Available via license: CC BY 4.0


Polynomial Bounds for Learning Noisy Optical Physical Unclonable Functions and Connections to Learning With Errors

Apollo Albright, Boris Gelfand, and Michael Dixon

Abstract—It is shown that a class of optical physical unclonable functions (PUFs) can be learned to arbitrary precision with arbitrarily high probability, even in the presence of noise, given access to polynomially many challenge-response pairs and polynomially bounded computational power, under mild assumptions about the distributions of the noise and challenge vectors. This extends the results of Rührmair et al. (2013), who showed a subset of this class of PUFs to be learnable in polynomial time in the absence of noise, under the assumption that the optics of the PUF were either linear or had negligible nonlinear effects. We derive polynomial bounds for the required number of samples and the computational complexity of a linear regression algorithm, based on size parameters of the PUF, the distributions of the challenge and noise vectors, and the probability and accuracy of the regression algorithm, with a similar analysis to one done by Bootle et al. (2018), who demonstrated a learning attack on a poorly implemented version of the Learning With Errors problem.

I. INTRODUCTION

The security of a cryptographic system depends on the security of the keys and encryption mechanisms it uses. Traditional cryptographic systems that store sensitive or proprietary information in non-volatile memory are susceptible to having this information copied to a malicious machine. One solution to this problem is to use a physical unclonable function (PUF) [1], [2]. A PUF is a type of one-way physical system characterized by instance-specific random physical properties arising from manufacturing process variations. A PUF can be probed or challenged with external stimuli to give specific responses, which depend on random variations during the manufacturing process and are ideally impossible to predict or invert without directly interrogating the PUF. PUFs are often characterized by some form of randomness or disorder inherent in the manufacturing process, which is ideally impossible for any party to reproduce, or clone, exactly. This unclonability property makes PUFs ideal for technology protection, anti-tamper attestation, and cryptographic protocols such as key generation that require an entropy source for secure random number generation protocols since they cannot be directly copied like digital keys or code stored in non-volatile memory [1]–[3].

By sending the PUF a sequence of challenges and checking that it returns the correct responses, one can verify the PUF’s integrity. One measure of the strength of a PUF is the number of challenge-response pairs (CRPs), which are unique pairs $(C, R)$ of challenges $C$ and responses $R$. A PUF in which the number of CRPs scales polynomially with a security parameter $n$ (which may be the physical size or number of inputs of the system) is classified as “weak” since its behavior can be fully determined by polynomial-time read-out attacks, whereas a PUF that has exponentially many CRPs is classified as “strong” since it is not vulnerable to these sorts of brute-force attacks [4].

Apollo Albright, Boris Gelfand, and Michael Dixon are with Los Alamos National Laboratory, Los Alamos, New Mexico (e-mail: aalbright@lanl.gov; bgelfand@lanl.gov; mdixon@lanl.gov). Apollo Albright is also with Reed College, 3203 SE Woodstock Blvd, Portland, Oregon 97202 USA.

Many current PUF designs are implemented in electronic circuits and use signal race conditions set by the inherent randomness in silicon manufacturing [4]. Examples of silicon-based PUFs include the Arbiter PUF [3], [5], [6], Ring Oscillator PUFs [7], and static random-access memory (SRAM) PUFs [8]–[10]. Many of these designs, such as the Arbiter PUF and its variants, have been demonstrated to be machine learnable [11]–[20]. Once an adversary has a model of the PUF, they can encode it in a separate chip to create a functional copy of it. In addition, physical clones of SRAM PUFs were created using a focused ion beam circuit edit in [21], further limiting the application of silicon PUFs that rely on race conditions for implementing secure and unclonable physical cryptographic protocols.

Optical PUFs, first introduced in [1], [22], were one of the first suggested PUF designs. Optical PUFs consist of an optical medium, typically some kind of resin, with strongly scattering material, such as microscopic glass beads, randomly distributed within. When coherent laser light hits the medium, it undergoes many scattering events as it passes through the sample, resulting in a noisy image called a speckle pattern on the opposite side. A challenge for the optical PUF therefore consists of the position and angle of incidence of the laser source, and the response is an image of the speckle pattern.

While the optical PUFs presented in [1], [22] were experimentally shown to be resistant to modeling attacks by Support Vector Machines (SVMs) [23], they are still classified as weak PUFs since they suffer from a polynomially bounded set of CRPs due to the optical structure having nonzero correlation lengths and angles [1], making very small changes in the orientation of the incident laser result in highly correlated speckle patterns [23]. The correlation lengths and angles can be reduced greatly by using nonlinear optical media [1], [24]; however the number of CRPs is still polynomially bounded by the precision of the laser alignment system. Because of this polynomial bound on the number of available CRPs, an adversary can efficiently generate a model of the PUF just by enumerating every possible CRP, regardless of measurement noise. Furthermore, the original optical PUFs require a very precise token positioning system and are prone to misalignment error, making them somewhat unreliable.

Fig. 1. A schematic of an optical PUF with a mask. By varying the laser’s position $(x, y)$ and angle $(\theta, \phi)$ relative to the scattering token and selecting which blocks of the mask are transparent, one can control which areas of the scattering pattern are illuminated. The resulting speckle pattern can be recorded by a camera. In the integrated optical PUF design proposed in [23], the laser’s position and angle are fixed, and in the original optical PUF of [1], which did not feature a mask, the laser hits the scattering token directly.

arXiv:2308.09199v1 [cs.LG] 17 Aug 2023

These issues were addressed in [23] with the introduction of integrated optical PUFs. In the original non-integrated optical PUFs, the relative position of the laser and the scattering medium can be varied as part of the challenge. In contrast, an integrated optical PUF fixes the relative positions of the laser, the PUF, and the camera. In order to input different challenges, the authors of [23] propose to send the incoming laser beam through a collimating lens and a spatial light modulator, such as a liquid-crystal display (LCD) mask, allowing parts of the PUF’s surface to be selectively illuminated (Fig. 1). Thus, a challenge for the integrated PUF in [23] consists of a specific image on the mask, and the response is the corresponding speckle pattern. Since the number of mask images is exponentially large in the number of pixels, optical PUFs with a mask have exponentially many CRPs, and are thus classified as “strong”. Since integrated optical PUFs do not have any moving parts, they are not as reliant on the exact position and angle of the incident laser and are less susceptible to environmental changes than the ones in [1], [22].

It was shown in [23] that, in the absence of external noise, integrated optical PUFs using a mask and scattering media with linear optical properties are susceptible to linear regression algorithms since the electric field amplitudes of speckle patterns from different challenges add together linearly. By generating a basis of the challenge space, it is possible for an adversary to predict the behavior of a linear combination of these basis challenges since the corresponding response will be the same linear combination of the responses.

In this paper, we extend this result to show that optical PUFs with a mask are also learnable in polynomial time when the external noise either has a bounded magnitude or follows a subgaussian distribution. Our analysis is based on a proof in [25] for the solvability of the “Integer Learning with Errors” problem, an easier variant of the Learning with Errors (LWE) problem that does not use modular reduction in the field $\mathbb{Z}/p\mathbb{Z}$. More specifically, in Section II-C we examine the physics of the PUF and show that, within a linear optical regime, the responses can be written as a linear function of the challenges. In Section III, we describe how to reduce the problem of learning an integrated optical PUF (or equivalently, a particular challenge position of a non-integrated optical PUF) with a mask from noisy CRPs to the equivalent problem of solving a polynomially large system of noisy equations. We prove a polynomial bound for the number of samples required to learn the PUF, based on the number of pixels in the LCD mask, the number of pixels in the output, the distribution of the challenge and noise vectors, the accuracy to which the PUF should be learned, and the desired probability of learning. We conclude Section III-B by expressing this bound asymptotically in Eq. 15 and the time complexity of the linear regression algorithm in Eq. 16, and we extend this result to include weakly nonlinear regimes in Section III-C. The effects of Kerr nonlinearity on the resistance of optical PUFs to physical cloning attacks were discussed in [26]; however, to our knowledge there have been no studies on learning attacks of nonlinear optical PUFs. Since the linear regression algorithm runs in polynomial time and produces, with arbitrarily high probability, an arbitrarily good approximation to the PUF, we know these types of optical PUFs are learnable under the probably approximately correct (PAC) framework, which has previously been used to demonstrate the learnability of various other PUF designs [15]–[20]. Table I gives results from the literature as well as our contributions for the learnability of optical PUFs.

II. PRELIMINARIES

A. Notation

For a vector $\mathbf{x} \in \mathbb{R}^n$, the $p$-norm $\|\mathbf{x}\|_p$ of $\mathbf{x}$, for $p \ge 1$, is given by $\|\mathbf{x}\|_p = (|x_1|^p + \cdots + |x_n|^p)^{1/p}$. Unless otherwise stated, $\|\mathbf{x}\|$ will always refer to the Euclidean norm $\|\mathbf{x}\|_2$. For a matrix $A \in \mathbb{R}^{m \times n}$, the operator norm $\|A\|_{\mathrm{op}}$ is given by

$$\|A\|_{\mathrm{op}} = \sup_{\|\mathbf{x}\| = 1} \|A\mathbf{x}\|.$$

We denote the maximum real eigenvalue of a square matrix $A$ by $\lambda_{\max}(A)$, and similarly $\lambda_{\min}(A)$ denotes the minimum real eigenvalue. The transpose of a matrix $A$ is written as $A^T$. With this in mind, the operator norm of $A$ can be expressed as its largest singular value,

$$\|A\|_{\mathrm{op}} = \sqrt{\lambda_{\max}(A A^T)}. \tag{1}$$

We write $X \sim \chi$ to say a random variable $X$ is sampled according to a distribution $\chi$. The expectation of $X$ is denoted $E[X]$ and its variance $\mathrm{Var}(X) = E[X^2] - E[X]^2$. We denote by $\Pr[Y]$ the probability of event $Y$.

B. Subgaussian Probability Distributions

A variable $X$ is called $\tau$-subgaussian for some $\tau > 0$ if for all $s \in \mathbb{R}$,

$$E[\exp(sX)] \le \exp\left(\frac{\tau^2 s^2}{2}\right).$$

TABLE I
LEARNABILITY RESULTS OF OPTICAL PUFS.

| Design | Illumination | CRP Space | Linear, Noiseless | Linear, Noisy | Weakly Nonlinear, Noiseless | Weakly Nonlinear, Noisy | Strongly Nonlinear, Noiseless | Strongly Nonlinear, Noisy |
|---|---|---|---|---|---|---|---|---|
| Integrated | No Mask | 1 | trivial | trivial | trivial | trivial | trivial | trivial |
| Non-Integrated | No Mask | $O(\mathrm{poly}(n))$ | [1], [23] | [1], [23] | Section III-A | Section III-A | Section III-A | Section III-A |
| Integrated | Mask | $O(\exp(n))$ | [23] | Section III-B | Section III-C | Section III-C | ? | ? |
| Non-Integrated | Mask | $O(\exp(n))$ | Section III-B | Section III-B | Section III-C | Section III-C | ? | ? |

Subgaussian random variables are very useful for our analysis since they are subject to very strong tail bounds (at least as strong as those for a Gaussian distribution). The following lemmas describe useful properties of subgaussian distributions, and they will be used in Section III to bound the error an adversary would have when trying to learn the behavior of the PUF. The proofs for Lemmas II.2, II.3, II.4, and II.6 can be found in [25].

Lemma II.1 ([27], Lemma 2.2). Any distribution over $\mathbb{R}$ with mean zero and supported over a bounded interval $[-a, a]$ is $a$-subgaussian.

Lemma II.2 ([25], Lemma 2.4). A $\tau$-subgaussian random variable $X$ has the following properties:

$$E[X] = 0 \quad \text{and} \quad E[X^2] \le \tau^2.$$

Lemma II.3 ([25], Lemma 2.6). Let $X$ be a $\tau$-subgaussian random variable. Then for all $t > 0$,

$$\Pr[X > t] \le \exp\left(-\frac{t^2}{2\tau^2}\right). \tag{2}$$

Lemma II.4 ([25], Lemma 2.7). Let $X_1, \dots, X_n$ be independent random variables such that $X_i$ is $\tau_i$-subgaussian. For all $\mu_1, \dots, \mu_n \in \mathbb{R}$, the random variable $X = \mu_1 X_1 + \cdots + \mu_n X_n$ is $\tau$-subgaussian, where

$$\tau^2 = \mu_1^2 \tau_1^2 + \cdots + \mu_n^2 \tau_n^2.$$

A random vector $\mathbf{x} \in \mathbb{R}^n$ is called $\tau$-subgaussian if for all unit vectors $\mathbf{u} \in \mathbb{R}^n$, the inner product $\langle \mathbf{u}, \mathbf{x} \rangle$ is a $\tau$-subgaussian random variable. By this definition, a random vector $\mathbf{x}$ that has components $x_i$ that are all independent $\tau$-subgaussian random variables is $\tau$-subgaussian. Similarly to subgaussian random variables, subgaussian vectors also have strong tail bounds.

Lemma II.5. Let $\mathbf{v}$ be a $\tau$-subgaussian random vector in $\mathbb{R}^n$. Then

$$\Pr[\|\mathbf{v}\| \ge t] \le 2n \exp\left(-\frac{t^2}{2\tau^2 n}\right).$$

Proof. $\|\mathbf{v}\| \ge t$ only if at least one of its components $v_i$ satisfies $|v_i| \ge t/\sqrt{n}$. However, $v_i$ can be written as the inner product $\langle \mathbf{v}, \mathbf{e}_i \rangle$, where $\mathbf{e}_i$ is the $i$-th standard basis vector. Similarly, $-v_i = \langle \mathbf{v}, -\mathbf{e}_i \rangle$. Since the standard basis vectors are unit vectors in $\mathbb{R}^n$, and since $\mathbf{v}$ is $\tau$-subgaussian, this means that each of the components $v_1, \dots, v_n, -v_1, \dots, -v_n$ is $\tau$-subgaussian. Fixing $s = t/\sqrt{n}$, we can use Eq. 2 to get

$$\Pr[\|\mathbf{v}\| \ge t] \le \Pr[|v_1| \ge s] + \cdots + \Pr[|v_n| \ge s] \le 2n \exp\left(-\frac{t^2}{2\tau^2 n}\right).$$

Lemma II.6 ([25], Lemma 2.9). Let $\mathbf{x}$ be a $\tau$-subgaussian random vector in $\mathbb{R}^n$ and $A \in \mathbb{R}^{m \times n}$. Then $\mathbf{y} = A\mathbf{x}$ is a $\tau'$-subgaussian random vector in $\mathbb{R}^m$, with $\tau' = \tau \cdot \|A^T\|_{\mathrm{op}}$.

C. Physics of the PUF

In the absence of nonlinear optical effects, the behavior of the PUF is governed by the linear wave equation

$$\left(\nabla^2 - \frac{1}{c^2}\frac{\partial^2}{\partial t^2}\varepsilon(\mathbf{r})\right)\Psi(\mathbf{r}, t) = J(\mathbf{r}, t), \tag{3}$$

where $\varepsilon(\mathbf{r})$ is the dielectric of the scattering token at a position $\mathbf{r}$, which encodes values of the dielectric of the glass beads used as scatterers, as well as the dielectric inside the optical resin [24]. The resin and the scatterers are both assumed to be locally isotropic, meaning that their dielectric coefficients are independent of the direction of polarization. $\Psi(\mathbf{r}, t)$ is a complex scalar field which encodes the amplitude and phase of the electric field at a position $(\mathbf{r})$ and a time $t$. Finally, $J(\mathbf{r}, t)$ is a monochromatic source term such that $J(\mathbf{r}, t) = J_0(\mathbf{r}) \exp(-i\omega_0 t)$ and $\Psi(\mathbf{r}, t) = \psi(\mathbf{r}) \exp(-i\omega_0 t)$. Eq. 3 can then be rewritten as

$$\left(\nabla^2 + \frac{\omega_0^2}{c^2}\varepsilon(\mathbf{r})\right)\psi(\mathbf{r}) = J_0(\mathbf{r}),$$

where $J_0(\mathbf{r})$ is the amplitude of the source term at a given location, $\psi(\mathbf{r})$ is the amplitude of the electric field, and $\omega_0$ is the angular frequency of the source. Given the linearity of Eq. 3, if the PUF receives challenges $c_1$ and $c_2$ and gives responses $r_1$ and $r_2$, respectively, then if it receives the challenge $c_1 + c_2$, the corresponding response will be $r_1 + r_2$.

Nonlinear optical effects occur in all optical media, but they are usually insignificant if the magnitude of the electromagnetic field is much smaller than the fields within the molecules and atoms of the material. When incident light is of a sufficient intensity in a nonlinear medium, the polarization of the medium begins to depend non-linearly on the electromagnetic fields. For media that are locally isotropic, this nonlinearity means the index of refraction depends on the intensity of the transmitted electromagnetic fields [28]. This gives the nonlinear wave equation

$$\left(\nabla^2 + \frac{\omega_0^2}{c^2}\varepsilon\left(\mathbf{r}, |\psi(\mathbf{r})|^2\right)\right)\psi(\mathbf{r}) = J_0(\mathbf{r}).$$

In general, $\varepsilon$ can be written as a power series in the field intensity $|\psi(\mathbf{r})|^2$. The nonlinear wave equation can thus be rewritten according to [24], [29] as

$$\left[\nabla^2 + \frac{\omega_0^2}{c^2}\sum_{k=0}^{\infty}\varepsilon_k(\mathbf{r})|\psi(\mathbf{r})|^{2k}\right]\psi(\mathbf{r}) = J_0(\mathbf{r}). \tag{4}$$

In the limit as the nonlinear effects go to 0, such as if the medium has weak nonlinear properties or if the laser in the PUF is being run at lower intensities such that all the nonlinear effects are small, the nonlinear component can be truncated after the $\varepsilon_0(\mathbf{r})$ term, and Eq. 4 is equivalent to Eq. 3. For stronger nonlinearity or very high laser intensities, more terms of the power series are necessary, though the nonlinear terms are small corrections except for in very extreme cases, as each successive $\varepsilon_k$ term is typically much smaller than the one before it [28], [29].

D. Learning With Errors

Learning With Errors (LWE) is a computational problem that has been used as a basis for the security of various candidate post-quantum encryption schemes in lattice-based cryptography [30]–[32]. In LWE, one is tasked with learning a secret vector $\mathbf{s} \in \mathbb{Z}_p^n$ given polynomially many pairs $(\mathbf{a}_i, b_i) \in \mathbb{Z}_p^{n+1}$, where $b_i = \langle \mathbf{a}_i, \mathbf{s} \rangle + e_i \bmod p$, the $\mathbf{a}_i$ are uniformly distributed in $\mathbb{Z}_p^n$, and the $e_i$ are sampled from a discrete Gaussian distribution on $\mathbb{Z}_p$. It was shown in [30] that properly parameterized LWE is at least as hard as several worst-case variants of lattice problems such as the Shortest Independent Vectors Problem (SIVP), and the Gap Shortest Vector Problem (GapSVP), which are conjectured to be hard for both classical and quantum computers.

Continuous Learning With Errors (CLWE) was introduced in [33] as a continuous variant of LWE, with quantum reductions from the same lattice problems (SIVP, GapSVP, etc.) that underlie the hardness of LWE. Later, the authors of [34] demonstrated polynomial-time reductions between LWE and CLWE, showing that the two problems are equivalently hard. In $\mathrm{CLWE}_{\beta,\gamma}$, for appropriate parameters $\beta, \gamma > 0$, one needs to find a secret unit vector $\mathbf{s} \in \mathbb{R}^n$ given polynomially many pairs of the form $(\mathbf{a}_i, b_i) \in \mathbb{R}^{n+1}$, where $b_i = \gamma \langle \mathbf{a}_i, \mathbf{s} \rangle + e_i \bmod 1$, the $\mathbf{a}_i$ are distributed according to a continuous Gaussian distribution in $\mathbb{R}^n$ with covariance matrix $I_n/(2\pi)$, and the error terms $e_i$ are sampled from a continuous Gaussian distribution on $\mathbb{R}$ with variance $\beta^2/(2\pi)$.

E. PAC-Learning

The Probably Approximately Correct (PAC) framework is a general model for evaluating the learnability of classes of functions first described in [35]. The general idea behind PAC learning is that in order to successfully learn a target concept or function, one should, with high probability, produce a hypothesis that is a good approximation of the target concept. PAC learning has previously been used to prove the theoretical learnability of various PUF designs [15]–[20]. In this work, we use the agnostic PAC framework described in [36] to define PAC-learnability as follows:

A class of functions $H : X \to Y$, called the hypothesis class, is said to be PAC-learnable if there exists an algorithm $A$ such that, for all $\varepsilon > 0$ and $\delta \in (0, 1)$, and any target concept $h_0 \in H$, then with a set $S$ of $m = O(\mathrm{poly}(1/\varepsilon, 1/\delta, n))$ samples drawn according to a distribution $D$ on $X \times Y$, the algorithm $A$ will output a hypothesis $h_S : X \to Y$ such that

$$\Pr_{S \sim D}\left[R(h_S) - \inf_{h \in H} R(h) \le \varepsilon\right] \ge 1 - \delta,$$

according to some generalization error, or risk function $R$. If the algorithm also terminates in $O(\mathrm{poly}(1/\varepsilon, 1/\delta, n))$ time, then it is called an efficient PAC learning algorithm.

In our case, since we want to learn PUFs that essentially encode linear systems, the functions in the hypothesis class are just linear functions in $n$ variables. Since linear functions in can be encoded as inner products of coefficient vectors $\mathbf{h}$ and variable vectors $\mathbf{x}$, we will set the risk function $R(\mathbf{h})$ to be the maximum difference between the value $\langle \mathbf{h}, \mathbf{x} \rangle$ of the hypothesis function and $\langle \mathbf{h}_0, \mathbf{x} \rangle$, the value of the target concept. Thus, the PAC condition can be rewritten as

$$\Pr_{S \sim D}\left[\max_{\mathbf{x} \in X} |\langle \mathbf{h} - \mathbf{h}_0, \mathbf{x} \rangle| \le \varepsilon\right] \ge 1 - \delta. \tag{5}$$

As we will show in Section III, a simple linear regression algorithm can provably efficiently PAC-learn the PUF, under the mild assumption that the error distribution is subgaussian or can be shifted by a constant offset to produce a subgaussian distribution.

In order for a PUF design to be secure against polynomially bounded adversaries, it cannot be efficiently PAC-learned. In other words, any algorithm that satisfies the PAC condition should either require exponentially many (in $1/\varepsilon$, $1/\delta$, or $n$) samples or terminate after an exponentially long time. As mentioned in Section II-D, appropriately parameterized LWE and CLWE are conjectured to be hard to solve under hardness assumptions for worst-case lattice problems [30], [33]. Thus, under those hardness assumptions, they cannot be efficiently PAC-learned since any algorithm that could efficiently PAC-learn LWE or CLWE would be able to solve those worst-case lattice problems in polynomial time.

III. LEARNING OPTICAL PUF BEHAVIOR

Throughout this section, we will assume that the distribution of measurement noise in the PUF responses is subgaussian. Any nonzero mean in the noise terms will appear as a constant term that can be discarded at the end of the learning algorithm. If the noise is sampled from a distribution with unbounded support, we can choose to reject samples with too large of noise. By forcing all the responses to have bounded noise, Lemma II.1 ensures that the noise distribution either is subgaussian or can be shifted by a constant offset to give a subgaussian distribution.

Fig. 2. In a non-integrated optical PUF, the laser’s position $(x, y)$ and direction of incidence $(\theta, \phi)$ can be varied as part of the challenge. Positional ($\pm\ell$) and angular ($\pm\alpha$) uncertainty in the alignment system means that the number of distinct challenge orientations scales polynomially with the physical size of the scattering token and the precision of the alignment system.

In Section III-C, we perform a perturbative analysis for the PUF responses within a weakly nonlinear regime, where terms of quadratic and higher order in the nonlinear correction are considered negligible. This type of analysis implicitly assumes that the PUF responses are dominated by linear effects, with only a few low-degree nonlinear terms that make up a small correction. This is true for optical PUFs containing lasers of low power or using materials that have weak nonlinear optical properties, such that the magnitude of the optical electromagnetic field from the laser is much smaller than the fields within the molecules and atoms of the material, and thus can be treated as a small perturbation to the linear behavior [28].

A. Learning Non-Integrated Optical PUFs

A non-integrated optical PUF, such as the original optical PUF in [1], allows for the $(x, y)$ position and $(\theta, \phi)$ angular orientation of the laser to be changed relative to the scattering token as part of the challenge (Figure 2). Given a challenge position and angle $(x, y, \theta, \phi)$, assume that uncertainty in the alignment system causes the actual position and angle of the laser to vary by up to $\pm\ell$ and $\pm\alpha$, respectively. Thus, in order for a particular laser orientation to correspond to a unique challenge, the positions of each challenge need to be separated by a spatial distance of at least $2\ell$ in the $x$ and $y$ directions, and by an angular distance of at least $2\alpha$ in the $\theta$ and $\phi$ directions. Thus, if the scattering token can be illuminated over a surface area $A = L^2$, with an angle of incidence anywhere on a hemisphere ($\theta, \phi \in [0, \pi]$), the number of distinct orientations of the laser relative to the scattering token is bounded above by

$$\#\text{ of distinct orientations} \le \frac{\pi^2 L^2}{16\alpha^2\ell^2},$$

which scales polynomially in the physical size $L$ of the token, as well as in the spatial and angular precisions $1/\ell$ and $1/\alpha$ of the alignment system.

Because the position of the light source is fixed relative to the scattering token in an integrated PUF, learning the behavior of an integrated PUF is equivalent to learning the behavior of a particular challenge position and orientation of a non-integrated PUF that uses the same scattering token. In particular, this implies that any algorithm that learns an integrated optical PUF in polynomial time can be extended to learn a non-integrated optical PUF in polynomial time simply by applying that algorithm for each of the polynomially many orientations of the non-integrated PUF.

B. Linear Scattering Media

A challenge to the PUF consists of a specific pattern on the LCD mask, which determines what parts of the PUF medium are illuminated by the laser (Fig. 1). We can describe the $j$-th pixel in a particular challenge image on the mask by a real number $b_j$ between 0 and 1 that describes what proportion of the incident radiation gets transmitted through that pixel. A challenge $\mathbf{b}$ to the PUF can then be written as a vector $\mathbf{b} = (b_1, \dots, b_N) \in [0, 1]^N$, where $N$ is the number of pixels in the LCD screen.

At a given pixel in the detector, the complex amplitude $a$ of the electric field can be written as a function $a(\mathbf{b})$. If the PUF medium is linear, $a(\mathbf{b})$ can be written as a linear function

$$a(\mathbf{b}) = a(b_1, \dots, b_N) = \sum_{j=1}^{N} b_j t_j,$$

where the $t_j$ are complex transmission coefficients that encode how the amplitude and phase of the light passing through pixel $b_j$ is transmitted to that part of the detector. If the speckle pattern is picked up with a charge-coupled device (CCD) or a similar camera chip, then the response $f_{\mathrm{PUF}}(\mathbf{b})$ measures the intensity $|a|^2$ of the laser light at that location, so it is quadratic in the $b_j$:

$$f_{\mathrm{PUF}}(\mathbf{b}) = |a(\mathbf{b})|^2 = \sum_{j=1}^{N}\sum_{k=1}^{N} b_j b_k t_j t_k^*,$$

where $t_k^*$ denotes the complex conjugate of $t_k$. We can define the new vectors $\mathbf{c} = (1, c_1, \dots, c_n) \in [0, 1]^{n+1}$ and $\mathbf{s} = (s_0, s_1, \dots, s_n) \in [0, 1]^{n+1}$ such that $f_{\mathrm{PUF}}(\mathbf{c}) = \langle \mathbf{c}, \mathbf{s} \rangle$, where each component $c_i$ is a monomial of total degree at most 2 in the $b_j$, and where the first component in $\mathbf{c}$ and $\mathbf{s}$ represents a constant offset. For an adversary to successfully learn the PUF, they will need to determine an approximate candidate vector $\hat{\mathbf{s}}$ such that $|\langle \mathbf{c}, \mathbf{s} \rangle - \langle \mathbf{c}, \hat{\mathbf{s}} \rangle| < \varepsilon$. In other words, they want to be able to approximate the PUF’s behavior to within $\varepsilon$ for any possible challenge $\mathbf{c}$.

The problem of learning the PUF can thus be written as a problem of determining $\hat{\mathbf{s}}$ from noisy CRPs. For any given challenge $\mathbf{c}_i$, the adversary will have access to the pair $(\mathbf{c}_i, \langle \mathbf{c}_i, \mathbf{s} \rangle + e_i)$, where without loss of generality, $e_i$ is a $\tau_e$-subgaussian random noise term, which could, for example, arise from random measurement error or random fluctuations in the transparency of the pixels in the LCD. If the measurement noise $e_i$ has nonzero mean, then that will show up in the $s_0$ constant term, which we can throw out at the end. If the noise is sampled from a distribution with unbounded support, we can choose to reject samples with too large of noise. In particular, given $\alpha > 0$ such that $\Pr[|e_i| < \alpha] > 1/2$, we can reject samples that we know have $|e_i| > \alpha$ and then use the same analysis as for distributions with bounded support. In this case we will need (with overwhelming probability) around twice as many CRPs as we would otherwise, and Eqs. 15–18 will all pick up an extra factor of $M$ since for a given challenge $\mathbf{c}_i$, the error $|e_i|$ may not be simultaneously less than $\alpha$ across all $M$ pixels in the CCD.

We can express a PUF response $r_i$ as

$$r_i = \langle \mathbf{c}_i, \mathbf{s} \rangle + e_i,$$

and we can combine the expressions for a set of $m$ CRPs to get

$$C\mathbf{s} + \mathbf{e} = \mathbf{r},$$

where $\mathbf{c}_i$ is the $i$-th row of the $m \times n$ matrix $C$, and likewise for the error and response vectors $\mathbf{e}$ and $\mathbf{r}$. While the pairs $(\mathbf{c}_i, r_i)$ appear to be similar to samples generated for LWE or CLWE, they are not subject to modular reduction, which removes key information about the $r_i$ samples that can otherwise be leveraged to learn $\mathbf{s}$, as described in [25].

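In order to learn $\mathbf{s}$, we produce an estimate $\hat{\mathbf{s}}$ that ignores the error vector $\mathbf{e}$ such that $C\hat{\mathbf{s}} \approx \mathbf{r}$. Assuming that $C^T C$ is invertible (and we will provide a condition for this to be true), this is done by solving for $\hat{\mathbf{s}}$, giving the least-squares estimate

$$\hat{\mathbf{s}} = \left(C^T C\right)^{-1} C^T \mathbf{r}.$$

Once we have our estimate, we can now bound the estimation error $\varepsilon$ between a legitimate PUF response $\langle \mathbf{c}, \mathbf{s} \rangle$ and the approximate PUF response $\langle \mathbf{c}, \hat{\mathbf{s}} \rangle$. Since $C\mathbf{s} + \mathbf{e} = \mathbf{r}$, we get the relation

$$\hat{\mathbf{s}} - \mathbf{s} = \left(C^T C\right)^{-1} C^T \mathbf{e}, \tag{6}$$

which by Lemma II.6 is a $\tau'$-subgaussian random vector, where

$$\tau' = \tau_e \cdot \left\|\left(\left(C^T C\right)^{-1} C^T\right)^T\right\|_{\mathrm{op}} = \tau_e \cdot \|M\|_{\mathrm{op}},$$

where $M = \left(\left(C^T C\right)^{-1} C^T\right)^T$. By Eq. 1, this is equal to

$$\tau' = \tau_e \sqrt{\lambda_{\max}\left(M M^T\right)} = \frac{\tau_e}{\sqrt{\lambda_{\min}(C^T C)}}. \tag{7}$$

The matrix $C^T C$ can be written as

$$\sum_{i=1}^{m} \mathbf{c}_i^T \mathbf{c}_i,$$

a sum of $m$ outer product matrices, one for each challenge. By Lemma III.1, we can see that each of these matrices has exactly one nonzero eigenvalue equal to $\|\mathbf{c}_i\|^2$.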

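Lemma III.1. For any row vector $\mathbf{x} \in \mathbb{R}^n$, the eigenvalues of the outer product matrix $\mathbf{x}^T\mathbf{x}$ are $\|\mathbf{x}\|^2$ and 0.

Proof. First note that if $\|\mathbf{x}\| = 0$, then $\mathbf{x}^T\mathbf{x}$ is just the zero matrix, which only has eigenvalue 0. Assume that $\|\mathbf{x}\| > 0$, and let $\mathbf{u} \in \mathbb{R}^n$ be a nonzero eigenvector of $\mathbf{x}^T\mathbf{x}$. Then $\mathbf{x}^T\mathbf{x}\mathbf{u} = \lambda\mathbf{u}$ for some $\lambda \in \mathbb{C}$. If $\mathbf{x}\mathbf{u} = 0$, then we have that $\mathbf{x}^T\mathbf{x}\mathbf{u} = \mathbf{x}^T \cdot 0 = \mathbf{0} = \lambda\mathbf{u}$. Since $\|\mathbf{u}\| > 0$, we know that $\lambda = 0$. If $\mathbf{x}\mathbf{u} \neq 0$, multiplying on both sides by $\mathbf{x}$ gives $\mathbf{x}\mathbf{x}^T\mathbf{x}\mathbf{u} = \mathbf{x}\lambda\mathbf{u}$. However, $\mathbf{x}\mathbf{x}^T = \|\mathbf{x}\|^2$, and $\lambda$ commutes with $\mathbf{x}$ on the right side giving $\|\mathbf{x}\|^2\mathbf{x}\mathbf{u} = \lambda\mathbf{x}\mathbf{u}$, from which it follows that $\lambda = \|\mathbf{x}\|^2$.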

Outer products of real vectors are always real and symmetric. In addition, since none of their eigenvalues are negative by Lemma III.1, the $\mathbf{c}_i^T\mathbf{c}_i$ are positive semidefinite. The maximum eigenvalue of these matrices is $\lambda_{\max} = \|\mathbf{c}_i\|^2$. Since $\mathbf{c}$ has $n$ components, each within the interval $[0, 1]$, we know that $\|\mathbf{c}\|^2 \le n$. This combination of properties (real symmetric, positive semidefinite, and bounded maximum eigenvalue) allows us to use a matrix Chernoff bound to find a bound on the minimum eigenvalue of their sum.

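Proposition III.2 (Matrix Chernoff II [37]). Consider a finite sequence $\{A_i\}_{i=1}^{m}$ of independent, random, symmetric, and positive semi-definite matrices of dimension $d$ that satisfy $\lambda_{\max}(A_i) \le R$, for some $R \ge 0$. Compute the minimum eigenvalue of the sum of expectations:

$$\mu_{\min} := \lambda_{\min}\left(\sum_{i=1}^{m} E[A_i]\right).$$

Then

$$\Pr\left[\lambda_{\min}\left(\sum_{i=1}^{m} A_i\right) \le (1 - \alpha)\mu_{\min}\right] \le d \exp\left(-\frac{\alpha^2 \mu_{\min}}{2R}\right)$$

for all $\alpha \in [0, 1]$.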

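To determine $\mu_{\min}$, first note that since all the $\mathbf{c}$ are identically and independently distributed, their expectation is the same. Thus, we have that

$$\mu_{\min} = \lambda_{\min}\left(\sum_{i=1}^{m} E\left[\mathbf{c}^T\mathbf{c}\right]\right) = m \cdot \lambda_{\min}\left(E[\mathbf{c}^T\mathbf{c}]\right). \tag{8}$$

Since $E[\mathbf{c}^T\mathbf{c}]$ is a real symmetric matrix, by the spectral theorem there exists an orthogonal matrix $P$ such that $P^T E[\mathbf{c}^T\mathbf{c}] P$ is diagonal. Since the expectation operator is linear, this means that $E\left[(\mathbf{c}P)^T \mathbf{c}P\right]$ is diagonal, and that the eigenvalues of $E[\mathbf{c}^T\mathbf{c}]$ are $\lambda_j = E[(\mathbf{c}P)_j^2]$. Using $P$, we can rewrite an individual response $r_i$ as

$$r_i = \left\langle \mathbf{c}_i P, P^T\mathbf{s} \right\rangle + e_i,$$

with the matrix expression for $m$ responses

$$\mathbf{r} = C P P^T \mathbf{s} + \mathbf{e}.$$

If there exists some $j$ such that $\lambda_j = 0$, then for any challenge $\mathbf{c}_i$, the component $(\mathbf{c}_i P)_j = 0$, meaning that $f_{\mathrm{PUF}}$ is independent of the specific value of the $j$-th component of $P^T\mathbf{s}$. Thus, we can instead work with the challenges $\tilde{\mathbf{c}}_i = \mathbf{c}_i P$ and $\tilde{\mathbf{s}} = P^T\mathbf{s}$, where the $j$-th components corresponding to eigenvalues $\lambda_j = 0$ are removed. Let $\tilde{C}$ be the matrix with $j$-th row $\tilde{\mathbf{c}}_j$, and compute the estimate $\hat{\tilde{\mathbf{s}}}$ by taking

$$\hat{\tilde{\mathbf{s}}} = \left(\tilde{C}^T\tilde{C}\right)^{-1}\tilde{C}^T\mathbf{r}.$$

After obtaining $\hat{\tilde{\mathbf{s}}}$, we can replace the removed indices $\hat{\tilde{s}}_j$ with any number and left multiply by $P$ to obtain $\hat{\mathbf{s}}$ as before, where for any challenge $\mathbf{c}$, we have $\langle \mathbf{c}, \mathbf{s} \rangle = \langle \tilde{\mathbf{c}}, \tilde{\mathbf{s}} \rangle$, and likewise for the estimate. By switching to using $\tilde{\mathbf{c}}_i$, we can ensure that the expected outer product is diagonal and has a nonzero minimum eigenvalue. Since the eigenvalues of orthogonal matrices all have modulus 1, and since $\tilde{\mathbf{c}}$ has at most as many components as $\mathbf{c}$, we can still fix $R = n$ since $\|\tilde{\mathbf{c}}\| \le \|\mathbf{c}\|$. Let $\xi = \lambda_{\min}\left(E[\tilde{\mathbf{c}}^T\tilde{\mathbf{c}}]\right)$ such that $\mu_{\min} = m\xi$ in Eq. 8.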

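Setting $\alpha = 1/2$ in Proposition III.2, we can bound the minimum eigenvalue of $\tilde{C}^T\tilde{C}$ by

$$\Pr\left[\lambda_{\min}\left(\tilde{C}^T\tilde{C}\right) \le \frac{m\xi}{2}\right] \le n \exp\left(-\frac{m\xi}{8n}\right). \tag{9}$$

If we want to pick $m$ such that the probability in Eq. 9 is less than or equal to $\exp(-\eta)$, for $\eta > 0$, then it suffices to pick $m$ such that

$$m \ge \frac{8n}{\xi}(\eta + \ln n). \tag{10}$$

So, if Eq. 10 is satisfied, we know that $\tilde{C}^T\tilde{C}$ is invertible, and we have from Eq. 7 that, with probability at least $1 - \exp(-\eta)$,

$$\tau' = \tau_e\sqrt{\frac{2}{m\xi}}.$$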

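In this case, by Lemma II.5, we have that

$$\Pr\left[\left\|\tilde{s} - \hat{\tilde{s}}\right\| \ge \frac{\varepsilon}{\sqrt{n}}\right] \le 2n \exp\left(-\frac{\varepsilon^2 m \xi}{4 n^2 \tau_e^2}\right). \tag{11}$$

If we want to pick $m$ such that the probability in Eq. 11 is less than or equal to $\exp(-\eta)$, then it suffices to pick $m$ such that

$$m \ge \frac{4 n^2 \tau_e^2}{\varepsilon^2 \xi}(\eta + \ln(2n)). \tag{12}$$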

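Taking Eqs. 10 and 12 into account, we can see that if we set

$$m \ge \max\left\{\frac{8n}{\xi}(\eta + \ln n),\ \frac{4 n^2 \tau_e^2}{\varepsilon^2 \xi}(\eta + \ln(2n))\right\}, \tag{13}$$

then we know that, for any challenge $c \in [0,1]^n$,

$$|\langle c, s \rangle - \langle c, \hat{s} \rangle| = \left|\left\langle \tilde{c}, \tilde{s} - \hat{\tilde{s}} \right\rangle\right| \le \|\tilde{c}\| \left\|\tilde{s} - \hat{\tilde{s}}\right\| \le \varepsilon.$$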

Thus, $|\langle c, \hat{s} \rangle - f_{\mathrm{PUF}}| \le \varepsilon$, with probability at least $(1 - \exp(-\eta))^2$. Thus, the probability of simultaneously predicting $f_{\mathrm{PUF}}$ to within $\varepsilon$ for all $M$ pixels in the CCD is at least $(1 - \exp(-\eta))^{2M}$. If we want to achieve a good estimate with probability at least $1 - \delta$, for $\delta \in (0,1)$, then since

$$(1 - \exp(-\eta))^{2M} \ge 1 - 2M \exp(-\eta)$$

for all $\eta > 0$, then to have $(1 - \exp(-\eta))^{2M} \ge 1 - \delta$, it suffices to fix

$$\eta \ge \ln\frac{2M}{\delta}.$$

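Substituting this value of $\eta$ into Eq. 13 implies that it suffices to fix

$$m \ge \max\left\{\frac{8n}{\xi}\ln\frac{2Mn}{\delta},\ \frac{4 n^2 \tau_e^2}{\varepsilon^2 \xi}\ln\frac{4Mn}{\delta}\right\}. \tag{14}$$

Since $n = O(N^2)$, Eq. 14 gives an asymptotic bound on the required number of CRPs of

$$m = O\left(\frac{N^4 \tau_e^2}{\varepsilon^2 \xi}\ln\frac{MN^2}{\delta}\right). \tag{15}$$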

In order to obtain $\hat{s}$, we need to compute the product

$$\hat{\tilde{s}} = \left(\tilde{C}^T \tilde{C}\right)^{-1} \tilde{C}^T r,$$

which has time complexity $O(n^2 m)$ with basic matrix multiplication. Computation of the inverse $\left(\tilde{C}^T \tilde{C}\right)^{-1}$ requires $O(n^3)$ time using Gaussian elimination, as does diagonalization of $E[c^T c]$ using a singular value decomposition [38]. Thus, the overall time complexity for learning the PUF for all $M$ pixels in the speckle pattern is asymptotically given by

$$O\left(\frac{N^8 \tau_e^2}{\varepsilon^2 \xi}\ln\frac{MN^2}{\delta}\right), \tag{16}$$

which is polynomially bounded in $N$, $M$, $\varepsilon$, and $\delta$. In particular, this means that the PUF is efficiently PAC-learnable if it uses linear scattering media.
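The sample bound of Eq. 14 and the least-squares estimate can be exercised on a synthetic single-pixel model, which lets a designer see how conservative the bound is for a given parameter set. This is an added example, not code from the paper; the function names, the uniform challenge distribution on $[0,1]^n$ (for which $\xi = 1/12$), Gaussian noise with standard deviation $\tau_e$, and all numeric parameters are assumptions chosen for illustration.

```python
import math
import random

def sample_bound(n, M, xi, tau_e, eps, delta):
    """CRP count that suffices by Eq. 14 for error <= eps with prob. >= 1 - delta."""
    eig_term = 8 * n / xi * math.log(2 * M * n / delta)
    err_term = 4 * n**2 * tau_e**2 / (eps**2 * xi) * math.log(4 * M * n / delta)
    return math.ceil(max(eig_term, err_term))

def solve(A, b):
    """Solve A x = b by Gaussian elimination with partial pivoting (O(n^3))."""
    n = len(b)
    aug = [row[:] + [b[i]] for i, row in enumerate(A)]
    for col in range(n):
        piv = max(range(col, n), key=lambda i: abs(aug[i][col]))
        if abs(aug[piv][col]) < 1e-12:
            raise ValueError("C^T C is singular: too few or degenerate challenges")
        aug[col], aug[piv] = aug[piv], aug[col]
        for i in range(col + 1, n):
            f = aug[i][col] / aug[col][col]
            for k in range(col, n + 1):
                aug[i][k] -= f * aug[col][k]
    x = [0.0] * n
    for i in reversed(range(n)):
        tail = sum(aug[i][k] * x[k] for k in range(i + 1, n))
        x[i] = (aug[i][n] - tail) / aug[i][i]
    return x

def least_squares(C, r):
    """s_hat = (C^T C)^{-1} C^T r via the normal equations (O(n^2 m) to form)."""
    n = len(C[0])
    gram = [[sum(c[i] * c[j] for c in C) for j in range(n)] for i in range(n)]
    rhs = [sum(c[i] * ri for c, ri in zip(C, r)) for i in range(n)]
    return solve(gram, rhs)

def dot(u, v):
    return sum(a * b for a, b in zip(u, v))

def simulate(n=6, M=1, tau_e=0.05, eps=0.1, delta=0.05, trials=2000, seed=7):
    """Learn one synthetic pixel from m noisy CRPs; return (m, worst test error)."""
    rng = random.Random(seed)
    # Assumed challenges uniform on [0,1]^n: E[c^T c] = I/12 + J/4, so xi = 1/12.
    xi = 1 / 12
    m = sample_bound(n, M, xi, tau_e, eps, delta)
    s = [rng.uniform(-1, 1) for _ in range(n)]           # constructed secret
    C = [[rng.random() for _ in range(n)] for _ in range(m)]
    r = [dot(c, s) + rng.gauss(0, tau_e) for c in C]     # constructed noisy responses
    s_hat = least_squares(C, r)
    worst = 0.0
    for _ in range(trials):                              # fresh, unseen challenges
        c = [rng.random() for _ in range(n)]
        worst = max(worst, abs(dot(c, s) - dot(c, s_hat)))
    return m, worst

if __name__ == "__main__":
    m, worst = simulate()
    print(f"CRPs required by Eq. 14: {m}; worst prediction error: {worst:.4f}")
```

With these parameters the eigenvalue term of Eq. 14 dominates, and the observed prediction error sits well inside $\varepsilon$, in line with the remark that the bounds are generic rather than tight.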

It should be noted that the approach here cannot be used to solve appropriately implemented instances of LWE or CLWE. In particular, from Eq. 6, we can see that the difference between the actual value for the secret $s$ and the least-squares estimate $\hat{s}$ multiplies the error by $\left(C^T C\right)^{-1} C^T$. Because in LWE $C$ is sampled uniformly from $\mathbb{Z}_p^{m \times n}$, and all operations in LWE take place in $\mathbb{Z}_p$, this acts to magnify the error vector $e$, which leads to $\hat{s} - s$ being distributed according to a very wide Gaussian distribution. When reduced mod $p$, this distribution becomes computationally indistinguishable from the uniform distribution on $\mathbb{Z}_p$ [30]. It is also clear that this approach cannot be applied to CLWE since multiplicative inverses in $\mathbb{R}/\mathbb{Z}$ are not well-defined, so $\left(C^T C\right)^{-1}$ cannot even be computed in principle.

C. Nonlinear Scattering Media

Because nonlinear optical effects are generally small, we will analyze the case where the PUF contains a weakly nonlinear dielectric using a perturbative approach, which assumes that the characteristic size of the nonlinear effects is much smaller than the characteristic size of the linear effects, and that terms of quadratic or higher order in the small parameters are of negligible size. In Eq. 4, we will simplify by moving the factor of $\omega_0^2/c^2$ into the $\varepsilon_k$ terms. Suppose that $\psi = \psi_L + \delta\psi_{NL}$ can be written as a linear term $\psi_L$ and a small nonlinear term $\delta\psi_{NL}$, where $\delta\psi_{NL} \ll \psi_L$ such that $|\psi|^k \approx |\psi_L|^k (1 + k\,\delta\psi_{NL}/\psi_L)$, and where $\psi_L$ solves the linear wave equation

$$\left(\nabla^2 + \varepsilon_0(r)\right)\psi_L(r) = J_0(r).$$

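Further, assume that the dielectric behaves mostly linearly, with $\varepsilon = \varepsilon_0 + \delta\varepsilon_{NL}$, where again $\delta\varepsilon_{NL} \ll \varepsilon_0$ with small measurable nonlinear effects up to degree $d$. Cancelling terms quadratic in the small parameters gives

$$\varepsilon_0 + \delta\varepsilon_{NL} = \varepsilon_0 + \sum_{k=1}^{d} \delta\varepsilon_k |\psi|^{2k} \approx \varepsilon_0 + \sum_{k=1}^{d} \delta\varepsilon_k |\psi_L|^{2k}.$$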

Substituting into Eq. 4 and simplifying by keeping only terms at most linear in the small parameters gives an expression for $\psi_{NL}$ in terms of powers of $\psi_L$:

$$\left(\nabla^2 + \varepsilon_0(r)\right)\delta\psi_{NL}(r) = -\sum_{k=1}^{d} \delta\varepsilon_k(r)\,\psi_L(r)\,|\psi_L(r)|^{2k}.$$

As we saw in the linear case, $\psi_L$ can be written as a complex linear combination of the coefficients $b_j$. Because $\psi$ is linear in the $b_j$, $|\psi_L|^{2k}$ is a polynomial of degree $2k$ in the $b_j$, meaning that $\psi$ is a polynomial of degree $2d+1$ in the $b_j$. Thus, $f_{\mathrm{PUF}} \approx |\psi|^2$ is a polynomial of degree $4d+2$ in the $b_j$. From here, we can follow the same procedure as in the linear case by encoding the challenge vector $c$ which has $n = O(N^{4d+2})$ components, each of which is a monomial of total degree at most $4d+2$ in the $b_j$. We can use the same bounds as before to get an asymptotic bound on the required number of CRPs of

$$m = O\left(\frac{N^{8d+4} \tau_e^2}{\varepsilon^2 \xi}\ln\frac{MN^{4d+2}}{\delta}\right), \tag{17}$$

as well as a time complexity bound of

$$O\left(\frac{N^{16d+8} \tau_e^2}{\varepsilon^2 \xi}\ln\frac{MN^{4d+2}}{\delta}\right). \tag{18}$$

While these bounds grow much more quickly than for the linear case, they are still polynomial for a fixed value of $d$ (generally $d = 1$ or $2$ [29]), so the PUF is still efficiently PAC-learnable.

IV. CONCLUSION

A. Results

In Section II, we examined the underlying physics of integrated optical PUFs with masks and demonstrated that, with linear optics, the PUF acts as a quadratic polynomial of the challenge components $b_i$. We introduced the PAC-learning framework, under which the task of learning the behavior of the PUF in the presence of random noise is equivalent to the problem of learning a noisy linear system in $O(N^2)$ dimensions. By making this reduction, we were able to show in Section III-B the convergence of a linear regression algorithm, based on mild assumptions about the noise distribution. We found an asymptotic bound in Eq. 15 for the number of CRPs required to learn the PUF behavior, based on the size $N$ of the LCD mask, the number of pixels $M$ in the speckle pattern detector, the accepted error $\varepsilon$ in learning the PUF behavior, and the probability $1 - \delta$ of learning the PUF, as well as the distributions of the challenge vectors and random sample noise. The time complexity for a naive implementation of this algorithm was computed in Eq. 16 to be

$$O\left(\frac{N^8 \tau_e^2}{\varepsilon^2 \xi}\ln\frac{MN^2}{\delta}\right).$$

In particular, this means that optical PUFs with linear optics are efficiently PAC-learnable since they can be represented exactly by a polynomial. Finally, in Section III-C we did a perturbative analysis of PUF designs containing dielectrics with nonlinear optical properties. We showed that, under the assumption that the nonlinear effects were relatively small, the PUF still acts as a polynomial in the challenge components $b_i$, with the degree of the polynomial determined by the highest order of polarization susceptibility, and thus can be learned with access to polynomially many CRPs in polynomial time (Eqs. 17, 18).

Since the computational complexity of the regression al-

gorithm is polynomial, learning the PUF is not hard for an

adversary with polynomially-bounded computational resources

who has access to the challenges and noisy speckle data.

While the bounds given in Eqs. 15–18 grow very quickly

with N, it should be noted they are generic polynomial

bounds for a particular type of learning algorithm and are just

intended to show that the optical PUFs considered are PAC-

learnable with a polynomial sample and time complexity. A

more sophisticated analysis of the linear regression algorithm

may provide tighter bounds, and more sophisticated learning

approaches would likely require a much smaller sample set to

learn the PUF in less time.

B. Future Work

In order for an integrated or non-integrated optical PUF

to be plausibly secure against these types of adversaries, it

cannot just use linear or weakly nonlinear scattering media.

To increase security, the raw speckle patterns could be cryp-

tographically hashed, although this approach is susceptible to

side-channel attacks if an adversary can avoid the hashing op-

eration to access the raw speckle patterns. In order to maintain

security while avoiding a post-processing step, different PUF

architectures or materials need to be used. If alignment of the

optical tokens is not an issue, the non-integrated optical PUFs

described in [1], [22] were shown to be resilient to machine

learning attacks by Support Vector Machines with linear

kernels in [23]. However, the total number of CRPs in non-

integrated optical PUFs only scales polynomially with the PUF

size and alignment precision, which permits polynomial time

read-out attacks, though such attacks may not be practically

feasible due to limited read-out speed when aligning the PUF

scattering tokens [1].

One possible approach that retains the integrated design is

to dope the scatterers in linear optical systems with “quantum

dot” materials such as those described in [29]. These are

nanoparticles of semiconductor material that exhibit strong

nonlinear properties at low light intensities. Nonlinear optical

systems are harder to model than linear systems since Eq. 4,

the nonlinear wave equation governing the behavior of these

systems, requires higher degree polynomials to approximate,

making the task of learning the system much more difficult. In

addition, increasing the power of the laser will also increase

the strength of the nonlinear effects and make the higher-order

nonlinear terms more relevant, again increasing the required

degree of a polynomial approximation. Furthermore, if the

nonlinear optical effects are comparable in size to the linear

ones, the perturbative technique used in Section III-C is no

longer applicable, meaning the PUF may be much harder to

learn.

Another option is to use nonlinear materials that are not

centrosymmetric such that their scattering properties are de-

pendent on the polarization of the light passing through them

[28], [29]. Because the dielectric constants of such materials

are dependent on orientation, one must treat the electric field

within the material as the laser propagates as a full vector

field instead of a scalar field. Furthermore, when using nonlinear

non-centrosymmetric media, the perturbative technique in

Section III-C gives an expression for the nonlinear term which

contains a square root of a polynomial, meaning it cannot be

reduced to a high degree linear system in the monomial terms

like it could with isotropic materials.

In an ideal PUF design, one would embed a general

case of an appropriately parameterized cryptographically hard

problem within the PUF’s behavior. This approach is partially

used in the Lattice PUF [39]; however all of the arithmetic

required to implement such a cryptographic protocol should

ideally be performed physically within the PUF structure itself,

rather than just using the PUF to store a secret key. If a PUF

framework is designed with this methodology, in order for an

adversary to learn an instance of the PUF, they need to solve

a general case of the cryptographic hard problem. Thus, either

the adversary’s learning attack cannot run in polynomial time

(as that would provide a general polynomial time solution to

the cryptographic problem) or the hardness assumptions for

that problem cannot hold. In order to embed LWE or CLWE in

an optical PUF, one would need to perform modular arithmetic

operations directly within the optical system, which requires

further research. Modular reduction could also be achieved in a

post-processing step; however any post-processing step opens

up opportunities for side-channel attacks if an adversary can

avoid it.

V. ACKNOWLEDGEMENTS

This research was supported by the Information Science

and Technology Institute, the Nuclear Weapons Cyber As-

surance Laboratory (NWCAL), and the Laboratory Directed

Research and Development program of Los Alamos National

Laboratory (LANL) under project numbers 20210529CR-

IST and 20220800DI. LANL is operated by Triad National

Security, LLC, for the National Nuclear Security Admin-

istration of the U.S. Department of Energy (Contract No.

89233218CNA000001). Approved for unlimited public re-

lease: LA-UR-23-29328.

REFERENCES

[1] P. S. Ravikanth, Physical One-Way Functions. PhD thesis, Massachusetts Institute of Technology, 2001.

[2] B. Gassend, D. Clarke, M. van Dijk, and S. Devadas, “Controlled physical random functions,” in 18th Annual Computer Security Applications Conference, 2002. Proceedings., pp. 149–160, 2002.

[3] G. E. Suh and S. Devadas, “Physical unclonable functions for device authentication and secret key generation,” in Proceedings of the 44th annual design automation conference, pp. 9–14, 2007.

[4] T. McGrath, I. E. Bagci, Z. M. Wang, U. Roedig, and R. J. Young, “A PUF taxonomy,” Applied Physics Reviews, vol. 6, no. 1, p. 011303, 2019.

[5] B. Gassend, D. Clarke, M. Van Dijk, and S. Devadas, “Silicon physical random functions,” in Proceedings of the 9th ACM Conference on Computer and Communications Security, pp. 148–160, 2002.

[6] J. Lee, D. Lim, B. Gassend, G. Suh, M. van Dijk, and S. Devadas, “A technique to build a secret key in integrated circuits for identification and authentication applications,” in 2004 Symposium on VLSI Circuits. Digest of Technical Papers (IEEE Cat. No.04CH37525), pp. 176–179, 2004.

[7] L. Bossuet, X. T. Ngo, Z. Cherif, and V. Fischer, “A PUF based on a transient effect ring oscillator and insensitive to locking phenomenon,” IEEE Transactions on Emerging Topics in Computing, vol. 2, no. 1, pp. 30–36, 2014.

[8] J. Guajardo, S. S. Kumar, G.-J. Schrijen, and P. Tuyls, “FPGA intrinsic PUFs and their use for IP protection,” in Cryptographic Hardware and Embedded Systems - CHES 2007 (P. Paillier and I. Verbauwhede, eds.), (Berlin, Heidelberg), pp. 63–80, Springer Berlin Heidelberg, 2007.

[9] D. E. Holcomb, W. P. Burleson, and K. Fu, “Power-up SRAM state as an identifying fingerprint and source of true random numbers,” IEEE Transactions on Computers, vol. 58, no. 9, pp. 1198–1210, 2008.

[10] R. Maes, P. Tuyls, and I. Verbauwhede, “Intrinsic PUFs from flip-flops on reconfigurable devices,” in 3rd Benelux workshop on information and system security (WISSec 2008), vol. 17, p. 2008, Citeseer, 2008.

[11] D. Lim, J. Lee, B. Gassend, G. Suh, M. van Dijk, and S. Devadas, “Extracting secret keys from integrated circuits,” IEEE Transactions on Very Large Scale Integration (VLSI) Systems, vol. 13, no. 10, pp. 1200–1205, 2005.

[12] U. Rührmair, F. Sehnke, J. Sölter, G. Dror, S. Devadas, and J. Schmidhuber, “Modeling attacks on physical unclonable functions,” in Proceedings of the 17th ACM conference on Computer and communications security, pp. 237–249, 2010.

[13] S. Tajik, H. Lohrke, F. Ganji, J.-P. Seifert, and C. Boit, “Laser fault attack on physically unclonable functions,” in 2015 Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC), pp. 85–96, 2015.

[14] F. Ganji, J. Krämer, J.-P. Seifert, and S. Tajik, “Lattice basis reduction attack against physically unclonable functions,” in Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, pp. 1070–1080, 2015.

[15] F. Ganji, S. Tajik, and J.-P. Seifert, “Why attackers win: on the learnability of XOR arbiter PUFs,” in Trust and Trustworthy Computing: 8th International Conference, TRUST 2015, Heraklion, Greece, August 24-26, 2015, Proceedings 8, pp. 22–39, Springer, 2015.

[16] F. Ganji, S. Tajik, F. Fäßler, and J.-P. Seifert, “Strong machine learning attack against PUFs with no mathematical model,” in Cryptographic Hardware and Embedded Systems–CHES 2016: 18th International Conference, Santa Barbara, CA, USA, August 17-19, 2016, Proceedings 18, pp. 391–411, Springer, 2016.

[17] F. Ganji, S. Tajik, and J.-P. Seifert, “PAC learning of arbiter PUFs,” Journal of Cryptographic Engineering, vol. 6, pp. 249–258, 2016.

[18] F. Ganji, S. Tajik, F. Fäßler, and J.-P. Seifert, “Having no mathematical model may not secure PUFs,” Journal of Cryptographic Engineering, vol. 7, pp. 113–128, 2017.

[19] F. Ganji, On the learnability of physically unclonable functions. Springer, 2018.

[20] D. Chatterjee, D. Mukhopadhyay, and A. Hazra, “Interpose PUF can be PAC learned.” Cryptology ePrint Archive, Paper 2020/471, 2020. https://eprint.iacr.org/2020/471.

[21] C. Helfmeier, C. Boit, D. Nedospasov, and J.-P. Seifert, “Cloning physically unclonable functions,” in 2013 IEEE International Symposium on Hardware-Oriented Security and Trust (HOST), pp. 1–6, 2013.

[22] R. Pappu, B. Recht, J. Taylor, and N. Gershenfeld, “Physical one-way functions,” Science, vol. 297, no. 5589, pp. 2026–2030, 2002.

[23] U. Rührmair, C. Hilgers, S. Urban, A. Weiershäuser, E. Dinter, B. Forster, and C. Jirauschek, “Optical PUFs reloaded,” Cryptology ePrint Archive, 2013.

[24] S. E. Skipetrov and R. Maynard, “Instabilities of waves in nonlinear disordered media,” Phys. Rev. Lett., vol. 85, pp. 736–739, Jul 2000.

[25] J. Bootle, C. Delaplace, T. Espitau, P.-A. Fouque, and M. Tibouchi, “LWE without modular reduction and improved side-channel attacks against BLISS,” in Advances in Cryptology – ASIACRYPT 2018 (T. Peyrin and S. Galbraith, eds.), (Cham), pp. 494–524, Springer International Publishing, 2018.

[26] G. M. Nikolopoulos, “Effects of Kerr nonlinearity in physical unclonable functions,” Applied Sciences, vol. 12, no. 23, p. 11985, 2022.

[27] S. Boucheron, G. Lugosi, and P. Massart, Concentration Inequalities: A Nonasymptotic Theory of Independence. Oxford University Press, 02 2013.

[28] G. New, Introduction to Nonlinear Optics. Cambridge University Press, 2011.

[29] D. F. Eaton, “Nonlinear optical materials,” Science, vol. 253, no. 5017, pp. 281–287, 1991.

[30] O. Regev, “On lattices, learning with errors, random linear codes, and cryptography,” in Proceedings of the Thirty-Seventh Annual ACM Symposium on Theory of Computing, STOC ’05, (New York, NY, USA), p. 84–93, Association for Computing Machinery, 2005.

[31] V. Lyubashevsky, C. Peikert, and O. Regev, “On ideal lattices and learning with errors over rings,” J. ACM, vol. 60, nov 2013.

[32] A. Bogdanov, M. C. Noval, C. Hoffmann, and A. Rosen, “Public-key encryption from continuous LWE.,” IACR Cryptol. ePrint Arch., vol. 2022, p. 93, 2022.

[33] J. Bruna, O. Regev, M. J. Song, and Y. Tang, “Continuous LWE,” in Proceedings of the 53rd Annual ACM SIGACT Symposium on Theory of Computing, STOC 2021, (New York, NY, USA), p. 694–707, Association for Computing Machinery, 2021.

[34] A. Gupte, N. Vafa, and V. Vaikuntanathan, “Continuous LWE is as hard as LWE & applications to learning Gaussian mixtures,” arXiv preprint arXiv:2204.02550, 2022.

[35] L. G. Valiant, “A theory of the learnable,” Communications of the ACM, vol. 27, no. 11, pp. 1134–1142, 1984.

[36] M. Mohri, A. Rostamizadeh, and A. Talwalkar, Foundations of machine learning. MIT press, 2018.

[37] J. A. Tropp, “User-friendly tail bounds for sums of random matrices,” Foundations of Computational Mathematics, vol. 12, pp. 389–434, aug 2011.

[38] M. Holmes, A. Gray, and C. Isbell, “Fast SVD for large-scale matrices,” in Workshop on Efficient Machine Learning at NIPS, vol. 58, pp. 249–252, 2007.

[39] Y. Wang, X. Xi, and M. Orshansky, “Lattice PUF: A strong physical unclonable function provably secure against machine learning attacks,” 2019.

Apollo Albright Apollo Albright is completing his undergraduate studies at

Reed College in Portland, Oregon, USA, where he is majoring in mathematics

and physics. He is also an undergraduate research associate with the Analytics,

Intelligence, and Technology Division of Los Alamos National Laboratory.

His research interests include classical and post-quantum cryptography, com-

binatorics, graph theory, and quantum and many-body physics.

Boris Gelfand Dr. Gelfand is a security researcher and systems engineer at

Los Alamos National Labs and has many years’ experience working as a

contractor with DoD, DOE, and the IC. Notably he was the chief designer

and architect of the National Cyber Range and has been the PI of advanced

research programs including many from DARPA. He holds a PhD in computer

science, as well as degrees in mathematics and physics. Prior to coming to

Los Alamos, he worked for Lockheed Martin in the Advance Technologies

Laboratory.

Michael Dixon Michael J. Dixon is a senior cyber security research scientist

and principal investigator in LANL’s Advanced Research in Cyber Systems

group and Nuclear Weapons Cyber Assurance Laboratory specializing in

applied cryptography, secure machine learning and artificial intelligence, anti-tamper

technologies, and provable security using formal methods. Michael

holds a Bachelor of Science and Engineering in Computer Science from

the University of Michigan, College of Engineering, and attended MIT for

graduate studies as an Advanced Study Program Fellow researching post-

quantum and lattice-based cryptography.