Physical Unclonable Function Based Hardware
Security for Resource Constraint IoT Devices
Muhammed Kawser Ahmed∗ , Venkata P. Yanambaka† , Ahmed Abdelgawad, Kumar Yelamarthi
College of Science and Engineering, Central Michigan University, Mount Pleasant, MI, USA
Email: ∗ ahmed1mk@cmich.edu, † yanam1v@cmich.edu
Abstract—The competitive market of Internet of things(IoT)
technology pushes the manufacturing companies to limit the re-
source of IoT devices for low-cost production and open the doors
for cyber-attacks and malicious practices which is dangerous for
IoT security. Physical Unclonable Function (PUF) based security
keys can be used in this instance which exploit the manufacturing
variation to generate a unique, volatile and ubiquitous key. In this
paper instead of using memory-based PUF, like SRAM or DRAM,
a delay-based PUF (Ring Oscillator) was used to increase the
security of IoT security. This paper presents an implementation
of the physical unclonable function on the Field Programming
Gate Array (FPGA) platform. The generated responses from the
PUF instance implementation shows 100% reliability and 48.18%
uniqueness which are very close to the ideal value and more
suitable for securing resource constraint IoT devices. The time
needed to generate one single instance key was measured to be
44 msec which plays vital role in some IoT applications.
I. I NTRODUCTION
In recent years, the world has seen a significant revolution
in the advancement and improvement of existing technology
systems [1]. It has a created a chain of an ecosystem which has
combined the social, personal and professional lives. Named
as Internet of things(IoT) has put a great change in the
regular patterns of life. But unfortunately, this transfer of
huge digital data lacks the strong cryptographic authentication
system and provides a significant risk of attacks, clones, loss
and misuse [2]. General IoT devices are resource constraint
devices consisting of low processing and computational ability,
small power consumption and weak performances Physical
Unclonable Functions (PUF) has received considerable atten-
tion, to come up with recent cyber-threats. PUF is a Digital
Signature that creates a unique, volatile and ubiquitous key
exploiting the manufacturing process variation without the
presence of any physical storage like EEPROM.
IoT have achieved many research achievements in recent
years, but there are still some sectors in security that need
special attentions. The security issues of the IoT are main cat-
egorized in three different layers. Perception Layer, Network
layer and Application layer [3].
II. P HYSICAL U NCLONABLE F UNCTION
PUF has a unique black box presentation. Depending on the
challenge even if the same design is used on multiple different
PUF, the response will be changed due to process variation.
A set of Challenge Response Pairs (CRPs) can be denoted as
the secret of the PUF.
Oscillator
MUX
Counter
Oscillator
Comparator Output
>?
Oscillator
MUX
Counter
Oscillator
Fig. 1. Ring Oscillator PUF [6]
Emerging attacks on hardware security based on abstract
mathematical functions even though it used robust and solid
data encryption opens the necessity of PUF based security [4].
So far many successful designs are proposed mainly based
on silicon nanotechnology. Existing PUF designs are mainly
Arbiter PUF [5], Ring Oscillator [6], Xor PUF [7], SRAM
PUF [5], Random Access Memory PUF [7], and so on exploit
the intrinsic variance transistor dimension.
There are several metrics or parameters to evaluate the
PUF performance of [8]. Randomness, Bit Error Rate and
Uniqueness are the three most-used metrics among them. The
number of the challenge-response pairs(CRPs) that can be
generated from a single device is a parameter of the strength
of a strong PUF design. Weak PUFs are normally supporting
a relatively small number of CRPs.
Due to low computational power and hardware limitations,
point to point security establishment can be costly. PUF based
digital signature can be the best solution to this problem.
Compared to the other mathematical cryptographic algorithms
such as AES and hash functions including MD5 and SHA,
PUF need limited hardware sizes (digital gates) and cost. Once
the key is generated, the key can be distributed among the IP
network of IoT nodes. SRAM PUF shows poor performance
in the metrics of CRPs and can only generate only single
CRPs. For their reconfigurable nature, FPGA is very suitable
for the faster implementation of cryptographer and security
algorithms.
 9 TABLE II
Hamming Distance C OMPARISON OF P ERFORMANCE OF THE KEYS
8 Gaussian Distrubution

7
Parameters RO PUF [6] SRAM [8] Arbiter PUF [7] This Paper
6 Randomness 46% 49.65% 30% 46.62%
Uniqueness 47.31% 50.1% 40% 48.18%
Reliability 92% 83% 88% 100%
Density

3 Each of the single keys has a length of 256 binary bits. Total
2
of 256 keys was extracted from the FPGA when the length
of each challenge input was 2 bytes. It takes 44 msec for
1 generating a single key from the board. Randomness, which
0 evaluates the probability of generating either ’1’ or ’0’ in the
30 35 40 45 50 55 60 65 response bits from one single PUF device was found 46.62%
Hamming Distance
in the PUF structure. Probability is 50% to obtain ’1’ or ’0’ for
Fig. 2. Hamming Distance of PUF the ideal no bias case. Reliability for the instance was found
100%.
TABLE I Table II compares the performance metrics between differ-
C HARACTERIZATIONS OF THE R ING O SCILLATOR PUF ent PUF instance. Better performance is shown in terms of
reliability and uniqueness.
Parameters Values
FPGA Cyclone 5 Intel Chip IV. C ONCLUSION AND F UTURE R ESEARCH
Edge Device Raspberry Pi 4 This paper presents the implementation of PUF on an FPGA
No of Oscillators 512
Communication Protocol Serial Communication for use in IoT environments. The reconfigurable ring oscillator
Baud Rate 9600 PUF design was used to ensure strong cryptographic security
No of Keys Generated 256 and intended to generate multiple challenge-response pairs
Length of a single generated Key 256 bits
Length of a single Challenge Input 2 bytes (CRPs). One advantage of this implementation is that PUF
Time to Generate one single key 44 m sec key is not stored in any memory or server. This protects
Randomness 46.62% against non-invasive hardware attacks on EEPROM. As a part
Uniqueness 48.18%
Reliability 100% of future work, a new security protocol will be designed for
the IoT with the PUF.
R EFERENCES
III. E XPERIMENTAL R ESULTS [1] A. I. Naimi and D. J. Westreich, “Big Data: A Revolution That
Will Transform How We Live, Work, and Think,” American Journal
The enhanced reconfigurable Ring Oscillator design was of Epidemiology, vol. 179, no. 9, pp. 1143–1144, 04 2014. [Online].
used, which is more stable than traditional Ring PUF and Available: https://doi.org/10.1093/aje/kwu085
is capable of generating improved uniqueness and error-free [2] B. Bulgurcu, H. Cavusoglu, and I. Benbasat, “Information security
policy compliance: An empirical study of rationality-based beliefs and
outputs over varying environmental conditions. In figure 1, it information security awareness,” MIS Quarterly, vol. 34, pp. 523–548,
is shown that one 2:1 multiplexer is used for 2 oscillators with 09 2010.
two 1 byte challenge-response pair. The design can generate [3] M. Jabraeil Jamali, B. Bahrami, A. Heidari, P. Allahverdizadeh, and
F. Norouzi, Iot security. Springer, 01 2020, p. 33.
256 keys (1 key = 256 bit) for authentication. In figure 2, [4] B. Arslan, M. Ulker, S. Akleylek, and S. Sagiroglu, “A study on the use
hamming distance between the keys are calculated. The ideal of quantum computers, risk assessment and security problems,” in 2018
case for the hamming distance is to be 50%. The distance is 6th International Symposium on Digital Forensic and Security (ISDFS),,
03 2018, pp. 1–6.
close to the ideal values and can be used for the authentication [5] R. Maes and I. Verbauwhede, Towards hardware-intrinsic security. Foun-
of IoT devices. dations and practice. Springer, 10 2010, ch. Physically Unclonable
Functions: A Study on the State of the Art and Future Research Direc-
In table I, the overall characterizations of the PUF was tions, pp. 3–37.
given.The PUF code was implemented to the DE10 Stan- [6] A. Maiti and P. Schaumont, “Improved ring oscillator puf: An fpga-
dard Development Kit board. This project synthesizes and friendly secure primitive,” Journal of Cryptology, vol. 24, no. 2, pp.
375–397, Apr 2011. [Online]. Available: https://doi.org/10.1007/s00145-
implements using Quartus Prime 18.1. Since many of the IoT 010-9088-4
devices are connected with embedded systems, the generated [7] C. Herder, M. Yu, F. Koushanfar, and S. Devadas, “Physical unclonable
key was transferred from the FPGA to raspberry Pi for a single functions and applications: A tutorial,” Proceedings of the IEEE, vol. 102,
no. 8, pp. 1126–1141, Aug 2014.
instance to operate as a security key for future authentication. [8] R. S. A. M. D. D. S. Yu, Meng-Day (Mandel); Sowell, “Performance
The communication between FPGA and raspberry Pi UART metrics and empirical results of a puf cryptographic key generation asic,”
(universal asynchronous receiver and transmitter) uses 9600 Proceedings of the IEEE International Symposium on Hardware-Oriented
Security and Trust (HOST), p. 108–115, 2012.
baud rate.