1 Introduction

The Internet of Things (IoT) contains a huge number of devices that are interconnected over the public Internet [1, 2]. IoT denotes the network of devices, machines, objects and other physical systems that have computing, embedded sensing and communication capabilities. These devices allow systems to sense and transmit real-time data about the physical world [3, 4]. The highly intelligent facilities provided by the IoT improve people's daily lives. Examples of IoT applications include smart industries, smart homes, smart transportation, smart health care and smart cities [5, 6]. Design processes and miniaturized processing techniques are used to improve the IoT. Hence, an improved design process and communication protocol result in high energy storage capacity, high data rate and significant computing capacity [7, 8]. Information exchange between IoT devices is affected by theft, privacy violation and cyber-attacks. To overcome these issues, cryptographic techniques are used to enable secure communication [9, 10]. Generally, a complex software/hardware architecture is used to create the random number sequences from which the public and private keys are derived. These public and private keys are then used to provide security in IoT applications [11, 12].

Examples of techniques used to provide security in IoT include the proxy-based key agreement protocol [13], malware detection mechanism [14], lightweight block cipher [15], lightweight elliptic curve cryptography [16], PHOTON hash function [17] and so on. Key management is considered an important constraint in IoT, because of the huge number of devices and the restricted resources in the network. In key management, the frequent generation of new keys is difficult during the key generation phase. Moreover, the frequent generation of new keys causes higher energy consumption and reduces the device lifetime [18]. Therefore, the development of security is difficult on resource-constrained hardware platforms such as radio frequency identification and sensors. For IoT devices, complex cryptographic functions cause a large overhead in area and energy. For example, the advanced encryption standard (AES) is not appropriate for resource-constrained applications, because of its area and energy/power requirements [19]. Subsequently, the physically unclonable function (PUF) circuit has been developed as a capable hardware security technique for low-overhead security applications, since the working principle of a PUF is mainly based on the effects of nano-scale device-level process variation [20]. Moreover, data is protected using data flipping in Bose–Chaudhuri–Hocquenghem codes [21]. This flip method is also used to prevent information loss in super-resolution technology [22]. The main motivation of this work is to improve the security of the IoT device while minimizing the hardware utilization of the APUF–DIES-IoT architecture.

The major contributions of the paper are given as follows:

  • The data inverting encoding scheme (DIES) using an S-box-based inverter (SBI) generates random values of the one-time alias identity (AID), challenge, server nonce and device nonce, which improve the security of device-to-server communication. Automatic generation of the AID, challenge, server nonce and device nonce decreases the hardware utilization.

  • Moreover, these four values are generated with high randomness in each clock cycle by appropriate switching between the selection lines.

  • Next, the adaptive PUF (APUF) generates a response value with higher randomness using a linear feedback shift register (LFSR). Accordingly, the two-factor authentication (TFA) and security characteristics are analyzed to evaluate the performance of the APUF–DIES-IoT architecture.

  • The APUF–DIES-IoT architecture considers different IoT devices in each clock cycle to accomplish security over the system. Hence, there is no possibility of acquiring the same response value from the APUF, because each IoT device has different ID and challenge values, which are used to obtain different responses from the APUF.

The paper is organized as follows: Sect. 2 provides the literature survey of recent security mechanisms in the IoT. The problems found in the existing research and the solutions to those problems are stated in Sect. 3. Section 4 provides a detailed description of the APUF–DIES-IoT architecture. The results and discussion of the APUF–DIES-IoT architecture are described in Sect. 5. Finally, the conclusion is given in Sect. 6.

2 Related works

The literature survey about the existing techniques related to the PUF and security mechanisms used in the IoT is given in Table 1.

Table 1 Related work

3 Problem statement

The problems found from the literature survey and solutions for the problems are described in this section.

In the lightweight mutual authentication protocol [24], the authentication latency is low only when the PUF is processed with a smaller message size. For an effective IoT system, the delay between data transmissions should be small to achieve faster data transmission. Adding system components makes the IoT system susceptible to security threats [22]. Additionally, the code generated by the TFA-PUF is identical in all clock cycles. Hence, these code values are easily predicted by hackers [28]. The manual incorporation of challenge values increases the hardware utilization, which affects the delay and operating frequency. Moreover, the generated AID, challenge, device nonce and server nonce are the same in every iteration, so they are easy for hackers to predict during IoT communication.

3.1 Solution

The random generation of the AID, challenge, device nonce and server nonce at each clock cycle, using the selection line switching property of DIES with SBI, effectively improves the security against unauthorized users. Here, the SBI uses the substitution-box (S-box) operation to generate the 8-bit seed value for the DIES through the substitution process. Automatic generation of the AID, challenge, device nonce and server nonce using DIES helps to minimize the number of logical elements in the implementation. Hence, the lower hardware utilization increases the speed of the APUF–DIES-IoT architecture, which minimizes the delay and increases the operating frequency.

4 APUF–DIES-IoT architecture

In the APUF–DIES-IoT architecture, the DIES using SBI generates random values of the AID, challenge, device nonce and server nonce at each clock cycle, which increases the security against hackers. Moreover, the APUF generates random response values using the LFSR. The overall process of the APUF–DIES-IoT architecture is divided into two phases: the setup phase and the authentication phase. Both phases are described in the following sections.

4.1 Setup phase

During the setup phase, the IoT device produces the identity number (ID) and a request, and the ID and request are passed to the server. Figure 1 shows the operation of the setup phase. More specifically, the green and blue blocks in Fig. 1 represent the IoT device and the server. The values received from the IoT devices are kept in the server, and the challenge value is created using the ID. Next, the generated challenge values are associated with the same IoT device. Here, the challenge value is used to form the response value by using the APUF.

Fig. 1 Process of setup phase

The response values, i.e., \(R_{1}, R_{2}, \ldots, R_{n}\), are kept in the server and are used to generate the synchronization key \(\left( {{\text{SK}}} \right)\), master key \(\left( {{\text{MK}}} \right)\), fake identity \(\left( {{\text{FI}}} \right)\) and one-time alias identity \(\left( {{\text{AID}}} \right)\). Subsequently, the generated values of \({\text{SK}}, {\text{MK}}, {\text{FI}}\) and \({\text{AID}}\) are kept in the IoT devices to accomplish the security. The same setup process of the APUF–DIES-IoT architecture is carried out for all the IoT devices. This setup phase is two-factor authentication, because the \({\text{SK}}, {\text{MK}}, {\text{FI}}\) and \({\text{AID}}\) are generated only when a request is received from the devices. This process is performed for every IoT device, which improves the security. Additionally, the pairs of fake identities and synchronization keys are generated by the server as shown in Eq. (1).

$$\left( {{\text{FD}},{\text{ SK}}} \right) = \left\{ {\left( {fid_{1} ,{ }k_{1} } \right),{ }\left( {fid_{2} ,{ }k_{2} } \right), \ldots ,\left( {fid_{n} ,{ }k_{n} } \right){ }} \right\}$$
(1)

where the fake identities are represented as \(fid_{1}, fid_{2}, \ldots, fid_{n}\), the synchronization keys are represented as \(k_{1}, k_{2}, \ldots, k_{n}\) and \(n\) specifies the number of IoT devices.

4.2 Authentication phase

Access authorization is granted to an IoT device only when the device nonce and server nonce match during the authentication phase. Figure 2 shows the authentication phase of the APUF–DIES-IoT architecture. As in the setup phase, the green and blue blocks represent the IoT device and the server.

Fig. 2 Flowchart of the authentication phase

In the authentication phase, the \({\text{AID}}\) is verified by the random number request, and the request message \(\left( {M1} \right)\) is transmitted to the server to accomplish the communication. The request message \(M1\) is stored in the device and is expressed in Eq. (2).

$$M1:\left\{ {{\text{AID}},N_{d}^{*} } \right\}$$
(2)

where \(N_{d}^{*} = N_{d} \oplus K_{ds}\). The random number created during the communication is represented as \(N_{d}\) and the secret key is represented as \(K_{ds}\).

The response value, challenge and master key are stored when the AID is matched in the authentication phase. Otherwise, the generated request is discarded. Subsequently, the hash key response and server nonce \(\left( {N_{s} } \right)\) are generated by the server. The server creates the response message \(\left( {M2} \right)\) as shown in Eq. (3).

$$M2:\left\{ {C,{ }N_{s}^{*} ,V_{0} } \right\}$$
(3)

where the challenge value is represented as \(C\), \(N_{s}^{*} = K_{ds} \oplus N_{s}\), \(V_{0} = h\left( N_{d} \,\|\, K_{ds} \,\|\, N_{s}^{*} \right)\) and \(h\) specifies the one-way hash function. Then, \(M3\) is generated by the IoT device when the response is matched during the interaction, and this \(M3\) is expressed in Eq. (4).

$$M3:\left\{ {R_{{{\text{new}}}}^{*} { },V_{1} ,{ }hd^{*} } \right\}$$
(4)

where \(R_{\text{new}}^{*} = k \oplus R_{\text{new}}^{\prime}\), \(R_{\text{new}}^{\prime} = {\text{RPUF}}_{D_{i}} \left( C_{\text{new}} \right)\), \(C_{\text{new}} = h\left( C_{i} \,\|\, K_{i} \right)\), \(hd^{*} = h\left( K_{ds} \,\|\, k \,\|\, hd \right)\), \(hd = h\left( K_{ds} \,\|\, N_{s} \right) \oplus hd^{*}\), \(k = {\text{FE.Rec}}\left( R,\,hd \right)\), \(R^{\prime} = {\text{RPUF}}_{D_{i}} \left( C \right)\) and \(V_{1} = h\left( N_{s} \,\|\, k \,\|\, R_{\text{new}}^{*} \,\|\, hd^{*} \right)\). The \({\text{FE}}.{\text{Gen}}\) specifies the helper data generation algorithm, \(R^{\prime}\) specifies the APUF output, \(hd\) is the helper data, \(k\) is the key element and \(V_{1}\) specifies the key hash response.

The Fuzzy Extractor recovery module is used to address the noise caused in the operation of the PUF. The PUF generates a random number at each clock cycle, which is compared with the key hash response value. Therefore, the IoT device receives authorization from the server when the server nonce and device nonce exist in the key hash function. Once Device 1 is authenticated, the next IoT device (Device 2) performs the same authentication operation. The authentication phase is performed for each and every IoT device whose APUF values were updated in the setup phase itself.
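The M1/M2 part of this exchange (Eqs. (2) and (3)), with both sides' checks, as an added example that is not code from the paper. SHA-256 for \(h\), 16-byte nonces and keys, and all class and function names are assumptions; the sample AID and challenge are constructed.

```python
import hashlib
import hmac
import secrets
from typing import Dict, NamedTuple, Optional, Tuple

LEN = 16  # bytes per nonce and key (assumption; the page fixes no sizes)


def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("XOR masking needs equal-length operands")
    return bytes(x ^ y for x, y in zip(a, b))


def h(*parts: bytes) -> bytes:
    """h(a || b || ...): SHA-256 stands in for the unspecified one-way hash."""
    return hashlib.sha256(b"".join(parts)).digest()


class M1(NamedTuple):
    aid: bytes
    nd_star: bytes  # N_d* = N_d xor K_ds


class M2(NamedTuple):
    c: bytes
    ns_star: bytes  # N_s* = K_ds xor N_s
    v0: bytes       # V_0 = h(N_d || K_ds || N_s*)


class Device:
    def __init__(self, aid: bytes, k_ds: bytes) -> None:
        self.aid, self.k_ds = aid, k_ds
        self.nd = b""
        self.ns: Optional[bytes] = None

    def build_m1(self) -> M1:
        self.nd = secrets.token_bytes(LEN)  # fresh device nonce per request
        return M1(self.aid, xor(self.nd, self.k_ds))

    def accept_m2(self, m2: M2) -> bool:
        # Recompute V_0 with this session's N_d and compare in constant time.
        expected = h(self.nd, self.k_ds, m2.ns_star)
        if not hmac.compare_digest(expected, m2.v0):
            return False
        self.ns = xor(m2.ns_star, self.k_ds)  # unmask the server nonce
        return True


class Server:
    def __init__(self, records: Dict[bytes, Tuple[bytes, bytes]]) -> None:
        self.records = records  # AID -> (K_ds, C), filled in the setup phase
        self.last_ns: Optional[bytes] = None

    def handle_m1(self, m1: M1) -> Optional[M2]:
        record = self.records.get(m1.aid)
        if record is None:
            return None  # AID not matched: the request is discarded
        k_ds, c = record
        nd = xor(m1.nd_star, k_ds)      # unmask the device nonce
        ns = secrets.token_bytes(LEN)   # fresh server nonce
        ns_star = xor(k_ds, ns)
        self.last_ns = ns
        return M2(c, ns_star, h(nd, k_ds, ns_star))


def demo() -> Dict[str, bool]:
    # Constructed sample values, not taken from the paper.
    k_ds, aid, c = secrets.token_bytes(LEN), b"AID-0001", bytes([0xD0])
    dev, srv = Device(aid, k_ds), Server({aid: (k_ds, c)})

    m2 = srv.handle_m1(dev.build_m1())
    if m2 is None:
        raise RuntimeError("registered AID was not matched")
    # One flipped bit in N_s* must make the V_0 check fail.
    flipped = m2._replace(ns_star=xor(m2.ns_star, b"\x01" + bytes(LEN - 1)))
    tamper_rejected = not dev.accept_m2(flipped)
    accepted = dev.accept_m2(m2) and dev.ns == srv.last_ns

    dev.build_m1()  # next session draws a new N_d
    replay_rejected = not dev.accept_m2(m2)  # old M2 no longer verifies
    unknown_discarded = srv.handle_m1(M1(b"AID-9999", bytes(LEN))) is None
    return {
        "accepted": accepted,
        "tamper_rejected": tamper_rejected,
        "replay_rejected": replay_rejected,
        "unknown_discarded": unknown_discarded,
    }


if __name__ == "__main__":
    print(demo())
```

The replay case shows why \(N_{d}\) has to be fresh per request: \(V_{0}\) binds M2 to the device nonce of the session it answers.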

4.3 Adaptive PUF

The APUF is designed using a linear feedback shift register (LFSR), which is a shift register with feedback. The LFSR is mainly used because of its low gate count, low computation cost and better statistical properties, and it is what allows the APUF to provide a random response value. A conventional LFSR provides the same random value again after a certain clock period, which affects the security of the IoT system. However, the APUF–DIES-IoT architecture considers different IoT devices in each clock cycle to accomplish security over the system. Hence, there is no possibility of acquiring the same response value from the APUF, because each IoT device has different ID and challenge values, which are used to obtain different responses from the APUF. In the LFSR, the flip-flop output is fed back to the input of the XOR gate, and the output of the XOR gate is given as input to the first flip-flop. The initial value saved in the shift register is referred to as the seed value. The LFSR is used to generate the random sequence of bits, and the feedback output is given to the XOR gate, since the XOR gate is used to improve the confusion property of the LFSR. Specifically, the difference between the response values is high when this XOR gate is used. Moreover, this LFSR is capable of generating the possible states with a period of \(N = 2^{n} - 1\), where \(n\) is the number of registers. The possible states of the LFSR exclude the all-zero state.

In general, the IoT device creates the challenge value and passes it to the server to obtain authorization. The conventional PUF module generates the same response in all clock cycles. Hence, the identical response values can be predicted by an unauthorized user. The APUF used in the proposed method, however, generates a different response value in each and every clock cycle. Equation (5) specifies the challenge input values given to the LFSR, and Eq. (6) specifies the response output from the LFSR.

$${\text{challenge}} \left( C \right) = \left\{ {c\left[ 7 \right],c\left[ 6 \right],c\left[ 5 \right],c\left[ 4 \right],c\left[ 3 \right],c\left[ 2 \right],c\left[ 1 \right],c\left[ 0 \right]} \right\}$$
(5)
$${\text{Response}} \left( R \right) = \left\{ {r\left[ 7 \right],r\left[ 6 \right],r\left[ 5 \right],r\left[ 4 \right],r\left[ 3 \right],r\left[ 2 \right],r\left[ 1 \right],r\left[ 0 \right]} \right\}$$
(6)

where the values of \(c \left[ 0 \right] - c \left[ 7 \right]\) and \(r \left[ 0 \right] - r \left[ 7 \right]\) represent the challenge values and response values, respectively.

The generation of response for IoT devices is expressed as follows:

$$\begin{gathered} {\text{always}}\,@\,\left( {{\text{posedge clk}}} \right) \hfill \\ \quad {\text{if}}\,\left( {{\text{rst}}} \right) \hfill \\ \quad \quad {\text{Response}}\left( R \right) = {\text{Challenge}}\left( C \right) \hfill \\ \quad {\text{else}} \hfill \\ \quad \quad {\text{Response}}\left( R \right) = \left\{ {r\left[ 0 \right] \wedge r\left[ 3 \right],\;r\left[ {7:1} \right]} \right\} \hfill \\ \end{gathered}$$

In this APUF, the response is generated at the positive edge of the clock signal, starting from the challenge value. Therefore, the variation in the bit pair at each clock cycle makes it difficult for unauthorized users to predict the response value. Further, the APUF is used to achieve secure communication between the devices based on the frequent change of the bit position pair.
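A software model of the update rule above, added here as an example (it is not the paper's Verilog); the function names are assumptions. It measures how many clocks pass before a challenge's response sequence repeats and checks that distinct challenges never share a response on the same clock.

```python
from typing import Dict, List

WIDTH = 8                  # c[7:0] / r[7:0] as in Eqs. (5) and (6)
MASK = (1 << WIDTH) - 1


def apuf_step(r: int) -> int:
    """One posedge with rst low: Response = {r[0] ^ r[3], r[7:1]}."""
    r &= MASK
    feedback = (r ^ (r >> 3)) & 1                 # r[0] XOR r[3]
    return (feedback << (WIDTH - 1)) | (r >> 1)   # new MSB, rest shifted right


def responses(challenge: int, clocks: int) -> List[int]:
    """Responses on successive clocks; rst loads the challenge as the seed."""
    r = challenge & MASK
    out = [r]
    for _ in range(clocks):
        r = apuf_step(r)
        out.append(r)
    return out


def period(challenge: int) -> int:
    """Clocks until the response returns to the seed (the step is invertible)."""
    start = challenge & MASK
    r, n = apuf_step(start), 1
    while r != start:
        r, n = apuf_step(r), n + 1
    return n


def cycle_structure() -> Dict[int, int]:
    """Map cycle length -> number of seeds lying on cycles of that length."""
    seen, lengths = set(), {}
    for seed in range(1 << WIDTH):
        if seed in seen:
            continue
        n = period(seed)
        seen.update(responses(seed, n - 1))
        lengths[n] = lengths.get(n, 0) + n
    return lengths


def distinct_at_clock(clocks: int) -> bool:
    """True if all 256 challenges give pairwise different responses after `clocks`."""
    finals = {responses(seed, clocks)[-1] for seed in range(1 << WIDTH)}
    return len(finals) == 1 << WIDTH


if __name__ == "__main__":
    print("cycle lengths:", sorted(cycle_structure().items()))
    print("challenge 0xE9 repeats after", period(0xE9), "clocks")
    print("distinct responses per clock:", distinct_at_clock(5))
```

For this update rule the 256 seeds fall on cycles of length 1, 7, 31 and 217, so how soon a device's responses repeat depends on the challenge loaded at reset.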

4.4 Data inverting encoding scheme

In the proposed method, DIES is developed to improve the security of lightweight cryptography. The developed DIES uses a confusion property similar to the S-box: it processes 8-bit input data to provide 8-bit data at the output. The input and output of DIES are identical in size, but the output carries different values. The input and output of the encoder module are each 8 bits wide. The DIES increases the randomness of the AID, challenge, device nonce and server nonce by independently controlling the odd and even bits of the multiplier and multiplicand through the Odd Invert and Even Invert bits, respectively. This reduces linearity in the random data by comparing the switching activity for the four possible cases of the Full, No, Odd and Even Invert lines (00, 01, 10, 11) and then choosing the value with the smallest switching activity to reduce computational cost. In particular, the input toggling sequences 01 → 10 and 10 → 01 result in 4 times more switching events. The two-phase switching sequence is introduced in order to reduce total power consumption. The encoder module encodes the output of the random number generator based on the number of zeroes and ones in the sequence, or its run length. It defines the data to be inverted based on the zeroes and ones. It consists of internal modules such as a shift register, even counter, odd counter, comparator and inverter, shown in Fig. 3, and the overall data flipping architecture is shown in Fig. 4.

Fig. 3 Encoder module

Fig. 4 Architecture of DIES

Table 2 Calculation selection line

For instance, the calculation of the AID using DIES is described as follows.

At first, the 8-bit input seed value (in) is obtained from the S-box-based inverter, and this 8-bit in value is given as input to the ones calculation, which calculates the ones, zeroes, odd and even values of the input. In the ones calculation process, the counter is zero during reset, and the counter is incremented by 1 while it is less than 9. Consider the initial ones, zeroes, odd and even values to be \(0000\). Subsequently, the ones, zeroes, odd and even values are calculated for each bit of the seed value (i.e., 8 bits in total).

The calculation of ones, zeroes, odd and even values for \(0\)th bit, when \(0\)th bit is equal to 1 and 0 is expressed in Eqs. (7) and (8).

$$\begin{gathered} {\text{ones}} = {\text{ones}} + 1 \hfill \\ {\text{zeroes}} = {\text{zeroes}} \hfill \\ {\text{even}} = {\text{even}} + 1 \hfill \\ {\text{odd}} = {\text{odd}} \hfill \\ \end{gathered}$$
(7)

If the \(0\)th bit is equal to 1, the output is \(1010\). Otherwise it is equal to \(0100\).

$$\begin{gathered} {\text{ones}}\,{ = }\,{\text{ones}} \hfill \\ {\text{zeroes}} = {\text{zeroes}} + 1 \hfill \\ {\text{even}} = {\text{even}} \hfill \\ {\text{odd}} = {\text{odd}} \hfill \\ \end{gathered}$$
(8)

Similarly, the calculation of the ones, zeroes, odd and even values for the remaining 7 bits is performed and it is concatenated at the end of ones calculation. Accordingly, the 4-bit values of ones, zeroes, odd and even values are given as input for comparator to obtain the 2 bits of selection line values (Table 2).

Further, the input seed value is modified based on the selection line value that is used to increase the randomness between the AID values generated in each clock cycle. The calculation of AID for the selection line of 00, 01, 10 and 11 is given in Eqs. (9), (10), (11) and (12), respectively.

$${\text{AID }} = \left\{ {\sim {\text{in}}} \right\}$$
(9)
$${\text{AID}} = \left\{ { {\text{in}}\left[ 7 \right], \sim {\text{in}}\left[ 6 \right],\,{\text{in}}\left[ 5 \right],\sim {\text{in}}\left[ 4 \right],\,{\text{in}}\left[ 3 \right],\sim {\text{in}}\left[ 2 \right],\,{\text{in}}\left[ 1 \right],\sim {\text{in}}\left[ 0 \right]} \right\}$$
(10)
$${\text{AID}} = \left\{ {\sim {\text{in}}\left[ 7 \right],\,{\text{in}}\left[ 6 \right],\sim {\text{in}}\left[ 5 \right],\,{\text{in}}\left[ 4 \right],\sim {\text{in}}\left[ 3 \right],\,{\text{in}}\left[ 2 \right],\sim {\text{in}}\left[ 1 \right],\,{\text{in}}\left[ 0 \right]} \right\}$$
(11)
$${\text{AID}} = \sim {\text{out}}$$
(12)

Similarly, the challenge, device nonce and server nonce are calculated using the same DIES process. The generated AID, challenge, device nonce and server nonce are used to establish secure communication between the device and the server.

4.5 S-box-based Inverter

In the SBI, an 8-bit seed value is generated to improve the randomness of the AID, challenge, device nonce and server nonce produced by the DIES. The combination of DIES and SBI is used to generate unpredictable keys that help to improve the security of device-to-server communication. Figure 5 shows the architecture of the SBI.

Fig. 5 Architecture of the S-box-based inverter

Initially, an 8-bit random value, represented as \(D\), is taken as the input to the SBI. Meanwhile, the 8-bit input value is transformed by the inverter, and the result is represented as \(D^{\prime}\). The 8-bit random value \(D\) is stored in Register 1 and is split into two 4-bit values as shown in Eq. (13).

$$\begin{aligned} T1 = & D\left[ {7:4} \right] \\ T2 = & D\left[ {3:0} \right] \\ \end{aligned}$$
(13)

Next, the truncated data \(T1\) and \(T2\) are given to the S-box (substitution-box), which performs the substitution process shown in Table 3. The S-box generates \(S1\) and \(S2\) for the truncated data \(T1\) and \(T2\), respectively.

Table 3 S-box operation

After the S-box process is completed, \(S1\) and \(S2\) are given to the adder, which generates the 4-bit value \({\text{out}}1\). In parallel, a 4-bit value \({\text{out}}2\) is generated for \(D^{\prime}\). Further, \({\text{out}}1\) and \({\text{out}}2\) are concatenated to generate the 8-bit value \(\left( {{\text{in}}} \right)\) as shown in Eq. (14). Here, \({\text{out}}2\) is taken as the MSB part and \({\text{out}}1\) as the LSB part of the 8-bit \({\text{in}}\) value.

$${\text{in}} = \left\{ {{\text{out}}2 \left[ {7:4} \right],\,{\text{out}}1 \left[ {3:0} \right]} \right\}$$
(14)

The designed SBI takes an 8-bit input and provides an 8-bit output value, so the developed SBI is an 8-bit design. The generated \({\text{in}}\) value is used in the DIES to generate an unpredictable AID, challenge, device nonce and server nonce for each clock cycle and for each plain text. Generating the AID, challenge, device nonce and server nonce in this way makes it difficult for hackers who are trying to identify the key values. Therefore, the confidentiality of the data transferred from the device to the server is improved by the APUF–DIES-IoT architecture.

5 Simulation setup

The APUF–DIES-IoT architecture is designed and implemented in the Xilinx 14.4 software, running on a system with 4 GB RAM and a 500 GB hard disk. The logical elements used in the authentication and setup phases are designed in the Verilog language. The hardware utilization of the APUF–DIES-IoT architecture is analyzed using the Xilinx 14.4 software. Further, the authentication phase and setup mode are verified using the Modelsim 10.5 software.

5.1 Results and discussion

At first, the setup phase is established for each IoT device, and this setup phase is mainly driven by control signals. The clock, enable and reset are the control signals for these devices. The enable and reset signals vary according to the number of devices connected to the server. In this phase, a total of 100 ns is required to process a single cycle. The 100 ns is divided into 50 ns and 50 ns for the positive and negative clock edges. Moreover, the rising edge and 1 are used to define the edge type and logical value, respectively. The phase control signal of the setup phase is represented as 0. For the remaining control signals, the value is set to 1 to operate the setup with acceptable losses.

The setup phase is passed to the main block once the input block is set in the APUF–DIES-IoT architecture. When the input value is applied to the main block, the device generates its ID and a request to the server. The challenge value is generated for the devices according to the request. Subsequently, the generated challenge value is processed on the server, and the server generates the response for the respective devices. Here, the response generation in the server is done by two modules: the PUF and the adaptive PUF. The inputs given to the module are the control signals and the challenge values. The conventional PUF generates only a standard response because of its standard challenge value. Hence, there is no variation in the generated response value, which is easily hacked by unauthorized users to process the preserved data. On the other hand, the APUF generates response values with higher randomness, based on its feedback process and the random bit pair considered during the APUF XOR operation.

Once the response is generated in the server, the IoT devices get the random number that is used in the authentication phase. In the APUF–DIES-IoT architecture, the challenge, AID, device nonce and server nonce are generated by the combination of DIES and SBI. Independent control over the odd and even bits of the multiplier and multiplicand, through the Odd Invert and Even Invert bits, is used to increase the randomness of the challenge, AID, device nonce and server nonce. The switching activity between the selection lines is used to minimize the linearity between the values. Next, the simulation waveform of the overall process of DIES using SBI is shown in Fig. 6.

Fig. 6 Simulation waveform of the overall process of DIES

The control signals in Fig. 6 are \({\text{clk}}\) and \({\text{rst}}\), and the 8-bit input is termed \({\text{in}}\left[ {7:0} \right]\). From the input given to DIES \(\left( {11010000} \right)\), the ones, zeroes, even and odd values are calculated to obtain the random AID, challenge, device nonce and server nonce. The values of ones, zeroes, even and odd are \(0001, 0000, 0001\) and \(0000\), respectively. Subsequently, the selection line is chosen using the values of ones, zeroes, even and odd. Further, the output obtained from the DIES method is \(10000101\), i.e., 108. The analysis of the input and output of the DIES operation is shown in Fig. 7.

Fig. 7 Simulation waveform of the DIES operation

After the setup phase is completed, all the IoT devices register their own ID numbers with the server and receive an adequate response from the server. The server nonce and device nonce are given as input to the IoT devices. Each IoT device checks whether these values exist in the received server and device nonces or not. Subsequently, the new key hash response and helper data are generated by the IoT device by separating the server nonce. Accordingly, the generated values are given as input to the server to obtain authentication. The device nonce and server nonce are present in the key hash response of the server. Finally, the server authenticates the IoT device when the IoT device nonce exists in the key hash function. The hardware utilization and security analysis of the APUF–DIES-IoT architecture are given in the following sections.

5.2 FPGA results and analysis

The hardware utilization of the APUF–DIES-IoT architecture is compared with two existing architectures, the TFA-RPUF-IoT architecture and the TFA-PUF-IoT architecture [28]. These architectures are designed in the Verilog language, and their hardware utilization is given in Table 4. The graphical illustration of the hardware utilization comparison for APUF–DIES-IoT on Spartan 6 is shown in Fig. 8. Meanwhile, the comparison of the APUF and the conventional PUF [28] is given in Table 5. Next, the graphical illustration of the hardware utilization comparison for the PUF and APUF modules on Spartan 6 is shown in Fig. 9.

Table 4 Analysis of hardware utilization for different security architectures
Table 5 Analysis of hardware utilization for conventional PUF and APUF
Fig. 9 Hardware utilization comparison of PUF and APUF for Spartan 6

From Table 4 and Fig. 7, it can be seen that the proposed APUF–DIES-IoT architecture achieves better performance than both the TFA-RPUF-IoT and TFA-PUF-IoT [28]. For example, the LUTs, slices and flip-flops of APUF–DIES-IoT on the Spartan 6 FPGA are 10, 10 and 35, respectively, which are fewer than those of the TFA-RPUF-IoT and TFA-PUF-IoT [28]. Moreover, the higher frequency of the APUF–DIES-IoT architecture, i.e., 533.67 MHz, shows that it has a higher operating speed than the other architectures. The hardware utilization of the APUF–DIES-IoT architecture is improved by its automatic generation of the AID, challenge, device nonce and server nonce. Next, Table 5 and Fig. 8 show the analysis of hardware utilization for both the PUF and the APUF. The APUF used in the APUF–DIES-IoT architecture uses fewer hardware resources than the conventional PUF architecture [28]. However, the hardware utilization on the Virtex 6 is higher than on the Spartan 6, because it requires a larger number of logical elements to create the design. Further, Table 6 shows that the DIES uses 5 slices, 7 LUTs and 7 flip-flops when implemented on the Virtex 6 device. Here, the automatic generation of the AID, challenge, server nonce and device nonce reduces the logical elements of the APUF–DIES-IoT architecture compared with the conventional PUF architecture [28].

Fig. 8 Hardware utilization comparison of APUF–DIES-IoT for Spartan 6

Table 6 Analysis of hardware utilization for DIES used in the APUF–DIES-IoT architecture

Tables 7 and 8 show the analysis of the TFA and security performance of the APUF–DIES-IoT architecture along with two existing architectures, TFA-RPUF-IoT and TFA-PUF-IoT [28]. Tables 7 and 8 compare the APUF–DIES-IoT architecture with existing research [25,26,27,28] and TFA-RPUF-IoT to analyze the authentication and security features. The clock synchronization, secure algorithm, device security and attacks are evaluated during TFA, and the outputs (i.e., Yes or No) are tabulated in the respective portions. Next, the safety against attacks, two-factor secrecy, mutual authentication and PUF model are analyzed in the security analysis. For both analyses, the random response for each clock is evaluated for PUF-IoT [28] and APUF–DIES-IoT. The TFA-RPUF-IoT and APUF–DIES-IoT architectures provide better performance than the existing research [25,26,27,28], because the TFA-RPUF-IoT and APUF–DIES-IoT generate random input data even when the input remains the same in all clock cycles. The code generated in all clock cycles is the same in the TFA-PUF [28]. Therefore, the code generated by the TFA-PUF can easily be predicted by hackers [28]. However, the random values generated by the DIES, such as the AID, challenge, device nonce and server nonce, are used to improve the security against hackers. The APUF–DIES-IoT architecture also achieves lower hardware utilization than the TFA-RPUF-IoT. Therefore, the APUF–DIES-IoT architecture is considered better than the existing security mechanisms developed for the IoT.

Table 7 Analysis of TFA performances for different security architectures of IoT
Table 8 Analysis of security performances for different security architectures of IoT

5.3 Security analysis

Different security analyses are carried out for the APUF–DIES-IoT architecture. The APUF–DIES-IoT architecture has higher confidentiality than the existing TFA-PUF-IoT architecture [28] and TFA-RPUF-IoT architecture.

5.3.1 Session Key agreement

The IoT device and server share the same session key once mutual authentication is completed in the IoT. Here, the side channel attack affects the transmission line during data transmission. If a side channel attack occurs in the APUF–DIES-IoT architecture, the secret key agreement is not encrypted, because the session key is corrupted. The server does not grant authentication to the IoT devices, even when the secret key is changed in the IoT. Hence, the proposed APUF–DIES-IoT architecture has the capacity to provide session key agreement.

6 Conclusion

In this paper, the combination of DIES and SBI is introduced to provide random values of the AID, challenge, server nonce and device nonce for secure communication. The security is additionally improved by the random seed value generated by the SBI. The selection line switching property helps to increase the randomness of the AID, challenge, server nonce and device nonce across all clock cycles. Additionally, the LFSR is used in the APUF to generate a random response in every clock cycle. The combination of APUF and DIES effectively improves the security of the IoT system. Hence, the communication between the IoT devices and the server is secured by the proposed APUF–DIES-IoT architecture. Moreover, the automatic generation of the AID, challenge, server nonce and device nonce minimizes the logical elements used in the APUF–DIES-IoT architecture. Accordingly, the delay and operating frequency of the APUF–DIES-IoT architecture are improved during server-to-device communication. The performance analysis shows that the proposed APUF–DIES-IoT architecture performs better than conventional architectures such as TFA-PUF-IoT and TFA-RPUF-IoT. The proposed APUF–DIES-IoT architecture designed on the Virtex 6 uses 36 flip-flops, which is fewer than the conventional TFA-PUF-IoT and TFA-RPUF-IoT architectures. In the future, different optimized architectures will be implemented to reduce the hardware utilization and improve the security.