WO2006003711A1

WO2006003711A1 - Prepaid card, settlement system thereof, and electronic key

Info

Publication number: WO2006003711A1
Application number: PCT/JP2004/009534
Authority: WO
Inventors: Masaya Muranaka
Original assignee: Hitachi Ulsi Systems Co.,Ltd.
Priority date: 2004-07-05
Filing date: 2004-07-05
Publication date: 2006-01-12
Also published as: JP4530229B2; JPWO2006003711A1

Abstract

A semiconductor chip is mounted on a prepaid card which is promised to receive a predetermined service. The semiconductor chip includes a first and a second gate circuit formed with the identical shape by the same manufacturing process. The semiconductor chip outputs a multi-bit identifier formed by a plurality of unit identification circuits, each supplying an operation control signal to a second input of the first and the second gate circuit and extracting a unique identifier decided by the difference between the logical threshold values of the first and the second gate circuit during the operation state. The identifier is extracted from the prepaid card and sent to the service provider so that a service is provided only once according to the registered identifier.

Description

Specification

Prepaid card, payment system and electronic key

Technical field

TECHNICAL FIELD [0001] The present invention relates to a prepaid card, its settlement system, and an electronic key, and in particular, effectively uses an identification information generation circuit that is considered so that micro-element variation in semiconductor manufacturing technology can be used appropriately. It is related to effective technology.

Background art

As a typical technique for generating identification information in a semiconductor chip, Japanese Patent Application Laid-Open No. 2002-184872

(Patent Document 1) and JP 2003-324552 (Patent Document 2). In Patent Document 1, an identification number is recorded by an electron beam drawing method. In Patent Document 2, consideration is given so that micro-element variation in threshold voltage such as a gate circuit can be appropriately used. Patent Document 1: JP 2002-184872

Patent Document 2: Japanese Patent Laid-Open No. 2003-332245

Disclosure of the invention

[0003] With the spread of the Internet and the advancement of IT in recent years, information exchange, electronic settlement, and the use of e-commerce are rapidly expanding in business and general social life. Authentication and confidentiality of information are becoming increasingly important. Under these circumstances, various communication technologies, authentication technologies, and encryption technologies have been proposed and put into practical use. The authentication / encryption technology that is currently mainstream on the Internet is called the “public key method” or “asymmetric key method” represented by RSA. Without this technology, the current network society exists. It ’s not an exaggeration to say that I do n’t.

[0004] However, although the “public key method” has high security, it requires a large amount of calculation for actual processing and a procedure with a fair certification body in authenticating the right owner of the key. It is pointed out that the complexity and problems of this are pointed out.

[0005] Therefore, the inventor of the present application takes advantage of the characteristics of the identification information generation circuit as shown in Patent Document 2 to make the “identifier” and “key” related to the authentication and encryption technology simple and low. It has led to the development of useful usage as a costly technology. Accordingly, one object of the present invention is to provide a simple, low-cost and highly reliable prepaid force force, a settlement system thereof, and an electronic key. The above and other objects and novel features of the present invention will become apparent from the description of the present specification and the accompanying drawings.

[0007] The following is a brief description of an outline of typical inventions among inventions disclosed in the present application. That is, it includes first and second gate circuits formed in the same form with the same manufacturing process, and an operation control signal is supplied to the second input of the first and second gate circuits. When there are 20 unit identification circuits that take out unique identification information determined by the difference in logic threshold between the first gate circuit and the second gate circuit in the state, output identification information consisting of multiple bits The semiconductor chip is mounted on a prepaid card promised to provide a predetermined service, and the identification information is extracted from the prepaid card and transmitted to the service provider. Based on the registered identification information Receive one-time service.

Brief Description of Drawings

FIG. 1 is a block diagram showing an embodiment of an IC prepaid card payment system according to the present invention.

2 is a block diagram showing an embodiment of an integrated circuit that generates the authenticator of FIG. 1. FIG.

FIG. 3 is a typical configuration diagram of an integrated circuit device on which the integrated circuit of FIG. 2 is mounted.

FIG. 4 is a typical block diagram related to an IC prepaid card according to the present application.

5 is an explanatory diagram of a typical manufacturing process according to the IC prepaid card of FIG.

FIG. 6 is an explanatory diagram of a usage pattern of an embodiment of an IC prepaid card according to the present invention.

FIG. 7 is a block diagram of another embodiment of an integrated circuit provided in an integrated circuit device in an IC prepaid card according to the present invention.

FIG. 8 is a block diagram showing an embodiment of an IC prepaid card authentication processing method according to the present invention.

FIG. 9 is a block diagram showing another embodiment of the IC prepaid card authentication processing method according to the present invention.

FIG. 10 is a block diagram showing an embodiment of an authenticator generating circuit according to the present invention. 11] A block diagram showing another embodiment of a semiconductor chip used in the present invention. FIG. 12] A schematic diagram for explaining the manufacturing process of the IC prepaid card according to the present invention. [13] FIG. 13 is a detailed block diagram showing an example of the card inspection process of FIG.

FIG. 14 is a configuration diagram for explaining an authentication processing method of the IC prepaid card 470 according to the present invention.

FIG. 15 is a block diagram showing an embodiment in which an electronic key using the identification information generating circuit is applied to plaintext encryption / decryption.

FIG. 16 is a configuration diagram showing an embodiment of a method for providing a specific service using an electronic key according to the present invention, and a method for providing a specific service.

FIG. 17 is a block diagram showing another embodiment of an encryption communication method or a specific service providing method using an electronic key according to the present invention.

FIG. 18 is a block diagram showing still another embodiment of a method for providing a specific service using an electronic key according to the present invention and a method for providing a specific service.

FIG. 19] A block diagram showing an embodiment of a method of using an electronic key according to the present invention.

FIG. 20] is an explanatory diagram of an example of the identification information 800 formed by the identification information generation circuit shown in FIG. 25 or FIG.

FIG. 21 is an explanatory diagram showing an example of an electronic key such as an encryption key used in the encryption technology according to the present invention.

FIG. 22 is a schematic diagram showing the basic concept of the principle of the cryptographic technique according to the present invention.

FIG. 23 is a block diagram showing an embodiment according to an encryption method using the composite block key.

FIG. 24] is an explanatory diagram of the decryption method of the composite key ciphertext shown in FIG.

FIG. 25] is a logic circuit diagram showing an embodiment of the identification information generation times used in the present invention.

FIG. 26 is a specific circuit diagram showing one embodiment of a basic circuit in the identification information generating circuit of FIG. 25.

FIG. 27] is a block diagram showing another embodiment of an identification information generating circuit used in the present invention. FIG. 28 is a specific circuit diagram showing one embodiment of the circuit elements in FIG. 27.

FIG. 29 is a circuit diagram showing one embodiment of the clocked inverter circuit in FIG. 27.

30 is a schematic waveform diagram for explaining an example of the operation of the identification information generating circuit of FIG. 27. BEST MODE FOR CARRYING OUT THE INVENTION

[0009] In order to describe the present invention in more detail, it will be described with reference to the accompanying drawings.

FIG. 25 shows a logic circuit diagram of one embodiment of the identification information generation times used for the prepaid card and its payment system and electronic key according to the present invention. The identification information generation circuit 1000 is composed of n basic circuits 1010 represented by 0−n−1. 1-bit identification signal (also called authenticator) The basic circuit 1010 that forms DO is composed of NAND gate circuits G1-G4. In the 2-input NAND gate circuit G1, one input and output are coupled. The common input / output of this gate circuit G1 is connected to one input of the gate circuit G2. The output of gate circuit G2 is connected to one input of gate circuit G3. The output of the gate circuit G3 is connected to one input of the gate circuit G4. The operation control signal ACT is commonly supplied to the other inputs of these gate circuits G1 to G4.

When the gate circuits G1 to G4 are used, each of the gate circuits G1 to G4 has the operation control signal when the operation control signal ACT is set to an inactive level such as a low level (logic 0). Regardless of the other input signal different from ACT, the output signal is set to high level (logic 1), and no DC current is generated in each of the gate circuits Gl and G2. That is, in this embodiment circuit, the operation control signal ACT is set to an activation level such as a high level (logic 1) at a timing when identification information is required. As a result, each of the gate circuits G1 to G4 performs an operation as an inverter circuit in which an inverted signal is formed in response to the other input signal different from the operation control signal ACT. FIG. 26 shows a specific circuit diagram of an embodiment of the basic circuit in the identification information generating circuit of FIG. Gate circuit G1 consists of N-channel MOSFETs Q1 and Q3 connected in series between output node Z and circuit ground potential VSS, and P-channel MOSFE TQ2 connected in parallel between output node N1 and power supply voltage VDD. And Q4. The gates of the MOSFETs Q1 and Q2 are connected in common Input 1 of X. The gates of the MOSFETs Q3 and Q4 are connected in common and used as the second input Y. The input Y and output Z are connected in common, although there is no particular limitation. The other gate circuits G2 to G4 are composed of the same circuits as above.

In FIG. 25 and FIG. 26, the gate circuits G1 to G4 are configured to have the same characteristics within a practically controllable range in designing and manufacturing a semiconductor integrated circuit. . A technique for making a plurality of gate circuits have the same characteristics will be briefly described below. It will be understood that in the gate circuit G1 G4, the characteristic logic threshold is generally determined by the P-channel MOSFET and the N-channel MOSFET that compose it. From this point of view, it can be understood that a CMOS gate circuit with the same characteristics can be configured by MOSFETs having the same ratio W / L of channel width W and channel length L but different sizes. However, the influence on the electrical characteristics due to the manufacturing variation of the semiconductor integrated circuit device is different for elements of different sizes.

[0013] In this embodiment, each of the plurality of gate circuits G1 to G4, which are powerful, preferably includes a mutual element, that is, a P-channel MOSFET and an N-channel MOSFET. Each other has the same structure and the same size. Needless to say, these devices are manufactured according to the characteristics of a semiconductor integrated circuit in which the same devices are manufactured together under the same process. As a result, the plurality of gate circuits G1 to G4 are equally affected by manufacturing variations such as variations in processing dimensions in manufacturing semiconductor integrated circuits, variations in thickness of various layers, and variations in impurity concentration. .

In the embodiment shown in FIG. 25, the determination output of the logic threshold values of the two gate circuits G1 and G2 is output from the gate circuit G2. The determination signal is amplified by the subsequent gate circuits G3 and G4 to obtain a CMOS level binary signal. This binary signal is used as 1-bit identification information or an authenticator 1020 as described later. Therefore, strictly speaking, the gate circuits G3 and G4 simply perform an amplification operation, so that the P-channel MOSFETs and the N-channel MOSFETs have the same structure as each other, like the gate circuits G1 and G2. Although not necessarily configured with the same size, in this embodiment, it is configured with the same structure and the same size mainly from the viewpoint of circuit design.

[0015] The cause of variation in the logic threshold of the gate circuit is the MOS transistor characteristics It may be considered that the variation of the is dominant. The causes of variations in MOS transistor characteristics include the gate width of the MOS transistor, the gate insulating film thickness, the conductivity-determining impurity concentration and its distribution, and the like. These variations can be divided into macro and micro parts. The macro part is the gate width variation among multiple wafers in the same lot.

[0016] In the present invention, the variation in the micro portion is mainly taken into consideration, and the variation in the elements arranged at relatively close positions was examined. Such micro variations are observed as randomly occurring between relatively close elements.

That is, the variation in the logic threshold value of the gate circuits Gl and G2 in FIG. 25 is considered to be random. Such variations in characteristic characteristics of semiconductor elements are used as unique identification information. In other words, when a CMOS gate circuit is used, the variation in the logic threshold can be regarded as the variation of the N-channel MOS transistor plus the variation of the P-channel MOS transistor. As a result, the range of variation becomes wider, and it is possible to effectively generate an identification number or identification information. Thus, in the identification information generation circuit of FIG. 25, by setting the operation control signal ACT to the high level, the identification information (identifier consisting of n bits such as the multiple force DO—Dn—1 of the basic circuit 1010). Or an authenticator).

In this embodiment, when the circuit is in a stopped state, that is, when the operation control signal ACT is at a low level, the N-channel MOSFET Q1 in FIG. 26 is turned off, and the through current generated by connecting the input Y and the output node X Is suppressed. The advantage of using a NAND circuit as a gate circuit is that it is a standard element of a CMOS logic LSI, so it does not limit the products to be applied. In other words, circuit design is easy because it consists of a complete logic description type circuit.

[0019] In FIG. 25, the operation control signal ACT is the force supplied to the gate of Q1 of the series N-channel MOSFET. Instead, the operation control signal ACT is supplied to the gate of N-channel MOSFET Q3, and the output node Z May be connected to the gate of Q3 of the N-channel MOSFET. [0020] What is important in the transistor level circuit description is the signal connection position of the MOSFET in each NAND element. In the embodiment of FIG. 25, in the above stop state where the operation control signal ACT force S is set to the low level, the outputs of the gate circuits G1 to G4, that is, the potentials of the nodes Nl, N2 and N3 automatically become the power supply voltage. Therefore, it is possible to prevent fluctuations in characteristics due to NBTI of the P-channel MOSFET to which these signals are connected.

A MOS transistor may fluctuate undesirably due to electric field stress whose threshold voltage depends on electric field strength and temperature. Especially NBTI (Negative Bias

The phenomenon called “Temperature Instability” is a phenomenon that appears prominently in P-channel MOSFETs. As a defensive measure, a method is often used in which the voltage applied to the gate of the PMOS is set to a high voltage during non-target times. In this embodiment, the logic threshold value judgment operation is performed according to the high level of the operation control signal ACT, and the power control signal ACT is set to the low level and the P channel type is set in the case other than the logic threshold value judgment operation. The gate of the MOSFET is a fixed voltage so as to supply a power supply voltage. As a result, in the P-channel MOSFET, the gate, drain, source, and substrate (channel) all have the same potential equal to the power supply voltage, and fluctuations in the logic threshold due to the aging of the MOSFET are minimized. This is particularly effective in obtaining identification information by combining the output signals of the basic circuits as described above.

[0022] Note that the P-channel MOSFET Q2 and the like to which the low level of the operation control signal ACT is supplied in the stop state are turned off when identification information is generated in which the operation control signal ACT is set to the high level. It is not involved in information generation operations. For this reason, the stop state becomes longer, and even if the logic threshold value fluctuates due to aging of the MOSFET, there is virtually no problem.

[0023] The gate circuits G3 and G4 that operate as an amplifier circuit do not need to be set as described above, but it is easy to use the same gate circuits G1 and G2 in terms of circuit design or element layout. This is advantageous in hiding the existence of the identification information generation circuit 1000 as will be described later.

In FIG. 25, a NOR gate may be used instead of the force NAND that forms a basic circuit using a NAND gate. However, in that case, such a basic circuit Is activated when the operation control signal ACT is at low level (logic 0). As described above, the deterioration phenomenon caused by the electric field stress called NBTI is particularly remarkable in the P-channel MOSFET. However, in other devices such as polysilicon FETs and organic transistors, if the degradation phenomenon is significant not in the P-channel type but in the N-channel type, it is desirable to use a NOR gate. Les.

In the embodiment shown in FIG. 25, the NAND gates G2, G3, and G4 in each basic circuit are always connected to the power supply VDD by connecting the common control signal ACT connected to the power supply VDD (logic 1). However, the basic function of this embodiment does not change.

FIG. 27 shows a block diagram of another embodiment of the identification information generating circuit used in the present invention. The basic circuit (element circuit) 1020 shown in Fig. 28 is arranged in a matrix like M X N pieces.

In one row, a basic circuit 1020 shown in FIG. 28 is connected in series, and a NAND circuit GO selected by a row selection signal R0 or the like and a row selection circuit 1021 including a clocked inverter circuit CN0 are provided at its output section. Provided. The basic circuits 1020 constituting each of the M rows are selected in common by a column selection signal CO-CM-1 formed by a column decoder. One of the N basic circuits arranged in the row direction is selected by a row selection signal R0-RN-1 formed by the row decoder 1023. The row selection signal R0-RN-1 is also used as a selection signal for the row selection circuit 1021 including the NAND gate circuit GO and the clocked inverter circuit CN0. Since the clocked inverter circuit CN0 constituting the row selection circuit 1021 is in an output high impedance state when it is not operating, the output signals of the N clocked inverter circuits are connected in common and selected. The output signal of the clocked inverter circuit corresponding to one row is transmitted to the NAND gate circuit G11.

[0028] A clock CLK is supplied to an M-ary counter 1024 through a NAND gate circuit G10 whose gate is controlled by an operation control signal ACT and an inverter circuit INV10. As a result, when the operation control signal ACT is active, the M-ary counter 1024 performs a count operation of 0 to 1 in response to the clock CLK, and the column decoder 1022 that receives a powerful count output sets the C0 CM-1 to A selection signal is formed and the output signal of the basic circuit 1020 is output serially. [0029] Since the carry signal of the M-ary counter 1024 is supplied to the N-ary counter 1025, the N-ary counter 1025 performs a counting operation corresponding to one rotation of the M-ary counter 1024. As a result, when the M basic circuits 1020 arranged in the row direction are read, the row selection is switched, and the N basic circuits 1020 are read until the 0th row force RN—the first row. Overflow is carried out.

In the present embodiment, since all basic circuits are read in the M X N cycle, the M X N bit identification information D can be output through the gate circuit Gl 1 and the inverter circuit INV11 in the M X N cycle.

FIG. 28 shows a specific circuit diagram of an embodiment of the circuit element shown in FIG. In the basic circuit, a gate circuit G5 for providing a row / column selection function and a gate circuit G6 operating as an inverter circuit are added to the gate circuits G1 to G4 shown in FIG. A column selection signal Ci and a row selection signal Ri are supplied to two inputs of the NAND gate circuit G5. The gate circuit G3 is supplied with the output signal Di of the previous basic circuit in the row. The unselected basic circuit performs the operation of transmitting the signal Di from the previous stage input through the gate circuits G3 and G4 as the output signal Di + 1 as it is. As a result, only one basic circuit in which the row and column are selected is set to the above-described operating state and output.

[0032] As shown in FIG. 29, the clocked inverter circuit CN in FIG. 27 is connected in series between the power supply voltage VDD and the ground potential VSS of the circuit, P-channel M〇SFETQ11, Q12 and N-channel M〇SFETQ14. Q13 force is composed. The gates of P-channel MOSFET Q11 and N-channel MOSFET Q13 are connected in common to serve as input terminal A. P channel Child B. The control signal supplied from the terminal C is supplied to the gate of the N-channel MOSFET Q14, and the control signal is inverted by the inverter circuit INV12 and supplied to the gate of the P-channel MOSFET Q12.

[0033] When a selection signal such as a row selection signal supplied from terminal C is at a high level, N-channel MOSFET Q14 and P-channel MOSFET Q12 are turned on, and input terminal A An output signal corresponding to OFF is output from output terminal B. In addition, when the selection signal such as the row selection signal supplied from terminal C is at low level, N-channel MOSFET Q14 and P-channel MOSFET Q12 are simultaneously turned off, and output terminal B is not related to the input signal from input terminal A. Output high impedance state. The clocked inverter circuit CN in FIG. 29 may have a configuration in which a transfer gate is provided at the output portion of the CMOS inverter circuit.

FIG. 30 is a schematic waveform diagram for explaining an example of the operation of the identification information generation circuit of FIG. When the clock CLK is input while the operation control signal ACT is at the high activation level, the column selection signal CO—CM—1 is output from the column decoder accordingly. At this time, since the count value of the N-ary counter is zero, the row selection signal R0 of the 0th row is set to the selection level, so that the output signal of the basic circuit of the 0th row is changed to the column selection signal C0—CM—1. Correspondingly output serially. When the basic circuit on the 0th row is read, the N-ary counter performs a counting operation of +1 by the carry signal, and the first row R1 is selected instead of deselecting the 0th row R0. To. In this way, the basic circuits up to the N-1st line are read sequentially. The number of cycles required to select all M X N basic circuits (unit identification circuits) is M X N times.

In the identification information generating circuit 1000 as described above, random identification information can be obtained automatically only by incorporating a gate circuit or the like into a semiconductor integrated circuit and manufacturing it by a normal process. This eliminates the need to write the identification number one by one as in the prior art 1, and has the first feature that it can be manufactured at a very low cost.

[0036] The identification information generating circuit 1000 has a second feature that it is substantially impossible to decode. In other words, it uses the micro-element variation of the threshold voltage of the gate circuit as described above appropriately, and there is a characteristic circuit pattern corresponding to the identification number as in Prior Art 1. It is impossible to decipher from Shinare. And the existence location is also composed of a gate circuit, so it is difficult to decipher the existence location by using a normal logic circuit. If only the chip is taken out in order to decode the circuit pattern, mechanical stress, chemicals and plasma damage are added to the semiconductor chip in the process, and the element characteristics themselves are also changed. Fluctuates and becomes meaningless information even if it is output.

[0037] Taking advantage of the features described above, the powerful identification information generation circuit 1000 is used for the following prepaid force and its payment system and electronic key, thereby realizing low-cost and safe transactions. You can get a prepaid card and its payment system and electronic key

FIG. 1 shows a block diagram of an embodiment of an IC prepaid card settlement system according to the present invention. In this embodiment, a typical use form regarding an IC prepaid card and its settlement system is shown. For example, a user 126 who wants to receive a specific service such as admission of an event or purchase of a product inserts the IC prepaid card 120 according to the present invention into the IC card reader 121, thereby Using the communication means such as the above, the authentication is received by the IC prepaid card management company 123 and the service is provided. The card management company 123, in cooperation with a credit company (not shown), can perform cash settlement if the credit is withdrawn at the stage when the strength and credential are established.

The outline of the authentication procedure for the IC prepaid card 120 will be described as follows.禾 When the IJ user 126 inserts the IC prepaid card 120 into the IC card reader 121, the card management company 123 is requested for authentication via the Internet 122. The IC prepaid card management company 123 uses the identification information (authentication) recorded in the integrated circuit device (semiconductor chip) provided with the identification information generation circuit 1000 mounted on the IC prepaid card 120 with respect to the IC card reader 121. Child) Request 124. The card reader 121 returns the authenticator 124 to the card management company 123 via the Internet 122. The card management company 123 verifies the authenticator 124 against the registered identification information 125 that is preliminarily registered, and when the verification is successful, sends an authentication response to the card reader 121. As a result, the user 126 can receive the service. One service is provided for each of the above-mentioned authenticators 124. Once authentication and service are provided, the authenticator 124 loses the right to receive the provision of the service after strong authentication. .

FIG. 2 shows a block diagram of one embodiment of an integrated circuit that generates the authenticator of FIG. A control signal 20 is generated in response to a request for the control input 10 input to the control circuit 100 in the integrated circuit 01, and the authenticator 30 is generated from the authenticator generation circuit 101 by the control signal 20. The authenticator 30 is output through the output circuit 102. The authenticator generation circuit 101 includes an identification information generation circuit 1000 as shown in FIG. 25 or FIG.

In the following specification of the present application, what is called the authenticator is referred to as “authenticator” or “identifier” depending on the purpose. The “authenticator” and “identifier” are both information generated from the authenticator generation circuit (identification information generation circuit 1000) 101.

Basically, the properties and characteristics are the same. The “identifier” is used to mean information given to an integrated circuit or a device on which the integrated circuit is mounted so as to distinguish it from other devices. On the other hand, “authenticator” means that the owner of a device equipped with the authenticator has the qualification or right to receive a specific service with the person providing the service in advance. It is used in the sense of information to prove that

FIG. 3 shows a typical configuration diagram of an integrated circuit device on which the integrated circuit 01 is mounted. The integrated circuit 01 constitutes the integrated circuit device 110 alone or together with another integrated circuit 02. The input / output and control circuit 130 generates a control signal 10 to the integrated circuit 01 by a signal given from the external connection electrode 132 of the integrated circuit device 110, and outputs the output 50 of the integrated circuit 01 to the outside or other Tell the integrated circuit 02.

FIG. 4 shows a typical configuration diagram related to an IC prepaid card among the inventions disclosed in the present application. The integrated circuit device 110 according to the present invention is mounted on a base material (resin or the like) of the IC prepaid card 120 and exchanges electrical signals with the outside through the electrodes 112. The IC prepaid card 120 shows a communication method via the electrical contact 112, but is not particularly concerned with the method, for example, a non-contact method in which an antenna is formed on the base material. Anyway.

[0044] A prepaid card, such as a public telephone card (hereinafter referred to as a "telephone card"), is paid to a telephone communication company when a general user purchases the telephone card, The user can use the public telephone up to the purchase amount. Similar to the telephone card, there are bus use cards such as buses and trains, and convenience store prepaid cards. Currently, telephone cards that are widely used in Japan apply a magnetic material to a resin sheet and magnetically record data such as the amount used on the magnetic material. However, in such a magnetic recording method, alteration of the magnetic data or forgery of the card itself is difficult. It cannot be said that it is relatively easy and safe, and it is difficult to issue a card with a high usage limit. For this reason, so-called IC prepaid cards that use integrated circuit devices (ICs), which have a low risk of tampering and counterfeiting, are also popular. However, IC prepaid cards have the problem of high manufacturing costs compared to magnetic cards.

[0045] The present invention is effective in solving both the prepaid card and the IC prepaid card. The objects and effects of the present invention relating to the integrated circuit 01 will be understood based on the following embodiments relating to an inexpensive and highly secure IC prepaid card.

FIG. 5 is an explanatory view of a typical manufacturing process related to the IC prepaid card 120. The integrated circuit device 110 on the wafer 150 that has completed the semiconductor manufacturing process is inspected for an electrical function and the like in the IC inspection process 151, and at the same time, from the authenticator generation circuit 101 in the integrated circuit 110. 30 is read.

The authenticator 30 is stored in the information storage device 155 as a registered authenticator 154 from an IC inspection device (not shown) in the IC inspection step 151. The integrated circuit 110 that has undergone the IC inspection process 151 is processed into the IC prepaid card 120 by an assembly process 152. The IC prepaid card 120 is then subjected to a final inspection in a card inspection step 153. At the same time, the authenticator 101 is stored in the authentication information storage device 155 from the card inspection device.

In the same figure, the registration authenticator 154 is collected from the IC inspection process or card inspection process and the force inspection process 153, but the acquisition and the authentication information storage device 155 can be obtained by either one of them. Can be stored in The IC prepaid card 120 that has passed the card inspection step 153 is shipped as a non-defective product.

FIG. 6 shows an explanatory diagram of a usage pattern of an embodiment of the IC prepaid card according to the present invention. This figure shows in more detail the processing method that is effective for authentication with the card management company using the IC prepaid card 120 manufactured as described above.

The authenticator 30 in the IC prepaid card 120 inserted into the card reader 121 is sent to the authentication processing system 163 of the card management company 123, and the authentication information managed in the authentication processing system 163 The database 160 is queried. The authentication information data base 160 includes a plurality of authentication information records 163 including an authentication registration information field 161 and an exhaustion flag field 162. The information of the authentication registration information finale 161 is the registration authenticator 154 of FIG. The total number of information records 153 matches the total number of IC prepaid cards 120 shipped.

[0051] The verification performed in the authentication processing system 163 includes "a verification process" for the authentication information record 163 in the authentication information database 160 that matches the code of the authenticator 30, and the verification authentication information record The state of the exhaust field 162 in 163 is “update process”. The “collating process” includes calculating the distance between the authenticator 30 and the codes of the authentication registration information 154 in all the authentication registration information fields 161 registered in the authentication information database 160, and The authentication information record 163 including the authentication registration information 154 having the smallest Hamming distance is selected, and the “updating process” is a logic when the exhaustion field 162 of the collated authentication information record 163 is logical 0. It should be updated to 1 and remain at logic 1 when at logic 1.

[0052] The exhaustion flag finale 162 is all logic 0 at the time of registration, and the logic 0 is "not verified", that is, the user 126 who owns the IC prepaid card 110 is entitled to receive a specific service. Logic 1 means “verified”, that is, the user 126 has used up the right. Further, the authentication information record 163 in which the exhaustion flag field becomes logic 1 is not subject to the next verification. In the inquiry, if the exhaust field force S is “verification is not completed”, the authentication processing system 163 notifies the card reader 121 of authentication.

[0053] The Hamming distance refers to two symbol sequences (xl, χ2, χ3 ·· χη) and (yl, y2, y3---yn). The total number of places. The authenticator 30 generated by the authenticator generation circuit 101 shown in FIG. 2 is completely random (random), and has the property that there is no correlation between the authenticator generation circuits 101. In the case of the authenticator 30 having such a random property, when the bit length of the authenticator 30 is given, the probability distribution of the Hamming distance among the innumerable identifiers 30 can be estimated. Furthermore, the minimum Hamming distance between the plurality of authenticators 30 can be estimated from the probability distribution.

[0054] By the way, the authenticator 30 is subject to fluctuations in some of the bits that constitute the operating principle. There is power S. That is, the threshold voltages of the gate circuits G1 and G2 in FIG. 25 are very close to each other, and are obtained at the first time in the same integrated circuit device 110 due to the influence of thermal noise and power supply voltage fluctuation. Since there is a possibility that different bits (hereinafter referred to as “variable bits”) exist between the first authenticator 30 and the second authenticator 30 acquired at another second time point, the two It is difficult to verify the identity of the authenticator by an exact match of the bits of both authenticators. However, if the total number of variable bits included in the authenticator 30 is smaller than the minimum Hamming distance, it is possible to distinguish between the same authenticator 30 and different authenticators 30.

FIG. 7 shows a block diagram of an embodiment different from the integrated circuit 01 shown in FIG. 2 relating to the integrated circuit device in the IC prepaid card 110. The integrated circuit 01 generates a single authenticator 30. The integrated circuit 03 generates a plurality of authenticators. A control signal 166 is generated in response to a request for the control input 164 input to the control circuit 165 in the integrated circuit 03, and one of the plurality of authenticator generation circuits 101 selected by the control signal 166 is authenticated. And the authenticator 169 is output through the output circuit 168.

In the integrated circuit 03, instead of the plurality of authenticator generation circuits 101, the authentication force of one authenticator generation circuit 101 may be divided so that the force applied is also a plurality of authenticator generation circuits. By mounting the integrated circuit 03 on the integrated circuit device 110 as shown in FIG. 3 and mounting it on the IC prepaid card 120 as shown in FIG. 4, the IC prepaid card 120 can be used like a coupon ticket. Can do. The objects and effects of the invention relating to the integrated circuit 03 will be understood from the authentication processing method relating to the IC prepaid card 170 on which the integrated circuit 03 is mounted.

FIG. 8 shows a configuration diagram of an embodiment of a method for processing authentication of the IC prepaid card 170 on which the integrated circuit 03 is mounted. The first authenticator (i) of the authenticator 171 in the IC prepaid card 170 inserted into the card reader 121 is sent to the authentication processing system 172 of the card management company 123, and in the authentication processing system 172 It is checked against the registration authenticator 154 in the authentication registration information field 176 in the authentication information database 174 managed. The authentication information database 174 includes an authentication registration information field 176 and an exhaustion flag flag. It consists of multiple authentication information records 175 consisting of fields 177.

The information in the authentication registration information field 176 is authentication registration information 154 obtained by the same process and method as in FIG. 5. The total number of the authentication information records 176 is the total number of shipments of the IC prepaid card 170. And the number of authenticators 171 included in the IC prepaid card 170 respectively.

[0059] The verification in the authentication processing system 172 includes "a verification process" of the authentication information record 175 in the authentication information database 174 that matches the code of the authenticator (i), and the verification authentication information. It consists of “updating” the state of the exhaust field 177 in the record 175. The “matching step” means calculating a Hamming distance between the authenticator (i) and the codes of the authentication registration information 154 of all the authentication registration information fields 176 registered in the authentication information database 174, and The authentication information record 176 including the authentication registration information 154 having the smallest Hamming distance is selected, and the “updating process” means that when the exhausted field 177 of the verified authentication information record 175 is logic 0, It should be updated to 1 and remain at logic 1 when at logic 1.

[0060] The exhaustion flag finale 177 is all logical 0 at the time of registration, and the logical 0 is “not verified”, that is, the user 126 who owns the IC prepaid card 110 has the right to receive a specific service. Logic 1 means “verified”, that is, the user 126 has used up the right. Further, the authentication information record 175 in which the exhaustion flag field is 1 is not subject to the next verification.

If the exhaustion field is “not verified” in response to the inquiry, the authentication processing system 172 notifies the card reader 121 of authentication. However, if the flag field is already exhausted as shown in the figure, the authentication processing system 172 and the card reader 121 are notified of the authentication refusal, and the notification is made. The received IC prepaid field 170 sends an authentication processing system 172 next to the authentication code in the authentication code 171 to the authentication processing system 172. The data in the authentication registration information field 176 of the authentication information record 175 in which the exhaustion field is logical 0 in the authentication information database 174 managed in the authentication processing system 172 is checked again. If the authentication information record 175 is verified by the verification, the authentication information record The exhaust flag field 177 in code 175 is set to logic 1. After the verification is established, the authentication processing system 172 notifies the card reader 121 of authentication. In addition, there is no limit to the number of authenticators 171 and integrated circuits 03 included in one IC prepaid card, and multiple authenticators 171 are authenticated in a single authentication operation, and user 126 is an expensive service. Can also be provided.

FIG. 9 shows a configuration diagram of another embodiment of the authentication processing method of the IC prepaid card 170 on which the integrated circuit 03 is mounted. The first authenticator (a) of the authenticator 171 in the IC prepaid card 170 inserted in the card reader 121 is used as an identifier for identifying the IC prepaid card 170, and the authentication processing system 183 of the card management company 123 is used. And is collated with information in the identification information field 186 of the card identification registration information record 185 in the authentication information database 184 managed in the authentication processing system 183.

The card identification record 185 is composed of a plurality of card identification records 185 including a registration identifier field 186 and an available authentication number field 187. Each of the card identification records 185 is further subordinate to a plurality of registered authenticator fields 190. The registration identifier field 186 and the registration authenticator field 190 are authentication registration information 154 obtained by the same process and method as in FIG. 5, and the total number of the card identification records 185 is the same as that of the shipment. The total number of the IC prepaid card 170, and the total number of the registration authenticator field 190 is obtained by subtracting the total number of the IC prepaid card 170 shipped from the total number of the authenticators 171 included in the shipped IC prepaid card 170. Matches the number. Since the collation is the same as the contents of the previous embodiment, the description is omitted.

If the collation is established here, the numerical value in the usable authentication number field 187 in the card identification record 185 is confirmed. The number of available authentication field 187 is the total number of authenticators 171 in the IC prepaid card 170 at the time of registration, and 0 or more is the number of users 126 who own the IC prepaid card 170. There is a right to receive the specific service as many times as the number of available authentications field 187, and 0 means that the user 126 has used up the right. However, if the usable authentication number field 187 is already 0, the authenticator 171 has been exhausted, and the usable authentication number field 187 The card identification record 185 that has become SO is not subject to verification.

If the verification of the card identification record 185 is established, the authentication processing system 183 sends the value (indx) of the available authentication number field 187 of the force identification registration information record 185 to the IC prepaid card 170 described above. Forward. The IC prepaid card 170 receiving the (indx) extracts (indx) —the first position authenticator (2) from the top of the authenticator 171 and sends it to the authentication processing system 183. Upon receipt of the authenticator (2), the authentication processing system 183 matches the authenticator (189) with the authenticator 189 subordinate to the card identification record 185. As a result of the collation, if the same as the (indx) -th authenticator 189, the number in the usable authentication number field 187 in the card identification record 185 is set to _1, and the IC prepaid card 170 is Notify authentication.

FIG. 10 shows a block diagram of an embodiment of an authenticator generation circuit according to the present invention. This embodiment eliminates the influence of the change of the authenticator 30 related to the authenticator generation circuit 101 constituted by the identification information generation circuit 1000 as shown in FIG. 25 and FIG. 27, and further authenticates difficult to falsify. Is directed to the generator circuit.

[0067] The outline of the authenticator generating circuit will be described. The first authenticator at a certain point of time outputted from the authenticator generating circuit 101 is temporarily stored in the nonvolatile memory (PROM) 401, and the memory of the memory is stored. When the value is the second authenticator and the authenticator is used, the second authenticator is always used, and the first authenticator and the second authenticator are compared and falsification has occurred. It is necessary to prepare a method for detecting the self.

[0068] In response to a request for the control input 410 input to the control circuit 400 in the integrated circuit 04, a control signal 411 is generated, and an authentication code 412 is generated from the authentication code generation circuit 101 by the control signal 411. (Non-volatile memory: read-only memory capable of electrical batch writing) 401 stores an authenticator 412. In response to a request for the control input 410 input to the control circuit 400, the output 413 of the PROM 401 storing the authenticator 412 is output to the output terminal 50 through the output circuit 403. However, the fact that an authenticator can be recorded in a writable memory means that if the reverse is turned back, the possibility of falsification of the authenticator by rewriting the contents of the memory, etc. is recalled by itself. Loses the advantage of the authenticator generation circuit that is targeted by attackers (hereinafter referred to as “attacker”) and cannot be tampered with in the first place Resulting in.

[0069] Therefore, the following means for detecting and protecting the falsification of the authenticator 413 of the PROM 401 by the attacker is provided. The comparison circuit 402 calculates the hamming distance between the authenticator 412 and the output 413 of the PROM 401 in which the authenticator 412 is stored. If the Hamming distance is equal to or greater than a specified value, the detection result 414 indicates that the output circuit 403 The output 50 is forcibly disabled.

[0070] If a method of falsification attack by an attacker on the integrated circuit 04 is shown, the following 1) 1 and 3 are assumed. 1) Attack PR0M401 and alter its value. 2) Attack the authenticator generation circuit and tamper with its value. 3) Attack both the PROM 401 and the authenticator 101 and tamper with their contents.

In the attack method of 1), the worst possible dangerous situation is that an attacker can obtain a method that allows the attacker to selectively and freely change the value of the PR OM401. However, even if a powerful change method is obtained, the attacker can only change the value of the PROM 401 within the specified value by the operation of the comparison circuit 402. In the authenticator according to the present invention, the hamming distances of significant authenticator values are far away from each other, and the value of the authenticator is changed to another significant authenticator by slightly changing the authenticator value. It is difficult to apply.

[0072] In the attack method of 2) above, the attacker can only change the value of the authenticator generation circuit within the specified value by the action of the comparison circuit, as in the attack of 1). . Moreover, since the operating principle of the authenticator generation circuit uses subtle characteristic variations of the MOS transistor element, in order to change the value of the authenticator generating circuit, for example, light, heat, ions, etc. It is necessary to take a method of giving energy, which is more difficult than the attack on PROM 401 described in 1) above, and even more difficult to change to an arbitrary value. In other words, the attack method 2) requires a considerable amount of energy for the act of falsification with low tampering selectivity.

[0073] The attack method of 3) is a combination of the above 1) and 2). Perhaps the attacker changes the value of the authenticator of the authenticator generation circuit by 2), and then by 1) It seems that the method of avoiding the detection of the comparison circuit is taken. However, attack method 3) above However, it is not different from 2) in the difficulty of arbitrarily changing the value of the authenticator generation circuit. That is, the integrated circuit 04 can generate an authenticator for constructing a highly secure system against the tampering attacks by the attackers 1) to 3) that can be assumed. The objects and advantages of the invention relating to the integrated circuit 04 will be better understood in other embodiments described herein.

FIG. 11 is a block diagram showing another embodiment of the semiconductor chip used in the present invention. This embodiment is directed to another integrated circuit on which the integrated circuit 04 is mounted. In integrated circuit 05, RAM 504, arithmetic unit 505 and hash function 506 are added to integrated circuit 04. Has been. An outline of the purpose and effect of the invention relating to the integrated circuit 05 will be described. It is possible to authenticate an integrated circuit or the like on which the integrated circuit 05 is mounted.

A control signal 511 is generated in response to a request for the control input 510 input to the control circuit 500 in the integrated circuit 05, and an authenticator 513 is generated from the integrated circuit 04 by the control signal 511. The authenticator 513 is a value stored in the PROM 401 in the integrated circuit 04 and shows the same value every time a read operation is performed. The RAM 504 is a temporarily readable / writable memory, and temporarily stores an external reference value 515 given to the control circuit 500 from the control signal 510. The computing unit 505 performs an exclusive OR operation between the output value 513 of the integrated circuit 04 and the output value 516 of the RAM 504, and the NO / SH function 506 is the value of the output value 517 of the computing unit 500. The hash value is calculated, and the output circuit 503 outputs the output value 518 of the hash function to the output terminal 520.

FIG. 12 shows a manufacturing process of an IC prepaid card 470 in which the integrated circuit 05 is mounted on an integrated circuit device as shown in FIG. 3 and mounted in the same manner as the IC prepaid card as shown in FIG. A schematic diagram is shown. The integrated circuit device 460 on which the integrated circuit 05 on the wafer 450 on which the semiconductor manufacturing pre-process has been completed is inspected for electrical performance in the IC inspection process 461 and processed into the IC prepaid card 470 in the assembly process 462. The Thereafter, the IC prepaid card 470 is subjected to a final inspection in a card inspection process 463. The card inspection In the step 463, the output value 465 of the reference value generator 474 and the hash value 466 obtained by the hash function in the integrated circuit 05 mounted on the IC prepaid card 470 based on the output value 465 are illustrated. Acquired by a card inspection device that does not, and registers it in the authentication information storage device 467. The IC prepaid card 470 that has passed the card inspection process 463 is shipped as a non-defective product.

In the card verification process 463, in the verification of one IC prepaid card 470, a plurality of seed values 472 and corresponding hash values 473 are acquired and stored in the authentication information storage device 467. Among the plurality of seed values 472 and hash values 473, the seed value 472 in a specific order (for example, the head) uses the hash value 473 generated by the seed key as an identifier of the IC prepaid force 470. Therefore, it is the same regardless of the IC prepaid card 470.

FIG. 13 shows a detailed configuration diagram of the card inspection process 463. The inspection process

463, the IC prepaid card 470 (in this figure, the IC prepaid card 470 is mounted with an integrated circuit device on which the integrated circuit 05 is mounted, and the object and effect of the invention to be described here are The seed value 472 generated by the reference value generator 474 is input to (only the configuration necessary and sufficient for understanding is extracted and shown).

On the other hand, the secret value is automatically generated by the integrated circuit 04 and cannot be known from the outside. The calculator 478 calculates an exclusive OR of the seed value 472 and the secret value 477. A hash value 473 is generated from the calculation result through the no-shake function 471. Even if the seed value 472 is the same, if the IC prepaid card 470 is different, the secret value 477 is different, and thus a hash value 473 having a completely different value is generated. The Due to the characteristics of the one-way hash function, it is impossible to reversely calculate the seed value 472 and the concealment value 477 from the no-shake value 473 even if the IC prepaid card 470 can be obtained.

FIG. 14 shows a configuration diagram of an authentication processing method of the IC prepaid card 470 on which the integrated circuit 05 is mounted. The IC prepaid force 470 inserted in the card reader 121 applies a service authentication request to the authentication system 660 in the card management company 123. The card management company 123 sends an authenticator number (indxO) and an identification reference value R0 to the IC prepaid card 470 in order to identify the IC prepaid card 470. The authenticator number (indxO) is used to identify the IC prepaid card 470 out of the authenticator 652. The reference value R0 is a value common to all other IC prepaid cards 470.

The IC prepaid card 470 that has received the authenticator number (indxO) and the identification reference value R0 calculates the authentication value 651 of the number designated by the authenticator number (indxO) and the reference value RO. The hash value HO is obtained by applying the result 657 calculated in 656 to the hash function, and the system 660 is answered. Upon receiving the hash value H0, the authentication system 660 collates the hash value H0 with the card identifier record 661 in the authentication information database 664. Since the collation is the same as the contents of the previous embodiment, the description is omitted.

The authentication information database 664 includes a plurality of card identifier records 661 including a registration identifier field 662 and a usable authentication number field 666. Each of the card identification records 661 is further subordinate to a plurality of registered authenticator records 667 including a reference value field 669 and a hash value field 670.

The reference value field 669 and the hash value field 670 are the reference value 465 and the registered hash value 466 acquired in the card inspection step 463 of FIG. 12, and the total number of the card identification records 661 is shipped. The total number of the IC prepaid card 470, and the total number of the registered authenticator records 667 is the total number of the IC prepaid cards 470 shipped from the total number of the authenticators 651 included in the shipped IC prepaid card 470. It matches the number obtained by subtracting.

Here, when the collation is established, the numerical value of the usable authentication number field 666 in the card identification record 661 is confirmed. The number of available authentication fields 666 is the total number of authenticators 652 in the IC prepaid card 470 at the time of registration, and the number of zero or more is the number of users 126 who own the IC prepaid card 470. There is a right to receive the specific service as many times as the value of the usable authentication number field 666, and 0 means that the user 126 has used up the right. If the usable authentication number field 666 is already 0, the authenticator 652 is exhausted, and the card identification record 661 for which the usable authentication number field 666 is 0 must be the target. Les.

[0085] When the usable authentication number field 666 is 1 or more, the authentication processing system 660 includes a value (indx) of the usable authentication number field 666 of the card identifier record 661, and (Indx) —transfers the value R of the reference value field 669 in the first registered authenticator record 667 to the IC prepaid card 470.

The IC prepaid card 470 that has received the (indx) and the reference value R reads (indx) —the first position authenticator from the beginning of the authenticator 65 2, and the authentication value by the computing unit 656 And a hash value H obtained by multiplying the hash function 658 of the exclusive OR result of the value and the reference value R is sent to the authentication processing system 660. The authentication processing system 660 that has received the hash value H includes the registration authenticator record 667 corresponding to the reference value R of the reference value field 669 in the registration authenticator record 667 sent to the destination of the hash value H. Confirm that the value matches the value in the hash value field 670. When the result of collation of the hash values matches, the numerical value of the usable authentication number field 666 in the card identification record 666 is set to 1, and the IC prepaid card 470 is notified of authentication.

[0087] Information of the authenticator itself is exchanged between the IC prepaid card 470 and the authentication processing system 660 so that the power of the IC prepaid card 470 and the power of the processing method can be understood. Therefore, it is possible to realize an authentication system that is highly secure against counterfeiting and tampering. The present authentication system can reuse the same IC prepaid card 470 by updating the value of the reference value field 669 and the value of the hash value field 670 in the registered authenticator record 667. . For example, the IC prepaid card 470 is inserted into a dedicated IC card renewal terminal, newly charged, and a new reference value and hash value are registered in the database 664 of the authentication processing system 660 of the card management company 123. In this way, even if the same IC prepaid card is used, forgery of the IC prepaid card and impersonation of the user by a third party can be prevented.

FIG. 15 shows a block diagram of an embodiment in which an electronic key using the identification information generating circuit is applied to plaintext encryption / decryption. The purpose of the present invention relating to the symbol * decoding circuit and the outline of the effect will be described as follows. When encrypting certain original information (plain text), if the original information is encrypted by the No. 4 IV circuit and the cipher text is created, the cipher text is used for encryption. Therefore, decryption is not possible without using the encryption circuit having the secret key (electronic key). The value of the encryption key used in the decryption circuit can be assigned or written from outside the decryption circuit. It is characterized by the fact that it is not necessary to program the memory element or the like and the value cannot be read out, and it is possible to construct an extremely secure cryptographic system.

The integrated circuit 700 includes an encryption circuit 701 and a decryption circuit 702. The plaintext 704 is transferred to the ciphertext 706 using the secret key 703, and the ciphertext 706 is converted to the original plaintext 704 using the secret key 703. This is the same as plain text 705. The encryption circuit 701 and the decryption circuit 702 employ a common key system represented by DES and AES. Since DES can use the same device for encryption and decryption, the scale of the integrated circuit can be reduced. The secret key 703 is mainly generated by the integrated circuit 04. Therefore, the above-described safety effect can be obtained without risk of falsification or leakage of the secret key.

FIG. 16 shows a configuration diagram of an embodiment of the encryption communication method or the specific service providing method using the electronic key according to the present invention. Although not particularly limited, the electronic key of this embodiment is realized as a prepaid card on which the integrated circuit 700 is mounted. On the sender 711 side of the plaintext 710 that is the original information, the ciphertext 712 is transmitted from the plaintext 710 using the function of the integrated circuit 710 mounted on the electronic key 713 provided in the form of prepaid or the like. Create Thereafter, the sender 711 sends the electronic key 713 and the ciphertext 712 to the information receiver 715. The encrypted ciphertext 712 uses a means 717 such as recording on a flexible disk or DVD, or transmitted via a network or the like, and the electronic key 713 uses a transfer means 716 such as manual delivery, mail, or home delivery. The receiver 715 uses the decryption function of the integrated circuit 700 mounted on the electronic key 713 to decrypt the ciphertext 712 to obtain the plaintext 714.

Even if the ciphertext 712 is wiretapped in the middle of the transmission means 717, the plaintext 714 cannot be obtained without the electronic key 713, so that the security is high. Further, since the sender does not know the value of the common key used for encryption, the ciphertext cannot be decrypted without the electronic key 713 itself. Here, it is assumed that the sender and receiver of information are different. In this case, the electronic key 713 is used as a key of electronic data obtained by encrypting important information.

FIG. 17 shows a configuration diagram of another embodiment of the encryption communication method or the specific service providing method using the electronic key according to the present invention. Main examples of the embodiment shown in Fig. 16 The purpose was that sender 710 encrypted and sent important information to recipient 715. On the other hand, in this embodiment, the important information in FIG. 16 is replaced with a key for encryption.

That is, the sender 720, common key 721, electronic key 713, encrypted common key 723, common key 725, receiver 726, transfer means 729, and transmission means 730 in FIG. It corresponds to hand 711, plaintext 710, electronic key 713, ciphertext 712, plaintext 714, receiver 715, transport means 716 and transmission means 717.

[0094] The sender 720 and the receiver 726 are connected to the receiver 726 and the common key by the same procedure as in FIG.

721 and 725 can be shared in advance. After the shared common keys 721 and 725 are pre-shared, the plaintexts 722 and 728 are converted into ciphertext 731 by using the common key and the common key encryption method 喑 decryptors 724 and 727. Can be exchanged.

[0095] In this embodiment, in order to prevent the common key 725 from leaking to a third party, the electronic key 713, the common key 725, and the bag decryption device 727 are made into a plastic case like one integrated circuit device or a prepaid card. By incorporating it in 732, higher safety can be obtained. Further, the common key 721 and the key number 匕 common key 723 may be plural as in the authenticator of the embodiment of the IC prepaid card instead of one.

FIG. 18 shows a configuration diagram of still another embodiment of the encryption communication method or the specific service providing method using the electronic key according to the present invention. An example of a suitable usage method of this embodiment is that a record company distributes software content such as music and video to an authorized user via the Internet, for example. The effect will be better understood.

The IC prepaid card 470 has a one-way hash function. The common key 750 is a hash value generated from the key type 752 by the hash function. The sender 751 registers the combination of the key type 752 and the common key 750 in advance in a database (not shown). The sender 751 encrypts the plaintext 753 by using the common key 750 and the decryption device 754. The receiver 756 obtains 759 the IC prepaid card 470, similarly obtains the Internet equality key type 752, and generates the common key 756 from the key type 752 using the IC prepaid card 470. This allows both parties to share the same common keys 750 and 755 in advance. Thereafter, the ciphertext 761 encrypted by the sender 751 using the common key is decrypted with the common key 755 using the trap decryption device 757 to obtain a plaintext 758. By sharing the common key as described above, the sender 751 and the receiver 756 can be exchanged to exchange information bidirectionally.

[0099] In order to prevent the common key 755 from leaking to a third party, the integrated circuit device 740, the common key 755, and the decryption device 757 are combined into one integrated circuit device (IC prepaid card) 762. Safety can be obtained.

FIG. 19 shows a block diagram of an embodiment of a method for using an electronic key according to the present invention. This embodiment is directed to the case where software content such as music and video is distributed via the Internet.

A distributor who distributes various contents (1) registers the key type 752 and the common key 750 in a database (not shown) as advance preparation. The distributor (2) distributes the IC prepaid card 470 to general users. (3) A user who (3) purchases the IC prepaid card 470 (4) uses the card reader 121 or the like to request (5) distribution of content to the distributor.

(6) The distributor receiving the request receives the IC prepaid card 470 possessed by the requesting user.

(7) To authenticate (8) Send a reference value. The IC prepaid card 470 calculates (9) a hash value, which is the received reference value identification information, and (10) answers to the distributor. The distributor confirms whether the received identification information matches the reference value sent earlier, and if it is authorized S (ll) authentication, (12) To share the common key (13) Send the key type. The user who receives the key type (14) calculates a hash value that is a common key. As a result, the key can be shared by both parties and encryption communication is possible. The user requests (15) content using encryption. The distributor (16) encrypts the requested content using the common key and (17) distributes it to the user. The user decrypts the distributed content using the common key (18). When the content is available, (19) a service termination request is sent and the provision of a series of services is terminated.

[0102] The embodiment described above is one of the preferred fields of use for the IC prepaid card 470, and can be used in various ways.

[0103] The "encryption key" used for encryption and decryption (decryption) in encryption technology is the "encryption key" used for encryption and the "decryption key" used for decryption is completely " Must match. (" In what is called “public key method” or “asymmetric key method”, the combination of both keys is strictly defined as “encryption key” ≠ “decryption key”. It is considered to be the concept of “match” in the sense). This is the iron rule and common sense of cryptography. The “encryption key” here is a “key having a mathematical meaning” in an encryption technology rather than a “key that represents a feature” in security technology or authentication technology. In other words, when an encryption key is formed by an identification information generation circuit using micro-element variations in threshold voltage such as the gate circuit as described above, in order to always reliably extract certain information. In addition, it is necessary to extract the identification information through a storage circuit such as a PROM.

The inventor of the present application has devised a new encryption technique that breaks the common sense of the “signature key” in the encryption technique based on various studies and considerations related to the present invention. That is, a character string or a part of a number string constituting an “encryption key” as formed by an identification information generation circuit using micro-element variation in threshold voltage of the gate circuit or the like is changed slightly. Even an unstable “encryption key” can be used to decrypt information and ciphertext.

FIG. 20 is an explanatory diagram showing an example of the identification information 800 formed by the identification information generation circuit shown in FIG. 25 or FIG. In the identification information 800, due to the principle of the identification information generation circuit, part of bit information constituting the identification information 800 varies randomly. The amount of variation depends on the manufacturing process of the integrated circuit device on which the identification information generating circuit is mounted, but is a few percent. In other words, if the identification information is composed of K bits, this identification information includes “[K] X [average fluctuation amount]” fluctuation bits on average. In any case, the knowledge information 800 itself cannot be used as an “encryption key” used for the encryption technology as described above.

FIG. 21 shows an explanatory diagram of an example of an electronic key such as an encryption key used in the encryption technique according to the present invention. A general “encryption key” of several tens to one hundred bits is used. In this embodiment, the identification information 800 consisting of a plurality of bits (for example, 400 bits) shown in FIG. N = 40 blocks are divided into 801, and 4 blocks are connected and expanded to 40 bits. The combination of the composite block key 810 The total number is a combination (combination) of selecting four of 40 block power, and M = 91, 3 90 ways.

FIG. 22 shows a schematic diagram of the basic concept of the principle of the cryptographic technique according to the present invention. When the plaintext 812 is encrypted by the encryption device 811, if the composite block key 820 created based on the identification information 800 is used, the same number of ciphertexts 813 as the type of the composite block key 820 are obtained from the same plaintext 812. Generated. In the case of the above example, the number is 91,390.

Next, when the decryption device 814 uses the decryption block key 821 to decrypt the ciphertext 813, it is decrypted if the decryption block key 821 is exactly the same as the composite block key 820. The 91 and 390 types of plaintext 815 are all the same as the original plaintext 812. However, it is not assumed by the present invention that the decryption block key 821 and the composite block key 820 are the same. The situation handled by the present invention is that only the identification information 800 is used as the source of the “encryption key” at the time of the encryption and decryption, both in the case of 喑号匕 and decryption. Therefore, there is no knowledge about the decryption block key 820 and the composite block key 821 that are substantially used.

[0109] Further, as described above, the identification information 800, which is a prime element of the "encryption key", changes its constituent bit information from the principle as described above. The key 8 20 and the composite block key 821 are rather premised on not being identical. However, if there are at least one composite block key 820 that is not affected by the fluctuation in the 91,390 types of composite block keys 820, it is possible to obtain a correctly decrypted plain 815.

[0110] As described with reference to Fig. 20, the identification information 800 includes variable bits at a certain rate. Therefore, some of the blocks 801 obtained by dividing the identification information 800 include some variable bits. For this reason, the 91,390 types of composite block keys 821 are not the ones that are all affected by fluctuations, but probabilistically the same as the composite block key 820 at the time of encryption. In other words, plaintext 1 to plaintext M in the decrypted plaintext 815 are correctly decrypted with the same composite block key 821 as the composite block key 820. Whether or not the data has been correctly decrypted can be confirmed by a text digest using a verification code or a hash value inserted in the plaintext 812 in advance.

[0111] The ratio of variable bits included in the identification information 800, that is, the average variable bit rate is predicted. If possible, it can be probabilistically estimated how many of the 40 blocks contain one or more of the variable bits. For example, assuming that the variable bit rate is 5% under the block configuration, the probability of including one or more variable bits in each block is 39%. This 39% number is a block that contains at least 1 bit of variation in all identification information 800 80 1 9%, that is, 15 blocks (= 40 X 39%). This does not mean that there are 61% or 25 (= 40 X 61%) blocks 801 that do not contain bits. It is an average when the infinite number of identification information 800 is targeted, and there may be a probability that the number of blocks 801 including one or more bits of variation is 15 or more and 15 or less.

[0112] As described above, if there is one or more composite block keys 820 that are not affected by the variable bits, decryption is possible. However, this is because the block of the identification information 800 is affected by the variable bits. It is synonymous with 4 or more blocks 801 that are not present. Under the above block configuration, the probability that the block 801 in the identification information 800 is less than 4 blocks not affected by variable bits is about 2 X 10— ^ I / SX IC ^^ S, billion A fraction). In other words, there is a probability that there are only 500 billion pieces of identification information 800 that cannot be decoded at last, and it can be considered that decoding is practically possible in most cases.

[0113] However, these are premised on the above configuration, and depend on the variation rate determined by the manufacturing process in which the identification information generation circuit is implemented, the required secret key specifications, and the like. Needless to say. In other words, it is possible to determine the bit length of the identification information 800 and the minimum specification of the decryption block key from the variation rate and the like.

[0114] FIG. 23 shows a configuration diagram of an embodiment that is effective for an encryption method using the composite block key. The plaintext 834 is encrypted by the encryption device 835 using the common key 831 generated by the random number generator 830 to create a ciphertext 839. A composite key 833 is the composite block key 820 generated by the composite key generation circuit 832, and the common key 831 is a composite key encryption device 836 using the composite key 833, Generate 840. A combination of the ciphertext 839 and the encryption common key 840 is referred to as a composite key ciphertext 837. Speaking of the characteristics of the composite key ciphertext 837, the ciphertext 839 is obtained by signing with a common key 831. The value of the common key 831 is generated artificially by the random number generator 830, and the common key 831 is signed by the composite key 833. The common key 833 is determined artificially by the identification information generation circuit in the composite key generation circuit 832. No one knows the true values of the two keys, and the composite key code sentence 837 cannot be decrypted unless the method described below is used.

FIG. 24 shows an explanatory diagram of a method of decrypting the composite key ciphertext 837. In order to obtain the common key 853 necessary for decrypting the ciphertext 839 included in the composite key ciphertext 837, it is necessary to decrypt the encrypted common key 840. Further, in order to decrypt the key ィ ihi common key 840, a composite key 851 is required, but the composite key 851 can only be generated by the composite key generation circuit 832 itself used for encryption. Therefore, a highly confidential and secure encryption system can be realized.

[0116] In order to realize an encryption method having the above-described features, a random number generation circuit 830, a composite key generation circuit 832, a composite key encryption device 836, and an encryption device 835 necessary for encryption are used. It is desirable that the necessary composite key decryption device 852, decryption device 857 and the common composite key generation circuit are built in an integrated circuit device or a plastic card.

[0117] If the identification information 800 is biased or periodic, the encryption method becomes extremely weak. However, the fact that the identification information generating circuit that generates the identification information 800 generates disordered identification information supports the actions and effects of the present invention. Furthermore, the advantage of using the identification information generation circuit is that it does not use a writable circuit element such as PROM, so it cannot be tampered with by rewriting, and cannot be manipulated artificially. There is no need for a process (can be realized with a standard CMOS process).

[0118] While the invention made by the present inventor has been specifically described based on the embodiments, the present invention is not limited to the above-described embodiments, and various modifications can be made without departing from the scope of the invention. Needless to say, For example, in FIG. 25, the gate circuit can be replaced with an inverter circuit as shown in the second prior art. However, in order to reduce the power consumption, it is desirable to use the CMOS gate circuit as described above. I When an inverter circuit is used, it may be replaced with a clocked inverter circuit as shown in FIG. 29 in order to reduce the current consumption, and activated by an operation control signal.

Industrial applicability

The present invention provides a prepaid card, its settlement system, and an electronic key that is provided with a service using a communication line such as a network, or a specific service provided by hand such as an admission ticket or a check. Can be widely used for what you receive.

Claims

The scope of the claims

[1] including first and second gate circuits formed in the same form with the same manufacturing process,

In the first gate circuit, the first input and the output are connected,

The first input of the second gate circuit is connected to the commonly connected input and output of the first gate circuit,

An operation control signal is supplied to the second input of the first and second gate circuits, and unique identification information determined by the difference in logic threshold value between the first gate circuit and the second gate circuit. A semiconductor chip comprising a plurality of unit identification information generating circuits and outputting identification information consisting of a plurality of bits is formed by a prepaid card promised to provide a predetermined service. There,

The identification information output from the semiconductor chip power of the prepaid card is registered with the service provider,

The prepaid card is characterized in that, when receiving the service provision, the identification information is taken out from the prepaid card and transmitted to the service provider to receive the service provision only once.

[2] In claim 1,

The plurality of unit identification information generation circuits are sequentially activated in response to the operation control signal formed by the sequential circuit,

A prepaid card characterized in that a gate circuit that serially outputs identification information of each unit identification information generation circuit corresponding to the operation sequence is provided at an output section of the plurality of unit identification information generation circuits. .

[3] In claim 2,

The semiconductor chip is

A programmable ROM for storing the identification information;

A prepaid card, further comprising: an arithmetic circuit that calculates a one-way hash value based on the identification information stored in the programmable ROM to obtain the identification information.

[4] In claim 3,

When the output signals of the plurality of unit identification information generation circuits and the output signals of the programmable ROM are compared, and the distance between them is calculated, the semiconductor chip is identified A prepaid card characterized by a tamper detection circuit that invalidates information.

[5] including first and second gate circuits formed in the same form with the same manufacturing process,

In the first gate circuit, the first input and the output are connected,

An operation control signal is supplied to the second input of the first and second gate circuits, and unique identification information determined by the difference in logic threshold value between the first gate circuit and the second gate circuit. A semiconductor chip having a plurality of unit identification information generating circuits and outputting a plurality of bits of identification information is formed on the prepaid card promised to provide a predetermined service. Equipped with

Register the identification information output to the semiconductor chip power of the prepaid card with the service provider,

When providing the service, the identification information is extracted from the prepaid card and compared with the registration information of the service provider. The prepaid card payment system is characterized in that the provision of the service is permitted and the flag of the identification information registered by the service provider is used.

[6] In claim 5,

The plurality of unit identification information generation circuits are sequentially activated in response to an operation control signal formed by a sequential circuit, and an output unit of the plurality of unit identification information generation circuits corresponds to the operation sequence. A gate circuit is provided for serially outputting the identification information of each unit identification information generation circuit.

Programmable ROM for storing the identification information and output of the programmable ROM A prepaid card payment system, further comprising an arithmetic circuit that calculates a one-way hash value based on the identification information output from the force unit to obtain the identification information.

[7] includes first and second gate circuits formed in the same form with the same manufacturing process, wherein the first gate circuit has a first input and an output connected to each other, and the second gate circuit The first input of the path is connected to the commonly connected input and output of the first gate circuit, and an operation control signal is supplied to the second input of the first and second gate circuits. A plurality of unit identification information generating circuits for forming unique identification information determined based on a difference in logic threshold value between the first gate circuit and the second gate circuit based on an output signal of the second gate circuit. An identification information generation circuit that outputs identification information consisting of a plurality of bits, and an encryption circuit that converts plain text input using the identification information formed by the identification information generation circuit as an encryption key into ciphertext,

An electronic key comprising: a single semiconductor chip including a decryption circuit that converts the ciphertext input using the identification information generated by the identification information generation circuit as an encryption key into the original plaintext.

[8] In claim 7,

The semiconductor key includes a programmable ROM for storing the identification information, and the storage information of the programmable ROM is used as the encryption key.

[9] In claim 8,

The electronic key is mounted on a prepaid card promised to provide a predetermined service,

The electronic key characterized in that the provision of the service is realized by returning the ciphertext to plaintext.

[10] In claim 7,

The identification information is divided into a plurality of blocks,

The divided identification information of each block forms a plurality of ciphertexts corresponding to the number of divisions as an encryption key, An electronic key characterized in that decryption processing is performed so that a plurality of ciphertexts corresponding to the number of divisions are decrypted with a plurality of encryption keys corresponding to the division identification information to form a plurality of plaintexts.