A low-area design of two-factor authentication using DIES and SBI for IoT security

The Internet of Things (IoT) is an integration of heterogeneous physical devices that are interconnected and communicate over the physical Internet. Because information is transmitted between remote users and numerous sensing devices over the IoT network, a secure, lightweight and effective authentication protocol is required. Recently, two-factor authentication (TFA) schemes have been developed to provide security among IoT devices. However, the performance of the IoT network is affected by the limited memory and restricted resources of IoT devices. In this paper, the integration of a data inverting encoding scheme (DIES) and a substitution-box-based inverter (SBI) is proposed to provide security using random values of the one-time alias identity (AID), challenge, server nonce and device nonce. Here, the linearity of the produced random values is decreased in each clock cycle based on the switching characteristics of the selection line in DIES. Moreover, a linear feedback shift register (LFSR) is used in the adaptive physically unclonable function (APUF) to generate the random response value. The APUF–DIES-IoT architecture is analyzed in terms of lookup tables, flip flops, slices, frequency and delay. It is also analyzed for different security and authentication performances. Two existing methods, TFA-PUF-IoT and TFA-APUF-IoT, are considered to evaluate the APUF–DIES-IoT architecture. The APUF–DIES-IoT architecture uses 36 flip flops on Virtex 6, which is fewer than TFA-PUF-IoT and TFA-APUF-IoT.


Introduction
The Internet of Things (IoT) contains a huge number of devices that are interconnected over the public Internet [1,2]. IoT denotes the network of devices, machines, objects and other physical systems that have computing, embedded sensing and communication capabilities. These devices allow systems to sense and transmit real-time data about the physical world [3,4]. The highly intelligent facilities provided by the IoT improve people's daily lives. Examples of IoT applications include smart industries, smart homes, smart transportation, smart health care and smart cities [5,6]. Design processes and miniaturized processing techniques are used to improve the IoT. Hence, an improved design process and communication protocol result in high energy storage capacity, high data rate and significant computing capacity [7,8]. The information exchange between IoT devices is affected by theft, privacy violation and cyber-attacks. To overcome these issues, cryptographic techniques are used to enable secure communication [9,10]. Generally, complex software/hardware architectures are used to create the random number sequences for delivering the public and private keys. These public and private keys are then used to provide security in IoT applications [11,12].
Examples of techniques used to provide security in the IoT include a proxy-based key agreement protocol [13], a malware detection mechanism [14], a lightweight block cipher [15], lightweight elliptic curve cryptography [16] and the PHOTON hash function [17]. Key management is an important constraint in the IoT because of the huge number of devices and the restricted resources in the network.
In key management, frequently generating new keys during the key generation phase is difficult. Moreover, the frequent generation of new keys causes higher energy consumption and reduces the device lifetime [18]. Therefore, developing security is difficult on resource-constrained hardware platforms such as radio frequency identification devices and sensors. For IoT devices, complex cryptographic functions cause a large overhead in area and energy. For example, the advanced encryption standard (AES) is not appropriate for resource-constrained applications because of its deficiency in area and energy/power [19]. Subsequently, the physically unclonable function (PUF) circuit was developed as a capable hardware security technique for low-overhead security applications, since the working principle of a PUF is mainly based on the variation effects of the nano-scale device-level process [20]. Moreover, data is protected using data flipping in Bose-Chaudhuri-Hocquenghem codes [21]. This flip method is also used to prevent information loss in super-resolution technology [22]. The main motivation of this work is to improve the security of the IoT device while minimizing the hardware utilization of the APUF-DIES-IoT architecture.
The major contributions of the paper are as follows:
• The DIES using SBI is used to generate the random values of the AID, challenge, server nonce and device nonce, which are used to improve the security of device-to-server communications. The automatic generation of the AID, challenge, server nonce and device nonce is used to decrease the hardware utilization.
• Moreover, these 4 values are generated with high randomness in each clock cycle using appropriate switching between the selection lines.
• Next, the APUF is used to generate a response value with higher randomness using an LFSR. Accordingly, the TFA and security characteristics are analyzed to evaluate the performance of the APUF-DIES-IoT architecture.
The overall organization of the paper is as follows: Sect. 2 provides the literature survey of recent techniques for security mechanisms in the IoT. The problems found in the existing research and the solutions to those problems are stated in Sect. 3. Section 4 provides the detailed description of the APUF-DIES-IoT architecture. The results and discussion of the APUF-DIES-IoT architecture are described in Sect. 5. Finally, the conclusion is given in Sect. 6.

Related works
The literature survey about the existing techniques related to the PUF and security mechanisms used in the IoT is given in Table 1.

Problem statement
The problems found from the literature survey and solutions for the problems are described in this section.
In the lightweight mutual authentication protocol [24], the authentication latency is low only when the PUF is processed with a smaller message size. For an effective IoT system, the delay in data transmission should be low to achieve faster data transmission. Adding system components makes the IoT system susceptible to security threats [22]. Additionally, the code generated by the TFA-PUF is identical for all clock cycles. Hence, these code values are easily predicted by hackers [28]. The manual incorporation of challenge values increases the hardware utilization, which affects the delay and operating frequency. Moreover, the generated AID, challenge, device nonce and server nonce are the same for all iterations, so they are easy for hackers to predict during IoT communication.

Table 1

[23] Quasi-cyclic low-density parity-check (QC-LDPC) bit-flipping decoders were presented for post-quantum cryptography. The architecture of the QC-LDPC decoder was optimized for effectively computing the time-consuming vector-matrix multiplications of the bit-flipping decoding process. This decoder was used to choose the resource-performance trade-off without considering the factors of the underlying code. Here, the inputs, the intermediate values and the outputs permitted for managing the underlying codes were saved in Block RAMs (BRAM) instead of flip flops. The optimized QC-LDPC helped to improve the design efficiency. However, the utilization of BRAM was high, which increased the area of the overall QC-LDPC architecture.

Aman et al. [24] A lightweight mutual authentication protocol was developed for IoT systems using PUF. This mutual authentication protocol was developed for 2 scenarios of IoT systems: (1) communication between a server and an IoT device and (2) communication between two different IoT devices. The PUF-based challenge-response mechanism was used to define the mutual authentication protocol. The protocol has one unique feature: it does not require any secrets to be saved in the IoT devices. This lightweight mutual authentication protocol was used to minimize storage, communication overhead and computation. However, the authentication latency was minimized only by decreasing the number of messages transmitted among the devices.

Two-factor (smart card and password) user authentication with the RSA cryptosystem was presented for multi-server environments to provide low complexity and security against attacks. The RSA-based multi-server authentication protocol was used to support mutual authentication and session key agreement between the server and the application server. Next, the Burrows-Abadi-Needham (BAN) logic was used to establish the freshness of the session key and the accuracy of the mutual authentication. The RSA-based authentication protocol was effective in terms of complexity when compared to the conventional algorithms. Further, this multi-server authentication protocol was flexible and contained a user-friendly password change phase. The hardware utilization was not analyzed for this RSA cryptosystem.

Qu and Tan [26] Two-factor user authentication was developed with a key agreement system using the elliptic curve cryptosystem (ECC). This ECC-based two-factor user authentication has five phases: the system initializing phase, the registration phase, the login phase, the authentication phase and the password change phase. Initially, the public and private keys were computed in the system initializing phase. In the registration phase, the appropriate information was submitted to the server when the user required authorization. Subsequently, the user inserted the smart card for server login in the login phase, and mutual authentication was obtained in the authentication phase. Further, the user updated the password when a password change was required. However, the computation cost of the ECC-based two-factor user authentication and key agreement was high when compared to other algorithms.

Gope and Sikdar [28] A privacy-preserving two-factor authentication (TFA) protocol was developed for IoT devices. This privacy-preserving TFA protocol was used to support anonymous communication between the IoT device and the server installed in the control and data unit. The PUF was considered as one of the authentication factors of the privacy-preserving TFA protocol, and this PUF was characterized by a challenge-response pair. The PUF was used to generate an arbitrary string of bits, i.e., the response, using a bit string as the input challenge. The TFA remained secure even when the adversary had physical access to the IoT device. The security features of PUFs were exploited to provide effective security features for IoT devices. However, the code generated by the PUF was identical for all clock cycles. Hence, the identical code generated by the PUF was easily detected by unauthorized users.

Solution
The random generation of the AID, challenge, device nonce and server nonce in each clock cycle, using the selection line switching property of DIES with SBI, effectively improves the security against unauthorized users. Here, the SBM uses the substitution-box (S-box) operation to generate the 8-bit seed value for the DIES through the substitution process. The automatic generation of the AID, challenge, device nonce and server nonce using DIES helps to minimize the number of logical elements in the implementation. Hence, the lower hardware utilization increases the speed of the APUF-DIES-IoT architecture, which minimizes the delay and increases the operating frequency.

APUF-DIES-IoT architecture
In the APUF-DIES-IoT architecture, the DIES using SBI is used to generate the random values of the AID, challenge, device nonce and server nonce in each clock cycle, which increases the security against hackers. Moreover, the APUF is used to generate the random response values using the LFSR. The overall process of the APUF-DIES-IoT architecture is divided into two phases: the setup phase and the authentication phase. Both phases are described in the following sections.

Setup phase
The IoT device produces the identity number (ID) and a request during the setup phase, and the ID and request are passed to the server. Figure 1 shows the operation of the setup phase. More specifically, the green and blue blocks in Fig. 1 represent the IoT device and the server. The values received from the IoT devices are kept in the server and the challenge value is created using the ID. Next, the generated challenge values are associated with the same IoT device. Here, the challenge value is used to form the response value using the APUF. The response values, i.e., $R_1, R_2, \ldots, R_n$, are kept in the server and are used to generate the synchronization key (SK), master key (MK), fake identity (FI) and one-time alias identity (AID). Subsequently, the generated values of SK, MK, FI and AID are kept in the IoT devices to accomplish the security. The same setup process of the APUF-DIES-IoT architecture is carried out for all the IoT devices. This setup phase is two-factor authentication, because the SK, MK, FI and AID are generated only when the request is received from the devices. This process is performed for every IoT device, which improves the security. Additionally, the pairs of fake identities and synchronization keys are generated by the server as shown in Eq. (1).
where the fake identities are represented as $fid_1, fid_2, \ldots, fid_n$, the synchronization keys are represented as $k_1, k_2, \ldots, k_n$ and $n$ specifies the number of IoT devices. (1)

Authentication phase
Access authorization is granted to the IoT devices when the device and server nonces match during the authentication phase. Figure 2 shows the authentication phase of the APUF-DIES-IoT architecture. Similar to the setup phase, the green and blue blocks represent the IoT device and the server.
In the authentication phase, the AID is verified by the random number request and the request message (M1) is transmitted to the server to establish the communication. The request message M1 is stored in the device and is expressed in Eq. (2).
where $N_d^* = N_d \oplus K_{ds}$. The random number created during the communication is represented as $N_d$ and the secret key is represented as $K_{ds}$.
The response value, challenge and master key are stored when the AID is matched in the authentication phase. Otherwise, the generated request is discarded over the IoT device. Subsequently, the hash key response and the server nonce $N_s$ are generated by the server. The server creates the response message (M2) as shown in Eq. (3).
where the challenge value is represented as , and $h$ specifies the one-way hash function. Then, M3 is generated by the IoT device when the response is matched during the interaction, and M3 is expressed in Eq. (4).
where . FE.Gen specifies the helper data generation algorithm, $R'$ specifies the APUF output, $hd$ is the helper data, $k$ is the key element and $V_1$ specifies the key hash response.
The Fuzzy Extractor recovery module is used to address the noise caused by the operation of the PUF. The PUF generates a random number in each clock cycle, which is compared with the key hash response value. Therefore, the IoT device receives authorization from the server when the server nonce and device nonce exist in the key hash function. Once Device 1 is authenticated, the next IoT device (Device 2) performs the same authentication operation. The authentication phase is performed for every IoT device whose APUF values were updated in the setup phase.

Adaptive PUF
The APUF is designed using an LFSR, which is a shift register with feedback. The LFSR is mainly used because of its lower gate computation, lower computation cost and better statistical properties. The LFSR is used in the APUF design to provide the random response value. However, a conventional LFSR provides the same random value after a certain clock period, which affects the security of the IoT system. The APUF-DIES-IoT architecture therefore considers different IoT devices in each clock cycle to accomplish security over the system. Hence, there is no possibility of acquiring the same response value from the APUF, because each IoT device has a different ID and challenge value, which are used to obtain different responses from the APUF. In the LFSR, the flip flop output is given as feedback to the input of the XOR gate, and the output of the XOR gate is then given as input to the 1st flip flop. The initial value saved in the shift register is referred to as the seed value. This LFSR is used to generate the random sequence of bits, and the feedback output is given to the XOR gate, since the XOR gate is used to improve the confusion property of the LFSR. Specifically, the difference between the response values is high when this XOR gate is used. Moreover, this LFSR is capable of generating the possible states with a period of $N = 2^n - 1$, where $n$ is the number of registers. The possible states of the LFSR exclude the all-zero state. In general, the IoT device creates the challenge value and gives it to the server to obtain authorization. The conventional PUF module generates the same response for all clock cycles. Hence, the identical response values can be predicted by an unauthorized user. The APUF used in the proposed method, however, generates different response values in every clock cycle. Equation (5) specifies the challenge input values given to the LFSR. Next, the response output from the LFSR is specified in Eq. (6).
where the values of $c[0]$ to $c[7]$ and $r[0]$ to $r[7]$ represent the challenge values and response values, respectively.
The generation of the response for IoT devices is expressed as follows: In this APUF, the generation of the response is performed at the positive edge of the clock signal. The response is generated from the challenge value when the clock signal reaches its positive edge. Therefore, the variation in the bit pair using the APUF in each clock cycle makes it difficult for unauthorized users to predict the response value. Further, the APUF is used to achieve secure communication between the devices based on the frequent change of the bit position pair.
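The LFSR behaviour described above (a period of 2^n − 1 and an excluded all-zero state), modelled in Python as an added example that is not the paper's design. The tap positions (flip-flops 8, 6, 5 and 4), the function names and the sample challenge are assumptions, since the page does not give the feedback polynomial.

```python
"""Behavioural model of an 8-bit LFSR response generator (added example)."""

WIDTH = 8
MASK = (1 << WIDTH) - 1
# ASSUMPTION: taps at flip-flops 8, 6, 5 and 4 (a commonly tabulated
# maximal-length set); the page does not state the feedback polynomial.
TAPS = (7, 5, 4, 3)  # zero-based bit indices of the tapped flip-flops


def lfsr_step(state):
    """One rising clock edge: XOR the tapped outputs and shift the result into bit 0."""
    feedback = 0
    for tap in TAPS:
        feedback ^= (state >> tap) & 1
    return ((state << 1) | feedback) & MASK


def responses(challenge, cycles):
    """Load the challenge C as the seed and return the response R after each clock."""
    state = challenge & MASK
    out = []
    for _ in range(cycles):
        state = lfsr_step(state)
        out.append(state)
    return out


def period(seed):
    """Number of clocks until the register returns to its seed value."""
    seed &= MASK
    state, count = lfsr_step(seed), 1
    while state != seed:
        state = lfsr_step(state)
        count += 1
    return count


def usable_challenge(challenge):
    """The all-zero seed never leaves zero, so it has to be rejected as a challenge."""
    return (challenge & MASK) != 0


def first_repeat(challenge, cycles):
    """Index of the first response that repeats an earlier one, or None if all differ."""
    seen = set()
    for index, value in enumerate(responses(challenge, cycles)):
        if value in seen:
            return index
        seen.add(value)
    return None


if __name__ == "__main__":
    c = 0b10110010  # constructed sample challenge
    print("period:", period(c))
    print("first responses:", [format(r, "08b") for r in responses(c, 4)])
    print("first repeat within 300 clocks at index:", first_repeat(c, 300))
    print("all-zero challenge usable:", usable_challenge(0))
```

For one device the response sequence starts to repeat after 255 clocks, so the per-clock uniqueness discussed above depends on the challenge changing between devices and sessions.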

$$\text{challenge}(C) = \{c[7], c[6], c[5], c[4], c[3], c[2], c[1], c[0]\} \tag{5}$$
$$\text{Response}(R) = \{r[7], r[6], r[5], r[4], r[3], r[2], r[1], r[0]\} \tag{6}$$

Data inverting encoding scheme
In this proposed method, DIES is developed to improve the security of lightweight cryptography. The developed DIES uses a confusion property similar to the S-box, processing 8-bit input data to provide 8-bit output data. The input and output of DIES are identical in size, but the output carries different values. The input and output of the encoder module are both 8 bits wide. This DIES increases the randomness of the AID, challenge, device nonce and server nonce by independently controlling the odd and even bits of multiplier and multiplicand, the Odd Invert and Even Invert bit, respectively. This reduces the linearity of the random data by comparing the switching activity for the four possible cases of the Full, No, Odd and Even Invert lines (00, 01, 10, 11) and then choosing the value with the smallest switching activity to reduce computational cost. In particular, the input toggling sequences 01 → 10 and 10 → 01 result in 4 times more switching events. The two-phase switching sequence is introduced in order to reduce total power consumption. The encoder module encodes the output of the random number generator based on the number of zeroes and ones sequences or its run length. It defines the data to be inverted based on zeroes and ones. It consists of internal modules such as a shift register, even counter, odd counter, comparator and inverter, shown in Fig. 3, and the overall data flipping architecture is shown in Fig. 4.
For instance, the calculation of the AID using DIES is described as follows.
At first, the 8-bit input seed value (in) is obtained from the S-box-based inverter, and this 8-bit in value is given as input to the ones calculation, which calculates the ones, zeroes, odd and even values of the input. In the ones calculation process, the counter is zero during reset and is incremented by 1 while it is less than 9. Consider the values of ones, zeroes, odd and even to be 0000. Subsequently, the ones, zeroes, odd and even values are calculated for each bit of the seed value (i.e., 8 bits in total).
The calculation of the ones, zeroes, odd and even values for the 0th bit, when the 0th bit is equal to 1 and 0, is expressed in Eqs. (7) and (8).
If the 0th bit is equal to 1, the output is 1010. Otherwise it is equal to 0100.
Similarly, the ones, zeroes, odd and even values are calculated for the remaining 7 bits and concatenated at the end of the ones calculation. Accordingly, the 4-bit ones, zeroes, odd and even values are given as input to the comparator to obtain the 2-bit selection line value (Table 2).
Further, the input seed value is modified based on the selection line value, which is used to increase the randomness between the AID values generated in each clock cycle. The calculation of the AID for the selection lines 00, 01, 10 and 11 is given in Eqs. (9), (10), (11) and (12), respectively.
[7], ∼in[6], in[5], ∼in[4], in[3], ∼in[2], in[1], ∼in[0]}
Similarly, the challenge, device nonce and server nonce are calculated using the aforementioned DIES process. The generated AID, challenge, device nonce and server nonce are used to establish secure communication between the device and the server.

S-box-based Inverter
In this SBI, an 8-bit seed value is generated to improve the randomness of the AID, challenge, device nonce and server nonce from the DIES. The combination of DIES and SBI is used to generate unpredictable keys, which helps to improve the security of device-to-server communication. Figure 5 shows the architecture of the SBI. Initially, an 8-bit random value, represented as $D$, is considered as the input of the SBI. Meanwhile, the input 8-bit value is transformed by the inverter, and the result is represented as $D'$. The 8-bit random value $D$ is stored in Register 1 and is truncated into two 4-bit values as shown in Eq. (13).
Next, the truncated data T1 and T2 are given to the S-box (substitution-box), which performs the substitution process shown in Table 3. The S-box generates S1 and S2 for the truncated data T1 and T2, respectively.
After the S-box process is complete, S1 and S2 are given to the adder to generate the 4-bit value out1. On the other hand, the 4-bit value out2 is generated for $D'$. Further, out1 and out2 are concatenated to generate the 8-bit value (in) as shown in Eq. (14). Here, the out2 value is taken as the MSB and the out1 value is taken as the LSB of the 8-bit in value. The designed SBI takes an 8-bit input and provides an 8-bit output value, so the developed SBI is an 8-bit design. The generated in value is used in the DIES to generate the unpredictable AID, challenge, device nonce and server nonce for each clock cycle and for each plain text. Generating the AID, challenge, device nonce and server nonce in this way makes it difficult for hackers who are trying to identify the key values. Therefore, the confidentiality of the data transferred from the device to the server is improved using this APUF-DIES-IoT architecture.
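The SBI seed generation above and the DIES inversion modes from the preceding section, modelled together in Python as an added example (not the paper's Verilog). The S-box contents (the PRESENT cipher's 4-bit S-box standing in for Table 3), the dropped adder carry, the T1/T2 nibble order, the select-code mapping and the minimum-switching rule standing in for the comparator table (Table 2) are assumptions.

```python
"""Behavioural model of the SBI -> DIES data path (added example)."""

# ASSUMPTION: Table 3 is not reproduced on this page; the 4-bit S-box of the
# PRESENT block cipher stands in for the paper's S-box.
SBOX4 = (0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
         0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2)

# ASSUMPTION: select codes follow the order the text lists them in
# (Full, No, Odd, Even invert = 00, 01, 10, 11). With bits numbered
# in[7]..in[0], "even" inverts in[6], in[4], in[2] and in[0].
INVERT_MASK = {0b00: 0xFF, 0b01: 0x00, 0b10: 0xAA, 0b11: 0x55}


def sbox_add(byte):
    """Split a byte into T1 (high nibble) and T2 (low nibble), substitute, then add."""
    t1, t2 = (byte >> 4) & 0xF, byte & 0xF
    return (SBOX4[t1] + SBOX4[t2]) & 0xF  # ASSUMPTION: the adder carry is dropped


def sbi_seed(d):
    """8-bit seed in = {out2, out1}: out1 comes from D, out2 from the inverted D'."""
    d &= 0xFF
    out1 = sbox_add(d)
    out2 = sbox_add(~d & 0xFF)
    return (out2 << 4) | out1


def dies_apply(value, sel):
    """Apply one inversion mode; each mode is an XOR mask, so it is its own inverse."""
    return (value ^ INVERT_MASK[sel]) & 0xFF


def switching(prev, cur):
    """Number of bit positions that toggle between two consecutive outputs."""
    return bin((prev ^ cur) & 0xFF).count("1")


def dies_select(prev_out, value):
    """ASSUMPTION replacing the comparator table: choose the mode whose output
    toggles the fewest bits against the previous output (ties: lowest code)."""
    return min(INVERT_MASK,
               key=lambda s: (switching(prev_out, dies_apply(value, s)), s))


def generate(raw_values, prev_out=0x00):
    """Run D -> SBI -> DIES for each raw 8-bit value; return (sel, output) pairs."""
    trace = []
    for d in raw_values:
        seed = sbi_seed(d)
        sel = dies_select(prev_out, seed)
        prev_out = dies_apply(seed, sel)
        trace.append((sel, prev_out))
    return trace


if __name__ == "__main__":
    # Constructed sample inputs, not values taken from the paper.
    for sel, out in generate([0x00, 0xD0, 0x3C, 0xFF]):
        print(f"sel={sel:02b} out={out:08b}")
    print(f"even invert of 11010000 -> {dies_apply(0xD0, 0b11):08b}")
```

With select code 11 the model maps 11010000 to 10000101, the same input and output pair that appears in the DIES waveform discussion in the results section.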

Simulation setup
The APUF-DIES-IoT architecture is designed and implemented in the Xilinx software, running on a system with 4 GB RAM and a 500 GB hard disk. The logical elements used in the authentication and setup phases are designed in the Verilog language. The hardware utilization of the APUF-DIES-IoT architecture is analyzed using the Xilinx 14.4 software. Further, the verification of the authentication phase and setup mode is performed using the Modelsim 10.5 software.

Results and discussion
At first, the setup phase is established for each IoT device, and this setup phase is mainly driven by control signals. The clock, enable and reset are enabled as control signals for these devices. The enable and reset signals are varied according to the number of devices connected to the server. In this phase, a total of 100 ns is required to process a single cycle. The 100 ns is divided into 50 ns and 50 ns for the positive and negative clock edges. Moreover, the rising edge and 1 are used to define the edge type and logical value, respectively. The phase control signal of this setup phase is represented as 0. For the remaining control signals, the value is denoted as 1 for operating the setup with acceptable losses.
The setup phase is given to the main block once the input block is set in the APUF-DIES-IoT architecture. The device generates its ID and a request to the server when the input value is applied to the main block. The challenge value is generated for the devices according to the request. Subsequently, the generated challenge value is processed on the server, and the server generates the response for the respective devices. Here, the response generation in the server is done by two devices, the PUF and the adaptive PUF. The inputs given to the module are the control signals and the challenge values. The conventional PUF generates only a standard response due to its standard challenge value. Hence, there is no variation in the generated response value, which is easily hacked by unauthorized users to process the preserved data. On the other hand, the APUF generates response values with higher randomness based on its feedback process and the random bit pair consideration during the APUF XOR operation.
The IoT devices get the random number that is helpful in the authentication phase once the response is generated in the server. In this APUF-DIES-IoT architecture, the challenge, AID, device nonce and server nonce are generated using the combination of DIES and SBI. The independent control over the odd and even bits of multiplier and multiplicand, the Odd Invert and Even Invert bit, is used to increase the randomness of the challenge, AID, device nonce and server nonce. The switching activity between the selection lines is used to minimize the linearity between the values. Next, the simulation waveform of the overall process of DIES using SBI is shown in Fig. 6.
The control signals of Fig. 6 are clk and rst, and the 8-bit input is termed in[7:0]. From the input given to DIES (11010000), the ones, zeroes, even and odd values are calculated to obtain the random AID, challenge, device nonce and server nonce. The values of ones, zeroes, even and odd are 0001, 0000, 0001 and 0000, respectively. Subsequently, the selection line is selected using the values of ones, zeroes, even and odd. Further, the output obtained from the DIES method is 10000101, i.e., 108. The analysis of the input and output of the DIES operation is shown in Fig. 7.
After completing the setup phase, every IoT device registers its own ID number in the server and receives an adequate response from the server. The server nonce and device nonce are given as input to the IoT devices. Each IoT device checks the device and server nonce values to verify whether or not they exist in the received server and device nonces. Subsequently, the new key hash response and helper data are generated by the IoT device by separating the server nonce. Accordingly, the generated values are given as input to the server to get the authentication. The device nonce and server nonce are present in the key hash response of the server. Finally, the server provides the authentication for the IoT devices when the IoT device nonce exists in the key hash function. The hardware utilization and security analysis of the APUF-DIES-IoT architecture are given in the following section.

FPGA results and analysis
The hardware utilization of the APUF-DIES-IoT architecture is compared with two existing architectures, the TFA-RPUF-IoT architecture and the TFA-PUF-IoT architecture [28]. These architectures are designed in the Verilog language, and the hardware utilization of these architectures is given in Table 4. The graphical illustration of the hardware utilization comparison for APUF-DIES-IoT developed in Spartan 6 is shown in Fig. 8. Meanwhile, the comparison of the APUF and the conventional PUF [28] is given in Table 5. Next, the graphical illustration of the hardware utilization comparison for the PUF and APUF modules developed in Spartan 6 is shown in Fig. 9.
From Table 4 and Fig. 7, it is known that the proposed APUF-DIES-IoT architecture achieves better performance when compared to both the TFA-RPUF-IoT and TFA-PUF-IoT [28]. For example, the LUT, slices and flip flops of APUF-DIES-IoT in the Spartan 6 FPGA are 10, 10 and 35, respectively, which are fewer than those of the TFA-RPUF-IoT and TFA-PUF-IoT [28]. Moreover, the higher frequency of the APUF-DIES-IoT architecture, i.e., 533.67 MHz, shows that it has a higher operating speed than the remaining architectures. The hardware utilization of the APUF-DIES-IoT architecture is improved due to its automatic generation of the AID, challenge, device nonce and server nonce. Next, Table 5 and Fig. 8 show the analysis of hardware utilization for both the PUF and APUF. The APUF used in the APUF-DIES-IoT architecture utilizes fewer hardware resources than the conventional PUF architecture [28]. However, the hardware utilization on the Virtex 6 is higher than on the Spartan 6, because it requires a larger number of logical elements to create the design. Further, Table 6 shows that the DIES uses 5 slices, 7 LUT and 7 flip flops when implemented in the Virtex 6 device. Here, the automatic generation of the AID, challenge, server nonce and device nonce is used to reduce the logical elements of the APUF-DIES-IoT architecture compared with the conventional PUF architecture [28].
Tables 7 and 8 show the analysis of the TFA and security performances for the APUF-DIES-IoT architecture along with two existing architectures, TFA-RPUF-IoT and TFA-PUF-IoT [28]. Tables 7 and 8 compare the APUF-DIES-IoT architecture with existing research [25][26][27][28] and TFA-RPUF-IoT to analyze the authentication and security features. The clock synchronization, secure algorithm, device security and attacks are evaluated during TFA, and the outputs (i.e., Yes or No) are tabulated in the respective portions. Next, the safety against attacks, two-factor secrecy, mutual authentication and PUF model are analyzed in the security analysis. For both analyses, the random response for each clock is evaluated for PUF-IoT [28] and APUF-DIES-IoT. The TFA-RPUF-IoT and APUF-DIES-IoT architectures provide better performance than the existing research [25][26][27][28], because the TFA-RPUF-IoT and APUF-DIES-IoT generate random input data even when the input remains the same for all clock cycles. The code generated in all clock cycles is the same in the TFA-PUF [28]. Therefore, the code generated by the TFA-PUF can easily be predicted by hackers [28]. However, the random values such as the AID, challenge, device nonce and server nonce generated by the DIES are used to improve the security against hackers. The APUF-DIES-IoT architecture also has lower hardware utilization than the TFA-RPUF-IoT. Therefore, the APUF-DIES-IoT architecture is considered better than the existing security mechanisms developed for the IoT.

Table 7
Analysis of TFA performances for different security architectures of IoT (columns: Security property, Amin [25], Han [26], Xie [27], TFA-PUF-IoT [28])

Security analysis
Different security analyses are evaluated for this APUF-DIES-IoT architecture.

Session Key agreement
The IoT device and server share the same session key once the mutual authentication is completed in the IoT. Here, the side channel attack affects the transmission line during the data transmission. If the side channel attack occurs in the APUF-DIES-IoT architecture, the secret key agreement is not encrypted, based on the session key corruption. The server does not give the authentication for the IoT devices, even when the secret key is changed in the IoT. Hence, the proposed APUF-DIES-IoT architecture has the capacity to provide the session key agreement.

Conclusion
In this paper, the combination of DIES and SBI is introduced to provide the random values of AID, challenge, server nonce and device nonce for accomplishing secure communication. The security is additionally improved based on the random seed value generated by using the SBI. The selection line switching property helps to increase the randomness of AID, challenge, server nonce and device nonce between all clock cycles. Additionally, the LFSR is used in the APUF to generate the random response for every clock cycle. The combination of APUF and DIES effectively improves the security in the IoT system. Hence, the communication between the IoT devices and the server is secured by using the proposed APUF-DIES-IoT architecture. Moreover, the automatic generation of the AID, challenge, server nonce and device nonce is used to minimize the logical elements used in the APUF-DIES-IoT architecture. Accordingly, the delay and operating frequency of the APUF-DIES-IoT architecture are improved during the server to device communication. From the performance analysis, it is clear that the proposed APUF-DIES-IoT architecture has better performance than the conventional architectures such as TFA-PUF-IoT and TFA-RPUF-IoT. The proposed APUF-DIES-IoT architecture designed in the Virtex 6 uses 36 flip flops, which is fewer than the conventional TFA-PUF-IoT and TFA-RPUF-IoT architectures. In the future, different optimized architectures will be implemented to reduce the hardware utilization and improve the security.
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.

Fig. 1 Process of setup phase

Fig. 5 Architecture of the S-box-based inverter

Fig. 6 Simulation waveform of the overall process of DIES

Table 4
Analysis of hardware utilization for different security architectures

Fig. 9 Hardware utilization comparison of PUF and APUF for Spartan 6

• The APUF-DIES-IoT architecture considers different IoT devices in each clock cycle to accomplish the security over the system. Hence, there is no possibility of acquiring the same response value from the APUF, because each IoT has the different ID and challenge values which are used to obtain the different responses from the APUF.

Table 1
Related work

Table 5
Analysis of hardware utilization for conventional PUF and APUF

Table 6
Analysis of hardware utilization for DIES used in the APUF-DIES-IoT architecture

Table 8
Analysis of security performances for different security architectures of IoT