JP2007325219A - Encryption processing system and encryption processing apparatus - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide an encryption processing system and an encryption processing apparatus for making a DFA attack difficult. <P>SOLUTION: The encryption processing apparatus includes an encryption engine 140 which performs encrypting operation, a memory 140 including at least one region 141 capable of rewriting a value indicative of a state, and a control unit 110 which controls encryption processing and is capable of accessing the region 141 of the memory. The encryption engine 150 includes a DFA detection section 151 capable of detecting that a DFA (Differential Fault Analysis) attack is performed and when the DFA attack is detected by the DFA detection section, a signal indicative of the detection is outputted to the control unit 110. After initiation, the control unit 110 reads a value in the region 141 of the memory and when the value is a preset initial allowable value, ordinary encryption processing operation is performed. When the value is different from the allowable value, the different value is rewritten into a value that is nearly the allowable value. When a detection signal of the DFA attack is received during the encrypting operation due to ordinary operation, a value different from the allowable value is written in the region 141 of the memory and the system is reset. <P>COPYRIGHT: (C)2008,JPO&INPIT

Description

  The present invention relates to a cryptographic processing system and a cryptographic processing device, and more particularly, a cryptographic processing system and a cryptographic processing device that have improved resistance to failure differential analysis (DFA) known as cryptographic analysis processing and attack processing. It is about.

  In recent years, with the development of IC cards, network communication, electronic commerce, and the like, ensuring security in data transmission / reception using IC cards and communication via networks has become an important issue. One method of ensuring security is encryption technology, and currently, communication using various encryption methods is actually performed.

  For example, an encryption processing module is embedded in a small device such as an IC card, and data is transmitted / received between the IC card and a reader / writer as a data reading / writing device, and authentication processing or encryption / decryption of transmitted / received data is performed. The system to do is put into practical use.

  In an IC card, for example, when data is exchanged with a reader / writer or a host computer, transmission / reception data is encrypted so that no problem occurs even if secret information stored in the IC card leaks in the process.

One of the methods often used as this encryption method is DES (Data Encryption Standard).
DES is a typical common key encryption algorithm. For example, an IC card as a data sender and a host computer have the same key, and the data transmission side encrypts the data with the key and transmits the data. Recipients decrypt the message with the same key and retrieve the message.

Even if a malicious third party eavesdrops in the course of communication, it is difficult to retrieve the message after decryption unless it has a key.
In addition, the key used for encryption / decryption is stored in a non-volatile memory such as EEPROM in the IC card, and is directly transferred to the encryption engine in the IC card without going through the CPU during encryption / decryption. Under such control, security is maintained by adopting a configuration in which even the owner of the IC card or the development engineer of the IC card cannot extract the key data.

  FIG. 1 is a diagram illustrating a general configuration of a DES arithmetic circuit, and FIG. 2 is a diagram illustrating a configuration example of an F function unit.

As shown in FIG. 1, the DES arithmetic circuit 10 includes an initial replacement unit [IP (Initial Permutation)] 11, a switch (SW1) 12, a left register (referred to as L register) 13, a right register (R register) 14, F A function unit 15, an EXOR operation unit 16, a switch (SW 2) 17, an inverse replacement unit (IP ⁻¹ ) 18, and a ciphertext output unit (Crypto) 19 are included.

The switch (SW1) 12 includes an L register side switch 12L and an R register side switch 12R. Similarly, the switch (SW2) 17 includes an L register side switch 17L and an R register side switch 17R.
The operating contact a of the switch 12L is connected to the output of the initial replacement unit 11, the operating contact b is connected to the output of the R register 14 and the operating contact a of the switch 17L, and the fixed contact c is connected to the input of the L register 13. Yes.
The operation contact a of the switch 12R is connected to the output of the initial replacement unit 11, the operation contact b is connected to the output of the EXOR operation unit 16 and the operation contact a of the switch 17R, and the fixed contact c is connected to the input of the R register 14. ing.
Further, the fixed contact c of the switches 17L and 17R is connected to the input of the reverse replacement unit (IP ⁻¹ ) 18.

In the DES operation circuit 10 of FIG. 1, the switches (SW1) 12L and 12R have the fixed contact c connected to the operation contact “a” side at the start of the DES operation.
When the DES operation is started, the plaintext is IP-replaced by the initial replacement unit 11 and then divided into two 32-bit data L ₀ and R _0, and at the rise of a latch pulse (Latch Pulse) as a control timing based on the control clock. The data is taken into the L register 13 and the R register 14. In parallel with this, in the switches 12L and 12R, the connection of the fixed contact c is switched to the working contact “b” side.

As a result of this data capture, the outputs of the L register 13 and the R register 14 become “L ₀ ” and “R ₀ ”, and then a round in which the F function unit 15 and the EXOR operation unit 16 are applied based on these register stored values. The (Round) operation is executed, and the result is supplied again to the inputs of the L register 13 and the R register 14 via the switches (SW) 12L and 12R.

Furthermore, the next round operation is started by taking in the L register 13 and the R register 14 at the rising edge of the latch pulse in the next clock cycle and updating the output.
After repeating this operation for 16 clock cycles, the operation result is output to the reverse replacement unit (IP ⁻¹ ) 18 through the switch 17 to perform reverse replacement conversion and output as ciphertext.

As shown in FIG. 2, the F function unit 15 includes a plurality (8 in FIG. 2) of S boxes S _{1 to} S ₈ that execute nonlinear processing. The input value F-in from the previous stage, that is, R (n-1) is expanded to 48 bits by the extension unit (EX) 151, and further, the key (48 bits) Kn input from the key schedule unit and the EXOR operation unit 152 The EXOR operation is executed, and the output is input to a plurality of S boxes S _{1 to} S ₈ that execute the nonlinear conversion process every 6 bits. In each of the S boxes S _{1 to} S ₈ , non-linear conversion processing from 6 bits to 4 bits to which a conversion table is applied is executed.
The output bits 4 × 8 = 32 bits from the S boxes S _{1 to} S ₈ are input to the replacement unit (P) 153, where the bit position is replaced, and the F function output 32 bits are generated and output.

  However, an attack method called differential power analysis (DPA) that measures the current consumption of an IC card, performs statistical processing on it, and retrieves the key, or malfunctions in the computation process by changing the operating environment during cryptographic computation execution A threat such as an attack method called differential fault analysis (DFA), in which the difference between the operation result and the operation result of normal operation is taken and the key is extracted by analyzing the difference, has been reported. Yes.

  For example, when a DFA attack is performed on an IC from which a mold is removed, a register (Register) or the like is irradiated with a laser beam to change the value of retained data, and an incorrect result is output. The key is extracted by analyzing the value.

Hereinafter, the DFA attack will be further described with reference to the drawings.
FIG. 3 is a diagram illustrating a calculation flow of DES, FIGS. 4A to 4E are diagrams illustrating calculation examples of the F function unit in FIG. 2, and FIG. 5 is an example of a DFA attack in the case of round 16 FIG. 6 is a diagram illustrating an example of calculation of the F function when subjected to a DFA attack.

In normal operation, the values of the L register 13 and the R register 14 after 16 rounds are as shown in FIG. 3 and the following expressions (1) and (2), and then the reverse substitution (IP ⁻¹ ) conversion is performed. Is output.

  Substituting equation (1) into equation (2) results in the following.

In this equation, “R ₁₆ ” and “L ₁₆ ” can be easily obtained by performing the inverse transformation (IP ⁻¹ ) of the operation result, and the F function is configured as shown in FIG. Thus, the calculation in the F function as shown in FIGS. 4 (A) to (E) is performed.

Here, for example, during a 16 round of DES, when a laser beam irradiation or the like to reverse the one-bit R ₁₅ registers, the value of L register 13 and R register 14 at the time when the 16 th round is finished , FIG. 5 and the following equations (4) and (5), and then output by performing reverse permutation (IP ⁻¹ ) conversion.

  Substituting equation (4) into equation (5) gives the following.

In this equation, “R ₁₆ ” and “L ₁₆ ” can be easily obtained by performing the inverse transformation (IP ⁻¹ ) of the operation result. Then, by comparing the expressions (1) and (4), the position of the bit changed by the laser light irradiation can be specified.
For example, when bit 2 of the R ₁₅ register is inverted from “0” to “1” by laser light irradiation, it is possible to know that bit 2 of the R ₁₅ register has changed by executing the following operation.

  On the other hand, by performing an EXOR operation on the equations (3) and (6), the following results.

Furthermore, when reverse substitution (P ⁻¹ ) of P substitution in the F function is performed on both sides of the equation (8), the result is as follows.

In this equation, “R ₁₆ ”, “R ₁₆ ′”, “L ₁₆ ”, and “L ₁₆ ′” are values that can be easily obtained from cryptographic operation results, and the F function is also publicly known. Therefore, the unknown numerical value is only “K ₁₆ ”. In the case of this example, since it is known from the equation (7) that the bit 2 of the R ₁₅ register has changed, the value of the equation (8) (difference between the equations (3) and (6)) is eight. This is due to the difference in the output of “S ₁ ” in the S-box.
Therefore, among the keys of round 16, when the 6 bits used as the input of “S ₁ ” are changed from “00 ₍₁₆₎ ” to “3f ₍₁₆₎ ”, a value satisfying the equation (9) is obtained.
“03 ₍₁₆₎ ”, “07 ₍₁₆₎ ”, “19 ₍₁₆₎ ”, “1d ₍₁₆₎ ”, “28 ₍₁₆₎ ”, “2c ₍₁₆₎ ”, “31 ₍₁₆₎ ”, “ 36 ₍₁₆₎ ”,“ 3a ₍₁₆₎ ”,“ 3e ₍₁₆₎ ”
Is obtained.

Next, for example, when bit 3 of the R ₁₅ register is inverted from “1” to “0”, equation (7) becomes as follows.

  And (9) Formula is as follows.

In this equation, “R ₁₆ ” ”and“ L ₁₆ ”” are different from “R ₁₆ ′” and “L ₁₆ ′” in the equations (7) and (9).
Of the round 16 keys, changing the 6 bits as input of “S ₁ ” from “00 ₍₁₆₎ ” to “3f ₍₁₆₎ ” to obtain a value satisfying the expression (11),
“34 ₍₁₆₎ ”, “36 ₍₁₆₎ ”, “3d ₍₁₆₎ ”, “3f ₍₁₆₎ ”
Compared with the 6-bit key candidate derived from equation (9), only “36 ₍₁₆₎ ” is common, and the 16-bit key of round 16 corresponding to the input of “S ₁ ” The value of is obtained as “36 ₍₁₆₎ ”.

Similarly, it is possible to obtain the value of the 6-bit key of round 16 corresponding to the input of “S ₂ ” to “S ₈ ”, and 48 bits of the 56-bit key are obtained by these DFA attacks. The remaining 8 bits can be easily obtained by 2 ⁸ = 256 exhaustive attacks.

A technique for countering this attack is proposed in Patent Document 1.
In the technique disclosed in Patent Document 1,
1) After executing the plaintext encryption operation, the operation result is decrypted again, and if the operation result matches the plaintext, the cipher operation result is output as a correct operation result. If they do not match, the CPU is notified of the occurrence of an error and the cryptographic operation processing is terminated.
2) The plaintext is calculated by a plurality of cryptographic operation circuits, and the operation result is output as a correct operation result only when the results match. If they do not match, the CPU is notified of the occurrence of an error and the cryptographic operation processing is terminated.
To deal with DFA attacks.

When an error is issued from the DES circuit, the CPU counters an illegal attack by resetting the system and requesting an operation from the beginning again.
JP-A-10-154976

  However, in the case of 1) above, if the same bit in the same register can be successfully irradiated with laser light in the same round of encryption and decryption flow, the decrypted value and the original plaintext value match, The ciphertext subjected to the DFA attack is output as if there was no attack.

  In the case of 2), although technically advanced, if a plurality of lasers are arranged and the same bit of each register is irradiated in the same round, the outputs of all the DES circuits coincide with each other, and the DFA attack Output encrypted ciphertext.

Normally, a lot of signal wiring is formed (running) on the circuit, and an aluminum (Al) pattern is intentionally densely placed on the upper part of the encryption device. Laser light to the lower circuit by making it difficult to see or placing a wiring pattern on the entire surface of the uppermost Al layer using Active Shield technology and sending a signal to detect the disconnection or short of the wiring Measures that are extremely difficult to irradiate are taken.
For this reason, technology is necessary to irradiate the laser beam to the register targeted by the DFA attack, but the threat point of the DFA attack is that if the target register bit can be irradiated even once in the round (Round), The key is that at least 6-bit key data can be extracted from the analysis of the output.
In addition, the IC opened by the attacker is placed on the stage, and the irradiation timing is shifted gradually by irradiating the laser beam, or the DFA attack is automatically performed by moving the stage little by little and changing the irradiation position. If a device for analyzing the above is developed, there is a high possibility that key extraction will be realized.

  An object of the present invention is to provide a cryptographic processing system and a cryptographic processing device that make it difficult to perform a DFA attack by an automated device.

  A cryptographic processing system according to a first aspect of the present invention includes a cryptographic engine that performs cryptographic operations, a memory that includes at least one area in which a value indicating a state can be rewritten, and a cryptographic process that controls the area of the memory. A cryptography engine having a DFA detection unit capable of detecting that a DFA (Differential Fault Analysis) attack has been performed, and the DFA detection unit performs a DFA attack. When detected, it outputs a signal indicating that it has been detected to the control unit, and the control unit reads the value of the area of the memory after activation, and when the value is an initial allowable value set in advance. Performs a normal cryptographic processing operation, and when the value is different from the allowable value, rewrites the different value to a value close to the allowable value, and receives a DFA attack detection signal during the cryptographic operation in the normal operation. Above memory A value different from the allowable value is written in the area of.

  According to a second aspect of the present invention, there is provided a cryptographic processing apparatus that performs cryptographic processing calculation including round function iteration processing, an arithmetic register that stores data for round calculation, a parity register that stores parity data, Parity generator that generates parity data from round operation data input to the operation register, outputs round operation data to the operation register, and outputs parity data to the parity register, the operation register, and the parity register A parity check circuit that performs a parity check based on the stored data and outputs the detection signal to the control unit when a parity error is detected.

  According to a third aspect of the present invention, there is provided a cryptographic processing apparatus that executes cryptographic processing calculation including round function iteration processing, and stores a first calculation register that stores first data for round calculation and first parity data. A first parity register that stores second data for round operation, a second parity register that stores second parity data, and first data that is input to the first operation register. 1 parity data is generated, the first data is output to the first arithmetic register, the first parity data is output to the first parity register, and the first arithmetic data is input to the second arithmetic register. The second parity data is generated from the second data, the second data is output to the second operation register, and the second parity data is output to the second operation register. The parity check is performed based on the second parity generator output to the second parity register, the data stored in the first operation register and the first parity register, and when a parity error is detected, the detection signal is sent to the control unit. A parity check is performed based on data stored in the first parity check circuit to be output, the second operation register and the second parity register, and when a parity error is detected, the detection signal is output to the control unit. A circuit, and a round operation unit that performs a round operation according to the first data stored in the first operation register and the second data stored in the second operation register.

  According to the present invention, every time a DFA attack is detected, there is an advantage that a situation in which a DFA attack cannot be performed after a system reset occurs, and a risk that a key is extracted by the DFA attack is reduced.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings.

<First Embodiment>
FIG. 7 is a block diagram showing a configuration example of the cryptographic processing system according to the first embodiment of the present invention.

The cryptographic processing system 100 has a predetermined DFA detection circuit mounted on a DES arithmetic circuit as a cryptographic processing device, and has an area (several bytes) for storing a value on a nonvolatile memory. 0.
The system 100 reads the value in the area after activation, and performs normal operation if it is zero. If the value is greater than 0, the value minus -1 is written back and normal operation is not performed. If the DFA detection circuit detects a DFA attack during cryptographic operation in normal operation, the value in the area is written. And has a function of resetting the system.

  As shown in FIG. 7, the cryptographic processing system 100 includes a central processing unit (CPU) 110, a read-only-memory (ROM) 120, a random access memory (RAM) 130, a non-volatile memory 140, an encryption memory, and the like. An engine (cryptographic processing device, DES arithmetic circuit) 150 and a peripheral device (Peripheral) 160 are connected by a data bus 170.

In the cryptographic processing system 100, when a DFA attack is detected during execution of cryptographic computation in a system including a cryptographic module with DFA countermeasures, a reset signal is issued to the CPU 110. The flow to reset the system after increasing a certain value of is input.
During normal use, the CPU 110 checks a certain value on the nonvolatile memory 140 when the power is turned on, and writes a value obtained by decrementing the value so that the value approaches the allowable value if the preset allowable value is not “0”. During the period until it is turned off, control is performed so that cryptographic operations are not executed. This makes DFA attacks difficult.

  In addition, the CPU 110 has a function as a processor that executes encryption processing start and end, data transmission / reception control, data transfer control between each component unit, switching control of each switch described above, and other various programs. is doing.

  The ROM 120 stores programs executed by the CPU 110 or fixed data as calculation parameters.

  The RAM 130 is used as a storage area and work area for programs executed in the processing of the CPU 110 and parameters that change as appropriate in the program processing.

The non-volatile memory 140 is formed of, for example, an EEPROM, and has an area (area 1) 141 of several bytes for storing a predetermined state check value. The initial value of the area 141 is set to an allowable value 0 when the product is shipped.
The value of the area 141 of the nonvolatile memory 140 is read by the CPU 110 after activation, and if the value is 0, normal operation is performed. If the value in the area 141 is greater than 0, the CPU 110 writes back the value decremented by −1 and no normal operation is performed.

  The RAM 130 and the nonvolatile memory 140 can be used as a storage area for key data and the like necessary for encryption processing.

The cryptographic engine 150 is a cryptographic processing device that executes a cryptographic algorithm including, for example, a multi-stage round function repetitive process such as a DES algorithm, and the DES arithmetic circuit 200 of FIG. 8 is applied.
The cryptographic engine 150 has a DFA detection circuit 151 composed of, for example, a parity check circuit system. When this DFA detection circuit 151 detects a parity error, it generates a reset signal RST (-L, -R) and generates a CPU 110. Forward to.

  FIG. 8 is a diagram illustrating a configuration example of a DES arithmetic circuit as a cryptographic processing apparatus according to an embodiment of the present invention.

The DES arithmetic circuit 200 includes an initial permutation unit [IP (Initial Permutation)] 201, a switch (SW1) 202, a left parity generator (first parity generator) 203, and a right parity generator (second parity generator) 204. , Left register (L register, first arithmetic register) 205, left parity register (PL register, first parity register) 206, right register (R register, second arithmetic register) 207, right parity register (PR register, second register) (Parity register) 208, left parity check circuit (first parity check circuit) 209, right parity check circuit (second parity check circuit) 210, F function unit 211, EXOR operation unit 212, switch (SW2) 213, and reverse replacement Part (IP ⁻¹ ) 214.

The switch (SW1) 202 includes an L register side switch 202L and an R register side switch 202R.
The operation contact a of the switch 202L is connected to the output of the initial replacement unit 201, the operation contact b is connected to the output of the R register 207 and the switch (SW2) 213, and the fixed contact c is connected to the input of the parity generator 203. Yes.
The operation contact a of the switch 202R is connected to the output of the initial replacement unit 201, the operation contact b is connected to the output of the EXOR operation unit 212 and the switch (SW2) 213, and the fixed contact c is connected to the input of the parity generator 204. ing.
Switching control of the switches 202L and 202R is performed by a timing generation circuit (not shown), for example.

  The parity generator 204 generates, for example, 1-bit parity based on data input via the switch 202R, supplies the data to the R register 207, and supplies the generated parity bit to the PR register 208.

  The parity generator 204 generates, for example, 1-bit parity based on data input via the switch 202R, supplies the data to the R register 207, and supplies the generated parity bit to the PR register 208.

  The L register (first operation register) 205 latches (stores) the data supplied from the parity generator 203 in synchronization with, for example, a latch pulse as a data capture signal. The latch data of the L register 205 is supplied to one input of the parity check circuit 209 and the EXOR operation unit 212.

  The PL register (first parity register) 206 latches (stores) the parity data supplied from the parity generator 203 in synchronization with, for example, a latch pulse. The latch parity data of the PL register 206 is supplied to the parity check circuit 209.

  The R register (second arithmetic register) 207 latches (stores) data supplied from the parity generator 204 in synchronization with, for example, a latch pulse as a data fetch signal. The latch data of the R register 207 is supplied to the parity check circuit 210, the input of the F function unit 211, and the switch 213.

  The PR register (second parity register) 208 latches (stores) the parity data supplied from the parity generator 204 in synchronization with the latch pulse, for example. The latch parity data of the PR register 208 is supplied to the parity check circuit 210.

  The first parity check circuit 209 receives the latch data of the L register 205 and the latch parity data of the PL register 206, performs a parity check, generates a reset signal RST-L as a detection signal when an error is detected, and transfers it to the CPU 110 To do.

  The second parity check circuit 210 receives the latch data of the R register 207 and the latch parity data of the PR register 208 and performs a parity check. When an error is detected, the second parity check circuit 210 generates a reset signal RST-R as a detection signal and transfers it to the CPU 110. To do.

The F function unit 211 includes a plurality (8 as shown in FIG. 2) of S boxes S _{1 to} S ₈ for executing nonlinear processing. The input value FinR (n−1) is expanded to 48 bits by the extension unit (EX), and further an EXOR operation is performed with the input key (48 bits) Kn, and the output is subjected to nonlinear conversion processing every 6 bits. To S boxes S _{1 to} S ₈ . In each of the S boxes S _{1 to} S ₈ , non-linear conversion processing from 6 bits to 4 bits to which a conversion table is applied is executed.
The output bits 4 × 8 = 32 bits from the S boxes S _{1 to} S ₈ are input to the replacement unit (P), the bit position is exchanged, and the F function output 32 bits are generated and output.

  The EXOR operation unit 212 performs an EXOR operation on the data FinL stored in the L register 205 and the output of the F function unit 211, and supplies the result to the parity generation circuit 204 through the switch 202R and to the inverse replacement unit 214 through the switch 213R.

The switch (SW2) 213 includes an L register side switch 213L and an R register side switch 213R.
The operation contact a of the switch 213L is connected to the output of the R register 207, and the fixed contact c is connected to the input of the reverse replacement unit 214.
The operation contact a of the switch 213R is connected to the output of the EXOR operation unit 212, and the fixed contact c is connected to the input of the reverse replacement unit 214.
Switching control of the switches 213L and 213R is performed by a timing generation circuit (not shown), for example.

The reverse replacement unit 214 performs reverse replacement transformation (IP ⁻¹ ) on the 16 round operation results input via the switches 213L and 213R, and outputs the result as ciphertext.

In a normal DES operation circuit, a round operation unit composed of a 32-bit L / R register, an F function, and an EXOR operation circuit is arranged, and 16 rounds of DES operation are performed by operating it 16 times. Execute.
The DES operation circuit 200 according to the present embodiment further includes a DFA detection circuit having the following configuration in addition to the function of the normal DES operation circuit.
That is, the parity generators 203 and 204 are arranged in front of the inputs of the L / R registers 205 and 207, and 1-bit parity registers 206 and 208 are added to the L / R registers 205 and 207, respectively. The value of the parity register 206 is input to the parity check circuit 209 for parity check, and the values of the R register 207 and its parity register 208 are input to the parity check circuit 210 for parity check.
When a parity error is detected by the parity check circuits 209 and 210, the corresponding reset signals “RST-L” and “RST-R” are generated. A reset signal is issued from the DFA detection circuit 151 to the CPU 110.
Further, it is assumed that “area 1” 141 provided in the nonvolatile memory 140 such as an EEPROM is set to 0.

  Next, the operation of FIG. 7 will be described with reference to FIG.

After the power is turned on, the CPU 110 reads the value of “area 1” 141 of the nonvolatile memory 140, and performs normal operation if the value is zero.
When a DFA attack is detected during a cryptographic operation during the normal operation period, upon receiving a reset signal issued from the cryptographic engine 150, the CPU 110 writes, for example, 2 in “area 1” 141 to reset the system.
Next, when the power is turned on, the CPU 110 reads the value of the “area 1” 141 of the nonvolatile memory 140, and if the value is a value other than 0, the value is rewritten with a value obtained by decrementing the value of the area 141 by −1 and then normal No action is taken.
For example, the system may be reset after the value of “area 1” 141 is rewritten, or the normal operation is performed after the value of “area 1” 141 is rewritten, but a cryptographic operation instruction is issued from the CPU 110. Sometimes, it may be controlled to reset itself.

  With this control, when a DFA attack is detected, 2 is written in “Area 1” 141 and then reset immediately. However, after the power is turned on twice, the value of “Area 1” is decremented after being decremented. Since the reset can be performed without performing the calculation, only one DFA attack can be performed by turning on the power three times, and the efficiency of the DFA attack falls to one third. If the value written in “area 1” after the DFA detection is increased, the efficiency of the DFA attack is further reduced.

Second Embodiment
FIG. 10 is a block diagram illustrating a configuration example of the cryptographic processing system according to the second embodiment of the present invention.

  The cryptographic processing system 100A according to the second embodiment is different from the cryptographic processing system 100 according to the first embodiment in that, in addition to the “area 1” 141, the “area 2” 142 is added to the nonvolatile memory 140A such as an EEPROM. Is in the point provided.

Also in the second embodiment, the initial values of the first area 141 and the second area 142 are both set to 0.
Further, it is assumed that the DES arithmetic circuit of the cryptographic engine 140 has the same configuration as the circuit of FIG. 8 and is equipped with a DFA detection circuit 151 configured with a parity check circuit system.

  Next, the operation of FIG. 10 will be described with reference to FIG.

After the power is turned on, the CPU 110 reads the value of “area 1” 141 in the nonvolatile memory 140A, and performs normal operation if the value is zero.
If a “DFA attack” is detected by the “DFA detection circuit” during the cryptographic operation during the normal operation period, a reset signal is issued from the cryptographic engine 150, whereby the CPU 110 reads the value of “region 2” 142, and the value is If it is 0, for example, 2 (first value) is written into “area 2” 142 and “area 1” 141 by writing a value (second value) obtained by doubling the value, for example, to a system other than 0. Apply a reset.
Next, when the power is turned on, the CPU 110 reads the value of the “area 1” 141 of the nonvolatile memory 140A, and if the value is a value other than 0, the value of the area 141 is rewritten to a value minus −1, and then normal No action is taken.
The system may be reset after the value of “area 1” 141 is rewritten, or the normal operation is performed after the value of “area 1” 141 is rewritten, but is reset when a cryptographic operation instruction is issued. It may be controlled in the same way.

Thereby, when the first DFA attack is detected, the cryptographic operation cannot be executed unless the reset is performed three times including this.
If a DFA attack is detected during the execution of cryptographic operations after three resets, the CPU 110 reads the value of “area 2” 142 and the value is “2”, so that “area 1” 141 and “area 2” “2” is written in “142” to “142”, and the state shifts to a state where the cryptographic operation cannot be executed.
If the operation of turning on the power again after the reset is repeated five times, the value of “area 1” 141 becomes “0” and the cryptographic calculation can be executed.

Here, when the DFA attack is performed again and detected by the DFA detection circuit 151, double “8” is written in “area 1” 141 and “area 2” 142, and the state shifts to a state where the cryptographic operation cannot be executed.
This time, unless the operation of turning on the power again after resetting is repeated nine times, the normal cryptographic operation cannot be executed.
Thereafter, the DFA attack cannot be applied unless the reset is repeated twice and the power is turned on twice.

  In the example of FIG. 11, the value to be written in “area 2” 142 is 2 → 4 → 8 →..., Initial value “2” and multiple “2”. If the value to be included is 4 → 16 → 64 →..., The initial value is “4” and the multiple is “4”, the proportion of DFA attacks can be greatly reduced, and the probability of success in DFA attacks will be significantly reduced.

  By this control, the number of times of resetting before returning to normal operation every time a DFA attack is detected increases by a power, and the DFA attack can hardly be performed, and the key extraction by the DFA attack becomes very difficult.

  As described above, according to the present embodiment, every time a DFA attack is detected, there is an advantage that a situation in which the DFA attack cannot be performed after a system reset occurs, and the risk of a key being taken out by the DFA attack is reduced. .

  The present invention has been described in detail above with reference to specific embodiments. However, it is obvious that those skilled in the art can make modifications and substitutions of the embodiments without departing from the gist of the present invention. In other words, the present invention has been disclosed in the form of exemplification, and should not be interpreted in a limited manner.

  Note that the various types of processing described in this specification are not only executed in time series according to the description, but may also be executed in parallel or individually as required by the processing capability of the device that executes the processing. . Further, in this specification, the system is a logical set configuration of a plurality of devices, and the devices of each configuration are not limited to being in the same casing.

It is a figure which shows the general structure of a DES arithmetic circuit. It is a figure which shows the structural example of F function part. It is a figure which shows the calculation flow of DES. It is a figure which shows the example of a calculation of the F function part of FIG. It is a figure which shows the example of the DFA attack in the case of round 16. It is a figure which shows the example of a calculation of F function when receiving a DFA attack. It is a block diagram which shows the structural example of the encryption processing system which concerns on the 1st Embodiment of this invention. It is a figure which shows the structural example of the DES arithmetic circuit which concerns on this embodiment. It is a figure for demonstrating the operation | movement of 1st Embodiment. It is a block diagram which shows the structural example of the encryption processing system which concerns on the 2nd Embodiment of this invention. It is a figure for demonstrating operation | movement of 2nd Embodiment.

Explanation of symbols

100, 100A ... cryptographic processing system, 110 ... CPU, 120 ... ROM, 130 ... RAM, 140, 140A ... non-volatile memory, 141 ... area 1, 142 ... area 2, 150 ... Cryptographic engine, 151 ... DFA detection circuit, 200 ... DES operation circuit, 201 ... Initial substitution unit [IP (Initial Permutation)], 202 ... Switch (SW1), 203 ... Left parity generator, 204 ... Right parity generator, 205 ... Left register (L register), 206 ... Left parity register (PL register), 207 ... Right register (R register) 208 right side parity register (PR register) 209 left side parity check circuit 210 right side parity check circuit 211 ... F function part, 212 ... EXOR operation part, 213 ... Switch (SW2), 214 ... Reverse replacement part (IP ^-1 ).

Claims (11)

A cryptographic engine that performs cryptographic operations;
A memory including at least one area in which a value indicating a state can be rewritten;
A control unit that controls cryptographic processing and is capable of accessing the area of the memory,
The cryptographic engine is
A DFA detection unit capable of detecting that a DFA (Differential Fault Analysis) attack has been performed, and when a DFA attack is detected by the DFA detection unit, a signal indicating the detection is output to the control unit;
The control unit
After startup, the value in the memory area is read, and if the value is an initial allowable value set in advance, a normal cryptographic processing operation is performed. If the value is different from the allowable value, the different value is A cryptographic processing system that rewrites a value close to an allowable value and writes a value different from the allowable value in the memory area when receiving a DFA attack detection signal during a cryptographic operation in normal operation. The cryptographic processing system according to claim 1, wherein the control unit resets the system after writing a value different from the allowable value in the memory area in response to the detection signal. The cryptographic processing system according to claim 1, wherein the control unit controls the cryptographic engine not to perform cryptographic computation when a value different from the allowable value is rewritten to a value close to the allowable value. The memory includes a first area and a second area,
The control unit
After startup, the value of the first area of the memory is read, and if the value of the first area is an initial allowable value set in advance, the normal cryptographic processing operation is performed, and during the cryptographic operation in the normal operation, When receiving the detection signal of the DFA attack, the value of the second area of the memory is read. When the value of the second area is the allowable value, the first value different from the allowable value is set to the first area and The cryptographic processing according to claim 2, wherein the second value is written in the second region, and if the value is different from the allowable value, a second value that is farther from the allowable value than the first value is written in the first region and the second region. system. The cryptographic processing system according to claim 1, wherein the DFA detection unit performs error detection by a parity check and outputs a detection signal to the control unit when a parity error is detected. The cryptographic engine is a cryptographic processing device that performs cryptographic processing calculation including round function iteration processing,
A calculation register for storing round calculation data;
A parity register for storing parity data;
A parity generator that generates parity data from round operation data input to the operation register, outputs round operation data to the operation register, and outputs parity data to the parity register;
The cryptographic processing system according to claim 5, further comprising: a parity check circuit that performs a parity check based on data stored in the arithmetic register and the parity register and outputs the detection signal to the control unit when a parity error is detected. The cryptographic engine is a cryptographic processing device that performs cryptographic processing calculation including round function iteration processing,
A first operation register for storing first data for round operation;
A first parity register for storing first parity data;
A second operation register for storing second data for round operation;
A second parity register for storing second parity data;
The first parity data is generated from the first data input to the first arithmetic register, the first data is output to the first arithmetic register, and the first parity data is output to the first parity register. A first parity generator;
The second parity data is generated from the second data input to the second arithmetic register, the second data is output to the second arithmetic register, and the second parity data is output to the second parity register. A second parity generator;
A first parity check circuit that performs a parity check based on data stored in the first arithmetic register and the first parity register, and outputs the detection signal to the control unit when a parity error is detected;
A second parity check circuit that performs a parity check based on data stored in the second operation register and the second parity register and outputs the detection signal to the control unit when a parity error is detected;
The cryptographic processing system according to claim 5, further comprising: a round operation unit that performs a round operation according to the first data stored in the first operation register and the second data stored in the second operation register. A cryptographic processing device that executes cryptographic processing calculation including round function iteration processing,
A calculation register for storing round calculation data;
A parity register for storing parity data;
A parity generator that generates parity data from round operation data input to the operation register, outputs round operation data to the operation register, and outputs parity data to the parity register;
A parity check circuit that performs a parity check based on data stored in the arithmetic register and the parity register, and outputs a detection signal to the control unit when a parity error is detected;
A cryptographic processing apparatus. A cryptographic processing device that executes cryptographic processing calculation including round function iteration processing,
A first operation register for storing first data for round operation;
A first parity register for storing first parity data;
A second operation register for storing second data for round operation;
A second parity register for storing second parity data;
The first parity data is generated from the first data input to the first arithmetic register, the first data is output to the first arithmetic register, and the first parity data is output to the first parity register. A first parity generator;
The second parity data is generated from the second data input to the second arithmetic register, the second data is output to the second arithmetic register, and the second parity data is output to the second parity register. A second parity generator;
A first parity check circuit that performs a parity check based on data stored in the first arithmetic register and the first parity register, and outputs the detection signal to the control unit when a parity error is detected;
A second parity check circuit that performs a parity check based on data stored in the second operation register and the second parity register and outputs the detection signal to the control unit when a parity error is detected;
A round operation unit for performing a round operation according to the first data stored in the first operation register and the second data stored in the second operation register;
A cryptographic processing apparatus. The round calculation unit has an S box as a nonlinear conversion unit,
The cryptographic processing device according to claim 9, wherein the first operation register and the second operation register store result data of a round operation process including a non-linear conversion process by the S box. The cryptographic processing device includes:
The cryptographic processing apparatus according to any one of claims 8 to 10, wherein cryptographic processing calculation is performed according to a DES (Data Encryption Standard) algorithm.

Images