JP4634788B2 - Cryptographic operation circuit, information processing apparatus and IC card having the cryptographic operation circuit - Google Patents

Description

  The present invention relates to a cryptographic operation circuit, an information processing apparatus and an IC card having the cryptographic operation circuit.

  IC (Integrated Circuit) cards are used not only for payment of credit cards, commuter passes, and other commercial transactions, but also in various fields as ID cards for employee cards, membership cards, insurance cards, etc. ing. This is because the IC has a CPU, ROM, RAM, EEPROM, etc. so that it can perform various functions compared to conventional magnetic cards, and it is difficult to forge. It is. Details of the IC card are defined in Non-Patent Document 1.

  Since the IC card stores important information such as personal information, the data is encrypted using encryption or the card user is authenticated. Therefore, sufficient security is maintained in normal use. However, in 1996, Paul Kocher et al. Announced a theory called a power analysis attack technique in which the secret key used in cryptography can be derived by acquiring and analyzing the power consumption waveform at the moment when the IC card performs cryptographic processing. It was done. There are roughly three analysis methods according to this theory.

  In the first method, when there is a difference in processing time depending on each bit of the secret key used for encryption, the bit is found from the processing time or the power consumption waveform, and all the secret keys are found in the same manner. That's it. The details are described in Non-Patent Document 2.

  In the second method, when there is a difference in the power consumption waveform of the part that processes the data depending on each bit of the secret key used for encryption, the bit is found, and in the same way, all the secret keys are It turns out. In general, a CMOS constituting an IC chip consumes power when it changes from 0 → 1 or 1 → 0, and thus there is some difference in the power consumption waveform as described above.

  The third method is to obtain a large number of power consumption waveforms during cryptographic processing and derive a secret key by performing statistical processing. This method is a more powerful version of the second method. If a large number of power consumption waveforms that are part of the cryptographic process can be obtained, it can be attacked relatively easily. Details regarding the second and third methods are described in Non-Patent Document 3.

  Various countermeasures against the above three attack methods have been discussed and thought out. However, if the software implements common key cryptography and is executed by the CPU, or if public key cryptography that takes much longer processing time than common key cryptography is processed using a coprocessor, the power consumption waveform In many cases, the processing behavior appears clearly. That is, it is often easy to identify the encryption processing unit in the power consumption waveform, which is a precondition for the attack, and to acquire the waveform. Even if countermeasures against attacks are taken, if the power consumption waveform of the cryptographic processing unit to be attacked is acquired, there is a possibility of various attacks. In some cases, countermeasures are invalidated and the secret key is derived. May lead to

  On the other hand, when the common key encryption process is performed using a dedicated encryption processing circuit, the processing time is extremely shortened compared to the case where the process is implemented by software, and the behavior of the process is less likely to appear in the power consumption waveform. However, in this case as well, the cryptographic processing circuit operates separately from the processing of the CPU, so that the power consumption waveform at the moment when this circuit operates increases to some extent, and the cryptographic processing unit may be discriminated. In this case, how much power consumption increases depends on the performance of the hardware. In addition, since the common key encryption has the property of repeatedly performing a certain number of processes a predetermined number of times, the encryption processing unit can be specified by specifying a part having the same characteristics by repeating the determined number of times from the power consumption waveform. Sometimes.

In this way, power analysis attacks are very powerful attack methods, so it is difficult to identify cryptographic processing units in the power consumption waveform, which is a prerequisite for attacks, while establishing countermeasures that can withstand attacks. Becomes very important.
ISO / IEC 7816-1part1,2 P. Kocher, “Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS and Other Systems”, Advances in Cryptology: Proceedings of CRYPTO'96, Springer-Verlag, 1996, pp.104-113 P. Kocher, J. Jaffe, B. Jun, “Differential Power Analysis”, Advances in Cryptology: Proceedings of CRYPTO'99, Springer-Verlag, 1999, pp.388-397

  An object of the present invention is to make it difficult to specify an encryption processing unit in a power consumption waveform of an IC card or an information processing apparatus.

  In the invention according to the aspect of the present invention, in order to make it difficult to specify the encryption processing unit in the power consumption waveform of the IC card, the dummy data block processing is performed during the processing of the data block used for the encryption processing. Inserted as appropriate. Specifically, it is as follows.

  The invention according to the aspect of the present invention provides a result value obtained by applying a first data block having a predetermined number of bits and key information to a predetermined non-linear function F, and a first number having the same number of bits as the first data block. Performing a logical operation on the second data block, replacing the second data block with the first data block, and repeatedly executing the step of replacing the first data block with the result value of the logical operation a predetermined number of times. Means for holding the first and second data blocks in a cryptographic operation circuit that performs encryption processing and executes encryption processing for outputting the processing result to the outside as encrypted data; and Means for holding first and second dummy data blocks having the same number of bits as the second data block; and the first and second data blocks Means for appropriately inserting the execution of the dummy encryption process using the first and second dummy data blocks based on a predetermined condition while executing the predetermined encryption process a predetermined number of times. It is characterized by comprising.

  This makes it difficult to perform a power analysis attack, and can prevent the secret key from leaking outside. As described above, according to the present invention, the processing part of the common key encryption implemented by the dedicated hardware that is difficult to specify the operation part from the power consumption waveform of the IC card is changed to the number of iterations of a known algorithm. This makes it more difficult to specify information such as information, and makes it difficult to apply a power analysis attack to an IC card or information processing device equipped with the cryptographic processing circuit and suppresses leakage of the secret key to the outside. it can.

Embodiments of the present invention will be described with reference to the drawings.
FIG. 1 is a diagram showing a schematic configuration of an IC card including a cryptographic operation circuit according to the present invention. The details of the IC card are defined in Non-Patent Document 1, as described above. As shown in FIG. 1, an IC chip 102 is mounted in a card 101. FIG. 2 is a diagram showing an internal configuration of a general IC chip.

  As shown in FIG. 2, the IC chip 102 according to the present invention includes a CPU 201, a RAM 202, a ROM 203, an EEPROM 204, an I / O port 205, a coprocessor 206, and a cryptographic processing circuit 207.

  In the above configuration, the CPU 201 executes an IC card program stored in the ROM 203, and the RAM 202 and the EEPROM 204 store data necessary for processing. The I / O port 205 receives a command from an external device (for example, a reader / writer), and outputs the processing result of the CPU 201 as a response. The data bus 208 is a bus for transferring data between devices. The coprocessor 206 is a dedicated device for performing a power-residue operation, and is used for public key encryption processing such as RSA encryption. Therefore, some IC cards are not installed. The encryption processing circuit 207 is mainly used for common key encryption processing, and performs the entire common key encryption processing or plays a role of assisting a part of the processing when the CPU 201 performs the common key encryption processing. Therefore, some IC cards are not installed. As described above, the coprocessor 206 and the cryptographic processing circuit 207 may not be used depending on the application. Here, DES (Data Encryption Standard) will be described as an example of a common key encryption algorithm implemented in the encryption processing circuit 207. In the present invention, it is assumed that the cryptographic processing circuit 207 is installed. This is because the provision of a dedicated cryptographic processing device makes it much more difficult to attack by using a CPU or a coprocessor than when the cryptographic code is processed by software.

In the IC card configured as described above, the flow of DES processing will be briefly described with reference to the flowchart of FIG. FIG. 3 is a flowchart showing the flow of DES.
First, a bit transposition process called initial permutation (IP) is performed on the 64 bits of input plain text (step 301). Next, the data after the initial transposition is divided into 32 bits (step 302), and the following processing is repeated with these two as initial values (step 303 and step 304).
L_ {i} ← R_ {i−1}
R_ {i} ← L_ {i−1} xor F (K_ {i}, R_ {i−1})
In the above formula, ← indicates substitution.
Here, the number of operations is i (1 ≦ i ≦ 16), one divided 32 bits (right side) at the time of the i-th operation is R_ {i}, and the other 32 bits (left side) is L_ {i}. , The i-th partial key is K_ {i}. This partial key is generated for the number of operations (16) by performing key scheduling processing based on a 64-bit secret key. A process including nonlinear transformation or transposition using a conversion table called SBOX, and an exclusive OR of partial keys and data is called an F function, and is represented by F (K, R).

  L_ {16}, which is the result after repeating this iterative process (step 303 and step 304) 16 times, is combined as upper 32 bits, and R_ {16} is combined as lower 32 bits (step 305). Finally, the synthesized 64 bits are subjected to an inverse transformation process of initial transposition called final transposition (FP) (step 306) to obtain 64 bits of output ciphertext.

Next, FIG. 4 shows an outline of the internal configuration of the cryptographic processing circuit 207 in which DES is mounted. The cryptographic processing circuit 207 includes a cryptographic processing unit 401, a random number generation unit 402, a control circuit unit 403, a key generation unit 404, and an I / F unit 405.
The encryption processing unit 401 encrypts the input received from the I / F unit using DES. The random number generation unit 402 generates a random number used for DES processing. The control circuit unit 403 includes a control information register (details will be described later) for storing information for controlling DES processing. The key generation unit 404 generates a partial key for each process by key scheduling from the information in the control information register and the DES secret key 64 bits. The I / F unit 405 inputs and outputs data with the CPU 201 and the like.

With reference to FIG. 5, the internal details of the cryptographic processing unit 401, which is the main part of the cryptographic processing circuit 207, will be described.
The IP 501 performs an initial transposition operation based on a predetermined rule. The 3-input 2-output selector 502 has three inputs (hereinafter referred to as “3 inputs”), the upper 32 bits of data output from the IP 501, the upper 32 bits of data input from the random number generator 402, and the output 32 bits of the selector 509. ”), And any one of the three inputs is output to either the register L504 or the register L_dummy 505 in accordance with the signal CTL from the control circuit unit 403. Similarly, the 3-input 2-output selector 503 outputs the output lower 32 bits of the IP 501 data, the lower 32 bits of the input RND from the random number generator 402, and the output 32 bits of the selector 508 and the output of the F function 510. Inputs 32 bits of 3 bits after exclusive OR (by logic operation circuit 512) and outputs either 3 inputs to register R506 or register R_dummy 507 according to signal CTL from control circuit unit 403 To do. Register L504, register L_dummy 505, register R506, and register R_dummy 507 are registers each having a 32-bit width. The 2-input 1-output selector 508 outputs either 32 bits of the output of the register L504 or the register L_dummy 505 in accordance with the signal CTL from the control circuit unit 403. Similarly, the 2-input 1-output selector 509 outputs either 32 bits of the output of the register R506 or the register R_dummy 507 in accordance with the signal CTL from the control circuit unit 403. The F function 510 receives the 32-bit output of the selector 509 as input, and performs an expansion transposition process, an exclusive OR with a partial key, a non-linear process by SBOX, and a transposition process. The FP 511 is a circuit module that performs an operation of inverse transformation of initial transposition based on a predetermined rule. The input is 64 bits, the upper 32 bits are 32 bits obtained by exclusive ORing the output of the F function 510 and the output of the selector 508, and the lower 32 bits are the output 32 bits of the selector 509.

  The flow of DES processing using the cryptographic processing circuit 207 configured as described above will be described with reference to the flowchart of FIG. The selector control will be described in the operation of the control circuit unit 403.

  First, the upper 32 bits of the random number RND from the random number generation unit 402 are stored in the register L_dummy 505 and the lower 32 bits are stored in the register R_dummy 507 as initial values (step 601). The input plaintext 64 bits are transposed by the IP 501 and the upper 32 bits are stored in the register L504 and the lower 32 bits are stored in the register R506 as initial values (step 602). When the MSB of the signal CTL from the control circuit unit 403 is 1 (step 603), the output 32 bits of the register R506 is input and the F function 510 is processed (step 604). The exclusive OR with the 32 bits of the output of L504 is taken (step 606). At this time, if the lower nibble of the signal CTL from the control circuit unit 403 is not 15 (step 608), the 32 bits of the output of the register R506 are stored in the register L504, and the exclusive OR result is stored in the register R506 (step 609). ).

  In step 603, when the MSB of the signal CTL from the control circuit unit 403 is not 1 (for example, 0) (step 603), the output 32 bits of the register R_dummy 507 is input and the F function 510 is processed (step 605). ), The exclusive OR of the 32 bits of the output of the F function 510 and the 32 bits of the output of the register L_dummy 505 is obtained (step 607). In this case, the 32-bit output of the register R_dummy 507 is stored in the register L_dummy 505 without referring to the signal CTL from the control circuit unit 403, and the exclusive OR result is stored in the register R_dummy 507 (step 610). In this way, when the MSB of the signal CTL is 1 or 0, the processing data and the storage destination are different, and when the processing of the MSB 1 is completed for 16 DES processing steps (step 608), the exclusive OR result is the upper 32 bits, The output of the register R506 is synthesized as the lower 32 bits, and FP processing is performed. Then, the data after the FP processing is transferred to the I / F unit 405 (step 611).

Before describing the processing flow of the control circuit unit 403, a control information register that stores information of the signal CTL that controls the selector in the encryption processing unit 401 will be described. This register is in the control circuit unit 403 and is composed of 8 bits from 0 to 7 (from the 1st bit to the 8th bit). The bit assignment of this register is as follows.
The fourth to first bits represent the number of DES processing stages that have already been completed in the cryptographic processing unit 401.
When 1 is set in the fifth bit, the input of the selector 502 is set to RND, the output is set to the register L_dummy 505, the input of the selector 503 is set to RND, and the output is set to the register R_dummy 507. In this way, control for setting the initial random number to the registers L_dummy 505 and R_dummy 507 in the encryption processing circuit 207 is performed based on the information of the fifth bit.
When 1 is set in the sixth bit, the input of the selector 502 is the IP output, the output is the register L504, the input of the selector 503 is the IP output, and the output is the register R506. In this way, control for setting values after IP output to the registers L504 and R506 in the cryptographic processing circuit 207 is performed based on the information of the sixth bit.
When 1 is set in the seventh bit, the input of the selector 502 is the output of the selector 509, and the input of the selector 503 is the exclusive OR result of the output of the F function 510 and the output of the selector 508. In this way, control of performing processing of the DES main body after the initial value is set in each register is performed by the information of the seventh bit.
When 1 is set in the eighth bit, the output of the selector 502 is set to the register L504 or the register L_dummy 505, the output of the selector 503 is set to the register R506 or the register R_dummy 507, the input of the selector 508 is set to the register L504 or the register L_dummy 505, The input is the register R506 or the register R_dummy 507. In this way, control for discriminating between the original process of DES and the dummy process is performed based on the information of the eighth bit. That is, control is performed so that the original process is performed when 1 is set in the eighth bit, and the dummy process is performed when 0 is set.

Processing of the control circuit unit 403 that generates and outputs a signal CTL for controlling the selector in the encryption processing unit 401 will be described with reference to a flowchart of FIG.
First, a 64-bit random number is received from the random number generation unit 402 (step 701). Then, the value of the control information register is confirmed (step 702). When the value of the register is 0H (step 703), since no random number is set in the encryption processing unit 401, 1 is set to the fifth bit of the value CTL of the control information register and the value is output (step 704, Step 713). If the value of the register is 10H (step 705), it means that the IP processing of the cryptographic processing unit 401 has not ended, so 0 is set to the 5th bit of the value CTL of the control information register and 1 is set to the 6th bit. The value is set and the value is output (steps 706 and 713). If the value of the register is 20H (step 707), it means that the encryption processing unit 401 is ready to repeat the DES, so 0 is set to the 6th bit of the value CTL of the control information register and 7 bits. Set 1 to the eye (step 708). Next, the parity of the 64-bit random number fetched from the random number generation unit 402 is calculated (step 709). When the parity is 1 (step 710), the eighth bit of the value CTL of the control information register is set to 1, the lower nibble is incremented (step 712), and the value is output (step 713). In step 710, when the parity is 0, the eighth bit is set to 0, the lower nibble is not incremented (step 711), and the value is output (step 713).

  The key generation unit 404 creates a partial key for the processing stage of the corresponding DES from the information in the lower nibble of the value CTL of the control information register, and passes it to the encryption processing unit 401. That is, as long as the value of the lower nibble of the control information register does not change, the key generation unit 404 outputs the same partial key.

  In the above description, the value of the 8th bit of the control information register that separates the DES real process and the dummy process is determined based on the parity of the 64-bit random number. The method of determining the value of the 8th bit is described above. It is not limited to form. For example, in consideration of security strength, it is preferable to determine such that the probability that the 8th bit becomes 1 is lower than the probability that it becomes 0. This is a case where there is no difference in the power consumption waveform between the case where the eighth bit is 1 and the case where it is 0, or it cannot be observed. In this regard, the cryptographic processing circuit 207 targeted this time is a hardware circuit dedicated to cryptographic processing, and unlike the software implementation, the processing time does not differ depending on whether the eighth bit is 1 or 0. Processing is performed in approximately one clock. For this reason, the above assumption is appropriate in consideration of the fact that the difference in data handled during one-stage processing hardly appears as a difference in power consumption. Furthermore, by combining the present invention with the current disturbance circuit that puts noise on the power consumption waveform and masking of intermediate data during processing with random numbers, the security strength can be increased, that is, the power analysis attack can be made more difficult. Is possible.

  The present invention is not limited to the above-described embodiments, and various modifications can be made without departing from the scope of the invention at the stage of implementation. For example, in the above embodiment, the IC card has been described. However, in addition to the IC card, the present invention can be applied to an information device such as a PDA, a personal computer, or a mobile phone having an encryption circuit for preventing external attacks. Of course. Further, the above embodiments include inventions at various stages, and various inventions can be extracted by appropriately combining a plurality of disclosed constituent elements.

  In addition, for example, even if some structural requirements are deleted from all the structural requirements shown in each embodiment, the problem described in the column of the problem to be solved by the invention can be solved, and the effect described in the effect of the invention Can be obtained as an invention.

The figure which shows schematic structure of the IC card provided with the cryptographic operation circuit which concerns on this invention. The figure which shows the general internal structure of an IC chip. The flowchart which shows the process of DES. The figure which shows the outline | summary of the internal structure of the encryption processing circuit which mounted DES. The figure which shows the internal structure of an encryption process part. The flowchart which shows the process of an encryption process part. The flowchart which shows the process of a control circuit part.

Explanation of symbols

  DESCRIPTION OF SYMBOLS 101 ... Card, 102 ... IC chip, 201 ... CPU, 202 ... RAM, 203 ... ROM, 204 ... EEPROM, 205 ... I / O port, 206 ... Coprocessor, 207 ... Cryptographic processing circuit, 208 ... Data bus, 401 ... Cryptographic processing unit, 402 ... random number generation unit, 403 ... control circuit unit, 404 ... key generation unit, 405 ... F unit, 501 ... IP, 502 ... selector, 503 ... selector, 508 ... selector, 509 ... selector, 511 ... FP .

Claims (5)

A logical operation is performed on a result value obtained by applying a first data block having a predetermined number of bits and key information to a predetermined non-linear function F and a second data block having the same number of bits as the first data block. The second data block is replaced with the first data block, and the step of replacing the first data block with the result value of the logical operation is repeatedly executed a predetermined number of times to perform encryption processing, In a cryptographic operation circuit that executes encryption processing for outputting processing results to the outside as encrypted data,
Means for holding the first and second data blocks;
Means for holding first and second dummy data blocks having the same number of bits as the first and second data blocks;
While the encryption process using the first and second data blocks is executed a predetermined number of times, the execution of the dummy encryption process using the first and second dummy data blocks is performed under a predetermined condition. A cryptographic operation circuit comprising means for controlling such that insertion is appropriately performed based on the above. 2. The cryptographic operation circuit according to claim 1, further comprising data processing means for exchanging data of the intermediate data being operated in units of bits or bytes. 3. The cryptographic operation circuit according to claim 1, wherein the control means makes the number of insertions of the dummy cryptographic processing larger than the number of times of the cryptographic processing. A logical operation is performed on a result value obtained by applying a first data block having a predetermined number of bits and key information to a predetermined non-linear function F and a second data block having the same number of bits as the first data block. The second data block is replaced with the first data block, and the step of replacing the first data block with the result value of the logical operation is repeatedly executed a predetermined number of times to perform encryption processing, An IC chip having a cryptographic operation circuit for executing encryption processing for outputting processing results to the outside as encrypted data;
In an IC card comprising a card on which the IC chip is mounted,
The cryptographic operation circuit is:
Means for holding the first and second data blocks;
Means for holding first and second dummy data blocks having the same number of bits as the first and second data blocks;
While the encryption process using the first and second data blocks is executed a predetermined number of times, the execution of the dummy encryption process using the first and second dummy data blocks is performed under a predetermined condition. An IC card characterized by comprising means for controlling such that it is inserted as appropriate. A logical operation is performed on a result value obtained by applying a first data block having a predetermined number of bits and key information to a predetermined non-linear function F and a second data block having the same number of bits as the first data block. The second data block is replaced with the first data block, and the step of replacing the first data block with the result value of the logical operation is repeatedly executed a predetermined number of times to perform encryption processing, In an information processing apparatus having a cryptographic operation circuit that executes encryption processing for outputting processing results to the outside as encrypted data,
The cryptographic operation circuit is:
Means for holding the first and second data blocks;
Means for holding first and second dummy data blocks having the same number of bits as the first and second data blocks;
While the encryption process using the first and second data blocks is executed a predetermined number of times, the execution of the dummy encryption process using the first and second dummy data blocks is performed under a predetermined condition. An information processing apparatus comprising means for controlling such that insertion is appropriately performed based on the information.

Images