IEEE TRANSACTIONS ON MICROWAVE THEORY AND TECHNIQUES 1
Physical-Layer Identification of Wireless IoT Nodes Through PUF-Controlled Transmitter Spectral Regrowth
Qiang Zhou , Graduate Student Member, IEEE, Yan He , Graduate Student Member, IEEE,
Kaiyuan Yang , Member, IEEE, and Taiyun Chi, Member, IEEE
Abstract—Securing low-power Internet-of-Things (IoT) sensor nodes is a critical challenge for the widespread adoption of IoT technology due to their limited energy, computation, and storage resources. As an alternative to the traditional wireless security solution based on cryptography, there has been growing interest in RF physical-layer security, which promises a lower overhead and energy cost. In this work, we demonstrate energy-efficient physical-layer identification, a.k.a., RF fingerprinting, designed specifically for resource-constrained IoT nodes. To enhance the identification performance beyond prior demonstrations using off-the-shelf radios, we propose a minor modification to the radio frontend by integrating a digital physically unclonable function (PUF). The PUF controls the transmitter (TX) spectral regrowth as the RF fingerprint (RFF), enhancing its uniqueness and identification space beyond solely relying on transistor intrinsic process variations. As a proof of concept, a 2.4-GHz physical-layer identification is implemented in the GlobalFoundries 45-nm CMOS SOI process. It achieves 4.7-dBm output power and 36% efficiency, which are comparable to state-of-the-art low-power 2.4-GHz power amplifiers (PAs). Additionally, it demonstrates significant improvement in RFF reliability, uniqueness, and identification space over prior physical-layer identification demonstrations. The identification rate and security performance of the proposed approach under different attack models are also discussed.
Index Terms—Identification, Internet-of-Things (IoT), physical-layer security, physically unclonable function (PUF), power amplifier (PA), RF fingerprint (RFF), spectral regrowth.
I. INTRODUCTION
It is projected that by 2025, 75 billion Internet-of-Things (IoT) devices will be deployed for applications, such as wearable electronics, smart homes, and smart cities, all of which involve collecting, communicating, and processing vast amounts of private or critical data. While IoT applications incorporate some familiar, well-resourced devices such as smartphones, they also involve a large number of “low-end” wireless sensor nodes that are easy targets for hackers.
Manuscript received 23 March 2023; revised 10 June 2023 and 24 July 2023; accepted 28 July 2023. This work was supported in part by the Semiconductor Research Corporation (SRC) under Task HWS 2990.001. (Qiang Zhou and Yan He contributed equally to this work.) (Corresponding authors: Qiang Zhou; Taiyun Chi.)
The authors are with the Department of Electrical and Computer Engineering, Rice University, Houston, TX 77005 USA (e-mail: peterzhou@rice.edu; yanhe@rice.edu; kyang@rice.edu; taiyun.chi@rice.edu).
Color versions of one or more figures in this article are available at https://doi.org/10.1109/TMTT.2023.3305055.
Digital Object Identifier 10.1109/TMTT.2023.3305055
Securing resource-constrained IoT nodes is widely considered one of the most significant barriers to overcome for large-scale IoT adoption [1].
Traditionally, wireless network security has been entirely protected using public-key-based cryptography [2]. However, most IoT nodes lack the energy and storage resources required to implement advanced cryptographic algorithms [3]. For example, the energy per bit of AES-128 encryption can be 10×–100× larger than that of a typical IoT edge processor, and the ECC authentication can consume even more energy than a typical Bluetooth radio [4].
A common energy-efficient alternative to public-key infrastructures is based on pre-shared keys [5]. To further enable low-cost key generation and storage, physically unclonable functions (PUFs) have been developed over the past two decades, which leverage device physical variabilities as unique secret keys [6], [7]. However, pre-shared keys present a critical security challenge—if the secret key is stolen, the integrity of the entire security system is at risk. In addition to common software and firmware attacks that could compromise keys, research also unveils the possibility of side-channel attacks against key storage [8]. Even though PUFs feature unclonability and do not store keys directly in the digital domain, the extracted keys are still used in digital cryptography, and thus, still vulnerable to digital cloning attacks by impersonators.
Recently, there has been growing interest in RF physical-layer security [9], [10], [11], [12], [13], [14], [15], which exploits the hardware properties to enhance wireless security with a lower energy cost. Physical-layer security has great potential for carrying out low security-level tasks (such as identification) and complementing digital cryptography for more advanced primitives (such as multi-factor authentication). Leveraging the concept of physical-layer security, in this work, we propose to extend the PUF concept to RF frontends that are actually responsible for wireless communications. Specifically, we aim to demonstrate energy-efficient physical-layer identification, a.k.a., RF fingerprinting, for wireless IoT nodes [16]. The key observation behind RF fingerprinting is that physical radio waveforms contain unique RF impairments that are bonded to specific transmitters (TXs). RF impersonation attacks by duplicating such RF impairments often require expensive and high-end hardware, such as high-speed and high-resolution digital-to-analog converters (DACs) [17]. This makes RF impersonation attacks much more challenging
This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.
Fig. 1. Different from conventional identification methods where device IDs are inserted in the header, physical-layer identification enables continuous identification at any moment during communications.
than digital cloning attacks that traditional digital PUFs are vulnerable to. Additionally, unlike conventional identifications where device IDs are inserted in the header, which can be easily hacked and only checked once per packet, RF fingerprinting enables continuous identification at any moment during communications [18], leading to a tighter bond between the data packet and device (see Fig. 1).
The rest of this article is organized as follows. Section II outlines our key idea of leveraging PUF-controlled spectral regrowth as the RF fingerprint (RFF), which significantly enhances the identification performance beyond prior demonstrations using off-the-shelf radios. Section III presents the design details of the proof-of-concept physical-layer identification chip. Section IV shows the measurement results. Section V discusses the security performance using different security models. Finally, Section VI concludes this article.
II. PUF-CONTROLLED SPECTRAL REGROWTH AS THE RFF
In wireless communication systems, device-dependent RF impairments generated by various building blocks in the TX chain, such as DAC nonlinearity, mixer I-Q mismatch, LO carrier frequency offset (CFO), and power amplifier (PA) nonlinearity, can serve as RFFs. The wireless channel between the TX and RX can also be used as an RFF due to its location-dependent multipath effect and Doppler shift [19].
The performance of physical-layer identification can be benchmarked using three key performance metrics: 1) reliability, which characterizes the fingerprint resilience against different environmental conditions; 2) uniqueness, which indicates the fingerprint probability distribution across all devices in the network; and 3) identification space, which specifies the fingerprint dynamic range. Although there have been prior physical-layer identification demonstrations using off-the-shelf radios such as NI USRP [17], [20], they all suffer from limited identification performance because the physical-layer security aspect of off-the-shelf radios is typically not optimized in the design phase.
In this article, we present two key ideas (see Fig. 2) to enhance the identification performance and enable on-device lightweight RFF feature extraction that is compatible with the capabilities of low-end IoT nodes.
First, we choose to use the TX spectral regrowth as the RFF [see Fig. 2(a)]. This is because, while wireless standards typically impose stringent in-band requirements (such as I/Q mismatch and EVM), the specification for spectral regrowth is
Fig. 2. (a) Leveraging TX spectral regrowth as the RFF for identification. (b) On-chip digital PUF enables control of the RFF probability distribution and enlarges the identification space beyond native process variations.
Fig. 3. Security model of the proposed physical-layer identification scheme.
relatively relaxed for low-power IoT standards, such as Bluetooth and Zigbee. By leveraging spectral regrowth as the RFF, we ensure a large identification space without compromising the in-band signal quality, as long as the spectrum mask is satisfied.
Second, we propose a minor modification to the RF frontend design by adding a digital PUF [see Fig. 2(b)]. Instead of solely relying on native process variations to generate different nonlinearity behaviors for different TX devices, the digital PUF can control the RFF probability distribution in a more predictable manner to enhance fingerprint uniqueness. It also enlarges the RFF dynamic range, enabling us to fully utilize the entire identification space.
In our proposed physical-layer security model (see Fig. 3), the PUF key of the TX Alice serves as the root of trust, which is determined once the chip is fabricated and established during the chip enrollment phase. This PUF key is encoded in the spectral regrowth using a lookup table (LUT), a DAC, and the PA’s nonlinearity (see Section III-B for details). Alice’s spectral regrowth is then digitized and securely stored in a database as the golden key. On the RX side (Bob), both the received in-band signal and spectral regrowth are processed and digitized. Given secure access to the database, Bob can continuously verify Alice’s identity by comparing the received spectral regrowth with the golden key. If the verification fails, the current command will be declined, and communication between Alice and Bob will be terminated. It is noteworthy that this security model can be extended to facilitate mutual authentication, where both Alice and Bob can verify each other’s identities, as long as Alice has access to Bob’s golden spectral regrowth. This mutual authentication adds an
Fig. 4. Chip architecture and PA schematic.
Fig. 5. PA power cell adopts the MGTR technique, including a main path biased using VBM and an auxiliary path biased using VBA. Different devices generate unique PUF output strings and corresponding VBA, resulting in different IM3.
additional layer of security to the communication between Alice and Bob.
III. PHYSICAL-LAYER IDENTIFICATION CHIP IMPLEMENTATION
To demonstrate the advantages of the proposed PUF-controlled spectral regrowth as the RFF, we implement a proof-of-concept 2.4-GHz physical-layer identification chip [16] in the GlobalFoundries 45-nm CMOS SOI process and use the Bluetooth standard as a demonstration vehicle. The chip architecture is shown in Fig. 4. It consists of three major building blocks: a 2.4-GHz low-power PA, a digital security engine, and a spectral regrowth and in-band power (IBP) monitoring circuit. This section presents the implementation details of these three building blocks.
A. 2.4-GHz PA
As shown in Fig. 4, the PA power cell is biased using the multiple gated transistors (MGTRs) technique [21], including a main path and an auxiliary path. The main path is biased through the center tap of the input balun using a fixed biasing voltage (VBM). The auxiliary-path biasing voltage (VBA) is generated by the digital PUF followed by a DAC.
Spectral regrowth arises from the transistor nonlinearity, which can be analyzed using the two-tone test, as shown in Fig. 5. Modeling the large-signal transconductance nonlinearity up to the third order (Gm3) and sending a two-tone input A(cos ω1t + cos ω2t) to the PA, the differential output current contains the fundamental contents and two third-order intermodulation (IM3) tones. The simulated transistor Gm1 and Gm3 of a W/L = 468.16 µm/40 nm transistor against the biasing voltage is shown in Fig. 5. It can be seen that Gm3 turns from positive to negative when the transistor shifts its operating condition from weak inversion to strong inversion [22]. In our design, VBM is biased lower than the transition point, while VBA is biased higher than that. As a result, the combined Gm3 is kept small to satisfy the close-in spectrum mask, which is < −26 dBc for power integrated between 1 and 1.5 MHz from the carrier for the Bluetooth standard [23]. Meanwhile, different devices generate different PUF output strings and the resulting VBA, thus exhibiting different IM3.
We would like to emphasize that although the device intrinsic process variations (such as the VTH variation) can lead to different IM3 for different devices even without using the PUF, the PUF-controlled VBA enables two unique advantages. First, it significantly enlarges the identification space. The simulated histogram of IM3 and fundamental output power variations under a fixed VBA of 220 mV (i.e., without using the PUF) is plotted in Fig. 6, showing a 1σ IM3 variation of only 2.1 dB. Such a small IM3 variation would make RFF classification a challenging task, especially for resource-constrained IoT nodes. On the contrary, when the PUF is integrated, the tuning range of the PUF-controlled VBA can be designed to be far larger than the intrinsic VTH variation (e.g., 220–320 mV tuning range in this design). As a result, a significantly larger IM3
Fig. 6. Simulated histogram of IM3 and fundamental power introduced by the PA intrinsic VTH variation without PUF.
Fig. 7. PA output network with built-in harmonic rejection.
variation of 14.7 dB is achieved in the simulation. Second, since the RFF variations are dominated by the PUF output, which has a uniform distribution across all the devices, the probability distribution of the RFF can be well-controlled to enhance its uniqueness (see details in Section III-B). In contrast, the distribution of PA intrinsic variations (such as the VTH variation) can be challenging to control in practice.
Given the low biasing voltages for VBM and VBA used in this design, a high PA efficiency is naturally achieved [24]. However, one potential concern with this biasing scheme is the substantial second and third harmonic contents at the PA output, which may violate the FCC requirement on harmonic levels. For devices operating in the 2.4-GHz ISM band, the FCC requires a harmonic emission of < −41 dBm. Solely relying on the MGTR technique is insufficient to meet this requirement, as the second and third harmonic leakages are found to be −24.3 and −33.1 dBm, respectively, in our simulation. Therefore, we include additional harmonic rejection in the PA output matching network design (see Fig. 7). At the fundamental frequency f0, the network realizes the optimum load-pull impedance (60 Ω // 20 nH) for the power cell to achieve high efficiency. The harmonic rejection is achieved by adding low- (or high-) impedance paths to the transformer to reduce the voltage (or current) transformation at the harmonics. Specifically, at 2f0, a harmonic trap is implemented using the capacitor C2p and the inductor L2s at the center tap of the primary winding [25]. Additionally, a parallel LC resonator at 2f0 is added to the secondary winding to prevent 2f0 current flowing into the antenna load. At 3f0, C3p and two symmetrically embedded branches inside the transformer form a third-harmonic open circuit [26]. The two parallel 3f0 LC resonators at the secondary winding provide further rejection. Note that the harmonic rejection components only contribute 0.4 dB additional loss in the EM simulation, ensuring minimal degradation to the PA efficiency. The proposed harmonic rejection output network is verified in the testing, achieving < −48.5 dBm for the second harmonic and < −61.5 dBm for the third harmonic at 0 dBm output power.
B. Digital Security Engine
The on-chip digital security engine consists of a PUF, a LUT, and a DAC, as shown in Fig. 8. An 8-bit inverter-chain-based PUF is employed as the entropy source [7]. To guarantee the output reproducibility, i.e., zero bit error rate during testing, four independent inverter cells are implemented for each bit, and a self-screening validity detection circuit is designed to find the cell that does not present a single error during the enrollment. The overall power consumption of the digital security engine is 251 µW, with the PUF, LUT, and DAC consuming 250, 0.2, and 1 µW, respectively.
The PUF design also employs a temporal majority voting (TMV) mechanism [27], implemented using a 5-bit up/down counter to filter out the noise at the PUF output to improve the PUF stability (see Fig. 8). In this technology node, the inverters based on regular threshold voltage transistors (RVTs) suffer from a low voltage gain, as shown in Fig. 9. As a result, a four-stage RVT-inverter-chain-based PUF has a wide distribution, where the PUF output does not always reach rail to rail, making it susceptible to noise. To address this issue, we stack ultrahigh threshold voltage transistors (UVTs) on RVT as an inverter cell (see Fig. 8), which has a much higher gain, and thus a probability distribution that well separates 0 and 1 (see Fig. 9).
To monitor the stability of the PUF output, a 2-D flip-flop-based valid checker is added to produce an “Invalid” signal once the PUF output is unstable, i.e., a particular bit of the PUF output changes from 1 to 0 or 0 to 1 (see Fig. 10). In this case, another PUF cell from the four independent PUF cells within each bit will be selected. An up counter is also added to enable the automatic selection of the stable cell. The possibility that all four PUF cells are unstable is quite small.
Note that the PUF output typically needs to be accessed externally for enrollment and to mask the unstable cells, which may introduce a security hazard. In this design, the PUF output can be distinguished using the spectral regrowth at the PA output, so only the “Invalid” signal is exposed to the chip I/Os, instead of the actual PUF output string. Since the “Invalid” signal does not contain any secret information, overall enhanced security can be achieved.
The probability distribution of the spectral regrowth at the PA output is determined by the probability density function (pdf) of the PUF and the transfer function between the spectral regrowth and PUF output string. We integrate the TX spectral regrowth over a narrow frequency window as out-of-band leakage power (OOBLP), in which the power spectral density (PSD) presents the most significant variations across all the devices. The raw PUF output pdf is uniform; however, the transfer function between OOBLP and VBA is nonlinear [28], resulting in an excessively high probability when OOBLP is low (see Fig. 11). To alleviate this problem, a LUT is inserted between the PUF and DAC to predistort the probability distribution of the PUF output. Combining the OOBLP-VBA
Fig. 8. Schematic of the digital security engine.
Fig. 9. Stacked inverter as the PUF cell.
transfer function and LUT weighting, this scheme can realize a uniform distribution for OOBLP and minimize the chance that two devices present very similar RFFs, achieving the best fingerprint uniqueness.
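A histogram-equalizing LUT of the kind described above, as an added example that is not part of the paper: the convex OOBLP-versus-VBA curve, the 8-bit DAC and the 220–310 mV range are constructed stand-ins for the measured PA transfer function, and the LUT construction is written generally for any monotonically increasing curve.

```python
import bisect

# Constructed stand-ins (not the paper's measured transfer function): VBA tuning
# range in mV, an 8-bit DAC, and a convex OOBLP-versus-VBA curve spanning ~11.5 dB.
VBA_MIN_MV, VBA_MAX_MV = 220.0, 310.0
DAC_BITS = 8
PUF_BITS = 8


def oobl_p_db(vba_mv):
    """Hypothetical monotonic transfer: OOBLP rises slowly at low VBA, steeply at high VBA."""
    x = (vba_mv - VBA_MIN_MV) / (VBA_MAX_MV - VBA_MIN_MV)   # normalised 0..1
    return -40.0 + 11.5 * x ** 2.5


def dac_to_vba(code, bits=DAC_BITS):
    """Ideal DAC: code 0..2^bits-1 maps linearly onto the VBA tuning range."""
    return VBA_MIN_MV + (VBA_MAX_MV - VBA_MIN_MV) * code / (2 ** bits - 1)


def build_lut(transfer=oobl_p_db, puf_bits=PUF_BITS, dac_bits=DAC_BITS):
    """LUT[puf_code] -> dac_code chosen so that OOBLP is evenly spaced over PUF codes.

    Works for any monotonically increasing transfer function: the reachable
    OOBLP values are tabulated once, and each PUF code is assigned the DAC
    code whose OOBLP is nearest to its target quantile (histogram equalisation).
    """
    curve = [transfer(dac_to_vba(c, dac_bits)) for c in range(2 ** dac_bits)]
    lo, hi = curve[0], curve[-1]
    n_codes = 2 ** puf_bits
    lut = []
    for k in range(n_codes):
        target = lo + (hi - lo) * k / (n_codes - 1)
        j = bisect.bisect_left(curve, target)          # first DAC code at/above target
        if j == len(curve):
            j -= 1
        elif j > 0 and target - curve[j - 1] < curve[j] - target:
            j -= 1                                     # the code below is closer
        lut.append(j)
    return lut


def histogram(values, lo, hi, bins):
    """Counts of values over `bins` equal-width bins spanning [lo, hi]."""
    counts = [0] * bins
    for v in values:
        b = min(int((v - lo) / (hi - lo) * bins), bins - 1)
        counts[b] += 1
    return counts


def oobl_p_histogram(lut=None, puf_bits=PUF_BITS, bins=10):
    """OOBLP histogram over every PUF string (uniform PUF), with or without the LUT."""
    codes = range(2 ** puf_bits)
    # Without a LUT the PUF string drives the DAC directly.
    dac_codes = codes if lut is None else [lut[c] for c in codes]
    values = [oobl_p_db(dac_to_vba(d)) for d in dac_codes]
    return histogram(values, oobl_p_db(VBA_MIN_MV), oobl_p_db(VBA_MAX_MV), bins)


if __name__ == "__main__":
    print("without LUT:", oobl_p_histogram())
    print("with LUT:   ", oobl_p_histogram(build_lut()))
```

Without the LUT the first bin holds several times more devices than the last one; with the LUT the ten bins are nearly equal, which is the uniform OOBLP distribution the paper aims for in Fig. 11.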
C. Spectral Regrowth and IBP Monitoring Circuit
In practical deployment, a spectral regrowth monitoring circuit is needed at the RX to extract the RFF. Instead of designing the entire RX chain, here, we implement the spectral regrowth monitoring circuit at the TX output through a capacitive coupler [29] to simplify the design and testing [see Fig. 12(a)]. It consists of a power detector (PD) to measure the IBP and a down-conversion mixer followed by a low-pass filter (LPF) to monitor the spectral regrowth. The PD is verified through testing—its measured output voltage increases monotonically with the PA output power, as shown in Fig. 12(a).
For the down-conversion chain, its linearity requires special attention since the strong in-band signal and weak spectral regrowth are both down-converted to the IF. Specifically, the IM3 generated by the down-conversion chain has to be much smaller than the amplified PA output IM3 [see Fig. 12(b)], as

$$\left| \tfrac{3}{4}\,\alpha_3 A_{\mathrm{Fund.}}^{3} \right| \ll \left| \alpha_1 A_{\mathrm{IM3}} \right| \qquad (1)$$

where $A_{\mathrm{Fund.}}$ and $A_{\mathrm{IM3}}$ are the amplitudes of the fundamental and IM3 tones at the down-conversion chain input, respectively, $\alpha_1$ is the gain of the down-conversion chain, and $\alpha_3$ is the third-order nonlinearity coefficient.
Given that AIM3 can be 31 dB lower than AFund. in the simulation, the desired AIIP3 of the down-conversion chain can
Fig. 10. Schematic of the validity detection circuit and its timing diagram.
be derived as

$$A_{\mathrm{IIP3}} = \sqrt{\tfrac{4}{3}\left|\frac{\alpha_1}{\alpha_3}\right|} \gg \sqrt{\frac{A_{\mathrm{Fund.}}^{3}}{A_{\mathrm{IM3}}}} = 0.31\ \mathrm{V}. \qquad (2)$$
To satisfy this linearity requirement, we optimize the mixer biasing voltage such that the mixer output IM3 components are minimized, as shown in Fig. 12(c). The simulated AIIP3 of the down-conversion chain is 1.19 V. In this case, only 0.67 mV of IM3 is generated by the down-conversion chain, which is negligible compared to the amplified PA IM3 of 9.66 mV. The differential mixer output is converted to single-ended through an instrumentation amplifier, followed by an LPF with a cut-off frequency fc = 6 MHz. The LPF output can be readily sampled by an off-the-shelf ADC.
IV. MEASUREMENT RESULTS
The physical-layer identification chip is wire-bonded to a PCB for testing. A chip micrograph is shown in Fig. 13. The chip input signal is generated by an arbitrary waveform generator (AWG), and the output is monitored using a spectrum analyzer (SA). This section presents the measured PUF-controlled spectral regrowth and its RFF performance.
A. Spectral Regrowth Evaluation
We first disable the on-chip PUF and feed VBA off-chip. To characterize the PA nonlinearity against VBA, a two-tone signal at 2.5 GHz ± 1 MHz is sent to the chip input. For PA chip #1, changing VBA from 220 to 320 mV introduces a 14.1 dB IM3 variation and a 1.6 dB fundamental power variation at the PA output [see Fig. 14(a)]. Tested over 18 chips, a consistent IM3 variation of >13.4 dB and a consistent fundamental power variation of <1.6 dB are achieved, as shown in Fig. 14(b). The measured IM3 and fundamental power variations agree well with our simulations. Moreover,
Fig. 11. Probability distribution of the OOBLP with and without the LUT. A uniform distribution is achieved for the OOBLP using the proposed PUF engineering scheme.
Fig. 12. (a) Schematic of the spectral regrowth and IBP monitoring circuit, and the measured power detector output voltage and system efficiency versus the IBP. (b) IM3 components generated by the down-conversion chain need to be minimized. (c) Simulated mixer conversion gain versus its biasing voltage.
Fig. 13. Chip micrograph.
it demonstrates that using spectral regrowth as the RFF allows for a significantly larger identification space compared to the in-band signal.
Next, the PA input is fed with a 2-Mb/s π/4-DQPSK signal, the same modulation used in the Bluetooth enhanced data rate (EDR) mode. When VBA is changed from 220 to 320 mV, integrating the spectral regrowth from 1.2 to 1.3 MHz away from the carrier introduces an 11.9 dB OOBLP variation at the PA output, as shown in Fig. 15(a). Given the small modulation
Fig. 14. (a) Measured PA output spectra under the two-tone test. (b) Summary of fundamental power and IM3 variations of 18 chips when PUF is disabled.
bandwidth, the lower sideband and higher sideband of the spectrum closely resemble each other, so we only use the
Fig. 15. (a) Measured PA and IF output spectra and EVM under 2-Mb/s π/4-DQPSK modulation. (b) Summary of IBP and OOBLP variations of 18 chips when PUF is disabled.
Fig. 16. Measured histogram of OOBLP from 16 × 18 = 288 virtual devices.
lower sideband for the OOBLP calculation. As a comparison, the IBP varies by only 1.4 dB, and the measured EVM only ranges from 2.8% to 4.7% [see Fig. 15(a)]. The measured OOBLP variation and IBP difference at the down-converted IF output are consistent with the PA output when adjusting VBA, demonstrating the effectiveness of the built-in spectral regrowth monitoring circuit. Again, 18 chips are measured during the modulation testing. A consistent OOBLP variation of >11.5 dB and a consistent IBP variation of <1.5 dB are achieved. Since the measured spectrum with VBA = 320 mV is on the borderline of the spectrum mask, to avoid potential violations and leave an additional 1 dB margin, we can slightly reduce the VBA tuning range by setting the maximum VBA to 310 mV.
Finally, we turn on the digital security engine to directly bias VBA on-chip. The ideal situation would be to measure the OOBLP across a large number of physical devices, which can be quite challenging for lab testing. With the help of our PUF design that utilizes four independent inverter cells for each bit, we are able to select different cells, and in turn, generate different PUF output strings to create multiple virtual devices on one chip. In the testing, 16 PUF output strings are generated per chip, and the OOBLP of 16 × 18 = 288 virtual devices are collected. The histogram of the measured OOBLP is shown in Fig. 16, presenting a close-to-uniform distribution. This validates the proposed PUF and LUT engineering scheme to control the probability distribution of the RFF (see Fig. 11).
Fig. 17. (a) Measurement uncertainty against different VBWs under a fixed VBA of 230 mV. (b) Measurement uncertainty for different biasing voltages with VBW = 10 Hz.
Fig. 18. Identification rate against the number of devices NTX under different averages with VBW = 10 Hz.
B. Characterization of Measurement Uncertainty, Reliability, and Uniqueness of RFF
To further evaluate the reliability and uniqueness of the spectral regrowth as the RFF, we perform a study on the intra- and inter-device RFF variations. Intra-device variation characterizes the RFF reliability under varying environmental conditions; inter-device variation measures the RFF probability distribution across all the devices. Their definitions are adopted from the intra- and inter-Hamming distances, which are widely used as benchmarks for digital PUFs [7].
1) Measurement Uncertainty: Before delving into intra- and inter-device variations, we first investigate the RFF measurement uncertainty against the video bandwidth (VBW) of the SA. A large VBW can introduce measurement errors, causing the OOBLP reading to vary across different measurements even under the same environmental condition. To quantify this uncertainty, we connect the PA output directly to the SA and then measure the OOBLP under different VBWs, as shown in Fig. 17(a). Each histogram plot represents the summary of 1000 independent measurements. As can be seen, a smaller VBW results in a smaller standard deviation of the measured OOBLP, due to a more stable reading from the SA. With a VBW of 10 Hz, the 1σ variation is 0.6%. A similar standard deviation is obtained at other VBA values using the same 10-Hz VBW, as shown in Fig. 17(b).
Fig. 19. Measured power difference between OOBLP and IBP under (a) distance, (b) temperature, and (c) supply voltage variations, and nine detailed histograms under different environmental conditions with VBA = 230 mV.
False identification can happen in practice due to mea-
surement uncertainty, which becomes more significant as
the number of devices NTX increases. With the measured
histogram at different VBA, we benchmark the identification
rate against NTX in Fig. 18. Ideally, for NTX devices, their
RFF values should be uniformly distributed from RFFmin to
RFFmax . Without losing generality, we assume the ideal RFF
of the ith device to be
RFFi=RFFmin +(RFFmax RFFmin)·(i1)/ NTX.(3)
We can then define the threshold to distinguish between the
ith and i+1th devices, as
Thresholdi,i+1=(RFFi+RFFi+1)/2.(4)
The measured RFF of an unknown device under test (DUT)
is compared with the Thresholdi,i+1i1,2, . . .,NTX 1,
based on which its device ID is determined. A successful
identification is achieved if the determined ID matches its
actual ID; otherwise, it is considered a false identification.
As shown in Fig. 18, based on a single-shot measurement, a
>95% identification rate can be realized when NTX is <67.
Note that the identification rate can be improved by using the
average OOBLP reading since the measurement uncertainty
is reduced by averaging (see Fig. 18). For example, with an
average of 100, the maximum NTX that can be identified with a
95% identification rate increases to 612. Here, we utilize time-
moving averages, which can be realized using a digital FIR
LPF with low hardware overhead.
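The threshold-based identification of (3) and (4), and the dependence of the achievable NTX on measurement averaging, as an added Python model that is not the authors' code. It assumes a normalized RFF span of [0, 1), a zero-mean Gaussian SA error with a constructed single-shot 1σ of 0.4% of the span (the paper gives 0.6% relative to the OOBLP reading, whose absolute span is not stated here), and that averaging N readings shrinks the error by √N.

```python
"""Closed-form and Monte Carlo identification-rate model for the OOBLP RFF,
following Eqs. (3) and (4) of the paper.

Constructed example, not the authors' code. Assumptions:
  * RFF span normalized to [0, 1): RFF_min = 0, RFF_max = 1;
  * SA measurement error is zero-mean Gaussian with std SIGMA, given as a
    fraction of the span (constructed value, chosen to land near the paper's
    single-shot N_TX < 67 regime);
  * averaging N independent readings shrinks the std by sqrt(N).
"""
import bisect
import math
import random

RFF_MIN = 0.0   # normalized, assumption
RFF_MAX = 1.0   # normalized, assumption
SIGMA = 0.004   # single-shot 1-sigma measurement error, constructed


def ideal_rffs(n_tx, rff_min=RFF_MIN, rff_max=RFF_MAX):
    """Eq. (3): N_TX ideal fingerprints uniformly spaced over the range.
    Python index i = 0..N_TX-1 corresponds to (i-1) in the paper."""
    span = rff_max - rff_min
    return [rff_min + span * i / n_tx for i in range(n_tx)]


def thresholds(rffs):
    """Eq. (4): midpoint between adjacent ideal fingerprints."""
    return [(a + b) / 2 for a, b in zip(rffs, rffs[1:])]


def identify(measured_rff, thr):
    """Return the 1-based device ID whose threshold interval contains the reading."""
    return bisect.bisect_right(thr, measured_rff) + 1


def moving_average(readings, window):
    """Boxcar FIR low-pass over a stream of OOBLP readings (one output per full window)."""
    return [sum(readings[k:k + window]) / window
            for k in range(len(readings) - window + 1)]


def analytic_rate(n_tx, sigma, rff_min=RFF_MIN, rff_max=RFF_MAX):
    """Identification rate if the Gaussian error must stay within +-delta/2 of the
    true RFF (one-sided for the two edge devices), averaged over all devices."""
    if n_tx == 1:
        return 1.0
    delta = (rff_max - rff_min) / n_tx
    p_inner = math.erf(delta / (2 * sigma * math.sqrt(2)))  # P(|e| < delta/2)
    p_edge = 0.5 + p_inner / 2                              # P(e < delta/2)
    return ((n_tx - 2) * p_inner + 2 * p_edge) / n_tx


def max_devices(sigma, target=0.95, limit=20000):
    """Largest N_TX whose analytic identification rate is still >= target."""
    n = 1
    while n < limit and analytic_rate(n + 1, sigma) >= target:
        n += 1
    return n


def simulate_rate(n_tx, sigma, n_avg=1, n_trials=20000, seed=1):
    """Monte Carlo check: pick a random legitimate device, add measurement noise
    averaged over n_avg readings, classify against the thresholds, count matches."""
    rng = random.Random(seed)
    rffs = ideal_rffs(n_tx)
    thr = thresholds(rffs)
    hits = 0
    for _ in range(n_trials):
        true_id = rng.randrange(n_tx)  # 0-based
        readings = [rffs[true_id] + rng.gauss(0.0, sigma) for _ in range(n_avg)]
        averaged = moving_average(readings, n_avg)[0]
        hits += identify(averaged, thr) == true_id + 1
    return hits / n_trials


if __name__ == "__main__":
    single = max_devices(SIGMA)
    avg100 = max_devices(SIGMA / math.sqrt(100))
    print(f"single-shot: >=95% identification up to N_TX = {single}")
    print(f"100-sample average: >=95% identification up to N_TX = {avg100}")
    print(f"Monte Carlo, N_TX={single}, single-shot: {simulate_rate(single, SIGMA):.4f}")
    print(f"Monte Carlo, N_TX={single}, avg of 100: "
          f"{simulate_rate(single, SIGMA, n_avg=100, n_trials=2000):.4f}")
```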
2) Intra-Device Variation: To decouple the intra-device
variation from the measurement uncertainty introduced by the
SA, a 10-Hz VBW and an average over 1000 measurements
are used for data collection. To characterize intra-device varia-
tions against the distance between the TX and RX, we perform
over-the-air measurements in a lab environment, where we fix
the TX location and move the RX. Additionally, to characterize
intra-device variations against the temperature and supply
voltage, we place the PA sample in a temperature chamber
with its output directly connected to the SA.
The power difference between OOBLP and IBP is recorded
under different TX-RX distances, temperatures, and supply
voltages, each measured with multiple VBA settings, as shown
in Fig. 19. As IBP varies due to environmental changes,
we use the power difference between OOBLP and IBP as
the RFF and plug it into (3) and (4) for the identification rate
calculation. The measured RFF variation is less than 1 dB
across different environmental conditions, demonstrating the
robustness of the RFF. Temperature- and supply-independent
biasing techniques can be potentially incorporated into the PA
design to further improve the RFF reliability. The identification
rate is calculated again under measured distance, temperature,
and supply voltage variations. As shown in Fig. 20, a >95%
identification rate can be realized for NTX <67 with an
average of 100.
3) Inter-Device Variation: The inter-device variation is a
metric that measures the uniqueness of the RFF, i.e., how
distinct the RFF is when compared to those of other devices.
Since we only have 18 packaged physical devices, it is
necessary to synthesize a large number of virtual devices to
arrive at statistically meaningful conclusions. Since our prior
work using a similar PUF cell design [30] has demonstrated
a close-to-ideal uniform distribution, here, we assume the
PUF output can generate 64 equally spaced biasing voltages
from 220 to 320 mV as 64 virtual devices for each chip.
Then, we measure the OOBLP for all 64 biasing voltages
programmed by an external power supply across 18 chips to
synthesize an overall 64 × 18 = 1152 virtual devices. The VTH
variation of each chip is calibrated in this testing such that
the PUF dominates the OOBLP distribution. This calibration
is done by tuning the DAC programming range. The OOBLP
histogram of all virtual devices, as shown in Fig. 21, presents a
close-to-ideal uniform distribution, demonstrating the unique
benefit of controlling the RFF distribution using an on-chip
PUF.
Fig. 20. Identification rate against the number of devices NTX under distance,
temperature, and supply voltage variations.
Fig. 21. Measured OOBLP histogram of 64 × 18 = 1152 virtual devices.
C. PA Performance Benchmark
While the major focus of this work is to demonstrate
physical-layer identification, we would like to emphasize that
adding such a capability incurs minimal design, size, and
performance overhead on the transceiver frontends. As shown
in the performance comparison table (see Table I), this design
achieves output power, efficiency, and linearity that are com-
parable to those of state-of-the-art Bluetooth PAs [31],[32].
V. DISCUSSIONS ON THE SECURITY PERFORMANCE
A. Adversarial Model
Here, we consider an adversary who aims to falsely authen-
ticate itself as a legitimate device, thereby compromising
the authenticity of the communication. We assume that the
adversary can passively eavesdrop, arbitrarily generate in-band
data and manipulate the transmitted spectral regrowth within
the capabilities of off-the-shelf equipment. Our adversarial
model covers a wide range of such equipment, from low-
cost software-defined radios (SDRs) such as NI USRP to
powerful benchtop high-speed DACs such as AWGs, which
are common instruments for RF impersonation attacks [33].
Note that the state-of-the-art Keysight AWG M8190A has an
effective number of bits (ENOB) of only 8 at the Nyquist
frequency of 5 GHz, corresponding to 50 dB SNR. Given
that the PSD of the OOBLP can be 35 dB lower than that of
the in-band signal, the SNR for the OOBLP is only 15 dB,
which is insufficient to accurately reproduce all the OOBLP
levels for identifying up to 612 devices (see Fig. 18). Attacks
using custom-developed sophisticated hardware and software
exceed the security level of our proposed protocol and are
beyond the scope of this research.
TABLE I
COMPARISON WITH 2.4-GHz LOW-POWER PAs
B. Attacks and Defenses
We demonstrate the effectiveness of our security model
by analyzing the resistance against the following attacks:
1) Replay attack [34]; 2) Modification attack; 3) Denial of
sleep (DoSL) attack [35]; and 4) Man-in-the-middle (MitM)
attack [36]. These attacks are known to be effective against
Bluetooth devices. We assume these attacks are performed
within the adversarial capability defined in Section V-A.
1) Replay Attack: As shown in Fig. 22(a), the adversary
Eve records Alice’s waveform and then impersonates Alice
by replaying the prerecorded waveform. Since Eve cannot
accurately control its OOBLP, Bob will be able to detect the
incorrect leakage power and reject the communication.
2) Modification Attack: In the Modification attack [see
Fig. 22(b)], Eve records Alice’s waveform and then modifies
the message without changing identification signatures when
retransmitting the signal to Bob. Compared with the Replay
attack, the Modification attack is more demanding for Eve to
implement, but the damage it can cause is more severe. Despite
its effort to preserve the original identification signatures, its
incorrect OOBLP will still be detected by Bob, and therefore
its attack will be rejected.
3) DoSL Attack: DoSL attack aims at exhausting Bob’s
battery by frequently inducing unnecessary energy-consuming
duties [see Fig. 22(c)], i.e., decoding messages, transmission,
etc. It is a popular form of denial of service (DoS) attack that
most IoT devices are vulnerable to, as it is challenging
to detect abnormal uses of high energy-consuming tasks.
DoSL can be easily thwarted by the proposed security model
because: 1) all commands sent by Eve, either using replay
or modification attack, will be rejected; and 2) it is far less
power-consuming to perform the proposed physical-layer
identification than traditional public-key-cryptography-based
authentication. Therefore, minimal energy is wasted by an
illegitimate attacker.
Fig. 22. Attack models of (a) replay attack, (b) modification attack, (c) DoSL
attack, and (d) MitM attack.
4) MitM Attack: MitM attacks the authenticity of the com-
munication, as shown in Fig. 22(d). The attacker aims to
control the back-and-forth communications between Alice and
Bob. Relay attack is the most prevalent form of MitM in
Bluetooth devices. When Alice and Bob are located further
than the allowed communication distance, Eve can place two
TXs that are close to Alice and Bob, respectively, and relay the
communications between them. Relay attack has been used to
hack many Bluetooth-enabled devices, most infamously key-
less vehicles [37]. Based on previous discussions, a successful
MitM attack is not possible when the attacker’s capabilities are
constrained within our adversarial model, as MitM relies on
fundamental attack techniques such as Replay and Modifica-
tion attacks.
VI. CONCLUSION
In this article, we present a new approach to realiz-
ing physical-layer identification of resource-constrained IoT
nodes. Compared to existing demonstrations using off-the-
shelf radios, we propose a slight modification to the TX
frontend design by integrating a digital PUF. The digital PUF
allows us to control the RFF probability distribution in a
predictable fashion to enhance the RFF uniqueness. It also
enlarges the RFF dynamic range so we can make full use of
the entire identification space. A 2.4-GHz physical-layer iden-
tification chip is implemented in the GlobalFoundries 45-nm
CMOS SOI process. In addition to achieving competitive
PA performance, it demonstrates significant improvements in
the identification performance in terms of RFF reliability,
uniqueness, and identification space compared to prior demon-
strations. Our results highlight the potential of PUF-controlled
RF impairments as an effective RFF for IoT nodes.
ACKNOWLEDGMENT
The authors would like to thank GlobalFoundries for chip
fabrication and the members of the Rice Integrated Systems
and Electromagnetics (RISE) Laboratory, Houston, TX, USA,
for their valuable technical discussions and support.
REFERENCES
[1] V. A. Thakor, M. A. Razzaque, and M. R. A. Khandaker, “Lightweight cryptography algorithms for resource-constrained IoT devices: A review, comparison and research opportunities,” IEEE Access, vol. 9, pp. 28177–28193, 2021.
[2] D. Costa, S. Figuerêdo, and G. Oliveira, “Cryptography in wireless multimedia sensor networks: A survey and research directions,” Cryptography, vol. 1, no. 1, p. 4, Jan. 2017.
[3] W. Trappe, R. Howard, and R. S. Moore, “Low-energy security: Limits and opportunities in the Internet of Things,” IEEE Secur. Privacy, vol. 13, no. 1, pp. 14–21, Jan. 2015.
[4] K. Yang, D. Blaauw, and D. Sylvester, “Hardware designs for security in ultra-low-power IoT systems: An overview and survey,” IEEE Micro, vol. 37, no. 6, pp. 72–89, Nov. 2017.
[5] F. Bersani and H. Tschofenig, The EAP-PSK Protocol: A Pre-Shared Key Extensible Authentication Protocol (EAP) Method, document RFC 4764, 2007, pp. 1–64.
[6] K. Yang, Q. Dong, D. Blaauw, and D. Sylvester, “8.3 A 553F2 2-transistor amplifier-based physically unclonable function (PUF) with 1.67% native instability,” in IEEE Int. Solid-State Circuits Conf. (ISSCC) Dig. Tech. Papers, Feb. 2017, pp. 146–147.
[7] D. Li and K. Yang, “25.1 A 562F2 physically unclonable function with a zero-overhead stabilization scheme,” in IEEE Int. Solid-State Circuits Conf. (ISSCC) Dig. Tech. Papers, Feb. 2019, pp. 400–402.
[8] B. Yang, K. Wu, and R. Karri, “Scan based side channel attack on dedicated hardware implementations of data encryption standard,” in Proc. Int. Conf. Test, Oct. 2004, pp. 339–344.
[9] X. Lu, S. Venkatesh, B. Tang, and K. Sengupta, “4.6 space-time modulated 71-to-76 GHz mm-wave transmitter array for physically secure directional wireless links,” in IEEE Int. Solid-State Circuits Conf. (ISSCC) Dig. Tech. Papers, Feb. 2020, pp. 86–88.
[10] S. Venkatesh, X. Lu, B. Tang, and K. Sengupta, “Secure space–time-modulated millimetre-wave wireless links that are resilient to distributed eavesdropper attacks,” Nature Electron., vol. 4, no. 11, pp. 827–836, Nov. 2021.
[11] M. I. W. Khan et al., “A 0.31-THz orbital-angular-momentum (OAM) wave transceiver in CMOS with bits-to-OAM mode mapping,” IEEE J. Solid-State Circuits, vol. 57, no. 5, pp. 1344–1357, May 2022.
[12] R. T. Yazicigil, P. Nadeau, D. Richman, C. Juvekar, K. Vaidya, and A. P. Chandrakasan, “Ultra-fast bit-level frequency-hopping transmitter for securing low-power wireless devices,” in Proc. IEEE Radio Freq. Integr. Circuits Symp. (RFIC), Jun. 2018, pp. 176–179.
[13] R. T. Yazicigil et al., “Beyond crypto: Physical-layer security for Internet of Things devices,” IEEE Solid-State Circuits Mag., vol. 12, no. 4, pp. 66–78, Fall 2020.
[14] Y. Shen, J. Xu, J. Yi, E. Chen, and V. Chen, “Class-E power amplifiers incorporating fingerprint augmentation with combinatorial security primitives for machine-learning-based authentication in 65 nm CMOS,” IEEE Trans. Circuits Syst. I, Reg. Papers, vol. 69, no. 5, pp. 1896–1909, May 2022.
[15] N. S. Mannem, T.-Y. Huang, E. Erfani, S. Li, and H. Wang, “A mm-wave transmitter MIMO with constellation decomposition array (CDA) for keyless physically secured high-throughput links,” in Proc. IEEE Radio Freq. Integr. Circuits Symp. (RFIC), Jun. 2021, pp. 199–202.
[16] Q. Zhou, Y. He, K. Yang, and T. Chi, “12.3 exploring PUF-controlled PA spectral regrowth for physical-layer identification of IoT nodes,” in IEEE Int. Solid-State Circuits Conf. (ISSCC) Dig. Tech. Papers, vol. 64, Feb. 2021, pp. 204–206.
[17] B. Chatterjee, D. Das, S. Maity, and S. Sen, “RF-PUF: Enhancing IoT security through authentication of wireless nodes using in-situ machine learning,” IEEE Internet Things J., vol. 6, no. 1, pp. 388–398, Feb. 2019.
[18] B. Danev and S. Capkun, “Transient-based identification of wireless sensor nodes,” in Proc. Int. Conf. Inf. Process. Sensor Netw., Apr. 2009, pp. 25–36.
[19] W. Wang, Z. Sun, S. Piao, B. Zhu, and K. Ren, “Wireless physical-layer identification: Modeling and validation,” IEEE Trans. Inf. Forensics Security, vol. 11, no. 9, pp. 2091–2106, Sep. 2016.
[20] W. Hou, X. Wang, J.-Y. Chouinard, and A. Refaey, “Physical layer authentication for mobile systems with time-varying carrier frequency offsets,” IEEE Trans. Commun., vol. 62, no. 5, pp. 1658–1667, May 2014.
[21] T. Joo, B. Koo, and S. Hong, “A WLAN RF CMOS PA with large-signal MGTR method,” IEEE Trans. Microw. Theory Techn., vol. 61, no. 3, pp. 1272–1279, Mar. 2013.
[22] C. Fager, J. C. Pedro, N. B. de Carvalho, H. Zirath, F. Fortes, and M. J. Rosario, “A comprehensive analysis of IMD behavior in RF CMOS power amplifiers,” IEEE J. Solid-State Circuits, vol. 39, no. 1, pp. 24–34, Jan. 2004.
[23] Bluetooth. (2021). Bluetooth Specification Version 5.3. [Online]. Available: https://www.bluetooth.com/specifications/specs/core-specification-5-3
[24] Y. Hu, X. Zhang, and T. Chi, “A 28 GHz hybrid-beamforming transmitter array supporting concurrent dual data steams and spatial notch steering for 5G MIMO,” in Proc. IEEE Custom Integr. Circuits Conf. (CICC), Apr. 2021, pp. 1–2.
[25] S. Li, T. Chi, T.-Y. Huang, M.-Y. Huang, D. Jung, and H. Wang, “A buffer-less wideband frequency doubler in 45-nm CMOS-SOI with transistor multiport waveform shaping achieving 25% drain efficiency and 46–89 GHz instantaneous bandwidth,” IEEE Solid-State Circuits Lett., vol. 2, no. 4, pp. 25–28, Apr. 2019.
[26] I. Ju, Y. Gong, and J. D. Cressler, “Highly linear high-power 802.11ac/ax WLAN SiGe HBT power amplifiers with a compact 2nd-harmonic-shorted four-way transformer and a thermally compensating dynamic bias circuit,” IEEE J. Solid-State Circuits, vol. 55, no. 9, pp. 2356–2370, Sep. 2020.
[27] S. Satpathy et al., “A 4-fJ/b delay-hardened physically unclonable function circuit with selective bit destabilization in 14-nm trigate CMOS,” IEEE J. Solid-State Circuits, vol. 52, no. 4, pp. 940–949, Apr. 2017.
[28] X. Zhang, S. Li, D. Huang, and T. Chi, “A millimeter-wave three-way Doherty power amplifier for 5G NR OFDM,” IEEE J. Solid-State Circuits, vol. 58, no. 5, pp. 1256–1270, May 2023.
[29] T. Chi, J. S. Park, S. Li, and H. Wang, “A millimeter-wave polarization-division-duplex transceiver front-end with an on-chip multifeed self-interference-canceling antenna and an all-passive reconfigurable canceller,” IEEE J. Solid-State Circuits, vol. 53, no. 12, pp. 3628–3639, Dec. 2018.
[30] Y. He, D. Li, Z. Yu, and K. Yang, “ASCH-PUF: A ‘zero’ bit error rate CMOS physically unclonable function with dual-mode low-cost stabilization,” IEEE J. Solid-State Circuits, vol. 58, no. 7, pp. 2087–2097, 2023.
[31] M. Babaie et al., “A fully integrated Bluetooth low-energy transmitter in 28 nm CMOS with 36% system efficiency at 3 dBm,” IEEE J. Solid-State Circuits, vol. 51, no. 7, pp. 1547–1565, Jul. 2016.
[32] S. Yang, J. Yin, H. Yi, W.-H. Yu, P.-I. Mak, and R. P. Martins, “A 0.2-V energy-harvesting BLE transmitter with a micropower manager achieving 25% system efficiency at 0-dBm output and 5.2-nW sleep power in 28-nm CMOS,” IEEE J. Solid-State Circuits, vol. 54, no. 5, pp. 1351–1362, May 2019.
[33] B. Danev, H. Luecken, S. Capkun, and K. El Defrawy, “Attacks on physical-layer identification,” in Proc. 3rd ACM Conf. Wireless Netw. Secur., Mar. 2010, pp. 89–98, doi: 10.1145/1741866.1741882.
[34] K. Ritvanen and K. Nyberg, “Upgrade of Bluetooth encryption and key replay attack,” in Proc. 9th Nordic Workshop Secure-IT Syst., vol. 28, 2004, pp. 1–13.
[35] J. Uher, R. G. Mennecke, and B. S. Farroha, “Denial of sleep attacks in Bluetooth low energy wireless sensor networks,” in Proc. MILCOM IEEE Mil. Commun. Conf., Nov. 2016, pp. 1231–1236.
[36] T. Melamed, “An active man-in-the-middle attack on Bluetooth smart devices,” Int. J. Saf. Secur. Eng., vol. 8, no. 2, pp. 200–211, 2018.
[37] A. Francillon, B. Danev, and S. Capkun, “Relay attacks on passive keyless entry and start systems in modern cars,” IACR Cryptol. ePrint Arch., vol. 2010, p. 332, Jan. 2010.
Qiang Zhou (Graduate Student Member, IEEE)
received the B.S. degree from Peking University,
Beijing, China, in 2019, and the M.S. degree
from Rice University, Houston, TX, USA, in 2022,
where he is currently pursuing the Ph.D. degree
at the Department of Electrical and Computer
Engineering.
His research interests include hardware security
integrated circuits and systems.
Mr. Zhou was a recipient of the Student Research
Competition Award (First Place) at 2021 IEEE Texas
Symposium on Wireless and Microwave Circuits and Systems.
Yan He (Graduate Student Member, IEEE) received
the B.S. degree in electronic science and technol-
ogy from Zhejiang University, Hangzhou, China,
in 2018. He is currently pursuing the Ph.D. degree
at the Department of Electrical and Computer
Engineering, Rice University, Houston, TX, USA,
advised by Prof. Kaiyuan Yang.
His current research interests include analog and
mixed-signal integrated circuits design for power
management and hardware security.
Mr. He has received the Best Paper Award at
the 2021 IEEE Custom Integrated Circuits Conference (CICC). He was
a recipient of the 2021–2022 IEEE Solid-State Circuits Society (SSCS)
Predoctoral Achievement Award.
Kaiyuan Yang (Member, IEEE) received the B.S.
degree in electronic engineering from Tsinghua Uni-
versity, Beijing, China, in 2012, and the Ph.D.
degree in electrical engineering from the University
of Michigan, Ann Arbor, MI, USA, in 2017.
He is currently an Associate Professor of electri-
cal and computer engineering with Rice University,
Houston, TX, USA, where he also leads the Secure
and Intelligent Micro-Systems (SIMS) Laboratory.
His research interests include low-power integrated
circuit and system design for secure and intelligent
microsystems, bioelectronics, hardware security, and mixed-signal computing.
Dr. Yang has been serving as a TPC member for multiple international
conferences. He was a recipient of the 2022 National Science Foundation
(NSF) CAREER Award and the 2016 IEEE Solid-State Circuits Society
(SSCS) Predoctoral Achievement Award. He was also a recipient of Best Paper
Awards from premier conferences across multiple fields, including 2022 ACM
Annual International Conference on Mobile Computing and Networking
(MobiCom), 2021 IEEE Custom Integrated Circuit Conference (CICC),
2016 IEEE International Symposium on Security and Privacy (Oakland),
and 2015 IEEE International Symposium on Circuits and Systems (ISCAS),
and several best paper award nominations. His research was also recognized as
the research highlight at Communications of the ACM and ACM GetMobile
magazines, the cover of Nature Biomedical Engineering journal, and IEEE
Top Picks in Hardware and Embedded Security. He has been serving as
an Associate Editor for IEEE TRANSACTIONS ON VERY LARGE SCALE
INTEGRATION (VLSI) SYSTEMS (TVLSI).
Taiyun Chi (Member, IEEE) received the B.S.
degree (Hons.) from the University of Science and
Technology of China (USTC), Hefei, China, in 2012,
and the Ph.D. degree from the Georgia Institute of
Technology, Atlanta, GA, USA, in 2017.
He is currently an Assistant Professor with the
Department of Electrical and Computer Engineering,
Rice University, Houston, TX, USA. His research
interests include RF/millimeter-wave/terahertz inte-
grated circuits and integrated bio-sensors and
bio-actuators.
Dr. Chi is a Technical Program Committee (TPC) Member of the IEEE
Custom Integrated Circuits Conference (CICC) and International Microwave
Symposium (IMS). His research group has received the 2021 IEEE CICC Best
Student Paper Award, the 2021 IEEE IMS Advanced Practice Paper Award
Finalist, the 2021 Texas Wireless Symposium Student Research Competition
Award (First Place), and the 2022 IEEE RFIC Symposium Best Student Paper
Award Finalist. He was a recipient of the USTC Guo Moruo Presidential
Scholarship in 2012, the Microwave Theory and Techniques Society (MTT-S)
Graduate Fellowship for Medical Applications in 2016, the IEEE CICC
Best Paper Award in 2017, the IEEE Solid-State Circuits Society (SSCS)
Predoctoral Achievement Award in 2017, the Sigma Xi Best Ph.D. Thesis
Award (Georgia Tech Chapter) in 2018, the National Science Foundation
(NSF) CAREER Award in 2023, and the Rice School of Engineering Teaching
and Research Excellence Award in 2023. He is also the TPC Co-Chair of the
IEEE Texas Symposium on Wireless and Microwave Circuits and Systems.
This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.
... tend to be distinguishable, the RFF is particularly suitable for IoT device identification. Therefore, extensive researches have been conducted, covering a diverse range of IoT techniques, including ZigBee [6]- [8], LoRa [9], [10], Wi-Fi [11]- [17], LTE [18], ADS-B [19], [20], and Bluetooth [21], [22]. ...
... However, the effectiveness of spectral regrowth as an RFF representation was not fully analyzed, and there was a lack of validation in real-world scenarios. In [22], the spectral regrowth controlled by a physically unclonable function (PUF) was utilized for device identification, yet the effect of channel variation was not taken into consideration. ...
Preprint
Radio frequency fingerprint identification (RFFI) is a promising device authentication approach by exploiting the unique hardware impairments as device identifiers. Because the hardware features are extracted from the received waveform, they are twisted with the channel propagation effect. Hence, channel elimination is critical for a robust RFFI system. In this paper, we designed a channel-robust RFFI scheme for IEEE 802.11 devices based on spectral regrowth and proposed a carrier frequency offset (CFO)-assisted collaborative identification mechanism. In particular, the spectral regrowth was utilized as a channel-resilient RFF representation which is rooted in the power amplifier nonlinearity. While CFO is time-varying and cannot be used alone as a reliable feature, we used CFO as an auxiliary feature to adjust the deep learning-based inference. Finally, a collaborative identification was adopted to leverage the diversity in a multi-antenna receiver. Extensive experimental evaluations were performed in practical environments using 10 IEEE 802.11 devices and a universal software radio peripheral (USRP) X310 receiver with 4 antennas. The results demonstrated the effectiveness of the proposed method against diverse channel conditions and CFO drift, where an average classification accuracy of 92.76% was achieved against channel variations and a 5-month time span, significantly outperforming existing methods.
... BTL Auth, an on-phone authentication software powered by Tensor Flow Lite and driven by breathing data, uses a neural network model to validate the target user and an audio processing pipeline to filter and compute features. The authors offer energy-efficient RF fingerprinting for physical layers in the study [23], which is specially tailored for IoT nodes with limited resources. They suggest making a li le change to the radio front by adding a digital physically unclonable function (PUF) to improve the identification performance over earlier experiments using off-the-shelf radios. ...
Article
Full-text available
Internet of Things (IoT) technology is evolving over the peak of smart infrastructure with the participation of IoT devices in a wide range of applications. Traditional IoT authentication methods are vulnerable to threats due to wireless data transmission. However, IoT devices are resource- and energy-constrained, so building lightweight security that provides stronger authentication is essential. This paper proposes a novel, two-layered multi-factor authentication (2L-MFA) framework using blockchain to enhance IoT devices and user security. The first level of authentication is for IoT devices, one that considers secret keys, geographical location, and physically unclonable function (PUF). Proof-of-authentication (PoAh) and elliptic curve Diffie–Hellman are followed for lightweight and low latency support. Second-level authentication for IoT users, which are sub-categorized into four levels, each defined by specific factors such as identity, password, and biometrics. The first level involves a matrix-based password; the second level utilizes the elliptic curve digital signature algorithm (ECDSA); and levels 3 and 4 are secured with iris and finger vein, providing comprehensive and robust authentication. We deployed fuzzy logic to validate the authentication and make the system more robust. The 2L-MFA model significantly improves performance, reducing registration, login, and authentication times by up to 25%, 50%, and 25%, respectively, facilitating quicker cloud access post-authentication and enhancing overall efficiency.
Article
This paper presents a novel radio frequency fingerprint (RFF) enhancement strategy by exploiting the physical unclonable function (PUF) to tune the RF hardware impairments in a unique and secure manner, which is exemplified by taking power amplifiers (PAs) in RF chains as an example. This is achieved by intentionally and slightly tuning the PA non-linearity characteristics using the active load-pulling technique. The motivation driving the proposed research is to enlarge the RFF feature differences among wireless devices of same vendor, in order to massively improve their RFF classification accuracy in low to medium signal to noise ratio (SNR) channel conditions. PUF is employed to dynamically tune the PA’s RFF feature which guarantees the security since the PUF response cannot be cloned. Specifically, a ring oscillator (RO)-based PUF is implemented to control the PA non-linearity by selecting unique but random configuration parameters. This approach is proposed to amplify the distinctions across same model PAs, thereby enhancing the RFF classification performance. In the meantime, our innovative strategy of PUF-assisted RFF does not noticeably compromise communication link performance which is experimentally tested. The resulting RFF features can be extracted from the received distorted constellation diagrams with the help of image recognition-based machine learning classification algorithms. Extensive experimental evaluations are carried out using both cable-connected and over-the-air (OTA) measurements. Our proposed approach, when classifying eight PAs from a same vendor, achieves 11% to 24% average classification accuracy improvement by enlarging the RFF feature differences arising from the PA non-linearity.
Article
Full-text available
As wireless networks move to millimetre-wave (mm-wave) and terahertz (THz) frequencies for 5G communications and beyond, ensuring security and resilience to eavesdropper attacks has become increasingly important. Traditional encryption methods are challenging to scale for high-bandwidth, ultralow-latency applications. An alternative approach is to use physical-layer techniques that rely on the physics of signal propagation to incorporate security features without the need for an explicit key exchange. Ensuring security through the use of directional, narrow-beam-like features of mm-wave/THz signals has proven to be vulnerable to passive eavesdroppers. Here we report a space-time modulation approach that ensures security by enforcing loss of information through selective spectral aliasing towards the direction of eavesdroppers, even though the channel can be physically static. This is achieved by using custom-designed spatio-temporal transmitter arrays realized in silicon chips with packaged antennas operating in the 71–76 GHz range. We also analytically and experimentally demonstrate the resilience of our links against distributed and synchronized eavesdropper attacks in the mm-wave band.
Article
Full-text available
IoT is becoming more common and popular due to its wide range of applications in various domains. They collect data from the real environment and transfer it over the networks. There are many challenges while deploying IoT in a real-world, varying from tiny sensors to servers. Security is considered as the number one challenge in IoT deployments, as most of the IoT devices are physically accessible in the real world and many of them are limited in resources (such as energy, memory, processing power and even physical space). In this paper, we are focusing on these resource-constrained IoT devices (such as RFID tags, sensors, smart cards, etc.) as securing them in such circumstances is a challenging task. The communication from such devices can be secured by a mean of lightweight cryptography, a lighter version of cryptography. More than fifty lightweight cryptography (plain encryption) algorithms are available in the market with a focus on a specific application(s), and another 57 algorithms have been submitted by the researchers to the NIST competition recently. To provide a holistic view of the area, in this paper, we have compared the existing algorithms in terms of implementation cost, hardware and software performances and attack resistance properties. Also, we have discussed the demand and a direction for new research in the area of lightweight cryptography to optimize balance amongst cost, performance and security.
Article
This article presents a millimeter-wave (mmWave) three-way Doherty output network and its silicon implementation at 38 GHz for 5G new radio (NR) orthogonal frequency-division multiplexing (OFDM). The proposed network synthesis methodology can realize impedance levels that are close to the ideal three-way Doherty operation, reduce the impedance transformation ratio at back-off, and directly absorb the device’s parasitic capacitance. Its design procedure and tradeoffs are discussed in detail. A 38-GHz power amplifier (PA) prototype is implemented in the GlobalFoundries 45-nm CMOS SOI process, achieving 13.7%/11.0% power-added efficiency (PAE) at the 9.5-/11.5-dB back-off, which is among the highest compared with recently reported silicon PAs operating at 35 GHz and above. Tested under 1-and 2-component carrier (CC) 5G NR FR2 64-QAM OFDM signals in the Band n260, the PA demonstrates state-of-the-art average output power (11.3 dBm) and average efficiency (14.7%) with - 25-dB error vector magnitude (EVM). The design robustness and reliability are further demonstrated through the testing of multiple samples and PA lifetime.
Article
Physically unclonable functions (PUFs) are increasingly adopted for low-cost and secure secret key and chip ID generations for embedded and the Internet of Things (IoT) devices. Achieving 100% reproducible keys across wide temperature and voltage variations over the lifetime of a device is critical and conventionally requires large masking or error correction code (ECC) overhead to guarantee. This article presents an automatic self checking and healing (ASCH) stabilization technique for a state-of-the-art PUF cell design based on sub-threshold inverter chains. The ASCH system successfully removes all unstable PUF cells without the need for expensive temperature sweeps during unstable bit detection. By accurately finding all unstable bits without expensive temperature sweeps to find all unstable bits, ASCH achieves ultra-low bit error rate (BER), thus significantly reducing the costs of using ECC and enrolment. Our ASCH can operate in two modes, a static mode (S-ASCH) with a conventional pre-enrolled unstable bit mask and a dynamic mode (D-ASCH) that further eliminates the need for non-volatile memories (NVMs) for storing masks. The proposed ASCH-PUF is fabricated and evaluated in the 65-nm CMOS. The ASCH system achieves “0” BER (BER, << 1.77 EE- 9) across temperature variations in - 20 ^{\circ} C–125 ^{\circ} C, and voltage variations in 0.7–1.4 V, by masking 31% and 35% of all fabricated PUF bits in the S-ASCH and D-ASCH modes, respectively. The prototype achieves a measured throughput of 11.4 Gb/s with 0.057 fJ/b core energy efficiency at 1.2 V, 25 ^{\circ} C.
Article
This article reports the first chip-based demonstration (at any frequency) of a transceiver front end that transmits and receives electromagnetic waves with a helical distribution of wavefront phase [namely, orbital angular momentum (OAM)]. The CMOS chip consists of eight 0.31-THz modulator/detector units, each with an integrated patch antenna, which are placed in a uniform circular pattern with a diameter of one free-space wavelength. The chip transmits OAM modes that are digitally switched among the m = 0 (plane wave), +1 (left-handed), −1 (right-handed), and (+1)+(−1) (superposition) states. The chip is also reconfigurable into a receiver mode that identifies different OAM modes with >10-dB rejection of mismatched modes. The array, driven by only one 310-GHz signal generation path, has a measured EIRP of −4.8 dBm and consumes 154 mW of dc power in the OAM source mode. In the receiver mode, it has a measured conversion loss of ∼30 dB and consumes 166 mW of dc power. Using a low-cost 65-nm bulk CMOS technology, the terahertz (THz)-OAM chip has an area of only 2.1 × 2.6 mm², which is the smallest among all prior OAM prototypes. The output OAM beam profiles and the modes’ orthogonality are experimentally verified. The dynamic mode switching capability of the chip is also verified in the time domain across a 1-m distance, and a full-silicon OAM link is demonstrated.
Article
One means by which the security of Internet-of-Things (IoT)-enabled devices may be augmented is through radio-frequency fingerprinting-based authentication methods. As variability in CMOS processes increases with technology scaling, the hardware imperfections that form RF fingerprints can be controlled with small reconfigurable elements, enabling the feasibility of RF fingerprinting as a low overhead security measure for device authentication. To achieve rapid RF identification, we present an inherently secure RF power amplifier and a convolutional neural network-based machine learning classifier through an exploration of combinatorial randomness and self-aware detection mechanisms. By selecting different subsets of thinly sliced power amplifier elements, combinations of random process variations are exploited and updated to form a large search space of distinct RF fingerprints and improve fingerprint prominence. The rich features enabled by augmented device primitives are updated in a time-varying manner to strengthen built-in hardware security. Measurement results demonstrate the effectiveness of this approach at generating distinguishable RF fingerprints across a significant number of configurations.
Article
The boom of connected Internet of Things (IoT) nodes and ubiquity of wireless communications are projected to increase wireless data traffic by several orders of magnitude in the near future. While these future scalable networks support increasing numbers of wireless devices utilizing the electromagnetic (EM) spectrum, ensuring the security of wireless communications and sensing is also a critical requirement. Wirelessly connected sensor nodes transmit and collect private and sensitive data, e.g., health-related or financial information, that must be communicated securely over the air.