1
Sensor Physical Unclonable Functions
Kurt Rosenfeld and Efstratios Gavas and Ramesh Karri
Polytechnic Institute of NYU
Brooklyn, NY
Email: kurt@isis.poly.edu
Abstract—We propose a novel variety of sensor that extends
the functionality of conventional physical unclonable functions to
provide authentication, unclonability, and verification of a sensed
value. This new class of device addresses the vulnerability in typi-
cal sensing systems whereby an attacker can spoof measurements
by interfering with the analog signals that pass from the sensor
element to the embedded microprocessor. The concept can be
applied to any type of analog sensor.
I. I NTRODUCTION
For sensing applications it is desirable that the system pro-
vide some degree of assurance regarding the authenticity and
veracity of measurements. One scheme for achieving this is to
couple the sensor with a trusted cryptography module which
digitally signs the sensor data. Unfortunately, that scheme can
provide only limited assurance because the sensor is separate
from the crypto module. As a result, the crypto module has
no mechanism for verifying the sensor data before signing it.
Sensor-crypto separation is an architectural vulnerability.
challenge
vulnerable
a) uC sensor
response
analog signal
challenge
b) uC sensor
response
deception
Fig. 1: The naı̈ve secure sensor architecture does not bind
the sensing with the cryptography, allowing the analog link
between the sensing element and the crypto processor to be
easily attacked.
In the naı̈ve architecture shown in Fig. 1, we illustrate how
an attacker could interpose circuitry between the sensor and
the microcontroller. Using this extra circuitry, the attacker
could cause the microcontroller to falsely report the sensed
data. Our work aims to make this and other sensor attacks
impractical.
A. Related Work
The technique of integrating a physical quantity into a
PUF challenge-response calculation is new, but the security
of sensors in general has been studied. Secure remote sensors
This work was partly supported by NSF award numbers 0831349 and
0621856.
have been developed for high security applications such as
nuclear and chemical materials tracking [1]. Cryptographic
protocols and infrastructures have been developed for securing
communication in sensor networks [2]. However, neither can
extend the trust perimeter to include the sensing element itself.
Our work also builds on work from the PUF community.
PUFs have emerged over the past decade as a potent tool for
hardware authentication and key generation at low cost [3][4].
Their low cost makes them particularly attractive for use in the
cost-sensitive sensor market and they serve as the foundation
for our work. Specifically, our example sensor makes use of
non-homogeneous coatings, which have been used to achieve
per-chip uniqueness and unclonability [5][6] in conventional
PUFs. We also make use of comparisons of on-chip quantities
that are selected by the challenge, a concept borrowed from
ring-oscillator PUFs [7].
The problem of protecting analog sensor data before it
enters the crypto-enabled digital domain is related to the
problem that digital rights management (DRM) systems have
of protecting the media after it leaves the crypto-enabled
digital domain. This “analog hole” has been a vexing program
for the content protection community [8].
Additionally, related work exists in the media forensics
literature with camera image sensors. Digital photos can be
forensically attributed to the camera that took them because
of distinctive anomalies introduced by camera image sensors
[9]. These features, like a PUF, are unique to each sensor
that is fabricated, and are reasonably stable across time and
environmental conditions. However, unlike a PUF, they are not
functions in the sense of having a challenge and a response.
B. Our Contribution
We propose an architecture that eliminates sensor-crypto
separation. By merging sensing with cryptography, we raise
the strength of the assurances that the system can provide. The
device we propose is a form of PUF that co-mingles sensing
with challenge-response processing. We provide the following:
• definition of the security properties of the new device,
• a candidate design that targets those properties,
• a protocol used for making secure measurements, and
• an analysis of the candidate design.
C. Security Properties
A traditional PUF [10] is a physical device that takes in a
challenge and ideally produces a response with the following
properties:

CHALLENGE BITS STANDARD RESPONSE BITS
PUF
PHYSICAL QUANTITY
SENSOR RESPONSE BITS
CHALLENGE BITS
PUF
Fig. 2: A conventional silicon PUF has a binary input and a
binary output. The sensor PUF has a binary input, physical
quantity being sensed, and a binary output.
1) For a given binary challenge, a PUF always produces
the same response.
2) One challenge-response pair leaks nothing about other
pairs.
3) The manufacturer of the PUF cannot predetermine the
mapping.
The variation that we propose extends conventional PUFs
by including two inputs: a physical quantity and a traditional
binary challenge. This system, which we call a sensor physical
unclonable function, has the following as its ideal properties:
1) For a given challenge and a given sensed quantity, the
sensor PUF always produces the same response.
2) One challenge-quantity-response triple leaks nothing
about other triples.
3) The manufacturer of the sensor PUF cannot predeter-
mine the challenge-quantity-response mapping.
The third property on both lists is known as manufacturer
resistance. Here, the manufacturer is considered a potential
adversary. From a black-box point of view, a PUF looks like
a message authentication code (MAC) operation. From the
outside it is difficult to distinguish a true PUF from a MAC
operation with an embedded key. If the adversary replaces the
PUF with a MAC module, the adversary could predetermine
the mapping without the user’s knowledge. Manufacturer
resistance is limited in practice.
A trivial example of a sensor PUF is actually found in
the temperature dependence of a conventional silicon PUFs.
The output depends on the challenge and the temperature.
Our objective is to measure physical quantities other than
temperature.
II. C ANDIDATE S ENSOR PUF
We present an example of a sensor PUF that measures
light level. The inputs to the device are light and a series
of challenge bits. The output is a series of response bits.
The light sensor PUF is profoundly different from Pappu’s
optical PUF [11]. Pappu’s challenge is a beam of coherent
light and the response is the light that scatters when the
coherent beam passes through a mixture containing tiny beads.
Pappu’s optical PUF does not measure a physical quantity.
Where a conventional PUF has a single input, the challenge,
the sensor PUF has two inputs. Operational protocols for using
conventional and sensor PUFs dictate that the challenge not be
reused in the field. The physical quantity input to a sensor PUF
can be repeated in the field without compromising security. It
is only the challenge bits that need to be excluded from reuse.
2
A. Structure
The candidate sensor PUF we propose consists of an array
of on-chip photodiodes, a coating, and some on-chip circuitry,
as shown in figure 3. The photodiodes are organized in
groups of three. A coating containing swirls of dark material
in a translucent base is applied onto the sensor area. The
nonuniform optical transmittance of the coating results in
per-chip variations in the optical sensitivity of each of the
photodiodes.
COATING
PD1 PD2 PD3 PD1 PD2 PD3 PD1 PD2 PD3
offset slope offset slope
generator gen generator gen
offset slope
generator gen
adder adder adder
GL.1 GL.2 GL.n GR.1 GR.2 GR.n
P
RAW
Q BITS
Summation Control Logic
output
control
Stream Cipher
challenge
Conventional PUF
Fig. 3: The analog portion of the light level sensor PUF
includes the coating, the photodiode groups, the switches, the
summing junctions, and the analog comparator. The challenge
applied to the sensor PUF determines the keystream input
to the control circuit, which controls the random selection
of left gate signals GL.i and the right gate signals GR.i,
which determine the set of sensors that are included in the
summations. The left and right sums are compared, producing
one raw bit.
Each of the three identical photodiodes (P D1 , P D2 , and
P D3 ) within a sensor group has its own approximately linear
response function. The slope of the response function is gen-
erated by photodiode P D3 (see Fig. 4b) and slope generator
circuit. The slope is determined by the optical transmittance of
the coating covering the photodiode, along with non-varying
factors (photodiode area, quantum efficiency, etc) and external
factors such as temperature.
The offset of the response function for the group is de-
termined by the optical transmittance from the light source to
photodiodes P D1 and P D2 (see Fig. 4a). The offset generator
produces a DC voltage that is determined by the coating on
the sensor PUF as it independently affects each photodiode
group.
As shown in Fig. 3, the currents from each photodiode group
are brought to two summing junctions where independent
subsets of these currents are added together to produce two
currents, P and Q. These currents are compared to produce
one bit of the raw binary result. The input challenge determines
 3

B. Protocol
−
PD1 PD2
OPAMP1
−
PD3

−
The conventional PUF that is used as a component of the
+ OPAMP3

+ +
sensor PUF must be enrolled before the sensor PUF itself can
− be enrolled. The exact procedure enrolling the conventional
OPAMP2 +
− V_bias

D1 D2
+ PUF depends on what kind of conventional PUF is used. The
design and operation of conventional PUFs is outside the scope
(a) offset generator (b) slope generator of this paper but has been developed by the PUF community
[12].
Fig. 4: a) The offset generator produces a DC voltage that is The enrollment procedure for the sensor PUF consists of
determined by the optical transmittance of the coating at the the following steps for each point along the sensor domain:
sites of photodiodes P D1 and P D2 . b) The slope generator 1) The enrolling party randomly selects (and removes) a
produces a voltage proportional to the light input at photodiode challenge-response pair from the database. The chal-
P3 . lenge is sent to the conventional PUF and the response
is used as a cipher key.
200 300 2) The enrolling party generates a unique random challenge
150
200 and sends it to the sensor PUF.
3) The sensor PUF uses the challenge to initialize the
Output of Summations

100
100
50 measurement logic, generates a vector of raw bits, and
0
0 sends the raw bits back to the enrolling party, encrypted.
−50
−100
4) The enrolling party decrypts the raw response bits and
−100 −200 inserts the challenge-measurement-response triple into
−150 −300 the database.
−100 −50 0 50 100 −100 −50 0 50 100

(a)
Sensor Input
(b) Making a measurement with the sensor PUF has the fol-
200 150
lowing steps.
100
100 1) The querying party sends a challenge to the device. This
50
Output of Summations

Output of Summations

0
−100
−200
−300
−100 −50 0 50
Sensor Input
(c)
Fig. 5: In all four subfigures, the sensor input level is on the
x-axis and the electrical response is on the y-axis. Subfigure
(a) shows eight photodiode group response lines generated by
simulation of the candidate light sensor PUF. The bold line is
the sum of the eight lines. Subfigures (b), (c), and (d) show
pairs of response lines that occur for different values of the
left and right gate signals. Assuming a sensor input value of
10 and assuming that solidline > dashedline is interpreted
as a “1”, evaluating the comparisons for the line pairs shown
in (b), (c), and (d) gives the raw bit sequence “0”, “1”, “0”.
In our simulations, the raw bit sequences are 256 bits long.
which of the sensor groups will be included in the summations
producing P and Q.
0
challenge is used to establish a volatile shared secret key
−50
between the querying party and the sensor PUF.
−100 2) The sensor PUF makes a conventional measurement and
−150 sends the encrypted conventional measurement to the
−200 querying party. This measurement is the claim.
100
−250
−100 −50 0 50 100 3) The querying party randomly selects (and removes) an
Sensor Input
(d) entry in the challenge-measurement-response database
that matches the claimed measurement. The querying
party sends the challenge to the sensor PUF.
4) The sensor PUF initializes the measurement logic using
the challenge, performs n comparisons to generate an
n-bit vector of raw bits, encrypts them, and sends them
to the querying party.
5) The querying party decrypts the raw bits and com-
pares them to the response that is in the challenge-
measurement-response database. If the Hamming dis-
tance is below a threshold, the measurement claim has
been validated.
III. A NALYSIS AND E XPERIMENTAL R ESULTS
In order to throughly develop the analysis of the sensor PUF,
the candidate sensor PUF was studied using:
• SPICE simulations of the analog modules,

The gate signals that control the summations shown in figure • a C program to simulate the statistical operations of the

3 are generated by summation control logic. A conventional sensor PUF,

silicon PUF is used as a component in the architecture, to • analysis according to standard models, and

transform the public challenge into a volatile secret initializa- • discrete implementation of critical analog modules.

tion vector for the stream cipher. The stream cipher generates
a keystream that is used by the summation control logic for A. Assumptions
selecting which gate signals to enable at for each comparison. We assume that the optical coating is a non-homogeneous
The summation control logic shifts the raw response bits from mixture of two epoxy-like materials which attenuate the wave-
the comparator into a shift register. lengths of interest: one material has an optical transmittance
 4

0.012 0.04 0.018

of 0.25, and the other material has an optical transmittance 0.010

0.03
0.016

0.014

of 0.75. Additionally, we assume the transmittances affecting 0.008 0.012

P(cutpoint = x)
P(offset)
0.010

P(ratio)
0.006 0.02
0.008
each of the photodiode are independent and uniformly dis- 0.004 0.006
0.01

tributed along the range {0.25, 0.75}. Lastly, we assume that

0.004
0.002
0.002

0.000 0.00 0.000

the photodiodes that are operated in the reverse-biased mode 0 1 2

ratio
3 4 5 −30 −20 −10 0
offset
10 20 30 −100 −50 0
sensor input value x
50 100

have an approximately linear current-versus-light response. (a) ratio PDF (b) offset PDF (c) cut point PDF

B. Distribution of Cut Points
To evaluate the sensing resolution of the sensor PUF, we
analyze the probability distribution of the cut points in the
sensing domain. The cut points define the intervals in the
sensing domain that can be distinguished by the sensor’s
response. Each cut points is the x-coordinate of the intersection
of the response lines formed by the left and right summations
shown in the previous section and illustrated in figure 5. Since
we have designed each sensor group response function to have
an independent slope and offset, we can statically analyze the
expected crossing points which determine the cut points.
The offset of the voltage-versus-light response of each
Fig. 6: Plot (a) shows the distribution of the offset generator
current ratios observed in simulation. Plot (b) is the density
function of the offset signal of each individual photodiode
group. In plot (c) the green trace shows the probability density
function of the cut points in the sensor input domain, as
observed in simulation. The red trace shows the Cauchy
density function for χ = 0 and γ = 20.
140
120
100

Hamming distance
photodiode group follows from the linearity of photodiodes
80
and the simplified Shockley ideal diode equation.
VD
60
ID = IS e VT (1)
We assume that all of the photodiodes have equal intrinsic 40

response, and the differences in their actual response are

20
caused purely by the differences in their coatings. Using this,
we can calculate the offset voltage as follows: 0
−30 −20 −10 0 10 20 30
sensor input
ci,1
IP Di,1 = IP Di,2 (2)
ci,2 Fig. 7: Hamming distance for five statistically independent
VD = VT (ln ID − ln IS ) (3) instances of the candidate sensor PUF
   
ci,1
VDi,1 = VT ln IP Di,2 − ln IS (4)
ci,2
  where Bb is the offset of line B, Ab is the offset of line
ci,1
VDi,1 = VT ln + ln IP Di,2 − ln IS (5) A, Am is the slope of line A, and Bm is the slope of line B.
ci,2 The numerator is the difference of two independent random


VDi,2 = VT ln IP Di,2 − ln IS (6) variables and the PDF is given by the cross-correlation of their
ci,1 density functions. The same applies to the denominator.
VDi,1 − VDi,2 = VT ln (7)
ci,2 Since we approximate the slopes and offsets of the sum
where IP Di,1 is the current in photodiode 1 in photodiode lines as Gaussian, the numerator and denominator are also
group i. Gaussian. Simulation results support the zero-mean Gaussian
The slopes of the response function are simply proportional model for these variables. The cut points are the ratio of
to ci,3 , the optical transmittance of the coating affecting these zero mean Gaussian variables, and the resulting ratio
photodiode 3 in photodiode group i. distribution is Cauchy. This result is further supported by the
The offset generator takes two uniform random variables simulation results, as shown in figure 6c.
and calculates their ratio. This results in a uniform ratio
distribution, as shown in figure 6a. The natural log of the ratio
distribution produces the distribution shown in figure 6b. C. Hamming Distance
The sum lines are the sum of logs of uniform ratio distribu- To evaluate whether the raw response of the sensor PUF is
tions. Since these distributions have finite mean and variance, brittle with respect to changes in the input, we simulated the
we can invoke the central limit theorem to infer that the raw sensor response. For several randomly chosen challenges
resulting distribution is approximately Gaussian. and randomly generated instances of the candidate sensor PUF,
To determine the cut point, we considered the random we selected a reference sensor input value and measured the
variable that represents the x-coordinate of intersection of the Hamming distance between the raw response for the reference
two sum lines that are selected by the challenge. The cut point input and the raw response for sensor input values in the
in the sensor input domain is at: neighborhood of the reference value.
Bb − Ab In figure 7, the Hamming distance is shown for five sta-
cut = (8) tistically independent instances of the candidate sensor PUF
Am − Bm

design. The raw bit vectors are 256 bits in length. A reference
bit vector is taken for arbitrary reference sensor input values
-10, 0, and 10 using a reference challenge. While continuing
to apply the reference challenge, the sensor input value is then
swept from -30 to 30, in steps of 1, while the resulting raw
output bits are compared with the raw output bits produced for
each of the reference sensor inputs. From the figure, we see
that the candidate sensor PUF’s raw response is not brittle with
respect to the sensor input. For a given challenge, measuring
a set of close physical quantities will generate a set of raw bit
responses that are close in code space. This makes it suitable
for error correction using a linear code. However, it also means
that the raw bit responses leak information. If a challenge is
repeated (which should never happen in practice), an attacker
can infer from the raw bit responses whether the sensor inputs
are close or far. From a practical standpoint, this problem is
addressed by encrypting the response that is sent back to the
querying party.
Figures 6c and 7 define the range and sensitivity of the sen-
sor PUF with respect to the physical quantity being measured.
The Cauchy PDF of the cut points peaks at the origin and
falls to half of its peak value at x = 20. The cut point density
determines the sensitivity (slope) of the Hamming distance to
differences in physical input value. From a design standpoint,
the gains of the offset generator and slope generator circuits
can be tuned to widen or narrow the cut point PDF, which
in turn widens or narrows the range of the sensor. Outside
the useful range of physical quantity values, the raw response
saturates, converging to a fixed pattern for a given challenge.
D. Verification of Offset Generator
The simulations of the behavior of the candidate light sensor
PUF assume that the offset generator produces a voltage that
is independent of the sensor input. If the offset generator’s
output is affected by the sensor input, the response will be
nonlinear. Linearity is not a requirement for the light sensor
PUF to function, but the assumption does simplify analysis.
We validated the independence assumption with SPICE sim-
ulation and with experimental data in the lab using discrete
optoelectronic components, shown in figures 8a and 8b.
IV. D ISCUSSION
Sensor modules are often deployed in the field, outside the
trust perimeter of those who are deploying them. They are sub-
ject to tampering. A motivated attacker can disassemble, break,
or modify any part of a sensor module. The attacker can also
attempt to substitute an inauthentic sensor. These attacks will
be much more difficult to execute against a sensor PUF than
a conventional sensor. The most straightforward tampering
attack is to decouple the sensing from the challenge-response
calculation. For example, if the calculation is performed by
a microcontroller with an analog input and the sensor has an
analog output connected to the microcontroller, that analog
voltage is vulnerable to tampering.
5
100 100
80 80
offset voltage (mV)
offset voltage (mV)
60 60
40 40
20 20
0 0
10−4 10−3 10−2 10−1 10−4 10−3 10−2 10−1
LED drive current (A) LED drive current (A)
(a) (b)
Fig. 8: The offset generator circuit shown in figure 4a was
constructed and tested using light from an LED driven by a
variable current source. The offset voltage is plotted across the
range of currents for three different relative transmittances. We
see ±2.5% variation over the range.
A. Substitution
The resistance of a sensor PUF to being substituted by an
inauthentic sensor comes from two things. First, the attacker
needs to defeat the conventional PUF within the sensor PUF
architecture. Without defeating that, the attacker is unable to
establish a shared crypto key. Second, without knowledge of
the slopes and offsets of the sensor responses, it is impossible
for the attacker to know what response corresponds to a par-
ticular physical quantity and a challenge sent by the querying
party.
B. Tampering
The main objective of the sensor PUF is to defend against
the low-budget attack of tampering with the analog signal
that goes from the sensing element to the microprocessor. In
the candidate light sensor PUF, tampering with the analog
signal is not a low-budget attack. The attacker could probe
the on-chip signals while sweeping the physical quantity with
the goal of learning the slopes and offsets of each of the
photodiode groups. This would have to be done without
disturbing the optical coating. This could only be done in a
properly-equipped lab by skillful staff. The candidate sensor
PUF thus significantly raises the cost of a tampering attack.
There is a tradeoff between tamper resistance and robustness
of operation. Assuming that protocol outlined in subsection
II-B is followed, a threshold is applied to the Hamming dis-
tance between the enrolled response and the response produced
when the sensor has been deployed. Beyond this threshold, the
sensor’s response will be rejected. To an extent, the threshold
can minimized by extracting more challenge-response-pairs
during enrollment so the distance between the claim and the
enrolled measurement is small, thus minimizing the expected
distance of the raw responses. Even without constraints on the
duration of the enrollment process or the size of the database,
physical variation puts a practical lower bound on the threshold
that can be used for reliable results. If the threshold is too
high, the attacker can perform a less accurate and therefore
cheaper extraction of the sensor’s physical unique features,
thus weakening the security of device. The optimal threshold
balances these concerns.

C. Manufacturer Resistance
Many sensors are high-volume, low-cost items and are
subject to the risks of outsourced fabrication and assembly
[13]. If there are significant monetary or strategic incentives
for breaking the security of the system, and not too much risk,
then a rational model of human behavior predicts that such an
attempt will be made. The issue of manufacturer resistance
is not absolute. It has gradations of strength in the context
of conventional PUFs and the same applies to sensor PUFs.
Since the application of the optical coating is a security-critical
procedure, it can be delayed until after the chips are delivered
from the foundry, assuming they are not packaged. This
somewhat reduces the risk of the manufacturer predetermining
the responses instead of faithfully executing the design that
produces random a challenge-response function. Nevertheless,
a determined adversary with control over the mask and chip
fabrication can manipulate the behavior of conventional silicon
PUFs, sensor PUFs, and practically any other IC.
D. Sensor Decoupling
Sensor decoupling means that the entire sensor unit is
separated from the physical quantity it is intended to measure.
For example, a thermometer can be placed inside an insulated
box, causing it to report the temperature inside the box instead
of the ambient temperature. This threat depends on what is
being sensed and how the sensor is deployed. This important
problem is unfortunately outside the scope of the assurances
provided by a sensor PUF.
V. F UTURE W ORK
The sensor PUF is a promising mechanism for securing
remote sensors. The effects of temperature are very important
for conventional PUFs and sensor PUFs as well [14]. We are
currently evaluating temperature effects in the candidate sensor
PUF design.
The candidate design uses a conventional PUF for commu-
nication security. This allows the raw bits from the comparator
to be sent back to the querying party, which in turn allows
fuzzy matching to be performed by the querying party. Error
correction is well established for conventional PUFs [15], and
can be applied to sensor PUFs as well. If error correction
coding is applied in the sensor PUF to obtain a precisely
repeatable response across time and environmental conditions,
the sensor PUF would obtain interesting capabilities. For
example, a message could be encoded so that the sensor
PUF can decrypt it only under bright light, or only in the
dark, or, for an alcohol sensor PUF, only when the alcohol
concentration is in a certain range.
Delay-arbiter PUFs have been used to sense the dielectric
coefficient and position of materials that are in close proximity
to the silicon die containing the PUF [6]. With a suitable
coating, this effect could be the basis for a strain gauge or
load cell sensor PUF.
The raw response bits generated by the comparator leak
information about what the raw response will be for other
physical quantities with the same challenge. In our candidate
design, we encrypt the output to prevent an attacker from
6
exploiting this leakage. It would be better if the sensor PUF
had this property as an integral part of the basic challenge-
measurement-response functionality. How to achieve this is
an open problem.
R EFERENCES
[1] B. Schoeneman and S. Blankenau, “Secure sensor slatform (SSP) for
materials’ sealing and monitoring applications,” Proceedings of Inter-
national Carnahan Conference On Security Technology, pp. 29 – 32,
Oct. 2005.
[2] F. Bagci, T. Ungerer, and N. Bagherzadeh, “SecSens - Security ar-
chitecture for wireless sensor networks,” Proceedings of International
Conference on Sensor Technologies and Applications, pp. 449 –454,
Jun. 2009.
[3] G. Suh and S. Devadas, “Physical unclonable functions for device
authentication and secret key generation,” Proceedings of ACM/IEEE
Design Automation Conference, pp. 9 –14, Jun. 2007.
[4] J. Guajardo, S. S. Kumar, G. J. Schrijen, and P. Tuyls, “FPGA intrinsic
PUFs and their use for IP protection,” in CHES, 2007, pp. 63–80.
[5] D. Roy, J. Klootwijk, N. Verhaegh, H. Roosen, and R. Wolters, “Comb
capacitor structures for on-chip physical uncloneable function,” IEEE
Transactions on Semiconductor Manufacturing, vol. 22, no. 1, pp. 96–
102, Feb. 2009.
[6] P. Tuyls, G. J. Schrijen, B. Skoric, J. van Geloven, N. Verhaegh, and
R. Wolters, “Read-proof hardware from protective coatings,” in CHES,
2006, pp. 369–383.
[7] V. Vivekraja and L. Nazhandali, “Circuit-level techniques for reliable
physically uncloneable functions,” IEEE International Workshop on
Hardware-Oriented Security and Trust, pp. 30–35, Jul. 2009.
[8] E. Diehl and T. Furon, “Copy watermark: closing the analog hole,” Pro-
ceedings of IEEE International Conference on Consumer Electronics,
pp. 52 – 53, Jun. 2003.
[9] J. Lukas, J. Fridrich, and M. Goljan, “Digital camera identification from
sensor pattern noise,” IEEE Transactions on Information Forensics and
Security, vol. 1, no. 2, pp. 205 – 214, Jun. 2006.
[10] B. Gassend, D. Clarke, M. van Dijk, and S. Devadas, “Controlled phys-
ical random functions,” Proceedings of Computer Security Applications
Conference, pp. 149 – 160, 2002.
[11] R. Pappu, “Physical one-way functions,” Massachusetts Institute of
Technology, Tech. Rep., 2001.
[12] G. Suh and S. Devadas, “Physical unclonable functions for device
authentication and secret key generation,” Proceedings of IEEE/ACM
Design Automation Conference, pp. 9–14, June 2007.
[13] D. Agrawal, S. Baktir, D. Karakoyunlu, P. Rohatgi, and B. Sunar, “Trojan
detection using IC fingerprinting,” Proceedings of IEEE Symposium on
Security and Privacy, pp. 296–310, May 2007.
[14] G. Qu and C.-E. Yin, “Temperature-aware cooperative ring oscillator
PUF,” Proceedings of IEEE International Workshop on Hardware-
Oriented Security and Trust, pp. 36–42, July 2009.
[15] M.-D. Yu and S. Devadas, “Secure and robust error correction for
physical unclonable functions,” IEEE Design Test of Computers, vol. 27,
no. 1, pp. 48–65, Jan.-Feb. 2010.