WO2002086846A1 - Enciphering / deciphering device, enciphering / deciphering method, data enciphering method, and ic card - Google Patents


Info

Publication number
WO2002086846A1
Authority
WO
WIPO (PCT)
Prior art keywords
data
circuit
transposition
signal
output
Application number
PCT/JP2002/002064
Inventor
Masatoshi Takahashi
Original Assignee
Renesas Technology Corp.
Hitachi Ulsi Systems Co., Ltd.
Application filed by Renesas Technology Corp., Hitachi Ulsi Systems Co., Ltd.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0618 Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H04L9/0625 Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation with splitting of the data block into left and right halves, e.g. Feistel based algorithms, DES, FEAL, IDEA or KASUMI
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/002 Countermeasures against attacks on cryptographic mechanisms
    • H04L9/003 Countermeasures against attacks on cryptographic mechanisms for power analysis, e.g. differential power analysis [DPA] or simple power analysis [SPA]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/08 Randomization, e.g. dummy operations or using noise
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/12 Details relating to cryptographic hardware or logic circuitry
    • H04L2209/125 Parallelization or pipelining, e.g. for accelerating processing of cryptographic operations

Definitions

  • Encryption / decryption device, encryption / decryption method, data encryption method, and IC card
  • the present invention relates to an encryption / decryption device, an encryption / decryption method, a data encryption method, and an IC card.
  • a cryptographic key including a CPU and memory like a chip microcomputer
  • DES Data Encryption Standard
  • IP transposition (replacement of signals)
  • data is divided into upper and lower 32 bits each, and transposition and substitution processing is repeated 16 times. Finally, the upper and lower 32-bit data are combined and a transposition called IP-1 is performed to obtain the ciphertext.
  • IP transposition and substitution processing
  • IP-1 permutation
  • key scheduling differs between encryption and decryption. The details of the key scheduling part are omitted, but 48-bit key scheduling data is output to each stage based on the key data.
  • the normal DES algorithm always performs the same internal operation on the same plaintext.
  • Easy statistical processing by DPA (Differential Power Analysis)
  • the current consumption waveform is statistically processed to estimate the encryption key. This process is repeated while changing the encryption key in various ways, and when the key is correct, the current waveform shows a large peak.
  • Japanese Patent Application Laid-Open No. 2000-066585 discloses an example of a countermeasure against the above-mentioned DES decoding by DPA. According to the technology described in this publication, a pair consisting of a mask pattern a and its bit-inverted mask pattern is provided, and each time encryption is performed, one of the pair is randomly selected by a switch, the bits inside the device that depend on the plaintext are masked, and the effect of the mask a is removed from the ciphertext before the ciphertext is output.
  • the original data is masked, and the mask is released immediately before inputting to each S box.
  • when this mask is released, there is a possibility that the data will be decrypted by DPA, so the mask is released immediately before input to S box, input to S box with original data after unmasking, and mask of output from S box
  • the operation is calculated in advance, stored as a table, and the calculation result is obtained by referring to the table. Therefore, neither the exclusive OR for releasing the mask nor the exclusive OR for applying the mask is calculated, and it is explained that decryption by DPA can thus be made impossible.
  • the calculation of the exclusive OR is stored in advance as a table, and the bits corresponding to the original data are set in order to sufficiently exert the function of the mask. Since the number of combinations is enormous, the circuit size of the table (storage circuit) that stores the operation results corresponding to the masks composed of such enormous combinations becomes large.
  • the present invention aims to provide an encryption / decryption device, an encryption / decryption method, and an IC card that realize stable security enhancement with a simple configuration.
  • the input selection circuit randomly fetches either the non-inverted data corresponding to the processing unit data of the plaintext data or the ciphertext, or the inverted data of all its bits.
  • the data passed through the input selection circuit is transmitted to the positive scramble circuit, which performs transposition and substitution processing corresponding to the non-inverted data, and to the negative scramble circuit, which performs transposition and substitution processing corresponding to the inverted data.
  • the output selection circuit takes out one of the output signals transposed and substituted by the positive scramble circuit or the negative scramble circuit in accordance with the selection operation of the input selection circuit. The transposition and substitution in the positive scramble circuit and the negative scramble circuit are performed multiple times, and the output circuit finally transposes the result to obtain ciphertext or plaintext data.
  • Either the non-inverted data corresponding to the processing unit data of the plaintext data or the ciphertext, or the inverted data of all its bits, is taken in at random.
  • Positive scramble signal processing, which performs transposition and substitution processing corresponding to the non-inverted data, and negative scramble signal processing, which performs transposition and substitution processing corresponding to the inverted data, are performed in parallel, and one of the corresponding output signals is taken out in accordance with the data selection in the first signal processing.
  • the extraction operation is performed a plurality of times, and the result of the last transposition / substitution is used as encrypted data or decrypted data.
  • FIG. 1 is a schematic block diagram showing an embodiment of an encryption / decryption device, an encryption / decryption method, and a DES encryption coprocessor adapted to an IC card according to the present invention
  • FIG. 2 is a configuration diagram for explaining the algorithm of the DES encryption used in the present invention.
  • FIG. 3 is a block diagram for explaining the operation part in the algorithm of the DES encryption used in the present invention.
  • FIG. 4 is a configuration diagram for explaining the inside of SBOX in the algorithm of the DES encryption used in the present invention.
  • FIG. 5 is an explanatory diagram of an example of S1 in how to create SBOX in the algorithm of the DES encryption used in the present invention
  • FIG. 6 is an explanatory diagram for logically explaining how to make the SBOX according to the present invention using S1 as an example.
  • FIG. 7 is an explanatory diagram for logically explaining another example of how to make the SBOX according to the present invention, taking S1 as an example
  • FIG. 8 shows an embodiment of the basic structure (transposed part of plaintext transposition) for explaining the encryption / decryption device and the encryption / decryption method according to the present invention.
  • FIG. 9 is a block diagram for explaining another embodiment of the encryption / decryption device and the input selection circuit in the encryption / decryption method according to the present invention.
  • FIG. 10 is a block diagram for explaining the data flow of the operation / data inversion portion in the encryption / decryption device and the encryption / decryption method according to the present invention
  • FIG. 11 is a block diagram for explaining the data flow of the SBOX output selection part in the encryption / decryption device and the encryption / decryption method according to the present invention
  • FIG. 12 is a block diagram showing an embodiment of an encryption / decryption device and a circuit for forming a selection signal for inversion / non-inversion of data in an encryption / decryption method according to the present invention.
  • FIG. 13 is a block diagram showing one embodiment of a 0/1 ratio correction circuit used in the present invention.
  • FIG. 14 is an external view showing an embodiment of the IC card according to the present invention.
  • FIG. 15 is a schematic block diagram showing an embodiment of an IC card chip (microcomputer) mounted on the IC card according to the present invention.
  • FIG. 1 shows an outline of an embodiment of an encryption / decryption device, an encryption / decryption method, and a DES encryption coprocessor adapted to an IC card according to the present invention.
  • An internal operation signal 3 is obtained by adding a 1-bit sign bit 2 to a plaintext signal (data) 1 in the DES encryption coprocessor.
  • the sign bit is "0"
  • the plaintext signal indicates positive (the signal value is the plaintext value itself).
  • the sign bit is "1"
  • all bits of the internal operation signal are inverted by exclusive OR 5 with the inversion random number signal 4 for each operation.
  • Two types of scramble circuits, 6 for the positive signal and 7 for the negative signal, are provided separately, and the output signal of either the positive circuit 6 or the negative circuit 7 is selected using the selector 8 according to the value of the sign bit 2. After 16 repetitive operations in such a circuit, an exclusive OR 9 is placed before the output of the encrypted data, and if the sign bit 2 is "1", the encrypted data is inverted.
  • FIG. 2 is a configuration diagram for explaining an algorithm of the DES encryption, which is an encryption method processed by the present cryptographic coprocessor.
  • the DES encryption / decryption operation uses 64 bits of plaintext (data to be encrypted).
  • the DES algorithm can be roughly divided into plaintext data flow and key data flow.
  • in the plaintext data flow, after performing the initial transposition (signal exchange) called IP, the data is divided into upper and lower 32 bits each, and the transposition and substitution processing shown in Fig. 3 is repeated 16 times. Finally, the upper and lower 32-bit data are combined and a transposition called IP-1 is performed to obtain the ciphertext.
  • DES encryption and decryption can be realized by the same process.
  • key scheduling differs between encryption and decryption.
  • the 16-time repetition operation shown in Fig. 3 consists of transposition, exclusive OR operation, and substitution processing called SBOX.
  • SBOX is a 48-bit input and 32-bit output conversion process based on a conversion table.
  • the conversion table of SBOX is defined in FIPS-46, ANSI-80, and ISO.
  • the inside of the SBOX is divided into eight substitution processing sections S1 to S8. Each substitution process is 6 bits input and 4 bits output.
  • DPA attack is an analysis method that estimates the value of the encryption key from the current consumption waveform of the chip.
  • the attacker first gives the chip plaintext data and measures the current consumption waveform when processing the data. Next, assuming (part of) the value of the secret key stored in the chip, the prediction of the change in the signal line of interest (a slight increase in the current consumption) is applied to the actual current consumption waveform. If the assumed key is correct, the increase in current consumption will be amplified and peaked.
  • DES encryption is an algorithm originally designed to be easily implemented in hardware. Therefore, when designing hardware for DES encryption, all products have a similar internal structure. This facilitates analysis with DPA.
  • SBOX has different conversion tables for inverted data and non-inverted data
  • SBOX is prepared.
  • the sign bit selects whether to use SBOX or SBOX-BAR. In other words, the output signal of one of the two SBOX and SBOX-BAR is taken out as valid.
  • Fig. 5 shows the substitution structure of S1 based on the DES standard.
  • the horizontal direction is a number represented by 4 bits out of the 6 input bits (0 to 15)
  • the vertical direction is the remaining 2 bits of input (0 to 3)
  • the written number represents the 4-bit output (0 to 15) for that input.
  • the inverted data S1 BAR is logically created by inverting both the input and output of S1 as shown in Fig. 6 (b).
  • Fig. 5 (b) shows the substitution of S1-BAR.
  • in FIG. 5 (a), “14” in the upper left represents the output value when the input is “000000”.
  • the S1-BAR entry corresponding to this output is “1”, the inverted version of “14”, in the lower right of FIG. 5 (b) (corresponding to the input “111111”).
  • FIG. 8 is a block diagram showing one embodiment of a basic structure (transposed part of plaintext transposition processing) for explaining the encryption / decryption device and the encryption / decryption method according to the present invention.
  • IP, IP-1 and key scheduling are the same as the basic algorithm of DES described with reference to FIGS. 2 to 4, and therefore description thereof is omitted.
  • the portion represented by A is a portion for randomly determining whether or not the operation data is inverted in FIG. 1, and the portion represented by B is a portion for selecting the outputs of the two SBOX.
  • an equivalent circuit can be formed by using an exclusive OR that commonly receives a 1-bit selection signal. That is, if the selection signal is logic 0, the 33-bit input data including the sign bit is output as it is, and if the selection signal is logic 1, the 33-bit input signal is inverted and output. Regardless of the case where the inverter circuit and the multiplexer are used as shown in FIG. 8 or the case where an exclusive OR circuit is used as shown in FIG. There is no big difference in choosing either one because it can be composed of the same circuit elements.
  • FIG. 10 is a block diagram for explaining the data flow of the operation data inversion portion.
  • FIG. 10 (a) shows the operation when the value of the selection signal, that is, the value of the random number signal for determining the inversion / non-inversion of the data is "0".
  • FIG. 10 (b) shows the operation when the selection signal is "1". If the data coming from the previous stage is M, when the selection signal is "0", as shown in FIG. 10 (a), M is selected as the data that enters the expanded transposition E. When the selection signal is "1", as shown in FIG. 10 (b), M-BAR (the inverted signal of M) is selected as the data that enters the expanded transposition E.
  • E(M-BAR) is equal to E(M)-BAR because the expanded transposition E is a signal reordering process.
  • the output of the expanded transposition E with respect to M is E(M) when the selection signal is “0”, and the inverted value of E(M) when the selection signal is “1”.
  • FIG. 11 is a block diagram for explaining the data flow of the SBOX output selection portion.
  • the output is selected by the sign bit of the data entering the SBOX.
  • in Fig. 11 (a), when the data input to the SBOX is X (sign bit = "0"), the output of the SBOX for non-inverted data is selected.
  • FIG. 12 is a block diagram showing one embodiment of a circuit for forming a selection signal for inverted / non-inverted data.
  • an asynchronous oscillation signal of a random number generator mounted on an IC card is used as a selection signal.
  • since the output of the asynchronous oscillation signal is biased by temperature and voltage, it is used after passing through the correction circuit. With the correction circuit, even if the asynchronous oscillation signal is biased toward 0 or 1, a signal with a 0/1 ratio close to 50% can be used as the selection signal.
  • FIG. 13 is a block diagram showing one embodiment of the 0/1 ratio correction circuit used in the present invention.
  • eight stages of shift registers are connected in a ring.
  • The exclusive OR of the output signal of the first stage circuit B1 of the shift register and the output signal of the last stage B8 is taken and used as the input signal.
  • the output signal of the second stage B2 is exclusive ORed with the output of the asynchronous oscillation signal supplied from the random number generator, and is used as the input signal of the third stage B3.
  • the information is sequentially transmitted from the third stage B3 to the last stage B8.
  • the output signal of the sixth stage B6 is used as the selection signal.
  • when the bits stored in the shift registers B2 to B8 successively have the same value, the bits are appropriately inverted by the exclusive OR process at B1, and even if the asynchronous oscillation signal from the random number generator is continuously biased to logic 0 or 1, the bits are appropriately inverted between shift stages B2 and B3, so that the occurrence ratio of logic 0 and logic 1 is corrected to 50% each.
  • the inversion / non-inversion selection signal that determines the DPA resistance.
  • the DPA measures the current consumption waveform when processing data and searches for peaks by a statistical method. Therefore, by setting the above 0/1 appearance ratio to 50%, the current consumption in the statistical processing is averaged and the peak disappears, so it becomes difficult to decode by such DPA.
  • a sign bit is added to the plaintext data so that it has both positive and negative states. Data is changed randomly for each code at the time of repeated operation in encryption.
  • Operations that are not affected by the sign are performed without regard to the sign.
  • operations that are affected by the sign (e.g., operations using a conversion table)
  • a positive operation circuit and a negative operation circuit are provided, and a mechanism is used to select the output of the operation circuit according to the data sign.
  • the cryptographic operation time does not increase.
  • FIG. 14 is an external view of an embodiment of an IC card to which the present invention is applied.
  • the IC card has a card 101 made of a plastic case, and an IC card chip consisting of a one-chip microcomputer (not shown) mounted inside the card 101.
  • the IC card further has a plurality of contacts (electrodes) 102 connected to external terminals of the IC card chip.
  • the plurality of contacts 102 are connected to a power supply terminal VCC, a power supply reference potential terminal VSS, a reset input terminal RES bar, a clock terminal CLK, and a data terminal I / 0-1 as described later with reference to FIG. / 1 RQ bar, I / O-2 / 1 RQ bar.
  • FIG. 15 is a schematic block diagram of one embodiment of an IC card chip (microcomputer) mounted on the IC card according to the present invention.
  • Each circuit block shown in the figure is formed on a single semiconductor substrate such as single crystal silicon by a known MOS integrated circuit manufacturing technique, although not particularly limited thereto.
  • the configuration of the IC card chip according to the present invention is basically the same as that of the microcomputer. It consists of a clock generation circuit, a central processing unit (hereinafter simply referred to as CPU), storage devices such as ROM (Read Only Memory), RAM (Random Access Memory), and non-volatile memory (EEPROM), a coprocessor that performs the operations of encryption and decryption processing (encryption / decryption device), input / output ports (I/O ports), etc.
  • CPU central processing unit
  • the clock generation circuit receives an external clock CLK supplied from a reader / writer (external coupling device) (not shown) via the contact 102 in FIG. 1, forms a system clock signal synchronized with the external clock signal, and supplies the system clock signal to the inside of the chip.
  • the CPU 201 is a device that performs a logical operation, an arithmetic operation, and the like, and controls a system control logic, a random number generator, a security logic, a timer, and the like.
  • Storage devices such as RAM, ROM, and EEPROM are devices for storing program data.
  • the coprocessor is composed of a circuit adapted to the DES encryption system as described above.
  • the I/O (input / output) port is a device that communicates with the reader / writer.
  • the data bus and the address bus are buses that interconnect each device.
  • the ROM is a memory in which stored contents are fixed in a nonvolatile manner, and is a memory mainly for storing programs.
  • Volatile memory (hereinafter referred to as RAM) is a memory in which stored information can be freely rewritten. However, when power supply is interrupted, the stored content is lost. If the IC card is removed from the reader / writer, the power supply will be interrupted, and the contents of the RAM will not be retained.
  • EEPROM Electrical Erasable Programmable Read Only Memory
  • This EEPROM is used to store data that needs to be rewritten and that should be retained even if the IC card is removed from the reader / writer. For example, when an IC card is used as a prepaid card, the frequency of the prepaid card is rewritten each time the card is used. In this case, the frequency and the like must be retained in the IC card even after it is removed from the reader / writer, so they are stored in the EEPROM.
  • the CPU is configured similarly to a so-called microprocessor. That is, although not shown in detail, it contains an instruction register, a micro instruction ROM that decodes the instructions written in the instruction register and forms various micro instructions or control signals, an arithmetic circuit, general-purpose registers (such as RG6), and input / output circuits such as a bus driver and a bus receiver connected to the internal bus BUS.
  • the CPU reads an instruction stored in a ROM or the like and performs an operation corresponding to the instruction.
  • the CPU fetches external data input via the I/O port, reads data such as instructions from ROM and fixed data necessary for executing instructions, and controls data writing and reading operations for RAM and EEPROM.
  • the CPU receives a system clock signal generated from a clock generation circuit and operates with an operation timing and a period determined by the system clock signal.
  • the main part of the CPU is composed of a CMOS circuit consisting of a P-channel MOSFET and an N-channel MOSFET.
  • the CPU includes CMOS static circuits capable of static operation, such as CMOS static flip-flops, and CMOS dynamic circuits that precharge a signal output node and output a signal to the signal output node in synchronization with the system clock signal.
  • the coprocessor adds a code bit to the plaintext data to be handled internally, so that it has both a positive / negative state.
  • Data is changed randomly for each code at the time of repeated operation in encryption.
  • Operations that are not affected by the sign (such as exclusive OR) are performed without regard to the sign.
  • Operations that are affected by the sign (such as operations using a conversion table)
  • An operation circuit for the positive and an operation circuit for the negative are prepared, and a mechanism is used to select the output of the operation circuit according to the sign of the data.
  • the IC card of this embodiment also employs a disturbance method in which the contents of internal processing differ each time a calculation is performed, while the time required for one calculation is the same as when no countermeasure is taken, so high-speed data processing is possible. Since the DPA countermeasures are incorporated in the hardware, there is no need for the CPU to perform extra operations for the DPA countermeasures, so that no extra load is imposed on the user.
  • the input selection circuit randomly fetches either the non-inverted data corresponding to the processing unit data of the plaintext data or the ciphertext, or the inverted data of all its bits.
  • the data passed through the input selection circuit is transmitted to the positive scramble circuit, which performs transposition and substitution processing corresponding to the non-inverted data, and to the negative scramble circuit, which performs transposition and substitution processing corresponding to the inverted data.
  • One of the output signals transposed / substituted by the positive scrambling circuit or the negative scrambling circuit is taken out by the output selection circuit in accordance with the selection operation of the input selection circuit, and the transposition / substitution in the positive scrambling circuit and the negative scrambling circuit is performed multiple times
  • a code bit is added to the plaintext data or ciphertext, and a randomly generated selection signal is supplied to the input selection circuit, and the signal including the code bit is not inverted.
  • the above sign bit is separated and the data is transposed / substituted by the positive scramble circuit and the negative scramble circuit, and the non-inverted data or the non-inverted data captured by the input select circuit by controlling the output select circuit using the separated code bits is controlled.
  • the IC card may include a single semiconductor integrated circuit device or a plurality of semiconductor integrated circuit devices.
  • the microcomputer on which the encryption / decryption device is mounted is not only formed on a single semiconductor integrated circuit device, but also includes a CPU and its peripheral circuits composed of multiple chips, mounted on a single module substrate. It may be made of.
  • the microcomputer may be of any type as long as it includes a data processing device and a ROM in which a data processing procedure by the data processing device is written, and performs a data input / output operation in accordance with the data processing procedure.
  • ROM read-only memory
  • the present invention can be widely used in various IC microcomputers requiring an encryption / decryption device, an encryption / decryption method, a data encryption method, and confidentiality protection.
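
The S1 / S1-BAR construction, the expanded transposition E and the sign-bit output selection described in the list above, modelled in software as an added example (not code from the patent). It covers only the S1 lane of one round; the function names and the choice of the top six expanded bits are assumptions made for illustration, and the S1 and E tables are the standard DES ones.

```python
import secrets

# DES S1 table from the DES standard: the row is chosen by the two outer
# input bits, the column by the four middle bits.
S1_ROWS = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

# DES expansion E: 32 bits in, 48 bits out, pure reordering and duplication.
E_TABLE = [
    32, 1, 2, 3, 4, 5, 4, 5, 6, 7, 8, 9,
    8, 9, 10, 11, 12, 13, 12, 13, 14, 15, 16, 17,
    16, 17, 18, 19, 20, 21, 20, 21, 22, 23, 24, 25,
    24, 25, 26, 27, 28, 29, 28, 29, 30, 31, 32, 1,
]

MASK32 = 0xFFFFFFFF


def s1(x):
    """Standard S1: 6-bit input, 4-bit output."""
    row = ((x >> 4) & 0b10) | (x & 1)
    col = (x >> 1) & 0xF
    return S1_ROWS[row][col]


def s1_bar(x):
    """S1-BAR: S1 with both its input and its output inverted."""
    return ~s1(~x & 0x3F) & 0xF


def expand(m):
    """Expanded transposition E on a 32-bit word (bit 1 is the MSB)."""
    out = 0
    for pos in E_TABLE:
        out = (out << 1) | ((m >> (32 - pos)) & 1)
    return out


def s1_lane(m, subkey, sign):
    """Hypothetical model of one round's S1 lane on the signed datapath.

    sign=1 means every bit on the internal bus is inverted. Returns the
    4-bit value on the S-box output bus, which carries the same sign.
    """
    bus = m ^ (MASK32 if sign else 0)      # input selection: invert or not
    keyed = expand(bus) ^ subkey           # sign-independent: ~a ^ k == ~(a ^ k)
    x = keyed >> 42                        # top 6 of the 48 bits feed S1
    positive, negative = s1(x), s1_bar(x)  # both circuits evaluate in parallel
    return negative if sign else positive  # output selection by the sign bit


def unsign(value, sign, width=4):
    """Final exclusive OR that removes the inversion when the sign is 1."""
    return value ^ (((1 << width) - 1) if sign else 0)


def reference_s1_lane(m, subkey):
    """Unprotected computation that the signed lane must agree with."""
    return s1((expand(m) ^ subkey) >> 42)


def expected_bus_weight(m, p_invert):
    """Expected number of 1 bits on the 32-bit bus when the data word is
    inverted with probability p_invert (the 0/1 ratio of the selection)."""
    hw = bin(m & MASK32).count("1")
    return (1 - p_invert) * hw + p_invert * (32 - hw)


def self_check(trials=1000):
    """Constructed random inputs: signed lane equals reference for both signs."""
    for _ in range(trials):
        m, k = secrets.randbits(32), secrets.randbits(48)
        ref = reference_s1_lane(m, k)
        for sign in (0, 1):
            if unsign(s1_lane(m, k, sign), sign) != ref:
                return False
    return True


if __name__ == "__main__":
    print("S1(000000) =", s1(0), " S1-BAR(111111) =", s1_bar(0x3F))
    print("signed lane matches reference:", self_check())
    for p in (0.5, 0.9):
        print(p, expected_bus_weight(0, p), expected_bus_weight(MASK32, p))
```

With `p_invert = 0.5` the expected bus weight is 16 for every data word, which is the averaging that the 0/1 ratio correction is meant to guarantee; any other ratio leaves a data-dependent residue.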

Abstract

A positive scramble signal processing in which either non-inverted data corresponding to processing unit data on plain or cipher text or the inverted data on all the bits are captured at random and is subjected to transposition/substitution corresponding to the non-inverted data and a negative scramble signal processing in which the transposition/substitution corresponding to the inverted data is carried out are conducted in parallel. The capturing of either of the output signals corresponding to the respective processings in response to the data selection in the first signal processing is repeated a plurality of times, and the results of the final transposition/substitution are used as ciphered or deciphered data.

Description

暗号化 ·復号化装置、 暗号化 ·復号化方法、 データの暗号化方法及び I cカード Encryption / decryption device, encryption / decryption method, data encryption method, and Ic card
技術分野 Technical field
この発明は、 暗号化'復号化装置、 暗号化'復号化方法、 データの暗 号化方法及び I Cカードに関し、特に I Cカードやプログラム内蔵の 1 明  The present invention relates to an encryption / decryption device, an encryption / decryption method, a data encryption method, and an IC card.
チップマイクロコンピュータのような C P Uとメモリを含み暗号鍵を使 田 Using a cryptographic key including a CPU and memory like a chip microcomputer
つたデータ処理を行なうものの機密保護技術に利用して有効な技術に関 するものである。 It is related to technologies that perform data processing but are effective for security technology.
背景技術 Background art
D E S (Data Encryption Standard) は、 広範に用いられている秘密 鍵ブロック暗号である。 D E Sのアルゴリズムは、 大きく平文のデ一夕 フローと鍵のデータフローに分割できる。 平文データフローでは、 I P とよばれる転置 (信号の入れ換え) を行った後、 上位と下位それぞれ 3 ビッ卜ずつにデータを分割し、転置 ·換字処理を 1 6回繰り返す。 最 後に上位と下位それぞれ 3 2ビットデータを統合し、 I P 1とよばれる 転置を行い、 暗号文を得る。 D E Sでは、 暗号化と復号化が同じ処理で 実現できる。 ただし暗号化と復号化では、鍵のスケジューリングが異な る。 鍵のスケジューリング部分について、詳細は省略するが、鍵データ を元に、 各段に対して 4 8ビット鍵スケジューリングデータの出力を行 。 DES (Data Encryption Standard) is a widely used secret key block cipher. The DES algorithm can be roughly divided into plaintext data flow and key data flow. In the plaintext data flow, after transposition (replacement of signals) called IP, data is divided into upper and lower 3 bits each, and transposition and substitution processing is repeated 16 times. Integrating upper and lower respectively 3 2-bit data to the end, performs permutation called IP 1, to obtain the ciphertext. With DES, encryption and decryption can be realized by the same process. However, key scheduling differs between encryption and decryption. The details of the key scheduling part are omitted, but 48-bit key scheduling data is output to each stage based on the key data.
The ordinary DES algorithm always performs the same internal operation for the same plaintext. As a result, the internal signals change depending on the input signal, which makes statistical processing by the DPA (Differential Power Analysis) method easy. That is, in the DPA method the current consumption waveform is statistically processed to estimate the encryption key: for example, an assumed encryption key is applied to a certain part of DES, and the current consumption waveform is measured and accumulated statistically while the plaintext is varied. This work is repeated while the assumed encryption key is varied, and when the key is correct the current waveform shows a large peak.
Japanese Patent Application Laid-Open No. 2000-066585 is an example of a countermeasure against the decryption of DES by DPA described above. In the technique described in this publication, a pair consisting of a mask pattern a and its bit-inverted mask pattern is provided. Each time encryption is performed, one of the pair is selected at random by a switch to mask the plaintext-dependent bits inside the device, and the influence of mask a is removed from the ciphertext before the ciphertext is output.
In the technique described in the above publication, the original data is masked and the mask is removed immediately before input to each S-box. Because the data could be decrypted by DPA at the moment the mask is removed, the unmasking immediately before the S-box input, the S-box lookup on the unmasked original data, and the masking of the S-box output are calculated in advance and stored as a table, and the result is obtained by table lookup. The publication explains that, since neither the exclusive-OR calculation for unmasking nor the exclusive-OR calculation for masking is ever performed, decryption by DPA can be made impossible.
However, in the technique of the above publication, the exclusive-OR calculations are stored in advance as a table. For the mask to work fully, it must consist of bits corresponding to the original data, and the number of combinations becomes enormous, so the circuit scale of the table (storage circuit) that stores the operation results for masks made up of such enormous combinations becomes large. In addition, although the publication explains that the mask must not be biased toward a specific pattern in order to prevent decryption by DPA, it gives no concrete description of how a multi-bit pattern can be kept unbiased, so the possibility of decryption by DPA remains.

Accordingly, an object of the present invention is to provide an encryption/decryption device, an encryption/decryption method, and an IC card that stably achieve enhanced security with a simple configuration. The above and other objects and novel features of the present invention will become apparent from the description in this specification and the accompanying drawings.

Disclosure of the invention
The following is a brief outline of a representative one of the inventions disclosed in the present application. An input selection circuit randomly takes in either the non-inverted data corresponding to a processing unit of plaintext data or ciphertext, or the data with all of its bits inverted. The data that has passed through the input selection circuit is supplied to a positive scramble circuit, which performs the transposition/substitution processing corresponding to the non-inverted data, and to a negative scramble circuit, which performs the transposition/substitution processing corresponding to the inverted data. An output selection circuit takes out one of the output signals transposed and substituted by the positive scramble circuit or the negative scramble circuit, in accordance with the selection made by the input selection circuit. An output circuit applies the final transposition to the result of the multiple rounds of transposition/substitution in the positive and negative scramble circuits to obtain the ciphertext or plaintext data.
The following is a brief outline of another representative one of the inventions disclosed in the present application. Either the non-inverted data corresponding to a processing unit of plaintext data or ciphertext, or the data with all of its bits inverted, is taken in at random. Positive scramble signal processing, which performs on that data the transposition/substitution processing corresponding to the non-inverted data, and negative scramble signal processing, which performs the transposition/substitution processing corresponding to the inverted data, are carried out in parallel. The operation of taking out one of the respective output signals, in accordance with the data selection in the first signal processing, is performed a plurality of times, and the result of the last transposition/substitution is used as the encrypted or decrypted data.

Brief description of the drawings
FIG. 1 is a schematic block diagram showing an embodiment of a DES encryption coprocessor adapted to the encryption/decryption device, encryption/decryption method, and IC card according to the present invention.
FIG. 2 is a configuration diagram for explaining the algorithm of the DES cipher used in the present invention.
FIG. 3 is a block diagram for explaining the operation part of the DES cipher algorithm used in the present invention.
FIG. 4 is a configuration diagram for explaining the inside of the SBOX in the DES cipher algorithm used in the present invention.
FIG. 5 is an explanatory diagram showing how the SBOX in the DES cipher algorithm used in the present invention is constructed, taking S1 as an example.
FIG. 6 is an explanatory diagram for logically explaining how the SBOX according to the present invention is constructed, taking S1 as an example.
FIG. 7 is an explanatory diagram for logically explaining another example of how the SBOX according to the present invention is constructed, taking S1 as an example.
FIG. 8 is a block diagram showing an embodiment of the basic structure (the plaintext transposition/substitution processing part) for explaining the encryption/decryption device and encryption/decryption method according to the present invention.
FIG. 9 is a block diagram for explaining another embodiment of the input selection circuit in the encryption/decryption device and encryption/decryption method according to the present invention.
FIG. 10 is a block diagram for explaining the data flow of the operation data inversion part in the encryption/decryption device and encryption/decryption method according to the present invention.
FIG. 11 is a block diagram for explaining the data flow of the SBOX output selection part in the encryption/decryption device and encryption/decryption method according to the present invention.
FIG. 12 is a block diagram showing an embodiment of a circuit that forms the selection signal for inversion/non-inversion of data in the encryption/decryption device and encryption/decryption method according to the present invention.
FIG. 13 is a block diagram showing an embodiment of the 0/1 ratio correction circuit used in the present invention.
FIG. 14 is an external view showing an embodiment of the IC card according to the present invention.
FIG. 15 is a schematic block diagram showing an embodiment of an IC card chip (microcomputer) mounted on the IC card according to the present invention.
Best mode for carrying out the invention
To describe the present invention in more detail, it is explained below with reference to the accompanying drawings.
FIG. 1 shows a schematic block diagram of an embodiment of a DES encryption coprocessor adapted to the encryption/decryption device, encryption/decryption method, and IC card according to the present invention. In this embodiment, a 1-bit sign bit 2 is added to the plaintext signal (data) 1 inside the DES encryption coprocessor to form the internal operation signal 3. When the sign bit is "0", the plaintext signal is positive (the signal value is the plaintext value itself). When the sign bit is "1", it is negative (the inverse of the signal value is the plaintext value). For each operation, the inversion random-number signal 4 is applied through the exclusive OR 5 to invert all bits of the internal operation signal, that is, the plaintext signal together with the sign bit.
Two kinds of scramble circuit are provided separately, one for positive signals (6) and one for negative signals (7), and the selector 8 selects between the output signals of the positive-signal circuit 6 and the negative-signal circuit 7 according to the value of the sign bit 2. After 16 repeated operations in this circuit, an exclusive OR 9 is placed before the output of the encrypted data, and if the sign bit 2 is "1" the encrypted data is inverted.
FIG. 2 shows a configuration diagram for explaining the algorithm of the DES cipher, which is the encryption scheme processed by this cryptographic coprocessor. The DES encryption/decryption operation is performed using a 64-bit plaintext (the data to be encrypted) or a 64-bit ciphertext, and a 56-bit key.
The DES algorithm can be broadly divided into a plaintext data flow and a key data flow. In the plaintext data flow, after the initial transposition (reordering of signals) called IP, the data is divided into upper and lower halves of 32 bits each, and the transposition/substitution processing shown in FIG. 3 is repeated 16 times. Finally, the upper and lower 32-bit data are combined and a transposition called IP⁻¹ is performed to obtain the ciphertext.
In DES, encryption and decryption can be realized by the same processing; however, the key scheduling differs between encryption and decryption. The details of the key scheduling part are omitted here, but 48-bit key scheduling data is output to each stage on the basis of the key data.

The operation part repeated 16 times, shown in FIG. 3, consists of transposition processing, an exclusive-OR operation, and substitution processing called the SBOX. The SBOX is a substitution process based on conversion tables, with a 48-bit input and a 32-bit output. The contents of the SBOX conversion tables are defined in FIPS-46, ANSI-80 and ISO. As shown in FIG. 4, the inside of the SBOX is divided into eight substitution processing sections, S1 to S8. Each substitution process has a 6-bit input and a 4-bit output.

The problem that arises when the DES algorithm described above is implemented in hardware as it is, is its weakness against current analysis by DPA (Differential Power Analysis). The DPA attack is an analysis method that estimates the value of the encryption key from the chip's current consumption waveform. In DPA, the attacker first gives plaintext data to the chip and measures the current consumption waveform while that data is processed. Next, assuming (part of) the value of the secret key held inside the chip, the attacker applies the predicted change of a signal line of interest (a minute increase in current consumption) to the measured current consumption waveforms. If the assumed key is correct, the increase in current consumption is amplified and appears as a peak. The DES cipher was originally designed as an algorithm that is easy to implement in hardware. For that reason, hardware designed for DES encryption processing ends up with a similar internal structure in every product, and this makes analysis by DPA easier.
One way to make analysis by DPA difficult is to change the internal data or the processing for each operation, as in Japanese Patent Application Laid-Open No. 2000-066585 mentioned above. The simplest way to change the internal data every time is to exclusive-OR the plaintext with some scrambling code. With this method, however, the value of the scramble code applied to the data changes every time a transposition is performed, so the value of the scramble code currently applied to the operation data has to be retained.

The present invention adopts a scheme in which it is decided at random whether or not to invert all bits of the operation data. With this scheme, the current state of the operation data (inverted/non-inverted) can be retained simply by attaching 1 bit of sign data to the operation data. The scheme is also unaffected by transposition and exclusive OR. Only the SBOX has different conversion tables for inverted and non-inverted data, so two kinds of SBOX are prepared: one for non-inverted data (the ordinary SBOX) and one for inverted data, added by the present application (SBOX-BAR). The sign bit selects which of SBOX and SBOX-BAR is used; that is, the output signal of one of the two, SBOX or SBOX-BAR, is taken out as valid.
How the above SBOX is constructed is explained below, taking S1 as an example. FIG. 5 shows the substitution structure of S1 based on the DES standard. In FIG. 5(a), the horizontal direction is the number (0 to 15) represented by 4 of the 6 input bits, the vertical direction is the number (0 to 3) represented by the remaining 2 input bits, and each entry is the 4-bit output (0 to 15) for that input. As shown in FIG. 6(b), S1-BAR for inverted data is logically created by inverting both the input and the output of S1. FIG. 5(b) shows the substitution structure of S1-BAR. The "14" at the upper left of FIG. 5(a) is the output value when the input is "000000". The S1-BAR entry corresponding to this output is the "1" at the lower right of FIG. 5(b) (corresponding to the input "111111"), which is the inverse of "14".
What is actually built into the coprocessor is the recalculated substitution structure shown in FIG. 5(b). In other words, the logic shown in FIG. 6(b), in which inverter circuits are placed on the input and output of the same SBOX as the one for non-inverted data in FIG. 6(a), is not used as it is.

As a modification of the present invention, it is also possible to use a pair of SBOXes based on substitution structures (tables) equivalent to an SBOX with an inverter circuit only on the input side, as shown in FIG. 7(a), or to an SBOX with an inverter circuit only on the output side, as shown in FIG. 7(b).
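The S1 / S1-BAR construction and the sign-bit output selection described above can be checked in a few lines. This is an added example, not code from the patent: the function names are hypothetical, S1 is the standard DES table, and using the Hamming weight of the carried value as a stand-in for current consumption is an assumption of the example.

```python
# Added illustration: the S1 / S1-BAR pair and sign-bit output selection.
# S1 is the standard DES table; every function name here is hypothetical.

S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def row_col(x):
    """Split a 6-bit S-box input: row = two outer bits, column = four middle bits."""
    return ((x >> 4) & 0b10) | (x & 1), (x >> 1) & 0xF


def s1(x):
    """Ordinary S1 for non-inverted data (6 bits in, 4 bits out)."""
    row, col = row_col(x)
    return S1[row][col]


def build_s1_bar():
    """Recompute the table for inverted data: S1_BAR(x) = NOT S1(NOT x)."""
    bar = [[0] * 16 for _ in range(4)]
    for x in range(64):
        row, col = row_col(x)
        bar[row][col] = ~s1(~x & 0x3F) & 0xF
    return bar


S1_BAR = build_s1_bar()


def s1_bar(x):
    """S1-BAR lookup in the recomputed table; no inverters at run time."""
    row, col = row_col(x)
    return S1_BAR[row][col]


def masked_s1_stage(e_chunk, key_chunk, sign):
    """One S1 lookup on data carried with a sign bit.

    e_chunk is the true 6-bit value; with sign == 1 it travels inverted.
    The key XOR leaves the sign unchanged, and the sign selects which
    S-box output is taken. The result is still carried with that sign.
    """
    carried = e_chunk ^ (0x3F if sign else 0)
    sbox_in = carried ^ key_chunk
    return s1_bar(sbox_in) if sign else s1(sbox_in)


def unmask(value, sign):
    """Recover the true 4-bit value from the carried value and its sign."""
    return value ^ (0xF if sign else 0)


def selection_is_consistent():
    """Both signs must give the plain S1 result for every input and key chunk."""
    for e in range(64):
        for k in range(64):
            expected = s1(e ^ k)
            for sign in (0, 1):
                if unmask(masked_s1_stage(e, k, sign), sign) != expected:
                    return False
    return True


def mean_hamming_weight(e_chunk, key_chunk):
    """Average number of 1 bits on the S-box output wires over both signs.

    Assumption of this example: Hamming weight approximates current draw.
    """
    weights = [bin(masked_s1_stage(e_chunk, key_chunk, s)).count("1")
               for s in (0, 1)]
    return sum(weights) / 2


if __name__ == "__main__":
    print("S1(000000) =", s1(0b000000))
    print("S1-BAR(111111) =", s1_bar(0b111111))
    print("selection consistent:", selection_is_consistent())
    print("mean Hamming weight for (e=5, k=9):", mean_hamming_weight(5, 9))
```

With the sign chosen 0 or 1 equally often, the mean Hamming weight on the four output wires is the same for every data and key value, which is why the balance of the selection signal matters for this scheme.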
FIG. 8 shows a block diagram of an embodiment of the basic structure (the plaintext transposition/substitution processing part) for explaining the encryption/decryption device and encryption/decryption method according to the present invention. IP, IP⁻¹ and the key scheduling part are the same as in the basic DES algorithm described with reference to FIGS. 2 to 4, so their description is omitted. In FIG. 8, the part marked A is the part that, as in FIG. 1, decides at random whether or not to invert the operation data, and the part marked B is the part that selects between the outputs of the two SBOXes.

In FIG. 8, part A is drawn so that a multiplexer controlled by the selection signal outputs either the input signal or its inverse obtained through an inverter circuit, but an equivalent circuit can also be built from exclusive-OR gates that receive a common 1-bit selection signal, as shown in FIG. 9. That is, the 33-bit input data including the sign bit is output as it is if the selection signal is logic 0, and is inverted and output if the selection signal is logic 1. Whether an inverter circuit and multiplexer are used as in FIG. 8, or exclusive-OR circuits are used as in FIG. 9, the circuit can basically be built from almost the same circuit elements when implemented with MOSFETs, so there is no great difference whichever is chosen.
FIG. 10 shows a block diagram for explaining the data flow of the operation data inversion part. FIG. 10(a) shows the operation when the selection signal, that is, the random-number signal that decides inversion/non-inversion of the data, is "0". FIG. 10(b) shows the operation when the selection signal is "1". Let M be the data coming from the preceding stage. When the selection signal is "0", M is selected as the data entering the expansion transposition E, as shown in FIG. 10(a). When the selection signal is "1", MB is selected as the data entering the expansion transposition E, as shown in FIG. 10(b) (the B stands for the overbar that denotes an inverted signal in FIG. 10(b)). The outputs of the expansion transposition E are E(M) and E(MB), respectively. Because the expansion transposition E is a reordering of signals, E(MB) is equal to E(M)B. In the end, the output of the expansion transposition E for M is E(M) when the selection signal is "0", and the inverse of E(M) when the selection signal is "1".
FIG. 11 shows a block diagram for explaining the data flow of the SBOX output selection part. The output is selected by the sign bit of the data entering the SBOX. As shown in FIG. 11(a), when the data input to the SBOX is X (sign signal = "0"), the output of the SBOX for non-inverted data is selected. As shown in FIG. 11(b), when the input signal is XB (the inverse of X, sign signal = "1"), the output of SBOX-BAR for inverted data is selected.
FIG. 12 shows a block diagram of an embodiment of a circuit that forms the selection signal for inversion/non-inversion of data. In this embodiment, the asynchronous oscillation signal of the random number generator mounted on the IC card is used as the selection signal. However, because the output of the asynchronous oscillation signal becomes biased depending on temperature and voltage, it is used after passing through a correction circuit. With the correction circuit, a signal whose 0/1 ratio is close to 50% can be used as the selection signal even when the asynchronous oscillation signal is stuck at 0 or 1.
FIG. 13 shows a block diagram of an embodiment of the 0/1 ratio correction circuit used in the present invention. In this embodiment, an 8-stage shift register is connected in a ring. The input signal of the first stage B1 of the shift register is the exclusive OR of its own output signal and the output signal of the last stage B8. The output signal of the second stage B2 is exclusive-ORed with the asynchronous oscillation signal supplied from the random number generator to form the input signal of the third stage B3. From the third stage B3 to the last stage B8 the signal is passed on in sequence. Although not particularly limited to this, the output signal of the sixth stage B6 is used as the selection signal.
In this embodiment, when the bits stored in shift stages B2 to B8 take the same value consecutively, they are inverted as appropriate by the exclusive-OR processing at B1; and even when the asynchronous oscillation signal from the random number generator is continuously biased to logic 0 or logic 1, it is inverted as appropriate between shift stages B2 and B3, so that the occurrence rates of logic 0 and logic 1 are corrected to 50% each.
In the present invention, it is the inversion/non-inversion selection signal that determines the strength of the resistance to DPA. Bringing the 0/1 occurrence ratio of the chip's internal signals close to 50% makes analysis by DPA difficult. As described above, DPA measures the current consumption waveform while data is processed and searches for a peak by statistical means; when the 0/1 occurrence ratio is 50%, the current consumption is averaged out in the statistical processing and the peak disappears, so decryption by DPA becomes difficult.

In this embodiment, as described above, a sign bit is added to the plaintext data so that the data can be in either a positive or a negative state. During the repeated operations of encryption, the data, together with its sign, is changed at random. Operations that are not affected by the sign (such as exclusive OR) are performed as they are, ignoring the sign. For operations that are affected by the sign (such as operations using a conversion table), a positive operation circuit and a negative operation circuit are provided, and a mechanism selects the output of the operation circuit according to the sign of the data.
According to this embodiment, the cryptographic operation time does not increase. There are also methods that disturb the analysis by lengthening the operation time, for example by performing dummy operations, but because the present method disturbs the analysis by making the internal processing differ on every operation, the time taken by one operation is the same as without the countermeasure. Furthermore, because the DPA countermeasure in this embodiment is built into the hardware, it places no extra burden on the user, unlike a countermeasure implemented in software.

FIG. 14 shows an external view of an embodiment of an IC card to which the present invention is applied. The IC card has a card 101 made of a plastic case and, mounted inside the card 101, an IC card chip (not shown) consisting of a one-chip microcomputer or the like. The IC card further has a plurality of contacts (electrodes) 102 connected to the external terminals of the IC card chip. The contacts 102 are the power supply terminal VCC, the power supply reference potential terminal VSS, the reset input terminal RES bar, the clock terminal CLK, and the data terminals I/O-1/IRQ bar and I/O-2/IRQ bar, as described later with reference to FIG. 15. Through these contacts 102 the IC card receives its power supply from an external coupling device such as a reader/writer (not shown), and exchanges data with the external coupling device.
FIG. 15 shows a schematic block diagram of an embodiment of the IC card chip (microcomputer) mounted on the IC card according to the present invention. The circuit blocks in the figure are formed, although not particularly limited to this, on a single semiconductor substrate such as single-crystal silicon by known MOS integrated circuit manufacturing technology.
The configuration of the IC card chip according to the present invention is basically the same as that of a microcomputer. It consists of a clock generation circuit, a central processing unit (hereinafter simply called the CPU), storage devices such as ROM (Read Only Memory), RAM (Random Access Memory) and non-volatile memory (EEPROM), a coprocessor (encryption/decryption device) that performs the encryption and decryption operations, input/output ports (I/O ports), and so on.
The clock generation circuit receives the external clock CLK supplied from a reader/writer (external coupling device, not shown) via the contacts 102 of FIG. 1, forms a system clock signal synchronized with that external clock signal, and supplies it to the inside of the chip. The CPU 201 is a device that performs logical and arithmetic operations and controls the system control logic, the random number generator, the security logic, the timer, and so on. Storage devices such as the RAM, ROM and EEPROM store programs and data. The coprocessor consists of circuits adapted to the DES cipher or the like, as described above. The I/O (input/output) port is a device that communicates with the reader/writer. The data bus and the address bus interconnect the devices.
Of the above storage devices, the ROM is a memory whose contents are fixed in a non-volatile manner and mainly stores programs. The volatile memory (hereinafter RAM) is a memory whose stored information can be freely rewritten, but its contents are lost when the power supply is interrupted. When the IC card is removed from the reader/writer the power supply is interrupted, so the contents of the RAM are no longer retained.
The non-volatile memory (hereinafter EEPROM (Electrical Erasable Programmable Read Only Memory)) is a non-volatile memory whose contents can be rewritten; information once written into it is retained even when the power supply is stopped. The EEPROM is used to store data that needs to be rewritten and that must be retained even when the IC card is removed from the reader/writer. For example, when the IC card is used as a prepaid card, the prepaid unit count is rewritten each time the card is used. Because this count must be retained in the IC card even after it is removed from the reader/writer, it is held in the EEPROM.
The CPU is configured in the same way as a so-called microprocessor. That is, although the details are not shown, it contains an instruction register, a microinstruction ROM that decodes the instruction written to the instruction register and forms various microinstructions or control signals, an arithmetic circuit, general-purpose registers (RG6 etc.), and input/output circuits such as a bus driver and a bus receiver coupled to the internal bus BUS. The CPU reads an instruction stored in the ROM or the like and performs the operation corresponding to that instruction. The CPU takes in external data input via the I/O port, reads data such as instructions from the ROM and the fixed data needed to execute them, and controls the writing and reading of data to and from the RAM and EEPROM.
The CPU receives the system clock signal generated by the clock generation circuit and operates with the timing and period determined by that signal. The main internal part of the CPU consists of CMOS circuits made up of P-channel MOSFETs and N-channel MOSFETs. Although not particularly limited, the CPU includes CMOS static circuits capable of static operation, such as CMOS static flip-flops, and CMOS dynamic circuits that precharge a signal output node and output a signal to that node in synchronization with the system clock signal.
As described above, the coprocessor adds a sign bit to the plaintext data it handles internally so that the data can take either a positive or a negative state. During the iterated operations of encryption, the data is randomly changed together with its sign. Operations not affected by the sign (such as exclusive OR) are performed as they are, ignoring the sign. For operations affected by the sign (such as operations using a conversion table), a positive arithmetic circuit and a negative arithmetic circuit are provided, and a mechanism selects the output of the arithmetic circuit according to the sign of the data.
The IC card of this embodiment likewise uses a disturbance method in which the internal processing differs each time an operation is performed, so the time required for one operation is the same as when no countermeasure is applied and high-speed data processing is possible. Because the DPA countermeasure is built into the hardware, the CPU need not perform extra operations for it, and no extra load is imposed on the user.
The effects obtained from the above embodiment are as follows.
(1) An input selection circuit randomly takes in either the non-inverted data corresponding to a processing unit of plaintext data or ciphertext, or the inverted data of all its bits. The data passed through the input selection circuit is supplied to a positive scramble circuit, which performs the transposition and substitution processing corresponding to the non-inverted data, and to a negative scramble circuit, which performs the transposition and substitution processing corresponding to the inverted data. An output selection circuit extracts one of the output signals transposed and substituted by the positive or negative scramble circuit, in correspondence with the selection made by the input selection circuit, and an output circuit performs the final transposition on the result of the multiple rounds of transposition and substitution in the two scramble circuits to obtain the ciphertext or plaintext data. This provides the effect that security protection through a DPA countermeasure can be achieved with a simple configuration, at high speed and stably.
(2) In addition to the above, a sign bit is added to the plaintext data or ciphertext, and a randomly generated selection signal is supplied to the input selection circuit so that either the non-inverted data, including the sign bit, or the inverted data of all its bits is taken in. The sign bit is separated and the data is transposed and substituted by the positive and negative scramble circuits, and the separated sign bit is used to control the output selection circuit so that the transposed and substituted output signal corresponding to the non-inverted or inverted data taken in by the input selection circuit is extracted. This provides the effect that the DPA countermeasure can be realized with a simple configuration.
(3) In addition to the above, performing the transposition and substitution processing with the DES encryption/decryption algorithm allows encryption and decryption to be realized by the same processing, which provides the effect that the circuit can be simplified.
(4) In addition to the above, adding a simple circuit that receives the 1-bit binary signal formed by a random number generation circuit and corrects the appearance rates of logic 1 and logic 0 to approximately 1/2, so as to form the randomly generated selection signal, provides the effect that a more robust DPA countermeasure can be realized.
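The positive/negative datapath described for the coprocessor and summarized in effects (1) and (2), modelled in software as an added example (not code from the patent). It is a toy 8-bit Feistel cipher that reuses only DES S-box S1; the round keys, the function names, the XNOR combine in the negative path and the re-inversion before the final swap are assumptions made so that every negative-path value is the exact complement of its positive-path counterpart.

```python
import secrets

# DES S-box S1; row = outer bits (b1, b6), column = inner bits b2..b5.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]
KEYS = [0x2B, 0x15, 0x3A, 0x07]  # constructed 6-bit round keys (sample values)


def sbox_pos(x6):
    """Positive table: true 6-bit input -> true 4-bit output."""
    row = ((x6 >> 4) & 2) | (x6 & 1)
    return S1[row][(x6 >> 1) & 0xF]


def sbox_neg(x6):
    """Negative table: inverted input -> inverted output of the same entry."""
    return sbox_pos(~x6 & 0x3F) ^ 0xF


def expand(r4):
    """DES-style expansion b4 b1 b2 b3 b4 b1; pure wiring, so it commutes with inversion."""
    b1, b2, b3, b4 = (r4 >> 3) & 1, (r4 >> 2) & 1, (r4 >> 1) & 1, r4 & 1
    return (b4 << 5) | (b1 << 4) | (b2 << 3) | (b3 << 2) | (b4 << 1) | b1


def round_pos(l, r, k):
    """Feistel round on non-inverted halves; also returns the S-box output."""
    f = sbox_pos(expand(r) ^ k)
    return r, l ^ f, f


def round_neg(l, r, k):
    """Same round on inverted halves. The key XOR needs no change (the inversion
    passes straight through it); the table is the negative one; the combine is
    an XNOR so that the result is still inverted (assumed design)."""
    f = sbox_neg(expand(r) ^ k)
    return r, (l ^ f) ^ 0xF, f


def reference_encrypt(block, keys=KEYS):
    """Unprotected cipher: positive path only, final half swap as in DES."""
    l, r = block >> 4, block & 0xF
    for k in keys:
        l, r, _ = round_pos(l, r, k)
    return (r << 4) | l


def masked_encrypt(block, keys=KEYS, select_bits=None, trace=None):
    """Protected cipher: 9-bit word = sign bit + 8 data bits."""
    word = block  # sign bit 0: data enters non-inverted
    for i, k in enumerate(keys):
        sel = select_bits[i] if select_bits is not None else secrets.randbits(1)
        if sel:
            word ^= 0x1FF  # input selector: take the all-bits-inverted word
        sign, data = word >> 8, word & 0xFF  # separate the sign bit
        l, r = data >> 4, data & 0xF
        pos = round_pos(l, r, k)  # both scramble circuits see the same input
        neg = round_neg(l, r, k)
        nl, nr, f = neg if sign else pos  # output selector driven by the sign
        if trace is not None:
            trace.append((sign, f))
        word = (sign << 8) | (nl << 4) | nr
    sign, data = word >> 8, word & 0xFF
    if sign:
        data ^= 0xFF  # restore true polarity before the final swap (assumed)
    return ((data & 0xF) << 4) | (data >> 4)


def sbox_weights_by_sign(block, rnd, keys=KEYS):
    """Hamming weight of the selected S-box output in round rnd, for sign 0 and 1."""
    weights = []
    for sign in (0, 1):
        select = [0] * len(keys)
        select[rnd] = sign  # switch polarity exactly at round rnd
        trace = []
        masked_encrypt(block, keys, select, trace)
        weights.append(bin(trace[rnd][1]).count("1"))
    return tuple(weights)


if __name__ == "__main__":
    pt = 0xA7  # constructed sample plaintext block
    print(hex(reference_encrypt(pt)), hex(masked_encrypt(pt)))
    print([sbox_weights_by_sign(pt, rnd) for rnd in range(len(KEYS))])
```

For any block and round the two weights returned by `sbox_weights_by_sign` sum to 4, so with an unbiased select bit the expected weight of the S-box output register is 2 whatever the data, while the ciphertext is unchanged; a biased select bit shifts that average, which is what the correction circuit in effect (4) addresses.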
The invention made by the present inventor has been specifically described above based on the embodiments, but it goes without saying that the present invention is not limited to those embodiments and can be modified in various ways without departing from its gist. For example, the IC card may carry a single semiconductor integrated circuit device or a plurality of semiconductor integrated circuit devices. The microcomputer on which the encryption/decryption device is mounted may be formed as a single semiconductor integrated circuit device, or may consist of a CPU and its peripheral circuits built from multiple chips and mounted on a single module substrate.
The microcomputer may be anything that includes a data processing device and a ROM in which the data processing procedure of that device is written, and that performs data input/output operations according to that procedure. For example, besides the IC card chip described above, the invention is widely applicable to various microcomputers that require security protection, such as one-chip microcomputers for games and the like.
Industrial applicability
The present invention can be widely used for encryption/decryption devices, encryption/decryption methods, data encryption methods, and various IC cards and microcomputers that require security protection.

Claims

The scope of the claims
1. An encryption/decryption device comprising:
an input selection circuit that randomly takes in either non-inverted data corresponding to a processing unit of plaintext data or ciphertext, or inverted data of all its bits;
a positive scramble circuit that receives the data passed through the input selection circuit and performs transposition and substitution processing corresponding to the non-inverted data;
a negative scramble circuit that receives the data passed through the input selection circuit and performs transposition and substitution processing corresponding to the inverted data;
an output selection circuit that extracts one of the output signals transposed and substituted by the positive scramble circuit or the negative scramble circuit, in correspondence with the selection operation of the input selection circuit; and
an output circuit that performs a final transposition on the result of the multiple rounds of transposition and substitution in the positive scramble circuit and the negative scramble circuit,
wherein ciphertext or plaintext data is obtained through the output circuit.
2. The encryption/decryption device according to claim 1, further comprising a circuit that adds a sign bit to the plaintext data or ciphertext, wherein
a randomly generated selection signal is supplied to the input selection circuit so that either the non-inverted data, including the sign bit, or the inverted data of all its bits is taken in,
the sign bit is separated and the data is transposed and substituted by the positive scramble circuit and the negative scramble circuit, and
the separated sign bit is used to control the output selection circuit so as to extract the transposed and substituted output signal corresponding to the non-inverted data or the inverted data of all its bits taken in by the input selection circuit.
3. The encryption/decryption device according to claim 1, wherein the transposition and substitution processing is performed by the DES encryption/decryption algorithm.
4. The encryption/decryption device according to claim 2, wherein the randomly generated selection signal is formed by a correction circuit that receives a 1-bit binary signal formed by a random number generation circuit and corrects the appearance rates of logic 1 and logic 0 to approximately 1/2.
5. An encryption/decryption method in which
a first signal processing that randomly takes in either non-inverted data corresponding to a processing unit of plaintext data or ciphertext, or inverted data of all its bits,
a second signal processing that performs in parallel, on the data taken in by the first signal processing, a positive scramble signal processing that performs transposition and substitution processing corresponding to the non-inverted data and a negative scramble signal processing that performs transposition and substitution processing corresponding to the inverted data, and
a third signal processing that extracts one of the output signals transposed and substituted by the positive scramble signal processing or the negative scramble signal processing, in correspondence with the data selection operation in the first signal processing,
are performed a plurality of times, and the result of the last transposition and substitution is used as the encrypted data or decrypted data.
6. The encryption/decryption method according to claim 5, further comprising an operation of adding a sign bit to the plaintext data or ciphertext and an operation of forming a randomly generated selection signal, wherein
in the first signal processing, the selection signal is used to take in either the non-inverted data, including the sign bit, or the inverted data of all its bits,
in the second signal processing, the sign bit is separated and the positive and negative scramble signal processing is performed, and
in the third signal processing, the separated sign bit is used to extract the transposed and substituted output signal corresponding to the non-inverted data or the inverted data of all its bits taken in by the first signal processing.
7. The encryption/decryption method according to claim 5, wherein the transposition and substitution processing is performed by the DES encryption/decryption algorithm.
8. The encryption/decryption method according to claim 6, wherein the randomly generated selection signal is subjected to signal processing that corrects the appearance rates of logic 1 and logic 0 of a 1-bit binary signal formed by a random number generation circuit to approximately 1/2.
9. A data encryption method for obtaining encrypted data corresponding to input data by performing a predetermined conversion process on the input data a predetermined number of times, wherein
in the predetermined conversion process, a control signal taking a state of either logic 0 or logic 1 is input; first data is generated by processing the input data with none of its bits inverted; second data is generated by processing the input data with all of its bits inverted; and, according to the state of the control signal, either the first data or the second data is output as the output of the predetermined conversion process, the generation of the first data and the generation of the second data being performed in parallel, and
the state taken by the control signal is controlled so that the appearance ratios of logic 0 and logic 1 are each approximately 50%.
10. The data encryption method according to claim 9, wherein a control device is used to control the state taken by the control signal so that the appearance ratios of logic 0 and logic 1 are each approximately 50%.
11. The data encryption method according to claim 10, wherein the control device has a random number generation device.
12. An IC card whose operation includes data input/output operations accompanied by encryption or decryption processing by a cryptographic arithmetic unit, the IC card being supplied with an operating voltage when its external terminals are electrically connected to a read/write device, and the cryptographic arithmetic unit operating on instructions from a central processing unit, wherein the cryptographic arithmetic unit comprises:
an input selection circuit that randomly takes in either non-inverted data corresponding to a processing unit of plaintext data or ciphertext, or inverted data of all its bits;
a positive scramble circuit that receives the data passed through the input selection circuit and performs transposition and substitution processing corresponding to the non-inverted data;
a negative scramble circuit that receives the data passed through the input selection circuit and performs transposition and substitution processing corresponding to the inverted data;
an output selection circuit that extracts one of the output signals transposed and substituted by the positive scramble circuit or the negative scramble circuit, in correspondence with the selection operation of the input selection circuit; and
an output circuit that performs a final transposition on the result of the multiple rounds of transposition and substitution in the positive scramble circuit and the negative scramble circuit,
and wherein ciphertext or plaintext data is obtained through the output circuit.
13. The IC card according to claim 12, further comprising a circuit that adds a sign bit to the plaintext data or ciphertext, wherein
a randomly generated selection signal is supplied to the input selection circuit so that either the non-inverted data, including the sign bit, or the inverted data of all its bits is taken in,
the sign bit is separated and the data is transposed and substituted by the positive scramble circuit and the negative scramble circuit, and
the separated sign bit is used to control the output selection circuit so as to extract the transposed and substituted output signal corresponding to the non-inverted data or the inverted data of all its bits taken in by the input selection circuit.
14. The IC card according to claim 12, wherein the transposition and substitution processing is performed by the DES encryption/decryption algorithm.
15. The IC card according to claim 13, wherein the randomly generated selection signal is formed by a correction circuit that receives a 1-bit binary signal formed by a random number generation circuit and corrects the appearance rates of logic 1 and logic 0 to approximately 1/2.
PCT/JP2002/002064 2001-04-16 2002-03-06 Enciphering / deciphering device, enciphering / deciphering method, data enciphering method, and ic card WO2002086846A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2001116254A JP3844116B2 (en) 2001-04-16 2001-04-16 Encryption / decryption device and IC card
JP2001-116254 2001-04-16

Publications (1)

Publication Number Publication Date
WO2002086846A1 true WO2002086846A1 (en) 2002-10-31

Family

ID=18967016

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2002/002064 WO2002086846A1 (en) 2001-04-16 2002-03-06 Enciphering / deciphering device, enciphering / deciphering method, data enciphering method, and ic card

Country Status (2)

Country Link
JP (1) JP3844116B2 (en)
WO (1) WO2002086846A1 (en)

Families Citing this family (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP4357815B2 (en) 2002-09-11 2009-11-04 株式会社東芝 Cryptographic operation circuit
JP4588969B2 (en) * 2002-10-29 2010-12-01 三菱電機株式会社 Secure device
JP2005031471A (en) * 2003-07-07 2005-02-03 Sony Corp Encryption processing device and encryption processing method
JP3998616B2 (en) * 2003-09-10 2007-10-31 株式会社東芝 Encryption / decryption module
JP4565314B2 (en) * 2004-03-12 2010-10-20 ソニー株式会社 Signal processing circuit and method
JP4589327B2 (en) 2004-07-07 2010-12-01 三菱電機株式会社 Electronic device and data processing method
JP2006025366A (en) * 2004-07-09 2006-01-26 Sony Corp Encryption apparatus and semiconductor integrated circuit
JP2006054568A (en) * 2004-08-10 2006-02-23 Sony Corp Encryption apparatus, decryption apparatus and method, and computer program
JP4529719B2 (en) * 2005-02-16 2010-08-25 ソニー株式会社 Signal processing circuit
JP4936996B2 (en) * 2007-05-24 2012-05-23 株式会社東芝 Nonlinear data converter, encryption device, and decryption device
JP5354914B2 (en) * 2008-01-18 2013-11-27 三菱電機株式会社 Encryption processing device, decryption processing device, and program
JP5146156B2 (en) * 2008-06-30 2013-02-20 富士通株式会社 Arithmetic processing unit
EP2180631A1 (en) * 2008-10-24 2010-04-28 Gemalto SA Cryptographic algorithm fault protections
WO2010116474A1 (en) 2009-03-30 2010-10-14 富士通株式会社 Optical transmission system and optical transmission method
JPWO2013190782A1 (en) * 2012-06-22 2016-02-08 日本電気株式会社 Encryption processing circuit and decryption processing circuit

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH0433020A (en) * 1990-05-24 1992-02-04 Nec Corp Semiconductor integrated circuit with security protection function
JP2000066585A (en) * 1998-08-20 2000-03-03 Toshiba Corp Encryption and decryption apparatus, encryption and decryption method and their program memory medium
JP2000165375A (en) * 1998-11-30 2000-06-16 Hitachi Ltd Information processor and ic card

Also Published As

Publication number Publication date
JP2002311826A (en) 2002-10-25
JP3844116B2 (en) 2006-11-08

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): CN KR SG US

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR

DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
121 Ep: the epo has been informed by wipo that ep was designated in this application
122 Ep: pct application non-entry in european phase