# Post Quantum Cryptographic Keys Generated with Physical Unclonable Functions

^{*}

## Abstract

**:**

## Featured Application

**Using physical unclonable functions (PUFs), in support of networks secured with a public key infrastructure, to generate, on demand, the key pairs needed for lattice and code PQC algorithms.**

## Abstract

## 1. Introduction

**[Section 2]:**The lattice and code-based cryptographic algorithms under consideration for standardization by NIST are presented. These algorithms are well documented, and the software stack written in C can be downloaded for IoT implementation. The schemes are based on the generation of random numbers, and the computation of public–private key pairs. The digital signature algorithms (DSA), and key encapsulation mechanisms (KEM) are not more complex to implement with PQC than with the existing asymmetrical cryptographic schemes.

**[Section 3]:**We present some of the challenges associated with the use of PUF technology to secure PKI architectures. The proposed methods are based on existing cryptographic schemes, and commercially available PUFs. We present how the response based cryptographic (RBC) scheme can overcome the bit error rates (BER) that occur when keys are generated from physical elements. Finally, we present some hardware considerations in the implementation of PQC for PKI.

**[Section 4]:**In this section, we propose schemes that use PUFs to generate the public–private key pairs for lattice and code-based cryptography. We show how the combination of random number generators, combined with the streams generated by the PUF can generate key pairs with relatively low error rates. We show how the error in these streams can be corrected using a search engine.

**[Section 5]:**Finally, in the implementation and experimental section, we compare cryptographic schemes and algorithms. We analyze the experimental results comparing the efficiency of RBC operating with various PQC schemes, ECC, and advanced encryption standard (AES). As expected, asymmetrical schemes are slower than AES; however, the performance of the selected PQC algorithms is encouraging for the implementation of PUF-based architecture, using the RBC to handle the expected BER.

## 2. Lattice and Code-Based Post Quantum Cryptography

#### 2.1. Learning with Error Cryptography

**t**, and matrix

**A**with

**t**=

**A**.

**s**cannot hide the vector

_{1}**s**; however, the addition of a “small” vector of error

_{1}**s**with

_{2}**t**=

**A**.

**s**+

_{1}**s**, makes it hard to distinguish the vectors

_{2}**s**and

_{1}**s**from

_{2}**t**. The vector

**s**needs to be small enough for the encryption/decryption cycles, but large enough to prevent a third party from uncovering the private key (

_{2}**s**;

_{1}**s**) from the public information (

_{2}**t**;

**A**). The public–private cryptographic key pair generation for client device i can be based on polynomial computations in a lattice ring, and is described in Figure 1:

- The generation of a first data stream called seed
**a**that is used for the key generation; in the case of LWE, the seed_{(i)}**a**is shared openly in the network._{(i)} - The generation of a second data stream called seed
**b**that is used to compute a second data stream for the private key_{(i)}**Sk**; the seed_{(i)}**b**is kept secret._{(i)} - The public key
**Pk**is computed from both data streams and is openly shared._{(i)} - The matrix
**A**is generated from seed_{(i)}**a**._{(i)} - The two vectors
**s**and_{1(i)}**s**are generated from seed_{2(i)}**b**._{(i)} - The vector
**t**is computed:_{(i)}**t**←_{(i)}**A**+_{(i)}s_{1(i)}**s**._{2(i)} - Both seed
**a**and_{(i)}**t**become the public key_{(i)}**Pk**._{(i)} - Both
**s**and_{1(i)}**s**become the private key_{2(i)}**Sk**._{(i)}

- Generate a masking vector of polynomials
**y**. - Compute vector
**A**.**y**and set**w**to be the high-order bits of the coefficients in this vector._{1} - Create the challenge
**c**, as the hash of the message and**w**._{1} - Compute intermediate signature
**z**=**y**+**c**.**s**._{1} - Set parameter
**β**to be the maximum coefficient of**c**.**s**._{1} - If any coefficient of
**z**is larger than**γ**−_{1}**β**, then reject and restart at step 1. - If any coefficient of the low-order bits of
**A**.**z**–**c**.**t**is greater than**γ**−_{2}**β**, then reject and restart at step 1.

**γ**, and

_{1}, γ_{2}**β**are set such that the expected number of repetitions is between 4 and 7.

**w**to be the high-order bits of

_{1}’**A**.

**z**–

**c**.

**t**and accept if all coefficients of

**z**are less than

**γ**–

_{1}**β**and if

**c**is the hash of the message and

**w**.

_{1}’- The public and private keys of both parties are constructed as described in Figure 1.
- Person A sends Person B their public key.
- Person B randomly generates a symmetric key and encapsulates it in a ciphertext with the public key of person A.
- Person B sends the ciphertext to person A.
- Person A decapsulates the ciphertext with their private key.
- Both parties now have the symmetric key in their possession.

#### 2.2. Learning with Rounding Cryptography

- Similar to LWE, seed
**a**is used to generate matrix_{(i)}**A**._{(i)} - Seed
**b**is used to generate vector_{(i)}**s**._{(i)} - The vector t
_{(i)}is computed: t_{(i)}← A_{(i)}. s_{(i)}+ h_{(i)}. - Both seed
**a**and_{(i)}**t**become the public key_{(i)}**Pk**._{(i)} **s**becomes the private key_{(i)}**Sk**._{(i)}

- The seed
**a**and_{(i)}**t**is extracted from public key to encrypt the message_{(i)}**m.** - Matrix
**A**and vector_{(i)}**s’**are generated._{(i)} - The vector
**t’**is computed by rounding the product of_{(i)}**A**:_{(i)}. s’_{(i)}**t’**._{(i)}← A’_{(i)}. s’_{(i)}+ h_{(i)} - Polynomial
**v’**is calculated as:_{(i)}**v’**_{(i)}= t_{(i)}. s’_{(i)}. **v’**is used to encrypt the message_{(i)}**m**which denoted as**c**_{m.}- Ciphertext consists of
**c**and_{m}**t’**_{(i).}

- v
_{(i)}is calculated as: v_{(i)}= t’_{(i)}. s_{(i)}. - The message m’ is decrypted by reversing computations with v
_{(i)}and c_{m}.

- Saber PKE key generation is used to return seed
**a**,_{(i)}**t**and_{(i)}**s**_{(i)}. - Both seed
**a**and_{(i)}**t**become the Saber KEM public key_{(i)}**Pk**._{(i)} - The hashed public key
**Pkh**is generated using SHA3-256._{(i)} - Parameter
**z**is randomly sampled. **z, Pkh**and_{(i)}**s**become the Saber KEM secret key._{(i)}

- Message
**m**and public key**Pk**are hashed using SHA3-256._{(i)} - Saber PKE encryption is used to generate ciphertext.
- Hash of the
**Pk**and ciphertext are concatenated, then hashed to encapsulate the key._{(i)}

- Message
**m’**is decrypted by using Saber PKE Decryption. - The decrypted message
**m’**and hashed public key**Pkh**are hashed to generate K’._{(i)} - Ciphertext
**c’**is generated from saber PKE Encryption for message_{m}**m’.** - If c
_{m}= c’_{m}then the K = Hash(K’,c), if not, K = Hash(z,c).

#### 2.3. NTRU Cryptography

**Nth**degree of TRUncated polynomial ring) arithmetic, are also based on lattice cryptography. The parameters of the scheme include a large prime number N, a large number

**q**and a small number

**p**that are both used for modulo arithmetic. Two numbers

**df**and

**dg**are used to truncate the polynomials

**f**and

_{(i)}**g**. The key generation cycle for client device (i), as shown in Figure 2, is the following:

_{(i)}- Generation of the two truncated polynomials
**f**and_{(i)}**g**from seed_{(i)}**a**and seed_{(i)}**b**._{(i)} - Computation of
**Fq**, which is the inverse of polynomial_{(i)}**f**modulo_{(i)}**q**. - Computation of
**Fp**, which is the inverse of polynomial_{(i)}**f**modulo_{(i)}**p**. - Computation of polynomial
**h**:_{(i)}**h**← p._{(i)}**Fq**._{(i)}**g**._{(i)} - The private key
**Sk**is {_{(i)}**f**;_{(i)}**Fp**}._{(i)} - The public key
**Pk**is_{(i)}**h**._{(i)}

**f**and

_{(i)}**g**are not always usable, they are subject to some pre-conditions such as invertible modulo

_{(i)}**p**and

**q**. The client device needs to try several possible random numbers, and select the ones giving acceptable private keys. Once sufficient public and private keys are available, the encryption of the plaintext message

**m**,

**m**∈ {−1, 0, 1}

^{N}is done by finding the random polynomial

**r**,

**r**∈ {−1, 0, 1}

^{N}, which uses a corresponding parameter

**d**, and calculating the ciphertext with the equation

_{r}**e**≡

**r**.

**h + m**(mod

**q**). To retrieve

**m**from

**e**, we first calculate

**a**≡

**f**.

**e**(mod

**q**) and lift the coefficients of

**a**to be between ±𝑞/2. Then,

**a**(mod

**p**) is equal to m. [23].

**H**. Using the short basis, a user signs by finding the closest vector

**v**to

**c**. The signature is (salt,

**s**=

**c**–

**v**), verified by checking if

**s**is short and

**H**(msg ǁ salt) − s is a point on the lattice (verified using the long basis [24]).

#### 2.4. Code-Based Cryptography

**GF(2**. The parameters are an irreducible polynomial of degree

^{m})**t**, field exponent

**m**, and code length

**n**. The resulting code has error-correction capability of

**t**errors, the information-containing part of the code word has a size of

**k**=

**n − m × t**and has generator matrix

**G**with a size of

**k × n**[14,15].

- Seed
**a**is used to create a random invertible binary_{(i)}**k × k**scrambling matrix**S**._{(i)} - Seed
**b**is used to create a random_{(i)}**n × n**permutation matrix**P**._{(i)} - The public key
**Pk**=_{(i)}**Ĝ**_{(i)}is computed with the generator matrix**G**:**Ĝ**_{(i)}←**S**._{(i)}**G**.**P**_{(i)} - The private key
**Sk**is {_{(i)}**G**;**S**_{(i)}^{−1},**P**_{(i)}^{−}.^{1}}

**G**, an irreducible polynomial of degree

**t**, the field exponent

**m**, and the code length

**n**, the encryption process involves the following steps:

- Create the public key,
**Ĝ**_{(i)}as described above. - Multiply the message
**m**by**Ĝ**_{(i)}**,**creating the ciphertext message $\widehat{m}$. - Add a random error vector
**e**of Hamming weight**t**to $\widehat{m}$ to obtain the ciphertext**c.**

**c**, a decoding algorithm, and the private key {

**G**;

**S**

**, decryption involves the following steps:**

_{(i)}^{−1}, P_{(i)}^{−1}}- Compute ĉ = c
**P**._{(i)}^{−1} - Use the decoding algorithm to correct the errors to obtain $\widehat{m}$.
- Obtain the original message by computing
**m**= $\widehat{m}$.**S**._{(i)}^{−1}

**Input:**Syndrome polynomial s, Goppa polynomial g of degree t

**Patterson (s, g):**

**t**=**s**^{−1}mod**g**.- $t=\sqrt{t+x}$.
- Find polynomials a, b such that
**b**.**t**≡ mod**g**with deg(a) ≤ |**t**/2| and deg(b) ≤ |(**t**-1)/2| using the extended Euclidean algorithm. - Calculate and return the error locator polynomial,
**e**=**a**^{2}+**x**.**b**^{2}.

**Input**: Polynomial to factor p, trace polynomial t, basis index i

**Berlekamp Trace (p, t, i):**

- if deg(p) ≤ 1
- return the root of p.
- p
_{0}= gcd(p, t(B_{i}. x)). - p
_{1}= gcd(p, 1 + t(B_{i}. x)).

_{0}, i + 1), berlekampTrace (p

_{1}, i + 1).

## 3. Public Key Infrastructure

#### 3.1. Public-Private Key Pairs

**Pk**

_{(2)}of Client 2 encapsulates the shared secret key of Client 1, that can only be viewed by the client (2), thanks to their private key

**Sk**

_{(2)}that reverses the encapsulation. Client 1 uses their private key

**Sk**

_{(1)}to digitally sign a message that is verified with the public key

**Pk**

_{(1)}, providing non-alteration and non-repudiation in the transaction. The trust and integrity of such an architecture relies on the following:

- The secure generation and distribution of the public–private key pairs to the client devices that are participating in the PKI.
- The identification of the client devices, and trust in their public keys.
- The sharing of the public keys among participants.

#### 3.2. PKI with Network of PUFs

^{256}and it would be nearly impossible to authenticate a user in a fixed time without the use of parallel computing. High-performance computing HPC and graphics processing unit (GPU) technologies are valuable to enhance the ability of the CA to validate the public key generated by the client devices. For instance, graphics processing units (GPUs) can be employed to parallelize and accelerate the authentication process. By using a GPU, the server can search over multiple keys in parallel.

#### 3.3. Implementation of PQC Algorithms for PKI

_{q}[X]/(X

_{n}+1), and matrix/vector expansion via an extendable output function (XOF). Therefore, any attempt to optimize Dilithium should target these operations. We describe below the literature that focuses on such optimizations.

## 4. PUF-Based Key Distribution for PQC

#### 4.1. PUF-Based Key Distribution for LWE Lattice Cryptography

**a**, which is public information. However, Seed k that is needed for the generation of the private key

_{(i)}**Sk**

_{(i)}is generated from the PUF. The outline of a protocol generating a key pair for LWE cryptography is the following:

- The CA uses a random numbers generator and hash function to be able to point at a set of addresses in the image of the PUF-i.
- From these addresses, a stream of bits called Seed K’ is generated by the CA.
- The CA communicates to the Client (i), through a handshake, the instructions needed to find the same set of addresses in the PUF.
- Client (i) uses the PUF to generate the stream of bits called Seed K. The two data streams Seed K and Seed K’ are similar, however slightly differ from each other due to natural physical variations and drifts occurring in the PUFs.
- [If needed, Client (i) applies error correcting codes to reduce the difference between Seed K and Seed K’; the corrected, or partially corrected, data stream is used to generate the vectors
**s**and_{1(i)}**s**]_{2(i)} - Client (i) independently uses a random numbers generator (a) to generate a second data stream Seed
**a**, which is used for the computation of the matrix_{(i)}**A**._{(i)} - The vector t
_{(i)}is computed:**t**←_{(i)}**A**+_{(i)}s_{1(i)}**s**._{2(i)} - The private key
**Sk**is {_{(i)}**s**;_{(1(i)}**s**}._{2(i)} - The public key
**Pk**is {_{(i)}**a**;_{(i)}**t**}._{(i)} - Client (i) communicates to the CA, through the network, the public key
**Pk**;_{(i)} - The CA uses a search engine to verify that
**Pk**is correct. The search engine initiates the validation by generating a public key from Seed a_{(i)}_{(i)}and Seed K’ with lattice cryptography codes. If the resulting public key is not**Pk**, an iteration process gradually injects errors into Seed K’ and computes the corresponding public keys. The search converges when a match in the resulting public key is found, or when the CA concludes that the public key should be bad._{(i)} - If the validation is positive, the public key
**Pk**is posted online by the RA._{(i)}

#### 4.2. PKI Architecture with PUF-Based Key Distribution and LWE

**a**, while the PUFs and their images are used for the independent generation of the vectors

_{(i)}**s**and

_{1(i)}**s**. The role of the CA is to check the validity of the vectors

_{2(i)}**t**, and to transmit both the seeds

_{(i)}**a**the vectors

_{(i)}**t**to the RA, which maintain a ledger with valid public keys. Such an architecture is secured assuming the following conditions:

_{(i)}- The enrollment process in which the PUFs are characterized to generate their image is accurate and not compromised by the opponent.
- The database stored in the CA that contains the image of the PUFs for the i client devices is protected from external and internal attacks.
- The PUFs embedded in each client device are reliable, unclonable, and tamper resistant.
- The key generation process, KEM, and DSA are protected from side channel analysis.

#### 4.3. PUF-Based Key Distribution for LWR Lattice Cryptography

_{1(i)}, while a constant vector h

_{(i)}can be generated independently. The public vector t

_{(i)}is computed in a similar way: t

_{(i)}← A

_{(i)}. s

_{1(i)}+ h

_{(i)}.

#### 4.4. PUF-Based Key Distribution for NTRU Lattice Cryptography

**K**, to compute both the public key

**Pk**, and the private key

_{(i)}**Sk**. In our implementation, Seed

_{(i)}**K**feeds the hash functions SHA-3, and SHAKE, to generate a long stream of bits, then compute the two polynomials

**f**and

_{(i)}**g**.

_{(i)}**f**and

_{(i)}**g**are not always usable due to pre-conditions, therefore a scheme to try several possible ways of addressing the PUF has to be developed. One way is to implement a deterministic method that is known by both the client device and the CA, which can have a negative impact on the latencies. We preferred the solution driven by the client device that asks the CA to initiate new handshakes. The summary of the method used to generate the key pairs for NTRU cryptography is the following:

_{(i)}- The CA uses random numbers to point at a set of addresses in the image of the
**PUF-i**. - From these addresses, a stream of bits called Seed
**K’**is generated by the CA. - The CA sends the handshake to the client (i) to find the same addresses.
- Client (i) uses the PUF to generate Seed
**K**. - Client (i) applies error correction to Seed
**K**and generates the truncated polynomials**f**and_{(i)}**g**._{(i)} - Computation of
**Fp**and_{(i)}**Fq**and verify that the pre-conditions are fulfilled._{(i)} - If needed, ask for a new handshake and iterate.
- The polynomial h
_{(i)}is computed: h_{(i)}← p · Fq_{(i)}· g_{(i)}. - The private key
**Sk**is {_{(i)}**f**;_{(i)}**Fp**}._{(i)} - The public key
**Pk**is_{(i)}**h**._{(i)} - Client (i) communicates to the CA, through the network, the public key
**h**._{(i)} - The CA uses a search engine to verify that
**h**is correct._{(i)} - If the validation is positive, the public key
**h**is posted online by the RA._{(i)}

**Fp**(i) and

**Fq**(i) and verify that the pre-conditions are fulfilled; if needed ask for a new handshake and iterate”, could be handled differently to minimize backward and forward communications cycles between the CA and the client device. One example of implementation is to have a pre-arranged way to modify the seed generated by the PUF and its image. When the CA fails to validate the public key, several pre-arranged modifications of Seed K’ will be tested.

#### 4.5. PUF-Based Key Distribution for Code-Based Cryptography

**K**that is generated from the PUF to compute the two matrixes

**S**and

_{(i)}**P**. The brief outline of the protocol for generating key pairs for code-based cryptography is the following:

_{(i)}- The CA uses random numbers to point at a set of addresses in the image of the
**PUF-i**. - From these addresses, a stream of bits called Seed
**K’**is generated by the CA. - The CA sent the handshake to the client (i) to find the same addresses.
- Client (i) uses the PUF to generate Seed
**K**. - Client (i) applies ECC) on Seed
**K**and generates the matrixes**S**and_{(i)}**P**._{(i)} - Computation of
**S**and_{(i)}^{−1}**P**_{(i)}^{−}.^{1} - The public key
**Pk**=_{(i)}**Ĝ**_{(i)}is computed with the generator matrix**G**:**Ĝ**_{(i)}←**S**·_{(i)}**G**·**P**_{(i)}. - The private key
**Sk**is {_{(i)}**G**;**S**._{(i)}^{−1}, P_{(i)}^{−1}} - Client (i) communicates to the CA, through the network, the public key
**Ĝ**_{(i)}. - The CA uses a search engine to verify that
**Ĝ**_{(i)}is correct. - If the validation is positive, the public key
**Ĝ**_{(i)}is posted online by the RA.

## 5. Experimental Evaluation

#### 5.1. Experimental Methodology

#### 5.2. Evaluation of the Effective Key Throughput

^{8}keys per second. ECC Secp256r1 performed the second slowest at 4.77 × 10

^{4}keys per second. The post-quantum algorithms largely performed better than ECC with 1.97 × 10

^{5}and 6.83 × 10

^{5}keys per second for CRYSTALS-Dilithium 2 and LightSABER respectively. qTESLA-p-I was the worst performing PQC and overall cryptosystem out of all five at 2.24 × 10

^{4}keys per second.

## 6. Conclusions and Future Work

^{5}seeds per second with CRYSTALS-Dilithium 2 and LightSABER, which is faster than what we measured with mature algorithms such as the ones with elliptic curves. The experimental evaluation conducted in this work, with the RBC, also lets us conclude that the pre-selection by NIST of CRYSTALS-Dilithium for DSA and SABER for KEM are promising from a performance standpoint. Our results show that the key generation performance is at least comparable to that of ECC. The PQC algorithms under consideration are excellent in an environment targeting PUF-based key exchange. The AES hardware-accelerated AES-NI implementation yields roughly 220 million keys per second throughput on a single machine, which serves a practical real world upper bound for future hardware-accelerated PQC implementations.

## Author Contributions

## Funding

## Institutional Review Board Statement

## Informed Consent Statement

## Data Availability Statement

## Acknowledgments

## Conflicts of Interest

## Disclaimer

## References

- Koblitz, N.; Menezes, A. A Riddle Wrapped in an Enigma. 2015. Available online: http://eprint.iacr.org/2015/1018 (accessed on 18 May 2015).
- Kiktenko, E.; Pozhar, N.; Anufriev, M.; Trushechkin, A.; Yunusov, R.; Kurochkin, Y.; Lvovsky, A.; Fedorov, A. Quantum Secured Blockchains. Open Source. arXiv
**2018**, arXiv:1705.09258v3. [Google Scholar] - Semmouni, M.; Nitaj, A.; Belkasmi, M. Bitcoin Security with Post Quantum Cryptography. 2019. Available online: https://hal-normandie-univ.archives-ouvertes.fr/hal-02320898 (accessed on 19 October 2019).
- Campbell, R. Evaluation of Post-Quantum Distributed Ledger Cryptography. Open Access, JBBA. 2019; Volume 2. Available online: https://doi.org/10.31585/jbba-2-1-(4)2019 (accessed on 16 March 2019).
- Kampanakisy, P.; Sikeridisz, D. Two Post-Quantum Signature Use-Cases: Non-issues, Challenges and Potential Solutions. In Proceedings of the 7th ETSI/IQC Quantum Safe Cryptography Workshop, Seattle, WA, USA, 5–7 November 2019. [Google Scholar]
- Ding, J.; Chen, M.-S.; Petzoldt, A.; Schmidt, D.; Yang, B.-Y. Rainbow; NIST PQC Project Round 2, Documentation. In Proceedings of the 2nd NIST Standardization Conference for Post-Quantum Cryptosystems, Santa Barbara, CA, USA, 22–24 August 2019. [Google Scholar]
- NIST Status Report of Phase 3 of PQC Program, NISTIR.8309. Available online: https://www.nist.gov/publications/status-report-second-round-nist-post-quantum-cryptography-standardization-process (accessed on 22 July 2020).
- Ducas, L.; Kiltz, E.; Lepoint, T.; Lyubashevsky, V.; Schwabe, P.; Seiler, G.; Stehlé, D. CRYSTALS-Dilithium Algorithm Specifications and Supporting Documentation. Part of the Round 3 Submission Package to NIST. Available online: https://pq-crystals.org/dilithium (accessed on 19 February 2021).
- Fouque, P.-A.; Hoffstein, J.; Kirchner, P.; Lyubashevsky, V.; Pornin, T.; Prest, T.; Ricosset, T.; Seiler, G.; Whyte, W.; Zhang, Z. Falcon: Fast-Fourier Lattice-Based Compact Signatures over NTRU, Specification v1.2. Available online: https://falcon-sign.info/falcon.pdf (accessed on 1 October 2020).
- Peikert, C.; Pepin, Z. Algebraically Structured LWE Revisited; Springer: Berlin/Heidelberg, Germany, 2019; pp. 1–23. [Google Scholar]
- IEEE Computing Society. IEEE Standard 1363.1-2008—Specification for Public Key Cryptographic Techniques Based on Hard Problems over Lattices; IEEE: Piscataway, NJ, USA, 2009. [Google Scholar]
- Regev, O. New lattice-based cryptographic constructions. J. ACM
**2004**, 51, 899–942. [Google Scholar] [CrossRef] - Casanova, A.; Faugere, J.-C.; Macario-Rat, G.; Patarin, J.; Perret, L.; Ryckeghem, J. GeMSS: A Great Multivariate Short Signature; NIST PQC Project Round 2, Documentation. Available online: https://csrc.nist.gov/Projects/post-quantum-cryptography/round-2-submissions (accessed on 3 January 2017).
- McEliece, R.J. A Public-Key Cryptosystem Based on Algebraic Coding Theory; California Institute of Technology: Pasadena, CA, USA, 1978; pp. 114–116. [Google Scholar]
- Biswas, B.; Sendrier, N. McEliece Cryptosystem Implementation: Theory and Practice. In Post-Quantum Cryptography. PQCrypto. Lecture Notes in Computer Science; Buchmann, J., Ding, J., Eds.; Springer: Berlin/Heidelberg, Germany, 2008; Volume 5299. [Google Scholar]
- Regev, O. On Lattices, Learning with Errors, Random Linear Codes, and Cryptography. In Proceedings of the Thirty-Seventh Annual ACM Symposium on Theory of Computing—STOC’05, Baltimore, MD, USA, 22–24 May 2005; ACM: New York, NY, USA, 2005; pp. 84–93. [Google Scholar]
- Lyubashevsky, V. Fiat-Shamir with Aborts: Applications to Lattice and Factoring-Based Signatures. Available online: https://www.iacr.org/archive/asiacrypt2009/59120596/59120596.pdf (accessed on 31 December 2009).
- D’Anvers, J.-P.; Karmakar, A.; Roy, S.; Vercauteren, F. Saber: Module-LWR Based Key Exchange, CPA-Secure Encryption and CCA-Secure KEM. Cryptology ePrint Archive, Report 2018/230. Available online: https://eprint.iacr.org/2018/230 (accessed on 7 May 2018).
- Bos, J.; Ducas, L.; Kiltz, E.; Lepoint, T.; Lyubashevsky, V.; Schanck, J.; Schwabe, P.; Seiler, G.; Stehle, D. CRYSTALS—Kyber: A CCA-Secure Module-Lattice-Based KEM. In Proceedings of the 2018 IEEE European Symposium on Security and Privacy (EuroS&P), London, UK, 24–26 April 2018; pp. 353–367. [Google Scholar]
- Hülsing, A.; Rijneveld, J.; Schanck, J.; Schwabe, P. High-Speed Key Encapsulation from NTRU. IACR Cryptol. Available online: https://www.iacr.org/archive/ches2017/10529225/10529225.pdf (accessed on 28 August 2017).
- Banerjee, A.; Peikert, C.; Rosen, A. Pseudorandom functions and lattices. In Proceedings of the Annual International Conference on the Theory and Applications of Cryptographic Techniques, Cambridge, UK, 15–19 April 2012; Springer: Berlin/Heidelberg, Germany, 2012; pp. 719–737. [Google Scholar]
- Alwen, J.; Stephan, K.; Krzysztof, P.; Daniel, W. Learning with rounding, revisited. In Proceedings of the Annual Cryptology Conference, Athens, Greece, 26–30 May 2013; Springer: Berlin/Heidelberg, Germany, 2013; pp. 57–74. [Google Scholar]
- Nurshamimi, S.; Kamarulhaili, H. NTRU Public-Key Cryptosystem and Its Variants. Int. J. Cryptol. Res.
**2020**, 10, 21. [Google Scholar] - Gentry, C.; Peikert, C.; Vaikuntanathan, V. Trapdoors for Hard Lattices and New Cryptographic Constructions. In Proceedings of the 14th Annual ACM Symposium on Theory of Computing. pp. 197–206. Available online: https://doi.org/10.1145/1374376.1374407 (accessed on 25 August 2008).
- Heyse, S. Post-Quantum Cryptography: Implementing Alternative Public Key Schemes on Embedded Devices. Ph.D. Thesis, For the Degree of Doktor-Ingenieur of the Faculty of Electrical Engineering and Information Technology at the Ruhr-University Bochum, Bochum, Germany, 2013. [Google Scholar]
- Menezes, A.; van Oorschot, P.; Vanstone, S. Some Computational Aspects of Root Finding in GF(q
^{m}); Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 1989; Volume 358. [Google Scholar] - Papakonstantinou, I.; Sklavos, N. Physical Unclonable Function Design Technologies: Advantages & Tradeoffs; Daimi, K., Ed.; Computer and Network Security; Spinger: Berlin/Heidelberg, Germany, 2018; ISBN 978-3-319-58423-2. [Google Scholar]
- Herder, C.; Yu, M.; Koushanfar, F. Physical Unclonable Functions and Applications: A Tutorial. Proc. IEEE
**2014**, 102, 1126–1141. [Google Scholar] [CrossRef] - Cambou, B.; Orlowski, M. Design of Physical Unclonable Functions with ReRAM and Ternary states. In Proceedings of the Cyber and Information Security Research Conference, CISR-2016, Oak Ridge, TN, USA, 5–7 April 2016. [Google Scholar]
- Cambou, B.; Telesca, D. Ternary Computing to Strengthen Information Assurance, Development of Ternary State based public key exchange. In Proceedings of the SAI-2018, Computing Conference, London, UK, 10–12 July 2018. [Google Scholar]
- Taniguchi, M.; Shiozaki, M.; Kubo, H.; Fujino, T. A Stable Key Generation from PUF Responses with A Fuzzy Extractor for Cryptographic Authentications. In Proceedings of the IEEE 2nd Global Conference on Cons Electronics (GCCE), Tokyo, Japan, 1–4 October 2013. [Google Scholar]
- Kang, H.; Hori, Y.; Katashita, T.; Hagiwara, M.; Iwamura, K. Cryptography Key Generation from PUF Data Using Efficient Fuzzy Extractors. In Proceedings of the 16th International Conference on Advanced Communication Technology, Pyeongchang, Korea, 16–19 February 2014. [Google Scholar]
- Delvaux, J.; Gu, D.; Schellekens, D.; Verbauwhede, I. Helper Data Algorithms for PUF-Based Key Generation: Overview and Analysis. IEEE Trans. Comput. Des. Integr. Circuits Syst.
**2014**, 34, 889–902. [Google Scholar] [CrossRef] [Green Version] - Cambou, C.; Philabaum, D.; Booher, D. Telesca; Response-Based Cryptographic Methods with Ternary Physical Unclonable Functions. In Proceedings of the 2019 SAI FICC Conference, San Francisco, CA, USA, 14–15 March 2019. [Google Scholar]
- Cambou, B. Unequally powered Cryptograpgy with PUFs for networks of IoTs. In Proceedings of the IEEE Spring Simulation Conference, Tucson, AZ, USA, 29 April–2 May 2019. [Google Scholar]
- Cambou, B.; Philabaum, C.; Booher, D. Replacing error correction by key fragmentation and search engines to generate error-free cryptographic keys from PUFs. CryptArchi
**2019**. Available online: https://in.nau.edu/wp-content/uploads/sites/223/2019/11/Replacing-Error-Correction-by-Key-Fragmentation-and-Search-Engines-to-Generate-Error-Free-Cryptographic-Keys-from-PUFs.pdf (accessed on 21 March 2021). - Cambou, B.; Mohammadi, M.; Philabaum, C.; Booher, D. Statistical Analysis to Optimize the Generation of Cryptographic Keys from Physical Unclonable Functions. Available online: https://link.springer.com/chapter/10.1007/978-3-030-52243-8_22 (accessed on 16 July 2020).
- Nejatollahi, H.; Dutt, N.; Ray, S.; Regazzoni, F.; Banerjee, I.; Cammarota, R. Post-Quantum Lattice-Based Cryptography Implementations. ACM Comput. Surv.
**2019**, 51, 1–41. [Google Scholar] [CrossRef] - Emeliyanenko, P. Efficient Multiplication of Polynomials on Graphics Hardware. In Proceedings of the 8th International Symposium on Advanced Parallel Processing Technologies, Rapperswil, Switzerland, 24–25 August 2009; pp. 134–149. [Google Scholar]
- Akleylek, S.; Dağdelen, Ö.; Tok, Y. On The Efficiency of Polynomial Multiplication for Lattice-Based Cryptography on Gpus Using Cuda. In Cryptography and Information Security in the Balkans; Springer: Berlin/Heidelberg, Germany, 2016. [Google Scholar]
- Longa, P.; Naehrig, M. Speeding up the Number Theoretic Transform for Faster Ideal Lattice-Based Cryptography. Comp. Sci. Math. IACR
**2016**, 124–139. [Google Scholar] [CrossRef] - Greconici, D.; Kannwischer, M.; Sprenkels, D. Compact Dilithium Implementations on Cortex-M3 and Cortex-M4. IACR Cryptol. ePrint Arch.
**2020**, 2021, 1–24. [Google Scholar] - Roy, S. SaberX4: High-Throughput Software Implementation of Saber Key Encapsulation Mechanism. In Proceedings of the 37th IEEE International Conference on Computer Design, ICCD 2019, Abu Dhabi, United Arab Emirates, 17–20 November 2019; pp. 321–324. [Google Scholar]
- Farahmand, F.; Sharif, M.; Briggs, K.; Gaj, K. A High-Speed Constant-Time Hardware Implementation of NTRUEncrypt SVES. In Proceedings of the International Conference on Field-Programmable Technology (FPT), Naha, Okinawa, Japan, 10–14 December 2018; pp. 190–197. [Google Scholar] [CrossRef]

**Figure 1.**Example of public–private key generation for LWE based cryptography. The matrix

**A**and vectors

_{(i)}**S**and

_{1(i)}**S**are generated from random number generators. The vector

_{2(i)}**t**is computed from these elements for the generation of the key pair.

_{(i)}**Figure 2.**Example of key generation for NTRU cryptography. The polynomials

**f**and

_{(i)}**g**and are generated from random number generators, from which the inverses

_{(i)}**Fq**and

_{(i)}**Fp**are computed. The public key

_{(i)}**h(i)**is also computed from these polynomials.

**Figure 3.**Example of key generation for code-based cryptography. The two matrixes

**S**

**and**

_{(i)}**P**are generated from random number generators. The key pairs are computed from the matrixes, and the generator matrix G.

_{(i)}**Figure 4.**Communication protocol between two client devices with shared public keys. Each client device is set with its key pair. For KEM, Client 1 uses the public key of Client 2 to encrypt a shared key; Client 2 retrieves the key with their private key. For DSA, Client 1 signs a message with their private key, Client 2 verifies the message with the public key of Client 1.

**Figure 5.**Physical unclonable function (PUF)-based public key infrastructure (PKI). The Certificate Authority (CA) verify the validity of the public keys and transfer them to the Register Authority (RA). The key pairs are generated from the PUFs embedded in each client device. The architecture enables cloud-based peer-to-peer secure transactions protected by asymmetrical cryptography.

**Figure 6.**PUF-based key pair generation for learning with error (LWE). The private keys, i.e., vectors

**S**and

_{1(i)}**S**, are generated from the seed K that is extracted from the PUF. The matrix

_{2(i)}**A**continues to be generated from a random number. The search engine of the CA has access to an image of the PUF, and can independently validate the validity of public key, which is posted by the RA for cloud-based transactions. A new key pair can be generated, and validated by the CA, at each handshake cycle.

_{(i)}**Figure 7.**PUF-based public key infrastructure (PKI) with LWE cryptography. The use of PUFs in the PKI network does not impact the user experience during peer-to-peer secure communication. The ability to generate one time use key pairs, and authenticate each client device at each transaction, enhances the root of trust. Such PUF based architectures are only valid if the latencies are kept below a few seconds.

**Figure 8.**PUF-based key pair generation for NTRU. After each handshake, the polynomials

**g**and

_{(i)}**f**are generated from the Seed K that is extracted from the PUF. The public and private key pairs are computed from these two polynomials. The search engine of the CA can independently validate the validity of public key with the image of the PUF.

_{(i)}**Figure 9.**PUF-based key pair generation for code-based cryptography. The two matrixes

**S**and

_{(i)}**P**are generated from the Seed K that is extracted from the PUF. As was done in the previously presented PQC schemes, the search engine of the CA has access to an image of the PUF and can independently verify the validity of the public key.

_{(i)}**Figure 10.**Key performance index (KPI) and the effective throughput in keys per second achieved by the response based cryptographic (RBC) search engine powered with AMD Ryzen 9 3900X. Benchmark of the post quantum cryptographic (PQC) algorithms are compared to the reference codes AES 256 and ECC.

**Figure 11.**Maximum effective throughput relative to the performance of ECC Secp256r1 achieved for each response based cryptographic (RBC) cryptosystem implementation powered by AMD Ryzen 9 3900X. Light SABER performance is approximately 14 times faster than elliptic curve cryptography (ECC).

**Table 1.**Breakdown of the fraction of the time hashing and extendable output function XOF compared with the time performing polynomial multiplication. Both SABER and CRYSTALS are constrained by the polynomial multiplication. The light versions considered in the post quantum cryptographic (PQC) implementations of hashing and XOF functions such as SHA3 with SHAKE are extremely effective.

Hashing and XOF | Polynomial Multiplication | Reference | |
---|---|---|---|

SABER | ~30% | ~60% | Our benchmarks |

CRYSTALS-Dilithium | ~42% | ~33% | Our benchmarks |

NTRU | second bottleneck | first bottleneck | [40,41] |

**Table 2.**Selected cryptosystems, parameter sets, whether the PQC algorithms are NIST round 3 candidates, specialized instructions employed in the implementations, and our motivation for selecting the algorithm and its configuration.

Algorithm | Parameter Set | NIST Candidate | Instructions | Selection Reason |
---|---|---|---|---|

AES | AES256 | N/A | AES-NI, SSE | Benchmark: HW implementation Lacks DSA and KEM capabilities |

ECC | Secp256r1 | N/A | AVX, SSE | Benchmark: mainstream for PKI Uses 256-bit long keys for DSA |

qTESLA | p-I | Dropped | AVX, SSE | PQC dropped by NIST: too slow DSA uses relatively small keys |

CRYSTALS-Dilithium | 2 | Phase 3 | AVX, SSE | Active LWE PQC algorithm One of preferred DSA scheme |

SABER | LightSABER | Phase 3 | AVX, SSE | Active LWR PQC algorithm One of the preferred KEM scheme |

Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations. |

© 2021 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).

## Share and Cite

**MDPI and ACS Style**

Cambou, B.; Gowanlock, M.; Yildiz, B.; Ghanaimiandoab, D.; Lee, K.; Nelson, S.; Philabaum, C.; Stenberg, A.; Wright, J.
Post Quantum Cryptographic Keys Generated with Physical Unclonable Functions. *Appl. Sci.* **2021**, *11*, 2801.
https://doi.org/10.3390/app11062801

**AMA Style**

Cambou B, Gowanlock M, Yildiz B, Ghanaimiandoab D, Lee K, Nelson S, Philabaum C, Stenberg A, Wright J.
Post Quantum Cryptographic Keys Generated with Physical Unclonable Functions. *Applied Sciences*. 2021; 11(6):2801.
https://doi.org/10.3390/app11062801

**Chicago/Turabian Style**

Cambou, Bertrand, Michael Gowanlock, Bahattin Yildiz, Dina Ghanaimiandoab, Kaitlyn Lee, Stefan Nelson, Christopher Philabaum, Alyssa Stenberg, and Jordan Wright.
2021. "Post Quantum Cryptographic Keys Generated with Physical Unclonable Functions" *Applied Sciences* 11, no. 6: 2801.
https://doi.org/10.3390/app11062801