 Hello, I'm Rei Ueno from Tohoku University, Japan. Today, I'm going to present out a paper, Regestion Sampling Schemes for Extracting Uniform Distribution from Bias Paths. Physically Unclosable Functions, Paths are essential for constructing secure and trustable information systems nowadays. Paths are exploit process variations to generate hardware intrinsic numbers, and Paths are used as hardware root of trust due to its physical vulnerability and tamper-evident features. Paths are classified into strong and weak Paths. Strong Path, such as the Arbiter Path, has large input space and many applications of strong Paths with entity authentication using challenge and response protocol. In contrast, weak Paths has a limited input space. The large Path is a typical example of weak Paths. This figure shows an N-bit large Path. The input of this large Path is given by only set signal. And the large Path consists of any latches to generate an N-bit response. Such weak Paths are mainly used for cryptographic key generation. In this talk, we focus on key generation based on weak Paths. Maybe you know, Path response usually includes the noise for repeated observations. Path noise leads to inconsistency between enrolled and reconstructed cryptographic keys, which potentially contaminates security and reliability of Path-based key generation system. Therefore, 5G extractor FE is commonly used in Path-based key generation to tolerate Path noise by error-correcting code, ECC. This figure shows a block diagram of FE with code offset. This figure is for enrollment, and the light is for reconstruction. In enrollment, we generate random sheet F using random number generator, RNG, and enroll cryptographic key using key derivation function, KDF. KDF is usually realized by cryptographic hash function, such as KJAC, or universal hash, such as TOPLIT hash. In addition, we also generate helper data W by exploring ECC encoded result of S and Path response. In reconstruction, we first calculate noisy ECC code word from W and noisy Path response. And then we perform ECC decoding to reconstruct S and K. Here, helper data is stored in common non-volatile memory NVM on device with Path. This indicates that attacker can observe helper data. Therefore, we show design key generation system such that attacker has difficulty in predicting random seed and Path response through observation of helper data. In other words, we should consider conditional entropy of random seed given helper data. The conditional entropy should be greater than sigma from realizing sigma bit key generation. If Path response is completely unpredictable for attacker, the conditional entropy is equal to length of random seed, and the sigma bit key generation is easily realized using sigma bit random seed. However, the conditional entropy significantly decreases by increase of Path bias. The decrease of conditional entropy is called entropy leakage. Entropy leakage is sometimes critical because of difficulty in fabricating completely unbiased Path. Intuitively, entropy leakage is explained using wiretap channel model for FE presented in just 2017. This here shows the wiretap channel model for FE. Here, attacker receives helper data and code offset with Path response is considered as binary symmetric chart where the error probability is given by Path bias as shown here. Therefore, if Path bias is large, attacker obtains information of S through ECC decoding of W. In case of bias path, we should render random seed longer than sigma to realize sigma bit key generation. This is called entropy buffer. This table shows Path size required for reliable 128 bit key generation with buffering entropy. Required Path size rapidly grows with increase of Path bias, especially when P sub 1 is greater than 0.58. If Path bias is considerably large, it is difficult to realize key generation with practical Path size. To solve the problem of bias, deviasing schemes have been developed to extract unbiased bit strings from bias upon response. Motivation behind deviasing is realizing key generation more efficiently than by following entropy. So far, efficiency of deviasing schemes has been evaluated by Path size required for reliable 128 bit key generation, like shown in this figure. Fondueman collector VNC-based deviasing is a pioneering scheme. In this scheme, Path response is divided into blocks consisting of two continuous bits. Then, VNC extracts deviasing bit from block with value of 1 0 or 0 1, like here, and blocks with value of 0 0 and 1 1 discount. Probability of value of 1 and 0 in extracted bits, that is deviasing data V, given by an identical value, and therefore extracted bit stringed unbiased. VNC-based deviasing uses an additional helper data named deviasing data. Deviasing data indicates the address of the discarded bits to reproduce V from no different response at reconstruction. Many deviasing schemes have been presented so far. Although some schemes to tolerate Path bias problem were presented in around 2010, entropy loss in Path-based key generation was analytically reported in 2014, and VNC-based deviasing was presented in just 2015, as an analytical and explicit solution for secure key generation from bias path in 2015. In just 2016, tight bonds of mean entropy loss through helper data was shown. The result clarified the necessity of deviasing schemes for bias path. After that, many deviasing schemes based on bias approaches were presented to improve ascension. Exchange deviasing based on fee reduces path and NVM savings for key generation. That reaction of hardware cost is highly demanded for wider application and deployment of Path-based key generation. In this talk, we present a new deviasing scheme and its fee construction for more efficient Path-based key generation. The proposed fee is named acceptance or rejection AR-based fee. The proposed scheme extracts uniform distribution from bias path response based on principle of rejection sampling. Its efficiency is higher than conventional ones. The proposed fee can be implemented if solely RNG and bit-parallel logic operations at enrollment, and no critical additional operation is required at reconstruction. Since enrollment basically is not real-time processing and computational resources at reconstruction is sometimes rather severe, this is preferable feature other than FE. In addition, the proposed FE can be applied to path-having biases depending on set addresses, while all conventional schemes are assumed on global bias. Moreover, our scheme can be extended to turn-ary path response based on empirical path-noise model for more efficient Path-based key generation, as well as previous studies. The performance of proposed FE is evaluated through simulation of 128-bit key generation. As a result of simulation, we confirmed that proposed FE achieves the smallest path and or NVM sizes for path with various biases and bit error rates. And at most 55% and 72% smaller path and NVM sizes than conventional methods. Before explaining the proposed scheme, I introduced two bias models of path. First one is global bias model, which is employed in previous studies on path-based key generation and bias. Here, all between path-response have an identical bias of piece of one and piece of zero. Another one presented in our paper is named cell-bias bias model or local bias model. Here, each width in path-response has unique bias depending on its set address. This figure shows overview of cell-bias bias model. In this figure, we have five paths with 10-bit response. In this path, the cell has bias of 0.3. The first cell has 0.2. The third cell is 0.7 and so on. We suppose the expected value of bias is all cells are equal to global bias, as shown here. Even if path has no global bias, it may have non-negligible cell-bias bias. This here shows example of such path. More precisely, cells in left half tend to output many ones, whereas right cells are biased to zero. Although the global bias is 0.5, mean entropy of such path is significantly worse than ER unbiased path. Many paths are known to have such cell-bias bias. For example, cell-bias path may have bite-wise and worldwide bias depending on physical layout. Such bias can be explained through instant of cell-bias bias. Cell-bias bias model can represent wide range of biases found in practical paths and therefore can be considered as a generalization of path bias. I can briefly introduce rejection sampling. Maybe you know, rejection sampling is a method for deriving target distribution from proposal distribution. Here, target distribution means distribution actually needed, but not directly available. Proposal distribution is easily available distribution. This figure shows overview of rejection sampling. Here, target distribution is indicated by red, and proposal distribution is in blue. We first obtain a sample A from proposal distribution like here. Then, we generate random number B from uniform distribution between zero and density of proposal distribution after A, like this. If B is smaller than density of target distribution after A, then we accept this sample. Otherwise, we reject it. Thus, accept samples for target distribution. In general, proposal distribution is frequently given by uniform distribution because it is easily available using an RNG. However, in the context of path devising, we consider uniform distribution as target distribution, and P7 bias value distribution as proposal distribution because only such bias distribution is obtained from bias paths. Then, I explain proposal scheme. The basic idea of proposal scheme is rather simple. We perform rejection sampling in bit-wide manner. Since the value of ISL is considered to follow P7 bias value distribution, we can obtain P7 bias value distribution as proposal distribution, and derive unbiased load bit-spring by rejection sampling. More precisely, this figure shows the value of ISL as belay distribution. To render it to uniform, the measure value is discarded with appropriate probability, as shown here. All minor values are retained in order to extract bit-spring as long as possible. The figure shows the example of extraction with bias bit-spring by rejection sampling. Here, in this example, P1 is greater than P0, and Y is the measure value for all cells. Therefore, some cells having value of Y are rejected with probability of 0.57, and all cells are retained. We can easily confirm that extracted bit-spring is unbiased. This slide shows the ARBase FE construction, which instantiates the proposal idea essentially. The major features of ARBase FE are reproducible rejection sampling. RRS operation is applied to power efforts at enrollment, and accepted cell location, ACE operation is applied at reconstruction. Although standard rejection sampling is not reproducible procedure, it is not directly used for performance of key generation. Therefore, ARBase operation generates accepted cell location data, ACL data, D, which indicates the location of retained or rejected cells, like VACBase FE. Then, a device bit-spring is reproduced by referring to the ACL data in ACE operation at reconstruction. I explain how to implement RRS and ACE operations efficiently. First, we generate ACL data, D, which determines cell acceptance and rejection. Initially, we generate a bit-spring H, where ice bit of H is given by 1 if the cell is biased to 1, and otherwise, the ice bit of H is given by 0, highlighted by blue and red. This bit-spring H is identical and used for all path systems. Then, we take bit-parallel XOR of X and H as Y, like here. Separately, we generate random number R, where ice bit of R has a bias corresponding to bias of ice path cell. Finally, we obtain ACL data as bit-parallel OR of H and R, and also obtain device bit-spring by accepting and rejecting path steps of X according to ACL data. We can prove this procedure correctly performed rejection sampling with the smallest rejection probability, and therefore, this is optimal and easy to implement. On the other hand, because ACL data is the input of ACE operation, it obtains the device bit-spring by just referring to ACL data. Therefore, no longer is RNG or other logical operations required at reconstruction. This slide summarizes the major features of AR-based FE. First, we proved there is no entropy leakage through pair of helper data and ACL data. This means sigma-width random seed simply realizes sigma-width key generation, and ACL data can be stored in common NBEM, as well as helper data. The AR-based FE extracts device bit-spring with expected length of 2 mp-subdero from m-width path response. This is higher or comparable than conventional schemes. Since AR-based FE extracts device bit-spring in swastik manner, a selected bit-spring may be too short to perform enrollment. However, probability of such enrollment failure can be smaller than thresholds by determining path size appropriately. Enrollment failure probability can be fiddly calculated based on inverse cumulative mass function or binomial distribution of AR-based FE. In contrast, reconstruction failure probability is not contaminated through RRS and HEE operations. This means HEE can be designed in the same way as conventional FE research devices. Finally, computational overhead is given to only enrollment as RNG and bit-parallel operations. While reconstruction requires no computational overhead. I didn't validate the effectiveness of AR-based FE through performance evaluation. This evaluation follows previous works. I simulated 128-bit key generation to evaluate path and NBEM sizes for different biases and bit error rates. Our bias and bit error rates are given by ranges shown here. I used a coordinate code with outer BCH code and inner repetition code. In addition, enrollment and reconstruction failure probabilities determine such that they are smaller than one micro. I determined path size and corresponding NBEM sizes such that path size is minimized under these conditions. I here compare AR-based FE with these three conventional methods, but see our paper for comparison with other methods because it was difficult to evaluate all methods in the 5th manner. These figures show path size for 128-bit key generation using proposer and conventional FE. Horizontal axis is path bias and vertical axis is path size. As you can see, AR-based FE indicated by red curve has the smallest path size for most biases. We confirmed AR-based FE achieves at most 55% smaller path size than conventional ones and NBEM size is basically consistent with path size. These results clearly show AR-based FE can reduce hardware cost for implementing path-based key generation system and thus we confirmed effectiveness of proposer method. Let me summarize my talk. We present a new devising scheme under each FE construction for reducing hardware cost of path-based key generation system. Proposal scheme is based on principle of rejection sampling. Computational overhead is given to only enrollment that is RNG and bit parallel operations while reconstruction requires no computation overhead. In addition, proposal scheme is the first devising scheme applicable to local biases or supervised biases depending on serial addresses while all conventional schemes cannot be applied to it. We evaluate the performance of proposer FE through simulation of 128-bit key generation. The result shows that proposal scheme can achieve smaller path and NBEM size for various paths. Moreover, proposal scheme can be extended to standard response for improved efficiency. The other world implementation evaluation of proposal FE remains as a future work. It would be important to extend proposal FE to secure path-based youth for wider range of applications. That's all. Thank you for your attention.