New Insights to Key Derivation for Tamper-Evident Physical Unclonable Functions

. Several publications presented tamper-evident Physical Unclonable Functions (PUFs) for secure storage of cryptographic keys and tamper-detection. Unfortunately, previously published PUF-based key derivation schemes do not suﬃciently take into account the speciﬁcs of the underlying application, i.e., an attacker that tampers with the physical parameters of the PUF outside of an idealized noise error model. This is a notable extension of existing schemes for PUF key derivation, as they are typically concerned about helper data leakage, i.e., by how much the PUF’s entropy is diminished when gaining access to its helper data. To address the speciﬁcs of tamper-evident PUFs, we formalize the aspect of tamper-sensitivity , thereby providing a new tool to rate by how much an attacker is allowed to tamper with the PUF. This complements existing criteria such as eﬀective number of secret bits for entropy and failure rate for reliability. As a result, it provides a fair comparison among diﬀerent schemes and independent of the PUF implementation, as its unit is based on the noise standard deviation of the underlying PUF measurement. To overcome the limitations of previous schemes, we then propose an Error-Correcting Code (ECC) based on the Lee metric, i.e., a distance metric well-suited to describe the distance between q -ary symbols as output from an equidistant quantization, i.e., a higher-order alphabet PUF. This novel approach is required, as the underlying symbols’ bits are not i.i.d. which hinders applying previous state-of-the-art approaches. We present the concept for our scheme and demonstrate its feasibility based on an empirical PUF distribution. The beneﬁts of our approach are an increase by over 21% in eﬀective secret bit compared to previous approaches based on equidistant quantization. At the same time, we improve tamper-sensitivity compared to an equiprobable quantization while ensuring similar reliability and entropy. Hence, this work opens up a new direction of how to interpret the PUF output and details a practically relevant scheme outperforming all previous constructions.


Introduction
Tamper-evident PUFs typically evaluate a physical token that obstructs physical access to the IC [TS, EFK + , KA], the whole PCB [IOK + 18, VNK + , ION + ], or generic enclosures [ZHS], e.g., such a token could be a protective coating or a fully-wrapped envelope around a case containing the device.This token comprises physical parameters that are subject to manufacturing variation and thus, can be used as a PUF, i.e., by measuring these variations and applying suitable algorithmic processing, a cryptographic key is generated that subsequently serves as a Key-Encryption-Key (KEK) [Nat].Once an attacker attempts to gain access to the device, the token is partially destroyed which irreversibly causes a change in its physical parameters, i.e., ideally the PUF is sufficiently altered by tampering such that the key derivation fails.It is therefore of utmost importance to optimize this algorithmic part to separate the influence from noise from the effects of tampering.Please note that in this scenario, the physical token is merely used to detect tampering without the practical constraints involved when using battery-backed tamper-detection and response mechanisms [OI].
This concept exceeds the scope of other PUFs commonly implemented in silicon, such as the Ring Oscillator (RO) [SD] or SRAM PUF [GKST, HBF], as these PUFs lack the property of tamper-evidence and only provide key storage that is assumed more secure when compared to non-volatile memory, especially when the device is powered-off.In part, this is owed to the fact that these PUFs are just a component in a larger system and therefore their capability to obstruct physical access is severely limited.As a result, they must still be complemented with other countermeasures such as meshes.Several publications have practically proven that these PUFs lacking tamper-evidence can indeed be attacked with moderate resources available in standard testing labs [HNT + , NSHB, HBNS, TDF + , LTBS].
At their core, all PUFs are based on physical measurement data that is processed by suitable algorithms to generate reliable keys of good cryptographic quality.Some PUF hardware primitives are intrinsically limited to a binary-only output since they are memory based, e.g., the SRAM [GKST, HBF] or Flip-Flop PUF [MTV].For the ease of implementation, others are designed to map quasi-continuous values from the physical domain to a quantized single-bit response by means of a comparator, as it is the case for the RO-PUF and several others.However, this discards large portions of the information provided by the raw PUF response and does not represent a suitable approach for tamper-evident PUFs.It was shown, e.g., for the tamper-evident Coating PUF [TS], that a multi-bit quantization step increases the output entropy and facilitates a first error-reduction step prior to an ECC.
Within the context of tamper-evident PUFs, the raw data as result of the measurement is often non-uniformly distributed, e.g., in case of [TS, IOK + 18] it follows a normal distribution.This data is then subject to an error-reduction technique based on a multi-bit quantization scheme and further processed by an ECC.As demonstrated as part of this work, comparing the performance of the overall scheme purely based on their number of effective secret bits and failure rate is insufficient and largely neglects the specifics of tampering.To be more precise, while errors based on an idealized noise model are often effectively counteracted, some of these schemes still allow values to occur that would otherwise be considered improbable due to the chosen noise model.However, as the physical tampering is unconstrained, altered values occur independently of the stochastic model assumed for the noise and thus, a stricter stance must be taken to rule out such values, too.
To address this challenge, we formalize this aspect which we call "tamper-sensitivity" (TS).Subsequently, we rate previously suggested schemes using this notion of TS and showcase that even more advanced ECC schemes fail to outperform a scenario purely based on a well-chosen quantization in that regard.Afterwards, we propose our scheme based on the Lee metric and a q-ary channel model which exceeds the scope of a large body of PUF ECC work that with an overwhelming majority focused on Hamming distance and the Binary Symmetric Channel (BSC) including but not limited to [JW, DRS, BGS + , YD, Mae, H].

Contributions
In short, this work presents the following four contributions: • A new metric by the name tamper-sensitivity that complements previous properties of PUF-based key derivation such as entropy in effective number of secret bits and failure probability for reliability, in particular for tamper-evident PUFs.
• First application of codes with Lee/Manhattan metric in the domain of PUFs, including updated definitions of Uniqueness and Reliability, two well-known PUF performance criteria to assess empirical PUF data.
• A fair comparison of different PUF key derivation schemes based on different quantization schemes, code constructions such as Code-Offset and Fuzzy Commitment, and code metrics, namely Hamming, Levenshtein, and Lee with regard to aforementioned PUF properties.
• Practical design of a new scheme and comparison to state-of-the-art approaches for tamper-evident PUFs, showcasing a gain of over 21% in effective output secret bits for schemes based on equidistant quantization and a drastically improved tampersensitivity when compared to schemes based on equiprobable quantization.

Organization
A brief outline of our paper is as follows.Related work is discussed in Section 2 which is followed by the formalized description of tamper-sensitivity in Section 3. Subsequently, we introduce our own key derivation scheme in Section 4 based on Limited Magnitude Codes (LMC) and the Lee metric.This new scheme is then evaluated in Section 5 and compared against the state of the art.Eventually, we conclude our work in Section 6.

Notation
Unless specifically noted otherwise, random variables and their distributions are represented by capital letters, whereas numbers and specific realizations of random variables are denoted as small letters.Subscripts refer to indices of vectors, and superscripts show the length of vectors (in either symbols or bit).C is the ECC and c stands for an n-bit codeword with k information bits and p parity bits.
For the helper data W of the ECC, a quantized PUF response Y v with either superscript v as the symbol-wise length with alphabet size q or superscript n as length in bit, the mutual information between PUF response and helper data I(Y v ; W ) measures the information leakage.The min-entropy definition for H∞ (Y v |W ) is given in [DRS]: (2) Throughout this paper, we make use of several distance metrics, namely: d E for Euclidean distance, d Lev for Levenshtein distance, d Lee for Lee distance, d Man for Manhattan distance, d H|2 for Hamming distance applied to bit strings, and d H|S for Hamming distance applied to strings with symbols of a higher-order alphabet.

State of the Art
We align our work with other error-reduction and error-correction techniques for PUFs.To do so, we briefly introduce our PUF system model in Section 2.1.Afterwards, in Section 2.2, we discuss previous work on quantization schemes and bit mappings as means of error-reduction prior to an ECC.Subsequently, in Section 2.3 we briefly consider common ECC proposals for PUFs and explain why they are not suited for our setting.

Model for Tamper-Evident PUFs
Our PUF system model is illustrated in Figure 1 and represents the practical work of, e.g., [TS, IOK + 18, ION + ] in sufficient detail to discuss their PUF key derivation specifics that are of general nature and relevant for future proposals of tamper-evident PUFs, too.From left to right, it comprises the tamper-evident PUF and illustrates all necessary steps to generate a key.The upper part represents the enrollment of the PUF, i.e., the point in time when the PUF is initialized in a secure environment and helper data is created to enable later error correction.The lower part depicts the reconstruction in the field where the PUF key is extracted again to serve as secret input for cryptographic applications.
Each single PUF value denoted as X is drawn from its corresponding physical PUF node.In both [TS] and [IOK + 18], the node from which X is drawn is a capacitor C that is subject to manufacturing variation, i.e., X 1 corresponds to a capacitor C 1 , X 2 to C 2 , and so on.We specifically refer to this as PUF node as opposed to bits, to point out that symbols comprised of multiple bit per node are extracted.This underlying element of a PUF is sometimes also called a PUF primitive and this model is not limited to a specific type of node/primitive.X follows a quasi-continuous Probability Distribution Function (PDF) as illustrated in Figure 2 and is the digital representation of the capacitance obtained by a compensated1 measurement and subsequent conversion by an Analog-to-Digital Converter (ADC).These compensating techniques, such as [TS, BNTM] depend on the specifics of the PUF and are considered outside the scope of this work.Here, we use the term quasi-continuous since in the actual application we do not know the real value (in the sense of continuous) of the PUF nodes and can only practically measure it using a high-resolution measurement circuit.Therefore, X would be typically represented by an integer with its number of bits in binary representation equivalent to the number of bits of the ADC.In total, there are v nodes (i.e., v distinct capacitors) in the PUF and all their values combined are termed PUF device and written as X v , i.e., Figure 1: PUF system model with enrollment and reconstruction.Y is the quantized PUF response and Z the secret bit sequence.Added noise is denoted as (•).
As part of the data acquisition, the PUF values X are always affected by remaining circuit noise N ∈ N (0, σ N ) during reconstruction which makes it necessary to account for this influence by suitable mechanisms, e.g., a combination of quantization scheme and ECC.Noise is assumed to be Gaussian following N (0, σ N ), i.e., it is mean free.Moreover, the noise standard deviation σ N is considered equally distributed across all PUF nodes.If the system has not been tampered with, then the noisy PUF response is Xv = X v + N v .This noise modeling is equivalent to [TS] and also relevant for other systems, such as [ZHS].Now, in the event of tampering with the PUF, the physical PUF nodes from which values are drawn are additionally altered.This effect is denoted as W A ∈ Z, i.e., Xv = X v + N v + W A as indicated in Figure 1.We note that W A does not follow a stochastic model or is otherwise formally constrained.This is owed to the fact that a designer of a tamper-evident PUF will not know (i) which nodes will be affected by tampering, or how many (ii) what the resulting magnitude of the attack is.Hence, regarding the magnitude of W A , we need to implicitly assume that σ N < W A which is supported by the practical attacks in [TS, IOK + 18, ION + ].With respect to the number of nodes affected, it is evident that the best approach will enable tamper detection even in cases when only one node is tampered with.W A is often referred to as shift, and in the noiseless but tampered case, the Euclidean distance d E (X, X) is termed the tamper magnitude.
Magnitude of Noise vs. Tampering.Based on this noise model, it is evident that instances in time may occur where N = 0 for a specific X and at the same time W A ≈ σ N , i.e., tampering would go undetected as its magnitude would essentially be mistaken as noise only.Since the noiseless scenario allows for the maximum tamper magnitude to possibly go undetected, this is the scenario we later choose for analysis purposes, i.e., in a real-world implementation, the undetectable tamper magnitude would be smaller as both noise and tampering would occur at the same time.In all other cases, practically speaking, it is similarly difficult to distinguish the noise from the effects of tampering, as an unexpectedly large magnitude may either be the result of a relatively unlikely noise event, or the result of tampering.Hence, the challenge is to devise a scheme that provides a clear Tamper Detection Threshold TDT of whether the error magnitude should be treated as noise, or as tampering, while not impeding typical PUF reliability requirements.This is achieved by schemes where TDT = u • σ N , with u being as small as possible.
Tamper detection.Here, detection of tampering is the self-determination by the device that Z v = Ẑv and in that sense no different to the case when the device fails because of insufficient reliability.The interesting result of this work is that ECC schemes effectively working under Xv = X v + N v are not automatically the same to effectively detect the effects of W A , i.e., their TDT is sometimes worse compared to schemes providing much less entropy.As additional constraints, we aim at schemes with superior detection of W A while ensuring the following two requirements: • The reliability or device failure rate, written as the mismatch probability P e (Z v ) = Pr[Z v = Ẑv ] shall be < 10 −6 in the presence of noise (without tampering).
• The effective number of secret bits that are extracted from the tamper-evident PUF should be sufficiently large, e.g., H∞ (Y v |W ) > 128 bits (preferably more).

Quantization Schemes and Bit Mappings
Thus far, there are two predominant schemes to quantize normally distributed PUF data.Both schemes are based on subdividing the quasi-continuous PDF based on the distribution of X into intervals.In case of equiprobable quantization [TS], the intervals are chosen such that the intervals occur with equal probability.In contrast, equidistant quantization [IHKS] divides it into intervals of equal width.In order to decrease the probability of an erroneous quantization value Y , an offset is stored as helper data W * during enrollment that shifts the PUF value X to the center of its corresponding quantization interval.For reasons of clarity of explanations, we always assume that symbols of a Higher-Order Alphabet (HOA) are assigned to these intervals as a first processing step even though this was not necessarily included in the original publication, i.e., the PUF output alphabet L is not L = {0, 1} but L = {a, b, c, d, . ..}, whereas |L| is the size of the alphabet which is equivalent to the number of quantization intervals L. Hence, this is referred to as HOA PUF.Both quantization approaches and the assignment of symbols are sketched in Figure 2.
bit mapping of symbols to Gray code (b) Equiprobable quantization.
Figure 2: Visualization of equiprobable and equidistant quantization schemes processing PDF(X) which follows N (µ X , σ X ) based on the parameters given in [TS].
Equiprobable quantization of PUF data was first introduced in [TS] for the tamperevident Coating PUF.As proposed in [TS], each interval is assigned a multi-bit binary representation by means of a Gray code, i.e., neighboring intervals are designed such that their binary representation differs by a one bit substitution error only.Hence, the Hamming distance in binary denoted as d H|2 is 1 for directly neighboring intervals.Please note that for this approach, both symbols and their corresponding binary bit mapping are i.i.d. and uniformly distributed.The processed output prior to the ECC is therefore a binary alphabet.However, for the specific scheme presented in [TS], it was later shown that the length of each individual helper data offsets W * stored for the quantization during enrollment leaks significant amounts of information on the PUF key [IHKS].In addition, ensuring uniformity of bits requires precise knowledge of the underlying PUF distribution and therefore limits the practical relevance of this scheme.
Other equiprobable quantization schemes implement a partitioning scheme to avoid helper data leakage but again require precise knowledge of the distribution [VTO + , SAS].Furthermore, as pointed out in [IHKS] and detailed later as part of this paper, equiprobable quantization is ineffective to ensure good tamper-sensitivity in all scenarios due to the size of the outermost intervals of width Q max , as can be deduced from Figure 2b already.
Equidistant quantization apparently mitigates these effects due to the evenly sized intervals with only minor leakage from the sign of its helper data W * .Moreover, a suboptimal assignment of the interval boundaries relative to the PDF only has an insignificant impact on the resulting entropy of the quantized output, making it a suitable approach, e.g., for [ZHS].However, it comes at the downside of a biased quantized PUF output, i.e., when mapping the symbols to bits, it is evident that the individual positions of the resulting bit string are neither i.i.d.nor uniform.As a result is any fixed-length binary bit mapping of the symbols heavily biased.Correspondingly, when combining equidistant quantization with a fixed-length binary output and a linear fuzzy extractor scheme, significant amounts of secret information would be leaked by the helper data due to the induced bias [IW, DGV + ].
To overcome some of the limitations of equidistant quantization, the authors of [IHL + ] proposed a variable-length bit mapping of the symbols.Hence, as a kind of debiasing step, they follow the information theoretic intuition of assigning shorter binary representations to intervals that occur more often, while assigning longer bit representations to intervals that occur less often.However, the quantized sequence comprised of the values Y is no longer of fixed length which necessitates Varshamov-Tenengolts (VT) codes operating in Levenshtein distance d Lev , accounting not only for substitution errors but also insertions and deletions [Ten, VT].This is due to the fact that more commonly known codes such as Bose-Chaudhuri-Hocquenghem (BCH) and Reed Solomon (RS) are not designed to work on variable-length inputs.While VT-codes are well-suited to operate in Levenshtein metric, their overall capability in terms of error-correction is still quite limited.The specific values of each quantization interval are chosen such that neighboring intervals differ by d Lev = 1 in [IHL + ], i.e., the bit mapping of symbols to binary is similar to a Gray code such that directly neighboring intervals differ by only one substitution or insertion/deletion error.Again, a rather precise knowledge and symmetry of the PDF is required to ensure proper behavior of this scheme, otherwise the debiasing properties are degraded.
As later demonstrated as part of our evaluation in Section 5, the scheme based on equidistant quantization and VT-codes also falls short when it comes to tamper-sensitivity when compared to a scenario only based on equidistant quantization without ECC.This is contrary to the claims of [IHL + ] and shows that formalizing the aspect of tamper-sensitivity is indeed an important step towards developing more tailored schemes for tamper-evident PUFs.Our scheme presented in Section 4 is based on an equidistant quantization, too.Hence, the subsequent ECC operates on the quantized PUF output Y v which is based on symbols with aforementioned properties.Please note that the overall setting in this work deviates quite significantly from scenarios commonly assumed, e.g., for the SRAM PUF.

Error-Correcting Codes for PUFs
A significant amount of work was carried out in the domain of PUFs ranging from formalizing PUFs [AMS + ] to generic ECC constructions, and protocols [CBFH] in addition to analyses in terms of implementation and information efficiency [Mae, HYP, DGV + ].As indicated beforehand, previous work is mostly specifically tailored towards PUFs based on a binary alphabet with only very few exceptions [IHKS, IHL + ].The strong focus on these binary-only PUFs has been a valid requirement due to their ease of physical construction in silicon and widespread availability.While generally being suitable to provide a sufficient reliability even for other scenarios than their intended purpose, the shortcoming of most ECC schemes is related to helper data leakage in W that is caused by biased PUF data and/or insufficiencies of the ECC construction, as detailed in [IW, HPKS, DGV + ].If not considered at all, helper data leakage is a severe security threat, as the anticipated security level is not present in the design.If not systematically counteracted on an algorithmic level, helper data leakage impacts the cost/size of the PUF implementation, as demonstrated for example in [H], where -depending on the chosen ECC construction -the corresponding PUF size would differ by a factor of ∼ 2 to achieve the same security level.Hence, the problem of bias in PUF data and ECC helper data leakage is not completely new and the same is true for ideas of counteracting it.Therefore, when considering new ECC approaches for tamper-evident PUFs and higher-order alphabets, these known effects and existing concepts must be taken sufficiently into account as done in the following.
To remove PUF induced leakage, various debiasing schemes were proposed.Index-Based Syndrome coding (IBS) [YD] is a debiasing technique that also improves the reliability by indexing only reliable PUF response bits.However, the symbols of an equidistant quantization as later used in our scheme all have the same reliability such that IBS is not applicable to the discussed scenario.Moreover, not considering certain bits of the PUF output counteracts the idea of detecting tamper attempts.
The scheme presented in [MvdLvdSW] improves the von Neumann (VN) corrector [vN].For i.i.d.PUF response bits (which is different to our scenario), pairs of consecutive zeros or ones occur with different probabilities, while pairs (1,0) and (0,1) have the same probability.However, the approach is intended for PUFs with small output alphabets.It evaluates groups of elements that occur with the same probability but differ in their sequence, such that an increasing number of elements decreases the probability of these equiprobable events.In [SUHA], it was extended to ternary outputs using reliability information.However, it cannot be efficiently applied to higher-order alphabets.The multi-bit symbol approach in [YHD] is especially suited for PUFs with high bit error probabilities > 20%.It is not explicitly designed for bias reduction but can also handle biased inputs efficiently as well.Additional recent debiasing work includes [H] where again the PUF bits are assumed i.i.d. and coset coding is applied to mitigate the leakage.This idea could be interpreted as combining different equidistant quantization intervals to create a more uniform occurrence of the symbols.However, this again would contradict the idea of tamper-sensitivity as will become evident by the remainder of the paper.
As a result, none of the discussed techniques specifically address biased symbols of a higher-order alphabet.Hence, while they may work on such data, they are designated to perform less efficiently when deriving the key, as supported by our later findings.To the best of our knowledge, the case of Lee metric as distance metric for PUFs has not been considered beforehand.Please note that we are aware of the threat of helper data manipulation attacks [DV].However, for the presented work, we are interested in discussing more fundamental properties of quantization schemes and ECCs.In addition to that, we assume that access to the helper data is also obstructed by the tamper-evident PUF, i.e., attempts to change the helper data would cause the partial destruction of the PUF as any other physical access to the underlying system.An additional privacy amplification step for the resulting output is always advised but considered out of scope.

Tamper-Sensitivity for PUF-based Key Derivation
To further motivate our work, let us briefly discuss an introductory example that hints at the strong need to formalize tamper-sensitivity (TS).When comparing Figure 2a with Figure 2b, then it is striking that the intervals for equidistant quantization are of constant width, whereas the intervals of equiprobable quantization are of unequal width.Consequently, when arbitrarily selecting a value X and subsequently shifting it to the left or right (mimicking an attack), it is easy to see that the magnitude by which X can be shifted without changing the obtained symbol varies between these two different approaches.Clearly, the permissible magnitude of the shift without causing Z v = Ẑv reflects the system's (in)capacity to detect adversarial tampering within X.Therefore, when a system provides good tamper-sensitivity, it is able to detect even the smallest magnitude changes as a result of the tampering W A .
Here, we deliberately describe the term tamper-sensitivity informally without making any assumptions on the processing of X to include processing variants other than those mentioned in this paper, such as [SFIC] or [G].Furthermore, while we are of the opinion that expressing TS in multiples of the noise standard deviation σ N of the underlying measurement circuit is a reasonable choice for the presented work, it may be too limiting for other models or distributions w.r.t. to the noise.Depending on the type of PUF and specifics of the key derivation scheme, TS should be analyzed for a single measured node as TS node or for the whole device as TS device .For detecting tamper attempts, the property of TS appears to be much more important than effective number of secret bits, as later demonstrated.Based on this generic introduction to tamper-sensitivity, we derive two definitions to more precisely capture a system's capability to detect the tampering W A .
Definition 1 (max-TS -Maximum Magnitude Tamper Insensitivity).Defines the maximum magnitude of W A that goes undetected, i.e., max(W A ) for which Z = Ẑ (or Z v = Ẑv ) still holds.The corresponding notation for a PUF node and device are TS max node and TS max device .
max-TS therefore is a worst-case scenario from a defender's point of view.Hence, max-TS should be minimized to enable better detection of an attacker regardless of the circumstances, i.e., independent for the probability of occurrence of the affected PUF symbols or specifics of the attack.We note that for TS on a device level, either the accumulated per-node TS is considered, or it is normalized by the number v of nodes in that system to support comparisons across devices with different number of nodes, as included in Table 2.In contrast, we define min-TS as follows: Definition 2 (min-TS -Minimum Magnitude Tamper Sensitivity).Defines the minimum magnitude of W A that is detected, i.e., min(W A ) for which Z = Ẑ (or Z v = Ẑv ) is achieved.The corresponding notation for a PUF node and device are TS min node and TS min device .
It therefore reflects the best-case scenario from the defender's point of view to enable earliest detection of an attacker.Within practical limits of applications such as [TS, IOK + 18], it is evident that a system performs best when min-TS equals max-TS and approaches the measurement's noise standard deviation σ N , i.e., the smaller the value for TS is, the better is the sensitivity, i.e., this is equivalent to a small TDT.
These definitions have been formulated such that a hierarchy across different PUF key derivation schemes can be created in a meaningful way, e.g., if min-TS(Scheme1) > max-TS( Scheme2) is given, then Scheme2 always provides a better tamper-sensitivity than Scheme1 and thus, a better detection of attempts to physically tamper with the PUF.Similarly to min-entropy as a worst-case scenario for entropy, we are mostly interested in max-TS, as it represents the worst-case for the defender.Though not expressed explicitly, preliminary ideas related to these definitions are contained in [IHKS] w.r.t. the quality of the quantization scheme but not to the extent presented in this work.

Tamper-Sensitivity Equations of Existing Schemes
Let us put the previous definitions to practical use, survey existing schemes, and derive corresponding equations to describe their tamper-sensitivity more analytically.All evaluated schemes have been targeting the scenario of the tamper-evident Coating PUF [TS].However, specific performance numbers will only be shown later in Section 5 when compared against our scheme that is presented in Section 4.
In the following, we refer to these schemes as profiles to have a semantic difference between the underlying theoretical scheme and its tested instance based on specific parameters.In total, we selected five existing profiles, whereas Profile 1,2, 3, and 4 are based on an equidistant quantization.In case of Profile 1, only equidistant quantization is applied without subsequent ECC.Profile 2, 3, and 4 then employ an additional ECC after the equidistant quantization.In contrast, Profile 5 is based on an equiprobable quantization and subsequent ECC.These profiles are further detailed hereafter and later compared against Profile 6 which is based on our proposed solution.

TS of Profile 1 based on equidistant quantization without ECC [IHKS]:
As a baseline, we evaluate the performance of a system that only relies on equidistant quantization without any further processing steps.Following [IHKS], the equidistant quantization is applied to the PUF outputs X.The width Q w of the evenly sized quantization intervals is determined by whereas y is a parameter of choice according to the required reliability, i.e., the Confidence Interval where l = −L/2, . . ., −1, 0, 1, . . ., L/2.Aligning l = 0 and µ X of the Gaussian distribution leads to the highest entropy output while it is slightly decreased by misalignment depending on the choice of y and the relative shift to µ X .However, due to symmetry reasons of the equidistant quantization this decrease is well-bounded and therefore a robust scheme.
Figure 3 illustrates the quantization intervals for m = 4 and L = 16 and an optimal alignment.Each interval is represented by a symbol Q l in [0, L − 1].As the compensated measurement of the PUF response is non-ideal, i.e., affected by noise of the measurement process, values could move to a different interval compared to the time of enrollment.To counteract this, the offsets between each PUF response X i and their corresponding interval center are stored as quantization helper data W * .Upon reconstruction, this offset is applied to the noisy value Xi to shift it towards its formerly considered interval center, i.e., ( Xi The full description is included in [IHKS].When assessing this profile with respect to its tamper-sensitivity, it is best to start with TS max node and visualize its properties as done in Figure 3. Assuming a symbol S at a specific location of the range of values, it is evident that by exceeding its designated quantization interval limits, an erroneous symbol is obtained.The difference between TS max node (P1) and TS min node (P1) is therefore only rooted in a small that represents the smallest possible resolution step of the underlying measurement circuit.For TS max device (P1), the accumulated tampering that goes undetected on a device-level is therefore the result of TS max node (P1) times the number of nodes v in the system.In contrast, TS min device (P1) is limited by TS min node (P1), i.e., a single erroneous node allows detection of physical tampering.The resulting equations are therefore: TS min node (P 1) = TS max node (P 1) + TS min device (P 1) = TS min node (P 1) (5)

TS of Profile 2 based on Fuzzy Commitment and RS codes [JW, HPKS, IHL + ]:
Fuzzy commitment is a well-investigated scheme for PUFs and therefore should be considered within the context of this work, too.While the choice of ECC operating on a higher-order alphabet is not limited to RS codes, we chose them to replicate the results of [IHL + ].The basic idea when combining equidistant quantization with an additional ECC is that by making y of Q w smaller, more entropy can be extracted from the PDF which however does not take into account yet the effects of secrecy leakage by the helper data.At the same time when making y smaller, the failure probability increases and must be counteracted by an ECC which is designated to provide a more flexible approach of counteracting errors when compared to a quantization scheme alone.
Here, we make use of a symbol-based RS code with parameters RS(n, t), i.e., n as block length in symbols and t as errors to be corrected.RS codes belong to a class of codes called Linear Block Codes.They are represented as RS(n, k), where k is the number of message symbols and n the block length.A primitive RS Code is defined by a k × n generator matrix G RS as given in Equation ( 6).RS Codes are Maximum Distance Seperable (MDS), which makes d H|S (RS(n, k)) = d = n − k + 1 .Hence they can detect and correct up to d − 1 errors and t = (d − 1)/2 errors respectively.
where α ∈ GF(2 m ).The ECC input symbols Y are assumed to be of size q = |L| and their distance is rated by the Hamming distance d H|S which states that any substitution error between d H|S (Y v , Ŷ v ) and their symbols, regardless of their actual distance in the underlying domain of X, is counted as d H|S (Y, Ŷ ) = 1.As an example, (Y, Ŷ ) = (a, p) yields d H|S = 1 as shown in Figure 4. Hence, the scheme operates independently from the actual binary representation of the symbols similar to Profile 1. Consequently, when considering TS max node (P2), the largest magnitude of W A without causing detection may span from the very left to the very right side of the range of values.This corresponds to q • Q w for TS max node (P2) and indicates already that the detection of W A is rather limited when compared to Profile 1.Based on a single value X of a node, it is not possible to detect tampering, since any magnitude changes result in d H|S (Y, Ŷ ) = 1 due to how Hamming distance is defined for strings of higher-order alphabets.
Since the number of nodes v and symbols derived thereof may not necessarily be equal to the ECC's block length n, it must be divided by a number of segments z for separate processing.This is often owed to the fact that codes with substantial block length are often impractical to implement, especially in hardware implementations.The equation describing TS max device (P2) therefore covers the tampering corrected by the code in its first summand and the remaining tampering that goes undetected by the quantization is contained in the second summand.For TS min node (P2), tampering cannot be detected within a single node for as long as the error threshold t has not been exceeded.To properly define TS min device (P2), we therefore take into account the first summand of TS max device (P2) but then only add TS min node (P1) causing the minimum error to just exceed the scope of the quantization scheme.The resulting equations for TS of P2 are: TS min node (P 2) = ∞ TS min device (P 2) = z t TS max node (P 2) + TS min node (P 1) (8)

TS of Profile 3 based on Code-Offset and BCH codes [DRS]:
Another well-investigated scheme for PUFs is the Code-Offset method.Similar to Profile 2, equidistant quantization is applied.However, this time, the resulting symbols are mapped to bits using a Gray code, i.e., the binary representation of neighboring quantization intervals differs by a hamming distance of 1 only, as it was done also in [TS] for equiprobable quantization, as later considered in Profile 5.After this bit mapping to Gray coded symbols, a BCH code is applied.BCH codes can also be described as binary RS codes, i.e., they are represented as BCH [n, k, d] GF(2 m ) .Correspondingly, the distance between codewords is counted by the Hamming distance d H|2 .The basic idea of this scheme is as follows: Errors close to the designated value result in a small Hamming distance, while a larger shift will increase the Hamming distance.We observe that L = 2 m , i.e., m as number of bits to encode the intervals.Since m < L, it follows that there exists only one case of the codebook where d H|2 per node is maximized, i.e., d H|2 (Y, Ŷ ) = m.This is the case when the all null bit sequence derived from a node is flipped to the all one bit sequence.In all other cases, d H|2 (Y, Ŷ ) ≤ m − 1 which degrades the tamper-sensitivity of the device.Even worse, some very extreme magnitude shifts may result in only d H|2 (Y, Ŷ ) = 1 due to how a Gray code is constructed.For the example given in Figure 5, when assuming a Gray code as follows: (a ← 0000), (b ← 0001), (c ← 0011), . . ., (p ← 1000), then the largest possible shift while ensuring a Hamming distance of 1 is from the symbol a to the symbol p. Correspondingly, max-TS for this profile results in To write a closed form of TS min node (P3) and TS min device (P3), we assume that the attacker can divide and distribute W A such that indeed only the smallest detectable change in d H|2 per node occurs.For equiprobable quantization this is a symbol residing in any interval with width Q w and shifting to its directly neighboring intervals, thereby causing a single bit substitution error.When t > 1 the ECC is capable of correcting more bits, then multiple nodes with a single bit error within a segment z could be corrected, or larger magnitude shifts within a node (which is not desired with regard to tamper-sensitivity).However, to adhere to the definition of min-TS, we assume that for larger t, indeed t-times the smallest detectable change occured.The resulting equations are therefore: TS min device (P 3) = z t TS min node (P 3) + TS VT-like codes are designed using Levenstein Distance metric.Each derived symbol Y corresponding to a quantization interval is bit mapped to a variable number of bits.Since these bit maps should be uniquely decodable, they are generated using a binary tree, while ensuring d Lev = 1 between neighboring intervals.For a PUF device with v nodes, z number of VT-like code segments can be generated.Since each segment can correct only 1 symbol error, the total number of correctable symbol errors is z.The systematic code construction is described in Equation ( 11) following the notation of [IHL + ].
where (b 1 , b 2 , ..., b m ) is the bit map of (y 1 , y 2 , ..., y v/z ) PUF nodes and (p 1 , ..., p r ) is the binary representation of P given by Equation ( 12).When analyzing the tamper-sensitivity of this profile, it is evident that writing a closed form for TS max node (P4) and TS max device (P4) is difficult, as it depends on the number of quantization intervals and the codebook used to create the variable-length bit mapping 2 .This statement is based on the observation that d Lev (Y, Ŷ ) = 1 is ensured for directly neighboring intervals but larger magnitude changes may still result in distance d Lev = 1, i.e., the attacker may be even encouraged to cause larger magnitude changes that would still be accounted for by the error-correcting capability of the code.We therefore directly 2 For the specific case later considered: TS max node (P 4) = 6 • Qw + Qw/2 for 12 intervals; TS max node (P 4) = 10•Qw +Qw/2 for 14 intervals; and on a device-level: TS max device (P 4) = z t•TS max node (P 4)+(v−z t)•TS max node (P 1) compute max-TS values for the parameters later considered by using the codebooks provided by the authors of [IHL + ] (cf.Appendix A).In contrast, stating min-TS equations is straightforward and visualized in Figure 6.The corresponding equations are TS min node (P 4) = 3 Q w /2 + TS min device (P 4) = TS min node (P 4) (13) owed to the fact that the minimum error to detect is the one just exceeding the errorcorrecting capability of the VT-like code.Similarly to Profile 1, the overall TS min device (P4) is again the same as TS min node (P4), i.e., a single erroneous node triggers the tamper-detection which is a beneficial behavior for improved tamper-sensitivity.

TS of Profile 5 based on Equiprobable Quantization and BCH-based Code-Offset [TS]:
Unlike before, we make use of an equiprobable quantization and refer to [TS] for its formal description.As illustrated in Figure 2b, this approach is characterized by its innermost intervals of width Q min and outermost intervals of width Q max .As described in Section 2.2, the symbols are mapped to a binary representation using a Gray code.A BCH(n, t) code is applied to the resulting output, whereas both n and t are in bits.
One of the challenges for this profile is defining the outermost intervals properly when considering a practical implementation, as equal probability of intervals needs to be ensured also for the outermost intervals that are however limited by the measurement range of the underlying implementation.Values outside of the measurement range cannot be used for tamper-detection.Excluding values with probability of occurrence < 0.1% per node balances the engineering effort for the measurement circuit with the expected excess during production, assuming that devices with values outside of the measurement range are discarded.Hence, at some point in the range of X, the tails of the PDF need to be cut off.If this would not be done, then tamper-sensitivity would not be bounded in the outermost intervals of the equiprobable quantization.This would no longer represent the targeted practical scenario and thus, result in an unfair comparison that we want to avoid.The same has been done in [IHKS] or [WHGS].Regarding the tamper-sensitivity of this profile, we observe similarly to P3 that the specifics of the Gray code significantly affect the tamper-sensitivity.For example, for the scenario presented in [TS], a shift from the left outermost interval to the right would only result in distance 1, as illustrated in Figure 7 when assuming the bit mapping of Figure 2b.max-TS for this profile therefore results in To write a closed form of TS min node (P5) and TS min device (P5), we again assume that the attacker can divide and distribute W A such that indeed only the smallest detectable change in d H|2 per node occurs.For equiprobable quantization this is a symbol residing in Q min and shifting to its neighboring intervals.When t > 1, then multiple nodes could be corrected or larger magnitude shifts within a node.To adhere to the definition of min-TS, we assume that for larger t, indeed t-times the smallest detectable change occured.The resulting equations are therefore: Regarding the fairness of comparison and the design trade-off made w.r.t.Q max , i.e., where to cut off the range of values, we point out that by defining min-TS as given, it is independent from the size of the outermost interval.Hence, it only affects max-TS whereas excluding more values would make Q max smaller but increase excess during the manufacturing process, thereby reducing the yield.

Discussion and Comments Regarding Tamper-Sensitivity
All presented TS equations have in common that they describe a noise-free scenario, as motivated in Section 2.1 for analysis purposes only.This simplifies the equations without affecting their accuracy in describing the fundamental TS property of the scheme.Moreover, we neglect the challenges that arise when trying to define TS for the outermost intervals of a specific profile, i.e., independent of the actual measurement range of the PDF that could be covered and the number of quantization intervals to sample it.We assume that TS is not affected by these practical constraints and instead is purely based on the properties of the underlying scheme.
We also note that excluding values with probability less than 0.1% per node for Profile 5 would result in a yield reduction of 12% overall for a device with 128 nodes.If in contrast less values would be excluded to improve the yield, then at the same time TS in the outermost intervals would be degraded.Since we primarily evaluate TS, we deliberately chose a poor yield as this improves tamper-sensitivity in the outermost interval.We emphasize for Profiles 1,2,3, and 4 that choosing the cut-off for equidistant quantization does not change the tamper-sensitivity behavior in the outermost intervals, as they are always of a fixed width (later, the same applies to Profile 6).Since working with minentropy, changing the number of equidistant quantization intervals while keeping their width constant does not increase the extracted entropy.In general, for analysis of the conceptual schemes only, we suppose that the range of the measurement circuit is not bounded.In a practical setting, both enrollment and reconstruction would be done with a measurement circuit that provides a bounded range.However, since the anticipated yield reduction is independent from the TS properties in case of equidistant quantization, and also heavily depends on the manufacturers business model, i.e., factors outside of the technical scope of this paper, we do not further take this aspect into account.
We point out that our definition of TS assumes unidirectional shifts, i.e., a change in value cannot be in both directions at the same time.This is of particular relevance for Profile 3, 4, and 5, where a shift may move values over intervals that are considered tamper-sensitive.Hence, not the tamper-sensitive area of a PDF is taken into account but indeed the magnitude of the shifts only.Since Profile 5 deviates already at the point of quantization from the other profiles, neither TS min node nor TS max node will reflect the perceived tamper-sensitivity in a practical setting as it will be based on the average tamper-sensitivity that takes into account the probability of occurrence of an affected quantization interval, i.e., it would be necessary to weigh the tamper-sensitivity per interval by its probability of occurrence.However, min-TS and max-TS already provide a quality assessment to sufficiently compare Profile 5 against the other profiles.
As can be derived from the given equations, all schemes behave differently when considering TS max node and TS max device .This already supports the argument that a property is being addressed that otherwise cannot be captured by entropy or failure rate.Please note that while some of the given equations appear highly similar, e.g., TS min node of Profiles 1, 3, 4, and 5, their actual value will still be different when considered under a specific set of parameters.The interested reader may already proceed to Table 2 to see the resulting numbers for the tested profiles.Correspondingly will the visual appearance of the presented Figures for the actual parameters be different, e.g., smaller but more intervals.
Late Tamper Evaluation.Our work focuses on improving the combination of quantization and ECC without additional processing steps.Alternatively, it may be possible for some profiles to further improve tamper detection by studying the magnitude of errors after successful decoding was done, i.e., by computing the Euclidian distance d E ( Ẑ, X) and validating that the result is of a reasonable magnitude, e.g., by requiring d E ( Ẑ, X) ≤ TDT, e.g., TDT = 3 • Q w /2 = 3 • y • σ N for Profile 4. By following this approach for Profile 4, it is possible to limit the error magnitude to TS min node (Profile 4).This is possible since only one error per segment z is covered by the scheme.For other Profiles though, such as Profile 3 and Profile 5, this quickly leads to inconsistencies in how errors are treated.This argument is based on the observation that within a block of length n (in bits), up to t errors (in bits) are corrected.Assuming that m bits per node are derived and t > m (which is the case for the practical scenarios considered), then it is becoming increasingly difficult to formulate a valid late tamper evaluation approach, since the late tamper evaluation will impede with how the ECC operates.Hence, even if such an approach can be successfully applied to any of the existing profiles, the obtained result will still not exceed the min-TS level due to how it has been defined.This is in addition to the potential security threat of first reconstructing the valid secret, before discarding it based on the result of the late tamper evaluation.To the best of the author's knowledge, there are no other publications discussing the specifics of such a late tamper evaluation.
In the next Section, we present our approach based on Limited Magnitude Codes (LMC) in combination with equidistant quantization which is then named Profile 6 as part of the comparison.This enables TS min node to be equal to TS max node and TS min device , as it is the case for Profile 1 but at the same time, be almost twice as tamper-sensitive on a device-level in addition to extracting more entropy.

Limited Magnitude Codes (LMC)
As indicated by our analysis of the previous work, specifically of Profile 3, 4 and 5, mapping higher-order alphabet symbols to an alphabet of lower degree diminishes tampersensitivity by causing an unevenly spread TS in the codebook.However, also building upon inappropriate distance metrics such as Hamming distance over symbols, as done in Profile 2, degrades tamper-sensitivity, as the distance d E (X, X) is not well reflected by d H|S (Y, Ŷ ).To solve these problems, we model the outcome of the equidistant quantization as a q-ary channel as depicted in Figure 8b, i.e., we continue operating on the symbols directly.In contrast to previous works, we rate errors in this channel by the Lee metric d Lee , i.e., symbols of neighboring intervals will have a distance of 1 whereas symbols of larger distance l will have distance l.This is also called the magnitude.Different possible types of magnitude errors are illustrated in Figure 8a.These are classified as asymmetric when unidirectional, symmetric when of equal magnitude in either direction, or bidirectional when in either direction but of unequal magnitude.(a) LMC error types for q = 5 and the designated symbol 2.
q-ary asymmetric channel model for l = 1 between symbols.Non-wrap around channel (solid lines only) and wrap-around channel (solid lines and dashed line as wrap-around).
Figure 8: LMC error types and q-ary channel model.
Elarief et al. [EB] first proposed a code to correct all asymmetric and symmetric errors of limited magnitude in a q-ary channel.While the code proposed by [EB] corrects all magnitude errors, it does not allow to limit the number of magnitude errors corrected by the ECC which is the necessary degree of design freedom we need.To mitigate this shortcoming, Myeongwoon et al. [JL] proposed a modified version of this code called Limited-Magnitude Error Correction Code (LMC).This is based on an RS Encode/Decode step that is additionally introduced to limit the number of correctable errors as later described.Hence, this can be considered as a concatenated code construction of LMC and RS codes, whereas we are not limited to RS codes but could have selected any other code operating on higher-order alphabet symbols.Although the new code by [JL] was intended for bidirectional errors, it is equally applicable to asymmetric and symmetric errors.
The error correction capability of these codes is as follows (cf. Figure 8a): In Asymmetric LMC (A-LMC), a symbol is correctable if the possible error occurs in only one direction.For example, if the symbol is 2 then in A-LMC (l u = 1) the symbol is corrected only if it changes to 3 (error = +1).If the symbol changes to any other value, it is not corrected.Similarly for Symmetric LMC (S-LMC), the error magnitude can be ±1 i.e.
These error types can be considered within the scope of two different q-ary channel models.They are called wrap-around and non-wrap-around channel.In Figure 8b the wrap-around is indicated by a dashed line, whereas all other lines are solid and represent the only valid transitions for the non-wrap-around channel.Hence, for the wrap-around channel, d Lee (q − 1, 0) = 1, whereas for the non-wrap-around channel d Lee (q − 1, 0) = q − 1.Since the underlying application is based on a physical measurement process, the wraparound is not desirable and counteracts the aspect of tamper-sensitivity.Therefore, to minimize TS max node and best reflect d E (X, X) in the quantized symbols Ŷ v , we only make use of the non-wrap-around channel model.The Lee metric in the non-wrap around channel is sometimes also termed Manhattan distance d Man .
For encoding and decoding, the corresponding steps are listed in Algorithm 1 and Algorithm 2 that are described by [JL].The parameters of an LMC are q , q, p and t. q represents the number of values a symbol can take under the influence of an error, while still being within the LMC boundary.q represents the number of quantization intervals.p is the RS code field size GF(p) and t is the error correction capability of RS code.While constructing any LMC, Equation ( 16) must always hold.
The encoding and decoding algorithm is complemented by Algorithm 3 which is instantiated by both LMC Encode and Decode and helps translating an array of elements from one base to another, especially for the description presented here, assuming that q is a power of 2, allowing for a very efficient implemenation as demonstrated by the examples in the appendix.

Algorithm 1: LMC Encode
Data: Step 2: Generate p-ary message symbols using η and encode it using RS(n,t) encoder.*/ 2 η p = baseChange(η, q , p) Step 3: Convert 2t p-ary parity symbols to q-ary symbols The algorithms for encoding and deconding can be used for A-LMC and S-LMC as well, by changing q as in Equation ( 17).If we correct t times a p-ary error, then the maximum number of q -ary errors potentially corrected by LMC is given by t max as defined in Equation 18.Since the minimum number of errors corrected is t, we use t as the number of errors corrected by LMC for notation purposes and also computation of the reliability.However, for max-TS, we indeed use t max .This could be even further improved by making use of the early decoding termination, as introduced in the subsequent paragraph.
Early Decoding Termination: We introduce an additional check on the number of nonzero elements in ε to limit the maximum number of q -ary errors that get corrected.If the number exceeds the chosen threshold t, then a decoding failure can be triggered.
(cf. lines 13 to 16 of Algorithm 2).Once a decoding error occurs, the device should enter a permanent failure mode from which recovery is difficult, e.g., by blowing fuses or zeroization of helper data.This is required to not introduce an obvious timing side-channel in the decoding process and is within the principles of tamper-detection and response.

Secrecy Leakage by Helper Data:
The leakage caused by LMC helper data W is upper bounded using Equation 19, since it is essentially a Code-Offset construction where only the parity is stored.Here, P = z • 2 t • log 2 (p) is the total number of parity bits P generated for z segments of LMCs, based on the RS code operating in the p-ary domain.
The leakage calculation for the first entry of Profile 6 in Table 1 is provided as an example in the following.First, we compute the secrecy leakage.

I(X
Concerning the min-entropy that is extracted on average from a device, we consider each node with parameter y = 2.1 for the equidistant quantization which leads to a min-entropy H∞ (Y ) of 3.4325 bit per node, resulting in an overall min-entropy for a device H∞ (Y v ) with v = 128 nodes of Hence, the effective number of secret bit, i.e., when accounting for the previously computed helper data leakage, is Failure Probability Computation: Based on the presented LMC properties, decoding fails if one of the following conditions is met: 1.The magnitude of error ε exceeds [l d l u ] of the LMC 2. The number of p-ary errors is greater than t, i.e., too many magnitude errors in total To provide a generic description of the failure probability, let r parts constitute a symbol, i.e., the number of unique digits to represent the symbol (radix).Let P part be the error probability of one part and the symbol error probability be P symb .Then the error probability of a symbol is computed as We know that If the incorporated ECC corrects up to t errors then error probability after ECC is given by Equation ( 22).Where P = P symb for RS code and P = P bit for BCH code.P e is the error probability of one block of RS/BCH code.
For the error probability calculation of LMC, we assume that after LMC decode, the q-ary symbol error probability (P e (Z v )) depends only on q -ary errors.The errors of magnitude > q are not used in the calculation since this is considered as tampering.Based on the previous equations, Algorithm 4 provides the approach on how to compute the error probabilities.Please note that it provides an upper bound for the failure probability for LMC cases where log 2 (q)/ log 2 (q ) and log 2 (p)/log 2 (q ) are not integers.The resulting performance numbers for the considered parameters are presented in Table 1, alongside all other profiles.In the following, the tamper-sensitivity of LMC is analyzed.
Algorithm 4: LMC Error Probability Data: P e (Y), q , q, p, z Result: P e (Z v ) // Step 1: Calculate q -ary symbol error probability before RS Decoder using Equation (21) 1 P q _symb = P part ( log 2 (q)/ log 2 (q ) , P e (Y)) // Step 2: Calculate p-ary symbol error probability before RS Decoder using Equation (20) 2 P p_symb = P symb ( log 2 (p)/ log 2 (q ) , P q _symb ) // Step 3: Calculate p-ary block error probability after RS Decoder using Equation (22) 3 P e_block_rs = P e (n, t, P p_symb ) // Step 4: Calculate p-ary symbol error probability after RS Decoder using Equation (21) 4 P p_symb_rs = P part (n, P e_block_rs ) /* Step 5: Calculate q -ary symbol error probability after LMC Decoder using Equation (21) */ 5 P e (Z) = P part ( log 2 (p)/ log 2 (q ) , P p_symb_rs ) /* Step 6: Calculate q-ary block error probability after LMC Decoder using Equation (20).Note, there are k • log 2 (p)/ log 2 (q ) q-ary symbols in 1 block of LMC */ 6 P e (Z z ) = P symb ( k • log 2 (p)/ log 2 (q ) , P e (Z)) /* Step 7: Calculate q-ary device error probability after LMC Decoder using Equation (20).There are z blocks of LMC per device.*/ 7 P e (Z v ) = P symb (z, P e (Z z )) TS of Profile 6 based on Equidistant Quantization and LMC: Following the previous description, LMC corrects t errors within the [l d l u ] boundary.Hence TS max node (P6) is defined using Equation 23.Its first summand is based on the error correction capability of the LMC and the second summand caused by the equidistant quantization.Hence, to cause detection, an additional is required for TS min node (P6).Since LMC decoding fails even if the number of errors is less than t but the magnitude exceeds [l d l u ], TS min device (P6) is equivalent TS min node (P6).This already indicates a significant advantage over the other profiles discussed earlier.Calculating TS max  device (P6) then follows similar principles of the other ECC-based profiles, i.e., if the block length n does not match the input length of symbols v, then multiple segments z must be created.6 where TS min node (P4) is illustrated, i.e., here we illustrate max-TS per node as opposed to min-TS in Figure 6.

Evaluation of Key Derivation Profiles
In this section we discuss the results listed in Table 1 and Table 2 (cf.Appendix B).All former profiles have been tested based on the empirical data of [TS].The corresponding parameters are: µ X = 1.8 • 10 −13 and σ X = 3.6 • 10 −15 .Individual measurements of the nodes are affected by Gaussian distributed, mean-free noise with σ N = 2 • 10 −16 .
Starting with Profile 1 in Table 1, it can be seen that even a basic equidistant quantization scheme without subsequent ECC is sufficient to create a workable solution.This is achieved by values y of 5.4 or larger, i.e., the width of the quantization intervals needs to be relatively large to account for the assumed noise.We note that the extracted min-entropy is only determined by the innermost intervals closest to µ X , i.e., an increasing number of quantization intervals does not increase the min-entropy.The extracted entropy ranges in between 267 bits and 231 bits for a reliability in the range of 10 −6 to 10 −9 .As described by Equation 4, TS max node (P 1) is equivalent to y • σ N , whereas TS max device (P 1) simply scales this number by the number of nodes v in the system.The corresponding numbers for Profile 1 with the best max-TS are therefore 5.4 on a node-level and 692 on a device-level.If we would be considering an increasing number of nodes beyond v = 128, it is clear that the increasing numbers of nodes in the exponent of the error probability computation demand an over-excessively wide quantization interval to be counteracted.Hence, this cannot be considered a flexible engineering solution and should only be considered as a baseline for subsequent comparisons.For all subsequent profiles, we investigate whether a smaller y with an additional ECC can perform better than this.
In Profile 2, a fuzzy commitment based on RS codes is used.While y can be lowered to 2.3 resulting in much smaller and more intervals, the helper data leakage caused by the ECC completely counteracts the gain in min-entropy such that the effective entropy H eff ∞ (accounting for the leakage) extracted from the PUF is less than that of Profile 1.In general, this scheme can be adapted easily to different requirements by adjusting t.However, as the distance metric is based on d H|S , tamper-sensitivity is relatively poor as supported by the obtained results.For both min-TS and max-TS, the results are actually much worse when compared to a scheme based on equidistant quantization only.
With the help of Profile 3, entropy levels reach a similar amount when compared to Profile 1.This is owed to the differences in the underlying Code-Offset construction when compared to the Fuzzy Commitment scheme, as the leakage is upper bounded by the parity, resulting in a reduced leakage when compared to Profile 2. However, extracting more entropy is at the cost of losing tamper-sensitivity.Moreover, TS min node is only defined for t = 1 and therefore represents a strong assumption regarding the attacker as in a practical scenario, the attacker would not be able to divide and distribute the resulting errors to keep them small.Hence, even while the numbers for TS min node indicate a tamper-sensitivity performance close to Profile 1, it cannot be considered a feasible alternative.
For Profile 4, VT-like codes were used with variable-length bit mapping of the symbols.Due to the limitations of these codes, t cannot be chosen arbitrarily and is limited to 1. Consequently, it is not surprising that y cannot be made smaller than 4.24 to still obtain a reliable device.In contrast to Profile 2, a similar max-TS is obtained when compared to Profile 1, while performing worse on a node-level.The extracted entropy is marginally better than Profile 1 but we are of the opinion that the added complexity of carrying out the computation for an ECC does not justify this gain.
In contrast to all previous profiles, we applied an equiprobable quantization in Profile 5 which cannot be used as a standalone solution under the given simulation parameters.The given y of 2.87 in the table applies to Q min only.All other intervals towards Q max are therefore significantly larger.To provide a fair comparison, we chose to exclude values of X with probability of occurrence less than 0.1%, otherwise, tamper-sensitivity in the outermost intervals would not be bounded which would exaggerate the numbers for max-TS unnecessarily.When neglecting the significant quantization helper data leakage by W * , the effective entropy after accounting for the ECC helper data is quite significant, as the equiprobable quantization extracts 3 bits of full entropy per node under this simulated scenario.Regarding tamper-sensitivity, interesting properties are observed.Since the innermost intervals of Q min are relatively small, the earliest possible detection which translates to min-TS on a node-level, is almost within the range of Profile 1.However, most errors that occur are also at or within the range of the innermost intervals.As a result, t must be chosen sufficiently large to account for these errors.This already leads to a suboptimal TS min device behavior.When further analyzing TS max node and TS max device , then the obtained tamper-sensitivity performance is clearly worse when compared to Profile 1 and sometimes equally poor when compared to Profile 2 or Profile 4.
Let us now consider our proposal based on equidistant quantization and LMC under the name Profile 6.It can be seen right away that y is the smallest for all considered profiles.For equidistant quantization, this leads to the best-case in terms of entropy that can be extracted from the PUF PDF.Since the equidistant quantization is quite effective in removing a significant portion of the noise influence, only a fraction of nodes need further correction by the LMC.Mainly due to the transformation of q to p, the overall construction is more efficient when compared to, e.g., Profile 3.This results in a total of ∼ 320 effective number of secret bits, the maximum of all previously considered profiles.In addition to that, it can be seen in Table 1 that the per-node max-TS is similar to Profile 1 while drastically outperforming all other Profiles.However, the most important result is that max-TS on a device level is almost only half of Profile 1.When normalizing TS max device (P6) by the number of nodes, i.e., 395/v = 3.1 [σ N ], then this can be interpreted as the on-average tamper detection threshold per node is, TDT = 3.1 • σ N .This is a significant gain in terms of tamper-sensitivity and effective number of bits, for various different levels of reliability and alphabet sizes.Taking into account that TS min node (P6) is equal to TS max node (P6) and TS min device (P6) is bounded by the min-TS per node of Profile 6, it is evident that the general behavior of LMC mimics the behavior of Profile 1 with regard to the detection of tampering, while performing more effectively which allows to choose a smaller y, resulting in a better entropy and tamper-sensitivity.Overall, this clearly demonstrates the superiority of this scheme and optimized detection of tampering, even when providing a higher reliability when compared to schemes with less reliability.
For the analyzed scenario, in particular the noise model, it appears that this is the optimal method to extract the contained entropy.This is based on the following reasoning: assuming equidistant quantization intervals, then increasing their number towards infinity causes the entropy to approach the differential entropy which is the entropy defined for the continuous case.Extracting more entropy is not possible.Since LMCs operate more efficiently, quantization intervals can be made smaller and therefore more quantization intervals can be used for the same measurement range.This can be done while the loss in reliability is at a much smaller rate when compared to equiprobable quantization, where the errors increase at a much faster rate when increasing the number of intervals.

Conclusion and Outlook
We presented a thorough comparison of state-of-the-art approaches of PUF-based key derivation for tamper-evident PUFs.In addition, we proposed our own scheme that is able to outperform all previous schemes in all relevant aspects, namely: effective number of secret bits, reliability, and tamper-sensitivity.The latter is a new formalized metric to assess the scheme outside of an idealized noise error model based on the noise standard deviation σ N .Intuitively, similar to with physical layer security, sensitivity of a system is bounded by its noise which is why we express this sensitivity in multiples of σ N .We note that the actual assessment of a tamper-evident PUF must still be done individually and that the developed notion of tamper-sensitivity only supports the comparison of the underlying concepts for key generation.
Our comparison clearly demonstrates that the design of previous schemes did not sufficiently take into account the physical tampering that is most important within the context of tamper-evident PUFs.In order to motivate our approach, we provided strong and convincing reasoning as to why the previous schemes fall short in that regard.To overcome their limitations, we applied Limited-Magnitude-Codes based on the Lee/Manhattan metric and a q-ary non-wrap-around channel.Our results indicate that this metric is well-suited to solve the problems specific to tamper-evident PUFs and may generally be able to provide better results when compared to other distance metrics such as Hamming or Levenshtein due to inherent limitations when the number of symbols is less than the number of quantization intervals.We point out that achieving a high level of entropy is still important to thwart attackers that attempt to reconstruct the PUF secret, e.g., by partially obtaining some of its values by probing.
Since our scheme is not limited to custom-made tamper-evident PUFs, we expect that our results can be applied to any other PUF design that allows accessing the quasicontinuous values of the underlying PDF, e.g., [WHGS] or the ones typically implemented in FPGAs such as [BNTM].Hence, our work may serve as a future direction to improve the area efficiency of these PUFs by reducing the number of PUF primitives and extracting their entropy more efficiently.

B Additional Tamper-Sensitivity Results
The following table complements the tamper-sensitivity results of Table 1 regarding min-TS and also provides the numbers for max-TS normalized by the number of nodes v (last column), therefore representing the on-average per-node sensitivity.These numbers enable a comparison across different tamper-evident PUF system designs with varying number of PUF nodes v.

C PUF Metrics based on Lee/Manhattan Metric
Originally defined by Maiti et al. in [MGS, MCMS], the metrics Uniqueness and Reliability based on Hamming distance have become the de facto standard for PUF publications.While various other metrics have been proposed, they can still be considered as a starting point to assess the fundamental PUF properties, i.e., if PUF values sufficiently differ from each other and if they can be reconstructed reliably.While we recommend to always complement them with additional tests, we nevertheless focus on these two most common metrics with regard to higher-order alphabets which is owed to their popularity.The definition of Uniqueness and Reliability is inherently bound to the distance metric used for the subsequent ECC.For higher-order alphabet based PUFs over Hamming distance this has been studied in [ION + ] already.In contrast, we define Uniqueness and Reliability over the Lee or Manhattan distance, depending on the q-ary channel model used, i.e., whether it is used with wrap-around or without.
We note that Uniqueness and Reliability in the binary case, as originally defined by [MGS, MCMS], is normalized by the length v of the considered response (cf. Figure 1).This must be done in an appropriate manner also for responses over Lee/Manhattan distance, as their length is different due to how the distance metrics d Lee and d Man are defined.Lee distance d Lee between two quantized PUF responses, with a field size of q, is defined below in Equation ( 27).It is circular i.e., d Lee (0, q − 1) = 1.
where Y v j = {y j i ; 1 ≤ i ≤ v}, j = 1, 2 and 0 ≤ y j i ≤ q − 1 For LMCs in order to normalize, we apply Plotkin's low rate average distance bound defined in Equation ( 29) for the wrap-around channel [CyCW].
where K is the cardinality of C and D is the average Lee weight [CyCW] given by Equation (30).

D =
(q 2 −1) 4q , odd q q 4 , even q (30) For the practical scenario [ION + ] of v = 128 nodes in a PUF device with field size q = 32, K = q 128 this leads to K −1 ≈ 0. Thus Equation (31) holds which makes it compatible to previous definitions of Uniqueness for binary PUFs [MGS].
For Uniqueness over Manhattan distance, the same is achieved by normalizing the length with v • q.To define the Uniqueness, this leads to Equation (32) for Lee distance and Equation (33) for Manhattan distance.
where k is the number of devices and v the number of nodes in a device which is equivalent to its length in symbols.Please note that the computed outcome of these definitions is quite different to the ones based on Hamming Distance, as the magnitude becomes part of the Uniqueness which is no longer just a change in symbol.Hence, to improve Uniqueness, not only the symbols as such would have to change, but also the occurred magnitude.
Additionally note that the computed outcome of Equation ( 32) compared to Equation ( 33) is quite different, since the normalization factor in front of the sum remains unchanged.
In particular, the result of Equation ( 33) is such that the Uniqueness is bounded to 100% which would be achieved only when for each symbol a maximum magnitude change is observed.In contrast, empirical results for Equation (32) may exceed 100% of Uniqueness when the average Lee weight of Equation ( 30) is exceeded.
To complement the previous Uniqueness definitions, Reliability is defined for both metrics in Equation ( 34) and Equation ( 35) Reliability where m is the number of measurements of same PUF device at different times.Since the channel model corresponding to the work in [ION + ] is without wrap-around, we select Manhattan Distance as the appropriate distance metric.This leads to the results presented in Figure 10, showing both Uniqueness and Reliability.In contrast to similar figures for binary PUFs, Uniqueness appears relatively low which is owed to the fundamentally different definition of Uniqueness over Manhattan distance that combines changes in symbols and magnitude at the same time.To put the outcome into perspective note that for the given parameters, a change in 3.125% corresponds to the case when all comparisons between symbols result in a magnitude of d Man = 1.For the given data, the average Uniqueness is 21.897% which is very close to the case that every compared symbol has a distance d Man = 7 which corresponds to 21.875% of Uniqueness.Considering the fact that this is the first such implementation which differs quite significantly from other PUFs, Uniqueness appears at a reasonable level which could be improved though to make it more unique.In contrast, Reliability is at a very high level.

D Example Calculations of LMC
For convenience reasons and clarity of the algorithmic descriptions, we provide examples of several LMC calculations for the interested reader.They follow the notation of Algorithm 1 and Algorithm 2. Please note that these calculations are based on q = 4, i.e., the radix is a power of two, allowing for a very efficient hardware implementation.These examples include: • Figure 11 illustrating the enrollment process.
• Figure 12 illustrating a successful decoding of the previous example.• Figure 13 illustrating a decoding failure as result of an error exceeding the magnitude.

Figure 3 :
Figure 3: TS max node of Profile 1.Any shift outside of the marked quantization interval causes the detection of a tamper attempt which causes the device to fail (as desired).

Figure 4 :
Figure 4: TS max node of Profile 2.Based on a single value X of a node, it is not possible to detect tampering, since any magnitude changes result in d H|S (Y, Ŷ ) = 1 due to how Hamming distance is defined for strings of higher-order alphabets.

Figure 5 :
Figure 5: TS max node of Profile 3. Please note that for Gray encoded symbols, the resulting distance d H|2 (a, p) = 1, due to how a Gray code is typically constructed.
Figure 6: TS min node of Profile 4.

Figure 7 :
Figure 7: TS max node of Profile 5 for the symbol S as indicated.Based on the Gray code bit mapping as illustrated in Figure 2b and as further detailed in Appendix A.

Figure 9 :
Figure9: TS max node of Profile 6. Please note the difference to Figure6where TS min node (P4) is illustrated, i.e., here we illustrate max-TS per node as opposed to min-TS in Figure6.

Figure 10 :
Figure 10: Uniqueness and Reliability according to Equation (33) and Equation (35) based on the evaluation of 115 covers of [ION + ] with 32 quantization intervals and a 10× oversampling for the measurement.

TS of Profile 4 based on VT-like codes [IHL + ]:
This profile again is based on an equidistant quantization but this time with a variable-length mapping of the symbols Y to bits, as described in [IHL + ].The corresponding code is a VT-like code denoted as VT(•, t) with t as number of errors in d Lev .Due to the limitations of VT-codes, t = 1 always, as multiple insertion/deletion errors can only be corrected when considering multiple segments z.

Table 1 :
Comparison of key derivation schemes for higher-order alphabet PUFs.Profile settings are shared among publications [IHL + , IHKS, TS] and as follows: µ X = 1.8 • 10 −13 and σ X = 3.6 • 10 −15 .Individual measurements of the nodes are affected by Gaussian distributed, mean-free noise with σ N = 2 • 10 −16 .Neglecting leakage from quantization helper data for computation of H eff ∞ , i.e., only leakage by ECC helper data W is considered.Equidistant quantization without ECC (independent of symbol's bit mapping) Equidistant quantization and RS-based Fuzzy Commitment scheme (independent of symbol's bit mapping, n in symbols, t in d H|S ) Equidistant quantization and BCH-based Code-Offset scheme (n in bits, t in d H|2 ) Equidistant quantization, variable-length bit mapping of symbols, VT-like codes (t in d Lev ) Equiprobable quantization, Gray code bit mapping of symbols, BCH-based Code-Offset scheme (n in bits, t in d H|2 ) Equidistant quantization, LMC (lu = 1, l d = −1) with concatenated RS code (n in symbols, t in d Man ) a b Profile 1 (P1): c Profile 2 (P2): d Profile 3 (P3): e Profile 4 (P4): f Profile 5 (P5): g Profile 6 (P6):

Table 2 :
Extended comparison of TS of different profiles for higher-order alphabet PUFs, including min-TS results and max-TS results normalized by the number of nodes v = 128 in the tamper-evident PUF system.