CT PUF: Configurable Tristate PUF Against Machine Learning Attacks for IoT Security

Physical unclonable function (PUF) is a promising lightweight hardware security primitive for resource-limited Internet-of-Things (IoT) devices. Strong PUFs are suitable for lightweight device authentication because it can generate quantities of challenge-response pairs. Unfortunately, while the machine learning (ML) techniques have benefited various areas, such as Internet, industrial automation, robotics and gaming, they pose a severe threat to PUFs by easily modelling their behavior. This article first shows that even a recently reported dual-mode PUF can be cloned by ML (prediction accuracy of up to 95%). To solve this issue, we propose a configurable tristate (CT) PUF which can flexibly perform as an arbiter PUF, a ring oscillator (RO) PUF, or a bistable ring (BR) PUF with a bitwise XOR-based mechanism to obfuscate the relationship between the challenge and the response, hence resisting the ML attacks. An authentication protocol for the use in IoT security is presented. The CT PUF is implemented on Xilinx ZedBoard FPGAs with placement and routing details described. The experimental results show that the modelling accuracy of logistic regression (LR), support vector machine (SVM), covariance matrix adaptation evolutionary strategies (CMA-ES), and artificial neural network (ANN) is close to 60% (50% as the ideal number in theory) while meeting the PUF requirements for uniformity, reliability, and uniqueness. The hardware overhead and power consumption are slight. The entire project has been open sourced.