Nested Tailbiting Convolutional Codes for Secrecy, Privacy, and Storage

Thomas Jerkovits (German Aerospace Center, Weßling, Germany), Onur Günlü (TU Berlin, Berlin, Germany), Vladimir Sidorenko and Gerhard Kramer (TU Munich, Munich, Germany)

ABSTRACT

A key agreement problem is considered that has a biometric or physical identifier, a terminal for key enrollment, and a terminal for reconstruction. A nested convolutional code design is proposed that performs vector quantization during enrollment and error control during reconstruction. Physical identifiers with small bit error probability illustrate the gains of the design. One variant of the nested convolutional codes improves on the best known key vs. storage rate ratio but it has high complexity. A second variant with lower complexity performs similar to nested polar codes. The results suggest that the choice of code for key agreement with identifiers depends primarily on the complexity constraint.

CCS CONCEPTS

• Security and privacy → Information-theoretic techniques.

KEYWORDS

nested codes, information privacy, tailbiting, convolutional codes, physical unclonable functions

ACM Reference Format:
Thomas Jerkovits, Onur Günlü, Vladimir Sidorenko, and Gerhard Kramer. 2020. Nested Tailbiting Convolutional Codes for Secrecy, Privacy, and Storage. In 2020 ACM Workshop on Information Hiding and Multimedia Security (IH&MMSec’20), June 22–24, 2020, Denver, CO, USA. ACM, New York, NY, USA, 11 pages. https://doi.org/10.1145/3369412.3395063

IH&MMSec ’20, June 22–24, 2020, Denver, CO, USA. © 2020 Association for Computing Machinery. ACM ISBN 978-1-4503-7050-9/20/06.

arXiv:2004.13095v1 [cs.IT] 27 Apr 2020

1 INTRODUCTION

Irises and fingerprints are biometric identifiers used to authenticate and identify individuals, and to generate secret keys [4]. In a digital device, there are digital circuits that have outputs unique to the device. One can generate secret keys from such physical unclonable functions (PUFs) by using their outputs as a source of randomness. Fine variations of ring oscillator (RO) outputs, the start-up behavior of static random access memories (SRAM), and quantum-physical readouts through coherent scattering [37] can serve as PUFs that have reliable outputs and high entropy [11, 18]. One can consider them as physical “one-way functions” that are easy to compute and difficult to invert [33].

There are several security, privacy, storage, and complexity constraints that a PUF-based key agreement method should fulfill. First, the method should not leak information about the secret key (negligible secrecy leakage). Second, the method should leak as little information about the identifier (minimum privacy leakage). The privacy leakage constraint can be considered as an upper bound on the secrecy leakage via the public information of the first enrollment of a PUF about the secret key generated by the second enrollment of the same PUF [12]. Third, one should limit the storage rate because storage can be expensive and limited, e.g., for internet-of-things (IoT) device applications. Similarly, the hardware cost, e.g., hardware area, of the encoder and decoder used for key agreement with PUFs should be small for such applications.

There are two common models for key agreement: the generated-secret (GS) and the chosen-secret (CS) models. An encoder extracts a secret key from an identifier measurement for the GS model, while for the CS model a secret key that is independent of the identifier measurements is given to the encoder by a trusted entity. In the classic key-agreement model introduced in [1] and [31], two terminals observe correlated random variables and have access to a public, authenticated, and one-way communication link; an eavesdropper observes only the public messages called helper data. The regions of achievable secret-key vs. privacy-leakage (key-leakage) rates for the GS and CS models are given in [19, 26]. The storage rates for general (non-negligible) secrecy-leakage levels are analyzed in [23], while the rate regions with multiple encoder and decoder measurements of a hidden source are treated in [16]. There are other key-agreement models with an eavesdropper that has access to a sequence correlated with the identifier outputs, e.g., in [6, 8, 12, 22]. This model is not realistic for PUFs, unlike physical-layer security primitives and some biometric identifiers that are continuously available for physical attacks. PUFs are used for on-demand key reconstruction, i.e., the attack should be performed during execution, and an invasive attack applied to obtain a correlated sequence permanently changes the identifier output [11, 13]. Therefore, we assume that the eavesdropper cannot obtain a sequence correlated with the PUF outputs.

Two classic code constructions for key agreement are code-offset fuzzy extractors (COFE) [10] and the fuzzy commitment scheme (FCS) [21], which are based on a one-time padding step in combination with an error correcting code. Both constructions require a storage rate of 1 bit/symbol due to the one-time padding step. A Slepian-Wolf (SW) [38] coding method, which corresponds to syndrome coding for binary sequences, is proposed in [5] to reduce the storage rate so that it is equal to the privacy-leakage rate. It is shown in [14] that these methods do not achieve the key-leakage-storage boundaries of the GS and CS models.

Wyner-Ziv (WZ) [42] coding constructions that bin the observed sequences are shown in [14] to be optimal deterministic code constructions for key agreement with PUFs. Nested random linear codes are shown to asymptotically achieve boundary points of the key-leakage-storage region. A second WZ-coding construction uses a nested version of polar codes (PCs) [3], which are designed in [14] for practical SRAM PUF parameters to illustrate that rate tuples that cannot be achieved by using previous code constructions can be achieved by nested PCs.

A closely related problem to the key agreement problem is Wyner’s wiretap channel (WTC) [41]. The main aim in the WTC problem is to hide a transmitted message from the eavesdropper that observes a channel output correlated with the observation of a legitimate receiver. There are various code constructions for the WTC that achieve the secrecy capacity, e.g., in [2, 25, 28, 30], and some of these constructions use nested PCs, e.g., [2, 28]. Similarly, nested PCs are shown in [7] to achieve the strong coordination capacity boundaries, defined and characterized in [9].

We design codes for key agreement with PUFs by constructing nested convolutional codes. Due to the broad use of nested codes in, e.g., WTC and strong coordination problems, the proposed nested convolutional code constructions can be useful also for these problems. A summary of the main contributions is as follows.

• We propose a method to obtain nested tailbiting convolutional codes (TBCCs) that are used as a WZ-coding construction, which is a binning method used in various achievability schemes and can be useful for various practical code constructions.
• We develop a design procedure for the proposed nested convolutional code construction adapted to the problem of key agreement with biometric or physical identifiers. This is an extension of the asymptotically optimal nested code constructions with random linear codes and PCs proposed in [14]. We consider binary symmetric sources and binary symmetric channels (BSCs). Physical identifiers such as RO PUFs with transform coding [15] and SRAM PUFs [29] are modeled by these sources and channels.
• We design and simulate nested TBCCs for practical source and channel parameters obtained from the best PUF design in the literature. The target block-error probability is $P_B = 10^{-6}$ and the target secret-key size is 128 bits. We illustrate that one variant of nested codes achieves the largest key vs. storage rate ratio but it has high decoding complexity. Another variant of nested codes with lower decoding complexity achieves a rate ratio that is slightly greater than the rate ratio achieved by a nested PC. We also illustrate the gaps to the finite-length bounds.

This paper is organized as follows. In Section 3, we describe the GS and CS models, and give their rate regions that are also evaluated for binary symmetric sequences. We summarise in Section 4 our new nested code construction that uses convolutional codes. In Section 5, we propose a design procedure for the new nested TBCCs adapted to the key agreement with PUFs problem. Section 6 compares the estimated decoding complexity of TBCCs and PCs. Section 7 illustrates the significant gains from nested convolutional codes designed for practical PUF parameters as compared to previously-proposed nested PCs and other channel codes in terms of the key vs. storage rate ratio.

2 PRELIMINARIES

2.1 Notation

Let $\mathbb{F}_2$ denote the finite field of order 2 and let $\mathbb{F}_2^{a\times b}$ denote the set of all $a \times b$ matrices over $\mathbb{F}_2$. Rows and columns of $a \times b$ matrices are indexed by $1,\dots,a$ and $1,\dots,b$, and $h_{i,j}$ is the element in the $i$-th row and $j$-th column of a matrix $H$. $\mathbb{F}_2^{a}$ denotes the set of all row vectors of length $a$ over $\mathbb{F}_2$. With $0_{a\times b}$ we denote the all-zero matrix of size $a \times b$. A linear block code over $\mathbb{F}_2$ of length $N$ and dimension $K$ is a $K$-dimensional subspace of $\mathbb{F}_2^{N}$ and denoted by $(N, K)$. A variable with superscript denotes a string of variables, e.g., $X^n = X_1 \dots X_i \dots X_n$, and a subscript denotes the position of a variable in a string. A random variable $X$ has probability distribution $P_X$. Calligraphic letters such as $\mathcal{X}$ denote sets, and set sizes are written as $|\mathcal{X}|$. $\mathrm{Enc}(\cdot)$ is an encoder mapping and $\mathrm{Dec}(\cdot)$ is a decoder mapping. $H_b(x) = -x \log x - (1-x)\log(1-x)$ is the binary entropy function, where we take logarithms to the base 2. The $*$-operator is defined as $p * x = p(1-x) + (1-p)x$. A BSC with crossover probability $p$ is denoted by BSC($p$). $X^n \sim \mathrm{Bern}^n(\alpha)$ is an independent and identically distributed (i.i.d.) binary sequence of random variables with $\Pr[X_i = 1] = \alpha$ for $i = 1, 2, \dots, n$. $H^T$ represents the transpose of the matrix $H$. Drawing an element $e$ from a set $\mathcal{E}$ uniformly at random is denoted by

$$e \xleftarrow{\$} \mathcal{E}. \tag{1}$$

2.2 Convolutional Codes

Denote the parameters of a block code generated by a binary convolutional encoder as $(N, K)$, where $N$ is the blocklength and $K$ is the code dimension (in bits). At each time step, the convolutional encoder receives $k$ input bits and generates $n$ output bits. The number of clock cycles needed to encode $K$ bits is $\ell = \frac{K}{k}$. We consider convolutional encoders with a single shift register only. The shift register consists of $m$ delay cells, where $m$ is also called the memory of the encoder. The bit value stored in the $i$-th delay cell at time step $t$ is denoted by $s_t^{(i)} \in \mathbb{F}_2$ for $i = 1,\dots,m$. For a given binary input vector $u_t = \big(u_t^{(1)}, u_t^{(2)}, \dots, u_t^{(k)}\big)$ of length $k$ at time step $t$, the encoder outputs a binary vector $c_t = \big(c_t^{(1)}, c_t^{(2)}, \dots, c_t^{(n)}\big)$ of length $n$. The encoder can be described by the state-space representation of the encoder circuit such that the output $c_t$ is

$$c_t = s_t \cdot C^T + u_t \cdot D^T \tag{2}$$

where $s_t = \big(s_t^{(1)}, s_t^{(2)}, \dots, s_t^{(m)}\big)$ is the vector describing the content of the shift register, $C \in \mathbb{F}_2^{n\times m}$ is the observation matrix, and $D \in \mathbb{F}_2^{n\times k}$ is the transition matrix. The content of the shift register for the next clock cycle at time step $t + 1$ is then

$$s_{t+1} = s_t \cdot A^T + u_t \cdot B^T \tag{3}$$

Figure 1: Encoder circuit of convolutional codes described in Section 2.2.

where $A \in \mathbb{F}_2^{m\times m}$ is the system matrix and $B \in \mathbb{F}_2^{m\times k}$ is the control matrix. For the case of a single shift register we have that the system matrix is given by

$$A = \begin{pmatrix} 0_{1\times(m-1)} & 0 \\ I_{(m-1)\times(m-1)} & 0_{(m-1)\times 1} \end{pmatrix} \tag{4}$$

where $I_{(m-1)\times(m-1)} \in \mathbb{F}_2^{(m-1)\times(m-1)}$ is the identity matrix. For simplicity, the first entry of the input tuple $u_t^{(1)}$ is always an input to the shift register and thus we can write $B = (e_1^T \,|\, \tilde{B})$ and $D = (0_{n\times 1} \,|\, \tilde{D})$, where $e_1$ is the unit row vector having a 1 in the first position and 0 everywhere else, $\tilde{B} \in \mathbb{F}_2^{m\times(k-1)}$, and $\tilde{D} \in \mathbb{F}_2^{n\times(k-1)}$. The corresponding encoder circuit is shown in Figure 1. A vector entering a square box, which represents one of the aforementioned matrices, depicts a vector-matrix multiplication, and the box with the addition symbol depicts an elementwise vector-vector addition. Therefore, the encoder of the convolutional code can be described by the three matrices $\tilde{B}$, $C$, and $\tilde{D}$. We denote such an encoder by $[\tilde{B}, C, \tilde{D}]$.

Using the tailbiting method from [20, Chapter 4.8], we avoid having a rate loss, unlike the zero-tail termination method. We have $N = \ell n$ and the resulting code rate is $R = \frac{k}{n}$. A tailbiting convolutional code (TBCC) can be represented by a tailbiting trellis using $\ell$ sections and $2^m$ states per section. The codewords correspond to all possible paths in the trellis, where starting and ending states coincide. TBCCs can be decoded by using the wrap around Viterbi algorithm (WAVA) [36]. This decoder is suboptimal but performs close to the performance of the maximum likelihood decoder.

Let $A_d$ be the number of codewords of Hamming weight $d$ for $d = 0, 1, \dots, N$, which characterizes the distance spectrum of a TBCC. The weight enumerator polynomial $A(X)$ is then defined as

$$A(X) \overset{\text{def}}{=} \sum_{d=0}^{N} A_d X^d. \tag{5}$$

To compute the weight enumerator and to determine the distance spectrum we use the approach described in [40]. Consider the state transition matrix $T(X)$ of size $2^m \times 2^m$, where every entry $t_{i,j}(X)$ is either $X^d$, where $d$ is the Hamming weight of the output produced by the encoder when going from the state labeled with $i$ to the state labeled with $j$, or 0 if there is no possible transition between the aforementioned states. Therefore, we have

$$A(X) = \mathrm{Tr}\big(T^{\ell}(X)\big) \tag{6}$$

where $T^{\ell}(X)$ denotes multiplication of the matrix $T(X)$ with itself $\ell$ times and $\mathrm{Tr}(\cdot)$ denotes the trace.

3 PROBLEM FORMULATION

Consider the GS model in Figure 2(a), where a biometric or physical source output is used to generate a secret key. The source $\mathcal{X}$, noisy measurement $\mathcal{Y}$, secret key $\mathcal{S}$, and storage $\mathcal{W}$ alphabets are finite sets. During enrollment, the encoder observes the i.i.d. identifier output $X^N$, generated according to some $P_X$, and computes a secret key $S \in \mathcal{S}$ and public helper data $W \in \mathcal{W}$ as $(S, W) = \mathrm{Enc}(X^N)$. During reconstruction, the decoder observes a noisy source measurement $Y^N$ of the source output $X^N$ through a memoryless measurement channel $P_{Y|X}$ in addition to the helper data $W$. The decoder estimates the secret key as $\hat{S} = \mathrm{Dec}(Y^N, W)$. Furthermore, Figure 2(b) shows the CS model, where a secret key $S' \in \mathcal{S}$ is embedded into the helper data as $W' = \mathrm{Enc}(X^N, S')$. The decoder for the CS model estimates the secret key as $\hat{S}' = \mathrm{Dec}(Y^N, W')$.

Figure 2: The (a) GS and (b) CS models.

Definition 3.1. A key-leakage-storage tuple $(R_s, R_\ell, R_w)$ is achievable for the GS and CS models if, given any $\epsilon > 0$, there is some $N \geq 1$, an encoder, and a decoder such that $R_s = \frac{\log|\mathcal{S}|}{N}$ and

$$P_B \overset{\text{def}}{=} \Pr[\hat{S} \neq S] \leq \epsilon \quad \text{(reliability)} \tag{7}$$
$$\frac{1}{N} I(S; W) \leq \epsilon \quad \text{(secrecy)} \tag{8}$$
$$\frac{1}{N} H(S) \geq R_s - \epsilon \quad \text{(key uniformity)} \tag{9}$$
$$\frac{1}{N} \log|\mathcal{W}| \leq R_w + \epsilon \quad \text{(storage)} \tag{10}$$
$$\frac{1}{N} I(X^N; W) \leq R_\ell + \epsilon \quad \text{(privacy)} \tag{11}$$

where for the CS model, $S$ and $W$ in the constraints should be replaced by, respectively, $S'$ and $W'$.

The key-leakage-storage regions $\mathcal{R}_{gs}$ and $\mathcal{R}_{cs}$ for the GS and CS models, respectively, are the closures of the sets of achievable tuples for the corresponding models. ♢

Theorem 3.2 ([19]). The key-leakage-storage region $\mathcal{R}_{gs}$ for the GS model is the union of the bounds

$$0 \leq R_s \leq I(U; Y) \tag{12}$$
$$R_\ell \geq I(U; X) - I(U; Y) \tag{13}$$
$$R_w \geq I(U; X) - I(U; Y) \tag{14}$$

over all $P_{U|X}$ such that $U - X - Y$ form a Markov chain. Similarly, the key-leakage-storage region $\mathcal{R}_{cs}$ for the CS model is the union of the bounds in (12), (13), and

$$R_w \geq I(U; X). \tag{15}$$

These regions are convex sets. The alphabet $\mathcal{U}$ of the auxiliary random variable $U$ can be limited to have size $|\mathcal{U}| \leq |\mathcal{X}| + 1$. Deterministic encoders and decoders suffice to achieve these regions.

Suppose the transform-coding algorithms proposed in [15] are applied to RO PUFs or any PUF circuits with continuous-valued outputs to obtain $X^N$ that is almost i.i.d. according to a uniform Bernoulli random variable, i.e., $X^N \sim \mathrm{Bern}^N(\frac{1}{2})$, and the channel $P_{Y|X}$ is a BSC($p_A$) for $p_A \in [0, 0.5]$. The key-leakage-storage region $\mathcal{R}_{gs,bin}$ of the GS model for this case is the union of the bounds

$$0 \leq R_s \leq 1 - H_b(q * p_A), \qquad R_\ell \geq H_b(q * p_A) - H_b(q), \qquad R_w \geq H_b(q * p_A) - H_b(q) \tag{16}$$

over all $q \in [0, 0.5]$ [19], which follows by using an auxiliary random variable $U$ such that $P_{X|U} \sim$ BSC($q$) due to Mrs. Gerber’s lemma [42]. The rate tuples on the boundary of the region $\mathcal{R}_{gs,bin}$ are uniquely defined by the ratio $\frac{R_s}{R_w}$. We therefore use this ratio as the metric to compare our nested TBCCs with previously-proposed nested PCs and channel codes. A larger key vs. storage rate ratio suggests that the code construction is closer to an achievable point that is on the boundary of the region $\mathcal{R}_{gs,bin}$, which is an optimal tuple. We next focus on the GS model for code constructions. All results can be extended to the CS model by using an additional one-time padding step [12].

4 NESTED CONVOLUTIONAL CODE CONSTRUCTION

In this section, we sketch the main steps to obtain a nested construction for convolutional codes. Furthermore, we give two explicit algorithms to find good code constructions. The first algorithm addresses the search of a good error correcting code $(N, K_s)$, denoted by $\mathcal{C}_s$, and the second algorithm finds a $(N, K_q)$ code $\mathcal{C}_q$ used as a vector quantizer such that $\mathcal{C}_s$ is a subcode of $\mathcal{C}_q$, i.e., $\mathcal{C}_s \subseteq \mathcal{C}_q$.

4.1 Nested Convolutional Codes

Using the encoder circuit depicted in Figure 1, we construct two codes $\mathcal{C}_q$ and $\mathcal{C}_s$ such that $\mathcal{C}_s \subseteq \mathcal{C}_q$. Let $\mathcal{C}_q$ be the $(N, K_q)$ TBCC with memory $m$ and $K_q = \ell k_q$ generated by using the encoder defined by the matrices $[\tilde{B}, C, \tilde{D}]$. Recall that $B = (e_1^T \,|\, \tilde{B})$ with $\tilde{B} \in \mathbb{F}_2^{m\times(k_q-1)}$ and $D = (0 \,|\, \tilde{D})$ with $\tilde{D} \in \mathbb{F}_2^{n\times(k_q-1)}$. By removing the $i$-th column of $\tilde{B}$ and $\tilde{D}$ simultaneously, one obtains a new encoder that generates a code of rate $\frac{k_q - 1}{n}$, which is a subcode of the original code. This is true, since the new code corresponds to all codewords by encoding the original code but restricting to all inputs where $u_t^{(i)} = 0$. By “freezing” further input bits we can therefore obtain a subcode of rates

$$R_s = \frac{1}{n}, \frac{2}{n}, \dots, \frac{k_q - 1}{n}. \tag{17}$$

To obtain codes with rates of better granularity between $\frac{1}{n}$ and $\frac{k_q - 1}{n}$ that are not in (17), we can freeze input bits in a time-variant manner. That is, by using the encoder $\ell$ times, we can freeze a different amount of input bits in different clock cycles. This allows to obtain codes of rates

$$R_s = \frac{\ell}{N}, \frac{\ell + 1}{N}, \dots, \frac{K_q}{N}. \tag{18}$$

Denote the parameters of the subcode, obtained by freezing input bits accordingly, as $(N, K_s)$. Note that by freezing input bits in a time-variant manner, $K_s$ is not necessarily a multiple of $\ell$. Furthermore, the procedure can be applied also to add columns to $\tilde{B}$ and $\tilde{D}$ to generate a supercode. The design procedure of the nested convolutional code construction is split into two steps:

(1) Search for a good error correcting code $\mathcal{C}_s$ of rate $R_s = \frac{1}{n} = \frac{K_s}{N}$ at given target block error probability $P_B$ by finding an appropriate matrix $C$.
(2) Expand the low rate code by finding appropriate matrices $\tilde{B}$ and $\tilde{D}$ to obtain a good code of rate $R_q = \frac{k_q}{n} = \frac{K_q}{N}$ that achieves a low average distortion $q$.

Note that for the first step we restrict to codes of rate $R_s = \frac{1}{n}$ and hence the matrices $\tilde{B}$ and $\tilde{D}$ are vanishing. The first step can also be performed for codes of any rate $R_s > \frac{1}{n}$, but then also the appropriate matrices $\tilde{B}$ and $\tilde{D}$ have to be found accordingly.

Algorithm 1: Search for $(N, K_s)$ TBCC $\mathcal{C}_s$, $R_s = \frac{1}{n}$

    Input:  n, m, K_s, P_B, W_max (maximum number of iterations)
    Output: C ∈ F_2^{n×m}
    Initialize:
        p_c ← 0
        C ← 0
    for w ← 1 to W_max do
        C′ ←$ F_2^{n×m}
        Compute A′_d for the (N, K_s) TBCC generated by [0, C′, 0] for d = 0, ..., N using (5) and (6)
        Find p′_c such that: P_B^UB(A′_d, p′_c) = P_B
        if p′_c ≥ p_c then
            p_c ← p′_c
            C ← C′
    return C

Algorithm 2: Search for $(N, K_q)$ TBCC $\mathcal{C}_q$, $R_q = \frac{k_q}{n}$

    Input:  m, k_q, k_s, W_max, C, B̃_s ∈ F_2^{m×(k_s−1)}, D̃_s ∈ F_2^{n×(k_s−1)}
    Output: B̃_q ∈ F_2^{m×(k_q−1)}, D̃_q ∈ F_2^{n×(k_q−1)}
    Initialize:
        B̃_q ← (B̃_s | 0)
        D̃_q ← (D̃_s | 0)
        d ← 0
        A ← 0
    for w ← 1 to W_max do
        B′ ←$ F_2^{m×(k_q−k_s)}
        D′ ←$ F_2^{n×(k_q−k_s)}
        B̃′_q ← (B̃_s | B′)
        D̃′_q ← (D̃_s | D′)
        Compute d_free and A_free for [B̃′_q, C, D̃′_q]
        if d_free > d or (d_free = d and A_free < A) then
            d ← d_free
            A ← A_free
            B̃_q ← B̃′_q
            D̃_q ← D̃′_q
    return B̃_q, D̃_q

4.2 Design of a Convolutional Code for Error Correction

For fixed parameters $n$, $m$, and $K_s$, we try to find a matrix $C$ such that the resulting $(N, K_s)$ TBCC $\mathcal{C}_s$ at a given target block error probability $P_B$ can be operated on a noisy BSC with large crossover probability $p_c$. To evaluate $P_B$ we use the union bound, see, e.g., [34], and the distance spectrum of the code. This gives an upper bound on $P_B$ under maximum likelihood decoding. The bound is given by

$$P_B \leq P_B^{UB}(A_d, p_c) \overset{\text{def}}{=} \sum_{d=d_{min}}^{N} A_d \sum_{i=\lceil d/2 \rceil}^{d} \binom{d}{i} p_c^{i} (1 - p_c)^{d-i} \tag{19}$$

where $d_{min}$ is the minimum distance of the code.

The design of the code $\mathcal{C}_s$ is performed by a purely random search of the matrix $C$ as described in Algorithm 1. This algorithm searches the best TBCC of rate $R_s = \frac{1}{n}$ by randomly generating different matrices $C$. The matrix $C$ of the code that yields the largest $p_c$ at a given target block error probability $P_B$ is returned as the output of Algorithm 1.

4.3 Design of a Convolutional Code for Vector Quantization

In this section, an algorithm to obtain a high rate code from an existing low rate convolutional encoder is explained. The algorithm is presented in Algorithm 2. The inputs are the system matrix, the observation matrix, and the transition matrix of the low rate code with rate

$$R_s = \frac{k_s}{n}. \tag{20}$$

By randomly adding $k_q - k_s$ columns to both the system and the transition matrix, a code of high rate

$$R_q = \frac{k_q}{n} \tag{21}$$

is constructed. The algorithm performs a random search and returns the best configuration. As selection metrics, the free distance and its multiplicity are chosen. The free distance $d_{free}$ of a convolutional code is defined as the minimum Hamming weight between any two differing paths in the state transition diagram [20, Chapter 3]. Due to linearity of convolutional codes, $d_{free}$ is also the minimum Hamming weight over the nonzero paths. We denote by $A_{free}$ the multiplicity of paths that have Hamming weight $d_{free}$. To find a good high rate code, we use $d_{free}$ and $A_{free}$ to select the best encoder. The BEAST algorithm described in [20, Chapter 10] is a fast method to compute $d_{free}$ and $A_{free}$. The selection criterion is as follows: Keep the code with largest $d_{free}$ and in case of a tie decide for the code with smaller $A_{free}$.

5 DESIGN OF NESTED CONVOLUTIONAL CODES FOR PUFS

Algorithms 1 and 2 are combined to find good nested code constructions for the coding problem described in Section 3. Two TBCCs $\mathcal{C}_s$ and $\mathcal{C}_q$ of the same length $N$ are needed such that $\mathcal{C}_s \subseteq \mathcal{C}_q$. Let $K_q$ and $K_s$ denote the dimensions of $\mathcal{C}_q$ and $\mathcal{C}_s$, respectively, and let $R_q = \frac{K_q}{N}$ and $R_s = \frac{K_s}{N}$ denote their code rates. The objective is to maximize the key vs. storage rate ratio. Since $R_s = \frac{K_s}{N}$ and $R_w = \frac{K_q - K_s}{N}$, we have

$$\frac{R_s}{R_w} = \frac{K_s}{K_q - K_s} = \left(\frac{R_q}{R_s} - 1\right)^{-1}. \tag{22}$$

Therefore, we maximize $R_s$ and minimize $R_q$ simultaneously.

To reconstruct the key $S$ of size $K_s$ (in bits) the code $\mathcal{C}_s$ has to correct errors on the artificial BSC channel with crossover probability $p_c = q * p_A$ at a given target $P_B$. The code $\mathcal{C}_q$ serves as a vector quantizer with average distortion $q$ such that [14]

$$q \leq \frac{p_c - p_A}{1 - 2p_A}. \tag{23}$$

The design procedure is then as follows:

(1) Choose $m$ and $n$ to design a TBCC of rate $R_s = \frac{1}{n}$ by using Algorithm 1.
(2) Obtain the corresponding value of $p_c$ where the code achieves the target block error probability $P_B$ by Monte Carlo simulations.
(3) Construct code $\mathcal{C}_q$ from $\mathcal{C}_s$ by using Algorithm 2 such that (23) is satisfied.

The last step in this procedure is executed by applying Algorithm 2 incrementally as follows:

(1) Initialization: Start constructing a code $\mathcal{C}_q^{(0)}$ of rate $R_q^{(0)} = \frac{2}{n}$ from code $\mathcal{C}_s$ (Algorithm 1).
(2) Set $i \leftarrow 1$.
(3) Construct a code $\mathcal{C}_q^{(i)}$ of rate $R_q^{(i)} = \frac{i + 2}{n}$ from code $\mathcal{C}_q^{(i-1)}$ (Algorithm 2).
(4) If the average distortion achieved by the code $\mathcal{C}_q^{(i)}$ satisfies the constraint given in (23), stop; else increment $i \leftarrow i + 1$ and go to step (3).

The final code $\mathcal{C}_q$ is the code in the last iteration. To obtain code rates in between those steps we randomly freeze inputs of the encoder in a time-variant manner as described in Section 4. Since in each iteration the code is optimized for the minimum distance of the code, we can only freeze inputs on the last added input. This way we guarantee to preserve the minimum distance of the code for the next iteration due to $\mathcal{C}_q^{(i-1)} \subseteq \mathcal{C}_q^{(i)}$.

6 ESTIMATED DECODING COMPLEXITY

We compare the decoding complexities of TBCCs and PCs. Since the real complexity of decoding depends on the hardware implementation, we only estimate the complexity for both code classes by using standard decoding algorithms.

The WAVA algorithm performs standard Viterbi decoding on the tailbiting trellis of the TBCC in a circular fashion. That means the decoder runs over the trellis several times and at each iteration the probabilities of the starting states of the trellis are updated according to the probabilities of the ending states of the previous iteration. Therefore, the WAVA algorithm scales with the complexity of a standard Viterbi decoder times the number of iterations. For simplicity, we consider the worst case complexity and hence let $V$ denote the number of maximum iterations of the WAVA decoder. According to [27], let $\kappa$ be the complexity of a standard Viterbi decoder with indices

• F for Forney trellis,
• P for precomputation,
• M for merged or minimal trellis.

For the total number $\frac{N}{n}$ of trellis sections, we have

$$\kappa_F \propto N \cdot 2^{k+m} \tag{24}$$
$$\kappa_P \propto \frac{N}{n}\left(2^{k+m} + 2^{n}\right) \tag{25}$$
$$\kappa_M \propto N \cdot 2^{\min\{k,\, n-k\}+m}. \tag{26}$$

By scaling these complexities with the maximum number of WAVA iterations $V$ we obtain the desired complexities of decoding a TBCC. For decoding on the Forney trellis, we can reuse the branch metrics computed in the first WAVA iteration in the following $V - 1$ iterations; therefore, we obtain

$$\kappa_F^{WAVA} \propto (n + V - 1)\,\frac{N}{n}\, 2^{k+m} \tag{27}$$
$$\kappa_P^{WAVA} \propto \frac{N}{n}\left(V \cdot 2^{k+m} + 2^{n}\right) \tag{28}$$
$$\kappa_M^{WAVA} \propto V N \cdot 2^{\min\{k,\, n-k\}+m}. \tag{29}$$

Overall we have that the complexity $\kappa^{WAVA}$ of decoding a TBCC is

$$\kappa^{WAVA} \propto \min\left\{\kappa_F^{WAVA}, \kappa_P^{WAVA}, \kappa_M^{WAVA}\right\}. \tag{30}$$

For error correction and vector quantization, we obtain different complexities since we have different values for $k$. For the error correcting code we have $k = k_s = 1$ and for the vector quantizer code we have $k = k_q$, where $k_q$ is the largest value needed to achieve a rate of $R_q$ such that $k_q = \lceil n R_q \rceil$. The complexity of the vector quantizer can be reduced by considering decoding over the trellis with the time-variant frozen input bit values, since all branches that do not correspond to the frozen input bit value can be removed. For simplicity, we will only consider the complexity over the time-invariant trellis.

For the PCs under successive cancellation list (SCL) decoding [39] with a list size $L$, we have a complexity proportional to $L N \log_2 N$. This complexity is independent of the code rate and thus applies to $\mathcal{C}_s$ and $\mathcal{C}_q$. All decoding complexities are summarized in Table 1. Note that for the Viterbi decoder parallelization up to a factor of $2^m$ can be easily achieved since all state nodes in a trellis section can be processed independently. For the SCL decoding of PCs, parallelization cannot be achieved without changing the decoder’s error correction performance since each decoded bit sequentially depends on the previously decoded ones.

Table 1: Complexities of the error correcting code $\mathcal{C}_s$ and vector quantizer code $\mathcal{C}_q$ for PCs and TBCCs.

| Code class | Complexity of $\mathcal{C}_s$ | Complexity of $\mathcal{C}_q$ |
| --- | --- | --- |
| TBCC, $\kappa_F^{WAVA}$ | $\propto (n + V - 1)\frac{N}{n} 2^{1+m}$ | $\propto (n + V - 1)\frac{N}{n} 2^{k_q+m}$ |
| TBCC, $\kappa_P^{WAVA}$ | $\propto \frac{N}{n}\left(V \cdot 2^{1+m} + 2^{n}\right)$ | $\propto \frac{N}{n}\left(V \cdot 2^{k_q+m} + 2^{n}\right)$ |
| TBCC, $\kappa_M^{WAVA}$ | $\propto V N \cdot 2^{1+m}$ | $\propto V N \cdot 2^{\min\{k_q,\, n-k_q\}+m}$ |
| PC | $\propto L N \log_2 N$ | $\propto L N \log_2 N$ |

7 PERFORMANCE EVALUATIONS FOR PUFS

In this section, the performance of TBCCs designed by the proposed procedure for the PUF setting is presented. We consider PUF devices with $p_A = 0.0149$, target block error probability $P_B = 10^{-6}$ and a key size of $K_s = 128$ bits. These values correspond to the best RO PUF designs in the literature [17]. We construct TBCCs with rates $R_s = \frac{1}{3}$ and $R_s = \frac{1}{4}$, and with memories $m = 8$ and $m = 11$. As a reference, we also give a PC construction using the approach described in [14]. Without puncturing we can only provide a PC construction for the case of $R_s = \frac{1}{4}$, since for a key size of $K_s = 128$ and code rate $R_s = \frac{1}{3}$ we would have $N = 384$ which is not a power of two. All simulations for the PCs are performed by using SCL decoding with a list size of $L = 8$. We also compute the results for the rate $\frac{1}{8}$ PC presented in [14] but now for $p_A = 0.0149$ and give the resulting key vs. storage rate ratio $\frac{R_s}{R_w}$. All simulations for the TBCCs are performed by using the WAVA algorithm with a maximum of $V = 4$ iterations. The final results of all discussed codes are given in Table 2.

Figure 3: Error correcting performance of different codes with $K_s = 128$ bits and $R_s = \frac{1}{3}$ over a BSC with crossover probability $p_c$. The MC and RCU bounds for the same code parameters are given as references.

7.1 Error Correction Performance Block Error Probability The construction of the nested code design starts with the error 1 1 correcting code C . We design two TBCCs with R = and R = s s 3 s 4 4 by using Algorithm 1 with Wmax = 10 . Results of the Monte Carlo simulations as well as the bound (19) are shown in Figures 3 and 4 10−7 for the two TBCCs. 0.04 0.06 0.08 0.1 0.12 0.14 0.16 0.18 0.2 To bound the code performance on a BSC for a given block length Crossover Probability pc and code rate we use two finite length bounds, namely the meta converse (MC) and the random coding union (RCU) bound from [35]. The MC gives a lower bound and the RCU an upper bound on the Figure 4: Error correcting performance of different codes 1 1 with Ks = 128 bits and Rs = over a BSC with crossover block error probability. For Rs = 4 , we observe that the TBCC 4 with m = 11 outperforms the PC, whereas the TBCC with m = 8 probability pc. The MC and RCU bounds for the same code performs worse. We also observe that for all considered codes there parameters are given as references. is still a gap to the finite length bounds. −6 Table 2: Parameters of the designed codes for Ks = 128 bits, pA = 0.0149 and PB ≤ 10 and complexities for Cs and Cq, WAVA WAVA WAVA  |W| respectively. For the TBCCs also the type of complexity (κF ,κM or κP ) which is minimal is given. log2 is the amount of helper data in bits.

| Code | m | Rs | pc | q̄ | Rq | Rw | log2 \|W\| | Rs/Rw | Complexity Cs | Complexity Cq |
|---|---|---|---|---|---|---|---|---|---|---|
| TBCC | 11 | 1/3 | 0.0545 | 0.0408 | 0.8047 | 0.4714 | 181 | 0.7072 | κP^WAVA ∝ 2^21.00 | κM^WAVA ∝ 2^21.58 |
| TBCC | 8 | 1/3 | 0.0365 | 0.0223 | 0.8906 | 0.5573 | 214 | 0.5981 | κP^WAVA ∝ 2^18.00 | κM^WAVA ∝ 2^18.58 |
| TBCC | 11 | 1/4 | 0.0837 | 0.0709 | 0.6680 | 0.4180 | 214 | 0.5981 | κP^WAVA ∝ 2^21.00 | κM^WAVA ∝ 2^23.00 |
| TBCC | 8 | 1/4 | 0.0640 | 0.0507 | 0.7441 | 0.4941 | 253 | 0.5059 | κP^WAVA ∝ 2^18.01 | κM^WAVA ∝ 2^20.00 |
| PC | - | 1/4 | 0.0778 | 0.0648 | 0.6875 | 0.4375 | 224 | 0.5714 | ∝ 2^15.17 | ∝ 2^15.17 |
| PC | - | 1/8 | 0.1819 | 0.1721 | 0.3584 | 0.2333 | 239 | 0.5358 | ∝ 2^16.32 | ∝ 2^16.32 |

[Figure 5 plot: average distortion q̄ vs. vector quantizer code rate Rq (bits/symbol); curves: 1 − Hb(q) + (1/2) log2(N)/N, TBCC m = 8 (simul.), TBCC m = 11 (simul.)]

Figure 5: Code rate of the vector quantizer code Cq vs. average distortion q̄ for N = 384 bits and PB ≤ 10^-6.

[Figure 6 plot: average distortion q̄ vs. vector quantizer code rate Rq (bits/symbol); curves: 1 − Hb(q) + (1/2) log2(N)/N, TBCC m = 11 (simul.), TBCC m = 8 (simul.), PC L = 8 (simul.)]

Figure 6: Code rate of the vector quantizer code Cq vs. average distortion q̄ for N = 512 bits and PB ≤ 10^-6.

7.2 Vector Quantization Performance

Using the approach described in Section 4 and setting Wmax = 10^4, we construct high rate codes to be used as a vector quantizer. Using Monte Carlo simulations, we plot the rate of these codes Rq vs. the measured average distortion q̄ in Figures 5 and 6 for N = 384, corresponding to Rs = 1/3, and for N = 512, corresponding to Rs = 1/4, respectively.

We plot the approximate bound on the rate achieved for a given distortion from [24]. The approximated rate for block length N is

$$R_q^{\text{approx}} \overset{\text{def}}{=} 1 - H_b(q) + \frac{\log_2(N)}{2N} + O\!\left(\frac{1}{N}\right) \tag{31}$$

where O(·) denotes the big O notation. This approximation does not consider the effect of the constraint that the error correcting code designed in the previous subsection has to be a subcode of the vector quantizer of rate Rq. Therefore, this bound only gives an approximate achievable bound on the rate of the high-rate code that is used as a vector quantizer without having any constraint. The bound is plotted by neglecting the O(1/N) term.

Using (23), we obtain the target distortion for the code to be designed, which allows us to find a lower bound on the required rate Rq of the vector quantizer. The results are shown in Table 2. Observe that the vector quantization performance of all codes is similar. Therefore, the code that has the best error correction performance yields the smallest rate for vector quantization, which corresponds to the smallest amount of helper data.

7.3 Overall Performance

Combining the results of the error correction and the vector quantizer performance, we can evaluate the key vs. storage rate ratio by using (22). The intermediate and final results are listed in Table 2, and the achieved (Rw, Rs) tuples for all mentioned codes are depicted in Figure 7.

[Figure 7 plot: secret-key rate Rs (bits/symbol) vs. storage rate Rw (bits/symbol); legend: (Rw, Rs) projection of Rgs,bin; finite length non-achievability; finite length approximation; Rs + Rw = 1; FCS & COFE, Rs = 1/3; FCS & COFE, Rs = 1/4; TBCC, m = 11, Rs = 1/3; TBCC, m = 8, Rs = 1/3; TBCC, m = 11, Rs = 1/4; TBCC, m = 8, Rs = 1/4; PC, L = 8, Rs = 1/4; PC, L = 8, Rs = 1/8; SWC, Rs = 1/4 [5]; SWC, Rs = 1/3 [5]]

Figure 7: Storage-key rates for the GS model with pA = 0.0149. The (0.1118, 0.8882) bits/symbol point is the best possible point achieved by SW-coding (SWC) constructions such as polar codes (PCs) in [5], which lies on the dashed line representing Rw + Rs = H(X). The PCs are designed by applying the design procedure proposed in [14] for WZ-coding with the SCL decoder with list size of L. The block-error probability satisfies PB ≤ 10^-6 and Ks = 128 bits for all codes. The finite length non-achievability bound and its approximation for Ks = 128 bits are depicted as well.

For the nested WZ-coding construction, where we have a vector quantizer and an error correcting code, we plot a finite length non-achievability (converse) bound. For a fixed key size of Ks = 128 bits and pA = 0.0149, we evaluate the MC non-achievability bound for the error correcting code and combine this bound using (23) with the non-achievability bound from [24, (2.186)] for the vector quantizer code. A slightly tighter version of the non-achievability bound for the vector quantizer code can be found in [32]. To achieve a distortion of q, any vector quantizer code of blocklength N must satisfy [24, (2.186)]

$$\sum_{j=0}^{\lfloor Nq \rfloor} \binom{N}{j} \geq 2^{N(1 - R_q)}. \tag{32}$$

Similar to the achievability bound discussed in Section 7.2, (31) is used to approximate also the non-achievability bound in (32). The combination of the MC bound and the converse bound for the vector quantizer performance establishes a non-achievability bound on the best rate tuples that can be achieved for given parameters by our WZ-coding construction. In Figure 7, we plot this non-achievability bound using (32) and its approximation using (31). Note that the zigzag behaviour of the bound in (32) is due to the floor function. We observe a gap between these bounds and the rate tuples achieved by the designed codes.

The FCS and COFE have the key vs. storage rate ratio of

$$\frac{R_s}{R_w} = R_s \tag{33}$$

as the storage rate is 1 bit/symbol for these constructions. The SW coding constructions such as the syndrome coding method proposed in [5] achieve the ratio

$$\frac{R_s}{R_w} = \frac{R_s}{1 - R_s} \tag{34}$$

which improves on the FCS and COFE. WZ coding constructions with nested PCs that we constructed for pA = 0.0149 based on the design procedure given in [14] achieve even larger ratios. The largest key vs. storage rate ratio is achieved by the TBCC with Rs = 1/3 and m = 11 such that Rs/Rw = 0.7072. These results suggest that increasing the code rate Rs and the memory size of TBCCs allows a larger key vs. storage rate ratio.

8 CONCLUSION

We proposed a nested convolutional code construction, which might be useful for various achievability schemes. For the key agreement problem with PUFs, we proposed a design procedure for the nested code construction using TBCCs to obtain good reliability, secrecy, privacy, storage, and cost performance jointly. We implemented nested convolutional codes for practical source and channel parameters to illustrate the gains in terms of the key vs. storage rate ratio as compared to previous code designs. We observe that one variant of nested convolutional codes achieves a higher rate ratio than all other code designs in the literature but it may have a high hardware cost. Another variant of nested convolutional codes with low complexity is illustrated to perform similarly to the best previous codes in the literature. We also computed known finite-length bounds for our code construction to show the gaps between the performance of the designed codes and these bounds.

ACKNOWLEDGMENTS

This work was performed while O. Günlü was with the Chair of Communications Engineering, Technical University of Munich. O. Günlü was supported by the German Federal Ministry of Education and Research (BMBF) within the national initiative for “Post Shannon Communication (NewCom)” under the Grant 16KIS1004, and by the German Research Foundation (DFG) under grant KR 3517/9-1. V. Sidorenko is on leave from the Institute for Information Transmission Problems, Russian Academy of Sciences. His work was supported by the European Research Council (ERC) under the European Union's Horizon 2020 research and innovation programme (grant agreement No 801434) and by the Chair of Communications Engineering at the Technical University of Munich. The work of G. Kramer was supported by an Alexander von Humboldt Professorship endowed by the BMBF.

REFERENCES

[1] and Imre Csiszár. 1993. Common randomness in information theory and cryptography - Part I: Secret sharing. IEEE Trans. Inf. Theory 39, 4 (July 1993), 1121–1132. https://doi.org/10.1109/18.243431
[2] Mattias Andersson, Vishwambhar Rathi, Ragnar Thobaben, Jörg Kliewer, and Mikael Skoglund. 2010. Nested polar codes for wiretap and relay channels. IEEE Commun. Lett. 14, 8 (Aug. 2010), 752–754. https://doi.org/10.1109/LCOMM.2010.08.100875
[3] Erdal Arikan. 2009. Channel polarization: A method for constructing capacity-achieving codes for symmetric binary-input memoryless channels. IEEE Trans. Inf. Theory 55, 7 (July 2009), 3051–3073. https://doi.org/10.1109/TIT.2009.2021379
[4] Patrizio Campisi. 2013. Security and privacy in biometrics. London, U.K.: Springer-Verlag.
[5] Bin Chen, Tanya Ignatenko, Frans M.J. Willems, Roel Maes, Erik van der Sluis, and Georgios Selimis. 2017. A robust SRAM-PUF key generation scheme based on polar codes. In IEEE Global Commun. Conf. Singapore, 1–6. https://doi.org/10.1109/GLOCOM.2017.8254007
[6] Remi A. Chou and Matthieu R. Bloch. 2014. Separation of reliability and secrecy in rate-limited secret-key generation. IEEE Trans. Inf. Theory 60, 8 (Aug. 2014), 4941–4957. https://doi.org/10.1109/TIT.2014.2323246
[7] Remi A. Chou, Matthieu R. Bloch, and Jörg Kliewer. 2015. Polar coding for empirical and strong coordination via distribution approximation. In IEEE Int. Symp. Inf. Theory. Hong Kong, China, 1512–1516. https://doi.org/10.1109/ISIT.2015.7282708
[8] Imre Csiszár and Prakash Narayan. 2000. Common randomness and secret key generation with a helper. IEEE Trans. Inf. Theory 46, 2 (Mar. 2000), 344–366. https://doi.org/10.1109/18.825796
[9] Paul W. Cuff, Haim H. Permuter, and Thomas M. Cover. 2010. Coordination Capacity. IEEE Trans. Inf. Theory 56, 9 (Sep. 2010), 4181–4206. https://doi.org/10.1109/TIT.2010.2054651
[10] Yevgeniy Dodis, Rafail Ostrovsky, Leonid Reyzin, and Adam Smith. 2008. Fuzzy extractors: How to generate strong keys from biometrics and other noisy data. SIAM J. Comput. 38, 1 (Jan. 2008), 97–139. https://doi.org/10.1007/978-3-540-24676-3_31
[11] Blaise Gassend. 2003. Physical random functions. Master's thesis. M.I.T., Cambridge, MA.
[12] Onur Günlü. 2018. Key Agreement with Physical Unclonable Functions and Biometric Identifiers. Ph.D. Dissertation. TU Munich, Germany. published by Dr. Hut Verlag.
[13] Onur Günlü and Onurcan İşcan. 2014. DCT based ring oscillator physical unclonable functions. In IEEE Int. Conf. Acoustics Speech Sign. Process. Florence, Italy, 8198–8201. https://doi.org/10.1109/ICASSP.2014.6855199
[14] Onur Günlü, Onurcan İşcan, Vladimir Sidorenko, and Gerhard Kramer. 2019. Code Constructions for Physical Unclonable Functions and Biometric Secrecy Systems. IEEE Trans. Inf. Forensics Security 14, 11 (Nov. 2019), 2848–2858. https://doi.org/10.1109/TIFS.2019.2911155
[15] Onur Günlü, Tasnad Kernetzky, Onurcan İşcan, Vladimir Sidorenko, Gerhard Kramer, and Rafael F. Schaefer. 2018. Secure and reliable key agreement with physical unclonable functions. Entropy 20, 5 (May 2018). https://doi.org/10.3390/e20050340
[16] Onur Günlü and Gerhard Kramer. 2018. Privacy, secrecy, and storage with multiple noisy measurements of identifiers. IEEE Trans. Inf. Forensics Security 13, 11 (Nov. 2018), 2872–2883. https://doi.org/10.1109/TIFS.2018.2834303
[17] Onur Günlü and Rafael F. Schaefer. 2020. Low-complexity and Reliable Transforms for Physical Unclonable Functions. In IEEE Int. Conf. Acoustics, Speech, Signal Process. Barcelona, Spain. to appear.
[18] Tanya Ignatenko, Geert jan Schrijen, Boris Skoric, Pim Tuyls, and Frans Willems. 2006. Estimating the Secrecy-Rate of Physical Unclonable Functions with the Context-Tree Weighting Method. In IEEE Int. Symp. Inf. Theory. Seattle, WA, 499–503. https://doi.org/10.1109/ISIT.2006.261765
[19] Tanya Ignatenko and Frans M. J. Willems. 2009. Biometric systems: Privacy and secrecy aspects. IEEE Trans. Inf. Forensics Security 4, 4 (Dec. 2009), 956–973. https://doi.org/10.1109/TIFS.2009.2033228
[20] Rolf Johannesson and Kamil Zigangirov. 2015. Fundamentals of Convolutional Coding (2 ed.). 1–667 pages. https://doi.org/10.1002/9781119098799
[21] Ari Juels and Martin Wattenberg. 1999. A fuzzy commitment scheme. In ACM Conf. Comp. Commun. Security. New York, NY, 28–36. https://doi.org/10.1145/319709.319714
[22] Ashish Khisti, Suhas N. Diggavi, and Gregory W. Wornell. 2012. Secret-key generation using correlated sources and channels. IEEE Trans. Inf. Theory 58, 2 (Feb. 2012), 652–670. https://doi.org/10.1109/TIT.2011.2173629
[23] Manabu Koide and Hirosuke Yamamoto. 2010. Coding theorems for biometric systems. In IEEE Int. Symp. Inf. Theory. Austin, TX, 2647–2651. https://doi.org/10.1109/ISIT.2010.5513689
[24] Victoria Kostina. 2013. Lossy Data Compression: Nonasymptotic Fundamental Limits. Ph.D. Dissertation. , NJ, USA.
[25] Onur Ozan Koyluoglu and Hesham El Gamal. 2012. Polar coding for secure transmission and key agreement. IEEE Trans. Inf. Forensics Security 7, 5 (Oct. 2012), 1472–1483. https://doi.org/10.1109/TIFS.2012.2207382
[26] Lifeng Lai, SiuWai Ho, and H. Vincent Poor. 2011. Privacy-security trade-offs in biometric security systems - Part I: Single use case. IEEE Trans. Inf. Forensics Security 6, 1 (Mar. 2011), 122–139. https://doi.org/10.1109/TIFS.2010.2098872
[27] Wenhui Li, Vladimir Sidorenko, Thomas Jerkovits, and Gerhard Kramer. 2019. On Maximum-Likelihood Decoding of Time-Varying Trellis Codes. In International Symposium Problems of Redundancy in Information and Control Systems. Moscow, Russia, 104–109.
[28] Ruoheng Liu, Yingbin Liang, H. Vincent Poor, and Predrag Spasojevic. 2007. Secure Nested Codes for Type II Wiretap Channels. In IEEE Inf. Theory Workshop. Tahoe City, CA, 337–342. https://doi.org/10.1109/ITW.2007.4313097
[29] Roel Maes, Pim Tuyls, and Ingrid Verbauwhede. 2009. A Soft Decision Helper Data Algorithm for SRAM PUFs. In IEEE Int. Symp. Inf. Theory. Seoul, Korea, 2101–2105. https://doi.org/10.1109/ISIT.2009.5205263
[30] Hessam Mahdavifar and Alexander Vardy. 2011. Achieving the secrecy capacity of wiretap channels using polar codes. IEEE Trans. Inf. Theory 57, 10 (Oct. 2011), 6428–6443. https://doi.org/10.1109/TIT.2011.2162275
[31] Ueli Maurer. 1993. Secret key agreement by public discussion from common information. IEEE Trans. Inf. Theory 39, 3 (May 1993), 2733–742. https://doi.org/10.1109/18.256484
[32] Lars Palzer and Roy Timo. 2016. A converse for lossy source coding in the finite blocklength regime. In Int. Zurich Seminar Commun. Zurich, Switzerland, 15–19. https://doi.org/10.3929/ethz-a-010645199
[33] Ravikanth Pappu. 2001. Physical one-way functions. Ph.D. Dissertation. M.I.T., Cambridge, MA.
[34] Gregory Poltyrev. 1994. Bounds on the decoding error probability of binary linear codes via their spectra. IEEE Trans. Inf. Theory 40, 4 (July 1994), 1284–1292. https://doi.org/10.1109/18.335935
[35] Yury Polyanskiy, H. Vincent Poor, and Sergio Verdu. 2010. Channel Coding Rate in the Finite Blocklength Regime. IEEE Trans. Inf. Theory 56, 5 (May 2010), 2307–2359. https://doi.org/10.1109/TIT.2010.2043769
[36] Rose Y. Shao, Shu Lin, and Marc P. C. Fossorier. 2003. Two decoding algorithms for tailbiting codes. IEEE Trans. Commun. 51, 10 (Oct. 2003), 1658–1665. https://doi.org/10.1109/TCOMM.2003.818084
[37] Boris Škorić. 2012. Quantum readout of physical unclonable functions. Int. J. Quantum Inf. 10, 1 (Feb. 2012), 1250001. https://doi.org/10.1142/S0219749912500013
[38] and Jack Wolf. 1973. Noiseless coding of correlated information sources. IEEE Trans. Inf. Theory 19, 4 (July 1973), 471–480. https://doi.org/10.1109/TIT.1973.1055037
[39] Ido Tal and Alexander Vardy. 2015. List Decoding of Polar Codes. IEEE Trans. Inf. Theory 61, 5 (May 2015), 2213–2226. https://doi.org/10.1109/TIT.2015.2410251
[40] Jack K. Wolf and Andrew J. Viterbi. 1996. On the weight distribution of linear block codes formed from convolutional codes. IEEE Trans. Commun. 44, 9 (Sep. 1996), 1049–1051. https://doi.org/10.1109/26.536907
[41] Aaron D. Wyner. 1975. The wire-tap channel. Tech. J. 54, 8 (Oct. 1975), 1355–1387. https://doi.org/10.1002/j.1538-7305.1975.tb02040.x
[42] Aaron D. Wyner and . 1973. A theorem on the entropy of certain binary sequences and applications: Part I. IEEE Trans. Inf. Theory 19, 6 (Nov. 1973), 769–772. https://doi.org/10.1109/TIT.1973.1055107
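The vector quantizer converse (32) and its approximation (31) from Sections 7.2 and 7.3 can be evaluated directly against the measured (q̄, Rq) pairs of Table 2. The Python code below is an added example, not code from the paper; the function names are chosen here, and the block lengths assume N = Ks/Rs with Ks = 128 bits as in the text.

```python
from math import comb, floor, log2

# (label, N, measured distortion q_bar, measured rate R_q), copied from Table 2.
# Assumption: N = K_s / R_s with K_s = 128 bits, so R_s = 1/3, 1/4, 1/8 -> 384, 512, 1024.
TABLE2 = [
    ("TBCC m=11, Rs=1/3", 384, 0.0408, 0.8047),
    ("TBCC m=8,  Rs=1/3", 384, 0.0223, 0.8906),
    ("TBCC m=11, Rs=1/4", 512, 0.0709, 0.6680),
    ("TBCC m=8,  Rs=1/4", 512, 0.0507, 0.7441),
    ("PC L=8,    Rs=1/4", 512, 0.0648, 0.6875),
    ("PC L=8,    Rs=1/8", 1024, 0.1721, 0.3584),
]


def _check(n, q):
    if n <= 0 or not 0.0 <= q <= 1.0:
        raise ValueError("need N > 0 and 0 <= q <= 1")


def binary_entropy(q):
    """H_b(q) in bits, with H_b(0) = H_b(1) = 0."""
    if q in (0.0, 1.0):
        return 0.0
    return -q * log2(q) - (1.0 - q) * log2(1.0 - q)


def rq_converse(n, q):
    """Smallest R_q allowed by (32): sum_{j=0}^{floor(Nq)} C(N, j) >= 2^(N(1 - R_q))."""
    _check(n, q)
    ball = sum(comb(n, j) for j in range(floor(n * q) + 1))  # exact big integer
    return 1.0 - log2(ball) / n


def rq_approx(n, q):
    """Approximation (31) with the O(1/N) term neglected, as in the plots."""
    _check(n, q)
    return 1.0 - binary_entropy(q) + log2(n) / (2 * n)


def compare_with_table(rows=TABLE2):
    """Return (label, converse, approximation, measured, gap to converse) per row."""
    out = []
    for label, n, q_bar, rq_meas in rows:
        lower = rq_converse(n, q_bar)
        out.append((label, lower, rq_approx(n, q_bar), rq_meas, rq_meas - lower))
    return out


if __name__ == "__main__":
    for label, lower, approx, meas, gap in compare_with_table():
        print(f"{label}  converse={lower:.4f}  approx={approx:.4f}  "
              f"measured={meas:.4f}  gap={gap:.4f}")
```

Because ⌊Nq⌋ is constant between consecutive multiples of 1/N, `rq_converse` is a step function of q, which is the zigzag behaviour the text attributes to the floor function.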