Using Pre-Loaded Entropy as UDS for TCG DICE PQC Key Generation (N22b)
The generation of post-quantum cryptography (PQC) keys for Trusted Computing Group (TCG) Device Identifier Composition Engine (DICE) layers presents unique challenges in complying with NIST’s PQC algorithm standards. TCG DICE layering architecture requires spawning identity keys for multiple layers from a Unique Device Secret (UDS) in a deterministic manner.
This talk presents a design for generating DICE key hierarchies that combine traditional and PQC keys. The design begins with entropy preloaded into module fuses at the factory as the UDS and adheres to FIPS 186 and FIPS 204/205 by using Approved RNGs to enforce domain separation for different keys. The talk addresses compliance, FIPS 140-3 certification claims, and restrictions specific to embedded controllers, such as firmware update limitations. Additional speakers Stephan Mueller of atsec information security and Thomas Bowen of Intel contribute insights into key generation design, compliance considerations, and technical constraints.