JP4664655B2 - Information processing apparatus and address control method thereof - Google Patents

Description

  The present invention relates to an information processing apparatus and an address control method thereof, and relates to an information processing apparatus having an information storage memory and a function for accessing the memory, and conceals processing data represented by a smart card. The present invention relates to an information processing apparatus suitable for use in a tamper-resistant information processing apparatus where safety is important, and an address control method thereof.

  In recent years, information processing apparatuses that embed a microprocessor (microcomputer) with a built-in memory in an IC card or the like so that personal information can be used and can be used in various scenes of life have attracted attention.

  Hereinafter, a CPU and a memory management unit will be described as conventional techniques related to such an information processing apparatus.

  The central processing unit (CPU) is an arithmetic unit that performs a predetermined operation according to an instruction code. A general CPU can process an instruction code group composed of logical operation, arithmetic operation, comparison operation, and branch processing. The instruction code is stored in the memory, and an address where an instruction code to be executed next is stored is stored in a program counter (PC) held by the CPU. If the size of the instruction code read at a time is S, S is added to the PC every time one instruction code is processed. In many cases, S is a constant value for speeding up the process. When the branch process is performed, the relative distance to the branch destination is added or subtracted to the PC, or the absolute address of the branch destination is set.

  Many microcomputers including a CPU and a memory include a controller called a memory management unit (MMU). The main functions of the MMU are address translation and memory protection. The address conversion is to convert a logical address given from the CPU into a physical address (which is a memory entity). Memory protection is to set read / write permission for each logical address (or for each block after grouping a plurality of logical addresses into one block and dividing the entire logical address space into several blocks) This is to protect an area used by a system such as an OS from being invaded by a user program.

The address area accessible by the CPU is determined by the bit length of the address line provided in the CPU. In the case of a 32-bit CPU, the bit length of the address line is often 32 bits. The number of addresses that can be expressed in 32 bits is (2 ³² =) about 4.3 billion. In other words, if one byte of data is stored per address, the 32-bit CPU can calculate 4 gigabytes of memory space. However, the capacity of the memory actually mounted on the information processing apparatus is almost smaller than the size of the address space that can be specified by the CPU. For example, current smart card memory capacity is less than 1 megabyte.

  By the way, in a smart card used for a credit card or the like, since personal information is held in a memory, it is the most important issue to protect confidentiality so as not to be stolen or leaked.

  A malicious attacker attempts to read information held in a smart card by piracy (tampering). There is a power consumption analysis method for such an attacker to read information on a smart card.

  The power consumption analysis method is an attack method that specifies an encryption key by using a correlation between power consumption when performing cryptographic processing on an IC chip and data in the middle of cryptographic processing. More specifically, it is as follows. The power consumption during the operation of an IC chip composed of CMOS is proportional to the number of ON / OFF operations of the CMOS switch. Therefore, a logical change (Hamming distance) of data processed inside the IC chip is observed as power consumption. The security of the cryptographic algorithm is guaranteed in the form of “I do not know the secret key even if the input and output to the cipher are obtained”, and there is no guarantee that the secret key is not known from the data being processed. Actually, if the data during the encryption process is known, the security of the encryption is lowered. In the power consumption analysis method, power consumption during encryption processing is recorded and used for attacks. In other words, the power consumption analysis method can be said to be an attack method by observing data in the middle of encryption processing in the form of power consumption, that is, the Hamming distance of the data, thereby reducing the security inherent in the encryption.

  Finally, the conventional technology and its problems related to the prevention method of power consumption analysis are described.

  Patent Document 1 below is effective as a countermeasure against power consumption analysis by reducing the correlation between data passing through a data bus and stored data by encrypting stored data. Is disclosed. A feature of this method is that when a certain data D is recorded at a certain physical address PA, a set L = {LA ′ [I]: I = 0, 1,... , N−1}, LA ′ [I] of L is selected by a method that cannot be predicted from the outside, and data D is D ′ [I] depending on the selected LA ′ [I]. It is to be transformed into. Thus, even when data D is stored at the same physical address, the stored data value can be changed to a value that cannot be predicted from the outside.

  However, this method has a limitation that it is necessary to use the same logical address LA ′ [I] for writing and reading. If LA ′ [I] is the same at the time of writing and at the time of reading, the relationship between LA ′ [I] and the current consumption is utilized, for example, “at which timing at least the same data D is used”, etc. Information about data D can be obtained. Furthermore, although not directly mentioned in this specification, the logical address used for writing and reading needs to be the same, so the logical address used for writing is stored in preparation for reading. It is necessary to keep. This means that it is necessary to provide a special memory for storing the logical address used at the time of writing. In a small device such as a smart card, the memory capacity that can be mounted is limited. Therefore, a countermeasure method that does not require a special memory is desirable.

  Patent Document 2 below discloses a method of concealing a power consumption pattern depending on a logical address value when transferring data recorded at consecutive addresses of a memory device to a register inside a cryptographic processing arithmetic unit. is doing. In paragraph Nos. 0059 and 0060 of Patent Document 2, when n is the size of data to be read, a continuous logical address group LA [I] (Iε {0,..., N−1} in which each data is stored. ) Is expressed by two of the offset LO and the number of read bytes LD. For illustration, it is assumed that the logical address is 16 bits expressed in hexadecimal, 1 byte of data is stored in each address, and the data is read out every 1 byte. When reading 16 bytes from the logical address 0100, in a general microcomputer, 0100, 0101, 0102,..., 100F appear in order, but in the information processing apparatus of Patent Document 2, data appearing on the address bus , Which represents 0100 which is a read start address and 0010 which represents 16 which is a read size. Furthermore, these are masked in advance with values shared by the memory device and the cryptographic processing arithmetic unit. For example, if the mask value is F8B2, the address start appears at the read start address. A certain (0100 + F8B2 =) F9B2 or (0100−F8B2 =) 084E and a read size (0010 + F8B2 =) F8C2 or (0010−F8B2 =) 075E are obtained. In addition, in order to conceal that the transmission of information is completed by transmitting two data from the place where 16 addresses appear in the address bus, the computation for cryptographic processing is performed at the timing when the remaining 14 addresses should appear. The unit transmits random numbers through the address bus, and the memory device on the receiving side is configured to ignore them. For this reason, even if the attacker observes the power consumption of the address bus, it is merely observing the random number, and thus cannot know from which address the data is read.

JP 2002-328844 A JP 2001-195555 A

  By the power consumption analysis method described above, the attacker can infer the processing flow of the program from the change sequence of the program counter held in the CPU.

  In the following, an analysis example of the processing flow of the program by the power consumption analysis method will be described.

  Attention is paid to a series of Hamming distances between successive program counter values in the program counter variation sequence. As described above, the Hamming distance series can be observed as the power consumption. Here, the Hamming distance can be defined as the number of bit positions whose values change in a pattern having a bit string of the same length. For example, when 11 = (1, 0, 1, 1) and 12 = (1, 1, 0, 0) are expressed in the bit string representation, three of the second to fourth bits are changed. Therefore, the Hamming distance is 3.

The change sequence of the program counter changes according to the processing flow of the program. For example, consider a case where a branch is made to series 1 or series 2 by a conditional branch instruction. The logical address is 16 bits expressed in hexadecimal, and the program counter is incremented by two. A conditional branch instruction is installed at the logical address 0000, and the sequence 1 starts from 0010 and the sequence 2 starts from 001A. At this time, the change of the program counter of the processing sequence 1 is
0000 → 0010 → 0012 → 0014 → 0016 → 0018 → 001A → 001C → 001E → 0020 →
On the other hand, the change in the program counter of processing sequence 2 is
0000 → 001A → 001C → 001E → 0020 → 0022 → 0024 → 0026 → 0028 → 002A →…
It becomes.

Each Hamming distance series is series 1,
1 → 1 → 2 → 1 → 3 → 1 → 2 → 1 → 5 →…
In contrast, in series 2,
3 → 2 → 1 → 5 → 1 → 2 → 1 → 3 → 1 →…
This clearly shows that the power consumption series are different. From this, the attacker can know whether or not the branch condition is satisfied.

By this analysis, it is possible to decrypt RSA encryption used in electronic commerce and the like. The core operation of the RSA cipher is a power-residue operation y ^x mod N, where y is an input value of the operation, N is a public key, and x is a secret key. The attacker's purpose is to know the secret key x. A general processing method for the power-residue operation is a binary method. Len (x) represents the bit length of x, x [i] represents the i + 1th bit from the MSB when x is binary expanded, and the binary algorithm is described in the C language style as follows: Can be expressed as
V = 1;
for (i = 0; i <Len (x); i ++) {
V = V ² mod N;
if (x [i] == 1) {…… (*)
V = V × y mod N;
}
}
return V;
In this algorithm, the establishment / non-establishment of the conditional branch in (*) depends on each bit of the secret key x. That is, if it is found that the conditional branch is established or not, the secret key can be specified. In this algorithm, a process of multiplying V by y is performed when a branch is taken. Since the PC value change sequence at this time is clearly different from the case where the branch is not established, the secret key can be specified for the reason described above.

  The technique disclosed in Patent Document 1 described above functions as a countermeasure against power consumption analysis in the memory because there are a plurality of types of logical addresses when accessing the memory cells. However, since the values that are the generation sources of the plurality of types of logical addresses are held in the program counter as values corresponding to the physical addresses in the CPU, the power consumption analysis for the program counter in the CPU is performed. It does not function as a countermeasure. The same is true for the technique disclosed in Patent Document 2, which functions as a countermeasure against power consumption analysis in the address bus, but in the CPU, the logical address and the physical address are simply associated with each other and processed. Therefore, it does not function as a measure for power consumption analysis inside the CPU.

  The present invention has been made in order to solve the above-mentioned problems, and the object thereof is internal data obtained by analyzing power consumption in an address bus, a program counter in the CPU, and related registers, among other IC chips. It is an object of the present invention to provide a highly secure information processing apparatus and an address control method thereof by making it difficult to estimate or specify the information.

  The information processing apparatus of the present invention masks the value d of the register storing the address displacement value used for updating the program counter with an arbitrary value α. The value of the program counter is sequentially updated according to the masked address displacement value. In addition, the information processing apparatus of the present invention includes an address reverse conversion device on the address receiving side, that is, the storage device side. By inversely converting the masked address, a corresponding address is obtained, and the CPU The memory cell is accessed by the address. Here, “mask” means that a value to be protected is converted to an unpredictable value using a value that cannot be predicted by an attacker.

  In this way, since the value of the program counter used by the CPU is masked by a value α that cannot be predicted from the outside, the power consumption depending on the change sequence of the program counter is analyzed inside the CPU and the address bus. However, useful information regarding the program processing flow and memory access cannot be obtained.

  The address displacement value means the following value. When the program process proceeds inside the microcomputer, data is read from the memory device by the size of the instruction code, and a process for preparing the next instruction code is performed. In general, a fixed value such as 2 bytes to 4 bytes is used as the size of the read data at this time. This fixed value is called an address displacement value here. In many cases, the address displacement value is set in a single manner, but it is not necessarily required to be in a single manner, and may take various values depending on the preceding instruction code. However, since it is possible to obtain the same effect if it is configured to have masked address displacement values for all of these multiple types of address displacement values, here, only one fixed value is used as the address displacement value. Is described.

  The mask processing may be an arithmetic operation such as exclusive OR, addition / subtraction, or multiplication with an arbitrary value α, a permutation using α as a parameter, or encryption processing using α as a key.

  Furthermore, the value used as α may be a case where a pre-defined series of values is used in an arbitrary order, or an output of a true random number generator based on a physical mechanism or a pseudo random number generator realized by software. is assumed.

  According to the present invention, it is possible to make an attempt to estimate and specify internal data by analyzing power consumption in an address bus, a program counter in the CPU, and a related register in the IC chip, in particular, A highly functional information processing apparatus and its address control method can be provided.

[Configuration of microcomputer and mounting on IC card]
First, the state of mounting on a microcomputer and an IC card according to the present invention will be described with reference to FIGS.
FIG. 2 is a diagram showing a state in which the microcomputer according to the present invention is mounted on an IC card.
FIG. 3 is a block diagram showing the basic configuration of the microcomputer according to the present invention.

  As shown in FIG. 2, the microcomputer according to the present invention can be used for a contact type IC card in which a chip of this semiconductor device is mounted on a plastic card.

  The main body of this microcomputer is an IC chip 202 in the form of a package called COT, which is arranged next to the center of the card.

  As shown also in FIG. 3, the IC card 201 has terminals of Vcc (power supply), GND (ground), RST (reset), I / O (input / output) and CLK (clock). The upper chip operates by supplying these signals from the outside, for example, from a terminal. In this case, the terminal itself may basically have the same specifications as a general card system.

  As shown in FIG. 3, the microcomputer has a central processing unit CPU, a read-only memory ROM as a storage device, a rewritable nonvolatile memory EEPROM and a rewritable volatile memory RAM, a coprocessor CPR, and exchange of information of each part. Input / output port I / O for performing the above, and an address bus 301 and a data bus 302 as signal lines connecting them.

  The coprocessor CPR may have its own storage device CRAM inside. The central processing unit CPU is a device that performs logical operations and arithmetic operations, and the storage device is a device that stores programs and data. The clock generator CLKG receives the supply of a clock signal from the outside of the IC chip via the terminal 202 of the IC chip shown in FIG. 2, generates an internal system clock signal synchronized with the clock signal, Supply to the device. The system controller SYSSCR is a device that controls the CPU and bus signals, and controls the random number generator RNG, timer TIM, security logic SECL, and the like.

  The security logic SECL is a mechanism for encrypting address information so as not to perform power consumption analysis from an attacker, which will be described in detail later.

  Note that SYSSCR, CPU, TIM, SECL, etc. may be collectively referred to as a CPU.

  The storage device is configured using, for example, a ROM (Read Only Memory), a RAM (Random Access Memory), an EEPROM (Electrically Erasable Programmable Read Only Memory), an FRAM (Ferromagnetic Random Access Memory), or the like. The ROM is a memory whose contents are fixed and cannot be changed, and is a memory mainly storing a program. The RAM is a rewritable memory, but the stored contents are lost when the supply of power is interrupted. That is, when the power supply to the device is interrupted, the contents of the RAM are so-called volatile memories that cannot be retained. EEPROM and FRAM are so-called non-volatile memories that can retain their contents even when power supply is interrupted. Since the difference between these combinations is not necessarily related to the essence of the present invention, FIG. 3 does not describe all types of memory configurations. It goes without saying that an information processing apparatus consisting of only a ROM or an information processing apparatus having a magnetic storage device can be configured in the same manner.

  The input / output port I / O is a port for performing data communication between the inside and outside of the IC chip. The address bus 301 is a bus for transferring the address of the storage device to be accessed, and the data bus 302 is a bus used for transferring data read from the address or data to be written to the address. .

  The CPU has a program counter PC inside, and reads and processes an instruction code and data stored at an address indicated by the PC. The PC is usually updated by a method of incrementing by a certain value. That is, after reading the instruction code from the address indicated by the PC, the PC is updated so as to indicate the previous address by a certain address displacement value d (| PC | = | PC | + d, where | PC | (Value stored in the inside), and then the process of reading the instruction code from the address indicated by the PC is repeated. Here, the constant address displacement value is often 2 in many cases. This is because an instruction code of an 8-bit CPU is often composed of 2 bytes of a 1-byte instruction code and a 1-byte operand.

Embodiment 1
The first embodiment according to the present invention will be described below with reference to FIGS. 1 and 4 to 9.

First, the configuration of the information processing apparatus according to the present invention will be described with reference to FIG.
FIG. 1 is a configuration diagram of an information processing apparatus according to the first embodiment of the present invention.

  As described above, the information processing apparatus according to the present invention includes the security logic SECL unit, and in order to prevent a malicious attacker from analyzing the power consumption of the information processing apparatus and reading the information, the address information is converted into the security logic SECL unit. Is encrypted and transferred to the memory side, decrypted on the memory side, and an address for the CPU to access the memory is taken out.

  The security logic SECL unit is composed of an address translation device ATE, and has an increment size register ISR inside.

  The increment size register ISR stores the increment size d of the PC.

  An address reverse conversion device ATD is connected to an address bus 101 between the address reverse conversion device ATD and a storage device, and the ATD has a register ATR for storing a value for address reverse conversion therein.

  In this information processing apparatus, before the IC chip is activated and the program is executed, the ISR value d is masked by the mask value α generated by the ATE. The ISR inside the ATE is rewritten by the value obtained by masking the ISR value d with the ATE.

  Then, the ATE generates a value β necessary for inverse conversion based on the mask value α, and transmits it to the ATD. As a result, ATD retains β in the ATR.

  After performing the above initial processing, the PC is sequentially updated in accordance with the ISR value in the ATE as usual. When the CPU accesses the address LA ′ indicated by the PC value, the ATD receives LA ′ transferred through the address bus, the ATD performs the inverse conversion of LA ′ using the ATR value β, and the CPU accesses the memory. The LA corresponding to the current address is obtained. Then, the CPU accesses the actual memory cell corresponding to the LA. When the access is a read operation, the read data is transferred to the CPU through the data bus 302, and when the access is a write operation, the data to be written is transferred from the CPU to the storage device through the data bus.

  These processes are described in more detail as follows. The ATE and CPU receive the initialization signal INI from the system controller SYSSCR. The SYSCR issues the INI when the reset signal RST is received from the outside of the IC chip, or when the CPU instructs resetting as an instruction code. The ATE having received the INI selects a certain mask value α using the random number generator RNG, and calculates β = f (α) using a certain function f (x). This β is a value used for address decoding.

  Then, assuming that the initial value d is held in the increment size register ISR, the increment size register ISR is rewritten by the calculated value of the initial value d and the mask value α. The RNG may be a true random number generator realized by a hardware mechanism, or may be a pseudo random number generator realized by software. The ATE sends this β to the ATD, and the ATD stores β in the ATR.

  The CPU holds a program counter PC that stores a memory address to be accessed. During this time, the CPU initializes the PC to zero. The above is the initialization process.

  The subsequent operation is as follows. The CPU increments | PC | 'by ISR every time the instruction code is read from the memory using ATE. That is, | PC | '= | PC |' + | ISR |. Here, | ISR | is a value obtained by masking the initial value d of ISR with the mask value α. In addition, the symbol | PC | 'here indicates that the value of the program counter is updated with a displacement value obtained by masking the PC value.

  If | PC | ′ = LA ′, LA ′ is sent to the memory via the address bus. On the memory side, before LA ′ reaches the memory cell, ATD receives LA ′ and uses the previous value β held in the ATR, and LA = corresponding to the address when the CPU accesses the memory = g (LA ′, β) is obtained. Here, g (x, y) is a function for removing the mask.

  A specific example of the above-described series of address processing will be described as follows.

  Assume that the initial value d of the increment size register ISR is 2.

d = | ISR | = 2 (Formula 1)
The mask value α is 2B37 in hexadecimal notation.

α = (2B37) (Formula 2)
When updating the value of ISR for the first time, the product of d and α is taken. If this value is d ′,
d ′ = | ISR | = d · α = 2 × (2B37) (Formula 3)
It is.

A function f (x) used for calculating β is assumed to be f (x) = x ⁻¹ mod 2 ⁿ . This corresponds to obtaining an inverse element of multiplication in a finite ring when the number of elements is 2 ⁿ . Here, n is an appropriate integer corresponding to the size of the memory, for example, n = 16. That is,
α · β≡1 mod 2 ¹⁶ (Formula 4)
(2B37) · β≡1 mod 2 ¹⁶
It is.

Here, since the finite ring in the case where the element is 2 ⁿ does not have an inverse element when α is a multiple of zero and 2, it is necessary that α is not a multiple of zero and 2, that is, an odd number. . When a true random number generator or a pseudo random number generator is used for generating α, α is an even number with a probability of 1/2. However, in order to obtain an odd number α, it is sufficient to process the least significant bit of α unconditionally, and it is possible to guarantee that α is an odd number with little processing load.

Since the value of the program counter is initially 0, it is an integer multiple of the masked address displacement value. Therefore, the following (Equation 5) holds, where k is an integer.
LA ′ = k · d ′ = k · 2α (Formula 5)
Multiplying Equation 5 by β in Equation 4,
LA = LA ′ · β = k · d ′ · β = k · 2α · β (Formula 6)
≡ 2k mod 2 ⁿ
As LA.

Here, the function g (x, y) for inverse transformation is g (x, y) = x × y mod 2 ⁿ .

Next, the influence of the Hamming distance by the PC value mask using the function f (x) will be described with reference to FIG.
FIG. 4 is a graph showing a change in the Hamming distance for each change series of the PC.

Now, the PC value change series is
0000 → 0010 → 0012 → 0014 → 0016 → 0018 → 001A → 001C → 001E → 0020 → (Series 1)
The sequence of Hamming distances is
1 → 1 → 2 → 1 → 3 → 1 → 2 → 1 → 5 →…
It is.

  When the PC value series is masked using 2B37 as the mask value, the PC value change series changes as follows.

0000 → B370 → 09DE → 604C → B6BA → 0D28 → 6396 → BA04 → 1072 → 66E0 → (series 2)
The series of Hamming distances corresponding to this is as follows.

8 → 10 → 7 → 11 → 9 → 11 → 8 → 9 → 8 →…
On the other hand, when another mask value D4C9 is used, the PC value change sequence changes as follows.

0000 → 4C90 → F622 → 9FB4 → 4946 → F2D8 → 9C6A → 45FC → EF8E → 9920 → (Series 3)
The series of Hamming distances corresponding to this is as follows.

5 → 9 → 8 → 10 → 11 → 9 → 9 → 8 → 10 →…
As described above, the hamming distance series also changes depending on the mask value even in the same PC value change series. FIG. 4 shows a Hamming distance sequence when the same PC value change sequence is masked using three different mask values. Since the hamming distance series behaves differently depending on the mask value, the power consumption appears in proportion to the hamming distance, so that it is understood that useful information cannot be obtained even by observing the power consumption. Processing related to the address of the information processing apparatus according to the first embodiment of the present invention will be described with reference to FIG.
FIG. 5 is a configuration diagram of the address translation device ATE.
FIG. 6 is a configuration diagram of the address reverse translation device ATD.

  First, the processing procedure at the time of initialization will be described.

  When the initialization signal INI is turned on, the address translation device ATE confirms that the output α of the random number generator RNG is not zero. When the least significant bit of α is 1, the address translation device ATE stores the address displacement value register ISR in the address displacement value register ISR. The value d ′ masked by the original value d is stored in the address displacement value register ISR. When the output of the RNG is zero, the least significant bit is set to 1, a new value is generated again, or an RNG failure diagnosis is performed.

  The value α of the ISR is further input to the function f (x), that is, the inverse element calculator INV. The output β of INV is sent to the address bus AB. At the same time, the signal βE for encouraging the address reverse conversion device ATD to take in the value β used for reverse conversion is turned on. In the ATD, in response to βE being on, the input value β from AB is taken into the address translation value register ATR using the output selector SELO that selects one of the two outputs. When the above procedure is completed, INI is turned off.

  Next, PC update and memory access will be described.

  When updating the PC, the CPU sends the PC value to the input port PCI of the ATE. The ATE adds the ISR value to the PC value received from the PCI and sends it to the output port PCO. The CPU stores the output value from the PCO as a new PC value.

  Using the conventional notation, | PC | '= | PC |' + | ISR | = | PC | '+ d'.

  Then, the CPU transmits | PC | 'which is a PC value through AB.

  When the CPU accesses the memory, the ATD receives | PC | 'from AB and βE is off. In the above specific example, the result of multiplying the ATR value β by using the multiplier MUL is output to the output port PB. To do. As confirmed above, the output value is an address for the unmasked CPU to access the memory.

  If the INI is not necessarily issued when the IC chip is reset, the initial value of ATR is set to 1. This initial value is necessary to ensure consistency when ATE is not used. This is a method using the fact that even if an unmasked address value is multiplied by 1, the value does not change. However, if the ATR value is 1, if the multiplication itself is not performed, it is necessary for processing. Since time and power can be reduced, such a configuration is desirable. Of course, when the ATD is not used, the ATD unit can be inactivated and bypassed.

  The above processing is processing when the program counter is sequentially updated with a constant address displacement value, but a general CPU can execute an instruction corresponding to a jump instruction. The jump instruction is an instruction for changing the value of the PC from a certain address to a predetermined address. In this case, the instruction code includes the jump destination address. Since the instruction code is often recorded in a non-rewritable storage device such as a ROM, it is necessary to convert the jump destination address according to the mask value before the instruction is executed. The address conversion described so far can be easily performed by multiplying the jump destination address by the mask value when the CPU determines that the instruction code is a jump instruction. If the CPU is provided with an instruction code cache, this address conversion can be performed without penalty of instruction execution time.

  In addition, the case where the address conversion device and the address reverse conversion device appropriately perform arithmetic processing has been described. However, the address conversion and the reverse conversion table are created at the time of initialization, and the address conversion processing and the reverse conversion processing are performed by referring to the table. It may be. With such a configuration, the processing speed can be increased. The address conversion and reverse conversion tables are stored in the volatile memory and regenerated every time the chip is reset. If it is not necessary to update the mask value, the address conversion and inverse conversion table may be stored in a memory that can be written only once. By using mask values that are not correlated with each other at least in different IC chips, even if a malicious attacker analyzes one IC chip, no clue to analysis of other IC chips can be obtained. Can do.

[Embodiment 2]
Hereinafter, a second embodiment according to the present invention will be described with reference to FIGS.
FIG. 7 is a configuration diagram of the address translation device ATEU.
FIG. 8 is a configuration diagram of the address reverse translation device ATDU.
FIG. 9 is a timing chart showing the flow of data in the signal line of the information processing apparatus according to the second embodiment of the present invention.

  In the first embodiment, the mask value is generated by the random number generator RNG. However, once the mask value α is determined, the CPU itself can be reset or reset in order to maintain the continuity of the memory address of the CPU. I couldn't change it until it started.

  The present embodiment relates to an information processing apparatus capable of changing a mask value at an arbitrary time or starting address conversion at an arbitrary time.

  Since the address translation device and the address reverse translation device of the present embodiment support the function of updating the mask value, they will be described as the address translation device ATEU and the address reverse translation device ATDU, respectively.

  The procedure for updating the mask value is as follows.

In the second embodiment, the inverse transformation function of the mask value will be described as f (x) = x ⁻¹ mod 2 ⁿ .

When the mask value update signal UPD is turned on, the ATEU shown in FIG. 7 generates an arbitrary value α ^ using RNG and stores it in the temporary register TR. Further, the TR value is input to INV by an input selector SELI that selects and outputs one of the two inputs. The output value β ^ = α ^ ⁻¹ mod 2 ⁿ is transmitted as it is to the ATDU through AB.

At the timing when TR is updated, the TR value is multiplied by the current ISR value using MUL, and the result is stored in the ISR again. The TR value is also multiplied by | PC | 'input from the PCI, and the result is output through the PCO. That is, | ISR | = | ISR | × α ^ mod 2 ⁿ and | PC | ′ = | PC | ′ × α ^ mod 2 ⁿ .

Since the UPD is on, the signal UE instructing the update and βE that prompts the acquisition of the AB value are turned on. The ATD takes the value of AB into TR because βE is on, and multiplies the ATR value by the TR value β ^ because the UE is on. The result is stored in the ATR. That is, | ATR | = | ATR | × β ^ mod 2 ⁿ . As a result, α × α ^ mod 2 ⁿ is stored in the ISR, and α ⁻¹ × α ^ ⁻¹ mod 2 ⁿ (= (α × α ^) ⁻¹ mod 2 ⁿ ) is stored in the ATR. Remembered. Also, | PC | 'is an α × α ^ mod 2 ⁿ multiple of the unmasked value. That is, the access destination address transmitted from the CPU is a value multiplied by α × α ^ mod 2 ⁿ , and the mask can be removed by multiplying by ATR.

  When the mask process is started at a certain time, the relationship between the signal lines shown in FIGS. 7 and 8 is as shown in FIG.

  ￣AE (AE overline) is a logical inversion value of AE which means that the value LA indicating the address is obtained through the address bus AB. Therefore, if ￣AE is off (logic 0), LA is passed through AB. It means that it is in the obtained state. In the present embodiment, when the value β for inverse conversion is transferred from ATEU to ATDU, security is enhanced by sharing the address bus, so LA and β cannot be transferred simultaneously. Thus, when ￣AE is off, βE needs to be off, and when βE is on, ￣AE needs to be on. In this example, ￣AE is turned off, and the CPU sends address LA [1] to address bus AB. At the same time, ATDU reverse-converts address LA [1] obtained from AB using 1 which is a value stored in ATR inside ATDU, and obtains address LA [1] from which the CPU accesses the memory. LA [1] is sent to the address bus PB, and the memory cell is accessed. As described above, when the ATR value is 1, since the inverse transformation is an identity transformation to itself, the result of the inverse transformation by ATDU has the same value as the input. That is, in this case, it is possible to adopt a configuration in which the processing itself is bypassed.

  Subsequently, when the update signal UPD is turned on, the ATEU generates an arbitrary value α internally and further generates β from α. β is transmitted through the address bus AB. At this time, UE and βE are also turned on, and ATDU takes in β from AB and multiplies the ATR value to update the ATR value. At the timing when the update is completed, UPD is turned off. As a result, UE and βE are also turned off. At the subsequent timing, the program counter value used by the CPU becomes a masked value, and therefore, the masked value LA ′ [2] appears in AB in the next memory access. Since ￣AE is off, the ATDU takes LA ′ [2] as an address, performs inverse conversion by multiplying by the ATR value, and obtains an address LA [2] at which the CPU accesses the memory. Thereafter, the processing is continued in the same manner while the value of the program counter is masked.

  The mask value can be updated at any timing. However, when concealing the difference between a branch and a non-branch in a loop at the time of a power-residue operation, the interval between a branch process in the loop and the next branch process is hidden. It is desirable to do this. For example, the mask value may be updated immediately after the branch instruction is executed. Also, depending on the S / N ratio when measuring power consumption, the mask value is always updated for each branch instruction process in view of the fact that it may not be possible to determine the presence or absence of a branch just by observing several branch processes. There is no need, and an instruction code for updating the mask value may be prepared so that the user can execute it at an arbitrary timing. Furthermore, it may be performed at a timing that cannot be predicted from the outside using RNG.

  When the PC value mask is no longer necessary, for example, when it is no longer necessary to ensure security during the process, the address translation device ATEU receives the ATR value from the address reverse translation device ATDU, and | PC | ' The mask can be removed by multiplying by. That is, it corresponds to the transfer in the reverse direction when β for reverse conversion is transferred from the address conversion apparatus in the case described above to the address reverse conversion apparatus. For subsequent PC updates, an increment value provided in the CPU may be used. The ATR value is initialized to 1 or deactivated by the method described above. Besides receiving the ATR value, the ISR value can be processed by INV in the ATEU and the value can be used. Further, a copy of the ATR value can be held in the ATEU or CPU to prepare for mask removal processing. In order to enhance the security, it is possible to provide a “security mode” and a “security bit” for switching the security mode ON / OFF so that the user can control the setting of this security bit. Thus, it is possible to apply and release protection as necessary. When the security bit is ON, processing with improved safety is performed according to the above procedure, and when the security bit is OFF, protection by the mask may be stopped.

[Embodiment 3]
Hereinafter, a third embodiment according to the present invention will be described with reference to FIG.
FIG. 10 is a configuration diagram of an information processing apparatus according to the third embodiment of the present invention.

  In FIG. 10, the address translation device ATE and the address translation device ATD are described, but the address translation device ATEU and the address translation device ATDU having a mask value update function as in the second embodiment may be used.

  In the present embodiment, as a path connecting the address translation device ATE and the address reverse translation device ATD, in addition to the address bus 401 and the data bus 403, a dedicated bus 402 for transferring the reverse translation value β is provided. . In the previous embodiment, by transferring the value for inverse conversion using the address bus, the wiring can be reduced and the transfer of β can be concealed, but the memory access at the time of updating the mask value The rate will drop. On the other hand, if the dedicated bus for transferring the value for inverse conversion is provided as in this embodiment, it is not necessary to occupy the address bus, so that the mask value update process can be speeded up. However, since β is an important value for security, it is possible to make the wiring of the bus 402 as difficult as possible to discover, or to take measures such as transferring random numbers except when transferring the β value. Analysis by an attacker can be made difficult.

[Embodiment 4]
Hereinafter, the fourth embodiment according to the present invention will be described with reference to FIG.
FIG. 11 is a configuration diagram of an information processing apparatus according to the fourth embodiment of the present invention.

  In FIG. 11, the address translation device ATE and the address translation device ATD are described, but the address translation device ATEU and the address translation device ATDU having a mask value update function as in the second embodiment may be used.

  In this embodiment, an address reverse translation device ATD is prepared for each storage device. The ATE includes a plurality of ISRs so that different mask values can be used for the respective storage devices. By using a plurality of mask values, safety can be improved. However, it is not always necessary to configure all the mask values to be different, and some or all of them may have the same value.

[Embodiment 5]
The fifth embodiment according to the present invention will be described below with reference to FIG.
FIG. 12 is a configuration diagram of an information processing apparatus according to the fifth embodiment of the present invention.

  In FIG. 12, the address translation device ATE and the address translation device ATD are described, but the address translation device ATEU and the address translation device ATDU having a mask value update function as in the second embodiment may be used.

  In this embodiment, the ATD is installed only in a part of the storage devices. However, a separate program counter is prepared for each storage area and can be accessed as a separate address space.

  As a storage device in which the ATD is installed, it is desirable to select a storage device that is not frequently rewritten. For example, a ROM that is a read-only memory, an EEPROM with a limited number of rewrites, and the like are candidates for protection by installing an ATD. There is a method in which such protection area limitation is performed by a system function, in addition to the method performed by the type of storage device. That is, it is possible to define a partial area of the address space as an area for ensuring security and to perform protection by ATE and ATD only when the address area is accessed.

[Embodiment 6]
The sixth embodiment according to the present invention will be described below with reference to FIG.
FIG. 13 is a configuration diagram of an information processing apparatus according to the sixth embodiment of the present invention.

  In FIG. 13, the address translation device ATE and the address translation device ATD are described, but the address translation device ATEU and the address translation device ATDU having a mask value update function as in the second embodiment may be used.

  In the configuration of this embodiment, a set of two or more PC [I], ISR [I], and ATR [I] (Iε {1, 2,..., M}) is provided, and which set is used. Make the selection in an unpredictable way. Accordingly, since a plurality of mask values can be switched and used without updating the mask value, an attack for acquiring information from power consumption can be prevented more efficiently. For selection of which set to use, for example, a random number obtained from the random number generation device RNG is used. The set to be used may be changed in accordance with the timing as described in the second embodiment as the mask value update timing. In addition, by using different sets for reading and writing, if the power consumption during reading and writing is different, an analysis using the correlation between data writing and power consumption during reading is also possible. Can be prevented. Which set is used can be conveyed by transferring a value generated by the ATE to the ATD through the dedicated bus 502.

1 is a configuration diagram of an information processing apparatus according to a first embodiment of the present invention. It is a figure which shows a mode that the microcomputer based on this invention was mounted in the IC card. It is a block diagram which shows the basic composition of the microcomputer which concerns on this invention. It is a graph showing the change of the Hamming distance for every change series of PC. It is a block diagram of the address translation apparatus ATE. It is a block diagram of the address reverse translation apparatus ATD. It is a block diagram of the address translation apparatus ATEU. It is a block diagram of address reverse translation apparatus ATDU. It is a timing chart showing the flow of data in the signal line of the information processor concerning a second embodiment of the present invention. It is a block diagram of the information processing apparatus which concerns on 3rd embodiment of this invention. It is a block diagram of the information processing apparatus which concerns on 4th embodiment of this invention. It is a block diagram of the information processing apparatus which concerns on 5th embodiment of this invention. It is a block diagram of the information processing apparatus which concerns on the 6th embodiment of this invention.

Explanation of symbols

102, 302, 403, 503 ... Data bus 402 ... ATR value transfer bus 502 ... Selection information transfer bus CPU ... Central processing unit PC ... Program counter I / O ... Input / output device and input / output port ATE ... Address conversion device ISR ... Increment Address register RNG ... random number generator SYSCL ... system controller SECL ... security logic TIM ... timer ATD ... address reverse conversion device ATR ... address reverse conversion parameter register ROM ... read-only nonvolatile memory EEPROM ... rewritable nonvolatile memory RAM ... rewritable Volatile memory CPR ... Coprocessor CRAM ... Coprocessor memory Vcc ... Power input terminal Vss ... Ground terminal RST ... Reset input terminal CLK ... Clock input terminal CLKG ... System clock generator NV: inverse element calculator ADD ... adder MUL ... multiplier SELO ... selector SELI for selecting one from two outputs .beta.E selector for selecting one from two inputs .beta.E ... signal lines 101, 301, 401 for instructing fetch of .beta. Value 501, AB: Address bus PB that may have been encrypted ... Address bus UE that has not been encrypted ... Signal line TR instructing mask value update ... Temporary value storage register

Claims (10)

In an information processing apparatus comprising a central processing unit having a program counter and a storage device accessed from the central processing unit,
Furthermore, an address displacement value conversion unit having an address displacement value register and an address reverse conversion unit are provided,
The address displacement value conversion unit encrypts the value stored in the address displacement value register, sequentially updates the program counter with the encrypted value,
The central processing unit transfers the value of the program counter to the address reverse conversion unit via a bus,
The address reverse conversion unit decodes the transferred value of the program counter and obtains an address for the central processing unit to access the storage device. The address displacement value conversion unit includes an arbitrary value generator, and the value of the address displacement value register is a value obtained by calculating an initial value of the address displacement value register and a value generated by the arbitrary value generator. The information processing apparatus according to claim 1.   The information processing apparatus according to claim 2, wherein the value generated by the arbitrary value generator is a true random number or a pseudo random number. The information processing apparatus according to claim 1, wherein the address reverse conversion unit receives a value for decoding the program counter via the bus. The information processing apparatus according to claim 1, wherein the address reverse conversion unit includes a dedicated bus for receiving a value for decoding the program counter. The address displacement value conversion unit multiplies the value stored in the address displacement value register by a mask value, and the multiplied value is an increment value for updating the program counter,
The address displacement value conversion unit obtains an inverse element in a finite ring with an element number 2 ⁿ of the mask value, and the address inverse conversion unit decodes the transferred program counter based on the inverse element. The information processing apparatus according to claim 1. In an address control method for an information processing apparatus comprising a central processing unit having a program counter and a storage device accessed from the central processing unit,
The information processing apparatus further includes an address displacement value conversion unit having an address displacement value register, an address inverse conversion unit, and an arbitrary value generator.
The address displacement value conversion unit sets a value in the address displacement value register;
The arbitrary value generator generates a mask value generated by a true random number or a pseudo random number; and
The address displacement value conversion unit calculates a value of the address displacement value register and the mask value;
The central processing unit updates the program counter with a value obtained by calculating the value of the address displacement value register and the mask value;
The address displacement value conversion unit obtains a value necessary for decoding the program counter based on the mask value;
The address displacement value converting unit transfers a value necessary for decoding the program counter to the address inverse converting unit via a bus;
The central processing unit transfers the value of the program counter to the address reverse conversion unit via a bus;
The address inverse conversion unit obtains an address by decoding the value of the program counter transferred based on a value necessary for decoding the program counter; and
An address control method for an information processing apparatus, comprising: a procedure for the central processing unit to access the storage device using the decrypted address. In an address control method for an information processing apparatus comprising a central processing unit having a program counter and a storage device accessed from the central processing unit,
The information processing apparatus further includes an address displacement value conversion unit having an address displacement value register, an address inverse conversion unit, and an arbitrary value generator.
A procedure in which the address displacement value converter sets a value d in the address displacement value register;
The arbitrary value generator generates a mask value α generated by a genuine random number or a pseudo random number; and
A procedure in which the address displacement value conversion unit calculates a multiplication value d × α of the value d of the address displacement value register and the mask value α;
A step in which the central processing unit increments the program counter by a multiplication value d × α of the value of the address displacement value register d and the mask value α;
The address displacement value conversion unit obtains an inverse element β in a finite ring of element number 2 ⁿ of the mask value α as a value necessary for decoding the program counter;
The address displacement value conversion unit transfers a value β necessary for decoding the program counter to the address reverse conversion unit via a bus;
The address inverse conversion unit obtains an address by decoding the value of the program counter transferred based on the value β necessary for decoding the program counter;
An address control method for an information processing apparatus, comprising: a procedure for the central processing unit to access the storage device using the decrypted address. The address displacement value conversion unit, a procedure for setting a value in the address displacement value register, an address control method for an information processing apparatus according to claim 7, wherein the performed before starting the program.   8. The address control method for an information processing apparatus according to claim 7, wherein the step of generating a mask value by the arbitrary value generator is performed at an arbitrary time when the central processing unit is operating.

Images