Design and Implementation of Multiplexed and Obfuscated Physical Unclonable Function

Model building attack on Physical Unclonable Functions (PUFs) by using machine learning (ML) techniques has been a focus in the PUF research area. PUF is a hardware security primitive which can extract unique hardware characteristics (i.e., device-specific) by exploiting the intrinsic manufacturing process variations during integrated circuit (IC) fabrication. The nature of the manufacturing process variations which is random and complex makes a PUF realistically and physically impossible to clone atom-by-atom. Nevertheless, its function is vulnerable to model-building attacks by using ML techniques. Arbiter-PUF is one of the earliest proposed delay-based PUFs which is vulnerable to ML-attack. In the past, several techniques have been proposed to increase its resiliency, but often has to sacrifice the reproducibility of the Arbiter-PUF response. In this paper, we propose a new derivative of Arbiter-PUF which is called Mixed Arbiter-PUF (MA-PUF). Four Arbiter-PUFs are combined and their outputs are multiplexed to generate the final response. We show that MA-PUF has good properties of uniqueness, reliability, and uniformity. Moreover, the resilient of MA-PUF against ML-attack is 15% better than a conventional Arbiter-PUF. The predictability of MA-PUF close to 65% could be achieved when combining with challenge permutation technique.


INTRODUCTION
Nowadays, trusted and secured computing solutions are crucially demanding especially with the emergence of the Internet of Things (IoT). Generally, any computing systems can be represented as hardware, firmware, software (i.e., operating system, application, etc.) and data layers. For any computing systems which dealing with sensitive and user-specific data, the trustworthiness of the whole computing system is very important to avoid loss of privacy which can be realized by providing root-of-trust from the hardware layer.
Physical Unclonable Function (PUF) is an innovative technology that able to extract hardware characteristics and manifest them as device-specific responses that can be used as root-of-trust in trusted computing. The intrinsic manufacturing process variations during integrated circuit (IC) fabrication are exploited by PUF such that it can map a set of challenges to a set of responses, uniquely for each PUF instance. The challenge to response mapping or known as challenge-response pairs (CRPs) represents the characteristic of particular hardware. As PUFs can generate unique CRPs based on hardware characteristics, hence PUFs can be used to provide a secure, reliable and trustworthy root-of-trust to any computing systems. Guajardo et al., [1] and Rührmair et al., [2] classified PUFs into Strong-PUFs and Weak-PUFs. Strong-PUFs are PUFs that have an exponential number of CRPs, given as 2 k where k is the number of challenge bits. Meanwhile, Weak-PUFs are the types of PUFs which have a limited number of CRPs, predetermined challenges, and in the extreme case with just only a single challenge. Example of Weak PUFs such as SRAM-PUF [1,3], D Flip-Flop PUF [4], Buttery-PUF [5], Buskeeper-PUF [6], and SR-NOR latch PUF [7]. The terms of 'Strong' and 'Weak' are not meant to indicate the superiority of one PUF to another but merely to classify the PUFs based on their CRPs nature.
In the early development of PUFs, a delay-based PUF known as Arbiter-PUF, fabricated on silicon using TSMC 180-nm technology node was proposed [8,9]. Arbiter-PUF is a type of Strong-PUFs which has k-bit challenge and a total of 2 k CRPs. The functionality of Arbiter-PUF is based on the linearly additive delay which can be easily modelled using machine learning (ML) techniques. The susceptibility of Arbiter-PUF to ML-attack, therefore, has raised concern within the research community of hardware security [2,10]. Several studies in the past have focused on the techniques to increase the resiliency of Arbiter-PUF against MLattack [10,11,12,13,14]. Most of the techniques are using the XOR obfuscation technique which successfully increases the resilience of Arbiter-PUF against ML-attack. However, the XOR technique degrades the reliability of the PUF response.
In this paper, a new derivative of Arbiter-PUF which is called Mixed Arbiter-PUF (MA-PUF) is proposed. Four Arbiter-PUFs are combined and their outputs are multiplexed to generate the final response. The multiplexing technique is applied in MA-PUF instead of the XOR technique to reduce the degradation impact on the PUF reliability. Based on our analysis, MA-PUF has shown good properties of uniqueness, reliability, and uniformity. Moreover, the MA-PUF exhibits resiliency against ML-attack. The main contributions of this work are highlighted below: 1. We propose a new derivative of Arbiter-PUF known as MA-PUF which has good properties of uniqueness and uniformity, close to an ideal value of 50%. The MA-PUF achieves good reliability of about 96%. 2. The proposed MA-PUF has 15% better resiliency against ML-attack as compared to a conventional Arbiter-PUF. A combination of MA-PUF with challenge permutation further increases its resilience against ML-attack. The predictability of the MA-PUF reduces to ≈65% with a challenge permutation technique. The rest of the paper is organized as follows. Section 2 describes the background which related to this work. The architecture of the proposed MA-PUF is discussed in Section 3. Section 4 describes the methods to construct the MA-PUF and to quantify its performance. The analysis of MA-PUF performance and its MLattack resistance is presented in Section 5. Finally, conclusions are drawn in Section 6.

Arbiter-PUF
Lee et al., [8] proposed an Arbiter-PUF which was designed and implemented on silicon using the process technology of TSMC 180-nm. The proposed architecture of k-bit Arbiter-PUF as illustrated in Figure  1. Arbiter-PUF exploits the logic delay and interconnects variations due to limitations during IC fabrication processes. Arbiter-PUF consists of k switching components and an arbiter. Typically, SR-latch is used as an arbiter since it offers fair arbitration from its symmetric circuit topology [15].

93
The switching components can be constructed using two-to-one (2-to-1) multiplexer using logic gates or transmission gates. A rising pulse is applied at the input and propagated through two nominally identical delay paths. The switching component controls the propagation delay paths of the input pulse by setting the bits of the challenge, C = {c1, c2, . . . , ck}. For ck = 0, the path go straight through, while for ck = 1, they are crossed. Due to process variations, each switching component and the interconnect wire exhibits a unique delay. As the rising pulse passes through until k-th switching component, there is a delay difference between the two rising pulses which represented as ∆t. A random response, '0' or '1', is generated by the arbiter (i.e., SR-latch) depending on the difference in arrival times.

Related Work
The Arbiter-PUF discussed in the previous section was constructed based on the linear characteristics of the additive delays caused by the switching components in each stage. Hence, there is a possibility that the adversaries could model the Arbiter-PUF by using ML techniques. A successful model-building attacked on Arbiter-PUF has been described in [9] by using an ML technique known as support vector machine (SVM). To increase the non-linearity in Arbiter-PUF, other derivatives or Arbiter-PUF are proposed such as Feed-Forward Arbiter-PUF [16], XOR-Arbiter-PUF [17] and Lightweight-PUF [18]. These techniques mainly using the XOR technique to obfuscate the challenges and/or responses. Nevertheless, all the aforementioned PUFs are successfully attacked using ML techniques as described in [2]. An important finding as described by Rührmair et al., [2], as the challenge bit length k and the number of XOR increase, the difficulty of an ML to model the PUF increases. Figure 2. l-XOR Arbiter-PUF, k = 32 [19] In recent works, Ye et al., [20] proposed obfuscated PUF by combining the XOR technique and the random start-up values (SUVs) generated by the SRAM cells after the power-up process. However, the susceptibility of the proposed obfuscated PUF against ML-attack has not been presented in [20]. The following work by Ye et al., [12] was a randomized PUF (RPUF) based on the obfuscation of the Arbiter-PUF challenges by using random number generator (RNG). Nevertheless, the number of CRPs used for ML training is too small to have a conclusive finding on its ML-attack resiliency. Machida et al., [21] proposed Double Arbiter-PUF (DA-PUF) which was constructed based on XOR Arbiter-PUF. XOR Arbiter-PUF consists of l number of Arbiter-PUF as in Figure 1 and the final response is generated by XORing l responses. Unlike the XOR Arbiter-PUF, the DA-PUF obfuscated the topk,i and botk,i for i = 1, 2, . . . , l, among l P2 arbiters and the final response is generated by XORing l P2 responses. The DA-PUF exhibits a promising resiliency against MLattack with the predictability of about 69% and 57% respectively for 2-1 DA-PUF and 3-1 DA-PUF [14,22]. However, the XOR technique degrades the reliability of a given PUF. As can be seen in Figure 2, the reliability reduces as l increases. In another study, an Obfuscated-PUF (OB-PUF) is proposed by Gao et al., [11] in which the verifier sent a partial challenge to the prover (i.e., OB-PUF) to increase the complexity of the CRPs mapping. The RNG within an OB-PUF is used to generate a random pattern. Afterwards, the random pattern is padded with a partial challenge which was sent earlier by the verifier to make up a full-length challenge. Further, OB-PUF generates a random response based on the full-length challenge. Elsewhere, Mispan et al., [13] proposed a challenge permutation technique to increase the complexity of the challenge-to-response mapping of an Arbiter-PUF. Both works, [11,13] able to reduce the predictability of a conventional Arbiter-PUF to ≈ 65% for a total training CRPs of 30,000. In recent work, Vatajelu et al., [23] proposed symmetric encryption on Arbiter-PUF challenges using a secret key generated by a Weak-PUF. The proposed technique successfully reduces the predictability of Arbiter-PUF significantly. However, the symmetric encryption incurs area overhead and it is costly to be implemented for resource-constrained pervasive devices. In our work, we explore a new derivative of Arbiter-PUF which imitates the DA-PUF structure but without scarifying the reliability of the PUF response. In Section 5, we will discuss and compare the performance of the proposed MA-PUF with typical Arbiter-PUF and DA-PUF.

PROPOSED MA-PUF
The architecture of the MA-PUF is derived from the Arbiter-PUF, proposed in [8].

METHODOLOGY
The 32-bit MA-PUF (k = 32) circuit has been constructed and simulated using a low-κ 65-nm CMOS technology node with a nominal supply voltage of 1.2V and a room temperature of 25ᴼC. The BSIM4 (V4.5) transistor model was used to simulate the MA-PUF circuit. The Monte Carlo simulation is used to model the manufacturing process variations such as threshold voltage (Vth), effective width, effective length, and oxide thickness. 100 PUF instances were modelled using Monte Carlo simulation by using the built-in statistical variation (3σ variations) in the technology design kit (i.e., fabrication standard). A 32-bit response is generated for each of the PUF instances. In this study, the performance of MA-PUF to resist ML-attack is evaluated following the methodology described in [24]. The Artificial Neural Network (ANN) is employed since it offers the capability of modelling highly non-linear systems and it is implemented in MATLAB environment.

SIMULATION RESULTS AND ANALYSIS
The standard method to quantify the quality of a PUF is described in [25]. The quality parameters are uniqueness, reliability, and uniformity. In this section, these quality metrics of the proposed PUF are discussed. Moreover, the robustness of MA-PUF against ML-attack is also discussed.

Uniqueness
The uniqueness is the ability of a PUF to be uniquely distinguished from a group of PUFs of a similar type. The uniqueness is evaluated using Inter-hamming distance (Inter-HD) and it is given as [25]: where i and j represent two PUF instances under evaluation, each PUF generates n-bit response, Ri(n) and Rj(n), respectively when applied with the same challenge, C = {c1, c2, . . ., ck} and m is the total number of PUF instances. A 32-bit response is generated for each MA-PUF using the methodology described in Section 4. By using the Eq. (1), the uniqueness for 100 32-bit MA-PUF instances is 49.77%. The distribution of uniqueness or Inter-HD is illustrated in Figure 4. The uniqueness of MA-PUF is very close to the ideal value of 50%. Therefore, this indicates that for the same challenge applied to two similar MA-PUFs, it has a higher probability of one MA-PUF that will generate a response of about 50% different compared to the other MA-PUF. Nonetheless, a smaller group of the MA-PUF instances has a uniqueness of less than or more than 50% as indicated by the spread of the Gaussian imitated distribution in Figure 4.

Reliability
The reliability is the ability of a PUF to generate the same response over the environmental uctuations such as temperature and supply voltage when applied with the same challenges. The reliability is evaluated using Intra-HD and it is given as [25]: Further, the reliability of a PUF can be computed based on Intra-HD value and it is defined as: where i represents PUF under evaluation which generate n-bit response, Ri(n) at nominal temperature and supply voltage, R'i,j(n) is the response at different condition (i.e., temperature and/or supply voltage), and m is the number of samples.
To evaluate the reliability, the MA-PUF is subjected to variations in supply voltage (1.2V±10%) and/or ambient temperature from -40ᴼC to 85ᴼC, in which a total of 12 conditions including nominal condition as shown in Figure 5. By using Eq. (2) and (3), the average reliability of MA-PUF under the aforementioned conditions is 96%. Based on our reliability analysis, we found that the reliability of MA-PUF is approximately similar to a conventional Arbiter-PUF. The reliability of MA-PUF under each condition is depicted in Figure  5. A nominal condition, 1.2V and 25ᴼC is used as a reference condition which explains the reliability value of 100%. For example, the response measured at 1.08V and -40ᴼC is compared against the response measured at the reference condition, 1.2V and 25ᴼC. Subsequently, the evaluated reliability (93.22%) is plotted in Figure 5 and this process continues for 11 other conditions. According to [26], an increase in temperature decreases Vth, while also decreasing the electron and hole mobilities, and vice versa. Meanwhile, an increase in supply voltage increases the overdrive voltage and current, while also decreasing the charging/discharging time of loading capacitances, and vice versa. These effects due to temperature and supply voltage variations may counteract during the circuit operation and cause unreliable responses, hence describes the observed reliability pattern in Figure 5.

Uniformity
The uniformity is defined as the proportion of 0`s and 1`s in the response bits of a PUF which characterize the randomness of the PUF response. Ideally, the number of 0`s and 1`s in response must be balanced, hence uniformity is distributed at 50%. The uniformity is evaluated using hamming weight (HW) and it is given as [25]: where ri,j is the j-th binary bit of an n-bit response from a PUF i, for a total of m PUFs. By using the Eq. (4), the uniformity for 100 32-bit MA-PUF instances is 48.34%. The distribution of uniformity is illustrated in Figure 6. Although the mean value of the uniformity is close to the ideal value of 50%, the spread of the uniformity distribution indicates some of the MA-PUFs have unbalanced of 0`s and 1`s.  Table I and compared against conventional Arbiter-PUF and DA-PUF. The MAPUF has a comparable uniqueness and uniformity as compared to the DA-PUF. The MA-PUF has an advantage of better reliability which is ≈ 96% as compared to the DA-PUF, ≈ 88%.

ML-attack
Another important criterion of a given PUF is resiliency against ML-attack. 32,000 CRPs have been collected for ML-attack evaluation using ANN. 30,000 CRPs have been used as a training dataset while 2,000 CRPs have been used as a testing dataset. Figure 7 shows the comparison of the susceptibility to ML-attack. Based on our evaluation, by introducing the mixing element using multiplexer in MAPUF, the predictability of a conventional Arbiter-PUF can be reduced from ≈ 99% down to ≈ 85%. The predictability of the MA-PUF can be further reduced by combining the challenge permutation technique as introduced in [13]. The MA-PUF with challenge permutation achieved ≈ 65% prediction accuracy. The challenge permutation incurs no cost as this technique can be implemented by routing obfuscation. Meanwhile, from our analysis, 3-to-1 DA-PUF shows better resiliency against ML-attack. Nevertheless, as discussed in Section 2.2, the XOR technique used in the DA-PUF degrades its reliability (i.e., estimated reliability degradation, see Figure 2). A similar reliability degradation was also observed in [21]. Figure 7. Comparison of the susceptibility to ML-attack

Area Consumption
For an area estimation, the behavioral model of MA-PUF, Arbiter-PUF, and 3-to-1 DA-PUF have been synthesized using Design Compiler. Table 2 lists the area in gate equivalent (GE) for the aforementioned PUFs. As expected, the area consumption for MA-PUF and 3-to-1 DA-PUF is higher than Arbiter-PUF as their architecture consists of the parallel Arbiter-PUFs. As can be seen from Table 2, MA-PUF has a slightly higher area consumption than 3-to-1 DA-PUF. Despite the highest area consumption, MA-PUF achieves better reliability as compared to 3-to-1 DA-PUF and it achieves better unpredictability against ML-attack as compared to Arbiter-PUF.