JP5765733B2 - Information processing apparatus, information processing method, and program thereof - Google Patents

Description

  The present invention relates to an information processing apparatus, an information processing method, and a program thereof.

  Conventionally, as an information processing device that evaluates tamper resistance, which is resistance to an attack from the outside of the cryptographic processing circuit, the tamper resistance is actually determined by whether or not the attack is actually attempted to the cryptographic processing circuit. What is to be evaluated is known. As such an attack technique, power difference analysis is known in which secret information is acquired from power consumption using the relationship between the power consumption of the cryptographic processing circuit and the secret information in the circuit. For example, Patent Document 1 describes that power consumption is calculated based on the number of times a signal of a logic circuit changes, and a tamper resistance is evaluated by performing a power difference analysis. Patent Document 2 describes that the tamper resistant circuit is evaluated by comparing the results of the power difference analysis when the function of the tamper resistant circuit is enabled and when the function is not enabled. .

  Here, the power difference analysis is an attack technique in which an average value is obtained from a large number of power consumption data of the encryption circuit, and secret information is obtained based on the difference between the two when the data is grouped into two. is there. For example, the power difference analysis is performed as follows. First, the power consumption of the cryptographic processing circuit is measured, and a large number of power consumption data in which output data and power consumption are associated with each other is acquired. Subsequently, secret information (for example, a secret key) to be acquired is assumed to be a specific value, and input data of the cryptographic processing circuit for output data of power consumption data is predicted under the assumption. Next, a specific bit in the input data is set as a selection function, and the power consumption data is divided into two groups depending on whether the selection function has a value of 0 or 1, and an average waveform of power consumption for each group is obtained. The difference between the average waveforms of the two groups is obtained. Such an average waveform difference is obtained for all patterns that can be taken by the secret information (for example, 256 patterns in the case of an 8-bit secret key). In this way, the variation in power consumption data due to different input data is canceled in the average waveform, while when the assumed secret information is a correct value, it depends on whether the selection function is a value 0 or a value 1. Since the difference in power consumption in the cryptographic processing circuit is not canceled, the average waveform difference becomes a large value. On the other hand, when the assumed secret information is not a correct value, the difference between the average waveforms of the two groups is a small value. Using such a property, it is possible to acquire the secret information by estimating that the assumed value of the secret information when the difference between the average waveforms is the maximum is a correct value.

International Publication No. 2006-006198 Japanese Patent No. 4594665

  However, the technique of evaluating the tamper resistance based on whether or not the attack is successful by performing an attack on the cryptographic processing circuit by the power difference analysis has a problem that the evaluation takes time and effort. For example, in order to perform one attack in the power difference analysis, it takes time and effort because it is necessary to derive a difference between the average waveforms for all patterns that can be taken by the secret information and compare them. Furthermore, since the success or failure of the attack depends on which bit the selection function is set to, it is necessary to change the selection function and test this multiple time-consuming attacks using power difference analysis. there were. For this reason, it has been desired to evaluate tamper resistance more efficiently.

  The present invention has been made in view of the above-described problems, and has as its main object to more efficiently evaluate tamper resistance of a cryptographic processing circuit.

The information processing apparatus of the present invention
An information processing apparatus for evaluating tamper resistance of a cryptographic processing circuit,
Power consumption data acquisition means for acquiring a plurality of power consumption data in which a state variable indicating a state of at least one of an input bit and an output bit in the cryptographic processing circuit and power consumption in the cryptographic processing circuit are associated;
Based on the plurality of acquired power consumption data, regression analysis is performed using the power consumption as an objective variable and the state variable associated with the power consumption as an explanatory variable. An analysis means for deriving either as an analysis value;
Evaluation means for evaluating tamper resistance of the cryptographic processing circuit based on the derived analysis value;
It is equipped with.

  In the information processing apparatus of the present invention, a plurality of pieces of power consumption data in which state variables representing the state of at least one of input bits and output bits in the cryptographic processing circuit and power consumption in the cryptographic processing circuit are associated with each other are acquired and acquired. Based on a plurality of power consumption data, a regression analysis is performed using power consumption as an objective variable and a state variable associated with power consumption as an explanatory variable, and at least one of a determination coefficient and a regression coefficient is analyzed as an analysis value. To derive. Then, the tamper resistance of the cryptographic processing circuit is evaluated based on the derived analysis value. The analysis value thus derived represents the correlation between the state variable and the power consumption. In other words, it represents whether or not the value of the state variable is easily estimated from the power consumption. By evaluating tamper resistance based on this analysis value, the tamper resistance of the cryptographic processing circuit can be improved compared to the case where tamper resistance is evaluated based on whether or not the attack is successful after multiple power differential analysis attacks. It can be evaluated efficiently. Here, regression analysis means either or both of multiple regression analysis and single regression analysis. The coefficient of determination means one or both of a coefficient of determination adjusted for the degree of freedom and a coefficient of determination for which the degree of freedom has not been adjusted. The regression coefficient means either or both of a regression coefficient in single regression analysis and a partial regression coefficient in multiple regression analysis. In addition, the state variable representing the state of at least one of the input bit and the output bit may be, for example, the value of at least one of the input bit and the output bit, or may be the presence or absence of a value transition. In addition, the state variable may be a variable representing the value of one bit of the input bits or the output bits or the presence / absence of transition of values.

  In the information processing apparatus of the present invention, the power consumption data acquisition means is means for acquiring a plurality of power consumption data in which a plurality of different state variables and power consumption in the cryptographic processing circuit are associated, and the analysis The means performs a multiple regression analysis using the power consumption as an objective variable and the plurality of state variables associated with the power consumption as explanatory variables based on the acquired power consumption data, and the coefficient of determination is determined by the analysis. And at least one of partial regression coefficients may be derived as the analysis value. In this way, since the correlation between the plurality of state variables and the power consumption can be collectively analyzed by multiple regression analysis, tamper resistance can be evaluated more efficiently than when performing multiple regression analysis.

  In the information processing apparatus of the present invention, the analysis means is a means for deriving the partial regression coefficient as the analysis value, and the evaluation means is based on the derived partial regression coefficient, and It is good also as a means to determine a state variable with low tamper resistance among several state variables. In this way, it is possible to specifically determine a state variable with low tamper resistance. In this case, when there is a partial regression coefficient that is not included in the predetermined partial regression coefficient allowable area among the derived partial regression coefficients, it is determined that the tamper resistance of the state variable corresponding to the partial regression coefficient is low. It is good also as a means to do. In this way, the tamper resistance of each state variable can be evaluated by a simple method. Here, the predetermined partial regression coefficient allowable region is a region of the partial regression coefficient that can be regarded as having high tamper resistance, and may be a region that is empirically determined by experiment, for example. In addition, when there is a state variable determined to have low tamper resistance based on the partial regression coefficient, the evaluation unit performs a power difference analysis of the cryptographic processing circuit using the state variable as a selection function, and the power difference analysis It may be a means for evaluating the tamper resistance of the cryptographic processing circuit depending on whether or not the above has succeeded. By doing this, tamper resistance can be more reliably evaluated because power difference analysis is performed on the state variable determined to have low tamper resistance and the tamper resistance is evaluated.

  In the information processing apparatus of the present invention, the analysis unit is a unit that derives the determination coefficient as the analysis value, and the evaluation unit determines whether or not the derived determination coefficient is included in a predetermined determination coefficient allowable region. Based on the above, it may be a means for determining whether or not the tamper resistance is high. In this way, since the determination coefficient represents the overall correlation between the state variable and the power consumption, the tamper resistance can be evaluated based on the determination coefficient. Here, the predetermined determination coefficient allowable region is a region of a determination coefficient that can be regarded as having a low overall correlation between state variables and power consumption and having high tamper resistance. Good. In this case, the analysis means is means for deriving the determination coefficient and the partial regression coefficient as the analysis value, and the evaluation means is a predetermined determination in which the derived determination coefficient is different from the determination coefficient allowable region. When it is included in the coefficient non-permissible region, it is determined that tamper resistance is low, and when the derived determination coefficient is not included in either the determination coefficient allowable region or the determination coefficient non-permissible region, the derived It is good also as a means to determine a state variable with low tamper resistance among said several state variables based on a partial regression coefficient. In this way, when the determination by the determination coefficient is not high in tamper resistance, but the tamper resistance is not low, it is possible to specifically determine a state variable with low tamper resistance. For this reason, evaluation of tamper resistance can be efficiently performed as compared with the case of always determining a state variable having low tamper resistance. Here, the predetermined determination coefficient non-permissible area is an area of a determination coefficient that can be regarded as having a high overall correlation between state variables and power consumption and having low tamper resistance. Also good. In addition, when the derived coefficient of determination is not included in any of the determination coefficient allowable area and the determined coefficient non-permissible area, the determined coefficient is included in an intermediate area between the determined coefficient allowable area and the determined coefficient non-allowable area. Means when. In this case, the evaluation means determines that the derived partial regression coefficient is a predetermined partial regression coefficient when the derived determination coefficient is not included in any of the determination coefficient allowable area and the determination coefficient non-allowable area. Means for determining whether or not the state variable is included in the allowable region and determining that the tamper resistance of the state variable corresponding to the partial regression coefficient not included in the partial regression coefficient allowable region is low may be used. In this way, the tamper resistance of each state variable can be evaluated by a simple method.

  In the information processing apparatus of the present invention, the evaluation unit determines whether or not the tamper resistance is high based on a standard deviation of the acquired plurality of pieces of power consumption data. The tamper resistance of the cryptographic processing circuit may be evaluated based on the analyzed value. When the standard deviation of the power consumption data is small, that is, when the variation of the power consumption data is small, the correlation between the state variable and the power consumption data is also small, so that tamper resistance is considered high. Therefore, by evaluating tamper resistance based on analysis values when it is determined that tamper resistance is low based on the standard deviation of power consumption data, efficiency is always higher than when evaluating tamper resistance based on analysis values. Tamper resistance can be evaluated.

  In the information processing apparatus of the present invention, the cryptographic processing circuit includes a random number mask circuit that masks an internal circuit operation with a value of a random number bit, and the power consumption data acquisition unit includes an input bit in the cryptographic processing circuit. And a means for obtaining a plurality of the power consumption data in which the state variable indicating the state of at least one of the output bits and the state variable indicating the state of the random number bit are associated with the power consumption in the cryptographic processing circuit, Based on the plurality of acquired power consumption data, a regression analysis is performed using the power consumption as an objective variable and a state variable representing the state of the random number bit associated with the power consumption as an explanatory variable, and is determined by the analysis. Deriving at least one of a coefficient and a regression coefficient as a correlation value between the random number bits and the power consumption, and based on the correlation value, When it is determined that the correlation between the random number bits and the power consumption is high, the plurality of acquired power consumption data is classified into a plurality of groups according to the value of the random number bits, and the analysis means is the same The analysis value may be derived by performing the regression analysis based on the power consumption data belonging to the group. In this way, when the correlation between the random number bits of the random number mask circuit and the power consumption is high, the tamper resistance can be evaluated by removing the influence of the random number bits by performing the regression analysis after grouping the power consumption data. As a result, for example, as an attack on the actual cryptographic processing circuit, first, the value of the random number bit is read from the correlation between the power consumption data and the random number bit, and then only the power consumption data having the same value of the random number bit. Tamper resistance against attack techniques such as power difference analysis can be evaluated. Here, the random number mask circuit includes, for example, an RSL (Random Switch Logic) circuit and an MDPL (Masked Dual-rail Pre-charge Logic) circuit.

The information processing method of the present invention includes:
An information processing method for evaluating tamper resistance of a cryptographic processing circuit,
(A) obtaining a plurality of power consumption data in which state variables representing at least one state of input bits and output bits in the cryptographic processing circuit are associated with power consumption in the cryptographic processing circuit;
(B) Based on the acquired plurality of power consumption data, regression analysis is performed using the power consumption as an objective variable and the state variable associated with the power consumption as an explanatory variable. Deriving at least one of the coefficients as an analysis value;
(C) evaluating the tamper resistance of the cryptographic processing circuit based on the derived analysis value;
Is included.

  In the information processing method of the present invention, a plurality of power consumption data in which a state variable representing the state of at least one of an input bit and an output bit in the cryptographic processing circuit and power consumption in the cryptographic processing circuit are associated are acquired and acquired. Based on a plurality of power consumption data, a regression analysis is performed using power consumption as an objective variable and a state variable associated with power consumption as an explanatory variable, and at least one of a determination coefficient and a regression coefficient is analyzed as an analysis value. To derive. Then, the tamper resistance of the cryptographic processing circuit is evaluated based on the derived analysis value. The analysis value thus derived represents the correlation between the state variable and the power consumption. In other words, it represents whether or not the value of the state variable is easily estimated from the power consumption. By evaluating tamper resistance based on this analysis value, the tamper resistance of the cryptographic processing circuit is more efficient than when tamper resistance is evaluated based on whether the power analysis attack is performed multiple times and the attack succeeds. Can be evaluated. In this information processing method, various aspects of the information processing apparatus described above may be adopted, or steps for realizing each function of the information processing apparatus described above may be added.

  The program of the present invention is for causing one or more computers to realize each step of the information processing method described above. If this program is executed by a computer, the information processing method of the present invention described above is realized, and thus the same operation and effect as the information processing method of the present invention can be obtained. The program of the present invention may be recorded on a computer-readable recording medium (eg, hard disk, ROM, FD, CD, DVD, etc.) or via a transmission medium (communication network such as the Internet or LAN). It may be distributed from a computer to another computer, or may be exchanged in any other form.

1 is a configuration diagram showing an outline of the configuration of an information processing apparatus 10. FIG. The flowchart which shows an example of a tamper resistance evaluation routine. FIG. 3 is a configuration diagram showing an outline of a configuration of an evaluation circuit 40. Explanatory drawing of the truth table which defined the output value of SubBytes conversion circuit 44. 4 is an explanatory diagram illustrating an example of evaluation circuit data representing an evaluation circuit 40. FIG. Explanatory drawing which shows an example of the circuit data for evaluation after conversion. Explanatory drawing which shows an example of the input data which the input data generation part 23 produced | generated. Explanatory drawing which shows an example of a simulation result. Explanatory drawing of the acquired power consumption data. The flowchart which shows an example of an analysis evaluation process. Explanatory drawing which shows an example of the derived | led-out analytical value. FIG. 2 is a configuration diagram showing an outline of the configuration of an information processing apparatus 110. The block diagram which shows the outline of a structure of the circuit for evaluation 140. Explanatory drawing which showed the content of the acquired power consumption data as a table. The flowchart which shows an example of an analysis evaluation process. Explanatory drawing which shows an example of the derived | led-out analysis value and correlation value. In the evaluation experiment 1 showed a value of coefficient of determination R ² for each time slot graph. The graph which showed the value of the partial regression coefficients a1-a8 with respect to each time slot in the evaluation experiment 1. FIG. The graph which showed the relationship between the total number of power consumption data in the evaluation experiment 1, and the order of a correct key. In the evaluation experiment 2 showed the value of the coefficient of determination R ² for each time slot graph. The graph which showed the value of the partial regression coefficients a1-a8 with respect to each time slot in the evaluation experiment 2. FIG. The graph which showed the relationship between the total number of power consumption data in the evaluation experiment 2, and the order of a correct key. In the evaluation experiment 3 showed a value of coefficient of determination R ² for each time slot graph. The graph which shows the value of the partial regression coefficients a1-a8, b with respect to each time slot in the evaluation experiment 3. FIG. The graph which showed the relationship between the total number of power consumption data in the evaluation experiment 3, and the order of a correct key. 10 is a graph showing the relationship between the Hamming weight of the input bit A and the power consumption W in the evaluation experiment 3. The graph which showed the value of the partial regression coefficients a1-a8 with respect to each time slot after grouping in the evaluation experiment 3. FIG. The graph which showed the relationship between the total number of the power consumption data after grouping in the evaluation experiment 3, and the order | rank of a correct key. The graph which shows an example of the evaluation result of the tamper resistance by the information processing apparatus of an Example in the evaluation experiment 4. The graph which showed the relationship between the total number of power consumption data in the evaluation experiment 4, and the order of a correct key. 10 is a graph showing the relationship between the Hamming weight of the input bit A and the power consumption W in the evaluation experiment 4.

[First Embodiment]
FIG. 1 is a configuration diagram illustrating an outline of a configuration of an information processing apparatus 10 according to the first embodiment. As illustrated, the information processing apparatus 10 includes a control unit 12, a storage unit 14, a display unit 16, and an operation unit 18. The information processing apparatus 10 is a general-purpose computer, for example, and has a function as an apparatus for evaluating tamper resistance of the cryptographic processing circuit.

  The control unit 12 controls the entire information processing apparatus 10 and is configured as a processor including a CPU, a ROM, a RAM, and the like. The control unit 12 executes a tamper resistance evaluation program stored in the storage unit 14, controls the display unit 16 to output display data and displays a screen, and inputs an operation signal from the operation unit 18. To do.

  The storage unit 14 is configured as a mass storage device such as an HDD, and stores various application programs and various data files. The storage unit 14 includes a tamper resistance evaluation program 20 and a circuit database 31.

  The tamper resistance evaluation program 20 includes an evaluation circuit data generation unit 21, an evaluation circuit data conversion unit 22, an input data generation unit 23, a circuit simulator 24, a power consumption data acquisition unit 25, and an analysis unit 26. And an evaluation unit 27. The evaluation circuit data generation unit 21 has a function of reading data stored in the circuit database 31 of the storage unit 14 and generating evaluation circuit data that is data of a cryptographic processing circuit to be evaluated for tamper resistance. Have. The evaluation circuit data converter 22 has a function of converting the evaluation circuit data generated by the evaluation circuit data generator 21 into a data format that can be used by the circuit simulator 24. The input data generation unit 23 has a function of generating input data to be input to the evaluation circuit in the simulation performed by the circuit simulator 24. The circuit simulator 24 acquires the evaluation circuit data converted by the evaluation circuit data conversion unit 22 and the input data generated by the input data generation unit 23, and converts the evaluation circuit data into the evaluation circuit represented by the evaluation circuit data. It has a function of simulating a circuit operation when input data is input and generating output data and a consumption current waveform. In the present embodiment, the circuit simulator 24 is SPICE (Simulation Program with Integrated Circuit Emphasis) which is software for simulating the analog operation of an electronic circuit. The power consumption data acquisition unit 25 determines, based on the result of the simulation in the circuit simulator 24, a state variable indicating the state of at least one of the input bit and the output bit in the cryptographic processing circuit represented by the evaluation circuit data and the cryptographic processing circuit. It has a function of acquiring a plurality of power consumption data associated with power consumption. Based on the plurality of power consumption data acquired by the power consumption data acquisition unit 25, the analysis unit 26 performs regression analysis using the power consumption as an objective variable and state variables associated with the power consumption as explanatory variables. It has a function of deriving at least one of a determination coefficient and a regression coefficient as an analysis value. The evaluation unit 27 has a function of evaluating the tamper resistance of the cryptographic processing circuit based on the analysis value derived to the analysis unit 26. The control unit 12 executes the tamper resistance evaluation program 20, whereby the evaluation circuit data generation unit 21, the evaluation circuit data conversion unit 22, the input data generation unit 23, the circuit simulator 24, and the power consumption data acquisition unit 25. The above-described functions of the analysis unit 26 and the evaluation unit 27 are realized.

  The circuit database 31 stores data including circuit data of the entire device including the cryptographic processing circuit to be evaluated for tamper resistance and the device including the cryptographic processing circuit, and design data such as a cell library of the device.

  The display unit 16 is configured as a liquid crystal display, for example, and has a function of displaying an image based on display data output from the control unit 12 and displaying various information to the user. The operation unit 18 is configured as an input device such as a keyboard or a mouse, for example, and has a function of outputting an operation signal based on an operation input from a user to the control unit 12.

  Next, the operation of the information processing apparatus 10 configured as described above, particularly, the operation when evaluating the tamper resistance of the cryptographic processing circuit will be described. FIG. 2 is a flowchart illustrating an example of a tamper resistance evaluation routine. In this routine, when the user operates the operation unit 18 to specify an evaluation circuit to be evaluated for tamper resistance, and the control unit 12 instructs to perform tamper resistance evaluation, the control unit 12 performs a tamper resistance evaluation program. This is done by executing 20.

  When this tamper resistance evaluation routine is executed, the evaluation circuit data generation unit 21 first converts the circuit data of the evaluation circuit designated by the user into the data stored in the circuit database 31 as the evaluation circuit data. It generates based on (Step S100). FIG. 3 is a configuration diagram showing an outline of the configuration of the evaluation circuit 40. In the present embodiment, the following description will be given on the assumption that the user has designated the tamper resistance evaluation of the evaluation circuit 40 shown in this figure. The evaluation circuit 40 is an encryption processing circuit configured as a partial module of an AES (Advanced Encryption Standard) circuit, which is one of encryption methods, and includes a register 42, a SubBytes conversion circuit 44, and an exclusive OR. Circuit 46. The register 42 holds the input 8-bit input bit A. The SubBytes conversion circuit 44 is connected to the output unit of the register 42 and performs SubBytes processing, which is nonlinear conversion in AES, on the input bit A. The output determined by the truth table corresponding to the input bit A A logic circuit configured to output a value. FIG. 4 is an explanatory diagram of a truth table that defines the output value of the SubBytes conversion circuit 44. As shown in this figure, the value of the upper 4 bits of the input bit A is the vertical axis, the value of the lower 4 bits is the horizontal axis, and the value located at the intersection of both is the output value (8 bits). For example, when the upper 4 bits of the input A have the value 0 (0000 in binary notation) and the lower 4 bits of the input A have the value 8 (1000 in binary notation), the SubBytes conversion circuit 44 outputs the value 30. The exclusive OR circuit 46 is a circuit that performs an AddRoundKey process, which is a process for incorporating a secret key for encryption in AES, and the output value of the SubBytes conversion circuit 44 and the secret key input to the exclusive OR circuit 46. An exclusive OR with K (8 bits) is calculated, and the result is output as an output bit B (8 bits). FIG. 3 shows an outline of the evaluation circuit 40. The actual evaluation circuit data is data representing the evaluation circuit 40 in a predetermined hardware description language (for example, Verilog-HDL). FIG. 5 is an explanatory diagram illustrating an example of evaluation circuit data representing the evaluation circuit 40. In FIG. 5, “module SingleSbAttack (x, k, clk, y);” to “endmodule” are descriptions of the highest hierarchy of the evaluation circuit 40. Among them, "always @ (posedge clk) begin" to "end" are descriptions representing the register 42, and "SubBytesTBL sb1 (.x (dreg) ,. y (addkey_in));" is a description representing the SubBytes conversion circuit 44 , “Assign y = addkey_in ^ k;” is a description representing the exclusive OR circuit 46. Also, “module SubBytesTBL (x, y);” and subsequent descriptions are descriptions representing details of the configuration of the SubBytes conversion circuit 44.

  Next, the evaluation circuit data converter 22 converts the evaluation circuit data into a SPICE data format so that the circuit simulator 24 can use it (step S110). FIG. 6 is an explanatory diagram showing an example of evaluation circuit data after conversion. In FIG. 6, “.subckt” and subsequent are descriptions of the SPICE subcircuit in the evaluation circuit 40. “XU1229” and subsequent descriptions are gate connection specifications in the cell library stored in the circuit data storage unit 31. Subsequently, the input data generation unit 23 generates input data to be input to the evaluation circuit 40 (step S120). The input data is, for example, data such as the value of the input bit A supplied to the evaluation circuit data, the value of the clock signal, the value of the secret key K, and the input value to a control pin (not shown) of the evaluation circuit 40. In this embodiment, the value of the input bit A is changed randomly every time a predetermined period T1 (50 nsec in this embodiment) elapses. The value of the secret key K is a value determined at random. FIG. 7 is an explanatory diagram illustrating an example of input data generated by the input data generation unit 23. In FIG. 7, an 8-digit numerical value represents time. Of the nine digits corresponding to each time, the left eight digits represent the value of the input bit A, and the rightmost digit represents the value of the clock signal. For example, time “00000025” means time 25 nsec, and the corresponding value “011001001” means that the input bit A at time 25 nsec is the value “01100100” in binary notation, and the clock signal is value 1. doing. In the present embodiment, since the predetermined period T1 is set to a value of 50 nsec, the value of the input bit A changes every 50 nsec in FIG. The predetermined period T1 is determined based on, for example, an input data processing interval when the evaluation circuit 40 is actually used in a device.

  Next, the circuit simulator 24 acquires the evaluation circuit data converted to the evaluation circuit data conversion unit 22 in step S110 and the input data generated in the input data generation unit 23 in step S120, and the evaluation circuit A simulation of circuit operation when input data is input to 40 is performed (step S130). Thereby, the circuit simulator 24 generates a consumption current waveform calculated based on the value of the output bit B output for the input bit A and the operation content of the evaluation circuit 40.

Subsequently, the power consumption data acquisition unit 25 determines whether each bit of the input bit A in the evaluation circuit 40 is the value 0 or the value 1 from the simulation result of the circuit simulator 24 and the evaluation circuit. A plurality of pieces of power consumption data associated with the power consumption W in 40 are acquired according to the values of the plurality of input bits A (step S140). FIG. 8 is an explanatory diagram illustrating an example of a simulation result. In FIG. 8, “25000” and subsequent data are consumption current waveform data of the evaluation circuit 40 derived as a result of the simulation. The consumption current waveform data is represented as data of time and consumption current value every 0.01 nsec. For example, the time “25010” means that the time is 25.010 nsec, and the current consumption value “12968315” means that the current consumption value at the time 25.010 nsec is 12968315 × 10 ⁻¹⁰ A. FIG. 9 is an explanatory diagram of the acquired power consumption data. FIG. 9A is an explanatory diagram showing the contents of the acquired power consumption data as a table, and FIG. 9B is an explanatory diagram showing the relationship between the time slot and the power consumption W. As shown in FIG. 9A, the power consumption data is data in which the input bit A, the output bit B, and the power consumption W are associated with each other. In this embodiment, the power consumption data is generated by the input data generation unit 23. M + 1 pieces (2000 pieces in this embodiment) up to pattern numbers 0 to m (in this embodiment, pattern number m is 1999) when the value of input bit A is changed every predetermined period T1 based on the input data. ) Power consumption data. Note that “h” in FIG. 9A means hexadecimal notation. For example, the value of the input bit A in the pattern number 0 is “64h”, which means “01100100” when expressed in a bit string. This value corresponds to the value of the input bit A at the times “00000000” and “00000025” shown in FIG. Similarly, the value of the input bit A in the pattern number 1 corresponds to the value of the input bit A at the times “00000050” and “00000075” shown in FIG. Further, as shown in FIG. 9A, for one power consumption data, the value of the power consumption W exists for every eight time slots from time slot numbers 0 to 7. As shown in FIG. 9B, the period from the input of the value of the input bit A to the first time slot is a predetermined period T2, the start time of the first time slot is time t0, and the time width of one time slot Is a predetermined period T3 (in this embodiment, 0.2 nsec), the time slot is a period in which time is divided every predetermined period T3 from time t0. For example, the time slot number s in the power consumption data of the pattern number 0 is the time t0 when the predetermined period T2 has elapsed from the time when the value 64h of the input bit A of the pattern number 0 is input to the evaluation circuit 40. It means a period from (t0 + T3 × (s−1)) to time (t0 + T3 × s). The power consumption W is a value derived as an average value of power consumption for each time slot based on the current consumption waveform derived to the circuit simulator 24. Here, as shown in FIG. 8, the circuit simulator 24 derives the current consumption. However, the control voltage of the evaluation circuit 40 is constant, and the power consumption from the current consumption and the power consumption W as an average value thereof. Can be easily calculated. The predetermined periods T2 and T3 are set empirically as follows, for example. First, in consideration of the processing time required from the input to the output of the circuit of the evaluation circuit 40 and the contents of the internal processing, a period during which the evaluation circuit 40 is likely to be attacked when it is attacked by power difference analysis is examined in advance. . That is, a period during which it is assumed that secret information can be easily acquired from power consumption is checked in advance. Then, predetermined periods T2 and T3 are set so that the period is included in the time slot. Note that a period from when the value of the input bit A is input to when the next input bit A is input, that is, a period until the predetermined period T1 elapses, is divided equally to set a plurality of time slots. May be.

  Subsequently, the analysis unit 26 and the evaluation unit 27 execute a tamper resistance analysis / evaluation process of the evaluation circuit 40 based on the power consumption data acquired in step S140 (step S150). Here, the description of the tamper resistance evaluation routine will be interrupted, and the analysis evaluation process will be described. FIG. 10 is a flowchart illustrating an example of the analysis evaluation process.

  When this analysis evaluation process is started, the evaluation unit 27 first initializes the time slot number n to be processed to a value 1 (step S200). Subsequently, the evaluation unit 27 derives an average value μ and a standard deviation σ of 2000 pieces of power consumption W corresponding to the time slot number n among the power consumption data of pattern numbers 0 to 1999 (step S210). Then, it is determined whether or not the derived standard deviation σ is less than the threshold σth (step S220). Here, the threshold σth is a value set as the upper limit value of the standard deviation allowable region in which the overall correlation between the state variable and the power consumption is low and the tamper resistance is high because the power consumption variation is small. This is an experimentally determined value. Since the standard deviation σ is small and the value of the 2000 power consumption W is less varied, the correlation between the value of the input value A, which is a state variable, and the power consumption W is low. By comparing with the deviation σ, it is determined whether or not the tamper resistance is high.

  When the standard deviation σ is greater than or equal to the threshold σth in step S220, the analysis unit 26 considers that the tamper resistance is relatively low, and corresponds to the time slot number n in the power consumption data from the pattern numbers 0 to 1999. The value of 2000 power consumption W to be standardized is performed (step S230). In the present embodiment, assuming that the power corresponding to the pattern number i among the 2000 power consumptions W is the power consumption Wi, the standardized power consumption w i is derived as wi = (Wi−μ) / σ. The 2000 power consumption w derived in this way has a distribution with an average value of 0 and a standard deviation of value 1. By performing the subsequent analysis and evaluation after standardization in this way, it is easy to compare the evaluation results with, for example, the evaluation of tamper resistance for other cryptographic processing circuits with different absolute values of power consumption. Become.

Subsequently, the analysis unit 26 performs multiple regression analysis using the state variables, that is, each bit of the input bit A as explanatory variables, and 2000 power consumption w corresponding to the time slot number n as an objective variable, and biases it as an analysis value. regression coefficients A1 to Aj (variable j in the present embodiment, the value 8) to derive and coefficient of determination R ² (step S240). This process is performed as follows, for example. First, the values of the first bit to j-th bit of the input bit A are assumed to be state variables x1 to xj, respectively, and the relationship between the power consumption w and x1 to xj is assumed as in the following equation (1). The coefficients a0 to aj at this time are referred to as partial regression coefficients. Assuming Equation (1) in this way, the power consumption wi derived by substituting the state variables xi1 to xij corresponding to the pattern number i into Equation (1) and the power consumption wi in the actual power consumption data are as follows. The sum of squared differences E, which is the sum of the squares of the differences for all of the pattern numbers 0 to m, can be expressed by the following equation (2). Then, partial regression coefficients a0 to an that minimize the sum of squares E of the differences are derived. In other words, partial regression coefficients a0 to aj are derived so that the expression (1) is an expression that approximates the relationship between the power consumption w and x1 to xj with the highest accuracy. Thus, by calculating | requiring partial regression coefficient a0-aj, Formula (1) turns into an approximate expression (multiple regression formula) of the relationship between state variables x1-xj and power consumption w. The partial regression coefficients a0 to aj are derived by, for example, deriving an expression in which partial differentiation of the expression (2) with respect to a0 is set to a value 0, and for the partial regression coefficients a1 to aj, a similar expression is derived, This can be done by solving simultaneous equations represented by these equations. When deriving the partial regression coefficients A1 to Aj, to derive the coefficient of determination R ² using this. Specifically, first, the square of the difference between the power consumption wi in the actual power consumption data and the average value thereof is derived, and this is derived for all of the pattern numbers 0 to m and the sum of the actual measurement values. The sum of squares St is obtained. Further, the difference between the power consumption wi in the actual power consumption data and the power consumption wi as a predicted value derived by substituting the derived partial regression coefficients a0 to a8 and the actual xi1 to xij into the equation (1). The square is derived, and this is derived for all of the pattern numbers 0 to m, and the sum of squares Se of differences is obtained. Then, the determination coefficient R ² is derived from the following equation (3). In Equation (3), the constant N is the number of samples, and in this embodiment is a value 2000 that is the total number of power consumption data. The constant p is the number of explanatory variables, and is 8 in this embodiment. The coefficient of determination R ² is also referred to as degree of freedom adjusted coefficient of determination. Deriving a partial regression coefficients a1~aj and determination coefficient R ² as an analysis value as described above. FIG. 11 is an explanatory diagram illustrating an example of the derived analysis value. In Figure 11 shows the analysis value when the time slot number n is value 0, corresponding to time slot number n, the coefficient of determination R ² and partial regression coefficient a1~a8 is derived. Here, the partial regression coefficients a1 to aj are numerical values representing the level of correlation between each state variable and the power consumption w corresponding to the time slot number n. The partial regression coefficients a1 to aj take values from −1 to 1, and the larger the absolute value, the higher the positive or negative correlation between the state variable corresponding to the partial regression coefficient and the power consumption w. For example, the value of the partial regression coefficient a1 represents the correlation between the value of the first bit of the input bit A and the power consumption w. More specifically, as the absolute value of the partial regression coefficient a1 is larger, the value of the power consumption w tends to vary greatly depending on whether the first bit of the input bit A is the value 0 or the value 1. Means that. For example, in FIG. 11, since the absolute values of the partial regression coefficients a2, a3, and a4 are larger than the partial regression coefficient a1, the power consumption w is greater in the second to fourth bits than in the first bit of the input bit A. It can be seen that the correlation is high. Further, the determination coefficient R ² is a numerical value representing the probability of approximation of the expression (1). The determination coefficient R ² takes a value of 0 to 1, and the closer the value is to 1, the higher the accuracy of approximation, and the higher the overall correlation between the input bit A, which is a state variable, and the power consumption w. . Incidentally, partial regression coefficients a0, albeit a necessary value to derive the coefficient of determination R ^2, since the present embodiment is not used in the evaluation of subsequent tamper resistance, not included in analysis.

Next, the evaluation unit 27 acquires the analysis value derived by the analysis unit 26 and performs an evaluation process (step S250) for evaluating the tamper resistance of the evaluation circuit 40. As an evaluation processing in step S250, first, the coefficient of determination R ² of the analysis determines whether it is less than the threshold value R ² th1 (step S251). Here, the threshold value R ² th1 is an upper limit value of a determination coefficient R ² region that can be regarded as having a low overall correlation between the input bit A that is a state variable and the power consumption w and high tamper resistance, that is, a determination coefficient allowable region. It is a set value, for example, a value empirically determined by experiment.

When the standard deviation σ is less than the threshold σth in step S220 or when the determination coefficient R ² is less than the threshold R ² th1 in step S251, the evaluation circuit 40 has high tamper resistance as a whole. Is stored as an evaluation result corresponding to the time slot number n to be processed (step S252).

On the other hand, when the coefficient of determination R ² was threshold R ² th1 or more in step S251, the coefficient of determination R ² is equal to or threshold R ² th2 or more (step S253). Here, the threshold value R ² th2 is a lower limit value of the region of the determination coefficient R ² that can be regarded as having a high overall correlation between the input bit A that is a state variable and the power consumption w and that the tamper resistance is low, that is, the determination coefficient non-permissible region For example, a value empirically determined by experiment. In the present embodiment, the threshold value R ² th2 is larger than the threshold value R ² th1. When the determination coefficient R ² is equal to or greater than the threshold value R ² th2 in step S253, information indicating that the evaluation circuit 40 has low tamper resistance as a whole is obtained as an evaluation result corresponding to the time slot number n to be processed. Store (step S254).

When the coefficient of determination R ² less than the threshold value R ² th2 in step S253, determines a low state variable x1~xj tamper resistance based on the value of partial regression coefficient a1 to a8 (step S255). The coefficient of determination R ² in step S251 is not less threshold R ² th1 or more, when the coefficient of determination R ² less than the threshold value R ² th2 in step S253, i.e. the coefficient of determination R ² is the coefficient of determination acceptable area and the coefficient of determination nonpermissive region Is not determined that the tamper resistance is generally high according to the determination by the determination coefficient, but is not the case where it is not determined that the tamper resistance is generally low. Therefore, it is determined that the tamper resistance is partially low, and among the state variables x1 to xj, a state variable having a particularly low tamper resistance is specified. In the present embodiment, the process of step S255 is included in a predetermined partial regression coefficient allowable region in which each value of the partial regression coefficients a1 to a8 has a low correlation between the state variable and the power consumption w and can be regarded as having high tamper resistance. This is performed by determining whether or not a state variable corresponding to a partial regression coefficient not included is low in tamper resistance. For example, when the partial regression coefficients a1 and a3 are not included in the partial regression coefficient allowable area, if the value of the first bit and the value of the third bit of the input bit A have a high correlation with the power consumption w and the tamper resistance is low. judge. Here, such a partial regression coefficient allowable region can be determined empirically by, for example, experiments. For example, relative determination may be performed, such as determining a value having the highest absolute value among the values of the partial regression coefficients a1 to a8 as a state variable having low tamper resistance. If a state variable with low tamper resistance is determined in step S255, information indicating that the tamper resistance is partially low and a state variable determined to have low tamper resistance are evaluated results corresponding to the time slot number n to be processed. (Step S256).

  When the above-described processing of steps S251 to S256, that is, the evaluation processing of step S250 is performed and the evaluation result of any of steps S252, S254, and S256 is stored, the evaluation unit 27 increments the time slot number n by 1 ( In step S260, it is determined whether or not the time slot number n has exceeded an upper limit value (value 7 in the present embodiment) (step S270). If the time slot number n does not exceed the upper limit value, the process proceeds to step S210. On the other hand, when the time slot number n exceeds the upper limit value, the analysis evaluation process is terminated. By performing this analysis and evaluation process, the tamper resistance of the evaluation circuit 40 using the power consumption data for each time slot is evaluated.

Returning to the tamper resistance evaluation routine of FIG. When the analysis evaluation process in step S150 is performed, the evaluation unit 27 reads the evaluation result stored in any of steps S252, S254, and S256 for each time slot, and causes the display unit 16 to display the evaluation result output screen ( Step S160), this routine is finished. On the evaluation result output screen, for example, evaluation results such as “overall high”, “partially low” and “overall low” are displayed for each time slot, or the tamper resistance is partially low. For the time slot, it is displayed how many bits of the input bit A are determined to have low tamper resistance. Further, the standard deviation σ obtained by the tamper resistance evaluation routine and the value of the analysis value are displayed as a table or graph in association with the time slot. Thus, in the tamper resistance evaluation routine, the standard deviation σ, the partial regression coefficients a1 to a8, and the determination coefficient R ² are derived based on the power consumption data, and the tamper resistance of the evaluation circuit 40 is evaluated based on these. To do.

  Here, the correspondence between the components of the first embodiment and the components of the present invention will be clarified. The information processing apparatus 10 of the first embodiment corresponds to the information processing apparatus of the present invention, the power consumption data acquisition unit 25 corresponds to the power consumption data acquisition unit, the analysis unit 26 corresponds to the analysis unit, and the evaluation unit 27 Corresponds to evaluation means. In the present embodiment, an example of the information processing method of the present invention is also clarified by describing the operation of the information processing apparatus 10.

According to the information processing apparatus 10 of the first embodiment described in detail above, the state variable indicating the state of the input bit A in the evaluation circuit 40 that is a cryptographic processing circuit is associated with the power consumption W in the evaluation circuit 40. Multiple power consumption data is acquired, and based on the acquired power consumption data, a multiple regression analysis is performed using the power consumption W as an objective variable and the state variables x1 to xj associated with the power consumption W as explanatory variables. The determination coefficient R ² and the partial regression coefficients a1 to a8 are derived as analysis values by analysis. Then, the tamper resistance of the evaluation circuit 40 is evaluated based on the derived analysis value. This makes it possible to efficiently evaluate the tamper resistance of the cryptographic processing circuit as compared with the case where the tamper resistance is evaluated based on whether the power difference analysis attack is performed a plurality of times and the attack is successful.

  In addition, since the value of each bit of the input bit A is a state variable, and multiple regression analysis is performed based on power consumption data in which a plurality of different state variables x1 to xj and power consumption W are associated, The correlation between the state variable and the power consumption W can be collectively analyzed by the multiple regression analysis, and the tamper resistance can be efficiently evaluated as compared with the case where the single regression analysis is performed a plurality of times.

Furthermore, in order to determine whether or not the tamper resistance is high based on whether or not the determination coefficient R ² is included in the predetermined determination coefficient allowable region, the determination coefficient that represents the overall correlation between the state variable and the power consumption Tamper resistance can be evaluated based on The coefficient of determination when R ² is not included in any of the coefficient of determination allowable area and the coefficient of determination unacceptable region, tamper resistant low state of the plurality of state variables based on the partial regression coefficient a1~a8 derived In order to determine the variable, the determination by the determination coefficient is not high in tamper resistance, but when the tamper resistance is not low, a state variable having low low tamper resistance can be specifically determined. Further, it is determined whether or not the derived partial regression coefficients a1 to a8 are included in a predetermined partial regression coefficient allowable area, and a tamper resistance of a state variable corresponding to the partial regression coefficient not included in the partial regression coefficient allowable area is determined. Therefore, the tamper resistance of each state variable can be evaluated by a simple method.

Furthermore, when tamper resistance is determined to be low based on the standard deviation σ of the power consumption data, the tamper resistance based on the analysis value is evaluated. Therefore, the tamper resistance is always evaluated based on the analysis value. Tamper resistance can be evaluated efficiently.

  It should be noted that the present invention is not limited to the above-described embodiment, and it goes without saying that the present invention can be implemented in various modes as long as it belongs to the technical scope of the present invention.

For example, the processing of steps S210 and S220 in the first embodiment described above may be omitted, and multiple regression analysis may be always performed regardless of the value of the standard deviation σ. Further, step S253, S255, and omits the processing of S256, or coefficient of determination R ² in step S251 proceeds to step S254 when it is not less than the threshold value R ² th1, the coefficient of determination R ² is included in a predetermined coefficient of determination acceptable area not Whether or not the tamper resistance is high may be determined based on the above. In this case, partial regression coefficients a1~a8 derived in step S240 is not the analysis, only the coefficient of determination R ² may be the analytical value. Further, omitting the processing in step S253, S254, the process proceeds to step S255 when determining coefficient R ² in step S251 is not less than the threshold value R ² th1, always resistant when the coefficient of determination R ² is not included in the predetermined determination coefficient allowable region A state variable with low tampering may be determined. Alternatively, the processing of steps S251, S253, and S254 may be omitted, and when the multiple regression analysis of step S240 is performed, the process proceeds to step S255, and a state variable with low tamper resistance may always be determined. In this case, the determination coefficient may not be derived in step S240. The evaluation of the tamper-resistant with and steps after S254 as also performs the process of step S255, S256, determination coefficient evaluating the partial regression coefficients a1~a8 tamperproof with R ² After step S252 May always be performed.

[Second Embodiment]
FIG. 12 is a configuration diagram illustrating an outline of a configuration of the information processing apparatus 110 according to the second embodiment. In addition, about the component similar to the information processing apparatus 10 among the information processing apparatuses 110 of 2nd Embodiment, the code | symbol same as the component of the information processing apparatus 10 is attached | subjected, and the description is abbreviate | omitted.

  The information processing apparatus 110 includes a control unit 12, a storage unit 114, a display unit 16, and an operation unit 18. In this information processing apparatus 110, the control circuit 12 executes the tamper resistance evaluation program 120 to evaluate the tamper resistance, and the evaluation circuit 140 masks the internal circuit operation with the value of the random number bit C. The information processing apparatus 10 is different from the information processing apparatus 10 in that it is an encryption processing circuit having an RSL (Random Switch Logic) circuit which is a kind of mask circuit.

  The storage unit 114 is configured as a large-capacity storage device such as an HDD and stores various application programs and various data files. The storage unit 114 includes a tamper resistance evaluation program 120 and a circuit database 31.

  The tamper resistance evaluation program 120 includes an evaluation circuit data generation unit 21, an evaluation circuit data conversion unit 22, an input data generation unit 123, a circuit simulator 24, a power consumption data acquisition unit 125, and an analysis unit 26. The evaluation unit 27 and the classification unit 128 are provided. The input data generation unit 123 has the same function as the input data generation unit 23 in FIG. 1 except that the input data to be generated includes the value of the random number bit C of the RSL circuit. The power consumption data acquisition unit 125 includes a state variable indicating the state of at least one of the input bit and the output bit in the evaluation circuit 140 and a state variable indicating the state of the random number bit C, and the power consumption W in the evaluation circuit 140. It has a function of acquiring associated power consumption data. Based on the plurality of power consumption data acquired by the power consumption data acquisition unit 125, the classification unit 128 explains the state variable representing the state of the random number bit C associated with the power consumption W using the power consumption W as a target variable. A regression analysis is performed as a variable, and at least one of the determination coefficient and the regression coefficient is derived as a correlation value between the random number bit C and the power consumption data by the analysis, and the random number bit C and the power consumption W are calculated based on the derived correlation value. When it is determined that the correlation is high, it has a function of classifying the plurality of acquired power consumption data into a plurality of groups according to the value of the random number bit C. The control unit 12 executes the tamper resistance evaluation program 120, whereby the evaluation circuit data generation unit 21, the evaluation circuit data conversion unit 22, the input data generation unit 123, the circuit simulator 24, and the power consumption data acquisition unit 125. The functions of the analysis unit 26, the evaluation unit 27, and the classification unit 128 are realized.

  Next, the operation of the information processing apparatus 110 configured as described above, particularly the operation when evaluating the tamper resistance of the cryptographic processing circuit will be described. When the user operates the operation unit 18 to specify an evaluation circuit to be evaluated for tamper resistance and instructed to perform tamper resistance evaluation, the control unit 12 executes a tamper resistance evaluation routine. Since this tamper resistance evaluation routine has the same processing steps as the tamper resistance evaluation routine of FIG. 2, it will be described using the same step numbers as in FIG.

  When this tamper resistance evaluation routine is executed, first, the evaluation circuit data generation unit 21 and the evaluation circuit data conversion unit 22 perform the processing of steps S100 to S110. This process is performed in the same manner as in FIG. 2 except that the configuration of the evaluation circuit 140 designated by the user is different. FIG. 13 is a configuration diagram showing an outline of the configuration of the evaluation circuit 140. 13A is a block diagram showing the overall configuration of the evaluation circuit 140, and FIG. 13B is a block diagram showing the configuration of the RSL circuit 148 in the SubBytes conversion circuit 144 in the evaluation circuit 140. It is. As illustrated in FIG. 13A, the evaluation circuit 140 includes a register 142, a SubBytes conversion circuit 144, and an exclusive OR circuit 46. The evaluation circuit 140 is an encryption processing circuit configured as a partial module of an AES circuit, which is one of the encryption methods, similar to the evaluation circuit 40. The evaluation circuit 140 includes a register 142, a SubBytes conversion circuit 144, and an exclusive circuit. And a logical OR circuit 146. The register 42 holds the input 8-bit input bit A, 1-bit random number bit C, and 1-bit output enable en. The SubBytes conversion circuit 144 is connected to the output unit of the register 42, receives the input bit A, the random number bit C, and the output enable en from the register 42, and performs a SubBytes process that is a non-linear conversion in AES on the input bit A. Is. This SubBytes conversion circuit 144 has an RSL circuit 148 shown in FIG. As illustrated, the RSL circuit 148 receives two input values of 1 bit each, a random number bit C, and an output enable en. The RSL circuit 148 operates as a different logic circuit with the internal operation mode switched depending on the value of the random number bit C. Specifically, when the output enable en is 1 and the random number bit C is 0, the RSL circuit 148 operates as a NAND gate and outputs a 1-bit output value based on two input values. When the output enable en is 1 and the random number bit C is 1, the RSL circuit 148 operates as a NOR gate and outputs a 1-bit output value based on two input values. When the output enable en is 0, the output value of the RSL circuit 148 is fixed to 0. The SubBytes conversion circuit 144 is configured as a circuit combining a plurality of RSL circuits 148, and the correspondence between the input bit A and the output bit B is the same as that of the SubBytes conversion circuit 44 in FIG. Depending on whether the value is 0 or 1, the internal circuit configuration changes and the power consumption also changes. As described above, the SubBytes conversion circuit 144 includes the RSL circuit 148, so that the power consumption is changed according to the value of the random number bit C, and the correlation between the input bit A and the power consumption becomes low, that is, the internal circuit operation is masked. Thus, the circuit is more tamper resistant than the circuit of the SubBytes conversion circuit 144 in FIG.

  Subsequently, the input data generation unit 123 performs the process of step S120 to generate input data to the evaluation circuit 140, and the circuit simulator 24 performs the process of step S130 and inputs the input data to the evaluation circuit 140. The simulation of the circuit operation is performed. And the power consumption data acquisition part 125 performs the process of step S140, and acquires power consumption data. In the present embodiment, the power consumption data acquisition unit 125 determines the state variable indicating the value of each bit of the input bit A and the value of the random number bit C in the evaluation circuit 140 and the evaluation circuit 140 from the simulation result of the circuit simulator 24. A plurality of pieces of power consumption data associated with the power consumption W are obtained according to the values of the input bit A and the random number bit C. FIG. 14 is an explanatory diagram showing the contents of the acquired power consumption data as a table. As shown in this figure, the power consumption data acquired by the power consumption data acquisition unit 125 is obtained by adding the value of the random number bit C corresponding to each pattern number to the power consumption data shown in FIG. ing.

Next, the analysis unit 26 and the evaluation unit 27 perform the process of step S150 for executing the tamper resistance analysis evaluation process of the evaluation circuit 140 based on the power consumption data acquired in step S140. FIG. 15 is a flowchart illustrating an example of the analysis evaluation process in the present embodiment. In FIG. 15, only the parts different from the analysis evaluation process of FIG. 10 are shown, and the same processes as in FIG. 10 will be described using the same step numbers. When this analysis evaluation process is executed, first, the processes of steps S200 to S230 are performed. When the processing in step S230 is performed, the analysis unit 26 uses the state variables, that is, each bit of the input bit A and the random number bit C as explanatory variables, and uses 2000 power consumption w corresponding to the time slot number n as an objective variable. performing a multiple regression analysis, (variable j in the present embodiment, the value 8) partial regression coefficients a1~aj as an analytical value with deriving a and coefficient of determination R ^2, derives the partial regression coefficient b as a correlation value (step S240a ). This process is the same as step S240 except that a state variable x9 representing the value of the random number bit C is added to the state variables x1 to x8 in step S240, and a partial regression coefficient b is added to the partial regression coefficients a0 to a8. It can be performed in the same way. That is, to derive the partial regression coefficient a0~a9 as square sum E of the difference equation (2) in the case where the variable j to the value 9 in the formula (1) described above is minimized, then the coefficient of determination R ² derived by the partial regression coefficients a1~a8 and determination coefficient R ² and analysis values is as the correlation value partial regression coefficient a9 (= partial regression coefficient b). FIG. 16 is an explanatory diagram illustrating an example of the derived analysis value and correlation value. FIG. 16 shows the analysis value and the correlation value when the time slot number n is 0, and the determination coefficient R ² and the partial regression coefficients a1 to a8, b are derived corresponding to the time slot number n. ing. In the example of FIG. 16, the absolute value of the partial regression coefficient b is larger than the partial regression coefficients a1 to a8, and the random number bit C is more correlated with the power consumption w than the input bit A value. I understand that it is expensive.

  Subsequently, the analysis unit 26 and the evaluation unit 27 perform the process of step S250, that is, the processes of steps S251 to S256, and evaluate the tamper resistance of the evaluation circuit 140. Then, when the process of step S250 is performed, the classification unit 128 determines whether or not the partial regression coefficient b, which is the correlation value derived in step S240a, is less than the threshold value bth (step S300). Here, the threshold value bth is a value set as the lower limit value of the partial regression coefficient b region in which the correlation between the random number bit C, which is a state variable, and the power consumption w is low and the tamper resistance can be regarded as high. For example, it is a value empirically determined by experiment. In the present embodiment, the partial regression coefficient allowable area is the same as the partial regression coefficient allowable area when determining a state variable with low tamper resistance in step S255, but both may be different areas.

  When the partial regression coefficient b is less than the threshold value bth in step S300, the classification unit 128 stores that the tamper resistance of the random number bit C is low as an evaluation result corresponding to the time slot number n (step S310). ), The process proceeds to step S260. On the other hand, when the partial regression coefficient b is not greater than or equal to the threshold value bth in step S300, the power consumption data is classified into a plurality of groups according to the value of the random number bit C (step S320). In the present embodiment, since the random number bit C is 1 bit, the power consumption data is classified into two groups depending on whether the random number bit C is 0 or 1. For example, when the power consumption data shown in FIG. 14 is classified, the power consumption data of pattern numbers 0 and 2 whose random number bit C is 0 and the pattern numbers 1, 3 and 4 whose random number bit C is 1 are stored. It is classified into a group different from the power consumption data.

Subsequently, the analysis unit 26 and the evaluation unit 27 set any one of the classified groups as a processing target group (step S330), and the processing after step S210 in FIG. 10 is performed on the power consumption data of the processing target group. I do. The processes after step S210 are performed in the same manner as steps S210 to S250 except that the processes of steps S252a, S254a, and S256a are performed instead of steps S252, S254, and S256. That is, first, the processes of steps S210 and S220 are performed. When the standard deviation σ is equal to or larger than the threshold σth in step S220, the processes of steps S230 to S251 are performed. Then, when the standard deviation σ is less than the threshold value σth in step S220, or step when the coefficient of determination R ² less than the threshold value R ² th1 in S251, the overall tamper resistance evaluation circuit 140 for processing target group High is stored as an evaluation result corresponding to the processing target group and the time slot number n (step S252a). Further, when the coefficient of determination R ² was threshold R ² th1 or more in step S251 performs steps S253, but when the coefficient of determination R ² was threshold R ² th2 or more in step S253, the evaluation circuit 140 The fact that the overall tamper resistance is low is stored as an evaluation result corresponding to the processing target group and the time slot number n (step S254a). When the determination coefficient R ² is less than the threshold value R ² th2 in step S253, the state variable having low tamper resistance is determined by performing the process in step S255, and the tamper resistance is partially reduced. The state variable determined to be low is stored as the evaluation result corresponding to the processing target group and the time slot number n (step S256a). When the evaluation result of any one of steps S252a, S254a, and S256a is stored, it is determined whether or not there is an unprocessed group (step S340). If there is an unprocessed group, the process proceeds to step S330. On the other hand, if there is no unprocessed group, the process proceeds to step S260.

  As described above, in the analysis evaluation process of FIG. 15, in addition to the analysis evaluation process of FIG. 10, it is determined whether or not the random number bit C has a high correlation with the power consumption. When the correlation between the random number bit C and the power consumption W is high, the power consumption data is grouped and then subjected to multiple regression analysis to evaluate tamper resistance without the influence of the random number bits.

  Here, the correspondence between the constituent elements of the second embodiment and the constituent elements of the present invention will be clarified. The information processing apparatus 110 of the second embodiment corresponds to the information processing apparatus of the present invention, the power consumption data acquisition unit 125 corresponds to the power consumption data acquisition unit, the analysis unit 26 corresponds to the analysis unit, and the evaluation unit 27 The analyzing unit 26, the evaluating unit 27, and the classifying unit 128 correspond to the classifying unit.

  According to the information processing apparatus 10 of the second embodiment described in detail above, when the correlation between the random number bit C of the RSL circuit 148 and the power consumption W is high, the power regression data is grouped and then the multiple regression analysis is performed. Thus, tamper resistance can be evaluated without the influence of random bits. As a result, for example, as an attack on the actual cryptographic processing circuit, first, the value of the random number bit is read from the correlation between the power consumption data and the random number bit, and then only the power consumption data having the same value of the random number bit. Tamper resistance against attack techniques such as power difference analysis can be evaluated.

  It should be noted that the present invention is not limited to the above-described embodiment, and it goes without saying that the present invention can be implemented in various modes as long as it belongs to the technical scope of the present invention.

  For example, in the second embodiment described above, the random number bit C is 1 bit, but may be a plurality of bits. In that case, the value of each bit of the random number bits may be used as an explanatory variable, or a value represented by a plurality of bits may be used as one explanatory variable.

  In the first and second embodiments described above, when there is a state variable determined to have low tamper resistance based on the partial regression coefficient, power difference analysis of the evaluation circuit is performed using the state variable as a selection function. The tamper resistance of the evaluation circuit may be evaluated depending on whether the analysis is successful. By doing this, tamper resistance can be more reliably evaluated because power difference analysis is performed on the state variable determined to have low tamper resistance and the tamper resistance is evaluated. In this case, for example, when there is a state variable determined to have low tamper resistance in step S255, this may be used as a selection function to perform power difference analysis after step S150.

  In the first and second embodiments described above, the multiple regression analysis is performed using the value of the input bit A as an explanatory variable. However, the presence or absence of transition of the input bit A may be used as an explanatory variable. For example, among the 8-bit values of the input bit A, the explanatory variable corresponding to the bit whose value has changed from the state before the input may be the value 1, and the explanatory variable corresponding to the bit having no transition may be the value 0. . In this case, for example, when the bit string “10001001” is input as the input bit A and the value of the input bit A before input is “00000000”, the values of the first, fifth, and eighth bits of the input bit A are Since there are transitions, the explanatory variables indicating the presence / absence of transitions of the first, fifth, and eighth bits each have a value of 1, and the explanatory variables indicating the presence / absence of other bit transitions each have a value of 0. Further, the value of the output bit B may be an explanatory variable, and the presence or absence of the transition of the output bit B may be an explanatory variable.

  In the first and second embodiments described above, the multiple regression analysis is performed using all 8 bits of the input bits A as explanatory variables. However, some bits may be used as explanatory variables. Further, multiple regression analysis may be performed using a multi-bit value as one explanatory variable. For example, since the upper 4 bits of the input bit A are any value from 0 to 15, this may be used as one explanatory variable. Alternatively, only one bit may be used as an explanatory variable to perform single regression analysis instead of multiple regression analysis, and tamper resistance may be evaluated using a regression coefficient instead of a partial regression coefficient.

  In the first and second embodiments described above, the circuit simulator performs simulation based on the data generated by the evaluation circuit data generation unit, the evaluation circuit data conversion unit, and the input data generation unit, and obtains power consumption data from the result. Although the unit acquires a plurality of power consumption data, the tamper resistance evaluation program may not include the evaluation circuit data generation unit, the evaluation circuit data conversion unit, the input data generation unit, and the circuit simulator. In this case, power consumption data may be created in advance and stored in the storage unit, and the power consumption data acquisition unit may acquire the power consumption data from the storage unit. Alternatively, the power consumption data acquisition unit may acquire power consumption data by measuring the power consumption of the cryptographic processing circuit actually manufactured.

  In the first and second embodiments described above, the power consumption W exists for each of the eight time slots from time slot numbers 0 to 7 for the power consumption data of one pattern number. It is also possible that only one power consumption W exists corresponding to one pattern number without providing a plurality of patterns.

  In the first and second embodiments described above, the multiple regression analysis is performed after the power consumption data is standardized, but the multiple regression analysis may be performed without standardizing the power consumption data.

In the first and second embodiments described above, the determination coefficient R ² is a degree-of-freedom-adjusted determination coefficient, but a determination coefficient that has not been adjusted for the degree of freedom may be used as the determination coefficient R ² . However, since the determination coefficient that has not been adjusted for the degree of freedom tends to approach the value 1 as the number of explanatory variables increases and the accuracy of approximation apparently increases, it is preferable to use the determination coefficient for which the degree of freedom has been adjusted. In addition, it is good also as what derives | leads-out as an analytical value both the determination coefficient with freedom degree adjusted, and the determination coefficient which has not adjusted freedom degree, and uses it for evaluation of tamper resistance.

  Hereinafter, an example in which a tamper resistance evaluation program and an information processing apparatus are actually created will be described as an example.

[Example]
As an example, a tamper resistance evaluation program having both functions of the first and second embodiments was created. And this was memorize | stored in the hard disk of the computer which has a control part whose CPU is Xeon W3565 (3.2 GHz) and RAM capacity is 8 GB, and it was set as the information processing apparatus of the Example. In evaluating tamper resistance, the selection of whether to use the value of the input bit A or the presence or absence of transition as the explanatory variable of the multiple regression analysis, the number of time slots, and the values of the predetermined periods T1 to T3 are as follows: It can be set by the user. Further, after step S252 of FIG. 10, after step S254, after step S252a in FIG. 15, and as each well after step S254a performs the process of step S255, S256, regardless of the value of the coefficient of determination R ² Tamper resistance was always evaluated using partial regression coefficients. In addition, the information processing apparatus according to the example displays the determination coefficient R ² and the partial regression coefficient values obtained by the tamper resistance evaluation routine as a graph in association with the time slot as an evaluation result.

[Comparative example]
As a comparative example, whether an attack corresponding to each bit succeeds by performing a power difference analysis attack on the evaluation circuit using one of the input bits as a selection function, and repeating this for 8 bits of the input bit. A tamper resistance evaluation program for evaluating tamper resistance depending on whether or not was created. And this was memorize | stored in the hard disk of the computer similar to an Example, and it was set as the information processing apparatus of the comparative example. Evaluation of tamper resistance in the information processing apparatus of the comparative example was performed as follows. First, by changing the value of the input bit at random, the power consumption data that associates the power consumption after a predetermined period after the value of the input bit changes and the value of the output bit corresponding to the value of the input bit Get a lot. Next, for each power consumption data, the input bit is predicted from the output bit assuming that the secret key (8 bits) of the evaluation circuit is a specific value. Next, using one bit of the predicted input bits as a selection function, the power consumption data is divided into two groups depending on whether the selection function has a value of 0 or 1, and an average waveform of power consumption for each group is obtained. The difference between the average waveforms of the two groups is obtained. Subsequently, this difference is obtained for all possible values (256) of the secret key, and the assumed values of the secret key are arranged in descending order of the average waveform difference, and the assumed values are ranked. Subsequently, the rank of the correct value of the secret key K is checked, and it is determined whether or not the attack is successful depending on whether or not it is first. Then, such a determination is performed for each bit of the input bit by changing the selection function, and it is determined whether or not the attack is successful for each bit.

[Tamper resistance evaluation experiment 1]
Evaluation circuit data of the evaluation circuit 40 shown in FIG. 3 was prepared as a target for evaluation of tamper resistance. The SubBytes conversion circuit 44 of the evaluation circuit 40 is a composite circuit having a configuration in which an inverse operation circuit and an affine conversion circuit are connected in series. With respect to the evaluation circuit data, tamper resistance was evaluated using the information processing apparatuses of Examples and Comparative Examples. In the information processing apparatus of the example, the presence / absence of transition of the input bit A was evaluated as an explanatory variable. In addition, the predetermined period T1 is 50 nsec, the predetermined period T2 is 0 nsec, the predetermined period T3 is 0.2 nsec, the time slots are 10 from time slot numbers 0 to 9, and the number of patterns of power consumption data to be acquired is 2000. . In the information processing apparatus of the comparative example, the power consumption from the time when the “predetermined period T2 + 0.6 nsec” elapses until the time when the “predetermined period T2 + 0.8 nsec” elapses after the value of the input bit A changes A large number of power consumption data associated with the value of the output bit B to be obtained was acquired and evaluated as described above. That is, the evaluation was performed using the same power consumption data as the time slot number 3 of the information processing apparatus of the example. Moreover, in the information processing apparatus of the comparative example, the total number of power consumption data used for the evaluation was changed and the evaluation was performed a plurality of times.

(Experimental result)
The experimental results of the tamper resistance evaluation experiment 1 are shown in FIGS. FIG. 17 is a graph showing the value of the determination coefficient R ² for each time slot among the evaluation results by the information processing apparatus of the example. FIG. 18 is a graph showing the values of partial regression coefficients a1 to a8 for each time slot among the evaluation results by the information processing apparatus of the example. FIG. 19 is a graph showing the relationship between the total number of power consumption data used for evaluation and the order of correct keys when each bit of the input value A is a selection function among the evaluation results by the information processing apparatus of the comparative example. It is.

From Figure 17, of the derived coefficient of determination R ^2, the coefficient of determination R ² is found to be a larger value than the other, in particular corresponding to time slot number 0 to 3. For this reason, the evaluation result that the power consumption of the time slot numbers 0 to 3 is lower than the other time slots is obtained. Further, from FIG. 18, the values of the partial regression coefficients a1 to a8 corresponding to the time slot number 3 are in the order of the partial regression coefficients a2, a7, a5, a6, a1, a8, a3, a4 when arranged in descending order. ing. The evaluation result that the tamper resistance is lower is obtained for the bit of the input value A corresponding to the higher partial regression coefficient of this value. In FIG. 19, since the correct key rank is 1 and the attack is successful in the 2nd, 5th, 6th and 7th bits of the input bit A, the tamper resistance of this bit is low. Evaluation results are obtained. In addition, the smaller the total number of power consumption data used for evaluation when the correct key rank is 1st, the lower the tamper resistance, and the lower the correct key rank, the higher the tamper resistance. In 19, when the bits of the input bit A are arranged in the order of lower tamper resistance, the order of the second, seventh, fifth, sixth, first, eighth, third and fourth bits is obtained. This arrangement order matches the order of the partial regression coefficients a1 to a8 in FIG. 18, and the evaluation result for the time slot number 3 of the information processing apparatus of the embodiment and the evaluation result of the information processing apparatus of the comparative example are It turns out that they match. In the information processing apparatus of the comparative example, evaluation is performed using the same power consumption data as the time slot number 3 of the information processing apparatus of the embodiment. For this reason, the fact that the evaluation results of both coincide with each other means that the information processing apparatus according to the embodiment can correctly evaluate the tolerance to the actual power difference analysis. In addition, the information processing apparatus according to the example took 17 seconds to perform the multiple regression analysis using the power consumption data having 2000 patterns and obtain the evaluation result, whereas the information processing apparatus according to the comparative example. In the apparatus, the time required for performing the power difference analysis using the same 2000 pieces of power consumption data and obtaining the evaluation result was 416 sec. From this, it can be seen that the information processing apparatus according to the embodiment can evaluate tamper resistance more efficiently than the technique of performing tamper resistance based on whether or not the attack is successful by performing an attack based on power difference analysis. It was.

[Tamper resistance evaluation experiment 2]
In the case where the SubBytes conversion circuit 44 of the evaluation circuit 40 is configured by a circuit other than the composite system, the tamper resistance was evaluated by the information processing apparatuses of the example and the comparative example in the same manner as the tamper resistance evaluation experiment 1. . Specifically, tamper resistance was evaluated for an evaluation circuit in which the SubBytes conversion circuit 44 is configured by a truth table method, a PPRM (Positive Polarity Reed Muller) 1 method, and a PPRM3 method. The truth table-based SubBytes conversion circuit 44 is a circuit in which gates are connected so that the input / output of the SubBytes conversion circuit 44 is in the correspondence relationship of the truth table of FIG. 4, and the correspondence relationship is described using a logic synthesis tool. It was created as circuit data obtained by converting to. The PPRM1-based SubBytes conversion circuit 44 is a circuit configured by a combination of an AND gate group and an XOR gate group. The PPRM3 type SubBytes conversion circuit 44 is a circuit formed by converting a composite type circuit into a three-stage PPRM type circuit. FIG. 20 is a graph showing the value of the determination coefficient R ² for each time slot of the truth table method, the PPRM1 method, and the PPRM3 method among the evaluation results by the information processing apparatus of the embodiment. FIG. 21 is a graph showing the values of partial regression coefficients a1 to a8 for each time slot of the truth table method, the PPRM1 method, and the PPRM3 method among the evaluation results by the information processing apparatus of the example. FIG. 21A is a graph for the truth table method, FIG. 21B is a graph for the PPRM1 method, and FIG. 21C is a graph for the PPRM3 method. FIG. 22 is a graph showing the relationship between the total number of power consumption data of the truth table method, the PPRM1 method, and the PPRM3 method for the time slot number 5 and the rank of the correct key among the evaluation results by the information processing apparatus of the comparative example. It is. 22A is a graph for the truth table method, FIG. 22B is a graph for the PPRM1 method, and FIG. 22C is a graph for the PPRM3 method.

In FIG. 20, the determination coefficient R ² in time slot number 5 is in descending order of the truth table method, the PPRM1 method, and the PPRM3 method. In FIG. 22, the truth table method, the PPRM1 method, and the PPRM3 method are in order from the smallest power consumption data required until the correct key ranks first. The evaluation results were consistent with each other. Further, if the partial regression coefficients in time slot number 5 in FIG. 21 are arranged in descending order, the truth key method, PPRM1 method, and PPRM3 method are necessary until the correct key rank is ranked first in FIG. Thus, the order of arrangement was the same as when the bits of the input bits A were arranged in ascending order of the total power consumption data, and the evaluation results were the same between the example and the comparative example. From these facts, it was confirmed that the tolerance to the actual power difference analysis could be correctly evaluated by the information processing apparatus of the example for the other systems as well as the composite system.

[Tamper resistance evaluation experiment 3]
Evaluation circuit data of the evaluation circuit 140 shown in FIG. 13 was prepared as a target for evaluation of tamper resistance. With respect to the evaluation circuit data, tamper resistance was evaluated using the information processing apparatuses of Examples and Comparative Examples. In the information processing apparatus of the example, evaluation was performed using the value of the input bit A and the value of the random number bit C as explanatory variables. The predetermined periods T1 to T3 and the time slot were the same as in the tamper resistance evaluation experiment 1. In the information processing apparatus of the comparative example, first, the value of the input bit A is set in the same manner as in the tamper resistance evaluation experiment 1 without distinguishing between the power consumption data whose random number bit is 0 and the power consumption data whose value is 1. Tamper resistance was evaluated bit by bit as a selection function. Further, an average value of power consumption in the power consumption data was obtained, and the power consumption data was divided into two groups depending on whether the power consumption was equal to or higher than the average value. Then, using only the power consumption data of one of the groups, the tamper resistance evaluation by the information processing apparatus of the comparative example is performed by using the value of the input bit A as a selection function bit by bit as in the tamper resistance evaluation experiment 1. went. The evaluation by the information processing apparatus of the comparative example was performed on the same power consumption data as the time slot number 5 of the information processing apparatus of the example.

(Experimental result)
The experimental results of the tamper resistance evaluation experiment 3 will be described. FIG. 23 is a graph showing the value of the determination coefficient R ² for each time slot when the value of the input bit A and the value of the random bit C are used as explanatory variables in the evaluation results by the information processing apparatus of the embodiment. . FIG. 24 shows the values of partial regression coefficients a1 to a8, b for each time slot when the value of the input bit A and the value of the random number bit C are used as explanatory variables in the evaluation results by the information processing apparatus of the embodiment. It is a graph. FIG. 25 illustrates a case where the total number of power consumption data used for evaluation and each bit of the input value A are selected functions when the power consumption data is not grouped among the evaluation results obtained by the information processing apparatus of the comparative example. It is the graph which showed the relationship with the order | rank of a correct key.

From Figure 23, of the derived coefficient of determination R ^2, the coefficient of determination R ² is found to be closer to the value 1 in particular corresponding to the time slot number 2 and later. Therefore, an evaluation result is obtained that the power consumption W after time slot number 2 is lower in tamper resistance compared to other time slots. Further, from FIG. 24, the partial regression coefficients a1 to a8 are all values of 0.1 or less and small values, but the partial regression coefficient b is a large value, and is particularly close to the value 1 after time slot number 2. Value. From this, it was inferred that the reason why the determination coefficient R ² was high in FIG. 23 was that the correlation between the random number bit C corresponding to the partial regression coefficient b and the power consumption W was high. Further, the evaluation circuit 140 has a lower correlation between the input bit A and the power consumption W than the evaluation circuit 40, and an evaluation result indicating that the tamper resistance is high when the power consumption data is not grouped is obtained. Will be. On the other hand, as shown in FIG. 25, in the information processing apparatus of the comparative example, when the total number of power consumption data is 3500 or more, the correct key ranks first in the sixth bit of the input bit A. The bit was not ranked first and the correct key could not be estimated. As can be seen from FIG. 24, even in the information processing apparatus of the example, the partial regression coefficient a6 was larger than other partial regression coefficients. From these results, it was confirmed that the evaluation results were the same between the example and the comparative example, and that the information processing apparatus of the example was able to correctly evaluate the tolerance to the actual power difference analysis.

  Further, in the information processing apparatus of the example, since the correlation between the random number bit C and the power consumption W was high, power consumption data was grouped in the tamper resistance evaluation experiment 3 and multiple regression analysis was performed for each group. . FIG. 26 is a graph showing the relationship between the Hamming weight of the input bit A (the number of bits having the value 1) and the power consumption W in time slot number 2. As shown in the figure, in the evaluation circuit 140, the distribution of the power consumption W is separated depending on whether the random number bit C is 1 or 0, and the attacker predicts the value of the random number bit C from the power consumption data. It was speculated that it would be possible. Therefore, it can be seen that the evaluation circuit 140 needs to perform grouping of the power consumption data based on the value of the random number bit C and perform tamper resistance evaluation excluding the influence of the random number bit. Evaluation results in Examples and Comparative Examples after grouping are shown in FIGS. FIG. 27 is a partial regression coefficient for each time slot when the value of the input bit A is used as an explanatory variable for a group of power consumption data in which the random bit C is 0 in the evaluation result by the information processing apparatus of the embodiment. It is the graph which showed the value of a1-a8. FIG. 28 shows each of the total power consumption data and the input value A used for the evaluation in the case where the power consumption data of the group in which the random number bit C is 0 among the evaluation results by the information processing apparatus of the comparative example. It is the graph which showed the relationship with the order | rank of a correct key when a bit is made into a selection function. 27 and 24, when the influence of the random number bit C is removed by grouping, the values of the partial regression coefficients a1 to a8 are increased as a whole, and the input bit A and the power consumption W are The correlation was high. In addition, the values of the partial regression coefficients a1 to a8 corresponding to the time slot number 5 in FIG. 27 are comparatively large values of the partial regression coefficients a2, 3, 4, 6, and 8, and the partial regression coefficients a1, 5, 7 Was a relatively small value. Therefore, an evaluation result indicating that the tamper resistance of the second, third, fourth, sixth and eighth bits of the input bit A is particularly low is obtained. On the other hand, in the evaluation result in FIG. 28, the correct key rank is 1st in the second, third, fourth, sixth and eighth bits of the input bit A, and the correct key estimation is successful. became. Therefore, in the information processing apparatus according to the embodiment, when the correlation between the random number bits C and the power consumption W is high, the power consumption data is grouped and then subjected to multiple regression analysis to eliminate the influence of the random number bits. It was confirmed that tamperability could be evaluated and that tolerance to power difference analysis could be correctly evaluated.

[Tamper resistance evaluation experiment 4]
Also in the case where the SubBytes conversion circuit 144 of the evaluation circuit 140 is configured using an MDPL (Masked Dual-rail Pre-charge Logic) circuit which is a kind of random number mask circuit instead of the RSL circuit 148, the tamper resistance evaluation experiment 3 In the same manner, tamper resistance was evaluated by the information processing apparatuses of the example and the comparative example. The MDPL circuit includes a circuit for positive logic data and a circuit for negative logic data in parallel, and performs a complementary operation to balance power consumption to suppress fluctuations in power consumption in the entire circuit. It is. Similarly to the RSL circuit 148 shown in FIG. 13, the circuit for positive logic data and the circuit for negative logic data consume the input bit A by switching the operation mode according to the value of the random number bit C (1 bit). It is comprised so that the correlation with the electric power W may become low. FIG. 29 is a graph illustrating an example of a tamper resistance evaluation result by the information processing apparatus of the example. Figure 29 (a) is a graph showing the value of the coefficient of determination R ² for each time slot, Figure 29 (b) is a graph showing the values of partial regression coefficient a1 to a8, b for each time slot. FIG. 30 shows a case where the total number of power consumption data used for evaluation and each bit of the input value A are used as selection functions when the power consumption data is not grouped among the evaluation results by the information processing apparatus of the comparative example. It is the graph which showed the relationship with the order | rank of a correct key.

From FIG. 29 (a), the it was found that the coefficient of determination R ² corresponding to the time slot number 5 has a larger value than in the case of other time slot number. Further, from FIG. 29 (b), the partial regression coefficients a1 to a8 corresponding to the time slot number 5 were all small values with a value of 0.1 or less, but the partial regression coefficients b were large values. From this, the determination coefficient R ² has a large value in FIG. 29A because the correlation between the random number bit C and the power consumption W is higher than in the case of other time slot numbers. Inferred. Further, since the values of the partial regression coefficients a1 to a8 are small, an evaluation result indicating that tamper resistance is high is obtained in a state where the power consumption data is not grouped. On the other hand, as shown in FIG. 30, in the information processing apparatus of the comparative example, even when the total amount of power consumption data is 4000, there is no bit in which the correct key rank is the first among the input bits A, and the correct key The estimation of was not successful. From these, it was confirmed that the evaluation results were the same between the example and the comparative example, and the information processing apparatus of the example was able to correctly evaluate the resistance to the actual power difference analysis. The value of the partial regression coefficient b is smaller than that of the partial regression coefficient b shown in FIG. 24 even in the case of time slot number 5, and the evaluation using the MDPL circuit is compared with the evaluation circuit using the RSL circuit 148. An evaluation result indicating that the circuit has higher tamper resistance with respect to the random number bit C is obtained. This evaluation result also coincides with the evaluation result by the information processing apparatus of the comparative example that the order of correct keys is generally lower in FIG. 30 in FIG. 25 and FIG. FIG. 31 is a graph showing the relationship between the Hamming weight of the input bit A and the power consumption W at time slot number 5 of the evaluation circuit 140 using the MDPL circuit. As shown in this figure, in the evaluation circuit using the MDPL circuit, the distribution of the power consumption W is not separated as much as in FIG. 26 depending on whether the random number bit C is 1 or 0, and it is determined from the power consumption data. It is considered that the attacker cannot predict the value of the random number bit C. This result coincides with the fact that the value of the partial regression coefficient b shown in FIG. 30 is smaller than the partial regression coefficient b shown in FIG. As described above, in the information processing apparatus according to the embodiment, whether the attacker can predict the value of the random bit C from the power consumption data by evaluating the tamper resistance of the random bit C using the partial regression coefficient b. You can evaluate whether or not. In addition, for example, by simply comparing FIG. 26 and FIG. 30 with eyes, the evaluation circuit using the MDPL circuit quantitatively evaluates how much tamper resistance is higher than the evaluation circuit using the RSL circuit. However, the information processing apparatus according to the embodiment can perform quantitative evaluation by comparing the partial regression coefficients b of the two.

  10, 110 information processing apparatus, 12 control unit, 14, 114 storage unit, 16 display unit, 18 operation unit, 20, 120 tamper resistance evaluation program, 21 evaluation circuit data generation unit, 22 evaluation circuit data conversion unit, 23,123 Input data generation unit, 24 Circuit simulator, 25,125 Power consumption data acquisition unit, 26 Analysis unit, 27 Evaluation unit, 128 Classification unit, 31 Circuit data storage unit, 40,140 Evaluation circuit, 42,142 Register 44, 144 SubBytes conversion circuit, 46 exclusive OR circuit, 148 RSL circuit.

Claims (8)

An information processing apparatus for evaluating tamper resistance of a cryptographic processing circuit,
Power consumption data acquisition means for acquiring a plurality of power consumption data in which a plurality of different state variables representing states of at least one of input bits and output bits in the cryptographic processing circuit and power consumption in the cryptographic processing circuit are associated with each other; ,
Based on the plurality of power consumption data to which the acquired performing a multiple regression analysis more said state variables associated with the digestion cost power aimed variable the power consumption as an explanatory variable, the coefficient of determination and polarized by the analytical and analysis means for deriving a regression coefficient as analysis value,
Evaluation means for evaluating tamper resistance of the cryptographic processing circuit based on the derived analysis value;
Equipped with a,
The evaluation means determines whether or not the tamper resistance is high based on whether or not the derived determination coefficient is included in a predetermined determination coefficient allowable region, and the derived determination coefficient is the determination coefficient When it is included in a predetermined determination coefficient non-permissible area different from the allowable area, it is determined that tamper resistance is low, and the derived determination coefficient is included in both the determination coefficient allowable area and the determination coefficient non-permissible area. When not, it is means for determining a state variable having low tamper resistance among the plurality of state variables based on the derived partial regression coefficient.
Information processing apparatus. The evaluation means includes the derived partial regression coefficient in a predetermined partial regression coefficient allowable region when the derived determination coefficient is not included in either the determination coefficient allowable region or the determination coefficient non-permissible region. Is a means for determining whether or not the tamper resistance of the state variable corresponding to the partial regression coefficient not included in the partial regression coefficient allowable region is low.
The information processing apparatus according to claim 1 . When there is a state variable determined to have low tamper resistance based on the partial regression coefficient, the evaluation unit performs a power difference analysis of the cryptographic processing circuit using the state variable as a selection function, and the power difference analysis is successful. A means for evaluating tamper resistance of the cryptographic processing circuit depending on whether or not
The information processing apparatus according to claim 1 or 2 . The evaluation means determines whether or not the tamper resistance is high based on a standard deviation of the acquired plurality of power consumption data. When the tamper resistance is low, the evaluation means determines whether the tamper resistance is low or not based on the derived analysis value. A means for evaluating tamper resistance of the cryptographic processing circuit.
The information processing apparatus according to any one of claims 1 to 3 . The state variable is a variable that represents the value of one of the input bits or the output bits or the presence or absence of a transition of values.
The information processing apparatus according to any one of claims 1 to 4 . The information processing apparatus according to any one of claims 1 to 5 ,
The cryptographic processing circuit has a random number mask circuit that masks internal circuit operation by the value of a random number bit,
The power consumption data acquisition means corresponds to a state variable representing a state of at least one of an input bit and an output bit in the cryptographic processing circuit and a state variable representing a state of the random number bit, and power consumption in the cryptographic processing circuit. Means for acquiring a plurality of attached power consumption data,
Based on the plurality of acquired power consumption data, a regression analysis is performed using the power consumption as an objective variable and a state variable representing the state of the random number bit associated with the power consumption as an explanatory variable, and is determined by the analysis. When at least one of a coefficient and a regression coefficient is derived as a correlation value between the random number bit and the power consumption, and when it is determined that the correlation between the random number bit and the power consumption is high based on the correlation value, the acquired Classification means for classifying a plurality of power consumption data into a plurality of groups according to the value of a random number bit,
With
The analysis means is means for deriving the analysis value by performing the multiple regression analysis based on power consumption data belonging to the same group.
Information processing device. An information processing method for evaluating tamper resistance of a cryptographic processing circuit,
(A) obtaining a plurality of power consumption data in which a plurality of different state variables representing the states of at least one of input bits and output bits in the cryptographic processing circuit and power consumption in the cryptographic processing circuit are associated;
Based on (b) the obtained plurality of power consumption data, performs a multiple regression analysis more said state variables associated with the digestion cost power aimed variable the power consumption as explanatory variables, determined by the analysis deriving a coefficient and partial regression coefficient as analysis value,
(C) evaluating the tamper resistance of the cryptographic processing circuit based on the derived analysis value;
Only including,
In the step (c), based on whether or not the derived determination coefficient is included in a predetermined determination coefficient allowable region, it is determined whether or not the tamper resistance is high. When it is included in a predetermined determination coefficient non-permissible area different from the determination coefficient allowable area, it is determined that the tamper resistance is low, and the derived determination coefficient is in both the determination coefficient allowable area and the determination coefficient non-permissible area. When not included, a state variable having low tamper resistance is determined among the plurality of state variables based on the derived partial regression coefficient.
Information processing method. A program for causing each step of the information processing method according to claim 7 to be realized by one or a plurality of computers.

Images