Challenge Codes for Physically Unclonable Functions with Gaussian Delays: A Maximum Entropy Problem

Motivated by a security application on physically unclonable functions, we evaluate the probability distributions and Rényi entropies of signs of scalar products of i.i.d. Gaussian random variables against binary codewords in {±1}^n. The exact distributions are determined for small values of n and upper bounds are provided by linking this problem to the study of Boolean threshold functions. Finally, Monte-Carlo simulations are used to approximate entropies up to n = 10.


Introduction
Suppose we are given a (nonlinear) (n, M) code C with M codewords c_i ∈ {±1}^n, and n i.i.d. standard Gaussian variables X_1, X_2, ..., X_n ∼ N(0, 1). Let X = (X_1, X_2, ..., X_n) and consider the scalar products

(1) Y_i = c_i · X, i = 1, 2, ..., M,

and the associated sign bits

(2) B_i = sgn(Y_i) = sgn(c_i · X).

The question addressed in this paper is the following: What is the joint entropy of the sign bits,

(3) H(C) = H(B_1, B_2, ..., B_M)?

In particular, can we evaluate the maximum entropy H(n) = max_C H(C), attained for the full universe code C = {±1}^n? Despite appearances, this problem turns out to be largely combinatorial, as shown below.
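As a concrete illustration of this setup, the sign bits and their joint entropy can be estimated by direct Monte-Carlo sampling; the following is a minimal sketch (helper names are ours, not from the paper), run on the full universe code for n = 2, where the sign bits reduce to the two independent fair bits sgn(X_1 + X_2) and sgn(X_1 − X_2), so that H(2) = 2 bits exactly.

```python
import itertools, math, random

def sign_vector(code, x):
    """Sign bits B_i = sgn(c_i . x), one per codeword c_i."""
    return tuple(1 if sum(cj * xj for cj, xj in zip(c, x)) > 0 else -1
                 for c in code)

def estimate_entropy(code, n, samples=50_000, seed=1):
    """Plug-in Monte-Carlo estimate of the joint entropy H(B_1,...,B_M) in bits."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(samples):
        x = [rng.gauss(0.0, 1.0) for _ in range(n)]
        b = sign_vector(code, x)
        counts[b] = counts.get(b, 0) + 1
    return -sum(k / samples * math.log2(k / samples) for k in counts.values())

n = 2
full_code = list(itertools.product((1, -1), repeat=n))  # the full universe code
H2 = estimate_entropy(full_code, n)
# For n = 2, all four sign bits are determined by sgn(X1 + X2) and
# sgn(X1 - X2), two independent fair bits, so H(2) = 2 bits exactly.
```

The naive approach above already shows why the problem is hard in general: the number of possible sign vectors grows doubly exponentially with n.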
Definition 1.1 (Challenge code). Let n > 0, M > 0 be two integers. An (n, M) challenge code C is a subset C ⊆ {−1, +1}^n of cardinality M. The elements of this subset are called codewords, and the i-th codeword is denoted by c_i. By an abuse of notation, we identify the challenge code with the M × n matrix C, called the challenge matrix, whose rows contain all codewords exactly once. The i-th row is c_i, and conversely, for any codeword c ∈ C, i(c) denotes its row index.
The motivation for this problem comes from hardware security. Modern secure integrated circuits make use of hardware primitives called physically unclonable functions (PUFs) that can generate unique identifiers from challenges, as described, for example, by Maes [14]. More formally, a PUF is a function that takes several challenges c_1, c_2, ..., c_M (the so-called challenge code) as inputs and returns the bit-vector identifier (b_1, b_2, ..., b_M) [19]. PUFs exploit small, uncontrollable physical variations of the manufacturing process that cannot be replicated, hence the name "physically unclonable".

Definition 1.2 (PUF). For x ∈ R^n, the PUF f_x is the function that maps each challenge c ∈ {±1}^n to the sign bit f_x(c) = sgn(c · x).

The following notion of a randomized PUF coincides with that of a PUF at the design stage, when it is not yet instantiated by a foundry fabrication process (cf. [7, Fig. 1]).

Definition 1.3 (Randomized PUF). For a fixed (n, M) challenge code, we define the random PUF as f_X, where X = (X_1, X_2, ..., X_n) and the X_i are i.i.d. standard normal random variables X_i ∼ N(0, 1).
The corresponding random sign vector is then B = (B_1, ..., B_M), where B_i = sgn(c_i · X), with probability distribution P_b = P(B = b) for b ∈ {−1, +1}^M. We denote by |supp(P_b)| the cardinality of the support of P_b.
To assess the security of a PUF, it is necessary that the entropy of the identifier's distribution be sufficiently high. The most natural definition is the Shannon entropy, characterizing the uncertainty about the PUF distribution. Depending on the desired application, other kinds of entropies may be relevant. The most conservative view is to consider the min-entropy H_∞, which can be interpreted as the "cloning" entropy in the worst case, when the PUF to clone is obtained with probability max_{b ∈ {±1}^M} P_b. When using a PUF to generate a key, the min-entropy also characterizes the security of the key, as shown for example in [9]. In other settings, the collision entropy H_2 allows for a more accurate security bound on the key derivation, as suggested by Skorski [20] and Dodis et al. [10]. It accounts for PUF uniqueness, since it is related to the probability that no two generated keys are the same. In contrast, the max-entropy H_0 has no obvious practical interest apart from being an easily computable upper bound of the Shannon entropy (and of all other Rényi entropies).
Definitions of the different kinds of entropies mentioned above are given below. Each depends on the choice of a challenge code C.

Definition 1.4 (Rényi entropies [17]). For α ≥ 0, the Rényi entropy of order α is defined as

H_α(C) = 1/(1 − α) · log₂ Σ_b P_b^α.

As special cases (taking the limits when α approaches 1 or infinity) we have H_1(C) = −Σ_b P_b log₂ P_b (the Shannon entropy), H_∞(C) = −log₂ max_b P_b (the min-entropy), and H_0(C) = log₂ |supp(P_b)| (the max-entropy).

A well-known property of the Rényi entropies is that H_α is non-increasing in α. Thus, for any code C, H_∞(C) ≤ H_2(C) ≤ H_1(C) ≤ H_0(C).

Definition 1.5 (Full entropy). For any α ≥ 0, we define the full entropy H_α(n) as the Rényi entropy for the (n, 2^n) challenge code that contains all possible codewords. The full entropy is the highest among all codes, as shown in the following lemma.
Lemma 1.6 (Full entropy is maximal). For any α ≥ 0 and any challenge code C, H_α(C) ≤ H_α(n).

Proof. We prove a stronger result: for any challenge matrix C of an (n, M) challenge code and any challenge matrix C' of an (n, M + 1) challenge code whose first M rows are identical to C, one has H_α(C') ≥ H_α(C).
Consider first the case α > 1. Let b be a sign vector of C with P_b > 0 (sign vectors with P_b = 0 contribute nothing to either sum), and let b' ∈ {(b, +1), (b, −1)} be one of its two extensions in C', so that P_{(b,+1)} + P_{(b,−1)} = P_b. Since P_{b'}/P_b ∈ [0, 1], we know that (P_{b'}/P_b)^α ≤ P_{b'}/P_b. Therefore,

(7) P_{b'}^α ≤ P_b^{α−1} P_{b'},

which implies P_{(b,+1)}^α + P_{(b,−1)}^α ≤ P_b^{α−1} (P_{(b,+1)} + P_{(b,−1)}) = P_b^α. Summing over all P_b we obtain

(8) Σ_{b'} P_{b'}^α ≤ Σ_b P_b^α.

The assertion follows by taking the logarithm on both sides of this inequality and multiplying by the negative constant 1/(1 − α).
The case α < 1 is similar: the inequalities (7) and (8) are reversed because x^α ≥ x for x ∈ [0, 1], but the constant 1/(1 − α) is positive. Therefore, the same assertion follows. The cases α = 1 and α = ∞ are established by taking limits.
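The Rényi entropies of Definition 1.4 and their ordering can be checked numerically; the following is a small self-contained sketch (the function name is ours) computing H_α for several orders, including the three limiting cases, on an example distribution.

```python
import math

def renyi_entropy(probs, alpha):
    """Rényi entropy H_alpha in bits, including the limiting cases
    alpha = 0 (max-entropy), 1 (Shannon) and inf (min-entropy)."""
    probs = [p for p in probs if p > 0]
    if alpha == 0:
        return math.log2(len(probs))                  # log2 |supp|
    if alpha == 1:
        return -sum(p * math.log2(p) for p in probs)  # Shannon entropy
    if alpha == math.inf:
        return -math.log2(max(probs))                 # min-entropy
    return math.log2(sum(p ** alpha for p in probs)) / (1 - alpha)

dist = [0.5, 0.25, 0.125, 0.125]
values = [renyi_entropy(dist, a) for a in (0, 0.5, 1, 2, math.inf)]
# H_alpha is non-increasing in alpha: H_0 >= H_1 >= H_2 >= H_inf.
```

On this example, H_0 = 2 bits, H_1 = 1.75 bits, and H_∞ = 1 bit, illustrating the chain of inequalities stated above.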
Notice that the maximum entropy H_α(n) is always attained by an (n, 2^{n−1}) challenge code, by the following symmetry argument: since sgn(c · x) = −sgn((−c) · x), the set {±1}^n can be partitioned into two opposite sets C and −C, where codewords in the second set bring no additional entropy. Indeed, adding a codeword −c to a code C which already contains c does not change the probabilities of the sign vectors, only their labeling. This leaves all Rényi entropies unchanged. Therefore, it is possible to obtain the maximum entropy with any (n, 2^{n−1}) code C containing exactly one codeword from each pair {c, −c}. Table 1 summarizes the notations used in the remainder of this paper.
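This symmetry argument is easy to verify empirically: the half code (codewords starting with +1) and the full universe code induce exactly the same partition of the sample space, so every probability, and hence every Rényi entropy, coincides. A minimal sketch (our own illustration, for n = 3):

```python
import itertools, random
from collections import Counter

def sign_vector(code, x):
    return tuple(1 if sum(a * v for a, v in zip(c, x)) > 0 else -1 for c in code)

n = 3
half_code = [c for c in itertools.product((1, -1), repeat=n) if c[0] == 1]
full_code = list(itertools.product((1, -1), repeat=n))

rng = random.Random(7)
half_counts, full_counts = Counter(), Counter()
for _ in range(20_000):
    x = [rng.gauss(0.0, 1.0) for _ in range(n)]
    half_counts[sign_vector(half_code, x)] += 1
    full_counts[sign_vector(full_code, x)] += 1

# Since sgn((-c).x) = -sgn(c.x), the opposite codewords only relabel the
# sign vectors; both codes induce exactly the same partition of x-space,
# so the multisets of cell counts agree sample by sample.
same_partition = sorted(half_counts.values()) == sorted(full_counts.values())
```

Because the extra opposite codewords are deterministic functions of the first half, the count multisets agree exactly on every run, not merely in expectation.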
1.2. Motivation. Definitions 1.2 and 1.3 correspond to a particular PUF that exploits the variability of n distinct delay elements (a so-called "Loop PUF"), where X_1, X_2, ..., X_n are independent Gaussian delay differences. This type of PUF was first described by Cherif et al. [5]. A previous model of the Loop PUF, obtained via Monte-Carlo simulations of the possible circuit behaviors, showed a distribution of delays close to a Gaussian distribution, as shown in Figure 1. Other types of simulations also suggest a Gaussian distribution of process variations, and thus of delay differences, in electronic circuits [4]. This motivates the choice of modeling the delay differences of the Loop-PUF as independent Gaussian variables.
Because they share the same mathematical model as the Loop-PUF, Definitions 1.2 and 1.3 also apply to the Arbiter PUF [11], for which the Gaussian model has been confirmed [15, 22], and to the RO-sum PUF [25].
These process variations can then be exploited in different ways. For example, it is possible to build authentication protocols based on PUFs: an authentication server queries a PUF with a set of challenges and checks the PUF answer against a whitelist. In this way, counterfeit or overproduced chips can be detected. This requires no implementation of costly asymmetric cryptography primitives, and is therefore well suited to low-cost IoT devices. The PUF can also be used to generate a cryptographic key.

1.3.1. Results on the min-entropy. An upper bound on the min-entropy has been derived for the so-called RO-sum PUF by Delvaux et al. in [8]. Since this PUF shares the same mathematical model as the Loop-PUF, this result is also relevant for our analysis. Their upper bound is valid for odd values of n; the expression is not easy to interpret, but for practical values of n it shows that the min-entropy is at most linear in n for n ≤ 251. Because of the inequality H_2 ≤ 2H_∞, valid for any distribution, we deduce a corresponding upper bound on the collision entropy.

1.3.2. Exact values for small n. Exact results for the entropy and probability distribution of the Loop-PUF have been obtained in certain special cases. Rioul et al.
showed in [18] that the optimal challenge code for M ≤ n is given by a Hadamard code C, for which one attains a uniform distribution of the identifiers, giving H_α(C) = M bits for all α. The exact calculation of the PUF distribution of n delay elements for M > n can be carried out only for very small values of n. Rioul et al. [18] give the exact values of the Loop-PUF distribution, and thus of H(C), for all n, M ≤ 3, using well-known closed-form formulas for orthant probabilities of bi- and trivariate normal distributions (see Lemma 2.1).

1.3.3. Results on the max-entropy. The max-entropy H_0(n) is simply the logarithm of the number of different Loop-PUFs with n delay elements. This number has been computed for small values n ≤ 10, because it corresponds to the number of so-called Boolean threshold functions (BTF) of n − 1 variables. It was determined up to n = 8 by Winder [24], up to n = 9 by Muroga et al. [16], and finally up to n = 10 by Gruzling [12]. Asymptotic estimates have also been published [26]. These results are recalled in Section 3.
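The uniform distribution attained by a Hadamard code can be checked by simulation. The sketch below assumes the standard Sylvester-type Hadamard matrix of order 4 (the specific matrix used in [18] is not reproduced here); since its rows are orthogonal, the Y_i = c_i · X are uncorrelated, hence independent, Gaussians, and B is uniform over all 2^M = 16 sign vectors.

```python
import math, random
from collections import Counter

# Rows of a (Sylvester) Hadamard matrix of order 4, used as challenges.
H4 = [(1, 1, 1, 1), (1, -1, 1, -1), (1, 1, -1, -1), (1, -1, -1, 1)]

rng = random.Random(3)
samples = 100_000
counts = Counter()
for _ in range(samples):
    x = [rng.gauss(0.0, 1.0) for _ in range(4)]
    counts[tuple(1 if sum(a * v for a, v in zip(c, x)) > 0 else -1
                 for c in H4)] += 1

# Orthogonal challenges make the Y_i uncorrelated jointly Gaussian, hence
# independent: B should be (near-)uniform and the plug-in entropy close to
# H(C) = M = 4 bits.
H_est = -sum(k / samples * math.log2(k / samples) for k in counts.values())
```

All 16 sign vectors appear with nearly equal frequency, so the estimated entropy is essentially the maximum M = 4 bits.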
Unfortunately, the quadratic behavior in n of the max-entropy H_0(n) somewhat overestimates the security of the PUFs, since it is much higher than the min-entropy, which is approximately linear in n.
1.4.Our contributions.In this work, we extend previous results in two directions.
First, we provide the exact values of the distribution of the Loop-PUF (for all possible challenges) for n = 3 and n = 4. This allows us to compute the exact values of all entropies in these cases. Such an exact computation comes as a surprise, since no closed-form expression exists for the orthant probabilities of an M-dimensional Gaussian vector for M ≥ 4. In our computation, we leverage the discrete nature of the challenge code to determine these probabilities up to M = 8.
Second, we introduce a novel algorithm for the simulation of equivalence classes (SEC). The SEC algorithm finds all equivalence classes of sign vectors corresponding to the same value of the joint probability P_b. Interestingly, this problem is of a purely discrete, combinatorial nature. The actual values of the corresponding probabilities are then estimated by Monte-Carlo simulation, which allows us to compute all relevant entropies. We provide the resulting values of the entropies H_0(n), H(n), and H_2(n) up to n = 10.
The remainder of the paper is organized as follows. Section 2 presents exact values of the distributions and entropies for the cases n = 3 and n = 4. Section 3 recalls results obtained from the study of Boolean threshold functions, which are used later on. The SEC algorithm is presented in Section 4, along with the entropies up to n = 10. Section 5 concludes.

Closed-form expressions
2.1. Preliminaries. In order to determine the closed-form expressions of the PUF distributions up to n = 4, we need the following lemmas.

Lemma 2.1 (Orthant probabilities for the bi- and trivariate normal distributions). Let n > 0, let c_1 and c_2 be two challenges, and let Y_1 = c_1 · X, Y_2 = c_2 · X. Let c_3 be a third challenge vector and Y_3 = c_3 · X, and denote the correlation coefficient between Y_i and Y_j by ρ_ij = (c_i · c_j)/n. Then

(12) P(Y_1 > 0, Y_2 > 0) = 1/4 + arcsin(ρ_12)/(2π),

(13) P(Y_1 > 0, Y_2 > 0, Y_3 > 0) = 1/8 + (arcsin ρ_12 + arcsin ρ_13 + arcsin ρ_23)/(4π).

The bivariate case was already known to Hermite [21]. The extension to the trivariate case is lesser known and can be found, for instance, in [3]. A short proof of both formulas is given by Rioul et al. in [18].
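The two orthant formulas are easy to cross-check against a direct simulation of Y_i = c_i · X; a short sketch (our own illustration, with an arbitrary choice of three challenges for n = 3):

```python
import math, random

def orthant2(rho):
    """P(Y1 > 0, Y2 > 0) for a standard bivariate normal with correlation rho."""
    return 0.25 + math.asin(rho) / (2 * math.pi)

def orthant3(r12, r13, r23):
    """P(Y1 > 0, Y2 > 0, Y3 > 0) for a standard trivariate normal."""
    return 0.125 + (math.asin(r12) + math.asin(r13) + math.asin(r23)) / (4 * math.pi)

# Check the trivariate formula against simulation, with Y_i = c_i . X:
n = 3
c1, c2, c3 = (1, 1, 1), (1, 1, -1), (1, -1, 1)
rho = lambda a, b: sum(u * v for u, v in zip(a, b)) / n  # rho_ij = c_i.c_j / n

rng = random.Random(5)
samples = 200_000
hits = 0
for _ in range(samples):
    x = [rng.gauss(0.0, 1.0) for _ in range(n)]
    if all(sum(u * v for u, v in zip(c, x)) > 0 for c in (c1, c2, c3)):
        hits += 1

p_exact = orthant3(rho(c1, c2), rho(c1, c3), rho(c2, c3))
p_mc = hits / samples
```

Here ρ_12 = ρ_13 = 1/3 and ρ_23 = −1/3, so two of the arcsine terms cancel and p_exact = 1/8 + arcsin(1/3)/(4π) ≈ 0.152, in agreement with the Monte-Carlo frequency.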
Proof (of Lemma 2.2). Suppose that such a vector α exists, and suppose that the event {sgn(c_i · X) = b_i for all i} occurs. There is at least one component of α different from 0; without loss of generality, suppose that α_1 ≠ 0. Since Σ_{i=1}^M α_i c_i = 0, we then have α_1 (c_1 · X) = −Σ_{i=2}^M α_i (c_i · X). In particular, since each nonzero α_i has the same sign as b_i = sgn(c_i · X), every term α_i (c_i · X) is nonnegative, so the right-hand side is nonpositive, while the left-hand side α_1 (c_1 · X) is positive since sgn(α_1) = b_1 = sgn(c_1 · X). This contradiction shows that the event is impossible, hence P_b = 0.
Conversely, suppose that P_b = 0. Then the Gaussian vector (c_i · X)_i must be degenerate, since a non-degenerate Gaussian vector assigns positive probability to every orthant; its support is therefore included in a subspace of R^M of dimension < M. In particular, it is included in some hyperplane of equation Σ_{i=1}^M a_i x_i = 0, where the a_i are not all 0. Since P_b = 0, this hyperplane is disjoint from the orthant defined by the signs of b, that is, the set {x : x_1 b_1 > 0, x_2 b_2 > 0, ..., x_M b_M > 0}. Therefore, all the a_i b_i have the same sign, which we can take to be positive. Since the support is included in the hyperplane defined above, we must have Σ_{i=1}^M a_i (c_i · X) = 0 for all X ∈ R^n, and therefore Σ_{i=1}^M a_i c_i = 0. Setting α_i = a_i, the α_i have the same signs as the b_i and are not all 0, which concludes the proof.

Proof (of Lemma 2.3). Permuting the columns of C or changing their signs corresponds to a permutation or sign changes of the X_i. For any s = (s_1, s_2, ..., s_n) ∈ {−1, +1}^n and σ ∈ S_n, the joint distributions of X = (X_i)_i and (s_i X_{σ(i)})_i are the same.

2.2. Case n = 3. By considering a challenge matrix with three challenges, the exact probabilities P_b can be derived using the formula for the trivariate Gaussian recalled in Equation (13). This yields the entropy (14). For the matrix C_4 with four challenges, the symmetries of Lemma 2.3 imply that eight sign vectors (among them ++++ and −−−−) share a common probability p, while six further sign vectors share another common probability (the two remaining sign vectors having zero probability by Lemma 2.2). Furthermore, by adding complementary challenges, p can be computed using the generic formula for trivariate normal distributions.
2.3. Case n = 4. Similar techniques have been employed in order to compute the entropies for n = 4. Because arcsin(1/2)/π is a rational number (it is in fact equal to 1/6), the results for n = 4 are much simpler compared to the case n = 3.
In order to compute the distribution for the maximal challenge code, we first determine the distributions of smaller codes. Sign vectors with zero probability are determined according to Lemma 2.2. Those of equal probability are found with the help of Lemma 2.3. Using recurrence relations between the probabilities, we are then able to deduce the sign-vector distribution for larger codes, adding one codeword at a time.
The first four codewords chosen are the rows of a Hadamard matrix of order 4. As recalled before, the sign-vector distribution is uniform for this challenge matrix.
The results when adding one additional codeword are summarized below. For the sign vectors, it is understood that the opposite sign vectors are also present in each probability class.

Results from the theory of Boolean threshold functions
Boolean threshold functions (BTF) are a special class of Boolean functions that have been studied at least since the early 1950s. They have a special significance in several domains, such as the construction of Boolean circuits [23], but also in machine learning [6]. More recently, they have even been studied in game theory [13]. There are several equivalent definitions of BTFs; we adopt the following one.
Definition 3.1 (Boolean threshold function). Let n > 0. A Boolean function g : {−1, +1}^{n−1} → {−1, +1} is said to be a Boolean threshold function of n − 1 variables if there exist a vector of n − 1 real numbers w = (w_1, ..., w_{n−1}), called the weights of the BTF, and a real number w_0, called the threshold, such that

g(y) = sgn(w_1 y_1 + ··· + w_{n−1} y_{n−1} − w_0) for all y ∈ {−1, +1}^{n−1}.

We have the following equivalence between BTFs of n − 1 variables and PUFs with n elements.

Proposition 1. Let C be the (n, 2^{n−1}) challenge code containing all codewords starting with 1. Then for any sign vector b, P_b > 0 if and only if there exists a BTF of n − 1 variables represented by b, that is, a BTF g such that g(c') = b_{i(c)} for every codeword c = (1, c') ∈ C, where i(c) represents the index of the codeword c = (1, c') in the challenge matrix C (see Definition 1.1).
Proof. First, suppose that P_b > 0. Then there exists x ∈ R^n such that sgn(c · x) = b_{i(c)} for every c ∈ C. Writing c = (1, c'), we have c · x = x_1 + Σ_{i=1}^{n−1} c'_i x_{i+1}, so the BTF g defined by the weights w_i = x_{i+1} and the threshold w_0 = −x_1 is such that g(c') = 1 exactly where b_{i(c)} = 1. Conversely, if there is a BTF corresponding to b then, as shown above, there is at least one element x ∈ R^n in the set E_b = {x : b_{i(c)} (c · x) > 0 for all c ∈ C}, so that E_b is not empty.

Two results from the analysis of BTFs are relevant for the study of Loop-PUFs. First, the exact number of BTFs of n − 1 variables has been computed up to n = 10 [12]. This gives the exact max-entropy of the Loop-PUF up to n = 10, and thus also an upper bound for the other entropies (Shannon entropy, collision entropy, min-entropy). Results are shown below. The number of non-zero probabilities is referenced in Sloane's On-line Encyclopedia of Integer Sequences (OEIS) as sequence A000609 [1].
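Proposition 1 can be illustrated numerically: sampling x at random and collecting the distinct sign vectors of the half universe code for n = 3 should recover exactly the 14 Boolean threshold functions of 2 variables, out of the 2^4 = 16 candidate sign vectors (a Monte-Carlo sketch of ours, not an exact enumeration; with this many samples the chance of missing a class is negligible).

```python
import itertools, random

n = 3
# All 2^(n-1) codewords starting with +1 (the half universe code).
code = [c for c in itertools.product((1, -1), repeat=n) if c[0] == 1]

rng = random.Random(11)
seen = set()
for _ in range(200_000):
    x = [rng.gauss(0.0, 1.0) for _ in range(n)]
    seen.add(tuple(1 if sum(a * v for a, v in zip(c, x)) > 0 else -1
                   for c in code))

# |supp(P_b)| should equal the number of Boolean threshold functions of
# n - 1 = 2 variables, which is 14 (OEIS A000609).
support_size = len(seen)
```

The two missing sign vectors are forced out by the linear relation c_1 + c_4 = c_2 + c_3 among the challenges, exactly as predicted by Lemma 2.2.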
Second, asymptotic expressions have also been derived [26]:

(16) lim_{n→∞} H_0(n)/n² = 1.

Therefore, the max-entropy is close to n² for large values of n. However, the min-entropy is only linear in n [8]. Because of this gap between the different entropies, a more careful analysis is necessary in order to determine exact values and estimates of the Shannon and collision entropies.

Equivalent probability classes
There is an inherent symmetry in the PUF problem. Indeed, reordering the random variables X_1, ..., X_n does not change the entropy, and neither does replacing X_i with −X_i, because the Gaussian distribution is symmetric. This allows us to find sign vectors with equal probabilities. For the rest of this section, we suppose that M = 2^{n−1} and choose as challenges the first 2^{n−1} challenges in lexicographical order, starting with the all-ones challenge vector c_1 = (1, 1, ..., 1), up to c_{2^{n−1}} = (1, −1, −1, ..., −1).
Let σ ∈ S_n be a permutation; we define X_σ = (X_{σ(1)}, ..., X_{σ(n)})^T. First, consider σ to be a transposition σ = (i j), and suppose i ≠ 1, j ≠ 1. Because of the aforementioned considerations, CX and CX_σ have the same distribution. Let C_σ be the matrix obtained from C by applying σ to the columns (here, by swapping columns i and j). If 1 ∈ {i, j}, this cannot be directly applied, since the rows of C_σ and C are no longer the same. However, we can notice that if we multiply all the columns of C_σ by the j-th column and call the new matrix C', then C' is indeed obtained from C by permuting the rows. Thus, if π is the corresponding permutation, b and (c_{1,j} b_{π(1)}, c_{2,j} b_{π(2)}, ..., c_{2^{n−1},j} b_{π(2^{n−1})}) have the same probability. Since every permutation can be expressed as a composition of transpositions, composing the aforementioned transformations allows us to express any permutation σ.
For the sign changes, take s = (1, ±1, ..., ±1) a vector of n signs, and consider the vector X_s = (s_1 X_1, s_2 X_2, ..., s_n X_n). Since the Gaussian distribution is symmetric, CX and CX_s have the same distribution. Furthermore, denote by C_s the matrix obtained from C where column i is multiplied by s_i. By definition, C_s X = CX_s. Now, C_s can also be obtained from C by permuting some rows. If π is the corresponding permutation, b and b_π have the same probability. For a vector s of the form (−1, ±1, ..., ±1), we can simply consider the permutation induced by −s = (1, −s_2, −s_3, ..., −s_n), since P_b = P_{−b}. We were able to determine the equivalence classes up to n = 10. For example, for n = 5, there are 7 equivalence classes, as described below. 1. During the first step, n independent standard normal variables are repeatedly sampled. We then take their absolute values, sort them, and record the corresponding sign vector. Because changing the signs and reordering the X_i does not change the equivalence class, the two sign vectors corresponding to the X_i before and after these transformations are equivalent. This way, the same sign vector is always recorded for each equivalence class. This first step therefore allows us to estimate the probabilities of all equivalence classes. 2.
Second, the algorithm determines the size of each equivalence class. This is necessary in order to estimate the probabilities of individual sign vectors. We use the same method as employed to evaluate the number of Boolean threshold functions, which is described, for instance, by Gruzling [12, Section 3.1.2]. The estimated probability of a sign vector is then simply the number of occurrences of its equivalence class, divided by the total number of simulations and by the number of elements in that class. This allows us to estimate the entropies up to n = 10. Note that the number of equivalence classes corresponds to sequence A001532 in Sloane's OEIS [2]. All results obtained so far are summarized in Figure 2. For cryptographic applications, a key should typically have at least 80 bits of entropy. Therefore, a PUF with n = 10 is insufficient. However, given our findings, a PUF with n = 12 or n = 13 is very likely to exceed this value, which is very interesting from an implementation-complexity perspective.
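The two steps of the SEC algorithm can be sketched as follows for the toy case n = 3 (a simplified illustration of ours: step 2 uses brute-force orbit enumeration in place of the class-size method of Gruzling cited above, which is only feasible for very small n).

```python
import itertools, math, random
from collections import Counter

n = 3
code = [c for c in itertools.product((1, -1), repeat=n) if c[0] == 1]

def sign_vector(x):
    return tuple(1 if sum(a * v for a, v in zip(c, x)) > 0 else -1 for c in code)

def canonical(x):
    """Step 1: sort the absolute values, so that all equivalent samples
    are recorded under the same representative sign vector."""
    return sign_vector(sorted(abs(v) for v in x))

def class_size(x):
    """Step 2 (brute force, small n only): number of distinct sign vectors
    reached from x by all sign changes and permutations of coordinates."""
    orbit = set()
    for signs in itertools.product((1, -1), repeat=n):
        for perm in itertools.permutations(range(n)):
            orbit.add(sign_vector([s * x[p] for s, p in zip(signs, perm)]))
    return len(orbit)

rng = random.Random(13)
samples = 200_000
class_counts, reps = Counter(), {}
for _ in range(samples):
    x = [rng.gauss(0.0, 1.0) for _ in range(n)]
    key = canonical(x)
    class_counts[key] += 1
    reps.setdefault(key, x)

sizes = {key: class_size(x) for key, x in reps.items()}
support_size = sum(sizes.values())
# Probability of one sign vector = class frequency / (samples * class size);
# summing -p log p over all members of every class gives the plug-in entropy.
H_est = -sum(cnt / samples * math.log2(cnt / samples / sizes[k])
             for k, cnt in class_counts.items())
```

For n = 3 this recovers a support of 14 sign vectors and an entropy estimate between 3 bits and the max-entropy log₂ 14 ≈ 3.81 bits.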

Conclusions and perspectives
The exact values of the probabilities of all sign vectors were determined for n up to 4. The methods employed might be applied to larger values of n. It is not known, however, whether enough equations can be obtained this way to compute the probabilities of all sign vectors. The success of this method might also depend on the order in which challenges are added to the challenge code.
While a naive method would have complexity O(2^{2^{n−1}}), the SEC algorithm allows entropies to be estimated reliably up to n = 10. For larger values of n, however, the SEC algorithm might not be feasible. Using (16) and a quadratic fit on the logarithm of the number of BTFs, we can estimate the number of non-zero probabilities for n = 11 to be about 2^77. The size of each equivalence class does not exceed 2^n n!, the number of pairs of permutations and sign changes. There are thus at least 1.8 · 10^12 equivalence classes for n = 11. Estimating their probabilities individually becomes intractable in time but also in space. Asymptotic formulas for the Shannon and collision entropies are therefore necessary to assess the security of the Loop-PUF for larger values of n.
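The class-count estimate above can be reproduced by direct arithmetic:

```python
import math

# Estimated number of non-zero probabilities (support size) for n = 11,
# from the quadratic fit on the number of BTFs: about 2^77.
cells = 2.0 ** 77

# An equivalence class contains at most 2^n * n! sign vectors
# (one per pair of a sign change and a permutation), here with n = 11.
max_class_size = 2 ** 11 * math.factorial(11)

# Lower bound on the number of equivalence classes for n = 11.
min_classes = cells / max_class_size
```

With 2^11 · 11! ≈ 8.2 · 10^10, this gives min_classes ≈ 1.8 · 10^12, matching the figure quoted above.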
As a perspective, determining the entropies of the Loop-PUF for smaller challenge matrices would be of practical interest. Indeed, using fewer challenges would decrease the time necessary, for instance, to generate a cryptographic key from the PUF. The question of how many challenges to choose, and which ones maximize the entropies, should be addressed in future research. One such solution is a greedy approach, explored by Rioul et al. in [18]. This leads to a piecewise-Hadamard challenge matrix, and an almost linear increase in entropy when considering fewer than 2n codewords.
Despite its relatively simple formulation, the problem of computing the maximal entropy of all possible sign vectors generated by n Gaussian variables has very high complexity, of the order of 2^{2^{n−1}}. Thanks to a careful analysis of the problem, we were able to obtain exact expressions up to n = 4, and tight approximations up to n = 10. However, an exact solution for larger values seems out of reach. Even determining the asymptotic behavior remains an open problem. While it is known that the max-entropy is quadratic in n and the min-entropy approximately linear in n, asymptotic expressions for the Shannon and collision entropies have not yet been determined. In particular, the Shannon entropy seems to be quadratic in n, which is very good news for chip designers, since it would allow the production of high-security circuits while keeping the number of elements per circuit small.

Figure 1. Distribution of delays obtained via circuit simulation.

Lemma 2.2 (Zero probabilities). Let b = (b_i)_{i∈[1;M]} be a sign vector. Then P_b = 0 if and only if there exists a vector α = (α_1, ..., α_M), not identically zero, such that each nonzero α_i has the same sign as b_i and Σ_{i=1}^M α_i c_i = 0.

Lemma 2.3 (Equivalence classes). Suppose that, after permuting and/or changing the signs of certain columns of C, one obtains a matrix C' that can also be obtained by permuting, and then optionally changing the signs of, certain rows of C. Denote the corresponding permutation of the rows by σ ∈ S_M, and the subsequent change of signs of the rows by s ∈ {±1}^M. Then for any sign vector b = (b_i)_{i∈[1;M]}, b has the same probability as b' = (s_1 b_{σ(1)}, s_2 b_{σ(2)}, ..., s_M b_{σ(M)}). Such b and b' are then said to be in the same equivalence class, or simply equivalent.

Table 2. Distribution for n = 3.

Then, by hypothesis, E_b is not empty. It is also an open set, being a finite intersection of preimages of the open set R^{+*} under the continuous maps x ∈ R^n ↦ b_{i(c)} (c · x). As a non-empty open set, E_b has non-zero volume. Furthermore, since the multivariate Gaussian distribution on R^n is non-degenerate, it has non-zero probability on E_b. Thus, P_b > 0.
By definition, we have that CX_σ = C_σ X. Now, because C contains all rows starting with 1, and since 1 ∉ {i, j}, C_σ can also be obtained by permuting some rows of C. Let π be that row permutation, and let b = (b_1, b_2, ..., b_{2^{n−1}}) be a sign vector. Then, because CX and C_σ X have the same distribution, b and b_π, where b_π is obtained from b by applying π to the coordinates, have the same probability.

Definition 4.1. We say that two sign vectors b and b' are equivalent if b can be obtained from b' by the actions of the permutations σ and sign changes s described above. This defines an equivalence relation on the sign vectors. All sign vectors of the same equivalence class have the same probability.

Table 1. Summary of notations.

Table 3. Exact entropies for n ≤ 4.

Table 4. Non-zero probabilities for n = 1 to 10.