A Theoretical Framework for the Analysis of Physical Unclonable Function Interfaces and Its Relation to the Random Oracle Model

Analysis of advanced physical unclonable function (PUF) applications and protocols relies on assuming that a PUF behaves like a random oracle; that is, upon receiving a challenge, a uniform random response with replacement is selected, measurement noise is added, and the resulting response is returned. In order to justify such an assumption, we need to rely on digital interface computation that to some extent remains confidential—otherwise, information about PUF challenge–response pairs leak with which the adversary can train a prediction model for the PUF. We introduce a theoretical framework that allows the adversary to have a prediction model (with a typical accuracy of 75% for predicting response bits for state-of-the-art silicon PUF designs). We do not require any confidential digital computing or digital secrets, while we can still prove rigorous statements about the bit security of a system that interfaces with the PUF. In particular, we prove the bit security of a PUF-based random oracle construction; this merges the PUF framework with fuzzy extractors.


Introduction
A Physical Unclonable Function (PUF) is a device that takes a challenge as input and measures a corresponding response bit as output [Pappu et al., 2002, Gassend et al., 2002].Responses depend on manufacturing variations in the PUF that are practically unclonable with current existing technology.Nevertheless, a PUF's behavior may be modeled by training a prediction model based on a set of challenge response pairs (CRPs).For this reason, a PUF design can be broken if an attacker achieves a significant accuracy of a trained prediction model. 1ince physical unclonable functions have been introduced as a security primitive [Pappu et al., 2002, Gassend et al., 2002], a variety of applications have been proposed [Lim et al., 2005, Suh and Devadas, 2007, Lee et al., 2004], including many advanced cryptographic protocols, e.g.Key Agreement, Oblivious Transfer and Bit Commitment [Brzuska et al., 2011, Rührmair, 2010, Ostrovsky et al., 2013].The security analysis of these advanced applications and protocols 2 relies on assuming that a PUF behaves like a random oracle; upon receiving a challenge, a uniform random response with replacement is selected, measurement noise is added, and the resulting response is returned.This assumption turns out to be too strong because (1) in practical implementations the PUF returns biased response bits, and (2) classical ML and advanced ML attacks [Rührmair et al., 2010b, 2013, 2014, Ganji et al., 2016, Becker, 2015, Wisiol et al., 2020, Tobisch et al., 2021] demonstrate that a prediction model for response bits with accuracy typically up to 75% can be trained and this defeats the random oracle assumption.
To counter the response bit bias problem, literature introduces a PUF interface that implements a fuzzy extractor (FE) [Dodis et al., 2004, Kang et al., 2014, Delvaux et al., 2016, Fuller et al., 2020, Ueno et al., 2020].Upon sufficient min entropy in response vectors, random (unbiased) bit strings can be extracted using a FE.To counter accurate training of a prediction model by the attacker, we eliminate access to challenge response pairs by the attacker.In other words, we have a Trusted Computing Base (TCB) that implements the PUF together with a FE interface isolated from the attacker -it assumes that the interface computes in a confidential digital computing environment (confidential TCB).
The above solution is satisfactory if we use a weak PUF that only has a few CRPs for masking/obfuscating a secret key based on a single response vector (we want to re-measure responses whenever we want access to the de-obfuscated key -for this we already need a confidential TCB).The FE generates and publishes so-called helper information p which is needed to extract a random bit string from the measured response vector with which the secret is masked.This helper information does leak some information about the response vector -after all, we use FE because the response vector does not have full min entropy (i.e., it is not uniformly distributed over bit vectors).If we only publish one or a couple p, then it is realistic to assume that this does not help the adversary to gain sufficient information about challenge response pairs for training an accurate prediction model.
On the other hand, if for other applications a strong PUF is used with an 'exponentially large' challenge space, then many helper data p is published and in theory this can help the adversary in gathering statistical information about CRPs and train a prediction model (even though, in practice, we have no idea how to accomplish this).The strong PUF with FE interface still needs the confidential TCB in order to make it impossible for the adversary to observe processed CRPs directly (otherwise, just based on these observed CRPs, a prediction model can be trained).
We notice that the computational FE based on the LPN problem in [Herder et al., 2016, Jin et al., 2017] also publishes helper data, but here it can be proven that this data does not reveal underlying information about CRPs3 (in fact, the computational FE is used to implement a random oracle based on a weak PUF with just one response vector).But also here the LPN interface is in a confidential TCB (its digital computation is not allowed to be observed by the adversary).
This paper introduces a new framework for rigorously reasoning about the security of PUF interfaces.We get rid of the confidential TCB and allow the adversary access to a training set of challenge response pairs.Only the way how these pairs can be adaptively selected is restricted.We take a pre-challenge as input to a collision resistant hash function to generate a challenge for the PUF; this is the only way the PUF may get accessed by both legitimate users and adversaries, no confidential digital computing is required.We construct and analyze the bit security of a PUF based Random Oracle.
The main problem that we solve is how to connect security definitions for PUFs to (computational) hardness problems on which PUF interfaces (such as FE) are based.Our framework aims at strong PUFs with an 'exponentially large' challenge space.
• We define a PUF device in Section 3 followed by an extended PUF interface GETRESPONSE that first applies a collision resistant hash to a pre-challlenge.We introduce the concept of (canonical) system induced CRP distribution, where a system interfaces with the PUF and only uses CRPs of its 'liking,' i.e., have a 'nice distribution.' • We define reliability and bias with respect to system induced CRP distributions in Section 4. Conditioned on previously collected CRPs, the bias of a new CRP may change due to correlation.We characterize the amount of change by ϵ corbias and show how ϵ corbias gets amplified due to post-processing of CRPs (Lemma 6).
• In Section 5 we show an interface that improves reliability by using repeated measurements and we analyse ϵ corbias of the resulting system induced CRP distribution.Similarly, in Section 6 we show an interface based on the Von Neumann extractor for reducing bias [Von Neumann, 1951].We show how resulting response bits behave as unbiased uniformly drawn bits in Lemma 9 and as a consequence explain a condition in (5) which allows us to replace the Von Neumann system induced CRP distribution by a 'uniform' one in a future reduction proof.
• We define PUF security with correlated CRPs in Section 7 and define the adversarial A U -model which does not require a confidential TCB (i.e., we do not require any confidential digital computing or digital secrets), and only requires the adversary to access the PUF through GETRESPONSE.We prove the 'Ber transformation lemma' (Lemma 12) which states that a (prediction) error reducing oracle can be constructed leading to error bits that are statistically independent and Bernoulli distributed.The bit error rate is essentially equal to one minus the accuracy of the best prediction model the adversary can construct (based on limited resources; number of collected CRPs and run time).
• Section 8 defines system security where the system interface has access to the PUF.We define a separation game and argue this is at most an exponential factor more difficult than the original system security game.We provide a number of definitions of properties of the underlying hardness problem.These definitions lead to the 'PUF separation theorem' in the A U -model (Theorem 19) where PUF assumptions and mathematical hardness assumptions are separated, still leading to a bit security of the overall system.
• Section 9 constructs a PUF based random oracle (PRO).We characterize failure probabilities and analyse the security using Theorem 19.In order to prove some of the needed properties of the underlying hardness problem, we show how the Von Neuman system induced distribution can be replaced by a uniform one, how the Ber transformation lemma can be used to construct a problem instance without needing access to the PUF, and how the hardness of the resulting problem is related to residual min entropy (as in secure sketches but now related to Bernoulli noise).This results in the final 'PUF based random oracle theorem' in the A U -model (Theorem 22).
The final PRO primitive justifies how a PUF can be used to simulate a random oracle as explained at the start of the introduction, even in the presence of an adversary who is able to achieve a typical accuracy of a prediction model of 75%, and even if no confidential TCB (i.e., no confidential digital computing and no digital secrets) is assumed.The latter allows PRO to execute in the presence of an adversary who can observe all digital computation and digital secrets.PRO only requires PUF access control through GETRESPONSE.Our results can be easily plugged into the analysis of PUF-based protocols, like key exchange [Brzuska et al., 2011], oblivious transfer [Brzuska et al., 2011, Rührmair, 2010], bit commitment [Damgård and Scafuro, 2013], and multi-party computation [Badrinarayanan et al., 2017], where PUFs are all assumed to be random oracles.The presented work closes a major gap in current PUF literature.

Related Work
Existing PUF definitional frameworks.Since the introduction of PUFs, many attempts have been made to formally define PUFs.Most of the existing PUF definitional frameworks oversimplified the reality and omitted the fact that real PUFs produce errors in their responses due to environmental/measurement noises [Rührmair et al., 2009, Jin et al., 2020, 2022].Rührmair et al. first partitioned PUFs into weak PUFs and strong PUFs based on the sizes of their challenge spaces, and then they defined strong PUFs as a physical random function that produce perfectly reliable outcomes and cannot be physically or mathematically cloned within a certain amount of time given to the adversary [Rührmair et al., 2009].Jin et al. extended the framework to include stateful erasable PUFs and stateful programmable access-controlled PUFs, where the stateful PUFs can keep an internal state and alter CRPs based on its internal state and certain policies [Jin et al., 2020[Jin et al., , 2022]].However, in the above definitions, PUFs are always assumed to be noise-free with help from some error-correcting mechanisms.Our framework takes noises into account and precisely discusses how the noises/biases will affect the security of the PUFs.
Noisy PUF behaviours are modelled in [Armknecht et al., 2010, Brzuska et al., 2011, Armknecht et al., 2011].Brzuska et al. defined PUFs as a noisy random function whose error rate for any given challenge response pair is within a noise bound [Brzuska et al., 2011].However, the definition did not capture the bias presented in PUF responses.Armknecht et al. briefly discussed a PUF definition in [Armknecht et al., 2010] and further extended it in [Armknecht et al., 2011].The definitions in [Armknecht et al., 2010] and [Armknecht et al., 2011] captured both physical properties and algorithmic properties of PUFs, including the reliability of PUFs.However, the definitions also over simplified the reality and assumed no bias or correlations in PUF responses.
Fuzzy extractors.Fuzzy extractors are used to extract a reliable and uniformly distributed output from a noisy and biased output, e.g., biometrics [Dodis et al., 2004] and PUF responses [Delvaux et al., 2016, Kang et al., 2014, Ueno et al., 2020].All existing fuzzy extractor studies focus on improving their capability of error correcting and the min-entropy left in the final output of the fuzzy extractors, assuming the distribution/bias of the PUF responses are known to the adversary and that there is no or only spatial correlation between responses.These assumptions effectively constrained the fuzzy extractor theory to be applied to only weak PUFs rigorously.In our work, we consider a much stronger adversary who has a prediction model with a meaningful prediction accuracy, e.g., 75% accuracy of a one-bit PUF output.This is a realistic case for strong PUFs under modeling attacks; even some strong PUFs are claimed to be secure against certain attacks, the adversary can still build a prediction model of the PUF with a meaningful accuracy better than random guess using the concerned attacks [Nguyen et al., 2019, Rührmair et al., 2010b].Our work effectively closes the gap and provides a solid foundation for using fuzzy extractors on strong PUFs securely.
Existence of strong PUFs.In this work, we are mainly interested in conventional strong PUFs whose challenge space is exponentially large with respect to the physical size of the PUFs [Rührmair et al., 2009].However, if one wants to use a weak PUF in our interface, one needs to assume a confidential computing environment, where no leakage is allowed directly from the weak PUF to the adversary.This security assumption is not ideal when we want to minimize (or eliminate) the confidential computing environment for stronger security.
Given the recent development in the lightweight strong PUF area, the existence of strong PUFs may be deemed unclear.For example, XOR arbiter PUFs [Suh and Devadas, 2007] have been considered as a standard lightweight strong PUF design, until they were broken by reliability-based attacks [Becker, 2015].The introduction of interpose PUF (iPUF) showed new hope for realizing a practical lightweight strong PUFs that are secure agianst both classical modelling attacks and reliability-based attacks [Nguyen et al., 2019].However, the security of iPUFs has been proved to be weaker than the authors originally thought in novel attacks [Wisiol et al., 2020, Tobisch et al., 2021, Wisiol et al., 2022].Although the existence of a secure lightweight strong PUF design is still unclear, our framework is still needed as soon as (just like in designs for symmetric key encryption) a strong PUF design survives for a significant number of years.Indeed, strong PUF design is still an active research area and many new designs show great potential in defending against known attacks [Wisiol, 2021].

Physical Unclonable Functions
In this section we formally define a PUF and introduce an extended PUF functionality (which is a PUF with a small interface).In the next sections we define reliability, bias, and security.
Definition 1 (Physical Unclonable Functions [Jin et al., 2022]) A PUF P is a physical system that can be stimulated with so-called challenges c i from a challenge set C P = {0, 1} λ , upon which it reacts by producing corresponding responses r i from a response set R P ⊆ {0, 1} m .Each response r i shall depend on the applied challenge, but also on manufacturing variations in P that are practically unclonable with currently existing technology.The tuples (c i , r i ) are called the challenge response pairs (CRPs) of P. We often refer to λ as the security parameter of the PUF.■ This definition explicitly mentions that a hardware copy or clone of a PUF P cannot be manufactured due to uncontrollable manufacturing variations which provide the randomness from which responses are extracted.This leaves in question whether, rather than hardware cloning P, a software simulator, which sufficiently accurately predicts responses, can be constructed and learned.Here, we assume that the adversary has access to P and can use P as an oracle to query a list of challenge response pairs which are used to train a simulator in the form of a machine learning model which predicts responses given input challenges.
The querying of P can be adaptive and this can possibly be exploited by the adversary.For example, comparing responses of neighboring challenges that have small Hamming distance may reveal detailed information about small subsets of manufacturing variations in the PUF design.In order to eliminate this possibility in practice, we process challenges by applying a one-way function before giving it as input to the PUF circuitry where the manufacturing variations are used to extract response bits.This leads to the extended PUF discussed next.
Extended PUF.We consider an extended PUF design, called GETRESPONSE in Algorithm 1, which first applies a collision resistant hash function (which implies one-wayness, see Appendix A) to an input c pre which we call a pre-challenge.The output of the hash function serves as the input challenge c to a PUF P. The extended PUF functionality returns P's response.The input-output pair (c pre , r) of GETRESPONSE can be used to compute a CRP (c = Hash(c pre ), r).
The extended PUF design describes a small PUF interface that cannot be circumvented by the adversary; we assume the interface is immutable with respect to the adversary, hence, the adversary cannot freely choose the processed challenges that are input to P. It can observe all intermediate digital computation of the PUF interface and see (or compute itself) the processed challenges that lead to CRPs for training a machine learning model.
The adversary cannot exert 'fine-grained' control over the output of the hash function.Therefore, from a practical perspective, the adversary cannot adaptively choose challenges whose hashes are designed to be equal or even close in Hamming distance.This property is not formally implied by requiring the hash to be collision resistant, but it is used in related literature like Controlled PUFs [Gassend et al., 2008].We will formalize the security of GETRESPONSE as a whole in later sections -and argue that from a practical perspective the best known methods for predicting a silicon PUF's behavior is by using machine learning techniques based on CRPs that were generated without searching for pre-challenges that lead to hash evaluations that are close4 in Hamming distance, but just use randomly5 chosen pre-challenges that lead to random challenges (according to the uniform distribution over the challenge space).
Algorithm 1 Extended PUF interface 1: procedure GETRESPONSE(c pre ) 2: c = Hash(c pre ) 3: return r 5: end procedure CRP distributions from the legitimate user/system perspective.We will analyze the security of a system that calls PUF P through GETRESPONSE.We will assume that such a system will always call GETRESPONSE for either (1) a new true random pre-challenge c pre or (2) a previously selected pre-challenge c pre (this yields multiple measurements of the same response bit and, as we will explain, can be used to enhance reliability).To select new pre-challenges according to a uniform distribution turns out to be important in our security analysis (for proving a reduction step).For this reason we define the canonical distribution of GETRESPONSE that corresponds to a system calling GETRESPONSE for new true random pre-challenges: Definition 2 (System induced canonical CRP distribution) By Y * we define the distribution of CRPs generated by GETRESPONSE when called by a system S for new pre-challenges: We call Y * the system induced canonical CRP distribution and Y the system induced canonical challenge distribution.
If system S only calls GETRESPONSE for new pre-challenges c pre that are uniform random, then In practice, a system S does not want to generate a true random pre-challenge for every new GETRESPONSE call.Instead pre-challenges will be generated in batches using a formula of the kind c pre,u = Hash(seed∥u), where seed is a true random bit string and u is simply an n u -bit index representing some integer in {0, . . ., 2 nu − 1}.
Since different batches of pre-challenges use their own truly random seed, these batches are statistically independent.Within a batch, since Hash is collision resistant and therefore one-way, we may assume in practice that the different c pre,u are 'independent' and 'random.'The set of corresponding challenges generated by GETRESPONSE, {Hash(c pre,u )} 2 nu −1 u=0 , defines some 'distribution' Y.And for practical purposes we may assume that Y is close to a uniform distribution over {0, 1} λ (in the context of e.g. the statistical distance).We will simply assume that Y is the uniform distribution.Nevertheless, Definition 2 is sufficiently general to capture arbitrary Y (and we will see that the security analysis of our main theorems will not explicitly depend on Y and hold for a wide range of Y).A cryptographically secure PRG based scheme for generating pre-challenges is sketched in Appendix B.
Our framework in the remainder of the paper is formulated for general system induced canonical challenge distributions Y.We notice that a system S may use the system induced canonical distribution Y * over CRPs, to extract another distribution over CRPs.In the setting above, corresponding to each batch, system S may decide to only use a subset of challenges generated by GETRESPONSE, {Hash(c pre,u )} u∈U , for some U ⊆ {0, . . ., 2 nu − 1}.For example, by using repeated measurements, only 'reliable' CRPs corresponding to the challenges indexed by U are selected.This will correspond to another (non-canonical) system induced distribution over CRPs since r ← P(c) for reliable challenges c is less vulnerable to measurement noise, hence, most of the time the same response r is output by P(c).For this reason, next definitions will be for arbitrary CRP distributions Y * and we always say system induced distribution to indicate that in our context the definitions are from the system's perspective, i.e., from how the system uses GETRESPONSE (and not how the adversary uses GETRESPONSE to find an accurate prediction model for PUF P).See Appendix C for more detail.

Reliability and Bias
Reliability.The GETRESPONSE interface does not fully eliminate an adaptive attack.Even though we argued that the adversary cannot adaptively choose distinct challenges whose hashes are designed to fit a-priori defined properties, the adversary can still repeat the same challenge.Since PUF P is a physical device, it suffers from measurement noise (due to temperature and voltage variations, and aging).This means that repeating the same input challenge to P (the most basic form of an adaptive attack) can result in different response bits.This allows an adversary to measure the 'reliability' according to the next definition and construct challenge-reliability pairs rather than challenge-response pairs.Since the reliability of a response bit teaches more information compared to a single sample of a response bit, this can lead to more advanced and more efficient machine learning of a PUF simulator.So, reliability information helps the adversary.
Definition 3 (PUF Reliability) Due to measurement noise, the responses of the same challenge may not always be the same.We define the failure probability p c of PUF P with respect to a challenge c ∈ C P as where r, r ′ ∈ R P and the probability is over measurement noise.
From the legitimate user/system perspective we define the reliability of P with respect to c as 1 − p c .Let Y be a system induced challenge distribution.The overall reliability of P with respect to Y is defined as In Arbiter PUF [Gassend et al., 2002] like designs such as the iPUF [Nguyen et al., 2019] or XOR Arbiter PUF [Suh and Devadas, 2007], two stimuli race against each other following complementary paths indicated by a challenge c.Which stimulus arrives first determines the response bit r ∈ {0, 1}.The difference in arrival times of the stimuli is modeled as a difference in aggregated delays that characterize each of the two paths.Without measurement noise, this is a deterministic function.With measurement noise, the arrival times may vary and as a result the response bit flips.Let p c be the probability that the response bit flips due to measurement noise given a selected challenge c.Different challenges indicate different complementary paths over which stimuli race against each other.And for this reason the p c are generally different for different c.We assume that challenge c is selected uniformly from the challenge space, denoted by {0, 1} λ .This gives rise to a distribution of p c with respect to the uniform distribution of c over the challenge space {0, 1} λ .So, if r is a first measurement, r ′ a second measurement, and e = r + r ′ (XOR operation) represent the error between the two, then the probability r ̸ = r ′ is equal to where the probability is over uniformly selected c, which defines distribution Y (in this example).We denote this probability by δ and assume δ ≤ 1/2.In practice, we have δ ≤ 10% (in general, temperature variations, voltage variations, and aging keep δ below 10% [Herder et al., 2014]).
Bias.In practice, PUF produces biased responses, due to systematic design (architectural) biases [Wisiol andPirnay, 2020, SAHOO et al., 2016] or manufactured biases [Zhou et al., 2017].This leads to system induced distributions over CRPs that experience bias.The next definition formalizes this concept.
Definition 4 (PUF Bias) Let Y * be a system induced distribution over challenge response pairs C P × R P defined as a ppt algorithm with oracle access to PUF P. We may project Y * to a distribution Y over the challenge space C P by defining We define bias q Y * r of PUF P with respect to a response r ∈ R P as where the probability is over measurement noise and c ← Y.We may also introduce knowledge of side information in the form of other known CRPs that affects the bias (because it is correlated with Y and Y * ): The bias of P with respect to Y and side information side is defined as By q Y we denote the bias for empty side information side.■ From a legitimate user/system's perspective, we want a high overall reliability and a bias close to 1/|R P | such that responses (corresponding to c ← Y) used by the system have the most information content.Notice that if the bias is close to 1, then the PUF always generates the same response regardless the input challenge.Hence, the PUF becomes predictable.In order to use a PUF for the purpose of identification, authentication, key masking, etc., it needs to be unpredictable, that is, a bias sufficiently close to 1/|R P |.
Correlation.In order to model correlation among CRPs, we need a definition that takes a distribution over multiple challenges into account and considers correlation between their responses.As an example in Section 5, this allows us to reason about how the bias is effected if one uses only 'reliable' CRPs where reliable CRPs are extracted by a (simple) interface with access to GETRESPONSE.
Definition 5 (PUF Correlation) Let Υ P be a set of system induced distributions over challenge response pairs.Let λ be the security parameter of PUF P, that is, C P = {0, 1} λ .Suppose that there exists an ϵ corbias ≥ 0 such that for all d ≥ 1 with d = poly(λ), for all distributions Y * (j) ∈ Υ P , 0 ≤ j ≤ d − 1, over challenge response pairs , where {(c j , r j ) ← Y * (j) } d−1 j=0,̸ =h reflects knowledge of explicit CRP values drawn from the other distributions Y * (j) , j ̸ = h.Then we say that PUF P has correlation bias at most ϵ corbias over set of distributions Υ P .■ In this definition we talk about using the PUF from a legitimate user's perspective.Here, a system may want to query the PUF multiple (d) times and want to use the outputted response to e.g.extract some keys.It is important to know whether the outputted response bits are correlated or whether they can be assumed more or less statistically independent.The latter is often assumed even if e.g.only 'reliable challenge-response pairs' are used by the system (corresponding to a specific distribution Y * ).
The definition given above does not yet model security, that is, there is no adversarial algorithm trying to use 'intelligence' to predict responses.This will be discussed in Section 7. Here, we model the amount of correlation among CRPs due to the intrinsic properties of the PUF itself.For example, consider the case where two CRPs are independently chosen according to the canonical system induced Y * , that is, (c 0 , r 0 ) ← Y * and (c 1 , r 1 ) ← Y * .If c 0 and c 1 happen to be close in Hamming distance, then values r 0 and r 1 are correlated.If the Hamming distance between c 0 and c 1 is large, then r 0 and r 1 behave as statistically independent variables.For large λ, challenges c 0 ← Y and c 1 ← Y chosen uniformly from C P = {0, 1} λ generally have large Hamming distance.So, from a practical implementation perspective only with probability exponentially small in λ we observe correlation among r 0 and r 1 .We can extend this argument to d CRPs if d = poly(λ).Therefore, ϵ corbias decreases in parameter λ and is exponentially small in λ for Υ P = {Y * }.
Next sections will show that non-canonical system induced CRP distributions (used in this paper) have an ϵ corbias that scales 'linearly' with the exponentially small ϵ corbias for the canonical system induced CRP distribution.This allows us to conclude that ϵ corbias is exponentially small for the whole set Υ P of system induced CRP distributions (used in this paper).
The next lemma shows how Definition 5 can be used to analyse ϵ corbias for more general distributions.Its proof is in Appendix D.
Lemma 6 Suppose that PUF P has correlation bias at most ϵ corbias over set of system induced distributions Υ P and let λ be the security parameter of P. Consider products Ȳ * with {Y * (i,j) } ⊆ Υ P and d = poly(λ).Let X be a distribution statistically independent of all Ȳ * (i) .For each i, define a new distribution (ĉ i , ri ) ← Ŷ * (i) over the CRP space represented by some ppt algorithm that takes a drawing (c i , ri ) ← Ȳ * (i) and a drawing x ← X as input.Let side be a random variable statistically independent of x ← X such that for j ∈ {1, . . ., h} do 6: end for 8: if all r j are equal then end while 13: return (c pre , r) 14: end procedure In Algorithm 2 we present a simple interface that improves reliability.The interface changes a uniform selection from challenges to a selection among challenges that lead to 'reliable responses.'For h > 1, GETRELIABLECRP h reduces probability δ = E Y [p c ] as defined in Definition 3. The same measurement r j = GETRESPONSE(c pre ) is repeated h times and only if all measured responses are equal, the agreed upon response r is returned.The probability that all h measurements agree is equal to p h c + (1 − p c ) h where c = Hash(c pre ).This shows that the while loop will take (E Y [p h c + (1 − p c ) h ]) −1 iterations in expectation over the canonical system distribution c ← Y.For sufficiently small h, this is a small enough number and the GETRELIABLECRP h interface can be used in practice.
In order to avoid using a True Random Number Generator (TRNG) for selecting c pre ← R C P = {0, 1} λ , we will generate a sequence of pre-challenges c pre,a as defined in (1) (for u = a), where a is the iteration count of the while loop.In order to do this we need to know how to a-priori represent a, i.e., we select a fixed n a -bit representation of a for use in (1).This limits GETRELIABLECRP h to at most 2 na loop iterations.As argued above we may choose n a small and still have low failing probability (the probability that no reliable CRP is found after 2 na loop iterations).
Seed seed in (1) can be given as input to GETRELIABLECRP h and selected at random by the system calling GETRELIABLECRP h .Since the hash function is collision resistant and therefore one-way, an adversary who observes the outputted c pre cannot extract seed and a.However, knowledge about seed and a would in addition teach the adversary a − 1 unreliable CRPs corresponding to c pre,u , 0 ≤ u ≤ a − 1.If this needs to be avoided (in order to limit the adversary in applicable attack techniques), then the legitimate user/system should discard seed as soon as GETRELIABLECRP h (seed) has been called (otherwise seed can be leaked to an adversary and the adversary can extract a from seed and c pre = Hash(seed∥a) by using repeated hash evaluations).
The outputted r corresponds to a reliable challenge c, that is, a challenge which has demonstrated to give rise to repeated consistent measurements of the response.This means that such challenges lead to an increased reliability: If GETRESPONSE(c pre ) measures a response r ′ for c = Hash(c pre ) at a later time, then with probability p c we have r ̸ = r ′ (i.e., e = 1).However, for h > 1, the challenges are picked from the 'subset of reliable challenges,' that is, c is selected with probability , which defines a new distribution Y h , where Y 1 denotes the canonical system induced distribution.This implies: Lemma 7 Let Y * h be the system induced distribution that generates CRPs according to GETRELIABLECRP h .Then, the overall reliability with respect to Y h is equal to 1 − δ h with ■ δ h reduces the original δ 1 = δ since the smaller p c are counted more in the sum because of the larger (1 − p c ) h term.δ 1 = δ has a typical value of 10% [Herder et al., 2014] and we may assume that for relatively small h, GETRELIABLECRP h achieves a couple percentage points smaller δ h [Zhou et al., 2017].
Our argument shows how the legitimate user may want to use an interface that selects reliable CRPs.The adversary can still use the GETRESPONSE interface which covers the whole CRP space uniformly with respect to Y 1 .The task of the adversary is to use access to GETRESPONSE (possibly emulating GETRELIABLECRP h ) to learn a model with which s/he can predict the reliable response used by the legitimate user.
The new distribution Y * h yields a new bias q Y * h .From a mathematics perspective, we cannot conclude q 1 .However, in practice there is no reason to assume that reliable challenges according to Y * h will have a different bias.
Lemma 8 Let Y * h be the system induced distribution that generates CRPs according to GETRELIABLECRP h where the while loop iterates at most 2 na times (and a failure is returned if no reliable CRP is found after 2 na iterations).Suppose that PUF P has correlation bias at most ϵ corbias over distribution Y * 1 .Then, P has correlation bias at most The proof follows from Lemma 6 by noting that GETRELIABLECRP h uses at most 2 na iterations and within each iteration Y * 1 corresponding to GETRESPONSE is sampled h times.As discussed before, we expect ϵ corbias = negl(λ) where λ is the security parameter of PUF P.Then, for 2 na = poly(λ), we also have a correlation bias negl(λ) over distribution Y * h .

Reducing Bias
Algorithm 3 Creating CRPs with reduced bias 1: procedure NEUMANN-GETRELIABLECRP h 2: F ound =false 3: while F ound =false do 4: (c pre , r) ←GETRELIABLECRP h 5: end while 9: return (c pre , r) 10: end procedure In order to reduce bias significantly, we can use the Von Neumann trick which we also use in TRNG designs [Von Neumann, 1951].Algorithm 3 lists the pseudo code of a simple Von Neumann interface where we use GETRELIABLECRP h twice in each while loop iteration until the two responses r and r ′ are different.We only output the first generated pre-challenge response pair.The second application of GETRELIABLECRP h is used to simulate a probability distribution of a coin that tells the algorithm when to accept the first generated pre-challenge response pair.Given the first generated pre-challenge response pair (c pre , r), the algorithm accepts and outputs this pair only if the second generated pre-challenge response pair is of the form (c ′ pre , r ′ = r + 1).The probability that this happens is equal to where Y * h is the system induced distribution of challenge response pairs generated by GETRELIABLECRP h (here, c ′ = Hash(c ′ pre ) and c = Hash(c pre ) are selected according to distribution Y h , and (c, r) ← Y * h ).The probability that (c, r) is generated in the first pre-challenge response pair is equal to Pr((c, r) ← Y * h ).Together with (4) this can be used to characterize Y * neu,h , the probability that NEUMANN-GETRELIABLECRP h leads to CRP (c, r).In NEUMANN-GETRELIABLECRP h we will use an iteration count b for the while loop, an index i ∈ {0, 1} for c pre and c ′ pre in a loop iteration, and an iteration count a for the while loop in GETRELIABLECRP h .This allows us to use a seed seed as input and generate a sequence of pre-challenges Hash(seed∥a∥i∥b) as in (1).The proof of the lemma below is in Appendix E.
Lemma 9 (Bias Von Neumann Trick) Let (Y * neu,h ) ×d denote the system induced distribution that generates challenge response vectors c = (c 0 , . . ., c d−1 ) and r = (r 0 , . . ., r d−1 ) according to NEUMANN-GETRELIABLECRP h where the while loop is at most called 2 n b times.Suppose that PUF P has correlation bias at most ϵ corbias over a canonical system induced distribution Y * 1 .Then, Finally, since NEUMANN-GETRELIABLECRP h outputs reliable CRPs, Lemma 7 shows that the overall reliability with respect to An interesting notion is the so-called Hellinger distance between distribution q (Y * neu,h ) ×d r over response vectors in {0, 1} d and the uniform distribution over {0, 1} d , see [Yasunaga, 2021].Application of Lemma 9 shows that this is bounded by if the latter is ≤ 1.In Section 9 we will want to have this Hellinger distance at most 2 −(κ+5.946)/2, where κ represents the number of secure bits extracted from the PUF, and apply the theory of [Yasunaga, 2021]; we will use this to show that we can replace distribution q by the uniform distribution in our setting.This translates to the condition As a final remark, we notice that the adversary can still use the biased responses from GETRESPONSE to train a machine learning model for predicting responses.The Von Neumann trick only helps the legitimate user/system to get close to uniformly generated response bits.

PUF Security
The following definition, inspired by [Jin et al., 2022], defines the hardness of being able to software clone a PUF, i.e., the hardness of training an adversarial algorithm with oracle access to the PUF such that it can reliably predict responses for new randomly chosen challenges.Here, we only consider adversaries who can learn/observe digital information.
Definition 10 (PUF Security with Correlated CRPs (inspired by [Jin et al., 2022])) We define a security game SecGamePUFCor(P, Υ P , A, k, t) for PUF P, where Υ P is a set of system induced distributions Y * over challenge response pairs in C P × R P (each Y * is represented as a ppt algorithm with oracle access to P), A is a ppt poly(t) algorithm7 , and k represents the number of queries to P by A: 1.For j = 1, . . ., k, A adaptively selects a challenge ĉj ∈ C P and receives8 rj ← P(ĉ j ).Note that, A is not able to get more responses beyond r1 , ..., rk , due to the hardware unclonability of PUF P.
, that is, A knows the ppt algorithm which simulates Y * (j) with oracle access to P.Even though A has no access to P in this step, A can make use of the knowledge that c j ← Y (j) (where Y (j) is the projection of Y * (j) on the challenge space).
A 'wins' the game if r ′ h = r h .Notice that the XOR value r ′ j + r j is equal to the prediction error of the guess r ′ j outputted by A. We want to model how the probability of winning is conditioned on prediction errors, in other words, how are prediction errors for j ̸ = h correlated with not making a prediction error for h (i.e., r ′ h = r h ).P is called a (k, t, ϵ corpred )-secure PUF for correlations with respect to A and set of distributions Υ P if A has an ϵ corpred advantage in predicting (any) r h : Let λ be the security parameter of PUF P. For all d = poly(λ), advantage where ϵ corpred represents the security9 , and q Y * (h) is the bias with respect to Y * (h) of P. The probabilities are taken over (c j , r j ) ← Y * (j) , over measurement noise, and over all random procedures that A employs in the security game.A's advantage defines the software unclonability of PUF P when P's responses for challenges from distribution Y (j) need to be predicted.■ Notice that the security game captures the scenario where the adversary has access to the PUF and uses this time to gather CRPs with which a machine learning model is trained.At a later moment access to the PUF is lost and the adversary uses its machine learning model to predict responses in order to impersonate the PUF or learn sensitive information whose confidentiality depends on private PUF responses.The predictive advantage ϵ corpred mainly depends on the amount of training data represented by k.The amount of computing time for training the 'best' model is a less important resource.For this reason we do not specify an explicit bound on the running time T of adversary A in our definition, other than it being poly(t) large enough for covering all practical adversaries.
Soundness.The special case d = 1 defines advantage This advantage does not take into account the additional advantage about correlations among different responses corresponding to randomly chosen challenges.
Our definition of ϵ corpred is sound in that we can always realize ϵ corpred = 0 by defining the following simple adversary: The adversary always outputs the response r that maximizes q (0) in ( 6).This achieves10 ϵ corpred = 0.
Adversary A U .For both the legitimate user as well as the adversary, we consider the hash based interface GETRE-SPONSE as the sole means for accessing PUF P: In order to access PUF P, the adversary cannot circumvent GETRESPONSE; in addition GETRESPONSE is immutable with respect to the adversary.
This assumption can be realized by means of 'hardware isolation' where PUF P is only accessible through the hardware interface defined by GETRESPONSE.For example, in a secure processor architecture like Intel SGX [Costan and Devadas, 2016] this access control can be implemented by micro code which represents GETRESPONSE and only allow access to the PUF by this micro code.
Given that adversary A can only access P through the GETRESPONSE interface in step 1, we essentially restrict A's adaptive strategy by forcing access to P through the collision resistant hash Hash.We will denote this type of adversary by A U .Notice that because of the hash function, it is not clear how the adversary can search for good challenges that help best in training an accurate prediction model.Current state of the art analysis seems to indicate that the adversary may simply consider the hash function as an obstacle limiting selection of challenges c j ∈ C P according to a uniform distribution (just like the canonical system induced distribution) with the possibility to repeat challenges.
Definition 11 An adversarial model for a PUF P defines how adversarial ppt algorithms A can have access to P. By A x -model for P we denote a specific adversarial model where superscript x is a commonly understood abbreviation/name of the access restrictions to P imposed on adversaries A that are within the A x -model.
Adversarial ppt algorithms A within the A U -model for P cannot circumvent GETRESPONSE in order to access P (this includes the implicit assumption that GETRESPONSE is immutable with respect to the adversary).
We write A x ⊆ A U to mean that the A x -model is weaker than the A U -model, i.e., when compared to the A U -model, the A x -model imposes more restrictions on how adversaries can access P. ■ In practice A U is powerful enough to train a machine learning model for P with a typical accurate prediction probability at most 75% (as in the iPUF paper [Nguyen et al., 2019]) for practical values of k (the amount of training data) and any practical run time T .This means that ϵ corpred is at most 25% in the worst case.Notice that this is quite different from the intrinsic PUF correlation modeled by ϵ corbias .Given such a large ϵ corpred in practice, we need to be careful when designing a secure system that relies on a PUF.
We refer to Appendix H for an extensive discussion on weaker adversarial models A x ⊆ A U .
Ber Transformation Lemma.We are ready to define a special oracle O with knowledge of all prediction errors e j = r ′ j + r j , 0 ≤ j ≤ d − 1, and who uses this knowledge to correct errors e j = 1 as follows (see Appendix F for the proof): Lemma 12 (Ber transformation lemma) Let P be a (k, t, ϵ corpred )-secure PUF for correlations with respect to A and set of system induced distributions Υ P .Let us consider SecGamePUFCor(P, Υ P , A, k, t) where A outputs predictions {r ′ j } d−1 j=0 of responses {r j } d−1 j=0 corresponding to distributions Y * (j) ∈ Υ P .Then there exists an oracle O which takes predictions {r ′ j } d−1 j=0 as input and outputs partially corrected predictions {r" j } d−1 j=0 such that • if r ′ j is without error, then also r" j is without error, that is, r" j = r j and • each r" j = r j + êj where êj cannot be distinguished from a Bernoulli distribution Ber(1 − (q Y * (j) + ϵ corpred )) with all êj statistically independent.

■
The Ber transformation lemma is the main tool for proving our main theorem on the hardness of solving problem instances related to system security guarantees for a system with oracle access to P.

Interface Security
Imagine a system S with oracle access to a PUF P. Suppose that proving a security guarantee of S entails proving the hardness of solving an instance of some class of problems.Explicitly, we want to prove that any problem instance generated by some problem distribution Q is hard.The difficulty of showing this hardness comes from the fact that system S has oracle access to P, hence, also Q uses P to generate the parameters of a problem instance that corresponds to the security guarantee of S. We denote this by Q P .
Definition 13 (System Security) Let Q P be a ppt algorithm with oracle access to a PUF P that generates 'problem instances.'Let VER(q, s) be an algorithm that takes a problem q ← Q P and a solution s as input and outputs whether s is a correct solution to q.
We define SecGameSys(Q, P, Υ P , A, k, T ), where Υ P is a set of system induced distributions Y * over challenge response pairs in C P × R P (each Y * is represented as a ppt algorithm with oracle access to P), A is a ppt algorithm, k represents the number of queries to P by A, and T indicates the cumulative number of computational steps needed by A to play the security game: 1.For j = 1, . . ., k, A adaptively selects a challenge ĉj ∈ C P and receives rj ← P(ĉ j ).(This is step 1 of security game SecGamePUF.) 2. A problem instance g ← Q P is generated.Let {r 0 , . . ., r d−1 } be the responses on which g depends.Let {c 0 , . . ., c d−1 } be the set of distinct challenges queried to P by Q that correspond to {r 0 , . . ., r d−1 }.Let Y * (j) ∈ Υ P be the distributions implemented by Q for generating CRPs (c j , r j ) ← Y * (j) .
indicates the ppt algorithm that uses oracle access to P which Q uses to draw challenges c j and collect a corresponding response.A also receives problem instance g (which parameters depend on the CRPs collected by Q) and computes a solution s.
A 'wins' the game if VER(g, s) returns true.
Q P is called (k, T, ϵ win )-system secure with respect to A and set of probability distributions Υ P if the probability of winning is at most Pr(true ← VER(g, s)) ≤ ϵ win .

■
Even though the adversary may have ϵ corpred up to 25% in SecGamePUFCor, we want ϵ win to be exponentially small in some security parameter that defines Q.
Seperating the PUF.On one hand we want Q to generate instances of a hard problem if P cannot be simulated by an adversary in probabilistic polynomial time.On the other hand this requires us to show that such simulation cannot be accurate enough even given the generated problem instance by Q P .But this may reveal through the generated problem instance information about the responses generated by P that were used by Q, and as a result prediction of these responses can be more accurate.
We have cyclic reasoning: In a sense we want to assume that the problem instance itself is hard so that it cannot be used in the prediction of the used responses in the formulation of the problem instance.And if this is true, then the adversary can discard the problem instance when predicting the used responses, which leads to a ϵ corpred .This can in turn be used to prove that the problem instance of Q is indeed hard to begin with.To break this cyclic reasoning we need a separability assumption as defined below where we reformulate the steps of SecGameSys in an equivalent new way and a slightly modified 'separated' way as follows: Definition 14 (Separation Game) We reformulate SecGameSys(Q, P, Υ P , A, k, T ) by splitting A in two algorithms A 0 and A 1 where A 0 is in charge of step 1 and step 3 is split into • A 0 is given set D and problem g and outputs a prediction {r ′ j } of the responses {r j } measured in step 2 by Q.
• A 1 is given set D, problem g, and {r ′ j } and computes a solution s of g.
Let A x -model be some adversarial model for P. Clearly, A 1 can play the role of the original A all by itself, hence, the probability of winning is still (equivalently) at most ϵ win if Q P is (k, T, ϵ win )-system secure with respect to all A = (A 0 , A 1 ) in the A x -model and set of probability distributions Υ P .
The separated game SecGameSysSep(Q, P, Υ P , A, k, T ) for a pair A = (A 0 , A 1 ) is defined as the game above where • A 0 does not have access to problem g, and • A 1 does not have access to set D.
Let ϵ winsep be an upper bound on the probability of winning SecGameSysSep over all A = (A 0 , A 1 ) within the A x -model.
If there exists a constant c sep such that then we call Q P c sep -separable within the A x -model.■ Our ultimate goal is to separate PUF P out of the equation, that is, we want to reduce Q P to Q B where B is some predefined probability distribution over CRPs.This allows us to consider the hardness of Q B which is a pure mathematical problem which does not involve a concrete physical device.
Let λ be a security parameter related to the class of problems Q B .We will see that in order to prove αλ-bit security of Hence, c sep can be as large as exponential in λ.Notice that c sep measures the multiplication factor increase in winning the system security game compared to winning the 'separated' system security game.As we have no idea how to design an adversarial strategy that combines all information (CRP pairs and problem instance g) in a more intelligent way than what is proposed in the separation game, it is unlikely that an attacker will be able to realize a multiplicative factor gain that is exponential in λ.Setting c sep = 2 λ/2 in the worst-case seems large enough.
Hardness of Q.In order to separate the problem of predicting P from solving problems g ← Q P , we introduce the next definition.It defines under what circumstances solving g, given predictions of responses from P that were sampled by Q P to formulate g, is equivalent to solving a similar problem as a function of only the prediction errors.
This is a reasonable assumption since in practice the system that measures responses of the PUF will for example use these to mask a key or store it as secret information for later use in an authentication or identification protocol.When demasking the key or when the identity of a PUF is verified, the PUF is measured a second time.The difference between the first and the second measurements should have a small number of measurement errors allowing demasking and identity verification.The adversary cannot measure the PUF a second time but tries to predict/estimate the used responses.Its success in demasking and extracting the key or impersonating the identity of the PUF depends on the number of prediction errors.This is exactly what we formalize in the next definitions.
Definition 15 (Error based reduction) In step 4 of SecGameSep adversary A 1 solves problem instance g ← Q P given guesses {r ′ j } d−1 j=0 of the responses {r j } d−1 j=0 queried by Q to P in order to generate g.In this sense g can be thought of as a function of {r j } d−1 j=0 , denoted by g({r j } d−1 j=0 ), and A 1 can be thought of as solving an extended problem instance Let R be the distribution that generates the vector pair ({r ).We define Q R as the distribution that generates problems g ext .
Suppose that there exists another formulation of a problem instance g ′ such that solving g ext can be reduced to solving where g ′ has no other dependency on {r ′ j } d−1 j=0 or {r j } d−1 j=0 except through the 'errors' {e j = r ′ j + r j } d−1 j=0 .That is, • there exists a ppt algorithm s ← TRAN(s ′ , {r ′ j } d−1 j=0 ) and an algorithm VERE(g ′ , s ′ ) which returns true if and only if VER(g, TRAN(s ′ , {r ′ j } d−1 j=0 )) returns true.
If the above property holds, then we call g ′ an error based reduction of g.Let E be the distribution that generates the error vector {e j = r ′ j + r j } d−1 j=0 .We define Q E as the distribution that generates problems g ′ (by replaying SecGameSep as explained above).We call Q E with (TRANS, VERE) the error based reduction of Q R with VER in SecGameSep.If such Q E exists, then we say that Q R has an error based reduction.

■
Reasoning about the hardness of Q = Q E for a known representation of an error vector distribution E is a pure mathematical problem that does not depend on a concrete physical PUF device P -we have not yet accomplished this as the error vector distribution is implicitly defined by the exact functioning of P. The next definition formalizes the hardness of Definition 16 (Mathematical hardness assumption for Q) Define HardnessQError( Q, VERH, A, T ) as a game where A is a ppt algorithm that takes a problem instance ĝ ← Q as input and runs at most T computational steps after which it outputs a guess ŝ.Adversary A wins the game if VERH(ĝ, ŝ) returns true, that is, ŝ is a solution of problem ĝ.We call Q (T, ϵ hard )-hard if the probability of winning HardnessQError is at most ϵ hard .
We may consider ϵ hard to be a function of T .If for all T , In HardnessQError A plays the role of A 1 in SecGameSep without access to set D. In other words, A only knows that parameters have been generated using distributions R and E respectively.A does not know to which challenges these correspond to and as a consequence does not know a distribution R or E conditioned on the used challenges, which could have given A more information for finding a solution ŝ.In SecGameSep we model the increased probability of winning, if such knowledge were available, by the multiplicative factor c sep .
We next define how the bit securities of In the remainder of the paper, rather than referring to R, we say Q E is an error based equivalent of Q P up to factor e equiv and if such Q E exists, then we say that Q P has an error based equivalent up to factor e equiv .■ The next definition defines what it means when problems Q E become easier to solve if some of the errors produced by E are magically corrected.
Definition 18 (Q in the presence of an error reducing oracle) Let E be a distribution that generates error vector {e j } d−1 j=0 .Let O be an oracle that takes as input an error vector {e j } d−1 j=0 and corrects some of the errors e j = 1 by computing a new error vector {ê j } d−1 j=0 with êj = 0 if e j = 0 is already without error, and êj ∈ {0, 1} if e j = 1 (depending on O's strategy this may correct the error to êj = 0).We call such oracle O an error reducing oracle.
all error reducing oracles O, then we say that Q E becomes simpler in the presence of an error reducing oracle.■ This assumption seems to be a natural one since fewer prediction errors for the adversary should make it easier for the adversary to, for example, demask a key or impersonate a PUF.The above framework for reasoning about the hardness of Q P will allow us to prove precise security guarantees.Our framework allows the following main separation theorem (its proof is in Appendix G), which we apply in the next section (where we prove the validity of some of the conditions in the theorem): Theorem 19 (PUF separation theorem) • Let A x -model be some adversarial model with A x ⊆ A U .
• Suppose that P is a (k, t, ϵ corpred )-secure PUF for correlations with respect to all A that are within the A x -model and with respect to a set of system induced CRP distributions Υ P .Let q Υ = sup Y * ∈Υ q Y * and define τ = 1 − (q Υ + ϵ corpred ).
• Define B to be the distribution that generates statistically independent errors êj ← Ber(τ ).Assume that Q B is λ-bit secure.
• Assume that Q P has an error based equivalent Q E up to factor e equiv = O(log 2 λ).And assume that Q E becomes simpler in the presence of an error reducing oracle.
• Assume that Q P is c sep -separable within the A x -model with c sep = 2 αλ for some α ∈ [0, 1).
Then, for T = poly(t), Q P is (k, T, ϵ win )-system secure with respect to all A within the A x -model and set of system induced distributions Υ P with ϵ win ≤ c sep • T 2 e equiv 2 −λ , which is negl(λ).■

PUF based Random Oracle
Algorithms 4 and 5 code the interface of an RO primitive based on a PUF P. To get an input output pair, GETRE-SPONSE is called multiple times through GETRELIABLECRP h which is in turn called multiple times in NEUMANN-GETRELIABLECRP h .This leads to a pre-challenge vector c prevec of λn bits (we will discuss how to compress this in a next remark).
We follow the code-offset sketch construction [Dodis et al., 2004] based on a suitable code, see Definition 20 below, to compute helper data p and we hash the corresponding response vector r vec down to κ bits, where κ is the residual min entropy of code C with respect to an appropriate Bernoulli distribution (discussed later).See Appendix I for a discussion on how suitable codes relate to secure sketches.
Definition 20 (Suitable Codes) Let C be a set of M binary code words of length n, i.e., C ⊆ {0, 1} n and |C| = M .Let Dec be a decoding algorithm for C.
We define the decoding failure probability of C with respect to measurement noise M as ρ = Pr(w ̸ = Dec(w + e), w ← R C, e ← M).
We define the residual min entropy of C with respect to B as where e and p are jointly distributed according to e ← B, p = w + e with w ← R C.
We define the min entropy loss of C due to coset imbalance with respect to B and subset size T as θ = log 2 (1 + θ ′ ) for Pr(e ∈ T ) Pr(e ∈ C + l) − Pr(e ∈ T ) , where e ← B; θ is a function of subset size T .■ To get an output from an input, we first call GETRESPONSE multiple times to get an estimate rvec of r vec .We use the code-offset sketch construction to first decode p + rvec to a code word w which is then used to recover rvec .The result is hashed down to ŝ.The failure probability P r(ŝ ̸ = s) = P r(r vec ̸ = r vec ) = P r( ŵ ̸ = w) is equal to the decoding failure probability ρ of C with respect to a distribution M representing measurement noise: Since only reliable CRPs from GETRELIABLECRP h are used, we may assume that M behaves like Ber(δ h ) and ρ(δ h ) is a function of δ h .
The RO interface represented by GETIO-RO h and GETOUTPUT-RO should have a small (decoding) failure probability ρ for typical PUF measurement noise and should produce a secret s that has κ bits, where κ is at least the security parameter (bit security) of the system using secret s (as a result of interfacing with RO).
In Algorithms 4 and 5 we us a hash Hash κ which extracts a random κ-bit string s from an n-bit response vector.For simplicity we assume Hash κ in the random oracle model, but note that this can be replaced by a strong randomness extractor based on a universal family of hash functions [Micciancio and Walter, 2018], see our security analysis below.
Pre-challenge vector compression.As for GETRELIABLECRP h and NEUMANN-GETRELIABLECRP h we generate a sequence of pre-challenges based on an input seed.This will avoid the use of a TRNG; notice that we can also use seed as input to a hash function for selecting a random code word w ← R C. In addition we compress the λn-bit representation of c prevec down to (n a + n b ) • n bits.
Failure detection.We notice that GETIO-RO may also output another hash Hash ′ (s) of s.GETOUTPUT-RO can use this hash of s to verify against the same hash of ŝ.This allows it to detect whether there is a failure to produce ŝ = s.If detected, then GETOUTPUT-RO outputs a fail.
• Correctness.We call (F io−ro , F out−ro ) a pair of failure probabilities for PRO if • the probability GETIO(seed) fails over a random uniformly chosen seed is at most F io−ro , • the probability that GETOUTPUT(aux) fails over (aux, •) ← GETIO(seed) is at most F out−ro , and • if (aux, s) ← GETIO(seed) and ŝ ← GETOUTPUT(aux) (both do not fail), then ŝ = s.
• Security.Let Q P output problem instances aux by calling (aux, s) ← GETIO-RO h ; the associated problem for an adversary A is to guess the correct solution s (when GETIO-RO h does not fail) by playing SecGameSys(Q, P, Υ P , A, k, T ), where Υ P is the set of system induced CRP distributions used by PRO.Suppose that the probability that the adversary wins is at most ϵ win (k, T ) as a function of k (number of PUF queries by A) and T (run time of A).We say that PRO has κ-bit security for k PUF queries with respect to A with run time poly(t) if, for T = poly(t), ϵ win ≤ T 2 −κ .

■
Theorem 22 (PUF based Random Oracle theorem) GETRESPONSE with GETIO-RO and GETOUTPUT-RO of Algorithms 4 and 5 with pre-challenge vector compression and a hash Hash ′ for failure detection define a PUF-based random oracle PRO: • With respect to correctness, PRO has a pair of failure probabilities (F io−ro,h , F out−ro,h ) defined by • With respect to security, • Suppose that P has challenge space C P = {0, 1} λ with correlation bias at most .
over canonical system induced CRP distributions Y * 1 , where n is the length of the code words in C and λ = Ω(κ).
• Let A x be an adversarial model with A x ⊆ A U .
• Suppose that P is a (k, t, ϵ corpred )-secure PUF for correlations with respect to A that are within the A x -model and with respect to system induced CRP distribution Y * neu,h .Define and let B be the distribution that generates statistically independent errors êj ← Ber(τ ).
• Assume that Q P is c sep -separable within the A x -model for c sep = 2 κ−5.946 .
• Suppose that C is a binary linear code and has a min entropy loss of at most θ due to coset imbalance with respect to B and subset size 2 κ (for θ to be a small constant, this requires the dimension of C to be Ω(κ)).
Suppose that the residual min entropy of C with respect to B is at least 2κ + θ.
Then, for T = poly(t) we have Q P is (k, T, ϵ win )-system secure with respect to all A within the A x -model for system induced distribution Y * neu,h for ϵ win ≤ T 2 −κ .
We may replace hash Hash κ in the random oracle model by a strong randomness extractor; this requires c sep = 2 κ−10.892 and residual min entropy at least 3κ + θ + 10.892 (an additional min entropy loss due to the leftover hash lemma).■ Concrete parameter setting.Appendix J discusses Theorem 22 and shows a concrete parameter setting.

Conclusion
In literature we have seen how a FE interface on top of a weak PUF uses CRPs for obfuscating a single key; this requires confidential computing.Computational FE based on the LPN problem still requires confidential computing but can extract many random bit strings out of a weak PUF.We may also apply FE to a strong PUF in order to generate many random bit strings; even though this also requires and uses confidential computing, the generated helper data can in theory be used to learn information about CRPs for training a prediction model -no rigorous security analysis capturing this attack possibility exists.Our framework allows rigorous security proofs for PUF interfaces.In particular, the PRO design leads to a random oracle with small failure probability for which the bit security is precisely characterized.PRO does not rely on any confidential digital computing or digital secrets and the adversary is allowed to train and use a PUF prediction model with accuracy typically up to 75%.This closes a major gap in PUF literature.Our framework, lemmas and theorems can be used to analyse the security of other PUF interfaces as well.

A Cryptographic Hash Function
Definition 23 (Cryptographic Hash Functions) A cryptographic hash function y = Hash(x) with a security parameter λ is a cryptographic primitive that takes as input a message x ∈ {0, 1} lx and generates (in poly(l x ) time) a digest y ∈ {0, 1} ly , where l x ≥ l y .A family of cryptographic hash functions with parameters l x and l y is a set of cryptographic hash functions {Hash s (x)} s∈{0,1} lx , where s plays the role of 'seed.'The family of cryptographic hash functions is secure if l x = O(λ) and satisfies the following three properties: 1. Preimage Resistance.Given y = Hash s (x) : x ← R {0, 1} lx , s ← R {0, 1} lx , the probability Adv HashPre that there exists a ppt adversary A(1 lx , s) who can output x ′ ∈ {0, 1} lx : y = Hash s (x ′ ) is negligible in λ.A pre-image resistant hash function is also called a one-way function.

■
Definition 24 (Hash Function in the Random Oracle Model) We define a random oracle with respect to the uniform distribution over {0, 1} ly as a function RO(x) that takes as input a message x ∈ {0, 1} lx and outputs a message y that is uniformly selected from {0, 1} ly with replacement (meaning that if an input x is queried twice then RO returns the same output value y for both queries) -let R(l x , l y ) be the set of all such random oracle functions.
We may define a hash function in the random oracle model as follows: This defines the standard random oracle model and this definition of the hash function satisfies Adv HashCol ≤ T 2 /2 lx where T = poly(l x ) is the number of queries by adversary A(1 lx ) to Hash RO(•) (x) = RO(x) [Canetti et al., 2004].
If we consider a family of hash functions with parameters l x = O(λ) and l y in the random oracle model, then we have the property that for all ppt distinguishers D the following distinguishing advantage is negligible in l x : ) .

■ B Using a PRG for Generating Pre-Challenges
From a cryptographic perspective we want to provide a solid provable pre-challenge generation scheme that leads to uniform Y.A cryptographically secure solution is to use a Pseudo Random Generator (PRG) based on e.g. the subset iterate construction using a hash from a hash function family that has collision resistant hashes [Boldyreva and Kumar, 2012].Based on a seed, PRG(seed) can be efficiently computed and the resulting bit sequence can be split into a sequence of 2 nu pre-challenges.The resulting distribution of challenges is computationally indistinguishable from a uniform distribution over {0, 1} λ with respect to some security parameter and related advantage.By choosing appropriate parameters, the resulting distribution over challenges is ϵ-close in statistical distance to the uniform distribution for some ϵ exponentially small in the security parameter.By using the method in [Yasunaga, 2021] we can replace the resulting distribution over challenges by the uniform distribution in our security analysis of the system's security guarantee. 11We do not detail this construction and in the paper we simply assume that the Hash-based solution yields a system induced canonical challenge distribution Y close enough to the uniform distribution.

C System Induced CRP Distributions
Since we assume that system S can only access the PUF through GETRESPONSE, this means that S can only query PUF P by challenges drawn from a canonical system induced distribution Y 1 with replacement.That is, S can repeatedly ask the PUF for responses for the same challenge c.And whenever the PUF is queried for a new challenge, then this challenge must be chosen according to Y 1 .This induces certain types of distributions over the challenge space: If S asks for a response of the same challenge c exactly h times and observes for some i ≤ h/2 that h − i have the same response bit r and the other i response bits are the complement r + 1 (xor), then it is as if the challenge c with response r is drawn from a distribution over the challenge space C P = {0, 1} λ which causes either i or h − i measurement errors (each with probability p c ).In other words, c ← Y h,i with .
System S cannot a-priori decide to choose c ← Y h,i , but after its repeated measurements it will turn out that c ← Y h,i for some h and i that match observations.We may define the response of c to be the majority vote of the observed responses (or if there is no majority, 0 or 1 is selected as response with probability 1/2).Denote this majority vote by r.
Then this process defines (c, r) ← Y * h,i .System S draws Y * h,i from the set according to some probabilistic process.Our security game SecGameSys gives the adversary the exact knowledge of which Y * (j) ∈ Υ P was selected.

D Correlation among CRPs
Definition 5 about correlation among CRPs is sound in that we can prove natural properties given by the next lemmas.
First, rather than conditioning on knowledge of explicit CRP values {(c j , r j )} d−1 j=0,̸ =h , we may have partial knowledge about the CRP values in the form of a random variable side which is correlated to {(c j , r j )} d−1 j=0,̸ =h but independent from (c h , r h ) given {(c j , r j )} d−1 j=0,̸ =h , and we expect to still have the same ϵ corbias .Second, we may define response vectors of multiple bits by calling GETRESPONSE multiple times; we also want to know the bias of such response vectors which we expect to be the product of the biases of each of the response bits separately corrected with ϵ corbias .Third, we may define a new distribution which post-processes random drawings from distributions in Υ P and want to characterize ϵ corbias .
Lemma 25 Suppose that PUF P has correlation bias at most ϵ corbias over set of system induced distributions Υ P and let λ be the security parameter of P. Let (c j , r j ) ← Y * (j) ∈ Υ P be random variables12 and let side be a random variable such that is a Markov chain with d = poly(λ).Then, in Definition 5 we have for all r, q . We have Notice that the lemma follows from q Y (h) r (side) = Pr(r|side) and q The next lemma generalizes Lemma 25 to system induced distributions over vectors of CRPs: Lemma 26 Suppose that PUF P has correlation bias at most ϵ corbias over set of system induced distributions Υ P and let λ be the security parameter of P. Consider the product Ȳ * with {Y * (i,j) } ⊆ Υ P and d = poly(λ) which outputs a vector of challenges ci = (c i,0 , . . ., c i,d−1 ) and a vector of responses ri = (r i,0 , . . ., r i,d−1 ).Let side be a random variable such that

■
Proof of Lemma 26.The proof of the lemma follows by generalizing the following argument: For d = 2 we have ri = (r 0 , r 1 ) and by Lemma 25 we have r1 (1 ± ϵ corbias ).
Generalizing this argument to d > 2 yields The lemma follows from Lemma 6 generalizes the previous lemma to system induced distributions over post-processed vectors of CRPs: Proof of Lemma 6.We may characterize Pr(r ← Ŷ * (h) ) as a distribution where G is a polynomial time algorithm that represents distribution Ŷ * (h) .In a way G defines a set of tuples (r h,0 , . . ., r h,d−1 , x) that lead to outputting r (G is not probabilistic, it uses randomness x in a deterministic way).Let G(x, r) be the set of response bit vectors (r h,0 , . . ., r h,d−1 ) for which G together with input x outputs r.Let p x = Pr(x ← X ).Then, by using the statistical independence of x and by using the notation of the previous Lemma 26, This derivation holds for side and also for the special case where side is empty.By using Lemma 26, this shows that r .

E Bias Von Neumann Trick
Suppose that PUF P has correlation bias at most over distribution Y * h , see Lemma 8.Then, according to Definition 5, probability (4) is equal to q Y h r+1 • (1 ± ϵ corbias,h ).The probability that r is generated in the first pre-challenge response pair is equal to We conclude that the probability of an iteration producing the final output r is equal to This is the same for r = 0 and r = 1.The probability that an iteration is not yet producing the final output is therefore equal to ).This teaches that it takes the while loop at most (1 − 2q Y h 0 q Y h 1 (1 + ϵ corbias,h )) −1 iterations in expectation to finish.
From (7) we infer This shows how the Von Neumann trick reduces the bias q Y h down to only ϵ corbias,h /(1 − ϵ corbias,h ) above 1/2.This trick helps the legitimate user/system to generate close to unbiased bits.
Let Y * neu,h indicate the distribution of a single CRP outputted by NEUMANN-GETRELIABLECRP h .Our derivation above proves Now assume that NEUMANN-GETRELIABLECRP h has at most 2 n b loop iterations where in each iteration GETRELIABLECRP h is called twice.Applying Lemma 6 (see also the resemblance to Lemma 8) teaches us that the correlation bias over distribution Y * neu,h is at most Let c = (c 0 , . . ., c d−1 ) and r = (r 0 , . . ., r d−1 ) be vectors of challenges and responses generated by NEUMANN-GETRELIABLECRP h .Let (Y * neu,h ) ×d denote the distribution that generates such challenge response vectors.By the triangle inequality, Our previous analysis proves Combining derivations proves Lemma 9.

F The Ber Transformation Lemma
By using the same proof technique that shows Lemma 25, we can prove the next lemma.
Lemma 27 Let P be (k, t, ϵ corpred )-secure for correlations.Then for any random variable side such that This lemma shows that the advantage holds for all side information side that correlates with {e j } d−1 j=1,̸ =h but is statistically independent of e h given {e j } d−1 j=1,̸ =h , where e j = r j + r ′ j for j ̸ = h are the prediction/guess errors (addition here is XOR): The adversary can select its own challenges and request corresponding measurements of responses in step 1 of the game in order to train a prediction model.A-priori the adversary cannot indicate a predicate (in the form of side information) of its own choice that should be satisfied by the measured responses in step 2 and corresponding prediction errors in step 3. So, one cannot merge in step 1 the conditional knowledge of such a predicate (side).
The security game states that guess r ′ h for challenge c h cannot be improved by adversary A beyond advantage ϵ corpred even if a combination of challenges (excluding c h ) is known that corresponds to a joint statistical distribution of responses that satisfies a certain specified relation (or predicate), coded by side, with respect to guesses/predictions of these responses by A.
We are ready to define a special oracle O with knowledge of all errors e j = r ′ j + r j , 0 ≤ j ≤ d − 1, and who uses this knowledge to correct errors e j = 1 as follows: Suppose e j for 0 ≤ j ≤ h − 1 have already been corrected to e j + cor j using the next randomized process implemented by O.The oracle considers (side h is empty for h = 0) and computes The corrected error vector {e j + cor j } d−1 j=0 has the property that only errors e h = 1 are corrected (with probability b h ) and no new errors that did not exist before are introduced.
Notice that this correction procedure has the property (e h , side h ) → cor h .In particular, (e h−1 , side h−1 ) → cor h−1 for h ≥ 1.Hence, for h ≥ 1 we have the Markov chain and, by using induction in h, we have . This shows that Lemma 27 applies and we conclude α h ≤ τ h , hence, where

Combining all equations yields
and, for the partially corrected errors êj = e j + cor j , This shows that {ê j } d−1 j=0 cannot be distinguished from a distribution where êj ← Ber(1 − τ j ) and the êj are statistically independent from one another.This proves the Ber transformation Lemma 12.

G PUF Separation Theorem
We now prove Theorem 19: Proof.Suppose that Q P is (k, T, ϵ win )-system secure with respect to all A within the A x -model and set of distributions Υ P .We first apply Definition 14 which states that where ϵ winsep is an upper bound on the probability of winning SecGameSysSep(Q, P, Υ P , A, k, T ) over all A = (A 0 , A 1 ) within the A x -model.
In separation game SecGameSysSep adversary A 0 disregards the knowledge of the problem instance g ← Q P .This means that A 0 plays the steps of SecGamePUFCor(P, Υ P , A 0 , k, T ), see Definition 10.The goal of A 0 is to provide estimates {r ′ j } which are most useful for A 1 .In separation game SecGameSysSep adversary A 1 disregards knowledge D and solves problem instance g as a function of {r j } with knowledge of estimates {r ′ j }.This is equivalent to solving the extended problem g ext from Q R , see Definition 15.The theorem states that Q P has an error based equivalent Q E up to factor e equiv , where, see Definition 15, E is the distribution that generates error vector {e j = r ′ j + r j }.According to Definition 17, if See Definition 18, since Q E is assumed to become simpler in the presence of an error reducing oracle, A 0 will help A 1 in achieving the largest upper bound on the winning probability in ( 9) by minimizing the number of prediction errors.We conclude that A 0 plays SecGamePUFCor where A 0 's goal is to maximize Adv PUFCor
The theorem states that P is a (k, t, ϵ corpred )-secure PUF for correlations with respect to A 0 (which is within the A x -model) and with respect to a set of CRP distributions Υ P .(Notice that T = poly(t) and indeed ϵ corpred applies to A 0 which runs at most T accumulative computation steps.)Now we apply the Ber transformation lemma (Lemma 12): There exists an error reducing oracle O, see Definition 18, with the additional property that O • E outputs an error vector {ê j } where each entry êj cannot be distinguished from a Bernoulli distribution Ber(1 − (q Y * (j) + ϵ corpred )) with all êj statistically independent.This in turn implies the existence of an error reducing oracle O which reduces errors even more such that E • O outputs an error vector {ê j } where each entry êj cannot be distinguished from a Bernoulli distribution Ber(τ ) (where τ is defined in the theorem statement) and all êj statistically independent.We have The theorem assumes that Q B is λ-bit secure, see Definition 16.Since Q E is assumed to become simpler in the presence of an error reducing oracle, if . This means that we can substitute λ ′ = λ in (9).Together with ( 8), e equiv = O(log λ), and c sep = 2 αλ for some α < 1, the theorem follows.
Interpretation.The list of assumptions made by the separation theorem starts by assuming an adversarial model that is at least restricted by A U meaning that the PUF must be accessed through the GETRESPONSE functionality.There may be further restrictions for the adversary.We further assume that P is a secure PUF for correlations; see our earlier discussion, an adversary who uses ML for constructing a response prediction model for the interpose PUF generally will see prediction errors with probability τ ≤ 25%.This covers the best known methods for creating a prediction model.The theorem shows how such a large τ can still lead to a secure scheme.
For the scheme we assume an underlying hardness problem Q that uses responses as input.In practice, the legitimate user re-measures responses and is able to perform some 'decoding' operation which mathematically means that the re-measured responses can be xorred with the responses in the instance of the hardness problem.This will naturally transform the problem into an equivalent one that only depends on the measurement errors.The adversary can do the same for its predicted responses and his problem will become equivalent to one that only depends on prediction errors (predicted responses can be discarded if the actual responses are nearly uniform, e.g., due to application of the Von Neumann trick).Section 9 demonstrates our main example.Generally, the smaller the expected number of errors, the more efficient algorithms for finding solutions become.From this perspective, it is natural to assume that the equivalent problem becomes simpler in the presence of an error reducing oracle.
The assumption that states that Q P is separable simply stems from the observation that known attacks and their analysis in literature always perform or assume this two step attack approach where first PUF responses are predicted (separate from the actual problem instance), after which the problem instance is solved using the predicted responses.By only requiring a large c sep = 2 αλ this assumption is likely satisfied.All of the above reduces the analysis of the system's security to a mathematical problem: By proving that Q B is hard, we can use the theorem to show that Q P is system secure.Here, we generally assume T = poly(λ).
Security protocols that use PUFs.SecGameSys models a general system S whose security guarantee reduces to the hardness of some problem statement Q P .Here, S does not need to be limited to the non-interactive setting.S can be an interactive protocol between colluding or non-colluding participants that each own or transmit PUFs from one party to another.When using multiple PUFs, we need to generalize oracle access to multiple PUFs in SecGameSys.When modeling multiple participants in a protocol, S replays protocol executions.Typically, different hardness problems Q P model the different honest-but-curious or malicious parties.And oracle access to an underlying PUF P by such a hardness problem may be further constrained by the protocol implemented by S. This would imply that in our game(s) adversary A U is further restricted by assuming a larger Trusted Computing Base (TCB) for the PUF interface; the TCB implements some extended immutable interface (with or without including confidential processing) which restricts the adversary in its access to CRPs (ĉ i , ri ) (in step 1 of SecGameSys).

H Adversarial PUF Models
We have already provided a detailed discussion on the A U -model (representing adversaries who cannot circumvent GETRESPONSE for accessing PUF P).In this section we discuss other more restricted adversarial models, explain the role of k, and compare our definition with that of [Jin et al., 2022].
Adversary A N .This adversary has no access to the PUF at all and cannot learn any CRPs in step 1 of SecGamePUFCor or SecGameSys; we have k = 0.In particular, this means that its best strategy is predicting response bits according to the bias of the PUF, that is, ϵ corpred = 0.
For example, in the LPN-PUF [Herder et al., 2016, Jin et al., 2017], a PUF with only one CRP 14 is used and the corresponding response is assumed to remain private with respect to an adversary.The whole LPN-PUF interface is assumed to be in a TCB while powered on.In powered off mode, the LPN-PUF interface circuitry can be observed and this allows the adversary to learn fused-in keys.The LPN-PUF solves this problem by not depending on fused-in keys.
A second example is a simple masked memory which essentially obfuscates one single key key by using hardware circuitry that has (1) a pre-challenge fused in with which a vector r of response bits corresponding to a sequence of different challenges can be queried from a PUF, and (2) has fused in the vector key + r from which key can be extracted given 15 r.In this setting the TCB disallows the adversary to observe r when the key masking interface is powered on.When powered off, the adversary can read the fused in challenge and key + r.This is the same model as for the LPN-PUF (with the difference that the LPN-PUF can generate many input output pairs).
Adversary A N R .If we disallow repeated measurements in step 1 of SecGamePUFCor or SecGameSys, then we have adversary A N R ⊆ A U .Here, we assume that whenever the adversary is present, it cannot freely query PUF P, it can only query or observe queries of CRPs that are new to the adversary; they have distinct challenges, hence, challenges and CRPs are not repeated in the adversary's observation.
The imposed restriction on the adversary may be due to a system implementation which has a secure initialization phase where we assume no presence of an adversary at all, and a normal mode of operation which never repeats queries to the PUF and which resulting CRPs can be observed by the adversary.Here, we make the adversary weaker, rather than being able to call GETRESPONSE, only the digital computations (including CRPs) of past normal mode operation can be observed by the adversary.This restriction can be enforced by hardware isolation mechanisms for access control 16  where for example only the system 'enclave' is allowed access to GETRESPONSE.Such a system may execute a series of 'sessions' and the considered adversary may observe all but one session.The security guarantee is about the unobserved session for which we want to prove that the adversary cannot impersonate the session or extract sensitive information from the session.All the other observed sessions give the adversary a number of CRPs with non-repeating challenges (in step 1 of SecGamePUFCor or SecGameSys).We find ourselves in the A N R model.To guarantee this model, normal operation of the system may include a mechanism for checking whether 14 The used PUF is a ring oscillator PUF which can be used to measure the same response again and again. 15Circuitry for correcting measurement noise may also be included. 16Not for implementing confidential computing.challenges have not yet been queried in normal operation before.This can be done by using a Merkle tree very much like the logical erasable PUF interface of [Jin et al., 2022].
The weaker A N R can only learn challenge response pairs but cannot learn challenge reliability pairs for which a response for a challenge needs to be repeatedly measured.This means that the adversary can only use classical machine learning to train a prediction model for the PUF.This reduces ϵ corpred .In fact silicon PUF designs, such as the XOR Arbiter PUF, that may have ϵ corpred closer to 40-50% (i.e., the adversary has very accurate predictions) for advanced (reliability based) machine learning, can have a much lower ϵ corpred around 25% for classical machine learning.We conclude that the XOR Arbiter PUF can possibly be used in the A N R model, while we may consider it broken in the A U model.
If we are allowed to use the XOR Aribiter PUF, then we prefer this design over the iPUF since it has smaller area size and is more reliable, but more important we prefer the XOR Arbiter PUF for the following reason: A U corresponds to an adversary who can use CRPs for repeated challenges.This means that advanced ML attacks based on challengereliability pairs can be utilized.In this context, the current state-of-the-art strong silicon PUF design is the Interpose PUF (iPUF) [Nguyen et al., 2019].The iPUF is a combination of two XOR Arbiter PUFs that are connected through a kind of forwarding mechanism (where the response bit of the 'top' XOR Arbiter PUF is inserted in the middle of the challenge for the 'lower' XOR Arbiter PUF).The iPUF has seen recent ML based attacks [Tobisch et al., 2021, Wisiol et al., 2020, 2022] and calls the existence of a strong PUF into question.Even though the published attacks still seem to leave concrete parameter settings for which the iPUF attacks have not yet been demonstrated, it remains an open problem for how long such settings remain secure (and parameter settings cannot be chosen too 'large' as this hurts the reliability of the iPUF).It may very well be, that the iPUF design itself will need to be adapted by replacing Arbiter PUFs with Feed Forward Arbiter PUFs together with an extended new ML based security analysis.For this reason, rather than assuming the security of the iPUF will not be broken, i.e., Adv PUFCor A R ≤ ϵ corpred ≈ 25% for the iPUF in Definition 10, for all practical parameter settings, we assume the A N R setting where we can rely on the XOR Arbiter PUF.The security under classical machine learning attacks of the XOR Arbiter PUF has been well studied.
Notice that in a XOR Arbiter PUF design with λ = 64 challenge bits per Arbiter PUF and say x = 10 Arbiter PUFs in total, we can use a pre-challenge as input to a hash function or PRG that outputs the concatenation of x different challenges for each of the x Arbiter PUFs.This means that the Hamming distance argument for ϵ corbias in Section 3 is over xλ = 640 bits and we expect ϵ corbias to be exponentially small in xλ even though we only use challenges of size λ for the individual Arbiter PUFs.We notice that the XOR Arbiter PUF and iPUF are defined by copying the same challenge to the different component Arbiter PUFs.We strongly suggest to use a hash function or PRG as described in Section 3 and Appendix B in order to compute different challenges for each of the Arbiter PUFs as this will allow us to argue a 'negligibly' small ϵ corbias for practical parameter settings17 .
As a final remark, suppose that only GETRESPONSE is in the TCB together with a Merkle tree interface used for checking that challenges have not yet been queried in normal operation before.The secure initialization phase GETRELIABLECRP h produces reliable CRPs that will be consumed in normal operation in the presence of an adversary, who, if h > 1 and if GETRELIABLECRP h is implemented using a seed which is published by the system (we describe such an example in Section 9, see ( 12)), can extract information about repeated response measurements (the adversary can reconstruct challenges that were found not to produce reliable responses as well as observe the used reliable challenge; this allows a form of advanced ML that uses reliability information).Therefore, in the A N R model the initialization phase can only use GETRELIABLECRP h if h = 1.Adversary A R−x .In the A U -model adversaries can repeat measurements of CRPs as they wish.A R−x defines a slight restriction where the number of repeated measurements is controlled/restricted to x.This can be implemented by using a Merkle tree very much like the programmable access controlled PUF interface of [Jin et al., 2022].
For example, we may consider a system with initialization phase and normal operation as discussed above where we now allow the adversary to also be sometimes present to and observe the digital computations done in the initialization phase (we still want to prove a security guarantee for normal system operation based on CRPs generated during the initialization phase when no adversary was present).If the initialization phase is such that CRPs are only measured at most once during initialization, then in total the adversary may obtain two measurements for each challenge: One coming from the initialization phase and the other coming from normal operation.In this example we have x = 2.This provides only limited reliability information to the adversary and it is an open problem whether ϵ corpred remains around 25% (or slightly higher) for the XOR Arbiter PUF.
If we use GETRELIABLECRP h in initialization mode and if we do not assume its computations are confidential, then x = h + 1 reflecting h measurements in GETRELIABLECRP h during the initialization phase and one repeated measurement using GETRESPONSE during normal operation.(If in normal mode a measurement is repeated as in GETRELIABLECRP h ′ in order to use the majority vote which is more reliable, then x = h + h ′ .)Role of k.Our definitions explicitly include parameter k in the first steps of our security games.It indicates the maximum number of responses an adversary is allowed to measure.Upper bound k is of crucial importance as this indicates the amount of CRPs an adversary can use to build a prediction model.
For example, when using ML to train a prediction model for a silicon PUF, then the amount of training data indicates the accuracy of the resulting prediction model.That is, the more training data (the larger k), the higher the prediction advantage Adv PUFCor A and the higher ϵ corpred as a result.Parameter k indicates how often the adversary can have access to the PUF.See [Nguyen et al., 2019, Wisiol et al., 2022, Tobisch and Becker, 2015, Rührmair et al., 2010b] for studies on the trade-off between the amount of training data and prediction accuracy.
The most effective implemented attack18 on the iPUF turns out to be a classical ML attack [Wisiol et al., 2022] (by combining the multilayer perceptron attack [Mursi et al., 2019] with the splitting attack [Wisiol et al., 2020]).This is in line with the original iPUF security analysis where it was shown that state-of-the-art reliability based attacks at that moment cannot be applied, and therefore the security of the iPUF is reduced to the best known classical ML attack on the XOR Arbiter PUF.In [Wisiol et al., 2022] it is shown the 9,10,11-XOR Arbiter PUFs can be learned with 98% accuracy by using 45M, 119M, and 325M CRPs respectively.This leads to breaking the (11,11)-iPUF using 2 • 325 = 750M CRPs.Extrapolating shows that to accurately learn a (20,20)-iPUF one needs roughly 1 week CRP data collection at 1MHz CRP frequency for a total of about 605B CRPs.If the legitimate user plans to query the iPUF at most twice (for e.g.initialization and normal operation) for 150B CRPs (the maximum number expected to be used in a 10-year time frame), then additional access control can be added in order to limit the querying of the iPUF to 300B CRPs (after which it locks).This means that the attacker can only collect a smaller portion of the needed 605B CRPs for 98% accuracy, hence, the prediction accuracy will be significantly lower.This fits our framework.
However, due to the many component Arbiter PUFs, the (20,20)-iPUF will suffer overall reliability.Formula (26) in [Nguyen et al., 2019] shows that the measurement noise rate (20,20)-iPUF is equal to )/2 with β the noise rate of a single Arbiter PUF.If we want to achieve a 10% noise rate for the (20,20)-iPUF, then we need to be able to implement very reliable Arbiter PUFs with measurement noise rate β = 0.75%.This is an engineering problem that needs to be solved unless a new follow-up PUF design avoids the XOR operation (which amplifies measurement noise) and as a result is much more reliable by design.
As another example, when using a so-called weak PUF with at most (typically) one CRP, we assume the adversary cannot access the PUF at all and we are in the A N -model.For a weak PUF that has a 'polynomial' number of CRPs which can possibly be read out one-by-one, we may explicitly mention the number k of CRPs an adversary is able to query.In practice this may be established by introducing a throttling time added to each PUF measurement in normal operation; assuming an adversary can at most have access to the PUF for a small amount of time implies a small enough k.Another option is to implement a logical erasable PUF like interface that keeps track in a Merkle tree of how many times a challenge has been queried.
Since, for weak PUFs, we are in the A N -model or have restricted access by the adversary to a small k (lots smaller than the number of CRPs of the weak PUF), a crypto protocol or primitive that relies on the weak PUF must make use of the fact that the adversary can gather such little knowledge about CRPs that no accurate prediction model can be constructed at all 19 .That is, we assume ϵ corpred is much closer to a couple percent points (rather than 25% for Arbiter PUF based designs where machine learning can be used to train on a large number of CRPs).
The security definition of [Jin et al., 2022] merges steps 1 and 2 of SecGamePUFCor in multiple rounds.In our definition this is equivalent to having d rounds, where each round i implements part of step 1 for an adaptive selection of k i challenges and at the end generates (c i , r i ) ← Y * (i) of step 2 and gives a (c i , Y * (i) ) to the adversary.Each step 1 of a round is restricted in that the adversary may not query P(c i ) for any i.At the end in step 3 the adversary picks one of the c h and predicts the corresponding response.In our A U model we may combine all the rounds together into a single step 1 and single step 2 as is done in our definition: Due to the statistically independent selection of new challenges by A U in step 1 of each round, A U cannot use the received information (challenges c i ) in step 2 of each round for improving an adaptive strategy for querying the PUF in step 1 for subsequent rounds.Since the adversary is in this way limited in its adaptive strategy, the steps of each round may as well be reordered by bundling all steps 1 into one step 1 as in SecGamePUFCor and bundling all steps 2 into one step 2. This gives the exact formulation of SecGamePUF.That is, the definition in [Jin et al., 2022] does explicitly talk about information gained from physical side channels, which we do not explicitly cover.A rigorous modeling of how challenge response pairs (c j , r j ) are distributed according to some Y * (j) due to how a system interfaces with the PUF lacks in [Jin et al., 2022].Also correlation among CRPs is not explicitly considered.The definition in [Jin et al., 2022] corresponds to using empty side information side in Lemma 27.

I Secure Sketches and Suitable Codes
By adding an appropriate interface between a PUF and the system using the PUF, PUFs can be used by the system to extract random secret bit strings.The interface is designed to correct measurement errors and at the same time amplify the privacy of the corrected responses with respect to adversaries.The main tool for accomplishing this goal is called a secure sketch [Dodis et al., 2004]: Definition 28 A sketch is a pair (SSGen, SSRep) of efficient ppt algorithms.For x ← X , p ← SSGen(x) computes helper data p ∈ P. We assume x ∈ {0, 1} n .Let x be a noisy measurement of x, i.e., x = x + e for some error vector e ← M. On input x and p, x ← SSRep(x, p) computes an error corrected version of x.We have the following properties: • Correctness: If the Hamming weight of error vector e is wt(e) ≤ t, then x = x is correctly reconstructed.If the Hamming weight of e is wt(e) > t, no guarantee can be made, hence, the failure probability is at most P r(wt(e) > t) where e ← M and M is a probability distribution representing measurement noise.
• Security: The sketch is L-secure if the min-entropy loss Here, H ∞ (x) = − log 2 max x P r(x ← X ), and where x and p are jointly distributed according to x ← X and p ← SSGen(x).H∞ (x | p) is called the residual min entropy.

■
A secure sketch can be used to construct a fuzzy extractor which outputs a string that is nearly uniform and can therefore be used as a secret key.The main idea is to use a so-called (strong) randomness extractor to output a nearly uniform string on input x from the secure sketch.Universal hash functions lead to good randomness extractors but add a significant min entropy loss (due to the left-over hash lemma).By using a cryptographic hash function in the random oracle, which we do in this paper (for simplicity), the added min entropy loss is zero.The hash function reduces the reconstructed x down to the number of bits given by ( 10).
The code-offset secure sketch [Dodis et al., 2004] uses a binary code C with decoding algorithm Dec (e.g., a BCH code, or the more recent Polar code achieve small decoding failure probability in practice [Arikan and Telatar, 2009]).It defines • p ← SSGen(x) as p = x + w for a uniformly random code word w ∈ C, and • x ← SSRep(x, p) as x = p + Dec(x + p).Here, x + p = x + x + w = e + w and decoding e + w returns w if wt(e) is small enough.If w is returned, then x = p + w = x.
The failure probability of the sketch is equal to the decoding failure probability of the decoding algorithm for code C under noise e ← M.
The code-offset secure sketch construction can be combined with a PUF if we require a code C with the properties listed in Definition 20.These properties will allow us to prove a stronger security guarantee than what is offered by a secure sketch.A secure sketch only assumes that the adversary knows the helper data p while in our case the adversary can also predict responses that were used by the sketch in the first place.
To remind the reader, 1.We define the decoding failure probability of C with respect to measurement noise M as ρ = Pr(w ̸ = Dec(w + e), w ← R C, e ← M).
2. We define the residual min entropy of C with respect to B as where e and p are jointly distributed according to e ← B, p = w + e with w ← R C.
3. We define the min entropy loss of C due to coset imbalance with respect to B and subset size T as θ = log 2 (1 + θ ′ ) for , where e ← B; θ is a function of subset size T .
For the PUF based Random Oracle construction, we assume that the decoding failure probability ρ of C with respect to measurement noise M can be sufficiently accurately simulated (for practical purposes) by modeling M as a Ber(δ h ) Bernoulli distribution with δ h defined in (3) that generates error vectors e ← Ber(δ h ) where each error entry has probability δ h to be equal to 1.This makes the decoding failure probability ρ a function of δ h .
Also, (in our security analysis) B will be defined as a Ber(τ ) Bernoulli distribution that generates error vectors e ← B where each error entry has probability τ > δ to be equal to 1. Hence, the residual min entropy κ is a function of τ .Below we prove a lower bound on the residual min entropy for a binary linear code and distribution Ber(τ ).Notice that the cardinality |L| = 2 n−k and for r/n ≤ 1/2, By choosing h(r/n) = 1 − (k − log 2 √ 2n)/n, we have that L covers at most as many vectors as the Hamming sphere around the all-zero vector of radius r.In truth L represents a Voronoi region and may not be spherical in shape; nevertheless, for upper bounding Pr(e ∈ L) this is a reasonable approximation (in order to get an idea of how to set parameters).By morphing the actual Voronoi region L into a sphere, we exchange less likely error probabilities by more likely error probabilities.For r/n < τ < 1/2, this implies where the right hand side upper bounds follows from Hoeffding's inequality 20 .We have 20 Hoeffding [Hoeffding, 1994] proved a stronger upper bound: The binomial sum is upper bounded by where h(.) is the binary entropy function.
In order to have a small enough decoding failure probability, we cannot exceed the capacity of the Bernoulli distribution with bit error rate δ, i.e., k ≤ This yields the following lemma.
Lemma 29 Let C be a binary linear [n, k] code.Suppose that dimension k = (1 − h(δ ′ ))n + log 2 √ 2n, where h(.) is the binary entropy function.Let B be the Bernoulli distribution with bit error rate 1/2 > τ ≥ δ ′ .Then, the residual min entropy of C with respect to e ← B has lower bound

■
Coarse upper bound on the min entropy loss due to coset imbalance.By the triangle inequality, we have wt(c + l) ≤ wt(c) + wt(l).This allows us to derive and, since l is the coset leader in C + l with T ⊆ C + l, wt(l) .
We define the weight enumerator of code C as the polynomial

This proves
Pr(e ∈ T ) .
From this we conclude .
Let us assume that C looks like a Binomial distribution.That is, for small x, the weight enumerator of code C is approximately a scaled version of the polynomial corresponding to the whole space C = {0, 1} n , Assume therefore that there exists a constant γ such that This assumption gives .
Lemma 30 Let C be a binary linear [n, k] code.Suppose that dimension k = (1 − h(δ ′ ))n + log 2 √ 2n, where h(.) is the binary entropy function.Let B be the Bernoulli distribution with bit error rate 1/2 > τ ≥ δ ′ .Suppose that the weight enumerator polynomial W (x) of C behaves like a scaled version of the Binomial distribution the min entropy loss of C due to coset imbalance with respect to B and subset size T is at most θ ≤ 1. ■ Secrecy capacity.We notice that a polar code can be used to achieve the so-called secrecy capacity of the wire-tap channel asymptotically [Mahdavifar and Vardy, 2011].Here, the legitimate user receives messages over the main channel which produces noise according to M (in our notation).The adversary receives the same messages over a wire-tap channel which add noise from B (in our notation).Since δ < τ , the secrecy capacity is equal to h(τ ) − h(δ), where h(.) is the binary entropy function.This means that messages of length (h(τ ) − h(δ)) • n bits can be encoded in n-bit polar code words such that the legitimate receiver can reconstruct the message bits after receiving the noisy message over the main channel, and the adversary receives a noisy version of the message which has close to zero mutual (Shannon) information with the reconstructed message.In our definition we work with min entropy as this has shown to model the best possible prediction of adversaries (for more understanding, see literature on fuzzy extractors and secure sketches).

J PUF based Random Oracle Theorem
Pre-challenge vector compression.We discussed how GETRELIABLECRP h can use a random input seed which which pre-challenges are computed.We argued that this avoids the use of a TRNG.Here, we may also extend GETIO-RO h with an input seed with as goal to not only avoid the use of a TRNG in the underlying calls to GETRELIABLECRP h , but also to provide a compressed representation of the generated vector of pre-challenges c prevec .The main idea is to keep loop count number j for the loop that calls NEUMANN-GETRELIABLECRP h , the loop count number b for the loop that defines NEUMANN-GETRELIABLECRP h , the index i = 0 or i = 1 for the two calls to GETRELIABLECRP h in a single loop in NEUMANN-GETRELIABLECRP h , and a loop count number a in GETRELIABLECRP h .In GETRELIABLECRP h we call GETRESPONSE(c pre ) for We remember the loop counts a and b for each j of the associated c pre = Hash(seed∥a∥0∥b∥j) returned by NEUMANN-GETRELIABLECRP h in GETIO-RO h .We denote these loop counts by a j and b j .The sequence of pre-challenges returned by GETIO-RO h are now defined by c pre,j = Hash(seed∥a j ∥0∥b j ∥j).
(12) Notice that we can also use seed as input to a hash function for selecting a random code word w ← R C; also here we can avoid using a TRNG.
In order to avoid collisions in the hash function, we need all a j to be of fixed length/size, say n a bits, and all b j to be of fixed size, say n b bits.This means that the respective loops may run out before a 'good' pre-challenge was found, and this leads to a failure probability for GETIO-RO h .We will analyse this next.As a remark we note that we have compressed the λn bits of c prevec down to (n a + n b ) • n bits.
Failure probabilities.See Definition 3, the probability that all h measurements for a c = Hash(c pre ) in GETRELIABLECRP h agree is equal to p h c + (1 − p c ) h .Since we assume Hash in the random oracle model with respect to Y 1 (corresponding to GETRESPONSE), the different challenges c = Hash(c pre ) for c pre defined by (11) for 0 1, and i ∈ {0, 1} are randomly drawn from Y 1 .This shows that each while loop in GETRELIABLECRP h called during the execution of GETIO-RO h will take (E Y1 [p h c + (1 − p c ) h ]) −1 iterations in expectation.For small h, this is a small number and for this reason we can set n a to a small number.If GETRELIABLECRP h cannot find a reliable CRP after 2 na loop iterations, then GETRELIABLECRP h fails.This leads to failing probability ) which we can design to be very small for n a large enough.(Notice that F rel,1 = 0.) Our analysis of NEUMANN-GETRELIABLECRP h shows in (7) that, conditioned on GETRELIABLECRP h not failing, the probability that an iteration in NEUMANN-GETRELIABLECRP h produces a final output is equal to ).Hence, the failing probability of NEUMANN-GETRELIABLECRP h not being able to find distinct responses r 0 ̸ = r 1 (that lead to the final output) in 2 n b loop iterations is equal to , which can be made small for large enough n b .This leads in turn to the failing probability F io−ro,h of GETIO-RO h .Since GETIO-RO h does not fail only if none of the n calls to NEUMANN-GETRELIABLECRP h fail, we have ) For appropriately chosen n a and n b in relation to n, this can be made small in practice.
We already discussed the failure probability F out−ro,h of GETOUTPUT-RO which is equal to the decoding failure probability ρ of C with respect to distribution M representing measurement noise.We may assume that ρ is approximately equal to the failure probability of C with respect to distribution Ber(δ h ): ) where δ h indicates the dependency of ρ on δ h for the Bernoulli distribution.
Correctness.Our analysis shows that Algorithms 4 and 5 define an RO-like correctness property according to the following lemma.
Lemma 31 We define a random oracle with failure probability RO P as the pair (GETIO-RO, GETOUTPUT-RO) of Algorithms 4 and 5 where c prevec is compressed by means of a seed and where another hash of s is used to detect a failure in GETOUTPUT-RO.Algorithms (GETIO-RO, GETOUTPUT-RO) have access to a PUF P through GETRESPONSE.Upon input seed, GETIO-RO either generates a pair (aux, s) ← GETIO-RO(seed) (where aux represents c prevec , helper data p, and the other hash of s) or fails.Upon input aux, GETOUTPUT-RO either generates ŝ ← GETOUTPUT-RO(aux) or fails.
We call RO P correct with respect to the pair of failure probabilities (F io−ro,h , F out−ro,h ) if • the probability GETIO-RO(seed) fails over a random uniformly chosen seed is at most F io−ro,h , • the probability that GETOUTPUT-RO(aux) fails over (aux, •) ← GETIO-RO(seed) is at most F out−ro,h , and • if (aux, s) ← GETIO-RO(seed) and ŝ ← GETOUTPUT-RO(aux) (both do not fail), then ŝ = s.F io−ro,h is upper bounded by the combination of ( 13), ( 14) and (15) which can be made small for large enough n a and n b .F out−ro,h is approximated by ( 16).■ Security.Larger h for a given code C implies smaller F out−ro,h .One needs to design a good combination of h with a suitable code C such that F out−ro,h is small enough and the residual min entropy κ is large enough21 for generating secrets.We analyse the security in the next lemma.
Lemma 32 Let P be a PUF and let Q P output problem instances aux by calling (aux, s) ←GETIO-RO h ; the associated problem for the adversary is to guess the correct solution s (when GETIO-RO h does not fail).
• Suppose that P has challenge space C P = {0, 1} λ with correlation bias at most . over a canonical system induced CRP distribution Y * 1 , where n is the length of the code words in C and λ = Ω(κ).
• Let A x -model be some adversarial model with A x ⊆ A U .
• Suppose that P is a (k, t, ϵ corpred )-secure PUF for correlations with respect to all A that are within the A x -model and with respect to system induced CRP distribution Y * neu,h .Define τ = 1/2 − (h2 na ϵ corbias + ϵ corpred ) and let B be the distribution that generates statistically independent errors êj ← Ber(τ ).
• Assume that Q P is c sep -separable within the A x -model for c sep = 2 κ−5.946 .
• Suppose that C is a binary linear code and has a min entropy loss of θ due to coset imbalance with respect to B and subset size 2 κ (for θ to be a small constant, this requires the dimension of C to be Ω(κ)).Suppose that the residual min entropy of C with respect to B is at least 2κ + θ.
Then, for T = poly(t), we have that Q P is (k, T, ϵ win )-system secure with respect to all A within the A x -model for system induced distribution Y * neu,h for ϵ win ≤ T 2 −κ , which is negl(κ).We may call κ the bit security of Q P for k queries (or training data for learning a prediction model of the PUF) within the A x -model.■ A useful reduction result.We notice that HardnessQError fits the definition of a security game, see [Yasunaga, 2021]: "An n-bit security game is a game played by an adversary interacting with a challenger.At the beginning of the game, the challenger chooses a uniformly random secret x ∈ {0, 1} n , represented by the random variable X.At the end of the game, the adversary outputs some value v, represented by the random variable V .The goal of the adversary is to output v such that R(x, v) = 1, where R is a Boolean function.The adversary may output a special symbol ⊥ such that R(x, ⊥) = 0 for any x.During the game, adversary or challenger may obtain a sample from a distribution Q.The success probability of the adversary is P r(R(X, V ) = 1, V ̸ = ⊥), where the probability is taken over the randomness of the entire security game, including the randomness of the adversary."In our case the challenger obtains a sample ĝ ← Q (the role of X) and the adversary guesses ŝ ̸ = ⊥ (the role of V ) given ĝ.The success probability of the adversary is Pr(VERH(ĝ, ŝ)) ≤ ϵ hard (VERH plays the role of R).(The ⊥ symbol can capture the special case in which Q fails to produce a proper problem instance ĝ or the adversary declares a failure of attack.)The definition of bit security is consistent with the so-called bit security for a primitive based on a security game.
Q may query some probability distribution (other than the E or R mentioned above).For example, Q may query q (Y * neu,h ) ×d r as a distribution over response vectors r of length d.Now we can apply Theorem 1 in [Yasunaga, 2021] together with (5) and noting that the derivation of Lemma 9 proves that q (Y * neu,h ) ×d r and the uniform distribution U over {0, 1} d form a so-called 2 −(κ+5.946)/2-Hellinger close pair: Lemma 33 Let Q with query access to the uniform distribution U over {0, 1} d be (κ + 5.946)-bit secure.Suppose that PUF P has correlation bias at most ϵ corbias over the distribution Y * 1 of CRPs generated by GETRESPONSE.Consider q (Y * neu,h ) ×d r with n a and n b satisfying (5).Then, Q with query access to q In the the proof of our security lemma we will see how Q E also queries a uniform distribution U and how Q R can be seen as querying q (Y * neu,h ) ×d r instead.
Proof of Lemma 32.See Definition 15, in order to win Q R , adversary A 1 needs to guess the correct extracted secret s given knowledge of aux = (c prevec , p), where p = r vec + w with w ← R C, and given a predicted response vector r ′ vec .
Since s is a result of a hash evaluation in the random oracle model, the adversary either needs to guess the correct r vec (by computing/solving information about r vec ) or guess s according to a uniform distribution (and verify against the hash of s used for detecting failures).The latter has a success probability of q2 −κ , where q ≤ T is the total number of guesses and T is the running time of the adversary (hence, the adversary can at most guess and verify T values for s).
The remaining time T − q can be used for computing information about r vec .Since s is a result of the random oracle model, the adversary can at best use s in combination with its hash for detecting failures to exclude at most T vector values r vec (if there is a successful attempt, then this is covered by the q2 −κ probability above).In other words, knowledge about s translates in the best case to knowing a set T of cardinality |T | = T for which r vec / ∈ T .This is used in the next derivation (instead of knowledge of s).We may equivalently cast problem instances of Q R as the task to guess the correct e vec given c prevec , e vec + w, r vec + e vec , and r vec ̸ ∈ T .In order to create such a problem instance, Q R can be simulated by (1) querying r vec = r according to probability q (Y * neu,h ) ×n r conditioned on r ̸ ∈ T , where n is the length of the response vector, and ( 2) querying e vec according to distribution E as defined in Definition 15 (and draw w ← R C).In other words, given e vec + w and e vec ̸ ∈ T ′ , the adversary needs to guess e vec .We redefine this problem as Q E and conclude that Q E is an error based equivalent of Q R up to factor e equiv = 5.946, see Definition 15.Also, clearly, Q E becomes simpler in the presence of an error reducing oracle.These properties satisfy one of the conditions of Theorem 19.
For B = Ber(τ ), we define Q B as a distribution that generates problem instances where the adversary needs to guess e vec given e vec + w, e vec ̸ ∈ T ′ , and e vec ← B.
The residual min entropy of code C with respect to B is assumed to be 2κ + θ bits.The min entropy loss of C due to coset imbalance with respect to B and subset size T is at most θ.By Lemma 29, we have H∞ (e | p, e ̸ ∈ T ) ≥ −θ + H∞ (e | p) ≥ 2κ, where e and p are jointly distributed according to e ← B, p = w + e with w ← R C. We may conclude that Q B is 2κ-bit secure (notice that this means that we use κ ′ = 2κ for λ in Theorem 19).
We satisfy all conditions of Theorem 19 and conclude that for running time T − q, the probability of winning ϵ win ≤ c sep • (T − q)2 5.946 2 −2κ = (T − q)2 −κ .
Adding the guessing probability q2 −κ proves the lemma.
Strong randomness extractor.The construction also depends on the hash function Hash κ used for extracting secret s in GETIO-RO h and GETOUTPUT h .Hash κ can be replaced by a strong randomness extractor and this eliminates assuming Hash κ in the random oracle model.
The main idea is to use a universal family H of hash functions ∈ {0, 1} n → {0, 1} m of size |H| = 2 d .Universal means that for all x, x ′ ∈ {0, 1} n with x ̸ = x ′ , the probability that H(x) = H(x ′ ) is at most 2 −m where the probability is taken over uniform random H ∈ H.The randomness extractor is defined as Ext(x, H) = H(x).If m = k + 1 − 2 log(1/ϵ), then Ext is a (k, ϵ)-Hellinger extractor according to the Leftover Hash Lemma for Hellinger, see Theorem 3 in [Yasunaga, 2021].This means that for every random variable X over {0, 1} n with min entropy at least k, it holds that the Hellinger distance between distribution (Ext(X, U d ), U d ) and U m+d is at most ϵ.Here, U d is the random variable representing a uniform drawing from {0, 1} d indicating the used hash function H ∈ H and U m+d can be regarded as an (m + d)-bit output of a function evaluated in X that cannot be distinguished from a random oracle, hence, U m+d draws uniform (m + d)-bit strings.In GETIO-RO h we select H ← R H (this can also be given as input to GETIO-RO h together with seed as discussed earlier in this section) and evaluate s = Ext(r vec , H) = H(r vec ) instead of s = Hash κ (r vec ) and return ((c prevec , p, H), s).GETOUTPUT-RO receives the additional input H and computes ŝ = H(r vec ).By setting ϵ = 2 −(κ"+5.946)/2, we require m = k − κ" − 4.946, i.e., k = m + κ" + 4.946.We want to output m = κ random bits (coded in s), hence, k = κ" + κ + 4.946.This means that we require a residual min entropy of C with respect to B of at least k.
By setting ϵ = 2 −(κ"+5.946)/2, we may conclude from Theorem 1 in [Yasunaga, 2021] that if our RO construction with distribution (Ext(X, U d ), U d ) replaced by U m+d leads to a Q R which is (κ" + 5.946)-bit secure, then Q R with randomness extractor Ext is κ"-bit secure.In our proof above this implies that Q R with randomness extractor has error based equivalent Q E up to a factor e equiv = 2 • 5.946; we now apply Theorem 1 in [Yasunaga, 2021] twice and set κ" = κ ′ + 5.946 in the proof of our security lemma.We compensate for this by requiring c sep = 2 κ−2•5.946 .Also notice that in the proof of our security lemma we set κ ′ = 2κ + θ, hence, the residual min entropy of C with respect to B must be at least k = κ" + κ + 4.946 = κ ′ + κ + 10.892 = 3κ + θ + 10.892 (rather than 2κ + θ in our security lemma for Hash κ in the random oracle model).This shows how the leftover hash lemma introduces an extra (significant) min entropy loss.
Interpretation -A TCB without confidential digital computing or digital secrets.Assuming that current-state-ofthe-art advanced ML attacks on the iPUF train prediction models with accuracy at most a concrete number of percentage points less than 100%, then concrete parameter settings exist for meeting the conditions of Lemma 32 with A x = A U .The parameter setting gives rise to a more efficient PUF-based random oracle PRO (in computation and number of calls to GETRESPONSE) if the prediction accuracy is lower (e.g., more in the range of 75%).
The adversarial A U -model is very strong: The TCB does not include any confidential digital computing or digital secrets.For example, using a fuzzy extractor (that is, a combination of a secure sketch with a randomness extractor) without considering the adversarial capability of being able to train a prediction model for the underlying PUF means that no CRPs should be revealed to the adversary -the very weak A N -model.This means that the fuzzy extraction computation must be done in a confidential computing environment, e.g., implemented by specialized isolated hardware or a general purpose secure processor architecture.But even in this weak model, helper data can reveal information about the bits in the response vector, after all we only require a residual min entropy of a much smaller number of bits compared to the length of the vector out of which a secret bit string is extracted.And information about response bits may allow an adversary to train some sort of prediction model -at least in theory this may be possible22 (although we do not know how to do this in practice).Our framework clarifies the situation.Our analysis shows that an PUF based random oracle can be constructed and implemented, and without a TCB that requires some form of confidential digital computing.
We notice that we may use hardware isolation to further restrict access to the PUF.For example the PRO primitive may execute in its own 'enclave' and allowing only the PRO enclave access to GETRESPONSE.The PRO enclave may use a Merkle tree approach like the one for programmable erasable PUFs in [Jin et al., 2022] to limit the GETRESPONSE usage per challenge.This enforces the A R−x -model (with x at least h + 1).Other system applications may connect to the PRO-primitive through local attestation (which can be made secret-free by using Sanctum's approach that implements a physical isolated channel between enclaves using the concept of mailboxes).
The A R -model (A R = A R−1 ) can only be realized if h = 1 and GETIO-RO h computations cannot be observed.This either assumes PRO is part of a system enclave where adversaries can only be present during 'normal operation' (during which only GETOUTPUT-RO is called) or we have a TCB that computes GETIO-RO 1 in a confidential executing environment.
Concrete parameter setting.The various conditions of Theorem 22 are realistic: We already discussed why ϵ corbias is expected to be negl(λ) for Y 1 close to the uniform distribution (and for this reason we assume λ = Ω(κ) so that the upper bound (5) on ϵ corbias can hold).We are in the A U model where the adversary has access to GETRESPONSE (and may have additional access restrictions).We expect τ ≥ 25% for reasonable training data set sizes k and large t, hence, the condition T = poly(t) just translates into assuming feasible computing times for a real adversary in practice.The separability assumption states in this context that we do not know how to find a much more efficient method that learns how to predict the response vector r ′ vec from training data together with the helper data aux (the winning probability cannot be improved beyond an exponentially large multiplicative factor of order 2 κ ).
As a first example, we choose a polar code of length n = 2 13 and dimension k = (1 − h(δ))n + log 2 √ 2n = 0.531 • n + 7 = 4357 (the polar code is known for achieving capacity for large n).This leads to an estimated κ ≤ 173, see Lemma 29 with δ ′ = δ.By choosing κ = 128 we are allowed to choose a larger δ ′ = 0.147 > δ in Lemma 29 (by using the stronger lower bound) and this decreases k to k = 0.398 • n + 7 = 3266 which improves the decoding capability of the polar code achieving a smaller decoding failure probability ρ for measurement noise δ = 0.1.
Also notice that k is 25.5 times larger than κ making θ ≤ 1 a realistic assumption on the min entropy loss due to coset imbalance (the size of a coset is about 2 25.5•κ , where T = poly(t) ≪ 2 κ ).If the weight enumerator polynomial of C looks like a scaled version of the Binomial distribution (i.e., C looks like a random code), then a precise argument follows from Lemma 30 (with γ ≈ 2 20 ).
We require ϵ corbias ≤ 2 −(κ+5.946)/(2n(1 + κ)), which is realized if λ is a multiple of κ.Each component Arbiter PUF in e.g. the iPUF design gets its own challenge of 64 bits generated out of a pre-challenge.Since there is a multiple number of component Arbiter PUFs, we have that λ is indeed a multiple larger than κ = 128.

1 h=0
Pr(e h + cor h | side h ) with Pr(e h + cor h = 0 | side h ) = Pr(e h = 0 | side h )Pr(e h + cor h = 0 | side h , e h = 0) +Pr(e h = 1 | side h )Pr(e h + cor h = 0 | side h , e h = 1), Lower bound on the residual min entropy.Consider a [n, k] binary linear code C. For each x ∈ {0, 1} n , the set x + C defines a coset of C. Let l ∈ x + C be of minimal weight; we call this the coset leader.Let L be the set of all coset leaders.Since C is linear, we can write C + L = {0, 1} n .Hence, we can write p = c + l for c ∈ C and l ∈ L in a unique way.For T ⊆ {0, 1} n with cardinality |T | = T , this allows us to derive E p [max e Pr(e | p, e ̸ ∈ T )] = c + l) Pr(p = c + l, e ̸ ∈ T ) Pr(e = l, p = c + l) = c∈C l∈L Pr(e ∈ C + l)/2 k Pr(e ∈ C + l, e ̸ ∈ T )/2 k Pr(e = l, c) = l∈L Pr(e ∈ C + l) Pr(e ∈ C + l, e ̸ ∈ T ) Pr(e = l).By assuming a min entropy loss of θ = log 2 (1 + θ ′ ) of C due to coset imbalance with respect to Ber(τ ) and subset size T , we have max T Pr(e ∈ C + l) Pr(e ∈ C + l, e ̸ ∈ T ) ≤ max T ⊆C+l Pr(e ∈ C + l) Pr(e ∈ C + l, e ̸ ∈ T ) = max T ⊆C+l Pr(e ∈ C + l) Pr(e ∈ C + l) − Pr(e ∈ T ) = 1 + max T ⊆C+l Pr(e ∈ T ) Pr(e ∈ C + l) − Pr(e ∈ T ) ≤ 1 + θ ′ = 2 θ .This allows us to continue the previous derivation and obtain E p [max e Pr(e | p, e ̸ ∈ T )] ≤ l∈L 2 θ • Pr(e = l) = 2 θ • Pr(e ∈ L).We notice that, for T equal to the empty set, we have equalities in the derivations above for θ = 0.This proves H∞ (e | p, e ̸ ∈ T ) ≥ −θ + H∞ (e | p), and H∞ (e | p) = − log 2 Pr(e ∈ L).
Suppose that C has a min entropy loss of θ due to coset imbalance with respect to B and subset size T = |T |.Then, H∞ (e | p, e ̸ ∈ T ) ≥ −θ + H∞ (e | p).
Now consider Q R u where distribution q(Y * neu,h ) ×n ris replaced by the uniform distribution U.By Lemma 33 for d = n and the assumed upper bound onϵ corbias , if Q R u is (κ ′ + 5.946)-bit secure, then Q R is κ ′ -bit secure.Let T ′ = {(r vec + e vec ) + r | r ∈ T }.Notice that for Q R u ,Pr(e vec | c prevec , e vec + w, r vec + e vec , r vec ̸ ∈ T ) = Pr(e vec | c prevec , e vec + w, e vec ̸ ∈ T ′ ) = Pr(e vec | e vec + w, e vec ̸ ∈ T ′ ).