Breaking XOR Arbiter PUFs without Reliability Information

Niloufar Sayadi CWI Amsterdam, The Netherlands Phuong Ha Nguyen eBay, CA, United States Marten van Dijk CWI Amsterdam, The Netherlands Vrije Universiteit Amsterdam, The Netherlands University of Connecticut, CT, United States Chenglu Jin CWI Amsterdam, The Netherlands

Abstract

Unreliable XOR Arbiter PUFs were broken by a machine learning attack, which targets the underlying Arbiter PUFs individually. However, reliability information from the PUF was required for this attack.

We show that, for the first time, a perfectly reliable XOR Arbiter PUF, where no reliability information is accessible, can be efficiently attacked in the same divide-and-conquer manner. Our key insight is that the responses of correlated challenges also reveal their distance to the decision boundary. This leads to a chosen challenge attack on XOR Arbiter PUFs. The effectiveness of our attack is confirmed through PUF simulation and FPGA implementation.

Keywords XOR Arbiter PUFs $\cdot$ PUF Modeling Attacks $\cdot$ Chosen Challenge Attacks $\cdot$ Reliability-based Attacks

1 Introduction

The unique process manufacturing variation on every chip can be leveraged to create a Physical Unclonable Function (PUF) as a fingerprint for the device [7]. A vector of bits is applied to the PUF as the PUF challenge, and a unique response is generated by the PUF as output. PUFs are useful for device authentication and secret key management [11, 17, 8].

One classical design of silicon PUFs is Arbiter PUF (APUF), which measures the delay differences of two competing paths determined by a challenge and produces a one-bit response depending on which path is faster [7]. Ideally, the challenge-response pairs (CRPs) of an APUF are only determined by process variation and thus unpredictable to an attacker. However, the behavior of any APUF can be easily modeled by machine learning (ML) attacks after collecting many CRPs of the APUF [16]. A precise mathematical model of a PUF allows the attacker to violate the security properties of the PUF and thus successfully impersonate a legitimate user in authentication or retrieve secret keys managed by the PUF.

XOR Arbiter PUF (XOR APUF) was introduced as a security enhancement of the APUF design. It XORs multiple parallel APUF response bits together to form a response bit of the XOR APUF. XOR APUF has been considered a promising candidate for secure strong PUF design since their introduction in 2007 [17] until Becker presented a reliability-based ML modeling attack that linearly scales with respect to the number of the underlying APUFs in 2015 [1]. The reliability-based attack relies on the fact that the reliability of a CRP under the measurement noise reveals whether the response is close to the response decision boundary where the value of the response bit will be flipped. This extra information allows attackers to implement a divide-and-conquer strategy to attack individual APUFs in an XOR APUF, rather than the whole XOR APUF [1].

One limitation of the reliability-based attack is that it has to access the reliability information of individual CRPs by repeated measurement. Following this line of thinking, countermeasures have been proposed to thwart or prevent the leakage of reliability information by designing super reliable XOR APUFs [20] or blocking repeated measurements using an access control interface [9].

Although large noisy XOR APUF has been shown vulnerable [1], no attack is known to be able to model large noise-free XOR APUF successfully. In this paper, we show that, for the first time, the XOR APUF can be modeled when it is impossible to collect the reliability information of CRPs. Therefore, the XOR APUF design is completely broken in both reliable and unreliable cases. Note that the proposed attack requires the attackers to choose the challenges applied to the PUF; however, it does not mean that we assume a stronger adversarial model than the reliability-based attack because the reliability-based attack is also one kind of chosen challenge attack, as it chooses to measure the same CRPs repeatedly.

In our attack, we choose a bunch of challenges around a randomly selected challenge with only a one-bit difference in their $\Psi$ vectors (a $\Psi$ vector is a transformed challenge based on Eq. 2), and then we check how many surrounding challenges will lead to a flipped response bit from the response of the centroid challenge. The flipping probability reveals how close the centroid challenge is to the response decision boundary, where the response bit flips. Relying on this fact, we propose a chosen challenge attack that can model individual APUFs in an XOR APUF and thus break the security of XOR APUF completely, even in the case when state-of-the-art reliability-based attacks fail.

Our experimental results in Sec. 4.1 show that the proposed attack can model individual APUFs in a perfectly reliable XOR APUF with a high prediction accuracy, while the reliability-based attacks fail to work [1]. As shown in our experiments in Sec. 4.2, our attack can also model the XOR APUF when the PUF is practically unreliable. Finally, we also validate our attack by attacking XOR APUFs implemented on a real FPGA.

1.1 Contributions

We make the following contributions in this paper:

•

We introduce a novel chosen challenge attack on unreliable and, more importantly, perfectly reliable XOR-Arbiter PUFs¹¹1To support open science and facilitate follow-up research, the source code of our attack will be made publicly available upon the acceptance of the paper..
•

We evaluate the effectiveness of the proposed attack using a PUF simulation under various conditions, including various noise levels, sampling rates, and the number of flips.
•

We demonstrate the practicality of our attack by attacking a real XOR APUF implemented on an FPGA.
•

We discuss an effective countermeasure against our attack.

1.2 Organization

We present the necessary background of APUF, XOR APUF, and the reliability-based attacks in Sec. 2. The proposed chosen challenge attack is discussed in Sec. 3. Sec. 4 presents the experimental results and a fair comparison with the state-of-the-art reliability-based attacks. An effective countermeasure is discussed in Sec. 5, followed by some other related work in Sec. 6. The paper concludes in Sec. 7.

2 Background

2.1 Arbiter PUFs and XOR Arbiter PUFs

An Arbiter PUF (APUF) is a strong PUF that consists of $n$ consecutive delay stages that lead to an arbiter. The stages are identical 2-to-1 multiplexers that lead the top and bottom signals based on the challenge bits that are applied to their $select$ inputs. In the last stage, the top and bottom signals have an accumulated delay difference due to the differences in the delay of every stage introduced by process variations. Finally, the arbiter outputs a ‘1’ or ’0’ bit depending on which signal arrives at the arbiter faster.

The behavior of an APUF can be captured by a Linear Additive Delay Model [11]

\begin{split}\Delta=w[0]\Psi[0]+...+w[n]\Psi[n]=\langle W,\;\Psi\rangle\end{split},

(1)

where $W$ is the weight vector, $\Psi$ is the parity (or feature) vector and $n$ is the number of challenge bits or the number of delay stages. The weight vector $W$ defines the character of the APUF, and it is determined only by process variations. For $\Delta\geq 0$ , the response $r=0$ , otherwise $r=1$ . The parity vector $\Psi$ is solely based on the challenge vector $c$ in the following way:

\begin{split}\Psi[n]=1\hskip 4.0ptand\hskip 4.0pt\Psi[i]=\prod_{j=i}^{n-1}(1-2c[j]),i=0,...,n-1.\end{split}

(2)

A $k$ -XOR APUF is constructed by $k$ APUFs that are fed by the same challenge, and their response bits are XORed together. Unlike APUFs, XOR APUFs have a non-linear model due to the added XOR. Thus, it is generally believed that XOR APUFs are much harder to model than APUFs, and the difficulty grows exponentially in $k$ when the reliability-based attack was unknown [16].

2.2 Reliability-Based Attacks on XOR APUFs

Unlike the classical machine learning modeling attacks on PUFs that use response bits directly for training, in a reliability-based modeling attack, the reliability information derived from repeated measurement of CRPs is used for modeling. The response to each challenge is measured multiple times to compute the reliability of the CRP. This reliability gives information about the delay difference $\Delta$ of an APUF component in an XOR APUF under the evaluated challenge. This is because when $|\Delta|$ is smaller than a threshold value $\epsilon$ , the CRP is unreliable, and the response can easily be flipped between $0$ and $1$ ; otherwise, the CRP is reliable, and the response is consistent. Also, in an XOR APUF, if one of the underlying APUFs is unreliable, then the overall XOR APUF is also unreliable. This is why the reliability information reveals the delay information of the individual APUF and allows a divide-and-conquer strategy to model individual APUFs in an XOR APUF. In [1], Becker used a popular evolution strategy-based optimization algorithm, Covariance Matrix Adaptation Evolution Strategy (CMA-ES), to learn the weight vector of the APUF along with the threshold value $\epsilon$ . For this purpose, a set of challenges $C_{i}$ is randomly generated, and the reliability $R_{i}$ is measured for every challenge using Eq. 3, where $M$ is the number of measurements per CRP.

R_{i}=|\frac{M}{2}-\sum_{i=1}^{M}{r_{i}}|

(3)

Then, Becker used CMA-ES to optimize the PUF model by maximizing the Pearson correlation coefficient of the measured reliability and the predicted reliability based on the PUF models in the current iteration of the CMA-ES algorithm. The algorithm will converge to the model of an underlying APUF in the attacked XOR APUF. By executing the CMA-ES algorithm multiple times, all APUF models in the XOR APUF will be modeled eventually.

An enhanced reliability-based attack on XOR APUF was presented by Nguyen et al., which utilizes a more accurate reliability model to improve the prediction accuracy or attack efficiency [15]. Tobisch et al. demonstrated that it is also possible to use a gradient-based optimization to launch reliability-based attacks [18].

3 Proposed Attack on XOR APUFs

3.1 Motivation

To the best of our knowledge, the reliability-based attack is still the most efficient attack on XOR APUFs. However, if no reliability information is available to the attacker, then none of the reliability-based attacks [1, 15, 18] would work. As shown in [20], by implementing a majority voting at the end of every APUF in an XOR APUF, one can boost the reliability of the APUFs and the overall XOR APUF arbitrarily. Although this defense may incur a performance overhead, it is very effective in stopping the reliability-based attack because the attacker cannot find a noisy CRP to derive its reliability. Another potential countermeasure that could paralyze the reliability-based attacks is the (logical) erasable PUF interface [9, 10]. The access to each individual CRP can be controlled by the interface, and then, it is impossible to remeasure the responses of an erased challenge anymore. Thus, it prevents the attacker from deriving the reliability information even if the underlying PUF is still noisy.

Our proposed attack can defeat both of the countermeasures since we do not rely on reliability information.

3.2 Adversarial Model

We assume the same adversarial model as the reliability-based attack [1]. The attackers can apply any challenges they want to the PUF and only get the responses of the queried challenges back, i.e., no other side channel information. The only difference is that we choose to measure correlated CRPs, but the reliability-based attacks choose to measure the same CRPs repeatedly.

3.3 Chosen Challenge Attack

Key Idea. In this strategy, we focus on manipulating $\Psi$ and investigate how it affects the delay model (Eq. 1). Suppose that there is a flip in the $\Psi$ vector of the delay model; then, this flip will lead to a different coefficient for one of the weight vector elements. Note that a challenge $c$ consists of only $0$ or $1$ , but a $\Psi$ vector only contains $1$ or $-1$ , according to Eq. 2. Thus, after one flip in $\Psi$ (from $1$ to $-1$ or from $-1$ to $1$ ), the delay difference $\Delta$ would be changed from $\Delta_{1}$ to $\Delta_{2}$ , as shown in Eq. 4. Whether this change leads to a flipped response bit reveals whether $\Delta$ flips its sign, i.e., whether $|\Delta|<2|w[1]|$ , in the case of Eq. 4. This is the key enabler of our attack on APUFs.

\begin{split}\begin{cases}\Delta_{1}=w[0]{\color[rgb]{1,0,0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0,0}-}w[1]-w[2]+...+w[n]\\ \Delta_{2}=w[0]{\color[rgb]{1,0,0}\definecolor[named]{pgfstrokecolor}{rgb}{1,0,0}+}w[1]-w[2]+...+w[n]\end{cases}\end{split}

(4)

This relation also allows us to attack individual APUFs in an XOR APUF. Statistically speaking, if there is a flip in $\Psi$ , it is unlikely that the response of an APUF will be flipped. But if the response of one APUF is flipped, this flip will be propagated to the output of the XOR and be observable by the attacker, assuming this flip in $\Psi$ does not flip the responses of the other APUFs. Of course, multiple APUF responses can be flipped occasionally, but we will use the Pearson correlation coefficient as a robust indicator to deal with the “noise” introduced by multiple APUF response flips.

Detailed Steps. Algorithm 1 shows the pseudo-code of the proposed chosen challenge attack, and it models the PUF using the flipping probability information. To compute the flipping probability, we first choose a challenge $c$ randomly in the challenge space and then convert it to the corresponding $\Psi$ according to Eq.2. Then we randomly sample $m$ $\Psi_{i}$ vectors that has a Hamming distance of 1 from $\Psi$ :

\begin{split}d_{H}(\Psi,\Psi_{i})=1.\end{split}

(5)

The Hamming distance of $1$ means only one bit is different between $\Psi$ and $\Psi_{i}$ . Practically speaking, if one bit $\Psi[i]$ is flipped, then two consecutive bits ( $c[i-1]$ and $c[i]$ ) should be flipped in the corresponding challenge $c$ , except for $i=0$ , then only $c[0]$ needs to be flipped.

Fig.1 illustrates the main idea of our attack. For any randomly chosen $\Psi$ (e.g., $\Psi_{a}$ , $\Psi_{b}$ , or $\Psi_{c}$ ), the $m$ sampled points with $d_{H}=1$ are on the circular radius to the centroid of $\Psi$ . If the $\Psi$ is close to the response decision boundary, it is more likely that the responses to the sampled neighboring $\Psi_{i}$ vectors are different from the response of $\Psi$ .

Note that in Algorithm 1 and accordingly in our code of experimental works, the non-flipping probability value is used. The non-flipping probability is calculated as in Eq.6.

\begin{split}F=1-\frac{\sum_{i=1}^{m}|r_{i}-r|}{m}\end{split}

(6)

The responses $r_{i}$ and $r$ in the Eq.6 are the PUF response of the sampled neighboring $\Psi_{i}$ and the centroid $\Psi$ , respectively, and $m$ is the number of sampled $\psi_{i}$ around a centroid $\Psi$ .

Refer to caption — Figure 1: Geometric illustration of the chosen $\Psi$ vectors and their relation with the linear response decision boundary in the $\Psi$ space. Note that this diagram is for illustration purposes only, as the $\Psi$ space is never a 2-D space. The decision boundary is always linear due to the linear delay model in Eq. 1.

Thus, after sampling many random challenges and their surrounding challenges, we get a dataset of $(\Psi,F)$ pairs as Eq. 7.

\mathcal{Z}=\{(\Psi_{1},F_{1}),...(\Psi_{i},F_{i}),...,(\Psi_{N},F_{N})\},

(7)

where $N$ is the size of the training dataset in our attack.

Then, the CMA-ES algorithm is used to find the optimal $W$ model for individual APUF in an XOR APUF. To start the procedure, K random models are generated. For each model $W_{j}$ , the $\Delta$ is calculated for each $\Psi$ vector included in $\mathcal{Z}$ , and the predicted non-flipping probability $F^{{}^{\prime}}$ is computed according to Eq.8. The linear relationship of $F$ and $F^{\prime}$ will be discussed in Sec. 3.4.

F^{{}^{\prime}}=|\Delta|=|\langle W,\;\Psi\rangle|

(8)

The objective function of CMA-ES is the Pearson correlation coefficient $\rho_{j}$ between the measured non-flipping probability ( $F_{1}$ ,…, $F_{N}$ ) and the predicted non-flipping probability ( $F^{{}^{\prime}}_{1}$ ,…, $F^{{}^{\prime}}_{N}$ ). Inside the CMA-ES algorithm, an $L$ number of $w$ APUF models with the highest $\rho_{j}$ value are kept in each iteration to generate a new generation of $K$ models. After $T$ iterations, the CMA-ES outputs the model with the highest Pearson correlation coefficient $\rho$ as the best model. When attacking an XOR APUF, the CMA-ES algorithm would converge to one of the individual APUFs in the XOR APUF. We can repeat the whole process, and eventually, all the APUFs of an XOR APUF will be modeled after a sufficient number of CMA-ES runs; therefore, the whole model of XOR APUF is revealed.

Algorithm 1 Chosen Challenge Attack

1:procedure Chosen Challenge Attack

2: for

t\leftarrow 1

N

\triangleright

Training Data Collection

3: randomly select a challenge

c

4: transform

c

into

\Psi

based on Eq. 2

r\leftarrow PUF(c)

6: for

i\leftarrow 1

m

7: randomly generate

\Psi_{i}

s.t.

d_{H}(\Psi,\Psi_{i})=1

8: transform

\Psi_{i}

into

c_{i}

by inverse Eq. 2

r_{i}\leftarrow PUF(c_{i})

10: end for

11:

F_{t}=1-\frac{\sum_{i=o}^{m-1}|r_{i}-r|}{m}

12:

\mathcal{Z}=\{(\Psi_{i},F_{i})\}_{i=1}^{N}

13: end for

14: generate K random models: {

W_{1}

,…,

W_{j}

,…,

W_{K}

}

15: for

j\leftarrow 1

K

\triangleright

Optimization

16: for

h\leftarrow 1

N

17:

F^{\prime}_{j,h}=|\Delta|=|\langle W_{j},\;\Psi_{h}\rangle|

18: end for

19:

F^{\prime}_{j}=\{F^{\prime}_{j,h}\}^{N}_{h=1}

20:

\rho_{j}=Correlation(F,F_{j}^{\prime})

21: end for

22: CMA-ES uses

L

out of the

K

models of

W

with the highest

\rho

to generates K new models.

23: repeat lines (15-22) for

T

iteration to maximize

\rho

and output the optimized model

W

24:end procedure

3.4 A Unified Theoretical Foundation of Our Attack and the Reliability-based Attacks

As shown in [2, 15], the non-flipping probability $F$ (or reliability) of a CRP in an APUF, under some perturbations, has a relationship with the delay difference $\Delta$ of the CRP and the standard deviation $\sigma$ of the perturbations as follows.

\Delta/\sigma=\sum_{i=0}^{n}{(w[i]/\sigma)\Psi[i]}=-\Phi^{-1}(F)

(9)

In a reliability-based attack, the perturbations come from environmental noise, and thus $\sigma$ is the standard deviation of the environmental noise with a normal distribution $\mathcal{N}(0,\sigma)$ . Similarly, in our proposed chosen challenge attack, the perturbations come from the flipped $\Psi$ bit, so $\sigma$ is the standard deviation of the perturbation ( $2W[i]$ ) caused by one flip in $\Psi$ . Note that each weight vector component $W[i]$ in an APUF is believed to follow a normal distribution $\mathcal{N}(0,\sigma/2)$ . This normal distribution assumption is widely used in APUF simulations and is validated in real APUF implementations in the past research [1, 15, 16].

Eq. 9 can be approximated as Eq.10 if $F\in[0.1,0.9]$ .

\Delta/\sigma\approx F

(10)

Due to the linear relationship between the measured non-flipping probability $F$ and the delay model $\Delta$ , which is also the predicted non-flipping probability $F^{\prime}$ , we can select the best-fitting models among random models and then optimize them in every iteration of the CMA-ES algorithm to generate an accurate model of an underlying APUF.

3.5 Comparison with Reliability-based Attacks

The proposed attack shares many similarities with the reliability-based attack in [15], which is an enhanced version of the attack in [1]. Both our attack and the reliability-based attacks need to choose the CRPs to be measured, and they all exploit the fact that the non-flipping probability (or the reliability) has a linear relationship with the delay difference $\Delta$ . Most importantly, both our attack and the reliability-based attack can learn individual APUFs in an XOR APUF in a divide-and-conquer manner and scale linearly w.r.t. the number of XORs.

Actually, the proposed chosen challenge attack can be viewed as a generalization of the reliability-based attack. As we will show in Sec. 4.3, our chosen attack does not have to restrict the hamming distance to 1; the known reliability-based attacks are a special case of our chosen challenge attack when the hamming distance is 0, and the perturbation is caused by small environmental noise instead of flips in $\Psi$ . Also, our attack methodology is more widely applicable, including attacking perfectly reliable XOR APUFs.

4 Experimental Evaluation

In our experiments, we use a commercial laptop with Intel(R) Core(TM) i9-10885H CPU and 16.0 GB RAM for the simulations, and we use a Nexys 4 DDR DIGILENT board for the FPGA XOR APUF implementations. All the APUFs or XOR APUFs being attacked are 64-bit long. Some of our source codes are modified from the GitHub repository²²2https://github.com/scluconn/DA_PUF_Library of the enhanced reliability-based attack [15].

4.1 Attacking Perfectly Reliable PUFs in Simulation

We first want to study the sensitivity of the modeling accuracy w.r.t. the number of samples ( $m$ ) around every centroid challenge. We tested various numbers of samples on a perfectly reliable 2-XOR APUF using the proposed attack, each with $150\times 10^{3}$ $(\Psi,F)$ pairs. As shown in Fig. 2, using 16 samples or more, the prediction accuracy of individual APUFs would be considerably high, and by increasing the number of samples from 16 to 64, there is not much remarkable improvement in accuracy. Therefore, we use 16 samples for the rest of our experiments.

Figure 2: Prediction Accuracy of the Chosen Challenge Attack on 64-bit 2-XOR APUF with different number of samples

m

The results in Table 1 show that the proposed chosen challenge attack can attack individual APUFs in a perfectly reliable XOR APUF with high accuracy. In contrast, the reliability-based attacks do not work in the same condition. The prediction accuracy of the original Becker’s attack (directly copied from [1]) on noisy XOR APUFs with the same number of XORs and the same number of challenge-reliability pairs is also shown in Table 1.

Table 1: The modeling accuracy of the individual APUFs in a simulated reliable XOR APUF.

#XORs	Training Dataset Size	Our Attack	Becker’s Attack^a
1	$20\times 10^{3}$	98.6% - 99.0%	98.3% - 99.3%
4	$150\times 10^{3}$	97.6% - 98.6%	99.1% - 99.7%
8	$300\times 10^{3}$	95.8% - 98.0%	99.1% - 99.7%
16	$500\times 10^{3}$	93.6% - 94.8%	98.7% - 99.6%

^a Since Becker’s attack does not work on a reliable PUF, we cannot make a fair comparison. The last column presents the results of Becker’s attack on an unreliable 128-bit PUF reported in [1].

4.2 Attacking Practically Unreliable PUFs in Simulation

The proposed attack works not only with reliable PUFs but also on practically unreliable PUFs. In every APUF simulation, a noise term independently drawn from $\mathcal{N}(0,\sigma_{N})$ is added to $\Delta$ for every measurement. As shown in Table 2, when $\sigma_{N}=0.0055$ and even with more noise as $\sigma_{N}=0.01$ , the accuracy of the chosen challenge attack is considerably high, and the XOR APUF could be modeled. Note that the weight vectors of APUFs are drawn from $\mathcal{N}(0,1)$ in the simulation. The two noise level parameters $\sigma_{N}$ are inherited from the noisy PUF simulation2, and they correspond to two reliability levels measured by [15] on their APUF FPGA implementations. We also reproduced the results of the enhanced reliability-based attack on the same targets using the authors’ open-source codes2 so that the two attacks can be properly compared in Table 2. In the reliability-based attack, each challenge-reliability pair is derived from 17 measurements, just like each $(\Psi,F)$ pair is derived from 17 CRPs in our chosen challenge attack. The measured reliability of each PUF is also reported in Table 2. It is measured as the percentage of CRPs that do not flip within 10 measurements. Note that we only evaluate our attacks on odd number XOR APUFs in all the following experiments to avoid the influence of the systemic bias in the responses of even number XOR APUFs [21].

From Table 2, we notice that, in general, the proposed attack has slightly lower accuracy than the enhanced reliability-based attack. This is because the perturbation in $\Delta$ in the reliability-based attack is smaller than the perturbation introduced by one flip in $\Psi$ in our attack. This means that in the dataset collected for the chosen challenge attack, it is more likely that more than one APUF responses get flipped, and this is considered as noise in our attack and negatively affects the training.

Table 2: The modeling accuracy of the individual APUFs in a simulated noisy XOR APUF.

#XORs	Training Dataset Size	$\sigma_{Noise}$	Our Attack	Attack in [15]	Reliability
1	$20\times 10^{3}$	0.0055	98.6% - 99.6%	99.2% - 99.6%	99.41%
1	$20\times 10^{3}$	0.01	99.0% - 99.4%	100.00% - 100.00%	98.67%
3	$150\times 10^{3}$	0.0055	97.0% - 98.2%	99.2% - 99.6%	98.10%
3	$150\times 10^{3}$	0.01	98.0% - 99.0%	99.6% - 100%	98.53%
5	$300\times 10^{3}$	0.0055	98.8% - 99.4%	98.2% - 98.6%	96.83%
5	$300\times 10^{3}$	0.01	97.8% - 98.2%	99.4% - 99.6%	94.20%
7	$300\times 10^{3}$	0.0055	96.0% - 98.4%	99.4% - 99.8%	95.84%
7	$300\times 10^{3}$	0.01	98.0% - 98.4%	99.2% - 99.4%	92.91%
15	$500\times 10^{3}$	0.0055	93.0% - 95.2%	99.4% - 99.8%	91.27%
15	$500\times 10^{3}$	0.01	94.2% - 97.4%	99.8% - 99.8%	85.10%

4.3 Extending to More Bit Flips Attacks in Simulation

We would like to extend the idea of our proposed attack and investigate whether flipping more bits in $\Psi$ can lead to a successful attack. Table 3 presents the prediction accuracy of individual APUFs in an XOR APUF with $d_{H}=2$ and three different noise levels $\sigma_{N}$ . The results show that the XOR APUFs still could be modeled with acceptable accuracy values. However, as expected, the accuracy is lower than the one-flip attacks because likely more multiple APUF response flips occur in the training dataset.

Table 3: The modeling accuracy of the individual APUFs in a simulated XOR APUF under the 2-flip attack.

#XORs	Training Dataset Size	$\sigma_{Noise}$	Modeling Accuracy
1	$20\times 10^{3}$	0	98.4% - 99.0%
		0.0055	99.4% - 99.8%
		0.01	99.2% - 99.8%
3	$150\times 10^{3}$	0	94.4% - 96.0%
		0.0055	98.2% - 98.8%
		0.01	97.0% - 99.2%
5	$300\times 10^{3}$	0	91.2% - 93.0%
		0.0055	97.4% - 97.6%
		0.01	97.0% - 98.0%
7	$300\times 10^{3}$	0	92.8% - 95.2%
		0.0055	93.8% - 94.6%
		0.01	92.4% - 92.8%

4.4 Attacking FPGA Implemented PUFs

Last but not least, we evaluate the proposed attack on XOR APUFs implemented on an FPGA. Table 4 shows the modeling accuracy of the individual APUFs under the proposed attack. The high accuracy presented in Table 4 validates the effectiveness of our attack in practice.

Table 4: The modeling accuracy of the individual APUFs in a real XOR APUF on Xilinx FPGA.

$\#$ XORs	Training Dataset Size	Modeling Accuracy
1	$20\times 10^{3}$	99.0 $\%$ - 99.3 $\%$
3	$75\times 10^{3}$	98.0 $\%$ - 98.4 $\%$
5	$75\times 10^{3}$	97.3 $\%$ - 98.0 $\%$
7	$75\times 10^{3}$	96.6 $\%$ - 97.6 $\%$
9	$75\times 10^{3}$	96.2 $\%$ - 96.3 $\%$

5 Countermeasures

One straightforward but effective countermeasure against our attack is to add a one-way function in front of an XOR PUF and enforce that the one-way function and the PUF must be evaluated as a whole: $R=PUF(OWF(C))$ as suggested in [6]. Then, an attacker cannot choose any specific PUF challenges to be evaluated anymore. However, this countermeasure may not be ideal to implement in a lightweight application scenario, e.g., RFID tags, due to the area overhead incurred by a one-way function. Also, this countermeasure does not stop reliability-based attacks.

6 Other Related Work

Prior to this work, some other studies on (adaptively) chosen challenge attacks on APUF have been proposed. For example, active learning methods can improve the efficiency of modeling by collecting informative CRPs, i.e., the CRPs with the highest uncertainty [19]. Adaptively choosing CRPs to measure based on optimization theory is used in [13]. However, all the above chosen challenge attacks can only attack single APUFs, not XOR APUFs.

The relationship of input bit flips and output bit flips of an XOR APUF has been well studied in the form of strict avalanche criteria, predictability test, and input sensitivity [3, 12, 14]. However, the understanding has been mainly used for assessing the machine learning resilience of a PUF [4] and for inspiring new PUF design ideas [5]. The most recent and relevant study in this line of research is a chosen challenge attack exploiting output transitions [12]. The attack also intentionally collects pairs of CRPs, which flip the response bit of an XOR APUF with limited input flips in raw challenges (instead of the $\Psi$ vectors in our attack). However, the authors directly used the collected CRPs for machine learning training to attack an XOR APUF as a whole. Thus, they only achieved up to 50% reduction in the required number of CRPs in attacking XOR APUFs, while our attack can attack individual APUFs instead of the XOR APUF as a whole.

Several recent attempts have been made to attack XOR APUFs using reliability-based [1, 15, 18] and classical machine learning attacks [16, 22]. They either have to use reliability information or cannot scale linearly with respect to the number of XORs.

7 Conclusion

In this work, we use the non-flipping probability of chosen challenges instead of the reliability for attacking individual APUFs in XOR APUFs. The unified theoretical foundation shows that our attack generalizes the reliability-based attacks, and thus, our attack method is applicable in more scenarios, including perfectly reliable PUFs. We validate our attack experimentally using simulation and FPGA implementations.

References

[1] Georg T. Becker. The gap between promise and reality: On the insecurity of XOR arbiter pufs. In Tim Güneysu and Helena Handschuh, editors, Cryptographic Hardware and Embedded Systems - CHES 2015 - 17th International Workshop, Saint-Malo, France, September 13-16, 2015, Proceedings, volume 9293 of Lecture Notes in Computer Science, pages 535–555. Springer, 2015.
[2] Jeroen Delvaux and Ingrid Verbauwhede. Side channel modeling attacks on 65nm arbiter pufs exploiting CMOS device noise. In 2013 IEEE International Symposium on Hardware-Oriented Security and Trust, HOST 2013, Austin, TX, USA, June 2-3, 2013, pages 137–142. IEEE Computer Society, 2013.
[3] Fatemeh Ganji, Sarah Amir, Shahin Tajik, Domenic Forte, and Jean-Pierre Seifert. Pitfalls in machine learning-based adversary modeling for hardware systems. In 2020 Design, Automation & Test in Europe Conference & Exhibition, DATE 2020, Grenoble, France, March 9-13, 2020, pages 514–519. IEEE, 2020.
[4] Fatemeh Ganji, Domenic Forte, and Jean-Pierre Seifert. Pufmeter a property testing tool for assessing the robustness of physically unclonable functions to machine learning attacks. IEEE Access, 7:122513–122521, 2019.
[5] Fatemeh Ganji, Shahin Tajik, Pascal Stauss, Jean-Pierre Seifert, Mark M. Tehranipoor, and Domenic Forte. Rock’n’roll pufs: crafting provably secure pufs from less secure ones (extended version). J. Cryptogr. Eng., 11(2):105–118, 2021.
[6] Blaise Gassend, Dwaine E. Clarke, Marten van Dijk, and Srinivas Devadas. Controlled physical random functions. In 18th Annual Computer Security Applications Conference (ACSAC 2002), 9-13 December 2002, Las Vegas, NV, USA, pages 149–160. IEEE Computer Society, 2002.
[7] Blaise Gassend, Dwaine E. Clarke, Marten van Dijk, and Srinivas Devadas. Silicon physical random functions. In Vijayalakshmi Atluri, editor, Proceedings of the 9th ACM Conference on Computer and Communications Security, CCS 2002, Washington, DC, USA, November 18-22, 2002, pages 148–160. ACM, 2002.
[8] Deniz Gurevin, Chenglu Jin, Phuong Ha Nguyen, Omer Khan, and Marten van Dijk. Secure remote attestation with strong key insulation guarantees. IEEE Transactions on Computers, 2023.
[9] Chenglu Jin, Wayne P. Burleson, Marten van Dijk, and Ulrich Rührmair. Erasable pufs: Formal treatment and generic design. In Chip-Hong Chang, Ulrich Rührmair, Stefan Katzenbeisser, and Patrick Schaumont, editors, Proceedings of the 4th ACM Workshop on Attacks and Solutions in Hardware Security Workshop, ASHES@CCS 2020, Virtual Event, USA, November 13, 2020, pages 21–33. ACM, 2020.
[10] Chenglu Jin, Wayne P. Burleson, Marten van Dijk, and Ulrich Rührmair. Programmable access-controlled and generic erasable PUF design and its applications. J. Cryptogr. Eng., 12(4):413–432, 2022.
[11] Daihyun Lim, Jae W. Lee, Blaise Gassend, G. Edward Suh, Marten van Dijk, and Srinivas Devadas. Extracting secret keys from integrated circuits. IEEE Trans. Very Large Scale Integr. Syst., 13(10):1200–1205, 2005.
[12] Chia-Chih Lin and Ming-Syan Chen. Learning from output transitions: A chosen challenge strategy for ML attacks on pufs. In IEEE/ACM International Symposium on Low Power Electronics and Design, ISLPED 2023, Vienna, Austria, August 7-8, 2023, pages 1–6. IEEE, 2023.
[13] Yuntao Liu, Yang Xie, Chongxi Bao, and Ankur Srivastava. An optimization-theoretic approach for attacking physical unclonable functions. In Frank Liu, editor, Proceedings of the 35th International Conference on Computer-Aided Design, ICCAD 2016, Austin, TX, USA, November 7-10, 2016, page 45. ACM, 2016.
[14] Phuong Ha Nguyen, Durga Prasad Sahoo, Rajat Subhra Chakraborty, and Debdeep Mukhopadhyay. Security analysis of arbiter PUF and its lightweight compositions under predictability test. ACM Trans. Design Autom. Electr. Syst., 22(2):20:1–20:28, 2017.
[15] Phuong Ha Nguyen, Durga Prasad Sahoo, Chenglu Jin, Kaleel Mahmood, Ulrich Rührmair, and Marten van Dijk. The interpose PUF: secure PUF design against state-of-the-art machine learning attacks. IACR Trans. Cryptogr. Hardw. Embed. Syst., 2019(4):243–290, 2019.
[16] Ulrich Rührmair, Frank Sehnke, Jan Sölter, Gideon Dror, Srinivas Devadas, and Jürgen Schmidhuber. Modeling attacks on physical unclonable functions. In Ehab Al-Shaer, Angelos D. Keromytis, and Vitaly Shmatikov, editors, Proceedings of the 17th ACM Conference on Computer and Communications Security, CCS 2010, Chicago, Illinois, USA, October 4-8, 2010, pages 237–249. ACM, 2010.
[17] G. Edward Suh and Srinivas Devadas. Physical unclonable functions for device authentication and secret key generation. In Proceedings of the 44th Design Automation Conference, DAC 2007, San Diego, CA, USA, June 4-8, 2007, pages 9–14. IEEE, 2007.
[18] Johannes Tobisch, Anita Aghaie, and Georg T. Becker. Combining optimization objectives: New modeling attacks on strong pufs. IACR Trans. Cryptogr. Hardw. Embed. Syst., 2021(2):357–389, 2021.
[19] Yuejiang Wen and Yingjie Lao. PUF modeling attack using active learning. In IEEE International Symposium on Circuits and Systems, ISCAS 2018, 27-30 May 2018, Florence, Italy, pages 1–5. IEEE, 2018.
[20] Nils Wisiol and Marian Margraf. Why attackers lose: design and security analysis of arbitrarily large XOR arbiter pufs. J. Cryptogr. Eng., 9(3):221–230, 2019.
[21] Nils Wisiol and Niklas Pirnay. Short paper: XOR arbiter pufs have systematic response bias. In Joseph Bonneau and Nadia Heninger, editors, Financial Cryptography and Data Security - 24th International Conference, FC 2020, Kota Kinabalu, Malaysia, February 10-14, 2020 Revised Selected Papers, volume 12059 of Lecture Notes in Computer Science, pages 50–57. Springer, 2020.
[22] Nils Wisiol, Bipana Thapaliya, Khalid T. Mursi, Jean-Pierre Seifert, and Yu Zhuang. Neural network modeling attacks on arbiter-puf-based designs. IEEE Trans. Inf. Forensics Secur., 17:2719–2731, 2022.