TWI781544B - Integrated circuit device and method and system of generating a security key for an integrated circuit device - Google Patents

Abstract

Systems and methods of generating a security key for an integrated circuit device include generating a plurality of key bits with a physically unclonable function (PUF) device. The PUF device can include a random number generator that can create random bits. The random bits may be stored in a nonvolatile memory. The number of random bits stored in the nonvolatile memory allows for a plurality of challenge and response interactions to obtain a plurality of security keys from the PUF device.

Description

Integrated circuit device and method and system for generating a security key for an integrated circuit device

This case relates to an integrated circuit device, in particular to an integrated circuit device including a physically non-replicable function generator and a method and system for generating a security key for the integrated circuit device.

With the increasing reliance on computer systems and the Internet in many areas such as personal communications, shopping, banking, commerce, etc., the need for improved network security has also increased. Many security measures are available, including encryption. A physically non-copyable function is a physical object embodied in a physical structure that can be used to produce output. The output is easy to evaluate, but the output is difficult or almost impossible to predict. Physically non-reproducible function outputs can be used as unique identifiers or keys in secure computing and communications.

Individual physically non-reproducible functional devices must be easy to manufacture, but virtually impossible to reproduce, even given the precise manufacturing process that produces them. In this respect, it is the hardware analog of a one-way function. Physically non-clonable functions are typically implemented in integrated circuits and are often used for required application.

This case discloses a method for generating a security key for an integrated circuit device, including generating a plurality of key bits with a random number generator, storing the key bits in a non-volatile memory, and The key bits in volatile memory generate the security key.

This case also discloses an integrated circuit device including a physically non-replicable function generator. The physically non-clonable function generator outputs two or more secure keys. Each security key includes a plurality of key bits. The physical non-clonable function generator includes static random access memory, one-time programmable device, scrambler, input address scrambler, controller and output register. The SRAM is read after initialization to provide one or more of the key bits. The one-time programmable device stores key bits read from the SRAM, and provides one of two or more security keys according to the key bits after receiving the address. The scrambler scrambles the key bits read from the SRAM. The scrambler is one of a bit folding circuit or a linear feedback shift register. The input address scrambler receives an input address and scrambles the input address to generate an address provided to the one-time programmable device. The controller is used to control the functions of the static random access memory and the one-time programmable device. The controller further receives the key size indicator signal, and sets the output register to store a number of bits according to the key size indicator signal for the security key.

This case also discloses a system for generating a security key for an integrated circuit device, including a random number generator, an input address scrambler, a one-time programming device and output register. The random number generator includes static random access memory and linear feedback shift register. The SRAM is read after initialization to provide a plurality of bits. The linear feedback shift register scrambles bits read from the SRAM into scrambled key bits. The input address scrambler receives an input address, scrambles the input address into a scrambled address, and provides the scrambled address. The one-time programmable device communicates with the feedback shift register and the input address scrambler to: store scrambled key bits provided from the feedback shift register such that the scrambled key bits and bits The address is associated, the scrambled address is received from the input address scrambler, the address associated with the scrambled key bit is determined, the address matches the scrambled address, and the read has the scrambled address The scrambled key bits of the address of the address match, and the scrambled key bits are provided as a security key. The output register communicates with the one-time programmable device. The output register receives the security key from the one-time programmable device and outputs the security key.

100: Physically non-clonable function devices/generators (physically non-clonable function circuits, physically non-clonable functions, integrated circuit devices, authentication circuits)

102: Controller

104: random number generator

106: Static Random Access Memory Array (SRAM)

108: Scrambler

110: Non-volatile memory (memory, processing memory, one-time programmable, one-time programmable device, antifuse one-time programmable, component)

112:Built-in self-test

114: Verification component (verification block)

116: Input port (input address block)

118: output register

120: output port (output)

122: signal (input signal)

124: request (input challenge signal, address, signal)

126: signal (output signal, output ready signal)

128: Signal (output signal, output)

202: random number generator and/or random number generator interface (random number generator interface, functional component)

204: Non-volatile memory interface

206: Initial write to non-volatile memory

208: Verification of non-volatile memory

210: Random number generator bit scrambler

212: Closing of non-volatile memory

214: key size determiner

216: Input/Output Interface (Functional Components)

300: Data structure

302: Reserved bits

304: Address (address data, fields)

306: random number (part, field, random bit)

308:part(key, keysize)

310: ellipsis

402: Reset signal (signal)

404: Reset or start signal

406: Signal (reset or start signal)

408: Signal (test signal)

410a: signal

410b: signal

412: signal

414: signal

416: signal

418: Status check signal (signal, input signal)

420: signal

422: signal

424: Signal (status, output signal)

426: signal

428:Signal

430a: signal

430b: signal

432: signal (message)

434: arc

436: signal

438: Key Size Signal (Key Size Indicator Message, Key Size Indicator Signal, Signal)

440: signal

442: Inquiry signal (signal, address signal)

444: signal (address)

446: Signal (address input signal, input address)

448: signal (address signal)

450: signal

452: signal

454: signal

456: signal

500: method

508: Operation

512: Operation

516: Operation

520: Operation

524: Operation

528: Operation

532: Operation

536: Operation

540: Operation

544: Operation

548:Operation

600: method

608: Operation

612: Operation

616:Operation

620: Operation

624: Operation

628: Operation

632: Operation

700: method

708: Operation

712: Operation

716: Operation

720: Operation

724: Operation

728:Operation

732: Operation

736:Operation

740: Operation

744: Operation

748:Operation

800: method

808: Operation

812:Operation

816:Operation

820: Operation

824:Operation

828:Operation

Aspects of the present disclosure are best understood from the following Detailed Description when read with the accompanying figures. Note that, in accordance with the standard practice in the industry, various features are not drawn to scale. In fact, the dimensions of the various features may be arbitrarily increased or reduced for clarity of discussion.

FIG. 1 is a block diagram illustrating aspects of an example physically non-clonable function generator/device according to examples of the present application.

FIG. 2 is a block diagram illustrating aspects of the example controller of FIG. 1 according to an example of the present application.

FIG. 3 is a block diagram illustrating aspects of an example data structure for the physically non-clonable function device of FIG. 1 according to an example of the present application.

4A is a communication diagram illustrating aspects of communication between components of a physically non-clonable function device according to examples of the present application.

4B is another communication diagram illustrating aspects of communication between components of a physically non-clonable function device according to examples of the present application.

5 is a process flow diagram illustrating aspects of a method for storing random numbers in non-volatile memory of a physically non-clonable function device according to an example of the present application.

6 is a process flow diagram illustrating aspects of an example method for generating a physically non-copyable functional security key according to examples of the present application.

7 is another process flow diagram illustrating aspects of a method for storing random numbers in non-volatile memory of a physically non-clonable function device according to examples of the present application.

8 is a process flow diagram illustrating aspects of a method for determining the state of a physically non-clonable function device according to an example of the present application.

The following disclosure provides many different embodiments, or examples, for implementing different features of the presented subject matter. Specific examples of components and configurations are described below to simplify the present disclosure. Of course, these are examples only, and are not intended to be limiting. For example, in the description below, the formation of a first feature on or over a second feature may include wherein the first feature and the second feature Examples in which features are formed in direct contact may also include examples in which additional features are formed between first and second features such that the first and second features may not be in direct contact. Additionally, this disclosure may repeat reference numerals and/or letters in various instances. This repetition is for simplicity and clarity, and by itself does not indicate a relationship between the various examples and/or configurations discussed.

As mentioned above, a physical unclonable function (PUF) is a physical object embodied in a physical structure that can be used to produce an output that is easy to evaluate but nearly impossible to predict. Integrated circuit (IC) devices typically include electronic circuits formed on a semiconductor substrate or "wafer" formed from a semiconductor material such as silicon. The components of an IC device are formed on a substrate by photolithography rather than being constructed one item at a time. The electronic devices formed on the substrate are interconnected by conductors or wires, and the conductors or wires are also formed on the substrate by photolithography. Although manufactured in batches, each IC device is unique due to physical randomness, even using the same manufacturing process materials. This inherent variation can be extracted and used as its unique identifier, just like human DNA. According to the examples disclosed herein, such variation is used to establish a unique IC device signature that functions as a physically non-clonable function because it is unique, device-specific, non-copiable (cannot be imitated or copied), repeatable wait.

FIG. 1 is a block diagram illustrating an example of an integrated circuit device that may include a physically unclonable function (PUF) device in accordance with aspects of the present disclosure. Set/generator 100. An integrated circuit device includes a substrate forming an electronic device, which may be any of various types of devices implemented by integrated circuits, such as a processing device or a memory device. The physically non-clonable function device 100 is configured to receive the challenge through the input port 116 . In response to the challenge, the authentication circuit is configured to provide a response in the form of a security key, which is output by the physical non-clonable function circuit 100 via the output port 120 . As noted above, the physically non-clonable function 100 is constructed based on the occurrence of different physical process variations during the fabrication of integrated circuits. Such static physical variations allow the integrated circuit to have a unique fingerprint (or unique fingerprints) specific to the integrated circuit. When a specific challenge is received via the input port 116, a corresponding unique response is generated. An integrated circuit capable of generating multiple fingerprints is a strongly physically irreproducible function because multiple challenge and response pairs can be used.

Using certain physically non-clonable function generation techniques, some of the underlying security key bits may differ from one generation of physically non-clonable functions to another. In this disclosure, such key bits are referred to as random bits. In general, random bits are not suitable for key generation because messages encrypted with a key with random bits may not be reliably decrypted. The useful bits are collected and identified to generate a unique and secure key for each integrated circuit device. In some examples disclosed herein, rather than keeping a record of key bits used to generate a security key, scrambled random bits are maintained. In the example shown in FIG. 1 , a scrambled version of the random bits is stored in non-volatile memory 110 . Generating the security key includes accessing the memory 110 and then outputting the response key.

The physical non-copyable function device 100 is used to generate The security key of each key bit. As described above, a security key is provided in response to a received challenge and is unique to a particular integrated circuit device 100 due to inherent variations in the manufacturing process of the device. In some examples, the physically non-clonable function device 100 includes a random number generator 104, for example, a memory array such as a static random access memory (SRAM) array, wherein the memory cells of the array generate secure The key bits of the key. The size of the SRAM array or the number of memory cells of the SRAM array used for key generation may be determined based on the size of the required security key.

The processing memory 110 is provided for physically non-copyable function data processing. In the illustrated example, processing memory 110 is nonvolatile memory (NVM). In some examples, the processing memory 110 is a one-time programmable (One-Time Programmable; OTP) memory or device. Hereinafter, the processing memory 110 may be interchangeably referred to as a non-volatile memory (nonvolatile memory; NVM) 110 or a one-time programmable (One-Time Programmable; OTP) 110, however, it should be noted that the processing memory 110 is not Limited to non-volatile memory or one-time programmable memory or devices.

A request 124 for a security key is received in the form of a challenge. The input address block 116 handles such requests or queries to ensure the validity of the queries before presenting them to the processing memory 110 . Based on the valid request, the processing memory 110 retrieves the security key. In some instances, the input address field Block 116 processes the request by scrambling the input address to randomize the request for the security key sent to processing memory 110 .

In the example circuit shown in FIG. 1 , the memory used to store the scrambled bits includes non-volatile memory disposed on the physically non-clonable function device 100 itself. In other examples, the memory is located external to the physically non-clonable function device 100 . In FIG. 1 , the memory is an antifuse one-time programmable 110 , which marks an identified address of scrambled random bits in a physically non-clonable function 100 . As will be discussed further below, the one-time programmable 110 initially contains no information. During the debug process, the one-time programmable 110 is updated with the scrambled bits and address at the end of each of a plurality of steps. At the end of all steps, the one-time programmable 110 will contain information about all scrambled bits. The physically non-clonable function 100 uses this information to generate a security key in response to a received challenge. The illustrated example further includes a controller 102 . In the example where non-volatile memory 110 is implemented via one-time programmable 110, controller 102 interfaces with one-time programmable 110 for read and write modes.

The illustrated authentication circuit 100 further includes an input address block 116 that provides an interface external to the physically non-clonable function device 100 . For example, the input address block 116 initiates access to the physical non-clonable functional device 100 and tracks all transactions related to one-time programmable 110 access and data collection.

The physically non-clonable function device 100 captures inherent differences between manufactured devices to generate a physically non-clonable function signature. For example, there are physically non-copyable functions based on delay chains, where physically non-copyable Function converts changes (differences) to delayed changes. Delay-chain-based physically non-reproducible functions use a set of delay chains consisting of logic gates. Each chain will have different latencies due to static changes in components. A signature for the random number can be generated from a random number generator (RNG) 104 by sampling the delay.

Another approach is based on the physically non-reproducible functions of memory, where changes in devices in bistable elements are converted to produce a "1" or a "0". Such memory-based physically non-replicable functions include, for example, static random access memory, dynamic random access memory (dynamic random access memory; DRAM), magnetoresistive random access memory (magnetoresistive random access memory); Any one of various memory cell arrays such as MRAM, resistive random-access memory (RRAM), and read-only memory (ROM). A particular type of memory-based physically non-clonable function is an SRAM physically non-clonable function, which includes a static random access memory (SRAM) array 106 . These physically non-copyable functions utilize small memory cell changes to generate signatures. For example, an SRAM array can generate a signature from the start-up state of a cell that is random and unique among different SRAMs.

In some configurations, the random number generator 104 includes a memory array upon which the physically non-copyable functions are based. For example, this static random The physical non-clonable function of the machine access memory uses the memory initial data content (power-on condition) of the SRAM array 106 to generate the security key. Bits of the generated key that do not change state from one power cycle to the next are called stable bits. However, attempting to identify and record each stable bit to be used in key generation would require a significant amount of time, and recording the stable bits may expose the key generation to side attacks. Additionally, due to environmental influences, noise, and aging that may affect the memory's stable bits, a large number of additional bits will be required to correct errors.

As noted above, some examples implement a physically non-clonable function generator via SRAM. For example, the physical non-clonable function signature can be generated by using the power-on state of the SRAM device. Even though SRAM devices include symmetric cells (bits), manufacturing variances may still cause each bit of the SRAM device to tend to be in a high state when the SRAM device is powered on (i.e. , logic "1") or low state (ie, logic "0"). These initial power-on states of the bits are distributed randomly throughout the SRAM device, which causes variability that can be defined by a physically non-clonable function to generate the unique key of the SRAM device.

In other examples where SRAM is used as a physically non-clonable function generator, the security key is generated by comparing the access speeds (e.g., read speeds) of two memory cells of a memory device. every bit. In such an example, since the physical non-clonable function signature is based on a comparison of read speeds, no iterations are required to power on and off the memory device.

Regardless of the type of SRAM-based random number generator 104, the bits or signatures of the SRAM 106 can be scrambled. Scrambling the SRAM bits further randomizes the already randomized bits from the SRAM 106 and prevents security from being compromised by reading the SRAM 106, which This is because the bits stored in the one-time programmable memory 110 are different from the bits read from the SRAM 106 . The scrambler 108 may be a bit folding circuit. In other configurations, the scrambler 108 may be a linear feedback shift register (LFSR), optionally paired with one or more XOR gates. Regardless of the type of scrambler, the read SRAM bits can be scrambled or changed to a new configuration, which makes the physically non-clonable function 100 difficult to corrupt because the SRAM Even if the bank is read, it is not the same as the bit stored in the one-time programmable 110.

Another component of the physically non-clonable function 100 may be a built-in self-test (BIST) 112 . Built-in self-test 112 may determine the functionality or proper operation of one-time programmable 110 and/or random number generator 104 . Built-in self-test 112 can send and receive signals from one-time programmable 110 and random number generator 104 to determine that both components 110, 104 are functioning and are functioning properly. This operational information can be communicated back to the controller 102 .

The verification component 114 may verify information or data stored in the one-time programmable device 110 and/or from the random number generator 104 . For example, the random number generator 104 can store the bits in the one-time programmable 110, and verify the group Component 114 can then read the bits from one-time programmable 110 and compare them with the information in the scratchpad of random number generator 104 to determine whether the bits have been properly written to the one-time programmable 110. Any type of information resulting from this verification can then be sent to the controller 102 for further operations. In other cases, the one-time programmable 110 may also verify the information being read and sent to the output register 118 . In this way, the controller 102 can determine whether the output to the output register 118 has been sent and/or is correct.

The output register 118 may store bits from the one-time programmable 110 for output from the physically non-clonable function 100 . The output register 118 can be configured by the controller 102 to change the size of the key or the amount of response bits that will be sent from the physically non-clonable function 100 . In at least some configurations, the output port 120 can output a set number of bits, such as 16 bits, in parallel or serial format. The output register 118 can store keys of different sizes that can be larger than the 16 bits of the output 120 . Therefore, the output register 118 can be used to store the entire output key to be sent from the output 120 as one or more signals 128 . After the output port 120 obtains all key bits from the output register 118 in one or more consecutive reads and sends the entire key as a signal 128, the output port 120 may send the key bits in a number of signals 128 Bits, for example, 16 bits are sent at a time.

The output port 120 may be a parallel or serial port that sends a signal 128 to another device or function on the integrated circuit or external to the physically non-clonable function 100 . The output port 120 can have a set number of bits that the output port 120 can send in any one signal 128, for example 16 bits. Output port 120 may send continuous or repeated output until the entire key is provided as output signal 128 .

The physically non-clonable function 100 may also include an input address block 116 . The input address block 116 accepts an input challenge signal 124, which may include an address. The address can be sent by the input address block 116 to the one-time programmable 110 to retrieve a key with that address. The key may be output as a response to the challenge signal as described herein. In at least some configurations, the input address block 116 may also scramble the addresses 124 . In this way, the output key is randomized from this address and the key is prevented from being determined by repeated challenges and responses. The scrambler in the input address block 116 can be a linear feedback shift register or other circuits.

A set of functions or components of the controller 102 may be as shown in FIG. 2 . Functional components 202 through 216 may represent different types of functions or processes performed or generated by controller 102 . These various functions may be embodied as firmware loaded into the controller 102 from memory, or may be permanently embodied as gates or other hardware in the integrated circuit of the controller 102 . Regardless, these different functions contribute to generating the output of the physically non-clonable function 100 and control the different functions available from the physically non-clonable function 100 .

The random number generator and/or random number generator interface 202 can interact with the random number generator 104 . Thus, the controller 102 can read from or write to the SRAM 106 in at least some configurations. In addition, the controller 102 can enable the SRAM 106 or the random number generator 104 . Controller 102 may also interface with scrambler 108 . Thus, the controller 102 can enable the scrambler 108, affect the way the scrambler functions, self-scrambler 108 to read information, or use the scrambler 108 to perform other operations.

The controller 102 may also include a non-volatile memory interface 204 . The non-volatile memory interface 204 can interact with the non-volatile memory 110 . Therefore, the controller 102 can read or write information to the non-volatile memory 110 . In some configurations, the controller 102 may only be able to read certain portions of the non-volatile memory 110 . For example, controller 102 may determine whether one-time programmable 110 has been programmed with a random number. Additionally, the controller 102 may enable the one-time programmable 110 or perform other operations including, for example, causing the one-time programmable 110 to send a key to the output register 118 .

The non-volatile memory initial write function 206 can perform a first initial storage of random numbers to the non-volatile memory 110 . This initial write function 206 of the non-volatile memory enables the SRAM 106 to provide data to the scrambler 108 , which can then be read or written to the one-time programmable 110 . Therefore, the non-volatile memory initial write function 206 controls the process of storing nonces into the non-volatile memory 110 .

The verification function 208 of the non-volatile memory can verify through the verification block 114 that the information written to the one-time programmable 110 is the same as the information provided in the register of the scrambler 108 . Therefore, the controller 102 can interact with the verification block 114 , the random number generator 104 and the one-time programmable programming 110 to determine whether correct data is written from the random number generator 104 to the one-time programmable programming 110 .

In some configurations, the controller 102 can be used as a scrambler to scramble bits from the SRAM 106 using the optional random number generator bit scrambler function 210 . In this way, the controller 102 acts as a scrambler 108 . Accordingly, the controller 102 may include bit folding circuit functionality, linear feedback shift register circuitry/function, or other types of scrambling techniques. The controller 102 can provide the necessary bit scrambling for the one-time programmable 110 .

After the non-volatile memory 110 stores the random number scrambled from the scrambler 108 , the shutdown function 212 of the non-volatile memory can stop writing to the non-volatile memory 110 . Therefore, the controller 102 can also cause the one-time programmable device 110 to set one or more bits indicating that the one-time programmable device 110 has been written and the key has been stored. Furthermore, when the physically non-clonable function 100 is enabled, the controller 102 can read the set bits from the one-time programmable 110, and then based on the state in which the one-time programmable 110 is programmed, can set, for example, 1 and/or Bits of 0 are written to the SRAM 106 to prevent reading the boot state of the SRAM.

Key size determiner 214 may be an interface that may receive signal 122 indicating the key size desired as output. The key size determiner 214 may then interact with the output register 118 to set the size of the register for storing and receiving bits associated with a key having the set key size. Thereafter, the controller 102 can control the output register 118 to send the key to the output port 120 .

The input/output interface 216 can interact with circuits, devices, functions, etc. outside the physically non-clonable function 100 . The input signal 122 can be sent to the input/output interface 216 of the controller 102 to perform certain functions. In addition, the I/O interface 216 may also send the signal 126 or other signals sent from the physically non-clonable function 100 . The input/output interface 216 can be Interacts with output register 118 and/or output port 120 to send output signals 126 , 128 . The output signals 126 , 128 may include indications that the output 128 is ready in the output register 118 and/or the output port 120 . When a challenge (possibly with an address) is received to request a security key, the input/output interface 216 may also interact with the input address block 116, which may receive the address and The address is scrambled to receive an indication at the controller that the address has been received. The input address block 116 may provide an address to the non-volatile memory 110 to have a key read, which is placed in the output register 118 . Therefore, external communication can be controlled by the input/output interface 216 of the controller 102 .

An example of a data structure 300 that may represent random bits stored as a key in the one-time programmable 110 may be shown in FIG. 3 . Data structure 300 may have different fields or sections than those shown and provided in FIG. 3 . As indicated by ellipses 310, there may be more or fewer fields or sections than shown in FIG. 3 . Data structure 300 may include one or more reserved bits 302 , a portion of one or more addresses 304 associated with one or more nonces 306 . Reserved bits 302 may be one or more bits used to provide information to controller 102 or other components within physically non-clonable function 100 . For example, reserved bits 302 may have one or more bits set to indicate that one-time programmable 110 has been programmed with the key stored as nonce 306 .

The address 304 is a set of random numbers in the indication part 306 or a set of identifiers (identifier; ID) or data associated therewith. Address 304 may be specified or targeted by input address block 116 . The nonce 306 associated with the address 304 can request a key from the data structure 300 by using the address 304 to extract address 304.

The nonce 306 is a collection of scrambled bits from the SRAM 106 stored in the one-time programmable 110 . These nonces 306 are keys that can be accessed or extracted from or during a challenge/response. Random numbers 306 in sections such as section 308 may be entered into data structure 300 . In other configurations, portion 308 represents a random set of bits equal to the key. These portions 308 may include output bits that are sent to the output register 118 and then to the output port 120 . Thus, there may be several keys 308 within the nonce accessible. This large number of random bits that can be packed into a security key allows the flexibility of using one-time programmable 110 to provide many different security keys.

Examples of various signaling that may occur in the physically non-clonable function 100 may be shown in Figures 4A and 4B. The controller 102 can receive the reset signal 402 into the input/output interface 216 . The reset signal 402 may be an external signal for resetting the physically non-clonable function 100 . In response to the reset signal 402 , the controller 102 may send a reset or enable signal 404 to the random number generator 104 , eg, to the SRAM 106 , and/or send a signal 406 to the one-time programmable 110 .

Additionally, the controller 102 may send a test signal 408 to the BIST 112 . Built-in self-test 112 may request the status of random number generator 104 and/or one-time programmable 110 in signals 410a and 410b. Random number generator 104 may respond with this state in signal 412 , and non-volatile memory 110 may respond with this state in signal 414 . This status information may be sent from BIST 112 back to controller 102 in signal 416 . The controller 102 can then be aware of the status of the different components within the physically non-clonable function 100 and, if desired, report the status externally. Accordingly, these signals 402 to 416 represent signaling for resetting and/or self-testing to determine that the internal circuitry of the physically irreproducible function 100 is functioning properly.

Next, the controller 102 may receive a status check signal 418 . In response to the signal 418 , the controller 102 can use the signal 420 to query the status of the one-time programmable memory 110 from the non-volatile memory 110 . The signal 420 may indicate that the controller 102 is reading the reserved bits 302 from the data structure 300 . Reserved bit 302 may indicate whether one time programmable 110 has already been programmed. This information can be sent back to the controller 102 or read by the controller 102 . Controller 102 may then receive signal 422 and output the status in signal 424 . Status 424 may indicate whether one-time programmable 110 has been programmed.

If the one-time programmable 110 has not been programmed, the controller 102 can then be used to store information into the one-time programmable 110 . During this sequence of signals, the controller 102 may send a signal 426 to the random number generator 104 to begin generating the scrambled numbers to be stored in the one-time programmable 110 . Random number generator 104 may then provide these scrambled numbers to one-time programmable 110 in signal 428 . Bits can be read into one-time programmable 110 one bit at a time, although SRAM 106 can be read in 16-bit blocks or other sized blocks. The random bits can be stored in the non-volatile memory 110 .

After reading a set of bits into one-time programmable 110, one-time programmable 110 and random number generator 104 may each send the stored bits to verification block 114 as signals 430a and 430b. Verify block 114 It can be determined whether the bits stored in the one-time programmable 110 are the same as the bits output from the random number generator 104 . If the bits pass verification, the verification block 114 may send a signal 432 back to the controller 102 indicating the verification. If the verification block 114 indicates that the bits are different, the controller 102 may receive a signal 432 indicating a write failure. Then, the controller 102 can cause the SRAM 106 to resend the scrambled bits to the one-time programmable 110 . If the verification fails twice, the controller 102 may output an error as the signal 122 . However, if the verification is correct, the controller 102 may indicate that the process of storing random bits to the one-time programmable 110 will continue, as represented by arc 434 .

In some examples, controller 102 may continue the process represented by arc 434 . After all possible random bits are stored in the one-time programmable 110, the controller 102 may send a signal 436 to burn-in the one-time programmable 110 and prevent the one-time programmable 110 from receiving more bits. Therefore, the one-time programmable 110 may not be able to store any more bits at this time, but can be used in the challenge and response process to generate or provide a key.

The controller 102 may also receive the key size signal 438 shown in FIG. 4B. The key size signal 438 may indicate the size of the key to be output by the physically unclonable function 100 . In response to signal 438 , controller 102 may then send signal 440 to output register 118 to set the key size based on the information in signal 438 . Therefore, the output register 118 may provide available storage capacity for all bits of the key requested as output.

The controller 102 may then receive a challenge signal 442 to request a key. This signal 442 can trigger the controller 102 to send a signal 444 to the one-time Programmable 110 is ready to receive address input as a challenge. The controller 102 can also interface with the input address block 116 to determine when an input address is received and to control the output of the address to the one-time programmable 110 . An input address may be received at input address block 116 in signal 446 . The input address may then be scrambled, and the scrambled address may be sent as signal 448 to one-time programmable 110 . The one-time programmable 110 can access the address in the address data 304 and read out the random number 306 associated with the received address. The associated nonce 306 represents the key, which may then be sent as a signal 450 to the output register 118 and/or the verification block 114 (not shown). Output register 118 may then provide the key in signal 452 to output port 120 in smaller portions. The controller 102 can also send a signal 454 to indicate that the output register 118 and/or the output port 120 are ready for output. The output key may be sent from the output port 120 in a continuous signal 456 after receiving an indication that the output is acceptable.

5 is a process flow diagram generally illustrating aspects of an exemplary method 500 for generating random numbers and storing them in one-time programmable 110 in accordance with aspects of the present disclosure. The general sequence of operations of method 500 is illustrated in FIG. 5 . Method 500 may include more or fewer operations or steps, or the order of operations or steps may be configured differently than in FIG. 5 . The method 500 may be performed as a set of computer-executable instructions executable by a processor of the controller 102 such as the physically non-clonable function 100 and encoded or stored on a computer-readable medium. In addition, the method 500 can be implemented with a processor, an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (Field Programmable Gate Array; FPGA), system on chip (System on Chip; SOC), another integrated circuit or other hardware devices (eg, controller 102 ) associated gates or circuits are implemented. Hereinafter, the method 500 will be explained with reference to the systems, components, devices, modules, circuits, firmware, software, signals, data structures, methods, etc. described in conjunction with FIGS. 1-4B and 6-8. however, those skilled in the art will understand that some or all of the operations of method 500 may be performed by or using elements different from those described below.

In operation 508, registers, devices, components, and controller 102 may be reset. The input/output interface 216 of the controller 102 can receive the reset signal 402 as part of the signal 122 . The reset signal 402 instructs the controller 102 to reset or initiate the physically non-clonable function 100 . Next, the random number generator interface 202 can send a reset or enable signal 404 to the SRAM 106 . The NVM interface 204 can send a reset or enable signal 406 to the one-time programmable 110 . The controller 102 may also send a test signal 408 to the BIST 112 to test the functionality of other components.

Next, in operation 512 , the built-in self-test 112 may perform a self-test on the random number generator 104 and/or the one-time programmable 110 . The non-volatile memory 110 and random number generator 104 can return a response to the built-in self-test 112, which can indicate whether those components 104, 110 are functioning and functioning properly. This self-test information can then be sent back to the controller 102 .

In operation 516 , the controller 102 may then receive an optional status check signal 418 and then perform a status check on the one-time programmable 110 . check. The status check may be initiated by an input signal 418 received by the I/O interface 216 of the controller 102 . In other cases, the controller 102 may check the status without an input signal. The non-volatile memory interface 204 of the controller 102 can send a signal 420 to the one-time programmable device 110 to determine the status of the one-time programmable device 110 . The signal 420 reads the reserved bit 302 in the one-time programmable 110 to determine whether the reserved bit indicates that the one-time programmable 110 has been written into a random bit and locked.

Reserved bits may have a bit to indicate that the one-time programmable 110 has been written and/or locked. In another configuration, two or more bits may be set to indicate that the one-time programmable 110 has been written to and/or locked. For example, reserved bits may be read and analyzed by a majority vote of three or more bits to determine that the one-time programmable 110 has been written and/or locked. Then, the controller 102 can determine the state of the one-time programmable 110 based on the reserved bits. This status can be sent out by the I/O interface 216 as an output signal 424 .

In operation 520 , the non-volatile memory initial write function 206 of the controller 102 may then power up the SRAM 106 of the random number generator 104 . Specifically, the NVM initial write function 206 enables or initializes the SRAM 106 . The initialization may provide a random first set of bits in the SRAM 106 based on the uniqueness of the SRAM 106 . In operation 524, the unique random bits may be read from the SRAM 106 by the initial write function 206 to the non-volatile memory. Next, in operation 528, the read bits may be sent to the scrambler 108, where In the scrambler, the random bits from the SRAM 106 are scrambled. The bits may be scrambled by a bit folding circuit or a linear feedback shift register such that the location in the scrambler 108 is different from the location read from the SRAM 106 . Next, in operation 532 , the scrambled bits may be stored in a register or memory of the scrambler 108 to be stored in the one-time programmable 110 .

In operation 536 , the random number generator 104 may write the scrambled bits to the one-time programmable 110 from the scratchpad having the scrambled bits. In some configurations, the one-time programmable 110 can receive only one bit per clock cycle. In this way, if the bit register in the scrambler 108 has more than one bit, the random number generator 104 can send from the random number generator 104 to the one-time programmable 110 once per clock cycle. one bit. The bits are written into the one-time programmable 110 until the bit-block has been written. At this point, the bit-block can be read from the one-time programmable 110 to the verification block 114 .

In operation 540 , the verification block 114 may compare the block of bits sent from the one-time programmable 110 with the bits from the scratchpad of the scrambler 108 . The verification block 114 determines whether two bit-blocks are the same. If the blocks are not the same, a message 432 can be sent to the verify function 208 of the non-volatile memory of the controller 102, and the controller can then restart the process to write the block of bits to the one-time programmable 110 again . If the blocks are the same, a signal 432 indicating a positive comparison may be sent to the verify function 208 of the non-volatile memory of the controller 102, and the process continues.

At this time, in operation 544, the controller 102 may determine whether there is More random bits are to be stored in the one-time programmable 110 . If the one-time programmable 110 is not full and there are more bits to store, method 500 may proceed with YES to operation 524 to store the next block of bits. However, if the one-time programmable device 110 has a complete set of random bits stored in the one-time programmable device 110, then the method 500 may proceed to operation 548 with a "NO", wherein the controller 102 may lock once in operation 548 programmable 110.

In operation 548 , the non-volatile memory disable function 212 of the controller 102 may lock the one-time programmable device 110 by setting the reserved bit 302 in the one-time programmable device 110 . Thus, the shutdown function 212 of the non-volatile memory of the controller 102 prevents any further data storage within the one-time programmable memory 110 . At this point, the nonce stored in the one-time programmable 110 is stored in the field 306 as a set of possible keys 308 . Each random bit 306 may be associated with an address 304 . To obtain the key, one-time programmable 110 accepts an address that matches the address in field 304 . If the address information matches, the one-time programmable 110 can read the random bits associated with the received address and send the set of data as a key to the output register 118 .

FIG. 6 is a process flow diagram generally illustrating aspects of an exemplary method 600 for generating a security key in accordance with aspects of the present disclosure. A sequence of operations of method 600 is illustrated in FIG. 6 . Method 600 may include more or fewer operations or steps, or the order of operations or steps may be configured differently than shown in FIG. 6 . Method 600 may be executed by a processor such as controller 102 of physically non-clonable function 100 and A set of computer-executable instructions encoded or stored on a computer-readable medium for execution. Additionally, method 600 may be performed by gates or circuitry associated with a processor, application specific integrated circuit, field programmable gate array, system-on-chip, integrated circuit, or other hardware device (eg, controller 102 ). Hereinafter, the method 600 will be explained with reference to the systems, components, devices, modules, circuits, firmware, software, signals, data structures, methods, etc. described in conjunction with FIGS. 1-5 and 7-8. however, those skilled in the art will appreciate that some or all of the operations of method 600 may be performed by or using elements different from those described below.

In operation 608, the physically non-clonable function 100 may receive the address as a challenge. Address input signal 446 (part of signal 124 ) may be sent to input address block 116 . This input address 446 may be accompanied by a challenge signal 442 or other signal that may be sent to the controller 102 as part of the signal 122 . The address signal 442 may be received by the controller 102 and then when the address signal 448 is provided, another signal 444 may be sent to the one-time programmable 110 to initiate the response with the key by the one-time programmable 110 .

Optionally, in operation 612 the input address block 116 may scramble the input address 446 . The input address block 116 may also include a linear feedback shift register or other types of scramblers. The input address block 116 may scramble the input address 446 to make the provided security key more random. In operation 616 , the scrambled address may then be sent as signal 448 to the one-time programmable 110 to access the one-time programmable 110 . Thus, the input address block 116 provides the scrambled address to the one-time programmable 110 to retrieve the desired security key.

In operation 620 , the key size determiner 214 of the controller 102 may receive the key size indicator signal 438 . Controller 102 may use this key size indicator message 438 to set the output key size in output register 118 by sending signal 440 to output register 118 . This key size information may also be stored in the controller 102 . Thereafter, in operation 620, when acquiring the key, the controller 102 may determine the key size. Controller 102 may access stored information regarding key sizes and provide this information to one-time programmable 110 and/or output register 118 .

Next, in operation 624 , the one-time programmable 110 may retrieve the stored random bit 306 associated with the received address 444 within the data structure 300 . Therefore, one-time programmable 110 can scan address 304 that is the same as or matches address 444 . When a match is found, the one-time programmable 110 may retrieve a nonce 306 associated with this address 304 ; the one-time programmable 110 may retrieve a number of bits associated with the key size 308 set by the controller 102 .

This key information may then be sent as signal 450 to output register 118 in operation 628 . The output register 118 can accept the full key size. The output register 118 may then output the bits stored in the output register 118 as a signal 452 to the output port 120 to be sent out as a signal 456 (which may be part of the signal 128 ). In some cases, output port 120 may accept a smaller portion of the data stored in key 308 in output register 118 . Thus, the output register 118 can repeatedly send data to the output port 120 . In operation 632, the output register 118 can read a portion of the keys in the register, and pass through the output port 120 This is sent out until the entire key is sent as signal 456 . In at least some cases, the I/O interface 216 of the controller 102 may send an output ready signal 126 when the key is ready to be sent.

FIG. 7 is a process flow diagram generally illustrating aspects of an exemplary method 700 for generating random numbers for storage in one-time programmable 110 in accordance with aspects of the present disclosure. The general sequence of operations of method 700 is illustrated in FIG. 7 . Method 700 may include more or fewer operations or steps, or the order of operations or steps may be configured differently than shown in FIG. 7 . Method 700 may be performed as a set of computer-executable instructions executable by a processor of controller 102 such as physically non-clonable function 100 and encoded or stored on a computer-readable medium. Additionally, method 700 may be performed by gates or circuitry associated with a processor, application specific integrated circuit, field programmable gate array, system-on-chip, integrated circuit, or other hardware device (eg, controller 102 ). Hereinafter, method 700 will be explained with reference to the systems, components, devices, modules, circuits, firmware, software, signals, data structures, methods, etc. described in connection with FIGS. Those skilled in the art will appreciate that some or all of the operations of method 700 may be performed by or using elements other than those described below.

In operation 708, registers, devices, components, and controller 102 may be reset. The input/output interface 216 of the controller 102 may receive the reset signal 402 as part of the signal 122 . The reset signal 402 instructs the controller 102 to reset or initiate the physically non-clonable function 100 . The random number generator interface 202 can then send a reset or enable signal 404 to the SRAM 106 . The non-volatile memory interface 204 can reset or enable The activation signal 406 is sent to the one-time programmable 110. The controller 102 can also send a test signal 408 to the BIST 112 to test the functionality of other components.

In operation 712 , the built-in self-test 112 may then perform a self-test on the random number generator 104 and/or the one-time programmable 110 . The non-volatile memory 110 and random number generator 104 can return a response to the built-in self-test 112, which can indicate whether those components 104, 110 are functioning and functioning properly. This self-test information can then be sent back to the controller 102 .

In operation 716 , the controller 102 may then receive an optional status check signal 418 and then perform a status check on the one-time programmable 110 . A status check may be initiated by an input signal 418 received by the I/O interface 216 of the controller 102 . In other cases, the controller 102 may check the status without an input signal. The non-volatile memory interface 204 of the controller 102 can send a signal 420 to the one-time programmable device 110 to determine the status of the one-time programmable device 110 . The signal 420 reads the reserved bit 302 in the one-time programmable 110 to determine whether the reserved bit indicates that the one-time programmable 110 has been written into a random bit and locked.

Reserved bits may have a bit to indicate that the one-time programmable 110 has been written and/or locked. In another configuration, two or more bits may be set to indicate that the one-time programmable 110 has been written to and/or locked. For example, reserved bits may be read and analyzed by a majority vote of three or more bits to determine that the one-time programmable 110 has been written and/or locked. Then, the controller 102 can determine the state of the one-time programmable 110 based on the reserved bits. This state can be made by the input/output interface 216 is sent out as output signal 424 .

In operation 720 , the non-volatile memory initial write function 206 of the controller 102 may then power up the SRAM 106 of the random number generator 104 . Specifically, the NVM initial write function 206 enables or initializes the SRAM 106 . The initialization may provide a random first set of bits in the SRAM 106 based on the uniqueness of the SRAM 106 . In operation 724, the unique random bits may be read from the SRAM 106 by the initial write function 206 to the non-volatile memory. Next, in operation 728 , the read bits may be sent to the scrambler 108 where random bits from the SRAM 106 are scrambled. A bit folding circuit or a linear feedback shift register can scramble the bits so that the bits in the scrambler 108 are different from the bits read from the SRAM 106 . Next, in operation 732 , the scrambled bits may be stored in a register or memory of the scrambler 108 to be stored in the one-time programmable 110 .

In operation 736 , the random number generator 104 may write the scrambled bits to the one-time programmable 110 from the scratchpad having the scrambled bits. In some configurations, the one-time programmable 110 can receive only one bit per clock cycle. Thus, if the bit register in the scrambler 108 has more than one bit, the random number generator 104 can send one bit from the random number generator 104 to the one-time programmable 110 once per clock cycle. Yuan. The bits are written to the one-time programmable 110 until the bit-block has been written. At this point, the bit-block can be read from the one-time programmable 110 to verify Block 114.

In operation 740 , the verification block 114 may compare the block of bits sent from the one-time programmable 110 with the bits from the scratchpad of the scrambler 108 . The verification block 114 determines whether two bit-blocks are the same. If the blocks are not the same, a message 432 can be sent to the verify function 208 of the non-volatile memory of the controller 102, and the controller can then restart the process to write the block of bits to the one-time programmable 110 again . If the blocks are identical, a signal 432 indicating a positive comparison is sent to the verify function 208 of the non-volatile memory of the controller 102 and processing continues.

At this time, at operation 744 , the controller 102 may determine whether there are more random bits to store the one-time programmable 110 . If the OTP is not full and there are more bits to store, method 700 may proceed with YES to operation 720 to store the next block of bits. However, if the one-time programmable 110 has a complete set of random bits stored in the one-time programmable device 110, the method 700 may proceed to operation 748 with a "NO" where the controller 102 may lock the one-time programmable 110 . In operation 744 , there may be more random bits to be stored in the one-time programmable 110 . However, the size of the SRAM 106 may be smaller than the one-time programmable 110 , for example, the size of the one-time programmable 110 may be 16 kbit, while the size of the SRAM 106 may be 1 kbit. Under these circumstances, the SRAM 106 can be re-initialized by the controller 102 to restart the process of reading random bits. In this way, several iterations of initializing and reading bits from the SRAM 106 can be used for writing to the larger one-time programmable 110 . Therefore, method 700 Operation 720 is returned instead of operation 724 in several iterations, as shown in FIG. 5 .

In operation 748 , the non-volatile memory disable function 212 of the controller 102 can lock the one-time programmable device 110 by setting the reserved bit 302 in the one-time programmable device 110 . Thus, the shutdown function 212 of the non-volatile memory of the controller 102 prevents any further data storage within the one-time programmable memory 110 . At this point, the nonce stored in the one-time programmable 110 is stored in the field 306 as a set of possible keys 308 . Each random bit 306 may be associated with an address 304 . To obtain the key, one-time programmable 110 accepts an address that matches the address in field 304 . If the address information matches, the one-time programmable 110 can read the random bits associated with the received address, which sends the set of data as a key to the output register 118 .

FIG. 8 is a process flow diagram generally illustrating aspects of an exemplary method 800 for initiating a process with a physically non-clonable function 100 in accordance with aspects of the present disclosure. The general sequence of operations of method 800 is illustrated in FIG. 8 . Method 800 may include more or fewer operations or steps, or the order of operations or steps may be configured differently than shown in FIG. 8 . Method 800 may be performed as a set of computer-executable instructions executable by a processor of controller 102 such as physically non-clonable function 100 and encoded or stored on a computer-readable medium. Additionally, method 800 may be performed by gates or circuitry associated with a processor, application specific integrated circuit, field programmable gate array, system-on-chip, integrated circuit, or other hardware device (eg, controller 102 ). In the following, reference will be made to the Method 800 is explained in terms of systems, components, devices, modules, circuits, firmware, software, signals, data structures, methods, etc.; however, those skilled in the art will appreciate that some or all of the operations of method 800 may be implemented by or using Elements different from those described below are performed.

In operation 808, registers, devices, components, and controller 102 may be reset. The input/output interface 216 of the controller 102 can receive the reset signal 402 as part of the signal 122 . The reset signal 402 instructs the controller 102 to reset or initiate the physically non-clonable function 100 . The random number generator interface 202 can then send a reset or enable signal 404 to the SRAM 106 . The NVM interface 204 can send a reset or enable signal 406 to the one-time programmable 110 . The controller 102 may also send a test signal 408 to the BIST 112 to test the functionality of other components.

In operation 812 , the built-in self-test 112 may then perform a self-test on the random number generator 104 and/or the one-time programmable 110 . The non-volatile memory 110 and random number generator 104 can send a response back to the built-in self-test 112, which can indicate whether those components 104, 110 are functioning and functioning properly. This self-test information can then be sent back to the controller 102 .

In operation 816 , the controller 102 may then receive the optional status check signal 418 and then perform a status check on the one-time programmable 110 . A status check may be initiated by an input signal 418 received by the I/O interface 216 of the controller 102 . In other cases, the controller 102 may check the status without an input signal. The non-volatile memory interface 204 of the controller 102 can send a signal 420 to the one-time programmable 110 to The state of the one-time programmable 110 is determined. The signal 420 reads the reserved bit 302 in the one-time programmable 110 to determine whether the reserved bit indicates that the one-time programmable 110 has been written into a random bit and locked.

Reserved bits may have a bit to indicate that the one-time programmable 110 has been written and/or locked. In another configuration, two or more bits may be set to indicate that the one-time programmable 110 has been written to and/or locked. For example, reserved bits may be read and analyzed by a majority vote of three or more bits to determine that the one-time programmable 110 has been written and/or locked. In operation 820, the controller 102 may then determine the state of the one-time programmable 110 based on the reserved bits. This status can be sent out by the I/O interface 216 as an output signal 424 .

If the lock bit is set, the method 800 proceeds with YES to operation 824 , where the controller 102 can write the bit to the SRAM 106 . Here, after initialization, the SRAM 106 may contain a set of bits that are the same as or similar to those bits written or provided to the scrambler and then written to the one-time programmable 110 . To prevent these bits from being read and possibly allow an external device or function to determine the contents of the one-time programmable 110, the controller 102 may write the bits (eg, 1 and/or 0) to the SRAM 106 to change the content stored in the SRAM 106 . In this way, if the SRAM 106 is read, the content in the SRAM 106 will be different from the content used to establish the key in the one-time programmable 110 .

If it is determined that the lock bit is not set, then in operation 828, process 800 may proceed with NO to store the random bit in the one-time programmable 110 in. The storage of random bits in operation 828 may be similar to the process described in conjunction with FIG. 5 and FIG. 7 .

Thus, the disclosed embodiments provide, inter alia, a physically non-clonable function that can generate a unique signature from SRAM or random number generator. The signatures can be stored in non-volatile memory, where the signatures do not change due to changes in heat or lifetime of the integrated circuit. In previous SRAM-based devices, the signature in the SRAM may change with time and heat. In other past one-time programmable physically non-clonable functions, their previous physically non-clonable functions required external ports to store the bits in the one-time programmable. This external port to the physically non-clonable function is a security weakness of the physically non-clonable function because the port can be used to write to or read from the one-time programmable. In aspects herein, the SRAM inside the physically non-clonable function does not use external ports, and thus reduces or eliminates the risk of reprogramming. Furthermore, by utilizing components inside physically non-clonable functions, aspects of this paper do not need to provide foundry information about physically non-clonable functions. Even with the above differences, a physically non-clonable function device can have many challenge/response pairs because of the large number of bits stored in the one-time programmable.

Therefore, the physically non-clonable function device herein provides a reliable way to generate multiple signatures as challenge and response pairs for security functions. The physically non-reproducible functions herein have enough entropy (randomness) between each physically non-reproducible function to guarantee uniqueness. Finally, physically non-clonable functions prevent reprogramming attacks and "cold boot" attacks.

Aspects of the present disclosure include a method of generating a security key for an integrated circuit device, comprising: generating a plurality of key bits with a random number generator; storing the plurality of key bits in non-volatile memory body; and generate a security key according to the stored plurality of key bits.

In one embodiment, a method of generating a security key for an integrated circuit device, wherein the random number generator comprises a static random access memory, wherein after initialization of the static random access memory, The body reads the key bits. In an embodiment, a method of generating a security key for an integrated circuit device, wherein the random number generator further includes a scrambler for scrambling the key bits read from the SRAM . In an embodiment, a method of generating a security key for an integrated circuit device, wherein the scrambler is one of a bit folding circuit or a linear feedback shift register.

In one embodiment, a method of generating a security key for an integrated circuit device, wherein the non-volatile memory comprises a one-time programmable device. In an embodiment, a method of generating a security key for an integrated circuit device, wherein the key bits are stored in a one-time programmable device, and wherein the key bits represent two or more security keys . In an embodiment, a method of generating a security key for an integrated circuit device, wherein a one-time programmable OTP device receives an address and retrieves a security key associated with the address. In an embodiment, a method of generating a security key for an integrated circuit device, wherein an address is scrambled before providing it to a one-time programmable device. In one embodiment, a method of generating a security key for an integrated circuit device further includes receiving a key size indicator, and according to the key size indication character sets a key size for the security key. In one embodiment, the method of generating a security key for an integrated circuit device further includes outputting the security key in response to receiving the address. In one embodiment, a method of generating a security key for an integrated circuit device further includes locking the one-time programmable OTP device after storing the key bits, wherein the lock bit is set in the one-time programmable device to Indicates that the one-time programmable device is locked, wherein the one-time programmable device does not store additional bits after the lock bit is set. In one embodiment, the method of generating a security key for an integrated circuit device further includes determining whether a lock bit is set.

In one embodiment, a method of generating a security key for an integrated circuit device, wherein the random number generator comprises static random access memory, and the non-volatile memory comprises a one-time programmable device, wherein the static random access memory The access memory stores fewer bits than the one-time programmable device, and the SRAM is initialized two or more times to provide key bits to the one-time programmable device.

Another aspect of the disclosure includes an integrated circuit device having a physically non-clonable function generator for outputting two or more security keys, each security key comprising a plurality of key bits, wherein the physically non-clonable function generator comprises: static random access memory, which is read after initialization to provide one or more of the plurality of key bits; a one-time programmable device, It: stores bits read from an SRAM controller; and provides one of two or more security keys upon receipt of an address.

In one embodiment, an integrated circuit device wherein the physically non-reproducible The function generator further includes a scrambler, which scrambles the key bits read from the SRAM. In one embodiment, the integrated circuit device, wherein the scrambler is one of a bit folding circuit or a linear feedback shift register.

In one embodiment, the integrated circuit device, wherein the physical non-copyable function generator further includes an input address scrambler, the input address scrambler receives the input address and scrambles the input address to generate a The address of the programmable device.

In one embodiment, the integrated circuit device, wherein the physically non-clonable function generator further includes a controller for controlling functions of the static random access memory and the one-time programmable device; and an output register, wherein The controller further receives the key size indicator signal and sets an output register to store a number of bits according to the key size indicator signal for the security key.

Another aspect of the disclosure includes a system for generating security keys for an integrated circuit device, which may have a random number generator comprising: static random access memory, which after initialization is read to provide a number of bits; a linear feedback shift register, which scrambles a plurality of bits read from SRAM; an input address scrambler, which: receives an input address ; scrambling an input address into a scrambled address; providing a scrambled address; a one-time programmable) device in communication with a linear feedback shift register and an input address scrambler, which: stores from a linear Feedback scrambled bits provided by shift register; associating scrambled bits with addresses; receiving scrambled addresses from input address scrambler; an associated address that matches the scrambled address; reads the scrambled bits having an address that matches the scrambled address; provides the scrambled bits as a security key; and the one-time An output register for programmable device communication, the output register: receives a security key from the one-time programmable device; and outputs the security key.

In one embodiment, a system for generating a security key for an integrated circuit device, further comprising a controller that controls functions of the SRAM and the one-time programmable device; receives a key size indicator signal; and The output register is set to store a number of bits according to the key size indicator signal for the security key.

The foregoing outlines features of several examples so that those skilled in the art may better understand aspects of the disclosure. Those skilled in the art will appreciate that this disclosure may be readily utilized as a basis for designing or modifying other processes and structures to achieve the same purposes and/or achieve the same advantages as the examples presented herein. Those skilled in the art should also realize that such equivalent constructions do not depart from the spirit and scope of the present disclosure, and that they can make various changes, substitutions and alterations herein without departing from the spirit and scope of the present disclosure.

100: Physically non-clonable function devices/generators (physically non-clonable function circuits, physically non-clonable functions, integrated circuit devices, authentication circuits)

102: Controller

104: random number generator

106: Static Random Access Memory Array (SRAM)

108: Scrambler

110: Non-volatile memory (memory, processing memory, one-time programmable, one-time programmable device, antifuse one-time programmable, component)

112:Built-in self-test

114: Verification component (verification block)

116: Input port (input address block)

118: output register

120: output port (output)

122: signal (input signal)

124: request (input challenge signal, address, signal)

126: signal (output signal, output ready signal)

128: Signal (output signal, output)

Claims (10)

A method for generating a security key for an integrated circuit device, comprising the following steps: a random number generator generates a plurality of key bits; a non-volatile memory stores the key bits, the non-volatile The non-volatile memory includes a one-time programmable device; a physical non-copyable function generator generates the security key according to the key bits stored in the non-volatile memory; and the physical non-copyable function generator is in locking the one-time programmable device after storing the key bits, wherein a lock bit is set in the one-time programmable device to indicate that the one-time programmable device is locked, wherein after setting the lock bit, The one-time programmable device does not store extra bits. The method as recited in claim 1, wherein the random number generator comprises a static random access memory, wherein after initializing the static random access memory, the keys are read from the static random access memory bit, wherein the random number generator further includes a scrambler, which scrambles the key bits read from the static random access memory, and the scrambler is a bit folding circuit or One of the linear feedback shift registers. The method of claim 1, wherein the one-time programmable device receives an address and retrieves the security key associated with the address. The method of claim 1, wherein the key bits are stored in the one-time programmable device, and wherein the key bits represent two or more security keys. The method of claim 1, wherein the one-time programmable device receives an address, and retrieves the security key associated with the address, before providing the address to the one-time programmable device scrambling it, the method further comprising the steps of: receiving a key size indicator; setting a key size of the security key according to the key size indicator; and outputting the security key. The method as claimed in claim 1, further comprising the following steps: the physically non-copyable function generator determines whether to set the lock bit. The method as described in claim 1, wherein the random number generator comprises a static random access memory, and the non-volatile memory comprises a one-time programmable device, wherein the static random access memory is more than the one-time The one-time programmable device stores few bits, and the SRAM is initialized two or more times to provide the key bits to the one-time programmable device. An integrated circuit device comprising: a physically non-clonable function generator outputting two or more security keys, each of the security keys comprising a plurality of key bits, wherein the physically non-clonable function generator comprising: a static random access memory which is read after initialization to provide one or more of the key bits; a one-time programmable device which: stores from the static random access memory The key bits read by the body; and after receiving an address, provide one of two or more of the security keys according to the key bits; a scrambler whose scrambling the key bits read from the SRAM, wherein the scrambler is one of a bit folding circuit or a linear feedback shift register; an input bit an address scrambler that receives an input address and scrambles the input address to generate the address provided to the one-time programmable device; a controller for controlling the SRAM and functions of the one-time programmable device; and an output register, wherein the controller further receives a key size indicator signal, and according to the key size used for the security key The indicator signal sets the output register to store a number of bits. A system for generating a security key for an integrated circuit device comprising: a random number generator comprising: a static random access memory which is read after initialization to provide a plurality of bits and a linear feedback shift register that scrambles the bits read from the SRAM into a plurality of scrambled key bits; an input address scrambler, which: receives an input address; scrambles the input address into a scrambled address; and provides the scrambled address; a one-time programmable device in conjunction with the linear feedback shift register and The input address scrambler communicates to: store the scrambled key bits provided from the linear feedback shift register; associate the scrambled key bits with an address; The input address scrambler receives the scrambled address; determines the address associated with the scrambled key bits, the address matches the scrambled address; reads the scrambled key bits of the address matched by the scrambled address; and providing the scrambled key bits as the security key; and an output register which is associated with the primary programmable device communication, the output register: receiving the security key from the one-time programmable device; and outputting the security key. The system as recited in claim 9, further comprising: a controller that: controls functions of the SRAM and the one-time programmable device; receives a key size indicator signal; and sets the output temporary The memory stores a number of bits according to the key size indicator signal for the security key.

Images