A Novel Key Generation Scheme Using Quaternary PUF Responses and Wiretap Polar Coding
11 A Novel Key Generation Scheme Using QuaternaryPUF Responses and Wiretap Polar Coding
Yonghong Bai,
Student Member, IEEE,
Zhiyuan Yan,
Senior Member, IEEE
Abstract —Physical unclonable functions (PUFs) are widelyconsidered in secret key generation for resource constraineddevices. However, PUFs require additional hardware overhead.In this paper, we focus on developing a PUF-efficient, robust,and secure key generation scheme. First, a novel method forextracting quaternary PUF responses is proposed to increase theentropy of a PUF response, in which a 2-bit response is extractedfrom evaluating a single PUF cell multiple times. The probabilitymasses of the responses can be adjusted by setting parametersappropriately. Then, a chosen secret model based fuzzy extractor(FE) is designed to extract secret keys from the quaternary PUFresponses. To improve the security of this FE, it is modeled as awiretap channel system, and wiretap polar coding is adopted toreduce secrecy leakage. An upper bound of secrecy leakage is alsogiven in this paper, and it suggests that an arbitrarily small (evenzero) leakage can be achieved by properly choosing parametersof the quaternary PUF responses generation. Comparison resultsshow that the required number of PUF cells to achieve the samelevel of secrecy in our scheme is as low as half that of the state-of-the-art schemes.
Index Terms —physical unclonable functions, quaternary PUFresponse, wiretap polar coding.
I. I
NTRODUCTION P HYSICAL unclonable functions (PUFs) are used in secretkey generations [1] [2] [3] [4]. PUF outputs depend onrandom physical factors introduced in manufacturing processand environmental noise. These factors make the output ofPUFs unpredictable and unclonable. To use PUFs in keygeneration, two important issues need to be addressed: notprecisely reproducible and biased PUF outputs.Fuzzy extractors (FEs) [5] are designed to derive keys fromunstable and biased PUF bits. As shown in Fig. 1, a secret seedis a random string that is used to derive an enrolled key throughthe key derivation function (KDF). Firstly, the FE generatesa helper data using a PUF string and the codeword based onthe secret seed, and then a legal user reconstructs the secretseed using the helper data and a noisy PUF string. Since theinformation of the secret seed is leaked from the helper dataif the PUF bits are biased [1] [3], debiasing was proposedto mitigate or reduce the secrecy leakage of FEs, such as VonNeumann correctors [3] and biased-masking [4]. In these PUFbased key generation schemes, one PUF cell returns only onebit data upon an evaluation. If the PUF bits are not reusable formulti-enrollment, the number of PUF cells increases with thenumber of generated keys, which is undesirable for resourceconstrained devices. Therefore, a PUF-efficient key generation
Yonghong Bai and Zhiyuan Yan are with the Department of Electrical andComputer Engineering, Lehigh University, Bethlehem, PA, 18015 USA (e-mail: [email protected]; [email protected]).
Encoder
Secret seed s Codeword x ⊕ Helper data x ⊕ b ⊕ Decoder
Enrollment Reconstruction x ⊕ e KDF Enrolled
Key k PUFs b ⊕ Noise e b '= b+e s ' KDFReconstructed key k ' Figure 1: Fuzzy extractor. scheme is very important. A direct way to increase the PUFefficiency is that more bit data are derived from a single PUFcell. A method of the quaternary PUF response derivation is in-troduced in [2]. However, the quaternary responses are used fordebiasing, rather than generating keys directly. In this paper,we propose an FE in which the quaternary PUF responses aredirectly used for generating keys. Like the binary PUF outputs,quaternary PUF responses are not precisely reproducible andbiased. Hence, we use quaternary polar codes to hide thesecrecy leakage caused by the biased quaternary responsesand robustly generate keys. To the best of our knowledge,it is the first non-binary fuzzy extractor that derives secretkeys from quaternary PUF responses. The main contributionsof this paper are as follows:1) A quaternary response is extracted from a single PUFcell based on the PUF model in [6]. In this method, theprobability masses of quaternary responses is adjustedby properly setting parameters.2) A chosen secret model based FE is designed usingquaternary PUF responses and modeled as a wiretapchannel system to analyze its security.3) Wiretap polar coding is adopted in the FE. A new upperbound on secrecy leakage is derived. The upper boundbecomes tighter when the mask length increases, andcan be made arbitrarily small (even zero) by properlychoosing parameters of the quaternary PUF responsesgeneration.Comparison results show that the required number of PUFcells to achieve the same level of secrecy in our scheme is aslow as half that of the state-of-the-art schemes.II. R
EVIEWS
A. Probabilistic reliability model of PUFs
To describe probabilistic behavior of a PUF cell, it is suf-ficient to use one-probability (a random variable), whichis the probability that the PUF cell returns ‘ ’ upon a a r X i v : . [ c s . CR ] F e b Figure 2: The probability density function and cumulative distributionfunction of one-probability with λ = 0 . and λ = 0 . . random evaluation [6]. The one-probabilities of differentPUF cells are independent and identically distributed randomvariables with probability density function (PDF) f( x ) = λ ϕ ( λ − λ Φ − ( x )) ϕ (Φ − ( x )) and cumulative distribution function (CDF) F( x ) = Φ( λ Φ − ( x ) − λ ) , where Φ is the standard normalcumulative distribution function, ϕ is the standard normalprobability density function with two parameters λ and λ (see Fig. 2 for an example). B. Wiretap polar coding
In polar codes, N independent and identical DMCs are usedto generalize N synthesized channels whose capacities arepolarized [7]. The synthesized channels with high capacitiesare called good channels, while others with relatively lowcapacities are called bad channels. Information symbols aresent through the good channels, and hence the receiver canrecover the information with high probability. The generatormatrix of a polar code with length N is an N × N matrix G [8]. Let u = (cid:2) u u · · · u N − (cid:3) be a source word, and itscodeword x = uG .In a wiretap channel, Alice sends messages to Bob throughmain channels, while an eavesdropper Eve receives the mes-sages from wiretap channels. Wiretap polar coding is proposedto protect the communications between Alice and Bob in [9].If the wiretap channel is stochastically degraded with respectto the main channel, Bob can recover the sent messages withhigh probability, whereas the probability that Eve can recoverthe message approaches zero [9]. Let the transition matrices ofthe wiretap and main channels be W w and W m , respectively.If there is a channel with a transition matrix W that holds W w = W W m , the wiretap channel will be stochasticallydegraded with respect to the main channel so that the channelsthat are good for Eve are good for Bob too and the channelsthat are bad for Bob are bad for Eve too [9]. Hence, in thewiretap polar coding, indices { , , · · · , N − } is divided intothree disjoint subsets: R : Indices of the channels good for both Bob and Eve, S : Indices of the channels good for Bob but bad for Eve, F : Indices of the channels bad for both Bob and Eve.The source word u of polar codes is also partitioned intothree parts: mask r , secret message s , and frozen symbols f ,and they are sent through the synthesized channels that areindex by R , S , and F , respectively. Mask symbols are sentthrough the channels that are good for both Bob and Eve,and hence Eve would recover the mask symbols with highprobability. However, the mask symbols are useless randomsymbols. The secret message is sent through the channels good for Bob but bad for Eve, and hence only Bob can recover thesecret message with high probability.III. Q UATERNARY FUZZY EXTRACTORS
In this section, we will introduce our PUF-efficient key gener-ation scheme. First, we present the quaternary PUF responsesgeneration method, and then we give the quaternary fuzzyextractor setup and its corresponding wiretap channel model.
A. Extraction of quaternary PUF responses
Similar to the method in [2], the extraction of the quaternaryPUF response of a PUF cell is based on its one-frequency (the proportion of ‘ ’s in multiple PUF cell evaluations). Thequaternary response of the i -th PUF cell q i ( f i ) = , if f i ∈ [0 , a ) , , if f i ∈ [ a, b ) , , if f i ∈ [ b, c ) , , if f i ∈ [ c, , where , , , and are four elements of Galois field GF(4), a < b < c are parameters, and f i is the one-frequency of the i -th PUF cell. Let p , p , p , and p be the probabilities ofthe quaternary PUF response being , , , and , respectively.As the number of trials increases towards infinity, the one-frequency approaches the one-probability of a PUF cell, andhence, if a = F − ( ) , b = F − ( ) , and c = F − ( ) ,then p = p = p = p = . In practice, the numberof trials is not infinity. If the number of trials is small,it is hard to differentiate two close one-probability values.The larger the number of trials, the closer one-frequency and one-probability are. The small mean square errors betweenthe experimental and theoretical error counts for a moderatenumber of evaluations in [6] demonstrate, if indirectly, that thedifference between one-frequency and one-probability is smallwith sufficient number of evaluations. To save time, PUF cellscan be read offline to accumulate the ‘ ’s for evaluating their one-frequencies . B. Quaternary fuzzy extractor and wiretap channel model
Our quaternary FE is based on well studied chosen secretmodel, which is shown in Fig. 3. In the enrollment phase,a random quaternary string s is chosen to be a secret seed,and then an enrolled key is extracted from s using a KDF.A helper data is generated to help the reconstruction of thekey in the future. First, N quaternary PUF responses q areextracted from N PUF cells, and then they are added (symbol-wise addition in GF(4)) to the quaternary codeword x of s toget a helper data x + q . The helper data is published, and weassume attackers can access it. In the reconstruction phase, N new quaternary PUF responses q (cid:48) are extracted from the samePUF cells and they are added to the helper data to generate x + q + q (cid:48) = x + e . Then, using x + e the polar decodergenerates the decoded secret seed to reconstruct the key.The quaternary FE is modeled as a wiretap channel systemas shown in Fig. 3. The codeword x is the message sent byAlice and y = x + e is the received message of Bob from Encoder s z=x + q y=x+ex Main channels W i r e t a p c h a nn e l s Alice BobEveEncoder
Secret seed s Codeword x Helper data x+q
DecoderEnrollment Reconstruction x+q+q ' =x+es ' KDFKDF KDF k Decoder
EnrolledKey k Reconstructed key k ' q '= q+e q q ' Quaternary response extractor q s ' KDF k ' PUF cells
Figure 3: A quaternary fuzzy extractor and its wiretap channel model. N independent main channels, where e = q + q (cid:48) is the noisevector of the N main channels. Ideally q = q (cid:48) . However,since PUF bits are not precisely reproducible, q and q (cid:48) couldbe different. A × transition probability matrix W m = t t t t t t t t t t t t t t t t consists of the transition probabilities of the main channel,where t jk for j ∈ { , , , } and k ∈ { , , , } is thetransition probability from input j to output k . Similarly, thehelper data x + q is treated as the outputs of N independentwiretap channels, where q is the noise vector of the N wiretap channels. Hence, the transition probability matrix ofthe wiretap channel is W w = p p p p p p p p p p p p p p p p . To evaluate W m , we first use the CDF of the one-probability to generate the one-probabilities of multiple cells.Second, we extract two quaternary responses from everyPUF cell. Then, we use the numbers of quaternary valuesto estimate the transition probability. For example, if thereare t PUF cells whose original quaternary responses are and the number of , , , and among these t cells in thesecond quaternary responses is w , x , y , and z , respectively,then the transition rates r = wt , r = xt , r = yt , and r = zt , where r ij for i ∈ { , , , } and j ∈ { , , , } is the transition rate from input i to output j . Our simulationresults show that the rate that the quaternary response does notchange is very high. We use the transition rates to approximatethe transition probabilities in our simulations. For the wiretapchannel, when p = p = p = p = , the wiretap channelis completely noisy. In this case, as long as W is a × matrix whose each element is , then W w = W W m holdsso that the wiretap channel will be stochastically degradedwith respect to the main channel.As long as the wiretap channel is stochastically degradedwith respect to the main channel, the non-binary wiretap polarcodes of [9] can be applied in our fuzzy extractor. The genie-aided simulation of [8] is used to construct the polar codes.We get the error rate of each channel through the genie-aidedsimulation and order the channels with increasing error rates.The first r (length of mask) indices from the list for mask, the next s (length of secret seed) indices for secret seed,and the remaining indices are for frozen symbols. Codewordsare generated based on the recursive encoding algorithm in[8]. In the reconstruction phase, firstly we compute the initialLLRs for the channel outputs and then send them to the listdecoder [8] to generate the estimated secret seed to reconstructthe enrolled key. More details of the encoding and decodingalgorithms can be found in [8].IV. A NALYSIS OF SECRECY LEAKAGE
The wiretap polar coding in [9] is used in our FE to preventeavesdroppers from recovering secret seed s . The N × N generator matrix G of a quaternary polar code with length N is written as (cid:2) G R G S G F (cid:3) T , where G R , G S , and G F consist of rows of G that are indexed by R , S , and F , respectively. (cid:2) G R G S (cid:3) T and G R will be the generatormatrix of an ( N, r + s ) linear code C and an ( N, r ) linearcode C , respectively, where r and s are the size of R and S , respectively. Hence, C ⊆ C . In the following theorem,we give the upper bound on the secrecy leakage of our keygeneration scheme. Theorem 1.
In our key generation scheme, if p = p = p = − p and p ∈ (cid:2) , (cid:3) , the upper bound of secrecy leakage is log (cid:104) N |C | (cid:80) v ∈C p N − w ( v ) (cid:0) − p (cid:1) w ( v ) (cid:105) , where |C | is the sizeof C and w ( v ) is the Hamming weight of v . Theorem 1 is proved in the appendix. If we add onemore mask symbol, the row ( g ) of G indexed by the po-sition of the added mask symbol is added to the genera-tor matrix of C . If g ∈ C , then C does not change.Else, the dimension of C increases by one and C be-comes C (cid:48) = {C , g + C } . Since g / ∈ C , then g + C will be the proper coset of C and F g + C ( p )F C ( p ) ≤ forall p ∈ [ , based on Theorem 1.19 in [10], where F C ( p ) = |C| (cid:80) v ∈C p N − w ( v ) ( − p ) w ( v ) . Hence, the up-per bound of secrecy leakage will be log (cid:2) N F C (cid:48) ( p ) (cid:3) =log (cid:104) N F C ( p )+F g + C ( p )2 (cid:105) ≤ log (cid:2) N F C ( p ) (cid:3) , whichmeans that the upper bound on the secrecy leakage can bereduced by increasing the mask length. If p = p = p = − p , the secrecy leakage is reduced to a negligible value byincreasing the mask length. In addition, Theorem 1 suggeststhat when p = p = p = p = , the secrecy leakage ≤ log (cid:104) N |C | (cid:80) v ∈C N − w ( v ) 14 w ( v ) (cid:105) = 0 . Table I: Comparisons of the key generation methods. p , p , p , and p are the probabilities of the quaternary PUF response being , , ,and , respectively. For a fair comparison, all schemes are designed to generate a -bit key with failure probability ≤ − . Quaternary channelparameters PUF entropy Mask Secrecy leakage Code Block Failure probabilityState-of-the-artkey generations - [1] [3] [11], ∈ [1 , [2] - [2] [3] [4],negligible [11] [12] Golay [3]RM [11] [4] - ≤ − [2] [4] [11]This work p = p = p = p = .
25 2 0 0 ( , ) qua-ternary polar . × − p = . , p = p = p = .
245 1 .
999 12 ≤ .
056 2
V. S
IMULATIONS AND COMPARISONS
We compare our key generation scheme with other state-of-the-art schemes in Table II.In our scheme, when p = p = p = p = , the entropyof the quaternary PUF response will be two, which is twicethat of other key generation schemes in [1] [3] [11]. Hence,the required number of PUF cells in our scheme is as low ashalf that of the schemes in [1] [3] [11]. If p , p , p , and p are not exactly (an example is given in Table II), the entropywill be less than .Some key generation schemes with debiasing, such as VonNeumann correctors [3] and biased-masking [4], have zeroleakage, and some key generation schemes [12] [11] havenegligible secrecy leakage. When p = p = p = p = ,our scheme has zero leakage without mask. If p = 0 . and p = p = p = 0 . , the upper bound of the secrecyleakage in Theorem 1 is . with -symbol mask.In our simulation, we aim to generate -bit key withfailure probability ≤ − . We consider SRAM-PUFs with λ = 0 . and λ = 0 . [6], whose average bit error rate(ABER) is . . Under such an ABER, the PUF-based keygeneration schemes in [2] [4] [11] can reconstruct a secret keywith failure probability ≤ − . A (256, 64) quaternary polarcode is used in our simulation. The list decoding [8] with fourlists is used in our simulation. When p = p = p = p = ,only one block is enough to generate -bit key. When p = 0 . and p = p = p = 0 . , symbols are usedas mask and each block can generate -bit key. Hence, twoblocks are needed in this case. The failure probability of ourkey reconstruction is . × − .Many error correction codes have been considered in PUFbased key generations, such as Golay codes [3], Reed-Muller(RM) codes [11] [4], and binary polar codes [12]. The com-plexity of these codes is well studied. Hence, by comparingthe complexity of binary and quaternary polar decoders, weindirectly compare the complexity of our scheme with that ofother state-of-the-art schemes. In the following, we providea rough comparison of the computational complexities forbinary and quaternary polar decoders with single list.In a binary polar code decoder, the following two functionsare used to update the LLRs of a pair of bits [13] f ( λ , λ ) = sign( λ ) sign( λ ) min ( | λ | , | λ | ) , g ( λ , λ , γ ) = (1 − γ ) λ + λ , where λ and λ are two inputs LLRs of the two bits, sign( λ ) returns the sign of λ , min {| λ | , | λ |} returns the minimumvalue of | λ | and | λ | , and γ is the partial sum of previously decoded bits. When the code length is N bits, f and g functionsare called N log N times in a decoding process, respectively.As shown in Table II, There are five basic operations in f : twoabsolute value operations, a minimum operation, and two signoperations. In the g function, if γ = 0 , its output will be λ + λ , otherwise its output will be λ − λ . Hence, a g functionneeds one multiplexer, one addition, and one subtraction.In a quaternary polar codes with Reed-Solomon kernel G RS [8], four symbols u = (cid:2) u u u u (cid:3) are decodedtogether. There are four functions f , f , f , and f to updatethe LLR of the first, second, third, and fourth symbols,respectively. When the code length is N bits (to compare withthe binary decoder we assume N = 2 × n , n = 1 , , , · · · ), f , f , f , and f are called N log N times in a decodingprocess, respectively. In f , the updated LLRs of four values[8]: ˆ λ (0)0 = 0 , ˆ λ (1)0 ≈ max (cid:0) R (cid:0)(cid:2) , u (cid:3)(cid:1)(cid:1) − max (cid:0) R (cid:0)(cid:2) , u (cid:3)(cid:1)(cid:1) , ˆ λ (2)0 ≈ max (cid:0) R (cid:0)(cid:2) , u (cid:3)(cid:1)(cid:1) − max (cid:0) R (cid:0)(cid:2) , u (cid:3)(cid:1)(cid:1) , ˆ λ (3)0 ≈ max (cid:0) R (cid:0)(cid:2) , u (cid:3)(cid:1)(cid:1) − max (cid:0) R (cid:0)(cid:2) , u (cid:3)(cid:1)(cid:1) , where (cid:2) i, u (cid:3) for i = 0 , , , is the symbol vector u with u = i , R( u ) = − (cid:80) r =0 λ ( x r ) r , λ ( x r ) r is the inputLLR of the r -th symbol with x r for i = 0 , , , ( x = (cid:2) x x x x (cid:3) = u G RS ), and max (cid:0) R (cid:0)(cid:2) i, u (cid:3)(cid:1)(cid:1) for i = 0 , , , returns the maximum value of all R (cid:0)(cid:2) i, u (cid:3)(cid:1) results. There are = 64 combinations of u , and hence R function is called times in f . Since an R functionneeds three additions, the number of addition operations is . In addition, a maximum operation is needed to findthe maximum number from the results of R (Max-64 inTable II). Finally, the four LLRs of f is generated after threesubtraction operations. Similarly, f , f , and f need , ,and addition operations, respectively. f needs a maximumoperation to find the maximum number from results of R (Max-16 in Table II) and f needs a maximum operation tofind the maximum number from results of R (Max-4 in TableII).Table II shows that the binary polar decoder uses only afew simple operations. However, the quaternary polar decoderuses a lot of addition and maximum operations.VI. C ONCLUSION
A secure, robust, and efficient fuzzy extractor based on qua-ternary PUF responses and wiretap polar coding is proposedin this paper. To analyze the secrecy leakage, we build the
Table II: Computational complexity of binary and quaternary polar decoders. The code lengths of the binary and quaternary polar codes are N bits ( N = 2 × n , n = 1 , , , · · · ). function Number Mux Min Max-64 Max-16 Max-4 Add Sub Sign AbsoluteBinary f N log N - 1 - - - - - N log N - -Quaternary f N log N - - - - f N log N - - - - f N log N - - - - f N log N - - - - - wiretap channel model for the fuzzy extractor. The wiretappolar coding is adopted in the fuzzy extractor to hide secrecyleakage and ensure the robustness of the key generation. Theupper bound of the secrecy leakage is proposed in this paper,and we show that the leakage can be zero by properly settingparameters of the quaternary PUF responses generation.A PPENDIX : P
ROOF OF T HEOREM s ∈ { , , , } s and the outputs of wiretapchannels z ∈ { , , , } N SL = I ( s ; z ) = H ( z ) − H ( z | s )= (cid:88) z Pr { z | s } log Pr { z | s } − (cid:88) z Pr { z } log Pr { z } , (1)where I is a mutual information function and H is a binaryentropy function. To compute H ( z | s ) , first we have Pr { z | s i } = (cid:88) x ∈ x i + C Pr { x | s i } Pr { z | x , s i } = 14 r (cid:88) x ∈ x i + C Pr { z | x } = 14 r (cid:88) x ∈ x i + C p N − d ( x , z )0 ( 1 − p d ( x , z ) = 14 r (cid:88) v ∈ z − x i −C p N − w ( v )0 ( 1 − p w ( v ) , where s i is the i -th secret message, x i = s i G S , d is a Hamming distance function, and w ( v ) is the Ham-ming weight of v . Set { z − x i − C , z ∈ { , , , } N } and { z − C , z ∈ { , , , } N } are the same for agiven s i , and so are { Pr { z | s i } , z ∈ { , , , } N } and { Pr { z | s = 0 } , z ∈ { , , , } N } . Hence, H ( z | s ) = − (cid:80) z Pr { z | s = 0 } log Pr { z | s = 0 } , where Pr { z | s = 0 } = r (cid:80) v ∈ z −C p N − w ( v )0 ( − p ) w ( v ) . To compute H ( z ) , we have Pr { z } = s (cid:88) i =1 Pr { s i } Pr { z | s i } = s (cid:88) i =1 Pr { s i } (cid:88) x ∈ x i + C Pr { x | s i } Pr { z | x , s i } = s (cid:88) i =1 s (cid:88) x ∈ x i + C r Pr { z | x } = 14 r + s (cid:88) x ∈C p N − d ( x , z )0 ( 1 − p d ( x , z ) = 14 r + s (cid:88) v ∈ z −C p N − w ( v )0 ( 1 − p w ( v ) . Define a new function F C ( p ) = 1 |C| (cid:88) v ∈C p N − w ( v ) ( 1 − p w ( v ) . (2)Hence, Pr { z | s = 0 } = F z −C ( p ) , (3) Pr { z } = F z −C ( p ) . (4) Lemma 2.
For an ( N , k ) code C and all z ∈ { , , , } N , (cid:80) z F z −C ( p ) = 1 .Proof. Let q = − p and m = | z − C| , and (cid:80) z F z −C ( p ) = m [ mp N q q q + mN p N − q q q + m (cid:0) N (cid:1) p N − q q q + · · · + m (cid:0) Nh (cid:1)(cid:0) N − hi (cid:1)(cid:0) N − h − ij (cid:1)(cid:0) N − h − i − jk (cid:1) p h q i q j q k + · · · + mp q q q N ] = (cid:80) N ! h ! i ! j ! k ! p h q i q j q k = ( p + 3 q ) N = 1 .Based on (3), (4), and Lemma 2, SL = (cid:88) z F z −C ( p ) log F z −C ( p ) − (cid:88) z F z −C ( p ) log F z −C ( p )= (cid:88) z F z −C ( p ) log F z −C ( p )F C ( p ) + (cid:88) z F z −C ( p ) log F C ( p )F z −C ( p ) . (5) Lemma 3.
For code C and all z ∈ { , , , } N , if ≤ p ≤ , (cid:80) z F z −C ( p ) log z −C ( p )F C ( p ) ≤ .Proof. Recall the weight distribution function of a code C [10] A C ( w ) = (cid:80) Ni =0 n i w i , where n i is number of codewords withHamming weight i ( i = 0 , , · · · , N ), then the new functionin (2) will be F C ( p ) = |C| [ p N + n p N − ( − p ) + · · · + n N ( − p ) N ] = |C| p N [1 + n ( − p p ) + · · · + n N ( − p p ) N ] = |C| p N A C ( − p p ) . If z / ∈ C , z − C will be the proper coset of C , and then F z −C ( p )F C ( p ) = A z −C ( − p p ) A C ( − p p ) ≤ − ( p − ) r +1 p − ) r +1 ≤ for all p ∈ [ , according to the Theorem 1.19 in [10]. Lemma 4.
For codes C , C , and all z ∈ { , , , } N , (cid:80) z F z −C ( p ) log C ( p )F z −C ( p ) ≤ log (cid:2) N F C ( p ) (cid:3) . Proof. (cid:80) z F z −C ( p ) log C ( p )F z −C ( p ) = (cid:80) z F z −C ( p ) log F C ( p ) − (cid:80) z F z −C ( p ) log F z −C ( p )= log F C ( p ) + H (F z −C ( p )) ≤ log F C ( p ) + 2 N = log (cid:2) N F C ( p ) (cid:3) .Based on (2), (5), Lemma 3, and Lemma 4, we get SL ≤ log (cid:104) N |C | (cid:80) v ∈C p N − w ( v ) (cid:0) − p (cid:1) w ( v ) (cid:105) for all p ∈ (cid:2) , (cid:3) . R EFERENCES[1] J. Delvaux, D. Gu, D. Schellekens, and I. Verbauwhede, “Helper dataalgorithms for PUF-based key generation: Overview and analysis,”
IEEETransactions on Computer-Aided Design of Integrated Circuits andSystems , vol. 34, no. 6, pp. 889–902, Nov. 2014.[2] M. Suzuki, R. Ueno, N. Homma, and T. Aoki, “Quaternary debiasingfor physically unclonable functions,” in . IEEE, May 2018, pp.7–12.[3] R. Maes, V. van der Leest, E. van der Sluis, and F. Willems, “Securekey generation from biased PUFs,” in
International Workshop on Cryp-tographic Hardware and Embedded Systems . Springer, Sep. 2015, pp.517–534.[4] R. Ueno, M. Suzuki, and N. Homma, “Tackling biased PUFs throughbiased masking: A debiasing method for efficient fuzzy extractor,”
IEEETransactions on Computers , vol. 68, no. 7, pp. 1091–1104, July 2019.[5] Y. Dodis, L. Reyzin, and A. Smith, “Fuzzy extractors: How to generatestrong keys from biometrics and other noisy data,” in
Internationalconference on the theory and applications of cryptographic techniques .Springer, May 2004, pp. 523–540.[6] R. Maes, “An accurate probabilistic reliability model for silicon PUFs,”in
International Workshop on Cryptographic Hardware and EmbeddedSystems . Springer, Aug. 2013, pp. 73–89.[7] E. Arikan, “Channel polarization: a method for constructing capacity-achieving codes for symmetric binary-input memoryless channels,”
IEEETransactions on Information Theory , vol. 55, no. 7, pp. 3051–3073, Jul.2009.[8] N. Cheng, R. Zhang, Y. Ge, W. Shi, Q. Zhang, and X. S. Shen, “Encoderand list decoder of Reed-Solomon kernel based polar codes,” in . IEEE, Oct. 2016, pp. 1–6.[9] A. Torfi, S. Soleymani, S. M. Iranmanesh, H. Kazemi, R. A. Shirvani,and V. T. Vakili, “Polar coding for achieving the capacity of marginalchannels in nonbinary-input setting,” in . IEEE, Mar. 2017, pp.1–6.[10] T. Klove,
Codes for error detection . Singapore: World ScientificPublishing Co. Pte. Lte, 2007.[11] M. Hiller and A. G. ¨Onalan, “Hiding secrecy leakage in leaky helperdata,” in
International Conference on Cryptographic Hardware andEmbedded Systems . Springer, Sep. 2017, pp. 601–619.[12] Y. Bai and Z. Yan, “A secure and robust key generation method usingphysical unclonable functions and polar codes,” in
Signal ProcessingSystems (SiPS), 2019 IEEE International Workshop on . IEEE, Oct.2019, pp. 1–6.[13] C. Leroux, I. Tal, A. Vardy, and W. J. Gross, “Hardware architectures forsuccessive cancellation decoding of polar codes,” in