https://doi.org/10.1007/s00145-023-09475-1
J Cryptol (2023) 36:35
Research Article
A Theoretical Framework for the Analysis of Physical
Unclonable Function Interfaces and Its Relation to the
Random Oracle Model∗
Marten van Dijk
CWI, Amsterdam, The Netherlands
Department of Computer Science, Vrije Universiteit van Amsterdam, Amsterdam, The Netherlands
Electrical and Computer Engineering Department, University of Connecticut, Storrs, CT, USA
marten.van.dijk@cwi.nl
Chenglu Jin
CWI, Amsterdam, The Netherlands
chenglu.jin@cwi.nl
Communicated by Svetla Nikova.
Received 22 November 2022 / Revised 30 June 2023 / Accepted 30 June 2023
Abstract. Analysis of advanced physical unclonable function (PUF) applications and
protocols relies on assuming that a PUF behaves like a random oracle; that is, upon
receiving a challenge, a uniform random response with replacement is selected, mea-
surement noise is added, and the resulting response is returned. In order to justify such
an assumption, we need to rely on digital interface computation that to some extent re-
mains confidential—otherwise, information about PUF challenge–response pairs leak
with which the adversary can train a prediction model for the PUF. We introduce a the-
oretical framework that allows the adversary to have a prediction model (with a typical
accuracy of 75% for predicting response bits for state-of-the-art silicon PUF designs).
We do not require any confidential digital computing or digital secrets, while we can
still prove rigorous statements about the bit security of a system that interfaces with the
PUF. In particular, we prove the bit security of a PUF-based random oracle construction;
this merges the PUF framework with fuzzy extractors.
Keywords. Physical unclonable function (PUF), Fuzzy extractor, Random oracle,
Trusted computing base (TCB), PUF interfaces.
1. Introduction
A physical unclonable function (PUF) is a device that takes a challenge as input and mea-
sures a corresponding response bit as output [1,2]. Responses depend on manufacturing
variations in the PUF that are practically unclonable with currently existing technology.
∗This paper was reviewed by Frederik Armknecht.
© The Author(s) 2023
Nevertheless, a PUF's behavior may be modeled by training a prediction model on a set of challenge–response pairs (CRPs). For this reason, a PUF design can be broken if an attacker can train a prediction model of sufficiently high accuracy.^1
Since physical unclonable functions were introduced as a security primitive [1,2], a variety of applications have been proposed [5–7], including many advanced cryptographic protocols, e.g., key agreement, oblivious transfer, and bit commitment [8–10]. The security analysis of these advanced applications and protocols^2 relies on assuming
that a PUF behaves like a random oracle; upon receiving a challenge, a uniform random
response with replacement is selected, measurement noise is added, and the resulting
response is returned. This assumption turns out to be too strong because (1) in practical
implementations, the PUF returns biased response bits, and (2) classical ML and ad-
vanced ML attacks [11–17] demonstrate that a prediction model for response bits with
accuracy typically up to 75% can be trained and this defeats the random oracle assump-
tion. For example, FPGA implementations of the interpose PUF in [18] showed that the
bias of individual Arbiter PUFs ranges from 50.2% to 61.6%. The highest prediction accuracy on interpose PUF entities under the best-known attacks at the time was around 75%, given 200,000 training challenge–response pairs. Although a follow-up work [16]
proposed an attack that can improve the prediction accuracy on iPUF by means of an
iterative approach, the prediction accuracy of the first iteration is still not higher than
75%.
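To make the modeling-attack threat concrete, the following sketch simulates a classical attack on a single Arbiter PUF using the standard additive delay model and logistic regression. The parameters, helper names, and the use of scikit-learn are our illustrative assumptions and are not taken from the paper; a single Arbiter PUF is learned almost perfectly in this way, whereas composed designs such as the iPUF limit the attainable accuracy (typically to around 75%, as discussed above).

# A minimal sketch (ours, not the paper's code) of a classical modeling attack on a
# simulated Arbiter PUF, assuming the standard additive delay model and logistic regression.
import numpy as np
from sklearn.linear_model import LogisticRegression

rng = np.random.default_rng(0)
n_stages, n_train, n_test = 64, 20000, 2000

def features(challenges):
    # Parity transform of the delay model: phi_i = prod_{j >= i} (1 - 2*c_j)
    return np.cumprod(1 - 2 * challenges[:, ::-1], axis=1)[:, ::-1]

weights = rng.normal(size=n_stages)           # simulated stage delay differences
def respond(challenges):                      # noise-free simulated Arbiter PUF
    return (features(challenges) @ weights > 0).astype(int)

C_train = rng.integers(0, 2, size=(n_train, n_stages))
C_test = rng.integers(0, 2, size=(n_test, n_stages))
model = LogisticRegression(max_iter=1000).fit(features(C_train), respond(C_train))
print("prediction accuracy:", model.score(features(C_test), respond(C_test)))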
To counter the response bit bias problem, the literature introduces a PUF interface that implements a fuzzy extractor (FE) [19–23]. Given sufficient min-entropy in response vectors, random (unbiased) bit strings can be extracted using an FE. To prevent the attacker from training an accurate prediction model, we eliminate the attacker's access to challenge–response pairs. In other words, we have a trusted computing base (TCB) that implements the PUF together with an FE interface isolated from the attacker; that is, the interface is assumed to compute in a confidential digital computing environment (a confidential TCB).
The above solution is satisfactory if we use a weak PUF that only has a few CRPs
for masking/obfuscating a secret key based on a single response vector. (We want to
re-measure responses whenever we want access to the de-obfuscated key—for this, we
already need a confidential TCB.) The FE generates and publishes so-called helper in-
formation p, which is needed to extract a random bit string from the measured response
vector with which the secret is masked. This helper information does leak some infor-
mation about the response vector—after all, we use FE because the response vector does
not have full min-entropy (i.e., it is not uniformly distributed over bit vectors). If we
only publish one or a few such helper strings p, then it is realistic to assume that this does not help
the adversary gain sufficient information about challenge–response pairs for training an
accurate prediction model.
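For concreteness, the following sketch shows the code-offset idea behind such a fuzzy extractor, under the simplifying assumptions of a repetition code and one response bit per challenge (our illustration, not the construction used later in the paper): fe_gen derives a key and a helper string p from a measured response vector, and fe_rep recovers the key from a noisy re-measurement using p. Real constructions use stronger codes and a randomness extractor on top.

import secrets

def encode(bit, n=5):                         # repetition code: one key bit -> n code bits
    return [bit] * n

def decode(block):                            # majority vote recovers one key bit
    return int(sum(block) > len(block) // 2)

def fe_gen(response, n=5):
    # Generate helper data p = response XOR codeword, where the codeword encodes a fresh key.
    key = [secrets.randbelow(2) for _ in range(len(response) // n)]
    codeword = [b for k in key for b in encode(k, n)]
    p = [r ^ c for r, c in zip(response, codeword)]
    return key, p

def fe_rep(noisy_response, p, n=5):
    # Reproduce the key from a re-measured (noisy) response and the public helper data p.
    noisy_codeword = [r ^ h for r, h in zip(noisy_response, p)]
    return [decode(noisy_codeword[i:i + n]) for i in range(0, len(noisy_codeword), n)]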
^1 Public PUFs [3] and SIMPL systems [4], which base their security on the time difference between physical execution and model simulation, are out of the scope of this paper and are not captured by our definitional framework and analysis. They do not provide similar security properties as conventional PUFs, so they should be treated as different types of security primitives.
^2 PUF identification and authentication only rely on hypothesis testing based on comparing collected CRPs
with re-measured CRPs.
On the other hand, if, for other applications, a strong PUF is used with an 'exponentially large' challenge space, then many helper strings p are published, and in theory, this can help the adversary gather statistical information about CRPs and train a prediction model (even though, in practice, we have no idea how to accomplish this). The strong PUF with FE interface still needs the confidential TCB in order to make it impossible for the adversary to observe processed CRPs directly. (Otherwise, just based on these observed CRPs, a prediction model can be trained.)
We notice that the computational FE based on the LPN problem in [24,25] also publishes helper data, but here it can be proven that this data does not reveal underlying information about CRPs.^3 (In fact, the computational FE is used to implement a random oracle based on a weak PUF with just one response vector.) But here too, the LPN interface sits in a confidential TCB. (Its digital computation is not allowed to be observed by the adversary.)
This paper introduces a new framework for rigorously reasoning about the security of PUF interfaces. We get rid of the confidential TCB and allow the adversary access to a training set of challenge–response pairs. Only the way in which these pairs can be adaptively selected is restricted. We take a pre-challenge as input to a cryptographic hash function to generate a challenge for the PUF;^4 this is the only way the PUF may get accessed by both legitimate users and adversaries, and no confidential digital computing is required.
We construct and analyze the bit security of a PUF-based random oracle as a main
example/demonstration of our theoretical framework.
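As a minimal illustration of this access rule (our sketch, assuming SHA-256 as the cryptographic hash and an opaque puf_measure callable standing in for the physical measurement; GetResponse is defined precisely in Sect. 3):

import hashlib

def get_response(puf_measure, pre_challenge: bytes, challenge_bits: int = 64) -> int:
    # Hash the pre-challenge into a PUF challenge; this is the only allowed access path.
    digest = hashlib.sha256(pre_challenge).digest()
    challenge = int.from_bytes(digest, "big") >> (256 - challenge_bits)
    return puf_measure(challenge)             # response bit(s) measured by the PUF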
Our main motivation for getting rid of the confidential TCB of a PUF interface is, first
of all, of a more philosophical nature: In a more general context, we have an overarching
system that queries a PUF and wants to base its security guarantees on (random) bit
strings extracted from the PUF’s responses. Some form of confidential computing of
the system’s functionality is required as its security guarantees will generally depend
on keeping the PUF-derived bit strings confidential. Since calling a bit string a 'secret
key’ does not actually make it secret [26], such a system generally implements key
renewal strategies for which the PUF is queried again. Here, the system relies on using
the PUF with an interface to again generate fresh secret bit strings even though previous
digital secrets have been leaked to the adversary. If the PUF interface itself relies on
confidential digital computation in order to be able to keep on generating fresh secret
bit strings, then the adversary will recognize the PUF interface as a weak link and an
attractive point of attack. Rather than defending the confidentiality of the PUF interface's computation by means of a hardware design that isolates the PUF together with its interface from the adversary so that no point of attack exists, is it possible to minimize the TCB and not require any form of confidential digital computing in the PUF interface, and consequently not require any secret digital keys or any digital information that must be kept secret from the adversary? This question of minimizing the TCB by instead relying
^3 Also, the LPN construction does not suffer the min-entropy loss due to the leftover hash lemma that an FE incurs.
^4 We assume the hash function interface cannot be circumvented by the adversary and that the hash function is correctly computed on pre-challenges. Note that this assumption is much weaker than the assumption of having any confidential TCB, as all information in the hash function interface is public. Also, it is not very hard to guarantee the integrity of the hash function interface in practice; we just need to implement it in hardware circuitry, as long as the adversary does not tamper with the circuitry or inject faults into the computation, which is usually costly and requires extensive physical access.
on certain computational hardness assumptions is at the heart of security research. This
paper shows that this can be done (at least in theory) for a PUF interface that corrects
measurement errors and extracts random bit strings. In order to accomplish this, we need
to build a new theoretical framework (language) for capturing the exact computational
assumptions that replace the assumption of a confidential TCB.
In future work, we will show how verifiable computing can be based on such a PUF
interface (a first blueprint toward this goal is given in [27]): Here, a client outsources
computing to a single compute node. (We do not consider outsourcing computing over
multiple compute nodes in order to implement a Byzantine fault-tolerant scheme which
allows a third of the used compute nodes to be adversarial.) Suppose that the compute
node can be trusted to execute the compute job inside an environment that is protected
from having an adversary tamper with its computing flow. That is, the adversary cannot
violate the specified or expected behavior of the compute job. Even if the final computed result is correct, it still needs to be communicated back to the client. This means that the
compute node must engage in a remote attestation protocol with the client and be able
to sign the computed result using a secret digital key. In [28], a one-time session key-
based signature scheme (coined OTS-SKE) is presented, which in combination with
our proposed PUF-based random oracle (used for masking all session keys) can offer
remote attestation with the following property: Even if all but one session signing key are leaked, a signature for the session whose key is not leaked cannot be forged, and new signatures for older sessions cannot be forged either.
(The latter property is tricky and requires the features of the OTS-SKE scheme.) Based on
the theory presented in this paper, we can show that to accomplish this security guarantee,
no confidential TCB is needed for the PUF interface or signing. (Signing uses a session
key extracted from memory whose content is masked by our PUF-based random oracle.)
This shows that remote attestation, and by extension verifiable computing, does not need to rely on confidential digital computing, in the sense that previous session keys and other digital information leaked to the adversary cannot be used to forge a signature in the current session or to forge new signatures for older (observed) sessions. This will show for the first time how PUFs can be used to bootstrap such verifiable computation without a confidential TCB.
The main problem that we solve is how to connect security definitions for PUFs to
(computational) hardness problems on which PUF interfaces (such as FE) are based.
Our framework aims at strong PUFs with an ‘exponentially large’ challenge space.
•We define a PUF device in Sect. 3, followed by an extended PUF interface GetResponse that first applies a cryptographic hash to a pre-challenge. We introduce the concept of a (canonical) system-induced CRP distribution, where a system interfaces with the PUF and only uses CRPs of its 'liking,' i.e., CRPs that have a 'nice distribution.'
•We define reliability and bias with respect to system-induced CRP distributions
in Sect. 4. Conditioned on previously collected CRPs, the bias of a new CRP may
change due to correlation. We characterize the amount of change by corbias and
show how corbias gets amplified due to post-processing of CRPs (Lemma 6).
•In Sect. 5, we show an interface that improves reliability by using repeated measure-
ments, and we analyze corbias of the resulting system-induced CRP distribution.
Similarly, in Sect. 6, we show an interface based on the von Neumann extractor
for reducing bias [29]. We show how resulting response bits behave as unbiased
uniformly drawn bits in Lemma 11 and, as a consequence, explain a condition in
(5) which allows us to replace the von Neumann system-induced CRP distribution
by a 'uniform' one in a future reduction proof (a code sketch of both interfaces follows this list).
•We define PUF security with correlated CRPs in Sect. 7 and define the adversarial A_U-model, which does not require a confidential TCB (i.e., we do not require
any confidential digital computing or digital secrets), and only requires the adver-
sary to access the PUF through GetResponse. We prove the ‘Ber transformation
lemma’ (Lemma 14) which states that a (prediction) error-reducing oracle can be
constructed, leading to error bits that are statistically independent and Bernoulli
distributed. The bit error rate is essentially equal to one minus the accuracy of the
best prediction model the adversary can construct (based on limited resources, the
number of collected CRPs, and run time).
•Section 8 defines system security where the system interface has access to the PUF.
We define a separation game and argue this is, at most, an exponential factor more
difficult than the original system security game. We provide a number of definitions
of properties of the underlying hardness problem. These definitions lead to the ‘PUF
separation theorem' in the A_U-model (Theorem 22) where PUF assumptions and
mathematical hardness assumptions are separated, still leading to a bit security of
the overall system. We discuss a range of weaker adversarial models A_x ⊆ A_U in
Sect. 9.
•In order to merge the concept of fuzzy extractors with our framework, we intro-
duce ‘suitable’ codes and discuss and prove properties about their related residual
min-entropy in Sect. 10. This is used in Sect. 11 to construct a PUF-based random
oracle (PRO). We characterize failure probabilities and analyze the security using
Theorem 22. In order to prove some of the needed properties of the underlying
hardness problem, we show how the von Neumann system-induced distribution
can be replaced by a uniform one, how the Ber transformation lemma can be used
to construct a problem instance without needing access to the PUF, and how the
hardness of the resulting problem is related to residual min-entropy (as in secure
sketches but now related to Bernoulli noise). This results in the final ‘PUF-based
random oracle theorem' in the A_U-model (Theorem 28).
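The following sketch shows the two interfaces referenced in the list above in their simplest form, assuming a one-bit-response PUF accessed through a measure(challenge) callable (our illustration): majority voting over repeated measurements to improve reliability (Sect. 5) and the von Neumann trick to remove bias (Sect. 6).

def majority_vote(measure, challenge, k=7):
    # Measure the same challenge k times and return the majority bit (improves reliability).
    return int(sum(measure(challenge) for _ in range(k)) > k // 2)

def von_neumann_bit(measure, challenges):
    # Consume challenges in pairs; output the first bit when the pair differs
    # ((0,1) -> 0, (1,0) -> 1) and discard equal pairs; unbiased if the bits are i.i.d.
    it = iter(challenges)
    for c1, c2 in zip(it, it):
        b1, b2 = measure(c1), measure(c2)
        if b1 != b2:
            return b1
    return None                               # no pair accepted; more challenges are needed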
The final PRO primitive justifies how a PUF can be used to simulate a random oracle, as explained at the start of the introduction, even in the presence of an adversary who can train a prediction model with a typical accuracy of 75%, and even if no confidential TCB (i.e., no confidential digital computing and no digital secrets) is assumed. The
latter allows PRO to execute in the presence of an adversary who can observe all digital
computation and digital secrets. PRO only requires PUF access control through GetRe-
sponse. Our results can be easily plugged into the analysis of PUF-based protocols, like
key exchange [8], oblivious transfer [8,9], bit commitment [30], and multi-party com-
putation [31], where PUFs are all assumed to be random oracles. The presented work
closes a major gap in the current PUF literature (Table 1).
Table 1. Index of all definitions, lemmas, and theorems.

PUF—Intrinsic properties
  Definition 1                  CRPs and hardware unclonability of PUFs
  Definition 2                  System-induced CRP distributions
  Definition 3                  PUF reliability
  Definition 4                  PUF bias
  Definition 5                  PUF correlation (corbias), which can be assumed to be
                                exponentially small for Arbiter-based PUF designs
  Lemmas 6, 7, 8                Effect of composition of system-induced CRP distributions
                                on correlation
  Lemmas 9, 10                  Characterization of bias and the improved reliability as a
                                result of majority voting
  Lemma 11                      Characterization of the reduced bias as a result of applying
                                the von Neumann trick
  Figure 1                      Diagram relating all concepts
PUF—Security
  Definition 12                 PUF security game with correlations, inspired by [32]
  Definition 13                 Adversarial model
  Lemmas 14, 15                 Ber transformation lemma
System security
  Definition 16                 System security game where the system interfaces with and
                                queries a PUF
  Definition 17                 Separation game where the adversary first predicts responses
                                and next solves the system's instance of a computationally
                                hard problem
  Definitions 18, 19, 20, 21    Error-based reduction; bit security; error-based equivalent;
                                effect of an error-reducing oracle
  Theorem 22                    PUF separation theorem
  Figure 2                      Diagram explaining the flow of the security reduction leading
                                to the PUF separation theorem
PUF-based Random Oracle (PRO)
  Definitions 23, 24            Secure sketch; suitable codes
  Lemmas 25, 26                 Upper bound on the residual min-entropy
  Definition 27                 PRO correctness and bit security
  Theorem 28, Lemma 29          Construction
2. Related Work
Existing PUF definitional frameworks. Since the introduction of PUFs, many attempts
have been made to formally define PUFs. Most of the existing PUF definitional frameworks oversimplify reality and omit the fact that real PUFs produce errors in their responses due to environmental and measurement noise [32–34]. Rührmair et al. [33] first partitioned PUFs into weak PUFs and strong PUFs based on the sizes of their challenge spaces, and then defined strong PUFs as physical random functions that produce perfectly reliable outcomes and cannot be physically or mathematically cloned within a certain amount of time given to the adversary. Jin et al. [32,34] extended the framework to include stateful erasable PUFs and stateful programmable access-controlled PUFs, where the stateful PUFs can keep an internal state and alter CRPs based on their internal state and certain policies. However, in the above definitions, PUFs are always assumed to be noise-free with help from some error-correcting mechanisms. Our framework takes
noise into account and precisely discusses how noise and bias affect the security of PUFs.
Noisy PUF behaviors are modeled in [8,35,36]. Brzuska et al. defined a PUF as a noisy random function whose error rate for any given challenge–response pair is within a noise bound [8]. However, this definition does not capture the bias present in PUF responses. Armknecht et al. briefly discussed a PUF definition in [35] and further extended it in [36]. The definitions in [35] and [36] capture both physical and algorithmic properties of PUFs, including the reliability of PUFs. However, these definitions also oversimplify reality and assume no bias or correlation in PUF responses.
Fuzzy extractors. Fuzzy extractors are used to extract a reliable and uniformly dis-
tributed output from a noisy and biased output, e.g., biometrics [19] and PUF re-
sponses [20,21,23]. Existing fuzzy extractor studies focus on improving the capability of error correction and the min-entropy left in the final output of the fuzzy extractor, assuming that the distribution/bias of the PUF responses is known to the adversary and that there is no correlation, or only spatial correlation, between responses. These assumptions effectively constrain fuzzy extractor theory to a rigorous application to weak PUFs only. In our work, we consider a much stronger adversary who has a prediction model with a meaningful prediction accuracy, e.g., 75% accuracy in predicting a one-bit PUF response. This is a realistic issue for strong PUFs under modeling attacks; even though some strong PUFs are claimed to be secure against certain attacks, the adversary can still build a prediction model of the PUF with an accuracy meaningfully better than random guessing using those same attacks [11,18]. Our work effectively closes this gap and provides a
solid foundation for using fuzzy extractors on strong PUFs securely.
Existence of strong PUFs. In this work, we are mainly interested in conventional strong
PUFs whose challenge space is exponentially large with respect to the physical size of
the PUFs [33]. However, if one wants to use a weak PUF in our interface, one needs
to assume a confidential computing environment, where no leakage is allowed directly
from the weak PUF to the adversary. This security assumption is not ideal when we want
to eliminate (or minimize) the confidential computing environment for stronger security.
Given recent developments in the lightweight strong PUF area, the existence of secure strong PUFs may be deemed unclear. For example, XOR Arbiter PUFs [6] were considered a standard lightweight strong PUF design until they were broken by reliability-based attacks [15]. The introduction of the interpose PUF (iPUF) gave new hope for realizing a practical lightweight strong PUF that is secure against both classical modeling attacks and reliability-based attacks [18]. However, novel attacks [16,17,37] have shown the security of iPUFs to be weaker than the authors originally thought.
Although the existence of a secure lightweight strong PUF design remains unclear, our framework will be needed as soon as (just as in designs for symmetric-key encryption) a strong PUF design survives for a significant number of years. Indeed, strong PUF design
is still an active research area and many new designs show great potential in defending
against known attacks [38].
We notice that Sect. 9 describes a taxonomy of various adversarial models. One set-
ting is about a system executing a series of ‘sessions’ where the adversary observes all
but one session and where the security guarantee is about the unobserved session. This
fits the remote attestation protocol example explained in the introduction, where a remote adversary can obtain a footprint by observing digital computation and digitally stored values. A proper implementation will not allow the adversary to enforce repeated measurements, and therefore the adversary cannot obtain reliability information. This adversarial model, denoted by A_NR in Sect. 9, restricts the adversary to 'classical' CRP-based ML
attacks rather than 'advanced' challenge–reliability pair-based ML attacks. This still allows us to use the XOR Arbiter PUF design in the remote attestation example.
However, as discussed in Sect. 9, the amount of training data dictates the effectiveness of the ML attack used, and in the remote attestation setting this forces the use of an XOR Arbiter PUF with so many Arbiter PUFs that reliability degrades too much. It is clear that different adversarial models allow different types of strong PUF designs, and finding strong PUF designs with better security–reliability trade-offs remains an ongoing research question.
3. Physical Unclonable Functions
In this section, we formally define a PUF and introduce an extended PUF functionality
(which is a PUF with a small interface). In the next sections, we define reliability, bias,
and security.
Definition 1. (Physical Unclonable Functions [32]) A PUF P is a physical system that can be stimulated with so-called challenges c_i from a challenge set C_P = {0,1}^λ, upon which it reacts by producing corresponding responses r_i from a response set R_P ⊆ {0,1}^m. Each response r_i shall depend on the applied challenge, but also on manufacturing variations in P that are practically unclonable with currently existing technology. The tuples (c_i, r_i) are called the challenge–response pairs (CRPs) of P. We often refer to λ as the security parameter of the PUF.
This definition explicitly mentions that a hardware copy or clone of a PUF P cannot be manufactured due to uncontrollable manufacturing variations, which provide the randomness from which responses are extracted. This leaves open the question of whether, rather than hardware cloning P, a software simulator that sufficiently accurately predicts responses can be constructed and learned. Here, we assume that the adversary has access to P and can use P as an oracle to query a list of challenge–response pairs, which are used to train a simulator in the form of a machine learning model that predicts responses given input challenges.
The querying of P can be adaptive, and this can possibly be exploited by the adversary. For example, comparing responses of neighboring challenges that have a small Hamming distance may reveal detailed information about small subsets of manufacturing variations in the PUF design. In order to eliminate this possibility in practice, we process each challenge by applying a one-way function before giving the result as input to the PUF circuitry where the
manufacturing variations are used to extract response bits. This leads to the extended
PUF discussed next.
Extended PUF. We consider an extended PUF design, called GetResponse in Algo-
rithm 1, which first applies a cryptographic hash function (which implies one-wayness,
see Appendix A) to an input c_pre which we call a pre-challenge. The output of the hash
function