WO2018174112A1 - Technology for authenticating device on network - Google Patents
- Publication number
 - WO2018174112A1 (PCT/JP2018/011231)
 - Authority
 - WO
 - WIPO (PCT)
 - Prior art keywords
 - client
 - public key
 - block
 - hash
 - logical
 - Prior art date
 - Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
 - Ceased
 
Classifications
- G—PHYSICS
 - G06—COMPUTING OR CALCULATING; COUNTING
 - G06F—ELECTRIC DIGITAL DATA PROCESSING
 - G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
 - G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
 - G06F21/71—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
 - G06F21/73—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information by creating or determining hardware identification, e.g. serial numbers
 
- G—PHYSICS
 - G09—EDUCATION; CRYPTOGRAPHY; DISPLAY; ADVERTISING; SEALS
 - G09C—CIPHERING OR DECIPHERING APPARATUS FOR CRYPTOGRAPHIC OR OTHER PURPOSES INVOLVING THE NEED FOR SECRECY
 - G09C1/00—Apparatus or methods whereby a given sequence of signs, e.g. an intelligible text, is transformed into an unintelligible sequence of signs by transposing the signs or groups of signs or by replacing them by others according to a predetermined system
 
- H—ELECTRICITY
 - H04—ELECTRIC COMMUNICATION TECHNIQUE
 - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
 - H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
 - H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
 
- H—ELECTRICITY
 - H04—ELECTRIC COMMUNICATION TECHNIQUE
 - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
 - H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
 - H04L9/10—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols with particular housing, physical features or manual controls
 
- H—ELECTRICITY
 - H04—ELECTRIC COMMUNICATION TECHNIQUE
 - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
 - H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
 - H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
 
 
Definitions
- The present invention relates to a technique for authenticating a device existing on a network.
 - CS: client/server
 - Core node: central node
 - P2P: peer-to-peer
 - A network generally consists of nodes and communication lines (links).
 - The first node and the second node are linked by a signal transmission path that is a communication line.
 - A first node and a second node exchange protocol data units (PDUs), which are a form of data, via a signal transmission path.
 - Each of the first node and the second node handles a protocol data unit according to a protocol having a certain consistency.
 - These first and second nodes are devices (hardware) that connect to the network and have physical reality, so they are called physical nodes.
 - The first physical node and the second physical node are connected by a signal transmission path having physical reality.
 - Such a signal transmission path transmits a wired or wireless electronic signal or an optical signal.
 - A network constructed by a plurality of physical nodes and signal transmission paths in this way is called a physical network.
 - An address used for recognizing a physical node on a physical network is called a physical address. That is, the first physical node has a first physical address, and the second physical node has a second physical address.
 - Sending data from the first physical node to the second physical node means that data (in this case, a frame) is transmitted from the first physical address to the second physical address through a signal transmission path having physical reality.
 - A logical node is a node associated with a logical address virtually defined on the network, and is not necessarily associated with specific hardware.
 - A network constructed by a plurality of logical nodes is called a logical network. At this time, the signal transmission path connecting the first logical node and the second logical node does not necessarily have a physical reality.
 - An address used to recognize a logical node on the logical network is called a logical address. That is, sending data from the first logical node to the second logical node is interpreted as sending data from the first logical address to the second logical address.
 - The first logical address and the second logical address are sequentially attached to the transferred data as codes. Therefore, when the transfer is repeated, a list of a plurality of logical addresses is attached to the data. This list of logical addresses includes the latest logical address of this data and the past transfer history. In this way, all logical nodes accessing this data can know where and how this data has been transferred and in which virtual node it is currently defined.
 - Data to which a transfer history including the latest logical address is attached is called a block or a logical block. As long as the transfer history is not falsified, the logical block can be properly recognized by the latest logical address.
 - Blockchain is a public ledger system in a peer-to-peer (P2P) network.
 - All nodes connecting to the network are non-core and equal, and they must secure one another by monitoring each other. That is, it is possible to provide an application that cannot be realized in a client-server network assuming the existence of a core server.
 - Bitcoin cryptocurrency remittance system
 - The processing means is not left to financial institutions.
 - The updated and forwarded processing history is monitored by many other non-core nodes on the network and certified in a manner similar to majority voting.
 - Transfer of process history is synonymous with transfer of currency, and an authorized process history is treated like currency. In this way, processing proceeds without going through a specific core like a bank.
 - The ciphers used for electronic signatures that flow on the network are most simply described in terms of public key cryptography, famous for the metaphor of Alice and Bob.
 - Alice sends Bob her public key in advance. This public key may be stolen by someone on the net.
 - Bob encrypts the letter with Alice's public key and sends it to Alice.
 - The public key may be exposed on the network. Therefore, Bob is not the only one to whom Alice's public key is delivered. However, unless the cipher is broken, only Alice, who owns the private key, can decrypt and read a letter encrypted with the public key.
 - The public key and private key are always generated as a pair, but it must be practically impossible to reproduce the private key from the public key. In other words, breaking the cipher means reproducing the secret key from the public key.
 - A letter encrypted with a private key can also be decrypted with a public key.
 - Another important role of the public key is to become the destination for sending letters to Alice, i.e., the address on Alice's network.
 - When Bob sends an encrypted letter onto the network, it can fall into the hands of any recipient connected to the network. A recipient who cannot decrypt it cannot read it, and a letter that cannot be read can be regarded as not having been received. Therefore, the fact that only Alice can decrypt it is equivalent to it reaching only Alice.
 - Another role of the public key is a logical address on the network. Therefore, the public key used in Bitcoin is also called a Bitcoin address.
 - A logical node is a wallet that stores cryptocurrencies such as Bitcoin, and a logical address is assigned in advance.
 - The contents of the wallet contain something with some monetary value (data on currency and equivalent coins, etc.).
 - The address and the contents of the wallet can be attached to the wallet as an electronic signature.
 - Such a wallet can be used by installing a dedicated application on hardware such as a personal computer, a tablet, a smartphone, or a smart card. At that time, the contents of the wallet are stored as digital data in the hardware storage in which the dedicated application is installed.
 - In digital processing based on P2P, the hardware manager/owner must take responsibility for managing digital data. This point is different from the client/server type. In the client-server type, financial institutions take responsibility. Electronic processing with P2P does not require the existence of a financial institution having such a core function.
 - FIG. 1 shows a chain of processing (N-2, N-1), processing (N-1, N), processing (N, N + 1), ...
 - Processing (N-2, N-1) is some processing from wallet (N-2) to wallet (N-1).
 - Processing (N-1, N) is some processing from wallet (N-1) to wallet (N).
 - Processing (N, N + 1) is some processing from wallet (N) to wallet (N + 1).
 - N is an arbitrary natural number of 3 or more.
 - The wallet (N-1) contains wallet contents of 1,000 yen, its digital signature, the private key (N-1) used to create the next digital signature, and a unique public key (N-1) that forms a pair with it.
 - The public key (N-1) is an address on the network of the wallet (N-1). A Bitcoin address is one example.
 - The hash value (N-1) is generated from the public key (N-1), the contents of the wallet (N-1), and the digital signature (N-2) using a hash function (SHA-256 as an example).
 - This hash value (N-1) is sent to the wallet (N), and the wallet (N) stores it as the contents of the wallet (N).
 - The public key (N) as the address of the wallet (N) and the hash value (N-1) as the contents are encrypted together using the private key (N-1) of the transfer source, and an electronic signature (N-1) is generated and transferred to the wallet (N) together with the hash value (N-1).
 - The wallet (N) thus consists of the hash value (N-1), the electronic signature (N-1), and the pair of public key (N) and private key (N) unique to the wallet (N). This completes the process of transferring 1000 yen from the wallet (N-1) to the wallet (N).
 - The hash value (N-1) should contain information that this 1000 yen came from the wallet (N-1). However, since a hash cannot be reversely converted unlike a cipher, the hash value (N-1) cannot be inverted and read. Therefore, an electronic signature (N-1) is attached. This electronic signature (N-1) is obtained by encrypting a public key (N) and a hash value (N-1) together using a secret key (N-1). Therefore, in order to confirm whether or not this electronic signature really came from the wallet (N-1), the digital signature (N-1) is decrypted with the public key (N-1) and the result is compared with the public key (N) and hash value (N-1) stored in the wallet (N).
 - If they match, the digital signature is certainly signed with the private key (N-1). If they do not match, the electronic signature is false. Alternatively, if it coincides with the result of decryption with another public key, for example, the public key (Q), it can be understood that the wallet (Q) having the public key (Q) as an address has illegally processed.
 - Subsequently, the hash value (N) is generated from the public key (N), the contents of the wallet (N) (in this case, the hash value (N-1)), and the electronic signature (N-1) using a hash function (SHA-256 as an example).
 - The wallet (N) transmits this hash value (N) to the wallet (N + 1), and the wallet (N + 1) stores it as the contents of the wallet (N + 1).
 - The wallet (N) uses the private key (N) to encrypt the public key (N + 1), which is the address of the wallet (N + 1), together with this hash value (N), and an electronic signature (N) is generated. Subsequently, the electronic signature (N) is sent to the wallet (N + 1) together with the hash value (N).
 - The contents (N-1, N) from the wallet (N-1) to the wallet (N) are recorded as the hash value (N-1) in the contents of the wallet (N).
 - The contents (N, N + 1) from the wallet (N) to the wallet (N + 1) are recorded as the hash value (N) in the contents of the wallet (N + 1).
 - The contents of an arbitrary wallet include all past processing histories in a chain. That is, the latest past hash value represents all past histories.
 - The number of wallets to be transferred to one wallet is not limited to one as in the example of FIG. In fact, money is often transferred from multiple wallets to a single wallet. There are also many cases where money is transferred from one wallet to multiple wallets.
 - As shown in FIG. 2, it is like a tree diagram that branches off from the Merkle root. This is called the Merkle tree diagram. In this way, the Merkle tree is a collection of all past histories arranged in chronological order. That is, this corresponds to the logical block described above.
 - The Merkle root, which is the latest history, is a code characterizing the logical block.
 - The hash value (ABCD), which is the Merkle root, is connected to the history corresponding to the hash value (AB) and the hash value (CD).
 - The hash value (AB) is further connected to the past history corresponding to the hash value (A) and the hash value (B), that is, the process (A) and the process (B).
 - The hash value (CD) is further linked to the past history corresponding to the hash value (C) and the hash value (D), that is, the process (C) and the process (D), respectively.
 - The public key (N-2) of the wallet (N-2) including the hash value (N-3) can also be searched by the same method. By repeating this operation, the processing history can be traced back.
 - M and N are arbitrary natural numbers.
 - The time stamp confirms that there is a collection of past processes represented by the Merkle root (in the above example, hash value (ABCD)).
 - The logical block thus approved is released on the network. Therefore, this is called a public ledger.
 - This approval is work similar to date certification, in which a document is brought to a notary public office and stamped with a date.
 - Approving a collection of unapproved processes as a new logical block is called “book entry”, and a person who has made the entry is given a certain reward in Bitcoin as compensation for the approval work.
 - Obtaining Bitcoin in this way is called mining, and a person who mines Bitcoin is called a miner. However, since only one miner can make the entry at a time, miners compete to mine first.
 - The mined Bitcoin is distributed in the market on the logical network.
 - This approval work will be briefly described with reference to FIG.
 - A collection of unapproved processes existing on the network is found, and the Merkle root (hash value) of the collection is acquired.
 - A variable nonce value is added to these two hash values, and they are further hashed to create a block hash.
 - SHA-256 is used as a hash function in Bitcoin.
 - The nonce value is generally an arbitrary value of 32 bits.
 - A hash value (block hash here) generated including the nonce value is a 256-bit value. 2 to the 256th power is larger than 10 to the 77th power, and it can be seen that the block hash has a huge degree of freedom. Adjusting the nonce value can zero out the first few bits of the block hash. As an example, the probability that the first 16 bits of a newly generated block hash are all zero is 1/2^16, that is, 1/65,536. That is, it can hardly happen by chance.
 - The hash function is irreversible. Accordingly, it is generally impossible to obtain a nonce value by inverse transformation so as to generate a hash value (here, a block hash) in which the first few bits (16 bits in this example) are zero. In other words, it is necessary to repeat hashing while changing the nonce value until the first few bits of the generated hash value are all zero.
 - a hash value here, a block hash
 - A certain amount of computing power or more is indispensable for determining a nonce value that generates a block hash in which the first 16 bits are all zero.
 - The reliability of currency is the reliability of past processing history.
 - Blockchain guarantees its reliability. The longer the blockchain extends, the more difficult it is to tamper with. For example, when data of a part of a logical block is rewritten, the connection condition with the logical block connected to it (the first few bits of the block hash are all zero) is no longer satisfied. Therefore, the nonce value of the logical block must be corrected so that this condition is satisfied. As described above, since the hash function is irreversible, this requires a corresponding amount of computation. However, when the nonce value of the logical block is adjusted, the nonce value of the subsequent logical block must also be adjusted.
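The approval work and connection condition described above, as an added example that is not part of the patent text: it builds the Merkle root of four constructed processes, searches for a 32-bit nonce that zeroes the first 16 bits of the block hash, and checks what happens to that condition when one process is altered. The byte layout of the hashed data, the use of a single SHA-256 pass, and all names are assumptions of this example.

```python
import hashlib

DIFFICULTY_BITS = 16  # the page's example: first 16 bits of the block hash are zero


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def merkle_root(processes):
    """Hash leaves pairwise up to one root: A,B,C,D -> AB,CD -> ABCD."""
    level = [sha256(p) for p in processes]
    while len(level) > 1:
        if len(level) % 2:           # odd count: repeat the last hash (assumed convention)
            level.append(level[-1])
        level = [sha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


def block_hash(prev_hash: bytes, root: bytes, nonce: int) -> bytes:
    """Hash the previous block hash, the Merkle root and a 32-bit nonce together."""
    return sha256(prev_hash + root + nonce.to_bytes(4, "big"))


def meets_condition(digest: bytes, bits: int = DIFFICULTY_BITS) -> bool:
    """Connection condition: the first `bits` bits of the digest are all zero."""
    return int.from_bytes(digest, "big") >> (256 - bits) == 0


def mine(prev_hash: bytes, root: bytes, bits: int = DIFFICULTY_BITS) -> int:
    """Try nonces in order; the hash cannot be inverted, so search is the only way."""
    for nonce in range(2 ** 32):
        if meets_condition(block_hash(prev_hash, root, nonce), bits):
            return nonce
    raise RuntimeError("no 32-bit nonce satisfies the condition")


# Constructed sample data, not taken from any real chain.
PREV_HASH = sha256(b"constructed previous block")
PROCESSES = [b"process A", b"process B", b"process C", b"process D"]


def tamper_check():
    """Mine a block, then alter process C and re-test the stored nonce."""
    root = merkle_root(PROCESSES)
    nonce = mine(PREV_HASH, root)
    altered = list(PROCESSES)
    altered[2] = b"process C (altered)"
    altered_root = merkle_root(altered)
    return {
        "nonce": nonce,
        "original_valid": meets_condition(block_hash(PREV_HASH, root, nonce)),
        "root_changed": altered_root != root,
        # With 16 bits of difficulty this holds by chance only once in 65,536 alterations.
        "altered_valid_with_old_nonce": meets_condition(
            block_hash(PREV_HASH, altered_root, nonce)
        ),
    }


if __name__ == "__main__":
    print(tamper_check())
```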
 - The fraudulent chain may become longer than the regular chain when the fraudulent side's computing power outweighs the computing power distributed among the other miners around the world. This is called a “51% attack”.
 - The powers that would be attacked will need to join the blockchain. If multiple nations participate and no one can mount a 51% attack, the problem will disappear. In this way, the blockchain is P2P, but it will also have an aspect of international information and communication infrastructure.
 - The secret key is a product of software and has nothing to do with physical reality.
 - Software is designed to function when installed on any hardware designed and manufactured according to the same standard. In other words, it is required to behave in the same way regardless of differences in individual physical reality. Therefore, it has nothing to do with physical reality.
 - The IoT network is composed of a myriad of hardware and the wired or wireless signal transmission paths that connect them to exchange electronic data. Here lies both the reason for associating the private key with physical reality and one hint.
 - The public key and the physical address are linked by some method that cannot be falsified.
 - The physical address required here must be non-rewritable, unlike the MAC address. (Physical address that cannot be rewritten)
 - The method for realizing it may be any software technology, network technology, or hardware technology. In any case, it suffices to be able to relate to a chip that has some form of physical reality by software technology, network technology, hardware technology, or some combination of these technologies.
 - FIG. 4 is a diagram for explaining the relationship between a physical network in which hardware having a non-rewritable physical address participates and a logical network utilizing a public ledger.
 - The hardware is a physical node because it has a physical reality and becomes a node constituting a physical network.
 - The preset physical address is linked one-to-one with the secret key by some method.
 - A logical node whose logical address is a public key that forms a pair with the secret key by public key cryptography is paired with the physical node or hardware corresponding thereto.
 - The hash value (N-1) that is the contents of the wallet (N) is obtained by hashing together the hash value (N-2) that is the contents of the wallet (N-1), the public key (N-1) that is the logical address, and the electronic signature (N-2).
 - The public key (N-1) is hashed into a hash value (N-1) together with a hash value (N-2) and an electronic signature (N-2). Therefore, alteration of the public key (N-1) is also alteration of the hash value (N-1).
 - The hash value (N-1) is not necessarily the latest hash value, that is, the Merkle root. However, tampering with the Merkle tree, that is, with part of a logical block, amounts to tampering with the Merkle root.
 - The block hash (N) constituting the contents of the logical block (N + 1) is a hashed form of the entire logical block (N).
 - The logical block (N) contains the Merkle root. Assuming that this Merkle root is altered as described above, the connection condition between the logical block (N) and the logical block (N + 1) is broken. Therefore, it is necessary to readjust the nonce value of the logical block (N) to recover the connection condition. For example, the nonce value of the logical block (N) must be recalculated so that the first 16 bits of the block hash (N + 1) are all zero again.
 - Since the hash function is irreversible, this calculation requires a certain level of computing capability.
 - A method of generating a public key that makes a pair with the private key will be described.
 - One method uses an RSA-type key generation device, which generates a private key and a public key that form a pair with each other from a certain input; another uses an ElGamal-type key generation device, which takes the private key as input and generates the public key that forms a pair with it. In any case, it is at least very difficult to reproduce the secret key from the public key.
 - These key generation devices may be a kind of program recorded in a memory, or may be an embedded circuit mounted on a semiconductor chip.
 - Rivest-Shamir-Adleman (reference): Rivest, Ronald L.; Shamir, Adi; Adleman, Len M. (1977-07-04), “A Method for Obtaining Digital Signatures and Public-Key Cryptosystems”, MIT-LCS-TM-082 (MIT Laboratory for Computer Science).
 - An appropriate non-negative integer e is prepared. Usually, 2 to the 16th power plus 1 is adopted, but other positive natural numbers can be adopted.
 - {e, n} is a public key.
 - A secret integer d is obtained by taking a positive integer that leaves a remainder of 1 when divided by the product of (p-1) and (q-1), and further dividing it by e.
 - If {p, q} is known in addition to {e, n}, d can be obtained by calculation.
 - {p, q} must be discarded or not leaked to the outside. If the set of prime numbers {p, q} is stored so as not to leak to the outside, it can be considered that the set {d, p, q} is a secret key.
 - A positive integer e can be generated by adding 1 to the physical address represented as a code.
 - It is also possible to generate the prime numbers {p, q} from the physical address.
 - 1 is added to the physical address represented as a code, and the result is checked to see whether it is a prime number. If it is a prime number, let p be that prime number. If it is not a prime number, add 1 again and check whether the result is a prime number. This is repeated to determine the prime number p. After determining the prime number p, the same procedure is repeated to determine the prime number q.
 - The prime numbers {p, q} can be obtained.
 - Another example of how to determine the prime number q is to add 2 to the physical address and check whether the result is a prime number. If it is a prime number, let that prime number be q. If it is not a prime number, add 2 again and check whether the result is a prime number. The prime number q is determined by repeating this.
 - The number added to the physical address to obtain the prime number p or q is not limited to 1 or 2; an arbitrary integer (for example, k) can be adopted.
 - k can be a security parameter.
 - Both p and q are sufficiently large prime numbers, and the selection of the security parameter k becomes more diverse.
 - The method of synthesizing the physical address represented as a code and k can use any of the four arithmetic operations (addition, subtraction, multiplication, and division), any combination of them, or any bit operation.
 - N physical address
 - k is sufficiently large as a numerical value
 - p is a sufficiently large prime number.
 - k may be an internal input or an external input.
 - A method for obtaining a prime number p or q from a physical address includes, as an example, a synthesis step for synthesizing a physical address and an appropriately given variable, and a determination step for determining whether or not the synthesized number is a prime number. The synthesis step and the determination step are repeated until a prime number is actually obtained. See FIG.
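The synthesis and determination loop described above, carried through to an RSA key pair, as an added example that is not code from the patent. The 48-bit sample address is constructed, and three points are assumptions of this example: the search for q continues from p, primes whose p-1 shares a factor with e are skipped so that d exists, and the determination step uses Miller-Rabin.

```python
from math import gcd

# Fixed Miller-Rabin bases; with these the test is deterministic for n < 3.3e24,
# which covers every candidate reachable from a 48-bit address.
_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n: int) -> bool:
    """Determination step: decide whether the synthesized number is prime."""
    if n < 2:
        return False
    for b in _BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in _BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def next_prime(start: int, k: int) -> int:
    """Synthesis step (add k) and determination step, repeated until a prime is found."""
    if start < 1 or k < 1:
        raise ValueError("address and k must be positive integers")
    if gcd(start, k) != 1:
        # Every candidate start + j*k is a multiple of gcd(start, k), so the loop
        # would never end (for instance, an even address with k = 2).
        raise ValueError("address and k share a factor; no prime is reachable")
    candidate = start + k
    while not is_prime(candidate):
        candidate += k
    return candidate


def rsa_prime(start: int, k: int, e: int) -> int:
    """Next reachable prime p with gcd(e, p - 1) == 1."""
    p = next_prime(start, k)
    while gcd(e, p - 1) != 1:
        p = next_prime(p, k)
    return p


def rsa_key_from_address(address: int, k: int = 1, e: int = 65537):
    """Derive {e, n} and {d, p, q} from a physical address and the parameter k."""
    p = rsa_prime(address, k, e)
    q = rsa_prime(p, k, e)            # assumption: the same procedure continues from p
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)               # e*d leaves remainder 1 when divided by (p-1)(q-1)
    # The derivation is deterministic: the same address and k always reproduce
    # {d, p, q}, and p and q lie close together, so secrecy rests on k and the address.
    return {"public": (e, n), "secret": (d, p, q)}


ADDRESS = 0x001A2B3C4D5E  # constructed 48-bit physical address (an even number)

if __name__ == "__main__":
    key = rsa_key_from_address(ADDRESS)
    print("public key {e, n}:", key["public"])
```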
 - A large prime number p and its primitive root g are determined.
 - The prime number p and the primitive root g can be selected according to design specifications.
 - A non-negative integer x smaller than p-1 is randomly selected as a secret key.
 - The remainder obtained by dividing the x-th power of the primitive root g by p is set as a public key.
 - The physical address and the secret key can be linked.
 - The secret address may be a physical address represented by a code, or a remainder obtained by adding an integer of 1 or more to the physical address and dividing by p-1.
 - The difference is whether to generate a public key from a secret key, or to generate a public key and a secret key from different input variables. There are also differences in the algebraic problems used for variable transformation, for example, prime factorization, the discrete logarithm problem, the random oracle assumption, and the elliptic curve problem. (System integration)
 - Since the physical address of the replacement hardware is different from that of the failed hardware, the physical address is also replaced. This is the same as falsifying the physical address. In this way, the logical blocks constituting the blockchain are falsified. As a result, the logical block connection condition cannot be satisfied, and the blockchain is also destroyed.
 - SSDs are hardware and cannot escape mechanical failure. No matter how reliable they are and how low the failure frequency is, the number of SSDs is enormous, so SSDs must be replaced on a daily basis for maintenance and inspection. Due to the nature of the blockchain, if even one SSD is replaced, the blockchain will be destroyed. This makes it difficult to protect large systems from malicious hackers using blockchain. Even if the information necessary for preventing the blockchain from being broken can be extracted from the failed hardware, it takes time and labor to actually extract such information, which is not economical.
 - The present invention has been made in view of the above circumstances. Its purpose is to provide a network management technology in which a logical block is not tampered with even when hardware that is one of the components is replaced, and to build a secure intranet using a blockchain at low cost.
 - The present invention employs the following means in order to solve the above problems.
 - The server has an input/output interface for exchanging data with each client. Each of the plurality of clients has a unique physical address and sends the physical address to the server through the input/output interface.
 - The server further includes a key generation device and a synthesis device. The key generation device and the synthesis device generate a secret key and a public key corresponding to each client from the physical address. The secret key and the public key are each passed to the corresponding client.
 - The server generates an authentication variable consisting of a combination of the physical address, the secret key, and the public key for each of the plurality of clients, collects the authentication variables corresponding to the plurality of clients, and records them in a private ledger.
 - The plurality of clients include a first client, a second client, and a third client different from each other,
 - the key generation device generates a first public key from a first secret key corresponding to the first client;
 - the synthesizing device generates a second secret key corresponding to the second client from the first public key and a second physical address corresponding to the second client;
 - the key generation device generates a second public key corresponding to the second client from the second secret key,
 - the synthesizing device generates a third secret key corresponding to the third client from the second public key and a third physical address corresponding to the third client,
 - the key generation device generates a third public key from the third secret key;
 - the first public key and the first secret key form a pair with each other,
 - the second public key and the second secret key form a pair with each other,
 - the third public key and the third secret key form a pair with each other.
 - The second client is replaced by a fourth client having a fourth physical address;
 - the fourth physical address is transmitted to the server through the input/output interface;
 - the authentication variable corresponding to the second client is replaced with a combination including the fourth physical address, the second secret key, and the second public key,
 - the fourth client is passed the second secret key and the second public key from the server, and is passed the second hash value and the second electronic signature from the first client.
 - the attached third logical block is connected to form part or all of the blockchain,
 - the first time stamp is at least a part of a record of a public ledger that collectively approves the first logical block, a first block hash, and a first nonce value;
 - the second time stamp is at least part of a record of a public ledger that collectively approves the second logical block, a second block hash, and a second nonce value;
 - the third time stamp is at least part of a record of a public ledger that collectively approves the third logical block, a third block hash, and a third nonce value;
 - the first block hash is generated by hashing the second block, the second block hash, and the second nonce value together,
 - the second block hash is generated by hashing the
 - a plurality of physical nodes constitute a system regardless of the size.
 - Each of the plurality of physical nodes is a kind of hardware, and functions as a system while exchanging data with each other via a signal transmission path.
 - a plurality of physical nodes constituting such a large-scale system can be broadly classified into a core node in charge of core functions and peripheral nodes in charge of some functions in cooperation with the core nodes.
 - the network structure is a client-server type, and therefore, the core node will be referred to as a server and the peripheral nodes as clients.
 - the client is an SSD as an example. If the system is an SSD, the client is NAND flash as an example and the server is the controller. When the system is a controller, the server is an arithmetic processing unit, and the client is a cache memory or the like.
 - FIG. 6 shows the client (N-1), the client (N), and the client (N+1) before being incorporated into the system.
 - a physical address (N-1), a physical address (N), and a physical address (N + 1) are respectively assigned.
 - N is a natural number of 2 or more.
 - FIG. 7 shows a method for authenticating and registering these clients in the server. Incorporating the client into the system for the first time is called initial setting, and resetting authentication registration for maintenance and management is called resetting.
 - the server assigns an input/output interface (I/F) corresponding to each client. Each client transmits a physical address (N-1), a physical address (N), and a physical address (N+1) to the server via the I/F.
 - the server uses the physical address (N) received from each client and generates a secret key (N) by an appropriate method.
 - the server further includes a key generation device, and the key generation device generates a public key (N) from the secret key (N) in accordance with an El Gamal type encryption key generation method.
 - the secret key (N) and the public key (N) form a pair. A specific description will be given below in order.
 - N 2
 - the secret key (1) is generated from the physical address (1).
 - the key generation device generates a public key (1) from the secret key (1).
 - the private key (1) and the public key (1) are passed to the client (1).
 - a combination of (physical address (1), secret key (1), public key (1)) is formed in the client (1).
 - a combination of (physical address (1), secret key (1), public key (1)) corresponding to client (1) remains in the server.
 - This combination is called an authentication variable and is registered in the ledger in the server. Since this ledger is kept private and is not disclosed outside the server, it can be called a private ledger.
 - the server further includes a synthesizer.
 - This synthesizing device synthesizes the public key (1) and the physical address (2), and generates a secret key (2) from the synthesis result.
 - the key generation device generates a public key (2) from the secret key (2).
 - the private key (2) and the public key (2) are passed to the client (2).
 - a combination of (physical address (2), secret key (2), public key (2)) is formed in the client (2).
 - the authentication variables (physical address (2), secret key (2), public key (2)) corresponding to the client (2) remain in the server and are registered in the private ledger in the server.
 - the synthesizing device synthesizes the physical address (N) and the public key (N-1), and generates a secret key (N) from the synthesis result.
 - the key generation device generates a public key (N) from the secret key (N). Pass the private key (N) and public key (N) to the client (N).
 - a combination of (physical address (N), secret key (N), public key (N)) is formed in the client (N).
 - the authentication variables (physical address (N), secret key (N), and public key (N)) corresponding to the client (N) remain in the server and are registered in the private ledger in the server.
 - a specific method for generating a secret key by the synthesizing apparatus will be described.
 - a large prime number p is prepared by an appropriate method.
 - a combination of the physical address (N) and the public key (N-1) is hashed, the result of the synthesis is divided by p-1, and the remainder is used as the secret key (N).
 - the combining device combines the physical address and the public key. For example, addition, subtraction, multiplication, division, a combination of these arithmetic operations, a logical operation, or any other bit operation can be used.
 - a set of (physical address (N), secret key (N), and public key (N)) is stored in the client (N).
 - This private ledger is stored and managed by the server, and is not disclosed to the outside in order to enhance safety.
 - FIG. 8 shows a method of forming logical blocks by connecting clients after initial setting and resetting by hashing.
 - the logical block generation method is the same as that of Bitcoin. That is, the combination of the public key (N-1), hash value (N-2) and digital signature (N-2) of the client (N-1) corresponds to the Bitcoin wallet (N-1). In this application, it is a logical node (N-1). This logical node (N-1) is hashed to generate a hash value (N-1). Subsequently, the hash value (N-1) and the public key (N) of the client (N) are collectively encrypted with the secret key (N-1) to generate an electronic signature (N-1).
 - the client (N-1) sends both the hash value (N-1) and the electronic signature (N-1) to the client (N).
 - a logical node (N) is formed from the public key (N), the hash value (N-1), and the electronic signature (N-1).
 - the logical node (N) is hashed to generate a hash value (N).
 - the hash value (N) and the public key (N + 1) of the client (N + 1) are collectively encrypted with the secret key (N) to generate an electronic signature (N).
 - the client (N) sends both the hash value (N) and the electronic signature (N) to the client (N + 1).
 - a logical node (N + 1) is formed from the public key (N + 1), the hash value (N), and the electronic signature (N).
 - a logical block composed of a plurality of logical nodes is formed.
 - the method of transferring a hash value between clients by the method as described above is one method of transferring data between clients.
 - In the case of cryptocurrency, the data is something with a monetary value, and in the case of Bitcoin, it is a processing record. (It is actually a hashed hash value.)
 - If the client is a storage device such as an SSD, this data does not necessarily need a monetary value. Simply hashed data is only transferred between SSDs. Nevertheless, it is possible to form a logical block in this way. That is, a logical block can be formed regardless of the contents of the data.
 - the client including the logical block is hardware
 - a method for dealing with hardware mechanical failure is required as described above. That is, the failed hardware must be replaced with new hardware.
 - the private ledger stored in the server records (physical address (N), private key (N), public key (N)). This is an authentication variable corresponding to the client (N).
 - the physical address (N ′) is input to the server via the I / F connecting the failed client (N) and the server.
 - the server edits the private ledger and modifies the authentication variables to (physical address (N ′), secret key (N), public key (N)).
 - FIG. 10 is a diagram illustrating a state after the failed hardware is replaced. Compared with FIG. 8, it can be seen that the logical nodes are exactly the same. That is, the logical node does not have to be tampered with. Thus, by using the server relating to the present embodiment, it is possible to replace the failed hardware without falsifying the logical block.
 - Assume that, before the hardware breaks down, the collection of logical nodes and their data transfer history shown in FIG. 8 are disclosed as logical blocks. A miner who mines this logical block, or a wider range of logical blocks that contains it, records it in a public ledger (for example, a block chain). Thereafter, the hardware breaks down, and the hardware is replaced by the method shown in FIG. However, as shown in FIG. 10, in this embodiment, there is no change in the logical node of the client whose hardware has been replaced. Therefore, the logical block is not falsified, and there is no fear of breaking the block chain connection condition.
 - the logic block also changes. If the time axis is taken on the vertical axis, this change is divided at an appropriate time interval, and a time stamp is attached, it is possible to stack logical blocks that change from bottom to top as shown in FIG. The latest one is the logical block (M), and the last one approved is the logical block (M-1). The previous block is a logical block (M-2). However, in the present embodiment, this time stamp is issued to a server to which a client constituting a logical block is connected. The time stamp is issued at predetermined time intervals determined for the convenience of client maintenance using the server according to the present embodiment.
 - When the server issues a time stamp, it means that the server approves the logical block at that time on behalf of the public ledger (e.g., blockchain).
 - this approval work is performed by an arbitrary miner.
 - the approval of the logical block according to the present embodiment is fundamentally different from the conventional method using the block chain. That is, the chain of logical blocks that are vertically continuous in FIG. 11 is different from a normal block chain.
 - FIG. 12 is a diagram illustrating an example of an approval operation by the server according to the present embodiment.
 - the transition of logic blocks and time stamps are arranged from left to right in the figure. The latest one is the time stamp (M), going back one at a time (M-1), time stamp (M-2), and so on. Similarly, it can be traced back to logical block (M), logical block (M-1), logical block (M-2).
 - the block hash (M-2) is generated by combining the logical block (M-2) with the block hash (M-3) and an appropriately selected nonce value and hashing them.
 - the block hash (M-1) is generated by combining the block hash (M-2) and an appropriately selected nonce value with the logical block (M-1) and hashing it.
 - the block hash (M-1) may be hashed together with the logical block (M) and an appropriately selected nonce value.
 - the nonce value is generally an arbitrary value of 32 bits.
 - a hash value (block hash here) generated including the nonce value is a 256-bit value. 2 to the 256th power is larger than 10 to the 77th power, and it can be seen that the block hash has an enormous degree of freedom.
 - the first few bits of the block hash can be made zero.
 - the probability that the first 16 bits of a newly generated block hash are all zero is 1/2^16, that is, 1/65,536. This is almost impossible to happen by chance, and finding such a nonce value requires a corresponding amount of work.
 - the first 16 bits of the block hash are set to zero as a connection condition for connecting a new logical block to an existing logical block.
 - the reason why the number of bits set to zero first is 16 is to adjust so that the frequency at which a new logical block is approved is once every 10 minutes worldwide.
 - the 16-bit connection condition is for maintaining the reliability of data transfer in a P2P network without management by a server; for maintaining the reliability of data transfer between specific clients connected via a server, as in the present application, 16 bits is considered to be sufficient. Rather, it may be necessary to reduce the number of bits and shorten the average time required for the server of this embodiment to approve a new logical block.
 - the logical block connection condition in the present application is to set all the first L bits of the block hash to zero.
 - L is a natural number smaller than 16.
 - the nonce value relating to the present application is adjusted to satisfy this connection condition.
 - the nonce value can be adjusted, a new logical block can be approved, and a time stamp can be issued as shown in FIG.
 - This operation is preferably performed by a server related to the present application.
 - the block chain related to the present application is different from the conventional block chain used for Bitcoin and the like.
 - If the maintenance and management of the server that approves a new logical block is appropriate, it is possible to prevent alteration of the processing history from the outside.
 - If the public-key encryption that makes the public key and the private key correspond one-to-one is not broken, the logical address and the physical address can be linked as shown in FIG.
 - SSD is an example of the client of the present application
 - the history of data exchange between the SSDs is hashed and managed so that it cannot be tampered with in the block chain related to the present application.
 - This management is substantially management by a server that stores a private ledger.
 - the logical block is updated on the server that controls the data center activities.
 - By using the electronic signature technology and the private ledger stored in the server related to the present application, the physical address of the SSD once initialized by the server can be prevented from being tampered with from the outside. (Physical address that cannot be rewritten from the outside) Also, by using the private ledger inside the server, it is possible to replace a failed SSD without destroying the block chain.
 - (Third embodiment)
 - the physical address can be generated from some physical randomness extracted from a cell array in a semiconductor chip having physical reality.
 - a chip is called an authentication chip.
 - FIG. 13 shows an example of a cell array composed of word lines and bit lines.
 - An authentication element is arranged where the word line and the bit line intersect.
 - the number of rows (number of word lines) is N
 - the number of columns (number of bit lines) is M.
 - rows and columns can be interchanged at any time.
 - each authentication element has at least two terminals (a first terminal and a second terminal); one of a word line and a bit line is connected to the first terminal, and the other is connected to the second terminal.
 - the word line is connected to the first control gate and the bit line is connected to the second control gate.
 - the bit line is connected to the first control gate, and the word line is connected to the second control gate. In any case, access between the first terminal and the authentication element can be controlled in this way.
 - the second terminal is dropped to the source line, the substrate electrode, or the ground as necessary.
 - the authentication element is a resistor (or a conductor).
 - Or it is a capacitor, a PN junction, or a Schottky junction.
 - Or it is a transistor, or a DRAM cell composed of a transistor and a capacitor.
 - Or it is a variable resistance memory cell consisting of a transistor and a variable resistor.
 - MRAM magnetoresistive memory cell
 - STT-MRAM spin torque type MRAM
 - it is a non-volatile memory cell with a charge storage layer.
 - the charge storage layer may be either a charge trapping layer or a floating gate.
 - it is a nonvolatile memory cell with a charge storage layer arranged on a NAND type array in which the bit line terminals are intentionally excluded as shown in FIG.
 - the transistors are arranged on a NAND type array in which the bit line terminals are intentionally excluded.
 - a bit line terminal is connected to one end of a group of authentication elements in series in the bit line direction, and a source line terminal is connected to the other end.
 - a transfer voltage is applied to the word lines (non-selected word lines) of all other authentication elements connected to the bit line (selected bit line) that includes the authentication element (selected cell) to be read, so that all switches other than the selected cell are turned on. Then, a voltage (read gate voltage) lower than the transfer voltage may be applied to the word line (selected word line) of the selected cell. At this time, an appropriate voltage (read drain voltage) may be applied between the bit line terminal and the source line terminal, and the current flowing between them may be measured.
 - a word line is selected using a word line decoder
 - a bit line is selected using a bit line decoder
 - the authentication element selected by the selected word line and the selected bit line is the selected cell.
 - the first type passes current easily when a read voltage is applied if it is broken, and passes little current if it is not broken.
 - Major examples are capacitors, PN junctions, and Schottky junctions.
 - the destruction determination current value is higher than the non-destruction determination current value.
 - the second type is less likely to pass current when a read voltage is applied when it is destroyed, and more likely to pass current if it is not destroyed.
 - the main example is a resistor (or conductor). In order to determine whether or not it has been destroyed, it is only necessary to check whether the absolute value of the current when the destruction determination voltage is applied is higher than the nondestructive determination current value or lower than the breakdown determination current value. However, the destruction determination current value is lower than the nondestructive determination current value.
 - a plurality of destruction bits are generally found.
 - a defective bit is found that does not exhibit the specified characteristics.
 - the position information on the cell array of the destruction bit or the defective bit is an array composed of a word line number and a bit line number. If the position information of the plurality of broken bits or defective bits is arranged and displayed as a code, an authentication code corresponding to the distribution of the broken bits or defective bits can be obtained. As long as the occurrence of the destruction bit or defective bit is physically random, this authentication code is expected to be unique to the semiconductor chip and physically random.
 - the format of the authentication code is appropriately formed to be a physical address used in the present application.
 - Q be the number of broken bits or defective bits
 - R be the number of selected cells.
 - Q is a number smaller than R.
 - the number of authentication codes is equal to the number when Q is selected from R. That is, if R is sufficiently large and the probability of existence of a broken bit or defective bit is not small enough to be ignored, the number of authentication codes is very large.
 - a Q of 1 G and an R of 1 km corresponds to a defective rate of 1 / 1,000,000. That is, even if it is assumed that the defect rate is so low that the semiconductor chip achieves six sigma (3.4 / 1,000,000 or less), the probability that the authentication codes of the two semiconductor chips will coincide is almost zero. I can say that.
 - the stress includes various types such as an electrical stress, an optical stress, a mechanical stress, and an electromagnetic field stress.
 - authentication cells in a part of a region selected for generating an authentication code are simultaneously selected from all cell arrays, and a high voltage pulse is applied to all the selected cells.
 - As an example of optical stress, a certain amount of X-rays, ultraviolet rays, or the like is irradiated onto the authentication element cell array before assembly. The amount of irradiation is adjusted so that the number of non-destructive bits and destructive bits is approximately the same. However, when the area of the cell array for authentication elements is very narrow, stress is similarly applied to other elements. This is a relatively effective method when the entire chip is used as a cell array for authentication elements.
 - An example of electromagnetic field stress is exposing the authentication chip to a strong electromagnetic field. However, stress is similarly applied to a cell array other than the authentication element cell array. Therefore, this method is effective only when all the chips are used as the authentication element cell array.
 - the authentication code is generated in a physically random manner. Further, as long as the probability that the authentication codes of two semiconductor chips coincide by chance is practically zero, the authentication code is sufficient for use as a physical address unique to the semiconductor chip.
 - the physical address of the present embodiment can be generated from the distribution of the destruction bits in the cell array.
 - the physical address of the present embodiment can be generated from the distribution of defective bits in the cell array.
 - the physical address of the present embodiment can be generated from the distribution of broken bits and defective bits in the cell array.
 - Some memory chip products are provided in advance with redundant bit lines for replacing bit lines on which defective bits occur, on the assumption that defective bits occur in memory cells at or below a predetermined ratio.
 - the causes of such defects are various and depend on manufacturing variations in the manufacturing stage of the semiconductor chip (memory chip in this example) and naturally occurring variations in the physical formation process of the members. In general, these variations are uncontrollable. Redundant bit lines are usually not included in the bit capacity of memory chip products. See FIG. 18 as an example.
 - the bit line group arranged in the row direction is divided into two groups.
 - One is a redundant bit line group consisting of a plurality of redundant bit lines
 - the other is a normal bit line group consisting of normal bit lines.
 - N be the number of rows in the normal bit line group
 - L be the number of rows in the redundant bit line group.
 - N and L are non-negative integers, and N is larger than L.
 - the bit capacity of the memory chip product corresponds to the number of cells included in this normal bit line group.
 - the normal bit line including the defective bit is reassigned to one redundant bit line in the redundant bit line group. Such replacement (replacement A, replacement B in the figure) is performed for each normal bit line including a defective bit, and the defective bit can be substantially removed.
 - the bit line number of a bit line found defective in a pre-shipment inspection and the bit line number of the redundant bit line that replaces it are recorded in a peripheral memory (for example, a fuse memory or the like) embedded in the peripheral area.
 - This peripheral memory is referred to when accessing the memory cell.
 - information recorded in the peripheral memory is displayed as a code, and is formed into a predetermined format to play the role of a physical address.
 - a memory chip product that satisfies such conditions is a DRAM.
 - In addition, a flash memory, a phase change memory, a resistance change memory, a magnetoresistance change memory (MRAM), a spin torque type MRAM, and the like can be considered.
 - the number of cases is the number of combinations of selecting m from N, that is, C(N, m).
 - the number of cases must be further multiplied by the number of permutations of m arranged from L, giving C(N, m) P(L, m). In other words, the number of cases, even when underestimated, is about C(N, m).
 - the number of redundant bit lines is about 153,000 with respect to the total number of bit lines of 6,550,000.
 - In other words, up to about 153,000 rows in the regular bit line group on which defective bits occur for some reason are acceptable in a mass-production DRAM.
 - the number in the case of reassignment to the redundant bit line is equal to the combination of selecting 153,000 out of 6,550,000.
 - the calculation gives about 10 to the power of 315,289 (1E315,289). That is, even if 100 trillion DRAM chips are supplied, the probability that the authentication codes of two DRAM chips coincide by chance is 1E-315,275. It is practically almost zero.
 - the bit line and the word line can be interchanged. That is, the number of redundant word lines is about 3,044 with respect to the total number of word lines of 4.4 million. Assuming that all redundant word lines are used for replacement, the number of cases is approximately 2.9E10,938. Although it is much less than the number in the former case, it is still an extremely large number. That is, even if 100 trillion DRAM chips are supplied, the probability that the authentication codes of two authentication chips coincide is 1E-10,924. It is practically almost zero.
 - an authentication code having a very large information entropy can be generated.
 - no extra bit is allocated to generate the authentication code. That is, the redundant bit line (or redundant word line) is already mounted on the memory chip product, and the same applies to the peripheral memory that records the replacement information.
 - the probability that the authentication codes of the two semiconductor chips will coincide is small enough to be practically almost zero. This authentication code is sufficient as the physical address of the present application.
 - the physical address related to the present application is code information assigned to hardware. Or it is the code information allocated to some of the components which comprise hardware. Or it is chip
 - the chip authentication is generated based on a physical disorder unique to the semiconductor chip.
 - the semiconductor chip is composed of a plurality of elements, and the plurality of elements are stochastically destroyed by applying a predetermined stress, and a set (distribution) of position information of the destroyed elements is unique to the semiconductor chip. It is characterized by a physical disorder. Alternatively, a plurality of elements constituting the semiconductor chip become probabilistic defective bits due to uncontrollable variations in the manufacturing process. A set (distribution) of position information of the defective bits is a physical disorder unique to the semiconductor chip.
 - the predetermined stress is an electrical stress, a mechanical stress, an electromagnetic field stress, an optical stress, or the like.
 - this block chain uses what is recorded by an arbitrary miner from an external logical network. In other words, it is consistent with the conventional block chain, and can maintain and manage the data center efficiently and safely using an external network.
 - a server that stores a private ledger records logical blocks and configures a unique block chain.
 - hashing is frequently used.
 - a hash function may be used for hashing.
 - hash functions such as MD2, MD4, MD5, RIPEMD-160, SHA-256, SHA-384, and SHA-512.
 - SHA-256 is used in Bitcoin as an example.
 - the technical scope of the present invention is not limited to the above embodiment, and various modifications can be made without departing from the spirit of the present invention.
 - A figure explaining the mechanism of remittance of a cryptocurrency.
 - A figure explaining the Merkle tree.
 - A figure explaining an example in which the authentication elements of this application are non-volatile memory cells, each consisting of a transistor with a charge storage layer, arranged in a NAND type array.
 - A figure explaining an example in which the authentication elements of this application are transistors arranged in a NAND type array.
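
The key chain (secret key (N) from the hashed physical address (N) and public key (N-1), reduced mod p-1), the private-ledger edit on hardware replacement, and the logical-node chain described in the bullets above can be exercised end to end. The following Python sketch is an added example, not code from the patent: SHA-256 as the hash, the toy prime `P`, the base `G`, the ElGamal signature standing in for the electronic signature, the empty predecessor for client (1) and the sample physical addresses are all assumptions.

```python
import hashlib
from math import gcd

# Toy parameters (assumptions): the page only asks for "a large prime number p".
P = 2**127 - 1   # Mersenne prime; far too small for real use
G = 3            # base for the ElGamal-type public key g^x mod p


def H(*parts: bytes) -> bytes:
    """SHA-256 over length-prefixed parts, used here as the 'synthesis' step."""
    m = hashlib.sha256()
    for part in parts:
        m.update(len(part).to_bytes(4, "big") + part)
    return m.digest()


def to_bytes(n: int) -> bytes:
    return n.to_bytes(16, "big")


def derive_keys(address: bytes, prev_public=None):
    """secret (N) = H(address (N), public (N-1)) mod (p-1); public (N) = g^secret mod p."""
    prev = b"" if prev_public is None else to_bytes(prev_public)
    secret = int.from_bytes(H(address, prev), "big") % (P - 1)
    return secret, pow(G, secret, P)


def enroll(addresses):
    """Initial setting: build the server's private ledger of authentication variables."""
    ledger, prev_public = [], None
    for address in addresses:
        secret, public = derive_keys(address, prev_public)
        ledger.append({"address": address, "secret": secret, "public": public})
        prev_public = public
    return ledger


def replace_hardware(ledger, index, new_address):
    """Failed client: only the physical address in its ledger entry changes."""
    updated = [dict(entry) for entry in ledger]
    updated[index]["address"] = new_address
    return updated


def sign(secret: int, message: bytes):
    """ElGamal signature (an assumed scheme) with a deterministic per-message k."""
    k = int.from_bytes(H(to_bytes(secret), message), "big") % (P - 1)
    while gcd(k, P - 1) != 1:          # k must be invertible mod p-1
        k += 1
    r = pow(G, k, P)
    digest = int.from_bytes(H(message), "big")
    s = (digest - secret * r) * pow(k, -1, P - 1) % (P - 1)
    return r, s


def verify(public: int, message: bytes, signature) -> bool:
    r, s = signature
    if not 0 < r < P:
        return False
    digest = int.from_bytes(H(message), "big")
    return pow(G, digest, P) == pow(public, r, P) * pow(r, s, P) % P


def node_hash(node) -> bytes:
    public, prev_hash, (r, s) = node
    return H(to_bytes(public), prev_hash, to_bytes(r), to_bytes(s))


def build_chain(ledger):
    """Logical node (N) = (public key (N), hash value (N-1), signature (N-1))."""
    nodes, prev_hash, prev_sig = [], b"", (0, 0)
    for i, entry in enumerate(ledger):
        node = (entry["public"], prev_hash, prev_sig)
        nodes.append(node)
        prev_hash = node_hash(node)
        if i + 1 < len(ledger):
            next_public = to_bytes(ledger[i + 1]["public"])
            prev_sig = sign(entry["secret"], prev_hash + next_public)
    return nodes


def verify_chain(nodes) -> bool:
    """Check every hash link and every signature made by the preceding client."""
    for prev, node in zip(nodes, nodes[1:]):
        public, prev_hash, signature = node
        if prev_hash != node_hash(prev):
            return False
        if not verify(prev[0], prev_hash + to_bytes(public), signature):
            return False
    return True


# Constructed sample physical addresses (not from the page).
ADDRESSES = [b"chip-A:0017", b"chip-B:02c4", b"chip-C:9e31"]

if __name__ == "__main__":
    ledger = enroll(ADDRESSES)
    chain = build_chain(ledger)
    swapped = replace_hardware(ledger, 1, b"chip-B2:7711")
    redone = enroll([ADDRESSES[0], b"chip-B2:7711", ADDRESSES[2]])
    print("chain valid:", verify_chain(chain))
    print("chain unchanged after ledger edit:", build_chain(swapped) == chain)
    print("keys differ if re-derived:", redone[2]["public"] != ledger[2]["public"])
```

Because each secret key depends on the previous public key, re-deriving keys from the replacement chip's address would change that client's key pair and every key after it; editing only the address in the private ledger leaves the logical nodes identical.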
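
The connection condition described above (the first L bits of the block hash are zero, L smaller than 16, with a 32-bit nonce) amounts to a nonce search performed by the approving server. This is an added Python example, not the patent's implementation; the layout of the hashed fields, the all-zero predecessor of the first block, L = 12 and the use of a counter as the time stamp are assumptions.

```python
import hashlib

NONCE_BITS = 32        # nonce width stated on the page
GENESIS = bytes(32)    # assumed predecessor hash for the first block


def block_hash(logical_block: bytes, prev_hash: bytes, nonce: int) -> bytes:
    """Block hash (M) = SHA-256(logical block (M), block hash (M-1), nonce)."""
    header = len(logical_block).to_bytes(4, "big") + logical_block + prev_hash
    return hashlib.sha256(header + nonce.to_bytes(NONCE_BITS // 8, "big")).digest()


def leading_zero_bits(digest: bytes) -> int:
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def find_nonce(logical_block: bytes, prev_hash: bytes, zero_bits: int):
    """Try nonces in order until the first `zero_bits` bits of the hash are zero."""
    for nonce in range(2 ** NONCE_BITS):
        digest = block_hash(logical_block, prev_hash, nonce)
        if leading_zero_bits(digest) >= zero_bits:
            return nonce, digest
    # A 32-bit nonce can run out when zero_bits is large; the block must then change.
    raise RuntimeError("nonce space exhausted")


def approve(chain: list, logical_block: bytes, zero_bits: int) -> dict:
    """Server-side approval: find the nonce, then attach the next time stamp."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    nonce, digest = find_nonce(logical_block, prev_hash, zero_bits)
    record = {
        "stamp": len(chain),       # counter standing in for the time stamp
        "block": logical_block,
        "prev": prev_hash,
        "nonce": nonce,
        "hash": digest,
    }
    chain.append(record)
    return record


def verify_chain(chain: list, zero_bits: int) -> bool:
    """Recompute every block hash and check linkage and the connection condition."""
    prev_hash = GENESIS
    for record in chain:
        digest = block_hash(record["block"], record["prev"], record["nonce"])
        if record["prev"] != prev_hash or digest != record["hash"]:
            return False
        if leading_zero_bits(digest) < zero_bits:
            return False
        prev_hash = digest
    return True


def build_demo(zero_bits: int = 12) -> list:
    """Approve three constructed logical blocks, oldest first."""
    chain = []
    for body in (b"logical block (M-2)", b"logical block (M-1)", b"logical block (M)"):
        approve(chain, body, zero_bits)
    return chain


if __name__ == "__main__":
    demo = build_demo()
    for rec in demo:
        # nonce + 1 is the number of hashes tried; the expected value is 2**12
        print(rec["stamp"], rec["nonce"] + 1, rec["hash"].hex()[:16])
    print("valid:", verify_chain(demo, 12))
```

Each extra zero bit doubles the expected number of hashes, which is the trade-off the page makes when it chooses L below 16 to shorten the server's approval time.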
 
Description
The present invention relates to a technique for authenticating a device existing on a network.
The number of devices connected to the ever-evolving Internet has increased over the years, and its network structure has become more complex and diversified. Basically, however, networks can be roughly divided into the client-server (CS) type, in which a server having special functions is placed as the central node (core node), and the peer-to-peer (P2P) type, in which no such core node exists and all nodes are connected on a basically equal footing.
A network generally consists of nodes and communication lines (links). A first node and a second node are linked by a signal transmission path, which is a communication line. For example, the first node and the second node exchange protocol data units (PDUs), which are a form of data, via the signal transmission path. The first node and the second node each handle protocol data units according to protocols that have a certain consistency.
In the Internet of Things (IoT), these first and second nodes are devices (hardware) connected to the network and have physical reality, so they are called physical nodes. In this case, the first physical node and the second physical node are regarded as being connected by a signal transmission path having physical reality. Such a signal transmission path carries wired or wireless electronic signals or optical signals. A network constructed from a plurality of physical nodes and signal transmission paths in this way is called a physical network.
An address used for recognizing a physical node on a physical network is called a physical address. That is, the first physical node has a first physical address, and the second physical node has a second physical address. Sending data from the first physical node to the second physical node means that data (in this case, a frame as an example) is sent from the first physical address to the second physical address through a signal transmission path having physical reality.
On the other hand, if the first and second nodes have no physical reality, these nodes are called logical nodes. A logical node is a node associated with a logical address virtually defined on the network, and is not necessarily associated with specific hardware. A network constructed from a plurality of logical nodes is called a logical network. In this case, the signal transmission path connecting the first logical node and the second logical node does not necessarily have physical reality.
An address used to recognize a logical node on the logical network is called a logical address. That is, sending data from the first logical node to the second logical node is interpreted as sending data from the first logical address to the second logical address. In practice, this also means attaching the first logical address and the second logical address, in order, to the transferred data as codes. Therefore, when the transfer is repeated, a list of a plurality of logical addresses is attached to the data. This list of logical addresses includes the latest logical address of the data and its past transfer history. In this way, all logical nodes accessing the data can know where and how the data has been transferred and at which logical node it is currently defined to virtually exist. Data to which a transfer history including the latest logical address is attached in this way is called a block or a logical block. As long as the transfer history is not falsified, the logical block can be properly recognized by the latest logical address.
         
In recent years, a technology called a public ledger has attracted attention as a way to make the transfer history tamper-proof. The best-known public ledger technology is the blockchain, devised to make the remittance data of the cryptocurrency called Bitcoin tamper-proof. In other words, it is a network system that prevents fraudulent remittance by making the remittance history impossible to tamper with.

(Blockchain)
      
Here, the blockchain is briefly described.
Blockchain is a public ledger system on a peer-to-peer (P2P) network. The P2P network structure does not assume a server that plays a core role: all nodes connected to the network are non-core and equal, and security must be ensured by having them monitor one another. This makes it possible to provide applications that cannot be realized on a client-server network, which assumes the existence of a core server.
The most important of these is the remittance system based on the cryptocurrency called Bitcoin. In Bitcoin, the past processing history and the name of the account that is the subject of the processing are first combined and encrypted. The result is transferred as an electronic signature and constitutes a new process. The means of processing is therefore not entrusted to a financial institution. The updated and transferred processing history is monitored by many other non-core nodes on the network and is approved by a method resembling majority voting.
Transferring the processing history is synonymous with transferring currency, and the approved processing history is treated like currency. In this way, processing proceeds without passing through a specific core entity such as a bank.
The cryptography used for the electronic signatures that flow over the network is most easily explained with public key cryptography, well known through the Alice and Bob analogy. Alice sends her public key to Bob in advance. It does not matter if someone on the network steals this public key. Bob encrypts a letter with the public key he received from Alice and sends it to Alice. Decrypting this encrypted letter requires the private key that is paired with Alice's public key. Therefore, unless the cipher is broken, the contents of the letter cannot be read even if someone on the network steals it, because only Alice holds the private key. Alice decrypts Bob's letter with her own private key and reads it.
Thus, the public key may be exposed on the network, and Bob is not the only one to whom Alice sends it. However, unless the cipher is broken, only Alice, who holds the private key, can decrypt and read a letter encrypted with that public key. A public key and a private key are always generated as a pair, but it must be practically impossible to reconstruct the private key from the public key. In other words, breaking the cipher means reconstructing the private key from the public key. A letter encrypted with the private key can also be decrypted with the public key.
Another important role of the public key is to serve as the destination for letters sent to Alice, that is, Alice's address on the network. When Bob sends an encrypted letter over the network, it can reach any recipient connected to the network. A recipient who cannot decrypt it cannot read it, and being unable to read it by any means is equivalent to not having received it. Therefore, the fact that only Alice can decrypt the letter is equivalent to the letter reaching only Alice. This makes clear that the other role of the public key is to serve as a logical address on the network. For this reason, the public key used in Bitcoin is also called a Bitcoin address.
For example, a logical node is a wallet that holds a cryptocurrency such as Bitcoin, and a logical address is assigned to it in advance. The wallet contains something of monetary value (data relating to currency or equivalent coins). In addition, using some cryptographic technique, the address and the contents of the wallet can be attached to the wallet as an electronic signature.
Such a wallet can be used, for example, by installing a dedicated application on hardware such as a personal computer, tablet, smartphone, or smart card. The contents of the wallet are then stored as digital data in the storage of the hardware on which the application is installed. In electronic processing premised on P2P, for example, the administrator or owner of the hardware must take responsibility for managing this digital data. This differs from the client-server model, in which a financial institution or the like takes that responsibility. Electronic processing over P2P thus does not require an entity with a core function, such as a financial institution.
FIG. 1 shows a chain of processes: process (N-2, N-1), process (N-1, N), process (N, N+1), and so on. Process (N-2, N-1) is some process from wallet (N-2) to wallet (N-1), process (N-1, N) is some process from wallet (N-1) to wallet (N), and process (N, N+1) is some process from wallet (N) to wallet (N+1). Here, N is an arbitrary natural number of 3 or more.
Suppose that the contents of wallet (N-1) are, for example, 1000 yen transferred from somewhere. Let the source of this 1000 yen be wallet (N-2), and suppose that electronic signature (N-2) is attached to the 1000 yen. The amount of 1000 yen is only an example; any digital information equivalent to or exchangeable for monetary value will do. Wallet (N-1) consists of its contents (the 1000 yen), that electronic signature, private key (N-1), which is used to create the next electronic signature, and the unique public key (N-1) that forms a pair with it. As described above, public key (N-1) is the address of wallet (N-1) on the network. One example is a Bitcoin address.
Next, hash value (N-1) is generated from public key (N-1), the contents of wallet (N-1), and electronic signature (N-2) using a hash function (SHA-256, for example). Hash value (N-1) is sent to wallet (N), which stores it as its contents. Meanwhile, the private key (N-1) of the transfer source is used to encrypt public key (N), which is the address of wallet (N), together with hash value (N-1), which is its contents, to generate electronic signature (N-1). This signature is transferred to wallet (N) together with hash value (N-1).
Wallet (N) thus consists of hash value (N-1), electronic signature (N-1), and the pair of public key (N) and private key (N) unique to wallet (N). This completes the process of remitting 1000 yen from wallet (N-1) to wallet (N).
Hash value (N-1) should contain the information that this 1000 yen came from wallet (N-1). However, unlike a cipher, a hash cannot be inverted, so hash value (N-1) cannot be inverted (decrypted) and read. That is why electronic signature (N-1) is attached. Electronic signature (N-1) is public key (N) and hash value (N-1) encrypted together with private key (N-1). Therefore, to check whether this electronic signature really came from wallet (N-1), it suffices to decrypt electronic signature (N-1) with public key (N-1) and compare the result with public key (N) and hash value (N-1) stored in wallet (N). As long as the cipher has not been broken, a match confirms that the signature was indeed made with private key (N-1). If they do not match, the electronic signature is false. Alternatively, if the comparison matches the result of decrypting with another public key, for example public key (Q), it shows that wallet (Q), whose address is public key (Q), performed fraudulent processing.
However, another method is needed to prove that the past history contains no fraudulent processing, because an electronic signature alone cannot rule out the possibility that the legitimate holder of private key (N-1) commits fraud. For example, the owner could abuse the private key. Bitcoin, which is premised on P2P, tries to prevent this with proof of work (PoW). This is considered to be working well on the whole. Proof of work (PoW) is described below.
In FIG. 1, hash value (N) is then created from public key (N), the contents of wallet (N) (in this case hash value (N-1)), and electronic signature (N-1) using a hash function (SHA-256, for example). Wallet (N) sends hash value (N) to wallet (N+1), which stores it as its contents. Meanwhile, wallet (N) uses private key (N) to encrypt public key (N+1), which is the address of wallet (N+1), together with hash value (N), generating electronic signature (N). It then sends electronic signature (N) to wallet (N+1) together with hash value (N).
From the above, it can be seen that process (N-1, N) from wallet (N-1) to wallet (N) is recorded in the contents of wallet (N) as hash value (N-1). Similarly, process (N, N+1) from wallet (N) to wallet (N+1) is recorded in the contents of wallet (N+1) as hash value (N). Thus, the contents of any wallet contain the entire past processing history in chained form. That is, the latest hash value represents the entire past history.
However, the wallet remitting to a given wallet is not necessarily a single one as in the example of FIG. 1. In practice, remittances from several wallets to one wallet are probably common, as are remittances from one wallet to several wallets. The remittance processing history therefore becomes more complex. Nevertheless, there is always exactly one hash value that contains the latest history. This is called the Merkle root. The past can therefore be traced back from the Merkle root. As shown in FIG. 2, the result looks like a tree diagram branching out from the Merkle root. This is called a Merkle tree diagram. A Merkle tree is thus the collection of all past history arranged in chronological order. That is, it corresponds to the logical block described above. The Merkle root, which is the latest history, is the code that characterizes the logical block.
For example, hash value (ABCD), the Merkle root, is linked to the histories corresponding to hash value (AB) and hash value (CD). Hash value (AB) is in turn linked to the past histories corresponding to hash value (A) and hash value (B), that is, to process (A) and process (B), respectively. Hash value (CD) is in turn linked to the past histories corresponding to hash value (C) and hash value (D), that is, to process (C) and process (D), respectively.
However, since a hash value cannot be inverted in the first place, it is impossible to trace the remittance history by decoding hash values. One way to actually trace the past processing history of the contents of wallet (N) (hash value (N-1)) is, for example, to select an arbitrary other wallet (M), decrypt electronic signature (N) using its public key (M), and compare the result with public key (N) and hash value (N-1). If they do not match, another wallet (M+1) is selected, the signature is decrypted using public key (M+1), and the same comparison is made. If they match, the process is shown to have been a remittance from wallet (M+1); in this case M+1 is N-1. The public key (N-2) of wallet (N-2), which contains hash value (N-3), can then be searched for in the same way. By repeating this operation, the processing history can be traced back. Here, M and N are arbitrary natural numbers.
In this way it is logically possible to trace back the past processing history, but tracing the history back one step at a time using hash values is in fact not always necessary. Rather, several hundred to about a thousand processes can be gathered into one batch, and the fact that these processes actually took place can be approved collectively by some method. Specifically, all hash values other than the Merkle root are deleted, and the latest hash value (for example, ABCD) is used as a code. A collection of processes represented by a single code is called a logical block.
The existence of the collection of past processes represented by the Merkle root (hash value (ABCD) in the example above) is approved with a timestamp. The logical block approved in this way is published on the network, which is why it is called a public ledger. This approval is work similar to date certification, in which documents are brought to a notary office to be dated and sealed. Approving a collection of unapproved processes as a new logical block is called recording, and the party who records the block is given a fixed reward in Bitcoin as compensation for the approval work. Obtaining Bitcoin in this way is called mining, and a Bitcoin user who mines is called a miner. However, only one miner can record a block at a time, so miners compete to be first. The mined Bitcoin circulates in a market on the logical network.
This approval work is briefly explained using FIG. 3 as an example. First, some hash value relating to an already approved past logical block is obtained. Next, a collection of unapproved processes existing on the network is found, and the Merkle root (hash value) of that collection is obtained. A variable nonce value is added to these two hash values, and the whole is hashed again to produce a block hash. Bitcoin uses SHA-256 as the hash function for this. Of course, the block hash can also be generated with another hash function.
The nonce value is generally an arbitrary 32-bit value. The hash value generated with this nonce value included (here, the block hash) is a 256-bit value. Since 2 to the 256th power is greater than 10 to the 77th power, the block hash has an enormous number of degrees of freedom. By adjusting the nonce value, the first several bits of the block hash can be made zero. As an example, the probability that the first 16 bits of a newly generated block hash are all zero is 1 in 2 to the 16th power, that is, 1 in 65,536. In other words, it almost never happens by chance.
A hash function is irreversible. It is therefore generally impossible to obtain, by inverse transformation, a nonce value that produces a hash value (here, the block hash) whose first several bits (16 bits in this example) are zero. Instead, hashing must be repeated with a different nonce value each time until the first several bits of the generated hash value are all zero. Determining a nonce value that produces a block hash whose first 16 bits are all zero therefore requires the use of more than a certain amount of computing resources.
In a P2P network, mining is not performed by a node with a specific core function. Anyone who can make use of more than a certain amount of computing resources can mine. A miner, or more precisely the P2P node that the miner uses, performs a brute-force search over the network while changing the nonce value, and only has to find a collection of unapproved processes for which the first several digits are all zero. In other words, the miner goes around the network mining while changing the nonce value. The nonce value thus does not necessarily have to be adjusted for one specific collection of unapproved processes.
In any case, once a block hash whose first several bits (16 bits in this example) are zero has been mined, the collection of unapproved processes corresponding to this block hash may be linked, as a newly approved logical block, to the approved past logical block mentioned above and published. This completes the recording of the logical block. That is, the condition for linking logical blocks is that a predetermined number of leading bits are all zero. By repeating mining, a plurality of blocks are linked and a blockchain is formed.
As can be seen from the above, in Bitcoin the reliability of the currency is the reliability of the past processing history. It is the blockchain, rather than notarial certification, that guarantees this reliability. The longer the blockchain grows, the more difficult tampering becomes. For example, if the data of one logical block is rewritten, the linking condition with the logical block connected to it (the first several bits of the block hash are all zero) is no longer satisfied. The nonce value of that logical block must then be corrected so that the condition is satisfied again. As described above, the hash function is irreversible, so this requires a corresponding amount of computation. Moreover, once the nonce value of that logical block is adjusted, the nonce values of the subsequent logical blocks must also be adjusted. In the end, tampering with even a small part of the data requires readjusting the nonce values of multiple logical blocks linked in the blockchain, which requires even more computing power. For this reason, the difficulty of tampering is said to grow geometrically as the blockchain gets longer.
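The following Python sketch is an added example, not code from the patent. It models the Merkle root of FIG. 2, the nonce search under the 16-leading-zero-bit linking condition, and the way altering one record invalidates its block and forces every later nonce to be recomputed. The three-field block layout (previous block hash, Merkle root, 32-bit nonce), the single SHA-256 pass, the all-zero first "previous hash", the duplication of the last hash on odd levels, and the sample records are assumptions made for illustration.

```python
import hashlib
import struct

DIFFICULTY_BITS = 16        # the page's example: first 16 bits of the block hash are zero
GENESIS_PREV = bytes(32)    # assumption: all-zero "previous hash" for the first block


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def merkle_root(records):
    """Hash records pairwise up to one root: ABCD = H(H(H(A)+H(B)) + H(H(C)+H(D)))."""
    if not records:
        raise ValueError("a logical block needs at least one record")
    level = [sha256(r) for r in records]
    while len(level) > 1:
        if len(level) % 2:              # odd count: pair the last hash with itself
            level.append(level[-1])
        level = [sha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


def block_hash(prev_hash: bytes, root: bytes, nonce: int) -> bytes:
    """Block hash = SHA-256(previous block hash || Merkle root || 32-bit nonce)."""
    return sha256(prev_hash + root + struct.pack("<I", nonce))


def meets_condition(digest: bytes, bits: int = DIFFICULTY_BITS) -> bool:
    """Linking condition: the first `bits` bits of the digest are all zero."""
    return int.from_bytes(digest, "big") >> (256 - bits) == 0


def mine(prev_hash, root, bits=DIFFICULTY_BITS):
    """Try nonces in order and return (nonce, attempts); the hash cannot be inverted."""
    for nonce in range(2 ** 32):
        if meets_condition(block_hash(prev_hash, root, nonce), bits):
            return nonce, nonce + 1
    raise RuntimeError("no 32-bit nonce satisfies the linking condition")


def build_chain(batches, bits=DIFFICULTY_BITS):
    """Record each batch of processes as a logical block linked to the previous one."""
    chain, prev = [], GENESIS_PREV
    for records in batches:
        root = merkle_root(records)
        nonce, _ = mine(prev, root, bits)
        chain.append({"prev": prev, "records": list(records), "nonce": nonce})
        prev = block_hash(prev, root, nonce)
    return chain


def first_invalid(chain, bits=DIFFICULTY_BITS):
    """Recompute every link; return the index of the first block that fails, or None."""
    prev = GENESIS_PREV
    for i, blk in enumerate(chain):
        digest = block_hash(blk["prev"], merkle_root(blk["records"]), blk["nonce"])
        if blk["prev"] != prev or not meets_condition(digest, bits):
            return i
        prev = digest
    return None


def relink_from(chain, start, bits=DIFFICULTY_BITS):
    """Restore the linking condition from block `start` on; return hash attempts per block."""
    prev, cost = chain[start]["prev"], []
    for blk in chain[start:]:
        blk["prev"] = prev
        root = merkle_root(blk["records"])
        blk["nonce"], attempts = mine(prev, root, bits)
        cost.append(attempts)
        prev = block_hash(prev, root, blk["nonce"])
    return cost


if __name__ == "__main__":
    # Constructed sample records grouped into three logical blocks.
    batches = [[b"A", b"B", b"C", b"D"], [b"E", b"F", b"G"], [b"H", b"I"]]
    chain = build_chain(batches)
    print("intact chain, first invalid block:", first_invalid(chain))
    chain[0]["records"][1] = b"B (altered)"     # rewrite one record in the oldest block
    print("after altering a record in block 0:", first_invalid(chain))
    print("hash attempts to relink blocks 0..2:", relink_from(chain, 0))
    print("chain valid again:", first_invalid(chain) is None)
```

Each block takes about 65,536 hash attempts on average, matching the 1-in-65,536 probability stated above, and the total grows with the number of blocks that follow the altered one.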
In Bitcoin, counterfeiting currency means tampering with or illicitly copying the past processing history. Since an electronic signature is attached to the processing history as proof that the process was successfully verified, counterfeiting currency means forging an electronic signature. Unless the cipher is broken, the only party able to create the electronic signature is the owner of the previous wallet, who holds the private key needed for the signature. Conversely, even if the cipher is not broken, the legitimate user of the private key can tamper with the past processing history if so inclined. However, once a blockchain has been built up as described above, it is difficult even for the legitimate user of the private key to alter all the nonce values that link the blockchain. The longer the blockchain grows, the more dramatically the difficulty rises. In other words, once the blockchain has become long, going back into the past to tamper with or edit it becomes almost impossible. This is called proof of work (PoW).
However, when the computing power of the fraudulent party exceeds the computing power distributed among the other miners throughout the world, the fraudulent chain may become longer than the legitimate chain. This is called a "51% attack".
It is argued that a 51% attack is unrealistic in terms of cost-effectiveness. However, this does not hold when the attack is carried out as a cyberattack to weaken the financial base of some group. For example, suppose that blockchain-based FinTech 2.0 is widespread in a certain large country. A certain small country might put defense spending into mining in order to paralyze that large country's financial system. This would probably cost less than developing nuclear weapons. It is also possible that, with the development of cloud mining, some operators temporarily acquire the capability for a 51% attack.
To prevent such an attack, the large country that would be attacked also needs to participate in the blockchain. If multiple nations participate and no single nation is in a position to carry out a 51% attack, the problem goes away. Thus, although the blockchain is P2P, it will also come to have the character of international information and communication infrastructure.
The public ledger concept, in which the processing history is shared over a P2P network and reliability is ensured by leaving the approval work to miners, is expected to find wide application beyond Bitcoin as information and communication infrastructure. The reason is that it can make tampering with past processing practically impossible at minimal cost. Demand for databases that are practically impossible to tamper with can be expected in, for example, healthcare using the ever-growing store of medical data, securities trading using the ever-growing store of processing data, and any other information service that makes use of ever-growing big data. It is also setting off the worldwide wave of financial technology innovation called FinTech 2.0.
There is one more point in suppressing a 51% attack. First, the number of attacking nodes must not be allowed to become unlimited. If the address assigned to a node is a logical address such as an IP address, an attacker can acquire an unlimited number of attack nodes in virtual space. Therefore, every node connected to the P2P network must be linked so as to form a one-to-one pair with a CPU or the like. This concept is called One-CPU-One-Vote. One ballot per person, for example, is an indispensable condition in a system such as majority voting.
It follows that the private key must be associated with the individual authentication of hardware that has physical substance. However, a private key is a product of software and has no connection to physical substance. Software is, to begin with, made to function identically on any hardware designed and manufactured to the same standard. That is, it is required to behave the same way regardless of differences between individual physical entities, and so by its very origin it is unrelated to physical substance. Nevertheless, what makes up an IoT network is countless pieces of hardware and the set of wired and wireless signal transmission paths that connect them and exchange electronic data. Herein lie both the reason for associating the private key with physical substance and a hint as to how.
         
Specifically, the public key and the physical address are linked by some method that cannot be tampered with. The physical address required here must be non-rewritable, unlike a MAC address or the like.

(Non-rewritable physical address)
      
It is thus clear that a (non-rewritable physical address) is needed. It may be realized by software technology, network technology, hardware technology, or anything else. In any case, it suffices if software technology, network technology, hardware technology, or some combination of them can relate the address in some form to a chip that has physical substance.
FIG. 4 illustrates the relationship between a physical network, in which hardware equipped with a (non-rewritable physical address) participates, and a logical network that uses a public ledger. The hardware has physical substance and is a node of the physical network, so it is a physical node. The preset physical address is linked one-to-one with a private key by some method. The logical node whose logical address is the public key paired with this private key under public key cryptography forms a pair with this physical node, or with the hardware corresponding to it.
As in FIG. 1, information is transferred between logical nodes whose logical addresses are public keys linked to the physical addresses. Hash value (N-1), the contents of wallet (N), is the result of hashing together hash value (N-2), which is the contents of wallet (N-1), public key (N-1), which is its logical address, and electronic signature (N-2). Here, wallet (N-1), wallet (N), wallet (N+1), and so on correspond to logical node (N-1), logical node (N), logical node (N+1), and so on, respectively.
Now suppose that the address of the physical node paired with logical node (N-1), that is, physical address (N-1), is tampered with. Secret key (N-1), which is linked one-to-one with physical address (N-1), is also linked one-to-one with public key (N-1), the logical address of logical node (N-1). Tampering with physical address (N-1) therefore means tampering with public key (N-1) at the same time.
As described with reference to FIG. 1, public key (N-1) is hashed into hash value (N-1) together with hash value (N-2) and electronic signature (N-2). Tampering with public key (N-1) is therefore also tampering with hash value (N-1). In general, hash value (N-1) is not necessarily the latest hash value, that is, the Merkle root. However, tampering with any part of the Merkle tree, that is, of the logical block, is equivalent to tampering with the Merkle root.
As shown in FIG. 3, block hash (N), which makes up the contents of logical block (N+1), is obtained by hashing the whole of logical block (N). Logical block (N) contains the Merkle root. If this Merkle root has been tampered with as described above, the linking condition between logical block (N) and logical block (N+1) is broken. The nonce value of logical block (N) must therefore be readjusted to restore the linking condition. For example, the nonce value of logical block (N) must be recalculated so that the first 16 bits of block hash (N+1) are all zero again. Because the hash function is irreversible, this calculation requires at least a certain amount of computing power.
Even if the nonce value is readjusted in this way and (as one example) the first 16 bits are successfully made all zero, the data from the 17th bit onward is altered as long as the Merkle root has been tampered with. As a result, block hash (N-1) is also altered, which breaks the linking condition between logical block (N) and logical block (N+1). As above, restoring this linking condition consumes at least a certain amount of computing power, and doing so in turn breaks the linking condition between logical block (N+1) and logical block (N+2). As long as the blockchain is long, the calculation to restore block linking conditions has to go on and on.
         
As long as a sufficiently long blockchain is built in this way, tampering with a physical address, even partially, becomes practically impossible. Forcing a change leaves the linking conditions between logical blocks unsatisfied and destroys the blockchain. Using a physical address linked to a secret key thus makes it possible to realize a (non-rewritable physical address) with a public-ledger technology such as a blockchain.
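The cascade described above can be reproduced in a few lines. The following Python sketch is an added example, not part of the patent text: SHA-256, the 8-byte nonce encoding and the constructed Merkle roots are assumptions, while the 16-zero-bit linking condition is the one the text gives as its example.

```python
import hashlib

DIFFICULTY_BITS = 16  # the text's example: the first 16 bits of a block hash are zero


def block_hash(block: dict) -> bytes:
    """Hash a whole logical block: Merkle root, previous block hash and nonce."""
    data = block["root"] + block["prev"] + block["nonce"].to_bytes(8, "big")
    return hashlib.sha256(data).digest()


def meets_condition(digest: bytes) -> bool:
    """Linking condition: the leading DIFFICULTY_BITS bits are all zero."""
    return int.from_bytes(digest, "big") >> (256 - DIFFICULTY_BITS) == 0


def mine(block: dict) -> int:
    """Search for a nonce that satisfies the condition; return the number of tries."""
    block["nonce"] = 0
    while not meets_condition(block_hash(block)):
        block["nonce"] += 1
    return block["nonce"] + 1


def build_chain(roots: list) -> list:
    """Mine one block per Merkle root, each recording its predecessor's hash."""
    chain, prev = [], bytes(32)
    for root in roots:
        block = {"root": root, "prev": prev, "nonce": 0}
        mine(block)
        chain.append(block)
        prev = block_hash(block)
    return chain


def first_broken(chain: list):
    """Index of the first block that fails verification, or None if intact."""
    for i, block in enumerate(chain):
        digest = block_hash(block)
        if not meets_condition(digest):
            return i  # the block's own hash lost its 16 zero bits
        if i + 1 < len(chain) and chain[i + 1]["prev"] != digest:
            return i  # bits 17 onward no longer match what the next block recorded
    return None


def repair_from(chain: list, start: int) -> tuple:
    """Re-mine block `start` and every later block; return (blocks, hash tries)."""
    tries = 0
    for i in range(start, len(chain)):
        if i > 0:
            chain[i]["prev"] = block_hash(chain[i - 1])
        tries += mine(chain[i])
    return len(chain) - start, tries


def sample_roots(n: int) -> list:
    # Constructed Merkle roots standing in for hashed logical-node data.
    return [hashlib.sha256(b"constructed-root-%d" % i).digest() for i in range(n)]


if __name__ == "__main__":
    chain = build_chain(sample_roots(4))
    # A changed public key changes the Merkle root of the block that holds it.
    chain[1]["root"] = hashlib.sha256(b"tampered public key").digest()
    print("first broken block:", first_broken(chain))
    mine(chain[1])  # restores the 16 zero bits of block 1 only
    print("after re-mining block 1 alone:", first_broken(chain))
    print("blocks re-mined, hash tries:", repair_from(chain, 1))
```

Re-mining the altered block alone never clears the fault, because its new hash differs from the one the next block recorded; every later block has to be re-mined, so the work grows with the length of the chain.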
 
 (Key generation method)
      
A method of generating a public key that forms a pair with a secret key is described. Broadly, there are two approaches: one uses an RSA-type key generation device, which generates a paired secret key and public key from some input, and the other uses an ElGamal-type key generation device, which takes a secret key as input and generates the public key paired with it. In either case, it is very difficult to recover the secret key from at least the public key. These key generation devices may be a kind of program stored in memory or an embedded circuit mounted on a semiconductor chip.
         
First, the RSA type is described. This is a cryptographic key generation method invented by Rivest, Shamir, and Adleman.
 
In the RSA method, an appropriate non-negative integer e is prepared first. Usually 2 to the 16th power plus 1 is used, but another positive natural number can also be used. Next, a pair of two large primes {p, q} is generated by some method and their product n (= pq) is calculated. {e, n} is then the public key. Next, a positive integer that leaves a remainder of 1 when divided by the product of (p-1) and (q-1) is divided by e, and the result is the secret key d. However, if {p, q} becomes known in addition to {e, n}, d can be obtained by calculation, so {p, q} must be discarded or kept from leaking outside. If the prime pair {p, q} is stored so that it does not leak, the set {d, p, q} can also be regarded as the secret key.
The first few bits can be cut out of the code-represented physical address and 1 added to give e. Alternatively, a positive integer e can be generated by adding 1 to the code-represented physical address.
The primes {p, q} can also be generated from the physical address. As an example, 1 is added to the code-represented physical address and the result is checked for primality. If it is prime, that prime is taken as p. If not, 1 is added again and the result is checked again. This is repeated to determine the prime p. After p is determined, the same procedure is repeated to determine the prime q. In this way the primes {p, q} can be obtained.
Another example of how to determine the prime q: 2 is added to the physical address and the result is checked for primality. If it is prime, that prime is taken as q. If not, 2 is added again and the result is checked again. This is repeated to determine the prime q.
The number added to the physical address to obtain the prime p or q is not limited to 1 or 2; any integer (for example, k) can be used. This k can serve as a security parameter. For example, k can be selected at random from the integers in a certain range using physical random numbers or pseudo-random numbers. In any case, the combining can be repeated until the result of combining the code-represented physical address with k in some way is prime. As long as the physical address is sufficiently large as a number, both p and q are sufficiently large primes, and the choice of the security parameter k becomes more varied.
The code-represented physical address and k can be combined using any of the arithmetic operations (addition, subtraction, multiplication, division) and their combinations, or any possible bit operation. In any case, as long as physical address (N) or k is sufficiently large as a number, p is also a sufficiently large prime. k may be an internal input or an external input.
In any case, one example of a method for obtaining the prime p or q from the physical address consists of a synthesis step, which combines the physical address with a suitably given variable, and a determination step, which determines whether the combined number is prime; the synthesis step and the determination step are repeated until a prime is actually obtained. See FIG. 5.
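The synthesis and determination loop, carried through to a complete RSA key, as an added Python example that is not part of the patent text. The Miller-Rabin test, the constructed 256-bit address, the coprimality check on (address, k) and the skipping of primes incompatible with e are assumptions of this sketch; the text only specifies "add k, test, repeat".

```python
import math
import random

E = 2**16 + 1  # the value the text names as the usual choice for e
ADDRESS = int("9f3c5a1e" * 8, 16)  # constructed 256-bit physical address


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Determination step: Miller-Rabin primality test."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    rng = random.Random(n)  # seeded by n so the derivation is reproducible
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # no square reached n - 1: n is composite
    return True


def next_prime(start: int, k: int) -> int:
    """Repeat the synthesis step (add k) and the determination step until a
    prime usable with E is reached."""
    if k < 1 or math.gcd(start, k) != 1:
        # Every candidate start + m*k would be divisible by gcd(start, k), so
        # the loop would never end (for example an even address with k = 2).
        raise ValueError("address and k must be coprime")
    candidate = start + k
    # E must be invertible modulo (p-1)(q-1), so skip primes with E | p - 1.
    while not is_probable_prime(candidate) or (candidate - 1) % E == 0:
        candidate += k
    return candidate


def rsa_from_address(address: int, k: int = 1) -> dict:
    """Derive {e, n} and d from a physical address and security parameter k."""
    p = next_prime(address, k)
    q = next_prime(p, k)  # "the same procedure is repeated", continuing from p
    phi = (p - 1) * (q - 1)
    # The same (address, k) always gives the same p and q, so both the primes
    # and the inputs that produce them have to be kept from leaking.
    return {"e": E, "n": p * q, "d": pow(E, -1, phi), "p": p, "q": q}


def gap_bits(key: dict) -> int:
    """Bit length of |p - q|, a quantity standard RSA key checks look at."""
    return abs(key["p"] - key["q"]).bit_length()


if __name__ == "__main__":
    key = rsa_from_address(ADDRESS, k=1)
    print("modulus bits:", key["n"].bit_length(), "|p-q| bits:", gap_bits(key))
```

With k = 1 the two primes are neighbours and `gap_bits` is tiny, whereas FIPS 186-4 requires |p - q| > 2^(nlen/2 - 100) for RSA primes; check this gap before relying on keys derived this way.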
         
Next, the ElGamal type is described. This is a cryptographic key generation method invented by ElGamal.
 
In the ElGamal method, a large prime p and its primitive root g are determined first. The prime p and the primitive root g can be selected according to the design specification. Next, a non-negative integer x smaller than p-1 is chosen at random as the secret key. The remainder of the x-th power of the primitive root g divided by p is then the public key.
Applying an appropriate code conversion to the physical address to obtain a secret key links the physical address to the secret key. As an example, the remainder obtained by dividing the code-represented physical address, or that physical address plus an integer of 1 or more, by p-1 may be used as the secret key.
         
There are several concrete algorithms for both the RSA-type and the ElGamal-type key generation methods. Among them, the DSA method and its improved version, the ECDSA method, are currently in common use for electronic signatures. There are many others, such as the Schnorr method, the random oracle method, and the Cramer-Shoup method, but what they have in common is that generating the secret key from the public key is difficult in practice. (It cannot be proven mathematically impossible, but it can be said to be difficult in practice.) Another common point is that an electronic signature is generated by encrypting a hash value or the like with the secret key. They differ in, for example, whether the public key is generated from the secret key or both keys are generated from another input variable. They also differ in the algebraic problem used for the variable transformation: prime factorization, the discrete logarithm problem, the random oracle assumption, the elliptic curve problem, and so on.
 
 (System integration)
      
Consider a large-scale system made up of many pieces of hardware. Hacking this system means hacking at least one piece of hardware. To keep the hack secret, the access history of that hardware must be erased. This is nothing other than tampering with the history. Moreover, taking over the system requires tampering with the physical address of at least some of the hardware that makes it up.
         
Therefore, if physical addresses and logical addresses are linked one-to-one by the method described above, the blockchain can protect the system from hacking.
 
 (Hardware specific problems)
      
However, hardware, which has physical substance, has a problem that cannot arise in logical nodes, which have none. A logical node cannot suffer a mechanical failure, but hardware always carries the risk of one. Failed hardware must be replaced with new hardware to keep the system running.
If the physical address of the replacement hardware differs from that of the failed hardware, the physical address is replaced as well. This is the same as tampering with the physical address. The logical blocks that make up the blockchain are thereby tampered with. As a result, the linking condition of the logical blocks can no longer be satisfied and the blockchain is destroyed.
To prevent such destruction of the blockchain, not only the physical address but also all information recorded in the failed hardware, such as the history (hash values) and electronic signatures, must be moved to the replacement hardware. However, it is not always possible to extract all of this information intact from failed hardware. Rather, unless a way of handling the case where the failure makes this impossible is prepared, the system cannot be maintained and managed.
For example, if the system is a large-scale data center, physical addresses are assigned to countless solid-state drives (SSDs), each physical address is linked one-to-one with a logical address, and the blockchain can block hacking from outside. A secure intranet can thus be built at low cost.
Such a large-scale data center consists of an enormous number of SSDs so that it can always handle access, such as searches, from all over the world. An SSD is hardware and cannot escape mechanical failure. However reliable it is and however low its failure rate, the number of SSDs is so large that SSDs must be replaced routinely for maintenance and inspection. By the nature of a blockchain, replacing even one SSD destroys the blockchain. This makes it difficult to use a blockchain to protect a large-scale system from attacks by malicious hackers. Even if the information needed to prevent destruction of the blockchain can, with luck, be extracted from the failed hardware, doing so takes time and labor and is not economical.
The present invention has been made in view of the above circumstances. Its object is to provide a network management technology in which logical blocks are not tampered with even when hardware forming part of the system is replaced, and to build a secure intranet at low cost using a blockchain.
To solve the above problems, the present invention adopts the following means.
           
In a network composed of a plurality of clients and at least one server,
the server has an input/output interface for exchanging data with each client,
each of the plurality of clients has a unique physical address and transmits the physical address to the server through the input/output interface,
the server further includes a key generation device and a synthesizing device,
the key generation device and the synthesizing device generate, from the physical address, a secret key and a public key corresponding to each client,
the secret key and the public key are each passed to the corresponding client,

the server generates, for each of the plurality of clients, an authentication variable consisting of a combination of the physical address, the secret key, and the public key, and
collects the authentication variables corresponding to the plurality of clients and records them in a private ledger.
The invention relates to a network characterized by the above.
        
           
The plurality of clients include a first client, a second client, and a third client that differ from one another,
the key generation device generates a first public key from a first secret key corresponding to the first client,
the synthesizing device generates a second secret key corresponding to the second client from the first public key and a second physical address corresponding to the second client,
the key generation device generates a second public key corresponding to the second client from the second secret key,
the synthesizing device generates a third secret key corresponding to the third client from the second public key and a third physical address corresponding to the third client,
the key generation device generates a third public key from the third secret key,

the first public key and the first secret key form a pair,
the second public key and the second secret key form a pair, and
the third public key and the third secret key form a pair.

The invention relates to a network characterized by the above.
        
           
The second client is replaced by a fourth client having a fourth physical address,
the fourth physical address is transmitted to the server through the input/output interface,

in the private ledger, the authentication variable corresponding to the second client is replaced with a combination including the fourth physical address, the second secret key, and the second public key, and

the fourth client is passed the second secret key and the second public key from the server, and is passed the second hash value and the second electronic signature from the first client.

The invention relates to a network characterized by the above.
        
           
A first logical block to which a first time stamp is attached at a certain point in time, a second logical block to which a second stamp is attached at a certain earlier point in time, and a third logical block to which a third stamp is attached at a certain still earlier point in time are linked and constitute part or all of a blockchain,

the first time stamp is at least part of a record in a public ledger that collectively approves the first logical block, a first block hash, and a first nonce value,

the second time stamp is at least part of a record in a public ledger that collectively approves the second logical block, a second block hash, and a second nonce value,

the third time stamp is at least part of a record in a public ledger that collectively approves the third logical block, a third block hash, and a third nonce value,

the first block hash is generated by hashing together the second block, the second block hash, and the second nonce value, and

the second block hash is generated by hashing together the third block, the third block hash, and the third nonce value.

The invention relates to a network characterized by the above.
        
According to the present invention, the economy of maintaining and managing a large-scale system composed of an enormous number of pieces of hardware can be reconciled with improved security.
The best mode for carrying out the invention is described concretely below.
         
 
(First embodiment)
      
In general, regardless of scale, a system is made up of a plurality of physical nodes. Each of these physical nodes is a kind of hardware, and together they produce the function of the system while exchanging data with one another over signal transmission paths. The physical nodes making up such a large-scale system can be broadly divided into core nodes, which handle the core functions, and peripheral nodes, which handle some functions in cooperation with the core nodes. The network structure is then necessarily of the client-server type, so below the core nodes are called servers and the peripheral nodes clients.
If such a system is a data center, the clients are, as an example, SSDs. If the system is an SSD, the clients are, as an example, NAND flash and the server is the controller. If the system is a controller, the server is the arithmetic processing unit and the clients are cache memory and the like.
FIG. 6 shows client (N-1), client (N), and client (N+1) before they are incorporated into the system. Physical address (N-1), physical address (N), and physical address (N+1) are assigned to them, respectively. Here N is a natural number of 2 or more.
FIG. 7 shows a method of registering these clients with the server for authentication. Incorporating a client into the system for the first time is called initial setting, and redoing the authentication registration for reasons such as maintenance and management is called resetting. The server assigns an input/output interface (I/F) to each client. Each client sends its physical address (N-1), physical address (N), or physical address (N+1) to the server via this I/F.
The server uses physical address (N) received from each client to generate secret key (N) by an appropriate method. The server further includes a key generation device, which generates public key (N) from secret key (N) according to the ElGamal-type cryptographic key generation method. Secret key (N) and public key (N) form a pair. This is described concretely below, step by step.
Let N = 2, and generate secret key (1) from physical address (1). Next, the key generation device generates public key (1) from secret key (1). Secret key (1) and public key (1) are passed to client (1). Client (1) thus holds the combination (physical address (1), secret key (1), public key (1)). The combination (physical address (1), secret key (1), public key (1)) corresponding to client (1) also remains in the server. This combination is called an authentication variable and is registered in a ledger in the server. Because this ledger is not disclosed outside the server, it can be called a private ledger.
The server further includes a synthesizing device. The synthesizing device combines public key (1) and physical address (2) and generates secret key (2) from the result. Next, the key generation device generates public key (2) from secret key (2). Secret key (2) and public key (2) are passed to client (2). Client (2) thus holds the combination (physical address (2), secret key (2), public key (2)). The authentication variable (physical address (2), secret key (2), public key (2)) corresponding to client (2) also remains in the server and is registered in the private ledger in the server.
This operation is then repeated while N is updated. That is, the synthesizing device combines physical address (N) and public key (N-1) and generates secret key (N) from the result. Next, the key generation device generates public key (N) from secret key (N). Secret key (N) and public key (N) are passed to client (N). Client (N) thus holds the combination (physical address (N), secret key (N), public key (N)). The authentication variable (physical address (N), secret key (N), public key (N)) corresponding to client (N) also remains in the server and is registered in the private ledger in the server.
Next, a concrete method by which the synthesizing device generates a secret key is described. As an example, a large prime p is first prepared by an appropriate method. Next, the combination of physical address (N) and public key (N-1) is hashed, the result is divided by p-1, and the remainder is taken as secret key (N). Here, hashing the physical address also serves to put it into the right format. If the physical address is already in a format suitable for generating a secret key, the hashing can be omitted. When N = 1, public key (0) does not exist and is a dummy. An initial input must therefore be prepared on the server side in advance and used in place of public key (0).
The synthesizing device can combine the physical address and the public key in many ways. For example, addition, subtraction, multiplication, division, combinations of these arithmetic operations, logical operations, and any other possible bit operation can be used.
In this way, the set (physical address (N), secret key (N), public key (N)) is stored in client (N). At the same time, the sets (physical address (N), secret key (N), public key (N)) are registered in the private ledger in order from N = 1. The private ledger is stored and managed by the server and is not disclosed outside, in order to increase security.
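The chained enrollment above and the hardware replacement stated earlier (the second client replaced by a fourth client while the second key pair is kept), as an added Python example that is not part of the patent text. The prime 2^255 - 19, the base g = 2 (not verified here to be a primitive root), SHA-256, length-prefixed concatenation as the combining operation, and the constructed addresses are all assumptions of this sketch.

```python
import copy
import hashlib

P = 2**255 - 19  # a well-known prime, standing in for the text's large prime p
G = 2            # assumed base; the text calls for a primitive root g of p
INITIAL_INPUT = b"constructed server-side initial input"  # replaces public key (0)

# Constructed 6-byte physical addresses for clients (1)..(4) and a spare unit.
ADDRESSES = [bytes.fromhex("02000000000" + str(i)) for i in range(1, 5)]
REPLACEMENT = bytes.fromhex("0200000000ff")


def synthesize(address: bytes, prev_public: bytes) -> int:
    """Synthesizing device: hash physical address (N) together with public
    key (N-1) and take the remainder modulo p-1 as secret key (N)."""
    framed = len(address).to_bytes(2, "big") + address + prev_public
    return int.from_bytes(hashlib.sha256(framed).digest(), "big") % (P - 1)


def generate_public(secret: int) -> int:
    """ElGamal-type key generation device: public key = g^x mod p."""
    return pow(G, secret, P)


def enroll(addresses: list) -> list:
    """Initial setting: build the private ledger, one authentication variable
    (address, secret key, public key) per client, in order from N = 1."""
    ledger, prev_public = [], INITIAL_INPUT
    for address in addresses:
        secret = synthesize(address, prev_public)
        public = generate_public(secret)
        ledger.append({"address": address, "secret": secret, "public": public})
        prev_public = public.to_bytes(32, "big")
    return ledger


def replace_client(ledger: list, index: int, new_address: bytes) -> list:
    """Hardware swap: only the address in the ledger entry changes; the
    existing key pair is what the server hands to the new hardware."""
    updated = copy.deepcopy(ledger)
    updated[index]["address"] = new_address
    return updated


def changed_clients(before: list, after: list) -> list:
    """Indices (0-based) of clients whose key pair differs between ledgers."""
    return [i for i, (b, a) in enumerate(zip(before, after))
            if (b["secret"], b["public"]) != (a["secret"], a["public"])]


def rederivation_mismatches(ledger: list) -> list:
    """Entries whose secret key no longer follows from the recorded address.
    After a swap, the ledger is the only record binding address to key."""
    out, prev_public = [], INITIAL_INPUT
    for i, entry in enumerate(ledger):
        if synthesize(entry["address"], prev_public) != entry["secret"]:
            out.append(i)
        prev_public = entry["public"].to_bytes(32, "big")
    return out


if __name__ == "__main__":
    ledger = enroll(ADDRESSES)
    # Re-running enrollment with the new address changes client (2) and,
    # through the chain of public keys, every client after it.
    naive = enroll([ADDRESSES[0], REPLACEMENT] + ADDRESSES[2:])
    print("re-enrollment changes clients:", changed_clients(ledger, naive))
    swapped = replace_client(ledger, 1, REPLACEMENT)
    print("ledger replacement changes clients:", changed_clients(ledger, swapped))
    print("entries that no longer re-derive:", rederivation_mismatches(swapped))
```

Because the replaced entry can no longer be recomputed from its address, the integrity and confidentiality of the private ledger carry the whole binding between hardware and key.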
FIG. 8 shows a method of linking the clients by hashing after initial setting or resetting to form a logical block. The logical block is generated in the same way as in Bitcoin. That is, the combination of public key (N-1), hash value (N-2), and electronic signature (N-2) of client (N-1) corresponds to Bitcoin wallet (N-1) and, in the present application, is logical node (N-1). Logical node (N-1) is hashed to generate hash value (N-1). Next, hash value (N-1) and public key (N) of client (N) are together encrypted with secret key (N-1) to generate electronic signature (N-1). Finally, client (N-1) sends both hash value (N-1) and electronic signature (N-1) to client (N). At client (N), logical node (N) is formed from public key (N), hash value (N-1), and electronic signature (N-1).
続いて、論理ノード(N)をハッシュ化し、ハッシュ値(N)を生成する。続いて、このハッシュ値(N)とクライアント(N+1)の公開鍵(N+1)をまとめて秘密鍵(N)で暗号化し、電子署名(N)を生成する。最後に、クライアント(N)はハッシュ値(N)と電子署名(N)を共にクライアント(N+1)に送付する。クライアント(N+1)では、公開鍵(N+1)、ハッシュ値(N)および電子署名(N)から論理ノード(N+1)が形成される。 Subsequently, the logical node (N) is hashed to generate a hash value (N). Subsequently, the hash value (N) and the public key (N + 1) of the client (N + 1) are collectively encrypted with the secret key (N) to generate an electronic signature (N). Finally, the client (N) sends both the hash value (N) and the electronic signature (N) to the client (N + 1). In the client (N + 1), a logical node (N + 1) is formed from the public key (N + 1), the hash value (N), and the electronic signature (N).
この作業を繰り返し、複数の論理ノードから構成される論理ブロックが形成される。上述のような方法でハッシュ値をクライアント間で転送して行く方法は、クライアント間でデータを転送する一つの方法である。暗号通貨であればそのデータとは貨幣価値のある何かであり、ビットコインの場合それは処理記録である。(実際にはハッシュ化されたハッシュ値である。)クライアントがSSDなどのストレージであれば、必ずしもこのデータに貨幣価値は必要ない。単純にハッシュ化されたデータがSSD間を転送されるのみである。それでもこのように論理ブロックを形成することが可能である。すなわち、データの内容に関わらず論理ブロックが形成可能である。 By repeating this operation, a logical block composed of a plurality of logical nodes is formed. The method of transferring a hash value between clients by the method as described above is one method of transferring data between clients. In the case of cryptocurrency, the data is something with a monetary value, and in the case of bitcoin, it is a processing record. (It is actually a hashed hash value.) If the client is a storage such as SSD, this data does not necessarily need a monetary value. Simply hashed data is only transferred between SSDs. Nevertheless, it is possible to form a logical block in this way. That is, a logical block can be formed regardless of the contents of data.
前記論理ブロックを含むクライアントがハードウェアである場合、上述したようにハードウェアの機械的故障に対処する方法が必要である。すなわち、故障したハードウェアを新しいハードウェアに取り換えなければならない。 When the client including the logical block is hardware, a method for dealing with hardware mechanical failure is required as described above. That is, the failed hardware must be replaced with new hardware.
図9のように、クライアント(N)のハードウェアが故障した場合を考えよう。このとき、故障したハードウェアには物理アドレス(N)が添付されており、これと交換する新しいハードウェアには物理アドレス(N’)が添付されている。サーバーに保管されている非公開台帳には(物理アドレス(N)、秘密鍵(N)、公開鍵(N))が記録されている。これをクライアント(N)に対応する認証変数とする。故障したクライアント(N)とサーバーを結んでいたI/Fを介して物理アドレス(N’)がサーバーに入力される。サーバーは、非公開台帳を編集し、前記認証変数を(物理アドレス(N’)、秘密鍵(N)、公開鍵(N))に修正する。あるいは(物理アドレス(N’)、秘密鍵(N)、公開鍵(N);物理アドレス(N))と記録しなおし、クライアント(N)がハードウェアを交換した履歴まで残すことも可能である。ここで、秘密鍵(N)と公開鍵(N)を修正する必要はない。 Consider the case where the hardware of the client (N) fails as shown in FIG. At this time, the physical address (N) is attached to the failed hardware, and the physical address (N ′) is attached to the new hardware to be replaced with the failed hardware. The private ledger stored in the server records (physical address (N), private key (N), public key (N)). This is an authentication variable corresponding to the client (N). The physical address (N ′) is input to the server via the I / F connecting the failed client (N) and the server. The server edits the private ledger and modifies the authentication variables to (physical address (N ′), secret key (N), public key (N)). Alternatively, it is possible to re-record as (physical address (N '), secret key (N), public key (N); physical address (N)), and to leave a history of hardware (N) exchanged hardware. . Here, there is no need to modify the private key (N) and the public key (N).
図10は、故障したハードウェアを置き換えた後の様子を示す図である。図8と見比べると、論理ノードは全く同じであることが判る。すなわち、論理ノードが改ざんがされなくて済む。こうして、本実施形態に関するサーバーを利用することによって、論理ブロックを改ざんすることなく故障したハードウェアを交換することが可能となる。 FIG. 10 is a diagram illustrating a state after the failed hardware is replaced. Compared with FIG. 8, it can be seen that the logical nodes are exactly the same. That is, the logical node does not have to be tampered with. Thus, by using the server relating to the present embodiment, it is possible to replace the failed hardware without falsifying the logical block.
ハードウェアが故障する以前に、図8の論理ノードの集まりとそのデータ転送履歴が論理ブロックとして公開されているとしよう。この論理ブロック、あるいはこの論理ブロックを内包するより広範な論理ブロックを掘り当てたマイナーが、公開台帳(たとえばブロックチェーン)に記帳する。その後ハードウェアが故障し、図9の方法でハードウェアを交換する。しかしながら、図10のように、本実施形態ではハードウェアを交換したクライアントの論理ノードに変化はない。したがって、論理ブロックが改ざんされることはなく、ブロックチェーンの連結条件を壊す心配がない。 Assume that before the hardware breaks down, the collection of logical nodes and their data transfer history shown in FIG. 8 are disclosed as logical blocks. A minor who digs up this logical block or a wider range of logical blocks that contain this logical block records it in a public ledger (for example, a block chain). Thereafter, the hardware breaks down, and the hardware is replaced by the method shown in FIG. However, as shown in FIG. 10, in this embodiment, there is no change in the logical node of the client whose hardware has been replaced. Therefore, the logical block is not falsified, and there is no fear of breaking the block chain connection condition.
         
In this way, by using the private ledger of this embodiment, failed hardware can be replaced without breaking the linking condition of the blockchain. Since using an external blockchain incurs no additional cost, the intranet consisting of the server and the plurality of clients can be protected from external hacking at low cost.
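The node chain of FIG. 8 and the ledger edit of FIG. 9, as an added sketch that is not code from the patent. Lamport one-time signatures built on SHA-256 stand in for the public-key signature, which the text does not specify; the seeds, the address strings, the empty genesis fields and all function names are assumptions made for the example.

```python
import hashlib

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

# --- Lamport one-time signature (stand-in scheme, each key signs once) ---
def keygen(seed: bytes):
    """Derive (secret key, public key) from a seed; constructed for the demo."""
    sk = [[H(seed + bytes([b]) + i.to_bytes(2, "big")) for i in range(256)]
          for b in (0, 1)]
    pk = b"".join(H(s) for half in sk for s in half)
    return sk, pk

def bits(digest: bytes):
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, message: bytes) -> bytes:
    # Reveal one secret per bit of the message digest.
    return b"".join(sk[b][i] for i, b in enumerate(bits(H(message))))

def verify(pk: bytes, message: bytes, sig: bytes) -> bool:
    if len(sig) != 256 * 32:
        return False
    for i, b in enumerate(bits(H(message))):
        slot = (b * 256 + i) * 32
        if H(sig[i * 32:(i + 1) * 32]) != pk[slot:slot + 32]:
            return False
    return True

# --- Logical nodes: node N = (public key N, hash N-1, signature N-1) ---
def build_nodes(keys):
    """keys: [(sk, pk), ...] in client order. Returns the logical nodes."""
    nodes, prev_hash, prev_sig = [], b"", b""   # empty genesis fields: assumption
    for n, (sk, pk) in enumerate(keys):
        node = (pk, prev_hash, prev_sig)
        nodes.append(node)
        if n + 1 < len(keys):
            prev_hash = H(b"".join(node))                    # hash value (N)
            prev_sig = sign(sk, prev_hash + keys[n + 1][1])  # signature (N)
    return nodes

def verify_nodes(nodes) -> bool:
    """Check every link: the stored hash and the predecessor's signature."""
    for prev, (pk, prev_hash, prev_sig) in zip(nodes, nodes[1:]):
        if prev_hash != H(b"".join(prev)):
            return False
        if not verify(prev[0], prev_hash + pk, prev_sig):
            return False
    return True

# --- Private ledger: a hardware swap changes only the physical address ---
def replace_hardware(ledger, n, new_address):
    record = ledger[n]
    record["history"].append(record["physical_address"])  # keep the old address
    record["physical_address"] = new_address

def demo():
    keys = [keygen(b"constructed-seed-%d" % n) for n in range(1, 5)]
    ledger = {n: {"physical_address": "PA-%04d" % n, "secret_key": sk,
                  "public_key": pk, "history": []}
              for n, (sk, pk) in enumerate(keys, start=1)}
    before = build_nodes(keys)
    replace_hardware(ledger, 3, "PA-0003-prime")
    after = build_nodes([(ledger[n]["secret_key"], ledger[n]["public_key"])
                         for n in sorted(ledger)])
    # A node whose public key was swapped fails its predecessor's signature.
    tampered = list(before)
    tampered[2] = (keygen(b"constructed-intruder")[1],) + before[2][1:]
    return {"chain_ok": verify_nodes(before), "nodes_unchanged": before == after,
            "record": ledger[3], "tampered_ok": verify_nodes(tampered)}

if __name__ == "__main__":
    print({k: v for k, v in demo().items() if k != "record"})
```

Because no field of a logical node contains the physical address, the ledger edit leaves every node hash and signature byte-for-byte identical.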
 
(Second embodiment)
      
Each time data is exchanged between clients, the hash values that form part of the logical nodes change. The logical block therefore changes as well. If time is taken as the vertical axis and this change is divided at suitable time intervals, with a time stamp attached to each, the changing logical blocks can be stacked from bottom to top as in FIG. 11. The latest is logical block (M), and the one approved immediately before it is logical block (M-1). The one before that is logical block (M-2). In this embodiment, however, it is the server to which the clients constituting the logical block are connected that issues the time stamp. The time stamp is issued at predetermined time intervals chosen for the convenience of client maintenance using the server of this embodiment.
That the server issues a time stamp means that the server, in place of a public ledger (for example, a blockchain), approves that the logical block existed at that point in time. In a blockchain based on a P2P network, by contrast, this approval is performed by an arbitrary miner. In this respect, the approval of logical blocks in this embodiment is fundamentally different from the conventional method that uses a blockchain. That is, the vertical chain of logical blocks in FIG. 11 is different from an ordinary blockchain.
FIG. 12 shows an example of the approval work performed by the server of this embodiment. The successive logical blocks and time stamps are arranged from left to right in the figure. The latest is time stamp (M), and going back one at a time gives time stamp (M-1), time stamp (M-2), and so on. In the same way, one can go back through logical block (M), logical block (M-1), logical block (M-2), and so on.
Logical block (M-2) is combined with block hash (M-3) and a suitably chosen nonce value and hashed to generate block hash (M-2). Logical block (M-1) is combined with block hash (M-2) and a suitably chosen nonce value and hashed to generate block hash (M-1). To generate the next block hash (M), block hash (M-1) is combined with logical block (M) and a suitably chosen nonce value and hashed.
In Bitcoin, the nonce value is generally an arbitrary 32-bit value. The hash value generated with this nonce value included (here, the block hash) is a 256-bit value. Since 2 to the 256th power is larger than 10 to the 77th power, the block hash has an enormous number of degrees of freedom. By adjusting the nonce value appropriately, the first several bits of the block hash can be made zero. As an example, the probability that the first 16 bits of a newly generated block hash are all zero is 1 in 2 to the 16th power, that is, 1 in 65,536. This almost never happens by chance, and finding such a nonce value requires a corresponding amount of work. Making the first 16 bits of the block hash zero is the connection condition for connecting a new logical block to the existing logical blocks. The number of leading zero bits is set to 16 so that new logical blocks are approved about once every 10 minutes worldwide.
The 16-bit connection condition exists to maintain the reliability of data transfer in a P2P network that is not managed by a server. For maintaining the reliability of data transfer between specific clients connected through a server, as in the present application, 16 bits is considered more than enough. Rather, it may be necessary to reduce this number of bits so as to shorten the average time the server of this embodiment needs to approve a new logical block.
In view of this, the logical block connection condition in the present application is that the first L bits of the block hash are all zero, where L is a natural number smaller than 16. The nonce value of the present application is adjusted to satisfy this connection condition.
The nonce value is adjusted in this way, the new logical block is approved, and a time stamp can be issued as in FIG. 12. This work is preferably performed by the server of the present application.
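The server-side approval described above, as an added example that is not code from the patent: each block hash is SHA-256 over the previous block hash, the logical block and a 32-bit nonce, and the nonce is searched until the first L bits are zero. The field order, the all-zero genesis hash, the 600-second interval and the sample logical blocks are assumptions.

```python
import hashlib

GENESIS = bytes(32)  # assumed all-zero predecessor for the first block

def leading_zero_bits(digest: bytes) -> int:
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def block_hash(prev_hash: bytes, logical_block: bytes, nonce: int) -> bytes:
    # Fixed-width prefix and suffix keep the concatenation unambiguous.
    return hashlib.sha256(prev_hash + logical_block
                          + nonce.to_bytes(4, "big")).digest()

def approve(prev_hash: bytes, logical_block: bytes, L: int, timestamp: int):
    """Search the 32-bit nonce space for a hash with L leading zero bits."""
    if not 0 < L < 16:
        raise ValueError("the text requires a natural number L smaller than 16")
    for nonce in range(2 ** 32):
        h = block_hash(prev_hash, logical_block, nonce)
        if leading_zero_bits(h) >= L:
            # The time stamp is issued by the server and stored beside the
            # hash; the text does not say that it is part of the hashed data.
            return {"logical_block": logical_block, "prev_hash": prev_hash,
                    "nonce": nonce, "block_hash": h,
                    "timestamp": timestamp, "tries": nonce + 1}
    raise RuntimeError("no nonce satisfies the connection condition")

def build_chain(logical_blocks, L, t0=0, interval=600):
    chain, prev = [], GENESIS
    for m, lb in enumerate(logical_blocks):
        record = approve(prev, lb, L, t0 + m * interval)
        chain.append(record)
        prev = record["block_hash"]
    return chain

def verify_chain(chain, L) -> bool:
    """Recompute every hash and check both the link and the zero-bit condition."""
    prev = GENESIS
    for record in chain:
        h = block_hash(record["prev_hash"], record["logical_block"],
                       record["nonce"])
        if (record["prev_hash"] != prev or h != record["block_hash"]
                or leading_zero_bits(h) < L):
            return False
        prev = h
    return True

# Constructed sample data: three successive logical blocks.
SAMPLE_BLOCKS = [b"logical-block-M-2", b"logical-block-M-1", b"logical-block-M"]

if __name__ == "__main__":
    chain = build_chain(SAMPLE_BLOCKS, L=12)
    for record in chain:
        print(record["timestamp"], record["tries"], record["block_hash"].hex())
    print("valid:", verify_chain(chain, 12))
```

The expected number of tries is 2 to the power L, so with L below 16 the search is cheap for any party; the tamper resistance therefore rests on the server's control of approval, as the text states.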
Thus the blockchain of the present application differs from the conventional blockchain used for Bitcoin and the like. In the present application, as long as the server that approves new logical blocks is properly maintained and managed, tampering with the processing history from the outside can be prevented. Also, as long as the public-key cryptography that puts the public key and the secret key in one-to-one correspondence is not broken, the logical address and the physical address can be linked as shown in FIG. 4.
As long as the private ledger stored on the server is properly managed, the physical address cannot be rewritten from anywhere other than the server. In this way, a physical address that cannot be rewritten from the outside can be realized. Furthermore, replacing failed hardware does not break the blockchain of the present application. This is a feature not found in a conventional blockchain that operates only within a logical network (a blockchain that does not adopt the private ledger of the present application).
For example, storage devices such as SSDs operating in large numbers in a data center can be expected to cooperate with each other to handle big data. An SSD is one example of a client of the present application, and the history of data exchange between SSDs is hashed and managed in the blockchain of the present application so that it cannot be tampered with. This management is, in substance, management by the server that stores the private ledger.
         
The logical block is updated by the server that controls the activity of the data center. By using electronic signature technology and the private ledger stored on the server of the present application, the physical address of an SSD, once initialized by the server, can be made impossible to tamper with from the outside (a physical address that cannot be rewritten from the outside). Also, by using the private ledger inside the server, a failed SSD can be replaced without breaking the blockchain.
 
(Third embodiment)
      
The physical address can be generated from some physical randomness extracted from a cell array in a semiconductor chip, which has physical substance. Such a chip is called an authentication chip.
FIG. 13 shows an example of a cell array composed of word lines and bit lines. An authentication element is placed where a word line and a bit line cross. In this example, the number of rows (word lines) is N and the number of columns (bit lines) is M. Rows and columns can, however, be interchanged at any time.
As an example, each authentication element has at least two terminals (a first terminal and a second terminal); one of the word line and the bit line is connected to the first terminal, and the other is connected to the second terminal. As another example, as in FIG. 14, the word line is connected to a first control gate and the bit line is connected to a second control gate. Alternatively, as in FIG. 15, the bit line is connected to the first control gate and the word line is connected to the second control gate. In either case, access between the first terminal and the authentication element can be controlled in this way. The second terminal is connected, as needed, to a source line, a substrate electrode, or ground.
As an example, the authentication element is a resistor (or a conductor). Alternatively, it is a capacitor. Alternatively, it is a PN junction. Alternatively, it is a Schottky junction. Alternatively, it is a transistor. Alternatively, it is a DRAM cell composed of a transistor and a capacitor. Alternatively, it is a variable resistance memory cell composed of a transistor and a variable resistor. Alternatively, it is a magnetoresistive memory cell (MRAM) composed of a transistor and a magnetoresistor. Alternatively, it is a spin-torque MRAM (STT-MRAM). Alternatively, it is a non-volatile memory cell with a charge storage layer. The charge storage layer may be either a charge trapping layer or a floating gate.
Alternatively, it is a non-volatile memory cell with a charge storage layer arranged in a NAND-type array from which the bit line terminals have been intentionally removed, as in FIG. 16. Alternatively, it is a transistor arranged in a NAND-type array from which the bit line terminals have been intentionally removed, as in FIG. 17. In these cases, a bit line terminal is connected to one end of each group of authentication elements connected in series in the bit line direction, and a source line terminal is connected to the other end. Even with the bit line terminals removed in this way, the authentication element at the crossing of a bit line and a word line can be read by the ordinary NAND read method. More specifically, a transfer voltage is applied to the word lines (non-selected word lines) of all the other authentication elements on the bit line (selected bit line) that contains the authentication element to be read (selected cell), so that everything other than the selected cell is switched on. A voltage lower than the transfer voltage (read gate voltage) is then applied to the word line of the selected cell (selected word line). At this time, a suitable voltage (read drain voltage) is applied between the bit line terminal and the source line terminal, and the current flowing between them is measured.
Now suppose that some of the authentication elements on the cell array have been broken for some reason and have become broken bits, or for some reason have become defective bits that do not show the specified characteristics. The distribution of such broken bits or defective bits within the cell array is considered to be unique to the semiconductor chip and physically random. Broken bits occur probabilistically when some stress is intentionally applied to the semiconductor chip, and are randomly distributed over the cell array. Defective bits occur probabilistically because of some uncontrollable variation at the semiconductor chip manufacturing stage, and are randomly distributed over the cell array. In either case, the generation mechanism is unrelated to any algorithm and is therefore physically random.
An example of the method is described concretely below.
First, a word line is selected using the word line decoder and a bit line is selected using the bit line decoder, and the authentication element selected by the selected word line and the selected bit line is taken as the selected cell.
Authentication elements fall broadly into two kinds. The first kind passes current easily under the read voltage when broken and passes little current when not broken. The main examples are capacitors, PN junctions and Schottky junctions. To determine whether an element is broken, check whether the absolute value of the current when the breakdown determination voltage is applied is higher than the breakdown determination current value or lower than the non-breakdown determination current value. Here the breakdown determination current value is higher than the non-breakdown determination current value.
The second kind passes little current under the read voltage when broken and passes current easily when not broken. The main example is a resistor (or a conductor). To determine whether an element is broken, check whether the absolute value of the current when the breakdown determination voltage is applied is higher than the non-breakdown determination current value or lower than the breakdown determination current value. Here the breakdown determination current value is lower than the non-breakdown determination current value.
When a plurality of cells are selected from the group of authentication elements on the cell array and read, a plurality of broken bits is generally found. Alternatively, defective bits that do not show the specified characteristics are found. The position information of a broken bit or defective bit on the cell array is an array consisting of a word line number and a bit line number. Arranging the position information of these broken bits or defective bits and expressing it as a code gives an authentication code that corresponds to the distribution of the broken bits or defective bits. As long as the occurrence of broken bits or defective bits is physically random, this authentication code is expected to be unique to the semiconductor chip and physically random. The authentication code is shaped into a suitable format and used as the physical address of the present application.
Let Q be the number of broken bits or defective bits, and let R be the number of selected cells, where Q is smaller than R. The number of possible authentication codes is then equal to the number of ways of choosing Q from R. That is, if R is sufficiently large and the probability of a broken bit or defective bit existing is not negligibly small, the number of possible authentication codes is very large.
When Q is 1 giga (one billion) and R is 1 kilo (1,000), the number of possible authentication codes is about 2.5 times 10 to the 6432nd power. This means that when the one trillion (10 to the 12th power) semiconductor chips required for trillion nodes are produced, the probability that the authentication codes of two semiconductor chips coincide by chance is 4E-6421. Even if 100 trillion semiconductor chips are supplied, the probability that the authentication codes of two semiconductor chips coincide by chance is 4E-6419. This is practically zero.
Q being 1 giga and R being 1 kilo corresponds to a defect rate of one in a million. That is, even assuming a defect rate low enough for the semiconductor chip to achieve Six Sigma (3.4 per million or less), the probability that the authentication codes of two semiconductor chips coincide by chance can be said to be almost zero.
Also, in terms of Six Sigma (3.4 per million or less), using 1 kilobit, which corresponds to one millionth or less of a 1-gigabit chip product, for another purpose causes no problem at all. Therefore 1 kilobit is allocated to the cell array for authentication elements, and some stress is applied to that cell array to intentionally break about half of it. The number of possible authentication codes is then about 2.7 times 10 to the 299th power. That is, even if 100 trillion semiconductor chips are supplied, the probability that the authentication codes of two semiconductor chips coincide by chance is 3.7E-286. That is, it is practically zero.
The stress can take many forms, such as electrical stress, optical stress, mechanical stress and electromagnetic field stress.
As an example of electrical stress, the authentication cells in the part of the cell array chosen for generating the authentication code are first selected simultaneously, and a high voltage pulse is applied to all the selected cells. Each cell is read, and if the number of non-broken bits is smaller than the number of broken bits, only the non-broken bits are selected and a second high voltage pulse is applied. This is repeated until the number of non-broken bits is about the same as the number of broken bits.
As an example of optical stress, the cell array for authentication elements is irradiated with a fixed amount of X-rays, ultraviolet light or the like before assembly. The dose is adjusted so that the numbers of non-broken bits and broken bits are about the same. However, when the area of the cell array for authentication elements is very small, the stress is applied to the other elements as well. This method is relatively effective when the whole chip is used as the cell array for authentication elements.
An example of mechanical stress is bending the authentication chip or striking it. However, since the stress is applied equally outside the cell array for authentication elements, this method is effective only when the whole chip is used as the cell array for authentication elements.
An example of electromagnetic field stress is exposing the authentication chip to a strong electromagnetic field. However, since the stress is applied equally outside the cell array for authentication elements, this method is effective only when the whole chip is used as the cell array for authentication elements.
In any case, as long as the breaking of authentication elements occurs probabilistically, the authentication code is generated with physical randomness. And as long as the probability that the authentication codes of two semiconductor chips coincide by chance is practically zero, the authentication code serves well as a physical address unique to the semiconductor chip.
         
As described above, the physical address of this embodiment can be generated from the distribution of broken bits in the cell array. Alternatively, the physical address of this embodiment can be generated from the distribution of defective bits in the cell array. Alternatively, the physical address of this embodiment can be generated from the distribution of broken bits and defective bits in the cell array.
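The readout described in this embodiment, as an added simulation that is not code from the patent: a 1-kilobit array is stressed until about half of the cells are broken, each cell current is classified against the two determination currents, and the broken-bit positions form the authentication code. The current levels, the per-pulse breakdown probability, the handling of indeterminate reads and the SHA-256 formatting of the physical address are assumptions.

```python
import hashlib
import random

def classify(current, i_break, i_nonbreak):
    """Return 'broken', 'intact' or 'indeterminate' for one cell read."""
    a = abs(current)
    if i_break > i_nonbreak:      # first kind: a broken element conducts
        if a > i_break:
            return "broken"
        if a < i_nonbreak:
            return "intact"
    else:                         # second kind: a broken element blocks current
        if a < i_break:
            return "broken"
        if a > i_nonbreak:
            return "intact"
    return "indeterminate"        # between the two determination currents

def stress_to_half(rows, cols, rng, p_break=0.05):
    """Pulse the still-intact cells until at least half the array is broken."""
    broken = [[False] * cols for _ in range(rows)]
    pulses = 0
    while sum(map(sum, broken)) < rows * cols // 2:
        pulses += 1
        for w in range(rows):
            for b in range(cols):
                if not broken[w][b] and rng.random() < p_break:
                    broken[w][b] = True
    return broken, pulses

def read_currents(broken, rng, on=1e-6, off=1e-10, noise=0.2):
    """Simulated first-kind cells (amperes) with +/-20 % read noise."""
    return [[(on if cell else off) * (1 + noise * rng.uniform(-1, 1))
             for cell in row] for row in broken]

def authentication_code(currents, i_break, i_nonbreak):
    """List (word line, bit line) of broken cells; also report unclear reads."""
    code, unclear = [], []
    for w, row in enumerate(currents):
        for b, cur in enumerate(row):
            state = classify(cur, i_break, i_nonbreak)
            if state == "broken":
                code.append((w, b))
            elif state == "indeterminate":
                unclear.append((w, b))   # assumption: left out of the code
    return code, unclear

def physical_address(code):
    """Assumed format: SHA-256 over the packed position list."""
    packed = b"".join(w.to_bytes(2, "big") + b.to_bytes(2, "big")
                      for w, b in code)
    return hashlib.sha256(packed).hexdigest()

if __name__ == "__main__":
    broken, pulses = stress_to_half(32, 32, random.Random(1))  # 1 kilobit
    for read_seed in (10, 11):                                 # two noisy reads
        code, unclear = authentication_code(
            read_currents(broken, random.Random(read_seed)), 1e-7, 1e-9)
        print(pulses, len(code), len(unclear), physical_address(code))
```

The gap between the two determination currents is what keeps repeated reads of the same chip on the same code; a cell that lands in the gap needs an explicit policy, since dropping it silently would change the address.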
 
(Fourth embodiment)
      
一部のメモリチップ製品では、メモリセルの中に予め一定の割合以下で不良ビットが発生することを考慮に入れ、不良ビットが発生したビット線をビット線ごと入れ替えるための冗長ビット線を備えている。このような不良の発生原因は多種多様であり、半導体チップ(この例ではメモリチップ)の製造段階における製造ばらつきや部材の物理的な形成過程において自然発生するばらつきに依存する。一般に、これらのばらつきは制御不能である。冗長ビット線は通常メモリチップ製品のビット容量には含まれない。一例として図18参照。 Some memory chip products are provided with a redundant bit line for replacing the bit line in which the defective bit is generated in consideration of the fact that the defective bit is generated in the memory cell at a predetermined ratio or less in advance. Yes. The causes of such defects are various and depend on manufacturing variations in the manufacturing stage of the semiconductor chip (memory chip in this example) and naturally occurring variations in the physical formation process of the members. In general, these variations are uncontrollable. Redundant bit lines are usually not included in the bit capacity of memory chip products. See FIG. 18 as an example.
In FIG. 18, the bit lines arranged in the row direction are divided into two groups. One is a redundant bit line group consisting of a plurality of redundant bit lines, and the other is a normal bit line group consisting of normal bit lines. Let N be the number of rows in the normal bit line group and L the number of rows in the redundant bit line group. N and L are non-negative integers, and N is larger than L. The bit capacity of the memory chip product corresponds to the number of cells included in the normal bit line group.
If pre-shipment inspection finds that a defective bit satisfying certain conditions has occurred in the normal bit line group, the normal bit line containing that defective bit is reassigned to one redundant bit line in the redundant bit line group. Such a replacement (replacement A, replacement B, ... in the figure) is performed for each normal bit line containing a defective bit, so that the defective bits are effectively removed.
More specifically, the bit line number of each bit line found defective in pre-shipment inspection, and the bit line number of the redundant bit line that replaces it, are recorded in a peripheral memory (for example, a fuse memory) embedded in the peripheral area. This peripheral memory is referenced when memory cells are accessed. In the present embodiment, the information recorded in this peripheral memory, expressed as a code and shaped into a predetermined format, serves as the physical address.
DRAM is one example of a memory chip product that satisfies these conditions. Flash memory, phase change memory, resistance change memory, magnetoresistive memory (MRAM), spin-torque MRAM, and the like are also possible.
Let m be the number of defective bits found in pre-shipment inspection. The number of cases is then the number of combinations of m chosen from N, that is, C(N, m). Taking into account which redundant bit line each one is remapped to, this must be further multiplied by the number of permutations of m chosen from L, giving C(N, m)P(L, m). In other words, even as an underestimate, the number of cases is on the order of C(N, m).
In a typical 4-gigabit DRAM product, for example, there are about 153,000 redundant bit lines for a total of 6,550,000 bit lines. In other words, a mass-produced DRAM can tolerate up to about 153,000 rows in which defective bits have, for whatever reason, occurred on bit lines of the normal bit line group. The number of possible reassignments to redundant bit lines is then equal to the number of combinations of 153,000 chosen from 6,550,000. This works out to about 10 to the power of 315,289 (1E315,289). That is, even if 100 trillion DRAM chips were supplied, the probability that the authentication codes of two DRAM chips coincide by chance is 1E-315,275. In practical terms this is almost zero.
In the present embodiment, the bit lines and word lines can also be interchanged. In that case, there are about 3,044 redundant word lines for a total of 4.4 million word lines. Assuming that all redundant word lines are used for replacement, the number of cases is approximately 2.9E10,938. This is much smaller than in the former case, but it is still an enormously large number. That is, even if 100 trillion DRAM chips were supplied, the probability that the authentication codes of two authentication chips coincide by chance is 1E-10,924. In practical terms this is almost zero.
In this way, an authentication code with very large information entropy can be generated. The point to note is that in this embodiment not a single extra bit is allocated to generate the authentication code. The redundant bit lines (or redundant word lines) are already present in the memory chip product, and so is the peripheral memory that records the replacement information. Moreover, the probability that the authentication codes of two semiconductor chips coincide by chance is small enough to be practically zero. This authentication code is fully adequate as the physical address of the present application.
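The combination counts quoted above are far too large to evaluate directly, so the following added example (not part of the patent text) reproduces them in log10 form with the log-gamma function. The function names are this example's own. It also computes the birthday bound over all pairs of chips alongside the chips/space figure the text uses. Both assume, as the text's calculation implicitly does, that every remapping pattern is equally likely.

```python
import math

LN10 = math.log(10)

def log10_comb(n: int, m: int) -> float:
    """log10 of C(n, m), computed with log-gamma to avoid huge integers."""
    return (math.lgamma(n + 1) - math.lgamma(m + 1) - math.lgamma(n - m + 1)) / LN10

def log10_perm(l: int, m: int) -> float:
    """log10 of P(l, m) = l! / (l - m)!."""
    return (math.lgamma(l + 1) - math.lgamma(l - m + 1)) / LN10

def sci(log10_value: float) -> str:
    """Render 10**log10_value as mantissa and exponent, e.g. '3.2E2'."""
    exp = math.floor(log10_value)
    return f"{10 ** (log10_value - exp):.1f}E{exp:,}"

def log10_text_estimate(log10_space: float, chips: int) -> float:
    """log10 of chips / space, the ratio behind the figures in the text."""
    return math.log10(chips) - log10_space

def log10_birthday_bound(log10_space: float, chips: int) -> float:
    """log10 of chips*(chips-1)/2 / space: upper bound on the probability
    that any two of the chips share a code (uniform patterns assumed)."""
    return math.log10(chips) + math.log10(chips - 1) - math.log10(2) - log10_space

# Figures from the text: bit-line case and word-line case, 100 trillion chips.
BIT_LINES, REDUNDANT_BIT_LINES = 6_550_000, 153_000
WORD_LINES, REDUNDANT_WORD_LINES = 4_400_000, 3_044
CHIPS = 10 ** 14

if __name__ == "__main__":
    for name, n, m in [("bit lines", BIT_LINES, REDUNDANT_BIT_LINES),
                       ("word lines", WORD_LINES, REDUNDANT_WORD_LINES)]:
        space = log10_comb(n, m)
        print(name, "C(N,m) ~", sci(space))
        print("  with remap order, C(N,m)P(L,m) ~", sci(space + log10_perm(m, m)))
        print("  chips/space ~", sci(log10_text_estimate(space, CHIPS)))
        print("  birthday bound ~", sci(log10_birthday_bound(space, CHIPS)))
```

The birthday bound is about 14 orders of magnitude larger than the chips/space figure, which does not change the conclusion at these exponents.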
The physical address in the present application is code information assigned to hardware. Alternatively, it is code information assigned to some of the components that make up the hardware, or it is chip authentication assigned to a semiconductor chip that makes up the hardware. The chip authentication is generated based on physical randomness unique to the semiconductor chip. The semiconductor chip is composed of a plurality of elements, the plurality of elements are destroyed probabilistically by applying a predetermined stress, and the set (distribution) of position information of the destroyed elements constitutes the physical randomness unique to the semiconductor chip. Alternatively, the plurality of elements constituting the semiconductor chip probabilistically become defective bits due to uncontrollable variations in the manufacturing process, and the set (distribution) of position information of the defective bits constitutes the physical randomness unique to the semiconductor chip. The predetermined stress is an electrical stress, a mechanical stress, an electromagnetic field stress, an optical stress, or the like.
By constructing the network hardware security system of the present application, it becomes possible to use a private ledger to replace a failed physical node without destroying the blockchain. In the first embodiment, the blockchain used is one recorded by arbitrary miners from an external logical network. In other words, it is consistent with conventional blockchains, and an external network can be used to carry out data center maintenance efficiently and safely. In the second embodiment, on the other hand, the server that stores the private ledger records the logical blocks and forms its own blockchain.
According to the present application, it is possible to construct a network hardware security system that makes past processing histories impossible to tamper with, realizes physical addresses that cannot be rewritten from outside, and still allows failed hardware to be replaced.
         
Hashing is used frequently in this application. A hash function may be used for hashing. Many hash functions exist, such as MD2, MD4, MD5, RIPE-MD160, SHA-256, SHA-384, and SHA-512; as one example, Bitcoin uses SHA-256.
The technical scope of the present invention is not limited to the above embodiments, and various modifications can be made without departing from the spirit of the present invention.
It becomes possible to provide a safe and highly convenient base technology for IoT business at lower cost.
Claims (13)
A network comprising a plurality of clients and at least one server, wherein:
the server has an input/output interface for exchanging data with each client;
each of the plurality of clients has a unique physical address and sends the physical address to the server through the input/output interface;
the server further includes a key generation device and a synthesis device;
the key generation device and the synthesis device generate, from the physical address, a secret key and a public key corresponding to each client; and
the secret key and the public key are each passed to the corresponding client.

The network according to claim 1, wherein:
the server generates, for each of the plurality of clients, an authentication variable consisting of a combination of the physical address, the secret key, and the public key; and
the server collects the authentication variables corresponding to the plurality of clients and records them in a private ledger.

The network according to claim 1, wherein the private ledger is stored in the server and is not disclosed outside the server.

The network according to claim 1, wherein:
the plurality of clients include a first client, a second client, and a third client that differ from one another;
the key generation device generates a first public key from a first secret key corresponding to the first client;
the synthesis device generates a second secret key corresponding to the second client from the first public key and a second physical address corresponding to the second client;
the key generation device generates a second public key corresponding to the second client from the second secret key;
the synthesis device generates a third secret key corresponding to the third client from the second public key and a third physical address corresponding to the third client;
the key generation device generates a third public key from the third secret key;
the first public key and the first secret key form a pair;
the second public key and the second secret key form a pair; and
the third public key and the third secret key form a pair.

The network according to claim 4, wherein the synthesis device divides a value, obtained by synthesizing the first public key and the second physical address by a predetermined synthesis method, by a value obtained by subtracting 1 from a predetermined prime number, and the value obtained by that division is the second secret key.

The network according to claim 4, wherein:
a first logical node is formed from the first public key, a first hash value, and a first electronic signature;
a second logical node is formed from the second public key, a second hash value, and a second electronic signature;
a third logical node is formed from the third public key, a third hash value, and a third electronic signature;
the second hash value is generated by hashing the first logical node;
the third hash value is generated by hashing the second logical node;
the second electronic signature is generated by encrypting the second hash value and the second public key with the first secret key; and
the third electronic signature is generated by encrypting the third hash value and the third public key with the second secret key.

The network according to claim 6, wherein:
the second client is replaced by a fourth client having a fourth physical address;
the fourth physical address is sent to the server through the input/output interface;
in the private ledger, the authentication variable corresponding to the second client is replaced with a combination including the fourth physical address, the second secret key, and the second public key; and
the fourth client is given the second secret key and the second public key by the server, and is given the second hash value and the second electronic signature by the first client.

The network according to claim 6, wherein:
the first logical node, the second logical node, and the third logical node form part or all of a logical block;
the first logical node corresponds to the first client;
the second logical node corresponds to the second client;
the third logical node corresponds to the third client;
transferring data from the first client to the second client updates the second hash value and changes the logical block; and
the server approves the logical block at predetermined time intervals, attaches a time stamp for that point in time, and records at least part of the history of changes to the logical block.

The network according to claim 8, wherein a first logical block to which a first time stamp was attached at a certain point in time, a second logical block to which a second time stamp was attached at an earlier point in time, and a third logical block to which a third time stamp was attached at a still earlier point in time are connected to form part or all of a blockchain.

The network according to claim 9, wherein:
the first time stamp is at least part of a public ledger record that collectively approves the first logical block, a first block hash, and a first nonce value;
the second time stamp is at least part of a public ledger record that collectively approves the second logical block, a second block hash, and a second nonce value;
the third time stamp is at least part of a public ledger record that collectively approves the third logical block, a third block hash, and a third nonce value;
the first block hash is generated by hashing the second logical block, the second block hash, and the second nonce value together; and
the second block hash is generated by hashing the third logical block, the third block hash, and the third nonce value together.

The network according to claim 10, wherein:
each of the first block hash, the second block hash, and the third block hash consists of a sequence of a plurality of bits with a predetermined number of digits;
each of the plurality of bits takes either a first value or a second value;
the second nonce value is adjusted so that the bits in the first Q digits of the first block hash take the first value;
the third nonce value is adjusted so that the bits in the first Q digits of the second block hash take the first value; and
Q is a natural number smaller than 16.

The network according to claim 1, wherein:
each of the plurality of clients includes a plurality of pieces of hardware;
each of the plurality of pieces of hardware includes at least one semiconductor chip;
the semiconductor chip includes at least a cell array;
the cell array is composed of a plurality of authentication elements;
some of the plurality of authentication elements become defective bits due to uncontrollable variations in the manufacturing stage of the semiconductor chip, or some of the plurality of authentication elements become destroyed bits due to stress intentionally applied to the semiconductor chip; and
the physical address is generated according to the distribution of the defective bits or the destroyed bits within the cell array.

The network according to claim 12, wherein the stress is electrical stress, optical stress, mechanical stress, or electromagnetic field stress.
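The key chain of claim 4, the logical-node chain of claim 6, and the hardware replacement of claim 7 can be traced in a short added example (not code from the patent). Its assumptions: a toy discrete-log group, SHA-256 as the synthesis method with reduction modulo the prime minus 1 as one reading of claim 5, a Schnorr-style signature swapped in for the "encryption with the secret key" wording of claim 6, and a genesis hash with a self-signature for the first node. All names and sample addresses are constructed.

```python
import hashlib

# Toy discrete-log group (assumption): p = 2**127 - 1 is prime, base g = 3.
# Far too small for real use; it only keeps the arithmetic visible.
P, G = 2**127 - 1, 3

def to_bytes(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")

def digest(*parts: bytes) -> bytes:
    """SHA-256 over length-prefixed parts (unambiguous concatenation)."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return h.digest()

def h_int(*parts: bytes) -> int:
    return int.from_bytes(digest(*parts), "big")

def keygen(sk: int) -> int:
    """Key generation device: public key from secret key (pk = g^sk mod p)."""
    return pow(G, sk, P)

def synthesize(prev_pk: int, phys_addr: bytes) -> int:
    """Synthesis device: next secret key from the previous public key and a
    physical address, reduced mod p-1 (this example's reading of claim 5)."""
    return h_int(to_bytes(prev_pk), phys_addr) % (P - 1)

def sign(sk: int, msg: bytes):
    """Schnorr-style signature with a deterministic nonce (toy)."""
    k = h_int(b"nonce", to_bytes(sk), msg) % (P - 1) or 1
    r = pow(G, k, P)
    e = h_int(to_bytes(r), msg) % (P - 1)
    return r, (k + e * sk) % (P - 1)

def verify(pk: int, msg: bytes, sig) -> bool:
    r, s = sig
    e = h_int(to_bytes(r), msg) % (P - 1)
    return pow(G, s, P) == r * pow(pk, e, P) % P

def node_hash(node) -> bytes:
    pk, prev_hash, (r, s) = node
    return digest(to_bytes(pk), prev_hash, to_bytes(r), to_bytes(s))

def build_network(sk1: int, addrs):
    """Return (private ledger, logical nodes) for clients with these addresses."""
    sks, pks = [sk1], [keygen(sk1)]
    for addr in addrs[1:]:
        sks.append(synthesize(pks[-1], addr))
        pks.append(keygen(sks[-1]))
    ledger = [{"addr": a, "sk": s, "pk": p} for a, s, p in zip(addrs, sks, pks)]
    # The claims do not define the first node's hash and signature; a fixed
    # genesis hash and a self-signature are assumptions of this example.
    h = digest(b"genesis")
    nodes = [(pks[0], h, sign(sks[0], h + to_bytes(pks[0])))]
    for i in range(1, len(pks)):
        h = node_hash(nodes[-1])  # hash of the previous logical node
        nodes.append((pks[i], h, sign(sks[i - 1], h + to_bytes(pks[i]))))
    return ledger, nodes

def verify_chain(nodes) -> bool:
    pk0, h0, sig0 = nodes[0]
    ok = verify(pk0, h0 + to_bytes(pk0), sig0)
    for prev, (pk, h, sig) in zip(nodes, nodes[1:]):
        ok = ok and h == node_hash(prev) and verify(prev[0], h + to_bytes(pk), sig)
    return ok

def replace_client(ledger, index: int, new_addr: bytes):
    """Claim 7: new hardware inherits the keys; only the ledger address changes."""
    ledger[index] = {**ledger[index], "addr": new_addr}

# Constructed sample values, not taken from the patent.
ADDRS = [b"PHYS-ADDR-1", b"PHYS-ADDR-2", b"PHYS-ADDR-3"]
LEDGER, NODES = build_network(h_int(b"constructed seed") % (P - 1), ADDRS)

if __name__ == "__main__":
    print("chain verifies:", verify_chain(NODES))
    replace_client(LEDGER, 1, b"PHYS-ADDR-4")
    print("after replacement:", verify_chain(NODES))
    rederived = synthesize(LEDGER[0]["pk"], LEDGER[1]["addr"])
    print("sk2 re-derivable from new address:", rederived == LEDGER[1]["sk"])
```

After the replacement the chain still verifies because the keys are unchanged, but the second secret key can no longer be re-derived from the first public key and the new physical address, so the private ledger entry is the only record binding the replacement hardware to its keys.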
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title | 
|---|---|---|---|
| JP2019507724A JPWO2018174112A1 (en) | 2017-03-21 | 2018-03-21 | Device authentication technology on the network | 
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title | 
|---|---|---|---|
| JP2017054728 | 2017-03-21 | ||
| JP2017-054728 | 2017-03-21 | 
Publications (2)
| Publication Number | Publication Date | 
|---|---|
| WO2018174112A1 true WO2018174112A1 (en) | 2018-09-27 | 
| WO2018174112A4 WO2018174112A4 (en) | 2018-11-29 | 
Family
ID=63584558
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date | 
|---|---|---|---|
| PCT/JP2018/011231 Ceased WO2018174112A1 (en) | 2017-03-21 | 2018-03-21 | Technology for authenticating device on network | 
Country Status (2)
| Country | Link | 
|---|---|
| JP (1) | JPWO2018174112A1 (en) | 
| WO (1) | WO2018174112A1 (en) | 
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title | 
|---|---|---|---|---|
| JP2002537646A (en) * | 1999-02-17 | 2002-11-05 | アイシーアイディー リミテッド ライアビリティー カンパニー | System for providing a unique identifier for an integrated circuit | 
| WO2005064844A1 (en) * | 2003-12-26 | 2005-07-14 | Matsushita Electric Industrial Co.,Ltd. | Prime calculation device, method, and key issuing system | 
| WO2016164310A1 (en) * | 2015-04-05 | 2016-10-13 | Digital Asset Holdings | Digital asset intermediary electronic settlement platform | 
- 2018-03-21 WO PCT/JP2018/011231 patent/WO2018174112A1/en not_active Ceased
- 2018-03-21 JP JP2019507724A patent/JPWO2018174112A1/en active Pending
Non-Patent Citations (2)
| Title | 
|---|
| FUCHITA, YASUYUKI ET AL.: "Innovation and improvement of financial blockchain and financial transaction", NOMURA CAPITAL MARKETS QUARTERLY, vol. 19, no. 2, 1 November 2015 (2015-11-01), pages 11 - 35, XP009507516 * | 
| SHIBATA, YOICHI ET AL.: "Mechanism- based PKI", COMPUTER SECURITY SYMPOSIUM 2013, vol. 2003, no. 15, 29 October 2003 (2003-10-29), pages 181 - 186, XP002987575 * | 
Cited By (13)
| Publication number | Priority date | Publication date | Assignee | Title | 
|---|---|---|---|---|
| JP2020512716A (en) * | 2018-12-19 | 2020-04-23 | アリババ・グループ・ホールディング・リミテッドAlibaba Group Holding Limited | Data separation within blockchain networks | 
| US11074358B2 (en) | 2018-12-19 | 2021-07-27 | Advanced New Technologies Co., Ltd. | Data isolation in a blockchain network | 
| US11106817B2 (en) | 2018-12-19 | 2021-08-31 | Advanced New Technologies Co., Ltd. | Data isolation in a blockchain network | 
| JP7344543B2 (en) | 2019-07-12 | 2023-09-14 | シスナ株式会社 | Valuables management system | 
| WO2021010030A1 (en) * | 2019-07-12 | 2021-01-21 | シスナ株式会社 | System for managing assets | 
| JP2021016095A (en) * | 2019-07-12 | 2021-02-12 | シスナ株式会社 | System for managing assets | 
| JP2021016143A (en) * | 2019-08-26 | 2021-02-12 | シスナ株式会社 | System for managing assets | 
| US11665159B2 (en) | 2020-04-22 | 2023-05-30 | Kyndryl, Inc. | Secure resource access by amalgamated identities and distributed ledger | 
| US12225006B2 (en) | 2020-04-22 | 2025-02-11 | Kyndryl, Inc. | Secure resource access by amalgamated identities and distributed ledger | 
| JP2021190980A (en) * | 2020-05-26 | 2021-12-13 | 浩志 渡辺 | Electronic device network and electronic device | 
| WO2021241590A1 (en) * | 2020-05-26 | 2021-12-02 | 渡辺浩志 | Electronic device network and electronic device | 
| US12328301B2 (en) | 2020-05-26 | 2025-06-10 | Yukiko Watanabe | Electronic apparatus and network of electronic apparatus | 
| JP7692555B2 (en) | 2020-05-26 | 2025-06-16 | 浩志 渡辺 | Network of electronic devices and electronic devices | 
Also Published As
| Publication number | Publication date | 
|---|---|
| JPWO2018174112A1 (en) | 2020-05-14 | 
| WO2018174112A4 (en) | 2018-11-29 | 
Legal Events
| Date | Code | Title | Description | 
|---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 18771672; Country of ref document: EP; Kind code of ref document: A1 |
| | NENP | Non-entry into the national phase | Ref country code: DE |
| | ENP | Entry into the national phase | Ref document number: 2019507724; Country of ref document: JP; Kind code of ref document: A |
| | 122 | Ep: pct application non-entry in european phase | Ref document number: 18771672; Country of ref document: EP; Kind code of ref document: A1 |