IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 7, NO.

1, FEBRUARY 2012

333

A Robust Physical Unclonable Function With

Enhanced Challenge-Response Set
Abhranil Maiti, Member, IEEE, Inyoung Kim, and Patrick Schaumont, Senior Member, IEEE

AbstractA Physical Unclonable Function (PUF) is a promising

solution to many security issues due its ability to generate a dieunique identifier that can resist cloning attempts as well as physical tampering. However, the efficiency of a PUF depends on its
implementation cost, its reliability, its resiliency to attacks, and the
amount of entropy in it. PUF entropy is used to construct cryptographic keys, chip identifiers, or challenge-response pairs (CRPs)
in a chip authentication mechanism. The amount of entropy in a
PUF is limited by the circuit resources available to build a PUF. As
a result, generating longer keys or larger sets of CRPs may increase
PUF circuit cost. We address this limitation in a PUF by proposing
an identity-mapping function that expands the set of CRPs of a
ring-oscillator PUF (RO-PUF) with low area cost. The CRPs generated through this function exhibit strong PUF qualities in terms
of uniqueness and reliability. To introduce the identity-mapping
function, we formulate a novel PUF system model that uncouples
PUF measurement from PUF identifier formation. We show the
enhanced CRP generation capability of the new function using a
statistical hypothesis test. An implementation of our technique on
a low-cost FPGA platform shows at least 2 times savings in area
compared to the traditional RO-PUF. The proposed technique is
validated using a population of 125 chips, and its reliability over
varying environmental conditions is shown.
Index TermsPhysical unclonable function (PUF), challenge-response pair (CRP), entropy, ring oscillator, identity mapping.

I. INTRODUCTION

N on-chip Physical Unclonable Function (PUF) is a chipunique, hardware challenge/response function. Its challenge-response relationship is determined by deep submicrometer-level variations in a chip. This variation, known as manufacturing process variation, is caused by uncontrollable deviations in the chip manufacturing process. The imprint of this
variation remains permanent1 in the postfabrication phase of a
chip, and is unique from one chip to another manufactured from
the same mask. The complex and random nature of this variation
makes a PUF practically very hard to be cloned. In addition, the
sensitivity of the variation imprint to physical probing renders a
PUF to be tamper-resistant against invasive attacks. These qualManuscript received October 21, 2010; revised June 03, 2011; accepted August 01, 2011. Date of publication August 22, 2011; date of current version
January 13, 2012. This work was supported by the National Science Foundation under Grant 0964680 and Grant 0855095. The associate editor coordinating the review of this manuscript and approving it for publication was
Dr. Ramesh Karri.
The authors are with the Department of Electrical and Computer Engineering,
Virginia Tech, Blacksburg, VA 24061 USA (e-mail: abhranil@vt.edu).
Color versions of one or more of the figures in this paper are available online
at http://ieeexplore.ieee.org.
Digital Object Identifier 10.1109/TIFS.2011.2165540
1In

this paper, we do not consider chip aging effects.

ities turn a PUF into a promising solution for applications such

as device authentication, cryptographic key generation, and intellectual property (IP) protection. A large number of response
bits from a PUF are necessary because of the following reasons.
1) A larger set of PUF responses leads to longer cryptographic
keys, which may offer stronger cryptographic strength.
2) In a device authentication process, PUF challenge-response pairs (CRPs) are exchanged between the authentication authority and the device to be authenticated. Since
the CRPs are public information, and since they are transferred over insecure channels, an adversary can capture
and reuse this information. To prevent such a replay attack,
a CRP should not be used more than once. However, this
requires a large set of CRPs in order to authenticate a
device a significant number of times before the CRP set is
exhausted. Moreover, a longer device identifier composed
of many response bits can authenticate a bigger population
of devices with less error.
3) A number of PUF response bits cannot be used reliably as
they are erroneous or unstable in nature due to noise effects
and environmental variations. To compensate for the error,
additional response bits need to be generated.
The number of CRPs that can be extracted from a PUF is
directly related with the amount of entropy present in it. In an
information-theoretic sense, the entropy in a PUF can be quantified as the total number of independent CRPs that can be derived
from a PUF. By independent CRPs, we mean that by knowing
a CRP , one cannot guess or predict another CRP even with
a low probability, i.e., the mutual information,
is zero,
. However, the amount of entropy in a PUF circuit is
limited by the number of circuit components used to construct
the PUF. For example, in a ring-oscillator PUF (RO-PUF), the
source of entropy is a group of RO frequencies [22]. Hence, to
produce a large number of independent CRPs, one may have to
pay a price in terms of increased area cost.
In this work, we show that the source of entropy in a PUF can
be processed through an identity-mapping function to increase
the number of CRPs. These CRPs, though not independent with
each other in information-theoretic sense, exhibit strong PUF
qualities in terms of uniqueness and reliability. We emphasize
that the proposed function does not increase the entropy extracted from a PUF. However, the distinct advantage that we get
out of this function is that using a smaller area, a chip can produce a significantly large set of CRPs that are useful for security
applications even if the entropy is limited by the circuit resource.
These extended sets of CRPs could be termed as pseudoindependent CRPs of a PUF. This is similar to the idea of a pseudorandom number generator which is used to produce a stream of

1556-6013/$26.00 2011 IEEE

334

IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 7, NO. 1, FEBRUARY 2012

bits that are statistically indistinguishable from a truly random

sequence of numbers. With a detailed security analysis, we show
that the proposed PUF can prevent relevant attacks against it.
We demonstrate the complete idea by proposing a system model
that divides a PUF design in different components. In this paper,
we explain our idea using the RO-PUF. However, it can be applied to any PUF that produces real-valued responses. The main
contributions of our work are:
1) The PUF System Model and the Identity-Mapping
Function: We present the RO-PUF using a system model
consisting of three components: a) the sample measurement, b) the identity mapping, and c) the quantization. The
novel contribution of this model is the identity-mapping
function. The number of CRPs obtained with the identity-mapping function is exponential as a function of area.
Hence, a small increase in area results in a large number
of additional CRPs.
2) Statistical Testing: We analyze the identity-mapping
function using a statistical hypothesis test to demonstrate
the enhanced CRP generation capability of the proposed
function. According to our knowledge, this is the first work
to employ statistical hypothesis test for PUF analysis.
3) Design Implementation: We implement a prototype hardware of the enhanced PUF on a low-cost, commercial,
off-the-shelf FPGA. We also characterize it over a group
of 125 FPGAs. Moreover, we test it over varying temperature and supply voltage, and provide PUF reliability data.
The rest of this paper is organized as follows. In Section II, we
discuss the motivation behind the proposed technique and compare it with existing related work. In Section III, we introduce
the PUF system model, and discuss the identity-mapping function in detail. We also present the analysis result from the statistical hypothesis test in this section. Section IV discusses the
implementation prototype. Experimental results are presented
in Section V. A security analysis of the proposed technique is
presented in Section VI. We conclude the paper in Section VII
with future research plans.

Based on the frequencies, it is clear that the two chips are distinct. However, the traditional rank-based method cannot treat
them as different chips. The frequency ranks of both the chips
are given as follows (with the lowest frequency having the first
rank and the highest one having the last rank):

Therefore, the traditional method will fail to distinguish them. It

might be argued that with a higher number of ROs, there will be
a low probability that two chips will have an identical ranking.
However, we aim to develop a technique that can distinguish
two chips even if they have a small number of ROs. We show
that postprocessing of the RO frequencies can still distinguish
these two chips with four ROs. We propose a function, called
identity mapping, that converts the difference between a pair of
RO frequencies using a nonlinear power function, and a distribution of the resulting quantity is used to create PUF responses.
Before defining the identity-mapping function formally, we first
show a simple example based on the previous dataset. First, we
create all possible frequency subsets. The two chips have the
following subsets:

Next, we evaluate the set of distances between the frequency

subsets. For example, a Euclidean metric for tuples and triples
of frequencies would be as follows:

II. BACKGROUND
In this section, we will explain the advantages of an identitymapping function for a real-valued PUF such as the RO-PUF.
We also discuss related work.

Using these metrics, subsets of frequencies can generate a distribution defined as -value

A. Motivation
In an RO-PUF with ring oscillators, the CRPs are based on
a set of RO frequencies,
. The frequency
of an individual RO is a function of the total delay around the
oscillator loop which varies randomly from one RO to the other
due to process variation. Hence, the pattern of frequencies is
unique for each chip. According to the traditional RO-PUF, the
CRPs are determined by the ranking of individual RO frequencies [22]. However, this has a limitation that we demonstrate
using a simple example. Suppose two chips with four ROs have
the following set of frequencies (we use hypothetical values as
an example):

Fig. 1 shows the kernel density plot of these two distributions.2

It shows that two distributions are different from each other.
We want to exploit this property of RO-PUF to produce a larger
set of CRPs compared to the traditional method. Since ROs
can form a total of
subsets, the total number of
-values is also
. Therefore,
response
bits can be generated from these -values using a quantization method that we will discuss after we formally construct the
identity-mapping function. In contrast, the traditional method
sets the upper bound on the number of CRPs as
[22].
2Kernel density estimation is a statistical technique to infer the distribution
of a population based on a finite sample of data [9]

MAITI et al.: ROBUST PUF WITH ENHANCED CHALLENGE-RESPONSE SET

Fig. 1. Kernel density plot distinguishing two chips.

Moreover, the bit-extraction method proposed in [22] can produce only

response bits using all possible
pairwise comparisons among RO frequencies. Both of these
quantities are smaller than that in our proposed approach. We
note that the CRPs generated through the proposed function are
not information-theoretically independent3 CRPs whereas the
limit
represents a set of independent CRPs. However,
our security analysis shows that our CRPs can prevent relevant
attacks exploiting dependent CRPs, thus preserving the security
requirement of a PUF. This presents a new perspective that the
strict notion of information-theoretically independent CRPs can
be bypassed by the proposed function leading to an efficient application of PUF.
B. Related Work
In the previous section, we showed that appropriate postprocessing can expand the number of CRPs in an RO-PUF exponentially with respect to the number of ROs. The traditional
RO-PUF does not propose any such method. Helinski et al. introduced another real-valued PUF that exploits random variations in the equivalent resistance of the on-chip power distribution grid [2]. This PUF also does not show any postprocessing like the proposed one. Furthermore, a recent work involving RO-PUF by Meng Day et al. emphasizes on memoryless key storage with improved error correction using techniques such as BCH coding and ReedMuller coding [25]. It
uses index-based syndrome coding (a soft decision encoder) that
reduces the number of errors in the encoded (quantized) output
of the PUF, and lowers the entropy leakage through the helper
data used to recover original responses from noisy PUF outputs.
This eventually reduces the complexity of the error-correction
method. We instead focus on low-cost expansion of PUF CRP
set in the prequantization phase of a PUF. Though we use a
helper data function to quantize PUF outputs, our main focus
is to maximize the number of CRPs using the identity-mapping
function before the quantization (encoding).
In an SRAM PUF, a soft decision helper data algorithm
has been used to estimate the error probability of individual
3

CRPs proposed by the traditional PUF are also not informationtheoretically independent.

335

SRAM cell outputs separately [10]. This reduces the entropy

loss caused by the assumption of an average error probability
for all the cells. However, determining the error probability of
individual RAM cells requires multiple measurements. In our
approach, we work with ring oscillators rather than RAM cells,
which need to be measured only once.
Recently, Yin et al. proposed a sorting algorithm to extract
response bits from an RO-PUF while improving their reliability
[24]. The main goal of the algorithm is to maximize the number
of response bits using the traditional rank-based method. On the
other hand, our method exploits a transformation function that
is completely different from a rank-based method as explained
in Section II-A.
A recent FPGA-based PUF technique has been proposed
using the delay characterization of reconfigurable logic with
respect to the global clock pulse [14]. The security of the
technique is dependent on the significant time difference between simulation and on-chip execution of hardware circuit
as well as the difficulty of bit-stream reversal. On the contrary, our method is based on RO frequency variability and
postprocessing. Moreover, the security of our proposed PUF
is conditional neither on the simulation-versus-execution time
disparity nor on the assumption of bit-stream irreversibility.
In one of our previous works related to PUF, we focused on
mitigating the effect of systematic process variation on RO-PUF
as well as enhancing the PUF reliability using a reconfigurable
RO structure [13]. In this work, we instead focus on solving the
problem of lower CRPs versus higher circuit cost in an RO-PUF.
In another work, we carried out a large-scale characterization of
the RO-PUF based on a large population of FPGA chips to study
the distribution of process variation as well as to demonstrate
the feasibility of the PUF technique over a significantly large
population of chips [12].
The preliminary idea of expanding the CRP set of an RO-PUF
using the identity-mapping function has been presented in [3].
In that work, entropy of a PUF using the proposed identitymapping function was estimated with the assumption that each
value is independently generated and selected randomly to
create a PUF response bit. In this work, we will present further
findings about the proposed technique. We will show that the
values from the identity-mapping function can produce a significantly large number of CRPs using fewer ring oscillators.
Though these values are not information-theoretically independent with each other, they can produce PUF response bits
that show strong PUF qualities in terms of uniqueness and reliability. The distinct advantage is that using a smaller area, a chip
can produce a significantly large set of useful CRPs necessary
for security applications even if the entropy is limited by the
circuit resource. In fact, the importance of this type of approach
has been mentioned by Maes et al. in the context of overall PUF
research scenario [11]. A security analysis has been presented
explaining how the expanded set of CRPs are protected from
possible attacks that may exploit dependencies among values.
C. Classification and Application of the Proposed PUF
Ruhrmair et al. classified different PUFs in terms of factors
such as number of CRPs and difficulty of predicting PUF responses [19]. According to their definition, a strong PUF con-

336

IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 7, NO. 1, FEBRUARY 2012

Fig. 2. Application scenario for the proposed PUF.

tains exponentially many CRPs. It is also very difficult to predict an unknown response bit from a strong PUF by analyzing
some already-known CRPs. Moreover, a complete determination of all CRPs in a strong PUF must be impossible within
several days or weeks due to an exponential number of CRPs
and a finite read-out time of a response [18]. The number of
CRPs produced by the proposed PUF can grow exponentially
with area. Though our proposed PUF has a finite read-out time
for a response (of the order of a millisecond), the complete CRP
set with a small number of ROs can still be read within a reasonable period of time. However, since the number of CRPs will
grow exponentially with the number of ROs, the time required
to evaluate the complete set of CRPs of a larger PUF will also
increase. Therefore, the proposed PUF stands more likely as a
candidate for strong PUF.
A strong PUF is ideal for device authentication application
as it possesses a large number of CRPs. A server-based authentication mechanism with remotely deployed devices seems one
of the suitable applications of this PUF. The scenario has been
depicted in Fig. 2. The proposed PUF is enrolled in a trusted environment, and its CRPs (
) along with the necessary helper
data ( ) are measured and stored in a server. After the PUF is
deployed in field where the operating environment is not trustworthy, the server sends a challenge ( ) along with its helper
data ( ) to the deployed PUF, and the PUF replies with a response . If the response matches with that stored in the server,
the PUF is successfully authenticated.
III. PUF SYSTEM MODEL
In a real-valued PUF, like the RO-PUF, generation of the
process variation information in terms of a physical quantity
(such as RO frequency), and subsequent quantization are two
separate but related components. This leads to the designers
flexibility to tune each component separately to optimize the
overall PUF design. However, it requires an approach with a
well-defined partitioning of the design that helps in improving
the quality of a PUF. Fig. 3(a) shows the PUF system model
used in this paper. We distinguish three components: sample
measurement, identity mapping, and quantization. We discuss
each of them in this section. While quantization or digitization of process variation information has been proposed earlier,
e.g., in RO-PUF [22], Arbiter PUF [7], [6], and FPGA-based reconfigurable PUF [16], the introduction of the identity-mapping
function is the contribution of this work.

Fig. 3. (a) PUF System Model. (b) Example implementation: RO-PUF.

A. Sample Measurement
The main functionality of the sample measurement is to characterize the effect of random process variation that remains permanent in the postfabrication phase of a chip. In a sample measurement, a digital challenge ( ) is applied to the PUF to produce a vector of physical measurements representing the identity of a device. In the example of the RO-PUF in Fig. 3(b), the
challenge selects 2 out of 4 oscillators. The frequencies of the
RO pair are measured.
However, environmental noise such as ambient temperature
variation, supply voltage fluctuation, and thermal noise negatively affect the sample measurement resulting in noisy PUF
outputs. Additionally, factors like metastability, and systematic
process variation can also degrade the PUF output. For example,
the Arbiter PUF, which exploits the delay variation between a
pair of configurable delay paths, has an error in its output due to
the metastability in the arbiter flip-flop when the setup-hold time
is violated [17]. Moreover, bit-aliasing4 in PUF output can occur
due to systematic variation. Though these issues can be mitigated
by error-correction methods, addressing them at the sample
measurement level can also improve the PUF reliability and the
entropy extraction significantly. This eventually simplifies the
subsequent error-correction process resulting in reduced cost.
B. Identity Mapping
In this section, we describe an approach to identity mapping,
based on a Test Statistic (TS). We will demonstrate that this TS
improves over known schemes in terms of generating CRPs. We
first introduce the concept of TS. A TS is an expression that
transforms a set of measurement data into a set of numbers that
can be used to test a hypothesis. In the example of the traditional
RO-PUF [Fig. 3(b)], the TS is the frequency difference of the selected RO pair. This difference which varies from device to device is used to map the identity of a device to a binary signature.
Complementary to the TS, we propose a nonparametric testing
approach to evaluate whether our TS is able to distinguish several chips well. We present analysis results using on-chip data.
1) Hypothesis Testing: One set of hypotheses of interest in
comparison of all chips is

4In bit-aliasing, different chips produce nearly identical PUF signatures that
may result in false positives in chip authentication

MAITI et al.: ROBUST PUF WITH ENHANCED CHALLENGE-RESPONSE SET

337

This set of hypotheses is equivalent to the following:5

To decide whether or not we reject

, we need to make a
decision rule which is constructed using the TS. Hence, we develop a new TS using the identity-mapping function explained
in Section II-A, and propose to use its distribution as a unique
on-chip fingerprint. We want to evaluate whether our TS is able
to distinguish chips clearly. For testing our hypothesis, we use
KolmogorovSmirnov nonparametric test [21]. It is used to
show whether two underlying distributions differ or not. Since
this test does not specify what that underlying distribution is,
it is a nonparametric test.
2) Proposed Q TS: To describe the construction of the identity-mapping function, we first define some notations, and introduce a model to explain our approach in detail. Let
be the
frequency value for the th measurement of the th RO in chip
, where
,
, and
. Using
these frequencies, we consider the following model which is expressed as a function of unknown parameters and an additive
error term:
(1)
where
is the fixed unknown mean frequency of the th RO
in the th chip, and
is a random measurement error.
is estimated by averaging
over a sample size of
assuming a normal distribution of error
with
zero mean. Using
from a chip , we define a sample space
which is the set of possible outcomes of an experiment in which
RO frequencies are selected from
RO frequencies where
. (For the simplicity of discussion, we omit the subscript assuming the subsequent analysis is done for the chip, .)
For example,
contains all possible pairs of RO frequencies

Therefore,
. Similarly,
contains all possible
triplets of RO frequencies
. Likewise,
.
We now define the random variable
that assigns a real
number to each outcome of

(2)
The weight factor
can include additional information
about the design. In our case, we assign it the Euclidean distance
between the ROs,
and
on the chip. In the implementation
section, we will describe how the ROs are assigned spatial coordinates.
is the absolute difference between the pair of RO
frequencies
and
. To make the function a nonlinear
5By

distribution, we mean the distribution of RO frequencies.

one, may be any real number except 1. For example, we may

assign
or . In our case, we assign it as 0.5. Corresponding to each of the
combinations in , there is one
value. Therefore, for all possible values of
, the
total number of values is
. While the ideal value of is , the construction of can be computationally expensive when
is large.
In that case, we can reduce while ensuring that the resulting
total number of values still remains large. In this case,
. Once and are chosen, the
set of values is defined as
with
. can
be quantized as needed to create a suitable response space.
3) Evaluation of the Q TSs: We evaluated the TS using
RO frequency data from a set of 125 FPGA chips. We considered 16 ROs from each chip with 100 measurements for each
RO. [
in (1).] For given
,
, and
, we obtained values and used
them as TS values. We then tested the hypothesis whether the
distributions of values are the same among chips using KolmogorovSmirnov (KS) test. In a KS test, a parameter -value
is derived. A -value is the probability of obtaining a value for
a TS that is as extreme as or more extreme than the observed
value, assuming the null hypothesis is true. A low value of
denotes two distributions are different, and a value close to 1
denotes they are similar. We compare the test result with the traditional method which builds the response based on the rank
of each RO frequency. We note that the hypothesis is tested on
the results of identity mapping, not on the quantized identifier.
There are
pairwise comparisons among
125 chips. The KolmogorovSmirnov (KS) test suggests that
there is a strong statistical evidence that the distributions of
all chips are different because almost all the -values for all
possible comparisons between any two chips are very small
(almost zero). This is shown in Fig. 4 where the majority of
the -values are 0 represented by the bottom plane of the 3-D
plot while there are a very few occurrences of higher values.
Please note that even the highest -value shown in the graph is
still smaller than
which indicates negligible similarity.
Hence, all the chips are distinguished well.
We then further compare our method with the traditional
method using 4 ROs. For each chip, we randomly select 4 ROs
out of 16 ROs and perform this random sampling 10 000 times.
We then calculate the proportion of times that each method fails
to reject
when
is true, where
: two chips are the same
and
: two chips are different. For example, for one particular
pair of chips, using the traditional method, 421 out of 10 000
samples are indistinguishable, while our method identified all
the samples. Hence, the estimated proportions of the traditional
method and our method are 0.0421 and 0, respectively, for this
case. We calculated these proportions for all the pairs. Using
the traditional method, the average proportion is 0.0417. The
minimum and maximum proportions are 0.0407 and 0.0425,
respectively. Using our approach, the average proportion is
0.0028. The minimum and maximum proportions are 0 and
0.0055, respectively (Table I). Hence, our approach identifies
chips better than the traditional method with a fairly small
number of ROs.

338

IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 7, NO. 1, FEBRUARY 2012

Fig. 5. Architecture of our robust PUF.

Fig. 4. Result of KS Test using 125 chips.
TABLE I
WHEN
IS TRUE, WHERE
PROPORTION OF TIMES OF FAILURE TO REJECT
: 2 CHIPS ARE THE SAME,
: 2 CHIPS ARE DIFFERENT

chip falling within an interval is assigned the corresponding

binary digit to create . A helper data
, based on , is generated so that a noisy
is correctly placed in the same interval
as
during the evaluation phase. The helper data during the
enrollment is derived as follows:
(3)

C. Quantization
In the quantization phase of PUF design, binary response bits
are generated from a set of real-valued PUF measurements. For
example, in the traditional RO-PUF, a pair of RO frequencies
are converted to binary bits by a simple comparison method
[22]. Unlike the RO-PUF, the SRAM PUF [1], the Arbiter PUF
[7], [6], and the Butterfly PUF [4] perform a direct time-todigital conversion, and they do not require a separate quantization step. In our case, quantization needs to be applied on
the -values generated by the identity-mapping function. Apart
from the simple comparison method, there are other methods of
quantization that can convert a set of real-valued quantities into
a set of binary numbers. These methods are widely discussed in
the area of biometrics where similar conversion is used to generate key/signature from biometric data of an individual. For
the quantization of the values, we evaluated several standard
quantization methods that are used in the biometric applications
including the Shielding function [8], the reliable bit extraction
method [23]. Based on the comparison results, we selected the
Shielding function. It has the property to shield any knowledge
about the real-valued quantities that it quantizes from being revealed through the quantized binary output leading to its name.
We briefly introduce the method of Shielding function.
In the operation of a PUF, there are two phases: a) In the enrollment phase of the PUF, a reference response bit is generated at normal operating condition by applying a challenge ,
and is stored in a secure database for subsequent operation of
the PUF. b) In the evaluation phase, the PUF is supplied with
the challenge to generate a noisy version of called . In the
Shielding function, the range of a value is divided in several
equal intervals with a width during the enrollment phase. The
intervals are alternatively assigned 0 and 1. Any
of a

where
such that
.
is the average of
.
is the binary digit assigned to the interval in which
resides.
During the response evaluation, a binary output
is derived as
follows:
(4)
where

is a noisy version of

and not the complement of

IV. ROBUST PUF IMPLEMENTATION

In this section, we describe our prototyping effort for the proposed solution. The prototype includes a PC and an FPGA configured with the modified RO-PUF (shown by the dotted box in
Fig. 5). During the enrollment of the PUF, several samples of
the values are taken using a set of challenge inputs
(refer
to Fig. 5) and a set of reference PUF responses ( ) are derived
and stored in the PC along with the corresponding helper data
( ) for the Shielding function [refer to (3)]. During the PUF
response evaluation, the PC sends and
to the PUF to derive the response .
The PUF has an 8-bit micro-controller with a data-path to
implement the sample measurement of the RO frequencies, the
generation of the
values for the identity mapping, and the
quantization of the values. Details of the implementation are
shown in Fig. 5. All the control signals and memory addresses
are supplied by the 8-bit micro-controller unit (the control signals, the address bus, clock inputs are not shown for simplicity).
The statistical hypothesis test is not a part of the implementation,
and has been separately done. We now discuss the implementation in detail.

MAITI et al.: ROBUST PUF WITH ENHANCED CHALLENGE-RESPONSE SET

339

TABLE II
DETAIL OF THE IMPLEMENTED DESIGN

A. Sample Measurement
The part of the circuit shown in the gray box measures the
RO frequencies from an array of ROs. The ROs are placed in
a 2-D array. The (
) position of an RO in the array is used to
calculate the Euclidean distance between an RO pair. The RO at
the left-most location of the bottom row of the array is assigned
the coordinate (0,0), and the rest are assigned coordinates with
respect to it. An -bit challenge input enables one of the
ring oscillators at a time (usually,
), and the frequency
of the enabled RO is measured with a 24-bit counter. The individual RO frequencies are stored in the memory MEM1. This is
a one-time operation.
B. Identity Mapping
We used
and the
as the Euclidean distance
in (2) defined in Section III-B2. It requires an integer squareroot and a multiplication operation. The square-root module is
implemented using a nonrestoring algorithm with the iterative
method [5]. This implementation results in lower throughput
but smaller area. A 4 8 bit pipelined multiplier is used for
the multiplication operation. The compare-subtract module is
used to compute the absolute difference of two RO frequencies.
One of the operands for the compare-subtract module comes
directly from the memory MEM1 and the other operand is provided through the memory element REG. The values are generated using three steps.
Step 1Since the factor
is constant, the memory
MEM2 is initialized with all possible pairwise distances using
the input from the micro-controller. It is subsequently overwritten by the corresponding
values in Step 2.
Step 2According to the definition of , all the values are
the combination of the
values [refer to (2)]. To minimize the
number of multiplication and square-root operations, all the required
values are calculated at a time, and stored in memory
MEM2. This a one-time operation during the PUF operation.
All the responses can be generated by reusing these values as
explained in the Step 3.
Step 3During the generation of a PUF response, the required
value is generated by summing the appropriate
values (2) stored in MEM2. This summation operation takes
place in the accumulator.
C. Quantization
The micro-controller calculates the sum
(4), and compares it with the appropriate interval of the Shielding function
to generate the binary response that is sent to the PC.
V. RESULTS
A prototype circuit with 16 ROs has been built on a Xilinx
Spartan 3E S500 FPGA. An RO with five inverters is created
as a hard macro, and instantiated to create a 2 8 array. A
Picoblaze micro-controller core is used with an UART interface to communicate with the PC. The total FPGA resource
used after place and route is 456 slices along with 2 Block
RAMs. A Spartan 3E S500 FPGA has 4656 slices in total.
Hence, less than 10% [
%
%] of
the available resource is used by the implementation making
enough resources available to implement other circuits on

the FPGA besides the PUF. Table II shows a summary of

the implementation including the total number of challenges
available, total area consumed, total dynamic power dissipation, and the cycles required for different operations. The
cycle counts showing the delay overhead does not include the
communication with the PC using UART. To evaluate one
single response bit using ROs, the required number of cycles
is
.
For example, a challenge consisting of 4 ROs will take approximately 1.5 ms to derive the response using a 50-MHz clock. We
note that this includes the one-time overhead of RO frequency
measurement and the
calculation denoted by 73 920 cylces.
In a particular session of PUF CRP extraction, this overhead
is incurred only once, and is not required to be calculated for
each response bit extracted.
A. Evaluation of PUF Responses
As a secure hardware primitive, a PUF is required to generate
random yet chip-specific responses. At the same time, the reliability of PUF responses under varying operating conditions is
crucial. These qualities of a PUF can be evaluated using two
main factors:
Uniqueness is an estimate of the ability of a PUF to generate random responses as well as to uniquely distinguish
different chips based on the generated responses.
Reliability is an estimate of the reproducibility of the
PUF responses over varying operating conditions (such as
varying ambient temperature, fluctuating supply voltage).
These factors are estimated using
PUF
response bits generated from each of a group of 125 FPGAs.
1) PUF Uniqueness: We estimate the uniqueness of a PUF
by three parameters.
a) Average Interchip Hamming Distance (HD): With a
pair of chips, and
, both having -bit responses,
and , respectively, for the same challenge , the average interdie HD among a group of chips is defined as follows:
%
This is an average of all possible pairwise HDs among chips.
This expression is an estimate of the interchip variation in terms
of PUF responses, and not the actual probability of the interchip
process variation.
b) HW : The Hamming Weight (HW) of an -bit response
from the chip
.
is the th binary bit of an -bit
response from a chip . This is an estimate of the uniformity of
PUF responses.

340

IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 7, NO. 1, FEBRUARY 2012

Fig. 7. Uniformity of PUF responses using identity mapping.

Fig. 6. Distribution of interchip Hamming Distance of PUF responses using
identity mapping.
TABLE III
PUF UNIQUENESS USING IDENTITY MAPPING

c) HW : The Hamming Weight (HW) for each th bit poacross chips

. This is an
sition
estimate of bit-aliasing in PUF responses. In bit-aliasing, different chips produce nearly identical PUF responses that may
result in false positives in chip authentication.
For truly random PUF responses, all three of these parameters should have an ideal value of 50%. In this experiment,
is 65519 and is 125. Fig. 6 shows the interchip HD for all
comparisons. It is clear from the figure that the
distribution is centered around 50% which is the ideal value for
truly random PUF responses. Also in Table III, the minimum
value of 49.21% of the interchip HD shows that any pair of
FPGAs in the experiment has at least 32 241 (
% of 65 519)
different response bits. Thus, the PUF with the identity-mapping function is able to distinguish the FPGAs clearly. Figs. 7
and 8 show the uniformity of PUF responses
from 125
FPGAs, and the bit aliasing
for each of the 65 519 bit
positions, respectively. The average value of 50.02% for
(Table III) shows that the PUF with the identity-mapping function can produce response bits that are fairly uniformly distributed between 0s and 1s. The plot in Fig. 7 shows that
the deviation from the average is small.
On the other hand, bit-aliasing
is also found to be
around 50% (Fig. 8). However, more importantly, the minimum
value of 31.2% and the maximum value of 68.8% in Table III
show that all the bit positions are fairly different from a complete bit-aliasing. A value of 0% at the th bit would mean all the
chips produce 0 at that bit position while 100% would mean all
the chips produce 1. Both these cases are complete bit-aliasing.
In Section III-B3, it was shown using the hypothesis test that
an RO-PUF with the identity-mapping function is better than
a traditional rank-based RO-PUF both using a smaller number
of ROs. Here we present a uniqueness comparison analysis
between the PUF with the identity-mapping function and the
one without it. Both the designs implement the quantization

Fig. 8. Bit aliasing of PUF responses using identity mapping.

using the Shielding function. This is done in order to show the

advantage of introducing the identity-mapping function while
keeping the other two components of the PUF system model,
the sample measurement and the quantization, the same. For
the PUF without the identity mapping, we directly quantized
the raw frequencies from 16 ROs using the Shielding function
to produce 16 response bits. It is done for all 125 FPGAs.
Table IV shows the PUF uniqueness without the identitymapping function. Though both have an average around 50%,
it is evident that the PUF with the identity-mapping function
has a smaller deviation from the average. On the contrary, the
PUF without the identity mapping has a large deviation with
the minimum and the maximum being 6.25% and 93.75%, respectively (Table IV). The minimum value shows that there is
a high probability that two chips will map to the same identifier
value, in particular under environmental variations. However,
it is not the case for the PUF with the identity-mapping function as the minimum is 49.21%. Since both of them use 16 ROs,
it is clear that a more efficient PUF can be designed using the
identity-mapping function compared with a PUF without identity mapping. We note here that the minimum and maximum
value of bit-aliasing in the PUF without the identity mapping
are, respectively, higher and lower than those in the proposed
PUF. However, the average of bit-aliasing in the proposed PUF
is around 50% and the majority are centered around the average
as shown in Fig. 8.
We further compared our proposed technique with a perfectly
random source. Using Matlab simulation, we generated 125 uniformly distributed, 65 519-bit long binary responses and calcu-

MAITI et al.: ROBUST PUF WITH ENHANCED CHALLENGE-RESPONSE SET

341

TABLE IV
PUF UNIQUENESS WITHOUT IDENTITY MAPPING

Fig. 10. Reliability comparison for supply voltage variation.

Fig. 9. Comparison of interchip HD between the PUF with identity mapping

and a random source of response.

lated the uniqueness. Fig. 9 shows the interchip HD distribution

of the proposed PUF overlapped on that of the random source.
It is clear from the figure that the proposed PUF behaves very
similar to a random source.
Regarding the area cost, our implementation of the PUF with
the identity mapping uses 456 slices including measurement
and communication circuitry. Though our implementation uses
2 Block RAM units, they are used for Picoblaze instruction
memory, and to store 120
values (MEM2 in Fig. 5). It is
reasonable to assume that the PUF without the identity mapping would also need a Picoblaze-like unit for the control and
communication, and a memory space to store RO frequencies.
Though the PUF without the identity mapping does not require
the circuit for generating
values, scaling up the number of
CRPs involves significant increase in area as one CRP requires
an RO consuming four slices on the used platform.
In the traditional RO-PUF, 128 response bits have been produced using 1024 ROs with the help of a 1-out-of-8 scheme to
enhance the reliability [22]. Without the reliability scheme, it
needs two ROs for 1 bit response leading to a total of 256 ROs
for 128 response bits. Hence, the required number of slices just
for implementing the ROs is
. Therefore, only
the ROs in the traditional method uses
times
more area compared to the total area (with all the required components) consumed by the proposed method while the proposed
method can produce 65 519 bits compared to 128 bits produced
by the traditional method.
2) PUF Reliability: Though the PUF responses are expected
to be static, factors such as temperature variation, supply voltage
fluctuation, and thermal noise introduce errors in them, and thus
affect the reproducibility of the PUF responses.
To estimate the PUF reliability, we extract an -bit reference
response
from the chip at the normal operating condition (at room temperature using the normal supply voltage). The
same -bit response is extracted at a different operating condition (different ambient temperature or different supply voltage)

Fig. 11. Reliability comparison for ambient temperature variation.

with a value . samples of

are taken for each of the operating conditions. For the chip , the PUF reliability is estimated
as follows:
%

where
is the th sample of .
is the intrachip Hamming Distance of the chip . It indicates the number
of unreliable bits in PUF responses. Hence a lower value of it
results in more PUF reliability.
The reliability of the PUF responses is measured over varying
environmental conditions. We tested the PUF responses for nine
different ambient temperatures from 0 C to 70 C using a convection heat chamber to cover the allowed operating range of
the used FPGA. We also tested them for 20% of the supply
voltage of the FPGA core using a dc regulated power supply.
All the measurements are taken with 100 samples for a single
FPGA chip. Figs. 10 and 11 shows a comparison of the reliability for the PUF with the identity-mapping function and the
one without the identity-mapping function. The trend shows
that the PUF with the identity-mapping function is more reliable than the PUF without the identity mapping for both varying
voltage and temperature. Though the exact reason for this observation cannot be confirmed without a detailed analysis, one
of the possible reasons might be as follows. Since a value is
a summation of several frequency differences, the variations in
the individual frequency differences are averaged out. We plan
to investigate the reliability factor in more detail as part of our
future work. Fig. 12 shows the error rate of the proposed PUF as
a percentage of the number of unreliable bits at different temperatures and supply voltages. For this experiment, only one level

342

IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 7, NO. 1, FEBRUARY 2012

Fig. 12. Error rate of the PUF with the identity mapping using single quantization level.

Fig. 13. Operational setup of the proposed PUF.

of quantization has been implemented using the Shielding function.

VI. SECURITY ANALYSIS
The proposed PUF generates CRPs that are not fully independent in the information-theoretic sense. This may give rise
to security threats such as prediction attack in which the adversary attempts to predict the value of an unknown response bit
using an already-known response bit. In this section, with the
help of a security analysis of the implementation of our technique, we show that this threat can be averted.
We assume that the PUF security is not violated during the
enrollment phase, and no information about the PUF is leaked
during this period. We analyze the security vulnerability when
the PUF is in use in a hostile environment. We assume that an
adversary can observe challenges
, responses
, and helper
data
of the PUF. He can also adaptively apply and
to
observe corresponding responses. The input challenge
creates the RO frequency subset, the identity-mapping function
generates the -values, and the quantization method converts
the -values to binary response bits using
as shown in
Fig. 13. By
, we denote the binary response produced through the
value between a pair of ring oscillators,
and
. Similarly,
denotes the binary response produced through the
value between
,
, and
. The security analysis is based on two subgroups
of 2 and 3 ROs out of the 16 ROs. However, the security analysis
can be applied similarly to the subgroups with a higher number
of ROs. We consider six different scenarios to assess the security risk of the proposed PUF.
1) Uniformity of response To begin with, we evaluate the
proportion of 0/1 in the derived response bits. A set
of uniformly distributed response bits are essential to prevent an attacker from guessing if a response of a particular
chip is biased towards a particular binary value. A similar method has been used by Majzoobi et al. as single bit
probability in evaluating security of Arbiter PUF [15]. The
value of
in Table III shows that the proposed PUF
produces response bits with a proportion of 0/1 that is
very close to 50% thus excluding any bias.

Fig. 14. Response conditioned by challenge for groups of 2 ROs. Average

%.

2) Response conditioned by challenge In this scenario, we

check if there is any correlation between a challenge and
a response when we keep a part of a particular challenge
fixed while changing the other part of the challenge. A similar technique has been employed in [15] as conditional
probability. For a challenge with 2 ROs, we keep one of
the ROs fixed while changing the other. The fixed ring
oscillator, say
, can form 15 response bits given by
,
,
. We calculate the
,
%
.
quantity
(HW denotes Hamming weight.) For an unbiased PUF,
it will generate a value of 50% on an average meaning
that fixing an RO as part of the challenge produces 0s
and 1s with equal probability. Fig. 14 shows the distribution of the above quantity for all 16 ROs for 125
FPGA chips tested. It shows that the sample set is averaged around 50% with no obvious trend to suggest any
type of bias. We carried out the similar test for groups of
3 ROs. We kept a pair of ROs out of the 3 ROs fixed while
changing the remaining one. The fixed pair of ROs, say
,
, can form 14 response bits given by
,
,
,
. We calculate the
quantity
,
,
%,
. For an unbiased PUF, this quantity should also
produce a value 50%. Fig. 15 shows the distribution for
120 possible pairs
. It also shows that there is no
prominent trend in the result to suggest a bias.
3) Inter-response dependency test In the proposed PUF,
the building blocks for all
values are the
values
(2). We want to see if we can predict responses from
values by observing responses from corresponding
values. In particular, we test if it is possible to predict
,
,
by knowing
,
,
,
, and
. We first observe
all possible values of
. There are
a total of 560 such responses. Now, corresponding to
each of these 560 responses, we calculate the quantity
.

MAITI et al.: ROBUST PUF WITH ENHANCED CHALLENGE-RESPONSE SET

343

Fig. 17. Distribution of

Fig. 15. Response conditioned by challenge for groups of 3 ROs. Average
%.

Fig. 16. Inter-response dependency.

It has four possible values: 3, 2, 1, and 0. We divide

560 responses in four groups:
,
,
, and
. Now, we count how many
1 bits have been produced by
in
total for each of those four groups. The HW information of the responses from
values should not have
any correlation with the corresponding response from
value, i.e.,
. For example, if the
group with
has
response bits out of 560
bits, and
bits out of
are 1,
then
% (shown as probability of response
1 on the -axis in Fig. 16) should be around 50% for an
unbiased PUF. This will indicate that it is difficult to construct
by knowing
,
, and
. Fig. 16 shows that
all the four cases are centered around 50% over a set of
125 chips. Therefore, this result shows that inter-response
dependency is not present in the proposed PUF.
In this context, we analyze the dependencies among
values using their distributions. Fig. 17 shows distributions of different values (taken from an arbitrary chip
from the pool of 125 chips). Each of the distributions has
different mean and variance. This shows that they do not

values.

have the same range. Additionally, even if there exist overlaps among different values, response bits from the overlapped values do not have correlation as each of the
values have their own quantization width based on their
individual variances. This is supported by the experimental
results. Table III shows that the response bits are fairly
equally distributed between 0 and 1.
4) Differential attack In this scenario, we observe
and then replace
with
and
observe
. The objective is to predict
from these two observed responses. For
each
, there are
possible
pairs
.
We now calculate
for each 105 pairs. The possible values of the HW are 0,
1, 2. We divide 105 responses in three groups:
,
, and
. We then count how many 1
bits have been produced by
in total by
each of those three group. For example, if the group with
has response bits out of 105
bits, and bits out of are 1, then
% should
be around 50% for an unbiased PUF. Figs. 18, 19, and 20
show the scenarios for
,
, and
,
respectively. Each of the scenarios include data for all individual 16 ROs ( -axis) for all 125 chips tested ( -axis).
The results show that none of the scenarios suggest any
bias that can lead to a successful differential attack.
5) Model building through machine learning Ruhmair et
al. proposed model building attacks on several PUF architectures using machine learning techniques [18], [20]. The
technique that has been used to attack the RO-PUF is a
quick sorting method to determine the relative ranking of
the RO frequencies. This technique is particularly suitable
for attacking the traditional RO-PUF as its responses can
be constructed purely based on frequency ranking without
the need of knowing the absolute frequency values. However, in the proposed PUF, the final response is derived
after the transformation of RO frequencies to values and
then a random assignment of binary values by the quantization method. Therefore, the sorting technique will not
work against the proposed PUF as it does not depend on

344

IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 7, NO. 1, FEBRUARY 2012

Fig. 18. Differential attack scenario with HW

. Average

%.

Fig. 19. Differential attack scenario with HW

. Average

%.

6) Reverse engineering attack An attacker may try to gain

knowledge of the RO frequencies or the values to construct . At the input, even if an adversary knows the value
of , i.e., the RO subset, the corresponding -value is calculated within the FPGA chip and never comes out of the
chip. This gives two advantages:
i) Even though
and
are not completely independent,
predicting
by knowing
is not possible because no information about any values is accessible.
ii) Since
values are not accessible, reverse engineering
of the original RO frequencies from values becomes
impossible.
On the other hand, at the output, there are two possible points
of vulnerability: the helper data
of the Shielding function
and the response . An attacker may try to predict an unknown
response bit
from its public helper data
or from a known
response bit
. However, an attacker faces difficulties
due to the following reasons.
1) The probability that information about leaked by
is
of the order of
for the Shielding function [8] when
,
of the quantization interval, is the
standard deviation of . Therefore, predicting using
with high probability is difficult.
2) In a traditional RO-PUF, is evaluated by pair-wise comparison of RO frequencies. As a result, only the knowledge
of the ranking of the RO frequencies can reveal . Unlike
direct comparison, the Shielding function maps arbitrary
binary bits to -values. Therefore, to predict an unknown
response , one has to estimate the absolute value of corresponding which is difficult.
Finally, it should be mentioned that there is a possibility of sidechannel attack on the proposed PUF. This is because the proposed implementation uses arithmetic units such as square-root,
multiplier. It also makes use of intermediate storage (MEM1
and MEM2 in Fig. 5). Using the side-channel power and timing
measurements, one can try to read the frequency values. Though
we did not consider side-channel attack in this work, we consider it as an important security issue and keep it as a part of
future work.
VII. CONCLUSION

Fig. 20. Differential attack scenario with HW

. Average

%.

the ranks of RO frequencies. The similar reason is valid

for the reverse engineering attack as will be discussed as
the next scenario.

In this work, we proposed a new technique to design a PUF

with enhanced CRP set having low area cost. The novel identity-mapping function using a new TS derived from the RO frequencies increased the number of CRPs significantly compared
to the traditional method. Though the CRPs generated through
the proposed technique are not information-theoretically independent, it has been clearly shown that they possess strong PUF
behavior. We demonstrated the feasibility of the proposed technique with a prototype implementation and statistical test results. The experimental result shows high uniqueness as well
as reliability in the PUF outputs with a significantly low area
footprint. A detailed security analysis showed that the proposed
PUF can resist relevant attack risks.
In future, we plan to evaluate the resiliency of this technique
to other attacks such as side-channel attacks. We also intend to
explore other methods of identity mapping, further optimization
of the hardware, and improvement of PUF reliability.

MAITI et al.: ROBUST PUF WITH ENHANCED CHALLENGE-RESPONSE SET

REFERENCES
[1] J. Guajardo, S. S. Kumar, G.-J. Schrijen, and P. Tuyls, FPGA intrinsic
PUFs and their use for IP protection, in Proc. 9th Int. Workshop on
Cryptographic Hardware and Embedded Systems (CHES07), 2007,
pp. 6380.
[2] R. Helinski, D. Acharyya, and J. Plusquellic, A physical unclonable
function defined using power distribution, in Proc. 46th Ann. Design
Automation Conf. System Equivalent Resistance Variations, New York,
2009, pp. 676681, DAC, ACM.
[3] I. Kim, A. Maiti, L. Nazhandali, P. Schaumont, V. Vivekraja, and H.
Zhang, From statistics to circuits: Foundations for future physical unclonable functions, in Towards Hardware-Intrinsic Security. New
York: Springer, 2010.
[4] S. Kumar, J. Guajardo, R. Maes, G.-J. Schrijen, and P. Tuyls, Extended abstract: The butterfly puf protecting IP on every FPGA, in
Proc. IEEE Int. Workshop on Hardware-Oriented Security and Trust,
2008 (HOST 2008), 2008, pp. 6770.
[5] Y. Li and W. Chu, Implementation of single precision floating point
square root on FPGAS, in 5th Ann. IEEE Symp. Proc. FPGAs for
Custom Computing Machines, Apr. 1997, pp. 226232.
[6] D. Lim, Extracting Secret Keys From Integrated Circuits, M.Sc.
Thesis, MIT, Cambridge, MA, 2004.
[7] D. Lim, J. Lee, B. Gassend, G. Suh, M. van Dijk, and S. Devadas, Extracting secret keys from integrated circuits, IEEE Trans. Very Large
Scale Integr. (VLSI) Syst., vol. 13, no. 10, pp. 12001205, Oct. 2005.
[8] J.-P. Linnartz and P. Tuyls, New shielding functions to enhance
privacy and prevent misuse of biometric templates, in Proc. 4th
Int. Conf. Audio- and Video-Based Biometric Person Authentication
(AVBPA03), 2003, pp. 393402.
[9] R. Lopes, I. Reid, and P. Hobson, The two-dimensional Kolmogorovsmirnov test, in Proc. XI Int. Workshop on Advanced Computing and
Analysis Techniques in Physics Research, Amsterdam, The Netherlands, 2007.
[10] R. Maes, P. Tuyls, and I. Verbauwhede, Low-overhead implementation of a soft decision helper data algorithm for SRAM PUFs, in Proc.
11th Int. Workshop on Cryptographic Hardware and Embedded Systems (CHES09), 2009, pp. 332347.
[11] R. Maes and I. Verbauwhede, Physically unclonable functions: A
study on the state of the art andfuture research directions, in Towards
Hardware-Intrinsic Security. New York: Springer, 2010.
[12] A. Maiti, J. Casarona, L. McHale, and P. Schaumont, A large scale
characterization of RO-PUF, in Proc. IEEE Int. Symp. 2010 Hardware-Oriented Security and Trust (HOST), 2010, pp. 9499.
[13] A. Maiti and P. Schaumont, Improved ring oscillator PUF: An
fpga-friendly secure primitive, J. Cryptology, pp. 123, 2010, DOI:
10.1007/s00145-010-9088-4.
[14] M. Majzoobi, A. Elnably, and F. Koushanfar, FPGA time-bounded
unclonable authentication, in Proc. 12th Int. Conf. Information Hiding
(IH10), 2010, pp. 116.
[15] M. Majzoobi, F. Koushanfar, and M. Potkonjak, Testing techniques
for hardware security, in Proc. IEEE Int. Test Conf., 2008 (ITC 2008),
pp. 110.
[16] M. Majzoobi, F. Koushanfar, and M. Potkonjak, Techniques for design and implementation of secure reconfigurable PUFs, ACM Trans.
Reconfig. Technol. Syst., p. 2:5:1-5:33, Mar. 2009.
[17] D. Ranasinghe, D. Lim, S. Devadas, D. Abbott, and P. Cole, Random
numbers from metastability and thermal noise, Electron. Lett., vol. 41,
no. 16, pp. 1314, 2005.
[18] U. Rhrmair, F. Sehnke, J. Slter, G. Dror, S. Devadas, and J. U.
Schmidhuber, Modeling attacks on physical unclonable functions,
in Proc. 17th ACM Conf. Computer and Communications Security
(CCS10), 2010, pp. 237249.
[19] U. Ruhrmair, J. Solter, and F. Sehnke, On the Foundations of Physical
Unclonable Functions 2009 [Online]. Available: http://eprint.iacr.org/
2009/277.pdf

345

[20] F. Sehnke, C. Osendorfer, J. Slter, J. Schmidhuber, and U. Rhrmair,

Policy gradients for cryptanalysis, in Proc. 20th Int. Conf. Artificial
Neural Networks: Part III (ICANN10), 2010, pp. 168177.
[21] M. A. Stephens, EDF statistics for goodness of fit and some comparisons, J. Amer. Statist. Assoc., vol. 69, no. 347, pp. 730737, 1974.
[22] G. E. Suh and S. Devadas, Physical unclonable functions for device
authentication and secret key generation, in Proc. 44th Ann. Design
Automation Conf. (DAC07), 2007, pp. 914.
[23] P. Tuyls, A. Akkermans, T. Kevenaar, G.-J. Schrijen, A. Bazen, and
R. Veldhuis, Practical biometric authentication with template protection, in Audio- and Video-Based Biometric Person Authentication of
Lecture Notes in Computer Science, T. Kanade, A. Jain, and N. Ratha,
Eds. Berlin, Heidelberg, Germany: Springer, 2005, vol. 3546, pp.
436446, DOI: 10.1007/1152792345.
[24] C.-E. Yin and G. Qu, Lisa: Maximizing RO PUFs secret extraction,
in Proc. 2010 IEEE Int. Symp. Hardware-Oriented Security and Trust
(HOST), 2010, pp. 100105.
[25] M.-D. M. Yu and S. Devadas, Secure and robust error correction for
physical unclonable functions., IEEE Des. Test, vol. 27, pp. 4865,
Jan. 2010.

Abhranil Maiti (S05M06) received the B.E.

degree in instrumentation engineering from Jadavpur
University, Kolkata, India, in 2002, and the M.S. degree in electrical engineering from Illinois Institute
of Technology, Chicago, in 2006. He is currently
working toward the Ph.D. degree at the Department
of Electrical and Computer Engineering, Virginia
Tech, Blacksburg.
His research interests include embedded system
security and secure hardware design.

Inyoung Kim received the Ph.D. degree from the Department of Statistic, Texas A & M University.
She is an Assistant Professor at the Department of
Statistics since 2007. Before then, she was trained
as a postdoctoral research associate in the Division
of Biostatistics, the Department of Epidemiology
and Public Health, Yale University. Her research
interests focus on developing semi/nonparametric
statistical methods and theory using regression
splines to address issues in several areas (epidemiology, genomics, and information security). Both the
Frequentist and Bayesian methods have been developed.

Patrick Schaumont (S01M05SM06) received

the M.S. degree in computer science from Rijksuniversiteit Ghent, Belgium, in 1990, and the Ph.D. degree in electrical engineering from UCLA, in 2004.
He is an Associate Professor in computer engineering at Virginia Tech, Blacksburg. His research
interests include design of, and design methodologies for, secure embedded systems. He has served on
the program committee of international conferences
in this field such as CHES, DATE, DAC, IEEE
HOST, and IEEE MEMOCODE, and as guest editor
for IEEE Design and Test Magazine, ACM Transactions on Reconfigurable
Technology and Systems, and IEEE TRANSACTIONS ON COMPUTER-AIDED
DESIGN OF INTEGRATED CIRCUITS.