PUF-Based Dynamic Authentication
- PUF-based dynamic authentication is a security approach that exploits inherent, device-specific physical randomness to generate unpredictable, session-unique cryptographic responses.
- It employs an enrollment phase to register unique challenge–response pairs and utilizes dynamic key renewal to resist cloning, replay, and side-channel attacks.
- Practical implementations span IoT, FPGA, and quantum networks, emphasizing low overhead, robust error correction, and scalable, hardware-rooted security.
Physical Unclonable Function (PUF)-Based Dynamic Authentication
A Physical Unclonable Function (PUF)-Based Dynamic Authentication system utilizes the inherent, device-specific randomness of microelectronic devices as a cryptographically strong, hardware-rooted identity and derives dynamic responses for each authentication session. Unlike static key storage, PUF-based dynamic authentication provides resilience against invasive attacks, mathematical modeling, replay, cloning, and side-channel attacks by leveraging challenges that stimulate entropy sources to yield unpredictable, session-specific identifiers. Implementations vary from analog and digital memory PUFs (such as SRAM, DRAM, ReRAM) to noise-based and quantum-inspired primitives, and can address classical, IoT, and quantum networking use cases.
1. Foundational Principles and PUF Classes
The key principle of PUF-based dynamic authentication is the extraction of device-unique responses from physically unpredictable entropy sources under a defined challenge. The primary classes of PUFs include:
- Weak PUFs: Characterized by a limited set of challenge–response pairs (CRPs); the manufacturer could, in principle, clone the device ("Physical uncloneable function hardware keys utilizing Kirchhoff-law-Johnson-noise secure key exchange and noise-based logic" (Kish et al., 2013)).
- Strong PUFs: Provide an exponentially large set of CRPs, ideally unclonable even by the manufacturer.
- Ultra-Strong PUFs: Extend the strong model by dynamically renewing their entropy (i.e., key) with each authentication session using unconditionally secure processes.
PUFs are physically instantiated in a variety of substrates:
- Digital memory-based: SRAM (Chen et al., 2017, Kietzmann et al., 2023), DRAM (Najafi et al., 2023), ReRAM (Afghah et al., 2017).
- Delay-based: Arbiter, Ring Oscillator (Spenke et al., 2016, Wang et al., 2023).
- Noise-based: Johnson-noise and KLJN systems (Kish et al., 2013).
- RF/Analog: Process variation in RF front-ends interpreted as an analog PUF (Chatterjee et al., 2018, Chatterjee et al., 2018).
- Quantum: Manipulation of quantum unitaries or entangled states (Galetsky et al., 2022, Goswami et al., 15 Apr 2025, Konteli et al., 20 Oct 2025).
- Software-inspired/Machine Learning: Emulation via trained ML models mimicking PUF-like behavior (Hossain et al., 4 Aug 2025).
2. Enrollment, Challenge–Response, and Key Generation
Enrollment is a one-time process during which the device's entropy source is characterized, and reference CRPs (or cryptographically distilled keys) are securely stored or registered with a verifying authority. Depending on implementation:
- SRAM-PUFs: On device power-up, the contents of uninitialized SRAM cells are read as a bitstring. Due to environmental noise, error correction (fuzzy extractors, ECC, or hash-based verification) is often used to consistently regenerate the device key (Chen et al., 2017, Kietzmann et al., 2023).
- Key generation process is typically: extract raw bitstring , compute a helper string and secret key (e.g., , ), reconstruct using ECC at each authentication (Chen et al., 2017).
- KLJN Ultra-Strong PUFs: The authentication device and the verifier/lock perform a physical key exchange using Johnson noise of resistors (Kish et al., 2013). This yields a new, fresh key per communication session ( for spectral density), making the scheme non-clonable and forward-secure.
- Noise-Based Logic (NBL) PUFs: String verification via RTW-based hyperspace vector products further authenticates stored secrets, with error probability dropping exponentially with the number of exchanged bits () (Kish et al., 2013).
- DRAM/Entropy-Feature PUFs: EPUF extracts a bitmap from DRAM under modified timing parameters, computes the entropy of each row , producing robust, stable binary responses without needing ECC blocks (Najafi et al., 2023).
- ReRAM and Multi-State PUFs: Response generated as a multi-state fingerprint function of environment-induced physical variation , then corrected via ML-driven compensation (Afghah et al., 2017).
- Hybrid/Software PUFs: An ML model (linear regression or DNN) trained on PUF CRPs generates per-device fingerprints; synthetic dynamic keys are generated per session and authenticated over blockchain protocols (Hossain et al., 4 Aug 2025).
- Quantum and Entangled Systems: Authentication is achieved by encoding the PUF output or CRP bits into measurement bases for entangled quantum states, leveraging the indistinguishability and unforgeability properties of quantum measurement (e.g., reduced density matrices yielding maximal mixing; adversary’s success rate upper-bounded by for -bit response) (Galetsky et al., 2022, Goswami et al., 15 Apr 2025, Konteli et al., 20 Oct 2025).
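The helper-data flow in the SRAM-PUF items above (enroll once, reconstruct the key from a noisy readout at each authentication) can be shown with a code-offset fuzzy extractor. This is an added example, not code from the cited papers: a 7-fold repetition code stands in for the ECC (the table below cites polar codes for the real scheme), and the SRAM readout is a constructed random bitstring.

```python
import hashlib
import random
import secrets

REP = 7  # assumed repetition factor: one key bit is spread over 7 SRAM cells

def encode(bits):
    return [b for b in bits for _ in range(REP)]

def decode(bits):
    # Majority vote per group; corrects up to REP // 2 flipped cells per group.
    return [int(sum(bits[i:i + REP]) > REP // 2) for i in range(0, len(bits), REP)]

def kdf(seed_bits):
    return hashlib.sha256(bytes(seed_bits)).hexdigest()

def enroll(puf_bits):
    """One-time enrollment: return (public helper string, secret key)."""
    seed = [secrets.randbits(1) for _ in range(len(puf_bits) // REP)]
    helper = [c ^ r for c, r in zip(encode(seed), puf_bits)]  # code-offset
    return helper, kdf(seed)

def reconstruct(noisy_bits, helper):
    """Each authentication: fresh noisy readout + helper -> same key."""
    return kdf(decode([h ^ r for h, r in zip(helper, noisy_bits)]))

def flip(bits, positions):
    """Model power-up noise by inverting the cells at the given indices."""
    return [b ^ (i in positions) for i, b in enumerate(bits)]

def sample_readout(device_id, cells=128 * REP):
    """Constructed stand-in for an SRAM power-up state (not real silicon data)."""
    rng = random.Random(device_id)
    return [rng.getrandbits(1) for _ in range(cells)]

if __name__ == "__main__":
    reference = sample_readout(1)
    helper, key = enroll(reference)
    noisy = flip(reference, {0, 1, 2, 10, 500, 501, 895})
    print("tolerated noise :", reconstruct(noisy, helper) == key)
    print("too much noise  :", reconstruct(flip(reference, {0, 1, 2, 3}), helper) == key)
    print("other device    :", reconstruct(sample_readout(2), helper) == key)
```

Only the helper string is stored; the key exists solely while the device is powered and the readout is available. The helper hides the key only to the extent the PUF bits are unbiased, which is one reason deployed designs filter or debias cells and use stronger codes than repetition.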
3. Dynamic Authentication Workflows and Protocol Design
Dynamic PUF authentication protocols replace static keys or stored CRP lists with session-unique interactions, ensuring resilience to replay, modeling, and side-channel attacks:
- One-Time Pad Model: After a KLJN exchange, each key is used for a single challenge–response execution and then discarded (Kish et al., 2013).
- Challenge-Obfuscation and LFSR-APUFs: Linear Feedback Shift Registers in cascade with conventional APUFs obfuscate incoming challenges, dynamically scrambling the CH-RSP mapping for every session and applying a device-unique Cover function: (Wang et al., 2023).
- Reconfigurable PUFs: On FPGAs, dormant hardware regions are configured at authentication time, ensuring no CRP collection is possible prior to use (Spenke et al., 2016).
- OS-Level Integration: Boot-time code collects SRAM startup states as PUF fingerprints before software stack initialization, extracting seeds or keys used for dynamic device authentication (Kietzmann et al., 2023).
- IoT Protocols: Lightweight protocols on constrained devices use low-cost operations (XOR, hash), session-key updates via dynamic CRPs, and do not require direct Internet connectivity, improving scalability for BLE/Zigbee-class nodes (Gupta et al., 2023).
- Deep Learning Assisted Models: Raw (and possibly noisy) PUF outputs are transformed (e.g., into 2D images or latent codes), and device identity is verified by ML classifiers aware of the platform's noise characteristics, allowing for dynamic and group authentication via phenotype recognition (Fei et al., 6 Mar 2024, Mefgouda et al., 16 Oct 2024).
- Quantum-Networked Protocols: PUFs determine measurement basis or Bell state selection in distributed entangled authentication, with verification relying on quantum features such as local indistinguishability and exponential suppression of adversary success probability (Goswami et al., 15 Apr 2025, Konteli et al., 20 Oct 2025).
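A minimal session flow in the spirit of the lightweight XOR-and-hash protocols described above: the verifier holds a single CRP that is replaced after every successful session, so a captured message is useless in the next one. This is an added illustration, not the protocol of any cited paper; the message layout, the `Device`/`Verifier` names and the HMAC-based stand-in for an error-corrected PUF response are assumptions.

```python
import hashlib
import hmac
import secrets

def H(label, *fields):
    # Fields are fixed-length (32 bytes), so plain concatenation is unambiguous.
    return hashlib.sha256(label + b"".join(fields)).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class Device:
    """Simulated PUF device; the hidden HMAC key stands in for silicon variation."""
    def __init__(self):
        self._variation = secrets.token_bytes(32)

    def puf(self, challenge):
        return hmac.new(self._variation, challenge, hashlib.sha256).digest()

    def respond(self, challenge, nonce):
        r = self.puf(challenge)
        next_r = self.puf(H(b"next", challenge, nonce))  # response for next session
        masked = xor(next_r, H(b"mask", r, nonce))       # hide it under current R
        return masked, H(b"tag", r, nonce, next_r)

class Verifier:
    """Stores exactly one CRP per device and rolls it after each session."""
    def __init__(self, challenge, response):
        self.c, self.r = challenge, response

    def start(self):
        self.nonce = secrets.token_bytes(32)
        return self.c, self.nonce

    def finish(self, masked, tag):
        next_r = xor(masked, H(b"mask", self.r, self.nonce))
        if not hmac.compare_digest(tag, H(b"tag", self.r, self.nonce, next_r)):
            return None                                  # reject; state unchanged
        session_key = H(b"key", self.r, next_r, self.nonce)
        self.c, self.r = H(b"next", self.c, self.nonce), next_r
        return session_key
```

Enrollment here is `Verifier(c0, device.puf(c0))` over a trusted channel; afterwards the verifier never stores more than the current pair, so there is no CRP database to steal or replay from.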
4. Security Analysis and Threat Resistance
PUF-based dynamic authentication mechanisms offer defense-in-depth against both classical and advanced attacks:
- Non-Clonability and Forward Security: Session keys or responses are ephemeral, generated dynamically and never repeated, even on accidentally cloned or side-channel-extracted devices (Kish et al., 2013).
- Resistance to ML Attacks: Obfuscation schemes (LFSR pre-processing, remote reconfigurable PUFs, challenge selection avoidance) enlarge the effective CRP space or prevent input–output structure modeling, thwarting regression, SVM, and DNN attacks (Wang et al., 2023, Spenke et al., 2016, Mefgouda et al., 16 Oct 2024).
- Tamper Resistance and Side-Channel Mitigation: Flash memory integration for key storage, zero-standby power modes, and distributed and concealed PUF element placement (e.g., MeLPUF) increase physical tamper resistance (Kish et al., 2013, Vega et al., 2020).
- Quantum Security Enhancements: Local indistinguishability and maximal mixing (e.g., for Bell states), and single-shot exponential suppression of adversarial guessing probability, even when the hardware PUF is weak, are key for quantum protocols (Goswami et al., 15 Apr 2025).
- Blockchain Integration: Dynamic software fingerprints generated via ML-PUFs, when combined with consensus layer defenses (hash rate escalation, whitelisting, secure routing, Sybil countermeasures), ensure resilience to 51%, phishing, routing, and Sybil attacks within distributed ledgers (Hossain et al., 4 Aug 2025).
5. Practical Implementations, Resource Considerations, and Performance
Diverse instantiations illustrate the trade-offs between security, implementation complexity, and resource overhead:
| Scheme | Key Features and Overhead | Notable Metrics |
|---|---|---|
| KLJN Ultra-Strong PUF | Hardware noise, renewal per use, flash | Perfect secrecy, session refresh |
| LFSR-APUF | Obfuscated, dynamic, FPGA-implementable | 51.79% prediction rate (near random) |
| SRAM-PUF + Polar Codes | Helper data, ECC, error robust | failure prob. @ 15% BER |
| DRAM/EPUF | Bitmap entropy, no ECC, helper streams | 100% reliability, 47.79% uniqueness |
| RF-PUF | ML classifier, RF features, analog | false detect for 4800 nodes |
| MeLPUF | Logic-level, distributed, low overhead | 49.82% inter-HD, 2.57% intra-HD (FPGA) |
| OS-Level PUF/RIOT | Pre-boot SRAM fingerprint, fuzzy extractor | 256-bit secure seed in 14 ms (M3) |
| Quantum PUF/HEPUF | Entangled auth, local indistinguishability | adversary suppression |
| SoftPUF | ML fingerprint, blockchain, software-only | Linear regression, SHA-512 defense |
Systems are engineered for compatibility with ultra-constrained hardware (IoT, microcontrollers), FPGAs, and even emerging photonic quantum platforms. Common patterns include:
- Fast per-session authentication: e.g., $0.78$–$0.93$ ms per 700-bit DRAM PUF response (Najafi et al., 2023).
- Low hardware cost: MeLPUF and PUFBind show minimal FPGA resource consumption, enabling scalable deployment (Vega et al., 2020, Swaroopa et al., 14 Jan 2025).
- No or minimized CRP database: Remote-reconfigurable arbiter PUFs and deep learning authentication (LPUF-AuthNet, PhenoAuth) avoid static CRP storage (Spenke et al., 2016, Mefgouda et al., 16 Oct 2024).
- Resilient error correction: SRAM-PUF and memory-based approaches (using polar codes, helper data/entropy filtering) deliver sub- reconstruction failures (Chen et al., 2017, Kietzmann et al., 2023).
6. Domain-Specific Applications and Evolving Use Cases
PUF-based dynamic authentication is adopted and evolving across a spectrum of domains:
- IoT Security: Embedded at OS level (RIOT), or via hardware primitives (SRAM/DRAM/ReRAM) or lightweight ML frameworks, enabling low-power, low-memory, and batch-authentication protocols (Kietzmann et al., 2023, Gupta et al., 2023, Najafi et al., 2023, Hossain et al., 4 Aug 2025).
- FPGA/Embedded: Binding software to hardware (PUFBind) achieves runtime binary authentication with zero operational overhead (Swaroopa et al., 14 Jan 2025).
- Infrastructure Security: IED authentication in substations employs challenge-based bit comparison across analog signatures, thwarting hardware counterfeiting (Jadhav et al., 2023).
- Quantum Networking: Switching QKD links among arbitrary nodes with dynamic PUF-authenticated sessions combines scalability with information-theoretic security (Konteli et al., 20 Oct 2025, Goswami et al., 15 Apr 2025).
- Blockchain: Integration of ML-driven SoftPUF software-based keys for legacy device authentication, with decentralized consensus protocol defenses (Hossain et al., 4 Aug 2025).
- Group/Mutual Authentication: PhenoAuth and LPUF-AuthNet frameworks support group protocols and split learning, facilitating scalable, ML-resistant dynamic authentication (Fei et al., 6 Mar 2024, Mefgouda et al., 16 Oct 2024).
7. Future Trends and Open Research Questions
Key directions emerging in the field include:
- Integration with Quantum and Post-Quantum Cryptography: Quantum PUF paradigms and hybrid protocols leveraging local indistinguishability and tolerant entanglement are under active development for next-generation networks (Galetsky et al., 2022, Goswami et al., 15 Apr 2025).
- Extending to Software-Defined and Cloud Platforms: ML-based SoftPUF and dynamic deployment protocols open avenues for retrofitting authentication on legacy and cloud-integrated devices (Hossain et al., 4 Aug 2025).
- Strengthening ML Robustness: As attacks on PUF modeling become more sophisticated, greater emphasis is placed on protocol obfuscation, channel noise, and on-the-fly CRP transformation (Wang et al., 2023, Mefgouda et al., 16 Oct 2024).
- Resource Adaptation for 6G and Massive IoT: Lightweight, DNN-enabled, and split-trained authentication frameworks (e.g., LPUF-AuthNet) are key for scaling up to massive device populations under future 6G requirements (Mefgouda et al., 16 Oct 2024).
- Operational Resilience and Lifecycle Management: Addressing entropy degradation due to aging, environmental drift, and potential for denial-of-service via authentication overload is necessary for systems with long deployment lifetimes (Kietzmann et al., 2023, Afghah et al., 2017).
- Formal Security Metrics and Composability: Continued development of formal models (e.g., AVISPA validation, entropy quantification, explicit adversary bounds) is needed to establish composable guarantees for complex and blended threat environments (Gupta et al., 2023, Goswami et al., 15 Apr 2025).
In summary, PUF-based dynamic authentication encapsulates a diverse set of hardware and protocol mechanisms, offering a path towards resilient, hardware-rooted, and scalable authentication for evolving threats in traditional, IoT, and quantum-based networks.