A technology is known in which a physically unclonable function (PUF) is used in generating data, such as an identifier used in authentication or a cryptographic key used in cryptographic communication, having a high degree of confidentiality. The PUF represents a technology in which manufacturing errors occurring during semiconductor manufacturing are put to use for the purpose of deriving device-specific output. Generally, even if the same input is given to the same PUF, the output of that PUF includes errors in some part depending on the factors such as the voltage and the temperature in the execution environment. In that regard, using an error correction technology or using the data calculated by a fuzzy extractor; the intended data, such as an identifier or a cryptographic key, can be generated in a correct manner from the error-containing output of a PUF. Meanwhile, the output of a PUF represents device-specific data. However, if data adjusted to absorb the differences between the outputs of a plurality of PUFs is used, then the outputs of PUFs can be used to generate data, such as a shared key, that is sharable among a plurality of devices.
In the following explanation, device-specific data output by a PUF is called “first data”. Moreover, the data used for the purpose of generating the intended data, such as an identifier or a cryptographic key, from the first data is called “second data”. Furthermore, the data such as an identifier or a cryptographic key that is generated using the first data and the second data is called “third data”.
The second data can be stored in advance in a memory area in a device. However, instead of storing the second data in the device, if the second data is obtained from the outside of the device, then the required memory area in the device can be reduced thereby making it possible to cut down the manufacturing cost of the device. However, in such a configuration, for example, there is a risk of an attack mounted in the form of repeatedly inputting falsified second data to the device so as to infer the first data or the third data. Hence, it is necessary to have a countermeasure to such an attack.