WO2018174112A1 - Technology for authenticating device on network - Google Patents

Publication number
WO2018174112A1
Authority
WO
WIPO (PCT)
Prior art keywords
client
key
block
public key
network
Application number
PCT/JP2018/011231
Other languages
French (fr)
Japanese (ja)
Other versions
WO2018174112A4 (en
Inventor
渡辺浩志
木下敦寛
Original Assignee
渡辺浩志
Priority to JP2017-054728
Application filed by 渡辺浩志
Publication of WO2018174112A1
Publication of WO2018174112A4

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
    • G06F21/73 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information by creating or determining hardware identification, e.g. serial numbers
    • G PHYSICS
    • G09 EDUCATION; CRYPTOGRAPHY; DISPLAY; ADVERTISING; SEALS
    • G09C CODING OR CIPHERING APPARATUS FOR CRYPTOGRAPHIC OR OTHER PURPOSES INVOLVING THE NEED FOR SECRECY
    • G09C1/00 Apparatus or methods whereby a given sequence of signs, e.g. an intelligible text, is transformed into an unintelligible sequence of signs by transposing the signs or groups of signs or by replacing them by others according to a predetermined system
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communication
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/10 Cryptographic mechanisms or cryptographic arrangements for secret or secure communication with particular housing, physical features or manual controls
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communication including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials

Abstract

[Problem] To improve the reliability of a hardware network using a blockchain, enable the replacement of failed hardware using a private ledger, and economically maintain and manage a system that is a hardware network. [Solution] A blockchain and a private ledger that is provided in a server are used in combination to prevent the falsifying of a history of data transmission and reception between logical nodes linking hardware while ensuring that, even if failed hardware is replaced, the blockchain linked to said hardware is not affected.

Description

Apparatus authentication technologies on the network

The present invention relates to a technique for authenticating a device on the network.

The number of devices connected to the Internet grows year by year, and network structures have become more complex and diverse. Broadly, however, networks can be classified into two types: the client-server (CS) type, in which a server with special functions is placed at a central node (core node), and the peer-to-peer (P2P) type, in which no such core node exists and all nodes are connected on an equal footing.

A network generally consists of nodes and communication lines (links). A first node and a second node are linked by a signal transmission path, which is a communication line. For example, the first node and the second node exchange data over the signal transmission path in the form of protocol data units (PDUs). The first node and the second node each handle protocol data units according to a protocol that has a certain consistency.

In the Internet of Things (IoT), the first and second nodes are devices (hardware) connected to the network, and they are called physical nodes because they have physical reality. In this case, the first physical node and the second physical node are regarded as connected by a signal transmission path that has physical reality. Such a signal transmission path carries wired or wireless electronic signals or optical signals. A network constructed in this way from a plurality of physical nodes and signal transmission paths is called a physical network.

The address used to identify a physical node on a physical network is called a physical address. That is, the first physical node has a first physical address and the second physical node has a second physical address. Sending data from the first physical node to the second physical node means that the data (a frame, as an example in this case) is sent from the first physical address to the second physical address through a signal transmission path that has physical reality.

On the other hand, when the first and second nodes have no physical reality, they are called logical nodes. A logical node is a node associated with a logical address defined virtually on the network, and it is not necessarily associated with particular hardware. A network constructed from a plurality of logical nodes is called a logical network. The signal transmission path linking the first logical node and the second logical node does not necessarily have physical reality.

The address used to identify a logical node on a logical network is called a logical address. In other words, the first logical node sending data to the second logical node is interpreted as data being sent from the first logical address to the second logical address. In practice, the first logical address and the second logical address are also attached, in order, as codes to the data being transferred. As transfers are repeated, a list of logical addresses is appended to the data. This list contains the latest logical address and the past transfer history of the data. Every logical node that accesses the data can therefore know how the data has been transferred and at which logical node it is now defined as virtually residing. A block of data to which the transfer history, including the latest logical address, is attached is called a logical block. As long as the transfer history is not tampered with, the logical block can properly be identified by the latest logical address.

A technology that has drawn attention in recent years as a way to make the transfer history tamper-proof is the public ledger. The best known public ledger technology is the blockchain, devised to make the remittance data of the cryptocurrency called Bitcoin tamper-proof. In other words, it is a network system that prevents fraudulent remittance by preventing tampering with the remittance history.

(Blockchain)

The blockchain is briefly described here.

A blockchain is a public ledger system on a peer-to-peer (P2P) network. A P2P network structure does not assume a server at its core; all nodes connected to the network are non-core and equal, and security has to be ensured by the nodes monitoring one another. This makes it possible to provide applications that are not feasible on a client-server network, which assumes the existence of a core server.

The most important of these is the remittance system of the cryptocurrency called Bitcoin. In Bitcoin, the past processing history and the account name that is the subject of the process are first combined and encrypted. The result is then forwarded as an electronic signature for a new process. The means of processing is therefore not left to financial institutions. The updated and forwarded processing history is monitored by many other non-core nodes on the network and is approved in a manner similar to a majority vote.

Transferring the processing history is synonymous with transferring currency, and an approved processing history is treated like currency. In this way, processing proceeds without going through a specific core entity such as a bank.

The encryption used for electronic signatures that flow over the network is easiest to explain with the well-known Alice-and-Bob metaphor of public-key cryptography. Alice sends her public key to Bob in advance. This public key may be stolen by someone on the network. Bob encrypts a letter with the public key he received from Alice and sends it to Alice. Decrypting the encrypted letter requires the secret key that forms a pair with Alice's public key. Therefore, as long as the encryption is not broken, the contents of the letter cannot be read even if it is stolen by someone on the network, because only Alice holds the secret key. Alice decrypts Bob's letter with her own secret key and can read it.

In this way, the public key may be exposed on the network. Alice therefore need not send her public key only to Bob. Even so, as long as the encryption is not broken, only Alice, who holds the secret key, can decrypt and read a letter encrypted with the public key. A public key and a secret key are always generated as a pair, and it must be practically impossible to reproduce the secret key from the public key. In other words, breaking the encryption means reproducing the secret key from the public key. In addition, a letter encrypted with the secret key can be decrypted with the public key.

Another important role of the public key is to serve as the destination for a letter sent to Alice, that is, as Alice's address on the network. When Bob releases the encrypted letter onto the network, it reaches every recipient connected to the network. A recipient who cannot decrypt it cannot read it, and being unable to read it is the same as not having received it. The fact that only Alice can decrypt the letter is therefore equivalent to the letter having reached only Alice. This makes clear that another role of the public key is that of a logical address on the network. The public key used in Bitcoin is accordingly also called a Bitcoin address.

For example, a logical node is a wallet that holds a cryptocurrency such as Bitcoin, and a logical address is assigned to it in advance. The wallet contains some monetary value (data relating to a currency or an equivalent such as coins). In addition, the address and the contents of the wallet are encrypted in some way and attached to the wallet as an electronic signature.

Such a wallet can be used, for example, by installing a dedicated application on hardware such as a personal computer, tablet, smartphone or smart card. The contents of the wallet are then stored as digital data in the storage of the hardware on which the dedicated application is installed. In electronic processing premised on P2P, for example, the administrator or owner of the hardware must manage this digital data on their own responsibility. This differs from the client-server type, in which a financial institution bears the responsibility. Electronic processing on P2P does not require an entity with core functions such as a financial institution.

FIG. 1 shows a chain of process (N-2, N-1), process (N-1, N), process (N, N+1), and so on. Process (N-2, N-1) is some process from wallet (N-2) to wallet (N-1), process (N-1, N) is some process from wallet (N-1) to wallet (N), and process (N, N+1) is some process from wallet (N) to wallet (N+1). Here N is an arbitrary natural number of 3 or more.

Suppose, for example, that the contents of wallet (N-1) are 1000 yen remitted from somewhere. The source of this 1000 yen is wallet (N-2), and electronic signature (N-2) is attached to the 1000 yen. The 1000 yen is only an example; the contents may be any digital information equivalent to or exchangeable for other monetary value. Wallet (N-1) consists of the 1000 yen that is its contents, electronic signature (N-2), and a secret key (N-1) and its unique public key (N-1), which form a pair and are used to create the next electronic signature. As described above, public key (N-1) is the address of wallet (N-1) on the network. A Bitcoin address is one example.

Next, hash value (N-1) is generated from public key (N-1), the contents of wallet (N-1) and electronic signature (N-2), using a hash function (SHA-256, as an example). This hash value (N-1) is sent to wallet (N), and wallet (N) stores it as its contents. Meanwhile, using secret key (N-1) of the remitting wallet, public key (N), which is the address of wallet (N), and hash value (N-1), which is its contents, are encrypted together to generate electronic signature (N-1), which is transferred to wallet (N) together with hash value (N-1).

Wallet (N) thus consists of hash value (N-1), electronic signature (N-1), and a unique public key (N) and secret key (N) that form a pair. This completes the remittance of 1000 yen from wallet (N-1) to wallet (N).

Hash value (N-1) should contain the information that this 1000 yen came from wallet (N-1). However, unlike encryption, hashing has no inverse transformation, so hash value (N-1) cannot be inverted (decrypted) and read. This is why electronic signature (N-1) is attached. Electronic signature (N-1) is obtained by encrypting public key (N) and hash value (N-1) together using secret key (N-1). Therefore, to check whether the electronic signature really came from wallet (N-1), electronic signature (N-1) is decrypted with public key (N-1) and the result is compared with public key (N) and hash value (N-1) held in wallet (N). As long as the encryption is not broken, a match shows that the electronic signature was certainly made with secret key (N-1). If they do not match, the electronic signature is false. If the result of decryption with another public key, for example public key (Q), matches instead, it shows that wallet (Q), whose address is public key (Q), performed an illegal operation.

However, another method is needed to prove that there has been no illegal operation in the past history, because an electronic signature alone cannot rule out misconduct by the person who legitimately owns secret key (N-1). For example, the owner could abuse the secret key. Bitcoin, which is premised on P2P, tries to prevent this with proof of work (PoW). This is generally considered to have worked well. Proof of work (PoW) is described below.

Continuing in FIG. 1, hash value (N) is created from public key (N), the contents of wallet (N) (in this case hash value (N-1)) and electronic signature (N-1), using a hash function (SHA-256, as an example). Wallet (N) sends hash value (N) to wallet (N+1), and wallet (N+1) stores it as its contents. Meanwhile, wallet (N) uses secret key (N) to encrypt public key (N+1), which is the address of wallet (N+1), together with hash value (N), generating electronic signature (N). It then sends electronic signature (N) to wallet (N+1) together with hash value (N).

From the above, wallet (N) records process (N-1, N), from wallet (N-1) to wallet (N), as hash value (N-1). Similarly, wallet (N+1) records process (N, N+1), from wallet (N) to wallet (N+1), as hash value (N). In this way, the contents of any wallet contain the entire past processing history in chained form. In other words, the most recent hash value represents the whole of the past history.

Meanwhile, the number of wallets remitting to one wallet is not limited to one as in the example of the figure. In practice it is not unusual for several wallets to remit to one wallet, or for one wallet to remit to more than one wallet. The processing history of remittances thus becomes more complex. Even so, there is always exactly one hash value that includes the most recent history. It is called the Merkle root. The past can therefore be traced back from the Merkle root, which gives a tree diagram branching from the Merkle root, as in FIG. 2. This is called a Merkle tree. A Merkle tree thus also arranges the collection of all past history in chronological order. In other words, it corresponds to the logical block described above, and the Merkle root is a code that characterizes the logical block by its latest history.

For example, hash value (ABCD), which is the Merkle root, leads to the histories corresponding to hash value (AB) and hash value (CD). Hash value (AB) leads further back to the histories corresponding to hash value (A) and hash value (B), that is, process (A) and process (B). Hash value (CD) leads further back to the histories corresponding to hash value (C) and hash value (D), that is, process (C) and process (D).

However, because a hash value cannot be inverted, the remittance history cannot be traced by decrypting hash values. One practical way to follow the past processing history of the contents of wallet (N) (hash value (N-1)) is, for example, to select some other wallet (M), decrypt electronic signature (N) with public key (M), and compare the result with public key (N) and hash value (N-1). If they do not match, a different wallet (M+1) is selected and the same work is done with public key (M+1). If they match, the process is found to have been a remittance from wallet (M+1); that is, M+1 is found to be N-1. The wallet containing hash value (N-3) and public key (N-2), that is, wallet (N-2), can then be searched for in the same way. Repeating this operation traces back the processing history. Here M and N are arbitrary natural numbers.
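The transfer, the signature check and the search over candidate public keys described above, as an added example that is not taken from the patent. It assumes textbook RSA over a SHA-256 digest as a stand-in for "encrypting with the secret key", uses constructed toy keys built from known Mersenne primes (insecure, offline-only), and the names `Wallet`, `transfer` and `trace_sender` are hypothetical.

```python
import hashlib

E = 65537  # public exponent shared by all toy keys

# Constructed toy keys: each modulus is the product of two known Mersenne
# primes (2**k - 1). Insecure by construction; chosen so the example runs offline.
MERSENNE_EXPONENTS = {"N-2": (61, 89), "N-1": (107, 127),
                      "N": (521, 607), "Q": (1279, 2203)}


def to_bytes(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


class Wallet:
    def __init__(self, name: str):
        a, b = MERSENNE_EXPONENTS[name]
        p, q = 2**a - 1, 2**b - 1
        self.name = name
        self.public_key = p * q                            # also the logical address
        self._secret_key = pow(E, -1, (p - 1) * (q - 1))   # never leaves the wallet
        self.contents = b""    # hash value received from the previous wallet
        self.signature = 0     # electronic signature received with it


def _digest(message: bytes, modulus: int) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % modulus


def sign(wallet: Wallet, message: bytes) -> int:
    """'Encrypt with the secret key' (textbook RSA over a SHA-256 digest)."""
    return pow(_digest(message, wallet.public_key),
               wallet._secret_key, wallet.public_key)


def verify(public_key: int, message: bytes, signature: int) -> bool:
    """'Decrypt with the public key' and compare with the expected digest."""
    return pow(signature, E, public_key) == _digest(message, public_key)


def transfer(sender: Wallet, receiver: Wallet) -> None:
    """One process (sender, receiver) as described for FIG. 1."""
    # hash value = H(sender public key, sender contents, signature sender received)
    hash_value = hashlib.sha256(
        to_bytes(sender.public_key) + sender.contents + to_bytes(sender.signature)
    ).digest()
    receiver.contents = hash_value
    # signature = receiver public key and hash value, signed with sender secret key
    receiver.signature = sign(sender, to_bytes(receiver.public_key) + hash_value)


def trace_sender(receiver: Wallet, candidates):
    """Try each candidate public key until one verifies the stored signature."""
    message = to_bytes(receiver.public_key) + receiver.contents
    for wallet in candidates:
        if verify(wallet.public_key, message, receiver.signature):
            return wallet.name
    return None


def demo():
    w = {name: Wallet(name) for name in MERSENNE_EXPONENTS}
    w["N-2"].contents = b"1000 yen"          # constructed starting contents
    transfer(w["N-2"], w["N-1"])
    transfer(w["N-1"], w["N"])
    others = [w["Q"], w["N-2"], w["N-1"]]
    honest = (trace_sender(w["N"], others), trace_sender(w["N-1"], others))
    # Wallet Q replaces the signature held in wallet N with one made by its own key;
    # the same search then attributes the operation to Q.
    w["N"].signature = sign(w["Q"], to_bytes(w["N"].public_key) + w["N"].contents)
    forged = trace_sender(w["N"], others)
    return honest, forged


if __name__ == "__main__":
    print(demo())
```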

Although the past processing history can thus logically be traced back, it is not actually necessary to go back through the past history one item at a time using hash values in this way. Rather, processes, several hundred thousand or so at a time, are gathered into one lump, and they can be approved together in some way as having actually existed. Specifically, all hash values other than the Merkle root may be deleted, and the latest hash value (for example, ABCD) used as a code. A collection of processes represented by a single code is called a logical block.

The existence of the collection of past processes represented by the Merkle root (hash value (ABCD) in the above example) is approved with a time stamp. A logical block approved in this way is published on the network, which is why it is called a public ledger. This approval is work similar to date certification, in which documents are brought to a notary public's office and stamped with a dated seal. Approving a collection of unapproved processes as a new logical block is called posting, and the person who posts is given a certain reward in bitcoins in exchange for the approval work. Winning bitcoins in this way is called mining, and Bitcoin users who mine are called miners. Because only one miner can post at a time, miners compete to be first. Mined bitcoins are distributed to the market on the logical network.

This approval work is explained briefly using FIG. 3 as an example. First, a hash value is obtained for the approved past logical block. Next, a collection of unapproved processes existing on the network is found, and the Merkle root (hash value) of that collection is obtained. A variable called the nonce value is added to these two hash values, and the whole is hashed again to make the block hash. Bitcoin uses SHA-256 as the hash function here. Of course, the block hash can also be generated with other hash functions.

The nonce value is generally an arbitrary 32-bit value. The hash value generated with the nonce value included (the block hash in this case) is a 256-bit value. Since 2 to the 256th power is greater than 10 to the 77th power, the block hash has a large degree of freedom. By adjusting the nonce value, the first several bits of the block hash can be made zero. As an example, the probability that the first 16 bits of a newly generated block hash are all zero is 1 in 2 to the 16th power, that is, 1 in 65,536. In other words, it almost never happens by chance.

A hash function is irreversible. Therefore, the nonce value that produces a hash value (the block hash in this case) whose first several bits (16 bits in this example) are zero cannot in general be found by inverse transformation. That is, hashing must be repeated while changing the nonce value until the first several bits of the generated hash value are all zero. Determining a nonce value that produces a block hash whose first 16 bits are all zero therefore requires a certain amount of computing power or more.

In a P2P network, mining is not performed by a node with particular core functions. Anyone who can use a certain level of computing resources can mine. A miner, or more precisely the P2P node the miner uses, searches the network by brute force while changing the nonce value, and only needs to find a collection of unapproved processes for which the first several digits are all zero. That is, the miner goes around mining on the network while changing the nonce value. It is therefore not always necessary to adjust the nonce value for one particular collection of unapproved processes.

In any case, when a block hash whose first several bits (16 bits in this example) are zero is dug up, the collection of unapproved processes corresponding to that block hash is allowed to be connected, as a newly approved logical block, to the previously approved logical block described above. This completes the posting of the logical block. That is, the condition for connecting logical blocks is that the first predetermined number of bits are all zero. Repeating the mining connects a plurality of blocks and forms the blockchain.

As the above description shows, the reliability of Bitcoin as a currency is the reliability of its past processing history. It is the blockchain, in place of notarial certification, that guarantees this reliability. Tampering becomes harder as the blockchain grows longer. For example, when part of the data of a logical block is rewritten, the connection condition with the logical block that follows it (the first several bits of the block hash are all zero) is no longer satisfied. The nonce value of the logical block must therefore be corrected so that this condition is satisfied. As described above, because the hash function is irreversible, this requires a corresponding amount of computation. Moreover, once the nonce value of that logical block is adjusted, the nonce values of the subsequent logical blocks must be adjusted as well. In the end, tampering with just part of the data means readjusting the nonce values of the multiple logical blocks connected in the blockchain. This requires even more computing power. Tampering thus becomes harder in geometric progression as the blockchain grows longer.

In Bitcoin, counterfeiting currency means falsifying or illegally copying the past processing history. Because a process is validated by attaching an electronic signature to the processing history as proof of success, forging currency means forging the electronic signature. As long as the encryption is not broken, only the owner of the previous wallet, who holds the secret key required for the electronic signature, can create it. Conversely, even when the encryption has not been broken, a legitimate user of the secret key is able to tamper with the past processing history. However, once the blockchain has been built as described above, it is difficult even for a legitimate user of the secret key to falsify all the nonce values linking the blockchain. The difficulty rises dramatically as the blockchain grows longer. In other words, once the blockchain has been extended over time, tampering with or editing the past retroactively is almost impossible. This is proof of work (PoW).

However, if the computing power of a party attempting fraud surpasses the computing power distributed among the other miners worldwide, the fraudulent chain may become longer than the legitimate chain. This is called a "51% attack".

There is an argument that a 51% attack is unrealistic in terms of cost-effectiveness. However, this does not hold when it is carried out as a cyberattack to weaken the financial base of a group. Suppose, for example, that FinTech 2.0 based on blockchain has come into wide use in some major power. A small country might put its defense budget into mining in order to paralyze the financial system of that major power. In this case the cost could be kept below that of developing nuclear weapons. Furthermore, the development of cloud mining may well allow some party to acquire the capability for a temporary 51% attack.

To prevent such an attack, the major power that would be attacked must itself participate in the blockchain. If multiple nations participate and no nation is in a position to carry out a 51% attack, there is no problem. Although such a blockchain is P2P, it would also take on the character of an international information and communication infrastructure.

The idea of a public ledger system, which shares the processing history on a P2P network and ensures its reliability by leaving the approval work to miners, is expected to find a wide range of uses beyond Bitcoin as information and communication infrastructure. The reason is that it makes falsification of past processing practically impossible at the lowest possible cost. Demand for databases that are practically impossible to tamper with can be expected in, for example, health care that uses medical data accumulating daily, securities trading that uses processing data accumulating daily, and all other kinds of information services that make use of big data accumulating day by day. This is driving a wave of global financial innovation called FinTech 2.0.

There is another point to consider in suppressing a 51% attack: the number of attacking nodes must not be unlimited. When the address assigned to a node is a logical address such as an IP address, an attacker can obtain an unlimited number of attack nodes in virtual space. Every P2P node must therefore be linked one-to-one with something such as a CPU. This concept is called One-CPU-One-Vote. One ballot per person, for example, is an essential condition in a system such as majority voting.

It can thus be seen that the secret key must be associated with individual authentication of hardware that has physical reality. However, a secret key is a product of software and has no connection to physical reality. Software is, to begin with, designed to function identically when installed on any hardware designed and manufactured to the same standard. In other words, it is required to behave the same regardless of differences in the underlying physical reality, and so it is unrelated to physical reality from its very origins. An IoT network, nevertheless, is a collection of countless pieces of hardware and of the wired and wireless signal transmission paths that connect them to exchange electronic data. Here lie both the reason and one of the clues for associating the secret key with physical reality.

Specifically, the public key and the physical address may be linked in some way that cannot be tampered with. The physical address required here must be non-rewritable, unlike, for example, a MAC address.


(Non-rewritable physical address)

It is thus clear that a (non-rewritable physical address) is required. It may be achieved by software technology, by network technology, by hardware technology, or by anything else. In any case, it is sufficient that software technology, network technology, hardware technology, or a combination of such technologies can relate it in some form to a chip that has physical reality.

FIG. 4 illustrates the relationship between a physical network in which hardware having a (non-rewritable physical address) participates and a logical network that makes use of a public ledger. The hardware has physical reality and, being a node of the physical network, is a physical node. A secret key is linked one-to-one, in some way, with the physical address set in advance. The public key that forms a pair with the secret key under public-key cryptography serves as the logical address of a logical node, and this logical node forms a pair with the corresponding physical node, that is, the hardware.

As in FIG. 1, information is transferred between logical nodes whose logical addresses are public keys linked to physical addresses. Hash value (N-1), the contents of wallet (N), is obtained by hashing together hash value (N-2), which is the contents of wallet (N-1), public key (N-1), which is its logical address, and electronic signature (N-2). Here wallet (N-1), wallet (N), wallet (N+1), ... correspond to logical node (N-1), logical node (N), logical node (N+1), ... respectively.

Now suppose an attempt is made to falsify the address of the physical node that forms a pair with logical node (N-1), that is, physical address (N-1). Secret key (N-1), which is linked one-to-one with physical address (N-1), is linked one-to-one with public key (N-1), the logical address of logical node (N-1). Falsifying physical address (N-1) therefore means altering public key (N-1) at the same time.

As described in FIG. 1, the public key (N-1) is hashed into the hash value (N-1) together with the hash value (N-2) and the electronic signature (N-2). Therefore, falsification of the public key (N-1) is also a falsification of the hash value (N-1). In general, the hash value (N-1) is not necessarily the latest hash value, that is, the Merkle root. However, because of the shape of the Merkle tree, tampering with any part of a logical block is synonymous with tampering with the Merkle root.

As shown in FIG. 3, the block hash (N) that forms part of the contents of logical block (N + 1) is obtained by hashing the whole of logical block (N) together. Logical block (N) contains the Merkle root. If the Merkle root is falsified, the connection condition between logical block (N) and logical block (N + 1) is broken, as described above. To recover the connection condition, the nonce value of logical block (N) must be readjusted. For example, the nonce value of logical block (N) must be recalculated so that the first 16 bits of block hash (N + 1) are all zero again. Because the hash function is irreversible, this calculation requires a certain level of computing power.

Even if the nonce value is readjusted in this way and (for example) the first 16 bits are successfully made all zero, the data from the 17th bit onward remains falsified as long as the Merkle root has been tampered with. Eventually block hash (N-1) is also altered, destroying the connection condition between logical block (N) and logical block (N + 1). Recovering that connection condition likewise requires consuming at least a certain amount of computing power, and it further destroys the connection condition between logical block (N + 1) and logical block (N + 2). Thus, as long as the block chain continues, the calculation to recover the block connection conditions must be continued endlessly.

As long as a sufficiently long block chain has been constructed in this way, altering even a part of the physical addresses becomes practically impossible. If tampering is forced, the connection conditions between logical blocks are no longer satisfied and the block chain is broken. Thus, by using physical addresses linked to private keys, a (non-rewritable physical address) can be realized with a public ledger technique such as the block chain.

(Key generation method)

This section describes methods of generating a public key that forms a pair with a private key. They can be broadly divided into the RSA type, in which a key generating device generates a paired private key and public key from one input, and the ElGamal type, in which a key generating device takes a secret key as input and generates the public key paired with that secret key. In either case, it is very difficult to reproduce the secret key from the public key. These key generating devices may be a kind of program recorded in memory, or a circuit built into a semiconductor chip.

First, the RSA type is described. This is a cryptographic key generation method invented by Rivest, Shamir and Adleman. (Reference: Rivest, Ronald L.; Shamir, Adi; Adleman, Len M. (1977-07-04), "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems", MIT-LCS-TM-082 (MIT Laboratory for Computer Science).)

In the RSA method, an appropriate non-negative integer e is prepared first. Usually 2 to the 16th power plus 1 is adopted, but another positive natural number may also be adopted. Next, a set {p, q} of two large prime numbers is generated in some way, and their product n (= pq) is computed. At this point {e, n} is the public key. Subsequently, a positive integer that leaves a remainder of 1 when divided by the product of (p-1) and (q-1) is further divided by e, and the result is the private key d. However, since d can be obtained by calculation if {p, q} is known in addition to {e, n}, {p, q} must either be kept from leaking to the outside or be discarded. If the prime set {p, q} is stored so that it does not leak to the outside, the set {d, p, q} can be regarded as the secret key.

The integer e can be obtained by cutting out the first few bits of the coded representation of the physical address and adding 1. Alternatively, a positive integer e can be generated by adding 1 to the coded representation of the physical address.

It is also possible to generate the primes {p, q} from the physical address. As an example, 1 is added to the coded representation of the physical address and the result is checked for primality. If it is prime, it is taken as p. If it is not, 1 is added again and the result is checked for primality. This is repeated until the prime p is determined. After p has been decided, the same procedure is repeated to determine the prime q. In this way the primes {p, q} can be found.

As another example of how to determine the prime q, 2 is added to the physical address and the result is checked for primality. If it is prime, it is taken as q. If it is not, 2 is added again and the result is checked for primality. This is repeated until the prime q is determined.

The number added to the physical address to determine the prime p or q is not limited to 1 or 2; an arbitrary integer (e.g., k) can be employed. In this case k can serve as a security parameter. For example, an integer selected at random from a certain range using a physical random number or a pseudo-random number can be used as the security parameter k. In any case, the coded representation of the physical address and k are synthesized in some way, and the synthesis is repeated until a prime is obtained. As long as the physical address is sufficiently large as a number, p and q become sufficiently large primes, and the choice of the security parameter k also becomes more diverse.

The method of synthesizing the coded representation of the physical address and k may be any of the four arithmetic operations (addition, subtraction, multiplication, and division), a combination of them, or any feasible bit operation. In any case, p also becomes a sufficiently large prime as long as physical address (N) or k is sufficiently large as a number. Here k may be either an external input or an internal input.

In any case, the method of determining the prime p or q from the physical address consists, as an example, of a synthesis step that synthesizes the physical address with an appropriately given variable and a determination step that determines whether the synthesized number is prime; the synthesis step and the determination step are repeated until an actual prime is obtained. See Figure 5.
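The synthesis and determination loop described above can be written out as follows. This is an added illustration, not part of the application: the synthesis is fixed to "add k", the Miller-Rabin test, the extra requirement that e be invertible, the function names and the 48-bit sample address are all assumptions made here.

```python
from math import gcd
from typing import NamedTuple

_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n: int) -> bool:
    """Miller-Rabin test; exact for n < 3.3e24 with these bases, probabilistic above."""
    if n < 2:
        return False
    for b in _BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in _BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def next_prime(start: int, k: int, e: int = 1) -> int:
    """Repeat synthesis (add k) and determination (primality test) until a prime appears.

    With e > 1 the determination step also requires gcd(candidate - 1, e) == 1 so that
    e stays invertible; that extra condition is an assumption added for this example.
    """
    if start < 1 or k < 1:
        raise ValueError("start and k must be positive")
    if gcd(start, k) != 1:
        # Every candidate start + j*k is a larger multiple of gcd(start, k): never prime.
        raise ValueError("start and k share a factor; the loop would never terminate")
    candidate = start + k
    while not (is_prime(candidate) and gcd(candidate - 1, e) == 1):
        candidate += k
    return candidate


class RsaKey(NamedTuple):
    e: int
    n: int
    d: int
    p: int
    q: int


def derive_rsa(physical_address: bytes, k: int = 1, e: int = 65537) -> RsaKey:
    """Derive {e, n} and {d, p, q} from the coded representation of a physical address."""
    address = int.from_bytes(physical_address, "big")
    p = next_prime(address, k, e)   # first prime reached from the address
    q = next_prime(p, k, e)         # same procedure repeated after p is decided
    # d satisfies d*e = 1 mod (p-1)(q-1).
    d = pow(e, -1, (p - 1) * (q - 1))
    # Both primes are fully determined by (address, k): whoever learns those two
    # values can recompute d, so they need the same protection as {p, q}.
    return RsaKey(e, p * q, d, p, q)


# Constructed 48-bit sample address; far too short for a real modulus.
ADDRESS = bytes.fromhex("001a2b3c4d5e")

if __name__ == "__main__":
    key = derive_rsa(ADDRESS)
    print("public key {e, n}:", key.e, key.n)
```

Because the sample address is even, calling `derive_rsa(ADDRESS, k=2)` raises `ValueError`: adding 2 to an even number never yields a prime, so the step size has to be coprime to the starting value.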

Next, the ElGamal type is described. This is a cryptographic key generation method invented by ElGamal. (Reference: Taher ElGamal, "A Public-Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms", IEEE Transactions on Information Theory, v. IT-31, n. 4, 1985, pp. 469-472.)

In the ElGamal method, a large prime number p and a primitive root g are decided first. The prime number p and the primitive root g can be chosen according to the design specifications. Then a non-negative integer x less than p-1 is selected at random as the secret key. The public key is the remainder obtained when the x-th power of the primitive root g is divided by p.

If the secret key is obtained by an appropriate code conversion of the physical address, the physical address and the private key can be linked. As an example, the coded representation of the physical address, or the physical address plus an integer of 1 or more, taken modulo p-1, may be used as the secret key.

Both the RSA type and the ElGamal type key generation methods have several specific algorithms. Among them, the ECDSA method, an improved version of the method called DSA, is often used for current electronic signatures. There is also a wide variety of others, such as the Schnorr method, the random oracle method, and the Cramer-Shoup method. What they have in common is that generating the secret key from the public key is realistically difficult. (It cannot be proved to be mathematically impossible, but it can be said that actually generating it is difficult.) Another common point is that an electronic signature can be generated by encrypting a hash value or the like with the secret key. The differences include whether the public key is generated from the private key or whether the public key and the private key are generated from another input variable. There are also differences in the algebraic problem used for the variable transformation, for example factorization, the discrete logarithm problem, the random oracle assumption, and the elliptic curve problem.

(System integration)

Consider a large-scale system composed of a large number of hardware units. Hacking this system is nothing but hacking at least one of the hardware units. To keep the hack secret, the history of access to the hardware must be erased. This is nothing but falsification of the history. Further, in order to take over the system, it is necessary to tamper with the physical address of at least a portion of the hardware that is a component.

Thus, if physical addresses and logical addresses are linked one-to-one in the manner described above, the system can be protected against hacking by the block chain.

(Hardware-specific issues)

However, hardware with physical reality has a problem that cannot occur in a logical node having no physical reality. That is, a logical node is never subject to mechanical failure, whereas hardware always carries the risk of mechanical failure. Failed hardware must be replaced with new hardware in order to preserve the system.

Different hardware has a different physical address, so when failed hardware is replaced, the physical address is replaced as well. This is the same as tampering with the physical address. The logical blocks constituting the block chain are therefore falsified. As a result, the connection conditions of the logical blocks are no longer met, and the block chain is destroyed.

To prevent such destruction of the block chain, not only the physical address but all of the information recorded in the failed hardware, such as the exchange history (hash values) and the electronic signatures, must be transferred to the replacement hardware. However, it is not always possible to take all such information out of the failed hardware intact. Rather, the system must be maintained and managed on the assumption that this may be impossible because of the failure.

For example, if the system is a large-scale data center, a physical address is assigned to each of countless individual drives (SSDs), each physical address is linked one-to-one with a logical address, and hacking from the outside can be blocked by the block chain. In this way, a secure intranet can be constructed at low cost.

To be able to respond at all times to access such as searches from all over the world, such a large-scale data center is composed of a huge number of SSDs. An SSD is hardware and cannot escape mechanical failure. However high its reliability and however low its failure frequency, SSDs must be replaced on a daily basis for maintenance and inspection because their number is enormous. By the nature of the block chain, the block chain is destroyed when even a single SSD is replaced. It therefore becomes difficult to protect a large-scale system from malicious hacker attacks using the block chain. Further, even if the information needed to prevent destruction of the block chain could luckily be extracted from the failed hardware, retrieving it in practice takes time and labor and is not economical.

The present invention has been made in view of the above circumstances. It provides a network management technology in which logical blocks are not tampered with when hardware that is part of the components is replaced, and its object is to build a secure intranet using the block chain at low cost.

To solve the above problems, the present invention adopts the following means.

In a network composed of a plurality of clients and at least one server,
the server has an input/output interface for exchanging data with each client,
the plurality of clients each have a unique physical address and send the physical address to the server through the input/output interface,
the server further comprises a key generation device and a synthesis device,
the key generation device and the synthesis device generate, from the physical address, a private key and a public key corresponding to each client,
the private key and the public key are passed to the corresponding client,

the server generates, for each of the plurality of clients, an authentication variable consisting of the physical address, the private key, and the public key,
and records a private ledger that collects the authentication variables corresponding to the plurality of clients.
A network characterized by the above.

The plurality of clients includes a first client, a second client, and a third client that differ from one another,
the key generation device generates a first public key from a first secret key corresponding to the first client,
the synthesis device generates, from the first public key and a second physical address corresponding to the second client, a second private key corresponding to the second client,
the key generation device generates, from the second secret key, a second public key corresponding to the second client,
the synthesis device generates, from the second public key and a third physical address corresponding to the third client, a third private key corresponding to the third client,
the key generation device generates a third public key from the third secret key,

the first secret key and the first public key together form a pair,
the second private key and the second public key together form a pair,
the third private key and the third public key together form a pair.

A network characterized by the above.

The second client is replaced with a fourth client having a fourth physical address,
the fourth physical address is transmitted to the server through the input/output interface,

in the private ledger, the authentication variable corresponding to the second client is replaced by a combination comprising the fourth physical address, the second private key, and the second public key,

the fourth client is passed the second secret key and the second public key from the server, and is passed the second hash value and the second digital signature from the first client.

A network characterized by the above.

A first logical block to which a first timestamp is attached at a certain point in time, a second logical block to which a second timestamp is attached at an earlier point in time, and a third logical block to which a third timestamp is attached at a still earlier point in time are coupled and constitute part or all of a block chain,

the first timestamp approves the first logical block, together with a first block hash and a first nonce value, and records it in at least a portion of a public ledger,

the second timestamp approves the second logical block, together with a second block hash and a second nonce value, and records it in at least a portion of the public ledger,

the third timestamp approves the third logical block, together with a third block hash and a third nonce value, and records it in at least a portion of the public ledger,

the first block hash is generated by hashing together the second block, the second block hash, and the second nonce value,

the second block hash is generated by hashing together the third block, the third block hash, and the third nonce value.

A network characterized by the above.

According to the present invention, it is possible to improve simultaneously the economy of maintenance and the safety of a large system composed of a vast number of hardware units.

Hereinafter, the best mode for carrying out the invention will be described.


(First Embodiment)

In general, regardless of its size, a system is configured from a plurality of physical nodes. Each of these physical nodes is a kind of hardware, and together they create the function of the system while exchanging data with each other via signal transmission paths. The physical nodes constituting a large-scale system can be roughly classified into backbone nodes, which are responsible for core functions, and peripheral nodes, which take charge of part of the functions in cooperation with the backbone nodes. Since the structure of such a network is inevitably of the client-server type, the backbone nodes are hereinafter referred to as servers and the peripheral nodes as clients.

If such a system is a data center, the client is, as an example, an SSD. If the system is an SSD, the client is, as an example, NAND flash and the server is the controller. If the system is a controller, the server is a processing unit and the client is cache memory or the like.

Figure 6 shows client (N-1), client (N), and client (N + 1) before they are incorporated into the system. Physical address (N-1), physical address (N), and physical address (N + 1) are assigned to them, respectively. Here N is a natural number of 2 or more.

Figure 7 illustrates a method by which the server certifies these clients. Incorporating a client into the system for the first time is called initial setting, and re-certifying it in circumstances such as maintenance and management is called resetting. The server assigns an input/output interface (I/F) to each client. Through its I/F, each client transmits its physical address (N-1), physical address (N), or physical address (N + 1) to the server.

The server uses the physical address (N) received from each client to generate a private key (N) in a suitable way. The server further comprises a key generation device, which generates a public key (N) from the secret key (N) in accordance with the ElGamal-type encryption key generation method. Here, the private key (N) and the public key (N) form a pair with each other. The procedure is described step by step below.

Let N = 2. A secret key (1) is generated from the physical address (1). The key generation device then generates a public key (1) from the secret key (1). The secret key (1) and the public key (1) are passed to client (1). In this way, the combination (physical address (1), secret key (1), public key (1)) is formed in client (1). The same combination (physical address (1), secret key (1), public key (1)) corresponding to client (1) also remains in the server. This combination is called an authentication variable and is registered in a ledger in the server. Because this ledger is kept private from everything outside the server, it is called the private ledger.

The server further comprises a synthesizer. The synthesizer synthesizes the public key (1) and the physical address (2) and generates a secret key (2) from the synthesis result. The key generation device then generates a public key (2) from the secret key (2). The secret key (2) and the public key (2) are passed to client (2). Thus the combination (physical address (2), secret key (2), public key (2)) is formed in client (2). The authentication variable (physical address (2), secret key (2), public key (2)) corresponding to client (2) also remains in the server, which registers it in the private ledger.

This work is repeated while N is incremented. That is, the synthesizer synthesizes the public key (N-1) and the physical address (N) and produces a private key (N) from the synthesis result. Subsequently, the key generation device generates a public key (N) from the secret key (N). The secret key (N) and the public key (N) are passed to client (N). Thus the combination (physical address (N), private key (N), public key (N)) is formed in client (N). The authentication variable (physical address (N), secret key (N), public key (N)) corresponding to client (N) also remains in the server, which registers it in the private ledger.

Next, a specific method by which the synthesizer generates a private key is described. As an example, a large prime number p is first prepared in a suitable manner. Then the result of synthesizing the physical address (N) and the public key (N-1) is hashed, the hashed result is divided by p-1, and the remainder is taken as the secret key (N). Here, hashing also serves to put the physical address into a uniform format. The hashing may be omitted if the physical address has already been arranged into a form suitable for generating a private key. In the case of N = 1, the public key (0) does not exist and is therefore a dummy. An initial input must therefore be prepared in advance on the server side, and this initial input may be used in place of the public key (0).

The ways in which the synthesizer can synthesize the public key and the physical address are many and varied. For example, addition, subtraction, multiplication, division, a combination of these arithmetic operations, any bitwise logical operation, and as many other operations as are possible can be used.

In this way, the set (physical address (N), secret key (N), public key (N)) is stored in client (N). At the same time, the sets (physical address (N), secret key (N), public key (N)) are registered in the private ledger in order from N = 1. This private ledger is stored and managed on the server and is not disclosed to the outside, in order to increase safety.

Figure 8 shows a method of linking the clients by hashing after initial setting or resetting to form a logical block. The method of generating the logical block is the same as in Bitcoin. That is, the combination of the public key (N-1) of client (N-1), the hash value (N-2), and the electronic signature (N-2) corresponds to wallet (N-1) in Bitcoin and is logical node (N-1) in the present application. Hashing logical node (N-1) generates the hash value (N-1). Then this hash value (N-1), together with the public key (N) of client (N), is encrypted with the private key (N-1) to generate the electronic signature (N-1). Finally, client (N-1) sends the hash value (N-1) and the electronic signature (N-1) together to client (N). In client (N), logical node (N) is formed from the public key (N), the hash value (N-1), and the electronic signature (N-1).

Subsequently, logical node (N) is hashed to generate the hash value (N). Then this hash value (N), together with the public key (N + 1) of client (N + 1), is encrypted with the private key (N) to generate the electronic signature (N). Finally, client (N) sends the hash value (N) and the electronic signature (N) together to client (N + 1). In client (N + 1), logical node (N + 1) is formed from the public key (N + 1), the hash value (N), and the electronic signature (N).

By repeating this procedure, a logical block comprising a plurality of logical nodes is formed. Forwarding hash values between clients in the manner described above is one way of transferring data between clients. If the data is something of monetary value, as in a cryptocurrency, then in the case of Bitcoin it is a transaction record. (Actually a hashed hash value.) If the clients are storage such as SSDs, the data need not have monetary value. Simply hashed data is transferred between the SSDs. Even so, such a logical block can be formed. In other words, a logical block can be formed regardless of the content of the data.

If the clients making up the logical block are hardware, a method is needed to cope with mechanical failure of the hardware, as described above. In other words, failed hardware must be replaced with new hardware.

As shown in FIG. 9, consider the case where the hardware of client (N) has failed. Physical address (N) is attached to the failed hardware, and physical address (N') is attached to the new hardware that replaces it. The private ledger stored on the server records (physical address (N), secret key (N), public key (N)), which is the authentication variable corresponding to client (N). The physical address (N') is input to the server via the I/F through which the failed client (N) had been connected to the server. The server edits the private ledger and changes the authentication variable to (physical address (N'), secret key (N), public key (N)). Alternatively, it may record it anew as (physical address (N'), secret key (N), public key (N); physical address (N)), which leaves a history showing that the hardware of client (N) was replaced. Here, there is no need to modify the secret key (N) or the public key (N).

Figure 10 shows the state after the faulty hardware has been replaced. Comparison with FIG. 8 shows that the logical nodes are exactly the same. In other words, the logical nodes do not need to be tampered with. Thus, by utilizing the server according to the present embodiment, failed hardware can be replaced without tampering with the logical block.

Suppose that, before the hardware fails, the collection of logical nodes in FIG. 8 and its data transfer history is published as a logical block. A miner who has mined this logical block, or a larger logical block enclosing it, records it in a public ledger (e.g. a block chain). The hardware then fails and is replaced by the method of the figure. However, as shown in FIG. 10, in this embodiment there is no change in the logical node of the client whose hardware was replaced. The logical block is therefore not falsified, and there is no concern that the connection condition of the block chain will be broken.

Thus, by utilizing the private ledger according to the present embodiment, failed hardware can be replaced without breaking the connection condition of the block chain. Because no additional cost arises from using an external block chain, an intranet comprising the server and the plurality of clients can be protected from outside hacking at low cost.
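The chained key generation and the replacement of failed hardware described in this embodiment can be sketched as follows. This is an added illustration, not code from the application: the synthesis is taken to be SHA-256 over the previous public key and the address, P and G are placeholder group parameters, and the class names, function names and sample addresses are constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field

P = 2**127 - 1   # demo prime modulus (assumption; a deployment chooses p per its design)
G = 3            # demo base (assumption; not checked here to be a primitive root of P)


def synthesize(prev_public: int, physical_address: bytes) -> int:
    """Synthesizer: hash public key (N-1) with physical address (N), reduce mod p-1."""
    material = prev_public.to_bytes(16, "big") + physical_address
    return int.from_bytes(hashlib.sha256(material).digest(), "big") % (P - 1)


def public_from_secret(secret: int) -> int:
    """ElGamal-type key generation: public key = g^x mod p."""
    return pow(G, secret, P)


@dataclass
class AuthVariable:
    physical_address: bytes
    secret_key: int
    public_key: int
    retired_addresses: list = field(default_factory=list)


class PrivateLedger:
    """Server-side ledger of (physical address, secret key, public key) per client."""

    def __init__(self, initial_input: int):
        self.initial_input = initial_input   # stands in for the missing public key (0)
        self.entries = []

    def _check_unused(self, address: bytes) -> None:
        if any(e.physical_address == address for e in self.entries):
            raise ValueError("physical address already registered")

    def enroll(self, physical_address: bytes) -> AuthVariable:
        """Initial setting: derive the key pair of client (N) from public key (N-1)."""
        self._check_unused(physical_address)
        prev = self.entries[-1].public_key if self.entries else self.initial_input
        secret = synthesize(prev, physical_address)
        entry = AuthVariable(physical_address, secret, public_from_secret(secret))
        self.entries.append(entry)
        return entry

    def replace_hardware(self, index: int, new_address: bytes) -> AuthVariable:
        """Resetting after a failure: swap the address, keep the key pair unchanged."""
        self._check_unused(new_address)
        entry = self.entries[index]
        entry.retired_addresses.append(entry.physical_address)   # replacement history
        entry.physical_address = new_address
        return entry

    def authenticate(self, physical_address: bytes, public_key: int) -> bool:
        return any(e.physical_address == physical_address and e.public_key == public_key
                   for e in self.entries)

    def logical_addresses(self) -> list:
        """Public keys in order: the only key material the logical nodes contain."""
        return [e.public_key for e in self.entries]


def rederive(initial_input: int, addresses: list) -> list:
    """Contrast case: keys recomputed from the addresses alone, with no ledger edit."""
    ledger = PrivateLedger(initial_input)
    for address in addresses:
        ledger.enroll(address)
    return ledger.logical_addresses()


# Constructed sample data.
INITIAL_INPUT = 0x5EED
ADDRESSES = [bytes.fromhex(h) for h in ("0200000000a1", "0200000000a2", "0200000000a3")]
NEW_ADDRESS = bytes.fromhex("0200000000f2")

if __name__ == "__main__":
    ledger = PrivateLedger(INITIAL_INPUT)
    for address in ADDRESSES:
        ledger.enroll(address)
    before = ledger.logical_addresses()
    ledger.replace_hardware(1, NEW_ADDRESS)
    print("logical addresses unchanged:", ledger.logical_addresses() == before)
```

Recomputing the keys from the new address, as `rederive` does, changes the public key of the replaced client and of every client after it, which is the breakage the ledger edit avoids.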

(Second Embodiment)

The hash value constituting part of a logical node changes each time data is exchanged between clients. The logical block therefore changes as well. If time is taken on the vertical axis and timestamps are attached that divide this change at appropriate time intervals, the changing logical blocks can be stacked from bottom to top as shown in FIG. 11. The latest is logical block (M), the one approved immediately before it is logical block (M-1), and the one before that is logical block (M-2). In this embodiment, however, it is the server connecting the clients that make up the logical block that issues the timestamp. A timestamp is issued at every predetermined time interval, defined for the convenience of client maintenance and management using the server according to the present embodiment.

The server issuing a timestamp means that the server, acting for the public ledger (e.g. the block chain), approves that the logical block existed at that time. In a block chain that assumes a P2P network, by contrast, the approval operation is performed by an arbitrary miner. In this respect the approval of logical blocks according to the embodiment is fundamentally different from methods using a conventional block chain. In other words, the chain of logical blocks stacked vertically in FIG. 11 differs from a conventional block chain.

Figure 12 shows an example of the approval operation by the server according to the embodiment. The history of logical blocks and timestamps is arranged from left to right in the figure. The latest is timestamp (M); going back one at a time gives timestamp (M-1), timestamp (M-2) .... Likewise, the logical blocks can be traced back as logical block (M), logical block (M-1), logical block (M-2) ....

Logical block (M-2) is combined with block hash (M-3) and a suitably chosen nonce value and hashed to generate block hash (M-2). Logical block (M-1) is combined with block hash (M-2) and a suitably chosen nonce value and hashed to generate block hash (M-1). To generate the next block hash (M), logical block (M) is combined with block hash (M-1) and a suitably chosen nonce value and hashed.

In Bitcoin, the nonce value is generally an arbitrary 32-bit value. The hash value generated with this nonce value included (the block hash in this case) is a 256-bit value. Since 2 to the 256th power is greater than 10 to the 77th power, the block hash has a large degree of freedom. By adjusting the nonce value appropriately, the first few bits of the block hash can be made zero. As an example, the probability that the first 16 bits of a newly generated block hash are all zero is 1 in 2 to the 16th power, that is, 1 in 65,536. This almost never happens by chance, and finding such a nonce value requires a corresponding amount of work. Making the first 16 bits of the block hash zero is the connection condition for connecting a new logical block to the existing logical blocks. The number of leading zero bits was set to 16 so that a new logical block is approved about once every 10 minutes worldwide.

The 16-bit connection condition serves to maintain the reliability of data transfer in a P2P network without management by a server. For maintaining the reliability of data transfer between specific clients connected through a server, as in the present application, 16 bits is considered more than enough. Rather, it may be necessary to reduce the number of bits so that the server according to the present embodiment can approve a new logical block in a shorter average time.

In view of this situation, the connection condition for logical blocks in the present application is that the first L bits of the block hash are all zero. Here L is a natural number less than 16. The nonce value of the present application is adjusted so that this connection condition is satisfied.

By adjusting the nonce value in this way, a new logical block can be approved and a timestamp issued as shown in Figure 12. This task is preferably carried out in the server of the present application.
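The server-side approval step and the L-bit connection condition can be sketched as follows. This is an added illustration, not code from the application: SHA-256, the field order inside the hash, L = 12, the record layout and the sample blocks are assumptions made here.

```python
import hashlib

L_BITS = 12   # connection condition: first L bits of the block hash are zero


def block_hash(prev_hash: bytes, block: bytes, nonce: int) -> bytes:
    """Hash logical block (M) together with block hash (M-1) and a 32-bit nonce."""
    return hashlib.sha256(prev_hash + nonce.to_bytes(4, "big") + block).digest()


def meets_condition(digest: bytes, l_bits: int = L_BITS) -> bool:
    """True when the first l_bits bits of a 256-bit digest are all zero."""
    return int.from_bytes(digest, "big") >> (256 - l_bits) == 0


def approve(prev_hash: bytes, block: bytes, timestamp: int, l_bits: int = L_BITS) -> dict:
    """Server approval: adjust the nonce until the connection condition holds."""
    for nonce in range(2**32):
        digest = block_hash(prev_hash, block, nonce)
        if meets_condition(digest, l_bits):
            # The timestamp is attached to the record at approval; it is not hashed here.
            return {"timestamp": timestamp, "block": block, "nonce": nonce, "hash": digest}
    raise RuntimeError("no 32-bit nonce satisfies the connection condition")


def build_chain(blocks, genesis_hash, first_timestamp, interval, l_bits=L_BITS):
    """Approve blocks in order, each one linked to the previous block hash."""
    chain, prev = [], genesis_hash
    for i, block in enumerate(blocks):
        record = approve(prev, block, first_timestamp + i * interval, l_bits)
        chain.append(record)
        prev = record["hash"]
    return chain


def first_broken_link(chain, genesis_hash, l_bits=L_BITS):
    """Recompute every block hash; return the index of the first bad record, or None."""
    prev = genesis_hash
    for i, record in enumerate(chain):
        digest = block_hash(prev, record["block"], record["nonce"])
        if digest != record["hash"] or not meets_condition(digest, l_bits):
            return i
        prev = record["hash"]
    return None


# Constructed sample data: three logical blocks and a placeholder for the
# block hash that precedes the first of them.
GENESIS = bytes(32)
BLOCKS = [b"logical block (M-2)", b"logical block (M-1)", b"logical block (M)"]

if __name__ == "__main__":
    chain = build_chain(BLOCKS, GENESIS, first_timestamp=1_700_000_000, interval=60)
    for record in chain:
        print(record["timestamp"], record["nonce"], record["hash"].hex()[:16])
    print("first broken link:", first_broken_link(chain, GENESIS))
```

If the contents of an approved block are changed, `first_broken_link` reports that block. Re-approving it with a new nonce moves the failure to the next block, because the stored hash of that block was computed over the old block hash.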

Thus, the block chain of the present application is different from the conventional block chain used in Bitcoin and the like. In the present application, tampering with the processing history from the outside can be prevented as long as the server that approves new logical blocks is properly maintained. Further, as long as the public key cryptography that puts public keys and private keys in one-to-one correspondence is not broken, logical addresses and physical addresses can be linked as shown in Figure 4.

As long as the private ledger stored in the server is properly managed, the physical address cannot be rewritten from anywhere other than the server. Thus, a (physical address non-rewritable from the outside) can be realized. Furthermore, replacing faulty hardware does not destroy the block chain of the present application. This is a characteristic not found in a conventional block chain running only in the logical network (a block chain that does not employ the private ledger of the present application).

For example, storage such as SSDs operating in large quantities in a data center can be thought of as handling big data in cooperation with one another. The SSDs are an example of the clients, and the history of data exchanged between the SSDs is hashed and managed in the block chain of the present application so that it is not tampered with. This management is, in substance, management by the server that stores the private ledger.

The logical blocks are updated by the server that controls the activities of the data center. By utilizing electronic signature technology and the private ledger stored in the server of the present application, the physical address of an SSD, once initialized by the server, can be protected against tampering from the outside. (Physical address non-rewritable from the outside.) Further, by utilizing the private ledger inside the server, a failed SSD can be replaced without destroying the block chain.

(Third embodiment)

The physical address can be generated from any physical randomness extracted from a cell array in a semiconductor chip that exists as a physical entity. Such a chip is called an authentication chip.

Figure 13 is an example of a cell array consisting of word lines and bit lines. Authentication elements are arranged where the word lines and bit lines intersect. In this example, the number of rows (the number of word lines) is N and the number of columns (the number of bit lines) is M. However, rows and columns may be interchanged at any time.

As an example, the authentication element has at least two terminals (a first terminal and a second terminal); one of the word line and the bit line is connected to the first terminal and the other to the second terminal. As another example, as shown in FIG. 14, the word line is connected to a first control gate and the bit line to a second control gate. Alternatively, as shown in FIG. 15, the bit line is connected to the first control gate and the word line to the second control gate. In either case, access between the first terminal and the authentication element can be controlled in this way. The second terminal is connected to a source line or a substrate electrode, or is grounded, as necessary.

As an example, the authentication element is a resistor (or conductor). Alternatively, it is a capacitor, a PN junction, a Schottky junction, a transistor, a DRAM cell comprising a transistor and a capacitor, a variable resistance memory cell comprising a transistor and a variable resistor, a magnetoresistive memory cell (MRAM) comprising a transistor and a magnetoresistor, a spin-torque MRAM (STT-MRAM), or a non-volatile memory cell with a charge storage layer. The charge storage layer may be either a floating gate or a charge trapping layer.

Alternatively, the authentication elements are non-volatile memory cells with a charge storage layer, arranged in a NAND-type array from which the bit line terminals have been intentionally eliminated, as shown in Figure 16. Alternatively, they are transistors arranged in a NAND-type array from which the bit line terminals have been intentionally eliminated, as shown in Figure 17. In that case, a bit line terminal is connected to one end of the group of authentication elements connected in series in the bit line direction, and a source line terminal is connected to the other end. Even with the bit line terminals eliminated in this way, the authentication element at the intersection of a bit line and a word line can be read by the conventional NAND-type reading method. More specifically, a transfer voltage is applied to the word lines (non-selected word lines) of all the other authentication elements on the bit line (selected bit line) that contains the authentication element to be read (selected cell), which switches on all cells other than the selected cell. A voltage lower than the transfer voltage (read gate voltage) may be applied to the word line of the selected cell (selected word line). At this time, an appropriate voltage (read drain voltage) is applied between the bit line terminal and the source line terminal, and the current flowing between them is measured.

Here, suppose that some of the authentication elements on the cell array have been destroyed for some reason and have become broken bits, or have become defective bits that, for some reason, do not exhibit the specified characteristics. The distribution of such broken bits or defective bits in the cell array is considered to be physically random and specific to the semiconductor chip. Broken bits are generated stochastically by deliberately applying some stress to the semiconductor chip and are distributed randomly over the cell array. Defective bits are generated stochastically by uncontrollable variations in the semiconductor chip manufacturing process and are distributed randomly over the array. In either case, the generation mechanism does not involve any kind of algorithm; it is physically random.

An example of the method is described specifically below.

First, a word line is selected with the word line decoder and a bit line with the bit line decoder. The authentication element at the selected word line and the selected bit line is referred to as the selected cell.

Here, authentication elements are broadly divided into two types. In the first type, current flows easily when the read voltage is applied if the element is broken, and hardly flows if it is not broken. The main examples are capacitors, PN junctions, and Schottky junctions. To determine whether the element is broken, it is checked whether the absolute value of the current when the breakdown determination voltage is applied is higher than the breakdown determination current value or lower than the non-breakdown determination current value. Here, the breakdown determination current value is higher than the non-breakdown determination current value.

In the second type, current hardly flows when the read voltage is applied if the element is broken, and flows easily if it is not broken. The main example is a resistor (or conductor). To determine whether the element is broken, it is checked whether the absolute value of the current when the breakdown determination voltage is applied is lower than the breakdown determination current value or higher than the non-breakdown determination current value. Here, the breakdown determination current value is lower than the non-breakdown determination current value.

When a plurality of cells are selected from the group of authentication elements on the cell array and read, a number of broken bits are generally found. Alternatively, defective bits that do not exhibit the specified characteristics are found. The position of a broken bit or defective bit on the cell array is given by a pair consisting of a word line number and a bit line number. Expressing the position information of the plurality of broken bits or defective bits as a code yields an authentication code corresponding to the distribution of the broken bits or defective bits. As long as the occurrence of broken bits or defective bits is physically random, this authentication code is expected to be physically random and specific to the semiconductor chip. The authentication code, shaped into an appropriate format, is the physical address used in the present application.

Let Q be the number of broken bits or defective bits and R the number of selected cells, where Q is smaller than R. The number of possible authentication codes is then equal to the number of ways of choosing Q out of R. In other words, if R is sufficiently large and the probability of a broken bit or defective bit occurring is not negligibly small, the number of possible authentication codes is very large.

With Q of 1 kilo (1,000) and R of 1 giga (one billion), the number of possible authentication codes is about 2.5 × 10^6432. That is, even when one trillion (10^12) semiconductor chips are produced, as a trillion-node network would require, the probability that two semiconductor chips have the same authentication code by chance is 4E-6421. With 100 trillion semiconductor chips supplied, the probability that two semiconductor chips have the same authentication code by chance is 4E-6419. This is practically zero.

In addition, Q of 1 kilo against R of 1 giga corresponds to a defect rate of one per million. That is, even for semiconductor chips with a defect rate low enough to achieve Six Sigma (3.4 per million or less), the probability that two semiconductor chips have the same authentication code by chance can be said to be close to zero.

Considering Six Sigma (3.4 per million or less), there is no problem in using one kilobit, which is parts per million or less of a 1-gigabit chip product, for another purpose. Therefore, one kilobit of the cell array is assigned to authentication elements, and almost half of them are intentionally destroyed by applying some stress to the cell array for authentication elements. The number of possible authentication codes is then 2.7 × 10^299. That is, even with 100 trillion semiconductor chips supplied, the probability that two semiconductor chips have the same authentication code by chance is 3.7E-286. That is, it is practically zero.

The stress may be of various kinds, such as electrical stress, optical stress, mechanical stress, and electromagnetic field stress.

As an example of electrical stress, first the authentication cells in the part of the cell array chosen for producing the authentication code are all selected simultaneously, and a high-voltage pulse is applied to all the selected cells. Each cell is then read, and if the number of broken bits is smaller than the number of non-broken bits, only the non-broken bits are selected and a second high-voltage pulse is applied. This operation is repeated until the number of non-broken bits is about the same as the number of broken bits.

As an example of optical stress, a predetermined dose of X-rays or ultraviolet rays is applied to the cell array for authentication elements before assembly. The dose is adjusted so that the numbers of broken bits and non-broken bits are about equal. However, if the area of the cell array for authentication elements is very small, the same stress is applied to other elements as well. This method is relatively effective when the cell array for authentication elements occupies the whole chip.

As an example of mechanical stress, the authentication chip is bent or struck. However, since the stress is applied equally to elements outside the cell array for authentication elements, this method is effective only when the cell array for authentication elements occupies the whole chip.

As an example of electromagnetic field stress, the authentication chip is exposed to a strong electromagnetic field. However, since the stress is applied equally to elements outside the cell array for authentication elements, this method is effective only when the cell array for authentication elements occupies the whole chip.

In any case, as long as the authentication elements are destroyed stochastically, the authentication code is generated physically at random. Further, as long as the probability that two semiconductor chips have the same authentication code by chance is practically zero, the authentication code is well suited as a physical address unique to the semiconductor chip.

Thus, the physical address of this embodiment can be generated from the distribution of broken bits in the cell array. Alternatively, it can be generated from the distribution of defective bits in the cell array. Alternatively, it can be generated from the distribution of both broken bits and defective bits in the cell array.
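The electrical-stress loop of this embodiment and the step from broken-bit positions to a physical address can be simulated as follows. This is an added example, not code from the publication: the independent per-pulse break probability, the 32 × 32 (one kilobit) array, the bitmap encoding and the SHA-256 "shaping" step are assumptions of this example.

```python
import hashlib
import random


def stress_until_balanced(rows, cols, p_break, rng):
    """Pulse every selected cell, then re-pulse only the intact ones until the
    intact cells no longer outnumber the broken ones.
    Returns (sorted broken positions, number of pulses applied)."""
    if not 0.0 < p_break <= 1.0:
        raise ValueError("p_break must be in (0, 1], or the loop never ends")
    intact = [(w, b) for w in range(rows) for b in range(cols)]
    broken = []
    pulses = 0
    while len(intact) > len(broken):
        pulses += 1
        survivors = []
        for cell in intact:
            # Assumption: one pulse breaks each intact element independently.
            if rng.random() < p_break:
                broken.append(cell)
            else:
                survivors.append(cell)
        intact = survivors
    return sorted(broken), pulses


def authentication_code(broken, rows, cols):
    """Encode (word line, bit line) positions as a bitmap, 1 = broken bit."""
    code = bytearray((rows * cols + 7) // 8)
    for w, b in broken:
        index = w * cols + b              # word-line-major order
        code[index // 8] |= 0x80 >> (index % 8)
    return bytes(code)


def physical_address(code):
    """Assumed shaping step: fixed-length hex digest of the bitmap."""
    return hashlib.sha256(code).hexdigest()


def make_chip(seed, rows=32, cols=32, p_break=0.1):
    """Constructed sample: one simulated authentication array. The seed only
    stands in for the physical randomness of a real chip."""
    rng = random.Random(seed)
    broken, pulses = stress_until_balanced(rows, cols, p_break, rng)
    code = authentication_code(broken, rows, cols)
    return {"broken": broken, "pulses": pulses, "code": code,
            "address": physical_address(code)}


if __name__ == "__main__":
    for seed in (1, 2):
        chip = make_chip(seed)
        print(f"chip {seed}: {len(chip['broken'])} broken of 1024 after "
              f"{chip['pulses']} pulses, address {chip['address'][:16]}...")
```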

(Fourth Embodiment)

Some memory chip products are provided with redundant bit lines in anticipation of defective bits occurring at or below a certain rate, and each bit line containing a memory cell in which a defective bit has occurred is replaced with a redundant bit line. The causes of such defects are manifold and depend on manufacturing variations in the manufacturing stage of the semiconductor chip (a memory chip in this example) or on naturally occurring variations in the physical formation process of its members. Generally, these variations are uncontrollable. Redundant bit lines are generally not counted in the bit capacity of the memory chip product. See FIG. 18 as an example.

In Figure 18, the bit lines arranged in the row direction are separated into two groups. One is a redundant bit line group consisting of a plurality of redundant bit lines; the other is a normal bit line group consisting of normal bit lines. The number of lines in the normal bit line group is N and the number of lines in the redundant bit line group is L. N and L are both non-negative integers, and N is greater than L. The bit capacity of the memory chip product corresponds to the number of cells included in the normal bit line group.

When a pre-shipment inspection finds that a defective bit satisfying certain conditions has occurred in the normal bit line group, one of the redundant bit lines in the redundant bit line group is assigned to the normal bit line containing the defective bit. By performing this read replacement (replacement A, replacement B, ... in the figure) for each normal bit line containing a defective bit, the defective bits can be substantially eliminated.

More specifically, the bit line numbers of the defective bit lines found in the pre-shipment inspection and the bit line numbers of the redundant bit lines that replace them are recorded in a peripheral memory (for example, a fuse memory embedded in the peripheral region). The peripheral memory is referred to when a memory cell is accessed. In the present embodiment, the information recorded in the peripheral memory, expressed as a code and shaped into a predetermined format, serves as the physical address.

DRAM is an example of a memory chip product that satisfies such conditions. Other candidates include flash memory, phase change memory, resistance change memory, magnetoresistive memory (MRAM), and spin-torque MRAM.

If the number of defective bits found in the pre-shipment inspection is m, the number of cases is the number of combinations of choosing m out of N, that is, C(N, m). Taking into account which redundant bit line each one is replaced with, this must further be multiplied by the number of permutations of choosing and arranging m out of L, that is, C(N, m) P(L, m). In other words, C(N, m) somewhat underestimates the number of cases.

For a typical 4-gigabit DRAM product, for example, there are about 153,000 redundant bit lines for a total of 6.55 million bit lines. That is, a DRAM is acceptable as a mass-produced product as long as the number of bit lines in the normal bit line group in which defective bits have occurred for some reason is no more than about 153,000. The number of cases of reallocation to redundant bit lines is then equal to the number of combinations of choosing 153,000 out of 6.55 million, which comes to about 10^315,289 (1E315,289). That is, even with 100 trillion DRAM chips supplied, the probability that two DRAM chips have the same authentication code by chance is 1E-315,275. Realistically, it is almost zero.

In the present embodiment, the bit lines may also be replaced by word lines. In that case, there are about 3,044 redundant word lines for a total of 4.4 million word lines. Assuming that all the redundant word lines are used for read replacement, the number of cases is approximately 2.9E10,938. This is far smaller than in the former case but still an enormous number. That is, even with 100 trillion DRAM chips supplied, the probability that two authentication chips have the same authentication code by chance is 1E-10,924. Realistically, it is almost zero.

Thus, an authentication code with very large information entropy can be generated. Notably, in the present embodiment not a single extra bit is consumed in order to generate the authentication code. That is, the redundant bit lines (or redundant word lines) are already mounted on the memory chip product, and the same holds for the peripheral memory that records the replacement information. Moreover, the probability that two semiconductor chips have the same authentication code by chance is so small as to be practically zero. This authentication code is well suited as the physical address of the present application.
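The code counts and match probabilities quoted in the third and fourth embodiments can be re-derived in log space, since the values themselves overflow any floating-point type. This is an added example, not code from the publication: the function names are this example's own, the match probability is taken as the number of chips supplied divided by the number of possible codes (which is how the quoted figures come out), and the inputs read the text as R = 1 giga with Q = 1 kilo and as about 153,000 redundant bit lines.

```python
import math


def log10_comb(n, k):
    """log10 of C(n, k), summed term by term so huge counts never overflow."""
    k = min(k, n - k)
    return math.fsum(math.log10((n - i) / (i + 1)) for i in range(k))


def sci(log10_value):
    """Split a log10 value into (mantissa, exponent) for an a x 10^b display."""
    exponent = math.floor(log10_value)
    return 10 ** (log10_value - exponent), exponent


def entropy_bits(n, k):
    """Information content of one code when all C(n, k) codes are equally likely."""
    return log10_comb(n, k) / math.log10(2)


def log10_match_probability(chips, n, k):
    """log10 of (chips supplied) / (number of possible authentication codes)."""
    return math.log10(chips) - log10_comb(n, k)


# (label, cells or lines n, broken/defective/replaced k), from the text above
CASES = [
    ("1 kilo broken bits in 1 giga cells", 10**9, 1000),
    ("half of a 1-kilobit array broken", 1000, 500),
    ("153,000 of 6.55 million bit lines", 6_550_000, 153_000),
    ("3,044 of 4.4 million word lines", 4_400_000, 3_044),
]


def report(chips=10**14):
    """One row per case: label, code count and match probability as (a, b)."""
    rows = []
    for label, n, k in CASES:
        rows.append((label, sci(log10_comb(n, k)),
                     sci(log10_match_probability(chips, n, k))))
    return rows


if __name__ == "__main__":
    for label, (cm, ce), (pm, pe) in report():
        print(f"{label}: codes ~ {cm:.1f}E{ce}, match probability ~ {pm:.1f}E{pe}")
```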

The physical address of the present application is code information assigned to hardware. Alternatively, it is code information assigned to some of the components constituting the hardware. Alternatively, it is a chip authentication assigned to a semiconductor chip constituting the hardware. The chip authentication is characterized in that it is generated based on physical randomness inherent to the semiconductor chip. The semiconductor chip is composed of a plurality of elements; the plurality of elements are destroyed probabilistically by applying a predetermined stress, and the set (distribution) of position information of the destroyed elements constitutes physical randomness specific to the semiconductor chip. Alternatively, some of the plurality of elements constituting the semiconductor chip become defective bits stochastically owing to uncontrollable variations in the manufacturing process, and the set (distribution) of position information of the defective bits constitutes physical randomness specific to the semiconductor chip. The predetermined stress is electrical stress, mechanical stress, electromagnetic field stress, optical stress, or the like.

By building the network hardware security system of the present application, a failed physical node can be replaced, using the private ledger, without destroying the block chain. In the first embodiment, the block chain used is one recorded by arbitrary miners in an external logical network. That is, it is consistent with the conventional block chain, and maintenance of the data center can be performed efficiently and safely by using the external network. In the second embodiment, on the other hand, the server that stores the private ledger constitutes its own block chain by recording logical blocks.

According to the present application, it is possible to construct a network hardware security system that makes falsification of the past processing history impossible, realizes a physical address that cannot be rewritten from the outside, and still allows failed hardware to be replaced.

Hashing is used frequently in the present application. A hash function may be used for hashing. There are many hash functions, such as MD2, MD4, MD5, RIPE-MD160, SHA-256, SHA-384, and SHA-512; of these, Bitcoin uses SHA-256.
The technical scope of the present invention is not limited to the above embodiments, and various modifications can be made without departing from the scope of the present invention.

A safe and highly convenient basic technology for IoT business can be provided at lower cost.

A diagram explaining the mechanism of transferring cryptocurrency.
A diagram explaining a Merkle tree.
A diagram explaining the mechanism of the block chain (public ledger).
A diagram explaining an example of the concept of associating a physical network with a logical network.
A diagram explaining an example of a method of generating a prime number from the physical address of the present application.
A diagram explaining an example of pre-initialization of a client.
A diagram explaining an example of initial setting or resetting of a client of the present application.
A diagram showing the client state after initial setting or resetting, and the logical block formed by the initial setting or resetting.
A diagram showing an example of a method for replacing failed hardware.
A diagram showing the state and the logical block after the failed hardware has been replaced.
A diagram showing an example of the relationship between updating of logical blocks and time stamps.
A diagram showing an example of a method for forming the block chain characteristic of the present application.
A diagram explaining an example of a cell array of authentication elements according to the present application.
A diagram explaining an example of a method of accessing an authentication element according to the present application.
A diagram explaining an example of a method of accessing an authentication element according to the present application.
A diagram explaining an example in which the authentication elements according to the present application are non-volatile memory cells consisting of transistors with a charge storage layer, arranged in a NAND type.
A diagram explaining an example in which the authentication elements according to the present application are transistors arranged in a NAND type.
A diagram showing an example of a method for utilizing defective bits of memory cells.

Claims (13)

  1. A network composed of a plurality of clients and at least one server, characterized in that:
    the server has an input-output interface for exchanging data with each client;
    the plurality of clients each have a unique physical address and send the physical address to the server through the input-output interface;
    the server further comprises a key generation device and a synthesizer;
    the key generation device and the synthesizer generate, from the physical address, a private key and a public key corresponding to each client; and
    the private key and the public key are passed to the corresponding client.
  2. The network of claim 1, characterized in that:
    the server generates, for each of the plurality of clients, authentication variables consisting of the physical address, the private key, and the public key; and
    the server records a private ledger listing the authentication variables corresponding to the plurality of clients.
  3. The network of claim 1, characterized in that the private ledger is stored in the server and is kept private from the outside of the server.
  4. The network of claim 1, characterized in that:
    the plurality of clients include a first client, a second client, and a third client that differ from one another;
    the key generation device generates a first public key from a first private key corresponding to the first client;
    the synthesizer generates, from the first public key and a second physical address corresponding to the second client, a second private key corresponding to the second client;
    the key generation device generates, from the second private key, a second public key corresponding to the second client;
    the synthesizer generates, from the second public key and a third physical address corresponding to the third client, a third private key corresponding to the third client;
    the key generation device generates a third public key from the third private key;

    the first private key and the first public key form a pair;
    the second private key and the second public key form a pair; and
    the third private key and the third public key form a pair.
  5. The network of claim 4, characterized in that the synthesizer combines the first public key and the second physical address by a predetermined synthesis method, divides the resulting value by the value obtained by subtracting 1 from a predetermined prime number, and takes the remainder as the second private key.
  6. The network of claim 4, characterized in that:
    the first public key, a first hash value, and a first electronic signature form a first logical node;
    the second public key, a second hash value, and a second electronic signature form a second logical node;
    the third public key, a third hash value, and a third electronic signature form a third logical node;

    the second hash value is generated by hashing the first logical node;
    the third hash value is generated by hashing the second logical node;

    the second electronic signature is generated by encrypting the second hash value and the second public key with the first private key; and
    the third electronic signature is generated by encrypting the third hash value and the third public key with the second private key.
  7. The network of claim 6, characterized in that:
    the second client is replaced with a fourth client having a fourth physical address;
    the fourth physical address is transmitted to the server through the input-output interface;

    in the private ledger, the authentication variables corresponding to the second client are replaced with a combination consisting of the fourth physical address, the second private key, and the second public key; and

    the fourth client is passed the second private key and the second public key from the server, and is passed the second hash value and the second electronic signature from the first client.
  8. The network of claim 6, characterized in that:
    the first logical node, the second logical node, and the third logical node form part or all of a logical block;

    the first logical node corresponds to the first client;
    the second logical node corresponds to the second client;
    the third logical node corresponds to the third client;

    transferring data from the first client to the second client updates the second hash value and changes the logical block; and

    the server approves the logical block at predetermined time intervals, attaches a time stamp at that point, and records at least part of the history of changes of the logical block.
  9. The network of claim 8, characterized in that a first logical block with a first time stamp attached at a certain time, a second logical block with a second time stamp attached at an earlier time, and a third logical block with a third time stamp attached at a still earlier time are linked to constitute part or all of a block chain.
  10. The network of claim 9, characterized in that:
    with the first time stamp, the first logical block, at least part of the record of a first block hash, and a first nonce value are approved together in a public ledger;

    with the second time stamp, the second logical block, at least part of the record of a second block hash, and a second nonce value are approved together in a public ledger;

    with the third time stamp, the third logical block, at least part of the record of a third block hash, and a third nonce value are approved together in a public ledger;

    the first block hash is generated by hashing together the second logical block, the second block hash, and the second nonce value; and

    the second block hash is generated by hashing together the third logical block, the third block hash, and the third nonce value.
  11. The network of claim 10, characterized in that:
    the first block hash, the second block hash, and the third block hash each consist of a sequence of a plurality of bits of a predetermined number of digits;

    each of the plurality of bits takes either a first value or a second value;

    the second nonce value is adjusted so that the first Q most significant bits of the first block hash take the first value;

    the third nonce value is adjusted so that the first Q most significant bits of the second block hash take the first value; and

    Q is a natural number smaller than 16.
  12. The network of claim 1, characterized in that:
    the plurality of clients each consist of a plurality of pieces of hardware;
    each piece of hardware comprises at least one semiconductor chip;
    the semiconductor chip includes at least a cell array;
    the cell array includes a plurality of authentication elements;

    some of the plurality of authentication elements become defective bits owing to uncontrollable variations in the manufacturing stage of the semiconductor chip,
    or some of the plurality of authentication elements become broken bits as a result of stress intentionally applied to the semiconductor chip; and

    the physical address is generated according to the distribution of the defective bits or the broken bits in the cell array.
  13. The network of claim 12, characterized in that the stress is electrical stress, optical stress, mechanical stress, or electromagnetic field stress.
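The key chain of claims 4 and 5 and the ledger swap of claim 7 can be traced in a few lines. This is an added example, not code from the publication: the claims fix only that a public key is generated from a private key and that the next private key is a combination of the previous public key and the next physical address reduced modulo (prime − 1). Modular exponentiation as the key generation device, SHA-256 of the concatenation as the synthesis method, the values of P and G, the first private key and the sample addresses are all assumptions of this example.

```python
import hashlib

P = 2**255 - 19   # assumed stand-in for the "predetermined prime number"
G = 2             # assumed base used by the key generation device


def keygen(private_key):
    """Key generation device: public key from private key (assumed G^x mod P)."""
    return pow(G, private_key, P)


def synthesize(prev_public_key, physical_address):
    """Synthesizer (claim 5): combine the previous public key with the next
    physical address, then take the remainder modulo P - 1."""
    data = prev_public_key.to_bytes(32, "big") + physical_address
    combined = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return combined % (P - 1)


def build_ledger(first_private_key, physical_addresses):
    """Private ledger: one entry of authentication variables per client,
    each private key chained to the previous client's public key (claim 4)."""
    ledger = []
    private_key = first_private_key % (P - 1)
    for i, address in enumerate(physical_addresses):
        if i > 0:
            private_key = synthesize(ledger[-1]["public"], address)
        ledger.append({"address": address, "private": private_key,
                       "public": keygen(private_key)})
    return ledger


def replace_client(ledger, index, new_address):
    """Claim 7: only the physical address in the ledger entry changes; the
    replacement hardware is handed the existing key pair."""
    old = ledger[index]
    ledger[index] = {"address": new_address, "private": old["private"],
                     "public": old["public"]}
    return ledger[index]


def public_keys(ledger):
    return [entry["public"] for entry in ledger]


# Constructed sample values (placeholders, not real chip authentication codes)
FIRST_PRIVATE_KEY = int.from_bytes(
    hashlib.sha256(b"constructed first private key").digest(), "big")
ADDRESSES = [b"chip-A-defect-map", b"chip-B-defect-map", b"chip-C-defect-map"]
REPLACEMENT = b"chip-D-defect-map"


def demo():
    """Public keys before the swap, after the ledger swap, and after a naive
    re-derivation of the chain from the new address."""
    ledger = build_ledger(FIRST_PRIVATE_KEY, ADDRESSES)
    before = public_keys(ledger)
    replace_client(ledger, 1, REPLACEMENT)
    after = public_keys(ledger)
    rederived = public_keys(build_ledger(
        FIRST_PRIVATE_KEY, [ADDRESSES[0], REPLACEMENT, ADDRESSES[2]]))
    return before, after, rederived


if __name__ == "__main__":
    before, after, rederived = demo()
    print("ledger swap keeps every public key:", before == after)
    print("re-derivation changes clients 2 and 3:",
          [a != b for a, b in zip(before, rederived)])
```

After the swap, the second private key no longer follows from the fourth physical address by the synthesis rule, so the private ledger entry is the only thing binding the new hardware to that key pair.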
PCT/JP2018/011231 2017-03-21 2018-03-21 Technology for authenticating device on network WO2018174112A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
JP2017054728 2017-03-21
JP2017-054728 2017-03-21

Publications (2)

Publication Number Publication Date
WO2018174112A1 true WO2018174112A1 (en) 2018-09-27
WO2018174112A4 WO2018174112A4 (en) 2018-11-29

Family

ID=63584558

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2018/011231 WO2018174112A1 (en) 2017-03-21 2018-03-21 Technology for authenticating device on network

Country Status (1)

Country Link
WO (1) WO2018174112A1 (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2002537646A (en) * 1999-02-17 2002-11-05 アイシーアイディー リミテッド ライアビリティー カンパニー System that provides a unique identifier for the integrated circuit
WO2005064844A1 (en) * 2003-12-26 2005-07-14 Matsushita Electric Industrial Co.,Ltd. Prime calculation device, method, and key issuing system
WO2016164310A1 (en) * 2015-04-05 2016-10-13 Digital Asset Holdings Digital asset intermediary electronic settlement platform

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
FUCHITA, YASUYUKI ET AL.: "Innovation and improvement of financial blockchain and financial transaction", NOMURA CAPITAL MARKETS QUARTERLY, vol. 19, no. 2, 1 November 2015 (2015-11-01), pages 11 - 35, XP009507516 *
SHIBATA, YOICHI ET AL.: "Mechanism- based PKI", COMPUTER SECURITY SYMPOSIUM 2013, vol. 2003, no. 15, 29 October 2003 (2003-10-29), pages 181 - 186, XP002987575 *

Also Published As

Publication number Publication date
WO2018174112A4 (en) 2018-11-29

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18771672

Country of ref document: EP

Kind code of ref document: A1