A Unified Open-Set Framework for Scalable PUF-Based Authentication of Heterogeneous IoT Devices

TL;DR

This paper introduces a scalable, open-set PUF authentication framework for heterogeneous IoT devices using an OpenGAN classifier, achieving high accuracy and speed without device-specific protocols.

Contribution

It proposes a novel unified PUF authentication method that encodes diverse PUF responses into a common image format, enabling robust, fast, and scalable device verification.

Findings

Achieves 100% closed-set accuracy with up to 45 devices.

Near-zero open-set error rates in heterogeneous PUF data.

Authentication cycle completed in 0.67 seconds on Raspberry Pi.

Abstract

As modern cyber systems scale to include large populations of heterogeneous IoT devices, securing them against impersonation and forgery is a critical cybersecurity challenge. Physical Unclonable Functions (PUFs) offer a lightweight, hardware-rooted trust anchor for IoT security. However, different PUF architectures possess distinct challenge-response spaces and raw response reliabilities, making existing authentication protocols PUF-type specific. To bridge this interoperability bottleneck, this paper proposes a scalable, helper-data-free, open-set PUF authentication framework that leverages an OpenGAN-based classifier to manage heterogeneous fleets of IoT devices. Our method addresses the limitations of traditional database-centric and digital-twin modeling methods by encoding raw responses from diverse PUF types, including strong, weak and hybrid PUFs, into a unified image representation. This enables robust, single-pass classification and impostor rejection. We integrate the classifier into a generic protocol employing hybrid encryption and Bloom filter-based replay detection. Evaluated across four different types of noisy PUF data (Arbiter, SRAM, DRAM, and heterogeneous PUFs), our framework achieves 100% closed-set accuracy and near-zero open-set error rates with up to 45 devices, a significant improvement over the 3 to 5 devices in prior classification-based approaches. Prototyped on a Raspberry Pi, our framework completes one authentication cycle within 0.67 s, approximately 30x faster than the state-of-the-art open-set baselines.