KR102313584B1 - Updating cryptographic keys stored in non-volatile memory - Google Patents

Abstract

A method is provided for generating a new instance of an N-bit cryptographic key for storage in non-volatile memory in which non-programmed cells have a specific binary value. The method includes generating a random N-bit updating sequence and, without invalidating any bits in the current instance of the N-bit cryptographic key that do not have a specific binary value, of the corresponding position in the random N-bit updating sequence. generating a new instance of the N-bit encryption key by invalidating each bit in the current instance of the N-bit encryption key that is different from the bits and has a specific binary value. Other embodiments are also described.

Description

Updating cryptographic keys stored in non-volatile memory {UPDATING CRYPTOGRAPHIC KEYS STORED IN NON-VOLATILE MEMORY}

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to cybersecurity, and more particularly to encryption keys used to encrypt communications.

The entropy of an N-bit cryptographic key H(N,p) = H(N,1-p) quantifies the randomness of the key. Here, p is the probability that any one of the bits in the key is 0 or 1. A key with high entropy is more secure than a key with low entropy. For keys with randomness, independence and equally distributed (iid) bits, H(N,p) = NH(p) bits, where H(p) = -(plog ₂ p + (1-p) log ₂ (1-p))(For keys having bits that are random, independent, and identically distributed (iid), H(N,p) = NH(p) bits, where H(p) = -(plog ₂ p + (1-p)log ₂ (1-p))). For example, for unbiased iid bits (p = 0.5), H(p) gets one highest value such that H(N,p) = N.

A non-volatile memory (NVM) includes a plurality of single-bit memory cells, and each of the single-bit memory cells may be in a programmed state or a non-programmed state. Typically, programmed cells have a binary value of 0, while unprogrammed cells have a binary value of 1. In an OTP one-time programmable NVM (NVM), a programming operation cannot be undone, ie, a programmed cell cannot be subsequently deprogrammed (or "erased").

A new instance of the N-bit encryption key for storage in a non-volatile memory (NVM) belonging to a device, in which unprogrammed cells have a specific binary value according to some embodiments of the present invention A device for generating a cryptographic key) is provided. The device includes a network interface and a processor. The processor is configured to generate a random N-bit updating sequence. The processor does not negate any bits in the current instance of the N-bit cryptographic key that do not have a particular binary value, but ups the random N-bits. Further to generate a new instance of the N-bit cryptographic key by invalidating each bit in the current instance of the N-bit cryptographic key that is different from the correspondingly-positioned bit in the dating sequence and has a specific binary value. is composed The processor is further configured to, after generating the new instance of the N-bit encryption key, communicate, using the network interface, the new instance of the N-bit encryption key to the device for storage in the NVM.

In some embodiments, the specific binary value is 1, and the processor performs a bitwise AND operation between the N-bit cryptographic key and the random N-bit updating sequence, thereby and invalidate each bit in the current instance of the N-bit cryptographic key that is different from the bit in the corresponding position and has a specific binary value.

In some embodiments, the particular binary value is 0, and the processor

By performing a bitwise OR operation between the current instance of the N-bit cryptographic key and the random N-bit updating sequence, an N-bit having a specific binary value and different from a bit at a corresponding position in the random N-bit updating sequence It is configured to invalidate each bit in the current instance of the encryption key.

In some embodiments, the processor is configured to generate each bit in the random N-bit updating sequence with a probability of having a particular binary value greater than 0.5.

In some embodiments,

The probability is equal to ^{n/2 m} for a predetermined integer m and a variable integer n,

the processor

extending an unbiased random seed with E bits into a sequence of N m-bits each corresponding to bits of a random N-bit updating sequence,

For each bit in the random N-bit updating sequence, by setting a bit to a specific binary value in response to the value of the corresponding m-bit sequence being less than n,

and generate a random N-bit updating sequence.

In some embodiments, after the processor communicates a new instance of the N-bit encryption key to the device, the processor uses the new instance of the N-bit encryption key for encrypting and decrypting communication with the device. more composed.

In some embodiments, the processor is further configured to encrypt the new instance of the N-bit cryptographic key using the current instance of the N-bit cryptographic key prior to communicating the new instance of the N-bit cryptographic key to the device.

According to some embodiments of the present invention, non-programmed ones of cells having a specific binary value, non- comprising a plurality of single-bit cells configured to store an N-bit cryptographic key. An apparatus comprising a volatile memory (NVM) and a processor is further provided. The processor is configured to generate a random N-bit updating sequence. The processor does not invalidate any bits in the current instance of the N-bit cryptographic key that do not have a specific binary value, but is different from the bit in the corresponding position in the random N-bit updating sequence, and does not have a specific binary value. and invalidate each bit in the current instance of the bit encryption key, thereby creating a new instance of the N-bit encryption key. The processor is configured to, after generating a new instance of the N-bit cryptographic key, replace the current instance of the N-bit cryptographic key with the new instance of the N-bit cryptographic key in the NVM.

In some embodiments,

the processor is configured to generate each bit in the random N-bit updating sequence with a specific probability to have a specific binary value;

The processor is further configured to calculate, prior to generating the random N-bit updating sequence, a certain probability such that the expected entropy of a new instance of the key relative to the current instance of the key is not less than a predefined threshold E less than N.

In some embodiments, the particular probability is greater than 0.5.

According to some embodiments of the present invention, there is further provided a method of generating a new instance of an N-bit cryptographic key for storage in a non-volatile memory (NVM) in which unprogrammed cells have a specific binary value. The method includes generating a random N-bit updating sequence and, without invalidating any bits in the current instance of the N-bit cryptographic key that do not have a specific binary value, of the corresponding position in the random N-bit updating sequence. generating a new instance of the N-bit encryption key by invalidating each bit in the current instance of the N-bit encryption key that is different from the bits and has a specific binary value.

In some embodiments, generating the random N-bit updating sequence includes generating each bit in the random N-bit updating sequence with a probability to have a particular binary value greater than 0.5.

In some embodiments, the method includes, prior to generating the random N-bit updating sequence, identifying a number N1 of bits in the current instance of the N-bit cryptographic key having a particular binary value; Step of solving -(qlog ₂ q + (1-q)log ₂ (1-q)) = E/N1 for q -E is a predefined entropy threshold -; and deriving a probability from q.

In some embodiments, deriving the probability from q comprises deriving the probability from q by setting the probability to q.

In some embodiments, deriving the probability from q comprises deriving the probability from q by setting the probability to ^{a highest value n/2 m not greater than q.} Here, m is a predetermined integer and n is a variable integer.

In some embodiments, prior to generating the random N-bit updating sequence, the method includes:

identifying a number N1 of bits in a current instance of an N-bit cryptographic key having a particular binary value; and

-(qlog ₂ q + (1-q)log ₂ (1-q)) setting the probability to a maximum value among multiple predefined values of q not less than E/N1. Here, E is a predefined entropy threshold.

According to some embodiments of the present invention, a method is further provided for enabling multiple updates of an N-bit cryptographic key in a non-volatile memory (NVM) where unprogrammed cells have a specific binary value. The method is different for updates, such that, for each i-th update of updates, the expected entropy of a new instance of the N-bit cryptographic key for the current instance of the N-bit cryptographic key is not less than a predefined threshold E less than N. calculating each probability {q _i } (i = 1...U). Here, (i) the new instance of the N-bit cryptographic key does not invalidate any bits in the current instance of the N-bit cryptographic key that do not have a specific binary value, but at the corresponding position in the N-bit random updating sequence. generated by invalidating each bit in a current instance of an N-bit cryptographic key that is different from a bit and has a specific binary value, (ii) a probability q _{i that each bit in the N-bit random updating sequence has a specific binary value} is created with The method further comprises providing probabilities to be used to perform updates after calculating the probabilities.

In some embodiments, each of the probabilities is greater than 0.5.

을 푸는 단계(여기서, q₀는 1) 및 q로부터 q_i를 도출하는 단계를 포함한다.In some embodiments, calculating the probabilities comprises for each i-th update of the updates, for q

Solving for (where q ₀ is 1) and deriving _{q i from q.}

By setting the In some embodiments, deriving the q _i q from the q _i to q, and a step of deriving from q _i q.

By setting the In some embodiments, deriving from q _i q is the maximum value n / 2 ^m is not greater than q q _i, and a step of deriving from q _i q. Here, m is a predetermined integer and n is a variable integer.

보다 작지 않은 q의 다중 미리 정의된 값들 중 최대값으로 q_i를 설정하는 단계를 포함한다. 여기서, q0은 1이다.In some embodiments, calculating the probabilities comprises, for each i-th update of updates, -(qlog ₂ q + (1-q)log ₂ (1-q))

_{setting q i} to the maximum of multiple predefined values of q not less than. Here, q0 is 1.

BRIEF DESCRIPTION OF THE DRAWINGS The present invention will be more fully understood from the following detailed description of embodiments in conjunction with the drawings.

1 is a schematic diagram of a system for updating an encryption key in accordance with some embodiments of the present invention.
2 is a schematic diagram of the creation of a new instance of a cryptographic key in accordance with some embodiments of the present invention.
3 is a schematic diagram of a technique for generating a random sequence in accordance with some embodiments of the present invention.
4 is a schematic diagram of a technique for calculating a bit-generation probability in accordance with some embodiments of the present invention.
5 is a schematic diagram of a method for enabling multiple updates of a cryptographic key in accordance with some embodiments of the present invention.

introduction

In the context of this application, including the claims, "updating" a cryptographic key means (i) computing a new instance of the key, (ii) replacing the current instance of the key with a new instance of the key in memory, or (iii) It can refer to both (i) and (ii).

This specification generally assumes that in NVM, programmed cells have a binary value of 0, whereas unprogrammed cells have a binary value of 1. However, as explicitly noted below with reference to FIG. 2 , the techniques described herein may also be utilized in NVMs using reverse convention.

summary

Updating cryptographic keys in non-volatile memory can be difficult. For example, as described above in the background art, OTP NVM does not allow erasure. Moreover, the update operation can be unstable even for other types of non-volatile memory that allows erasure, and an attacker can terminate the operation after erasing the current value of the key and before writing the new value of the key, so the key "freezes" to a known unprogrammed state.

To solve this problem, embodiments of the present invention update the key by changing only the (non-programmed) 1 bits in the key, without changing any (programmed) 0 bits. In particular, the current instance of the N- bit key K _i (hereinafter, referred to as a "K _i") is given to the ground, "S _i" (hereinafter N- bit of bits S _i-random sequence (N-bit sequence updating) ) is created, and a new instance K _i+1 (hereinafter referred to as "K _i+1 ") of the key is calculated by performing a bitwise AND operation or any equivalent operation between _{K i} and S _i. (To ensure that there is enough hard An attacker with knowledge of words, K _i to assume the K _{i + 1),} a new instance of the keys to ensure gateum enough entropy for the current instance, the length of the key N is longer than if both 0 bits and 1 bits have to be updated.

(It should be noted that, using alternate descriptive convention, K _i and K _i+1 may be referred to as different keys, and not as different instances or values of the same key. For example, _{we can say that K i+1} is the new key that replaces _{K i ).}

Typically, in order to allow a number of possible update, it S _i is an (indicated below, "q _i") probability q _i for each bit within the same S _i and 1 are generated by biased to greater than 0.5. (In some cases, for the last update of the key, q _i can be exactly 0.5.) In particular, the maximum q _i value giving the required entropy is calculated numerically, and this maximum value produces S _i . used to do

In some embodiments, each q _i value is computed just before the i-th update, taking into account the current key K _{i .} If by the introduction, K _i is given, the entropy of the K _{i + 1} is N1 _i * H (q _i) with the same and, N1 _i has K _i is the number of my one _{bit, H (q i) = -} (q _i log ₂ q _i + (1-q _i )log ₂ (1-q _i )). For this entropy to be greater than or equal to a certain threshold E (hereinafter referred to as "E"), H(q _i ) must be greater than or equal to E/N1 _{i .} Therefore, before the i-th update, the quantity E/N1 _i can be calculated. Then, if E/N1i is less than or equal to 1 (the maximum possible value of H(q)), then the equation H(q) = E/N1 _i can be solved numerically for q. (It should be noted that the solution accuracy to be calculated is determined by the manner in which the numerical calculation (numerical method) and the calculation method used to be implemented. The solution to the equation q _i * or the q _i * Small nearest than A suitable value can be used as the _{value of q i .}

(여기서, q₀는 1),의 기대값은 K_i가 주어진 K_i+1의 엔트로피를 추정하는 데 이용되므로, 요구되는 엔트로피 E를 획득하기 위해 H(q_i)은

보다 크거나 같아야 한다. (이 양은

(여기서,

= E/N)로 보다 간결하게 작성될 수 있다.) q_i 값들은

이 1보다 큰 것으로 (i=U+1) 확인될 때까지 q₁으로 시작하여 반복적으로 풀릴 수 있다. _{In other embodiments, the set of q i} values {q ₁ , q ₂ , ... q _U } for use in performing U updates of the key is precomputed prior to performing any updates. For this calculation, N1 _i ,

(where q ₀ is 1), the expected value of K _{i is used to estimate the entropy of K i+1} given K i , so to obtain the required entropy E H(q _i ) is

must be greater than or equal to (This amount

(here,

= E/N) can be written more concisely.) q _i values are

It can be solved iteratively, starting with _{q 1} , until it is found to be greater than 1 (i=U+1).

Typically, _{to enable S i} generation, q _i is of the form ^{n/2 m} for a predetermined integer m and a variable integer n. To generate S _i , an unbiased random seed X _i (hereinafter referred to as “X _i ”) comprising E bits is generated or obtained. Then, X _i is expanded - for example using a hash function - into N m-bit sequences, each corresponding to the N bits of _{S i .} The value of each m-bit sequence is then compared to n. If the bit value is less than n corresponding in S _i is set to 1, otherwise the bit is set to zero.

System Description

First, reference is made to FIG. 1, which is a schematic diagram of a system 20 for updating a cryptographic key in accordance with some embodiments of the present invention. 1 , the N-bit encryption key “K” is used to encrypt communication between an Internet service provider (ISP) and an Internet of Things (IoT) device 22 over the Internet 24 . .

In general, if the device 22 is maintained with the same ISP and the security of the key is not compromised, there is no need to update the key. However, if the device 22 switches to a different ISP, or if the security of the key is compromised, it may be necessary to update the key.

For example, FIG. 1 depicts a scenario in which device 22 is serviced by a first ISP 26a, but is subsequently serviced by a second ISP 26b. In this scenario, the second ISP 26b requests the current instance of the _{key K i from the first ISP 26a.} In response to this request, the first ISP 26a communicates _{K i over the Internet 24 to the second ISP 26b.} The first ISP 26a may further communicate the value of i to the second ISP 26b. That is, the first ISP 26a may specify the number of updates to the previously performed encryption key. The second ISP 26b _{then creates a new instance K i+1} of the key, and then to the device 22 , for example via the router 28 serving the WiFi network to which the device 22 belongs. It communicates _{K i+1} over the Internet 24 . (Typically, the 2 ISP (26b) by using a, for example, K _i before communicating the K _{i + 1} to the device 22, and encrypts the K _{i + 1.)} Subsequently, the device 22 and the The second ISPs 26b may start communication with each other by using _{K i+1 for encryption and decryption of communication.}

The second ISP 26b includes a processor and a network interface 43 including, for example, a network interface controller (NIC). The processor 30 is configured to exchange communications with the device 22 and the first ISP 26a (as well as other devices) via the network interface 32 . The processor 30 is further configured to update the encryption key used to encrypt communications with the device 22 . For example, as described above, the processor 30 may update the key when initiating communication with the device 22 . Optionally or additionally, the processor 30 may be responsive to the processor 30 (or an external cybersecurity system) to update the key identifying that the key has been stolen by an attacker.

Similarly, device 22 includes a processor 34 and a communication interface 36 . The processor 34 is configured to exchange communication with the second ISP 26b (as well as other devices) via the communication interface 36 . For example, communication interface 36 may include a WiFi card that processor 34 may use to exchange communications via router 28 .

Device 22 further includes memory 38 in which processor 34 stores cryptographic keys. Thus, for example, memory 38 may initially hold _{K i . After receiving K i+1} from the second ISP 26b , the processor 34 may overwrite _{K i} with K _{i+1 .}

Typically, memory 38 is non-volatile. For example, the memory 38 may be an OTP NVM, flash memory, or electrically erasable programmable read-only memory (EEPROM). Advantageously, however, updating the cryptographic key does not require deprogramming any memory cells in memory 38, as further described below with reference to FIG. 2 .

In some embodiments, as described below with reference to FIG. 5 , the second ISP 26b uses a parameter (specifically, the bit-generation probability q _i ) included in the data sheet provided by the server 40 . to generate K _{i + 1 .} For example, using the network interface 44 , the server 40 may publish a data sheet on a website. Immediately before generating K _i+1 , the second ISP 26b may retrieve the data sheet from the website and look up in the data sheet the parameters needed to generate _{K i+1 .} Alternatively, at _{any time prior to the generation of K i+1} , the server 40 may communicate the data sheet (eg, via the Internet 24 ) to the second ISP 26b , after which the second ISP 26b may store data sheets in volatile or non-volatile memory (not shown). Then, _{just before generating K i+1} , the second ISP 26b may retrieve the data sheet from memory and then look up the relevant parameters.

In other embodiments, the processor 34 of the device 22 will generate a K _{i + 1,} and thereafter communicating the K _{i + 1} to the ISP 2 (26b). In such embodiments, the processor 34 may receive the data sheet described above from the server 40 . In another embodiment, server 40 or any other suitable third party generates _{K i+1 and then sends K i+1} to both device 22 and second ISP 26b . can communicate.

The server 40 includes a processor 42 and a network interface 44 including, for example, a NIC. The processor 42 is configured to exchange communication with the second ISP 26b (and/or the device 22 ) via the network interface 44 .

It is emphasized that the components and configuration of system 20 are provided by way of example only. In general, each of the various techniques described herein may be executed by any suitable processor belonging to any suitable system. For example, the techniques described herein may be used to update a cryptographic key stored in an embedded subscriber identification module (eSIM) or embedded secure element (eSE) belonging to a mobile phone. For example, the service provider for the mobile phone generates a K _{i + 1,} and communicates the K _{i + 1} to the mobile phone, then the mobile phone is non-belonging to the phone the K _{i + 1} - can be stored in volatile memory, have.

In general, each of the processors described herein may be embedded as a single processor or as a set of cooperating networked or clustered processes. In some embodiments, the functionality of at least one of the processors described herein is implemented solely in hardware, for example using one or more Application-Specific Integrated Circuits (ASICs) or Field-Programmable Gate Arrays (FPGAs). In other embodiments, the functionality of each of the processes described herein is implemented, at least in part, in software. For example, in some embodiments, each of the processors described herein is embedded as a programmed digital computing device that includes at least a central processing unit (CPU) and random access memory (RAM). Program code, including software programs and/or data, is loaded into RAM for execution and processing by the CPU. The program code and/or data may be downloaded to the processor in electronic form, for example via a network. Alternatively or additionally, program code and/or data may be provided and/or stored in non-transitory tangible media, such as magnetic, optical or electronic memory. Such program code and/or data, when provided to a processor, creates a machine or special-purpose computer configured to perform the tasks described herein.

create a new instance of the key

Reference is now made to FIG. 2 , which is a schematic diagram of the creation of a new instance of a cryptographic key, in accordance with some embodiments of the present invention.

FIG. 2 relates to the scenario shown in FIG. 1 , in which processor 30 (or any other processor, as described above) _{, given a current instance K i} of a key, creates a new instance K of an N-bit cryptographic key. create _i+1 The K _{i + 1} is generated as also described in outline with reference to Figure 1, to replace the K _i to K _{i + 1} in the NVM to eliminate the need to de-programming of any memory cell. Nevertheless, with reference to Figure 4 as will be described in detail below, the expected entropy of the K _{i + 1} for the K _i is not less than a predefined threshold, entropy E. (The threshold E less than the number N of bits in the encryption key may be defined by, for example, a security architect of the system 20 .)

In particular, _{to generate K i+1} , the processor first generates a random N-bit updating sequence S _i . Next, the processor by invalidating a K _i within each bit having a bit different from, the binary value 1 at the location without invalidate any bit in K _i does not have a binary value of 1, S _i within the corresponding, K create _i+1 2 shows two negative bits, each indicated by upward arrows.

Typically, as shown in FIG. 2 , the processor generates _{K i+1} by performing a bitwise AND operation between _{K i} and S _{i .} Thus, K _i within some one bits, but replaced with K _{i + 1} in bit 0, K _i within 0 bits are not replaced by one bit, so that keys are updated in NVM without having to also de-program certain cells can

The processor generating a respective bit _i within S 1 was the probability q and _i, q _i is typically greater than 0.5. (As mentioned in the overview, in some cases, q _i may be exactly 0.5 for the last update of the key.) In some embodiments, q _i is determined by server 40 , as described above with reference to FIG. 1 . As specified in the data sheet provided. Such a data sheet may include, for example, a lookup table specifying _{q i} for one or more values of E, one or more values of N, and various values of i. In other embodiments, the processor computes _{q i .} Further details regarding the calculation of q _i are described below with reference to FIG. 4 .

For the unprogrammed memory cells have a binary value inverse NVM rules having 0 (NVM reverse convention), the processor generates each bit in S _i to zero probability q _i. After that, the processor, for example by performing a bit-wise OR operation between K _i and S _i, K _i invalidates the bit which is different in each of the 0 bit position S _i in response.

Random Sequence Generation

Reference is now made to FIG. 3 , which is a schematic diagram of a technique for generating a _{random sequence S i} , in accordance with some embodiments of the present invention. This technique assumes that q _i is equal to ^{n/2 m} for a predetermined integer m and a variable integer n. (e.g. m can be 10, so q _i = n/1024)

To generate S _i , the processor first generates or obtains an _{unbiased random seed X i} with E bits from an external source. (X _i, so that each bit of a probability of 1 in 0.5, X _i is biased language.) The processor further look-up the q _i = n / 2 ^m or calculated. Then, the processor expands _{X i} with N m-bit sequences {Zij} (where j = 1...N), each corresponding to bits _{of S i .} For example, the processor applies a hash function f(X, c) to _{X i} with N different respective counters c, eg, a first m-bit sequence corresponding to the first bit of _{S i .} Z _i1 is equal to f(X _i , 1 ), and a second m-bit sequence Z _{i2 corresponding to the second bit of S i} is equal to f(X _i , 2). Examples of suitable hash functions include secure hash algorithm (SHA) functions such as SHA-2, SHA-256, SHA-512, and SHA-3.

Next, for each bit within the S _i, the processor sets a bit to 1 in response to the value of the bit sequence corresponding m- smaller than n. For example, if Z _i1 is less than n, _{the first bit in S i} is set to 1, otherwise the bit is set to 0.

Despite the particular technique illustrated in FIG. 3, S _i is generated using the respective bits within the S _i 1 probability q _i, if having any other suitable technique (q _i is n / 2 if not an ^m shape) It should be noted that it can be

Calculate bit-generation probability for single update

Reference is now made to FIG. 4 , which is a schematic diagram of a technique for calculating a _{bit-generation probability q i} in accordance with some embodiments of the present invention.

In some embodiments, the processor generating _{K i+1} computes _{q i} before generating _{S i .} Typically, in such embodiments, the processor first identifies the number N1 _{i of 1 bits in K i .} Next, as shown in Figure 4, the processor solves for q H(q) = -(qlog ₂ q + (1-q)log ₂ (1-q)) = E/N1 _i , and this solution is indicated in FIG. 4 with the notation q _i ^{* .} (In most cases, there are two solutions for the equation, the processor selects the larger of the two solutions from the solution.) After that, the processor derives from q _i q _i ^*. For example, the processor may set q _i to q _i ^* or to the highest value n/2 ^m less than or equal to q _i ^* . (In other words, the processor finds the highest integer n where ^{n/2 m} is less than or equal to q _i ^*.)

As described above in summary, given the K _i entropy of K _{i + 1} is equal to the _{N1 i * H (q i)} . Therefore, by setting q _i to _{the nearest suitable value less than q i} ^* or q _i ^* , the processor effectively chooses the largest suitable value of _{q i} giving at least an entropy of E .

Instead of solving for q _i ^* , the processor defines multiple values of q and then sets q _i to the maximum of these values for which H(q) _{is not less than E/N1 i .} For example, the processor may generate an array of values [2 ^m-1 /2 ^m , (2 ^m-1 +1)/2 ^m , . . . (2 ^m −1)/2 ^m ], and then set q _i to the maximum of these values for which H(q) _{is not less than E/N1 i .}

If E/N1 _i is greater than 1, the processor does not generate _{K i+1} because the required entropy E cannot be obtained. In this case, the processor may generate an appropriate error message indicating that, for example, the memory 38 in the device 22 needs to be replaced or erased.

Precompute bit-generation probabilities for multiple updates

In some embodiments, the processor generating _{K i+1} does not use N1 _{i to compute q i .} Rather, the processor computes the sequence of q _i values for multiple updates of keys on the basis of each update, N1 _i ^* _i estimated value of N1 in advance. Alternatively, server 30 ( FIG. 1 ) may generate a data sheet specifying respective sequences of _{q i values for one or more pairs of N and E values.} Then, as described above with reference to Fig. 1, the server 40 (such as the second ISP 26b) that wants to update the encryption key in the manner described above with reference to Figs. party) can provide a data sheet.

In this regard, reference is now made to FIG. 5, which is a flow diagram of a method 46 for enabling multiple updates of a cryptographic key in accordance with some embodiments of the present invention. In particular, in method 46, { A data sheet specifying the q _i } sequences is generated and provided. Method 46 is typically performed by processor 42 of server 40 as described above. Alternatively, a subset of the steps of method 46 (eg, _{computation of {q i} } for a single (N,E) pair) is performed on a processor such as processor 30 of second ISP 26b that updates the key. can be performed by

The method 46 begins with a selection step 47 in which the processor 42 selects the next predefined (N,E) pair for which the sequence of bit-generation probabilities is to be computed. (Each (N,E) pair may, for example, be provided to the processor 42 by the security expert.) Next, the processor, for U updates of the key, gives different respective probabilities {q _i } ( Here, i = 1…U) is calculated. Key prediction of the new instance of the (K _{i + 1)} for the current instance of the computed each q _i value, when a new instance of a key, see Fig. 2 and 3 to generate, as described above, the key (K _i) The intropy is not less than E. That is, q _i is generally calculated as described above with reference to FIG 4, K _i expected entropy of K _{i + 1} for the (H (q) * N1 _i ^*) is the actual entropy (unknown in advance) is used instead.

를 계산한다. 다음으로, 제1 검사 단계(52)에서, 프로세서는 E/N1_i ^*이 1보다 작거나 같은지 여부를 체크한다. 만약 그렇다면, 프로세서는 설정 단계(54)에서 q_i를 H(q)가 E/N1_i ^*보다 작지 않은 q의 최대 적합한 값으로 설정한다. 예를 들어, 도 4를 참조하여 전술한 바와 같이, 프로세서는 q_i를 (H(q_i ^*) = E/N1_i ^*인) q_i ^* 또는 q_i ^*보다 낮은 가장 가까운 적합한 값으로 설정할 수 있다. 이어서, 증가 단계(56)에서, 프로세서는 인덱스 i를 증가시킨다.More specifically, following the selection step 47 , the processor sets q ₀ to 1 and initializes the index i to 1 in an initialization step 48 . _{Then, the processor iteratively computes q i} until the expected entropy of a new instance of the key is less than E and increments the index. To compute q _i , the processor first in a computation step 50

to calculate Next, in a first check step 52 , the processor _{checks whether E/N1 i} ^* is less than or equal to one. If so, the processor sets q _i to the maximum suitable value of q where H(q) _{is not less than E/N1 i} ^{* in a setting step 54 .} For example, as described above with reference to Figure 4, the processor can set q _i to the nearest suitable value lower than _{q i} ^* or q _i ^* (where H(q _i ^* ) = E/N1 _i ^* ). have. Then, in an increment step 56, the processor increments the index i.

In the first check step 52 , if E/N1 _i ^* is found to be greater than 1, the processor does not calculate _{q i for the current index i.} Rather, the sequence calculated to date {q ₁ , q ₂ , ... q _U } (where U (less than the current index) is the maximum number of updates allowed for the key) is appended to the datasheet as (N,E) in the data-sheet-updating step 58 .

Following the data-sheet-updating step 58 , the processor checks whether there are more (N,E) pairs remaining in a second check step 60 . If so, the processor returns to selection step 47 _{, computes {q i} } for the selected (N,E) pair, and then updates the data sheet. Otherwise, the processor provides a completed data sheet for use in updating the encryption key in the provision step 62 . For example, as described above with reference to FIG. 1 , the processor may upload the data sheet to a website or communicate the data sheet to another device.

As discussed above with reference to FIG. 2 , each q _i value is typically greater than 0.5. (Although, in some cases, q _U can be exactly 0.5.) As can be seen by observing the graph of H(q) shown in Fig. 4, if E/N1 _i ^* increases with i, i increases. The values of q _i ^* (and thus q _i ) decrease as For example, for E=80 and N=256, method 46 _{calculates a decreasing sequence of 11 q i} ^* values (0.943, 0.938, 0.933, 0.926, 0.918, 0.907, 0.893, 0.872, 0.841, 0.785 and 0.623) is returned. (The implication is that a 256-bit key can be updated 11 times using the technique described here, provided the required entropy does not exceed 80 bits.)

Given the data sheet, the processor generating a new instance of the key, such as processor 30 of the second ISP 26b, looks up the _{appropriate q i value given by N, E and i.} (As described above with reference to FIG. 1 , the first ISP 26a may specify i as the second ISP 26b.) Then, as described above with reference to FIGS. 2 and 3 , the processor generates q _i using the generated updating the sequence S _i, and then using the S _i to generate a K _{i + 1} from the K _i.

Claims (15)

An apparatus for generating a new instance of an N-bit cryptographic key for storage in a non-volatile memory (NVM) belonging to a device, wherein non-programmed cells have a specific binary value, the device comprising:
network interface; and
processor
including,
the processor
generate a random N-bit updating sequence,
the bit different from the corresponding position in the random N-bit updating sequence and having the specific binary value, without invalidating any bits in the current instance of the N-bit cryptographic key that do not have the specific binary value. generating the new instance of the N-bit encryption key by invalidating each bit in the current instance of the N-bit encryption key;
after generating the new instance of the N-bit encryption key, communicate, using the network interface, the new instance of the N-bit encryption key to the device for storage in the non-volatile memory (NVM);
the processor
generate each bit in the random N-bit updating sequence with a probability of having the specified binary value greater than 0.5;
the probability is equal to ^{n/2 m} for a predetermined integer m and a variable integer n,
the processor
Extend an unbiased random seed with E bits into N m-bit sequences respectively corresponding to bits of the random N-bit updating sequence, for each bit in the random N-bit updating sequence, generate the random N-bit updating sequence by setting the bit to the particular binary value in response to a value of a corresponding m-bit sequence being less than n;
Device. According to claim 1,
the processor
by performing a bitwise AND operation between the current instance of the N-bit cryptographic key and the random N-bit updating sequence, which is different from the bit at the corresponding position in the random N-bit updating sequence, and the specific binary configured to invalidate each bit in the current instance of the N-bit cryptographic key having a value,
Device. delete delete a non-volatile memory (NVM) comprising a plurality of single-bit cells, configured to store an N-bit cryptographic key, wherein a non-programmed one of the cells has a specific binary value; and
processor
including,
the processor
generate a random N-bit updating sequence,
the bit different from the corresponding position in the random N-bit updating sequence and having the specific binary value, without invalidating any bits in the current instance of the N-bit cryptographic key that do not have the specific binary value. generating a new instance of the N-bit cryptographic key by invalidating each bit in the current instance of the N-bit cryptographic key;
after generating the new instance of the N-bit encryption key, replacing the current instance of the N-bit encryption key with the new instance of the N-bit encryption key in the NVM;
the processor
generate each bit in the random N-bit updating sequence with a probability of having the specified binary value greater than 0.5;
the probability is equal to ^{n/2 m} for a predetermined integer m and a variable integer n,
the processor
Extend an unbiased random seed with E bits into N m-bit sequences each corresponding to bits of the random N-bit updating sequence, for each bit in the random N-bit updating sequence, generate the random N-bit updating sequence by setting the bit to the particular binary value in response to a value of a corresponding m-bit sequence being less than n;
Device. 6. The method of claim 5,
the processor
and generate each bit in the random N-bit updating sequence with a specific probability to have the specific binary value;
the processor
prior to generating the random N-bit updating sequence such that the expected entropy of the new instance of the N-bit encryption key relative to the current instance of the N-bit encryption key is not less than a predetermined threshold E less than N , further configured to calculate the specific probability,
Device. 7. The method of claim 6,
wherein the specific probability is greater than 0.5;
Device. A method for generating a new instance of an N-bit cryptographic key for storage in a non-volatile memory (NVM), wherein unprogrammed cells have a specific binary value, the method comprising:
generating a random N-bit updating sequence; and
the bit different from the corresponding position in the random N-bit updating sequence and having the specific binary value, without invalidating any bits in the current instance of the N-bit cryptographic key that do not have the specific binary value. generating the new instance of the N-bit encryption key by invalidating each bit in the current instance of the N-bit encryption key.
including,
The step of generating the random N-bit updating sequence comprises:
generating each bit in the random N-bit updating sequence with a probability of having the specified binary value greater than 0.5;
including,
the probability is
equal to ^{n/2 m} for a predetermined integer m and a variable integer n,
The step of generating the random N-bit updating sequence comprises:
extending an unbiased random seed with E bits into N M-bit sequences each corresponding to bits of the random N-bit updating sequence; and
for each bit in the random N-bit updating sequence, setting the bit to the specific binary value in response to the value of the corresponding m-bit sequence being less than n;
A method comprising 9. The method of claim 8,
The invalidation step is
performing a bitwise AND operation between the current instance of the N-bit encryption key and the random N-bit updating sequence;
containing,
Way. delete 9. The method of claim 8,
Prior to generating the random N-bit updating sequence,
identifying the number N1 of bits in the current instance of the N-bit cryptographic key having the particular binary value;
Solving -(qlog ₂ q + (1-q)log ₂ (1-q)) = E/N1 for q - E is the predefined entropy threshold -; and
deriving the probability from q
A method further comprising: 12. The method of claim 11,
The step of deriving the probability from q is
deriving the probability from q by setting the probability to q;
containing,
Way. 12. The method of claim 11,
The step of deriving the probability from q is
deriving the probability from q by setting the probability to the highest value n/2 ^m not greater than q, where m is a predetermined integer and n is a variable integer;
containing,
Way. delete A method for enabling multiple updates of an N-bit cryptographic key in a non-volatile memory (NVM), wherein non-programmed cells have a specific binary value, the method comprising:
such that for each i-th of the updates, the expected entropy of a new instance of the N-bit cryptographic key relative to the current instance of the N-bit cryptographic key is not less than a predefined threshold E less than N; calculating each different probability {q _i } (i = 1...U) for and
after calculating the probabilities, providing the probabilities to be used in performing the updates;
including,
The new instance of the N-bit encryption key is
The specific binary value and different from the bit in the corresponding position in the N-bit random updating sequence, without invalidating any bits in the current instance of the N-bit cryptographic key that do not have the specific binary value. generated by invalidating each bit in the current instance of an N-bit cryptographic key,
Each bit in the N-bit random updating sequence is
which is generated with the probability q _{i with the particular binary value}
Way.

Images