JP2013077034A - Encryption device loaded with common key encryption function and integration device - Google Patents

Abstract

PROBLEM TO BE SOLVED: To increase the safety of an integration apparatus such as a smart card by making it difficult to decrypt a secret key of encryption processing such as an Advanced Encryption Standards (AES) as a representative common key algorithm.SOLUTION: A common key block encryption device for operating non-linear conversion by multiplication processing in a binary body or a composite body includes: an arithmetic unit for executing any arithmetic processing other than the non-linear conversion on the basis of fixed value masked input data obtained by executing an XOR operation to a fixed value mask; an XOR operation circuit for converting all the input data into fixed value masked input data by executing the XOR operation to the fixed value mask, and for further converting the fixed value masked input data into random value masked input data by executing the XOR operation to a random value mask in multiplication processing; a multiplier for executing multiplication processing on the basis of the random value masked input data output by the XOR operation circuit; and a random value mask/fixed value mask conversion circuit for reconverting the random value masked output data to be output from the multiplier into the fixed value masked output data for output.

Description

  The present invention belongs to the field of cryptography and relates to a countermeasure technique for preventing a cryptanalysis called a power analysis attack.

  Encryption methods are roughly classified into public key encryption methods and common key encryption methods. Public key cryptography is a scheme that uses different keys for encryption and decryption, and instead of publicly disclosing the key for encryption (public key), the key for decrypting the ciphertext (secret key) Is a method of maintaining security by making secret information only for the receiver. On the other hand, what is called a common key encryption method is a method that uses the same key (secret key) for encryption and decryption, and makes this secret key information unknown to a third party other than the sender and receiver. This is a method to keep safety.

  One technology in the field of cryptography is called decryption technology. The decryption technique is a technique for estimating secret information such as a secret key from available information such as ciphertext, and there are various methods. Among them, a technique that has recently attracted attention is a method called power analysis attack (PA). PA is a technique devised by Paul Kocher in 1998, which collects and analyzes power consumption data when various input data are given to cryptographic processors mounted on embedded devices such as smart cards. This is a technique for estimating the key information inside the processor. It is known that by using PA, a secret key can be estimated from a cryptographic processor for both public key encryption and secret key encryption.

  There are two types of PAs: simple power analysis (SPA) and differential power analysis (DPA). SPA is a method for estimating a secret key from the characteristics of a single power consumption data in a cryptographic processor, and DPA is a method for estimating a secret key by analyzing the difference of a large number of power consumption data. It is said to be powerful. The following papers have been published as typical decoding techniques using SPA and DPA. The decryption method using DPA for public key cryptography such as RSA is described in documents such as Non-Patent Document 1 below. Non-Patent Document 2 below describes a decryption method using SPA and DPA for DES (Data Encryption Standards) currently used as a standard in the common key cryptosystem. In addition to DES, the possibility of decryption using DPA has been pointed out in documents such as the following non-patent document 3 for Rijndael, which is a common key cryptosystem that is expected to be used as a standard in the next generation.

  Decoding technology using PA is attracting attention as a particularly effective method, and various decoding methods have been studied. In addition, not only decoding technology but also countermeasure technology for preventing decoding by PA has been developed, and it is attracting attention as an important technology as well as decoding technology.

  A general configuration of the common key encryption process is shown in FIG. Generally, the common key encryption process is composed of two processes, a round process and an extended key generation. In the extended key generation, a plurality of data called extended keys (hereinafter referred to as extended key 0, extended key 1,..., Extended key N) are generated from the input secret key and output to the round process. By inputting these expanded key and plaintext to the round process, conversion for encryption is performed and ciphertext is output.

  AES (Advanced Encryption Standards) is known as a typical common key encryption algorithm, and is disclosed as Non-Patent Document 4 below.

The configuration of AES is shown in FIG.
AES is an algorithm using 128-bit as an encryption unit. That is, a 128-bit ciphertext is generated from a 128-bit plaintext. The secret key can be selected from three types: 128, 192, and 256-bit. By executing the extended key process, N + 1 128-bit extended keys are generated from the secret key. AES round processing is composed of four types, RoundKey, Subbyte, ShiftRow, and MixColumn. Of these, an expanded key is used in RoundKey. By inputting plain text to the round process, the process of RoundKey, Subbyte, ShiftRow, MixColumn is repeated N-1 times. Next, processing of RoundKey, Subbyte, ShiftRow, and RoundKey is executed and ciphertext is output. The number of repetitions N varies depending on the bit length of the secret key. N = 10 in the case of 128-bit, N = 12 in the case of 192-bit, and N = 14 in the case of 256-bit. FIG. 3 shows the RoundKey processing, FIG. 4 shows the Subbyte processing, FIG. 5 shows the MixColumn processing, and FIG. 6 shows the ShiftRow processing.

が成立する。具体的には、図６のShiftRowのようなビット置換処理や、図５のMixColumnのような行列演算などがこれに該当する。図９は非線形変換処理であり、入力データXに対してZ=W(X)を満たすZを出力する。このとき、Wは任意のX,Yに関して、W(X○Y) =W(X)○W(Y)が成立しない(非線形)。具体的には、Sboxと呼ばれる非線型変換テーブル索引で実現する場合が多く、入力XをX=x₀x₁…x_u-1とu個に分割し、Sbox w_jを用いてz_j=w_j(x_j)で表されるz_jを計算、再びZ=z₀z₁...z_u-1と結合してZを出力する。 <Deciphering secret key with DPA>
In the following, the secret key decryption method using DPA is described. DPA is a technique for decrypting a secret key by measuring power consumption related to the round processing of FIG. Hereinafter, the processing configuration of the common key encryption that can be decrypted using DPA will be described without being limited to AES. In general common key cryptography, round processing is configured by combining three of expanded key XOR processing (FIG. 7), linear transformation processing (FIG. 8), and nonlinear transformation processing (FIG. 3), and the round processing is repeated a plurality of times. Consists of. As shown in FIG. 7, the expanded key XOR process is a process of outputting the operation result Z of the exclusive OR (XOR) of the expanded key K with respect to the input data X. FIG. 8 shows a linear conversion process in which Z that satisfies Z = L (X) is output for input data X. At this time, L is arbitrary X and Y,

Is established. Specifically, this corresponds to bit replacement processing such as ShiftRow in FIG. 6 and matrix operation such as MixColumn in FIG. FIG. 9 shows non-linear conversion processing, in which Z that satisfies Z = W (X) is output for input data X. At this time, W does not hold W (X ○ Y) = W (X) ○ W (Y) for any X and Y (nonlinear). Specifically, often implemented in a non-linear conversion table indexes called Sbox, divides the input _{X X = x 0 x 1 ...} x u-1 and the u-number, z _j using Sbox w _j = z _j represented by w _j (x _j ) is calculated and combined with Z = z ₀ z ₁ ... z _u−1 again to output Z.

Next, a cryptanalysis method using DPA for the common key encryption combined with the above processing will be shown.
As the simplest example, it is shown that the extended key K can be decrypted by using DPA for the process of FIG. 10 that combines FIG. 7 and FIG. Note that FIG. 10 is equivalent to a structure combining RoundKey (FIG. 3) and Subbyte (FIG. 4) in AES.

FIG. 11 shows a configuration in which only bits related to w _j input / output are extracted in the configuration of FIG. In FIG. 11, it is assumed that m _j is a known value such as plain text, k _j is an unknown value, and w _j is a known Sbox table. It is shown that the extended key k _j can be estimated by DPA under this assumption.

  The DPA is composed of two stages: measurement of power consumption data and analysis of an extended key using power difference data. In the measurement of power consumption data, the power consumption data consumed by the cryptographic processor when given a plaintext is measured as a power consumption curve as shown in FIG. 12 using an oscilloscope or the like. Such measurement is repeated while changing the plaintext value, and the measurement is terminated when a sufficient number of measurement data is obtained. Let G be the set of power consumption curves obtained by this series of measurements.

Next, expansion key analysis using a power consumption curve will be described. An assumption is made that k _j = k ′ _j for the extended key k _j used inside the cryptographic process. Since m _j and w _j are known, based on this k ′ _j assumption, the set G can be classified into the following two types of sets shown as G ₀ (k ′ _j ) and G ₁ (k ′ _j ).

G ₀ (k ' _j ) = {G | z _j = w _j (m _j ○ k' _j ) e-th bit value = 0} (1)
G ₁ (k ' _j ) = {G | z _j = w _j (m _j ○ k' _j ) e-th bit value = 1} (2)
Then, a power difference curve DG (k ′ _j ) shown below is created.
DG (k ' _i ) = (average power consumption curve belonging to set G ₁ )
-(Average power consumption curve belonging to set G ₀ ) (3)

If this assumption is correct, that is, k ′ _j = k _j , a spike as shown in FIG. 13A appears. If this assumption is incorrect, that is, k ′ _j ¹ k _j , a flat curve with no spike appears as shown in FIG. 13B. Therefore, if the power difference curve as shown in FIG. 13A is obtained from the assumed k ′ _j , the expanded key k _j can be decrypted. If such decryption of k _j is performed for each j, the extended key K in FIG. 10 can be finally decrypted. By repeating this decryption for the expanded key 0, expanded key 1,..., Expanded key N, the secret key can be decrypted. In the case of AES, because of the nature of the algorithm, the first value of the expanded key is the secret key value as it is, so if the secret key is 128-bit, the expanded key is 0, and if the secret key is 192-bit or 256-bit, For example, if the extended key 0 and the extended key 1 are decrypted, the entire secret key can be decrypted.

Next, the reason why a spike appears in the power difference curve DG (k ′ _j ) when k ′ _j = k _j is described. When k ' _j = k _j , Eq. (4) is established for z _{j by} classifying G ₀ (k' _j ) and G ₁ (k ' _j ) according to _Eqs . (1) and (2). To do.

(Average hamming weight of z _j belonging to G ₁ )
-(Average hamming weight of z _j belonging to G ₀ ) = 1 (4)

On the other hand, in the case of k ′ _j ¹ k _j , equation (4) is not satisfied, and random classification is performed, so equation (5) is satisfied.

(Average hamming weight of z _j belonging to G ₁ )
-(Average hamming weight of z _j belonging to G ₀ ) = 0 (5)

However, the Hamming weight is the number of bit values = '1' when a certain value is expressed as a bit value. For example, the Hamming weight of the bit value (1101) ₂ is 3.

Therefore, if equation (4) holds, there will be a difference in the average hamming weight of load value z _j between G ₁ (k ' _j ) and G ₀ (k' _j ), but equation (5) holds. In this case, there is no difference in the average hamming weight of the load value z _j between G ₁ (k ′ _j ) and G ₀ (k ′ _j ).

  In general, power consumption is considered to be proportional to the Hamming weight of a data value, and experimental results showing that this is correct are shown in documents such as Non-Patent Document 5 below.

Therefore, when k ' _j = k _j , the difference in power consumption appears as a spike on the power difference curve when Equation (4) is satisfied, but in the case of Equation (5), a spike appears. Instead, it becomes a flat curve.

  Although the DPA for the simplest structure of FIG. 10 has been described above, it has been found that such a method can be established even if the linear transformation of FIG. 9 is inserted between them.

FIG. 14 is a generalized structure of FIG. 10, and is a processing structure in which two linear transformation processes L ₁ and L ₂ are inserted before and after the key XOR process. For example, FIG. 14 shows a structure equivalent to SC2000, where L ₁ is a function that outputs the input as it is, L ₂ is a bit transposition function, and w _j is an Sbox called the B function of SC2000. For the specifications of SC2000, see Non-Patent Document 6 below. Since L ₂ is a bit permutation function, the process of FIG. 14 can be converted to the same process as in FIG. 11 by considering a structure in which only the bits related to w _j input / output are taken out. Can be used to decrypt the extended key K.

In the above method, DPA is applied focusing on Sbox output during nonlinear processing, but in addition, the value immediately after XOR of input m _j and key k _j (output value of key XOR processing) or Sbox A method of applying DPA by paying attention to the value of the input value x _j is known (non-patent document 7 below).

  To summarize the above, the secret key K is estimated by DPA when the following conditions are satisfied. (These DPA attack conditions are also described in Patent Document 1 below.)

DPA-1. If the input M is known and controllable, the key K is unknown and fixed, and the conversion of Sbox w _j is known, measure the power consumption curve of part A (output of Sbox w _j ) in FIG. DPA is possible.

DPA-2. If the input M is known and controllable, and the key K is unknown and fixed, DPA is possible by measuring the power consumption curve of the part B in Fig. 15 (writing the output of the key XOR process).

DPA-3. When the input M is known and controllable, and the key K is unknown and fixed, by measuring the power consumption curve of the part C in FIG. 15 (loading the input value to index Sbox w _j ) DPA is possible.

といった乗算処理の消費電力を観察する。ただし、◎は乗算をあらわす記号であり、AES処理では、後に説明する合成体の計算（図２３）において、a,b,cがGF(2⁸)やGF(((2²)²)²)の元である場合の乗算処理が行われる。入力データであるaもしくはbに’0’が入力された場合、0との乗算、つまり0=0◎bもしくは0=a◎0の演算が行われる(以下、ゼロ乗算と呼ぶ)。ゼロ乗算の消費電力波形と、a,b共に非ゼロの場合の乗算（以下、非ゼロ乗算と呼ぶ）の電力波形と比較した場合、前者は非常に特殊な波形となることが知られている。つまり、乗算処理におけるゼロ乗算と非ゼロ乗算の区別は、SPAにより観察できる。この性質を利用することで、秘密鍵を解読することができる。この攻撃をゼロ乗算SPAと呼ぶ。ゼロ乗算SPAは、その性質上乗算処理を用いる暗号処理装置に対してのみ実施可能な攻撃法である。AESの場合、後に述べる合成体の計算（図２３）を用いたSubbyte処理を用いる暗号処理装置に対してのみこの攻撃法が可能であり、そうでない暗号処理装置に対してはこの攻撃は不可能である。 <Secret key decryption using SPA>
In the following, a secret key decryption method using SPA will be described. This attack

Observe the power consumption of the multiplication process. However, ◎ is a symbol representing multiplication. In AES processing, a, b, and c are GF (2 ⁸ ) and GF (((2 ² ) ² ) ^{2 in} the calculation of a composite field (FIG. 23) described later. ) Is multiplied. When '0' is input to the input data a or b, multiplication with 0, that is, 0 = 0 演算 b or 0 = a ◎ 0 is performed (hereinafter referred to as zero multiplication). It is known that the former is a very special waveform when compared to the power consumption waveform of zero multiplication and the power waveform of multiplication when both a and b are non-zero (hereinafter referred to as non-zero multiplication). . That is, the distinction between zero multiplication and non-zero multiplication in the multiplication process can be observed by SPA. By using this property, the secret key can be decrypted. This attack is called zero multiplication SPA. Zero multiplication SPA is an attack method that can be implemented only for cryptographic processing devices that use multiplication processing due to its nature. In the case of AES, this attack method is possible only for cryptographic processing devices that use Subbyte processing using the calculation of composite fields described later (FIG. 23), and this attack is not possible for cryptographic processing devices that are not. It is.

FIG. 16 shows a circuit configuration of cryptographic processing that can be attacked by zero multiplication SPA.
In FIG. 16, M is a value known to the attacker such as plaintext, and K is a value unknown to the attacker such as a key. After performing an XOR operation of X = M 乗 算 K, a multiplication process Z = X ◎ Y with data Y is performed. The value of Y is a value that is unknown to the attacker. The attacker observes this process with SPA, and observes the occurrence of zero multiplication in the calculation of X ◎ Y while changing the value of M. If zero multiplication is observed, X = 0. In other words, since M ○ K = 0, it can be seen that K = M, that is, Unknown K matches M, and K is successfully decoded. For this attack to succeed, the value of Y is any value other than 0.

Zero multiplication SPA is also possible for the circuit configuration of FIG.
In FIG. 17, M is a value known to the attacker such as plaintext, and K is a value unknown to the attacker such as a key. α is an arbitrary transformation function. If the attacker can calculate the inverse transformation α ^-1 (0) for zero (that is, z satisfying α (z) = 0), either linear or non-linear transformation is possible. But it ’s okay. After performing an XOR operation of V = M ○ K and an operation of X = α (V), a multiplication process Z = X ◎ Y with data Y is performed. The value of Y is a value that is unknown to the attacker. The attacker observes this process with SPA, and observes the occurrence of zero multiplication in the calculation of X ◎ Y while changing the value of M. If zero multiplication is observed, X = 0. That is, since α (MMK) = 0, it can be seen that M ○ K = z. In other words, because K = M ○ z is known, K can be successfully decoded.

<Conventional technology>
As a conventional DPA countermeasure method, there is a method of taking a countermeasure against cryptographic processing and randomizing power consumption. The following two conventional examples are known as countermeasures using this technique, and are shown as Conventional Example 1 and Conventional Example 2 below. A method for realizing reduction of the Subbyte circuit with respect to an AES circuit without DPA countermeasures is shown in the following conventional example 3. It should be noted that Conventional Examples 1 and 2 are safe against zero multiplication SPA because the Subbyte circuit is executed not by multiplication but by table operation, and therefore it becomes a PA countermeasure by taking a DPA countermeasure.

Conventional Example 1
As a representative method for randomizing power consumption, a method called a masking method is known (Non-patent Document 8 below, hereinafter referred to as “Conventional Example 1”). Assuming that the data calculated in the encryption process without DPA countermeasures is M, the DPA countermeasure described in the conventional example 1 is the data M ′, represented by M ′ = M ○ R, instead of calculating the data M. This is a method of performing cryptographic processing by calculating R. However, R is a random number, and is a value generated every time encryption processing is executed. By this method, the data for encryption processing is masked with a random value. Therefore, since the power is randomized by randomizing the data, it is possible to realize a safe process for the PA. In the following description, a value XORed with respect to data without PA countermeasures such as R is called a mask value.

FIG. 19 shows an AES circuit in which the DPA countermeasure according to Conventional Example 1 is applied to the AES circuit not taking the DPA countermeasure of FIG. In this circuit, instead of the data M _i are calculated in FIG. 18, calculates the two random data with R _i 'M _i satisfying = M _i ○ R _i' M _i against random number R _i To do. Since the data value calculated for each encryption process is random, a process that is safe against DPA can be realized. However, since the data must be calculated for both M _i ′ and R _i , the circuit scale increases. (Approximately twice that of FIG. 18). In FIG. 18, AES Subbyte processing is performed by table reference processing (0 £ x 255) using a static conversion table S [x] with fixed data. The conversion table S [x] used in the Subbyte process is called Sbox. On the other hand, the Sbox table data S ′ [x] used in FIG. 19 is S ′ [x] according to S ′ [x] = S [xRin] ○ Rout according to the random numbers Rin and Rout. Need to be dynamically updated for x = 0,1, ..., 255 respectively. Since this update process requires 256 cycles, the circuit of FIG. 19 has a disadvantage that the processing speed is low when compared with FIG.

Problems of Conventional Example 1 The circuit scale is larger than the circuit without DPA countermeasures.
Problem 2 The processing speed is slower than the circuit without DPA countermeasures.
Conventional example 2
A method for solving the problem 2 of the conventional example 1 is disclosed in the following Patent Document 1 (hereinafter referred to as “conventional example 2”). In the conventional example 1, the value to be masked is randomly generated, while in the conventional example 2, one of a plurality of pre-calculated fixed values is masked with a value selected by a random number. The selected mask value is expressed as R _i. In the conventional example 2, similarly to the conventional example 1, _i 'data M satisfy _i = M _i ○ R _i' to M, but to calculate the R _i, for R _i is pre-computed value, M _'i , R _i need not be calculated, only M ′ _i need be calculated. Since the random number is a pre-calculated value, unlike the conventional example 1, there is no need to dynamically update the Sbox table data, and it is only necessary to prepare a plurality of pre-calculated static data. High-speed processing can be realized. By using the DPA countermeasure method of Conventional Example 2, the AES encryption process without the DPA countermeasure shown in FIG. 18 is replaced with the encryption process as shown in FIG.

  FIG. 20 will be described. q-1 MUX represents a selector and selects one of q input data by random numbers. q-1 DEMUX represents a demultiplexer, and selects one of the input data from q output destinations by a random number.

The input data M ′ _{i is} subjected to XOR processing using the expanded key K _i , Subbyte processing using Sbox, ShiftRow, MixColumn processing, and data M ′ _{i + 1} is output. In a series of these processes, one of q fixed values is selected by a random number r (0 £ rq-1), and a mask process using this value is performed. For example, when q fixed values are expressed as c _h (h = 0,1, .., q−1), a fixed value selected by the random number _r is expressed as cr. When the input data in the process without DPA countermeasures is denoted as M _i, M _'i for a fixed value f _r selected by the random number r, M' satisfy _i = M _i ○ f _r. That is, since M _i ′ is XORed with f _r , the mask value of M _i is f _r .

For expanded key Ki, after being masked by a fixed value e _r selected by the random number r, is XOR against M _'i. Mask value M _i 'is f _r, the mask value of the extended key K _i is because e _r, since the mask values of the data input to the Sbox is represented by XOR between these mask values, f _r ○ e _r . Wherein any h = 0,1, ..., when expressed as c _h = f _h ○ e _h against q-1, the mask value of the data input to Sbox becomes c _r.

Next, non-linear conversion processing by the Sbox circuit is performed. This process is performed by selecting one of q Sboxes using a random number. The Sbox input data is masked by c _r, output data performs processing such as masked by d _r. In order to realize this process, if Sbox with mask is represented as S ' _h [x] and Sbox without countermeasure is represented as S [x], S' _h [x] = S [x ○ c _h ] ○ S ' _h [x] is designed so that the relation of d _h is satisfied (h = 0,1, ..., q-1). Since there is a q-1 DEMUX at the input of the Sbox circuit and a q-1 MUX circuit at the output, only one signal of the expanded key XOR operation is transmitted out of the q Sboxes. Since the power characteristics of q Sboxes are different from each other, by selecting one of these by a random number, power consumption is randomized, and PA-safe processing can be realized. Unlike the conventional example 1, since the Sbox table can use pre-calculated data, it can realize a higher speed process than the conventional example 1. However, the configuration of FIG. 20 requires a q-times Sbox circuit without countermeasures shown in FIG. Since the circuit of Sbox is generally very large in AES, the circuit scale of these q Sboxes has a drawback of increasing the circuit scale of AES as a whole. Therefore, the conventional example 2 has the following problems as in the conventional example 1.

Problems of Conventional Example 2 The circuit scale is larger than the circuit without DPA countermeasures.
Conventional example 3
As a method for reducing the circuit scale of the AES Sbox, a method using a composite field is known. This method is known as a method that can be applied to an AES circuit that does not use SPA and DPA countermeasures.

As a premise for explaining this method, a general configuration of an AES Sbox circuit will be described. FIG. 21 shows the configuration of an AES Sbox circuit described in “5.1.1 SubBytes () Transformation” of Non-Patent Document 4 below. The Sbox circuit is shown for encryption and decryption, respectively. Inverse function I (x) and Affine transformation A (x) for the remainder of polynomial x ⁸ + x ⁴ + x ³ + x + 1 of GF (2 ⁸ ) , And Affine inverse transformation A ⁻¹ (x) which is an inverse function of Affine transformation. However, GF () is a symbol representing a Galois Field. In particular, a Galois field represented as GF (2 ^β ) using an integer value β is called a binary field, and GF ((... ( The Galois field represented as (2 ^β1 ) ^β2 )…) ^βγ ) is called a composite field. A Galois field is a type of data representation format, and data represented in this data representation format is called an element. The element of the binary field is arbitrary data of β-bit, and the element of the composite field is arbitrary data of (β1 ×... × βγ) -bit. The element of GF (2 ^β ) is only β-bit data format, but the element of GF ((… ((2 ^β1 ) ^β2 )…) ^βγ ) is β1-bit, β1 × β2-bit, It corresponds to a data format of γ types of bit lengths such as (β1 ×... × βγ) -bit, and a data format with a smaller bit length allows arithmetic processing with a smaller circuit scale. For each element of the binary field and the composite field, multiplication 、, XOR operation ◯, and remainder operation mod (f (x)) using a polynomial f (x) are defined.

An inverse element is an 8-bit value y that satisfies I (x) = x ^-1 mod (x ⁸ + x ⁴ + x ³ + x + 1) for any 8-bit value x That is, x ◎ y = 1 mod (x ⁸ + x ⁴ + x ³ + x + 1) is satisfied. For the Affine transformation and the inverse element, see also “5.1.1 SubBytes () Transformation” in Non-Patent Document 4 below.

A (x) is used only for encryption, A ⁻¹ (x) is used only for decryption, and I (x) is a common circuit used for both encryption and decryption. A (x) and A ^-1 (x) are circuits that perform 8-bit input / output operations by simple logic operations, and are known to have a small circuit scale. In contrast, I (x) is a circuit that performs 8-bit input / output operations using a table, and is known for its large circuit scale. That is, since the circuit scale of I (x), which is a common circuit used for both encryption and decryption, is large in the configuration of FIG. 21, reduction of the circuit scale of I (x) becomes a problem. As a method for reducing the circuit scale of I (x), an inverse element calculation method using a composite field is proposed in Non-Patent Document 10 below. A general inverse element calculation circuit using a table is shown in FIG. 22, and an inverse element calculation circuit using a composite is shown in FIG.

As shown in FIG. 22, a general inverse element calculation circuit performs a process of converting 8-bit input data into 8-bit output data by using a table. Since it is an input / output, the circuit scale is very large. When converting m-bit input data to n-bit output data in a circuit that performs table operations, it is known that the circuit scale is proportional to m′n′2 ^m (FIG. 22). In order to reduce the size, it is an important issue to reduce both the input and output bit lengths m and n. This problem is solved by an inverse element arithmetic circuit using the composite shown in FIG. 23, which uses a table of m = 4 and n = 4. Comparing the size of the table with m = n = 8 shown in FIG. 22 and the table with m = n = 4 shown in FIG. 23, (4′4′2 ⁴ ) / (8′8′2 ⁸ ) = ( Since 2 ⁸ ) / (2 ¹⁴ ) = 1/64, that is, the table of FIG. 23 is 1/64 the size of the table of FIG. 22, the circuit scale can be reduced.

The processing content of FIG. 23 is demonstrated. FIG. 23 calculates the inverse element T ⁻¹ of the element T of GF (2 ⁸ ). In order to calculate this T ⁻¹ with a 4-bit input / output table, the element U of GF (((2 ² ) ² ) ² ) is used. However, the element U of the composite field GF (((2 ² ) ² ) ² ) is the polynomial GF ((2 ⁴ ) ² ) = x ² + x + (1100) ₂ , GF ((2 ² ) ² ) = x ² + The remainder of x + (10) ₂ , GF (2 ² ) = x ² + x + 1. Both T and U are 8-bit data, and T and U are calculated by U = δ (T) and U = δ ⁻¹ (T) by a conversion called δ conversion. The δ, δ ⁻¹ conversion is a matrix operation called an isomorphism function. For details, see Non-Patent Document 11 below. First, U is calculated from T by δ transformation, and then U ¹⁶ and U ¹⁷ are calculated. U ¹⁷ is calculated by multiplying = U ¹⁶ and U. As a result of this calculation, it is known that the most significant 4-bit of U ¹⁷ of the 8-bit value is “0000”. That is, U ¹⁷ is a value represented by 4 bits instead of 8 bits. Similarly, U- ¹⁷ , which is the inverse element of ^U17 , is a value represented by 4 bits. That is, the table circuit for calculating U ¹⁷ to U ^-17 can be reduced to 4-bit input / output compared to 8-bit input / output in the method of FIG. After calculating the U ^-17 This table, to calculate the U ^-1 by U ^-1 = U ^{-17'U 16.} Finally, T ⁻¹ is calculated by T ⁻¹ = δ ⁻¹ (U ⁻¹ ).

  In the circuit of FIG. 23, a 16th power circuit and a multiplication circuit are added instead of reducing the bit length of the table, but the circuit scale is very small compared to the 8-bit input / output table of FIG. Therefore, the inverse element calculation circuit shown in FIG. 23 can realize a circuit scale smaller than the inverse element calculation circuit of FIG. However, since Conventional Example 3 does not take PA countermeasures, there is a problem shown in Problem 3 below.

Problems of Conventional Example 3 Safe processing cannot be realized for SPA and DPA.
Note that the following types of multiplications ◎ using elements of GF (2 ⁸ ) and elements of GF (((2 ² ) ² ) ² ) are known. The laws shown in (law-1), (law-2), (law-3), and (law-4) hold for multiplication ◎ and XOR operation ○.

• Multiplication of GF (2 ⁸ ): Only one of the following types is defined.
-Only 8-bit '8-bit multiplication defined by c = a ◎ b is defined. a, b and c are all 8-bit values.
• Multiplication of GF (((2 ² ) ² ) ² ): The following three types are defined.
-8-bit´8-bit multiplication defined by c = a ◎ b. a, b and c are all 8-bit values.
-8-bit '4-bit multiplication defined by c = a ◎ b. a and c are 8-bit values and b is a 4-bit value.
-4-bit´4-bit multiplication defined by c = a ◎ b. a, b and c are all 4-bit values.

(law-1) a ◎ b = b ◎ a
However, a and b are 8-bit or 4-bit data and are elements of GF (2 ⁸ ) or GF (((2 ² ) ² ) ² ).
(law-2) a ◎ (b ○ c) = a ◎ b ○ a ◎ c
However, a, b, and c are 8-bit or 4-bit data, and are elements of GF (2 ⁸ ) or GF (((2 ² ) ² ) ² ).
(law-3) a ○ a = 0
However, a is 8-bit or 4-bit data, and is an element of GF (2 ⁸ ) or GF (((2 ² ) ² ) ² ).
(law-4) a ◎ b = a _H ◎ b || a _L ◎ b
However, a is 8-bit data, a _H is upper 4-bit of a, a _L is lower 4-bit of a, and b is 4-bit data. || is a symbol representing bit concatenation. For example, a bit value (1110) ₂ is expressed as (1110) ₂ = (11) ₂ || (10) ₂ . Further, a, a _H, the relationship of a _L is expressed as a = a _H || a _L. a, a _H , a _L , and b are elements of GF (((2 ² ) ² ) ² ).

(law-1) and (law-2) are an exchange rule a′b = b′a and a combination rule a ′ (b + c) = a′b + a′c that hold for multiplication ′ and addition + in integers. Which holds for both GF (2 ⁸ ) and GF (((2 ² ) ² ) ² ). (law-3) is clear from the definition of XOR operation 0 ○ 0 = 0, 1 ○ 1 = 0, and holds for both GF (2 ⁸ ) and GF (((2 ² ) ² ) ² ). (law-4) is a special law that holds only for GF (((2 ² ) ² ) ² ). The calculation result of 8-bit'4-bit multiplication in GF (((2 ² ) ² ) ² ) is the bit combination of the calculation results of two 4-bit'4-bit multiplications a _H ◎ b, a _L ◎ b. It means that it can be obtained.

For general Galois fields other than GF (2 ⁸ ), GF (((2 ² ) ² ) ² ), (law-1) (law-2) (law-3) is an arbitrary binary GF ( 2 ^β ) and any composite GF ((... (2 ^β1 )... ^Ββ )). (law-4) is established when the composite GF ((... (2 ^β1 )... ^ββ ) satisfies βγ = 2. In other words, when a is (β1 ×… × βγ-1 × 2) -bit and a _H , a _L , b are (β1 ×… × βγ-1) -bit, the result of a ◎ b is ( Follow law-4).

  Table 1 summarizes the comparison of the features of the conventional examples 1, 2, and 3 described above. Table 1 compares three points of PA safety, circuit scale, and processing speed. In terms of safety, “safe” is better. In terms of circuit scale, “small” is better. Regarding the processing speed, “high speed” is superior. From Table 1, it can be seen that Conventional Examples 1, 2, and 3 are not systems having excellent characteristics in all three points.

<Conventional issues and solutions>
Here, the means of the present invention that exhibits excellent effects for all three features shown in Table 1 are shown. In order to explain this means, a simple combination of Conventional Example 2 and Conventional Example 3 is shown, and the solution means according to the present invention is shown. First, one simple combination of Conventional Examples 2 and 3 is shown in FIG.

  FIG. 24 shows a circuit according to a combination of Conventional Example 2 and Conventional Example 3. The problem of Conventional Example 2 is that the circuit scale of q Sboxes shown in FIG. 20 is large. Therefore, FIG. 24 aims to reduce the Sbox circuit, which is a disadvantage of the conventional example 2, by replacing these Sbox circuits with the composite circuit shown in FIG. 23, and the table index of the inverse element calculation circuit of FIG. For processing, a table selection technique corresponding to random numbers shown in FIG. 20 is introduced.

Input data of FIG. 24 is a M ○ K ○ p _r. This is a value obtained by masking a value obtained by XORing the plaintext M and the extended key K with a fixed value p _r (0 £ r £ q-1) selected by a random number r.

A value obtained by performing δ conversion on this value is X = δ (MMK ○ p _r ) = δ (M ○ K) ○ δ (p _r ). That is, X is masked by the mask value Δ (p _r ). Since δ, δ ^-1 transformation is linear transformation, δ (a ○ b) = δ (a) ○ δ (b), δ ^-1 (a ○ b) = δ ⁻ for any a, b ¹ (a) ○ δ ⁻¹ (b) is a function that holds.

In Figure 24, to a multiplier for multiplying the X and X ^16, by using a zero multiplication SPA, it is possible to narrow the candidates of the key K 256 to q street. The value of q can theoretically be increased indefinitely, but if it is increased too much, the circuit scale increases, so a value of about q = 4 is practically used. That is, since the 256 key K values can be narrowed down to four, the circuit in FIG. 24 is vulnerable to zero multiplication SPA. The attack method will be described below.

First, the premise of the attack is explained. M is a value known to the attacker, K is an unknown value to the attacker, r is an unknown value to the attacker, and a set of q fixed values p ₀ , p ₁ ,…, p _q-1 is the attacker Assume a known value. Based on this assumption, a zero multiplication SPA method for the circuit of FIG. 24 will be described.

The target multiplier whose power consumption is observed by the zero multiplication SPA can be observed by the SPA when the zero multiplication by X = 0 occurs. Since this SPA means X = 0, the attacker knows that δ (M ○ K) ○ δ (p _r ) = 0, that is, δ (M ○ K) = δ (p _r ). By performing δ ⁻¹ conversion on both sides, M ^変換 K = _pr is obtained. Thus, it can be seen that the attacker is a K = M ○ p _r. That is, since the attacker knows that K = M Mp _r for any of r = 0, 1, .., q−1, the value of K can be narrowed down to q. Such a zero multiplication SPA is applied not only to the multiplier that performs the multiplication of X and X ¹⁶ in FIG. 24 but also to the multiplier that multiplies the output of X ¹⁶ and the 4-bit table I ′ _r [x]. Is possible.

From the above, the circuit shown in FIG. 24, despite performing randomization of data by the mask value p _r, is vulnerable to zero multiplication SPA. The reason for this selection values one by a random number from among the p _r is the q 8-bit fixed value and because it is (hereinafter, the fixed value mask, fixed mask value called a), as a result, 256 The value of street K can be narrowed down to q ways. Instead of a fixed mask value p _r, i.e. mask any 8-bit random number R value (hereinafter, random value mask, random mask value hereinafter) is used as a, as a zero multiplication even were observed by SPA attacks Cannot narrow down the candidates for K values. This is because the information that the attacker obtained by the zero multiplication observation, K = but instead of M ○ p _r is K = M ○ R, Unknown values in this case R is any 8-bit random number attacker Therefore, the number of K value candidates cannot be reduced from 256.

  As described above, in AES processing using composite field calculation, when data masked by a fixed value mask is input to a multiplier, data that is vulnerable to zero multiplication SPA and masked by a random value mask Is entered, it is concluded that it is safe for zero multiplication SPA. FIG. 25 shows the result of diagramizing such a condition for safety against the zero multiplication SPA regarding the multiplication processing.

In FIG. 25, X and Y are unmasked data and are data calculated in the AES process without DPA and SPA countermeasures. p _r and q _s represent fixed value masks selected by the random numbers r and s. R and S represent random value masks. Randomized value masking (Random value masking) (Random value mask processing such as R and S) for data X and Y calculated in processing without DPA and SPA countermeasures such as X ○ R and Y ○ S value masking), and the XORed data XR and YS as a result are called random value masked data. Similarly, XOR of fixed value masks such as p _r and q _s for data X and Y calculated in processing without DPA and SPA countermeasures, such as X ○ p _r and Y ○ q _s Is called fixed value masking, and the resulting XORed data _XXpr and Y ○ q _s are called fixed value masked data.

As shown in FIG. 25, the safe multiplication process for the zero multiplication SPA is a process of inputting random value masked data for both the two inputs a and b of the multiplication process represented by c = aab. If a value that is not random value masked data is input to one or both of the two inputs a and b for multiplication, it becomes vulnerable to zero multiplication SPA. For example, both a and b are fixed value masked data such as c = (X ○ p _r ) ◎ (Y ○ q _s ), and only b is disturbed such as c = (X ○ p _r ) ◎ (Y ○ S). In the case of numerical value masked data, random number masked data of only a such as c = (XR) ◎ Y, each case is vulnerable to zero multiplication SPA. As described above, the condition for realizing the safe processing for the zero multiplication SPA is expressed by the following (ZSPA-sec).

(ZSPA-sec) The multiplication process that is safe against the zero multiplication SPA is an operation in which randomized value masked data is input to both the two inputs a and b of the multiplication process represented by c = aab.

  The following literature group is a well-known example cited in this specification.

JP 2002-366029 A

Thomas S. Messerges, Ezzy A. Dabbish and Robert H. Sloan “Power Analysis Attacks of Modular Exponentitiation in Smartcards”, Cryptographic Hardware and Embedded Systems (CHES’99), Springer-Verlag, pp.144-157 Paul Kocher, Joshua Jaffe, and Benjamin Jun, “Differential Power Analysis,” in proceedings of Advances in Cryptology-CRYPTO’99, Springer-Verlag, 1999, pp. 388-397 S. Chari, C. Jutla, J.R.Rao, P. Rohatgi, “An Cautionary Note Regarding Evaluation of AES Candidates on Smart-Cards,” Second Advanced Encryption Standard Candidate Conference, March 1999 NIST (National Institute of Standards and Technology), Standard FIPS197 (Federal Information Processing Standards Publication) http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf T. S. Messerge, Ezzy A. Dabbish and Robert H. Sloan, “Investigations of Power Attacks on Smartcards”. Proceedings of USENIX Workshop on Smartcard Technology, Mar 1999. Takeshi Shimoyama, Hitoshi Yanami, Kazuhiro Yokoyama, Masahiko Takenaka, Kouichi Itoh, Jun Yajima, Naoya Torii, Hidema Tanaka "The Block Cipher SC2000", Fast Software Encryption (FSE 2001), pp.312-327, LNCS vol.2355 M.Akkar, RBevan, P.Dischamp, and D. Moyart, "Power Analysis, What Is Now Possible ...", Asiacrypt 2000) Thomas S. Messerges, “Securing the AES Finalists Against Power Analysis Attacks,” in proceedings of Fast Software Encryption Workshop 2000, Springer-Verlag, April 2000. Akashi Satoh, Sumio Morioka, Kohji Takano and Seiji Munetoh: "A Compact Rijndael Hardware Architecture with S-Box Optimization", ASIACRYPT2001, LNCS Vol.2248, pp.239-254, Dec 2001. Akashi Satoh, Sumio Morioka, Kohji Takano and Seiji Munetoh: "A Compact Rijndael Hardware Architecture with S-Box Optimization", ASIACRYPT2001, LNCS Vol.2248, pp.239-254, Dec 2001. "A Compact Rijndael Hardware Architecture with S-Box Optimization"

  As described above, when the conventional examples are simply combined, it is impossible to realize an AES encryption apparatus with SPA and DPA countermeasures that solves all of the problems 1, 2, and 3 described above. Therefore, it is an object of the present invention to solve all these problems.

  The first aspect of the present invention is premised on a common key block encryption device that performs non-linear conversion by multiplication processing in a binary or composite field.

  First, there is an arithmetic unit that performs arithmetic processing other than non-linear conversion using fixed value masked input data obtained by exclusive OR operation (hereinafter referred to as “XOR”) of a fixed value mask (hereinafter referred to as “fixed value mask”). .

  Next, in multiplication processing in nonlinear conversion, all input data is XORed with fixed value masks to convert to fixed value masked input data, and then a random value mask (hereinafter referred to as “random number mask”) is XORed. XOR operation circuit for converting to random value masked input data, a multiplier for executing multiplication processing based on the random value masked input data output from the XOR operation circuit, and a random value mask output from the multiplier A random value mask-fixed value mask conversion circuit that reconverts the output data into fixed value masked output data and outputs the result.

  Based on the first aspect of the present invention, the second aspect of the present invention has the following configuration.

That is, the multiplication process according to the first aspect of the present invention is such that the input data of the multiplication process in the non-linear transformation is X, Y, the random value mask is R, S, the fixed value mask is _fr , the circle is an XOR operation circuit, and Let R ', S' be a random value mask obtained by XORing a random number to a fixed value mask such as R '= R ○ p _r , S' = S ○ q _r
J1 = (X ○ R ') ◎ (Y ○ S')
J2 = S '◎ (X ○ R')
J3 = R '◎ (Y ○ S')
J4 = R '◎ S'
J0 = J1 ○ J2 ○ J3 ○ J4 ○ f r
The calculates constituted by the arithmetic circuit or equivalent computing circuit for computing an output _{J0 = X ◎ Y ○ f r} .

  Based on the first aspect of the present invention, the third aspect of the present invention has the following configuration.

That is, the multiplication process according to the first aspect of the present invention is such that the input data of the multiplication process in the non-linear transformation is X, Y, the random value mask is R, the fixed value mask is _fr , the circle is an XOR operation circuit, and the circle is a multiplier. and then, 'the random number mask XOR random number to a fixed value mask as = _R ○ p _r R' R a,
J1 = (X ○ R ') ◎ (Y ○ R')
J2 = R '◎ ((X ○ R') ○ (Y ○ R ') ○ R')
J0 = J1 ○ J2 ○ f _r
The calculates constituted by the arithmetic circuit or equivalent computing circuit for computing an output _{J0 = X ◎ Y ○ f r} .

  Based on the first aspect of the present invention, the fourth aspect of the present invention has the following configuration.

That is, the multiplication process in the first aspect of the present invention is an operation in the composite GF ((... (2 ^β1 )... ^Βγ ) satisfying βγ = 2, and the multiplication process is an input of the multiplication process in the nonlinear transformation. Data is X, Y, random value mask is R, S, fixed value mask is f _r , ○ is an XOR operation circuit, ◎ is a multiplier, and R '= R ○ p _r , S' = S ○ q _r A random value mask obtained by XORing random numbers into a fixed value mask is R ′, S ′, and R ′ _H and R ′ _L are bit values when R ′ is divided into upper and lower half, J2 || ( 0000) ₂ is an operation that joins a zero bit string of the same number of bits to the lower side of J2,
J1 = (X ○ R ') ◎ (Y ○ _R'L )
J2 = (Y ○ R ' _H ) ◎ R' _H ○ R ' _H ²
J3 = ((X ○ R ') ○ (Y ○ R' _L ) ○ R ' _L ) ◎ R' _L
J0 = J1 ○ (J2 || (0000) ₂ ) ○ J3 ○ _fr
The calculates constituted by the arithmetic circuit or equivalent computing circuit for computing an output _{J0 = X ◎ Y ○ f r} .

  Based on the first aspect of the present invention, the fifth aspect of the present invention has the following configuration.

That is, the multiplication process in the first aspect of the present invention is an operation in the composite GF ((... (2 ^β1 )... ^Βγ ) satisfying βγ = 2, and the multiplication process is an input of the multiplication process in the nonlinear transformation. Data is X, Y, random value mask is R, S, fixed value mask is f _r , ○ is an XOR operation circuit, ◎ is a multiplier, and R '= R ○ p _r , S' = S ○ q _r R ', S' is a random value mask obtained by XORing random numbers into a fixed value mask, and R ' _H and R' _L are bit values when R 'is divided into upper and lower half respectively, and X' _H and X ' _L is a bit value when X' is divided into half of upper and lower half respectively.
J1 = (X _H ○ R ' _L ) ◎ (Y ○ R' _L )
J2 = ((X _H ○ R ' _L ) ○ (Y ○ R' _L ) ○ R ' _L ) ◎ R' _L
J3 = (X _L ○ R ' _L ) ◎ (Y ○ R' _L )
J4 = ((X _L ○ R ' _L ) ○ (Y ○ R' _L ) ○ R ' _L ) ◎ R' _L
J0 = ((J1 ○ J2) || (J3 ○ J4)) ○ f r
The calculates constituted by the arithmetic circuit or equivalent computing circuit for computing an output _{J0 = X ◎ Y ○ f r} .

Using the arithmetic circuit for multiplication processing according to the second or third aspect of the present invention described above, it is possible to perform a multiplication of U ¹⁶ ◎ U in a binary field or a composite field.

Further, it is configured to perform the multiplication of U ^-17 ◎ U ¹⁶ in a binary field or a composite field by using the arithmetic circuit of the multiplication process according to the second, fourth, or fifth aspect of the present invention described above. Can do.

A sixth aspect of the invention, a fixed mask value selected by 4-bit c _r, 8-bit g _r, 4 bits of d _r, and 8 bits of f _r each random number r, the 8-bit R as random number mask R ', the output data U ^-1 ○ f _r of 8 bits from the input data U ○ g _r of 8 bits, satisfying the [beta] [gamma] = 2 composite ^{GF ((... (2 β1)} ...) βγ Assuming the common key block encryption device operated in (1), it has the following configuration.

First, a 4-bit value U ¹⁷ ○ c _r is calculated from input data U ○ g _r by U ¹⁶ ◎ U calculation executed by XORing a random value mask, and 8-bit U ¹⁶ ○ R ′ and R ′, respectively. A maskedU ¹⁶ ◎ U calculation circuit is provided.

Then, with its maskedU ¹⁶ ◎ U calculates the 4-bit U ^-17 ○ d _r from U ¹⁷ ○ c _r outputted from the calculation circuit, 4-bit to 4-bit conversion table circuit selected by a random number r.

Then, 4-bit-to-4 U ^-17 ○ d _r outputted from the bit conversion table circuit and maskedU ¹⁶ ◎ output from U calculation circuit U ¹⁶ ○ R 'and R' were respectively input, output data U ^-1 ○ It has a maskedU ^-17 ◎ U ¹⁶ calculation circuit for calculating f _r .

  Based on the sixth aspect of the present invention, the seventh aspect of the present invention has the following configuration.

That is, the maskedU ¹⁶ ◎ U calculation circuit inputs a fixed value mask g _r , input data U ○ g _r , and a random value mask R, and U ○ R = (U ○ g _r ) ○ R ○ g _r , An arithmetic circuit group for calculating three data of U ¹⁶ ○ R ¹⁶ = (U ○ R) ¹⁶ and R ¹⁶ ,
J1 = (U ○ R) ◎ (U ¹⁶ ○ R ¹⁶ )
J2 = R ¹⁶ ◎ (U ○ R)
J3 = R ◎ (U ¹⁶ ○ R ¹⁶ )
J4 = R ◎ R ¹⁶
J0 = J1 ○ J2 ○ J3 ○ J4 ○ _cr
And an arithmetic circuit group that executes an operation equivalent to this, J0 is input as U ¹⁷ ○ _cr to the 4-bit to 4-bit conversion table circuit, and U ¹⁶ ○ R ¹⁶ and R ¹⁶ are input to U ¹⁶ ○ R 'and R' are input to maskedU ^-17 ◎ U ¹⁶ calculation circuit.

  Based on the sixth aspect of the present invention, the eighth aspect of the present invention has the following configuration.

That is, the maskedU ¹⁶ ◎ U calculation circuit inputs a fixed value mask g _r , input data U ○ g _r , and a random value mask R, and inputs U ○ R = (U ○ g _r ) ○ R ○ g _r and U ¹⁶ ○ and ^{R = (U ○ R) 16} ○ R ○ arithmetic circuits for calculating the two data R ^16,
J1 = (U ○ R) ◎ (U ¹⁶ ○ R)
J2 = R ◎ ((U ○ R) ○ (U ¹⁶ ○ R) ○ R)
J0 = J1 ○ J2 ○ _cr
And an arithmetic circuit group that executes an operation equivalent to this, J0 is input as U ¹⁷ ○ c _r to the 4-bit to 4-bit conversion table circuit, and U ¹⁶ ○ R and R are U ¹⁶ ○ R 'And R' are input to maskedU ^-17 ◎ U ¹⁶ calculation circuit.

  Based on the sixth aspect of the present invention, the ninth aspect of the present invention has the following configuration.

That, maskedU ^-17 ◎ U ¹⁶ the computing circuitry, U ^-17 ○ d _r outputted from the 4-bit to 4-bit conversion table circuit, a fixed mask value d _r and f _r, output from maskedU ¹⁶ ◎ U calculation circuit Input U ¹⁶ ○ R ', R' and the internally generated random number S, U ^-17 ○ S ○ d _r = (U ^-17 ○ d _r ) ○ S, and S ○ d _r A group of arithmetic circuits for calculating data;
J1 = (U ^-17 ○ S ○ d _r ) ◎ (U ¹⁶ ○ R ')
J2 = R '◎ (U ^-17 ○ S ○ d _r )
J3 = (S ○ d _r ) ◎ (U ¹⁶ ○ R ')
J4 = (S ○ d _r ) ◎ R '
J0 = J1 ○ J2 ○ J3 ○ J4 ○ f r
It is composed of a calculation or its arithmetic circuits to perform equivalent operations, and outputs the J0 as U ^-1 ○ f _r.

  Based on the sixth aspect of the present invention, the tenth aspect of the present invention has the following configuration.

That, maskedU ^-17 ◎ U ¹⁶ the computing circuitry, U ^-17 ○ d _r outputted from the 4-bit to 4-bit conversion table circuit, a fixed mask value d _r and f _r, output from maskedU ¹⁶ ◎ U calculation circuit U ¹⁶ ○ R ′ _H which is the upper 4 bits of R ′, R ′ and R ′, and R ′ _L which is the lower 4 bits of R ′ are input, and U ¹⁶ ○ (d _r || d _r ) ○ Arithmetic circuit group for calculating five data of R ', U ^-17 ○ _dr ○ R' _L , _dr ○ R ', U ^-17 ○ _dr ○ R' _H , _dr ○ R ' _H ,
J1 = (U ¹⁶ ○ (d _r || d _r ) ○ R ') ◎ (U ^-17 ○ d _r ○ R' _H )
J2 = (U ^-17 ○ d _r ○ R ' _H ) ◎ (d _r ○ R' _H ) ○ (d _r ○ R ' _H ) ²
J3 = ((U ¹⁶ ○ (d _r || d _r ) ○ R ') ○ (U ^-17 ○ d _r ○ R' _L ) ○ (d _r ○ R ' _L )) ◎ (d _r ○ R' _L )
J0 = J1 ○ (J2 || (0000) ₂ ) ○ J3 ○ _fr
It is composed of a calculation or its arithmetic circuits to perform equivalent operations, and outputs the J0 as U ^-1 ○ f _r.

  Based on the sixth aspect of the present invention, the eleventh aspect of the present invention has the following configuration.

That, maskedU ^-17 ◎ U ¹⁶ the computing circuitry, U ^-17 ○ d _r outputted from the 4-bit to 4-bit conversion table circuit, a fixed mask value d _r and f _r, output from maskedU ¹⁶ ◎ U calculation circuit U ¹⁶ ○ R ′ _H , which is the upper 4 bits of R ′, R ′, and R ′, and R ′ _L, which is the lower 4 bits of R ′ _, are input, and U ¹⁶ _H and U ¹⁶ _L are each 8 as the upper 4 bits and lower 4 bits of the bit value _{^{U 16, U 16 H ○ R}} 'L = (U 16 ○ R' upper 4 bits _{of) ○ R 'L ○ R'} H, U -17 ○ R 'L = (U ^-17 ○ d _r ) ○ R ' _L ○ d _r , U ¹⁶ _L ○ R' _L = (lower 4 bits of U ¹⁶ ○ R ')
J1 = (U ¹⁶ _H ○ R ' _L ) ◎ (U ^-17 ○ R' _L )
J2 = ((U ¹⁶ _H ○ R ' _L ) ○ (U ^-17 ○ R' _L ) ○ R ' _L ) ◎ R' _L
J3 = (U ¹⁶ _L ○ R ' _L ) ◎ (U ^-17 ○ R' _L )
J4 = ((U ¹⁶ _L ○ R ' _L ) ○ (U ^-17 ○ R' _L ) ○ R ' _L ) ◎ R' _L
J0 = ((J1 ○ J2) || (J3 ○ J4)) ○ f r
It is composed of a calculation or its arithmetic circuits to perform equivalent operations, and outputs the J0 as U ^-1 ○ f _r.

In any one of the first, second, third, sixth, seventh, and eighth aspects of the present invention described above, the multiplication process in the nonlinear conversion is performed in a binary field represented by GF (2 ⁸ ). It can be configured to be executed. At this time, the binary field GF (2 ⁸ ) is represented by, for example, a remainder of a polynomial x ⁸ + x ⁴ + x ³ + x + 1.

In any one of the first to eleventh aspects, the multiplication process in the nonlinear conversion is configured to be executed in the composite represented by GF (((2 ² ) ² ) ² ). Can do. At this time, the composite field GF (((2 ² ) ² ) ² ) is, for example, a polynomial GF ((2 ⁴ ) ² ) = x ² + x + (1100) ₂ , GF ((2 ² ) ² ) = x ² + It is represented by the remainder of x + (10) ₂ and GF (2 ² ) = x ² + x + 1.

  The present invention can also be implemented as an embedded device incorporating the encryption device according to any one of the first to eleventh aspects described above.

  The present invention is an implementation technique for implementing PA countermeasures for a cryptographic processor that performs common key cryptography. By using this technology, it becomes difficult to decrypt private keys for cryptographic processing including AES, which is a typical common key algorithm, and the security of embedded devices such as smart cards can be improved.

It is a figure showing the general structure of a common key encryption process. This is a configuration of a generally known AES encryption algorithm. This is RoundKey processing in AES that is generally known. Subbyte processing in AES that is generally known. It is a generally known MixColumn process in AES. It is a commonly known ShiftRow process in AES. This is extended key XOR processing in general common key cryptography without DPA countermeasures. This is a linear conversion process in a common symmetric key encryption without DPA countermeasures. This is a non-linear transformation process in general common key cryptography without DPA countermeasures. This process is a combination of FIG. 7 and FIG. It is the figure which took out the bit relevant to the input / output of wj about the process of FIG. It is an example of the power consumption of a smart card. In this example, a power difference curve is created and spikes appear. This is an example in which a power difference curve was created and spikes did not appear. This is a combination of FIG. 7, FIG. 8, and FIG. This is a condition related to the power consumption measurement location for decrypting the secret key by DPA. It is a figure showing the 1st structure of the encryption circuit which can be attacked by zero multiplication SPA. It is a figure showing the 2nd structure of the encryption circuit which can be attacked by zero multiplication SPA. It is a figure showing the AES circuit without a general DPA countermeasure. This is a circuit in which the DPA countermeasure of Conventional Example 1 is applied to the AES circuit without DPA countermeasure of FIG. This is a circuit in which the DPA countermeasure of Conventional Example 2 is applied to the AES circuit without the DPA countermeasure of FIG. It is a figure showing the structure of a general AES Sbox circuit. It is a figure showing the general inverse element calculation circuit using a table. This is an inverse element calculation circuit using a composite field described in Conventional Example 3. This is an inverse element calculation circuit based on a simple combination of Conventional Example 2 and Conventional Example 3. FIG. 5 is a diagram showing the focus of points for deriving a basic idea of the present invention, which is a condition of input data to a multiplier for realizing safe processing for zero multiplication SPA. It is a figure showing the multiplication circuit by the basic idea of this invention. 1 is a first configuration diagram of a multiplication circuit according to the present invention. (Basic principle-1) It is a 2nd block diagram of the multiplication circuit by this invention. (Basic principle-2) It is a 3rd block diagram of the multiplication circuit by this invention. (Basic principle-3) FIG. 6 is a fourth block diagram of a multiplication circuit according to the present invention. (Basic principle-4) It is a figure showing the framework of the inverse element calculation process using the technique of this invention. This is the first embodiment when the basic principle-1 is used for the masked U ¹⁶ × U calculation. This is a second embodiment in which basic principle-2 is used for masked U ¹⁶ × U calculation. This is a third embodiment in which the basic principle-1 is used for masked U ^-17 × U ¹⁶ calculation. This is a fourth embodiment in which the basic principle-3 is used for masked U ^-17 × U ¹⁶ calculation. FIG. 36 shows a fifth embodiment when the basic principle-4 is used for the masked U ^-17 × U ¹⁶ calculation.

  The best mode for carrying out the present invention will be described below in detail with reference to the drawings.

Basic Principle of the Present Invention The present invention realizes an AES encryption processing apparatus that solves all of the problems 1, 2, and 3 pointed out in “Background Art”. Therefore, processing that satisfies the following (Condition-1), (Condition-2), (Condition-3), and (Condition-4) is performed.

(Condition-1) Processing other than AES Subbyte processing is performed according to Conventional Example 2.
(Condition-2) In AES Subbyte processing, inverse element calculation by composite field is executed in a safe manner for SPA and DPA.
(Condition-3) The table processing in the composite field computation of (Condition-2) is performed according to Conventional Example 2.
(Condition-4) Random value masked data is always input for multiplication in composite field operation of (Condition-2).

  By introducing (Condition-1), Problem 1, Problem 2, and Problem 3 are solved at the same time, except for AES Subbyte processing. This is because the problem 1 which was the only problem in the conventional example 2 is a problem related only to the Subbyte circuit. Therefore, if the conventional example 2 is not used for the Subbyte processing, all these problems are solved. After that, if problems 1, 2, and 3 can be solved with respect to the AES subbyte processing, all the problems can be solved as a whole AES processing.

  By introducing (Condition-2), Problem 1 is solved for Subbyte processing of AES. By substituting the inverse operation with a large circuit scale in the Subbyte process with the process using the composite of Conventional Example 3 as shown in FIG. However, when the calculation of the composite of Conventional Example 3 is used as it is, it is not safe for SPA and DPA, so Problem 3 is unsolved. Moreover, it is necessary to clear the problem 2 also when taking measures against SPA and DPA.

  (Condition-3) is a table operation according to Conventional Example 2 for the table operation among the inverse element operations using the composite shown in FIG. That is, a method is used in which q pre-calculation tables are prepared and one of them is selected by a random number. Since q pre-computation tables are required, the problem shown in Task 1 may occur. However, since it is not an inverse operation using an 8-bit input / output table but a 4-bit input / output table operation using a composite field, Since the circuit scale of each table can be reduced to 1/64 of the 8-bit input / output table, the problem of problem 1 does not occur. Therefore, all the problems 1, 2 and 3 can be solved for the table calculation in FIG. If this table calculation process is executed by the method of Conventional Example 1, it is necessary to update the table according to the random number. Updating a 4-bit table requires 16 cycles. Since table operations are generally executed in one cycle, this table update penalty greatly reduces the processing speed, and the problem shown in Problem 2 occurs.

  (Condition-4) is a SPA / DPA countermeasure policy regarding multiplication of inverse operations using the composite shown in FIG. As described in the above (ZSPA-sec), the data input to the multiplication process is all random-value masked data, thereby serving as a zero multiplication SPA countermeasure. By using random value masked data, DPA countermeasures for multiplication can be executed simultaneously. Therefore, Problem 3 is solved. In addition, this multiplication process can be executed in one cycle, and a penalty related to the processing speed, such as a process of updating a table according to a random number, does not occur.

  The present invention executes an AES process that satisfies all of the above (condition-1) to (condition-4). The basic policy for satisfying all of these conditions is to perform mask processing using a random value mask only for multiplication processing in the inverse operation of a composite field, and use a fixed value mask for other processing. The mask process is executed. The basic idea for realizing this is described below.

<Basic ideas for solving problems>
FIG. 26 shows a basic idea of the present invention in which only multiplication processing is performed using random value masked data, and other processing is performed using fixed value masked data.

In the case of the conventional example, as shown in the upper part of FIG. 26, one or both inputs of the multiplier are fixed value masked data. On the other hand, in the present invention, as shown in the lower part of FIG. 26, the fixed value masked data is converted to random value masked data by XORing the random value mask with respect to the fixed value masked data. That is, masked data X ○ p _r with a fixed mask value p _r is a fixed value masked data, the further random number R for this data and XOR result X ○ _R ○ p _r. If R is a random value that can take an arbitrary 8-bit value, R ′ represented by R ′ = R ○ p _r is also a random value that can take an arbitrary 8-bit value. ○ p _r = X ○ R 'is the random value masked data.

By XOR similarly random S even for masked data Y ○ q _r by the fixed mask value _{q r, Y ○ S ○ q} r = Y ○ S ' is a random number value masked data. Since these random number value masked data are multiplied by (X ○ R ′) ◎ (Y ○ S ′), that is, the two inputs of the multiplier are both random value masked data, the method of the present invention Realizes safe processing for SPA and DPA. However, the data output as a result of this multiplication is also random value masked data. As shown in (Condition-1), in the present invention, it is necessary to perform processing according to Conventional Example 2, that is, processing based on fixed value mask value data, except for Subbyte processing. Therefore, it is necessary to convert the random value masked data output as a result of multiplying the random value masked data into fixed value masked data. This processing is executed by the random value mask-fixed value mask conversion processing circuit of FIG.

FIG. 26 is an abstract representation of the idea of multiplication processing in the present invention, and various specific calculation methods can be considered. In the inverse element processing using the composite field, two types of U ¹⁷ = U ¹⁶ ◎ U and U ⁻¹ = U ^-17 ◎ U ¹⁶ are executed, and the multiplication processing of the present invention is performed in these two types. The method of giving R and S and the calculation method of the random value mask-fixed value mask conversion process differ depending on which one is executed. The multiplication method of the present invention applicable to both of these two types or any one of the multiplication processes, (Basic Principle-1), (Basic Principle-2), (Basic Principle-3), (Basic Principle-4) ). Types of multiplication to which the techniques of (Basic Principle-1), (Basic Principle-2), (Basic Principle-3), and (Basic Principle-4) can be applied (U ¹⁷ = U ¹⁶ ◎ U and U ^-1 = U ^-17 ◎ U ¹⁶ ) correspondence table is shown in Table 2.

In the following explanations of (Basic Principle-1) to (Basic Principle-4), X and Y are the data calculated by normal AES processing without PA countermeasures, R and S are random value masks, and fixed value masks are Write f _r . _{R '= R ○ p r,} S' = as in S ○ q _r, the random number mask XOR random number to the fixed mask value R ', S' is indicated as.

[Basic Principle-1]
This is a method applicable to the multiplication of both U ¹⁷ = U ¹⁶ ◎ U and U ⁻¹ = U ^-17 ◎ U ¹⁶ . (Fig. 27)
J1 = (X ○ R ') ◎ (Y ○ S')
J2 = S '◎ (X ○ R')
J3 = R '◎ (Y ○ S')
J4 = R '◎ S'
However, U ¹⁷ = U ¹⁶ ◎ If U, X, Y, R ', S' is 8-bit, U ^-1 = U ^-17 ◎ If U ^16, X, R 'is 8-bit, Y, S' is 4 -bit.

J1, J2, calculates the J3, J4, obtain J0 = X ◎ Y ○ f _r by J0 = J1 ○ J2 ○ J3 ○ J4 ○ f r. A circuit for calculating the X ◎ Y ○ f _r by basic principle -1, MaskedMul_1 as a symbol (X ○ R ', Y ○ S', R ', S', f r) is represented by. Also, considering (law-1) to (law-3),
J1 = X ◎ Y ○ X ◎ S '○ Y ◎ R' ○ R '◎ S'
J2 = S '◎ X ○ S' ◎ R '
J3 = R '◎ Y ○ R' ◎ S '
J4 = R '◎ S'
Since it is, it can confirm the J0 = J1 ○ J2 ○ J3 ○ J4 ○ f r = X ◎ Y ○ f r.

Since all the input data to the multiplication processing of J1 to J4 is random value masked data, it is possible to realize safe processing for SPA and DPA. The number of multiplications required for this processing is as follows.

-U ¹⁷ = U ¹⁶ ◎ In case of U: 8-bit´8-bit multiplication 4 times,
-U ^-1 = U ^-17 ◎ For U ¹⁶ : 4 times 8-bit´4-bit multiplication (or 8 times 4-bit´4-bit multiplication).

Since the basic principle-1 is based on (law-1) to (law-3), it can be applied to operations of arbitrary binary fields and composite fields.

[Basic Principle-2]
When PA countermeasures based on Basic Principle-1 are used, one multiplication without PA countermeasures is replaced with four multiplications. This increase in the number of multiplications is an overhead associated with PA countermeasures. Therefore, reducing the number of multiplications after the replacement reduces the overhead associated with PA countermeasures. In order to reduce this overhead, S 'in the basic principle-1 is specialized by S' = R '(basic principle-2). By performing this specialization, the arithmetic processing is simplified, so that one multiplication without PA countermeasure is replaced with two multiplications.

However, specialization by S ′ = R ′ is possible only when the data bit lengths of S ′ and R ′ are equal. Therefore, only when the bit lengths of two input data of multiplication without PA countermeasure are equal (basic principle-2) can be applied. In other words, U ¹⁷ = U ¹⁶ ◎ This is a method applicable only to 8-bit′8-bit multiplication shown in U (FIG. 28), U ⁻¹ = U ^-17 ◎ 8 shown in U ¹⁶ Not applicable to bit´4-bit multiplication.

J1 = (X ○ R ') ◎ (Y ○ R')
J2 = R '◎ ((X ○ R') ○ (Y ○ R ') ○ R')
However, X, Y, and R ′ are 8-bit. J1, J2 is calculated, and obtain J0 = X ◎ Y ○ f _r by _{J0 = J1 ○ J2 ○ f r} . A circuit for calculating the X ◎ Y ○ f _r by basic principle -2, MaskedMul_2 as a symbol (X ○ R ', Y ○ R', R ', f r) is represented by. Also considering (law-1) to (law-3)
J1 = X ◎ Y ○ X ◎ R '○ Y ◎ R' ○ R ' ²
J2 = X ◎ R '○ Y' ◎ R '○ R' ²
Since it is, it can confirm the _{J0 = J1 ○ J2 ○ f r} = X ◎ Y ○ f r.

Since all input data to the multiplication processing of J1 and J2 is random value masked data, safe processing can be realized for SPA and DPA. The number of multiplications required for this processing is as follows.
-U ¹⁷ = U ¹⁶ ◎ U: 8-bit '8-bit multiplication twice basic principle-2 is based on (law-1) to (law-3), so it can be combined with any binary field Applicable to field operations.

[Basic principle-3]
By using the basic principle-2, the overhead of the number of multiplications associated with the PA countermeasure can be reduced from the present invention 1, but the technology can be applied to U ¹⁷ = U ¹⁶ ◎ 8- bit'8-bit multiplication is only, not applicable to 8-bit'4-bit multiplication shown in ^{U -1 = U -17 ◎ U 16} . In order to improve this problem, U ^-1 = U ^-17 ◎ Applicable to 8-bit'4-bit multiplication shown in U ¹⁶ and a method of reducing the number of multiplication overhead from the basic principle-1. This is the basic principle-3 shown below.

The basic idea of the basic principle-2 was to simplify the calculation by sharing the random number mask R ′ of X and the random number mask S ′ of Y by S ′ = R ′. This idea is possible only when the bit lengths of X and Y are equal, but when the bit lengths are different, it is impossible to set S ′ = R ′. Therefore, when the bit lengths are different, it is impossible to make the two random value masks the same, but it is possible to make them partially match. In other words, when R 'is 8-bit and S' is 4-bit, R 'is higher 4-bit value R' _H and lower 4-bit, as R '= R' _H || R ' _L When the values are divided into the values R ′ _L , the random value masks can be partially matched by setting S ′ = R ′ _L. By using this concept, the overhead of the number of multiplications is reduced from the basic principle-1, and the following method can be applied to 8-bit'4-bit multiplication indicated by U ^-1 = U ^-17 ◎ U ¹⁶ (FIG. 29).

J1 = (X ○ R ') ◎ (Y ○ R' _L )
J2 = (Y ○ R ' _H ) ◎ R' _H ○ R ' _H ²
J3 = ((X ○ R ') ○ (Y ○ R' _L ) ○ R ' _L ) ◎ R' _L
However, X and R ′ are 8-bit, Y, R ′ _H and R ′ _L are 4-bit, and R ′ = R ′ _H || R ′ _L. J1, J2, calculates the J3, obtain J0 = X ◎ Y ○ f _r by J0 = J1 ○ (J2 || ( 0000) 2) ○ J3 ○ f r. A circuit for calculating the X ◎ Y ○ f _r by the basic principle -3, MaskedMul_3 as a symbol (X ○ R ', Y ○ R' H, Y ○ R 'L, R' H, R 'L, f r) by Express. Also, considering (law-1) to (law-4),

J1 = (X _H ○ R ' _H ) ◎ (Y ○ R' _L ) || (X _L ○ R ' _L ) ◎ (Y ○ R' _L )
= (X _H ◎ Y ○ X _H ◎ R ' _L ○ Y ◎ R' _H ○ R ' _H ◎ R' _L ) || (X _L ◎ Y ○ X _L ◎ R ' _L ○ Y ◎ R' _L ○ R ' _H ◎ R' _L ² )
J2 || (0000) ₂ = (Y ◎ R ' _H ) || (0000) ₂
J3 = (X _H ○ R ' _H ) ◎ R' _L || (X _L ○ R ' _L ○ Y ○ R' _L ○ R ' _L ) ◎ R' _L
= (X _H ◎ R ' _L ○ R' _H ◎ R ' _L ) || (X _L ◎ R' _L ○ Y _L ◎ R ' _L ○ R' _L ² )
It is. However, X _H and X _L are 4-bit values that satisfy X = X _H || X _L. Therefore, J0 = J1 ○ (J2 || (0000) ₂ ) ○ J3 ○ f _r = ((X _H ◎ Y) || (X _L ◎ Y)) ○ f _r , but from (law-4) , X ◎ Y = ((X _H ◎ Y) || (X _L ◎ Y)), J0 = J1 ○ (J2 || (0000) ₂ ) ○ J3 ○ f _r = X ◎ Y ○ f _r Can be derived.

Since all input data to the multiplication processing of J1, J2, and J3 is random value masked data, safe processing can be realized for SPA and DPA. The number of multiplications required for this processing is as follows.
-U ¹⁷ = U ¹⁶ ◎ U: Two 8-bit '4-bit multiplications, one 4-bit' 4-bit multiplication, one 4-bit '4-bit self multiplication.

Furthermore, one 8-bit´4-bit multiplication is equivalent to two 4-bit´4-bit multiplications. One 4-bit´4-bit multiplication is one 4-bit´4-bit multiplication. Considering the operation at a lower cost (that is, the cost of less than once for 4-bit'4-bit multiplication), the number of multiplications necessary for the basic principle-3 can be expressed as follows.
-U ¹⁷ = U ¹⁶ ◎ U: 8-bit´4-bit multiplication φ times (2.5 <φ <3)
Since Basic Principle-3 is based on (law-1) to (law-4), it is applicable to the computation of the composite GF ((… (2 ^β1 )…) ^βγ ) satisfying βγ = 2 .

[Basic Principle-4]
U ^-1 = U ^-17 ◎ Regarding the 8-bit '4-bit multiplication shown in U ¹⁶ , the basic principle-1 requires four 8-bit' 4-bit multiplications, while the basic By using Principle-3, we succeeded in reducing it to φ 8-bit'4-bit multiplication (2.5 <φ <3). The basic principle-4 is a method that can further reduce the number of multiplications by utilizing the property of 8-bit′4-bit multiplication. From (law-4), 8-bit '4-bit multiplication can be decomposed into two 4-bit' 4-bit multiplications. In the basic principle-4, XOR of the same random number value is performed on the two pieces of data input to each of these 4-bit'4-bit multiplications as in (Basic principle-2) (FIG. 30).

J1 = (X _H ○ R ' _L ) ◎ (Y ○ R' _L )
J2 = ((X _H ○ R ' _L ) ○ (Y ○ R' _L ) ○ R ' _L ) ◎ R' _L
J3 = (X _L ○ R ' _L ) ◎ (Y ○ R' _L )
J4 = ((X _L ○ R ' _L ) ○ (Y ○ R' _L ) ○ R ' _L ) ◎ R' _L
However, X is 8-bit, X _H , X _L , Y, R ′ _L is 4-bit, and X = X _H || X _L. J1, J2, J3, and calculates the J4, obtain J0 = ((J1 ○ J2) || (J3 ○ J4)) ○ f r by _{J0 = X ◎ Y ○ f r} . Considering (law-1) to (law-4),

J1 ○ J2 = (X _H ○ R ' _L ) ◎ (Y ○ R' _L ) ○ (X _H ○ R ' _L ○ Y ○ R' _L ○ R ' _L ) ◎ R' _L
= X _H ◎ Y ○ X _H ◎ R ' _L ○ Y ◎ R' _L ○ R ' _L ² ○ X _H ◎ R' _L ○ Y ◎ R ' _L ○ R' _L ² = X _H ◎ Y
J3 ○ J4 = (X _L ○ R ' _L ) ◎ (Y ○ R' _L ) ○ (X _L ○ R ' _L ○ Y ○ R' _L ○ R ' _L ) ◎ R' _L
= X _L ◎ Y ○ X _L ◎ R ' _L ○ Y ◎ R' _L ○ R ' _L ² ○ X _L ◎ R' _L ○ Y ◎ R ' _L ○ R' _L ² = X _L ◎ Y
It is. A circuit that calculates X ◎ Y ○ f _r based on the basic principle-4 is expressed as a symbol MaskedMul_4 (X _H ○ R ' _L , X _L ○ R' _L , Y ○ R ' _L , R' _L , f _r ) To do. From (law-4), X ◎ Y = ((X _H ◎ Y) || (X _L ◎ Y)), so J0 = ((J1 ○ J2) || (J3 ○ J4)) ○ f _r = X ◎ Y ○ f _r can be confirmed.

Since all input data to the multiplication processing of J1, J2, J3, and J4 is random value masked data, it is possible to realize safe processing for SPA and DPA. The number of multiplications required for this processing is as follows.
-U ¹⁷ = U ¹⁶ ◎ U: 4 times 4-bit´4-bit multiplication (equivalent to 2 times 8-bit´4-bit multiplication).
Since Basic Principle-4 is based on (law-1) to (law-4), it is applicable to the calculation of the composite GF ((… (2 ^β1 )…) ^βγ ) satisfying βγ = 2 .

The basic principle-1, basic principle-2, basic principle-3, basic principle-3, basic principle-4 of each embodiment of the present invention are applied to the inverse element operation shown in the conventional example 3 shown in FIG. The embodiment applied to is shown below. In the following description of the embodiment, as shown in FIG. 31, an embodiment in which the present invention is used for the core part of the inverse element processing, that is, the calculation part of the composite field is shown. In the inverse operation described in the embodiment of the present invention, the following steps I to IV are executed in common.

i. Inverse operation circuit by inputting the original T ○ p _r of GF (2 ^8), is a circuit that calculates and outputs the original T ^-1 ○ q _r of GF (2 ^8). Here, p _r and q _r represent fixed value masks selected by the random number r.

ii. Perform [delta] converted back T ○ g _r of the input ^{GF (2 8), δ (} T ○ p r) = δ (T) ○ δ to calculate the _{(p r) = U ○ g} r. However, g _r is a fixed value mask selected by the random number r and satisfies g _r = δ (p _r ).

iii. Against U ○ g _r, by performing a calculation combining multiplies the table calculation, the U ○ g _r, calculates the U ^-1 ○ f _r. Here, f _r represents a fixed value mask selected by the random number r.

iv. U ^-1 ○ against f _r, δ ^-1 δ by performing conversion _{^{-1 (U -1 ○ f r)}} = δ -1 (U -1) ○ δ -1 (f r) = T -1 ○ q _r is calculated. However, a relational expression of δ ⁻¹ (f _r ) = q _r is established between q _r and f _r .

  In the following, among the above i to iv steps, the technique of the present invention described in Basic Principle-1, Basic Principle-2, Basic Principle-3, Basic Principle-4 is applied to the step of inverse element operation described in iii. An embodiment for realizing SPA and DPA countermeasures by application will be described.

A framework for performing the iii calculation is shown in FIG.
The calculation in FIG. 31 includes two multiplication processes “masked U ¹⁶ ◎ U calculation” and “masked U ^-17 ◎ U ¹⁶ calculation”. These are circuits that perform multiplication processing while performing data mask processing, and each have the following functions.

· Masked U ¹⁶ ◎ U calculating basic function of this circuit, by inputting a U ○ g _r, is that calculates and outputs a U ¹⁷ ○ c _r. However, c _r, g _r is a fixed value mask is selected by a random number r, c _r is a 4-bit, g _r is 8-bit. The fixed value masks c _r and g _r are given as inputs to this circuit. A random number R is given as an input in order to execute multiplication with the random value masked data inside the circuit. ^{Also, U 16 ○ R ', R} ' outputs two data represented by, giving as input to masked U ^-17 ◎ U ¹⁶ calculation. The value output as R ′ differs depending on the embodiment of this circuit. In the case of the first embodiment using the multiplication circuit of the basic principle-1, R ′ = R ¹⁶ and the multiplication of the basic principle-2. In the case of [Second Embodiment] using a circuit, R ′ = R. Details of the first embodiment and the second embodiment will be described later.

・Masked U ^-17 ◎ U ¹⁶ calculation The basic function of this circuit is to calculate and output U ^-1 ○ f _r by inputting U ^-17 ○ d _r, U ¹⁶ ○ R 'and random number R'. It is. However, d _r, f _r is a fixed value mask is selected by a random number r, d _r is a 4-bit, f _r is 8-bit. The fixed value masks d _r and f _r are given as inputs to this circuit.

Figure 31 is a process for calculating the output data U ^-1 ○ f _r from the input data U ○ g _r. The overall flow of this calculation process will be described.

The masked U ¹⁶ ◎ U calculation, calculates a 4-bit value U ¹⁷ ○ c _r from 8-bit value U ○ g _r. For this U ¹⁷ ○ c _r , U ⁻¹⁷ ○ d _r is calculated using the 4-bita4-bit conversion table I ′ _r [x] selected by the random number r. When the 4-bita4-bit inverse element conversion table in the element of GF (((2 ² ) ² ) ² ) is expressed as I [x] = x ⁻¹ , I ′ _h [x] is h-0,1, .., q-1 is a table for performing conversion given by I ′ _h [x] = I [x o c _h ] o d _h . By converting U ¹⁷ ○ c _{r with} I ′ _r [x], I ′ [U ¹⁷ ○ c _r ] = I [(U ¹⁷ ○ c _r ) ○ c _r ] ○ d _r = I [U ¹⁷ ] ○ d _r = (U ¹⁷ ) ⁻¹ ○ d _r = U ^-17 ○ d _r can be calculated. This data is a first input of the two input data to the masked U ^-17 ◎ U ¹⁶ calculation.

as the second input data to the masked U ^-17 ◎ U ¹⁶ calculation, the calculation of U ¹⁶ ○ R '. In the case of the first embodiment to be described later, U ¹⁶ R ′ is calculated in the process of masked U ¹⁶ ◎ U, and uses data of (UR) ¹⁶ = U ¹⁶ ○ R ^16. '= R ¹⁶ In the case of [Second Embodiment] described later, R ′ = R because the value of U ¹⁶ ○ R calculated in the process of masked U ¹⁶ ◎ U is used.

Note that (U ○ R) ¹⁶ = U ¹⁶ ○ R ¹⁶ is established because the 16th power calculation is a calculation that repeats the squaring operation four times, and the result of one square operation is (law-3) (U ○ R) ² = U ² ○ 2U ◎ R ○ R ² = U ² ○ R ² , that is, it satisfies the form of U ^k ○ R ^k for integer k. Case U ¹⁶ ○ R ¹⁶

Thus, after calculating U ^-17 ○ d _r and U ¹⁶ ○ R ′, by giving these values as two input data for the masked U ^-17 ◎ U ¹⁶ calculation, U ⁻¹ ○ f _r Get.

For the above “masked U ¹⁶ ◎ U calculation” and “masked U ^-17 ◎ U ¹⁶ calculation”, this is the book described in Basic Principle-1, Basic Principle-2, Basic Principle-3, and Basic Principle-4. By using the circuit of the invention, safe processing can be realized for SPA and DPA. In the following, "masked U ¹⁶ ◎ U computing", for the "masked U ^-17 ◎ U ¹⁶ calculates" basic principle -1, basic principle -2, basic principles -3, the result of applying the basic principle -4 An embodiment is shown.

FIG. 32 is a block diagram of the first embodiment of the present invention for calculating masked U ¹⁶ ◎ U using the multiplication circuit of basic principle-1. Calculates three data from input data g _r , U ○ g _r , R: U ○ R = (U ○ g _r ) ○ R ○ g _r , U ¹⁶ ○ R ¹⁶ = (U ○ R) ¹⁶ , R ¹⁶ To do. Then, using the MaskMul_1 circuit basic principles _{^{-1, U 17 ○ c r =}} MaskMul_1 (U ○ R, U 16 ○ R 16, R, R 16, c r) by calculating the U ¹⁷ ○ c _r. U ¹⁶ ○ R ¹⁶ and R ¹⁶ generated in this calculation process are output as U ¹⁶ ○ R ′ and R ′, respectively.

FIG. 33 is a block diagram of a second embodiment in which masked U ¹⁶ ◎ U is calculated using the multiplication circuit of basic principle-2. From input data g _r , U ○ g _r , R, two data of U ○ R = (U ○ g _r ) ○ R ○ g _r , U ¹⁶ ○ R = (U ○ R) ¹⁶ ○ R ○ R ¹⁶ calculate. After that, using the MaskMul_2 circuit of the basic principle-2, U ¹⁷ ○ c _r is calculated by U ¹⁷ ○ c _r = MaskMul_2 (U ○ R, U ¹⁶ ○ R, R, _cr ). U ¹⁶ ○ R and R generated in this calculation process are output as U ¹⁶ ○ R ′ and R ′, respectively.

FIG. 34 is a block diagram of a third embodiment of the present invention for calculating masked U ^-17 ◎ U ¹⁶ using the multiplication circuit of basic principle-1. From input data U ^-17 ○ d _r , d _r , U ¹⁶ ○ R ', R', f _r and internally generated random number S, U ^-17 ○ S ○ d _r = (U ^-17 ○ d _r ) ○ S, to calculate the two data of the S ○ d _r. Then, using the MaskMul_1 circuit basic principles _{^{-1, U -1 ○ f r =}} MaskMul_1 (U -17 ○ S ○ d r, U 16 ○ R, S ○ d r, R ', f r) by U ^{- 1} Calculate f _r .

FIG. 35 is a block diagram of a fourth embodiment of the present invention for calculating masked U ^-17 ◎ U ¹⁶ using the multiplication circuit of basic principle-3. Input data U ^-17 ○ d _r , d _r , U ¹⁶ ○ R ' , R ′ and the upper 4-bit R ′ _{H of} the 8-bit random number R ′ and the lower 4-bit R ′ _L , U ¹⁶ ○ (d _r || d _r ) ○ R ′, _{^{U -17 ○ d r ○ R '}} L, d r ○ R L', U -17 ○ d r ○ R 'H, d r ○ R' to calculate the five data of _H. Then, using the MaskMul_3 circuit basic principles _{^{-3, U -1 ○ f r =}} MaskMul_3 (U 16 ○ (d r || d r) ○ R ', U -17 ○ d r ○ R' H, U - ¹⁷ ○ _dr ○ R ′ _L , _dr ○ R ′ _H , _dr ○ R ′ _L , f _r ), U− ¹ ○ _fr is calculated.

FIG. 36 is a block diagram of the fifth embodiment of the present invention for calculating masked U ^-17 ◎ U ¹⁶ using the multiplication circuit of basic principle-4. Input data U ^-17 ○ d _r , d _r , U ¹⁶ ○ R ' _r , f _r , R', and R ' _H which is the upper 4-bit of 8-bit random number R', R which is the lower 4-bit ' _L, U ¹⁶ _H ○ R' _L = (Upper 4-bit of U ¹⁶ ○ R ') ○ R' _L ○ R ' _H , U ^-17 ○ R' _L = (U ^-17 ○ d _r ) ○ R ' _L ○ d _r , U ¹⁶ _L ○ R' _L = (lower 4 bits of U ¹⁶ ○ R ') is calculated. However, U ¹⁶ _H and U ¹⁶ _L represent the upper 4-bit and the lower 4-bit of the 8-bit value U ¹⁶ , respectively. After that, using the MaskMul_4 circuit of Basic Principle-4, U ^-1 ○ f _r = MaskMul_4 (U ¹⁶ _H ○ R ' _L , U ¹⁶ _L ○ R' _L , U ^-17 ○ R ' _L , R' _L , U ⁻¹ ○ f _r is calculated from f _r ).

Advantages of each embodiment of the present invention The AES encryption processing device using the technology of the present invention is described in (Condition-1), (Condition-2), (Condition-3), (Condition-3), Since Condition-4) is satisfied, all the problems 1, 2, and 3 that cannot be solved by the conventional examples 1, 2, and 3 can be solved. In other words, all three points that were impossible with the conventional example: small circuit scale (solution for issue 1), high processing speed (solution for issue 2), and safe processing for SPA and DPA (solution for issue 3). A satisfying AES encryption processor can be realized. Table 3 compares the conventional examples 1, 2, and 3 with the present invention.

  In addition, by using the technique of the present invention, it is possible to realize a cryptographic processing apparatus that solves the problems 1, 2, and 3 for all common key cryptosystems that perform multiplication processing using not only AES but also a composite field. it can. For example, the present invention is also applied to CLEFIA (http://www.sony.co.jp/Products/clefia/technical/data/clefia-spec-1.0.pdf) which is a 128-bit common key block cipher algorithm. Applicable.

  There are four basic multiplication circuits for realizing the technology of the present invention: basic principle-1, basic principle-2, basic principle-3, and basic principle-4. Table 4 shows the number of bit'4-bit multiplications.

The multiplication circuit of the present invention is one of [first embodiment] to [fifth embodiment] for two calculations of “masked U ¹⁶ ◎ U calculation” and “masked U ^-17 ◎ U ¹⁶ calculation”. Depending on which embodiment is applied, the necessary number of 8-bit′4-bit multiplications varies. The number of multiplications is evaluated by the total number of multiplications required for each of the basic principle-1 to basic principle-4, which are the basis of the embodiment. The evaluation results are shown in Table 5.

The evaluation in Table 5 does not include the number of operations to the 16th power. This is because the GF (((2 ² ) ² ) ² ) 16th operation is a special operation that can be realized with a very small circuit scale. Because. Specifically, the 16th power operation result X ¹⁶ for X is expressed as X ¹⁶ = X _H || (X _L ○ X _H ) using the upper 4-bit X _H and lower 4-bit X _L of X. The calculation can be performed only by the 4-bit XOR operation, which is very small compared with the circuit scale of the multiplication circuit, and can be ignored.

Claims (2)

○ is XOR operation processing, ◎ is multiplication processing,
4 bits of c _r, 8-bit g _r, 4 bits of d _r, and 8 bits of f _r a fixed mask value to be selected by the respective random number r, 8-bit R, a random number mask R ', 8-bit output data U ^-1 ○ f _r from 8-bit input data U ○ g _r, satisfies the [beta] [gamma] = 2 composite ^{GF ((... (2 β1)} ...) βγ) common key block encryption for computing the A device,
U ¹⁶ ◎ Executed by XORing the random value mask, U-calculation calculates a 4-bit value U ¹⁷ ○ c _r from the input data U ○ g _r , and 8-bit U ¹⁶ ○ R ′ and R ′ respectively. MaskedU ^{16 to} calculate ◎ U calculation circuit,
Wherein calculating the U ¹⁷ ○ c _r from the 4-bit U ^-17 ○ d _r outputted from the maskedU ¹⁶ ◎ U calculation circuit, and a 4-bit to 4-bit conversion table circuit selected by a random number r,
The 4-bit to 4 and bit conversion output from the table circuit U ^-17 ○ d _r wherein maskedU ¹⁶ ◎ output from U calculation circuit U ¹⁶ ○ R 'and R' were respectively input, the output data U ^-1 ○ f maskedU ^-17 to calculate _r ◎ U ¹⁶ calculation circuit,
An encryption device comprising: ○ is XOR operation processing, ◎ is multiplication processing,
4 bits of c _r, 8-bit g _r, 4 bits of d _r, and 8 bits of f _r a fixed mask value to be selected by the respective random number r, 8-bit R, a random number mask R ', 8-bit output data U ^-1 ○ f _r from 8-bit input data U ○ g _r, satisfies the [beta] [gamma] = 2 composite ^{GF ((... (2 β1)} ...) βγ) common key block encryption for computing the A method,
U ¹⁶ ◎ Executed by XORing the random value mask, U-calculation calculates a 4-bit value U ¹⁷ ○ c _r from the input data U ○ g _r , and 8-bit U ¹⁶ ○ R ′ and R ′ respectively. MaskedU ^{16 to} calculate ◎ U calculation step,
The maskedU ¹⁶ ◎ calculates the 4-bit from ^{_{U 17 ○ c r U -17 ○}} d r is the output of the U computation step, the 4-bit to 4-bit conversion table step selected by the random number r,
The 4-bit-to-four, which is the output of the bit conversion table steps and U ^-17 ○ d _r wherein maskedU ¹⁶ ◎ which is the output of the U calculation step U ¹⁶ ○ R 'and R' were respectively input, the output data U ^-1 ○ maskedU ^-17 to calculate f _r ◎ U ¹⁶ calculation step,
The encryption method characterized by performing this.

Images