To address the demand for low-cost, off-the-shelf hardware–compatible Physical Unclonable Functions (PUFs) in IoT node key generation, this paper proposes a lightweight PUF mechanism leveraging process variations in commercial chips’ I/O pull-up/pull-down resistors. The approach requires no IC design or fabrication modifications and extracts device-unique fingerprints solely from standard I/O structures. It enables end-to-end conversion from raw responses to cryptographically secure keys via resistance measurement, BCH error correction, and SHA-256 hashing, integrated within an AES-secured communication pipeline. Evaluated on 30 commercial MCUs, the PUF achieves 100% intra-chip Hamming distance consistency, 50.33% inter-chip uniqueness, 50.54% response uniformity, and a worst-case bit error rate <2.63%. The implementation occupies only 19.8 KB of flash memory, consumes 79 mW, and incurs a key generation latency of 600 ms.

In this work, we present ioPUF+, which incorporates a novel Physical Unclonable Function (PUF) that generates unique fingerprints for Integrated Circuits (ICs) and the IoT nodes encompassing them. The proposed PUF generates device-specific responses by measuring the pull-up and pull-down resistor values on the I/O pins of the ICs, which naturally vary across chips due to manufacturing-induced process variations. Since these resistors are already integrated into the I/O structures of most ICs, ioPUF+ requires no custom circuitry, and no new IC fabrication. This makes ioPUF+ suitable for cost-sensitive embedded systems built from Commercial Off-The-Shelf (COTS) components. Beyond introducing a new PUF, ioPUF+ includes a complete datapath for converting raw PUF responses into cryptographically usable secret keys using BCH error correction and SHA-256 hashing. Further ioPUF+ also demonstrate a practical use case of PUF derive secret keys in securing device-to-device communication using AES-encryption. We implemented ioPUF+ on the Infineon PSoC-5 microcontroller and evaluated its performance across 30 devices using standard PUF metrics. The results show excellent reliability (intra-device Hamming distance of 100.00%), strong uniqueness (inter-device Hamming distance of 50.33%), near-ideal uniformity (50.54%), and negligible bit aliasing. Stability tests under temperature and supply-voltage variations show worst-case bit-error rates of only 2.63% and 2.10%, respectively. We also profiled the resource and energy usage of the complete ioPUF+ system, including the PUF primitive, BCH decoding, SHA-256 hashing, and AES encryption. The full implementation requires only 19.8 KB of Flash, exhibits a latency of 600 ms, and consumes 79 mW of power, demonstrating the suitabilitiy of ioPUF+ for resource-constrained IoT nodes.