A Study on the Security Evaluation and Improvement of Physically Unclonable Functions, by Dai Yamamoto
SECURITY EVALUATION AND IMPROVEMENT
OF PHYSICALLY UNCLONABLE FUNCTIONS
DAI YAMAMOTO
THE UNIVERSITY OF ELECTRO-COMMUNICATIONS
MARCH 2015

GRADUATE SCHOOL OF INFORMATICS AND
ENGINEERING
A DISSERTATION SUBMITTED FOR
DOCTOR OF PHILOSOPHY IN ENGINEERING

SUPERVISORY COMMITTEE:
CHAIRPERSON: PROFESSOR KAZUO SAKIYAMA
MEMBER: PROFESSOR HARUHISA ICHIKAWA
MEMBER: PROFESSOR KAZUO OHTA
MEMBER: PROFESSOR HIROSHI YOSHIURA
MEMBER: PROFESSOR KOICHIRO ISHIBASHI

COPYRIGHT BY DAI YAMAMOTO 2015
ALL RIGHTS ARE RESERVED


ABSTRACT
In this thesis, we focus on Physically Unclonable Functions (PUFs), which are expected to be one
of the most promising cryptographic primitives for secure chip authentication. Generally,
PUF-based authentication is achieved by two approaches: (A) using a PUF itself, which has multiple
challenge (input) and response (output) pairs, or (B) using a cryptographic function, the secret key
of which is generated from a PUF with a single challenge-response pair (CRP). Our contributions are:
(1) evaluating the security of Approach (A), and (2) improving the security of Approach (B).
(1) Arbiter-based PUFs were the most feasible type of PUFs, which were used to construct
Approach (A). However, Arbiter-based PUFs have a vulnerability; if an attacker knows some
CRPs, she/he can predict the remaining unknown CRPs with high probability. The Bistable Ring
PUF (BR-PUF) was proposed as an alternative, but has not been evaluated by third parties. In
this thesis, in order to construct Approach (A) securely, we evaluate the difficulty of predicting
responses of a BR-PUF experimentally. As a result, the same responses are frequently generated
for two challenges with small Hamming distance. Also, particular bits of challenges have a great
impact on the responses. In conclusion, BR-PUFs are not suitable for achieving Approach (A)
securely. In future work, we should discuss an alternative PUF suitable for secure Approach (A).
(2) In order to achieve Approach (B) securely, a secret key, generated from a PUF response,
should have high entropy. We propose a novel method of extracting high entropy from PUF
responses. The core idea is to effectively utilize the information on the proportion of ‘1’s included
in repeatedly-measured PUF responses. We evaluate its effectiveness using fabricated test chips. As
a result, the extracted entropy is about 1.72 times as large as that without the proposed method.
Finally, we organize the knowledge newly gained in this thesis, and discuss a new application of
PUF-based technologies.

Contents
Part I Introduction
Chapter 1 Introduction
1.1 Research Background
1.2 Motivation and Contributions of This Thesis
1.3 Towards Future Research Topic
1.4 Structure of This Thesis
Part II Physically Unclonable Functions
Chapter 2 Properties, Applications, Requirements and Implementations of PUFs
2.1 Properties of PUFs
2.2 Applications of PUFs
2.3 Security Requirements of PUFs
2.4 Implementations of PUFs
2.4.1 Delay-based PUFs
2.4.2 Memory-based PUFs
2.4.3 Bistable Ring PUF
Chapter 3 Variety Increase of PUF Responses and Its Evaluation on FPGAs
3.1 Motivation
3.2 Conventional Methods of Producing PUF Responses
3.3 Improved Methods of Producing PUF Responses
3.3.1 Concept: Use of the Location Information of Random Latches
3.3.2 Theoretical Estimation
3.4 Performance Evaluation on FPGAs
3.4.1 Variety and Shannon Entropy of PUF Responses
3.4.2 Evaluation of PUF Requirements
3.5 Conclusion
Part III Security Evaluation of PUFs
Chapter 4 Differential and Linear Analysis of Bistable Ring PUFs
4.1 Motivation
4.2 Analytical-based Evaluation Methods
4.2.1 Differential PUF Analysis
4.2.2 Linear PUF Analysis
4.3 Experimental Evaluation
4.3.1 Experimental Setup
4.3.2 Experimental Results - using Differential PUF Analysis
4.3.3 Experimental Results - using Linear PUF Analysis
4.4 Conclusion
Part IV Security Improvement of PUFs
Chapter 5 Variety Enhancement of PUF Responses and Its Evaluation on ASICs
5.1 Motivation
5.2 Proposed Extension Method
5.3 Performance Evaluation on ASICs
5.3.1 Experimental Environment
5.3.2 ASIC Implementation
5.3.3 Evaluation of Extension Method
5.3.4 Evaluation of PUF Requirements
5.4 Conclusion
Part V New Application of PUF-based Techniques
Chapter 6 Hardware Obfuscation using PUF-based Techniques
6.1 Motivation
6.2 Sense-amplifier-based PUFs
6.2.1 Sense Amplifier PUF
6.2.2 Hot-Carrier-Injection SA PUF
6.3 Proposed Methods
6.3.1 Physically Unclonable Circuit
6.3.2 Proposed Method (1)
6.3.3 Proposed Method (2)
6.3.4 Combination of HCI-SA PUCs with Split Fabrication
6.4 Case Study - Applying Proposed Methods to KASUMI
6.5 Discussion
6.6 Conclusion
Part VI Conclusion
Chapter 7 Concluding Remarks and Future Research Direction
References
Paper Reuse Permission
Acknowledgments
List of Publications Related and Referred to the Dissertation
List of All Publications
Author Biography
Acronyms
AES Advanced Encryption Standard
AFM Atomic Force Microscopy
ASIC Application Specific Integrated Circuit
BR-PUF Bistable Ring PUF
CLB Configurable Logic Block
CMOS Complementary Metal Oxide Semiconductor
CPLD Complex Programmable Logic Device
CRP Challenge-Response Pair
CTRL Control
DCM Digital Clock Manager
DEMUX Demultiplexor
DFA Differential Fault Analysis
ECC Error Correcting Code
EEPROM Electrically Erasable Programmable Read Only Memory
FF Flip-Flop
FIB Focused Ion Beam
FPGA Field-Programmable Gate Array
FSA Fault Sensitivity Analysis
HCI-SA Hot Carrier Injection Sense Amplifier
HD Hamming Distance
I/O Input/Output
IC Integrated Circuit
INV Inverter
IoT Internet of Things
IP Intellectual Property
LFSR Linear Feedback Shift Register
LPUF Latch-based Physically Unclonable Function
LR Logistic Regression
LSB Least Significant Bit
MUX Multiplexor
N/A Non-Available
NHD Normalized Hamming Distance
NVM Non-Volatile Memory
PC Personal Computer
PUC Physically Unclonable Circuit
PUF Physically Unclonable Function
RAM Random Access Memory
ROM Read Only Memory
RS Reset-Set
SA Sense Amplifier
SEM Scanning Electron Microscope
SRAM Static Random Access Memory
SVM Support Vector Machine
TFF Toggle Flip-Flop
Part I
Introduction

Chapter 1
Introduction
1.1 Research Background
Recently, the concept of the Internet of Things (IoT) [2], sometimes called the Internet of
Everything (IoE), has spread widely. Various IoT devices such as vehicles, home appliances,
medical devices and sensing devices are connected to the Internet. The large amount of information
collected by such IoT devices is expected to provide us with many new services and products in the
fields of industry, education, healthcare, transportation, agriculture and energy. For example,
location data from vehicles are useful for mitigating traffic congestion, and sensing data from
bridges or tunnels contribute to preventing their breakdown caused by aging degradation. The IoT
market is estimated to be worth 3.04 trillion dollars, and 30 billion things will be connected in
2020 [57].
In the concept of IoT, all such IoT devices should be genuine and work without malicious intent.
Unfortunately, counterfeit IoT devices can be manufactured. Some of them may be
controlled by attackers (e.g., work as spy devices), aiming to perform malicious behavior such as
spoofing, tampering and information disclosure. These counterfeits could be included in services
and products based on the concept of IoT, which causes serious security problems. For example,
counterfeit sensors may intentionally overlook the degradation of social infrastructure, which may
lead to its breakdown. The same applies not only to IoT devices but also to their components,
e.g., Integrated Circuit (IC) chips. We can imagine the accident risks if such counterfeit and
malicious components are embedded in IoT devices such as vehicles or medical devices.
[Figure 1.1: Concept of authentication system: R = f(C). Assumption: the authentication server
(verifier) and the IoT device (prover) secretly share the same function f. (1) The verifier
generates a random challenge C and sends it to the prover. (2) The prover generates response
R' = f(C) and sends it back to the verifier. (3) The verifier generates response R = f(C).
(4) The verifier checks whether R = R'; if R = R', authentication succeeds.]
Authentication of IoT Devices
Based on this background, it is quite important to authenticate IoT devices. In the following, we
discuss a common authentication system, in which an authentication server (verifier) authenticates
an IoT device (prover), as shown in Fig. 1.1. It is assumed that the verifier and prover are
connected with each other via a network, and that both of them have the same function f. In STEP 1,
the verifier generates a random number, i.e., challenge C, and sends it to the prover. In STEP
2, the prover calculates response R' by inputting the received C into f, which is expressed by
R' = f(C). Then, the prover sends R' back to the verifier. In STEP 3, the verifier also calculates
its own response R according to R = f(C). In STEP 4, if R is equal to R', the authentication
is successful since the verifier recognizes that the prover has the same function f. The root of
security is that only the verifier and prover secretly share the same function f, i.e., no third
party has the function f. If an attacker learns the specification of the function f in some
way, this authentication system will be broken since the attacker can calculate the correct R for
any C.
[Figure 1.2: Common structure of f: R = enc(C; sk), showing C, R, enc, sk and NVM inside f.
Physical attacks: accessible to the inside of f. Theoretical attacks: accessible from outside of f.]
How can we construct this function f? In order to prevent attackers from knowing its specification,
f is generally constructed by using a secret key sk and a cryptographic function enc, as shown in
Fig. 1.2. The challenge C, response R and secret key sk correspond to a plaintext, ciphertext and
key for enc, respectively, and their relation is expressed by R = enc(C; sk). The cryptographic
function enc should be based on a secure cryptographic algorithm such as the Advanced Encryption
Standard (AES) [51]. Generally, the specification of such a cryptographic algorithm is public. The
root of security is, therefore, that only the verifier and prover secretly share the same secret key
sk. The function f can be implemented as software or hardware on an IC chip inside IoT devices.
Threat against the secret key sk
We assume an attacker who wants to counterfeit the IC chip. The goal of the attacker is to reveal
the secret key sk, i.e., the functionality of the function f in the IC chip. The attacker has two
possible methods for achieving this purpose: theoretical attack or physical attack. In the
following, we focus on these two threats against sk.
Theoretical attack is defined, in this thesis, as predicting the secret key sk on the assumption
that an attacker knows some challenge-response pairs (CRPs) of f. In other words, the attacker
can access only CRPs from outside of f, and cannot access the inside of f. If an attacker can
predict correct responses for any challenges by reference to some known CRPs, this means that
this attacker can emulate the functionality of f. This prediction could be achieved by
cryptanalysis methods such as differential cryptanalysis [7] and linear cryptanalysis [45]. These
methods enable the attacker to reveal sk inside of f, according to some known CRPs. The attacker who
knows the correct sk can emulate the functionality of f. Therefore, enc is required to generate
unpredictable and non-biased responses even if some CRPs are known to the attacker. The
above-mentioned prediction is considered to be prevented by time constraints, if the following
two conditions are satisfied:
Requirement (i) A secure cryptographic algorithm (e.g., AES) is used for enc,
Requirement (ii) The entropy of sk is sufficiently high.
Physical attack is performed against an IC chip itself, on which the function f is actually
implemented. An attacker is assumed to be able to access the inside of f directly. In order to
reveal the functionality of f, the attacker needs to identify the value of the secret key sk.
Recently, various kinds of physical attacks have emerged and been developed to reveal the secret
keys stored in the IC chip. Figure 1.3 shows these physical attacks, which are first classified into
two categories: dynamic attack and static attack. In the dynamic and static attacks, the IC chip is
operated in the power-on and power-off state, respectively. First, we focus on dynamic attack, which
is classified into three categories: invasive attack, non-invasive attack and semi-invasive attack.
As mentioned later, fortunately, various countermeasures against these dynamic attacks have been
proposed.
[Figure 1.3: Various physical attacks to reveal secret keys. Dynamic attacks (power-on state):
invasive attacks (using FIB, microprobe); non-invasive attacks (side channel analysis using power
consumption, electromagnetic radiation, photonic emission); semi-invasive attacks (fault analysis
using laser beam, irregular voltage or temperature, fluctuated clock). Static attacks (power-off
state): reverse engineering (microscopy using an optical microscope, an electron microscope
(e.g., SEM), or scanning probe microscopy (e.g., AFM)).]
1. Invasive attack is based on an assumption that attackers can access the inside of IC chips
directly. For example, invasive attacks include drilling a hole in the IC chip with a Focused
Ion Beam (FIB) based on real-time images obtained from a Scanning Electron Microscope
(SEM), etc., and then using a microprobe to read signal pulses on targeted memory or
wire. Hence we need to use techniques to prevent such invasive attacks, e.g., active
shielding techniques [29]. An active shield is a mesh-shaped wire-based circuit covering an IC
chip. If the active shield detects some intrusion into the chip (e.g., cutting or modifying the
wire-based circuit), the IC chip will be forced to shut down and never powers on. However, the
shield rerouting attack was proposed as an attack method for this active shield [12]. This
attack enables attackers to make an unprotected field by shortening the active shield circuit.
Countermeasures against this attack have been proposed, such as a more geometrically
complicated active shield with randomized-topology wire [12], or a more logically complicated
shield using a block cipher [15]. Other techniques to prevent invasive attacks include not
only active shields, but also a passive shield, bus static or dynamic scrambling/encryption,
and mixing the layout of functional blocks (e.g., Random Access Memory (RAM), Read
Only Memory (ROM), register, and logic) [70].
2. Non-invasive attack is based on an assumption that attackers obtain some leakage
information related to the secret key sk from outside of IC chips. One of the typical non-invasive
attacks is side channel analysis such as power analysis [30], electromagnetic analysis [20]
or photonic emission analysis [59]. Side channel analysis enables attackers to identify
the secret key by using the leakage information of power consumption, electromagnetic
leakages or photonic emission. These various kinds of information are leaked from the
IC chips, and are easily obtained with a commercially-available oscilloscope. To prevent side
channel analysis, we have to implement the cryptographic function enc carefully by using masking
(randomization) techniques, while keeping the specification of enc. We can also
use hiding techniques of applying jamming noise or continuously changing the timing of
the information leakage. These techniques decrease the correlation between secret keys
and the leaked information.
3. Semi-invasive attack has characteristics of both invasive attacks and non-invasive attacks.
Some of the most typical attacks in this category include fault analysis such as Differential
Fault Analysis (DFA) [8] (the original concept was proposed in [10]) and Fault Sensitivity
Analysis (FSA) [36]. DFA and FSA enable attackers to predict secret keys by using faulty
ciphertexts and faulty behavior from IC chips, respectively. Attackers can obtain such
faulty information by applying external stimuli to IC chips. These external stimuli include
a laser beam to targeted memory or wire, irregular supply voltage, high/low environmental
temperature or fluctuated clock signals, etc. To prevent such fault attacks, IC chips should
detect external stimuli and prevent faulty data from being output, or the cryptographic function
enc should be implemented using the randomization techniques.
Next, we focus on static attack, in which reverse engineering is one of the most common
ways to reveal the secret key sk. Generally, sk is stored in various kinds of Non-Volatile Memory
(NVM) such as Mask ROM, Electrically Erasable Programmable Read Only Memory (EEPROM)
and flash memory (flash EEPROM). However, some researchers have reported that the data stored
in these non-volatile memories can be read by using appropriate microscopes, as
mentioned below.
Mask ROM is classified into two types according to its data retaining mechanism: one utilizes
the difference of physical structures, i.e., the existence of physical components such as
transistors or wires, and the other utilizes the difference of threshold voltages in a pair of
transistors, either of which is biased by ion implantation. In the former type of Mask ROM, the
stored data 0/1 correspond to the presence of the physical components. Therefore, the data can be
observed from its mask pattern, which is obtained through a process in which the IC chip is
mechanically or chemically polished and afterwards observed by an optical microscope (see Fig. 5
in [31]). In the latter, there is no visual difference between cells storing 0 and 1. However,
dopant-selective chemical staining techniques make the stored data clearly visible (see Fig. 6
in [31]).
A memory cell of EEPROM and Flash EEPROM stores bit information according to the presence
of a charge in its floating gate. The existence of this charge can also be observed by using Atomic
Force Microscopy (AFM) based techniques (see Fig. 9 in [50]).
From the above discussion, unfortunately, there was no fundamental solution against
microscopy-based reverse engineering of non-volatile memories storing sk.
Physically Unclonable Function
The Physically Unclonable Function (PUF) has been proposed as a novel technique to prevent such
reverse engineering [52]. A PUF implemented on an IC chip (known as a Silicon PUF) is a function
which has a single input (i.e., challenge C_p) and a single output (i.e., response R_p). The relation
between challenges and responses is determined based on physical properties of the IC chip, e.g.,
wire delay, gate delay and gate drive capability, etc. For example, even if we fabricate a pair of
wires with the same length or a pair of the same kind of logic elements, one of the pair is
slightly different from the other in terms of its physical properties. A PUF is a special circuit
that amplifies this difference of physical properties and can therefore generate a unique response,
i.e., 0 or 1. In addition, since the physical structure of PUFs, such as wire length or the kind of
logic element, is completely identical, the value of the response cannot be predicted from the mask
pattern obtained by an optical microscope (superior to Mask ROM). Furthermore, attackers cannot
accurately measure the physical properties of all components in a PUF through static analysis, i.e.,
reverse engineering. This is the reason why PUFs have tolerance to reverse engineering.
There are two approaches to constructing the function f using a PUF. In Approach (A), the
function f is constructed using a PUF itself, which is expressed by R = f_PUF(C), as shown in
Fig. 1.4 (A). The subscript PUF means that it is constructed by a PUF. In Approach (A), PUFs should
have a large number of CRPs. In Approach (B), the function f consists of sk and enc similar to
Fig. 1.2, while sk is generated from a PUF, as shown in Fig. 1.4 (B). The function f is expressed
by R = enc(C; sk_PUF), where sk_PUF means that sk is generated from a PUF (R_p). In Approach (B),
PUFs should have only a limited number of CRPs. In the following, outputs of f and a PUF are
defined as mere “response” (R) and “PUF response” (R_p), respectively.
[Figure 1.4: PUF-based structures of f. Approach (A): R = f_PUF(C), where f is the PUF itself,
C = C_p and R = R_p. Approach (B): R = enc(C; sk_PUF), where f consists of enc and sk_PUF, which
is generated from a PUF.]
1.2 Motivation and Contributions of This Thesis
In this thesis, we focus on the aforementioned two approaches: Approach (A) and (B). The main
contributions of this thesis consist of two parts. First, we evaluate the security of Approach (A)
and conclude that the use of one kind of PUF improves the tolerance of f to reverse engineering
but causes a new vulnerability to the theoretical attack; CRPs can be accurately predicted
by using some known CRPs, according to our experimental results using Field-Programmable
Gate Array (FPGA) chips. Second, we also discuss the security of Approach (B) and indicate
the problem that the difficulty of predicting CRPs decreases, and we propose a novel method of
improving the security of Approach (B). The outline is organized as follows.
Security Evaluation of Approach (A): First Contribution
In Approach (A), we assume that the function f is constructed only by a PUF, the number of
CRPs of which is exponential in the bit length of challenges (categorized as Strong PUF in [21]).
We discuss the tolerance of Approach (A) to the aforementioned physical and theoretical attacks.
The physical attacks, especially microscopy-based reverse engineering to reveal the secret key in
f, are impossible since f is constructed based on a Strong PUF itself. Therefore, if we realize an
instance of Strong PUF that is secure against theoretical attacks, we can construct Approach (A)
securely. The Arbiter PUF [35] was considered to be the most promising candidate for a secure
Strong PUF. The theoretical attacks were believed to be difficult because Strong PUFs generate
multiple CRPs, the production rules of which are very complicated due to physical properties of the
IC chip.
However, Rührmair et al. [58] reported that the vulnerability to the theoretical attack was
present in Arbiter PUFs. In their attack scenario using machine learning algorithms, if an attacker
obtains thousands of CRPs from an Arbiter PUF, almost all of the remaining unknown CRPs of
the PUF are predictable with the high probability of 0.99. This means that an Arbiter PUF has
correlation between CRPs, which enables attackers to emulate the functionality of f, i.e.,
counterfeit the function f based on the Arbiter PUF.
Chen et al. proposed the Bistable Ring PUF (BR-PUF) as an alternative candidate for a secure
Strong PUF [13]. They claimed that the BR-PUF has strong resistance against response prediction
because of its complex structure and non-linear behavior. To verify this resistance, we
consider that the correlation among CRPs should be evaluated experimentally. This evaluation,
unfortunately, has not been performed by third-party researchers yet.
The first contribution of this thesis is that we perform the first third-party security evaluation
of BR-PUFs implemented on FPGAs. A machine-learning-based attack is the first option since
it is very effective for CRP prediction; however, it is not suitable as a method of identifying
the reason why CRPs can be predicted. Hence we evaluate BR-PUFs using two analytical methods:
the predictability tests based on Hamming distance (HD) and conditional probability, proposed
by Majzoobi et al. [44]. In this thesis, we extend these two analytical methods to differential
PUF analysis and linear PUF analysis, respectively. Both can be associated with well-known
cryptanalysis methods: differential cryptanalysis [7] and linear cryptanalysis [45], respectively.
The differential PUF (crypt) analysis focuses on how differences in the challenge (plaintext) lead
to differences in the response (ciphertext). The linear PUF (crypt) analysis is based on the idea
that the response (ciphertext) is linearly approximated by particular bits of the challenge
(plaintext). A truly secure PUF can generate non-biased responses under differential and linear
PUF analysis.
Through our experiments using FPGAs, we demonstrate that BR-PUFs have two types of
correlations between challenges and responses, which may make PUF responses easy to predict.
First, through differential PUF analysis, the same responses are frequently generated for two
challenges with small Hamming distance. A number of randomly-generated challenges and their
variants with a Hamming distance of one generate the same responses with the probability of 0.88,
much larger than 0.5 in secure Strong PUFs. Second, through linear PUF analysis, particular
bits of challenges in BR-PUFs have a great impact on the responses. The value of responses
becomes ‘1’ with the high probability of 0.71 (> 0.5) when just particular 5 bits of 64-bit random
challenges are forced to be zero or one. Our case study supports that BR-PUFs have undesirable
performance in the differential and linear evaluations; BR-PUFs have some biased CRPs, which
helps an attacker to predict the responses.
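The two statistics described above can be computed for any candidate design before it is deployed. The following is an added example, not code from the thesis: it measures the differential statistic (same response at Hamming distance 1) and the linear statistic (probability of ‘1’ with the five most influential challenge bits fixed) for a hash-based reference and for a constructed toy model. The toy model `make_toy_puf`, its weights and all function names are assumptions made for illustration; it is not a model of a BR-PUF.

```python
import hashlib
import random

N_BITS = 64  # challenge length, matching the 64-bit challenges discussed above


def ideal_puf(challenge: int) -> int:
    """Reference model: one hash bit per challenge, so CRPs carry no usable correlation."""
    return hashlib.sha256(challenge.to_bytes(N_BITS // 8, "big")).digest()[0] & 1


def make_toy_puf(seed: int, heavy_bits: int = 5):
    """Constructed toy model (not a BR-PUF model): the response is the sign of a
    weighted sum of challenge bits, and a few positions carry dominant weights."""
    rng = random.Random(seed)
    weights = [rng.uniform(-1.0, 1.0) for _ in range(N_BITS)]
    for i in rng.sample(range(N_BITS), heavy_bits):
        weights[i] = rng.choice((-6.0, 6.0))

    def puf(challenge: int) -> int:
        total = sum(w if (challenge >> i) & 1 else -w for i, w in enumerate(weights))
        return 1 if total > 0 else 0

    return puf


def same_response_rate(puf, hd: int, trials: int, rng: random.Random) -> float:
    """Differential analysis: P(R(C) == R(C')) for random C and C' with HD(C, C') = hd."""
    same = 0
    for _ in range(trials):
        c = rng.getrandbits(N_BITS)
        mask = 0
        for i in rng.sample(range(N_BITS), hd):
            mask |= 1 << i
        same += puf(c) == puf(c ^ mask)
    return same / trials


def most_influential_bits(puf, k: int, trials: int, rng: random.Random) -> dict:
    """Linear analysis, step 1: estimate P(R=1 | c_i=1) - P(R=1 | c_i=0) per bit from
    random CRPs; return the k strongest positions with the value that favours R=1."""
    n = [[0, 0] for _ in range(N_BITS)]    # n[i][v]: challenges seen with c_i = v
    hit = [[0, 0] for _ in range(N_BITS)]  # hit[i][v]: of those, responses equal to 1
    for _ in range(trials):
        c = rng.getrandbits(N_BITS)
        r = puf(c)
        for i in range(N_BITS):
            v = (c >> i) & 1
            n[i][v] += 1
            hit[i][v] += r

    def influence(i: int) -> float:
        return hit[i][1] / max(n[i][1], 1) - hit[i][0] / max(n[i][0], 1)

    ranked = sorted(range(N_BITS), key=lambda i: abs(influence(i)), reverse=True)[:k]
    return {i: int(influence(i) > 0) for i in ranked}


def forced_one_rate(puf, forced: dict, trials: int, rng: random.Random) -> float:
    """Linear analysis, step 2: P(R=1) when only the bits in `forced` are fixed."""
    set_mask = sum(1 << i for i, v in forced.items() if v)
    clear_mask = sum(1 << i for i, v in forced.items() if not v)
    ones = 0
    for _ in range(trials):
        c = (rng.getrandbits(N_BITS) | set_mask) & ~clear_mask
        ones += puf(c)
    return ones / trials


def evaluate(puf, seed: int = 1, trials: int = 4000) -> dict:
    """Run both analyses; values near 0.5 are what an unbiased design should show."""
    rng = random.Random(seed)
    forced = most_influential_bits(puf, 5, trials, rng)
    return {
        "same_hd1": same_response_rate(puf, 1, trials, rng),
        "forced_bits": forced,
        "p_one_forced": forced_one_rate(puf, forced, trials, rng),
    }


if __name__ == "__main__":
    for name, puf in (("ideal", ideal_puf), ("toy", make_toy_puf(seed=2015))):
        print(name, evaluate(puf))
```

Both statistics stay near 0.5 for the hash-based reference and move far from it for the toy model, which is the kind of deviation the thesis reports for BR-PUFs (0.88 and 0.71).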
In conclusion, BR-PUFs are not suitable as a candidate for secure Strong PUFs for the function
f. As mentioned before, Arbiter PUFs also have the vulnerability to the theoretical attack.
Therefore, there currently seems to be no secure instance of Strong PUFs with tolerance to
theoretical attacks. However, many other kinds of conventional PUFs are candidates for secure Strong
PUFs because they have not been sufficiently evaluated in terms of their tolerance to theoretical
attacks, as far as we know. In order to construct Approach (A) securely, we should continue to
pursue a secure instance of Strong PUFs in future work.
Security Improvement of Approach (B): Second Contribution
In Approach (B), the function f is constructed by a cryptographic function enc and its input
key sk, which is generated from PUF responses. In contrast to Approach (A), we need only a
limited number of PUF responses for the generation of sk. For example, 128 CRPs are enough to
generate a 128-bit sk. Furthermore, since PUF responses are not accessible from the outside of f, an
attacker cannot directly predict the PUF responses by the same attacks used in Approach (A),
i.e., predicting unknown CRPs of a PUF using some known CRPs. Therefore, the theoretical
attack against Approach (A) cannot be applied to Approach (B). For these reasons, we consider
that Arbiter PUFs and BR-PUFs can be securely used to generate secret keys in Approach (B).
However, we assume that the key sk is generated from an instance of Weak PUF defined in [21],
the number of CRPs of which is quite limited. In particular, we focus on the Latch-based PUF (LPUF)
as an instance of Weak PUF because the LPUF is suitable for an IC chip with limited hardware
resources due to its low cost per bit.
We discuss the tolerance of Approach (B) to the aforementioned physical and theoretical
attacks. The physical attacks, including microscopy-based reverse engineering, are quite difficult
since sk is constructed based on a PUF. The theoretical attacks, i.e., predicting CRPs of f, are
also difficult within an acceptable time period under the following two conditions: (i) enc is
constructed based on a secure cryptographic algorithm, and (ii) the entropy of sk is sufficiently
high. Now, we focus on the second condition. The sk is generated from PUF responses, the entropy of
which is higher if factory-manufactured PUFs can generate a larger number of patterns (i.e.,
variety) of PUF responses. For example, a full-entropy 256-bit PUF response makes it more difficult
for attackers to predict CRPs than a 128-bit PUF response.
However, there is a problem that the entropy of PUF responses could be reduced because some
response bits are inconsistent (random) for repeated measurements, which are regarded as
unnecessary for the generation of reliable secret keys. For example, LPUFs with N Reset-Set (RS)
latches generate ideally N-bit PUF responses, each bit of which corresponds to an output from
each RS latch. The entropy of PUF responses, however, becomes smaller than N bits, since some
RS latches producing random outputs (hereinafter called “random latches”) are unnecessary, and so
should be eliminated in order to generate PUF responses with high reliability. For example, if an
LPUF with 128 RS latches has 64 random latches, the maximum entropy of PUF responses
reduces from 128 bits to 64 bits. Hence the increase of random latches results in reducing the
entropy of PUF responses. In summary, the following two problems should be considered:
• Less than N bits of entropy are generated from LPUFs with N RS latches due to random
  latches. This low entropy of PUF responses may make it easy for attackers to predict sk,
  and CRPs of the function f.
• If we need a full-entropy 256-bit PUF response, we have to implement extra RS latches,
  more than 256 (i.e., spatial solution). However, this spatial solution is not suitable for IoT
  devices containing IC chips with limited hardware resources, since we need to make the
  area size of RS latches and peripheral circuits as small as possible.
The second contribution of this thesis is that we propose a novel method of extracting high
entropy from PUF responses by utilizing random latches in an LPUF, which commonly do not
contribute to the entropy of PUF responses. The core idea is to effectively utilize the information
on the proportion of ‘1’s in the random number sequence output from some random latches. For
example, first, an N-bit PUF response is generated from an LPUF with N RS latches. Next, we
obtain m samples of this N-bit PUF response by generating it m times. Here, we focus on
the m bits of each PUF response bit, especially those corresponding to each random latch. The number of
‘1’s in these m bits differs from one random latch to another. In this thesis, we utilize this proportion
information in order to enhance the entropy of PUF responses. This proportion information is
expected to be almost determined during the manufacturing process and, therefore, to be relatively stable
and reliable once PUFs are manufactured. In contrast to the above-mentioned spatial solution, our
proposed method can be regarded as a temporal solution since we try to extract multi-bit entropy
from an RS latch according to time-domain information, i.e., m samples of N-bit PUF response.
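The data flow described above, as an added Python illustration that is not the thesis's implementation: count the '1's each latch produces over m readings, then compare the conventional response (random latches eliminated) with a response that keeps a coarse proportion symbol per latch. The readings are constructed, and the four-level quantizer (`LEVELS`) and all function names are assumptions made for this illustration.

```python
import math

# Constructed sample data: m = 8 repeated readings of an LPUF with N = 6
# RS latches. Character i of each reading is the output of latch i.
READINGS = [
    "010110",
    "011100",
    "010100",
    "011110",
    "010100",
    "011100",
    "010100",
    "011000",
]

LEVELS = 4  # assumed number of proportion bins (illustration only)


def ones_per_latch(readings):
    """Return, for each latch, how many of the m readings were '1'."""
    n = len(readings[0])
    if any(len(r) != n for r in readings):
        raise ValueError("all readings must have the same bit length")
    return [sum(r[i] == "1" for r in readings) for i in range(n)]


def conventional_response(counts, m):
    """Conventional method: keep only latches whose output never changed.

    Returns (response_bits, kept_latch_indexes). Random latches, i.e. those
    with 0 < count < m, are eliminated and contribute nothing.
    """
    kept = [i for i, c in enumerate(counts) if c in (0, m)]
    bits = "".join("1" if counts[i] == m else "0" for i in kept)
    return bits, kept


def proportion_symbols(counts, m, levels=LEVELS):
    """Temporal view: map each latch's proportion of '1's to a bin index.

    With equal-width bins, stable-0 latches fall in bin 0 and stable-1
    latches in the top bin; random latches land in whichever bin their
    proportion selects, so they are kept instead of discarded.
    """
    symbols = []
    for c in counts:
        proportion = c / m
        symbols.append(min(int(proportion * levels), levels - 1))
    return symbols


def max_entropy_bits(num_symbols, alphabet_size):
    """Upper bound on entropy: every symbol uniform and independent."""
    return num_symbols * math.log2(alphabet_size)


if __name__ == "__main__":
    m = len(READINGS)
    counts = ones_per_latch(READINGS)
    bits, kept = conventional_response(counts, m)
    symbols = proportion_symbols(counts, m)
    print("ones per latch     :", counts)
    print("conventional bits  :", bits, "from latches", kept)
    print("proportion symbols :", symbols)
    print("max entropy, conventional:", max_entropy_bits(len(bits), 2))
    print("max entropy, temporal    :", max_entropy_bits(len(symbols), LEVELS))
```

The two entropy figures are upper bounds only; the usable entropy depends on how the proportions are distributed across manufactured chips and on choosing bins wide enough that a re-measured proportion falls into the same bin.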
We can implement our proposed method by a software approach because an IC chip commonly
consists not only of a co-processor with a PUF circuit, but also a microprocessor, a RAM, a
ROM, etc. This software approach does not need additional hardware resources, but needs a
slight increase in ROM code size. Here, we discuss the resistance of this software approach to
physical attacks, namely static and dynamic attacks. We assume that output data from RS latches are
stored in the RAM and processed by the microprocessor. This approach has a resistance against
static analysis (reverse engineering), because the information of PUF responses does not exist
in the RAM in the power-off state, so it cannot be read even by using microscopes. In contrast, in
the power-on state, an attacker could read the RAM data through some dynamic attacks. Therefore,
the IC chip should be protected by some techniques, e.g., active shield, randomization techniques
or sensors, as mentioned before.
We validate the proposed method using 73 Application Specific Integrated Circuit
(ASIC) chips, each of which has an LPUF with 256 RS latches:
• From LPUFs with 256 RS latches, 379 bits of entropy can be extracted by the proposed
  method, which is approximately 1.72 times as large as 220 bits of entropy extracted by a
  conventional method of eliminating random latches.
• In other words, the required number of RS latches for the generation of 256 bits of entropy
  is 173 in the proposed method, which is approximately 0.58 times as large as 298 in the
  conventional method.
Our case study using manufactured LPUFs supports that the entropy of PUF responses
dramatically improves due to the proposed method. PUF responses with high entropy are useful for
high entropy of the secret key sk in the function f, the responses of which are difficult to
predict through theoretical attacks. In conclusion, our proposed method contributes to the security
improvement of Approach (B), in which sk is generated using PUF responses.
1.3 Towards Future Research Topic
In the previous section, PUFs are assumed to be used for the construction of the function f ,
which is an authentication part in an IC chip. On the other hand, main features of IC chips
(i.e., IoT devices) are provided by general-purpose part such as audio-video-processing circuit,
communication circuit and cryptographic circuit for message encryption. These circuits are based
on a lot of Intellectual Property (IP) of their designers. Examples of the IP include circuit design
itself, various setting parameters and original algorithms, etc.
Reverse engineering, the same attack against sk on NVMs, also enables an attacker to reveal
the structure and functionality of a circuit (e.g., gate-level netlist) through analyzing its mask
pattern images using microscopes [69]. An attacker obtains the mask pattern images through
de-packaging an IC chip and de-layering individual layers by using grinding machines,
corrosive chemicals and microscopes. IP leakage to the outside is a big threat to the designers of the
circuits, causing infringement of IP and their counterfeits. The revealed trade secrets enable an
attacker to improve her/his own hardware designs or illegally sell themselves. A countermeasure
against such threat is to use dummy contacts-based camouflage gates [27] [56]. This technique
makes it difficult to identify the functionality of a logic gate according to its mask pattern images.
Consequently, an attacker cannot distinguish an AND gate from an OR gate at top view of the
gates. This countermeasure, however, has not led to a fundamental solution for the threat. This
is because the camouflaged gates can be identified at side view of them, in principle.
Social engineering is also a cause of the IP leakage. In this thesis, social engineering is defined
as a cause of the IP leakage not through physical analysis of IC chips themselves but through a
malicious person or malware, etc. in external untrusted foundries. Recently, fabless manufacturers
of IC chips have become widespread, and they commonly provide outside fabrication foundries
with mask pattern information. The foundries, however, are not necessarily trusted by the fabless
manufacturers in terms of protection of confidential information. There is a risk that the mask
pattern information can be leaked not only to the outside foundries but also to malicious parties.
The concept of split fabrication has been well-known as a countermeasure against the IP leakage
through such untrusted foundries. Under the split fabrication, a fabless company separates a circuit
diagram into multiple parts, and each part is manufactured in a different foundry. This prevents
each individual foundry from identifying the functionality of the whole circuit.
Hardware Obfuscation using PUF-based Techniques: Third Contribution
In this thesis, we first introduce the concept of a new application based on PUFs, i.e., hardware
obfuscation using our PUF-based technique. We suggest that the PUF-based technique can be
used not only for the construction of an authentication part (e.g., the function f ), but also for the
obfuscation of the general-purpose parts to prevent reverse engineering. Furthermore, we propose
a novel mechanism to combine the PUF-based technique with the concept of split fabrication.
This mechanism enables us to prevent IP leakage both through reverse engineering against IC
chips themselves and through social engineering via external untrusted foundries.
First, in order to prevent reverse engineering, we propose a novel method of designing a part of
logic circuit by using a PUF-based technique. Our aim is to spread the resistance of PUFs against
reverse engineering over the whole of the circuit. In this proposed method, a PUF is regarded
as a secure memory storing 1-bit response, the value of which is used to conceal the
functionality of a logic gate, e.g., NAND and XOR, etc. An attacker cannot identify the functionality
of such logic gates, and accordingly the whole circuit diagrams even through microscope-based
reverse engineering. It should be noted that we assume not exactly a PUF, but a special PUF-like
component, the response of which is controllable by its manufacturer. In this thesis, we define this
component as “Physically Unclonable Circuit (PUC)”, which is different from a common PUF in
that its response is not generated from its physical property.
Next, to prevent the social engineering, we combine PUCs with the split fabrication. In order
to manufacture a circuit obfuscated by PUCs, a fabless company has to provide external foundries
with all information for its circuit design except the values of PUC responses. IC chips including
the circuit are manufactured in the foundries, while responses of the PUCs are not determined at
this time. The foundries, therefore, cannot identify the functionality of the whole circuit. Finally,
in order to fix the functionality of the whole circuit, trusted foundries or fabless company itself
can determine the responses of PUCs by using small-scale equipment for writing.
Our proposed concept of PUCs is effective in concealing the functionality not only of
general-purpose parts but also of authentication parts in IC chips. As shown in Fig. 1.4 (B), the
cryptographic function enc should be constructed using public algorithms (e.g., AES), the security of
which is always being evaluated by many specialists. For this reason, attackers can easily get the
specifications of the public algorithms, so they do not need to perform the reverse-engineering of
enc, and can just focus on analyzing sk. In order to increase the cost of physical attacks, the cryptographic
algorithms (e.g., S-box specification) can be modified, keeping their cryptographic security, and
be implemented using PUCs. In this case, the attackers have to identify the functionality of enc in
addition to the value of sk. In conclusion, our PUC-based technique is also useful to increase the
costs of reverse engineering against authentication parts. In this thesis, we propose the concept of
PUCs, but need to establish a proof of concept in future work.
1.4 Structure of This Thesis
Figure 1.5 shows the structure of this thesis. In Part I, we described the introduction including the
research background, the motivation and the contributions of this thesis. In Part II, we organize
the knowledge of PUFs: properties, applications, requirements and implementations of PUFs.
Further, we describe our original idea proposed in [78], which is the basis of the proposed method
in Part IV. In Part III, we evaluate the security of BR-PUFs according to differential PUF analysis
and linear PUF analysis. In Part IV, we propose a novel method of extracting high entropy from
LPUFs by utilizing random latches, and experimentally evaluate the effectiveness of the proposed
method. In Part V, we discuss a future research topic: hardware obfuscation as a new application
of PUF-based techniques. Finally, we conclude this thesis and suggest future research directions
in Part VI.
[Figure 1.5 Structure of this thesis. Part I: Introduction (Motivation and Contributions of This
Thesis). Part II: PUFs (Technical Background of PUFs). Part III: Security Evaluation of PUFs
(Security Evaluation of Approach (A) based on a Strong PUF). Part IV: Security Improvement of
PUFs (Security Improvement of Approach (B) based on a Weak PUF). Part V: New Application of
PUF-based Techniques (Hardware Obfuscation using PUF-based Techniques). Part VI: Conclusion
(Conclusion and Future Directions). Group labels: Protection of Authentication Parts; Protection
of General-Purpose Parts.]
Part II
Physically Unclonable Functions

Chapter 2
Properties, Applications, Requirements and Implementations of PUFs
2.1 Properties of PUFs
A Physically Unclonable Function (PUF) is a function which has a single input (i.e., challenge)
and a single output (i.e., response). Generally, physical properties, e.g., wire delay, gate delay and
gate drive capability, are slightly different between each individual IC chip, and even in the same
chip. General-purpose IC chips for mass production need to work identically by minimizing this
difference of physical properties. For example, when we apply a plaintext to some cryptographic
circuits, we obtain the same ciphertexts from them. In contrast, multiple PUFs, implemented on
IC chips, generate unique responses for the same challenge. This is because a PUF works as a
special circuit to amplify the difference of physical properties in IC chips. In spite of these unique
responses, PUFs have a completely identical circuit structure, which makes it quite difficult for
attackers to perform microscopy-based reverse engineering, i.e., to identify the value of response by
using PUF layout information (e.g., mask pattern). Further, even if an attacker counterfeits a PUF
on her/his own IC chip by using its layout information revealed through reverse engineering, its
responses are completely different from those of an original PUF. This is because physical properties
are completely different between counterfeit and original IC chips. Hence it is difficult to perform
reverse engineering and counterfeit PUFs, and accordingly predict and reveal PUF responses. In
conclusion, PUFs are expected to be a breakthrough technology for anti-counterfeiting devices,
making cloning impossible even when the design is revealed through microscopy-based reverse
engineering.
[Figure 2.1 A classification of applications of PUFs: ID generation; cryptography, comprising
confidentiality (generating secret keys) and authentication (Approach (A), Approach (B)).]
2.2 Applications of PUFs
Figure 2.1 shows a classification of applications of PUFs. First, PUFs are considered to be used
as low-cost ID generators. PUFs can generate unique responses in spite of a completely identical
circuit structure, as mentioned before. We, therefore, do not need to write a unique ID at every
chip, which can reduce manufacturing costs. Second, another application of PUFs is cryptogra-
phy: confidentiality and authentication. In the field of the confidentiality, we can securely encrypt
and decrypt sensitive data using PUF-based secret keys since PUFs have high resistance against
reverse engineering. In the field of the authentication, PUFs are regarded as a cryptographic prim-
itive for secure and light-weight chip authentication.
In this thesis, we focus on PUF-based chip authentication, which is generally achieved by two
approaches: (A) using a PUF itself, which has numerous challenge and response pairs (CRPs)
(categorized as Strong PUF in [21]); and (B) using a cryptographic function, and a secret key
which is generated from a PUF with a limited number of CRPs (categorized as Weak PUF in [21]).
[Figure 2.2 Approach (A): chip authentication based on Strong PUFs. The authentication server
(verifier) and the chip with a PUF (prover) exchange a challenge C and a response R':
0. The verifier stores CRPs of a PUF in its database.
1. The verifier selects a challenge C from the database, and sends it to the prover.
2. The prover obtains R' from a PUF, and sends it back to the verifier.
3. The verifier obtains R from its database.
4. The verifier checks R = R'; if R = R', authentication succeeds.]
Here, we assume a common authentication system, in which an authentication server (verifier)
authenticates an IoT device with an IC chip including a PUF (prover), as shown in Fig. 1.1.
In Approach (A), multiple PUF responses are used for the authentication, as shown in Fig. 2.2.
In advance of the authentication, the verifier securely obtains multiple CRPs from the PUF in the
prover, and stores these CRPs in its database. In the authentication phase, one of the challenges C
listed in the database is sent from the verifier to the prover. The prover obtains a response R' by
applying C to the PUF, and sends R' back to the verifier. The verifier compares R' with R stored
in the database. If R is equal to R', the authentication is successful, so the verifier can confirm that
the prover (i.e., the PUF) is genuine.
In Approach (B), a limited number of PUF responses are used for the authentication, as shown
in Fig. 2.3. Concretely, the PUF responses are used to generate a secret key skPUF in the prover.
In advance of the authentication, a verifier obtains skPUF from the prover, and stores skPUF in its
database. In the first step of the authentication, a random number C is sent from the verifier to
the prover as a challenge. Then, the prover generates a response R', which is defined by the equation
R' = enc(C, skPUF). Here, enc(x, y) indicates a cryptographic function, the inputs of which are a
plaintext x and a secret key y. Then, R' is sent back from the prover to the verifier. The verifier
also calculates R using the challenge C it generated and the secret key skPUF in its database.
If R is equal to R', the authentication is successful. The security of this authentication system
relies on the assumption that the secret key skPUF is secretly shared between the verifier and the
prover. Note that the secret key skPUF is either PUF responses themselves, or can be generated as
an output from a hash function, the input of which is PUF responses.
[Figure 2.3 Approach (B): chip authentication based on Weak PUFs. The authentication server
(verifier) and the chip with a PUF (prover) exchange a challenge C and a response R':
0. The verifier stores a secret key skPUF in its database.
1. The verifier generates a random number C, and sends it to the prover.
2. The prover generates R': R' = enc(C, skPUF).
3. The verifier obtains skPUF from its database, and calculates R = enc(C, skPUF).
4. The verifier checks R = R'; if R = R', authentication succeeds.]
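Both exchanges described above, as an added Python sketch that is not code from the thesis. Assumptions: `SimulatedPUF` replaces the physical PUF with a hidden per-chip seed, HMAC-SHA256 stands in for the cryptographic function enc, skPUF is derived by hashing a PUF response, and the Approach (A) verifier discards each CRP after one use; all class and method names are hypothetical.

```python
import hashlib
import hmac
import secrets


class SimulatedPUF:
    """Software stand-in for a PUF. A real PUF derives its responses from
    silicon variation; here a hidden per-chip seed plays that role."""

    def __init__(self, chip_seed: bytes):
        self._seed = chip_seed

    def response(self, challenge: bytes) -> bytes:
        return hashlib.sha256(self._seed + challenge).digest()[:16]


def enc(challenge: bytes, sk: bytes) -> bytes:
    """Stand-in for enc(C, skPUF): HMAC-SHA256 replaces the cipher."""
    return hmac.new(sk, challenge, hashlib.sha256).digest()


class Prover:
    """Chip with a PUF. skPUF is re-derived on demand, never stored."""

    def __init__(self, puf: SimulatedPUF):
        self._puf = puf

    def respond_a(self, challenge: bytes) -> bytes:
        # Approach (A): the raw PUF response R' is the answer.
        return self._puf.response(challenge)

    def sk_puf(self) -> bytes:
        # skPUF as the output of a hash function over a PUF response.
        # Exposed to the verifier only during enrollment.
        return hashlib.sha256(self._puf.response(b"key-generation")).digest()

    def respond_b(self, challenge: bytes) -> bytes:
        # Approach (B): R' = enc(C, skPUF).
        return enc(challenge, self.sk_puf())


class VerifierA:
    """Approach (A): database of challenge-response pairs."""

    def __init__(self):
        self._crps = []

    def enroll(self, prover: Prover, count: int) -> None:
        for _ in range(count):
            c = secrets.token_bytes(16)
            self._crps.append((c, prover.respond_a(c)))

    def remaining(self) -> int:
        return len(self._crps)

    def authenticate(self, prover: Prover) -> bool:
        if not self._crps:
            raise RuntimeError("CRP database exhausted; re-enrollment needed")
        c, r = self._crps.pop()  # assumption: each CRP is used only once
        return hmac.compare_digest(r, prover.respond_a(c))


class VerifierB:
    """Approach (B): database holds skPUF; challenges are fresh randoms."""

    def __init__(self):
        self._sk = None

    def enroll(self, prover: Prover) -> None:
        self._sk = prover.sk_puf()

    def authenticate(self, prover: Prover) -> bool:
        if self._sk is None:
            raise RuntimeError("prover not enrolled")
        c = secrets.token_bytes(16)
        r_prime = prover.respond_b(c)
        return hmac.compare_digest(enc(c, self._sk), r_prime)


if __name__ == "__main__":
    genuine = Prover(SimulatedPUF(b"chip-0001-constructed"))
    counterfeit = Prover(SimulatedPUF(b"chip-9999-constructed"))
    va, vb = VerifierA(), VerifierB()
    va.enroll(genuine, 3)
    vb.enroll(genuine)
    print("A genuine    :", va.authenticate(genuine))
    print("A counterfeit:", va.authenticate(counterfeit))
    print("B genuine    :", vb.authenticate(genuine))
    print("B counterfeit:", vb.authenticate(counterfeit))
```

The sketch makes the storage difference visible: the Approach (A) database shrinks with every authentication, while the Approach (B) verifier holds a single key whose secrecy carries the whole scheme.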
2.3 Security Requirements of PUFs
Security requirements of PUFs are commonly defined as the following five indexes: reliability,
uniqueness, uniformity, bit-aliasing and unpredictability. Especially, reliability and uniqueness
are the most popular and important of them. The indexes of uniformity and bit-aliasing are first
defined in [43].
Reliability means the consistency of the values of PUF responses for repeated measurements.
When a challenge is repeatedly applied to a certain PUF, every measurement should produce a
completely consistent response. Reliability is quantitatively evaluated by calculating the Hamming distance
between two arbitrary responses for the same challenge. Reliability is often evaluated as error
rate, which is defined as the Hamming distance divided by the bit length of responses. If the
error rate is zero, the PUF is ideal in terms of reliability, i.e., it can produce 100% stable responses.
Actually, however, some bits of responses frequently fluctuate; responses have some error bits due
to environmental fluctuations of temperature or supply voltage. For this reason, the applications of
PUFs, including authentication and key generation, cannot be processed without some approaches
to solve these error bits of responses. The first approach is masking: challenges which
produce such fluctuating responses at normal operating condition (room temperature and standard
supply voltage) are not used. This masking approach maintains the reliability of responses, but reduces the bit
length of responses. This may cause undesirable effects on uniqueness and unpredictability. The
second approach is correcting: the non-reliable responses are corrected using Error Correcting Code
(ECC), etc. This approach requires larger redundant data for response correction as the number
of the error bits increases. Such large redundant data increases the required size of ROM, and this
is not suitable for resource-limited IoT devices.
Uniqueness means the independence among responses which are produced from multiple PUFs
to the same challenge. Even when the same challenge is applied to multiple PUFs, completely
different responses should be produced. Uniqueness is quantitatively evaluated by calculating the
Hamming distance between responses that are produced by two arbitrary PUFs. If the Hamming
distance is approximately equal to half of the bit length of responses, the PUF is ideal in terms of
uniqueness. If multiple PUFs produce the same responses, an authentication system based on the
PUFs is no longer secure.
Uniformity means the equality of the proportion of ‘0’s and ‘1’s in the bits of responses
produced from a PUF. Ideally, the proportion is approximately 0.5. If not, this may cause
undesirable effects on uniqueness.
Bit-Aliasing means the difference of the proportion of ‘0’s and ‘1’s in the bits of responses
that are produced from multiple PUFs for the same challenge. Ideally, this proportion is also
approximately 0.5.
Unpredictability means the difficulty of predicting PUF responses. In this thesis, we define
two kinds of unpredictability by each approach of chip authentication: Approach (A) with Strong
PUFs and Approach (B) with Weak PUFs. In Approach (A), the unpredictability is defined such
that attackers cannot predict responses even when some CRPs are public. Specifically, Strong
PUFs should have no correlation between any CRPs, otherwise such correlation may be a clue to
emulate and accordingly counterfeit the functionality of the PUFs. In Approach (B), the number of
CRPs of Weak PUFs is quite limited (in some PUFs, there is only one response), so the same
prediction scenario using multiple public CRPs in Approach (A) cannot be applied to Approach (B).
In Approach (B), the unpredictability is defined such that PUF responses, typically used as a secret
key, have a large variety, i.e., the total number/pattern/range of responses produced from
factory-manufactured PUFs. Note that some kinds of Weak PUFs (i.e., memory-based PUFs, described
later) generate one N-bit response, but when we consider the whole of the factory-manufactured
PUFs, the variety of values which the responses can take is from 0 to $2^N - 1$. A small variety of
responses makes it easy for an attacker to predict the response R', as shown in Fig. 2.3. In other
words, the unpredictability of responses is defined such that the entropy of PUF responses (i.e.,
skPUF) is sufficiently high.
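The Hamming-distance indexes defined in this section, computed over a small population, as an added Python example that is not code from the thesis. The 8-bit responses and re-measurements are constructed, the function names are hypothetical, and reliability is measured against a reference response rather than between two arbitrary measurements.

```python
from itertools import combinations

# Constructed data: responses of four chips to the same challenge.
CHIPS = {
    "chip0": "10110010",
    "chip1": "01100111",
    "chip2": "11010100",
    "chip3": "00101101",
}
# Constructed data: four repeated measurements of chip0.
REMEASURED_CHIP0 = ["10110010", "10110110", "10100010", "10110010"]


def hamming(a: str, b: str) -> int:
    """Hamming distance between two equal-length bit strings."""
    if len(a) != len(b):
        raise ValueError("responses must have the same bit length")
    return sum(x != y for x, y in zip(a, b))


def error_rate(reference: str, remeasurements) -> float:
    """Reliability as error rate: mean intra-chip HD / bit length (ideal 0)."""
    total = sum(hamming(reference, r) for r in remeasurements)
    return total / (len(remeasurements) * len(reference))


def uniqueness(responses) -> float:
    """Mean inter-chip HD over all chip pairs / bit length (ideal ~0.5)."""
    pairs = list(combinations(responses, 2))
    if not pairs:
        raise ValueError("need at least two chips")
    bit_length = len(responses[0])
    return sum(hamming(a, b) for a, b in pairs) / (len(pairs) * bit_length)


def uniformity(response: str) -> float:
    """Proportion of '1's within one chip's response (ideal ~0.5)."""
    return response.count("1") / len(response)


def bit_aliasing(responses):
    """Proportion of '1's at each bit position across chips (ideal ~0.5)."""
    bit_length = len(responses[0])
    return [
        sum(r[i] == "1" for r in responses) / len(responses)
        for i in range(bit_length)
    ]


def flag_biased_bits(aliasing, tolerance: float):
    """Bit positions whose proportion of '1's is further than tolerance
    from 0.5; such positions take nearly the same value on every chip."""
    return [i for i, p in enumerate(aliasing) if abs(p - 0.5) > tolerance]


if __name__ == "__main__":
    population = list(CHIPS.values())
    print("error rate (chip0):", error_rate(CHIPS["chip0"], REMEASURED_CHIP0))
    print("uniqueness        :", round(uniqueness(population), 4))
    for name, resp in CHIPS.items():
        print("uniformity", name, ":", uniformity(resp))
    aliasing = bit_aliasing(population)
    print("bit-aliasing      :", aliasing)
    print("biased positions  :", flag_biased_bits(aliasing, 0.2))
```

With only four chips and eight bits the values are coarse; the same functions apply unchanged to measured responses of any length.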
2.4 Implementations of PUFs
Various kinds of PUFs have been introduced until now. In this thesis, we focus on Silicon PUFs,
which are implemented on digital IC chips. The Silicon PUFs are classified into two categories:
delay-based PUFs and memory-based PUFs, according to the physical properties they use.
Delay-based PUFs utilize delay variations of wires or logic gates, and memory-based PUFs utilize
process variations in various kinds of memory cells [42]. Further, a Bistable Ring PUF is
introduced as a type of PUF, having both properties of memory-based PUFs and delay-based PUFs. As
mentioned before, PUFs are also classified into two categories: Strong and Weak PUFs
according to the number of their CRPs. Generally speaking, delay-based PUFs correspond to Strong
PUFs, and memory-based PUFs correspond to Weak PUFs, excluding Ring Oscillator PUFs, as
mentioned later.
2.4.1 Delay-based PUFs
Typical delay-based PUFs include Arbiter PUFs [35], Ring Oscillator PUFs [65] and Glitch PUFs
[66] [61] [62]. Arbiter PUFs and Glitch PUFs are classified into Strong PUFs, the strength of
which is to have an exponential number of CRPs. Therefore, these PUFs are used for the afore-
mentioned chip authentication in Approach (A).
Arbiter PUFs
An Arbiter PUF generates 1-bit responses determined by the difference in the signal delay
between two paths, which is mixed by a challenge, as shown in Fig. 2.4. An Arbiter PUF consists of
an amplification part and an arbiter part, both of which are connected with each other. The process
of producing responses is as follows. Two pulse signals are simultaneously applied to the
amplification part. These signals propagate through different paths, and at last arrive at the arbiter part. A
1-bit response is determined by which signal arrives earlier than the other. Generally, the arbiter
part is implemented by a flip-flop (FF) with a data input and a clock input. If one signal arrives
at the data input earlier than the other signal arrives at the clock input, the response becomes one,
and vice versa. A typical implementation of the amplification part includes N pairs of 2-to-1
multiplexors (2-1 MUX), which are connected in series. A multiplexor pair shares its select
line, which determines straight connection or cross connection. A challenge of an Arbiter PUF
corresponds to N-bit select lines of N multiplexor pairs. An Arbiter PUF has N-bit challenges, so
$2^N$ different propagation paths can be organized. All of these paths are the same length physically,
while they have different propagation delay times due to the difference of physical properties in
IC chips. Hence Arbiter PUFs can produce unique responses.
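The delay race described above, as an added Python simulation that is not code from the thesis or from [35]. Assumptions: each multiplexor pair is given four segment delays drawn from a Gaussian around a nominal value, the seed stands in for one chip's manufacturing variation, measurement noise is not modelled, and all names are hypothetical.

```python
import random


class ArbiterPUF:
    """Delay-race model of an N-stage Arbiter PUF (one simulated chip)."""

    def __init__(self, n_stages: int, chip_seed: int):
        rng = random.Random(chip_seed)  # stands in for manufacturing variation
        # Per MUX pair: (top->top, bottom->bottom, top->bottom, bottom->top).
        # Assumed: nominal delay 1.0 with 5% Gaussian variation per segment.
        self.stages = [
            tuple(rng.gauss(1.0, 0.05) for _ in range(4))
            for _ in range(n_stages)
        ]

    def response(self, challenge) -> int:
        """Race two pulses through the MUX chain selected by the challenge."""
        if len(challenge) != len(self.stages):
            raise ValueError("challenge must have one bit per MUX pair")
        top = bottom = 0.0  # arrival time of the pulse on each rail
        for bit, (tt, bb, tb, bt) in zip(challenge, self.stages):
            if bit == 0:  # straight connection
                top, bottom = top + tt, bottom + bb
            else:         # cross connection: the two pulses swap rails
                top, bottom = bottom + bt, top + tb
        # Arbiter FF: top rail drives the data input, bottom rail the clock.
        # The response is 1 when the data input is reached first.
        return 1 if top < bottom else 0


def random_challenges(n_stages: int, count: int, seed: int):
    """Constructed test challenges: `count` random N-bit select patterns."""
    rng = random.Random(seed)
    return [[rng.getrandbits(1) for _ in range(n_stages)] for _ in range(count)]


def disagreement(puf_a: ArbiterPUF, puf_b: ArbiterPUF, challenges) -> float:
    """Fraction of challenges on which two chips give different responses."""
    differing = sum(puf_a.response(c) != puf_b.response(c) for c in challenges)
    return differing / len(challenges)


if __name__ == "__main__":
    n = 64
    chip_a = ArbiterPUF(n, chip_seed=1)
    chip_a_again = ArbiterPUF(n, chip_seed=1)   # same silicon, measured again
    chip_b = ArbiterPUF(n, chip_seed=2)         # same design, different chip
    challenges = random_challenges(n, 500, seed=7)
    print("possible paths          : 2^%d" % n)
    print("same chip disagreement  :", disagreement(chip_a, chip_a_again, challenges))
    print("other chip disagreement :", disagreement(chip_a, chip_b, challenges))
```

Two chips built from the identical design disagree on roughly half of the challenges, which is the uniqueness property; every stage only adds a delay to one of two running totals, so the race outcome is a simple function of the challenge bits.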
[Figure 2.4 Structure of an Arbiter PUF introduced in [35]: an amplification part controlled by
the N-bit challenge C, followed by an arbiter part (1-bit FF) that outputs the 1-bit response R.]
However, their responses can be accurately predicted through a machine learning attack under
the assumption that some challenge-response pairs are public [58]. This machine learning attack
consists of two phases: learning phase and prediction phase, as shown in Fig. 2.5. This attack
enables attackers to construct a model of an Arbiter PUF, namely to construct a software-based
counterfeit of the Arbiter PUF. In the learning phase, multiple pairs of challenge C and response R
are input to a classifier, e.g., Support Vector Machine (SVM) or Logistic Regression (LR). The
classifier develops an approximation function between C and R: $R \approx F_{MLA}(C)$, according to
the given pairs of C and R. In the prediction phase, the attacker can obtain the predicted response
$R' = F_{MLA}(C')$, where C' is a given unknown challenge. According to [58], if an attacker obtains
thousands of CRPs from an Arbiter PUF, almost all of the remaining unknown CRPs of the PUF
are predictable with the high probability of 0.99, in their attack scenario using machine learning
algorithms.
Glitch PUFs
The Glitch PUF was proposed to solve this problem of ease of prediction [66] [61] [62]. The
Glitch PUF consists of an 8-bit AES S-box used as a glitch generator and a 1-bit toggle flip-flop
(TFF) used as a glitch counter, as shown in Fig. 2.6. In [76], we claimed that a challenge C should
be 19 bits, the first 16 bits (C1) of which consist of 8-bit Cp and 8-bit Cc because glitches appear
when the input signal of the S-box changes from Cp to Cc. The remaining 3 bits (C2) are used to select
a 1-bit signal from the 8-bit output of the S-box. A 1-bit response R is determined by the parity of the
number of the glitches appearing in the selected 1-bit signal. Therefore, this AES S-box-based
Glitch PUF has $2^{19}$ CRPs.
[Figure 2.5 Concept of machine learning attack against a PUF. Learning phase: known pairs
(C1, R1), (C2, R2), ..., (CN, RN) are given to a machine learning classifier (e.g., SVM, LR) to
construct a PUF model $R \approx f_{MLA}(C)$. Prediction phase: the PUF model outputs a predicted
response R' for an unknown challenge C'.]
The developers of this PUF suggest that the responses behave like a non-linear function due
to the complexity of the S-box, therefore machine learning attacks are prevented. In [76], we
showed, however, that Glitch PUFs have some weak challenges leading to responses which may
be more easily predictable than others. Further, low robustness against voltage variation, i.e.,
low reliability, is confirmed by an experimental evaluation of an implementation of Glitch PUFs
on Xilinx Spartan-6 FPGAs. The same result of this low reliability is also confirmed by the
developers themselves [61]. The idea of generating unique responses from circuit glitches seems
very interesting and promising, therefore a good candidate of the glitch generator for this PUF,
instead of AES S-boxes, should be discussed in future work.
There are other types of Glitch-based PUFs using different glitch generators. The concept
of extracting unique information from glitches on digital circuits is first introduced in [16] [53]
[54], in which a 32-bit combinational multiplier is used for a glitch generator. Further, the
delay differences between two multiplexor chains on FPGAs are used to construct another type of
Glitch-based PUF dedicated to FPGAs [1].
[Figure 2.6 Structure of a Glitch PUF introduced in [61]: C1 (8-bit Cp, 8-bit Cc) feeds an 8-bit
AES S-box (glitch generator); C2 (3 bits) selects one bit of its 8-bit output; a 1-bit TFF (glitch
counter) produces the 1-bit response R.]
Ring Oscillator PUFs
Ring Oscillator PUFs derive 1-bit responses from the difference in oscillator frequencies [65].
The oscillator frequencies are affected by the wire delay and gate delay, which make the
responses unique for each individual IC. Figure 2.7 shows a Ring Oscillator PUF which consists of
M ring oscillators, each of which is composed of an odd number of inverters cascaded as
a ring. The Ring Oscillator PUF derives 1-bit responses from the difference of oscillator
frequencies between two arbitrary ring oscillators. Consequently, the 1-bit response becomes zero or one,
depending on which ring oscillator has a higher frequency. Typically, counter circuits are used
for detection of the frequency. The number of CRPs is ${}_M C_2$, which corresponds to the number
of combinations of M ring oscillators taken 2 at a time. Here, ${}_a C_b$ is defined as the number of
combinations of a elements taken b at a time. Ring Oscillator PUFs are categorized into Weak
PUFs because the number of CRPs (${}_M C_2$) increases only as $O(M^2)$. On the other hand, in Arbiter
PUFs categorized into Strong PUFs, the number of CRPs ($2^N$) increases exponentially with the
number of multiplexor pairs N.
However, a security issue is reported that ring oscillators, located close to peripheral circuits
(e.g., interface circuits), oscillate with lower frequency than those located far from the peripheral
circuits [48]. This undesirable property may enable an attacker to predict some responses, if
we select two ring oscillators located close to and far from peripheral circuits. Further, some
experimental results show that the ranges of ring oscillator frequencies are directly identified
through electromagnetic analysis [47].
[Figure 2.7 Structure of a Ring Oscillator PUF introduced in [65]: ring oscillators 1 to M (each
an odd number of inverters), a selector part that selects 2 out of M according to the challenge C,
counters A and B, and a comparator that outputs the 1-bit response R (if A > B, then R = 0, and
vice versa).]
2.4.2 Memory-based PUFs
Memory-based PUFs include Static RAM (SRAM) PUFs [21] [23], Flip-flop PUFs [40], Latch-
based PUFs [63] [64] and Butterfly PUFs [34], etc. A common point of these memory-based
PUFs is that their responses are extracted from various kinds of memory cells, e.g., SRAM cell,
flip-flop, latch cell, butterfly cell (cross-coupled latches).
There are two ideas about CRPs of memory-based PUFs. One is that an instance of a
memory-based PUF, including N memory cells, generates only one N-bit response without challenges. In
that sense, these memory-based PUFs can be regarded as secure storage elements, the stored
values of which cannot be specified through their mask pattern images. The other is that this instance
generates N 1-bit responses. These responses are obtained from N challenges which
correspond to memory addresses or locations of N memory cells. Under either idea,
memory-based PUFs are categorized as Weak PUFs since the number of CRPs increases linearly with the
number of implemented memory cells.
In this thesis, we assume the former idea of CRPs; a memory-based PUF generates an N-bit
response RES:
$$RES = R_{N-1} \,\|\, R_{N-2} \,\|\, \cdots \,\|\, R_i \,\|\, \cdots \,\|\, R_1 \,\|\, R_0,$$
where $R_i$ is a unique value outputted from a memory cell i ($0 \le i \le N - 1$) and the operation $\|$
means a concatenation of two variables.
SRAM PUFs
The power-up initial values of SRAM cells are strongly affected by physical properties of the
SRAM cells. Therefore, these initial values can be used as a unique response for each individual
PUF, while they are relatively reproducible. SRAM is commonly embedded in IC chips, therefore
SRAM PUFs can be constructed without dedicated circuits.
However, SRAM PUFs have two points to be improved. First, when an SRAM PUF is implemented
on an FPGA, there is a problem that the power-up values of SRAM cells are automatically
initialized to fixed values, so they cannot be used as a unique response. Second, a device power-up
operation is required for the generation of every response. Specifically, responses can be produced
only when the device is powered on. There are other types of PUFs to overcome these problems.
Flip-flop PUFs
To overcome the first problem of the automatic initialization, Flip-flop PUFs use the power-up
values of flip-flops instead of SRAM cells. Flip-flop PUFs are based on the fact that we can
prevent the initialization of the power-up values of flip-flops on Xilinx FPGAs. In the power-up
state of Xilinx FPGAs, a configuration file stored in external PROM is downloaded to an FPGA.
The configuration file includes the command to initialize the values of flip-flops. Their power-up
values are maintained by eliminating this command from this configuration file. Unfortunately,
Flip-flop PUFs do not solve the second problem.
Latch-based PUFs
A latch-based PUF (LPUF) generates its response without an actual device power-up. Each response
bit corresponds to a metastable value of a latch cell composed of cross-coupled logic gates.
The latch cell can be configured by NAND, NOR, or other types of logic gate. This difference
does not influence the performance of LPUFs. In this thesis, we assume a NAND-based latch cell
as a basic component of LPUFs.
Figure 2.8 shows a latch cell used for LPUFs, having a single combined input A. A generally-used
latch cell has two separate input signals connected to an upper NAND gate and a lower one.
The latch cell is in a stable state with outputs (B, C) = (1, 1) when input A = 0, while it temporarily
enters a metastable state right after input A changes from 0 to 1 (= rising edge). Right after this, it
enters one of two stable states: its outputs are (B, C) = (1, 0) or (B, C) = (0, 1). Theoretically,
the transition to either of these states occurs with equal probability. Actually, however, most latch
cells have a high probability of entering one specific state. This is caused by a slight difference
of physical properties: the drive capabilities of the two NAND gates or the wire length of the
cross-coupled part. Therefore, these stable states of latch cells are used for the generation of
unique responses. These responses are generated whenever input A changes from 0 to 1, without
an actual device power-up.
[Figure 2.8 (schematic): two cross-coupled NAND gates with a single combined input A and outputs B and C.]
Figure. 2.8 NAND-based latch cell.
LPUFs had been considered to be implemented on ASICs. This is because a latch cell, which has a
structure with a cross-coupled combinational loop, was considered impossible to implement on
FPGAs due to constraints of FPGA synthesis tools. In [78], we showed that LPUFs can be
implemented on some Xilinx FPGAs (Spartan-3E and Spartan-6) according to the methods
introduced by Hata et al. [22]. These methods, which were introduced for implementing a
latch-based physical random number generator, enable us to implement cross-coupled NAND gates
themselves on FPGAs.
Butterfly PUFs
Butterfly PUFs are assumed to be implemented not on ASICs but on FPGAs. To implement a latch
cell on FPGAs, a basic component of a Butterfly PUF is composed not of cross-coupled NAND
gates but of cross-coupled latches. The cross-coupled latches behave similarly to a NAND-based
latch cell. The output of the Butterfly PUF is triggered by a clock edge signal applied to the
latches, without an actual device power-up.
Variants of SRAM PUFs
The aforementioned memory-based PUFs extract at most 1 bit of entropy from a memory cell. In
contrast, some kinds of PUFs can extract multi-bit entropy from a memory cell.
A MECCA PUF is basically based on an SRAM cell, but has a mechanism for changing the
word line duty cycle of the SRAM cell [33]. The value of the SRAM cell (i.e., response) is
influenced by the duty cycle duration (i.e., challenge).
A data retention voltage of an SRAM cell is utilized for a more informative non-binary identifier
[24]. This type of PUF extracts the data retention voltage of an SRAM cell by repeatedly lowering
its supply voltage and observing the highest voltage at which the SRAM cell fails. The highest
voltage resulting in the failure is unique, therefore it is used to generate a multi-bit response.
These PUFs need a hardware modification to change the duty cycle duration or the SRAM
supply voltage.
2.4.3 Bistable Ring PUF
Bistable Ring PUF (BR-PUF) was proposed as a Strong PUF, and self-evaluated by Chen et al.
[13] [14]. BR-PUFs have properties of both memory-based PUFs and delay-based PUFs. In the
following, we focus on two major differences between BR-PUFs and Ring Oscillator PUFs: (1)
the structure of a ring, (2) the generation of responses.
(1) A BR-PUF is composed of cascaded inverters (INVs) as a ring (hereinafter called “primitive
BR-PUF”), as shown in Fig. 2.9. A primitive BR-PUF is similar to a Ring Oscillator PUF in terms
of the ring of cascaded inverters. The difference is that the number of the inverters is not odd but
even (e.g., eight in Fig. 2.9). Hence the primitive BR-PUF does not keep oscillating, but makes
the transition from a metastable to a stable state like memory-based PUFs. After voltage is supplied,
the primitive BR-PUF has two possible stable states, ‘10101010’ (‘A’-state) or ‘01010101’ (‘5’-state),
enumerating the inverters’ outputs beginning from INV1. The primitive BR-PUF generates a
1-bit response according to which state the ring falls into. BR-PUFs are similar to Ring Oscillator
PUFs in terms of having inverter rings. BR-PUFs also share with LPUFs the characteristic of
having two possible states.
[Figure 2.9 (two panels): a ring of eight inverters with alternating outputs. Panel 1: 0b10101010 = 0xAA: A-state.
Panel 2: 0b01010101 = 0x55: 5-state.]
Figure. 2.9 Two possible stable states on a primitive BR-PUF with 8 inverters.
(2) A primitive BR-PUF generates just one 1-bit response because it consists of one ring, while
a Ring Oscillator PUF includes multiple parallel-implemented rings. To generate multiple 1-bit
responses, the circuit structure of the BR-PUF shown in Fig. 2.10 is presented in [13]. The inverter
in Fig. 2.9 is implemented by a BR-S, which is a basic component of a BR-PUF. The $l$-th BR-S,
i.e., BR-S$_l$ ($1 \le l \le 64$), is composed of two NOR gates, a 2-to-1 multiplexor (2-1 MUX) and a
1-to-2 demultiplexor (1-2 DEMUX). A 1-bit challenge C[l] is input to the BR-S$_l$ to select either
of the NOR gates. The BR-PUF with 64 BR-Ss has 64-bit challenges to select the NOR gates.
The BR-PUF thus comprises $2^{64}$ different types of rings, the NOR gates of which are differently
selected depending on the values of challenges. Each NOR gate has different characteristics,
i.e., drive capability or gate/wire delay. Hence the value of challenges has a great impact on the
decision of stable states, either A-state or 5-state, as claimed by Chen et al., the developers of
BR-PUFs. Therefore, the BR-PUF can generate multiple CRPs without having multiple rings like
Ring Oscillator PUFs. A 1-bit response is extracted from an arbitrary signal between two BR-Ss,
e.g., the output from BR-S$_{63}$, i.e., Out[63] (= In[0]) in Fig. 2.10. The BR-S$_l$ works as an inverter
when the reset signal equals 0. In contrast, the input and output of BR-S$_l$, In[l] and Out[l], can
be forced to zero when the reset signal is 1 (i.e., neither A-state nor 5-state). This enables us to
generate responses at any time after power-up.
[Figure 2.10 (circuit diagram): a ring of stages BR-S0 to BR-S63 connected through In[l] and Out[l], with
Out[63] = In[0] = R (Response). Inset of one stage BR-Sl: a 1-2 DEMUX and a 2-1 MUX, controlled by
C[l] (Challenge), select between NOR-0 and NOR-1; a Reset signal is also shown.]
Figure. 2.10 Circuit structure of a Bistable Ring PUF.
In conclusion, a BR-PUF with $N$ BR-Ss has $N$-bit challenges and generates $2^N$
responses, at any time after power-up. That is why BR-PUFs are categorized into
Strong PUFs.
Chapter 3
Variety Increase of PUF Responses
and Its Evaluation on FPGAs
Publication Data
Dai Yamamoto, Kazuo Sakiyama, Mitsugu Iwamoto, Kazuo Ohta, Masahiko Takenaka, and
Kouichi Itoh, Variety enhancement of PUF responses using the locations of random outputting
RS latches, Journal of Cryptographic Engineering, 3(4):197-211, 2013.
Dai Yamamoto, Kazuo Sakiyama, Mitsugu Iwamoto, Kazuo Ohta, Takao Ochiai, Masahiko Takenaka,
and Kouichi Itoh, Uniqueness Enhancement of PUF Responses Based on the Locations
of Random Outputting RS Latches, In Workshop on Cryptographic Hardware and Embedded
Systems 2011 (CHES 2011), volume 6917 of Lecture Notes in Computer Science (LNCS), pages
390–406, Springer, 2011.
3.1 Motivation
We defined the unpredictability of responses as the large variety of responses produced from
factory-manufactured PUFs, as described in Sect. 2.3. This is because factory-manufactured PUFs
are generally more secure if the variety of responses is larger. Concretely, a 256-bit full-entropy
response is more difficult to predict than a 128-bit response.
An LPUF with $N$ RS latches, for example, generates one $N$-bit response, the variety of which
is ideally $2^N$. However, the actual variety of the response becomes smaller than $2^N$, which may
make it easy for attackers to predict responses. This small variety is caused by eliminating some
RS latches, outputs of which are inconsistent (random) for repeated measurements. These RS
latches outputting random values (hereinafter called “random latches”) are unnecessary for PUF
responses. This is because these PUF responses are typically used for the generation of reliable
secret keys.
In [78], we introduced an efficient method of using the information entropy of random latches
in order to produce a larger variety of responses. We utilized not the random outputs of random latches,
but the location information of random latches. Unlike these random outputs, this location
information is determined during the manufacturing process, so it is almost fixed once PUFs
are manufactured. Therefore, we can also maintain the reliability of responses. In this method,
RS latches are classified into three types by their output patterns (0’s, 1’s, and random numbers).
These three types of RS latches are regarded as generating three types of unique values (00/11/10),
respectively. This method can ideally increase the variety of responses from $2^N$ to approximately
$3^N \approx 2^{1.58N}$, where $N$ is the number of implemented RS latches in an LPUF.
The structure of this chapter is as follows. In Sect. 3.2, we introduce the conventional methods
of generating responses from LPUFs. In Sect. 3.3, we introduce our method of producing a
large variety of responses based on the location information of random latches, and estimate its
effectiveness. In Sect. 3.4, we evaluate the effectiveness of this method through an experimental
system with Spartan-6 FPGAs. Finally, we conclude this chapter in Sect. 3.5.
3.2 Conventional Methods of Producing PUF Responses
The behavior of an RS latch, a basic component of an LPUF, was explained in Sect. 2.4. This
section explains the mechanism of an LPUF, shown in Fig. 3.1. An LPUF consists of $N$
parallel-implemented RS latches, which generate an $N$-bit response:
$$RES = R_{N-1} \| R_{N-2} \| \cdots \| R_i \| \cdots \| R_1 \| R_0,$$
where $R_i$ is a unique value outputted from an RS latch $i$ ($0 \le i \le N-1$) and the operation $\|$ means
a concatenation of two variables. Note that the more significant bits of the response correspond
to the outputs of RS latches with larger latch numbers, in order to simplify discussion in this
thesis. When a signal with consecutive rising edges, e.g., a clock signal, is applied to the input
of each RS latch, the stable states after the rising edges fall into one of three patterns: all ‘0’s,
all ‘1’s, or a mixture of ‘0’s and ‘1’s (= random numbers). These random numbers arise in
irregular RS latches whose two cross-coupled NAND gates have almost identical physical
properties. The LPUF in Fig. 3.1 has some random latches such as LATCH$_2$ and
LATCH$_{N-2}$. These random latches cause a problem in that the reliability of the response
$RES$ is reduced since their outputs are unstable random numbers. There are two widely-known
conventional approaches to solve this problem.
[Figure 3.1 (diagram): LATCHN-1 outputs 000000... (RN-1 = 0); LATCHN-2 outputs 110100... (RN-2 = 0/1, Random);
LATCH2 outputs 001100... (R2 = 0/1, Random); LATCH1 outputs 111111... (R1 = 1); LATCH0 outputs 000000... (R0 = 0).]
Figure. 3.1 Latch-based PUF (conventional method).
The first approach (called “conventional method” in this chapter) does not use random latches
for the generation of responses. This approach maintains the reliability of responses, but reduces
the bit length of responses, i.e., the variety of responses, as the number of random latches increases.
For example, if an LPUF with 128 RS latches ($N = 128$) in Fig. 3.1 has 40 random latches,
the maximum variety of responses reduces from $2^{128}$ to $2^{88}$. Hence the increase of random latches
results in reducing the variety of reliable responses. Thus it is necessary to implement extra RS
latches in an LPUF in accordance with the number of random latches. However, such a solution is
not suitable for IoT devices containing IC chips with limited hardware resources. This is because
it is necessary to make the area size of RS latches and peripheral circuits as small as possible
in LPUFs in such IoT devices. This first approach also requires a mechanism to detect random
latches.
The second approach uses ECCs to correct the non-reliable responses caused by the random
latches. This approach requires larger redundant data for response correction as the number of
random latches increases. The large redundant data increases the required size of ROM, so this is
not suitable for IoT devices. In addition, an LPUF with $n$ RS latches naturally extracts $k$ ($< n$) bits
of entropy even if an $[n, k, d]$-code is used as an ECC.
From the above discussion, the first approach is not desirable for extracting more entropy from
PUFs. The second approach is essential for memory-based PUFs, used as secure key storage,
although it is not sufficient to use this approach alone.
3.3 Improved Methods of Producing PUF Responses
This section describes our method for extracting more entropy from PUFs by utilizing these
unwanted random latches [78]. This method dramatically improves the variety of responses and
maintains the reliability of responses.
3.3.1 Concept: Use of the Location Information of Random Latches
The conventional LPUF in Fig. 3.1 generates responses based only on RS latches outputting
fixed numbers such as 0’s or 1’s (hereinafter called “fixed latches”). Our LPUF uses the location
information of random latches, rather than the random numbers from the random latches. If an
LPUF with $N$ RS latches has $T$ random latches, then the number of locations of random latches
equals ${}_N C_T$, which increases the number of different representations of LPUFs. Hence, the PUF
based on our method utilizes the entropy derived from the locations of random latches in order
to increase the variety of responses. However, this kind of LPUF requires complex controls to
associate the location of an RS latch with the output number, which leads to a large circuit size. In
[78], we introduced a simple and efficient method of solving this problem. This method regards
the three types of output patterns from the RS latches (0’s, 1’s, and random numbers) as ternary
values (00/11/10), respectively. Our method can generate responses with many more patterns
than conventional methods of eliminating random latches. We describe the details of this method
with reference to Fig. 3.2. When a clock signal is applied to the inputs of the RS latches in our
LPUF, they generate three types of outputs: 0’s, 1’s, and random numbers. According to this
output of the RS latch $i$ (0’s/1’s/random numbers), the output of RS latch $i$ is a 2-bit unique value
$S_i[1:0]$ (= 00/11/10). Stated more precisely, let $RES[2N-1:0]$ be the $2N$-bit response of our
LPUF. Then
$$RES[2N-1:0] = S_{N-1} \| S_{N-2} \| \cdots \| S_i \| \cdots \| S_1 \| S_0. \tag{3.1}$$
3.3.2 Theoretical Estimation
In [78], we theoretically estimated the variety (number) of responses that are produced from our
LPUFs. Let $N$ be the number of implemented RS latches, and $T$ be the number of random latches.
Our PUF generates a response containing ternary values (00/11/10), so the total variety of responses
is ideally $3^N$. We define this total number as the “ideal upper bound” of responses, which
is estimated in consideration of all the possible combinations of the ternary values. Concretely,
the ideal upper bound includes the cases when random latches are few or many. However, the
value of $T$ is in fact almost fixed because it is determined by the kind of IC chip and the way
in which the RS latches are implemented. Therefore, the manufactured PUFs actually generate fewer than
$3^N$ responses. The following theoretically estimates the variety of responses for a given
value of $T$. The variety of responses arising from the fixed latches is $2^{N-T}$, while the variety of
responses arising from the random latches is ${}_N C_T$. Therefore, the variety of responses for a given
value of $T$ is estimated to be $2^{N-T} \cdot {}_N C_T$. This value is obviously less than $3^N$ because the variety
of responses for given $T$ corresponds to the $T$-th term of the binomial expansion of $3^N = (2+1)^N$,
which is $2^{N-T} \cdot {}_N C_T$, the same as the above estimate. We define this variety of responses for a
given value of $T$ as the “theoretical bound” of responses. Figure 3.3 shows a comparison between the
theoretical bound of responses for the conventional method of eliminating random latches and the
theoretical bound of responses using our method with various $T$ values and given $N$ (= 128). The
conventional method generates $2^{N-T}$ responses, so the theoretical bound of responses decreases
as the number of random latches increases. In contrast, our method dramatically increases the
theoretical bound of responses. The theoretical bound of responses takes on its maximum value
($\approx 2^{203}$) when $T$ is around 43 ($\approx 128/3$). Hence, our method dramatically improves the theoretical
bound of responses.
[Figure 3.2 (diagram): LATCHN-1 outputs 000000… (RES[2N-1:2N-2] = 00); LATCHi outputs ****** (RES[2i+1:2i] = Si[1:0]);
LATCH2 outputs 001100… (RES[5:4] = 10); LATCH1 outputs 111111… (RES[3:2] = 11); LATCH0 outputs 000000… (RES[1:0] = 00).]
Figure. 3.2 Latch-based PUF (improved method in [78]).
[Figure 3.3 (plot): x-axis: Number of latches outputting random number (T), 0 to 128; y-axis: Theoretical bound
of responses [log2], 0 to 200; curves: Conventional method, Our improved method.]
Figure. 3.3 Theoretical bound of responses against the number of random latches (Estimate).
3.4 Performance Evaluation on FPGAs
This section evaluates the effectiveness of our improved method using Xilinx Spartan-6 FPGAs
(XC6SLX16-2CSG324C). We also evaluate reliability and uniqueness, which are the requirements
of PUFs, as described in Sect. 2.3. An LPUF consists of 128 RS latches, which were
implemented manually. We used 20 actual FPGA chips, but we took the number of chips to be 40
since we implemented two LPUFs on an FPGA chip at two completely different locations.
3.4.1 Variety and Shannon Entropy of PUF Responses
According to Fig. 3.3, LPUFs on Spartan-6 FPGAs using the improved method are estimated to
generate approximately $2^{175}$ patterns of responses. This estimation is based on the fact that the average
number of random latches was 14 in our implemented LPUFs with 128 RS latches.
The Shannon entropy of the responses is approximately 170.8 bits *1, according to the estimation
method described later in Sect. 5.3.3. Our experimental results indicate that an LPUF based
on our method improves the entropy of responses.
3.4.2 Evaluation of PUF Requirements
Reliability
We evaluate the reliability of responses when a supply voltage is changed within the rated voltage
range of Spartan-6 FPGAs (1.14, 1.20, 1.26V). In this evaluation, one response is generated as the
reference at normal operating condition (room temperature and standard supply voltage of 1.20V),
and the remaining 100 responses are generated for analysis at 1.14V, 1.20V or 1.26V.
At 1.20V, the average error rate is approximately 0.0086 with a standard deviation of 0.0054.
Even at 1.14V and 1.26V, the average error rates are approximately 0.053 and 0.048 with a standard
deviation of 0.013 and 0.016, respectively. These error rates are much less than the 0.15
assumed in [11] for stable responses based on a fuzzy extractor [19] with a reasonable size of
redundant data. These results indicate that our LPUF implemented on Spartan-6 FPGAs yields
highly reliable responses.
Uniqueness
Forty 256-bit responses are generated from all 40 FPGAs (one response per FPGA chip). We
evaluate the average of normalized Hamming distances (NHDs) between every combination of
two responses, i.e., ${}_{40}C_2 = 780$ combinations. The average of NHDs is approximately 0.49 with a
standard deviation of 0.039. Our LPUFs give responses with a high level of uniqueness.
Note that the ideal average of NHDs is not 0.5 but around 0.44, because our LPUFs do not
generate ‘01’ for 2-bit partial responses. In that sense, the average of 0.49 is a little larger than
the ideal 0.44. This is because the average number of random latches is 14, which is smaller than
43 (=128/3). Consequently, most of the 2-bit partial responses are ‘00’ or ‘11’, so the average of
NHDs approaches 0.5 similar to the conventional LPUF using binary values (0/1).
*1 The value of 167.9, described in [78], is a mistake in calculation. The correct value is 170.8.
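The ternary encoding of Eq. (3.1), the theoretical bound of Sect. 3.3.2 and the NHD figures quoted above can be reproduced with a short Python script. This is an added example, not code from the thesis: the function names and the four sample bitstreams are constructed, and the NHD model assumes that a fixed latch is equally likely to output 0's or 1's and that latches on different chips are independent.

```python
from math import comb, log2

# Ternary values of the improved method: all 0's -> 00, all 1's -> 11, random -> 10.
SYMBOL = {"zeros": "00", "ones": "11", "random": "10"}


def classify(stream):
    """Classify one RS latch from the bits sampled after successive rising edges.

    A short observation window can mislabel a random latch as fixed, so the
    stream should be long enough for the target reliability.
    """
    if not stream or set(stream) - {"0", "1"}:
        raise ValueError("stream must be a non-empty string of 0/1 characters")
    if "1" not in stream:
        return "zeros"
    if "0" not in stream:
        return "ones"
    return "random"  # mixture of 0's and 1's: a random latch


def improved_response(streams):
    """Eq. (3.1): RES[2N-1:0] = S_{N-1} || ... || S_1 || S_0 (streams[i] is LATCH i)."""
    return "".join(SYMBOL[classify(s)] for s in reversed(streams))


def conventional_response(streams):
    """Conventional method: random latches are dropped, fixed latches give 1 bit each."""
    kinds = [classify(s) for s in reversed(streams)]
    return "".join("1" if k == "ones" else "0" for k in kinds if k != "random")


def log2_bound_conventional(n, t):
    """log2 of 2^(N-T), the theoretical bound when random latches are eliminated."""
    return n - t


def log2_bound_improved(n, t):
    """log2 of 2^(N-T) * C(N,T), the theoretical bound of the improved method."""
    return (n - t) + log2(comb(n, t))


def peak_t(n):
    """All T that maximise 2^(N-T) * C(N,T), found with exact integer arithmetic."""
    sizes = [(1 << (n - t)) * comb(n, t) for t in range(n + 1)]
    best = max(sizes)
    return [t for t, size in enumerate(sizes) if size == best]


def expected_nhd(n, t):
    """Expected normalized Hamming distance between two chips (assumed model).

    Each latch is random with probability t/n, otherwise 00 or 11 with equal
    probability. 00 vs 11 differ in 2 bits, fixed vs random (10) in 1 bit.
    """
    p_rand = t / n
    p_fixed = (1 - p_rand) / 2
    e_hd = 2 * (2 * p_fixed * p_fixed) + 1 * (2 * p_rand * 2 * p_fixed)
    return e_hd / 2  # two bits per latch


if __name__ == "__main__":
    # Constructed sample: LATCH0..LATCH3, shaped like the streams in Fig. 3.2.
    streams = ["000000", "111111", "001100", "000000"]
    print("improved     RES =", improved_response(streams))
    print("conventional RES =", conventional_response(streams))
    for t in (0, 14, 40):
        print(f"N=128 T={t:3d}: conventional 2^{log2_bound_conventional(128, t)}, "
              f"improved 2^{log2_bound_improved(128, t):.1f}, "
              f"expected NHD {expected_nhd(128, t):.3f}")
    print("T maximising the improved bound for N=128:", peak_t(128))
```
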
3.5 Conclusion
In this chapter, we introduced our method for generating responses from an LPUF based on the
location information of RS latches outputting random numbers. Our introduced LPUF generates
ternary values (00/11/10) in accordance with the three types of output bitstream from RS latches.
This dramatically increases the variety of responses from $2^N$ to $2^{N-T} \cdot {}_N C_T$ with $N$ implemented
RS latches and $T$ random latches, which makes it difficult for attackers to predict the responses.
According to our experiment with Spartan-6 FPGA chips, an LPUF with 128 RS latches based
on our method is able to generate responses with 170.8-bit Shannon entropy, which is larger than
128 bits, the maximum Shannon entropy without our method. In Part IV, we propose an extension
method of enhancing the variety of responses over the method described in this chapter.

Part III
Security Evaluation of PUFs

Chapter 4
Differential and Linear Analysis of
Bistable Ring PUFs
Publication Data
Dai Yamamoto, Masahiko Takenaka, Kazuo Sakiyama, and Naoya Torii, Security Evaluation of
Bistable Ring PUFs on FPGAs using Differential and Linear Analysis, In Workshop on Emerging
Aspects in Information Security (EAIS 2014), pages 917–924, IEEE, 2014.
4.1 Motivation
From the viewpoint of designers of PUF-based chip authentication, as shown in Fig. 2.2, we need
a secure Strong PUF, whose responses are difficult for an attacker to predict. The BR-PUF,
as proposed by Chen et al. [13], is considered to be a promising candidate for a secure Strong
PUF. In this chapter, we evaluate an implementation of the BR-PUF in terms of the difficulty of
predicting responses.
We consider that such difficulty can be evaluated by two approaches: a numerical-based approach
or an analytical-based approach. A machine learning analysis, as introduced by Rührmair et al. [58],
is one of the most well-known methods among numerical-based approaches. This is a very effective
analysis method of revealing the general correlation between CRPs by applying some CRPs to a
machine learning classifier. However, the evaluation results (whether or not the correlation exists)
depend on the way of applying CRPs to the classifier, or on the ability of the used classifier, etc.
In fact, the response prediction against Arbiter PUFs can succeed if we apply not raw challenges
but smartly-transformed challenges to the classifier; these transformed challenges make it easy
for the classifier to find the correlation between CRPs [58]. On the other hand, Majzoobi et al.
introduced two interesting analytical-based methods [44]: (1) the relationship between CRPs’ Hamming
distances and (2) the conditional probabilities of response bits with respect to challenge bits.
These methods can reveal very simple kinds of correlation between CRPs. Therefore, a requirement
of secure Strong PUFs is that no correlation between CRPs is found in these analytical-based
methods. We consider that these analytical-based evaluations should be performed in advance of
the numerical-based evaluation.
In this chapter, we extend these two analytical-based methods to: (1) differential PUF analysis
and (2) linear PUF analysis. Then, we experimentally evaluate the security of BR-PUFs according
to these extended analytical-based methods. The reason why we focus on the BR-PUF is that it has
strong resistance against response prediction because of its complex structure and non-linear
behavior, as claimed by its developer [13].
Our contributions in this chapter consist of two parts.
1. We extend two analytical-based evaluation methods [44] to differential PUF analysis and
linear PUF analysis. These PUF analysis methods are conceptually similar to differential
cryptanalysis [7] and linear cryptanalysis [45], respectively.
2. According to differential and linear PUF analyses, we first evaluate the security of BR-PUFs
implemented on Xilinx Spartan-6 FPGAs. Our case study supports that BR-PUFs
on FPGAs have undesirable performance. The differential evaluation shows that the same
responses are frequently generated for two challenges with small Hamming distance. The
linear evaluation implies that particular bits of challenges have a strong correlation with
the values of responses. These results show for the first time that BR-PUFs have some security
issues regarding response prediction.
The structure of this chapter is as follows. In Sect. 4.2, we describe the details of the
analytical-based methods: differential PUF analysis and linear PUF analysis. In Sect. 4.3, we construct an
FPGA-based experimental system containing BR-PUFs, and evaluate the security of BR-PUFs
using these analytical-based methods. Finally, we conclude this chapter in Sect. 4.4.
4.2 Analytical-based Evaluation Methods
To the best of our knowledge, only Majzoobi et al. have published a paper describing some
analytical-based techniques of predicting PUF responses [44]. In this chapter, we extend these
analytical-based techniques into two important methods: differential PUF analysis and linear
PUF analysis. These methods are deeply related to the most powerful cryptanalysis methods:
differential cryptanalysis and linear cryptanalysis. In the following, we explain these methods,
assuming the case of evaluating BR-PUFs. More importantly, these can be used as universal methods
for evaluating the security of other Strong PUFs. Further, it is expected that other cryptanalysis
methods can also be used for PUF analysis in terms of response predictions.
4.2.1 Differential PUF Analysis
In differential PUF analysis, we evaluate whether or not challenges with small Hamming distance
result in highly correlated responses. A group of challenges with small Hamming distance may
cause the problem that most of the NOR gates in a BR-PUF are selected in common, so the characteristics
impacting the responses are also similar to one another. In detail, let $R_j$ be the $j$-th
response obtained from the 64-bit $j$-th challenge $C_j$ ($1 \le j \le N$), where $N$ is the total number of
CRPs. Here, let $\tilde{R}_j^k$ be the response obtained from $\tilde{C}_j^k$, where $k$ is the Hamming distance between
$\tilde{C}_j^k$ and $C_j$, i.e., $HD(C_j, \tilde{C}_j^k) = k$. For example, $\tilde{R}_j^1$ and $R_j$ are expected to have little correlation
in secure PUFs. If a correlation exists, $\tilde{R}_j^1$ may be easily predicted by an attacker
who knows challenge-response pairs $(C_j, R_j)$. This means that the implemented BR-PUFs have a
serious security issue.
The basic concept of the aforementioned differential PUF analysis has been introduced as the
Hamming distances test in [44]. In differential PUF analysis, we take not only the Hamming distance but
also the locations of the differing bits into consideration. This enables us to evaluate the effect of particular
bits of challenges on responses. In the case of $k = 1$, the total number of challenges $\tilde{C}_j^1$ is only
64, where the $i$-th bit from the Least Significant Bit (LSB) is different from $C_j$ ($1 \le i \le 64$). In the
case where $k > 1$, however, the number of challenges $\tilde{C}_j^k$ is ${}_{64}C_k$, which becomes quite large for
large values of $k$. Due to time constraints, it is difficult to evaluate all challenge-response pairs.
We, therefore, propose the method of evaluating the following two types of challenges $\tilde{C}_j^k$: (Type
A) neighboring $k$ bits are different between $C_j$ and $\tilde{C}_j^k$ as shown in Fig. 4.1(I); (Type B) bits at intervals
of $64/k$ bits are different as shown in Fig. 4.1(II). We aim to evaluate the effects of neighboring
NOR gates in Type A, and those of detached NOR gates in Type B. Evaluating both types
enables us to efficiently evaluate the effect of challenges on responses, instead of evaluating all
challenge-response pairs. Table 4.1 shows the number of $\tilde{C}_j^k$ in the aforementioned types, where
$k$ = 1, 2, 4, 8 and 16. Type B ($k = 1$) is considered as Non-Available (N/A) since the challenges
are the same in both types.
[Figure 4.1 (two panels): challenge bits C[63] to C[0] of $C_j$ and $\tilde{C}_j^k$. (I) Type A (k = 4), patterns #1 to #16.
(II) Type B (k = 16), patterns #1 to #4.]
Figure. 4.1 Two types of challenges $\tilde{C}_j^k$ (Colored bits are different between $C_j$ and $\tilde{C}_j^k$).
This differential PUF analysis is similar to the well-known differential cryptanalysis [7].
Differential cryptanalysis evaluates the avalanche effect: the effects of the changes of plaintext
bits on ciphertext bits. In the differential PUF analysis, we also evaluate how differences in the
challenge lead to differences in the response.
Table 4.1 Number of challenges for k in both types.
k      Type A   Type B
1      64       N/A
2      32       32
4      16       16
8      8        8
16     4        4
Sum    124      60
4.2.2 Linear PUF Analysis
In linear PUF analysis, we evaluate whether or not we obtain the same responses with high probability
if certain bits of challenges are forced to zero or one. Forcing bits of challenges means
that particular NOR gates certainly exist in a ring of the BR-PUF. Here, these NOR gates could
be influential NOR gates: irregular gates which have quite different circuit characteristics from
other NOR gates. If such influential NOR gates exist in a ring of the BR-PUF, the stable state
is expected to fall into either state with high probability. As a result, the number of independent
CRPs is very small, which is a security problem for Strong PUFs.
We consider that such influential NOR gates may exist; physical properties of some logic gates
in an IC chip may be quite different from those of many other ones. This is because of process
variations in the circuit characteristics such as drive capability or gate/wire delay. In particular,
a smaller Complementary Metal Oxide Semiconductor (CMOS) process is more strongly affected
by the process variations.
The location of the influential NOR gate is defined by the following two parameters: enforced
bit ($\le 64$) and enforced value (0/1). The enforced bit means the location of the BR-S including the
influential NOR gate. The enforced value indicates which of the two NOR gates in the BR-S it is. For example,
if the enforced bit is 33 and the enforced value is 1, the influential NOR gate is the NOR-1 gate in
BR-S$_{33}$.
In [44], the basic concept of the linear PUF analysis is introduced, but the eect of only a single
bit of challenges is evaluated in Arbiter PUFs. In contrast, we take multiple bits of challenges on
responses into consideration.
This method is similar to the well-known linear crypt analysis [45]. In linear crypt analysis, an
attacker tries to find linear equations with plaintext bits and ciphertext bits which have a high bias.
4.3 Experimental Evaluation
4.3.1 Experimental Setup
Figure 4.2 shows our experimental system, which consists of two boards: a custom-made board with a Xilinx Spartan-6 FPGA (XC6SLX16-2CSG324C) and a commercially-available Spartan-3E starter kit board with a Xilinx Spartan-3E FPGA (XC3S500E-4FG320C). We implemented the BR-PUF circuit with 64 BR-Ss on the Spartan-6 FPGA, and the peripheral circuits such as the block RAM and RS232C module on the Spartan-3E FPGA. A Spartan-6 FPGA chip was put on a socket of the custom-made board, being therefore easily replaceable by another chip. We evaluated 4 BR-PUFs implemented on 4 Spartan-6 FPGA chips: FPGA$x$ ($1 \le x \le 4$).
Our response acquisition process was as follows. When the RS232C module in the Spartan-3E FPGA received a start command from a Personal Computer (PC), the module sent a start signal to a control (CTRL) module. The CTRL module used a 64-bit Linear Feedback Shift Register (LFSR) to generate 2,048 random challenges $C_j$ ($1 \le j \le 2{,}048$). According to [74], the tap sequence of the LFSR was set to [64, 63, 61, 60], and the initial value was set to ‘0x123456789ABCDEF0’. The 64-bit challenge was divided into four 16-bit values, which were sent to and stored in the flip-flops (FFs) on the Spartan-6 FPGA. The reset signal to the BR-PUF was changed from 1 to 0, then the response acquisition was started. Not only the 1-bit output but also the whole 64-bit output from the BR-Ss was stored into the 64-bit flip-flop. This enables us to confirm whether or not the response is stable; if the 64-bit value has at least two consecutive 1’s/0’s, the response is regarded as being in an unstable state, and otherwise as stable. In our experiment, the 64-bit value was stored after sufficient time (i.e., approximately 6 ms) from the reset signal changing to 0 in order to make the response as stable as possible. The 64-bit value was sent to a block RAM on the Spartan-3E bit-sequentially, and was transmitted to the user PC through an RS232C port.
Figure. 4.2 Experimental system.
Both design and implementation of the BR-PUF are very important because they have a large impact on the eventual response behavior of the PUF itself. In order to prevent response prediction, the wire lengths between all BR-Ss should be completely identical. However, it is difficult to exactly control the wire length because logic gates on FPGAs are fixed on grid-pattern layouts. Hence we take great care of the symmetric layout of the BR-PUF as follows. Figure 4.3 shows our custom layout of a BR-PUF with 64 BR-Ss on a Spartan-6 FPGA. The 64 BR-Ss were implemented on the ring-shaped neighboring Configurable Logic Blocks (CLBs), expecting that the wire lengths between all BR-Ss are identical. This symmetric layout is expected to make a uniform ring and a bias of responses as small as possible.
The implementation of BR-PUFs in this thesis is not completely the same as that in the original. We derive 64-bit outputs from all of the 64 BR-Ss, instead of just one as in the original. We consider that the original implementation is not the best option. This is because deriving only one output may lead to an imbalance of capacitive loads on the output of each BR-S, which causes influential gates. We derive outputs from all of the BR-Ss in order to prevent this imbalance.
Before we perform an experimental evaluation, we verify the implemented BR-PUFs according to the responses $R_j$'s for the 2,048 random challenges $C_j$'s. The average Hamming distance between two arbitrary 64-bit challenges among the 2,048 challenges is 32.00. This is extremely close to the theoretical value ($= 64/2$), so the challenges we use are sufficiently random. By using these challenges, we evaluate the average Hamming distance between two arbitrary responses among the 2,048 responses (i.e., ${}_{2048}C_{2}$ combinations). The results are 0.50, 0.49, 0.49 and 0.46 in four BR-PUFs, respectively. These are very close to the ideal value (= 0.5), so our implemented BR-PUFs are verified to generate almost non-biased responses for random challenges.
4.3.2 Experimental Results - using Differential PUF Analysis
This section evaluates BR-PUFs according to dierential PUF analysis; focusing on the correla-
tion among the responses obtained from challenges with small Hamming distance. We generate
184 (= 124 + 60, Type A and Type B in Table 4.1) challenges ˜Ckj for each of 2,048 C j’s. Hence
we obtain the total of 378,880 (= 2; 048  185) CRPs from each BR-PUF.
– 56 –
BR-S63BR-S0
BR-S1
BR-S32
BR-S31
CLB CLB
1-2 DEMUX 2-1 MUXNOR-0 NOR-1 
BR-S16 BR-S47
BR-PUF
Figure. 4.3 Implementation of our BR-PUF with 64 BR-Ss on a Spartan-6 FPGA.
– 57 –
Figure 4.4 shows the ratios of the challenges $\tilde{C}_j^k$ which generate the same responses as each $C_j$. These results are the means of 4 implemented BR-PUFs. From the result of Type A in $k = 1$, 88.0% of challenges $\tilde{C}_j^1$ lead to the same responses as $C_j$. This ratio should be around 0.5 in secure PUFs. The larger the value of $k$ is, the lower the ratios of such challenges are. However, even in the Type A of $\tilde{C}_j^{16}$ where $HD(C_j, \tilde{C}_j^{16}) = 16$, the probability is approximately 0.665, which is larger than ideal 0.5. Further, there is almost no difference between both types in Fig. 4.4. This indicates that the similarity of responses depends not on the locations of the different bits, but just on the Hamming distance of the challenges. However, the different bit locations may have strong effects on responses in other types of PUFs. If a CRP is known to an attacker, she has a high possibility to predict the responses for challenges with small Hamming distances by using the known challenge.
Dierent from other Strong PUFs (e.g., Arbiter PUFs), BR-PUFs have the property that the
generation time of responses, i.e., the duration period for stable states, is quite dierent depending
on values of challenges [13]. The generation time has a strong impact on the reliability and
uniqueness of the responses, defined as security requirements of PUFs in Sect. 2.3. Especially, the
responses obtained in a short transient time have little uniqueness*1 among BR-PUFs on FPGAs
because circuit layout influences the responses strongly. Hence we should select and use the only
responses with long transient time, as presented in [13]. In the above-mentioned evaluation
we focus on all of CRPs without consideration of the transient time. We anticipate that highly-
unique responses with the long transient time have a lower similarity, even if the challenges have
a small Hamming distance. To confirm this we obtain the 64-bit outputs of BR-Ss, i.e., responses
for 2,048 C j’s, in a short time of approximately 70s after the reset signal to the BR-PUF is
zero. 1,658 (approximately 80.96%) out of 2,048 C j’s lead to stable responses with alternate
bits. Here, we focus only on the remaining of 390 C j’s and perform the same evaluation as
above mentioned, whose results are shown in Fig. 4.5. The correlation between the value of
responses and the Hamming distance of challenges becomes small, as we expected. However, the
correlation still exists: 68.1% of challenges ˜C1j lead to the same responses as C j’s. This indicates
that the responses of BR-PUFs may be predictable even if we use the selection of CRPs, presented
*1 According to the BR-PUFs on ASICs self-evaluated by the developers through SPICE simulations in [14], the PUF
requirements such as reliability and uniqueness are not aected by the generation time of responses.
– 58 –
 0.50
 0.60
 0.70
0.80
 0.90
 1.0
0  1  2  4  8  16
R
at
io
Hamming distance: k
Type A
Type B
Figure. 4.4 Ratios of challenges ˜Ckj generating the same responses as C j for k in both types.
 0.50
 0.60
 0.70
 0.80
 0.90
 1.0
 0  1  2  4  8  16
R
at
io
Type A
Type B
Hamming distance: k
Figure. 4.5 Ratios of challenges ˜Ckj generating the same responses as C j whose transient time
is longer than 70 s.
– 59 –
by developers of BR-PUFs. In conclusion, this dependency of the responses on the Hamming
distance of challenges might facilitate an attacker to predict most of unknown responses.
4.3.3 Experimental Results - using Linear PUF Analysis
This section evaluates BR-PUFs according to linear PUF analysis; evaluating whether or not BR-
PUFs have irregular BR-Ss containing influential NOR gates, which have a decisive impact on the
value of responses.
Preliminary Experiment
As a preliminary experiment to confirm the existence of influential NOR gates, we analyze the same 2,048 CRPs ($C_j$, $R_j$) as in Section 4.3.2. The 64-bit challenges of BR-PUFs correspond to the way of selecting NOR gates in BR-Ss. From the 2,048 $C_j$'s we extract those whose certain $m$ ($1 \le m \le 5$) bits are the same as one another, i.e., common NOR gates are selected. Our software program searches all patterns of selecting $m$ NOR gates (${}_{64}C_{m} \times 2^m$ combinations). Due to time constraints, we set $m$ to less than 6. Table 4.2 shows the number of responses (=‘1’s) for the part of $C_j$'s. We explain how to read the table with the specific example of $m = 3$, as follows. Out of 2,048 there are 236 $C_j$'s whose 58th, 13th and 6th LSBs are 1, 0 and 1, respectively. The number of responses whose values are ‘1’s is 205, which is 86.9% of 236 $R_j$'s. Hence these three NOR gates are predicted to be influential NOR gates, i.e., (enforced bit, enforced value) = (58, 1), (13, 0), (6, 1). Table 4.2 also shows the 6 patterns of influential NOR gates for each $m$. From Table 4.2, we see that more than 65% of responses become 1 in the BR-PUF with just one influential NOR gate (i.e., $m = 1$). The number of the influential NOR gates is considered to be around 10 in the 64 BR-Ss. The larger the number of influential NOR gates ($= m$) is, the larger the percentage of responses (=‘1’s) is, i.e., the larger impact on the responses. Especially, all responses become 1 when $m = 5$. In conclusion, according to the analysis of 2,048 $C_j$'s, we demonstrate that our BR-PUF on an FPGA chip has influential NOR gates with a decisive impact on the values of responses.
The above-mentioned results are obtained from a BR-PUF on FPGA1. We also confirm that the other three BR-PUFs on FPGA2, FPGA3 and FPGA4 have influential NOR gates. BR-PUFs on FPGA1, FPGA2 and FPGA3 generate responses biased to one, while the BR-PUF on FPGA4 outputs responses biased to zero. The locations of influential NOR gates are different for each FPGA. These are caused by the characteristics of BR-Ss.
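The pattern search of the preliminary experiment, as an added example for checking one's own PUF design (it is not the author's program): it enumerates all ${}_{64}C_{m} \times 2^m$ patterns and ranks them by the share of responses equal to 1, using bitsets over the CRP list. The toy PUF with three planted gates, the function names and the 0-based LSB indexing are assumptions made for the example; no measured data from the thesis is used.

```python
import random
from itertools import combinations, product

N_BITS = 64
# Constructed "planted" gates as (enforced bit, enforced value); they reuse the
# positions of the page's m = 3 reading example purely as sample values.
PLANTED = ((6, 1), (13, 0), (58, 1))


def make_toy_puf(planted=PLANTED, weight=8, seed=1):
    """Constructed stand-in for a BR-PUF, NOT a model taken from the thesis.

    Every challenge bit adds a small signed contribution; a planted gate adds
    a much larger one when the challenge selects it. Response = sign of sum.
    """
    rng = random.Random(seed)
    signs = [rng.choice((-1, 1)) for _ in range(N_BITS)]
    strong = dict(planted)

    def respond(challenge):
        score = 0
        for i in range(N_BITS):
            bit = (challenge >> i) & 1
            if i in strong:
                score += weight if bit == strong[i] else -weight
            else:
                score += signs[i] if bit else -signs[i]
        return 1 if score > 0 else 0  # the sum is always odd, so never 0

    return respond


def collect_crps(puf, count=2048, seed=2):
    """Random 64-bit challenges and their responses (constructed data)."""
    rng = random.Random(seed)
    return [(c, puf(c)) for c in (rng.getrandbits(N_BITS) for _ in range(count))]


def popcount(x):
    return bin(x).count("1")


def build_index(crps):
    """masks[(i, v)]: bit j is set when challenge j has value v at bit i.
    ones: bit j is set when response j is 1."""
    masks = {(i, v): 0 for i in range(N_BITS) for v in (0, 1)}
    ones = 0
    for j, (challenge, response) in enumerate(crps):
        for i in range(N_BITS):
            masks[(i, (challenge >> i) & 1)] |= 1 << j
        if response:
            ones |= 1 << j
    return masks, ones


def count_pattern(pattern, masks, ones, total):
    """Return (# responses = 1, # challenges) among CRPs matching the pattern."""
    selected = (1 << total) - 1
    for gate in pattern:
        selected &= masks[gate]
    return popcount(selected & ones), popcount(selected)


def search(crps, m, min_support=40, top=6):
    """Rank all m-gate patterns by the ratio of responses equal to 1."""
    masks, ones = build_index(crps)
    rows = []
    for bits in combinations(range(N_BITS), m):
        for values in product((0, 1), repeat=m):
            pattern = tuple(zip(bits, values))
            k, n = count_pattern(pattern, masks, ones, len(crps))
            if n >= min_support:  # skip patterns with too few matching CRPs
                rows.append((k / n, k, n, pattern))
    rows.sort(key=lambda r: (-r[0], -r[2]))
    return rows[:top]


if __name__ == "__main__":
    crps = collect_crps(make_toy_puf())
    for m in (1, 2, 3):
        print(f"m = {m}")
        for ratio, k, n, pattern in search(crps, m):
            gates = ", ".join(f"{b:02d}:{v}" for b, v in pattern)
            print(f"  {gates:<22} {k} / {n} ({ratio:.1%})")
```

Ranking by the share of zeros instead finds gates that bias a device toward 0, as reported for FPGA4.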
Main Experiment
We evaluate the responses for a much larger number of challenges than 2,048. First, additional $2^{15}$ $C_j$'s ($1 \le j \le 2^{15}$) are obtained by using the LFSR on the Spartan-3E FPGA. Next, we generate $\hat{C}_j$'s whose enforced bits are changed to the enforced values according to Table 4.2. This means that influential NOR gates are definitely included in the rings of our BR-PUF, and the other NOR gates are selected randomly. Figure 4.6 shows the ratio of responses equal to 1 for $\hat{C}_j$'s. The line graph represents the average result of six patterns of influential NOR gates as shown in Table 4.2. The upper and lower bounds for error-bars mean the maximum and minimum results of the six patterns, respectively. From Fig. 4.6, we see that the responses are biased to one when our BR-PUF includes influential NOR gates. The probability of responses being one is 71.4% and 54.5% when the number of influential NOR gates is set to 5 and 1, respectively. The reason why the degree of the bias is smaller than in Table 4.2 is likely that responses are affected by other influential NOR gates not shown in Table 4.2. In conclusion, an attacker who knows some CRPs could reveal the properties (i.e., influential NOR gates) of her target BR-PUF like Table 4.2. After that, she/he has a high possibility to predict unknown CRPs. To minimize the impact of the influential NOR gates, special layout and implementation custom-designed for each BR-PUF are required; however, these increase the manufacturing costs dramatically.
4.4 Conclusion
In this chapter, we organized the evaluation methods for PUFs: differential PUF analysis and linear PUF analysis. Based on these methods, we evaluated the probability of a prediction of the responses $R_j$ for challenge $C_j$ ($1 \le j \le 2{,}048$). We experimentally obtained $R_j$ and $C_j$ from four BR-PUF instances, each of which consists of 64 BR-Ss, composed of two NOR gates, implemented on Xilinx Spartan-6 FPGAs.
According to dierential analysis for BR-PUFs, we demonstrated that approximately 88.0%
and 66.5% of responses become 1 for challenges with Hamming distance of 1 and 16, respectively.
– 61 –
 0.50
0.60
 0.70
 0.80
 0.90
 1.0
 1  2  3  4  5
R
at
io
Number of enforced bits
Figure. 4.6 Ratio of responses (= 1) for ˆC j’s whose m-bit enforced bits are changed to en-
forced values according to Table 4.2.
These results are much larger than about 50% in secure Strong PUFs. Hence an attacker has a
high possibility to predict the responses for challenges with small Hamming distances from her
known CRPs.
According to linear PUF analysis, we demonstrated that BR-PUFs have some influential NOR
gates, which cause a strong bias of responses. The probability of responses being one is 71.4%
and 54.5% when the number of influential NOR gates is 5 and 1, respectively. An attacker has a
high possibility to predict unknown CRPs by specifying the location of influential NOR gates.
Our experimental results are the first to show that BR-PUFs present undesirable PUF behavior due to the response prediction. Independently of our evaluation, Schuster et al. also evaluated their BR-PUFs implemented on Xilinx Spartan-6 FPGAs, and they found a strongly linear influence in their BR-PUF implementations [60]. According to our results and those of Schuster et al., BR-PUFs are not suitable as a candidate of secure Strong PUFs. Arbiter PUFs also have the vulnerability to the theoretical attack, as mentioned in Sect. 2.4.1. Therefore, currently there seems to be no secure instance of Strong PUFs which have tolerance to theoretical attacks. However, many other kinds of PUFs are still candidates of secure Strong PUFs, including a twisted BR-PUF proposed by Schuster et al. as an alternative implementation of a BR-PUF [60], or a double Arbiter PUF proposed by Machida et al. as an alternative implementation of an Arbiter PUF [38] [39]. These candidates should be evaluated not only by their proposers, but also by third-party researchers. Further, PUFs should be evaluated on various platforms such as FPGAs and ASICs. In order to construct Approach (A) securely, we should continue to pursue a secure instance of Strong PUFs in future work.
As shown in Fig. 2.2, Approach (A) is a basic protocol for chip authentication based on Strong PUFs. In order to realize secure chip authentication, many researchers have proposed other advanced protocols, which combine PUFs with cryptographic primitives such as secure NVMs, true random number generators and hash functions. Delvaux et al. evaluate the security of these advanced protocols, and conclude that all of them have numerous security and practicality issues due to the lack of cryptographic properties of Strong PUFs [17]. In conclusion, a secure Strong PUF (a truly Strong PUF with great cryptographic properties, as mentioned in [17]) is required both for Approach (A) and for its advanced protocols.
Table 4.2 Influential NOR gates and their impact on a bias of responses.
m   Influential NOR gate(s)           # of responses (= 1) /
    Enforced bit (i-th LSB) :         # of responses for challenges
    Enforced value (0/1)              with left-column's NORs
1   53:0                              701 / 1046 (67.0%)
    25:0                              716 / 1044 (68.6%)
    19:0                              700 / 1041 (67.2%)
    18:1                              678 / 1008 (67.3%)
    06:1                              682 / 1011 (67.5%)
    01:0                              709 / 1037 (68.4%)
2   53:0, 25:0                        411 / 539 (76.3%)
    52:1, 01:0                        384 / 505 (76.0%)
    37:0, 06:1                        384 / 502 (76.5%)
    25:0, 18:1                        400 / 514 (77.8%)
    15:0, 09:0                        402 / 528 (76.1%)
    09:0, 06:1                        384 / 504 (76.2%)
3   58:1, 13:0, 06:1                  205 / 236 (86.9%)
    54:1, 25:0, 18:1                  204 / 239 (85.4%)
    53:0, 17:0, 11:0                  215 / 252 (85.3%)
    43:0, 37:0, 06:1                  219 / 257 (85.2%)
    25:0, 20:1, 19:0                  234 / 275 (85.1%)
    25:0, 18:1, 01:0                  231 / 271 (85.2%)
4   63:0, 59:0, 37:0, 06:1            124 / 132 (93.9%)
    58:1, 52:1, 13:0, 06:1            112 / 120 (93.3%)
    54:1, 25:0, 18:1, 01:0            114 / 121 (94.2%)
    53:0, 28:1, 11:0, 00:1            122 / 131 (93.1%)
    43:0, 40:1, 32:1, 01:0            123 / 132 (93.2%)
    27:0, 25:0, 18:1, 06:1            123 / 132 (93.2%)
5   53:0, 51:0, 45:0, 18:1, 07:0      79 / 79 (100%)
    58:1, 41:0, 32:1, 19:0, 06:1      76 / 76 (100%)
    59:0, 43:0, 32:1, 13:0, 01:0      61 / 61 (100%)
    63:0, 59:0, 45:0, 18:1, 17:0      61 / 61 (100%)
    52:1, 51:0, 35:1, 20:1, 01:0      45 / 45 (100%)
    48:1, 32:1, 26:1, 10:1, 02:1      41 / 41 (100%)
Part IV
Security Improvement of PUFs

Chapter 5
Variety Enhancement of PUF Responses and Its Evaluation on ASICs
Publication Data
Dai Yamamoto, Kazuo Sakiyama, Mitsugu Iwamoto, Kazuo Ohta, Masahiko Takenaka, Kouichi Itoh, and Naoya Torii, A new method for enhancing variety and maintaining reliability of PUF responses and its evaluation on ASICs, Journal of Cryptographic Engineering (Accepted), Springer, 2014.
5.1 Motivation
In order to realize secure PUF-based chip authentication based on Approach (B), as shown in Fig. 2.3, the variety of PUF responses should be sufficiently high, as mentioned in Sect. 2.3. We explained an efficient method of utilizing random latches to increase this variety of responses in Chap. 3. However, this method does not make the maximum use of the entropy extracted from random latches in LPUFs. Further, we evaluated the proposed method just on FPGA chips and not on ASIC chips, which are often used in IoT devices. An evaluation on ASIC chips is very important because PUF performances are strongly affected by chip properties, which are quite different between FPGA and ASIC chips.
Our contributions in this chapter consist of three parts.
(1) We propose an extension method of enhancing the variety of responses over the basic method in Chap. 3, while maintaining their reliability. Our extension method utilizes the proportion of ‘1’s in the random numbers outputted from each random latch. This extension method enables us to distinguish each random latch, while the basic method regards all random latches as the same. Consequently, our extension method extracts more entropy from random latches than the basic method, and enhances the variety of responses. However, it is not desirable to use the value of the proportion of ‘1’s without any consideration. This is because this information is easily affected by environmental conditions such as temperature and voltage, which causes the problem of reducing the reliability of responses. To avoid this problem, our extension method categorizes the random latches not according to the value but the range of the proportion of ‘1’s. The proportion of ‘1’s falls within a particular range of values even when temperature and supplied voltage fluctuate. As a result, the number of random latches in each category is expected to be relatively reliable, so can be used to enhance the variety of responses while maintaining reliability. Here, the most important parameter is the number of the categories $K$, because a large $K$ is expected to improve the variety but to worsen the reliability.
(2) We fabricate 73 LPUFs, each of which has 256 RS latches, as 73 ASIC chips on Fujitsu 0.18-µm CMOS technology. We evaluate the effectiveness of the extension method and determine the appropriate value of $K$. According to our experiments using the 73 chips, the varieties of responses are $2^{220}$, $2^{314}$ and $2^{379}$ when $K = 2, 3, 16$, respectively. The extension method ($K = 16$) and the basic method ($K = 3$) generate 1.72 and 1.42 times a larger variety of responses than the conventional method of simply eliminating random latches (i.e., $K = 2$), respectively.
(3) We evaluate the reliability of responses against both temperature and voltage fluctuations. We confirm that all LPUFs in the 73 chips satisfy the security requirements of PUFs even when $K = 16$ and both temperature and voltage change to −20 °C ∼ 60 °C and 1.80 ± 0.15 V, respectively. The maximum error rate of responses is approximately 0.096, which is less than the 0.15 assumed in [11] for reliable responses based on ECCs with a reasonable size of redundant data. Our extension method dramatically enhances the variety of responses while maintaining reliability, which is very practical and useful.
The structure of this chapter is as follows. In Sect. 5.2, we propose an extension method of enhancing the variety of responses over the basic method in Chap. 3. In Sect. 5.3, we evaluate the effectiveness of our extension method using our fabricated ASIC chips, and also evaluate security requirements of PUFs such as reliability with respect to changing environmental temperature and power supply voltage. Finally, we conclude this chapter in Sect. 5.4.
5.2 Proposed Extension Method
The conventional LPUF in Fig. 3.1 generates responses based on the output values themselves (‘0’s or ‘1’s). We introduced the basic method in Chap. 3, which extracts and utilizes the entropy of locations of random latches, rather than eliminating them. This entropy is equal to $\log_2({}_{N}C_{T})$, where an LPUF with $N$ RS latches has $T$ random latches.
In this chapter, we propose a novel extension method which extracts more entropy from random latches in order to increase the variety of responses. Concretely, our extension method uses the information of the proportion of ‘1’s (‘0’s) in the random numbers outputted from each RS latch. The reason why we focus on the proportion of ‘1’s is that this information is different for each RS latch, so is expected to include high entropy. LPUFs using this extension method are expected to generate a larger variety of responses than the LPUFs using the basic method. However, the value of the proportion of ‘1’s is likely to be affected by environmental conditions such as temperature and voltage. Hence we propose a simple and efficient mechanism to keep the responses as reliable as possible and enhance the variety of responses. This mechanism consists of two processes: a dividing process and a labeling process. We will look at an example of both processes, after a general explanation of them.
First, the dividing process must determine an important factor $K$: the number of output patterns resulting from RS latches. The basic method distinguishes just three (i.e., $K = 3$) types of output patterns from the RS latches (‘0’s, ‘1’s and random numbers). In contrast, the LPUFs using the extension method distinguish $K$ ($> 3$) types of RS latches ($T_0 \sim T_{K-1}$). Consequently, LATCH$_i$ is defined as belonging to type $T_k$ ($0 \le k \le K-1$) as follows:
$$
\begin{cases}
T_{K-1} & \text{if } X_i = 1, \\
T_{K-2} & \text{if } \frac{K-3}{K-2} < X_i < 1, \\
T_k \ (2 \le k \le K-3) & \text{if } \frac{k-1}{K-2} < X_i \le \frac{k}{K-2}, \\
T_1 & \text{if } 0 < X_i \le \frac{1}{K-2}, \\
T_0 & \text{if } X_i = 0,
\end{cases}
$$
where $X_i$ is the percentage of ‘1’s within a certain amount of random numbers. Parameter $K$ is very significant for the dividing process because it has a great impact on the variety and reliability of responses. A larger value of $K$ increases the variety of responses, but is anticipated to make reliability worse. This is because the smaller range of $X_i$ (i.e., the larger value of $K$) we define, the more RS latches are distinguished into different types before/after temperature or voltage changes. This leads to large error bits of responses. Therefore a large size of redundant data is necessary for ECC. Further, a larger value of $K$ causes a larger bit length of responses, which increases the area size of peripheral circuits (e.g., flip-flops for storing responses). Hence we should determine the appropriate value of $K$ through experiments using LPUF implementations.
Next, the labeling process determines unique values $L_k$ for each type of $T_k$, where $0 \le k \le K-1$. In the basic method corresponding to $K = 3$, the unique values were just simply labeled as 00/11/10 according to the RS latches outputting ‘0’s, ‘1’s and random numbers, respectively. When the extension method is used (i.e., $K > 3$), the unique values $L_k$ can be labeled in various ways. Figure 5.1 shows a method of labeling the unique value of $L_k$ for each $T_k$ ($0 \le k \le K-1$) in various $K$ settings ($3 \le K \le 16$). We will verify if this labeling process is suitable for LPUFs based on the extension method. This labeling is principally based on the binary representation, where the unique value corresponding to $T_k$ is simply labeled as $k$ ($0 \le k \le K-1$). The reason why we use the binary representation is that this simplicity results in almost no additional increase in the design cost to decide the labeling way. The naive binary representation is, however, not suitable for the labeling of unique values because PUF performances such as uniqueness and uniformity are not close to ideal ($\approx 0.50$). If we use the naive binary representation, the Hamming weight of a unique value for $T_{K-1}$ is not $\lceil \log_2 K \rceil$ except when $\lceil \log_2 K \rceil = \log_2 K$ (i.e., $K = 4, 8, 16$). When $K = 6$, for example, the unique values $L_0$ and $L_{K-1}$ ($= L_5$) for $T_0$ and $T_{K-1}$ ($= T_5$) are ‘0b000’ ($k = 0$) and ‘0b101’ ($k = 5$), respectively. As the number of these two types of RS latches (i.e., fixed latches) is almost the same in all implemented RS latches, the proportion of ‘1’s in the response bits RES (i.e., uniformity) is approximately 0.33 ($\approx 2/6$), which is smaller than ideal 0.5. Hence the unique value for $T_{K-1}$ should be $2^{\lceil \log_2 K \rceil} - 1$ (e.g., ‘0b111’ when $K = 6$). The method of labeling described in Fig. 5.1 satisfies the above-mentioned conditions by simply eliminating the middle range of the binary representation.
Figure. 5.1 Labeling method for unique value $L_k$ corresponding to type $T_k$.
K    Unique values L_0, L_1, ..., L_{K-1} (for T_0, T_1, ..., T_{K-1})
3    00, 01, 11
4    00, 01, 10, 11
5    000, 001, 010, 110, 111
6    000, 001, 010, 101, 110, 111
7    000, 001, 010, 100, 101, 110, 111
8    000, 001, 010, 011, 100, 101, 110, 111
9    0000, 0001, 0010, 0011, 1011, 1100, 1101, 1110, 1111
10   0000, 0001, 0010, 0011, 0100, 1011, 1100, 1101, 1110, 1111
11   0000, 0001, 0010, 0011, 0100, 1010, 1011, 1100, 1101, 1110, 1111
12   0000, 0001, 0010, 0011, 0100, 0101, 1010, 1011, 1100, 1101, 1110, 1111
13   0000, 0001, 0010, 0011, 0100, 0101, 1001, 1010, 1011, 1100, 1101, 1110, 1111
14   0000, 0001, 0010, 0011, 0100, 0101, 0110, 1001, 1010, 1011, 1100, 1101, 1110, 1111
15   0000, 0001, 0010, 0011, 0100, 0101, 0110, 1000, 1001, 1010, 1011, 1100, 1101, 1110, 1111
16   0000, 0001, 0010, 0011, 0100, 0101, 0110, 0111, 1000, 1001, 1010, 1011, 1100, 1101, 1110, 1111
The reason why we regard the labeling process as important is that, if the labeling method is not appropriate, the entropy derived from PUFs becomes lower or the reliability of PUF responses becomes worse, which increases ECC costs. Further, there are various methods of labeling, and the Gray code seems to be an effective labeling method. The Gray code realizes high tolerance to noise, i.e., high reliability of PUF responses. However, the uniqueness becomes lower due to the same reason as the naive binary representation, as mentioned before. This is why we use the labeling method as shown in Fig. 5.1.
We explain the dividing and labeling processes for the specific example of when $K = 6$ in Fig. 5.2, as follows. If LATCH$_0$, LATCH$_1$, LATCH$_2$ and LATCH$_{N-2}$ include 175, 1,024, 686 and 850 ‘1’s in a data stream of 1,024 bits, $X_0$, $X_1$, $X_2$ and $X_{N-2}$ are approximately 0.17, 1, 0.67 and 0.83, respectively. LATCH$_{N-1}$ has no ‘1’s in the data stream, so $X_{N-1}$ is 0. The extension method for $K = 6$ classifies RS latches into six types according to the range of $X_i$: ($T_0$) $X_i = 0$, ($T_1$) $0 < X_i \le 0.25$, ($T_2$) $0.25 < X_i \le 0.50$, ($T_3$) $0.50 < X_i \le 0.75$, ($T_4$) $0.75 < X_i < 1$ and ($T_5$) $X_i = 1$, respectively. According to the labeling method in Fig. 5.1 for $K = 6$, $L_0$, $L_1$, $L_2$, $L_3$, $L_4$ and $L_5$ are ‘0b000’, ‘0b001’, ‘0b010’, ‘0b101’, ‘0b110’ and ‘0b111’, respectively. $R_i$, the unique value for LATCH$_i$ ($0 \le i \le N-1$), is shown in Fig. 5.2. Finally, our LPUF generates a $3N$-bit response.
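The dividing and labeling processes as an added example (not the author's software): it reproduces the $K = 6$ case above, then compares $K = 6$ with $K = 16$ on a constructed re-measurement to show how narrower ranges turn the same drift into response errors. The function names and the drifted counts are assumptions; the labeling rule is implemented for even $K$ only, where it matches Fig. 5.1.

```python
from fractions import Fraction
from math import ceil


def latch_type(ones, total, K):
    """Dividing process: index k of type T_k for a latch with X_i = ones/total."""
    if K < 3:
        raise ValueError("the dividing process is defined for K >= 3")
    if ones == 0:
        return 0                      # T_0: latch always outputs '0'
    if ones == total:
        return K - 1                  # T_{K-1}: latch always outputs '1'
    # Random latch: (k-1)/(K-2) < X_i <= k/(K-2)  <=>  k = ceil(X_i * (K-2)).
    return ceil(Fraction(ones, total) * (K - 2))


def label_width(K):
    return (K - 1).bit_length()       # ceil(log2 K) bits per latch


def fig_label(k, K):
    """Labeling with the middle of the binary range removed (even K only)."""
    if K % 2:
        raise ValueError("odd K: the split point has to be read from Fig. 5.1")
    width = label_width(K)
    value = k if k < K // 2 else (1 << width) - K + k
    return format(value, f"0{width}b")


def naive_label(k, K):
    """Plain binary representation of k, shown for comparison."""
    return format(k, f"0{label_width(K)}b")


def response(counts, total, K, labeler=fig_label):
    """Concatenate the unique values R_i of all latches into the response."""
    return "".join(labeler(latch_type(c, total, K), K) for c in counts)


def hamming(a, b):
    return sum(x != y for x, y in zip(a, b))


def fixed_latch_uniformity(K, labeler):
    """Proportion of '1's when only T_0 and T_{K-1} occur, equally often."""
    bits = labeler(0, K) + labeler(K - 1, K)
    return Fraction(bits.count("1"), len(bits))


# Counts of '1's per 1,024-bit stream for the five latches of the K = 6
# example: LATCH_0, LATCH_1, LATCH_2, LATCH_{N-2}, LATCH_{N-1}.
REFERENCE = [175, 1024, 686, 850, 0]
# Constructed re-measurement after an environmental change (assumed values).
DRIFTED = [225, 1024, 650, 870, 0]

if __name__ == "__main__":
    for K in (6, 16):
        ref = response(REFERENCE, 1024, K)
        new = response(DRIFTED, 1024, K)
        print(f"K={K:2d} ref={ref} drifted={new} "
              f"error bits={hamming(ref, new)}/{len(ref)}")
    for name, labeler in (("naive binary", naive_label), ("Fig. 5.1", fig_label)):
        u = float(fixed_latch_uniformity(6, labeler))
        print(f"K=6, {name}: uniformity of fixed latches = {u:.2f}")
```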
Next we discuss the way of implementing the extension method, consisting of the dividing and labeling processes. The extension method has to be implemented on a co-processor alone if our proposed LPUF is to be implemented as a pure-ASIC design. This dedicated circuit on ASICs, however, causes additional overhead in the circuit area for the PUF implementation. Note that embedded systems consist not only of a co-processor with a PUF circuit, but also a microprocessor, ROM, RAM, etc. We therefore assume that a software approach enables us to realize both processes. Output data from RS latches are stored in the RAM and processed by the microprocessor. This approach does not need additional hardware resources, but needs a slight increase in ROM code size. However, this software approach might lead to a serious security threat such as response eavesdropping on the microprocessor or the RAM. Even the hardware approach, implementing the extension method on the co-processor, might face the same threat, assuming dynamic attacks described in Chap. I. Concrete ways of implementing the extension method and their security evaluation are very important and need to be discussed in detail, and this is included in future work.
Figure. 5.2 Example of the proposed LPUF with the dividing and labeling processes ($K = 6$).
Latch         Output stream   Dividing process: X_i (T_k)   Labeling process: R_i (L_k)
LATCH_0       010000...       X_0 = 0.17 (T1)               R_0 = 001 (L1)
LATCH_1       111111...       X_1 = 1 (T5)                  R_1 = 111 (L5)
LATCH_2       101101...       X_2 = 0.67 (T3)               R_2 = 101 (L3)
...
LATCH_{N-2}   110111...       X_{N-2} = 0.83 (T4)           R_{N-2} = 110 (L4)
LATCH_{N-1}   000000...       X_{N-1} = 0 (T0)              R_{N-1} = 000 (L0)
5.3 Performance Evaluation on ASICs
In this section, we set up our experimental system, and implement LPUFs with multiple RS latches into ASIC chips. Then, we discuss the appropriate value of $K$ through experimental results using the ASIC chips. We also evaluate the security requirements of PUFs such as the variety and reliability of responses by actually generating responses according to the extension method.
5.3.1 Experimental Environment
We set up the experimental evaluation system, as shown in Fig. 5.3. This system consists of two boards: a custom-made expansion board with six sockets for fabricated chips, and a Spartan-3E starter kit board [26] with a Xilinx Spartan-3E FPGA (XC3S500E-4FG320C). The expansion board can evaluate six fabricated chips at the same measurement time. A Complex Programmable Logic Device (CPLD) was implemented on the expansion board, allowing us to select one target chip out of the six chips. The core voltage of the chips can be changed by 0.01 V using an external stabilized power supply. The starter kit board possesses peripheral circuits for data acquisition processes such as a Digital Clock Manager (DCM), a block RAM, an RS232C module and an SD write module. A 50-MHz clock signal generated by an oscillator on the Spartan-3E board was applied to the DCM primitive yielding a 2.5-MHz clock signal that was applied to the ASIC chips. The two boards were connected with user Input/Output (I/O) interfaces by a connector cable. The clock signal was provided separately through an SMA cable and port from the Spartan-3E board to the expansion board in order to prevent signal degradation. A micro SD adapter and card were also connected to the Spartan-3E board to store output data from the chips.
The data acquisition process is as follows. When the RS232C module receives a start command
from a user PC, the module sends a start signal to the control (CTRL) module. The CTRL module
sends a signal $SEL_{skt}$ to a 6-1 multiplexer (MUX) in order to select one socket. It also sends a
signal $SEL_{lat}$ to a 256-1 MUX in the chips to select a target RS latch. First, $SEL_{skt}$ and
$SEL_{lat}$ are set to one and zero, respectively. This means that LATCH0 in the chip on socket 1 is
selected for measurement. The CTRL module measures twenty-one 1,024-bit (= 21,504-bit) output
streams from LATCH0 in our evaluation. $SEL_{lat}$ is incremented by 1 from 0 to 255 in order to
obtain output streams from all 256 RS latches. After obtaining all data from the chip, $SEL_{skt}$ is
incremented by 1 from 2 to 6. During this process we evaluate 73 LPUFs implemented on 73 ASIC chips.
The output stream data is stored in the block RAM through an FF, sent to the SD write module,
and written into the micro SD card. The PC can obtain the data via the micro SD card. In our
evaluation, software on the PC performs the dividing and labeling processes rather than this being
done on the chips. We consider that the technique for the processes does not influence PUF
performance because this performance depends just on the output of the RS latches themselves.
[Figure 5.3: block diagram of the evaluation system: a user PC (START command, software for
dividing and labeling), the Spartan-3E starter kit board (RS232C module, CTRL module, DCM, 50 MHz
oscillator, block RAM, SD write module, micro SD adapter/card), the custom-made expansion board
(CPLD, sockets 1 to 6, 2.5 MHz clock), a fabricated chip (LATCH0 to LATCH255, FF, output stream
data), and a stabilized power supply providing the core voltage.]
Figure. 5.3 Experimental evaluation system.
5.3.2 ASIC Implementation
We fabricated LPUFs on 73 ASIC chips using the Fujitsu 0.18-μm CMOS process (CS86 technology
[37]) in order to evaluate LPUFs with the proposed extension method. An RS latch was
custom-designed as a hard-macro in the process of designing an IC mask layout. The purpose of
this design is to equalize wire lengths between the cross-coupled NAND gates shown in Fig. 2.8.
This enables the RS latch to enter a metastable state more readily and improves the probability of
the RS latch outputting random numbers. We implemented an LPUF with 256 RS latches on a
chip by an automatic placement of the 256 instances of the hard-macro. RS latches in our chips
do not include FFs in front of the two NAND gates [22] [78] in order to reduce circuit area size.
The 73 chips were embedded in DIP-28 non-sealed packages. Note that in fact we fabricated 80
ASIC chips, of which 73 chips work correctly. The other seven chips have problems concerning
the bonding wires, which are disconnected or short-circuited as a result of the non-sealed
packages for other studies (e.g., side channel analysis). The rated supply voltage range of the
chips is 1.80 ± 0.15 V.
5.3.3 Evaluation of Extension Method
This section evaluates the appropriate value of K according to two metrics: the response error rate
(related to reliability) and the variety of responses.
Figure 5.4 shows the response error rate for each K at each operating condition c, as shown in the
upper part of Fig. 5.4. The response error rate is defined as follows with the notation summarized
in Table 5.1. We extract a reference response ($RES^{K}_{i}$) from the i-th ASIC chip
($1 \le i \le w$, $w = 73$ in this chapter) in normal operating conditions (room temperature of 27°C
and a standard supply voltage of 1.80 V) when setting K ($3 \le K \le 16$). Similarly, the response
($RES'^{K,c}_{i}$) is extracted at an operating condition c. Then, m samples (m = 20 in this chapter)
of $RES'^{K,c}_{i}$ are collected. Here, $RES'^{K,c}_{i,t}$ is the t-th ($1 \le t \le m$) sample of
$RES'^{K,c}_{i}$. The average of error bits for the parameter K and the operating condition c
($AEB_{K,c}$) is defined as follows:
$$AEB_{K,c} = \frac{1}{w \cdot m} \sum_{i=1}^{w} \sum_{t=1}^{m} HD^{K,c}_{i,t}, \tag{5.1}$$
where $HD^{K,c}_{i,t} = HD\{RES^{K}_{i}, RES'^{K,c}_{i,t}\}$, and $HD\{x, y\}$ is the Hamming distance
between variables x and y. Our next interest is the response error rate ($RER_{K,c}$), which is
defined as follows:
$$RER_{K,c} = AEB_{K,c} / RES^{K}_{bit}, \tag{5.2}$$
where $RES^{K}_{bit}$ is the number of response bits obtained from 256 RS latches for K, this being
calculated from $\lceil \log_2 K \rceil \times 256$.
Table 5.1 Notation summary for this chapter.
Notation               Definition
RES                    A response generated from an LPUF
i                      Chip number ($1 \le i \le 73$)
K                      Number of output patterns from RS latches (determined in the extension method)
$RES^{K}_{i}$          A response from i-th chip for K
c                      Operating condition
$RES'^{K,c}_{i}$       $RES^{K}_{i}$ generated under c
t                      Number of measurement ($1 \le t \le m$, m = 20 in this work)
$RES'^{K,c}_{i,t}$     t-th measurement of $RES'^{K,c}_{i}$
AEB                    Average of error bits defined in Eq. (5.1)
$AEB_{K,c}$            AEB for K under c
$RES^{K}_{bit}$        Number of bits in RES for K ($= \lceil \log_2 K \rceil \times 256$)
$RER_{K,c}$            Response error rate ($= AEB_{K,c} / RES^{K}_{bit}$)
Basically, from Fig. 5.4, a larger value of K gives a slightly larger response error rate (i.e., a
lower reliability). An unexpected positive result is that the response error rate does not increase
dramatically as the value of K increases. This is because the parameter K only has an impact
on random latches ($T_1 \sim T_{K-2}$) and not on fixed latches ($T_0$ and $T_{K-1}$). The average
number of random latches is just 36 of the total implemented 256 latches in our fabricated chips.
It is desirable that $RER_{K,c}$ be less than the 0.15 assumed in [11] for a reasonable size of
redundant data in ECC. $RER_{K,c}$ is less than 0.15 for all values of K from 3 to 16 according to
Fig. 5.4, which is the reason why the value of 16 is appropriate for K in our LPUF in terms of the
reliability of responses. However, some LPUFs implemented on different types of CMOS process might
include many random latches. In that case, excessively large values of K should not be used since
$RER_{K,c}$ is anticipated to increase, which leads to large costs for ECC.
[Figure 5.4: plot of response error rate (vertical axis, 0 to 0.10) against K (horizontal axis,
3 to 16), one curve per operating condition: -20°C, +27°C and +60°C, each at 1.95 V, 1.80 V and
1.65 V.]
Figure. 5.4 Response error rate $RER_{K,c}$ for K and c. The decrease between K = 4 and 5 is
due to the value of $RES^{K}_{bit}$ increasing from 512 to 768. The decrease between K = 8 and 9 is
for the same reason.
Figure 5.5 shows the entropy of responses with respect to K = 3, ..., 16, which contains three
graphs: (1) the ideal upper bound on Shannon entropy of responses, (2) the experimental Shannon
entropy and (3) the entropy based on the mutual information of responses. These graphs are
experimentally calculated based on responses derived from the 73 fabricated LPUFs.
[Figure 5.5: plot of response entropy in bits (vertical axis, up to 520) against K (horizontal
axis, 3 to 16) with three curves: (1) Upper Bound, (2) Experiment (Shannon), (3) Experiment
(Mutual Info.).]
Figure. 5.5 Estimations of entropy of responses: (1) the ideal upper bound on Shannon entropy
of responses, (2) the experimental Shannon entropy, (3) the entropy based on the mutual
information of responses.
First, we explain how the graphs (1) and (2) are constructed. Let the ratios of the RS latches
numbered as $LATCH_i$ and classified as types ($T_0 \sim T_{K-1}$) be $P_i(T_0), \ldots, P_i(T_{K-1})$,
respectively. Assuming that each RS latch is independent, the Shannon entropy derived from LATCH0
to LATCH255 is given as
$$\sum_{i=0}^{n-1} E_i, \tag{5.3}$$
where n = 256 and $E_i$, the Shannon entropy derived from $LATCH_i$, is defined as
$$E_i = -\sum_{j=0}^{K-1} P_i(T_j) \log_2 P_i(T_j).$$
The graphs (1) and (2) are given by Eq. (5.3). The graph (1) assumes that the number and
ratio of random latches are 36 and 0.14 ($\approx 36/256$) strictly on every chip, respectively. This
value of 36 comes from the average number of random latches in our LPUFs on ASIC chips.
This ideal upper bound is also based on the following two requirements: (a) the numbers of
random latches belonging to all types ($T_1 \sim T_{K-2}$) are equally $36/(K-2)$, so
$P_i(T_1) = \ldots = P_i(T_{K-2}) = \{36/(K-2)\}/256$, (b) the numbers of fixed latches belonging to
$T_0$ and $T_{K-1}$ are equally $(256 - 36)/2 = 110$, so $P_i(T_0) = P_i(T_{K-1}) = 110/256$.
Next, we explain the graph (3) as follows. The graph (2) assumes that the responses are
completely reliable; they are identical in both the enrollment and reconstruction phases. Actually,
however, the responses have some error bits (i.e., noise) due to environmental fluctuations,
therefore some bits have to be sacrificed as redundancy bits for error correction. In order to
estimate the entropy bits that actually survive the noise, we calculate I(X; Y): the mutual
information between responses obtained in enrollment (27°C/1.80 V, normal condition), X, and in
reconstruction (-20°C/1.65 V, worst condition, described later in Fig. 5.6), Y. This estimation is
based on the method introduced in [25], the core idea of which is presented in [46].
From Fig. 5.5, the difference between the experimental results and the upper bound increases
with K. This means that a larger value of K cannot necessarily result in a much larger variety of
responses. For example, the experimental Shannon entropy and the entropy based on the mutual
information increase by approximately 62 and 45 bits from K = 3 to 8, whereas they increase by only
16 and 20 bits from K = 8 to 16, respectively. This is because the aforementioned requirement
(a) is not satisfied, that is, there are a lot of random latches outputting random numbers whose
proportion of ‘1’s is very low or high, such as $T_1$ or $T_{K-2}$. Our LPUFs can generate responses
with maximum variety by setting K = 16 since the response error remains relatively small even
with a larger value of K.
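The following added example (not code from the thesis) evaluates Eq. (5.3) for graph (1) and for a constructed population of latches whose random members cluster near proportions 0 and 1, which shows why the gap to the upper bound widens with K. It assumes equal-width dividing intervals (consistent with the K = 6 example of Fig. 5.2) and identical type ratios at every latch position; the `SKEWED` proportions are constructed sample data, and all function names are hypothetical.

```python
"""Response entropy versus K per Eq. (5.3) (added example, not the thesis code)."""
from collections import Counter
from math import log2

N_LATCHES = 256  # RS latches per chip (from the page)
N_RANDOM = 36    # average number of random latches per chip (from the page)


def divide(x, k):
    """Dividing process: map a proportion of '1's to a type index 0..k-1.

    Assumption: T_1..T_{K-2} split the open interval (0, 1) into equal-width
    bins, which reproduces the K = 6 example of Fig. 5.2.
    """
    if x <= 0.0:
        return 0          # fixed latch, all '0's
    if x >= 1.0:
        return k - 1      # fixed latch, all '1's
    return 1 + min(int(x * (k - 2)), k - 3)


def shannon(probs):
    """Shannon entropy in bits of one latch, i.e. E_i."""
    return -sum(p * log2(p) for p in probs if p > 0)


def upper_bound(k):
    """Graph (1): Eq. (5.3) under requirements (a) and (b)."""
    fixed = (N_LATCHES - N_RANDOM) / 2 / N_LATCHES  # 110/256 for T_0 and T_{K-1}
    rand = N_RANDOM / (k - 2) / N_LATCHES           # {36/(K-2)}/256 per random type
    return N_LATCHES * shannon([fixed] + [rand] * (k - 2) + [fixed])


def estimated_entropy(proportions, k):
    """Eq. (5.3) with type ratios taken from observed proportions of '1's.

    Assumption: every latch position has the same type ratios, so the sum
    over i collapses to N_LATCHES * E.
    """
    counts = Counter(divide(x, k) for x in proportions)
    return N_LATCHES * shannon([c / len(proportions) for c in counts.values()])


# Constructed population: 110 fixed-0, 110 fixed-1 and 36 random latches whose
# proportions of '1's cluster near 0 and 1, so requirement (a) is violated.
SKEWED = ([0.0] * 110 + [1.0] * 110
          + [0.02] * 7 + [0.05] * 4 + [0.10] * 3 + [0.30] * 2
          + [0.45] * 2 + [0.55] * 2
          + [0.70] * 2 + [0.90] * 3 + [0.95] * 4 + [0.98] * 7)


def gap_table(proportions=SKEWED, ks=range(3, 17)):
    """Rows of (K, upper bound, estimate, gap), all entropies in bits."""
    rows = []
    for k in ks:
        bound = upper_bound(k)
        estimate = estimated_entropy(proportions, k)
        rows.append((k, bound, estimate, bound - estimate))
    return rows


if __name__ == "__main__":
    for k, bound, estimate, gap in gap_table():
        print(f"K={k:2d}  bound={bound:6.1f}  estimate={estimate:6.1f}  gap={gap:5.1f}")
```

For this constructed population the estimate gains far more between K = 3 and 8 than between K = 8 and 16, the same shape as the experimental curves described above.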
The entropy of responses based on the mutual information is estimated to be 220 bits when
LPUFs using 256 RS latches generate responses eliminating 36 random latches. The LPUFs based
on the basic method, i.e., the extension method for K = 3, generate responses with approximately
314 bits of entropy, which is about 1.42 times as large as 220 bits. Further, the LPUFs using the
extension method for K = 16 generate responses with approximately 379 bits of entropy, which
is about 1.72 times as large as 220 bits and about 1.21 times as large as 314 bits. Our extension
method therefore dramatically increases the Shannon entropy of responses, i.e., the variety of
responses. Note that appropriate values of K depend on the methods of implementing RS latches
and the process technologies of ASIC chips. Hence the values of K should be carefully decided
in consideration of the tradeoff between reliability and variety of responses.
5.3.4 Evaluation of PUF Requirements
This section evaluates our LPUFs in terms of the security requirements explained in Sect. 2.3, i.e.,
reliability, uniqueness, uniformity and bit-aliasing at K = 3, 8, and 16. The LPUF based on the
extension method gives the results for reliability and the other three metrics shown in Figs. 5.6
and 5.7, respectively. Our LPUF with 256 RS latches generates a $\lceil \log_2 K \rceil \times 256$-bit
response.
The reliability of responses is evaluated under the condition that the supply voltage and
environmental temperature are changed within the rated voltage range of the ASIC chips (1.65 V,
1.80 V, 1.95 V) and the allowed temperature range of the thermostatic chamber (-20°C, 27°C, 60°C).
Different from Fig. 5.4, this reliability evaluation focuses not on the average but on the histogram
of response error rates when K = 3, 8, and 16. In this evaluation, one response (i.e., $RES^{K}_{i}$)
is generated as a reference at normal operating conditions (27°C and 1.80 V), and the remaining 20
responses (i.e., $RES'^{K,c}_{i,t}$) are generated for analysis at each condition c at K = 3, 8, and
16 from the i-th ASIC chip. Figure 5.6 shows histograms of normalized Hamming distances (NHD)
between the reference response and each repeated one (i.e., 20 × 73 (chips) = 1,460 elements). For
chip i and sample t, each data element of the reliability histogram is calculated as follows:
$$NHD^{K,c}_{i,t} = \frac{HD\{RES^{K}_{i}, RES'^{K,c}_{i,t}\}}{\lceil \log_2 K \rceil \times 256}.$$
Our LPUFs are the most susceptible to conditions under the low temperature of -20°C and the
low supply voltage of 1.65 V. Even under this condition and K = 16, the average and maximum
of NHD (i.e., error rate) are approximately 0.064 and 0.096, respectively. These error rates are
much less than the 0.15 assumed in [11] for reliable responses based on a fuzzy extractor [19]
with a reasonable size of redundant data. Hence our result shows that the LPUFs implemented on
ASIC chips with our extension method yield highly reliable responses even under environmental
fluctuations.
[Figure 5.6: histograms of normalized Hamming distance (horizontal axis, 0 to 0.15) against ratio
(vertical axis, 0 to 0.20) for the nine operating conditions (-20°C, +27°C and +60°C, each at
1.95 V, 1.80 V and 1.65 V), in three panels: (I) Reliability at K = 3, (II) Reliability at K = 8,
(III) Reliability at K = 16.]
Figure. 5.6 Reliability at various conditions.
The uniqueness evaluation generates a total of 73 responses using all 73 ASIC chips (one
response per chip). Figures 5.7 (I-a), (I-b) and (I-c) show histograms of NHD between every
combination of two responses, i.e., $_{73}C_2 = 2{,}628$ combinations at K = 3, 8, 16, respectively.
The NHDs between the responses of two arbitrary LPUFs at K = 3, 8 and 16 are approximately 0.489,
0.497 and 0.497, respectively. The ideal NHD at K = 8, 16 is 0.5, so our LPUF gives responses with a
high level of uniqueness. In contrast, the ideal NHD at K = 3 is around 0.444 because ‘10’ is not
used for a unique value (see Fig. 5.1). This is why the NHD at K = 3 is a little smaller than the
others. The NHD is, however, a little larger than the ideal 0.444 because the average number of
random latches is only 36 in our LPUFs, which is smaller than 85 ($\approx$ 256/3). Consequently, most
of the 2-bit unique values are ‘00’ or ‘11’, so the NHD approaches 0.5.
The uniformity evaluation also generates 73 responses using all 73 ASIC chips, i.e., 73 data
elements. Figures 5.7 (II-a), (II-b) and (II-c) show the uniformity: how uniform the proportion of
‘0’s and ‘1’s is in the response bits of an LPUF at K = 3, 8, and 16, respectively. For our LPUFs
on ASIC chips, the averages of uniformity at K = 3, 8 and 16 are approximately 0.486, 0.485
and 0.484, respectively. Since the ideal uniformity is 0.5 for truly random PUF responses [43],
our LPUFs almost satisfy the requirement for uniformity. However, we can see two isolated data
elements around 0.34 and 0.67 in the three uniformity figures. This is because two particular chips
have more fixed latches of one type ($T_0$ or $T_{K-1}$) than of the other type ($T_{K-1}$ or $T_0$).
[Figure 5.7: nine histograms (horizontal axis 0 to 1.0, vertical axis ratio): (I-a), (I-b), (I-c)
Uniqueness at K = 3, 8, 16; (II-a), (II-b), (II-c) Uniformity at K = 3, 8, 16; (III-a), (III-b),
(III-c) Bit-aliasing at K = 3, 8, 16.]
Figure. 5.7 PUF performances under normal conditions (27°C/1.80 V).
The bit-aliasing evaluation measures the difference in the proportion of ‘0’s and ‘1’s in the 73
$R_i$’s extracted respectively from the 73 LPUFs corresponding to $LATCH_i$ ($0 \le i \le 255$), i.e.,
256 data elements. Figures 5.7 (III-a), (III-b) and (III-c) show histograms of the proportion of
‘1’s at K = 3, 8, and 16, respectively. The averages of bit-aliasing at K = 3, 8 and 16 are
approximately 0.486, 0.485 and 0.484, respectively. The ideal bit-aliasing is also 0.5 because, if
the bit-aliasing is close to 0 or 1, it means that different ASIC chips may generate nearly
identical PUF responses [43]. Hence our LPUFs satisfy the requirement for bit-aliasing.
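The three metrics above can be reproduced for K = 3 with the added example below (not code from the thesis), which also derives the ideal uniqueness of 0.444 and the shift toward 0.5 when only 36 of 256 latches are random. The label assignment T0 to ‘00’, T1 to ‘01’, T2 to ‘11’ is an assumption drawn from the statement that ‘10’ is unused; the chips are constructed with a seeded random generator, and all function names are hypothetical.

```python
"""Uniqueness, uniformity and bit-aliasing for K = 3 responses (added example)."""
import random
from itertools import combinations

# Assumed K = 3 labeling: T0 -> '00', T1 (random latch) -> '01', T2 -> '11'.
# The page states only that '10' is unused; Fig. 5.1 is not reproduced here.
LABELS = {0: (0, 0), 1: (0, 1), 2: (1, 1)}
BITS_PER_LATCH = 2


def expected_uniqueness(type_probs):
    """Expected NHD between two independent chips, given P(T0), P(T1), P(T2)."""
    total = 0.0
    for a, pa in enumerate(type_probs):
        for b, pb in enumerate(type_probs):
            hd = sum(x != y for x, y in zip(LABELS[a], LABELS[b]))
            total += pa * pb * hd
    return total / BITS_PER_LATCH


def make_chip(rng, n_latches=256, n_random=36):
    """Constructed chip: latch types only, fixed latches equally likely T0 or T2."""
    random_positions = set(rng.sample(range(n_latches), n_random))
    return [1 if i in random_positions else rng.choice((0, 2))
            for i in range(n_latches)]


def response(types):
    """Labeling process: concatenate the 2-bit unique value of every latch."""
    return [bit for t in types for bit in LABELS[t]]


def nhd(a, b):
    """Normalized Hamming distance between two equal-length responses."""
    return sum(x != y for x, y in zip(a, b)) / len(a)


def uniqueness(responses):
    """Mean NHD over every pair of chips (2,628 pairs for 73 chips)."""
    pairs = list(combinations(responses, 2))
    return sum(nhd(a, b) for a, b in pairs) / len(pairs)


def uniformity(resp):
    """Proportion of '1's within one chip's response."""
    return sum(resp) / len(resp)


def bit_aliasing(responses):
    """Proportion of '1's in R_i across chips, one value per latch position."""
    n_chips = len(responses)
    n_latches = len(responses[0]) // BITS_PER_LATCH
    values = []
    for i in range(n_latches):
        lo = i * BITS_PER_LATCH
        ones = sum(sum(r[lo:lo + BITS_PER_LATCH]) for r in responses)
        values.append(ones / (n_chips * BITS_PER_LATCH))
    return values


def simulate(n_chips=73, seed=2015):
    """Metrics for a constructed population of chips (seeded, reproducible)."""
    rng = random.Random(seed)
    responses = [response(make_chip(rng)) for _ in range(n_chips)]
    return {
        "uniqueness": uniqueness(responses),
        "uniformity": [uniformity(r) for r in responses],
        "bit_aliasing": bit_aliasing(responses),
    }


if __name__ == "__main__":
    print("ideal, equal type ratios :", round(expected_uniqueness([1 / 3] * 3), 3))
    print("36 random of 256 latches :",
          round(expected_uniqueness([110 / 256, 36 / 256, 110 / 256]), 3))
    print("simulated uniqueness     :", round(simulate()["uniqueness"], 3))
```

With equal type ratios the expected NHD is 4/9; with the ratios 110/256, 36/256 and 110/256 it is about 0.490.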
If a user wants to generate a secret key from PUF responses, he needs to implement a fuzzy
extractor [19], the functionality of which consists of ECCs for error correction of PUF responses,
and hash functions for entropy compression of PUF responses. In [19], Bösch et al. implemented
fuzzy extractors on FPGAs, which include the repetition code, Golay or Reed-Muller code as
ECCs, and include a Toeplitz-based Hash [32] as a hash function. In [41], Maes et al. proposed
a compact implementation of a fuzzy extractor on an FPGA, which is equipped with BCH code
and SPONGENT-128 [9], as an ECC and a hash function, respectively.
If the uniqueness, uniformity and bit-aliasing of the responses are not close to 0.5 (i.e., close to
0 or 1), this indicates that the responses are biased, so the variety of responses is small, i.e., the
entropy of responses is low. This bias may become a clue for an attacker to predict the responses
and even the output of the fuzzy extractor (i.e., a secret key) through the theoretical attack, as
mentioned in Chap. 1. This is why we evaluate these metrics of PUF responses in addition to the
variety of responses.
Cost
Table 5.2 indicates the processing time and the gate count of an LPUF fabricated on a chip.
The processing time is estimated at around 105 ms, this being the total time taken to extract
a 1,024-bit output stream from each RS latch. One way of improving the processing time is
to reduce the bitstream length, which was 1,024 bits in our experiment. However, too short a
length may result in misdividing, an inaccuracy of $X_i$ corresponding to $LATCH_i$. For example,
RS latches outputting a large number of ‘0’s and very few ‘1’s (i.e., $T_1$) might be detected not
as random latches, but as fixed latches (i.e., $T_0$). This misdividing leads to a decrease in
reliability of responses, so our LPUFs make a tradeoff between reliability and processing time.
The gate count is obtained by synthesizing the LPUF on the Fujitsu 0.18-μm CMOS process
[37] with the Design Compiler 2003.03. Note that one gate is equivalent to a 2-input/1-output
(2-to-1) 1-bit NAND gate. The total gate count of the LPUF, as described in Fig. 5.3, is about
1.2 Kgates. This cost is necessary for extracting a constant 379 bits of entropy. We consider,
therefore, that our LPUF is sufficiently small to be implemented in embedded systems. Note
that our extension method requires additional costs for multiple enrollment and reconstruction
measurements. Here, we do not consider these costs since the concrete way of implementing the
extension method must be chosen carefully, as mentioned before.
Table 5.2 Processing time and gate count of our LPUF.
Processing time       105 ms (1,024 cycles @ 2.5 MHz)
Total gate count      1164.3 gates
  256 RS latches      512.0 gates
  256-to-1 MUX        647.3 gates
  1-bit FF            5.0 gates
5.4 Conclusion
In this chapter, we proposed a method of enhancing the variety and maintaining the reliability of
responses from LPUFs. We focused on the information of the proportion of ‘1’s in the output
stream from each random latch. The dividing process classifies implemented RS latches into K
types according to the proportion of ‘1’s in the output stream. The labeling process defines the
unique values generated by K-type RS latches. According to our experiment with 73 fabricated
ASIC chips, LPUFs with 256 RS latches can generate responses with 379-bit entropy based on
the proposed method for K = 16, considering their errors caused by environmental fluctuations.
This is about 1.72 times as large as the 220-bit entropy achieved by a conventional method of
eliminating random latches, and is approximately 1.21 times as large as 314-bit entropy achieved
by our basic method described in Chap. 3, corresponding to the proposed method for K = 3.
Even in the worst case condition (-20°C/1.65 V), the error rate of responses is 0.096. This means
that our LPUFs have high robustness (reliability) against both temperature and voltage variation.
Our LPUFs also satisfy the security requirements of PUFs such as uniqueness, uniformity and
bit-aliasing.
The studies described in Part IV contribute to the construction of secure PUF-based chip
authentication in Approach (B), as shown in Fig. 2.3. This is because our proposed method of
enhancing the variety of responses makes it difficult for attackers to predict a secret key, i.e.,
skPUF through the theoretical attack. Consequently, the attacker cannot predict the output of a
cryptographic function, i.e., R0 for an unknown challenge.
Future work should include a discussion of the concrete ways of implementing the proposed
method and their security evaluation. Of course, it is reasonable that the proposed method is real-
ized by a CPU-based approach in terms of its implementation cost, as mentioned before. However,
suppose that some IoT devices, e.g., sensors, are required to have limited resources (e.g., not in-
cluding a CPU) due to cost reduction. In this situation, we need to implement the proposed method
as a compact pure-ASIC design with low power consumption, rather than a CPU-based approach.
Therefore, not only CPU-based but also pure-ASIC approaches to implement the proposed method
should be discussed in future work.
Part V
New Application of PUF-based
Techniques

Chapter 6
Hardware Obfuscation using
PUF-based Techniques
Publication Data
Dai Yamamoto, Masahiko Takenaka, Kazuo Sakiyama, and Naoya Torii, A Technique using PUFs
for Protecting Circuit Layout Designs against Reverse Engineering, In International Workshop on
Security (IWSEC 2014), volume 8639 of Lecture Notes in Computer Science (LNCS), pages 158–
173, Springer, 2014.
6.1 Motivation
Circuits on an IC chip are roughly classified into two types: circuits for chip authentication and
circuits for other general purposes, as shown in Fig. 6.1.
[Figure 6.1: an integrated circuit (IC) chip divided into a circuit for authentication (PUF-based
chip authentication circuit, Approach (A) and Approach (B)), for which reverse engineering is
marked impossible, and circuits for general purposes (audio-video-processing, communication, I/O
interface, arithmetic computing and cryptographic circuits), for which reverse engineering is
marked possible.]
Figure. 6.1 Structure of an IC chip, which consists of circuit for authentication and circuit for
other general purposes.
In the preceding chapters, we focused on the circuit for chip authentication, namely, PUF-based
chip authentication. A PUF circuit cannot be counterfeited by reverse engineering since it
is impossible for an attacker to reveal PUF responses even when obtaining mask pattern images of
PUFs. Furthermore, we consider that the attacker extracts the gate-level netlist of the PUF from
its mask pattern, and implements the PUF on her own IC chip. Even in this case, the responses
of her PUF are completely different from those of the original PUF due to the different physical
characteristics between her and original PUFs. Therefore, we can easily distinguish original PUFs
from counterfeit ones according to PUF-based chip authentication protocols, as shown in Figs. 2.2
and 2.3. PUFs are assumed to be effective authentication devices for anti-counterfeiting ICs.
On the other hand, the main features of ICs are provided by circuits for general purposes such as
audio-video-processing circuits, communication circuits, I/O interface circuits, arithmetic
computing circuits and even cryptographic circuits for message encryption. These general circuits
are based on a lot of trade secrets (i.e., IP) of their manufacturers. For example, the trade
secrets consist of the circuit design itself, various setting parameters and original algorithms,
etc. These general circuits are directly implemented on IC chips, and hence are basically easily
accessible for an attacker through microscopy-based reverse engineering techniques. The revealed
trade secrets enable an attacker to improve her own IC designs or to sell the secrets illegally.
In addition to such reverse engineering, social engineering is also one of the most serious
approaches to reveal circuit design. In the past, most semiconductor companies were integrated
device manufacturers, which both designed circuits and manufactured IC chips by themselves.
For this reason, there was a low risk of IP leakage. Recently, however, the semiconductor industry
has become specialized into design and manufacturing. A fabless company only designs circuit
diagrams, and asks a foundry company to manufacture IC chips. Under this specialization, the
fabless company needs to provide foundry companies with its own IP: design information for the
circuit. A serious problem for the fabless company is that the IP is likely to be intentionally
or accidentally leaked from the foundries to third parties. This is because the foundries are not
necessarily trusted companies for the fabless company in terms of protection of confidential
information. Furthermore, business competition between companies has recently become fierce. This
reduces the number of foundries which possess the most up-to-date manufacturing facilities and CMOS
processing technology. The few surviving foundries are frequently asked to manufacture IC
chips, receiving many kinds of IP from fabless companies around the world. In this situation, we
cannot deny the possibility that the IP is leaked or illegally used for other purposes through the
fabless companies.
The concept of split fabrication is a popular solution for this social engineering [28] [72] [73].
Under the split fabrication, a fabless company separates a circuit diagram into two parts: logic
gates themselves, and wires between the gates. Each part is manufactured in a different foundry:
untrusted foundries or trusted foundries for a fabless company. The part of logic gates is
manufactured by an external untrusted foundry because the gate manufacturing needs relatively new
CMOS processing technology. In contrast, a trusted foundry manufactures the part of wires by
using relatively common technology. The external foundry is provided with the design information
only about logic gates. This split fabrication, therefore, prevents the external foundry from
identifying the functionality of the whole circuit.
Our contribution in this chapter is as follows. We first introduce the concept of a new
application of PUF-based techniques: an IP protection technique against both reverse engineering
and social engineering. We consider that PUFs should be used not only for authentication
circuits but also for protecting circuit design. No discussion on the use of PUFs for protecting
general circuits has been reported yet, as far as we know.
First, to prevent reverse engineering, we propose a method of designing circuit structure
by using memory-based PUFs. Each memory cell of a PUF can be regarded as a secure memory
storing a 1-bit response, the value of which cannot be distinguished from its mask pattern image.
Therefore, the memory cells of memory-based PUFs can be used to conceal the functionality
of a logic gate. Concretely, various logic gates (e.g., NAND, XOR) are designed based on the
combinations of the memory cells. These logic gates are identical, and hence cannot be
reverse-engineered using microscopes. An attacker cannot identify the functionality of the whole
circuit using these logic gates. In that sense, our proposed method is a technique for hardware
protection or hardware obfuscation.
Hot Carrier Injection-Sense Amplifier (HCI-SA) PUF is one of the most promising candidates
to realize this proposed method. An HCI-SA cell outputs a 1-bit response like other memory cells,
and has the following advantages:
Error-free Response: Reliability of responses is 100%.
Controllable Response: The value of response (0 or 1) is fully controllable by manufacturers.
Note that the second advantage is based on our original idea. We define “Physically Unclonable
Circuit (PUC)” as a PUF-like component (but not a PUF), responses of which are controlled by
their manufacturers, unlike PUFs. In contrast, responses of PUCs cannot be identified by their
layout information, similar to PUFs.
Next, to prevent social engineering, we combine PUCs with the split fabrication. A fabless
company provides some foundries with all information for circuit designs except the responses
of PUCs. IC chips with a lot of PUCs are manufactured in the foundries, while responses of
PUCs are not determined yet. Then, trusted foundries or the fabless company itself determine the
responses of PUCs by using small-scale equipment for writing. For this reason, these foundries
cannot identify the functionality of the whole circuit.
The structure of this chapter is as follows. In Sect. 6.2, we provide an outline of sense-amplifier-
based PUFs. In Sect. 6.3, we propose hardware obfuscation methods of protecting circuit design
using PUCs. We apply the proposed methods to the S-box circuit of a block cipher as a case study
in Sect. 6.4. We discuss promising applications of PUCs and related work in Sect. 6.5. Finally,
we conclude this chapter in Sect. 6.6.
6.2 Sense-amplifier-based PUFs
6.2.1 Sense Amplifier PUF
Sense Amplifier (SA) is a circuit that amplifies the voltage difference between two signals [6].
The SA is mainly used to sense and refresh one bit of data stored in a memory cell. Figure 6.2
shows the circuit structure of an SA cell, which is regarded as the circuit comparing two signals:
(IN1, IN2). When the voltage level of IN1 is higher than that of IN2, the output signals (OUT1,
OUT2) are (1, 0), and vice versa. Each SA cell has the unique value of the offset voltage: positive
or negative polarity (i.e., bias). This uniqueness is provided by process variation in the SA cell
occurring in the manufacturing process of each IC chip.
The SA PUF, composed of SA cells, utilizes the difference of each biased offset voltage. When
the voltage level of IN1 is very close to that of IN2, the output signal OUT1 (i.e., response) is
strongly affected by the biased offset voltage. Consequently, the responses can be extracted from
this unique bias. The SA PUF is similar to latch-based PUF in that each SA cell outputs 1-bit
response like an RS latch. SA cells with a large bias can generate highly reliable responses. Some
SA cells have, however, an extremely small bias, which leads to the low reliability of responses.
This is a serious problem for SA PUFs as with other PUFs.
6.2.2 Hot-Carrier-Injection SA PUF
The HCI-SA PUF was proposed to solve this problem of low reliability [6]. The bias of the offset
voltage in the SA cell can be increased by increasing the difference between the threshold
voltages ($V_{TH}$) of devices N1 and N2. As a result, this increased bias realizes completely
reliable responses. In order to increase the difference in $V_{TH}$, the $V_{TH}$ values are
forcibly shifted by HCI aging stress. The response OUT1 becomes 1 absolutely when $V_{TH}$ of N1
is much larger (approximately > 40 mV) than that of N2 [6]. This increase in $V_{TH}$ is achieved
with a one-time HCI stress duration of 125 seconds [6]. The HCI stress applies relatively
low-voltage pulses of 3 V to an SA PUF through a peripheral circuit. Therefore, the HCI stress
needs only a voltage-applying apparatus, which can be used in a small-scale facility. The
construction of HCI-SA PUFs is composed of the following two steps.
Step 1: Measuring and memorizing the offset polarity
Step 2: Increasing the difference of $V_{TH}$ by the HCI stress
In Step 1, the value of the response (OUT1) of an SA cell is measured and stored in a 1-bit
external memory cell. This step enables us to check which polarity of the offset voltage (i.e.,
positive or negative) the SA cell has. In Step 2, using HCI stress, the offset after HCI stress
takes the same sign as the offset before HCI stress and a higher magnitude. This HCI stress
realizes completely reliable responses of HCI-SA PUFs.
Figure 6.2: Sense amplifier circuit (StrongARM) [6]. (Inputs IN1 and IN2, outputs OUT1 and OUT2, devices N1 and N2, supply VDD and GND.)
6.3 Proposed Methods
In this section, we discuss HCI-SA PUCs, responses of which are controllable by their
manufacturers. Next, we propose new methods of constructing any logic gate using the HCI-SA
PUCs, which prevent the extraction of a gate-level netlist from mask pattern images.
6.3.1 Physically Unclonable Circuit
The main purpose of HCI-SA PUFs is to improve the reliability of responses in SA PUFs.
Therefore, the naive response (i.e., offset polarity before HCI stress) is measured and memorized
in Step 1, as explained in Sect. 6.2.2. We consider that manufacturers of HCI-SA PUFs can skip
Step 1 and can freely determine the polarity sign of the offset voltage after HCI stress,
regardless of that before HCI stress (i.e., naive polarity sign). This means that the
manufacturers are capable of setting the value of responses after HCI stress as they want. We
predict that the amount of HCI stress becomes larger (more than 125 seconds [6]) because the
polarity sign set by manufacturers is sometimes opposite to the naive polarity sign. If the amount
of HCI stress is not sufficient, there is a high possibility that the responses do not achieve
perfect reliability. We believe that controlling responses is feasible for manufacturers. The
proof of concept, however, should be performed on real IC chips, which is left for future work.
We assume that the polarity signs for HCI-SA PUFs are provided from outside the IC chips. This
is because, if an on-chip instrument is implemented to store the polarity signs, the logic function
consisting of HCI-SA cells can be reverse-engineered readily. The developers of HCI-SA PUFs have
proposed a serial and externally controlled reinforcement of the polarity signs in order to reduce
the size of HCI-SA cells [6]. This is why we consider that our assumption is reasonable.
Here, we define a Physically Unclonable Circuit (PUC) as a PUF-like component, the response of
which is controlled by its manufacturer. The reason why we distinguish PUCs from PUFs is that
responses of PUFs are determined only by physical characteristics of ICs (i.e., uncontrollable),
while those of PUCs are controllable. We, therefore, consider that HCI-SA PUCs should not be
categorized as PUFs. Responses of HCI-SA PUCs have the following three characteristics:
Error-free Response: Having perfect reliability.
Controllable Response: Being fully controllable by manufacturers.
Tolerance to Reverse Engineering: Not being identified using their mask pattern images.
Note that the third characteristic is realized if HCI-SA PUCs satisfy the following two
requirements: (1) one-time programmability and (2) undetectability of hot carriers.
(1) We assume that HCI-SA PUCs have one-time programmability under static attacks. However,
if dynamic attacks are performed, attackers may possibly overwrite the HCI effect and may
obtain information about the responses of HCI-SA cells. In order to prevent this reprogramming,
we assume that the HCI writing interfaces should be unavailable once manufacturing of the IC chips
is complete, or that a mechanism to detect the reprogramming (e.g., hardware duplication against
fault injection attacks) should be implemented. We consider that the feasibility of the one-time
programmability should be experimentally clarified in future work.
(2) The existence of hot carriers in HCI-SA cells directly corresponds to secret information:
the responses of HCI-SA PUCs. Therefore, the hot carriers must be undetectable for the security of
HCI-SA PUCs. In principle, the hot carriers are measurable through microscopy-based reverse
engineering since these hot carriers physically exist in HCI-SA cells. In fact, we can observe the
charge existence in a floating gate of a memory cell of EEPROM or Flash EEPROM, as mentioned
in Chap. 1. However, we believe that it is practically difficult to detect the hot carriers. The
reason is that the number of hot carriers in HCI-SA cells is expected to be much smaller than that
of the electric charge in non-volatile memory cells. Therefore, once an attacker performs reverse
engineering such as de-packaging and de-layering of IC chips, the hot carriers will flow out and
change from their original state. At the moment, this undetectability is based on an assumption
rather than a fact. We consider that the undetectability of hot carriers should be experimentally
clarified in future work.
6.3.2 Proposed Method (1)
We design the N-input logic gates in general circuits (e.g., AND, OR, XOR, NAND, NOR, XNOR
gates) based on the HCI-SA PUCs. For example, we replace various 2-input conventional logic
gates with the proposed gates using HCI-SA PUCs, as shown in Fig. 6.3. Let A and B be input
signals to a logic gate, and X be an output signal from the gate. The output X of each proposed
gate is obtained as the output from a 4-to-1 multiplexor, inputs of which are 4-bit responses from
HCI-SA PUCs. In the manufacturing process of IC chips, each value of the response is controlled
by the HCI stress according to the truth table of the logic gate. Signals A and B correspond to
the selection inputs of the multiplexor. It is impossible for an attacker to identify the value of
X in a proposed gate from its mask pattern images. This is because the mask patterns of the
proposed gates with HCI-SA PUCs are completely identical.
Gate Size of an HCI-SA PUC (HCI-SA Cell)
The gate size of each proposed gate, as shown in Fig. 6.3, is estimated to be 25 gates, where one
gate is equivalent to a 2-input NAND gate. The proposed gate consists of a 1-bit 4-to-1 multiplexor
(= 5 gates according to [4]) and four HCI-SA cells (each cell is 5 gates). The gate size of an
HCI-SA cell is estimated as follows. An HCI-SA cell is equivalent to 10 times the area of an SRAM
cell, according to the developers of HCI-SA PUFs [6]. The gate size of a 1-bit SRAM cell is half
that of the 2-input NAND gate (i.e., 0.5 gates) according to our logic synthesis on a 0.18-µm ASIC
process [37]. The gate size of the HCI-SA cell is, therefore, estimated to be 5 gates. Note that
the HCI-SA cell does not include the memory cell for storing the offset polarity in Step 1, as
mentioned in Sect. 6.2.2, because Step 1 is not necessary for manufacturing our proposed gates.
Appropriate Number of Proposed Gates in General Circuits
IC manufacturers should replace as many conventional logic gates with proposed gates as possible,
in order to implement general circuits with high tolerance to reverse engineering. Note that the
more proposed gates a general circuit contains, the larger the gate size of the circuit is.
Therefore, the manufacturers should take into account the trade-off between the tolerance to
reverse engineering and the gate size.
An attacker has six candidates for a proposed gate, i.e., AND, OR, XOR, NAND, NOR, XNOR.
If a general circuit includes M proposed gates, the total number of patterns of the proposed gates
is $6^M$ ($\approx 2^{2.58M}$). According to the RC5-72 challenge [18], a problem requiring
$2^{72}$ operations has not been solved by brute force until now. Therefore, at least 28 (obtained
by solving $2^{2.58M} > 2^{72}$) proposed gates should be applied to the general circuit to prevent
brute-force guessing. In practice, it is desirable to implement more than 28 proposed gates because
a lot of information may be learned from the overall circuit structure. In that sense, 28 proposed
gates can be considered a minimum requirement.
Figure 6.3: Proposed method (1): proposed logic gate using HCI-SA PUCs. Any logic gate
can be replaced with the proposed gates for the tolerance to reverse engineering. Each panel shows
the truth table of one gate and a 4-to-1 multiplexor selected by {A, B}, whose four inputs are
HCI-SA PUC responses set to the X column of that truth table:
A B | (I) AND | (II) OR | (III) XOR | (IV) NAND | (V) NOR | (VI) XNOR
0 0 |    0    |    0    |     0     |     1     |    1    |     1
0 1 |    0    |    1    |     1     |     1     |    0    |     0
1 0 |    0    |    1    |     1     |     1     |    0    |     0
1 1 |    1    |    1    |     0     |     0     |    0    |     1
Appropriate Replacement with Proposed Gates
It is important for IC manufacturers to choose the appropriate gates to which our proposed method
is applied. This is because, if some logic gates are randomly replaced with the proposed gates,
many of them are isolated, and therefore an attacker can easily identify the functionality of the
proposed gates. Rajendran et al. have introduced methods of selecting the appropriate gates in
order to maximize the cost of reverse engineering [56]. The introduced methods can ensure that:
- the functionality of the proposed gates can only be resolved by brute force and
- the extracted gate-level netlist produces outputs which are different from those of the
  genuine netlist: 50% of the output bits differ for every input pattern.
In [56], camouflaged gates were assumed to be used as the countermeasure against the reverse
engineering of ICs, instead of our proposed gates based on HCI-SA PUCs. These camouflaged
gates are similar to our proposed gates, in that the mask pattern images are identical regardless of
the functionality of the gates. However, strictly speaking, the camouflaged gates are not completely
identical, especially in their side view. In contrast, our proposed gates are identical even in
side view. The technique to choose the camouflaged gates, introduced in [56], is also applicable to
our proposed gates.
New Threat: Reduction of Gate Candidates Considering Circuit Redundancy
We discuss a new threat which has not been considered in [56]. In general, the structure of
general circuits is optimized to reduce redundancy by using logic synthesis tools. By excluding
the candidates which cause circuit redundancy, an attacker might be able to identify the
functionality of proposed gates easily. This is explained by a very simple circuit, as shown in
Fig. 6.4. P1 is implemented by the proposed gate based on HCI-SA PUCs, so the functionality of P1
is unclear to an attacker. The attacker can, however, guess that P1 is not an XOR gate. This is
because, if P1 is an XOR gate, the functionality of this circuit is equivalent to an XNOR gate. It
is not natural that the functionality of the XNOR gate is implemented using XOR and NOT gates
since these are redundant. Consequently, by taking into consideration the circuit redundancy, an
attacker can reduce the number of candidates for P1 from six to four (AND, OR, NAND, NOR).
The above-mentioned example is based on a very simple circuit, while general circuits consisting
of many logic gates are also exposed to the same threat. This enables an attacker to resolve the
functionality of the proposed gates more efficiently than a brute-force approach.
Figure 6.4: P1 is implemented by the proposed gate. An attacker cannot identify its functionality
using its mask pattern images. (Circuit with inputs A and B, proposed gate P1 and output X.)
To prevent the aforementioned threat, we propose the idea that designers make a part of a
general circuit redundant before replacing gates with proposed gates. For example, in Fig. 6.4,
some XOR (XNOR) gates are implemented using XNOR (NOR) and NOT gates. After making these
gates redundant, these XOR and XNOR gates are implemented by the proposed gates based on
HCI-SA PUCs. This idea maintains the number of candidates for P1 at six, which forces an attacker
to use a brute-force approach.
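The gate construction of method (1) and the brute-force bound above can be checked with a short model. The following Python sketch is an added example, not code from the thesis; the class and function names and the ordering of the multiplexor inputs (index (A << 1) | B) are assumptions of the sketch. It also sizes the search space when redundancy analysis leaves four candidates per gate instead of six.

```python
from math import log2

# Truth tables of the six candidate gates, indexed by the select value (A << 1) | B.
# The index order is an assumption of this sketch.
TRUTH_TABLES = {
    "AND":  (0, 0, 0, 1),
    "OR":   (0, 1, 1, 1),
    "XOR":  (0, 1, 1, 0),
    "NAND": (1, 1, 1, 0),
    "NOR":  (1, 0, 0, 0),
    "XNOR": (1, 0, 0, 1),
}


class ProposedGate:
    """Four HCI-SA PUC cells feeding a 4-to-1 multiplexor selected by {A, B}."""

    def __init__(self):
        self._cells = None  # fabricated but not yet stressed: no function assigned

    def program(self, responses):
        """Model the HCI stress step done at the trusted site (one-time)."""
        if self._cells is not None:
            raise RuntimeError("cells are one-time programmable")
        responses = tuple(responses)
        if len(responses) != 4 or any(r not in (0, 1) for r in responses):
            raise ValueError("expected four response bits")
        self._cells = responses

    def evaluate(self, a, b):
        if self._cells is None:
            raise RuntimeError("responses not written yet")
        return self._cells[(a << 1) | b]

    def layout(self):
        """What mask-pattern images show: the structure, never the responses."""
        return ("MUX4",) + ("HCI-SA cell",) * 4


def build_gate(name):
    """Fabricate a gate and write the responses for the named function."""
    gate = ProposedGate()
    gate.program(TRUTH_TABLES[name])
    return gate


def min_gates(candidates, security_bits):
    """Smallest M with candidates**M > 2**security_bits (exact integers)."""
    m, space = 0, 1
    while space <= 2 ** security_bits:
        space *= candidates
        m += 1
    return m


def search_space_bits(candidates_per_gate):
    """log2 of the number of assignments, given each gate's candidate count."""
    return sum(log2(c) for c in candidates_per_gate)


if __name__ == "__main__":
    gates = {name: build_gate(name) for name in TRUTH_TABLES}
    print("distinct layouts:", len({g.layout() for g in gates.values()}))
    print("NAND(1,1) =", gates["NAND"].evaluate(1, 1))
    print("min gates, 6 candidates:", min_gates(6, 72))
    print("min gates, 4 candidates:", min_gates(4, 72))
    print("28 gates, 6 candidates: %.1f bits" % search_space_bits([6] * 28))
    print("28 gates, 4 candidates: %.1f bits" % search_space_bits([4] * 28))
```

With six candidates per gate, 28 gates clear the $2^{72}$ bound; if every gate is narrowed to four candidates, the same 28 gates give only $2^{56}$ assignments.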
6.3.3 Proposed Method (2)
The proposed method (1) can increase the tolerance to reverse engineering of any logic gate, while
the gate size of the proposed gate becomes larger than that of a standard logic gate. To suppress
the increase of the gate size, a simple wire is made redundant and implemented by HCI-SA PUCs
in the proposed method (2).
We focus on N-input logic gates, some of whose input values are constant bits. For example,
we design two types of 2-input XOR gates by using HCI-SA PUCs, as shown in Fig. 6.5. One
type of XOR gate has an input 1, and the other type has an input 0 (equivalent to a simple wire).
The input value 1 (0) is generated by an HCI-SA PUC which outputs 1 (0). Note
that the latter type of XOR gate can be inserted as many times as manufacturers want because
there are wires all over the circuit. This increases the tolerance to reverse engineering of
general circuits dramatically because an attacker has to distinguish all of the HCI-SA PUCs
outputting 0 or 1. NOT gates and simple wires are also implemented by HCI-SA PUCs, as shown in
Fig. 6.6. The proposed gates in Figs. 6.5 and 6.6 consist of an HCI-SA cell and an XOR gate. The
gate size of the XOR gate is 2.5 gates [4], so the gate size of the proposed gate is 7.5 gates.
Figure 6.5: Proposed method (2) for 2-input XOR gates. (An XOR gate with input 1 and an XOR gate
with input 0, the latter equivalent to a simple wire, are both built from an XOR gate and an
HCI-SA PUC set to 1 or 0, and are identical on their mask pattern images.)
Figure 6.6: Proposed method (2) for NOT gate and wire. (A NOT gate and a simple wire, i.e., no NOT
gate, are both built from an XOR gate and an HCI-SA PUC set to 1 or 0, and are identical on their
mask pattern images.)
In conclusion, high tolerance to reverse engineering of general circuits can be realized by
combining the proposed method (1), as applied to any logic gate, with the proposed method (2), as
applied to any wire with a small gate size.
6.3.4 Combination of HCI-SA PUCs with Split Fabrication
IC chips with HCI-SA PUCs are very suitable for the concept of split fabrication to prevent
social engineering. A fabless company provides some foundries with all information for circuit
designs including HCI-SA PUCs, except the responses of the PUCs. These external foundries can
manufacture IC chips according to the circuit designs, while the responses of the PUCs are not
determined at this time. Then, trusted foundries or the fabless company itself perform the
reinforcement process to provide the HCI-SA PUCs with HCI stress. This HCI stress is performed by
using relatively small-scale equipment. This split fabrication prevents these external foundries
from identifying the functionality of the whole circuit masked by HCI-SA PUCs.
6.4 Case Study - Applying Proposed Methods to KASUMI
This section presents a case study of applying the proposed methods to an S-box circuit of the
KASUMI block cipher [67]. Note that the S-box circuit of KASUMI, properly speaking, does not
need to be protected from reverse engineering because the specification of the KASUMI block cipher
is public information. In this case study, we assume that the S-box circuit of the KASUMI block
cipher is the manufacturer's IP and explain how to use the proposed methods.
Let the 7-bit variables x and y be the input and output of the KASUMI 7-bit S-box S7,
respectively. Figure 6.7(I) shows the structure of the circuit for making the 2nd output bit (y[2])
of S7. The proposed methods are applied to five spots labeled (a), (b), (c), (d) and (e) in
Fig. 6.7(I). Figure 6.7(II) shows the structure of the circuit of S7 after applying the proposed
methods. In spot (a), an AND gate is configured by the proposed method (1) shown in Fig. 6.3. In
spot (b), the 1-bit constant value applied to an OR gate is generated by an HCI-SA PUC, this being
the proposed method (2) shown in Fig. 6.5. In spots (c) and (d), each NOT gate is replaced with an
XOR gate, one of whose input values (= 1) is generated by an HCI-SA PUC. In spot (e), the simple
wire is implemented by an XOR gate, one of whose input values (= 0) is generated by an HCI-SA PUC.
Figure 6.7: Circuit structure for making the 2nd output bit (y[2]) of the KASUMI 7-bit S-box S7.
(I) Before applying the proposed methods. (II) After applying the proposed methods. (Inputs x[0]
to x[6]; spots (a) to (e) are marked in both panels.)
The circuit shown in Fig. 6.7(II) is 50 gates larger than the circuit shown in Fig. 6.7(I).
Here, we use the equivalencies 1 AND/OR = 1.5 NAND gate and 1 NOT = 0.5 NAND gate,
introduced in [4]. The tolerance to reverse engineering can be increased if the proposed methods
are applied to more spots in the S-box circuit. The gate size of a proposed gate is estimated to be
25 gates, and at least 28 proposed gates are needed to prevent brute-force guessing, as mentioned
in Sect. 6.3.2. The increase of the gate size is, therefore, estimated to be around 700
(= 25 gates × 28) gates. To our knowledge, the smallest KASUMI circuit to date is 2,990 gates [77].
Therefore, the KASUMI circuit including these proposed gates is expected to be small enough for
IoT devices.
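The 50-gate overhead stated above can be reproduced from the gate sizes given in Sect. 6.3. The Python sketch below is an added example, not code from the thesis: it uses a constructed netlist (not the KASUMI S7 circuit) containing the same five kinds of spot, and the per-spot accounting and all names are assumptions of the sketch. It also checks that the obfuscated netlist computes the original function only when the PUC responses are written correctly.

```python
from itertools import product

# Gate sizes in 2-input-NAND equivalents, as quoted in the chapter.
AREA = {"AND": 1.5, "OR": 1.5, "NOT": 0.5, "XOR": 2.5, "MUX4": 5.0,
        "PUC": 5.0, "WIRE": 0.0, "CONST": 0.0}

# Constructed netlist (NOT the KASUMI S7 circuit), in topological order:
# (output net, operation, inputs).
ORIGINAL = [
    ("k",  "CONST", (0,)),           # constant bit fed to the OR gate
    ("n1", "AND",   ("x0", "x1")),   # same kind of spot as (a)
    ("n2", "OR",    ("n1", "k")),    # same kind of spot as (b)
    ("n3", "NOT",   ("x2",)),        # same kind of spot as (c)
    ("n4", "NOT",   ("n2",)),        # same kind of spot as (d)
    ("n5", "WIRE",  ("n3",)),        # same kind of spot as (e)
    ("y",  "XOR",   ("n4", "n5")),
]
INPUTS = ("x0", "x1", "x2")


def obfuscate(netlist):
    """Apply method (1) to AND gates, method (2) to constants, NOTs and wires.

    Returns the new netlist and the PUC programming (cell name -> response),
    i.e. the part that is withheld from the external foundry.
    """
    out, programming = [], {}

    def new_cell(bit):
        name = "puc%d" % len(programming)
        programming[name] = bit
        out.append((name, "PUC", ()))
        return name

    for net, op, ins in netlist:
        if op == "AND":      # method (1): truth table held in four cells
            cells = tuple(new_cell(a & b) for a, b in product((0, 1), repeat=2))
            out.append((net, "MUX4", ins + cells))
        elif op == "CONST":  # method (2): the constant comes from one cell
            out.append((net, "WIRE", (new_cell(ins[0]),)))
        elif op == "NOT":    # method (2): XOR with a cell set to 1
            out.append((net, "XOR", (ins[0], new_cell(1))))
        elif op == "WIRE":   # method (2): XOR with a cell set to 0
            out.append((net, "XOR", (ins[0], new_cell(0))))
        else:
            out.append((net, op, ins))
    return out, programming


def evaluate(netlist, inputs, programming=None):
    """Compute output net 'y' for one input assignment."""
    v = dict(inputs)
    for net, op, ins in netlist:
        if op == "CONST":
            v[net] = ins[0]
        elif op == "PUC":
            v[net] = programming[net]
        else:
            a = [v[i] for i in ins]
            if op == "AND":
                v[net] = a[0] & a[1]
            elif op == "OR":
                v[net] = a[0] | a[1]
            elif op == "XOR":
                v[net] = a[0] ^ a[1]
            elif op == "NOT":
                v[net] = 1 - a[0]
            elif op == "WIRE":
                v[net] = a[0]
            elif op == "MUX4":  # select inputs first, then the four cells
                v[net] = a[2 + ((a[0] << 1) | a[1])]
    return v["y"]


def area(netlist):
    return sum(AREA[op] for _, op, _ in netlist)


def mismatches(original, obfuscated, programming):
    """Number of input patterns on which the two netlists disagree."""
    count = 0
    for bits in product((0, 1), repeat=len(INPUTS)):
        x = dict(zip(INPUTS, bits))
        if evaluate(original, x) != evaluate(obfuscated, x, programming):
            count += 1
    return count


OBFUSCATED, PROGRAMMING = obfuscate(ORIGINAL)
OVERHEAD = area(OBFUSCATED) - area(ORIGINAL)

if __name__ == "__main__":
    print("overhead in gates:", OVERHEAD)
    print("mismatches:", mismatches(ORIGINAL, OBFUSCATED, PROGRAMMING))
```

The per-spot contributions are 23.5 (AND to method-(1) gate), 5 (constant from a PUC), 7 for each NOT, and 7.5 for the wire, which sum to 50.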
Meanings of Applying the Proposed Methods to S-box Circuit
We discuss the meaning of applying the proposed methods to the circuit of the S-box, the
specification of which is modified from its original. In general, we should use popular
cryptographic algorithms (e.g., AES, KASUMI), the specifications of which are open to the public,
because the security of an algorithm should always be evaluated by many specialists. However,
there are many other variations of the S-box specification in addition to the original one [3]. In
some situations, the specification of an S-box is modified in order to reduce the area size or
power consumption of the S-box circuit while keeping its cryptographic security [55]. This modified
algorithm is very important as the manufacturer's IP; therefore, the reverse engineering of the
S-box circuit is a big threat to its designer. Our proposed methods are very useful for protecting
the modified S-box circuit. The modified S-box circuit is used not only in the general circuit for
message encryption, but even in the authentication circuit based on cryptographic algorithms.
Furthermore, even if IC manufacturers use a public cryptographic algorithm in their ICs, but do not
want anyone except themselves to know about the algorithm, they can use our proposed methods.
6.5 Discussion
Promising Applications of PUCs
The proposed gates can also be utilized to protect the intellectual property of FPGAs: the circuit
information of FPGAs, called a bitstream. This bitstream is stored in an external non-volatile
memory (e.g., EEPROM) and is downloaded into an FPGA when power is on since FPGA is a volatile
memory. Here, this bitstream is usually protected by being encrypted with a secret key. This
secret key can be stored in another non-volatile memory, or even be produced from PUF responses
[21]. The secret key, however, could be revealed through side-channel attacks [49]. In order
to avoid the threat of side-channel attacks, we consider that the bitstream can be configured by
the proposed gates instead of being encrypted and stored in the external non-volatile memory.
It is reasonable to apply the proposed gates to a part of the circuit which is especially valuable
and changeless.
HCI-SA PUCs can be used even for PUFs: circuits for authentication. Specifically, skPUF, as
shown in Fig. 2.3, can be generated from HCI-SA PUCs. This is because there is almost no
difference between the responses of HCI-SA PUCs and those of other types of memory-based PUFs
(e.g., latch-based PUF and original HCI-SA PUFs) in terms of the tolerance to reverse engineering,
since both responses are not identified even when their mask pattern is revealed. Responses
of factory-manufactured HCI-SA PUCs have high entropy if they are determined based on
cryptographic random number generators. In this case, these HCI-SA PUCs have extremely high
uniqueness, one of the most important requirements of PUFs. Some readers might consider that
non-volatile memory such as Mask ROM or EEPROM can be substituted for HCI-SA PUCs in
terms of storing and outputting the constant value. The non-volatile memory, however, does not
satisfy the third condition (as mentioned in Sect. 6.3.1): tolerance to reverse engineering, the
most important characteristic for PUFs. The HCI-SA PUCs can be regarded as secure memory whose
stored value cannot be identified by its mask pattern.
PUCs will not necessarily be implemented by HCI-SA PUCs in the future. In [5], the
reliability of SRAM PUFs can be improved by the accelerated aging of the SRAM cells (e.g., high
temperature or supply voltage). All memory-based PUFs have a possibility to be used as PUCs.
Related Work
Just shortly after our proposal, Wendt et al. proposed a hardware obfuscation technique using
Arbiter PUFs [75]. Generally, it is difficult to construct an arbitrary logic circuit using PUFs
since the responses of PUFs are uncontrollable, unlike those of PUCs. Therefore, Wendt et al.
utilize reconfigurable logic (e.g., FPGAs) to correct the difference of PUF responses between
manufactured IC chips. Hardware obfuscation is achieved by replacing a logic circuit with PUFs and
the reconfigurable logic. This technique, unfortunately, needs additional costs; the reconfigurable
logic must be programmed differently for every chip due to unique PUF responses. In contrast,
we believe that our PUC-based techniques do not require chip-dependent processes.
6.6 Conclusion
In this chapter, we utilized HCI-SA PUFs, or properly speaking HCI-SA PUCs, in order to keep
circuit designs secret. The output from each HCI-SA PUC (HCI-SA cell) is controllable by its
manufacturer; therefore, we defined PUCs and PUFs separately. We designed the proposed gates,
whose functionalities are equivalent to those of any logic gate (e.g., NAND, XOR), by using
HCI-SA PUCs. The proposed gates are completely identical and impossible to distinguish by
using their mask pattern images. It is important which logic gates are replaced with the proposed
gates. If the selected gates are not optimized, an attacker can get a hint from the circuit
redundancy. As a result, this enables an attacker to resolve their functionality more efficiently
than a brute-force approach. We, therefore, proposed another method for implementing a simple wire
by HCI-SA PUCs and realizing high tolerance to reverse engineering with a small increase of gates.
We showed a case study of applying the proposed methods to an S-box circuit of the KASUMI block
cipher, assuming that the circuit is the manufacturer's IP.
Part VI
Conclusion
Chapter 7
Concluding Remarks and Future Research Direction
Conclusion
IoT devices can be authenticated through PUF-based authentication protocols: Approach (A)
using Strong PUFs, or Approach (B) using Weak PUFs. PUFs have an advantage over NVMs
such as Mask ROM, EEPROM and flash memory, in that PUFs have tolerance to physical
attacks, i.e., microscopy-based reverse engineering. The goal of this thesis was to construct
PUF-based authentication securely against theoretical attacks. Specifically, we aimed to make it
difficult for attackers to accurately predict responses, which are transferred between verifier
and prover.
In Part III, we discussed the security evaluation of Approach (A). Concretely, we focused on
BR-PUFs as a candidate for secure Strong PUFs, and experimentally evaluated the resistance of
BR-PUFs against response prediction. We performed this evaluation according to two methods:
differential PUF analysis and linear PUF analysis, which were based on well-known cryptanalysis
methods. Our evaluation results first showed that BR-PUFs on FPGAs had security issues
of response predictions. Through differential PUF analysis, the same responses were frequently
generated for two challenges with small Hamming distance. Through linear PUF analysis, particular
bits of challenges in BR-PUFs had a great impact on the responses. As a result, BR-PUFs
are not suitable as a candidate for secure Strong PUFs for Approach (A). In conclusion of Part III,
in order to construct Approach (A) securely, we should continue to pursue a secure instance of
Strong PUFs in future work.
In Part IV, we discussed the security improvement of Approach (B). In order to achieve
Approach (B) securely, a secret key skPUF – generated from a PUF response – should have a large
variety. Hence we proposed a novel method of enhancing the variety of PUF responses while
maintaining their reliability. We utilized the information entropy of random latches, i.e., the
proportion of ‘1’s in the random numbers outputted from each random latch. According to our
experiment of LPUFs with 256 RS latches, 379 bits of entropy can be extracted by using the proposed
method, which is approximately 1.72 times as large as 220 bits of entropy extracted by the
conventional method. In conclusion, our proposed method contributes to the security improvement
of Approach (B).
In Part V, we first introduced the concept of a new application of PUF-based technologies: an
IP protection technique against both reverse engineering and social engineering. Mask pattern
images of general-purpose circuits are very important IP for their manufacturers. We proposed a
method of concealing the functionality of a circuit by using multiple HCI-SA PUCs, responses of
which are controllable. This contributes to the security enhancements of not only PUFs but also
all kinds of circuits, which improves the whole security of IoT devices.
Future Work
Future research direction should include developing PUFs with resistance against dynamic
invasive attacks. In fact, a certain kind of PUF such as Coating PUF produces its responses based
on the randomness in the local capacitance of the protective coating on IC chips [71]. The
dynamic invasive attacks (e.g., FIB or microprobing) change this capacitance, so it is difficult
for the attacker to read the original response. Other types of PUFs are also expected to have the
same resistance against such attacks, which should be experimentally evaluated in a future study.
Our preliminary results have been published in [68].
References
[1] Jason H. Anderson. A PUF design for secure FPGA-based embedded systems. In Asia and
South Pacific Design Automation Conference (ASP-DAC 2010), pages 1–6, 2010.
[2] Luigi Atzori, Antonio Iera, and Giacomo Morabito. The Internet of Things: A Survey.
Computer Networks, 54(15):2787–2805, 2010.
[3] Elad Barkan and Eli Biham. In How Many Ways Can You Write Rijndael? In Advances
in Cryptology (ASIACRYPT 2002), volume 2501 of Lecture Notes in Computer Science
(LNCS), pages 160–175. Springer, 2002.
[4] Lejla Batina, Joseph Lano, Nele Mentens, S. Berna Örs, Bart Preneel, and Ingrid
Verbauwhede. Energy, Performance, Area Versus Security Trade-offs for Stream Ciphers. In
The State of the Art of Stream Ciphers (ECRYPT 2004), pages 302–310, 2004.
[5] Mudit Bhargava, Cagla Cakir, and Ken Mai. Reliability Enhancement of Bi-Stable PUFs in
65nm Bulk CMOS. In IEEE International Symposium on Hardware-Oriented Security and
Trust (HOST 2012), pages 25–30. IEEE, 2012.
[6] Mudit Bhargava and Ken Mai. A High Reliability PUF Using Hot Carrier Injection Based
Response Reinforcement. In Workshop on Cryptographic Hardware and Embedded Systems
(CHES 2013), volume 8086 of Lecture Notes in Computer Science (LNCS), pages 90–106.
Springer, 2013.
[7] Eli Biham and Adi Shamir. Differential Cryptanalysis of DES-like Cryptosystems. Journal
of Cryptology, 4(1):3–72, 1991.
[8] Eli Biham and Adi Shamir. Differential fault analysis of secret key cryptosystems. In
Advances in Cryptology (CRYPTO 1997), volume 1294 of Lecture Notes in Computer Science
(LNCS), pages 513–525. Springer, 1997.
[9] Andrey Bogdanov, Miroslav Knezevic, Gregor Leander, Deniz Toz, Kerem Varici, and In-
grid Verbauwhede. SPONGENT: The Design Space of Lightweight Cryptographic Hashing.
IEEE Transactions on Computers, 62(10):2041–2053, 2013.
[10] Dan Boneh, Richard A. DeMillo, and Richard J. Lipton. On the Importance of Checking
Cryptographic Protocols for Faults. In Advances in Cryptology (EUROCRYPT 1997), vol-
ume 1233 of Lecture Notes in Computer Science (LNCS), pages 37–51. Springer, 1997.
[11] Christoph Bösch, Jorge Guajardo, Ahmad-Reza Sadeghi, Jamshid Shokrollahi, and Pim
Tuyls. Efficient Helper Data Key Extractor on FPGAs. In Workshop on Cryptographic
Hardware and Embedded Systems (CHES 2008), volume 5154 of Lecture Notes in
Computer Science (LNCS), pages 181–197. Springer, 2008.
[12] Sébastien Briais, Jean-Michel Cioranesco, Jean-Luc Danger, Sylvain Guilley, David
Naccache, and Thibault Porteboeuf. Random Active Shield. In Workshop on Fault Diagnosis
and Tolerance in Cryptography (FDTC 2012), pages 103–113. IEEE, 2012.
[13] Qingqing Chen, György Csaba, Paolo Lugli, Ulf Schlichtmann, and Ulrich Rührmair. The
Bistable Ring PUF: A New Architecture for Strong Physical Unclonable Functions. In IEEE
International Symposium on Hardware-Oriented Security and Trust (HOST 2011), pages
134–141. IEEE, 2011.
[14] Qingqing Chen, György Csaba, Paolo Lugli, Ulf Schlichtmann, and Ulrich Rührmair.
Characterization of the Bistable Ring PUF. In Design, Automation and Test in Europe (DATE
2012), pages 101–109, 2012.
[15] Jean-Michel Cioranesco, Jean-Luc Danger, Tarik Graba, Sylvain Guilley, Yves Mathieu,
David Naccache, and Xuan Thuy Ngo. Cryptographically Secure Shields. In IEEE Inter-
national Symposium on Hardware-Oriented Security and Trust (HOST 2014), pages 25–31.
IEEE, 2014.
[16] James W. Crouch, Hiren J. Patel, Yong C. Kim, and Robert W. Bennington. Creating unique
identifiers on field programmable gate arrays using natural processing variations. In In-
ternational Conference on Field Programmable Logic and Applications (FPL 2008), pages
579–582, 2008.
[17] Jeroen Delvaux, Dawu Gu, Dries Schellekens, and Ingrid Verbauwhede. Secure Lightweight
Entity Authentication with Strong PUFs: Mission Impossible? In Workshop on
Cryptographic Hardware and Embedded Systems (CHES 2014), volume 8731 of Lecture Notes in
Computer Science (LNCS), pages 451–475. Springer, 2014.
[18] Distributed.net. Project RC5-72. http://www.distributed.net/RC5.
[19] Yevgeniy Dodis, Rafail Ostrovsky, Leonid Reyzin, and Adam Smith. Fuzzy Extractors:
How to Generate Strong Keys from Biometrics and Other Noisy Data. SIAM Journal on
Computing, 38:97–139, 2008.
[20] Karine Gandolfi, Christophe Mourtel, and Francis Olivier. Electromagnetic Analysis: Con-
crete Results. In Workshop on Cryptographic Hardware and Embedded Systems (CHES
2001), volume 2162 of Lecture Notes in Computer Science (LNCS), pages 251–261.
Springer, 2001.
[21] Jorge Guajardo, Sandeep S. Kumar, Geert Jan Schrijen, and Pim Tuyls. FPGA Intrinsic PUFs
and Their Use for IP Protection. In Workshop on Cryptographic Hardware and Embedded
Systems (CHES 2007), volume 4727 of Lecture Notes in Computer Science (LNCS), pages
63–80. Springer, 2007.
[22] Hisashi Hata and Shuichi Ichikawa. FPGA Implementation of Metastability-Based True
Random Number Generator. IEICE Transactions on Information and Systems, 95-D(2):426–
436, 2012.
[23] Daniel E. Holcomb, Wayne P. Burleson, and Kevin Fu. Initial SRAM State as a Fingerprint
and Source of True Random Numbers for RFID Tags. In Workshop on RFID Security and
Privacy (RFIDSec 2007), 2007.
[24] Daniel E. Holcomb, Amir Rahmati, Mastooreh Salajegheh, Wayne P. Burleson, and Kevin
Fu. DRV-Fingerprinting: Using Data Retention Voltage of SRAM Cells for Chip Identifica-
tion. In Workshop on RFID Security and Privacy (RFIDSec 2012), volume 7739 of Lecture
Notes in Computer Science (LNCS), pages 165–179. Springer, 2012.
[25] Tanya Ignatenko, Geert-Jan Schrijen, Boris Skoric, Pim Tuyls, and Frans Willems. Estimat-
ing the Secrecy-Rate of Physical Unclonable Functions with the Context-Tree Weighting
Method. In IEEE International Symposium on Information Theory (ISIT 2006), pages 499–
503. IEEE, 2006.
[26] Xilinx Inc. Spartan-3E Starter Kit.
http://www.xilinx.com/products/boards-and-kits/hw-spar3e-sk-us-g.html.
[27] SypherMedia International. Circuit Camouflage Technology - SMI IP Protection and Anti-
Tamper Technologies, White Paper Version 1.9.8j, 2012.
[28] Meenatchi Jagasivamani, Peter Gadfort, Michel Sika, Michael Bajura, and Michael Fritze.
Split Fabrication Obfuscation: Metrics and Techniques. In IEEE International Symposium
on Hardware-Oriented Security and Trust (HOST 2014), pages 7–12. IEEE, 2014.
[29] Himanshu Kaul, Dennis Sylvester, and David Blaauw. Active Shields: A New Approach to
Shielding Global Wires. In ACM Great Lakes Symposium on VLSI (GLSVLSI 2002), pages
112–117. ACM, 2002.
[30] Paul Kocher, Joshua Jaffe, and Benjamin Jun. Differential Power Analysis. In Advances in
Cryptology (CRYPTO 1999), volume 1666 of Lecture Notes in Computer Science (LNCS),
pages 388–397. Springer, 1999.
[31] Oliver Kömmerling and Markus G. Kuhn. Design Principles for Tamper-resistant Smartcard
Processors. In USENIX Workshop on Smartcard Technology (Smartcard 1999), pages 9–20,
1999.
[32] Hugo Krawczyk. LFSR-based Hashing and Authentication. In Advances in Cryptology
(CRYPTO 1994), volume 839 of Lecture Notes in Computer Science (LNCS), pages 129–
139. Springer, 1994.
[33] Aswin Raghav Krishna, Seetharam Narasimhan, Xinmu Wang, and Swarup Bhunia.
MECCA: A Robust Low-Overhead PUF Using Embedded Memory Array. In Workshop
on Cryptographic Hardware and Embedded Systems (CHES 2011), volume 6917 of Lecture
Notes in Computer Science (LNCS), pages 407–420. Springer, 2011.
[34] Sandeep S. Kumar, Jorge Guajardo, Roel Maes, Geert-Jan Schrijen, and Pim Tuyls. Ex-
tended Abstract: The Butterfly PUF: Protecting IP on every FPGA. In IEEE International
Symposium on Hardware-Oriented Security and Trust (HOST 2008), pages 67–70. IEEE,
2008.
[35] Jae W. Lee, Daihyun Lim, Blaise Gassend, G. Edward Suh, Marten van Dijk, and Srinivas
Devadas. A Technique to Build a Secret Key in Integrated Circuits for Identification and
Authentication Applications. In IEEE Symposium on VLSI Circuits 2014, pages 176–179.
IEEE, 2004.
[36] Yang Li, Kazuo Sakiyama, Shigeto Gomisawa, Toshinori Fukunaga, Junko Takahashi, and
Kazuo Ohta. Fault Sensitivity Analysis. In Workshop on Cryptographic Hardware and Em-
bedded Systems (CHES 2010), volume 6225 of Lecture Notes in Computer Science (LNCS),
pages 320–334. Springer, 2010.
[37] Fujitsu Ltd. CS86 Series. http://www.fujitsu.com/downloads/MICRO/fma/pdf/
e620209 CS86 ASIC.pdf.
[38] Takanori Machida, Dai Yamamoto, Mitsugu Iwamoto, and Kazuo Sakiyama. A New Mode
of Operation for Arbiter PUF to Improve Uniqueness on FPGA. In Workshop on Emerging
Aspects in Information Security (EAIS 2014), pages 877–884, 2014.
[39] Takanori Machida, Dai Yamamoto, Mitsugu Iwamoto, and Kazuo Sakiyama. Implementa-
tion of Double Arbiter PUF and Its Performance Evaluation on FPGA. In Asia and South
Pacific Design Automation Conference (ASP-DAC 2015), University Design Contest, pages
6–7, 2015.
[40] Roel Maes, Pim Tuyls, and Ingrid Verbauwhede. Intrinsic PUFs from Flip-flops on Recon-
figurable Devices. In Benelux Workshop on Information and System Security (WISSec 2008),
2008.
[41] Roel Maes, Anthony Van Herrewege, and Ingrid Verbauwhede. PUFKY: A Fully Func-
tional PUF-Based Cryptographic Key Generator. In Workshop on Cryptographic Hardware
and Embedded Systems (CHES 2012), volume 7428 of Lecture Notes in Computer Science
(LNCS), pages 302–319. Springer, 2012.
[42] Roel Maes and Ingrid Verbauwhede. Physically Unclonable Functions: A Study on the
State of the Art and Future Research Directions. In Towards Hardware Intrinsic Security:
Foundation and Practice, pages 3–37. Springer, 2010.
[43] Abhranil Maiti, Vikash Gunreddy, and Patrick Schaumont. A Systematic Method to Evaluate
and Compare the Performance of Physical Unclonable Functions. In Embedded Systems
Design with FPGAs, pages 245–267. Springer, 2013.
[44] Mehrdad Majzoobi, Farinaz Koushanfar, and Miodrag Potkonjak. Testing Techniques for
Hardware Security. In IEEE International Test Conference (ITC 2008), pages 1–10. IEEE,
2008.
[45] Mitsuru Matsui. Linear Cryptanalysis Method for DES Cipher. In Advances in Cryptology
(EUROCRYPT 1993), volume 765 of Lecture Notes in Computer Science (LNCS), pages
386–397. Springer, 1993.
[46] Ueli M. Maurer. Secret Key Agreement by Public Discussion From Common Information.
IEEE Transactions on Information Theory, 39(3):733–742, 1993.
[47] Dominik Merli, Dieter Schuster, Frederic Stumpf, and Georg Sigl. Semi-invasive EM Attack
on FPGA RO PUFs and Countermeasures. In ACM Workshop on Embedded Systems Security
(WESS 2011), pages 1–9. ACM, 2011.
[48] Dominik Merli, Frederic Stumpf, and Claudia Eckert. Improving the Quality of Ring Os-
cillator PUFs on FPGAs. In ACM Workshop on Embedded Systems Security (WESS 2010),
pages 1–9. ACM, 2010.
[49] Amir Moradi, Alessandro Barenghi, Timo Kasper, and Christof Paar. On the Vulnerability of
FPGA Bitstream Encryption Against Power Analysis Attacks: Extracting Keys from Xilinx
Virtex-II FPGAs. In ACM Conference on Computer and Communications Security (CCS
2011), pages 111–124. ACM, 2011.
[50] C. De Nardi, Romain Desplats, Philippe Perdu, Felix Beaudoin, and J.-L. Gauer. Oxide
charge measurements in EEPROM devices. Microelectronics Reliability, 45(9-11):1514–
1519, 2005.
[51] National Institute of Standards and Technology. Advanced Encryption Standard, NIST FIPS
PUB 197. http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf,
2001.
[52] Ravikanth S. Pappu. Physical One-Way Functions. PhD thesis, Massachusetts Institute of
Technology (MIT), 2001.
[53] Hiren J. Patel, James W. Crouch, Yong C. Kim, and Tony C. Kim. Creating a Unique
Digital Fingerprint using Existing Combinational Logic. In IEEE International Symposium
on Circuits and Systems (ISCAS 2009), pages 2693–2696. IEEE, 2009.
[54] Hiren J. Patel, Yong C. Kim, J. Todd McDonald, and LaVern A. Starman. Increasing Stability
and Distinguishability of the Digital Fingerprint in FPGAs through Input Word Analysis. In
International Conference on Field Programmable Logic and Applications (FPL 2009), pages
391–396, 2009.
[55] K. Rahimunnisa, S. Sureshkumar, and K. Rajeshkumar. Implementation of AES with New
S-Box and Performance Analysis with the Modified S-Box. In International Conference on
VLSI, Communications and Instrumentation (ICVCI 2011), pages 5–8, 2011.
[56] Jeyavijayan Rajendran, Michael Sam, Ozgur Sinanoglu, and Ramesh Karri. Security Anal-
ysis of Integrated Circuit Camouflaging. In ACM Conference on Computer and Communi-
cations Security (CCS 2013), pages 709–720. ACM, 2013.
[57] IDC Press Release. Finding Success in the New IoT Ecosystem: Market to Reach $3.04
Trillion and 30 Billion Connected “Things” in 2020, IDC Says.
http://www.idc.com/getdoc.jsp?containerId=prUS25237214, 2014.
[58] Ulrich Rührmair, Frank Sehnke, Jan Sölter, Gideon Dror, Srinivas Devadas, and Jürgen
Schmidhuber. Modeling Attacks on Physical Unclonable Functions. In ACM Conference
on Computer and Communications Security (CCS 2010), pages 237–249. ACM, 2010.
[59] Alexander Schlosser, Dmitry Nedospasov, Juliane Kramer, Susanna Orlic, and Jean-Pierre
Seifert. Simple Photonic Emission Analysis of AES. In Workshop on Cryptographic Hard-
ware and Embedded Systems (CHES 2012), volume 7428 of Lecture Notes in Computer
Science (LNCS), pages 41–57. Springer, 2012.
[60] Dieter Schuster and Robert Hesselbarth. Evaluation of Bistable Ring PUFs Using Single
Layer Neural Networks. In International Conference on Trust and Trustworthy Computing
(TRUST 2014), volume 8564 of Lecture Notes in Computer Science (LNCS), pages 101–109.
Springer, 2014.
[61] Koichi Shimizu, Daisuke Suzuki, and Tomomi Kasuya. Glitch PUF: Extracting Information
from Usually Unwanted Glitches. IEICE Transactions on Fundamentals of Electronics,
Communications and Computer Sciences, 95-A(1):223–233, 2012.
[62] Koichi Shimizu, Daisuke Suzuki, Toyohiro Tsurumaru, Takeshi Sugawara, Mitsuru Sh-
iozaki, and Takeshi Fujino. Unified Coprocessor Architecture for Secure Key Storage and
Challenge-Response Authentication. IEICE Transactions on Fundamentals of Electronics,
Communications and Computer Sciences, 97-A(1):264–274, 2014.
[63] Ying Su, Jeremy Holleman, and Brian P. Otis. A 1.6pJ/bit 96% Stable Chip-ID Generating
Circuit using Process Variations. In IEEE International Solid-State Circuits Conference
(ISSCC 2007), pages 406–407,611. IEEE, 2007.
[64] Ying Su, Jeremy Holleman, and Brian P. Otis. A Digital 1.6pJ/bit Chip Identification Circuit
Using Process Variations. IEEE Journal of Solid-State Circuits, 43(1):69–77, 2008.
[65] G. Edward Suh and Srinivas Devadas. Physical Unclonable Functions for Device Authen-
tication and Secret Key Generation. In Design Automation Conference (DAC 2007), pages
9–14. ACM, 2007.
[66] Daisuke Suzuki and Koichi Shimizu. The Glitch PUF: A New Delay-PUF Architecture
Exploiting Glitch Shapes. In Workshop on Cryptographic Hardware and Embedded Systems
(CHES 2010), volume 6225 of Lecture Notes in Computer Science (LNCS), pages 366–382.
Springer, 2010.
[67] Third Generation Partnership Project. 3GPP TS 35.202 v7.0.0 Document 2: KASUMI Spec-
ification, 2007.
[68] Naoya Torii, Dai Yamamoto, Masahiko Takenaka, and Tsutomu Matsumoto. Dynamic
Behavior of RS latches using FIB Processing and Probe Connection. Cryptology ePrint
Archive, Report 2014/870, 2014.
[69] Randy Torrance and Dick James. The State-of-the-Art in IC Reverse Engineering. In Work-
shop on Cryptographic Hardware and Embedded Systems (CHES 2009), volume 5747 of
Lecture Notes in Computer Science (LNCS), pages 363–381. Springer, 2009.
[70] Assia Tria and Hamid Choukri. Invasive Attacks. In Encyclopedia of Cryptography and
Security, 2nd Ed., pages 623–629. Springer, 2011.
[71] Pim Tuyls, Geert Jan Schrijen, Boris Skoric, Jan van Geloven, Nynke Verhaegh, and Rob
Wolters. Read-Proof Hardware from Protective Coatings. In Workshop on Cryptographic
Hardware and Embedded Systems (CHES 2006), volume 4249 of Lecture Notes in Computer
Science (LNCS), pages 369–383. Springer, 2006.
[72] Kaushik Vaidyanathan, Bishnu P Das, Ekin Sumbul, Renzhi Liu, and Larry Pileggi. Build-
ing Trusted ICs using Split Fabrication. In IEEE International Symposium on Hardware-
Oriented Security and Trust (HOST 2014), pages 1–6. IEEE, 2014.
[73] Kaushik Vaidyanathan, Renzhi Liu, Ekin Sumbul, Qiuling Zhu, Franz Franchetti, and Larry
Pileggi. Ecient and Secure Intellectual Property (IP) Design for Split Fabrication. In IEEE
International Symposium on Hardware-Oriented Security and Trust (HOST 2014), pages
13–18. IEEE, 2014.
[74] Roy Ward and Timothy C.A. Molteno. Table of Linear Feedback Shift Registers.
http://www.physics.otago.ac.nz/reports/electronics/ETR2012-1.pdf, 2007.
[75] James B. Wendt and Miodrag Potkonjak. Hardware Obfuscation Using PUF-based Logic.
In IEEE/ACM International Conference on Computer-Aided Design (ICCAD 2014), pages
270–277. IEEE/ACM, 2014.
[76] Dai Yamamoto, Gabriel Hospodar, Roel Maes, and Ingrid Verbauwhede. Performance and
Security Evaluation of AES S-Box-Based Glitch PUFs on FPGAs. In International Confer-
ence on Security, Privacy, and Applied Cryptography Engineering (SPACE 2012), volume
7644 of Lecture Notes in Computer Science (LNCS), pages 45–62. Springer, 2012.
[77] Dai Yamamoto, Kouichi Itoh, and Jun Yajima. Compact Architecture for ASIC and FPGA
Implementation of the KASUMI Block Cipher. IEICE Transactions on Fundamentals of
Electronics, Communications and Computer Sciences, 94-A(12):2628–2638, 2011.
[78] Dai Yamamoto, Kazuo Sakiyama, Mitsugu Iwamoto, Kazuo Ohta, Masahiko Takenaka, and
Kouichi Itoh. Variety enhancement of PUF responses using the locations of random out-
putting RS latches. Journal of Cryptographic Engineering, 3(4):197–211, 2013.

Paper Reuse Permission
The contents described in Chapter 3 were published as a journal paper:
Dai Yamamoto, Kazuo Sakiyama, Mitsugu Iwamoto, Kazuo Ohta, Masahiko Takenaka,
and Kouichi Itoh, Variety enhancement of PUF responses using the locations of random
outputting RS latches, Journal of Cryptographic Engineering, 3(4):197-211, 2013.
This is an open access article, which permits the use of this dissertation.
We obtained from the International Association for Cryptologic Research (IACR), the permis-
sion to reuse the contents described in Chapter 3 which were first published as a conference paper:
Dai Yamamoto, Kazuo Sakiyama, Mitsugu Iwamoto, Kazuo Ohta, Takao Ochiai,
Masahiko Takenaka, and Kouichi Itoh, Uniqueness Enhancement of PUF Responses
Based on the Locations of Random Outputting RS Latches, In Workshop on Cryptographic
Hardware and Embedded Systems 2011 (CHES 2011), volume 6917 of Lecture Notes in
Computer Science (LNCS), pages 390–406, Springer, 2011.
We obtained from IEEE, the permission to reuse the contents described in Chapter 4 which
were published as a conference paper:
Dai Yamamoto, Masahiko Takenaka, Kazuo Sakiyama, and Naoya Torii, Security Evaluation
of Bistable Ring PUFs on FPGAs using Differential and Linear Analysis, In Workshop
on Emerging Aspects in Information Security (EAIS 2014), pages 917–924, IEEE, 2014.
We obtained from Springer International Publishing Switzerland, the permission to reuse the
contents described in Chapter 5 which were published as a journal paper:
Dai Yamamoto, Kazuo Sakiyama, Mitsugu Iwamoto, Kazuo Ohta, Masahiko Takenaka,
Kouichi Itoh, and Naoya Torii, A new method for enhancing variety and maintaining relia-
bility of PUF responses and its evaluation on ASICs, Journal of Cryptographic Engineering
(Accepted), Springer, 2014.
We obtained from Springer International Publishing Switzerland, the permission to reuse the
contents described in Chapter 6 which were published as a conference paper:
Dai Yamamoto, Masahiko Takenaka, Kazuo Sakiyama, and Naoya Torii, A Technique us-
ing PUFs for Protecting Circuit Layout Designs against Reverse Engineering, In Interna-
tional Workshop on Security (IWSEC 2014), volume 8639 of Lecture Notes in Computer
Science (LNCS), pages 158–173, Springer, 2014.

Acknowledgements
This doctoral dissertation consists of a summary of my doctoral research from April 2013
to March 2015 at the Graduate School of Informatics and Engineering of the University of
Electro-Communications (UEC), Tokyo, Japan. I really appreciate all people who have helped
me throughout my life, including this doctoral program.
First of all, I would like to express my sincere gratitude to Professor Kazuo Sakiyama, my
supervisor, who accepted me as a working doctoral student, and has given me a lot of useful advice
in research discussion. I also thank him for giving me a chance to stay as a visiting researcher
for one year at Computer Security and Industrial Cryptography (COSIC) research group in KU
Leuven, Belgium. This experience was very important for me to build a foundation in the research
field of PUFs.
I also would like to express my appreciation for members of supervisory committee for my
PhD defense: Professor Haruhisa Ichikawa, Professor Kazuo Ohta, Professor Hiroshi Yoshiura
and Professor Koichiro Ishibashi who have given me a lot of valuable advice and suggestion to
improve the presentation of this dissertation.
I really appreciate my collaborating researchers. Associate Professor Mitsugu Iwamoto has
kindly supported me, especially with knowledge on information theory. Dr. Masahiko Takenaka
and Dr. Kouichi Itoh have given me essential inspiration about research direction, through our
daily wonderful discussion.
I am very grateful to Mr. Naoya Torii, my boss in Fujitsu Laboratories Ltd., who allowed me
to start my doctoral program and use research contributions in my doctoral dissertation. I also
express my appreciation to Mr. Ikuya Morikawa, my immediate superior in Fujitsu Laboratories
Ltd., who always understood my doctoral program and gave me valuable advice.
I would like to express my deep gratitude to Professor Ingrid Verbauwhede at COSIC in KU
Leuven, Belgium. She warmly welcomed me as a visiting researcher at COSIC. Thanks to her
support, I was able to have a good time, not only for research discussion on PUFs, but also for
wonderful experience in daily life. Also, special thanks to Dr. Gabriel Hospodar, Dr. Roel Maes
and other colleagues at COSIC for valuable discussions on PUFs during my stay in Leuven.
I have special appreciation to Honorary Professor Koso Murakami and Professor Hideki Tode,
who were my supervisors when I was a graduate student at Osaka University. They provided me
with a foundation on which to build my career as a scientist.
I would like to say thanks to Mr. Takanori Machida who is my closest collaborator in Sakiyama
Laboratory, Assistant Professor Yang Li and Ms. Yoko Ishii who have helped and supported me
at UEC, and all the others who belong to Sakiyama Laboratory, Ohta and Iwamoto Laboratory in
UEC, and Secure Computing Laboratory in Fujitsu Laboratories Ltd.
Last but not least, I would like to acknowledge my friends who have shared happiness and
sadness with me. I am very much thankful to my parents for their understanding, encouragement
and perpetual support. I also appreciate my family, Mariko and Ren. I am sure that I would
never have finished this doctoral dissertation without Mariko’s hearty support and continuous
encouragement.
Dai Yamamoto
March 2015
List of Publications Related and
Referred to the Dissertation
Related Publications
Journal Papers
1. Dai Yamamoto, Kazuo Sakiyama, Mitsugu Iwamoto, Kazuo Ohta, Masahiko Takenaka,
Kouichi Itoh, and Naoya Torii, A new method for enhancing variety and maintaining relia-
bility of PUF responses and its evaluation on ASICs, Journal of Cryptographic Engineering
(Accepted), Springer, 2014. (The contents of Chapter 5)
Refereed Conference Papers (with Formal Proceedings)
1. Dai Yamamoto, Masahiko Takenaka, Kazuo Sakiyama, and Naoya Torii, Security Evaluation
of Bistable Ring PUFs on FPGAs using Differential and Linear Analysis, In Workshop
on Emerging Aspects in Information Security (EAIS 2014), pages 917–924, IEEE, 2014.
(The contents of Chapter 4)
2. Dai Yamamoto, Masahiko Takenaka, Kazuo Sakiyama, and Naoya Torii, A Technique us-
ing PUFs for Protecting Circuit Layout Designs against Reverse Engineering, In Interna-
tional Workshop on Security (IWSEC 2014), volume 8639 of Lecture Notes in Computer
Science (LNCS), pages 158–173, Springer, 2014. (The contents of Chapter 6)
Referred Publications
Journal Papers
1. Dai Yamamoto, Kazuo Sakiyama, Mitsugu Iwamoto, Kazuo Ohta, Masahiko Takenaka,
and Kouichi Itoh, Variety enhancement of PUF responses using the locations of random
outputting RS latches, Journal of Cryptographic Engineering, 3(4):197-211, 2013. (The
contents of Chapter 3)
Refereed Conference Papers (with Formal Proceedings)
1. Dai Yamamoto, Kazuo Sakiyama, Mitsugu Iwamoto, Kazuo Ohta, Takao Ochiai,
Masahiko Takenaka, and Kouichi Itoh, Uniqueness Enhancement of PUF Responses
Based on the Locations of Random Outputting RS Latches, In Workshop on Cryptographic
Hardware and Embedded Systems 2011 (CHES 2011), volume 6917 of Lecture Notes in
Computer Science (LNCS), pages 390–406, Springer, 2011. (The contents of Chapter 3)
List of All Publications
Journal Papers
1. Dai Yamamoto, Kazuo Sakiyama, Mitsugu Iwamoto, Kazuo Ohta, Masahiko Takenaka,
Kouichi Itoh, and Naoya Torii, A new method for enhancing variety and maintaining relia-
bility of PUF responses and its evaluation on ASICs, Journal of Cryptographic Engineering
(Accepted), Springer, 2014.
2. Dai Yamamoto, Kazuo Sakiyama, Mitsugu Iwamoto, Kazuo Ohta, Masahiko Takenaka,
and Kouichi Itoh, Variety enhancement of PUF responses using the locations of random
outputting RS latches, Journal of Cryptographic Engineering, 3(4):197-211, 2013.
3. ????,???,????,????,????,????,?????????????
??????????,???????????, J95-A(5):446–455, 2012.
4. Dai Yamamoto, Kouichi Itoh, and Jun Yajima, Compact Architecture for ASIC and FPGA
Implementation of the KASUMI Block Cipher, IEICE Transactions on Fundamentals of
Electronics Communications and Computer Sciences, E94-A(12):2628–2638, 2011.
5. Dai Yamamoto, Jun Yajima, and Kouichi Itoh, Compact Architecture for ASIC Implemen-
tation of the MISTY1 Block Cipher, IEICE Transactions on Fundamentals of Electronics
Communications and Computer Sciences, E93-A(1):3–12, 2010.
6. Kouichi Itoh, Dai Yamamoto, Jun Yajima, and Wakaha Ogata, Collision-based Power At-
tack for RSA with Small Public Exponent, IEICE Transactions on Fundamentals of Elec-
tronics Communications and Computer Sciences, E92-A(5):897–908, 2009.
7. Dai Yamamoto, Hideki Tode, Toshihiro Masaki, and Koso Murakami, Design and Experi-
mental Evaluation of a Scheme for Maximal Improvement of End-to-End QoS in Hetero-
geneous IP Networks, IEICE Transactions on Communications, E91-B(3):733–741, 2008.
Refereed Conference Papers (with Formal Proceedings)
1. Takanori Machida, Dai Yamamoto, Mitsugu Iwamoto, and Kazuo Sakiyama, Implementa-
tion of Double Arbiter PUF and Its Performance Evaluation on FPGA, In Asia and South
Pacific Design Automation Conference (ASP-DAC 2015), University Design Contest, pages
6–7, 2015.
2. Dai Yamamoto, Masahiko Takenaka, Kazuo Sakiyama, and Naoya Torii, Security Evaluation
of Bistable Ring PUFs on FPGAs using Differential and Linear Analysis, In Workshop
on Emerging Aspects in Information Security (EAIS 2014), pages 917–924, IEEE, 2014.
3. Takanori Machida, Dai Yamamoto, Mitsugu Iwamoto, and Kazuo Sakiyama, A New Mode
of Operation for Arbiter PUF to Improve Uniqueness on FPGA, In Workshop on Emerging
Aspects in Information Security (EAIS 2014), pages 877–884, IEEE, 2014.
4. Dai Yamamoto, Masahiko Takenaka, Kazuo Sakiyama, and Naoya Torii, A Technique us-
ing PUFs for Protecting Circuit Layout Designs against Reverse Engineering, In Interna-
tional Workshop on Security (IWSEC 2014), volume 8639 of Lecture Notes in Computer
Science (LNCS), pages 158–173, Springer, 2014.
5. Hirotaka Kokubo, Dai Yamamoto, Masahiko Takenaka, Kouichi Itoh, and Naoya Torii,
Evaluation of ASIC Implementation of Physical Random Number Generators using RS
Latches, In International Conference on Smart Card Research and Advanced Applications
(CARDIS 2013), volume 8419 of Lecture Notes in Computer Science (LNCS), pages 3–15,
Springer, 2014.
6. Dai Yamamoto, Gabriel Hospodar, Roel Maes, and Ingrid Verbauwhede, Performance and
Security Evaluation of AES S-Box-based Glitch PUFs on FPGAs, In International Confer-
ence on Security, Privacy and Applied Cryptographic Engineering (SPACE 2012), volume
7644 of Lecture Notes in Computer Science (LNCS), pages 45–62, Springer, 2012.
7. Dai Yamamoto, Kazuo Sakiyama, Mitsugu Iwamoto, Kazuo Ohta, Takao Ochiai,
Masahiko Takenaka, and Kouichi Itoh, Uniqueness Enhancement of PUF Responses
Based on the Locations of Random Outputting RS Latches, In Workshop on Cryptographic
Hardware and Embedded Systems (CHES 2011), volume 6917 of Lecture Notes in
Computer Science (LNCS), pages 390–406, Springer, 2011.
8. Dai Yamamoto, Kouichi Itoh, and Jun Yajima, A Very Compact Hardware Implementation
of the KASUMI Block Cipher, In Workshop in Information Security Theory and Practice
Series (WISTP 2010), volume 6033 of Lecture Notes in Computer Science (LNCS), pages
293–307, Springer, 2010.
9. Dai Yamamoto, Jun Yajima, and Kouichi Itoh, A Very Compact Hardware Implementation
of the MISTY1 Block Cipher, In Workshop on Cryptographic Hardware and Embedded
Systems (CHES 2008), volume 5154 of Lecture Notes in Computer Science (LNCS), pages
315–330, Springer, 2008.
10. Dai Yamamoto, Hideki Tode, Toshihiro Masaki, and Koso Murakami, Design and Empir-
ical Evaluation of Control Scheme for End-to-End Delay Stabilization and Packet Loss
Improvement in Broadband IP Network, In International Conference on Computer Com-
munications and Networks (ICCCN 2007), pages 549–555, IEEE, 2007.
11. Dai Yamamoto, Rie Fujita, Hideki Tode, Toshihiro Masaki, and Koso Murakami, A
Method for Guaranteeing End-to-End Delay by Mutual Cooperation between IP Routers,
In IEEE Conference on Local Computer Networks (LCN 2005), pages 511–512, IEEE,
2005.
Refereed Conference Papers (with No Formal Proceedings)
1. Takao Ochiai, Dai Yamamoto, Kouichi Itoh, Masahiko Takenaka, Naoya Torii, Daisuke
Uchida, Toshiaki Nagai, and Shinichi Wakana, Electromagnetic Side-Channel Attack: Ex-
perimental Proof of Local Information, Register-Location of FPGA (Extended abstract), In
Workshop Record of International Workshop on Information Security Applications (WISA
2010), 2010.
Preprints
1. Naoya Torii, Dai Yamamoto, Masahiko Takenaka, and Tsutomu Matsumoto, Dynamic
Behavior of RS latches using FIB Processing and Probe Connection, Cryptology ePrint
Archive, Report 2014/870, 2014.
Presentations
1. ????,???,????,???, FIB????????????? RS??????
?I?, 2015?????????????????? (SCIS 2015), 2B2-3, 2015.
2. ???,????,????,???, FIB????????????? RS??????
?II?, 2015?????????????????? (SCIS 2015), 2B2-4, 2015.
3. ????,???,????,???,????,??????????????????
????????, 2015 ?????????????????? (SCIS 2015), 3B2-2,
2015.
4. ???,????,????, PUF??????????????, 2014???????
??????????? (SCIS 2014), 2A1-1, 2014.
5. ????,???,???,????, FPGA????? Arbiter PUF?????????
??????, 2014?????????????????? (SCIS 2014), 2A1-5, 2014.
6. ?????, ???, ????, ????, ????, RS ??????????????
??????????? ASIC????, 2014??????????????????
(SCIS 2014), 3A3-2, 2014.
7. ???,????,???,????,????,????,????,?????????
?????????? PUF? ASIC????, 2013???????????????
??? (SCIS 2013), 2E2-2, 2013.
8. ???, ????, ????, Bistable Ring PUF ? FPGA ????????, 2013 ??
???????????????? (SCIS 2013), 2E2-3, 2013.
9. ?????, ???, ????, ????, ????, RS ??????????????
?? ASIC????, 2013?????????????????? (SCIS 2013), 2E2-5,
2013.
10. Dai Yamamoto, Kazuo Sakiyama, Mitsugu Iwamoto, Kazuo Ohta, Takao Ochiai,
Masahiko Takenaka, and Kouichi Itoh, [Invited Talk] Uniqueness Enhancement of PUF
Responses Based on the Locations of Random Outputting RS Latches,????????
??????, ISEC2011-68, page 29, 2011.
11. ???,????,???,????,????,????,????,?????????
?????? PUF ??? ID ?????????????????, 2011 ?????
????????????? (SCIS 2011), 2D1-1, 2011.
12. ????,???,????,????,????,????,????,????,???,
????,????,???????????????????????, 2011????
?????????????? (SCIS 2011), 2D3-3, 2011.
13. ???, ????, ????, ????, ????, ????, ????, ????, ??
???????????, 2010 ?????????????????? (SCIS 2010),
3B1-2, 2010.
14. ????,???,????,????,????,????,????,????, SASEBO
??????????????? FPGA ???????, 2010 ??????????
???????? (SCIS 2010), 1B2-4, 2010.
15. ????, ???, ????, ????, ?????????????????????
???????????, 2010 ?????????????????? (SCIS 2010),
2B3-3, 2010.
16. ????, ???, ????, ????, ????, ????, ????, ????, ???
????? FPGA?????????,??????????????, ISEC2009-113,
pages 217–223, 2010.
17. ???,????,???,????????? KASUMI?????????????,
2009?????????????????? (SCIS 2009), 2C2-1, 2009.
18. ????, ???, ????, ????, ????, ????????????????
????????, 2009 ?????????????????? (SCIS 2009), 2A1-3,
2009.
19. ????, ???, ???, ?????, ?????????????????????
?,?????????????????? 2008(CSS 2008), 2008.
20. ???, ???, ????, ????????? MISTY1 ?????????????,
2008?????????????????? (SCIS 2008), 2C2-1, 2008.
21. ???,????,????,????, QoS??????????? End-to-End???
???????,??????????????, NS2006-92, pages 123–128, 2006.
22. ?????,????,???,????,????,????????????????
???????????????????????, ??????????????,
NS2006-40, pages 17–20, 2006.
23. ?????,????,???,????,????,????????????????
?????????????????????????, 2006???????????
??, B-6-96, 2006.
24. ???, ????, ????, ????, ????, End-to ? End ??????????
?????,??????????????, NS2005-94, pages 83–86, 2005.
25. ???,????,????,????,????,????,????????? End-to-
End???????????, 2005?????????????, B-6-59, 2005.
Author Biography
Dai Yamamoto was born in Kobe, Japan, on February 3, 1982. He received the B.E. and M.E.
degrees in information networking from Osaka University, Osaka, Japan, in March 2005 and
March 2007, respectively. He joined FUJITSU LABORATORIES LTD. in April 2007 and he
has worked on the research and development of secure embedded devices. His research interests
include Physically Unclonable Functions (PUFs), physical true random number generators,
and highly efficient hardware implementations of cryptosystems. He was a visiting researcher at
the KU Leuven, Belgium, from October 2011 to October 2012. Since April 2013, he has been
working towards a PhD under the supervision of Professor Kazuo Sakiyama, at the Department
of Informatics in the Graduate School of Informatics and Engineering, The University of Electro-
Communications, Tokyo, Japan. He was awarded the Symposium on Cryptography and Informa-
tion Security (SCIS) paper prize in 2014.
He is a member of the Institute of Electronics, Information and Communication Engineers
(IEICE) of Japan. He was a program committee member of the 14th International
Workshop on Cryptographic Hardware and Embedded Systems 2012 (CHES 2012), the 15th In-
ternational Workshop on Cryptographic Hardware and Embedded Systems 2013 (CHES 2013),
the 8th International Workshop on Security (IWSEC 2013), the 4th International Symposium on
Highly Ecient Accelerators and Reconfigurable Technologies (HEART 2013), the 9th Interna-
tional Workshop on Security (IWSEC 2014), and Special Session on Architectures and Hardware
for Security Applications (AHSA) of the 17th Euromicro Conference on Digital Systems Design
(DSD 2014) and of the 18th Euromicro Conference on Digital Systems Design (DSD 2015).
