Hello and welcome to my presentation about our contribution "Machine Learning of Physical Unclonable Functions Using Helper Data: Revealing a Pitfall in the Fuzzy Commitment Scheme". This is joint work of Christoph Frisch, Michael Pehl, and myself, Emanuele Strieder. Christoph and Michael are affiliated with the Technical University of Munich. I am affiliated with the Fraunhofer Institute for Applied and Integrated Security in Garching, near Munich.

The outline of this talk is as follows. I will give a short recap of the principles of physical unclonable functions. Afterwards, I will explain the fuzzy commitment scheme, which is a core part of the attack. This is followed by the actual attack sketch and a few results of our work. Finally, some concluding words and possible mitigations.

Let's get started with the recap of PUFs. PUFs are security primitives which are based on manufacturing variations, introduced for example during the doping process. These manufacturing variations differ from device to device. Therefore, they can be used to extract device-specific randomness with simple circuits. There is a broad variety of proposed PUF circuits, like Arbiter PUFs, Ring Oscillator PUFs, and SRAM PUFs, with many more to come because of ongoing research. How to classify PUFs is an often disputed topic. However, the only classification relevant for our contribution is the distinction between single-challenge PUFs and multi-challenge PUFs, and only multi-challenge PUFs matter for this talk. Multi-challenge PUFs allow the configuration of their internal building blocks by applying a challenge. We only consider multi-challenge PUFs with a binary output, so for each challenge either 0 or 1 is returned. Another assumption is that the multi-challenge PUF can be modeled as a linear combination of its building blocks. In our contribution we only consider Ring Oscillator Sum PUFs and Arbiter PUFs.
However, we think that the attack should also be possible for all other PUFs which have been successfully attacked by a machine learning model. All known multi-challenge PUFs have been successfully modeled by machine learning attacks if the attacker has unrestricted access to the challenge-response pairs. Because PUFs use physical device variations, their responses are noisy. One way to mitigate the noise is the fuzzy commitment scheme, which contains error correction capabilities. There is the idea that if one uses the fuzzy commitment scheme, the PUF responses are not accessible to an attacker. Therefore, it seems as if the fuzzy commitment scheme could be a countermeasure against machine learning attacks on multi-challenge PUFs. In our contribution we show that this idea has to be refuted.

So, let's take a closer look at the fuzzy commitment scheme. The fuzzy commitment scheme has two phases. The rollout phase is performed once in a secure environment. The second phase, the reconstruction phase, is performed in the field. In the bottom left corner we see the secret S, which is fed through the error correction encoder. The error correction code adds redundancy to the secret. The resulting code words C are then masked by the multi-challenge PUF. We consider the resulting helper data as well as the challenge storage as publicly accessible. To achieve a reasonable trade-off between code rate and implementation costs, error correction codes are often split into an outer and an inner code. In the reconstruction phase, the helper data is unmasked by applying the same challenges to the multi-challenge PUF as in the rollout phase. Since we are now in the reconstruction phase, the PUF responses are potentially noisy. Therefore, the code words also contain noisy bits. The code words are then corrected by the error correction code and the secret is returned. How can we extract machine learning inputs and labels while having access only to the challenges and the helper data?
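To make the two phases concrete, here is a minimal Python sketch of the fuzzy commitment scheme; the 3-bit repetition code, the 2-bit secret, and the response values are made-up toy parameters, not the ones from our setup:

```python
def rep_encode(bits, n=3):
    # Repetition-code encoder: repeat each secret bit n times.
    return [b for b in bits for _ in range(n)]

def rep_decode(bits, n=3):
    # Majority vote per n-bit block; corrects up to (n - 1) // 2 errors.
    return [int(sum(bits[i:i + n]) > n // 2) for i in range(0, len(bits), n)]

def rollout(secret, responses):
    # Rollout phase: helper data = code word XOR PUF response string.
    return [c ^ r for c, r in zip(rep_encode(secret), responses)]

def reconstruct(helper, noisy_responses):
    # Reconstruction phase: unmask with the (noisy) responses, then error-correct.
    return rep_decode([h ^ r for h, r in zip(helper, noisy_responses)])

secret = [1, 0]
responses = [1, 1, 0, 0, 1, 0]   # toy PUF responses to six challenges
helper = rollout(secret, responses)

noisy = responses.copy()
noisy[1] ^= 1                    # one bit flipped by PUF noise in the field
assert reconstruct(helper, noisy) == secret
```

The helper data can be public because, for an ideal PUF, it would reveal nothing about the secret; the attack exploits that real multi-challenge PUFs are not ideal.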
Let's take a closer look at the rollout phase. To sketch our attack, I have exchanged the ECC encoder, which contains multiple codes, with a repetition code. We know that the challenge storage and the helper data storage are publicly accessible. So the basic idea is to train a machine learning model which takes the challenges and the helper data bits. However, that is not directly possible, because the PUF masks the code word. But we know one additional thing: we know how the fuzzy commitment scheme generates the helper data bits. This only depends on the generator matrix of the used error correction code. We now rewrite this generator matrix.

This is the rewritten matrix representation of the fuzzy commitment scheme. At the top, I have exchanged the generic generator matrix of the error correction code with the generator matrix of a repetition code. In general, a repetition code repeats the input bits a number of times to add redundancy. For the sake of simplicity, in this example I have used a repetition code which repeats each bit three times. At the bottom we see the identity matrix. We conclude that each helper data bit is a combination of the same secret bit and an individual PUF response. Since we know the helper data bits, we can XOR them. We rewrite this and see that the secret, which is unknown, cancels out. So the responses are in a direct relation with the challenges. By XORing the helper data bits such that the secret cancels out, we learn a comparison between two PUF challenges. For more complex codes, the search for all these XOR equations is NP-hard. Since we want very small XOR equations of the same length, we can use brute force.

Let's take a look at a little example of how to derive these XOR equations. We have a secret which, in this example, has only two bits: one and zero. The secret is fed bitwise into the error correction code, in this example a repetition code which repeats every bit three times. Each code word then has to be masked by the PUF.
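The cancellation argument can be checked exhaustively in a few lines; this snippet only illustrates the identity h_i XOR h_j = r_i XOR r_j and is not part of the attack itself:

```python
# Two helper data bits that mask the same secret bit s:
#   h_i = s ^ r_i   and   h_j = s ^ r_j
# XORing them makes the unknown secret cancel out:
for s in (0, 1):
    for r_i in (0, 1):
        for r_j in (0, 1):
            h_i, h_j = s ^ r_i, s ^ r_j
            assert h_i ^ h_j == r_i ^ r_j   # independent of s
```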
Therefore, we need six challenges, which are applied to the multi-challenge PUF to receive six response bits. With these responses the two code words are masked and stored as helper data. Please note that the repetition code returns only two possible code words: the all-zero or the all-one code word. Let's take a look at the first code word and how this knowledge helps. Based on the helper data word and the knowledge that the repetition code only returns two code words, we can guess two possible PUF response strings for this code word. Both possible PUF response strings have the same transition pattern between the bits. Therefore, we can formulate XOR equations which account for both possibilities. These labels are independent of the two possible PUF response strings. Note that the training inputs and labels can only be created within the borders of the helper data words. The more redundancy the code word has, the more XOR equations can be created.

The next step is to find an approximator which infers, by examples, a mapping between challenge pairs and the result of our XOR equations. Since in the fuzzy commitment scheme both challenges are fed into the same PUF instance, we can specify the approximator further. In the presented case of the repetition code, the approximator has to approximate the same PUF instance twice. This construction of an internally cloned approximator instance can be modeled by a Siamese neural network. A Siamese neural network has multiple copies of the same neural network which share their trainable weights. Each copy of the network gets one challenge. The label with which the neural network is trained is the XORed helper data bit. With this neural network we are able to derive a comparison between challenges. That said, we do not claim that this approximator is the best or the only possible one. We trained this network by applying many challenge pairs. So we have this neural network, but not yet the correct key.
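As a rough, hypothetical illustration of such a Siamese setup, and not the network from our paper, the sketch below trains one shared weight vector through two logistic branches on simulated XOR labels. The linear PUF model, the feature size, the squared-error loss, and plain gradient descent are all simplifying assumptions:

```python
import numpy as np

rng = np.random.default_rng(1)

n_feat = 16
w_puf = rng.normal(size=n_feat)   # hidden weights of a toy linear PUF

def puf(phi):
    # Toy stand-in for a linear multi-challenge PUF model.
    return (phi @ w_puf > 0).astype(float)

def branch(phi, w):
    # Shared branch of the Siamese model: P(response to phi is 1).
    return 1.0 / (1.0 + np.exp(-(phi @ w)))

def xor_prob(p1, p2):
    # Probability that the two branch outputs differ, i.e. the model's
    # prediction for the XORed helper data bit.
    return p1 * (1.0 - p2) + (1.0 - p1) * p2

# Challenge feature pairs; in the real attack the labels would come from
# XORed helper data bits, here they are simulated with the toy PUF.
N = 2000
phi_a = rng.choice([-1.0, 1.0], size=(N, n_feat))
phi_b = rng.choice([-1.0, 1.0], size=(N, n_feat))
y = np.logical_xor(puf(phi_a), puf(phi_b)).astype(float)

def loss(w):
    return np.mean((xor_prob(branch(phi_a, w), branch(phi_b, w)) - y) ** 2)

w = rng.normal(scale=0.5, size=n_feat)  # one weight vector shared by both branches
loss_before = loss(w)
for _ in range(2000):
    p1, p2 = branch(phi_a, w), branch(phi_b, w)
    g = 2.0 * (xor_prob(p1, p2) - y)    # d(squared error)/d(prediction)
    dw = ((g * (1 - 2 * p2) * p1 * (1 - p1)) @ phi_a
          + (g * (1 - 2 * p1) * p2 * (1 - p2)) @ phi_b) / N
    w -= 0.2 * dw
loss_after = loss(w)
```

Note that w and its negation explain the XOR labels equally well, which is exactly the ambiguity between the original and the inverted response string that shows up in the attack phase.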
To derive the key, we have to perform the attack phase. Let's get back to our example. Our machine learning model can approximate the response difference between two challenges. Additionally, the approximator no longer depends on any unknown secret. To exploit the machine learning model, we have to fix one challenge as a hypothesis. In this example I have fixed challenge zero; however, we could use any challenge in the challenge storage. We then build challenge pairs with all other challenges. These pairs represent a comparison between each challenge of the storage and the fixed challenge. We feed the challenge pairs into our trained Siamese neural network. The noisy response difference string is either the original or the inverse of the original response string of the multi-challenge PUF. This depends on the challenge we fixed: if the original response of the fixed challenge was zero, we receive the original response string of the PUF, otherwise the inverse.

At this point in our attack, we can exploit the fuzzy commitment scheme again by using the reconstruction phase to correct erroneous bits in our noisy response. Since the repetition code in our example can correct one error per code word, let's assume the noisy response string looks like this, with the false bit marked in orange. As in the fuzzy commitment scheme, we XOR the PUF response with the helper data. So to speak, the code word now has the wrong bit, too. However, after the repetition decoder, the false bit is corrected and the secret is derived. That is the end of our attack sketch. As already mentioned, for more complex codes the XOR equations are more difficult to derive and more XORs are involved.

Let's take a look at some results. Here we see results of an attack using the repetition code and a simulated Ring Oscillator Sum PUF with 128 ring oscillators. On the X axis of all plots we see the number of used challenge-response pairs. The four plots show different steps of the attack.
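A minimal sketch of this attack phase for the toy repetition-code example; the response values are made up, and the machine learning model is assumed to be perfect except for one injected prediction error:

```python
def rep_decode(bits, n=3):
    # Majority vote per n-bit block of the repetition code.
    return [int(sum(bits[i:i + n]) > n // 2) for i in range(0, len(bits), n)]

# Toy setup: true responses (unknown to the attacker) and public helper data
# for the 2-bit secret [1, 0] under a 3-bit repetition code.
responses = [1, 1, 0, 0, 1, 0]
codeword = [b for b in [1, 0] for _ in range(3)]
helper = [c ^ r for c, r in zip(codeword, responses)]

# The trained model predicts r_0 XOR r_i for the fixed challenge c_0;
# one prediction is flipped here to mimic model noise.
diffs = [responses[0] ^ r for r in responses]
diffs[4] ^= 1

# The difference string is the response string or its inverse, depending on
# the unknown response r_0, so we simply try both hypotheses.
keys = {g: rep_decode([h ^ d ^ g for h, d in zip(helper, diffs)])
        for g in (0, 1)}
# One hypothesis yields the secret, the other its bitwise inverse;
# the error correction has absorbed the flipped prediction.
```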
The top two plots show the accuracy and the validation accuracy of our machine learning model during training. This information would also be available to an attacker. On the bottom left we see the success rate after using the trained machine learning model to decode all challenges. On the bottom right we see the success rate after having corrected the noisy response string of our machine learning model with the fuzzy commitment scheme. When comparing the top right and the bottom left plot, we can clearly see that the validation accuracy is a good indicator of the success of our attack. Additionally, if we compare the bottom two plots, we can see that the fuzzy commitment scheme itself reliably corrects erroneous bits of the noisy response string of the machine learning model. With only 800 challenge-response pairs we were able to break this simulated Ring Oscillator Sum PUF.

We wanted to substantiate the notion that the redundancy per code word of the used error correction code has a big impact on our attack. On the left side we see the growth of the number of XOR equations for three different repetition codes, given the challenge-response number. It can be seen that the number of derivable XOR equations grows faster for codes with more redundancy. On the right side we see the mean PUF success rate of our attack. We can see a clear connection between the number of derivable XOR equations and the learnability of the machine learning model: the more XOR equations, the faster the learning and the better the generalization of the machine learning model.

Another question is the influence of the choice of the fixed challenge. In this plot we see the median PUF success rate of our attack, given the challenge-response number, for three different choices of the fixed challenge. All fixed challenges were evaluated against the same machine learning model. All three fixed challenges saturate at around 89%. However, the slope is different for each reference challenge.
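Under the assumption that every pair of bits inside one n-bit helper word yields one XOR equation, the growth can be sketched as follows; the counting formula is our reading of the construction, not a quote from the paper:

```python
from math import comb

def num_xor_equations(num_crps, n):
    # Each n-bit helper word allows comb(n, 2) pairwise XOR equations;
    # num_crps challenge-response pairs fill num_crps // n helper words.
    return (num_crps // n) * comb(n, 2)

# More redundancy per code word means more equations for the same CRP budget.
for n in (3, 5, 7):
    print(n, [num_xor_equations(c, n) for c in (105, 210, 420, 840)])
```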
We conclude that there could be potential to choose a good or a bad fixed challenge. Yet we could not explain this behavior and consider this an unsolved problem. Using publicly accessible ring oscillator measurements, we built 1328 Ring Oscillator Sum PUFs. For each of these PUFs and every challenge-response number, we trained 10 machine learning models and evaluated the attack. We see that it is also possible to conduct this attack with real ring oscillator measurements. Here, too, with 800 challenge-response pairs it is very likely to find the original or the inverse of the PUF key. We repeated this experiment with a simulated Arbiter PUF. The results show more variance, but in at least one out of 10 tries we could break the PUF with 800 challenge-response pairs. Interestingly, due to the higher variance, in some instances even with 400 challenge-response pairs a high percentage of the secret bits could be decoded correctly. However, this information is not available to an attacker.

Let us summarize. In the case of a repetition code with seven bits, only a single key is necessary to learn a simple Ring Oscillator Sum PUF or Arbiter PUF. We have tested our attack with different and more complex codes; however, I leave that for the interested reader of our paper. We conclude that the fuzzy commitment scheme, or any fuzzy extractor scheme, does not counter the entropy loss of the underlying PUF. Given that the PUF is not perfect, we think that the only way to counter such machine learning attacks is to limit the number of challenge-response pairs. Another approach to mitigate this attack could be the usage of more complex and monolithic error correction codes. These codes lead to more XORs in the XOR equations and therefore more non-linearity, which is harder to learn for a machine learning model. Thank you for your attention and your interest in this topic.