Data Security Device with Analog Components

JP2026041797A5Pending Publication Date: 2026-07-02OPE LLC +1

Patent Information

Authority / Receiving Office
JP · JP
Patent Type
Applications
Current Assignee / Owner
OPE LLC
Filing Date
2025-11-21
Publication Date
2026-07-02

Smart Images

  • Figure 00000000_0000_ABST
    Figure 00000000_0000_ABST
Patent Text Reader

Abstract

A high throughput encryption and decryption system is provided that is equally applicable to data in transit as to data at rest. The data security device includes analog components and control circuitry that operate internally with a high degree of entropy. The high degree of entropy resides in interactions between components responsive to external driving signals that have a sufficiently high level of entropy that digital simulation of the analog components is impractical. In the data security device, a portion of the conversion between plaintext and ciphertext uses analog components. Because analog components are digitally unclonable, the portion of the conversion process that uses the analog components requires possession of the analog components themselves or another analog component with the same signature.
Need to check novelty before this filing date? Find Prior Art

Description

[Technical Field]

[0001] (CROSS-REFERENCE TO RELATED APPLICATIONS) This application claims the benefit of priority from U.S. Provisional Patent Application No. 62 / 517,533, filed June 9, 2017, which is incorporated herein by reference in its entirety. [Brief explanation of the drawings]

[0002] The drawings are included to provide a better understanding of the following description, and are incorporated into and constitute a part of this specification. These drawings illustrate exemplary embodiments of the present disclosure and, together with the detailed description, serve to explain the principles of the disclosure.

[0003] [Figure 1A] 1 illustrates an exemplary embodiment of a first subcomponent 105 of an analog component 100, showing a first tier.

[0004] [Figure 1B] FIG. 1B is a cross-sectional view of the example shown in FIG. 1A. [Figure 1C] FIG. 1B is a cross-sectional view of the example shown in FIG. 1A. [Figure 1D] FIG. 1B is a cross-sectional view of the example shown in FIG. 1A. [Figure 1E] FIG. 1B is a cross-sectional view of the example shown in FIG. 1A. [Figure 1F] FIG. 1B is a cross-sectional view of the example shown in FIG. 1A.

[0005] [Figure 2A] 1 illustrates a second layer of an exemplary embodiment.

[0006] [Figure 2B] FIG. 2B is a cross-sectional view of the example shown in FIG. 2A. [Figure 2C] FIG. 2B is a cross-sectional view of the example shown in FIG. 2A. [Figure 2D] FIG. 2B is a cross-sectional view of the example shown in FIG. 2A. [Figure 2E] FIG. 2B is a cross-sectional view of the example shown in FIG. 2A. [Figure 2F] FIG. 2B is a cross-sectional view of the example shown in FIG. 2A.

[0007] [Figure 3A] 10 illustrates a third layer of an exemplary embodiment.

[0008] [Figure 3B] FIG. 3B is a cross-sectional view of the example shown in FIG. 3A. [Figure 3C] FIG. 3B is a cross-sectional view of the example shown in FIG. 3A. [Figure 3D] FIG. 3B is a cross-sectional view of the example shown in FIG. 3A. [Figure 3E] FIG. 3B is a cross-sectional view of the example shown in FIG. 3A. [Figure 3F] FIG. 3B is a cross-sectional view of the example shown in FIG. 3A.

[0009] [Figure 4A] 10 illustrates a fourth layer of an exemplary embodiment.

[0010] [Figure 4B] FIG. 4B is a cross-sectional view of the example shown in FIG. 4A. [Figure 4C] FIG. 4B is a cross-sectional view of the example shown in FIG. 4A. [Figure 4D] FIG. 4B is a cross-sectional view of the example shown in FIG. 4A. [Figure 4E] FIG. 4B is a cross-sectional view of the example shown in FIG. 4A. [Figure 4F] FIG. 4B is a cross-sectional view of the example shown in FIG. 4A.

[0011] [Figure 5A] 10 illustrates a fourth layer of an exemplary embodiment.

[0012] [Figure 5B] FIG. 5B is a cross-sectional view of the example shown in FIG. 5A. [Figure 5C] FIG. 5B is a cross-sectional view of the example shown in FIG. 5A. [Figure 5D] FIG. 5B is a cross-sectional view of the example shown in FIG. 5A. [Figure 5E] FIG. 5B is a cross-sectional view of the example shown in FIG. 5A. [Figure 5F] FIG. 5B is a cross-sectional view of the example shown in FIG. 5A.

[0013] [Figure 6A] 10 illustrates a fourth layer of an exemplary embodiment.

[0014] [Figure 6B] FIG. 6B is a cross-sectional view of the example shown in FIG. 6A. [Figure 6C] FIG. 6B is a cross-sectional view of the example shown in FIG. 6A. [Figure 6D] FIG. 6B is a cross-sectional view of the example shown in FIG. 6A. [Figure 6E] FIG. 6B is a cross-sectional view of the example shown in FIG. 6A. [Figure 6F] FIG. 6B is a cross-sectional view of the example shown in FIG. 6A.

[0015] [Figure 7A] 10 illustrates a fourth layer of an exemplary embodiment.

[0016] [Figure 7B] FIG. 7B is a cross-sectional view of the example shown in FIG. 7A. [Figure 7C] FIG. 7B is a cross-sectional view of the example shown in FIG. 7A. [Figure 7D] FIG. 7B is a cross-sectional view of the example shown in FIG. 7A. [Figure 7E] FIG. 7B is a cross-sectional view of the example shown in FIG. 7A. [Figure 7F] FIG. 7B is a cross-sectional view of the example shown in FIG. 7A.

[0017] [Figure 8A] 10 illustrates a fourth layer of an exemplary embodiment.

[0018] [Figure 8B] FIG. 8B is a cross-sectional view of the example shown in FIG. 8A. [Figure 8C] FIG. 8B is a cross-sectional view of the example shown in FIG. 8A. [Figure 8D] FIG. 8B is a cross-sectional view of the example shown in FIG. 8A. [Figure 8E] FIG. 8B is a cross-sectional view of the example shown in FIG. 8A. [Figure 8F] FIG. 8B is a cross-sectional view of the example shown in FIG. 8A.

[0019] [Figure 9A] 10 illustrates a fourth layer of an exemplary embodiment.

[0020] [Figure 9B] FIG. 9B is a cross-sectional view of the example shown in FIG. 9A. [Figure 9C] FIG. 9B is a cross-sectional view of the example shown in FIG. 9A. [Figure 9D] FIG. 9B is a cross-sectional view of the example shown in FIG. 9A. [Figure 9E] FIG. 9B is a cross-sectional view of the example shown in FIG. 9A. [Figure 9F] FIG. 9B is a cross-sectional view of the example shown in FIG. 9A.

[0021] [Figure 10A] 10 illustrates a fourth layer of an exemplary embodiment.

[0022] [Figure 10B] FIG. 10B is a cross-sectional view of the example shown in FIG. 10A. [Figure 10C] FIG. 10B is a cross-sectional view of the example shown in FIG. 10A. [Figure 10D] FIG. 10B is a cross-sectional view of the example shown in FIG. 10A. [Figure 10E] FIG. 10B is a cross-sectional view of the example shown in FIG. 10A. [Figure 10F] FIG. 10B is a cross-sectional view of the example shown in FIG. 10A.

[0023] [Figure 11A] 10 illustrates a fourth layer of an exemplary embodiment.

[0024] [Figure 11B] FIG. 11B is a cross-sectional view of the example shown in FIG. 11A. [Figure 11C] FIG. 11B is a cross-sectional view of the example shown in FIG. 11A. [Figure 11D] FIG. 11B is a cross-sectional view of the example shown in FIG. 11A. [Figure 11E] FIG. 11B is a cross-sectional view of the example shown in FIG. 11A. [Figure 11F] FIG. 11B is a cross-sectional view of the example shown in FIG. 11A.

[0025] [Figure 12A] 1 illustrates an exemplary embodiment of a bottom view of the second subcomponent 107 of the analog component 100.

[0026] [Figure 12B] 12B shows a cross section of the example shown in FIG. 12A.

[0027] [Figure 13A] 1 shows a top view of an exemplary embodiment of an analog component 100 assembled with a first subcomponent 105 and a second subcomponent 107. FIG.

[0028] [Figure 13B] 13B illustrates a cross section of the exemplary embodiment shown in FIG. 13A. [Figure 13C] 13B illustrates a cross section of the exemplary embodiment shown in FIG. 13A.

[0029] [Figure 14A] 11F shows an exemplary embodiment similar to that of FIG. 11F assembled as an analog component 100.

[0030] [Figure 14B] 11E shows an exemplary embodiment similar to that of FIG. 11E assembled as an analog component 100.

[0031] [Figure 15] To illustrate an exemplary operation, a first electrode signal line 120 is shown.

[0032] [Figure 16] To illustrate an exemplary operation, first electrode signal line 120 and first electrode 320 are shown.

[0033] [Figure 17] 16 shows an internal top view of a liquid crystal cell 1600 according to an exemplary operation.

[0034] [Figure 18] 16 shows an internal top view of a liquid crystal cell 1600 according to another exemplary operation.

[0035] [Figure 19A] 2 shows a data security device 2000 for performing cryptographic operations.

[0036] [Figure 19B] 2 shows a data security device 2000 for performing a decryption operation.

[0037] [Figure 20] 2 illustrates the relationship between a control circuit 2100 and an analog component 100 in a data security device 2000.

[0038] [Figure 21] 2 illustrates a flow of encryption operations according to an exemplary embodiment in the control circuit 2100.

[0039] [Figure 22] 2 illustrates a flow of decoding operations in the control circuit 2100 according to an exemplary embodiment.

[0040] [Figure 23] The overall structure of an exemplary block cipher E1, which is a 16-round substitution / transposition network, is shown, along with a variant of the block cipher, E2.

[0041] [Figure 24] This shows how the authenticated encryption (AE) scheme works.

[0042] [Figure 25] 1 illustrates the structure of a function EK using a block cipher according to an exemplary embodiment.

[0043] [Figure 26] 1 illustrates a counter mode of operation for encryption according to an exemplary embodiment.

[0044] [Figure 27] 1 illustrates a message authentication code mode of operation according to an exemplary embodiment.

[0045] [Figure 28] 1 illustrates an overall AEA encryption mode according to an exemplary embodiment. DETAILED DESCRIPTION OF THE INVENTION

[0046] The data security device includes analog components that operate internally with a high degree of entropy. This high degree of entropy resides in the interactions between the internal components in response to external driving signals. The interactions within the analog components have a sufficiently high level of entropy that digital simulation of the analog components is impractical. The analog components described below are referred to as digitally unclonable because digital simulation is not practically feasible.

[0047] Analog components, as described below, accept input and generate an output based on this input. If two analog components are identically constructed, they will generate the same output in response to the same input. The manner in which an analog component generates its output from its input is called the analog component's signature.

[0048] A data security device processes data by encrypting plaintext data into ciphertext and / or decrypting data from ciphertext back to plaintext. Part of the conversion between plaintext and ciphertext uses analog components. Because analog components are digitally unclonable (i.e., digital simulation is not practical), parts of the conversion process that use analog components require possession of the analog component itself or other analog components with the same signature.

[0049] In various exemplary embodiments, the signature of a given analog component or a given set of analog components is modified by adjusting the manufacturing process. As described below, this adjustment is easily and inexpensively performed. In other exemplary embodiments, the signature is modified outside of the manufacturing process of the analog components.

[0050] The data security device described below is a high throughput encryption and decryption system that is equally applicable to data in transit and data at rest.

[0051] Through simulation studies, the inventors have found that using a high-performance digital cluster, decoding just one cycle of data requires two years of processing. The next cycle of data requires another two years. This is a function of the high level of entropy mentioned above, which is expanded upon below. Furthermore, quantum computing is not expected to alleviate the impracticality of digitally simulating the functionality of analog components.

[0052] The data security device generally comprises an analog component and a driving component. The analog component will be described first, followed by the driving component.

[0053] Analog Components 1A-18 depict an exemplary embodiment of an analog component 100 for use in a data security device. This exemplary embodiment is a didactic embodiment provided to teach the principles of the inventive concept. Numerous modifications, variations, changes, improvements, and substitutions may occur to those skilled in the art, all of which are deemed to be within the scope of the inventive concept described herein. The metes and bounds of the inventive concept are as set forth in the appended claims. Additionally, unless otherwise specified to the contrary, any known manufacturing techniques may be used to construct the structures depicted in FIGS. 1A-13C, according to the details of available equipment and selected materials.

[0054] 1A-1F partially illustrate a device hereafter referred to as analog component 100. In these figures, a first subcomponent 105 is shown constructed on a first substrate 110. In this exemplary embodiment, the first substrate 110 is a silicon-on-insulator substrate. In other exemplary embodiments, a dielectric layer is applied before adding any structures made of conductive material. The first substrate 110 includes several conductive pads 130. Some of the pads 130 are integral with first electrode signal lines 120, which are also conductive. These figures show 16 first electrode signal lines 120. In other exemplary embodiments, the number of first electrode signal lines 120 is 64 or 128. The term "first" does not imply any order of fabrication, but is used only to distinguish these signal lines from other signal lines described below.

[0055] 2A-2F partially illustrate the first dielectric layer 210 on the arrangement depicted in FIGS. 1A-1F. The signal line vias 220 are filled with a conductive material and extend the first electrode signal lines 120. The pads 130 are similarly extended by pad extensions 230. The exemplary embodiment has 16 signal line vias 220, one for each of the first electrode signal lines 120. FIG. 2C illustrates the signal line vias 220 in direct contact with the first electrode signal lines 120. This arrangement is not strictly necessary, and other intermediate components may be present.

[0056] 3A to 3F partially illustrate the third layer of the first subcomponent 105 of the analog component 100. The third layer includes a ground plane 350 formed of a conductor, a first electrode 320 formed of a conductor, and a second dielectric layer 310 formed of an insulator. Some of the pads 130 extended by the pad extensions 230 are electrically connected to the ground plane 350, and are therefore grounded pads 330.

[0057] In the exemplary embodiment shown in Figure 3A, ground plane 350 defines an interior region in which first electrodes 320 are formed. In the exemplary embodiment shown in Figure 3A, first electrodes 320 are formed entirely on one side of the interior region, with no electrodes on the other side of the interior region.

[0058] FIG. 3A also shows that the first electrodes 320 are formed in rows and columns. The lengths of the first electrodes 320 vary from row to row, as shown in the cross-section of FIG. 3E. The widths and depths of the first electrodes 320 are uniform in each column, as shown in the cross-section of FIG. 3D. With reference to FIG. 3A, for any given two electrodes in different rows, it can be said that the first of the electrodes has a first dimension in a first direction and the second of the electrodes has a second dimension in the same first direction (i.e., along the cross-section of FIG. 3E), where the first dimension is different from the second dimension. In other words, the lengths, widths, or depths of the first electrodes 320 vary.

[0059] 3A-3F, the first electrodes 320 double in length with each row, starting with the row closest to the bottom of the drawing. Other variations in dimensions are possible and constitute alternative exemplary embodiments within the scope of the inventive concept.

[0060] In FIG. 3C , the first electrodes 320 are each electrically connected to the first electrode signal lines 120. Here, "electrically connected" means that charge can travel along the conductor's path. In the exemplary embodiment of FIG. 3C , the conductor's path includes conductive material formed within signal line vias 220. Signal line vias 220 need not strictly be present in all exemplary embodiments. In other exemplary embodiments, the first electrodes 320 are integrally formed with the first electrode signal lines 120. In still other exemplary embodiments, the first electrodes 320 and the first electrode signal lines 120 are electrically connected by additional layers, lines, and vias, depending on the engineering requirements of a given implementation.

[0061] 3C, pad extension 230 is formed over pad extension 230 from a previously formed layer. The reader will understand that in this exemplary embodiment, each layer is built up on pad 130 to facilitate desired access and testing. Pad extension 230 may be omitted from a particular pad 130 if not needed.

[0062] 4A-4F partially illustrate the fourth layer of the first subcomponent 105 of the analog component 100. In this layer, a first cladding layer 410 and several ground plane posts 450 are formed on the third layer. FIG. 4D shows in cross section that the ground plane posts 450 are electrically connected to the ground plane 350.

[0063] 4C and 4E show that the first electrode 320 is directly below the first cladding layer 410.

[0064] 5A-5F partially illustrate the fifth layer of the first subcomponent 105 of the analog component 100, with many elements formed of waveguide material, including input waveguides 561, output waveguides 564, and waveguide spacers 560. In other exemplary embodiments, the number of output waveguides 564 is 16 or more. In the exemplary embodiment of FIGS. 5A-5F, the number of 564 corresponds to the number of columns of the first electrodes 320. Here, the first electrodes 320 are formed in four columns, and there are four output waveguides 564.

[0065] In FIG. 5A, input waveguide 561 is disposed along one edge of the region housing the liquid crystal cell, which will be described later. Output waveguide 564 is disposed at the other end of the region housing the liquid crystal cell, opposite input waveguide 561. The end of the region where input waveguide 561 is located may be referred to as the input end, and the end of the region where output waveguide 564 is located may be referred to as the output end. FIG. 5E shows a cross section of first subcomponent 105 through input waveguide 561, which is on the left side of the figure. FIG. 5F shows a cross section of first subcomponent 105 through one of output waveguides 564 toward the right side of the figure.

[0066] While FIG. 5E shows one of the first electrodes 320 partially underlie the input waveguide 561, in other exemplary embodiments, there is no first electrode 320 underlie any of the waveguides.

[0067] The number, location, and size of the waveguide spacers 560 may be varied. The spacers along the left and right sides of the area containing the liquid crystal cell in this exemplary embodiment facilitate subsequent formation of the cell's sidewalls.

[0068] 6A-6F partially illustrate a sixth layer of the first subcomponent 105 of the analog component 100, in which a third dielectric layer 610 is formed over certain portions of the first subcomponent 105 but not over or removed from other portions, and in which a ground plane post extension 650 is formed. A sensor cavity 660 is formed within the third dielectric layer 610, as shown in FIGS. 6A, 6B, and 6F.

[0069] FIG. 6F shows an example of a sensor cavity 660 positioned to receive the optical output that has passed through an example of an output waveguide 564.

[0070] 7A-7F partially illustrate the seventh layer of the first subcomponent 105, on which sensor signal lines 720 are formed. The sensor signal lines 720 are electrically connected to the pads 130 via pad extensions 230, respectively. Additionally, a ground plane post extension 750 is constructed on one of the ground plane post extensions 650. FIG. 7B shows that the ground plane post extension 750 elevates this particular ground plane post higher than the two ground plane post extensions 650 shown in FIG. 7D. This is a convenient implementation detail provided for grounding in the assembly of the sensor, as described below. Other implementations are within the scope of the inventive concept.

[0071] 8A-8F partially illustrate the eighth layer of the first subcomponent 105 of the analog component 100, which includes a fourth dielectric layer 810 and a sensor signal line via 820. The sensor signal line via 820 is filled with a conductive material and extends the sensor signal line 720. The fourth dielectric layer 810 is not formed or is removed from certain portions of the first subcomponent 105.

[0072] 9A-9F partially illustrate the ninth layer of the first subcomponent 105 of the analog component 100, in which a first polyimide layer 910 is formed at least in the area that houses the liquid crystal cell, and the first polyimide layer 910 is not formed or removed at least within the sensor cavity 660.

[0073] 10A-10F partially illustrate the tenth layer of the first subcomponent 105 of the analog component 100, where conductive epoxy 1050 is provided on the ground plane post extensions 650, and where gasket material 1070 is provided near the waveguide spacer 560, the input waveguide 561, and the output waveguide 564.

[0074] 11A-11F partially illustrate the 11th layer of the first subcomponent 105 of the analog component 100, in which a sensor assembly 1160 is disposed over the sensor cavity 660. The sensor assembly 1160 includes a sensor housing 1161 and one or more sensors 1164. The sensor housing 1161 is grounded to the ground plane 350 via a sensor assembly ground wire 1150, via other conductors depicted in FIG.

[0075] 11A-11F, each output waveguide 564 has a corresponding one of the sensor cavities 660 and a corresponding one of the sensors 1164 located over the sensor cavity 660. The input and output of the sensor 1164 are electrically connected to the sensor signal line 720.

[0076] 11F shows one of the output waveguides 564 in cross section. This output waveguide is positioned to receive optical input from the liquid crystal cell. This output waveguide is also positioned to transmit optical output to a corresponding one of the sensor cavities 660. A corresponding one of the sensors 1164 is positioned over one of the sensor cavities 660 to perform sensing, and the results are output via the sensor signal line 720. The output waveguide transmits the optical output of the liquid crystal cell to the sensor.

[0077] 12A and 12B show the second subcomponent 107 of the first substrate 110. FIG. 12B shows a three-layer construction on the second substrate 1510 to achieve the second subcomponent 107 depicted in FIG. 12A. As a first layer, a second electrode 1420 is formed on the second substrate 1510. In this exemplary embodiment, the second electrode 1420 is formed as the only electrode and covers substantially all of the second substrate 1510.

[0078] As a second layer, a second cladding layer 1310 is formed on the second electrode 1420 except for the location of the second electrode ground post extension 1250. The second electrode ground post extension 1250 is electrically connected to the second electrode 1420.

[0079] As a third layer, a second polyimide layer 1210 is formed on the second cladding layer 1310 except that the second electrode ground post extension 1250 extends through the second cladding layer 1310 .

[0080] 13A-13C show the combination of a first subcomponent 105 and a second subcomponent 107 to form an analog component 100. FIG.

[0081] Prior to assembling the first subcomponent 105 and the second subcomponent 107, the polyimide layer undergoes a pretreatment called rubbing. In an exemplary embodiment, the polyimide layer is rubbed by hand, although other rubbing processes are within the scope of the present invention. Rubbing imparts molecular alignment to the polyimide layer. In an alternative exemplary embodiment, multiple polyimide layers are rubbed to create a disordered molecular alignment. In other words, one or both of the first polyimide layer 910 and the second polyimide layer 1210 are rubbed in more than one direction, which increases the difficulty of predicting or modeling the functionality of the analog component 100.

[0082] 13B, ground plane post extension 650 is bonded to second electrode ground post extension 1250 by conductive epoxy 1050. When second subcomponent 107 is attached to first subcomponent 105, second polyimide layer 1210 compresses and deforms gasket material 1070. The compressed and deformed gasket material 1070 presses against both sides of input waveguide 561, both sides of output waveguide 564, and one side of waveguide spacer 560 to provide sidewalls surrounding the liquid crystal cell cavity.

[0083] 14A and 14B show the cavity filled with liquid crystal material forming liquid crystal cell 1600. In FIG. 14A, an example one of the sensor cavities 660 is shown filled with, for example, an optical oil that facilitates the transmission of light from one of the output waveguides 564 to one of the sensors 1164.

[0084] Insertion of the liquid crystal material into the cavity is accomplished by any conventional method, for example, using a vacuum induced through a port (not shown) that is opened for that purpose and then permanently closed.

[0085] As mentioned above, the first electrodes 320 are electrically connected to the first electrode signal lines 120. Fig. 14B shows that the liquid crystal cell 1600 is located on this first electrode 320. The left and right edges of the first electrode 320 are only partially covered by the liquid crystal cell 1600, but the liquid crystal cell 1600 is located on the first electrode 320.

[0086] Figure 14B also shows a second electrode 1420 on the liquid crystal cell 1600. The example shown in Figure 14B includes only one second electrode over the entire liquid crystal cell 1600. In other exemplary embodiments, multiple second electrodes are provided. Whether only one or more second electrodes are provided, the second electrode must face the first electrode 320 in the manner depicted in Figure 14B. In other words, the first and second electrodes are on opposite sides of the liquid crystal cell 1600 so that an electric charge can be formed between the first electrode 320 and the second electrode 1420, causing the orientation of the crystals in the liquid crystal material to change within the liquid crystal cell 1600.

[0087] Analog component 100 has been taught in relation to first subcomponent 105 and second subcomponent 107. In other exemplary embodiments, analog component 100 is formed with different layers on each subcomponent. In other exemplary embodiments, the layers are combined and / or rearranged.

[0088] Analog Component Operation In operation, an optical input, which in an exemplary embodiment is a coherent optical input, is introduced into input waveguide 561. Input waveguide 561 conveys an optical signal to liquid crystal cell 1600. When first electrode signal line 120 is energized, the charge between first electrode 320 and second electrode 1420 changes the orientation of the crystals within liquid crystal cell 1600. The passage of the optical input through liquid crystal cell 1600 is affected by the orientation of the crystals, which cause diffusion, constructive interference, and destructive interference in unpredictable ways.

[0089] The output waveguides 564 receive whatever optical output of the liquid crystal cell 1600 is and transmit it to the sensor cavity 660. The output is different for each output waveguide. The optical output of the liquid crystal cell 1600 that is conveyed through the output waveguides 564 enters the optical oil in the sensor cavity 660 and is transmitted through this medium to the sensor 1164.

[0090] Thus, the sensor 1164 senses the light output of the liquid crystal cell 1600 .

[0091] 14A and 14B can be modified in many ways depending on the particular sensor assembly 1160. The exemplary embodiment of FIGS. 14A and 14B teaches an implementation in which the sensor assembly 1160 is installed as a separate device at or near the end of the manufacturing process of the analog component 100. The result of this implementation is an angle between the output of the output waveguide 564 and the input to the sensor 1164. Optical oil is used to help the output reach the sensor 1164. Those skilled in the art will recognize alternatives such as the use of angled reflective surfaces within the sensor cavity 660.

[0092] In another exemplary embodiment, the sensor 1164 is fabricated as an integral structure of the analog component 100 and is oriented so that the light output of the liquid crystal cell 1600 passes through the output waveguide 564 and travels directly to the sensor 1164 without changing direction.

[0093] In another exemplary embodiment, the optical output of the liquid crystal cell 1600 is conveyed by the output waveguide 564 to a butt-coupled optical fiber, which provides the output to the sensor 1164 .

[0094] In another exemplary embodiment, the sensor assembly 1160 is off-chip. Having the sensor 1164 on-chip has the advantage that the analog component 100 is more resistant to reverse engineering. The above discussion generally described a device having first electrodes each electrically connected to a first electrode signal line, a liquid crystal cell on the first electrode, one or more second electrodes on the liquid crystal cell facing the first electrode, an input waveguide configured to transmit an optical input to the liquid crystal cell, and a sensor configured to sense an optical output of the liquid crystal cell. The device also has an output waveguide configured to transmit the optical output of the liquid crystal cell to the sensor.

[0095] 14B shows, each of the depicted first electrodes 320 has a different dimension (length in this example) in a first direction (from left to right in this example). These differences in dimensions between the first electrodes 320 have the advantage that the charge supplied between the first electrode 320 and the second electrode 1420, and the corresponding effect on the orientation of the crystals in the liquid crystal cell 1600, will be more chaotic and therefore more resistant to analysis and reverse engineering.

[0096] 3A, the placement of the first electrode 320 can be thought of as an aspect of a particular signature for a given analog component 100. Two instances of analog component 100 with identical signatures will perform identical operations, or nearly identical operations enough to achieve interoperability for purposes of converting between plaintext and ciphertext, as described below. Two instances of analog component 100 with mismatched signatures will not be able to interoperate.

[0097] The analog component 100 described above by way of a simplified example has several aspects that can be easily modified to achieve different signatures. As noted above, the placement of the first electrodes 320 is one such aspect. To achieve a change in the signature of a given device, the manufacturing process simply requires changing the mask that provides the first electrodes 320. The position, length, width, and shape of a given first electrode 320 can be easily altered by changing the mask. Other aspects that can be altered to achieve different signatures of such an analog component include changing the polyimide rubbing of the first polyimide layer 910 and / or the second polyimide layer 1210, changing the formulation applied to the material filling the liquid crystal cell 1600, and changing the specific materials used to construct the input waveguide 561 and the output waveguide 564.

[0098] In various exemplary embodiments, a temperature controller (not shown) adjusts the temperature of the material within liquid crystal cell 1600 to achieve consistent operation in various environments. Another aspect that can be varied to achieve different signatures of analog component 100 is the temperature to which liquid crystal cell 1600 is adjusted.

[0099] The combination of the above aspects may be varied to obtain one or more sets of analog components suitable for interoperation, or to obtain analog components that are not interoperable with others.

[0100] During operation, a steady optical input is introduced into the input waveguide 561. The output of the liquid crystal cell 1600 is sensed by the sensor 1164. Analog component input A to analog component 100 i may be provided via the first electrode signal line. i is a binary value or sequence of bits.

[0101] In an exemplary embodiment partially shown in Figure 15, the analog component 100 has 16 first electrode signal lines 120 individually numbered 120-0 through 120-F. The first electrode signal lines 120 are electrically connected to respective first electrodes 320, so that signals from these first electrode signal lines 120 travel to the first electrodes 320. In an exemplary embodiment partially shown in Figure 16, the analog component 100 has 16 first electrodes 320. The first electrodes 320 are individually numbered 320-0 through 320-F. The first electrode signal line 120-0 is electrically connected to the first electrode 320-0, and so on.

[0102] Analog component input A i is input to analog component 100, 16 bits at a time in this exemplary embodiment. Under control of a clock, for example, each value of the next 16 bits of the bit stream is used to drive a respective one of the first electrode signal lines 120. For example, if the value of the 0th bit is 1, first electrode signal line 120-0 is driven. For example, if the value of the 1st bit is 0, first electrode signal line 120-1 is not driven, and so on up to the Fth bit. Driving a particular one of the first electrode signal lines 120 introduces charge into a corresponding one of the first electrodes 320. Thus, in a particular cycle, the analog component input A i According to the value of the 16-bit bitstream used as the first electrode 320, a charge is introduced to a particular first electrode 320, and no charge is introduced to other first electrodes 320.

[0103] Because all of the first electrodes 320 face at least one second electrode 1420 , the presence of a charge on a given one of the first electrodes 320 affects the crystallization of the liquid crystal material within the liquid crystal cell 1600 .

[0104] Figure 17 shows a 16-bit analog component input A i17 shows an example of a simulation result in which "0110000010010000" is applied to the first electrode signal line 120 as a sigma. Here, the most significant bit (left) is used to drive line 120-0, and the least significant bit (right) is used to drive line 120-F. In this example, lines 120-1, 120-2, 120-8, and 120-B are driven. Corresponding electrodes 320-1, 320-2, 320-8, and 320-B are energized, affecting the orientation of the crystals in liquid crystal cell 1600. In FIG. 17, the crystals in liquid crystal cell 1600, when undisturbed by charge, are represented by rectangular pillars arranged vertically from top to bottom of the page. In the figure, the crystals realign in the direction from the bottom of the page when fully displaced by charge, and adopt an intermediate position when a charge is present but insufficient to fully reorient the crystals.

[0105] Figure 18 is similar to Figure 17, but shows the analog component input A i The 16 bits of the digits are "10111110111100111." Charge is introduced to electrodes 320-0, 320-2 through 320-5, 320-7 through 320-A, and 320-D through 320-F. In this simulation, the area enclosed by the dashed ellipse contains crystals that are affected by the charges of nearby electrodes 320-0, 320-2, 320-D, and 320-F, even though the crystals are not directly under any of the first electrodes 320. These simulated crystals are almost completely reoriented. Now, comparing the area between electrodes 320-5 and 320-6, the crystals between these two electrodes are affected by the nearby charges, but not to the extent that they completely reoriented.

[0106] Light introduced into input waveguide 561 passes to output waveguide 564 differently in the examples of Figures 17 and 18, resulting in a different value sensed by sensor 1164 in each case.

[0107] By varying the lengths of the first electrodes 320, the entropy of the internal interactions between the light introduced through the input waveguide 561 and the multiple crystals within the liquid crystal cell 1600 is increased.

[0108] Forming the first electrode 320 along less than the entire liquid crystal cell 1600 (the half depicted on the right side in Figures 17 and 18) also increases entropy and contributes to the digital unclonability of the analog component 100.

[0109] Analog component input A in the above exemplary embodiment i Each of the four sensors 1164 is sensitive enough to detect 16 variations in light, meaning that each sensor can output a value that can be encoded onto 4 bits. The 4 bits encoded from the output of each of the four sensors 1164 is 16 bits in total. These four sets of 4 bits are concatenated to produce a 16-bit analog component output A o This becomes:

[0110] In the above example, a bit stream was used to drive the first electrode signal line 120 of the analog component 100. This bit stream, which is taken in 16 bits at a time, is more generally referred to as the analog component input A. i is.

[0111] In the example above, the 16-bit analog component output A o The crystal in the liquid crystal cell 1600 is analog component input A i The output of the analog component A is determined by the sensed signal of the sensor 1164 after being affected by the o is the analog component input A i Using the appropriate control circuitry described below, the analog component input A i Based on this, analog component 100 to analog component output A o can be repeatedly obtained to process a bitstream of any length in 16-bit increments.

[0112] In the exemplary embodiment described above, sixteen first electrode signal lines 120, sixteen first electrodes 320, four output waveguides 564, and four sensors 1164 were used, but these numbers are used to teach the reader the concepts of the present invention.

[0113] In another exemplary embodiment, the analog component 100 is designed to process a 256-bit bitstream by using 256 first electrode signal lines 120. This example is hereinafter referred to as a 256-bit chip. These first electrode signal lines 120 are each connected to a corresponding one of the 256 first electrodes 320. These first electrodes 320 are arranged in four columns as in FIG. 18, but with 64 first electrodes 320 in each column. This exemplary embodiment of the 256-bit chip has 64 output waveguides 564, each of which transmits the optical output of the liquid crystal cell 1600 to a corresponding one of the 64 sensors 1164. The sensors 1164 output 4-bit values ​​that are concatenated to form a 256-bit analog component output A. o is provided.

[0114] In yet another exemplary embodiment, similar to the 256-bit chip described in the immediately preceding paragraph, only 32 output waveguides 564 are formed and only 32 sensors 1164 are provided, except that in this example, each sensor is sensitive enough to output an 8-bit value. The 32 8-bit values ​​are concatenated to produce a 256-bit analog component output A o In yet another exemplary embodiment, similar to the 256-bit chip, the first electrodes 320 are arranged in more or fewer rows and columns. In other exemplary embodiments, the positions of the output waveguides 564 are set to maximize entropy. The reader may envision still other variations without departing from the inventive concepts described herein.

[0115] The above description explains how the interconnections between the first electrode signal lines 120 and the first electrodes 320 determine which first electrodes 320 will have charge introduced into them when the first electrode signal lines 120 are activated. Varying the connection pattern between the first electrode signal lines 120 and the first electrodes 320 will result in different signatures of the analog component 100. Therefore, in addition to the several ways in which the configuration of the analog component 100 can be changed, the configuration of the connections between the first electrode signal lines 120 and the first electrodes 320 can also be changed. In one exemplary embodiment, an additional interconnect layer is provided to allow for convenient changes to the connections between the first electrode signal lines 120 and the first electrodes 320.

[0116] Drive Components Analog component 100 is useful, for example, as part of a data security device 2000 shown generally in Figures 19A and 19B. In Figure 19A, data security device 2000 receives a plaintext message M, also referred to as digital data M. The term "plaintext" here does not imply that the plaintext message M must represent a human-readable message. The plaintext message M represents a set of bits before being encrypted. The plaintext message M in various exemplary embodiments is data that has been previously encrypted by some other process, and in other exemplary embodiments, is data that has not been previously encrypted by other processes.

[0117] Through the encryption process, the data security device 2000 converts the plaintext message M into ciphertext C. In Figure 19B, the data security device 2000 receives the ciphertext C. Through the decryption process, the data security device 2000 recovers the ciphertext C into a plaintext message M that matches the plaintext message M originally input in Figure 19A.

[0118] While highly simplified, Figures 19A and 19B provide a general idea of ​​the environment in which analog components 100 are used. The data security device 2000 shown in Figures 19A and 19B is, in one example, the same data security device 2000, but using at least one analog component 100 to perform encryption or decryption. In another example, the data security device 2000 in Figure 19A is separated from the data security device 2000 in Figure 19B via a communications link, and in the exemplary embodiment, is remote from the data security device 2000 in Figure 19B. In this latter example, the signatures of the data security devices 2000 in each of Figures 19A and 19B must match; otherwise, the plaintext message M input to one will not match the plaintext message M output from the other.

[0119] 20 shows in more detail an exemplary embodiment of the data security device 2000 shown in FIG. 19A and subsequent figures. The data security device 2000 includes a control circuit 2100 and an analog component 100. The control circuit 2100 receives a plaintext message M from outside the data security device 2000 and outputs a ciphertext C to the outside of the data security device 2000. The analog component 100 is used as part of the processing of the plaintext message M into the ciphertext C.

[0120] In one exemplary embodiment, the control circuit 2100 is implemented as an application specific integrated circuit (ASIC).

[0121] In another exemplary embodiment, control circuit 2100 is implemented as a field programmable gate array (FPGA). While ASICs are configured before manufacture, FPGAs are integrated circuits that can be configured after manufacture using hardware description languages ​​(HDLs) similar to those used to describe ASICs.

[0122] HDL defines the behavior of the FPGA and programs it to have a structure that performs a defined function: the structure of the FPGA is defined by HDL, and once programmed, the FPGA becomes a structurally unique electronic circuit, like an ASIC.

[0123] The relationship between the structure of an FPGA and the HDL used to program it (and similarly the relationship between the structure of an ASIC and the HDL used to define its fabrication) is now re-expressed as circuits configured (or adapted) to perform various predefined operations, where "predefined operations" are operations embodied in the HDL (or other definition language such as Verilog or VHDL).

[0124] In an exemplary embodiment, the control circuit 2100 is a secure FPGA.

[0125] 21 illustrates an embodiment of a defined operation for encryption by control circuit 2100. This embodiment assumes that the plaintext message M is processed sequentially in units appropriate for the particular analog component 100. For example, for the analog component 100 shown in FIGS. 1A-18, an appropriate unit is 16 bits. For the 256-bit exemplary embodiment, this unit is 256 bits. In the following, an appropriately sized unit is generally referred to as a chunk.

[0126] Next, the symbols used in FIG. 21 will be explained.

[0127] In Figure 21, a plaintext message M has length |M| and is divided into m chunks M i where i=1,...,m. Symbol M i denotes the i-th chunk of the plaintext message M.

[0128] Figure 21 includes the concept of a keystream S, also called a digital keystream S. A keystream is made up of m chunks S i where i=1,...,m. S iare the respective M i is generated for

[0129] The ciphertext C is C i =M i XOR S i By doing so, m chunks C i where i=1,...,m.

[0130] N is a nonce. K1 and K2 are 256-bit keys.

number

number

[0131] The analog component, whether it is a 16-bit version, a 256-bit version, or another exemplary embodiment, is represented as A. The analog component input is A i and the analog component output is A o is.

[0132] Based on the above, the function E K teeth

number

number

number

[0133] E K Using the definition of (x), the keystream S is

number

number

[0134] The process of Figure 21 begins when some plaintext message M is to be encrypted. A counter is initialized in s2110. The first chunk of bits M i is obtained in s2120. If the chunk is too short, it is padded to a value sufficient to create the chunk. When the chunk is padded, the padded digits are later discarded and are not included in the ciphertext C.

[0135] Processing continues at s2130, and the sum of nonce N and i minus 1 is E1. K1 The result is used in s2140 to drive the first electrode signal lines 120 of the analog component 100, introducing charge into the particular first electrode 320, thereby changing the orientation of the liquid crystal in the liquid crystal cell 1600. The output of the sensor 1164 is represented in digital form and is represented by A o This is obtained as

number

number

[0136] In s2150, the result is encrypted again using K1,

number

[0137] The operations s2130 through s2150 incorporate a first encryption and key K1. In fact, the first encryption is used twice: once at N+i-1 to generate the analog component input, and once at the analog component output. This first encryption is a block cipher in the exemplary embodiment. The operation at s2160 incorporates a second encryption and key K2, which is different from key K1. In the exemplary embodiment, the second encryption is also a block cipher. At s2160, the second encryption is performed at N+i-1, resulting in (E2 K2 (N=I-1) is obtained.

[0138] In s2170, an XOR operation is performed to obtain Si.

[0139] In s2180, M i and S i The XOR operation is performed on C i is obtained.

[0140] In s2190, chunk M is processed by M. i If there are any chunks remaining, processing continues at s2195 followed by s2120. Incrementing the counter at s2195 causes processing to proceed to the next chunk M i On the other hand, if there are no chunks left to process, encryption ends except for discarding the padded digits.

[0141] FIG. 22 shows the defined operation of the control circuit 2100 during decoding.

[0142] Figure 22 is identical to Figure 21 with two exceptions: in s2220, instead of a chunk of plaintext message M, a chunk C of ciphertext C is used. i is obtained. In s2280, C i and S i The XOR operation is performed on M iis obtained.

[0143] In the encryption process

number

number

number

[0144] Additional aspects of the control circuit 2100 can be provided to improve the security of the data security device 2000.

[0145] Detailed implementation A more detailed implementation of the defined operations of control circuit 2100 will now be described in accordance with an exemplary embodiment, in which the more detailed operations implement Authenticated Encryption Over Analog Components (AEA) as a specific type of Authenticated Encryption (AE).

[0146] In an exemplary embodiment, the block cipher E1 is a substitution / transposition network according to Figure 23. The block cipher E1 has a block length of 256 bits and a key size of 256 bits. It accepts as input a 256-bit plaintext X and a 256-bit key K, and generates a corresponding 256-bit ciphertext Y = E1. K Generate (x).

[0147] The block cipher E2 is used to establish a baseline level of security that relies solely on digital components. In this example, the block cipher E2 is designed as a variant of E1, and its overall structure is also shown in Figure 23. It is a substitution / transposition network with a block length of 256 bits and a key size of 256 bits. It accepts as input a 256-bit plaintext X and a 256-bit master key K, and generates the corresponding 256-bit ciphertext Y=E2 K Generate (x).

[0148] In an exemplary embodiment, E2 shares both the global SPN structure and the structure of the round transformation and key schedule with E1, although the permutation layer, diffusion layer, and round key distribution components are different from those of E1.

[0149] Permutation layer: Different nonlinear 8-bit S-boxes are used.

[0150] Diffusion layer: A different 32x32 MDS matrix is ​​used.

[0151] Key Appending: Derive subkeys from the master key using different 256-bit round constants.

[0152] In an exemplary embodiment, E1 and E2 are substitution / transposition networks with a full MDS diffusion layer similar to the block cipher SHARK (Vincent Rijmen, Joan Daemen, Bart Preneel, Antoon Bosselaers, Erik De Win: The cipher SHARK. FSE 1996, LNCS 1039, pp. 99-111). Unlike AES, the MDS matrix is ​​applied to the entire state in each round, and not just one column. While somewhat more expensive in terms of implementation efficiency, this leads to very rapid diffusion (full diffusion is reached in just one round), and the cryptanalytic properties decay much faster over several rounds. The table below compares E1 / E2 with both SHARK and AES. [Table 1]

[0153] AEA AEA is a mode for authenticated encryption (AE) according to the inventive concept, which utilizes block ciphers E1 and E2 and an analog component A that maps a 256-bit input to a 256-bit output. The AEA mode does not assume that analog component A is strictly bijective; it allows for incompleteness in the bijection. However, component A is a deterministic function, which means that equal inputs result in equal outputs.

[0154] AE One goal of an authenticated encryption (AE) scheme is to provide confidentiality and authenticity / integrity simultaneously, which can be achieved by combining an encryption algorithm, such as a block cipher, with an authenticity and integrity mechanism, such as a message authentication code (MAC).

[0155] Upon inputting a message and a key, the AE algorithm outputs the corresponding ciphertext and authentication tag. During decryption, this authentication tag is verified. Upon successful verification, the plaintext is returned; otherwise, a failure is signaled and the plaintext is not recovered. The basic idea is that only the owner of the key can generate a valid authentication tag, and if the ciphertext or tag (or both) are altered in transit, there is a high probability that the verification will fail.

[0156] Similar to the block cipher mode of operation, many AE schemes also take as input a nonce (a one-time number that is made public but not repeated with the same key). The nonce input must be the same for encryption and decryption of a particular message.

[0157] The operation is shown in Figure 24, which shows nonce-based authenticated encryption. The sender sends a nonce N, a ciphertext C, and a tag T. Nonce N is only used for a single message under the same key.

[0158] Interface The authenticated encryption AEA mode of operation takes as input the following: 1. A 512-bit private key K, which includes a 256-bit private key K1 and a 256-bit private key K2, i.e., K=(K1,K2); i) The key K1 is tightly integrated with the analog component A, for example on an ASIC chip. ii) Key K2 can be located outside the hardware module containing analog component A, for example on an FPGA or in user software, for the purpose of establishing a baseline level of security for authenticated encryption. 2. A 256-bit nonce N (a one-time number); 3. Length

number

[0159] When used for encryption and authentication, it outputs a ciphertext of the same length as the message input, along with an authentication tag T of 256 bits in length.

number

number

[0160] Below we define the various building blocks and finally the AEA encryption, decryption / verification algorithms.

[0161] CTR mode The building block CTR(N,K,M) consists of a 256-bit nonce N, a 512-bit key K, and a message input M (of length

number

number

number

number

number

[0162] CBC-MAC The building block CBC(K,M) is a 512-bit key K and message input M (length

number

number

[0163] where E K (M) is defined as above in CTR encryption. Function EK This MAC algorithm based on is shown in FIG.

[0164] Padding Padding Algorithm

number

number

number

number

[0165] Message Authentication Code (MAC) algorithm The MAC algorithm MAC(t,K,M) takes as input a 256-bit integer t, a 512-bit key K, and a length

number

number

number

[0166] AEA-ENCRYPT: Encryption and tag generation The AEA authenticated encryption algorithm AEA-ENCRYPT(K,N,M) has a 512-bit key K, a 256-bit nonce N, and a length

number

number

[0167] Using a different constant (the integer t) for the two MAC invocations ensures proper domain separation between the processing of the nonce and ciphertext blocks.

[0168] Note that the ciphertext always has the same length as the plaintext. The overall operation of the AEA algorithm is shown in Figure 28.

[0169] AEA-VERIFY: Decryption and tag verification AEA Decoding and Verification Algorithm

number

number

[0170] Design Rationale and Security Analysis Counter mode encryption routine E K (M)

number

[0171] The overall structure of operation of the AEA authenticated mode is not the same as the EAX design (see M. Bellare, P. Rogaway and D. Wagner, "A Conventional Authenticated-Encryption Mode," 2003). EAX uses a conventional block cipher call for counter-mode encryption instead of the AEA E1 / A / E2 design. Also, the AEA MAC design is different from OMAC. The difference between the two keys L1 and L2 is the difference between the two keys L1 and L2 in the finite field.

number

[0172] AEA uses forward implementations of the block ciphers E1 and E2, and does not use their inverse functions, which further improves implementation characteristics, especially in hardware.

[0173] The AEA mode of operation benefits from the provable security properties of EAX. As an authenticated encryption mode of operation, two security concepts are important: privacy and authenticity. Privacy refers to the confidentiality of the plaintext, and authenticity refers to security against forgery attacks.

[0174] The EAX authors prove that for these two security concepts, the advantage of an attacker querying a message block of σn bits or less (possibly over many queries) is bounded as follows:

number

number

[0175] A further difference between AEA and EAX concerns the use of an analog component A that is not necessarily bijective. However, the security analysis of EAX actually abstracts from the full block cipher and assumes a random n-bit to n-bit function. The security bounds mentioned above are derived using the assumption of a random function. This is because the non-bijective nature of A implies that the collision probability of a 256-bit to 256-bit random function, i.e., 1 / 2 256 which means that the security bound applies equally to AEA if either block cipher E1 is a secure pseudorandom permutation or block cipher E2 is a secure pseudorandom permutation.

[0176] Since both E1 and E2 are designed to be secure pseudorandom permutations, the security limits of EAX also apply to AEA.

[0177] Finally, the provable security analysis of EAX applicable to AEA assumes a nonce-sensitive attacker, so no guarantees are made when nonce is repeated. For this reason, AEA uses unique nonces.

[0178] Partial compromise analysis The above security analysis applies to the standard model in which cryptographic keys are assumed not to be compromised, and the attacker's goal is to either decrypt a new ciphertext or successfully forge a new message with a valid authentication tag, the latter in one of two settings: Existential forgery: Deriving valid new message / tag pairs without control over the message content. Universal forgery: Derive any valid new message / tag pair with full control over the message content.

[0179] All of this is not possible if the key is not compromised, up to the proven security limits outlined above.

[0180] E K Describe the impact of compromising one or two components of cryptography. Recall the following definitions:

number

[0181] In the first scenario (S1), the digital part E2 K2 In the second scenario (S2), all digitally implemented functions can be reconstructed by the attacker, i.e., E1 K1 and E2 K2Any query against both K1 and K2 may be computed, with or without recovery of both K1 and K2. Note that this second scenario corresponds to the compromise of the entire master key K = (K1, K2).

[0182] Security against S1 attacks In this scenario, the attacker can determine if E2 K2 (x) can be computed. For security goals, this has the following implications:

[0183] Confidentiality: Ciphertext block C i To decrypt, the attacker must

number

number

number

[0184] Forgery: As outlined above, an attacker can forge E2 K2 Given only knowledge of , the attacker cannot compute the counter keystream. The attacker cannot create the correct ciphertext corresponding to his chosen plaintext, and universal forgery is ruled out. In the case of existential forgery, the attacker could try to compute the correct tag for a random ciphertext (or a ciphertext obtained from another query with the same key). However, to generate the correct CBC-MAC ciphertext, which he does not have,

number

[0185] In summary,

number

number

[0186] Security against S2 attacks In this scenario, the attacker can

number

[0187] Confidentiality: Ciphertext block C i To decrypt the

number

number

number

number

number

number

[0188] Forgery: As in the (S1) scenario, security against both existential and universal forgery now depends entirely on the unique uncompromised component A. If the collision probability is higher than random, the corresponding confidentiality bound is

number

number

[0189] In summary,

number

[0190] Post-quantum security Using quantum computers, and in particular Grover's algorithm, the problem of exhaustively searching keys for symmetric encryption algorithms such as E1 and E2 can be sped up as a function of the square root of the search space. Using Grover's algorithm, a k-bit key can be found in O(2 k ) instead of O(2 k / 2) time. E1 and E2 are assumed to be 256-bit keys, and therefore still provide a 128-bit quantized security level. A second consideration is the size of the quantum circuit (number of qubits) required to actually implement Grover's algorithm to exhaustively search for keys of the complete block cipher. Recent work (M. Grassl et al.: Applying Grover's Algorithm to AES: Quantum Resource Estimates, PQCrypto 2016) estimates that a total of 6681 qubit quantum circuits are required to attack AES-256. The time complexity is 1.44 × 2 151 It is estimated that E1 and E2 are designed with larger state sizes, so a successful quantum attack would require at least the resources mentioned above.

[0191] The second concern is the post-quantum security of the AEA mode of operation. As a composite mode, its security is based on the security of the underlying CBC and CTR modes of operation. Both CBC and CTR are well-known to provide indistinguishable chosen-plaintext attack (IND-CPA) security against quantum attackers under standard PRF assumptions whenever the encryption algorithm is implemented classically. This means that a quantum attacker can simply use a quantum algorithm to process normal encryption queries without requiring any special quantum encryption queries. The situation changes if the encryption algorithm is also implemented on a quantum computer and the attacker can request quantum queries with superimposed messages. Recent research (M. Anand et al.: Post-quantum Security of the CBC, CFB, OFB, CTR, and XTS Modes of Operation, PQCrypto 2016) reveals that in this case, the standard non-quantum PRF assumptions of the underlying block cipher are only sufficient to achieve IND-qCPA for CTR, but not for CBC. For CBC to provide IND-qCPA security, the underlying block cipher needs to be a qPRF (quantum secure PRF).

[0192] AES-based variants In an alternative embodiment, the dedicated block ciphers E2 and / or E1 used in the AEA can be replaced with an AES-based block cipher construction. Since AES is a 128-bit block cipher, it is transformed into a 256-bit block cipher using a balanced Feistel network with AES-256 (the key is a 256-bit key) as the F function. The encryption of a 256-bit input X to a ciphertext Y under a 256-bit key K is given as follows:

number

number

number

[0193] If AES-256 is a secure block cipher, Dai and Steinberger's results (Yuanxi Dai, John Steinberger: Indifferntiability in 8-round Feistel networks, CRYPTO 2016) suggest indifferntiability from random permutations after 8 rounds, with 2 additional rounds added for an additional security margin.

[0194] Promiscuity is a very powerful security concept. For example, birthday bounds (2 128 Security against all adaptively chosen plaintext attacks up to 1000 is achieved after just four rounds (M. Luby, C. Rackoff, How to construct pseudorandom permutations from pseudo-random functions, SIAM Journal on Computing, vol. 17, n. 2, pp. 373-386, April 1988).

[0195] Sample Application Programming Interface Encryption:

number

[0196] Decryption and verification:

number

[0197] Other features and functions will occur to those skilled in the art, and such variations are anticipated in light of the complete and detailed examples provided above, but such variations should not be considered outside the scope and spirit of the following claims.

[0198] (Addendum) (Appendix 1) First electrodes electrically connected to the first electrode signal lines, respectively; a liquid crystal cell on the first electrode; one or more second electrodes on the liquid crystal cell and facing the first electrodes; an input waveguide configured to transmit an optical input to the liquid crystal cell; a sensor configured to sense the light output of the liquid crystal cell; An apparatus comprising:

[0199] (Appendix 2) 10. The device of claim 1, further comprising an output waveguide that transmits the optical output of the liquid crystal cell to the sensor.

[0200] (Appendix 3) a first one of the first electrodes having a first dimension in a first direction; a second one of the first electrodes having a second dimension in the first direction; Further comprising: the first dimension value is different from the second dimension value; 10. The apparatus described in Appendix 1.

[0201] (Appendix 4) 10. The device of claim 1, further comprising a polyimide layer in contact with the liquid crystal cell and having a random molecular alignment.

[0202] (Appendix 5) Analog components and Obtaining digital data M of length |M| and a digital keystream

number

number

number

number

number

number

[0203] (Appendix 6) the analog component A includes a liquid crystal cell having a first electrode on a first side and a second electrode on a second side; The control circuit is E1 K1 (N) to drive the first electrode; Analog component output A o is determined by sensing the light output of the liquid crystal cell driven by the control circuit. 10. The apparatus described in Appendix 5.

Claims

1. A light source configured to output a constant light signal, A liquid crystal cell configured to receive the aforementioned constant optical signal, having a first electrode and one or more second electrodes facing the first electrode, A sensor configured to provide a sensor output based on sensing the light output of the liquid crystal cell, A first electrode signal line electrically connected to the first electrode, The system comprises a control circuit that is electrically connected to the first electrode signal line and drives the first electrode, The aforementioned control circuit is Use nonce N to obtain the nonce value, The nonce value is encrypted with the first key K1 to obtain the first encrypted value E1. K1 Obtain, The first encrypted value E1 K1 Based on this, a drive signal A is applied to the first electrode. i Generate, The aforementioned drive signal A i While the first electrode is being driven, the sensor output is acquired, and the acquired sensor output is represented in digital format as digital representation A. o Provided, The aforementioned digital representation A o Adapted to perform operations including creating a digital keystream S based on, Device.

2. The control circuit further, Input Digital Data D i Obtain, the input digital data D i and calculates output digital data D o based on the digital key stream S The apparatus according to claim 1.

3. The control circuit further, The aforementioned output digital data D o of [Math 1] Calculate as follows: The apparatus according to claim 2.

4. The control circuit further, Using the first key K1, the digital representation A o Encrypt it and double encryption value E1 K1 (A o ) provides, The aforementioned double-encrypted value E1 K1 (A o The digital key stream S is created based on the above. The apparatus according to claim 1.

5. The control circuit further, The nonce value is encrypted with the second key K2 to obtain the second encrypted value E2 K2 Obtain, The second encrypted value E2 K2 Based on this, the aforementioned digital key stream S is created. The apparatus according to claim 1.

6. The control circuit further, Using the first key K1, the digital representation A o Encrypt it and double encryption value E1 K1 (A o ) provides, The nonce value is encrypted with the second key K2 to obtain the second encrypted value E2 K2 Obtain, The aforementioned double-encrypted value E1 K1 (A o ) and the second encrypted value E2 K2 Based on this, the digital keystream S is created. The apparatus according to claim 1.

7. The control circuit further, S=E1 K1 (A o ) XOR E2 K2 The digital key stream S is created by calculating the following: The apparatus according to claim 6.

8. A method for implementing a data security device, The light source and the liquid crystal cell are arranged so that the liquid crystal cell receives the output of the light source. A first electrode and one or more second electrodes are arranged on the opposing surface of the liquid crystal cell. A sensor is provided to detect the light output of the liquid crystal cell. The aforementioned light source is activated to output a constant optical signal, Drive signal A using nonce value N and first key K1 i We decided, The aforementioned drive signal A i The first electrode is driven accordingly, The light source outputs the constant optical signal, and the first electrode receives the drive signal A. i When driven by the sensor, the sensor senses the light output of the liquid crystal cell and provides a sensor output. Digital representation A of the output of the aforementioned sensor o Provided, The aforementioned digital representation A o Based on this, generate a digital keystream S. method.

9. The aforementioned drive signal A i The decision was, The nonce value is encrypted with the first key K1 to obtain the first encrypted value E1 K1 Obtain, The first encrypted value E1 K1 Based on the drive signal A i It further includes generating, The method according to claim 8.

10. Select a signature for the aforementioned data security device, Select a mask according to the selected signature, The first electrode is further prepared using the mask. The method according to claim 9.

11. A polyimide layer is placed adjacent to the liquid crystal cell, Select a signature for the aforementioned data security device, The further comprising performing polyimide abrasion of the polyimide layer in accordance with the selected signature, The method according to claim 9.

12. Select a signature for the aforementioned data security device, In accordance with the selected signature, a formulation is selected for the material in which the liquid crystal cell is filled. The further comprising providing the liquid crystal cell to be filled with the material according to the selected formulation, The method according to claim 9.

13. Select a signature for the aforementioned data security device, Waveguide material is selected according to the selected signature. To provide a waveguide of the aforementioned waveguide material, The further comprising arranging the waveguide in or from the liquid crystal cell, The method according to claim 9.

14. A temperature controller is provided to adjust the temperature of the material in the aforementioned liquid crystal cell. Select a signature for the aforementioned data security device, The system further comprises controlling the temperature controller based on the selected signature. The method according to claim 9.

15. Input Digital Data D i Obtain, The aforementioned input digital data D i Based on the aforementioned digital keystream S, output digital data D o To further include the ability to calculate, The method according to claim 8.

16. The aforementioned output digital data D o of D o =D i XOR S It further includes the ability to calculate as follows: The method according to claim 15.

17. Analog component A configured to provide a sensor output, A control circuit comprising a circuit configured to perform a predefined operation, The aforementioned defined behavior is: Obtain the plain text message M, A drive signal is transmitted to drive the analog component A. A digital keystream S is generated based on the digital representation Ao of the sensor output. Based on the digital keystream S and the plaintext message M, a ciphertext C is generated. Output the ciphertext C, Data security device.

18. The control circuit comprises an application-specific integrated circuit, The data security device according to claim 17.

19. The control circuit comprises a field-programmable gate array, The data security device according to claim 17.

20. The defined operation of the control circuit is the ciphertext C [Math 2] Further including generating by The data security device according to claim 17.

21. The defined operation is to send the plaintext message M to the analog component A in m chunks M i (i = 1 , . . . ,m, and Mi i represents the i-th chunk of the plaintext message M) further comprising providing sequentially, The data security device according to claim 17.

22. Mi has a number of bits based on the characteristics of the analog component A, The data security device according to claim 21.

23. The digital keystream S comprises m chunks S i (i = 1 , . . . ,m, where Si represents the i-th chunk of the digital keystream S corresponding to Mi) provided, The data security device according to claim 21.

24. The control circuit divides the ciphertext C into m chunks C i (i = 1 , . . . ,m, [Math 3] (is) and acquire them sequentially. The data security device according to claim 23.

25. The defined operation further comprises computing an analog component input A i by encrypting a set of bits x using a first key K1. The data security device according to claim 24.

26. The encryption of the set of bits x using the first key K1 is block encryption. The data security device according to claim 25.

27. ​​Block encryption using the first key K1 is performed on a substitution transpose network. The data security device according to claim 26.

28. The set of bits x is a nonce-based value based on nonce N. The data security device according to claim 25.

29. The control circuit calculates a nons-based value by N + i - 1. The data security device according to claim 28.

30. When the control circuit drives the analog component A, it uses the bits of the analog component input A i as the drive signal. The data security device according to claim 25.

31. The analog component A comprises a liquid crystal cell configured to be driven via an electrode that receives the drive signal, The system further comprises a sensor configured to provide the sensor output based on the optical output of the liquid crystal cell. The data security device according to claim 30.

32. The analog component A further comprises a light source configured to output a constant optical signal as an optical input to the liquid crystal cell, The electrodes are arranged to the side of the liquid crystal cell. The data security device according to claim 31.

33. The defined operation is: The aforementioned digital representation A o is encrypted using the first key K1 to obtain E1 K1 (A o). S i =E1 K1 (A o ) The system further comprises generating the digital keystream S based on the above, The data security device according to claim 25.

34. The defined operation is: The aforementioned set of bits x is encrypted using the second key K2 to obtain E2 K2. [Math 4] The system further comprises generating the digital keystream S based on the above, The data security device according to claim 33.

35. The encryption of the set of bits x using the second key K2 is block encryption. The data security device according to claim 34.

36. Block encryption using the second key K2 is performed on a substitution transpose network. The data security device according to claim 35.

37. A method for encrypting plaintext data into ciphertext, or decrypting ciphertext data into plaintext data, Received input message M, The input message M is divided into m chunks M i (i = 1 , . . , m, where Mi i represents the i-th chunk of the input message M) and it is divided into these parts. The digital keystream S is generated in m chunks S i (where S i is the i-th chunk of the digital keystream S based on the output of analog component A), m chunks C i (where C i is the i-th chunk of the output message C) [Math 5] In this case, the output message C is generated sequentially. method.

38. Mi, Si, and Ci have a number of bits based on the characteristics of the analog component A. The method according to claim 37.

39. Further comprising generating a drive signal Ai for the analog component A independently of the bit value of Mi, The method according to claim 37.

40. A drive signal A i for the analog component A is generated, The analog component A is driven using the aforementioned drive signal A i. When driven by the aforementioned drive signal A i, the digital representation A o of the output of the analog component A, represented as A o = A(A i), is obtained. The digital keystream S further comprises being based on A o. The method according to claim 37.

41. Obtain a non-base value, The system further comprises generating the drive signal A i based on the non-base value, The method according to claim 40.

42. The nons base value is determined according to nons N such that the nons base value is (N + i - 1) for Mi. The method according to claim 41.

43. Encrypt the nonce-based value with the first key K1 and obtain the first encrypted value E1 K1. The system further comprises generating the drive signal according to A i = E1 K1. The method according to claim 41.

44. Encrypt the digital representation A o with the first key K1, and obtain the second encrypted value E1 K1 (A o), The digital key stream S is further based on the second encrypted value E1 K1 (A o), The method according to claim 43.

45. Encrypt the nonce-based value with the second key K2 and obtain the third encrypted value E2 K2, The digital key stream S is further based on the third encrypted value E2 K2. The method according to claim 44.

46. The nons-based value for Mi is (N + i - 1) when N is a nons, The first encrypted value is E1 K1 (N+i-1), The second encrypted value is E1 K1 (A(E1 K1 (N+i-1))), The third encrypted value is E2 K2 (N+i-1), The aforementioned digital keystream S is [Math 6] It also has the characteristic of being The method according to claim 45.

47. The analog component A is provided with a liquid crystal cell configured to be driven via an electrode that receives the drive signal A i. The method according to claim 40.

48. Further comprising providing a sensor configured to sense the output of the analog component A, The method according to claim 47.

49. The digital representation A o is further based on a value from the sensor. The method according to claim 48.

50. Further comprising providing a constant optical signal as an optical input to the liquid crystal cell, The method according to claim 47.

51. The electrode is provided on at least one side of the liquid crystal cell, The method according to claim 47.