Integrating Physical Unclonable Functions with Machine Learning for the Authentication of Edge Devices in IoT Networks

Abstract

Edge computing (EC) faces unique security threats due to its distributed architecture, resource-constrained devices, and diverse applications, making it vulnerable to data breaches, malware infiltration, and device compromise. The mitigation strategies against EC data security threats include encryption, secure authentication, regular updates, tamper-resistant hardware, and lightweight security protocols. Physical Unclonable Functions (PUFs) are digital fingerprints for device authentication that enhance interconnected devices’ security due to their cryptographic characteristics. PUFs produce output responses against challenge inputs based on the physical structure and intrinsic manufacturing variations of an integrated circuit (IC). These challenge-response pairs (CRPs) enable secure and reliable device authentication. Our work implements the Arbiter PUF (APUF) on Altera Cyclone IV FPGAs installed on the ALINX AX4010 board. The proposed APUF has achieved performance metrics of 49.28% uniqueness, 38.6% uniformity, and 89.19% reliability. The robustness of the proposed APUF against machine learning (ML)-based modeling attacks is tested using supervised Support Vector Machines (SVMs), logistic regression (LR), and an ensemble of gradient boosting (GB) models. These ML models were trained over more than 19K CRPs, achieving prediction accuracies of 61.1%, 63.5%, and 63%, respectively, thus cementing the resiliency of the device against modeling attacks. However, the proposed APUF exhibited its vulnerability to Multi-Layer Perceptron (MLP) and random forest (RF) modeling attacks, with 95.4% and 95.9% prediction accuracies, gaining successful authentication. APUFs are well-suited for device authentication due to their lightweight design and can produce a vast number of challenge-response pairs (CRPs), even in environments with limited resources. Our findings confirm that our approach effectively resists widely recognized attack methods to model PUFs.

1. Introduction

The Internet of Things (IoT) has facilitated the transformation of traditional computing devices into physical objects, integrating sensors and software that enable them to exchange meaningful data within their environments. In 2022, around 31 billion “things” were connected, and this is projected to reach 75 billion by 2025 [1,2,3]. The data processing should be carried out closer to the data source for mission-critical real-time applications [4]. A concept where data processing occurs at the network’s edge was proposed to address the limitations of cloud computing and is termed edge computing (EC) [5,6]. EC manages data closer to end users, thus improving response times, reducing latency, and delegating computational tasks to edge nodes [7]. Gartner predicted that 75% of the enterprise data will be processed at the edge instead of cloud-based servers by 2025 [8]. The limited computational, storage, and power capabilities of typical edge devices make them vulnerable to unauthorized access by adversaries and restrict the implementation of robust security measures. Although the hierarchical EC architecture improves data security by distributing it across multiple nodes, it also creates opportunities for hackers by exposing the communication links between edge devices and the cloud [9]. EC leverages various technologies to construct its network, creating opportunities for multiple types of attacks. Traditional data security and privacy techniques, originally designed for centralized computational and storage systems of cloud computing, might not meet the unique requirements of a distributed edge computing (EC) ecosystem  [10,11]. The synergy between EC and AI can result in immediate data processing and decision-making at the data source itself, further reducing delay and bandwidth requirements [12,13]. Artificial Intelligence (AI), machine learning (ML), data mining, and deep learning techniques are utilized for static and dynamic malware analysis, including anomaly detection. AI enhances the ability to detect, predict, and respond to threats effectively. ML, a subset of AI, is used to create and refine security models capable of understanding and adapting to new conditions [14,15]. An effective learning algorithm can leverage a trained model derived from labeled data to identify emerging security and privacy risks [16].

Traditional machine learning (ML) technologies rely on centralized cloud servers for model training, which raises concerns about data security and often faces resistance from data owners. Federated Learning (FL), an encrypted and distributed ML approach, enables multiple parties to collaborate on developing a model without exposing their raw data [17,18]. Blockchains offer solutions for FL-based intelligent edge computing (EC) as a ledger technology, leveraging its unique features such as decentralization, immutability, and traceability [19]. However, the distributed nature of blockchain may not be ideal for the EC paradigm. The massive volume of data increases the cost of managing blockchain nodes and storing data. Furthermore, large data volumes generate massive blocks, causing unacceptable verification and propagation delays in an EC environment. Additionally, duplicating IoT data across all nodes leads to inefficient use of storage resources [20]. Physical Unclonable Functions (PUFs) are cryptographic constructs that exploit the inherent physical variations in electronic devices to generate unique outputs. These outputs act as device-specific fingerprints for authentication, key generation, and other security applications [21]. PUFs can be integrated with edge devices, either as a stand-alone Application-Specific Integrated Circuit (ASIC), a subsection of a System-on-Chip (SoC), or within a Field-Programmable Gate Array (FPGA). Reconfigurable architectures, such as FPGAs, are the preferred choice for PUF implementation due to their flexibility, rapid development cycles, and optimal balance between high computational performance and energy efficiency [22,23,24]. Further ML with PUFs will improve data security in EC by enhancing device authentication, cryptographic key generation, and anomaly detection. ML optimizes PUF performance by improving noise immunity, adapting to available resources, increasing fault tolerance, enabling dynamic authentication, lightweight cryptographic solutions, and secure IoT device management [21,25,26].

This study introduces a unified authentication framework built around an Arbiter PUF (APUF) and its corresponding model to identify security threats. We further propose training the device-specific PUF model using ML algorithms and deploying these models across the edge nodes. A lightweight, dynamically configurable APUF, compatible with FPGA platforms, has been developed and features a minimal area requirement and strong reproducibility. The APUF was realized on an Altera Cyclone IV E FPGA (fabricated with 60 nm technology), exhibiting static power consumption ranging from 38 mW to 163 mW at 85 °C. The prediction accuracy of three commonly used machine learning models remained below 63%. The key contributions of this work are summarized as follows:

• Grasping the concept of PUFs and their performance metrics, supported by illustrative examples.
• The development of a basic Arbiter PUF, focusing on the placement and routing of the switch blocks and logic elements. The design is deployed on an ALINX 400 board from Alinx Electronic Limited, Shanghai, China, featuring an Altera Cyclone IV FPGA to assess its PUF performance metrics.
• The utilization of Arbiter PUFs in security protocols and the design of a structure that integrates an Arbiter PUF to resist ML attacks.

The rest of the paper is organized as follows: Section 2 introduces us to edge computing and the challenges associated with the proposed concept. Section 3 discusses the role of Edge AI in ensuring real-time decision-making capabilities in decentralized, resource-constrained environments. Section 4 details the implementation of the proposed APUF, which includes a discussion on the RTL design process, timing closure, critical paths, placement, and routing mapping, as well as some common application scenarios. Section 5 presents the experimental setup along with a comprehensive performance evaluation based on numerous metrics. Lastly, Section 6 concludes our discussion by emphasizing key opportunities and potential directions for future research.

2. Edge Computing

A decentralized approach is taken for EC implementation, thus processing data near its source and minimizing latency [27]. It can operate as a stand-alone computing platform or collaborate with other components, such as the cloud [28]. The fundamental architecture of EC is illustrated in Figure 1.

The EC architecture can be structured into three layers: front-end, near-end, and far-end. The front-end layer includes end devices such as sensors and actuators, which facilitate better interaction and improved responsiveness for end users. Gateways, responsible for managing most of the network traffic within an EC network, are placed in the near-end layer. This layer handles data computation and storage, making it a critical component of the architecture. In contrast, the far-end layer consists of cloud servers, which, while offering significant computational and data storage capabilities, are located farther from the end devices—resulting in much higher latency [29]. Tasks performed on the edge include computational offloading, data storage, caching, processing, request distribution, and delivering services from the cloud to users. Therefore, the edge data path must be designed to meet the requirements for reliability, security, and privacy [30]. Adversaries may attempt to compromise IoT devices or sensors to gain access to sensitive information, including financial details, bank card data, location information, and health records [31].

2.1. Security and Privacy Challenges

Data transactions between front-end sensing devices and EC nodes are based on numerous wired and wireless communication standards. Similarly, data transmission between EC nodes and the cloud takes place over either public or private networks. However, these communication channels often lack robust security measures, rendering them susceptible to security and privacy threats [31,32]. Key security concerns include authentication, access control, intrusion detection, and privacy [33]. Furthermore, the distributed nature of EC-enabled IoT networks broadens the attack surface, as each node, server, and communication channel presents potential opportunities for attackers to exploit vulnerabilities [34,35]. EC introduces unique attack surfaces due to its distributed architecture and proximity to data sources [36].

2.1.1. Data Security and Privacy Threats Classification

As an extension of cloud computing, EC inherits several security challenges commonly associated with cloud environments. In addition, EC faces a unique set of security and privacy risks, such as man-in-the-middle attacks, Distributed Denial of Service (DDoS) attacks, and various other forms of intrusion attempts [33]. Adversaries frequently target EC servers during three key stages: communication, computation, and storage [31,37]. Traditional cloud-based security approaches are often unsuitable for EC due to its limited resources. As a result, specialized security solutions are necessary to ensure the reliability and efficiency of IoT applications in EC environments [5]. The associated data security threats and challenges in EC are summarized in

Table 1. Classification of edge security threats.

Type of Threat	Description
Hardware or software malware	Software malware exploits vulnerabilities in the operating systems, applications, or network protocols of EC systems. In contrast, hardware malware intrudes at the physical or firmware level, leveraging vulnerabilities in the hardware or its microcode. Malware such as Trojans, worms, and viruses can cause privacy leakage, power depletion, and degraded system performance [38].
Physical tampering and attacks	Physical attacks attempt to gain unauthorized access to and manipulate IoT devices or EC infrastructure. Adversaries might alter hardware characteristics, extract sensitive information, or insert malicious components [39].
Routing information attacks	The routing of data packets in a network can be maliciously manipulated by redirecting or dropping packets [31]. Such attacks include routing loops, false error messages, blackhole attacks (diverting data to incorrect destinations), and grayhole attacks (selectively dropping packets), as well as wormhole attacks, hello flood attacks, and Sybil attacks, which introduce nodes with fake identities [40].
DDoS attacks	Edge servers can be overwhelmed by massive data volumes that exceed network capacity during DDoS attacks, thereby disrupting their responses to legitimate users and posing ransom threats to service providers [41].
Privacy leakage	Privacy threats are amplified when legitimate entities, including edge data centers, infrastructure providers, service providers, and end nodes, have access to user data. In an open IoT ecosystem operating across various trust domains, it becomes difficult to authenticate the trustworthiness of service providers [10].
Eavesdropping or sniffing	Adversaries covertly listen to users’ conversations and data transactions, gaining access to user data, passwords, and communication networks [31]. By eavesdropping, they effectively mask themselves within the system environment, making detection difficult [13].
Jamming attacks	Attackers deliberately flood the communication network with falsified data to deplete its communication, computing, and storage resources [31]. In a jamming attack, the network is disrupted and rendered inoperable by the continuous transmission of random data bits or the emission of radio frequency (RF) signals [42].
Integrity attacks against machine learning	Attackers can compromise the training of machine learning models by manipulating or injecting deceptive data into the training datasets. They may also exploit existing vulnerabilities without directly interfering with the training process [31].

.

2.1.2. Data Security Measures

Data security and privacy protection techniques require an integrated approach that combines advanced technologies, robust policies, and proactive strategies. A strong encryption mechanism is essential for establishing a protective barrier for data stored at edge nodes and during transmission. Enhanced access controls, multi-factor authentication mechanisms, and regular security assessments help mitigate data privacy and security risks arising from internal threats and potential data manipulation. Advanced anonymization techniques and differential privacy methods enable service providers to preserve client privacy while extracting meaningful insights from raw data. Comprehensive data governance frameworks ensure ethical data handling practices throughout the data lifecycle. Secure data transmission protocols and adherence to regulatory standards help ensure compliance with data protection laws. A brief overview of mitigation strategies against EC data security threats is presented below.

• Data anonymization and pseudonymization: Anonymization drops the personally identifiable information (PII) from datasets, thus preventing their association with individuals during data analysis [43]. In contrast, pseudonymization is the processing of personal data so that it cannot be linked to a specific individual without additional information [44].
• Encryption: Data encryption converts data into an unreadable format, accessible only through specific secret information, commonly referred to as a key [45]. Lightweight encryption is ideal for resource-constrained edge devices, while blockchain-based encryption secures decentralized edge networks through immutability.
• Secure data aggregation (SDA): SDA optimally compresses data, removes redundancy, and lowers power consumption [46]. In this technique, edge devices encrypt their own data using homomorphic encryption techniques before transmitting it to the EC nodes [40].
• Differential privacy (DP): The DP technique adds random noise to data, obscuring users’ sensitive information before it is shared on the network. Unlike traditional privacy protection methods, DP focuses on protecting individual data rather than the entire dataset [47].
• Federated Learning (FL): FL enables the training of deep learning models across multiple participants or computing nodes while keeping data security and privacy intact. It supports the collaborative training of ML and DL models by leveraging local data on edge devices and sending only the updated model parameters to a central cloud server [48].
• Access control and authentication: Edge devices frequently join and leave IoT networks dynamically, necessitating a connectivity framework that ensures security by authenticating the various devices within the network. Additionally, an access control mechanism should govern and monitor authorization to regulate access to network resources [49].
• Trusted execution environments (TEEs): TEEs provide a hardware-based secure sandbox to shield sensitive programs. A TEE establishes a secure and isolated region within edge devices through the application of both hardware and software techniques [50,51]. It typically includes key components such as secure bootstrapping, which ensures the system initializes in a trusted state; isolated execution, which safeguards data and computations; and secure input/output mechanisms, such as sealed storage for protecting data at rest. TEEs also support remote attestation, enabling a remote party to verify the integrity and trustworthiness of a communication peer within the TEE [52].
• Blockchains for decentralized security: Blockchain is a shared, decentralized, and distributed state machine in which a chain of blocks is linked through address pointers based on hash values [53]. A peer-to-peer model facilitates the storage and management of ledger data across multiple computers within the network. Integrating blockchain enables the distribution of computing and storage resources within the EC environment while also reducing the blockchain’s storage and computational load on performance-sensitive devices [54].
• Secure software and firmware updates: The use of software or firmware updates can help reduce potential threats posed by the malicious actions of cybercriminals [55]. IoT devices rely on Over-the-Air (OTA) updates throughout their lifecycle to address bugs and apply patches to their firmware. However, a device’s security can be compromised if the server-side firmware database is breached [56].
• Data minimization: This technique reduces the collection, processing, and storage of redundant data, thereby mitigating the risks of data breaches, unauthorized access, and misuse. This can be achieved through deduplication, which eliminates redundancy by retaining only a single copy of the data [57].
• Policy-based governance: Cultural beliefs, legal frameworks, and ethical practices collectively shape the concept of privacy. The General Data Protection Regulation (GDPR) in Europe and the California Consumer Privacy Act (CCPA) aim to protect privacy rights through effective data management [58].
• Edge-aware intrusion detection systems (IDSs): An IDS is a software- or hardware-based solution designed to detect malicious activities on data networks. IDSs can be categorized into two classes based on their detection approach: signature-based and anomaly-based techniques. A signature-based system compares monitored events against a database of known intrusion techniques, while an anomaly-based system learns the system’s normal behavior and flags any deviations [59].
• Secure multi-party computation (SMPC): It is a cryptographic method that enables collaborative computations among multiple participants [60]. The protocol ensures that no participant gains access to information beyond the final computational results, provided that at least some participants follow the protocol. It restricts access to inputs, intermediate computations, and metadata such as value frequency distributions [61]. Consequently, SMPC eliminates the need for a trusted third party, as all computations are carried out exclusively by the participants [62].
• Privacy-preserving AI models: AI-based applications enable real-time anomaly detection, allowing systems to identify and mitigate potential threats. Machine learning (ML) algorithms analyze network data patterns to predict vulnerabilities and implement countermeasures [63]. Edge AI deploys ML algorithms on end devices, enabling data processing at the network edge [64]. Integrating AI with edge computing (EC) also promotes context-aware processing and decision-making directly on edge devices [65].
• Audit and monitoring: The integrity of user data at the edge is crucial for network operations and often relies on a third-party auditing platform (TPA) [66]. Networks that implement stringent security policies should be audited using data that includes authentication and authorization attempts [40]. Security audit methodologies incorporate cyber risk management, cybersecurity assessments, compliance evaluations, penetration testing, intrusion simulations, and emulation simulations [67].
• Emerging trends: Quantum computing is an emerging technology that leverages quantum bits (qubits) instead of binary digits, enabling significantly faster computations than traditional computers. Quantum-Edge Cloud Computing (QECC) is an innovative approach that combines the computational power of quantum computing, the low-latency advantages of EC, and the scalability of cloud computing [68]. Another approach gaining traction is AI-powered EC, which deploys ML models for efficient, secure, and effective operations. Threat intelligence plays a crucial role in identifying, analyzing, and mitigating cybersecurity threats. Large datasets are analyzed on threat intelligence platforms powered by AI and ML to uncover patterns that can reveal cyber threats [69].

2.2. PUF-Based Authentication Mechanism

IoT systems utilize diverse sensing devices and physical nodes, making them vulnerable to counterfeiting and tampering. Therefore, robust security measures, like assigning unique identifiers to devices, implementing reliable mutual authentication, and ensuring encrypted data transmission between devices and the cloud, are essential [70]. Authentication is crucial for securing IoT networks by preventing unauthorized access to nodes and data. However, due to the limited storage, computational resources, and bandwidth of IoT nodes, it is challenging for the network to support extensive encryption technologies or implement sophisticated security mechanisms [71]. PUFs exploit inherent physical differences in devices to generate unique cryptographic keys for applications such as identification and authentication [72,73]. When an input called a “challenge” is applied to a PUF, it produces a corresponding output, or “response,” determined by each device’s unique and complex physical properties. This response cannot be reproduced, as it relies on uncontrollable physical variations introduced during the manufacturing process of edge devices [74].

As illustrated in Figure 2, the same challenge input presented to different PUFs produces unique responses. A collection of challenge inputs and their corresponding response outputs extracted from a PUF is called a challenge-response pair (CRP) set. The size of the CRP set categorizes PUFs as either strong or weak. A PUF with an exponentially large number of CRPs relative to the number of challenge bits is classified as a strong PUF, whereas weak PUFs have a more limited CRP set. Consequently, strong PUFs are suitable for complex cryptographic protocols, whereas weak PUFs are primarily used for key storage [75]. Weak PUFs, such as Ring Oscillators (ROs) and SRAM PUFs, are commonly utilized for key generation purposes. In contrast, strong PUFs include the Arbiter PUF (APUF) and its various enhancements, such as the XOR APUF, Feedback-Forward PUF (FFPUF), and Lightweight PUF (LPUF), which are used in device authentication [76].

2.2.1. Arbiter PUFs

An APUF is a delay-based PUF circuit that derives its output response bits from the time delay differences between two identical signal propagation paths. A race condition is created by simultaneously launching a common signal through both paths. The path that completes first determines the output response bit. These path-to-path delay variations arise due to device-specific manufacturing imperfections, yielding unique and effectively unpredictable responses for each chip [77].

Figure 3 illustrates signal propagation through two symmetrical paths consisting of switching elements, such as multiplexers, ultimately reaching an arbiter circuit that determines the output based on the race result. If the delay in the upper path exceeds that of the lower path, the response is ‘0’; otherwise, it is ‘1’ [78]. An APUF consists of n delay stages, each containing two input multiplexers that switch the signals based on the applied challenge bits. An arbiter at the end evaluates the response bit based on which signal arrives first—either on the top or bottom line. The signals propagate through the two delay paths, competing to reach the end first. The output is set to ‘1’ if the signal reaching the latch’s data input (D) is faster; otherwise, the output is ‘0’. The delay differences of the individual APUF stages combine additively, meaning the total delay difference between the two signals is the sum of the delay differences across all stages. A challenge bit $c_i=-1$ swaps the two signals and can be modeled by multiplying the delay difference $\delta \left(i\right)$ at stage i by −1. In this way, a recursive formula, as shown in Equation (1), can be constructed to model the delay difference $\delta \left(i\right)$ at stage i.

$$\delta \left(i\right)=\delta (i-1,c)·c_i+s_i\left(c_i\right)$$

(1)

where $s_i\left(c_i\right)$ is the delay difference introduced at stage i for challenge $c_i$. The sign of the final delay difference $\delta \left(n\right)$ at stage-n then defines the response bit. Challenge inputs $C=\{c_1,c_2,\dots ,c_n\}\in {\{0,1\}}^n$ decide the propagation path of the signal through the circuit. Two signals race through the circuit, and a D-flipflop or a D-latch finally determines the 1-bit response ‘r’ $\in \{0,1\}$. The input at the top propagates to the top output, whereas the bottom input comes out from the bottom output for $c_j=0$, and the top input comes out from the bottom output and vice-versa in the case of $c_j=1$.

For stage j:

• ${\delta }_{j,0}$: top path delay for $c_j=0$;
• ${\delta }_{j,1}$: top path delay for $c_j=1$;
• ${\delta }_{j,2}$: bottom path delay for $c_j=0$;
• ${\delta }_{j,3}$: bottom path delay for $c_j=1$.

The above delay variations differ significantly from device to device due to inherent manufacturing variations. The total delay difference $\delta$ at the $n^{\mathrm{th}}$ stage is expressed as a linear combination of the delay differences at each stage. The output response of the APUF is determined by the sign of $\delta$, as shown in Equation (2), where

$$\delta =\sum _{j=1}^N{w}_j{\varphi }_j$$

(2)

A feature vector ${\varphi }_j$ in Equation (3), derived from the challenge bits, is typically defined as

$${\varphi }_j=\prod _{j=k}^N(1-2c_j)$$

(3)

$w_j$ in Equation (4) is a weight representing the delay difference for stage-j, which is a function of the physical variations:

$$w_j={\displaystyle \frac{({\delta }_{j,0}-{\delta }_{j,1})+({\delta }_{j,2}-{\delta }_{j,3})}{2}}$$

(4)

The response r given in Equation (5) is determined by the sign of the delay difference [79] $\delta$, i.e.,

$$r=\left\{\begin{array}{cc}1,\hfill & \delta \ge 0\hfill \\ 0,\hfill & \delta <0\hfill \end{array}\right.$$

(5)

Studies have demonstrated that APUFs can be compromised by machine learning (ML) attacks using a relatively small set of CRPs. This vulnerability stems from the fundamentally linear and additive characteristics of the mathematical model of the PUF. Consequently, subsequent improvements in APUF design have primarily focused on enhancing resistance to ML-based attacks.

2.2.2. PUF Performance Matrices

The ISO/IEC DIS 20897 manual specifies security constraints for PUFs operating in batch or stand-alone modes. The security requirements for PUFs are expected to comply with ISO/IEC 20897-1, and their evaluation should follow ISO/IEC 20897-2 [80,81]. Numerous researchers have considered PUF key metrics, as shown in Figure 4, to develop a comprehensive framework for assessing the performance of PUFs [82,83,84]. Two key metrics for evaluating the security and authentication performance of PUFs are the False Acceptance Rate (FAR) and the False Rejection Rate (FRR). The FRR refers to the likelihood that a valid input, such as a challenge-response pair (CRP), is mistakenly rejected by the PUF. Conversely, the FAR represents the probability that an invalid CRP is erroneously accepted. The balance between the intra-Hamming distance (intra-HD) and inter-Hamming distance (inter-HD) significantly influences both FAR and FRR [85]. A crucial performance measure in this context is the Equal Error Rate (EER), which occurs when the FAR and FRR values are equal.

2.2.3. Temperature and Voltage Variations

Process-induced variations in devices are leveraged by PUFs to generate unique and unclonable authentication keys. However, fluctuations in temperature and voltage can compromise the reliability of their outputs. In particular, the error rate in APUFs can reach up to 10% under varying environmental conditions, which may cause protocol failures when PUFs are integrated with cryptographic functions [86]. Temperature changes affect transistor current levels, significantly altering signal propagation delays and, consequently, PUF responses. Researchers have proposed a Temporal Majority Voting (TMV) technique to reduce response variability, coupled with a reusable fuzzy extractor and associated helper data for error correction [87]. This approach achieved Bit Error Rates (BERs) of less than 1.5% under optimal temperatures and 8% under extreme conditions.

Anandakumar et al. evaluated their XOR-APUF design under temperature variations ranging from 0 °C to 85 °C and supply voltage variations between 0.95 V and 1.05 V, demonstrating perfect reliability (100%) through the use of the TMV scheme. Additionally, an Online Reliability Evaluation (ORE) method for APUFs implemented using a 40 nm process achieved 100% reliability across a voltage range of 0.8 V to 1.4 V and an operating temperature range of 0 °C to 80 °C [88]. Another PUF design, based on a Current Mirror Inverter, maintained a uniformity of 0.49 and an inter-Hamming distance (inter-HD) of 0.50 while operating under temperatures from −30 °C to 60 °C and voltage variations between 0.7 V and 1.5 V [89].

2.3. Research Methodology

Figure 5 illustrates the proposed authentication scheme, in which the FPGA device embeds a PUF alongside a machine learning (ML) model. During the initial setup, a dataset comprising challenges, their corresponding PUF responses, and timestamps is extracted to train the selected ML model. This framework offers a structured approach using Python 3.12.3 native libraries to identify the most suitable ML model for authentication, key generation, and security tasks. By training the selected algorithm on diverse datasets that might not be clean, may be noisy, and may have corrupted inputs, the model’s robustness against errors is significantly enhanced.

2.3.1. CRP Data Generation and Collection

The dataset comprises 100,000 challenge–response pairs (CRPs) stored in a single .csv file. Each row contains the challenge input applied to the APUF and the corresponding 1-bit response. Since all entries are aligned by their row offsets, the data in each column is directly related; for example, the first line shows the first challenge and its resulting response. Both challenge and response signals were captured from the input/output pins of the FPGA using a 16-channel logic analyzer and then exported to a .csv file. The CRPs were generated sequentially at the circuit level, with a 20 ns interleaving period between each pair.

Correlation tests quantify the similarity between different variables, making them invaluable for assessing the security of PUFs. If an attacker gains access to a subset of highly correlated secret bits, they may be able to infer the remaining bits. A correlation matrix heat map of our APUF CRPs is shown in Figure 6 to visualize the relationship among response bits across the entire dataset. For a robust PUF, all off-diagonal entries in the correlation matrix should be close to zero, indicating minimal mutual information. Any pronounced off-diagonal correlations could reveal structural weaknesses, potentially enabling attackers to build predictive models. The diagonal of the heat map naturally consists of ones since each bit is perfectly correlated with itself, but near-zero off-diagonal values characterize the ideal defense.

2.3.2. Data Preprocessing

Data and feature engineering-based preprocessing steps were performed to ensure high-quality and usable data. In the data engineering phase, raw CRP measurements were transformed into a clean, well-structured dataset. This involved removing or adjusting outliers, imputing missing values, smoothing random noise, and correcting inconsistencies to ensure the data was accurate and reliable. During the feature engineering stage, model-specific variables were extracted and tailored.

2.3.3. Dataset Splitting

To estimate the performance of the intended ML model, the CRP dataset was split into a training set and a testing set. Typically, 80% of the total dataset is used for training, and the remaining 20% is used for testing. This split is crucial for assessing the vulnerability of a PUF to modeling attacks, where the model must predict responses for previously unseen challenges.

2.3.4. Model Selection and Training

To model PUF CRP data and predict their response outputs, we selected five machine learning algorithms: Support Vector Machine (SVM), logistic regression (LR), Multi-Layer Perceptron (MLP), random forest, and gradient boosting. Each algorithm is thoroughly described in the following subsections, including the governing equations.

2.4. ML Algorithms

2.4.1. Support Vector Machine (SVM)

SVM, introduced by Vapnik, is a supervised learning algorithm that builds a model from labeled training data to make classification decisions [90]. An SVM seeks the optimal hyperplane $a·x+b=0, x_i\in {\mathbb{R}}^n$ that best separates the data points $x_i$ such that all points of a given class lie on the same side of the plane. The resulting decision function is $y\left(x\right)=sign(a·x+b)$, where sign is a function that returns +1 or −1 depending on the input sign. During training, each sample $x_i$ is paired with its class label $y_i$, and the algorithm identifies the hyperplane that maximizes the margin between classes by solving an optimization problem over the training set [91]. At the end of the training cycle, the SVM yields the support vectors that derive the optimal hyperplane and the weights $a_i$ associated with each input feature for predicting the class label y. A linear SVM classifier, once trained, relies solely on a weight vector and a bias term to operate. Even a modest microcontroller can compute ⟨a, x⟩ + b with minimal RAM/flash memory requirement. The resource-constrained IoT devices can serve as efficient classifiers with limited power and computational requirements. SVMs can also dynamically update the training patterns whenever a new pattern occurs during classification. SVM treats every feature of data equally [92].

2.4.2. Logistic Regression (LR)

The likelihood of an event and its applicability to classification problems is determined by LR. Data prediction is carried out through the application of statistics principles of previously observed datasets. A logistic sigmoid function accepts input data and outputs an integer between zero and one [93,94]. LR is an iterative ensemble learning process that integrates multiple classifiers for evaluating the relationship between various independent variables and the categorical dependent variable [95]. The sigmoid, or logistic function of Equation (6), plays a crucial role in logistic regression by transforming predicted values into probabilities.

$$y\left(x\right)={\displaystyle \frac{1}{1+e^{-2}}}$$

(6)

The function $y\left(x\right)$ represents a predicted probability ranging from 0 to 1, where x is the input, e is the base of the natural logarithm, and y is the output value. In device authentication, the response bit is either ‘0’ or ‘1’, making it a binary classification task. LR is a commonly used and efficient algorithm for binary classification in machine learning. As a binary classifier, logistic regression takes multiple inputs in the form of a feature vector $X=(x_1,x_2,\dots ,x_n)$ and produces an output based on the classifier’s function defined as $Y=g(w_0+w_1{x}_1+w_2{x}_2+\dots +w_n{x}_n)$. Usually, LR uses the $y\left(x\right)$ of Equation (6) to make Y close to 0 or 1. Arbiter PUFs can be modeled by LR with high prediction accuracy [96,97].

2.4.3. Random Forest (RF)

RF is a supervised classification algorithm that creates forests with many decision trees. Numerous decision trees ensemble together to form a random forest, and its prediction is based on the average predictions of each component tree [98]. Three hyperparameters are set before training the RF algorithm: node size, the number of trees, and the number of features sampled. Each ensemble tree includes a data sample drawn from the training set with a replacement called the bootstrap sample. About one-third of the training data is set aside as test data, known as the out-of-bag (OOB) sample. Further randomness of training data is introduced through the “bagging” feature. The classification attributes of RF are leveraged in anomaly detection, user-to-root attack detection, remote-to-local attack detection, etc. However, RF performance deteriorates if the number of trees exceeds a threshold, making the algorithm slow and ineffective in real time [99].

Assume a dataset given in Equation (7),

$$\mathcal{D}={\left\{\left(x_i,y_i\right)\right\}}_{i=1}^N$$

(7)

where ${\mathrm{x}}_i=\left[x_{i1},x_{i2},\dots ,x_{id}\right]$ is a d-dimensional feature vector, and ${\mathrm{y}}_i\in \{0,1\}$ is used for binary classification. In a bootstrap sampling, each tree ${\mathrm{T}}^{\left(b\right)}$ draws a sample ${\mathcal{D}}^{\left(b\right)}\subset \mathcal{D}$.

The RF prediction for an input x is given for the classification and probability output in Equations (8) and (9), respectively.

$$\widehat{y}=mode\left(T^{\left(1\right)}\left(x\right),T^{\left(2\right)}\left(x\right),\dots ,T^{\left(B\right)}\left(x\right)\right)$$

(8)

and

$$P(y=1\mid x)={\displaystyle \frac{1}{B}}\sum _{b=1}^{B}1\left\{T^{\left(b\right)}\left(x\right)=1\right\}$$

(9)

Moreover, RF minimizes the classification error, as shown in Equation (10).

$$\mathcal{E}={\displaystyle \frac{1}{N}}\sum _{i=1}^N\ell \left({\widehat{y}}_i,y_i\right)$$

(10)

2.4.4. Multi-Layer Perceptron (MLP)

An MLP is a type of feedforward artificial neural network (ANN) consisting of an input layer, one or more hidden layers, and an output layer, with each hidden layer comprising numerous interconnected neurons. During training, each neuron computes a weighted sum of its inputs, applies a nonlinear activation function, and transmits the output to the next layer. Key design parameters include the number of hidden layers, the number of neurons per layer, and the choice of activation functions. The optimization process often employs grid search and cross-validation techniques; however, it requires a substantial amount of labeled data as well as significant computational resources. On the downside, MLPs are prone to overfitting and may not perform well against rapidly evolving attack strategies. Their effectiveness is typically evaluated using metrics such as accuracy, precision, recall, and F1 score [100].

The summation and activation functions at each node of the hidden layers of MLP are illustrated using Equation (11) [101].

$$s_m=\sum _{i=1}^N{w}_{im}\times f_n+b_m$$

(11)

where $w_{im}$ is the connection’s weight between the first node $f_n$ and the hidden node, while $b_m$ is the bias associated with the hidden node m. The output node $y_m$ is represented by Equation (12) below.

$$y_m={\mathrm{func}}_{\mathrm{sig}}\left(s_m\right)$$

(12)

where ${\mathrm{func}}_{\mathrm{sig}}$ is a sigmoid function and computed using Equation (13).

$${\mathrm{func}}_{\mathrm{sig}}={\displaystyle \frac{1}{1+e^{-s_m}}}$$

(13)

The ultimate output function from node ‘m’ is given below in Equation (14)

$${\mathrm{ally}}_m=\sum _{i=1}^m{w}_{im}\times {\mathrm{y}}_m+b_m$$

(14)

and the final output is

$${\mathrm{finaly}}_m={\mathrm{func}}_{\mathrm{sig}}\left(all{y}_m\right)$$

(15)

2.4.5. Gradient Boosting (GB)

GB, also known as stochastic gradient boosting or a gradient boosting machine, combines gradient descent with ensemble boosting methods to build a sequence of decision trees that progressively refine model accuracy. In this method, many weak learners are trained and combined to form a single, powerful predictor. GB builds a robust predictive model that identifies malicious behaviors or intrusions based on patterns in sensor and network traffic data. Boosting is an ensemble supervised learning approach that improves model performance by combining weak learners during the gradient boosting process. In contrast to the bagging technique, which draws random samples to reduce variance, boosting prioritizes data points based on past errors to lower bias [102,103]. GB optimizes a loss function by minimizing the gradients of the loss for the predictions. However, GB is prone to overfitting and requires the careful tuning of hyperparameters. The loss function in Equation (16) optimizes an objective function $\mathcal{L}$, which includes a loss term and a regularization term,

$$\mathcal{L}=\sum _{i=1}^{n}l(y_i,{\widehat{y}}_i)+\sum _{k=1}^K\Omega \left(f_k\right)$$

(16)

where $ł(y_i,{\widehat{y}}_i)$ is the loss function, and $\Omega \left(f_k\right)$ represents the regularization applied to each tree.

3. Edge Artificial Intelligence

The workload on edge devices varies dynamically with time and location. Therefore, EC must be optimized for computational offloading, resource allocation, latency improvement, energy consumption, and overall user experience. Integrating AI with EC enables the storage and processing of large amounts of IoT data, providing application services in a decentralized, real-time mode with intelligent decision-making capabilities [104]. Hua et al. outline the motivation for combining AI and EC, highlighting the mutual benefits of this integration [105,106].

• AI-driven solutions address challenges such as task scheduling, resource management, delay reduction, energy efficiency, and privacy and security concerns encountered during the development of EC.
• Cloud-based AI training and inference can lead to considerable delays and raise concerns regarding data privacy and security. By hosting AI tasks closer to the edge nodes, EC enhances stability, reliability, and user experience, effectively addressing these challenges.

The complexity, scale, and precision of AI models vary significantly, and even efficient algorithms may not always be sufficient. Edge devices host a diverse range of AI algorithms, such as regression and classification models, clustering techniques, and natural language processing (NLP) algorithms, which are driven by recent innovations and real-world applications. Despite the promising advantages of Edge AI, its deployment and usability face several roadblocks, as discussed below:

• The management of large volumes of data in Edge AI presents a major challenge, as edge devices frequently collect real-time data that may be incomplete or noisy, leading to inaccurate predictions and reduced performance.
• Compatibility challenges arise due to the diverse nature of hardware, software, and communication protocols. Edge devices have distinct specifications, architectures, and interfaces, making seamless integration with other devices and systems complex and non-trivial.
• The integration of Edge AI with other systems introduces data security threats. Edge devices often handle sensitive information, such as personal health records, financial data, and biometric details, making them prime targets for data breaches, cyberattacks, and privacy violations.
• Edge AI systems frequently encounter scalability challenges that affect performance, reliability, and flexibility. Techniques such as load balancing, parallel processing, and distributed computing help mitigate these issues while enhancing system efficiency.

3.1. AI for Security

AI-assisted EC enables the collection, storage, and processing of large volumes of IoT data. The convergence of EC and AI has given rise to a new discipline—AI at the edge, or edge intelligence. Edge AI provides faster, real-time decision-making capabilities in decentralized, resource-constrained environments [104]. AI models, as illustrated in Figure 7, hosted at the network edge, leverage machine learning (ML) algorithms that dynamically learn from data patterns to identify known threat signatures and predict previously unseen threats. These algorithms establish a baseline of normal behavior for edge devices and network segments through continuous monitoring and analysis of IoT data. Early-stage anomaly detection enables quick investigation and timely responses, minimizing the impact of potential security breaches. AI algorithms can also apply advanced encryption techniques to data at the edge, ensuring compliance with data protection regulations such as the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA). AI models—such as neural networks and anomaly detection algorithms—can detect fraudulent manipulation of sensor data or unauthorized access to control systems in industrial environments [107]. Edge AI encompasses four key domains: (i) edge caching, (ii) edge training, (iii) edge inference, and (iv) edge offloading. Edge caching collects, generates, and stores data from edge devices and their surroundings to support edge applications. Edge training utilizes local data and computational resources at the edge to mitigate the need for high-bandwidth data transfers to the cloud. Edge inference focuses on running AI algorithms directly at the edge to enable real-time decision-making. Edge offloading distributes computationally intensive tasks by relocating them from edge devices to the cloud for further processing [108].

AI models at the edge enable edge devices to make quicker decisions without relying on cloud services [109]. Thus, AI potentially offers IoT security, including the following:

• Threat detection:It detects unidentified threats in real time by analyzing network traffic, system logs, and other data sources.
• Access control: Reinforces access control mechanisms at edge devices by analyzing user behavior and identifying anomalies using AI.
• User authentication: User behavior and irregularities, like login attempts, can be monitored and detected using AI-based biometric data analysis, such as fingerprint recognition, facial recognition, and voice identification.
• Network security: AI effectively examines and responds to real-time cyberattacks by analyzing network traffic data from numerous sources, such as firewalls and intrusion detection systems.
• Vulnerability detection: AI identifies vulnerabilities in IoT devices and applications by examining code and configuration files. It can simulate attacks to uncover weaknesses and provide security updates or patch recommendations.
• Predictive maintenance: AI can predict potential device failures and security vulnerabilities by analyzing historical data and patterns.

However, security measures should be integrated throughout the entire AI lifecycle, from training to inference, as AI systems are vulnerable to various threats. These include evasion attacks, which manipulate models to produce incorrect outputs; data poisoning, where adversaries corrupt the training data; and privacy threats, such as membership inference and model inversion attacks, which can compromise sensitive information [110].

As shown in Figure 8, machine learning (ML) is a subfield of Artificial Intelligence (AI) capable of identifying meaningful patterns or relationships from data. In contrast, DL is a subfield of ML that uses artificial neural networks (ANNs) to structure algorithms in a way that mimics human learning. Generative AI (GAI) produces original content by analyzing and learning patterns from existing data—generating text, images, videos, or code that resemble the training data without exactly replicating it [111]. ML algorithms can be broadly classified into three categories: supervised learning, unsupervised learning, and reinforcement learning [112,113,114,115].

• Supervised learning: ML algorithms process labeled training data to learn a function capable of mapping new data samples. Supervised learning is further categorized into classification and regression tasks. Classification involves mapping inputs to discrete values, whereas regression maps inputs to continuous values. Examples of classification-based supervised ML methods include Support Vector Machines (SVMs) and random forests, while linear regression and logistic regression are commonly used for regression tasks.
• Unsupervised learning: This detects patterns within input data without the need for labeled training data. It is widely applied in enhancing network security functions such as authentication, access control, anti-jamming strategies, and malware detection. Unsupervised learning is typically divided into two main categories: clustering and dimensionality reduction. Clustering organizes similar data instances based on shared features, while dimensionality reduction aims to reduce the number of features in a dataset while retaining as much relevant information as possible. Common unsupervised ML techniques include k-means and k-nearest neighbors (KNN) for clustering and principal component analysis (PCA) and singular value decomposition (SVD) for dimensionality reduction.
• Reinforcement learning (RL): This is a feedback-driven machine learning approach that enables learning through trial and error. In IoT networks, RL helps nodes autonomously make decisions for various networking tasks such as routing, scheduling, and resource allocation. The RL agent learns environmental dynamics solely from collected data without any prior knowledge to determine the best actions for achieving networking objectives. Common RL techniques include Monte Carlo and Temporal Difference (TD) learning for prediction, as well as SARSA and Q-learning for control.

Hussain et al. introduced a mobile edge computing (MEC)-based anomaly detection framework that utilizes AI to enhance the efficiency of anomaly detection in cellular networks. Their approach employs a deep Convolutional Neural Network (CNN) with fewer parameters compared to a feedforward deep neural network (DNN), achieving an accuracy range of 70% to 96% [116]. Jedidi et al. proposed a Dynamic Trust Security Approach (DTSA) that integrates AI to strengthen security and trust management for Industrial Internet of Things (IIoT) devices in edge computing environments [117]. Their AI model evaluates key metrics, including Mean Time Between Failures (MTBFs), Packet Loss Rate (PLS), Response Time (RT), and Energy Efficiency (EE), to assign trust scores to IIoT devices.

Kohli et al. introduced an advanced intrusion detection system (IDS) to improve the security of Intelligent Transportation Systems (ITSs). This framework combines AI and EC to identify cyber threats in vehicular networks by leveraging statistical thresholds and deep learning techniques. It employs Convolutional Neural Networks (CNNs) to model normal vehicular behavior and detect anomalies using Reconstruction Error Analysis, achieving an accuracy range of 97.5% to 100% [118]. Yao et al. developed a security framework called Authentication, Detection, and Defense for Secure EC (A2DSEC), which operates through three key modules: authentication, detection, and defense. This framework combines blockchain-based authentication, anomaly detection, and proactive defense mechanisms, effectively identifying DDoS and injection attacks within 1.1 to 1.5 s [119]. The integration of blockchain and edge computing (IBEC) enhances the functionality of resource-constrained edge devices by utilizing edge servers as blockchain nodes and miners. As a decentralized ledger, blockchain leverages peer-to-peer (P2P) networks, cryptographic techniques, and distributed storage, ensuring both security and immutability [120].

Federated Learning (FL)

An innovative framework conceived by Google researchers, called Federated Learning (FL), enables data holders to collaboratively train an ML model without the need to share their local datasets. This approach effectively mitigates key challenges related to communication overhead, data privacy, and legal compliance. The FL training process involves five stages, beginning with a selection of an appropriate ML model to be hosted on an edge-based centralized FL server. Next, the server deploys client selection algorithms, such as Federated Client Selection (FedCS), to randomly choose a subset of available clients [121]. Subsequently, the current global model is distributed among the selected clients for local training. These clients train the model on their local datasets and retransmit the updated model parameters back to the edge servers. The centrally located edge servers then aggregate the updated parameters using techniques like Federated Averaging (FedAvg) to yield an improved global model [122].

FL is typically classified into three categories: horizontal FL, which involves clients with similar feature spaces but different data samples; vertical FL, which includes clients with common data samples but different feature sets; and federated transfer learning, which involves clients with datasets that differ in both sample space and feature space [48]. Let N = $\{1,2,\dots ,K\}$ denote a set of K clients having dataset $D_{k\in K}$ each. The aggregate weight of the models at the client site is determined by the ratio of the size of the data set used for training the models to the size of the entire training data set and is given by Equation (17) [123]:

$$w_t^G=\sum _{k=1}^K{\displaystyle \frac{\left|D_k\right|}{\left|D\right|}}{w}_t^k$$

(17)

Here, $w_t^k$ and $w_t^G$ are the local models of client k and the global model, respectively, in the $t^{th}$ training round. $D_k$ is the dataset at client k, and D is the entire set of training data on all K clients given by $D_{\mathrm{I}}={\cup }_{k=1}^K{D}_k$.

FL intends to learn the model under the edge devices’ storage and limited processing capability constraints, periodically update the model parameters, and communicate them to edge or cloud servers. Thus, the goal of FL is to minimize the objective function or average training loss given by Equation (18) [124],

$$w^{min}F\left(w\right),F\left(w\right)=\sum {k=1}^m{p}_k{F}_k\left(w\right)$$

(18)

where m is the total number of devices participating in training, $p_k$ specifies the relative weight of influence attributed to each device, and $F_k\left(w\right)$ in Equation (19) is the local objective function of the kth device.

$$F_k\left(w\right)={\displaystyle \frac{1}{n_k}}\sum _{i=1}^{n_k}{f}_i\left(w,x_i,y_i\right)$$

(19)

where $n_k$ is the data volume of the kth device, and $f_i\left(w,x_i,y_i\right)$ is the loss function of the model with the parameter w on the instance (xi, yi) in the kth device-local dataset. The optimization process within FL focuses on minimizing the value associated with the local loss function.

3.2. Edge AI Platforms

A robust edge AI platform should be capable of catering to diverse project needs, reducing latency, efficiently processing data, minimizing power consumption, featuring a compact and lightweight design, and providing effective heat dissipation. Several platforms are available to meet these requirements, including PyTorch Mobile, OpenVINO, NVIDIA Jetson, BrainChip Akida™, Caffe2, and MXNet. TensorFlow Lite is particularly valuable for developers aiming to deploy machine learning models on edge devices. OpenVINO (Open Visual Inference and Neural Network Optimization) is an open-source toolkit specifically developed to optimize and deploy deep learning models from the cloud to edge environments. Developed by Intel, it accelerates AI inference across various applications such as generative AI, video, audio, and language processing while supporting models from popular frameworks like PyTorch, TensorFlow, and ONNX. OpenVINO’s deployment versatility spans CPUs, GPUs, and FPGAs, with costs influenced by model size, complexity, and hardware selection. Notably, it offers optimized inference performance while consuming less power than conventional CPU-based solutions.

The standard OpenVINO workflow, as depicted in Figure 9, consists of two key components: the Model Optimizer and the Inference Engine. The Model Optimizer is a command-line tool that operates across platforms to convert pre-trained models into an Intermediate Representation (IR) optimized for Intel hardware. This IR format is then utilized by the Inference Engine, a set of libraries that provide a unified API for performing inferences across different hardware platforms. The Inference Engine processes the IR and enables the seamless integration of AI inferences into applications.

4. Proposed Method

Although edge AI/ML promises numerous benefits, it faces several roadblocks, including limited computational capabilities, data management challenges, model complexity and maintenance, resource allocation issues, and data privacy concerns [125]. PUFs are lightweight, hardware-based security solutions that can enhance trust, data security, and privacy in edge AI without requiring substantial computational resources. When combined with ML-based anomaly detection, PUFs can help identify adversarial attacks. AI models trained on challenge–response pairs generated by PUFs can detect tampering or unauthorized access attempts [126].

As shown in the proposed model in Figure 10, an arbiter PUF is implemented on an Intel Cyclone IV FPGA to generate unique device signatures used to encrypt AI or ML models before deployment. This method ensures that AI models are executed only on authenticated devices, preventing malicious reverse engineering attempts. IoT devices typically exhibit recognizable patterns in user interactions and communication with edge/cloud servers. Machine learning models can be trained to analyze these interaction patterns and network traffic characteristics. Such ML-based solutions are commonly applied for user authentication, data access control, and detecting DDoS attacks. Supervised ML techniques—including Support Vector Machines (SVM), Naïve Bayes, k-nearest neighbors, deep neural networks, and random forests—are widely used to identify network intrusions, malware, DDoS attacks, and spoofing attempts.

Implementation of APUF

Originally, FPGAs were primarily used for proof-of-concept (PoC) and prototype development. However, they continue to be valuable in applications that demand high performance, low latency, and real-time adaptability. As a result, FPGAs are especially well-suited for tasks that require rapid prototyping, hardware acceleration, customization, and long-term reliability. Cyclone IV devices are composed of logic elements (LEs), which include four-input lookup tables (LUTs), memory blocks, and multipliers, as listed in

Table 2. Cyclone IV E (EP4CE10) device resources.

Resources	#
Logic elements (LEs)	10,320
Embedded memory (Kbits)	414
Embedded 18 × 18 multipliers	23
General-purpose PLLs	2
Global clock networks	10
User I/O banks	8
Maximum user I/O	179

. The M9K memory block provides 9 Kbits of embedded SRAM and can be configured as single-port, simple dual-port, or true dual-port RAM, as well as FIFO buffers or ROM. In delay-based PUFs, such as arbiter PUFs implemented on FPGAs, the propagation delays of input and output signals through LUTs determine their responses. Additionally, the placement of LUTs on the FPGA fabric and the routing between them impact propagation delays, ultimately affecting the behavior of the arbiter PUF.

The internal architecture of LEs in Altera Cyclone IV FPGAs is depicted in Figure 11. Each LE comprises a flip-flop, a lookup table (LUT) configurable as either a four-input, one-output, or a three-input, one-output LUT, and fast carry logic. A total of 16 LEs are stacked into a Logic Array Block (LAB), and depending on the FPGA family version, the device may include up to 8000 LABs. Each LE contains a configurable register that can be set to operate as a D, T, JK, or SR flip-flop. The clock and clear input signals to these registers can be sourced from the global clock network, general-purpose I/O pins, or internal logic. LEs can be configured to operate in two distinct modes. The normal mode is used to implement general-purpose logic and combinational functions, supporting up to four data inputs from the local interconnect of the LAB. The second operating mode is the arithmetic mode, which is optimized for arithmetic functions such as adders, counters, accumulators, and comparators. In arithmetic mode, the LE functions as a 2-bit full adder with a carry chain, and the output is available in both registered and unregistered versions from the LUT. This versatile structure of the LEs enables designers to optimally implement a wide range of digital logic and arithmetic operations.

Intel Quartus Prime 18.1 software configures the operating mode of each LE based on the design logic, optimization constraints, and synthesis settings. FPGA design implementation begins with the logic synthesis stage, followed by a planning stage that manages periphery placement, clock allocation, and early global retiming. During the subsequent placement stage, LEs are assigned and grouped into Adaptive Logic Modules (ALMs) and LABs on the FPGA. This stage also ensures the correct positioning of block RAM and DSP elements within the FPGA fabric, which is in accordance with the user’s design. Finally, in the routing stage, all connections in the design are established using the programmable routing fabric of the FPGA, ensuring proper signal flow across the chip [127].

5. Experimental Results and Analysis

5.1. Experimental Setup

The robustness of APUFs against malicious attacks is evaluated by deploying the proposed architecture on the ALINX AX4010 FPGA development board. The distinct responses of APUFs to challenge inputs serve as a means of device authentication, preventing unauthorized access to IoT networks. The design is implemented using Quartus® Prime Standard Edition version 18.1, as depicted in Figure 12. A 64-bit APUF is implemented on an Altera, Cyclone IV EP4CE10F17C8 FPGA from Intel, Santa Clara, CA, USA (60 nm technology, 1.2 V, 256-pin FBGA). In our experiments, an FPGA is designated as an IoT node incorporating an embedded PUF for authentication. Since the objective of this study is to leverage default routing, we allow the FPGA tool to place APUF components autonomously without applying placement constraints, manual routing, or hard macros.

The proposed APUF-based authentication scheme utilizes an LFSR-based random generator, implemented on the FPGA, which inputs a 64-bit challenge to the APUF circuit, and the corresponding responses are collected. FPGA resource utilization for APUF implementation includes 81 (out of 10,320) LEs, 129 registers, 68 (out of 92) available I/Os, and a maximum frequency ($f_{\max }$) of 98.97 MHz. A database of approximately 100,000 unique challenge-response pairs (CRPs) is collected using a logic analyzer and stored in a .csv file. During the authentication stage, a challenge from the CRP database is presented to the PUF, and the generated response is compared with the stored response associated with that challenge for verification.

The outline of the complete flow for generating the PUF response is shown in Algorithm 1. The APUF and pseudo-random generator are modeled using the VHDL programming language. The design is then synthesized into a circuit comprising the LEs available on the FPGA chip. Logical synthesis optimizes the design and maps it onto FPGA resources such as LEs, ALMs, or dedicated logic blocks. All design files, including third-party netlists, are integrated into a single project database. The functional correctness of the synthesized design is verified through RTL simulation without considering timing closure.

During the fitting stage, the Quartus Fitter tool automatically places the LEs, which may result in varying path delays in the APUF, regardless of the challenge inputs. However, the chip’s floorplan can be manually adjusted using the Chip Planner. Timing analysis is performed to estimate the propagation delays across all routing paths in the fitted circuit, followed by timing simulations. Finally, the designed circuit is implemented on the target FPGA chip by programming the configuration switches to configure the LEs and establish the required wiring connections.

Algorithm 1. Arbiter PUF

Input: N: number of challenge bits per PUF instance  $challenge\left[N\right]$: vector of size N bits  $clk$: system clock signal  Output: response bit  /*$\phantom{(}$ Initialization $\phantom{(}$                                                        */

The reproducibility of a PUF evaluates how consistently it generates the same response on a given device, like FPGAs. It is quantified by the intra-device Hamming distance (intra-HD), and a perfectly reproducible PUF achieves an average intra-HD of 0% [73]. Figure 13 represents the intra-HD metrics of the proposed APUF against CRP size, and it is benchmarked with the works of other researchers in

Table 3. CRPs performance metrics of APUF-Variants.

Hardware Platforms	Uniformity	Intra-HD	Uniqueness	Ref.
Artix7 FPGA	51.22%	-	50.81%	[128]
Xilinx XC2S200 FPGA	49%	5%	45–50%	[129]
Virtex-5 FPGA	54.78%	-	4.7%	[130]
Virtex-5 FPGA	42.34%	-	36.75%	[131]
Artix-7 FPGA	57.64%	-	51.34%	[132]
Artix-7 FPGA	51.84%	-	46.21%	[133]
HSPICE 65 nm ptm	55.69%	11.36%	42.12%	[134]
Cyclone IV	49.28%	10.81%	38.6%	Proposed APUF

, along with other performance metrics. Moreover, our extracted CRP data have an estimated proportion of 1’s(p) at 0.4928 and a Shannon entropy (H) of 0.9794, which is quite close to the ideal values of 0.5 and 1.

Figure 14 is a confusion matrix (also known as an error matrix), which is a visual representation of classification algorithm performance. It is one of the key evaluation tools used to assess how well a model performs. From this matrix, several performance metrics can be derived, such as precision, recall, and F1 score. The top left cell represents the number of true positives (TPs), indicating correctly predicted positive instances. The cell below TP shows false positives (FPs), which are negative instances incorrectly classified as positive. The top-right cell corresponds to false negatives (FNs), representing positive instances that were mistakenly predicted as negative. The bottom right cell indicates the true negatives (TNs), referring to correctly identified negative instances. The confusion matrices for four selected classifiers are used to derive model performance metrics, as shown in

Table 4. Estimation of PUF confusion matrix.

Regression	TP	TN	FP	FN	Accuracy	Precision	Recall	FDR	F1-Score
LR	94,021	89,470	58,170	58,161	0.612	0.617783	0.6178195	0.393999	0.617801
RF	148,545	143,658	3982	3637	0.974588	0.973893	0.976101	0.026971	0.974996
MLP	146,580	142,454	5186	5602	0.964019	0.965829	0.9631888	0.035126	0.964507
GB	94,021	89,470	58,170	58,161	0.612	0.617783	0.6178195	0.393999	0.617801

, using Equations (20)–(24).

$$\mathrm{Accuracy}={\displaystyle \frac{\mathrm{TP}+\mathrm{TN}}{\mathrm{TP}+\mathrm{FP}+\mathrm{FN}+\mathrm{TN}}}$$

(20)

$$\mathrm{Precision}={\displaystyle \frac{\mathrm{TP}}{\mathrm{TP}+\mathrm{FP}}}$$

(21)

$$\mathrm{Recall}={\displaystyle \frac{\mathrm{TP}}{\mathrm{TP}+\mathrm{FN}}}$$

(22)

$$\mathrm{False}\mathrm{Discovery}\mathrm{Rate}\left(\mathrm{FDR}\right)={\displaystyle \frac{\mathrm{FP}}{\mathrm{FP}+\mathrm{TP}}}$$

(23)

$$\mathrm{F}1-\mathrm{Score}=2·{\displaystyle \frac{\mathrm{Precision}·\mathrm{Recall}}{\mathrm{Precision}+\mathrm{Recall}}}$$

(24)

In ML, parameters are generally categorized into model parameters and hyperparameters. Model parameters are learned from the training data, whereas the user predefines hyperparameters before the training process begins [135]. Hyperparameters influence what the model can learn and significantly affect its ability to generalize to unseen data [136].

Table 5. ML model parameters.

ML Model	Hyperparameters	Range	Selected Value
SVM	C, $\gamma$, Kernel	[0.1, 0.2, 0.3, 0.4], [0.001, 0.01, 0.1, 1], RBF	10, 0.1, RBF
LR	Regularization C, Max Iterations	[0.001, 0.01, 0.1, 1], [50, 100, 200, 1000]	0.1, 100
MLP	Hidden Layers, Learning Rate, Epoch	[[64, 32], [128, 64], [100]], [0.001, 0.01, 0.1], 100 (Early Stopping)	[100], 0.01, Early Stopping
RF	n_estimators, max_depth, criterion	[50, 100, 200], [5, 15, 25], entropy	100, 15, entropy
GB	n_estimators, learning_rate, max_depth, loss	[50, 100, 200], [0.01, 0.05, 0.1], [3, 5, 7], log_loss	100, 0.1, 3, log_loss

lists the tuning details of ML models used in our work.

5.2. Machine Learning-Based Modeling Attacks

The behavior of the PUFs can be modeled by analyzing their CRPs, thus making them vulnerable to ML attacks. Numerous ML algorithms, such as k-nearest neighbor (KNN), random forest (RF), logistic regression (LR), decision tree (DT), and Support Vector Machine (SVM), have been used to predict PUF responses, with SVMs being widely recommended. The resilience of the PUFs against ML-based attacks is an indicator of their security. The ML model was developed in Python 3.12.3 within a Version Control System (VCS) environment. It began with the collection and preprocessing of APUF CRP data, which is normalized and cleaned to suit ML purposes. Suitable models, such as SVM, LR, or a feedforward artificial neural network (ANN), an MLP model for device classification, supervised random forest clustering for anomaly detection, and an ensemble gradient boosting technique, were implemented using Python libraries like scikit-learn, pandas, and pypuf. The workflow proceeds with training and evaluating the model by dividing the data into training and testing sets, refining the model’s parameters, and evaluating accuracy metrics to ensure effective generalization to new challenges without overfitting. The extracted CRPs were used to train the intended ML model capable of predicting responses against specific challenges.

Table 6. Comparing ML accuracy of APUF models in the literature.

Learning Model	Challenge Bits	Prediction Rate	Training CRP	Ref.
LR	64	66.5%	40,000	[133]
SVM	64	74.7%	40,000	[133]
LR	64	97%	40,000	[137]
LR	64	99%	6500	[138]
SVM	64	86.31%	1000	[130]
LR	64	80%	40,000	[139]
LR/SVM	64	51.22%/52.61%	2,097,152	[128]

lists the prediction accuracy of APUF-based ML models available in the literature of varying CRP sizes. The results obtained by the researchers establish that accuracy does not significantly increase beyond 80% with additional CRPs, demonstrating the robust defense of the PUFs against such attacks.

The linear characteristics of delay-based PUFs, like APUFs, align well with SVM, which is trained on 80% of CRPs to predict specific response bits [140]. It is established that the ML models with an adequate number of CRPs can mimic the target device and gain access to sensitive data [141]. Next, we will discuss the resilience of APUFs against ML attacks, as well as the accuracy of ML models in predicting response outputs for random challenge inputs. The resistance of APUFs to modeling attacks is evaluated to determine how easily an attacker could predict the responses of the PUF based on its challenges. APUF CRPs were collected to test the modeling attack accuracy against various modeling techniques, such as gradient boosting, Multi-Layer Perceptron (MLP), Support Vector Machine (SVM), logistic regression (LR), and random forest, as shown in Figure 15.

The resilience of a strong PUF against ML attacks is a key indicator of its suitability in a secure IoT network. The resistance against ML attacks on APUF is established using various ML modeling techniques against varying CRP sample sizes, and this is summarized in

Table 7. ML prediction accuracy versus the CRPs of proposed APUF.

Learning Model	Number of CRP’s
	50	2155	4261	6366	8472	105,77	12,683	14,788	16,894	19,000
SVM	54.6%	60.7%	61.6%	61.2%	61.3%	61.2%	61.1%	61.1%	61.1%	61.1%
LR	55.8%	63.5%	63.5%	63.5%	63.5%	63.5%	63.5%	63.5%	63.5%	63.5%
MLP	57%	93.7%	94.3%	94.9%	94.9%	95.3%	95.4%	95.2%	96.3%	95.4%
Random forest	49.7%	85%	91.6%	94%	93.9%	94.8%	95.9%	95.2%	95.5%	95.9%
Gradient Boosting	56.3%	63%	63.4%	63.8%	63.1%	63.2%	63.3%	62.5%	62.7%	63%

. It verifies that the accuracy of SVM, LR, and gradient boosting does not go beyond 63%.

6. Conclusions

Hardware authentication is critical for edge computing and extremely important to instill trust and confidence among end users about their data privacy. The APUF leverages delay variations from inherent manufacturing variations, generating an exponential number of CRPs and, thus, making it suitable for authentication in numerous IoT applications. In this paper, we conducted a security analysis of silicon-based APUF devices. Due to the lack of standardized benchmark datasets for the performance evaluation of PUFs and establishing their resilience against authentication breaches, we designed an experimental setup that extracts CRPs from an FPGA-based APUF. The integration of PUFs with FPGAs provides a strong synergy, combining the security benefits of PUFs with the natural flexibility and rapid time-to-market advantages of FPGAs. The relationship between the CRP is established through ML analysis and modeling. Using the Scikit-learn framework, we launched attacks on the APUF using SVM, LR, and ensemble GB algorithms, achieving prediction accuracies of 61.1%, 63.5%, and 63%, respectively. The SVM working principle is based on maximum-margin classification, LR estimates outcomes based on probabilities using the logistic function, and ensemble GB builds a powerful model by iteratively combining multiple weak learners. The APUF design implemented on an Altera Cyclone IV FPGA was subjected to 64-bit input challenges from a Linear Feedback Shift Register (LFSR). A single-bit response from APUF was collected and saved against each challenge bit. This setup uses only 129 registers and 81 LEs, consuming less than 1% of the total resources of the FPGA. Approximately 100K CRPs were extracted and analyzed against security-based evaluation metrics such as uniformity, reliability, and ML-based model accuracy. APUFs are the natural choice for device authentication and cryptographic key generation in resource-limited environments of IoTs, and they are on the verge of notable advancements.

Future research on APUFs should focus on areas targeted to enhance their performance and capabilities, including the following:

• A robust approach against temperature and voltage variations, in addition to aging-induced errors in APUF responses.
• APUFs are vulnerable to newer attack forms, such as ML-based modeling. Research should focus on incorporating nonlinear or complex designs to complicate ML modeling attempts.
• APUFs design approaches should be scalable and optimal in terms of area, power, and latency. Integration with 5G/6G networks, blockchains, and ML supports scalable, intelligent, and resilient security architectures.
• The integration of APUFs with different PUF types can create hybrid systems that leverage complementary strengths to enhance the uniqueness and unpredictability of responses.
• Advances in APUF technology will require standard evaluation and benchmarking metrics. Future research should be focused on creating testing frameworks that define comprehensive performance indicators for assessing uniqueness, reliability, and security.
• Future works should focus beyond traditional silicon-based designs, as emerging materials and technologies could redefine APUFs.