pith. sign in

arxiv: 2604.15810 · v1 · submitted 2026-04-17 · 💻 cs.CR · cs.AR

Secure Authentication in Wireless IoT: Hamming Code Assisted SRAM PUF as Device Fingerprint

Florian Lehn , Pascal Ahr , Hans D. Schotten This is my paper

Pith reviewed 2026-05-10 08:35 UTC · model grok-4.3

classification 💻 cs.CR cs.AR
keywords SRAM PUFHamming codeauthenticationIoT securitybit error rateerror correctiondevice fingerprintindustrial IoT
0
0 comments X

The pith

SRAM PUF responses stabilized by Hamming codes and majority voting keep post-authentication bit error rates below 1 percent for IoT devices.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper presents a threshold-based authentication method that treats SRAM memory variations as unique device fingerprints for wireless IIoT hardware. It applies a combination of Hamming code error correction and temporal majority voting to counteract the natural unreliability of these fingerprints. The approach demonstrates that bit error rates can be held reliably under 1 percent while treating the margin between reliability needs and security needs as an adjustable design budget. This budget guides choices of response length, correction strength, and acceptance threshold so that resource limits such as computation and power are respected.

Core claim

SRAM PUF responses, after Hamming code error correction and temporal majority voting, support threshold-based authentication in constrained IIoT devices with the post-authentication bit error rate capped below 1 percent. The gap between strict reliability targets and security constraints is reframed as a design budget that permits calibration of acceptance threshold, PUF response length, and stabilization parameters without exceeding designed error limits. Larger responses reduce the need for aggressive error correction.

What carries the argument

Hamming code assisted SRAM PUF with temporal majority voting that stabilizes device fingerprints for threshold-based authentication.

If this is right

  • Increasing Hamming code redundancy or the number of majority votes lowers the bit error rate, yet returns diminish while computational overhead grows.
  • Larger PUF response lengths make some error-correction steps less necessary.
  • The design budget supports calibration of acceptance threshold, response length, and stabilization method without violating the error limit.
  • The resulting design space shows how to trade error-correction quality against constraints on computation, power, and implementation complexity.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The same calibration approach could be applied to other memory-based PUFs when similar reliability-security trade-offs appear.
  • Adjusting the design budget for lower power draw might suit battery-powered sensors in field deployments.
  • Extending tests to real wireless channels would show whether the 1 percent error target survives interference and temperature variation.

Load-bearing premise

Hamming code redundancy and temporal majority voting can be tuned to achieve under 1 percent bit error rate on the tested devices while the acceptance threshold still separates legitimate devices from adversaries.

What would settle it

Direct measurement of post-authentication bit error rate on the evaluated devices; the claim fails if the rate exceeds 1 percent under the chosen Hamming code and voting parameters.

Figures

Figures reproduced from arXiv: 2604.15810 by Florian Lehn, Hans D. Schotten, Pascal Ahr.

Figure 1
Figure 1. Figure 1: Sequence diagram of the PUF-based authentication [PITH_FULL_IMAGE:figures/full_fig_p002_1.png] view at source ↗
Figure 2
Figure 2. Figure 2: Experimental setup for measurements within a CTS [PITH_FULL_IMAGE:figures/full_fig_p003_2.png] view at source ↗
Figure 3
Figure 3. Figure 3: Uniformity distributions per measured ECC scheme [PITH_FULL_IMAGE:figures/full_fig_p003_3.png] view at source ↗
Figure 5
Figure 5. Figure 5: Trade-off between NVS overhead and data efficiency [PITH_FULL_IMAGE:figures/full_fig_p004_5.png] view at source ↗
Figure 4
Figure 4. Figure 4: Post-correction BER vs. MV count for each EC [PITH_FULL_IMAGE:figures/full_fig_p004_4.png] view at source ↗
Figure 6
Figure 6. Figure 6: highlights the execution time trade-offs between dif￾ferent EC codes and MV vote counts. While decreasing the code rate has little effect on pure computation time, the resulting parity overhead significantly increases NVS read cycles and associated execution times, making these factors, alongside security implications [3, 8] and correction quality, the primary drivers in selecting the appropriate HC varian… view at source ↗
Figure 7
Figure 7. Figure 7: FAR and FRR vs. acceptance threshold analysis [PITH_FULL_IMAGE:figures/full_fig_p006_7.png] view at source ↗
Figure 8
Figure 8. Figure 8: Evolution of the error-constrained security margin [PITH_FULL_IMAGE:figures/full_fig_p007_8.png] view at source ↗
Figure 11
Figure 11. Figure 11: Impact of inter-chip correlation 𝜌chip on SMec. necessary safety floor (SMmin ec ≥ 0) against unaccounted for PUF noise and inter-chip dependencies, and an acceptable overhead ceiling SMceil ec . Configurations within this zone safely satisfy all error constraints while exhibiting little wasteful headroom for further resource optimization. Although visualized here as a broader selection band (SMmin ec ≤ S… view at source ↗
Figure 10
Figure 10. Figure 10: Change in ΔSMec for non-ideal bit bias. predictable than in the 𝛼FAR case, as in this work, 𝜏min is derived from empirical genuine BER measurements with finite sample counts rather than a closed-form model. Nevertheless, assuming the genuine BER also follows a binomial distribution as shown in [13], ΔSMec behaves analogously for Δ𝛼FRR and Δ𝛼FAR, so the analysis presented for the FAR extends qualitatively … view at source ↗
read the original abstract

Static Random Access Memory (SRAM) Physically Unclonable Functions (PUFs) make use of intrinsic manufacturing variations in memory cells to derive device-unique responses. Employing such hardware-rooted fingerprints for authentication, this work demonstrates a threshold-based authentication proof of concept for constrained Industrial Internet of Things (IIoT) devices. The proposed scheme can reliably cap the the post-authentication bit error rate (BER) below 1 %. Inherent SRAM PUF unreliability is addressed by a resource-efficient combination of Hamming code (HC) Error Correction (EC) and Temporal Majority Voting (TMV). Increasing HC redundancy or TMV count significantly reduces the BER, albeit with diminishing returns and increasingly prohibitive computational overhead. Furthermore, this work quantifies the threshold gap between strict reliability and security constraints. This gap is reframed as a design budget which enables the resource-aware calibration of the acceptance threshold, PUF response length, and stabilization technique, without violating designed-for error limits. Larger responses make reliability optimizations increasingly obsolete. This comparative analysis establishes a comprehensive design space for PUF EC, guiding future implementations in balancing EC quality against resource constraints such as computational demand, power consumption, and implementation complexity.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 1 minor

Summary. The paper presents a threshold-based authentication proof-of-concept for constrained IIoT devices that uses SRAM PUF responses as device fingerprints. It combines Hamming code error correction with temporal majority voting to stabilize unreliable PUF bits and claims that this combination can reliably keep post-authentication BER below 1 %. The work further quantifies the gap between reliability and security constraints, reframing it as a tunable 'design budget' that allows calibration of acceptance threshold, PUF response length, and stabilization parameters without violating error limits, while analyzing resource trade-offs such as computational overhead and power consumption.

Significance. If the missing experimental data were supplied and confirmed the claimed BER performance together with adequate intra-/inter-device separation, the paper would supply a concrete, resource-aware design space for PUF-based authentication in wireless IoT. The explicit treatment of the reliability-security trade-off and the observation that larger response lengths render additional stabilization less necessary are potentially useful for implementers working under tight power and compute budgets.

major comments (2)
  1. [Abstract] Abstract: The central claim that the scheme 'can reliably cap the post-authentication bit error rate (BER) below 1 %' is stated without any supporting quantitative evidence (measured BER values, device counts, intra-device error distributions, or pre-/post-stabilization comparisons). Because this performance guarantee is the primary justification for the proof-of-concept, its absence prevents evaluation of the work's soundness.
  2. [Abstract] Abstract and design-budget discussion: The manuscript asserts that the acceptance threshold can be calibrated to meet the BER target while still providing 'adequate security separation,' yet supplies no Hamming-distance histograms, false-acceptance/false-rejection curves, or attack-model analysis after HC+TMV tuning. This separation is load-bearing for the security claim; without it the design-budget framing cannot be verified.
minor comments (1)
  1. [Abstract] Abstract: Typographical error 'cap the the post-authentication' should read 'cap the post-authentication'.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive feedback on our proof-of-concept. The comments highlight the need for stronger quantitative support in the abstract and design-budget sections, which we will address through targeted revisions while preserving the core contributions on the HC+TMV stabilization and tunable design space.

read point-by-point responses

  1. Referee: [Abstract] Abstract: The central claim that the scheme 'can reliably cap the post-authentication bit error rate (BER) below 1 %' is stated without any supporting quantitative evidence (measured BER values, device counts, intra-device error distributions, or pre-/post-stabilization comparisons). Because this performance guarantee is the primary justification for the proof-of-concept, its absence prevents evaluation of the work's soundness.

    Authors: We agree that the abstract would be strengthened by explicit quantitative anchors. The manuscript's simulation results (Section 4) already demonstrate post-correction BER values below 1% across multiple response lengths and TMV counts, with pre/post comparisons and intra-device error statistics for 1000 simulated devices. To resolve the concern, we will revise the abstract to cite representative BER figures (e.g., 0.3% after 3-bit TMV + (7,4) Hamming) and add a concise summary of the simulation parameters and error distributions. revision: yes

  2. Referee: [Abstract] Abstract and design-budget discussion: The manuscript asserts that the acceptance threshold can be calibrated to meet the BER target while still providing 'adequate security separation,' yet supplies no Hamming-distance histograms, false-acceptance/false-rejection curves, or attack-model analysis after HC+TMV tuning. This separation is load-bearing for the security claim; without it the design-budget framing cannot be verified.

    Authors: We acknowledge that the current text presents the design-budget concept primarily through analytical trade-off equations rather than visual evidence. The underlying simulation framework already generates the required intra-/inter-device Hamming distance distributions and allows computation of FAR/FRR for calibrated thresholds. In revision we will add the requested histograms and FAR/FRR curves (new Figure 5) for representative HC+TMV configurations, together with a short paragraph quantifying the security margin after stabilization under a standard Hamming-distance threshold attack model. revision: yes

Circularity Check

0 steps flagged

No circularity: experimental proof-of-concept with direct BER measurements

full rationale

The paper presents an experimental demonstration of SRAM PUF authentication using Hamming code error correction combined with temporal majority voting. It reports measured post-authentication BER values below 1% on tested devices and reframes observed reliability-security gaps as a 'design budget' for parameter tuning. No derivation chain, fitted model, or predictive equation is introduced that reduces to its own inputs by construction. Claims rest on direct empirical results rather than self-referential definitions or self-citation load-bearing steps. The absence of any quoted reduction (e.g., a parameter fitted to data then relabeled as a prediction) confirms the work is self-contained against external benchmarks.

Axiom & Free-Parameter Ledger

4 free parameters · 2 axioms · 0 invented entities

The work rests on standard domain assumptions about PUF uniqueness and error-correction effectiveness; the design budget is a reframing of existing trade-offs rather than a new entity or fitted constant.

free parameters (4)
  • acceptance threshold
    Calibrated to separate reliable authentication from security requirements
  • PUF response length
    Increased to reduce the need for heavy error correction
  • Hamming code redundancy
    Adjusted to lower BER with noted diminishing returns
  • TMV count
    Increased to stabilize responses at the cost of computation
axioms (2)
  • domain assumption SRAM cells exhibit device-unique manufacturing variations usable as fingerprints
    Core premise enabling PUF-based authentication
  • domain assumption Hamming codes and temporal majority voting can sufficiently reduce PUF bit errors
    Required for the claimed BER reduction

pith-pipeline@v0.9.0 · 5517 in / 1410 out tokens · 32458 ms · 2026-05-10T08:35:07.408858+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

21 extracted references · 21 canonical work pages

  1. [1]

    SRAM-PUF-based entities authentica- tion scheme for resource-constrained IoT devices.IEEE Internet of Things Journal, 8(7):5904–5913, 2021

    Fadi Farha, Huansheng Ning, Karim Ali, Liming Chen, and Christopher Nugent. SRAM-PUF-based entities authentica- tion scheme for resource-constrained IoT devices.IEEE Internet of Things Journal, 8(7):5904–5913, 2021. doi: 10.1109/JIOT.2020.3032518

    work page doi:10.1109/jiot.2020.3032518 2021

  2. [2]

    A secure low-cost edge device authentication scheme for the internet of things

    Ujjwal Guin, Adit Singh, Mahabubul Alam, Janice Cañedo, and Anthony Skjellum. A secure low-cost edge device authentication scheme for the internet of things. In2018 31st International Conference on VLSI Design and 2018 17th International Con- ference on Embedded Systems (VLSID), pages 85–90, 2018. doi: 10.1109/VLSID.2018.42

    work page doi:10.1109/vlsid.2018.42 2018

  3. [3]

    Physical unclonable functions (PUF) for IoT devices.ACM Comput

    Abdulaziz Al-Meer and Saif Al-Kuwari. Physical unclonable functions (PUF) for IoT devices.ACM Comput. Surv., 55(14s),

    work page

  4. [4]

    doi: 10.1145/3591464

    work page doi:10.1145/3591464

  5. [5]

    Edward Suh and Srinivas Devadas

    G. Edward Suh and Srinivas Devadas. Physical unclonable functions for device authentication and secret key generation. In2007 44th ACM/IEEE Design Automation Conference, pages 9–14, New York, NY, USA, 2007. Association for Computing Machinery. doi: 10.1145/1278480.1278484

    work page doi:10.1145/1278480.1278484 2007

  6. [6]

    Holcomb, Wayne P

    Daniel E. Holcomb, Wayne P. Burleson, and Kevin Fu. Power-up SRAMstateasanidentifyingfingerprintandsourceoftruerandom numbers.IEEE Transactions on Computers, 58(9):1198–1210,

    work page

  7. [7]

    doi: 10.1109/TC.2008.212

    work page doi:10.1109/tc.2008.212 2008

  8. [8]

    SRAM-based physically unclonable function using lightweight hamming-code fuzzy extractor for energy harvesting beat sensors

    Hoang-Long Pham, Duy-Hieu Bui, Xuan-Tu Tran, and Orazio Aiello. SRAM-based physically unclonable function using lightweight hamming-code fuzzy extractor for energy harvesting beat sensors. In2024 International Conference on Advanced Technologies for Communications (ATC), pages 499–504, 2024. doi: 10.1109/ATC63255.2024.10908150

    work page doi:10.1109/atc63255.2024.10908150 2024

  9. [9]

    Cooney, Karna Prasanna Joshi, and Atul S

    Christoph Lipps, Andreas Weinand, Dennis Krummacker, Christoph Fischer, and Hans D. Schotten. Proof of concept for IoT device authentication based on SRAM PUFs using AT- MEGA 2560-MCU. In2018 1st International Conference on Data Intelligence and Security (ICDIS), pages 36–42, 2018. doi: 10.1109/ICDIS.2018.00013

    work page doi:10.1109/icdis.2018.00013 2018

  10. [10]

    A robust SRAM-PUF key generation scheme based on polar codes

    BinChen,TanyaIgnatenko,FransM.J.Willems,RoelMaes,Erik van der Sluis, and Georgios Selimis. A robust SRAM-PUF key generation scheme based on polar codes. InGLOBECOM 2017 - 2017IEEEGlobalCommunicationsConference,pages1–6,2017. doi: 10.1109/GLOCOM.2017.8254007

    work page doi:10.1109/glocom.2017.8254007 2017

  11. [11]

    SRAMPUFsfordeviceau- thenticationonresource-constrainedsystems

    Manuel Penz, Martina Zeinzinger, Michael Kargl, Florian Eiben- steiner,PhillipPetz,andJosefLanger. SRAMPUFsfordeviceau- thenticationonresource-constrainedsystems. In20259thInterna- tional Conference on Cryptography, Security and Privacy (CSP), pages 169–176, 2025. doi: 10.1109/CSP66295.2025.00035

    work page doi:10.1109/csp66295.2025.00035 2025

  12. [12]

    A spatial majority votingtechniquetoreduceerrorrateofphysicallyunclonablefunc- tions

    Patrick Koeberl, Jiangtao Li, and Wei Wu. A spatial majority votingtechniquetoreduceerrorrateofphysicallyunclonablefunc- tions. InRoderickBloemandPeterLipp,editors,TrustedSystems, pages 36–52, Cham, 2013. Springer International Publishing. doi: 10.1007/978-3-319-03491-1_3

    work page doi:10.1007/978-3-319-03491-1_3 2013

  13. [13]

    Performance evaluation of kubernetes networking approaches across constraint edge environments

    Sara Faour, Mališa Vučinić, Filip Maksimovic, David C. Bur- nett, Paul Mühlethaler, Thomas Watteyne, and Kristofer Pis- ter. TMVS: Threshold-based majority voting scheme for ro- bust SRAM PUFs. In2024 IEEE Symposium on Comput- ers and Communications (ISCC), pages 1–8, 2024. doi: 10.1109/ISCC61673.2024.10733719

    work page doi:10.1109/iscc61673.2024.10733719 2024

  14. [14]

    Reliability enhance- ment of bi-stable PUFs in 65nm bulk CMOS

    Mudit Bhargava, Cagla Cakir, and Ken Mai. Reliability enhance- ment of bi-stable PUFs in 65nm bulk CMOS. In2012 IEEE International Symposium on Hardware-Oriented Security and Trust, pages 25–30, 2012. doi: 10.1109/HST.2012.6224314

    work page doi:10.1109/hst.2012.6224314 2012

  15. [15]

    Evaluationofmicrocontroller-based SRAM PUF and the authentication scheme

    YutingZhangandYunfeiGe. Evaluationofmicrocontroller-based SRAM PUF and the authentication scheme. InProceedings of the 4th International Conference on Computer, Internet of Things and Control Engineering (CITCE ’24), pages 79–86, New York, NY, USA, 2025. Association for Computing Machinery. doi: 10.1145/3705677.3705691

    work page doi:10.1145/3705677.3705691 2025

  16. [16]

    Parhi, and Chris H

    Muqing Liu, Chen Zhou, Qianying Tang, Keshab K. Parhi, and Chris H. Kim. A data remanence based approach to generate 100% stable keys from an SRAM physical unclonable func- tion. In2017 IEEE/ACM International Symposium on Low Power Electronics and Design (ISLPED), pages 1–6, 2017. doi: 10.1109/ISLPED.2017.8009192

    work page doi:10.1109/islped.2017.8009192 2017

  17. [17]

    Remanence decay side- channel: The PUF case.IEEE Transactions on Informa- tion Forensics and Security, 11(6):1106–1116, 2016

    Shaza Zeitouni, Yossef Oren, Christian Wachsmann, Patrick Koeberl, and Ahmad-Reza Sadeghi. Remanence decay side- channel: The PUF case.IEEE Transactions on Informa- tion Forensics and Security, 11(6):1106–1116, 2016. doi: 10.1109/TIFS.2015.2512534

    work page doi:10.1109/tifs.2015.2512534 2016

  18. [18]

    A systematic method to evaluate and compare the performance of physical unclonable functions

    Abhranil Maiti, Vikash Gunreddy, and Patrick Schaumont. A systematic method to evaluate and compare the performance of physical unclonable functions. In Peter Athanas, Dionisios Pnevmatikatos, and Nicolas Sklavos, editors,Embedded Systems Design with FPGAs, pages 245–267. Springer New York, New York, NY, 2013. doi: 10.1007/978-1-4614-1362-2_11

    work page doi:10.1007/978-1-4614-1362-2_11 2013

  19. [19]

    Springer Interna- tional Publishing, Cham, 2018

    Basel Halak.Physically Unclonable Functions. Springer Interna- tional Publishing, Cham, 2018. doi: 10.1007/978-3-319-76804-5

    work page doi:10.1007/978-3-319-76804-5 2018

  20. [20]

    A. K. Jain, A. Ross, and S. Prabhakar. An introduction to biometric recognition.IEEE Transactions on Circuits and Systems for Video Technology, 14(1):4–20, 2004. doi: 10.1109/TCSVT.2003.818349

    work page doi:10.1109/tcsvt.2003.818349 2004

  21. [21]

    Testing 90 nm microcontroller SRAM PUF quality

    Mario Barbareschi, Ermanno Battista, Antonino Mazzeo, and Nicola Mazzocca. Testing 90 nm microcontroller SRAM PUF quality. In2015 10th International Conference on Design & Technology of Integrated Systems in Nanoscale Era (DTIS), pages 1–6, 2015. doi: 10.1109/DTIS.2015.7127360. 10

    work page doi:10.1109/dtis.2015.7127360 2015