JP2010232709A - Encryption arithmetic circuit device - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To solve a problem that the addition of a complicated circuit for masking is needed conventionally, a gate scale and an arithmetic amount are increased, and the power consumption of a circuit is increased. <P>SOLUTION: An encryption arithmetic circuit device has a function processing unit which performs a predetermined function processing on input data to generate output data, and outputs, to the outside as encryption data, the output data obtained by repeating, with predetermined number of times, a series of processing wherein the function processing is performed on the external input data in first processing and then the function processing is performed on the generated output data, as input data for next time, in subsequent processing. The encryption arithmetic circuit device is provided with: a random number generating unit which generates random number data with a bit width being equal to that of the output data of the function processing unit; two data holding units which temporarily store the output data of the function processing unit or the random number data; and a controlling unit which controls the processing timing of the random number generating unit, function processing unit, and data holding units. <P>COPYRIGHT: (C)2011,JPO&INPIT

Description

  The present invention relates to a cryptographic operation circuit device that performs cryptographic algorithm processing. In particular, the present invention relates to a technique for avoiding a cryptographic analysis attack that decrypts a cipher by analyzing a physical change amount of a calculation intermediate value in a cryptographic operation circuit.

  In recent years, IC cards and portable terminals having a security function have been widely used. Such a device requiring security uses some kind of cryptographic algorithm, and has a mechanism that prevents information from leaking to a third party. Recently, however, side-channel attacks against cryptographic algorithms implemented in such IC cards and portable terminals have become a major threat. A side channel attack is an attempt to obtain fraudulent information by using leakage information such as power consumption, leakage electromagnetic waves, or calculation time when a cryptographic operation circuit that is not supposed to be acquired by a third party is operating. Is an attack. Among such side channel attacks, a technique for statistically processing the amount of change in power consumption obtained during cryptographic operations and decrypting secret information is called a differential power analysis (DPA) attack and is a major threat. It has become.

  There are two methods for implementing cryptographic algorithms in such a security device: software implementation by a CPU (central processing unit) and hardware implementation by wired logic. In many cases, hardware implementation is adopted for implementation of cryptographic algorithms on an IC card or a simple portable terminal due to a problem of processing speed or a demand for low power consumption.

  Here, an example in which a block cipher algorithm represented by AES (Advanced Encryption Standard) is implemented in hardware will be described. FIG. 6 is a diagram showing a configuration of a cryptographic operation circuit device 900 that calculates a round function, and is divided into a stirring unit 901 and a key scheduling unit 902.

  In FIG. 6, the agitation unit 901 includes a selector 903 that selects plaintext (or ciphertext) input from the outside and data after round processing, a combinational circuit 904 that performs round processing with a predetermined processing function, and a combinational circuit 904. The register 905 temporarily holds the output data of the register 905 and the selector 906 that selects the output data of the register 905 or All = 0 (all 0 data) and outputs the selected data to the outside. The agitation unit 901 inputs plaintext (or ciphertext) as processing target data, performs encryption a predetermined number of times using a subkey (round key) created from the secret key by the key scheduling unit 902, Output the sentence (or plaintext) as processed data.

  In the agitation unit 901, one round process is performed in one clock, and the round process of one cycle of the selector 903, the combinational circuit 904, and the register 905 is repeated a predetermined number of times in synchronization with the clock. That is, the agitation unit 901 based on the round process of the combinational circuit 904 performs a new round process using the value of the sub key output from the key scheduling unit 902 and the intermediate value of the round process one clock before, The process of storing the operation result in the register as a new intermediate value is repeated. Then, the operation result of the round processing function is held in the register 905 as an intermediate value for each clock, and after the clock has advanced by the required number of rounds, the value appearing in the register 905 becomes the final operation result. The data is output to the outside of the cryptographic operation circuit device 900 as (in the case of encryption) or plain text (in the case of decryption). As described above, in order to avoid outputting unnecessary information such as an intermediate value of an intermediate round process to the outside, only the final result after all round processes are output.

  On the other hand, the key scheduling unit 902 includes a selector 907 that selects a secret key input from the outside and data after key scheduling processing, a register 908 that temporarily stores output data of the selector 907, and a key with a predetermined processing function. And a combinational circuit 909 that performs scheduling processing. The key scheduling unit 902 generates a subkey necessary for each round process from a secret key given from the outside of the cryptographic operation circuit device 900.

  The control unit 950 outputs a clock, a control signal a, a control signal b, and a control signal c to the selector 903, the register 905, the selector 906, the selector 907, and the register 908 to control the processing timing of each unit.

  Here, it is necessary to securely manage the secret key value so that it is not known to a third party. However, if the value of the subkey used in each round process is revealed by some method, the process of the key scheduling unit 902 is performed. There is a problem that the value of the secret key is known to a third party by calculating back. Therefore, in the design of the cryptographic operation circuit, it is necessary to consider so that the subkey is not estimated by a differential power analysis attack or the like.

  Among the differential power analysis attacks, the CPA (Correlation Power Analysis) attack shown in Non-Patent Document 1 is an attack method that focuses on the change of the register value that holds the operation intermediate value. It is known as a very effective attack method. The outline of the CPA attack against the AES algorithm will be described below (see Non-Patent Document 1).

  In the agitation unit 901 of the cryptographic operation circuit device 900 showing the hardware configuration of the block cipher algorithm in FIG. 6 described above, if the amount of change (Hamming distance) in the register 905 after one clock is large, the current time It can be considered that power consumption should be large. Further, when the value of the register 905 changes, the input value of the logic gate constituting the combinational circuit 904 that performs the round process also changes accordingly, so that the state transition of the logic gate is performed. As a result, there should be a correlation between the Hamming distance of the register 905 and the power consumption at that time. Here, when the intermediate value of the register 905 is controlled so as not to be output to the outside during the round process, the possibility of calculating the Hamming distance of the register 905 is the initial round with input from the outside. Two places in the final round with output to the outside. Here, a case where the last round becomes an attack point will be described (see Non-Patent Document 1).

The register value one clock before the last round can be calculated by tracing the last round process of AES in reverse, assuming a subkey value for the last round. For example, as shown in FIG. 7, the final round process is a process of SubBytes->ShiftRow-> AddKey, and is closed to a process of 1 byte unit. Therefore, 256 values of byte values from 0x00 to 0xff are set as subkey estimation targets. If any one of them is determined, the processing byte value one clock before can be calculated. In FIG. 7, the register value one clock before is s _{i, j} , the ciphertext output is c _{i, j} , and the subkey is k _{i, j} (where i and j are integers of 4 × 4 16 bytes) For example, as shown in FIG. 7, the processing byte value s _2,0 one clock before can be calculated as s _2,0 = c _2,2 (+) k _2,2 (here (+) Indicates an EXOR operation). Therefore, the hamming distance before and after one clock of the last round for the 1-byte component at the coordinate (2,0) position is s _2,0 (+) c _2,0 , and when calculated backward, c _2,0 (+) c _2,2 (+) K _{2 and 2} can be calculated. Here, as described above, k _2,2 can take any value from 0x00 to 0xff, but the processing byte value one clock before can be obtained by only determining one of 256 values. Can be calculated. The same applies to the remaining 15-byte component of the coordinate position.

Here, an operation is performed on N plaintexts (c _i ) of 1 ≦ i ≦ N (N is a natural number), and the Hamming distance determined from the value of the subkey k is set to h _i (k), and the correlation with the power consumption. As the Pearson correlation coefficient. Also, if the power consumption for c _i is p _i (t),
Pearson correlation coefficient Corr of h _i (k) and _{p i (t) (h i} (k), p i (t)) is,

  Such a correlation coefficient is calculated for all values from 0x00 to 0xff that the subkey can take.

  As described above, since the Hamming distance and the power consumption have a positive correlation, the value of the sub key that maximizes the correlation coefficient is the true sub key. If the values of all the 16-byte subkeys are estimated in this way, the secret key value can be obtained illegally by calculating back the key scheduling processing unit 902.

  As a conventional countermeasure against the differential power analysis attack represented by such a CPA attack, a method of masking an intermediate value of an operation using a random number is known (for example, see Non-Patent Document 2). In this document, masking of the SubBytes function, which is a key function of the AES algorithm, is described, but other functions such as the MixColumn function are also masked and include intermediate values stored in a register in the middle of round processing. Since all intermediate values except the ciphertext that is the final operation result can be masked with random numbers, the value obtained by masking the original round processing result is stored in the register.

FIG. 8 shows a configuration when a round processing function of AES (SubBytes->ShiftRows->MixColumns-> AddRoundKey) is masked with random numbers (for example, see Non-Patent Document 2). In FIG. 8, f is the isomorphism map, and g is the composite map of the inverse map of the isomorphism map and the linear transformation part of the AES affine transformation. The Galois field inverse element x ^{−1 in} SubBytes is shown in FIG. 8 shows a circuit according _{a r a, r tmp1, r tmp2} , r b , respectively M, Z, W, random number mask corresponding to the F. Here, since ShiftRows is a simple Byte shift operation and AddRoundKey is an EXOR operation, a general function can be used as it is. Further, MixColumn is a linear function, and by performing an EXOR operation on a value obtained by processing the MixColumn function on the processing result by MixColumn (1) and a value obtained by processing the same MixColumn function on a random number by MixColumn (2), MixColumn is performed. The random component of the input of (1) can be canceled. Here, in comparison with the normal round processing function that does not perform the mask processing as described in FIG. 6, in addition to the EXOR operation with the random number, functions of f and g, a MixColumn function, and the like for converting the random number value are added. Has been. As a result, the value obtained by EXORing the value of the normal round processing result and the random number value is stored in the register, so that the Hamming distance is calculated from the difference between the values before and after the round processing by the mask effect of the random number. I can't. For this reason, the correlation between the difference amount and the correct subkey value becomes small, and the peak of the correlation coefficient does not appear, so that the differential power analysis attack represented by the CPA attack can be protected.

  In this way, in the prior art, the differential power analysis attack is protected by a complicated cryptographic operation circuit as shown in FIG.

Sugawara, Honma, Aoki, Sato, “Power channel analysis experiment on cryptographic hardware using side channel attack standard evaluation FPGA board,” Multimedia, Distributed, Collaboration and Mobile (DICOMO2007) Symposium, 7D-5, 2007. E. Trichina, “Small Size, Low Power Side Channel-Immune AES Co-processor Design and Synthesis Results”, AES 2004.

  As described above, the CPA attack protection measures according to the prior art have a complicated configuration of the cryptographic operation circuit, a large amount of processing, and problems with circuit scale and cost. For example, the defense countermeasure shown in Non-Patent Document 2 is a countermeasure against CPA attack that masks all intermediate values in the middle of Galois field inverse element calculation of the SubBytes part. For this reason, since it is necessary to mask not only the SubBytes part but also the combination circuit of the whole round process such as the MixColumn part and the AddKey part, random numbers necessary for masking must be prepared for each logic gate constituting the round processing function. I must. As a result, it is necessary to add an EXOR circuit and a spare circuit accompanying masking, and the circuit of the round processing function is complicated, the gate scale is increased, and the amount of calculation is further increased, so that the power consumption of the circuit increases. Occurs.

  In view of the above problems, an object of the present invention is to divert an encryption processing function block that is not masked as it is, and to increase the gate circuit scale and power consumption without newly installing an EXOR gate or a spare circuit. It is an object of the present invention to provide a cryptographic operation circuit device capable of avoiding a CPA attack while suppressing the above.

  A cryptographic operation circuit device according to claim 1 of the present invention includes a function processing unit that generates output data by performing predetermined function processing on input data. In the first processing, the function processing is performed on input data from the outside. In the cryptographic operation circuit device that outputs the output data obtained by repeating a predetermined number of times a series of processing for performing the function processing as the next input data, the output data generated in the subsequent processing, as encrypted data, A random number generation unit that generates random data having a bit width equal to the output data of the function processing unit, two data holding units that temporarily store the output data of the function processing unit or the random number data, and the random number generation unit; The function processing unit and a control unit for controlling processing timing of the data holding unit are provided.

  In the first aspect, for example, two registers (two of the processing results (function processing unit) including the combination function that repeatedly executes the cryptographic calculation processing every clock of the processing timing (control unit) are used as the calculation intermediate value. A cryptographic operation circuit device that repeatedly stores a predetermined number of processing operations by the progress of a clock signal and stores random number data having a bit width equal to the data size as a processing unit. Newly generated every time (random number generator). By generating random number data, there is no correlation between the amount of power consumption and the calculation result, and the amount of change in power consumption obtained during cryptographic calculation can be statistically processed to protect against CPA attacks that decrypt secret information.

  The cryptographic operation circuit device according to claim 2 of the present invention is the cryptographic operation circuit device according to claim 1, wherein the control unit performs the process one time before the function processing unit performs an initial process. The random number data generated by the random number generation unit is stored in one of the two data holding units, and the output data generated by the function processing unit in the first process is stored in the same data holding unit in which the random number data is stored. It is characterized by controlling to store.

  In the second aspect, for example, the output timing generated by the function processing unit at the first timing is stored as an operation intermediate value in one of the two registers (two data holding units) of the register 1 or the register 2. Since the random number generated by the random number generation unit is stored in either the register 1 or the register 2 at the timing one clock before, it is possible to protect in the initial round that is susceptible to the CPA attack.

  The cryptographic operation circuit device according to claim 3 of the present invention is the cryptographic operation circuit device according to claim 1, wherein the control unit performs processing one time before the function processing unit performs the last processing. The random number data generated by the random number generation unit is stored in one of the two data holding units, and the output generated by the function processing unit in the last processing is the same data holding unit in which the random number data is stored Control is performed to store data.

  In the third aspect of the invention, for example, the output timing generated by the function processing unit at the last timing is stored as an operation intermediate value in one of the two registers (two data holding units) of the register 1 or the register 2. Since the random number generated by the random number generation unit is stored in either the register 1 or the register 2 at the timing one clock before, it becomes possible to defend in the final round that is susceptible to the CPA attack.

  The cryptographic operation circuit device according to claim 4 of the present invention is the cryptographic operation circuit device according to claim 1, wherein the control unit is configured such that the function processing unit performs the first process and the final process once. The random number data generated by the random number generation unit in the previous process is stored in one of the two data holding units, and the function processing unit is set to the same data holding unit in which the random number data is stored. Control is performed so as to store the output data generated by the above process.

  According to a fourth aspect of the present invention, there is provided a clock for storing a result of a function processed at the very first timing and the last timing as an operation intermediate value in either one of the two registers (two data holding units) of the register 1 or the register 2 Since the random number generated by the random number generation unit is stored in either the register 1 or the register 2 at a timing one clock before the timing, it is possible to protect in the initial round and the final round that are susceptible to the CPA attack.

  Moreover, the cryptographic operation circuit device according to claim 5 of the present invention is the cryptographic operation circuit device according to any one of claims 1 to 4, wherein the control unit performs the function processing for each function processing of the function processing unit. The random number data is controlled to be stored in at least one of the two data holding units.

  In claim 5, when the result of the function processed for each clock is stored as an operation intermediate value in register 1 or register 2 in synchronization with the clock, a random number is stored in the other register different from the register storing the operation intermediate value. Stores the random number generated by the generator. As a result, there is no correlation between the power consumption amount and the calculation result in all rounds, not only in the initial round and the final round, and it is possible to protect against the CPA attack.

  Moreover, the cryptographic operation circuit device according to claim 6 of the present invention is the cryptographic operation circuit device according to any one of claims 1 to 4, wherein the control unit is configured for each function processing of the function processing unit. Control is performed so that the output data of the function processing unit or the random number data is alternately stored in the two data holding units.

  According to the sixth aspect, the result of the function processed for each clock is alternately stored in the register 1 or the register 2 in synchronism with the clock as an operation intermediate value. Then, the random number generated by the random number generation unit is stored in the other register different from the register storing the operation intermediate value at the clock timing. As a result, there is no correlation between the power consumption amount and the calculation result in all rounds, not only in the initial round and the final round, and it is possible to protect against the CPA attack.

  A cryptographic operation circuit device according to claim 7 of the present invention is the cryptographic operation circuit device according to any one of claims 1 to 6, wherein the function processing performed by the function processing unit is encryption in a block encryption algorithm. Alternatively, it is a basic process of decoding round operation. As a result, the present invention can also be applied to a cryptographic operation circuit device using a block cipher algorithm such as AES.

  The cryptographic operation circuit device according to claim 8 of the present invention is the cryptographic operation circuit device according to any one of claims 1 to 6, wherein the function processing performed by the function processing unit is used in a public key cryptographic algorithm. It is a basic process of an iterative operation for executing a modular exponentiation operation or an elliptic scalar multiplication operation to be performed. As a result, the present invention can also be applied to a cryptographic operation circuit device using a public key cryptographic algorithm such as a power-residue calculation or elliptic scalar multiplication.

  The cryptographic operation circuit device according to the present invention generates random number data having a bit width equal to the output data of the function processing unit, and stores the output data or random number data of the function processing unit in the two data holding units. There is no correlation between the amount of power and the calculation result, and the amount of change in power consumption obtained during the cryptographic calculation can be statistically processed to protect against a CPA attack that decrypts secret information. In particular, a block of an encryption processing function (function processing unit) that is not masked is used as it is, and CPA while suppressing an increase in gate circuit scale and an increase in power consumption without newly installing an EXOR gate or a spare circuit. Attacks can be avoided.

It is explanatory drawing which shows the structural example of the cryptographic operation circuit apparatus 100 which concerns on 1st Embodiment. 3 is a timing chart of the cryptographic operation circuit device 100 according to the first embodiment. It is explanatory drawing which shows the structural example of the cryptographic operation circuit apparatus 200 which concerns on 2nd Embodiment. It is a timing chart of the cryptographic operation circuit device 200 according to the second embodiment. It is explanatory drawing which shows the structural example of the cryptographic operation circuit apparatus 300 which concerns on 3rd Embodiment. It is explanatory drawing which shows the structural example of the cryptographic operation circuit apparatus 900 which processes the conventional block cipher algorithm. It is explanatory drawing of the last round process of a general AES round process function. It is explanatory drawing which shows the example of the AES round process which performed the conventional masking countermeasure.

  Hereinafter, embodiments of a cryptographic operation circuit device according to the present invention will be described in detail with reference to the drawings.

(First embodiment)
FIG. 1 shows a configuration example of a cryptographic operation circuit device 100 according to the present embodiment. The cryptographic operation circuit device 100 shown in FIG. 1 corresponds to the cryptographic operation circuit device 900 of FIG. 6 described in the prior art, and is configured to perform one round processing with one clock for a block encryption algorithm typified by AES. ing. 1 includes the agitation unit 101 and the control unit 150 without including a portion corresponding to the key scheduling unit 902 in FIG. 6, and the sub key is input from the outside. However, the same block as the key scheduling unit 902 may be included as the cryptographic operation circuit device 100.

  In FIG. 1, a stirring unit 101 includes a selector 103 that selects plaintext (or ciphertext) input from the outside or data after round processing, a combinational circuit 104 that performs round processing with a predetermined processing function, and a random number generation unit. 105, a selector 106 that selects output data of the combinational circuit 104 or random number data generated by the random number generation unit 105, a register 107 that temporarily holds output data of the selector 106, and output data or random numbers of the combinational circuit 104 Select the selector 108 that selects the random number data generated by the generation unit 105, the register 109 that temporarily holds the output data of the selector 108, and the output data of the register 109 or All = 0 (all 0 data). It comprises a selector 110 that outputs to the outside.

  Further, the control unit 150 supplies a clock to the random number generation unit 105, the register 107, and the register 109, the control signal 1 to the selector 103, the control signal 2 to the selector 106, the control signal 3 to the selector 108, and the control signal 4 to the selector 110. Are respectively output to control the processing timing of the stirring unit 101. Note that the control unit 150 controls the overall operation of the cryptographic operation circuit device 100. When the key scheduling unit 902 of FIG. 6 is included, the control unit 150 also provides a clock and clock to the key scheduling unit 902 as in the control unit 905 of FIG. Output a control signal. In this case, the control unit 150 outputs a control signal c to the selector 907 of the key scheduling unit 902 and supplies a clock to the register 908.

  Similar to the agitation unit 901 of FIG. 6 of the prior art, the agitation unit 101 in FIG. 1 inputs plaintext (or ciphertext) as processing target data, and creates a subkey (round) created from the secret key by the key scheduling unit 902 or the like. The key is used for encryption by performing a predetermined number of round processes, and ciphertext (or plaintext) is output as processed data.

  In the agitation unit 101, one round process is performed in one clock, and a series of round processes that go around the selector 103, the combinational circuit 104, the selector 106, and the register 107 are repeated a predetermined number of times in synchronization with the clock. That is, the agitation unit 101 based on the round process of the combinational circuit 104 performs a new round process using the value of the sub key output from the key scheduling unit 102 and the intermediate value of the round process one clock before, The process of storing the operation result in the register 107 as a new intermediate value is repeated. Then, the calculation result of the round processing function is held as an intermediate value in the register 107 for each clock, and after the clock has advanced by the required number of rounds, the data output from the combinational circuit 104 in the final round becomes the final calculation result. The value is held in the register 109 via the selector 108 as ciphertext (in the case of encryption) or plaintext (in the case of decryption), and is output to the outside of the cryptographic operation circuit device 100 via the selector 110.

  In this way, the intermediate value of the intermediate round process is stored in the register 107, and only the final result of the final round is stored in the register 109 and output to the outside.

  Here, in FIG. 1, the control signal 1 of the selector 103 for selecting the input data from the outside (plaintext or ciphertext) or the output data of the register 107 holding the intermediate value of the round processing function, and the register 109 The output data or the fixed value (all = 0 in this embodiment) and the control signal 4 of the selector 110 correspond to the control signal a of the selector 903 and the control signal b of the selector 906 of the stirring unit 901 in FIG.

  In the present embodiment, the register 107 that holds the intermediate value of the round process and the calculation as a register for holding the calculation result (output data) of the round process or the random value (random number data) generated by the random number generation unit 105 Two systems of registers 109 are provided for holding the final value of the final result. Here, the control signal 2 is a control signal for selecting whether to store the round processing function calculation result or the random value generated by the random number generation unit 105 in the register 107, and the control signal 3 is the round processing function calculation. This is a control signal for selecting which of the result and the random number value generated by the random number generation unit 105 is stored in the register 109.

  Next, the operation of the cryptographic operation circuit device 100 of FIG. 1 will be described in detail with reference to the timing chart of FIG. FIG. 2 is a timing chart illustrating a relationship among processing timings of the clock output from the control unit 150, the control signal 1, the control signal 2, the control signal 3, the control signal 4, the register 107, and the register 109. It is. In FIG. 2, all (n + 1) rounds from the initial round to the final round are defined as one block calculation, and a ciphertext (or plaintext) as a processing result is output to the outside for each block calculation. Further, the round processing function by the combinational circuit 104 in FIG. 1 is executed every clock cycle, and the register 107 and the register 109 hold the input data to each register in one clock cycle.

In FIG. _2, t _{n +} 2 from the timing t ₀ represents the timing of each clock period, d _n from d ₀ represents the output data for each round of the round processing function by the combination circuit 104. For example d ₀ indicates the results of the values of the initial round processing function, d ₁ the value of the result of the first round processing function, d _n is the resulting value of the final round processing functions, respectively. Further, r and r ′ represent random numbers generated by the random number generation unit 105 at an update frequency for each block calculation cycle, and the random number r and the random number r ′ are different random values. In FIG. 1, the clock is also input from the control unit 150 to the random number generation unit 105. However, in the flowchart of FIG. 2, the random number generation unit 105 will be described as generating a new random number every final round. This case can be realized by providing a counter that counts one block of clocks inside the random number generator 105. Alternatively, although the power consumption of the random number generation unit 105 is slightly increased, a random number may be simply generated every clock cycle. In this case, only the value of the random number r generated by the random number generator 105 is different for each round, and the effect of this embodiment is not changed.

In FIG. 2, first, at timing t ₀ , the control signal 2 is controlled to be High prior to the cryptographic operation for one block period, and for example, a 128-bit random number r generated by the random number generation unit 105 is stored in the register 107. During this time, the control signal 1 is controlled to Low, the control signal 2 is controlled to Low at timing t ₁ , and plain text (or cipher text) input from the outside is subjected to initial round processing and stored in the register 107. The control signal 1 is controlled to High from timing t ₂ to timing t _{n + 1} for processing the final round, and the output data of the combinational circuit 104 is updated and held in the register 107 for each round processing. During this time, the control signal 3 is controlled to High until the timing t _{n at} which the (n−1) -th round is processed, and a 128-bit random number is stored in the register 109. At timing t _{n + 1} for processing the final round, the control signal 2 is controlled to be High, and a 128-bit random number is stored in the register 107. At the same time, the control signal 3 is controlled to be Low, and the processing result of the last round is stored in the register 109. The control signal 4 is controlled to Low only when the final round process is confirmed, and the calculation result is output to the outside via the selector 110. The control signal 4 is controlled to High at a timing other than when the final round process is finalized, and a fixed value (for example, all = 0) is output to the outside via the selector 110. Timing t _{n + 2} in the control signal 1 is controlled again Low, similarly to the previous time t _1, then the processing from the processing of the initial round of the final round the plaintext block which is input from outside (or ciphertext) The one block encryption operation up to is repeated.

Here, in the cryptographic operation circuit device 100 according to the present embodiment, attention is paid to the processing of the initial round and the final round that are targets of the CPA attack. First, in the initial round process at timing t ₁ , the value of the register 107 changes from the random number r to the output data d ₀ of the round process function. At this time, since the value of the random number r is different for each block operation, the amount of change (hamming distance) in the value of the register 107 cannot be estimated. Then, in the final round of the timing _{t n + 1,} the value of the register 107 is changed to the random number r 'from the output data _{d n-1,} the value of the register 109 are simultaneously changed to the output data _{d n} from a random number r. Here, r ′ is an updated random number value. Even in the final round, the amount of change (hamming distance) in the register 109 cannot be estimated due to the influence of the random number r.

  As described above, the cryptographic operation circuit device 100 according to the present embodiment cannot calculate the Hamming distance in each register by assuming the subkey, and can eliminate the correlation between the subkey and the power consumption. As a result, a conventional round processing function that is not subjected to masking processing can be used as it is, and there is no need to add an EXOR circuit or a spare circuit for masking the entire round processing function with random numbers as in the prior art. It becomes. In particular, in the case of the cryptographic operation circuit device 100 according to the present embodiment shown in FIG. 1, in addition to the random number generator (also necessary for conventional masking), the Hamming distance can be reduced by adding only one register and two selectors. Calculations can be made difficult, and it is possible to prevent CPA attacks while avoiding an increase in gate size and power consumption.

(Second Embodiment)
Next, a cryptographic operation circuit device 200 according to the second embodiment will be described. FIG. 3 shows a configuration example of the cryptographic operation circuit device 200. The cryptographic operation circuit device 200 shown in FIG. 3 corresponds to a block encryption algorithm typified by AES, similar to the cryptographic operation circuit device 900 described in the prior art and the cryptographic operation circuit device 100 according to the first embodiment, It is configured to perform one round process with one clock. 3 includes the agitation unit 201 and the control unit 250 without including the portion corresponding to the key scheduling unit 902 in FIG. 6, and the sub key is input from the outside. However, the same block as the key scheduling unit 902 may be included in the cryptographic operation circuit device 200.

  In the first embodiment, the countermeasure for avoiding the calculation of the change amount (hamming distance) of the register value due to the random number is limited to the initial round and the final round. In the second embodiment, the initial round and the final round are performed. It is intended to avoid calculation of register value change amount (Humming distance) in all rounds including not only the intermediate round.

  Hereinafter, the cryptographic operation circuit device 200 according to the second embodiment will be described in detail with reference to FIG. In FIG. 3, the agitation unit 201 includes a selector 203 that selects plaintext (or ciphertext) input from the outside or data after round processing, a combinational circuit 204 that performs round processing with a predetermined processing function, and a random number generation unit. 205, a selector 206 that selects output data of the combination circuit 204 or random number data generated by the random number generation unit 205, a register 207 that temporarily holds output data of the selector 206, and output data or random numbers of the combination circuit 204 A selector 208 that selects random number data generated by the generation unit 205, a register 209 that temporarily holds output data of the selector 208, a selector 211 that selects output data of the register 207 or output data of the register 209, and a selector 211 output data or All = 0 (all 0 data Composed of a selector 210 to be output to the outside select. Here, the agitation unit 101 of FIG. 1 of the first embodiment is configured by two registers and four selectors in addition to the combinational circuit 104 and the random number generation unit 105, whereas the diagram of the second embodiment. The third stirring unit 201 is different from the combination circuit 204 and the random number generation unit 205 in that it includes two registers and five selectors. In particular, there is a feature in that a selector 211 that alternately selects output data of the register 207 and the register 209 is provided.

  Further, the control unit 250 supplies a clock to the random number generation unit 205, the register 207, and the register 209 as in the control unit 150 of the first embodiment, the control signal 21 to the selector 203, the control signal 22 to the selector 206, The control signal 23 is output to the selector 208, the control signal 24 is output to the selector 210, and the control signal 25 is output to the selector 210 to control the processing timing of the stirring unit 201. Here, the control signal 1 in FIG. 1 and the control signal 21 in FIG. 2 and the control signal 4 in FIG. 1 and the control signal 24 in FIG. 2 operate at the same processing timing, but the processing timings of the other control signals are different. Each processing timing will be described in detail later. Furthermore, the control unit 250 controls the overall operation of the cryptographic operation circuit device 200. When the control unit 250 includes the key scheduling unit 902 in FIG. Output a control signal. In this case, the control unit 250 outputs a control signal c to the selector 907 of the key scheduling unit 902 and supplies a clock to the register 908.

  Similar to the agitation unit 901 of FIG. 6 of the prior art, the agitation unit 201 in FIG. 3 inputs plaintext (or ciphertext) as processing target data, and creates a subkey (round) created from the secret key by the key scheduling unit 902 or the like. The key is used for encryption by performing a predetermined number of round processes, and ciphertext (or plaintext) is output as processed data.

  In the agitation unit 201, one round process is performed in one clock, and a series of round processes from the selector 203 to the combinational circuit 204, the selector 206 or the selector 208, the register 207 or the register 209, and the selector 211 are synchronized with the clock. Repeat a predetermined number of times. That is, the agitation unit 201 based on the round process of the combinational circuit 204 performs a new round process using the value of the sub key input from the key scheduling unit 902 or the like and the intermediate value of the round process one clock before, The process of storing the calculation result as a new intermediate value in the register 207 or the register 209 is repeated. Then, after the clock has advanced by the required number of rounds, the value of the register 207 or the register 209 storing the data output from the combinational circuit 204 in the final round is selected by the selector 211 as the final calculation result, and this value is encrypted. The data is output to the outside of the cryptographic operation circuit device 200 via the selector 210 as (encryption) or plaintext (decryption).

  Here, in the present embodiment, as a register for holding a calculation result (output data) of the round process or a random value (random number data) generated by the random number generation unit 205, a register 207 that holds an intermediate value of the round process and Two systems of registers 209 are provided. The control signal 22 and the control signal 23 are control signals for alternately storing either the calculation result of the round processing function or the random value generated by the random number generation unit 205 in the register 207 or the register 209. The control signal 25 is This is a control signal for selecting the calculation result of the round processing function stored in either the register 207 or the register 209.

  Next, the operation of the cryptographic operation circuit device 200 of FIG. 3 will be described in detail with reference to the timing chart of FIG. FIG. 3 shows the relationship between the clock output from the control unit 250, the control signal 21, the control signal 22, the control signal 23, the control signal 24, the control signal 25, the register 207, and the register 209. It is a timing chart which drew. In FIG. 4, (n + 1) rounds from the initial round to the final round are defined as one block calculation, and the ciphertext (or plaintext) as a processing result is output to the outside for each block calculation. Further, the round processing function by the combinational circuit 204 in FIG. 3 is executed every clock cycle, and the register 207 and the register 209 hold the input data to each register in one clock cycle.

4, similarly to FIG. 2 of the first embodiment, t _{n + 2} from the timing t ₀ represents the timing of each clock period, d ₀ from d _n is the output of each round of the round processing function by the combination circuit 204 Data are shown. For example d ₀ indicates the results of the values of the initial round processing function, d ₁ the value of the result of the first round processing function, d _n is the resulting value of the final round processing functions, respectively. Further, r and r ′ represent random numbers generated by the random number generation unit 105 at an update frequency for each block calculation cycle, and the random number r and the random number r ′ are different random values. The random number generation unit 205 in FIG. 3 receives a clock from the control unit 250 in the same manner as the random number generation unit 105 in FIG. 1 of the first embodiment, but in the flowchart in FIG. A description will be given assuming that a new random number is generated at each processing timing of the final round. However, as described in the random number generation unit 105, the random number generation unit 205 may simply generate a random number every clock cycle. In this case, only the value of the random number r stored in the register 207 or the register 209 is different for each round, and the effect of this embodiment is not changed.

In FIG. 4, at timing t ₀ , the control signal 22 is controlled to be High prior to the cryptographic operation for one block period, and a 128-bit random number r generated by the random number generation unit 205 is stored in the register 207. During this time, the control signal 21 is controlled to Low, the control signal 2 is controlled to Low at timing t ₁ , and the plaintext (or ciphertext) input from the outside is subjected to initial round processing and stored in the register 207.

On the other hand, at timing t ₁ , the control signal 23 is controlled to be High, and a 128-bit random number r is stored in the register 209. The control signal 25 is controlled to Low until timing t ₂ , and the initial round operation result d ₀ stored in the register 207 is input to the round processing function (combination circuit 204) as first round input data.

Next timing _{t 2} the control signal 22 is High, the control signal 23 is controlled to Low, 128-bit random number r in the register 207, also calculation result _{d 1} of the first round is stored in the register 209, the timing At t ₃ , the control signal 25 is controlled to High, and the operation result d ₁ of the round processing function stored in the register 209 is input to the round processing function as second round input data.

At timing t ₄ , the control signal 22 and the control signal 23 are controlled to have opposite phases to the previous clock cycle (third clock), the first round operation result d ₂ is stored in the register 207, and the register 209 is also registered. Stores a 128-bit random number r. At timing t ₄ , the control signal 25 is controlled to be Low, and the operation result d ₂ of the round processing function stored in the register 207 is input to the round processing function as third round input data. The same operation is repeated until the final round.

  In the final round, the final calculation result (ciphertext or plaintext) of the round processing function is stored in either the register 207 or the register 209 according to the total number of round processing, and the final round is obtained by controlling the control signal 24 to Low. The value of the operation result is output to the outside of the cryptographic operation circuit device 200.

In the next block operation, the operation result of the initial round is stored in the other register different from the register 207 or the register 209 in which the final operation result of the previous block is stored. In the case of FIG. 4, the operation result d ₀ ′ of the initial round of the next block operation is stored in the register 209, and the random number r ′ newly generated by the random number generation unit 205 at the timing of the control signal 24 is stored in the register 207. The

In this way, the control signal 22 and the control signal 23 are alternately inverted every clock, and the operation result of the round processing function alternately stored in the register 207 or the register 209 is alternately selected by the control signal 25. Thus, the operation result d _i (i is an integer) of the round processing function and the random number r generated by the random number generation unit 205 are alternately stored in the register 207 or the register 209.

Here, in the register 207 or the register 209, the value stored in each register is a random number → the operation result of the round processing function → the random number → the operation result of the round processing function → the random number →. Since the random number is always stored every other clock, the amount of change (Hamming distance) of the value of each register can be randomized at any clock timing. As a result, in all clocks (all round processes), the Hamming distances of the values stored in the registers 207 and 209 before and after the clock are r (+) d _i (where (+) indicates an EXOR operation). Therefore, it is impossible to reversely calculate the Hamming distance of the value stored in each register assuming the sub key. Furthermore, since the random number is updated to a new value in the block calculation cycle for processing the data unit to be encrypted, the correlation between the sub key and the power consumption can be eliminated. As described above, the random number may be generated in a clock cycle or a plurality of clock units, but it is necessary to update the random number at least every block calculation cycle.

  As described above, the cryptographic operation circuit device 200 according to the present embodiment can use a conventional round processing function that is not subjected to masking processing as it is, and masks the entire round processing function with a random number as in the conventional technique. Therefore, it is not necessary to add an EXOR circuit or a spare circuit. In particular, in the case of the cryptographic operation circuit device 200 according to the present embodiment shown in FIG. 3, in addition to the random number generator (also necessary for conventional masking), the Hamming distance can be reduced by adding only one register and three selectors. Calculations can be made difficult, and it is possible to prevent CPA attacks while avoiding an increase in gate size and power consumption.

(Third embodiment)
Next, a cryptographic operation circuit device 300 according to the third embodiment will be described. In the cryptographic operation circuit device 100 according to the first embodiment and the cryptographic operation circuit device 200 according to the second embodiment, an example in the case of application to a block encryption algorithm typified by AES has been shown. In the case of implementing a hardware implementation in which a register has a pipeline configuration for a cryptographic module that performs a power-residue operation and an elliptic scalar multiplication operation in FIG. Can be applied. Hereinafter, in the present embodiment, an example in which the present invention is applied to the power-residue calculation and the elliptic scalar multiplication used in the calculation of such a public key encryption algorithm will be described.

  FIG. 5 is a configuration diagram of the cryptographic operation circuit device 300 according to the third embodiment. In FIG. 5, the cryptographic operation circuit device 300 includes a stirring unit 301 and a control unit 350. The basic configuration of the agitation unit 301 of the cryptographic operation circuit device 300 of FIG. 5 is the same as that of the agitation unit 201 of FIG. 3 shown in the second embodiment except for the combinational circuit 304. In the agitation unit 201 in FIG. 3, the combinational circuit 204 is a circuit that executes the round processing function of the block cipher algorithm based on the subkey generated by the key scheduling unit 902. However, the combinational circuit 304 in FIG. Is constituted by a circuit that performs a power residue calculation or an elliptic scalar multiplication operation based on the output value of the exponent expansion unit 302. The power-residue calculation or the elliptic scalar multiplication is a well-known calculation, and a detailed description thereof will be omitted. Further, the processing timing of the agitation unit 301 is also exactly the same as the timing chart of FIG. 4 described in the second embodiment, and a duplicate description is omitted.

  In FIG. 5, the exponent expansion unit 302 expands the value of the exponent that is a secret key into, for example, a binary value, and performs multiplication or self-multiplication in the case of a power-residue operation in order from the upper or lower bits of the expanded binary value. In the case of elliptic scalar multiplication, ellipse addition or elliptic doubling is executed. Similar to the stirring unit 201 of FIG. 3, the calculation result of the processing function in the combinational circuit 304 is alternately stored in the register 207 or the register 209 as an intermediate value. At this time, the random number generated by the random number generation unit 205 is stored in the other register in which the operation result is not stored.

  The timing chart of the cryptographic operation circuit device 300 according to the third embodiment of FIG. 5 is the same as that of the second embodiment described with reference to FIG. 4, but for example, in the case of the left binary method, the first round in FIG. , The second round,..., And the initial round correspond to the most significant bit, the (most significant −1) bit,. In addition, the random number generated by the random number generation unit 205 is updated to a new value every time a power-residue calculation or elliptic scalar single calculation is triggered.

  Here, the CPA attack for the power-residue operation and the elliptic scalar multiplication operation uses an attack method in which analysis is performed in units of bits in order in each process from the most significant bit to the least significant bit. The method of storing random numbers in the register 207 or the register 209 alternately in bit units is very effective in avoiding the calculation of the Hamming distance.

  As described above, the cryptographic operation circuit device 300 according to the present embodiment can also be applied to a cryptographic module that performs a power-residue operation or an elliptic scalar multiplication operation in a public key encryption algorithm, and performs analysis in bit units. It becomes possible to defend the CPA attack to be performed.

  As described above, in the cryptographic operation circuit device 100 according to the first embodiment and the cryptographic operation circuit device 200 according to the second embodiment, an example in the case of application to a block encryption algorithm typified by AES is shown, and the third embodiment In the cryptographic operation circuit device 300 according to the example shown in FIG. In addition to these embodiments, for example, when stream cipher is used, the present invention can be applied to a case where a cryptographic operation circuit is realized by hardware implementation having a similar pipelined register configuration.

  In this way, by providing two systems for storing the calculation result of the encryption processing function, it is possible to prevent a CPA attack that calculates the Hamming distance from the amount of change in the register value. In particular, since the conventional encryption processing function without masking can be used as it is, there is no need to newly install an EXOR gate or a spare circuit, and it is effective while suppressing an increase in the gate circuit scale and an increase in power consumption. CPA attacks can be avoided.

  Although the embodiments of the cryptographic operation circuit device according to the present invention have been described above, the present invention can be implemented in various other forms without departing from the spirit or main features thereof. Therefore, the above-described embodiment is merely an example in all respects and should not be interpreted in a limited manner. The present invention is shown by the scope of claims, and the present invention is not limited to the text of the specification. Furthermore, all modifications and changes belonging to the scope of the claims are within the scope of the present invention.

1, 2, 3, 4, 21, 22, 23, 24, 25, a, b, c... Control signals 100, 200, 300, 900... Cryptographic operation circuit devices 101, 201, 301, 901,. .. Stirring units 103, 106, 108, 110, 203, 206, 208, 210, 211, 903, 906, 907... Selectors 104, 204, 304, 904, 909.・ Random number generators 107, 109, 207, 209, 905, 908... Registers 150, 250, 350, 950... Control unit 201... Stirring unit 250. 902: Key scheduling unit

Claims (8)

It has a function processing unit that performs predetermined function processing on input data to generate output data. In the first processing, the function processing is performed on input data from the outside, and in the subsequent processing, the generated output data is In the cryptographic operation circuit device for outputting the output data obtained by repeating a series of processing for performing the function processing as input data to the outside as encryption data,
A random number generator for generating random data having a bit width equal to the output data of the function processor;
Two data holding units for temporarily storing the output data of the function processing unit or the random number data;
A cryptographic operation circuit device comprising: the random number generation unit, the function processing unit, and a control unit that controls processing timing of the data holding unit. The cryptographic operation circuit device according to claim 1,
The control unit stores the random number data generated by the random number generation unit in one of the previous processes in which the function processing unit performs an initial process in one of the two data holding units, and the random number data is stored. A cryptographic operation circuit device that controls to store the output data generated by the function processing unit in the first process in the same data holding unit. The cryptographic operation circuit device according to claim 1,
The control unit stores the random number data generated by the random number generation unit in one of the previous processes in which the function processing unit performs the final process, and stores the random number data. The cryptographic operation circuit device is controlled to store the output data generated by the function processing unit in the last processing in the same data holding unit. The cryptographic operation circuit device according to claim 1,
The control unit stores the random number data generated by the random number generation unit in one of the previous processes in which the function processing unit performs each of the initial and final processes in one of the two data holding units, A cryptographic operation circuit device, wherein the function processing unit is controlled to store output data generated by the first and last processing in the same data holding unit in which random number data is stored. In the cryptographic operation circuit device according to any one of claims 1 to 4,
The control unit controls to store the random number data in at least one of the two data holding units for each function processing of the function processing unit. In the cryptographic operation circuit device according to any one of claims 1 to 4,
The control unit controls the output data of the function processing unit or the random number data to be alternately stored in the two data holding units for each function processing of the function processing unit. apparatus. In the cryptographic operation circuit device according to any one of claims 1 to 6,
The function processing performed by the function processing unit is basic processing of encryption or decryption round operation in a block cipher algorithm. In the cryptographic operation circuit device according to any one of claims 1 to 6,
The cryptographic processing circuit apparatus, wherein the functional processing performed by the function processing unit is a basic processing of repetitive calculation for executing a modular multiplication or elliptic scalar multiplication operation to be used in a public key cryptographic algorithm.

Images