In this work, we present ioPUF+, which incorporates a novel Physical Unclonable Function (PUF) that generates unique fingerprints for Integrated Circuits (ICs) and the IoT nodes encompassing them. The proposed PUF generates device-specific responses by measuring the pull-up and pull-down resistor values on the I/O pins of the ICs, which naturally vary across chips due to manufacturing-induced process variations. Since these resistors are already integrated into the I/O structures of most ICs, ioPUF+ requires no custom circuitry and no new IC fabrication. This makes ioPUF+ suitable for cost-sensitive embedded systems built from Commercial Off-The-Shelf (COTS) components. Beyond introducing a new PUF, ioPUF+ includes a complete datapath for converting raw PUF responses into cryptographically usable secret keys using BCH error correction and SHA-256 hashing. Furthermore, ioPUF+ demonstrates a practical use case of PUF-derived secret keys in securing device-to-device communication using AES encryption. We implemented ioPUF+ on the Infineon PSoC-5 microcontroller and evaluated its performance across 30 devices using standard PUF metrics. The results show excellent reliability (intra-device Hamming distance of 100.00%), strong uniqueness (inter-device Hamming distance of 50.33%), near-ideal uniformity (50.54%), and negligible bit aliasing. Stability tests under temperature and supply-voltage variations show worst-case bit-error rates of only 2.63% and 2.10%, respectively. We also profiled the resource and energy usage of the complete ioPUF+ system, including the PUF primitive, BCH decoding, SHA-256 hashing, and AES encryption. The full implementation requires only 19.8 KB of Flash, exhibits a latency of 600 ms, and consumes 79 mW of power, demonstrating the suitability of ioPUF+ for resource-constrained IoT nodes.
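The response-to-key datapath described above can be sketched as follows. This is an added example, not code from the paper: it assumes a code-offset helper-data scheme, swaps a 7x repetition code in for BCH so that it runs with the standard library only, and uses a constructed 896-bit response.

```python
import hashlib
import random

REP = 7        # repetition factor (assumption): corrects up to 3 flips per 7-bit group
N_BITS = 896   # constructed response length: 128 groups of 7 bits

def encode(bits):
    """Repetition-encode: every bit is repeated REP times (stand-in for BCH)."""
    return [b for b in bits for _ in range(REP)]

def decode(bits):
    """Majority vote over each REP-bit group."""
    return [int(sum(bits[i:i + REP]) > REP // 2) for i in range(0, len(bits), REP)]

def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

def flip(bits, positions):
    """Return a copy of bits with the given positions inverted (models PUF noise)."""
    out = list(bits)
    for p in positions:
        out[p] ^= 1
    return out

def to_key(bits):
    """Pack the bit list into bytes and hash it with SHA-256 into a 256-bit key."""
    packed = bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))
    return hashlib.sha256(packed).digest()

def enroll(response, rng):
    """One-time enrollment: mask a random codeword with the response.
    Returns (helper data stored in the clear, key). Use a CSPRNG in practice."""
    codeword = encode([rng.getrandbits(1) for _ in range(len(response) // REP)])
    return xor(response, codeword), to_key(response)

def reconstruct(noisy, helper):
    """Field use: strip the offset, correct errors, recover the enrolled response."""
    codeword = encode(decode(xor(noisy, helper)))
    return to_key(xor(helper, codeword))

if __name__ == "__main__":
    rng = random.Random(1)  # fixed seed only to make the demo reproducible
    response = [rng.getrandbits(1) for _ in range(N_BITS)]
    helper, key = enroll(response, rng)
    # 24 of 896 flipped bits (about 2.7%), one per group: corrected, same key.
    print(reconstruct(flip(response, range(0, N_BITS, 38)), helper) == key)
    # 4 flips inside one 7-bit group exceed the code's capacity: different key.
    print(reconstruct(flip(response, [0, 1, 2, 3]), helper) == key)
```

The second case is the failure mode to budget for: the key is only reproducible while the per-block error count stays within the code's correction capability, so the code parameters have to be sized against the measured worst-case bit-error rate.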