2. What is a Physical Unclonable Function (PUF)
A PUF is a chip-unique hardware challenge/response function implemented in a physical
device that makes the device practically unclonable.
It’s a promising solution to many security issues due to its ability to generate a unique identifier.
It can be treated as the hardware version of a “one-way function”.
3. Efficiency of a PUF depends on
Implementation Cost
Reliability
Resiliency to Attacks
Amount of Entropy
4. Limitations of Existing PUFs
PUF entropy is used to construct cryptographic keys, chip identifiers or challenge-response
pairs (CRPs) in a chip authentication mechanism. But existing models provide CRPs of limited
length.
The amount of entropy in a PUF is limited by the circuit resources available to build the PUF. Hence
generating longer keys or larger sets of CRPs may increase cost.
5. Contribution of The Paper
The limitation shown on the previous slide is addressed by the authors by proposing an identity-mapping
function that extends the set of CRPs of a ring-oscillator PUF (RO-PUF) with low area cost.
CRPs generated through this function exhibit strong PUF qualities in terms of strong uniqueness
and reliability.
To introduce identity-mapping function, the authors formulated a novel PUF system model that
uncouples PUF measurement from PUF identifier formation.
The implementation of their technique on a low-cost FPGA showed at least 2 times savings in
area compared to the traditional RO-PUF.
Using a small area, a chip can produce a significantly large set of CRPs that are useful for security
applications even if the entropy is limited by circuit resources. The extended set of CRPs is
termed pseudo-independent CRPs.
6. Requirement of a Large Number of Response Bits
A large set of PUF CRPs leads to longer cryptographic keys
To prevent replay (playback)
To compensate for errors
7. Main Contributions
The PUF System Model and the Identity-Mapping Function. It has 3 components:
I) The sample measurement
II) The identity mapping
III) The quantization
Statistical Testing: First work to use a statistical hypothesis test for PUF analysis
Design Implementation: Implementation of prototype hardware on a low-cost, commercial, off-the-shelf
FPGA. Characterized over a group of 125 FPGAs and also tested over varying
temperature and supply voltage.
8. Background
For an RO-PUF with m ring oscillators, the CRPs are based on a set of m RO frequencies,
◦ f = {f1, f2, …, fm}
The frequency of an individual RO is a function of the total delay around the oscillator loop
which varies due to process variation
◦ fi= F(Ti);
So the pattern of frequencies is unique for each chip
9. Motivation
In traditional RO-PUF, the CRPs are generated by the ranking of individual RO frequencies.
But it has a limitation.
Consider 2 chips, each with 4 RO frequencies
chip1=(RO1=52,RO2=49,RO3=48,RO4=50)
chip2=(RO1=36,RO2=30,RO3=29,RO4=32)
The frequency ranks of the chips are
chip1=(RO1=4th,RO2=2nd,RO3=1st,RO4=3rd)
chip2=(RO1=4th,RO2=2nd,RO3=1st,RO4=3rd)
Though the chips are different, the traditional rank-based technique will not distinguish them.
10. Identity Mapping Function
The authors addressed the problem of the previous slide using the identity-mapping function
I) First, all possible frequency subsets are created for each chip
II) Then the set of distances between the frequency subsets is evaluated using Euclidean metric
tuples and triples
And a distribution of Q values is formed
11. So now the two chips are well distinguished, which is obvious from the kernel density plot
of the two distributions Qchip1 and Qchip2.
12. Identity Mapping Function
What's the benefit we get
We can now distinguish the chip pair even with small number of RO frequencies.
Total Q values for m frequencies are 2^m-m-1.
Larger set of CRPs can be formed as responses can be generated after quantizing Q values.
So 2^m – m -1 response bits out of m RO frequencies.
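Added example (not from the slides or the paper's code): the two chips from the Motivation slide, compared by rank and by Q values. The pairwise form |fu - fv|^e * w(xu, xv) and the 2x2 RO positions are assumptions, since the slides do not show the Q formula itself.

```python
from itertools import combinations
from math import dist

# RO frequencies of the two chips from the Motivation slide.
CHIP1 = [52, 49, 48, 50]
CHIP2 = [36, 30, 29, 32]
# Assumption: the 4 ROs sit on a 2x2 grid; these (x, y) positions are constructed.
POS = [(0, 0), (0, 1), (1, 0), (1, 1)]
E = 0.5  # exponent e reported for the implementation


def ranks(freqs):
    """Traditional view: rank of each RO frequency (1st = lowest)."""
    order = sorted(range(len(freqs)), key=lambda j: freqs[j])
    out = [0] * len(freqs)
    for rank, j in enumerate(order, start=1):
        out[j] = rank
    return out


def q2(freqs, u, v):
    """Assumed pairwise form: |f_u - f_v|^e weighted by the RO distance."""
    return abs(freqs[u] - freqs[v]) ** E * dist(POS[u], POS[v])


def q_values(freqs):
    """One Q per subset of t >= 2 ROs, each a sum of the subset's Q2 values."""
    m = len(freqs)
    return {
        subset: sum(q2(freqs, u, v) for u, v in combinations(subset, 2))
        for t in range(2, m + 1)
        for subset in combinations(range(m), t)
    }


def distinguishing_subsets(a, b, tol=1e-9):
    """Subsets (challenges) whose Q value differs between two chips."""
    qa, qb = q_values(a), q_values(b)
    return [s for s in qa if abs(qa[s] - qb[s]) > tol]


if __name__ == "__main__":
    print("ranks chip1:", ranks(CHIP1))
    print("ranks chip2:", ranks(CHIP2))
    print("Q values per chip:", len(q_values(CHIP1)))
    print("subsets that tell the chips apart:",
          len(distinguishing_subsets(CHIP1, CHIP2)))
```

The ranks come out identical for both chips, while 10 of the 11 subsets give different Q values; the one that does not is the RO2/RO3 pair, whose frequency difference is 1 on both chips.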
13. Classification and Application of the Proposed PUF
A PUF is classified in terms of factors like the number of CRPs and the difficulty of predicting the PUF response.
So a strong PUF should contain exponentially many CRPs.
A good PUF should have the following properties:
I) Difficult to predict an unknown response from the analysis of some already known response.
II) A complete determination of all CRPs must be impossible within several days or weeks due to
exponential number of CRPs and finite read out time.
The proposed PUF possesses all these properties, making it a candidate for a strong PUF.
A strong PUF is ideal for device authentication as it possesses a large number of CRPs.
For example a server based authentication mechanism with remotely deployed devices.
14. The scenario is shown in the right figure
The proposed PUF is enrolled in a trusted environment and its CRPs, along with the necessary
helper data (W), are stored in the server.
The deployment is done in an untrusted environment. The server sends challenge C
along with helper data (W) to the deployed PUF.
If the response R sent by the deployed PUF matches the one stored
in the server, the PUF is successfully authenticated.
15. System Model of the PUF
The proposed PUF has 3 components
I) Sample Measurement
II) Identity Mapping
III) Quantization
16. Sample Measurement
It characterizes the effect of random process variation that remains permanent in the
post-fabrication phase of a chip
A digital challenge (C) is applied to the PUF to produce a vector of physical measurements
In the implementation of the RO-PUF, challenge C selects 2 out of 4 oscillators. The frequencies of
the RO pair are measured
17. Identity Mapping
The authors described identity mapping based on Test Statistics (TS).
A TS is an expression that transforms a set of measurement data into a set of numbers that can be used to test a hypothesis
In the implementation of the RO-PUF TS is the frequency difference.
This frequency difference which varies from device to device is used to map the identity of a device to a binary signature.
Complementary to the TS, the authors proposed a nonparametric testing approach to evaluate whether the TS is able to distinguish
several chips well
Hypothesis Testing:
H0: the distributions of all chips are the same.
Ha: the distributions of all chips are different.
To decide whether H0 can be rejected we need to make a decision rule based on the TS. The proposed TS using the identity-mapping function
shown previously can work as a unique on-chip fingerprint for the chips.
For testing the hypotheses the authors used the Kolmogorov–Smirnov nonparametric test.
18. Proposed Q TS
For the description of the construction of the identity-mapping function, let $f_{ijl}$ be the frequency for the $l$th
measurement of the $j$th RO in chip $i$, where $i = 1 \ldots n$, $j = 1 \ldots m$ and $l = 1 \ldots r$.
$f_{ijl}$ is expressed as a function of unknown parameters and an additive error term:
$f_{ijl} = f_{ij} + e_{ijl}$
where $f_{ij}$ is the fixed unknown mean frequency of the $j$th RO in the $i$th chip, and $e_{ijl}$ is a random measurement error. $f_{ij}$ is
measured by averaging $f_{ijl}$ over a sample size of 100 ($l = 1, 2, 3, \ldots, 100$), assuming a normal distribution of the error $e_{ijl}$ with zero
mean.
Using $f_{ij}$ from chip $i$, a sample space $S_t$ is defined, which is the set of possible outcomes of $t$ RO frequencies out of $m$ RO
frequencies, where $2 \le t \le m$.
For example, $S_2 = \{(f_1, f_2), (f_1, f_3), (f_1, f_4), \ldots, (f_{m-1}, f_m)\}$
Here $|S_2| = {}^{m}C_{2}$
We now define a random variable $Q_t$ that assigns a random variable $X$ to each outcome of $S_t$
$Q_t : S_t \to X$ such that
20. Evaluation of the Q TS
Evaluation is done using RO frequency data from a set of 125 FPGA chips
16 ROs from each chip are considered, with 100 measurements for each chip
So in the evaluation 1<=i<=125, 1<=j<=16 and 1<=l<=100
For e=0.5, m=16 and t=16, Q is formed and used as the TS (Test Statistic) values.
Then, using the Kolmogorov-Smirnov (KS) test, the hypothesis whether the distributions of Q values are the same among
different chips is tested.
In a KS test, a parameter p value is derived, which is the probability of obtaining a value for a TS that is as extreme
as or more extreme than the observed value, assuming the null hypothesis is true.
A low value of p denotes that the distributions are different, and a value of p close to 1 denotes that the 2 distributions are
the same.
There are 125C2=7750 pairwise comparisons among the chips
The authors compared the test result with the test result of the traditional response based on the rank of each frequency.
21. From the 3D plot on the right we see that most of the p
values are close to 0, differentiating the different chip
pairs.
For comparison with the traditional rank-based
method, the authors selected 4 ROs out of 16 from
each chip and performed this random sampling
10000 times. It is calculated how many times each
method fails to reject H0 when Ha is true.
H0: Two chips are the same
Ha: Two chips are different
The traditional method fails 421 times but the proposed method 0 times.
So the average proportion for the proposed approach is 0 and for the traditional approach is 0.0421. After calculation
for all pairs, the proportion for the traditional method is found to be 0.0417, while the max and min are 0.0425 and
0.0407 respectively. But for the proposed method the average proportion is 0.0028 with max 0.0055 and min 0.
23. Quantization
In the quantization phase, binary response bits are generated from real-valued PUF
measurements
Quantization is applied on the Q values generated from identity mapping
A shielding function is used for quantization rather than the comparison approach used by
traditional PUFs. The authors evaluated 2 quantization approaches, the shielding function and the reliable bit
extraction method, and chose the shielding function as the better one. It has the property of shielding any
knowledge about the real-valued quantities.
24. Operation of Shielding Function
The proposed PUF has 2 phases: the enrollment phase and the evaluation phase. In the enrollment phase, a
reference response bit r is generated at the normal operating condition by applying a challenge c, and
is stored in a secure database for subsequent operation of the PUF. In the evaluation phase, the
PUF is supplied with the challenge c to generate a noisy version of r called r’.
In the shielding function the range of Q values is divided into several equal intervals with a width
q during the enrollment phase.
The intervals are alternately assigned “0” and “1”.
Any Qti in chip i falling within an interval is assigned the corresponding binary digit to create rti.
Helper data Wti, based on q, is generated so that a noisy Q’ti is correctly placed in the same
interval as Qti during the evaluation phase.
25. Operation of Shielding Function
The helper data during enrollment is derived using the equation:
During response evaluation, a binary output r’ti is derived as follows:
26. Robust PUF implementation
The prototyping effort for the proposed PUF includes a PC and an FPGA configured with the
modified RO-PUF
The architecture is shown in the figure
During enrollment, several samples of Q values are
taken using challenge input C, and a set of responses R is
generated and stored in the PC along with the helper data
W for the shielding function
During response evaluation the PC sends C and W to get
R
27. The PUF has an 8-bit microcontroller with a data-path to implement the sample measurement of
the RO frequencies, the generation of the Q values for the identity mapping, and the
quantization of the Q values.
All the control signals and memory addresses are supplied by the microcontroller unit
The statistical hypothesis test is not a part of the implementation and has been done
separately
28. Sample Measurement
The circuit in the gray box measures the RO frequencies from an array of m ROs. The ROs are
placed in a 2-D array. The (x,y) position of an RO in the array is used to calculate the Euclidean
distance between RO pair.
An n-bit challenge input C enables one of the m ROs at a time (usually m=2^n), and the frequency
of the RO is measured with a 24-bit counter.
The individual RO frequencies are stored in the memory MEM1
29. Identity Mapping
The authors used e=0.5 and w(xu)(xv) as the Euclidean distance
It requires an integer square root and a multiplication operation
The compare-subtract module is used to compute the absolute difference of 2 RO frequencies
One of the operands for the compare-subtract module comes directly from the memory MEM1 and
the other operand is provided through the memory element REG
The Q values are generated in 3 steps:
I) Step 1: Since the factor is constant, the memory MEM2 is initialized with all possible
pairwise distances using the input D from the micro-controller. It is subsequently overwritten by the
corresponding Q2 values in Step 2.
II) Step 2: All the Q values are combinations of the Q2 values. All the required Q2 values
are calculated at one time and stored in memory MEM2.
III) Step 3: The required Q value is generated by summing the appropriate Q2 values stored in
MEM2. The summation operation takes place in the accumulator
30. Quantization
The microcontroller calculates the sum W+Q and compares it with the appropriate interval of
the shielding function to generate the binary response that is sent to the PC.
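Added example (not the authors' implementation): enrollment and evaluation with a shielding function as described on the Quantization and Operation of Shielding Function slides, wrapped in the server/device exchange from slide 14. The slides do not show the helper-data equation, so the rule used here (W moves Q to the centre of its interval) is an assumption, as are the interval width and all Q values.

```python
import math

Q_STEP = 4.0  # interval width q (constructed value)


def enroll(q_value, q=Q_STEP):
    """Enrollment: return (reference bit r, helper data W) for one Q value."""
    k = math.floor(q_value / q)      # index of the interval that holds Q
    r = k % 2                        # intervals are alternately "0" and "1"
    w = (k + 0.5) * q - q_value      # assumed rule: W centres Q in its interval
    return r, w


def evaluate(q_noisy, w, q=Q_STEP):
    """Evaluation: form W + Q' and read the bit of the interval it lands in."""
    return math.floor((q_noisy + w) / q) % 2


def enroll_device(q_table):
    """Trusted phase: the server keeps {challenge: (r, W)}; Q stays on the chip."""
    return {c: enroll(qv) for c, qv in q_table.items()}


def authenticate(server_db, device_q, challenge, noise=0.0):
    """Untrusted phase: server sends (C, W), device returns r', server compares."""
    r_ref, w = server_db[challenge]
    r_dev = evaluate(device_q[challenge] + noise, w)
    return r_dev == r_ref


# Constructed Q values for three 2-RO challenges on the genuine chip
# and on a different chip presented in its place.
GENUINE = {("RO1", "RO2"): 7.9, ("RO1", "RO3"): 13.2, ("RO2", "RO3"): 2.1}
OTHER = {("RO1", "RO2"): 11.0, ("RO1", "RO3"): 13.0, ("RO2", "RO3"): 6.5}
SERVER_DB = enroll_device(GENUINE)

if __name__ == "__main__":
    c = ("RO1", "RO2")
    print("bit without helper data at Q'=8.3:", evaluate(8.3, 0.0))
    print("bit with helper data at Q'=8.3:   ", evaluate(8.3, SERVER_DB[c][1]))
    print("genuine chip, noise +1.9:", authenticate(SERVER_DB, GENUINE, c, 1.9))
    print("genuine chip, noise +2.5:", authenticate(SERVER_DB, GENUINE, c, 2.5))
    print("other chip:", authenticate(SERVER_DB, OTHER, c))
```

Q = 7.9 sits just below an interval boundary, so a small drift flips the bit unless W is applied; with W the bit survives any noise smaller than q/2 and fails beyond that.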
31. Result
Prototype circuit with 16 ROs has been built on a Xilinx Spartan 3E S500 FPGA which has 4656 slices
The implementation used only 456 slices i.e. (456/4656*100=9.8%) less than 10% of the available
resource.
Table on the right shows a summary of the implementation
To evaluate a single response bit using t ROs, the required number of cycles is
=66000+16C2+78+20*tC2+100=73920+20*tC2+100
For example, a challenge consisting of 4 ROs will take 1.5 ms
to derive the response using a 50 MHz clock. We note that this includes the one-time overhead of RO
frequency measurement and the Q2 calculation, denoted by 73920 cycles.
32. Evaluation of PUF responses
The qualities of a PUF can be evaluated through 2 main factors
Uniqueness: Uniqueness is an estimate of the ability of a PUF to generate random
responses as well as to uniquely distinguish different chips based on the generated responses.
Reliability: Reliability is an estimate of the reproducibility of the PUF responses over
varying operating conditions (such as varying ambient temperature, fluctuating supply voltage).
The factors are estimated using 65519 (=2^16-16-1) PUF response bits generated from each of a
group of 125 FPGAs.
33. PUF Uniqueness
Uniqueness of a PUF is estimated by 3 parameters
I) Average Interchip Hamming Distance (HD): With a pair of chips, i and j (j!=i), both having n-bit
responses, Ri and Rj, respectively, for the same challenge C, the average interdie HD among a group
of chips is defined as follows
II) HWn: The Hamming Weight (HW) of an n-bit response from the chip i = $\sum_{s=1}^{n} r_{i,s}$. $r_{i,s}$ is the
sth binary bit of an n-bit response from a chip i. This is an estimate of the uniformity of PUF responses
III) HWs: The Hamming Weight (HW) for each sth bit position (1<=s<=n) across k chips = $\sum_{i=1}^{k} r_{i,s}$.
This is an estimate of bit aliasing in PUF responses.
34. For truly random PUF responses all 3 of these parameters should have an ideal value of 50%
Using the proposed approach the values found are shown in the following table
Without the use of identity mapping, in the traditional approach, the values are the following:
So it's clear that the traditional method fails many times in distinguishing the chips.
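Added example (not from the slides): the three uniqueness parameters computed over a small response matrix. The slide's inter-chip HD equation did not survive, so the usual definition (mean pairwise HD as a percentage of n) is assumed; all response bits are constructed.

```python
from itertools import combinations


def hamming(a, b):
    """Number of bit positions in which two responses differ."""
    return sum(x != y for x, y in zip(a, b))


def interchip_hd(responses):
    """Assumed definition: mean HD over all chip pairs, in % of n bits."""
    k, n = len(responses), len(responses[0])
    total = sum(hamming(a, b) for a, b in combinations(responses, 2))
    return 100.0 * total / (n * k * (k - 1) / 2)


def uniformity(responses):
    """HWn: share of 1 bits in each chip's n-bit response, in %."""
    return [100.0 * sum(r) / len(r) for r in responses]


def bit_aliasing(responses):
    """HWs: share of chips that output 1 at each bit position s, in %."""
    k = len(responses)
    return [100.0 * sum(col) / k for col in zip(*responses)]


def indistinguishable_pairs(responses):
    """Chip pairs whose responses are identical (HD = 0)."""
    idx = range(len(responses))
    return [(i, j) for i, j in combinations(idx, 2)
            if hamming(responses[i], responses[j]) == 0]


# Constructed 8-bit responses from 4 chips to the same challenges.
RESPONSES = [
    [0, 1, 1, 0, 1, 0, 0, 1],
    [1, 1, 0, 0, 1, 0, 1, 0],
    [0, 0, 1, 1, 0, 1, 0, 1],
    [1, 0, 0, 1, 0, 1, 1, 0],
]
# Same set, but chip 1 returns exactly what chip 0 returns, as happens
# when a rank-based response cannot separate two chips.
CLONED = [RESPONSES[0], RESPONSES[0], RESPONSES[2], RESPONSES[3]]

if __name__ == "__main__":
    for name, data in (("RESPONSES", RESPONSES), ("CLONED", CLONED)):
        print(name, "inter-chip HD %:", round(interchip_hd(data), 2))
        print(name, "HWn %:", uniformity(data))
        print(name, "HWs %:", bit_aliasing(data))
        print(name, "identical pairs:", indistinguishable_pairs(data))
```

In the first set HWn and HWs are all exactly 50% while the inter-chip HD is about 66.7%, which is why the three parameters are reported together rather than any one alone.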
35. PUF Reliability
To extract the PUF reliability, the authors extract an n-bit reference response (Ri) from the chip i
at the normal operating condition. The same n-bit response is extracted at a different operating
condition with a value R’i. x samples of R’i are taken for each of the operating conditions. For the
chip i the PUF reliability is estimated as
The authors tested the PUF response at 9 different temperatures from 0-90 degrees C and at
±20% of the supply voltage using a DC regulated power supply. The bottom figures represent the
result
36. Area cost and Robust Response
In the traditional PUF, 128 response bits have been produced using 1024 ROs. Without the reliability
scheme, a total of 256 ROs is required for a 128-bit response. So a total of 256*4=1024 slices is required
just for implementing the ROs
Therefore the ROs alone in the traditional PUF use 1024/456=2.25 times more area compared to
the total area consumed by the proposed method
At the same time the proposed method produces 65519 bits of response compared to 128 bits
for the traditional approach
37. Security analysis
I) Uniformity of response: The ratio of “0/1” is close to 50% (Value of HWn) thus the response is not biased to any
binary value. So the attacker can not predict a chip response easily as the response has uniformity of “0” and “1”.
II) Response conditioned by challenge: It is checked whether there is any correlation between a challenge and
response. For a challenge with 2 ROs, we keep one of the ROs fixed while changing the other. The fixed RO can
form 15 response bits, R(ROa,ROi) for 1<=i<=15, a!=i.
The quantity $\frac{1}{15} \sum_{i=1}^{15} HW(R(RO_a, RO_i)) \times 100\%$, $a \neq i$, is calculated. For an unbiased PUF it should
generate 50%, meaning that fixing an RO as part of the challenge produces “0s” and “1s” with equal probability.
For the proposed PUF it is found to be around 50%. The same is found when taking 3 ROs and keeping a pair fixed while
varying the other.
III) Inter-response dependency test: In the proposed PUF, the building blocks for all Q values are the Q2 values.
The authors checked whether it's possible to know the response from Q3 values by observing the corresponding
responses from Q2 values, that is, whether it's possible to predict R(ROa,ROb,ROc) knowing R(ROa,ROb), R(ROb,ROc)
and R(ROa,ROc). For each response, HW(R(ROa,ROb), R(ROb,ROc), R(ROa,ROc)) is calculated, and it would
produce the values HW=3, 2, 1 and 0. Now it's counted how many “1” bits have been produced by R(ROa,ROb,ROc) in
total for each of these 4 groups. There are a total of 16C3=560 R(ROa,ROb,ROc).
It's found that for each group the probability of response “1” is around 50%, showing there is no inter-response
dependency.
38. The inter-response dependency is clear from the following curve
IV) Differential Attack: R(ROa,ROb) and R(ROa,ROc) are observed. Then it's observed whether we can predict
R(ROb,ROc) from these two responses. For each ROa there are a total of 15C2=105 (ROb,ROc) pairs.
We now calculate HW(R(ROa,ROb), R(ROa,ROc)) for each of the 105 pairs. The possible values of HW are 2, 1 and 0. We
then count how many “1” bits have been produced by R(ROb,ROc) in total by each of these subgroups. The
probability of response “1” is found to be around 50%, indicating that there is no successful differential attack.
39. V) Model building through machine learning: It’s the technique that has been used to attack the RO-PUF using a
quick sorting method to determine the relative ranking of the RO frequencies.
This technique is particularly suitable for the traditional PUF, as its responses can be constructed purely based on
frequency ranking without knowledge of the absolute frequency values.
In the proposed PUF this technique doesn’t have any effect, as the response is generated after the transformation of RO
frequencies to Q values and then a random assignment of a binary value using quantization.
VI) Reverse engineering attack: An attacker may try to gain knowledge of the RO frequencies or Q values to
construct R. But the attacker will not be able to know the Q values, as they are calculated within the FPGA chip and
never come out of the FPGA chip. This has 2 advantages:
a) Even if Qi and Qj are not completely independent the attacker has no way to access either of them.
b) Reverse engineering is impossible as Q values are not accessible.
At the output, there are 2 possible points of vulnerability: helper data W and response R. An attacker may try to
predict an unknown response Ri from helper data W or from a known response Rj (i!=j)
40. But the attacker faces difficulty due to the following reasons:
◦ A) The probability that R is leaked by W is of the order 10^-5 for the shielding function when q/σ=1,
q= width of quantization interval and σ is the standard deviation of Q values. So knowing W attacker
can’t predict R.
◦ B)To predict an unknown response Ri one has to estimate the absolute value of corresponding Q which
is difficult
41. Future Work
The authors mentioned one drawback of their model: side-channel attacks.
The proposed method uses arithmetic units such as the square root and multiplier, and intermediate
storage such as MEM1 and MEM2, which make the model vulnerable to side-channel attacks
Using side-channel power and timing measurements, one can try to read the frequency
values