DE102022125568A1 - device for data processing - Google Patents

Abstract

The invention relates to a method and a device for generating a random bit. The method includes the generation of a pulse sequence with random intervals using at least two SPAD diodes, the pulse sequence including pulses from a first altitude class (601) and a second altitude class (602). The method also includes separating the pulses of the first height class (601) from the pulses of the second height class (602) by means of a cutting level (603, 404.1) and detecting (501) the first value of the time interval between a first pulse of the second height class (602) and a second pulse of the second height class (602), which differs from the first pulse, and the detection (501) of the second value of the time interval between a third pulse of the second height class (602), which differs from the first pulse, and a fourth pulse of the second height class (602) which is different from the first pulse and from the second pulse and from the third pulse. The method additionally comprises the steps of comparing (502) the first value with the second value and outputting (503) a first logical value as a random bit if the first value is greater than the second value and outputting (503) a second logical value different from the first logical value as the random bit if the first value is smaller than the second value.

Description

priorities

This patent application takes priority from the German patent application DE 10 2021 128 005.2 from 10/27/2022.

On the examination notification of the sister registration DE 10 2021 128 004.4 we point out here.

field of invention

The invention relates to a microcontroller which comprises at least one quantum process-based generator for true random numbers (Quantum Random Number Generator: QRNG) as a random number generator, in particular for encryption.

The present invention thus relates to a data processing device with a quantum technology-based random number generator.

Background of the Invention

The automotive and other industries are increasingly exposed to a variety of piracy attacks. The counterfeiters copy the spare parts and products of the affected industrial producers and usually use their brand names. Another point of attack is data transmission within the products and/or data transmission to the product and back.

The entropy properties of common random number generators for such systems are typically inadequate. Quantum Random Number Generators: QRNG) are known from the prior art, but these are difficult to integrate or have a poor quantum yield.

Task

The device of the independent claim solves this problem. Developments are the subject of the dependent claims.

solution of the task

The automotive and other industries are increasingly exposed to a variety of piracy attacks. The counterfeiters copy the spare parts and products of the affected industrial producers and usually use their brand names. Another point of attack is data transmission within the products and/or data transmission to the product and back.

The entropy properties of common random number generators for such systems are typically inadequate. Quantum Random Number Generators: QRNG) are known from the prior art, but these are difficult to integrate or have a poor quantum yield.

It is known in the art to provide an integrated circuit that includes, among other features, a data processor. In some applications it is necessary to ensure that the data being processed, including the executable code, cannot be modified by unauthorized persons accessing data stored outside the integrated circuit or, if such access occurs, that it cannot go unnoticed.

SUMMARY OF THE INVENTION

According to one aspect of the present invention there is provided an apparatus comprising: an integrated circuit including a data processor and a non-volatile memory storing at least one security code; a first memory external to the integrated circuit storing data, the data being cryptographically protected in a first format; and a second memory external to the integrated circuit for storing data; where the pros device arranged to transfer data from the first memory via the integrated circuit to the second memory for access by the data processor from the second memory; the integrated circuit is arranged to validate during transmission the data read from the first memory using a security code stored in the non-volatile memory and, when the data is validated, to apply cryptographic protection in a second format to the validated data using a apply security codes stored in the non-volatile memory and store the data protected in the second format in the second memory. The proposed device uses a quantum technology-based, micro-integrated random number generator for encryption. Such a random number generator supplies a true random number, since the process of random number generation is based on an unpredictable quantum process.

By transmitting data through the integrated circuit and using the integrated circuit to validate data and protect the transmitted data, security is maintained because validation occurs within the integrated circuit and protection is applied.

The data is secured by cryptographically protecting the data in the first and second memories based on one or more security codes in the non-volatile memory of the integrated circuit.

In one embodiment, only validated data from the first memory is processed and when data is read from the second memory by the data processor, only validated data from the second memory is processed.

In one embodiment, the second memory is random access memory (RAM) for the data processor, allowing the data processor to store and retrieve individual words that are individually protected, in contrast to the first memory, which is read-only memory (ROM) and which only allows read access to a data set.

• Eine integrierte Schaltung mit einem Datenprozessor, einem nichtflüchtigen Speicher, der mindestens einen Sicherheitscode speichert, einem Hash-Rechner und einer Schnittstelle an der Grenze der integrierten Schaltung; und einen Speicher außerhalb der integrierten Schaltung zum Speichern von Daten zur Verwendung durch den Prozessor, wobei der Speicher über die Schnittstelle an der Grenze der integrierten Schaltung mit dem Datenprozessor gekoppelt ist, um Wörter vom Datenprozessor zu empfangen und Wörter an den Datenprozessor zu liefern, der Datenprozessor und der Hash-Rechner sind so angeordnet, dass sie
  1. a. für jedes Wort eine Hash-Funktion in Abhängigkeit von einem in dem nichtflüchtigen Speicher gespeicherten Sicherheitscode berechnen und den Hash in Verbindung mit dem Wort speichern,
  2. b. Abrufen gespeicherter Wörter aus dem Speicher, Neuberechnen einer Hash-Funktion für jedes abgerufene Wort unter Verwendung des Sicherheitscodes und Vergleichen des neu berechneten Hash-Wertes mit dem gespeicherten Hash-Wert, und
  3. c. die Verarbeitung des abgerufenen Wortes durch die Datenverarbeitungsanlage nur dann zuzulassen, wenn die neu berechneten und gespeicherten Hashes eine vorher festgelegte Beziehung aufweisen.

The invention also provides a data processing device comprising:

• An integrated circuit comprising a data processor, a non-volatile memory storing at least one security code, a hash calculator and an interface at the integrated circuit boundary; and a memory external to the integrated circuit for storing data for use by the processor, the memory being coupled to the data processor via the interface at the integrated circuit boundary for receiving words from the data processor and delivering words to the data processor Data processor and the hash calculator are arranged so that they
  1. a. calculate a hash function for each word depending on a security code stored in the non-volatile memory and store the hash associated with the word,
  2. b. retrieving stored words from memory, recomputing a hash function for each retrieved word using the security code and comparing the recomputed hash value with the stored hash value, and
  3. c. to allow the processing of the retrieved word by the data processing system only if the recalculated and stored hashes have a predetermined relationship.

Embodiments of the invention will now be described by way of example with reference to the accompanying drawings.

character list

• 1 shows a schematic block diagram of a data processing device in combination with a controlled system;
• 2 FIG. 12 shows a schematic block diagram of a circuit for deactivating a test interface of the device of FIG 1 ;
• 3 shows a diagram illustrating verification of digital signatures;
• 4 FIG. 12 is a flow chart showing the use of HASH functions in storing and retrieving data from a DRAM of the device of FIG 1 illustrated.
• 5 shows a proposed SPAD diode in cross section.
• 6 shows the combination of two proposed SPAD diodes in cross section.
• 7 FIG. 12 shows the combination of two proposed SPAD diodes in cross section, with several insulation layers now forming the optical waveguide 44.
• 8th shows the integration of the SPAD diodes and the optical fiber in an evaluation and operating circuit
• 9 equals to 8th , which is now supplemented by monitoring circuits.
• 10 shows a typical output signal of the second SPAD diode.

Features of the invention

The features of the invention summarize this again. Applications of the technical teaching can combine the features with one another, provided these combinations do not cause factual contradictions. In this respect, the dependencies and references presented here only represent particularly preferred, exemplary embodiments.

• - mit einem Halbleiterkristall und
• - mit Speicherelementen und
• - mit zumindest einem internen Bus 2 und
• - mit zumindest einem 8/16/32/15-Bit-Microkontrollerkern 16 und
• - mit einer oder mehreren Datenschnittstellen und
• - mit zumindest einem quantenprozessbasierenden Generator für echte Zufallszahlen (Englisch: Quantum Random Number Generator: QRNG) 15, und
• - wobei die Speicherelemente mit dem internen Bus 2 verbunden sind und
• - wobei die Datenschnittstelle mit dem internen Bus 2 verbunden ist und
• - wobei der quantenprozessbasierende Generator für echte Zufallszahlen (QRNG) 15 mit dem internen Bus 2 verbunden ist und
• - wobei der Mikrocontrollerkern 16 mit dem internen Bus 2 verbunden ist und
• - wobei der quantenprozessbasierende Generator für echte Zufallszahlen (QRNG) 15 auf Anfrage des Mikrocontrollerkerns 16 eine Zufallszahl erzeugt und
• - wobei der Mikrocontrollerkern 16 mit Hilfe eines Programms aus einem oder mehreren seiner Speicherelemente und mit Hilfe der Zufallszahl einen Schlüssel erzeugt und
• - wobei der Mikrocontrollerkern 16 mit Hilfe eines Programms aus einem oder mehreren seiner Speicherelemente und mit Hilfe des Schlüssels Daten verschlüsselt und entschlüsselt, die er über die Datenschnittstelle mit Vorrichtungen außerhalb des sicheren Mikrocontrollers austauscht und
• - wobei der Halbleiterkristall diese Teilvorrichtungen des sicheren Mikrocontrollers 1 einstückig umfasst,
• - wobei diese Teilvorrichtungen des sicheren Mikrocontrollers 1 die Speicherelemente, den internen Bus 2, den zumindest einem 8/16/32/15-Bit-Microkontrollerkern 16, die Datenschnittstellen und den quantenprozessbasierenden Generator für echte Zufallszahlen (Englisch: Quantum Random Number Generator: QRNG) 15 umfassen.

Feature 1: Secure microcontroller 1 for controlling automotive devices

• - with a semiconductor crystal and
• - with memory elements and
• - with at least one internal bus 2 and
• - with at least one 8/16/32/15-bit microcontroller core 16 and
• - with one or more data interfaces and
• - with at least one quantum process-based generator for true random numbers (English: Quantum Random Number Generator: QRNG) 15, and
• - wherein the memory elements are connected to the internal bus 2 and
• - wherein the data interface is connected to the internal bus 2 and
• - wherein the quantum process based true random number generator (QRNG) 15 is connected to the internal bus 2 and
• - wherein the microcontroller core 16 is connected to the internal bus 2 and
• - wherein the quantum process-based true random number generator (QRNG) 15 generates a random number upon request of the microcontroller core 16, and
• - Wherein the microcontroller core 16 generates a key with the aid of a program from one or more of its memory elements and with the aid of the random number and
• - wherein the microcontroller core 16, using a program from one or more of its memory elements and using the key, encrypts and decrypts data which it exchanges via the data interface with devices outside the secure microcontroller and
• - wherein the semiconductor crystal comprises these sub-devices of the secure microcontroller 1 in one piece,
• - These sub-devices of the secure microcontroller 1 comprising the memory elements, the internal bus 2, the at least one 8/16/32/15-bit microcontroller core 16, the data interfaces and the quantum process-based generator for real random numbers (English: Quantum Random Number Generator: QRNG ) 15 include.

• - wobei die Speicherelemente ein oder mehrere Schreib/Lese-Speicher RAM 3 und/oder ein oder mehrere beschreibbare nicht flüchtige Speicher, insbesondere EEPROM-Speicher 4 und/oder Flash-Speicher 4 und/oder OTP-Speicher 4, und/oder ein oder mehrere reine Lesespeicher und/oder ein oder mehrere nicht flüchtige Herstellerspeicher insbesondere ein oder mehrere Hersteller-ROMs 6 und/oder ein oder mehrere Hersteller EEPROMs und/oder ein oder mehrere Hersteller-Flash-Speicher, umfassen.

Feature 2: Safe microcontroller 1 according to feature 1,

• - Wherein the memory elements are one or more read/write memories RAM 3 and/or one or more writable non-volatile memories, in particular EEPROM memory 4 and/or flash memory 4 and/or OTP memory 4, and/or one or several read-only memories and/or one or more non-volatile manufacturer memories, in particular one or more manufacturer ROMs 6 and/or one or more manufacturer EEPROMs and/or one or more manufacturer flash memories.

• - wobei das Hersteller-ROM 6 die Boot-Software umfasst.

Feature 3: Safe microcontroller 1 according to feature 2,

• - where the manufacturer ROM 6 contains the boot software.

• - wobei eine Hersteller-Speicher Firewall 8 zwischen dem Hersteller-Speicher 6 und dem internen Bus 2 vorgesehen ist.

Feature 4: Safe microcontroller 1 according to feature 2 or 3,

• - A manufacturer memory firewall 8 between the manufacturer memory 6 and the internal bus 2 is provided.

• - mit einer oder mehrerer der folgenden Komponenten:
  • - einer Basistakterzeugung 21 (CLK)
  • - einer Taktgeneratorschaltung 12 und/oder
  • - einer Rücksetzschaltung 22 und/oder
  • - einer Stromversorgungs- oder einer Vcc-Schaltung 23 mit Spannungsreglern, die die Betriebsspannungen bereitstellen, und/oder
  • - einer Masseschaltung 24 und/oder
  • - einer Eingangs-/Ausgangsschaltung 25 und/oder
  • - einem oder mehreren Verarbeitungsmodulen,
• - wobei die Verarbeitungsmodule mit dem internen Bus 2 kommunizieren und
• - wobei die Verarbeitungsmodule eines oder mehrere der folgenden Module umfassen:
  • - ein CRC-Modul (Cyclic Redundancy Check) 11,
  • - ein Taktgeneratormodul 12,
  • - mit einem DES-Beschleuniger und/oder einem AES-Beschleuniger 7
  • - ein oder mehrere Zeitgeber-Module 13,
  • - eine Sicherheitsüberwachungs- und -steuerungsschaltung 14,
  • - eine Datenschnittstelle, insbesondere einen Universellen Asynchronen Receiver Transmitter (UART) 17.

Feature 5: Safe microcontroller 1 according to one or more of features 1 to 4

• - with one or more of the following components:
  • - a basic clock generation 21 (CLK)
  • - a clock generator circuit 12 and/or
  • - a reset circuit 22 and/or
  • - a power supply or a Vcc circuit 23 with voltage regulators providing the operating voltages, and/or
  • - a ground circuit 24 and/or
  • - an input/output circuit 25 and/or
  • - one or more processing modules,
• - the processing modules communicating with the internal bus 2 and
• - wherein the processing modules comprise one or more of the following modules:
  • - a CRC module (Cyclic Redundancy Check) 11,
  • - a clock generator module 12,
  • - with a DES accelerator and/or an AES accelerator 7
  • - one or more timer modules 13,
  • - a security monitoring and control circuit 14,
  • - a data interface, in particular a universal asynchronous receiver transmitter (UART) 17.

• - mit zumindest einer ersten SPAD-Diode 44 und
• - mit zumindest einer zweiten SPAD-Diode 45 und
• - mit zumindest einem optischen Lichtwellenleiter 34 und
• - mit zumindest einer Verarbeitungsschaltung und
• - mit zumindest einer Betriebsschaltung,
• - wobei der quantenprozessbasierende Generator für echte Zufallszahlen (QRNG) 15 zumindest die erste SPAD-Diode 44 als Lichtquelle für das optische Quantensignal umfasst und
• - wobei der quantenprozessbasierende Generator für echte Zufallszahlen (QRNG) 15 zumindest die zweite SPAD-Diode 45 als Fotodetektor für das optische Quantensignal umfasst und
• - wobei der quantenprozessbasierende Generator für echte Zufallszahlen (QRNG) 15 zumindest die Verarbeitungsschaltung umfasst und
• - wobei der quantenprozessbasierende Generator für echte Zufallszahlen (QRNG) 15 zumindest den optischen Lichtwellenleiter umfasst und
• - wobei der zumindest eine optische Lichtwellenleiter 34 die zumindest eines erste SPAD-Diode 44 mit der zumindest einen zweiten SPAD-Diode 45 optisch koppelt und
• - wobei die Betriebsschaltung die erste SPAD-Diode 44 so mit elektrischer Energie versorgt, dass die erste SPAD-Diode Licht 44 emittiert und
• - wobei die Verarbeitungsschaltung das Signal der zweiten SPAD-Diode 45 erfasst und daraus die Zufallszahl bildet und dem Mikrocontrollerkern 16 zur Verfügung stellt.

Feature 6: Safe microcontroller 1 according to one or more of features 1 to 5,

• - With at least one first SPAD diode 44 and
• - With at least one second SPAD diode 45 and
• - With at least one optical fiber 34 and
• - having at least one processing circuit and
• - with at least one operating circuit,
• - wherein the quantum process-based true random number generator (QRNG) 15 comprises at least the first SPAD diode 44 as a light source for the optical quantum signal and
• - wherein the quantum process-based true random number generator (QRNG) 15 comprises at least the second SPAD diode 45 as a photodetector for the optical quantum signal, and
• - wherein the quantum process-based true random number generator (QRNG) 15 comprises at least the processing circuitry and
• - wherein the quantum process-based true random number generator (QRNG) 15 comprises at least the optical fiber and
• - wherein the at least one optical waveguide 34 optically couples the at least one first SPAD diode 44 to the at least one second SPAD diode 45 and
• - wherein the operating circuit supplies the first SPAD diode 44 with electrical energy such that the first SPAD diode emits light 44 and
• - Wherein the processing circuit detects the signal of the second SPAD diode 45 and forms the random number from it and makes it available to the microcontroller core 16 .

• - wobei der Halbleiterkristall eine Oberfläche 46 aufweist und
• - wobei der Halbleiterkristall ein halbleitendes Material unterhalb seiner Oberfläche 46 aufweist und
• - wobei die Oberfläche 46 des Halbleiterkristalls einen Metallisierungsstapel aufweist und
• - wobei der Metallisierungsstapel eine typischerweise strukturierte und optisch transparente und elektrisch isolierendem Schicht 34 aufweist und
• - wobei zumindest ein Teil dieser typischerweise strukturierten, transparenten und elektrisch isolierenden Schicht der Oberfläche 46 den optischen Lichtwellenleiter 34 bildet und
• - wobei die erste SPAD-Diode 44 aus dem halbleitenden Material des Halbleitersubstrats in diesen optischen Lichtwellenleiter 34 einstrahlt und
• - wobei der optische Lichtwellenleiter die zweite SPAD-Diode 44 so bestrahlt, dass das Licht von innerhalb des Lichtwellenleiters 34 wieder in das halbleitende Material des Halbeleitersubstrats von der Oberfläche aus eindringt und dort Vorrichtungsteile der zweiten SPAD-Diode 44 trifft.

Feature 7: Safe microcontroller 1 according to feature 6

• - wherein the semiconductor crystal has a surface 46 and
• - wherein the semiconductor crystal has a semiconducting material below its surface 46 and
• - wherein the surface 46 of the semiconductor crystal has a metallization stack and
• - wherein the metallization stack comprises a typically structured and optically transparent and electrically insulating layer 34 and
• - wherein at least part of this typically structured, transparent and electrically insulating layer of the surface 46 forms the optical waveguide 34 and
• - Wherein the first SPAD diode 44 radiates from the semiconducting material of the semiconductor substrate into this optical waveguide 34 and
• - wherein the optical waveguide irradiates the second SPAD diode 44 in such a way that the light from within the light waveguide 34 re-enters the semiconducting material of the semiconductor substrate from the surface and hits device parts of the second SPAD diode 44 there.

• - wobei die zumindest eine Betriebsschaltung die zumindest eine erste SPAD-Diode 44 zumindest zeitweise mit elektrischer Energie versorgt und
• - wobei die zumindest eine erste SPAD-Diode 44 bei Versorgung mit ausreichender elektrischer Energie Photonen in den zumindest einen Lichtwellenleiter 34 einspeist und
• - wobei der zumindest eine Lichtwellenleiter 34 solche Photonen in die zweite SPAD-Diode 45 einstrahlt.

Feature 8: Safe microcontroller 1 according to feature 6 and/or 7,

• - wherein the at least one operating circuit supplies the at least one first SPAD diode 44 with electrical energy at least temporarily and
• - wherein the at least one first SPAD diode 44 feeds photons into the at least one optical waveguide 34 when supplied with sufficient electrical energy and
• - wherein the at least one optical fiber 34 radiates such photons into the second SPAD diode 45.

• - wobei eine Datenschnittstelle der eine oder mehreren Datenschnittstellen eine drahtgebundene automobile Datenbusschnittstelle ist und
• - wobei die drahtgebundene automobile Datenbusschnittstelle insbesondere
  • - eine CAN-Datenbusschnittstelle und/oder
  • - eine CAN-FD-Datenbusschnittstelle und/oder
  • - eine Flexray-Datenbusschnittstelle und/oder
  • - eine PSl5-Datenbusschnittstelle und/oder
  • - eine DSl3-Datenbusschnittstelle und/oder
  • - eine LIN-Datenbusschnittstelle und/oder
  • - eine Ethernet-Datenbusschnittstelle und/oder
  • - eine LIN-Datenbusschnittstelle und/oder
  • - eine MELIBUS-Datenbusschnittstelle umfasst

Feature 9: Safe microcontroller 1 according to one or more of the preceding features 1 to 8,

• - wherein a data interface of the one or more data interfaces is a wired automotive data bus interface and
• - The wired automotive data bus interface in particular
  • - a CAN data bus interface and/or
  • - a CAN FD data bus interface and/or
  • - a Flexray data bus interface and/or
  • - a PSl5 data bus interface and/or
  • - a DSL3 data bus interface and/or
  • - a LIN data bus interface and/or
  • - an Ethernet data bus interface and/or
  • - a LIN data bus interface and/or
  • - includes a MELIBUS data bus interface

• - wobei eine Datenschnittstelle der eine oder mehreren Datenschnittstellen eine drahtlose Datenbusschnittstelle ist und
• - wobei die drahtlose Datenbusschnittstelle insbesondere
• - eine WLAN-Schnittstelle und/oder
• - eine Bluetooth-Schnittstelle umfasst

Feature 10: Safe microcontroller 1 according to one or more of the preceding features 1 to 9

• - wherein a data interface of the one or more data interfaces is a wireless data bus interface and
• - the wireless data bus interface in particular
• - a WLAN interface and/or
• - Includes a Bluetooth interface

• - wobei eine Datenschnittstelle der eine oder mehreren Datenschnittstellen eine drahtgebundene Datenbusschnittstelle ist und
• - wobei die drahtlose Datenbusschnittstelle insbesondere
• - eine KNX-Datenbusschnittstelle und/oder
• - eine EIB-Datenbusschnittstelle und/oder
• - eine DALI-Datenbusschnittstelle und/oder
• - eine PROFIBUS-Datenbusschnittstelle
• - ist.

Feature 11: Safe microcontroller 1 according to one or more of the preceding features 1 to 10

• - wherein a data interface of the one or more data interfaces is a wired data bus interface and
• - the wireless data bus interface in particular
• - a KNX data bus interface and/or
• - an EIB data bus interface and/or
• - a DALI data bus interface and/or
• - a PROFIBUS data bus interface
• - is.

• wobei die Vorrichtung eine integrierte Schaltung (4) mit einem ersten Prozessor (10-1) und einem nichtflüchtigen Speicher (16) aufweist und
• wobei die Vorrichtung einen ersten Speicher aufweist,
• wobei der nicht flüchtige Speicher zumindest mindestens einen Sicherheitscode speichert;
• wobei der erste Speicher Daten speichert und
• wobei die Daten in dem ersten Speicher in einem ersten Format kryptografisch geschützt sind und
• wobei die integrierte Schaltung dazu eingerichtet ist, während einer Übertragung von Daten aus dem ersten Speicher die aus dem ersten Speicher gelesenen Daten zu validieren und,
• wobei die Vorrichtung einen Quantenzufallszahlengenerator (28) aufweist und
• wobei die integrierte Schaltung und der Quantenzufallszahlengenerator (28) in einem Halbleiterkristall gefertigt sind und
• wobei der Halbleiterkristall eine Oberfläche (56) aufweist und
• wobei der Halbleiterkristall ein halbleitendes Material unterhalb seiner Oberfläche (56) aufweist und
• wobei die Oberfläche (56) des Halbleiterkristalls einen Metallisierungsstapel aufweist und
• wobei der Metallisierungsstapel eine typischerweise strukturierte und optisch transparente und elektrisch isolierende Schicht (44) aufweist und
• wobei zumindest ein Teil dieser typischerweise strukturierten, transparenten und elektrisch isolierenden Schicht (44) der Oberfläche (56) den optischen Lichtwellenleiter 44 bildet und
• wobei die erste SPAD-Diode (54) aus dem halbleitenden Material des Halbleitersubstrats heraus Photonen (57) in diesen optischen Lichtwellenleiter (44) einstrahlt und
• wobei der zumindest eine optische Lichtwellenleiter (44) solche Photonen (58) zur zweiten SPAD-Diode (55) transportiert und
• wobei der optische Lichtwellenleiter (44) die zweite SPAD-Diode (55) so bestrahlt, dass das Licht (59) von innerhalb des Lichtwellenleiters (44) wieder in das halbleitende Material des Halbeleitersubstrats von der Oberfläche (56) aus eindringt und dort Vorrichtungsteile der zweiten SPAD-Diode (55) trifft und
• wobei die erste SPAD-Diode (54) und die zweite SPAD-Diode (55) und der Lichtwellenleiter (44) Teil des Quantenzufallszahlengenerators (28) sind.

Feature 12: A device

• the device having an integrated circuit (4) with a first processor (10-1) and a non-volatile memory (16) and
• the device having a first memory,
• wherein the non-volatile memory stores at least one security code;
• wherein the first memory stores data and
• wherein the data in the first memory is cryptographically protected in a first format, and
• wherein the integrated circuit is set up to validate the data read from the first memory during a transmission of data from the first memory and,
• the apparatus comprising a quantum random number generator (28) and
• wherein the integrated circuit and the quantum random number generator (28) are fabricated in a semiconductor crystal and
• the semiconductor crystal having a surface (56) and
• said semiconductor crystal having a semiconducting material below its surface (56) and
• wherein the surface (56) of the semiconductor crystal has a metallization stack and
• wherein the metallization stack has a typically structured and optically transparent and electrically insulating layer (44) and
• at least part of this typically structured, transparent and electrically insulating layer (44) of the surface (56) forming the optical waveguide 44 and
• wherein the first SPAD diode (54) radiates photons (57) from the semiconducting material of the semiconductor substrate into this optical waveguide (44) and
• wherein the at least one optical waveguide (44) transports such photons (58) to the second SPAD diode (55) and
• wherein the optical light waveguide (44) irradiates the second SPAD diode (55) in such a way that the light (59) from within the light waveguide (44) re-enters the semiconducting material of the semiconductor substrate from the surface (56) and there device parts of the second SPAD diode (55) meets and
• wherein the first SPAD diode (54) and the second SPAD diode (55) and the optical fiber (44) are part of the quantum random number generator (28).

• wobei die Vorrichtung zumindest eine Betriebsschaltung aufweist und
• wobei die zumindest eine Betriebsschaltung die zumindest eine erste SPAD-Diode (54) zumindest zeitweise mit elektrischer Energie versorgt und
• wobei die zumindest eine erste SPAD-Diode (54) bei Versorgung mit ausreichender elektrischer Energie Photonen (57) in den zumindest einen Lichtwellenleiter (44) einspeist und
• wobei der zumindest eine Lichtwellenleiter (44) solche Photonen (58) zur zweiten SPAD-Diode (55) transportiert und
• wobei der zumindest eine Lichtwellenleiter (44) solche Photonen (59) in die zweite SPAD-Diode (55) einstrahlt.

Feature 13: device according to feature 12,

• wherein the device has at least one operating circuit and
• wherein the at least one operating circuit supplies the at least one first SPAD diode (54) with electrical energy at least at times and
• wherein the at least one first SPAD diode (54) feeds photons (57) into the at least one optical waveguide (44) when supplied with sufficient electrical energy and
• wherein the at least one optical waveguide (44) transports such photons (58) to the second SPAD diode (55) and
• wherein the at least one optical waveguide (44) radiates such photons (59) into the second SPAD diode (55).

• wobei der Quantenzufallszahlengenerator (28) zumindest die erste SPAD-Diode (54) als Lichtquelle für das optische Quantensignal umfasst und
• wobei der Quantenzufallszahlengenerator (28) zumindest die zweite SPAD-Diode (55) als Fotodetektor für das optische Quantensignal umfasst und
• wobei der Quantenzufallszahlengenerator (28) zumindest eine Verarbeitungsschaltung umfasst und
• wobei der Quantenzufallszahlengenerator (28) zumindest den optischen Lichtwellenleiter (44) umfasst und
• wobei der zumindest eine optische Lichtwellenleiter (44), die zumindest eines erste SPAD-Diode (54) mit der zumindest einen zweiten SPAD-Diode (55) optisch koppelt und
• wobei die Betriebsschaltung die erste SPAD-Diode (54) so mit elektrischer Energieversorgt, dass die erste SPAD-Diode Licht (54) emittiert und
• wobei die Verarbeitungsschaltung das Signal der zweiten SPAD-Diode (55) erfasst und daraus die Zufallszahl bildet und dem Datenprozessor (10) oder einem anderen Vorrichtungsteil zur Verfügung stellt.

Feature 14: device according to feature 13,

• wherein the quantum random number generator (28) comprises at least the first SPAD diode (54) as a light source for the optical quantum signal and
• wherein the quantum random number generator (28) comprises at least the second SPAD diode (55) as a photodetector for the optical quantum signal and
• wherein the quantum random number generator (28) comprises at least one processing circuit and
• wherein the quantum random number generator (28) comprises at least the optical waveguide (44) and
• wherein the at least one optical waveguide (44) optically couples the at least one first SPAD diode (54) to the at least one second SPAD diode (55) and
• wherein the operating circuit provides electrical power to the first SPAD diode (54) such that the first SPAD diode emits light (54), and
• wherein the processing circuit detects the signal of the second SPAD diode (55) and forms the random number therefrom and makes it available to the data processor (10) or another part of the device.

• wobei sich der erste Speicher außerhalb der integrierten Schaltung befindet und
• wobei die Vorrichtung einen zweiten Speicher zum Speichern von Daten aufweist
• und wobei sich der zweite Speicher außerhalb der integrierten Schaltung; befindet;
• wobei die Vorrichtung so eingerichtet ist,
• dass sie Daten vom ersten Speicher über die integrierte Schaltung zum zweiten Speicher überträgt, damit der Datenprozessor vom zweiten Speicher aus darauf zugreifen kann, und
• wobei die integrierte Schaltung dazu eingerichtet ist,
• während einer Übertragung von Daten aus dem ersten Speicher in den zweiten Speicher die aus dem ersten Speicher gelesenen Daten unter Verwendung eines in dem nichtflüchtigen Speicher gespeicherten Sicherheitscodes zu validieren und,
• falls die Daten validiert werden, einen kryptographischen Schutz in einem zweiten Format auf die validierten Daten unter Verwendung eines in dem nichtflüchtigen Speicher gespeicherten Sicherheitscodes anzuwenden, und
• die im zweiten Format geschützten Daten im zweiten Speicher zu speichern.

Feature 15: Device according to one of features 12 to 14,

• wherein the first memory is external to the integrated circuit and
• the device having a second memory for storing data
• and wherein the second memory is external to the integrated circuit; located;
• the device being set up in such a way
• in that it transfers data from the first memory via the integrated circuit to the second memory for access by the data processor from the second memory, and
• wherein the integrated circuit is set up to
• during a transfer of data from the first memory to the second memory, validate the data read from the first memory using a security code stored in the non-volatile memory and,
• if the data is validated, applying cryptographic protection in a second format to the validated data using a security code stored in the non-volatile memory, and
• store the data protected in the second format in the second memory.

• wobei der erste Speicher einen Festwertspeicher aufweist.

Feature 16: Device according to one of features 12 to 15,

• wherein the first memory comprises a read-only memory.

• wobei der zweite Speicher einen Direktzugriffsspeicher aufweist.

Feature 17: Device according to one of features 15 to 16,

• wherein the second memory comprises a random access memory.

• wobei der kryptografische Schutz, der auf die Daten im ersten Speicher angewendet wird, sich von dem kryptografischen Schutz unterscheidet, der auf die Daten im zweiten Speicher angewendet wird.

Feature 18: Device according to one of features 15 to 17,

• wherein the cryptographic protection applied to the data in the first storage differs from the cryptographic protection applied to the data in the second storage.

• wobei die integrierte Schaltung einen Speicher zum Speichern von Daten enthält, die von dem Datenprozessor verarbeitet werden sollen, und
• wobei das Gerät so eingerichtet ist, dass es einige Daten des validierten Datensatzes im Speicher und den Rest im zweiten Speicher speichert.

Feature 19: Device according to one of features 12 to 18,

• wherein the integrated circuit includes a memory for storing data to be processed by the data processor, and
• the device being arranged to store some data of the validated dataset in the memory and the rest in the second memory.

• wobei der erste Speicher Daten in einem ersten Datenformat speichert und der zweite Speicher so angeordnet ist, dass er Daten in einem zweiten, anderen Datenformat speichert.

Feature 20: Device according to one of features 15 to 19,

• wherein the first memory stores data in a first data format and the second memory is arranged to store data in a second, different data format.

• wobei die im ersten Speicher gespeicherten Daten durch eine erste Authentifizierungstechnik geschützt sind und
• wobei die Vorrichtung so eingerichtet ist, dass sie die Daten im zweiten Speicher durch eine zweite, andere Authentifizierungstechnik schützt.

Feature 21: device according to feature 20,

• wherein the data stored in the first memory is protected by a first authentication technique, and
• wherein the device is arranged to protect the data in the second memory by a second, different authentication technique.

• wobei die Daten in dem ersten Speicher in mindestens einem Datensatz gespeichert sind und der oder jeder Datensatz als Satz kryptografisch geschützt ist und
• wobei die Vorrichtung so eingerichtet ist, dass sie in dem zweiten Speicher Wörter oder Wortgruppen eines validierten Datensatzes speichert, wobei jedes Wort oder jede Wortgruppe separat kryptografisch geschützt ist.

Feature 22: Device according to one of features 15 to 21,

• wherein the data in the first memory is stored in at least one record and the or each record is cryptographically protected as a set and
• wherein the device is arranged to store in the second memory words or groups of words of a validated data set, each word or group of words being cryptographically protected separately.

• dass sie die Wörter oder Wortgruppen aus dem zweiten Speicher liest, und
• dass sie die gelesenen Wörter oder Wortgruppen unter Verwendung eines in dem nichtflüchtigen Speicher gespeicherten Sicherheitscodes validiert und
• dass sie die gelesenen und validierten Wörter oder Wortgruppen in dem Datenprozessor verarbeitet.

Feature 23: Device according to feature 22, so constructed that

• that it reads the words or groups of words from the second memory, and
• that it validates the words or groups of words read using a security code stored in the non-volatile memory and
• that it processes the read and validated words or groups of words in the data processor.

• wobei die integrierte Schaltung einen Hash-Rechner aufweist, und
• wobei der Datenprozessor und der Hash-Rechner so angeordnet sind,
  1. dass a) für jedes Wort oder jede Gruppe von Wörtern eine Hash-Funktion in Abhängigkeit von einem in dem nichtflüchtigen Speicher gespeicherten Sicherheitscode berechnen und den Hash in Verbindung mit dem Wort oder der Gruppe in dem zweiten Speicher speichern,
  2. b) Abrufen eines gespeicherten Worts oder einer Gruppe aus dem zweiten Speicher, Neuberechnen einer Hash-Funktion für das abgerufene Wort oder die abgerufene Gruppe unter Verwendung des Sicherheitscodes und Vergleichen des neu berechneten Hashs mit dem gespeicherten Hash, und
  3. c) die Verarbeitung des abgerufenen Worts oder der abgerufenen Gruppe durch die Datenverarbeitungsanlage nur dann zulassen, wenn die neu berechneten und gespeicherten Hashes in einem bestimmten Verhältnis zueinanderstehen.

Feature 24: device according to feature 23,

• wherein the integrated circuit has a hash calculator, and
• wherein the data processor and the hash calculator are arranged so
  1. that a) calculate a hash function for each word or group of words as a function of a security code stored in the non-volatile memory and store the hash in connection with the word or group in the second memory,
  2. b) retrieving a stored word or group from the second memory, recomputing a hash function for the retrieved word or group using the security code and comparing the recomputed hash with the stored hash, and
  3. c) only allow the retrieved word or group to be processed by the data processing system if the newly calculated and stored hashes are in a specific relationship to one another.

• wobei der Hash-Rechner eine Schaltung in der integrierten Schaltung ist.

Feature 15: device according to feature 24,

• wherein the hash calculator is a circuit in the integrated circuit.

• wobei der nichtflüchtige Speicher der integrierten Schaltung ein einmalig programmierbarer Speicher ist.

Feature 26 Device according to one of features 12 to 25,

• wherein the non-volatile memory of the integrated circuit is a one-time programmable memory.

• wobei der oder jeder im ersten Speicher gespeicherte Datensatz durch eine entsprechende digitale Signatur kryptographisch geschützt ist.

Feature 27 Device according to one of features 12 to 26,

• wherein the or each data set stored in the first memory is cryptographically protected by a corresponding digital signature.

• wobei der oder jeder im ersten Speicher gespeicherte Datensatz durch eine entsprechende digitale Signatur kryptographisch unter Zuhilfenahme zumindest einer Zufallszahl des Quantenzufallszahlengenerators geschützt ist.

Feature 28: Device according to one of features 12 to 28,

• wherein the or each data set stored in the first memory is cryptographically protected by a corresponding digital signature with the aid of at least one random number of the quantum random number generator.

• wobei in dem nichtflüchtigen Speicher der integrierten Schaltung ein Sicherheitscode gespeichert ist, den die Vorrichtung zumindest teilweise mittels zumindest einer Zufallszahl des Quantenzufallszahlgenerators (28) erzeugt hat.

Feature 29: device according to feature 27 or 28,

• wherein a security code is stored in the non-volatile memory of the integrated circuit, which the device has at least partially generated by means of at least one random number of the quantum random number generator (28).

• wobei die Vorrichtung so eingerichtet ist, dass sie eine digitale Signatur des Datensatzes unter Bezugnahme auf einen oder unter Bezugnahme auf den in dem nichtflüchtigen Speicher der integrierten Schaltung gespeicherten Sicherheitscode validiert.

Feature 30: Device according to one of features 27 to 29,

• wherein the device is arranged to validate a digital signature of the data set with reference to or with reference to the security code stored in the non-volatile memory of the integrated circuit.

• wobei das Datenverarbeitungsgerät eine integrierte Schaltung aufweist und
• wobei die integrierte Schaltung einen Datenprozessor aufweist und
• wobei die integrierte Schaltung einen nichtflüchtigen Speicher und
• wobei der nichtflüchtige Speicher mindestens einen Sicherheitscode speichert und
• wobei die integrierte Schaltung einen Hash-Rechner aufweist und
• wobei die integrierte Schaltung eine Schnittstelle an der Grenze der integrierten Schaltung aufweist und
• wobei die integrierte Schaltung einen Quantenzufallszahlengenerator aufweist und
• wobei die integrierte Schaltung und der Quantenzufallszahlengenerator in einem Halbleiterkristall gefertigt sind und
• wobei der Halbleiterkristall eine Oberfläche (56) aufweist und
• wobei der Halbleiterkristall ein halbleitendes Material unterhalb seiner Oberfläche (56) aufweist und
• wobei die Oberfläche (56) des Halbleiterkristalls einen Metallisierungsstapel aufweist und
• wobei der Metallisierungsstapel eine typischerweise strukturierte und optisch transparente und elektrisch isolierende Schicht (44) aufweist und
• wobei zumindest ein Teil dieser typischerweise strukturierten, transparenten und elektrisch isolierenden Schicht (44) der Oberfläche (46) den optischen Lichtwellenleiter (44) bildet und
• wobei die erste SPAD-Diode (54) aus dem halbleitenden Material des Halbleitersubstrats heraus Photonen (57) in diesen optischen Lichtwellenleiter (44) einstrahlt und
• wobei der zumindest eine Lichtwellenleiter (44) solche Photonen (58) zur zweiten SPAD-Diode 55 transportiert und
• wobei der optische Lichtwellenleiter (44) die zweite SPAD-Diode (55) so bestrahlt, dass das Licht (59) von innerhalb des Lichtwellenleiters (44) wieder in das halbleitende Material des Halbeleitersubstrats von der Oberfläche (56) aus eindringt und dort Vorrichtungsteile der zweiten SPAD-Diode (55) trifft und
• wobei die erste SPAD-Diode (54) und die zweite SPAD-Diode (55) und der Lichtwellenleiter (44) Teil des Quantenzufallszahlengenerators (28) sind.

Feature 31: A data processing device,

• wherein the data processing device comprises an integrated circuit and
• wherein the integrated circuit comprises a data processor and
• wherein the integrated circuit includes a non-volatile memory and
• wherein the non-volatile memory stores at least one security code and
• wherein the integrated circuit has a hash calculator and
• wherein the integrated circuit has an interface at the boundary of the integrated circuit and
• wherein the integrated circuit comprises a quantum random number generator and
• wherein the integrated circuit and the quantum random number generator are fabricated in a semiconductor crystal and
• the semiconductor crystal having a surface (56) and
• said semiconductor crystal having a semiconducting material below its surface (56) and
• wherein the surface (56) of the semiconductor crystal has a metallization stack and
• wherein the metallization stack has a typically structured and optically transparent and electrically insulating layer (44) and
• at least part of this typically structured, transparent and electrically insulating layer (44) of the surface (46) forming the optical waveguide (44) and
• wherein the first SPAD diode (54) radiates photons (57) from the semiconducting material of the semiconductor substrate into this optical waveguide (44) and
• wherein the at least one optical waveguide (44) transports such photons (58) to the second SPAD diode 55 and
• wherein the optical light waveguide (44) irradiates the second SPAD diode (55) in such a way that the light (59) from within the light waveguide (44) re-enters the semiconducting material of the semiconductor substrate from the surface (56) and there device parts of the second SPAD diode (55) meets and
• wherein the first SPAD diode (54) and the second SPAD diode (55) and the optical fiber (44) are part of the quantum random number generator (28).

• wobei der Datenprozessor und/oder ein anderer Vorrichtungsteil des Datenverarbeitungsgeräts Daten unter Zuhilfenahme zumindest einer Zufallszahl des Quantenzufallszahlengenerators verschlüsselt oder entschlüsselt.

Feature 32: data processing device according to claim 31,

• wherein the data processor and/or another device part of the data processing device encrypts or decrypts data with the aid of at least one random number of the quantum random number generator.

• wobei das Datenverarbeitungsgerät einen Speicher aufweist und
• wobei der Speicher zum Speichern von Daten bei Verwendung durch den Prozessor dient und;
• wobei der Speicher mit dem Datenprozessor gekoppelt ist, um Wörter vom Datenprozessor zu empfangen und Wörter an den Datenprozessor zu liefern.

Feature 33: data processing equipment according to feature 31 or 32,

• wherein the data processing device has a memory and
• wherein the memory is for storing data when used by the processor and;
• wherein the memory is coupled to the data processor to receive words from the data processor and to provide words to the data processor.

• wobei der Speicher extern von der integrierten Schaltung ist und
• wobei der Speicher über die Schnittstelle an der Grenze der integrierten Schaltung mit dem Datenprozessor gekoppelt ist, um Wörter vom Datenprozessor zu empfangen und Wörter an den Datenprozessor zu liefern.

Feature 24: Data processing device according to one of features 31 to 33,

• wherein the memory is external to the integrated circuit and
• wherein the memory is coupled to the data processor via the integrated circuit boundary interface for receiving words from the data processor and providing words to the data processor.

• wobei der Datenprozessor und der Hash-Rechner sind so angeordnet, dass sie
  • - a) für jedes Wort eine Hash-Funktion in Abhängigkeit von einem in dem nichtflüchtigen Speicher gespeicherten Sicherheitscode berechnen und den Hash in Verbindung mit dem Wort speichern,
  • - b) Abrufen gespeicherter Wörter aus dem Speicher, Neuberechnen einer Hash-Funktion für jedes abgerufene Wort unter Verwendung des Sicherheitscodes und Vergleichen des neu berechneten Hash-Wertes mit dem gespeicherten Hash-Wert, und
  • - c) die Verarbeitung des abgerufenen Wortes durch die Datenverarbeitungsanlage nur dann zuzulassen, wenn die neu berechneten und gespeicherten Hashes eine vorher festgelegte Beziehung aufweisen.

Feature 35 data processing device according to one of claims 31 to 34,

• where the data processor and the hash calculator are arranged so that they
  • - a) calculate for each word a hash function depending on a security code stored in the non-volatile memory and store the hash in connection with the word,
  • - b) retrieving stored words from memory, recalculating a hash function for each retrieved word using the security code and comparing the recalculated hash value with the stored hash value, and
  • - c) allow the processing of the retrieved word by the data processing system only if the newly calculated and stored hashes have a predetermined relationship.

• eine integrierte Schaltung, die ein Datenverarbeitungsmittel und ein nichtflüchtiges Speichermittel enthält, das mindestens einen Sicherheitscode speichert;
• ein erstes Mittel, das Daten speichert, wobei die Daten in einem ersten Format zumindest durch einen Authentifizierungscode kryptografisch geschützt sind; und
• einen Quantenzufallszahlengenerator (28) als Teil der integrierten Schaltung,
• wobei der Quantenzufallszahlengenerator eine erste SPAD-Diode (54) und eine zweite SPAD-Diode (55) umfasst, die über einen Lichtwellenleiter (44), der außerhalb des Halbleitersubstrats der integrierten Schaltung auf der Oberfläche der integrierten Schaltung gefertigt ist, miteinander gekoppelt sind oder gekoppelt werden können und
• wobei die Vorrichtung zumindest eine Zufallszahl des Quantenzufallszahlengenerators (28) für eine Verschlüsselung oder Entschlüsselung eines Datums oder des Authentifizierungscodes zumindest zeitweise nutzt.

Feature 36: An apparatus comprising:

• an integrated circuit including data processing means and non-volatile memory means storing at least one security code;
• a first means storing data, the data being cryptographically protected in a first format by at least one authentication code; and
• a quantum random number generator (28) as part of the integrated circuit,
• wherein the quantum random number generator comprises a first SPAD diode (54) and a second SPAD diode (55) coupled to each other via an optical fiber (44) fabricated outside the semiconductor substrate of the integrated circuit on the surface of the integrated circuit, or can be paired and
• wherein the device at least temporarily uses at least one random number of the quantum random number generator (28) for encryption or decryption of a datum or the authentication code.

• wobei die Vorrichtung eine zweite Einrichtung, insbesondere außerhalb des integrierten Schaltkreises, zur Speicherung von Daten aufweist und
• wobei die Vorrichtung Mittel zum Übertragen von Daten vom ersten Speicher über die integrierte Schaltung zum zweiten Speicher aufweist, damit der Datenprozessor vom zweiten Speicher aus darauf zugreifen kann, und
• wobei die Vorrichtung Mittel zur Validierung der aus dem ersten Speicher gelesenen Daten während der Übertragung unter Verwendung eines in dem nichtflüchtigen Speicher gespeicherten Sicherheitscodes aufweist und
• wobei die Vorrichtung Mittel zum Anwenden eines kryptografischen Schutzes, der mindestens einen Authentifizierungscode umfasst, auf die validierten Daten in einem zweiten Format unter Verwendung eines in dem nichtflüchtigen Speicher gespeicherten Sicherheitscodes, wenn die Daten validiert werden, aufweist und
• wobei die Vorrichtung Mittel zum Speichern der geschützten Daten im zweiten Speicher im zweiten Format ausweist.

Feature 37 A device according to Feature 36,

• wherein the device has a second device, in particular outside the integrated circuit, for storing data and
• the apparatus comprising means for transferring data from the first memory via the integrated circuit to the second memory for access by the data processor from the second memory, and
• the device comprising means for validating the data read from the first memory during transmission using a security code stored in the non-volatile memory and
• the device comprising means for applying a cryptographic protection comprising at least one authentication code to the validated data in a second format using a security code stored in the non-volatile memory when the data is validated and
• the apparatus having means for storing the protected data in the second memory in the second format.

• wobei die Vorrichtung einen Quantenzufallszahlengenerator (400) umfasst und
• wobei der Quantenzufallszahlengenerator folgende Vorrichtungsteile umfasst:
• eine erste SPAD-Diode (404.1)
• eine zweite SPAD-Diode (404.3),
• einen Lichtwellenleiter (404.2), der die erste SPAD-Diode (404.1) und die zweite SPAD-Diode (404.3) optisch miteinander koppelt,
• einen Verstärker (403) und/oder Filter,
• einen Analog-zu-Digital-Wandler (403),
• einen Komparator (404.2),
• einen Zeit-zu-Digital-Wandler (404.3),
• eine Entropie-Extraktionsvorrichtung (404.4), die Ausgangswerte des Zeit-zu-Digital-Wandlers (403) in erste und zweite Werte wandelt und daraus Zufallsbits erzeugt.

Feature 38: Device, in particular according to one of features 12 to 37,

• the device comprising a quantum random number generator (400) and
• wherein the quantum random number generator comprises the following device parts:
• a first SPAD diode (404.1)
• a second SPAD diode (404.3),
• an optical waveguide (404.2) which optically couples the first SPAD diode (404.1) and the second SPAD diode (404.3) to one another,
• an amplifier (403) and/or filter,
• an analog to digital converter (403),
• a comparator (404.2),
• a time-to-digital converter (404.3),
• an entropy extraction device (404.4) which converts output values of the time-to-digital converter (403) into first and second values and generates random bits therefrom.

• wobei die Vorrichtung einen Watchdog (404.5) umfasst, der Vorrichtungsteile des Quantenzufallszahlengenerators (400) überwacht.

Feature 39: device according to feature 27,

• wherein the device comprises a watchdog (404.5) that monitors device parts of the quantum random number generator (400).

• wobei die Vorrichtung einen Spannungsmonitor (413) aufweist, der analoge Werte analoger Signale erfasst und überwacht.

Feature 40: Device according to one of features 38 to 39,

• the device comprising a voltage monitor (413) which acquires and monitors analog values of analog signals.

• wobei die Vorrichtung einen Pseudozufallszahlengenerator (404.6), insbesondere in Form eines linear rückgekoppelten Schieberegisters (404.6), umfasst.

Feature 41: Device according to one of features 38 to 40,

• wherein the device comprises a pseudo-random number generator (404.6), in particular in the form of a linear feedback shift register (404.6).

• wobei die Vorrichtung einen Signalmultiplexer aufweist, der im Falle eines Fehlers von dem Signal des Ausgangs 411 der Entropie-Extrakionsvorrichtung auf ein Signal eines Ersatz-Zufallszahlengenerators oder eines Ersatzpseudozufallszahlengenerators (404.6) umschaltet.

Feature 42: Device according to one of features 38 to 41,

• the device having a signal multiplexer which, in the event of an error, switches from the signal of the output 411 of the entropy extraction device to a signal of a substitute random number generator or a substitute pseudo-random number generator (404.6).

• wobei der Startwert des Pseudozufallszahlengenerators (404.6) im Fehlerfall von zuvor korrekt erzeugten Zufallsbits des Quantenzufallszahlengenerators (400) abhängt.

Feature 43: Device according to one of features 38 to 42,

• the start value of the pseudo-random number generator (404.6) in the event of an error depending on previously correctly generated random bits of the quantum random number generator (400).

• Erzeugen einer Pulsfolge mit zufälligen Abstaänden mittels zumindest zweier SPAD-Dioden, wobei die Pulsfolge Pulse einer ersten Höhenkasse (601) und einer zweiten Höhenkalsse (602) umfasst;
• Trennen der Pulse der ersten Höhenklasse (601) von den Pulsen der zweiten Höhenklasse (602) mittels eines Schneidepegels (603, 404.1);
• Erfassen (501) ersten Werts des zeitlichen Abstands zwischen einem ersten Puls der zweiten Höhenklasse (602) und einem zweiten Puls der zweiten Höhenklasse (602), der vom ersten Puls verschieden ist;
• Erfassen (501) zweiten Werts des zeitlichen Abstands zwischen einem dritten Puls der zweiten Höhenklasse (602), der vom ersten Puls verschieden ist, und einem vierten Puls der zweiten Höhenklasse (602), der vom ersten Puls und vom zweiten Puls und vom dritten Puls verschieden ist.
• Vergleichen (502) des ersten Werts mit dem zweiten Wert und
• Ausgeben (503) eines ersten logischen Werts als ein Zufallsbit, wenn der erste Wert größer als der zweite Wert ist, und
• Ausgeben (503) eines zweiten logischen Werts, der vom ersten logischen Wert verschieden ist, als das Zufallsbit, wenn der erste Wert kleiner als der zweite Wert ist.

Feature 44: Method of generating a random bit

• Generating a pulse sequence with random intervals by means of at least two SPAD diodes, the pulse sequence comprising pulses from a first altitude class (601) and a second altitude class (602);
• separating the pulses of the first height class (601) from the pulses of the second height class (602) by means of a slice level (603, 404.1);
• detecting (501) a first value of the time interval between a first pulse of the second height class (602) and a second pulse of the second height class (602), which differs from the first pulse;
• Detecting (501) the second value of the time interval between a third pulse of the second height class (602), which differs from the first pulse, and a fourth pulse of the second height class (602), which differs from the first pulse and from the second pulse and from the third pulse is different.
• comparing (502) the first value to the second value and
• outputting (503) a first logical value as a random bit if the first value is greater than the second value, and
• outputting (503) a second logical value different from the first logical value as the random bit if the first value is less than the second value.

• Ezeugung (3710) eines zufälligen Einzelphotonenstroms (57, 58, 59, 401.2) aus Einzelphotonen mittels einer oder mehrerer erster SPAD-Dioden (401.1, 54);
• Übertragung (3720) des zufälligen Einzelphotonenstroms (57, 58, 59, 401.2) mittels eines vom Halbleitersubstrat (49, 48) verschiedenen Lichtwellenleiters (44, 401.2) an eine oder mehrere zweite SPAD-Dioden (401.3, 55);
• Wandlung (3730) des zufälligen Einzelphotonenstroms (57, 58, 59, 401.2) in ein Detektionssignal mittels der einen oder der mehreren zweiten SPAD-Dioden (401.3, 55);
• Aufbereiten (3740) des Detektionssignals in ein aufbereitetes Detektionssignal;
• Abtrennen (3750) der durch Kopplungen der Emissionen einer ersten SPAD-Diode (401.1) der einen oder der mehreren ersten SPAD-Dioden (401.1, 54) und einer zweiten SPAD-Diode (401.3, 55) der einen oder der mehreren zweiten SPAD-Dioden (401.3, 55) entstandenen Pulse des aufbereiteten Detektionssignals von den durch spontane Emission der zweiten SPAD-Diode (401.3, 55) entstandenen Pulsen des aufbereiteten Detektionssignals duch Vergleich des des aufbereiteten Detektionssignals mit einem Schwellwert (404.1);
• Ermittlung (3760) eines ersten zeitlichen Abstands zwischen dem ersten Puls und dem zweiten Puls eines ersten Paares aus zwei aufeinander folgenden, durch Kopplungen der Emissionen einer ersten SPAD-Diode (401.1, 54) und einer zweiten SPAD-Diode (401.3, 55) entstandenen Pulse des aufbereiteten Detektionssignals und Ermittlung eines zweiten zeitlichen Abstands zwischen einem dritten Puls und einem vierten Puls eines zweiten Paares aus zwei aufeinander folgenden, durch Kopplungen der Emissionen einer ersten SPAD-Diode (401.1, 54) und einer zweiten SPAD-Diode (401.3, 55) entstandenen Pulse des aufbereiteten Detektionssignals;
• Ermittlung (3670) des Bitwerts eines Zufallsbits durch Vergleich des Werts des ersten zeitlichen Abstands und des Wert des zweiten zeitlichen Abstands;
• Sofern die Anzahl (3680) n der ermittelten Zufallsbits kleiner als die gewünschte Zahl m der Zufallsbits der zu erzeugenden Quantenzufallszahl QZ ist, Wiederholung der vorstehenden Schritte (3710 bis 3770) und Beenden des Prozesses zur Erzeugung einer Quantenzufallszahl sofern die Anzahl (3680) n der ermittelten Zufallsbits größer oder gleich der gewünschten Zahl m der Zufallsbits der zu erzeugenden Quantenzufallszahl QZ ist.

Feature 45: Method (3700) for generating a quantum random number QZ with m random bits with the steps;

• generation (3710) of a random single photon stream (57, 58, 59, 401.2) from single photons by means of one or more first SPAD diodes (401.1, 54);
• Transmission (3720) of the random stream of single photons (57, 58, 59, 401.2) by means of an optical waveguide (44, 401.2) different from the semiconductor substrate (49, 48) to one or more second SPAD diodes (401.3, 55);
• converting (3730) the random single photon stream (57, 58, 59, 401.2) into a detection signal using the one or more second SPAD diodes (401.3, 55);
• processing (3740) the detection signal into a processed detection signal;
• Separating (3750) the emissions caused by couplings of a first SPAD diode (401.1) of the one or more first SPAD diodes (401.1, 54) and a second SPAD diode (401.3, 55) of the one or more second SPAD diodes (401.3, 55) resulting pulses of the processed detection signal from the pulses of the processed detection signal resulting from spontaneous emission of the second SPAD diode (401.3, 55) by comparing the processed detection signal with a threshold value (404.1);
• Determination (3760) of a first time interval between the first pulse and the second pulse of a first pair of two consecutive ones created by coupling the emissions of a first SPAD diode (401.1, 54) and a second SPAD diode (401.3, 55). Pulses of the processed detection signal and determination of a second time interval between a third pulse and a fourth pulse of a second pair of two consecutive ones, by coupling the emissions of a first SPAD diode (401.1, 54) and a second SPAD diode (401.3, 55 ) resulting pulses of the processed detection signal;
• determining (3670) the bit value of a random bit by comparing the value of the first time interval and the value of the second time interval;
• If the number (3680) n of determined random bits is less than the desired number m of random bits of the quantum random number QZ to be generated, repeat the above steps (3710 to 3770) and end the process for generating a quantum random number if the number (3680) n of the determined random bits is greater than or equal to the desired number m of random bits of the quantum random number QZ to be generated.

Advantage

The safe microcontroller presented here has an improved entropy of its random number generator. As a result, the encryption of this secure microcontroller is post-quantum secure, in contrast to the prior art. However, the advantages are not limited to this.

Description of the figures

The figures show simplified examples of essential parts of the proposed devices and methods. By way of illustration, specific examples constructed in accordance with the teachings of this disclosure will now be described with reference to the accompanying drawings, in which:

DETAILED DESCRIPTION OF EMBODIMENTS OF THE INVENTION

In this example, the data processing device is a computer 2 for controlling a controlled system 26.

The following description first describes the configuration of the computer 2 and the contents of its various memories as it would be used after manufacture.

The computer 2 is connected to a controlled system 26 via a connection 3 . For example, the controlled system may be a backup tape drive. With a backup tape drive, it is important that the integrity of the backed up data is maintained. It is therefore important that the integrity of the data and programs used by the computer 2 is preserved.

The computer 2 includes in the example 1 for example a printed circuit board comprising a control device 4, a non-volatile memory 6 and a random access memory 8. The non-volatile memory 6 can be of any suitable type, e.g. B. a flash memory and other types. In this example it is a read-only memory, e.g. B. an EEPROM. The random access memory 8 can be any suitable memory, e.g. B. an SRAM, but in this case it is a DRAM. The non-volatile memory 6 and the random access memory 8 are external to the control device 4. A further non-volatile memory 30 can optionally be provided on the printed circuit board external to the control device and connected to it via an interface 301.

The control device 4 is preferably a monolithic integrated circuit comprising: one or more processors 10-1, 10-2; a tightly coupled memory 14, which may be SRAM; a non-volatile boot ROM 16 containing unalterable code; a hashing engine 18; one or more one-time programmable memories (OTP) 20 and 22; a test port 12; an interface 32; interfaces 63, 81 and 301 coupled to external memories 6, 8 and 30; a quantum random number generator 28, also referred to as QRNG (English abbreviation for Quantum Random Number Generator); and a hard-wired test disable circuit 24. The OTP memories 20 and 22 may be separate memories or portions of one memory. In this example, they are sections of a single memory. The test disable circuit 24 resides between the test port 12, which in this example is a JTAG port, and the processor(s) 10. The disable circuit 24 is responsive to the data in the OTP memory section 22. The hashing engine 18 uses data (one or more keys) in the OTP storage section 20. The OTP storage section 20 stores Critical Security Parameters (CSPs) including a secret key and at least one public key. Other keys can be stored in the OTP memory section 20. In one embodiment of the invention, the secret key is preferably unique for each entity of the computer 2 .

The processor(s) 10 execute(s) instructions from tightly coupled memory 14 and DRAM 8 only. The boundary of the controller 4 is a cryptographic boundary, and data and program execution within this boundary are considered secure, as discussed below. The EEPROM 6 and DRAM 8 (and memory 30 if present) are outside the cryptographic boundary and without security measures the contents of these memories would not be secure. The interfaces 12, 63, 301, 32 and 81 are located at the physical and cryptographic boundary of the control device 4.

The contents of the DRAM 8 and EEPROM 6 are cryptographically protected by authentication codes. In this example, the authentication codes used in DRAM are of a different type than those used in EEPROM. In this example, the content of the EEPROM 6 is protected from undetected malicious modification at least through the use of digital signatures. The format of the data in EEPROM is also different from that in DRAM.

The EEPROM 6 stores firmware arranged in one or more data sets 61 each having a digital signature 62 . The digital signatures used in this example of the invention use public and private keys. Therefore, the details of the digital signatures will not be described further as they are well known to those skilled in the art. When a data set is read from the EEPROM 6, its digital signature is checked by the processor(s) 10 and if valid, the data set is processed by the processor(s) 10. The processor(s) 10 only execute validly signed firmware.

As in 1 As shown, in one example, boot ROM 16 contains code used to read a boot program S2 from EEPROM 6 to read more data sets from EEPROM. A program counter (not shown) in the processor 10 is loaded with the boot ROM 15 start address. The processor then executes the code in the boot ROM. This code can read a loader program from the EEPROM 6. The boot code in the boot ROM is considered secure because it is inside the cryptographic boundary. The loader is protected by a digital signature which the boot ROM code S4 verifies against the public key stored in the first OTP 20. Subsequent data records are read using the loader program S6. The loader and the subsequent data sets are each provided with a digital signature and have one or more public ones key embedded. The loading code checks S8 the signature of the data set newly read from the EEPROM 6 using a public key which is embedded in a data set previously loaded or stored in the OTP memory 20 .

A data set read from EEPROM 6 may contain too much firmware code/data for the small tightly coupled memory TCM 14 on controller 4 to store. The TCM 14 stores firmware code/data needed immediately by the processor(s) 10 and the remainder of the firmware record is transferred to the DRAM 8. Since the DRAM 8 is outside the cryptographic boundary, the codes/data stored there are cryptographically protected by authentication codes. As in 3 shown, the data is read from EEPROM 6 as a record and written to or read from DRAM 8 as words. In this example, when a data set is read from the EEPROM S20, it is read as in 4 described, validated. At least part of the data of the sentence is stored in the TCM 14 in step S21. The remaining data of the set is processed and stored in the DRAM 8 as follows. The processor(s) 10 cooperate(s) with the hash engine 18 to calculate S22 a hash value for each word of the remaining data and S24 the hash value in DRAM at a value associated with the stored word place to save. The word size is chosen according to the system limitations. It can be as small as one byte. In practice it can be 32 bits. When a word S26 is read from DRAM 8, the processor 10 and hash engine recalculate the hash value and compare S30 the recalculated hash value with the corresponding hash value stored in DRAM. If the hash values have a predetermined relationship S34, e.g. B. are the same, the read data S38 is processed by the processor(s) 10. If they do not have the predetermined relationship, the processing S36 is interrupted and/or an error message is generated and/or the data/code is ignored.

The storage of words in DRAM with appropriate authentication codes facilitates random access to the words by the processor(s) 10.

The hash function can be any suitable hash function. An example is the well-known HMAC function. In this example, the HASH function uses the secret key stored in the OTP memory 20. It could also use a different key stored in OTP storage. An example of the hash value is HMAC (addresslldatallsecret key), where 11 represents concatenation. The hash value has at least enough bits, considering the number of bytes that the DRAM can store, to avoid or at least reduce duplication of hash values in the DRAM. The number of bits in the HASH value is at least 96 bits and can also be significantly larger. The industry standard is 160 bits, which reduces the likelihood of duplication of HASH values to a low enough level.

By providing the cryptographic boundary and protecting the data stored in DRAM 8 and EEPROM 6, computer 2 is protected from unauthorized access to the programs and data used by the computer's processor(s) during normal operation. However, the JTAG test port could allow access to the processor(s) 10 in a test mode with known EMULATE and TRACE routines and allow program changes. The JTAG test port is required at least during manufacturing for testing and can be used for post-manufacturing troubleshooting.

In order to prevent unauthorized use of the test port, the OTP memory 22 contains at least one security bit which, together with the blocking circuit 24, blocks the port 12.

In one example, OTP memory 22 contains only one bit. The OTP memory 22 allows a bit to be read only once from a state, e.g. B. "0" to change to the opposite state "1". During the manufacture of the calculator 2, the bit is "0" which allows testing, and the bit is set to "1" before the calculator 2 is released for use. The JTAG connector 12 has a serial input and a serial output (see ). The deactivation circuit, which is part of the integrated circuit of the control device 4, has a gate 241 connected between the serial output and the processor(s) 10 and a gate 242 connected between the serial input and the processor(s) ( en) 10 lies. The security bit "1" in the OTP disables gates 241 and 242. Since the security bit cannot be changed, the test port is secured against use after the calculator 2 has been manufactured.

In another example, the OTP memory 22 has a two-bit security code that is initially "00". This allows for a check during manufacture, after which the code is set to "01", ie one of the two bits is set to "1". This "01" code disables gates 241 and 242. If an error occurs Calculator 2 is returned to the manufacturer, who sets the other bit to '1', giving the code '11', allowing testing through port 12. The OTP memory 22 can be accessed to change the security code using a suitable access code which is provided with a digital signature which can be verified by a key stored in the OTP memory 20 . The key is the default public key stored in memory 20, for example. This allows the security code to be changed to "11", allowing verification through port 12. The original calculator 2 is retained by the manufacturer and the user receives a new calculator 2.

In another example, the security code may consist of three or more bits that change using the signed access code. When manufacturing, the code is "000" and when releasing to a user, it is "001". If an error occurs, the manufacturer changes the code to "011" to enable a test. After testing, the code is changed to "111", which locks port 12 against use and allows calculator 2 to be returned to the user. Only a signed access code provided with a digital signature verified by a key in OTP memory 20 can be used to change the code stored in OTP memory 22 .

Security codes of two or more bits allow an audit trail for testing (or any unauthorized testing attempts) after manufacture.

Additional interface and additional EEPROM

As in 1 shown, the control device 4 can have at least one interface 32 in addition to the connections 3 and 12 . This interface can be an Ethernet port or a Fiber Channel port. A fiber channel connection in the sense of the present document is a data connection that uses an optical fiber or another waveguide for electromagnetic radiation.

The computer 2 can also have a further non-volatile memory 30 outside of the control device 4, which stores data that is cryptographically protected by a security parameter stored in the OTP memory 20. The additional non-volatile memory 30 is coupled to the control device 4 via the interface 301 .

The further non-volatile memory 30 can be an EEPROM. The additional memory 30 can store additional critical safety parameters outside of the control device 4 . The other parameters are encrypted and provided with digital signatures to make them secure. The other parameters are encrypted with the secret key that only applies to the control device 4 and is stored in the OTP memory 20 . The digital signatures of the further parameters are created using the unique secret key stored in the OTP memory 20 . This secret key is used to decrypt the additional security parameters and to check the digital signatures read from the additional memory 30 .

The other non-volatile memory may contain other encrypted and/or digitally signed data.

The additional security parameters outside of the control device 4 can be used to secure the data and codes transmitted via the interface(s) 32 .

Making the calculator 2.

During manufacture of the computer 2, the boot code is preferably hard-coded in the boot ROM 16; the loader and other codes/data are stored in the EEPROM with digital signatures based on the public and private keys; and at least one public key is stored in the OTP memory 20.

The secret key is not stored in the OTP 20 until the security code is set in the OTP 22 and the test port 12 has been locked. The controller 4 includes a quantum random number generator QRNG 28. The firmware stored in the tightly coupled memory 14 or in the DRAM 8 reads a random number of e.g. B. 256 bits from the quantum random number generator 28 and stores them in the OTP 20 as a secret key without leaving the control device 4. This happens after deactivation tion of the test port to prevent access to the secret key even for those who have access to the manufacturing process.

The hash function can be any suitable hash function and is not limited to the HMAC example described above.

The on-chip quantum random number generator 28 QRNG could be omitted from the integrated circuit and an off-chip quantum random number generator QRNG used instead to generate the secret key during the manufacturing process. However, an on-chip quantum random number generator QRNG is more secure.

The firmware stored in EEPROM 6 is cryptographically protected, in this example by digital signatures. During manufacture, the firmware is first compiled. It is then digitally signed with a secret private key from a private-public-key system. The public key is stored in the OTP memory 20 so that the signature can be verified. The signed firmware is stored in EEPROM 6. The digital signatures can be created by submitting the compiled firmware to a secure signature generator during the manufacturing process. The signed firmware can be sent via a communication link, e.g. B. the Internet, in the EEPROM 6 can be downloaded.

Instead of an EEPROM, the non-volatile memory 6 can be any other suitable device, for example a FLASH memory.

The further non-volatile memory 30 can be a serial EEPROM.

The one-time programmable memory OTP 22 containing the security code can be replaced with reprogrammable non-volatile memory and the security code changed using signed firmware. A one-time programmable memory 22 is more secure because its programming is irreversible.

The DRAM can be further protected by making access to the DRAM very difficult physically and detectable if attempted. For example, the connections between the DRAM and the controller 4 may be buried in layers of the circuit board 2 or otherwise protected from physical sensing.

The entire computer 2 can be housed in a tamper-resistant housing with tamper-resistant seals.

The secure computer 2 preferably has at least one first SPAD diode 54 and at least one second SPAD diode 55 and at least one optical fiber optic cable 44 . The quantum random number generator 28 is preferably a quantum process-based true random number generator (QRNG) 28. The quantum process-based true random number generator (QRNG) 28 preferably comprises a first SPAD diode 44 as a light source for a quantum optical signal and a second SPAD diode 45 as a photodetector for the optical quantum signal. Furthermore, the quantum process-based true random number generator (QRNG) 18 preferably comprises at least the processing circuitry and the optical fiber optic cable 44. Preferably, the at least one optical fiber cable 44 optically couples the at least one first SPAD diode 54 to the at least one second SPAD diode 55. An operating circuit provides electrical power to the first SPAD diode 54 such that the first SPAD diode 54 emits light. In this case, the emission of light requires that the operating voltage provide a sufficient electrical bias voltage of the first SPAD diode 54 (404.1). A processing circuit (402, 403, 404) detects the signal from the second SPAD diode 55 (404.3) and forms the random number from it. The processing circuit then preferably makes the random number formed in this way available to one or more of the one or more processors 10 via a data bus.

The semiconductor crystal of the control device 4 of the computer 2 preferably has a surface 56 . Typically, the semiconductor crystal has a semiconductive material beneath its surface 56 . In particular when using conventional semiconductor circuit manufacturing processes, such as CMOS processes, bipolar processes and BiCMOS processes, the surface 56 of the semiconductor crystal typically has a metallization stack as structured metal layers and electrical insulation layers. The structured metal layers typically form the conductor tracks that run through the insulation layers are electrically isolated from each other. Thus, the metallization stack has a typically structured and optically transparent and electrically insulating layer 44 . At least part of this typically structured, transparent and electrically insulating layer 44 of the surface 56 preferably forms the optical waveguide 44. The first SPAD diode 54 typically radiates light 57 into this optical waveguide 44 from the semiconducting material of the semiconductor substrate. i.e. As a rule, in contrast to the prior art, the first SPAD diode 54 radiates perpendicularly to the surface 56 essentially upwards and not to the side into the semiconductor substrate of the semiconductor crystal, which has a high level of attenuation. Despite this, the emission of the photons 57 from the first SPAD diode 54 in the optical waveguide 44 is not directed. In particular, the emission via the substrate 48, 49 is very attenuated since visible light has a very high absorption. This allows the device to couple more photons from the first SPAD diode 54 directly to the second SPAD diode 55 . The optical fiber 44 transports these photons 57, 58, 59 of the first SPAD diode 54 in the optical fiber 44 to the second SPAD diode 55 with practically no loss compared to the prior art. The optical fiber 44 irradiates these photons 57, 58, 59 of the first SPAD diode 54 the second SPAD diode 55 in such a way that the light 59 from within the optical waveguide 44 again penetrates into the semiconducting material of the semiconductor substrate from the surface 56 and there device parts of the second SPAD diode 55 hits. The second SPAD diode 55 then generates a received signal as a function of the irradiation with these photons 59 .

Typically, at least one operating circuit supplies the at least one first SPAD diode 54 with electrical energy at least at times. The at least one first SPAD diode 54 then feeds photons 57 into the at least one optical waveguide 44 when it is supplied with sufficient electrical energy. The optical waveguide 44 then transports these photons 57, 58, 59 further. The at least one optical waveguide 44 then radiates the transported photons 58 into the second SPAD diode 55 as photons 59 moving essentially vertically. Since this transport of photons from the first SPAD diode 54 to the second SPAD diode 55 loses significantly fewer photons than in the prior art design using the highly absorptive semiconductor substrate 49,49 due to the low attenuation in the optical waveguide 44 the quantum efficiency is massively higher. This increases the bit rate at which the device can generate random numbers. Therefore, in the construction presented here, a pair of a single first SPAD diode 54 and a single second SPAD diode 55 is sufficient. The prior art always uses multiple SPAD diodes.

In a further development of the proposed secure computer 2, at least one data interface of the one or more data interfaces 64 is a wired automotive data bus interface 64. In this case, the wired automotive data bus interface 64 can be, for example, a CAN data bus interface or a CAN FD data bus interface or a Flexray - data bus interface or a PSI5 data bus interface or a DSI3 data bus interface or a LIN data bus interface or an Ethernet data bus interface or an SPI data bus interface or a MELIBUS data bus interface.

In a further development of the proposed secure computer 2, at least one data interface 64 of the one or more data interfaces 64 is a wireless data bus interface. The wireless data bus interface 64 can be a WLAN interface or a Bluetooth interface, for example.

In a further development of the proposed secure computer 2, at least one data interface 64 of the one or more data interfaces 64 is a wired data bus interface 64. The wireless data bus interface 64 can be, for example, a KNX data bus interface or an EIB data bus interface or a DALI data bus interface or a PROFIBUS data bus interface be.

Although the invention has been described by way of example with reference to a control device 4, it is not limited to a control device 4. The invention can also be applied to other types of integrated circuit data processors.

Embodiments of the invention store data external to the integrated circuit. Embodiments of the invention ensure that the data to be processed, including the executable code, cannot be modified by unauthorized persons accessing the data stored outside the integrated circuit or, if such access occurs, ensure that it cannot go unnoticed can be changed. Security is ensured by security data, and the Security data itself is secure because it is stored within the integrated circuit and protected from unauthorized access.

The above description is not exhaustive and does not limit this disclosure to the examples shown. Other variations to the disclosed examples may be understood and practiced by those of ordinary skill in the art given the drawings, disclosure, and claims. The indefinite article "a" or "an" and its inflections do not exclude a plurality, while the mention of a definite number of elements does not exclude the possibility of there being more or fewer elements. A single entity may perform the functions of multiple elements recited in the disclosure, and conversely, multiple elements may perform the function of one entity. Numerous alternatives, equivalents, variations, and combinations are possible without departing from the scope of the present disclosure.

Unless otherwise stated, all features of the present invention can be freely combined with one another. This applies to the entire document presented here. Unless otherwise stated, the features described in the description of the figures can also be freely combined with the other features as features of the invention. A limitation of individual features of the exemplary embodiments to the combination with other features of the exemplary embodiments is expressly not intended. In addition, physical features of the device can also be reworded as method features and method features can be reworded as physical features of the device. Such a reformulation is thus automatically disclosed.

In the foregoing detailed description, reference is made to the accompanying drawings. The examples in the specification and drawings should be considered as illustrative and not limiting on the specific example or element described. Several examples can be derived from the foregoing description and/or the drawings and/or the claims by modifying, combining or varying certain elements. Furthermore, examples or elements that are not literally described can be derived from the description and/or the drawings by a person skilled in the art.

figure 6

The secure computer 2 preferably has at least one first SPAD diode 54 and at least one second SPAD diode 55 and at least one optical fiber optic cable 44 . The quantum random number generator 28 is preferably a quantum process-based true random number generator (QRNG) 28. The quantum process-based true random number generator (QRNG) 28 preferably comprises a first SPAD diode 54 as a light source for a quantum optical signal and a second SPAD diode 55 as a photodetector for the optical quantum signal. Furthermore, the quantum process-based true random number generator (QRNG) 28 preferably comprises at least the processing circuitry and the optical fiber optic cable 44. Preferably, the at least one optical fiber cable 44 optically couples the at least one first SPAD diode 54 to the at least one second SPAD diode 55. An operating circuit provides electrical power to the first SPAD diode 54 such that the first SPAD diode 54 emits light. In this case, the emission of light requires that the operating voltage provide a sufficient electrical bias voltage of the first SPAD diode 54 (404.1). A processing circuit (402, 403, 404) detects the signal from the second SPAD diode 55 (404.3) and forms the random number from it. The processing circuit then preferably makes the random number formed in this way available to one or more of the one or more processors 10 via a data bus.

The semiconductor crystal of the control device 4 of the computer 2 preferably has a surface 56 . Typically, the semiconductor crystal has a semiconductive material beneath its surface 56 . In particular when using conventional semiconductor circuit manufacturing processes, such as CMOS processes, bipolar processes and BiCMOS processes, the surface 56 of the semiconductor crystal typically has a metallization stack as structured metal layers and electrical insulation layers. The structured metal layers typically form the conductor tracks, which are electrically isolated from one another by the insulating layers. Thus, the metallization stack has a typically structured and optically transparent and electrically insulating layer 44 . At least part of this typically structured, transparent and electrically insulating layer 44 of the surface 56 preferably forms the optical waveguide 44. The first SPAD diode 54 typically radiates light 57 into this optical waveguide 44 from the semiconducting material of the semiconductor substrate. i.e. usually shines first SPAD diode 54, in contrast to the prior art, perpendicular to surface 56 essentially upwards and not to the side into the semiconductor substrate of the semiconductor crystal, which has a high attenuation. Despite this, the emission of the photons 57 from the first SPAD diode 54 in the optical waveguide 44 is not directed. In particular, the emission via the substrate 48, 49 is very attenuated since visible light has a very high absorption. This allows the device to couple more photons from the first SPAD diode 54 directly to the second SPAD diode 55 . The optical fiber 44 transports these photons 57, 58, 59 of the first SPAD diode 54 in the optical fiber 44 to the second SPAD diode 55 with practically no loss compared to the prior art. The optical fiber 44 irradiates these photons 57, 58, 59 of the first SPAD diode 54 the second SPAD diode 55 in such a way that the light 59 from within the optical waveguide 44 again penetrates into the semiconducting material of the semiconductor substrate from the surface 56 and there device parts of the second SPAD diode 55 hits. The second SPAD diode 55 then generates a received signal as a function of the irradiation with these photons 59 .

Typically, at least one operating circuit supplies the at least one first SPAD diode 54 with electrical energy at least at times. The at least one first SPAD diode 54 then feeds photons 57 into the at least one optical waveguide 44 when it is supplied with sufficient electrical energy. The optical waveguide 44 then transports these photons 57, 58, 59 further. The at least one optical waveguide 44 then radiates the transported photons 58 into the second SPAD diode 55 as photons 59 moving essentially vertically. Since this transport of photons from the first SPAD diode 54 to the second SPAD diode 55 loses significantly fewer photons than in the prior art design using the highly absorptive semiconductor substrate 48,49 due to the low attenuation in the optical fiber 44 the quantum efficiency is massively higher. This increases the bit rate at which the device can generate random numbers. Therefore, in the construction presented here, a pair of a single first SPAD diode 54 and a single second SPAD diode 55 is sufficient. The prior art always uses multiple SPAD diodes.

figure 7

7 essentially corresponds to the 39 . In contrast to 39 the semiconductor crystal 48 and the epitaxial layer 49 are now covered with a first optically transparent insulating layer, for example an oxide layer 143 . The vias 140 are filled with metal in an electrically conductive manner. The metallization level 1 with the electrical lines of the first wiring level 141 contact these vias 140. On this first insulation layer 142 and the first metallization layer with the first wiring level 141, a second optically transparent insulation layer 144, preferably also in the form of an oxide layer, is applied. This can also be done by vias that are in the 7 are not shown, be plated through, so lines of the first metallization level can be connected to lines of the second metallization level. The boundary surface 145 drawn in as a dashed line between the first optically transparent insulation layer 143 and the second optically transparent insulation layer 144 is also essentially optically transparent and preferably does not essentially reflect and/or absorb the light of the first SPAD diode 55 . The first optically transparent insulating layer 143 and the second optically transparent insulating layer 144 essentially form the optical waveguide in the area of the first SPAD diode 54 and the second SPAD diode 55. In the optical path between the first SPAD diode 54 and the second SPAD Diode 55 there are preferably no vias 140 and no metal lines 141, so that the light from the first SPAD diode 54 can reach the second SPAD diode 55 unhindered. A metal cover 142 prevents photons from escaping upwards and preferably reflects them back into the optical waveguide 44 . The vias 140 and the metal lines of the first metallization level 141 similarly prevent light from being lost from the optical fiber in the horizontal.

figure 8

8th FIG. 4 schematically shows the simplified block diagram of a quantum-based random number generator 400 as proposed in this document.

A preferred common clock preferably clocks the digital circuits in the example in the 8th device shown. The quantum random number generator 60, 4100 der 41 is preferably part of the control device 4. The structure includes an entropy source 401, preferably a broadband 40 dB high-frequency amplifier 402 or the like, an analog-to-digital converter 403, which may also be just an inverter or the like. In experiments, an analog-to-digital converter 403 with a Resolution of 14 bits and a sampling rate of 125 MS/s and with an evaluation device 404, which essentially includes sub-devices of the control device 4.

The entropy source 401 of the quantum random number generator 400 typically comprises an array of Single Photon Avalanche Diodes (SPAD). The quantum random number generator 400 preferably operates the SPADs in the so-called Geiger mode with a supply voltage above the breakdown voltage. In addition, a quenching resistor 401.4 is preferably connected in series for each diode. The quenching resistor prevents thermal destruction of the respective SPAD diode if a charge carrier avalanche is triggered. The respective quenching resistor 401.4 in the figure is used here at the same time as a shunt resistor for detecting the diode current through the SPAD diodes 401.3. The current signal of the second single photon avalanche diode 401.3 is measured via a shunt resistor 401.4 for this second SPAD diode 401.3. An example of the 41 the series resistor for limiting the current strength through the respective SPAD diodes forms the shunt resistor shunt resistor 401.4. However, the shunt resistor shunt resistor 401.4 can be inserted into the supply line of the respective SPAD diode 401.1, 401.3 independently of the quenching resistor 401.4. An example array of SPAD diodes includes in the example of FIG 41 for example four active first SPAD diodes 401.1 and twelve passive second SPAD diodes 401.3. The exemplary four active, first SPAD diodes 401.1 and twelve passive, second SPAD diodes 401.3 are preferably coupled via an optical waveguide 401.2. The active first SPAD diodes 401.1 spontaneously and randomly emit individual light pulses. They correspond to the first SPAD diode 54 of FIG 6 and 7 . The active first SPAD diodes 401.1, 54 are preferably located inside the array of first and second SPAD diodes 401.1 and 401.3. The proposed device supplies the active, first SPAD diodes 401.1 with an increased supply voltage, therefore operates the active, first SPAD diodes 401.1 preferably far above the breakdown voltage of the first SPAD diodes 401.1, 54. This increases the dark count rate, which leads to a higher number of spontaneously emitted photons 3957 leads. The optical waveguide 401.2, 44 forwards some photons 58 of the emitted photons 57 to the passive, second SPAD diodes 401.3, 55. The optical waveguide 401.2, 44 corresponds to the optical waveguide 44 of 6 and 7 . The passive, second SPAD diodes 401.3 correspond to the second SPAD diode 55 of FIG 6 and 7 . The proposed device supplies the passive, second SPAD diodes 401.3, 55 with an increased supply voltage. The proposed device therefore operates the passive, second SPAD diodes 401.3, 55 just above the breakdown voltage. The passive, second SPAD diodes 401.3, 55 are preferably arranged as a ring around the active, first SPAD diodes 401.2, 54. The passive, second SPAD diodes 401.3, 55 detect at least part of the photons 59 arriving via the optical waveguide 401.2, 44. The passive, second SPAD diodes 401.3, 55 generate a current flow via a shunt resistor depending on the arriving photons 59 , which is assigned to the second SPAD diodes 401.3, 55. The entropy source 401 preferably includes the shunt resistors, the operating device of the SPAD diodes, the SPAD diodes 401.1 and 401.3 and the optical waveguide 401.2. A voltage signal 405 from the entropy source 401 preferably connects the entropy source 401 to a preferred, exemplary, broadband 40 dB radio frequency amplifier 402. Preferably, the voltage signal corresponds to the voltage drop across the quenching resistor 401.4, which in the example of the figure acts as a shunt resistor 401.4 . The proposed exemplary radio frequency amplifier 402 preferably and exemplary has a bandwidth of 30 to 4000 MHz and preferably a 1 dB compression point of 20 dBm. The voltage swing of the voltage signal 405 of the entropy source 401 is typically in the sub-millivolt range. The high-frequency amplifier 402 proposed as an example amplifies the voltage swing of this voltage signal 405 of the entropy source 401 to 50 to 150 mV, for example.

An amplifier output signal 406 of the high-frequency amplifier 402 connects, for example, the exemplary high-frequency amplifier 402 to an exemplary evaluation device 404 which essentially comprises sub-devices of the control device 4 of the fuse 1 . The evaluation device 404 of 8th is just one of many different implementation options for the technical teaching presented in this document. The evaluation device 404 has a microcontroller. The microcontroller is preferably a Zynq 7010 from Xilinx with a dual-core ARM Cortex-A9 MPCore. This can be installed, for example, on a STEMlab 125-14 measurement board 404 from RedPitaya, which is referred to as evaluation circuit 404 below. The FPGA measurement board 404 The evaluation circuit 401 has in the examples of 41 and 42 via an exemplary 14-bit analog-to-digital converter (ADC) 403, 570 with an exemplary sample rate of 125 megasamples/s and an exemplary bandwidth of 50 MHz. It has been shown during development that smaller bit widths and lower sampling rates are possible. If necessary, analog pre-processing prior to digitization by the analog-to-digital converter 403 using circuits for pulse broadening is expedient. The amplified voltage signal of the example radio frequency amplifier 402 is the amplifier output signal 406 of the RF amplifier 402. The analog-to-digital converter 403 samples the amplifier output signal 406 of the RF amplifier 402 at an analog-to-digital converter 403 sampling rate. The analog-to-digital converter 403 forwards, for example, the determined sampling values of the amplifier output signal 406 of the high-frequency amplifier 402 digitally with a bus width of, for example, 14 bits to the evaluation device 404, for example.

The simplified as a block diagram of in 41 The device shown includes, for example, a comparator 404.2, a time-to-digital converter (TDC=time to digital converter) 404.3, an entropy extraction device 404.4 and a finite state machine (finite automaton) 404.8.

The comparator 404.2 compares in the example of the 8th the exemplary digital 14-bit value 407 of the analog-to-digital converter 403, 570 with a constant 404.1, which represents a threshold value, and generates a two-clock long 1-bit output pulse on its output signal 409 of the comparator 404.2 if the value of the analog -to-digital converter 403 is greater than the constant 404.1. The output signal 409 of the comparator 404.2 connects the comparator 404.2 to the time-to-digital converter 404.3. The time-to-digital converter 404.3 preferably consists of a 32-bit counter, for example, which counts up in time with the evaluation device 404. The oscillator 30 and the clock system of the control device 4 typically provide this clock. The bit width of this counter can vary depending on the application. This clock can have a frequency of 125 MHz, for example. The 1-bit output signal of the comparator 404.2 preferably resets the count of this counter. The time-to-digital converter 404.3 applies the counter reading present at this point in time immediately before the reset to the output 410 of the time-to-digital converter (TDC) 404.3. With an exemplary 125MHz clock, the counting result has a resolution of 1/(125MHz)=8 ns. The output 410 of the time-to-digital converter (TDC) 404.3 forwards the exemplary 32-bit count result, also referred to as raw data, of the time-to-digital converter 404.3 to the entropy extraction 404.4 that follows in the signal path. The entropy extraction 404.4 converts the random raw data RD of the time-to-digital converter (TDC) 404.3 on the signal of the output 410 of the time-to-digital converter (TDC) 404.3 into a 1-bit random number 411 RN. The output 411 of the entropy extraction 404.4 is connected to the input of the finite state machine FSM 404.8.

The finite state machine 404.8 typically has the task of receiving data in the form of a serial stream of random bits 411 from the entropy extraction 404.4, converting the serial stream of random data bits into random data words and storing them in the block RAM 404.9 of the evaluation device 404, which is typically the volatile Storage is to store. The finite state machine 404.8 preferably communicates with the microcontroller 404.11 via an internal data bus 419. After a successful write operation, the finite state machine 404.8 sets a finish flag 404.10. The microcontroller 404.11 can preferably write and/or read the finish flag 404.10 via the internal data bus 419. The finish flag 404.10 may be part of the RAM 404.9 or a register of the microcontroller 404.11. The microcontroller 404.11 preferably controls and monitors the finite state machine 404.8 via the internal data bus 419. The finish flag 404.10 is preferably not set at system start. The microcontroller 404.11 can then access the block RAM 414.9 and read the random number from the RAM 404.9, for example using a C program that is started on the embedded microcontroller 404.11, for example a dual-core Arm Cortex-A9 MPCore. The microcontroller 404.11 is preferably identical to the first processor 10-1 of 1 . The microcontroller 404.11 can be a dual-core Arm Cortex-A9 MPCore, for example. The microcontroller 404.11 can also execute some of the functions of the sub-devices of the evaluation device 404 using a suitable program and can thus replace these device parts if necessary.

The microcontroller 404.11 preferably controls a watchdog 404.5. In the sense of the document presented here, the watchdog 404.5 is not just a watchdog timer that includes a timer that is clocked with the system clock of the quantum random number generator 400 or the clock of the microcontroller 404.11 and which is sent at regular time intervals by the microcontroller 404.11 has to be reset to a starting value in order to avoid interrupting the program execution of the microcontroller 404.11 when the counter reading of the timer of the watchdog 405.5 reaches and/or crosses a watchdog counter reading threshold value. The watchdog 405.5 also carries out further monitoring tasks within the quantum random number generator 400. For example, the watchdog 404.5 preferably monitors the entropy of the random bits 411. In particular, the watchdog 404.5 ensures that the random bits 411 preferably have no more than k consecutive random bits of the same logical value. If this is the case, the watchdog 404.5 preferably inserts other bits instead of the random bits 411 into this serial bit data stream from the entropy extraction 404.5 to the finite state machine 407.8. For this in the following 9 more. Preferably, the watchdog adds 404.5 in this case Random bits from another true random number generator and/or another quantum random number generator and/or pseudo-random bits from a pseudo-random number generator whose seed value is determined by valid random bits from a quantum random number generator (QRNG) or a true random number generator (TRNG). The watchdog 404.5 is preferably also a watchdog of the first processor 10-1 at the same time. In addition, the watchdog 404.5 monitors other variables within the meaning of the document presented here, such as the agreement of voltage values within the quantum random number generator 400 and/or within the device using one or more analog-to-digital converters etc.

figure 9

9 shows the extended exemplary evaluation device 404, which now includes monitoring of the random number 411 RN and has an additional backup system in the event of an error, in order to secure the security (security) of the application circuit by means of an emergency operation method even if the quantum random number generator fails. For a better overview, the components microcontroller 404.11 RAM 404.9 and finish flag 404.10 have been left out. The reader should use these device parts or functions in the 9 continue to be considered as existing. However, the person skilled in the art can easily connect to the finite state machine 404.8 from the 8th in the 9 copy and then comes to the revealed technical teaching. The watchdog 404.5, a linearly feedback shift register 404.6 as a pseudo-random number generator PRNG and a signal multiplexer 404.7 expand the device 8th to the device 9 . The microcontroller 404.11 can also be set up externally with these components.

The output 411 of the entropy extraction 404.4 is now connected to the watchdog 404.5 and the signal multiplexer 404.7, for example. The watchdog 404.5 monitors the random number RN at the output 411 of the entropy extraction 404.4. According to the proposal, the watchdog 404.5 records at least three defined error cases. For this purpose, the watchdog 404.5 supplies, for example, the last valid random numbers as a seed S 412 to the shift register 404.6 with linear feedback. If an error occurs, the watchdog 404.5 sets error bits in an undrawn error register ER of the microcontroller 404.11. Which error bit the watchdog 404.5 sets in the error register of the microcontroller 404.11 is preferably dependent on the respective error that the watchdog 404.5 detects. In addition, the watchdog 404.5 is connected to a voltage monitor 413 via one or more, preferably digital, input/output signal lines 414. The watchdog circuit preferably monitors the voltage values that the voltage monitor 413 determines. It is good practice if the voltage monitor 413 determines and monitors not only the voltages in the quantum random number generator 400, but also other voltages within the respective application circuit. The voltage monitor 413 can be said analog-to-digital converter.

The voltage monitor 413 monitors, for example, the operating voltages of the entropy source 401 and/or the voltages generated within the application circuit. If one of the operating voltages of one of the SPAD diode circuits 401.1 or 401.3 is too low, i.e. the voltage value is below a lower SPAD operating voltage threshold value, or too high, i.e. the voltage value is above an upper SPAD operating voltage threshold value, then the operating voltage monitor 413 detects this voltage deviation. The microcontroller 404.11 can preferably read out the values of the voltage monitor 413 via the internal data bus of the control device 4 . In the event of such a voltage deviation, the voltage monitor 433 signals such a deviation to the watchdog 404.5 or directly to the microcontroller 404.11. In the case of a signaling to the watchdog 404.5, the watchdog 404.5 can, for example, generate an interrupt signal 420 for the microcontroller 404.11. The watchdog 404.5 can, for example, trigger such an interrupt 420 of the microcontroller 404.11 or another sub-device of an application system if the supply voltage of the entropy source 401 or the high-frequency amplifier 402 or another device part of the quantum random number generator QRNG 400 and/or the application device is faulty. If watchdog 404.5 has detected an error in quantum random number generator 400, then quantum random number generator 400 switches to an emergency mode. For this purpose, the watchdog 404.5 sets the selection signal 416 of the signal multiplexer 404.7, so that the signal multiplexer 404.7 instead of the output 411 of the entropy extraction 4104.4 uses the pseudo-random number PRN of the linear feedback shift register 4104.6 in the form of a stream of pseudo-random bits via a pseudo-random signal line 417 as a replacement for the at least potentially faulty one Random number RN of the output 411 of the entropy extraction 404.4 to the input of the finite state machine 404.8.

The shift register 404.6 with linear feedback is connected to the output Seed S 412 of the watchdog 404.5. In the event of an error, the watchdog 404.5 activates the linear feedback shift register 4104.6. The linear feedback shift register 4104.6 then generates pseudo-random numbers PRN as pseudo-random number generator PRNG. The seed S 412 preferably has the last, for example, 16 random numbers that are just about valid (for example, 1 bit each). The watchdog 404.5 preferably places these last valid random numbers at the input of the linear feedback shift register 404.6. The seed S thus serves as a random PQC secure starting value for the generator polynomial of the feedback of the linear feedback shift register 404.6 for the generation of the pseudo-random number PRN and its signaling via the pseudo-random signal line 417. The generator polynomial and the degree of the generator polynomial can preferably be freely selected.

The signal of the output 411 of the entropy extraction 404.4 with the 1-bit random number RN of the entropy extraction 404.4 or the signal of the pseudo-random signal line 417 with the pseudo-random number PRN of the linear feedback shift register 404.6 are connected to the inputs of the signal multiplexer 4104.7. Depending on the value of the selection signal 416 SEL, the signal multiplexer 404.7 forwards one of the two inputs to the finite state machine 404.8. Of course it is conceivable to use a multiplexer with more than two inputs and a more complex control signal if the application requires it. The number of inputs of the signal multiplexer 404.7 is therefore typically greater than or equal to two.

Here, too, the finite state machine 404.8 has the task of receiving the random data RN or the pseudo-random number PRN at the output of the signal multiplexer 404.7 and writing them to the block RAM 404.9, 15 of the evaluation device 404 within the control device 4. If the writing process is successful, the finite state machine 404.8 sets the finish flag 404.10 again. The microcontroller 404.11 can then access the block RAM 404.9, for example by means of a C program, which preferably runs on the embedded microcontroller 404.11, and read out the random number and use it for encryption, for example.

10 FIG. 5 shows the flow diagram 500 of the entropy extraction method, which for example carries out the entropy extraction 404.4. The method provides for two values of the output 410 of the time-to-digital converter 404.3 to be determined in a first step 501 and to be stored in a shift register of the entropy extraction 404.4. If two values are stored in the entropy extraction shift register 404.4, the entropy extraction 404.4 compares these two values in a second step 4502. The two values in the entropy extraction shift register 404.4 therefore include a first value and a second value, both of which correspond to the time to-digital converter 404 by means of two different measurements of the respective time period between two signal pulses above the value of the constant 404.1. In a third step 503, the entropy extraction 404.4 evaluates the two values. If the first value is less than the second value and the difference between value 1 and value 2 is greater than a minimum difference ε, then entropy extraction 404.4 sets the value of its output 411 to a first logical value. If the first value is greater than the second value and the difference between the first value and the second value 2 is greater than the minimum difference ε, then the entropy extraction 404.4 sets its output to a second logical value that differs from the first logical value. If the difference between the first value and the second value is less than the minimum difference ε, then the entropy extraction discards the first value and the second value. In such a case, the entropy extraction preferably causes the watchdog 404.5 to increase an error counter by a first error counter increment. The first error counter increment can be negative. Conversely, the entropy extraction 404.4 can decrease the error counter of the watchdog 404.5 by a second error counter increment if the difference between the first value and the second value is greater than the minimum difference ε. The second error counter increment may be equal to the first error counter increment. Typically, the signs of the first error counter increment and the second error counter increment are the same. The microcontroller 404.11 can preferably set the error counter increments and the start value of the error counter and an error counter threshold value. If the count of the error counter crosses the error counter threshold value, the watchdog 404.5 preferably uses an interrupt 420 or other signaling to signal the microcontroller 404.11 that a critical error state is present. The microcontroller 404.11 then typically starts a self-test program to test the various parts of the quantum random number generator 400. For this purpose, microcontroller 404.11 can preferably put analog-to-digital converter 403, 570 into a state in which microcontroller 404.11 can write test values to an output register of analog-to-digital converter 403, which the subsequent signal chain then uses as real samples processed. Since the test values are already known, the microcontroller 404.11 (computer core 2) can observe and evaluate the correct reaction of the rest of the system, for example the incrementing of the error counter in the watchdog 404.5. The microcontroller 404.11 can therefore preferably monitor as many storage nodes as possible of the evaluation circuit 4104 or the control device 4 and read their logic state.

If a time value at the output 410 of the time-to-digital converter 404.3 is less than a minimum value, this is a value that lies within the dead time of the SPAD diodes 401.1, 401.3. The evaluation device 404 preferably discards such a value and preferably increases the error counter by the first error increment, which can also be negative. In that case, the entropy extraction 404.4 waits for the determination of the next time value by the time-to-digital converter 404.3. Once the random bit is extracted in this way, the quantum random number generator 400 starts the process over.

If the error counter crosses or reaches the error counter threshold value, an error may be present, for example, in which the time-to-digital converter 403 supplies constant numerical values due to an error, for example.

This device is thus able to detect a failure of the voltage supply 5 of the entropy source 401 or other parts of the device 4, 400. The microcontroller 404.11 can also use the analog-to-digital converter 403 to record voltages and currents in the quantum random number generator 400 and/or within the control device 4 for test purposes and compare the values determined in this way with expected value ranges in which these values must lie. The microcontroller 404.11 (the computer core 2) can also acquire digital values within the quantum random number generator 400 and/or the control device 4. For example, for test purposes, the microcontroller 404.11 can set the constant Const 404.1 so low that the noise floor essentially controls the time-to-digital converter 404.3. The values of the time-to-digital converter 404.3 should then satisfy an expected statistic within a tolerance band. If this is not the case, then there is an error. The microcontroller 404.11 (computer core 2) can create these statistics and, if necessary, deduce this error if the determined statistical values are not in an expected value interval.

The watchdog 404.5 can monitor the entropy of the random numbers 411 supplied. If the average entropy of the bits 411 over an entropy measurement period deviates significantly more than a permitted entropy deviation value from the expected random mean value of 50%, the watchdog 404.5 preferably concludes that there is an error in the quantum random number generator 4100, 60, and preferably increments the error counter by the said error counter increment. The watchdog 4104.5 then preferably stops using these random bits of the output 411 of the entropy extraction in order to prevent the transmission of plain text by the fuse 1 via the data bus. Clear text, as used in the document presented here, means that the data sent and/or stored is in a form that allows a third party to gain unauthorized access to the content of a data message and/or from stored data and/or program code. It is namely conceivable that a virtual permanent one or a virtual permanent zero is also randomly generated in the case of functioning sub-devices. Chance also includes the permanent zero and the permanent one. It is therefore useful if the maximum length of a bit sequence without changing the logic state at the output 411 of the entropy extraction 404.4 is limited to a value that can be programmed by the microcontroller 404.11 (computer core 2) by the watchdog 4195.5.

• • Störung von Versorgungsspannungen
• • Fehlerhafte Signalerzeugung der SPAD-Dioden 401.1 und 401.3,
• • Störung des Lichtwellenleiters 401.2 und/oder der Ankoppelungen der SPAD-Dioden 401.1 und 401.3 an den Lichtwellenleiter 401.2,
• • Schaltungsausfälle im Digitalteil 404 des Quantenzufallszahlengenerators 400
• • Fehlerhafte Entropie der gelieferten Zufallszahlen 411.

Essentially, the above-described quantum random number generator 4100 can thus detect the following errors and catch them with a lower security level by means of an emergency operation using a pseudo-random number generator 4104.6, i.e. for example using a linear feedback shift register 4104.6:

• • Disturbance of supply voltages
• • Faulty signal generation of the SPAD diodes 401.1 and 401.3,
• • Malfunction of the optical waveguide 401.2 and/or the coupling of the SPAD diodes 401.1 and 401.3 to the optical waveguide 401.2,
• • Circuit failures in the digital part 404 of the quantum random number generator 400
• • Incorrect entropy of the supplied random numbers 411.

It is conceivable to use a second complete quantum random number generator 400 instead of the linear feedback shift register 404.6 or the pseudo-random number generator 404.6, the output 411 of which the entropy extraction is then used by the multiplexer 404.7 instead of the signal on the pseudo-random signal line 417 for the emergency operation of the quantum random number generator 400. In case the If the output of the pseudo-random number generator 404.6 depends on one or more genuine random bits 412 as a seed, it is again a quantum random number as long as the number of inserted bits is limited. The watchdog 405.5 preferably determines the number k of the permitted maximum consecutive quantum bits 411 from a quantum random number. If this quantum random number 411, which the watchdog 404.5 uses for the determination of k, comprises only bits with a single logical value, then there is the possibility that an error has occurred. The number k should then not be a maximum in order to avoid sending or storing plain text. Rather, the watchdog 404.5 should then choose the number k to be very small, preferably minimal.

figure 11

11 shows an exemplary oscillogram of the voltage signal 404 of the entropy source 401. As can easily be seen, first spikes 601 occur with a first height and second spikes 602 with a second height. The scattering of the first height of the first spikes 601 and the scattering of the second height of the second spikes 602 are each so small that a clear separation of these events 601, 602 is possible by means of an exemplary cutting level 603 via the selection of the constant 404.1. The cutting level 603 corresponds to the value that the microcontroller 404.11 sets by means of the constant 404.1, which is preferably implemented as a register of the microcontroller 404.11.

figure 12

• Zu Beginn erzeugt sich der erste Prozessor 10-1 des Rechners 2 des Servers einen Socket-Descriptor in Schritt 3000. Ein Socket-Descriptor im Sinne des hier vorgelegten Dokuments ist ein Integer ähnlicher File-Handle, den beispielsweise die Standard C Library-Funktion socket() der socket.h Library erzeugt. Der erste Prozessor 10-1 des Rechners 2 des Servers kann diesen Socket-Descriptor in späteren Funktionsaufrufen, die Sockets verwenden, nutzen.

12 shows the schematic sequence of a server-client communication using a proposed quantum random number generator. In this case, a first device, such as that of 1 , as a server via a data bus with a second device, such as that of 1 , communicate encrypted as a client. In a first example, both the first device and the second device should each include a quantum random number generator 28, which the respective first processor 10-1 of the computer 2 uses for the encryption. The quantum random number generator 28 preferably corresponds in whole or in part to a construction corresponding to one of 5 until 9 . Very particularly preferably, the quantum random number generators of the first device and the second device each include a quantum random number generator 28, which in each case has at least one first SPAD diode and in each case at least one optical waveguide, preferably in the form of the oxide stack 44 on the semiconductor surface, and preferably at least one second SPAD diode as receiver. This increases the data rate of the generated random bits and enables the first processor 10-1 of the computer 2 of the respective device to generate and exchange the key very quickly. The respective first processors 10-1 of the respective computers 2 of the respective devices encrypt their mutual communication, preferably using an RSA encryption method. The exemplary RSA encryption method is, for example, from RL Rivest, A. Shamir, and L. Adleman, "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems" Communications of the ACM, February 1978, Vol. 21, No. 2, pages 120 known to 126. The prime numbers, which the respective first processor 10-1 of the respective computer 2 of the respective device preferably uses to generate the public key and the private key, are preferably generated randomly by the quantum random number generator 28 QRNG. The communication of the Micontroller 2 of the server with the respective first processor 10-1 of the respective computer 2 of the client preferably includes firstly the process "Server Process", which is on the respective first processor 10-1 of the respective computer 2 of the server, i.e. the first device, is started, and secondly the process “Client Process”, which is started on the respective first processor 10-1 of the respective computer 2 of the client, ie the second device. The respective first processor 10-1 of the respective computer 2 of the client typically communicates with the respective first processor 10-1 of the respective computer 2 of the server via so-called sockets. These are communication points that the respective operating system of the respective microcontroller 2 provides. The functions required to set up communication preferably come from the standard C library socket.h, for example. The following explains the communication according to an example 12 :

• At the beginning, the first processor 10-1 of the server's computer 2 generates a socket descriptor in step 3000. A socket descriptor in the sense of the document presented here is an integer similar to a file handle that, for example, the standard C library function socket () of the socket.h library is generated. The first processor 10-1 of the computer 2 of the server can use this socket descriptor in later function calls that use sockets.

In step 3010, the first processor 10-1 of the computer 2 of the server preferably binds the socket descriptor to a port and an IP address. For the purposes of this document, binding means that the first processor 10-1 of the server's computer 2 uses the standard C function bind() from the standard C library socket.h to logically associate the port and IP address with the socket descriptor created in step 3000. In the sense of this document, a port is a part of the network address that enables data packets to be assigned between server and client programs. For the purposes of this document, an IP address is a network address that makes a participant in a network clearly identifiable.

In the next step 3020, the first processor 10-1 of the computer 2 of the server goes into a passive wait state 3020 and waits for connection requests from a first processor 10-1 of the computer 2 of a client. In terms of the document presented here, the first processor 10-1 of the computer 2 of the server preferably calls the standard C function listen() of the socker.h library for this purpose. The function indicates that the first processor 10-1 of the computer 2 of the server is ready, that the first processor 10-1 of the computer 2 can accept connection requests from clients. The first processor 10-1 of the computer 2 creates a queue for incoming connection requests from the first processor 10-1 of the client's computer 2 in one of the memories of the computer 2 or the first processor 10-1 of the computer 2 or another part of the computer 2 If the first processor 10-1 of the server's computer 2 detects a connection request from a first processor 10-1 of the client's computer 2, the first processor 10-1 of the server's computer 2 accepts this connection request from the first processor 10-1 of the computer 2 of the client.

In a subsequent step 3030, the first processor 10-1 of the computer 2 of the server then establishes a connection 3030 to the first processor 10-1 of the computer 2 of the client. The first processor 10-1 of the computer 2 of the server makes a connection request from the first Processor 10-1 of computer 2 of the client in that the first processor 10-1 of computer 2 of the server leaves the listen() function. The first processor 10-1 of the computer 2 of the server preferably accepts the connection request by calling the standard C function accept() of the socket.h standard C library. The first processor 10-1 of the computer 2 of the server preferably extracts the first connection request from the queue of open connection requests for the server and then uses it to establish the connection to the first nprocessor 10-1 of the computer 2 of the client. If successful, the accept() function returns a socket descriptor of the client to the first processor 10-1 of the computer 2. A socket descriptor as used in this document is an integer similar to the file handle of the standard C library socket.h. This then creates the connection between the first processor 10-1 of the computer 2 of the server and the first processor 10-1 of the computer 2 of the client.

If said connection exists, the first processor 10-1 of the computer 2 of the server preferably starts a keyExchangeServer() function in a subsequent step 3040. The first processor 10-1 of the computer 2 of the server then executes this keyExchange() function in this step 3040 in order to send its public key to the first processor 10-1 of the computer 2 of the client. However, this keyExchangeServer() function is not a standard C function. In this function, in this step 3040 the first processor 10-1 of the computer 2 of the server generates random numbers by means of a quantum random number generator 28 QRNG. In this case, the random number preferably has a bit width n. In this case, n is a positive integer including zero. In the example presented in this document, these random numbers of the quantum random number generator 28 of the computer 2 of the server serve as indices for a look-up table of the first 2n prime numbers. This look-up table is preferably located in one of the memories of the computer 2 or in a memory of subdevices of the computer 2 of the server. The first processor 10-1 of the server computer 2 then reads the prime number corresponding to this index of the quantum random number of the quantum random number generator 28 of the computer 2 from the memory of the server computer 2. The first processor 10-1 of the computer 2 server uses these prime numbers to generate both a public key and a private key in accordance with the RSA encryption method mentioned.

The first processor 10-1 of the computer 2 then transmits a public key to the first processor 10-1 of the client's computer 2 via the data interface 64 of the server's computer 2 and the data bus 95 and the data interface 64 of the client's computer 2.

The first processor 10-1 of the server's computer 2 then waits for a message from the first processor 10-1 of the client's computer 2 via the data interface 64 of the client's computer 2 and the data bus 65 and the data interface 64 of the first processor 10-1 of computer 2 of the server. This message from the first processor 10-1 of the computer 2 of the client preferably includes a public key of the first processor s10-1 of the computer 2 of the client. The first processor 10-1 of the client's computer 2 thus typically transmits the private key of the first processor 10-1 of the client's computer 2 via the data interface 64 of the client's computer 2 and the data bus 95 and the data interface 64 of the computer 2 of the server to the first processor 10-1 of the computer 2 of the server. If the first processor 10-1 of the server's computer 2 has received the public key of the first processor 10-1 of the client's computer 2, the first processor 10-1 of the server's computer 2 stores this public key in a memory of the computer 2 of the server.

Then the first processor 10-1 of the computer 2 of the server sends, for example, its public key via its data bus interface 64 and the data bus 65 and the data bus interface 64 of the computer 2 of the client to the first processor 10-1 of the computer 2 of the client.

The server is thus typically prepared for the exchange of encrypted data between the first processor 10-1 of the computer 2 of the client and the first processor 10-1 of the computer 2 of the server.

After the keys have now been exchanged, the first processor 10-1 of the computer 2 of the server preferably executes the function recv() 3050 and waits for an encrypted message from the first processor 10-1 of the computer 2 of the client. If the first processor 10-1 of the computer 2 of the server receives a message, the first processor 10-1 of the computer 2 of the server preferably first stores this encrypted message in a temporary buffer memory of the computer 2 of the server. In terms of the present document, the recv() function is preferably a standard C function of the standard C library socket.h. The recv() function typically reads incoming data from a socket descriptor, in this case the socket descriptor of the first processor s10-1 of the client's computer 2 from step 3030 of the method. The recv() function, which the first processor 10-1 of the server's computer 2 typically executes, typically stores the received data in the temporary buffer of the server's computer 2.

If the first processor 10 - 1 of the computer 2 of the server has received an encrypted message in this way, the first processor 10 - 1 of the computer 2 of the server preferably executes the function Decrypt() 3060 in a further step 3060 . This Decrypt() function is not a standard C function. In this step 3060, the Decrypt() function decrypts the message of the server's private key from step 3040 temporarily stored in the memory of the computer 2 in accordance with the RSA method in accordance with the document presented here. As a result, the first processor 10-1 of the computer 2 of the server decrypts the received encrypted message from the client using the private key temporarily stored in the memory of the computer 2 from step 3040 according to the RSA method. The first processor 10-1 of the computer 2 of the server preferably stores the then decrypted message in a temporary buffer of the computer 2 of the server.

If the first processor 10-1 of the computer 2 of the server does not receive a message from the first processor 10-1 of the computer 2 of the client within a predetermined period of time, the first processor 10-1 of the computer 2 of the server jumps to the step now described. The first processor 10-1 of the computer 2 of the server checks whether a message is to be sent to the first processor 10-1 of the computer 2 of the client. Typically, such a message is stored in a memory of the computer 2 of the server in such a case to be sent. If necessary, the first processor 10-1 of the computer 2 of the server can also fetch such a message from another memory or system only before it is sent or have it transmitted. The first processor 10-1 of the computer 2 of the server then preferably stores such a message temporarily in a buffer memory of the computer 2 of the server. If such a message to be sent is waiting to be sent in a memory or buffer of server computer 2 , first processor 10 - 1 of server computer 2 preferably executes the Encrypt() function in a further step 3070 . In this step 3070, the first processor 10-1 of the computer 2 of the server encrypts its own message in this case using the client's public key from 3040 according to the RSA method. This function Encrypt() is not a standard C function. The server now stores its encrypted message in a temporary buffer store on computer 2 of the server.

The first processor 10 - 1 of the computer 2 of the server now executes the send() function in a step 3080 . In step 3080, the first processor 10-1 of the computer 2 of the server sends its encrypted message stored in the cache memory of the computer 2 to the first processor 10-1 of the computer 2 of the client via the data bus interface 64 of the first processor 10-1 of the Computer 2 of the server and via the data bus 65 and via the data interface 64 of the first processor 10-1 of the computer 2. For the purposes of the present document, the send() function is a standard C function of the standard C library socket.h. The send() function sends data through a socket descriptor, in this case the socket descriptor of the client from step 3030. With the end of the transfer, the typical cycle is over.

The encrypted communication for the first processor 10-1 of the computer 2 of the server then starts again at step 3040.

If the communication is terminated by the first processor 10-1 of the server's computer 2 or the first processor 10-1 of the client's computer 2, the first processor 10-1 of the server's computer 2 executes the close() 3090 function. The function close() is a standard C function of the standard C library socket.h. By executing the close() function, the first processor 10-1 of the server's computer 2 closes the open connection to a socket, here the socket of the client, and thus ends the communication.

In an analogous manner, the first processor 10-1 of the client's computer 2 executes a client process.

At the beginning of the "client process", the first processor 10-1 of the computer 2 of the client generates a socket descriptor in a step 3100. A socket descriptor in the sense of this document is again an integer similar to the file handle, for example the standard C Library function socket() of the socket.h library, which the first processor 10-1 of the client's computer 2 can use in later function calls that use sockets. The first processor 10-1 of the client's computer 2 makes a connection request to the first processor 10-1 of the server's computer 2 using the port and the IP address specified in step 3010.

For this purpose, the first processor 10-1 of the client's computer 2 preferably executes the standard C function connect() of the standard C library socket.h. This function establishes a connection between the server socket from step 3010 and the client socket from step 3100.

If the connection was accepted by the first processor 10 - 1 of the computer 2 of the server according to step 3030 , then the first processor 10 - 1 of the computer 2 of the client executes the KeyExchangeClient() function in a step 3120 . This function is not a standard C function. By performing this function, the first processor 10 - 1 of the client's computer 2 generates one or more QRNG random numbers using the quantum random number generator 28 . This random number has a bit width n. Here n is a positive integer including zero. These random numbers of the quantum random number generator 28 of the client's computer 2 preferably serve as indices for a look-up table of the first 2 ⁿ prime numbers. Using these prime numbers or other prime numbers, the first processor 10-1 of the client's computer 2 generates both a public key and a private key according to RSA encryption (ANGANG). The first processor 10-1 of the client's computer 2 preferably stores its public key generated in this way and its private key generated in this way in a memory of the client's computer 2. The first processor 10-1 of the client's computer 2 then sends its public key to the first processor 10-1 of the server's computer 2 via the data interface 64 of the client's computer 2 and via the data bus 65 and via the data interface 54 of the computer 2 of the server. The first processor 10-1 of the computer 2 of the client then waits for a message from the first processor 10-1 of the computer 2 of the server. This message from the first processor 10-1 of the computer 2 of the server typically contains the public key of the first processor 10-1 of the computer 2 of the server.

The first processor 10 - 1 of the client's computer 2 then executes the Encrypt() 3130 function. By executing the Encrypt() function in step 3130, the first processor 10-1 of the client's computer 2 encrypts its own message using the public key of the first processor 10-1 of the server's computer 2 from step 3040 using the RSA method. This function is not a standard C function. The client saves the encrypted message in a temporary cache.

The first processor 10-1 of the client's computer 2 now executes the send() function in step 3140 and sends its encrypted message to the first processor 10-1 of the server's computer 2. For the purposes of this document, the send() function is a standard C function of the standard C library socket.h. By executing the send() function, the first processor 10-1 of the client's computer 2 sends data via a socket descriptor, in this case the client's socket descriptor from 3100.

The first processor 10 - 1 of the client's computer 2 then executes the recv() 3150 function. The first processor 10-1 of the computer 2 of the client waits in step 3150 for an encrypted message from the first processor 10-1 of the computer 2 of the server. If the first processor 10-1 of the client's computer 2 receives a message, the first processor 10-1 of the client's computer 2 stores this received and typically encrypted message in a temporary buffer store. In terms of the present document, the recv() function is preferably a standard C function of the standard C library socket.h. The first processor 10-1 of the client's computer 2 performs incoming data from a socket descriptor, in this case the socket descriptor of the first processor 10-1 of the client's computer 2 from step 3100, by executing the recv() function. The first processor 10 - 1 of the client's computer 2 preferably stores the read data in a temporary buffer memory of the client's computer 2 .

If the first processor 10 - 1 of the client's computer 2 has received an encrypted message in this way, the first processor 10 - 1 of the client's computer 2 preferably executes the Decrypt() function in a step 3160 . This DeCrypt() function is not a standard C function. The first processor 10-1 of the client's computer 2 decrypts an encrypted message received by the first processor 10-1 of the client's computer 2 from the first processor 10-1 of the server's computer 2 using the private key by executing the Decrypt() function of the first processor 10-1 of the client's computer 2 from step 3120 using the RSA method. Then the first processor 10 - 1 of the client's computer 2 stores the message decrypted in this way in a temporary buffer of the client's computer 2 .

Thereafter, the communication between the first processor 10-1 of the server's computer 2 and the first processor 10-1 of the client's computer 2 starts again at step 3120.

If the communication is terminated by the first processor 10-1 of the client's computer 2 or the first processor 10-1 of the server's computer 2, the first processor 10-1 of the client's computer 2 executes the close() function in step 3170 . The function close() is a standard C function of the standard C library socket.h. Because the first processor 10-1 of the client's computer 2 executes the close() function, the first processor 10-1 of the client's computer 2 closes the open connection to a socket and thus ends the communication with the first processor 10-1 of computer 2 of the server.

figure 13

13 shows the schematic sequence of the KeyExchangeServer() and KeyExchangeClient() functions.

When starting the KeyExchangeServer() function, the first processor 10-1 of the server's computer 2 first calls the setPrimes() function in step 3200. This KeyExchangeServer() function is not a standard C function. The first processor 10-1 of the computer 2 of the server uses the KeyExchangeServer() function to generate two different prime numbers p and q, the product n=p*q and Euler's phi function phi = (p-1)(q-1) in step 3200.

Thereafter, the first processor 10-1 of the computer 2 of the server calls the function setE() in step 3210. This setE() function in step 3210 is not a standard C function. When the setE() function is called in step 3210, the first processor 10-1 of the server's computer 2 generates a number e which is relatively prime to phi, the number phi being that from step 3200. For the purposes of this document, coprime means that there is no natural number other than the number one that divides the number e and phi at the same time.

The first processor 10-1 of the computer 2 of the server then executes the function findD() in step 3220. This findD() function is not a standard C function. The first processor 10-1 of the computer 2 of the server uses the findD() function to calculate the multiplicative inverse of e, so that (e*d)mod phi=1 applies.

Now the first processor 10-1 of the computer 2 of the server calls the function recv() in step 3230. The first processor 10-1 of the computer 2 of the server now waits for an incoming message from the first processor 10-1 of the computer 2 of the client, which should typically include the public key of the client. For the purposes of this document, the recv() function is a standard C function of the standard C library socket.h. By calling the recv() function reads first Processor 10-1 of computer 2 of the server receives the incoming data from a socket descriptor, in this case the socket descriptor of the client. The first processor 10-1 of the computer 2 of the server preferably stores the read data in a temporary buffer memory of the computer 2.

Now the first processor 10-1 of the computer 2 of the server calls the function send() in step 3240. In this step 3240, the first processor 10-1 of the computer 2 of the server sends its public key (d,n) from steps 3200 and 3220 to the first processor 10-1 of the computer 2 of the client. For the purposes of this document, the send() function is a standard C function of the standard C library socket.h. The first processor 10-1 of the computer 2 of the server uses the send() function to send data via a socket descriptor, in this case the socket descriptor of the client from step 3030.

The first processor 10-1 of computer 2 of the server then exits the KeyExchangeServer() function in step 3245.

In starting the KeyExchangeClient() function, the first processor 10-1 of the client's machine 2 first calls the setPrimes() function in step 3250. This function is not a standard C function. The first processor 10-1 of the computer 2 of the client uses the KexExchangeClient() function to generate the prime number p and the prime number q, which is different from q. The first processor 10-1 of the client's computer 2 uses the KexExchangeClient() function to generate the product n=p*q. The first processor 10-1 of the computer 2 of the client uses the KexExchangeClient() function to generate Euler's phi function phi=(p-1)(q-1).

Thereafter, in step 3260, the first processor 10-1 of the client's computer 2 calls the setE() function. This function is not a standard C function. The first processor 10-1 of the client's computer 2 uses the setE() function to generate an integer e which is relatively prime to the number phi from step 3250. Coprime in the sense of the present document means that there is no natural number apart from the number one that simultaneously divides the number e and phi without remainder.

The first processor 10 - 1 of the computer 2 of the client then calls the findD() 3270 function. This function is not a standard C function. The first processor 10-1 of the client's computer 2 uses the findD() function to calculate the multiplicative inverse of the number e, so that (e*d)mod phi=1 applies.

The first processor 10-1 of the computer 2 of the client now calls the function send() 3280 and sends its public key (d,n) from steps 3250 and 3270 to the first processor 10-1 of the computer 2 of the server. For the purposes of this document, the send() function is a standard C function of the standard C library socket.h. The first processor 10-1 of the client's computer 2 uses the send() function to send data via a socket descriptor, in this case the client's socket descriptor from step 3100.

Now the first processor 10-1 of the computer 2 of the client calls the function recv() in step 3290. The first processor 10-1 of the computer 2 of the client now waits for an incoming message from the first processor 10-1 of the computer 2 of the server with the public key of the first processor 10-1 of the computer 2 of the server. For the purposes of this document, the recv() function is a standard C function of the standard C library socket.h. The first processor 10-1 of the client's computer 2 uses the recv() function to read incoming data from the first processor 10-1 of the server's computer 2 from a socket descriptor, in this case from the client's socket descriptor from step 3100 , and saves the data in a temporary buffer of the client's computer 2.

The first processor 10-1 of the client's computer 2 then exits the KeyExchangeClient() function in step 3295.

figure 14

14 shows the schematic sequence of the setPrimes() function.

The first processor 10-1 of the client's computer 2 and the first processor 10-1 of the server's computer 2 each call up this function at the given time. If one of these first processors 10-1 calls the function setPrimes(), then the calling processor 10-1 is generated, in the case of the present document the first processor 10-1 of the computer 2 of the server or the first processor 10-1 of the computer 2 of the client, a random number using a Quantum Random Number Generator QRNG in step 3300. This random number has a bit width n. Here n is a positive integer including zero. In the technical teaching of the document presented here, these random numbers serve as indices for a look-up table of the first 2 ⁿ prime numbers. The calling first processor 10-1 stores the prime number indexed by the random number as a variable p.

The calling first processor 10-1 then generates another random number in step 3310 with the preferred bit width n using the quantum random number generator 28 QRNG. These random numbers are used by the calling first processor 1O-1 again as indices for a look-up table of the first 2 ⁿ prime numbers. The calling first processor 10-1 stores the prime number, which is indexed by the random number, as a variable q in an intermediate memory of the computer 2, part of which the first processor 10-1 is preferred.

Now, in step 3320, the calling first processor 10-1 checks whether the logical statement q ==p is true. If this statement is true, step 3310 is repeated.

Subsequently, the calling processor 10-1 calculates the product n = p * q in step 3330.

Thereafter, the calling processor 10-1 calculates Euler's phi function phi = (q-1) * (p-1) in step 3340.

The calling processor 10-1 then exits the setPrimes() function in step 3350.

figure 15

The 15 shows the schematic sequence of the function setE() 3400. When the function setE() is called in step 3400, the caller, in the case of the present document the first processor 10-1 of the computer 2 of the server or the first processor 10-1 of the computer, generates 2 of the client, a random number e which is coprime to the number phi. For the purposes of this document, coprime means that there is no natural number other than the number one that divides the number e and phi at the same time. The calling processor 10-1 can generate the number e both by a random number from the quantum random number generator 28 QRNG and by a pseudo-random number generator PRNG and by incrementing an integer starting with 2. However, generation by means of the quantum random number generator 18 QRNG is preferred.

Thereafter, in step 3410, the calling processor 10-1 checks whether the logical statement gcd(e,phi) != 1 is true.

If the logical statement is fulfilled, the calling processor 10-1 repeats step 3400.

If the logical statement is not fulfilled, the calling processor 10-1 exits the setE() function and returns the current value of e as a return value to the calling processor 10-1. The gcd(a,b) function is not a standard C function. The calling processor 10-1 uses this function gcd(a,b) to calculate the greatest common divisor of the transfer parameters a, b and returns the result to the calling processor 10-1.

figure 16

16 shows the schematic flow of the findD() function. When the calling processor 10-1 calls the findD() function in step 3500, the calling processor 10-1 initializes a variable d to 0 in step 3500.

In subsequent step 3510, the calling processor 10-1 adds 1 to the number d.

Now, in step 3520, the calling processor 10-1 checks whether the logical statement (e*d) (mod phi) == 1 is fulfilled. If the logical statement (e*d) (mod phi) == 1 is not fulfilled, the calling processor repeats the steps from step 3510.

If the logical statement (e*d) (mod phi) == 1 is fulfilled, then in step 3530 the calling processor 10-1 leaves the findD() function and the calling processor 10-1 specifies the current value of d as the return value the calling processor 10-1, in the case of the present document the first processor 10-1 of the computer 2 of the server or the first processor 10-1 of the computer 2 of the client.

figure 17

17 shows the schematic sequence of a secure transmission of quantum-based random numbers between a first processor 10-1 of the computer 2 of a server 3600 and a first processor 10-1 of the computer 2 of a client 3610.

In the case of the present document, the server 3600 is a first processor 10-1 of a computer 2, the computer 2 of this server 3600 having a quantum random number generator 28 QRNG. In the case of the present document, the client 3610 is a further first processor 10-1 of a computer 2, this computer 2 of the client 3610 now having NO quantum random number generator 28 QRNG.

At the beginning, the first processor 10-1 of the computer 2 of the server 3600 generates quantum random numbers QZ1. The first processor 10-1 of the computer 2 of the server 3600 uses the quantum random numbers QZ1 as a basis for generating a private key and a public key of the server 3600 according to an asymmetric encryption method.

The asymmetric encryption method can be, for example, the RSA method (APPENDIX).

In a step 3620, the first processor 10-1 of the computer 2 of the server 360 sends the public key of the server 3600 via a non-tap-proof channel to the first processor 10-1 of the computer 2 of the client 3610.

The first processor 10-1 of the computer 2 of the client 3610 then generates a pseudo-random number PZ or a random number generated in a different way. The first processor 10 - 1 of the computer 2 of the client 3610 stores the pseudo-random number PZ or the random number generated in a different way in a memory of the computer 2 of the client 3610 . The first processor 10-1 of the computer 2 of the client 3610 generates a first private key of the client 3610 and a first public key of the client 3610 using this pseudo-random number PZ or this random number generated in a different way.

The first processor 10-1 of the computer 2 of the client 3610 encrypts the first public key of the client 3610 using the public key of the server 3600.

The first processor 10-1 of the computer 2 of the client 3610 then sends the encrypted first public key of the client 3610 to the first processor 10-1 of the computer 2 of the server 3600.

The first processor 10-1 of the computer 2 of the server 3600 now decrypts this message with its first private key. As a result, the first processor 10-1 of the computer 2 of the server 3600 now has the first public key of the client 3610 without this third party being able to know it.

The first processor 10 - 1 of the computer 2 of the server 3600 then generates a further, second quantum random number QZ2 using the quantum random number generator 28 . The bit width of this second quantum random number is preferably equal to the bit width of the random number PZ of the client 3610.

The first processor 10-1 of the computer 2 of the server 3600 now encrypts the second quantum random number QZ2 with the first public key of the client 3610. For example, the first public key of the client 3610 can be the client. In this case, the first processor 10-1 of the computer 2 of the server 3600 can encrypt the second quantum random number QZ2, for example by bitwise XORing the second quantum random number QZ2 with PZ to form an encrypted second quantum random number QZ2′. The first processor 10-1 of the computer 2 of the server 3600 then preferably sends the encrypted second quantum random number QZ2' to the first processor 10-1 of the computer 2 of the client 3610 in a step 3640.

The first processor 10-1 of the computer 2 of the client 3610 decrypts the encrypted second quantum random number QZ2' using its first private key to form the second quantum random number QZ2. If the first processor 10-1 of the computer 2 has determined the second encrypted quantum random number QZ2' by bitwise XORing the random number PZ with the second quantum random number QZ2, the first processor 10-1 of the computer 2 of the client 3610 can, for example, by bitwise XOR Linking the encrypted second quantum random number QZ2 'decode with the random number PZ known to him to the second quantum random number QZ2.

The first processor 10-1 of the computer 2 of the client 3610 preferably uses the second quantum random number QZ2 now available to it as a basis for generating a second private key and a second public key according to an asymmetric encryption method. The asymmetric encryption method can be, for example, the RSA method (APPENDIX). The first processor 10-1 of the computer 2 of the client 3610 now sends its second public key to the server 3600 via the non-tap-proof channel. It preferably encrypts this second public key of the client 3610 with the public key of the server 3600. The server 3600 decrypts the encrypted second public key of the client 3610 and then uses this second public key of the client to encrypt further messages to the first processor 10-1 of the computer 2 of the client 3610. The first processor 10-1 of the computer 2 preferably generates and sends of the server 3600 after a predetermined time or after sending a predetermined amount of data to the processor 10-1 of the computer 2 of the client 3610 a new public key on the basis of a new quantum random number of its quantum random number generator 28 QRNG encrypted with the second public key of the client 3610. The first processor 10-1 of the computer 2 of the server 3600 and the first processor 10-1 of the computer 2 of the client then preferably carry out the previously described method again, so that the keys change permanently. This also makes it impossible for a quantum computer to break the keys.

As a result, after these keys have been exchanged, communication can be carried out on the basis of the selected asymmetric encryption method.

figure 18

18 shows schematically the proposed method 3700 for generating a quantum random number. The method 3700 begins with the generation 3710 of a random stream of single photons (57, 58, 59, 401.2) using one or more first SPAD diodes (401.1, 54). The method 3700 continues with the transmission 3720 of the random stream of single photons (57, 58, 59, 401.2) by means of an optical waveguide (44, 401.2) that is different from the semiconductor substrate (49, 48) to one or more second SPAD diodes (401.3, 55 ). This is followed by the conversion 3700 of the random single-photon stream (57, 58, 59, 401.2) into a detection signal in the form of a voltage signal 405 from the entropy source 401, which preferably includes the first SPAD diodes 401.1 and the optical waveguide 401.2 and the second SPAD diodes 401.3 . This is followed by the processing 3740, in particular amplification and/or filtering and/or analog-to-digital conversion, of the detection signal into a processed detection signal, in particular a digital 14-bit value 407 of the analog-to-digital converter 403 Then the separation 3750 of the pulses of the processed detection signal, which are caused by coupling the emissions of a first SPAD diode 401.1 and a second SPAD diode 401.3, from the pulses of the processed detection signal, which are caused by spontaneous emission, takes place by comparing the of the processed detection signal with a threshold value, in particular in a comparator 404.2 and the generation of a corresponding output signal 409, in particular of the comparator 404.2. This is followed by the determination 3760 of a first time interval between the first pulse and the second pulse of a first pair of two consecutive pulses of the processed detection signal caused by coupling the emissions of a first SPAD diode 401.1 and a second SPAD diode 401.3, and the determination a second time interval between a third pulse and a fourth ppulse of a second pair of two consecutive pulses of the processed detection signal, caused by coupling the emissions of a first SPAD diode 401.1 and a second SPAD diode 401.3, and, in particular, to determine the first value of the Output 410 of the time-to-digital converter 404.3 and the second value of the output 410 of the time-to-digital converter 404.3. On this basis, the bit value of a random bit is then determined 3670 by comparing the value of the first time interval and the value of the second time interval. In a final check 3680, the first processor 10-1 of the computer 2 checks whether the number n of determined random bits is still smaller than the desired number m of random bits of the desired quantum random number. If this is not the case, the first processor 10-1 of the computer 2 repeats the above steps. Otherwise, the processor 10-1 of the calculator 2 ends the process of generating a quantum random number.

The above description is not exhaustive and does not limit this disclosure to the examples shown. Other variations to the disclosed examples may be understood and practiced by those of ordinary skill in the art given the drawings, disclosure, and claims. The indefinite article "a" or "an" and its inflections do not exclude a plurality, while the mention of a definite number of elements does not exclude the possibility of there being more or fewer elements. A single entity may perform the functions of multiple elements recited in the disclosure, and conversely, multiple elements may perform the function of one entity. Numerous alternatives, equivalents, variations, and combinations are possible without departing from the scope of the present disclosure.

Unless otherwise stated, all features of the present invention can be freely combined with one another. This applies to the entire document presented here. Unless otherwise stated, the features described in the description of the figures can also be freely combined with the other features as features of the invention. A limitation of individual features of the exemplary embodiments to the combination with other features of the exemplary embodiments is expressly not intended. In addition, physical features of the device can also be reworded as method features and method features can be reworded as physical features of the device. Such a reformulation is thus automatically disclosed.

In the foregoing detailed description, reference is made to the accompanying drawings. The examples in the specification and drawings should be considered as illustrative and not limiting on the specific example or element described. Several examples can be derived from the foregoing description and/or the drawings and/or the claims by modifying, combining or varying certain elements. Furthermore, examples or elements that are not literally described can be derived from the description and/or the drawings by a person skilled in the art.

Reference List

2

microcontrollers;

3

Connection;

4

control device;

6

non-volatile memory, EEPROM, external memory;

8th

random access memory, external memory;

10-1

first processor;

10-2

second processor;

11

concatenation;

12

test port;

14

tightly coupled memory TCM;

15

boot rom start address;

16

non-volatile boot ROM;

18

hashing engine;

20

first one-time programmable memory (OTP);

22

second one-time programmable memory (OTP);

24

test disable circuit, disable circuit;

26

controlled system, controlled system;

28

quantum random number generator;

30

other non-volatile storage, external storage;

32

Interface;

40

Exemplary SPAD diode 30 for use as a sensor element of a single photon detector;

41

Isolation, such as shallow trench isolation STI 41 of the example SPAD diode 40 or LOCOS isolation;

42

anode contact 42 of example SPAD diode 40;

43

Cathode contact 43 of example SPAD diode 40. Cathode contact 43 of example SPAD diode 40 is preferably made of indium tin oxide (ITO) or other transparent and electrically conductive material;

44

Optical fiber 44 for transporting the photons of the first SPAD diode 54 to the second SPAD diode 55. The optical fiber 44 is made of a cap oxide 44 or optically transparent insulating layer 44 of the exemplary SPAD diode 40;

45

highly doped first connection region 45 of a first conductivity type, also referred to as n+ S/D implantation. In a CMOS technology with a p-doped wafer material, this can be an n+-doped region in the semiconducting substrate material of the SPAD diode 40, for example;

46

first doped well 46 of a second conductivity type. In a CMOS technology with a p-doped wafer material, it can be a p − -doped region in the semiconducting substrate material of the SPAD diode 40, for example;

47

second doped well 47 of a second conductivity type. In a CMOS technology with a p-doped wafer material, this can be a p − -doped region in the semiconducting substrate material of the SPAD diode 40, for example;

48

epitaxial layer 48 of a second conductivity type. In a CMOS technology with a p-doped wafer material, this can be a p-doped epitaxial layer in the semiconducting substrate material of the SPAD diode 40, for example;

49

Base material 49 of the semiconducting single-crystal wafer having a second conductivity type. In a CMOS technology with a p-doped wafer material, this is, for example, a p-doped monocrystalline semiconductor wafer;

50

second doped well of a second conductivity type below the anode contact. In a CMOS technology with a p-doped wafer material, this can be a p − -doped region in the semiconducting substrate material of the SPAD diode 40, for example;

51

Highly doped second connection region of a second conductivity type, also referred to as p+ S/D implantation. In a CMOS technology with a p-doped wafer material, this can be a p+-doped region in the semiconducting substrate material of the SPAD diode 40, for example;

52

insulation such as an oxide or the like;

53

metal cover of optical fiber 44;

54

First SPAD diode. The first SPAD diode 55 serves at least temporarily as a light source for irradiating the second SPAD diode 45 with photons from the first SPAD diode 54;

55

Second SPAD diode 55. The second SPAD diode 55 serves, for example, at least temporarily as a photodetector for the light from the first SPAD diode 54.

56

Surface 56 of the wafer in the sense of the document presented here;

57

light 57 emitted vertically upwards in the direction perpendicular to the surface 56 of the first SPAD diode 54;

58

light 58 transported horizontally in the optical waveguide 44, which is a part of the light 57 radiated vertically from the first SPAD diode 54 into the optical waveguide 44;

59

Light 59 of the first SPAD diode 54 radiated vertically downwards in a direction perpendicular to the surface 56 from the optical waveguide 44 into the second SPAD diode 55, which was emitted by the first SPAD diode 54 as perpendicular light 57 into the optical waveguide 44 and was then transported horizontally to the second SPAD diode 55 by the optical fiber 44 .

61

records

62

digital signaling

63

interface

64

data bus interface;

65

data bus. In the sense of the document presented here, the data bus can be a wired data connection or a wireless data connection;

81

interface

140

Contact;

141

metal 1 lines;

142

metal 2 lines / metal 2 covers;

241

gate

242

gate

301

interface

400

Quantum Random Number Generator QRNG;

401

entropy source;

401.1

one or more first SPAD diodes;

401.2

Optical fiber;

401.3

one or more second SPAD diodes;

402

high frequency amplifier;

403

analog to digital converter (ADC);

404

measuring board with FPGA;

404.1

Constant;

404.2

comparator;

404.3

time to digital converter;

404.4

entropy extraction device 404.4;

404.5

watchdog;

404.6

linear feedback slice register. The feedback is preferably a simple primitive polynomial to generate pseudo-random bit sequences.

404.7

signal multiplexer;

404.8

Finite State Machine (finite automaton);

404.9

R.A.M;

404.10

finish flag;

404.11

microcontrollers;

405

Voltage signal from entropy source 401;

406

amplifier output signal 406 of radio frequency amplifier 402;

407

digital 14-bit value 407 of the analog-to-digital converter 403. Other bit widths are conceivable;

408

404.1 constant signal;

409

output signal 409 of the comparator 404.2;

410

output 410 of time-to-digital converter 404.3;

411

output of entronie extraction 404.4;

412

Seed S;413 Voltage Monitor;

414

signal lines;

416

selection signal;

417

pseudo random signal line;

418

random data words;

419

internal data bus of the quantum random number generator 400. It is preferably the internal data bus of the control device 4;

420

Interrupt signal of the watchdog 404.5 of the quantum random number generator 400 or the control device 4 of the fuse 1;

500

Flow diagram 500 of the entropy extraction method;

501

first step 501 with determination of the first value of the output 410 of the time-to-digital converter 404.3 and the second value of the output 410 of the time-to-digital converter 404.3 and storage in a shift register of the entropy extraction 404.4;

502

second step of comparing the first value with the second value;

503

third step of evaluating the first value and the second value and generating the random bit;

601

first spikes;

602

second spikes;

603

clip level;

3000

generation of a socket descriptor;

3010

binding the socket descriptor to a port and IP address;

3020

passive waiting state and waiting for connection requests from a microcontroller 2 of a client;

3030

establishing a connection from the first processor 10-1 of the computer 2 of the server to the first processor 10-1 of the computer 2 of the client by the first processor 10-1 of the computer 2 of the server;

3040

Generation of a quantum random number 411 and generation of a public and a private key using an RSA method by the first processor 10-1 of the computer 2 of the server using a quantum random number generator 28 QRNG and an RSA method.

3050

Waiting for an encrypted message from the first processor 10-1 of the computer 2 client by the first processor 10-1 of the computer 2 of the server;

3060

Decryption of the message using the private key temporarily stored in a memory of the computer 2 from step 3040 according to the RSA method

3070

Encryption of the message from the first processor 10-1 of the computer 2 of the server using the public key of the first processor 10-1 of the computer 2 of the client from step 3040 according to the RSA method by the first processor 10-1 of the computer 2 of the server;

3080

Sending the encrypted message stored in the hiss memory of the server's computer 2 to the first processor 10-1 of the client's computer 2 via the data bus interface 64 of the first processor 10-1 of the server's computer 2 and via the data bus 65 and via the data interface 64 the first processor 10-1 of the computer by the first processor 10-1 of the computer 2 of the server;.

3090

Execution of the close() function and closing of the open connection to a socket, here the socket of the client, and termination of communication with the client by the first processor 10-1 of the computer 2 of the server;

3100

Generating a socket descriptor by the first processor 10-1 of the client's computer 2 and making a connection request to the first processor 10-1 of the server's computer 2 using the port and the IP address specified in step 3010 , by the The first processor 10-1 of the computer 2 of the client;

3110

establishing a connection between the server socket of step 3010 and the client socket of step 3100;

3120

Generation of a quantum random number 411 and generation of a public key and a private key using an RSA method by the first processor 10-1 of the client's computer 2 using a quantum random number generator 28 QRNG and an RSA method.

3130

Encryption of the client's own message using the public key of the first processor 10-1 of the server's computer 2 from step 3040 using the RSA method by the first processor 10-1 of the client's computer 2;

3140

Sending the client's encrypted message to the first processor 10-1 of the server's computer 2 by the first processor 10-1 of the client's computer 2;

3150

Waiting for an encrypted message from the first processor 10-1 of the server's computer 2 by the first processor 10-1 of the client's computer 2 and receiving a message from the first processor 10-1 of the server Clients and storing the thus received and typically encrypted message of the first processor 10-1 of the server in a temporary buffer of the computer 2 by the first processor 10-1 of the computer 2 of the client and reading the incoming data of the first processor 10-1 of the server by the first processor 10-1 of the client's computer 2 by executing the function recv() from a socket descriptor, in this case from the socket descriptor of the first processor 10-1 of the client's computer 2 from step 3100 and storing the read data preferably in a temporary buffer of the client's computer 2 by the first processor 10-1 of the client's computer 2;

3160

Decryption of an encrypted message received by the first processor 10-1 of the client's computer 2 from the first processor 10-1 of the server's computer 2 by the first processor 10-1 of the client's computer 2 by executing the Decrypt() function the first processor 10-1 of the client's computer 2 using the private key of the first processor 10-1 of the client's computer 2 from step 3120 by means of the RSA method and then storing the message decrypted in this way in a temporary buffer of the computer 2 of the client by the first processor 10-1 of the computer 2 of the client;

3170

closing the open connection to the socket by the first processor 10-1 of the client's computer 2 and terminating the communication with the first processor 10-1 of the server's computer 2 by the first processor 10-1 of the client's computer 2;

3200

Generation of two different prime numbers p and q and the product n=p*q and the result of Euler's phi function phi=(p-1)(q-1) by the first processor 10-1 of the computer 2 of the server using the function KeyExchangeServer();

3210

Generation of a number e that is relatively prime to phi by calling the function setE () by the first processor 10-1 of the computer 2 of the server, the number phi being that from step 3200 and where relatively prime in the sense of the present document means that there are no natural number other than the number one, which simultaneously integer-divides the number e and the number phi at the same time;

3220

Calculation of the multiplicative inverse of the number e by means of the first processor 10-1 of the computer 2 of the server using the findD() function, so that (e*d)mod phi = 1;

3230

Waiting for an incoming message from the first processor 10-1 of the client's computer 2, which should typically include the client's public key, by the first processor 10-1 of the server's computer 2 and reading the incoming data from a socket descriptor, in this case the socket descriptor of the client by the first processor 10-1 of the computer 2 of the server and storing the read data preferably in a temporary buffer of the computer 2 by the first processor 10-1 of the computer 2 of the server;

3240

Sending the public key (d,n) of the first processor 10-1 of the server's computer 2 from steps 3200 and 3220 by the first processor 10-1 of the server's computer 2 to the first processor 10-1 of the client's computer 2 via a socket descriptor, in this case the socket descriptor of the client from step 3030;

3245

leaving the KeyExchangeServer() function by the first processor 10-1 of the computer 2 of the server;

3250

Generating the prime number p and generating the prime number q different from q and generating the product n=p*q and generating the Euler phi function phi = (p-1)(q-1) by the first processor 10-1 of the computer, respectively 2 of the client using the KexExchangeClient();

3260

Generating an integer e that is relatively prime to the number phi from step 3250 by the first processor 10-1 of the computer 2 of the client using the setE() function, where relatively prime in the sense of the present document means that there is no natural number other than the number one exists, which at the same time divides the number e and the phi without remainder;

3270

Calculating the multiplicative inverse of the number e by the first processor 10-1 of the client's computer 2 using the findD() function, such that (e*d)mod phi = 1;

3280

Sending the public keys (d,n) of the first processor 10-1 of the client's computer 2 from steps 3250 and 3270 to the first processor 10-1 of the server's computer 2 by the first processor 10-1 of the client's computer 2 , the first processor 10-1 of the client's computer 2 sending data via a socket descriptor, in this case the client's socket descriptor from step 3100, by means of the send() function;

3290

Waiting for an incoming message from the first processor 10-1 of the server's computer 2 with the public key of the first processor 10-1 of the server's computer 2 by the first processor 10-1 of the client's computer 2 and reading incoming data from the first processor 10-1 of the server's computer 2 from a socket descriptor, in this case from the client's socket descriptor from step 3100, by the first processor 10-1 of the client's computer 2 by means of the recv() function and storing this data into a temporary buffer of the client's computer 2 by the first processor 10-1 of the client's computer 2;

3295

exiting the KeyExchangeClient() function by the first processor 10-1 of the client's computer 2;

3300

Generating a random number using a quantum random number generator 28 QRNG by the calling first processor 10-1 and determining a prime number depending on this random number by the calling first processor 10-1 and storing this prime number as a variable p in the memory of the computer 2, part of which is the calling first processor 10-1;

3110

Generating a second random number using a Quantum Random Number Generator 28 QRNG by the calling first processor 10-1 and determining a prime number as a function of this random number by the calling first processor 10-1 and storing this prime number as a variable q in the memory of the computer 2 , part of which is the calling first processor 10-1;

3320

checking whether the logical statement q==p is true by the calling first processor 10-1 and repeating the steps from step 3310 by the calling processor 10-1 if this statement is true;

3330

calculating the product n= p * q by the calling processor 10-1;

3340

computing Euler's phi function phi = (q-1) * (p-1) D by the calling processor 10-1;

3350

exit from the setPrimes() function by the calling processor 10-1;

3400

Execution of the function SetE() When calling the function setE() in step 3400, the caller, in the case of the present document the first processor 10-1 of the computer 2 of the server or the first processor 10-1 of the computer 2 of the client, generates a random number e such that it is relatively prime to the number phi. For the purposes of this document, coprime means that there is no natural number other than the number one that divides the number e and phi at the same time. The calling processor 10-1 can generate the number e both by a random number from the quantum random number generator 28 QRNG and by a pseudo-random number generator PRNG and by incrementing an integer starting with 2. However, generation by means of the quantum random number generator 18 QRNG is preferred;

3410

Checking whether the logical statement gcd(e,phi) != 1 is satisfied by the calling processor 10-1 and repeating step 3400 by the calling processor 10-1 if the logical statement is satisfied. The calling processor 10-1 calculates the greatest common divisor of the transfer parameters a, b using this function gcd(a,b) and returns the result to the calling processor 10-1;

3420

the calling processor 10-1 exiting the setE() function and returning the current value of e as a return value to the calling processor 10-1 if the logical statement gcd(e,phi) != 1 is not satisfied;

3500

Initializing a variable d with 0 by the calling processor 10-1, here the first processor 10-1 of the client's computer 2 or the first processor 10-1 of the server's computer 2;

3510

adding the number 1 to the number d by the calling processor 10-1;

3520

Checking whether the logical statement (e*d) (mod phi) == 1 is satisfied by the calling processor 10-1 and repeating the steps from step 3510 if the logical statement (e*d) (mod phi) = = 1 is not satisfied;

3530

exiting the findD() function by the calling processor 10-1 if the logical statement (e*d) (mod phi) == 1 is satisfied, and returning the current value of d as a return value to the calling processor 10-1, in the case of the present document, the first processor 10-1 of the computer 2 of the server or the first processor 10-1 of the computer 2 of the client;

3600

Server;

3610

clients;

3620

Sending the public key of the server 3600 based on a first quantum random number of the quantum random number generator 28 QRNG of the computer 2 of the server 3600 via a non-tap-proof channel to the first processor 10-1 of the computer 2 of the client 3610 by the first processor 10-1 of the computer 2 the server 3600;

3630

Generating a pseudo-random number PZ or a random number generated in another way by the first processor 10-1 of the computer 2 of the client 3610 and storing the pseudo-random number PZ or the random number generated in a different way in a memory of the computer 2 of the client 3610 the first processor 10-1 of the computer 2 of the client 3610 and generating a first private key of the client 3610 and a first public key of the client 3610 using this pseudo-random number PZ or this random number generated differently by the first processor 10-1 of the computer 2 of the client 3610 and encrypting this first public Key of the client 3610 using the public key of the server 3600 by the first processor 10-1 of the computer 2 of the client 3610 and sending the encrypted first public key of the client 3610 to the first processor 10-1 of the computer 2 of the server 3600 by the first processor 10-1 of client 3610 computer 2;

3640

Decrypting the message of the first processor 10-1 of the computer 2 of the client 3610 with the first private key of the first processor 10-1 of the computer 2 of the client 3610, so that the first processor 10-1 of the computer 2 of the server 3600 has the first public key of the client 3610, without this third party being able to be known, and generation of a further, second quantum random number QZ2 by the first processor 10-1 of the computer 2 of the server 3600 by means of the quantum random number generator 28 QRNG, the bit width of this second quantum random number preferably being equal to the Bit width, the random number PZ of the client 3610, and encryption of the second quantum random number QZ2 with the first public key of the first processor 10-1 of the computer 2 of the client 3610 to an encrypted second quantum random number QZ2' by the first processor 10-1 of the computer 2 of the server 3600, in which case, for example, the first public key of the client 3610 can be the random number PZ of the client and in which case the first processor 10-1 of the computer 2 of the server 3600 uses the second quantum random number QZ2, for example by bitwise XORing the second quantum random number QZ2 can encrypt with PZ to an encrypted second quantum random number QZ2', and sending the encrypted second quantum random number QZ2' to the first processor 10-1 of the computer 2 of the client 3610 by the first processor 10-1 of the computer 2 of the server 3600.

3650

Decryption of the encrypted second quantum random number QZ2 'using the first private key of the first processor 10-1 of the computer 2 of the server 3600 to the second quantum random number QZ2 by the first processor 10-1 of the computer 2 of the client 3610. The first processor 10-1 of the computer 2 determines the second encrypted quantum random number QZ2' by bitwise XORing the random number PZ with the second quantum random number QZ2, then the first processor 10-1 of the computer 2 of the client 3610 can, for example, by bitwise XORing the encrypted second quantum random number QZ2' with the random number PZ known to him to the second quantum random number QZ2. The first processor 10-1 of the computer 2 of the client 3610 preferably uses the second quantum random number QZ2 now available to it as a basis for generating a second private key and a second public key according to an asymmetric encryption method. The asymmetric encryption method can be, for example, the RSA method (APPENDIX). The first processor 10-1 of the computer 2 of the client 3610 now sends its second public key to the server 3600 via the non-tap-proof channel. It preferably encrypts this second public key of the client 3610 with the public key of the server 3600. The server 3600 decrypts the encrypted second public key of the client 3610 and then uses this second public key of the client to encrypt further messages to the first processor 10-1 of the computer 2 of the client 3610. The first processor 10-1 of the computer 2 preferably generates and sends of the server 3600 after a predetermined time or after sending a predetermined amount of data to the processor 10-1 of the computer 2 of the client 3610 a new public key on the basis of a new quantum random number of its quantum random number generator 28 QRNG encrypted with the second public key of the client 3610. The first processor 10-1 of the computer 2 of the server 3600 and the first processor 10-1 of the computer 2 of the client then preferably carry out the previously described method again, so that the keys change permanently. This also makes it impossible for a quantum computer to break the keys;

3700

Method for generating a quantum random number QZ with m random bits;

3710

generating a random stream of single photons (57, 58, 59, 401.2) by means of one or more first SPAD diodes (401.1, 54);

3720

transmission of the random stream of single photons (57, 58, 59, 401.2) to one or more second SPAD diodes (401.3, 55) by means of an optical waveguide (44, 401.2) which is different from the semiconductor substrate (49, 48);

3730

Conversion of the random stream of single photons (57, 58, 59, 401.2) into a detection signal in the form of a voltage signal 405 from the entropy source 401, which preferably includes the first SPAD diodes 401.1 and the optical waveguide 401.2 and the second SPAD diodes 401.3;

3740

Processing, in particular amplifying and/or filtering and/or analog-to-digital conversion, of the detection signal into a processed detection signal, in particular a digital 14-bit value 407 of the analog-to-digital converter 403;

3750

Separation of the pulses of the processed detection signal caused by coupling the emissions of a first SPAD diode 401.1 and a second SPAD diode 401.3 from the pulses of the processed detection signal caused by spontaneous emission by comparing the processed detection signal with a threshold value, in particular in a comparator 404.2 and generation of a corresponding output signal 409, in particular of the comparator 404.2;

3760

Determination of a first time interval between the first pulse and the second pulse of a first pair of two consecutive pulses of the processed detection signal caused by coupling the emissions of a first SPAD diode 401.1 and a second SPAD diode 401.3 and determination of a second time interval between a third pulse and a fourth ppulse of a second pair of two consecutive pulses of the processed detection signal, which were produced by coupling the emissions of a first SPAD diode 401.1 and a second SPAD diode 401.3, and, in particular, for determining the first value of the output 410 of the time to digital converter 404.3 and the second value of the output 410 of the time to digital converter 404.3;

3670

determining the bit value of a random bit by comparing the value of the first time interval and the value of the second time interval;

3680

If the number n of random bits determined up to this step is less than the desired number m of random bits of the desired quantum random number, the above steps are repeated. Otherwise, the process of generating a quantum random number with m random bits is terminated.

S2

reading a boot program from the EEPROM 6;

S4

verification of the digital signature of the boot ROM code using the public key stored in the first OTP 20;

S6

Reading subsequent data sets using the loader

S8

checking the signature of the data set newly read from the EEPROM 6 using a public key embedded in a data set previously loaded or stored in the OTP memory 20 by the load code;

S20

reading a data record from the EEPROM;

S21

storing at least part of the data of the sentence in the TCM 14;

S22

calculating a hash value for each word of the remaining data;

S24

storing the calculated hash value in DRAM in a location associated with the stored word by cooperation of the processor 10 or processors 10 on the one hand and the hash engine 18 on the other hand;

S26

recalculation of the hash value when a word is read from the DRAM 8 by the processor 10 and hash engine;

S30

comparing the newly calculated hash value with the corresponding hash value stored in DRAM, using the processor 10 and the hash engine;

S34

Checking that the hash values have a predetermined relationship, e.g. B. are the same;

S36

stopping processing and/or generating an error message and/or ignoring data/code if it does not have the specified relationship;

S38

Processing of the data read by means of the processor or processors 10 if the hash values have a predetermined relationship, e.g. B. are the same;

Relevant writings

• R.L. Rivest, A. Shamir, and L. Adleman, "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems" Communications of the ACM, February 1978, Vol. 21, No. 2, pages 120-126

QUOTES INCLUDED IN DESCRIPTION

This list of documents cited by the applicant was generated automatically and is included solely for the better information of the reader. The list is not part of the German patent or utility model application. The DPMA assumes no liability for any errors or omissions.

Patent Literature Cited

• DE 102021128005 [0001]
• DE 102021128004 [0002]

Claims (3)

Method for generating a random bit Generating a pulse train with random intervals using at least two SPAD diodes, wherein the pulse sequence comprises pulses of a first height class (601) and a second height class (602); separating the pulses of the first height class (601) from the pulses of the second height class (602) by means of a slice level (603, 404.1); detecting (501) a first value of the time interval between a first pulse of the second height class (602) and a second pulse of the second height class (602), which differs from the first pulse; Detecting (501) the second value of the time interval between a third pulse of the second height class (602), which differs from the first pulse, and a fourth pulse of the second height class (602), which differs from the first pulse and from the second pulse and from the third pulse is different. comparing (502) the first value to the second value and outputting (503) a first logical value as a random bit if the first value is greater than the second value, and outputting (503) a second logical value different from the first logical value as the random bit if the first value is less than the second value. Method (3700) for generating a quantum random number QZ with m random bits, comprising the steps; generation (3710) of a random single photon stream (57, 58, 59, 401.2) from single photons by means of one or more first SPAD diodes (401.1, 54); Transmission (3720) of the random stream of single photons (57, 58, 59, 401.2) by means of an optical waveguide (44, 401.2) different from the semiconductor substrate (49, 48) to one or more second SPAD diodes (401.3, 55); converting (3730) the random single photon stream (57, 58, 59, 401.2) into a detection signal using the one or more second SPAD diodes (401.3, 55); processing (3740) the detection signal into a processed detection signal; Separating (3750) the emissions caused by couplings of a first SPAD diode (401.1) of the one or more first SPAD diodes (401.1, 54) and a second SPAD diode (401.3, 55) of the one or more second SPAD diodes (401.3, 55) resulting pulses of the processed detection signal from the pulses of the processed detection signal resulting from spontaneous emission of the second SPAD diode (401.3, 55) by comparing the processed detection signal with a threshold value (404.1); Determination (3760) of a first time interval between the first pulse and the second pulse of a first pair of two consecutive ones created by coupling the emissions of a first SPAD diode (401.1, 54) and a second SPAD diode (401.3, 55). Pulses of the processed detection signal and determination of a second time interval between a third pulse and a fourth pulse of a second pair of two consecutive ones, by coupling the emissions of a first SPAD diode (401.1, 54) and a second SPAD diode (401.3, 55 ) resulting pulses of the processed detection signal; determining (3670) the bit value of a random bit by comparing the value of the first time interval and the value of the second time interval; If the number (3680) n of determined random bits is less than the desired number m of random bits of the quantum random number QZ to be generated, repeat the above steps (3710 to 3770) and end the process for generating a quantum random number if the number (3680) n of the determined random bits is greater than or equal to the desired number m of random bits of the quantum random number QZ to be generated. Device for generating a quantum random number QZ, with one or more first SPAD diodes (401.1, 54) which generate a random single photon stream (57, 58, 59, 401.2) from single photons (3710) and with one or more second SPAD diodes ( 401.3, 55) and with an optical waveguide (44, 401.2) which is different from the semiconductor substrate (49, 48) and which transmits the random single photon stream (57, 58, 59, 401.2) to one or more second SPAD diodes (401.3, 55) ( 3720), and wherein the one or more second SPAD diodes (401.3, 55) convert the random single photon stream (57, 58, 59, 401.2) into a detection signal (3730) and wherein a signal processing device, in particular an amplifier (402), the detection signal is processed into a processed detection signal (3740) and wherein a comparator (404.02) or a functionally equivalent device is coupled by the Emis sion of a first SPAD diode (401.1) of the one or more first SPAD diodes (401.1, 54) and a second SPAD diode (401.3, 55) of the one or more second SPAD diodes (401.3, 55) resulting pulses the processed detection signal is separated (3750) from the pulses of the processed detection signal caused by spontaneous emission of the second SPAD diode (401.3, 55) by comparing the processed detection signal with a threshold value (404.1) and wherein a time-to-digital converter ( 404.3) a first time interval between the first pulse and the second pulse of a first pair of two consecutive pulses created by coupling the emissions of a first SPAD diode (401.1, 54) and a second SPAD diode (401.3, 55) of the processed detection signal determined (3760) and a second time interval between a third pulse and a fourth pulse of a second pair of two consecutive, by coupling the emissions of a first SPAD diode (401.1, 54) and a second SPAD diode (401.3, 55) the resulting pulses of the processed detection signal are determined and an entropy extraction device (404.4) determines the bit value of a random bit by comparing the value of the first time interval and the value of the second time interval (3670) and a finite state machine (404.8) generates a quantum random number QZ (417) from the bit data stream of the random bits (411).

Images