Algorithm 2 Multi-layered security model using PUF: Client is an existing User [2]

Objective: The seven layer cloud model consisting of FPGA clouds verifies the identity of a client FPGA ($U_A$) who is requesting access. The cloud model provides application access for the genuine client ($U_i$). Prerequisites: An n-bit input, 1-bit output XOR PUF $P_1$ is reconfigured in all layers of the $Cloud-FPGA$. There exists a PUF for every authenticated user. PUF $P_{ij}$ represents the identity of the user i in the cloud layer j. A combined mathematical model $M_i$ representing all the K PUFs in the cloud layers, resides with each user $U_i$. $Cloud-FPGA$ and user $U_i$ have agreed on a fixed encoding scheme $E\left(\right)$ and a decoding scheme $D(.)$, such that for any binary string $x,E(.)$ and $D(.)$ are injective, $X=E\left(x\right)$ and $D\left(X\right)=x$. $Cloud-FPGA$ and user $U_i$ have agreed on a shuffling scheme $Y=S(X,rand)$, and $S^{\prime }(Y,rand)=X$ where $rand$ is a random number. Input: S, $P_{CT}$, $D{B}_{FW}$, $D{B}_{META}$, $D{B}_{VAULT}$, $D{B}_{IPS}$, $D{B}_{ANTIMAL}$ Tenant session: S Contents of session packets:$P_{CT}$ Contents of FW: $D{B}_{FW}$ Contents of $TENAN{T}_{META}:D{B}_{META}$ Contents of $TENAN{T}_{VAULT}:D{B}_{VAULT}$ Contents of $IPS:D{B}_{IPS}$ Contents of $ANTIMALWARE:D{B}_{ANTIMAL}$ Note: $D{B}_j$ represents content $DB$ of layer j Output: A value in variable S to show that the application access is granted ($S=1$) or denied ($S=0$).

Steps: 1. Initialize $V=1$, $E=1$, $Flag=0$ 2. $U_B$ requests $U_A$, for an introduction to access application A 3. $U_A$ to $MP$: request introduction of $U_B$ to cloud layers $C_j$ 4. $MP$ to $U_A$: $MP$ sends a random number $rand$ and a set of challenges $C{H}_p$ consisting of q challenge bits each of length ‘n’. 5. $U_A$ calculates the following: $RA{m}_{p,j}=MA\left(C{H}_{p,j}\right)$, $p=1\dots q$, $j=1\dots K$ $RAm=\{RA{m}_{p,j}$, $1\le p\le q$, $1\le j\le K$ $C{A}_A$=$S\left(E\left(RAm\right),rand\right)$ 6. $U_A$ to $MP$: certificate $C{A}_A$ 7. foreach layer jdo (a) Initialize $Mem=0$, $Match=0$ (b) If ($E=1$) i. $MP:RA{m}_{p,j}=S^{\prime }\left(D\left(C{A}_A\right),rand\right)$ ii. $MP$ to $Cloud-C_j$: Set of challenges $C{H}_p$ and $RA{m}_{p,j}$ iii. $Cloud-C_i$ calculates the following $RA{f}_{p,j}=PA\left(C{H}_{p,j}\right),p=1\dots q,j=1\dots K$ $N_{Aj}=(1-\frac{{\sum }_{(p=1)}^q(R_{Amp}⨁R_{Afp}}{q})$ if$NAj\ge 0.99$$Mem=1$ iv. if ($P_{CT}$$\in D{B}_j$, |$D{B}_j\in \{D{B}_{FW},$$D{B}_{META},$$D{B}_{VAULT}\}$ AND $P_{CT}\notin D{B}_j$, |$D{B}_j\in \{D{B}_{IPS},$$D{B}_{ANTIMAL}$} ); $Match=1$ v. if ($Mem\&\&Match$), $E=1$; proceed to next higher layer vi. else Exit; set $E=0$, $Flag=0$ 8. if$V=1$; Verified introducing client (a) foreach layer jdo i $Cloud-FPGA$, $C_j$ initiates DPR and configures a new PUF $P_{B,j}$, PUF $P_{B,j}$ represents the identity of the $U_B$ in the cloud layer j ii $C_j$ to $MP$ PUF modeling parameters $para{m}_j$ (b) $MP$ generates a combined Mathematical model $M_B$ of all PUFs $P_{B,j}$ in the cloud layers (c) $MP$ generates obfuscated bitstreams of PUF mathematical model $M_B$ (d) $MP$ initiates remote dynamic partial reconfiguration of PUF $M_B$ in the dynamic partition of the $client-FPGA$$U_B$ (e) $Flag=1$ and exit; follow protocol-1. $U_B$ is same as any other existing client.