Internet of Things (IoT) applications to provide effective and lightweight solutions for device authentication. However, an attacker can collect challenge–response pairs (CRPs) of a strong PUF, to build a machine learning (ML) model and mimic its behavior, ie, predicting the responses of unseen challenges with high accuracy. Although several PUFs have been proposed to resist such modeling attacks, they incur high hardware overhead. Developing a …
Physical unclonable functions (PUFs) have been adopted in many resource-constrained Internet of Things (IoT) applications to provide effective and lightweight solutions for device authentication. However, an attacker can collect challenge–response pairs (CRPs) of a strong PUF, to build a machine learning (ML) model and mimic its behavior, i.e., predicting the responses of unseen challenges with high accuracy. Although several PUFs have been proposed to resist such modeling attacks, they incur high hardware overhead. Developing a PUF primitive with low hardware cost and high resistance to ML attacks is thus a crucial task. In this article, we propose the first response–feedback-based lightweight anti-ML-attack PUF (FLAM-PUF). It is only composed of one arbiter PUF (APUF) and one Galois linear-feedback shift register (LFSR), with some basic logic gates, reducing more than 62% hardware cost compared with the state-of-the-art robust strong PUFs. Specifically, FLAM-PUF leverages a cost-effective feedback loop structure to dynamically control and update the LFSR configuration. FLAM-PUF has two main characteristics: 1) it feeds back a 1-bit response in every cycle to intentionally poison the data of the CRP set for training. To resist ML-based modeling attacks, the 1-bit response can randomly update one coefficient of the feedback polynomial to implant more complex correlations into the model built by attackers and 2) it takes advantage of an bit response feedback-controlled reconfigurable Galois LFSR to enlarge the original challenge space of the APUF. Extensive experimental results show that the proposed FLAM-PUF achieves near-optimal uniformity, uniqueness, and reliability. Our scheme works well under standard attack models with public crucial initial information. In particular, the prediction accuracy of modeling attacks against FLAM-PUF is nearly 50% under the four widely used ML algorithms, i.e., support vector machines (SVMs), logistic regression (LR), covariance matrix adaptation evolution strategy (CMA-ES), and deep neural networks (DNNs), indicating excellent resistance against these ML attacks.