A Survey on the Security of PUFs

Physical Unclonable Function (PUF) is an essential security block in security systems, which can be used for authentication and key generation. Its security is related to the security of the entire security system, thus it has received widespread attention and it is necessary for designers and users to know the security threats and solutions for PUFs before working on PUFs. The paper mainly introduces and summarizes a variety of side-channel attacks, machine learning attacks, and corresponding countermeasures for PUFs. Side-channel attacks are usually combined with machine learning attacks to improve the effectiveness of attacks. Attackers can use machine learning methods to achieve mathematical modeling of PUFs and most of the existing PUFs are vulnerable to machine learning attacks.


Introduction
For modern communication systems, mobile computing, and Internet of Things (IoT) which are widely applied in our modern life, security is significant. Various cryptographic algorithms and protocols are utilized to ensure the security of these applications. PUFs can be used to realize identity authentication and generate keys for cryptographic algorithms and protocols. Compared with the traditional secure authentication method where a physically secure Non-volatile Memory (NVM) is used to store the identity authentication code and keys, PUFs have advantages in resource consumption and security due to their lightweight structures and the information loss after power failure. The security problems of most security algorithms are not mainly derived from the algorithms but from the security blocks in the algorithms. PUF is an essential security block in security systems whose security is related to the security of the whole system directly. To ensure the security of PUFs, it is necessary to understand the existing attack methods and corresponding countermeasures. The attacks on PUFs mainly include side-channel attacks and machine learning attacks. Side-channel attacks are conducted based on the obtained side-channel information, such as power attack, electromagnetic attack, and fault attack. Machine learning attacks model PUFs to predict unknown outputs with various machine learning algorithms. For different attack methods, corresponding countermeasures are proposed to resist the attacks and improve the security of PUFs. For side-channel attacks, the principle of countermeasures is to prevent side-channel information leakages, such as shielding and obfuscation operations. For machine learning attacks, the increasing of non-linearity in PUFs can increase the difficulty of machine learning attacks, such as XOR operations. Side-channel attacks are usually combined with machine learning attacks to conduct more effective attacks for PUFs

Attack method
3.1.1. Power attack. Power attack is to obtain the leaked information of circuit state by detecting the change of power consumption or current trajectory during circuit state transition. It can be divided into simple power analysis and differential power analysis. Simple power analysis can be conducted for APUF, XOR APUF [5], and lightweight PUF [6]. The principle of the attack is to confirm the transition of the latch in the arbiter PUF based on the power trajectory, and the power trajectory can be obtained based on the measurement of the amount of current drawn from the power supply during the transition. Based on the power analysis, the status of the latch as the arbiter in an APUF can be judged, and then the corresponding output can be revealed. For the XOR APUFs and lightweight PUFs composed of multiple parallel APUFs, simple power analysis can be used to determine the number of 0s and 1s stored in the latch or arbiter, but the specific output of an APUF can not be determined. Thus, different analysis methods need to be applied to attack the PUFs according to different structural characteristics [7]. For lightweight PUFs, a divideand-conquer method is utilized where each of the parallel APUFs is attacked with selected CRPs after using simple power analysis to obtain the total number of 1s or 0s in all the responses. The selected CRPs make the outputs of all parallel APUFs be 1s or 0s to determine the output of each PUF. With the attack method, attackers can achieve high-precision modeling of each APUF, and then realize the high-accuracy attack for lightweight PUF [7]. For XOR APUFs, differential power analysis can be used to conduct an attack based on the comparison between the power trajectories obtained before and after the generation of a response, and the gradient optimization algorithm to obtain the fitted model with the smallest variance [8].

Fault attack.
Fault attacks are conducted based on the fault information or behaviors. The reliability of actual PUFs can not reach 100% due to noise, such as thermal noise and environmental changes, and it can be used as the side-channel information in fault attacks. The reliability-based CMA-ES machine learning attack is an effective attack method for XOR APUFs, which uses the divide-and-conquer method to achieve the attack. Each APUF in an XOR APUF is attacked separately and the unreliability introduced by other APUFs is treated as noise. Thus, the addition of an APUF is considered as an addition of extra noise, which makes the relationship between the complexity of machine learning attacks and the number of APUFs change from an exponential relationship to a linear relationship greatly reducing the difficulty of the attack and breaking the security of XOR PUFs [9]. If attackers can access the PUF and operate it, more fault information can be obtained to improve the fault attack by adjusting the power supply voltage or changing the environmental conditions, which is called fault injection. The increase in the proportion of unstable CRPs from active adjustment accelerates fault attacks and improves the accuracy of the attack.

Electromagnetic attack.
Electromagnetic attacks are mainly applied to the PUFs based on oscillators, such as RO PUFs. The information about oscillator frequency is leaked from electromagnetic information. For the electromagnetic attacks of RO PUFs, the frequency amplitude spectrum can be calculated from the obtained electromagnetic trajectories. The frequency range of a RO is identified by the high difference peak in all the frequency amplitude differences, where a small frequency amplitude difference close to 0 represents no oscillation only with noise and a high frequency amplitude difference represents the occurrence of oscillation of a RO. The area with ROs placed can also be identified by the average frequency difference. The frequency of a RO is obtained by comparing the frequency amplitude spectrum where the same frequency with high frequency amplitude difference in two frequency amplitude spectrums corresponds to the RO which is used for the two corresponding comparisons to generate responses. The obtained frequency and the corresponding ROs can be combined to generate a model of the RO PUF [10].

Power attack countermeasures.
To prevent power attacks, we can balance the power for different outputs of the critical gates. For example, a dual-rail circuit [11] is used to charge and discharge the two data rails of each gate in each clock cycle. Each rail is charged equally, and it is completely discharged for each cycle regardless of the data. The dual-rail circuit involves predischarge and calculation cycles, and the overall capacitor charging and discharging is always a constant. Besides, complementary operations can be applied to resist power attacks where two complementary circuits perform complementary operations. The complementary operations corresponding to two different outputs 0 and 1 are performed at the same time, so the total power corresponding to different actual outputs is consistent. For example, two symmetrical latches with two inverted outputs can be used to balance the power for APUFs.

Fault attack countermeasures.
Based on the principle of fault attacks, fault detection can be applied to detect faults in time to prevent information leakage, and then improve the resistance to fault attacks, such as spatial redundancy and temporal redundancy. For the PUFs with restrictions on access and control of attackers, fault attacks can be prevented by limiting the number of reused challenges to reduce the available fault information. For example, if each challenge is only used once, attackers can not get the fault or reliability to conduct fault attacks. Besides, different PUF designs have been proposed to overcome the issue of reliability with stronger resistance against reliability-based attacks, such as the MPUF [12] based on a single MUX and multiple APUFs as shown in figure 3. The rate of reliability decline of MPUF is lower than XOR APUFs as the number of APUF increases, which has less fault information and higher resistance to reliability-based attacks than XOR APUFs.

Electromagnetic attack countermeasures.
To reduce the electromagnetic leakage to improve the resistance to electromagnetic attacks, transistor-level countermeasures can be used, such as transistorlevel balance. However, transistor-level countermeasures increase the design cost and reduce the circuit performance. In the worst case, a large number of balanced units is needed for each critical component with careful placement and routing, which greatly increases the design cost. Another countermeasure for the electromagnetic attacks based on micro-probes can be achieved by preventing micro-probes from approaching the PUFs. Detecting package opening may be a solution, which is limited by the demand for special packaging materials and the greatly increased manufacturing cost. Another possible method is to install an active shield on or around the chip with PUFs, which is limited by the power required to drive the signal through the shield. Besides, an electromagnetic sensor can be designed to detect the proximity of the probe to resist electromagnetic attacks, such as a sensor based on an LC oscillator. When the probe is close to the PUF, the electrical coupling will occur between the probe and the nearby sensor, which will interfere with the original magnetic field of the sensor causing the proximity of the probe detected by the sensor [13]. Besides, the resistance to electromagnetic attacks can be improved through a special compact layout, such as placing adjacent RO chains according to sine waves and cosine waves to make the electromagnetic leakage of adjacent ROs overlap. The overlap makes the electromagnetic detector cannot distinguish the frequency of each RO, which reduces the vulnerability to electromagnetic attacks [14]. The special working modes of RO PUFs can also improve the resistance against electromagnetic attacks, such as only using a RO once or comparing all ROs at the same time to prevent the frequency of each RO from being distinguished. However, both the special working modes will increase hardware overhead.

Attack method
Machine learning attack is a powerful attack method, which can be divided into three types: white-box attack, gray-box attack, and black-box attack according to the attacker's knowledge. The black-box attacks are the simplest method based on the collected inputs and outputs, without the demands of the knowledge of the attacked party. However, the black-box attacks have the lowest attack accuracy due to the lack of information about the attacked party. On the contrary, white-box attacks require a full understanding of the internal structure and working conditions of the attacked party. Attackers need to model the attacked party and conducted machine learning attacks based on the model for white-box

Countermeasure
To improve the resistance of PUFs against machine learning attacks, the main countermeasure is to increase the difficulty of the attacks by increasing the nonlinearity in the PUFs. Many variants are proposed to improve the resistance, such as XOR PUFs [5] as shown in figure 4. The outputs of multiple identical PUFs are XORed to produce the final output in XOR PUFs with higher resistance to machine learning attacks. However, XOR PUFs are still vulnerable to machine learning attacks, such as LR attack [15] and reliability-based CMA-ES attack [9]. Besides, other variants, such as lightweight PUF, feedforward APUF [16] and interpose PUF (IPUF) [17], can also be broken by machine learning attacks. For example, the accuracy of LR attack on the 128-bit lightweight PUF with 5XORs can reach 99%, the accuracy of CMA-ES attack on the 128-bit feedforward APUF with 10 feedforward loops can reach 97% [18], and the accuracy of Deep Learning based model building attack on the 128-bit (4,4) IPUF can reach 97.68%. Therefore, the mathematical unclonability of PUFs is still a critical issue in security.

Conclusion
To ensure the security of a PUF design, it is necessary to consider the potential security threats of PUFs. It is important to understand the existing attacks and corresponding countermeasures for PUFs. The paper introduces the popular side-channel attacks, machine learning attacks, and corresponding countermeasures for PUFs as shown in table 1, which helps designers and users clarify the security issues and corresponding solutions of PUFs to work on the security of PUFs more effectively.