JP5483838B2 - Data processing device - Google Patents

Description

  The present invention relates to a data processing technique for improving the reliability of verification of cryptographic operations as a countermeasure against a failure attack on cryptographic operations. For example, the present invention relates to a cryptographic coprocessor conforming to AES (Advanced Encryption Standard) or DES (Data Encryption Standard). It is related to effective technology.

  The IC card microcomputer is mounted on a card for financial, transportation, health insurance, etc., and stores electronic money and personal information. Therefore, it is necessary to prevent attacks such as information leakage and tampering with a combination of hardware and software. is there. Failure analysis is one of the attacks on IC card microcomputers. In particular, an attack by locally irradiating a pulse laser has been alive recently. For example, in academic societies such as FDTC (Fault Diagnosis and Tolerance in Cryptography), presentations on laser attacks against cryptographic operations have been made. If a cryptographic coprocessor installed in an IC card microcomputer or the like outputs a value whose cryptographic operation result differs from the expected value due to a malfunction, the key used by the erroneous ciphertext can be extracted. There is sex. As a method for avoiding this, there is an inspection method for performing the same calculation again. For example, the encryption operation is performed a plurality of times, and the result is returned when a plurality of operation results match. As another method, there is a verification method that performs back calculation. For example, the decryption operation is further performed in the case of the encryption operation, the encryption operation is further performed in the case of the decryption operation, and the result is returned when the reverse operation results match. Although a method for performing such a check takes time, a malfunction can be detected without introducing redundant circuits such as parity. The following Non-Patent Document 1 is a document describing measures against failure utilization analysis.

Masahiro Kaminaga Takashi Watanabe "Information Security Theory and Technology-From Cryptography to IC Card Tamper-Resistance Technology" Morikita Publishing Co., Ltd., published October 15, 2005, pp. 198-205.

  As a countermeasure against a failure attack on cryptographic operations, it is recommended to carry out the above calculation twice or reversely, but according to the study of the present inventors, it has been clarified that there are the following problems.

  [1] Even if the calculation is performed twice or more, when the same data is used in the calculation, the verification can be invalidated by attacking the value. For example, if an AES extended key is a system that uses the same value for verification even if it is calculated at the time of encryption, the effect cannot be detected if a failure attack occurs during the encryption operation. For example, as illustrated in FIG. 3, when the value is changed by receiving an attack on the extended key register once, the same result can be obtained no matter how many times the same operation is repeated, and a failure attack can be dealt with. Absent.

  [2] When the performance of a device that causes a failure, such as a laser, is very high (high output energy, high light collection capability, short output interval, etc.) Or, even if the decoding operation is performed, if the same calculation is performed at the same timing in each calculation of a plurality of times, the same fault injection is given every time as illustrated in FIG. It may be invalidated by generating.

  [3] For block ciphers such as DES and AES, OFB (Output Feedback) mode, CTR (Counter) mode, CFB (Cipher Feedback) mode, etc. There is a cryptographic usage mode to calculate. In this case, even if the verification is performed by the encryption / decryption operation, the operation of the common key encryption itself is “encryption”, so that the same operation is performed, and the same vulnerability as in FIG. 4 exists. FIG. 5 and FIG. 6 show the data flow of encryption enabling / decrypting operation in ECB (Electronic Codebook) mode and OFB mode, respectively. In plaintext P0 to P2, ciphertext C0 to C2, key K, and initial value IV, the common key cipher operation unit (thick frame portion in FIG. 6) inputs not the decryption operation D but the initial value IV in the OFB mode decryption operation. Since the encryption operation E with the key K is performed, it is weaker than the verification in the case of FIG.

  An object of the present invention is to provide a data processing apparatus capable of taking a strong counter measure against a failure attack on a cryptographic operation.

  The above and other objects and novel features of the present invention will be apparent from the description of this specification and the accompanying drawings.

  The following is a brief description of an outline of typical inventions disclosed in the present application.

  In other words, when performing a reverse calculation and verifying, a verification is added as to whether the encryption key finally used in the reverse calculation matches the encryption key used initially in the initial calculation. As a result, it becomes possible to detect a failure attack that cannot be detected by verification of the result of back calculation.

  The effects obtained by the representative ones of the inventions disclosed in the present application will be briefly described as follows.

  That is, it is possible to take a strong check measure against a failure attack on the cryptographic operation.

1. First, an outline of a typical embodiment of the invention disclosed in the present application will be described. Reference numerals in the drawings referred to in parentheses in the outline description of the representative embodiments merely exemplify what are included in the concept of the components to which the reference numerals are attached.

  [1] A data processing apparatus according to the present invention includes processors (7, 7A, 7B) that perform encryption of plaintext and decryption of ciphertext using an encryption key. When the processor performs the encryption or decryption as an initial operation, the processor performs a reverse operation of the initial operation, and a storage circuit (24) that holds the encryption key finally used in the reverse operation so as to be accessible from the outside Have As a result, when the encryption key first used in the initial calculation is managed in the data processing apparatus, the management entity can access the encryption key finally used in the back calculation held by the storage circuit. Therefore, it becomes possible to detect a failure attack that cannot be detected by simple reverse calculation, depending on whether or not both coincide.

  [2] Another data processing device according to the present invention is a data processing device including a processor that encrypts plaintext and decrypts a ciphertext using an encryption key. The processor initially performs the encryption or decryption. When this operation is performed, a reverse calculation of the initial calculation is performed, and it is verified whether or not the encryption key finally used in the reverse calculation matches the encryption key used initially in the initial calculation. The processor itself can detect fault attacks.

  [3] Still another data processing apparatus according to the present invention includes a processor, which uses a cryptographic key (K0 to K10) sequentially updated based on an initial value of the cryptographic key input from the outside. Encryption is repeated a plurality of times sequentially, and the operation using the encryption key (K10 to K0) sequentially updated based on the encryption key input from the outside is sequentially repeated a plurality of times to perform the decryption. Alternatively, a storage circuit (24) is provided which holds the latest updated encryption key used for the decryption operation so as to be accessible from the outside. In encryption / decryption represented by the ECB mode, it becomes possible to detect a failure attack that cannot be detected by simple reverse calculation.

  [4] The data processing device according to item 3, further comprising a central processing unit (3) for controlling the processor, wherein the storage circuit is arranged in an address space of the central processing unit. The processor reads the encryption key from the storage circuit and compares it with the expected value, so that a failure attack can be detected.

  [5] In the data processing device according to item 4, the storage circuit is an area in which the initial value of the encryption key is written by the central processing unit, and thereafter the latest encryption sequentially updated based on the initial value of the encryption key. This area is rewritten by the key.

  [6] In the data processing device according to item 3, when the processor encrypts plaintext, the initial value of the encryption key (K10) used in the last encryption operation of the encryption is obtained for the encryption result. Decryption is performed as an inverse operation, and the encryption key (K0) used at the end of the decryption is written into the storage circuit.

  [7] In the data processing device according to item 3, when the ciphertext is decrypted, the processor repeatedly updates the initial value of the encryption key in the same manner as in the case of encryption, and uses the encryption key (K10) used at the end of encryption. The decryption operation using the generated encryption key as an initial value is sequentially repeated a plurality of times to perform decryption, and the encryption key (K0) used at the end of the decryption is written into the storage circuit.

  [8] In the data processing device according to item 6 or 7, the processor determines whether the encryption key used at the end of the decryption written in the storage circuit matches the encryption key used at the beginning of the encryption. It further has a comparator (26) for determining whether or not. The processor itself can detect fault attacks.

  [9] In the data processing apparatus according to item 8, the discriminant determination result by the comparator is a signal requesting exception processing, and further includes a central processing unit that requires the exception processing.

  [10] In the data processing device according to item 9, the exception processing is reset exception processing of the central processing unit.

  [11] Still another data processing apparatus according to the present invention includes a processor (7C), and the processor sequentially performs operations using the encryption keys sequentially updated based on the initial value of the encryption key input from the outside. Perform unit encryption that is repeated multiple times in series for multiple units to perform encryption, and unit decryption that repeats operations using an encryption key that is sequentially updated based on an encryption key input from the outside Decodes by executing serially for multiple units. The unit encryption uses an encryption process (E) in which an encryption operation using an encryption key sequentially updated based on an initial value of an encryption key input from the outside is sequentially repeated a plurality of times and a processing result of the encryption process is used. It consists of cryptographic logic operations. The unit decryption uses an encryption process (E) in which the encryption operation using the encryption key sequentially updated based on the initial value of the encryption key input from the outside is sequentially repeated a plurality of times and a processing result of the encryption process. And decoding logic operation. The processor performs the unit encryption of the previous block in parallel with the unit encryption encryption process (E in FIG. 9) of the next block that receives the result of the encryption process of the unit encryption of the previous block in the encryption. The decryption process (D in FIG. 9) is performed as the inverse operation of the encryption process of the unit encryption using the result of the encryption process, and the latest updated encryption key used for the inverse operation can be accessed from the outside. A memory circuit (24) for holding is included. This makes it possible to detect a failure attack that cannot be detected by simple reverse calculation in encryption in an operation mode represented by the OFB mode.

  [12] In the data processing device according to item 11, the processor is configured to execute the unit of the previous block in parallel with the unit decryption encryption process of the next block that receives the result of the unit decryption process of the previous block in the decryption. Using the result of the decryption encryption process, the decryption process is performed as the inverse operation of the unit encryption encryption process, and the storage circuit can access the latest updated encryption key used for the inverse operation from the outside. Hold. In decoding in an operation mode typified by the OFB mode, it becomes possible to detect a failure attack that cannot be detected by simple reverse calculation.

  [13] The data processing device according to item 12, further comprising a central processing unit (3) for controlling the processor, wherein the storage circuit is arranged in an address space of the central processing unit.

  [14] In the data processing device according to item 13, the storage circuit is an area in which the initial value of the encryption key is written by the central processing unit, and thereafter the latest encryption sequentially updated based on the initial value of the encryption key. This area is rewritten by the key.

  [15] In the data processing device according to item 12, the encryption logical operation and the decryption logical operation are exclusive OR operations.

  [16] In the data processing device according to item 12, the processor determines whether the encryption key used at the end of the decryption written in the storage circuit matches the encryption key used at the beginning of the encryption. It further has a comparator for discriminating.

  [17] In the data processing apparatus according to item 16, the discrepancy determination result by the comparator is a signal requesting exception processing, and further includes a central processing unit that requires the exception processing.

  [18] In the data processing device according to item 17, the exception processing is reset exception processing of the central processing unit.

  [19] In the data processing device according to item 3 or 12, the processor conforms to AES.

  [20] In the data processing apparatus according to item 3 or 12, the data processing apparatus is a microcomputer for an IC card formed on a semiconductor substrate.

  [21] In the data processing device according to [3] or [11], the processor has a function of processing verification by decryption processing in an encryption usage mode that uses only an encryption function of an encryption algorithm.

2. Details of Embodiments Embodiments will be further described in detail. DESCRIPTION OF EMBODIMENTS Hereinafter, embodiments for carrying out the present invention will be described in detail with reference to the drawings. Note that components having the same function are denoted by the same reference symbols throughout the drawings for describing the embodiments for carrying out the invention, and the repetitive description thereof will be omitted.

<Microcontroller for IC card>
FIG. 2 illustrates a block diagram of an IC card microcomputer according to an example of the present invention. The IC card microcomputer 1 includes a communication module 2 for performing non-contact or contact interface, a central processing unit (CPU) 3 that performs overall control of the IC card microcomputer 1, interrupts and resets of the IC card microcomputer, etc. System control logic 4 that performs exception processing control and operation mode control, non-volatile memory 5 that holds an operation program and data table of the CPU 3, a RAM 6 that is used for a work area of the CPU 3, a common that conforms to DEA or AES, etc. A key encryption processor 7, a public key encryption processor 8 that performs exponentiation and multiplication, an elliptic encryption operation, and the like, and a clock generation circuit 9 that generates a clock signal CK that serves as an operation reference clock for the IC card microcomputer 1. Reference numeral 10 denotes an internal bus. The nonvolatile memory 5 may be a mask ROM, EEPROM, flash memory, or the like. The IC card microcomputer 1 is configured by an integrated circuit manufacturing technology such as CMOS on a single semiconductor substrate such as single crystal silicon.

  FIG. 1 shows an implementation example of an AES coprocessor as an example of the common key cryptographic processor 7. Details of the AES coprocessor are described in the first document of “NIST (National Institute of Standards and Technology), ADVANCED ENCRYPTION STANDARD (AES), Federal Information Processing Standard Publications (FIPS PUBS) 197, 2001”. Here, the detail regarding the structure relevant to the feature point of this invention is demonstrated.

  A common key cryptographic processor 7 (also simply referred to as a cryptographic processor 7) includes an AES arithmetic unit 20 that calculates AES subbytes, an initial value register 21, a plaintext / ciphertext register 22, a control register 23, and a key register. 24, a comparison key register 25, and a comparator 26. The cipher usage mode in the cryptographic operation is described in the second document “NIST, Recommendation for Block Cipher Modes of Operation, NIST Special Publication 800-38A, 2001”. The cipher usage mode includes, for example, an ECB mode schematically shown in FIG. 5 and an OFB mode schematically shown in FIG.

《Countermeasure against failure attack in ECB mode》
In FIG. 1, for example, the ECB mode of FIG. 5 is used as the encryption mode. As is clear from the notation of FIG. 5, the encryption operation indicated by E and the decryption operation indicated by D are different in the processing contents in the ECB mode. FIG. 7 exemplifies calculation methods for encryption and decryption in the ECB mode. Here, the encryption operation indicated by one E in FIG. 5 is realized by repeating a plurality of steps of Se0 to Se10 indicated by Enc in FIG. The given key K is used after being autonomously updated to K0 to K10 sequentially in each step of Steps Se0 to Se10. K0 = K, and K1 to K10 are referred to as extended keys. The suffixes 1 to 10 of Se0 to Se10 are referred to as round numbers. That is, the step of round i is Sei. An encoding operation is performed in each round of steps Se0 to Se10, P is encoded to M1, M1 is encoded to M2, M2 is encoded to M3, and finally M10 is encoded to C. As a result, the plaintext P is encrypted into the ciphertext C. The decoding operation indicated by one D in FIG. 5 is realized by repeating a plurality of steps Sd0 to Sd10 indicated by Dec in FIG. In each step of steps Sd0 to Sd10, the keys are updated and used autonomously in order from K10 to K0. Also in decoding, the suffix of steps Sd0 to Sd10 is referred to as the number of rounds. A decryption operation is performed in each round of steps Sd0 to Sd10, C is decrypted to M10, M10 is decrypted to M9, M9 is decrypted to M8, and finally M1 is decrypted to P. Is decrypted into plaintext P. For example, specific processing described in the first document and the second document may be applied to the encryption and decryption operations in each round, and detailed description thereof is omitted here.

  At this time, it is verified whether the plaintext P can be obtained by performing an inverse operation to decrypt the calculated ciphertext C at the time of encryption. At the same time, it is verified whether or not the expanded key K0 used in step Sd10 finally matches the key K used in the first step Se0 of the encoding in the reverse operation. This check has the following significance. For example, if an extended key is tampered with, for example, K3 is changed to K3 ′ in the middle of an encryption operation due to a failure analysis attack due to pulse laser irradiation or the like, the influence is sequentially propagated to the subsequent extended key. A ciphertext C ′ is generated by K10 ′. When the decryption inverse operation using the expanded key K10 'and the ciphertext C' is performed, the plaintext P is obtained in step Sd10, but the final expanded key becomes K0 'and does not match the original K. When the key is changed in encryption, the plaintext obtained by the reverse decryption operation matches the plaintext to be encrypted if the same key is used. Therefore, it is possible to detect abnormalities that cannot be detected only by the reverse operation of the ciphertext by comparing the expanded key (the key at step Se0 and the key at step Sd10). This is because the encoding operation and the decoding operation of the extended key are performed by referring to the value of the immediately preceding extended key, so that the key value is different between the beginning of the encoding operation and the end of the reverse decoding operation. By doing. FIG. 10 illustrates a timing chart of the encryption operation at the time of encryption, and FIG. 11 illustrates a timing chart of the decryption reverse operation performed at the time of encryption.

  In the decryption, only the expanded key calculation for generating the expanded key K10 used at the beginning of the decryption from the initial value K of the key is first performed in a preliminary manner, and the expanded key K10 obtained thereby is used to indicate Dec. The decoding operation is performed. Also in this decryption calculation, by verifying whether or not the extended key K0 used in step Sd10 finally matches the first key K, a failure analysis attack occurs in the preliminary extended key calculation step. It detects whether or not the expanded key has been tampered with. Since it is possible to detect whether or not the extended key has been falsified due to a failure analysis attack at the time of decryption by this key verification, it is not necessary to perform an inverse operation to encrypt the decryption result of the key in decryption. FIG. 12 illustrates a timing chart at the time of decryption, and FIG. 13 illustrates an operation timing chart when the expanded key is falsified by a failure analysis attack in the preliminary expanded key calculation process in the decryption. In FIG. 13, in order to output an erroneous plaintext and not activate the exception processing signal, it is necessary to make a fault again so that it becomes K0 at the end of the final extended key calculation. However, it is difficult to align all 128 bits. As for the attack when calculating the second K8 'that seems to be the easiest to inject again, the first calculation is calculated from round 7, the second calculation is calculated from round 9, and different circuits. It is practically difficult to perform a failure analysis attack in which a failure is injected into the operation and returned to K8. That is, the failure analysis attack countermeasure according to the present invention is considered to be strong.

  Returning to FIG. 1, a specific configuration of the AES coprocessor 7 will be described. In FIG. 1, the registers 21 to 24 are registers that can be accessed by the CPU 3, the key K is initially set in the key register 24, and the plaintext / ciphertext register 22 is plaintext to be encrypted or ciphertext to be decrypted. Is set by the CPU 3, and ciphertext or plaintext calculated by the AES calculation unit 20 is set. The control register 23 includes an encryption or decryption calculation start instruction bit, an encryption use mode bit for selecting an encryption use mode such as an ECB mode and a CBC (Cipher Block Chaining) mode. These bits can be read / written from the CPU 3 via the bus 10, and it is possible to confirm whether each mode is set or an operation is performed by a CPU command. The initial value register 21 is a register for storing an initial value that appears in the CBC mode or the like. The plaintext / ciphertext register 22 and the initial value register 21 are updated after the calculation by the AES coprocessor 7 is completed.

  The AES calculation unit 20 includes an interface circuit (I / F) 30, an intermediate value register 31, an AES calculation circuit 32, a control circuit 33, an extended key calculation circuit 34, and an extended key register 35. Based on the information of each bit of the control register, the control circuit 33 controls the data movement in the AES coprocessor 7, selects the calculation type of the AES calculation circuit 32, and manages the number of rounds currently calculated. I do. The control circuit 33 also performs control to change the status bit of the control register 23 at the end of the calculation. The intermediate value register 31 stores the encryption / decryption result in the middle of each round. The extended key calculator 34 sequentially calculates the extended key for each round. The extended key register 35 sequentially stores the calculated extended keys, and passes the extended key to the extended key calculator 34 for the next extended key calculation. The first key K is transferred from the key register 24 to the extended key register 35, and keys are exchanged between the extended key register 35 and the key register 24. That is, for example, the extended key calculated by the extended key calculator 34 and given to the extended key register 35 is transferred to the key register 24, and the extended key held by the key register 24 is transferred to the extended key register 35 before that. The The comparison key register 25 stores the first key K. The interface circuit 30 selects the data input type according to the encryption usage mode, and performs an EOR (exclusive logic ring) operation as necessary. The ASE operation circuit 32 performs encryption and decryption operations for each round using the values of the extended key register 35 and the intermediate value register 31. For example, specific processing described in the first document and the second document may be applied to the calculation, and detailed description thereof is omitted here. The comparator 26 is used to confirm whether the value of the key register 24 and the value of the comparison key register 25 match at a desired comparison timing. For example, the predetermined timing is the timing at which the last K0 value is determined by the decryption inverse operation as illustrated in FIG. 11 in the encryption process, and the preliminary process as illustrated in FIG. 12 in the decryption process. This is the timing at which the last K0 value of the decoding operation is determined. In the case of mismatch, a countermeasure against failure such as transition to a reset state by an exception processing signal is mounted in the system control logic 4.

  FIG. 14 illustrates a flowchart of cryptographic operations in the circuit of FIG. 1 when the key length is 128 bits and the cryptographic usage mode is the ECB mode. The processing of E0 to E10 corresponds to the processing of steps Se0 to Se10 in FIG. 7, and the arithmetic processing algorithms are equalized. FIG. 15 illustrates a flowchart of the inverse decoding operation after the processing of FIG. If the determination result of step STP1 does not match, it becomes clear that the extended key has been tampered with during the encryption operation following a failure analysis attack, and the process proceeds to exception processing. FIG. 17 illustrates a flowchart when the process of checking the coincidence between the plaintext to be encrypted in the encryption process and the plaintext obtained by the decryption reverse operation of the encrypted ciphertext is performed. The

  FIG. 16 illustrates a flowchart of the decryption operation in the case of the circuit of FIG. 1 when the key length is 128 bits and the encryption usage mode is the ECB mode. The processing of D0 to D10 corresponds to the processing of steps Sd0 to Sd10 in FIG. 7, and the arithmetic processing algorithms are made equal. FIG. 18 illustrates a flowchart when the reverse encryption operation of the plaintext decrypted in the decryption process is performed and the process of checking the match between the original ciphertext and the encrypted reverse ciphertext is also performed. Is done.

  In each of the above timing charts, the AES_CS bit is a control register bit that controls the start / end of AES encryption, and a status bit that informs the encryption operation status when AES Copro changes the AES_CS bit at the end of encryption. It is said.

  According to the AES coprocessor, when performing a decryption operation from ciphertext, or when performing a decryption inverse operation after encryption calculation from plaintext, with respect to the expanded key calculated and stored from the encryption key, In order to check if there is a failure attack, the back-up of the extended key is performed, and the result is compared with the stored extended key or encryption key. Trouble countermeasures can be taken.

  FIG. 19 shows a first modification of the AES coprocessor 7 of FIG. The AES coprocessor 7A shown in FIG. 19 has an AES operation unit 20A in which the comparison key register 25 and the comparator 26 are eliminated, and the AES operation unit 20A includes a control circuit 33A corresponding thereto. In this configuration, the decryption operation is performed by writing the first key used in the decryption operation to the key register 24 and the extended key register 35 at the start of the decryption operation. The expanded key register 35 stores an encryption key that is finally generated as a result of the exchange with the expanded key calculator 34. The sequential key replacement control between the key register 24 and the extended key register 35 is the same as in FIG. In this example, the CPU reads the expanded key finally obtained by the decryption operation from the key register 24 and determines its normality to verify the presence or absence of a failure attack. Since the other structure is the same as that of FIG. 1, detailed description thereof is omitted.

  In the circuit of FIG. 19, a flowchart when encryption operation is performed when the key length is 128 bits and the encryption use mode is the ECB mode is illustrated in FIG. 20, and the timing chart at that time is illustrated in FIG. 22.

  In the circuit of FIG. 19, a flowchart when the decryption operation is performed when the key length is 128 bits and the encryption use mode is the ECB mode is illustrated in FIG. 21, and the timing chart at that time is illustrated in FIG. 23. If the final round key K10 is not generated during the decryption operation, the post-generation operation is performed as shown in FIG.

  After the decryption operation is completed in the AES operation circuit 32, the value of the extended key register 35 and the value of the key register 24 are exchanged, and the generated encryption key can be read by the CPU 3 accessing the key register 24. It can be evaluated without a comparator whether there is a fault injection in it.

  In FIG. 19, the CPU reads the extended key obtained at the end of the encryption operation process from the key register 24 and determines its normality, thereby verifying the presence of a failure attack in the encryption operation process. It is. As a premise, the CPU 3 manages K10 in addition to the key K outside the AES coprocessor 7A.

  FIG. 24 shows a second modification of the AES coprocessor 7 of FIG. The AES coprocessor 7B of FIG. 24 has an expanded key storage register 40 instead of the comparison key register 25, and includes a comparator 41 whose value is also compared, and the AES operation unit 20B responds accordingly. A control circuit 33B is included. In this configuration, when the key K is generated, the CPU 3 constructs a system capable of generating extended keys K1 to K10 other than the encryption key K and delivering them so as to be set in advance in the extended key storage register 40. It is possible to detect fault injection by always comparing the expanded keys generated from. Since the other structure is the same as that of FIG. 1, detailed description thereof is omitted. In the circuit of FIG. 24, the flowchart of the cryptographic operation when the key length is 128 bits and the encryption usage mode is the ECB mode is illustrated in FIG. 25, and the flowchart of the decryption operation is illustrated in FIG. In step STO10 of FIG. 25, it is determined whether or not the expanded key of round i of the expanded key storage register matches the value of the expanded key register. In FIG. 26, in step STO20, it is determined whether or not the expanded key of round i of the expanded key storage register matches the value of the expanded key register. When the round variable i is 0, the value of the key register 24 is used instead of the extended key storage register 40.

  In FIG. 24, when failure countermeasures are not taken into account, detection by the comparator 41 can be stopped and an extended key can be loaded from the extended key storage register 40 and used. It is also possible to set the expanded key stored in the expanded key storage register 40 as a part of only the final round, etc., and perform the verification only on the stored expanded key, and input the expanded key calculation result to the AES arithmetic circuit.

  As represented by the modification examples in FIGS. 19 and 24, the timing of comparison between the extended key (including the encryption key) obtained by calculation and the stored extended key is various methods such as every round, only at the end of the calculation. Can be considered. In the first encryption operation, the expanded key is not necessarily calculated, but when the expanded key is already calculated and stored in the register, verification similar to the above-described decryption operation is possible.

<< Measures against failure attacks in OFB mode >>
In the encryption / decryption process in the OFB mode, as shown in FIG. 6, the encryption / decryption algorithm “E” is commonly used for both encryption and decryption. FIG. 8 shows this point in more detail. Both the Enc encoding and the Dec decoding are performed by performing the encryption process (E) using the key K for the input IV in common. A ciphertext C0 is generated by taking an exclusive OR with the plaintext P0 for the processing (E) result R, and an exclusive OR with the ciphertext C0 for the encryption processing (E) result R in the decryption To generate plaintext P0. Therefore, even if the reverse operation of decryption is simply performed at the time of encryption, the encryption process (E) is shared, so the effectiveness of detection against a failure attack is low. The encryption process (E) is the same as the encryption process of E in the ECB mode described so far, for example.

  FIG. 9 conceptually shows a verification process in the OFB mode encryption. An arithmetic process (E) is performed on the value Ii, and as a result, an exclusive logical ring with the plaintext Pi is taken for the result Ij to generate a ciphertext Ci, and the same arithmetic process (E) is performed on Ij. When the process of sequentially generating the ciphertext Cj by taking the exclusive logical ring with the plaintext Pj for the result Ik is performed in parallel with the encryption process (E) for Ij, the reverse operation to Ij, that is, the decryption process ( D) is performed. The decoding process (D) is the same as the D decoding process in the ECB mode described so far. For example, assuming that the key is autonomously processed to K0 to K10 in the encryption process (E) for Ij, the key of K10 to K0 is generated by the autonomous calculation process in the reverse operation to Ij, that is, the decryption process (D). To do. Therefore, the series of encryption processing (E) and inverse operation decryption processing (D) are substantially the same as the verification processing described with reference to FIG. 1, and similarly, it is possible to verify the presence or absence of a failure attack. As described above, when the encryption process (E) and the decryption process (D) that is the inverse operation of the previous encryption process (E) are parallelized, the process is performed as shown in FIG. In parallel with this, the reverse operation process R1 is performed, and in parallel with the process P2, the reverse operation process R2 is performed.

  FIG. 28 illustrates an AES coprocessor 7C having an automatic reverse calculation function in the OFB mode as shown in FIG. The configuration of the AES calculation unit 20C is different from that of FIG. 1, and two intermediate value registers 31a and 31b and two extended key registers 35a and 35b are provided to perform encryption and reverse calculation in parallel. The difference is that a comparison register 50, two comparators 51 and 52 are provided, and a control circuit 33C for controlling them is provided. In the configuration of FIG. 28, the reverse calculation results of both plaintext / ciphertext and the extended key are verified, and each result is output as an exception processing signal to the outside of the AES coprocessor 7C. EOR is an exclusive OR circuit.

  29 and 30 illustrate a flowchart when the encryption operation is performed in the circuit of FIG. 28 when the key length is 128 bits and the encryption usage mode is the OFB mode. The flowchart at the time of decryption is not particularly shown, but in FIGS. 29 and 30, the ciphertext C0 is inserted instead of the plaintext P0, and the plaintext P0 is inserted instead of the ciphertext C0.

  FIG. 31 shows a timing chart of the first operation of the cryptographic operation, which corresponds to the encryption process (E) of the process P0 in FIG. FIG. 32 illustrates a timing chart of the second operation of the cryptographic operation, which corresponds to the encryption process (E) of process P1 and the reverse operation decryption process of R1 in FIG. Each timing chart shows the AES_CS bit, which is a control / status signal in the control register, in addition to the registers, and the status of the verification bit indicating whether or not past cryptographic computation has been performed (that is, whether or not verification has been performed).

  According to FIG. 31, when “1” is written to the AES_CS bit via the bus 10, the AES operation unit 20C starts its operation. Since the result of the ciphertext and the expanded key that are the targets of the reverse calculation is not obtained for the operation immediately after the key setting, the intermediate value register 2 (31b), the comparison register (50), and the expanded key register 2 (35b) are undefined. It has become. The expanded key is sequentially generated for each cryptographic operation and the value of the expanded key register 1 (35a) is updated, and the operation result in each round is updated and stored in the intermediate value register 1 (31a). After the end of the final round, I1 that is the result of encryption of the initial value IV is stored in the intermediate value register 1 (31a). In order to perform the reverse calculation, the expanded key K10 of the last round is written in the expanded key register 2 (35b), and the initial value IV is written in the comparison register (50). After that, I1 is calculated in the initial value register (21), the value K0 of the key register (24) is calculated in the extended key register 1 (35a), and C0 is calculated from the values of I1 and plaintext P0, and written to the plaintext / ciphertext register. Then, a flag is set for the verification bit in the control register (23).

  According to FIG. 32, after the calculation of FIG. 31, the user obtains C0 from the plaintext / ciphertext register and writes P1. When “1” is written to the AES_CS bit via the bus 1, the AES operation unit 20C starts operation. The second time, the encryption operation of P1 and the decryption operation that is the inverse operation of C0 are processed in parallel. This process is a pipeline process. This is because the AES arithmetic circuit 32 and the extended key calculator 34 are shared for the encryption process and the inverse operation decryption process. Through pipeline processing, the extended keys for each round are sequentially generated to update the values of both extended key registers 35a and 35b, and the encryption / decryption operation results in each round are stored in both intermediate value registers 31a and 31b. Stored. After the final round, I2 which is the result of encryption of I1 is stored in the intermediate value register 1 (31a), and IV which is the result of decryption of I1 is stored in the intermediate value register 2 (31b). Here, the comparator 1 (51) compares the values of the comparison register (50) and the intermediate value register 2 (31b) to determine whether they are attacked during the first cryptographic operation or reverse calculation. Signal 1 informs the outside of the AES processor 7C. Similarly, the comparator 2 (52) compares the values of the key register (24) and the extended key register 2 (35b) for whether there is an attack in the expanded key operation. Notify outside. For example, when the system control logic 4 receives the exception processing signals 1 and 2, the IC card microcomputer is changed to a reset state or the like to shut off information from the outside or generate an interrupt, and the encrypted result of the AES is obtained. It is possible to notify that it is not valid.

  After the verification, in order to perform the next operation / back-calculation, the expanded key K10 of the final round is written in the expanded key register, and the initial value I1 is written in the comparison register 50. Thereafter, I2 is calculated in the initial value register 21, the value K0 of the key register 24 is calculated in the extended key register 1 (35a), and C1 is calculated from the values of I2 and plaintext P1 and written in the plaintext / ciphertext register 22, respectively.

  The same processing is performed for the subsequent ciphertext C2 = EOR (AES (I2), P2). For the last ciphertext Cn = EOR (In, Pn), although there is no plaintext to be encrypted, it is possible to verify by back-calculation by performing an AES operation once more, and a mode that only performs back-calculation Can also be provided exclusively.

  In the above, by writing the ciphertexts C0, C1,... In the plaintext / ciphertext register 22 instead of the plaintexts P0, P1,..., The encryption process (E) and its inverse operation decryption process also in the decryption operation in the OFB mode The same check can be performed by (D).

  The example of FIG. 28 has a circuit configuration that implements up to simultaneous encryption / decryption operations by hardware. However, by adding hardware that can perform decryption operations simply by inputting an initial value register, R1, R2, etc. in FIG. It is also possible to support inverse operations. In CFB mode, OFB mode, and CRT mode, the initial value is input to the AES coprocessor, but since the AES coprocessor performs encryption processing even during decryption, encryption is used as a countermeasure against failure attacks in those operation modes. Both the decryption and decryption are characterized in that the decryption operation is performed on the input value in parallel with the encryption operation of the input value. 28, the comparison circuit 52 may be eliminated, and the CPU 3 may read-access the key register 24 to determine the normality of the key.

  According to the embodiment of the present invention described above, the following operational effects are obtained.

  (1) When performing verification by performing reverse calculation, verification is performed not only on the result of reverse calculation, but also on whether the encryption key finally used in the reverse calculation matches the encryption key initially used in the initial calculation. As a result, it is possible to confirm whether or not an attack is made with a key schedule as shown in FIG.

  (2) When the expanded key is generated on the fly every time, the encryption key is calculated based on the expanded key of the final round at the time of decryption operation, so it is stored with the generated encryption key By comparing the encryption keys, it is possible to detect whether or not an erroneous extended key as shown in FIG. 4 is used. An encryption key is not generated at the time of encryption, but verification of an extended key can be incorporated by performing reverse calculation as verification. Even if it is possible to generate a wrong ciphertext by performing a failure analysis attack on the key schedule at the time of encryption, in order to make it impossible to detect at the time of verification by back calculation, decryption is performed when calculating the decryption key from the encryption key and at the time of decryption operation. A failure analysis attack when calculating an encryption key from a key is required, and two attacks are required in one cryptographic operation. Since the difficulty level of the fault injection due to the difference in the timing and location of the two attacks is increased, it is possible to improve the detection performance by the check against the fault analysis attack.

  (3) Even when the encryption usage mode is the OFB mode or the like, the encryption and decryption operations are not simply performed by the AES arithmetic circuit as shown in FIG. Since the decoding operation (D) is performed on the input value in parallel with (E), it becomes difficult to make the same error even if a fault is injected twice as shown in FIG. Detection performance by verification can be improved.

  Although the invention made by the present inventor has been specifically described based on the embodiments, it is needless to say that the present invention is not limited thereto and can be variously modified without departing from the gist thereof.

  For example, the data processing apparatus according to the present invention is not limited to an IC card microcomputer, and may be an RFID chip, a general-purpose microcomputer, or the like. Furthermore, the data processing apparatus according to the present invention is not limited to a one-chip semiconductor integrated circuit. Further, the data processing apparatus may not be equipped with a public cryptographic processor. In the present invention, the processor that performs encryption / decryption is not limited to a coprocessor that performs processing conforming to DES or AES, and can be changed as appropriate.

FIG. 1 is a block diagram showing an implementation example of an AES coprocessor as an example of a common key cryptographic processor. FIG. 2 is a block diagram of an IC card microcomputer according to an example of the present invention. FIG. 3 is an explanatory diagram illustrating a case where a failure attack cannot be dealt with because only the same result can be obtained no matter how many times the same operation is repeated when the value is changed by receiving a single attack on the extended key register. It is. FIG. 4 shows the possibility of invalidating the verification for a fault attack by giving the same fault injection every time and generating the same wrong value when the same calculation is performed at the same timing in each calculation of a plurality of calculations. It is explanatory drawing which shows that there exists. FIG. 5 is an explanatory diagram showing an ECB mode as an encryption usage mode. FIG. 6 is an explanatory diagram showing the OFB mode as the encryption usage mode. FIG. 7 is an explanatory view exemplifying calculation methods for encryption and decryption in the ECB mode. FIG. 8 is an explanatory diagram showing in detail that the “encryption processing” algorithm indicated by E is commonly used for both encryption and decryption in the OFB mode. FIG. 9 is an explanatory diagram conceptually illustrating a verification process in the OFB mode encryption. FIG. 10 is a timing chart of the encryption operation performed when encrypting in the ECB mode. FIG. 11 is a timing chart of the reverse decryption operation performed when encrypting in the ECB mode. FIG. 12 is an operation timing chart for decoding in the ECB mode. FIG. 13 is an operation timing chart when the extended key is altered by a failure analysis attack in the preliminary extended key calculation process in the ECB mode decryption. FIG. 14 is a flowchart of cryptographic operations in the circuit of FIG. 1 when the key length is 128 bits and the cryptographic usage mode is the ECB mode. FIG. 15 is a flowchart of the inverse decoding operation after the processing of FIG. FIG. 16 is a flowchart of the decryption operation when the key length is 128 bits and the encryption usage mode is the ECB mode in the circuit of FIG. FIG. 17 is a flowchart when the process of checking the coincidence between the plaintext to be encrypted and the plaintext obtained by the decryption inverse operation of the encrypted ciphertext in the encryption process is also performed. FIG. 18 is a flowchart when the reverse encryption operation of the plaintext decrypted in the decryption process is performed, and the process of checking the match between the original ciphertext and the encrypted reverse ciphertext is also performed. FIG. 19 is a block diagram showing a first modification of the AES coprocessor of FIG. FIG. 20 is a flowchart when the encryption operation is performed in the circuit of FIG. 19 when the key length is 128 bits and the encryption usage mode is the ECB mode. FIG. 21 is a flowchart when the decryption operation is performed in the circuit of FIG. 19 when the key length is 128 bits and the encryption usage mode is the ECB mode. FIG. 22 is a timing chart corresponding to FIG. FIG. 23 is a timing chart corresponding to FIG. FIG. 24 is a block diagram showing a second modification of the AES coprocessor 7 of FIG. FIG. 25 is a flowchart of the cryptographic operation in the circuit of FIG. 24 when the key length is 128 bits and the encryption usage mode is the ECB mode. FIG. 26 is a flowchart of the decoding operation of FIG. In FIG. 27, when the encryption process (E) and the decryption process (D) that is the inverse operation of the preceding encryption process (E) are parallelized, the inverse operation process R1 is performed in parallel with the process P1, and the process P2 is performed. It is explanatory drawing which illustrates a mode that reverse operation process R2 is performed in parallel. FIG. 28 is a block diagram illustrating an AES coprocessor 7C having an automatic reverse calculation function in the OFB mode as shown in FIG. FIG. 29 is a flowchart when an encryption operation is performed in the circuit of FIG. 28 when the key length is 128 bits and the encryption usage mode is the OFB mode. FIG. 30 is a flowchart following FIG. FIG. 31 is a timing chart of the first operation of the cryptographic operation and is a timing chart corresponding to the encryption process (E) of the process P0 of FIG. FIG. 32 is a timing chart of the second operation of the cryptographic operation, corresponding to the encryption process (E) of process P1 and the reverse operation decryption process of R1 in FIG.

Explanation of symbols

1 Microcontroller for IC card 2 Communication module 3 Central processing unit (CPU)
4 System control logic 5 Non-volatile memory 6 RAM
7, 7A, 7B, 7C Common Key Cryptographic Processor 8 Public Key Cryptographic Processor 9 Clock Generation Circuit 10 Internal Bus 20, 20A, 20B, 20C AES Operation Unit 21 Initial Value Register 22 Plain Text / Cipher Text Register 23 Control Register 24 Key Register 25 Comparison key register 26, 41, 51, 52 Comparator 30 Interface circuit (I / F)
31, 31a, 31b Intermediate value register 32 AES arithmetic circuit 33, 33A, 33B, 33C Control circuit 34 Extended key calculation circuit 35, 35a, 35b Extended key register 40 Extended key storage register 50 Comparison register

Claims (21)

A data processing apparatus including a processor that encrypts plaintext and decrypts ciphertext using an encryption key,
When the encryption is performed on the plaintext as an initial operation, the processor performs decryption on the encryption result as a reverse operation of the original operation, or the decryption on the ciphertext is initially performed. When performing as the operation of, the encryption for the result of the decryption is performed as a reverse operation of the initial operation, and has a storage circuit that holds the encryption key finally used in the reverse operation,
The data processing device is configured to be accessible to the storage circuit in order to verify whether or not the encryption key finally used in the reverse calculation matches the encryption key used initially in the initial calculation. Data processing device. A data processing apparatus including a processor that encrypts plaintext and decrypts ciphertext using an encryption key,
When the encryption is performed on the plaintext as an initial operation, the processor performs decryption on the encryption result as a reverse operation of the original operation, or the decryption on the ciphertext is initially performed. Is performed as a reverse operation of the initial operation, and the encryption key finally used in the reverse operation matches the encryption key initially used in the initial operation. A data processing device that verifies A data processing apparatus comprising a processor,
The processor repeats the encryption operation using the encryption key sequentially updated based on the initial value of the encryption key input from the outside of the processor a plurality of times sequentially with respect to the result of the encryption operation, The plaintext input from the encryption is performed, or the decryption operation using the encryption key sequentially updated based on the encryption key input from the outside of the processor is sequentially repeated a plurality of times for the result of the decryption operation, A decryption is performed on the ciphertext input from the outside of the processor, and the storage circuit that holds the latest updated encryption key used for the encryption operation or the decryption operation,
When the data processing apparatus performs the encryption as an initial operation on the plaintext , the data processing device performs a decryption on the encryption result as a reverse operation of the original operation, or the decryption on the ciphertext Is performed as an initial operation, encryption for the result of the decryption is performed as a reverse operation of the original operation , and the encryption key finally used in the reverse operation matches the encryption key initially used in the initial operation In order to verify whether or not, the data processing device is configured to be accessible to the storage circuit.   The data processing apparatus according to claim 3, further comprising a central processing unit that controls the processor, wherein the storage circuit is arranged in an address space of the central processing unit.   5. The storage circuit is an area in which an initial value of the encryption key is written by a central processing unit, and thereafter is an area that is rewritten with the latest encryption key that is sequentially updated based on the initial value of the encryption key. The data processing apparatus described.   When encrypting plaintext, the processor performs an inverse operation on the encryption result used as the initial value of the encryption key used in the last encryption operation of the encryption, and used at the end of the decryption. The data processing apparatus according to claim 3, wherein an encryption key is written in the storage circuit.   When decrypting the ciphertext, the processor repeatedly updates the initial value of the encryption key in the same manner as in the case of encryption, generates an encryption key used at the end of encryption, and uses the generated encryption key as an initial value. 4. The data processing device according to claim 3, wherein the decryption operation is sequentially repeated a plurality of times to perform decryption, and the encryption key used at the end of decryption is written to the storage circuit.   The comparator further comprising: a comparator for determining whether or not the encryption key used at the end of the decryption written in the storage circuit matches the encryption key used at the beginning of the encryption. Data processing equipment. The discrimination result of the mismatch by the comparator is a signal requesting an exception process,
The data processing apparatus according to claim 8, further comprising a central processing unit that requires the exception processing.   The data processing apparatus according to claim 9, wherein the exception process is a reset exception process of the central processing unit. A data processing apparatus comprising a processor,
The processor performs serial encryption for a plurality of units by repeating unit encryption using a cryptographic key that is sequentially updated based on an initial value of the cryptographic key input from the outside, and performs encryption in series. In addition, the unit decryption is performed by serially performing unit decryption for a plurality of units in order to repeat the operation using the encryption key sequentially updated based on the encryption key input from the outside, and performing decryption.
The unit encryption is an encryption logic that uses an encryption process that sequentially repeats an encryption operation using an encryption key that is sequentially updated based on an initial value of an encryption key that is input from the outside, and a processing result of the encryption process. Consisting of operations,
The unit decryption includes an encryption process that sequentially repeats the encryption operation using an encryption key that is sequentially updated based on an initial value of an encryption key that is input from the outside, and a decryption logic operation that uses a processing result of the encryption process And
In parallel with the encryption processing of the unit encryption of the next block, the processor receives the result of the encryption processing of the unit encryption of the previous block in the encryption, and the result of the encryption processing of the unit encryption of the previous block A decryption process as an inverse operation of the encryption process of unit encryption, and a storage circuit that holds the latest updated encryption key used in the inverse operation,
Wherein the data processing apparatus, since the final encryption key used in the inverse operation to verify whether the match the encryption key used for the first in the encrypted configured the storage circuit accessibly , Data processing equipment. The processor uses the result of the unit decryption process of the previous block in parallel with the unit decryption process of the next block that receives the result of the unit decryption process of the previous block in the decryption. Perform decryption processing as the inverse operation of encryption processing of encryption,
The data processing apparatus according to claim 11, wherein the storage circuit holds the latest updated encryption key used for the inverse operation.   The data processing device according to claim 12, further comprising a central processing unit that controls the processor, wherein the storage circuit is arranged in an address space of the central processing unit.   14. The storage circuit is an area in which an initial value of the encryption key is written by a central processing unit, and thereafter is an area that is rewritten with the latest encryption key that is sequentially updated based on the initial value of the encryption key. The data processing apparatus described.   The data processing apparatus according to claim 12, wherein the encryption logical operation and the decryption logical operation are exclusive OR operations.   13. The data according to claim 12, further comprising a comparator for determining whether or not the encryption key used at the end of the decryption written in the storage circuit matches the encryption key used at the beginning of the encryption. Processing equipment. The discrimination result of the mismatch by the comparator is a signal requesting an exception process,
The data processing apparatus according to claim 16, further comprising a central processing unit for which the exception processing is required.   The data processing apparatus according to claim 17, wherein the exception process is a reset exception process of the central processing unit.   The data processor according to claim 3 or 12, wherein the processor conforms to AES.   The data processing apparatus according to claim 3 or 12, wherein the data processing apparatus is a microcomputer for an IC card formed on a semiconductor substrate.   The data processor according to claim 3 or 11, wherein the processor has a function of processing verification by decryption processing in an encryption usage mode that uses only an encryption function of an encryption algorithm.

Images