Patent Grant
7796759
1. Field of the Invention
The present invention relates to the use of a secret quantity coming from an integrated circuit or from an electronic sub-assembly element containing such a circuit. For example, the present invention relates to the use of such a secret quantity by programs, as an encryption key, as a secret quantity of an integrated circuit identification or authentication process. The present invention more specifically relates to integrated circuits capable of executing several different application programs, be these programs contained in the integrated circuit or the electronic sub-assembly containing it or housed in distant systems.
2. Discussion of the Related Art
An example of application of the present invention relates to smart cards where the integrated circuit chip can be used for several purposes (for example, electronic payment, identification of the holder, etc.). In this case, it is desirable not to use the same secret quantity (digital datum) (of integrated circuit authentication or data encryption) for all the application programs likely to use this chip. Indeed, if a pirate attempts to executes a fraudulent application program from the integrated circuit chip, the secret quantity of the chip is also used. The distant system executing the fraudulent application can recover the secret quantity or key of the chip. This quantity can then be fraudulently used for other applications.
To avoid this type of fraud, conventional systems using smart cards in which the transmission with the exploitation terminal can be performed with or without contact, provide that the secret quantity of the chip is not read by the application program but is generated on request of the application program by the smart card operating system (for example, an operating system known under trade name JAVACard).
These conventional solutions require significant resources in terms of programming to execute the authentication or encryption process.
The present invention more specifically relates to the generation of distinct secret quantities according to the applications.
Among means for generating a secret quantity within an integrated circuit, the solutions using storage elements and those causing a generation of a binary word based on a physical parameter network linked to the integrated circuit manufacturing are essentially distinguished.
It could be thought to multiply the number of physical parameter networks so that they correspond to the number of applications that the integrated circuit can process. However, such a solution requires much more space and comprises a non-negligible risk of obtaining identical secret quantities generated by the physical parameter network.
Further, each application may require a minimum size of the secret quantity greater than the size of the quantity directly provided by the physical parameter network.
The present invention aims at overcoming the disadvantages of known solutions requiring an individualization of secret quantities according to the application programs involving an integrated circuit chip.
The present invention more specifically aims at providing a solution which is compatible with the use of a physical parameter network for the generation of the secret quantity.
The present invention also aims at providing a solution which is compatible with conventional methods of exploitation of secret quantities in authentication or encryption applications. In particular, it aims at remaining compatible with an authentication by the actual application programs, without requiring complex protocols of authentication by a central system.
The present invention further aims at providing a solution which is of small bulk on the integrated circuit chip.
To achieve these and other objects, the present invention provides a method of generation of several secret quantities by an integrated circuit according to the destination of these secret quantities, comprising taking into account a first digital word forming a single identifier of the integrated circuit chip and coming from a physical parameter network, and of individualizing this identifier according to the application.
According to an embodiment of the present invention, the first digital word is combined with a second word coming from a non-volatile memory containing several words.
According to an embodiment of the present invention, the word coming from the physical parameter network is used in a feedback shift register.
According to an embodiment of the present invention, several feedback shift registers are used.
According to an embodiment of the present invention, the shift register(s) are with a linear feedback.
The present invention also provides a cell for generating several secret quantities by means of a single identifier of an integrated circuit coming from a physical parameter network, including means for individualizing a first digital word coming from the physical parameter network based on a parameter which is a function of the desired quantity.
According to an embodiment of the present invention, the cell includes at least one feedback shift register, intended to be loaded with the first word coming from the physical parameter network, and to provide one of said secret quantities.
According to an embodiment of the present invention, the cell includes a combiner of the first word coming from the physical parameter network with a second digital word, extracted from a non-volatile memory and selected depending on a parameter chosen according to the desired quantity.
According to an embodiment of the present invention, the cell further includes a scrambler of the words contained in the non-volatile memory, based on the physical parameter network.
The foregoing objects, features and advantages of the present invention, will be discussed in detail in the following non-limiting description of specific embodiments in connection with the accompanying drawings.
Same elements have been designated with same references in the different drawings. For clarity, only those elements of the integrated circuit that are necessary to the understanding of the present invention have been shown in the drawings and will be described hereafter. In particular, the application programs using the quantities (digital data) generated by the present invention have not been detailed.
A feature of the present invention is to generate a secret quantity taking into account an identifier based on a physical parameter network of the integrated circuit chip and the concerned application. In other words, the present invention provides individualizing the secret quantities provided according to the application requiring the secret quantity, always using as a basis a same physical parameter network.
Cell 1 belongs to an integrated circuit 3 forming, for example, the chip of a smart card.
Physical parameter network 2 is associated with a circuit 4 (EXTRACT) for extracting signals coming from network 2 to generate a first digital word stored in a temporary storage element 5 (REG1) and forming a single identifier of the integrated circuit chip.
According to the first embodiment of the present invention illustrated in
The selection of the word for personalizing the quantity according to the application is performed by means of a selector 10 controlled by signal APPLi. If word table 7 corresponds to a space of a ROM or an EEPROM of the integrated circuit, the selector of course corresponds to the addressing circuit of this memory.
The generation (for storage) of words Wi associated with the different applications is performed in a personalization phase prior to the chip use. Words Wi may come from a generator 11 of random words, or from a preestablished table. The generation of an additional word Wi may further be provided upon addition of a new functionality, that is, at the time when the smart card is configured to operate with a new application. As an alternative, generator 11 is external to cell 1.
Cell 1 further includes a central unit 9 (CU) in charge of controlling and synchronizing the operation of all its components. In
An advantage of combining the identifier coming from the physical parameter network with a word depending on the application is that this optimally secures the exploitation of the secret quantities. In particular, if a pirate implements a fraudulent application and requests a secret quantity, the quantity that will be provided to him will not enable him to use this quantity, for example, to fraudulently identify on other application systems.
According to a simplified embodiment, number n of words to be stored in memory 7 is predefined upon manufacturing and the words are generated upon manufacturing or upon first use of the chip. After, for each new application requiring an authentication key, an encryption key or the like, a serial number is assigned in word table 7.
The physical parameter network may be formed by any conventional network. It may be, for example, a network of electric parameter measurement, in the form of a measurement of a threshold voltage of a transistor, a measurement of a resistance or a measurement of a stray capacitance, a measurement of the current generated by a current source, a measurement of a time constant (for example, an RC circuit), a measurement of an oscillation frequency, etc. Since these characteristics are sensitive to technological and manufacturing process dispersions of the integrated circuit, it can be considered that the electric parameter(s) taken into account are specific to the chip and form a signature thereof.
In the example of an electric parameter measurement, the signals are converted into digital signals by means of an analog-to-digital converter included in extractor 4 and may be multiplexed to form the first binary word stored in register 5.
As a physical parameter network, circuits using a time measurement may also be used. For example, the read/write time of an EEPROM-type memory is measured. An example of a physical parameter network of this type is described in U.S. Pat. No. 5,818,738, which is incorporated herein by reference.
A physical parameter network based on flip-flops such as described in French patent application no. 0,104,585 of the applicant may further be used, which application is herein incorporated by reference.
In use, circuit 12 is used as a decoder for word Wi extracted from table 7, for said word to be used by combiner 6. The decoder is here again performed based on the word contained in register 5 and extracted from the physical parameter network.
Preferably, in the embodiment of
It should be noted that the word used to scramble words Wi may, while coming from the physical parameter network, be different from the word used by combiner 6. For example, part of the word contained in register 5 may be used or another register of temporary storage of a word coming from the physical parameter network which is different from the word used by combiner 6 may be provided.
According to this second embodiment, the binary word extracted from the physical parameter network is used to program at least one linear feedback shift register 22 (LFSRi). In the example of
Preferably, selection signal APPLi is combined (combiner 30) with a word coming from the physical parameter network. It may be all or part of register 5 or, as illustrated in
This preferred alternative thus is a combination or a scrambling of parameterizing word APPLi by means of the physical parameter network. It may also be implemented in the embodiment of
An example of application of the embodiment of
Preferably, the used feedback function is a linear function formed of an X-OR of several bits of the shift register. The list of bits of the shift register taken in the feedback function forms the derivation sequence of the linear feedback register or Fibonacci configuration. It may also be envisaged to use a non-linear feedback function, provided that it enables outputting a reproducible word.
In a linear feedback shift register of m bits, 2m−1 distinct binary sequences are available. In other words, by loading the successive bits provided on output OUT in a register of adapted size, secret quantities having sizes reaching 2m−1 bits may be obtained. This is the longest word before repetition. The fact of using a series unloading of the code provided by the linear feedback shift register enables lengthening the secret quantity with respect to the length of the word provided by the physical parameter network.
According to the present invention, the identifier coming from the physical parameter network is used to determine the starting word of the shift register. After, central unit 9 controls a number of register shiftings, which enables outputting the word forming the key. As for the loading of register 25, either a parallel unloading (over n bits), or a series unloading of the word may be provided. If the word is loaded in series in register 25, an input selector will simply be provided to choose between the feedback function output and the loading at the level of most significant bit Bm.
Two integrated circuit chips having different identifiers by means of their physical parameter networks will provide, with a same shift register, different quantities. Similarly, the different shift registers 22 used by the present invention in the circuit of
As an alternative, rather than using several linear feedback shift registers, a same register may be used, the derivation sequence of which is programmed according to the parameter identifying the application. It may directly be parameter APPLi or a parameter indirectly coming from this value.
According to another alternative, a single linear feedback shift register is still used and the parameter identifying the application conditions the number of shift cycles applied to register 25.
The successive contents of register 25′ will be, assuming an initialization with value 1000, that is, a loading of a state 1 in bit B4 after resetting all other bits to 0:
The choice of the derivation frequency according to the number of possible combinations before repeating is within the abilities of those skilled in the art according to the application. The realization of a linear shift register, be it in hardware or software form, is perfectly conventional. Reference may be made, for example, to work “Applied cryptography” by Bruce Schneier, published by Wiley, second edition, pages 395 to 401, which is incorporated herein by reference.
An advantage of the present invention is that it maintains the volatile (ephemeral) character of the secret quantities based on the extraction of a word coming from a physical parameter network.
Of course, the present invention is likely to have various alterations, modifications, and improvement which will readily occur to those skilled in the art. In particular, the practical implementation of the circuit which is the object of the present invention is within the abilities of those skilled in the art based on the functional indications given hereabove.
Further, although the present invention has been discussed with more specific relation to hardware elements, it may be implemented by software means, provided to keep the use of a physical parameter network of an integrated circuit chip.
Further, the respective sizes of the different digital words used are defined according to the application. On this regard, it should be noted that the implementation of the present invention requires no modification of application programs.
Finally, other functions than those discussed as an example to individualize the identifier may be used. In particular, any one-way reproducible function, as for example, so-called one-way chopping functions, may be used. “One-way” means a transformation for which the knowledge of the output word does not enable determining the input word (coming from the physical parameter network). “Reproducible” means a transformation always providing the same output word for a given input word. The different embodiments may further be combined according to the types of application.
Such alterations, modifications, and improvements are intended to be part of this disclosure, and are intended to be within the spirit and the scope of the present invention. Accordingly, the foregoing description is by way of example only and is not intended to be limiting. The present invention is limited only as defined in the following claims and the equivalents thereto.
| Number | Date | Country | Kind |
|---|---|---|---|
| 01 15531 | Nov 2001 | FR | national |
| Number | Name | Date | Kind |
|---|---|---|---|
| 4529870 | Chaum | Jul 1985 | A |
| 4663500 | Okamoto et al. | May 1987 | A |
| 4783801 | Kaule | Nov 1988 | A |
| 4862501 | Kamitake et al. | Aug 1989 | A |
| 5036461 | Elliott et al. | Jul 1991 | A |
| 5227613 | Takagi et al. | Jul 1993 | A |
| 5363448 | Koopman et al. | Nov 1994 | A |
| 5436971 | Armbrust et al. | Jul 1995 | A |
| 5495419 | Rostoker et al. | Feb 1996 | A |
| 5680458 | Spelman et al. | Oct 1997 | A |
| 5734819 | Lewis | Mar 1998 | A |
| 5818738 | Effing | Oct 1998 | A |
| 5841866 | Bruwer et al. | Nov 1998 | A |
| 5903461 | Rostoker et al. | May 1999 | A |
| 5999629 | Heer et al. | Dec 1999 | A |
| 6073236 | Kusakabe et al. | Jun 2000 | A |
| 6097814 | Mochizuki | Aug 2000 | A |
| 6161213 | Lofstrom | Dec 2000 | A |
| 6209098 | Davis | Mar 2001 | B1 |
| 6230267 | Richards et al. | May 2001 | B1 |
| 6230270 | Laczko, Sr. | May 2001 | B1 |
| 6253223 | Sprunk | Jun 2001 | B1 |
| 6308256 | Folmsbee | Oct 2001 | B1 |
| 6317829 | Van Oorschot | Nov 2001 | B1 |
| 6408388 | Fischer | Jun 2002 | B1 |
| 6438718 | Cline | Aug 2002 | B1 |
| 6641050 | Kelley et al. | Nov 2003 | B2 |
| 6650753 | Lotspiech et al. | Nov 2003 | B1 |
| 6651170 | Rix | Nov 2003 | B1 |
| 6704872 | Okada | Mar 2004 | B1 |
| 6715078 | Chasko et al. | Mar 2004 | B1 |
| 6795837 | Wells | Sep 2004 | B1 |
| 6845450 | Kobayashi et al. | Jan 2005 | B1 |
| 7016924 | Nakabe et al. | Mar 2006 | B2 |
| 20010055132 | Oshima et al. | Dec 2001 | A1 |
| 20030102493 | Wuidart et al. | Jun 2003 | A1 |
| 20030103629 | Wuidart et al. | Jun 2003 | A1 |
| 20040199736 | Kamano et al. | Oct 2004 | A1 |
| 20050021990 | Liardet et al. | Jan 2005 | A1 |
| 20050188218 | Walmsley et al. | Aug 2005 | A1 |
| Number | Date | Country |
|---|---|---|
| 19843424 | Mar 2000 | DE |
| 998073 | May 2000 | EP |
| Number | Date | Country | |
|---|---|---|---|
| 20030103628 A1 | Jun 2003 | US |
