Take a moment and have some t: Hypothesis testing on raw PUF data

Abstract

Systems based on PUFs derive secrets from physical variation and it is difficult to measure the security level of the obtained PUF response bits in practice. We evaluate raw PUF data to assess the quality of the physical source to detect undesired imperfections in the circuit to provide feedback for the PUF designer and improve the achieved security level. Complementing previous work on correlations across a PUF structure, we apply Welch's i-test to quantify the indistinguishability between distributions of different PUF responses, i.e., the values from on-chip locations measured across multiple devices. The threshold levels of the i-test depend on the number of evaluated PUF cells and the desired confidence of the hypothesis test. These i-values are computed from the statistical moments, such as mean and variance, of the tested distributions and indicate if they were not drawn from the same source. We identify that the quantization of the raw PUF data evaluates different statistical moments. Therefore, it is important to evaluate the indistinguishability of the raw PUF data concerning the critical moment which is used by the quantizer. To demonstrate the benefits of the presented evaluation method, we apply this test to public, real-world RO PUF data. As result, the designer is given specific information to optimize later processing steps or the underlying PUF structure. Complementing tests of the NIST 800-90b test suite further substantiate the chosen approach.