1

My question is kind of related to this topic: Can we prove possession of an AES-256 key without showing it?

But I couldn't figure out how to apply it to my problem.

Description:
Lets say I have a hardware chip, and I want to prove it has not been copied. The chip can store a AES-128 key and can do some encryption with it - it can for example output a ciphered text and plain text. This key cannot be read from the chip again so it is safe there.

I would like to create a system where 3rd party could verify the authenticity of the chip without knowing the secret AES key, I also would like to avoid storing this key anywhere, I would like to forget it after it was created. During creation I can prepare all needed data, like ciphered text or anything that is needed and put in public domain.

Is it even possible to create such system? The chip is not programmable so it can do only basic operation, what operations would it need to perform to prove it's authenticity?

Maarten Bodewes
  • 92,551
  • 13
  • 161
  • 313
PiotrSB
  • 11
  • 2
  • 1
    How does proving you know the key also prove that the chip/key has not been copied? – knaccc Feb 03 '22 at 16:10
  • Well, the key is stored in the place on the chip that can't be easily copied, or at least it is hard enough to hack and copy. So proving that the chip has correct key proves the authenticity of the chip. – PiotrSB Feb 03 '22 at 16:38
  • 2
    Is your question specific to AES-128? Yes, it's possible to create a zero knowledge proof of an AES key that (say) translates a specific plaintext block to a specific ciphertext block - it's also rather expensive. It would appear to be much easier to prove knowledge of a discrete log (either finite field or EC), even though AES-128 is much more hardware-friendly... – poncho Feb 03 '22 at 17:25
  • Could you say something more about it? Is there any particular protocol/algorithm I could try out? – PiotrSB Feb 04 '22 at 12:22
  • @poncho Wouldn't that require knowledge of the key? – Maarten Bodewes Feb 04 '22 at 19:17
  • When we're talking about symmetric cryptography generally a device specific key is used, which can be derived from some kind of master key and a device specific ID such as a serial number. Then a simple challenge / response protocol can be used. Maybe you could be a target audience for the hardware security course by Maryland U (which I think was terrible because it seemingly just focused on chip IP rights and such). – Maarten Bodewes Feb 04 '22 at 19:19
  • @MaartenBodewes challenge / response protocol is good when you assume that the verifier knows the secret key. My question is if you can prove that the device has a correct key without knowing the key. – PiotrSB Feb 07 '22 at 16:52

0 Answers0