The unique properties of PUFs provide several advantages over traditional public key infrastructure (PKI) constructions. In general, PUFs provide two core properties: tamper detection for a larger circuit, and to act as a noisy random oracle. The first property follows from the physical design of the PUF itself. As the PUF relies on unclonable hardware tolerances (e.g. wire delays, resistance, etc.), any modification to either the PUF or the attached integrated circuit will irreversibly alter the PUF's mapping from challenges to responses. The second property is assumed in ideal theoretical models, where PUFs are treated as oracles that provide (noisy) responses to challenges, where the mapping between challenges and responses cannot be modeled or duplicated in hardware. Rührmair et al. (“Modeling attacks on physical unclonable functions,” Proceedings of the 17th ACM conference on Computer and Communications Security, CCS'10, pages 237-249, New York, 2010, ACM (“Rührmair I”)) have refuted the claim of modeling robustness, and propose a hardware construction resilient to such attacks (Rührmair et al., “Applications of high-capacity crossbar memories in cryptography,” IEEE Trans. Nanotechnology. 10(3):489-498, May 2011 (“Rührmair II”)). Thus, theoretical constructions assuming that PUFs cannot be modeled remain interesting, as existing PUF hardware can be replaced with Rührmair et al.'s (Rührmair II) proposed design.
Literature on physically unclonable functions (PUFs) evaluates the properties of PUF hardware design (e.g., Gassend et al., “Silicon physical random functions,” Proceedings of the 9th ACM conference on Computer and Communications Security, CCS'02, pages 148-160, New York, 2002, ACM.; Katzenbeisser et al., “PUFs: Myth, fact or busted?A security evaluation of physically unclonable functions (PUFs) cast in Silicon,” CHES, pages 283-301, Springer, 2012; Ravikanth, “Physical One-Way Functions,” Ph.D. Thesis, 2001; Rührmair II; Suh et al., “Physical Unclonable Functions for Device Authentication and Secret Key Generation,” Proceedings of the 44th Annual Design Automation Conference,” DAC'07, pages 9-14, New York, 2007, ACM; Yu et al., “Recombination of Physical Unclonable Functions,” GOMACTech, 2010 (“Yu I”)), provides formal theoretical models of PUF properties, and designs protocols around those definitions (cf. Armknecht et al., “A formalization of the security features of physical functions,” Proceedings of the 2011 IEEE Symposium on Security and Privacy, SP'11, pages 397-412, Washington, D.C., 2011; Brzuska et al., “Physically uncloneable functions in the universal composition framework,” Advances in Cryptology-CRYPTO 2011-31st Annual Cryptology Conference, vol. 6841 of Lecture Notes in Computer Science, page 51. Springer, 2011; Frikken et al., “Robust authentication using physically unclonable functions,” Information Security, vol. 5735 of Lecture Notes in Computer Science, pages 262-277, Springer Berlin Heidelberg, 2009; Handschuh et al., “Hardware intrinsic security from physically unclonable functions,” Towards Hardware-Intrinsic Security, Information Security and Cryptography, pages 39-53, Springer Berlin Heidelberg, 2010; Kirkpatrick et al., “PUF ROKs: A hardware approach to read-once keys,” Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security, ASIACCS'11, pages 155-164, New York, 2011, ACM; Paral et al., “Reliable and efficient PUF-based key generation using pattern matching,” Hardware-Oriented Security and Trust (HOST), 2011 IEEE International Symposium, pages 128-133. June 2011; Rührmair et al., “PUFs in Security Protocols: Attack Models and Security Evaluations,” 2013 IEEE Symposium on Security and Privacy, pages 286-300, 2013 (“Rührmair III”); van Dijk et al., “Physical Unclonable Functions in Cryptographic Protocols: Security Proofs and Impossibility Results,” Cryptology ePrint Archive, Report 2012/228, 2012; Wu et al., “On foundation and construction of physical unclonable functions,” Cryptology ePrint Archive, Report 2010/171, 2010; Yu et al., “Lightweight and Secure PUF Key Storage using limits of Machine Learning,” Proceedings of the 13th International Conference on Cryptographic Hardware and Embedded Systems, CHES'11, pages 358-373, Berlin, Heidelberg, 2011, Springer-Verlag (“Yu II”)).
Ravikanth introduced the notion of physical one-way functions in his Ph.D. dissertation. The physical construction is based on optics, using the speckle pattern of a laser fired through a semi-transparent gel to construct an unclonable and one-way function. This seminal work led to more realistic constructions of physically unclonable functions (PUFs) that did not rely on precise mechanical alignment and measurements.
Gassend et al. introduce the notion of PUFs constructed through integrated circuits. This work improves upon the original physical one-way function construction using optics by Ravikanth by removing the precise requirements necessary for mechanical alignment and output measurement. By implementing PUFs in integrated circuits, the hardware is widely available, and easy to integrate into existing systems.
Suh et al. introduced the ring oscillator construction of a PUF, which has many desirable properties. Specifically, the ring oscillator design is easy to implement in hardware, robust, and unpredictable. The authors demonstrate that ring oscillator constructions exhibit 46% inter-chip variation, yet have only 0.5% intra-chip variation.
Rührmair et al. describe a candidate direction to alleviate the problems with existing PUF constructions caused by machine learning demonstrated in Rührmair I. They introduce the notion of a super high information content (SHIC) PUF. A SHIC-PUF contains a large amount of information (e.g. 1010 bits) while having a self-imposed slow readout rate that is not circumventable by construction. Thus, if an adversary attempts to acquire the full challenge-response pair set, the time required to achieve this would exceed the lifetime of the device. Using lithographic crossbar memory, a small PUF would require at least three years of continuous reading to fully model. As nanotechnology develops, the promise of a nonlithographic crossbar (≈10-nm) would require decades to fully model. Thus, the security of the SHIC-PUF is independent of the computational abilities of the adversary and inherently linked to the physical construction. Further, the crossbar can be used as an overlay PUF, which protects the underlying circuitry.
Yu I describe PUF constructions that treat the unique hardware characteristics of devices as genetic material. Similar to genetic recombination, these properties may be recombined to produce output with different characteristics than the original material. In the authors' construction, a PUF may be altered to provide NIST certifiable random output, an exponential challenge space and real-valued outputs. True random output is a necessary characteristic for use in cryptographically strong authentication protocols. The real valued output facilitates soft decision error correction, where both the signal and strength are reported (Yu et al., “Secure and Robust Error Correction for Physical Unclonable Functions,” IEEE Des. Test, 27 (1):48-65, January 2010, (“Yu III”)). Finally, the authors also demonstrate how to construct a multi-modal PUF, with separate generation and authentication modes.
Katzenbeisser et al. evaluate the assumed properties of various PUF constructions, finding that many lack essential characteristics of an ideal PUF. The arbiter, ring oscillator, SRAM, flip-flop and latch PUF constructions are compared for robustness and unpredictability in varying environmental conditions. While all PUF constructions are acceptably robust, the arbiter PUF has low entropy while flip-flop and latch PUFs are heavily affected by temperature fluctuations. A drawback for ring oscillators is low min-entropy, while SRAM lacks an exponential input space. However, both ring oscillator and SRAM designs more closely approximate an ideal PUF.
Next, we review the literature on applying PUFs to cryptographic protocols, and developing formal models to evaluate the security of PUF-dependent protocols.
Handschuh et al. give a high level description of how PUFs can be applied to anti-counterfeit and intellectual property domains. The authors outline the shortcomings of existing property protection approaches, which is primarily key storage design. By employing PUFs, the secret key is no longer duplicable, as PUFs are by design unclonable.
Rührmair I describe attacks on a variety of PUF constructions, including arbiter and ring oscillator designs. The modeling attacks require only a linear number of challenge response pairs with respect to the structural parameters of the PUF constructions. In constructions where the attacks require superpolynomially many challenge response pairs, the underlying construction grows superpolynomially in the number of components. Thus, the underlying construction becomes infeasible to build, and the designer and adversary face the same asymptotic difficulty. The attacks presented are sufficient to break most PUF constructions in production, and demonstrate that other approaches seem to meet with exponential increases in complexity for both defender and adversary.
Wu et al. demonstrate that a PUF with l-bit input, m-bit output and n components does not implement a random function when
  n  <            m2      ℓ        c  for some constant c. That is, the size of a random function family must be equal to the size of the output domain. Letting  be a function family of PUFs and  be the output domain, we have that =2m2l. However, when
                  ℱ              =          n      <                        m          ⁢                                          ⁢                      2            ℓ                          c              ,then
          ℱ        =                    2                              2                          m              ⁢                                                          ⁢                              2                ℓ                                              c                    <              2                  m          ⁢                                          ⁢                      2            ℓ                                =                          ℨ                    .      This information theoretic bound establishes PUFs with
  n  <            m      ⁢                          ⁢              2        ℓ              c  components as a pseudorandom function family. In order for such PUF families to implement a proper psuedorandom family, confusion and diffusion of the input are necessary. The authors show how to construct a physically unclonable pseudorandom permutation by using a PUF to generate the key for a block cipher. Finally, the authors construct a secure helper data algorithm called the majority voting dark bit for error correction that is more efficient than standard soft decision error correcting codes.
Yu II describe a machine learning based rationale for security by considering an adversary's advantage against PUFs with a given classification error. By assuming that a PUF with k bits in the parameter requires at least k challenge-response pairs to gain a classification advantage, the authors conclude that a classification error rate of 0.5 is equivalent to security. Technically, the authors should specify that this result would only apply to PUFs with a single bit output. By removing the assumption that the output of a PUF is independent and identically distributed (i.i.d.), the complexity of the PUF can be reduced in addition to reducing the complexity of the error correcting code.
Kirkpatrick et al. describe how to use PUFs to generate read-once keys, where upon use the key is immediately destroyed and further use is impossible. Such a construction would facilitate one-time programs as proposed by Goldwasser et al. (“One-time Programs.” Proceedings of the 28th Annual Conference on Cryptology: Advances in Cryptology, CRYPTO 2008, pages 39-56, Berlin, Heidelberg, 2008, Springer-Verlag). The PUF-ROK construction requires integration with a register that stores an initial seed value, which is the effective security parameter. The PUF and register are in a feedback loop, so upon reading the output of the PUF the initial key is permanently destroyed. The authors also describe how to allow decryption with read-once keys in an arbitrary order. Thus, an effective k-read key can be constructed.
Armknecht et al. give formal security definitions for the desirable properties of a PUF. Existing models did not allow the broad range of PUF constructions to be accurately modeled, for example by requiring the PUF to act as a physical one-way function. With the introduction of PUFs that output only a single bit, inversion becomes trivial. The authors' PUF model requires robustness, physical unclonability and unpredictability, and formal security definitions and games are given to demonstrate that a PUF construction is secure. This facilitates the use of PUFs in cryptographic protocols, where the security of protocols must be reducible to existing hard problems.
Brzuska et al. construct cryptographic protocols for oblivious transfer, bit commitment and key exchange using PUFs in a univerally composable framework. The universally composable (UC) framework of Canetti (“Universally Composable Security: A new paradigm for cryptographic protocols,” Proceedings of the 42nd IEEE Symposium on Foundations of Computer Science, FOCS'01, Washington, D.C., 2001, IEEE Computer Society) facilitates security proofs of protocols to be derived from sub-protocols in an arbitrary system.
The work of van Dijk et al. improves upon the work of Brzuska et al. by considering more realistic attack scenarios for cryptographic protocols involving PUF devices. Specifically, the authors' new security model focuses on when an adversary has access to the PUF device during a protocol. The authors demonstrate that any protocol for oblivious transfer or key exchange based solely on the use of a PUF is impossible when the adversary has posterior access to the PUF. Similar impossibility results are given for other security models, even when the PUF is modeled as an ideal random permutation oracle. The authors introduce formal security definitions in three models, and give novel protocols for bit commitment, key exchange and oblivious transfer under a subset of these models. Finally, the authors demonstrate that the application of Brzuska et al. to the universally composable framework of Canetti is not valid in these security models, and should be considered an open problem.