Machine Learning Attack and Defense on Voltage Over-scaling-based
  Lightweight Authentication by Zhang, Jiliang & Su, Haihan
Jiliang Zhang, Member, IEEE, Haihan Su, Gang Qu, Senior Member, IEEE
Abstract—It is a challenging task to deploy lightweight security protocols in resource-constrained IoT applications. A hardware-oriented lightweight authentication protocol based on a device signature generated during voltage over-scaling (VOS) was recently proposed to address this issue. VOS-based authentication employs a computation unit such as an adder to generate process-variation-dependent errors, which are combined with secret keys to create a two-factor authentication protocol. In this paper, machine learning (ML)-based modeling attacks that break such authentication are presented. We also propose a challenge self-obfuscation structure (CSoS), which employs previous challenges combined with keys or random numbers to obfuscate the current challenge so that VOS-based authentication resists ML attacks. Experimental results show that ANN, RNN and CMA-ES can clone the challenge-response behavior of VOS-based authentication with up to 99.65% prediction accuracy, while the prediction accuracy is less than 51.2% after deploying our proposed ML-resilient technique. In addition, our proposed CSoS also shows good obfuscation ability for strong PUFs. Experimental results show that the modeling accuracies are below 54% when $10^6$ CRPs are collected to model the CSoS-based Arbiter PUF with ML attacks such as LR, SVM, ANN, RNN and CMA-ES.
I. INTRODUCTION
The Internet of Things (IoT) is a novel networking paradigm which connects a variety of things or objects to the Internet through sensor technology, radio frequency identification (RFID), communication technology, computer networks and database technology [1]. According to the IHS forecast [2], the IoT market will grow from an installed base of 15.4 billion devices in 2015 to 30.7 billion devices in 2020 and 75.4 billion in 2025. With the increasing number of IoT devices, security issues have attracted much attention. For example, in 2016, America suffered the largest DDoS attack in history [3]. The cyber-attack that brought down much of America's internet was caused by the Mirai botnet, a worm-like family of malware that infected IoT devices and corralled them into a DDoS botnet [4]. Therefore, secure and efficient defenses need to be deployed for IoT devices.
Secret key storage and device authentication are two key technologies for IoT security. Traditional key generation and authentication techniques are based on classical cryptography, which requires expensive secret key storage and high-complexity cryptographic algorithms. In many IoT applications, resources like CPU, memory, and battery power are limited and cannot afford the classic cryptographic security solutions. Therefore, lightweight solutions for IoT security are urgently needed.

Fig. 1. The structure of Arbiter PUF [11].

This work is supported by the National Natural Science Foundation of China (Grant No. 61874042, 61602107), the Hu-Xiang Youth Talent Program (Grant No. 2018RS3041), the National Natural Science Foundation of Hunan Province, China (Grant No. 618JJ3072), the 2017 CCF-IFAA RESEARCH FUND, and the Fundamental Research Funds for the Central Universities.
J. Zhang and H. Su are with the College of Computer Science and Electronic Engineering, Hunan University, Changsha 410082, China (e-mail: zhangjiliang@hnu.edu.cn).
G. Qu is with the Department of Electrical and Computer Engineering, University of Maryland, College Park, MD 20742 USA (e-mail: gangqu@umd.edu).
Physical unclonable functions (PUFs) [5], [6] and the recently proposed voltage over-scaling (VOS) based authentication [7] are two emerging lightweight security primitives for IoT device authentication.

PUFs use a random factor caused by process variations in manufacturing to generate unclonable responses to challenges in order to authenticate devices. Since the PUF was introduced [9], it has attracted much attention as a low-cost alternative solution for key generation and device authentication, and hence many different PUF structures have been proposed. PUFs can be broadly categorized into strong PUFs [10]–[14] and weak PUFs [15]–[18]. A weak PUF produces a small number of stable challenge-response pairs (CRPs) that can be used as unique keys or seeds for traditional encryption systems. SRAM PUF [15] and ring oscillator (RO) PUF [16] are typical weak PUFs. Arbiter PUF [11] is a typical strong PUF; its circuit structure is shown in Fig. 1. Strong PUFs rely on their high entropy content and can provide a huge number of unique CRPs to authenticate the device. However, current strong PUFs are vulnerable to machine learning attacks, in which attackers collect a certain number of CRPs and easily model the PUF. For the traditional Arbiter PUF, a cloned model can be built with a prediction accuracy above 95% after collecting only 650 CRPs, which means the cloned model can exhibit challenge-response behavior similar to that of the original PUF [19].
Compared with PUFs, VOS-based authentication has two advantages [7]: 1) lower power consumption; 2) no additional hardware required. Therefore, VOS-based authentication is more suitable for resource-constrained IoT applications. VOS is a common power reduction technology and can be used for approximate computing [20]. The calculation unit of a digital circuit generates correct results for all inputs under the normal operating voltage, but calculation errors may occur in VOS [21]. Meanwhile, the errors generated by the computing unit in VOS are related to manufacturing process variation and hence can be used as hardware fingerprints for device authentication. Recently, Arafin, Gao and Qu [7] proposed to use such errors generated by the computing unit in VOS as device signatures and designed a two-factor authentication protocol, named voltage over-scaling-based lightweight authentication (VOLtA).

arXiv:1807.07737v2 [cs.CR] 18 Oct 2018
This paper proves that VOLtA is vulnerable to machine learning (ML) attacks. We first reported the ML attacks on VOLtA in [19]. In this article, 1) we elaborate the details of the ML attacks on VOLtA; 2) in order to resist ML attacks, a challenge self-obfuscation structure (CSoS) is newly proposed for VOLtA, and it is a general obfuscation method that can also be used to secure strong PUFs; 3) we verify the effectiveness of the proposed ML attacks and defense on the HSpice platform using the FreePDK 45nm libraries. The main contributions of this paper are as follows.
1) We reevaluate the security of VOLtA. For the first time, we demonstrate that ML attacks such as artificial neural network (ANN), recurrent neural network (RNN) and covariance matrix adaptation evolution strategy (CMA-ES) can break VOLtA successfully. In particular, the prediction accuracy of RNN is up to 99.65%.
2) We propose a CSoS-based ML-resistant authentication protocol that reduces the prediction accuracy of modeling to less than 51.2%.
3) The VOS-based two-factor authentication scheme requires a very long key to encrypt the output, which incurs unacceptable key storage overhead. Our proposed CSoS-based ML-resistant authentication protocol eliminates this weakness.
4) CSoS is not only efficient for VOLtA, but can also be deployed for strong PUFs, where it exhibits good obfuscation ability. After deploying the CSoS, the modeling accuracy for an Arbiter PUF is below 54% with LR, SVM, ANN, RNN and CMA-ES when $10^6$ CRPs are collected.
5) CSoS uses the previous challenges combined with keys or random numbers to obfuscate the current challenge without changing the structure of the authentication circuit, such as VOS-adders and PUFs. Therefore, it will not affect the uniqueness and reliability.
The rest of this paper is organized as follows. Section II introduces some related definitions, concepts and terminologies. Section III gives a detailed security analysis of VOLtA and the ML attack methods. The CSoS-based ML-attack-resistant authentication is elaborated in Section IV. The detailed experimental results are reported in Section V. Finally, we give the conclusion in Section VI.
II. PRELIMINARIES
This section will introduce the principle of generating
calculation errors in the VOS circuit and the ML algorithms
which are used to model the VOLtA.
A. Voltage Over-scaling
In digital signal processing systems, the power consumption $P$ is given by:

$$P = C_L V_{dd}^2 f_s \tag{1}$$

where $V_{dd}$ is the supply voltage, $C_L$ is the effective switching capacitance, and $f_s$ is the clock frequency of the circuit [21]. According to Eqn. (1), the power consumption $P$ decreases with the operating voltage $V_{dd}$. Some techniques employ this feature to reduce the power consumption of a circuit, such as multiple supply voltages [22], variable voltage scaling [23] and the retiming technique [24]. The circuit delay $\tau_d$ is given by:

$$\tau_d = \frac{C_L V_{dd}}{\beta (V_{dd} - V_t)^{\alpha}} \tag{2}$$

where $\alpha$ is the velocity saturation index, $\beta$ is the gate transconductance and $V_t$ is the device threshold voltage [7]. We can see from Eqns. (1) and (2) that the power consumption decreases quadratically and the delay increases dramatically as the supply voltage decreases [25]. With the correct timing constraints, the circuit produces correct outputs for all inputs. However, when the operating voltage is lowered, timing violations may cause calculation errors. In approximate computing, the computing unit performs high-bit calculations at the normal voltage and low-bit calculations in VOS to generate approximate results, which significantly reduces the power consumption [20], [26], [27]. Furthermore, the errors produced by process variation are random and can be reproduced by the original device but are difficult to clone. Therefore, the errors can be used as hardware fingerprints to authenticate devices.
B. Computing Errors
As a common computing unit in digital circuits, the ripple carry adder (RCA) has the potential to preserve process-variation-related artifacts [7]. The principle of errors caused by circuit delay is described in Fig. 2. The gate circuit and truth table of a full-adder (FA) are shown in Fig. 2(a) and Fig. 2(b), respectively. Fig. 2(c) gives the process of generating computing errors, where FA1 is a simplified diagram of Fig. 2(a). For ease of exposition, we assume that the red numbers marked in Fig. 2(a) are the signal transmission delays of the logic gates, and that there is no delay in FA2. In Fig. 2(c), when the clock period of the input signal is '10', the first clock period is as follows.
• At time $t = 0$, the input pulse signal is $\{C_{in1}, A_1, B_1, A_2, B_2\} = \{1, 1, 0, 0, 0\}$;
• At time $t = 10$, since the delay $D_y = 6 + 5 > 10$ at the y-input of the OR gate, the signal '1' is not transmitted to the y-input, hence the signal at the y-input is still '0'. The delay at the x-input of the OR gate is $D_x = 7 < 10$, so the signal '0' is transmitted to the x-input successfully, and thus the $C_{out1}$ output of the OR gate is '0'. The output is $\{S_1, S_2, C_{out2}\} = \{0, 0, 0\} \neq \{0, 1, 0\}$, and the first clock period is over.
The second clock period is as follows.
• At time $t = 10$, the input pulse signal is $\{C_{in1}, A_1, B_1, A_2, B_2\} = \{0, 0, 0, 1, 1\}$;
• At time $t = 20$, since $D_y = 6 + 5 < 20$, the signal '1' from the first clock period is transmitted to $C_{out1}$, and thus the output is $\{S_1, S_2, C_{out2}\} = \{0, 1, 1\} \neq \{0, 0, 1\}$.

Fig. 2. An example of computing error. (a) The gate circuit of a full-adder. (b) The truth table of the full-adder. (c) The generation process of computing errors. An n-bit RCA is connected by n full-adders, and a 2-bit RCA is depicted in (c).

Truth table of Fig. 2(b):
  A1  B1  Cin1  S1  Cout1
  0   0   0     0   0
  0   0   1     1   0
  0   1   0     1   0
  0   1   1     0   1
  1   0   0     1   0
  1   0   1     0   1
  1   1   0     0   1
  1   1   1     1   1

As discussed above, the errors produced by the adder in VOS are related to the current input and the previous inputs.
C. Machine Learning
1) Logistic Regression (LR)
In device authentication, the response bit is '0' or '1', so predicting it is a binary classification problem. LR is a fast binary classification algorithm used in machine learning. As a binary classification model, logistic regression takes multiple inputs in the form of a feature vector $X = (x_1, x_2, \ldots, x_n)$, and the output $Y$ is obtained by inputting $X$ into the classifier. The formula of the classifier is $Y = g(w_0 + w_1 x_1 + w_2 x_2 + \cdots + w_n x_n)$. Usually, LR uses the sigmoid $g(z) = 1/(1 + e^{-z})$ to make $Y$ close to 0 or 1. Arbiter PUFs can be modeled by LR with high accuracy [19], [28].
2) Support Vector Machines (SVM)
SVM [29] can perform binary classification by mapping known training instances into a higher-dimensional space. The goal of SVM training is to find the most suitable separation hyperplane and solve nonlinear classification tasks that cannot be linearly separated in the original space. The separation hyperplane should keep the maximum possible distance from all vectors of the different classes. The vector with the smallest distance to the separation hyperplane is called the support vector. The separation hyperplane is constructed from the two parallel hyperplanes that pass through the support vectors of the different classes. The distance between these hyperplanes is called the margin. The key to constructing a good SVM is to maximize the margin while minimizing classification errors, and the whole process is regulated by the regularization coefficient $\lambda$. In well-trained SVMs, kernel functions are often used to solve the problem of support vector selection and classification difficulties. There are three frequently used kernel functions: 1) linear: $K(w, z) = z^T w$ (only solves linearly separable problems); 2) radial basis function (RBF): $K(w, z) = \exp(-\|w - z\|_2^2 / \sigma^2)$; 3) multi-layer perceptron (MLP): $K(w, z) = \tanh(\alpha z^T w + \beta)$. Training a good SVM classifier always requires adjusting the regularization coefficient $\lambda$ and $\sigma^2$ (RBF) or $(\alpha, \beta)$ (MLP).

Fig. 3. The structure of recurrent neural network
3) Artificial Neural Network (ANN)
An ANN consists of interconnected computational nodes called neurons and has adaptive capability. In other words, an ANN can adjust its weight parameters using the prepared training set to fit the required function. The universal approximation theorem [30] shows that if a feedforward neural network has a linear output layer and at least one hidden layer with an activation function such as sigmoid, it can fit any function with high accuracy as long as there are enough neurons. The simplest neural network consists of a layer with several neurons, called a single layer perceptron (SLP) [31]. For each neuron, all input vectors are weighted, added, biased, and applied to an activation function to generate an output. In the SLP training process, the neuron updates its weights and bias according to a linear feedback function of the prediction error on the training set. When the prediction accuracy or the number of iterations of the trained model reaches the predetermined value, the training process is terminated. This paper uses a simple 2-layer neural network structure to model the logic gates and the obfuscation mechanism with an invariable key, and employs a 3-layer ANN (160 nodes in the first layer, 40 nodes in the second layer and 8 nodes in the third layer) to model VOLtA. In addition, we use sigmoid as the activation function.
4) Recurrent Neural Network (RNN)
RNN is mainly used to deal with sequence data. In the traditional neural network model, from the input layer through the hidden layer to the output layer, the layers are fully connected and the nodes in the same layer are unconnected. However, such a simple neural network structure has difficulty handling sequence data. For example, in natural language processing, it is not enough to comprehend a sentence by understanding each of its words. Neural networks are required to process the sequence of these words. The previous input in the sequence affects the current output, so the network needs to recall the previous information and apply it to the current output calculation. Therefore, the nodes in the same hidden layer are connected, and the input of the hidden layer includes the input layer and the previous hidden layer. Theoretically, an RNN can cope with sequence data of any length. However, in order to reduce the complexity, the current output is usually related to the current input and the previous several inputs.

Fig. 3 shows a typical RNN structure. The previous input is forwarded to the next hidden layer through the previous hidden layer. When the n-bit Ripple Carry Adder is modeled, the carry bit from the previous full-adder is used as the input of the next full-adder. In VOLtA, the current output is related to the previous and current inputs. Therefore, an RNN can model the n-RCA and VOLtA with extremely high modeling accuracy. We will discuss the modeling attacks in detail in Section III.
5) Evolutionary Strategies (ES)
ES [32], [33] is a gradient-free stochastic optimization algorithm with invariance under some transformations, parallel scalability and sufficient theoretical analysis. It is appropriate for medium-scale complex optimization problems. ES constantly searches for a normal distribution by iterations. Usually, the normal distribution of the iterations is written as $N(m, \sigma^2, C)$, where $m$ represents the mean of the central position of the distribution, $\sigma$ represents the step size parameter, and $C$ represents the covariance matrix. The essence of the ES algorithm is to adjust these three parameters to obtain the best possible search results. How the step size parameter and the covariance matrix are adjusted has a very important impact on the convergence rate of the ES algorithm. The basic idea of adjusting the parameters is to mutate in the direction that increases the probability of generating a satisfactory solution. The covariance matrix adaptation evolution strategy (CMA-ES) is a global optimization algorithm developed on the basis of the evolution strategy (ES) [32]. It combines the reliability and globality of ES with the adaptiveness of covariance matrices, and can solve complex multiple-peak optimization problems. Currently, CMA-ES has attracted much attention in the optimization field due to its exceptional performance and computational efficiency [33]. In addition, the CMA-ES algorithm does not use gradient information in the optimization process. Therefore, as long as the attack model is established, CMA-ES can also effectively attack VOLtA.
III. SECURITY ANALYSIS AND MODELING ATTACKS ON
VOLTA
This section introduces VOLtA and analyzes its security in detail; finally, several ML algorithms are proposed to model VOLtA.
A. VOLtA
VOLtA is a two-factor authentication scheme, where the two factors are a secret key K and the adder that generates errors in VOS (VOS-adder). The authentication protocol is illustrated in Fig. 4. Assume that Alice is the server and Bob is the device that carries an adder. The authentication protocol is divided into two phases. In the registration phase, Bob has an adder and a key K = {k1, k2}, and Alice has the key K and the adder model M of Bob. In the authentication phase, 1) Alice generates a random challenge C and sends it to Bob; 2) Bob calculates L = adder(C, k1) using the VOS-adder, then computes R = L ⊕ k2, and sends R to Alice; 3) Alice calculates L = R ⊕ k2 and L′ = M(C, k1). If the difference between L and L′ meets the threshold condition, Alice authenticates Bob.

Fig. 4. The voltage over-scaling-based lightweight authentication protocol [7], where adder() is the function of the adder in VOS and distance(L, L′) can be measured by common distance measurement functions such as Hamming distance or Euclidean distance.

  Registration
    Device (Bob):   has an adder and a key K = (k1, k2)
    Server (Alice): has a key K = (k1, k2) and the model M of Bob's adder
  Authentication
    Alice: selects a random challenge C and sends C to Bob
    Bob:   L = adder(C, k1); R = L ⊕ k2; sends R to Alice
    Alice: L = R ⊕ k2, L′ = M(C, k1);
           if distance(L, L′) < T then Alice authenticates Bob (T is the threshold)
B. Security Analysis for VOLtA
In VOLtA, devices must carry the adder and the correct key K; otherwise the authentication fails. However, the constant key has low obfuscation ability. In addition, the VOS-adder is vulnerable to ML attacks. Therefore, VOLtA suffers from the security issues discussed below.
1) Security Analysis of Constant Key
As shown in Fig. 2(a), the inputs of the full-adder are $\{A_1, B_1, C_{in1}\}$, and the outputs are $\{S_1, C_{out1}\}$. Assume that the key $k_1$ is input to $A_1$ and the random challenge $C$ is input to $B_1$. For 1-bit calculation, the input $A_1$ is unchanged because $k_1$ is constant. We can see from Fig. 2(b) that if $A_1 = 0$, then $S_1 = B_1 \oplus C_{in1}$ and $C_{out1} = B_1 \,\&\, C_{in1}$; if $A_1 = 1$, then $S_1 = \,!(B_1 \oplus C_{in1})$ and $C_{out1} = B_1 \,|\, C_{in1}$. With the constant key $k_1$, the full-adder only implements the function of two logic gates, which does not increase the difficulty of modeling the authentication protocol: without the constant key $k_1$ we would need to model a full-adder, whereas with the constant key $k_1$ we only need to model the combination of two logic gates. Besides, VOLtA uses the key $k_2$ to obfuscate the output. In what follows, we further discuss the obfuscation effectiveness of the key $k_2$.

Assume that $R = L \oplus k_2$. For 1-bit calculation, if $k_2 = 0$, then $R = L$; if $k_2 = 1$, then $R = \,!L$, which shows that when the output is obfuscated by the constant key, the $i$-th output bit is always either unchanged or flipped. For instance, when the adder calculates 4 times, the outputs are $L_{1\sim4} = \{1011_1, 0011_2, \ldots, 1010_8\}$, the key is $k_2 = \{1_1, 0_2, \ldots, 1_8\}$, and the responses are $R_{1\sim4} = \{0100_1, 0011_2, \ldots, 0101_8\}$ after the XOR obfuscation. Obviously, when the $i$-th key bit $k_{2,i} = 1$, the $i$-th response bit is inverted (positions 1 and 8 of $R_{1\sim4}$ in this example); when the $i$-th key bit $k_{2,i} = 0$, the $i$-th response bit remains unchanged. We just need to establish an ML model for the $i$-th output bit to implement similar functions.

Fig. 5. A calculation example of VOLtA. In (a), the challenge C and the key k1 are calculated by the VOS-adder to generate L, then L and the key k2 are XORed to generate response R. An example of the computing process is given in (b), in which the red numbers indicate the computing errors. The response example of 5 times authentication is shown in (c). We call the data in red box as horizontal data, and the data in blue box as vertical data.

As analyzed above, defenses that use constant keys to obfuscate the output are unable to resist ML attacks.
2) Complexity of Challenge-response Mapping
VOLtA employs CRPs to authenticate devices. The challenge-response (CR) mapping depends on the calculation errors generated by a VOS-adder. As long as enough effective CRPs are collected, ML algorithms can model the VOS-adder to simulate its CR behavior. In VOLtA [7], if the length of the random challenge C is 8*n bits, the key K is 16*n bits (k1 and k2 are both 8*n bits), which incurs unacceptable key storage overhead. For example, if a 52*40 pixels image is used as the challenge for authentication, the required key K will be 16*52*40 = 33,280 bits. Ignoring the key storage overhead, we now discuss the complexity of the CR mapping.
A calculation example of VOLtA is illustrated in Fig. 5. The adder performs each addition and XOR operation with the corresponding k1 and k2. Therefore, the horizontal data are obfuscated by different keys, so that horizontal data cannot be used to train the model with high accuracy. However, from the perspective of vertical data, the key used by the i-th byte of C is the same every time, and the calculation of the data in the blue box (see Fig. 5(b) and Fig. 5(c)) uses the same key. Therefore, we can use the data in the blue box to model the operation of its corresponding byte, and VOLtA can be modeled using valid CRPs with high prediction accuracy.
C. Modeling Attacks on VOLtA
As analyzed above, we need to model the logic gates first. The common logic gates include the NOT gate, AND gate, OR gate and XOR gate, where the XOR gate is linearly inseparable and hence is often used to encrypt information in cryptography. However, XOR can be implemented by other logic operations. For example,

$$a \oplus b = (a \,\&\, !b) \,|\, (!a \,\&\, b) \tag{3}$$

where '!' is NOT, '&' is AND, '|' is OR and '⊕' is XOR. Besides, NOT, AND, OR and XOR can be approximated as:

$$!a = 1 - a \tag{4}$$
$$a \,\&\, b \approx f_{and}(a, b) = \mathrm{sigmoid}(20a + 20b - 30) \tag{5}$$
$$a \,|\, b \approx f_{or}(a, b) = \mathrm{sigmoid}(20a + 20b - 10) \tag{6}$$
$$a \oplus b \approx f_{xor}(a, b) = f_{or}(f_{and}(a, 1 - b), f_{and}(1 - a, b)) \tag{7}$$

where $\mathrm{sigmoid}(x) = 1/(1 + e^{-x})$, which is a common activation function in neural networks. Substituting Eqns. (4), (5) and (6) into Eqn. (3), the approximate Eqn. (7) for XOR is obtained. Based on this, we design the neural network structure shown in Fig. 6(c) to model the XOR gate, where $x_1 \approx a \,\&\, !b$, $x_2 \approx \,!a \,\&\, b$ and $y \approx x_1 \,|\, x_2$. To model the required functions, we expand the number of neurons in the hidden layer to 10, and set the edges with random weight parameters to model any logic gate; when the obfuscation mechanism which employs the constant key is modeled, the weights of the edges are set to the red numbers in Fig. 6(c) and neuron b is set to a random parameter.
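
The reduction argued in Section III-B.1 and the gate approximations of Eqns. (4)-(7) can be checked together. The Python code below is an added example, not code from the paper: it builds one constant-key adder stage from the sigmoid units, chains eight stages through the carry as in Fig. 6(b), and compares the result with the exact response ((C + k1) mod 256) ⊕ k2. It covers the error-free adder only; the function names, the LSB-first bit order and the sample keys are assumptions made for the illustration.

```python
"""Constant-key VOLtA stage expressed with the sigmoid gate units of Eqns. (4)-(7).

Added illustration. Only the error-free 8-bit ripple-carry adder is modelled;
the device-specific VOS timing errors are what training would fit on top.
"""
import math
from itertools import product


def sigmoid(x: float) -> float:
    return 1.0 / (1.0 + math.exp(-x))


def f_not(a: float) -> float:            # Eqn. (4)
    return 1.0 - a


def f_and(a: float, b: float) -> float:  # Eqn. (5)
    return sigmoid(20 * a + 20 * b - 30)


def f_or(a: float, b: float) -> float:   # Eqn. (6)
    return sigmoid(20 * a + 20 * b - 10)


def f_xor(a: float, b: float) -> float:  # Eqn. (7)
    return f_or(f_and(a, f_not(b)), f_and(f_not(a), b))


def full_adder(a: int, b: int, cin: int):
    """Exact full adder of Fig. 2(b): returns (S, Cout)."""
    return a ^ b ^ cin, (a & b) | (cin & (a ^ b))


def reduced_adder(k1_bit: int, b: int, cin: int):
    """Two-gate form derived in the text when A1 is pinned to a key bit."""
    if k1_bit == 0:
        return b ^ cin, b & cin
    return 1 - (b ^ cin), b | cin


def reduction_holds() -> bool:
    """True if the two-gate form equals the full adder on every input."""
    return all(full_adder(a, b, cin) == reduced_adder(a, b, cin)
               for a, b, cin in product((0, 1), repeat=3))


def soft_stage(k1_bit: int, k2_bit: int, b: float, cin: float):
    """One bit position built only from sigmoid units.

    Returns (soft response bit R = S xor k2, soft carry out)."""
    s = f_xor(b, cin)
    carry = f_and(b, cin)
    if k1_bit:                      # A1 = 1: S is inverted, carry becomes OR
        s, carry = f_not(s), f_or(b, cin)
    return (f_not(s) if k2_bit else s), carry


def soft_rca8(c: int, k1: int, k2: int) -> int:
    """Eight chained stages; the carry of stage i feeds stage i+1 (LSB first)."""
    carry, out = 0.0, 0
    for i in range(8):
        r, carry = soft_stage((k1 >> i) & 1, (k2 >> i) & 1, (c >> i) & 1, carry)
        out |= round(r) << i
    return out


def exact_response(c: int, k1: int, k2: int) -> int:
    """Error-free VOLtA response byte: R = adder(C, k1) xor k2."""
    return ((c + k1) & 0xFF) ^ k2


def mismatches(keys) -> int:
    """Count challenge bytes where the sigmoid chain disagrees with the adder."""
    return sum(soft_rca8(c, k1, k2) != exact_response(c, k1, k2)
               for k1, k2 in keys for c in range(256))


# Constructed sample key pairs (k1, k2); not taken from the paper.
SAMPLE_KEYS = [(0x00, 0x00), (0xFF, 0xFF), (0xA5, 0x3C), (0x5A, 0xC3)]

if __name__ == "__main__":
    print("two-gate reduction holds:", reduction_holds())
    print("mismatching bytes:", mismatches(SAMPLE_KEYS))
```

Because the key bits only select which fixed gates appear in each stage, a fixed-size network reproduces the keyed adder for every key, which is why the constant keys add no modeling difficulty.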
The attack model of VOLtA is shown in Fig. 6. Since the current output in VOLtA is related to the current input and the previous input, the input of the model is adjusted to learn the effective mapping between input and output. As shown in Fig. 6(a), the current input is combined with the previous inputs to create the actual input $X_t = \{x_{t-(m-1)}, \ldots, x_{t-2}, x_{t-1}, x_t\}$, where $m$ denotes the number of input bytes, $x_t$ denotes the input at time $t$, and $x_{t-m,i}$ denotes the $i$-th bit of the input at time $t-m$. We use the vertical data to model VOLtA. The neural network model of the 8-bit Ripple Carry Adder (8-RCA) is shown in Fig. 6(b): the $i$-th bit of the 8-RCA is input to $M_i$, and $M_{i-1}$ serves as an input of $M_i$, which is a typical RNN structure. The XOR obfuscation mechanism is shown in Fig. 6(c). All weight parameters $W$ are random numbers that need to be adjusted.
IV. CHALLENGE SELF-OBFUSCATION STRUCTURE
To resist ML attacks, this paper proposes a challenge self-obfuscation structure (CSoS). This section introduces the CSoS and the CSoS-based authentication protocol for VOLtA in detail. In addition, the hardware implementation and security analysis of CSoS for VOLtA and the Arbiter PUF are introduced.
A. The CSoS
The errors generated by the VOS-adder are related to input timing, and the current output is determined by the current input and the previous input. If the correlation among inputs is enhanced or the input is obfuscated, ML modeling attacks become difficult.
The key idea of CSoS is to combine the previous input with secret keys and random numbers to generate dynamic new keys, and to exploit the new keys to obfuscate the current input. Taking the 8-RCA as an example, assume that the challenge is $C = \{c_1, c_2, \ldots, c_t\}$ and the keys are $k_1$ and $k_2$; the obfuscated challenge $C' = \{c'_1, c'_2, \ldots, c'_t\}$ can then be expressed as:

$$c'_i = k_1 \oplus g_i \tag{8}$$
$$g_i = f(c_1, k_{2,1}) \oplus f(c_2, k_{2,2}) \oplus \cdots \oplus f(c_{i-1}, k_{2,(i-2)\%8+1}) \oplus c_i \tag{9}$$
$$f(x, y) = \begin{cases} x, & \text{if } y = 1 \\ 00\ldots00, & \text{if } y = 0 \end{cases} \tag{10}$$

Fig. 6. The attack model of VOLtA.

Fig. 7. The obfuscation process of CSoS

In Eqn. (9), an 8-bit key $k_2$ is used to obfuscate the intermediate calculation values $G = \{g_1, g_2, \ldots, g_t\}$. For instance, let $k_2 = 10100101$, where $k_{2,i}$ denotes the $i$-th bit of $k_2$. The obfuscation process of CSoS is shown in Fig. 7, where a connection between $c_i$ and $g_i$ indicates XOR, i.e., $g_3$ is connected with $\{c_1, c_3\}$ to indicate that $g_3 = c_1 \oplus c_3$, and $g_4$ is connected with $\{c_1, c_3, c_4\}$ to indicate that $g_4 = c_1 \oplus c_3 \oplus c_4$. Since the attackers do not know $k_1$ and $k_2$, it is impossible for them to collect the relevant information about the obfuscated challenge $C'$. In the authentication, the obfuscated challenge $C'$ is transmitted as the real challenge to the adder for calculation. Attackers can only collect the challenge $C$ and the response corresponding to $C'$. In this case, the attackers cannot collect valid CRPs for modeling attacks.
B. The CSoS-based Authentication Protocol
We propose a CSoS-based ML-attack-resistant authentication protocol for VOLtA. The key K and the VOS-adder are used to authenticate devices. The key K consists of three different keys k1, k2 and k3, where k1 and k2 are used to obfuscate the challenge in CSoS, and k3 has two functions: 1) it is used as an input of the adder; 2) it encrypts the output of the adder with the XOR operation. The lengths of k1 and k3 are 8 bits, and k2 can be of any length (in this paper, k2 is set to 8 bits). As shown in Fig. 8, the authentication protocol includes registration and authentication:

Fig. 8. The CSoS-based ML attacks resistant authentication protocol.

  Registration
    Bob (device) has an adder and a key K = (k1, k2, k3); Alice (server) has a key K = (k1, k2, k3)
    Alice:  for i = 1, 2, ..., ω do
                xi = TRNG(8)
            X = {x1, x2, ..., xω}; sends X to Bob
    Bob:    for i = 1, 2, ..., ω do
                yi = adder(xi, k3)
            Y = {y1, y2, ..., yω}; sends Y to Alice
    Alice:  trains the adder's model, M = TrainModel(X, Y)
  Authentication
    Alice:  for i = 1, 2, ..., t do
                ci = TRNG(8)
            C = {c1, c2, ..., ct}; sends C to Bob
    Bob (CSoS):
            tp = 0
            for i = 1, 2, ..., t do
                gi = ci ⊕ tp
                tp = f(ci, k2,(i-1)%8+1) ⊕ tp
                c′i = gi ⊕ k1
                ri = adder(c′i, k3) ⊕ k3
            R = {r1, r2, ..., rt}; sends R to Alice
    Alice (CSoS):
            tp = 0
            for i = 1, 2, ..., t do
                gi = ci ⊕ tp
                tp = f(ci, k2,(i-1)%8+1) ⊕ tp
                c′i = gi ⊕ k1
                r′i = M(c′i, k3) ⊕ k3
            R′ = {r′1, r′2, ..., r′t}
            if HD(R, R′) > T then Reject

Fig. 9. (a) The 1-bit input cache structure (ICS). (b) An example of ICS.

TABLE I
THE TRUTH TABLE FOR NOR-TYPE LATCH
  S  R  $Q$  $\bar{Q}$  $Q'$  Function
  0  0  0    1          0     Hold
  0  0  1    0          1     Hold
  0  1  0    1          1     Set to 1
  0  1  1    0          1     Set to 1
  1  0  0    1          0     Set to 0
  1  0  1    0          0     Set to 0
  1  1  0    1          −     −
  1  1  1    0          −     −

Registration
i. Alice and Bob obtain the secret key K = {k1, k2, k3} through key sharing or other similar methods;
ii. Alice randomly generates an input bitstream X = {x1, x2, ..., xω}, where ω is the number of bytes of X, then sends X to Bob;
iii. Bob adds xi and k3 using the VOS-adder to generate an output bitstream Y = {y1, y2, ..., yω}, and sends Y to Alice;
iv. Alice uses X and Y to train the adder model of Bob.
Authentication
i. Alice generates a random challenge C = {c1, c2, ..., ct}, and sends it to Bob;
ii. Bob employs CSoS to obfuscate the challenge C to get the challenge C′ = {c′1, c′2, ..., c′t}, adds c′i and k3 using the VOS-adder, then XORs the calculation result with k3 to obtain the response R = {r1, r2, ..., rt}, and finally sends R to Alice;
iii. Alice obtains the obfuscated challenge C′ through CSoS and C, then employs the model M and k3 to generate the response R′;
iv. Alice calculates the Hamming distance HD(R, R′) between R and R′. If HD(R, R′) is greater than the threshold, the authentication fails.
C. Hardware Implementation
In Eqn. 8, gi needs to be stored temporarily in the calculation.
Therefore, we design the input cache structure (ICS), as shown
in Fig. 9(a), which consists of some latches and multiplexers
(MUXs). A NOR-type latch is used to store 1-bit gi and the
truth table is given in Table I. When S = R = 0, the circuit
remains in its original state; when S = 0, R = 1, regardless
of the state of Q and Q̄, there will be Q = 1, Q̄ = 0; when
S = 1, R = 0, regardless of the state of Q and Q̄, there will
be Q = 0, Q̄ = 1. It is worth noting that S = R = 1 cannot
be employed as an input signal.
Fig. 10. (a) The hardware implementation of CSoS. (b) The CSoS for an
8-RCA in VOS. (c) The WCSoS for a 64-bit Arbiter PUF. (d) The TCSoS
for a 64-bit Arbiter PUF.
The 1-bit input cache structure (ICS) is shown in Fig. 9(a). Taking
the j-th bit of gi, denoted gi,j, as an example, the ICS includes
three operations:
• Read operation (Ro): The NOR-type latch keeps latch-
ing state and outputs tp before calculating gi,j , so that
gi,j = ci,j ⊕ tp.
• Write operation (Wo): After calculating gi,j , the NOR-
type latch is released from the latching state and then gi,j
is written into the NOR-type latch, i.e., tp = gi,j .
• Hold operation (Ho): The NOR-type latch holds latching
state and outputs tp throughout, gi,j = ci,j ⊕ tp, and tp
keeps unchanged until the next operation is performed.
The read, write and hold operations are controlled by a
signal based on the key k2. We assume k2 = 10100101,
and the control signals of ICS are 10100101 10100101 ...
10100101. If the control signal is ’1’, ICS performs the read
and write operation; if the control signal is ’0’, ICS executes
the hold operation. We use the NOR-type latch combined with
three MUXs to implement these operations. Fig. 9(b) gives an
instance of storing gi. Assuming that the single signal duration
of k2 is T , the ’1’ port of MUX1 is a periodic signal ps with
a period of T , and ’0’ port is a low level signal. In the first half
of time T1, k2 = 1, ci,j = 1, ps is connected to the circuit and
transferred to R; in the second half of time T1, S = 0, R = 1,
there is Q(tp) = gi,j = 1. In addition, when executing a single
write operation, we use MUX3 to prevent the updated value
of tp from affecting the value of gi again. Similarly, in the
time period T3, gi,j = 0 is updated to Q(tp). In this way, we
get G = {g1, g2, ..., gt} which is obfuscated by the key k2. In
the obfuscation process, the CSoS just combines the previous
input with keys to obfuscate the current input, and hence does
not affect the original uniqueness and reliability of the circuit.
As shown in Fig. 10(a), the CSoS proposed in this paper
consists of the ICS, the control box and some XOR gates.
The key generator is used to generate the keys k1 and k2
for obfuscation. It can be implemented using a Weak PUF
or a True Random Number Generator (TRNG), named Weak
PUF-based CSoS (WCSoS) and TRNG-based CSoS (TCSoS)
respectively. Fig. 10(b) gives the deployment of CSoS in
VOLtA, which corresponds to Section IV.B. It is worth
noting that the CSoS is a universal obfuscation method and
hence can also be used for Strong PUFs. In Fig. 10(c) and
10(d), a classic Strong PUF, 64-bit Arbiter PUF, is used as
an example to deploy WCSoS and TCSoS. In the WCSoS,
k1 and k2 are different keys generated by Weak PUF. In the
TCSoS, k1 and k2 are random numbers generated by TRNG.
In order to reduce the complexity of authentication, we make
k1 equal to k2. Moreover, the TCSoS does not require the key
storage and has higher security. For example, if the number
of bits in the TRNG is Tnum = 4 and TRNG(4) = 1010,
k1 = k2 = {1010 1010 ... 1010} has a total of 64 bits. In
authentication, 64×64-bit challenges are input to the device
in time series to generate 64-bit responses which are sent
to the server. Then the server needs to enumerate all the
possibilities of k1 and k2 and verify these responses one
by one to authenticate the device (the number of possibilities
is 2^Tnum).
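The ICS read/write/hold rules and the server-side key enumeration of TCSoS described above, as an added Python example that is not the authors' code. The simulated Arbiter PUF (Gaussian stage delays, ∆ > 0 mapped to response 1), the threshold value, the exact server-side model, a fresh TRNG draw per run and the 8-bit k1 used in the walk-through are assumptions.

```python
import random

N = 64            # Arbiter PUF stages and bits per challenge (page's example)
T_STEPS = 64      # challenges per authentication run (page: 64 x 64-bit)
TNUM = 4          # TRNG width (page's example)
HD_THRESHOLD = 6  # assumed value; the page only names a threshold T


def csos(challenges, k1, k2_bits):
    """Obfuscate a challenge sequence with the ICS read/write/hold rules.

    challenges: list of ints; k1: int XOR mask; k2_bits: control bits,
    one per time step, repeated cyclically.
    """
    tp, out = 0, []
    for i, c in enumerate(challenges):
        g = c ^ tp                      # read: g_i = c_i XOR tp
        if k2_bits[i % len(k2_bits)]:   # control '1': write, tp = g_i
            tp = g                      # control '0': hold, tp unchanged
        out.append(g ^ k1)              # c'_i = g_i XOR k1
    return out


def arbiter_response(omega, c):
    """Simulated Arbiter PUF: 1 if Omega . Phi(c) > 0 (assumed sign rule)."""
    delta, sign = omega[N], 1
    for l in range(N - 1, -1, -1):      # phi_l = prod_{j >= l} (1 - 2 c_j)
        sign *= 1 - 2 * ((c >> l) & 1)
        delta += omega[l] * sign
    return 1 if delta > 0 else 0


def expand_key(value):
    """Repeat a TNUM-bit value to N bits, e.g. 1010 -> 1010 1010 ... 1010."""
    bits = [(value >> (TNUM - 1 - b)) & 1 for b in range(TNUM)]
    k_bits = [bits[i % TNUM] for i in range(N)]
    return int("".join(map(str, k_bits)), 2), k_bits


def device_respond(omega, challenges, rng):
    """Device: draw a TRNG value, set k1 = k2, answer every challenge."""
    k1, k2_bits = expand_key(rng.getrandbits(TNUM))
    return [arbiter_response(omega, c) for c in csos(challenges, k1, k2_bits)]


def server_verify(model, challenges, response):
    """Server: enumerate all 2^Tnum keys, keep the smallest Hamming distance."""
    best = len(response)
    for cand in range(2 ** TNUM):
        k1, k2_bits = expand_key(cand)
        expected = [arbiter_response(model, c)
                    for c in csos(challenges, k1, k2_bits)]
        best = min(best, sum(a != b for a, b in zip(expected, response)))
    return best <= HD_THRESHOLD, best


def history_demo():
    """8-bit walk-through with the page's control key k2 = 10100101."""
    k2 = [1, 0, 1, 0, 0, 1, 0, 1]
    k1 = 0b10110010                          # constructed value
    a = csos([0x3C, 0x55, 0x0F], k1, k2)
    b = csos([0xC3, 0x55, 0x0F], k1, k2)     # c_1 changed (step 1 writes)
    c = csos([0x3C, 0xAA, 0x0F], k1, k2)     # c_2 changed (step 2 holds)
    return a, b, c


def tcsos_demo(seed=1):
    """Genuine device vs. a different chip, both checked against one model."""
    rng = random.Random(seed)
    genuine = [rng.gauss(0, 1) for _ in range(N + 1)]   # constructed delays
    other = [rng.gauss(0, 1) for _ in range(N + 1)]
    challenges = [rng.getrandbits(N) for _ in range(T_STEPS)]
    ok = server_verify(genuine, challenges,
                       device_respond(genuine, challenges, rng))
    bad = server_verify(genuine, challenges,
                        device_respond(other, challenges, rng))
    return ok, bad


if __name__ == "__main__":
    print(history_demo())
    print(tcsos_demo())
```

In the walk-through, changing c1 (a written step) changes the third obfuscated challenge, while changing c2 (a held step) does not, which is the key-controlled history dependence the ICS provides.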
D. Security Analysis
In this study, we assume that the server is trustworthy and
the attacker cannot get the keys and the cloned model stored
in the server.
1) Key Security: Our proposed CSoS combines the previous
input with the secret keys or random numbers to obfuscate the
current input. In the TRNG-based CSoS for Arbiter PUF, if
attackers know the cloned model of Arbiter PUF, they can
enumerate all the random numbers to clone the authentication
protocol. However, the cloned model of Arbiter PUF is se-
curely stored in the server and hence will not be leaked. In
the weak PUF-based CSoS, key generator on the device can
be implemented with the weak PUF [6], [34], [35]. If attackers
get the secret keys, the authentication protocol would be
broken. Side-channel attacks are powerful noninvasive attacks
that exploit the leakage of physical information when the
encryption algorithm is being executed on a system [37].
Several side-channel attacks on weak PUFs have been reported
within the past couple of years [38], [39], and most of the
authors have pointed out potential countermeasures to their
proposed attacks. We don’t propose any solution to prevent
side-channel attacks on weak PUFs because it is beyond the
scope of this article.
2) Brute Force Attacks: Attackers enumerate the keys and
build multiple models to attack. In the weak PUF-based CSoS
for VOLtA, assume that the keys k1 and k3 are 8 bits and k2 is x
bits; the number of models that attackers need to build to pass
the authentication is 2^(16+x), which increases exponentially
with x. In the TRNG-based CSoS, the
CSoS uses the TRNG to generate keys k1 and k2 (k1 = k2)
to improve security, which only increases the computational
overhead of server in authentication. In this case, the number
of models that the attackers need to establish is related to
the number of collected CRPs. The attackers need to select
effective training set in massive data and build an efficient
model. Therefore, it is impossible for attackers to clone the
CSoS-based authentication by brute-force attacks.
3) Learning-based Attacks: Attackers try to collect large
amounts of data to conduct ML attacks. The function of
Arbiter PUF can be represented by an additive linear delay
model, and the mathematical model of the Arbiter PUF is
described in [11], [28]. In this model, we can define the final
delay difference ∆ between the upper and the lower path (see
Fig. 1) as:
∆ = Ω · Φ(C) (11)
where Ω = {ω1, ω2, ..., ωn, ωn+1}, the dimensions of Ω
and Φ are both n + 1. The parameter vector Ω represents
the delay of each stage in an Arbiter PUF; the eigenvector
Φ(C) = (φ1(c), ..., φn(c), 1)^T represents a function with
the n-bit challenge, while φl(·) is a function that can be
represented by
$$\varphi_l(c) = \prod_{j=l}^{n} (1 - 2c_j), \quad l = 1, \ldots, n \tag{12}$$
The vector Ω determines a separating hyperplane among all the
eigenvectors by Ω · Φ(C) = 0. Any challenge whose vector
Φ(C) lies on one side of the hyperplane produces ∆ < 0, and
any challenge on the other side produces ∆ > 0. Note that
there is a non-linear relationship between the challenge C =
(c1, c2, ..., cn) and the delay difference ∆, but the feature vector
Φ(C) = (φ1(c), ..., φn(c), 1) is linearly related to ∆. This
makes the application of ML very effective [19], [28], [36].
However, in the CSoS-based Arbiter PUF, the i-th timing
challenge is C′i = (c′i,1, c′i,2, ..., c′i,n), and the final delay
difference ∆ can be represented as:
∆ = Ω · Φ(C′i) (13)
where Φ(C′i) = (φ1(c′i), ..., φn(c′i), 1) is a feature vector, and
$$\varphi_l(c'_i) = \prod_{j=l}^{n} (1 - 2c'_{i,j}), \quad l = 1, \ldots, n \tag{14}$$
According to Eqns. (8), (9) and (10),
$$c'_{i,j} = k_{1,j} \oplus f(c_{1,j}, k_{2,1}) \oplus f(c_{2,j}, k_{2,2}) \oplus \cdots \oplus f(c_{i-1,j}, k_{2,i-1}) \oplus c_{i,j} = \mathrm{Prefix}_{i,j} \oplus c_{i,j} \tag{15}$$
where ci,j represents the i-th timing and j-th bit of the challenge.
x ⊕ y can be expressed by Eqn. (16):
$$x \oplus y = x + y - 2x \cdot y \tag{16}$$
Therefore, Eqn. (14) for CSoS can be represented as
$$\begin{aligned}
\varphi_l(c'_i) &= \prod_{j=l}^{n} (1 - 2c'_{i,j}) \\
&= \prod_{j=l}^{n} \bigl(1 - 2(\mathrm{Prefix}_{i,j} + c_{i,j} - 2\,\mathrm{Prefix}_{i,j} \cdot c_{i,j})\bigr) \\
&= \prod_{j=l}^{n} (1 - 2c_{i,j})(1 - 2\,\mathrm{Prefix}_{i,j}) \\
&= \prod_{j=l}^{n} (1 - 2c_{i,j}) \cdot \prod_{j=l}^{n} (1 - 2\,\mathrm{Prefix}_{i,j})
\end{aligned} \tag{17}$$
As Eqn. (17) shows, the challenges in the i-th timing are
obfuscated by keys and previous challenges (Prefixi,j) in the
CSoS. Even if the challenges are the same, the generated
obfuscated challenges may be different due to the different previous
challenges. Furthermore, some previous challenges are hidden
by keys and not used to obfuscate the current challenge. In our
experiments, RNN fails to attack the CSoS without knowing
which previous challenges are used. Therefore, it is difficult
for attackers to model it with ML methods due to the high
complexity of the obfuscated CRP mapping.
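Eqn. (17) can be checked numerically. The added Python example below (not from the paper) verifies the factorisation on random bit vectors and shows what it means for a linear model: Ω · Φ(C′) equals (Ω ⊙ Φ(Prefix)) · Φ(C), so the weights that separate Φ(C) change with the hidden Prefix. Drawing Prefix uniformly at random and the Gaussian delay vector are assumptions standing in for the key- and history-dependent values.

```python
import random

N = 64  # Arbiter PUF stages


def phi(bits):
    """Eqn. (12): phi_l = prod_{j=l..n} (1 - 2*c_j), with a trailing 1."""
    out, sign = [0] * len(bits), 1
    for l in range(len(bits) - 1, -1, -1):
        sign *= 1 - 2 * bits[l]
        out[l] = sign
    return out + [1]


def delta(omega, bits):
    """Eqns. (11)/(13): delay difference Omega . Phi(bits)."""
    return sum(w * f for w, f in zip(omega, phi(bits)))


def xor_bits(x, y):
    return [a ^ b for a, b in zip(x, y)]


def random_bits(rng):
    return [rng.randint(0, 1) for _ in range(N)]


def eqn17_holds(trials=500, seed=7):
    """True if Phi(C xor Prefix) == Phi(C) * Phi(Prefix) in every trial."""
    rng = random.Random(seed)
    for _ in range(trials):
        c, prefix = random_bits(rng), random_bits(rng)
        lhs = phi(xor_bits(c, prefix))
        rhs = [a * b for a, b in zip(phi(c), phi(prefix))]
        if lhs != rhs:
            return False
    return True


def effective_weights(omega, prefix):
    """Weights a linear model over Phi(C) would need for this Prefix."""
    return [w * f for w, f in zip(omega, phi(prefix))]


def agreement_rate(samples=4000, seed=7):
    """Share of challenges whose response is unchanged by an unknown Prefix."""
    rng = random.Random(seed)
    omega = [rng.gauss(0, 1) for _ in range(N + 1)]   # constructed delays
    same = 0
    for _ in range(samples):
        c, prefix = random_bits(rng), random_bits(rng)
        plain = delta(omega, c) > 0
        obfuscated = delta(omega, xor_bits(c, prefix)) > 0
        same += plain == obfuscated
    return same / samples


if __name__ == "__main__":
    print("Eqn. (17) holds:", eqn17_holds())
    print("agreement with the plain PUF:", agreement_rate())
```

An agreement rate near one half means the raw challenge C carries almost no information about the response once the prefix is unknown.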
V. EXPERIMENTS AND RESULTS
A. Experimental Setup and Data Collection
We have reproduced the simulation experiments for an 8-RCA
circuit in [7] and performed simulations in the HSpice
platform using the FreePDK 45nm libraries [40]. The python
3.6.4 programming language and the tensorflow 1.6.0 neural
network toolkit are used to conduct modeling attacks. All
experiments are conducted on the Intel(R) Core(TM) i5-7400
CPU @ 3.00GHz, 8G RAM and GeForce GT 720 GPU.
We modify the threshold voltages of the NMOS and PMOS
models in the FreePDK 45nm libraries to simulate process
variations based on the Gaussian Distribution ±7%. The
circuit netlist for the 8-RCA is designed by using the modified
NMOS and PMOS models at random, and then the circuit
simulation is implemented in HSpice, where the simulation
temperature is 25°C. We collect the challenge-response pairs
(CRPs) generated randomly by this 8-RCA to perform mod-
eling attacks. In addition, we get the first 18 bytes of random
challenge C as vertical data (for the definition of vertical data,
see Section III). To get massive vertical data more efficiently,
the vertical data is arranged as a bit-stream for collection. In
this bit-stream, the signal LOW is maintained for a period
of time after completing the 18-byte calculation, and then the
18-byte computation is performed again; massive vertical
data can be produced by such a loop.
We use HSpice to simulate 20,000 CRPs for CSoS. We
also carry out simulation experiments on WCSoS and TCSoS
Arbiter PUF. In our simulation, the delay of the multiplexer
segment of Arbiter PUF is generated by Gaussian Distribution,
which follows the well-established linear additive delay model
for PUFs [10], [11]. In addition, we simulate the TRNG
function with the random.randint() function in Python. 10^6
CRPs are simulated in the Arbiter PUF experiments.
Fig. 11. Modeling accuracies of RNN on VOLtA with different numbers of
input elements using 10,000 CRPs.
Fig. 12. Modeling accuracies for VOLtA and no-key-VOLtA using 10,000
CRPs.
B. Attacks
ANN, RNN and CMA-ES are used to evaluate the effec-
tiveness of modeling attacks, and RNN is used to attack the
VOLtA and the no-key-VOLtA (VOLtA without keys). 20,000
CRPs for VOLtA and no-key-VOLtA are simulated by using
HSpice. ML models are trained by using 10,000 CRPs and the
remaining 10,000 CRPs are used as the testing set.
1) ML Attacks VOLtA: In the VOLtA, the current output
of adder is related to the current input and the previous input.
Therefore, the single input consists of multiple bytes, which
is recorded as the input Xt = {xt−(m−1), ..., xt−2, xt−1, xt}.
The single output is 1-byte representing the current output
of adder. Fig. 11 shows the modeling accuracies of RNN on
VOLtA with different input bytes using 10,000 CRPs. We use
the Hamming distance to evaluate the modeling accuracy. We
can see from Fig. 11 that when m = 1, only the current
input is used as the training input, the prediction accuracy of
RNN is only 91.54%. With the increasing of m, the modeling
accuracy is further increased. The prediction accuracy reaches
the highest 99.65% at m = 10. Therefore, we take m = 10 to
conduct the following experiments.
The results of ML attacks on VOLtA and no-key-VOLtA are
shown in Fig. 12. When the RNN is used to attack the no-key-
VOLtA, we collect two inputs of the adder as the challenge.
When 500 CRPs are collected, the modeling accuracy of RNN
model is more than 90%; when 10,000 CRPs are collected,
the prediction accuracy is up to 99.52%. Therefore, the
no-key-VOLtA is vulnerable to ML attacks. Next, we use ANN,
RNN and CMA-ES to attack VOLtA. Since the output and
one input have been obfuscated by the key in VOLtA, we only
collect one input of adder as the challenge and the obfuscated
output as the response. When 5,000 CRPs are collected, the
modeling accuracies of ML attacks reach more than 95%;
when collecting 10,000 CRPs, the prediction accuracy of RNN
is up to 99.65%. Therefore, the modeling accuracy of RNN
for VOLtA is just slightly higher than the no-key-VOLtA. In
fact, the adder performs an approximate addition operation in
VOS, where response R = k2 ⊕ adder(C,X), if X is an
input, attackers can guess k2 according to large amounts of
C, X and R; if X is k1, it will reduce the complexity of the
model but increase the model security. Besides, the attackers
need to collect vertical data to attack VOLtA, which requires
collecting more data and consumes more time.
Fig. 13. Reliability impacted by temperature variation (nominal temperature
is 25°C).
Fig. 14. The effectiveness of CSoS-based ML attacks resistant authentication.
2) VOLtA Reliability: The intra Hamming distance (intra
HD) of the responses is used to evaluate the reliability of
VOLtA. We can see from Fig. 13 that the intra HD is around
0.47% when the temperature decreases from 25°C to 23°C,
and it is about 0.62% when the temperature increases from
25°C to 27°C. The prediction accuracy of RNN is 99.65%,
while the error generated by the RNN is only 0.35% (see the
red dotted line in Fig. 13), which is less than the error caused
by ±2°C. Unfortunately, the setting of threshold in VOLtA
must consider the influence of temperature and other factors
on the reliability. When the threshold is determined, the ML
models can reach the threshold condition as well. Therefore,
the VOLtA is vulnerable to ML modeling attacks.
                   
 7 K H  Q X P E H U  R I  W U D L Q L Q J  G D W D
  
  
  
  
  
  
   
 3 U
 H G
 L F
 W L R
 Q 
 D F
 F X
 U D
 F \
  
 
 / 5  D W W D F N V  2 U L J L Q D O  $ U E L W H U  3 8 )
 6 9 0  D W W D F N V  2 U L J L Q D O  $ U E L W H U  3 8 )
 $ 1 1  D W W D F N V  2 U L J L Q D O  $ U E L W H U  3 8 )
 & 0 $  ( 6  D W W D F N V  2 U L J L Q D O  $ U E L W H U  3 8 )
 / 5  D W W D F N V  : & 6 R 6  $ U E L W H U  3 8 )
 6 9 0  D W W D F N V  : & 6 R 6  $ U E L W H U  3 8 )
 $ 1 1  D W W D F N V  : & 6 R 6  $ U E L W H U  3 8 )
 & 0 $  ( 6  D W W D F N V  : & 6 R 6  $ U E L W H U  3 8 )
Fig. 15. Modeling accuracies on the 64-bit Original and WCSoS Arbiter PUF
using 1 million CRPs.
                   
 7 K H  Q X P E H U  R I  W U D L Q L Q J  G D W D
  
  
  
  
  
  
  
 3 U
 H G
 L F
 W L R
 Q 
 D F
 F X
 U D
 F \
  
 
 / 5  D W W D F N V  : & 6 R 6  $ U E L W H U  3 8 )
 6 9 0  D W W D F N V  : & 6 R 6  $ U E L W H U  3 8 )
 $ 1 1  D W W D F N V  : & 6 R 6  $ U E L W H U  3 8 )
 5 1 1  D W W D F N V  : & 6 R 6  $ U E L W H U  3 8 )
 & 0 $  ( 6  D W W D F N V  : & 6 R 6  $ U E L W H U  3 8 )
 / 5  D W W D F N V  7 & 6 R 6  $ U E L W H U  3 8 )
 6 9 0  D W W D F N V  7 & 6 R 6  $ U E L W H U  3 8 )
 $ 1 1  D W W D F N V  7 & 6 R 6  $ U E L W H U  3 8 )
 5 1 1  D W W D F N V  7 & 6 R 6  $ U E L W H U  3 8 )
 & 0 $  ( 6  D W W D F N V  7 & 6 R 6  $ U E L W H U  3 8 )
Fig. 16. Modeling accuracies on the 64-bit WCSoS and TCSoS Arbiter PUF
using 1 million CRPs.
C. Defenses
1) CSoS for VOLtA: The effectiveness of CSoS-based ML
attacks resistant authentication is evaluated. As shown in Fig.
14(a), we set the input byte m = 2, 6, 10, 14, 18; the
training set is from 50 to 10,000. RNN is used to verify the
effectiveness of the proposed protocol, in which the prediction
accuracy selects the maximum during training. From the
experimental results, we can see that even if the training set
or m is increased, the modeling accuracy is still between
50% and 51.2%. The relationship between the iterations and
the modeling accuracy of ML methods is shown in Fig.
14(b). We can see that with the increasing of iterations, the
prediction accuracies of ML methods are oscillating around
50.1%. Therefore, the proposed CSoS-based authentication
exhibits good resistance to learning-based attacks.
2) CSoS for Arbiter PUF: Due to the limited number of
CRPs that HSpice can collect, it is impossible to verify in
VOLtA whether CSoS can still maintain high resistance to
machine learning algorithms on larger data sets. For this reason,
we have evaluated the influence of ML attacks on the CSoS-based
Arbiter PUF under a large data set. We simulated 10^6
CRPs to conduct this part of the experiment. Rührmair et al.
[41] demonstrate that modeling attacks can work both on
simulated and silicon data, and the only difference is
that the results on simulated data are noise free. However,
by using more CRPs in the training stage, results from the
real silicon could achieve the same accuracy rate (e.g., 99%)
compared to the simulated data. Furthermore, LR, SVM, ANN,
RNN and CMA-ES are used to model WCSoS Arbiter PUF
and TCSoS Arbiter PUF. The experimental results are shown
in Fig. 15 and Fig. 16.
[Plot: prediction accuracy versus the number of training data, one curve per value of Tnum.]
Fig. 17. LR attack results on 64-bit TCSoS Arbiter PUF with different number
of Tnum (Tnum is the bit number of TRNG).
[Plot: prediction accuracy versus the number of training data, one curve per Arbiter PUF stage size.]
Fig. 18. LR attack results on TCSoS Arbiter PUF with different number of
bitnum (bitnum is the stage size of Arbiter PUF).
As shown in Fig. 15, we use ML to attack Arbiter PUF
without deploying the obfuscation mechanism. When 5,000
CRPs are collected, the modeling accuracies of ML algorithms
are more than 95%; when 10^6 CRPs are collected, LR can
achieve 99.87% modeling accuracy. Obviously, the Arbiter
PUF without deploying the defense mechanism can be broken
by ML algorithms easily. When ML methods are utilized to
model WCSoS Arbiter PUF, the modeling accuracy does not
increase significantly as the training set grows. Even if 10^6
CRPs are collected, the accuracy is still below 54%, which
shows that CSoS still maintains good anti-modeling ability
under the massive data set. In Fig. 16, we compare the WCSoS
Arbiter PUF and TCSoS Arbiter PUF modeling attacks, where
a 4-bit TRNG is used in TCSoS. Experimental results show that both
TCSoS and WCSoS show good resistance to ML attacks.
TCSoS has high flexibility to deploy different levels of
TRNG based on its own security requirements and affordable
computing power. As shown in Fig. 17, we use LR
to model the 64-bit TCSoS Arbiter PUF with TRNG bits
Tnum = 0, 1, 2, 4, 8, 16 (Tnum = 0 means TCSoS is not
deployed). When Tnum = 1 and 2, the modeling accuracy of
LR can reach 74.93% and 60.83% respectively, which does not
meet the security requirements; when Tnum = 4 and 8, even
if 10^6 CRPs are collected, the modeling accuracy of LR is still
below 54%. It is worth mentioning that when Tnum = 16,
LR only has a modeling accuracy of 51.63%. However, the
computational cost of server authentication at this time will be
2^16 = 65,536 times more than normal conditions. Therefore,
Tnum = 4 or 8 is the empirical value we recommend in the
actual deployment.
TABLE II
MODELING ACCURACIES ON TCSOS ARBITER PUF WITH DIFFERENT
NUMBER OF Tnum AND bitnum USING 10^5 CRPS.
Tnum  ML      bitnum=16  bitnum=32  bitnum=64  bitnum=128
0     LR      99.99%     99.99%     99.89%     99.95%
0     SVM     99.99%     99.97%     99.83%     99.89%
0     ANN     99.99%     99.99%     99.96%     99.98%
0     CMA-ES  99.99%     99.99%     99.99%     99.99%
1     LR      75.06%     73.23%     76.04%     74.77%
1     SVM     71.87%     74.32%     72.39%     75.25%
1     ANN     78.83%     72.06%     71.67%     80.54%
1     RNN     76.96%     77.23%     76.79%     73.36%
1     CMA-ES  79.36%     76.07%     78.26%     73.60%
2     LR      59.96%     61.23%     59.58%     63.03%
2     SVM     56.51%     66.32%     58.11%     64.05%
2     ANN     61.33%     58.74%     57.70%     60.22%
2     RNN     58.73%     64.54%     61.96%     67.14%
2     CMA-ES  58.28%     56.23%     63.31%     62.26%
4     LR      53.35%     52.85%     52.73%     52.86%
4     SVM     52.05%     51.81%     52.14%     52.23%
4     ANN     53.07%     53.16%     53.12%     51.99%
4     RNN     52.18%     51.87%     51.59%     52.83%
4     CMA-ES  53.06%     52.30%     51.96%     52.30%
8     LR      51.73%     52.49%     51.83%     52.38%
8     SVM     51.57%     52.81%     51.77%     52.49%
8     ANN     52.13%     52.16%     51.69%     51.37%
8     RNN     52.13%     51.80%     51.97%     52.43%
8     CMA-ES  52.09%     51.27%     52.36%     51.97%
16    LR      51.99%     52.37%     51.55%     51.69%
16    SVM     52.26%     51.59%     51.72%     52.50%
16    ANN     51.87%     52.32%     51.92%     52.42%
16    RNN     52.32%     52.29%     51.87%     52.69%
16    CMA-ES  52.28%     51.98%     52.31%     51.72%
Next, we verify the effectiveness of TCSoS (Tnum = 4)
for Arbiter PUF with different stage sizes. As shown in
Fig. 18, regardless of the stage size of Arbiter PUF, the
modeling accuracy of ML for TCSoS has been reduced and
finally stabilized around 54%. Hence, TCSoS provides good
obfuscation ability for Arbiter PUFs with different stage sizes.
Moreover, we also verify the effectiveness of different ML
algorithms on TCSoS-based Arbiter PUF with different Tnum
and bitnum (stage size). Table II gives detailed experimental data
which demonstrate that TCSoS can effectively obfuscate the
mapping relationship of CRPs in Arbiter PUF with different
stage sizes and shows good resistance to several ML attack
methods.
VI. CONCLUSION
In this paper, we have reevaluated the security of the
VOS-based authentication protocol and implemented several
high-accuracy ML modeling attacks on VOLtA. Experimental
results show that the VOLtA is vulnerable to ML attacks,
and the prediction accuracy of RNN is up to 99.65%. To
resist the ML attacks on the VOLtA, this paper proposes
a novel challenge self-obfuscation structure (CSoS), which
lowers the prediction accuracy of ML on the VOLtA to 51.2%.
Furthermore, our proposed CSoS exhibits good obfuscation
ability for both VOLtA and strong PUFs. We collected 10^6 CRPs
of an Arbiter PUF deployed with CSoS and modeled it using
LR, SVM, ANN, RNN and CMA-ES. The experimental results
show that modeling accuracy is reduced to 54%.
REFERENCES
[1] Wikipedia, “Internet of things,” [Online]. Available:
https://en.wikipedia.org/wiki/Internet_of_things
[2] “Smart Summit Asia: Identifying Key Technology Drivers for
Wider Adoption of Connected Solutions,” [Online]. Available:
https://technology.ihs.com/587648, 2017.
[3] “DDoS attack that disrupted internet was largest of
its kind in history, experts say,” [Online]. Available:
https://www.theguardian.com/technology/2016/oct/26/ddos-attack-dyn-mirai-botnet, 2016.
[4] M. Antonakakis et al., “Understanding the Mirai Botnet,”
USENIX Secur., 2017.
[5] U. Rührmair and D. E. Holcomb, “PUFs at a glance,” in Design,
Automation and Test in Europe (DATE), 2014, pp. 1-6.
[6] J. L. Zhang, G. Qu, Y. Q. Lv, and Q. Zhou, “A survey on silicon PUFs
and recent advances in ring oscillator PUFs,” J. Comput. Sci. Technol.,
vol. 29, no. 4, pp. 664-678, 2014.
[7] M. T. Arafin, M. Gao, and G. Qu, “VOLtA: Voltage Over-scaling Based
Lightweight Authentication for IoT Applications,” 2017 22nd Asia and
South Pacific Design Automation Conference (ASP-DAC). IEEE, pp. 336-
341, 2017.
[8] H. Su and J. Zhang, “Machine Learning Attacks on Voltage Over-scaling-
based Lightweight Authentication,” Asian Hardware Oriented Security
and Trust Symposium, 2018.
[9] R. Pappu, B. Recht, J. Taylor, N. Gershenfeld, “Physical one-way
functions,” Science, vol. 297, no.5589, pp.2026-2030, Sep. 2002.
[10] J. W. Lee, Daihyun Lim, B. Gassend, G. E. Suh, M. van Dijk, and S.
Devadas, “A technique to build a secret key in integrated circuits for
identification and authentication applications,” in 2004 Symposium on
VLSI Circuits. Digest of Technical Papers (IEEE Cat. No.04CH37525),
pp. 176-179.
[11] D. Lim, J. W. Lee, B. Gassend, G. E. Suh, M. van Dijk, and S. Devadas,
“Extracting Keys from Integrated Circuits,” IEEE Trans. Very Large Scale
Integr. Syst., vol. 13, no. 10, pp. 1200-1205, 2005.
[12] A. Vijayakumar and S. Kundu, “A Novel Modeling Attack Resistant PUF
Design based on Non-linear Voltage Transfer Characteristics,” in Design,
Automation And Test in Europe (DATE), 2015, 2015, pp. 653-658.
[13] M. Majzoobi, F. Koushanfar, and M. Potkonjak, “Lightweight secure
PUFs,” IEEE/ACM Int. Conf. Comput. Des. Dig. Tech. Pap. ICCAD, vol.
1, no. 1, pp. 670-673, 2008.
[14] D. P. Sahoo, S. Saha, D. Mukhopadhyay, R. S. Chakraborty, and
H. Kapoor, “Composite PUF: A new design paradigm for Physically
Unclonable Functions on FPGA,” Proc. IEEE Int. Symp. Hardware-
Oriented Secur. Trust. HOST 2014, pp. 50-55, 2014.
[15] D. E. Holcomb, W. P. Burleson, and K. Fu, “Initial SRAM state as a
fingerprint and source of true random numbers for RFID tags,” Proc.
Conf. RFID Secur., vol. 58, no. 9, pp. 1-12, 2007.
[16] G. E. Suh and S. Devadas, “Physical Unclonable Functions for Device
Authentication and Secret Key Generation,” in 44th ACM/IEEE Design
Automation Conference, pp.9-14, 2007.
[17] P. Tuyls, G.-J. Schrijen, B. Škorić, J. van Geloven, N. Verhaegh, and
R. Wolters, “Read-Proof Hardware from Protective Coatings,” Cryptogr.
Hardw. Embed. Syst., pp. 369-383, 2006.
[18] M. Sauer, P. Raiola, L. Feiten, B. Becker, U. Rührmair, and I. Polian,
“Sensitized path PUF: A lightweight embedded physical unclonable
function,” Proc. Des. Autom. Test Eur., pp. 680-685, 2017.
[19] J. Zhang and L. Wan, “CMOS: Dynamic Multi-key Obfuscation Struc-
ture for Strong PUFs,” 2018.
[20] R. Venkatesan, A. Agarwal, K. Roy, and A. Raghunathan, “MACACO:
Modeling and analysis of circuits for approximate computing,” in
IEEE/ACM International Conference on Computer-Aided Design, Digest
of Technical Papers, ICCAD, pp. 667-673, 2011.
[21] J. N. Chen and J. H. Hu, “Energy-Efficient Digital Signal Processing via
Voltage-Overscaling-Based Residue Number System,” IEEE Trans. Very
Large Scale Integr. Syst., vol. 21, no. 7, pp. 1322-1332, Jul. 2013.
[22] F. Z. Rokhani and G. E. Sobelman, “Low-power bus transform coding
for multilevel signals,” in IEEE Asia-Pacific Conference on Circuits and
Systems, Proceedings, APCCAS, 2006, pp. 1272-1275.
[23] V. Gutnik and A. P. Chandrakasan, “Embedded power supply for low-
power DSP,” IEEE Trans. Very Large Scale Integr. Syst., vol. 5, no. 4,
pp. 425-435, Dec. 1997.
[24] N. Chabini and W. Wolf, “Reducing dynamic power consumption in
synchronous sequential digital designs using retiming and supply voltage
scaling,” IEEE Trans. Very Large Scale Integr. Syst., vol. 12, no. 6, pp.
573-589, Jun. 2004.
[25] R. Liu and K. K. Parhi, “Power reduction in frequency-selective FIR
filters under voltage overscaling,” IEEE J. Emerg. Sel. Top. Circuits Syst.,
vol. 1, no. 3, pp. 343-356, 2011.
[26] J. Han and M. Orshansky, “Approximate Computing: An Emerging
Paradigm For Energy-Efficient Design,” IEEE Test Symposium, vol. 370,
pp. 1-6, 2013.
[27] H. Li, J. Hu, and J. Chen, “A novel low-power filter design via reduced-
precision redundancy for voltage overscaling applications,” IEEE Glob.
Telecommun. Conf., pp. 3282-3287, 2013.
[28] U. Rührmair, F. Sehnke, J. Sölter, G. Dror, S. Devadas, and J. Schmidhuber,
“Modeling attacks on physical unclonable functions,” Proc. 17th
ACM Conf. Comput. Commun. Secur., pp. 237-249, 2010.
[29] C. M. Bishop, “Pattern Recognition and Machine Learning”,Information
Science and Statistics, Springer-Verlag New York, Inc., pp.049901, 2006.
[30] K. Hornik, “Approximation capabilities of multilayer feedforward net-
works,” Neural Networks, vol. 4, no. 2, pp. 251-257, 1991.
[31] F. Rosenblatt, “The Perceptron - A Perceiving and Recognizing Automa-
ton,” Math. Stat, 1957.
[32] N. Hansen and A. Ostermeier, “Completely Derandomized Self-
Adaptation in Evolution Strategies,” Evol. Comput., vol. 9, no. 2, pp.
159-195, Jun. 2001.
[33] N. Hansen, “The CMA Evolution Strategy: A Tutorial,” 2016.
[34] Z. H. Pang, J. Zhang, Q. Zhou, S. Q. Gong, X. Qian and B. Tang,
“Crossover Ring Oscillator PUF,” in 2017 18th International Symposium
on Quality Electronic Design (ISQED), pp. 237-243, 2017.
[35] Q. Ma, C. Gu, N. Hanley, C. Wang, W. Liu, and M. O’Neill, “A machine
learning attack resistant multi-PUF design on FPGA,” in 2018 23rd Asia
and South Pacific Design Automation Conference (ASP-DAC)., 2018, pp.
97-104.
[36] J. Ye, Y. Hu, and X. Li, “VPUF: Voter based physical unclonable
function with high reliability and modeling attack resistance,” in 2017
IEEE 23rd International Symposium on On-Line Testing and Robust
System Design (IOLTS), 2017, pp. 74-79.
[37] P. C. Kocher, “Timing Attacks on Implementations of Diffie-Hellman,
RSA, DSS, and Other Systems,” 1996, pp. 104-113.
[38] D. Merli, D. Schuster, F. Stumpf, and G. Sigl, “Side-Channel Analysis
of PUFs and Fuzzy Extractors,” in International Conference on Trust and
Trustworthy Computing, 2011, pp. 33-47.
[39] D. Merli, J. Heyszl, B. Heinz, D. Schuster, F. Stumpf, and G. Sigl,
“Localized electromagnetic analysis of RO PUFs,” in IEEE International
Symposium on Hardware-Oriented Security and Trust (HOST), 2013, pp.
19-24.
[40] J. E. Stine et al., “FreePDK: An Open-Source Variation-Aware Design
Kit,” IEEE International Conference on Microelectronic Systems Educa-
tion, pp. 173-174, 2007.
[41] U. Rührmair et al., “PUF Modeling Attacks on Simulated and Silicon
Data,” IEEE Trans. Inf. Forensics Secur., vol. 8, no. 11, pp. 1876-1891,
Nov. 2013.
