Semiconductor device that generates security keys, method for generating a security key and method for registering the security key

DE102018123103B4Active Publication Date: 2026-07-02SAMSUNG ELECTRONICS CO LTD

Patent Information

Authority / Receiving Office
DE · DE
Patent Type
Patents
Current Assignee / Owner
SAMSUNG ELECTRONICS CO LTD
Filing Date
2018-09-20
Publication Date
2026-07-02

AI Technical Summary

Technical Problem

Semiconductor devices with physically unclonable functions (PUFs) generate unique security keys based on process variation, but the data output can contain errors due to process variation, leading to increased bit error rates and longer error correction times, which are problematic as data output sizes increase.

Method used

A semiconductor device with a PUF cell array, non-volatile memory, and decoding units that include an extraction unit, unmasking unit, bit decoding unit, and block decoding unit, which operate in series to extract, correct, and decode bits efficiently, reducing error rates and processing time.

Benefits of technology

The solution effectively reduces bit error rates and operating time for generating security keys, ensuring secure and efficient key generation and registration processes.

✦ Generated by Eureka AI based on patent content.
Patent Text Reader

Abstract

Semiconductor device comprising: a physically non-clonable functional field (PUF) with PUF cells that output first bits; a non-volatile memory configured to store marker bits indicating whether the first bits are valid, first mask bits generated by masking second bits depending on a parity of the second bits, and second mask bits generated by masking auxiliary bits associated with the second bits, wherein the second bits are valid bits derived from the first bits; an extraction unit configured to extract the second bits from the first bits using the marker bits; a de-masking unit configured to de-mask the second bits using the first mask bits while receiving the second bits to provide third bits;a bit decoding unit configured to compress the third bits to provide fourth bits while receiving the third bits; and a block decoding unit configured to generate a security key by decoding the fourth bits and the second mask bits, wherein the extraction unit, the unmasking unit, the bit decoding unit, and the block decoding unit are connected in series and operate simultaneously.
Need to check novelty before this filing date? Find Prior Art

Description

REFERENCE TO RELATED APPLICATIONS

[0001] A claim of priority relates to Korean Patent Application No. 10-2017-0133540, filed on October 13, 2017, and Korean Patent Application No. 10-2018-0057964, filed on May 21, 2018, in the Korean Intellectual Property Office, the entire contents of which are hereby incorporated by reference. BACKGROUND

[0002] The present inventive concepts relate to semiconductor devices that generate a security key, a method for generating the security key, and a method for registering the security key.

[0003] Technologies related to security and encryption have become increasingly important in communications and mobile devices. Since keys generated by software schemes can be lost or stolen through hacking, hardware-based security schemes are currently being developed. In particular, semiconductor devices with a physically unclonable function (PUF) are being developed.

[0004] Semiconductor devices with a PUF can randomly generate a unique key based on a process variation. The key generated by such semiconductor devices can be prevented from being cloned because of the process variation. However, the data output from such semiconductor devices may contain an error due to the process variation. An error correction operation can be used to reduce a bit error rate (BER) of the output data. Currently, as security and encryption have become increasingly important, the size or amount of data output from semiconductor devices has increased, and thus, the time required to perform error correction operations has increased. Accordingly, there is a need to reduce the area and operating time of the semiconductor device. SUMMARY

[0005] Embodiments of the inventive concepts provide a semiconductor device that generates a security key, a method for generating the security key, and a method for registering the security key.

[0006] Embodiments of the inventive concepts provide a semiconductor device including a physically unclonable function (PUF) cell array including PUF cells that output first bits; a non-volatile memory that stores mask bits indicating whether the first bits are valid, first mask bits generated by masking second bits depending on a parity of the second bits, and second mask bits generated by masking auxiliary bits associated with the second bits, the second bits being valid bits from the first bits; an extraction unit that extracts the second bits from the first bits using the mask bits; an unmasking unit that unmasks the second bits using the first mask bits while receiving the second bits to provide third bits;a bit decoding unit that compresses the third bits to provide fourth bits while receiving the third bits; and a block decoding unit that generates a security key by decoding the fourth bits and the second mask bits. The extraction unit, the unmasking unit, the bit decoding unit, and the block decoding unit may be connected in series and may operate simultaneously.

[0007] Embodiments of the inventive concepts also provide a security key generation method for a semiconductor device including a physically unclonable function (PUF) cell array, an extraction unit, a demasking unit, a bit decoding unit, and a block decoding unit connected in series. The security key generation method includes extracting second bits from the first bits by the extraction unit while receiving the first bits from the PUF cell array, and receiving mask bits indicating whether the first bits are valid from a non-volatile memory, the second bits being valid bits from the first bits;Unmasking the second bits by the unmasking unit to provide unmasked third bits using first mask bits while receiving the second bits from the extraction unit and receiving the first mask bits from the non-volatile memory; compressing the unmasked third bits by the bit decoding unit to provide fourth bits while receiving the unmasked third bits from the unmasking unit; and generating a security key by the block decoding unit by decoding the fourth bits and the second mask bits while receiving the fourth bits from the bit decoding unit and the second mask bits from the non-volatile memory.

[0008] Embodiments of the inventive concepts further provide a security key registration method for a semiconductor device including a physically unclonable function (PUF) cell array, an extraction unit, a bit encoding unit, and a block encoding unit connected in series. The security key registration method includes transmitting, by the extraction unit, mask bits indicating second bits from the first bits to a non-volatile memory while receiving the first bits from the PUF cell array, the second bits being valid bits from the first bits; generating first mask bits by the bit encoding unit by encoding the second bits depending on a parity of the second bits while receiving the second bits from the extraction unit, and transmitting the first mask bits to the non-volatile memory;Generating third bits by the bit encoding unit by compressing the second bits; and generating auxiliary bits by the block encoding unit by encoding the third bits, generating second mask bits by masking the auxiliary bits using the third bits, and transmitting the second mask bits to the non-volatile memory while receiving the third bits from the bit encoding unit.

[0009] Embodiments of the inventive concepts further provide an electronic system including a host; and a storage device including a physically unclonable function (PUF) device. The PUF device includes a PUF cell array having PUF cells that output first bits, and a key generation unit configured to extract second bits from the first bits while receiving mask bits from a non-volatile memory and indicating whether the first bits are valid, the second bits being valid bits from the first bits, unmasking the second bits to provide unmasked third bits using first mask bits received from the non-volatile memory, compressing the unmasked third bits to provide fourth bits, and generating a security key by decoding the fourth bits and the second mask bits received from the non-volatile memory.The host is configured to perform an authentication procedure for accessing the storage device based on the security key. Character list

[0010] The above and other objects and features of the inventive concepts will become apparent in view of the following detailed description of exemplary embodiments with reference to the accompanying drawings. Fig. 1 illustrates a block diagram of a semiconductor device according to embodiments of the inventive concepts. Fig. Figure 2 illustrates a block diagram of a key registration unit of Fig. 1 in detail. Fig. 3 illustrates a block diagram of a bit coding unit of Fig. 2 in detail. Fig. 4 illustrates a block diagram of a block coding unit of Fig. 2 in detail. Fig.Figure 5 illustrates a block diagram of a key generation unit of Fig. 1 in detail. Fig. Figure 6 illustrates a block diagram of a demasking unit and a bit decoding unit of Fig. 5 in detail, where there is no error at any output of the PUF cell array. Fig. Figure 7 illustrates a block diagram of a demasking unit and a bit decoding unit of Fig. 5 in detail, where there is an error in an output of the PUF cell array. Fig. Figure 8 illustrates a block diagram of a block decoding unit of Fig. 5 in detail. Fig. Figure 9 illustrates a diagram of how data in a key generation unit of Fig. 1 are processed. Fig. 10 illustrates a flowchart of a key registration process according to embodiments of the inventive concepts. Fig.11 illustrates a flowchart of a key generation process according to embodiments of the inventive concepts. Fig. 12 illustrates a block diagram of an electronic system to which a semiconductor device according to embodiments of the inventive concepts is applied. Fig. Figure 13 illustrates a block diagram of an electronic device in which a smart card of Fig. 12 is applied. Fig. 14 illustrates a block diagram of a computing device to which a semiconductor device according to embodiments of the inventive concepts is applied. DETAILED DESCRIPTION

[0011] Embodiments of the inventive concepts are described below in detail and clearly to such an extent that a person skilled in the art can easily implement the inventive concepts.

[0012] As is traditional in the field of inventive concepts, embodiments may be described and illustrated in terms of units that perform one or more of the described functions. These units, which may be referred to herein as blocks or modules or the like, are physically implemented by analog and / or digital circuits such as logic gates, integrated circuits, microprocessors, microcontrollers, memory circuits, passive electronic components, active electronic components, optical components, hard-wired circuits, and the like, and may optionally be controlled by firmware and / or software. The circuits may, for example, be embodied in one or more semiconductor chips or on substrate carriers such as printed circuit boards and the like. The circuits forming a unit may be implemented by dedicated hardware or by a processor (e.g.,one or more programmed microprocessors and associated circuitry) or by a combination of dedicated hardware for performing some functions of the unit and a processor for performing other functions of the unit. Each unit of the embodiments may be physically separated into two or more interrelated and discrete units without departing from the scope of the inventive concepts. Likewise, the units of the embodiments may be physically combined into more complex units without departing from the scope of the inventive concepts.

[0013] Fig. 1 illustrates a block diagram of a semiconductor device according to embodiments of the inventive concepts. The semiconductor device 100 contains a cell array 110 with physically non-clonable function (PUF), a key registration unit 120 , a key generation unit130 and a non-volatile memory (hereinafter referred to as NVM) 140 .

[0014] The PUF cell array 110 contains PUF cells. The PUF cell array 110 generates a unique electronic signature according to a process variation that occurs during the manufacture of the PUF cell array 110 occurs. Due to process variations, data output from PUF cell arrays of a plurality of semiconductor devices may differ from each other. This means that each of the semiconductor devices using the PUF cell array 110 can generate a unique security key.

[0015] For example, the PUF cell array 110at least one PUF cell based on a threshold voltage of a transistor, an arbiter-based PUF cell (e.g., a feedforward PUF cell, an XOR PUF cell in which arbiter PUF cells are arranged in parallel, or a lightweight PUF cell), a ring oscillator-based PUF cell, a memory-based PUF cell (e.g., a static random access memory (SRAM) PUF cell, a cache PUF cell, a flash memory PUF cell, or a memistor PUF cell), and a PUF cell reconfigurable according to a laser beam or a thermal variation, among other types of PUF cells.

[0016] A bit error rate (BER) of the PUF data received from the PUF cell array 110issued can be high due to process variation. However, the integrity of a key should be ensured if the PUF data is used as a key for encryption and decryption or as a key such as an authentication code. The semiconductor device 100 therefore contains a circuit, module or unit to improve the BER of the PUF data.

[0017] The key registration unit 120 generates data to improve or decrease the BER of the PUF data. The key registration unit 120 stores data used to correct an error in the PUF data through a key registration process in the NVM 140 .

[0018] The key registration unit 120 receives the PUF data from the PUF cell array 110and generates marker data. The marker data may contain mask bits indicating valid bits generated by valid PUF cells of all PUF cells in the PUF cell array 110 The valid PUF cells of the PUF cell array 110 can be selected through various testing processes of a mass production stage. The selected valid PUF cells can be used to register and generate a key, and unselected PUF cells cannot be used to register and generate a key. The key registration unit 120 transfers the marking data to the NVM 140 .

[0019] In one embodiment, the number of mask bits of the marker data may be identical to the number of PUF bits that configure the PUF data. A valid memory map may be created using the mask bits of the marker data that indicate whether the respective PUF cells of the PUF cell array 110 are valid. For example, a mask bit with a logical value of " 1 ” indicate a valid PUF bit, and a mask bit with a logical value of “ 0 " may indicate an invalid PUF bit. In contrast, and as another example, a mask bit with a logical value of " 0 ” indicate a valid PUF bit, and a mask bit with a logical value of “ 1 “ may indicate an invalid PUF bit. That is, the valid memory image composed of mask bits whose number is equal to the number of all PUF cells of the PUF cell array 110 is identical, can be NVM140 be saved.

[0020] The key registration unit 120 can generate data to correct an error in the PUF data. The key registration unit 120 can encode the PUF data of valid PUF cells. The key registration unit 120 can send an encoding result to the NVM 140 The encoding result can be generated based on the PUF data. In the case where the encoding result is stored without change in the NVM 140 stored, an attacker can extract the PUF data using the NVM 140 stored coding result. Accordingly, the coding result may be masked and the masked coding result may be passed to the NVM 140 be transferred.

[0021] With reference to Fig.1, the masked coding result may include first mask data and second mask data. For example, the first mask data is data from which auxiliary data used to correct a bit error of the PUF data is masked, and the second mask data is data from which auxiliary data used to correct a block error of the PUF data is masked. The error of the PUF data may be corrected in bit units or in block units. A 1-bit error may be corrected by bit error correction, and an error of a plurality of bits included in a block may be corrected by block error correction. The size or length of the plurality of bits included in the block may be determined depending on an error correction code.

[0022] In one embodiment, the key registration unit 120used to store the marking data and the masked coding result in the NVM 140 The key registration can only be performed once by the key registration unit 120 be carried out in a mass production process (or a test process). This means that the key registration unit 120 in the mass production process for storing the marking data, the first mask data and the second mask data in the NVM 140 can be used.

[0023] The key generation unit 130 reads the marker data, the first mask data and the second mask data stored in the NVM 140 stored after the key registration process. The key generation unit 130decodes the PUF data using the marker data, the first mask data, and the second mask data, corrects an error that may be contained in the PUF data, and generates a security key (i.e., key). Due to process variation, the PUF data of the key generation process may differ from the PUF data of the key registration process. Nevertheless, the key generation unit may 130 recover a key through bit error correction and block error correction.

[0024] The length of the security key can be determined depending on different applications that the semiconductor device 100 used, such as a security algorithm and an encryption algorithm, and the PUF cell field 110can output the PUF data with a size greater than the length of the security key. According to an embodiment of the inventive concepts, the key registration unit 120 and the key generation unit 130 do not process any PUF bits after all PUF bits required to register and generate a key have been received from the PUF cell array 110 were issued. The key registration unit 120 and the key generation unit 130 can process received PUF bits while extracting the PUF bits from the PUF cell array 110 received.

[0025] The NVM 140 stores the marker data, the first mask data, and the second mask data. With reference to Fig. 1 the NVM 140 than in the semiconductor device 100 contained or in the semiconductor device 100However, the inventive concepts are not limited thereto. For example, the NVM 140 In some embodiments of the inventive concepts, a memory device may be located outside the semiconductor device 100 is positioned.

[0026] In one embodiment of the inventive concepts, the NVM 140 for example, at least one of the following: NAND flash memory, NOR flash memory, resistive random access memory (RRAM), ferroelectric random access memory (FRAM) and phase change random access memory (PRAM), thyristor random access memory (TRAM), magnetic random access memory (MRAM) and one-time programmable (OTP) memory or the like.

[0027] Fig. Figure 2 illustrates a block diagram of a key registration unit of Fig. 1 in detail. Fig. 2 is made with reference to Fig.1. For the purpose of simplification, the representation of the key generation unit 130 from Fig. 1 in Fig. 2 omitted.

[0028] The PUF cell array 110 transmits first data (data 1 ), composed of first bits, to the key registration unit 120 For example, the PUF cell array 110 PUF cells whose number is a multiple of 2 such as 4096. According to an embodiment of the inventive concepts, the PUF cell array 110 the first bits output by all PUF cells may not be sent to the key registration unit at the same time 120 Instead, the PUF cell array can 110 the first bits sequentially to the key registration unit 120transmitted, whereby the first bits may contain a number of bits corresponding to a number of PUF cells that configure a sub-PUF cell array. For example, the sub-PUF cell array may be a PUF cell set consisting of a portion of the PUF cells of the PUF cell array 110 For example, the PUF cell array 110 all first bits to the key registration unit 120 transmitted by sequentially transmitting first bits to the key registration unit 120 in units of the size of a sub-PUF cell array, such as 16 bits or 32 bits.

[0029] The key registration unit 120 contains an extraction unit 121 , a bit coding unit 122 and a block coding unit 123 . With reference to Fig. 2 can extract the unit 121 , the bit coding unit 122 and the block coding unit 123be connected in series to enable pipeline operation. The key registration unit 120 may not have to wait until all the first bits configuring the first data are read from the PUF cell array 110 For example, during the reception of the first bits from the PUF cell array 110 , the number of which corresponds to the number of PUF cells of the sub-PUF cell array (or in units of a sub-PUF cell array), the key registration unit 120 process the received first bits according to the number of PUF cells of the sub-PUF cell array.

[0030] The extraction unit 121 receives the first bits configuring the first data from the PUF cell array 110 . The extraction unit 121 generates mask bits indicating second bits that are valid from the first bits while the first bits are being received. The extraction unit 121transmits the mask bits (marking data) to the NVM 140 . The extraction unit 121 transmits second data (data 2 ), composed of the second bits, to the bit coding unit 122 Here, as described above, the second bits can be valid bits from the received first bits.

[0031] The bit coding unit 122 encodes the second bits in units of bit coding while receiving the second bits containing the second data from the extraction unit 121 For example, the bit coding unit 122generate first mask bits by encoding the second bits, depending on the parity of the second bits, whose size corresponds to the bit encoding unit. The first mask bits can configure the first mask data, and the first mask data can be used to correct an error in the second bits that may occur during the key generation process, in units of one bit. The bit encoding unit 122 transmits the first mask bits (mask data 1 ) to the NVM 140 .

[0032] The bit coding unit 122 also transmits third bits (data 3 ), which are compressed second bits, to the block coding unit 123 Each of the third bits may correspond to a bit that is one of the compressed second bits according to the bit coding unit. The third bits may configure third data.

[0033] The block coding unit 123encodes the third bits in units of block coding while receiving the third bits containing the third data from the bit coding unit 122 For example, the block coding unit 123 generate second mask bits by encoding the third bits, whose size corresponds to the unit of block coding, into an error correction code (ECC). The second mask bits can configure the second mask data, and the second mask data can be used to correct an error in the second bits that may occur during the key generation process, in units of a block. The block coding unit 123 transmits the second mask bits (mask data 2 ) to the NVM 140 .

[0034] In one embodiment of the inventive concepts, the error correction code may be at least one of coded modulations, such as a low-density parity check (LDPC) code, a Bose-Chaudhuri-Hocquenghem (BCH) code, a turbo code, a Reed-Solomon code, a convolutional code, a recursive systematic code (RSC), trellis-coded modulation (TCM), and block-coded modulation (BCM).

[0035] As described above, the PUF cell array 110 , the extraction unit 121 , the bit coding unit 122 and the block coding unit 123 be connected in series. The extraction unit 121 can select the second bits that are valid from the first bits that are received from the PUF cell array 110 output to the bit coding unit 122 transmitted. The bit coding unit 122 can collect and encode the second bits in units of bit coding. The bit coding unit122 can send the third bits to the block coding unit 123 transmitted. The block coding unit 123 can collect and encode the third bits in units of block coding.

[0036] In one embodiment of the inventive concepts, the extraction unit 121 , the bit coding unit 122 and the block coding unit 123 operate based on a clock. The second bits and the third bits can be transmitted synchronously with the clock. For example, the extraction unit 121 and the bit coding unit 122 Confirmation signals ACK exchange with each other to send and receive the second bits based on the clock. The bit encoding unit 122 and the block coding unit 123 can confirmation signals ACK exchange with each other to send and receive the third bits based on the clock.

[0037] The unit of bit coding may be determined depending on a bit error correction code or a bit error correction operation and may be referred to as a "unit of coding for the bit error correction code." For example, the bit error correction code may be a repetition code associated with a majority voting operation. As in the above description, the unit of block coding may be determined depending on a block error correction code or a block error correction operation and may be referred to as a "unit of coding for the block error correction code." For example, the block error correction code may be a BCH code.

[0038] Bits can be sequentially added to the extraction unit 121 , the bit coding unit 122 and the block coding unit 123 transferred, and each of the extraction units 121 , the bit coding unit 122and the block coding unit 123 can process a received bit while receiving a bit. That is, the extraction unit 121 , the bit coding unit 122 and the block coding unit 123 can work simultaneously. While the PUF cell array 110 outputs the first bits, the extraction unit can 121 process the first bits that are first received from the PUF cell array 110 While the extraction unit 121 outputs the second bits, the bit coding unit can 122 from the extraction unit 121 first output second bits. While the bit coding unit 122 outputs the third bits, the block coding unit can 123 which is generated by the bit coding unit 122first output third bits. Accordingly, while the PUF data (i.e., the first data composed of the first bits) from the PUF cell array 110 output, the time required to register a key can be reduced because the marker data, the first mask data and the second mask data stored in the NVM 140 are to be saved.

[0039] Fig. 3 illustrates a block diagram of a bit coding unit of Fig. 2 in detail. Fig. 3 is made with reference to Fig. 2. The bit coding unit 122 contains a first buffer (buffer 1 ) 122_1 , a second buffer (buffer 2 ) 122_2 and a parity checker 122_3 .

[0040] The first buffer 122_1 receives and stores the second bits of the second data from the extraction unit 121. The first buffer 122_1 stored second bits can be extracted by the extraction unit 121 The number of data in the first buffer 122_1 stored second bits can be determined depending on a unit of bit coding. In the case where the bit coding unit 122 the second bits are encoded in dependence on a repetition code, for example, the number of bits stored in the first buffer 122_1 The number of bits to be stored must be an odd number of at least 3 or more. An example is shown in Fig. 3, where three bits in the first buffer 122_1 However, the inventive concepts are not limited thereto, and according to some embodiments of the inventive concepts, the first buffer 122_1 store second bits in units of bit encoding instead of storing all second bits that configure the second data.

[0041] The second buffer 122_2 stores first mask bits of the first mask data which is a result of a bitwise operation of the bit coding unit 122 The number of bits stored in the second buffer 122_2 can also be determined depending on the unit of bit coding and can be identical to the number of bits stored in the first buffer 122_1 should be stored. The second buffer 122_2 can store the first mask bits in units of bit encoding instead of storing all the first mask bits that configure the first mask data.

[0042] The parity checker 122_3 checks the parity of the data in the first buffer 122_1 stored second bits, ie, the number of ones. For example, the parity checker 122_3 a key bit " 0 “ if the number of ones is even, and it can output a key bit “ 1" if the number of ones is odd. Here, the key bit can be a third bit (ie, data 3 ) and is created by compressing the data stored in the first buffer 122_1 stored second bits generated by the parity check.

[0043] The bit coding unit 122 performs the bitwise operation on the second bits stored in the first buffer 122_1 stored, and generates the first mask bits. An example is shown in Fig. 3, where the second bits of “ 101 “ in the first buffer 122_1 are stored. For example, the 122 can perform an exclusive OR (XOR) operation on " 101 " and " 000 “ and can generate the first mask bits. The bit coding unit 122 In addition to the XOR operation, it can perform various operations bitwise, for example an XNOR operation. Here, bits " 000 “ and bits “ 111“, which is used by the parity checker 122_3 issued, based on a verification result of the parity checker 122_3 For example, if the number of ones of the second bits stored in the first buffer 122_1 stored, is even, the bits " 000 “ from the parity checker 122_3 for the bitwise operation. For example, if the number of ones of the second bits stored in the first buffer 122_1 stored is odd, the bits " 111 “ from the parity checker 122_3 for the bitwise operation.

[0044] The following Table 1 shows an operation result of the bit coding unit 122 according to values ​​of the second bits stored in the first buffer 122_1 are stored. [Table 1] Data 2 Number of "1" bits Key bit Bitwise operation Mask data 1 000 Straight 0 000 00 001 Odd 1 110 10 010 Odd 1 101 01 011 Straight 0 011 11 100 Odd 1 011 11 101 Straight 0 101 01 110 Straight 0 110 10 111 Odd 1 000 00

[0045] If the number of ones in Table 1 is even, a result of the bitwise operation of the bit coding unit 122 with one in the first buffer 122_1 stored value. If the number of ones is odd, the result of the bitwise operation of the bit coding unit 122 be an inverted version of a value stored in the first buffer 122_1 A description is given with reference to Fig. 3 and Table 1, while the bit coding unit 122 performs coding based on even parity. In other embodiments of the inventive concepts, the bit coding unit 122 but perform encoding based on odd parity.

[0046] A result of the bitwise operation may be a value that is determined based on the second bits by the bit coding unit 122In the case where the result of the bitwise operation is stored without modification in the NVM 140 stored, an attacker can extract the PUF data from it using the result of the NVM 140 derive or predict the stored bitwise operation. To prevent the PUF data from being derived or predicted, the result of the bitwise operation can be masked.

[0047] In Table 1, two values ​​of second bits that are inversely related to each other have the same result of the bitwise operation. That is, in the case where the second bits are " 000 " or " 111 ” (i.e., are inversely related to each other), the results of the bitwise operations can be identical, i.e., “000”. In the case where the second bits “ 001 " or " 110 “, the results of the bitwise operations can be identical, ie, “ 110". In the case where the second bits " 010 " or " 101 “, the results of the bitwise operations can be identical, ie, “ 101 ". In the case where the second bits " 011 " or " 100 “, the results of the bitwise operations can be identical, ie, “ 011 Although a bit may be removed from the result of the bitwise operation, the removed bit can be restored accordingly depending on the even parity and the odd parity from which the bit coding unit 122 depends.

[0048] That is, the result of the bitwise operation may be masked by removing a bit from the result of the bitwise operation. Any bit corresponding to the result of the bitwise operation may be removed. For example, with reference to Table 1, the first mask bits may be generated by removing a most significant bit (MSB) from the result of the bitwise operation. In other embodiments, in contrast to Table 1, for example, a low-order bit ( LSB ) or an intermediate bit is removed from the result of the bitwise operation. The bit coding unit 122 transmits the remaining bits (ie, the first mask bits) of the bits stored in the second buffer 122_2 except the removed bit are stored to the NVM 140 .

[0049] In one embodiment of the inventive concepts, the bit coding unit 122further a buffer for storing an intermediate value, a final value, etc., which is obtained by encoding the data stored in the first buffer 122_1 stored second bits, checking the parity of the second bits or performing a bitwise operation on the second bits, in addition to the first and second buffers 122_1 and 122_2 contain, which in Fig. 3. In addition, Fig. 3 illustrates an embodiment in which the bit coding unit 122 a first buffer 122_1 and a second buffer 122_2 However, the inventive concepts are not limited to providing a first buffer 122_1 and a second buffer 122_2 and it can contain any number of buffers.

[0050] Fig. 4 illustrates a block diagram of a block coding unit of Fig. 2 in detail. Fig. 4 is made with reference to Fig.2. The block coding unit 123 contains a third buffer (buffer 3 ) 123_1 , a block encoder 123_2 and a fourth buffer (buffer 4 ) 123_3 .

[0051] The third buffer 123_1 receives and stores third bits (key bits) of the third data from the bit coding unit 122 . The third buffer 123_1 stored third bits can be read by the bit coding unit 122 be updated. The third buffer 123_1 can store the third bits in units of block coding. The third buffer 123_1 can store the third bits in units of block coding instead of storing all the third bits configuring the third data.

[0052] The block encoder 123_2encodes the third bits in accordance with a block error correction code (e.g., a BCH code) and generates auxiliary bits. The auxiliary bits may thus be encoded bits generated in response to the third bits. The auxiliary bits may configure auxiliary data, and the auxiliary data may be used to correct an error in the second data (valid data of the PUF data) described above. The auxiliary data may be generated based on the second data (that is, based on the second bits of the second data, which are the valid bits of the first data). In the case where the auxiliary data is stored without modification in the NVM 140 stored, an attacker can extract the PUF data using the NVM 140 stored auxiliary data. To prevent inference or prediction of the PUF data, the auxiliary data can be masked in the same way as in the first masking data.

[0053] To mask the auxiliary bits, the third buffer receives and stores 123_1 furthermore the third bits from the bit coding unit 122 That is, with reference to Fig. 4 the third buffer 123_1 In addition to third bits corresponding to the block error correction operation coding unit, store third bits for masking. The block coding unit 123 a bitwise operation (e.g. an XOR operation) can be performed on the auxiliary bits and the third bits for masking (bit 3 for masking) and can generate second mask bits. The second mask bits can generate the second mask data (mask data 2 ) configure.

[0054] The fourth buffer 123_3 stores the second mask bits of the second mask data which is a result of the bitwise operation of the block coding unit 123 The fourth buffer 123_3may store the second mask bits corresponding to the masked auxiliary bits (ie, auxiliary bits corresponding to the unit of the block error correction operation) generated by the block coding, instead of storing all the second mask bits configuring the second mask data. If all the second mask bits of the second mask data are completely stored by the fourth buffer 123_3 to the NVM 140 transferred, the key registration process ends.

[0055] In one embodiment of the inventive concepts, the block coding unit 123 further a buffer for storing an intermediate value, a final value, etc., which is formed by encoding third bits stored in the third buffer 123_1 stored or generated by performing a bitwise operation on the third bits, in addition to the third and fourth buffers 123_1 and 123_3 included in image 4Furthermore, an embodiment is shown in Fig. 4, in which the block coding unit 123 a third buffer 123_1 and a fourth buffer 123_3 However, the inventive concepts are not limited to a third buffer 123_1 and a fourth buffer 123_3 and it can contain any number of buffers.

[0056] Fig. 5 illustrates a block diagram of a key generation unit of the semiconductor device 100 from Fig. 1 in detail. Before describing Fig. 5 are the first to third dates (ie, dates 1 , Data 2 and data 3 ), which in Fig. 2, data generated in the key registration process, and the first to fourth data generated in Fig.5 are data generated in the key generation process. Accordingly, the first to third data shown in Fig. 2, from the first to fourth dates shown in Fig. 5. Furthermore, for the purpose of simplification, the key registration unit 120 from Fig. 1 not in Fig. 5 shown.

[0057] As with the transfer of initial data to the key registration unit 120 sends the PUF cell field 110 , as in Fig. 5 shown, first data (data 1 ) to the key generation unit 130 . The key generation unit 130 receives the first data from the PUF cell array 110 depending on a request from an application that uses the semiconductor device 100used (or based on a user request or authentication request), and recovers a security key using the marker data (Marker Data), the first mask data (Mask Data 1 ) and the second mask data (mask data 2 ), which the key registration unit 120 in the NVM 140 saves.

[0058] The key generation unit 130 contains the extraction unit 121 , a demasking unit 132 , a bit decoding unit 133 and a block decoding unit 134 . The PUF cell array 110 , the extraction unit 121 , the unmasking unit 132 and the bit decoding unit 133 , and the block decoding unit 134 can be connected in series to enable pipeline operation. As in the key registration unit 120the key generation unit must 130 may not wait until all the first bits that configure the first data are read from the PUF cell array 110 be received to begin processing. While the first bits from the PUF cell array 110 received by a unit of the sub-PUF cell array, the key generation unit 130 process the first bits received.

[0059] The extraction unit 121 can be identical to the extraction unit 121 stored in the key registration unit 120 from Fig. 1 is included. The extraction unit 121 receives the first data (data 1 ) from the PUF cell array 110 in the key generation process. As described above, due to a feature of the PUF cell array 110the first data generated in the key registration process may be identical to or different from the first data generated in the key generation process.

[0060] The extraction unit 121 receives the first bits configuring the first data from the PUF cell array 110 and receives the mask bits that configure the marking data from the NVM 140 . That is, the extraction unit 121 sends the marking data to the NVM 140 in the key registration process and receives the tag data from the NVM 140 in the key generation process.

[0061] The extraction unit 121extracts second bits that are valid from the first bits using the mask bits. As described above, the mask bits can configure the valid memory map that indicates whether the first bits are valid. Accordingly, the extraction unit can 121 Depending on a logical value ("0" or "1") of a mask bit, determine whether a received first bit should be output as a second bit. The extraction unit 121 extracts only valid bits of the first bits. The extraction unit 121 transmits the second bits configuring the second data to the unmasking unit 132 .

[0062] The unmasking unit 132 receives the second bits, which are the second data (data 2 ) from the extraction unit 121 the key generation unit 130 and receives the first mask bits, which configure the first mask data, from the NVM 140. The unmasking unit 132 can unmask the second bits using the first mask bits that configure the first mask data, and can generate third bits that are unmasked while receiving the second bits that configure the second data. Here, the third bits can be third data (data 3 ), and the second data can be converted into the third data for bit error correction by the unmasking operation. The unmasking unit 132 transmits the third bits configuring the third data to the bit decoding unit 133 .

[0063] The bit decoding unit 133 decodes the third bits for a bit error correction operation while receiving the third bits containing the third data from the unmasking unit 132 For example, the bit decoding unit 133perform a majority voting operation on the third bits and can correct a bit error of the second bits. The bit decoding unit 133 compresses the third bits to fourth bits (key bits) and transmits the fourth bits to the block decoding unit 134 . The fourth bits can be fourth data (data 4 ) configure.

[0064] The block decoding unit 134 decodes the fourth bits while receiving the fourth bits containing the fourth data from the bit decoding unit 133 configure. The decoding unit of the block decoding unit 134 can be a block, and the block decoding unit 134 can collect the fourth bits and generate blocks. The block decoding unit 134 receives the second mask bits configuring the second mask data from the NVM 140and unmasks the second mask bits for the auxiliary bits described above (ie, the auxiliary bits of the auxiliary data of Fig. 4). The block decoding unit 134 can correct an error of the second bits depending on an error correction code. That is, the block decoding unit 134 can correct an error by decoding the fourth bits and the second mask bits and can generate a final key (or a security key).

[0065] Fig. Figure 6 illustrates a block diagram of a demasking unit and a bit decoding unit of Fig. 5 in detail, where there is no error at any output of the PUF cell array. Fig. Figure 7 illustrates a block diagram of a demasking unit and a bit decoding unit of Fig. 5 in detail, where an error is present in an output of the PUF cell array. The unmasking unit 132contains a fifth buffer (buffer 5 ) 132_1 and a sixth buffer (buffer 6 ) 132_2 .

[0066] The fifth buffer 132_1 receives and stores the second bits of the second data from the extraction unit 121 the key generation unit 130 . The fifth buffer 132_1 stored second bits can be extracted by the extraction unit 121 The number of data in the fifth buffer 132_1 The number of bits to be stored can be determined in units of bit coding, which can be identical to the units of bit error correction or the units of bit coding. In the case where the bit decoding unit 133 third bits depending on the repetition code, for example, the number of bits in the fifth buffer 132_1 The number of bits to be stored must be an odd number of at least 3 or more.

[0067] An example is in the Fig. 6 and Fig. 7, where three bits in the fifth buffer 132_1 However, the inventive concepts are not limited thereto, and in some embodiments, the fifth buffer 132_1 the second bits in units of bit decoding of the bit decoding unit 133 instead of storing all the second bits that configure the second data.

[0068] In still further embodiments of the inventive concepts, the fifth buffer 132_1 different than in Fig. 6, the second bits are not stored in units of bit decoding. The fifth buffer 132_1 can store at least a second bit instead. In this case, the bit in the fifth buffer 132_1 stored second bit can be made available for a bitwise operation, and then a new second bit can be stored in the fifth buffer 132_1 be saved.

[0069] The sixth buffer 132_2 receives and stores the first mask bits that configure the first mask data from the NVM 140 . The number of in the sixth buffer 132_2 bits to be stored can be determined depending on the unit of bit decoding and can be calculated with the number of bits stored in the fifth buffer 132_1 to be stored must be identical. The sixth buffer 132_2 can store the first mask bits in units of bit decoding instead of storing all the first mask bits that configure the first mask data.

[0070] In some embodiments of the inventive concepts, other than Fig. 6 shows the sixth buffer 132_2 do not store the first mask bits in units of bit decoding. The sixth buffer 132_2 can instead store at least a first mask bit. In this case, a first mask bit in the sixth buffer 132_2stored mask bit can be provided for a bitwise operation, and then a new first mask bit can be stored in the sixth buffer 132_2 be saved.

[0071] The unmasking unit 132 receives the first mask bits, which configure the first mask data, from the NVM 140 and restores any bit removed in an encoding process, depending on the even parity and the odd parity from which the bit encoding unit 122 For example, in the document with reference to Fig. 6 described embodiment, it is assumed that the bit coding unit 122 based on even parity and the NVM 140 transmits the first mask bits of “01”. As in Fig. 6, the unmasking unit 132 the removed bit of " 1 “ depending on the even parity, and “ 101 “ can be found in the sixth buffer132_2 In contrast to the example described above, in other embodiments of the inventive concepts in which the bit coding unit 122 operates on the basis of odd parity, the unmasking unit 132 restore the removed bit depending on the odd parity.

[0072] The unmasking unit 132 performs a bitwise operation on the second bits stored in the fifth buffer 132_1 stored, and the first mask bits stored in the sixth buffer 132_2 stored, and generates third bits (data 3 ). The second bits can be determined by the bitwise operation of the unmasking unit 132 for the third bits. Here, the bitwise operation can be an XOR operation, an XNOR operation, or another logical operation.

[0073] The bit decoding unit 133contains a seventh buffer (buffer 7 ) 133_1 . The seventh buffer 133_1 receives and stores the unmasked third bits of the third data from the unmasking unit 132 . The number of third bits stored in the seventh buffer 133_1 can be determined depending on the unit of bit decoding and can be determined by the number of bits stored in each of the fifth and sixth buffers 132_1 and 132_2 are to be stored must be identical. The seventh buffer 133_1 can store the third bits in units of bit decoding, instead of storing all the third bits that configure the third data. For example, the seventh buffer 133_1 store the third bits in units of the majority decision operation.

[0074] The bit decoding unit 133 can perform the majority decision operation on the third bits stored in the seventh buffer133_1 For example, the bit decoding unit 133 in the seventh buffer 133_1 compressed third bits stored into a key bit (a fourth bit).

[0075] The following Table 2 shows operation results of the unmasking unit 132 and the bit decoding unit 133 according to values ​​of the second bits stored in the fifth buffer 132_1 are stored. [Table 2] Data 2 Mask data 1 Recovered mask data 1 Bitwise operation Key bit 000 00 000 000 0 001 10 110 111 1 010 01 101 111 1 011 11 011 000 0 100 11 011 111 1 101 01 101 000 0 110 10 110 000 0 111 00 000 111 1

[0076] In Table 2, the first mask bits from the NVM 140 transmitted and can be identical to the first mask bits in Table 1. In Table 2, recovered first mask bits in the sixth buffer 132_2 In Table 2, the recovered first mask bits from the unmasking unit 132based on even parity. If there is no error in the second bits, the bits obtained as a result of the bitwise operation can have the same logical value of " 0 " or " 1 “. That is, the bit coding unit 122 may generate the first mask bits in the key registration process, so that bits that are generated as a result of the bitwise operation of the unmasking unit 132 generated (e.g. the XOR operation in Fig. 6) are identical to each other (e.g., 000). An example in which a 2-bit error is corrected is described in detail below.

[0077] Fig. 6 illustrates the case where no error is detected on an output of the PUF cell array 110 The second bits, which are transmitted from the Fig. 2 shown extraction unit 121during the key registration process in response to the first data output by the PUF cell array 110 output can be identical to the second bits output by the Fig. 5 shown extraction unit 121 , during the key generation process in response to the first data output from the PUF cell array 110 That is, as in the case where “ 101 “ in the first buffer 122_1 in picture 3 can be stored, " 101 “ in the fifth buffer 132_1 from Fig. 6 are saved.

[0078] Fig. Figure 7 illustrates the case where an error in the output of the PUF cell array 110 The second bits, which are transmitted from the Fig. 2 shown extraction unit 121issued during the key registration process in response to the first data received from the PUF cell array 110 output may differ from the second bits, which are output by the Fig. 5 shown extraction unit 121 , during the key generation process in response to the first data output by the PUF cell array 110 This is different from the case where “ 101 “ in the first buffer shown in 3 Fig. 122_1 can be stored, second bits, one of which is reversed, for example “ 001 “, in the fifth buffer 132_1 from Fig. 7 are saved.

[0079] The first mask bits are sent by the NVM 140 Accordingly, the first mask bits of " 101 “ identical in the sixth buffer 132_2 from Fig. 6 and the sixth buffer 132_2 from Fig. 7 are saved.

[0080] With reference to Fig. 6 leads the unmasking unit 132 an XOR operation on “ 101 " and " 101 “ and generates the third bits “ 000 “. The bit decoding unit 133 checks the number of zeros and the number of ones from the third bits " 000 ". There " 0 “ bits only in the seventh buffer 133_1 from Fig. 6 are stored, the bit decoding unit 133 a key bit of " 0 " out of.

[0081] With reference to Fig. 7 leads the unmasking unit 132 an XOR operation on “ 001 " and " 101 “ and generates the third bits of “ 100 “. The bit decoding unit 133 checks the number of zeros and the number of ones from the third bits " 100 ". Since a " 1 “ -bit and two “ 0 “ bits in the seventh buffer 133_1from Fig. 7 are stored, the bit decoding unit 133 a key bit " 0 This means that the error of the second bits can be corrected by the majority decision operation. An example is in Fig. 7, in which an MSB of the second bits stored in the fifth buffer 132_1 from Fig. 7 is faulty. However, if the error is in a bit other than the MSB, the error can be corrected by the majority voting process.

[0082] In one embodiment of the inventive concepts, the unmasking unit 132 further a buffer for storing an intermediate value, a final value, etc., which is obtained by unmasking second in the fifth buffer 132_1stored bits, restoring a removed first mask bit, or performing a bitwise operation on the second bits and the first mask bits, in addition to the fifth and sixth buffers 132_1 and 132_2 contained in the Fig. 6 and Fig. 7. An embodiment of the inventive concepts is also shown in the Fig. 6 and Fig. 7 illustrates where the unmasking unit 132 a fifth buffer 132_1 and a sixth buffer 132_2 However, the inventive concepts are not limited to including a fifth buffer 132_1 and a sixth buffer 132_3 and it can contain any number of buffers.

[0083] As in the Fig. 6 and Fig. As shown in Figure 7, the bit decoding unit 133 in addition to the seventh buffer 133_1a buffer for storing an intermediate value, a final value, etc., generated by correcting a bit error. An embodiment is also shown in the Fig. 6 and Fig. 7, in which the bit decoding unit 133 a seventh buffer 133_1 However, the inventive concepts are not limited to including a seventh buffer 133_1 and it can contain any number of buffers.

[0084] Fig. Figure 8 illustrates a block diagram of a block decoding unit of Fig. 5 in detail. Fig. 8 is made with reference to the Fig. 5 to Fig. 7. The block decoding unit 134 contains an eighth buffer (buffer 8 ) 134_1 , a ninth buffer (buffer 9 ) 134_2 and a block decoder 134_3 .

[0085] The eighth buffer 134_1receives and stores fourth bits (key bits) of the fourth data from the bit decoding unit 133 . The eighth buffer 134_1 The stored fourth bits can be read by the bit decoding unit 133 be updated. The eighth buffer 134_1 can store bits in units of block decoding, which can be the unit of block error correction or the unit of block coding. The eighth buffer 134_1 can store the fourth bits in units of block decoding instead of storing all the fourth bits configuring the fourth data. In addition, the eighth buffer receives and stores 134_1 fourth bits from the bit decoding unit 133 for unmasking the second mask bits configuring the second mask data in addition to the fourth bits corresponding to the block decoding unit.

[0086] The ninth buffer 134_2receives and stores the second mask bits from the NVM 140 . The ninth buffer 134_2 may store the second mask bits for unmasking auxiliary data required for a block error correction operation, instead of storing all the second mask bits that configure the second mask data.

[0087] The block decoding unit 134 unmasks the second mask bits that are in the ninth buffer 134_2 stored, using the fourth bits for unmasking, which are stored in the eighth buffer 134_1 are stored. The block decoding unit 134 performs a bitwise operation (e.g. an XOR operation) on the fourth bits to unmask, which in the eighth buffer 134_1 and the second mask bits stored in the ninth buffer 134_2 stored and generates auxiliary bits that configure the auxiliary data.

[0088] The block decoder 134_3decodes block data composed of the fourth bits and the auxiliary data composed of the auxiliary bits, depending on an error correction code, corrects an error, and provides the result as the final key (i.e., the security key). The block error correction code can be a BCH code. The block decoder 134_3 does not decode all bits of the data at once so that the bit error of all these decoded bits can then be corrected. Instead, the block decoder divides 134_3 every fourth bits into a plurality of blocks and performs an error correction operation in units of one block. In addition, all auxiliary bits of the auxiliary data can be divided. Referring to Fig. 8 the block decoder decodes 134_3 the fourth bits received from the eighth buffer 134_1provided in the units of a block and the auxiliary bits obtained as a result of the bitwise operation, and corrects an error in a block.

[0089] In one embodiment of the inventive concepts, the block decoding unit 134 further a buffer for storing an intermediate value, a final value, etc., which is obtained by decoding fourth bits stored in the eighth buffer 134_1 stored, or generated by performing a bitwise operation containing the fourth unmasking bits and the second mask bits, in addition to the eighth and ninth buffers 134_1 and 134_2 , which in Fig. 8. An embodiment is shown in Fig. 8, in which the block decoding unit 134 an eighth buffer 134_1 and a ninth buffer 134_2However, the inventive concepts are not limited to an eighth buffer 134_1 and a ninth buffer 134_2 and it can contain any number of buffers.

[0090] In one embodiment, each of the buffers described above 122_1 , 122_2 , 123_1 , 123_2 , 132_1 , 132_2 , 133_1 , 134_1 and 134_2 be implemented using at least one buffer, one register, and one SRAM. In addition, each of the buffers 122_1 , 122_2 , 123_1 , 123_2 , 132_1 , 132_2 , 133_1 , 134_1 and 134_2 receive or send bits based on the clock and the ACK signal described previously. For example, each of the buffers 122_1 , 122_2 , 123_1 , 123_2 , 132_1 , 132_2 , 133_1 , 134_1 and134_2 be implemented using a shift register that stores the received bits sequentially.

[0091] Fig. Figure 9 shows a diagram illustrating how data in a key generation unit of Fig. 1 are processed. Fig. 9 is made with reference to the Fig. 5 to Fig. 8 described.

[0092] The extraction unit 121 , the unmasking unit 132 , the bit decoding unit 133 and the block decoding unit 134 are connected in series. Referring to Fig. 9 transfers the extraction unit 121 second bits (e.g. as in data 2 ) to the unmasking unit 132 . The unmasking unit 132 sends unmasked third bits (e.g. as in data 3 ) to the bit decoding unit 133 . The bit decoding unit 133collects and decodes the third bits in units of bit decoding. The unit of bit decoding can be referred to as the "unit of decoding a bit error correction code (e.g., a repetition code)." The bit decoding unit 133 transmits fourth bits (e.g. data 4 ) to the block decoding unit 134 . A fourth bit can be generated by compressing at least three third bits. The block decoding unit 134 Collects and decodes the fourth bits in units of block decoding. The unit of block decoding can be defined as "the unit of decoding a block error correction code (e.g., a BCH code)."

[0093] In one embodiment, the extraction unit 121 , the unmasking unit 132 , the bit decoding unit 133 and the block decoding unit 134operate based on a clock. The second bits, the third bits, and the fourth bits can be transmitted synchronously with the clock. For example, the extraction unit 121 and the unmasking unit 132 Exchange confirmation signals with each other to send and receive the second bits based on the clock. The unmasking unit 132 and the bit decoding unit 133 can exchange confirmation signals with each other to send and receive the third bits based on the clock. The bit decoding unit 133 and the block decoding unit 134 can exchange confirmation signals with each other to send and receive the fourth bits based on the clock.

[0094] With reference to Fig. 9 bits can be sequentially transferred to the extraction unit 121 , the unmasking unit 132 , the bit decoding unit 133and the block decoding unit 134 and each of the extraction units 121 , the unmasking unit 132 , the bit decoding unit 133 transmitted, and the block decoding unit 134 can process received bits while receiving bits. That is, the extraction unit 121 , the unmasking unit 132 , the bit decoding unit 133 and the block decoding unit 134 can work at the same time (ie, simultaneously and concurrently). While the PUF cell array 110 outputs the first bits, the extraction unit can 121 the first output of the first bit from the PUF cell array 110 While the extraction unit 121 outputs the second bits, the unmasking unit can 132 the first output of the second bits from the extraction unit 121 While the unmasking unit 132outputs the third bits, the bit decoding unit can 133 by the unmasking unit 132 first output third bits. While the bit decoding unit 133 outputs the fourth bits, the block decoding unit can 134 which is generated by the bit decoding unit 133 Process the fourth bit first output. Accordingly, the time required to generate a key can be reduced.

[0095] Fig. 10 illustrates a flowchart of a key registration process according to an embodiment of the inventive concepts. Fig. 10 is made with reference to Fig. 2 described.

[0096] In operation S110 generates the PUF cell array 110 PUF data (first data). PUF bits of the PUF data may not be output simultaneously. For example, the PUF bits may be output repeatedly in units of 16 Bits or 32Bits corresponding to the size of a sub-PUF cell array are output.

[0097] In operation S121 creates the extraction unit 121 Marking data that indicates valid PUF data. The extraction unit 121 transfers the marking data to the NVM 140 In detail, the extraction unit 121 Mask bits from the first bits indicating second bits that are valid to the NVM 140 while receiving first bits that represent the first data from the PUF cell array 110 configure. In Operation S121 stores the NVM 140 from the extraction unit 121 output marking data. In Operation S122 transfers the extraction unit 121 valid data (second data) to the bit coding unit 122 In one embodiment, the operation S121 and process S122be performed while the PUF data of the operation S110 be transferred.

[0098] In operation S131 checks the bit coding unit 122 the parity of the valid data. The bit coding unit 122 generates a value to be used for a bitwise operation on the valid data depending on the parity of the valid data. In the operation S132 generates the bit coding unit 122 the first mask data depending on the parity of the valid data and transmits the first mask data to the NVM 140 . While in detail the second bits are extracted by the extraction unit 121 received, the bit coding unit 122 generate the first mask bits by encoding the second bits depending on the parity of the second bits and send the first mask bits to the NVM 140 transferred. In operation S132 stores the NVM 140the first marker data received from the bit coding unit 122 be issued.

[0099] In operation S133 generates the bit coding unit 122 Compression data (third data) of the valid data depending on the parity of the valid data (ie, the parity of the second bits). The bit coding unit 122 transmits the compression data to the block coding unit 123 In one embodiment of the inventive concepts, the operation S131 , the operation S132 and the operation S133 be performed while the PUF data of the operation S110 transferred and while the valid data of Operation S121 and surgery S122 be transferred.

[0100] In the operation S141 encodes the block coding unit 123 the compression data and generates the auxiliary data. The block coding unit 123masks the auxiliary data and provides the masked auxiliary data as second mask data. While in detail the third bits are received, which are the second bits generated by the bit coding unit 122 compressed, the block coding unit 123 generate the auxiliary bits by encoding the third bits and mask the auxiliary bits using the third bits for masking.

[0101] In operation S142 transmits the block coding unit 123 the second mask data to the NVM 140 . In operation S142 stores the NVM 140 which is generated by the block coding unit 123 output second mask data. In one embodiment of the inventive concepts, the operation S141 and the operation S142 be performed while the PUF data of the operation S110 transferred, while the valid data of the operation S121 and the operationS122 are transferred, and while the first mask data of the operation S131 and the operation S132 be transferred.

[0102] Fig. 11 illustrates a flowchart of a key generation process according to an embodiment of the inventive concepts. Fig. 11 is made with reference to Fig. 5 described.

[0103] In operation S210 generates the PUF cell array 110 PUF data (first data). The operation S210 can the operation S110 be similar. The S210 generated PUF data can be compared with the data in the operation S110 generated PUF data may be identical or different (if there is an error).

[0104] In the operation S220 transmits the NVM 140 those in the operation S121 stored marking data to the Fig. 5 shown extraction unit 121. In the operation S220 receives the extraction unit 121 which is provided by the NVM 140 output marking data. The extraction unit 121 extracts valid data (second data) from the PUF data using the marker data. The extraction unit 121 transmits the valid data to the unmasking unit 132 In detail, the extraction unit 121 extract second bits that are valid from the first bits, while extracting the first bits that configure the first data from the PUF cell array 110 and receives the mask bits that represent the marking data from the NVM 140 In one embodiment, the operation S220 executed while the PUF data of the operation S210 be transferred.

[0105] In step S230 transmits the NVM 140 which in step S132stored first mask data to the unmasking unit 132 . The unmasking unit 132 receives the first mask data from the NVM 140 . The unmasking unit 132 unmasks valid data using the first mask data. The unmasking unit 132 transmits unmasked data (third data) to the bit decoding unit 133 In detail, the unmasking unit 132 unmask the second bits using the first mask bits, while extracting the second bits from the extraction unit 121 and receives the first masking bits that represent the first mask data from the NVM 140 In one embodiment, the operation S230 executed while the PUF data of the operation S210 sent and while the valid data of the operation S220 be transferred.

[0106] In operation S240performs the bit decoding unit 133 performs a bit error correction operation on the unmasked data. That is, the bit error correction operation is performed on the valid data. For example, the bit error correction operation can be the majority voting operation. The bit decoding unit 133 transmits key bits (fourth data) generated as a result of the majority decision operation to the block decoding unit 134 . In detail, the bit decoding unit 133 compress the third bits to the fourth bits, while extracting the third bits that configure the third data from the unmasking unit 132 In one embodiment, the operation S240 be performed while the PUF data of the operation S210 transferred, while the valid data of the operation S220 are transmitted and while the unmasked data of the operation S230be transferred.

[0107] In operation S251 transmits the NVM 140 those in operation S142 stored second mask data to the block decoding unit 134 . The block decoding unit 134 receives the second mask data from the NVM 140 . The block decoding unit 134 unmasks the second mask data using the key bits and generates the auxiliary data. In the operation S252 decodes the block decoding unit 134 the key bits in units of block decoding using the auxiliary data and corrects an error in units of block decoding using a block error correction code. In the operation S253 generates the block decoding unit 134 a final key (or a security key). In detail, the block decoding unit 134generate a key by decoding the fourth bits and the second mask bits, while the fourth bits are decode by the bit decoding unit 133 are received and the second mask bits from the NVM 140 In one embodiment of the inventive concepts, the third bits for masking, as stored in the third buffer 123_1 in the block coding unit 123 are stored, and the fourth bits for unmasking, as they are in the eighth buffer 134_1 the block decoding unit 134 stored, output bits from a same set of PUF cells within the PUF cell array 110 In one embodiment, the operation S251 until S253 be performed while the PUF data of the operation S210 transferred, while the valid data of the operation S220 transferred, while the unmasked data of the operation S230transmitted, and while the key bits of the operation S240 be transferred.

[0108] In the semiconductor device according to an embodiment of the inventive concept, the operations S210 until S253 at the same time. Although the number of PUF cells, the size of the PUF data, or the size of a security key increases, the sizes of the buffers described above can be 122_1 , 122_2 , 122_3 , 123_1 , 123_2 , 132 1 , 132_2 , 133_1 , 134_1 and 134_2 be maintained consistently. Furthermore, the time required to generate a key can be reduced by processing the PUF data.

[0109] Fig.12 illustrates a block diagram of an electronic system in which a semiconductor device according to embodiments of the inventive concepts is applied. The electronic system 1000 contains a smart card 1100 and a host 1200 .

[0110] The smart card 1100 is a card with one or more integrated circuits. The smart card 1100 can be called an “IC card” or “chip card.” For security, the smart card can 1100 a PUF device 1110 according to embodiments of the inventive concepts. The PUF device 1110 the semiconductor device 100 which, with reference to the Fig. 1 to Fig. 11. The smart card 1100 can perform an authentication procedure with the host 1200 using a security key provided by the PUF device 1110Although in Fig. 12 not illustrated, the smart card 1100 further include a memory for storing data, a processor for processing data, and other various components.

[0111] In one embodiment, the PUF device 1110 be packaged as different semiconductor packages. An integrated circuit can be 1100assembled using packaging technologies such as: Package-on-Package (PoP), Ball Grid Arrays (BGAs), Chip-Scale Packages (CSPs), Plastic-Leaded-Chip-Carriers (PLCC), Plastic-Dual-In-Line Package (PDIP), Die in WaflelpACK, Die-In-Wafer form, Chip-on-Board (COB), Ceramic-In-Line-Package (CERDIP), Metric Quad Flat Pack (MQFP), Thin Quad Flat Pack (TQFP), Small Outline Integrated Circuit (SOIC), Shrink Small Outline Package (SSOP), Thin Small Outline Package (TSOP), System-In Package (SIP), Multi-Chip Package (MCP), Wafer-Level Fabricated Package (WFP) or Wafer Level Stack Package (WSP).

[0112] The host 1200 the authentication procedure with the smart card 1100 using the security key output from the PUF device 1110 After the authentication procedure has been performed, the host can 1200 Data on the smart card 1100 save or data from the smartcard1100 read. The host 1200 can be a computing device with one or more processors, a portable electronic device with an application processor (AP), or a server.

[0113] Fig. Figure 13 illustrates a block diagram of an electronic device in which a smart card of Fig. 12 is applied. The electronic device 2000 may be a data processing device that may, for example, use or support interfaces proposed by the MIPI® (Mobile Industry Processor Interface) Alliance or other interface standards. The electronic device 2000 may be, for example, a portable communications terminal, a personal digital assistant (PDA), a portable multimedia player (PMP), a smartphone or wearable device, or any type of portable device.

[0114] The electronic device 2000the in Fig. The embodiment shown in Figure 13 includes an application processor 2100 , an advertisement 2200 and an image sensor 2300 . The application processor 2100 contains a DigRFSM master 2110 , a serial display interface (DSI) host 2120 , a serial camera interface (CSI) host 2130 and a physical layer 2140 .

[0115] The DSI host 2120 can be connected via the DSI with a DSI device 2210 the ad 2200 For example, an optical serializer SER in the DSI host 2120 be implemented, and an optical deserializer DES can be implemented in the DSI device 2210 be implemented.

[0116] The CSI host 2130 can be done via the CSI with a CSI device 2310 of the image sensor 2300 For example, an optical deserializer DES in the CSI host2130 be implemented, and an optical serializer SER can be integrated in the CSI device 2310 be implemented.

[0117] The electronic device 2000 may further include a radio frequency (RF) chip 2400 that is connected to the application processor 2100 communicates. The RF chip 2400 can be a physical layer (PHY) 2410 , a DigRFSM slave 2420 and an antenna 2430 For example, the physical layer 2410 of the RF chip 2400 and the physical layer 2140 of the application processor 2100 exchange data with each other via a DigRFSM interface supported by the MIPI® Alliance.

[0118] The electronic device 2000 can also have a card memory 2500 included. The card memory 2500 the smartcard can 1100 from Fig.12. After an authentication procedure has been performed, the smart card can 1100 Data with the application processor 2100 in a state where safety is maintained.

[0119] The electronic device 2000 can be connected to an external system through worldwide interoperability for microwave access (WiMAX) 2610 , a wireless local area network (WLAN) 2620 , an ultra-wideband (UWB) 2630 communicate using other wireless distribution methods. The electronic device 2000 may also contain a GPS device (Global Positioning System) 2640 for processing position information. The electronic device 2000 can also have a bridge chip 2650 to manage the connection to peripheral devices.

[0120] Fig.14 illustrates a block diagram of a computing device to which a semiconductor device according to embodiments of the inventive concepts is applied. The computing device 3000 contains a processor 3100 , a RAM 3200 , a PUF device 3300 , a crypto processor 3400 , an NVM interface 3500 , an NVM 3600 and a user interface 3700 , all through the bus 3800 are connected to each other.

[0121] The processor 3100 can comprehensively perform operations of the computing device 3000 control. The processor 3100 , which is a central processing unit, can perform various types of operations. For example, the processor 3100 contain one or more processor cores.

[0122] The RAM 3200 can exchange data with the processor 3100replace. The RAM 3200 may temporarily store data necessary for the operation of the computing device 3000 For example, the RAM 3200 for example, contain a high-speed memory such as DRAM or SRAM.

[0123] The PUF device 3300 the semiconductor device 100 which, with reference to the Fig. 1 to Fig. 11. The PUF device 3300 can generate a key necessary for security. The PUF device 3300 can be implemented with hardware, software, or firmware. The crypto processor 3400 can perform encryption and decryption operations using a key output from the PUF device 3300 carry out.

[0124] The NVM interface 3500 can transfer data with the NVM 3600 under the control of the processor3100 , the PUF device 3300 or the crypto processor 3400 exchange. The NVM 3600 can store data that must be kept independent of a power supply. In one embodiment, the marker data, the first mask data and the second mask data described with reference to Fig. 1, in the NVM 3600 stored, and the PUF device 3300 may not contain NVM in it.

[0125] The user interface 3700 can mediate communication between a user and the computing device 3000 under the control of the processor 3100 In one embodiment, the user interface 3700Input interfaces such as a keyboard, a keypad, a button, a touch panel, a touch screen, a touchpad, a touch ball, a camera, a microphone, a gyroscope sensor, and a vibration sensor, among various other possible input interfaces. Furthermore, the user interface 3700 an output interface such as a liquid crystal display (LCD) device, a light-emitting diode (LED) display device, an organic LED (OLED) display device, an active matrix OLED (AMOLED) display device, a speaker, a motor, or the like.

[0126] The bus 3800 can provide a communication path between the components of the computing device 3000 The components of the computing device 3000can exchange data with each other in accordance with a bus format. In one embodiment, the bus format may include, for example, a Universal Serial Bus (USB) format, a Small Computer System Interface (SCSI) format, a Peripheral Component Interconnect Express (PCIe) bus format, an Advanced Technology Attachment (ATA) bus format, a Parallel ATA (PATA) bus format, a Serial ATA (SATA) bus format, a Serial Attached SCSI (SAS) bus format, and an Integrated Drive Electronics (IDE) bus format, or the like.

[0127] It is described that the semiconductor device 100 Units. The various described units or blocks may be implemented with hardware, software, or firmware, or a combination of hardware, software, and firmware. For example, in some embodiments, the key registration unit 120 which the extraction unit 121, the bit coding unit 122 and the block coding unit 123 and the key generation unit 130 , which the extraction unit 121 , the unmasking unit 132 , the bit decoding unit 133 and the block decoding unit 134 contains hardware, such as logic gates, integrated circuits, passive and active electronic components and / or hard-wired circuits. The units may be circuits. The hardware may optionally be controlled by firmware and / or software. In other embodiments, the key registration unit 120 and the key generation unit 130 implemented by one or more programmed microprocessors. In still further embodiments, the key registration unit 120 and the key generation unit 130be implemented by a combination of dedicated hardware to perform some functions and one or more processors to perform other functions.

[0128] In a semiconductor device according to embodiments of the inventive concepts, PUF data can be processed using a pipeline operation. Although the number of PUF cells, the size of the PUF data, or the size of a security key increases, the size of a buffer that stores data generated during processing while generating a key from the PUF data can be maintained uniformly. Furthermore, the time required to generate a key by processing the PUF data can be reduced.

[0129] While the inventive concepts have been described with reference to exemplary embodiments thereof, it will be apparent to one of ordinary skill in the art that various changes and modifications may be made therein without departing from the spirit and scope of the inventive concepts as set forth in the following claims. QUOTES CONTAINED IN THE DESCRIPTION

[0000] This list of documents submitted by the applicant was generated automatically and is included solely for the convenience of the reader. This list is not part of the German patent or utility model application. The DPMA assumes no liability for any errors or omissions. Cited patent literature

[0000] KR 1020170133540

[0001] KR 1020180057964

[0001]

Claims

[1] A semiconductor device comprising: a physically non-clonable function field (PUF) with PUF cells that output first bits; a non-volatile memory configured to store marker bits indicating whether the first bits are valid, first mask bits generated by masking second bits depending on a parity of the second bits, and second mask bits generated by masking auxiliary bits associated with the second bits, the second bits being valid bits from the first bits; an extraction unit configured to extract the second bits from the first bits using the marker bits; an unmasking unit configured to unmask the second bits using the first mask bits while receiving the second bits to provide third bits; a bit decoding unit configured to compress the third bits to provide fourth bits while receiving the third bits; and a block decoding unit configured to generate a security key by decoding the fourth bits and the second mask bits, wherein the extraction unit, the unmasking unit, the bit decoding unit and the block decoding unit are connected in series and operate simultaneously. [2] The semiconductor device according to claim 1, wherein the unmasking unit is configured to perform a bit-by-bit operation on the second bits and the first mask bits to provide the third bits. [3] The semiconductor device according to claim 2, wherein the demasking unit comprises: a first buffer configured to store at least one bit of the second bits; and a second buffer configured to store at least one bit of the first mask bits, and wherein the unmasking unit is further configured to perform the bitwise operation on bits stored in the first and second buffers. [4] The semiconductor device according to claim 2, wherein the bitwise operation is an exclusive-OR (XOR) operation. [5] The semiconductor device according to claim 1, wherein the bit decoding unit is further configured to correct an error of the second bits by performing a majority decision operation on the third bits, and wherein the block decoding unit is further configured to correct an error of the second bits by decoding the fourth bits and the second mask bits in accordance with a block error correction code. [6] The semiconductor device according to claim 5, wherein the bit decoding unit comprises a buffer configured to store bits, a number of which corresponds to a unit of decoding the majority decision operation from the third bits, and wherein the bit decoding unit is further configured to perform the majority voting operation on the bits stored in the buffer. [7] The semiconductor device according to claim 5, wherein the block decoding unit comprises a buffer configured to store bits, a number of which corresponds to a unit of decoding the block error correction code from the fourth bits, and wherein the block decoding unit is further configured to decode the bits stored in the buffer. [8] The semiconductor device according to claim 7, wherein the block decoding unit is further configured to generate the auxiliary bits by performing a bitwise operation on the second mask bits and bits among the fourth bits corresponding to the second mask bits, and to correct the errors of the second bits using the auxiliary bits. [9] The semiconductor device according to claim 5, wherein the block error correction code comprises a Bose-Chaudhuri-Hocquenghem (BCH) code. [10] The semiconductor device according to claim 1, wherein the extraction unit is configured to send the second bits to the unmasking unit, and the unmasking unit is configured to transmit the third bits to the bit decoding unit in synchronization with a clock. [11] A security key generation method for a semiconductor device comprising a PUF cell array, an extraction unit, a demasking unit, a bit decoding unit, and a block decoding unit connected in series, the method comprising: Extracting second bits from the first bits by the extraction unit while receiving the first bits from the PUF cell array, and receiving flag bits indicating whether the first bits are valid from a non-volatile memory, the second bits being valid bits from the first bits; Unmasking the second bits by the unmasking unit to provide unmasked third bits by using first mask bits while receiving the second bits from the extraction unit and receiving the first mask bits from the non-volatile memory; compressing the unmasked third bits by the bit decoding unit to provide fourth bits while receiving the unmasked third bits from the unmasking unit; and Generating a security key by the block decoding unit by decoding the fourth bits and the second mask bits while receiving the fourth bits from the bit decoding unit and the second mask bits from the non-volatile memory. [12] The method of claim 11, wherein extracting the second bits comprises determining whether the first bits are valid depending on logical values ​​of the marker bits. [13] The method of claim 11, wherein unmasking the second bits comprises performing a bitwise operation on the second bits and the first mask bits. [14] The method of claim 11, wherein compressing the unmasked third bits comprises performing a majority voting operation on the unmasked third bits. [15] The method of claim 11, wherein generating the security key comprises: Generating auxiliary bits by performing a bitwise operation on the second mask bits and bits from the fourth bits corresponding to the second mask bits; and Decoding the fourth bits using the auxiliary bits depending on a block error correction code. [16] A security key registration method for a semiconductor device comprising a PUF cell array, an extraction unit, a bit encoding unit, and a block encoding unit connected in series, the method comprising: transmitting, by the extraction unit, marker bits indicating second bits from the first bits to a non-volatile memory while receiving the first bits from the PUF cell array, the second bits being valid bits from the first bits; generating first mask bits by the bit encoding unit by encoding the second bits depending on a parity of the second bits while receiving the second bits from the extraction unit, and transmitting the first mask bits to the non-volatile memory; generating third bits by the bit encoding unit by compressing the second bits; and generating auxiliary bits by the block coding unit by encoding the third bits, generating second mask bits by masking the auxiliary bits using the third bits, and transmitting the second mask bits to the non-volatile memory while receiving the third bits from the bit coding unit. [17] The method of claim 16, wherein transferring the first mask bits to the non-volatile memory comprises performing a bitwise operation on the second bits depending on the parity of the second bits. [18] The method of claim 17, wherein generating the third bits comprises compressing the second bits depending on the parity of the second bits. [19] The method of claim 16, wherein generating the auxiliary bits comprises generating the auxiliary bits by decoding the third bits in response to a block error correction code. [20] The method of claim 19, wherein transferring the second mask bits to the non-volatile memory further comprises masking the auxiliary bits by performing a bitwise operation on the auxiliary bits and the third bits. [21] Electronic system comprising: a host; and a storage device comprising a physically non-clonable functional device (PUF device), wherein the PUF device comprises: a PUF cell array comprising PUF cells that output first bits, and a key generation unit configured to: Extracting second bits from the first bits while receiving marker bits from a non-volatile memory and indicating whether the first bits are valid, the second bits being valid bits from the first bits, Unmasking the second bits to provide unmasked third bits by using first mask bits received from the non-volatile memory, Compressing the unmasked third bits to provide fourth bits, and Generating a security key by decoding the fourth bits and the second mask bits received from the non-volatile memory, wherein the host is configured to perform an authentication procedure for accessing the storage device based on the security key. [22] The electronic system of claim 21, wherein the key generation unit is configured to perform a bitwise operation on the second bits and the first mask bits to provide the unmasked third bits. [23] The electronic system of claim 22, wherein the bitwise operation is an exclusive-OR (XOR) operation. [24] The electronic system of claim 21, wherein the key generation unit is further configured to correct an error of the second bits by performing a majority voting operation on the unmasked third bits and by decoding the fourth bits and the second mask bits depending on a block error correction code. [25] The electronic system according to claim 21, wherein the key generation unit is configured to generate auxiliary bits by performing a bitwise operation on the second mask bits and bits among the fourth bits corresponding to the second mask bits, and to decode the fourth bits by using the auxiliary bits depending on a block error correction code.