ioPUF+: A PUF Based on I/O Pull-Up/Down Resistors for Secret Key Generation in IoT Nodes
In this work, we present ioPUF+, which incorporates a novel Physical Unclonable Function (PUF) that generates unique fingerprints for Integrated Circuits (ICs) and the IoT nodes encompassing them. The proposed PUF generates device-specific responses by measuring the pull-up and pull-down resistor values on the I/O pins of the ICs, which naturally vary across chips due to manufacturing-induced process variations. Since these resistors are already integrated into the I/O structures of most ICs, ioPUF+ requires no custom circuitry and no new IC fabrication. This makes ioPUF+ suitable for cost-sensitive embedded systems built from Commercial Off-The-Shelf (COTS) components. Beyond introducing a new PUF, ioPUF+ includes a complete datapath for converting raw PUF responses into cryptographically usable secret keys using BCH error correction and SHA-256 hashing. Furthermore, ioPUF+ demonstrates a practical use case of PUF-derived secret keys in securing device-to-device communication using AES encryption. We implemented ioPUF+ on the Infineon PSoC-5 microcontroller and evaluated its performance across 30 devices using standard PUF metrics. The results show excellent reliability (intra-device Hamming distance of 100.00%), strong uniqueness (inter-device Hamming distance of 50.33%), near-ideal uniformity (50.54%), and negligible bit aliasing. Stability tests under temperature and supply-voltage variations show worst-case bit-error rates of only 2.63% and 2.10%, respectively. We also profiled the resource and energy usage of the complete ioPUF+ system, including the PUF primitive, BCH decoding, SHA-256 hashing, and AES encryption. The full implementation requires only 19.8 KB of Flash, exhibits a latency of 600 ms, and consumes 79 mW of power, demonstrating the suitability of ioPUF+ for resource-constrained IoT nodes.
💡 Research Summary
The paper introduces ioPUF+, a novel Physical Unclonable Function (PUF) that leverages the inherent pull‑up and pull‑down resistors embedded in the I/O pins of standard integrated circuits to generate device‑specific fingerprints. Unlike many existing PUF designs that require custom analog circuitry, SRAM start‑up behavior, or specialized manufacturing steps, ioPUF+ exploits a feature that is already present in virtually all commercial microcontrollers and ASICs, making it a truly “no‑extra‑hardware” solution suitable for cost‑sensitive, resource‑constrained IoT nodes built from Commercial Off‑The‑Shelf (COTS) components.
The implementation on an Infineon PSoC‑5 platform proceeds as follows: each GPIO pin is programmatically switched among pull‑up, pull‑down, and high‑impedance states; the resulting logical level is read back as a binary value. Because the actual resistance values differ slightly from chip to chip due to process variations, the measured logic levels form a unique, reproducible bit string for each device. This raw response is then passed through a (127, 64) BCH error‑correction code, which can correct up to roughly 2 % bit errors. The authors demonstrate that under worst‑case temperature (‑10 °C to 85 °C) and supply‑voltage (2.7 V to 3.6 V) variations, the raw bit‑error rate never exceeds 2.63 % and 2.10 % respectively, well within the BCH decoder’s capability.
After error correction, the corrected bits are fed into a SHA‑256 hash function, yielding a 256‑bit cryptographic key. Hashing eliminates any residual bias, ensures uniform distribution, and provides the one‑way property required for secure key material. The derived key is then employed in an AES‑128 encryption scheme to protect device‑to‑device communication, illustrating a complete end‑to‑end security flow that does not rely on any external key‑distribution infrastructure.
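The error-correct-then-hash datapath described above, as an added example that is not code from the paper or from this page. It assumes a code-offset (helper data) construction, which the page does not specify, and uses a toy BCH(15,7) code in place of the (127, 64) code so the decoder fits in a few lines; all function names and sample values are constructed for illustration.

```python
import hashlib
import secrets
from itertools import combinations

N, K = 15, 7                      # toy BCH(15,7): corrects 2 bit errors per block
GEN = 0b111010001                 # generator x^8 + x^7 + x^6 + x^4 + 1

def poly_mod(value):
    """Remainder of a GF(2) polynomial (the bits of value) divided by GEN."""
    for shift in range(value.bit_length() - GEN.bit_length(), -1, -1):
        if (value >> (shift + N - K)) & 1:
            value ^= GEN << shift
    return value

def encode(message):
    """Systematic encoding: 7 message bits followed by 8 parity bits."""
    return (message << (N - K)) | poly_mod(message << (N - K))

# Syndrome -> error pattern, for every pattern of weight 0, 1 or 2.
SYNDROMES = {0: 0}
for weight in (1, 2):
    for bits in combinations(range(N), weight):
        error = sum(1 << b for b in bits)
        SYNDROMES[poly_mod(error)] = error

def decode(word):
    """Return the corrected codeword, or None if the syndrome is unknown."""
    error = SYNDROMES.get(poly_mod(word))
    return None if error is None else word ^ error

def derive_key(blocks):
    """SHA-256 over the concatenated 15-bit response blocks."""
    return hashlib.sha256(b"".join(b.to_bytes(2, "big") for b in blocks)).digest()

def enroll(response):
    """One-time enrollment: returns (public helper data, key)."""
    helper = [r ^ encode(secrets.randbelow(1 << K)) for r in response]
    return helper, derive_key(response)

def reconstruct(noisy, helper):
    """Field use: recover the enrolled response from a noisy re-read."""
    codewords = [decode(r ^ h) for r, h in zip(noisy, helper)]
    if None in codewords:
        return None               # more bit errors in a block than the code corrects
    return derive_key([c ^ h for c, h in zip(codewords, helper)])

if __name__ == "__main__":
    enrolled = [secrets.randbelow(1 << N) for _ in range(16)]   # constructed response
    helper, key = enroll(enrolled)
    print(reconstruct([r ^ 0b100000000000001 for r in enrolled], helper) == key)
```

The helper data can be stored in the clear, but it discloses up to N - K bits about each block, so a real design sizes the response so that enough entropy remains after that loss.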
The authors evaluated the PUF across 30 identical PSoC‑5 boards. Intra‑device Hamming distance (reliability) was measured at 100 %—the same chip reproduced exactly the same response every time. Inter‑device Hamming distance (uniqueness) averaged 50.33 %, essentially the ideal 50 % for a random binary string. Uniformity was 50.54 % and bit‑aliasing was negligible, confirming that the responses are both random‑looking and highly discriminative.
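How the four metrics quoted above are commonly computed, as an added example that is not the authors' evaluation code. It assumes the usual definitions (reliability taken as 100 % minus the mean intra-device Hamming distance), and the 8-bit responses are constructed sample data, not measurements from the paper.

```python
from itertools import combinations
from statistics import mean

def hd_percent(a, b):
    """Hamming distance between two equal-length bit strings, as % of length."""
    if len(a) != len(b):
        raise ValueError("responses must have equal length")
    return 100.0 * sum(x != y for x, y in zip(a, b)) / len(a)

def uniformity(responses):
    """Mean share of 1-bits within each device's response (ideal 50 %)."""
    return mean(100.0 * r.count("1") / len(r) for r in responses)

def uniqueness(responses):
    """Mean inter-device Hamming distance over all device pairs (ideal 50 %)."""
    return mean(hd_percent(a, b) for a, b in combinations(responses, 2))

def bit_aliasing(responses):
    """Per bit position, share of devices that read 1 (ideal 50 % each)."""
    return [100.0 * sum(r[i] == "1" for r in responses) / len(responses)
            for i in range(len(responses[0]))]

def reliability(reference, rereads):
    """100 % minus the mean intra-device distance to the enrolled reference."""
    return 100.0 - mean(hd_percent(reference, r) for r in rereads)

# Constructed 8-bit responses from four hypothetical devices.
DEVICES = ["10110010", "01101001", "11000110", "00011101"]
# Constructed re-reads of device 0: one clean, one with a single flipped bit.
REREADS = ["10110010", "10110011"]

if __name__ == "__main__":
    print(f"uniformity   {uniformity(DEVICES):.2f} %")
    print(f"uniqueness   {uniqueness(DEVICES):.2f} %")
    print(f"bit aliasing {bit_aliasing(DEVICES)}")
    print(f"reliability  {reliability(DEVICES[0], REREADS):.2f} %")
```

With only four short responses the uniqueness lands well away from 50 % even though uniformity and bit aliasing are ideal, which is why such metrics are reported over many devices and long responses.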
Resource usage was carefully profiled. The entire ioPUF+ stack—including raw PUF measurement, BCH decoding, SHA‑256 hashing, and AES encryption—occupies 19.8 KB of flash memory and about 5.2 KB of RAM. The total latency from initiating a PUF read to obtaining a ready‑to‑use AES key is roughly 600 ms, and the average power consumption during this process is 79 mW. These figures demonstrate that the solution fits comfortably within the tight energy and memory budgets of battery‑operated IoT devices.
In summary, ioPUF+ offers a practical, low‑cost, and low‑power method for generating cryptographically strong secret keys directly from existing hardware features. Its strong statistical properties, robust error correction, and complete key‑derivation pipeline make it an attractive candidate for large‑scale IoT deployments, smart‑city infrastructure, and industrial automation scenarios where traditional key‑management solutions are impractical. The work paves the way for broader adoption of PUF‑based security primitives without the need for custom silicon, thereby lowering barriers to secure IoT at the edge.