Why attackers win: On the learnability of XOR arbiter PUFs

Abstract

Aiming to find an ultimate solution to the problem of secure storage and hardware authentication, Physically Unclonable Functions (PUFs) appear to be promising primitives. While arbiter PUFs utilized in cryptographic protocols are becoming one of the most popular PUF instances, their vulnerabilities to Machine Learning (ML) attacks have been observed earlier. These attacks, as cost-effective approaches, can clone the challenge-response behavior of an arbiter PUF by collecting a subset of challenge-response pairs (CRPs). As a countermeasure against this type of attacks, PUF manufacturers shifted their focus to nonlinear architectures, such as XOR arbiter PUFs with a large number of arbiter PUF chains. However, the natural question arises whether an XOR arbiter PUF with an arbitrarily large number of parallel arbiter chains can be considered secure. On the other hand, even if a mature ML approach with a significantly high accuracy is adopted, the eventual delivery of a model for an XOR arbiter PUF should be ensured. To address these issues, this paper presents a respective PAC learning framework. Regarding our framework, we are able to establish a theoretical limit on the number of arbiter chains, where an XOR arbiter PUF can be learned in polynomial time, with given levels of accuracy and confidence. In addition, we state how an XOR arbiter PUF with noisy responses can be provably PAC learned. Finally, on the basis of learning theory concepts, we conclude that no secure XOR arbiter PUF relying on current IC technologies can be manufactured.