JPWO2018174112A1 - Device authentication technology on the network - Google Patents

Abstract

PROBLEM TO BE SOLVED: To improve the reliability of a hardware network by using a block chain and replace a failed hardware by using a private ledger, and to economically perform maintenance management of a system which is a network of hardware. To be able to do it. SOLUTION: A blockchain and a private ledger provided in a server are used together to make it impossible to tamper with the history of data transmission / reception between logical nodes linked to the hardware, and to replace the failed hardware with the hardware. Make sure that the linked blockchain is not affected.

Description

The present invention relates to a technique for authenticating a device existing on a network.

The number of devices connected to the ever-evolving Internet has increased over the years, and the network structure has become complicated and diversified. However, basically, there is no client / server (CS) type in which a server with a special function is set as a central node (backbone node), and there is no such core node, and all nodes are basically It can be roughly divided into peer-to-peer (P2P) types that connect in an equal manner.

A network generally consists of nodes (nodes) and communication lines (links). The first node and the second node are linked by a signal transmission line which is a communication line. For example, the first node and the second node exchange protocol data units (PDUs), which are a form of data, via signaling paths. The first node and the second node each handle a protocol data unit according to a protocol having a certain consistency.

In the Internet of Things (IoT), these first and second nodes are devices (hardware) that connect to the network, and are called physical nodes because they have a physical substance. At this time, it is considered that the first physical node and the second physical node are connected by a signal transmission path having a physical substance. Such a signal transmission path transmits a wired / wireless electronic signal or an optical signal. A network constructed by a plurality of physical nodes and signal transmission paths in this way is called a physical network.

An address used to recognize a physical node on a physical network is called a physical address. That is, the first physical node has the first physical address and the second physical node has the second physical address. Sending data from the first physical node to the second physical node means that data (frame in this case as an example) is transmitted from the first physical address to the second physical address through a signal transmission path having a physical substance. It is to be sent.

On the other hand, when the first and second nodes have no physical substance, these nodes are called logical nodes. The logical node is a node associated with a logical address virtually defined on the network, and is not necessarily associated with a specific piece of birdware. A network constructed by a plurality of logical nodes is called a logical network. At this time, the signal transmission path that connects the first logic node and the second logic node does not necessarily have a physical reality.

An address used to recognize a logical node on a logical network is called a logical address. That is, sending data from the first logical node to the second logical node is interpreted as sending data from the first logical address to the second logical address. Actually, the first logical address and the second logical address are sequentially attached as codes to the data to be transferred. Therefore, when the transfer is repeated, a list of a plurality of logical addresses will be attached to the data. This list of logical addresses includes the latest logical address of this data and the past transfer history. In this way, all the logical nodes that access this data can know where and how this data was transferred, and which logical node is now defined as virtually existing. The data to which the transfer history including the latest logical address is attached is called a block or a logical block. Unless the transfer history is tampered with, the logical block can be properly recognized by the latest logical address.

A technique called an open ledger has been in the limelight in recent years as a technique for making the transfer history tamper-proof. The most famous public ledger technology is a blockchain designed to make it impossible to tamper with remittance data of cryptocurrency called Bitcoin. In other words, it is a network system that prevents unauthorized remittance by preventing the remittance history from being tampered with.

(Block chain)

Here, the block chain will be briefly described.

Blockchain is a public ledger system for peer-to-peer (P2P) networks. In the P2P type network structure, all the nodes (nodes) that connect to the network are non-core, equal, and do not assume the existence of a server that plays a central role, and secure security by monitoring each other. It is necessary. That is, it is possible to provide an application that cannot be realized in a client / server network that assumes the existence of a core server.

The most important one is the remittance system using cryptocurrency called Bitcoin. In Bitcoin, first, the past processing history and the account name that is the subject of processing are combined and encrypted. It is transferred as an electronic signature for new processing. Therefore, the processing means should not be left to financial institutions. The updated and forwarded processing history is monitored by many other non-core nodes on the network and authorized in a voting-like manner.

Transfer of processing history is synonymous with transfer of currency, and the approved processing history is treated like currency. In this way, processing proceeds without going through a specific core existence like a bank.

The cryptography used for digital signatures flowing on the network is the easiest to explain with public key cryptography, which is famous for the metaphor of Alice and Bob. Alice sends Bob her public key in advance. This public key can be stolen by anyone on the net. Bob encrypts the letter with Alice's public key and sends it to Alice. Decryption of this encrypted letter requires a private key paired with Alice's public key. Therefore, the contents of a letter cannot be read if someone steals it on the network unless the code is decrypted. This is because only Alice has the secret key. Alice can decrypt and read Bob's letter with her private key.

In this way, the public key may be exposed on the network. Therefore, Alice is not the only one who sends public keys. However, only Alice, who possesses the private key, can decrypt the cipher encrypted with the public key and read the letter. The public key and the private key are always generated as a pair, but it must be practically impossible to reproduce the private key from the public key. In other words, descrambling means reproducing the secret key from the public key. The letter encrypted with the private key can also be decrypted with the public key.

Another important role of the public key is to be the destination for sending letters to Alice, the address on Alice's network. When Bob sends the encrypted letter over the network, it will fall into the hands of any recipient connected to the network. At this time, you cannot read it unless you can unravel. Unreadable in any way agrees to not having received it. Therefore, the fact that only Alice can issue an issue is equivalent to the fact that only Alice reached. In this way, it becomes clear that another role of the public key is a logical address on the network. Therefore, the public key used in Bitcoin is also called a Bitcoin address.

For example, a logical node is a wallet that stores cryptocurrencies such as bit coins, and is given a logical address in advance. Something of monetary value (data about currency and equivalent coins) is stored in the wallet. Furthermore, some encryption technology can be used to attach the address and the contents of the wallet to the wallet as an electronic signature.

Such a wallet can be used, for example, by installing a dedicated application on hardware such as a personal computer, a tablet, a smartphone, and a smart card. At that time, the contents of the wallet are stored as digital data in the storage of the hardware in which the dedicated application is installed. For digital processing, for example, in electronic processing premised on P2P, it is necessary for the manager / owner of the hardware to take responsibility for the management. This is the difference from the client / server type. In the client / server type, financial institutions will be responsible for this. Electronic processing in P2P does not require existence like financial institutions with such core functions.

FIG. 1 is a drawing showing a chain of processes (N-2, N-1), processes (N-1, N), processes (N, N + 1), .... Process (N-2, N-1) is any process from wallet (N-2) to wallet (N-1), and process (N-1, N) is from wallet (N-1) to wallet (N ), And the process (N, N + 1) is a process from the wallet (N) to the wallet (N + 1). However, N is an arbitrary natural number of 3 or more.

Let's say that the contents of the wallet (N-1) was, for example, 1,000 yen transferred from somewhere. It is assumed that the transfer source of these 1000 yen is a wallet (N-2), and that the electronic signature (N-2) is attached to the 1000 yen. However, 1000 yen is only an example, and any digital information equivalent to or commutative with other monetary values may be used. The wallet (N-1) is the contents of the wallet, 1000 yen, its electronic signature, the private key (N-1) used to create the next electronic signature, and a unique public key that forms a pair with it. It consists of (N-1). As described above, the public key (N-1) is the address of the wallet (N-1) on the network. As an example, the Bitcoin address is raised.

Next, using the hash function (SHA-256 as an example) from the public key (N-1), the contents of the wallet (N-1), and the electronic signature (N-2), the hash value (N-1) To generate. This hash value (N-1) is sent to the wallet (N), and the wallet (N) stores it as the contents of the wallet (N). On the other hand, by using the private key (N-1) of the transfer source, the public key (N) which is the address of the wallet (N) and the hash value (N-1) which is the content are encrypted and the electronic signature (N-1 ) Is generated and is transferred to the wallet (N) together with the hash value (N-1).

In this way, the wallet (N) forms a pair of a hash value (N-1), an electronic signature (N-1), and a pair of public key (N) and private key (N) unique to the wallet (N). It will consist of In this way, the process of transferring 1000 yen from the wallet (N-1) to the wallet (N) is completed.

The hash value (N-1) should include information that this 1000 yen came from the wallet (N-1). However, since the hash cannot be reverse-converted unlike the cryptography, the hash value (N-1) cannot be reverse-converted (signed) and read. Therefore, the electronic signature (N-1) is attached. The electronic signature (N-1) is a public key (N) and a hash value (N-1) that are collectively encrypted using the secret key (N-1). Therefore, in order to confirm whether this digital signature really came from the wallet (N-1), the digital signature (N-1) was decrypted with the public key (N-1) and the wallet ( Compare with the public key (N) and hash value (N-1) stored in N). As long as the code is not broken, it is true that the digital signature was made with the private key (N-1) if they match. If they do not match, the electronic signature is false. Alternatively, if the result agrees with the issue of another public key, for example, the public key (Q), it can be known that the wallet (Q) having the public key (Q) as an address has been illegally processed.

However, another method is required to prove that there is no illegal processing in the past history. This is because the electronic signature alone cannot deny the possibility that a person who legally possesses the private key (N-1) will commit fraud. For example, the owner may misuse the private key. Bitcoin, which is based on P2P, is trying to prevent it by "proof of work" (PoW). This is generally considered to work well. "Proof of work" (PoW) is described below.

In FIG. 1, a hash function (SHA-256 as an example) is then calculated from the contents of the public key (N), wallet (N) (hash value (N-1) in this case), and electronic signature (N-1). Use to create a hash value (N). The wallet (N) sends this hash value (N) to the wallet (N + 1), and the wallet (N + 1) stores it as the contents of the wallet (N + 1). On the other hand, the wallet (N) uses the private key (N) to encrypt the public key (N + 1), which is the address of the wallet (N + 1), and this hash value (N) to obtain the electronic signature (N). To generate. Then, this electronic signature (N) is sent to the wallet (N + 1) together with the hash value (N).

From the above, it is understood that the processing (N-1, N) from the wallet (N-1) to the wallet (N) is recorded as the hash value (N-1) in the content of the wallet (N). Similarly, it is understood that the processing (N, N + 1) from the wallet (N) to the wallet (N + 1) is recorded as the hash value (N) in the content of the wallet (N + 1). In this way, it can be seen that the contents of any purse include all past processing histories in a chain. That is, the latest past hash value represents all past histories.

On the other hand, the number of wallets that send money to one wallet is not limited to one as in the example of FIG. In reality, it is not uncommon to transfer money from multiple wallets into a single wallet. Also, it is not uncommon for money to be transferred from one wallet to multiple wallets. Thus, it can be seen that the remittance processing history becomes more complicated. However, there is always only one hash value containing the latest history. It is called the root of Merkle. Therefore, the past can be traced back from the root of Merkle. It looks like a dendrogram branching from the root of the Merkle, as in Figure 2. This is called the Merkle tree diagram. In this way, the Merkle tree is a time series of all past histories. That is, this corresponds to the logic block described above. In addition, the root of the newest history, the Merkle, is a code that characterizes the logical block.

For example, the hash value (ABCD), which is the root of Merkle, is connected to the history corresponding to the hash value (AB) and the hash value (CD). The hash value (AB) is further connected to the past history corresponding to the hash value (A) and the hash value (B), that is, the process (A) and the process (B), respectively. The hash value (CD) is further connected to the past history corresponding to the hash value (C) and the hash value (D), that is, the process (C) and the process (D), respectively.

However, since the hash value cannot be inversely converted in the first place, it is impossible to trace the history of remittance processing by decrypting the hash value. For example, one way to actually trace the past processing history of the contents of the wallet (N) (hash value (N-1)) is to select any other wallet (M) and use its public key (M). The digital signature (N) is decrypted and the result is compared with the public key (N) and hash value (N-1). If they do not match, select another wallet (M + 1), use your public key (M + 1) to unlock, and do the same. If they match, it is understood that the process was a remittance from the wallet (M + 1). At this time, it can be seen that M + 1 is N-1. Subsequently, the public key (N-2) of the wallet (N-2) including the hash value (N-3) can be searched by the same method. By repeating this operation, the processing history can be traced back. Here, M and N are arbitrary natural numbers.

In this way, it is logically possible to trace back the past processing history, but it is not always necessary to trace back the past history one by one using the hash value in this way. Rather, it is sufficient to collect a few hundred to a thousand processes in a single block, and collectively approve that these processes actually existed in some way. Specifically, all hash values other than the root of Merkle may be deleted, and the latest hash value (for example, ABCD) may be used as the code. A set of processes represented by one code is called a logical block.

Confirm that there is a collection of past processes represented by the root of Merkle (hash value (ABCD) in the above example) with a time stamp. The logical block thus approved is published on the network. Therefore, this is called a public ledger. This approval is a work similar to the date authentication in which a document is brought to the notary public office and dated and sealed. Approving a group of unapproved processes as a new logical block is called bookkeeping, and a certain reward is given in bitcoin to the person who posted the book as a consideration for the authentication work. Obtaining bitcoins in this way is called mining, and users of the mined bitcoins are called miners. However, since only one miner can be booked at a time, the miners compete and mine for the first time. The mined Bitcoin is distributed in the market on the logical network.

This approval work will be briefly described with reference to FIG. 3 as an example. First, some hash value for the approved past logical block is acquired. Next, a group of unapproved processes existing on the network is discovered, and the root (hash value) of the Merkle of the group is acquired. A variable nonce value is added to these two hash values and hashed to create a block hash. At this time, SHA-256 is used as a hash function in Bitcoin. Of course, it is also possible to generate the block hash using another hash function.

The nonce value is generally an arbitrary value of 32 bits. The hash value (block hash in this case) generated including this nonce value is a 256-bit value. 2 256 is larger than 10 77, and it can be seen that the block hash has enormous degrees of freedom. Adjusting the nonce value allows the first few bits of the block hash to be zero. As an example, the probability that the first 16 bits of the newly generated block hash are all zero is 1 in 2 to the 16th power, that is, 1 in 65,536. That is, it almost never happens by chance.

Hash functions are irreversible. Therefore, it is generally impossible to obtain the nonce value by the inverse transform so as to generate the hash value (here, the block hash) in which the first few bits (16 bits in this example) are zero. In other words, hashing must be repeated while changing the nonce value, and it must be repeated until the first few bits of the generated hash value are all zero. Thus, it can be seen that the use of a computer above a certain level is indispensable for determining the nonce value for generating the block hash in which the first 16 bits are all zero.

In P2P networks, it is not the nodes that have a particular core function that perform mining. Anyone can mine if they can utilize the computer resources above a certain level. A miner is, more accurately, a group of unapproved processes in which the nodes on P2P used by that miner perform a brute force search on the network while changing the nonce value, and the first few digits are all zeros. You just have to find out. In other words, it is mining around the network while changing the nonce value. Thus, it is not necessary to adjust the nonce value for a particular set of unapproved processes.

In any case, when a block hash with the first few bits (16 bits in this example) zero is mined, the set of unapproved processes corresponding to this block hash is the newly admitted logical block described above. It is allowed to link and publish to the approved past logical block. In this way, the entry of the logical block is completed. That is, the condition for logical block concatenation is to set all the first predetermined bits to zero. By repeating the mining, multiple blocks are linked and a block chain is formed.

As can be seen from the above, the reliability of currency in Bitcoin is the reliability of past processing history. Instead of fair certification, the blockchain guarantees its reliability. Tampering becomes more difficult as the block chain grows longer. For example, when the data of a part of the logical blocks is rewritten, the connection condition with the logical blocks connected to the logical block (the first few bits of the block hash are all zero) cannot be satisfied. Therefore, the nonce value of the logical block must be modified so that this condition is satisfied. As mentioned above, since the hash function is irreversible, it requires a corresponding calculation. However, if the nonce value of that logical block is adjusted, the nonce value of the subsequent logical blocks must also be adjusted. In the end, it becomes necessary to readjust the nonce values of a plurality of logical blocks connected to the block chain simply by tampering with some data. This requires a huge amount of computing power. Thus, it is said that the longer the blockchain grows, the more difficult it becomes to tamper with it geometrically.

In Bitcoin, forgery of currency is falsification or illegal copying of past processing history. Since the electronic signature is attached to the processing history as a proof that the processing has been successfully verified, the forgery of the currency is the forgery of the electronic signature. The electronic signature can be created only by the owner of the wallet before possessing the private key required for the electronic signature, unless the code is broken. Conversely, even if the code is not broken, it is possible for the legitimate user of the private key to tamper with the past processing history. However, once the blockchain is pumped up as described above, it is difficult for even a legitimate user of the private key to falsify all the nonce values that connect the blockchains. The difficulty increases dramatically as the blockchain grows longer. In other words, once the blockchain is lengthened, it is almost impossible to tamper with or edit it retroactively. This is called "Proof-of-Work" (PoW).

However, when the fraudulent computing power exceeds the computing power distributed to other miners around the world, the fraud chain can be longer than the legitimate chain. This is called "51% attack".

It is argued that a 51% attack is not practical due to its cost effectiveness. However, this is not the case when a cyber attack is performed to weaken the financial base of a group. For example, let's say that blockchain-based FinTech 2.0 was widely used in a large country. It is possible that a small country may spend defense money on mining to paralyze the financial system of this large country. In this case, it will be possible to reduce costs more than the development of nuclear weapons. Also, due to the development of cloud mining, it is possible that some companies will temporarily gain the ability to attack by 51%.

In order to prevent such attacks, it will become necessary for the powerhouses that will be attacked to join the blockchain. There will be no problem if multiple nations participate and no nation can carry out a 51% attack. Thus, although the blockchain is P2P, it will also have the aspect of an international information and communication infrastructure.

The idea of an open ledger system that shares processing history on a P2P network and entrusts miners with approval work to ensure reliability is expected to have a wide range of applications other than bitcoin as an information and communication infrastructure. This is because tampering with past processes can be practically impossible at the lowest cost. The demand for a database that cannot be tampered with is, for example, healthcare that uses accumulated medical data that increases daily, securities transactions that use accumulated processed data that increases daily, and other accumulated demand that increases daily. All kinds of information services that utilize big data are possible. And it is causing a wave of global financial innovation called FinTech 2.0.

There is another point in suppressing 51% attacks. First, do not make the number of attacking nodes infinite. If the address assigned to the node is a logical address such as an IP address, the attacker can acquire an infinite number of attack nodes in the virtual space. Therefore, all nodes that connect to P2P must be linked so as to form a one-to-one combination with a CPU or the like. This idea is called One-CPU-One-Vote. For example, one ballot is an essential condition in a system such as majority voting.

Thus, it can be seen that it is necessary to associate the private key with the individual authentication of hardware that has a physical substance. However, the private key is a product of software and has nothing to do with the physical reality. In the first place, software is designed to function the same when installed on any hardware designed and manufactured to the same standard. That is, it is required to move similarly regardless of the difference in individual physical reality. Therefore, it has nothing to do with the physical reality. Nevertheless, what constitutes an IoT network is a collection of innumerable hardware and wired and wireless signal transmission paths that connect them to exchange electronic data. Here is both a reason and a hint to associate the private key with the physical reality.

Specifically, the public key and the physical address are linked by some method that is not falsified. The physical address required here must not be rewritable, unlike the MAC address.


(Unrewritable physical address)

Thus, it is clear that (non-rewritable physical address) is needed. The method for realizing it may be software technology, network technology, or hardware technology. In any case, it suffices if it is possible to be associated with a chip having a physical reality in some way by software technology, network technology, hardware technology, or some combination of these technologies.

FIG. 4 is a diagram for explaining the relationship between a physical network in which hardware equipped with (non-rewritable physical address) participates and a logical network that utilizes a public ledger. The hardware is a physical node because it has a physical reality and serves as a node that constitutes a physical network. The preset physical address is linked to the private key one-to-one by some method. A logical node whose logical address is a public key forming a pair with this private key by public key cryptography forms a pair with this physical node or the corresponding hardware.

As shown in FIG. 1, information is transferred between logical nodes whose logical address is a public key linked to the physical address. The hash value (N-1) that is the contents of the wallet (N) is the hash value (N-2) that is the contents of the wallet (N-1), its logical address is the public key (N-1) and the electronic signature. It is a hashed version of (N-2). Here, the wallet (N-1), the wallet (N), the wallet (N + 1) ... Corresponds to the logical node (N-1), the logical node (N), the logical node (N + 1), respectively. ..

Here, it is assumed that the address of the physical node forming a pair with the logical node (N-1), that is, the physical address (N-1) has been tampered with. The private key (N-1) linked to this physical address (N-1) one-to-one is also linked to the public key (N-1) which is the logical address of the logical node (N-1) one-to-one. .. Therefore, falsifying the physical address (N-1) means simultaneously falsifying the public key (N-1).

As described in FIG. 1, the public key (N-1) is hashed into the hash value (N-1) together with the hash value (N-2) and the electronic signature (N-2). Therefore, falsification of the public key (N-1) is also falsification of the hash value (N-1). In general, the hash value (N-1) is not always the latest hash value, that is, the root of Merkle. However, if you tamper with the Merkle tree, that is, a part of the logic block, you agree that you have tampered with the root of the Merkle.

As shown in FIG. 3, the block hash (N) forming the contents of the logical block (N + 1) is a hash of all the logical blocks (N). The logic block (N) contains the root of Merkle. If the root of this Merkle is falsified as described above, the connection condition between the logical block (N) and the logical block (N + 1) is destroyed. Therefore, it is necessary to readjust the nonce value of the logical block (N) so as to recover the concatenation condition. For example, the nonce value of the logical logic block (N) must be recalculated so that the first 16 bits of the block hash (N + 1) are all zero again. Here, since the hash function is irreversible, a certain computing power or more is required for this calculation.

In this way, even if the nonce value is readjusted (as an example) and the first 16 bits are all zero, the data after the 17th bit is tampered as long as the root of the Merkle is tampered with. Eventually, the block hash (N-1) is also tampered with, destroying the connection condition between the logical block (N) and the logical block (N + 1). As described above, in order to recover this connection condition, it is necessary to consume a certain amount of computing power or more, and the connection condition between the logical block (N + 1) and the logical block (N + 2) is destroyed. As long as the block chain continues for a long time in this way, the calculation will have to be continued to recover the block connection condition endlessly.

As long as a sufficiently long blockchain is constructed in this way, it is practically impossible to tamper with a physical address even if it is a part. If it is tampered with forcibly, the connection condition between logical blocks will not be satisfied and the block chain will be destroyed. Thus, by using the physical address linked to the private key, it becomes possible to realize (non-rewritable physical address) by public ledger technology such as block chain.

(Key generation method)

A method of generating a public key that forms a pair with the private key will be described. Broadly speaking, a method of using an RSA type key generation device that generates a pair of a private key and a public key from a certain input, and a method of inputting a private key and a public key that forms a pair with the private key It can be roughly classified into an Ergamal-type key generation device for generation. In any case, at least it is very difficult to recover the private key from the public key. It should be noted that these key generation devices may be a kind of program recorded in a memory or an embedded circuit mounted on a semiconductor chip.

First, the RSA type is explained. This is a cryptographic key generation method invented by Rivest Shamir Edelman. (
reference. ) Rivest, Ronald L. Shamir, Adi. Adelman, Len M. (1977-07-04), “A Method for Obtaining Digital Signature and Public-key Cryptsystems”, MIT-LCS-TM-082 (MIT Laboratory for Computer Science) .

In the RSA method, first, an appropriate non-negative integer e is prepared. Normally, 2 to the 16th power plus 1 is adopted, but other positive natural numbers can be adopted. Next, a pair of two next-larger prime numbers {p, q} is generated by some method, and a product n (= pq) of them is calculated. At this time, {e, n} is the public key. Subsequently, a secret integer d is obtained by further dividing a positive integer having a remainder of 1 divided by the product of (p-1) and (q-1) by e. However, if {p, q} is known in addition to {e, n}, then d can be obtained by calculation, so {p, q} must be discarded or not leaked to the outside. .. If the set of prime numbers {p, q} is stored so as not to be leaked to the outside, the set {d, p, q} can be viewed as a secret key.

It is possible to cut out the first few bits from the coded physical address and add 1 to obtain e. Alternatively, it is possible to generate a positive integer e by adding 1 to the coded physical address.

It is also possible to generate the prime number {p, q} from a physical address. As an example, 1 is added to the coded physical address to check whether it is a prime number. If it is a prime number, let p be the prime number. If it is not a prime number, add 1 to it to see if it is a prime number. This is repeated to determine the prime number p. After determining the prime number p, the same procedure is repeated to determine the prime number q. In this way, the prime number {p, q} can be obtained.

Another example of how to determine the prime number q is to add 2 to the physical address to check whether it is a prime number. If it is a prime number, let that prime number be q. If it is not a prime number, add 2 more to see if it is a prime number. This is repeated to determine the prime number q.

The number to be added to the physical address to obtain the prime number p or q is not limited to 1 or 2, but an arbitrary integer (for example, k) can be adopted. At this time, k can be used as a security parameter. For example, it is possible to randomly select from an integer within a certain range using a physical random number or a pseudo random number, and use it as the security parameter k. In any case, the composition can be repeated until the composition of the coded physical address and k by some method becomes a prime number. As long as the physical address is sufficiently large as a numerical value, both p and q are sufficiently large prime numbers, and the selection of the security parameter k becomes more diverse.

As for the method of synthesizing the coded physical address and k, all arithmetic operations of addition, subtraction, multiplication and division and combinations thereof, or all possible bit operations are possible. In any case, p is a sufficiently large prime number as long as the physical address (N) or k is sufficiently large as a numerical value. The k may be an internal input or an external input.

In any case, the method of obtaining the prime number p or q from the physical address is, as an example, a synthesizing step of synthesizing the physical address and an appropriately given variable, and a determining step of determining whether the synthesized number is a prime number. And is repeated, and the synthesizing step and the determining step are repeated until a prime number is actually obtained. See FIG.

Next, the El Gamal type will be explained. This is a cryptographic key generation method invented by Ergamal. (
reference. ) A Public-Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms, Taher Elgamal, IEEE Transactions on Information Theory, v.IT-31, n. 4, 1985, pp. 469-472.

In the Ergamal method, first, a large prime number p and its primitive root g are determined. The prime number p and the primitive root g can be selected according to the design specifications. Next, a non-negative integer x smaller than p-1 is randomly selected and used as a secret key. Subsequently, the remainder obtained by dividing the primitive root g to the power of x by p is used as a public key.

If the private key is obtained by performing appropriate code conversion from the physical address, it becomes possible to link the physical address and the private key. As an example, the physical address represented by the code or the remainder obtained by adding an integer of 1 or more to the physical address and dividing by p-1 may be used as the secret key.

There are multiple concrete algorithms for both the RSA-type key generation method and the Ergamal-type key generation method. Of these, the DSA method and its improved version, the ECDSA method, are often used for digital signatures. There are various other methods such as the Schnorr method, the random oracle method, and the Kramer-Shoup method, but the common point of them is that it is practically difficult to generate a private key from a public key. (It is difficult to prove that it is mathematically impossible, but it can be said that it is difficult to actually generate it.) In addition, it is also common to generate a digital signature by encrypting a hash value with a secret key. Be done. The difference is whether to generate a public key from a secret key, or to generate a public key and a secret key from another input variable. Alternatively, there are differences in algebraic problems used for variable conversion. For example, prime factorization, discrete logarithm problem, random oracle assumption, elliptic curve problem, etc.

(System integration)

Consider a large-scale system consisting of many pieces of hardware. Hacking this system is nothing but hacking at least one piece of hardware. To keep the hack secret, you have to erase the access history to the hardware. This is nothing but tampering with the history. Further, in order to take over this system, it is necessary to falsify the physical addresses of at least some of the hardware components.

Therefore, if the physical address and the logical address are connected one-to-one by the above method, the block chain can protect the system from hacking.

(Hardware specific problem)

However, hardware that has a physical reality has a problem that cannot occur in a logical node that does not have a physical reality. That is, the logic node cannot cause mechanical failure, but the hardware is always at risk of mechanical failure. Failed hardware must be replaced with new hardware to keep the system.

At this time, if the physical address of the hardware to be replaced is different from that of the failed hardware, the physical address will also be replaced. This is the same as tampering with the physical address. In this way, the logical blocks that make up the block chain are tampered with. As a result, the link condition of the logical blocks cannot be satisfied, and the block chain is destroyed.

In order to prevent such block chain destruction, not only the physical address, but also the history (hash value) recorded in the failed hardware, electronic signature, and other information must all be transferred to the exchanged hardware. However, it is not always possible to retrieve all such information in perfect condition from a failed hardware. Rather, it will be impossible to maintain and manage the system unless a method for coping with a situation that is impossible due to a failure is prepared.

For example, if the above system is a large-scale data center, physical addresses are assigned to innumerable individual drives (SSDs), and each physical address is linked to a logical address one-to-one, and blockchain blocks external hacking. You can do it. In this way, a safe intranet can be constructed inexpensively.

Such a large-scale data center is configured with a huge number of SSDs so that access such as search from the whole world can be dealt with at all times. SSDs are hardware and cannot escape mechanical failure. No matter how reliable and low the failure frequency is, the number of SSDs is huge, so SSDs must be replaced on a daily basis for maintenance and inspection. Due to the nature of the blockchain, replacing just one SSD will destroy the blockchain. This makes it difficult to use blockchain to protect large systems from malicious hacker attacks. Even if the information necessary to prevent the blockchain from being broken can be retrieved from the broken hardware, it is time-consuming, labor-intensive, and uneconomical to actually retrieve such information.

The present invention has been made in view of the above circumstances, and provides a network management technique in which a logical block is not tampered with even if hardware that is a part of a component is replaced, and a secure intranet is provided by using a block chain. Aim to build cheaply.

The present invention adopts the following means in order to solve the above problems.

In a network consisting of multiple clients and at least one server,
The server has an input / output interface for exchanging data with each client,
Each of the plurality of clients has a unique physical address, and sends the physical address to the server through the input / output interface.
The server further includes a key generator and a synthesizer,
The key generation device and the synthesis device generate a private key and a public key corresponding to each client from the physical address,
The private key and the public key are passed to the corresponding clients,

The server generates an authentication variable composed of a combination of the physical address, the private key, and the public key for each of the plurality of clients,
Collecting authentication variables corresponding to the plurality of clients and recording them in a private ledger,
Characterized by that
Regarding the network.

The plurality of clients includes a first client, a second client, and a third client that are different from each other,
The key generation device generates a first public key from a first secret key corresponding to the first client,
The synthesizer generates a second secret key corresponding to the second client from the first public key and a second physical address corresponding to the second client,
The key generation device generates a second public key corresponding to the second client from the second secret key,
The synthesizer generates a third secret key corresponding to the third client from the second public key and a third physical address corresponding to the third client,
The key generation device generates a third public key from the third secret key,

The first public key and the first secret key form a pair with each other,
The second public key and the second private key form a pair with each other,
The third public key and the third private key form a pair with each other,

Characterized by that
Regarding the network.

The second client is replaced with a fourth client having a fourth physical address,
The fourth physical address is transmitted to the server through the input / output interface,

In the private ledger, the authentication variable corresponding to the second client is replaced with a combination including the fourth physical address, the second secret key, and the second public key,

The fourth client is passed the second secret key and the second public key from the server, and is passed the second hash value and the second electronic signature from the first client,

Characterized by that
Regarding the network.

The first logical block with the first time stamp attached at a certain point, the second logical block with the second stamp attached at a certain point before that, and the third stamp at a certain point before that. The attached third logical block is connected to form part or all of the block chain,

The first time stamp is at least a portion of a record of a public ledger that collectively approved the first logical block, the first block hash, and the first nonce value,

The second time stamp is at least a portion of a record of a public ledger that collectively approved the second logical block, the second block hash, and the second nonce value,

The third time stamp is at least a portion of a record of a public ledger that collectively approved the third logical block, the third block hash, and the third nonce value,

The first block hash is generated by collectively hashing the second block, the second block hash, and the second nonce value,

The second block hash is generated by collectively hashing the third block, the third block hash, and the third nonce value.

Characterized by that
Regarding the network.

According to the present invention, it is possible to achieve both the economical efficiency of maintenance and the improvement of safety of a large-scale system composed of a huge number of hardware.

Hereinafter, the best mode for carrying out the invention will be specifically described.

(First embodiment)

In general, regardless of the size of the system, it is a plurality of physical nodes that make up the system. Each of these plurality of physical nodes is a kind of hardware, and exchanges data with each other via a signal transmission path to produce a function as a system. The plurality of physical nodes that constitute such a large-scale system can be roughly divided into a core node that handles core functions and a peripheral node that handles some functions in cooperation with the core node. Inevitably, the network structure will be a client-server type, so the core nodes will be called servers and peripheral nodes will be called clients below.

When such a system is a data center, the client is an SSD as an example. If the system is SSD, the client is NAND flash as an example and the server is the controller. When the system is a controller, the server is a processor and the client is a cache memory or the like.

FIG. 6 shows a client (N-1), a client (N), and a client (N + 1) before being incorporated in the system. A physical address (N-1), a physical address (N), and a physical address (N + 1) are assigned respectively. However, N is a natural number of 2 or more.

FIG. 7 shows a method of authenticating and registering these clients with the server. Initializing the client for the first time in the system is called initial setting, and re-registering authentication for convenience of maintenance and management is called resetting. The server assigns an input / output interface (I / F) to each client. Each client sends a physical address (N-1), a physical address (N), and a physical address (N + 1) to the server via this I / F.

The server uses the physical address (N) received from each client to generate a secret key (N) by an appropriate method. The server further includes a key generation device, and the key generation device generates the public key (N) from the secret key (N) according to the Elgamar-type encryption key generation method. Here, the private key (N) and the public key (N) form a pair with each other. A detailed description will be given below in order.

With N = 2, the secret key (1) is generated from the physical address (1). Then, the key generation device generates a public key (1) from this secret key (1). Pass the private key (1) and public key (1) to the client (1). In this way, a combination of (physical address (1), secret key (1), public key (1)) is formed in the client (1). On the other hand, the combination of (physical address (1), private key (1), public key (1)) corresponding to the client (1) remains in the server. It is called this combination authentication variable and is registered in the ledger in the server. Since this ledger is closed to the outside of the server, it can be called a closed ledger.

The server further includes a synthesizer. This synthesizer synthesizes a public key (1) and a physical address (2) and generates a secret key (2) from the synthesis result. Subsequently, the key generation device generates a public key (2) from this secret key (2). Pass the private key (2) and public key (2) to the client (2). In this way, a combination of (physical address (2), secret key (2), public key (2)) is formed in the client (2). On the other hand, the authentication variables (physical address (2), secret key (2), public key (2)) corresponding to the client (2) also remain in the server and are registered in the private ledger in the server.

After that, this work is repeated while updating N. That is, the synthesizing device synthesizes the physical address (N) and the public key (N-1), and generates the secret key (N) from the synthesis result. Then, the key generation device generates a public key (N) from the secret key (N). Pass the private key (N) and public key (N) to the client (N). Thus, a combination of (physical address (N), secret key (N), public key (N)) is formed in the client (N). On the other hand, the authentication variables (physical address (N), secret key (N), public key (N)) corresponding to the client (N) remain in the server and are registered in the private ledger in the server.

Next, a specific method for the synthesizer to generate a secret key will be described. As an example, first, a large prime number p is prepared by an appropriate method. Next, a combination of the physical address (N) and the public key (N-1) is hashed, the combined result is divided by p-1, and the remainder is used as the secret key (N). Here, the hashing of physical addresses also includes the role of formatting. It can be omitted if the physical address is already in a format suitable for generating a private key. When N = 1, the public key (0) does not exist and is a dummy. Therefore, it is necessary to prepare in advance as an initial input on the server side. This initial input may be used instead of the public key (0).

There are various methods of synthesizing the physical address and the public key by the synthesizer. For example, it is possible to utilize addition, subtraction, multiplication, division, combinations of these arithmetic operations, logical operations, and all possible bit operations.

Thus, the set of (physical address (N), secret key (N) and public key (N)) is stored in the client (N). At the same time, a set of (physical address (N), secret key (N), public key (N)) is registered in the secret ledger in order from N = 1. This private ledger is stored and managed on the server and is not disclosed to the outside to enhance security.

FIG. 8 shows a method of forming a logical block by connecting clients after initial setting / resetting by hashing. The method of generating this logical block is similar to that of bitcoin. That is, the combination of the public key (N-1) of the client (N-1), the hash value (N-2), and the electronic signature (N-2) corresponds to the bitcoin purse (N-1). In this application, it is a logical node (N-1). This logical node (N-1) is hashed to generate a hash value (N-1). Then, the hash value (N-1) and the public key (N) of the client (N) are collectively encrypted with the secret key (N-1) to generate an electronic signature (N-1). Finally, the client (N-1) sends the hash value (N-1) and the electronic signature (N-1) together to the client (N). In the client (N), a logical node (N) is formed from the public key (N), hash value (N-1) and electronic signature (N-1).

Then, the logical node (N) is hashed to generate a hash value (N). Then, the hash value (N) and the public key (N + 1) of the client (N + 1) are collectively encrypted with the secret key (N) to generate an electronic signature (N). Finally, the client (N) sends the hash value (N) and the electronic signature (N) together to the client (N + 1). In the client (N + 1), a logical node (N + 1) is formed from the public key (N + 1), hash value (N) and electronic signature (N).

By repeating this operation, a logical block including a plurality of logical nodes is formed. The method of transferring the hash value between the clients by the method as described above is one method of transferring the data between the clients. In the case of cryptocurrency, the data is something with a monetary value, and in the case of bitcoin it is a transaction record. (Actually, it is a hashed value.) If the client is a storage such as SSD, this data does not necessarily have a monetary value. Simply hashed data is transferred between SSDs. Nevertheless, it is possible to form logical blocks in this way. That is, a logical block can be formed regardless of the content of data.

When the client including the logic block is hardware, a method for coping with mechanical failure of hardware is necessary as described above. That is, the failed hardware must be replaced with new hardware.

Consider the case where the hardware of the client (N) fails as shown in FIG. At this time, the physical address (N) is attached to the failed hardware, and the physical address (N ') is attached to the new hardware to be replaced. The private ledger stored on the server records (physical address (N), private key (N), public key (N)). This is the authentication variable corresponding to the client (N). The physical address (N ') is input to the server through the I / F that connects the failed client (N) and the server. The server edits the private ledger and modifies the authentication variable to (physical address (N '), private key (N), public key (N)). Alternatively, it is possible to re-record (physical address (N '), secret key (N), public key (N); physical address (N)) and leave the history of the client (N) exchanging hardware. .. Here, it is not necessary to modify the private key (N) and public key (N).

FIG. 10 is a diagram showing a state after replacing the failed hardware. It can be seen from comparison with FIG. 8 that the logical nodes are exactly the same. That is, the logical node does not have to be tampered with. Thus, by using the server according to the present embodiment, it becomes possible to replace the failed hardware without tampering with the logical block.

It is assumed that the set of logical nodes in FIG. 8 and the data transfer history thereof have been disclosed as logical blocks before the hardware fails. A miner who digs into this logical block or a wider logical block that includes this logical block records in a public ledger (for example, block chain). After that, the hardware fails, and the hardware is replaced by the method shown in FIG. However, as shown in FIG. 10, in this embodiment, there is no change in the logical node of the client whose hardware has been exchanged. Therefore, the logical block is not tampered with, and there is no fear of breaking the block chain connection condition.

In this way, by using the private ledger relating to the present embodiment, it becomes possible to replace the failed hardware without destroying the block chain connection conditions. Since no additional cost is incurred by using an external blockchain, the intranet including the server and the plurality of clients can be protected from external hacking at low cost.

(Second embodiment)

Each time data is exchanged between clients, the hash value that forms part of the logical node changes. Therefore, the logical block also changes. By taking the time axis as the vertical axis and dividing this change at appropriate time intervals and attaching a time stamp, it is possible to stack logical blocks that change from bottom to top as shown in FIG. The latest one is the logical block (M), and the one approved one before is the logical block (M-1). Further immediately before that is the logical block (M-2). However, in the present embodiment, it is the server connected to the client that constitutes the logical block that issues this time stamp. The time stamp is issued at predetermined time intervals determined for the convenience of client maintenance management using the server according to this embodiment.

When the server issues a time stamp, it means that the server approves the existence of the logical block at that time on behalf of the public ledger (eg, blockchain). On the other hand, in the blockchain based on the P2P type network, this approval work is performed by an arbitrary miner. In this respect, the approval of the logical block according to the present embodiment is fundamentally different from the conventional method using the block chain. That is, the chain of vertically continuous logical blocks in FIG. 11 is different from the normal block chain.

FIG. 12 is a diagram showing an example of the approval work by the server according to the present embodiment. The transitions and time stamps of logic blocks are arranged from left to right in the figure. The latest one is the time stamp (M), which goes back one by one to become the time stamp (M-1), the time stamp (M-2) .... Similarly, it can be traced back to a logical block (M), a logical block (M-1), a logical block (M-2) ...

The block hash (M-3) and the appropriately selected nonce value are combined with the logical block (M-2) and hashed to generate the block hash (M-2). The block hash (M-2) and an appropriately selected nonce value are combined with the logical block (M-1) and hashed to generate a block hash (M-1). In order to generate the next block hash (M), the block block (M-1) may be combined with the logical block (M) and an appropriately selected nonce value and hashed.

In Bitcoin, the nonce value is generally an arbitrary value of 32 bits. The hash value (block hash in this case) generated including this nonce value is a 256-bit value. 2 256 is larger than 10 77, and it can be seen that the block hash has enormous degrees of freedom. By properly adjusting the nonce value, the first few bits of the block hash can be zero. As an example, the probability that the first 16 bits of the newly generated block hash are all zero is 1 in 2 to the 16th power, that is, 1 in 65,536. It rarely happens by chance, and appropriate work is needed to find out such a nonce value. Further, setting the first 16 bits of the block hash to zero is a connection condition for connecting a new logical block to an existing logical block. The number of bits to be set to zero is set to 16 at the beginning for the purpose of adjusting the frequency of approval of a new logical block to be about once every 10 minutes in the world.

The 16-bit connection condition is for maintaining the reliability of data transfer in a P2P type network without management by the server, and the reliability of data transfer between specific clients connected via the server as in the present application. 16 bits is considered more than sufficient to maintain Rather, it may be necessary to reduce this number of bits to reduce the average time it takes for the server in this embodiment to accept a new logical block.

In view of such a situation, the logical block connection condition in the present application is to set all the first L bits of the block hash to zero. However, L is a natural number smaller than 16. The nonce value according to the present application is adjusted to satisfy this connection condition.

Thus, the nonce value can be adjusted, the new logic block approved, and the time stamp issued as in FIG. This work is preferably performed on the server for this application.

As described above, the block chain related to the present application is different from the conventional block chain used for bit coins and the like. In the present application, it is possible to prevent tampering with the processing history from the outside if the maintenance and management of the server that approves the new logical block is properly performed. Further, as long as the public code that makes the public key and the private key correspond one-to-one is not broken, the logical address and the physical address can be linked as shown in FIG.

As long as the private ledger stored in the server is properly managed, it is impossible to rewrite the physical address from other than the server. In this way, (a physical address that cannot be rewritten from the outside) can be realized. Furthermore, even if the broken hardware is replaced, it is not necessary to destroy the block chain related to the present application. This is a feature that does not exist in the conventional blockchain that operates only in the logical network (blockchain that does not adopt the private ledger related to the present application).

For example, it is conceivable that storages such as SSDs that are operating in large quantities in data centers handle big data in cooperation with each other. The SSD is an example of the client of the present application, and the history of data exchange between SSDs is hashed and managed so that it cannot be tampered with by the blockchain related to the present application. This management is substantially management by the server that stores the private ledger.

The update of the logical block is performed by the server that controls the activity of the data center. By using the electronic signature technology and the private ledger stored in the server related to the present application, it is possible to prevent the physical address of the SSD once initialized by the server from being tampered with from the outside. (Physical address that cannot be rewritten from the outside) By using the private ledger inside the server, it becomes possible to replace the failed SSD without destroying the blockchain.

(Third embodiment)

The physical address can be generated from some physical randomness extracted from a cell array in a semiconductor chip having a physical substance. Such a chip is called an authentication chip.

FIG. 13 is an example of a cell array composed of word lines and bit lines. The authentication element is arranged at the intersection of the word line and the bit line. In this example, the number of rows (the number of word lines) is N and the number of columns (the number of bit lines) is M. However, the rows and columns can be swapped at any time.

As an example, the authentication element has at least two terminals (first terminal and second terminal), respectively, one of the word line and the bit line is connected to the first terminal, the other to the second terminal. Connecting. Alternatively, as another example, as shown in FIG. 14, the word line is connected to the first control gate and the bit line is connected to the second control gate. Alternatively, as shown in FIG. 15, the bit line is connected to the first control gate and the word line is connected to the second control gate. In any case, it is thus possible to control the access between the first terminal and the authentication element. The second terminal is dropped to the source line, substrate electrode, or ground as necessary.

As an example, the authentication element is a resistor (or a conductor). Alternatively, there is a capacitor. Alternatively, it is a PN junction. Alternatively, it is a Schottky junction. Or there is a transistor. Alternatively, it is a DRAM cell including a transistor and a capacitor. Alternatively, it is a variable resistance memory cell including a transistor and a variable resistance. Alternatively, it is a magnetoresistive memory cell (MRAM) including a transistor and a magnetoresistive element. Alternatively, it is a spin torque MRAM (STT-MRAM). Alternatively, it is a nonvolatile memory cell with a charge storage layer. The charge storage layer may be either a charge trapping layer or a floating gate.

Alternatively, as shown in FIG. 16, it is a nonvolatile memory cell with a charge storage layer arranged on a NAND type array in which bit line terminals are intentionally excluded. Alternatively, as shown in FIG. 17, the transistors are intentionally arranged on a NAND type array in which the bit line terminals are excluded. However, the bit line terminal is connected to one of both ends of the group of the authentication elements serially arranged in the bit line direction, and the source line terminal is connected to the other. Even if the bit line terminal is removed in this way, the authentication element at the intersection of the bit line and the word line can be read by a normal NAND type reading method. More specifically, the transfer voltage is applied to the word lines (non-selected word lines) of all the other authentication elements connected to the bit line (selected bit line) including the authentication element (selected cell) to be read, and the other than the selected cell. Turn on all switches. Then, a voltage (read gate voltage) lower than the transfer voltage may be applied to the word line (selected word line) of the selected cell. At this time, an appropriate voltage (read drain voltage) may be applied between the bit line terminal and the source line terminal and the current flowing between them may be measured.

Here, it is assumed that some of the plurality of authentication elements on the cell array are destroyed for some reason and become a destroyed bit, or for some reason a defective bit that does not exhibit specified characteristics. The distribution of such destroyed bits or defective bits in the cell array is considered to be unique to the semiconductor chip and physically random. Further, the destruction bits are stochastically generated by intentionally applying some stress to the semiconductor chip, and are randomly distributed on the cell array. The defective bits are stochastically generated due to some uncontrollable variation at the semiconductor chip manufacturing stage, and are randomly distributed on the cell array. In any case, the generation mechanism is physically random since it has nothing to do with any algorithm.

An example of the method will be specifically described below.

First, the word line decoder is used to select the word line, the bit line decoder is used to select the bit line, and the authentication element selected by the selected word line (selected word line) and bit line (selected bit line), respectively. Is the selected cell.

Here, there are roughly two types of authentication elements. In the first type, a current flows easily when a read voltage is applied when it is destroyed, and it is difficult to flow a current when it is not destroyed. Typical examples are capacitors, PN junctions and Schottky junctions. In order to determine whether or not it is destroyed, it is necessary to check whether the absolute value of the current when the breakdown determination voltage is applied is higher than the breakdown determination current value or lower than the non-destruction determination current value. However, the destructive determination current value is higher than the non-destructive determination current value.

In the second type, it is difficult for a current to flow when a read voltage is applied when it is destroyed, and it is easy to flow a current when it is not destroyed. The main examples are resistors (or conductors). In order to determine whether or not it has been destroyed, it is sufficient to check whether the absolute value of the current when the breakdown determination voltage is applied is higher than the non-destruction determination current value or lower than the breakdown determination current value. However, the destructive determination current value is lower than the non-destructive determination current value.

When a plurality of cells are selected and read from a group of authentication elements on a cell array, a plurality of destructive bits are generally found. Alternatively, a defective bit that does not exhibit the specified characteristics is found. The position information of the destroyed bit or the defective bit on the cell array is an array of word line numbers and bit line numbers. If the position information of the plurality of destroyed bits or defective bits is arranged and displayed as a code, an authentication code corresponding to the distribution of the destroyed bits or defective bits can be obtained. The authentication code is expected to be unique to the semiconductor chip and physically random, as long as the generation of the destruction bit or the defective bit is physically random. The format of this authentication code is appropriately formed into a physical address used in the present application.

The number of destroyed or defective bits is Q, and the number of selected cells is R. However, Q is a number smaller than R. At this time, the number for the authentication code is equal to the number for selecting Q from R. That is, if R is sufficiently large and the existence probability of a destroyed bit or defective bit is not so small that it can be ignored, the number of authentication codes will be a very large number.

If Q is 1 giga (1 billion) and R is 1 kilo (1000), the number of authentication codes is approximately 106432 raised to 2.5. That is, it means that when one trillion (10 12) semiconductor chips required for a trillion node are produced, the probability that the authentication codes of two semiconductor chip chips are the same by chance is 4E-6421. .. Even if 100 trillion semiconductor chips are supplied, the probability that the authentication codes of two semiconductor chips are the same is 4E-6419. This is practically zero.

Further, a Q of 1 giga and an R of 1 kg correspond to a defect rate of 1 in 1,000,000. That is, even if it is assumed that the defect rate is low enough for the semiconductor chips to attain Six Sigma (3.4 / million or less), the probability that the authentication codes of the two semiconductor chips are the same is almost zero. I can say.

Further, considering along Six Sigma (3.4 / million or less), it is no problem to use 1 kilobit, which corresponds to 1 / million or less, for other purposes in a 1-gigabit chip product. Therefore, 1 kilobit is assigned to the cell array for the authentication element, and some stress is applied to the cell array for the authentication cell to intentionally destroy approximately half. At this time, the number of authentication codes is about 2.7 times 10 299. That is, even if 100 trillion semiconductor chips are supplied, the probability that the authentication codes of the two semiconductor chips are the same is 3.7E-286. That is, it is practically zero.

There are various types of stress such as electrical stress, optical stress, mechanical stress, and electromagnetic field stress.

As an example of electrical stress, first, authentication cells in a partial region selected for generating an authentication code are simultaneously selected from all cell arrays, and a high voltage pulse is applied to all selected cells. When each cell is read and the number of non-destructive bits is less than the number of destructive bits, only the non-destructive bits are selected and the second high voltage pulse is applied. This process is repeated until the number of non-destructive bits becomes almost the same as the number of destructive bits.

One example of the optical stress is to irradiate the cell array for the authentication element with a certain amount of X-rays or ultraviolet rays before assembling. The irradiation amount is adjusted so that the number of non-destructive bits and the number of destructive bits are almost the same. However, when the area of the cell array for the authentication element is very small, stress is similarly applied to the other elements. This is a relatively effective method when all the chips are used as the cell array for the authentication element.

One example of mechanical stress is bending or striking the authentication chip. However, since stress is similarly applied to the cell array for the authentication element, this method is effective only when all the chips are used as the cell array for the authentication element.

One example of electromagnetic field stress is exposing the authentication chip to a strong electromagnetic field. However, since stress is similarly applied to the cell array for the authentication element, this method is effective only when all the chips are used as the cell array for the authentication element.

In any case, as long as the destruction of the authentication element occurs stochastically, the authentication code is physically randomly generated. Further, as long as the probability that the authentication codes of the two semiconductor chips are coincidentally the same is substantially zero, the authentication code is sufficiently valid as a physical address unique to the semiconductor chip.

As described above, the physical address of this embodiment can be generated from the distribution of the destruction bits in the cell array. Alternatively, the physical address of the present embodiment can be generated from the distribution of defective bits in the cell array. Alternatively, the physical address of this embodiment can be generated from the distribution of destroyed bits and defective bits in the cell array.

(Fourth embodiment)

Some memory chip products are equipped with redundant bit lines to replace the bit lines in which defective bits have occurred with each bit line in consideration of the fact that defective bits occur in memory cells at a certain rate or less beforehand. There is. There are various kinds of causes of such defects, and they depend on manufacturing variations at the manufacturing stage of the semiconductor chips (memory chips in this example) and naturally occurring variations in the physical forming process of the members. Generally, these variations are out of control. Redundant bit lines are not normally included in the bit capacity of memory chip products. See FIG. 18 for an example.

In FIG. 18, the bit line group arranged in the row direction is divided into two groups. One is a redundant bit line group including a plurality of redundant bit lines, and the other is a normal bit line group including normal bit lines. The number of rows of the normal bit line group is N, and the number of rows of the redundant bit line group is L. N and L are non-negative integers, and N is larger than L. The bit capacity of the memory chip product corresponds to the number of cells included in this normal bit line group.

If it is found in the pre-shipment inspection that defective bits satisfying a certain condition are generated in the normal bit line group, the normal bit line including the defective bit is set to one redundant bit line in the redundant bit line group. assign. Such read-out (read-out A, read-out B in the figure) is performed for each normal bit line including the defective bit, and the defective bit can be substantially removed.

More specifically, a peripheral memory in which a bit line number of a bit line in which a defect is found in the pre-shipment inspection and a bit line number of a redundant bit line for rereading the bit line are mixedly mounted in a peripheral area (for example, a fuse memory, etc. ). This peripheral memory is referred to when accessing the memory cell. In the present embodiment, the information recorded in the peripheral memory is code-displayed and shaped into a predetermined format to serve as a physical address.

A DRAM is an example of a memory chip product that satisfies such conditions. In addition, a flash memory, a phase change memory, a resistance change memory, a magnetic resistance change memory (MRAM), a spin torque type MRAM, etc. can be considered.

Assuming that the number of defective bits detected in the pre-shipment inspection is m, the number in that case is a combination in which m is selected from N. That is, C (N, m). Taking into consideration which redundant bit line to read each, the number of cases must be further multiplied by the number of permutations in which m is selected from L. That is, C (N, m) P (L, m). That is, the number of cases is about C (N, m) even if it is underestimated.

In the case of a typical 4 gigabit DRAM product, for example, the number of redundant bit lines is about 153,000 with respect to the total number of bit lines of 650,000. That is, the number of rows in which a defective bit occurs in the bit line in the normal bit line group for some reason can be allowed up to about 153,000 as a mass production DRAM. At this time, the number in the case of reallocation to the redundant bit line is equal to the combination of 155,000 selected from 655,000. When it is calculated, it becomes about 315 to the power of 289 (1E315, 289). In other words, even if 100 trillion DRAM chips are supplied, the probability that the authentication codes of the two DRAM chips are the same is 1E-315, 275. It is practically zero.

In this embodiment, the bit line and the word line can be exchanged. That is, the total number of word lines is 4.4 million, and the number of redundant word lines is about 30,44. Assuming that all redundant word lines have been used for reading, the number in that case is approximately 2.9E10, 938. It's much smaller than the former case, but still a terribly large number. That is, even if 100 trillion DRAM chips are supplied, the probability that the authentication codes of the two authentication chips are the same is 1E-10,924. It is practically zero.

In this way, it is possible to generate an authentication code with a very large information entropy. What should be noted here is that, in the present embodiment, even one bit is not excessively generated in order to generate the authentication code. That is, the redundant bit line (or redundant word line) is already mounted in the memory chip product, and the peripheral memory for recording the replacement information is also the same. Moreover, the probability that the authentication codes of the two semiconductor chips are the same by chance is so small that it is practically zero. This authentication code is sufficiently valid as the physical address of the present application.

The physical address related to the present application is code information assigned to hardware. Alternatively, it is code information assigned to a part of the components that make up the hardware. Alternatively, it is chip authentication assigned to a semiconductor chip that constitutes hardware. The chip authentication is generated based on physical randomness unique to the semiconductor chip. The semiconductor chip is composed of a plurality of elements, the plurality of elements are stochastically destroyed by applying a predetermined stress, and a set (distribution) of position information of the destroyed elements is unique to the semiconductor chip. It is characterized by being a physical disorder of. Alternatively, the plurality of elements forming the semiconductor chip become stochastic defective bits due to uncontrollable variations in the manufacturing process. The set (distribution) of position information of the defective bits is a physical disorder unique to the semiconductor chip. The predetermined stress is electrical stress, mechanical stress, electromagnetic field stress, optical stress, or the like.

By building a clever network hardware security system for the present application, it is possible to use a private ledger to replace a failed physical node without destroying the blockchain. In this block chain (first embodiment), the one that is registered by an arbitrary miner from an external logical network is used. That is, it is compatible with the conventional block chain, and the maintenance and management of the data center can be efficiently and safely performed using the external network. On the other hand, in the second embodiment, the server that stores the private ledger records the logical blocks to form a unique block chain.

According to the present application, there is provided a network hardware security system capable of tampering with past processing history, realizing (a physical address that cannot be rewritten from the outside), and replacing failed hardware. It is possible to build.

Hashing is frequently used in this application. A hash function may be used for hashing. There are many hash functions such as MD2, MD4, MD5, RIPE-MD160, SHA-256, SHA-384, and SHA-512. Of these, SHA-256 is used in Bitcoin as an example.
The technical scope of the present invention is not limited to the above-described embodiment, and various modifications can be made without departing from the spirit of the present invention.

It will be possible to provide safe and convenient basic technology for IoT business at a lower cost

The figure explaining the mechanism of remittance of cryptocurrency. The figure explaining the tree diagram of Merkle. The figure explaining the mechanism of a blockchain (public ledger). The figure explaining an example of the concept which links | relates a physical network and a logical network. The figure explaining an example of the method of generating a prime number from the physical address concerning this application. The figure explaining an example of the client before initialization. The figure explaining an example of the initial setting / reset of the client regarding this application. The figure which shows the state of the client after initialization and resetting, and the logical block formed by initialization and resetting. The figure which shows an example of the method of exchanging faulty hardware. The figure which shows the state and logic block after replacing the faulty hardware. The figure which shows an example of the update of a logic block, and the relationship of a time stamp. The figure which shows an example of the formation method of the block chain characteristic to this application. The figure explaining an example of the cell array of the authentication element concerning this application. The figure which shows an example of the access method to the authentication element concerning this application. The figure which shows an example of the access method to the authentication element concerning this application. FIG. 6 is a diagram illustrating an example in which the authentication element according to the present application is a nonvolatile memory cell including a transistor with a charge storage layer and arranged in a NAND type. The figure explaining the example which the authentication element concerning this application is a transistor and it has arranged in NAND type. The figure which shows an example of the method of utilizing the defective bit of a memory cell.

Claims (13)

In a network consisting of multiple clients and at least one server,
The server has an input / output interface for exchanging data with each client,
Each of the plurality of clients has a unique physical address, and sends the physical address to the server through the input / output interface.
The server further includes a key generator and a synthesizer,
The key generation device and the synthesis device generate a private key and a public key corresponding to each client from the physical address,
The private key and the public key are passed to the corresponding clients,

A network characterized by that.
The server generates an authentication variable composed of a combination of the physical address, the private key, and the public key for each of the plurality of clients,
Collecting the authentication variables corresponding to the plurality of clients and recording them in a private ledger,
Characterized by that
The network according to claim 1.
The private ledger is stored in the server and is private to the outside of the server,
The network according to claim 1.
The plurality of clients includes a first client, a second client, and a third client that are different from each other,
The key generation device generates a first public key from a first secret key corresponding to the first client,
The synthesizing device generates a second secret key corresponding to the second client from the first public key and a second physical address corresponding to the second client,
The key generation device generates a second public key corresponding to the second client from the second secret key,
The synthesizer generates a third secret key corresponding to the third client from the second public key and a third physical address corresponding to the third client,
The key generation device generates a third public key from the third secret key,

The first public key and the first secret key form a pair with each other,
The second public key and the second secret key form a pair with each other,
The third public key and the third secret key form a pair with each other,

Characterized by that
The network according to claim 1.
The synthesizer divides a value obtained by synthesizing the first public key and the second physical address by a predetermined synthesizing method by a value obtained by subtracting 1 from a predetermined prime number, The second secret key,
Characterized by that
The network according to claim 4.
Forming a first logical node from the first public key, the first hash value, and the first digital signature,
Forming a second logical node from the second public key, the second hash value, and the second digital signature,
Forming a third logical node from the third public key, the third hash value, and the third digital signature,

The second hash is generated by hashing the first logical node,
The third hash is generated by hashing the second logical node,

The second electronic signature is generated by encrypting the second hash value and the second public key with the first secret key,
The third electronic signature is generated by encrypting the third hash value and the third public key with the second secret key.

Characterized by that
The network according to claim 4.
The second client is replaced with a fourth client having a fourth physical address,
The fourth physical address is transmitted to the server through the input / output interface,

In the private ledger, the authentication variable corresponding to the second client is replaced with a combination including the fourth physical address, the second secret key, and the second public key,

The fourth client is passed the second secret key and the second public key from the server, and is passed the second hash value and the second electronic signature from the first client,

Characterized by that
The network according to claim 6.
The first logic node, the second logic node, and the third logic node form part or all of a logic block,

The first logical node corresponds to the first client,
The second logical node corresponds to the second client,
The third logical node corresponds to the third client,

By transferring data from the first client to the second client, the second hash value is updated, the logical block changes,

The server approves the logical block at a predetermined time interval, attaches a time stamp at that time, and records at least a part of a history of changes of the logical block.
The network according to claim 6.
The first logical block with the first time stamp attached at a certain point, the second logical block with the second stamp attached at a certain point before that, and the third stamp at a certain point before that. The attached third logic block is connected to form a part or all of the block chain,

The network according to claim 8.
The first time stamp is at least a portion of a record of a public ledger that collectively approved the first logical block, the first block hash, and the first nonce value,

The second time stamp is at least a portion of a record of a public ledger that collectively approved the second logical block, the second block hash, and the second nonce value,

The third time stamp is at least a portion of a record of a public ledger that collectively approved the third logical block, the third block hash, and the third nonce value,

The first block hash is generated by hashing the second logical block, the second block hash, and the second nonce value together.

The second block hash is generated by collectively hashing the third logical block, the third block hash, and the third nonce value.

Characterized by that
The network according to claim 9.
The first block hash, the second block hash, and the third block hash are each composed of a sequence of a plurality of bits with a predetermined number of digits,

Each of the plurality of bits is either a first value or a second value,

The second nonce value is adjusted such that the first Q-th bit of the first block hash is a first value,

The third nonce value is adjusted such that the first Q-bits of the second block hash are the first value,

The Q is a natural number less than 16,

Characterized by that
The network according to claim 10.
Each of the plurality of clients is composed of a plurality of hardware,
Each of the plurality of hardware includes at least one semiconductor chip,
The semiconductor chip includes at least a cell array,
The cell array is composed of a plurality of authentication elements,

Some of the plurality of authentication elements become defective bits due to uncontrollable variations in the manufacturing process of the semiconductor chip,
Alternatively, a part of the plurality of authentication elements becomes a destruction bit due to stress intentionally applied to the semiconductor chip,

Generating the physical address according to the distribution of the defective bit or the destroyed bit in the cell array,

Characterized by that
The network according to claim 1.
The stress is electrical stress, optical stress, mechanical stress, or electromagnetic field stress,

Characterized by that
The network according to claim 12.

Images