New Mathblocks-Based Feistel-Like Ciphers for Creating Clone-Resistant FPGA Devices

: The Secret Unknown Cipher (SUC) concept was introduced a decade ago as a promising technique for creating pure digital clone-resistant electronic units as alternatives to the traditional non-consistent Physical Unclonable Functions (PUFs). In this work, a very special unconventional cipher design is presented. The design uses hard-core FPGA (Field Programmable Gate Arrays) -Mathblocks available in modern system-on-chip (SoC) FPGAs. Such Mathblocks are often not completely used in many FPGA applications; therefore, it seems wise to make use of such dead (unused) modules to fabricate usable physical security functions for free. Standard cipher designs usually avoid deploying multipliers in the cipher mapping functions due to their high complexity. The main target of this work is to design large cipher classes (e.g., cipher class size > 2 600 ) by mainly deploying the FPGA speciﬁc mathematical cores. The proposed cipher designs are novel hardware-oriented and new in the public literature, using fully new unusual mapping functions. If a random unknown selection of one cipher out of 2 600 ciphers is self-conﬁgured in a device, then a Secret Unknown Cipher module is created within a device, making it physically hard to clone. We consider the cipher module for free (for zero cost) if the major elements in the cipher module are making use of unused reanimated Mathblocks. Such ciphers are usable in many future mass products for protecting vehicular units against cloning and modeling attacks. The required self-reconﬁgurable devices for that concept are not available now; however, they are expected to emerge in the near future.


Introduction
One of the most significant security threats to emerging electronic devices is cloning or theft of identity. Therefore, the security requirements are steadily growing to face such threats and challenges. In the last decades, several proposals were introduced for identifying an electronic device by using a secret stored key in an embedded non-volatile memory (NVM) [1]. Unfortunately, such technology has been proven inefficient against physical attacks [2]. Alternatively, Physically Unclonable Functions (PUFs) were proposed to serve as unclonable identities for electronic devices [3,4] as an alternative to key storage in NVM [4]. The main idea of PUFs is to seek a physical mapping out of the intrinsic properties or physical structures of a device. However, major results showed that PUF technologies suffer from lacking consistency over a long period of time due to several factors such as noise, aging, metastability, sensitivity to temperature, supply voltage variations, and other factors [4]. Moreover, PUF output response bits suffer from being non-uniformly distributed [4], which leads to offering more correlations between PUF input/ output pairs or the so-called Challenge-Response Pairs (CPRs), in other words simplifying the modeling attacks. In this case, a set of CRPs can be given as a training set to a Machine learning (ML) algorithm, which constructs a predictive model of the PUF. For instance,

•
The state of the art of currently used unknown functions such as PUFs, PUF-based unknown key generation, etc. is critically presented showing their vulnerabilities and drawbacks in Section 2.

•
The concept of the Secret Unknown Ciphers (SUCs) and their creation process toward building clone-resistant devices are presented in Section 3.

•
The usage of hard-core arithmetic modules in designing the proposed unknown ciphers/functions are explained in Section 4 based on the existing resources of a modern FPGA technology such as Microsemi Smart-Fusion ® 2.

•
New cipher classes based on mainly deploying multipliers in the ring of integers as Feistel-like ciphers classes are presented in Section 5.

•
Sample hardware modeling and a complexity evaluation of such cipher classes and their security analysis are discussed and investigated in Sections 6-8.

New Contributions:
This work is a new approach and improvement to follow our recent publications [12][13][14] toward developing unknown cipher functions to serve as digital PUFs. This paper introduces novel Mathblocks-based involutions for a Feistel-like class of new Secret Unknown Ciphers (SUCs) structures within modern FPGA devices. The new involutions are proved to exhibit efficient combined confusion and diffusion at the same time. The overall resulting security quality and implementation efficiency is shown to exceed the conventional cipher structures in anti-cloning applications.

State of the Art on Unclonable Electronic Units
In the following, PUFs and other proposals based on PUFs are summarized as unknown physical functions. Firstly, intrinsic PUFs [3] as unknown functions are presented. Then, PUF-based unknown key generation for a block cipher, especially for a pseudo-random function (PRF) [15], are investigated. Finally, a block cipher deploying PUFs [16] as an unknown function is presented. The following three technical discussions on PUFs are presented with some details as being closely related to the objectives of our cipher proposal.

PUFs as Unkown/Random Functions
This is a case of describing PUFs as unknown functions, where a formalization of a PUF technology can be presented and described as follows: Definition 1. Let Γ PUF be a set of certain PUFs, and PUF ∈ Γ PUF . Then, PUF is defined as a mapping that is easy to compute, hard to invert, unpredictable, and derived from the random behavior of a complex physical object/device: where * is a Kleene star and {0, 1} * is the set of all possible binary strings with finite lengths. Note that a PUF is fundamentally considered to be a mapping from {0, 1} * to {0, 1} * [9]. According to [17], if a PUF can respond to every challenge from {0, 1} * by a response from {0, 1} * , then a PUF is a one-way function. However, PUFs practically do not fulfill the requirements of a one-way function [18]. In this case, a PUF is defined as a mapping from a finite domain to a finite range, Furthermore, the number of all possible PUFs is theoretically upper bounded by the number of all possible mappings from {0, 1} m to {0, 1} n , If |Γ PUF | = 2 n·2 m , then PUFs are seen as unknown/random functions [19]. Unfortunately, there is no guarantee that a physical object/device can produce this huge number of distinct mappings. This can be deduced through the following approaches. First, it is assumed that a PUF is "an isolated physical system S which fits into a sphere of radius R [18]". The maximum entropy H S (information content) of PUFs is upper bounded in its volume, as follows [20], where the constant α is related to physical quantities such as the speed of light, etc. [18].
The second approach uses the information capacity concept [19]. In this case, PUF is defined as a silicon device that implements a deterministic function, where the silicon object consists of N silicon cells, such as memory bits, flip-flops, etc. In this case, the maximum information capacity/entropy I max of such a PUF is given in [19] as, I max ≤ N·C bits (5) where C 1 is the information capacity of one cell. According to Equations (4) and (5), it is concluded that the information capacity of PUFs is limited and upper bounded. Therefore, the cardinality of Γ PUF is upper bounded as, This implies that a PUF from a Γ PUF is not a random function [19].

PUF-Based Unkown Key Generation for Pseudo-Random Fuctions
This is a case of using an unknown key for a known cipher [15] where a PUF-based key generation for a standard block cipher can be simply constructed by choosing a conventional cipher and taking the key source as the PUF output/response K to some known input Z 0 .
The resulting cipher with the unknown key K behaves precisely as a randomly chosen function from {0, 1} n to {0, 1} m . Therefore, the resulting cipher's behavior fulfills the requirements to represent a PRF. As the cipher is public, the attack complexity is 2 m , where m is the size of the unknown key K.
In [21], PUF-based key generation for cryptographic application was practically investigated. Sadeghi et al. [15] combined key storage and strong PUF to produce an unknown key for a cipher, as shown in Figure 1. This proposal achieves a high level of security, where the PUF's response approaches a PRF behavior, and it becomes hard to be impersonated or to be modeled. Unfortunately, the resulting cipher structure still requires an additional complex fuzzy extractor and helper data to make the PUF respond with a consistent output (unknown key K). In [21], PUF-based key generation for cryptographic application was practically investigated. Sadeghi et al. [15] combined key storage and strong PUF to produce an unknown key for a cipher, as shown in Figure 1. This proposal achieves a high level of security, where the PUF's response approaches a PRF behavior, and it becomes hard to be impersonated or to be modeled. Unfortunately, the resulting cipher structure still requires an additional complex fuzzy extractor and helper data to make the PUF respond with a consistent output (unknown key K).

A Block Cipher Deploying PUFs as Unkown Round Functions
In this case, an unknown cipher is created by using PUFs as a part of the cipher mappings. In [16], a block cipher deploying PUFs was proposed, where a cipher is constructed as three cascaded Feistel cipher rounds with PUFs as round functions (see Figure 2). The resulting cipher fulfills the requirements of being a PRF. In [19], Wu and O'Neill determined the necessary condition for a block cipher deploying PUFs to become a PRF. The results showed that such a cipher should have a high level of diffusion and confusion to become a PRF. In Figure 2, a Feistel cipher based on PUFs represents an efficient

A Block Cipher Deploying PUFs as Unkown Round Functions
In this case, an unknown cipher is created by using PUFs as a part of the cipher mappings. In [16], a block cipher deploying PUFs was proposed, where a cipher is constructed as three cascaded Feistel cipher rounds with PUFs as round functions (see Figure 2). The resulting cipher fulfills the requirements of being a PRF.  In [21], PUF-based key generation for cryptographic application was practically investigated. Sadeghi et al. [15] combined key storage and strong PUF to produce an unknown key for a cipher, as shown in Figure 1. This proposal achieves a high level of security, where the PUF's response approaches a PRF behavior, and it becomes hard to be impersonated or to be modeled. Unfortunately, the resulting cipher structure still requires an additional complex fuzzy extractor and helper data to make the PUF respond with a consistent output (unknown key K).

A Block Cipher Deploying PUFs as Unkown Round Functions
In this case, an unknown cipher is created by using PUFs as a part of the cipher mappings. In [16], a block cipher deploying PUFs was proposed, where a cipher is constructed as three cascaded Feistel cipher rounds with PUFs as round functions (see Figure 2). The resulting cipher fulfills the requirements of being a PRF. In [19], Wu and O'Neill determined the necessary condition for a block cipher deploying PUFs to become a PRF. The results showed that such a cipher should have a high level of diffusion and confusion to become a PRF. In Figure 2, a Feistel cipher based on PUFs represents an efficient In [19], Wu and O'Neill determined the necessary condition for a block cipher deploying PUFs to become a PRF. The results showed that such a cipher should have a high level of diffusion and confusion to become a PRF. In Figure 2, a Feistel cipher based on PUFs represents an efficient structure as a PRF, but it still requires additional helper data in addition to the PUFs to produce consistent outputs.

The Concept of Secret Unknown Ciphers Modules as PUF Alternatives
The unknown cipher concept is an entirely new security paradigm in the public literature. The unknown cipher here does not deal with protecting the communications or the links between at least two parties, as a sender and a receiver, which requires the cipher to be commonly known to both parties (Kerckhoffs's principle). In particular, the SUC is fundamentally designed for the identification process to serve as a clone-resistant identity [22]. We postulate that "unclonability" is only possible if unknown structures are created. Therefore, a cipher designed to be embedded as a structure that is unknown to anybody (including its designer) does not violate Kerckhoff's principle. On the other hand, SUC should not be confused with "security by obscurity", where the cipher is designed by a cryptographer, known to the manufacturer, and then kept secret and obscure.
SUC creation is a very challenging task. Figure 3 illustrates the SUC creation concept in a non-volatile (NV) FPGA device having internal self-reconfiguration capability. A large class of ciphers {C 1 , C 2 . . . C σ } are first created σ → ∞ and offered for selection. Then, a single-event process triggers a true random number generator (TRNG), leading to select randomly an unknown cipher choice C j from the infinite number σ of the created distinct ciphers. After this process, all the dashed entities in Figure 3 are then irreversibly killed and fully removed from the chip.
non-volatile (NV) FPGA device having internal self-reconfiguration capability. A large class of ciphers {C1, C2 … Cσ} are first created → ∞ and offered for selection. Then, a single-event process triggers a true random number generator (TRNG), leading to select randomly an unknown cipher choice Cj from the infinite number σ of the created distinct ciphers. After this process, all the dashed entities in Figure 3 are then irreversibly killed and fully removed from the chip.
The resulting cipher is a secret yet unknown cipher, and is a non-repeatable selection. It is even an unknown choice to the cipher designer/creator himself. The "Secret Unknown Cipher" (SUC) is realizable in an emerging VLSI device that allows self-creation of permanent unknown usable secret structures as "an electronic mutation", as indicated in [23]. Note that for the functionality of the concept, there is no need to publish the SUC creation procedure/program of the cipher class, which is designated from now on as the "GENIE" as a smart cipher designer. However, for worst-case security analysis, we assume that the cipher creating "GENIE" is published.
Following other cryptographers who use the term Oracle (inspired by the gods) to describe a theoretical black box model, the term GENIE is inspired from the oriental folk tales of One Thousand and One Nights. In the tales, a powerful ghost called GENIE can make all wishes come true; however, nobody knows how the GENIE can grant all wishes. In the ultimate case, our GENIE is a powerful cryptographer who can virtually create all possible ciphers of a given size.   The resulting cipher is a secret yet unknown cipher, and is a non-repeatable selection. It is even an unknown choice to the cipher designer/creator himself. The "Secret Unknown Cipher" (SUC) is realizable in an emerging VLSI device that allows self-creation of permanent unknown usable secret structures as "an electronic mutation", as indicated in [23]. Note that for the functionality of the concept, there is no need to publish the SUC creation procedure/program of the cipher class, which is designated from now on as the "GENIE" as a smart cipher designer. However, for worst-case security analysis, we assume that the cipher creating "GENIE" is published.

Creation Concept of Unknown Ciphers as Clone-Resistant Entities/Modules
Following other cryptographers who use the term Oracle (inspired by the gods) to describe a theoretical black box model, the term GENIE is inspired from the oriental folk tales of One Thousand and One Nights. In the tales, a powerful ghost called GENIE can make all wishes come true; however, nobody knows how the GENIE can grant all wishes. In the ultimate case, our GENIE is a powerful cryptographer who can virtually create all possible ciphers of a given size.

Creation Concept of Unknown Ciphers as Clone-Resistant Entities/Modules
The proposed SUC is conceptually based on the following principle: "the only secret which can be kept unrevealed is the one which nobody knows" [13]. From a practical point of view, if the cipher creator itself cannot predict and foretell exactly the created cipher, then the cipher is considered as not known when the cipher class size σ → ∞ . Figure 4 illustrates a possible SUC creation that is assumed to be processed in a secure environment. The process may proceed as follows: 1. TA randomly selects a set { , … } of cleartext vectors out of the 2 possible combinations, where n is the size of the SUC input/output space in bits. 2. TA stimulates the SoCA device to encipher the cleartext vectors into the ciphertexts {y1, … yT} using its SUC within the device. 3. The resulting T-(xi ,yi) pairs are stored as secret pairs in the individual (personal) device records by the TA. The records have to be kept secret for later use. As the created TRNG bits are fully and exclusively responsibly for creating the SUC, and as TRNG bits are unpredictable, non-repeatable, and unknown, the resulting created SUC in the SoC device is also unknown and unpredictable, such that:

Secret X/Y pairs Records
For every t > 0. This implies that where n is the bit size of the SUC input/output space and kt is the bit size of the cipher's secret key. In addition, SUC has the property of being able to generate a large number of distinct CRPs as SUC creation phase:

1.
A trusted authority (TA) injects one-time into a system-on-chip (SoC) device the software package "GENIE" as an SUC creator for a short time (as much time as required to create an unknown cipher, usually a few milliseconds).

2.
Then, the GENIE is internally triggered to generate/select a permanent and unpredictable secure cipher with the help of an internal, non-repeatable, unpredictable, and unknown bit stream from the in-chip TRNG.

3.
After creating an SUC, the GENIE is completely and irreversibly deleted. What remains is a non-removable and unchangeable operational cipher (a SUC) that nobody knows.

SUC personalization phase:
4. TA randomly selects a set {x 1 , . . . x T } of cleartext vectors out of the 2 n possible combinations, where n is the size of the SUC input/output space in bits.

5.
TA stimulates the SoC device to encipher the cleartext vectors into the ciphertexts {y 1 , . . . y T } using its SUC within the device. 6.
The resulting T-(x i , y i ) pairs are stored as secret pairs in the individual (personal) device records by the TA. The records have to be kept secret for later use.
As the created TRNG bits are fully and exclusively responsibly for creating the SUC, and as TRNG bits are unpredictable, non-repeatable, and unknown, the resulting created SUC in the SoC device is also unknown and unpredictable, such that: For every t > 0. This implies that where n is the bit size of the SUC input/output space and k t is the bit size of the cipher's secret key.
In addition, SUC has the property of being able to generate a large number of distinct CRPs as cleartext/ciphertext pairs, which is upper bounded by 2 n . This counteracts the lack of CR space in the case of traditional analog PUFs. The created cipher SUC t is a result of the TRNG t random sequence that is not known to anybody. Moreover, it is highly probable that for any two-time points t 1 and t 2 , Therefore, each resulting SoC device has its individual SUC with a probability 1 − 1 σ → 1 .
How to Use an SUC? Figure 5 shows a generic two-way identification protocol using such SUCs for authenticating a personalized SoC A device.
The created cipher SUCt is a result of the TRNGt random sequence that is not known to anybody. Moreover, it is highly probable that for any two-time points t1 and t2, Therefore, each resulting SoC device has its individual SUC with a probability ( ) How to Use an SUC? Figure 5 shows a generic two-way identification protocol using such SUCs for authenticating a personalized SoCA device.
An SUC-based identification protocol may proceed as follows: 1. A secret pair (xi ,yi) is randomly chosen from the TA's secret records of SoCA. Then, the TA challenges the SoCA device by the cryptogram yi over an insecure channel. 2. The SoCA device responds by sending the decrypted cleartext x'i. 3. If x'i = xi, then the SoCA device is deemed to be authentic, and the pair (xi ,yi) is then marked as a used pair and never used again avoiding replay attack for highest security.

Accept
Notice: !! never use the pair X i , Y i again !! yes Reject no One-time ticket Figure 5. Two-way identification protocol over an insecure channel.

Modeling Attacks and Clone-Resistance Measures
Machine learning (ML) can be deployed to create a predictive model of an unknown function, algorithm, and/or concept by analyzing some training data [24]. Such a learning approach can be used for cryptanalysis [25], especially for modeling attacks on PUFs [5]. In a special case, if a learner L can predict the output of a PRF such as f based on past training data such as (x1,f(x1)), …, ( xq, f(xq)), then L can be used to distinguish the output of this PRF f [24], and f is not a secure PRF.
A secure PRF concept postulates that the output of PRF is statistically independent of the training data and uncorrelated with any learner [24]. Therefore, if a designed SUC is a secure PRF, then there is no ML algorithm that can build a predictive model for such an SUC. In this case, the SUC is a modeling-resistant structure.
On the other hand, cloning an entity indicates the ability of reproducing the same entity. The unclonability of an SUC comes from the fact that nobody knows its structure. The important issue that the cipher designer faces is how to generate a cipher that the designer himself cannot predict.
The cloning-resistance entropy (HCRE) for an SUC is proportional to the number σ of all possible choices of a randomly selected SUC, so that HCRE is defined as: An SUC-based identification protocol may proceed as follows:

1.
A secret pair (x i , y i ) is randomly chosen from the TA's secret records of SoC A . Then, the TA challenges the SoC A device by the cryptogram y i over an insecure channel.

2.
The SoC A device responds by sending the decrypted cleartext x' i .

3.
If x' i = x i , then the SoC A device is deemed to be authentic, and the pair (x i , y i ) is then marked as a used pair and never used again avoiding replay attack for highest security.

Modeling Attacks and Clone-Resistance Measures
Machine learning (ML) can be deployed to create a predictive model of an unknown function, algorithm, and/or concept by analyzing some training data [24]. Such a learning approach can be used for cryptanalysis [25], especially for modeling attacks on PUFs [5]. In a special case, if a learner L can predict the output of a PRF such as f based on past training data such as (x 1 ,f (x 1 )), . . . , ( x q , f (x q )), then L can be used to distinguish the output of this PRF f [24], and f is not a secure PRF.
A secure PRF concept postulates that the output of PRF is statistically independent of the training data and uncorrelated with any learner [24]. Therefore, if a designed SUC is a secure PRF, then there is no ML algorithm that can build a predictive model for such an SUC. In this case, the SUC is a modeling-resistant structure.
On the other hand, cloning an entity indicates the ability of reproducing the same entity. The unclonability of an SUC comes from the fact that nobody knows its structure. The important issue that the cipher designer faces is how to generate a cipher that the designer himself cannot predict.
The cloning-resistance entropy (H CRE ) for an SUC is proportional to the number σ of all possible choices of a randomly selected SUC, so that H CRE is defined as: If H CRE is a significant cryptographically large value, then the proposed SUC is claimed to be cloning resistance. The SUC design proposal is targeting H CRE > 500 bits; that is, the cloning complexity is larger than 2 500 cycles and/or memory bits.
In the following sections, a cipher creation strategy deploying modern VLSI devices as non-volatile FPGAs is presented. The key objective of this work is to use existing FPGA resources in an efficient way for creating very large classes of cipher structures and particularly by using the existing hard cores of arithmetic mathematical blocks called (Mathblocks). Such blocks are capable of multiplying and adding what would be the basic building blocks of the proposed SUC cipher structures to come up with low-cost realization possibilities by consuming available structures.

New SUC Implementation Strategy and Target FPGA Environment
The only non-volatile flash-based FPGA technology with programmable cells is available via Microsemi Smart-Fusion ® 2 devices. Some of the main features of the Smart-Fusion ® 2 FPGAs are flash-based fabric cells, a microcontroller subsystem based on an ARM Cortex-M3 processor, and high-speed hard cores of arithmetic Mathblocks called MACCs, including multipliers and adders [26].
The integrated MACCs are optimized to efficiently perform a DOT product mode as a 9 × 9 (8 × 8 unsigned integers) multiplication and a normal mode as an 18 × 18 (17 × 17 unsigned integers) multiplication, as shown in Figures 6 and 7 If HCRE is a significant cryptographically large value, then the proposed SUC is claimed to be cloning resistance. The SUC design proposal is targeting HCRE >500 bits; that is, the cloning complexity is larger than 2 500 cycles and/or memory bits.
In the following sections, a cipher creation strategy deploying modern VLSI devices as non-volatile FPGAs is presented. The key objective of this work is to use existing FPGA resources in an efficient way for creating very large classes of cipher structures and particularly by using the existing hard cores of arithmetic mathematical blocks called (Mathblocks). Such blocks are capable of multiplying and adding what would be the basic building blocks of the proposed SUC cipher structures to come up with low-cost realization possibilities by consuming available structures.

New SUC Implementation Strategy and Target FPGA Environment
The only non-volatile flash-based FPGA technology with programmable cells is available via Microsemi Smart-Fusion ® 2 devices. Some of the main features of the Smart-Fusion ® 2 FPGAs are flash-based fabric cells, a microcontroller subsystem based on an ARM Cortex-M3 processor, and high-speed hard cores of arithmetic Mathblocks called MACCs, including multipliers and adders [26].
The integrated MACCs are optimized to efficiently perform a DOT product mode as a 9 x 9 (8 x 8 unsigned integers) multiplication and a normal mode as an 18 x 18 (17 x 17 unsigned integers) multiplication, as shown in Figure 6  The new proposed implementation strategy is specially characterized for mainly using the following building blocks: • The hard-core FPGA multiplier modules as shown in Figure 7 should be deployed as a backbone of the designed ciphers. The major novelty of the designed ciphers lies in using such hard-core multipliers (in normal mode) in the involution function, which includes both confusion and Figure 6. A DOT product mode of SmartFusion ® 2 FPGA using MACCs [26]. MACCs: high-speed hard cores of arithmetic Mathblocks [26].

The reason for this special building blocks selection:
This implementation strategy is fully unusual in standard cipher designs as multipliers result with very high hardware complexity. However, in such FPGA technology, plenty of such multipliers may not be used in many applications and are left as dead entities. Deploying unused/dead modules for creating SUC structures is considered as a value creating a "reanimation process" of dead entity in this very special case.
The other DOT product mode of Figure 6 is also an objective of the author in ongoing research, which is outside of the scope of this paper. The new proposed implementation strategy is specially characterized for mainly using the following building blocks: • The hard-core FPGA multiplier modules as shown in Figure 7 should be deployed as a backbone of the designed ciphers. The major novelty of the designed ciphers lies in using such hard-core multipliers (in normal mode) in the involution function, which includes both confusion and diffusion properties at the same time.

•
The 4-bit look-up tables (LUT) cells should be used as small so-called Golden S-Boxes as lightweight nonlinear mappings having adequate security properties where each Golden S-Box requires just 4 × 4-input LUTs [26].

The reason for this special building blocks selection:
This implementation strategy is fully unusual in standard cipher designs as multipliers result with very high hardware complexity. However, in such FPGA technology, plenty of such multipliers may not be used in many applications and are left as dead entities. Deploying unused/dead modules for creating SUC structures is considered as a value creating a "reanimation process" of dead entity in this very special case.
The other DOT product mode of Figure 6 is also an objective of the author in ongoing research, which is outside of the scope of this paper. Figure 8 illustrates a possible functional layout after generating an SUC in a FPGA that uses MACCs interacting with some logical components LUTs consumed from the FPGA fabric and a minor software service program. This combination of MACCs and logic implemented components results in the desired target SUC of this proposal.
The ultimate security level of the SUC in FPGA technology is attained if the cipher locations in the layout are random and unknown. Note that the random and individual location of each SUC minimizes the risk of physical attacks considerably. This is even true when the adversary tries to obtain information by probing points inside the chip [27]. Random unknown allocating of the SUC structures physically in the FPGA layout is the subject of ongoing research and is outside the scope of this work.
which is outside of the scope of this paper. Figure 8 illustrates a possible functional layout after generating an SUC in a FPGA that uses MACCs interacting with some logical components LUTs consumed from the FPGA fabric and a minor software service program. This combination of MACCs and logic implemented components results in the desired target SUC of this proposal.

A New Feistel-Like Cipher Class
A new design strategy for a Luby-Rackoff cipher is presented below by replacing the XOR operation with a new powerful self-inverse mapping (Latin Square). The proposed mappings design is based on deploying the MACCs in the ring of integers modulo 2 n in the SmartFusion ® 2 FPGA technology.
Several block ciphers were classified as a Feistel cipher [28] such as the data encryption standard (DES) [29], Camellia [30], LBlock [31], etc. In [32], Biham and Shamir replaced some of the XOR operations in DES by the addition of mod 2 n . The resulting cipher becomes more resistant against differential cryptanalysis. A new construction of the Luby-Rackoff cipher as ψ(h, f , f , h) was presented in [33], where f is a PRF, and h is a universal hash function. The resulting cipher structure ψ(h, f , f , h) uses addition mod 2 n instead of XOR operation. This work is inspired by the following fact from [34]: "let X = 2 n -1, Y = 1 be the integer representation of a two n-bit block. In this case, the X+Y mod 2 n is equal to zero, where all bits in X are changed in the cryptogram, whereas X⊕Y is equal to n − 1 ones and a zero in the last significant bit, which means, only the last significant bit is changed [34]". These results show that the same level of security between an XOR-based Luby-Rackoff cipher and the addition of a mod 2 n -based Luby-Rackoff [34] is attainable.
The first step toward replacing the XOR operation of DES by another operation was taken in [35]. The proposed cipher is constructed based on * operation, which is defined as a Latin square. Following this work, a new design for a Luby-Rackoff cipher is proposed by replacing the * (non-involutive) operation with a new MACC-based self-inverse (involutive) mapping. The resulting new cipher class is usable for self-created SUCs. where a and b are two n-bit words.
In [36], Klimov generalized Rivest's construction of permutation polynomials (PPs) [37] resulting with invertible mappings with T-functions properties as follows: a d x d be a generalized polynomial with integral coefficients.
Let Π 2 denote the set of all polynomials P : Z 2 n × Z 2 n → Z 2 n of two variables of degree 1 in the form: where a, b, c ∈ Z 2 n . In this case, any polynomial P from Π 2 is defined as a mapping having two inputs such as (L, R) and one output P(L, R) in Z 2 n . [37]. The polynomial P(L,R) defined in Equation (11) over the ring Z 2 n is a Latin square if both functions P(L, C) and P(C, R) are permutations over Z 2 n , for any C ∈ Z 2 n .

Definition 3 (Latin Square)
The following theorem determines the main requirements on P(L, R) = aL + bR to become a Latin square over Z 2 n .
holds true for every L and R.
The following theorem determines the main requirements on a Latin square P(L, R) = aL ± ⊕ bR to reach such self-inverse mapping in two variables (L, R) with respect to L over Z 2 n .
Theorem 3. Let n > 1 and P(L, R) = aL ± ⊕ bR be a Latin square with a, b odd coefficients over Z 2 n . P is a self-inverse mapping with respect to L if a = 1 · · · 1 n = 2 n − 1.
Applying mod 2 n results with P(P(L, R), R) mod 2 n = L Let Π i denote special classes of self-inverse mappings with respect to L from Π 2 ; for i = 1, 2, 3, as follows:  Corollary 5. For n > 3, the cardinality of the class of all possible ζ over Z 2 n is |Π i | = 2 n−1 ; for i = 1, 2, 3.
It can also simply proven that the π i mappings are involutions for any R, as shown in Figure 10. Throughout the following sections, the focus lies on the class of mapping π 1 (L) = aL + bR. The other cases of "⊕" and "-" can be similarly investigated.
Therefore, |Π | = | |. | | = 1.2 = 2 . □ It can also simply proven that the mappings are involutions for any R, as shown in Figure  10. Throughout the following sections, the focus lies on the class of mapping ( ) = + . The other cases of "⨁" and "-" can be similarly investigated.  In a further round construction, when replacing the XOR operation in a Luby-Rackoff cipher with P(L, R) = aL + bR results in a new mapping defined as follows: It can be simply proven that ζ ( f )(L, R) is also an involution for any (L, R). Figure 11 shows the core mapping ζ of the new proposed Feistel-like cipher. The statistical properties of the multiplication and addition ensure that all the input bits will be affected (diffusion). Moreover, this construction is low-cost, since the SmartFusion ® 2 FPGA contains specific MACCs that are often readily available as unused components. Figure 12 illustrates a proposed Feistel-like extended cipher round structure η. The round's input data is 2n-bits, which splits into two branches of n-bits (L: left and R: right). Then, ζ-involution is applied on both branches (L, R), where the inner function f is applied only on R.
Then, the round structure includes two mappings, namely: ζ involution followed by a swap involution mapping. The t-rounds of the proposed ciphers are using the same two involutions in each round with different b parameters, which can be seen as round keys.
Note that the total number σ of all possible constructible ciphers as an SUC class as Feistel-like ciphers η having t rounds depends generally on the total number µ of all possible inner functions f, where µ = 2 n2 n . σ = max µ {(2 n−1 ) t µ} = (2 n−1 ) t 2 n2 n = 2 t(n−1)+n2 n The main advantage of the described "involutive" cipher structure is that the same function can be used for both encryption and decryption operations, differing only in using the keys in a reverse order.
It can be simply proven that ( )( , ) is also an involution for any (L, R). Figure 11 shows the core mapping of the new proposed Feistel-like cipher. The statistical properties of the multiplication and addition ensure that all the input bits will be affected (diffusion). Moreover, this construction is low-cost, since the SmartFusion®2 FPGA contains specific MACCs that are often readily available as unused components.   construction is low-cost, since the SmartFusion®2 FPGA contains specific MACCs that are often readily available as unused components.

Distinguishing Attack on the Proposed Feistel-Like Cipher
Let B 2n (F 2n ) denote a set of all possible permutations (functions) from {0, 1} 2n to {0, 1} 2n , where the cardinality of B 2n (F 2n ) is |B 2n | = 2 2n ! (|F 2n | = 2 n2 n ), respectively. Furthermore, let f U ← F randomly choose the function f from F according to a probability uniform distribution U over F where F is the set of all possible functions from {0, 1} n to {0, 1} n .
The proposed Feistel-like cipher η is defined as a permutation of B 2n on a pair (L i , R i ) from {0, 1} n × {0, 1} n where i = 1, 2, . . . q. The evaluation of the distinguishing attack on the proposed Feistel-like cipher is carried out by deploying the core mapping ζ as a mapping in different ciphering configurations. These structures can be developed based on distinguishing attack scenarios. The generic attacks [38] on one, two, and three identical rounds of the proposed Feistel-like cipher η is explained in "Appendix A". The results show that none of the η( f ), η( f , f ), and η( f , f , f ) are PRPs (Pseudorandom Permutations).
To design a PRP cascade from a single PRF, it is required to have at least three different rounds of η using a single PRF f U ← F with different parameters in the π mapping to attain a structure that is indistinguishable from a truly random permutation. The new structure of a Feistel-like cipher η( f , f , f ) should consequently include at least three subsequent different π mappings as follows: where f U ← F , and b j b k b l , which are acting as different round keys. Now, let η t ( f ) denote η( f , · · · , f t ) with t different odd values of b i ; i = 1, · · · , 2 n−1 . In this case, to prove that η 3 ( f ) is a PRP, a distinguishing experiment should be applied on η 3 ( f ). To attain that goal the following two Lemmas need to be valid for η 3 ( f ): where f U ← F and P G defined as: Proof. (See "Appendix B").

Lemma 7.
(PRF Switching Lemma [39]): For a distinguishing experiment, let E be a block cipher defined over (K, X), where, |X| = 2 2n . Consider an adversary (distinguisher) Ψ that makes at most q queries to its challenger. Then,

Distinguishing Experiment η 3 (f):
Step 1: For the proposed Feistel-like cipher η 3 ( f ) defined over (K, X), where |X| = 2 2n . Consider an adversary (distinguisher) Ψ that interacts with a challenger acting as follows: • The challenger randomly chooses one bit b Step 2: The adversary Ψ submits to a challenger a polynomial number of queries (q) such as (L i , R i ), where i = 1, · · · , q.
Step 3: The adversary terminates the experiment by returning b . According to Lemma 6, the advantage of Ψ to distinguish between η 3 ( f ) and a random function is: Adv Now, the PRF Switching Lemma [39] (Lemma 7) stated that, So that, Adv The last result in Equation (22) concerning the proposed Feistel-Like ciphers shows that it attains the same security bound as that of the Luby-Rackoff cipher.

New π i -Mappings Hardware Structure and Its Complexity
In this section, the π i mappings are modeled and implemented in Microsemi Smart-Fusion ® 2 FPGA technology.
The hardware complexity of each implemented π i mapping was evaluated based on the number of consumed MACCs, LUTs (Look Up Tables), and DFFs (Delay Flip Flop), where the hardware realization of these mappings is fundamentally implemented based on using a wide multiplier of size larger than 18 × 18. Here, a wide multiplier is efficiently implemented by using a cascade of many MACCs [26]. The chosen FPGA from the Microsemi FPGAs family is a Smart-Fusion ® 2 M2S025, which contains 27,696 LUTs, 27,696 DFFs, and 34 MACCs. Figure 13 illustrates the resource utilization for π 1 mapping with an input size of n = 17 and 18 bits. The consumed resources of π 1 mapping with n = 17 bits are two MACCs and 17 LUTs. Here, a wide multiplier is efficiently implemented by using a cascade of many MAACs [26]. The chosen FPGA from the Microsemi FPGAs family is a Smart-Fusion ® 2 M2S025, which contains 27,696 LUTs, 27,696 DFFs, and 34 MAACs. Figure 13 illustrates the resource utilization for π1 mapping with an input size of n = 17 and 18 bits. The consumed resources of π1 mapping with n = 17 bits are two MAACs and 17 LUTs.
For n = 32 and 34 bits as input size, two wide multipliers were deployed. In this case, each wide multiplier is realized as a cascade of four MAACs. Figure 14 shows the required number of MAACs to build two wide multipliers consuming 32 LUTs for n = 32, and 34 LUTs for n = 34. For n = 32 and 34 bits as input size, two wide multipliers were deployed. In this case, each wide multiplier is realized as a cascade of four MACCs. Figure 14 shows the required number of MACCs to build two wide multipliers consuming 32 LUTs for n = 32, and 34 LUTs for n = 34. Figure 15 shows the required number of MACCs to implement π 2 and π 3 mappings with the input sizes of n = 17, 18, 32, and 34.
Note that two MACCs are required when n = 17 or 18, and two wide multipliers are implemented as a cascade of MACCs for n = 32 or 34.

Possible Feistel-Like Inner Function Design
The need for a simple low-cost implementation of the inner functions of the proposed cipher ( ) led to deploy a huge class of cryptographically significant mappings. In this section, the necessary design strategy for the inner function with good cryptographic properties is presented.

Golden 4-Bit S-Boxes as Basic Building Elements for the Mapping of f
In [40], Saarinen showed that only four classes of S-Boxes (4-bit to 4-bit mapping) can affinely transform the resistance properties against linear cryptanalysis (LC) and differential cryptanalysis (DC) to all S-Box classes. These optimal 4-bit S-Boxes are called golden S-Boxes (GS). Moreover, a new equivalence relation is defined based on two bit permutation matrices , , two values , ∈ , and two XOR operations as follows, where is a GS for = 0,1,2,3 (see Table 1) and ∈ . The cardinality of the class of all possible such GSs is then, Figure 15. FPGA implementation of π 2 and π 3 mappings for input sizes n = 17, 18, 32, and 34 bits.

Possible Feistel-Like Inner Function Design
The need for a simple low-cost implementation of the inner functions f of the proposed cipher η t ( f ) led to deploy a huge class of cryptographically significant f mappings. In this section, the necessary design strategy for the inner function f with good cryptographic properties is presented.

Golden 4-Bit S-Boxes as Basic Building Elements for the Mapping of f
In [40], Saarinen showed that only four classes of S-Boxes (4-bit to 4-bit mapping) can affinely transform the resistance properties against linear cryptanalysis (LC) and differential cryptanalysis (DC) to all S-Box classes. These optimal 4-bit S-Boxes are called golden S-Boxes (GS). Moreover, a new equivalence relation is defined based on two bit permutation matrices P i , P j , two values a, b ∈ F 4 2 , and two XOR operations as follows, where GS j is a GS for k = 0, 1, 2, 3 (see Table 1) and x ∈ F 4 2 . Table 1 shows the four GS seeds that satisfy the ideal properties for all class members [40]. Table 1. Four golden S-Boxes (GS) seeds for S-Box generators [40]. DC: differential cryptanalysis, LC: linear cryptanalysis. ε: linear probability bias, p: differential characteristics probability.
The cardinality of the class of all possible such GSs is then, where 4 is the number of GS seeds, GS j , (2 4 ) 2 is the number of all possible a, b parameter choices a, b ∈ F 4 2 , and (4!) 2 is the number of all possible bit permutation matrices P i , P j . Figure 16 shows possible hardware mapping blocks for the GS generator according to Equation (23). The resulting generated S-Boxes exhibit equivalent cryptographic security performance.  Implementation according to (23)

Bricklayer Function as a Possible Inner Function f
One of the simplest architectures of the inner function of the proposed Feistel-like cipher can be considered as a bricklayer function [41]. Here, the proposed bricklayer function can be seen as a Boolean function that is composed of parallel components or GSs of smaller inputs [41]. As the currently known GSs have an input/output size of 4 x 4 bits, only 32 bits are used for the inner function, since the maximum size of 34 is not divisible by 4. To make use of the full 34 bits, a further design adaptation is required. This is the objective of future research. In this case, the proposed bricklayer function is simply constructed as shown in Figure 17 and mathematically defined as: where = ( , ⋯ , ) and ∈ {0,1} : for every > 0.

How Can the SUC-Creating GENIE Work?
The SUC creation process is performed by a GENIE program that will run in an enrollment process for each device. Assume that the GENIE would realize a Feistel-like cipher with a bricklayer function as an inner function delineated in Figure 17, where the input data size is 2n = 64. The GENIE may randomly create the proposed cipher as follows: • The GS generator according to Equation (23) requires 128 storage bits for each GS seed and 16

Bricklayer Function as a Possible Inner Function f
One of the simplest architectures of the inner function of the proposed Feistel-like cipher can be considered as a bricklayer function [41]. Here, the proposed bricklayer function can be seen as a Boolean function that is composed of parallel components or GSs of smaller inputs [41]. As the currently known GSs have an input/output size of 4 × 4 bits, only 32 bits are used for the inner function, since the maximum size of 34 is not divisible by 4. To make use of the full 34 bits, a further design adaptation is required. This is the objective of future research. In this case, the proposed bricklayer function is simply constructed as shown in Figure 17 and mathematically defined as: where x = (x 1 , · · · , x 8 ) and x i ∈ {0, 1} 4 : for every i > 0.

GENIE complexity:
A total of 496 + 160 = 656 TRNG bits and 896 memory storage bits in addition to about 18 instruction cycles are needed to create a single cipher choice. Notice that the total number σ of all possible SUCs of the proposed Feistel-like ciphers η with 16-rounds is

A Possible Prototype Hardware Implementation
To implement one of the possible compact versions of the proposed cipher with an input size of 2n = 64 bits, the architecture of Figure 18 is proposed as a recursive round-based implementation [42].

How Can the SUC-Creating GENIE Work?
The SUC creation process is performed by a GENIE program that will run in an enrollment process for each device. Assume that the GENIE would realize a Feistel-like cipher with a bricklayer function as an inner function delineated in Figure 17, where the input data size is 2n = 64.
The GENIE may randomly create the proposed cipher as follows: • The GS generator according to Equation (23) requires 128 storage bits for each GS seed and 16 storage bits for each possible bit permutation matrix. Therefore, the GS generator requires a total of 4 × 128 + 24 × 16 = 896 storage bits for the four GS seeds and 24 possible bit permutation matrices.

•
The GENIE generates randomly eight GSs for f by randomly selecting all the parameters of Equation (23) through the TRNG output bit stream. Note that according to Equation (23), the GENIE consumes 20 × 8 GSs = 160 TRNG bits to create all eight GSs where each generated GS requires 20 bits, namely: 2 bits for selecting one GS seed out of four GS seeds, 2 × 4 = 8 bits for selecting the parameters a, b ∈ F 4 2 , and 2 × 5 = 10 bits for selecting the two permutation matrices P i , P j out of all 24 permutation matrices.

•
The GENIE consumes additionally 31 × 16 rounds = 496 TRNG bits for all 16 round keys to be stored in 31 LUTs. A round key is the 31-bits b i parameter in the mapping aL + b i R; in each round i for i = 1 . . . ,16.

•
When the GENIE completes the cipher creation, the GENIE deletes itself fully and irreversibly.
Overall GENIE complexity: A total of 496 + 160 = 656 TRNG bits and 896 memory storage bits in addition to about 18 instruction cycles are needed to create a single cipher choice. Notice that the total number σ of all possible SUCs of the proposed Feistel-like ciphers η with 16-rounds is

A Possible Prototype Hardware Implementation
To implement one of the possible compact versions of the proposed cipher with an input size of 2n = 64 bits, the architecture of Figure 18 is proposed as a recursive round-based implementation [42].

A Possible Prototype Hardware Implementation
To implement one of the possible compact versions of the proposed cipher with an input size of 2n = 64 bits, the architecture of Figure 18 is proposed as a recursive round-based implementation [42].  The aim of the designed structure is to iterate one cipher round η(f ), where a state machine is deployed to run the 16 cipher rounds using a state register of 64 bits and a 64-bit multiplexer, in which each cipher round is executed in one clock cycle.
Furthermore, a new technique of key scheduling was presented in [13] storing the 16 round keys in 31 LUTs, as shown in Figure 18. The keys are arbitrarily and randomly chosen by the GENIE. Table 2 shows the resulting hardware complexity of the sample proposed SUC implementation in a SmartFusion ® 2 SoC FPGA. Further, more optimized implementations are under investigation. The implementation is aiming to evaluate the hardware complexity. A real implementation procedure is currently not possible, as Microsemi does not allow self-reconfiguration in its current devices. This is expected in future device generations.

Security Analysis and Evaluation
In this section, modeling attacks on the proposed SUC are discussed and the security level of the proposed SUC is evaluated by using the cryptanalysis of a cipher with secret components. Then, a quantum exhaustive search for SUC-Model is presented.

Modeling Attacks on SUC
In modeling attacks, the adversary tries to construct an ML algorithm that behaves indistinguishably from the original function (such as PUF) on almost all CRPs [5]. According to Section 5.2, the proposed SUC is a secure PRF. This implies that the output of the SUC is statistically independent of (x 1 , SUC(x 1 )), . . . , (x q , SUC(x q )) and uncorrelated with any learner. Therefore, there is no ML algorithm that can build a predictive model for such SUCs.

Cryptanalysis of a Cipher with Secret Components
For more practical analysis, we identify an SUC from σ = 2 649 different SUCs in Equation (26), where the cipher input size is 2n = 64 bits. Thus, the successful prediction of the adversary is possible with a probability, 1 In [43], an attack on a block cipher with secret components analyzes only the known plaintext-ciphertext pairs attack to recover the secret cipher components one by one. According to this attack scenario and assuming that the adversary tries to attack one SUC as a Feistel-like cipher, the worst-case scenario is when only GSs are unknown components ignoring the round keys, as they may be reachable. It is also assumed that the adversary knows the parameters of the SUC without being able to access the round's inputs and outputs.
The adversary starts by gathering selected T pairs of plaintexts of the form [43], where L i ∈ F 32 2 , and r j ∈ F 28 2 ; for 0≤ i, j ≤ T. After that, the adversary finds all pairs {x,y} from P L,r such that: where 0 k denotes the bit block of k zeros. Then, the adversary determines the counter set C({x,y}) based on the corresponding ciphertext differences of all L i , r j as follows, where e ∈ F 4 2 . In order to recover only one GS, the adversary uses C({x,y}) to count how often only one active GS is involved in the ciphertext difference, if the following is met, Let D e be the set of all {x,y} pairs that hold Equation (31). According to [43], if the hamming weight hw(e) = 1, then finding four sets of form D e is enough to determine uniquely the targeted GS. Finding three sets of form D e determines eight possible S-Boxes as candidates, etc.
To evaluate this attack, the minimum number of active GSs in any differential trials through all 16 rounds is required to be found, where a differential trail is a sequence of the input and output differences in each round. This leads to following definition: Definition 5. In DC, an S-box is active in a differential trail if and only if its input difference is non-zero [44].
An exhaustive search was performed for a sample of 20,000 different ciphers using the following properties: • The right left subblock is R = 0 and the left subblock is L = (L 1 , L 2 , L 3 , L 4 , L 5 , L 6 , L 7 , L 8 ), where L, R ∈ Z 2 32 and L j ∈ Z 2 4 for j = 1, . . . ,8.

•
Let ∆L 1 = ∆x denote all possible differences, for all x ∈ Z 2 4 . Then, the input difference of a generated f is ∆L = (∆x 0 28 ) .

•
If the input difference of a GS i is non-zero, then the output difference will be non-zero.

•
Applying ζ mapping on any zero-differential values will produce a zero-differential value.

•
Applying ζ-mapping on any non-zero-differential values will produce either a non-zero-differential value or a zero-differential value if it is a multiple of 2 4 . Figure 19 illustrates an experimental security analysis on 20,000 randomly selected different ciphers from the proposed class to figure out the minimum number of differentially active GSs. It was found that after four rounds and for all 20,000 ciphers, at least 12 to 18 GSs (out of 32) were differentially active (shown as colored circles). After increasing the number of rounds, the active GSs increased proportionally. The ciphers having only 12 active GSs after four rounds mostly stayed in the bottom in their number of active boxes (marked as bold blue circles) but never diverted far away from the remaining sample ciphers. After 10 rounds, at least 48 GSs (out of 80) were active. The security analysis in made based on the worst case active GSs.

• Let
= denote all possible differences, for all ∈ ℤ . Then, the input difference of a generated f is = ( ||0 ).
• If the input difference of a GSi is non-zero, then the output difference will be non-zero.
• Applying ζ mapping on any zero-differential values will produce a zero-differential value.
• Applying ζ-mapping on any non-zero-differential values will produce either a non-zero-differential value or a zero-differential value if it is a multiple of 2 4 . Figure 19 illustrates an experimental security analysis on 20,000 randomly selected different ciphers from the proposed class to figure out the minimum number of differentially active GSs. It was found that after four rounds and for all 20,000 ciphers, at least 12 to 18 GSs (out of 32) were differentially active (shown as colored circles). After increasing the number of rounds, the active GSs increased proportionally. The ciphers having only 12 active GSs after four rounds mostly stayed in the bottom in their number of active boxes (marked as bold blue circles) but never diverted far away from the remaining sample ciphers. After 10 rounds, at least 48 GSs (out of 80) were active. The security analysis in made based on the worst case active GSs.
Therefore, it can be concluded that the proposed SUC is sufficiently secure against any adversary who just analyzes the plaintext-ciphertext pairs.

Post-Quantum Exhaustive Search for SUC Model
In cryptography, Grover's algorithm is considered to be a special case of a more general search algorithm for quantum exhaustive searches [39]. For instance, Grover's algorithm finds k 0 from K in √ |K| steps by querying a given function φ : K → {0, 1} defined as: To identify an SUC from all generated Feistel-like ciphers by using Grover's algorithm, √ σ steps are required, which results practically with, √ σ ≈ 2 649 2 ≈ 2 325 steps.
As a consequence, the proposed Feistel-like ciphers are even secure for post-quantum attacks.

Discussion and Conclusions
Designing a Secret Unknown Cipher Generator together with large adequate cipher classes is a very challenge task. The resulting SUC hardware complexity should be as low as possible to allow flexible and fast production. On the other hand, very large cipher classes are required with acceptable security quality, which may increase the complexity of the created cipher structure and its creating GENIE. The paper proposes a trade-off in an FPGA environment by "reanimating" certain unused arithmetic units to come up with acceptable practical hardware complexity. The new designed cipher class is restricted in its building block resources as it is using only certain hard-core arithmetic units.
The resulting complexities of the proposed designs are quite promising, consuming less than 1% of the device resources in one of the smallest SoC FPGAs. The proposed created SUCs are supposed to serve as a digital PUF alternative to the analog traditional PUFs. Our proposal exhibits attractive properties and is efficiently usable in emerging future IoT applications.
Furthermore, the security levels of the resulting SUC class are scalable. The proposed SUC as a Feistel-like cipher has a high level of security proportional to the hardware complexity. Moreover, the cipher design is a modified version of a well-investigated Luby-Rackoff cipher structures, which have been exposed to intensive review in the public literature. We expect to attain the same security bounds of the Luby-Rackoff cipher classes. As the cipher design is equivalent to a PRF in its design, there is no ML algorithm that can attack such SUCs as in the traditional PUFs. Finally, the resulting SUC's security level can cope easily with post-quantum security requirements as well by minor scaling on their complexity.
In summary, a new hardware-oriented cipher design for SUCs optimized for practical real-world environment is introduced.
Most FPGA applications do not consume all of the FPGA resources in particular powerful and complex multiplier cores. The ultimate goal of the SUC design is to embed the SUC in the FPGA without cutting resources from the functional FPGA duties. The reason is that embedding SUCs and personalization is processed at the very late stage by the end manufacturer before releasing the products to the market. This allows the end manufacturer to attain the highest security, as all the subcontractors would have no influence on the security management. In other words, the end manufacturer can easily produce his different components outside his factory without having any fear that the subcontractor would be able to clone his products, as subcontractors are fully out of the security process. Any produced component cannot be used without the SUC approval of the end manufacturer. Then, cloning by pirate companies or subcontractors is prohibited and the original product's royalties are fully protected.

Zero-Cost Aspects:
The cipher design is deploying mainly hard-core (complex) multipliers as major building blocks, which may be available unused in modern system-on-chip (SoC) FPGA devices. The ultimate target of the cipher design is to allow "reanimating" spare unused multiplier cores to convert devices into clone-resistant units at possibly zero cost. Zero cost is assumed to be attained when embedding such an SUC module in a device does not consume any area cut from the usual application resources.
An ongoing research to devise many other new alternative implementations in future reconfigurable VLSI devices is in progress.

Conflicts of Interest:
The authors declare no conflict of interest.

Appendix A
The generic attacks on one, two, and three rounds of the proposed Feistel-like cipher follows the work of Patarin [38].
The one round Feistel-like cipher is described as: For one round: The adversary can just test if S i = R i for every i. This will happen with 100% probability after one query. Therefore, one round of the proposed Feistel-like cipher is not a PRP.
For two rounds: The proposed Feistel-like cipher η 2 ( f )(L i , R i ) can be described as: If b 1 = b 2 , the adversary chooses two pairs (L 1 , R 1 ) and (L 2 , R 2 ), where R 1 = R 2 and L 1 L 2 . Then, the adversary can just test if S 1 − S 2 = a(L 1 − L 2 ). This will happen with 100% probability after four queries. Therefore, the proposed Feistel-like cipher with two rounds is not a PRP.
Then, the adversary can just test if S 3 = aS 2 + S 1 for a = 1 · · · 1 n . This will happen with 100% probability after at most O 2 n+1 = O 2 n+1 + 2 n queries. Therefore, the proposed Feistel-like cipher with three identical rounds is not a PRP.

Appendix B
The proof of Theorem 6 follows the framework of Maurer [45].
Proof of Theoem 6. Assume without loss of generality that the q pairs (L i , R i ) are distinct. According to Equation (18), the outputs of the first, second, and third round are (R i , X i ), (X i , S i ), and (S i , T i ), respectively. Let A X be the event where {X i } q i=1 is distinct, and let A S be the event where are distinct. Now, if the event A X occurs, then the values S i = aR i + b k f (X i ) are random for i = 1, . . . q, where b k f (X i ) is a multiplication of two random values. On the other hand, f U ← F and b l U ← {0, 1} n−1 ; therefore, if the event A S occurs, then the values T i = aX i + b l f (S i ) are random for i = 1, . . . q. In this case, η 3 ( f ) behaves precisely similar to a randomly chosen function from F 2n , and the probability of distinguishing between η 3 ( f ) and a random function from F 2n is: where A X (A S ) in the complementary event of A X (A S ) occurring when ) are not distinct, respectively.
For i j, and according to the main assumption that the q pairs (L i , R i ) are distinct, Pr X i = X j , and Pr A S = q 2 1≤i< jq where q 2 is the number of choosing two equal values X i = X j S i = S j out of q from A X (A S ), respectively. On the other hand, the q pairs (L i , R i ) are distinct by the assumption, and Pr X i = X j and Pr S i = S j are computed as, Pr X i = X j = 2 −n ; R i R j 0; R i = R j , and Pr S i = S j = 2 −n ; X i X j 0; X i = X j .