Designing a Photonic Physically Unclonable Function Having Resilience to Machine Learning Attacks

TL;DR

The paper tackles the vulnerability of conventional PUFs to ML-based attacks by evaluating a photonic PUF using a computational Jones-calculus model to generate large synthetic CRP datasets. It demonstrates that photonic PUFs, especially when final responses are built from less-significant interim bits, exhibit favorable properties—near-ideal uniqueness, uniformity, and bit aliasing—and require significantly more CRPs for ML attacks to surpass chance. These findings suggest that photonic PUFs can be more resilient to ML threats in practice, owing to nonlinear, hard-to-model challenge–response mappings and reduced risk of data leakage through side channels. The work also outlines concrete future directions, including optimization of PUF interpretations, broader attack testing, and validation with fabricated PIC-based PUF data under realistic noise conditions.

Abstract

Physically unclonable functions (PUFs) are designed to act as device 'fingerprints.' Given an input challenge, the PUF circuit should produce an unpredictable response for use in situations such as root-of-trust applications and other hardware-level cybersecurity applications. PUFs are typically subcircuits present within integrated circuits (ICs), and while conventional IC PUFs are well-understood, several implementations have proven vulnerable to malicious exploits, including those perpetrated by machine learning (ML)-based attacks. Such attacks can be difficult to prevent because they are often designed to work even when relatively few challenge-response pairs are known in advance. Hence the need for both more resilient PUF designs and analysis of ML-attack susceptibility. Previous work has developed a PUF for photonic integrated circuits (PICs). A PIC PUF not only produces unpredictable responses given manufacturing-introduced tolerances, but is also less prone to electromagnetic radiation eavesdropping attacks than a purely electronic IC PUF. In this work, we analyze the resilience of the proposed photonic PUF when subjected to ML-based attacks. Specifically, we describe a computational PUF model for producing the large datasets required for training ML attacks; we analyze the quality of the model; and we discuss the modeled PUF's susceptibility to ML-based attacks. We find that the modeled PUF generates distributions that resemble uniform white noise, explaining the exhibited resilience to neural-network-based attacks designed to exploit latent relationships between challenges and responses. Preliminary analysis suggests that the PUF exhibits similar resilience to generative adversarial networks, and continued development will show whether more-sophisticated ML approaches better compromise the PUF and -- if so -- how design modifications might improve resilience.

Figures (8)

• Figure 1: The photonic PUF cell. It is comprised of three trench couplers, connected by waveguides. There are two outputs, which are used to create the final outputs from interim cells, as shown in Figure \ref{['fig:photonic_puf_architecture']}.
• Figure 2: The photonic PUF. A single challenge is sent to each of $24$ cells, which each produce two interim responses. Each of those interim responses has $24$ bits, and the final response for the given challenge is made from one bit of each of either Output $1$'s or Output $2$'s interim responses. For example, we might create a final response by combining the bits at index three (highlighted in red) of Output $1$'s interim responses, or by combining the bits at index five (highlighted in green) of Output $2$'s interim responses.
• Figure 3: Interim responses and PUF interpretation construction for a single challenge applied to ten PUFs. Interim responses from either Output $1$ or Output $2$ are used to form $24$ different PUF interpretations. The zeroth interpretation combines the bits with index zero, the first interpretation combines the bits with index one, etcetera. This process is repeated for whichever of Output $1$ or Output $2$ was not previously used. The entire process generates a total of $48$ interpretations for each of ten PUFs, providing a total of $480$ PUFs' worth of data.
• Figure 4: PUF interpretations for $N$ challenges, each applied to ten different PUFs. In the datasets for this paper, $N=212$,$929$. The analysis of the following sections is applied across the ten PUFs for each PUF interpretation. For example, we analyze the ten PUFs for interpretation zero, the ten PUFs for interpretation one, etcetera. This allows for assessing which interpretations provide PUFs with the best properties.
• Figure 5: Challenge-response distribution for four PUF interpretations. All are for PUF zero and Output $1$ interpretations: Subfigure a) is interpretation zero, Subfigure b) is interpretation $14$, Subfigure c) is interpretation nine, and Subfigure d) is interpretation $21$. The exhibited trend holds for all nine other PUFs considered, and for Output $2$ bit interpretations, as well. These plots are simply representative examples.