[go: up one dir, main page]

WO2025209994A1 - Controllable physically unclonable function - Google Patents

Controllable physically unclonable function

Info

Publication number
WO2025209994A1
WO2025209994A1 PCT/EP2025/058757 EP2025058757W WO2025209994A1 WO 2025209994 A1 WO2025209994 A1 WO 2025209994A1 EP 2025058757 W EP2025058757 W EP 2025058757W WO 2025209994 A1 WO2025209994 A1 WO 2025209994A1
Authority
WO
WIPO (PCT)
Prior art keywords
challenge
response
key
function
physically unclonable
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
PCT/EP2025/058757
Other languages
French (fr)
Inventor
Marc Xander MAKKES
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Fortaegis Technologies Holding BV
Original Assignee
Fortaegis Technologies Holding BV
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Fortaegis Technologies Holding BV filed Critical Fortaegis Technologies Holding BV
Publication of WO2025209994A1 publication Critical patent/WO2025209994A1/en
Pending legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
    • G06F21/73Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information by creating or determining hardware identification, e.g. serial numbers
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823Network architectures or network communication protocols for network security for authentication of entities using certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0866Generation of secret information including derivation or calculation of cryptographic keys or passwords involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3271Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
    • H04L9/3278Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response using physically unclonable functions [PUF]

Definitions

  • Fig. 1 is a block diagram of an implementation of the system.
  • Fig. 2 is a flow chart of a first implementation of the method
  • Fig. 4 is a flow chart of a third implementation of the method.
  • Fig. 6 illustrates a first part of the method of Fig. 5;
  • Figs. 9 and 10 illustrate a second part of a fifth implementation of the method
  • Figs. 11 and 12 illustrate a second part of a sixth implementation of the method.
  • Figs. 13-15 illustrate a second part of a seventh implementation of the method
  • the one or more processors 5 are configured to receive, via the at least one input interface 3, from a further system 21, a request to establish a secure channel which comprises a challenge, provide the challenge to the physically unclonable function 6 to cause the physically unclonable function 6 to determine a response based on the challenge, generate a shared secret based on the response, provide the secure channel by encrypting communication to be transmitted via the at least one output interface 4 to the further system 21 with the shared secret and/or decrypting communication received via the at least one input interface 3 from the further system 21 with the shared secret.
  • a step 101 comprises receiving, from a further system, a request to establish a secure channel.
  • the request comprises a challenge.
  • a step 103 comprises providing the challenge to a physically unclonable function to cause the physically unclonable function (PUF) to determine a response based on the challenge received in step 101.
  • a step 105 comprises generating a shared secret based on the response determined in step 103.
  • a step 107 comprises providing the secure channel by encrypting communication to be transmitted to the further system with the shared secret and/or decrypting communication received from the further system with the shared secret.
  • the further system has the same challengeresponse pair and is therefore able to generate the same shared secret.
  • a step 161 comprises receiving, from a further system, a request to establish a secure channel.
  • the request comprises a challenge and helper data.
  • Step 103 comprises providing the challenge to a physically unclonable function to cause the physically unclonable function (PUF) to determine a response based on the challenge received in step 161.
  • a step 163 comprises producing a key based on the response determined in step 103 and the helper data received in step 161.
  • Step 109 comprises receiving from the further system, over the secure channel, a further request to use a service provided by the system.
  • a step 164 comprises checking the type of the further request received in step 109. If the requested service involves the generation of a new cryptographic key, then a step 165 is performed after step 164.
  • Step 165 comprises obtaining a further challenge without obtaining helper data, as no helper data has been associated with the further challenge yet.
  • Step 165 may comprise generating the further challenge with a random number generator, for example.
  • Step 173 comprises producing a further key based on the further response determined in step 113 and the further helper data obtained in step 171.
  • Step 143 comprises determining a further input for a further hash function based on the further key produced in step 173 and at least one of the challenge received in step 101, the response determined in step 103, the key produced in step 163, and the shared secret generated in step 135.
  • Step 145 comprises (re)generating the cryptographic key by applying the further hash function to the further input determined in step 143. Step 109 is repeated or step 117 is performed after step 145 has been performed.
  • Fig. 6 illustrates a first part of the method of Fig. 5, i.e. the process of setting up a secure channel. This process is also described in the paper “Flowchart description of security primitives for controlled physical unclonable functions” in relation to figure 3 of this paper.
  • the system comprises CPUF chip 11.
  • the CPUF chip 11 comprises a PUF 33, a reproduce (“Rep”) function 34 of a regeneration function, a first cryptographic hash function 35, and a secure channel (SC) handler 36.
  • the functions 34 and 35 and the handler 36 may be performed by one or more processors.
  • the helper data w2 (203) suffices to reproducibly reconstruct a string from noisy measurements, yet leaks only a negligible amount of information about the extracted key.
  • the counterpart of the generate function is the reproduce function, which was discussed in relation to Fig. 6 and which reconstructs the original output from the noisy output data of the PUF.
  • the second cryptograph hash function 45 directly outputs a secret key sk
  • Fig. 8 shows the regeneration of a previously generated cryptographic key.
  • the first part of the method is performed as described in relation to Fig. 6.
  • the further challenge c2 is obtained (e.g. from the further system or external storage means) and provided to the PUF 33.
  • the reproduce function 34 reconstructs the secret s from the output r2 of the PUF 33 and the helper data w2 (which may be obtained from the further system or external storage means, for example).
  • the reconstructed secret s is then hashed with the second cryptographic hash function 45.
  • the CPUF chip 11 further comprises a symmetric encryption function 53 and on-chip secure storage 54.
  • Fig. 11 further shows that the secret key sk output by the second cryptographic hash function 45, as described in relation to Fig. 7, is provided to the symmetric encryption function 53.
  • the symmetric encryption function 53 then encrypts data d, obtained from secure storage 54, with the (symmetric) secret key sk.
  • the encrypted data enc s k(d) is stored on the external storage means 23 along with the challenge c2 and the helper data w2.
  • the encryption is tied to (part of) the CRP that was used to establish the secure channel.
  • Fig. 12 shows that in addition to the components shown in Fig. 8, the CPUF chip 11 further comprises a symmetric decryption function 63 and a CPU 64.
  • Fig. 12 also shows that the further challenge c2 that is provided to the PUF 33 in Fig. 8 and the helper data w2 that is provided to the reproduce function 34 in Fig. 8 are obtained from the external storage means 23.
  • Fig. 12 further shows that the (symmetric) secret key sk output by the second cryptographic hash function 45, as described in relation to Fig. 8, is provided to the symmetric decryption function 63.
  • the encrypted data enc S k(d) is obtained from the external storage means 23 and the (symmetric) secret key sk is then used by the symmetric decryption function 63 to decrypt the encrypted data enc s k(d) and store the data on on-chip secure storage 54.
  • the data d can be used by the CPU 64.
  • the data d in the secure storage 54 may be modified by the CPU 64 and the modified data d may be encrypted again in the manner described in relation to Fig. 11.
  • the decryption is tied to (part of) the CRP that was used to establish the secure channel. If the decryption is performed over a different secure channel than the encryption, then the encrypted data enc s k(d) will not be decrypted. Since the challenge c2 and the helper data w2 are stored on the external storage means 23, there is no need for the user or external program to keep a local copy of these values.
  • Figs. 13-15 illustrate a second part of a seventh implementation of the method in which a user or external program requests the system to generate a public key, and optionally a certificate which comprises the pubic key, or to sign data with the private key corresponding to this public key.
  • the user of external program may request the system to verify a signature with a regenerated public key.
  • the seventh implementation is an extension of the fourth implementation.
  • the cryptographic key comprises a private key
  • the generation of the new secret (private) key which has been illustrated in Fig. 7, precedes the generation of the public key which corresponds to the private key
  • the regeneration/restoration of the secret (private) key which has been illustrated in Fig. 8, precedes the signing of the data with this private key and the optional verification of the signature with the regenerated public key which corresponds to the private key.
  • Fig. 13 shows that in addition to the components shown in Fig. 7, the CPUF chip 11 further comprises a private key generation function 73, a public key generation function 74, and a certificate generation function 75.
  • Fig. 13 further shows that a secret key sk, in this case a private key, is generated based on the output of the second cryptographic hash function 45, as described in relation to Fig. 7.
  • the output of the second cryptographic hash function 45 h(s) is provided to the private key generation function 73.
  • the output of the of the second cryptographic hash function 45 is used as a seed to generate the private key sk.
  • a corresponding public key pk is derived by public key generation function 74.
  • the public key pk may be transmitted to the further system from which the request is received.
  • a certificate 79 may be generated by certification generation function 75.
  • this certificate 79 may include further challenge c2 and helper data w2. By including these values in the certificate, the user or external program does not have to store them separately.
  • the certificate 79 may be transmitted to the further system from which the request is received.
  • the generation of the private key sk and the corresponding public key pk is tied to (part of) the CRP that was used to establish the secure channel.
  • the user/program may supply the PUF 33 and reproduce function 34 with the further challenge c2 and the helper data w2, e.g. from certificate 79.
  • the CPUF chip 11 may retrieve the certificate 79 from storage (where the storage may even be encrypted using the afore-mentioned encryption/decryption function). If the further challenge c2 and the helper data w2 from certificate 79 are used, it needs to be verified that the signature of the certificate authority (CA) is correct.
  • CA certificate authority
  • Fig. 14 shows that a secret key sk, in this case a private key, is generated based on the output of the second cryptographic hash function 45, as described in relation to Fig. 8.
  • the output of the second cryptographic hash function 45 h(s) is provided to the private key generation function 73, which generates a private key sk.
  • the private key sk is used by the signing function 85 to generate a signature over a hash of data m of a message 83.
  • the hash has been obtained by applying the third cryptographic hash function 84 to the data m.
  • the resulting signature 86 i.e. sign s k(h(m), may be used inside the CPUF chip 11 or may be sent outside of the CPUF chip 11.
  • Fig. 15 shows that in addition to the components shown in Fig. 8, the CPUF chip 11 further comprises a private key generation function 73, a public key generation function 74, a third cryptographic hash function 84, and a signature verification function 91.
  • a user or external program In order to verify a signature, a user or external program first has to setup a secure channel, which is managed by the SC-handler 36. Once the secure channel is established, the user/program can invoke the verification function/service.
  • the user/program may supply the PUF 33 and reproduce function 34 with the further challenge c2 and the helper data w2, e.g. from certificate 79.
  • the CPUF chip 11 may retrieve the certificate 79 from storage (where the storage may even be encrypted using the afore-mentioned encryption/decryption function). If the further challenge c2 and the helper data w2 from certificate 79 are used, it needs to be verified that the signature of the certificate authority (CA) is correct.
  • CA certificate authority
  • Fig. 15 shows that a secret key sk, in this case a private key, is generated based on the output of the second cryptographic hash function 45, as described in relation to Fig. 8.
  • the output of the second cryptographic hash function 45 h(s) is provided to the private key generation function 73, which generates a private key sk. From the private key sk, a corresponding public key pk is derived by public key generation function 74.
  • a hash of data m of message 83 is obtained by applying the third cryptographic hash function 84 to data m.
  • the public key pk, the hash h(m), and the signature 86 are input into the signature verification function 91.
  • the signature verification function 91 outputs a true or false, depending on whether the signature 86 is correct or not, i.e. depending on whether the signature has been created from the data m with the private key sk or not.
  • the signature 86 and the data 83 may be stored in the CPUF system, e.g. in the CPUF chip 11, or may be stored outside the CPUF system, e.g. received from the further system of the user or external program.
  • the result of the verification is sent to the further system of the user or external program.
  • the signature 86 can also be verified without the CPUF chip 11, because the public key pk is public, by letting the CPUF chip 11 verify the signature 86, it can be verified that it was indeed the CPUF chip 11 that generated the private key with which the signature was signed. If the verification function/service is invoked over a secure channel that was setup using a different CRP than the secure channel over which the public key/signature creation function/service was invoked, the verification result will be negative (false).
  • the CPUF chip 11 described above may also be used for other applications than decryption/encryption of data on external storage means, creation of public keys/signatures, signing of data, and verification of signatures.
  • the CPUF chip 11 may also be used for authentication, certified execution of programs, creation of proof-of-execution, and certified measurements, for example.
  • Certified execution of programs means that the PUF can only be accessed by programs.
  • the programs access the PUF by using two primitive processes whose outputs depend on the program containing these primitives.
  • the process of creating proof-of-execution is a process that produces, together with a computation output, a certificate (called e-certificate) which proves to the user of a specific processor chip that a specific computation was carried out on that specific processor chip, and that the computation was executed and produces the given computed output.
  • data may be encrypted/decrypted with an asymmetric cryptographic key instead of a symmetric cryptographic key.
  • the user or external program may request the CPUF system to create a public key, and optionally a certificate, and another user or another external program may encrypt data with this public key.
  • the user or external program requests the CPUF system to decrypt the encrypted data.
  • the CPUF chip 11 first regenerates the private key. The CPUF system then transmits the decrypted data to the further system of the user or external program over the secure channel.
  • Various embodiments of the invention may be implemented as a program product for use with a computer system, where the program(s) of the program product define functions of the embodiments (including the methods described herein).
  • the program(s) can be contained on a variety of non-transitory computer-readable storage media, where, as used herein, the expression “non-transitory computer readable storage media” comprises all computer-readable media, with the sole exception being a transitory, propagating signal.
  • the program(s) can be contained on a variety of transitory computer-readable storage media.
  • Illustrative computer-readable storage media include, but are not limited to: (i) non-writable storage media (e.g., read-only memory devices within a computer such as CD-ROM disks readable by a CD-ROM drive, ROM chips or any type of solid-state non-volatile semiconductor memory) on which information is permanently stored; and (ii) writable storage media (e.g., flash memory, floppy disks within a diskette drive or hard-disk drive or any type of solid-state random-access semiconductor memory) on which alterable information is stored.
  • the computer program may be run on the processor 302 described herein.
  • the terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Software Systems (AREA)
  • General Physics & Mathematics (AREA)
  • Mathematical Physics (AREA)
  • Storage Device Security (AREA)

Abstract

A system for establishing secure channels with multiple further systems of multiple users comprises a physically unclonable function (33) and at least one processor configured to receive from a further system, a request to establish a secure channel which comprises a challenge, provide the challenge to the physically unclonable function to determine a response based on the challenge, generate a shared secret based on the response, provide the secure channel by encrypting and/or decrypting communication with the further system with the shared secret, receive from the further system, over the secure channel, a further request to use a service provided by the system, obtain a further challenge (201), provide the further challenge to the physically unclonable function to determine a further response (202) based on the further challenge, and generate a cryptographic key (206) based on the further response and the challenge and/or the response (205).

Description

CONTROLLABLE PHYSICALLY UNCLONABLE FUNCTION
FIELD OF THE INVENTION
The invention relates to a system for establishing secure channels with multiple further systems of multiple users.
The invention further relates to a method of establishing secure channels between a system and multiple further systems of multiple users.
The invention also relates to computer program products enabling a computer system to perform such a method.
BACKGROUND OF THE INVENTION
A Physical Unclonable Function (PUF) refers to a function that is implemented as a physical system in such a way that the output for an input is obtained by applying the input stimulus to the physical system and observing the resulting behavior. The interaction between the stimulus and the physical system is unpredictable, depending on essentially random elements within the physical system. This makes it impossible to obtain the output without having had direct access to the physical system, and also renders it impractical to reproduce the physical system itself. PUFs are typically low in manufacturing costs and easy to evaluate for practical applications.
Conventionally, an input or stimulus that a PUF accepts is called a challenge. The output of a PUF, that is, the behavior the PUF exhibits after interaction with the stimulus, is called a response. A pair comprising a challenge and the corresponding response of a PUF is called a challenge-response pair. Some types of PUFs allow a wide range of different inputs, some types allow a more limited range of inputs, or may even allow only a single input. The property that the PUF produces the same response to a challenge c that is presented multiple times, is preferable, but not necessary and, in practice, most PUFs do not possess it. As long as the multiple responses are sufficiently close to each other, the PUF can be usefully applied.
Since the interaction between a stimulus and the physical system cannot be predicted without access to the system, the PUF is hard to characterize and therefore to model. The output of a particular PUF for an input can therefore only be obtained using the particular physical system underlying the particular PUF. Possession of a challenge-response pair is proof that at some point the challenge was offered to the unique physical system that underlies the PUF. Because of this property, i.e., the property that challenge-response pairs are coupled to a unique physical device, a PUF is called unclonable. By equipping a device with a PUF, the device also becomes unclonable.
US 2020/0412556 Al discloses a method of operating an authentication server based on a PUF. The authentication server transmits a Challenge-Response Pair (CRP) update request message to a user device when a CRP update event occurs, receives a CRP update response message from the user device, generates a secret key, decrypts the response message, and updates the CRP in the database.
A Controlled PUF (CPUF) comprises a PUF and a control layer that restricts a user’s access to the PUF input and output. The CPUF is especially beneficial if a system has multiple users or sessions accessing the same computational device. Different types of CPUFs exists. As a first example, WO 03/090259 A2 describes the control layer creating a hash of a program to be executed on the system which wants to access the PUF and providing a response to a challenge or pre-challenge that depends on this hash.
As a second example, the paper “Flowchart description of security primitives for controlled physical unclonable functions” by Boris Skoric, and Marc X. Makkes, published in International Journal of Information Security 9, 2010, describes a CPUF which only allows access to PUF functionality only when a secure channel has been established. All communications and iterations need to pass though the secure channel handler. Everything that happens with in the CPUF is considered secure against invasive attacks.
Applications of a PUF have been developed which involve the generation of a cryptographic key, e.g. a private key for digitally signing messages and a corresponding public key for verifying the signatures. For example, WO 11/089143 describes generation of a first cryptographic key and a second cryptographic key based on the output of a PUF and use of the second cryptographic key to encrypt and decrypt the first cryptographic key to avoid that the first cryptographic key needs to be regenerated. This makes it possible to exchange a time consuming key generation process for the first cryptographic key by a less time consuming key derivation process for the second cryptographic key. However, a drawback of the PUF described in WO 11/089143 is that it is not secure against invasive attacks.
SUMMARY OF THE INVENTION
It is advantageous to provide a system, which comprises a PUF and can be used to generate a cryptographic key based on output of the PUF in a manner that is more secure against invasive attacks. It is advantageous to provide a method, which can be used to generate a cryptographic key based on output of a PUF in a manner that is more secure against invasive attacks.
In a first aspect, a system for system for establishing secure channels with multiple further systems of multiple users comprises a physically unclonable function, at least one input interface, at least one output interface, and at least one processor configured to receive, via the at least one input interface, from a further system, a request to establish a secure channel, the request comprising a challenge, provide the challenge to the physically unclonable function to cause the physically unclonable function to determine a response based on the challenge, generate a shared secret based on the response, and provide the secure channel by encrypting communication to be transmitted via the at least one output interface to the further system with the shared secret and/or decrypting communication received via the at least one input interface from the further system with the shared secret.
The at least one processor is further configured to receive, via the at least one input interface, from the further system, over the secure channel, a further request to use a service provided by the system, obtain a further challenge, provide the further challenge to the physically unclonable function to cause the physically unclonable function to determine a further response based on the further challenge, and generate a cryptographic key based on the further response and at least one of the challenge and the response.
Although it would be possible to make a system more secure against invasive attacks by simply having the system generate a symmetric key with a CPUF instead of a PUF, by additionally using, as part of the cryptographic key generation, at least a part of the challenge-response pair that was used to setup the secure channel, the cryptographic key is tied to the challenge-response pair, which prevents replay attacks. The cryptographic key can be regenerated as long as the same challenge-response pair is used to establish the secure channel. There is normally no need to use a different challenge-response pair to establish a secure channel with the same CPUF system for the same user.
The cryptographic key may be generated based directly on the challenge and/or the response, or may be generated indirectly based on the challenge and/or the response, e.g. based on a hash of the challenge or based on a key or shared secret generated from the response. The mere fact that the challenge and/or the response is determined after another value does not mean that the challenge and/or the response is based on this other value. It needs to be possible to regenerate the cryptographic key as long as the same challenge-response pair is used to establish the secure channel.
The at least one processor may be configured to produce a key based on the response, determine input for a hash function based on the key, generate the shared secret by applying the hash function to the input, produce a further key based on the further response, determine a further input for a further hash function based on the further key and at least one of the challenge, the response, the key, and the shared secret, and generate the cryptographic key by applying the further hash function to the further input. By using a hash function, machine language attacks to the PUF may be prevented. Instead of, or in addition to, including at least one of the challenge, the response, the key, and the shared secret in the further input, at least one of the challenge, the response, the key, and the shared secret may be provided to the physically unclonable function, along with the further challenge, to cause the physically unclonable function to determine the further response.
The at least one processor may be configured to obtain helper data associated with the further challenge and produce the further key based on the further response and the helper data. The helper data allows a reproduce function to reconstruct original output of a PUF from the new noisy output data of the PUF. The helper data is generated based on the original noisy output data of the PUF when the original output is generated.
The cryptographic key may comprise a symmetric key. In this case, the further request may, for example, request access to data stored on external storage means connected to the system and the at least one processor may be configured to obtain encrypted data from the external storage means and decrypt the encrypted data with the symmetric key.
The at least one processor may be configured to obtain the further challenge from the external storage means before providing the further challenge to the physically unclonable function. This has as benefit that the user or the external program does not need to have a local copy of the further challenge, but the system can directly decrypt the data. If helper data is used, the helper data may also be stored on the external storage means.
Alternatively, the cryptographic key may comprise a private key. In this case, the further request may, for example, request the system to sign data and the at least one processor may be configured to obtain the data and create a signature of the data with the private key.
In the case the cryptographic key comprises a private key, the further request may alternatively request the system to decrypt encrypted data, for example, and the at least one processor may be configured to receive the encrypted data from the further system via the at least one input interface, decrypt the encrypted data with the private key, and transmit the decrypted data to the further system via the at least one output interface.
The at least one processor may be configured to generate a public key which corresponds to the private key and transmit the public key to the further system via the at least one output interface. For example, the at least one processor may be configured to generate a certificate which includes the public key and transmit the certificate to the further system via the at least one output interface. The at least one processor may be configured to include the further challenge, and optionally the associated helper data, in the certificate.
In a second aspect, a method of establishing secure channels between a system and multiple further systems of multiple users comprises receiving from a further system, a request to establish a secure channel, the request comprising a challenge, providing the challenge to a physically unclonable function to cause the physically unclonable function to determine a response based on the challenge, generating a shared secret based on the response, and providing the secure channel by encrypting communication to be transmitted to the further system with the shared secret and/or decrypting communication received from the further system with the shared secret.
The method further comprises receiving from the further system, over the secure channel, a further request to use a service provided by the system, obtaining a further challenge, providing the further challenge to the physically unclonable function to cause the physically unclonable function to determine a further response based on the further challenge, and generating a cryptographic key based on the further response and at least one of the challenge and the response. The method may be performed by software running on a programmable device. This software may be provided as a computer program product.
Moreover, a computer program for carrying out the methods described herein, as well as a non-transitory computer readable storage-medium storing the computer program are provided. A computer program may, for example, be downloaded by or uploaded to an existing device or be stored upon manufacturing of these systems.
A non-transitory computer-readable storage medium stores at least a first software code portion, the first software code portion, when executed or processed by a computer, being configured to perform executable operations for establishing secure channels between a system and multiple further systems of multiple users.
The executable operations comprise receiving from a further system, a request to establish a secure channel, the request comprising a challenge, providing the challenge to a physically unclonable function to cause the physically unclonable function to determine a response based on the challenge, generating a shared secret based on the response, and providing the secure channel by encrypting communication to be transmitted to the further system with the shared secret and/or decrypting communication received from the further system with the shared secret.
The executable operations further comprise receiving from the further system, over the secure channel, a further request to use a service provided by the system, obtaining a further challenge, providing the further challenge to the physically unclonable function to cause the physically unclonable function to determine a further response based on the further challenge, and generating a cryptographic key based on the further response and at least one of the challenge and the response.
As will be appreciated by one skilled in the art, aspects of the present invention may be embodied as a device, a method or a computer program product. Accordingly, aspects of the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment (including firmware, resident software, micro-code, etc.) or an embodiment combining software and hardware aspects that may all generally be referred to herein as a "circuit", "module" or "system." Functions described in this disclosure may be implemented as an algorithm executed by a processor/microprocessor of a computer. Furthermore, aspects of the present invention may take the form of a computer program product embodied in one or more computer readable medium(s) having computer readable program code embodied, e.g., stored, thereon.
Any combination of one or more computer readable medium(s) may be utilized. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of a computer readable storage medium may include, but are not limited to, the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of the present invention, a computer readable storage medium may be any tangible medium that can contain, or store, a program for use by or in connection with an instruction execution system, apparatus, or device.
A computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber, cable, RF, etc., or any suitable combination of the foregoing. Computer program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java(TM), Smalltalk, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider).
Aspects of the present invention are described below with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the present invention. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor, in particular a microprocessor or a central processing unit (CPU), of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer, other programmable data processing apparatus, or other devices create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer readable medium that can direct a computer, other programmable data processing apparatus, or other devices to function in a particular manner, such that the instructions stored in the computer readable medium produce an article of manufacture including instructions which implement the fimction/act specified in the flowchart and/or block diagram block or blocks.
The computer program instructions may also be loaded onto a computer, other programmable data processing apparatus, or other devices to cause a series of operational steps to be performed on the computer, other programmable apparatus or other devices to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide processes for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of devices, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s).
It should also be noted that, in some alternative implementations, the functions noted in the blocks may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustrations, and combinations of blocks in the block diagrams and/or flowchart illustrations, can be implemented by special purpose hardware-based systems that perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
BRIEF DESCRIPTION OF THE DRAWINGS
These and other aspects of the invention are apparent from and will be further elucidated, by way of example, with reference to the drawings, in which:
Fig. 1 is a block diagram of an implementation of the system; and
Fig. 2 is a flow chart of a first implementation of the method;
Fig. 3 is a flow chart of a second implementation of the method;
Fig. 4 is a flow chart of a third implementation of the method;
Fig. 5 is a flow chart of a fourth implementation of the method;
Fig. 6 illustrates a first part of the method of Fig. 5;
Figs. 7 and 8 illustrate a second part of the method of Fig. 5;
Figs. 9 and 10 illustrate a second part of a fifth implementation of the method;
Figs. 11 and 12 illustrate a second part of a sixth implementation of the method; and
Figs. 13-15 illustrate a second part of a seventh implementation of the method;
Corresponding elements in the drawings are denoted by the same reference numeral.
DETAILED DESCRIPTION OF THE DRAWINGS
Fig. 1 is a block diagram of an implementation of the system for establishing secure channels with multiple further systems of multiple users. The system 1 comprises a CPUF chip 11. The CPUF chip 11 comprises one or more processors 5, e.g. one or more computer cores, an input interface 3, an output interface 4, a physically unclonable function (PUF) 6, memory 7, and one or more cryptographic accelerators. The input interface 3 and output interface 4 may be realized by a network interface.
The one or more processors 5 are configured to receive, via the at least one input interface 3, from a further system 21, a request to establish a secure channel which comprises a challenge, provide the challenge to the physically unclonable function 6 to cause the physically unclonable function 6 to determine a response based on the challenge, generate a shared secret based on the response, provide the secure channel by encrypting communication to be transmitted via the at least one output interface 4 to the further system 21 with the shared secret and/or decrypting communication received via the at least one input interface 3 from the further system 21 with the shared secret.
The one or more processors 5 are further configured to receive, via the at least one input interface 3, from the further system 21, over the secure channel, a further request to use a service provided by the system 1, obtain a further challenge, provide the further challenge to the physically unclonable function 6 to cause the physically unclonable function 6 to determine a further response based on the further challenge, and generate a cryptographic key based on the further response and at least one of the challenge and the response. The cryptographic key may be used to decrypt and encrypt data stored on an external storage means 23, for example.
A first implementation of the method of establishing secure channels between a system and multiple further systems of multiple users is shown in Fig. 2. The method may be performed by system 1 of Fig. 1, for example.
A step 101 comprises receiving, from a further system, a request to establish a secure channel. The request comprises a challenge. A step 103 comprises providing the challenge to a physically unclonable function to cause the physically unclonable function (PUF) to determine a response based on the challenge received in step 101. A step 105 comprises generating a shared secret based on the response determined in step 103. A step 107 comprises providing the secure channel by encrypting communication to be transmitted to the further system with the shared secret and/or decrypting communication received from the further system with the shared secret. The further system has the same challengeresponse pair and is therefore able to generate the same shared secret.
A step 109 comprises receiving from the further system, over the secure channel, a further request to use a service provided by the system. A step 111 comprises obtaining a further challenge. Step 111 may comprise retrieving the further challenge from an external storage means or internal memory, receiving the further challenge from the further system, or generating the further challenge with a random number generator, for example.
A step 113 comprises providing the further challenge obtained in step 111 to the physically unclonable function to cause the physically unclonable function to determine a further response based on the further challenge. A step 115 comprises generating a cryptographic key based on the further response determined in step 113 and at least one of the challenge received in step 101 and the response determined in step 103. The requested service is provided with this cryptographic key.
If the further response is determined based on the challenge and/or the response, a cryptographic key generated based on the further response is considered to be generated based on the challenge and/or the response. In other words, step 115 comprises generating a cryptographic key based on the further response determined in step 113, wherein the cryptographic key is generated in step 115, and/or the further response is determined in step 113, further based on the challenge and/or the response determined in step 103.After step 115, step 109 may be repeated and another request to use a service provided by the system may be received, after which the method proceeds as shown in Fig. 2. Alternatively, a step 117 may be performed after step 115. In step 117, the secure channel is terminated. After step 117, step 101 may be repeated and another request to establish a secure channel may be received (the request normally comprising the same challenge used in the first iteration of step 101), after which the method proceeds as shown in Fig. 2.
Secure channels may be established between the system and multiple further systems of multiple users by using the same steps 101-117. A request received from another further system in step 101 will include a different challenge.
A second implementation of the method of establishing secure channels between a system and multiple further systems of multiple users is shown in Fig. 3. The implementation of Fig. 3 is an extension of the implementation of Fig. 2. In the implementation of Fig. 3, step 105 of Fig. 3 has been implemented by steps 131, 133, and 135 and step 115 of Fig. 3 has been implemented by steps 141, 143, and 145.
Step 131 comprises producing a key based on the response determined in step 103. Step 133 comprises determining input for a hash function based on the key produced in step 131. Step 135 comprises generating the shared secret by applying the hash function to the input determined in step 133. By using a hash function, machine language attacks to the PUF may be prevented.
Step 141 comprises producing a further key based on the further response determined in step 113. Step 143 comprises determining a further input for a further hash function based on the further key produced in step 141 and at least one of the challenge received in step 101, the response determined in step 103, the key produced in step 131, and the shared secret generated in step 135. Step 145 comprises generating the cryptographic key by applying the further hash function to the further input determined in step 143. The further hash function used in step 145 may be the same as the hash function used in step 135.
A third implementation of the method of establishing secure channels between a system and multiple further systems of multiple users is shown in Fig. 4. The implementation of Fig. 4 is an alternative to the implementation of Fig. 3, although both embodiments could also be combined. In the implementation of Fig. 4, step 113 of Figs. 2 and 3 is implemented by a step 151 and step 143 of Fig. 3 is replaced with a step 153.
Step 151 comprises providing the further challenge obtained in step 111 and at least one of the challenge received in step 101, the response determined in step 103, the key produced in step 131, and the shared secret generated in step 135 to the physically unclonable function to cause the physically unclonable function to determine the further response. Step 153 comprises determining the further input for the further hash function based on the further key produced in step 141.
A fourth implementation of the method of establishing secure channels between a system and multiple further systems of multiple users is shown in Fig. 5. The implementation of Fig. 5 is an extension of the implementation of Fig. 3.
A step 161 comprises receiving, from a further system, a request to establish a secure channel. The request comprises a challenge and helper data. Step 103 comprises providing the challenge to a physically unclonable function to cause the physically unclonable function (PUF) to determine a response based on the challenge received in step 161. A step 163 comprises producing a key based on the response determined in step 103 and the helper data received in step 161.
Step 133 comprises determining input for a hash function based on the key produced in step 163. For example, the input may consist of just this key. Step 135 comprises generating a shared secret by applying a hash function to the input determined in step 133. Step 107 comprises providing the secure channel by encrypting communication to be transmitted to the further system with the shared secret generated in step 135 and/or decrypting communication received from the further system with the shared secret generated in step 135.
Step 109 comprises receiving from the further system, over the secure channel, a further request to use a service provided by the system. A step 164 comprises checking the type of the further request received in step 109. If the requested service involves the generation of a new cryptographic key, then a step 165 is performed after step 164. Step 165 comprises obtaining a further challenge without obtaining helper data, as no helper data has been associated with the further challenge yet. Step 165 may comprise generating the further challenge with a random number generator, for example.
Step 113 comprises providing the further challenge obtained in step 111 to the physically unclonable function to cause the physically unclonable function to determine a further response based on the further challenge. Step 167 comprises producing a further key based on the further response determined in step 113. Step 167 further comprises generating further helper data associated with the further challenge. Step 169 comprises storing the helper data, e.g. on external storage means or for later transmission to the further system.
Step 143 comprises determining a further input for a further hash function based on the further key produced in step 167 and at least one of the challenge received in step 101, the response determined in step 103, the key produced in step 163, and the shared secret generated in step 135. Step 145 comprises generating a cryptographic key by applying the further hash function to the further input determined in step 143. Step 109 is repeated or step 117 is performed after step 145 has been performed.
If the requested service involves the regeneration of a previously generated cryptographic key, then a step 171 is performed after step 164. Step 171 comprises obtaining a further challenge and further helper data associated with the further challenge. The further challenge and the further helper data may be retrieved from external storage means or internal memory or may be received from the further system. In the latter case, steps 109 and 171 may be combined. Step 113 comprises providing the further challenge obtained in step 111 to the physically unclonable function to cause the physically unclonable function to determine a further response based on the further challenge.
Step 173 comprises producing a further key based on the further response determined in step 113 and the further helper data obtained in step 171. Step 143 comprises determining a further input for a further hash function based on the further key produced in step 173 and at least one of the challenge received in step 101, the response determined in step 103, the key produced in step 163, and the shared secret generated in step 135. Step 145 comprises (re)generating the cryptographic key by applying the further hash function to the further input determined in step 143. Step 109 is repeated or step 117 is performed after step 145 has been performed.
Fig. 6 illustrates a first part of the method of Fig. 5, i.e. the process of setting up a secure channel. This process is also described in the paper “Flowchart description of security primitives for controlled physical unclonable functions” in relation to figure 3 of this paper. The system comprises CPUF chip 11. The CPUF chip 11 comprises a PUF 33, a reproduce (“Rep”) function 34 of a regeneration function, a first cryptographic hash function 35, and a secure channel (SC) handler 36. The functions 34 and 35 and the handler 36 may be performed by one or more processors.
The further system of a user who wants to, or an external program that wants to, setup a secure channel to the system transmits a request to establish a secure channel. The request, which is received in step 161, comprises a challenge cl and helper data wl . The challenge cl is provided to the PUF 33 to cause the PUF 33 to determine a response rl based on the challenge cl (in step 103 of Fig. 5). Then, the reproduce function 34 produces a key k based on the response rl and the helper data wl (in step 163). Next, a shared secret R is generated by applying first cryptographic hash function 35 to the key k (in step 135). The shared secret R is used by the SC handler 36 to handle the secure communication channel with the user or external program (in step 107).
Figs. 7 and 9 illustrate a second part of the method of Fig. 5. Fig. 7 shows the generation of a new cryptographic key. Fig. 7 shows that in addition to the PUF 33 and the SC handler 36, the CPUF chip 11 comprises a random number generator (RNG) 43, a generate (“Gen”) function 44 of the regeneration function, and a second cryptographic hash function 45.
Before the second part of the method is performed, first the first part of the method is performed as described in relation to Fig. 6. Thus, first a secure channel is setup between the CPUF system and the user or external program using a challenge-response pair (CRP). Once the secure channel has been established, the user or program can access the CPUF functions/services, of which some involve the generation of a cryptographic key.
The random number generator 43 generates a random number c2 (201), which is used as a challenge for the PUF 33 and also stored at least temporarily. Alternatively, the challenge c2 may be received from the further system of the user or external program. The response r2 (202) of the PUF 33 is input into the generate function 44 (in step 167). This generate function is typically a Fuzzy Extractor, also known as a helper data scheme, which was introduced as a primitive that achieves both information reconciliation and privacy amplification.
The helper data w2 (203) (a.k.a. redundancy data or public data) suffices to reproducibly reconstruct a string from noisy measurements, yet leaks only a negligible amount of information about the extracted key. The counterpart of the generate function is the reproduce function, which was discussed in relation to Fig. 6 and which reconstructs the original output from the noisy output data of the PUF.
The outputted secret s (204) of the generate function 44 is used as the input of the second cryptographic hash function 45 (in step 145). The second cryptograph hash function 45 may be the same function as or a different function than the first cryptographic hash function 35 of Fig. 6. In addition, the whole or part of the challenge-response pair cl,rl
(205) that was used to setup the secure channel, and possibly the helper data wl as well, is obtained from the SC handler 36 and included in the input for second cryptograph hash function 45. In addition, other user information might be included, such as username of system password.
The second cryptograph hash function 45 directly outputs a secret key sk
(206) or the secret key (sk) is generated based on the output of the second cryptograph hash function 45. Due to the input to the second cryptograph hash function 45, the secret key sk (206) is linked to a specific challenge-response pair.
Fig. 8 shows the regeneration of a previously generated cryptographic key.
As described in relation to Fig. 7, before the second part of the method is performed, first the first part of the method is performed as described in relation to Fig. 6. Then, the further challenge c2 is obtained (e.g. from the further system or external storage means) and provided to the PUF 33. Next, the reproduce function 34 reconstructs the secret s from the output r2 of the PUF 33 and the helper data w2 (which may be obtained from the further system or external storage means, for example). The reconstructed secret s is then hashed with the second cryptographic hash function 45. Again, the whole or part of the challengeresponse pair cl,rl that was used to setup the secure channels, and possibly the helper data wl as well, is obtained from the SC handler 36 and included in the input for second cryptograph hash function 45. As a result, the secret key sk is restored/regenerated.
Figs. 9 and 10 illustrate a second part of a fifth implementation of the method. Fig. 9 shows an alternative to Fig. 7. Fig. 10 shows an alternative to Fig. 8. In this fifth implementation, the whole or part of the challenge-response pair cl,rl that was used to setup the secure channel is still obtained from the SC handler 36, but is now used as input for the PUF 33 instead of being included in the input for the second cryptographic hash function 45.
Figs. 11 and 12 illustrate a second part of a sixth implementation of the method in which a user or external program requests encryption of data to external storage means 23 connected to the CPUF system and requests access to this encrypted data (after decryption). The sixth implementation is an extension of the fourth implementation. In this sixth implementation, the cryptographic key is a symmetric key, the generation of the new (symmetric) cryptographic key, which has been illustrated in Fig. 7, precedes the encryption of data with this symmetric key, and the regeneration/restoration of the (symmetric) cryptographic key, which has been illustrated in Fig. 8, precedes the decryption of the encrypted data with this symmetric key. Fig. 11 shows that in addition to the components shown in Fig. 7, the CPUF chip 11 further comprises a symmetric encryption function 53 and on-chip secure storage 54. Fig. 11 further shows that the secret key sk output by the second cryptographic hash function 45, as described in relation to Fig. 7, is provided to the symmetric encryption function 53. The symmetric encryption function 53 then encrypts data d, obtained from secure storage 54, with the (symmetric) secret key sk. The encrypted data encsk(d) is stored on the external storage means 23 along with the challenge c2 and the helper data w2. The encryption is tied to (part of) the CRP that was used to establish the secure channel.
Fig. 12 shows that in addition to the components shown in Fig. 8, the CPUF chip 11 further comprises a symmetric decryption function 63 and a CPU 64. Fig. 12 also shows that the further challenge c2 that is provided to the PUF 33 in Fig. 8 and the helper data w2 that is provided to the reproduce function 34 in Fig. 8 are obtained from the external storage means 23. Fig. 12 further shows that the (symmetric) secret key sk output by the second cryptographic hash function 45, as described in relation to Fig. 8, is provided to the symmetric decryption function 63.
The encrypted data encSk(d) is obtained from the external storage means 23 and the (symmetric) secret key sk is then used by the symmetric decryption function 63 to decrypt the encrypted data encsk(d) and store the data on on-chip secure storage 54. After decryption, the data d can be used by the CPU 64. The data d in the secure storage 54 may be modified by the CPU 64 and the modified data d may be encrypted again in the manner described in relation to Fig. 11.
Uike the encryption, the decryption is tied to (part of) the CRP that was used to establish the secure channel. If the decryption is performed over a different secure channel than the encryption, then the encrypted data encsk(d) will not be decrypted. Since the challenge c2 and the helper data w2 are stored on the external storage means 23, there is no need for the user or external program to keep a local copy of these values.
Figs. 13-15 illustrate a second part of a seventh implementation of the method in which a user or external program requests the system to generate a public key, and optionally a certificate which comprises the pubic key, or to sign data with the private key corresponding to this public key. Optionally, the user of external program may request the system to verify a signature with a regenerated public key.
The seventh implementation is an extension of the fourth implementation. In this seventh implementation, the cryptographic key comprises a private key, the generation of the new secret (private) key, which has been illustrated in Fig. 7, precedes the generation of the public key which corresponds to the private key, and the regeneration/restoration of the secret (private) key, which has been illustrated in Fig. 8, precedes the signing of the data with this private key and the optional verification of the signature with the regenerated public key which corresponds to the private key.
Fig. 13 shows that in addition to the components shown in Fig. 7, the CPUF chip 11 further comprises a private key generation function 73, a public key generation function 74, and a certificate generation function 75. Fig. 13 further shows that a secret key sk, in this case a private key, is generated based on the output of the second cryptographic hash function 45, as described in relation to Fig. 7. The output of the second cryptographic hash function 45 h(s) is provided to the private key generation function 73. In other words, the output of the of the second cryptographic hash function 45 is used as a seed to generate the private key sk.
From the private key sk, a corresponding public key pk is derived by public key generation function 74. The public key pk may be transmitted to the further system from which the request is received. From public key pk, a certificate 79 may be generated by certification generation function 75. In addition to public key pk, this certificate 79 may include further challenge c2 and helper data w2. By including these values in the certificate, the user or external program does not have to store them separately. The certificate 79 may be transmitted to the further system from which the request is received. The generation of the private key sk and the corresponding public key pk is tied to (part of) the CRP that was used to establish the secure channel.
Fig. 14 shows that in addition to the components shown in Fig. 8, the CPUF chip 11 further comprises a private key generation function 73, a third cryptographic hash function 84, and a signing function 85. In order to sign data, e.g. a document or a message, a user or external program first has to setup a secure channel, which is managed by the SC- handler 36. Once the secure channel is established, the user/program can invoke the signing function/service.
The user/program may supply the PUF 33 and reproduce function 34 with the further challenge c2 and the helper data w2, e.g. from certificate 79. Alternatively, the CPUF chip 11 may retrieve the certificate 79 from storage (where the storage may even be encrypted using the afore-mentioned encryption/decryption function). If the further challenge c2 and the helper data w2 from certificate 79 are used, it needs to be verified that the signature of the certificate authority (CA) is correct.
Fig. 14 shows that a secret key sk, in this case a private key, is generated based on the output of the second cryptographic hash function 45, as described in relation to Fig. 8. The output of the second cryptographic hash function 45 h(s) is provided to the private key generation function 73, which generates a private key sk. The private key sk is used by the signing function 85 to generate a signature over a hash of data m of a message 83. The hash has been obtained by applying the third cryptographic hash function 84 to the data m. The resulting signature 86, i.e. signsk(h(m), may be used inside the CPUF chip 11 or may be sent outside of the CPUF chip 11.
Fig. 15 shows that in addition to the components shown in Fig. 8, the CPUF chip 11 further comprises a private key generation function 73, a public key generation function 74, a third cryptographic hash function 84, and a signature verification function 91. In order to verify a signature, a user or external program first has to setup a secure channel, which is managed by the SC-handler 36. Once the secure channel is established, the user/program can invoke the verification function/service.
The user/program may supply the PUF 33 and reproduce function 34 with the further challenge c2 and the helper data w2, e.g. from certificate 79. Alternatively, the CPUF chip 11 may retrieve the certificate 79 from storage (where the storage may even be encrypted using the afore-mentioned encryption/decryption function). If the further challenge c2 and the helper data w2 from certificate 79 are used, it needs to be verified that the signature of the certificate authority (CA) is correct.
Fig. 15 shows that a secret key sk, in this case a private key, is generated based on the output of the second cryptographic hash function 45, as described in relation to Fig. 8. The output of the second cryptographic hash function 45 h(s) is provided to the private key generation function 73, which generates a private key sk. From the private key sk, a corresponding public key pk is derived by public key generation function 74.
A hash of data m of message 83 is obtained by applying the third cryptographic hash function 84 to data m. The public key pk, the hash h(m), and the signature 86 are input into the signature verification function 91. The signature verification function 91 outputs a true or false, depending on whether the signature 86 is correct or not, i.e. depending on whether the signature has been created from the data m with the private key sk or not. The signature 86 and the data 83 may be stored in the CPUF system, e.g. in the CPUF chip 11, or may be stored outside the CPUF system, e.g. received from the further system of the user or external program.
The result of the verification is sent to the further system of the user or external program. Although the signature 86 can also be verified without the CPUF chip 11, because the public key pk is public, by letting the CPUF chip 11 verify the signature 86, it can be verified that it was indeed the CPUF chip 11 that generated the private key with which the signature was signed. If the verification function/service is invoked over a secure channel that was setup using a different CRP than the secure channel over which the public key/signature creation function/service was invoked, the verification result will be negative (false). The CPUF chip 11 described above may also be used for other applications than decryption/encryption of data on external storage means, creation of public keys/signatures, signing of data, and verification of signatures. Like CPUFs in general, the CPUF chip 11 may also be used for authentication, certified execution of programs, creation of proof-of-execution, and certified measurements, for example. Certified execution of programs means that the PUF can only be accessed by programs. For example, the programs access the PUF by using two primitive processes whose outputs depend on the program containing these primitives. The process of creating proof-of-execution is a process that produces, together with a computation output, a certificate (called e-certificate) which proves to the user of a specific processor chip that a specific computation was carried out on that specific processor chip, and that the computation was executed and produces the given computed output.
Furthermore, data may be encrypted/decrypted with an asymmetric cryptographic key instead of a symmetric cryptographic key. For example, the user or external program may request the CPUF system to create a public key, and optionally a certificate, and another user or another external program may encrypt data with this public key. After the user or external program has received the encrypted data, the user or external program requests the CPUF system to decrypt the encrypted data. In order to do this, the CPUF chip 11 first regenerates the private key. The CPUF system then transmits the decrypted data to the further system of the user or external program over the secure channel.
Various embodiments of the invention may be implemented as a program product for use with a computer system, where the program(s) of the program product define functions of the embodiments (including the methods described herein). In one embodiment, the program(s) can be contained on a variety of non-transitory computer-readable storage media, where, as used herein, the expression “non-transitory computer readable storage media” comprises all computer-readable media, with the sole exception being a transitory, propagating signal. In another embodiment, the program(s) can be contained on a variety of transitory computer-readable storage media. Illustrative computer-readable storage media include, but are not limited to: (i) non-writable storage media (e.g., read-only memory devices within a computer such as CD-ROM disks readable by a CD-ROM drive, ROM chips or any type of solid-state non-volatile semiconductor memory) on which information is permanently stored; and (ii) writable storage media (e.g., flash memory, floppy disks within a diskette drive or hard-disk drive or any type of solid-state random-access semiconductor memory) on which alterable information is stored. The computer program may be run on the processor 302 described herein. The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used herein, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms "comprises" and/or "comprising," when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
The corresponding structures, materials, acts, and equivalents of all means or step plus function elements in the claims below are intended to include any structure, material, or act for performing the function in combination with other claimed elements as specifically claimed. The description of embodiments of the present invention has been presented for purposes of illustration, but is not intended to be exhaustive or limited to the implementations in the form disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope of the present invention.
The embodiments were chosen and described in order to best explain the principles and some practical applications of the present invention, and to enable others of ordinary skill in the art to understand the present invention for various embodiments with various modifications as are suited to the particular use contemplated.

Claims

CLAIMS:
1. A system (1) for establishing secure channels with multiple further systems of multiple users, the system (1) comprising: a physically unclonable function (6); at least one input interface (3); at least one output interface (4); and at least one processor (5) configured to:
- receive, via the at least one input interface (3), from a further system (21), a request to establish a secure channel, the request comprising a challenge,
- provide the challenge to the physically unclonable function (6) to cause the physically unclonable function (6) to determine a response based on the challenge,
- generate a shared secret based on the response,
- provide the secure channel by encrypting communication to be transmitted via the at least one output interface (4) to the further system (21) with the shared secret and/or decrypting communication received via the at least one input interface (3) from the further system (21) with the shared secret,
- receive, via the at least one input interface (3), from the further system (21), over the secure channel, a further request to use a service provided by the system (1),
- obtain a further challenge,
- provide the further challenge to the physically unclonable function (6) to cause the physically unclonable function (6) to determine a further response based on the further challenge,
- generate a cryptographic key based on the further response, wherein the cryptographic key is generated, and/or the further response is determined, further based on at least one of the challenge and the response, and
- provide the requested service with the cryptographic key.
2. A system (1) as claimed in claim 1, wherein the at least one processor (5) is configured to produce a key based on the response, determine input for a hash function based on the key, generate the shared secret by applying the hash function to the input, produce a further key based on the further response, determine a further input for a further hash function based on the further key and at least one of the challenge, the response, the key, and the shared secret, and generate the cryptographic key by applying the further hash function to the further input.
3. A system (1) as claimed in claim 2, wherein the at least one processor (5) is configured to obtain helper data associated with the further challenge and produce the further key based on the further response and the helper data.
4. A system (1) as claimed in any one of claims 1 to 3, wherein the cryptographic key comprises a symmetric key.
5. A system (1) as claimed in claim 4, wherein the further request requests access to data stored on external storage means (23) connected to the system (1) and the at least one processor (5) is configured to obtain encrypted data from the external storage means (23) and decrypt the encrypted data with the symmetric key.
6. A system (1) as claimed in claim 5, wherein the at least one processor (5) is configured to obtain the further challenge from the external storage means (23) before providing the further challenge to the physically unclonable function (6).
7. A system (1) as claimed in any one of claims 1 to 3, wherein the cryptographic key comprises a private key.
8. A system (1) as claimed in claim 7, wherein the further request requests the system (1) to sign data and the at least one processor (5) is configured to obtain the data and create a signature of the data with the private key.
9. A system (1) as claimed in claim 7, wherein the further request requests the system (1) to decrypt encrypted data and the at least one processor (5) is configured to receive the encrypted data from the further system (21) via the at least one input interface (3), decrypt the encrypted data with the private key, and transmit the decrypted data to the further system (21) via the at least one output interface (4).
10. A system (1) as claimed in claim 7 or 8, wherein the at least one processor (5) is configured to generate a public key which corresponds to the private key and transmit the public key to the further system (21) via the at least one output interface (4).
11. A system (1) as claimed in claim 10, wherein the at least one processor (5) is configured to generate a certificate (79) which includes the public key and transmit the certificate to the further system (21) via the at least one output interface (4).
12. A system (1) as claimed in claim 11, wherein the at least one processor (5) is configured to include the further challenge in the certificate (79).
13. A method of establishing secure channels between a system and multiple further systems of multiple users, the method comprising:
- the system receiving (101) from a further system, a request to establish a secure channel, the request comprising a challenge;
- the system providing (103) the challenge to a physically unclonable function to cause the physically unclonable function to determine a response based on the challenge;
- the system generating (105) a shared secret based on the response;
- the system providing (107) the secure channel by encrypting communication to be transmitted to the further system with the shared secret and/or decrypting communication received from the further system with the shared secret;
- the system receiving (109) from the further system, over the secure channel, a further request to use a service provided by the system;
- the system obtaining (111) a further challenge;
- the system providing (113) the further challenge to the physically unclonable function to cause the physically unclonable function to determine a further response based on the further challenge;
- the system generating (115) a cryptographic key based on the further response, wherein the cryptographic key is generated, and/or the further response is determined, further based on at least one of the challenge and the response, and
- providing the requested service with the cryptographic key.
14. A computer program or suite of computer programs comprising at least one software code portion or a computer program product storing at least one software code portion, the software code portion, when run on a computer system, being configured for performing the method of claim 13.
PCT/EP2025/058757 2024-04-02 2025-03-31 Controllable physically unclonable function Pending WO2025209994A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
EP24168018.0 2024-04-02
EP24168018 2024-04-02

Publications (1)

Publication Number Publication Date
WO2025209994A1 true WO2025209994A1 (en) 2025-10-09

Family

ID=90717768

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2025/058757 Pending WO2025209994A1 (en) 2024-04-02 2025-03-31 Controllable physically unclonable function

Country Status (1)

Country Link
WO (1) WO2025209994A1 (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2003090259A2 (en) 2002-04-16 2003-10-30 Massachusetts Institute Of Technology Authentication of integrated circuits
WO2011089143A1 (en) 2010-01-20 2011-07-28 Intrinsic Id B.V. Device and method for obtaining a cryptographic key
US20190165954A1 (en) * 2017-11-28 2019-05-30 Taiwan Semiconductor Manufacturing Company Ltd. Method and system for secure key exchange using physically unclonable function (puf)-based keys
US20200412556A1 (en) 2019-06-28 2020-12-31 Electronics And Telecommunications Research Institute User device, physical-unclonable-function-based authentication server, and operating method thereof
US20210392004A1 (en) * 2020-06-10 2021-12-16 Electronics And Telecommunications Research Institute Apparatus and method for authenticating device based on certificate using physical unclonable function

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2003090259A2 (en) 2002-04-16 2003-10-30 Massachusetts Institute Of Technology Authentication of integrated circuits
WO2011089143A1 (en) 2010-01-20 2011-07-28 Intrinsic Id B.V. Device and method for obtaining a cryptographic key
US20190165954A1 (en) * 2017-11-28 2019-05-30 Taiwan Semiconductor Manufacturing Company Ltd. Method and system for secure key exchange using physically unclonable function (puf)-based keys
US20200412556A1 (en) 2019-06-28 2020-12-31 Electronics And Telecommunications Research Institute User device, physical-unclonable-function-based authentication server, and operating method thereof
US20210392004A1 (en) * 2020-06-10 2021-12-16 Electronics And Telecommunications Research Institute Apparatus and method for authenticating device based on certificate using physical unclonable function

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
BORIS SKORICMARC X. MAKKES: "Flowchart description of security primitives for controlled physical unclonable functions", INTERNATIONAL JOURNAL OF INFORMATION SECURITY, vol. 9, 2010, XP019808780

Similar Documents

Publication Publication Date Title
CN110750803B (en) Method and device for providing and fusing data
CN114651421A (en) Forward security in transport layer security using temporary keys
US10880100B2 (en) Apparatus and method for certificate enrollment
CN111971929B (en) Secure distributed key management system
US7877604B2 (en) Proof of execution using random function
US20140006806A1 (en) Effective data protection for mobile devices
KR102591826B1 (en) Apparatus and method for authenticating device based on certificate using physical unclonable function
CN113890768B (en) Device authentication method and system, Internet of Things device and authentication server
CN109754226B (en) Data management method, device and storage medium
US20080059809A1 (en) Sharing a Secret by Using Random Function
TW201630378A (en) Key splitting
CN115801232A (en) Private key protection method, device, equipment and storage medium
JP5171787B2 (en) Sign-encryption system and sign-encryption generation method
KR101579696B1 (en) System and method for obfuscating initiation values of a cryptography protocol
CN113886793A (en) Device login method, device, electronic device, system and storage medium
CN115941328A (en) Encryption processing method, device and system for shareable user data
CN119276489B (en) U-shield key backup method and system
US20230376574A1 (en) Information processing device and method, and information processing system
WO2025209994A1 (en) Controllable physically unclonable function
CN115348054B (en) Blockchain data proxy re-encryption model based on IPFS
CN113779629A (en) Key file sharing method, device, processor chip and server
CN115859329B (en) Encryption and decryption method and device
CN118555068B (en) PUF-based TEE trusted root generation and use method and related device
CN118487801B (en) Double encryption single sign-on method, system, device and medium
TWI904709B (en) Method and system for secure file storage

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 25715276

Country of ref document: EP

Kind code of ref document: A1