JPWO2004047052A1 - Tamper resistant information processing equipment - Google Patents

Abstract

When it is difficult to extract secret information from changes in the power consumption of the IC chip and the tamper resistance is increased, the processing speed is increased by avoiding an increase in the amount of calculation. When performing power-residue calculation or scalar multiplication of points on an elliptic curve that are executed inside the IC chip, the data is blinded based on random numbers and unblinded after the calculation, but the data used for the blind is calculated The blind method is changed so that it becomes constant through the repetition of the above. As a result, the amount of calculation during unblinding can be reduced.

Description

  The present invention relates to a technique for ensuring the safety and reliability of information using encryption, and more particularly to a tamper resistant information processing apparatus for preventing attacks on encryption.

Currently, the IC (Integrated Circuit) card whose market is expanding and the GSM (Global Systems for Mobile Communication) standard mobile phone widely used in Europe are mobile phones that can perform user authentication and electronic commerce. It is a terminal. Furthermore, the IC card is also used as electronic money in which reliability and safety are particularly important. On the other hand, the GSM mobile phone employs a form called a SIM (Subscriber Identification Module) module for similar use.
Both the IC card and the SIM module are card-type information processing devices, and have a structure in which a semiconductor chip with terminals is attached to a plastic plate. Since both structures are basically the same, the IC card will be described below.
The IC card used as described above holds personal information that cannot be rewritten without permission, and also encrypts data and decrypts ciphertext using an encryption key that is secret information.
The IC card itself does not have a power source, and can operate by receiving power from a reader / writer that controls the IC card. In a contact type IC card, power is directly supplied via a terminal of a semiconductor chip. On the other hand, in a non-contact type IC card, a built-in antenna coil receives a radio wave emitted from a reader / writer and detects and rectifies the resonance output, thereby extracting electric power for operating the semiconductor chip.
When the IC card becomes operable, it receives a command transmitted from the reader / writer and performs processing such as data transfer in accordance with the command.
As shown in FIG. 10, the IC card is obtained by mounting a semiconductor chip 102 which is an IC (semiconductor integrated circuit) on a card 101. In general, an IC card has a supply voltage terminal Vcc, a ground terminal GND, a reset terminal RST, an input / output terminal I / O, and a clock terminal CLK at positions defined by the ISO 7816 standard, and a reader / writer (not shown) is passed through these terminals. Power supply and data communication with the reader / writer.
The configuration of the semiconductor chip 102 that performs information processing is basically the same as that of a normal microcomputer. As shown in FIG. 11, the configuration includes a CPU (central processing unit) 201, a storage device (MEM) 204, an input / output port (I / O) 207, and a coprocessor (COPRO) 202.
The CPU 201 is a device that performs logical operations and arithmetic operations, and the storage device 204 includes a program storage unit (PS) 205 and a data storage unit (DS) 206. The input / output port 207 is a device that communicates with the reader / writer. The coprocessor 202 is a device that performs cryptographic processing itself or computation necessary for cryptographic processing at high speed. For example, a special computing device for performing a remainder computation on a widely used RSA cipher, DES, (A data encryption standard in the United States) There are encryption devices that perform encryption round processing. Many IC card processors do not have the coprocessor 202. Each device is connected to each other by a data bus 203.
The storage device 204 includes a ROM (Read Only Memory), a RAM (Random Access Memory), an EEPROM (Electrically Erasable Programmable Read Only Memory), and the like. In recent years, some use FeRAM (Ferroelectric RAM) instead of EEPROM.
A program is mainly stored in a ROM which is a memory that cannot be rewritten. The rewritable EEPROM stores data required to be held in a state where the IC card is removed from the reader / writer. For example, the prepaid frequency of the prepaid card is rewritten every time it is used, and is stored in the EEPROM.
Thus, in the IC card, programs and important information are sealed in the semiconductor chip. In other words, the IC card is used for storing important information and internally performing encryption processing.
Conventionally, it has been considered that the difficulty of decrypting the encryption of the IC card from the outside is the same as the difficulty of decrypting the encryption algorithm. However, by observing and analyzing the current consumption (supplied from the reader / writer) when the IC card is performing encryption processing, it is possible to estimate the content and encryption key of encryption processing more easily than decryption of the encryption algorithm. It has been suggested that this is possible. Such a risk is described in, for example, Reference 1: 1997, John Wiley & Sons publisher “SMARTCARD HANDBOOK” (co-authored by W. Rankl and Effing), page 263 (8.5.1.1 “Passive Protective Mechanism”). )It is described in.
In particular, in the data bus 203 of the semiconductor chip 102 formed of CMOS (Complementary Metal Oxide Transistor) transistors, the bus driver uses a bus driver because of the capacitance of the wiring and the capacitance of the transistor connected to the wiring. Power is consumed when the value changes from 1 to 0 or from 0 to 1. On the other hand, little power is consumed when the transistor level is fixed. Therefore, by observing the power consumption, it may be possible to understand what is operating in the semiconductor chip 102.
FIG. 12 shows an example of the power consumption waveform in one cycle of the semiconductor chip 102. Depending on the data being processed, the power consumption waveform differs as shown by curve 301 and curve 302. Such a difference occurs depending on data flowing through the bus 203 and data processed by the CPU 201. Therefore, by observing the current consumption, it may be possible to know what is operating in the semiconductor chip 102.
The coprocessor 202 may perform, for example, a 512-bit remainder operation in parallel with the CPU 201. In that case, a consumption current waveform different from the consumption current of the CPU 201 continues for a long time. Therefore, the number of operations of the coprocessor 202 can be easily measured by observing the characteristic waveform. If the number of operations of the coprocessor 202 has some relationship with the encryption key, the encryption key may be estimated from the number of operations of the coprocessor 202.
For example, RSA encryption processing
Y ^ X mod N (^ represents power)
In the implementation often used in the above, it is a remainder multiplication according to whether each term of the binary representation of X, which is a secret exponent, is 0 or 1.
A * B mod N (* represents multiplication)
The number of executions of changes. The processing (decryption) of the RSA encryption will be described later. Y is a ciphertext, X is a secret exponent known only by the IC card, N is a public method (modulus), and Z mod N is Z It means the remainder divided by N.
A normal IC card has a built-in coprocessor 202 that executes the remainder operation. The operating current of the coprocessor is relatively large and may show a power consumption pattern different from that of the CPU 201. In this case, it is easy to count the number of operations of the coprocessor 202. Therefore, the information of the secret key X, that is, the number of 1 can be identified from the power consumption pattern.
Further, when the calculation content in the coprocessor 202 has a bias depending on the encryption key (secret phase index), the bias may be reflected in the current consumption, and the encryption key may be estimated. If the bias is significant, all bit patterns of X may be identified. Similar circumstances exist in the CPU 201. Since the encryption key is constant, there is a possibility that the influence of the bit value of the encryption key can be observed by changing the data to be processed and observing the current consumption. By statistically processing these waveforms of current consumption, there is a possibility that an encryption key can be identified [(For example, “Crypto '99”, published by Springer-Verlag publisher, ( Proceedings of Crypto '99), pages 1 to 10 (see P. Kocher, J. Jaffe and B. Jun “Differential Power Analysis”).
In order to protect internal data from the attack (tamper) as described above, that is, to have tamper resistance, the relevance between data processing in the IC chip 102 and current consumption is reduced. If the relationship between the current consumption and the chip processing decreases, it becomes difficult to process the IC chip 102 and estimate the encryption key from the observed current consumption waveform.
An encryption method includes a public key method that enables decryption without using a common encryption / decryption key, and is often used. In this case, the encryption key is made public and the decryption key is known only on the decryption side. RSA cryptography and elliptic curve cryptography are representative examples of cryptography that employs a public key scheme.
Here, a typical conventional example of tamper resistance that reduces the relevance between the above data processing and current consumption will be described, particularly taking RSA encryption as an example. Prior to the description, the RSA encryption process will be described below.
The RSA encryption processing is often executed by a combination of unit processing (this is common to elliptic curve encryption). The decryption process of RSA encryption is, for example,
S = Y ^ X mod N
This is performed by the power-residue calculation for obtaining the decoding result S. FIG. 13 is a flowchart showing an example of this power residue calculation that is normally implemented on a computer. This power-residue calculation is performed based on the addition chain algorithm (for example, reference 3: page 615 of "HANDBOOK OF APPLIED CRYPTOGRAPHY" published by CRC Press Publisher, 1997) Algorithm 14.82 "). The outline of the calculation procedure for obtaining the decoding result S is as follows.
Start the encryption calculation of this example,
(1) The n bits of the secret exponent X are divided into desired bits J, for example, every 2 bits (J = 2), and read from the higher order, which is 00, 01, 10, or 11 In response to the,
TBL [0] = 1
TBL [1] = Y
TBL [2] = Y ^ 2 mod N
TBL [3] = Y ^ 3 mod N
(Step 0601),
(2) Perform these multiplication remainder calculations.
As described above, dividing the bits of the secret key X every two bits is an example for convenience of explanation. Actually, the bits of the secret key X may be calculated as 1 bit, 3 bits, and 4 bits. At that time, the basic concept of the calculation method is the same.
When the calculation is performed using such an addition chain method, Step 0602 and Step 0611 for performing the square calculation twice are performed irrespective of the bit of X.
On the other hand, in the subsequent multiplication remainder calculation, conditional branches (step 0603, step 0604, step 0605, and step 0606) are performed in accordance with the value of the bit of X (in this example, indicating 2 bits). . Then, in accordance with each bit, multiplication remainder calculation in step 0607, step 0608, step 0609, and step 0610 is performed. The computations of steps 0602, 0611 and steps 0607-0610 are performed n / J times for each delimited X until the counter k changes from n / J to 1. That is, every time one calculation is completed, 1 is subtracted from k. When k = 0, the calculation ends, and the calculation result at that time becomes the final result.
From the viewpoint of mounting, this multiplication remainder calculation is heavy, and in many IC cards, a dedicated coprocessor is often used for multiplication remainder calculation instead of the CPU.
In this multiplication remainder calculation, what is different for each bit is the value of the table generated in step 0601, that is, TBL [0], TBL [1], TBL [2], TBL [3].
In general, as described above, the multiplication remainder calculation is heavy, and the generated current is very large. In particular, in multi-digit calculations, it may be known which of TBL [0], TBL [1], TBL [2], and TBL [3] is being processed.
From such a difference in current waveform, for example, if the current waveform pattern can be classified into four types, a secret key bit pattern can be found. That is, based on four types of current waveforms, the number of patterns in the four permutations is 4! = Try 24 streets. The situation is the same when the number of bits of modulus N increases.
This attacking method for finding the bit pattern of the secret key is particularly effective when the number of N bits is increased. For example, if N is 2048 bits, it is virtually impossible to perform factorization at present. However, if the current consumption of the IC chip can be seen using an oscilloscope, the bit pattern of the secret key can be found.
For example, to know the value of X (about 2000 bits), there are the following procedures. First, a waveform block of current consumption of about 2000 bits (about 1000 blocks if divided every 2 bits) is classified into four types. For each of the four classified categories, the power residue calculation is executed using another computer. Then, the result of each power-residue calculation is compared with the result output from the IC chip, and a search is made for a match between the two. This verification is no more than 24 ways. Therefore, the normal processing of the RSA encryption as shown in FIG. 13 has a high possibility of data being decrypted.
The basic idea of disturbing such analysis is to transform the data, perform cryptographic processing, and finally reverse transform. An example of a method for protecting against attacks by applying this idea to a DES cipher employing a common key is described in, for example, Document 4: Japanese Patent Laid-Open No. 2000-182012.
As a conventional representative method for RSA cryptography that disturbs analysis, that is, obtains tamper resistance by reducing the relationship between data processing and current consumption, instead of Y, KY mod N (K Is a conventional (method A) in which processing is performed using a random number having a reciprocal number under modulus N, and correction processing is finally performed. (Method A) is disclosed in, for example, Reference 5: Springer-Verlag publisher “Crypto '96” Proceedings of Crypto '96, pages 104 to 113 (P. Kocher “Timing Attacks on Implementation of Implementation”). Diffie-Hellman, RSA, DSS, and Other Systems ").
In (Method A), since KY is calculated with respect to the random number K, not the input data Y itself, the current consumed in the coprocessor that performs the modular multiplication differs. Since K is a random number and is not known from the outside, it does not know what the value of KY will be, and accordingly, the corresponding current also has no correlation with the original one. This makes it difficult to know the secret key from the current.

In (Method A), the result obtained is
(KY) ^ X mod N
And to get the correct results,
K ^ (-X) mod N
It is necessary to correct by multiplying. The increase in the calculation time is caused by transforming the data into something different from the original one and finally performing the inverse transformation collectively. In order to suppress an increase in calculation time, the present inventor has focused on reducing the processing by changing the calculation configuration by the above-described deformation and batch reverse deformation.
In the present invention, the information processing apparatus is configured so as to avoid the enlargement of the calculation. In order to explain the contents of the present invention, first, (Method A) is first decomposed, To clarify.
(Method A) is shown in FIGS. In the preprocessing shown in FIG. 14, first, a random number K (K <N) is generated (step 0701). Then, using the input Y and the random number K,
TBL [K, j] = (K * Y) ^ j mod N
(J = 0, 1, 2, 3)
Is created (step 0702).
Then, the reciprocal of K with respect to N (K must be relatively prime to N) is calculated using the Euclidean algorithm (see, for example, page 67 (Algorithm 2.107) of Document 3), C (step 0703).
Using C,
B [j] = C ^ j mod N (j = 0, 1, 2, 3)
Is created (step 0704).
Next, the process proceeds to the power residue calculation shown in FIG. The process in FIG. 15 is the same as the process in FIG. 13 except that TBL [K, j] is used in steps 0801, 0802, 0803, 0804. In this process,
S = (K * Y) ^ X mod N
Is calculated.
Subsequently, the process proceeds to the power residue calculation for the random number K shown in FIG. The process of FIG.
T = C ^ X mod N = K ^ (-X) mod N
13 is the same as the processing in FIG. 13 except that B [j] is used in steps 0901, 0902, 0903, and 0904.
Then, the process proceeds to the correction process shown in FIG. In the process of FIG. 17, S * T mod N
Is calculated and set to S again, and the process ends.
At this time, the process of two remainder multiplications and one remainder multiplication shown in FIG. 15 corresponds to a unit process. (Here, the process of multiplying by 1 is also performed darely, but this is for the purpose of explanation, and in many cases, the process is not actually performed.) The unit process includes the intermediate result S, the random number K, and the exponent X [ k].
U (S, K, X [k])
Shall be written. In other words, in this notation, the processing of (Method A) is as shown in FIGS.
The pre-processing in FIG. 18 performs pre-calculation steps 0701, 0702, 0703, and 0704, and step 0705, which is an initialization process for S and T.
The process of the power residue calculation and the power residue calculation for the random number K in FIG. 19 is to calculate S and T following the process of FIG. Here, the processing of steps 1201 and 1202 is the unit processing described above. Finally, the process of step 1203 is performed, and the process of calculating the power residue is completed.
In the case of (Method A), in this unit processing U (S, K, X [k]), the intermediate processing result S is obtained for a random number K and an exponent 2-bit block X [k].
S * (Y * K) ^ (4 + X [k]) mod N
= (S * Y ^ (4 + X [k])) * K ^ (4 + X [k]) mod N
And transformed. Therefore, this calculation is affected by the exponent 2-bit block X [k] and is affected until the exponent is exhausted. This causes the final process to become large. This problem occurs because the index of the random number K used for data hiding changes. If the index of K does not change for each 2-bit processing, processing enlargement can be avoided.
This situation is the same in elliptic curve cryptography. Below, the outline | summary of the calculation process of elliptic curve cryptography is demonstrated.
In elliptic curve cryptography, for points P and Q on an elliptic curve (cubic curve) E defined on a finite field (algebraic system in which four arithmetic operations are defined between finite elements) F, A point P + Q on E which is the sum of is defined. Further, a point (infinity point) O corresponding to normal 0 (zero) is defined. That is, for any point P on E, there is only one point O such that P + O = O + P = P. Furthermore, for any point P on E, there is a point Q (written as -P) such that P + Q = O, and the entire point on E forms one additive group (Abelian group). To do. A value obtained by adding m P is written as mP, and for a negative number m, a value obtained by adding -m -P is written as mP. For m = 0, mP = 0 (infinity point). This is called a scalar multiplication of P. Currently, m is often an integer of about 160 bits.
The elliptic curve cryptography uses the fact that the problem of determining m when P and Q are given in the equation mP = Q (discrete logarithm problem on an elliptic curve) requires a lot of computation time. Key encryption.
The main body of the cryptographic process is the calculation of a scalar multiple mP of the appropriate point P of E. The addition chain algorithm used for RSA encryption processing can also be applied to this calculation. FIG. 20 shows a modification of the addition chain algorithm in which the RSA cipher exponent of 2 bits is used as a processing unit, so as to perform scalar multiplication in the elliptic curve cipher processing, following the previous examples.
As can be easily understood, the difference between the processing of FIG. 13 and the processing of FIG. 20 is only the difference in data and the operation between them. That is,
A * B mod N
Corresponds to A + B (addition on an elliptic curve) and 1 corresponds to O (point at infinity).
This indicates that the addition chain algorithm is more general regardless of the type of operation.
Therefore, even in the scalar multiplication process in elliptic curve cryptography, the same security problem as in the RSA cipher, that is, the problem of receiving an attack (tamper) occurs. Further, among the processes for concealing elliptic curve encryption data, the following (Method B), which is similar to (Method A) in the RSA encryption process, also causes a problem of an increase in calculation amount.
(Method B) is a process of performing scalar multiplication (m + K) P using m + K (K is a random number) instead of m, and finally adding -KP. In this (Method B) as well as (Method A), there is a problem that the amount of calculation increases.
That is, the process for obtaining -KP requires the same processing time as that for calculating mP if K has a bit length equal to or greater than m. The reason why K needs a bit length equal to or larger than m is that if m is smaller than K (for example, half the length), the upper part of m is almost the same raw value. This is because it will be processed.
The calculations given here are merely examples, and there are other conventional methods for hiding various data. Although the explanation is omitted, the same problem occurs in both cases.
The present inventor has found that if the inverse transformation is sequentially performed, the processing becomes light and the relation between the power consumption and the internal processing can be reduced. In this method, since the data format does not change before and after the unit processing, it is transformed into something different from the original data as in the conventional (Method A) or (Method B), and finally the inverse transformation is performed. It is possible to avoid the enlargement of processing that occurs by carrying out collectively. The unit process corresponds to, for example, U in FIG.
The processing procedure of the present invention will be described below with reference to FIG. Now, with regard to A # B, which is performed using the signal A and the signal B when the desired operation is represented by #, a general operation used in many public key cryptography is as follows:
Y ^ X = Y # Y # ... # Y (X pieces)
And the format of A # B is included. The present invention is directed to such operations. In the calculation, it is assumed that the bit length of X is n, and processing using an addition chain method in units of J bits is employed. J is a non-negative integer.
In order to avoid complicated explanation, it is assumed that n is a multiple of J. In the following description, X divided from the higher order every J bits is expressed as X = (X [n / J] X [n / J−1]... X [k]... X [1]). (K = 1, 2,..., N / J-1, n / J)
In step S1, k = n / J,
In step S2, a signal W is determined based on the signal generated by the random number generation source,
In step S3, L = W. That is, the signal W is input to the L storage unit,
In step S4, L # L is calculated and written back to the storage unit of L again J times.
In step S5, a signal B [k] * W ^ ((2 ^ J) -1) uniquely determined based on X [k] and W
Against
A # B [k] #W ^ ((2 ^ J) -1)
, And execute the operation to write back to the storage unit of A again.
In step S6, 1 is subtracted from k.
In step S7, if k = 0, the process proceeds to step S7. If k> 0, the process returns to step S4 again.
In step S8, for the processing result T when k = 0,
T # W ^ (-1)
Is the output result S. However, W ^ (-1) is Y that satisfies W # Y = I.
Hereinafter, how the value of S changes by these series of processes will be described.
First, at step S3, L = W. By step S4, the value is
L = W ^ (2 ^ J)
It becomes. By step S5, the value of L is
W ^ (2 ^ J) #B [k] #W ^ (-(2 ^ J-1))
= B [k] #W
It becomes. At this stage, if k is not 0, the process returns to step S4 again by step S7. Similarly, through steps S4 and S5, the value of L is
B [k] ^ (2 ^ J) #W
It becomes. At this time, it is important that the value of L is multiplied by W before and after the unit processing and the value when W = I (unit element) is not broken. In the same way, before and after the unit processing,
“Intermediate result when W = I” #W
Will continue to be maintained. Since the value of W is unknown, the processing data remains unknown, and therefore it becomes difficult to illegally read internal information from the power consumption of the IC chip.
In other words, when the counter k that determines the value of k becomes 0 and the calculation from step S4 to step S7 is completed, the result is
Y ^ X # W
In this case, in step S8,
W ^ (-1) mod N
By multiplying by, a desired value Y ^ X can be obtained. At this time, the processing necessary for correcting to a desired value is step S8, and there is no need for heavy correction processing of multiplying W ^ (− X) as in the conventional (method A). .
The order of X to be picked up is n / J in the above description, but this may be reversed from 1 or the number may be changed by 2. Therefore, the above expression of X is amended using h for simply representing the order, and k is changed from h as X = (X [h] X [h−1]... X [k]... X [1]). It can be determined in order.

  FIG. 1 is a flowchart for explaining the procedure executed by the information processing apparatus according to the present invention, FIG. 2 is a block diagram for explaining the information processing apparatus of the present invention, and FIG. FIG. 4 is a block diagram for explaining an example of a random number generator, FIG. 4 is a flowchart for explaining pre-processing of the first embodiment of the present invention, and FIG. 5 is a diagram showing the first embodiment. FIG. 6 is a flowchart for explaining an example raised remainder calculation unit, FIG. 6 is a flowchart for explaining a correction processing unit of the first embodiment, and FIG. 7 is a second flowchart of the present invention. FIG. 8 is a flowchart for explaining a pre-processing unit of the embodiment, FIG. 8 is a flowchart for explaining a scalar multiplication processing unit of the second embodiment, and FIG. 9 is a flowchart of the second embodiment. FIG. 10 is a flowchart for explaining a correction processing unit, FIG. FIG. 11 is a plan view for explaining an overview of an IC card and various terminals, FIG. 11 is a configuration diagram for explaining an example of a conventional information processing apparatus, and FIG. 12 is a diagram of power consumption by data. FIG. 13 is a flow chart for explaining an example of RSA decoding by an addition chain method, and FIG. 14 is a flowchart of pre-processing of conventional tamper-resistant RSA decoding. FIG. 15 is a flowchart for explaining an example of a power-residue calculating unit of conventional tamper resistant RSA decoding, and FIG. 16 is a flowchart of conventional tamper resistant decoding processing. FIG. 17 is a flowchart for explaining an example of a power residue calculation unit for a random number K, and FIG. 17 is a flowchart for explaining an example of a correction processing unit of a conventional tamper resistant decoding process. FIG. 18 is another flowchart for explaining an example of the prior process of the conventional tamper-resistant decoding process, and FIG. 19 shows the power residue calculation unit and the random number K of the conventional tamper-resistant decoding process FIG. 20 is another flowchart for explaining an example of the power-residue calculating unit, and FIG. 20 is a flowchart for explaining another conventional tamper resistant encryption process.

Hereinafter, the tamper resistant information processing apparatus according to the present invention will be described in more detail with reference to the embodiments shown in the drawings.
The configuration of the information processing apparatus of this embodiment is shown in FIG. In the figure, 201 is a CPU (central processing unit) that performs logical operations and arithmetic operations, 204 is a storage device (MEM) that includes a program storage unit (PS) 205 and a data storage unit (DS) 206, 207 Is an input / output port (I / O) that communicates with a reader / writer (not shown), 202 is an encryption process itself or a coprocessor (COPRO) that performs operations necessary for the encryption process at high speed, and 208 is a random number generator. A random number generator (RNG) 203 serving as a source indicates a data bus that interconnects the devices. Each of the above devices is built in the IC chip.
The CPU 201 and the coprocessor 202 execute the following cryptographic processing steps according to the cryptographic processing program stored in the program storage unit 205.
The configuration of the random number generator 208 is shown in FIG. In FIG. 3, 1402 is a resistor having one terminal grounded, 1407 is an amplifier (op amp) having an input terminal connected to the other terminal of the resistor 1402, 1404 is an input connecting the output terminal of the amplifier 1407 The comparator has a terminal 1406 and an input terminal 1403 for inputting a reference power supply.
The other input terminal of the amplifier 1407 is grounded. The potential of the reference power supply is fixed to Vth, and the comparator 1404 compares the potential of the terminal 1406 with Vth. When the potential of the terminal 1406 is higher than Vth, 1 is output from the output terminal 1405. If it is low, 0 is output. An output signal from the output terminal 1405 is supplied to the bus 203.
The resistor 1402 fluctuates due to heat and generates thermal noise whose amplitude change is random. The amplifier 1407 amplifies this, and the comparator 1404 compares the output potential with an appropriate potential Vth, thereby generating an unpredictable bit string.
The above information processing apparatus is mounted as an IC chip on a SIM module used in an IC card or a GSM mobile phone.
First, RSA encryption will be taken up as a first embodiment. In this embodiment, the operation # is
A # B = A * B mod N
It is configured by defining Here, the data A, B, and N are assumed to be positive integers of 1024 bits. The above A * B mod N means a remainder obtained by dividing the normal product of A and B by N. For example,
5 * 3 mod 7 = 1
It is.
The decryption operation of the RSA cipher is
Y ^ X mod N
It is executed by calculating Here, Y is a ciphertext, X is a secret exponent, and N is a public modulus. The calculation is
Y ^ X = Y # Y # ... # Y (X pieces)
As done.
The attacker's target is X. X is assumed to be n = 1024 bits, and the operation is processed by an addition chain method in units of 2 bits, that is, J = 2. In the following, X divided from the upper 2 bits is expressed as X = (X [512] X [511]... X [1]).
In this embodiment, coprocessor 202 calculates A * B mod N. The coprocessor has registers A, B, and N in the data storage unit 206, calculates A * B mod N, and stores the result in the A register again. In general, since A, B, and N are large integers of about 1024 bits, it takes time to calculate A * B mod N. Therefore, a dedicated coprocessor is usually prepared.
In the following description, the register size of the CPU is 32 bits.
The present invention will be described with reference to FIGS. 4, 5, and 6. FIG. First, the process of the flowchart shown in FIG. 4 is started. The processing in step 1501 corresponds to step S2 described above, and the built-in random number generator 208 generates a random number W. It is assumed that W is smaller than N and is relatively prime to N. In RSA cryptography, N is a product of large prime numbers P and Q (both have a bit length approximately half that of N), so if W is smaller than the smaller of P and Q, it is certain. Are prime to each other. Here, W is set to 32 bits or less in consideration of high-speed processing. The present invention is not limited to 32 bits, and other values such as 64 bits, 16 bits, and 8 bits can be adopted.
Here, for the RSA encryption process, Y0, Y1, Y2, and Y3 used in the operation corresponding to step S5 are calculated as follows using a coprocessor 202 having registers A and B as a pre-process.
In step 1502,
M = W ^ (-1) mod N
Is calculated. This calculation is performed by using an extended Euclidean algorithm (see, for example, page 67 (Algorithm 2.107) of Document 3). The calculation for obtaining M is mathematically an indefinite equation (Diofontas equation) M * W−H * N = 1
Is equivalent to finding M.
At this time, since W is 32 bits and is much smaller than the number of bits of N (1024 bits), the first step in the extended Euclidean algorithm algorithm, that is, the stage where N is divided by W is performed. , N divided by W becomes 32 bits or less. Therefore, if the first step can be executed at high speed, the subsequent processing is light. As is well known, a method for speeding up the first step is a separation method (Non Restoring Method), which is adopted in this embodiment. In this method, subtraction, which is an intermediate process of division, is calculated regardless of whether it is positive or negative, and finally the value is adjusted.
Next, in step 1503,
W ^ (-3) mod N = M ^ 3 mod N
Is calculated. Specifically, M is stored in the A register, and the coprocessor 202 is used.
A * A mod N
And then stores M in the B register and the coprocessor 202
A * B mod N
Is executed, W (−3) mod N is stored in the A register. This is subsequently transferred to the RAM area of the data storage unit 206. This is Y0 in step 1504.
Next, Y0 is stored in the B register, and A * B mod N is executed, so that Y1 = Y * W ^ (− 3) mod N in the A register.
The value of is stored. This value is transferred to the RAM area (an area not overlapping with Y0).
Next, by executing A * B mod N again,
Y2 = Y ^ 2 * W ^ (-3) mod N
Is stored. This value is transferred to the RAM area (not overlapping with Y0 and Y1).
Next, by executing A * B mod N again,
Y3 = Y ^ 3 mod N
Is stored. This value is transferred to the RAM area (not overlapping Y0, Y1, Y2). As a result, the processing in step 1504 is completed, and all the values of Y0 to Y3 are obtained.
The processing in step 1505 initializes the counter to k = 512, and corresponds to step S1.
Next, in step 1506, the random number W is stored in the A register (corresponding to step S3). Then, the process proceeds to FIG.
In step 1601, first, it is checked whether or not the value of the counter k is 0 (corresponding to step S6). If k is not 0, the value of the A register is raised to the fourth power by steps 1602 and 1603 corresponding to step S4.
Next, in steps 1604, 1605, 1606, 1607, one of Y0 to Y3 is selected according to the value of the 2-bit block X [k] of the index X. In steps 1608, 1609, 1610, 1611, This is transferred to the B register. Subsequently, in step 1612 A * B mod N is calculated. Steps 1604 to 1612 correspond to step S5.
Next, 1 is subtracted from k (step 1613 corresponding to step S6). Then, the process returns to step 1601 and the same process is continued until the value of the counter k becomes zero. When the value of the counter k becomes 0, the process proceeds to FIG.
The process in FIG. 6 is a correction process corresponding to step S7, where M is stored in the B register (step 1701), A * B mod N is calculated, and the result is stored in the A register (step 1702). .
This process
Y ^ X * W * M mod N
= Y ^ X * W * W ^ (-1) mod N
= Y ^ X mod N
Thus, a desired result is obtained.
In the process shown in FIG. 5, since random numbers are multiplied by all data, it is difficult to extract secret information from the outside based on the power consumption of the IC chip. Further, in the course of the process shown in FIG. 6, there is no need for a heavy correction process of multiplying by W ^ (− X), which has been conventionally performed, so that the process is not enlarged and the process is speeded up. Is done. Although the case where the data length is 1024 bits has been dealt with here, it goes without saying that processing can be similarly performed in other cases.
Next, as a second embodiment, processing for elliptic curve cryptography will be taken up. Prior to explanation, elliptic curve cryptography will be described.
The elliptic curve represents (curve E) Y ^ 2 = a * X ^ 3 + b * X + c
A special element O called a point at infinity is added to a cubic curve having a standard form of However, (curve E) is selected so that it is non-singular, that is, the right side has no multiple roots. Here, a, b, and c are constants and are elements of the finite field F. X and Y are also elements of F, but these are variables.
A finite field is an algebraic system consisting of a finite number of elements and capable of four arithmetic operations. The simplest finite field is a prime field GF (P). Here, P is a prime number, and GF (P) is set as
GF (P) = {0, 1, 2,..., P-1}
It is.
The four arithmetic operations in GF (P) are
(Sum) A + B mod P
(Difference) A-B mod P
(Product) A * B mod P
(Quotient) A * B ^ (-1) mod P
It is. In the definition of (quotient), B is not 0.
Taking an irreducible nth-order polynomial Φ (Z) for a set consisting of all of the n-1th and lower order polynomials of Z having coefficients of elements of GF (P),
(Sum) A (Z) + B (Z) mod Φ (Z)
(Difference) A (Z) -B (Z) mod Φ (Z)
(Product) A (Z) * B (Z) mod Φ (Z)
(Quotient) A (Z) * B (Z) ^ (-1) mod Φ (Z)
The field that defines the four arithmetic operations is also a field, and its algebraic structure does not depend on how to select Φ (Z). This is called an nth-order extension of GF (P). In cryptographic processing, a prime field GF (P) and a characteristic 2 Galois field GF (2 ^ n) are often used from the standpoint of reducing the amount of calculation.
Taking two points R and S of (curve E), one straight line passing through R and S is determined (when R = S, a tangent is taken). Since (curve E) is a cubic curve, it always intersects at another point except when the straight line passing through R and S is parallel to the Y axis. Let this point be T, and the point at a symmetrical position with respect to the T and X axes is the sum of R and S.
R + S
It is written. When a straight line passing through R and S is parallel to the Y axis, R + S is assumed to be an infinite point O. A point V where R + V = O is called an inverse element of R and is represented by -R. Under such rules, the entire point of (curve E) constitutes an algebraic system called a commutative group, that is, a Mordell-Weil group of E.
The calculation of the sum on the elliptic curve is achieved by four arithmetic operations of X and Y [for example, Reference 6: "Introduction to Elliptic Curve Theory" published by Springer Fairlark Tokyo Publishing Company in 1994 (by JH Silverman and Tate) See Tsuneo Adachi et al.)].
In this embodiment, the operation # is
R # S = R + S (sum on elliptic curve E)
It is configured by defining Here, an elliptic curve defined on the prime field GF (P) is considered.
Elliptic curve cryptography is a scalar multiplication mR (m is an integer, P is an E point)
This is done by calculating The target of the attacker is an integer m. Assume that m is 160 bits, and processing is performed by an addition chain method in units of 2 bits. Hereinafter, X obtained by dividing X from the upper 2 bits is expressed as m = (m [80] m [79]... M [1]).
Also in this embodiment, as in the first embodiment, the random number generator 208 built in the IC chip is used and the coprocessor 202 for calculating A * B mod N is used. The coprocessor 202 can calculate the product and quotient on GF (P). The CPU 201 can easily process the sum and difference. Specifically, the operation
R1 (X1, Y1), R2 (X2, Y2)
Whereas
R1 + R2 = (X3, Y3)
Then,
X3 = H ^ 2-X1-X2 mod P
Y3 =-(H * X3 + Y2-H * X2) mod P
H = (Y2-Y1) * (X2-X1) ^ (-1) mod P
Can be written.
The present embodiment will be described with reference to FIGS. 7, 8, and 9. FIG. First, the process of FIG. 7 is started. In the process of Step 1801, the random number generator 208 generates random numbers W1 and W2. Let W = (W1, W2).
Next, in step 1802,
-W = (W1, P-W2)
Is calculated. The value of the calculation result is transferred to the RAM area of the data storage unit 206.
Next, in step 1803, -3W is calculated. This value is transferred to the RAM area (an area that does not overlap with -W).
In step 1804, the same process as in the RSA cipher is performed with the sum on the elliptic curve instead of the remainder multiplication.
R0 = 3W
R1 = R-3W
R2 = 2R-3W
R3 = 3R-3W
And a table storing these is created. These values are all arranged so as not to overlap each other.
The processing in step 1805 is to initialize the counter to k = 80.
Next, W is stored in the area S on the RAM (step 1806), and the process proceeds to FIG.
In step 1901, first, it is checked whether or not the value of the counter k is zero. If k is not 0, the 4th point of S is calculated in steps 1902 and 1903.
Next, in steps 1904, 1905, 1906 and 1907, one of R0 to R3 is selected according to the value of the 2-bit block m [k] of m, and in steps 1908, 1909, 1910 and 1911, S + (Any of R0 to R3) is calculated.
Next, 1 is subtracted from k (step 1912). Then, the process again proceeds to step 1901 and the same process is continued until the value of the counter k becomes zero.
When the value of the counter k becomes 0, the processing moves to the processing shown in FIG.
The process shown in FIG. 9 is a correction process, SW is calculated, and the resulting value is stored in the S register (step 2001).
This process
mR + W-W = mR
Thus, a desired result is obtained.
In the process up to FIG. 9, since random numbers are added to all data, it is difficult to extract secret information from the outside based on the power consumption of the IC chip. Furthermore, in the course of the process shown in FIG. 9, there is no need for a heavy correction process of multiplying W ^ (-X), which has been performed in the prior art. Is done.
The two embodiments described above are essentially obtained by simply replacing the meaning of the operation #, and needless to say, it can be generalized.
According to the present invention, it is possible to provide a tamper resistant information processing apparatus such as an IC card that can maintain high security without enlarging processing.

  The present invention is used to safely protect information held in an IC chip used in an IC card, a GSM mobile phone, or the like.

Claims (11)

A signal input unit for inputting a signal, a storage unit for storing a processing program, a storage unit for storing data being processed, a random number generator for generating a random number signal, and the signal input unit according to the processing program A calculation unit that performs predetermined data processing on the received signal, and a signal output unit that outputs a signal of the processing result,
The processing program stored in the storage unit is related to the operation A # B performed with the signal A and the signal B when the desired operation is represented by #, and given integer sequences X [h], X [H-1], ..., X [k], ..., X [1] (where h is an integer),
The processing program is stored in the arithmetic unit.
a first procedure for k = h;
A second procedure for determining a signal W based on a random number signal generated by the random number generator;
A third procedure for storing W in the storage unit of L, where L = W;
A fourth step of calculating L # L and writing back to the storage unit of L again J times (where J is a non-negative integer);
For a signal B [k] #W ^ ((2 ^ J) -1) uniquely determined based on X [k] and W, L # B [k] #W ^ ((2 ^ J)- 5) to calculate 1) and execute the operation of writing back to the storage unit of L again;
a sixth procedure for subtracting 1 from k;
If k> 0, the process returns to the fourth procedure, and if k = 0, the seventh procedure for outputting the processing result T;
An information processing apparatus that causes the processing result T to execute an eighth procedure in which T # W ^ (-1) is an output result S. The operation A # B is an integer operation # of remainder multiplication.
A # B = A * B mod N
The information processing apparatus according to claim 1, wherein W is an integer that is relatively prime to N. 3. The information processing apparatus according to claim 2, wherein the calculation unit includes a central processing unit and a coprocessor, and the coprocessor executes the calculation A * B mod N. The information processing apparatus according to claim 2, wherein the number of bits of W is 8, 16, 32, or 64. 2. The information processing apparatus according to claim 1, wherein the operation A # B is a sum operation of a Mordell-Weil group on an algebraic curve E defined on a finite field. 6. The information processing apparatus according to claim 5, wherein the finite group by the Model-Weil group is a prime field GF (P) (P is a prime number). 6. The information processing apparatus according to claim 5, wherein the finite group by the Model-Weil group is a Galois field GF (2 ^ n) (n is a positive integer) having a Galois characteristic 2. An IC card comprising the information processing apparatus according to claim 2 mounted thereon. An IC card comprising the information processing apparatus according to claim 5 mounted thereon. A SIM module in a GSM mobile phone, wherein the information processing device according to claim 2 is mounted. A SIM module in a GSM mobile phone, wherein the information processing apparatus according to claim 5 is mounted.

Images