JP2024081152A - DEVICE HAVING MULTIPLE HARDWARE SIGNATURES DERIVED FROM A SINGLE PUF CIRCUIT SOURCE AND ASSOCIATED METHODS, SYSTEMS AND APPLICATIONS - Patent application - Google Patents

Abstract

An apparatus and method for generating multiple unique digital signatures using a single Physical Unclonable Function (PUF) entropy source is provided. The apparatus includes a PUF entropy source 300, which includes a dynamically measurable PUF entropy source, a random number generator, and a quasi-static voting mechanism. The dynamically measurable PUF entropy source is a circuit system that can measure access at any time during device and circuit operation, and does not depend on other electronic processes, power-on cycles, or specific electronic voltage or impedance offsets, except for digital trigger signal measurement circuits. The random number generator directly obtains true random numbers for any function, mechanism, or engine upon request of the host device. The quasi-static voting mechanism is used during a digital signature index registration mechanism or a digital signature index recovery and loading mechanism. [Selected Figure]

Description

The present invention relates to physically unclonable function (PUF) technology, and in particular to devices having multiple hardware signatures derived from a single PUF circuit source and related methods and applications.

A physically unclonable function (PUF) is a function built into a physical system. A PUF source is actually a true random pattern generating system, and the results generated cannot be replicated under the same logic or structure. Common PUF sources include human DNA and atmospheric noise. In the field of electronics, PUF sources are designed by semiconductor technology so that the uniqueness of the PUF source is found in the semiconductor process where random semiconductor parameter changes occur. Thus, in a common semiconductor design structure, each design will randomly and always produce similar digital patterns and behaviors.

Based on such a PUF source (also called an entropy source), the system can run a PUF algorithm that can extract an immutable digital sequence called a digital ID, a hardware signature, or a digital signature.

The hardware signature or digital signature, when combined with a True Random Number Generator (TRNG), is the only ID on the silicon chip that can be used to deploy a root of trust system as known in the prior art.

In the prior art and related art, the inventors utilize a PUF source, selectively in conjunction with additionally stored checkpoint data, also referred to as auxiliary data, to generate or obtain a physically attached digital signature, which is then used to provide a PUF-derived key required for a cryptographic application.

In the prior art, systems use a hardware digital signature from a single PUF entropy source. Each time the secure credentials or unique digital sequences used for the cryptosystem need to be updated, they are created or generated from this single hardware digital signature and are not shared or persistently stored. A root of trust hardware security system is deployed using a single hardware digital signature to establish the necessary secure credentials.

Currently, there are no known systems that can create multiple independent (non-derived) hardware digital signatures within the same chip, and therefore secure credentials derived directly from a single PUF source system cannot provide the redundancy and diversity.

Conventional systems first attach a single PUF entropy source to a single hardware digital signature, and then derive multiple secure credentials based on this hardware digital signature.

The main drawback of the prior art is that once a digital signature is performed, the key it provides cannot be changed. In other words, the prior art can only attach a single PUF entropy source to a single, independent digital signature for each device operation time or power-on sequence.

If the digital signature is corrupted or the checkpoint is damaged, it cannot be instantly changed, updated or recovered from without terminating all PUF-related processes and then power cycling. In traditional technical cases, a corrupted digital signature even poses a persistent security threat.

Therefore, a PUF hardware digital signature is needed that can create, update and retrieve multiple digital signatures, such that each signature can be attached to its own PUF-derived key or PUF digital sequence, so that any electronic system can have multiple sets of digital identities for different system entities and parties for different applications.

The present invention relates to a circuit and system that can generate multiple unique digital signatures by using a single PUF entropy source. Although a single silicon unique pattern appears through the source of the PUF entropy circuit system, by implementing the method and system of the present invention, a set of new digital signatures can be generated by intertwining the unique quasi-static digital device print, also called the PUF source (the PUF source itself is an entropy source), with the true random numbers generated by the true random number generator of the present invention, not directly as random numbers. The related patents and technologies are made by key derivation methods to smoothly re-obtain the same unique digital signature from the PUF source, and the present invention does not directly use this unique digital signature at all, but obtains multiple digital signatures randomly intertwined based on this method apart from the procedure of a simple key derivation function.

The technology adopted by the present invention is similar to some related precedents in terms of PUF system structure, and similarly includes a randomized PUF source with both static and dynamic entropy, a circuit for generating checkpoint material, a verification circuit for verifying whether the digital ID is successfully recovered, and a final digital signature recovery circuit using the checkpoint material. However, the present invention is different in that the method of generating checkpoint data, verifying PUF integrity, and recovering each unique signature can add multiple uniqueness by creating multiple independent digital signatures of the intertwining of true random numbers, designed key derivation functions, format-preserving encryption/decryption, shuffle and toggle functions, and logical digital circuit systems. The root keys of all signatures are hidden within different mathematical curves and are only used for a specific digital signature recovery process, and all other security authentication information created by the circuit of the present invention is only associated with each locked digital signature, rather than directly associated with the original quasi-static digital device print or PUF source. In other words, this is a PUF system circuit that has a second re-randomized uniqueness with dynamic, changeable, and updateable properties, and can effectively protect the host device. If a digital signature is corrupted by an attack, other digital signatures and the original quasi-static digital device print are not affected.

The PUF system circuitry of the present invention includes a dynamically measurable PUF entropy source implemented in hardware form, and other logic and cryptographic circuit blocks that may be implemented in a variety of ways, including a silicon-based hardware circuit system, or in some embodiments a processor farm, or a non-volatile memory storage device that is circumscribed in the form of an entity designed to be subordinate to or separate from the underlying components of the hardware PUF system.

The system of the present invention can be implemented in the form of a PUF-based secure credential provider so that a safe for storing all digital secrets can be built in any electronic system, internal or external to a microprocessor or processor or custom circuitry, and can provide secure credentials that do not need to be stored by relying on the volatile generation and recovery of multiple unique and genuine hardware IDs, so that these secrets can be obtained by a volatile and unique circuit that does not contain any trace of standard security cryptographic secret storage.

According to one aspect of the invention, the system includes electronic circuitry for generating a dynamically measurable PUF entropy source that can be measured at any time during operation of the device by a trigger signal and the measurement results can be used to generate quasi-static digital device prints and true random numbers; a random number generator circuit that uses the measurement results from the dynamically measurable PUF entropy source; a quasi-static voting mechanism that uses the measurement results from the dynamically measurable PUF entropy source to generate a quasi-static digital device print pattern; and a set of digital bitwise shuffle and toggle functions for randomizing and shuffling the quasi-static digital device prints. functions), a key derivation function engine that takes random numbers, static and quasi-static digital sequences as inputs and generates an intertwined digital output, a set of format-preserving encryption and decryption engines that include both encryption and decryption mechanisms and can be arbitrarily replicated within the circuit, providing the ability to create or register as well as recover and load multiple unique PUF-based digital sequences used as unique digital signatures, a non-volatile memory medium in which specific checkpoint data is stored and may, but need not, be integrated within the device silicon area, a communication interface used to communicate data with a host or connected device by standard communication protocols and located in a target host device of the system to manage the inputs and outputs of the system, and a system controller for executing instructions and providing the results of the multiple digital signature security zone system from the target host device or connected device. The format-preserving encryption and decryption engine is a symmetric encryption mechanism that takes a digital key and digital input data, encrypted data or plaintext data, and a sequence as input to output encrypted data or plaintext data.

According to one embodiment of the present invention, a dynamically measurable PUF entropy source is a PUF cell unit array that can be measured at any time after a power supply abnormality occurs, without being affected by power-on cycles, system time pulse frequency, and process.

According to one embodiment of the present invention, the random number generator circuit is a true random number generator that uses repeated measurements of the binary state results of a dynamically measurable PUF entropy source to directly generate true random numbers without the assistance of other pseudorandom number generation algorithms.

According to one embodiment of the present invention, the quasi-static voting mechanism is a static counting circuit that uses repeated measurements of binary state measurements of the PUF entropy source to generate quasi-static digital device prints, where the quasi-static digital device prints for each measurement iteration may be the same or different.

According to one embodiment of the present invention, the shuffle and toggle functions can be implemented as a common resource block for any function using internally generated true random numbers from a dynamically measurable PUF entropy source, and defined static parameters used by the functions can be changed without affecting correct functioning. Also, the shuffle and toggle functions can be implemented in a hardware circuit system or software.

According to one embodiment of the present invention, the key derivation function is a circuit consisting of a defined control loop of a checksum function and a hash with defined internal digital parameters.

According to one embodiment of the present invention, except for the PUF entropy source, the design of the remaining parts of the system may be implemented in a hardware silicon circuit system or in software.

According to one embodiment of the present invention, the non-volatile memory device can be integrated internally or externally into the system.

According to one embodiment of the present invention, the communication interface is integrated with a central system controller according to the host target device, independent of the external interface.

According to another aspect of the present invention, the digital signature index registration system includes a true random number generator used to randomize each registration and iteration process to create a different digital signature for each iteration, independent of other fixed digital inputs; a dynamically measurable PUF entropy source used to measure a unique system digital operation, i.e., a digital device print, after any given request during device operation; a logic circuit including sequentially arranged key derivation functions, scrambling functions, shuffle functions, toggle functions, checksum functions, and format-preserving encryption/decryption functions to generate an encrypted unique digital signature and checkpoint data by converging toward a unique digital signature using multiple curve cryptography engines based on fixed inputs, the PUF entropy source, and checkpoint data without performing an error-correcting code algorithm; and a non-volatile storage medium to store each different digital signature mathematical checkpoint data used to recover and load the target index digital signature.

According to one embodiment of the present invention, the true random number generator is a logical bit operation that uses as input the resulting output of a dynamically measurable PUF entropy source.

In one embodiment of the present invention, the logic circuit performs digital signature registration with a true random number generator, a dynamically measurable PUF entropy source with multiple outcomes, if desired, and any digital host device input.

According to one embodiment of the present invention, the non-volatile storage medium stores specific mathematical checkpoint data appended to a unique set of random numbers, a unique set of PUF entropy sources, and a unique arbitrary digital input that may be fixed within the system if not specified.

According to one embodiment of the present invention, digital checkpoint data is stored on the non-volatile memory medium and used to recover and load one unique index digital signature, and the non-volatile memory medium can store one or more versions of the checkpoint data to generate multiple unique digital signatures allowing digital signature diversity on a single system.

According to one embodiment of the present invention, the checkpoint data stored in the non-volatile memory medium is stored and indexed at a specific index provided by the host or connected device via a communications interface.

According to one embodiment of the present invention, the checkpoint data is a sequence of random numbers that is added separately to the device's unique system in the same way as the defined digital inputs and does not provide any clues about the respective digital signature values or the digital inputs used.

According to another aspect of the present invention, a PUF digital signature recovery device is provided. The device is also referred to as a "mechanism." The PUF digital signature recovery device includes a dynamically measurable PUF entropy source, a logic circuit having a set of ordered key derivation functions, toggle functions, checksum functions, and format-preserving encryption/decryption functions, the logic circuit utilizing a fixed input, a data checkpoint based on the entropy source and checkpoint data, and a plurality of curve cryptographic functions, and converging toward the encrypted unique signature to obtain the encrypted unique digital signature similar to a system function block, and a non-volatile storage medium for reading the digital signature mathematical checkpoints.

According to one embodiment of the present invention, a dynamically scalable PUF entropy source provides a unique measurement result each time it is requested.

According to one embodiment of the present invention, the logic circuitry performs recovery and loading of the digital signature based on target index checkpoint information from the non-volatile memory storage medium, new PUF source result measurements, and digital input by any host or connected device, which may be fixed as a parameter or a pre-set value.

According to one embodiment of the present invention, the checkpoint data in the non-volatile memory medium constitutes a digital signature index selected for targeting, recovery, and loading by the host device via the communications interface system.

According to one embodiment of the present invention, a unique digital signature is recovered according to the digital input of the host device.

According to another aspect of the present invention, a format-preserving encryption and decryption engine is provided. The format-preserving encryption and decryption engine includes a set of shuffle and toggle functions that take an input key or signature and an input plaintext data or encrypted data and perform modifications to the input plaintext data or encrypted data based on the input key or signature, an XOR operation engine that permutes the output of the shuffle and toggle function blocks by utilizing a bit input permutation table, a checksum function that creates a hash value on the output value of the previous function output, and a control loop having a defined number of iterations that determines when the final output of the format-preserving encryption or decryption algorithm is ready to be the result of the final shuffle and toggle function.

According to one embodiment of the present invention, the digital input signature is used as a symmetric encryption key, and the host device provides data that the host device encrypts or decrypts and receives the associated results through communication.

In one embodiment of the present invention, a digital input key is used as a symmetric encryption key, and the host device provides the data to be encrypted or decrypted and stores the results in a non-volatile memory medium.

According to one embodiment of the present invention, a format-preserving encryption engine performs data input encryption.

According to one embodiment of the present invention, a format-preserving decoding engine performs data input decoding.

According to one embodiment of the present invention, the digital signature is used as a symmetric encryption key to encrypt or decrypt input request data loaded from the non-volatile memory medium by the host device.

According to one embodiment of the present invention, the system can recover multiple versions of a single digital checkpoint data at any time during the device's operating cycle.

According to one embodiment of the present invention, a request may be made to the random number generator at any time during the device's operating cycle.

According to one embodiment of the present invention, the recovered digital signature can be stored in device volatile memory for a system or user defined time or period.

According to one embodiment of the present invention, the communication interface and the central system controller may be a processor unit.

According to one embodiment of the present invention, the management of digital signature creation and recovery relies on host device commands or predefined user commands and input actions and does not affect the operating cycles, power-ups and functions of other devices and host devices.

According to one embodiment of the present invention, the only device outputs seen by the host device are the outputs of the true random number generator unit or the output of the format-preserving encryption/decryption.

According to another aspect of the present invention, a dynamic and reusable PUF-based multiple unique digital hardware signature creation and recovery system is used to create or register and recover each different index hardware digital signature, and includes a dynamically measurable PUF entropy source that can be measured at any time during operation of the device, a true random number generator engine that is a dynamically measurable PUF entropy source of data, a persistent and dynamic digital access engine that accesses and generates during the signature registration mechanism a set of different indexes stored externally or internally, each associated with one specific hardware signature index, and is used for the signature recovery and loading mechanism, a hardware digital signature registration mechanism responsible for creating checkpoint data of the index hardware digital signature based on fixed and dynamic parameters, and a hardware digital signature recovery mechanism that utilizes the index checkpoint data to recover the index hardware-based digital signature and reuses the same fixed and/or dynamic parameters used for the digital signature registration mechanism.

According to one embodiment of the present invention, the dynamically measurable PUF entropy source may be implemented solely in a hardware design, while the other elements may be implemented in software or hardware.

In accordance with one embodiment of the present invention, the persistent and dynamic digital access engine for storing checkpoint data internally or externally is a logical design of an instantaneous read/write protocol that can be activated or used at any particular time during the operation of the device.

According to one embodiment of the present invention, the hardware digital signature registration engine creates unique checkpoint data based on the use of a set of cryptographic functions to ensure the success of the recovery and loading mechanism.

According to one embodiment of the present invention, the hardware signature recovery mechanism reads the checkpoint data of a unique target hardware signature index and recovers this unique digital signature using the same set, or at least the same cryptographic function.

FIG. 1 illustrates an electronic device, referred to in certain embodiments as a host device or connected device, that interfaces with electronic circuitry capable of providing multiple digital signature secure credentials (multiple digital signature security zones) to network security applications via a communications interface. FIG. 2A is a diagram of one embodiment of the multiple digital signature security zone circuit system of FIG. FIG. 2B illustrates an embodiment of the multiple digital signature security zone circuit system of FIG. 1 in which the design of the PUF entropy source must be physically integrated into hardware, and the remaining circuit system may be implemented in different forms, such as software and/or physical hardware. FIG. 3 illustrates a PUF entropy source subsystem that can provide a unique truly random number and quasi-static digital device print for each instance of a manufactured silicon device upon request of a trigger signal. FIG. 4 is a diagram showing the implementation method and flow of the circuit system of the key derivation function (KDF) in the system of FIG. 2A and FIG. 2B. FIG. 5A illustrates the implementation and flow of the format-preserving encryption (FPE) circuit used in the systems of FIGS. 2A and 2B, which is a symmetrical encryption mechanism to the system of FIG. 5B, and which is the format-preserving encryption (1) block. FIG. 5B is a diagram illustrating the implementation and flow of the format-preserving decode (FPD) circuit used in the systems of FIGS. 2A and 2B, which is a symmetric cryptographic mechanism to that of the system of FIG. 5A, and which is the format-preserving decode (1) block. FIG. 5C is a diagram illustrating the implementation and flow of the format-preserving encryption (FPE) circuit used in the multiple digital signature security zone entity of FIGS. 2A and 2B, whose output and input sequences are passed back and forth over a host device communication interface, the result of which is dependent on the recovered signature X after the process described in FIG. 7, resulting in an FPE(2) function. FIG. 5D illustrates the implementation and flow of the format-preserving decryption (FPD) circuit used in the multiple digital signature security zone entity of FIGS. 2A and 2B , whose output and input sequences are passed back and forth over a host device communication interface and whose results depend on the signature index X recovered after the process described in FIG. 7 , resulting in the decryption operation of FIG. 5C , which is the FPD(2) function. FIG. 6 illustrates a circuit implementation and flow for performing signature index X registration using the dynamically scalable PUF entropy source of FIG. 3 and the KDF and FPE methods of FIGS. 4, 5A, and 5B. FIG. 7 is a diagram illustrating the implementation method and flow of the circuit used to utilize the subcircuits of FIGS. 2A and 2B to perform recovery and loading of a target signature index X to operate and buffer a requested signature index X, which is further used by the systems of FIGS. 5C and 5D to achieve functional PUP-style authentication with a host or connected device. FIG. 8 illustrates an implementation and flow diagram of the PUF checking process performed by the PUF checking engine of FIGS. 2A and 2B and a circuit that uses the sub-circuits of FIGS. 4, 5A and 5B to check the validity of a PUF system together with the internal logic operations and non-volatile memory described in FIGS. 2A and 2A.

To make the above and other objects, features, advantages and embodiments of the present invention more comprehensible, reference is made to the accompanying drawings as follows:
In accordance with common practice, the various features and components of the drawings are not drawn to scale in order to best illustrate the specific features and components relevant to the present invention, and the same or similar component numbers are used to refer to like elements and components among different drawings.

The following provides different embodiments or examples for constructing different features of the provided subject matter. The specific examples of components and arrangement manners described below are intended to simplify the present disclosure and are not intended to constitute limitations. The dimensions and shapes of the elements are not limited by the disclosed ranges or values, but may depend on the process conditions or desired properties of the elements. For example, the technical features of the present invention are described using cross-sectional views intended as ideal examples. Therefore, due to manufacturing processes and/or tolerances, the shapes shown are expected to vary and should not be so limited.

Spatial relative terms, such as "below," "below...," "below," "above...," and "above," are used to facilitate describing relationships between elements or features shown in the drawings. Spatial relative terms also include different orientations in use or operation of the elements in addition to the orientation shown.

In light of the ever-increasing security challenges, individual electronic devices have begun to systematically incorporate Physical Unclonable Function (PUF) systems, based on a unique silicon DNA circuit, to establish trusted connections between devices, and to establish a unique encryption/decryption rule, a unique set of cryptographic keys, and uniquely identifiable digital signatures for various connected services associated with the devices.

Therefore, to realize the functionality of a PUF system and its circuits, the main challenge of modern electronics is to incorporate into itself a circuit or system that is manufactured in a generic way but allows a unique digital response to a specific digital challenge. Such a circuit or system can be used as the basis for recoverable and measurable digital uniqueness, with the same system design, with the same manufacturing rules and processes, ensuring the security of the device in digital transactions and applications.

The PUF system structure includes a PUF entropy circuit system source that, in combination with a PUF engine, can create and recover a unique digital sequence. In some currently popular PUF system technologies, such as systems that use SRAM logic for the PUF entropy source, the PUF engine uses so-called checkpoint data (also called auxiliary data in some prior art) to retrieve the unique digital PUF sequence intertwined with the digital secret from the randomness of the PUF entropy source. In other PUF system technologies, the checkpoint data is not necessarily used, and the digital unique sequence is directly recovered after processing the measured PUF entropy circuit system source response. However, these PUF methods have no record of the checkpoint data intertwined with the source of PUF entropy, but are less flexible because any changes, updates, or intertwining of the unique digital PUF sequence response must be linked to the original PUF entropy circuit system, which can be problematic if it is damaged by any attack.

Conventional PUF systems that use checkpoint data, also known as auxiliary data, use an error correcting code circuit system to correct variations in measurements of the PUF entropy source and ensure that a unique digital sequence is successfully recovered from the PUF entropy source. The present invention also uses checkpoint data, but rather than relying on error correcting codes, it utilizes a curve encryption algorithm that combines a key derivation function formula and format-preserving digital decryption, and adds digital shuffling and boolean operations. The use of a curve encrypted PUF engine improves bit error rate, intra-hamming distance and inter-hamming distance as measured by the PUF entropy source.
Curve cryptography can provide a larger margin for error (distance) because it can balance the digital state distribution and allow for bit variations without completely correcting for these errors or variations.

Recovering the unique digital sequence with error-correcting codes also has the following disadvantages: For example, the amount of computation required depends on the number of errors detected, and the number of errors may grow over time. Secondly, the system may not know if the recovered digital signature is actually correct, which may result in false positives or missing parts of the errors.

By using multiple curve cryptography algorithms, the PUF system can recover a unique digital sequence without having to completely correct all errors in the PUF entropy source measurements. It statistically approaches a unique solution through the convergence of multiple mathematical curves, and can provide greater margin in recovering an accurate unique digital signature because it accounts for the inevitable changes over time in the PUF entropy source. Such more complex transformation trial-and-error transformation curve mechanisms also allow the system to check the validity of the results, helping to reduce the number of false positive results to near zero over time, so that previously random digital signature false positive results are replaced with true positive results without compromising the security of the host device.

The present invention further adds a PUF engine such that the single unique digital pattern from the original PUF entropy source can be further intertwined with a randomized curve cryptography mathematical solution to provide a second digital uniqueness equivalent to being intertwined with a truly randomized checkpoint data code that is recoverable from the creation and retrieval (or, in some embodiments, referred to as recovery) of an infinite number of all digitally unique signatures from the same PUF entropy circuit system source.

In other words, the system of the present invention can provide efficiency comparable to prior art techniques involving all PUF systems within a single silicon device, with only a single bulk system circuit incorporating a single PUF entropy source and a PUF engine.

In certain embodiments, the letter X represents one of multiple digital signatures that may be generated and recovered by the system of the present invention.

100 in FIG. 1 is a system of the present invention, in which the host device or connected device 110 may be any computer system or computing processor with a communication interface 120, which may be any of a variety of standard interfaces, such as, but not limited to, Universal Asynchronous Receiver Transmitter (UART), Sequence Peripheral Interface (SPI), Integrated Circuit Bus (I2C), Advanced Extensible Interface (AXI), etc. The system has a multiple digital signature security zone 130, also called a security zone, which is a circuit system for performing all PUF-related functions requested by the host device or connected device 110 through the communication interface 120. The security zone circuit system 130 in FIG. 1 is called a multiple digital signature security zone and connects externally or internally to a target host electronic device. The external electronic device can select which unique digital signature index X to use to perform the operation of the signature X registration and recovery engine 134, and can send and receive a specific digital sequence to the multiple digital signature security zone 130. The device may or may not use a specific input digital sequence, and further, each digital signature index X can be intertwined with a digital input, called a token, in a particular embodiment. If the host device 110 does not specify an input token, the system of the present invention can use a pre-token value that does not affect the diversity of the digital signatures and the randomness of each digital signature index X. Each digital signature is entangled with its specific randomized checkpoint data set 135 using the random number generator 132, any user input token, and a common dynamically measurable PUF entropy source 131. Therefore, the ability to dynamically trigger this PUF entropy source and select any specific checkpoint data set at any time is what allows multiple independent hardware digital stampings to be generated using a single PUF entropy source in a single device. Entanglement with other hardware signatures can be obtained by certain fixed parameters and/or user inputs called tokens. The output of the host or connected device 110 in the present invention is the output of the random number generator 132 or the encryption/decryption input/output subsystem 133, and the random number generator 132 in the embodiment of the present invention is a true random number generator.

2A and 2B, the multiple digital signature security zone 2000 connects with other systems via a communication interface 2400. It includes a dynamically scalable PUF entropy source 2020, a random number generator 2030, a quasi-static voting mechanism 2040, a non-volatile memory medium 2050, a system controller 2060 for computation management and communication interface management, a binary shuffle and toggle function engine, a curve cipher engine 2080 including one or more key derivation function formulas (KDFs) 2081 and format-preserving encryption (FPE) 2082 and decryption (FPD) 2083, a PUF logic processor engine 2090 that works with a set of logical computation functions, a PUF checking engine 2100 system that reuses the functions of the curve cipher engine 2080, and a second version of format-preserving encryption (2) 2200 and format-preserving encryption (2) 2300 that can be selected to perform independent sequence decryption on the recovered digital signature index X of the rest of the PUF system. This additional FPE-FPD symmetric encryption system, consisting of 2200 and 2300, can further include standard encryption algorithms such as AES.

As shown in FIG. 2B, the dynamically scalable PUF entropy source 2020 and random number generator 2030 are only embedded in the on-chip hardware zone (non-flexible) by hardware design, and all other functions and system blocks 2400, 2050, 2060, 2070, 2080, 2090, 2100, 2200, 2300, and 2400 in this specification can be implemented either in software or hardware.

Each system block connected to the system controller 2060 is described in an independent embodiment, and the system controller 2060 is responsible for controlling and interconnecting each system block after receiving a relevant command request from the host device or the connected device 110.

The PUF entropy source 300 is a dynamically measurable PUF entropy source 310 based on FIG. 3, which is a circuit system that can measure access at any time during operation of the device and circuit, and does not depend on any other electronic process, e.g., power-on cycles or specific electronic voltage or impedance offsets, except for the digital trigger signal measurement circuit.

The dynamic measurements of the PUF entropy source are used in different processes of both the random number generator 320 and the quasi-static voting mechanism 330. The random number generator 320 in an embodiment of the present invention is a true random number generator.

The random number generator 320 can be used independently to obtain true random numbers directly for any function, mechanism, or engine of the present invention upon request of the host device. The semi-static voting mechanism 330 is used during the Digital Signature Index X Registration 600 mechanism or the Digital Signature Index X Recovery and Load 700 mechanism.

3, the random number generator 320 outputs a true random number set, also called RN set, and in certain embodiments RN set X, to represent the current digital signature index being created. During the process of generating or creating the signature index X, i.e., during the signature index X registration 600, the digital signature index X registration and recovery engine 134 uses a particular set of random numbers (RN set X) to intertwine the particular signature index X with its randomized checkpoint data 135, as described in registration 600 of FIG. 6 and recovery and loading 700 of FIG. 7, respectively. Since different random number sets (RN set X) are generated at any point in time, each newly created digital signature X can be intertwined with a different random number set (RN set) to achieve signature diversity.

When the device is not in use or operational, the checkpoint data at index X135 is not different from a truly random sequence that is only useful and logical in computations in combination with the tangle of user input, tokens and fixed parameters, and changing measurements of the PUF entropy source 300.

In further description of a particular embodiment of the multiple digital signature security zone 2000, the result of the random number generator engine is called the RN set, and the output of the quasi-static voting mechanism 330 is called the PUF source. Both results are used to create a new digital signature index X, but only the PUF source is used to recover a previously created digital signature X. When recovering a previously created digital signature X with the PUF source, the checkpoint data of index X135 and the integrated curve crypto engine 2080 algorithm are utilized. Even if some bit changes occur in the measurements of each PUF entropy source 131 that do not require complete correction, the algorithm can recover the unrandomized digital signature (i.e., from the root) from the randomized stored checkpoint index X135 and each changed PUF entropy source 131 measurement.

The KDF engine block diagram or mechanism 400 shown in FIG. 4 is a part of the curve cipher engine 2080 of FIG. 2A and FIG. 2B. The KDF 400 includes a designed control cycle consisting of a checksum function 410, a 32-bit sized cyclic redundancy check (CRC32) 420, and a hash function 430. The KDF 400 takes two digital inputs: an initial input key called key# and an input token. If the host device does not specify an input token via the communication interface, the input token may be fixed to a preset value.

The input key # is again input in the form of a digital sequence after updating, now called C, which is the output result of the hash function 430. The input C is combined with a fixed input token and all or part of it is converted to a CRC32
420, and then the results of the checksum function 410 and the CRC32 420 are both used in a hash function 430 to generate an updated C value. When the control loop of the KDF 400 is completed, the result of the KDF corresponds to the latest C result, called the output key * (which is different from the initial input key #), and a bit-permutation index table, called the output permutation table, which is the cumulative permutation result of the control loop process.

The KDF 400 in the embodiment of FIG. 4 may be used multiple times in any process of the present invention, including within the logic of the Signature Index X Registration 600, the Signature Index X Recovery and Loading Mechanism 700, or the second FPE(2) 2200 and FPD(2) 2300 of FIGS. 2A and 2B.

In the particular computational embodiment described, a 510 or 530 format-preserving encryption and 520 or 540 decryption engine, such as 510 in FIG. 5A, 520 in FIG. 5B, 520 in FIG. 5C, and 540 in FIG. 5D, is performed following the KDF mechanism 400. The FPE and FPD perform a symmetric decryption operation similar to AES, meaning that the input 510 or output 530 of the FPE corresponds to the output and input 520 or 540 of the FPD, respectively, when using the same key and initial vector.

5A and 5C show functional block diagrams of the FPE 510 and FPE 530-2200, including shuffle and toggle functions 511 and 531, respectively, which are operated using random numbers and fixed parameters obtained from the RN set of 320, XOR operations 512 and 532, and checksum function 513 and 533 engines, which can be the same or different from those used in the KDF400 engine of FIG. 4. The inputs of the FPE engines include the input digital key (i.e., the input key * of 510 in FIG. 5A and the input signature of 530 in FIG. 5C), the input plaintext data (D in FIG. 5A and FIG. 5C), the input substitution table, and the input token (i.e., the user input optionally provided via the communication interface 120 in the system of FIG. 1). The output of the FPE 510 and 530 is the last result of the shuffle and toggle functions from a control loop in which the shuffle and toggle functions, the XOR operations, and the checksum functions operate one after the other.

The FPD 520 and 540 engines follow the same procedure as the encryption engines FPE 510 and 530, but change the order of execution of the same checksum functions 523 and 543, and the same XOR operations 522 and 542. In this way, if the input key *, input substitution table, and input token are the same as the FPE and FPD processes, the input encrypted data (C shown in 520 in FIG. 5B and 540 in FIG. 5D) can be decrypted to the corresponding output plaintext data.

510 in FIG. 5A and 530 in FIG. 5B correspond to the FPE-FPD function process during signature index X registration 600 or signature index X recovery and loading 700, and 520 in FIG. 5C and 540 in FIG. 5D correspond to the FPE-FPD used for data operations of the host device 110 with the recovered signature index X, i.e., FPE(2) 2200 and FPD(2) 2300 in FIG. 2A and FIG. 2B.

The FPE-FPD(2) 2200 and 2300 engines for the cryptographic services of the host device 110 may use input substitution tables and input tokens that are different from the substitution tables and tokens used by the FPE-FPD(1) 2082 and 2083 engines during Signature Index X Registration 600 and Signature Index X Recovery and Load 700, and the input tokens may be fixed values or may be specified by the host device. In the present invention, the number of FPE-FPD engines with different parameters is not limited to two, and more FPE-FPD engines with different parameters may be used depending on the specific application or purpose.

The FPE-FPD engines used in the embodiments of Figures 6, 7 and 8 correspond to FPE(1) 2082 and FPD(1) 2083 of Figures 2A and 2B. FPE(2) and FPE(2) of Figure 2 may be similar to FPE-FPD(3) and others, but are not involved in the Signature Index X Registration 600 or Recovery and Load 700 processes.

Incorporating an FPE(2)2200 and FPD(2)2300 or higher engine into the system of the present invention ensures that all output sequences of the system of the present invention behave as if they comprise a set of truly random number sequences, making it more likely that the system's true hardware ID will undergo multiple cryptographic protections before being used for standard security and encryption mechanisms such as, for example, device authentication, symmetric or asymmetric encryption.

The shuffle and toggle function 2070, the digital logic circuit system of the PUF logic processor engine 2090, the KDF 2081 and the FPE-FPD 2082-2083 engines, along with the quasi-static digital device print provided by 330, the measurable PUF entropy source 310, and the random number set (i.e., the RN set X provided by 320) are used for the signature index X registration 600 or recovery and loading 700 process.

In other embodiments, the subsystems PUF logic processor engine 2090, PUF check engine 2100, and shuffle and toggle function engine 2070 of Figures 2A and 2B include other computational system blocks in addition to the KDF and FPE.

The process and method for creating a new signature index X is shown in FIG. 6 and is called Signature Index X Registration 600. Each new index X is intertwined with a random number set X (RN Set X) and used to form the randomized checkpoint data for index X 135, which is stored as an entity securely stored in a non-volatile memory 2050 medium contained within the circuit or otherwise connected.

Signature index X registration 600 is a process of creating a signature index X with inputs PUF source X_1 and RN set X_1 after receiving a request by the host device 110 to create or regenerate a particular known digital signature index X. X corresponds to the final signature index, and the digital after X corresponds to the number of iterations of the function in the process.

A scrambling function is performed from the first measured quasi-static PUF source X_1 and the first RN set X_1, and a first digital sequence is extracted as the PUF key X_1 and a second digital sequence is extracted as the PUF data X_1 by a binary logic extractor having the function of adding digital noise. After the original PUF source X_1 is scrambled, the scrambled mapping data X_1 must be stored for reuse, and the now scrambled PUF source X_1 must also be stored.

The KDF engine 400 of FIG. 4 processes the randomized PUF key X_1, i.e., input key #, with a designated or pre-input token. The output result of the KDF engine 400 is shown as PUF key D_1, which also includes a defined bit permutation table corresponding to the output permutation table of FIG. 4. The randomized PUF data X_1 is then processed by the FPE engine 510 of FIG. 5A, whose encryption is entangled with the same input token as the previous operation of the KDF engine 400 and PUF key D_1.

The first set of checkpoint data X_1 generated by this first FPE510 process is temporarily stored along with the scramble mapping data X_1 index used to randomize the original PUF source X_1.

Then, a second PUF source X_2 is requested from the dynamically measurable PUF entropy source 310 via a quasi-static voting mechanism 330 to attempt to perform a PUF functionally complete operation verification procedure as described in FIG. 8. If the input token is the same as the previous operation, the circuit uses a different PUF source input (called PUF source X_2) via 330 and the same scrambled mapping data X_1 as used by PUF source X_1 and attempts to converge to the same checkpoint data X_1 output.

After the PUF check process 800 is successful, a new RN set X_2 can be provided and 320 can be requested to perform a new scrambling function, but reusing the first RN set X_1 scrambling mapping data. Because each PUF source X provided by 330 is not identical, identical scrambling parameters will produce different scrambled PUF source X results.

The PUF data X_2 sequence may be extracted from the scrambled PUF source X_2, such that the PUF data X_1 is extracted. The PUF key X_2 is again extracted from the scrambled PUF source X_1 without adding random noise, and the KDF400 engine generates the PUF key D_2 using the same digital input token as before. The PUF data X_2, the PUF key D_2, and the input token are input to the FPE510 engine of FIG. 5A to generate the updated checkpoint data X_2, i.e., the final checkpoint data index X135 that is attached to the signature index X and intertwined with the volatile input token provided by the user, which is typically a password, fingerprint, hash sequence, etc., or a pre-configured input token.

7 shows a process and method of signature index X recovery and loading 700 for recovering a signature index X previously created according to 600 in the embodiment of FIG. 6. The host or connected electronic device 110 selects a key and recovers and loads the signature index X via the communication interface 120. In the signature process of index X recovery and loading 700, each index X corresponds to a set of checkpoint indexes X135 stored in the non-volatile memory 2050 media, which may be embedded in the silicon device of the multiple digital signature security zone 2000 or in an externally connected form. When the host or connected electronic device 110 selects an index X and provides an input token that matches the one used by the process of registering the target signature index X 600, the process of recovering and loading the signature index X 700 can be initiated. If the input token is not used during the signature index X registration mechanism 600, the pre-configured digital input token used to create the signature index X is reused for loading the signature index X. The first step of signature index X recovery and loading 700 is to retrieve PUF source X_3 generated by 330. Under the principle that acceptable statistical variations are ignored, PUF source X_3 is different from PUF sources X_1 and X_2 used to register and create signature index X.

PUF source X_3 is descrambled based on the scrambling mapping data X used for PUF source X_2 in the signature index X registration 600 mechanism by a descrambling function that performs the reverse process of the scrambling function in FIG. 6 using the checkpoint data index X135. Then, a PUF check process 800 is performed as shown in detail by the embodiment of FIG. 8. The PUF check process 800 evaluates the validity of the PUF source X_3 in combination with the checkpoint index X135 with the same digital input token, checkpoint index X135, and new dynamically measured PUF source X_3 used by the signature index X registration mechanism 600. The target of this PUF check process 800 is to recover a digital sequence key X_3 from the new PUF source X_3 that matches the recovery key X_2 based on the new PUF source X_3 and the checkpoint data X. If successful, the recovered key X_2 is kept and derived using the same matching digital input token via the KDF 400 engine. After recovering the key D_2 that matches the key obtained during the signature registration phase, the original data X2 obtained during the signature index X registration 600 is obtained by the FPD 2083 engine, and the final digital sequence signature index X is calculated from this data by a combinatorial logic extractor in the PUF logic processor 2090 engine. The digital sequence signature index X can thus be used for any decryption mechanism that is individually related to the unique PUF source quasi-static behavior of the present invention generated by 330, the specific random number generated by 320, the digital input token provided via 120, and the checkpoint data 135, such as, for example, the combination of the FPE(2) 2200, the FPD(2) 2300, AES 256, a symmetric encryption mechanism, a hash mechanism, or an authentication mechanism. Once the signature index X is recovered and loaded, it can be used via the FPE(2)-FPD(2) 2200-2300 engine for various applications such as data encryption, encrypted security key storage, or unique security key generation, utilizing the dynamically measurable characteristics of the PUF entropy source 300 to individually generate random numbers. According to the present invention, an unlimited number of signature indexes X can be registered, created, updated and recovered at any time. Each signature depends on the static entropy of each PUF source generated by 330, the truly random number generated by 320, and other digital input tokens provided by 120, which may take the form of, but are not limited to, a password, a network address, or a fingerprint. FIG. 8 shows a specific embodiment of a PUF check process 800. The purpose of the PUF check process 800, be it either new signature index X registration 600 or signature index X recovery and loading 700, is to evaluate the association between a set of saved checkpoint data inputs and a new PUF source input if the input token of the current process is the same as the token used to create the checkpoint data previously. In both signature index X registration 600 and signature index X recovery and loading 700, the new PUF source input is converted to a scrambled version of the PUF source via 330 using a scrambling function. The scrambled data of the periodically updated PUF source is called the updated scrambled PUF source, and the three engines, the PUF key and data extractor, the KDF 400 and the FPD 520 engine, repeat the cycle until the Hamming distance H1 between the new PUF extracted data and the decryption result from the loaded checkpoint data 135 falls below a defined threshold Hamming distance or until the maximum allowed cycle operation number. The second part of the PUF checking process 800 aims to successfully recover the disturbed PUF source based on the checkpoint data 135 and the input token and compare it with the latest updated disturbed PUF source obtained by the first part of the process. The success criterion is the Hamming distance H2 between the two final scrambled sources, which are respectively the source that manages the update from the new PUF source process (called the updated scrambled PUF source) and the source that recovers from the more part of the checkpoint resource and the new PUF source (called the PUF scrambled value obtained by the index). The PUF checking process 800 ensures that if the device is tampered with or if any input is erroneous, the system will never recover the digital signature and avoids possible false alarm results, and ensures that the combination of dependencies is different for each index X by checking the correct intertwining of all dependencies, including the operation parameters, input tokens, PUF source measurements, and checkpoint data.

The present invention has various advantages, including: (1) multiple unique digital signatures on a single device and a single PUF source circuit; (2) flexibility in terms of creating, updating and loading digital content and device unique digital sequences; (3) process independence; (4) device life cycle independence, independent of power-on cycles and computational pulse frequency; (5) ability to reset and recover on its own when a network security threat is detected, thus enabling multi-layer security, validation and authorization within the device itself.

The above embodiments are for illustrating the technical solutions of the present invention, but are not intended to be limiting. Although the present invention has been described in detail with reference to preferred embodiments, those skilled in the art will understand that modifications or equivalent replacements of the technical solutions of the present invention can be made without departing from the spirit and scope of the technical solutions of the present invention.

100 System 110 Host or Connected Device 120 Communication Interface 130 Multiple Digital Signature Security Zones 131 Dynamically Measurable PUF Entropy Source 132 Random Number Generator 133 Encryption/Decryption I/O Subsystem 134 Signature X Registration and Recovery Engine 135 Checkpoint Data 300 PUF Entropy Source 310 Dynamically Measurable PUF Entropy Source 320 Random Number Generator 330 Semi-Static Voting Mechanism 400 Key Derivation Function Engine Block Diagram 410 Checksum Function 420 CRC32
430 Hash Function 510 Format Preserving Encryption (FPE)
511 shuffle and toggle functions 512 XOR operation 513 checksum function 520 format preserving decoding (FPD)
521 shuffle and toggle functions 522 XOR operation 523 checksum function 530 format-preserving encryption (FPE)
531 shuffle and toggle functions 532 XOR operation 533 checksum function 540 format preserving decoding (FPD)
541 Shuffle and Toggle Functions 542 XOR Operation 543 Checksum Function 2000 Multiple Digital Signature Security Zone 2010 Hardware Zone 2020 Dynamically Measurable PUF Entropy Source 2030 Random Number Generator 2040 Quasi-Static Voting Mechanism 2050 Non-Volatile Memory 2060 System Controller 2070 Shuffle and Toggle Function Engine 2080 Curve Cipher Engine 2081 Key Derivation Function 2082 Format-Preserving Encryption (1)
2083 Format Preserving Decoding (1)
2090 PUF logic processor engine 2100 PUF check engine 2200 Format-preserving encryption (2)
2300 Format Preserving Decoding (2)
2400 Communication Interface

Claims (37)

an electronic circuit for generating a dynamically measurable PUF entropy source that can be measured at any time during operation of the device in response to a trigger signal, the measurement results being usable to generate quasi-static digital device prints and true random numbers;
a random number generator circuit that uses measurements from the dynamically scalable PUF entropy source;
a semi-static voting mechanism that uses measurements from the dynamically scalable PUF entropy source to generate a semi-static digital device print pattern;
A set of digital bitwise shuffle and toggle functions for randomizing and shuffling quasi-static digital device prints;
a key derivation function engine that takes random numbers, static and quasi-static digital sequences as input and produces an entangled digital output;
a set of format-preserving encryption and decryption engines that contain both encryption and decryption mechanisms and can be arbitrarily replicated within said circuitry, providing the ability to create or register, as well as recover and load, multiple unique PUF-based digital sequences to be used as unique digital signatures;
a non-volatile memory medium in which specific checkpoint data is stored and which may, but need not, be integrated within said device silicon area;
a communications interface located on a target host device of the system for managing inputs and outputs of the system;
a system controller for executing instructions and providing results of the multiple digital signature security zone system from the target host device or connected device;
The format-preserving encryption and decryption engine is a symmetric encryption mechanism that takes a digital key and a sequence of digital input data, encrypted data or plaintext data, as input to output encrypted data or plaintext data. The dynamically scalable PUF entropy source is a PUF cell unit array that can be measured at any time after a power supply abnormality occurs, without being affected by power-on cycles, system time pulse frequency, and process.
2. The system of claim 1 . The random number generator circuit is a true random number generator that uses repeated measurements of binary state results of a dynamically measurable PUF entropy source to directly generate true random numbers without the aid of other pseudorandom number generation algorithms.
2. The system of claim 1 . the quasi-static voting mechanism is a static counting circuit that uses repeated measurements of binary state measurements of the PUF entropy source to generate quasi-static digital device prints, the quasi-static digital device prints for each measurement iteration being the same or different;
2. The system of claim 1 . The shuffle and toggle functions use internally generated truly random numbers from the dynamically measurable PUF entropy source and can be implemented as a common resource block for any function, and defined static parameters used by the functions can be changed without affecting their correct functioning.
2. The system of claim 1 . The shuffle and toggle functions can be implemented in a hardware circuit system or in software.
6. The system of claim 5. A key derivation function is a circuit that consists of a defined control loop of a checksum function and a hash with defined internal digital parameters.
2. The system of claim 1 . The design of the system can be implemented in hardware silicon circuit system or software;
7. The system of claim 6. The non-volatile memory medium can be integrated internally or externally to the system.
2. The system of claim 1 . The communication interface is integrated with a central system controller according to a host target device, independent of an external interface;
2. The system of claim 1 . may request a random number generator at any time during the operating cycle of the device;
2. The system of claim 1 . The recovered digital signature may be stored in device volatile memory for a time or period defined by the system or user.
2. The system of claim 1 . said communication interface and central system controller being a processor unit;
2. The system of claim 1 . The management of the creation and recovery of said digital signatures is dependent on host device commands or predefined user commands and input actions and does not affect the operation cycles, power-ups and functions of other devices and host devices;
2. The system of claim 1 . The only device outputs seen by the host device are the outputs of the true random number generator unit or the outputs of the format-preserving encryption/decryption;
2. The system of claim 1 . a true random number generator used to randomize each enrollment and iteration process to create a different digital signature for each iteration, independent of other fixed digital inputs;
a dynamically scalable PUF entropy source that is used to measure the unique system digital operation, i.e., digital device print, after any given request during device operation;
a logic circuit including a key derivation function, a scramble function, a shuffle function, a toggle function, a checksum function, and a format-preserving encryption/decryption function arranged in a sequential manner to generate an encrypted unique digital signature and checkpoint data, where the encrypted unique digital signature is recovered by converging toward the unique digital signature using a plurality of curve crypto engines based on a fixed input, a PUF entropy source, and checkpoint data without executing an error correcting code algorithm;
and a non-volatile storage medium storing each different digital signature mathematical checkpoint data used to recover and load the target index digital signature.
A digital signature index registration system comprising: The true random number generator is a logical bitwise operation that uses as input the resulting output of the dynamically measurable PUF entropy source.
17. The system of claim 16. The logic circuit performs digital signature registration with a true random number generator, a dynamically measurable PUF entropy source with optional multiple outcomes, and any digital host device input.
17. The system of claim 16. The system of claim 16, wherein the non-volatile storage medium stores specific mathematical checkpoint data appended to a unique set of random numbers, a unique set of PUF entropy sources, and a unique arbitrary digital input that can be fixed inside the system if not specified. The digital checkpoint data is stored in a non-volatile memory medium and is used to recover and load one unique index digital signature; and
The non-volatile memory medium can store one or more versions of checkpoint data to generate multiple unique digital signatures enabling digital signature diversity on a single system.
17. The system of claim 16. a communication interface for communicating with a host or a connected device via a standard communication protocol, and the digital signature mathematical checkpoint data stored in the non-volatile storage medium is stored and indexed based on a specific index provided by the host or connected device via the communication interface;
17. The system of claim 16. The checkpoint data is a sequence of random numbers that is added separately to the device's unique system as a defined digital input and does not provide any clues about the respective digital signature value or the digital input used.
17. The system of claim 16. The system is configured to be able to create multiple versions of a single digital checkpoint data,
17. The system of claim 16. The system is implemented in the silicon-based hardware or firmware software implementation of the device;
17. The system of claim 16. a dynamically measurable PUF entropy source;
a logic circuit having a set of ordered key derivation functions, toggle functions, checksum functions, and format-preserving encryption/decryption functions, the logic circuit utilizing a fixed input, an entropy source, and data checkpoints based on checkpoint data, and a plurality of curve cryptographic functions to obtain the encrypted unique digital signature similar to a system function block by converging towards the encrypted unique signature;
a non-volatile storage medium for reading the digital signature mathematical checkpoint;
A PUF digital signature recovery device. A dynamically scalable PUF entropy source provides a unique measurement every time one is requested.
26. The apparatus of claim 25. the logic circuit performs recovery and loading of the digital signature based on target index checkpoint information from a non-volatile memory storage medium, new PUF source result measurements, and digital input by any host or connected device, the digital input being fixed as a parameter or a pre-set value;
26. The apparatus of claim 25. the checkpoint data in the non-volatile memory medium constitutes a digital signature index selected for targeting, recovery and loading by the host device via the communications interface system;
26. The apparatus of claim 25. the logic circuit recovers a unique digital signature according to a digital input of a host device.
26. The apparatus of claim 25. The system is configured to be able to create multiple versions of a single digital checkpoint data,
26. The apparatus of claim 25. The system is implemented in the silicon-based hardware or firmware software implementation of the device;
26. The apparatus of claim 25. A dynamically measurable PUF entropy source that is used to create or register and recover each different index hardware digital signature and that can be measured at any time during operation of the device;
a dynamically measurable data or PUF entropy source, a true random number generator engine;
a persistent and dynamic digital access engine that accesses a set of different indexes, stored externally or internally, each associated with one particular hardware signature index, generates them during the signature registration mechanism, and is used for the signature recovery and loading mechanism;
A hardware digital signature registration mechanism is responsible for creating an index hardware digital signature checkpoint data according to fixed and dynamic parameters;
a hardware digital signature recovery mechanism that utilizes the index checkpoint data to recover the digital signature of the index hardware and reuses the same fixed and/or dynamic parameters used for the digital signature registration mechanism.
A dynamic and reusable PUF-based multiple unique digital hardware signature creation and recovery system. The dynamically scalable PUF entropy source may be implemented only in a hardware design, while other elements may be implemented in software or hardware.
33. The system of claim 32. The persistent and dynamic digital access engine for storing the checkpoint data internally or externally is a logical design of an instantaneous read/write protocol that can be activated or used at any particular time during the operation of the device.
33. The system of claim 32. The hardware digital signature registration engine creates unique checkpoint data based on the use of a set of cryptographic functions to ensure the success of the recovery and loading mechanisms.
33. The system of claim 32. a recovery engine of the hardware inlet reads the unique checkpoint data, obtains the target hardware inlet, and recovers the unique digital signature using the same set or at least one cryptographic function;
33. The system of claim 32. 33. The system of claim 32, wherein at any time during operation of the system, a different hardware digital signature is created, updated, or retrieved in response to instructions entered by the system.