Analysis of the Strict Avalanche Criterion in variants of - PowerPoint PPT Presentation

Analysis of the Strict Avalanche Criterion in variants of Arbiter-based Physically Unclonable Functions Akhilesh Anilkumar Siddhanti 1 , Srinivasu Bodapati 2 , Anupam Chattopadhyay 3 , Subhamoy Maitra 4 , Dibyendu Roy 5 and Pantelimon St˘ a 6 anic˘ 1 Georgia Institute of Technology, Atlanta, USA akhilesh@gatech.edu 2 Indian Institute of Technology Mandi, Mandi, India srinivasu@iitmandi.ac.in 3 Nanyang Technological University, Singapore, Singapore anupam@ntu.edu.sg 4 Indian Statistical Institute, Kolkata, India subho@isical.ac.in 5 ERTL(E), STQC, Kolkata, India roydibyendu.rd@gmail.com 6 Naval Postgraduate School, Monterey, USA pstanica@nps.edu Indocrypt, 2019

Outline ◮ Background on Physically Unclonable Functions ◮ Theoretical Estimation of Bias on Different PUFs ◮ S–PUF Construction: Improving the SAC Property ◮ Constructions of S n –PUF ◮ Our Experimental Study on S–PUF ◮ Conclusion Indocrypt 2019 Analysis of the Strict Avalanche Criterion in variants of Arbiter-based Physically Unclonable Functions 2 / 25

Background on Physically Unclonable Functions Arbiter-based PUF It is a physical one-way pseudorandom function from an n -dimension space {− 1 , 1 } n , referred to as challenge to a one bit output, called response. It is based on following parameters: ◮ Challenge: C = ( C 0 , · · · , C n − 1 ) , C i ∈ {− 1 , 1 } , i = 0 , . . . , n − 1 , ◮ Delay parameters: p i , q i , r i and s i , which are selected randomly from a normal distribution, ◮ Response: r ∈ { 0 , 1 } , which should look like random. Indocrypt 2019 Analysis of the Strict Avalanche Criterion in variants of Arbiter-based Physically Unclonable Functions 3 / 25

Background on Physically Unclonable Functions Arbiter-based PUF can be modeled as: ∆( n ) = α 1 P 0 + ( α 2 + β 1 ) P 1 + . . . + ( α n + β n − 1 ) P n − 1 + β n P n , (1) where P k = � n i = k +1 C i , for k = 0 , 1 , . . . , n − 1 , P n = 1 , α i = ( p i − q i ) + ( r i − s i ) , β i = ( p i − q i ) − ( r i − s i ) . 2 2 2 2 ◮ Response r will be either 0 / 1 depending upon the sign of ∆( n ) . Indocrypt 2019 Analysis of the Strict Avalanche Criterion in variants of Arbiter-based Physically Unclonable Functions 4 / 25

Background on Physically Unclonable Functions ◮ Consider mapping T ( x ) = (1+ x ) , then T ( − 1) = 0 , T (1) = 1 . 2 ◮ With this transformation, a PUF with n length input will become a pseudorandom function which takes n bit string as input and outputs a bit. ◮ Hence, a PUF with n length input can be seen as a Boolean function f : { 0 , 1 } n → { 0 , 1 } involving n variables. Indocrypt 2019 Analysis of the Strict Avalanche Criterion in variants of Arbiter-based Physically Unclonable Functions 5 / 25

Background on Physically Unclonable Functions Figure 1: An Arbiter PUF with n inputs. Indocrypt 2019 Analysis of the Strict Avalanche Criterion in variants of Arbiter-based Physically Unclonable Functions 6 / 25

Background on Physically Unclonable Functions ◮ k -XOR PUF: r = � k i =1 z i ; Here z i is the output from i -th PUF, i = 1 , . . . , k . ◮ Feedforward PUF: A feedforward PUF uses an arbiter over the first t 1 stages, and feeds the input to the switch t 2 as C t 2 . Indocrypt 2019 Analysis of the Strict Avalanche Criterion in variants of Arbiter-based Physically Unclonable Functions 7 / 25

Background on Physically Unclonable Functions Example Consider one PUF with parameters α 1 , α 2 , β 1 , β 2 , which takes input of length 2 : ∆(2) = α 1 C 1 C 2 + ( α 2 + β 1 ) C 2 + β 2 . 1. For α 1 = 0 . 5 , α 2 = − 0 . 5 , β 1 = 0 . 5 , β 2 = 0 . 3 ∆(2) = 0 . 5 C 1 C 2 + ( − 0 . 5 + 0 . 5) C 2 + 0 . 3 = 0 . 5 C 1 C 2 + 0 . 3 For challenge ( − 1 , 1) , output will be 0 . 2. For α 1 = 0 . 5 , α 2 = − 0 . 5 , β 1 = 0 . 5 , β 2 = 0 . 6 ∆(2) = 0 . 5 C 1 C 2 + ( − 0 . 5 + 0 . 5) C 2 + 0 . 6 = 0 . 5 C 1 C 2 + 0 . 6 For challenge ( − 1 , 1) , output will be 1 . Due to the involvement of delay parameters (system parameters) the output from a PUF should look like random. Indocrypt 2019 Analysis of the Strict Avalanche Criterion in variants of Arbiter-based Physically Unclonable Functions 8 / 25

◮ Expectation: Output from PUF will be random looking in nature. ◮ Observation: Output from PUF has nonrandomness. Consider two inputs x , � x , where the first coordinates of x and � x are of opposite in sign. Let z and � z be the outputs corresponding to x and � x respectively. # Inputs # XOR Sign Altered Position Pr [ z = � z ] # Samples 16 0 1 0 . 8878 1024 16 9 1 0 . 5463 1024 Table 1: Experimental Bias on PUFs Indocrypt 2019 Analysis of the Strict Avalanche Criterion in variants of Arbiter-based Physically Unclonable Functions 9 / 25

Theoretical Estimation of Bias on PUF Our Goal Estimate the Pr [ z = � z ] , where z , � z are the output bits corresponding to challenges C x and C � x respectively. We first consider two inputs x , � x to the PUF by modifying the sign of C 1 . Indocrypt 2019 Analysis of the Strict Avalanche Criterion in variants of Arbiter-based Physically Unclonable Functions 10 / 25

Theoretical Estimation of Bias on a PUF Lemma 1 Let x and � x be two inputs to an n inputs PUF, where the first coordinates of x and � x are of opposite in sign. Let z and � z be the outputs corresponding to x and � x . Then � π tan − 1 � �� z ] = 1 2 − 2 1 1 Pr [ z = � 2 + . √ 2 n − 1 Lemma 2 x differing in the t th coordinate, we have For two inputs x and � � π tan − 1 � � z ] = 1 1 2 − 2 2 t − 1 Pr [ z = ˜ 2 + . 2 n − 2 t +1 Indocrypt 2019 Analysis of the Strict Avalanche Criterion in variants of Arbiter-based Physically Unclonable Functions 11 / 25

Theoretical Estimation of Bias on a PUF Proof: From the Lemma 1 we have � � � � 1 z ] = 1 2 − 2 1 π tan − 1 Pr [ z = � 2 + √ 2 n − 1 . Now let us observe the bias for flipping t th bit of the input. Revisiting Equation (1), we have (without any sign flips): ∆( C ) = α 1 ( C 1 · · · C t · · · C n ) + ( α 2 + β 1 )( C 2 · · · C t · · · C n ) + · · · + ( α t + β t − 1 )( C t · · · C n ) + ( α t +1 + β t )( C t +1 · · · C n ) + · · · + ( α n + β n − 1 ) P n − 1 + β n P n . Flipping the sign of t th bit results in the following expression: ∆( C ) = − [ α 1 ( C 1 · · · C t · · · C n ) + ( α 2 + β 1 )( C 2 · · · C t · · · C n ) + · · · + ( α t + β t − 1 )( C t · · · C n )] + ( α t +1 + β t )( C t +1 · · · C n ) + · · · + ( α n + β n − 1 ) P n − 1 + β n P n . Indocrypt 2019 Analysis of the Strict Avalanche Criterion in variants of Arbiter-based Physically Unclonable Functions 12 / 25

Theoretical Estimation of Bias on a PUF √ 2 t − 1) and X ∼ N (0 , σ 1 √ 2 n − 2 t + 1) , We know that α ∼ N (0 , σ 1 where α = α 1 ( C 1 · · · C t · · · C n ) + ( α 2 + β 1 )( C 2 · · · C t · · · C n ) + ( α t + β t − 1 )( C t · · · C n ) and X = ( α t +1 + β t )( C t +1 · · · C n ) + . . . + ( α n + β n − 1 ) P n − 1 + β n P n . ◮ It can be observed that ∆( C ) will not change its sign iff | α | < | X | . � � ◮ So we need to calculate Pr | α | < | X | to find the required probability. ◮ By following the proof of Lemma 1 (see our article) it can be shown that � � 1 � z ] = 1 2 − 2 2 t − 1 π tan − 1 Pr [ z = ˜ 2 + . (2) 2 n − 2 t + 1 Indocrypt 2019 Analysis of the Strict Avalanche Criterion in variants of Arbiter-based Physically Unclonable Functions 13 / 25

Theoretical Estimation of Bias on r XOR PUF Using Piling-up lemma we obtain the bias of r -XOR PUFs. Lemma 3 Let x and � x be two inputs to an n inputs r -XOR PUF, where the first coordinates of x and � x are of opposite in sign. If z and � z are the outputs z ] = 1 2 + 2 r − 1 ǫ r , where corresponding to x and � x , then Pr [ z = � � π tan − 1 � � � 1 2 − 2 1 ǫ = . √ 2 n − 1 Indocrypt 2019 Analysis of the Strict Avalanche Criterion in variants of Arbiter-based Physically Unclonable Functions 14 / 25

Theoretical Estimation of Bias on Other PUFs Other Theoretical Results (See Our Article) ◮ Estimation of bias on feedforward PUF. ◮ Estimation of bias on a PUF with a combiner function under the assumption that the probability of output of each PUF changes is constant p . PUF Type Combiner Function Experimental Theoretical Probability 1 and parameters Probability k -XOR f = x 1 + x 2 + x 3 + x 4 , n = 10 and k = 4 0 . 630 0 . 629 ( n, k ) -MPUF f = x 1 x 5 x 6 + x 2 x 5 x 6 + x 2 x 5 + x 3 x 5 x 6 + x 3 x 6 + x 4 x 5 x 6 + x 4 x 5 + x 4 x 6 + x 4 0 . 759 0 . 760 n = 10 and k = 2 Table 2: Experimental verification with variants of Arbiter PUFs. 1 Theorem 2 of our article Indocrypt 2019 Analysis of the Strict Avalanche Criterion in variants of Arbiter-based Physically Unclonable Functions 15 / 25

S-PUF Construction: Improving the SAC Property Figure 2: S-PUF construction with only two Arbiter PUFs Indocrypt 2019 Analysis of the Strict Avalanche Criterion in variants of Arbiter-based Physically Unclonable Functions 16 / 25