
Strong Machine Learning Attack against PUFs with No Mathematical Model

Fatemeh Ganji, Shahin Tajik, Fabian Fäßler, and Jean-Pierre Seifert

Security in Telecommunications,

Technische Universität Berlin and Telekom Innovation Laboratories,

Berlin, Germany

{fganji,stajik,jpseifert}@sec.t-labs.tu-berlin.de

fabian.faessler@campus.tu-berlin.de

Abstract. Although numerous attacks have revealed the vulnerability of different PUF families to non-invasive Machine Learning (ML) attacks, the question remains open whether all PUFs might be learnable. Until now, virtually all ML attacks have relied on the assumption that a mathematical model of the PUF functionality is known a priori. However, this is not always the case, and attention should be paid to this important aspect of ML attacks. This paper addresses this issue by providing a provable framework for ML attacks against a PUF family whose underlying mathematical model is unknown. We prove that this PUF family is inherently vulnerable to our novel PAC (Probably Approximately Correct) learning framework. We apply our ML algorithm to the Bistable Ring PUF (BR-PUF) family, which is one of the most interesting and prime examples of a PUF with an unknown mathematical model. We practically evaluate our ML algorithm through extensive experiments on BR-PUFs implemented on Field-Programmable Gate Arrays (FPGAs). In line with our theoretical findings, our experimental results strongly confirm the effectiveness and applicability of our attack. This is also interesting since our complex proof relies heavily on the spectral properties of Boolean functions, which are known to hold only asymptotically. Along with this proof, we further provide the theorem that every PUF must have some challenge bit positions that have larger influences on the responses than other challenge bits.

Keywords: Machine Learning, PAC Learning, Boosting Technique, Fourier Analysis, Physically Unclonable Functions (PUFs).

©IACR 2016. This article is the final version submitted by the author(s) to the IACR and to Springer-Verlag on June 6th, 2016. The version published by Springer-Verlag is available at 10.1007/978-3-662-53140-2_19. Personal use of this material is permitted. Permission from Springer-Verlag and IACR must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.

1 Introduction

Nowadays, it is broadly accepted that Integrated Circuits (ICs) are subject to overbuilding and piracy due to the adoption of authentication methods relying on insecure key storage techniques [24]. To overcome the problem of secure key storage, Physically Unclonable Functions (PUFs) have been introduced as promising solutions [15, 30]. For PUFs, manufacturing process variations eventually lead to instance-specific, inherent physical properties that can generate virtually unique responses when the instance is given some challenges. Therefore, PUFs can be utilized either as device fingerprints for secure authentication or as a source of entropy in secure key generation scenarios. In this case, there is no need for permanent key storage, since the desired key is generated instantly upon powering up the device. Owing to the instance-specific, inherent physical properties of PUFs, they are assumed to be unclonable and unpredictable, and therefore trustworthy and robust against attacks [26]. However, more than a decade after the invention of PUFs, the design of a truly unclonable physical function is still a challenging task. Most security schemes relying on the notion of PUFs are designed based on a “design-break-patch” rule, instead of a thorough cryptographic approach.

Along with the construction of a wide variety of PUFs, several different types of attacks, ranging from non-invasive to semi-invasive attacks [18, 19, 33, 39], have been launched on these primitives. Machine learning (ML) attacks are one of the most common types of non-invasive attacks against PUFs, whose popularity stems from their characteristics, namely being cost-effective and non-destructive. Moreover, these attacks require the adversary only to observe the input-output (i.e., so-called challenge-response) behavior of the targeted PUF. In this attack scenario, a relatively small subset of challenges along with their respective responses is collected by the adversary, who attempts to come up with a model describing the challenge-response behavior of the PUF. In addition to heuristic learning techniques, e.g., those proposed in [33, 34], the authors of [12–14] have proposed the probably approximately correct (PAC) learning framework to ensure the delivery of a model for prespecified levels of accuracy and confidence. One of the key results reported in [12–14] is that knowledge of the mathematical model of the PUF functionality enables the adversary to establish a proper hypothesis representation (i.e., a mathematical model of the PUF), and then try to PAC learn this representation. This gives rise to the question of whether a PUF can be PAC learned without prior knowledge of a precise mathematical model of the PUF.

Bistable Ring PUFs (BR-PUFs) [7] and Twisted Bistable Ring PUFs (TBR-PUFs) [37] are examples of PUFs whose functionality cannot be easily translated into a precise mathematical model. In an attempt to do so, the authors of [37, 41] suggested simplified mathematical models for BR-PUFs and TBR-PUFs. However, their models do not precisely reflect the physical behavior of these architectures.

In this paper, we present a sound mathematical machine learning framework, which enables us to PAC learn the BR-PUF family (i.e., including BR- and TBR-PUFs) without knowing their precise mathematical model. In particular, our framework contributes the following novel aspects related to the security assessment of PUFs in general:

Exploring the inherent mathematical properties of PUFs. One of the most natural and commonly accepted mathematical representations of a PUF is a Boolean function. This representation enables us to investigate properties of PUFs that are observed in practice, although they have not yet been precisely and mathematically described. One of these properties, exhaustively studied in our paper, is related to the “silent” assumption that each and every bit of a challenge has an equal influence on the respective response of a PUF. We prove that this assumption is invalid for all PUFs. While this phenomenon has already been occasionally observed in practice and is most often attributed to implementation imperfections, we give a rigorous mathematical proof of the existence of influential bit positions, which holds for every PUF.

Strong ML attacks against PUFs without an available mathematical model. We prove that even in a worst-case scenario, where the internal functionality of the BR-PUF family cannot be mathematically modeled, the challenge-response behavior of these PUFs can be PAC learned for given levels of accuracy and confidence.

Evaluation of the applicability of our framework in practice. In order to evaluate the effectiveness of our theoretical framework, we conduct extensive experiments on BR-PUFs and TBR-PUFs, implemented on a commonly used Field Programmable Gate Array (FPGA).

2 Notation and preliminaries

This section serves as a brief introduction to the background knowledge and known results needed to understand the approaches taken in this paper. For some more complex topics we occasionally refer the reader to important references.

2.1 PUFs

Note that elaborate and formal definitions as well as formalizations of PUFs are beyond the scope of this paper; for more details on them we refer the reader to [3, 4]. In general, PUFs are physical input-to-output mappings, which map given challenges to responses. Intrinsic properties of the physical primitive embodying the PUF determine the characteristics of this mapping. Two main classes of PUFs, namely strong PUFs and weak PUFs, have been discussed in the literature [16]. In this paper we consider strong PUFs, briefly called PUFs. Here we focus only on two characteristics of PUFs, namely unclonability and unpredictability (i.e., so-called unforgeability). Let a PUF be described by the mapping fPUF: C → Y, where fPUF(c) = y. In this paper, we assume that the issue of noisy responses (i.e., the output not being stable for a given input) has been resolved by the PUF manufacturer. For an ideal PUF, unclonability means that for a given PUF fPUF it is virtually impossible to create another physical mapping gPUF ≠ fPUF, whose challenge-response behavior is similar to fPUF [3].

Moreover, an ideal PUF is unpredictable. This property of PUFs is closely related to the notion of learnability. More precisely, given a single PUF fPUF and a set of challenge-response pairs (CRPs) U = {(c, y) | y = fPUF(c) and c ∈ C}, it is (almost) impossible to predict y′ = fPUF(c′), where c′ is a random challenge such that (c′, ·) ∉ U. In this paper we stick to this (simple, but) classical definition of unpredictability of a PUF, and refer the reader to [3, 4] for more refined definitions.

2.2 Boolean Functions as Representations of PUFs

Defining PUFs as mappings (see Section 2.1), the most natural mathematical model for them is a Boolean function over the finite field F2. Let Vn = {c1, c2, ..., cn} denote the set of Boolean attributes or variables, where each attribute can be true or false, commonly denoted by “1” and “0”, respectively. In addition, Cn = {0,1}^n contains all binary strings with n bits. We associate each Boolean attribute ci with two literals, i.e., ci and its complement c̄i. An assignment is a mapping from Vn to {0, 1}, i.e., a mapping from each Boolean attribute to either “0” or “1”. In other words, an assignment is an n-bit string, where the ith bit of this string indicates the value of ci (i.e., “0” or “1”).

An assignment is mapped by a Boolean formula into the set {0, 1}. Thus, each Boolean attribute can also be thought of as a formula, i.e., ci and c̄i are two possible formulas. If by evaluating a Boolean formula under an assignment we obtain “1”, the assignment is called a positive example of the concept represented by the formula, and otherwise a negative example. Each Boolean formula defines a respective Boolean function f: Cn → {0, 1}. The conjunction of Boolean attributes (i.e., a Boolean formula) is called a term, and it can be true or false (“1” or “0”) depending on the values of its Boolean attributes. Similarly, a clause, which is the disjunction of Boolean attributes, can be defined. The number of literals forming a term or a clause is called its size. Size 0 is associated only with the term true and the clause false.

In the related literature several representations of Boolean functions have been introduced, e.g., juntas, Monomials (Mn), Decision Trees (DTs), and Decision Lists (DLs), cf. [29, 31].

A Boolean function depending on solely an unknown set of k variables is called a k-junta. A monomial Mn,k defined over Vn is the conjunction of at most k clauses, each having only one literal. A DT is a binary tree whose internal nodes are labeled with Boolean variables and whose leaves are labeled with either “1” or “0”. A DT can be built from a Boolean function in this way: for each assignment a unique path from the root to a leaf is defined. At each internal node, e.g., at the ith level of the tree, the labeled edge is chosen depending on the value of the ith literal. The leaf is labeled with the value of the function, given the respective assignment as the input. The depth of a DT is the maximum length of the paths from the root to the leaves. The set of Boolean functions represented by decision trees of depth at most k is denoted by k-DT. A DL is a list L that contains r pairs (f1, v1), ..., (fr, vr), where the Boolean formula fi is a term and vi ∈ {0, 1}, with 1 ≤ i ≤ r−1. For i = r, the formula fr is the constant function vr = 1. A Boolean function can be transformed into a decision list, where for a string c ∈ Cn we have L(c) = vj, where j is the smallest index in L such that fj(c) = 1. k-DL denotes the set of all DLs, where each fi is a term of maximum size k.
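As a concrete illustration of the decision-list semantics just defined (L(c) = vj for the smallest j with fj(c) = 1), the following sketch evaluates a small k-DL. The encoding of terms as lists of (index, value) literals is our own illustrative choice, not the paper's.

```python
# Evaluating a k-DL: a term is a list of (index, value) literals, and
# the list ends with the constant-true term []. This encoding is our
# own illustrative choice, not the paper's.

def term_true(term, c):
    """A term (conjunction of literals) holds under assignment c when
    every literal (i, v) agrees with bit c[i]."""
    return all(c[i] == v for i, v in term)

def eval_dl(L, c):
    """L(c) = v_j for the smallest index j whose term f_j satisfies c."""
    for term, v in L:
        if term_true(term, c):
            return v
    raise ValueError("a decision list must end with the constant-true term")

# A 2-DL over n = 3 bits (0-based indices):
#   (c0=1 and c2=0) -> 1;  (c1=0) -> 0;  otherwise -> 1
L = [([(0, 1), (2, 0)], 1), ([(1, 0)], 0), ([], 1)]
print(eval_dl(L, (1, 1, 0)))  # first term fires -> 1
print(eval_dl(L, (0, 0, 1)))  # second term fires -> 0
print(eval_dl(L, (0, 1, 1)))  # default term -> 1
```

The default pair with the empty (always-true) term plays the role of (fr, vr) in the definition above.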

Linearity of Boolean Functions Here, our focus is on Boolean linearity, which must not be confused with linearity over domains other than F2. A linear Boolean function f: {0,1}^n → {0,1} features the following equivalent properties, cf. [29]:

– ∀ c, c′ ∈ {0,1}^n: f(c + c′) = f(c) + f(c′)
– ∃ a ∈ {0,1}^n: f(c) = a · c.

Equivalently, we can define a linear Boolean function f as follows: there is some set S ⊆ {1, ..., n} such that f(c) = f(c1, c2, ..., cn) = Σ_{i∈S} ci.

Boolean linearity, i.e., linearity over F2, is closely related to the notion of correlation immunity. A Boolean function f is called k-correlation immune if for any assignment c chosen randomly from {0,1}^n it holds that f(c) is independent of any k-tuple (c_{i1}, c_{i2}, ..., c_{ik}), where 1 ≤ i1 < i2 < ... < ik ≤ n. Now let deg(f) denote the degree of the F2-polynomial representation of the Boolean function f. It is straightforward to show that such a representation exists. Siegenthaler proved the following theorem, which states how correlation immunity relates to the degree of f.

Theorem 1. (Siegenthaler Theorem [29, 38]) Let f: {0,1}^n → {0,1} be a Boolean function that is k-correlation immune. Then deg(f) ≤ n − k.
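For small functions, the degree deg(f) of the F2-polynomial representation used in Theorem 1 can be computed with the binary Möbius transform, which recovers the algebraic normal form from the truth table. A minimal sketch, with function names and examples of our own choosing:

```python
# Computing deg(f) as an F2-polynomial via the binary Mobius transform
# (truth table -> algebraic normal form). Illustrative code: the names
# and the small example functions are ours.

def anf(truth_table):
    """Fast Mobius transform; entry m of the result is the coefficient
    of the monomial whose variables are the set bits of m."""
    a = list(truth_table)
    n = len(a).bit_length() - 1
    for i in range(n):
        for x in range(len(a)):
            if x & (1 << i):
                a[x] ^= a[x ^ (1 << i)]
    return a

def degree(truth_table):
    """deg(f): largest popcount of a monomial with a nonzero coefficient."""
    return max((bin(m).count("1") for m, coef in enumerate(anf(truth_table)) if coef),
               default=0)

n = 3
xor3 = [bin(x).count("1") % 2 for x in range(2 ** n)]        # parity of 3 bits
and3 = [1 if x == 2 ** n - 1 else 0 for x in range(2 ** n)]  # c1*c2*c3
print(degree(xor3))  # 1: parities are exactly the linear functions over F2
print(degree(and3))  # 3
```

The parity function having degree 1 is the fact exploited later in the proof of Theorem 2.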

Average Sensitivity of Boolean Functions The Fourier expansion of Boolean functions serves as an excellent tool for analyzing them, cf. [29]. In order to define the Fourier expansion of a Boolean function f: F2^n → F2, we first define an encoding scheme as follows: χ(0_{F2}) := +1 and χ(1_{F2}) := −1. Now the Fourier expansion of a Boolean function can be written as

f(c) = Σ_{S⊆[n]} f̂(S) χ_S(c),

where [n] := {1, ..., n}, χ_S(c) := Π_{i∈S} ci, and f̂(S) := E_{c∈U}[f(c) χ_S(c)]. Here, E_{c∈U}[·] denotes the expectation over uniformly chosen random examples. The influence of variable i on f: F2^n → F2 is defined as

Inf_i(f) := Pr_{c∈U}[f(c) ≠ f(c^{⊕i})],

where c^{⊕i} is obtained by flipping the ith bit of c. Note that Inf_i(f) = Σ_{S∋i} (f̂(S))^2, cf. [29]. Next we define the average sensitivity of a Boolean function f as

I(f) := Σ_{i=1}^{n} Inf_i(f).
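For small n, both quantities can be computed exactly by enumerating all 2^n challenges, which may help build intuition for the definitions above. A minimal sketch (illustrative only):

```python
# Exact computation of Inf_i(f) and I(f) for small n by enumerating all
# 2^n challenges. Function names are illustrative.
from itertools import product

def influence(f, n, i):
    """Inf_i(f) = Pr_c[f(c) != f(c with bit i flipped)] under uniform c."""
    flips = sum(f(c) != f(c[:i] + (1 - c[i],) + c[i + 1:])
                for c in product((0, 1), repeat=n))
    return flips / 2 ** n

def avg_sensitivity(f, n):
    """I(f) = sum of the n per-bit influences."""
    return sum(influence(f, n, i) for i in range(n))

parity = lambda c: sum(c) % 2         # flipping any bit always flips the output
majority = lambda c: int(sum(c) >= 2)
print(avg_sensitivity(parity, 3))     # 3.0: every Inf_i equals 1
print(avg_sensitivity(majority, 3))   # 1.5: every Inf_i equals 0.5
```

Parity is the extreme case of a function with no especially influential bit; the results of Section 4.1 show that the BR-PUF family behaves very differently.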


2.3 Our Learning Model

The Probably Approximately Correct (PAC) model provides a firm basis for analyzing the efficiency and effectiveness of machine learning algorithms. We briefly introduce the model and refer the reader to [23] for more details. In the PAC model the learner, i.e., the learning algorithm, is given a set of examples from which to generate, with high probability, an approximately correct hypothesis. This can be formally defined as follows. Let F = ∪_{n≥1} Fn denote a target concept class, that is, a collection of Boolean functions defined over the instance space Cn = {0,1}^n. Each example is drawn according to an arbitrary probability distribution D on the instance space Cn. A hypothesis h ∈ Fn, which is a Boolean function over Cn, is called an ε-approximator for f ∈ Fn if

Pr_{c∈D Cn}[f(c) = h(c)] ≥ 1 − ε.

Let the mapping size: F → N associate a natural number size(f) with a target concept f ∈ F, which is a measure of the complexity of f under a target representation, e.g., k-DT. The learner is a polynomial-time algorithm denoted by A, which is given labeled examples (c, f(c)), where c ∈ Cn and f ∈ Fn. The examples are drawn independently according to the distribution D. Now we can define strong and weak PAC learning algorithms.

Definition 1 An algorithm A is called a strong PAC learning algorithm for the target concept class F if for any n ≥ 1, any distribution D, any 0 < ε, δ < 1, and any f ∈ Fn the following holds: when A is given a polynomial number of labeled examples, it runs in time polynomial in n, 1/ε, size(f), 1/δ, and returns an ε-approximator for f under D with probability at least 1 − δ.

The weak learning framework was developed to answer the question whether a PAC learning algorithm with constant but insufficiently low levels of ε and δ can be useful at all. This notion is defined as follows.

Definition 2 For some constant δ > 0, let algorithm A return with probability at least 1 − δ a (1/2 − γ)-approximator for f, where γ > 0. A is called a weak PAC learning algorithm if γ = Ω(1/p(n, size(f))) for some polynomial p(·).

The equivalence of weak PAC learning and strong PAC learning was proved by Freund and Schapire in the early nineties in their seminal papers [9, 35]. For that purpose, boosting algorithms were introduced.

Definition 3 An algorithm B is called a boosting algorithm if the following holds: given any f ∈ Fn, any distribution D, 0 < ε, δ < 1, 0 < γ ≤ 1/2, a polynomial number of labeled examples, and a weak learning algorithm WL returning a (1/2 − γ)-approximator for f, B runs in time polynomial in n, size(f), 1/γ, 1/ε, 1/δ and, with probability at least 1 − δ, generates an ε-approximator for f under D.


Algorithm 1 Canonical Booster
Require: Weak PAC learner WL, 0 < ε, δ < 1, 0 < γ ≤ 1/2, a polynomial number of examples, and i, the number of iterations
Ensure: Hypothesis h that is an ε-approximator for f
1: D0 = D; use WL to generate an approximator h0 for f under D0
2: k = 1
3: while k ≤ i − 1 do
4:   Build a distribution Dk consisting of examples on which the previous approximators h0, ..., h_{k−1} predict the value of f poorly
5:   Use WL to generate an approximator hk for f under Dk
6:   k = k + 1
7: od
8: Combine the hypotheses h0, ..., h_{i−1} to obtain h, where each hk is a (1/2 − γ)-approximator for f under Dk, and finally h is an ε-approximator for f under D
9: return h

The construction of virtually all existing boosting algorithms is based primarily on the fact that if WL is given examples drawn from any distribution D′, WL returns a (1/2 − γ)-approximator for f under D′. At a high level, the skeleton of all such boosting algorithms is shown in Algorithm 1.
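The reweighting loop of Algorithm 1 can be made concrete by instantiating WL with a trivial single-bit "stump" learner and an AdaBoost-style update for Dk. This is only a toy instance of the canonical booster, with a target function of our own choosing, not the learner used later in the paper:

```python
# Toy instance of the canonical boosting loop (Algorithm 1): WL is a
# single-bit "stump" learner, and D_k is rebuilt AdaBoost-style so that
# examples the previous hypotheses misclassify gain weight. All names
# and the target function are illustrative, not from the paper.
import math

def weak_learner(X, y, D):
    """Return (weighted error, bit index, polarity) of the best stump
    predicting x[i] XOR polarity."""
    best = None
    for i in range(len(X[0])):
        for pol in (0, 1):
            err = sum(d for x, t, d in zip(X, y, D) if (x[i] ^ pol) != t)
            if best is None or err < best[0]:
                best = (err, i, pol)
    return best

def boost(X, y, rounds=5):
    m = len(X)
    D = [1.0 / m] * m           # D_0 is the uniform distribution
    H = []                      # weak hypotheses (alpha, bit, polarity)
    for _ in range(rounds):
        err, i, pol = weak_learner(X, y, D)
        err = min(max(err, 1e-9), 1 - 1e-9)
        alpha = 0.5 * math.log((1 - err) / err)
        H.append((alpha, i, pol))
        # Build D_k: up-weight examples the new hypothesis gets wrong
        D = [d * math.exp(-alpha if (x[i] ^ pol) == t else alpha)
             for x, t, d in zip(X, y, D)]
        Z = sum(D)
        D = [d / Z for d in D]
    def h(x):
        # Combine h_0, ..., h_{i-1} by a weighted majority vote
        s = sum(a if (x[i] ^ pol) else -a for a, i, pol in H)
        return int(s > 0)
    return h

# Target: 3-bit majority; no single stump is exact, but a few rounds
# of boosting reach zero training error on all 8 challenges
X = [(a, b, c) for a in (0, 1) for b in (0, 1) for c in (0, 1)]
y = [int(a + b + c >= 2) for a, b, c in X]
h = boost(X, y, rounds=5)
print([h(x) for x in X] == y)  # True
```

Step 4 of Algorithm 1 corresponds to the exponential reweighting of D, and step 8 to the weighted majority vote in h.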

2.4 Non-linearity of PUFs over F2 and the Existence of Influential Bits

Section 2.2 introduced the notion of Boolean linearity. Focusing on this notion and taking into account the definition of PUFs given in Section 2.1, we now prove the following theorem, which is our first important result: for every PUF, when represented as a Boolean function, its degree as an F2-polynomial is strictly greater than one. This then leads us to the following dramatic consequence: there exists no PUF in which all challenge bits have an equal influence.

Theorem 2. For every PUF fPUF: {0,1}^n → {0,1}, we have deg(fPUF) ≥ 2. Consequently, for every PUF it holds that not all bit positions within respective challenges are equally influential in generating the corresponding response.

Proof: Towards a contradiction, assume that fPUF is Boolean linear over F2 and unpredictable. From the unpredictability of fPUF it follows that the adversary has access to a set of CRPs U = {(c, y) | y = fPUF(c) and c ∈ C}, which are chosen uniformly at random; however, the adversary has only a negligible probability of success in predicting the response to a new random challenge (c′, ·) ∉ U (as he cannot apply fPUF to this unseen challenge). Note that the size of U is actually polynomial in n. Now, by the definition of linearity over F2, cf. Section 2.2, we deduce that the only linear functions over F2 are the Parity functions, see also [29, 38]. However, there are well-known algorithms to PAC learn Parity functions in general [8, 20]. Thus, we simply feed the right number of samples from our CRP set U into such a PAC learner. For the right parameter setting, the respective PAC algorithm then delivers with high probability an ε-approximator h for our PUF fPUF such that Pr[fPUF(c′) = h(c′)] ≥ 1 − ε. This means that with

Fig. 1: (a) The logical circuit of an SRAM cell. (b) The small-signal model of a bistable element in metastability.

high probability, the response to every randomly chosen challenge can be calculated in polynomial time. This is of course a contradiction to the definition of fPUF being a PUF. Hence, fPUF cannot be linear over F2. In other words, for every PUF fPUF we have deg(fPUF) ≥ 2. Moreover, in conjunction with the above-mentioned Siegenthaler Theorem, we deduce that every PUF is at most an (n−2)-correlation immune function, which indeed means that not all of its challenge bits have an equal influence on the respective PUF response.

Theorem 2 states that every PUF has some challenge bits that have a larger influence on the responses than other challenge bits. We loosely call these bits influential bits.¹
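In the spirit of Theorem 2, the influence Inf_i can be estimated purely from CRPs by flipping one challenge bit at a time, without any model of the PUF. The sketch below uses a synthetic stand-in oracle (`toy_puf`), since by assumption no exact model of the real PUF is available:

```python
# Estimating per-bit influences of a black-box PUF from CRPs by flipping
# one challenge bit at a time. `toy_puf` is a synthetic stand-in oracle
# (bits 0 and 2 dominate by construction); it is NOT a model of the
# BR-PUF, whose exact functionality is unknown.
import random

def toy_puf(c):
    # stand-in oracle: an AND of bits 0 and 2, XORed with a rare
    # threshold term so the other bits have small but nonzero influence
    return (c[0] & c[2]) ^ (1 if sum(c) > len(c) - 2 else 0)

def estimate_influences(puf, n, samples=2000, seed=1):
    rng = random.Random(seed)
    counts = [0] * n
    for _ in range(samples):
        c = [rng.randint(0, 1) for _ in range(n)]
        y = puf(c)
        for i in range(n):
            c[i] ^= 1                  # flip bit i ...
            if puf(c) != y:
                counts[i] += 1
            c[i] ^= 1                  # ... and flip it back
    return [k / samples for k in counts]

n = 8
inf = estimate_influences(toy_puf, n)
# the two dominant bits should stand out clearly above the rest
print(sorted(range(n), key=lambda i: -inf[i])[:2])
```

This one-bit-flip estimator is exactly the empirical counterpart of the definition of Inf_i from Section 2.2.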

3 PUF Architectures

In this section, we explain the architectures of two intrinsic silicon PUFs, namely the BR- and TBR-PUFs, whose internal mathematical models are more complicated than those of other intrinsic PUF constructions. We attempt to apply simple models to describe the functionality of these PUFs. However, we believe that these models cannot completely reflect the real characteristics of the BR-PUF family, and that their concrete, yet unknown, model must be much more complex.

3.1 Memory-Based PUFs

BR-PUFs can be thought of as a combination of memory-based and delay-based PUFs. Memory-based PUFs exploit the settling state of digital memory circuits, e.g., SRAM cells [16, 21], consisting of two inverters in a loop (see Figure 1a) and two transistors for read and write operations. Due to manufacturing process variations, the inverters have different electrical gains when the cell is in the metastable condition. In the metastable condition the voltage of one of the inverters is equal to Vm, where Vm is an invalid logic level. Moreover, the inverters have different propagation delays due to the differences in their output resistance and load capacitance. One can model the SRAM cell architecture as

¹ Note that the existence of such influential bits has also been noticed in several other experimental research papers. However, none of them has been able to correctly and precisely pinpoint the mathematical origin of this phenomenon.


Fig. 2: The schematic of a BR-PUF with n stages. The response of the PUF can be read between two arbitrary stages. For a given challenge, the reset signal can be set low to activate the PUF. After a transient period, the BR-PUF might settle to an allowed logical state.

a linear amplifier with gain G when Vinitial is close to the metastable voltage Vm [40], see Figure 1b. In order to predict the metastable behavior, we have [40]

Vinitial(0) = Vm + V(0),

where V(0) is a small-signal offset from the metastable point. To derive V(t), we can write the equation of the circuit as follows:

(G · V(t) − V(t))/R = C · dV(t)/dt.

By solving this equation, we obtain V(t) = V(0) · e^{t/τs}, where τs = RC/(G − 1), cf. [40]. The time required to reach a stable condition increases as Vinitial approaches the metastable point and V(0) approaches 0. It can even approach infinity if V(0) = 0; however, in practice this is not the case due to the presence of noise. Nevertheless, there is no upper bound on the settling time of the SRAM cell to one of its stable states. Therefore, the settling state of an SRAM cell cannot be predicted after power-on. One can thus use the logical addresses of SRAM cells as different challenges and the states of the SRAM cells after power-on as PUF responses.
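Plugging numbers into V(t) = V(0) · e^{t/τs} with τs = RC/(G − 1) shows how the settling time grows logarithmically as the initial offset V(0) shrinks. All component values below are our own illustrative choices, not measurements from the paper:

```python
# Numeric illustration of the settling behavior: V(t) = V(0) * e^(t/tau)
# with tau = RC / (G - 1). The component values below are illustrative
# choices, not measurements from the paper.
import math

R, C, G = 10e3, 1e-12, 5.0     # 10 kOhm, 1 pF, small-signal gain 5
tau = R * C / (G - 1)          # here: 2.5 ns
V_stable = 0.5                 # offset (volts) at which we call the cell settled

for v0 in (1e-1, 1e-3, 1e-6):
    # time for the offset to grow from V(0) = v0 to V_stable
    t = tau * math.log(V_stable / v0)
    print(f"V(0) = {v0:g} V -> settles in {t * 1e9:.2f} ns")
```

The logarithm makes the divergence as V(0) → 0 explicit: each thousand-fold reduction of the initial offset only adds a fixed increment to the settling time, but there is no finite upper bound.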

3.2 Bistable Ring PUF

SRAM PUFs are believed to be secure against modeling attacks. This can be explained by the fact that knowing the state of one SRAM cell after power-on does not help the attacker to predict the responses of other SRAM cells. However, in contrast to delay-based PUFs, e.g., arbiter PUFs [25], the challenge space of an SRAM PUF is not exponential. Therefore, if an adversary gets access to the initial values stored in the SRAM cells, the challenge-response behavior of the SRAM PUF can be emulated. In order to combine the advantages offered by


Fig. 3: The schematic of a TBR-PUF with n stages. The response of the PUF is read after the last stage. For a given challenge, the reset signal can be set low to activate the PUF. After a transient period, the TBR-PUF might settle to an allowed logical state.

delay-based PUFs and memory-based PUFs, namely the exponential challenge space and the unpredictability, a new architecture called the BR-PUF was introduced in [7]. A BR-PUF consists of n stages (n is an even number), where each stage consists of two NOR gates, one demultiplexer, and one multiplexer, see Figure 2. Based on the value of the ith bit of a challenge applied to the ith stage, one of the NOR gates is selected. Setting the reset signal to low, the signal propagates in the ring, which behaves like an SRAM cell with a larger number of inverters. The response of the PUF is a binary value, which can be read from a predefined location on the ring between two stages, see Figure 2.

The final state of the inverter ring is a function of the gains and the propagation delays of the gates. According to the model of the SRAM circuit in the metastable state provided in Section 3.1, one might be able to extend the electrical model and analyze the behavior of the inverter ring. Applying a challenge, the ring may settle into a stable state after an oscillation period. However, for a specific set of challenges the ring might stay in the metastable state for an infinite time, and oscillation can be observed at the output of the PUF.

The analytical models of the metastable circuits introduced in Section 3.1 are valid for an ASIC implementation and respective simulations. Although a few simulation results for BR-PUFs are available in the literature, to the best of our knowledge there are no results for a BR-PUF implemented on an ASIC, and experimental results have been limited to FPGA implementations. In this case, the BR-PUF model can be further simplified by considering the internal architecture of the FPGAs. The NOR gates of the BR-PUF are realized by dedicated Lookup Tables (LUTs) inside an FPGA. The outputs of the LUTs are read from one of the memory cells of the LUT, which are always in stable conditions. Hence, it can be assumed that there is almost no difference in the gains of different LUTs. As a result, the random behavior of the BR-PUF could be defined by the delay differences between the LUTs.

3.3 Twisted Bistable Ring PUF

Although the mathematical model of the functionality of a BR-PUF is unknown, it has been observed that this construction is vulnerable to bias and simple linear approximations [37]. Hence, the TBR-PUF has been introduced as an enhancement to BR-PUFs [37]. Similar to a BR-PUF, a TBR-PUF consists of n stages (n is an even number), where each stage consists of two NOR gates. In contrast to the BR-PUF, where for a given challenge only one of the NOR gates in each stage is selected, all 2n gates are selected in a TBR-PUF. This is achieved by placing two multiplexers before and two multiplexers after each stage and having feedback lines between different stages, see Figure 3. As all NOR gates are always in the circuit, the challenge-specific bias can be reduced.

Fig. 4: Our roadmap for proving the PAC learnability of the BR-PUF family, whose mathematical model is unknown.

4 PAC Learning of PUFs without Prior Knowledge of Their Mathematical Model

When discussing the PAC learnability of PUFs as a target concept, two scenarios should be distinguished. First, the precise mathematical model of the PUF functionality is known, and hence a hypothesis representation is known with which to learn the PUF. This scenario has been considered in several studies, e.g., [12–14], where different hypothesis representations have been presented for each individual PUF family. Second, due to the lack of a precise mathematical model of the respective PUF functionality, a more sophisticated approach is required to learn the PUF. Therefore, the following question arises: is it possible to PAC learn a PUF family, even if we have no mathematical model of the physical functionality of the respective PUF family? We answer this question at least for the BR-PUF family. Our roadmap for answering this question, more specifically, the steps taken to prove the PAC learnability of the BR-PUF family in the second scenario, is illustrated in Figure 4. While theoretical insights into the notions related to the first two blocks have been presented in Section 2.4, and are valid for all PUF families, Section 4.1 provides more specific results for the BR-PUF family (i.e., BR- and TBR-PUFs). Based on these new insights, in Section 4.2 we eventually prove that the BR-PUF family (which lacks a precise mathematical model) can nevertheless be PAC learned (see the last two blocks in Figure 4).

4.1 A Constant Upper Bound on the Number of Influential Bits

First, we note that our Theorem 2 is in line with the empirical results obtained by applying heuristic approaches, which are reported in [37, 42]. Although here we compare their results for BR- and TBR-PUFs with our results,


Table 1: Statistical analysis of the 2048 CRPs given to a 64-bit BR-PUF [42]. The first column shows the rule found in the samples, whereas the second column indicates the estimated probability of predicting the response.

Rule                                                              Est. Pr.
(c1 = 0) → y = 1                                                  0.684
(c9 = 0) ∧ (c6 = 1) → y = 1                                       0.762
(c25 = 0) ∧ (c18 = 1) ∧ (c1 = 0) → y = 1                          0.852
(c27 = 0) ∧ (c25 = 0) ∧ (c18 = 1) ∧ (c6 = 1) → y = 1              0.932
(c53 = 0) ∧ (c51 = 0) ∧ (c45 = 0) ∧ (c18 = 1) ∧ (c7 = 0) → y = 1  1

our proof of the existence of influential bits in PUF families in general speaks for itself, and is one of the novel aspects of this paper.

In an attempt to assess the security of BR-PUFs, Yamamoto et al. implemented BR-PUFs on several FPGAs to analyze the influence of challenge bits on the respective responses [42]. They explicitly underlined the existence of influential bits, and found so-called prediction rules. Table 1 summarizes their results, where for each type of rule (monomials of different sizes) we report only the one with the highest estimated response prediction probability. In addition to providing evidence for the existence of influential bits, the size of the respective monomials is of particular importance for us. As shown in Table 1, their size is surprisingly small, i.e., only five.
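Estimated probabilities of the kind shown in Table 1 can be obtained from a CRP sample as the empirical conditional probability Pr[y = 1 | rule]. The sketch below does this for a synthetic stand-in oracle; the oracle and the bit indices are illustrative, not the data of [42]:

```python
# Estimating the prediction probability of a monomial rule, as in
# Table 1, from a CRP sample: Pr[y = 1 | rule holds]. The oracle is a
# synthetic stand-in (bit indices are 0-based), not real PUF data.
import random

def stand_in_puf(c):
    # deterministic toy oracle: bits 1 and 6 dominate; the remaining
    # bits only perturb the response through their parity
    return 1 if (c[1] == 0 and c[6] == 1) else sum(c) % 2

rng = random.Random(7)
n = 16
crps = [(c, stand_in_puf(c))
        for c in (tuple(rng.randint(0, 1) for _ in range(n))
                  for _ in range(5000))]

def rule_prob(crps, rule):
    """Estimate Pr[y = 1 | rule], rule given as a list of (bit, value)."""
    hits = [y for c, y in crps if all(c[i] == v for i, v in rule)]
    return sum(hits) / len(hits)

print(round(rule_prob(crps, [(1, 0), (6, 1)]), 3))  # 1.0: the full rule is exact here
print(round(rule_prob(crps, [(1, 0)]), 3))          # roughly 0.75: c6 left unspecified
```

As in Table 1, adding literals to the rule drives the estimated probability toward 1.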

Similarly, the authors of [37] translate the inﬂuence of the challenge bits to

the weights needed in artiﬁcial neural networks that represent the challenge-

response behavior of BR-PUFs and the TBR-PUFs. They observed that there

is a pattern in these weights, which models the inﬂuence of the challenge bits. It

clearly reﬂects the fact that there are inﬂuential bits determining the response of

the respective PUF to a given challenge. From the results presented in [37], we

conclude that there is at least one inﬂuential bit, however, the precise number

of inﬂuential bits has not been further investigated by the authors.

Inspired by the above results from [37,42], we conduct further experiments.

We collect 30000 CRPs from BR-PUFs and TBR-PUFs implemented on Altera

Cyclone IV FPGAs. In all of our PUF instances at least one inﬂuential bit is

found, and the maximum number of inﬂuential bits (corresponding to the size of

the monomials) is just a constant value in all cases . For the sake of readability,

we present here only the results obtained for one arbitrary PUF instance.

Our results shown in Table 2 are not only aligned with the results reported

in [37, 42], but also reflect our previous theoretical findings. We conclude this section as follows: there is at least one influential bit determining the response of a BR-PUF (respectively, TBR-PUF) to a given challenge. However,

for the purpose of our framework their existence is not enough, and we need an

upper bound on the number of inﬂuential bits.
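To illustrate how such prediction rules can be checked against data, the following sketch (our own hypothetical helper, not the tooling used to produce Table 2) estimates the prediction probability of a rule over a CRP set:

```python
def rule_probability(crps, rule):
    """Estimate Pr[y = 1 | rule], where `rule` fixes some challenge
    bits, e.g. {61: 1, 23: 1} for (c61 = 1) AND (c23 = 1).

    crps: iterable of (challenge, response) pairs; a challenge is a
    tuple of 0/1 values and a response is 0 or 1.
    """
    matching = [y for c, y in crps if all(c[i] == v for i, v in rule.items())]
    return sum(matching) / len(matching) if matching else None

# Hypothetical toy data: bit 0 strongly influences the response.
crps = [((1, 0), 1), ((1, 1), 1), ((1, 0), 0), ((0, 1), 0)]
p = rule_probability(crps, {0: 1})  # 2 of the 3 matching CRPs give y = 1
```

Scanning all single-bit rules this way, and then greedily extending the best ones, yields tables of the kind shown above.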

Looking more carefully into the three diﬀerent datasets, namely our own and

the data reported in [37, 42], we observe that the total number of inﬂuential

bits is always only a very small value. Motivated by this commonly observed

phenomenon, we compute for our PUFs (implemented on FPGAs) the average


Table 2: Our statistical analysis of the 30000 CRPs, given to a 64-bit BR-PUF.

The ﬁrst column shows the rule found in the sample, whereas the second column

indicates the estimated probability of predicting the response.

Rule                                                                                         Est. Pr.
(c61 = 1) → y = 1                                                                            0.71
(c11 = 1) → y = 1                                                                            0.72
(c29 = 1) → y = 1                                                                            0.725
(c39 = 1) → y = 1                                                                            0.736
(c23 = 1) → y = 1                                                                            0.74
(c46 = 1) → y = 1                                                                            0.745
(c50 = 1) → y = 1                                                                            0.75
(c61 = 1) ∧ (c23 = 1) → y = 1                                                                0.82
(c61 = 1) ∧ (c11 = 0) → y = 1                                                                0.80
(c23 = 1) ∧ (c46 = 1) → y = 1                                                                0.86
(c39 = 1) ∧ (c50 = 1) → y = 1                                                                0.85
(c61 = 1) ∧ (c11 = 1) ∧ (c29 = 1) → y = 1                                                    0.88
(c50 = 1) ∧ (c23 = 1) ∧ (c46 = 1) → y = 1                                                    0.93
(c50 = 1) ∧ (c23 = 1) ∧ (c46 = 1) ∧ (c39 = 0) → y = 1                                        0.97
(c50 = 1) ∧ (c23 = 1) ∧ (c11 = 0) ∧ (c39 = 0) ∧ (c29 = 1) → y = 1                            0.98
(c50 = 1) ∧ (c23 = 1) ∧ (c46 = 1) ∧ (c39 = 0) ∧ (c29 = 1) → y = 1                            0.99
(c50 = 1) ∧ (c23 = 1) ∧ (c46 = 1) ∧ (c39 = 0) ∧ (c29 = 1) ∧ (c11 = 0) → y = 1                0.994
(c50 = 1) ∧ (c23 = 1) ∧ (c46 = 1) ∧ (c39 = 0) ∧ (c29 = 1) ∧ (c61 = 0) → y = 1                0.995
(c50 = 1) ∧ (c23 = 1) ∧ (c46 = 1) ∧ (c39 = 0) ∧ (c29 = 1) ∧ (c61 = 1) ∧ (c11 = 0) → y = 1    1

sensitivity of their respective Boolean functions². Averaging over many instances of our BR-PUFs, we obtain the results shown in Table 3 (TBR-PUFs scored similarly). This striking result³ led us to the following plausible heuristic.

“Constant Average Sensitivity of the BR-PUF family”: for all practical values of n, it holds that the average sensitivity of a Boolean function associated with a physical n-bit PUF from the BR-PUF family is only a constant value.

Finally, some relation between the average sensitivity and the strict avalanche criterion (SAC) can be recognized, although we believe that the average sensitivity is a more direct metric to evaluate the security of PUFs under ML attacks.

² As explained in Section 2.2, for a Boolean function f, the influence of a variable and the total average sensitivity can be calculated by employing Fourier analysis. However, in practice this analysis is computationally expensive. Instead, it suffices to simply approximate the respective average sensitivity. This idea has been extensively studied in the learning-theory-related and property-testing-related literature (see [22] for a survey). Here we describe how the average sensitivity of a Boolean function representing a PUF can be approximated. We follow the simple and effective algorithm explained in [32]. The central idea behind their algorithm is to collect enough random pairs of labeled examples from the Boolean function that have the following property: (c, f(c)) and (c⊕i, f(c⊕i)), i.e., the inputs differ in a single Boolean variable.
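This sampling procedure can be made concrete as follows; the code is an illustrative reading of the approach, with a toy parity function standing in for the black-box PUF:

```python
import random

def estimate_average_sensitivity(f, n, num_samples=100_000, seed=0):
    """Estimate I(f) = n * Pr_{c,i}[f(c) != f(c xor e_i)] by sampling
    random challenges c and random bit positions i, treating f as a
    black box, exactly as an attacker querying a PUF would."""
    rng = random.Random(seed)
    flips = 0
    for _ in range(num_samples):
        c = rng.getrandbits(n)
        i = rng.randrange(n)
        if f(c) != f(c ^ (1 << i)):
            flips += 1
    return n * flips / num_samples

# Toy stand-in for a PUF: parity of the first three challenge bits.
# Each of those bits always flips the output, so I(f) is exactly 3.
parity3 = lambda c: bin(c & 0b111).count("1") % 2
estimate = estimate_average_sensitivity(parity3, n=64)
```

For a physical PUF, f(c) and f(c⊕i) are simply two measured responses, so the same estimator runs on collected CRP pairs.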

³ Note that it is a known result, and indeed folklore (cf. [29]), that randomly chosen n-bit Boolean functions have an expected average sensitivity of exactly n/2.


Table 3: The average sensitivity of n-bit BR-PUFs.

n     Average sensitivity
4     1.25
8     1.86
16    2.64
32    3.6
64    5.17

4.2 Weak Learning and Boosting of BR-PUFs

The key idea behind our learning framework is the provable existence of influential bits for any PUF and the constant average sensitivity of BR-PUFs in our scenario. These facts are taken into account to prove the existence of weak learners for the BR-PUF family. We start with the following theorem (Theorem 3) proved by Friedgut [11].

Theorem 3. Every Boolean function f: {0,1}ⁿ → {0,1} with I(f) = k can be ε-approximated by another Boolean function h depending on only a constant number K of Boolean variables, where K = exp((2 + √(2ε log₂(4k/ε)/k)) · k/ε), and ε > 0 is an arbitrary constant.
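To get a feel for this bound, K can be evaluated numerically; the following sketch assumes the formula exactly as stated in Theorem 3:

```python
import math

def friedgut_K(k, eps):
    """K = exp((2 + sqrt(2*eps*log2(4k/eps)/k)) * k/eps): the junta
    size bound from Theorem 3 for a function with I(f) = k."""
    root = math.sqrt(2 * eps * math.log2(4 * k / eps) / k)
    return math.exp((2 + root) * k / eps)

# The bound depends only on the constants k and eps, not on n, and it
# shrinks rapidly as the approximation requirement eps is relaxed.
```

Note that K is constant in n, which is what the learning argument below exploits.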

We explain now how Theorem 3, in conjunction with the results presented in Section 4.1, helps us to prove the existence of a weak learner (Definition 2) for the BR-PUF family.

Theorem 4. Every PUF from the BR-PUF family is weakly learnable.

Proof: For an arbitrary PUF from the BR-PUF family, consider its associated but unknown Boolean function, denoted by fPUF (i.e., our target concept). Our weak learning framework has two main steps. In the first step, we identify a (weak) approximator for fPUF, and in the second step this approximator is PAC learned (in a strong sense). Still, we can guarantee only that the total error of the learner does not exceed 1/2 − γ, where γ > 0, as we start with a weak approximator of fPUF. The first step relies on the fact that Theorem 2 ensures the existence of influential bits for fPUF, while we can also upper bound I(fPUF) by some small constant value k due to the Constant Average Sensitivity heuristic. According to Theorem 3, there is a Boolean function h that is an ε-approximator of fPUF and depends only on a constant number K of Boolean variables, since k and ε are constant values, independent of n. However, note that h depends on an unknown set of K variables. Thus, our Boolean function h is a so-called K-junta function, cf. [29]. More importantly, for constant K it is known that a K-junta function can be PAC learned by a trivial algorithm within O(n^K) steps, cf. [2, 5, 6]. This PAC algorithm is indeed our algorithm WL that weakly learns fPUF. Carefully choosing the parameters related to our approximators as well as the PAC learning algorithm, we ensure that WL returns a (1/2 − γ)-approximator for fPUF for some γ > 0.
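The trivial junta learner referred to in the proof can be sketched as an exhaustive search over variable subsets (an illustrative implementation on a toy target, not the exact algorithm of [2, 5, 6]):

```python
from itertools import combinations, product

def learn_junta(samples, n, K):
    """Trivial K-junta learner: enumerate all K-subsets of the n
    variables (O(n^K) of them) and return the first subset whose
    induced truth table is consistent with every labeled sample."""
    for subset in combinations(range(n), K):
        table, consistent = {}, True
        for c, y in samples:
            key = tuple(c[i] for i in subset)
            if table.setdefault(key, y) != y:
                consistent = False
                break
        if consistent:
            return subset, table
    return None

# Toy target: a 2-junta over 6 bits, f(c) = c1 AND c4.
samples = [(c, c[1] & c[4]) for c in product((0, 1), repeat=6)]
subset, table = learn_junta(samples, n=6, K=2)
```

On this toy target the search recovers the relevant variable set {1, 4} together with its truth table; only the subset enumeration depends on n, which gives the O(n^K) running time.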

Applying now the canonical booster introduced in Section 2.3 to our WL proposed in the proof of Theorem 4, and according to Definition 3, our weak learning algorithm can be transformed into an efficient and strong PAC learning algorithm.

Fig. 5: The settling time of the BR-PUF response: (a) after a transient time, the PUF response reaches the stable logical state “1”. (b) after a transient time, the PUF response is “0”. (c) the PUF response does not settle and oscillates for an undefined time period.

Corollary 1. BR-PUFs are strongly PAC learnable, regardless of any mathematical model representing their challenge-response behavior.

5 Results

5.1 PUF implementation

We implement BR- and TBR-PUFs with 64 stages on an Altera Cyclone IV FPGA, manufactured in a 60 nm technology [1]. It turns out that most PUF implementations are highly biased towards one of the responses. Therefore, we apply different manual routing and placement configurations to identify PUFs with a minimum bias in their responses. However, it is known that reducing the bias in PUF responses increases the number of noisy responses [27].

Finding and resolving the noisy responses are two of the main challenges in the CRP measurement process. In almost all PUF constructions it can be predicted at which point in time a generated response is valid and can be measured. For instance, for an arbiter PUF one can estimate the maximum propagation delay (evaluation period) between the enable point and the arbiter. After this time period the response is at a valid logical level (either “0” or “1”) and does not change; afterwards, by performing majority voting on the responses generated for a given challenge, the stable CRPs can be collected. However, in the case of the BR-PUF family, the settling time of the response to a valid logical level is not known a priori for a given challenge, see Figure 5. Furthermore, it is not known whether the response to a given challenge might become unstable again after a stable response has been observed for some period of time (see Section 3.1). Therefore, the majority voting technique cannot be employed for BR-PUFs and TBR-PUFs.

To deal with this problem, for a given challenge we read the response of the PUF at different points in time, where at each point in time 11 additional measurements are conducted. We consider a response stable if it is the same at all these measurement time points. Otherwise, the response is considered unstable, and the respective CRP is excluded from our dataset.
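This filtering step can be sketched as follows, with a hypothetical measure(t) callback standing in for one hardware read of the response at time point t:

```python
def stable_response(measure, time_points, repeats=11):
    """Return the response if all `repeats` reads at every time point
    agree; otherwise None, and the CRP is discarded as unstable."""
    readings = {measure(t) for t in time_points for _ in range(repeats)}
    return readings.pop() if len(readings) == 1 else None

# Toy stand-ins for the hardware: a stable and an oscillating response.
stable = stable_response(lambda t: 1, time_points=[1, 2, 3])
unstable = stable_response(lambda t: t % 2, time_points=[1, 2, 3])
```

Unlike majority voting, this filter never guesses a value for an oscillating response; it simply drops the challenge.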

Fig. 6: The impact of the influential bits on the responses of the PUF: (a) the response of the PUF is “0”. (b) unstable responses. Here the y-axis shows the percentage of the challenges whose bits are set to either “0” or “1”, whereas the x-axis shows the bit position.

In order to observe the impact of the existing influential bits on our PUF responses, we first apply a large set of challenges chosen uniformly at random, and then measure their respective responses. Afterwards, for both possible responses

of the PUF (i.e., “0” and “1”) we count the number of challenge bits which are set to either “0” or “1”, see Figure 6. It can be seen that some challenge bits are more influential towards a certain response. These results are the basis for our statistical analysis presented in Section 4.1. We also repeat this experiment in the scenario where the response of the PUF is unstable; in this case we observe almost no influential challenge bits. The most important conclusion that we can draw from these experiments is that a PUF with stable responses has at least one influential bit, which can already predict the response of the PUF to a respective challenge, albeit with low probability.
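The counting experiment behind Figure 6 can be sketched as follows (illustrative code over a hypothetical CRP list):

```python
from collections import defaultdict

def bit_bias_by_response(crps, n):
    """Fraction of challenges with bit i set to 1, grouped by the
    observed response; fractions deviating clearly from 0.5 point
    to influential challenge bits."""
    ones = defaultdict(lambda: [0] * n)
    totals = defaultdict(int)
    for c, y in crps:
        totals[y] += 1
        for i in range(n):
            ones[y][i] += c[i]
    return {y: [ones[y][i] / totals[y] for i in range(n)] for y in totals}

# Toy data: bit 0 pushes the response towards 1, bit 1 is irrelevant.
crps = [((1, 0), 1), ((1, 1), 1), ((0, 0), 0), ((0, 1), 0)]
bias = bit_bias_by_response(crps, n=2)
```

Plotting these per-bit fractions for each response value reproduces the kind of picture shown in Figure 6.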

5.2 ML results

To evaluate the effectiveness of our learning framework, we conduct experiments on CRPs collected from our PUFs, whose implementation is described in Section 5.1. As discussed and proved in Section 4, having influential bits enables us to define a prediction rule, where this rule can serve as a hypothesis representation that fulfills the requirements of a weak learner. The algorithm WL proposed in the proof of Theorem 4 relies on the PAC learnability of K-juntas, where K is a small constant. However, it is known that every efficient algorithm for learning K-DTs (i.e., decision trees with 2^K leaves) is an efficient algorithm for learning K-juntas, see, e.g., [28]. Furthermore, it is known that DLs generalize K-DTs [31]. Moreover, a monomial Mn,K is a very simple type of K-junta, where only the conjunction of the relevant variables is taken into account. Therefore, for our experiments we let our weak learning algorithms deliver DLs, monomials, and DTs.

To learn the challenge-response behavior of BR- and TBR-PUFs using these representations, we use the open-source machine learning software Weka [17]. One may argue that more advanced tools might be available, but here we only aim to demonstrate that publicly accessible, off-the-shelf software can be used to launch our proposed attacks. All experiments are conducted on a MacBook Pro with a 2.6 GHz Intel Core i5 processor and 10 GB of RAM.

Fig. 7: The relation between the theoretical upper bound on the error of the final model returned by AdaBoost, the number of iterations, and K. The graph is plotted for k = 2, ε₀ = 0.01, and n = 64. Here, ε₀ = 0.01 denotes the error of the K-junta learner.

To boost the prediction accuracy of the model established by our weak learners, we apply the Adaptive

Boosting (AdaBoost) algorithm [10]; nevertheless, any other boosting framework can be employed as well. For AdaBoost, it is known that the error of the final model delivered by the boosted algorithm after T iterations is theoretically upper bounded by ∏_{t=1}^{T} √(1 − 4γ_t²), cf. [36]. To provide a better understanding of the relation between K, the number of iterations, and the theoretical bound on the error of the final model, a corresponding graph⁴ is shown in Figure 7.
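For a constant weak-learner edge γ_t = γ, this bound can be evaluated directly; a minimal sketch:

```python
def adaboost_error_bound(T, gamma):
    """Upper bound prod_{t=1}^{T} sqrt(1 - 4*gamma_t^2) on the error
    after T boosting rounds, for a constant weak-learner edge gamma."""
    return (1 - 4 * gamma ** 2) ** (T / 2)

# The bound starts at 1 (T = 0) and decays exponentially in T once
# the edge gamma of the weak learner is fixed.
```

Even a small edge over random guessing thus drives the bound down after enough iterations, which is exactly what our boosting experiments below exploit.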

Our experiments in Weka consist of a training phase and a testing phase. In the training phase, a model is established from the training data based on the chosen representation. Afterwards, the established model is evaluated on the test set, which contains an unseen subset of CRPs. The sizes of the training sets in our experiments are 100 and 1000, whereas the test set contains 30000 CRPs. Our experiments demonstrate that weak learning always results in a model with more than 50% accuracy on the test set, as shown in the first rows of Table 4 and Table 5.

By boosting the respective models with AdaBoost, the accuracy is dramatically increased, see Table 4 and Table 5. It can be observed that after 50 iterations of AdaBoost applied to the weak model generated from 100 CRPs, the prediction accuracy of the boosted model increases to more than 80% for all three representations. By increasing the number of samples to 1000 CRPs, the prediction accuracy is further increased, up to 98.32% for learning the BR-PUFs and 99.37% for learning the TBR-PUFs under the DL representation. It is interesting to observe that the simplest representation class, i.e., monomials, clearly benefits the most from the boosting technique. As explained in [36], this is due to avoiding any overfitting tendency.
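To make the weak-learning-plus-boosting pipeline concrete without Weka, the following self-contained sketch boosts single-challenge-bit rules (size-1 monomial stumps, standing in for the weak learners above) with AdaBoost; the majority-of-three target is a toy stand-in for a PUF, chosen because no single-bit rule classifies it perfectly:

```python
import math
from itertools import product

def train_stump(samples, weights, n):
    """Weak learner: pick the single-bit rule 'predict y when c_i == v'
    with the smallest weighted error (a size-1 monomial)."""
    best = None
    for i in range(n):
        for v in (0, 1):
            for y in (0, 1):
                err = sum(w for (c, label), w in zip(samples, weights)
                          if (y if c[i] == v else 1 - y) != label)
                if best is None or err < best[0]:
                    best = (err, i, v, y)
    return best

def predict_stump(stump, c):
    _, i, v, y = stump
    return y if c[i] == v else 1 - y

def adaboost(samples, n, rounds):
    weights = [1 / len(samples)] * len(samples)
    ensemble = []
    for _ in range(rounds):
        stump = train_stump(samples, weights, n)
        err = min(max(stump[0], 1e-12), 1 - 1e-12)
        if err >= 0.5:
            break  # no weak learner with an edge is left
        alpha = 0.5 * math.log((1 - err) / err)
        ensemble.append((alpha, stump))
        # Upweight the samples this stump got wrong, then renormalize.
        weights = [w * math.exp(alpha if predict_stump(stump, c) != y else -alpha)
                   for (c, y), w in zip(samples, weights)]
        total = sum(weights)
        weights = [w / total for w in weights]
    return ensemble

def predict(ensemble, c):
    vote = sum(a * (1 if predict_stump(s, c) == 1 else -1) for a, s in ensemble)
    return 1 if vote > 0 else 0

# Toy target: majority of three challenge bits. Each single-bit rule is
# at best 75% accurate, yet three boosting rounds already combine the
# per-bit stumps into a perfect weighted majority vote.
samples = [(c, int(sum(c) >= 2)) for c in product((0, 1), repeat=3)]
model = adaboost(samples, n=3, rounds=3)
```

The same loop structure, with the stump learner swapped for a DL, DT, or monomial learner, mirrors the Weka pipeline used in our experiments.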

⁴ Note that at first glance the graph may seem odd, as after a few iterations the error is close to 1, although we start from a weak learner whose error rate is strictly below 0.5. As explained in [36, pp. 57-60], and shown in their Figure 3.1, this is due to AdaBoost's theoretical worst-case analysis, which is only asymptotically (in T) meaningful.


Table 4: Experimental results for learning a 64-bit BR-PUF and TBR-PUF, when m = 100. The accuracy (1 − ε) is reported for three weak learners. The first row shows the accuracy of the weak learner, whereas the other rows show the accuracy of the boosted learner.

# boosting iterations      BR-PUF                            TBR-PUF
                           Mn        DT        DL            Mn        DT        DL
0 (No Boosting)            54.48 %   66.79 %   67.24 %       65.18 %   72.29 %   74.84 %
10                         67.12 %   74.25 %   76.99 %       76.96 %   79.22 %   81.36 %
20                         77.53 %   80.53 %   80.89 %       82.05 %   85.73 %   86.71 %
30                         81.32 %   83.13 %   83.14 %       84.93 %   88.34 %   89.4 %
40                         82.65 %   83.91 %   84.6 %        88.11 %   89.67 %   90.22 %
50                         82.65 %   85.62 %   85.5 %        90.05 %   89.69 %   91.58 %

Table 5: Experimental results for m = 1000 (the same setting as for Table 4).

# boosting iterations      BR-PUF                            TBR-PUF
                           Mn        DT        DL            Mn        DT        DL
0 (No Boosting)            63.73 %   75.69 %   84.59 %       64.9 %    75.6 %    84.34 %
10                         81.09 %   85.49 %   94.2 %        79.9 %    87.12 %   95.05 %
20                         89.12 %   91.08 %   96.64 %       88.28 %   91.57 %   97.89 %
30                         93.24 %   93.24 %   97.50 %       93.15 %   93.9 %    98.75 %
40                         95.69 %   94.28 %   97.99 %       96.73 %   95.05 %   99.13 %
50                         96.80 %   95.04 %   98.32 %       98.4 %    95.96 %   99.37 %

6 Conclusion

As a central result, which speaks for itself, we have proved that in general the responses of all PUF families are not equally determined by each and every bit of their respective challenges. Moreover, the present paper has further addressed the issue of strong PAC learning of the challenge-response behavior of PUFs whose functionality lacks a precise mathematical model. We have demonstrated that, by representing BR- and TBR-PUFs as Boolean functions, we are able to precisely describe the characteristics of these PUFs as observed in practice. This fact results in the development of a new and generic machine learning framework that strongly PAC learns the challenge-response behavior of the BR-PUF family. The effectiveness and applicability of our framework have also been evaluated by conducting extensive experiments on BR-PUFs and TBR-PUFs implemented on FPGAs, similar to the experimental platforms used in the most relevant literature. Last but not least, although our strong PAC learning framework has its own novelty value, we feel that our Theorem 3 and the precise mathematical description of the characteristics of BR-PUFs and TBR-PUFs are the most important aspects of our paper. We strongly believe that this description can help to fill the gap between the mathematical design of cryptographic primitives and the design of PUFs in the real world. As evidence thereof, we feel that the Siegenthaler Theorem and Fourier analysis, which are well-known and widely used in modern cryptography, may provide special insights into the physical design of secure PUFs in the future.


Acknowledgements

We would like to thank Prof. Dr. Frederik Armknecht for the fruitful discussion as well as for pointing out Siegenthaler's paper. Furthermore, the authors greatly appreciate the support they received from the Helmholtz Research School on Security Technologies.

References

1. Altera: Cyclone IV Device Handbook. Altera Corporation, San Jose (2014)

2. Angluin, D.: Queries and Concept Learning. Machine Learning 2(4), 319–342

(1988)

3. Armknecht, F., Maes, R., Sadeghi, A., Standaert, O.X., Wachsmann, C.: A For-

malization of the Security Features of Physical Functions. In: Security and Privacy

(SP), 2011 IEEE Symp. on. pp. 397–412 (2011)

4. Armknecht, F., Moriyama, D., Sadeghi, A.R., Yung, M.: Towards a Uniﬁed Secu-

rity Model for Physically Unclonable Functions. In: Topics in Cryptology-CT-RSA

2016: The Cryptographers’ Track at the RSA Conf. vol. 9610, p. 271. Springer

(2016)

5. Arvind, V., Köbler, J., Lindner, W.: Parameterized Learnability of K-juntas and

Related Problems. In: Algorithmic Learning Theory. pp. 120–134. Springer (2007)

6. Blum, A.L., Langley, P.: Selection of Relevant Features and Examples in Machine

Learning. Artiﬁcial Intelligence 97(1), 245–271 (1997)

7. Chen, Q., Csaba, G., Lugli, P., Schlichtmann, U., Rührmair, U.: The Bistable

Ring PUF: A New Architecture for Strong Physical Unclonable Functions. In:

Hardware-Oriented Security and Trust (HOST), 2011 IEEE Intl. Symp. on. pp.

134–141. IEEE (2011)

8. Fischer, P., Simon, H.U.: On Learning Ring-Sum-Expansions. SIAM Journal on

Computing 21(1), 181–192 (1992)

9. Freund, Y.: Boosting a Weak Learning Algorithm by Majority. Information and

Computation 121(2), 256–285 (1995)

10. Freund, Y., Schapire, R.E.: A Decision-Theoretic Generalization of On-line Learn-

ing and an Application to Boosting. Journal of Comp. and System Sciences 55(1),

119–139 (1997)

11. Friedgut, E.: Boolean Functions with Low Average Sensitivity Depend on Few

Coordinates. Combinatorica 18(1), 27–35 (1998)

12. Ganji, F., Tajik, S., Seifert, J.P.: Let Me Prove it to You: RO PUFs are Provably

Learnable, The 18th Annual Intl Conf. on Information Security and Cryptology

(2015)

13. Ganji, F., Tajik, S., Seifert, J.P.: Why Attackers Win: On the Learnability of XOR

Arbiter PUFs. In: Trust and Trustworthy Computing, pp. 22–39. Springer (2015)

14. Ganji, F., Tajik, S., Seifert, J.P.: PAC Learning of Arbiter PUFs. Journal of Cryp-

tographic Engineering Special Section On Proofs 2014, 1–10 (2016)

15. Gassend, B., Clarke, D., Van Dijk, M., Devadas, S.: Silicon Physical Random Func-

tions. In: Proc. of the 9th ACM Conf. on Comp. and Communications Security.

pp. 148–160 (2002)

16. Guajardo, J., Kumar, S.S., Schrijen, G.J., Tuyls, P.: FPGA Intrinsic PUFs and

their Use for IP Protection. In: Cryptographic Hardware and Embedded Systems–

CHES 2007, pp. 63–80. Springer (2007)


17. Hall, M., Frank, E., Holmes, G., Pfahringer, B., Reutemann, P., Witten, I.H.: The

WEKA Data Mining Software: An Update. ACM SIGKDD Explorations Newslet-

ter 11(1), 10–18 (2009)

18. Helfmeier, C., Boit, C., Nedospasov, D., Seifert, J.P.: Cloning Physically Unclon-

able Functions. In: Hardware-Oriented Security and Trust (HOST), 2013 IEEE

Intl. Symp. on. pp. 1–6 (2013)

19. Helfmeier, C., Nedospasov, D., Tarnovsky, C., Krissler, J.S., Boit, C., Seifert, J.P.:

Breaking and Entering through the Silicon. In: Proc. of the 2013 ACM SIGSAC

Conf. on Comp. & Communications Security. pp. 733–744. ACM (2013)

20. Helmbold, D., Sloan, R., Warmuth, M.K.: Learning Integer Lattices. SIAM Journal

on Computing 21(2), 240–266 (1992)

21. Holcomb, D.E., Burleson, W.P., Fu, K.: Initial SRAM State as a Fingerprint and

Source of True Random Numbers for RFID Tags. In: Proc. of the Conf. on RFID

Security. vol. 7 (2007)

22. Kalai, G., Safra, S.: Threshold Phenomena and Inﬂuence: Perspectives from Mathe-

matics, Comp. Science, and Economics. Computational Complexity and Statistical

Physics, St. Fe Inst. Studies in the Science of Complexity pp. 25–60 (2006)

23. Kearns, M.J., Vazirani, U.V.: An Introduction to Computational Learning Theory.

MIT press (1994)

24. Koushanfar, F.: Hardware Metering: A Survey. In: Introduction to Hardware Se-

curity and Trust, pp. 103–122. Springer (2012)

25. Lee, J.W., Lim, D., Gassend, B., Suh, G.E., Van Dijk, M., Devadas, S.: A Technique

to Build a Secret Key in Integrated Circuits for Identiﬁcation and Authentication

Applications. In: VLSI Circuits, 2004. Digest of Technical Papers. 2004 Symp. on.

pp. 176–179 (2004)

26. Maes, R.: Physically Unclonable Functions: Constructions, Properties and Appli-

cations. Springer Berlin Heidelberg (2013)

27. Maes, R., van der Leest, V., van der Sluis, E., Willems, F.: Secure Key Generation

from Biased PUFs. In: Cryptographic Hardware and Embedded Systems–CHES

2015, pp. 517–534. Springer (2015)

28. Mossel, E., O’Donnell, R., Servedio, R.A.: Learning Functions of k Relevant Vari-

ables. Journal of Comp. and System Sciences 69(3), 421–434 (2004)

29. O’Donnell, R.: Analysis of Boolean Functions. Cambridge University Press (2014)

30. Pappu, R., Recht, B., Taylor, J., Gershenfeld, N.: Physical One-way Functions.

Science 297(5589), 2026–2030 (2002)

31. Rivest, R.L.: Learning Decision Lists. Machine learning 2(3), 229–246 (1987)

32. Ron, D., Rubinfeld, R., Safra, M., Samorodnitsky, A., Weinstein, O.: Approximat-

ing the Inﬂuence of Monotone Boolean Functions in O(√n) Query Complexity.

ACM Trans. on Computation Theory (TOCT) 4(4), 11 (2012)

33. Rührmair, U., Sehnke, F., Sölter, J., Dror, G., Devadas, S., Schmidhuber, J.: Modeling Attacks on Physical Unclonable Functions. In: Proc. of the 17th ACM Conf.

on Comp. and Communications Security. pp. 237–249 (2010)

34. Saha, I., Jeldi, R.R., Chakraborty, R.S.: Model Building Attacks on Physically

Unclonable Functions using Genetic Programming. In: Hardware-Oriented Security

and Trust (HOST), 2013 IEEE Intl. Symp. on. pp. 41–44. IEEE (2013)

35. Schapire, R.E.: The Strength of Weak Learnability. Machine learning 5(2), 197–227

(1990)

36. Schapire, R.E., Freund, Y.: Boosting: Foundations and Algorithms. MIT press

(2012)


37. Schuster, D., Hesselbarth, R.: Evaluation of Bistable Ring PUFs using Single Layer

Neural Networks. In: Trust and Trustworthy Computing, pp. 101–109. Springer

(2014)

38. Siegenthaler, T.: Correlation-Immunity of Nonlinear Combining Functions for

Cryptographic Applications (Corresp.). Information Theory, IEEE Transactions

on 30(5), 776–780 (1984)

39. Tajik, S., Dietz, E., Frohmann, S., Seifert, J.P., Nedospasov, D., Helfmeier, C., Boit,

C., Dittrich, H.: Physical Characterization of Arbiter PUFs. In: Cryptographic

Hardware and Embedded Systems–CHES 2014, pp. 493–509. Springer (2014)

40. Weste, N.H.E., Harris, D.: CMOS VLSI Design: A Circuits and Systems Perspec-

tive. Addison Wesley, fourth edn. (2010)

41. Xu, X., Rührmair, U., Holcomb, D.E., Burleson, W.P.: Security Evaluation and

Enhancement of Bistable Ring PUFs. In: Radio Frequency Identiﬁcation, pp. 3–16.

Springer (2015)

42. Yamamoto, D., Takenaka, M., Sakiyama, K., Torii, N.: Security Evaluation of

Bistable Ring PUFs on FPGAs using Diﬀerential and Linear Analysis. In: Comp.

Science and Information Systems (FedCSIS), 2014 Federated Conf. on. pp. 911–918

(2014)
