Available via license: CC BY 4.0


https://doi.org/10.1007/s00145-023-09475-1

J Cryptol (2023) 36:35

Research Article

A Theoretical Framework for the Analysis of Physical Unclonable Function Interfaces and Its Relation to the Random Oracle Model∗

Marten van Dijk

CWI, Amsterdam, The Netherlands

Department of Computer Science, Vrije Universiteit van Amsterdam, Amsterdam, The Netherlands

Electrical and Computer Engineering Department, University of Connecticut, Storrs, CT, USA

marten.van.dijk@cwi.nl

Chenglu Jin

CWI, Amsterdam, The Netherlands

chenglu.jin@cwi.nl

Communicated by Svetla Nikova.

Received 22 November 2022 / Revised 30 June 2023 / Accepted 30 June 2023

Abstract. Analysis of advanced physical unclonable function (PUF) applications and protocols relies on assuming that a PUF behaves like a random oracle; that is, upon receiving a challenge, a uniform random response with replacement is selected, measurement noise is added, and the resulting response is returned. In order to justify such an assumption, we need to rely on digital interface computation that to some extent remains confidential—otherwise, information about PUF challenge–response pairs leaks, with which the adversary can train a prediction model for the PUF. We introduce a theoretical framework that allows the adversary to have a prediction model (with a typical accuracy of 75% for predicting response bits for state-of-the-art silicon PUF designs). We do not require any confidential digital computing or digital secrets, while we can still prove rigorous statements about the bit security of a system that interfaces with the PUF. In particular, we prove the bit security of a PUF-based random oracle construction; this merges the PUF framework with fuzzy extractors.

Keywords. Physical unclonable function (PUF), Fuzzy extractor, Random oracle, Trusted computing base (TCB), PUF interfaces.

1. Introduction

A physical unclonable function (PUF) is a device that takes a challenge as input and measures a corresponding response bit as output [1,2]. Responses depend on manufacturing variations in the PUF that are practically unclonable with currently existing technology.

∗ This paper was reviewed by Frederik Armknecht.

© The Author(s) 2023


35 Page 2 of 64 M. van Dijk, C. Jin

Nevertheless, a PUF’s behavior may be modeled by training a prediction model based on a set of challenge–response pairs (CRPs). For this reason, a PUF design can be broken if an attacker achieves a significant accuracy of a trained prediction model.¹

Since physical unclonable functions have been introduced as a security primitive [1,2], a variety of applications have been proposed [5–7], including many advanced cryptographic protocols, e.g., key agreement, oblivious transfer, and bit commitment [8–10]. The security analysis of these advanced applications and protocols² relies on assuming that a PUF behaves like a random oracle; upon receiving a challenge, a uniform random response with replacement is selected, measurement noise is added, and the resulting response is returned. This assumption turns out to be too strong because (1) in practical implementations, the PUF returns biased response bits, and (2) classical ML and advanced ML attacks [11–17] demonstrate that a prediction model for response bits with accuracy typically up to 75% can be trained and this defeats the random oracle assumption. For example, FPGA implementations of the interpose PUF in [18] showed that the bias of individual Arbiter PUFs ranges from 50.2% to 61.6%. The highest prediction accuracy on interpose PUF entities under the best-known attacks by then was around 75% given 200,000 training challenge–response pairs. Although a follow-up work [16] proposed an attack that can improve the prediction accuracy on iPUF by means of an iterative approach, the prediction accuracy of the first iteration is still not higher than 75%.

To counter the response bit bias problem, the literature introduces a PUF interface that implements a fuzzy extractor (FE) [19–23]. Upon sufficient min-entropy in response vectors, random (unbiased) bit strings can be extracted using a FE. To counter the accurate training of a prediction model by the attacker, we eliminate access to challenge–response pairs by the attacker. In other words, we have a trusted computing base (TCB) that implements the PUF together with a FE interface isolated from the attacker—it assumes that the interface computes in a confidential digital computing environment (confidential TCB).

The above solution is satisfactory if we use a weak PUF that only has a few CRPs for masking/obfuscating a secret key based on a single response vector. (We want to re-measure responses whenever we want access to the de-obfuscated key—for this, we already need a confidential TCB.) The FE generates and publishes so-called helper information p, which is needed to extract a random bit string from the measured response vector with which the secret is masked. This helper information does leak some information about the response vector—after all, we use FE because the response vector does not have full min-entropy (i.e., it is not uniformly distributed over bit vectors). If we only publish one or a couple of p, then it is realistic to assume that this does not help the adversary gain sufficient information about challenge–response pairs for training an accurate prediction model.
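The helper-data leakage described above, as an added example that is not from the paper: a constructed toy fuzzy extractor (code-offset secure sketch over a repetition code, with SHA-256 standing in for the strong extractor, which is an assumption) corrects measurement errors in a response vector w, yet the published p pins w down to one of two candidates per block.

```python
import hashlib
import secrets
from typing import Optional

# Constructed toy FE: code-offset secure sketch over a repetition code of
# length N, which corrects up to (N - 1) // 2 bit errors per block.
N = 7


def rep_encode(bit: int, n: int = N) -> list:
    """Repetition code: one data bit becomes n identical code bits."""
    return [bit] * n


def rep_decode(word: list) -> list:
    """Nearest codeword by majority vote."""
    return [1] * len(word) if 2 * sum(word) > len(word) else [0] * len(word)


def xor(a: list, b: list) -> list:
    return [x ^ y for x, y in zip(a, b)]


def fe_gen(w: list, data_bit: Optional[int] = None) -> tuple:
    """Gen(w): choose a random codeword c, publish helper data p = w xor c,
    and derive the key from w (SHA-256 stands in for a strong extractor).
    Returns (key, p); data_bit only fixes the codeword for reproducibility."""
    if data_bit is None:
        data_bit = secrets.randbelow(2)
    c = rep_encode(data_bit, len(w))
    return hashlib.sha256(bytes(w)).digest(), xor(w, c)


def fe_rep(w_noisy: list, p: list) -> bytes:
    """Rep(w', p): decode w' xor p back to the codeword c, then w = p xor c.
    Yields a different key once w' carries more than (N - 1) // 2 errors."""
    c = rep_decode(xor(w_noisy, p))
    return hashlib.sha256(bytes(xor(p, c))).digest()


def helper_leak(p: list) -> list:
    """What the public p alone reveals: all bits of c are equal, so
    p_i xor p_0 = w_i xor w_0. Returns [w_1 ^ w_0, ..., w_{n-1} ^ w_0]."""
    return [pi ^ p[0] for pi in p[1:]]


def candidates_from_helper(p: list) -> list:
    """Only two response vectors are consistent with p (w_0 = 0 or w_0 = 1);
    a biased PUF lets the adversary pick the likelier of the two."""
    return [xor(p, rep_encode(b, len(p))) for b in (0, 1)]


if __name__ == "__main__":
    w = [1, 0, 1, 1, 0, 1, 1]            # constructed response vector
    key, p = fe_gen(w, data_bit=1)
    print("helper data p     :", p)
    print("leaked w_i ^ w_0  :", helper_leak(p))
    print("candidates for w  :", candidates_from_helper(p))
    print("3 errors corrected:", fe_rep([0, 0, 1, 0, 0, 1, 0], p) == key)
```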

¹ Public PUFs [3] and SIMPL systems [4], which base their security on the time differences between physical execution and model simulation, are out of the scope of the paper and are not captured by our definitional framework and analysis. They do not provide similar security properties as conventional PUFs, so they should be treated as different types of security primitives.

² PUF identification and authentication only rely on hypothesis testing based on comparing collected CRPs with re-measured CRPs.


On the other hand, if, for other applications, a strong PUF is used with an ‘exponentially large’ challenge space, then many helper data p is published, and in theory, this can help the adversary in gathering statistical information about CRPs and train a prediction model (even though, in practice, we have no idea how to accomplish this). The strong PUF with FE interface still needs the confidential TCB in order to make it impossible for the adversary to observe processed CRPs directly. (Otherwise, just based on these observed CRPs, a prediction model can be trained.)

We notice that the computational FE based on the LPN problem in [24,25] also publishes helper data, but here it can be proven that this data does not reveal underlying information about CRPs.³ (In fact, the computational FE is used to implement a random oracle based on a weak PUF with just one response vector.) But also here, the LPN interface is in a confidential TCB. (Its digital computation is not allowed to be observed by the adversary.)

This paper introduces a new framework for rigorously reasoning about the security of PUF interfaces. We get rid of the confidential TCB and allow the adversary access to a training set of challenge–response pairs. Only the way in which these pairs can be adaptively selected is restricted. We take a pre-challenge as input to a cryptographic hash function to generate a challenge for the PUF⁴; this is the only way the PUF may get accessed by both legitimate users and adversaries, and no confidential digital computing is required. We construct and analyze the bit security of a PUF-based random oracle as a main example/demonstration of our theoretical framework.

Our main motivation for getting rid of the confidential TCB of a PUF interface is, first of all, of a more philosophical nature: In a more general context, we have an overarching system that queries a PUF and wants to base its security guarantees on (random) bit strings extracted from the PUF’s responses. Some form of confidential computing of the system’s functionality is required as its security guarantees will generally depend on keeping the PUF-derived bit strings confidential. Since calling a bit string a ‘secret key’ does not actually make it secret [26], such a system generally implements key renewal strategies for which the PUF is queried again. Here, the system relies on using the PUF with an interface to again generate fresh secret bit strings even though previous digital secrets have been leaked to the adversary. If the PUF interface itself relies on confidential digital computation in order to be able to keep on generating fresh secret bit strings, then the adversary will recognize the PUF interface as a weak link and an attractive point of attack. Rather than defending the confidentiality of computing of the PUF interface by means of a hardware design that isolates the PUF with the interface from the adversary so that no point of attack exists, is it possible to minimize the TCB and not require any form of confidential digital computing in the PUF interface and, as a consequence, not require any secret digital keys or digital information that needs to be kept secret from the adversary? This question of minimizing the TCB by instead relying on certain computational hardness assumptions is at the heart of security research. This paper shows that this can be done (at least in theory) for a PUF interface that corrects measurement errors and extracts random bit strings. In order to accomplish this, we need to build a new theoretical framework (language) for capturing the exact computational assumptions that replace the assumption of a confidential TCB.

³ Also, the LPN construction does not suffer a min-entropy loss due to the leftover hash lemma as in FE.

⁴ We assume the hash function interface cannot be circumvented by the adversaries, and the hash function is correctly computed on pre-challenges. Note that this assumption is much weaker than the assumption of having any confidential TCB, as any information in the hash function interface is public. Also, it is not very hard to guarantee the integrity of the hash function interface in practice; we just need to implement it in hardware circuitry as long as the adversaries do not tamper with the circuitry or inject faults in the computation, which is usually costly and requires extensive physical access.

In future work, we will show how verifiable computing can be based on such a PUF interface (a first blueprint toward this goal is given in [27]): Here, a client outsources computing to a single compute node. (We do not consider outsourcing computing over multiple compute nodes in order to implement a Byzantine fault-tolerant scheme which allows a third of the used compute nodes to be adversarial.) Suppose that the compute node can be trusted to execute the compute job inside an environment that is protected from having an adversary tamper with its computing flow. That is, the adversary cannot violate the specified or expected behavior of the compute job. Even if the final computed result is correct, it needs to be communicated back to the client. This means that the compute node must engage in a remote attestation protocol with the client and be able to sign the computed result using a secret digital key. In [28], a one-time session key-based signature scheme (coined OTS-SKE) is presented, which in combination with our proposed PUF-based random oracle (used for masking all session keys) can offer remote attestation with the following property: Even if all but one session signing key is leaked, a signature for the session whose session key is not leaked cannot be impersonated, and other new signatures for older sessions can also not be impersonated. (The latter property is tricky and requires the features of the OTS-SKE scheme.) Based on the theory presented in this paper, we can show that to accomplish this security guarantee, no confidential TCB is needed for the PUF interface or signing. (Signing uses a session key extracted from memory whose content is masked by our PUF-based random oracle.) This shows that remote attestation, and by extension, verifiable computing, does not need to rely on confidential digital computing in that previous session keys and other digital information leaked to the adversary cannot be used to impersonate a signature in the current session or impersonate new signatures for older (observed) sessions. This will show for the first time how PUFs can be used to bootstrap such verifiable computation without confidential TCB.

The main problem that we solve is how to connect security definitions for PUFs to (computational) hardness problems on which PUF interfaces (such as FE) are based. Our framework aims at strong PUFs with an ‘exponentially large’ challenge space.

• We define a PUF device in Sect. 3 followed by an extended PUF interface GetResponse that first applies a cryptographic hash to a pre-challenge. We introduce the concept of (canonical) system-induced CRP distribution, where a system interfaces with the PUF and only uses CRPs of its ‘liking,’ i.e., those that have a ‘nice distribution.’

• We define reliability and bias with respect to system-induced CRP distributions in Sect. 4. Conditioned on previously collected CRPs, the bias of a new CRP may change due to correlation. We characterize the amount of change by corbias and show how corbias gets amplified due to post-processing of CRPs (Lemma 6).

• In Sect. 5, we show an interface that improves reliability by using repeated measurements, and we analyze corbias of the resulting system-induced CRP distribution. Similarly, in Sect. 6, we show an interface based on the von Neumann extractor for reducing bias [29]. We show how the resulting response bits behave as unbiased uniformly drawn bits in Lemma 11 and, as a consequence, explain a condition in (5) which allows us to replace the von Neumann system-induced CRP distribution by a ‘uniform’ one in a future reduction proof.

• We define PUF security with correlated CRPs in Sect. 7 and define the adversarial A_U-model, which does not require a confidential TCB (i.e., we do not require any confidential digital computing or digital secrets) and only requires the adversary to access the PUF through GetResponse. We prove the ‘Ber transformation lemma’ (Lemma 14), which states that a (prediction) error-reducing oracle can be constructed, leading to error bits that are statistically independent and Bernoulli distributed. The bit error rate is essentially equal to one minus the accuracy of the best prediction model the adversary can construct (based on limited resources, the number of collected CRPs, and run time).

• Section 8 defines system security where the system interface has access to the PUF. We define a separation game and argue this is, at most, an exponential factor more difficult than the original system security game. We provide a number of definitions of properties of the underlying hardness problem. These definitions lead to the ‘PUF separation theorem’ in the A_U-model (Theorem 22) where PUF assumptions and mathematical hardness assumptions are separated, still leading to a bit security of the overall system. We discuss a range of weaker adversarial models A_x ⊆ A_U in Sect. 9.

• In order to merge the concept of fuzzy extractors with our framework, we introduce ‘suitable’ codes and discuss and prove properties about their related residual min-entropy in Sect. 10. This is used in Sect. 11 to construct a PUF-based random oracle (PRO). We characterize failure probabilities and analyze the security using Theorem 22. In order to prove some of the needed properties of the underlying hardness problem, we show how the von Neumann system-induced distribution can be replaced by a uniform one, how the Ber transformation lemma can be used to construct a problem instance without needing access to the PUF, and how the hardness of the resulting problem is related to residual min-entropy (as in secure sketches but now related to Bernoulli noise). This results in the final ‘PUF-based random oracle theorem’ in the A_U-model (Theorem 28).

The final PRO primitive justifies how a PUF can be used to simulate a random oracle, as explained at the start of the introduction, even in the presence of an adversary who is able to achieve a typical accuracy of a prediction model of 75%, and even if no confidential TCB (i.e., no confidential digital computing and no digital secrets) is assumed. The latter allows PRO to execute in the presence of an adversary who can observe all digital computation and digital secrets. PRO only requires PUF access control through GetResponse. Our results can be easily plugged into the analysis of PUF-based protocols, like key exchange [8], oblivious transfer [8,9], bit commitment [30], and multi-party computation [31], where PUFs are all assumed to be random oracles. The presented work closes a major gap in the current PUF literature (Table 1).


Table 1. Index of all definitions, lemmas, and theorems.

PUF—Intrinsic properties
  Definition 1                 CRPs and hardware unclonability of PUFs
  Definition 2                 System-induced CRP distributions
  Definition 3                 PUF reliability
  Definition 4                 PUF bias
  Definition 5                 PUF correlation (corbias), which can be assumed to be exponentially small for Arbiter-based PUF designs
  Lemmas 6, 7, 8               Effect of composition of system-induced CRP distributions on correlation
  Lemmas 9, 10                 Characterization of bias and the improved reliability as a result of majority voting
  Lemma 11                     Characterization of the reduced bias as a result of applying the von Neumann trick
  Figure 1                     Diagram relating all concepts

PUF—Security
  Definition 12                PUF security game with correlations inspired by [32]
  Definition 13                Adversarial model
  Lemmas 14, 15                Ber transformation lemma

System security
  Definition 16                System security game where the system interfaces with and queries a PUF
  Definition 17                Separation game where the adversary first predicts responses and next solves the system’s instance of a computationally hard problem
  Definitions 18, 19, 20, 21   Error-based reduction; Bit security; Error-based equivalent; Effect of an error-reducing oracle
  Theorem 22                   PUF separation theorem
  Figure 2                     Diagram explaining the flow of the security reduction leading to the PUF separation theorem

PUF-based Random Oracle (PRO)
  Definitions 23, 24           Secure sketch; Suitable codes
  Lemmas 25, 26                Upper bound on the residual min-entropy
  Definition 27                PRO correctness and bit security
  Theorem 28, Lemma 29         Construction

2. Related Work

Existing PUF definitional frameworks. Since the introduction of PUFs, many attempts have been made to formally define PUFs. Most of the existing PUF definitional frameworks oversimplified reality and omitted the fact that real PUFs produce errors in their responses due to environmental/measurement noise [32–34]. Rührmair et al. [33] first partitioned PUFs into weak PUFs and strong PUFs based on the sizes of their challenge spaces, and then they defined strong PUFs as physical random functions that produce perfectly reliable outcomes and cannot be physically or mathematically cloned within a certain amount of time given to the adversary. Jin et al. [32,34] extended the framework to include stateful erasable PUFs and stateful programmable access-controlled PUFs, where the stateful PUFs can keep an internal state and alter CRPs based on their internal state and certain policies. However, in the above definitions, PUFs are always assumed to be noise-free with help from some error-correcting mechanisms. Our framework takes noise into account and precisely discusses how the noise/bias will affect the security of the PUFs.

Noisy PUF behaviors are modeled in [8,35,36]. Brzuska et al. defined PUFs as a noisy random function whose error rate for any given challenge–response pair is within a noise bound [8]. However, the definition did not capture the bias present in PUF responses. Armknecht et al. briefly discussed a PUF definition in [35] and further extended it in [36]. The definitions in [35] and [36] captured both physical properties and algorithmic properties of PUFs, including the reliability of PUFs. However, the definitions also oversimplified reality and assumed no bias or correlations in PUF responses.

Fuzzy extractors. Fuzzy extractors are used to extract a reliable and uniformly distributed output from a noisy and biased output, e.g., biometrics [19] and PUF responses [20,21,23]. All existing fuzzy extractor studies focus on improving their capability of error correction and the min-entropy left in the final output of the fuzzy extractors, assuming the distribution/bias of the PUF responses is known to the adversary and that there is no or only spatial correlation between responses. These assumptions effectively constrained the fuzzy extractor theory to be applied rigorously only to weak PUFs. In our work, we consider a much stronger adversary who has a prediction model with a meaningful prediction accuracy, e.g., 75% accuracy of a one-bit PUF output. This is a realistic issue for strong PUFs under modeling attacks; even though some strong PUFs are claimed to be secure against certain attacks, the adversary can still build a prediction model of the PUF with a meaningful accuracy better than random guessing using the concerned attacks [11,18]. Our work effectively closes the gap and provides a solid foundation for using fuzzy extractors on strong PUFs securely.

Existence of strong PUFs. In this work, we are mainly interested in conventional strong PUFs whose challenge space is exponentially large with respect to the physical size of the PUFs [33]. However, if one wants to use a weak PUF in our interface, one needs to assume a confidential computing environment, where no leakage is allowed directly from the weak PUF to the adversary. This security assumption is not ideal when we want to eliminate (or minimize) the confidential computing environment for stronger security.

Given the recent development in the lightweight strong PUF area, the existence of strong PUFs may be deemed unclear. For example, XOR Arbiter PUFs [6] have been considered as a standard lightweight strong PUF design, until they were broken by reliability-based attacks [15]. The introduction of the interpose PUF (iPUF) showed new hope for realizing a practical lightweight strong PUF that is secure against both classical modeling attacks and reliability-based attacks [18]. However, the security of iPUFs has been proven to be weaker than the authors originally thought in novel attacks [16,17,37]. Although the existence of a secure lightweight strong PUF design is still unclear, our framework is still needed as soon as (just like in designs for symmetric key encryption) a strong PUF design survives for a significant number of years. Indeed, strong PUF design is still an active research area and many new designs show great potential in defending against known attacks [38].

We notice that Sect. 9 describes a taxonomy of various adversarial models. One setting is about a system executing a series of ‘sessions’ where the adversary observes all but one session and where the security guarantee is about the unobserved session. This fits the remote attestation protocol example explained in the introduction where a remote adversary can obtain a footprint observing digital computation and digitally stored values. Proper implementation will not allow the adversary to enforce repeated measurements and therefore the adversary cannot obtain reliability information. This adversarial model, denoted by A_NR in Sect. 9, restricts the adversary to ‘classical’ CRP-based ML attacks rather than ‘advanced’ challenge–reliability pair-based ML attacks. This allows us to still be able to use the XOR Arbiter PUF design in the remote attestation example. However, as discussed in Sect. 9, the amount of training data dictates the effectiveness of the used ML attack and in the remote attestation setting this forces the use of an XOR Arbiter PUF with a number of Arbiter PUFs that degrades reliability too much. It is clear that different adversarial models allow different types of strong PUF designs, and there is the ongoing research question of finding strong PUF designs with better security–reliability trade-offs.

3. Physical Unclonable Functions

In this section, we formally define a PUF and introduce an extended PUF functionality (which is a PUF with a small interface). In the next sections, we define reliability, bias, and security.

Definition 1. (Physical Unclonable Functions [32]) A PUF P is a physical system that can be stimulated with so-called challenges c_i from a challenge set C_P = {0,1}^λ, upon which it reacts by producing corresponding responses r_i from a response set R_P ⊆ {0,1}^m. Each response r_i shall depend on the applied challenge, but also on manufacturing variations in P that are practically unclonable with currently existing technology. The tuples (c_i, r_i) are called the challenge–response pairs (CRPs) of P. We often refer to λ as the security parameter of the PUF.

This definition explicitly mentions that a hardware copy or clone of a PUF P cannot be manufactured due to uncontrollable manufacturing variations which provide the randomness from which responses are extracted. This leaves in question whether, rather than hardware cloning P, a software simulator, which sufficiently accurately predicts responses, can be constructed and learned. Here, we assume that the adversary has access to P and can use P as an oracle to query a list of challenge–response pairs which are used to train a simulator in the form of a machine learning model which predicts responses given input challenges.

The querying of P can be adaptive and this can possibly be exploited by the adversary. For example, comparing responses of neighboring challenges that have a small Hamming distance may reveal detailed information about small subsets of manufacturing variations in the PUF design. In order to eliminate this possibility in practice, we process challenges by applying a one-way function before giving them as input to the PUF circuitry where the manufacturing variations are used to extract response bits. This leads to the extended PUF discussed next.
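As an added example (not the paper's Algorithm 1 and not the authors' code), a constructed simulator of the noisy, biased random-oracle PUF model from the introduction, reachable only through a GetResponse that hashes the pre-challenge as described here, with the majority-voting (Sect. 5) and von Neumann (Sect. 6) interfaces summarized in the introduction layered on top; the bias, bit error rate and vote count are assumed values for illustration.

```python
import hashlib
import random


class NoisyPUF:
    """Constructed simulator of the 'random oracle plus noise' PUF model: a
    fresh challenge gets a fixed noise-free response bit that is 1 with
    probability `bias`; every measurement flips it with probability `ber`."""

    def __init__(self, bias: float, ber: float, seed: int) -> None:
        self.bias, self.ber = bias, ber
        self.rng = random.Random(seed)
        self.truth = {}  # challenge -> noise-free response bit

    def measure(self, challenge: bytes) -> int:
        if challenge not in self.truth:
            self.truth[challenge] = int(self.rng.random() < self.bias)
        return self.truth[challenge] ^ int(self.rng.random() < self.ber)


def get_response(puf: NoisyPUF, pre_challenge: bytes) -> int:
    """GetResponse: the PUF is only reachable through a cryptographic hash of
    the pre-challenge, so nobody can select neighbouring challenges."""
    return puf.measure(hashlib.sha256(pre_challenge).digest())


def majority_response(puf: NoisyPUF, pre_challenge: bytes, k: int) -> int:
    """Sect. 5 interface: k repeated measurements (k odd) and a majority vote."""
    votes = sum(get_response(puf, pre_challenge) for _ in range(k))
    return int(2 * votes > k)


def von_neumann_bit(puf: NoisyPUF, pre_challenge: bytes, k: int) -> tuple:
    """Sect. 6 interface: pair responses to the distinct derived pre-challenges
    pre||2i and pre||2i+1; (0,1) -> 0, (1,0) -> 1, equal pairs are discarded.
    Returns (bit, pairs_consumed)."""
    i = 0
    while True:
        a = majority_response(puf, pre_challenge + (2 * i).to_bytes(4, "big"), k)
        b = majority_response(puf, pre_challenge + (2 * i + 1).to_bytes(4, "big"), k)
        i += 1
        if a != b:
            return a, i


def one_fraction(bits: list) -> float:
    return sum(bits) / len(bits)


def raw_bias(puf: NoisyPUF, n: int) -> float:
    """Empirical bias of single measurements over n distinct pre-challenges."""
    return one_fraction([get_response(puf, b"raw-%d" % i) for i in range(n)])


def vn_bias(puf: NoisyPUF, n: int, k: int) -> float:
    """Empirical bias after majority voting plus the von Neumann trick."""
    return one_fraction([von_neumann_bit(puf, b"vn-%d" % i, k)[0] for i in range(n)])


def reliability(puf: NoisyPUF, n: int, k: int) -> float:
    """Fraction of pre-challenges on which two independent k-vote measurements
    agree (k = 1 is the bare PUF behind GetResponse)."""
    agree = sum(majority_response(puf, b"rel-%d" % i, k)
                == majority_response(puf, b"rel-%d" % i, k) for i in range(n))
    return agree / n


if __name__ == "__main__":
    puf = NoisyPUF(bias=0.62, ber=0.10, seed=1)  # assumed parameters
    print("raw bias         ", raw_bias(puf, 4000))
    print("von Neumann bias ", vn_bias(puf, 2000, k=5))
    print("reliability, k=1 ", reliability(puf, 2000, 1))
    print("reliability, k=5 ", reliability(puf, 2000, 5))
```

The von Neumann output stays unbiased only because the two paired bits are independent responses to distinct hashed challenges; correlation between them (the corbias of Sect. 4) is exactly what the paper's Lemma 11 has to account for.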

Extended PUF. We consider an extended PUF design, called GetResponse in Algorithm 1, which first applies a cryptographic hash function (which implies one-wayness, see Appendix A) to an input c_pre which we call a pre-challenge. The output of the hash function