to the former, the problem with the latter is how to prevent an attacker from creatingtheir PUF model, rather than exhausting secure CRPs.

To securely authenticate a device a single challenge is far from enough. But while the secu-rity increases with the amount of challenges to evaluate, so does necessary data transmission ifchallenges are sent one by one. A common approach is therefore to transmit a single so-calledseed challenge, that is expanded into 128 challenges on-chip using a Linear Feedback Shift Reg-ister (LFSR). Some examples of this can be seen in the work of Yu, Dubrova, Näslund, and Tao(2018) [9]. Sections 3.1 and 5.1.1.2 goes into further detail of this concept, as it plays an importantrole in a method of protecting the input of a PUF construction that is introduced later.

2.3 Arbiter Physical Unclonable FunctionThe APUF is one of several strong PUF constructions. APUFs are delay-based silicon PUFs oftype {0, 1}n → {0, 1}. n challenge bits are thus evaluated to a single response bit. A block diagramof a n-bit APUF (later referenced as an APUF chain), meaning that challenges each contain n-bits,can be seen in Figure 2.1. Two identical pulses are simultaneously sent through the two symmetricpaths A marked green, and B marked purple. The pulses race towards the blue arbiter at theend of the chain, but due to the physical properties of each wire segment, it is difficult to knowwhich pulse will arrive first. The purpose of the arbiter is to determine which of the two paths wasquicker, and convey the result by outputting 0 or 1 accordingly, which is the APUF’s response r.Onthe way they pass through several orange switch blocks. Each switch block has one straight-wire-and one crossed-wire configuration. Which configuration is selected inside the i:th switch blockdepends on the value of the i:th challenge bit ci. If ci is 0, the straight-wire configuration is chosen,otherwise ci is 1 meaning that the crossed-wire configuration is chosen instead. Regardless of howmany times the paths are crossed, A is always the path leading to the arbiter’s upper input, andB is always the path leading to the arbiter’s lower input. A switch block can be implementedusing two multiplexers, which is shown in Figure 2.2. An arbiter can be implemented using a singleD-type flip-flop, by feeding path A into the data input D and path B into the enable input E,which is shown in Figure 2.3. When the rising edge of the pulse traversing path B arrives at E,the flip-flop’s output Q takes on the value of D. If the rising edge of path A arrives before that ofB, Q becomes 1 shortly after the rising edge of path B enables the flip-flop. If the rising edge ofpath B arrives before that of A, the flip-flop is enabled and Q is updated to the value of D, whichis 0.

Page 7

Mathematically, the APUF function f can be described by Equation 2.1, where sign is defined assign(x) = 1 if x ≥ 0 and sgn(x) = 0 otherwise, and ∆(C) is the delay difference of paths A and Bfor the challenge C

f(C) = sign(∆(C)) (2.1)

Arbiter

A

B

r = {0,1}

c1 = 0 c2 = 1 cn-1 = 1 cn = 0

Figure 2.1: Block diagram of an n-bit APUF evaluating the challenge C = {0, 1, ..., 1, 0}. PathA, leading to the arbiter’s upper input, is marked green and path B, leading to the arbiter’s lowerinput, is marked purple.

Page 8

AA

BB

cn = 0

1

1

0

0

A

A

B

B

cn = 1

1

1

0

0

Figure 2.2: Block diagramshowing how switch blockscan be implemented usingtwo multiplexers. The twoswitch blocks are respondingto the challenge bit values 0and 1, respectively.

Arbiter

A

B

1

0

Time

Vol

tage

Time

Vol

tage

Arbiter

A

B

0

1

Time

Vol

tage

TimeV

olta

ge

Figure 2.3: Block diagram showing how arbiters can beimplemented using one D-type flip-flop. The two arbitersare responding to the scenarios B < A, and A < B,respectively. When the rising edge of path B arrives Qbecomes the present value in D. The upper arbiter showsthe case when B arrives before A, (B < A). The lowerarbiter shows the case when A arrives before B, (A < B).

Page 9

2.3.1 APUF Example

Consider a single chain 2-bit APUF, shown in Figure 2.4. Provided connection delays d01 throughd24 we can calculate its corresponding truth table by comparing the sum of delays of each path.Let us thus assume that connection delays have the following values1:

d11 = 1.120 ns d12 = 0.977 ns d13 = 1.030 ns d14 = 0.820 nsd21 = 1.030 ns d22 = 1.100 ns d23 = 1.180 ns d24 = 1.010 ns

r = {0,1}

c1

Arbiter

Ad11

d12

d13

d14

d21

B

d22

d23

d24

c2

Figure 2.4: A 2-bit APUF with challenge C = c1, c2 and response r.

The delays of paths A and B can then be calculated for every challenge C = [c1, c2]. In accordancewith the theory presented in section 2.3, the expected APUF response r is then given by theinequality (A < B), which is presented in Table 2.1.

Table 2.1: Truth table for the APUF in Figure 2.4, according to the assumedconnection delays.

C c1 c2 Path A Path B A < B r0 0 0 d11 + d21 = 2.150 ns d12 + d22 = 2.077 ns False 01 0 1 d12 + d24 = 1.987 ns d11 + d23 = 2.300 ns True 12 1 0 d14 + d21 = 1.850 ns d13 + d22 = 2.130 ns True 13 1 1 d13 + d24 = 2.040 ns d13 + d22 = 2.000 ns False 0

An n-bit APUF can implement any n input boolean function, depending on how its connectiondelay values are distributed. This APUF example incidentally implements the two input XOR-function, but note that APUFs typically have much larger n values. This is merely a learningexample to further explain the concept of APUFs.

1The values each have three significant figures, and are pseudo randomly generated according to a Gaussiandistribution with mean µ = 1 and standard deviation σ = 0.1.

Page 10

2.3.2 The APUF ModelIn addition to being classified as weak or strong, PUFs can be divided into modelable PUFs andnon-modelable PUFs. Being modelable means that there exists a model which description size isconsiderably smaller than the size of the function implemented by the PUF [10]. Equation 2.2shows a linear additive delay model for the delay difference between paths A and B that is of sizen+ 1 modeling an n-input APUF.

∆(C) =n+1∑i=1

wiΦi(C) = 〈w,Φ(C)〉 (2.2)

where wi are elements of the delay vector w, defined according to Equation 2.3, and Φi are elementsof the parity vector Φ, defined according to Equation 2.4.

wi

= δ0,i − δ1,i, for i = 1= δ0,i−1 + δ1,i−1 + δ0,i − δ1,i, for 2 ≤ i ≤ n= δ0,i + δ1,i, for i = n+ 1

(2.3)

δci,i is the time difference between the two active connection delays of switch block i when beingchallenged by ci. Consider the 2-bit APUF in Figure 2.4. When challenge bits c1 = 0 and c2 = 1the straight-wire configuration is selected for switch block 1, and the crossed-wire configuration isselected for switch block 2. Thus the time difference between the two active connection delays inthe switch blocks are δc1,1 = ∆(d11, d12) and δc2,2 = ∆(d23, d24).

Φi

=

n∑j=i

(1− 2cj), for 1 ≤ i ≤ n

= 1, for i = n+ 1(2.4)

where cj is the j:th challenge bit in the challenge C. Important to note is that cj uses a notationof cj ∈ {1,−1} here, something that is further discussed in section 4.1.

2.4 Modeling Attacks on APUFsOne strength of PUFs that is suggested in their name is unclonability. It should be physicallyimpossible to purposely replicate a PUF. It should also be difficult to figure out a PUF’s responsefor anyone else than its owner. With sufficient information on how a modelable PUF instancebehaves it is, however, possible to create a model of it. An accurate model can then be used togenerate responses for any challenge. The APUF modelable, thus vulnerable to modeling attacks.Modeling attacks can be categorized as Classical ML Modeling Attacks, or Reliability-Based MLModeling Attacks.

Classical ML Modeling Attacks on APUFs were introduced by Lim et al. (2005) when 64-bitAPUFs were shown modelable using the supervised learning model Support-Vector Machine [2].Since then both the default-, and the k-XOR APUFs have been shown modelable using LR, forconstructions when k is low enough. First for k ≤ 5 by Rührmair et al. (2010) [11], then later fork ≤ 7 and k ≤ 9 by Tobisch and Becker (2015) [12], for challenges of sizes 128-bits 64-bits respec-tively. The k-XOR APUF is described further in section 2.5.1, and LR is a supervised classificationmachine learning algorithm that uses labeled data to perform gradient based optimization. In thiscontext labeled data refer to challenges for which the correct response is known, CRPs, which areused to train the model thus improving the model weights. LR excels at binary classification,

Page 11

meaning that provided input variables, it is good at determining an output that can only assumetwo different values.

Reliability-Based Modeling Attacks on APUFs were introduced by Delvaux and Verbauwhede(2013) when APUFs were shown modelable without using an ML algorithm [13]. Reliability-Based ML Modeling Attacks was introduced when Becker and Kumar (2014) adopted the previousidea and proposed a fault attack based on machine learning [14]. In contrast to Classical MLModeling Attacks, Reliability-Based ML Modeling Attacks works by applying the same challengeover and over. The objective of the latter is to repeatedly measure the reliability of the APUFand draw conclusions of the characteristics of the APUF instance. This is possible due to theproportionality between reliability and the delay difference between paths A and B. Exposure toextreme external conditions such as temperature can cause an APUF to produce unreliable results,thus exacerbating the weakness to the attack. The method was refined by Becker (2015) when itwas made compatible with the k-XOR APUF by adding a divide-and-conquer strategy [15]. Usingthis technique attacking a k-XOR APUF is possible without exposure to heat or other externalfactors.

2.5 APUF CountermeasuresOver the years various countermeasures have been suggested mainly to prevent ML modelingattacks.

2.5.1 Combiner FunctionsTo increase the complexity of an APUF Lim et al. (2005) suggested a countermeasure that combinesk parallel APUF chains, called the k-XOR APUF. Each of the k APUF chains evaluates the samechallenge but will, produce a response according to the APUF chain’s unique response pattern.The k responses are called a set of responses, and are then combined into a single bit using aboolean function. That is, a function f mapping a binary vector of length k into a single binaryvalue f : {0, 1}k → {0, 1}.

While any boolean function could be used to accomplish the combining, not all choices wouldresult in a great combiner. It is a good idea to choose a function that produces ones and zeroesequally often to avoid bias. An example of a very biased, and therefore bad combiner function isAND. The operation output of AND is one if and only if all of its inputs are ones as well. If ANDwas implemented as a combiner function in an APUF with k chains, the ratio of zeroes to oneswould be (2k − 1) : 1.

2.5.1.1 XOR Combiner Function

The most prevalent unbiased combiner function is the parity function XOR. The operation outputof XOR is one if there are an odd number of ones as input, and zero otherwise. Using a notationof one for true, and zero for false, the operator realizes the expression in Equation 4.1. Where ri

is the i:th response bit of the response set R, % the modulo operator, and k being the amount ofPUF chains, thus also the number of responses in a response set.

XOR(R) = (k∑

i=1ri)%2 (2.5)

The XOR combiner function can be applied to any amount of PUF chains k, regardless of it beingeven or odd, and its output is furthermore always affected by each bit in the set of response bits.A block diagram of an n-bit 2-XOR APUF is shown in Figure 2.5.

Page 12

r = {0,1}

c2c1 cn-1 cn

Arbiter 2

Arbiter 1

Figure 2.5: A block diagram of an n-bit 2-XOR APUF. For each challenge, the two arbiter chainsgenerate an individual response bit, the two response bits are then combined using the XORfunction.

2.5.1.2 Majority Vote Combiner Function

Another function that might be a combiner candidate is majority vote. The operation output ofmajority vote is one if the input contains more ones than zeroes, and false otherwise. Using anotation of one for true, and zero for false, the operator realizes the expression in Equation 2.6.Where ri is the i:th response bit of the response set R, and k being the amount of PUF chains,thus also the number of responses in a response set.

MV (R) =⌊∑k

i=1 ri

k

⌋(2.6)

Majority voting serves an important purpose for Triple Modular Redundancy, a fault tolerancetechnique used extensively in safety-critical systems. By having redundant similar2 logic gates orcircuits in this fashion, a system failure can be avoided as long as the majority are still workingcorrectly, which is where majority voting comes in. Note that if the majority of components fail,majority voting can no longer prevent a system failure. While a Triple Modular Redundant systemcan only tolerate single component faults, a higher degree of fault tolerance can be achieved byfurther increasing the level of modular redundancy. Hardware redundancy is an effective method ofimproving reliability significantly but, increases hardware cost quite substantially as well. Valianthas showed that the formula-size complexity of n-input majority vote functions can be boundedabove by a function of order O(n5.3) (1984) [16].

The PUF construction mentioned in section 2.5.1 by Wisiol et al. also uses majority votingsimilarly. Their construction is called XOR Majority Vote APUF. The purpose of the majority

2It is worth noting how the word similar here is used to underline a slight difference between the mentionedcomponents. While hardware redundancy can be implemented with multiple supposedly identical components fromthe same vendor, it is common to use components from different vendors. This might not be completely intuitiveat first but serves important purposes. Components from different vendors are less likely to share vulnerabilities.Perhaps one vendor’s component is more sensitive to heat than the components of the other vendors. It also nullifiesthe risk of having a component with a critical design flaw causing a system failure on its own.

Page 13

voting is also reliability increase, to reduce the need for error correction code. A difference betweenthe two kinds of majority voting is that Triple Modular Redundancy uses hardware redundancy,whereas the XOR Majority Vote APUF uses time redundancy. The strength of time redundancycompared to hardware redundancy is that little additional hardware is required. The drawbackis that the evaluation of challenges occur sequentially several times, thus requiring significantlylonger to generate a response.In the context of this thesis project, majority voting serves a different purpose, namely that ofbeing a combiner function. Majority voting can be applied to a design with any number of APUFchains k, but there is an important special case to consider. If k is even, and the number of onesand zeroes are equal a vote tie will occur. In Equation 2.6 this issue is dealt with using the flooroperator, which could be replaced by the ceiling operator, depending on the desired behavior inthe case of a tie. There is an issue with both these approaches, however. To construct an unbiasedPUF is it of utmost importance to avoid unnecessary bias. Which is why k is often restricted to oddvalues. This can be considered a slight versatility disadvantage compared to the XOR combiner.

2.5.2 Complex APUF ConstructionsTwo PUF constructions that are extensions of the APUF are the Interpose Physical UnclonableFunction and the Ising Physical Unclonable Function.

2.5.2.1 The Interpose Physical Unclonable Function

The Interpose Physical Unclonable Function (Interpose PUF) is a design that was proposed byNguyen et al. (2018) [3]. The design consists of two layers, an upper layer formed by an n-bitk-XOR APUF, and a lower layer formed by an (n+ 1)-bit y-XOR APUF, being denoted as a n-bit(k, y)-Interpose PUF.

The upper layer, which consists of k APUF chains with n switch blocks, produces a responseby evaluating an n-bit challenge, exactly like an ordinary n-bit k-XOR APUF. This response bit isimportant as it plays a role for the lower layer. The lower layer, which consists of y APUF chainswith (n + 1) switch blocks, produces the Interpose PUF output bit rL by evaluating an (n + 1)-bit challenge. The purpose of the upper layer is to produce a response bit rU that is interposedbetween bits i and i+1 of the challenge that is evaluated by the lower layer. The inventors suggestusing a 64-bit (1, 10)-Interpose PUF and interposing the upper layer response after the 32:nd bitof the lower layer. With the suggested parameter values they conclude that the design should besecure against LR, basing the proof on the fact that 64-bit 10-XOR APUFs are regarded secure tothe same attacks. A block diagram of a 4-bit i = 1 (2, 3)-Interpose PUF is shown in Figure 2.6.It should be noted that this figure lacks certain details that are present in the previous APUFfigures, the two layers consist of nothing else than one XOR APUF each.

2.5.2.2 The Ising Physical Unclonable Function

The Ising Physical Unclonable Function (Ising PUF) is a design that was proposed by Awano andSato (2018) [4]. The construction is inspired by the interaction of spins in Ising computing, amathematical model of ferromagnetism. The design consists of a two-dimensional grid of lengths(X,Y ) with cells indexed (i, j). Each cell contains a 4-bit APUF and control logic to make thedesign function.

Each cell is effectively initialized according to an (X ∗ Y )-bit challenge, where each challengebit determines the initial response value of one cell APUF each. Each cell is then challenged tentimes, in rounds called annealing. In each round of annealing, every cell is challenged serially,handled by an X- and Y -decoder. The challenges of each cell APUF depends on the response of

Page 14

c2c1 c3 c4

c2c1 c3 c4rU

rU = {0,1}

Upper Layer

Lower Layer

rL = {0,1}

Lower Arbiter 2

Lower Arbiter 3

Lower Arbiter 1

Upper Arbiter 1

Upper Arbiter 2

Figure 2.6: A block diagram of a 4-bit i = 1 (2, 3)-Interpose PUF. The parameters are not chosenaccording to the configuration suggested by the inventors of the design. This configuration ischosen to describe the construction and does not claim to be optimal in other contexts.

Page 15

its adjacent cell APUFs. A block diagram of a (X ∗ Y )-bit Ising PUF is shown in Figure 2.7. Forany cell (i, j) that is not located at the edge of the grid, the challenges are given by the responsesof cells (i, j ± 1) and (i± 1, j). This process is repeated in each annealing round. After all roundsof annealing are completed, the Ising PUF produces a response according to the output of an XORoperation applied to all cell’s most recent responses. Note that the figure is an abstraction of thereal design, meaning that a lot of logic is not shown.

As mentioned in section 2.4 changes in external conditions can affect the reliability of anAPUF. An APUF with this problem is called a dark-cell in this context, and to prevent the errorsproduced by a dark-cell from propagating across the grid there is a countermeasure called thedark-cell elimination scheme. Cells are marked with the dark-cell flag if the simulated responsesof the cell APUF are not identical in 20◦C and 100◦C. Using the dark-cell flag the dark-cellelimination scheme then ensures that each dark-cell APUF is substituted for a 4-bit XOR. Amongwith a response register and other control logic, the 4-bit XOR is present in each cell, but is unusedunless enabled by the dark-cell flag.

Page 16

Cell (i, j)

c1 = r(i+1, j)

c3(i+1, j) = r

c3 = r(i-1, j)

c1(i-1, j) = r

c 4 =

r(i,

j-1)

c 2(i,

j-1)

= r

c 2 =

r(i,

j+1)

c 4(i,

j+1)

= r

Arbiter

(i-1, j-1) (i, j-1) (i+1, j-1)

(i-1, j) (i, j) (i+1, j)

(i-1, j+1) (i, j+1) (i+1, j+1)

(i-1, 0) (i, 0) (i+1, 0)(0, 0)

(0, i-1)

(0, i)

(0, i+1)

(i-1, Y) (i, Y) (i+1, Y)(0, Y)

(X, 0)

(X, i-1)

(X, i)

(X, i+1)

(X, Y)

Figure 2.7: A block diagram of an (X ∗ Y )-bit Ising Physical Unclonable Function. The Isinggrid consists of X ∗ Y cells, each containing a 4-bit APUF. Each cell APUF evaluates challengesconsisting of the four responses of the adjacent cell APUFs.

Page 17

3 | New Countermeasures

Two APUF countermeasures against ML modeling attacks were explored throughout the project,protecting the APUF input and output, respectively. The former by a proposed lightweight APUFconstruction, and the latter by exploring a non-traditional combiner function for parallel APUFs.There was also an attempt to neutralize the threat of SCA, another possible threat to APUFs thatis introduced in section 1.2.

3.1 Challenge Protection

One method of protecting the input of the APUF was formed together with a team of KTHresearchers. It is a lightweight PUF construction that we call the Cyclic Redundancy CheckPhysical Unclonable Function (CRC-PUF). In theory the CRC-PUF is compatible with any PUFof type {0, 1}n → {0, 1}, but hereby it is assumed to be an APUF. We wrote a paper about theCRC-PUF [17] that was submitted to-, and published by the Workshop on Machine Learning forCyber-Crime Investigation and Cybersecurity (MaL2CSec). We were invited to the workshop held2019-06-20 in Stockholm, where Dubrova presented the PUF construction.

3.1.1 Cyclic Redundancy CheckAs the name suggests, the CRC-PUF has drawn inspiration from Cyclic Redundancy Checks(CRCs) and is partly based on Dubrova’s previous work [18]. CRC is an error-detection code basedon polynomial division, which is usually used primarily to detect unintentional data alterations,such as transmission noise. However, in this context that is not the purpose of the CRC, whichinstead is to expand seed challenges, similarly to what was explained in section 2.2.2.

Let GF (2) denote a finite field of two elements, GF (2) = {0, 1}. Let us then assume animplicit bijection between the n bit strings p ∈ GF (2n) and the polynomials p(x) =

∑n−1i=0 pix

i

over GF (2), so that the coefficients (p0, . . . , pn−1) ∈ GF (2n) of p(x) correspond to the bits of p.Given a polynomial g(x) of degree n over GF (2), an n-bit CRC for the message polynomial M(x)is computed according to Equation 3.1. [17]

CRCg(M) = M(x) · xn mod g(x) (3.1)

For a CRC, g(x) is called a generator polynomial. The coefficients of CRCg(M) constitute theCRC check bits. CRC can be implemented in hardware using a LFSR with g(x) as a generatorpolynomial [19]. Keep in mind that some strong PUF constructions already use LFSRs, but forthe purpose of reducing data transmission by expanding seed challenges on-chip, as explained insection 2.2.2.

19

3.1.2 Linear Feedback Shift RegisterAn LFSR is a feedback shift register that, when clocked, updates the bit sn−1, according to alinear function of selected bits from the previous state. The selected bits that affect the firstbit of the next state are called taps. An example of a LFSR can be seen in Figure 3.1. Itscurrent state is Si = [0, 1, 1, 0, 1, 0, 1, 0]. The next state value of s7, hereby called s+

7 , is updatedaccording to the result of the linear function XOR of the four taps, being s0, s2, s4, and s5. Inthis case s+

7 = 1 ⊕ 0 ⊕ 0 ⊕ 0 = 1, giving Si+1 = [1, 0, 1, 1, 0, 1, 0, 1]. Using the same logic, thenext s+

7 = 1 ⊕ 1 ⊕ 1 ⊕ 1 = 0, giving Si+2 = [0, 1, 0, 1, 1, 0, 1, 0]. One way of expressing the linearfunction of an LFSR is called generator polynomial (also called feedback polynomial and connectionpolynomial) and is denoted g(x). g(x) explains which state bits s+

n−1 depends on. For the example,the resulting polynomial is g(x) = x5 ⊕ x4 ⊕ x2 ⊕ x0.

3.1.3 Almost XOR-Universal Hash FunctionsAlmost XOR-universal hash functions are important for the CRC-PUF security analysis in sec-tion 5.1.1.1. An almost-universal hash function is a keyed function with the property that, for anypair of messages, the probability that the outputs of the hash function on these two messages areequal is small [20].

The probability is taken over the choice of the key and the meaning of “small" usually stated asa parameter of the definition. A slightly stronger variant, an almost XOR-universal hash function,has the property that, for any constant from the output space of the function, the probability forthe XOR of the outputs of the hash function on the two inputs is equal to a given constant, is small.Almost-universal- and almost XOR-universal hash functions are important information-theoretictools in cryptography [21]. More formally, almost XOR-universal hash functions are defined asfollows:

Let l, n ∈ N,K, be a finite set, and ε > 0. For a set S, we write A← K to denote that A is chosenuniformly at random from K. In the definitions below, we use capital letters to denote randomvariables and lower-case letters to denote specific values. Let H = {ha : {0, 1}l → {0, 1}n | a ∈ K}be a family of hash functions.

H is a universal family of hash functions if:

∀x 6= x′ ∈ {0, 1}l

PrA←K [hA(x) = hA(x′)] ≤ 2−n

H is an ε-almost-universal family of hash functions if:

∀x 6= x′ ∈ {0, 1}l

PrA←K [hA(x) = hA(x′)] ≤ ε

H is an ε-almost-XOR-universal family of hash functions if:

∀x 6= x′ ∈ {0, 1}l, y ∈ {0, 1}n

PrA←K [hA(x)⊕ hA(x′) = y] ≤ ε

Page 20

A CRC with an irreducible1 generator polynomial as key function was shown to be an ε-almost-XOR-universal family of hash functions by Krawczyk (1994) [22], given that ε = (l + n)/2n−1, lbeing the message size and n the CRC size, provided that the CRC is encrypted with a one-timepad of size n. His results were later extended to include the case of arbitrary reducible, and oddpolynomials by Dubrova, Näslund, Selander, and Lindqvist (2018) [18].

One-time pad is an encryption technique that encodes a message using a randomized secret keyof identical length. The encryption is achieved by applying bit-wise XOR between the two and isunbreakable as long as the same secret key is not used more than once.

3.1.4 The CRC-PUFSimilar to the PUF constructions that expands seed challenges with an on-chip LFSR, the CRC-PUF uses an LFSR for seed challenge expansion. There is a notable difference, however. Thesecurity of the CRC-PUF depends on using a different polynomial g(x) for each seed challenge ex-pansion. Thus it requires an LFSR with re-configurable connections, where the other constructionscan settle with a constant polynomial. Re-configurable LFSRs are sometimes used in applicationsthat need to support multiple CRC standards [23], and techniques for constructing re-configurableLFSRs are well known.

A block diagram of a re-configurable LFSR can be seen in Figure 3.2. Being re-configurablemeans that the generator polynomial g(x) is non-constant, thus changing which bits that affect b0.For the CRC-PUF, g(x) can be seen as a secret key of the design, which needs to be known byboth the prover and verifier.

Two inputs are required, a generator polynomial and a seed challenge. The former is used toconfigure the LFSR, thus affecting how new states are calculated. The latter is used as an initialstate.

3.1.4.1 The Initialization Stage

The LFSR is then clocked n times without producing an output, with the reason being to preventan eavesdropping attacker from figuring out what challenge is being applied to the APUF. This isfurther explained in the section 5.1.1.1. Assuming a Fibonacci configuration, every LFSR updatefollows the state transition function L : GF (2n)→ GF (2n) defined by Equation 3.2.

sn−1sn−2. . .s0

→

l(s0, . . . , sn−1)sn−1. . .s1

(3.2)

(s0, . . . , sn−1) ∈ GF (2n) are variables representing values of the current LFSR state and l :GF (2n) → GF (2) is the linear function in Equation 3.3, which is defined by the generator poly-nomial g(x) in Equation 3.4, where “⊕” is the GF (2) addition.

l(s0, . . . , sn−1) =n−1∑i=0

gisi (3.3)

g(x) =n−1∑i=0

gixi ⊕ xn (3.4)

1A polynomial over GF (2) is irreducible if it cannot be factored over GF (2).

Page 21

S7 S6 S5 S4 S3 S2 S1 S0

0 1 1 0 1 0 1 0

Figure 3.1: Block diagram of an 8-bit LFSR with four taps, being s0, s2, s4, and s5. Thecurrent LFSR state is Si = [0, 1, 1, 0, 1, 0, 1, 0]. The value of s+

7 would be updated according tos+

7 = 1⊕ 0⊕ 0⊕ 0 = 1, giving the next state Si+1 = [1, 0, 1, 1, 0, 1, 0, 1].

Sn-1 Sn-2 S1 S0

g0g1gn-2gn-1

Figure 3.2: Block diagram of an n-bit re-configurable LFSR. gi controls if the i:th state variablesi becomes a tap or not.

Page 22

Let Si denote the LFSR state at clock step i, i ∈ 0, 1, . . .. Then, during the initialization stage theLFSR goes through the following states:

S0 = CS1 = L(C)S2 = L2(C). . .Sn = Ln(C)

3.1.4.2 The Evaluation Stage

The n:th output Sn and its m− 1 consecutive states are then applied to an APUF as challenges,producing an m-bit response vector R according to equations 3.5 and 3.6, where f : GF (2n) →GF (2) is the APUF function defined by Equation 2.1.

R = [r1, r2, ..., rm] (3.5)ri = f(Ln+i−1(C)) (3.6)

For each new response, the LFSR is reconfigured to a new polynomial g(x) selected uniformly atrandom from some class of polynomials over GF (2)2 and known to the legitimate parties only. Ablock diagram of an n-bit CRC-PUF can be seen in Figure 3.3

n-bit reconfigurable LFSR

n-stage APUF

Challenge C= (c1,...,cn)

Response R= (r1,...,rm)

Polynomial g(x)

Figure 3.3: Block diagram of an n-bit CRC-PUF [17].

3.2 CRC-PUF ExampleConsider an 8-bit CRC-PUF, with the LFSR in Figure 3.1. It is initialized by the seed challengeC(x) = x6 + x5 + x3 + x1), and which current state variables affect the next state value s+

7 isdetermined by to the generator polynomial g(x) = x5 + x4 + x2 + x0. Table 3.1 below presentsthe 16 first LFSR states. Note that the polynomials in the table are replaced by the vectorrepresentations C and g, respectively. The polynomials of C, g or any LFSR state Si can beretrieved by multiplying the corresponding row vector with the transpose X ′ of the row vector X.C(x) = C ∗X ′, and g(x) = g ∗X ′.

2Irreducible, odd, or arbitrary.

Page 23

The first LFSR state S0 is given by C, S0 = [0, 1, 1, 0, 1, 0, 1, 0]. When the LFSR is clocked for thefirst time, the value of the highest order next state variable s+

7 is updated according to Equation 3.7,and the other state variables assume the value of their neighbour with higher rank.

s+7 = s5 ⊕ s4 ⊕ s2 ⊕ s0 = 1⊕ 0⊕ 0⊕ 0 = 1 (3.7)

The resulting LFSR state is then S1 = [1, 0, 1, 1, 0, 1, 0, 1]. When the LFSR is clocked for the secondtime, the value of the highest order next state variable s++

7 is updated according to Equation 3.8,and the other state variables, again, assume the value of their neighbour with higher rank.

s+7 + = s+

5 ⊕ s+4 ⊕ s

+2 ⊕ s

+0 = 1⊕ 1⊕ 1⊕ 1 = 0 (3.8)

The resulting LFSR state is then S2 = [0, 1, 0, 1, 1, 0, 1, 0], and so on. The initialization, andevaluation stages explained in sections 3.1.4.1 and 3.1.4.2, are marked red and green, respectively.The rounds in the initialization stage are performed to conceal C, whereas the rounds in theevaluation stage are performed to produce the states S8 through S15. An 8-bit strong PUF, suchas an 8-bit APUF then interprets these states as challenges, and evaluates them to produce an8-bit response vector according to Equation 3.5. Note that the suggested CRC-PUF configurationis a 128-bit version, but due to the exponential scaling of truth tables, an 8-bit example is usedhere.

Table 3.1: The LFSR state variables for the CRC-PUF example are shown in thered cells for the initialization stage, and in the green cells for the evaluation stage.

X x7 x6 x5 x4 x3 x2 x1 x0

C 0 1 1 0 1 0 1 0g 0 0 1 1 0 1 0 1S s7 s6 s5 s4 s3 s2 s1 s0 s+

7S0 0 1 1 0 1 0 1 0 1S1 1 0 1 1 0 1 0 1 0S2 0 1 0 1 1 0 1 0 1S3 1 0 1 0 1 1 0 1 1S4 1 1 0 1 0 1 1 0 0S5 0 1 1 0 1 0 1 1 0S6 0 0 1 1 0 1 0 1 0S7 0 0 0 1 1 0 1 0 1S8 1 0 0 0 1 1 0 1 0S9 0 1 0 0 0 1 1 0 1S10 1 0 1 0 0 0 1 1 0S11 0 1 0 1 0 0 0 1 0S12 0 0 1 0 1 0 0 0 1S13 1 0 0 1 0 1 0 0 0S14 0 1 0 0 1 0 1 0 0S15 0 0 1 0 0 1 0 1 1

3.3 Response ProtectionTo protect responses, a study of combiner functions was conducted. The idea was to examinemajority vote as an alternative to the traditional XOR combiner function of parallel APUF chains.

Page 24

The design is hereby called the n-bit k-Majority Vote Arbiter Physical Unclonable Function (MVAPUF). The hypothesis of the experiment was that majority vote would be easier to model. Unlikefor the XOR combiner, the output of a majority vote combined set of responses does not necessarilydepend on each response bit. A single response bit flip can be irrelevant if the other APUF chainsform a strong majority. A Python script was written to calculate the amount of NAND gatesrequired to implement k-input majority vote, assuming the implementation consisting exclusivelyof NAND gates. The results can be seen in Table 3.2. Implementation and result of the responseprotection attempt is further elaborated on in sections 4.5 and 5.2.

Table 3.2: Number of NAND gates that arerequired to implement a k-input majority vote.

n k 2-input NAND gates128 3 6128 5 47128 7 242128 9 1131

3.4 Correlation Power AnalysisTo better understand the concept of SCA an exercise was set up. Its objective was to extractthe secret key for the encryption algorithm Advanced Encryption Standard on a smart card. Thepower traces were collected by someone else beforehand and were provided in a file containingpower consumption amplitude samples at different times. This left only the task of writing a scriptto perform the CPA. The secret key was initially unknown, but would successively be revealed onebyte at a time. The script was written in MATLAB, and consists of the following simplified steps:

• Propose a power model hypothesis, being HW for this attack.

• Take a known plaintext and perform the first round of Advanced Encryption Standard usingall possible byte combinations, for each of the bytes in the secret key one at a time.

• Calculate the hypothetical power consumption using the acquired ciphertext and the powerconsumption model.

• Choose the secret key byte according to the power consumption that matches that of thepower traces the most, and then repeat the process for all remaining secret key bytes.

Provided that power traces can be collected from an APUF it could be possible to apply a similarmethod. However, FPGA implementations are probably a significantly more challenging targetcompared to the smart card described above. The idea was to measure power consumption byusing an electromagnetic probe held over the power pin of the FPGA containing the APUF. Whenevaluating a challenge, the power consumption of the arbiter and register were different dependingon the response bit flip occurrence. Unfortunately, this approach was not explored further, but anoteworthy hypothesis is left in section 6.1.2.

Page 25

4 | The PyPuf Project

To facilitate analysis, PUFs are commonly simulated in software. Some benefits that softwaresimulations have compared to hardware implementations are redesign versatility and resource con-servation.

PyPuf is an example of a project simulating PUFs in software. The name PyPuf is derivedfrom the programming language Python, concatenated with the abbreviation Physical UnclonableFunction and is, as the name suggests, Python-based. PyPuf is free software shared with the GNUGPLv3 and is available to anyone at GitHub1. PyPuf consists of three modules. Being simula-tion, learning, and experimentation. The experimentation model can be used to run reproducibleexperiments. However, for this project the main functionality was accessed through commandline scripts, some existing, and others created. The simulation and learning models are thereforeemphasized below.

4.1 PyPuf SimulationMore specifically PyPuf focuses on some PUF constructions introduced in chapter 2, such as theAPUF, and the XOR PUF. These PUF constructions are simulated using a broad class calledLTF_array that creates arrays of Linear Threshold Functions (LTFs). In the book Analysis ofBoolean Functions [24] Ryan O’Donnell goes into great detail of what LTFs are, but in this contextit is enough to know that LTFs are useful to simulate the above mentioned PUF constructions.

Thus far, this report has mostly used the {0, 1} bit notation, indicating False and True respec-tively. This bit notation is excels at describing relative voltages, which is of course very common inelectronics. In PyPuf this notation is supported, but that appears to be the case mostly for com-patibility reasons. The more common bit notation in PyPuf is the {1,−1} bit notation, indicatingFalse and True, respectively. Specifically note that 1 corresponds to False in this notation.

This seems to be the notation that O’Donnell prefers using as well. A plausible reason for usingthis notation is that notation choice influence required mathematical operations to perform certaincalculations. The mathematical operations that describe the {0, 1} XOR function was shown inEquation 2.5. However, the {1,−1} XOR function can be described with a product, according toEquation 4.1. Majority voting is a function that becomes significantly easier to compute in the{1,−1} bit notation. Comparing the complexities of equations 2.6 and 4.2 it should be assumedthat the choice of notation was conscious and thoughtful.

What the simulation module does is creating an initial LTF array, hereby called instance.Function arguments can be used to specify desired PUF properties such as amount of APUF chainsk and challenge bits n, among with other parameters. The instance is assigned weight values thatvaguely correspond to the physical characteristics of the wires of a hardware-implemented APUF.

1The version as described in this report can be found at https://github.com/nils-wisiol/pypuf

27

https://github.com/nils-wisiol/pypuf

The process manufacturing variations are simulated by choosing each weight value according toa Gaussian distribution around a theoretically reasonable nominal value, much like what occursuncontrollably during manufacturing.

XOR(R) =k∏

i=1ri (4.1)

MV (R) =k∑

i=1ri (4.2)

4.2 PyPuf LearnerPyPuf’s learning algorithm is based on LR and Resilient Backpropagation, and was implementedby Sölter [25] and Rührmair et al. [11]. What the learner module does is creating a second LTFarray, hereby called model. According to Kerckhoffs’s principle, it is assumed that the attackeris aware of the PUF architecture, meaning that the model is created with the same propertiesas that of the simulated instance. The purpose of the model is to learn from, and eventuallyreproduce the behavior of the instance as closely as possible. A model is usually trained usinga small fraction of all possible CRPs, but a well trained model should still be able to evaluate anunlabeled2 challenge with the same result as the instance it is attempting to resemble.

A poor choice for training would be to select the first i consecutive CRPs. The resulting modelwould replicate the weights of the switch blocks corresponding to the least significant bits verywell, but it would not have any training for the switch blocks corresponding to the most significantbits at all. Training and testing in PyPuf is performed using random challenges. This is generally agood method of CRP selection, as the training and testing data sizes are typically large, reducingthe risk of statistical outliers affecting the training performance. This is accomplished by theiteratively adjusting the model’s weight values to mimic the response pattern of the instance,using Resilient Backpropagation.

The tools module is filled with functions. In order to measure the accuracy with which themodel can reproduce responses of the instance the function approx_dist is called. From aselected amount of testing challenges that are chosen randomly, it returns the relative amount oferroneous responses. PyPuf has a lot more complicated features, most of which were not exploredin detail.

4.3 PyPuf ModificationsPyPuf has been invaluable throughout this degree project. PyPuf provided a solid base in itsdefault state, no questions asked. However, being open source and therefore possible to enhancefurther was important for the CRC-PUF construction. Two modifications to PyPuf that weredeveloped during this thesis project are described below.

4.4 PyPuf File ParsingAs explained in section 4, the accuracy analysis of PyPuf, in its default state, was based purely onsimulated APUF instances. The purpose of the first modification was to add further compatibility

2A challenge that has not been used for training of the model.

Page 28

with APUFs implemented in hardware, directly addressing the first project goal. The idea wasto train and test the created software APUF model using CRPs from the hardware APUF. Themodification was implemented in cooperation with Bernhard Degen and Anders Gawell, and thegroup was provided the CRP files generated on FPGAs, but had to modify PyPuf to parse the fileand correctly process the CRP data. This contribution is currently present in the main version ofPyPuf.

The tools module was modified in several ways. A function, parse_file, was added to readselected lines from a file containing CRPs. The format is assumed to be one CRP per line. Eachline contains the n challenge bits, followed by a single response bit. Every bit is separated bywhitespace, i.e. one or more spaces. Two different notations are supported; using either 1 and -1,or 0 and 1 to denote single bits. The existing code base required some changes. The TrainingSetdata structure was modified to allow importing given CRPs, rather than randomly generating them.Additionally, a new version of the existing distance (or accuracy) approximation, approx_dist,had to be made. The problem was that it only worked on two functions, whereas it needed to workon a learned function and a testing CRP set. Besides the modifications to the tools module, anew module was introduced as well. It is called crp_learn and serves as an interface between theuser and the library functions.

4.5 PyPuf Majority Vote Combiner FunctionPrevious to this project, PyPuf implemented the combiner functions: XOR, and modulo of innerproduct. If a majority voting combiner function was available in PyPuf, evaluating its performancecompared to the typical XOR combiner function would be trivial. However, seeing as it was not,the performance comparison would have to wait. Integrating additional combiner functions inPyPuf was somewhat challenging, primarily because grasping the purpose of the different codesegments was time-consuming.

In the logistic_regression module, a function majority_vote_combiner was added to per-form the majority voting operation, and ensuring that amount of APUF chains k was odd, toprevent the case of vote ties explained in section 2.5.1.2. Then the LTF_array module was modi-fied to allow selection of the additional combiner function option.

Page 29

5 | Evaluation

In this chapter the proposed methods are evaluated in the order they were introduced.

5.1 CRC-PUF Evaluation

Naturally, not all PUFs perform equally well. This is true both when comparing two PUF designsto one another, but also when comparing two PUF instances from the same design. Below areanalysis methods to facilitate the comparison, for both cases. For the former, methods are describedin sections 5.1.1 and 5.1.1.1. For the latter, methods are described in section 5.1.2.

5.1.1 Design Specific Analysis

Embedded system design is a constant trade-off between performance and cost. Approachingthe CRC-PUF with these traits in mind should provide good insight into potential strengthsand weaknesses. The performance is evaluated by a security analysis, essentially discussing howdifficult it should be to break in theory. The cost is evaluated by a hardware cost analysis, primarilycomparing the hardware usage of this design to that of other similar designs. It should, however, benoted that different PUF designers have different requirement specifications in mind. Performanceand cost are not necessarily the only limitations of a designer.

5.1.1.1 Security Analysis

Due to the time complexity of an exhaustive search being min(2n, 2m), we suggest choosing chal-lenges and responses of the same size, m = n. Furthermore, it is essential to avoid an all-zeroseed challenge. The reason is that regardless of how many times the LFSR is clocked, or what itschosen generator polynomial is, it will remain in the original state forever.

Consider a scenario where an attacker is eavesdropping on the channel, whose goal is to createa model of the PUF from the transmitted CRPs, much like what was made possible in PyPufexplained in 4.4. The attacker would thus not have physical access to the PUF itself, preventinga physical attack, such as CPA introduced in section 3.4. The attacker would have to recover thecorrect m LFSR states after the initialization stage.

If the LFSR is reconfigured to a new polynomial g(x) selected uniformly at random fromsome class of polynomials over GF (2), and an all-zero challenge is not applied, the probability ofrecovering the LFSR state after the initialization stage is at most ε. Where ε depends on the typeof the polynomial g(x), according to Table 5.1, which Dubrova, Näslund, Selander, and Lindqvistpresented (2018) [18].

31

Table 5.1: State recovery attack success probabilities for different types of polynomials.

Response Challenge Attack success probability ε forsize size the different types of polynomials

m, bits n, bits Arbitrary [18] Odd [18] Irreducible [22]32 32 2−18.16 2−18.82 2−25.00

48 48 2−29.30 2−30.15 2−40.42

64 64 2−39.82 2−40.77 2−56.00

96 96 2−65.58 2−66.26 2−87.42

128 128 2−86.03 2−87.06 2−119.00

We applied the Classical ML Modeling Attack LR of PyPuf to test the modeling accuracy of asingle 128-bit response R if the attacker is aware of g(x). The results showed that the predictionaccuracy is at most 75% per bit, meaning that the prediction accuracy for 128 bits is at most(0.75)128 ≈ 2−53. Therefore, for a 128-bit CRC-PUF, the probability that an attacker correctlypredicts the response for any challenge that has not been used in the past is at most 2−86×2−53 =2−139. Again, this is slower than an exhaustive response search. Furthermore, it should not bepossible to apply the Reliability-Based ML Modeling Attack described in section 2.4, as the LFSRpolynomial changes between sessions.

5.1.1.2 Hardware Cost Analysis

As the thesis title suggests, the proposed CRC-PUF is supposed to be lightweight, in the sensethat it is hardware efficient. Sections 2.2.2 and 3.1 briefly touched on how LFSRs can be usedto expand seed challenges on chip to reduce data transfer between verifier and prover. This is atechnique that is used by other ML attack resistant APUF constructions, including the k-XORAPUF [2] and the Interpose PUF [3].

The overhead of using a re-configurable n-bit LFSR is n 2-input AND gates and at most n− 12-input XOR gates. Compared to adding k − 1 n-stage APUFs as in k-XOR APUF case, oranother n + 1-stage APUF to the construction as in the Interpose PUF case, this seems like anefficient implementation. Table 5.3 compares the hardware cost of the CRC-PUF to that of otherAPUF constructions in terms of Gate Equivalent (GE), a unit of measurement for circuit area thatis technology-independent. For CMOS technology, the GE is usually considered the area of thesmallest two-input NAND gate in the library.

Note that the 128-bit APUF with the lowest GE, is a plain APUF that lacks countermeasuresagainst ML attacks. It is included in the table as a base reference. The number 4100 GE forthe Ising PUF is taken from [4] where a 64-input Ising PUF design is evaluated. Other numbersare derived from circuit diagrams of the respective designs, using the gate parameters specified inTable 5.2. Assuming a 65nm CMOS implementation, a 128-bit re-configurable LFSR has a GEof 2067. An alternative countermeasure is to use a full-strength cryptographic hash function suchas a 128-bit SHA-3 [26], which has a GE of 34743. By comparing the two it becomes clear thatthe latter is significantly, namely 16.8 times, larger, thus requiring considerably more resources.Note that two constructions occur twice. The k-XOR APUF appears in the smallest configurationsthat are considered secure for both 64-, and 128-bits. There are also two present Interpose PUFconfigurations. The former is the 128-bit (1, 1)-Interpose PUF, the smallest 128-bit design. Thelatter is the recommended configuration that the authors consider secure against LR.

Page 32

Table 5.2: Gate Equivalent for common gatesand flip-flops in 65 nm CMOS technology.

Gate Gate Equivalent

2-input NAND 12-input AND 1.52-input XOR 2.52-to-1 MUX 2.5flip-flop 6.25

Table 5.3: Area comparison of some APUF based PUF constructions.

n PUF type GE GE (PUF type)GE (APUF)

128 APUF [2] 646 164 10-XOR APUF [2] 3285 5.09128 8-XOR APUF [2] 5188 8.03128 (1,1)-Interpose PUF [3] 1298 2.0164 (1,10)-Interpose PUF [3] 3570 5.6764 Ising PUF [4] 4100 6.34128 CRC-PUF 1156 1.78

5.1.2 Statistical Analysis

The two evaluation metrics uniformity and uniqueness are frequently used to determine the sta-tistical properties of PUFs. This section assumes the APUF bit notation described in section 2.3,ci ∈ {0, 1} and ri ∈ {0, 1}.

5.1.2.1 Uniformity

The uniformity metric P describes the distribution of ones and zeroes from an amount of responses.To achieve the highest unpredictability, and thus avoiding a bias towards either value, the responseprobability of zeroes and ones should be equal. The uniformity, P , is calculated as the HammingWeight (HW) of a set of responses according to Equation 5.2. HW is calculated as the number ofnon-zero values of a vector according to Equation 5.1, where ri denotes the i:th bit of the responser. When dealing with the binary values one and zero, HW is the same as a sum of response. Notethat this is not true for a notation used in PyPuf discussed in section 4.1, even though a sumof a vector in that notation provides similar information. Figure 5.1 shows the HW distributionof 10000 128-bit responses obtained from 10000 CRC-PUF instances. Much like the underlyingweights of the APUF it appears to have a Gaussian distribution. The average HW is 64.0995,which is close to the ideal value n/2 = 64.0, which corresponds to P = 50.0777%.

HW (R) =n∑

i=0ri (5.1)

Page 33

P (R) = 1j

j∑j=1

HW (Ri)n

(5.2)

0

100

200

300

400

500

600

700

1 5 9 13 17 21 25 29 33 37 41 45 49 53 57 61 65 69 73 77 81 85 89 93 97 101105109113117121125

Nu

mb

er

of

resp

on

ses

Hamming Weight

Figure 5.1: Hamming Weight distribution of 10.000 128-bitresponses obtained from 10.000 CRC-PUF instances [17].

5.1.2.2 Uniqueness

The uniqueness metric U describes how different the responses of two PUFs are compared to oneanother. Similar to how HW is used for uniformity, Hamming Distance (HD) is used for uniqueness,which can be seen in Equation 5.4. HD is effectively HW of the result of bit-wise XOR betweentwo response vectors from different PUFs, according to Equation 5.3. By applying XOR to thetwo response vectors we acquire a vector that contains zeroes for every index where the valuesof the two response vectors were equal, and ones otherwise. HW is then applied to calculate theamount of indexes with different values. Figure 5.2 shows the HD distribution of 499500 pairs of128-bit responses obtained from 1000 CRC-PUF instances. Much like for uniformity, the desireduniqueness is n/2 = 64.0. The average HD is here 63.9971, which corresponds to the uniquenessU = 49.9978%.

HD(R1, R2) =n∑

i=0r1i ⊕ r2i (5.3)

U(R1, R2) = 2k(k − 1)

∑ ∑ HD(R1, R2)n

(5.4)

Page 34

0

5000

10000

15000

20000

25000

30000

35000

40000

1 5 9

13

17

21

25

29

33

37

41

45

49

53

57

61

65

69

73

77

81

85

89

93

97

101

105

109

113

117

121

125

Nu

mb

er

of

pai

rs o

f re

spo

nse

s

Hamming Distance

Figure 5.2: Hamming Distance distribution of 499.500pairs of 128-bit responses obtained from 1.000 CRC-PUFinstances [17].

5.2 Majority Vote Combiner EvaluationUsing the result of Table 3.2, the GE of the 128-bit k-MV APUF are compiled in Table 5.4. Asexplained in section 2.5.1.2, k is chosen odd to avoid vote ties. For k = 1, no combiner is necessaryand the GE is thus the same as for an ordinary 128-bit APUF. Given that the 8-XOR APUF isconsidered secure, the table does not include constructions with more than k = 9 APUF chains.

Table 5.4: Area comparison of 128-bit k-MV APUF constructionsusing a majority vote implemented exclusively with NAND gates.

n PUF type GE GE (PUF type)GE (APUF)

GE(MV)GE (PUF type)

128 APUF [2] 646 1 0128 3-MV APUF 1944 3.01 0.0008128 5-MV APUF 3277 5.07 0.0143128 7-MV APUF 4764 7.37 0.0508128 9-MV APUF 6945 10.75 0.1629

To evaluate the performance of the majority vote combiner function it was compared to that ofXOR. Using various functions from the PyPuf tools module, as well as the two combiner functions,a script was written to print the accuracy with which the trained APUF model managed to learnthe simulated APUF instance. To evaluate how the majority vote performed, learning accuracieswere collected for different amounts of CRPs used for training the APUF model. As the script wascalled from the command line, the data collection process was automated using a bash script torun the script measuring accuracy several times with the amount of training data being a variableduring the data collection process.

This would give a rough estimate of how many CRPs would be necessary to create a good modelof the APUF. Figures 5.3 and 5.4 both show plots comparing learning accuracies as functions oftraining data amount. The former compares two XOR APUFs, the blue line is data for an XORAPUF with a single chain, effectively an ordinary APUF, and the orange line is data for an XORAPUF with two chains. The latter compares an XOR APUF with three chains, the blue line, witha majority vote APUF with three chains, the orange line. For the sake of reducing collection timesignificantly, the plots have resolutions of 10, and 1000 training data, respectively.

Page 35

Figure 5.3: A plot of the learning accuracy as a function oftraining data amount for two XOR APUFs, with a singlearbiter chain in blue, and with two arbiter chains in orange.

Figure 5.4: A plot of the learning accuracy as a functionof training data amount for an XOR APUF in blue, anda Majority Vote APUF in orange, each with three arbiterchains.

Page 36

6 | Conclusion

The PyPuf file parsing modification introduced in section 4.4, was designed to address the firstproject goal. Since its implementation, the modification has been used to validate the challenge-response synchronization of several FPGA APUF implementations. Thus I conclude that the firstproject goal is successfully addressed.

Both the challenge-, and response protection countermeasures introduced in sections 3.1 and 3.3were designed to address the second project goal. For the challenge protection I show that the pro-posed CRC-PUF is: lightweight compared to similar, secure APUF constructions1, secure againstthe suggested ML attack methods2, and produces good statistical PUF properties3. It is, however,important to note that in its current state, the construction uses secret keys when one of the mainbenefits of using PUFs is to avoid that requirement. One solution for this is on-chip generation ofgenerator polynomials, perhaps using another APUF. This does create a minor conflict with thehardware cost analysis in section 5.1.1.2, which is currently a little biased, as it does does not takepolynomial generation into consideration. Unfortunately, this should approximately increase theGE of the CRC-PUF to that of the (1,1)-Interpose PUF configuration. The configuration thatthe Interpose PUF creators consider secure, however, is the (1,10)-Interpose PUF, implying thatthe (1,1)-Interpose PUF is not considered secure. Another polynomial generation technique thatcomes to mind is the SRAM PUF, described in section 2.2.1. Unfortunately, it would not workfor the purpose as it is a weak PUF, thus generating a constant secret key when the CRC-PUFrequires variable secret key generation.

For the response protection I have shown that majority vote is a working alternative to thecommon XOR function. The hypothesis in 3.3 was partially correct in that for low amounts oftraining data the MV APUF achieves a much higher modeling accuracy compared to that of theXOR APUF. The hypothesis was, however, incorrect in that for higher amounts of training datathe former requires a significantly higher amount of CRPs to achieve a similar modeling accuracy.The shape of the MV APUF modeling accuracy function strongly differs from that of the XORAPUF, which looks a lot like a sigmoid function. I conclude that the fact that majority vote isnot always dependent on all responses as mentioned in section 3.3 is what explains the appearanceof the modeling accuracy function. It would be interesting to see how the two compare for higherk-values, but unfortunately it was not feasible to produce with the approach that was used. Therun time of the modeling accuracy evaluation script grows with amount of training data, and as kincreases, so does the training data amount that is necessary to achieve a given modeling accuracy.

The fifth column of Table 5.4 shows how the GE of the combiner grows exponentially in pro-portion to the rest of the design. Realistically, this is not a problem as the 128-bit 8-XOR APUF isconsidered secure. If ML modeling attacks manage to break constructions combining more APUFchains, however, the exponential GE relation is far from negligible.

1In terms of gate equivalent.2Assuming the suggested configuration, where: length(C) = m = n = 128.3In terms of uniformity and uniqueness.

37

Power Trace Concealing

Arbiter

Response Producing

Arbiter

A

B

r = {0,1}c1 = 0 c2 = 1 cn-1 = 1 cn = 0

r = {1,0}

A

_B

Figure 6.1: An n-bit APUF implementing a power trace concealing obfuscation technique.

6.1 Future WorkFuture work is divided in two major branches. Refining the CRC-PUF, and to keep working onthe mostly discarded project of attacking FPGA implemented APUFs using SCA.

6.1.1 CRC-PUF Polynomial Generation and PyPuf CompatibilityAs explained, the CRC-PUF is not a complete design yet. The secret key requirement of theCRC-PUF might partly defeat the purpose of using a PUF in the first place. As mentioned earlierin the chapter, the secret key generation can be solved by another APUF, but looking into thisproblem is mostly left for someone else interested in finishing the CRC-PUF construction.

Another way of proceeding on the CRC-PUF development process would be to implementsupport for it in PyPuf. A provisional C++ script of the CRC-PUF written by Dubrova wasported into PyPuf by Bernhard Degen, but full compatibility appears to be a demanding task.

6.1.2 Side-Channel Analysis HypothesisThe hypothesis was that FPGA placed APUFs would be vulnerable to the attack in one way oranother. However, assuming a HW power model, adding output concealing copies of each arbiterand register cleverly could obfuscate the power traces. This idea is shown in Figure 6.1 and shouldprevent occurrence determination of bit flips happening from zero to one, or one to zero. Theinputs to the concealing arbiter are cross-coupled, which following the notation in section 2.3means that B and A are connected to D and E, respectively. As the arbiters decide which linearrives first at the time the E is set, one evaluation occurs when A finishes, and the other whenB finishes. It should be noted that this obfuscation technique might be even more vulnerable to asimilar attack that instead assumes a HD power model. Unfortunately, this hypothesis could notbe proven correct or false, as more time was spent on the ML attack prevention techniques, andthis project branch was left mostly unsolved.

Page 38

Bibliography

[1] E. Holm, “The role of the refrigerator in identity crime,” Cyber-Security and Digital Forensics,vol. 1, 2016.

[2] D. Lim, J. W. Lee, B. Gassend, G. E. Suh, M. Van Dijk, and S. Devadas, “Extracting secretkeys from integrated circuits,” IEEE Transactions on Very Large Scale Integration (VLSI)Systems, vol. 13, no. 10, pp. 1200–1205, 2005.

[3] P. H. Nguyen, D. P. Sahoo, C. Jin, K. Mahmood, U. Rührmair, and M. van Dijk, “Theinterpose PUF: Secure PUF design against state-of-the-art machine learning attacks.” IACRCryptology ePrint Archive, vol. 2018, p. 350, 2018.

[4] H. Awano and T. Sato, “Ising-PUF: A machine learning attack resistant PUF featuring latticelike arrangement of arbiter-PUFs,” in 2018 Design, Automation & Test in Europe Conference& Exhibition (DATE). IEEE, 2018, pp. 1447–1452.

[5] Google. (2014) Gradually sunsetting SHA-1. https://security.googleblog.com/2014/09/gradually-sunsetting-sha-1.html. [Online; accessed 2019-08-07].

[6] S. Intrinsic-ID, “PUF: the secure silicon fingerprint,” White Paper, 2016.

[7] Intrinsic-ID. (2019) Intrinsic id SRAM PUF technology. https://www.intrinsic-id.com/sram-puf/. [Online; accessed 2019-07-31].

[8] S. Skorobogatov, “Physical attacks on tamper resistance: progress and lessons,” in Proc. of2nd ARO Special Workshop on Hardware Assurance, Washington, DC, 2011.

[9] Y. Yu, E. Dubrova, M. Näslund, and S. Tao, “On designing PUF-based TRNGs with knownanswer tests,” in 2018 IEEE Nordic Circuits and Systems Conference (NORCAS): NORCHIPand International Symposium of System-on-Chip (SoC). IEEE, 2018, pp. 1–6.

[10] E. Dubrova, “Physical unclonable functions,” Lecture Slide in IL1333 Hardware Security atKTH, Royal Institute of Technology, February 2019.

[11] U. Rührmair, F. Sehnke, J. Sölter, G. Dror, S. Devadas, and J. Schmidhuber, “Modelingattacks on physical unclonable functions,” in Proceedings of the 17th ACM conference onComputer and communications security. ACM, 2010, pp. 237–249.

[12] J. Tobisch and G. T. Becker, “On the scaling of machine learning attacks on PUFs withapplication to noise bifurcation,” in International Workshop on Radio Frequency Identification:Security and Privacy Issues. Springer, 2015, pp. 17–31.

39

https://security.googleblog.com/2014/09/gradually-sunsetting-sha-1.html

https://security.googleblog.com/2014/09/gradually-sunsetting-sha-1.html

https://www.intrinsic-id.com/sram-puf/

https://www.intrinsic-id.com/sram-puf/

[13] J. Delvaux and I. Verbauwhede, “Side channel modeling attacks on 65nm arbiter PUFs ex-ploiting CMOS device noise,” in 2013 IEEE International Symposium on Hardware-OrientedSecurity and Trust (HOST). IEEE, 2013, pp. 137–142.

[14] G. T. Becker, R. Kumar et al., “Active and passive side-channel attacks on delay based PUFdesigns.” IACR Cryptology ePrint Archive, vol. 2014, p. 287, 2014.

[15] G. T. Becker, “The gap between promise and reality: On the insecurity of XOR arbiter PUFs,”in International Workshop on Cryptographic Hardware and Embedded Systems. Springer,2015, pp. 535–555.

[16] L. G. Valiant, “Short monotone formulae for the majority function,” Journal of Algorithms,vol. 5, no. 3, pp. 363–366, 1984.

[17] E. Dubrova, O. Näslund, B. Degen, A. Gawell, and Y. Yu, “CRC-PUF: a machine learningattack resistant lightweight PUF construction,” Workshop on Machine Learning for Cyber-Crime Investigation and Cybersecurity (MaL2CSec’2019), 2019.

[18] E. Dubrova, M. Näslund, G. Selander, and F. Lindqvist, “Message authentication based oncryptographically secure CRC without polynomial irreducibility test,” Cryptography and Com-munications, vol. 10, no. 2, pp. 383–399, 2018.

[19] S. W. Golomb et al., Shift register sequences. Aegean Park Press, 1967.

[20] D. R. Stinson, “Universal hashing and authentication codes,” Designs, Codes and Cryptogra-phy, vol. 4, no. 3, pp. 369–380, 1994.

[21] ——, “On the connections between universal hashing, combinatorial designs and error-correcting codes,” Congressus Numerantium, pp. 7–28, 1996.

[22] H. Krawczyk, “LFSR-based hashing and authentication,” in Annual International CryptologyConference. Springer, 1994, pp. 129–139.

[23] J. Birch, L. G. Christensen, and M. Skov, “A programmable 800 Mbit/s CRC check/generatorunit for LANs and MANs,” Computer networks and ISDN systems, vol. 24, no. 2, pp. 109–118,1992.

[24] R. O’Donnell, Analysis of boolean functions. Cambridge University Press, 2014.

[25] J. Sölter, “Cryptanalysis of electrical PUFs via machine learning algorithms,” Ph.D. disserta-tion, MSc thesis, Technische Universität München, 2009.

[26] M. J. Dworkin, “Sha-3 standard: Permutation-based hash and extendable-output functions,”NIST Pub Series: Federal Inf. Process. Stds., Report 202, 2015.

Page 40

TRITA -EECS-EX-2019:653

www.kth.se

Documents

Lightweight and Machine Learning Attack Resistant Physical ...1372527/FULLTEXT01.pdf · DEGREE PROJECT IN INFORMATION AND COMMUNICATION TECHNOLOGY, SECOND CYCLE, 30 CREDITS STOCKHOLM