Multilayer Perceptron Attack
Multilayer Perceptron (MLP) was first used by Alkatheiri and Zhuang [AZ17] to model Feed-Forward Arbiter PUFs. In follow-up work, Aseeri et al. [AZA18] launched MLP-based modeling attacks against XOR Arbiter PUFs. Thereafter, Mursi et al. [MTZAA20] and Wisiol et al. [WMSZ21] modified the network and parameters used by Aseeri et al. to reduce data complexity of the attack.
pypuf contains two closely related MLP-based modeling attacks. The state-of-the-art attack by Wisiol et al. [WMSZ21] and a re-implementation of the attack by Aseeri et al. [AZA18] using tensorflow/Keras.
Example Usage [WMSZ21]
To run the attack, CRP data of the PUF token under attack is required. Such data can be obtained through experiments on real hardware, or using a simulation. In this example, we use the pypuf XOR Arbiter PUF simulator:
>>> import pypuf.simulation, pypuf.io
>>> puf = pypuf.simulation.XORArbiterPUF(n=64, k=5, seed=1)
>>> crps = pypuf.io.ChallengeResponseSet.from_simulation(puf, N=500000, seed=2)
To run the attack, we configure the attack object with the challenge response data and attack parameters. The parameters
need careful adjustment for each choice of security parameters in the PUF. Then the attack is run using the
pypuf.attack.MLPAttack2021.fit() method.
>>> import pypuf.attack
>>> attack = pypuf.attack.MLPAttack2021(
... crps, seed=3, net=[2 ** 4, 2 ** 5, 2 ** 4],
... epochs=30, lr=.001, bs=1000, early_stop=.08
... )
>>> attack.fit()
Epoch 1/30
...
495/495 [==============================] - ... - loss: 0.0... - accuracy: 0.9... - val_loss: 0.0670 - val_accuracy: 0.9750
<pypuf.attack.mlp2021.MLPAttack2021.Model object at 0x...>
>>> model = attack.model
The model accuracy can be measured using the pypuf accuracy metric pypuf.metrics.accuracy().
>>> import pypuf.metrics
>>> pypuf.metrics.similarity(puf, model, seed=4)
array([0.97])
Example Usage [AZA18]
The implementation of the modeling attack by Aseeri et al. [AZA18] in pypuf is very similar to the version by Wisiol et al. [WMSZ21] given above, with notable differences in the parameter settings given to the attack, in the memory management, and framework used. While the attack by Aseeri et al. uses scikit learn, pypuf’s implementation is Keras-based. To run the original attack using pypuf, use the network size as defined by Aseeri et al., i.e. \((2^k, 2^k, 2^k)\), and set the activation function of the hidden layers to ReLU. pypuf does not support the memory management introduced by Aseeri et al.
>>> puf = pypuf.simulation.XORArbiterPUF(n=64, k=5, seed=1)
>>> crps = pypuf.io.ChallengeResponseSet.from_simulation(puf, N=800000, seed=2)
>>> attack = pypuf.attack.MLPAttack2021(
... crps, seed=3, net=[2 ** 5, 2 ** 5, 2 ** 5],
... epochs=30, lr=.001, bs=1000, early_stop=.08,
... activation_hl='relu',
... )
>>> model = attack.fit()
Epoch 1/30
...
>>> pypuf.metrics.similarity(puf, model, seed=4)[0] > .9
True
Note that this is only an approximation of the original work of Aseeri et al., further differences may exist.
Applicability [WMSZ21]
The attack is noise-resilient and successfully models XOR Arbiter PUFs even if the available training data has response (label) noise [WMSZ21].
This implementation is also suitable to conduct the splitting attack [WMPN19] on the Interpose PUF [WMSZ21].
API
- class pypuf.attack.MLPAttack2021(crps: ChallengeResponseSet, seed: int, net: List[int], epochs: int, lr: float, bs: int, early_stop: float, patience: int | None = None, activation_hl: str = 'tanh')
Multilayer-Perceptron modeling attack for XOR Arbiter PUFs.
Inspired by the works of Alkatheiri and Zhuang [AZ17] and Aseeri et al. [AZA18], introduced by Mursi et al. [MTZAA20] and Wisiol et al. [WMSZ21].
- __init__(crps: ChallengeResponseSet, seed: int, net: List[int], epochs: int, lr: float, bs: int, early_stop: float, patience: int | None = None, activation_hl: str = 'tanh') None
Initialize the Multilayer Perceptron modeling attack, using the parameters given.
Note that the complexity of the attack depends crucially on the parameters defined here. The attack by Aseeri et al. [AZA18] uses a network size of \((2^k, 2^k, 2^k)\) to model \(k\)-XOR Arbiter PUFs and the ReLU activation function. An advancement of this attack [WMSZ21] uses \((2^{k-1}, 2^k, 2^{k-1})\) and the tanh activation function to model the same with far less required challenge-response data.
- Parameters:
crps (
pypuf.io.ChallengeResponseSet) – Challenge-response data observed from the PUF under attack. 99% of CRP data will be used as training data, 1% will be used as validation set.seed (
int) – Random seed for model initialization. Success of the attack may depend on the seed, in particular when little challenge-response data is used.net (
List[int]) – Hidden-layer sizes for the multilayer perceptron. Note that the layers are all dense, i.e. fully connected.epochs (
int) – Maximum number of epochs performed.lr (
float) – Learning rate of the Adam optimizer used for optimization.bs (
int) – Number of training examples that are processed together. Larger block size benefits from higher confidence of gradient direction and better computational performance, smaller block size benefits from earlier feedback of the weight adoption on following training steps.early_stop (
float) – Training will stop when validation loss is below this threshold.patience (
Optional[int]) – Training will stop when validation loss did not improve for the given number of epochs. Counter is not reset after validation improved in one epoch.activation_hl (
str) – Activation function used on the hidden layers.
- fit() Model
Using tensorflow, runs the attack as configured and returns the obtained model.
Note
Tensorflow will write to stdout.
Todo
Currently, a copy of the challenges is created to compute the features for learning. This essentially doubles memory consumption. If the challenges can be overwritten, this can be performed in-situ to reduce memory footprint of the attack.
- Returns:
Model of the XOR Arbiter PUF under attack.
- property history: dict | None
After
fit()was called, returns a dictionary that contains information about the training process. The dictionary contains lists of length corresponding to the number of executed epochs:lossthe training loss,val_lossthe validation loss,accuracythe training accuracy, andval_accuracythe validation accuracy.
- property model: Simulation | None
The model that was obtained running the
fit()method,Noneiffit()was not run yet.
Performance [WMSZ21]
The pypuf implementation is tested using tensorflow 2.4 on Intel Xeon E5-2630 v4 attacking \(n\)-bit \(k\)-XOR Arbiter PUFs. Memory recorded here may be higher than actually needed by the most recent version of the attack.
reliability |
n |
k |
CRPs |
success rate |
duration |
cores |
memory |
|---|---|---|---|---|---|---|---|
1.00 |
64 |
4 |
150k |
10/10 |
<1 min |
40 |
1 GiB |
1.00 |
64 |
5 |
200k |
10/10 |
<1 min |
20 |
3 GiB |
1.00 |
64 |
6 |
2M |
10/10 |
<1 min |
40 |
2 GiB |
1.00 |
64 |
7 |
4M |
10/10 |
<1 min |
40 |
3 GiB |
1.00 |
64 |
8 |
6M |
7/10 |
13 min |
4 |
|
1.00 |
64 |
9 |
45M |
10/10 |
16 min |
40 |
14 GiB |
1.00 |
64 |
10 |
119M |
7/10 |
291 min |
40 |
41 GiB |
1.00 |
64 |
11 |
325M |
10/10 |
1898 min |
40 |
104 GiB |
1.00 |
128 |
4 |
1M |
9/9 |
<1 min |
40 |
1 GiB |
1.00 |
128 |
5 |
1M |
10/10 |
<1 min |
40 |
2 GiB |
1.00 |
128 |
6 |
10M |
9/10 |
<1 min |
20 |
5 GiB |
1.00 |
128 |
7 |
30M |
10/10 |
2 min |
20 |
20 GiB |
1.00 |
256 |
4 |
6M |
10/10 |
1 min |
40 |
6 GiB |
1.00 |
256 |
5 |
10M |
10/10 |
3 min |
40 |
11 GiB |
1.00 |
256 |
6 |
30M |
0/8 |
– |
40 |
33 GiB |
1.00 |
256 |
7 |
100M |
1/10 |
8 min |
40 |
98 GiB |
0.85 |
64 |
4 |
180k |
9/10 |
<1 min |
4 |
<1 GiB |
0.85 |
64 |
5 |
150k |
10/10 |
<1 min |
4 |
<1 GiB |
0.85 |
64 |
6 |
2M |
10/10 |
<1 min |
4 |
1 GiB |
0.85 |
64 |
7 |
4M |
9/9 |
3 min |
4 |
2 GiB |