PUF-FSM: A Controlled Strong PUF by Gao, Yansong & Ranasinghe, Damith C.
XXXX 1
PUF-FSM: A Controlled Strong PUF
Yansong Gao and Damith C. Ranasinghe
Abstract—Physical unclonable functions (PUF), as hardware
security primitives, exploit manufacturing randomness to extract
instance-specific challenge (input) response (output) pairs (CRPs).
Since its emergence, the community started pursuing a strong
PUF primitive that is with large CRP space and resilient to
modeling building attacks. A practical realization of a strong
PUF is still challenging to date. This paper presents the PUF
finite state machine (PUF-FSM) that is served as a practical
controlled strong PUF. Previous controlled PUF designs have the
difficulties of stabilizing the noisy PUF responses where the error
correction logic is required. In addition, the computed helper
data to assist error correcting, however, leaks information, which
poses the controlled PUF under the threatens of fault attacks
or reliability-based attacks. The PUF-FSM eschews the error
correction logic and the computation, storage and loading of
the helper data on-chip by only employing error-free responses
judiciously determined on demand in the absence of an Arbiter
PUF with a large CRP space. In addition, the access to the
PUF-FSM is controlled by the trusted entity. Control in means
of i) restricting challenges presented to the PUF and ii) further
preventing repeated response evaluations to gain unreliability
side-channel information are foundations of defensing the most
powerful modeling attacks. The PUF-FSM goes beyond authen-
tications/identifications to such as key generations and advanced
cryptographic applications built upon a shared key.
Index Terms—Physical uncloanble function, APUF, error-free
responses, statistical model, modeling attacks, fault attacks.
I. INTRODUCTION
Physical unclonable function (PUF), as a hardware security
primitive, exploits manufacturing variations to extract secrets
on demand [1], [2]. PUFs are increasingly adopted to provide
security for pervasive and ubiquitous distributed resource-
constraint smart Internet of Thing (IoT) devices as an alter-
native to storing a digital secret in the non-volatile memory
(NVM). In fact, digital keys in the NVM is vulnerable to
various attacks, especially, when there is no dedicated room in
cost sensitive IoT devices to implement expensive protection
mechanisms. By using a PUF, there is no digital secret—
must be securely stored—involved, the hardware itself is the
secret key that is originated from true randomness, therefore,
the secret cannot be duplicated and holds higher resistance to
attacks, especially invasive attacks [3].
Since the first silicon PUF, Arbiter PUF (APUF), being
coined in 2002 [4], the PUF community has never stopped
pursuing on the so-called strong PUFs that not only have a
large challenge response pair (CRP) space but also resilient
to modeling attacks. Applications of the strong PUF range
from elementary identifications and authentications to key
generations and more advanced cryptographic protocols such
as key exchange and oblivious transfer [5]. Though there does
Y. Gao and D. C Ranasinghe are with the Auto-ID Labs, School of
Computer Science, The University of Adelaide, SA 5005, Australia. e-mail:
{yansong.gao, damith.ranasinghe}@adelaide.edu.au.
exist strong PUFs such as the Optical PUF [6] and the SHIC
PUF [7], a practical and lightweight strong PUF realization
seamlessly compatible with current CMOS technology turns
out to be challenging [8] in front of modeling attacks such as
logistic regression (LR) and recently revealed more powerful
Covariance Matrix Adaptation Evolution Strategy (CMA-ES)
attacks, which have broken previously deemed practical strong
PUFs including XOR-APUF, Feedforward APUF, Lightweight
Secure PUF [9], [10], [11] and even Slender PUF [12], [13].
Yu et al. [14] recently presented a practical strong PUF
through upper-bounding the available number of CRPs by
an adversary. In this work, gaining new CRPs materials has
to be implicitly authorized by the trusted entity, the concept
of limiting access to CRPs is alike to controlled PUFs [3],
detailed in Section II-B. Yu et al. [14] further introduce a PUF
device side nonce to prevent fault attacks or noise side-channel
information based attacks [12], [13].
We continue the efforts into pursuing a practical and
lightweight strong PUF coined as the PUF-FSM. For au-
thentication, the PUF-FSM gets around one major limitation
of [14] in terms of available secure authentication times
(rounds). Beyond authentication, it enables key generation,
key exchange and more advanced cryptographic applications
with no reliance on on-chip ECC and the associated helper
data. Eventually, the PUF-FSM is a practical controlled PUF
realization. Contributions of our work are fourfold:
• We present a practical and lightweight strong PUF re-
alization termed as PUF-FSM, also a controlled strong
PUF, enabling a wide spread of applications.
• We, for the first time, eschew the ECC and helper data to
build a controlled PUF. We only employ large number of
available error-free responses in absence of the APUFs.
• We post-process the responses to prevent traditional ma-
chine learning attacks such as LR that usually requires
direct relationship between challenge and response.
• We prevent noise side-channel information based attacks
(fault attacks) such as the CMA-ES attacks by using
device side nonce inherited from [14] to disable observing
repeated evaluated responses or outputs when the same
challenge is maliciously applied.
Section II introduces related work, especially, judiciously se-
lection of error-free responses from a statistical APUF model.
Section III details the PUF-FSM design and analyzes its
security; Wide spread of applications of the PUF-FSM are
presented in Section IV; Section V concludes this paper.
II. RELATED WORK
A. APUF Model for Error-Free Response Generation
1) Modeling APUF: The APUF consists of k stages of
two 2-input multiplexers as shown in Fig. 1, or any other
ar
X
iv
:1
70
1.
04
13
7v
2 
 [c
s.C
R]
  2
5 J
an
 20
17
XXXX 2
Fig. 1. An arbiter PUF (APUF) circuit.
units forming two signal paths. To generate a response bit,
a signal is applied to the first stage input, while the challenge
C determines the signal path to the next stage. The input
signal will race through each multiplexer path (top and bottom
paths) in parallel with each other. At the end of the APUF
architecture, an arbiter, e.g., a latch, determines whether the
top or bottom signal arrives first and hence results in a logic
‘0’ or ‘1’ accordingly.
It has been shown that an APUF can be modelled via a
linear additive model because a response bit is generated by
comparing the summation of each time delay segment in each
stage (two 2-input multiplexers) depending on the challenge
C, where C is made up of (c1||c2||...||ck) [9], [15], [10]. The
notations in this section following [9], [10]. The final delay
difference tdif between these two paths is expressed as:
tdif = ω
TΦ, (1)
where ω and Φ are the delay determined vector and the
parity vector, respectively, of dimension k+1 as a function of
C. We denote σ1/0i as the delay in stage i for the crossed (ci =
1) and uncrossed (ci = 0) signal path through the multiplexers,
respectively. Hence σ1i is the delay of stage i when ci = 1,
while σ0i is the delay of stage i when ci = 0. Then
ω = (ω1, ω2 ... ωk, ωk+1)T , (2)
where ω1 = σ
0
1−σ11
2 , ω
i =
σ0i−1+σ
1
i−1+σ
0
i−σ1i
2 for all i = 2, ..., k
and ωk+1 = σ
0
k+σ
1
k
2 , also
Φ(C) = (Φ1(C), ...,Φk(C),1)T, (3)
where Φj(C) = Πki=j (1− 2ci) for j = 1, ..., k.
2) Reliable Response Determination: Suppose the ω is
known, given a challenge C, the Φ(C) is determined. Then
the tdif is calculated. Noting that tdif eventually comprises
two important useful information: i) sgn(tdif ) determines the
binary response; ii) the reliability of this response. If the tdif is
far alway from zero, then this gives such a challenge with full
confidence to reproduce the response without any erroneous.
In practice, physically measuring the tdif is hard, if not
possible. Xu et al. [16] recently exploit machine learning
techniques, specifically Support Vector Machine (SVM), to
learn the ω using a small collection of CRPs. Once an accurate
ω is learned through the SVM, the tdif is able to be accurately
predicted given an unseen C. Then the corresponding response
and its associated reliability is judiciously determined. If a
challenge results in a tdif that is far way from zero, then its cor-
responding response is error-free. Xu et al. [16] demonstrate
PUF
control logic
ECC
helper data
challenge response
Fig. 2. Generalized controlled PUF construction.
that almost 80% randomly given challenges guarantee error-
free responses across a wide range of operating conditions
(temperature, voltage) as well as considering aging effects.
However, exploiting those error-free responses, especially,
in a secure manner was not considered. We take the first step
towards to securely exploiting those error-free responses to
construct a strong PUF
B. Controlled PUF
The controlled PUF [17], [3] proposed by Gassend et al. is
a strong PUF construction. A controlled PUF is a PUF that is
combined with a control logic limiting the ways in which the
PUF can be evaluated. In general, without permission from a
trusted entity, the controlled PUF is locked, no response will
be meaningfully evaluated. When a user is authorized a CRP,
more CRPs can be extracted. This is alike key management,
where more session keys can be derived from a master key. In
practice, the controlled PUF is built as a means that the PUF
and its control logic play complementary roles. As illustrated
in Fig. 2, the PUF prevents invasive attacks on the control
logic, at the same time, the control logic protects the PUF
from protocol level attacks. For example, the APUF delay
wires wrap the control logic. If invasive attacks attempt to
probing the control logic, it is more likely that the PUF secret
will be altered and damaged. The control logic halts adaptively
evaluations on PUFs with no permission from the trusted
entity.
The responses in the controlled PUF have to be post-
processed, e.g., hashed. Previous works [17], [3] usually held
an assumption that the error correction code (ECC) logic
and the associated helper data are default parts of a PUF.
In practice, the ECC logic and storing of helper data are
always expensive, especially for most low-end IoT devices.
In addition, availability of the helper data is a non-trivial task
in practice, especially when the key renewal is occurred. In
this context, the user randomly picks up a seed challenge
and queries the output—e.g., hashed responses—from the con-
trolled PUF. Fully characterization of all possible CRP given
a PUF that has exponential number of CRPs, in particular
the popular employed APUF, and sequentially computing all
possible helper data is infeasible. The helper data given the
user randomly chosen challenges cannot be always guaranteed.
Most importantly, usage of helper data poses the controlled
PUF under potential threaten from modeling attacks exploiting
noise side-channel information leakage [18], [19], [13].
The PUF-FSM is the first practical controlled PUF without
using ECC along with the associated helper data and with an
XXXX 3
PUF FSM
hash
S OE
C
key
R
RNG nonce
control logic
Fig. 3. General structure of the PUF-FSM. Only the correct sequential
challenges produced R can unlock the SOE. If the enable signal SOE
is disabled, the hash output is meaningless by presenting random values.
Otherwise, the key is generated based on part of the response R, Rsecret,
and the nonce, where key=HASH(Rsecret, nonce).
explicit countermeasure to reliability-based fault attacks.
C. Finite State Machine (FSM)
Finite state machine (FSM) is a popular sequential logic. In
a FSM, the next state depends on both the input (transaction
edge) and the current state. The FSM has been employed
for IC active metering [20], [21], [22]. In this context, the
FSM combines with a unique chip identifier, usually a weak
PUF, where PUF responses act as transaction edges to unlock
a function such as an Intellectual Property (IP). The PUF
response given a challenge, here, act as a secret key. Previous
works [20], [21], [22] extract a constant secret or a key from
the noisy PUF responses. Please note that requirements on the
on-chip ECC and helper data are still existed.
Our work employs the FSM as a control logic to realize
the said controlled PUF. We release large number of challenge
secret pairs. Neither ECC nor the helper data is necessary. Be-
yond IC active metering, our work enables authentication, key
generation, key exchange and more advanced cryptographic
protocols where a shared secret is required.
III. PUF-FSM: DESIGN AND SECURITY ANALYSIS
A. PUF-FSM Structure
The PUF-FSM structure is generalized in Fig. 3. It consists
of a PUF, a FSM, a hash and a random number generator
(RNG) block. Similar to priori work [14], the direct PUF
responses can only be evaluated by the trusted entity in a
secure environment to build APUF statistical model(s), and
the direct access is destroyed afterwards, e.g., through fusing
the wire.
During deployment, a set of n sequential challenges, Cset, is
issued by the trusted entity, e.g., the server, the corresponding
error-free responses R with length n is produced. The R is
sequentially fed into the FSM controlling the transitions of the
FSM states. Note that before the operation, the FSM resets to
S0. Only a series of correct TR—sub-response enabling the
state traverse from the current state to the next state—is able
to guarantee the FSM transitioning into the SOE that is an acti-
vation to unlock the key output. In this context, only the server
who owns the statistical APUF model is capable of issuing a
correct challenge set, Cset to unlock the SOB to generate a
meaningful output as a key. The key is HASH(Rsecret, nonce),
the Rsecret is partial of R and formation of Rsecret will be
S0
S11
S12
S13
1 2TR1 2
0001
0110
1001
1100
1001
0111
level
=3
depth
TR TR TR
S2
S31
S32
S33
3 4TR3 4
1010
1000
0011
1011
1001
0100
TR TR TR
S4
S51
S52
S53
5 6TR5 6
1110
0101
0000
1101
0001
1100
TR TR TR
SOED
=3L
Fig. 4. FSM example with five levels (L = 5) and three depths (D = 3).
When the transition edge TRld, eg., 1100, is fed, current state S(l−1)d, eg.,
S12, transitions into Sld, eg., S22. The applied TRld remains the FSM at its
current state, marked by the returning arrow.
3
0111 0110 1001 0011 1100 0000 1111 1010 1001 1100 0000 1100 0111 0011
S12S0 S12S12 S2S2 S31S2 SOE
n bits R
TR1 1TR TR2 TR2 TR2 TR 3TR 3TR 4TR 5TR 5TR 6TR
S4 S4 S53
Rsecret
key= Rsecret , nonce)(hash
Fig. 5. Part of n-bit R, Rsecret is hashed to generate the key. All rest bits
after reaching the enable signal SOE are not contributing to the key. Note
that the FSM example in Fig. 4 is used for state traverse illustration that is
marked by the dotted red line.
described and clear soon. Whenever the SOE is disabled, the
output presents random values.
An exemplary FSM construction is depicted in Fig. 4. At
the beginning of the PUF-FSM operation, the FSM resets to
its initial state S0. Let’s assume that the TR1 is 0110, then
S0
0110−−−→ S12. Similarly if the TR1 is 0001, then S0 0001−−−→ S11.
If TR1 is from none of {0001, 0110, 1001}, or in other words
the TR1 is fed, then S0
TR1−−→ S0. Note that when the TR is fed,
the FSM remains at its current state. In this case example, for
even states S0, S2, S4, the TRl having D transition edges that
can lead it to any of the following D states, rest TRl have only
one correct transition edge that leads it to the following state.
Though other FSM structures can be envisioned, the FSM
in our proposal has L—always an odd number—internal state
layers (levels); each odd internal layer has D parallel states. A
constant number, L+ 1, of TRl is a must to reach to the SOE.
Both the TRl and TRl are 4-bit in this case example, therefore,
the number of TRl, and the maximum number of TRl, nlmax,
in together is n4 , where we assume that the n is always a
multiplication of 4 for convenience. In practice, the SOE can
be activated in a way by applying L+1 TRl and nl TRl, noting
that nl ≤ nlmax. The meaningful key will be given only after
all n bits in R are fed into FSM—or n clock cycles past–
and the SOE is activated/reached. The key is a hash function
of part of the R that is the all sequentially fed L+ 1 TRl and
nl TRl. An example illustration of the key formation is shown
in Fig. 5—the state traverse path is illustrated in Fig. 4 in
the dotted red line. Once the SOE is reached, the rest TRl are
neglected—will not be hashed to generate the key. It is worth
to stress again that the rest response bits are still fed into the
FSM as redundant bits to hide the length of Rsecret.
XXXX 4
1) Device Nonce: The device nonce is exploited to pre-
vent observing repeatedly evaluated responses given the same
challenge [12], [13], [19]. The security rationale shall be
clear in Section III-B. Nonce is part of the key, where the
key=HASH(Rsecret, nonce). It is reminded that the key will
differ under each evaluation considering the freshed nonce
even the same Cset issued by the trusted entity is repeatedly
applied. The nonce is visible, the security relies on the Rsecret.
2) Design Highlights: (1) Only under a correct set of
sequential challenges, Cset, the final state SOE of the FSM
can be reached or activated; (2) the number of TRl, nl, before
reaching the SOE and the number of TRl, nlmax − nl, after
reaching the SOE are flexible configured that is controlled
and only known by the trusted entity; (3) a meaningful key is
presented only when the SOE is activated and all n error-free
response bits are fed into the FSM. If the SOE is disabled,
a random value is presented; (4) device nonce is employed
to prevent repeatedly responses’ observations given the same
maliciously applied challenge.
B. Security Analyses
1) Adversary Model: We consider the same assumption for
controlled PUFs [17], [3] that physical attacks on the control
logic is more likely to alter or even destroy the PUF itself.
The adversary can eavesdrop the communication channel and
arbitrarily apply challenges to the PUF-FSM input to observe
the PUF-FSM output. Furthermore, the nonce is visible. The
adversary attempts to obtain useful information to learn the
APUF model in the PUF block.
2) Brute-force Attacks: As for an adversary, the proba-
bility of discovering a meaningful key through guessing a
correct Cset without the assistance from the trusted entity is
expressed:
Probability = (
D
2nTR
)
L+1
2 × ( 1
2nTR
)
L+1
2 , (4)
where the nTR is the length of TRl. In the case example of
Fig. 4, the nTR is four. For each even layer, the probability
of guessing one correct transition edge is ( D2nTR ), while the
probability of guessing a correct transition edge for given an
old layer is ( 12nTR ).
The brute-force attack becomes computationally infeasible
as the FSM state layer L or the nTR increases. In addition,
even an adversary luckily guesses a correct Cset that unlocks
the SOE, (s)he is actually incapable of recognizing it. Output
from the PUF-FSM looks random to the adversary under
each evaluation without prior knowledge of a correct Cset
attributing to the refreshed nonce.
3) Modeling Attacks: The plausible attacks on strong PUFs
are modeling attacks. Numerous works [9], [10], [11], [12],
[13] have shown the vulnerability of the strong PUFs to
modeling attacks. Those deemed but later breakable strong
PUFs include XOR-APUF, Feedforward APUF, Lightweight
Secure PUF and even Slender PUF.
In PUF-FSM, arbitrarily CRP collection is disabled by
any party except the trusted entity during the secure en-
rollment phase. After the enrollment phase, the response is
never directly exposed unless hashing and its usage is further
controlled by the FSM. The control logic as shown in Fig. 3
first protects the underlying APUF(s) from modeling attacks
such as LR and SVM where knowledge of responses is
necessary [9], [10].
As to perform recent revealed modeling attacks exploit-
ing the helper data information [19], [13], in other words,
the unreliability information of a given CRP, knowledge of
which challenge is unreliable is a premise. Unlike traditional
modeling attacks, e.g, LR, reliability-based fault CMA-ES
attacks [13] do not require the knowledge of the response value
for a given challenge. Such a powerful CMA-ES attack even
threatens the security of a controlled PUF that employs the
helper data. In our PUF-FSM, there is no helper data involved.
Thus, exploitation of information leakage from the helper data
to perform reliability-based attacks is excluded.
Now without using the device nonce, we examine the means
of finding unreliable challenges by observing the PUF-FSM
output rather than gaining information from the helper data. By
applying arbitrarily challenges to the PUF-FSM and without
priori knowledge of a correct Cset, there is no information
that can be observed and used by the adversary to discover
the unreliable challenges. This lies on the fact that the output
of the PUF-FSM is random or meaningless, if the enable signal
SOE is locked/disabled. The complexity of unlocking the SOE
without the participation of the trusted entity is same to the
brute-force attacks given in (4).
We note that there still exists a potential way to determine
an unreliable challenge through exhaustive search under the
assumption that a priori Cset has been eavesdropped and now
the adversary is holding the physical PUF-FSM. The adversary
chooses an unused challenge Cx to replace one challenge
Ci in the eavesdropped Cset to observe the output of the
PUF-FSM. If Cx is an unreliable challenge and its response
contributes to the TR. Then under repeatedly evaluations, the
adversary can determine such an unreliable challenge when
the key and random output are iteratively exhibited. If Cx is
unreliable and its response contributes to the TRl. Then under
repeatedly evaluations, an unreliable challenge is determined
when two differing keys are iteratively exhibited. Through
continuous exhaustive searching, other unreliable challenges
can be determined as well to perform reliability-based attacks.
By employing the device nonce alike [14], no matter the
Cx is unreliable or not, due to the nonce being refreshed each
evaluation, observing the same key by repeatedly applying the
same challenge is infeasible. Thus, discovery of the unreliable
challenge is disabled. The reliability-based attack [12], [13]
is, as a result, prevented.
IV. APPLICATIONS
A. Mutual Authentication
The PUF-FSM achieves mutual rather than common uni-
directional authentication. Recall that only a trusted entity
has the capability of issuing a correct challenge sequence to
activate the SOE. As a consequence, only the PUF-FSM device
and the trusted entity know the Ssecret.
When the PUF-FSM is transfered to the user. The trusted
entity issues a Cset and sends them to the user may through
XXXX 5
insecure communication channels. The user presents the Cset
to the PUF-FSM and sends both the nonce and the PUF-
FSM output (key) back to the trusted entity. The trusted entity
computes a key, HASH(Rsecret, nonce), and compares it with
the key received. If they are same, the user holding the PUF-
FSM is authenticated. Once the user is authenticated, the
user applies the same Cset again to the PUF-FSM to obtain
a refreshed output (key). The user asks the refreshed key
computed by the trusted entity after sending out the nonce. The
trusted entity is authenticated by the user only if the received
computed key is same to the key produced by the PUF-FSM.
B. Key Exchange
Following the foregoing mutual authentication, we consider
the key exchange scenario between the user and the trusted
entity. The user applies the same Cset and sends the nonce
to the trusted entity. But there is no key (shared key) sending
between two parties. Now only the user who holds the PUF-
FSM and the trusted entity know the shared key. The user
obtains it from the PUF-FSM, while the server computes it by
hashing the Rsecret and the nonce.
C. Controlled PUF
Served as a controlled PUF, intermediate benefits of the
PUF-FSM are the exclusion of the on-chip ECC logic and the
usage of helper data, which finally release the constraints on
a practical realization of the controlled PUF. In addition, no
ECC and helper data eliminates potential security concerns
on previous controlled PUF designs from modeling attacks,
where the helper data leaks information [13], [18], [19].
1) Key Obtain: As an intentional design purpose, the
controlled PUF restricts the means in which a PUF can be
evaluated. Who holds the PUF-FSM is unable to evaluate it to
obtain a 〈Cset,Rsecret〉—〈, 〉 means a tuple—without permis-
sion from the trusted entity. To acquire a 〈Cset,Rsecret〉, first,
the mutual authentication is performed to establish trustiness
between the trusted entity and the user who needs to hold
the physical PUF-FSM. Then the trusted entity issues a fresh
set of challenges to the user who is now authorized with a
〈Cset,Rsecret〉.
2) Key Renewal: Once the user is authorized with a
〈C,Rsecret〉, (s)he is able to renew arbitrary keys from the
PUF-FSM. The Rsecret can be treated as a master secret,
where all other sub-keys, HASH(Rsecret, nonce), are available.
Given a known nonce, the user and the trusted entity can
retrieve sub-keys or sub-session keys without issuing a new
challenge set. A shared key between two parties indeed enable
a wide variety of standard cryptographic protocols to be
implemented [3].
V. CONCLUSION
We have presented a practical controlled strong PUF, PUF-
FSM, by (1) exploiting error-free responses in absence of
an APUF and (2) controlling the means of evaluating the
PUF by using a control logic. The PUF-FSM requires neither
on-chip ECC nor helper data that were usually must when
extracting a key. As a controlled PUF, it holds the promise of
a cost-effective way to increase resistance to various attacks,
especially invasive attacks, for IoT devices. Security analyses
demonstrate that the PUF-FSM is resilient to modeling attacks.
REFERENCES
[1] G. E. Suh and S. Devadas, “Physical unclonable functions for device
authentication and secret key generation,” in Proc. Design Automation
Conf. (DAC). ACM, 2007, pp. 9–14.
[2] C. Herder, M.-D. Yu, F. Koushanfar, and S. Devadas, “Physical unclon-
able functions and applications: A tutorial,” Proc. IEEE, vol. 102, pp.
1126–1141, 2014.
[3] B. Gassend, M. V. Dijk, D. Clarke, E. Torlak, S. Devadas, and P. Tuyls,
“Controlled physical random functions and applications,” ACM Trans-
actions on Information and System Security, vol. 10, no. 4, p. 3, 2008.
[4] B. Gassend, D. Clarke, M. Van Dijk, and S. Devadas, “Silicon phys-
ical random functions,” in Proc. Conf. Computer and communications
security. ACM, 2002, pp. 148–160.
[5] U. Ruhrmair and M. Van Dijk, “PUFs in security protocols: Attack
models and security evaluations,” in IEEE Symposium on Security and
Privacy (SP), 2013, pp. 286–300.
[6] R. Pappu, B. Recht, J. Taylor, and N. Gershenfeld, “Physical one-way
functions,” Science, vol. 297, no. 5589, pp. 2026–2030, 2002.
[7] U. Ruhrmair, C. Jaeger, M. Bator, M. Stutzmann, P. Lugli, and G. Csaba,
“Applications of high-capacity crossbar memories in cryptography,”
IEEE Trans. Nanotechnol., vol. 10, no. 3, pp. 489–498, 2011.
[8] A. Vijayakumar, V. C. Patil, C. B. Prado, and S. Kundu, “Machine
learning resistant strong puf: Possible or a pipe dream?” in Int. Symp.
Hardware Oriented Security and Trust (HOST). IEEE, 2016, pp. 19–24.
[9] U. Ruhrmair, J. Solter, F. Sehnke, X. Xu, A. Mahmoud, V. Stoyanova,
G. Dror, J. Schmidhuber, W. Burleson, and S. Devadas, “PUF modeling
attacks on simulated and silicon data,” IEEE Trans. Inf. Forensics
Security, vol. 8, no. 11, pp. 1876–1891, 2013.
[10] U. Ru¨hrmair, F. Sehnke, J. So¨lter, G. Dror, S. Devadas, and J. Schmid-
huber, “Modeling attacks on physical unclonable functions,” in CCS,
2010, pp. 237–249.
[11] M. Majzoobi, F. Koushanfar, and M. Potkonjak, “Testing tech-
niques for hardware security,” in Proc. Int. Test Conf. ITC, 2008,
DOI:10.1109/TEST.2008.4700636.
[12] G. T. Becker, “The gap between promise and reality: On the insecurity
of XOR Arbiter PUFs,” in Cryptographic Hardware and Embedded
Systems (CHES). Springer, 2015, pp. 535–555.
[13] G. T. Becker, “On the pitfalls of using Arbiter-PUFs as building blocks,”
IEEE Trans. Comput.-Aided Design Integr. Circuits Syst, vol. 34, no. 8,
pp. 1295–1307, 2015.
[14] M.-D. Yu, M. Hiller, J. Delvaux, R. Sowell, S. Devadas, and I. Ver-
bauwhede, “A lockdown technique to prevent machine learning on
PUFs for lightweight authentication,” IEEE Transactions on Multi-Scale
Computing Systems, 2016, DOI:10.1109/TMSCS.2016.2553027.
[15] D. Lim, “Extracting secret keys from integrated circuits,” Ph.D. disser-
tation, Massachusetts Institute of Technology, 2004.
[16] X. Xu, W. Burleson, and D. E. Holcomb, “Using statistical models
to improve the reliability of delay-based PUFs,” in Proc. Symp. VLSI.
IEEE, 2016, pp. 547–552.
[17] B. Gassend, D. Clarke, M. Van Dijk, and S. Devadas, “Controlled phys-
ical random functions,” in Proc. Annual Computer Security Applications
Conf. IEEE, 2002, pp. 149–160.
[18] G. T. Becker, R. Kumar et al., “Active and passive side-channel attacks
on delay based PUF designs.” IACR Cryptology ePrint Archive, vol.
2014, p. 287, 2014.
[19] J. Delvaux, D. Gu, D. Schellekens, and I. Verbauwhede, “Helper data
algorithms for PUF-based key generation: Overview and analysis,” IEEE
Trans. Comput.-Aided Design Integr. Circuits Syst., vol. 34, no. 6, pp.
889–902, 2015.
[20] F. Koushanfar and G. Qu, “Hardware metering,” in Proc. Design
Automation Conf. ACM, 2001, pp. 490–493.
[21] F. Koushanfar, “Provably secure active ic metering techniques for piracy
avoidance and digital rights management,” IEEE Trans. Inf. Forensics
Security, vol. 7, no. 1, pp. 51–63, 2012.
[22] J. Zhang, Y. Lin, Y. Lyu, and G. Qu, “A PUF-FSM binding scheme
for FPGA IP protection and pay-per-device licensing,” IEEE Trans. Inf.
Forensics Security, vol. 10, no. 6, pp. 1137–1150, 2015.
[23] M. Majzoobi, F. Koushanfar, and Potkonjak, “Lightweight secure PUFs,”
in Proc. IEEE/ACM Int. Conf. Computer-Aided Design, 2008, pp. 670–
673.
