Physically unclonable functions (PUFs) form a promising innovative primitive that are increasingly gaining traction in the domains of authentication and secret key storage [1, 2, 3]. Instead of storing secrets in digital memory, PUFs derive a secret from the physical characteristics of an integrated circuit (IC) that form an inherent part of the device. Such a PUF can be obtained, as even though the mask and manufacturing process is relatively similar among ICs built for a particular purpose, each IC is actually unique due to normal manufacturing variability.
This unique behavior after manufacturing stems from a static randomness due to technological dispersion. This static randomness was characterized by Pelgrom 
, and is known to follow a normal distribution. Unfortunately, PUF outputs are also subject todynamic randomness due to measurement noise, which is detrimental to the reliability of a PUF as a source for cryptographic elements.
In this paper, we understand the information theoretic limits of key generation using PUFs, given this static and dynamic randomness in the system. As discussed in [1, 2], one of the central use-cases for PUFs is secret key generation, where this key is subsequently utilized in a variety of cryptographic algorithms. A higher key generation rate implies greater security guarantees for the overall system, and therefore, our focus is to understand its limits, and to characterize coding schemes that approach these limits.
I-a Related Work and Our Contributions
There is already a considerable body of work on combining PUFs with error correction coding schemes to obtain reliable keys or secrets . Conventionally, these have combined BCH/RS codes with PUFs. More recently,  presents simulation results on the combination of a polar code with a PUF, setting the stage for such a combination to be understood analytically. In parallel work to this paper, the authors et al.  uncover the connection between PUF key generation problem and Wyner-Ziv problem . And they study a nested polar codes construction scheme based on .
In this work, we present a PUF key generation scheme based on a previously well studied model called generated-secret (GS) model. In , the authors present the region of achievable secret-key vs. privacy-leakage (key vs. leakage) rates for the GS model. In this paper, we show that the optimal key generation rate is achievable using algebraic binning with linear codes, and uncover the relation between PUF key generation problem and Slepian-Wolf problem. Further, we present encoding and decoding algorithms using polar codes that achieve the optimal rate. Finally, we present simulation results to showcase the performance of our scheme.
Compared to existing literature, we find that our scheme results in a relatively straightforward interpretation of the PUF key generation problem, and results in a key generation rate that is optimal for the GS model for PUFs. This is further expanded on in later sections of the paper.
The remainder of this paper is organized as follows. Section II provides the system model for PUF and formally defines the problem. Section III shows the algebraic binning method and polar code construction achieving the maximal key generation rate. Section IV compares our method to the existing other methods. Section V presents the simulation result. Finally, Section VI concludes the paper and gives future directions.
Ii System Model
represents the element-wise modulo-2 summation. A binary symmetric channel (BSC) with crossover probabilityis denoted by BSC(). represents a binary quantizer that quantizes to and to .
A physically unclonable function (PUF) can be mathematically represented fairly simply as
where is the PUF output, is the static randomness and the dynamic randomness independent of . As stated earlier in the introduction, is the desired “signal", which is corrupted by the “noise” when observed at the output of a PUF.
In most conventional systems today, the PUF output is quantized immediately after observation. Most models in literature assume the output passes through a binary quantizer . It can be easily shown that , are distributed as , and , where is independent of , distributed as Bernoulli(), where is a function of and . From now on, we use to represent , to represent and to represent . Thus we have our PUF model with binary quantization as
where is the PUF output, and . Note that from the nature of PUF we do not have access to . Indeed, in the real world applications, both and are PUF outputs, which gives a different crossover probability in the model. But since it does not change the model (BSC), in the remaining part of this paper, we abuse the notations that we stick to the above model while both and represent PUF outputs and is the parameter that measures the noise between two PUF outputs.
As mentioned earlier, we follow the generated-secret (GS) model for key generation of PUFs, as depicted in Figure 1. For a given sequence , our task is to design an encoder that generates a helper sequence and a key and a decoder that authenticates the key. This is such that, for a particular PUF, the probability of successful authentication goes to as goes to infinity. Let and ,
Define the key generation rate as , we desire to determine the maximal key generation rate
Iii PUF System Design Using Polar Codes
In this section, we first state our main theorem and show the optimal key generation rate is achievable with algebraic binning using linear codes. Note that, the result can also be obtained by random binning, but algebraic binning offers greater insights for PUF key generation system design. Therefore, we choose to use an algebraic binning framework going forward.
Iii-a Algebraic Binning Using Linear Codes
Given a PUF and an associated key generation rate , there exists a linear code such that
The basic idea is to generate the bins as the cosets of a “good" parity-check code. Let an binary parity check code specified by the binary parity-check matrix . The code contains all -length binary vectors whose syndrome is equal to zero, where here multiplication and addition are modulo 2. Assuming that all rows of are linearly independent, there are codewords in , so the code rate is . Given some general syndrome , the set of all -length vectors satisfying is called a coset . Define a decoding function , where , is equal to the vector with the minimum Hamming weight, where ties are broken evenly. It follows from linearity that the coset is a shift of the code by the vector , i.e.,
where the -length vector is the coset leader.
Decoding of this parity-check code amounts to quantizing to the nearest vector in with respect to the Hamming distance. This vector, , can be computed by syndrome decoding using the function
We may view the decoder above as a partition of to decision cells of size each, which are all shifted versions of the basic “Voronoi” set
Each of the members of is a coset leader for a different coset. The enrollment and authentication procedures with this algebraic binning are summarized in Algorithm 1. And the corresponding system model is shown in Figure 2.
Since our PUF model is a BSC with crossover probability . We are interested in “good" parity check codes over BSC that are capacity achieving, i.e., they have a rate arbitrarily close to for large enough. Note that and , together with Algorithm 1 will grant us the desired result.
First, we show for any enrollment sequence and the corresponding PUF output , the block error probability is vanishingly small. Note that the decoding computation in Algorithm 1 is unique, so unlike in random binning we never have ambiguous decoding. Hence, noting from the PUF model and from (3) that , a decoding error event amounts to so the probability of decoding error is
which by good BSC code is smaller than .
Next, we show the optimal rate is . Because the total number of typical sequences are , maximizing the key generation rate is equivalent to minimize the number of bins (cosets)
Here we need the following Slepian-Wolf bound for distributed source coding.
Theorem 2 (Slepian-Wolf ).
For the distributed source coding problem for the source drawn i.i.d., the achievable rate region is given by
To establish the connection between GS model and Slepian-Wolf problem, we see the two PUF outputs and are the correlated source for Slepian-Wolf problem, and the number of bins in GS model is equivalent to the rate of the first source in Slepian-Wolf problem
The proof shows the key generation rate is achievable with a “good” coset partition, in a sense that each coset is a “good” parity check code over BSC(). It is a general statement, as long as one can find the “good” coset partition with each coset a “good” parity check code for some channel, the key generation rate is achievable for that channel.
Iii-B Polar Codes for PUFs
Polar codes are popular linear block codes, introduced by Arikan in . A binary polar code can be specified by , where is the block length, is the number of information bits encoded per codeword, is the set of indices of the frozen bits and is a vector of frozen bits, which is known to both encoder and decoder.
Iii-B1 Encoding of Polar Codes
For an polar code, the encoding operation for a message vector , is performed using a generator matrix,
where is a bit-reversal permutation matrix, and denotes the Kronecker product.
Given a message vector , the codewords are generated as
where corresponds to the information bits indices. So are the information bits and are the frozen bits.
Iii-B2 Decoding of Polar Codes
Polar codes achieve the channel capacity asymptotically in code length, when decoding is done using the successive-cancellation (SC) decoding algorithm. The SC decoder observes
and generates an estimateof . The th bit of the estimate depends on the channel output and the previous bit decisions , denoted by . It uses the following decision rules,
where is the th likelihood ratio (LR) at length . We omit further details in SC decoding for limited space, readers can get the full knowledge of SC decoding in .
Iii-C Applying Polar Codes to PUFs
Given the PUF model as a BSC(), block length and rate , we have the polar code with parameters . And the algebraic binning with polar code is shown in Algorithm 2.
For PUF, every key generation rate , there exist a polar encoder and decoder, such that
As introduced in , polar code can be represented as
By inversion of , we have the syndrome and the key as
Now for each PUF observation , we treat it as a codeword of polar code with parameters . So we use a set of polar code . Because has full rank, for any , , and . So . We proved that is a coset partition of and each coset code with coset leader is a channel code for the channel. According to the Theorem 3 in , we have for rate , the block error probability for polar coding under successive cancellation decoding satisfies
Although polar codes cannot guarantee each coset code is a good channel code such that
on average, we obtain a good coset partition as required by Theorem 1. ∎
Iii-D Achievable Scheme for Unquantized PUFs: The Gaussian Case
As mentioned earlier, a vast majority of PUF outputs are quantized to a binary alphabet right after generation. However, for the unquantized PUF model (again, we abuse the notations such that are outputs of the PUF), we use a lattice based coding scheme as below.
Definitions: Lattice is a discrete subgroup of . Quantization with respect to is . Fundamental Voronoi region of is . Volume of the Voronoi region of is
. Normalized second moment ofis where . A pair of Lattices are said to be nested if .
We use nested lattices for coset partitioning and algebraic binning. The encoder block with input and output is implemented by lattice modulo operation
We use as a helper data. As in Figure 2, for the decoder block with input , helper data , and output , we perform
where , the decoder output is
If we use nested lattices satisfying with high probability, it follows that
with high probability. Since
it also means that
with high probability. In other words, the helper data cancels the effect of noise .
The lattice codebook is defined by the set . The code rate is given by where is the volume of the fundamental Voronoi region of a lattice. We use nested lattices with parameters , , and . Nested lattices good for Gaussian channel coding  can be used to achieve a rate up to with vanishing error probability. In practice, polar lattices [12, 13] can be used for polynomial-time processing.
Iv Comparisons with Existing Methods
There are several existing method proposed for the GS model.
The authors et al.  establish the connection between Wyner-Ziv problem and the GS model. They describe the key-leakage-storage region for GS model. However, for GS model, according to the definitions, storage rate and privacy rate are the same since , where is a function of in GS model. It is also reflected in Theorem 1 in  as and have the same bound. So the key-leakage-privacy region can be treated as key-leakage region or key-storage region. We describe the optimal point of the key-storage region by the algebraic binning argument. The authors et al.  also show a polar code construction based on the nested polar code in  to achieve the key-leakage-storage region, which give the maximual key generation rate as for given PUF noise as a BSC(), where is a chosen parameter for the first step vector quantization (VQ) in the nested polar code. Since , we have our optimal rate greater than their optimal rate , and the storage . Notice that the both equalities can be achieved if , but at this point they lose the nested polar code construction. The reason for the degradation in their result is that there exists a gap between Wyner-Ziv problem having distortion (reflected as the first step VQ in the nested polar code construction) and the GS model requiring an exact recovery of the key. So the VQ step introducing the distortion is not necessary for GS model. In all, we offer a better rate with a simpler implementation.
The authors et al.  offer an LDPC based scheme for PUF. Their scheme does not optimize the key generation rate since the LDPC does not necessarily form a coset partition.
V Simulation Results
We simulate the system in Figure 2 with the polar code construction in Section III-C with MATLAB. If we use PUFs in a field programmable gate array (FPGA) as the randomness source, we must satisfy a block error probability of at most . Consider a BSC() with crossover probability , which is a common value for SRAM PUFs.
First, we consider the block length and we design polar code with rate for the BSC() channel. We evaluate the block error probability performance of this code with SC decoder and SC list (SCL) decoder with list size 8 respectively for a BSC with a range of crossover probability, as shown in Figure. 3. It shows the SCL decoder has better performance, and achieves a block error probability of at a crossover probability . For comparison, we achieve the key generation rate with crossover probability and block error probability , better than the crossover probability and block error probability tuple in .
By algebraic binning, we show that “good” coset partition is needed to achieve the optimal key generation rate for PUFs. Thus we offer a principle in general for PUF key generation system design. And we design a polar code-based system for PUFs that achieve better key generation rate than existing methods. In future work, we will further study the “good” code for unquantized PUFs.
This work was supported by the NSF and the ONR.
-  Gassend, Blaise, Dwaine Clarke, Marten Van Dijk, and Srinivas Devadas. “Silicon physical random functions.” In Proceedings of the 9th ACM conference on Computer and communications security, pp. 148-160. ACM, 2002.
-  Suh, G. Edward, and Srinivas Devadas. “Physical unclonable functions for device authentication and secret key generation.” In Proceedings of the 44th annual Design Automation Conference, pp. 9-14. ACM, 2007.
-  Guajardo, Jorge, Sandeep S. Kumar, Geert Jan Schrijen, and Pim Tuyls. “FPGA intrinsic PUFs and their use for IP protection.” In CHES, vol. 4727, pp. 63-80. 2007.
-  Pelgrom, Marcel JM, Aad CJ Duinmaijer, and Anton PG Welbers. “Matching properties of MOS transistors.” IEEE Journal of solid-state circuits vol. 24, no. 5 (1989): 1433-1439.
-  Cover, Thomas M., and Joy A. Thomas. Elements of information theory. John Wiley Sons, 2012.
-  Ignatenko, Tanya, and Frans MJ Willems. “Biometric systems: Privacy and secrecy aspects.” IEEE Transactions on Information Forensics and Security vol. 4, no. 4 (2009): 956-973.
-  Arikan, Erdal. “Channel polarization: A method for constructing capacity-achieving codes for symmetric binary-input memoryless channels.” IEEE Transactions on Information Theory vol. 55, no. 7 (2009): 3051-3073.
-  B. Chen, T. Ignatenko, F. M. Willems, R. Maes, E. van der Sluis, and G. Selimis, “A robust SRAM-PUF key generation scheme based on polar codes,” July 2017, [Online]. Available: arxiv.org/abs/1701.07320.
-  Onur Gunlu, Onurcan Iscan, Vladimir Sidorenko, and Gerhard Kramer, “Wyner-Ziv Coding for Physical Unclonable Functions and Biometric Secrecy Systems,” Sep 2017, [Online]. Available: https://arxiv.org/abs/1709.00275
-  Korada, Satish Babu, and Rudiger Urbanke. “Polar codes for slepian-wolf, wyner-ziv, and gelfand-pinsker.” In Information Theory (ITW 2010, Cairo), 2010 IEEE Information Theory Workshop on, pp. 1-5. IEEE, 2010.
-  Muelich, Sven, and Martin Bossert. “A New Error Correction Scheme for Physical Unclonable Functions.” In SCC 2017; 11th International ITG Conference on Systems, Communications and Coding; Proceedings of, pp. 1-6. VDE, 2017.
-  Yan, Yanfei, Cong Ling, and Xiaofu Wu. “Polar lattices: where Ar?kan meets Forney.” In Information Theory Proceedings (ISIT), 2013 IEEE International Symposium on, pp. 1292-1296. IEEE, 2013.
-  Y. Yan, L. Liu, and C. Ling, “Polar lattices for strong secrecy over the mod- Gaussian wiretap channel,” Jan. 2014. [Online] Available: arXiv:1401.4532 [cs.IT]
-  U. Erez and R. Zamir, “Achieving on the AWGN channel with lattice encoding and decoding,” IEEE Trans. Inf. Theory, vol. 50, no. 10, pp. 2293–2314, Oct. 2004.
-  Wyner, Aaron, and Jacob Ziv. “The rate-distortion function for source coding with side information at the decoder.” IEEE Transactions on information Theory vol. 22, no. 1 (1976): 1-10.
-  Bosch, Christoph, et al. “Efficient helper data key extractor on FPGAs.” Cryptographic Hardware and Embedded Systems CHES 2008 (2008): 181-197.