Strengthening PUFs using Composition Zhuanhao Wu, Hiren Patel, Manoj Sachdev and Mahesh V. Tripunitara University of Waterloo Waterloo, Ontario, Canada {zhuanhao.wu,hiren.patel,msachdev,tripunit}@uwaterloo.ca ABSTRACT We explore the idea of composing PUFs with the intent that the resultant PUF is stronger than the constituent PUFs. Prior work has proposed a construction, which subsequent work has shown to be weak. We revisit this prior construction and observe that it is actually weaker than previously thought when the constituent PUFs are arbiter PUFs. This weakness is demonstrated via our adaptation of the previously proposed Logistic Regression (LR) attack. We then propose new constructions called PUFs-composed-with-PUFs (P ◦P ). In particular, we retain a two-layer construction, but allow the same input to the composite PUF to be input to more than one constituent PUF at the first layer. We explore this family of constructions, with arbiter PUFs serving as the constituent PUFs. In particular, we identify several axes which we can vary, and empirically study the resilience of our constructions compared to the prior construction and one another from the standpoint of LR attacks. As insight in to why our family of constructions is stronger, we prove, under some idealized conditions, that the lower-bound on an attacker is indeed higher under our constructions than the upper-bound on an attacker for the prior construction. As such, our work suggests that composition can be a promising approach to strengthening PUFs, contrary to what prior work suggests. CCS CONCEPTS • Security and privacy → Embedded systems security; Hard- ware attacks and countermeasures. KEYWORDS Physical Unclonable Functions ACM Reference Format: Zhuanhao Wu, Hiren Patel, Manoj Sachdev and Mahesh V. Tripunitara. 2019. Strengthening PUFs using Composition. In Proceedings of ACM Conference (Conference’17). ACM, New York, NY, USA, 8 pages. https://doi.org/10.1145/ nnnnnnn.nnnnnnn 1 INTRODUCTION With the advent of Internet-of-Things (IoT) revolution, the number of distributed and unsupervised mobile computing devices contin- ues to increase, and experts believe there will be approximately Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org. Conference’17, July 2017, Washington, DC, USA © 2019 Association for Computing Machinery. ACM ISBN 978-x-xxxx-xxxx-x/YY/MM. . . $15.00 https://doi.org/10.1145/nnnnnnn.nnnnnnn 100 billion connected devices by 2020 [16]. For such wide ranging devices, authentication for counterfeit prevention and secure com- munication is an important consideration. Physically Unclonable Functions (PUF)s have recently been proposed as replacements for non-volatile memories and on-die fuses that are prone to physi- cal attacks for storing chip identifying digital signatures and seed generators to other cryptographic functions [9, 17]. PUFs use inher- ent manufacturing process variability to create circuits that appear physically identical at design time, but produce distinct, die-specific responses to input requests (or challenges) following fabrication. Each chip may contain many such challenge response-pairs (CRP)s. PUF architectures can be categorized as strong or weak. The main difference is that a strong PUF must support a large CRP space. Over the years, several strong PUF architectures have been proposed [2]. However, most of these PUFs have also been shown to be susceptible to successful modeling attacks. Through modeling at- tacks, an adversary can mimic the behavior of the strong PUF with a high prediction accuracy (around 95% or higher) rendering them ineffective [1, 14]. An interesting approach proposed in [3] was to compose PUFs such that the resultant PUF offered improved secu- rity, which they called composite PUF (CPUF). The central thesis underlying the approach was that compositions allowed increasing the CRP space while also preserving the performance properties of the resultant PUF. In a later work, the authors themselves identi- fied that the CPUF was also susceptible to a two-phase modeling attack [4] called the cryptanalysis attack (CA-ATK). They showed that CA-ATK, although successful in modeling CPUF, required an enumeration of a large CRP to conduct the attack. In this paper, we start by reviewing CA-ATK, and show that for certain constructions of CPUF, its susceptibility to an attack is much worse than previously considered. Specifically, we propose an enhancement to CA-ATK that uses logistic regression (LR) called LR-CA-ATK to rid the need for the large number of enumerations on constructions of CPUF using arbiter PUFs (ARB-PUFs). Despite this, we contend that PUF compositions can offer an approach for strengthening PUFs even in the presence of the LR-CA-ATK, but, they require careful constructions. In particular, the manner in which the challenges are mapped to inputs of the PUFs can signifi- cantly contribute to the strengthening of the resultant composite PUF. We theoretically show that mapping functions can take a cen- tral role in strengthening the CPUF against the LR-CA-ATK, and also provide supporting empirical validation. 1.1 Contributions We revisit the idea of composing PUFs, each of whose domains is smaller than {0, 1} i , to yield a PUF whose domain is {0, 1} i , and has strength Θ(i ) 1 . When we say “a strength of Θ(i ),” we mean that 1 We use Θ(·) to denote an asymptotic tight bound, and O (·) to denote an asymptotic upper-bound in a manner that is customary in computing[10].