Is it possible to prove possession of AES-128 key?

My question is kind of related to this topic: Can we prove possession of an AES-256 key without showing it?

But I couldn't figure out how to apply it to my problem.

Description:
Let's say I have a hardware chip, and I want to prove it has not been copied. The chip can store an AES-128 key and can do some encryption with it; it can, for example, output a ciphertext and a plaintext. This key cannot be read from the chip again, so it is safe there.

I would like to create a system where a third party could verify the authenticity of the chip without knowing the secret AES key. I would also like to avoid storing this key anywhere; I would like to forget it after it was created. During creation I can prepare all needed data, like ciphertext or anything else that is needed, and put it in the public domain.

Is it even possible to create such a system? The chip is not programmable, so it can do only basic operations. What operations would it need to perform to prove its authenticity?

Comments:

knaccc: How does proving you know the key also prove that the chip/key has not been copied?

Asker: Well, the key is stored in the place on the chip that can't be easily copied, or at least it is hard enough to hack and copy. So proving that the chip has the correct key proves the authenticity of the chip.

poncho: Is your question specific to AES-128? Yes, it's possible to create a zero-knowledge proof of an AES key that (say) translates a specific plaintext block to a specific ciphertext block; it's also rather expensive. It would appear to be much easier to prove knowledge of a discrete log (either finite field or EC), even though AES-128 is much more hardware-friendly...

Asker: Could you say something more about it? Is there any particular protocol/algorithm I could try out?

Maarten Bodewes: @poncho Wouldn't that require knowledge of the key?

Maarten Bodewes: When we're talking about symmetric cryptography, generally a device-specific key is used, which can be derived from some kind of master key and a device-specific ID such as a serial number. Then a simple challenge/response protocol can be used. Maybe you could be a target audience for the [hardware security course by Maryland U](https://www.coursera.org/learn/hardware-security) (which I think was terrible because it seemingly just focused on chip IP rights and such).

Asker: @MaartenBodewes A challenge/response protocol is good when you assume that the verifier knows the secret key. My question is whether you can prove that the device has the correct key without knowing the key.
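The symmetric scheme Maarten Bodewes sketches in the comments, written out as an added example (not code from the thread): a per-device AES-128 key derived from a master key and a serial number, and a one-block challenge/response. It also makes the asker's last point concrete: the verifier must hold the master key to check a fresh challenge. HMAC-SHA256 as the key-derivation function and all key/serial values are constructed assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// deriveDeviceKey returns the per-device AES-128 key as the first 16 bytes of
// HMAC-SHA256(masterKey, serial). Only the issuer holds masterKey (assumed KDF).
func deriveDeviceKey(masterKey []byte, serial string) []byte {
	mac := hmac.New(sha256.New, masterKey)
	mac.Write([]byte(serial))
	return mac.Sum(nil)[:16]
}

// chipRespond models the non-programmable chip: it encrypts exactly one
// 16-byte challenge block with its embedded key and outputs the ciphertext.
func chipRespond(deviceKey, challenge []byte) ([]byte, error) {
	if len(challenge) != aes.BlockSize {
		return nil, fmt.Errorf("challenge must be %d bytes", aes.BlockSize)
	}
	block, err := aes.NewCipher(deviceKey)
	if err != nil {
		return nil, err
	}
	out := make([]byte, aes.BlockSize)
	block.Encrypt(out, challenge)
	return out, nil
}

// verify is the verifier side: it re-derives the device key from masterKey and
// serial, so it can only run if it knows the master secret.
func verify(masterKey []byte, serial string, challenge, response []byte) bool {
	expected, err := chipRespond(deriveDeviceKey(masterKey, serial), challenge)
	return err == nil && hmac.Equal(expected, response)
}

func main() {
	master := []byte("constructed-sample-master-key") // sample value only
	serial := "SN-000123"
	challenge := make([]byte, aes.BlockSize)
	rand.Read(challenge) // fresh random challenge per verification
	resp, _ := chipRespond(deriveDeviceKey(master, serial), challenge)
	fmt.Println("genuine chip accepted:", verify(master, serial, challenge, resp))
	other, _ := chipRespond(make([]byte, 16), challenge) // chip without the key
	fmt.Println("chip with other key accepted:", verify(master, serial, challenge, other))
}
```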