CN112131614A - Self-adaptively configured PUF (physical unclonable function) equipment, fusion terminal containing PUF equipment and identity authentication system - Google Patents


Publication number
CN112131614A
Authority
CN
China
Prior art keywords
signal
response
configuration
puf
excitation
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202010922127.4A
Other languages
Chinese (zh)
Inventor
孙侃
卜权
丁旸
张绚
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Jiayuan Technology Co Ltd
Original Assignee
Jiayuan Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70: Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71: Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
    • G06F21/73: Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information by creating or determining hardware identification, e.g. serial numbers
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00: Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21: Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2103: Challenge-response

Abstract

The invention discloses a self-adaptively configured PUF device, a fusion terminal containing the PUF device, and an identity authentication system. Under the coordinating control of the control module, the encryption error correction module encrypts the original excitation signal to obtain a configuration signal; the oscillating circuit of each RO unit receives the configuration signal and, after counting and comparison, the RO unit outputs its response signal bit value; the control module generates the response output signal of the PUF from the response signal bit values output by the plurality of RO units in the RO array, and the encryption error correction module performs error correction on that response output signal to obtain the final excitation response signal. The PUF device can adaptively adjust its own oscillation frequency for different configuration signals and guarantees the uniqueness, reliability and stability of the excitation response.

Description

Self-adaptively configured PUF (physical unclonable function) equipment, fusion terminal containing PUF equipment and identity authentication system
Technical Field
The invention relates to the technical field of information security, in particular to a PUF device with self-adaptive configuration, a fusion terminal containing the PUF device and an identity authentication system.
Background
Physically Unclonable Functions (PUFs) are an emerging type of cryptographic component. A PUF extracts the random differences that manufacturing process inconsistencies introduce between gates or connections (wires) within an integrated circuit, and uses these random differences to generate a cryptographic (response) signal with certain rules. The response signal of the PUF is generated automatically when the device is powered up and disappears when the device is powered down. Thus, if the response signal of the PUF is used as the encryption key, the key does not need to be stored in memory, which improves the security of key storage. In addition, the PUF has a simple structure and low power consumption, is physically unclonable and unpredictable, and therefore has great research value and wide application prospects in the field of information security.
Since a conventional PUF requires more hardware resources, it is difficult to implement an encryption application with sufficient security, such as an RFID system, under a low-cost constraint. The PUF structures proposed so far suffer from high hardware implementation cost, poor security and poor reliability.
Disclosure of Invention
The invention aims to provide a PUF device with self-adaptive configuration, a fusion terminal containing the PUF device and an identity authentication system.
The technical scheme adopted by the invention is as follows:
in one aspect, the present invention provides an adaptively configured PUF device comprising a control module and an RO array, the RO array comprising a plurality of RO units, each RO unit comprising an oscillation circuit, a register, a counter, and a comparator, respectively; the oscillation circuits of the RO units have the same structure;
in each PUF response process of each RO unit, the control module controls each oscillating circuit to receive a pair of configuration signals, and the oscillating circuit successively responds to each configuration signal and respectively outputs the oscillating signals to the counter; the control module controls the counter to count the oscillation signals corresponding to the configuration signals and outputs the previously obtained counting result to the register; the control module controls the comparator to obtain two counting results output by the register and the counter, and outputs a response signal bit value corresponding to a single RO unit according to the comparison result of the two counting results;
the control module generates response output signals of the PUF according to the response signal bit values output by the plurality of RO units in the RO array.
When the method is applied, two configuration signals in a pair of configuration signals input to the RO unit ring oscillation circuit are different, the oscillation circuit is adapted to the different configuration signals to generate different oscillation frequencies, and therefore a response signal bit value is obtained based on a comparison result of the two oscillation frequencies. Due to errors in the manufacturing process of the plurality of RO units, the response signal bit values output by the plurality of RO units of the same PUF may be the same or different, and the response output signal output by the PUF may consist of the response signal bit values of the plurality of RO units.
Optionally, the oscillation circuit unit includes a plurality of inverter delay units connected in series in a ring circuit, and a nand gate delay unit, each nand gate delay unit and each inverter delay unit respectively include a configuration input end, and the ring circuit includes an oscillation signal output end for connecting a counter; the configuration signals include delay adjustment signals corresponding to each of the configuration inputs. The configuration signal is used for carrying out configuration adjustment on the time delay of the NAND gate delay unit and the inverter delay unit, so that the ring oscillator circuit generates different oscillation frequencies.
Optionally, the adaptive PUF device of the present invention further includes an encryption error correction module, where the control module controls the encryption error correction module to receive an external original excitation signal, and encrypts the original excitation signal to obtain a configuration signal, and transmits the configuration signal to an oscillation circuit unit in each RO unit;
the control module also controls the encryption error correction module to carry out error correction processing on the response output signal of the PUF to obtain a final excitation response signal. The encryption and error correction module of the invention can adopt SM1 encryption algorithm to encrypt the excitation signal.
Optionally, the encryption error correction module performs error correction processing on the response output signal of the RO array by using a fuzzy extraction algorithm of IBS encoding to obtain a final excitation response signal.
Optionally, the adaptive PUF device further comprises a timer controlled by the control module;
the control module clears the timer and the counter in response to receiving the external excitation signal;
the control module controls the encryption error correction module to process an external excitation signal to obtain a pair of different configuration signals, the control module controls the encryption error correction module to transmit the two configuration signals to the oscillation circuit in sequence for delayed configuration, and the operation executed after each configuration comprises the following steps: enabling a timer and an oscillating circuit, and controlling a counter to start counting the oscillation frequency of the oscillating circuit; in response to the overflow of the timer, controlling the oscillation circuit to stop running, and stopping counting by the counter;
for two configuration signals corresponding to one external excitation signal, the control module controls the counter to store the counting result obtained by corresponding to the prior configuration into the register, and then the operation executed after the configuration is repeated, so that the counter obtains the counting result obtained by corresponding to the subsequent configuration and transmits the counting result to the comparator.
In a second aspect, the present invention provides a key generation method for an adaptive PUF device according to the first aspect, including:
receiving an external excitation signal;
in response to receiving an external excitation signal, encrypting the external excitation signal to obtain an oscillation circuit configuration signal;
configuring the oscillation circuit in each RO unit based on the configuration signal to obtain the oscillation signal of the configured ring oscillation circuit;
the oscillation times of the oscillation circuit in each RO unit responding to the two configuration signals are respectively counted in a timing mode, and the two counting results are compared;
and determining a response output signal, namely the secret key, according to the counting comparison result of each RO unit in the RO array.
Optionally, determining the response output signal according to the count comparison result of each RO unit in the RO array comprises:
determining the output of the counting comparison result of each RO unit;
performing error correction processing on the count comparison result output of each RO unit in the RO array by adopting a fuzzy extraction algorithm of IBS coding to obtain a final response output signal.
In a third aspect, the present invention provides a fusion terminal, which includes the PUF device of the first aspect.
The fusion terminal can be any terminal equipment that requires identity authentication, in a variety of settings. For example, the fusion terminal may also comprise a core CPU, an alternating current sampling module, a communication module, a storage module, a local indication module and the like, and the functions of the control module in the PUF device can be implemented by the core CPU using container technology, which facilitates independent development or extension of the software involved in the key generation process.
In a fourth aspect, the present invention provides an identity authentication system, including the fusion terminal of the third aspect and a master station, where the master station includes a database of excitation response pairs (CRPs), and the CRPs database stores a plurality of excitation response pairs corresponding to the PUF devices in the fusion terminal;
when the identity is authenticated, the master station sends an excitation signal of any excitation response pair in the CRPs database to the fusion terminal at least once;
the fusion terminal generates an excitation response signal based on the received excitation signal by using the PUF equipment and returns the excitation response signal to the master station;
the master station receives the identity authentication identification code, queries the CRPs database to determine whether the corresponding excitation response pair exists, and judges whether the fusion terminal is legal equipment according to the query result.
Optionally, the master station sends an excitation signal to the fusion terminal multiple times, acquires the corresponding signal returned by the fusion terminal each time, queries the excitation response pair, and determines that the fusion terminal is a legal device if a set proportion of the query results indicate that a corresponding excitation response pair exists;
after each authentication, the master station deletes the excitation response pairs that have been used from the CRPs database, avoiding the security risk brought by repeated use.
Optionally, in the identity authentication system, the master station prestores unique identity identification codes of the respective fusion terminals, and during each identity authentication, the master station sends a handshake signal to the fusion terminals, the fusion terminals return the unique identity identification codes to the master station in response to receiving the handshake signal, the master station performs local inquiry after receiving the handshake signal, and if a corresponding unique identity identification code exists, sends an excitation signal to the fusion terminals.
And if the identification codes do not accord with each other, the verification of the excitation response pair is not continued.
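The handshake, repeated excitation/response rounds, pass-ratio decision and deletion of used pairs described in the fourth aspect can be put together as follows. This is an added example, not code from the patent: the class and method names, the round count and the 0.8 ratio are hypothetical, and a keyed hash stands in for the terminal's PUF device.

```python
import hashlib
import hmac
import secrets


class Terminal:
    """Fusion terminal; a keyed hash stands in for its PUF device (assumption)."""

    def __init__(self, device_id, silicon):
        self.device_id = device_id
        self._silicon = silicon          # models the chip's physical randomness
        self.challenges_seen = 0

    def handshake(self):
        return self.device_id            # unique identity identification code

    def respond(self, challenge):
        self.challenges_seen += 1
        return hmac.new(self._silicon, challenge, hashlib.sha256).digest()


class MasterStation:
    def __init__(self):
        # device id -> list of (excitation, response) pairs collected in advance
        self.crps = {}

    def enroll(self, terminal, count):
        """Fill the CRPs database; assumed to happen in a trusted environment."""
        pairs = []
        for _ in range(count):
            challenge = secrets.token_bytes(16)
            pairs.append((challenge, terminal.respond(challenge)))
        self.crps[terminal.device_id] = pairs

    def authenticate(self, terminal, rounds=5, min_ratio=0.8):
        pairs = self.crps.get(terminal.handshake())
        if pairs is None:
            return False                 # unknown ID: no excitation signal is sent
        if len(pairs) < rounds:
            return False                 # database exhausted: never reuse a pair
        passed = 0
        for _ in range(rounds):
            # pop() deletes the pair, so it is consumed whether the round passes or not
            challenge, expected = pairs.pop(secrets.randbelow(len(pairs)))
            answer = terminal.respond(challenge)
            if hmac.compare_digest(answer, expected):   # constant-time comparison
                passed += 1
        return passed / rounds >= min_ratio


if __name__ == "__main__":
    station = MasterStation()
    genuine = Terminal("T-0001", b"constructed silicon A")   # constructed sample values
    station.enroll(genuine, 20)
    print("genuine:", station.authenticate(genuine))
    clone = Terminal("T-0001", b"constructed silicon B")     # same ID, different chip
    print("clone:", station.authenticate(clone))
    print("pairs left:", len(station.crps["T-0001"]))
```

Because every issued pair is deleted, the database shrinks by `rounds` on each attempt, including failed ones, so the enrolment size bounds how many authentications a terminal can perform before re-enrolment.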
Advantageous effects
The invention improves the traditional RO-PUF, compares the oscillation frequency change of the same RO unit under different configuration signals through an RO circuit which changes the oscillation frequency through a self-adaptive configuration signal, and further determines one bit of data in an excitation response signal to obtain all the excitation response signals, thereby realizing the self-adaptive APUF.
On the basis, the invention can further ensure the uniqueness, reliability and stability of the PUF device by encrypting the excitation signal and carrying out error correction processing on the excitation response signal.
The identity authentication system can be suitable for various scenes of industrial production to realize the identity authentication of equipment and ensure the production safety.
Drawings
FIG. 1 is a schematic diagram of the principle structure of an adaptive APUF apparatus according to the present invention;
FIG. 2 is a schematic diagram of a k-sum PUF principle;
FIG. 3 is a schematic diagram of IBS-ECC (index-based syndrome error-correcting code) IBS error correction coding principle;
FIG. 4 is a schematic diagram of a chain comparison strategy.
Detailed Description
The following further description is made in conjunction with the accompanying drawings and the specific embodiments.
Example 1
This embodiment introduces a self-adaptively configured PUF device, comprising a control module and an RO array, the RO array comprising a plurality of RO units, each RO unit comprising an oscillation circuit, a register, a counter, and a comparator, respectively; as shown in fig. 1.
In each PUF response process of each RO unit, the control module controls each oscillating circuit to receive a pair of configuration signals, and the oscillating circuit successively responds to each configuration signal and respectively outputs the oscillating signals to the counter; the control module controls the counter to count the oscillation signals corresponding to the configuration signals and outputs the previously obtained counting result to the register; the control module controls the comparator to obtain two counting results output by the register and the counter, and outputs a response signal bit value corresponding to a single RO unit according to the comparison result of the two counting results;
the control module generates response output signals of the PUF according to the response signal bit values output by the plurality of RO units in the RO array.
When the method is applied, two configuration signals in a pair of configuration signals input to the RO unit ring oscillation circuit are different, the oscillation circuit is adapted to the different configuration signals to generate different oscillation frequencies, and therefore a response signal bit value is obtained based on a comparison result of the two oscillation frequencies. Due to errors in the manufacturing process of the plurality of RO units, the response signal bit values output by the plurality of RO units of the same PUF may be the same or different, and the response output signal output by the PUF may consist of the response signal bit values of the plurality of RO units.
In this embodiment, the control module is configured to coordinate and control operations among other components, including controlling output of configuration signals, enabling the oscillation circuit, controlling counting/storing of the counter/register and evaluation of the comparator. In addition, a timer function should be implemented in the control module for implementing time control in the system.
The oscillating circuit unit includes a plurality of Inverter Delay Units (IDUs) and a NAND gate Delay Unit (NDU) connected in series in a ring circuit; fig. 1 shows a plurality of IDUs and one NDU. Each NAND gate delay unit and each inverter delay unit comprises a configuration input end, and the ring circuit comprises an oscillation signal output end for connecting to the counter. The configuration signals comprise delay adjusting signals corresponding to each configuration input end in the oscillating circuit; the configuration signal adjusts the delay of the NAND gate delay unit and the inverter delay units, so that the ring oscillator circuit generates different oscillation frequencies.
The RO comparison strategy of the invention is to compare the oscillation frequency of the same RO under different configuration signals; according to the configuration information, the APUF can adaptively adjust its own oscillation frequency under conditions of optimal uniqueness, reliability and stability. The response of the APUF is generated by comparing the frequency difference of the ring oscillator under different configuration signals. The ring oscillation circuit can be composed of an RC charge-discharge loop, a Schmitt unit, an inverse delay unit and a NOT gate delay unit, and the circuit is provided with an enable control end.
The RO array is composed of a certain number of RO units; the larger the number of RO units, the more RO pairs can be made, i.e., the more bits can be generated, the larger the response set, and the higher the security of the system. To ensure that the response generated by the APUF is determined entirely by the random differences between the ROs, the ring oscillation path of each RO unit in the RO array is required to have exactly the same circuit structure, so as to eliminate or reduce the influence of other factors on the RO oscillation frequency and to ensure the fairness of comparison between the ROs and the randomness of the generated response.
In fig. 1, the adaptive PUF device further includes an encryption error correction module, and the control module controls the encryption error correction module to receive an external original excitation signal, and encrypts the original excitation signal to obtain a configuration signal, which is transmitted to an oscillation circuit unit in each RO unit;
the control module also controls the encryption error correction module to carry out error correction processing on the response output signal of the PUF to obtain a final excitation response signal. The encryption and error correction module of the invention can adopt SM1 encryption algorithm to encrypt the excitation signal.
Since APUF needs to compare the RO oscillation frequency at two different configuration signals for each generation of a 1-bit response signal, each excitation signal needs to correspond to a pair of configuration signals, according to the conceptual analysis of the excitation/response pair (CRP), for example: the stimulus signal C1 may correspond to a configuration signal pair (S1, S2), S1 and S2 representing two different sets of select signals. The encryption function of the encryption error correction module is to implement the SM1 encryption process between the excitation signal and the configuration signal pair.
To further improve the stability of the APUF output and reduce or eliminate unstable output bits in the response, an IBS error correction module is added to the PUF system. That is, the encryption error correction module performs error correction processing on the response output signal of the RO array by using a fuzzy extraction algorithm of IBS encoding to obtain a final excitation response signal. IBS uses a bitwise XOR mask to generate pointers to values in the APUF output sequence, so that the correction bits no longer require a direct linear mathematical function of the APUF output bits and parity bits. IBS can reduce the complexity of error correction codes.
Specifically, the invention adopts a k-sum PUF structure combined with an IBS coding mechanism, in which the IBS mechanism carries out fuzzy extraction on the sampled k bits and real value results. The k-sum PUF system structure is shown in FIG. 2. The k-sum PUF contains 2k ring oscillators (ROs) with oscillation frequencies $O_i$, each determined by a single signal propagation delay unit. Two ROs are logically grouped into one stage. The differences of the oscillation frequencies generated in each RO stage are summed; the excitation bit $C_i \in \{-1, 1\}$ defines whether the sign of a stage's difference is held or flipped, and the integer value of the sum is defined as the soft decision value $R_j$:
Figure BDA0002667091420000061
The sign bit of $R_j$ is defined as a check bit and a reserved bit: if $R_j$ is negative, i.e. $R_j < 0$, the bit is defined as 0; otherwise it is defined as 1. The excitation bits for each soft decision value are derived with a fixed primary excitation. In fig. 2, an LFSR (Linear Feedback Shift Register) is used to generate the excitation.
Like the output of most PUF classes, the soft decision bits are noisy. To eliminate noise and improve the reliability of PUF classes, APUF uses IBS encoding as a fuzzy extractor. Suppose a sequence $R = (R_0, \ldots, R_{q-1})$ with $q \le 2^s$ is generated by a fixed excitation, and a private bit $B$ is given. The IBS encoder is defined as follows:
Figure BDA0002667091420000071
The encoding result $P$ can be thought of as an $s$-bit pointer or index that points to either the maximum or the minimum value of $R$, depending on the given private bit $B$. Because the maximum or minimum value is selected, the soft decision value with the highest rank is selected from the sequence $R$, and $P$ is stored for the IBS decoder. The IBS decoder generates a soft decision sequence $R' = (R'_0, \ldots, R'_{q-1})$ to recover the private bit $B$. The decoding process is defined as:
Figure BDA0002667091420000072
If $B' = B$, the decoder has successfully recovered the private bit $B$. Because the result value $P$ indexes the soft decision value $R_P$ with the highest level in $R$, the decoder has high reliability.
FIG. 3 shows the IBS error correction coding scheme. $\nu \times q$ PUF output values are generated in total, from which the $\nu$ indexes are derived. Assuming that $q = 8$, $k = 4$ and $\nu = 7$, the pointer $P$ is chosen using the maximum-minimum criterion, and $B'$ is extracted from the sign bit of the PUF output value it points to. The BCH ECC error correction code has $\nu = 7$, $\kappa = 4$, $\tau = 1$, and the following generator matrix:
Figure BDA0002667091420000073
Assume that the ECC encoder has the input
$(B_0, B_1, B_2, B_3) = (1, 0, 0, 0)$
Then the ECC encoder outputs
$(1, 0, 0, 0, 1, 0, 1)$
This result is the input to the IBS mapper:
Figure BDA0002667091420000081
Figure BDA0002667091420000082
...
Figure BDA0002667091420000083
Output of the IBS mapper:
$P_0 = 3$ (maximum found: 80)
$P_1 = 5$ (minimum found: -3)
...
$P_6 = 7$ (maximum found: 102)
At the input of the IBS demapper, there are
$(P_0, P_1, \ldots, P_6) = (3, 5, \ldots, 7)$
Figure BDA0002667091420000084
Figure BDA0002667091420000085
...
Figure BDA0002667091420000086
The output of the IBS demapper would be
$B'_0 = \operatorname{sign}(84) = + = 1$
$B'_1 = \operatorname{sign}(3) = + = 1$
...
$B'_6 = \operatorname{sign}(99) = + = 1$
The output of the ECC decoder will be
$(1, 0, 0, 0)$
Thus $(B_0, B_1, B_2, B_3) = (1, 0, 0, 0)$ is recovered.
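The walk-through above can be run end to end with the following added example, which is not code from the patent. The generator matrix figure is not reproduced on this page, so the (7,4) code below is an assumed systematic single-error-correcting code chosen so that 1,0,0,0 encodes to the page's 1,0,0,0,1,0,1; the soft-decision sequences are constructed, with only the values 80, -3, 102, 84, 3 and 99 taken from the text.

```python
# Assumed systematic (7,4) code G = [I | P]; not the patent's own matrix.
P_ROWS = [[1, 0, 1], [1, 1, 1], [1, 1, 0], [0, 1, 1]]
H_COLUMNS = P_ROWS + [[1, 0, 0], [0, 1, 0], [0, 0, 1]]   # columns of H = [P^T | I]

# Constructed soft-decision sequences: q = 8 values for each of the 7 code bits.
ENROLLED = [
    [12, -35, 47, 80, -61, 5, -18, 33],
    [41, 9, 66, 27, 58, -3, 14, 72],
    [20, -77, 31, -12, 54, 8, -40, 63],
    [-9, 45, -88, 17, 70, -26, 3, 51],
    [-30, 22, 95, -64, 11, 48, -7, 36],
    [57, -15, 29, 6, -91, 74, -42, 13],
    [-21, 60, 34, -55, 18, 79, -4, 102],
]
# The same sequences regenerated later, with constructed measurement noise.
REGENERATED = [
    [15, -31, 44, 84, -58, 2, -22, 30],
    [38, 12, 61, 30, 55, 3, 10, 69],
    [17, -73, 35, -9, 50, 11, -44, 60],
    [-6, 41, -85, 20, 66, -23, 7, 48],
    [-27, 19, 91, -60, 14, 45, -10, 39],
    [54, -11, 26, 9, -94, 70, -39, 16],
    [-25, 57, 37, -52, 21, 82, -1, 99],
]


def ecc_encode(message):
    parity = [sum(message[i] * P_ROWS[i][j] for i in range(4)) % 2 for j in range(3)]
    return list(message) + parity


def ecc_decode(word):
    """Syndrome decoding: corrects at most one flipped bit (tau = 1)."""
    word = list(word)
    syndrome = [sum(word[i] * H_COLUMNS[i][j] for i in range(7)) % 2 for j in range(3)]
    if any(syndrome):
        word[H_COLUMNS.index(syndrome)] ^= 1   # the syndrome equals the bad column
    return word[:4]


def sign_bit(value):
    return 0 if value < 0 else 1               # negative -> 0, otherwise 1


def ibs_encode(bit, soft_values):
    """Pointer to the maximum soft value for bit 1, to the minimum for bit 0."""
    pick = max if bit else min
    return soft_values.index(pick(soft_values))


def ibs_decode(pointer, soft_values):
    return sign_bit(soft_values[pointer])


def enroll(message, blocks):
    """ECC-encode the private bits, then map each code bit to a pointer."""
    return [ibs_encode(bit, block) for bit, block in zip(ecc_encode(message), blocks)]


def reconstruct(pointers, blocks):
    """Demap each pointer on the regenerated values, then ECC-decode."""
    raw = [ibs_decode(p, block) for p, block in zip(pointers, blocks)]
    return raw, ecc_decode(raw)


if __name__ == "__main__":
    pointers = enroll([1, 0, 0, 0], ENROLLED)
    raw, message = reconstruct(pointers, REGENERATED)
    print("pointers:", pointers)
    print("demapped:", raw)
    print("recovered:", message)
```

The second code bit was mapped to a weak minimum (-3) that regenerates as +3, so the demapper returns 1 instead of 0; the single-error-correcting code repairs it, as in the page's walk-through.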
In the embodiment, a mode of combining the PUF with the SM1 chaotic sequence encryption algorithm and the IBS (Index-Based Syndrome) error correction algorithm is adopted, so that the work in the aspect of security analysis can be reduced, and the application can be realized more quickly. The encryption error correction module further improves the stability of APUF output and reduces or eliminates unstable output bits in response.
Further, in this embodiment, the adaptive PUF device further includes a timer controlled by the control module;
the control module clears the timer and the counter in response to receiving the external excitation signal;
the control module controls the encryption error correction module to process an external excitation signal to obtain a pair of different configuration signals, the control module controls the encryption error correction module to transmit the two configuration signals to the oscillation circuit in sequence for delayed configuration, and the operation executed after each configuration comprises the following steps: enabling a timer and an oscillating circuit, and controlling a counter to start counting the oscillation frequency of the oscillating circuit; in response to the overflow of the timer, controlling the oscillation circuit to stop running, and stopping counting by the counter;
for two configuration signals corresponding to one external excitation signal, the control module controls the counter to store the counting result obtained by corresponding to the prior configuration into the register, and then the operation executed after the configuration is repeated, so that the counter obtains the counting result obtained by corresponding to the subsequent configuration and transmits the counting result to the comparator.
Example 2
This embodiment introduces a key generation method for an adaptive PUF device in embodiment 1, including:
receiving an external excitation signal;
in response to receiving an external excitation signal, encrypting the external excitation signal to obtain an oscillation circuit configuration signal;
configuring the oscillation circuit in each RO unit based on the configuration signal to obtain the oscillation signal of the configured ring oscillation circuit;
the oscillation times of the oscillation circuit in each RO unit responding to the two configuration signals are respectively counted in a timing mode, and the two counting results are compared;
and determining a response output signal, namely the secret key, according to the counting comparison result of each RO unit in the RO array.
Specifically, the determining the response output signal according to the count comparison result of each RO unit in the RO array includes:
determining the output of the counting comparison result of each RO unit;
performing error correction processing on the count comparison result output of each RO unit in the RO array by adopting a fuzzy extraction algorithm of IBS coding to obtain a final response output signal.
Based on the PUF device of embodiment 1, a specific implementation step of this embodiment includes:
1) after the system is started, when an external signal is input, the control module judges whether the external signal is an excitation signal, ignores the signal if the external signal is not the excitation signal, and clears the cache; if the excitation signal is the excitation signal, the excitation signal is processed and then sent to the encryption error correction module. Before the response is sent out, the communication system does not receive a new excitation signal any more;
2) after receiving the excitation signal, the timer and the counter are cleared, then the timer and the RO are enabled, and the counter starts to count the number of times of RO oscillation. When the timer overflows, the RO is closed, the counter stops counting and transmits the count value to the comparator, and the comparator is enabled to generate the most original APUF response;
3) after the IBS error correction coding is completed, controlling the communication module to send out a response, and simultaneously enabling the receiving function of the communication module again;
4) with the error correction of IBS, step 2) will be repeated a number of times, the specific number of times being determined by IBS.
The APUF comprises a comparator, a first circuit and a second circuit, wherein the comparator is used for comparing oscillation frequencies of the same RO under different configuration signals, and the working flow of the APUF is roughly divided into the following three steps:
1) when the comparison starts, firstly, the counter and the register are cleared, and simultaneously, the encryption error correction module outputs a first configuration signal S1; next, enabling the oscillator and the timer, counting the oscillation times of the RO by the counter before the timer is timed out (cnt 1); when the timer finishes timing, the oscillator is closed and the cnt1 value is stored in the register;
2) before the second counting, the counter is cleared (the register is not cleared at this time) and the second configuration signal S2 is output, and the process of counting the number of times of RO oscillation is substantially the same as that in step 1); when the timer finishes timing, the oscillation frequency (cnt2) in the counter is not transferred to the register at the moment, but is directly input into the comparator;
3) the comparator generates a response output by comparing the cnt1 input to the register with the cnt2 input to the counter.
The timer in step 1) and step 2) of the RO comparator is the same. (S1, S2) is the pair of configuration signals output by the encryption error correction module. The response generation process of the APUF is a process repeatedly executed by the RO comparator.
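The three-step count, store and compare flow above can be simulated in software. This is an added example, not code from the patent: SHA-256 stands in for the SM1 step, and the ring size, delay figures, timer window and comparator polarity are assumptions chosen for illustration.

```python
import hashlib
import random

STAGES = 5                 # assumed ring size: 4 inverter delay units + 1 NAND delay unit
WINDOW_PS = 1_000_000_000  # assumed timer window: 1 ms, in picoseconds


def derive_config_pair(challenge):
    """Map an excitation signal to a configuration pair (S1, S2).

    SHA-256 is a stand-in for the page's SM1 encryption step.
    """
    digest = hashlib.sha256(challenge).digest()
    s1 = [(digest[0] >> i) & 1 for i in range(STAGES)]
    s2 = [(digest[1] >> i) & 1 for i in range(STAGES)]
    if s1 == s2:           # the two configuration signals must differ
        s2[0] ^= 1
    return s1, s2


class ROUnit:
    """One RO unit: configurable oscillator, counter, register and comparator."""

    def __init__(self, rng):
        # delays[stage][config bit] in ps: 100 ps nominal plus process variation
        self.delays = [[100.0 + rng.gauss(0.0, 2.0) for _ in range(2)]
                       for _ in range(STAGES)]
        self.counter = 0
        self.register = 0

    def _run_until_timer_overflow(self, config, jitter):
        period = 2.0 * sum(self.delays[i][bit] for i, bit in enumerate(config))
        if jitter is not None:                      # measurement noise, if modelled
            period *= 1.0 + jitter.gauss(0.0, 1e-4)
        self.counter = int(WINDOW_PS // period)     # oscillations counted in the window

    def respond(self, s1, s2, jitter=None):
        self.counter = self.register = 0            # step 1: clear counter and register
        self._run_until_timer_overflow(s1, jitter)  # count cnt1 under S1
        self.register = self.counter                # store cnt1 in the register
        self.counter = 0                            # step 2: clear the counter only
        self._run_until_timer_overflow(s2, jitter)  # cnt2 stays in the counter
        # step 3: comparator; the polarity (1 when cnt1 > cnt2) is an assumption
        return 1 if self.register > self.counter else 0


class SimulatedAPUF:
    def __init__(self, chip_seed, units=64):
        rng = random.Random(chip_seed)              # the seed stands in for one chip's silicon
        self.units = [ROUnit(rng) for _ in range(units)]

    def response(self, challenge, jitter=None):
        s1, s2 = derive_config_pair(challenge)
        return [unit.respond(s1, s2, jitter) for unit in self.units]


def hamming(a, b):
    return sum(x != y for x, y in zip(a, b))


def demo():
    chip_a, chip_b = SimulatedAPUF(1), SimulatedAPUF(2)
    challenge = b"constructed excitation C1"
    clean = chip_a.response(challenge)
    noisy = chip_a.response(challenge, jitter=random.Random(99))
    return {
        "intra_chip_distance": hamming(clean, noisy),
        "inter_chip_distance": hamming(clean, chip_b.response(challenge)),
    }


if __name__ == "__main__":
    print(demo())
```

The intra-chip distance is the number of bits that flip under measurement noise, which is what the IBS error correction stage has to absorb; the inter-chip distance shows how far apart two chips' responses to the same excitation signal are.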
Example 3
This embodiment introduces a fusion terminal, which includes the PUF device described in the first aspect; the fusion terminal can generate a key for identity authentication through the PUF device.
The fusion terminal can be any terminal device that requires identity authentication in its application scenario. For example, the fusion terminal may also comprise a core CPU, an alternating current sampling module, a communication module, a storage module, a local indication module and the like. The functions of the control module in the PUF device can be implemented by the core CPU using container technology, which facilitates the independent development or extension of the software involved in the key generation process.
Example 4
This embodiment introduces an identity authentication system, which includes the fusion terminal of embodiment 3 and a master station, where the master station includes a CRPs database that stores a plurality of excitation response pairs corresponding to the PUF device in the fusion terminal;
during identity authentication, the master station sends the excitation signal of any excitation response pair in the CRPs database to the fusion terminal at least once;
the fusion terminal uses the PUF device to generate an excitation response signal based on the received excitation signal and returns the excitation response signal to the master station;
the master station receives the identity authentication identification code, queries the CRPs database to judge whether the corresponding excitation response pair exists, and determines from the query result whether the fusion terminal is a legal device.
Further, in this embodiment, the master station sends an excitation signal to the fusion terminal multiple times, acquires the corresponding signal returned by the fusion terminal each time, and queries the excitation response pairs; if a set proportion of the queries find a corresponding excitation response pair, the master station determines that the fusion terminal is a legal device;
after each authentication, the master station deletes the used excitation response pairs from the CRPs database, avoiding the security risk brought by repeated use.
Optionally, in the identity authentication system, the master station prestores the unique identification code of each fusion terminal. During each identity authentication, the master station sends a handshake signal to the fusion terminal, and the fusion terminal returns its unique identification code to the master station in response to the handshake signal. The master station then performs a local query and, if a corresponding unique identification code exists, sends an excitation signal to the fusion terminal.
If the identification codes do not match, verification of the excitation response pair does not proceed.
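The master-station side of the exchange described in this embodiment can be written out as follows. This Python code is an added illustration and is not part of the patent: the HMAC-based make_stub_puf stands in for a real PUF device, and the enroll step, the class and method names, the five rounds and the 0.8 pass ratio are assumptions. It also shows one case the text leaves open: when fewer unused pairs remain than one authentication needs, the station refuses instead of reusing a pair.

```python
import hashlib
import hmac
import secrets


def make_stub_puf(device_secret):
    """Software stand-in for a PUF device (assumption): a fixed per-device
    mapping from excitation to response. A real device derives it from silicon."""
    def respond(excitation):
        return hmac.new(device_secret, excitation, hashlib.sha256).digest()[:8]
    return respond


class MasterStation:
    def __init__(self, rounds=5, pass_ratio=0.8):
        self.rounds = rounds          # excitations sent per authentication
        self.pass_ratio = pass_ratio  # the set proportion of matching rounds
        self.crps = {}                # terminal ID -> list of (excitation, response)

    def enroll(self, terminal_id, puf, n_pairs):
        """Hypothetical enrollment: prestore the ID and collect CRPs from the device."""
        pairs = []
        for _ in range(n_pairs):
            excitation = secrets.token_bytes(16)
            pairs.append((excitation, puf(excitation)))
        self.crps[terminal_id] = pairs

    def remaining(self, terminal_id):
        return len(self.crps.get(terminal_id, []))

    def authenticate(self, claimed_id, terminal_respond):
        pool = self.crps.get(claimed_id)
        if pool is None:
            return False  # ID not prestored: no excitation is sent
        if len(pool) < self.rounds:
            return False  # database exhausted: fail closed, never reuse a pair
        # Take the pairs out of the database as they are drawn, so they are
        # deleted whether the authentication succeeds, fails or raises.
        used = pool[:self.rounds]
        del pool[:self.rounds]
        matches = sum(hmac.compare_digest(terminal_respond(e), r) for e, r in used)
        return matches / self.rounds >= self.pass_ratio
```

Here claimed_id is the identification code returned after the handshake and terminal_respond is whatever answers the excitations; remaining() gives the operator a figure to monitor so that pairs are replenished before the database runs out.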
In summary, the invention improves on the conventional RO-PUF. Using an RO circuit whose oscillation frequency is changed by an adaptive configuration signal, it compares the change in oscillation frequency of the same RO unit under different configuration signals to determine one bit of the excitation response signal, and in this way obtains the whole excitation response signal, realizing an adaptive APUF. On this basis, the invention can further ensure the uniqueness, reliability and stability of the PUF device by encrypting the excitation signal and performing error correction on the excitation response signal. The identity authentication system is suitable for various industrial production scenarios, where it authenticates the identity of equipment and ensures production safety.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While the present invention has been described with reference to the embodiments shown in the drawings, the present invention is not limited to the embodiments, which are illustrative and not restrictive, and it will be apparent to those skilled in the art that various changes and modifications can be made therein without departing from the spirit and scope of the invention as defined in the appended claims.

Claims (10)

1. A self-adaptive configuration PUF device is characterized by comprising a control module and an RO array, wherein the RO array comprises a plurality of RO units, and each RO unit comprises an oscillating circuit, a register, a counter and a comparator respectively; the oscillation circuits of the RO units have the same structure;
in each PUF response process of each RO unit, the control module controls each oscillating circuit to receive a pair of configuration signals, and the oscillating circuit successively responds to each configuration signal and respectively outputs the oscillating signals to the counter; the control module controls the counter to count the oscillation signals corresponding to the configuration signals and outputs the previously obtained counting result to the register; the control module controls the comparator to obtain two counting results output by the register and the counter, and outputs a response signal bit value corresponding to a single RO unit according to the comparison result of the two counting results;
the control module generates response output signals of the PUF according to the response signal bit values output by the plurality of RO units in the RO array.
2. The adaptively configured PUF device of claim 1, wherein said oscillator circuit unit comprises a plurality of inverter delay units and nand gate delay units connected in series in a ring circuit, each nand gate delay unit and each inverter delay unit comprising a configuration input, the ring circuit comprising an oscillator signal output for connection to a counter; the configuration signals include delay adjustment signals corresponding to the configuration input terminals.
3. The PUF device with the adaptive configuration according to claim 1, further comprising an encryption error correction module, wherein the control module controls the encryption error correction module to receive an external original excitation signal, encrypt the original excitation signal to obtain a configuration signal, and transmit the configuration signal to the oscillation circuit unit in each RO unit;
the control module also controls the encryption error correction module to carry out error correction processing on the response output signal of the PUF to obtain a final excitation response signal.
4. The adaptively configured PUF device of claim 3, wherein said cryptographic error correction module performs error correction processing on the response output signal of the RO array using a fuzzy extraction algorithm for IBS encoding to obtain a final excitation response signal.
5. The adaptively configured PUF device according to claim 3, wherein the adaptive PUF device further comprises a timer controlled by the control module;
the control module clears the timer and the counter in response to receiving the external excitation signal;
the control module controls the encryption error correction module to process an external excitation signal to obtain a pair of different configuration signals, the control module controls the encryption error correction module to transmit the two configuration signals to the oscillation circuit in sequence for delayed configuration, and the operation executed after each configuration comprises the following steps: enabling a timer and an oscillating circuit, and controlling a counter to start counting the oscillation frequency of the oscillating circuit; in response to the overflow of the timer, controlling the oscillation circuit to stop running, and stopping counting by the counter;
for two configuration signals corresponding to one external excitation signal, the control module controls the counter to store the counting result obtained by corresponding to the prior configuration into the register, and then the operation executed after the configuration is repeated, so that the counter obtains the counting result obtained by corresponding to the subsequent configuration and transmits the counting result to the comparator.
6. A method for generating a key for an adaptive PUF device according to any of claims 1 to 5, comprising:
receiving an external excitation signal;
in response to receiving an external excitation signal, encrypting the external excitation signal to obtain an oscillation circuit configuration signal;
configuring the oscillation circuit in each RO unit based on the configuration signal to obtain the oscillation signal of the configured ring oscillation circuit;
the oscillation times of the oscillation circuit in each RO unit responding to the two configuration signals are respectively counted in a timing mode, and the two counting results are compared;
and determining a response output signal, namely the secret key, according to the counting comparison result of each RO unit in the RO array.
7. The method of claim 6, wherein determining the response output signal based on the count comparison of each RO unit in the RO array comprises:
determining the output of the counting comparison result of each RO unit;
and performing error correction processing on the counting comparison result output of each RO unit in the RO array by adopting a fuzzy extraction algorithm of IBS coding to obtain a final response output signal.
8. A fusion terminal comprising a PUF device according to any of claims 1-5.
9. An identity authentication system comprising the fusion terminal of claim 8 and a master station, the master station comprising a CRPs database of excitation response pairs, the CRPs database storing a plurality of excitation response pairs corresponding to the PUF device in the fusion terminal;
during identity authentication, the master station sends the excitation signal of any excitation response pair in the CRPs database to the fusion terminal at least once;
the fusion terminal uses the PUF device to generate an excitation response signal based on the received excitation signal and returns the excitation response signal to the master station;
the master station receives the identity authentication identification code, queries the CRPs database to judge whether the corresponding excitation response pair exists, and determines from the query result whether the fusion terminal is a legal device.
10. The identity authentication system of claim 9, wherein the master station sends an excitation signal to the fusion terminal a plurality of times, acquires the corresponding signal returned by the fusion terminal, performs an excitation response pair query, and determines that the fusion terminal is a legal device if a set proportion of the queries find a corresponding excitation response pair;
after each identity authentication, the master station deletes the used excitation response pairs in the CRPs database;
and/or the master station prestores the unique identification code of each fusion terminal and sends a handshake signal to the fusion terminal during each identity authentication; the fusion terminal returns its unique identification code to the master station in response to the received handshake signal; the master station then performs a local query and, if a corresponding unique identification code exists, sends an excitation signal to the fusion terminal.
CN202010922127.4A 2020-09-04 2020-09-04 Self-adaptively configured PUF (physical unclonable function) equipment, fusion terminal containing PUF equipment and identity authentication system Pending CN112131614A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010922127.4A CN112131614A (en) 2020-09-04 2020-09-04 Self-adaptively configured PUF (physical unclonable function) equipment, fusion terminal containing PUF equipment and identity authentication system

Publications (1)

Publication Number Publication Date
CN112131614A (en) 2020-12-25

Family

ID=73847966

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination