Modeling attacks on strong physical unclonable functions strengthened by random number and weak PUF

“…However, given that the obfuscation mechanism is not proven to be stronger than for two pioneering proposals, i.e., Slender PUFs by Rostami et al [20] and Noise Bifurcation PUFs by Yu et al [25], both of which were broken by Becker and Tobisch [6], [7] even when instantiated with a (costly) 4-XOR PUF, it is unclear why one or more non-XORed Arbiter PUFs would suddenly suffice. • For the RPUF protocol [10], [22], the exploitation of its LFSR is not unexpected, given that Delvaux et al [4,Chapter 5] previously reported similar problems for other PUF-based authentication protocols. The most notable resemblance is to the protocol of Van Herrewege et al [31], where an attacker also takes advantage of the LFSR by generating overlapping challenge streams.…”

“…As the randomizing effect of nonce n is bypassed through this sliding-window technique, an unprotected Arbiter PUF remains. 4) New Protocol Version: Independently of the above thirdparty security analysis 1 , the authors of the RPUF protocol [10] continued their investigative efforts and were able to mount a successful machine-learning attack based on simulated annealing and ES [22]. In an attempt to maintain the original security claim, they specified a lesser efficient version of the protocol.…”

“…org/) on November 23, 2017 and appeared online as part of Report 2017/1134 a few days later. The key dates for the VTS 2018 article [22], which updates the specification of the RPUF protocol, were as follows: the initial paper submission was due on October 28, 2017, the camera-ready version was due on February 9, 2018, and the paper was added to IEEE Xplore on May 31, 2018.…”

“…A design choice that impacts both the resource consumptions and the machine-learning resistance of the protocol is thus unmade. Furthermore, the authors of the OB-PUF protocol [9] did not specify a mechanism for expanding and dealing with the noise of its 3-bit responses r. Lastly, the LFSR used in the RPUF protocol [10], [22] is underspecified, even though its most intuitive instantiation would allow for overlapping challenge streams and, consequentially, an impersonation attack.…”

“…• On the bright side, the original version of the RPUF protocol [10] allows for an overall efficient implementation. To resist machine-learning attacks, however, the modified protocol version [22] requires not one but five or more Arbiter PUFs laid-out in parallel, thereby incurring a loss of competitiveness with respect to PUFs-based key generation. For those who are looking for a small-sized alternative, which remains unbroken to date, we refer to the so-called lockdown protocols of Yu et al [23].…”

Machine-Learning Attacks on PolyPUFs, OB-PUFs, RPUFs, LHS-PUFs, and PUF–FSMs

“…However, given that the obfuscation mechanism is not proven to be stronger than for two pioneering proposals, i.e., Slender PUFs by Rostami et al [20] and Noise Bifurcation PUFs by Yu et al [25], both of which were broken by Becker and Tobisch [6], [7] even when instantiated with a (costly) 4-XOR PUF, it is unclear why one or more non-XORed Arbiter PUFs would suddenly suffice. • For the RPUF protocol [10], [22], the exploitation of its LFSR is not unexpected, given that Delvaux et al [4,Chapter 5] previously reported similar problems for other PUF-based authentication protocols. The most notable resemblance is to the protocol of Van Herrewege et al [31], where an attacker also takes advantage of the LFSR by generating overlapping challenge streams.…”

“…As the randomizing effect of nonce n is bypassed through this sliding-window technique, an unprotected Arbiter PUF remains. 4) New Protocol Version: Independently of the above thirdparty security analysis 1 , the authors of the RPUF protocol [10] continued their investigative efforts and were able to mount a successful machine-learning attack based on simulated annealing and ES [22]. In an attempt to maintain the original security claim, they specified a lesser efficient version of the protocol.…”

“…org/) on November 23, 2017 and appeared online as part of Report 2017/1134 a few days later. The key dates for the VTS 2018 article [22], which updates the specification of the RPUF protocol, were as follows: the initial paper submission was due on October 28, 2017, the camera-ready version was due on February 9, 2018, and the paper was added to IEEE Xplore on May 31, 2018.…”

“…A design choice that impacts both the resource consumptions and the machine-learning resistance of the protocol is thus unmade. Furthermore, the authors of the OB-PUF protocol [9] did not specify a mechanism for expanding and dealing with the noise of its 3-bit responses r. Lastly, the LFSR used in the RPUF protocol [10], [22] is underspecified, even though its most intuitive instantiation would allow for overlapping challenge streams and, consequentially, an impersonation attack.…”

“…• On the bright side, the original version of the RPUF protocol [10] allows for an overall efficient implementation. To resist machine-learning attacks, however, the modified protocol version [22] requires not one but five or more Arbiter PUFs laid-out in parallel, thereby incurring a loss of competitiveness with respect to PUFs-based key generation. For those who are looking for a small-sized alternative, which remains unbroken to date, we refer to the so-called lockdown protocols of Yu et al [23].…”

Machine-Learning Attacks on PolyPUFs, OB-PUFs, RPUFs, LHS-PUFs, and PUF–FSMs

Modeling Attacks and Efficient Countermeasures on Interpose PUF

Analysis and Characteristics of Physically Unclonable Functions