In recent years, as more embedded devices, typified by mobile phones, are connected to networks, such devices are increasingly required to perform processing involving information security in order to conceal the data they handle, maintain the integrity of that data, and authenticate the device itself. Such processing involving information security is implemented by an encryption algorithm or an authentication algorithm.
Here, consideration is given to a system in which two LSIs perform authentication so that one device can confirm that the other device connected to it is valid. As a specific example, there is a conceivable case where an LSI mounted in a mobile phone main body authenticates an LSI mounted in its battery to confirm that the battery is allowed to be connected to it.
In general, such a function is implemented by the following authentication protocol.
(1) In advance, secret information K is stored in each of the LSI mounted to the mobile phone main body and the LSI mounted to the battery.
(2) At the time of authentication, the mobile phone main body sends a random number C to the battery side. At the same time, an encryption function Enc(C, K)=R is executed, and the result thereof is held as Rm.
(3) On the battery side, in the same manner as on the main body side, the encryption function Enc(C, K)=R is executed for the random number C that has been sent to the battery, and the execution result is transmitted to the main body side as Rs.
(4) On the main body side, it is verified whether or not Rs received from the battery side and Rm calculated by itself are equal to each other, and the authentication is determined to be OK when equal and NG when different.
The key point of this protocol is that the authentication succeeds as long as the mobile phone main body and the battery have the same secret information K.
It is a major premise in executing this protocol that the respective devices “securely” hold the secret information K. The word “securely” means that it is difficult for a person who is not legally allowed to access the device to read or tamper with the secret information.
As a method of securely holding the secret information, there is a technology called a physical unclonable function (PUF). One of the major features of the PUF is that the secret information K is not held within the device as non-volatile digital data. Further, there are several embodiments of such a PUF (see, for example, Patent Literatures 1 and 2).
Here, when the protocol formed of (1) to (4) described above is divided into more detailed functions, it is found that at least the following three functions are necessary.
<Function 1> Function of holding the secret information K securely within each device.
<Function 2> Function of generating the random number C.
<Function 3> Function of processing the encryption function Enc.
<Function 1> is a function that can be achieved by the above-mentioned PUF. Further, <Function 2> requires generating a random number that is not reproducible, and therefore requires a physical random number generator. In addition, in regard to <Function 3>, processing for a block cipher algorithm such as the advanced encryption standard (AES, the U.S. standard cipher) is given as a representative example.
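The exchange of steps (1) to (4), with both sides' messages, as an added example that is not part of the original text. Assumptions: HMAC-SHA256 stands in for the block cipher Enc, the OS random source stands in for the physical random number generator, K is held in a plain variable where a device would use a PUF, and all class and function names are hypothetical.

```python
import hashlib
import hmac
import secrets


def enc(c: bytes, k: bytes) -> bytes:
    """Stand-in for Enc(C, K) = R (HMAC-SHA256 instead of an AES block cipher)."""
    return hmac.new(k, c, hashlib.sha256).digest()


class Battery:
    """Responder: step (3)."""

    def __init__(self, k: bytes):
        self._k = k  # assumption: plain variable in place of PUF-held K

    def respond(self, c: bytes) -> bytes:
        return enc(c, self._k)  # Rs, returned to the main body


class PhoneBody:
    """Verifier: steps (2) and (4)."""

    def __init__(self, k: bytes):
        self._k = k

    def challenge(self):
        c = secrets.token_bytes(16)  # fresh C per run (Function 2)
        return c, enc(c, self._k)    # C goes to the battery, Rm stays local

    @staticmethod
    def verify(rm: bytes, rs: bytes) -> bool:
        return hmac.compare_digest(rm, rs)  # constant-time comparison


def authenticate(body: PhoneBody, battery: Battery) -> str:
    c, rm = body.challenge()
    rs = battery.respond(c)
    return "OK" if body.verify(rm, rs) else "NG"


def stale_response_check(body: PhoneBody, recorded_rs: bytes) -> str:
    """An Rs from an earlier run is compared against a new challenge."""
    _, rm = body.challenge()
    return "OK" if body.verify(rm, recorded_rs) else "NG"


if __name__ == "__main__":
    k = bytes(range(16))  # constructed sample key
    print(authenticate(PhoneBody(k), Battery(k)))          # same K
    print(authenticate(PhoneBody(k), Battery(bytes(16))))  # different K
```

The stale-response check shows why <Function 2> must produce a non-reproducible C: a response computed for one challenge does not verify against the next.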