Secure Key Generation from Biased PUFs
 27 Citations
 4.4k Downloads
Abstract
PUFbased key generators have been widely considered as a rootoftrust in digital systems. They typically require an errorcorrecting mechanism (e.g. based on the codeoffset method) for dealing with bit errors between the enrollment and reconstruction of keys. When the used PUF does not have full entropy, entropy leakage between the helper data and the deviceunique key material can occur. If the entropy level of the PUF becomes too low, the PUFderived key can be attacked through the publicly available helper data. In this work we provide several solutions for preventing this entropy leakage for PUFs suffering from i.i.d. biased bits. The methods proposed in this work pose no limit on the amount of bias that can be tolerated, which solves an important open problem for PUFbased key generation. Additionally, the solutions are all evaluated based on reliability, efficiency, leakage and reusability showing that depending on requirements for the key generator different solutions are preferable.
Keywords
Code Word Physically Unclonable Function Repetition Code Outer Code Helper Data1 Introduction
A Physically Unclonable Function (PUF) implemented on an integrated circuit (IC) can be used as a hardware rootoftrust for a digital system, e.g. to generate and store the system’s private master keys. These PUFbased key generators provide a secure and efficient alternative for protected nonvolatile memories (e.g. Flash, EEPROM, antifuses, etc.). For such applications, a highquality PUF is needed which is both unpredictable as well as reliable, i.e. PUF responses are random per instantiation but repeatable with limited noise over time and under all circumstances. To achieve this, both entropy extraction (for unpredictability) and errorcorrection coding (for reliability) are required in key generators. A secure key derivation function is used for entropy extraction to derive a cryptographic key from a random seed. For errorcorrection, a commonly used technique is the codeoffset method that stores helper data during an enrollment phase, which is later used to correct bit errors that occur in the PUF response when reconstructing the key. This helper data should not provide any information about the key, because it is generally stored and/or transferred publicly.
It has recently been pointed out [9] that if a PUF does not have full entropy, information about the secret key material is leaked by the helper data. If this entropy leakage becomes too large, the derived key will not have full entropy; this poses a serious threat to the security of the key generator. The main focus of this work is the development of (pre)processing methods that prevent this leakage in case of biased PUFs. Using innovative approaches, the overhead of these algorithms on PUF size is minimized, while guaranteeing reliability of the system.
Related Work. PUFbased key generators based on errorcorrecting codes were firstly introduced in [13] for Arbiter PUFs and later on in [5] for SRAM PUFs, both using a configuration based on linear block codes. Efficiency optimizations were proposed based on code concatentation [1] and softdecision decoding [10, 17]. Later key generators based on ring oscillator PUFs were presented in [18, 22]. Potential security issues can arise with these key generators when their input (i.e. the PUF response) does not have full entropy, see e.g. [6], which was recently emphasized strongly in [9].
Contributions. The primary contribution of this work is the introduction of a number of solutions that prevent entropy leakage between helper data and the secret of a PUFbased key generator, in case of i.i.d. but biased PUF response bits. The presented solutions are all scalable in that they can handle an arbitrary amount of PUF response bias, given that the available PUF response is large enough to provide a sufficient input bits. This solves an important open problem with existing PUFbased key generators, which was even hypothesized to be unsolvable in [9]. The introduced methods are all proven to be secure and are compared based on their reliability, efficiency, leakage and reusability. This comparison shows that depending on requirements for the key generator, different solutions are preferable. Additionally, this work provides a new model for entropy leakage due to PUF bias as well as a model for the relation between PUF bias and the bit error rate of the corresponding PUF. The first model is an improvement over existing models, e.g. as used in [9], while the second model is a new concept which is an extension on the models from [14].
2 PUFbased Key Generation and Bias
2.1 General Construction
 1.
Reliability: if the occurence of (bit) errors between X and \(X'\) is limited, then with high probability \(K'\) will be equal to K.
 2.
Security: if X is sufficiently unpredictable, then K is secure even to a party which observes W.
2.2 Entropy Leakage
If X has full entropy then the entropy leakage as given by (2) becomes zero and \(H(SW) = k\). Hence, in that case S remains fully random and can be used as a secure input for key derivation. However, if X does not have full entropy, the entropy leakage might no longer be zero and S might not be completely unpredictable after observation of W. In the following, we study the effect of reduced entropy of X on the security of S, and in particular what occurs when X suffers from bias.
2.3 Entropy Leakage Due to PUF Bias
The most common cause of reduced entropy of X is the presence of global bias on the bits of X, i.e. globally ‘0’bits occur consistently more often than ‘1’bits or viceversa. We say that an nbit PUF response X is pbiased (\(0 \le p \le 1\)) if the apriori expected number of ‘1’bits in X is \(p \cdot n\), or p is the apriori probability of a random bit of a PUF response evaluating to ‘1’. An unbiased PUF has \(p=50\,\%\), but from experiments it is clear for most PUFs p deviates slightly from \(50\,\%\), or even significantly (see e.g. [7, 8, 13]).
 For codes with a simple structure, a closed expression for \(H(X\mathbf {H}^\mathbf {\top })\) can be derived. In particular for repetition codes it holds that:^{6}with \(f(t;n,p) = p^{t}(1p)^{nt}+p^{nt}(1p)^{t}\).$$\begin{aligned} H(X\mathbf {H_{rep}}^\mathbf {\top }) = \sum _{t=0}^{n1} \left( {\begin{array}{c}n1\\ t\end{array}}\right) f(t;n,p) \log _2 f(t;n,p) \end{aligned}$$(5)

For nontrivial but relatively short codes (e.g. \(n < 32\)), the distribution of \(X\mathbf {H}^\mathbf {\top }\) can be determined exhaustively from the known distribution of X. \(H(X\mathbf {H}^\mathbf {\top })\) then follows from the distribution of \(X\mathbf {H}^\mathbf {\top }\).
Figure 2(a) shows \(H(SW)\) for repetition codes with a pbiased PUF.^{7} Both the lower bound (4) and the exact calculation (5) are shown. It is clear that for \(p \not \approx 50\,\%\), the lower bound is not tight and significantly underestimates the remaining entropy; e.g. for \(n= 5\) the lower bound reaches zero for \(p=24\,\%\), while exact calculation shows that about 0.35 bit of entropy is actually still left. The lower bound is hence rather pessimistic for biases not close to \(50\,\%\) and a more exact calculation is preferable. This also partially refutes the socalled “repetition code pitfall” as stated in [9] which was solely based on the pessimistic conclusions from (4).
On the other hand, it is clear from Fig. 2(a) that a biased PUF response still severely reduces the remaining entropy of the seed S. This could be problematic, in particular for key generators deploying concatenated codes with a repetition code as the inner code, as shown next.
2.4 Effect of PUF Bias on a PUFbased Key Generator
In [10], one of the most efficient key generators to date^{8} was proposed using a concatenation of \(r=15\times \) a (24, 12)Golay code word for the outer code and a (8, 1)repetition code as inner code. The decoder consists of a hardinsoftout repetition decoder and a softinhardout Golay decoder. This construction extracts a 128bit key with a failure rate \(<10^{6}\), from 2880 PUF response bits with average bit error rate \(\le 15\,\%\).^{9} As a safety measure for reduced PUF entropy, the seed S from which the key is derived has a length of \(15 \times 12 = 180\) bits.^{10} We will study the effect of global PUF bias on this construction, and how much protection this implemented safety measure offers.
From Fig. 2(b) it is clear that bias significantly affects the remaining seed entropy for this realistic key generator. For \(p < 41.8\,\%\) (\(p > 58.2\,\%\)), the remaining entropy (lower bound) even falls below 128 bits, and the input of the key derivation function has potentially less than 128 bits of entropy. Hence one can no longer claim that the derived 128bit key has full entropy.^{13} Hence, the safety measure of using a 180bit seed effectively keeps this key generator secure for PUFs with a bias \(41.8\,\% \le p \le 58.2\,\%\).
Effect of scaling the seed length of the key generator from [10].

The conclusions about the studied key generator from [10], as summarized by Fig. 2(b) and Table 1, can be generalized to all key generators of the same design. The details differ slightly depending on the used codes, but the tendencies are always the same: global bias on PUFs relatively quickly reduces the remaining seed entropy, and increasing seed length has only a limited effect on the bias resistance and comes at a high cost in PUF size. This restricts the efficient use of key generators like Fig. 1 to PUFs with a limited global bias, roughly in the order \(50\,\% \pm 10\,\%\). Since many experimentally studied PUF constructions have a global bias within this range, this is not necessarily problematic. However, for other PUFs with larger bias this key generator design cannot be used, and it was hypothesized (e.g. in [9]) that secure key derivation from such PUFs is impossible. In the following we will counter this by presenting a number of solutions that efficiently generate secure keys from PUFs with arbitrarily large global bias. These solutions are generic, so they could be used to deal with other (than global) types of bias with only minor modifications.
3 Debiasing Solutions
3.1 Basic Concept

Reliability. A debiasing step should not compromise the reliability of the key generator. This requirement excludes many potential debiasing options that blow up the bit error rate of the enrolled bit string. On the other hand, certain debiasing solutions allow for an intelligent combination of debiasing and errorcorrection, as shown next.

Efficieny. A debiasing step typically compresses or discards part of the PUF response, hence introducing a debiasing overhead. It will become clear that basic debiasing methods have a rather high overhead. We propose innovative optimizations specifically tailored for PUFbased key generation which significantly reduce overhead.

Leakage. Debiasing typically also produces side information during enrollment which is required during reconstruction. This debiasing dataD hence needs to be stored/transfered publicly with the codeoffset helper data W, potentially introducing new entropy leakage. For each presented debiasing method, we will prove that the combined entropy leakage of the debiasing data D and helper data W is zero.

Reusability. The classic codeoffset scheme from Fig. 1 is reusable as shown in [2]. This means that the same PUF can be enrolled many times, each time producing a different key K and helper data W, without leaking more entropy than under just one single enrollment. This property does not necessarily hold when a debiasing step is used. We will investigate the reusability of each proposed debiasing method.
3.2 CVN: Classic von Neumann (VN) Debiasing

Reliability. A nice feature of debiasing methods like CVN is that they hardly affect the error rate of the PUF response bits, contrary to other methods such as hash functions or XORcombiners.^{15} This is the main motivation to use a von Neumannlike extractor as a debiasing step in a PUFbased key generator. Therefore, all following proposed debiasing solutions are variants of this classic von Neumann debiasing.
 Efficiency. If X is a pbiased nbit PUF response, then the number of unbiased bits retained by CVN is binomially distributed with parameters \((\lfloor \tfrac{n}{2}\rfloor ,2p(1p))\). The debiasing overhead of CVN is hence very high; even when the input X is already unbiased, CVN will still discard on average Open image in new window of the bits. However, in practical situations this ratio is even lower; to obtain Y unbiased bits with a maximum failure rate \(p_{\text {fail}}\), n needs to be large enough to meet:E.g. for \(Y=1000\), \(p=50\,\%\) and \(p_{\text {fail}}=10^{6}\), this yields \(n \ge 4446\), or a debiasing overhead factor of about 4.4. If X is actually biased this even becomes worse; e.g. for \(p=30\,\%\), \(n \ge 5334\) or a factor of 5.3.$$\begin{aligned} F_{\text {bino}}^{1}\!\left( p_{\text {fail}};\lfloor \tfrac{n}{2}\rfloor ,2p(1p)\right) \ge Y . \end{aligned}$$(7)

Leakage. Due to the properties of CVN, Y will be perfectly random regardless of the bias on X, and hence according to (2) we have \(I\left( S;W\right) = 0\). However, since CVN debiasing also produces public information D, we need to consider \(I\left( S;(W,D)\right) \) instead. It can be shown that \(I\left( S;(W,D)\right) = 0\) for CVN (proof, see full version [16]), hence the combination of (W, D) leaks no information on the seed S.

Reusability. A key generator using CVN for debiasing is not reusable. An example of the insecurity from enrolling the same PUF more than once is shown in Fig. 5. Here one learns from the helper data \(W^{(1)}\) of the first enrollment that the first and fifth bit of \(X^{(1)}\) are equal since they are both XORed with the same 2bit repetition code word. In the second enrollment, \(X^{(2)}\) a noisy version of \(X^{(1)}\) is enrolled, with differing bits marked in black. Because of these few differing bits, the first and fifth bit of \(X^{(2)}\) are now enrolled in two different code words. However, from the first enrollment one has learned that these two bits are equal. From this knowledge, one can deduce that the two code words in the second enrollment, and their corresponding seed bits, are also equal (with high probability). The 2bit seed \(S^{(2)}\) hence has only two possible values instead of four. In general, one can say that \(I\left( S^{(2)};(W^{(1)},D^{(1)},W^{(2)},D^{(2)})\right) > I\left( S;(W,D)\right) = 0\) and hence there is (more) leakage when the PUF is enrolled more than once. The reason for this reuse insecurity is the stochastic nature of the CVN step which is caused by random bit errors in between enrollments. Due to these differing bits, enrolled bits can shift between code words in between enrollments, which causes this particular type of leakage.
3.3 PairOutput (2OVN) and MultiPass TupleOutput VN Debiasing (MPTOVN)
 1.
Instead of using only the first bit of each selected pair as in CVN, both bits of a selected pair are retained, hence the name pairoutput von Neumann or 2OVN debiasing.
 2.
The most inner code in the codeoffset scheme is an evenlength repetition code (e.g. 4 bits in Fig. 6(a)).

Reliability. The reliability analysis of 2OVN is comparable to CVN and is explained in more detail in Sect. 4.1.
 Efficiency. It is clear that the debiasing overhead of 2OVN is about half that of CVN. The constraint on n now becomes:E.g. for \(Y=1000\), \(p=50\,\%\) and \(p_{\text {fail}}=10^{6}\), this yields \(n \ge 2322\), or a debiasing overhead factor of about 2.3, and for \(p=30\,\%\), \(n \ge 2794\) or an overhead factor of 2.8.$$\begin{aligned} F_{\text {bino}}^{1}\!\left( p_{\text {fail}};\lfloor \tfrac{n}{2}\rfloor ,2p(1p)\right) \ge \tfrac{Y}{2} . \end{aligned}$$(8)

Leakage. It can be shown that \(I\left( S;(W, D)\right) = 0\) still holds for 2OVN debiasing.This appears counterintuitive since Y is no longer i.i.d. but contains explicit dependencies, i.e. for each pair \((Y_{2i1},Y_{2i})_{i>0}\) it holds that \(Y_{2i1} = \overline{Y_{2i}}\) or the parity is odd. However, note that the codeoffset helper data of a repetition code anyway discloses the parities of all bit pairs of Y used within the same code word. Hence if a bit pair is used within the same repetition code word, as guaranteed by the 2OVN modifications, it is no problem that its parity is known since it would have been disclosed anyway. More intuitively, one can see (e.g. in Fig. 6(a)) that the known dependencies in Y do not help an outsider in predicting anything about S from (W, D).

Reusability. 2OVN debiasing is not reusable for the same reasons as CVN debiasing (see Sect. 3.2).
For MPTOVN to be leakagefree, it needs to be ensured that bits which were retained as a \(2^i\)bit tuple are always used within the bounds of a single repetition code word for calculating the helper data. This could entail that retained tuples need to be reshuffled or that a retained tuple is cropped when a code word bound is reached; e.g. in Fig. 6(b) the final two bits are discarded, they cannot be used for the next code word. Depending on the method used, it could be needed to keep track in which pass a certain bit pair was retained. In Fig. 6(b), this is done by letting D have three possible values for each bit pair, i.e. ‘not retained’ (00), ‘retained in first pass’ (01) or ‘retained in second pass’ (10). The leakage and reusability analysis for MPTOVN are the same as for 2OVN.
3.4 \(\epsilon \)2OVN: PairOutput VN Debiasing with Erasures
 1.
During enrollment 2OVN debiasing is applied, yet bit pairs which are not retained by 2OVN are not completely discarded but replaced with erasure symbols (\(\epsilon \)), hence the name pairoutput von Neumann debiasing with erasures or \(\epsilon \)2OVN. The length of Y (i.e. the number of symbols) is hence equal to the length of X.
 2.The most inner code is again an evenlength repetition code (e.g. 6 bits in Fig. 7). The codeoffset helper data between the code words and Y is calculated with the \(\epsilon \)XOR operation denoted as , which is defined as the regular XOR (\(\oplus \)) if both operands are regular bits, but produces an \(\epsilon \) if one or both of its operands is an \(\epsilon \).
 3.
During reconstruction, the noisy code words will also contain \(\epsilon \) symbols. These are to be treated as regular bit erasures by the decoder, which hence needs to be able to handle both errors and erasures. Figure 7 uses a concatenated code of an inner 6bit repetition code and an (exemplary) (4, 2) outer code. The repetition code is decoded with a hardinsoftout decoder which treats erasures as nonpreferential code bits. The outer code is decoded with a softinhardout decoder (i.c. a trivial minimumdistance list decoder) to retrieve the seed S.

Reliability. It is evident that \(\epsilon \)2OVN debiasing impacts the reliability of a key generator, since the used errorcorrecting code needs to be able to deal with bit errors caused by noise, as well as with erasures caused by bias. For an nbit pbiased PUF response X, the probability of having \(\tfrac{e}{2}\) erasures is binomially distributed with parameters \((\lfloor \tfrac{n}{2}\rfloor ,p^2+(1p)^2)\). In Sect. 4.2, it is demonstrated how this affects the reliability/efficiency of a realistic key generator.

Efficiency.\(\epsilon \)2OVN is very efficient in terms of debiasing overhead factor \(\tfrac{X}{Y}\), since \(X = Y\). However, the cost for \(\epsilon \)2OVN sits in the fact that a more powerful errorcorrecting code (hence with a smaller code rate) needs to be used to account for the introduced erasures. For \(\epsilon \)2OVN debiasing, reliability and efficiency need to be considered together, as demonstrated in Sect. 4.2.

Leakage. The \(\epsilon \)2OVN debiasing method does not produce any explicit debiasing data D. All required information is contained in W which uses the symbols 0, 1 and \(\epsilon \). For leakage, we need to consider \(I\left( S;W\right) \) again, but now in the new setting of \(\epsilon \)2OVN. It can be shown that classic von Neumann debiasing with erasures is leakagefree (proof, see full version [16]). From this, the security of pairoutput von Neumann debiasing with erasures follows in the same manner as for 2OVN due to the fact that the most inner code is a repetition code.

Reusability.\(\epsilon \)2OVN debiasing is reusable, i.e. \(I\left( S^{(i)};(W^{(1)},W^{(2)},\ldots )\right) = I\left( S;W\right) = 0\) (proof, see full version [16]). This means that the same PUF can be enrolled an arbitrary number of times without the combination of all produced helper data strings leaking anything about any of the enrolled seeds. A key generator with \(\epsilon \)2OVN debiasing (re)gains this property since the debiasing is no longer stochastic: randomly differing bits between enrollments do no longer affect the selection of bit pairs since all bit pair positions are always retained. Unfortunately, \(\epsilon \)2OVN cannot be extended to multiple passes in the same manner as MPTOVN without compromising the reusability property.
4 Objective Comparison of Debiasing Solutions
4.1 Relation Between PUF Bias and Bit Error Rate
Similarly to global bias, we define the global bit error rate to be \(p_e\) if the apriori expected number of differing bits between two evaluations X and \(X'\) of the same nbit PUF response is \(p_e \cdot n\), or put otherwise \(p_e\) is the apriori probability that \(X_i \ne X_i'\) for a random bit i of a PUF.
Comparison of debiasing solutions for the codeoffset key generator from [10]. The fixed point bit error rate is set to \(p_{e@50\%}= 15\,\%\). The key generator is failure rate \(< 10^{6}\).
4.2 Comparison of Debiasing Solutions
The different debiasing solutions proposed in Sect. 3 are evaluated and compared to each other in an objective manner. The evaluation is done for the key generator from [10], which uses a repetition codeGolay code concatenation. The results are shown in Table 2. Three different debiasing solutions are compared amongst each other and against the case when no debiasing is used (see also Table 1)^{17}. The row marked with a * is the best proposal from [10] and is used as reference case. To make the comparison objective, the effective bit error rate \(p_e\) for each simulation scales with the bias level according to \(f_{{\text {bias}}}(p;p_{e@50\%})\) as shown in Fig. 8(b) with \(p_{e@50\%}=15\,\%\) corresponding to the error rate assumed in [10] and other works. For realistic simulations, the channel model from Fig. 8(a) is used, so 0bits and 1bits have different error probabilities in case of bias.
The three debiasing methods have different properties. 2OVN and 2PTOVN have a nonzero enrollment failure rate; it is possible that insufficient bits are retained after debiasing for successful enrollment. Also, for both of these systems the errorcorrecting code used does not change depending on the amount of bias (only the size of the PUF changes for maintaining reliability), while for \(\epsilon \)2OVN the repetition length scales with the amount of bias and enrollment is always successful. The PUF size overhead in comparison to * also varies between the mehods. It is clear that the 2PTOVN is the most efficient method considering this parameter (only 1.70 times the amount of * is required to deal with the extreme case of 25 % bias), but this method does not allow reuse for enrolling multiple keys. If this property is required \(\epsilon \)2OVN provides a strong alternative, which requires more PUF data (2.57\(\times \) * at 25 % bias), but provides a combination of properties that was not known to date.
5 Conclusion
This work solves the open problem of secure key generation from biased PUFs using codeoffsetbased constructions. This is accomplished without compromising the secret key’s security and for arbitrary bias levels. Existing conventional methods will lead to leakage on the secret key when the PUF is too biased, whereas our proposed debiasing techniques prevent this leakage, while maintaining the high reliability and for some solutions even the reusability of the key generator. This comes at a cost of PUF size overhead, but using innovative approaches we were able to limit this overhead and design a key generator based on the requirements at hand.
Remaining open questions and interesting future research directions include: how to further optimize the efficiency of these debiasing solutions, and how to prevent key leakage for PUFs which suffer from reduced entropy for reasons other than bias, e.g. because of bit correlations.
Footnotes
 1.
In this work, unpredictability of random variables is expressed by Shannon entropy, as is done in many earlier work on this subject, e.g. [7]. Note that Shannon entropy serves as a lower bound for average guesswork [19]. For a stronger (less practical) provable security notion, the more pessimistic minentropy measure should be used.
 2.
Note that \(H(XW) = H(SW)\), see [16]. This shows the equivalence in security (in terms of entropy) for a key generated from S or X.
 3.
E.g., a variant thereof appeared before in an early version of [21].
 4.
This has led to some confusion and occasional misinterpretations, i.e. under or overestimations of the leakage. A discussion on this is e.g. found in [3].
 5.
Note that in particular for a too high bias this entropy bound even becomes negative, making it absolutely clear that this is a pessimistic lower bound.
 6.
 7.
Only \(p \le 0.5\) is shown; entropyvsbias graphs are symmetrical around \(p=0.5\).
 8.
Efficient in terms of PUF size, while following the design of Fig. 1 and using only a single enrollment measurement per derived key.
 9.
The key generator from [10] is based on an SRAM PUF, but in this work we make abstraction of the actual PUF used. Our analysis and solutions apply to all PUF types with i.i.d. response bits suffering from bias.
 10.
 11.
Since bits of X are assumed i.i.d., which particular bits from X are considered for the entropy calculation is of no importance.
 12.
\(X_{1:n_1}\mathbf {H_{rep}}^\mathbf {\top }\) and \(X_{1:n_2}\mathbf {H_2}^\mathbf {\top }\) are not necessarily independent.
 13.
Note that this does not directly imply that the key becomes predictable, just that it is potentially less unpredictable than it should be according to its length.
 14.
Note that we cannot increase beyond \(r=31\), without increasing the length of the repetition code, otherwise the failure rate gets too large.
 15.
Von Neumann extractors have a small effect on bit error rate, shown in Sect. 4.1.
 16.
This is just one possible exemplary representation of (W, D).
 17.
Failure rates differ slightly from the results in Table 1 which were extrapolated from [10]. For objective comparison, the results of Table 2 are based on a new simulations, with the Hackett Golay decoder from [10] implemented in Matlab. The single Golay decoding failure rate \(p_{{\text {Golayfail}}}\) is estimated as the \(95\,\%\)confidence upper bound from the simulations; the actual values for \(p_{{\text {Golayfail}}}\) are hence likely smaller. The total reconstruction failure rate is computed as \(1(1p_{{\text {Golayfail}}})^{r}\).
References
 1.Bösch, C., Guajardo, J., Sadeghi, A.R., Shokrollahi, J., Tuyls, P.: Efficient helper data key extractor on FPGAs. In: Oswald, E., Rohatgi, P. (eds.) CHES 2008. LNCS, vol. 5154, pp. 181–197. Springer, Heidelberg (2008) CrossRefGoogle Scholar
 2.Boyen, X.: Reusable cryptographic fuzzy extractors. In: ACM Conference on Computer and Communications Security–CCS 2004, pp. 82–91. ACM Press, New York (2004)Google Scholar
 3.Delvaux, J., Gu, D., Schellekens, D., Verbauwhede, I.: Helper data algorithms for PUFbased key generation: overview and analysis. IEEE Trans. Comput. Aided Des. Integr. Circuits Syst. 34(1), 14 (2014)Google Scholar
 4.Dodis, Y., Ostrovsky, R., Reyzin, L., Smith, A.: Fuzzy extractors: how to generate strong keys from biometrics and other noisy data. SIAM J. Comput. 38(1), 97–139 (2008)zbMATHMathSciNetCrossRefGoogle Scholar
 5.Guajardo, J., Kumar, S.S., Schrijen, G.J., Tuyls, P.: FPGA intrinsic PUFs and their use for IP protection. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007. LNCS, vol. 4727, pp. 63–80. Springer, Heidelberg (2007) CrossRefGoogle Scholar
 6.Ignatenko, T., Willems, F.: Information leakage in fuzzy commitment schemes. IEEE Trans. Inf. Forensics Secur. 5(2), 337–348 (2010)CrossRefGoogle Scholar
 7.Katzenbeisser, S., Kocabaş, U., Rožić, V., Sadeghi, A.R., Verbauwhede, I., Wachsmann, C.: PUFs: myth, fact or busted? a security evaluation of physically unclonable functions (PUFs) cast in Silicon. In: Prouff, E., Schaumont, P. (eds.) CHES 2012. LNCS, vol. 7428, pp. 283–301. Springer, Heidelberg (2012) CrossRefGoogle Scholar
 8.Koeberl, P., Li, J., Maes, R., Rajan, A., Vishik, C., Wójcik, M.: Evaluation of a PUF device authentication scheme on a discrete 0.13um SRAM. In: Chen, L., Yung, M., Zhu, L. (eds.) INTRUST 2011. LNCS, vol. 7222, pp. 271–288. Springer, Heidelberg (2012) CrossRefGoogle Scholar
 9.Koeberl, P., Li, J., Rajan, A., Wu, W.: Entropy loss in PUFbased key generation schemes: the repetition code pitfall. In: IEEE International Symposium on HardwareOriented Security and Trust (HOST), pp. 44–49 (2014)Google Scholar
 10.van der Leest, V., Preneel, B., van der Sluis, E.: Soft decision error correction for compact memorybased PUFs using a single enrollment. In: Prouff, E., Schaumont, P. (eds.) CHES 2012. LNCS, vol. 7428, pp. 268–282. Springer, Heidelberg (2012) CrossRefGoogle Scholar
 11.Lily, C.: NIST Special Publication 800–108: Recommendation for Key Derivation Using Pseudorandom Functions (revised) (2009)Google Scholar
 12.Lily, C.: NIST Special Publication 800–56C: Recommendation for Key Derivation through ExtractionthenExpansion (2011)Google Scholar
 13.Lim, D., Lee, J., Gassend, B., Suh, G., van Dijk, M., Devadas, S.: Extracting secret keys from integrated circuits. IEEE Trans. Very Large Scale Integr. VLSI Syst. 13(10), 1200–1205 (2005)zbMATHCrossRefGoogle Scholar
 14.Maes, R.: An accurate probabilistic reliability model for silicon PUFs. In: Bertoni, G., Coron, J.S. (eds.) CHES 2013. LNCS, vol. 8086, pp. 73–89. Springer, Heidelberg (2013) CrossRefGoogle Scholar
 15.Maes, R.: Physically Unclonable Functions  Constructions, Properties and Applications. Springer, Heidelberg (2013)zbMATHCrossRefGoogle Scholar
 16.Maes, R., van der Leest, V., van der Sluis, E., Willems, F.: Secure key generation from biased PUFs. In: Güneysu, T., Handschuh, H. (eds.) CHES 2015. LNCS, vol. 9293, pp. xx–yy, Cryptology ePrint Archive, Report 2015/831, this is the full version of this work (including all appendices). Springer, Heidelberg (2015). http://eprint.iacr.org/
 17.Maes, R., Tuyls, P., Verbauwhede, I.: Lowoverhead implementation of a soft decision helper data algorithm for SRAM PUFs. In: Clavier, C., Gaj, K. (eds.) CHES 2009. LNCS, vol. 5747, pp. 332–347. Springer, Heidelberg (2009) CrossRefGoogle Scholar
 18.Maes, R., van Herrewege, A., Verbauwhede, I.: PUFKY: a fully functional PUFbased cryptographic key generator. In: Prouff, E., Schaumont, P. (eds.) CHES 2012. LNCS, vol. 7428, pp. 302–319. Springer, Heidelberg (2012) CrossRefGoogle Scholar
 19.Massey, J.L.: Guessing and entropy. In: IEEE International Symposium on Information Theory (ISIT), p. 204 (1994)Google Scholar
 20.von Neumann, J.: Various techniques used in connection with random digits. In: Applied Math Series 12. National Bureau of Standards, USA (1951)Google Scholar
 21.Skoric, B., de Vreede, N.: The spammed code offset method. Cryptology ePrint Archive, Report 2013/527 (2013). http://eprint.iacr.org/
 22.Yu, M.D.M., M’Raihi, D., Sowell, R., Devadas, S.: Lightweight and secure PUF key storage using limits of machine learning. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 358–373. Springer, Heidelberg (2011) CrossRefGoogle Scholar