Challenging the security of "A PUF-based hardware mutual authentication protocol" Articles uri icon

publication date

  • November 2022

start page

  • 199

end page

  • 210


  • November


  • 169

International Standard Serial Number (ISSN)

  • 0743-7315

Electronic International Standard Serial Number (EISSN)

  • 1096-0848


  • Recently, using Physical Unclonable Functions (PUF) to design lightweight authentication protocols for constrained environments such as the Internet of Things (IoT) has received much attention. In this direction, Barbareschi et al. recently proposed PHEMAP in Journal of Parallel and Distributed Computing, a PUF based mutual authentication protocol. Also, they extended it to the later designed Salted PHEMAP, for low-cost cloud-edge (CE) IoT devices. This paper presents the first third-party security analysis of PHEMAP and Salted PHEMAP to the best of our knowledge. Despite the designer's claim, we show that these protocols are vulnerable to impersonation, de-synchronization, and traceability attacks. The success probability of the proposed attacks is `1', while the complexity is negligible. In addition, we introduce two enhanced lightweight authentication protocols based on PUF chains (called PBAP and Salted PBAP), using the same design principles as PHEMAP and Salted PHEMAP. With the performance evaluation and the security analysis, it is justified that the two proposed schemes are practically well suited for use in resource-constrained IoT environments.


  • Computer Science
  • Electronics


  • authentication; iot; phemap; puf; security analysis