JP2006019872A - Encryption processing apparatus - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide an encryption processing apparatus and method with high immunity against a DPA attack. <P>SOLUTION: The encryption processing apparatus for executing the encryption algorithm including repetitive processing of a plurality of stages of round functions such as the DES is configured to enter a random number to an F function part in a round transition state, and thereafter outputs intermediate data stored in a register to execute the arithmetic processing. Through the configuration above, an S box output on the basis of the random number in a round transition is produced, and current or potential variations in a register connection path are produced, which result in a current or potential variation independently of configuration bit information of a session key (round key) as secret information applied to each round, so as to realize the encryption processing apparatus with a high security level whereby it is impossible to analyze the secret information by the DPA attack. <P>COPYRIGHT: (C)2006,JPO&NCIPI

Description

  The present invention relates to a cryptographic processing apparatus. More specifically, the present invention relates to a cryptographic processing apparatus having improved resistance to power analysis known as cryptographic analysis processing and attack processing.

  In recent years, with the development of network communication and electronic commerce, ensuring security in communication has become an important issue. One method of ensuring security is encryption technology, and currently, communication using various encryption methods is actually performed.

  For example, an encryption processing module is embedded in a small device such as an IC card, and data is transmitted / received between the IC card and a reader / writer as a data reading / writing device, and authentication processing or encryption / decryption of transmitted / received data is performed. The system to do is put into practical use.

  In an IC card, for example, when data is exchanged with a reader / writer or a host computer, there is no problem even if secret information stored in the IC card leaks in the process. Is used.

  There are various cryptographic processing algorithms, but broadly classified, the encryption key and the decryption key are different keys, for example, a public key cryptosystem that sets a public key and a private key, and an encryption key and a decryption key. It is classified into a common key encryption method set as a common key.

  There are various algorithms in the common key cryptosystem, one of which generates a plurality of keys based on the common key, and uses the generated plurality of keys as a block unit (64 bits, 128 bits, etc.) data. There is a method for repeatedly executing the conversion process. A typical algorithm applying such a key generation method and data conversion processing is a common key block encryption method.

  As a typical common key block cipher algorithm, for example, there is a DES (Data Encryption Standard) algorithm as a US standard cipher, which is widely used in various fields.

  When communication with encryption processing based on DES is performed between the IC card and the host computer, the owner of the IC card and the host computer have the same key (common key), and the data transmission side uses the key as the data transmission side. The data is encrypted and transmitted, and the data recipient decrypts it with the same key and retrieves the message. Even if a malicious third party eavesdrops in the course of communication, it is difficult to decrypt and extract a message unless it has a key. In addition, the key used for encryption / decryption is stored in a non-volatile memory such as EEPROM in the IC card, and is directly transferred to the encryption engine in the IC card without going through the CPU during encryption / decryption. Under such control, security is maintained by adopting a configuration in which even key card owners and IC card development engineers cannot extract key data.

  Common key block cipher algorithms typified by DES can be mainly divided into a round function part that performs conversion of input data and a key schedule part that generates a key to be applied in each round of the round function part. A round key (sub key) to be applied in each round of the round function part is generated by being input to the key schedule part based on one master key (primary key) and applied in each round function part.

  However, in such a common key encryption process, there is a problem of key leakage due to cryptographic analysis. There are several types of cryptographic analysis methods. One of them is a simple power analysis (SPA).

  Most tamper-resistant devices such as smart cards are composed of logic circuits composed of transistors, and when voltage is applied to the gate, current flows and power is consumed. In general, the power consumption of a circuit is related to the operation being executed and the value of the data being used.

  Since power consumption varies depending on the calculation and data value, it is possible to obtain information such as the Hamming weight regarding the secret information by observing the change in the power consumption of the device performing the calculation using the secret information. It becomes possible and entropy can be made small. A method of directly using changes in power consumption for analysis is called simple power analysis.

  The power consumption of the device can be obtained from a current value flowing through the resistor by inserting a resistor in series between the device and the power source or the ground. When power consumption is measured for a smart card that is actually performing a common key encryption operation, the operation of each stage of the common key encryption can be clearly confirmed from the measured waveform. Furthermore, information such as key register exchange can be obtained by analyzing the power consumption waveform in detail.

  Next, power difference analysis (DPA: Differential Power Analysis) will be described. The power consumption of the tamper resistant device generally depends on the calculation contents and secret information used for the calculation. However, changes in power consumption depending on these contents are small, and it is generally difficult to distinguish from measurement errors and noise.

  Therefore, P.I. Kocher et al. Take the average of a large amount of measurement values to reduce the influence of measurement errors and noise, and take the difference from the average value of all data to eliminate the influence of power consumption due to the calculation process, thereby using confidential information We proposed a method (power difference analysis) to extract only changes in power consumption due to.

  P. Kocher et al. Shows an application example for DES. First, one bit of data expected to be written to the register at the end of the first stage or the 16th stage by predicting a bit of a part of the key entering the first stage or the 16th stage of the round function part Pay attention to the value of, and classify the observation data of power consumption according to the value. Next, the average of the measured values is taken for each group, and the difference between them is taken. When the prediction is correct, the difference in power consumption becomes large when the focused bit is used for the calculation. If the forecasts are different, no noticeable difference is confirmed. Based on such an event confirmation process, the constituent bits of the key applied to the encryption process are sequentially obtained.

  This P.I. According to the cryptographic analysis method based on the proposal of Kocher et al., It is possible to estimate the first and 16th round keys of the DES.

The DES encryption process has a structure for converting plaintext into ciphertext by simple repetition of a conversion function. FIG. 1 shows a basic configuration of DES encryption processing. The round function unit 110 executes conversion of input data, and the key schedule unit 120 generates a key to be applied in each round of the round function unit.

  In the round function unit 110, the plaintext (64 bits) is first divided into 32 bits each of L and R after replacement in the initial replacement unit 111, and the divided L and R 32 bits are sent to the first-stage round function unit 112. The conversion process is performed based on the key K (1) input and input from the first-stage key generation unit 122 of the key schedule unit 120. The conversion process result is input to the second-stage round function unit 113 in the next stage.

  In the key schedule unit 120, first, the master key (primary key) replacement unit (PC-1) 121 removes the 8 bits of parity of the input master key (primary key: 64 bits), and the remaining 56 bits are replaced. Input to the first round key generation unit 122. The first-stage round key generation unit 122 executes a shift process of the input bit string and discards 8-bit data, generates a 48-bit round key K (1), and uses the generated round key K (1) as a round function. To the first round function unit 112 of the unit 110. The first-stage round key generation unit 122 outputs the higher-order bit string (28 bits) and the lower-order bit string (28 bits) obtained by the shift process to the second-stage round key generation unit 123 in the lower stage.

  The round function section has 16 round function sections, each of which executes the conversion process using the key input from the key schedule section 120 with the output of the previous round function section as an input, and converts the conversion result into the subsequent round function. To the output. The output converted by the 16-stage round function part is input to the reverse replacement part 114, the reverse replacement process of the initial replacement part 111 is executed, and output as ciphertext.

  FIG. 2 shows the configuration of the round function unit at each stage constituting each round of the round function unit 110. As shown in FIG. 2, the round function unit receives two inputs, L (n-1) and R (n-1), from the round function unit of the previous stage (n-1 stage), and the key from the key schedule part. Enter (k (n)). In the F function unit 151, the bit string (R (n-1)) input from the previous round function unit is converted using the key (k (n)) input from the key schedule unit, and the conversion result is converted to the previous result. The remaining bit string (L (n-1)) input from the round function part and exclusive OR are executed to generate the output R (n) of the next round function part. In the next round function section, a bit string with R (n-1) as L (n) and the above F function and R (n) generated by the exclusive OR operation are input, and the same processing is repeated. It is.

  The configuration of the F function is shown in FIG. The F function includes a plurality of S boxes (Sboxes) that perform nonlinear processing. The input value R (n−1) from the previous stage of the round function part is expanded to 48 bits by the replacing part 171, and the exclusive OR is executed with the key (48 bits) input from the key schedule part, and the output is 6 It is input to a plurality of S boxes 181-1 to 18-8 for executing nonlinear conversion processing bit by bit. In each S box, for example, nonlinear conversion processing from 6 bits to 4 bits to which a conversion table is applied is executed.

  The output bits 4 × 8 = 32 bits from the S box 181-1 to 8 are input to the replacement unit 172, the bit position is exchanged, and the F function output 32 bits are generated and output.

  As described with reference to FIGS. 1 to 3, the DES encryption process is executed by a multi-stage (16-stage) conversion process.

  Various data is transmitted through the signal line in the above-described cryptographic processing calculation process, and the function execution unit executes the calculation. The arithmetic unit is usually a circuit composed of MOS transistors, but the current consumed by the arithmetic circuit differs slightly depending on whether the input bit is "0" or "1". However, since the calculation is performed in parallel with a plurality of bits, it is difficult to specify whether the focused bit is “0” or “1” by focusing only on the current consumption of a specific bit.

On the other hand, in the DPA attack, about 1000 plaintexts generated by random numbers are encrypted by the DES encryption engine mounted on the IC card, and the current consumption at that time is statistically processed and stored in the IC card. It was shown that it is possible to take out the key that has been used. This attack can be performed at any node related to the key information in the DES calculation flow. For example, in the S box, after the input value (32 bits) of the F function is expanded to 48 bits, each round key generated by the key schedule unit and the exclusive OR value are input. This round key (48 bits) is obtained by rearranging the bits of 56 bits excluding the parity of the 64-bit encryption key and discarding 8 bits of the result, so that the 48-bit key data remains as it is. Remaining. Therefore, if 48-bit key data is obtained by the SPA DPA attack, the remaining 8 bits can be easily obtained by 2 ⁸ = 256 exhaustive attacks. The procedure for attacking the output node of the S box is shown below.

(Process 1) About 1000 plaintexts (M1 to M1000) are generated with random numbers, which are put in an IC card and encrypted with DES. The current consumption waveform at that time is measured and held for each plaintext.
(Process 2) The DES simulator encrypts the plaintext (M1 to M1000) assuming a key. Then, the power consumption waveform corresponding to each plaintext is classified according to whether the node of interest (for example, the least significant output bit of one “S1” of the S box) is “0” or “1”, and the average current consumption of each group Find the waveform.
G0 = Σ {power consumption waveform when the output bit of the node of interest is “0”} / m
However, m is the number of corresponding plaintexts G1 = Σ {power consumption waveform with output bit of target node “1”} / n
However, n is the number of corresponding plaintexts. (Process 3) Calculate the difference (G0-G1) in the current consumption waveform.
If a peak occurs in this differential waveform,
The key of the estimated part of the node of interest is determined to be correct, and the key of the next S box (for example, “S2”) is obtained in (Process 2).
If no peak occurs,
The key of the part estimated by the node of interest is determined to be wrong, and the assumed key ("S1" part) is changed and the statistical process is performed again in (Process 2).

  By this procedure, a key of 48 bits in total is obtained from each S box (S1 to S8) by 6 bits, and the remaining 8 bits are obtained by exhaustive search of 256 times. Here, the reason why a peak appears in the difference of the consumption current waveform subjected to the statistical processing when the assumed key matches the actual key in (Process 3) will be described.

  If the key is known, a plurality of plaintexts are encrypted with the key, and 2 depending on whether the node of interest (for example, the least significant output bit of “S1”) in a round in the DES algorithm is “0” or “1”. When classified into one group, since the same data is output to the node of interest in each group, currents resulting from this flow at almost the same timing. The current of the data output is very small, but if the nodes that produce the same output at the node of interest are collected, the current value is integrated by that number.

  When this classification is performed, since the classification is based on the output data of S1, the inputs of the other S boxes (S2 to S8) operating at the same time are random values, and random data appears at the output. The timing of current flow varies. The sum of all these currents becomes the current consumption during the S box operation. Therefore, when the number of data is sufficiently large (for example, 1000 pieces of data) and classified into two groups according to the data of the least significant bit of “S1”, both groups have other than the least significant bit of “S1”. The same number of “0” s and “1” s appear in the bits and each bit of “S2” to “S8”. On the other hand, only the output current of the least significant bit of “S1”, only the output current of “0” appears in one group and only the output current of “1” appears in the other group. Taking the average difference in current consumption, the bits other than the least significant bit of “S1” and the output currents of “S2” to “S8” cancel each other, and only the current resulting from the output current of the least significant bit of “S1” Appears as a peak.

The above is an explanation when the key is known. If the key is known, the output value of the node of interest can be obtained by inputting the key and plaintext into the simulator. It can be divided into groups, and the peak current waveform can be obtained by taking the average of both groups and finding the difference. However, if the key is not known, the key is estimated, the key and plaintext are input to the simulator, and the corresponding plaintext is input according to the simulation result of the node of interest (for example, the output of the least significant bit of “S1”). When classifying the current values of actual measurements and taking the average of each group and taking the difference between the two,
(A) Peak current appears → Input bit of “S1” in the estimated key data is correct (b) Peak current does not appear → Input bit of “S1” in the estimated key data can be determined to be incorrect . If it is determined that the input bit of “S1” is wrong, another “S1” is set and the same evaluation is performed.

Since the input bits of “S1” are 6 bits, the correct key of “S1” can be obtained by repeating 2 ⁶ = 64 times at the maximum. If this operation is requested for another S box, all 48-bit keys related to the input bits of the S-box can be obtained by this attack. The remaining 8 bits can be obtained with 2 ⁸ = 256 attacks even if all the search is performed. In this way, the DES attack does not require 2 ⁵⁶ = 7.2 × 10 ¹⁶ attacks, and the secret key is obtained by 2 ⁶ × 8 = 512 statistical processing and 2 ⁸ = 256 exhaustive searches. It becomes possible to ask.

  As a means to counter this, a circuit that executes a DES operation with a flow different from a normal DES flow may be mounted. Since the DPA attack is based on the premise that the DES simulator and the actual IC operate with the same calculation flow, if the IC is designed with a different calculation flow, the simulator calculates with the correct key and the value of the node of interest Even if the current waveforms measured with the actual device are grouped based on, the calculation flow is different, so the actual value of the target node is not the same in each group, and as a result, the difference in the average current between the groups Even if it is taken, no peak appears, and it is resistant to DPA attacks.

  There exists patent document 1 as a prior art which disclosed this structure. In Patent Document 1, a value (positive) and an inverted value (negative) as they are input to the F function are generated, and a value to be input to the extension function is selected by a random number. In this configuration, it is necessary to prepare two types of S box, that is, a normal one (positive) and one corresponding to inverted data (negative), which leads to an increase in circuit scale.

  Further, in Patent Document 2, the data obtained by initial replacement (IP) is calculated by dividing a fixed value selected by a random number and a value obtained by EOR into L and R, and in the F function, in addition to the session key, A value obtained by performing an exclusive OR operation with a fixed value selected with a random number is input to the S box. Note that the S boxes are prepared by the number of sets corresponding to the number of fixed values selected by random numbers in the F function, and the S boxes corresponding to the fixed values selected by random numbers are selected. With this configuration, the resistance to DPA is significantly improved, but it is necessary to prepare a plurality of sets of S boxes, and the circuit scale is several times larger than that of a normal DES.

For example, IC modules that execute cryptographic processing are actively used in various gates such as station ticket gates, shopping centers, and the like, and demands for downsizing and speeding up of processing have become strict. Yes. Therefore, there is a need for a configuration that does not complicate the processing algorithm and is resistant to power analysis.
JP 2002-31826 A JP 2002-366029 A

  The present invention has been made in view of the above problems, and without complicating the processing algorithm, the cryptographic analysis based on the power analysis based on the detection of power consumption fluctuations associated with the regular processing of the cryptographic processing sequence. It is an object of the present invention to provide a cryptographic processing apparatus that can increase the difficulty.

The first aspect of the present invention is:
A cryptographic processing device that performs cryptographic computation processing including round function iteration processing,
A function operation unit that executes data processing corresponding to the round function for each round;
A data storage register for storing intermediate data as a calculation result of each round in the function calculation unit;
A random number register for storing random numbers;
A switch unit that selectively connects the data storage register and the random number register to the function calculation unit;
A control unit that performs switching control of the switch unit,
The controller is
The switch unit is configured to perform connection switching control so that the random number stored in the random number register is output to the function calculation unit at the time of a round transition, and then the intermediate data stored in the data storage register is output. In the cryptographic processing device characterized by the above.

  Further, in one embodiment of the cryptographic processing apparatus of the present invention, the control unit repeatedly executes connection switching processing of the switch unit for each round, and stores the random number stored in the random number register at the start time of each round. It is configured to execute connection switching control that outputs to the calculation unit and outputs intermediate data stored in the data storage register to the function calculation unit after a predetermined time of the same round, and the data storage register has an end of round In some cases, the switch control is performed so that new intermediate data as a calculation result of the function calculation unit based on the intermediate data is stored.

  Furthermore, in one embodiment of the cryptographic processing apparatus of the present invention, the switch unit is configured on a wiring path connected to the data storage register.

  Furthermore, in one embodiment of the cryptographic processing apparatus of the present invention, the cryptographic processing apparatus further includes random number generation means, wherein the random number generation means generates a different random number for each round, and at the time of transition of each round In the above, the random number that is different for each round is output to the function calculation unit.

  Furthermore, in one embodiment of the cryptographic processing apparatus of the present invention, the function calculation unit has an S box as a non-linear conversion unit, and the data storage register includes a round function calculation process including a non-linear conversion process by the S box. The result data is stored.

  Furthermore, in one embodiment of the cryptographic processing apparatus of the present invention, the cryptographic processing apparatus is configured to execute cryptographic processing calculation in accordance with a DES (Data Encryption Standard) algorithm.

  Other objects, features, and advantages of the present invention will become apparent from a more detailed description based on embodiments of the present invention described later and the accompanying drawings. In this specification, the system is a logical set configuration of a plurality of devices, and is not limited to one in which the devices of each configuration are in the same casing.

  According to the configuration of the present invention, a cryptographic processing device that increases the difficulty of cryptographic analysis by power analysis based on detection of power consumption fluctuations associated with regular processing of cryptographic processing sequences without complicating the processing algorithm Is realized.

  In the configuration of the present invention, a random number is input to a so-called F function unit that executes round function processing in a cryptographic processing device that executes a cryptographic algorithm including repetitive processing of a multi-stage round function, such as DES. Thereafter, the intermediate data stored in the register is output to execute the arithmetic processing. With this configuration, an S box output based on a random number is generated at the time of a round transition, and a current or potential fluctuation occurs in the register connection path. Therefore, these are current or potential fluctuations unrelated to the configuration bit information of the session key (round key) as secret information applied in each round, and the power difference based on the current or potential fluctuation of the output of the S box or the register connection path Analysis of secret information by analysis (DPA: Differential Power Analysis) becomes impossible, and a cryptographic processing apparatus with a high security level is realized.

  According to the configuration of the present invention, a cryptographic processing device having high resistance to an attack based on power difference analysis (DPA) is realized with a simple configuration in which a random number input configuration by switch control is added. By executing random number input in each round, the output of the S box and the current or potential fluctuation of the register connection path become independent of the secret information (round key configuration bit information), and a DPA-resistant cryptographic processor is realized.

  Details of the cryptographic processing apparatus of the present invention will be described below. The present invention is a cryptographic processing apparatus that executes a cryptographic algorithm including a repetition process of a multi-stage round function typified by, for example, a DES (Data Encryption Standard) algorithm. The object is to provide a circuit configuration having (DPA) tolerance.

  As described above with reference to FIGS. 1 to 3, the circuit that executes the DES arithmetic processing includes a circuit that repeatedly executes a mixing function of a plurality of stages (16 stages). Normally, when designing an execution circuit for the DES calculation flow, a configuration is adopted in which one stirrer function portion that repeats 16 times is created and operated 16 times.

  A specific circuit configuration of the stirring function will be described with reference to FIG. FIG. 4 shows a configuration example of an F function unit 200 having an S box 204 and an encryption processing device having an L register 211 and an R register 212 as intermediate data storage units.

  When executing the conversion process of a plurality of stages (16 stages) described with reference to FIGS. 1 to 3, intermediate data generated for each process stage is stored in the L register 211 and the R register 212, and the next process stage Then, the intermediate data is extracted from the L register 211 and the R register 212, and the process is executed.

  The switch 1 [SW1] 215 and the switch 2 [SW2] 216 are initially set to the “a” side, and the replacement data in the initial replacement unit 221 for the input message 231 is the L register 211 and the R register. The switch 1 [SW1] 215 and the switch 2 [SW2] 216 are then tilted to the “b” side, and 16 round operations are executed. Then, after 16 round operations are completed, the reverse replacement unit 222 performs the last replacement and outputs the ciphertext 232.

  FIG. 4A corresponds to the configuration shown in FIG. 2, and FIG. 4B shows the details and details of the connection configuration with a register as an intermediate data storage unit. In each round, the processing results of the previous round stage (n-1 stage), that is, L (n-1) and R (n-1) are stored in the L register 211 and the R register 212, respectively. The 32-bit data is input to the F function unit 200, and the replacement unit 201 performs expansion replacement from 32 bits to 48 bits. The replacement unit 201 corresponds to the replacement unit 171 in FIG.

  Further, a round key (also called a session key) (k (n)) 202 is applied from the key schedule unit to the output of the replacement unit 201, and an exclusive OR operation process is performed in the exclusive OR (XOR) unit 203. The processing result is input to the S box 204. After the non-linear transformation is executed in the S box and the S box 204 output is subjected to a replacement process such as bit replacement in the replacement unit 205, the replacement result is converted into the stored value of the L register 211 in the exclusive OR (XOR) unit 206. An exclusive OR operation process is performed, and the result appears at the input of the R register 212. The output of the R register 212 appears at the input of the L register 211. Then, it is taken in at the rising edge of the clock input of the L register 211 and R register 212. These stored data are further extracted in the processing of the next stage, and the same processing is repeated.

  In the implementation as shown in FIG. 4, the output of the F function unit 200 is directly stored in the register, and in the subsequent processing, processing based on the data extracted by executing data extraction from the register is executed.

  A device that performs these processes is a logic circuit composed of transistors, and as described above, power consumption related to the operation being performed and the value of the data being used is generated. For example, by observing a change in power consumption of a device that is performing an operation of repeatedly writing intermediate data to a register, an estimation process such as a change in a register storage value and a change in an S-box output value is performed. It is possible to analyze the secret information, specifically, the session key (round key) applied in each round.

  A specific example of secret information analysis processing will be described with reference to the circuit diagram of FIG. 4 and the timing chart of FIG. FIG. 5 shows the timing of the first number CLK when the circuit shown in FIG. 4 is operated and the output value of the main node.

In the timing chart shown in FIG. 5, from the top, [CLK]: clock timing [DES]: execution timing of DES encryption processing [S Key]: transition of session key (round key) used in the F function unit 200 [L Reg]: Storage data transition of the L register 211 [R Reg]: Storage data transition of the R register 212 [S-box]: Output transition of the S box (S-box) 204.

  In the circuit configuration of FIG. 4, when the encryption process is executed, the input plaintext message 231 is replaced with data by the replacement function (IP) of the initial initial replacement unit 221 and then divided into 32 bits. Are input to the L register 211 and the R register 212.

  As shown in the timing chart shown in FIG. 5, the data output from the initial replacement unit 221 at the rising edge of the clock is taken into the registers 211 and 212.

  At this time, the values stored in the registers 211 and 212 change from “L_init” to “L0” and from “R_init” to “R0”, respectively. The output value of the R register 212 is connected to the input of the L register 211 by switching (a → b) of the switch 1 (SW1) 215 and is also input to the F function unit 200.

  The output value of the L register 211 is changed from the output value of the F function unit 200 to the switch 2 (SW2) 216 after the exclusive OR (E-OR) operation is executed in the exclusive OR (XOR) unit 206 ( a → b) to the input of the R register 212.

Then, at the next clock rise (Round 1 → Round 2 in FIG. 5), the values of the L register 211 and the R register 212 are updated from “L0” and “R0” to “L1” and “R1”, respectively. At this time, the relationship between the stored values “L1” and “R1” of each register and “L0” and “R0” is expressed by the following formulas (formulas 1, 2) using the session key (round key) “K1” in round 1. ).

Generally, a relational expression in round n (Roundn) is expressed by the following expressions (Expressions 3 and 4) using a session key (round key) “Kn”.

This operation is repeated 16 times. The output [Sout_n] of the S-box in each round n is expressed by the following formula (Formula 5).

  In this equation (Equation 5), EX (A) indicates the output of the replacement unit (extended function) 201 for the input A, and S [B] is the output of the nonlinear transformation in the S box (S-box) 204 for the input B. Represents.

In this configuration, the nodes that are targets of the power analysis (DPA) attack are the following nodes.
(1) Output of S-box (2) Output of L register and R register
The details of the output analysis (1) and (2) will be described below.

(1) About the analysis processing of the output of the S-box 204 The attack for the purpose of analyzing the output of the S-box 204 is a DES simulator (simulator) that performs a DES operation assuming a key, and the result of the S-box 204 of interest By grouping the current consumption waveforms measured in multiple plaintexts according to the value of the output bit, and determining the validity of the assumed key based on whether or not the peak current is generated by the difference in the average current of each group Do.

FIG. 5 shows the transition of the timing of the first number CLK and the output value of the main node when the circuit shown in FIG. 4 is operated as described above. The output of the S-box 204 is output after the operation is switched to Round 1 (Round 1), after the E-OR operation with the extension function and the session key, and the non-linear operation in the S-box. The output of the S-box 204 before switching to round 1 is “R-init” as the value of the R register 212 before starting the round operation, and “K_init” as the value output from the session key generation circuit to the F function unit 200. In this case, the value is shown in the following formula (Formula 6).

  R_init and K_init indicate the value of the R register 212 before the start of the DES calculation and the output of the session key (round key) generation circuit. In the DES calculation immediately after the power is turned on, they are usually the same value, that is, a fixed value. . Therefore, the value of the above (Expression 6) is also a fixed value immediately after the power is turned on.

Then, at the rise of CLK in round 1, “R0” is taken into the R register 212 and input to the F function unit 200, and “K1”, which is the key for round 1 from the session key generation circuit, is F. Input to the function section. As a result, the output of the S-box 204 changes to a value represented by the following equation (Equation 7).

  As a result, the output change of the S-box 204 and the current accompanying the output change of the S-box 204 when switching to round 1 in the DES calculation immediately after the power is turned on are as shown in FIG.

As shown in FIG. 6, the current flows in accordance with the bit where “1” stands in the following formula (Formula 8).

  In the bit where “1” is set in the above equation (Equation 8), a current accompanying the change in the output of the S-box 204 is generated.

Next, details of (2) output analysis of the L register and the R register will be described.
The current that can be analyzed in the output analysis of the L register 211 and the R register 212 is a current caused by the data stored in each register. When new data is stored in each register, it is caused by the presence of a bit different from the original data. Current.

  In the DPA attack, (1) Simulation is performed assuming the same key as in the S-box output analysis, and the current consumption waveforms are grouped according to the bit change before and after the data storage of the register of interest as a result. This is executed as a process of determining the validity of the assumed key based on whether or not the peak current is generated based on the difference between the average waveforms of the consumption currents of both groups.

  The DPA attack is performed, for example, when data is stored in the register at the rising edge of the round 2 (Round 2) clock shown in FIG. In the timing chart shown in FIG. 5, at the start of Round 2 (Round 2), the output value of the R register 212 changes from “R0” to “R1”. At this time, the relationship between the combination of bit values of interest and the presence / absence of current is the relationship shown in FIG.

At this time, the bit through which the current flows is a real device, and is a bit in which “1” stands in the following formula (formula 9).

  In the above formula, the bit where “1” is set is a case where the value of the bit is replaced before and after the round, which matches the operation result in the DES simulator when the estimated key is correct, and R1. Includes the round key component “K1” as shown in the equation (Equation 2). Therefore, when the current consumption is statistically processed based on the calculated value of the DES simulator, the value of the round key “K1”, that is, the secret key Of these, 48 bits can be derived.

The following configuration is effective as a configuration that counters such power analysis.
(1) As a countermeasure against S-box output analysis,
What is necessary is just to set it as the structure which the change of the output value of S-box of an actual DES has a value uncorrelated with the change of the calculation value in a DES simulator.
(2) As a countermeasure against the output analysis of the L register and R register,
The bit through which the output current of the register flows when data is stored in the L register and R register may be different from the bit that changes in the DES simulator.

The present invention proposes a circuit configuration having the above countermeasures.
The circuit configuration of the cryptographic processing apparatus according to the present invention is shown in FIG. 8, and the operation at the time of cryptographic processing in the cryptographic processing apparatus according to the present invention and the data transition of the register input / output data and S-box output data The timing chart shown is shown in FIG.

  8 shows the configuration of the F function unit 200 having the S box 204 similar to that shown in FIG. 4 and the cryptographic processing apparatus according to the present invention having the L register 211 and the R register 212 as intermediate data storage units. The circuit structure which comprises is shown. The F function unit 200 is a function calculation unit that executes data processing corresponding to a round function for each round.

  In the configuration shown in FIG. 8, the difference from the circuit configuration shown in FIG. 4 is that the switch 3 (SW3) 301 is arranged between the L register 211 and the path L (path_L) 311 that is the output wiring thereof. , The switch 4 (SW4) 302 is inserted between the R register 212 and the path R (path_R) 312 which is the output wiring thereof. With this configuration, the path L (path_L) 311 and the path R (path_R) The input value after 312 can be switched between the value of the L / R register and the random number (RN1, RN2).

  These two SW circuits, switch 3 (SW3) 301 and switch 4 (SW4) 302, operate under the control of a control unit (not shown). The control unit is, for example, a CPU, and the control unit controls switching of the switches according to a predetermined control sequence. The control sequence will be described in detail according to the timing chart shown in FIG.

  The two SW circuits, switch 3 (SW3) 301 and switch 4 (SW4) 302 operate at the same timing. In the timing chart shown in FIG. 9, [SW] indicates the operating state of the switch 3 (SW3) 301 and the switch 4 (SW4) 302.

In the timing chart shown in FIG. 9, from the top, [CLK]: clock timing [DES]: execution timing of DES encryption processing [S Key]: session key (round key) used in the F function unit 200 [SW]: Transition of switch 3 (SW3) 301 and switch 4 (SW4) 302 (switching between c and d) [L Reg]: Transition of stored data in L register 211 [R Reg]: Transition of R register 212 Stored data transition [path_L]: Data transition of path L (path_L) 311 [path_R]: Data transition of path R (path_R) 312 [S-box]: Indicates output transition of S box (S-box) 205 .

  As understood from the timing chart shown in FIG. 9, the switch 3 (SW3) 301 and the switch 4 (SW4) 302 are connected to the “d” side, which is the random number side, for the first fixed period of each round. (RN1 or RN2) are output to the path L (path_L) 311 and the path R (path_R) 312 respectively, and the subsequent calculation is executed.

  After the elapse of the first fixed period of each round, the switch 3 (SW3) 301 and the switch 4 (SW4) 302 are switched to the respective registers, that is, the “c” side which is the L register 211 and the R register 212 side. The stored values of the register 211 and the R register 212 are output to a path L (path_L) 311 and a path R (path_R) 312 to perform subsequent operations. The switch 3 (SW3) 301 and the switch 4 (SW4) 302 repeatedly perform this switch switching every round.

  Also in this configuration, the stored values of the L register 211 and the R register 212 and the values of the output nodes thereof are not different from those in the conventional configuration, but when storing data at the start of each round for the L register 211 and the R register 212, the L register 211, since the wiring load from the R register 212 to the path L (path_L) 311 and the path R (path_R) 312 is disconnected by the switch 3 (SW3) 301 and the switch 4 (SW4) 302, each round starts. The current consumption associated with the change in the stored values of the L register 211 and R register 212 is only due to the operation in the L register 211 and R register 212 circuits. It becomes quite difficult.

  On the other hand, the wiring path L (path_L) 311 for generating the charging / discharging current is connected to the RN1 register 331 and the L1 register 331 which are registers storing random numbers by switching the switch 3 (SW3) 301 in each round (switching between c and d). The wiring path R (path_R) 312 is also alternately connected to the register 211, and the switch 4 (SW4) 302 is switched (switching between c and d), and the RN2 register 332 and R are registers that store random numbers. Alternately connected to the register 212.

  For this reason, for example, immediately after switching to Round 1 (Round 1), the input to the F function unit 200 is random from the RN2 register 332, which is a register storing random values, via the switch 4 (SW4) 302. A numerical value “RN2” is input, and a session key (round key) “K1” is input.

Therefore, as shown in FIG. 9, the output of the S-box 204 at this timing transitions from the value represented by the following formula (formula 10) to the value represented by the formula (formula 11).

  In the above equation, EX (A) represents the output of the replacement unit (extension function) 201 for the input A, and S [B] represents the output of the nonlinear transformation in the S box (S-box) 204 for the input B.

Immediately after switching to Round 1 (Round 1), the output of the S-box 204 changes from the value represented by the above formula (Formula 10) to the value represented by the formula (Formula 11). Here, in the above formulas (Formulas 10 and 11),
The random number [RN2] is independent of any of the following values (a) to (d) and is an independent value.
(A) [R_init]: Initial stored value of R register 212 before the start of round 1, that is, initial stored value at the time of initial replacement (IP)
(B) [K_init]: Session key (round key) before the start of round 1
(C) [R0]: value stored in the R register 212 at the time of round 1;
(D) [K1]: Session key (round key) at the time of round 1

When the output of the S-box 204 changes before and after the start of round 1 and the wiring load is charged and discharged when the value shown in the equation (Equation 10) changes to the value shown in the equation (11), This is a case where bit 1 stands in the equation (Equation 12).

  In the above formula, the case where bit 1 stands corresponds to the case where the output bit value from S-box 204 changes before and after round 1.

After a predetermined time has elapsed after the transition to round 1, the switch 4 (SW4) 302 switches from “d” to “c”, and the value [R0] stored in the R register 212 is input to the F function unit 200. Then, the calculation in the F function unit 200 is executed, and the output of the S-box 204 changes from the value of the above formula (Formula 11) to the value of the following formula (Formula 13).

At this time, when charge / discharge of the load wiring occurs based on the change in the output of the S-box 204, bit 1 is set in the following equation (Equation 14).

  The above bit change is compared with the calculation result in the simulation when the DPA attack is performed. FIG. 10 shows the correspondence between the grouping in the simulator when performing the DPA attack based on the output of the S-box 204 and the output value of the S box in the circuit configuration of the cryptographic processing apparatus of the present invention shown in FIG.

FIG. 10 shows the calculated values of the simulator when the key is assumed.
(A1) S box output value before start of round 1 (a2) S box output value after start of round 1 (a3) Current generation before and after start of round 1 (1 = current generation)
(A4) Grouping: Grouping based on the result of (a3), with current generation = group 1 and no current generation = 0.

  On the other hand, in the actual IC operation, the random number [RN2] of the input of the F function can take “0” and “1” in any of the four cases of the calculated values of the simulator. As shown by the equation (Equation 11), both 0 and 1 values may occur.

As a result, the change in the output of the actual S box (S-box) 204 is as shown in FIG.
(B1) Change in the S box output value before the start of round 1 (b2) The change in the S box output value after the start of round 1 takes either 0 or 1 value.

  Therefore, when the consumption current waveform is divided into two groups based on the calculation result of the simulator, even if the assumed key matches with the correct key, both groups actually have the same number of “0” and “1”. Including the difference between the two groups, no peak appears.

Next, the case of a DPA attack on the load current of the R register 212 will be described.
At the time of switching from round 1 (Round 1) to round 2 (Round 2), the switch 3 (SW3) 301 and the switch 4 (SW4) 302 are on the random number register (RN1 register 331 and RN2 register 332) side, respectively. Set to "".

Accordingly, the path L (path_L) 311 changes from the L register stored value = L0 to the random value = RN1, and the path R (path_R) 312 changes from the R register stored value = R0 to the random value = RN2. At this time, for example, in the path R (path_R) 312, charging / discharging occurs when bit 1 is set in the following equation (Equation 15) in accordance with the change from the R register stored value = R0 to the random value = RN2.

  However, as can be understood from this equation (Equation 15), the above equation (Equation 15) depends on the random value = RN2, and the random number [RN2] is generated equally in both 0 and 1. There is a possibility, and even if a simulation is performed with [0] or [1] set as the estimated bit value, information analysis by peak detection becomes impossible.

  FIG. 11 shows the correspondence between the grouping in the simulator when performing a DPA attack against the load current of the R register 212 and the load current of the R register 212 in the circuit configuration of the cryptographic processing apparatus of the present invention shown in FIG.

In FIG. 11, the calculated value of the simulator is
(A1) Data value of path R (path_R) 312 before the start of round 2 (a2) Data value of path R (path_R) 312 after the start of round 2 (a3) Presence / absence of occurrence of charge / discharge before and after the start of round 2 (1 = Charge / discharge occurrence)
(A4) Grouping: Charging / discharging occurs = Group 1, Charging / discharging does not occur = 0
Is shown.

  However, at the actual transition from round 1 to round 2, the switch 4 (SW4) 302 is set to “d” on the RN2 register 332 side, and the output from the RN2 register 332 at this time is either 0 or 1 Values can also occur.

As a result, whether or not the actual charging / discharging of the path R (path_R) 312 occurs before and after the start of round 2 is the case where bit 1 is present in the above equation (Equation 15), and FIG. 11 (b1), that is,
(B1) Presence / absence of charge / discharge before and after the start of round 2 (1 = charge / discharge occurrence)
As shown in the figure, both 0 and 1 values are generated.

  Therefore, when the charging / discharging occurrence of the path R (path_R) 312 is divided into two groups based on the calculation result of the simulator, even if the assumed key is the correct key, both groups are actually almost Even if the same number of “0” and “1” is included and the difference between the two groups is taken, no peak appears, and analysis based on whether or not the path R (path_R) 312 is charged or discharged becomes impossible.

  This situation is the same for the path L (path_L) 311, and information analysis based on whether the path L (path_L) 311 is charged or discharged is impossible.

  When a preset time elapses after the transition to round 2, the switch 3 (SW3) 301 and the switch 4 (SW4) 302 are changed from “d” on the random number register (RN1 register 331 and RN2 register 332) side, respectively. Switching to “c”, the value [R — 0] stored in the R register 212 is input to the F function unit 200, and the calculation in the F function unit 200 is executed.

  At this time, the path L (path_L) 311 and the path R (path_R) 312 change from RN1 to L1 and RN2 to R1, respectively.

In this, “R1” is data including the element of the session key (round key) “K1”, which is secret information, as understood from the above formula (Formula 2), but the path R (path_R). When the change in the current value via 312 is generated, the case of [1] in the following equation (Equation 16) is obtained.

  In the above equation, when bit 1 is set, the switch 4 (SW4) 302 switches from “d” to “c” after a predetermined time elapses after the transition of round 2 during the round 2 period. 2 corresponds to the case where a change in the current value via the path R (path_R) 312 occurs. When observing this change, as understood from the above formula (Formula 16), the change in the current value via the path R (path_R) 312 becomes a value depending on the input random number [RN2], and the input random number [RN2 ] May occur equally in both 0 and 1 values. As a result, the occurrence probability of a change in the current value via the path R (path_R) 312 is also equal, and [0] or [ Even if the simulation with 1] is performed, information analysis by peak detection, that is, DPA analysis is impossible.

  In the above description of the embodiment, it is preferable that the random numbers RN1 and RN2 are generated for each round and different random numbers are applied for each round. That is, it has a random number generation means, the random number generation means generates a different random number for each round, and outputs a different random number for each round to the F function unit at the transition of each round. A cryptographic processing apparatus with improved durability is realized.

  As a specific example, for example, a 1-bit random number value is generated for each round, and when the value is “1”, the random number used in the previous round is shifted by 1 bit and applied as a random number for that round. It is good also as a structure of these. With this configuration, an encryption processing apparatus with further improved DPA tolerance is realized.

  Finally, a configuration example of the IC module 600 as a device that executes the above-described encryption processing will be described with reference to FIG. The above-described processing can be executed by, for example, various information processing apparatuses such as a PC, an IC card, a reader / writer, and the IC module 600 shown in FIG. 12 can be configured in these various devices.

  A CPU (Central processing Unit) 601 shown in FIG. 12 executes encryption processing start and end, data transmission / reception control, data transfer control between components, and switch switching control described above, and other various programs. Processor. The memory 602 is a ROM (Read-Only-Memory) that stores programs executed by the CPU 601 or fixed data as calculation parameters, a program executed in the processing of the CPU 601, and a parameter storage area that changes as appropriate in the program processing, It consists of RAM (Random Access Memory) used as a work area. The memory 602 can be used as a storage area for key data and the like necessary for encryption processing. The data storage area is preferably configured as a memory having a tamper-resistant structure.

  The cryptographic processing unit 603 is a cryptographic processing unit that executes a cryptographic algorithm including a repetition process of a plurality of round functions such as the DES algorithm described above.

  The random number generator 604 executes processing for generating random numbers to be input to the F function unit at the time of transition of each round described above.

  The transmission / reception unit 605 is a data communication processing unit that performs data communication with the outside. For example, the data transmission / reception unit 605 performs data communication with an IC module such as a reader / writer, and outputs ciphertext generated in the IC module or an external reader. Data input from devices such as writers is executed.

  Note that various control signals applied in the encryption processing unit 603, for example, the switch switching control signal described above, are generated in the timing generation circuit 607 that operates with the clock signal from the clock 606 as a trigger, and is sent to the encryption processing unit 603. It is possible to supply.

  The present invention has been described in detail above with reference to specific embodiments. However, it is obvious that those skilled in the art can make modifications and substitutions of the embodiments without departing from the gist of the present invention. In other words, the present invention has been disclosed in the form of exemplification, and should not be interpreted in a limited manner. In order to determine the gist of the present invention, the claims section described at the beginning should be considered.

  The series of processes described in the specification can be executed by hardware, software, or a combined configuration of both. When executing processing by software, the program recording the processing sequence is installed in a memory in a computer incorporated in dedicated hardware and executed, or the program is executed on a general-purpose computer capable of executing various processing. It can be installed and executed.

  The various processes described in the specification are not only executed in time series according to the description, but may be executed in parallel or individually as required by the processing capability of the apparatus that executes the processes. Further, in this specification, the system is a logical set configuration of a plurality of devices, and the devices of each configuration are not limited to being in the same casing.

  In the configuration of the present invention, a random number is input to a so-called F function unit that executes round function processing in a cryptographic processing device that executes a cryptographic algorithm including repetitive processing of a multi-stage round function, such as DES. Thereafter, the intermediate data stored in the register is output to execute the arithmetic processing. With this configuration, an S box output based on a random number is generated at the time of a round transition, and a current or potential fluctuation occurs in the register connection path. Therefore, these are current or potential fluctuations unrelated to the configuration bit information of the session key (round key) as secret information applied in each round, and the power difference based on the current or potential fluctuation of the output of the S box or the register connection path Analysis of secret information by analysis (DPA: Differential Power Analysis) becomes impossible, and a cryptographic processing apparatus with a high security level is realized.

  According to the configuration of the present invention, a cryptographic processing device having high resistance to an attack based on power difference analysis (DPA) is realized with a simple configuration in which a random number input configuration by switch control is added. By executing random number input in each round, the output of the S box and the current or potential fluctuation of the register connection path become independent of the secret information (round key configuration bit information), and a DPA-resistant cryptographic processor is realized.

It is a figure which shows the basic composition of a DES encryption process. It is a figure which shows the structure of the conversion part which comprises each round of a round function part. It is a figure which shows the structure of F function. It is a figure which shows the circuit structure of the concrete F function part which has a register. FIG. 6 is a timing chart for explaining the timing of the first number CLK when the circuit shown in FIG. 4 is operated and output values of main nodes. It is a figure which shows the electric current value accompanying the output change of S-box 204 when switching to round 1 by the DES calculation immediately after power-on, and the output change of this S-box 204. It is a figure explaining the relationship with the presence or absence of the electric current on the path | pass accompanying the change of the output value of R register | resistor 212 from "R0" to "R1". It is a figure explaining the circuit structure which the encryption processing apparatus which concerns on this invention has. It is a figure which shows the timing chart which shows the data transition of the register input / output data in the encryption processing apparatus which concerns on this invention, and S-box output data. It is a figure which shows a response | compatibility with the grouping in the simulator in the case of performing the DPA attack based on the output of S-box, and the output value of S box in the circuit structure of the encryption processing apparatus of this invention shown in FIG. FIG. 9 is a diagram illustrating a correspondence between grouping in a simulator when performing a DPA attack on a load current of an R register and a load current of an R register 212 in the circuit configuration of the cryptographic processing device of the present invention illustrated in FIG. 8. It is a figure which shows the structural example of IC module as a cryptographic processing execution device which can apply the structure of this invention.

Explanation of symbols

DESCRIPTION OF SYMBOLS 110 Round function part 111 Initial replacement part 112,113 Conversion part 114 Reverse replacement part 120 Key schedule part 121 Selection replacement part 122,123 Key generation part 151 F function part 171,172 Replacement part 181 S box 200 F function part 201 Replacement part 202 Session key (round key)
203 Exclusive OR part 204 S box (S-box)
205 Replacement Unit 206 Exclusive OR Unit 211 L Register 212 R Register 215, 216 Switch 221 Initial Replacement Unit 222 Reverse Replacement Unit 231 Message 232 Ciphertext 301, 302 Switch 311 Wiring Path L
312 Wiring path R
331 Random number (RN1) register 332 Random number (RN2) register 600 IC module 601 CPU (Central processing Unit)
602 Memory 603 Encryption processing unit 604 Random number generator 605 Transmission / reception unit 606 Clock 607 Timing generation circuit

Claims (6)

A cryptographic processing device that performs cryptographic computation processing including round function iteration processing,
A function operation unit that executes data processing corresponding to the round function for each round;
A data storage register for storing intermediate data as a calculation result of each round in the function calculation unit;
A random number register for storing random numbers;
A switch unit that selectively connects the data storage register and the random number register to the function calculation unit;
A control unit that performs switching control of the switch unit,
The controller is
The switch unit is configured to perform connection switching control so that the random number stored in the random number register is output to the function calculation unit at the time of a round transition, and then the intermediate data stored in the data storage register is output. A cryptographic processing device characterized by The controller is
The connection switching process of the switch unit is repeatedly executed for each round, and the random number stored in the random number register is output to the function calculation unit at the start of each round, and stored in the data storage register after a predetermined time of the same round. The intermediate storage data is output to the function calculation unit, and the connection switching control is executed. At the end of the round, the data storage register includes a new intermediate as a calculation result of the function calculation unit based on the intermediate data. The cryptographic processing apparatus according to claim 1, wherein the encryption control apparatus is configured to perform switch control so that data is stored.   The cryptographic processing apparatus according to claim 1, wherein the switch unit is configured on a wiring path connected to the data storage register. The cryptographic processing apparatus further includes random number generation means,
2. The configuration according to claim 1, wherein the random number generation unit is configured to generate a different random number for each round and to output a different random number for each round to the function calculation unit at the time of transition of each round. Cryptographic processing device. The function calculation unit has an S box as a nonlinear conversion unit,
2. The cryptographic processing apparatus according to claim 1, wherein the data storage register is configured to store result data of a round function calculation process including a non-linear conversion process by the S box. The cryptographic processing device includes:
The cryptographic processing apparatus according to claim 1, wherein the cryptographic processing apparatus is configured to execute a cryptographic processing operation in accordance with a DES (Data Encryption Standard) algorithm.

Images