JP6354376B2 - Power residue calculation device, IC card, power residue calculation method, and power residue calculation program - Google Patents

Description

  The present invention relates to a technical field such as a residue arithmetic apparatus to be used for implementation of public key cryptosystems such as RSA (Rivest Shamir Adleman scheme) cryptography and Diffie-Hellman key agreement (Key Agreement).

  Conventionally, in an IC card or a portable information terminal on which an IC chip or the like is mounted, personal information stored in the IC chip is generally encrypted by a RSA (Rivest Shamir Adleman scheme) encryption method and is nonvolatile. When personal information or the like written in the memory and encrypted is read out, it is decrypted and output. In the RSA encryption, encryption processing is performed based on the following equation (1) by power-residue calculation, and decryption processing is performed based on the following equation (2).

C = M ^d modn (1)
M = C ^e modn (2)

  Where M is the plaintext to be encrypted, C is the encrypted plaintext (ie, ciphertext), d (power value) is the private key (private key) index, and e (power value) is the public key index. , N is the public key modulus. The public key modulus n is a product of prime numbers p and q.

In the power-residue calculation in the above-described encryption process and decryption process, a binary method (iterative square method) is generally used. A power-residue calculation algorithm in encryption processing using this binary method is shown below.
S = 1
for (j = k-1 to 0)
S = S ² modn
if (d _i = 1) then
S = S * Mmodn
end if
end for

Here, k is the bit length of d, and d _i is the binary representation of d. In the power-residue calculation algorithm in the encryption process, a square-residue calculation (S ² modn) with an initial value of S being “1” and a multiplication-residue calculation (S * Mmodn) equal to the number of bits with d _i = 1. ) Is repeated.

A power-residue calculation algorithm in the decoding process using the binary method is shown below.
S = 1
for (j = k-1 to 0)
S = S ² modn
if (e _i = 1) then
S = S * Cmodn
end if
end for

Here, k is the bit length of e, and e _i is a binary representation of e. In the power-residue algorithm in the decoding process, a square-residue operation (S ² modn) with an initial value of S being “1” and a multiplication-residue operation (S * Cmodn) equal to the number of bits for which e _i = 1. Is repeated.

By the way, as described above, when the binary method is used in the power-residue calculation, the calculation method differs depending on whether d _i and e _i are 1 or 0 (that is, whether the multiplication remainder calculation is performed or not). ). For this reason, there has been a problem that side channel attacks such as SPA (Simple Power Analysis) and DPA (Differential Power Analysis) which attempt to derive a secret key by observing fluctuations in power consumption during power-residue calculation. Also known are attack techniques called SEMA (Simple ElectroMagnetic Analysis) and DEMA (Differential ElectroMagnetic Analysis) that observe fluctuations in the electromagnetic field instead of power consumption. As a countermeasure against such a side channel attack, for example, a countermeasure for making the data being calculated and the secret key uncorrelated by masking (blinding) the data being calculated using the secret key with a random number or the like is known. . For example, Patent Document 1 discloses a technique for blinding secret key exponents using random numbers.

Patent 5412274 Shay Gueron, Jean-Pierre Seifert, "Is It Wise to Publish Your Public RSA Keys?", Fault Diagnosis and Tolerance in Cryptography (FDTC 2006), Lecture Notes in Computer Science Volume 4236, 2006, pp.1-12

  By the way, in Non-Patent Document 1, by Dr. Jean-Pierre Seifert et al., A failure use attack is executed aiming at the timing of “power residue calculation” at the time of signature verification, and signature verification succeeds even for fake signatures. The attack “Bypass Fault Attack” has been reported. For example, an attacker who does not know the secret key d cannot create a correct signature value (ciphertext) C that can be successfully verified, and therefore provides the original plaintext M as an input for the signature verification step. Then, the attacker attacks the result of the above-mentioned multiplication residue calculation at the timing when it is performed only once, so that the calculation result in which the index e is set to e = 1 (that is, M is the power of M and remains M). The signature verification judgment routine is given and the signature verification is skipped. By this method, the attacker can successfully accept the signature even if it is a fake public key certificate without the correct signature of the CA station. Conventionally, an effective measure against such “Bypass Fault Attack” has not been known.

  Therefore, the present invention has been made in view of the above points and the like, and a power residue calculation device, an IC card, and a power residue calculation method capable of effectively responding to attacks such as “Bypass Fault Attack” An object of the present invention is to provide a modular exponentiation operation program.

In order to solve the above problem, the invention according to claim 1 is a positive integer represented by a plurality of bits in a power-residue arithmetic unit that performs an operation of S = C ^e modn using a binary method. , E, and n, and when e is a binary number expression e _i (k (bit length of e)> i ≧ 0), k times square remainder operation and e _i = 1 and calculating means for performing a repetitive operation of modular multiplication of times equal to the number of bits comprising a counting means for counting the number of operations before Symbol modular multiplication, and counted the number of operations by said counting means, e a determination unit that compares a set number of times set to the number of bits for which _i = 1 and determines that the calculation is not abnormal when the number of calculations is not the set number of times based on the comparison result; Determined to be If it, characterized in that it comprises a processing means for performing an error process.

According to a second aspect of the invention, the modular exponentiation operation apparatus according to claim 1, wherein C is verified data, wherein e is the public key exponent, wherein n is a public key modulus, not abnormal by the determining means Verifying means for verifying the C by determining whether or not the S calculated by the iterative calculation and the plaintext data to be encrypted by the power-residue calculation match. It is further provided with the feature.

According to a third aspect of the present invention, there is provided an input means for inputting C, e, and n, which are positive integers expressed by a plurality of bits, in an IC card that performs an operation of S = C ^e modn using a binary method. , When e is a binary number expression e _i (k (bit length of e)> i ≧ 0), k times of modular multiplication and the number of multiplication remainders equal to the number of bits where e _i = 1 calculating means for performing a repeated operation of the operation, a count means for counting the number of operations before Symbol modular multiplication, and counted the number of operations by the counting means is set to the number of bits to be e i _{= 1} A determination unit that determines that the number of calculations is abnormal based on the comparison result, and that determines that the determination unit is abnormal. Processing means to perform , Characterized in that it comprises a.

The invention according to claim 4 is a modular multiplication method to be executed by a computer that performs a calculation of S = C ^e modn using a binary method, and is a positive integer expressed by a plurality of bits, C, e , And n, and when e is a binary expression e _i (k (bit length of e)> i ≧ 0), k square remainder operations and bits where e _i = 1 performing a repetitive operation number and the number of modular multiplication equal, the steps of counting the number of operations before Symbol modular multiplication, and the counted the number of calculations, the number of bits to be e i _{= 1} If compared with the set predetermined number of times, it is determined and a determination step and the number of calculations on the basis of the comparison result is abnormal if not the set number, to be abnormal in the determination step, Characterized in that it comprises a step of performing error processing, the.

According to a fifth aspect of the present invention, a step of inputting positive integers C, e, and n expressed by a plurality of bits to a computer that performs an operation of S = C ^e modn using a binary method; Is expressed as a binary number e _i (k (bit length of e)> i ≧ 0), and k times the square remainder operation and the number of multiplication remainder operations equal to the number of bits where e _i = 1. comparing performing a repetitive operation, the steps of counting the number of operations before Symbol modular multiplication, and the counted the number of operations, and a set number of times set to the number of bits to be e i _{= 1,} a determination step and the number of calculations on the basis of the comparison result is abnormal if not the set number, if it is determined that the abnormality in the determining step, this to execute the steps of performing error processing The features.

  According to the present invention, the number of operations of the square remainder operation or the multiplication residue operation is counted, the counted number of operations is compared with a preset number of times, and whether or not there is an abnormality based on the comparison result If it is determined whether or not there is an abnormality, error processing is performed, so that an abnormality caused by an attack such as “Bypass Fault Attack” can be quickly detected and dealt with effectively.

1 is a diagram illustrating a schematic configuration example of an IC card 1. FIG. 5 is a flowchart illustrating an example of a decoding process executed by a coprocessor 11. 5 is a flowchart illustrating an example of a decoding process executed by a coprocessor 11.

  Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings. The embodiment described below is an embodiment when the present invention is applied to an IC chip.

  First, the schematic configuration and functions of the IC card 1 will be described with reference to FIG. FIG. 1 is a diagram illustrating a schematic configuration example of the IC card 1. The IC card 1 is used as a cash card, credit card, employee card or the like. Alternatively, the IC card 1 is incorporated into a communication device such as a smartphone or a mobile phone. The IC chip 1a may be configured by being directly incorporated on a circuit board of a communication device.

  As shown in FIG. 1, an IC chip 1a mounted on an IC card 1 includes a CPU (Central Processing Unit) 10, a coprocessor 11, a ROM (Read Only Memory) 12, a RAM (Random Access Memory) 13, and a nonvolatile memory. 14 and an I / O circuit 15. The coprocessor 11 is an example of a power residue calculation apparatus and a computer according to the present invention, and mainly performs verification processing assisted by the CPU 10. In the present embodiment, the coprocessor 11 is an example of a verification device. For example, a flash memory is applied as the nonvolatile memory 14. Alternatively, “Electrically Erasable Programmable Read-Only Memory” may be applied. The I / O circuit 15 serves as an interface with the external terminal 2. In the case of the contact type IC chip 1a, the I / O circuit 15 includes, for example, eight terminals C1 to C8. For example, the C1 terminal is a power supply terminal, the C2 terminal is a reset terminal, the C3 terminal is a clock terminal, the C5 terminal is a ground terminal, and the C7 terminal is a terminal for communicating with the external terminal 2. On the other hand, in the case of the non-contact type IC chip 1a, the I / O circuit 15 includes, for example, an antenna and a modulation / demodulation circuit. Examples of the external terminal 2 include an IC card issuing machine, ATM, ticket gate, authentication gate, and the like. Alternatively, when the IC chip 1a is incorporated in a communication device, the external terminal 2 corresponds to a control unit responsible for the function of the communication device.

  The ROM 12 or the nonvolatile memory 14 stores programs executed by the CPU 10 and the coprocessor 11 and various data. The program stored in the nonvolatile memory 14 includes a command processing program that defines command processing to be executed by the CPU 10. The program stored in the non-volatile memory 14 includes an encryption processing program that defines the encryption processing to be executed by the coprocessor 11 and a decryption processing program that specifies the decryption processing to be executed by the coprocessor 11 (of the present invention). Including a power residue calculation program). The non-volatile memory 14 is provided with a secure storage area in which a secret key d used in the encryption process, a public key (a, n) used in the decryption process, and the like are stored. Is done.

When receiving a command transmitted from the external terminal 2, the CPU 10 executes command processing according to the command in accordance with the command processing program. In particular, when the command processing involves data encryption or data decryption, the CPU 10 causes the coprocessor 11 to execute the encryption processing or decryption processing. The coprocessor 11 is an example of an input unit, a calculation unit, a count unit, a determination unit, a processing unit, and a verification unit in the present invention. The coprocessor 11 includes, for example, a power residue calculation unit, a counter, a verification unit, a plurality of registers, and the like, and executes encryption processing or decryption processing according to the encryption processing program or the decryption processing program. In this decoding process, the coprocessor 11 performs an operation of S = C ^e modn using the binary method. The CPU 10 may function as a counting unit, a determining unit, a processing unit, and a verification unit in the present invention instead of the coprocessor 11. In this case, the CPU 10 includes, for example, a counter and a verification unit.

Specifically, the coprocessor 11 converts C (data to be verified), e (public key index), and n (public key modulus), which are positive integers expressed by a plurality of bits, into the RAM 13 or the nonvolatile memory 14. Input from (read). When the input e is represented by a binary number e _i , the coprocessor 11 performs k square remainder operations (S ² modn) and multiplication remainder operations (S *) equal to the number of bits where e _i = 1. Cmodn) is repeated. Here, k is the bit length of e, and e _i is a binary representation of e (k> i ≧ 0). If each bit of e expressed in binary notation is expressed as E [j], e can be expressed by the following equation (3).

e = 2 ^k-1 E [k-1] + 2 ^k-2 E [k-2] + ... + 2 ² E [2] + 2E [1] + E [0] (3)

  The repetitive calculation is composed of multiplication and division (mod calculation). Multiplication is a part that performs S * S or S * M on the value of S, which has an initial value of 1. The division is a part for performing modn (operation for obtaining a remainder when dividing by n) on the value obtained by each multiplication. In the repetitive operation, multiplication and division are performed as a pair of operations according to the bit value of e. That is, multiplication and division are performed according to the contents of each bit from the most significant bit to the least significant bit of e.

  The coprocessor 11 or the CPU 10 counts the number of times of the square remainder calculation or the multiplication remainder calculation in the above repeated calculation. Then, the coprocessor 11 compares the counted number of calculations with a preset number of times, determines whether or not it is abnormal based on the comparison result, and if it is determined that there is an error, Process. When the coprocessor 11 determines that there is no abnormality, the coprocessor 11 determines whether S calculated by the repetitive calculation matches M (plaintext data) to be encrypted by the power-residue calculation. To verify C.

  Next, a specific example of the decoding process executed by the coprocessor 11 will be described with reference to FIGS. 2 and 3. 2 and 3 are flowcharts illustrating an example of the decoding process executed by the coprocessor 11. In the following description, the coprocessor 11 counts the number of times of the square remainder calculation or multiplication remainder calculation, compares the counted number of times with a preset number of times, and performs an abnormality based on the comparison result. If it is determined whether or not it is abnormal, it is assumed that error processing is performed. However, such a series of processing may be performed by the CPU 10.

Example 1
First, the decoding process executed by the coprocessor 11 will be described with reference to FIG. The decoding process shown in FIG. 2 is an example in which it is determined that there is an abnormality when the number of operations of the modular multiplication is “1” in the iterative calculation.

  The process illustrated in FIG. 2 is started when a signature verification command is received from the CPU 10, for example. As a premise of the processing shown in FIG. 2, the set number of times is set to “1”. When the processing shown in FIG. 2 is started, the coprocessor 11 sets M (plain text data), C (data to be verified), e (public key index), and n (public key modulus) to, for example, the RAM 13 or nonvolatile memory. From the memory 14, M is stored in the M register, C is stored in the C register, e is stored in the E register, and n is stored in the N register. The E register stores the value of each bit in which e is expressed in binary. Then, the coprocessor 11 sets k to “bit length of e”, sets S to “1” (initial value), and sets ct to “0” (step S1). For example, “bit length of e” is stored in the K register, “1” is stored in the S register, and “0” is stored in the CT register.

Next, the coprocessor 11 sets j indicating the bit position (from the most significant to the least significant) as “k−1” (step S2). For example, “k−1” is stored in the J register. Next, the coprocessor 11 calculates S by performing a square remainder calculation (S ² modn) by the power-residue calculation unit (step S3). The value stored in the S register is updated by the S thus calculated. Then, the coprocessor 11 refers to the E register, determines whether _{e j} is "1" (step S4). Coprocessor 11, when judging that _{e j} is "1" (step S4: YES), the process proceeds to step S5. On the other hand, co-processor 11, _{e j} is not "1" (i.e., _{e j} is "0") when it is determined that (Step S4: NO), the process proceeds to step S7.

  In step S <b> 5, the coprocessor 11 calculates S by performing a modular multiplication (S * Cmodn) by a power modular arithmetic unit. The value stored in the S register is updated by the S thus calculated. Next, the coprocessor 11 adds “1” to the value of ct (count value of the modular multiplication operation) by the counter (1 count up) (step S6). As a result, the value stored in the CT register is updated.

  In step S7, the coprocessor 11 subtracts “1” from the value of j. As a result, the value stored in the J register is updated. Next, the coprocessor 11 refers to the J register and determines whether or not the value of j is “0” or more (step S8). If the coprocessor 11 determines that the value of j is greater than or equal to “0” (step S8: YES), the coprocessor 11 returns to step S3 and repeats the processing after step S3. On the other hand, if the coprocessor 11 determines that the value of j is not greater than or equal to “0” (that is, the repetitive calculation has been performed k times) (step S8: NO), the process proceeds to step S9.

  In step S9, the coprocessor 11 refers to the CT register and compares ct with “1” (the set number of times) (that is, compares the counted number of multiplication remainder operations with the set number of times, It is determined whether or not it is abnormal based on the comparison result. That is, in the example of FIG. 2, it is determined whether or not the number of operations of modular multiplication is “1”. When the coprocessor 11 determines that ct is “1” (step S9: YES), the coprocessor 11 determines that there is an abnormality (abnormality detection) and performs error processing (step S10). That is, when the number of operations of the modular multiplication operation is “1”, it is assumed that the attack is performed at the timing when the modular multiplication operation is performed only once, and thus error processing is performed. In this error processing, for example, the coprocessor 11 outputs an alarm to the CPU 10 (for example, outputs a message indicating that an abnormality such as an attack has occurred), and ends the processing shown in FIG. ). Alternatively, in error processing, the coprocessor 11 may stop the operation.

  When the alarm output from the coprocessor 11 is input, the CPU 10 stops the operation of the IC chip 1a, or stops the operation of a specific program being activated in the IC chip 1a. Alternatively, in this case, the CPU 10 transmits an error response to the external terminal 2. The error response indicates that an error has occurred in the IC chip 1a. The CPU 10 may stop the operation of the IC chip 1a or the specific program and transmit an error response to the external terminal 2.

  On the other hand, when the coprocessor 11 determines in step S9 that ct is not “1” (step S9: NO), S (the value finally stored in the S register) calculated by repetitive calculation; The verification unit determines whether or not M (a value stored in the M register) to be encrypted by the power-residue calculation matches (step S11). Thereby, the input C is verified. If the coprocessor 11 determines that S and M match (step S11: YES), the coprocessor 11 outputs a message indicating the verification success to the CPU 10 (step S12), and ends the processing shown in FIG. On the other hand, if the coprocessor 11 determines that S and M do not match (step S11: NO), the coprocessor 11 outputs a message indicating a verification failure to the CPU 10 (step S13), and ends the process shown in FIG. The CPU 10 performs processing according to the verification success or the verification failure from the coprocessor 11. In addition, you may comprise so that CPU10 may perform the process of step S11. In this case, when the coprocessor 11 determines that ct is not “1” (step S9: NO), the coprocessor 11 outputs S (the value finally stored in the S register) calculated by the repetitive calculation to the CPU 10. It will be.

  As described above, according to the first embodiment, for example, when M is input as the verification target data (originally ciphertext C) and the attack is performed at the timing when the above modular multiplication is performed only once. Even if it exists, an abnormality due to this attack can be detected and error processing can be performed. Therefore, it is possible to quickly detect an abnormality due to an attack such as “Bypass Fault Attack” and effectively deal with it.

  Note that the process of adding “1” to the value of ct may be configured not to be performed immediately after step S5 but between, for example, step S3 and step S4. In this case, the number of square remainder calculations is counted. In this case as well, the set number of times may be “1”, but normal repetitive calculation (square remainder calculation) is performed k times. Therefore, the set number of times may be set to k, and in step S9, the coprocessor 11 may determine whether or not ct is less than k. If ct is less than k, error processing may be performed. With this configuration, it is possible to grasp the number of times that an iterative operation has been performed when the binary method is used in the power-residue operation, so that it is possible to detect the possibility of being attacked during the operation.

(Example 2)
Next, a decoding process executed by the coprocessor 11 will be described with reference to FIG. The decoding process shown in FIG. 2 is an example in which it is determined that there is an abnormality when the number of operations of the modular multiplication is not “the number of bits where e _j = 1” in the iterative operation. Note that the processes other than step S29 shown in FIG. 3 are the same as the processes shown in FIG. In step S29, the coprocessor 11 determines whether or not ct is “the number of bits for which e _j = 1”. If the coprocessor 11 determines that ct is “the number of bits for which e _j = 1” (step S29: YES), the coprocessor 11 proceeds to step S31 and performs verification. On the other hand, if the coprocessor 11 determines that ct is not “the number of bits for which e _j = 1” (step S29: NO), the coprocessor 11 proceeds to step S30 and performs error processing. For example, when the public key exponent e = 65537, this binary number representation is “10000000000000000001”, and “1” is set in 2 bits out of 17 bits. If so, the value of ct should be “2” in step S29. Therefore, if ct is not “2”, the coprocessor 11 determines that there is an abnormality (abnormality detection) and performs error processing.

  As described above, according to the second embodiment, it is possible to detect an attack such as “Bypass Fault Attack” with higher accuracy and perform error processing. Therefore, it is possible to detect an abnormality caused by an attack such as “Bypass Fault Attack” with high accuracy and effectively deal with it. Furthermore, according to the second embodiment, not only “Bypass Fault Attack”, but also an abnormality can be detected even when the binary computation is disturbed by an unknown attack at the present time.

  In the above embodiment, the present invention is applied to an IC chip. However, the present invention can be applied to an embedded microprocessor other than the IC chip. In the above embodiment, an example in which each unit of the present invention is configured by software has been described. However, each unit of the present invention may be configured by hardware.

1 IC card 1a IC chip 10 CPU
11 Coprocessor 12 ROM
13 RAM
14 Nonvolatile memory 15 I / O circuit

Claims (5)

In a power-residue computing device that performs S = C ^e modn using a binary method,
Input means for inputting C, e, and n, which are positive integers expressed by a plurality of bits;
When e is a binary number expression e _i (k (bit length of e)> i ≧ 0), k times of a modular remainder operation and a number of multiplication remainder operations equal to the number of bits where e _i = 1. An arithmetic means for repeatedly calculating
Counting means for counting the number of operations before Symbol modular multiplication,
The number of operations counted by the counting means is compared with the number of times set to the number of bits where e _i = 1, and it is abnormal if the number of operations is not the set number of times based on the comparison result. determination means that there is,
Processing means for performing error processing when it is determined that the determination means is abnormal;
A power-residue calculating device comprising: C is data to be verified, e is a public key index, and n is a public key modulus.
When it is determined by the determination means that there is no abnormality, it is determined whether or not the S calculated by the repetitive calculation matches the plaintext data to be encrypted by the power-residue calculation. The power-residue calculating apparatus according to claim 1, further comprising verification means for performing verification. In an IC card that performs a calculation of S = C ^e modn using a binary method,
Input means for inputting C, e, and n, which are positive integers expressed by a plurality of bits;
When e is a binary number expression e _i (k (bit length of e)> i ≧ 0), k times of a modular remainder operation and a number of multiplication remainder operations equal to the number of bits where e _i = 1. An arithmetic means for repeatedly calculating
Counting means for counting the number of operations before Symbol modular multiplication,
The number of operations counted by the counting means is compared with the number of times set to the number of bits where e _i = 1, and it is abnormal if the number of operations is not the set number of times based on the comparison result. determination means that there is,
Processing means for performing error processing when it is determined that the determination means is abnormal;
An IC card comprising: A modular exponentiation method to be executed by a computer that performs a computation of S = C ^e modn using a binary method,
Inputting positive integers C, e, and n expressed in multiple bits;
When e is a binary number expression e _i (k (bit length of e)> i ≧ 0), k times of a modular remainder operation and a number of multiplication remainder operations equal to the number of bits where e _i = 1. A step of repeatedly calculating with
A step of counting the number of operations before Symbol modular multiplication,
The counted number of operations is compared with the set number of times set to the number of bits where e _i = 1, and it is determined that there is an abnormality when the number of operations is not the set number of times based on the comparison result A determination step to:
A step of performing error processing when it is determined in the determination step that there is an abnormality;
A power-residue calculation method comprising: To a computer that performs S = C ^e modn using a binary method,
Inputting positive integers C, e, and n expressed in multiple bits;
When e is a binary number expression e _i (k (bit length of e)> i ≧ 0), k times of a modular remainder operation and a number of multiplication remainder operations equal to the number of bits where e _i = 1. A step of repeatedly calculating with
A step of counting the number of operations before Symbol modular multiplication,
The counted number of operations is compared with the set number of times set to the number of bits where e _i = 1, and it is determined that there is an abnormality when the number of operations is not the set number of times based on the comparison result A determination step to:
A step of performing error processing when it is determined in the determination step that there is an abnormality;
A power-residue calculation program, characterized in that

Images