The Wiretap Channel for Capacitive PUF-Based Security Enclosures

In order to protect devices from physical manipulations, protective security enclosures were developed. However, these battery-backed solutions come with a reduced lifetime, and have to be actively and continuously monitored. In order to overcome these drawbacks, batteryless capacitive enclosures based on Physical Unclonable Functions (PUFs) have been developed that generate a key-encryption-key (KEK) for decryption of the key chain. In order to reproduce the PUF-key reliably and to compensate the effect of noise and environmental influences, the key generation includes error correction codes. However, drilling attacks that aim at partially destroying the enclosure also alter the PUF-response and are subjected to the same error correction procedures. Correcting attack effects, however, is highly undesirable as it would destroy the security concept of the enclosure. In general, designing error correction codes such that they provide tamper-sensitivity to attacks, while still correcting noise and environmental effects is a challenging task. We tackle this problem by first analyzing the behavior of the PUF-response under external influences and different post-processing parameters. From this, we derive a system model of the PUF-based enclosure, and construct a wiretap channel implementation from q-ary polar codes. We verify the obtained error correction scheme in a Monte Carlo simulation and demonstrate that our wiretap channel implementation achieves a physical layer security of 100 bits for 306 bits of entropy for the PUF-secret. Through this, we further develop capacitive PUF-based security enclosures and bring them one step closer to their commercial deployment.


Introduction
Devices deployed for high-security applications, such as Hardware Security Modules (HSMs) [BB19], have to withstand tampering attacks. For this purpose, cryptographic modules require a physical boundary in the form of enclosures or coatings [Fed08,ISO17,ISO12] that can detect a tamper event and trigger an alarm, zeroing all relevant Critical Security Parameters (CSPs) on the device. The first generation of enclosures contained meshes of electrodes that continuously monitor resistivity to determine whether a tamper-event occurred [OI18, W.L, IMJFC13,Adv12]. However, monitoring required a continuous power supply in the form of batteries, which reduced the overall lifetime of the device and came with a higher sensitivity towards environmental influences.
Printed Circuit Board (PCB). To detect whether a tamper event occurred, light from Light-Emitting Diodes (LEDs) is sent through the polymer waveguide, and the created light patterns are analyzed. A drawback of the optical waveguide polymer PUF is, however, that it does not protect the whole device but only the top area of the PCB. Optical PUFs were also applied to smartcards by Esbach et al. [EFK+12]. Another electromagnetic PUF arranges antennas within an electromagnetic-sensitive sealing material [TZP20]. The wavelength of the radio signals varies due to manufacturing variations of the sealing material. The measurement of the channel state information between antennas determines whether a tamper event occurred. A similar approach is the anti-tamper radio proposed by Staat et al. [STZP21]. Smaller-scale PUF coatings aim to protect small areas on integrated circuits (ICs). One such example was proposed by Tuyls et al. [TSŠ+06], where the capacitance of randomly arranged particles within a coating is measured in order to determine a tamper event. Zhang et al. [ZHW+21] recently proposed Switched-Capacitor PUFs as protection of electrical circuits from manipulation. Another technology closely related to challenge-response PUFs is a 3D hardware canary introduced by Briais et al. [BCC+12]. Here, a security-sensitive circuit is surrounded by a wire cage. A spatially distributed chain of functions placed at the vertices of the cage forms the hardware canary. A challenge has to be answered by a correct response to attest to the canary's integrity. The main difference between PUFs and hardware canaries is that hardware canaries are constructed through an algorithm, while PUFs are based on random manufacturing variations. Capacitive PUF-based enclosures [IOK+18, ION+19] protect larger areas and entire PCBs, as discussed in more detail in Section 3.

Error Correction Codes
The application of Physical Unclonable Functions requires a sufficient level of reliability under environmental changes. For this purpose, PUF-key generation includes an error correction step. Various error correction codes for PUFs focus on optimizing the code in terms of implementation overhead, decoding complexity and hardware resources [BGS+08, MVHV12, HKS20, MHK+19, PMB+15], applying Bose Chaudhuri Hocquenghem (BCH), Reed Solomon or Reed Muller codes. Another way of reducing the implementation overhead is to include soft and reliability information [MTV09a, MTV09b, MPB18, HOSB16]. Apart from implementation efficiency, secrecy leakage is a known issue for PUFs. Hence, several schemes were proposed to tackle this problem, focusing either on information leakage due to bias in the PUF-response [MLSW16, BY19, IHL+19] or on the reduction of helper data leakage [CW19, BY21]. Müelich and Bossert circumvented the leakage problem by proposing a novel secure sketch where no additional helper data is required [MB17]. One of the main goals of an error correction code is to minimize the failure probability. This was the objective of Chen et al., who applied polar codes to SRAM PUFs [CIW+17]. In the context of PUF-based enclosures, achieving tamper-sensitivity is a significant issue, as we will see in the subsequent section. An attempt to ensure high sensitivity to attacks while still correcting environmental effects was made by Immler and Uppund, who applied Limited Magnitude Codes (LMCs) [IU19], where only errors of a certain magnitude are corrected.

Wiretap Coding and PUFs
The task of an error correction code for PUFs is to target the noise effects in the PUF-response to derive an error-free secret key. Wiretap codes, on the other hand, have an additional feature: not only can they correct errors in the noisy PUF-response, but they also incorporate a security aspect. Wyner has shown in [Wyn75] that additional randomness besides the error correction capability is necessary to achieve security. Consequently, not every error correction code applied to PUFs is a suitable wiretap code. Hence, several papers have studied wiretap codes, in particular for PUFs. They were introduced for PUFs in [HÖ17] for codes of up to 64 bit length. In [BY19] and [BY21], the authors extend this preceding work to larger binary polar codes. However, in comparison to the approach proposed in this work, there are three major differences: (i) In the state-of-the-art applications of wiretap coding for PUFs, the goal is debiasing instead of physical layer security. (ii) The attacker in the state-of-the-art approaches is assumed to be weaker than in this work: in [HÖ17, BY19, BY21], the attacker receives the helper data as the output of his channel. Hence, the whole PUF-response is interpreted as error induced over the wiretapper's channel. In this work, the received message is degraded in comparison to the legitimate channel only by the impact of a drilling attack. (iii) We operate on q-ary instead of binary polar codes; the enclosure PUF in this work allows for a higher-order quantization, and thus, more entropy can be extracted from the PUF than in the binary case. Consequently, we propose a novel scheme because plain PUF error correction cannot detect an attacker, and the previous wiretap codes for PUFs match neither our attacker model nor the non-binary response of our enclosure PUF. This is detailed in the following sections.

Key Generation for Capacitive PUF-Based Enclosures
The capacitive PUF-based enclosure requires several blocks: the measurement of the PUF-response (3.1), processing of the analog PUF-data before quantization (3.2), quantizing analog data to symbols (3.3), and finally, error correction on these symbols including key generation (3.4). Previous work on the capacitive enclosure, including an overview of the system components, is summarized in Subsection 3.1. An overview of post-processing steps, as proposed in [ION+19, IOK+18], is given in Subsection 3.2.1. To enhance the existing PUF-model, we provide a detailed analysis of the impact of temperature effects and drilling attacks on the enclosure in Section 3.2. Our analysis is based on the measured PUF-responses obtained from [ION+19]. In Section 3.3, we analyze the distortion and error for different types of quantization. The goal of our analysis is to obtain an estimate for the error probability of our channel model and to investigate binary and q-ary channel models. Section 3.4 focuses on the different possible key generation schemes for the PUF-model and q-ary channels.

The Capacitive Enclosure
The 18.5 cm × 9 cm capacitive envelope (B-TREPID) [IOK+18] consists of two layers, each with 16 copper (Cu) electrodes (Rx and Tx) arranged in a meander structure, that are separated by an insulating layer of polyimide (PI). The electrodes have a width and distance of 100 µm, as depicted in Figure 1. To reduce the impact of alternating electric fields on the capacitive measurement, the top and bottom of the envelope were extended by an additional shielding layer of Cu [Obe19, IOK+18], leading to an overall thickness of approximately 0.3 mm. Together with a cable for external communication, the envelope is wrapped around a casing containing the protected PCB, depicted in Figure 2. The Cu electrodes overlap and form 16 × 16 absolute capacitances, which are, however, not suitable for the evaluation as a PUF since they depend on global manufacturing variations. The actual PUF-response is, hence, formed by measuring the difference between these absolute values, resulting in 128 differential capacitances with an estimated maximum entropy of 560 bits. These differential capacitances are obtained by measuring two Tx-electrodes (Tx pair) against one Rx-electrode. From the PUF-response, a secret KEK is derived (key enrollment) and repeatedly reproduced (key reproduction). A drilling attack with a diameter of 300 µm destroys two of the electrodes, leading to a loss of 80 bits of entropy [IOK+18] in the unprocessed PUF-response, which alters the reproduced key.
To measure the PUF-response, a discrete measurement circuit was developed [OIHS18]. Since this circuit was optimized in terms of accuracy and not size, a smaller measurement IC of approximately 5 mm × 5 mm was developed and integrated into the envelope [FIU+18]. The IC measures 16 differential capacitances in parallel, which decreases the measurement time. However, the optimization in terms of space and time comes at the expense of accuracy.
A microcontroller carries out the post-processing of the PUF-response on the PCB running the Embedded Key Management System (EKMS) [OHHS18,GOFK21]. The EKMS is a hardened FreeRTOS with integrated key management and key generation. This also includes the error correction algorithm to compensate for noise and environmental effects.
To cover only parts of a device, an enclosure (COVER) was developed, which differs from the envelope (B-TREPID) in its use case and mesh arrangement. COVER, in contrast to the envelope, is not wrapped around the device but only covers the top or bottom area of the PCB.
We measured and statistically analyzed the PUF-distribution of 50 envelopes (B-TREPID) [IOK+18] and 115 enclosures (COVER) [ION+19]. The differential capacitances of B-TREPID and COVER are both Gaussian distributed and behave equivalently under external influences. However, their overall range in femtofarads differs, which makes merging both data sets difficult. In general, the distribution of COVER is broader compared to B-TREPID. Since the COVER data is more extensive than the B-TREPID data, the following analysis will focus on data obtained from the COVER.

Analysis of the PUF-Response
This section covers an analysis of the measured capacitances and how they are affected by temperature changes and drilling attacks.

General Overview
For the following analysis, the PUF-response was measured with the discrete circuit [OIHS18]. Measuring a single differential capacitance (also called "node") with the discrete circuit takes 390 µs on average, while the differential measurement of the entire enclosure takes 50 ms.

Noise Distribution
Despite low-noise components and noise filtering within the measurement circuit, an inevitable noise caused by the full setup of the enclosure and the measurement system still remains. The noise plays a major role in the quantization of the PUF-response, which is discussed in Subsection 3.3. The noise distribution was statistically determined from 200 consecutive measurements of the same COVER. It is well-approximated through a Gaussian with a standard deviation of 1.7 fF corresponding to 129 points [Obe19] centered around µ = 0 fF.

Post-Processing
After measuring the PUF-response, several post-processing steps are necessary before the generation (or reproduction) of the PUF-key. Figure 3 depicts the three steps of post-processing with analog helper data generation:
1. Shift of Tx groups (normalization)
2. Generation of quantization mapping
3. Generation of analog helper data
The raw differential capacitances are obtained by measuring two Tx electrodes against one Rx electrode. We will refer to each of these Tx-pairs measured against all other Rx electrodes as a Tx group. However, global manufacturing variations in the thickness of the electrodes lead to offsets in the raw differential capacitance of some of the Tx groups [OIHS18]. In order to remove the dependency of each Tx group on these global variations, we subtract the group mean in the first step. We will refer to the Tx group shift as "normalization".
In the second step, the PUF-response is quantized, i.e., it is divided into quantization intervals. To reduce the quantization error, the PUF-values of each interval are shifted to the center of the interval (step 3), see [IHKS16]. This offset is stored as analog helper data. Even though this step reduces the quantization error, it is not sufficient to compensate for all errors stemming from noise, let alone environmental changes, as we will see in the following. Subsection 3.3 will discuss quantization in more detail.

Temperature Distribution
Environmental effects, for example, changes in temperature and humidity, alter the measured PUF-response. The effects of electromagnetic interference were considered in the design of the PUF and the measurement circuit. A copper shielding was added to the envelope to counteract the effect of alternating electric fields. Without the shielding, reliably measuring the differential capacitances is not possible. The effects of external magnetic fields are counteracted by the narrow excitation frequency and canceled out through the meander structure of the PUF. Hence, for the following analysis, we focus solely on temperature effects. Fig. 4 shows the absolute capacitances for temperatures between −20°C and 60°C. The corresponding differential capacitances are depicted in Fig. 5a before normalization (Tx group shift) and in Fig. 5b after. Apart from a shifted mean, the normalized distribution (Fig. 5b) also appears narrower than the distribution of the raw capacitances (Fig. 5a). The normalized distribution exhibits a lower variance, as all Tx group means are shifted separately. Fig. 5c depicts the change in the measured differential capacitance compared to a reference distribution at 20°C. The maximum difference amounts to 1500 points at 60°C (Fig. 5d), where most node changes are within [−700, +700] points. Fig. 5e and Fig. 5f depict histograms of the differential capacitance for temperatures between 0°C and 60°C before and after normalization. The Gaussian fits show that, in both cases, as the temperature increases, the distribution broadens, even though the standard deviation is of a smaller magnitude (∆σ = 207) after normalization. In the case of the raw distribution, the mean is shifted to the right as the temperature increases.
Figure 5: Analysis of the differential capacitance under temperature changes. (c) Drifts in differential capacitance: change in differential capacitance due to temperature changes compared to the reference measurement (at 20°C) before Tx group shift. (d) Drifts in differential capacitance: change in differential capacitance due to temperature changes compared to the reference measurement (at 20°C) after Tx group shift. (f) Distribution of the differential capacitance (with Gaussian fit) for temperatures between 0°C and 60°C after Tx group shift.
The enclosure protects devices that have to resist large environmental changes in the field, which depend on the reliability requirements of the particular use case. For instance, the security policy for the HP Atalla Ax160 PCI HSM [Hew] states that for temperatures outside of the range [−20°C, 100°C], a tamper-event is generated. Hence, an envelope or COVER protecting such a device will have to withstand temperature changes outside of the interval [−20°C, 60°C]. Higher temperatures create even larger offsets in the raw differential data and, thus, broaden the distribution.

Attack Distribution
The envelope and COVER are designed to withstand drilling attacks with a diameter of 300 µm, since both the width and distance of the electrodes are 100 µm. Hence, a drilling attack destroys at least two electrodes. As we will see, drilling attacks affect the enclosure in two different ways. Fig. 6 shows the change in the PUF-response due to such a drilling attack before and after normalization. The normalization reduces the large offsets and shifts points outside of [−10000, +10000] back to the distribution center. Values outside of the ±10000 full-scale range (highlighted in grey) are subjected to non-linear effects (clipping) during the measurement. Since, in general, values outside of that range are also possible during a regular measurement, a simple check for values outside of the full-scale range is not sufficient to detect an attack. Furthermore, attacks with smaller drilling diameters might lead to smaller changes in the differential capacitance. The changes in Figure 6 show that the attack "muddles up" the differential capacitances of the affected Tx groups. These burst errors have to be considered in the error correction. Apart from burst errors, drilling attacks also lead to a broadening of the PUF-distribution. Fig. 7a and 7b depict the histograms of the PUF-response before and after the attack, without and with normalization. Before the normalization (Fig. 7a), the distribution broadens significantly, with a change in standard deviation of 3295 points. With normalization, the broadening of the distribution is reduced to 787 points, since through an attack a specific Tx group is affected more than others. However, it still significantly exceeds the broadening due to temperature changes.

Quantization of the PUF-Response
Quantization is an essential step in post-processing the PUF-response, as discussed in Subsection 3.2. In the following, we discuss previous quantization schemes that were analyzed in the context of the capacitive PUF-based envelope. Based on the analysis of the PUF in the previous subsections, we determine how different choices of quantization intervals affect the PUF-response.

Previous Work on Quantization
Before analyzing the choice of quantization intervals in more detail, we first give an overview of previous quantization schemes discussed in the context of the PUF-based security enclosure. Note that quantization in this case does not signify the mapping from continuous to discrete capacitive values. Instead, it represents an additional step performed on the already discretized PUF-response, after the Analog-to-Digital Converter (ADC), to reduce the impact of noise during a regular measurement. Previous discussions on quantization schemes in the envelope context focused on the advantages and disadvantages of equidistant versus equiprobable quantization intervals [IHKS16, IHL+19, IU19, ION+19]. Equiprobable intervals lead to a uniform distribution of the normalized capacitances, while equidistant intervals distribute the capacitances unevenly. In the case of equiprobable quantization, the analog helper data, stored to shift the PUF-data to the middle of the interval, might leak information about the location of the PUF-data within the distribution. However, since the helper data reside within the enclosure boundary, they are difficult to access. Apart from this comparison, previous work also comprised variable-length quantization with equidistant intervals. This approach maps the PUF-response to binary values of variable length in order to optimize the per-bit minimum entropy [IHL+19]. The authors tailored the variable-length mapping to Varshamov-Tenengolts (VT) codes, which correct a single insertion, deletion, or substitution. However, variable-length codes are susceptible to increased error propagation in case critical bits or symbols are lost; this may require synchronization correction and, thus, complicates the decoding process [GN98, CRR98]. Another drawback is that a single PUF-node might be distributed over several intervals, which makes its behavior in terms of external influences, like attacks or environmental changes, less predictable.
The choice of an optimal quantization scheme is a non-trivial task, especially for noisy sources [GN98]. In the following, we aim at providing more clarity on the quantization behavior by investigating the effect of noise and external influences.

Quantization and Distortion
The quantization of the PUF-response follows two goals. On the one hand, the choice of quantization intervals determines the entropy of the PUF-key, and hence, should yield sufficient accuracy. On the other hand, the intervals should be chosen such that the quantized PUF-response is reliable enough, with a decreased susceptibility to noise. The optimization of both goals is mutually exclusive and comes with a particular trade-off. Apart from this trade-off, the quantization also determines the leakage of the PUF-response.
Equidistant intervals leak information about the PUF through varying symbol probabilities, while equiprobable quantization leaks information through the analog helper data. Hence, in both cases, we accept an unavoidable information leakage. The quantization quality can be measured as distortion [GN98], which describes how well the original variable x can be reproduced through the quantization x̂. In the following, we consider a simple distortion measure d, which for a sequence of length n reads:
We simulated the distortion for a set of 1000 noisy PUF-responses, as depicted in Figure 8a, for equidistant (blue), equiprobable (red), and k-means (green) quantization from a total of 5 to 200 intervals. We see that the distortion does not decrease further beyond a certain number of intervals. This threshold depends on the amount of noise (σₙ = 65, σₙ = 129, and σₙ = 258) that occurs during a regular PUF-measurement. The number of interval shifts for a PUF-response is depicted in Figure 8b. We see that, in general, equidistant quantization has a lower probability of interval shifts occurring. The reason for this is that the innermost intervals of an equiprobable (or k-means) quantization are very narrow, and hence, smaller offsets have a higher impact compared to equidistant quantization. We also see that the difference in interval changes between the three cases (T = 20°, T = 60°, attack) grows with an increasing number of intervals. Quantized values should be encoded such that the distance between adjacent intervals is minimized. For binary numbers, this can be achieved by a Gray code mapping. Figure 9 depicts the Bit Error Ratio (BER) for Gray code mapping, comparing PUF measurements at T = 20° and T = 60° against a drill attack. We see that, for a number of intervals ≤ 64, the BER at an elevated temperature can be distinguished from the BER of a drill attack. However, for a large number of quantization intervals, both curves approach the same BER.
This is due to the Gray code mapping, where each interval is represented by a binary number of log₂(m) bits, where m is the number of intervals. Within the adjacent log₂(m) intervals, each interval change (corresponding to a bit flip) increases the Hamming distance of the encoded value by one. However, when the corresponding PUF-node is changed by more than log₂(m) intervals, the Hamming distance decreases again. Figure 9 depicts the bit error rates for Gray encoding with different quantization schemes and temperatures.
Previous assumptions led to a choice of 40 equidistant quantization intervals with a width of 500 points [IHKS16]. This corresponds to 3.9σ n , where 99.99% of values from the noise distribution are within the confidence interval. In general, we see that equidistant quantization leads to a lower BER and a smaller number of interval changes.
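The three post-processing steps of Subsection 3.2.1 (Tx group shift, quantization, analog helper data) and the interval-shift comparison of the preceding paragraphs are put together in the following Python example, written for this page and not taken from the paper or its EKMS implementation. It uses the page's values (σₙ = 129 points, 40 equidistant intervals of 500 points, ±10000 full scale, 207-point broadening at 60°C) on a constructed, seeded set of Gaussian differential capacitances; the 8 Tx groups of 16 nodes and the 3000-point drill burst on one group are assumptions of the example.

```python
"""Post-processing of the capacitive PUF-response as described above: (1) Tx
group shift, (2) quantization, (3) analog helper data moving each value to its
interval centre, followed by a count of interval shifts under noise, a 60 C
measurement and a drilling attack for equidistant versus equiprobable intervals.
All capacitance data are CONSTRUCTED (seeded Gaussian draws in ADC points); the
page supplies sigma_n = 129, 40 intervals of 500 points, the +-10000 full scale
and the 207-point broadening at 60 C. The 3000-point drill burst is assumed."""
import bisect
import random
import statistics

FULL_SCALE = 10000   # points; the ADC clips beyond +-10000
SIGMA_NOISE = 129    # points, regular measurement noise (page)
SIGMA_TEMP = 207     # points, extra broadening at 60 C after normalization (page)
SIGMA_DRILL = 3000   # points, CONSTRUCTED burst on every node of one Tx group


class Quantizer:
    def __init__(self, edges):
        self.edges = list(edges)   # m+1 ascending edges for m intervals

    @classmethod
    def equidistant(cls, width=500):
        m = 2 * FULL_SCALE // width   # 40 intervals for the page's choice
        return cls(-FULL_SCALE + i * width for i in range(m + 1))

    @classmethod
    def equiprobable(cls, samples, m):
        """Edges at empirical quantiles of the enrolment values: every interval
        holds the same number of nodes, so the inner ones are narrow."""
        s = sorted(samples)
        inner = [s[len(s) * i // m] for i in range(1, m)]
        return cls([-FULL_SCALE] + inner + [FULL_SCALE])

    def index(self, v):
        """Step 2: interval index, clamped to the full-scale range (clipping)."""
        i = bisect.bisect_right(self.edges, v) - 1
        return max(0, min(len(self.edges) - 2, i))

    def center(self, i):
        return (self.edges[i] + self.edges[i + 1]) / 2


def normalize(groups):
    """Step 1 (Tx group shift): subtract each Tx group's mean, which carries
    the global manufacturing offset of that Tx pair. Returns one flat list."""
    return [v - statistics.fmean(g) for g in groups for v in g]


def enroll(groups, q):
    """Steps 1-3 at enrolment: symbols and analog helper data w = centre - x."""
    x = normalize(groups)
    symbols = [q.index(v) for v in x]
    helper = [q.center(s) - v for s, v in zip(symbols, x)]
    return symbols, helper


def reproduce(groups, helper, q):
    """Reproduction: normalize the new measurement, add w, quantize again."""
    return [q.index(v + w) for v, w in zip(normalize(groups), helper)]


def constructed_enclosure(rng, n_groups=8, nodes=16):
    """Raw differential capacitances: Gaussian nodes plus one offset per Tx group."""
    offsets = [rng.gauss(0, 1500) for _ in range(n_groups)]
    return [[o + rng.gauss(0, 2500) for _ in range(nodes)] for o in offsets]


def disturb(groups, rng, sigma, burst_group=None):
    """Fresh measurement: Gaussian change of std. dev. sigma on every node; with
    burst_group set, that Tx group is additionally 'muddled up' (drilling)."""
    out = [[v + rng.gauss(0, sigma) for v in g] for g in groups]
    if burst_group is not None:
        out[burst_group] = [v + rng.gauss(0, SIGMA_DRILL) for v in out[burst_group]]
    return out


def simulate(scheme="equidistant", seed=7):
    """{case: (number of nodes that changed interval, largest shift in intervals)}."""
    rng = random.Random(seed)
    raw = constructed_enclosure(rng)
    q = Quantizer.equidistant() if scheme == "equidistant" else Quantizer.equiprobable(normalize(raw), 40)
    symbols, helper = enroll(raw, q)
    sigma_60c = (SIGMA_NOISE ** 2 + SIGMA_TEMP ** 2) ** 0.5
    cases = {
        "noise": disturb(raw, rng, SIGMA_NOISE),
        "temperature_60C": disturb(raw, rng, sigma_60c),
        "drill_attack": disturb(raw, rng, SIGMA_NOISE, burst_group=3),
    }
    result = {}
    for name, meas in cases.items():
        d = [abs(a - b) for a, b in zip(symbols, reproduce(meas, helper, q))]
        result[name] = (sum(1 for s in d if s > 0), max(d))
    return result


if __name__ == "__main__":
    for scheme in ("equidistant", "equiprobable"):
        print(scheme, simulate(scheme))
```

Running it prints, for both quantizers, how many of the 128 constructed nodes change interval and the largest shift for a noisy, a 60°C and a drilled measurement; the narrow inner equiprobable intervals already shift under plain noise, while the drilled Tx group produces shifts of several intervals that the temperature case does not reach.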
For 40 intervals, we see that the distortion has not yet reached the threshold, and the difference in interval shifts is still relatively small. The distortion for equidistant intervals and k-means reaches the threshold at approximately 100 intervals; however, the BER for Gray encoding decreases significantly from 64 intervals to 128. A similar behavior can be observed for non-local and balanced Gray Codes and the binary representation of consecutive decimal numbers. Codes with a larger number of bits, for instance, Johnson code, lead to an even faster decrease of the BER due to a large number of bits per symbol.
Hence, these binary mappings do not describe the error behavior of Figure 8b accurately enough, and what is more, even benefit the attacker when the number of intervals increases. In general, modeling the enclosure through a binary channel is difficult. Thus, we focus on a q-ary channel model for our wiretap channel implementation in Section 4.
Quantization represents the final step of post-processing. The quantized and encoded PUF-response is the input to the key generation, which is discussed in the following. Note that although we employ a wiretap code to increase security, we still utilize schemes for error correction.

Generating Keys from Physical Unclonable Functions
In the following, we give an overview of key generation schemes and discuss their suitability for the capacitive PUF-based enclosure.

Key Generation Schemes
When it comes to choosing a key generation scheme, one can either consider pointer-based schemes, where additional reliability information about the PUF is included, or linear schemes, where a key is generated without considering properties of the PUF. In the first case, the advantage of additional reliability comes at the expense of discarding certain PUF-bits. Applying pointer-based methods to the enclosure leads to "blind spots"; hence, only reliable parts of the PUF-response constitute the PUF-key. Thus, the PUF-key becomes less susceptible to changes through an attack, making pointer-based schemes [YD10, HMSS12, HWRL+13, YHD15] unsuitable for the capacitive enclosure. A variety of linear schemes do not consider reliability information about the PUF and, hence, derive a key based on the complete PUF-response. One of the first schemes proposed for PUFs, the Fuzzy Commitment [JW99], which was extended by adding the quantization and post-processing steps for the capacitive enclosure, is depicted in Figure 10. It consists of two major steps: (i) During the enrollment at the manufacturer, a key is chosen and the corresponding helper data are generated; to be more precise, a true random number R generates the secret S, which is then encoded to the codeword C. (ii) In the reproduction phase, the key is repeatedly restored through measuring the PUF-response during the regular operation of the protected device. In the enrollment phase, the measured and normalized PUF-response X is quantized q(x), and the analog helper data W are generated and stored in NVM. From the codeword together with the quantized PUF-response X, the helper data W are calculated and stored in NVM to end the enrollment. The "channel" is obtained by repeatedly reproducing the PUF-response, which is subjected to noise (n), environmental effects like temperature changes (t), and possible drilling attacks (a).
This can be seen as a "faulty" codeword "transmitted" over a noisy channel that, when decoded during reconstruction, yields the secret S. In order to verify the secret, which is a KEK, the key chain is decrypted. If this is successful, the secret S is valid. Otherwise, the alarm and zeroization are triggered. The Fuzzy Extractor [DRS04] is another scheme, similar to the Fuzzy Commitment. In this case, however, the PUF-response and not a true random number constitutes the secret, which is why the secret is hashed in order to reduce helper data leakage. A scheme where no random number from a True Random Number Generator (TRNG) is generated is the Syndrome Construction [DRS04, DORS08]. Just as in the case of the Fuzzy Extractor, the secret is equivalent to the PUF-response, which makes additional hashing necessary. In the basic Syndrome Construction, the helper data W = X Hᵀ are defined via the parity check matrix H. The reconstruction consists of minimizing the error e in W = (X + e) Hᵀ. In [CIW+17], this approach is implemented in the context of polar codes; however, as we will see in Section 4, it is not suitable for wiretap coding. Another scheme that does not require an additional random number R is Systematic Low Leakage Coding (SLLC) [HYP15]. In this case, the PUF-response X = X_S + X_M is split into the secret X_S and a part X_M for masking. The helper data is defined as W = X_S P ⊕ X_M. SLLC has the drawback that hashing is required. Furthermore, it can only be applied to systematic codes, where the information and redundancy are separated.

Figure 10: Key generation via Fuzzy Commitment including post-processing and quantization (key enrollment, noisy channel, key reproduction).
A key generation scheme based on the secure sketch that does not require additional helper data was proposed by Müelich and Bossert [MB17]. The Helper Data Algorithm (HDA) is necessary to create a codeword from the PUF-response, however, Müelich and Bossert constructed the code, such that the PUF-response corresponds to a codeword. A drawback that the authors described was the increased complexity of their scheme. For the capacitive PUF-based enclosure, we choose the Fuzzy Commitment as depicted in Figure 10 due to two main reasons: (i) This allows for a full flexibility regarding the key. Because the key is generated from a TRNG, a second enrollment is possible e.g. after transport (see [GOFK21]). Besides, no hash function is required. (ii) As discussed in Section 4.2.2, it is necessary for the wiretap setting to introduce randomness. This is not possible for key generation schemes such as Syndrome constructions or SLLC because the key and helper data only depend on the PUF response without additional randomness. As the overall key generation scheme has been chosen, the next step is to find a suitable encoder and decoder for the error correction.

Previous Error Correction Codes
Several error correction codes were proposed for the enclosure, for instance, Reed Solomon, BCH, or VT codes [IU19, IHL+19]. However, a major issue regarding error correction in the context of the enclosure is that the chosen code might correct changes in the PUF-response that originate from an attack. Many of the previously proposed schemes do not address this problem.
To tackle this issue, error correction based on Limited Magnitude Codes (LMCs) was proposed [IU19,JL12], where only the Least Significant Bits (LSBs) of each of the PUFsymbols are corrected. Through this, the error correction is restricted to the neighboring intervals, leaving larger offsets caused by an attack unchanged. In general, LMCs provide a simple method to incorporate tamper-sensitivity without considering complex error patterns.
In order to describe the more complex patterns of burst errors and changes in the PUFdistribution, we propose a wiretap channel implementation based on polar codes. By choosing Polar Codes, we are able to model both effects -environmental influences and attacks -separately, as we will see in the next section. This separation requires a wiretap code and is not feasible with regular PUF error correction codes.

Implementing the Wiretap Channel
The applied error correction code has to be able to distinguish between environmental changes and an attack. A theoretical model that incorporates this separation between two different channels, is the wiretap channel [Wyn75, OW85,CK06]. In the following, we model the error behavior of the enclosure with the help of the wiretap channel, and propose an implementation based on polar codes.

The Wiretap Channel and Attacker Model
The wiretap channel originally regards the problem of a wiretapper eavesdropping on a discrete, memoryless channel [Wyn75]. Wyner showed that a reliable transmission with a finite capacity is possible while achieving approximately perfect secrecy. For this, he assumed that the wiretapper eavesdrops on the transmission via a second channel. Hence, the goal is to provide a reliable transmission on the main channel while hiding it from the second channel accessed by the wiretapper. In general, there exist different assumptions for error probability and secrecy [OW85]. The separation into a legitimate and a noisy channel can be applied to the capacitive PUF-based enclosure in order to improve the error correction. We adapt the wiretap channel for our purposes, see Figure 11, such that on the main channel the codeword C = X ⊕ W is "transmitted" with error probability p_1, considering changes in the PUF-distribution that stem from noise ˆn and temperature changes ˆt. On the second channel, the codeword is additionally affected by changes due to an attack ˆa, which leads to a different error probability p_2. Previous polar code implementations of wiretap channels in the PUF-context focused on binary silicon PUFs and on hiding secrecy leakage from unstable or biased PUF-bits [HÖ17, BY19, BY21]. These wiretap codes dissected their implementation into a regular channel and a channel over which the distorted helper data are transmitted. Our use case and code construction differ significantly from previous implementations, since the helper data do not have any relevance in our case. We construct the wiretap channel from a channel modeling the regular transmission of the PUF-response, while the other channel models the PUF-response under attack, e.g., through a drilling attack. What is more, our code construction is based on q-ary polar codes.
To the best of our knowledge, we are, hence, the first to provide a wiretap channel design and implementation with higher-order alphabet PUFs targeting physical layer security. Regarding ˆa, we define our attacker to have two possibilities: (i) When the overall device enclosed by the PUF is powered off, the attacker can remove the envelope. He can then try to decrypt the data that has been secured by the PUF key. (ii) During runtime of the device, he can drill a hole into the envelope and try to gain access to the sensitive data in a minimally invasive way to prevent zeroization. An investigation of micro-drilling attacks, magnetic probing, and bypassing of electrodes was published by Garb et al. [GSHO21] in the context of the capacitive PUF-based enclosure, including countermeasures. The enclosure was designed [ION+19, IOK+18] to withstand 250-300 µm diameter drilling attacks, which can be reliably detected. Smaller holes are achieved through laser beams with high aspect ratios. Focused Ion Beams (FIBs) are, in general, more suited for processing surface structures. An attempt to drill a deep hole with a FIB will lead to debris at the bottom of the hole due to the removed material, making small holes with a diameter of approximately 10 µm infeasible. However, with lasers and high aspect ratios, small holes in the two-digit micrometer range are, in general, achievable. The thickness of the casing and an additional potting material hinder an attacker from reaching the components on the PCB, since a deeper hole comes with a larger diameter. Another factor is the probing of critical components, which is limited by the shaft width of the probing needle. The tip length of the smallest commercially available probing needles amounts to 3.3-5 mm, while the shaft width is usually in the higher two-digit micrometer range and will, hence, not fit through an arbitrarily small hole. The reach of the probing needle can be further limited by increasing the casing thickness. Since small holes, in general, require additional countermeasures that cannot be achieved through error correction, we focus on detecting holes with a diameter of 250-300 µm.

Figure 11: A wiretap channel adaptation for measurement noise ˆn, environmental changes (Figure panels: key enrollment, key reproduction; dec, dec; S, S; noisy channels.)
The envelope provides good protection against fault injection since it covers the entire device. The only component that can be accessed externally is the voltage supply. However, voltage glitching is mainly hampered by monitoring the voltage supply. Also, hardware-based countermeasures through an optimized choice of electronic components make voltage glitching attacks practically infeasible. When replacing the PUF-based solution with a battery-backed system, the power supply resides within the boundary of the enclosure, leaving no attack point for Laser Fault Injection (LFI) or glitching attacks. However, even in this case, faults induced by radiation are still conceivable and have to be counteracted by extensive software hardening. In the following, we provide an implementation of the wiretap channel through q-ary polar codes such that security is achieved in either attack scenario, (i) and (ii). Our code construction can be applied to other single-challenge PUFs in the context of error correction. In our system model, the PUF serves as a KEK that protects the other critical security parameters in the key chain. Also, device authentication can be achieved by creating additional key pairs [GOFK21].

Polar Codes
Polar codes were introduced by Stolte [Sto03] and later reintroduced by Arıkan [Ari09]. Arıkan showed that polar codes achieve the capacity of a binary-input discrete memoryless channel (DMC) under successive cancellation (SC) decoding. Later works extended Arıkan's result to polar codes defined over a binary extension field, i.e., polar codes with symbols from the extension field F_q, where q is a power of two. Yuan and Steiner introduced the construction of polar codes using a kernel defined over an extension field [YS18]. Besides, polar codes also provide a capacity-achieving construction for the wiretap channel with symmetric component channels [MV11]. Unlike previous polar codes for PUFs [HÖ17, BY19, BY21], we focus on a generalized q-ary polar code to extract more entropy and a longer secret from the PUF. Our analysis in Subsection 3.3 showed that, when the PUF-response is modeled with a binary symmetric channel, a tampering attempt causes only small changes in the PUF-response. Thus, to obtain a valid wiretap coding scenario that guarantees a higher security level, we need to shift to a higher quantization level. The fact that the PUF-response is analog further motivates the use of a quantization process with more than just two levels. The advantages of a q-ary model for the enclosure are an increased sensitivity towards tampering and a higher extraction of entropy. In the following, we discuss the encoder and decoder for the capacitive PUF-based enclosure and the code construction.

Encoder and Decoder
Figure 12 defines a polar code over a finite field F_q [YS18]. Similarly to binary polar codes [Ari09], q-ary polar codes are based on a process called channel polarization. Let the source output be two q-ary symbols (u_1, u_2) and let their encoded version be two q-ary symbols (c_1, c_2). Then the relation between those two vectors is where α is an optimization parameter [YS18] and F_2(α) is the polarization matrix, which in the q-ary case depends on α. As illustrated in Figure 12, two copies of the same physical channel (defined by the channel law P(y|c)) are polarized into two virtual channels. The first channel, with input u_1 and output (y_1, y_2), has a lower rate than the physical channel, and the second channel, with input u_2 and output (y_1, y_2, u_1), has a higher rate than the physical channel [Ari09]. This case can be generalized to a code length n > 2, as depicted in Figure 13. The information symbols u = (u_1, u_2, u_3, u_4, ..., u_n) are encoded using a polar transform that yields the codeword c = (c_1, c_2, c_3, c_4, ..., c_n). The relation between u and c can be written as where F_2(α)^{⊗ log_2 n} denotes the log_2 n-fold Kronecker product of the matrix F_2(α) with itself. The channel output is denoted by y = (y_1, y_2, y_3, y_4, ..., y_n), which represents the erroneous observation of c. Similarly, n physical channels will be polarized into channels with a rate higher than the physical one, and into channels with a lower rate than the physical channel [Ari09]. Arıkan showed that with n → ∞, the channel polarization results in either perfect or useless channels, i.e., channels with capacity 1 or 0. These results were later generalized to the q-ary case [PB12]. However, for short or moderate code lengths, the channel polarization is far from the asymptotic one, so that some channels have to be considered mediocre, i.e., neither perfect nor useless.
The aim of the code construction is to find the best polarized channels, transmit information over those, and freeze the other channels, i.e., transmit a predetermined frozen value over the bad channels that contains no information. We use the symbol 0 as the frozen value and denote the frozen positions by the set F. The decoder is depicted in Figure 14. The task of the decoder is to determine an estimate û = (û_1, û_2, û_3, û_4, ..., û_n) of the source vector, knowing the received y and the frozen positions F and their values. SC decoding is the original decoding algorithm that Arıkan proposed for polar codes, under which they achieve capacity [Ari09].

Figure 13: Polar encoder

SC decoding is a decoding strategy that allows the use of soft information and can be implemented recursively due to the structure of polar codes. The main idea is that the soft information is propagated from right to left (see Figure 14) and check node operations are performed (depicted with an XOR operation and iterated as c_i in Figure 14). Then, after the soft information has reached the very top left positions (the positions of û = (û_1, û_2, ..., û_n) in Figure 14), a hard decision must be performed by taking into consideration the soft information available. Then, the hard decision is propagated from left to right, thus allowing the decoder to successively decide on the bits that were most likely transmitted. The hard decision is then "mixed" with the soft information for the variable node operation (depicted with a bullet point and called v_i in Figure 14). Moreover, since the decoder knows the positions and the values of the frozen bits, it can bypass the hard estimation for those particular positions and "decide" on the correct information. However, a hard decision can lead to a miscorrected symbol, and the error then propagates into later hard decisions.
This issue was solved by Tal and Vardy in [TV11], where they introduced successive cancellation list (SCL) decoding. SCL decoding allows the decoder to pursue several choices for an information position once it needs to make a hard decision for a non-frozen symbol. However, to allow a practically feasible decoder, a list size L was introduced. Once the list of paths is full (when L possible paths are stored in the list stack), the decoder needs to discard the most unlikely paths and only pursue the most likely ones. The work in [TV11] showed that even the smallest possible decoder with L = 2 improves the performance compared to SC decoding, and almost maximum likelihood decoding performance was achieved with a relatively small list size of L = 32 for some parameters [TV11]. For the q-ary case, the authors in [YS18] proposed a pruned SCL decoder that only pursues the paths that lie within a reliability threshold δ. The main difference to conventional SCL decoding is that the list does not have to be full to start pruning. The performance is very comparable to conventional SCL decoding, but the number of operations is significantly reduced in the case where transmission occurs over a good channel [YS18]. Tal and Vardy [TV11] showed that polar codes indeed suffer from a bad weight distribution compared to other state-of-the-art codes, since many times the transmitted codeword was part of the final decoding list but was not the most likely candidate to be picked. Thus, a modification of the decoding is needed such that it picks, with high probability, the transmitted codeword from the final list (if it is a member of it). This can be achieved by code concatenation with a CRC [TV11] or by a hash computation over all candidates of the final list [CIW+17].

Figure 14: Polar decoder

Code Construction
The aim of our code construction is to determine the polarized channels that are "bad" for the attacker channel and "good" for the legitimate channel affected by noise and temperature changes. We estimate the quality of the polarized channels by using the Monte Carlo code construction [Ari09] for both types of channels (legitimate and eavesdropper). However, since we operate in a short-length regime (the length n of the polar code is much smaller than infinity), we cannot have fully polarized symbol channels. In [MV11], a polar code construction is presented that achieves the secrecy capacity of a wiretap channel when the channel components are symmetric. This polar code construction allows the polarization of the symbol-channels u_i ← (y_1, y_2, ..., y_n, u_1, ..., u_{i−1}) for the channels of the legitimate receiver and the eavesdropper. Then, the polarized symbol-channels that are "very bad" are frozen, i.e., the input symbol is set to a fixed value; the polarized symbol-channels that are "good" for the legitimate receiver but "bad" for the eavesdropper are used to transmit information symbols; and finally, the polarized symbol-channels that are "good" for both receivers are used to transmit random symbols that carry no information.
In order to estimate the quality of the polarized symbol-channels, we need a realistic channel model for both the legitimate receiver and the attacker (eavesdropper). In general, at least one Tx and one Rx electrode will be destroyed through an attack with a 250 to 300 µm drill. As explained in Section 3, the PUF-response is analog, and a natural solution is to quantize it. A temperature change or a tampering attempt, as shown in Subsection 3.2, can change the value of the PUF-response. Thus, the changed value may fall into a quantization level other than the original one. Therefore, this effect can be modeled using a q-ary channel with non-zero crossover probabilities. We simulated the probability matrix for all possible symbol changes with 100,000 PUF-responses drawn from the PUF-distribution, considering the changes in the PUF-response as modeled in Section 3. We model the legitimate and attacker channel through q-ary channels for 8, 16, and 32 equiprobable intervals. In contrast to equidistant quantization, equiprobable intervals provide the uniformly distributed input symbols required at the polar encoder. A bias in the distribution of the input symbols can lead to additional leakage that has to be taken into consideration [CW19]. We observed that the channel for the legitimate receiver is not symmetric, and therefore every P(y_i | c_j) = p_{i,j} can be different for i, j ∈ {0, 1, ..., q − 1}. We obtained the p_{i,j} from simulating 100,000 PUF-responses for the legitimate and the attacker channel with the system model parameters described in Section 3. The simulation was done under consideration of the PUF post-processing steps with and without analog helper data.
Since our PUF consists of 8 Tx pairs and 16 Rx electrodes, its response contains 128 values, quantized into 128 q-ary symbols. We use a code-offset solution for error correction and thus need to construct a polar code of length n = 128. Note that the length of the polar code is independent of the value of the quantization level q. We construct the polar code through a Monte Carlo simulation [Ari09]. The core idea of the Monte Carlo code construction is to use uncoded transmission (encode n symbols into a codeword of n symbols) and to add noise to the codeword according to the channel model. Then, SC decoding is performed over the received vector using the soft information of the channel model. The decoding is done as usual, except that after each hard decision, the decoder checks whether the decision was correct, counts the incorrect decisions, and, if necessary, changes the decision to the correct symbol. The idea behind this construction method is to estimate the probability that the decoding of a symbol û_i is wrong given correct previous hard decisions (û_1, ..., û_{i−1}) = (u_1, ..., u_{i−1}). If we ran this algorithm infinitely many times, the estimated probabilities would be the real ones, but a sufficiently good estimate can be achieved with finitely many runs. We perform this estimation for both channels, namely the legitimate and the attacker one. We freeze the channels that are very bad (high probability of an erroneous decision) for both channels. We also transmit random symbols over the channels that are very good (probability of an erroneous decision ≈ 0) and use all others for transmitting information symbols. We then calculate the entropy in bits for the attacker, taking into account the estimates from the Monte Carlo construction. For every polarized symbol channel where information is transmitted, we check the distribution of the SC decoding outcome.
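The following Python example is added here and is not the paper's code; it ties together the Fuzzy Commitment chosen above (Figure 10), the SC decoder of the previous subsection, and the genie-aided Monte Carlo construction just described. It uses the binary case (q = 2) so that the recursion stays short, whereas the paper's construction is q-ary and estimates its channels from simulated PUF-responses rather than from a binary symmetric channel (BSC). The code length, the crossover probabilities of the assumed legitimate and attacker channels, the threshold d, the attacker-reliability cut-off and the trial counts are all assumed toy values.

```python
import math
import random

# Added example, not the paper's code: binary (q = 2) polar transform, SC decoding
# over a binary symmetric channel (BSC), genie-aided Monte Carlo code construction for
# a legitimate and an attacker channel, and code-offset (Fuzzy Commitment) enrollment
# and reproduction. All channel parameters below are assumed toy values.


def polar_transform(u):
    """x = u * F^{(x)m} over GF(2), F = [[1,0],[1,1]], natural (non bit-reversed) order.
    Since F*F = I over GF(2), the transform is its own inverse."""
    if len(u) == 1:
        return list(u)
    half = len(u) // 2
    upper = polar_transform(u[:half])
    lower = polar_transform(u[half:])
    return [a ^ b for a, b in zip(upper, lower)] + lower

def bsc_llrs(y, p):
    """Soft channel information LLR = log P(y|0)/P(y|1) for a BSC with crossover p."""
    lr = math.log((1.0 - p) / p)
    return [lr * (1 - 2 * bit) for bit in y]

def _check_node(a, b):
    """Min-sum approximation of the box-plus (check node) operation."""
    sign = 1.0 if (a >= 0) == (b >= 0) else -1.0
    return sign * min(abs(a), abs(b))

def sc_decode(llrs, frozen, offset=0, genie=None, errors=None):
    """Successive cancellation decoding. Construction mode (genie = true source vector,
    errors = per-position counters) counts each wrong hard decision and replaces it by
    the true symbol, so estimates are conditioned on correct previous decisions."""
    n = len(llrs)
    if n == 1:
        if offset in frozen:
            return [0]                        # frozen positions always carry 0
        decision = 0 if llrs[0] >= 0 else 1
        if genie is not None:
            if decision != genie[offset]:
                errors[offset] += 1
            return [genie[offset]]            # continue with the correct decision
        return [decision]
    half = n // 2
    upper = [_check_node(llrs[i], llrs[i + half]) for i in range(half)]
    u_upper = sc_decode(upper, frozen, offset, genie, errors)
    x_upper = polar_transform(u_upper)        # partial re-encoding for the variable nodes
    lower = [llrs[i + half] + (1 - 2 * x_upper[i]) * llrs[i] for i in range(half)]
    u_lower = sc_decode(lower, frozen, offset + half, genie, errors)
    return u_upper + u_lower

def monte_carlo_construction(n, p, trials, rng):
    """Estimate per polarized channel P(wrong decision | earlier decisions correct) from
    uncoded random vectors sent over a BSC(p)."""
    errors = [0] * n
    for _ in range(trials):
        u = [rng.randint(0, 1) for _ in range(n)]
        y = [bit ^ int(rng.random() < p) for bit in polar_transform(u)]
        sc_decode(bsc_llrs(y, p), frozen=set(), genie=u, errors=errors)
    return [e / trials for e in errors]

def wiretap_design(err_legit, err_attack, d, attacker_good=0.05):
    """Frozen: legitimate error above threshold d. Random: also reliable for the attacker,
    so the position must carry no information. Info: good legitimately, bad for the attacker."""
    frozen, info, rand = set(), [], []
    for i, (pl, pa) in enumerate(zip(err_legit, err_attack)):
        if pl > d:
            frozen.add(i)
        elif pa <= attacker_good:
            rand.append(i)
        else:
            info.append(i)
    return frozen, info, rand

def enroll(secret, puf_response, info, rand, rng):
    """Fuzzy Commitment: helper data W = C xor X, where the codeword C carries the
    TRNG secret on the info positions and fresh random symbols on the random ones."""
    u = [0] * len(puf_response)
    for pos, bit in zip(info, secret):
        u[pos] = bit
    for pos in rand:
        u[pos] = rng.randint(0, 1)            # randomness required in the wiretap setting
    return [c ^ x for c, x in zip(polar_transform(u), puf_response)]

def reproduce(helper, puf_noisy, frozen, info, p):
    """Decode X' xor W = C xor (X xor X') and read the secret from the info positions."""
    u_hat = sc_decode(bsc_llrs([w ^ x for w, x in zip(helper, puf_noisy)], p), frozen)
    return [u_hat[pos] for pos in info]

def run_demo(seed=1, n=32, p_legit=0.05, p_attack=0.25, d=0.02, trials=400):
    """Construct the code for both assumed channels, enroll a secret against a
    constructed PUF-response and reproduce it from a noiseless copy of that response."""
    rng = random.Random(seed)
    legit = monte_carlo_construction(n, p_legit, trials, rng)
    attack = monte_carlo_construction(n, p_attack, trials, rng)
    frozen, info, rand = wiretap_design(legit, attack, d)
    x = [rng.randint(0, 1) for _ in range(n)]           # constructed PUF-response
    secret = [rng.randint(0, 1) for _ in info]
    ok = reproduce(enroll(secret, x, info, rand, rng), x, frozen, info, p_legit) == secret
    return {"legit": legit, "attack": attack, "frozen": sorted(frozen),
            "info": info, "random": rand, "reproduced": ok}

if __name__ == "__main__":
    print(run_demo())
```

Running `run_demo()` prints the per-position error estimates for both channels and the resulting position classes; the low-index positions (all check-node operations) come out close to 0.5 for the legitimate channel and are frozen, the highest-index positions are reliable even for the much noisier attacker channel and therefore receive random symbols, and the positions in between carry the secret. The genie in `sc_decode` is what turns an ordinary decoder into the construction tool: it counts a wrong decision and then overwrites it, so each estimate is conditioned on correct earlier decisions exactly as the text describes.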
We checked that many outcomes were uniformly distributed over the extension field (ensuring maximum entropy), while some outcomes leaned slightly towards the correct symbol. However, since we can ensure uniformly distributed input symbols (due to equiprobable quantization), the attacker cannot improve a guess by using the prior probability of each symbol (MAP decoding). An entropy of s bits means that the attacker can, at best, brute-force 2^s options for the decoding process. For SCL decoding this means that the list size L should be at least L > 2^s in order to have the correct codeword in the final list. Due to the code-offset construction, we add the PUF-response to a randomly generated codeword of the polar code and store the helper data. The results from the Monte Carlo code construction are listed in Table 1 for three different numbers of intervals q, with and without analog helper data W. Legitimate symbol channels with a probability of incorrect decoding below the threshold d are selected to estimate the entropy of the attacker channel H_att in bits. Hence, this threshold is also a measure of the overall reliability of the legitimate channel. The selection results in a number n_s of symbols that are good for the legitimate channel. This scheme can reliably reproduce n_s symbols containing an entropy of H_secret = n_s · log_2(q) bits. The dimension of the code is k = n_s in this wiretap construction. H_secret corresponds to the bit length of the secret in conventional PUF key scenarios without wiretap secrecy leakage. These bits can be directly used as a symmetric encryption key or hashed to fit a certain key length.
Of the reliable symbols n_s, n_f symbols are also good for the attacker channel and have to be randomized. An attacker receives the remaining n_s − n_f symbols with error rates ranging from noisy to entirely random. The complexity for an attacker is expressed through H_att = −Σ_{i=1}^{n_s} p_{s,i} log_2(p_{s,i}), where p_{s,i} denotes the symbol error rate after an attack. H_att determines the physical layer security level of the wiretap PUF scheme. As the parameter d determines the number of symbols n_s, it relates to the security level and enables a trade-off between security and reliability: a stricter threshold d selects only the most reliable bits, but also reduces the number of legitimate bits n_s for the secret and the complexity H_att for an attacker. As the first Monte Carlo simulation only yielded per-symbol error rates, we performed another Monte Carlo simulation to obtain the Frame Error Rate (FER) for specific code construction parameters of Table 1 with the SC and SCL decoders. The simulation results are listed in Table 2 for a temperature of T = 20°. The FER is the probability of the PUF-secret being wrongly decoded.
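To make the channel estimation of the preceding code-construction paragraphs and the attacker-complexity measure of this paragraph concrete, here is an added Python example that is not part of the paper. It performs equiprobable quantization of a constructed analog PUF-response, estimates the q-ary crossover matrix p_{i,j} = P(y = j | c = i) for a legitimate reproduction (additive noise only) and for an attacked one (a fraction of the values replaced by fresh draws, standing in for destroyed electrodes), and reports the symbol error rate together with the per-symbol conditional entropy H(Y|X). The Gaussian value model, the noise level and the destroyed fraction are assumptions in place of the measured PUF-distribution, and H(Y|X) is used here as the per-symbol uncertainty measure rather than the paper's H_att sum over the selected symbols.

```python
import math
import random

# Added example, not the paper's code: equiprobable quantization of a constructed
# analog PUF-response, estimation of the q-ary crossover matrix p_ij = P(y = j | c = i)
# for a legitimate (noise only) and an attacked (electrodes destroyed) reproduction, and
# the per-symbol uncertainty left to an attacker. The Gaussian value model, the noise
# level and the destroyed fraction are assumptions, not the paper's measured data.


def equiprobable_boundaries(samples, q):
    """q-1 thresholds such that each of the q intervals holds about 1/q of the samples."""
    s = sorted(samples)
    return [s[(k * len(s)) // q] for k in range(1, q)]

def quantize(value, boundaries):
    """Symbol in {0, ..., q-1}: the number of boundaries at or below the value."""
    return sum(1 for b in boundaries if value >= b)

def crossover_matrix(enroll_vals, repro_vals, boundaries):
    """Row-stochastic estimate of p_ij from paired enrollment/reproduction values."""
    q = len(boundaries) + 1
    counts = [[0] * q for _ in range(q)]
    for e, r in zip(enroll_vals, repro_vals):
        counts[quantize(e, boundaries)][quantize(r, boundaries)] += 1
    return [[c / max(1, sum(row)) for c in row] for row in counts]

def entropy_bits(dist):
    """Shannon entropy of a probability vector in bits."""
    return -sum(p * math.log2(p) for p in dist if p > 0)

def conditional_entropy(matrix):
    """H(Y|X) in bits for uniform (equiprobable) input symbols: 0 for a clean channel,
    log2(q) when the reproduced symbol is independent of the enrolled one."""
    return sum(entropy_bits(row) for row in matrix) / len(matrix)

def symbol_error_rate(matrix):
    """Probability that the reproduced symbol differs from the enrolled one."""
    q = len(matrix)
    return 1.0 - sum(matrix[i][i] for i in range(q)) / q

def simulate(q, n_samples, noise_sigma, destroyed_fraction, seed):
    """Constructed data: enrollment values ~ N(0,1); the legitimate reproduction adds
    N(0, noise_sigma) noise; the attacked reproduction additionally replaces a fraction
    of the values (destroyed electrodes) by fresh independent draws."""
    rng = random.Random(seed)
    enroll = [rng.gauss(0.0, 1.0) for _ in range(n_samples)]
    legit = [v + rng.gauss(0.0, noise_sigma) for v in enroll]
    attacked = [rng.gauss(0.0, 1.0) if rng.random() < destroyed_fraction else v
                for v in legit]
    bounds = equiprobable_boundaries(enroll, q)
    return (crossover_matrix(enroll, legit, bounds),
            crossover_matrix(enroll, attacked, bounds))

if __name__ == "__main__":
    for q in (8, 16, 32):                                # interval counts used in the paper
        legit, attack = simulate(q, 20000, 0.05, 0.5, seed=3)
        print(f"q={q:2d}  legit: SER={symbol_error_rate(legit):.3f} "
              f"H(Y|X)={conditional_entropy(legit):.2f} bit   attack: "
              f"SER={symbol_error_rate(attack):.3f} H(Y|X)={conditional_entropy(attack):.2f} bit")
```

Two effects of the text are visible in the output: finer quantization (larger q) raises the legitimate symbol error rate because the same noise now crosses interval boundaries more often, and the attacked rows of the crossover matrix move towards uniform, so H(Y|X) approaches log2(q) for the destroyed positions. Because the boundaries are taken from the enrollment samples' quantiles, the input symbols are uniform by construction, which is the property the polar encoder needs and which equidistant quantization would not provide for a non-uniform PUF-distribution.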
The results show that we obtain a PUF-secret with a length of up to 306 bits for 8 intervals, and 275 bits for 32 intervals, while reaching a FER in the order of 10^{−6}. The entropy of the attacker channel amounts to 100 bits for 8 intervals. For 32 intervals, the brute-force effort for the attacker is reduced to 2^57, while still preserving 275 bits of entropy for the PUF-secret. The polar code design supports temperature changes in the range [+5°, +35°], which is compatible with the operating temperatures of state-of-the-art network HSMs [Gro, Hew]. Polar codes are praised for their low encoding and decoding complexity, especially in the binary case. Encoding and SC decoding can be performed in O(n log n) time, while SCL decoding takes O(L · n log n) [TV11, BSPB15]. For q-ary polar codes, the check node and variable node operations require O(q log q) and O(q), respectively, instead of O(1) in the binary case. For a small number of intervals, the decoding of q-ary codes requires only a small number of additional operations, which makes even q-ary polar codes suitable for implementation on a microcontroller.

Conclusion
In this paper, we constructed a wiretap channel for the capacitive PUF-based enclosure from q-ary polar codes, and modeled the effects of attacks on the PUF-response. First, we analyzed how temperature changes and drilling attacks affect the PUF-distribution based on real data obtained from measurements of the PUF-response. From this analysis, we derived a system model of the enclosure considering the impact of the PUF post-processing and different choices of quantization intervals. To construct the polar code for our Higher Order Alphabet PUF, we modeled the error behavior of the capacitive PUF-based enclosure through q-ary channels, and selected the best symbol channels for the legitimate wiretap channel, while minimizing the good symbol channels for the attacker. The wiretap code protects the information stored in these symbols, a code property that non-wiretap codes could not achieve. With a Monte Carlo simulation for 8, 16, and 32 intervals and two different decoders, we demonstrated a physical layer security of 100 bits, while preserving 306 bits of entropy for the PUF-secret.