CN102546149B

CN102546149B - Crypto chip system and secret key extraction method

Info

Publication number: CN102546149B
Application number: CN201210013772.XA
Authority: CN
Inventors: 邹候文; 唐韶华; 唐屹; 唐春明; 彭俊好; 苏胡双
Original assignee: South China University of Technology SCUT; Guangzhou University
Current assignee: South China University of Technology SCUT; Guangzhou University
Priority date: 2012-01-16
Filing date: 2012-01-16
Publication date: 2014-12-03
Anticipated expiration: 2032-01-16
Also published as: CN102546149A

Abstract

The invention discloses a crypto chip system and a secret key extraction method. The system comprises a public key crypto engine, a symmetry crypto engine, a HASH engine, a one-way function engine, a nonvolatile memory, an execution engine, t secret key assistant management parties and a double-arbiter physical unclonable function module DAPUF. The other purpose of the invention aims at providing a secret key extraction method of the crypto chip system. The method comprises the steps of (1) a secret key generation stage, and (2) a secret key reconstruction stage. According to the invention, an effective bit is selected by an exclusive-or result of the DAPUF, and in combination with the steps and under a condition that multiple challenge/response characteristics are provided, the system and the method enable the obtained response to have the characteristics of no 01 deviation on probability, reliable reconstruction certainty, low average time complexity, small challenge and response redundancy, physical invasion attack sensation and the like.

Description

A kind of crypto chip system and key extraction method

Technical field

The present invention relates to the crypto chip security fields in information security, particularly the crypto chip system of high safety grade and the key extraction method based on this crypto chip system.

Background technology

High safety grade key is conventionally stored in band and distorts in the volatile memory of Sampling network, volatile memory is deposited key needs long-term power supply, when low temperature, after power-off, still can keep the data long period, it is low and once by physics invasion, attacked PIA experiment yet and confirmed not unbreakable that it does not distort Sampling network cost.

From physics, can not clone and module PUF, extract key and replace key storage scheme to be subject to researcher paying close attention to.PUF is a kind of complicated physical system of utilizing production process deviation, and its input is called challenge (C), is output as and replys (R), R=PUF (C).Owing to there is deviation in production process, cause production firm cannot produce consistent complicated physical system, so opponent is also difficult to clone such physical system.Just because of uncontrollable this deviation in production process, make replying of PUF inherent with randomness, singularity, nonclonability, and distort damage.

For high safety grade key, from silicon technology PUF, extract key and there is following advantage than the RAM storage scheme with sensing detection network:

1) cost advantage: RAM storage needs long-term power supply, and PUF can adopt the CMOS technique of standard;

2) be difficult to clone: the foundation of PUF is the uncontrollable deviation of production firm, and production firm cannot produce identical PUF, so opponent is difficult to clone;

3) can effectively improve the complexity that invasion is attacked: be that on the one hand key only just occurs when needed in digital form; Attacking on the other hand PUF can only modeling and forecasting (ignoring hardware wooden horse), and modeling and forecasting need to obtain enough challenge responses pair, utilize the sensitive circuit cloth of PUF to be set as cage structure, needing opponent to break through cage structure and do not destroy the sensitive circuit of PUF and can wiretap can modeling and forecasting.

4) more new key is convenient: concerning PUF, only need a fresh key sequence number of outside input, public-key cryptography sequence number does not affect the fail safe of its corresponding key, and RAM storage needs external module to send safely new key to.

Replying by sensitive circuit of silicon PUF produces, be subject to the factors such as temperature voltage and chip are aging impact, for identical challenge, between resulting replying, may not there are differences in the same time, mainly by error correction, reduce at present the probability (error rate) of reconstruction failure.The expense of error correction is not low, and the error rate is lower, and its expense is also higher.For the key of high safety grade, probability ground extracts the solution that key is made mistakes and has not been.In addition, for high safety grade key, the fail safe that often replacing can improve key, therefore requires PUF can produce a large amount of challenge responses pair, and has good randomness.Generally speaking, replacement key memory requirement PUF energy certainty is rebuild, randomness is good, challenge response is many, and in addition, expense is also an importance.

In existing PUF scheme, the people such as Abhranil Maiti have provided a kind of oscillation rings PUF of high randomness of the FPGA of being suitable for realization in Improved Ring Oscillator PUF:An FPGA-friendly Secure Primitive (CRO scheme) literary composition, experimental result shows to approach 100% probability and rebuilds and reply, but the right quantity of the challenge response of their scheme is few, in reliability, approach 100% also slightly inadequately for high-grade key, be therefore unsuitable for substituting high-grade key storage.Oscillation rings PUF equally, the schemes of people in Secure and Robust Error Correction for Physical Unclonable Functions (IBS scheme) literary composition such as Meng-Day (Mandel) YU can realize many challenge responses pair, also reach high random and higher reliability.Yet, be to have used error correction algorithm after all, increased on the one hand expense, on the other hand also infinite approach 1 hard to say of its reliability.

According to the experimental result of people in Extracting Secret Keys From Integrated Circuits mono-literary composition such as Daihyun Lim, without the arbitration physics of feedforward, can not clone variance rate between the sheet of modules A PUF is 23% (deviation=1-2*23%=52%), and in sheet, difference (error rate) is about 4.8%; Between the sheet of the APUF of band feedforward, variance rate is 38% (deviation=1-2*38%=24%), and the error rate is about 9.8%.The randomness of two kinds of APUF schemes (deviation is large) and reliability (error rate is high) all cannot meet the requirement of high-grade key.The people such as G.Edward Suh utilize APUF and oscillation rings PUF as cipher key source in AEGIS:A single-chip secure processor, in APUF, used BCH (255,63,30) error correcting code makes the error rate reach 1e-6 rank, because variance rate between the APUF sheet of their use only has 23%, therefore, its part random in replying is no more than 46%, existence is not less than 52% bit or is fixed as 1, be fixed as 0, uncertain key bit number is about 64*46%=29.44 (total acknowledgement bit is 255 bits); In oscillation rings PUF, used BCH (127,64,21) and preliminary treatment measure to reach the very low error rate, but this scheme exist challenge response the same as CRO scheme is to few problem.

In sum, current PUF solution is difficult to meet the demand of high safety grade key in reliability and efficiency.

Summary of the invention

The shortcoming that the object of the invention is to overcome prior art is with not enough, and design dual arbiter physics can not be cloned module DAPUF, provides a kind of invasion to physics based on DAPUF to attack the responsive crypto chip system that meets high safety grade demand.

Another object of the present invention is to, a kind of key extraction method of above-mentioned crypto chip system is provided, key can be rebuild successfully with very low average time complexity certainty.

In order to reach above-mentioned the first object, the present invention by the following technical solutions:

A kind of crypto chip system of the present invention, comprise that public key cryptography engine, symmetric cryptography engine, HASH engine, one-way function engine, nonvolatile storage, execution engine, a t key assistant manager side and dual arbiter physics can not clone module DAPUF, the sensitive circuit of DAPUF is laid in the periphery of crypto chip, forming cage structure is surrounded all execution engines, t key assistant manager square tube crossed IO bus and is connected with crypto chip system, and nonvolatile storage is integrated in chip.

Described public key cryptography engine is for carrying out the encryption of message and checking, and from DAPUF, extracts key and be decrypted and sign, also for carrying out the cryptographic operation to effective response share at key generation phase.

Described symmetric cryptography engine is for information is encrypted and is deciphered, and the key using can be the key of interim exchange, also can from DAPUF, extract.

Described HASH engine is signed and verifies required eap-message digest for generating public key cryptography, and from DAPUF, extracts key generating message authentication code.

Described one-way function engine is used for carrying out three parametrization one-way functions, and described parametrization one-way function is irreversible function; Three parametrization one-way functions are respectively the first parametrization one-way function OWF ₁, the second parametrization one-way function OWF ₂with the 3rd parametrization one-way function OWF ₃.

Described nonvolatile storage is for storage key sequence number KEYN, the hash result SETLR of effective response, the anti-XOR result DAXOR that arbitrates of just arbitration that DAPUF replys.

Described execution engine is used for carrying out key generation phase flow process and key phase of regeneration flow process, and uses Shamir threshold schemes that effective response is divided into t part, or uses Shamir threshold schemes that t part effective response share is merged into effective response.

The PKI of described t the key side of assistant manager in the management, for encrypting the effective response share after cutting apart, obtains the effective response share that t part is encrypted; When the owner of crypto chip files an application and the effective response share of encryption is provided, after at least one party's key assistant manager side checks and does not exist physics invasion to attack, t key assistant manager side used private key deciphering effective response separately, and decrypted result is sent back to crypto chip.

Described dual arbiter physics can not be cloned module DAPUF and be comprised m group delay circuit, and m positive moderator and m anti-moderator form, and the challenge C of a n bit of input obtains m bit and just arbitrating and reply LR and RR is replied in the anti-arbitration of m bit; In DAPUF, every group of delay circuit is comprised of n the two path selectors that enter scene 2, the pumping signal path of each path selector is controlled by a bit of challenging in C, pumping signal is divided into upper and lower two paths and arrives first path selector simultaneously, if the first bit of challenge is 0, the straight-through output of two paths of signals, exports otherwise intersect; After n the path selector that two paths of signals is controlled by the n bit by challenging, upper and lower two paths of signals is delivered to anti-moderator after directly delivering to positive moderator and intersection, the sequencing that positive moderator and anti-moderator arrive according to upper and lower two paths of signals, if set out on a journey, arrive first, export 1, otherwise output 0.

Preferably, m bit is just being arbitrated and is being replied the anti-arbitration of LR and m bit and reply RR XOR and obtain positive and negative XOR DAXOR, is that 1 response position corresponding to bit is significant bit, otherwise is invalid bit in DAXOR, abandon and just arbitrate after the invalid bit of replying, obtain effective response TLR.

Preferably, described the first parametrization one-way function OWF ₁for key sequence number KEYN is carried out to hash, the hashed value obtaining is as the challenge C of DAPUF, i.e. C=OWF ₁(KEYN); Described the second parametrization one-way function OWF ₂for being carried out to hash, effective response TLR obtains SETLR, i.e. SETLR=OWF ₂(TLR); Described the 3rd parametrization one-way function OWF ₃also for TLR is carried out to hash, the result of gained is as key K EY, i.e. KEY=OWF ₃(TLR).

In order to reach above-mentioned the second object, the present invention by the following technical solutions:

The key extraction method of a kind of crypto chip system of the present invention, comprises the steps:

S1: key generation phase:

S11: select a fresh Bit String to be designated as KEYN, by KEYN through the first parametrization one-way function OWF ₁the hashed value obtaining is as the challenge C of DAPUF, obtains m bit and just arbitrating and reply LR and RR is replied in the anti-arbitration of m bit, and the i bit of LR and RR is generated through positive moderator and the arbitration of anti-moderator by i group delay circuit;

S12: repeat once to using the hashed value of KEYN as challenge, the m bit obtaining is just being arbitrated and replied LR1, if LR1 is not equal to LR, returns to step S11, otherwise enters step S13;

S13:LR and RR XOR obtain DAXOR, and DAXOR result is that 1 corresponding position is effective bit, otherwise is invalid bit, if invalid bit surpasses s position, return to step S11; The invalid bit that abandons LR obtains effective response TLR, using TLR as the second parametrization one-way function OWF ₂input obtain hashed value SETLR; KEYN, SETLR and DAXOR are stored in nonvolatile storage as a tuple, so that phase of regeneration accurately recovers TLR;

S14: TLR is divided into t effective response share with Shamir threshold schemes, separately deposits after the public key encryption with t the key side of assistant manager in the management respectively;

S15: output key K EY=OWF ₃(TLR).

S2: key phase of regeneration:

S21: the challenge using the hashed value of KEYN as DAPUF, obtain replying into LR1 and RR1, in the DAXOR preserving according to generation phase, be 0 position, the invalid bit that abandons LR1 obtains TLR1;

S22: calculate SETLR1=OWF ₂(TLR1),, if SETLR1=SETLR, TLR=TLR1, exports key K EY=OWF ₃and finish phase of regeneration, otherwise execution step S23 (TLR1);

S23: the XOR result of calculating LR1 and RR1 obtains DAXOR1, finds the position of the difference bit between DAXOR1 and DAXOR, the relevant position of negate LR1 and abandon invalid bit after obtain TLR2, calculate SETLR2=OWF ₂(TLR2), if SETLR=SETLR2, TLR=TLR2, output KEY=OWF ₃and finish phase of regeneration (TLR2), add up else if number of times that this step carries out and be less than q time and return to step S21, otherwise; Execution step S24;

S24: the position of the difference bit obtaining according to step S23, and suppose have k bit there are differences, to each difference bit position, at every turn by 0 to 2 ^ka number in-1 converts k bit binary number to, replaces the value of corresponding difference bit position in LR1, abandons invalid bit and obtains TLR3; A bit in each negate TLR3 obtains TLRi3 (wherein not negate first), calculates SETLR4=OWF ₂(TLRi3),, if SETLR4=SETLR, TLR=TLRi3, exports key K EY=OWF ₃(TLRi3) and finish phase of regeneration, S24 carries out and is less than w time and returns to S21 else if, otherwise performs step S25;

S25: crypto chip is issued t key assistant manager side request deciphering by t effective response share of encrypting, key share is separately deciphered and beamed back in t key assistant manager side after at least one party confirms not exist physics invasion to attack; After collecting key share, use Shamir threshold schemes to recover effective response TLR, output key K EY=OWF ₃and finish phase of regeneration (TLR).

The present invention has following advantage and effect with respect to prior art:

1, key energy certainty is rebuild: step S25 guarantees that key can rebuild.

2, average behavior is good:

According to 64 groups of time-delay access in (xc5vlx30-2ff324 and the xc5vlx50-2ff324) FPGA in Xilinx company, 64 selectors of every group of path, altogether carry out 6,300,000 times and generated and rebuild experiment, analyzed the experimental result that draws correlation step in key extraction method.

For generation phase flow process, the time complexity of S11 is 1 one-way function computing, and the probability that in S12, LR1 and LR are equal is about 90%, and the probability that therefore jumps to S11 is 10%; In step S13, if set s, be 20% of LR length, produce the probability of redirect lower than 4%; Therefore in generation phase, time complexity is not cut apart higher than 4 one-way function computings and 1 Shamir threshold schemes.Concerning the generation phase of error correction scheme, wherein also essential to 2 one-way function computings of challenging and replying key to key sequence number, with IBS scheme, select BCH (63,30,6) be example, the coding of generation phase also needs polynomial multiplication, delivery and the addition of 63 bits respectively once (although CRO scheme approaches 100% reconstruction success, for high-grade key, its error rate is hard to say to meet the demands, and the challenge response of this scheme is few to quantity).

The error rate p1 of step S22 is not higher than 0.08, and the error rate p2 of step S23 is not higher than 0.004.Step S21-S23 is averaged to the estimation of time complexity:

Circulation for the first time: 1* (1-p1)+2*p1;

Circulation for the second time: 3*p2* (1-p1)+4*p2*p1;

Suppose q=2, the estimation error rate of step S21-S23 is p2 ²=1.6E-5, averaging of income time complexity is less than OWF 1.1 times ₂computing.

Consider temperature voltage difference, and the factor impact such as chip is aging, the actual error rate of step S21-S23 does not estimate that result is so little, and its reason is not have consideration because positive and negative moderator is made mistakes and caused the situation of DAXOR=DAXOR1 simultaneously.The one positive and negative moderator in tunnel is replied the experiment probability of simultaneously makeing mistakes and is less than 1e-4 (the 630 Wan Ci 64 positive and negative moderators in tunnels experiments Zhong Yi road are replied to make mistakes and occurred 617 times, two-way or do not have to occur above) and k be greater than 1 probability not higher than 0.004, step S24 needs 2 at most ^k* 65 OWF ₂computing (wherein once not negate, all the other are for 64 times each negate one bit), so expectation computing complexity is less than OWF 0.1 time ₂computing.

It is why low that the one positive and negative moderator in tunnel is replied the probability of simultaneously makeing mistakes, its reason is: noise is divided into moderator noise and delay circuit noise (overall noises of 64 selectors of experiment middle finger), if causing just to arbitrate, delay circuit noise replys upset, can prove, it is more stable that this noise can allow anti-arbitration reply, and vice versa; Only very little at delay circuit noise, and positive moderator and when anti-moderator noise is anti-phase and absolute value is all very large, can occur that positive and negative arbitration is replied simultaneously to make mistakes.

The experiment probability of simultaneously makeing mistakes due to the positive and negative moderator of two-way is not higher than 1.6e-7 (not occurring in 6,300,000 experiments), and the probability that step S25 carries out is very low, and it can be ignored the contribution of average calculating operation complexity.

Therefore, suitably select q value in S23 and the w value in S24, the probability of carrying out threshold schemes can approach arbitrarily 0, and the expectation computing complexity of key phase of regeneration flow process is not higher than 3.5 one-way function computings (1.2 OWF ₁+ 1.2 OWF ₂+ 1 OWF ₃computing).

If S12 does not allow to jump to S11, q and the w in S24 in S23 can not be greater than 1, and the probability of carrying out S24 is slightly high, but statistical average time complexity is not now also higher than 4 one-way function computings.If S13 does not allow to return S11 yet, may make some significant bit in replying less, in experiment, once occurred that, up to 23 invalid bits, average invalid bit was about 7.6.

Generation in cipher key-extraction and the basis that rebuilds computing are that bit XOR relatively abandons and one-way function, and one-way function can utilize symmetric cryptography or HASH to construct, thereby can realize high-speed and area is multiplexing.(IBS selects BCH (n=63 to error correction scheme, 30, t=6)) coding need n bit polynomial multiplication, delivery and addition each once, the complexity of decoding approximately needs n bit addition of polynomial and each 2t of multiplication (n+t) inferior (n herein and t are the parameters of BCH).Certainly, similar with the generation phase of error correction scheme, the phase of regeneration of error correction scheme also needs 2 one-way function computings.

In key extraction method of the present invention, the complexity of generation phase is higher than phase of regeneration, and error correction is contrary.Due to concerning a key, generation phase only needs once, and phase of regeneration is repeatedly, so this has also improved whole efficiency.

3, randomness is good: can prove that the output bias (output more than 1 to 0 or more than 0 to 1) of APUF, from the delay inequality (being called for short the arbitration time difference) of two input pins of moderator, removes after invalid bit at DAPUF, be equivalent to the part of deviation to remove.Arbitrate in practice difference (two arbitration time differences subtract each other) and be not equal to zero, therefore concerning concrete device, still there is less output bias, but for different components, because arbitration difference can just can be born, therefore concerning a large amount of devices, there is not deviation in its total output; In addition, concerning individual devices, completely contrary with the Output rusults of anti-arbitration owing to effectively just arbitrating, there is not in this sense deviation yet.

4, the challenge response of DAPUF is to many: according to experimental result, surpass 96% the significant bit of replying over 80%, therefore, estimate that total challenge response is to reaching 0.96*2 ⁶⁴> 2 ^64*80%=2 ⁵¹right, this is conservative estimation, if by 7.6 calculations of average invalid bit of experiment, total challenge response is to reaching 2 ^56.4to ° further right quantity of challenge response that increases of bit number meeting that increases the bit number of challenge and just arbitrating anti-arbitration, if the bit number of challenge is u, the bit number of just arbitrating is v, estimates that challenge response is approximately min (0.96*2 to quantity ^u, 2 ^v*80%).

5, challenge and reply redundancy few.Although error correction scheme cannot reach certainty, rebuild successfully, error correction still can realize the error rate lower than 1e-6.Same output v bit significant bit, DAPUF scheme needs 20% redundancy, need the positive and negative arbitration of v*1.25 bit to reply, and IBS needs * 63 bits are replied (every bit is replied by 8 pairs of oscillation rings difference on the frequencies and produced).Set identical minimum entropy, reply redundancy minimizing and mean the also corresponding minimizing of area that PUF sensitive circuit consumes.For challenge, DAPUF comprises about 4% redundancy, and IBS scheme has 87.5% redundancy.

6, it is more responsive to PIA: if PIA destroys the PUF circuit that surpasses a road significant bit, DAPUF scheme causes reconstruction failure (average every destruction 2.5 tunnels postpone the PUF circuit that path will cause destroying two-way significant bit) owing to being no less than side's key assistant manager side refusal deciphering TLR share, and error correction scheme is still likely reconstructed into merit higher than can correct number of bits in the situation that destroying not, concerning IBS scheme, destroy over 6 bit PUF circuit and still can rebuild successfully with high probability.

Accompanying drawing explanation

Fig. 1 is the structural representation of crypto chip of the present invention;

Fig. 2 is the structural representation of the APUF of people's propositions such as Daihun Lim;

Fig. 3 is the structural representation of DAPUF of the present invention;

Fig. 4 is key generation phase flow chart of the present invention;

Fig. 5 is key phase of regeneration flow chart of the present invention.

Embodiment

Below in conjunction with embodiment and accompanying drawing, the present invention is described in further detail, but embodiments of the present invention are not limited to this.

Embodiment

Crypto chip as shown in Figure 1, comprise public key cryptography engine, symmetric cryptography engine, HASH engine, one-way function engine, nonvolatile storage, execution engine, a t key assistant manager side and dual arbiter physics and can not clone module DAPUF, the sensitive circuit of DAPUF is laid in the periphery of crypto chip, forms cage structure all execution engines are surrounded.T password assistant manager square tube crossed IO bus and is connected, and nonvolatile storage is integrated in chip.

Described one-way function engine is used for carrying out three parametrization one-way functions, and described three parametrization one-way functions are respectively the first parametrization one-way function OWF ₁, the second parametrization one-way function OWF ₂with the 3rd parametrization one-way function OWF ₃, described the first parametrization one-way function OWF ₁for key sequence number KEYN is carried out to hash, the hashed value obtaining is as the challenge of DAPUF; Described the second parametrization one-way function OWF ₂for the effective response bit string TLR to DAPUF, carry out hash, result SETLR and the KEYN of gained are stored together; Described the 3rd parametrization one-way function OWF ₃also for TLR is carried out to hash, the result of gained is as key K EY.Described nonvolatile storage is just arbitrating for hash result SETLR, the DAPUF of storage key sequence number KEYN, effective response the XOR result DAXOR that anti-arbitration is replied.

The PKI of described t the key side of assistant manager in the management, for encrypting the effective response after cutting apart, obtains the effective response that t part is encrypted; When the owner of crypto chip files an application and the effective response share of encryption is provided, after at least one party's password assistant manager side checks and does not exist physics invasion to attack, t key assistant manager side used private key deciphering effective response separately, and decrypted result is sent back to crypto chip.

Described dual arbiter physics can not be cloned module DAPUF increases an anti-moderator on the basis of APUF, the original moderator of APUF is called positive moderator, positive moderator and the parallel connection of anti-moderator and up and down two paths of signals exchange, and obtain respectively and are just arbitrating and instead arbitrating and reply; DAPUF is usingd n bit challenge information C as input, wherein C=OWF ₁(KEYN), the m bit obtaining is just being arbitrated and is being replied the anti-arbitration with m bit and reply, just arbitrating and anti-arbitration to reply in XOR result DAXOR be that 1 response position corresponding to bit is effective bit, just arbitrating bit string TLR that the effective bit of replying forms through OWF ₂the hashed value SETLR obtaining, TLR is through OWF ₃the hashed value obtaining is as key K EY corresponding to key sequence number, and KEYN, SETLR and DAXOR are stored together, to judge whether to obtain correct KEY when rebuilding.

The dual arbiter physics that the present embodiment proposes can not be cloned module DAPUF and can not be cloned modules A PUF and improve by arbitrating physics, and APUF is proposed in Extracting Secret Keys From Integrated Circuits mono-literary composition by people such as Daihyun Lim.A given challenge C can obtain one and reply R from PUF.As shown in Figure 2, the delay circuit that APUF is comprised of n selector and a moderator form, and are called n stage A PUF.The challenge C=c of APUF ₀, c ₁, L, c _nin each bit control a selector, work as c _ibe 0 o'clock, the straight-through output of two paths of signals of selector, works as c _ibe 1 o'clock, the two paths of signals of selector intersects to be exported.When a rising edge pumping signal is transferred to first selector, for this selector, the rising edge of upper and lower two paths of signals arrives simultaneously.Signal, through first selector, due to the deviation of circuit manufacture procedure, changes the sequencing of two-way output signal.After n selector, two paths of signals arrives moderator, and its priority sequence number has determined the output of moderator, if the signal of setting out on a journey first arrives, moderator output 1, otherwise output 0.

The structure of DAPUF as shown in Figure 3, the schematic diagram of Tu3Shi No. mono-delay circuit, available d type flip flop is as moderator, when the many bits of needs are replied, only need copy multichannel.In FPGA experiment, rising edge pumping signal is produced by register, and register is set to full 0 in advance, then complete 1, writes register and produces rising edge pumping signal.The object of doing is like this synthesis tool abbreviation circuit for fear of FPGA.Passing through on the basis of theory analysis APUF as shown in Figure 1, process is altogether just being arbitrated for 6,300,000 times at every turn replied and instead arbitrate and reply in (xc5vlx30-2ff324 and the xc5vlx50-2ff324) of Xilinx company FPGA is all the experimental verification of 64 bits, and the error rate of the significant bit of the DAPUF shown in Fig. 3 is lower than 0.08.In 6300000 experiments, appearance one tunnel is just being arbitrated and replied the number of times of simultaneously makeing mistakes with anti-arbitration is 617 times; Just arbitrating and replying the road of makeing mistakes and have 478555 times, two-way to have 19453 times, three tunnels to have 506 times, four tunnels to have 16 times, five tunnels to have 1 time, surpassing 5 tunnels and just arbitrating the situation of makeing mistakes and do not occur.According to theory analysis and experimental result, we propose the key extraction method as described in summary of the invention " key generation phase " and " key phase of regeneration ", do not occur needing Shamir threshold schemes to recover the situation of key in 6,300,000 experiments.

As long as it is irreversible that the one-way function that the present embodiment is carried meets, can be as required with symmetric cryptographic algorithm or HASH algorithm construction.

DAPUF performance evaluation:

Wherein as shown in Figure 2, the time delay time difference of remembering each selector is Δ to the structure of APUF _i, note moderator is Δ to the time delay time difference of upper and lower two paths of signals _a, total time delay time difference is to ignore noise effect:

Θ＝(Δ ₁+Δ ₂+，L，+Δ _n+Δ _a)

＝Δ _d+Δ _a

In formula (1), Δ _dthe TF that represents delay circuit.The output of arbitration can be expressed as:

r = \{\begin{matrix} 1 & Θ > 0 \\ 0 & Θ \leq 0 \end{matrix}

= \{\begin{matrix} 1 & Δ_{d} > {- Δ}_{a} \\ 0 & Δ_{d} \leq {- Δ}_{a} \end{matrix}

The time missionary society of two pins of moderator causes that the output of moderator produces deviation, | Δ _a| less deviation is less.Work as Δ _aduring < 0, moderator is output as 0 deviation (replying of producing of random challenge, 0 quantity is than more than 1), works as Δ _aduring > 0, moderator is output as 1 deviation.

The time delay absolute value of moderator is less, and the number of stages of delay circuit is more, and the randomness of its output is better.

Because the time delay absolute value of moderator is determined by system, can not infinitely reduce (if certainly too little or equal 0 be also unfavorable for improving reliability), the number of stages of delay circuit can not infinitely increase.For effectively improving randomness, the present embodiment proposes to adopt DAPUF as shown in Figure 3, its objective is by the difference of two moderators, 0 deviation or 1 deviation is removed, thereby effectively improved randomness and the reliability of output.

As the circuit of Fig. 3, for two moderators:

(1) work as Δ _aduring > 0, the output of two moderators can be 11,01 and 10, can not occur 00;

(2) work as Δ _aduring < 0, the output of two moderators can be 00,01 and 10, can not occur 11.

No matter be situation 1 or situation 2, only two moderators need to be exported to identical situation and reject, will not there is not deviation in the output of moderator.DAPUF, just by difference, exports identical situation by two moderators and rejects, thereby rejects the deviation in output.This is the equal resulting result of the pin time difference of two moderators of supposition, and unequal when the pin time difference of two moderators, the randomness of DAPUF is subject to | Δ _a1-Δ _a2| impact.

While considering noise problem, can reduce the reliability of moderator output.Yet the part rejected due to DAPUF is more easily affected by noise has low reliability, so the output of DAPUF is improved significantly than the reliability of the output of APUF.Noise is designated as to Δ _nd, Δ n _a1and Δ _na2, represent respectively the noise of delay circuit, positive moderator noise and anti-moderator noise.The noise that affects positive moderator output reliability is Δ _nd+ Δ _na1, the noise that affects anti-moderator output reliability is-Δ _nd+ Δ _na2, therefore, if | Δ _nd| when very large, will cause that a moderator output changes, the stability of another moderator output is but strengthened, and only exists | Δ _nd| very little, and | Δ _na1| and | Δ _na2| when all very large, just can cause that the output of two moderators changes simultaneously.

Table 1

Note 1: generate in original text and rebuild all not mention and use 2 unidirectional computings, if but using the PUF scheme in original text as cipher key source, unidirectional computing is essential.

Note 2:CRO scheme at the error rate and challenge response to quantitatively being all difficult to meet the requirement of high-grade key.

The Performance Ratio that table 1 has been listed the DAPUF that the present embodiment is put forward (this case) and diplomatic scheme.During deviation refers to reply, 1 probability subtracts the absolute value of 0 probability, deviation is 0 to be the necessary condition of randomness, in selector time delay evenly with under distributional assumption, the provable deviation of this case is 0, consider moderator time delay difference and saving resource problem, in single-chip experiment, deviation can be up to 2%, and multi-chip experiment is basic Normal Distribution.The error rate refers to rebuilds the error probability of replying.CRPs refers to the quantity that the challenge response in scheme is right.Expense comprises computing cost and reply redundancy, and in preliminary treatment, IBS and CRO calculate number do subtraction cycle of oscillation, and each bit is replied the difference on the frequency that need to calculate 8 pairs of oscillation rings, and this case is for XOR with abandon invalid response; Error correction coding need n bit (n refers to total bit number that PUF replys herein) polynomial multiplication, delivery and addition each once, the complexity of decoding approximately need n bit addition of polynomial and each 2t of multiplication (n+t) inferior.Error correction is abandoned in this case, adopted and repeated to rebuild comparison and in conjunction with threshold schemes, average calculating operation expense is mainly that (key generation phase has been used Shamir threshold schemes to cut apart to one-way function, in reconstruction, need the probability that uses Shamir threshold schemes to recover to approach arbitrarily 0, concerning a key, only generate and need once, rebuild and can in the life cycle of this key, use repeatedly), one-way function can be constructed with symmetric cryptography, also available HASH constructs, only need to meet irreversiblely, employing threshold schemes guarantee that the sure reconstruction of the present embodiment replys; The multiple of acknowledgement bit refers to the ratio of replying total bit number and effective response bit number.

The key extraction method of the present embodiment based on above-mentioned crypto chip system, comprises key generation phase and key phase of regeneration, below with regard to these two stage concrete analyses.

As shown in Figure 4, the key generation method of the present embodiment crypto chip system key extracting method is as follows:

S15: output key K EY=OWF ₃(TLR).

With algorithm pattern, key generation phase flow process is described as follows:

As shown in Figure 5, the key reconsul construction method of the present embodiment based on crypto chip system key extracting method, comprises the steps:

S21: the challenge using the hashed value of KEYN as DAPUF, obtain replying into LR1 and RR1, in the DAXOR preserving according to generation phase, be 0 position, the invalid bit that abandons LR1 obtains TLR1:

S22: calculate SETLR1=OWF ₂(TLR1),, if SETLR1=SETLR, TLR=TLR1, exports key K EY=OWF ₃and finish phase of regeneration, otherwise execution step S23 (LR1);

S23: the XOR result of calculating LR1 and RR1 obtains DAXOR1, finds the position of the difference bit between DAXOR1 and DAXOR, the relevant position of negate LR1 and abandon invalid bit after obtain TLR2, calculate SETLR2=OWF ₂(TLR2), if SETLR=SETLR2, TLR=TLR2, output KEY=OWF ₃(TLR2) and finish phase of regeneration, add up else if number of times that this step carries out and be less than q time and return to step S21, otherwise perform step S24;

With algorithm pattern, key phase of regeneration flow process is described as follows:

Above-described embodiment is preferably execution mode of the present invention; but embodiments of the present invention are not restricted to the described embodiments; other any do not deviate from change, the modification done under Spirit Essence of the present invention and principle, substitutes, combination, simplify; all should be equivalent substitute mode, within being included in protection scope of the present invention.

Claims

1. a crypto chip system, it is characterized in that, comprise that public key cryptography engine, symmetric cryptography engine, HASH engine, one-way function engine, nonvolatile storage, execution engine, a t key assistant manager side and dual arbiter physics can not clone module DAPUF, the sensitive circuit of DAPUF is laid in the periphery of crypto chip, forming cage structure is surrounded all execution engines, t key assistant manager square tube crossed IO bus and is connected with crypto chip system, and nonvolatile storage is integrated in chip;

Described public key cryptography engine is for carrying out the encryption of message and checking, and from DAPUF, extracts key and be decrypted and sign, also for carrying out the cryptographic operation to effective response share at key generation phase;

Described symmetric cryptography engine is for information is encrypted and is deciphered, and the key using can be the key of interim exchange, also can from DAPUF, extract;

Described HASH engine is signed and verifies required eap-message digest for generating public key cryptography, and from DAPUF, extracts key generating message authentication code;

Described one-way function engine is used for carrying out three parametrization one-way functions, and described parametrization one-way function is irreversible function; Three parametrization one-way functions are respectively the first parametrization one-way function OWF ₁, the second parametrization one-way function OWF ₂with the 3rd parametrization one-way function OWF ₃;

Described nonvolatile storage is for storage key sequence number KEYN, the hash result SETLR of effective response, the anti-XOR result DAXOR that arbitrates of just arbitration that DAPUF replys;

Described execution engine is used for carrying out key generation phase flow process and key phase of regeneration flow process, and uses Shamir threshold schemes that effective response is divided into t part, or uses Shamir threshold schemes that t part effective response share is merged into effective response;

The PKI of described t the key side of assistant manager in the management, for encrypting the effective response share after cutting apart, obtains the effective response share that t part is encrypted; When the owner of crypto chip files an application and the effective response share of encryption is provided, after at least one party's key assistant manager side checks and does not exist physics invasion to attack, t key assistant manager side used private key deciphering effective response separately, and decrypted result is sent back to crypto chip;

Described dual arbiter physics can not be cloned module DAPUF and be comprised m group delay circuit, m positive moderator and m anti-moderator, and the challenge C of a n bit of input obtains m bit and is just arbitrating and reply LR and RR is replied in the anti-arbitration of m bit; In DAPUF, every group of delay circuit is comprised of n the two path selectors that enter scene 2, the pumping signal path of each path selector is controlled by a bit of challenging in C, pumping signal is divided into upper and lower two paths and arrives first path selector simultaneously, if the first bit of challenge is 0, the straight-through output of two paths of signals, exports otherwise intersect; After n the path selector that two paths of signals is controlled by the n bit by challenging, upper and lower two paths of signals is delivered to anti-moderator after directly delivering to positive moderator and intersection, the sequencing that positive moderator and anti-moderator arrive according to upper and lower two paths of signals, if set out on a journey, arrive first, export 1, otherwise output 0.

2. crypto chip system according to claim 1, it is characterized in that m bit is just being arbitrated replys the anti-arbitration of LR and m bit and replys RR XOR and obtain positive and negative XOR DAXOR, in DAXOR, be that 1 response position corresponding to bit is significant bit, otherwise be invalid bit, abandon and just arbitrate after the invalid bit of replying, obtain effective response TLR.

3. crypto chip system according to claim 2, is characterized in that, described the first parametrization one-way function OWF ₁for key sequence number KEYN is carried out to hash, the hashed value obtaining is as the challenge C of DAPUF, i.e. C=OWF ₁(KEYN); Described the second parametrization one-way function OWF ₂for being carried out to hash, effective response TLR obtains SETLR, i.e. SETLR=OWF ₂(TLR); Described the 3rd parametrization one-way function OWF ₃also for TLR is carried out to hash, the result of gained is as key K EY, i.e. KEY=OWF ₃(TLR).

4. the key extraction method based on crypto chip system described in claim 3, is characterized in that, comprises the steps:

S1: key generation phase:

S11: select a fresh Bit String as key sequence number KEYN, by KEYN through the first parametrization one-way function OWF ₁the hashed value obtaining is as the challenge C of DAPUF, obtains m bit and just arbitrating and reply LR and RR is replied in the anti-arbitration of m bit, and the i bit of LR and RR is generated through positive moderator and the arbitration of anti-moderator by i group delay circuit, and wherein i gets all over each value between 1 to m;

S15: output key K EY=OWF ₃(TLR);

S2: key phase of regeneration:

S24: the position of the difference bit obtaining according to step S23, and suppose have k bit there are differences, to each difference bit position, at every turn by 0 to 2 ^ka number in-1 converts k bit binary number to, replaces the value of corresponding difference bit position in LR1, abandons invalid bit and obtains TLR3; TLRi3 get all over set TLR3, negate TLR3 the 1st bit, negate TLR3 the 2nd bit ..., last bit of negate TLR3 in each value, calculate SETLR4=OWF ₂(TLRi3),, if SETLR4=SETLR, TLR=TLRi3, exports key K EY=OWF ₃(TLRi3) and finish phase of regeneration, S24 carries out and is less than w time and returns to S21 else if, otherwise performs step S25;