Analysis of the Strict Avalanche Criterion in variants of - - PowerPoint PPT Presentation

▶

Nov 12, 2023 418 likes •679 views

Analysis of the Strict Avalanche Criterion in variants of Arbiter-based Physically Unclonable Functions Akhilesh Anilkumar Siddhanti 1 , Srinivasu Bodapati 2 , Anupam Chattopadhyay 3 , Subhamoy Maitra 4 , Dibyendu Roy 5 and Pantelimon St a 6

SLIDE 1

Analysis of the Strict Avalanche Criterion in variants of Arbiter-based Physically Unclonable Functions

Akhilesh Anilkumar Siddhanti1, Srinivasu Bodapati2, Anupam Chattopadhyay3, Subhamoy Maitra4, Dibyendu Roy5 and Pantelimon St˘ anic˘ a6

1Georgia Institute of Technology, Atlanta, USA

akhilesh@gatech.edu

2Indian Institute of Technology Mandi, Mandi, India

srinivasu@iitmandi.ac.in

3Nanyang Technological University, Singapore, Singapore

anupam@ntu.edu.sg

4Indian Statistical Institute, Kolkata, India

subho@isical.ac.in

5ERTL(E), STQC, Kolkata, India

roydibyendu.rd@gmail.com

6Naval Postgraduate School, Monterey, USA

pstanica@nps.edu

Indocrypt, 2019

SLIDE 2

Outline

◮ Background on Physically Unclonable Functions ◮ Theoretical Estimation of Bias on Different PUFs ◮ S–PUF Construction: Improving the SAC Property ◮ Constructions of Sn–PUF ◮ Our Experimental Study on S–PUF ◮ Conclusion

Indocrypt 2019 Analysis of the Strict Avalanche Criterion in variants of Arbiter-based Physically Unclonable Functions 2 / 25

SLIDE 3

Background on Physically Unclonable Functions

Arbiter-based PUF

It is a physical one-way pseudorandom function from an n-dimension space {−1, 1}n, referred to as challenge to a one bit output, called response. It is based on following parameters: ◮ Challenge: C = (C0, · · · , Cn−1), Ci ∈ {−1, 1}, i = 0, . . . , n − 1, ◮ Delay parameters: pi, qi, ri and si, which are selected randomly from a normal distribution, ◮ Response: r ∈ {0, 1}, which should look like random.

Indocrypt 2019 Analysis of the Strict Avalanche Criterion in variants of Arbiter-based Physically Unclonable Functions 3 / 25

SLIDE 4

Background on Physically Unclonable Functions

Arbiter-based PUF can be modeled as: ∆(n) = α1P0 + (α2 + β1)P1 + . . . + (αn + βn−1)Pn−1 + βnPn, (1) where Pk = n

i=k+1 Ci, for k = 0, 1, . . . , n − 1, Pn = 1,

αi = (pi−qi)

+ (ri−si)

, βi = (pi−qi)

− (ri−si)

. ◮ Response r will be either 0/1 depending upon the sign of ∆(n).

Indocrypt 2019 Analysis of the Strict Avalanche Criterion in variants of Arbiter-based Physically Unclonable Functions 4 / 25

SLIDE 5

Background on Physically Unclonable Functions

◮ Consider mapping T(x) = (1+x)

, then T(−1) = 0, T(1) = 1. ◮ With this transformation, a PUF with n length input will become a pseudorandom function which takes n bit string as input and

utputs a bit.

◮ Hence, a PUF with n length input can be seen as a Boolean function f : {0, 1}n → {0, 1} involving n variables.

Indocrypt 2019 Analysis of the Strict Avalanche Criterion in variants of Arbiter-based Physically Unclonable Functions 5 / 25

SLIDE 6

Background on Physically Unclonable Functions

Figure 1: An Arbiter PUF with n inputs.

Indocrypt 2019 Analysis of the Strict Avalanche Criterion in variants of Arbiter-based Physically Unclonable Functions 6 / 25

SLIDE 7

Background on Physically Unclonable Functions

◮ k-XOR PUF: r = k

i=1 zi; Here zi is the output from i-th PUF,

i = 1, . . . , k. ◮ Feedforward PUF: A feedforward PUF uses an arbiter over the first t1 stages, and feeds the input to the switch t2 as Ct2.

Indocrypt 2019 Analysis of the Strict Avalanche Criterion in variants of Arbiter-based Physically Unclonable Functions 7 / 25

SLIDE 8

Background on Physically Unclonable Functions

Example

Consider one PUF with parameters α1, α2, β1, β2, which takes input of length 2: ∆(2) = α1C1C2 + (α2 + β1)C2 + β2.

1. For α1 = 0.5, α2 = −0.5, β1 = 0.5, β2 = 0.3

∆(2) = 0.5C1C2 + (−0.5 + 0.5)C2 + 0.3 = 0.5C1C2 + 0.3 For challenge (−1, 1), output will be 0.

2. For α1 = 0.5, α2 = −0.5, β1 = 0.5, β2 = 0.6

∆(2) = 0.5C1C2 + (−0.5 + 0.5)C2 + 0.6 = 0.5C1C2 + 0.6 For challenge (−1, 1), output will be 1. Due to the involvement of delay parameters (system parameters) the

utput from a PUF should look like random.

Indocrypt 2019 Analysis of the Strict Avalanche Criterion in variants of Arbiter-based Physically Unclonable Functions 8 / 25

SLIDE 9

◮ Expectation: Output from PUF will be random looking in nature. ◮ Observation: Output from PUF has nonrandomness. Consider two inputs x, x, where the first coordinates of x and x are of

pposite in sign. Let z and

z be the outputs corresponding to x and x respectively. # Inputs # XOR Sign Altered Position Pr[z = z] # Samples 16 1 0.8878 1024 16 9 1 0.5463 1024

Table 1: Experimental Bias on PUFs

Indocrypt 2019 Analysis of the Strict Avalanche Criterion in variants of Arbiter-based Physically Unclonable Functions 9 / 25

SLIDE 10

Theoretical Estimation of Bias on PUF

Our Goal

Estimate the Pr[z = z], where z, z are the output bits corresponding to challenges Cx and C

x respectively.

We first consider two inputs x, x to the PUF by modifying the sign of C1.

Indocrypt 2019 Analysis of the Strict Avalanche Criterion in variants of Arbiter-based Physically Unclonable Functions 10 / 25

SLIDE 11

Theoretical Estimation of Bias on a PUF

Lemma 1

Let x and x be two inputs to an n inputs PUF, where the first coordinates of x and x are of opposite in sign. Let z and z be the

utputs corresponding to x and
x. Then

Pr[z = z] = 1

2 +

2 − 2 π tan−1 1 √2n−1

Lemma 2

For two inputs x and x differing in the tth coordinate, we have Pr[z = ˜ z] = 1

2 +

2 − 2 π tan−1 2t−1 2n−2t+1

Indocrypt 2019 Analysis of the Strict Avalanche Criterion in variants of Arbiter-based Physically Unclonable Functions 11 / 25

SLIDE 12

Theoretical Estimation of Bias on a PUF

Proof: From the Lemma 1 we have Pr[z = z] = 1 2 + 1 2 − 2 π tan−1

√2n − 1 . Now let us observe the bias for flipping tth bit of the input. Revisiting Equation (1), we have (without any sign flips): ∆(C) = α1(C1 · · · Ct · · · Cn) + (α2 + β1)(C2 · · · Ct · · · Cn) + · · · + (αt + βt−1)(Ct · · · Cn) + (αt+1 + βt)(Ct+1 · · · Cn) + · · · + (αn + βn−1)Pn−1 + βnPn. Flipping the sign of tth bit results in the following expression: ∆(C) = −[α1(C1 · · · Ct · · · Cn) + (α2 + β1)(C2 · · · Ct · · · Cn) + · · · + (αt + βt−1)(Ct · · · Cn)] + (αt+1 + βt)(Ct+1 · · · Cn) + · · · + (αn + βn−1)Pn−1 + βnPn.

Indocrypt 2019 Analysis of the Strict Avalanche Criterion in variants of Arbiter-based Physically Unclonable Functions 12 / 25

SLIDE 13

Theoretical Estimation of Bias on a PUF

We know that α ∼ N(0, σ1 √2t − 1) and X ∼ N(0, σ1 √2n − 2t + 1), where

α = α1(C1 · · · Ct · · · Cn) + (α2 + β1)(C2 · · · Ct · · · Cn) + (αt + βt−1)(Ct · · · Cn)

and X = (αt+1 + βt)(Ct+1 · · · Cn) + . . . + (αn + βn−1)Pn−1 + βnPn. ◮ It can be observed that ∆(C) will not change its sign iff |α| < |X|. ◮ So we need to calculate Pr

|α| < |X|
to find the required

probability. ◮ By following the proof of Lemma 1 (see our article) it can be shown that Pr[z = ˜ z] = 1 2 + 1 2 − 2 π tan−1

2t − 1

2n − 2t + 1

(2)

Indocrypt 2019 Analysis of the Strict Avalanche Criterion in variants of Arbiter-based Physically Unclonable Functions 13 / 25

SLIDE 14

Theoretical Estimation of Bias on r XOR PUF

Using Piling-up lemma we obtain the bias of r-XOR PUFs.

Lemma 3

Let x and x be two inputs to an n inputs r-XOR PUF, where the first coordinates of x and x are of opposite in sign. If z and z are the outputs corresponding to x and x, then Pr[z = z] = 1

2 + 2r−1ǫr, where

ǫ =

2 − 2 π tan−1 1 √2n−1

.

Indocrypt 2019 Analysis of the Strict Avalanche Criterion in variants of Arbiter-based Physically Unclonable Functions 14 / 25

SLIDE 15

Theoretical Estimation of Bias on Other PUFs

Other Theoretical Results (See Our Article)

◮ Estimation of bias on feedforward PUF. ◮ Estimation of bias on a PUF with a combiner function under the assumption that the probability of output of each PUF changes is constant p.

PUF Type Combiner Function Experimental Theoretical and parameters Probability Probability1 k-XOR f = x1 + x2 + x3 + x4, n = 10 and k = 4 0.630 0.629 (n, k)-MPUF f = x1x5x6 + x2x5x6 + x2x5 + x3x5x6 0.759 0.760 +x3x6 + x4x5x6 + x4x5 + x4x6 + x4 n = 10 and k = 2

Table 2: Experimental verification with variants of Arbiter PUFs.

1Theorem 2 of our article

Indocrypt 2019 Analysis of the Strict Avalanche Criterion in variants of Arbiter-based Physically Unclonable Functions 15 / 25

SLIDE 16

S-PUF Construction: Improving the SAC Property

Figure 2: S-PUF construction with only two Arbiter PUFs

Indocrypt 2019 Analysis of the Strict Avalanche Criterion in variants of Arbiter-based Physically Unclonable Functions 16 / 25

SLIDE 17

S-PUF Construction: Improving the SAC Property

Design rationale: ◮ Pr[z = ˜ z] = 1

2 +

2 − 2 π tan−1 2t−1 2n−2t+1

2 + ǫ′, where

ǫ′ = 1

2 − 2 π tan−1 2t−1 2n−2t+1.

◮ Putting bias ǫ′ = 0 we have: ǫ′ = 1

2 − 2 π tan−1 2t−1 2n−2t+1 = 0

= ⇒ tan−1

2t−1 2n−2t+1 = π 4 =

⇒ t = ⌈ n+1

2 ⌉ or ⌊ n+1 2 ⌋.

◮ For even n we have experimentally observed that t = ⌊ n+1

2 ⌋ i.e.,

t = n

2 provides the lowest bias. For odd n the bias will be lowest for

t = n+1

2 .

◮ As in general n is even, we assume t = n

2 .

Indocrypt 2019 Analysis of the Strict Avalanche Criterion in variants of Arbiter-based Physically Unclonable Functions 17 / 25

SLIDE 18

Bias in the S-PUF Construction

(a) Bias for S-PUF construction involving only two Arbiter PUFs (b) Bias for S-PUF construction involving 4 Arbiter PUFs

Indocrypt 2019 Analysis of the Strict Avalanche Criterion in variants of Arbiter-based Physically Unclonable Functions 18 / 25

SLIDE 19

Constructions of Sn-PUFs

◮ We use a combiner function which will take inputs from several S-PUFs and produce a 1-bit response. We call this new PUF construction, an Sn-PUF. ◮ We consider M-M (Maiorana-McFarland) bent function f(x, y) = φ(x) · y + g(x) as combiner function. ◮ For our combiner function we assume g(y) = 0 (as it provides good reliability), i.e., the combiner function is f(x, y) = φ(x) · y.

Arbiters used Input to the combiner Reliability2 Nonlinearity Pr[z = 0] 24 12 0.81 2016 0.4922 28 14 0.78 8128 0.4960 32 16 0.76 32640 0.4980 Table 3: S-PUF with f(x, y) = φ(x) · y as combiner function

2Reliability of PUF translates to how efficiently a PUF can reproduce the same

response bits under different situations.

Indocrypt 2019 Analysis of the Strict Avalanche Criterion in variants of Arbiter-based Physically Unclonable Functions 19 / 25

SLIDE 20

Our Experimental Study

◮ Nexys-4 Artix-7 FPGA is used to test the performance of the design. ◮ Multiplexers in the Arbiter data path are placed using the constraints. ◮ The parameters are calculated based on the hamming distance of the responses. ◮ The characteristics of the PUF are categorized based on three parameters:

Device :

Uniqueness : uniqueness of the response from one device to other. Bit-aliasing : Any bit permanently sourced to Vdd/Gnd.

Time :

Reliability : Variations in the response over ages. The variations in the temperature, voltage and process may influence the PUF response.

Space :

Uniformity : Measures the proportion of 1’s and 0’s in the response

Indocrypt 2019 Analysis of the Strict Avalanche Criterion in variants of Arbiter-based Physically Unclonable Functions 20 / 25

SLIDE 21

Our Experimental Study

Figure 3: Intra chip and Inter chip Hamming Distance of 128-bit S-PUF; This is plotted using the response from Artix-7 board.

Indocrypt 2019 Analysis of the Strict Avalanche Criterion in variants of Arbiter-based Physically Unclonable Functions 21 / 25

SLIDE 22

Our Experimental Study

Figure 4: Reliability of a 128-bit S-PUF on a Nexys-4 DDR Artix-7 FPGA

◮ From this plot, it can be observed that the reliability of the PUF is very good. The error occurred can be recovered using the error correction mechanism such as BCH.

Indocrypt 2019 Analysis of the Strict Avalanche Criterion in variants of Arbiter-based Physically Unclonable Functions 22 / 25

SLIDE 23

Our Experimental Study

Parameter Proposed Ring oscillator Original CHAR CHAR & MAJ S-PUF PUF [1] Design [2] Uniqueness 50 % 49.22 48.52 45.60 45.60 Uniformity 49.9% 48.5 51.06 50.60 50.54 Reliability 92 % 99.99 92.00 98.87 99.58 Bit-aliasing 51.7 % 47.89 43.52 43.52 43.52

Table 4: Comparison of the S-PUF with few existing designs

1. B. Srinivasu, P. Vikramkumar, A. Chattopadhyay, K. Lam. CoLPUF: A Novel

Configurable LFSR-based PUF. In: IEEE Asia Pacific Conference on Circuits and Systems (APCCAS), 2018, 358–361.

2. C. Gu, N. Hanley and M. O’neill. Improved Reliability of FPGA-Based PUF

Identification Generator Design. ACM Trans. Reconfigurable Technol. Syst. Vol. 10, No. 3, 20:1–20:23, July 2017.

The designs presented in [2] have two variations one with the post characterization(CHAR) and other one including the error correction capability (CHAR & MAJ).

Indocrypt 2019 Analysis of the Strict Avalanche Criterion in variants of Arbiter-based Physically Unclonable Functions 23 / 25

SLIDE 24

Conclusion

◮ We have provided theoretical estimation of biases on several PUFs. ◮ We noticed that these biases do not depend on the delay parameters. ◮ From our theoretical estimates, the biases of several PUFs with large inputs can be determined, which is not possible, computationally. ◮ Further, we introduce a new construction of a PUF, which

vercomes these biases.

◮ The proposed S-PUF is implemented in an Artix-7 FPGA and we

bserve that the S-PUF has good uniqueness, bit-aliasing and

uniformity, reliability.

Indocrypt 2019 Analysis of the Strict Avalanche Criterion in variants of Arbiter-based Physically Unclonable Functions 24 / 25

SLIDE 25