WO2011071063A1 - Side channel attack resistance assessment device, side channel attack resistance assessment method, and program thereof - Google Patents

Side channel attack resistance assessment device, side channel attack resistance assessment method, and program thereof Download PDF

Info

Publication number
WO2011071063A1
WO2011071063A1 PCT/JP2010/071977 JP2010071977W WO2011071063A1 WO 2011071063 A1 WO2011071063 A1 WO 2011071063A1 JP 2010071977 W JP2010071977 W JP 2010071977W WO 2011071063 A1 WO2011071063 A1 WO 2011071063A1
Authority
WO
WIPO (PCT)
Prior art keywords
side channel
channel attack
analysis range
evaluation
resistance evaluation
Prior art date
Application number
PCT/JP2010/071977
Other languages
French (fr)
Japanese (ja)
Inventor
哲孝 山下
Original Assignee
日本電気株式会社
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 日本電気株式会社 filed Critical 日本電気株式会社
Priority to JP2011545223A priority Critical patent/JP5733215B2/en
Publication of WO2011071063A1 publication Critical patent/WO2011071063A1/en

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/002Countermeasures against attacks on cryptographic mechanisms
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/12Details relating to cryptographic hardware or logic circuitry

Definitions

  • the present invention relates to a side channel attack resistance evaluation apparatus, a side channel attack resistance evaluation method, and a program therefor, and more particularly, a side channel that evaluates resistance to a side channel attack of a cryptographic apparatus using side channel information leaked from the cryptographic apparatus.
  • the present invention relates to an attack resistance evaluation apparatus, a side channel attack resistance evaluation method, and a program thereof.
  • side channel information under the assumption that attackers can accurately measure side channel information such as processing time and power consumption in devices such as IC cards with a cryptographic function and portable terminals.
  • a side-channel attack that attempts to acquire confidential information from the Internet and its countermeasures are major research themes.
  • the side channel information includes information related to the processing and data being executed in the cryptographic device that is the target of attack.
  • the cryptographic algorithm, processing timing, and secret key can be estimated. It is.
  • a timing attack focusing on processing time for example, refer to Non-Patent Document 1
  • a power analysis focusing on power consumption for example, refer to Non-Patent Document 2
  • a leakage electromagnetic wave for example, Non-Patent Document 3
  • An electromagnetic wave analysis see, for example, Non-Patent Document 3 is known.
  • DPA Differential Power Analysis
  • DPA Correlation Power Analysis
  • tamper resistance In an apparatus equipped with encryption, practically, resistance against side channel attacks (hereinafter referred to as “tamper resistance” as appropriate) is required. For this reason, research on tamper resistance technology that makes it difficult to estimate secret information such as encryption algorithms from side channel information has been promoted.
  • tamper resistance refers to the performance of preventing leakage of confidential information and modification of functions against attacks.
  • a tamper resistant technique for preventing leakage of confidential information from side channel information by arbitrarily adding unnecessary information to the side channel information has been proposed.
  • Patent Document 1 a tamper resistant technique for preventing leakage of confidential information from side channel information by arbitrarily adding unnecessary information to the side channel information.
  • Non-Patent Document 5 a technique for evaluating the resistance against side channel attacks is required (see, for example, Non-Patent Document 5).
  • Non-Patent Document 5 As described above, for example, by using the technique described in Non-Patent Document 5, it is possible to evaluate resistance to side channel attacks.
  • the analysis may fail due to the waveform processing range being too wide.
  • DPA digital to amino acid conversion
  • a feature appears in a part not related to the secret key and the analysis fails. There is.
  • it may be erroneously determined that there is resistance even though the resistance is actually low. Therefore, in order to increase the accuracy of resistance evaluation, it is required not to process an extra portion in the side channel attack resistance evaluation.
  • the present invention suppresses a reduction in accuracy of resistance evaluation due to unnecessary information on side channel information, and can evaluate a side channel attack resistance against a cryptographic device with high accuracy. It is an object to provide a resistance evaluation method and a program thereof.
  • the encryption device in the side channel attack resistance evaluation device that evaluates the resistance of the encryption device to a side channel attack using the side channel information leaked from the encryption device, the encryption device subject to resistance evaluation
  • the side channel information receiving unit that receives the side channel information acquired from the outside and takes in the side channel information
  • the analysis range setting unit that sets the analysis range that is the range to be analyzed from within the entire range of the side channel information
  • a side channel attack resistance evaluation unit that determines whether or not the cryptographic device to be evaluated is resistant to a side channel attack using the side channel information within the analysis range set by the analysis range setting unit.
  • the cryptographic device subject to resistance evaluation Side channel information receiving step for receiving the side channel information acquired from the outside and taking in the side channel information, and an analysis range setting step for setting an analysis range which is a range to be analyzed from within all the ranges of the side channel information
  • a side channel attack resistance evaluation step for determining whether or not the cryptographic device to be evaluated is resistant to a side channel attack using the side channel information within the analysis range set in the analysis range setting step.
  • the side channel attack resistance evaluation incorporated in the side channel attack resistance evaluation device that evaluates the resistance of the encryption device to the side channel attack using the side channel information leaked from the encryption device.
  • the side channel information acquired from the cryptographic device subject to tolerance evaluation is received from the outside, and the side channel information receiving unit that takes in the side channel information, and the range to be analyzed from within the entire range of the side channel information
  • An analysis range setting unit that sets an analysis range, and a side channel that determines whether the evaluation target encryption device is resistant to a side channel attack using side channel information within the analysis range set by the analysis range setting unit
  • a side channel attack resistance evaluation device comprising an attack resistance evaluation unit.
  • Side channel attack resistance evaluation program for causing to function over data is provided.
  • the present invention by setting the analysis range and narrowing down the side channel information used for the tolerance evaluation, it is possible to suppress the possibility of performing an erroneous evaluation that occurs by using the evaluation up to an extra range. It becomes possible to improve the evaluation accuracy of the target side channel attack resistance.
  • DPA difference electric power analysis
  • Example 1 It is an electromagnetic wave measurement waveform at the time of DES encryption processing. It is the figure which showed the analysis range set in the electromagnetic wave measurement waveform at the time of DES encryption processing. It is the figure which extracted the set analysis range part in the electromagnetic wave measurement waveform at the time of DES encryption processing.
  • Example 1 it is a figure showing the table
  • Example 1 it is a figure showing the table
  • the present embodiment generally includes an encryption device to be evaluated, a side channel information measurement device that measures side channel information of the encryption device, and a side channel of the encryption device using the side channel information measured by the side channel information measurement device.
  • a side channel attack resistance evaluation device that evaluates resistance against side channel attacks that analyze internal processing related to encryption of the encryption device and confidential information;
  • the side channel attack resistance evaluation device includes a side channel information input unit that inputs side channel information measured by the side channel information measurement device to the side channel attack resistance evaluation device, and side channel information input from the side channel information input unit.
  • an analysis range setting unit that sets an analysis range in resistance evaluation
  • a side channel attack resistance evaluation unit that performs side channel resistance evaluation of the cryptographic device using side channel information within the range set by the analysis range setting unit And have.
  • FIG. 1 is a block diagram illustrating a schematic configuration of a side channel attack resistance evaluation apparatus 300 and other apparatuses according to the first embodiment of the present invention.
  • the present embodiment includes an encryption device 100, a side channel information measurement device 200, and a side channel attack resistance evaluation device 300.
  • the encryption device 100 is a device that performs processing such as encryption on plaintext and decryption on ciphertext (hereinafter, these processes are collectively referred to as “encryption / decryption processing”).
  • encryption / decryption processing various information processing devices capable of executing encryption / decryption processing can be employed. Examples of devices that can be employed include personal computers (PCs), portable terminals such as cellular phones, contact-type and non-contact-type IC cards, and reader / writers.
  • the side channel information measuring device 200 is a device that measures side channel information leaked when the encryption device 100 performs encryption / decryption processing.
  • As the side channel information to be measured various kinds of information affected by internal processing in the encryption apparatus can be considered. Specifically, power, electromagnetic waves, sound, temperature and the like can be exemplified.
  • the side channel information measuring apparatus 200 can employ an oscilloscope, a spectrum analyzer, or the like.
  • the side channel attack resistance evaluation apparatus 300 is an apparatus that uses the side channel information obtained from the side channel information measurement apparatus 200 to evaluate the resistance against the side channel attack of the encryption apparatus 100 that is the evaluation target encryption apparatus.
  • the side channel attack resistance evaluation apparatus 300 includes a side channel information reception unit 301, an analysis range setting unit 302, and a side channel attack resistance evaluation unit 303.
  • the side channel information receiving unit 301 has a function of taking side channel information measured by the side channel information measuring apparatus 200 into the side channel attack resistance evaluating apparatus 300. Note that it is not the gist of the present embodiment how the side channel information receiving unit 301 specifically captures the side channel information. Therefore, it is possible to capture using any method. For example, USB (Universal Serial Bus), RS-232C (Recommended Standard 232 version C), IEEE 1394 (Institute of Electrical and Electronic Electronics Engineers 1394), SCSI (Small Computer System Interface) can be used.
  • USB Universal Serial Bus
  • RS-232C Recommended Standard 232 version C
  • IEEE 1394 Institute of Electrical and Electronic Electronics Engineers 1394
  • SCSI Small Computer System Interface
  • a method of reading from a recording medium such as a disk, a magnetic tape, or a flash memory and taking it in can be used.
  • the analysis range setting unit 302 sets the analysis range of the side channel information used by the side channel attack resistance evaluation unit 303.
  • analysis range setting methods the following four methods can be exemplified.
  • the first method for setting the analysis range is to set the analysis range based on external input.
  • the analysis range is set with reference to the point in time when the input from the outside is detected. Set the analysis range as the start point or end point of the analysis range, set the analysis range as the center point of the analysis range, or set the point before or after a certain point from the detection point as the start point, end point, or center point of the analysis range
  • a setting method can be considered.
  • the second method of setting the specific analysis range is a method of setting the analysis range based on the input side channel information.
  • this method for example, rising and falling of side channel information, spikes, and the like are detected based on predetermined parameters. Then, the analysis range is set based on the detected position.
  • a method of setting the start point, end point, etc. of the analysis range can be considered as in the first method with the detected position as a reference.
  • the input side channel information is subjected to calculations such as correlation and matching with reference information, and the analysis range is set based on the calculation result.
  • a method is mentioned. In this method, there can be considered a method of determining the starting point of the analysis range in the same manner as the first method, based on a location where a high correlation is obtained or a location where the similarity is the highest in matching.
  • the fourth method of setting the specific analysis range is to conduct side channel attack resistance evaluation using the entire side channel information or side channel information within the analysis range set appropriately, and based on the results.
  • a method for setting the analysis range can be mentioned. Note that the four methods described above are merely examples. It is also possible to use methods other than these four methods.
  • the side channel attack resistance evaluation unit 303 uses the side channel information within the range set by the analysis range setting unit 302 to perform an evaluation of the encryption device 100 against a side channel attack.
  • a side channel attack is performed on the side channel information within the analysis range, and the result of determining whether or not the attack is successful, the correlation with the reference waveform, distance, and similarity are used. Methods and the like.
  • Examples of the side channel attack method include timing attack, electromagnetic wave analysis, simple power analysis, differential power analysis, failure use attack, cache attack, acoustic analysis attack, and the like.
  • the input in the side channel information receiving unit 301 and the processing in the analysis range setting unit 302 are performed a plurality of times, whereby a plurality of side channel information is obtained. Is possible to get.
  • the second and subsequent waveforms only the range set by the analysis range setting unit 302 is repeatedly input by the side channel information receiving unit 301, whereby a plurality of side channel information can be acquired.
  • the analysis range setting unit 302 has a function of changing the analysis range according to the result of the resistance evaluation, the content of the resistance evaluation of the side channel attack (the presence / absence of resistance, the location of the peak at the time of analysis, A means for propagating the peak value, correlation value, distance, similarity, etc.) to the analysis range setting unit 302.
  • the side channel attack resistance evaluation unit 303 uses the side channel information within the set analysis range to attack the side channel attack of the encryption device 100. Perform resistance assessment.
  • “S1” and “S2” represent “side channel information”.
  • “S3” represents “analysis range-set side channel information”.
  • “S4” in FIG. 1 represents “side channel information tolerance evaluation result information”.
  • the connection from the side channel attack resistance evaluation unit 303 to the analysis range setting unit 302 is not always necessary depending on the operation example. It is also possible to omit this connection and “S4”.
  • FIG. 2 is a flowchart showing an operation example of the side channel attack resistance evaluation apparatus 300 in the present embodiment.
  • the analysis range setting unit 302 sets an analysis range for the side channel information input from the side channel information receiving unit 301, and the side channel attack resistance evaluation unit 303 within the set analysis range.
  • the side channel attack resistance evaluation of the cryptographic device 100 is performed using the side channel information.
  • the side channel information receiving unit 301 receives the side channel information and takes in the received side channel information (step A1).
  • the analysis range setting unit 302 sets the analysis range of the side channel information used by the side channel attack resistance evaluation unit 303 based on the input side channel information based on a predetermined criterion. (Step A2).
  • the side channel attack resistance evaluation unit 303 performs side channel attack resistance evaluation using the side channel information within the analysis range set by the analysis range setting unit 302, and ends the evaluation (step A3).
  • the time required for evaluation can be reduced by narrowing down the analysis range.
  • the evaluation accuracy is improved.
  • FIG. 3 is a block diagram showing a configuration example in the present embodiment.
  • the side channel attack resistance evaluation device 310 has a side channel information measurement unit 304 instead of the side channel reception unit 301 and external side channel information.
  • the measuring device 200 is unnecessary.
  • the side channel information measurement unit 304 has a function of measuring side channel information leaked when the encryption device 100 performs the encryption / decryption processing, similarly to the side channel information measurement device 200.
  • Examples of the measurement target include power, electromagnetic waves, sound, temperature, and the like.
  • S2 in FIG. 3 represents “side channel information”.
  • S3 represents “analysis range set side channel information”.
  • S4 in FIG. 3 represents “side channel information tolerance evaluation result information”.
  • the connection from the side channel attack resistance evaluation unit 303 to the analysis range setting unit 302 is not always necessary depending on the operation example. It is also possible to omit this connection and “S4”.
  • FIG. 4 is a flowchart showing an operation example of the side channel attack resistance evaluation apparatus 310 in the present embodiment.
  • the difference from the operation example of the first embodiment is that when the side channel information is input at the start of evaluation, the side channel measurement unit 304 measures the side channel information from the encryption device 100, so that the side channel information is changed to the side channel information. This is a point that is taken into the attack resistance evaluation device 310 (step A1-1).
  • the flow of operation after inputting the side channel information is the same as that in the first embodiment (steps A2 and A3).
  • the side channel information measurement unit 304 into the side channel attack resistance evaluation device 310, the side channel information can be directly captured from the encryption device 100. Therefore, it is possible to perform side channel attack resistance evaluation even in an environment where the side channel information measuring apparatus 200 does not exist.
  • side channel attack resistance evaluation is performed using the entire side channel information or side channel information within a preset analysis range. Also, the analysis range is reset based on the evaluation result, and the side channel attack resistance is evaluated again. Further, the operation of setting the analysis range and evaluating the tolerance is repeated based on the evaluation result.
  • FIG. 5 is a flowchart of the side channel attack resistance evaluation apparatus 300 in this embodiment.
  • the difference from the first embodiment is that resistance evaluation and analysis range setting are repeated.
  • the side channel attack resistance evaluation unit 303 first evaluates the side channel attack resistance (step A3). Then, the analysis range setting unit 302 sets the analysis range according to the evaluation result in step A3 (step A2-1). Then, the resistance evaluation in the side channel attack resistance evaluation unit 303 and the analysis range setting in the analysis range setting unit 302 are repeated (step A3, step A2-1).
  • step A3 after evaluating side channel attack resistance (step A3), if the analysis range falls below a certain range, loops a predetermined number of times, or the result of resistance evaluation meets the criteria, etc. End (YES in step A5).
  • steps A3 if the analysis range falls below a certain range, loops a predetermined number of times, or the result of resistance evaluation meets the criteria, etc. End (YES in step A5).
  • steps A5 merely examples, and other conditions may be used as conditions for repeated termination. Further, the process may be terminated repeatedly if one of the conditions is satisfied, or may be terminated when all of the plurality of conditions are satisfied.
  • step A2-1 again and continues the operation (NO in step A5).
  • examples of the criterion of the resistance evaluation result in step A5 include the success / failure of the secret key analysis, the distance from the reference waveform, and the high correlation / similarity. If multiple keys are to be analyzed, the number of keys successfully analyzed. Further, if DPA or a method derived from it is used, the peak height can be exemplified. Furthermore, even if the analysis range cannot be improved sufficiently by narrowing down the analysis range only once, improvement of the analysis accuracy can be expected by repeating resetting of the analysis range.
  • the secret key is estimated from the power consumption waveform W and the ciphertext or plaintext corresponding to the waveform.
  • the ciphertext C is used will be described. For the description, refer to the flowchart of FIG.
  • K ′ and ciphertext C are classified into two groups using a function F (K ′, C) called a selection function (step B2).
  • step B2 When the classification of all Ws is completed in step B2, the average of W is obtained for each group (step B3).
  • the power consumption waveform W and the function F have a strong correlation, so that a peak appears in W after taking the difference.
  • K ′ and the correct key do not match, there is no correlation between W and F, and no peak appears in W after taking the difference. Therefore, the peak is detected after calculating the average difference between the two groups (step B5). The peak detection process is performed on all key candidates in the same manner, and K ′ showing the highest peak is used as the estimation result. Finally, if the estimated key matches the correct key, the analysis is successful.
  • FIG. 7 is a flowchart of the side channel attack resistance evaluation apparatus 300 in this embodiment.
  • step A2-1 is changed, step A6 is added, and it is corrected to step A2-2.
  • the analysis range setting unit 302 sets the analysis range, if there is a partial key that has been successfully analyzed as a result of analysis once (YES in step A6), the location where the peak appears with the partial key is determined. This is a point (step A2-2) as a reference for resetting the analysis range.
  • the point where the peak appears in the successfully analyzed key is set as the analysis range setting standard.
  • a method of ending the operation is considered as an example (NO in step A6).
  • a method of setting the analysis range by a predetermined method instead of ending the operation may be considered. Possible methods of setting the range include a method based on the peak of the correct key that has been successfully analyzed, and a method of analyzing both of them by dividing the analysis range by half. .
  • the analysis range can be set by the following method.
  • the first method is a method in which priorities are assigned to keys, and a peak of a higher priority key is used as a reference. It is also possible to rank in order from the first partial key.
  • the second is a method in which the peak heights are compared and the highest peak is used as a reference.
  • the key is estimated based on the difference between the two groups.
  • the key may be estimated based on characteristics other than the difference.
  • the key is estimated based on the height of the correlation coefficient.
  • the embodiment of the present invention can also apply a feature used for estimating a key as a criterion for setting an analysis range even in a technique other than DPA.
  • processing using each partial key may be processed continuously or in parallel. In such a case, a portion having a correlation in each partial key exists in the vicinity. Therefore, by narrowing down the analysis range on the basis of the location where the correct key peak appears, the analysis accuracy is improved and the evaluation accuracy of the side channel attack resistance evaluation is improved.
  • FIG. 9 is a flowchart of the side channel attack resistance evaluation apparatus 300 in this embodiment.
  • the difference from the operation example of the fourth embodiment is that when there are a plurality of partial keys that have been successfully analyzed, the peak value of the correct key is compared with the peak values of other key candidates, and the peak values are compared.
  • the analysis range is determined according to the result.
  • the analysis range setting unit 302 compares the peak value of the correct key with the peak value of the other key candidates (step S7).
  • A8) is to determine the analysis range according to the comparison result of the peak values (step A2-5).
  • the analysis range setting unit 302 sets the analysis range based on the peak position of the key that has been successfully analyzed (step A2-4). ).
  • the number of candidates per partial key of DES is 64, and peak values are calculated for the 64 key candidates. If the peak value for the correct key is the highest, the analysis is successful. In the embodiment of the present invention, the highest peak value among the peak values of 63 key candidates other than the correct key is compared with the peak value of the correct key. This is performed for all correct keys that have been successfully analyzed, and the one with the best peak value comparison result is used as the reference for setting the analysis range. As a comparison method, a difference or ratio between peaks can be considered.
  • the difference is 2 and the ratio is 10/8.
  • the difference is 4 and the ratio is 6/2.
  • the portion where the peak of the partial key B appears is set as the analysis range setting reference.
  • FIG. 10 is a flowchart of the side channel attack resistance evaluation apparatus 300 in this embodiment.
  • the difference from the operation example of the fourth embodiment is that when there is no correct partial key, the peak of the correct key is compared with the highest peak among other key candidates, and the peak value The analysis range is determined according to the comparison result.
  • the analysis range setting unit 302 compares the peak of the correct key with the highest peak among other key candidates.
  • Step A9 is that the analysis range is determined according to the comparison result of the peak values (Step A2-6).
  • the analysis range is determined based on the peak of the key.
  • the peak of the correct key is compared with the highest peak among the other key candidates, and the analysis range is determined according to the comparison result.
  • a difference or ratio between peaks can be considered as in the fifth embodiment.
  • the peak of the correct key where the difference or ratio between the peak of the correct key and the other peak is the smallest is set as the analysis range setting reference.
  • the difference or ratio between the maximum peak and the correct key peak is small, when the analysis range is narrowed down at the location where the correct key peak appears, the correct key peak is the highest and the analysis may be successful. high. Therefore, when the analysis fails, the analysis accuracy is improved by setting the analysis range based on the difference or ratio of the peaks, and as a result, the accuracy of resistance evaluation can be improved.
  • the side channel attack resistance evaluation is performed once using the entire side channel information or the side channel information within the analysis range set appropriately, the analysis range is reset based on the result, and the side channel attack resistance is set again. To evaluate. Furthermore, a method of repeating analysis range setting and tolerance evaluation based on the evaluation result will be described.
  • FIG. 11 is a flowchart showing an operation example of the side channel attack resistance evaluation apparatus 300 in the present embodiment.
  • step A1 the analysis range setting unit 302 divides the analysis range into two parts A and B (step A10).
  • step A10 the analysis range setting unit 302 divides the analysis range into two parts A and B.
  • step A11 the side channel attack resistance evaluation unit 303 performs analysis within the analysis ranges of A and B (steps A3-1 and A3-2). ).
  • step A12 If the analysis result of either step A3-1 or step A3-2 satisfies the criteria, the evaluation is terminated (YES in step A12).
  • the analysis range setting unit 302 compares the analysis results (step A13). Then, the analysis range that is determined to be more effective is set as an analysis range that is divided into two (step A14). Then, the analysis range is divided into two again (step A10), and the analysis for each range is repeated.
  • analysis range may be divided into three or more instead of two. In this case, analysis and comparison of results are performed within each range.
  • a secret key is analyzed successfully / unsuccessfully, a distance from a reference waveform, a high correlation / similarity, and a plurality of keys are analyzed. Can be exemplified by the number of keys successfully analyzed. Further, if DPA or a method derived from it is used, the peak height can be exemplified.
  • step A13 the same standard as in step A12 can be used for comparison.
  • the analysis range A and the analysis range B the number of keys successfully analyzed can be compared, and the method with the larger number of successes can be exemplified as the analysis range divided into the following two.
  • there is a method of using a peak for comparison in DPA An example is a method in which an analysis range in which the peak is simply higher is divided into the following two parts.
  • the difference between the peaks if a partial key analysis is mutually successful based on the comparison result of the peak between the correct key and the other key candidates, the difference between the peaks Alternatively, a method in which the larger ratio is used as the analysis range divided into the following two can be exemplified. On the other hand, if the key analysis fails, it is possible to exemplify a method of setting an analysis range in which the smaller peak difference or ratio is divided into the following two.
  • DES is mounted on an evaluation board (corresponding to the encryption device 100 in FIG. 1) capable of performing encryption, and an oscilloscope (corresponding to the side channel information measurement device 200 in FIG. 1) is used.
  • an evaluation board corresponding to the encryption device 100 in FIG. 1
  • an oscilloscope corresponding to the side channel information measurement device 200 in FIG. 1.
  • the encryption used is DES
  • the key length is 64 bits
  • the number of rounds is 16 stages
  • the side channel attack resistance is evaluated based on whether or not the 48 bits (8 6-bit partial keys) round key can be analyzed in the final stage. To do.
  • step A3 As the operation, an operation corresponding to each step shown in FIG. 9 is performed.
  • CPA is used to calculate the peak value and position of the correlation coefficient for 64 key candidates for every 8 partial keys, and the peak value of the correct key is that of the other 63 key candidates. If it is higher than the peak value, the partial key is successfully analyzed.
  • step A5 if it loops 5 times, it is evaluated that it is resistant, and the process ends. If the analysis of five or more partial keys out of the eight partial keys is successful, it is evaluated that there is no tolerance and the process ends.
  • step A8 the ratio between the peak value of the correct key and the peak value of the other key candidates is determined for the partial key that has been successfully analyzed, and the peak position of the partial key having the largest ratio is set in the analysis range in step A2-4.
  • the standard The standard.
  • step A2-4 the analysis range is set around the peak position of the key that has been successfully analyzed.
  • step A2-5 the analysis range is set around the peak position of the partial key having the largest ratio.
  • the range is 251 points for the first loop, 101 points for the second loop, 51 points for the third loop, 25 points for the fourth loop, and 11 points for the fifth loop.
  • step A1 DES is executed on the evaluation board, and a plurality of DES electromagnetic wave waveforms are measured (step A1). Note that the number of points in the first waveform is 28000 points.
  • FIG. 12 shows the measured electromagnetic wave waveform.
  • CPA is performed on the measured electromagnetic wave waveform of DES, and eight partial keys are analyzed (step A3).
  • Table 1 below shows correct answers of eight partial keys (Keys 1 to 8).
  • FIG. 15 shows the first analysis result.
  • FIG. 15 shows the peak value and peak position of the three key candidates and the value of the key candidate in order from the highest peak as a result of analysis for each partial key.
  • a grayed portion indicates a correct key.
  • FIG. 15 shows that there are three partial keys that have been successfully analyzed. Therefore, the number of keys successfully analyzed is 4 or less (NO in step A5), and a plurality of partial keys have been successfully analyzed (YES in step A6, YES in A7). Therefore, the peak values of successful partial keys are compared (step A8). Table 2 below shows the peak values of the correct key and other key candidates and the ratio of the peak values in the successful partial keys.
  • FIG. 13 shows a portion to be analyzed (a portion indicated by an arrow) in the electromagnetic wave waveform.
  • FIG. 14 shows a waveform obtained by cutting out the range to be analyzed.
  • the CPA is executed again within the newly set analysis range to analyze the partial key (step A3).
  • the results of analysis in the new analysis range are shown in FIG.
  • the items in FIG. 16 are the same as those in FIG. FIG. 16 shows that the number of partial keys successfully analyzed has increased to six. Therefore, since the number of partial keys that have been successfully analyzed is five or more, it is evaluated that the current evaluation target does not have side channel attack resistance, and the side channel attack resistance evaluation ends (YES in step A5). .
  • the analysis accuracy is improved by narrowing down the analysis range according to the analysis result.
  • a side channel attack resistance evaluation device with high evaluation accuracy can be realized.
  • the embodiment of the present invention aims to increase the evaluation accuracy of the side channel attack resistance evaluation apparatus by setting the analysis range, but the side channel information is not yet analyzed at the stage where the side channel information has not been analyzed yet. It is possible to determine the analysis range according to the characteristics of the channel information.
  • the side channel attack resistance evaluation apparatus can be realized by hardware, but a computer-readable recording program for causing a computer to function as the side channel attack resistance evaluation apparatus It can also be realized by reading from the medium and executing it.
  • the side channel attack resistance evaluation method according to the embodiment of the present invention can be realized by hardware, but the computer reads a program for causing the computer to execute the method from a computer-readable recording medium and executes the program. Can also be realized.
  • the side channel information acquired from the encryption apparatus of tolerance evaluation object is shown.
  • a side channel information receiving unit that receives from the outside and takes in the side channel information
  • an analysis range setting unit that sets an analysis range that is a range to be analyzed from within the entire range of the side channel information
  • the analysis range setting unit A side channel attack resistance evaluation unit that determines whether or not the encryption device to be evaluated is resistant to a side channel attack using the side channel information within the analysis range set in step (b). Resistance evaluation device.
  • the side channel attack tolerance evaluation apparatus of Additional remark 1 WHEREIN It replaces with the said side channel information reception part, and is provided with the side channel information measurement part which measures the side channel information of the said encryption apparatus for evaluation. Side channel attack resistance evaluation device.
  • the analysis range setting unit performs analysis range setting again according to an evaluation result in the side channel attack resistance evaluation unit, and the side channel attack resistance A side channel attack resistance evaluation apparatus, wherein the evaluation unit performs side channel attack resistance evaluation again, and the second analysis range setting and the second side channel resistance evaluation are repeated.
  • the analysis range setting unit is configured to determine the second analysis range based on a peak in a key that has been successfully analyzed by the side channel attack resistance evaluation unit.
  • the analysis range setting unit includes the correct key and the other keys at the time of successful analysis among the evaluation results in the side channel attack resistance evaluation unit.
  • a side channel attack resistance evaluation apparatus wherein peaks in key candidates are compared and the analysis range is set again based on the comparison result.
  • the analysis range setting unit includes a correct key at the time of analysis failure and other than that in the evaluation result in the side channel attack resistance evaluation unit
  • a side-channel attack resistance evaluation apparatus characterized by comparing peaks in key candidates and setting the analysis range again based on the comparison result.
  • the analysis range setting unit divides the analysis range, and the side channel attack resistance evaluation unit divides the analysis range
  • the analysis range setting unit selects the analysis range to be divided again according to the evaluation result for each of the divided analysis ranges, and the analysis range is divided again.
  • a side channel attack resistance evaluation apparatus characterized by performing resistance evaluation for each analysis range and selecting the analysis range.
  • the side channel information acquired from the encryption apparatus of tolerance evaluation object is used.
  • a side channel information receiving step for receiving from the outside and capturing the side channel information; an analysis range setting step for setting an analysis range that is a range to be analyzed from within all the ranges of the side channel information; and the analysis range setting step
  • a side channel attack resistance evaluation step for determining whether or not the cryptographic apparatus to be evaluated is resistant to a side channel attack using the side channel information within the analysis range set in step (b). Resistance evaluation method.
  • the side channel attack resistance evaluation method according to supplementary note 9, further comprising a side channel information measurement step of measuring side channel information of the encryption device to be evaluated instead of the side channel information reception step. Side channel attack resistance evaluation method.
  • the analysis range setting step sets the analysis range again according to the evaluation result in the side channel attack resistance evaluation step, and again the side channel attack resistance
  • a side channel attack resistance evaluation method characterized by performing an evaluation and repeating the second analysis range setting and the second side channel resistance evaluation.
  • the second analysis range is determined based on a peak in the key that has been successfully analyzed in the side channel attack resistance evaluation step.
  • a side channel attack resistance evaluation method characterized by setting.
  • a side channel attack resistance evaluation method comprising: comparing peaks in key candidates and setting the analysis range again based on the comparison result.
  • a side channel attack resistance evaluation method comprising: comparing peaks in key candidates and setting the analysis range again based on the comparison result.
  • the analysis range is divided at the analysis range setting step, and the analysis range is divided at the side channel attack resistance evaluation step.
  • the evaluation is performed every time, the analysis range to be divided again is selected according to the evaluation result for each divided analysis range in the analysis range setting step, and the analysis range is divided again.
  • a side channel attack resistance evaluation method characterized by performing resistance evaluation for each analysis range and selecting the analysis range.
  • a side incorporated in a side channel attack resistance evaluation apparatus that evaluates resistance to side channel attacks for analyzing internal processing related to encryption of the encryption apparatus or analyzing confidential information using side channel information leaked from the encryption apparatus
  • the side channel information acquired from the cryptographic device of the resistance evaluation target is received from the outside, the side channel information reception unit that captures the side channel information, and the analysis target from all within the range of the side channel information
  • An analysis range setting unit that sets an analysis range that is a range to be analyzed, and whether or not the evaluation target encryption device is resistant to side channel attacks using side channel information within the analysis range set by the analysis range setting unit
  • a side channel comprising: a side channel attack resistance evaluation unit for determining Side channel attack resistance evaluation program for causing a computer to function as ⁇ evaluation device.
  • the side channel attack resistance evaluation device replaces the side channel information reception unit and measures the side channel information of the encryption device to be evaluated.
  • a side channel attack tolerance evaluation program comprising a channel information measurement unit.
  • the analysis range setting unit performs analysis range setting again according to the evaluation result in the side channel attack resistance evaluation unit, and the side channel attack resistance A side channel attack resistance evaluation program, wherein the evaluation unit performs side channel attack resistance evaluation again, and the second analysis range setting and the second side channel resistance evaluation are repeated.
  • the analysis range setting unit is configured to determine the second analysis range based on a peak in a key that has been successfully analyzed by the side channel attack resistance evaluation unit.
  • a side channel attack resistance evaluation program characterized by setting.
  • the analysis range setting unit includes the correct key and the other keys at the time of successful analysis among the evaluation results in the side channel attack tolerance evaluation unit.
  • a side-channel attack resistance evaluation program characterized by comparing peaks in key candidates and setting the analysis range again based on the comparison result.
  • the analysis range setting unit includes a correct key at the time of analysis failure and other than that in the evaluation result in the side channel attack tolerance evaluation unit
  • a side-channel attack resistance evaluation program characterized by comparing peaks in key candidates and setting the analysis range again based on the comparison result.
  • the analysis range setting unit divides the analysis range, and the side channel attack resistance evaluation unit divides the analysis range.
  • the analysis range setting unit selects the analysis range to be divided again according to the evaluation result for each of the divided analysis ranges, and the analysis range is divided again.
  • a side channel attack resistance evaluation program characterized by performing resistance evaluation for each analysis range and selecting the analysis range.

Abstract

A side channel attack resistance assessment device employs side channel information that leaks from an encryption device to assess the resistance of the encryption device to side channel attacks. The side channel attack resistance assessment device comprises a side channel information receiving unit that receives and captures side channel information, acquired from the encryption device to be assessed for resistance, from an external source; an analysis scope setting unit that sets the analysis scope, which is the scope that is the object of the analysis, from among the total scope of the side channel information; and a side channel attack resistance assessment unit, which employs the side channel information within the analysis scope thus set to determine whether the encryption device being assessed is resistant to side channel attacks.

Description

サイドチャネル攻撃耐性評価装置、サイドチャネル攻撃耐性評価方法及びそのプログラムSide channel attack resistance evaluation apparatus, side channel attack resistance evaluation method, and program thereof
 本発明は、サイドチャネル攻撃耐性評価装置、サイドチャネル攻撃耐性評価方法及びそのプログラムに関し、特に、暗号装置から漏洩するサイドチャネル情報を用いて、暗号装置のサイドチャネル攻撃への耐性を評価するサイドチャネル攻撃耐性評価装置、サイドチャネル攻撃耐性評価方法及びそのプログラムに関する。 The present invention relates to a side channel attack resistance evaluation apparatus, a side channel attack resistance evaluation method, and a program therefor, and more particularly, a side channel that evaluates resistance to a side channel attack of a cryptographic apparatus using side channel information leaked from the cryptographic apparatus. The present invention relates to an attack resistance evaluation apparatus, a side channel attack resistance evaluation method, and a program thereof.
 情報の電子データ化が進む中で、情報の保護、秘匿な通信、といった観点から暗号は欠かせない技術となっている。暗号はその安全性を保つために、鍵等の秘匿情報が容易に推測できないようにする必要がある。鍵の全数探索や数学的に解読を行う線形解読や差分解読等といった暗号解析方法が知られているが、現実的な時間での解析は不可能な状況といえる。 As information becomes electronic data, encryption is an indispensable technology from the viewpoint of information protection and confidential communication. In order to maintain the security of the cipher, it is necessary to prevent secret information such as a key from being easily guessed. Cryptanalysis methods such as full key search, mathematical cryptanalysis, differential cryptanalysis, and the like are known, but it can be said that analysis in real time is impossible.
 その一方で、暗号機能付きのICカードや携帯端末などの暗号を実装した装置において、攻撃者が処理時間や消費電力などのサイドチャネル情報を精密に測定できるとの仮定の下で、サイドチャネル情報から秘匿情報の取得を試みるサイドチャネル攻撃とその対策が大きな研究テーマとなっている。サイドチャネル情報には、攻撃対象である暗号装置内で実行されている処理やデータに関する情報が含まれており、サイドチャネル情報を解析することで、暗号アルゴリズム、処理タイミング、秘密鍵の推定が可能である。前記サイドチャネル攻撃の具体的な攻撃方法としては、処理時間に注目したタイミング攻撃(例えば非特許文献1参照)や消費電力に注目した電力解析(例えば非特許文献2参照)、漏洩電磁波に注目した電磁波解析(例えば非特許文献3参照)等が知られている。 On the other hand, side channel information under the assumption that attackers can accurately measure side channel information such as processing time and power consumption in devices such as IC cards with a cryptographic function and portable terminals. A side-channel attack that attempts to acquire confidential information from the Internet and its countermeasures are major research themes. The side channel information includes information related to the processing and data being executed in the cryptographic device that is the target of attack. By analyzing the side channel information, the cryptographic algorithm, processing timing, and secret key can be estimated. It is. As a specific attack method of the side channel attack, a timing attack focusing on processing time (for example, refer to Non-Patent Document 1), a power analysis focusing on power consumption (for example, refer to Non-Patent Document 2), and a leakage electromagnetic wave. An electromagnetic wave analysis (see, for example, Non-Patent Document 3) is known.
 電力解析の一手法として、Kocher氏らは非特許文献2において差分電力解析(DPA:Differential Power Analysis)を提案した。DPAではまず、大量のサイドチャネル情報を測定し、取得した大量の測定波形に対して統計処理を行う。統計処理を行う際に、秘密鍵を仮定して処理を行うが、この仮定が正解であれば統計処理を行った後の波形において、秘密鍵と関連している箇所の特徴としてピークが出現する。一方、仮定が不正解であれば、統計処理を行った後の波形において、ピークは出現しない。このピークを見ることによって、秘密鍵を解析するのがDPAである。DPAでは、大量のサイドチャネル情報に対して統計処理をすることにより、波形に含まれるノイズなどの余分な情報の影響を排除することにより攻撃の精度を高めている。さらに、攻撃の精度を上げる方法として、相関電力解析(CPA:Correlation Power Analysis)等DPAから派生した方法が複数提案されている(例えば非特許文献4参照)。 As a method of power analysis, Kocher et al. Proposed Non-Patent Document 2 for differential power analysis (DPA: Differential Power Analysis). In DPA, first, a large amount of side channel information is measured, and statistical processing is performed on the acquired large amount of measurement waveforms. When performing statistical processing, processing is performed assuming a secret key. If this assumption is correct, a peak appears as a feature of the location related to the secret key in the waveform after statistical processing. . On the other hand, if the assumption is incorrect, no peak appears in the waveform after statistical processing. It is DPA that analyzes the secret key by seeing this peak. In DPA, the accuracy of an attack is improved by performing statistical processing on a large amount of side channel information to eliminate the influence of extra information such as noise included in the waveform. Furthermore, as a method for improving the accuracy of the attack, a plurality of methods derived from DPA such as correlation power analysis (CPA: Correlation Power Analysis) have been proposed (for example, see Non-Patent Document 4).
 暗号を実装した装置においては、実用上、サイドチャネル攻撃に対する攻撃耐性(以下、適宜「耐タンパ性」と呼ぶ。)が求められる。そのため、サイドチャネル情報から暗号アルゴリズムなどの秘匿情報の推定を困難にする耐タンパ技術の研究がすすめられている。ここで、耐タンパ性とは攻撃に対して、秘匿情報の漏洩や機能の改変を防ぐ性能のことである。 In an apparatus equipped with encryption, practically, resistance against side channel attacks (hereinafter referred to as “tamper resistance” as appropriate) is required. For this reason, research on tamper resistance technology that makes it difficult to estimate secret information such as encryption algorithms from side channel information has been promoted. Here, tamper resistance refers to the performance of preventing leakage of confidential information and modification of functions against attacks.
 耐タンパ技術として、恣意的にサイドチャネル情報に不要な情報を付加することで、サイドチャネル情報から秘匿情報の漏洩を防ぐ耐タンパ手法(特許文献1参照)等が提案されている。ここで、上記のような耐タンパ手法を適用することで実際にサイドチャネル攻撃への耐性が向上しているか、耐タンパ手法の有効性を評価する必要がある。 As a tamper resistant technique, a tamper resistant technique (see Patent Document 1) for preventing leakage of confidential information from side channel information by arbitrarily adding unnecessary information to the side channel information has been proposed. Here, it is necessary to evaluate the effectiveness of the tamper-resistant technique as to whether the resistance to side channel attacks is actually improved by applying the tamper-resistant technique as described above.
 また、実装された暗号装置が本当に安全なのか確認するため、サイドチャネル攻撃に対する耐性を評価する技術が求められている(例えば非特許文献5参照)。 Also, in order to confirm whether the installed cryptographic device is really safe, a technique for evaluating the resistance against side channel attacks is required (see, for example, Non-Patent Document 5).
特開2007-116215号公報JP 2007-116215 A
 上述のように、例えば非特許文献5に記載の技術を用いることによりサイドチャネル攻撃に対する耐性を評価することが可能となる。 As described above, for example, by using the technique described in Non-Patent Document 5, it is possible to evaluate resistance to side channel attacks.
 しかしながら、評価する際に、波形の処理範囲が広すぎることが原因で、解析に失敗することがある。例えば、DPAにおいて、秘密鍵と関連していない箇所を処理範囲とすることによって、不正解鍵を仮定したときに、秘密鍵と関連していない箇所において特徴が現れてしまい、解析に失敗する場合がある。その結果、実際には耐性が低いにもかかわらず、耐性があると誤判定することがある。よって、耐性評価の精度を高めるためには、サイドチャネル攻撃耐性評価において余分な部分を処理しないことが求められる。 However, in the evaluation, the analysis may fail due to the waveform processing range being too wide. For example, in DPA, when an illegal key is assumed by setting a part not related to the secret key as a processing range, a feature appears in a part not related to the secret key and the analysis fails. There is. As a result, it may be erroneously determined that there is resistance even though the resistance is actually low. Therefore, in order to increase the accuracy of resistance evaluation, it is required not to process an extra portion in the side channel attack resistance evaluation.
 そこで、本発明は、サイドチャネル情報上の不要な情報による耐性評価の精度低下を抑制し、暗号機器に対するサイドチャネル攻撃の可否を高精度で評価可能な、サイドチャネル攻撃耐性評価装置、サイドチャネル攻撃耐性評価方法及びそのプログラムを提供することを目的とする。 Therefore, the present invention suppresses a reduction in accuracy of resistance evaluation due to unnecessary information on side channel information, and can evaluate a side channel attack resistance against a cryptographic device with high accuracy. It is an object to provide a resistance evaluation method and a program thereof.
 本発明の第1の観点によれば、暗号装置から漏洩するサイドチャネル情報を用いて、前記暗号装置のサイドチャネル攻撃への耐性を評価するサイドチャネル攻撃耐性評価装置において、耐性評価対象の暗号装置から取得したサイドチャネル情報を外部から受け付け、当該サイドチャネル情報を取り込むサイドチャネル情報受付部と、前記サイドチャネル情報の全ての範囲内から解析対象とする範囲である解析範囲を設定する解析範囲設定部と、前記解析範囲設定部で設定された前記解析範囲内のサイドチャネル情報を用いて評価対象の暗号装置のサイドチャネル攻撃への耐性の可否を判定するサイドチャネル攻撃耐性評価部と、を備えることを特徴とするサイドチャネル攻撃耐性評価装置が提供される。 According to the first aspect of the present invention, in the side channel attack resistance evaluation device that evaluates the resistance of the encryption device to a side channel attack using the side channel information leaked from the encryption device, the encryption device subject to resistance evaluation The side channel information receiving unit that receives the side channel information acquired from the outside and takes in the side channel information, and the analysis range setting unit that sets the analysis range that is the range to be analyzed from within the entire range of the side channel information And a side channel attack resistance evaluation unit that determines whether or not the cryptographic device to be evaluated is resistant to a side channel attack using the side channel information within the analysis range set by the analysis range setting unit. A side channel attack resistance evaluation apparatus characterized by the above is provided.
 本発明の第2の観点によれば、暗号装置から漏洩するサイドチャネル情報を用いて、前記暗号装置のサイドチャネル攻撃への耐性を評価するサイドチャネル攻撃耐性評価方法において、耐性評価対象の暗号装置から取得したサイドチャネル情報を外部から受け付け、当該サイドチャネル情報を取り込むサイドチャネル情報受付ステップと、前記サイドチャネル情報の全ての範囲内から解析対象とする範囲である解析範囲を設定する解析範囲設定ステップと、前記解析範囲設定ステップで設定された前記解析範囲内のサイドチャネル情報を用いて評価対象の暗号装置のサイドチャネル攻撃への耐性の可否を判定するサイドチャネル攻撃耐性評価ステップと、を備えることを特徴とするサイドチャネル攻撃耐性評価方法が提供される。 According to a second aspect of the present invention, in the side channel attack resistance evaluation method for evaluating the resistance of the cryptographic device to a side channel attack using the side channel information leaked from the cryptographic device, the cryptographic device subject to resistance evaluation Side channel information receiving step for receiving the side channel information acquired from the outside and taking in the side channel information, and an analysis range setting step for setting an analysis range which is a range to be analyzed from within all the ranges of the side channel information And a side channel attack resistance evaluation step for determining whether or not the cryptographic device to be evaluated is resistant to a side channel attack using the side channel information within the analysis range set in the analysis range setting step. A side channel attack resistance evaluation method is provided.
 本発明の第3の観点によれば、暗号装置から漏洩するサイドチャネル情報を用いて、前記暗号装置のサイドチャネル攻撃への耐性を評価するサイドチャネル攻撃耐性評価装置に組み込まれるサイドチャネル攻撃耐性評価プログラムにおいて、耐性評価対象の暗号装置から取得したサイドチャネル情報を外部から受け付け、当該サイドチャネル情報を取り込むサイドチャネル情報受付部と、前記サイドチャネル情報の全ての範囲内から解析対象とする範囲である解析範囲を設定する解析範囲設定部と、前記解析範囲設定部で設定された前記解析範囲内のサイドチャネル情報を用いて評価対象の暗号装置のサイドチャネル攻撃への耐性の可否を判定するサイドチャネル攻撃耐性評価部と、を備えるサイドチャネル攻撃耐性評価装置としてコンピュータを機能させることを特徴とするサイドチャネル攻撃耐性評価プログラムが提供される。 According to the third aspect of the present invention, the side channel attack resistance evaluation incorporated in the side channel attack resistance evaluation device that evaluates the resistance of the encryption device to the side channel attack using the side channel information leaked from the encryption device. In the program, the side channel information acquired from the cryptographic device subject to tolerance evaluation is received from the outside, and the side channel information receiving unit that takes in the side channel information, and the range to be analyzed from within the entire range of the side channel information An analysis range setting unit that sets an analysis range, and a side channel that determines whether the evaluation target encryption device is resistant to a side channel attack using side channel information within the analysis range set by the analysis range setting unit A side channel attack resistance evaluation device comprising an attack resistance evaluation unit. Side channel attack resistance evaluation program for causing to function over data is provided.
 本発明によれば、解析範囲を設定して耐性評価に用いるサイドチャネル情報を絞り込むことで、余分な範囲まで評価に用いることで発生してしまう誤った評価を行う可能性を抑制できることから、評価対象のサイドチャネル攻撃耐性の評価精度の向上を図ることが可能となる。 According to the present invention, by setting the analysis range and narrowing down the side channel information used for the tolerance evaluation, it is possible to suppress the possibility of performing an erroneous evaluation that occurs by using the evaluation up to an extra range. It becomes possible to improve the evaluation accuracy of the target side channel attack resistance.
本発明の第1の実施形態に係るサイドチャネル攻撃耐性評価装置の構成を表すブロック図である。It is a block diagram showing the structure of the side channel attack tolerance evaluation apparatus which concerns on the 1st Embodiment of this invention. 本発明の第1の実施形態に係るサイドチャネル攻撃耐性判定装置の動作を示したフローチャートである。It is the flowchart which showed operation | movement of the side channel attack tolerance determination apparatus which concerns on the 1st Embodiment of this invention. 本発明の第2の実施形態に係るサイドチャネル攻撃耐性判定装置の構成を表すブロック図である。It is a block diagram showing the structure of the side channel attack tolerance determination apparatus which concerns on the 2nd Embodiment of this invention. 本発明の第2の実施形態に係るサイドチャネル攻撃耐性判定装置の動作を示したフローチャートである。It is the flowchart which showed operation | movement of the side channel attack tolerance determination apparatus which concerns on the 2nd Embodiment of this invention. 本発明の第3の実施形態に係るサイドチャネル攻撃耐性判定装置の動作を示したフローチャートである。It is the flowchart which showed operation | movement of the side channel attack tolerance determination apparatus which concerns on the 3rd Embodiment of this invention. 差分電力解析(DPA)のピーク検出手段を示したフローチャートである。It is the flowchart which showed the peak detection means of the difference electric power analysis (DPA). 本発明の第4の実施形態に係るサイドチャネル攻撃耐性判定装置の動作を示したフローチャートである。It is the flowchart which showed operation | movement of the side channel attack tolerance determination apparatus which concerns on the 4th Embodiment of this invention. 本発明の第4の実施形態に係るサイドチャネル攻撃耐性判定装置の動作を示したフローチャート(解析失敗時に事前に決められた基準に基づいて解析範囲を設定)である。It is the flowchart which showed operation | movement of the side channel attack tolerance determination apparatus which concerns on the 4th Embodiment of this invention (an analysis range is set based on the reference | standard decided beforehand at the time of an analysis failure). 本発明の第5の実施形態に係るサイドチャネル攻撃耐性判定装置の動作を示したフローチャートである。It is the flowchart which showed operation | movement of the side channel attack tolerance determination apparatus which concerns on the 5th Embodiment of this invention. 本発明の第6の実施形態に係るサイドチャネル攻撃耐性判定装置の動作を示したフローチャートである。It is the flowchart which showed operation | movement of the side channel attack tolerance determination apparatus which concerns on the 6th Embodiment of this invention. 本発明の第7の実施形態に係るサイドチャネル攻撃耐性判定装置の動作を示したフローチャートである。It is the flowchart which showed operation | movement of the side channel attack tolerance determination apparatus which concerns on the 7th Embodiment of this invention. DES暗号処理時の電磁波測定波形である。It is an electromagnetic wave measurement waveform at the time of DES encryption processing. DES暗号処理時の電磁波測定波形において、設定された解析範囲を示した図である。It is the figure which showed the analysis range set in the electromagnetic wave measurement waveform at the time of DES encryption processing. DES暗号処理時の電磁波測定波形において、設定された解析範囲部分を抜き出した図である。It is the figure which extracted the set analysis range part in the electromagnetic wave measurement waveform at the time of DES encryption processing. 実施例1において、最初に耐性評価を実施した時の解析結果を示した表を表す図である。In Example 1, it is a figure showing the table | surface which showed the analysis result when tolerance evaluation was implemented initially. 実施例1において、解析範囲を設定した後に耐性評価を実施した時の解析結果を示した表を表す図である。In Example 1, it is a figure showing the table | surface which showed the analysis result when tolerance evaluation was implemented after setting the analysis range.
 以下、本発明に係るサイドチャネル攻撃耐性評価装置、サイドチャネル攻撃耐性評価方法及びそのプログラムの実施形態について、図面を参照して詳細に説明する。 Hereinafter, embodiments of a side channel attack resistance evaluation apparatus, a side channel attack resistance evaluation method, and a program thereof according to the present invention will be described in detail with reference to the drawings.
 まず、本発明の実施形態の概略を説明する。本実施形態は、概略、評価対象の暗号装置と、暗号装置のサイドチャネル情報を測定するサイドチャネル情報測定装置と、サイドチャネル情報測定装置で測定されたサイドチャネル情報を用いて暗号装置のサイドチャネル耐性評価、すなわち暗号装置の暗号化に関する内部処理や秘匿情報を解析するサイドチャネル攻撃への耐性を評価するサイドチャネル攻撃耐性評価装置とを有している。 First, an outline of an embodiment of the present invention will be described. The present embodiment generally includes an encryption device to be evaluated, a side channel information measurement device that measures side channel information of the encryption device, and a side channel of the encryption device using the side channel information measured by the side channel information measurement device. A side channel attack resistance evaluation device that evaluates resistance against side channel attacks that analyze internal processing related to encryption of the encryption device and confidential information;
 サイドチャネル攻撃耐性評価装置は、サイドチャネル情報測定装置により測定されたサイドチャネル情報をサイドチャネル攻撃耐性評価装置に入力するサイドチャネル情報入力部と、サイドチャネル情報入力部から入力されたサイドチャネル情報に対して、耐性評価における解析範囲を設定する解析範囲設定部と、解析範囲設定部で設定された範囲内のサイドチャネル情報を用いて前記暗号装置のサイドチャネル耐性評価を行うサイドチャネル攻撃耐性評価部とを有している。 The side channel attack resistance evaluation device includes a side channel information input unit that inputs side channel information measured by the side channel information measurement device to the side channel attack resistance evaluation device, and side channel information input from the side channel information input unit. On the other hand, an analysis range setting unit that sets an analysis range in resistance evaluation, and a side channel attack resistance evaluation unit that performs side channel resistance evaluation of the cryptographic device using side channel information within the range set by the analysis range setting unit And have.
 [第1の実施形態]
 図1は、本発明の第1の実施形態であるサイドチャネル攻撃耐性評価装置300の概略構成及びその他の装置について表したブロック図である。 [First Embodiment]
FIG. 1 is a block diagram illustrating a schematic configuration of a side channel attack resistance evaluation apparatus 300 and other apparatuses according to the first embodiment of the present invention.
 図1を参照すると、本実施形態は、暗号装置100、サイドチャネル情報測定装置200及びサイドチャネル攻撃耐性評価装置300を有する。 Referring to FIG. 1, the present embodiment includes an encryption device 100, a side channel information measurement device 200, and a side channel attack resistance evaluation device 300.
 暗号装置100は、平文に対する暗号化や暗号文に対する復号化等の処理(以下、これらの処理を総称して「暗復号処理」と呼ぶ。)を行う装置である。暗号装置100としては、暗復号処理を実行可能な種々の情報処理装置を採用することが可能である。採用可能な装置としては、パーソナルコンピュータ(PC)、携帯電話機等の携帯端末、接触型および非接触型のICカード、リーダライタ等が例示できる。 The encryption device 100 is a device that performs processing such as encryption on plaintext and decryption on ciphertext (hereinafter, these processes are collectively referred to as “encryption / decryption processing”). As the encryption device 100, various information processing devices capable of executing encryption / decryption processing can be employed. Examples of devices that can be employed include personal computers (PCs), portable terminals such as cellular phones, contact-type and non-contact-type IC cards, and reader / writers.
 サイドチャネル情報測定装置200は、暗号装置100が暗復号処理を実施する際に漏洩するサイドチャネル情報を測定する装置である。測定対象とするサイドチャネル情報としては、暗号装置において内部の処理に影響を受ける種々の情報が考えられる。具体的には、電力、電磁波、音、温度等が例示できる。 The side channel information measuring device 200 is a device that measures side channel information leaked when the encryption device 100 performs encryption / decryption processing. As the side channel information to be measured, various kinds of information affected by internal processing in the encryption apparatus can be considered. Specifically, power, electromagnetic waves, sound, temperature and the like can be exemplified.
 もしも、電磁波をサイドチャネル情報として用いるのであれば、サイドチャネル情報測定装置200は、オシロスコープやスペクトラムアナライザ等を採用することが可能である。 If an electromagnetic wave is used as side channel information, the side channel information measuring apparatus 200 can employ an oscilloscope, a spectrum analyzer, or the like.
 サイドチャネル攻撃耐性評価装置300は、サイドチャネル情報測定装置200から得られるサイドチャネル情報を用いて、評価対象の暗号装置である暗号装置100のサイドチャネル攻撃に対する耐性を評価する装置である。 The side channel attack resistance evaluation apparatus 300 is an apparatus that uses the side channel information obtained from the side channel information measurement apparatus 200 to evaluate the resistance against the side channel attack of the encryption apparatus 100 that is the evaluation target encryption apparatus.
 サイドチャネル攻撃耐性評価装置300は、サイドチャネル情報受付部301と、解析範囲設定部302と、サイドチャネル攻撃耐性評価部303を有している。 The side channel attack resistance evaluation apparatus 300 includes a side channel information reception unit 301, an analysis range setting unit 302, and a side channel attack resistance evaluation unit 303.
 サイドチャネル情報受付部301は、サイドチャネル情報測定装置200で測定されたサイドチャネル情報をサイドチャネル攻撃耐性評価装置300に取り込む機能を有する。なお、サイドチャネル情報受付部301が具体的にどのような方法によりサイドチャネル情報を取り込むのかは本実施形態の要旨ではない。そのため、任意の方法を用いて取り込むことが可能である。取り込む方法としては、例えば、サイドチャネル情報測定装置200からUSB(Universal Serial Bus)やRS-232C(Recommended Standard 232 version C)、IEEE1394(Institute of Electrical and Electronic Engineers 1394)、SCSI(Small Computer System Interface)等の規格に準拠したケーブルを経由して取り込む方法、赤外線や電波などの電磁波を受信して取り込む方法、ハードディスク、CD(Compact Disc)やDVD(Digital Versatile Disc)、ブルーレイディスク、フロッピー(登録商標)ディスク、磁気テープ、フラッシュメモリなどの記録媒体から読み込んで取り込む方法などが挙げられる。 The side channel information receiving unit 301 has a function of taking side channel information measured by the side channel information measuring apparatus 200 into the side channel attack resistance evaluating apparatus 300. Note that it is not the gist of the present embodiment how the side channel information receiving unit 301 specifically captures the side channel information. Therefore, it is possible to capture using any method. For example, USB (Universal Serial Bus), RS-232C (Recommended Standard 232 version C), IEEE 1394 (Institute of Electrical and Electronic Electronics Engineers 1394), SCSI (Small Computer System Interface) can be used. Importing via cables compliant with standards such as, receiving and capturing electromagnetic waves such as infrared rays and radio waves, hard disk, CD (Compact Disc) and DVD (Digital Versatile Disc), Blu-ray Disc, floppy (registered trademark) For example, a method of reading from a recording medium such as a disk, a magnetic tape, or a flash memory and taking it in can be used.
 解析範囲設定部302は、サイドチャネル攻撃耐性評価部303で用いるサイドチャネル情報の解析範囲の設定を行う。具体的な解析範囲の設定方法としては、以下に記載する4つの方法が例示できる。 The analysis range setting unit 302 sets the analysis range of the side channel information used by the side channel attack resistance evaluation unit 303. As specific analysis range setting methods, the following four methods can be exemplified.
 具体的な解析範囲の設定方法の1つ目として、外部からの入力に基づいて解析範囲を設定する方法が挙げられる。この方法では、外部からの入力が検出された時点を基準として解析範囲を設定することとなる。検出した時点を解析範囲の始点としたり、終点としたり、または解析範囲の中心点として解析範囲を設定したり、検出した時点から一定ポイント前もしくは後ろのポイントを解析範囲の始点や終点、中心点とする設定方法などが考えられる。 The first method for setting the analysis range is to set the analysis range based on external input. In this method, the analysis range is set with reference to the point in time when the input from the outside is detected. Set the analysis range as the start point or end point of the analysis range, set the analysis range as the center point of the analysis range, or set the point before or after a certain point from the detection point as the start point, end point, or center point of the analysis range A setting method can be considered.
 具体的な解析範囲の設定方法の2つ目として、入力されたサイドチャネル情報に基づいて解析範囲を設定する方法が挙げられる。この方法では、例えばサイドチャネル情報の立ち上がりや立下り、スパイクなどを事前に決められたパラメータに基づいて検出する。そして、検出した位置を基準に解析範囲を設定することとなる。この方法でも、検出した位置を基準として、1つ目の方法と同様に、解析範囲の始点や終点などを設定する方法が考えられる。 The second method of setting the specific analysis range is a method of setting the analysis range based on the input side channel information. In this method, for example, rising and falling of side channel information, spikes, and the like are detected based on predetermined parameters. Then, the analysis range is set based on the detected position. In this method as well, a method of setting the start point, end point, etc. of the analysis range can be considered as in the first method with the detected position as a reference.
 具体的な解析範囲の設定方法の3つ目として、入力されたサイドチャネル情報に対して、基準情報との相関の算出、マッチングなどの演算を行い、その演算結果に基づいて解析範囲を設定する方法が挙げられる。こちらの方法では、高い相関が得られた箇所やマッチングでもっとも類似度が高かった箇所を基準として1つ目の方法と同様に解析範囲の始点などを決める方法が考えられる。 As a third method for setting the analysis range, the input side channel information is subjected to calculations such as correlation and matching with reference information, and the analysis range is set based on the calculation result. A method is mentioned. In this method, there can be considered a method of determining the starting point of the analysis range in the same manner as the first method, based on a location where a high correlation is obtained or a location where the similarity is the highest in matching.
 具体的な解析範囲の設定方法の4つ目として、一度、サイドチャネル情報全体、もしくは適当に設定した解析範囲内のサイドチャネル情報を使ってサイドチャネル攻撃耐性評価を実施し、その結果に基づいて解析範囲を設定する方法が挙げられる。なお、上述した4つの方法はあくまで例として示したに過ぎない。これら4つの方法以外の方法を用いることも可能である。 The fourth method of setting the specific analysis range is to conduct side channel attack resistance evaluation using the entire side channel information or side channel information within the analysis range set appropriately, and based on the results. A method for setting the analysis range can be mentioned. Note that the four methods described above are merely examples. It is also possible to use methods other than these four methods.
 サイドチャネル攻撃耐性評価部303は、解析範囲設定部302で設定された範囲内のサイドチャネル情報を用いて、暗号装置100のサイドチャネル攻撃への耐性評価を実施する。評価方法として、解析範囲内のサイドチャネル情報に対してサイドチャネル攻撃を行い、攻撃が成功するか否かの判定結果を利用する方法や、基準波形との相関や距離、および類似度を利用する方法等があげられる。なお、サイドチャネル攻撃の方法としては、タイミング攻撃、電磁波解析、単純電力解析、差分電力解析、故障利用攻撃、キャッシュ攻撃、音響解析攻撃等が例示できる。また、耐性評価において、複数のサイドチャネル情報を必要とする場合には、サイドチャネル情報受付部301での入力、および解析範囲設定部302での処理を複数回行うことで、複数のサイドチャネル情報を取得することが可能である。または、2波形目以降は解析範囲設定部302で設定された範囲のみを繰り返しサイドチャネル情報受付部301で入力することで、複数のサイドチャネル情報を取得可能となる。また、解析範囲設定部302が解析範囲を耐性評価の結果に応じて変動させる機能を有している場合は、サイドチャネル攻撃の耐性評価の内容(耐性の有無、解析時のピークの出現箇所やピークの値、相関値、距離、類似度等)を解析範囲設定部302に伝播する手段を有する。 The side channel attack resistance evaluation unit 303 uses the side channel information within the range set by the analysis range setting unit 302 to perform an evaluation of the encryption device 100 against a side channel attack. As an evaluation method, a side channel attack is performed on the side channel information within the analysis range, and the result of determining whether or not the attack is successful, the correlation with the reference waveform, distance, and similarity are used. Methods and the like. Examples of the side channel attack method include timing attack, electromagnetic wave analysis, simple power analysis, differential power analysis, failure use attack, cache attack, acoustic analysis attack, and the like. Further, in the tolerance evaluation, when a plurality of side channel information is required, the input in the side channel information receiving unit 301 and the processing in the analysis range setting unit 302 are performed a plurality of times, whereby a plurality of side channel information is obtained. Is possible to get. Alternatively, for the second and subsequent waveforms, only the range set by the analysis range setting unit 302 is repeatedly input by the side channel information receiving unit 301, whereby a plurality of side channel information can be acquired. In addition, when the analysis range setting unit 302 has a function of changing the analysis range according to the result of the resistance evaluation, the content of the resistance evaluation of the side channel attack (the presence / absence of resistance, the location of the peak at the time of analysis, A means for propagating the peak value, correlation value, distance, similarity, etc.) to the analysis range setting unit 302.
 上述のように構成されたサイドチャネル攻撃耐性評価装置において、最後に、設定された解析範囲内のサイドチャネル情報を用いて、サイドチャネル攻撃耐性評価部303にて暗号装置100のサイドチャネル攻撃への耐性評価を実施する。なお、図1中で「S1」及び「S2」は「サイドチャネル情報」を表すものとする。また、図1中で「S3」は「解析範囲設定済みサイドチャネル情報」を表すものとする。更に、図1中で「S4」は「サイドチャネル情報耐性評価結果情報」を表すものとする。また、サイドチャネル攻撃耐性評価部303から解析範囲設定部302への接続は動作例によっては必ずしも必要ではない。この接続及び「S4」を省略することも可能である。 In the side channel attack resistance evaluation device configured as described above, finally, the side channel attack resistance evaluation unit 303 uses the side channel information within the set analysis range to attack the side channel attack of the encryption device 100. Perform resistance assessment. In FIG. 1, “S1” and “S2” represent “side channel information”. In FIG. 1, “S3” represents “analysis range-set side channel information”. Furthermore, “S4” in FIG. 1 represents “side channel information tolerance evaluation result information”. Further, the connection from the side channel attack resistance evaluation unit 303 to the analysis range setting unit 302 is not always necessary depending on the operation example. It is also possible to omit this connection and “S4”.
 次に、本実施形態における動作例について説明する。図2は、本実施形態におけるサイドチャネル攻撃耐性評価装置300の動作例を表すフローチャートである。 Next, an operation example in this embodiment will be described. FIG. 2 is a flowchart showing an operation example of the side channel attack resistance evaluation apparatus 300 in the present embodiment.
 動作例においては、解析範囲設定部302にて、サイドチャネル情報受付部301から入力したサイドチャネル情報に対して解析範囲を設定し、サイドチャネル攻撃耐性評価部303にて、設定された解析範囲内のサイドチャネル情報を用いて暗号装置100のサイドチャネル攻撃耐性評価を実施する。 In the operation example, the analysis range setting unit 302 sets an analysis range for the side channel information input from the side channel information receiving unit 301, and the side channel attack resistance evaluation unit 303 within the set analysis range. The side channel attack resistance evaluation of the cryptographic device 100 is performed using the side channel information.
 まず、評価処理が開始されると、サイドチャネル情報受付部301が、サイドチャネル情報を受け付け、受け付けたサイドチャネル情報を取り込む(ステップA1)。 First, when the evaluation process is started, the side channel information receiving unit 301 receives the side channel information and takes in the received side channel information (step A1).
 サイドチャネル情報の取り込みが終了すると、解析範囲設定部302が、入力されたサイドチャネル情報を事前に決められた基準に基づいて、サイドチャネル攻撃耐性評価部303で用いるサイドチャネル情報の解析範囲を設定する(ステップA2)。 When the capturing of the side channel information is completed, the analysis range setting unit 302 sets the analysis range of the side channel information used by the side channel attack resistance evaluation unit 303 based on the input side channel information based on a predetermined criterion. (Step A2).
 サイドチャネル攻撃耐性評価部303は、解析範囲設定部302で設定された解析範囲内のサイドチャネル情報を用いてサイドチャネル攻撃耐性評価を実施し、評価を終了する(ステップA3)。 The side channel attack resistance evaluation unit 303 performs side channel attack resistance evaluation using the side channel information within the analysis range set by the analysis range setting unit 302, and ends the evaluation (step A3).
 以上のような方法を用いて、解析範囲を設定し、耐性評価に用いるサイドチャネル情報を絞り込むことで、余分な範囲まで評価に用いることで発生してしまう誤った評価を行う可能性を抑制できる。そして、このように誤った評価を行う可能性を抑制できることから、暗号装置機器(暗号装置100)に対して高い精度でサイドチャネル攻撃耐性を評価することが可能となる。 By using the method as described above, setting the analysis range and narrowing down the side channel information used for tolerance evaluation can suppress the possibility of erroneous evaluation that would occur due to use of the extra range for evaluation. . Since the possibility of performing erroneous evaluation in this way can be suppressed, it is possible to evaluate the side channel attack resistance with high accuracy against the cryptographic device (cryptographic device 100).
 また、解析範囲を絞り込むことにより、評価に要する時間を抑制することができる。一方、同一の時間でより大量の情報を評価に使えるようになるため、評価精度の向上につながる。 Also, the time required for evaluation can be reduced by narrowing down the analysis range. On the other hand, since a larger amount of information can be used for evaluation in the same time, the evaluation accuracy is improved.
 [第2の実施形態]
 続いて、本発明の第2の実施形態の構成例について説明する。図3は、本実施形態における構成例を示したブロック図である。 [Second Embodiment]
Next, a configuration example of the second embodiment of the present invention will be described. FIG. 3 is a block diagram showing a configuration example in the present embodiment.
 第1の実施形態の構成例との相違点は、サイドチャネル攻撃耐性評価装置310が、サイドチャネル受付部301の代わりにサイドチャネル情報測定部304を有している点と、外部のサイドチャネル情報測定装置200が不要となっている点である。 The difference from the configuration example of the first embodiment is that the side channel attack resistance evaluation device 310 has a side channel information measurement unit 304 instead of the side channel reception unit 301 and external side channel information. The measuring device 200 is unnecessary.
 サイドチャネル情報測定部304は、サイドチャネル情報測定装置200と同様に、暗号装置100が暗復号処理を実施する際に漏洩するサイドチャネル情報を測定する機能を有する。測定の対象として、例えば、電力、電磁波、音、温度等が挙げられる。なお、図1と同様に、図3中で「S2」は「サイドチャネル情報」を表すものとする。また、図3中で「S3」は「解析範囲設定済みサイドチャネル情報」を表すものとする。更に、図3中で「S4」は「サイドチャネル情報耐性評価結果情報」を表すものとする。また、サイドチャネル攻撃耐性評価部303から解析範囲設定部302への接続は動作例によっては必ずしも必要ではない。この接続及び「S4」を省略することも可能である。 The side channel information measurement unit 304 has a function of measuring side channel information leaked when the encryption device 100 performs the encryption / decryption processing, similarly to the side channel information measurement device 200. Examples of the measurement target include power, electromagnetic waves, sound, temperature, and the like. As in FIG. 1, “S2” in FIG. 3 represents “side channel information”. In FIG. 3, “S3” represents “analysis range set side channel information”. Further, “S4” in FIG. 3 represents “side channel information tolerance evaluation result information”. Further, the connection from the side channel attack resistance evaluation unit 303 to the analysis range setting unit 302 is not always necessary depending on the operation example. It is also possible to omit this connection and “S4”.
 図4は、本実施形態におけるサイドチャネル攻撃耐性評価装置310の動作例を表すフローチャートである。 FIG. 4 is a flowchart showing an operation example of the side channel attack resistance evaluation apparatus 310 in the present embodiment.
 第1の実施形態の動作例との相違点は、評価開始時のサイドチャネル情報の入力において、サイドチャネル測定部304が暗号装置100からサイドチャネル情報を測定することによって、サイドチャネル情報がサイドチャネル攻撃耐性評価装置310へ取り込まれる点である(ステップA1-1)。サイドチャネル情報入力後の動作の流れは第1の実施形態と同様である(ステップA2、A3)。 The difference from the operation example of the first embodiment is that when the side channel information is input at the start of evaluation, the side channel measurement unit 304 measures the side channel information from the encryption device 100, so that the side channel information is changed to the side channel information. This is a point that is taken into the attack resistance evaluation device 310 (step A1-1). The flow of operation after inputting the side channel information is the same as that in the first embodiment (steps A2 and A3).
 本実施形態では、サイドチャネル情報測定部304をサイドチャネル攻撃耐性評価装置310に組み込むことで、暗号装置100から直接サイドチャネル情報を取り込むことができる。よってサイドチャネル情報測定装置200が存在しない環境下においてもサイドチャネル攻撃耐性評価を実施することが可能となる。 In this embodiment, by incorporating the side channel information measurement unit 304 into the side channel attack resistance evaluation device 310, the side channel information can be directly captured from the encryption device 100. Therefore, it is possible to perform side channel attack resistance evaluation even in an environment where the side channel information measuring apparatus 200 does not exist.
 [第3の実施形態]
 続いて、本発明の第3の実施形態について説明する。本実施形態は、一度サイドチャネル情報の全体、若しくは、予め設定した解析範囲内、のサイドチャネル情報を使ってサイドチャネル攻撃耐性評価を実施する。また、その評価結果に基づいて解析範囲を再設定し、再びサイドチャネル攻撃耐性を評価する。さらに、評価結果に基づいて解析範囲の設定と耐性評価を繰り返すという動作をする。 [Third Embodiment]
Subsequently, a third embodiment of the present invention will be described. In the present embodiment, side channel attack resistance evaluation is performed using the entire side channel information or side channel information within a preset analysis range. Also, the analysis range is reset based on the evaluation result, and the side channel attack resistance is evaluated again. Further, the operation of setting the analysis range and evaluating the tolerance is repeated based on the evaluation result.
 図5は、本実施形態におけるサイドチャネル攻撃耐性評価装置300のフローチャートである。 FIG. 5 is a flowchart of the side channel attack resistance evaluation apparatus 300 in this embodiment.
 第1の実施形態との相違点は、耐性評価及び解析範囲設定を繰り返す点である。 The difference from the first embodiment is that resistance evaluation and analysis range setting are repeated.
 具体的には、サイドチャネル情報受付部301がサイドチャネル情報を取り込んだ後(ステップA1)に、まずサイドチャネル攻撃耐性評価部303がサイドチャネル攻撃耐性の評価を行う(ステップA3)。そして、ステップA3における評価結果に応じて解析範囲設定部302が解析範囲を設定(ステップA2-1)する。そして、再びサイドチャネル攻撃耐性評価部303における耐性評価および解析範囲設定部302における解析範囲設定を繰り返す(ステップA3、ステップA2-1)。 Specifically, after the side channel information receiving unit 301 takes in the side channel information (step A1), the side channel attack resistance evaluation unit 303 first evaluates the side channel attack resistance (step A3). Then, the analysis range setting unit 302 sets the analysis range according to the evaluation result in step A3 (step A2-1). Then, the resistance evaluation in the side channel attack resistance evaluation unit 303 and the analysis range setting in the analysis range setting unit 302 are repeated (step A3, step A2-1).
 なお、繰り返しの終了については、サイドチャネル攻撃耐性の評価を行った後(ステップA3)に解析範囲が一定範囲以下になるか、既定回数ループするか、もしくは耐性評価の結果が基準を満たすなどしたら終了する(ステップA5においてYES)。これらの条件はあくまで例示であり、他の条件を繰り返し終了の条件としてもよい。また、何れかの条件の一つを満たせば繰り返し終了としてもよく、複数の条件の全てを満たした場合に繰り返し終了としてもよい。 Regarding the end of repetition, after evaluating side channel attack resistance (step A3), if the analysis range falls below a certain range, loops a predetermined number of times, or the result of resistance evaluation meets the criteria, etc. End (YES in step A5). These conditions are merely examples, and other conditions may be used as conditions for repeated termination. Further, the process may be terminated repeatedly if one of the conditions is satisfied, or may be terminated when all of the plurality of conditions are satisfied.
 一方、条件を満たさない場合は再度ステップA2-1に進み動作を継続する(ステップA5においてNO)。 On the other hand, if the condition is not satisfied, the process proceeds to step A2-1 again and continues the operation (NO in step A5).
 ここで、ステップA5における耐性評価結果の基準としては、秘密鍵の解析成功/不成功や、基準波形との距離や相関・類似度の高さが例示できる。また、複数の鍵を解析対象としている場合には、解析に成功した鍵の数。また、DPAやそれの派生した手法を利用しているならばピークの高さ、などといったものが例示できる。更に、1回だけ解析範囲を絞り込んだだけでは十分に解析精度を向上できなくても、解析範囲の再設定を繰り返すことにより、解析精度の向上が期待できる。 Here, examples of the criterion of the resistance evaluation result in step A5 include the success / failure of the secret key analysis, the distance from the reference waveform, and the high correlation / similarity. If multiple keys are to be analyzed, the number of keys successfully analyzed. Further, if DPA or a method derived from it is used, the peak height can be exemplified. Furthermore, even if the analysis range cannot be improved sufficiently by narrowing down the analysis range only once, improvement of the analysis accuracy can be expected by repeating resetting of the analysis range.
 [第4の実施形態]
 続いて、本発明の第4の実施形態について説明する。本実施形態では、サイドチャネル攻撃としてDPAを対象としたときに、解析範囲を再設定するときの基準として、複数ある鍵のうち一部の鍵解析に成功したときのピーク位置を利用する方法について説明する。 [Fourth Embodiment]
Subsequently, a fourth embodiment of the present invention will be described. In this embodiment, when a DPA is targeted as a side channel attack, a method of using a peak position when a part of key analysis is successful among a plurality of keys is used as a reference when resetting the analysis range. explain.
 DPAでは、消費電力波形Wとその波形に対応する暗号文もしくは平文から秘密鍵の推測を行う。ここでは、暗号文Cを使う場合を説明する。説明に際しては、図6のフローチャートを参照する。 In DPA, the secret key is estimated from the power consumption waveform W and the ciphertext or plaintext corresponding to the waveform. Here, a case where the ciphertext C is used will be described. For the description, refer to the flowchart of FIG.
 推測する際に、ある推測鍵K'を仮定する(ステップB1)。 When guessing, a certain guess key K ′ is assumed (step B1).
 次に、K'と暗号文Cを選択関数と呼ばれる関数F(K',C)を利用して、Wを2つのグループに分類する(ステップB2)。 Next, K ′ and ciphertext C are classified into two groups using a function F (K ′, C) called a selection function (step B2).
 ステップB2においてすべてのWの分類が終わったら、グループごとにWの平均を求める(ステップB3)。 When the classification of all Ws is completed in step B2, the average of W is obtained for each group (step B3).
 そして、2つのグループのWの平均の差分を計算する(ステップB4)。 Then, the average difference of W of the two groups is calculated (step B4).
 ここで、推測した鍵K'が正解鍵と一致していた場合には、消費電力波形Wと関数Fとは強い相関をもつため、差分をとったあとのWにおいてピークが出現する。一方、K'と正解鍵が一致していない場合、WとFでは相関がなく差分をとったあとのWにピークが出現しない。そのため、2グループの平均の差分を計算した後にピークの検出を行う(ステップB5)。すべての鍵候補に対して同様にピーク検出処理を行い、もっとも高いピークを示したK'を推測結果とする。最後に、推測した鍵が正解鍵と一致した場合に、解析成功したことになる。 Here, when the estimated key K ′ matches the correct key, the power consumption waveform W and the function F have a strong correlation, so that a peak appears in W after taking the difference. On the other hand, if K ′ and the correct key do not match, there is no correlation between W and F, and no peak appears in W after taking the difference. Therefore, the peak is detected after calculating the average difference between the two groups (step B5). The peak detection process is performed on all key candidates in the same manner, and K ′ showing the highest peak is used as the estimation result. Finally, if the estimated key matches the correct key, the analysis is successful.
 ここで、推測する鍵が複数ある場合についてみてみる。例えば、DES(Data Encryption Standard)のラウンド鍵を推測する場合には、8個の6bit部分鍵を推測することとなる。このとき、一部の部分鍵しか解析成功しなかった場合に、より解析精度を高めるために解析範囲を絞り込む基準として、本発明の実施形態ではDPAのピークを利用する。 Suppose here that there are multiple keys to guess. For example, in the case of estimating a DES (Data ラ ウ ン ド Encryption6Standard) round key, eight 6-bit partial keys are estimated. At this time, when only a partial key is successfully analyzed, the DPA peak is used in the embodiment of the present invention as a reference for narrowing the analysis range in order to further improve the analysis accuracy.
 図7は、本実施形態におけるサイドチャネル攻撃耐性評価装置300のフローチャートである。 FIG. 7 is a flowchart of the side channel attack resistance evaluation apparatus 300 in this embodiment.
 第3の実施形態の動作例との相違点は、ステップA2-1の内容が変更され、ステップA6が追加されており、またステップA2-2と修正されている点である。 The difference from the operation example of the third embodiment is that the content of step A2-1 is changed, step A6 is added, and it is corrected to step A2-2.
 具体的には、解析範囲設定部302が解析範囲の設定をする際に、一度解析した結果、解析成功した部分鍵があれば(ステップA6においてYES)、その部分鍵でピークが出現した箇所を解析範囲の再設定の基準とする点(ステップA2-2)である。 Specifically, when the analysis range setting unit 302 sets the analysis range, if there is a partial key that has been successfully analyzed as a result of analysis once (YES in step A6), the location where the peak appears with the partial key is determined. This is a point (step A2-2) as a reference for resetting the analysis range.
 例えばDESの解析において、8個の部分鍵のうち、1個でも解析成功した鍵があった場合、その解析成功した鍵でピークが現れた箇所を解析範囲の設定基準とする。一方で、解析成功した部分鍵が存在しない場合の対処としては、そのまま動作終了する方法が一例として考えられる(ステップA6においてNO)。また、動作を終了させるのではなく事前に決められた方法で解析範囲を設定してしまう方法(図8のステップA2-3)等も考えられる。範囲の設定の仕方としては、解析に成功した正解鍵のピークのうち最もピークが高かった箇所を基準とする方法や、とりあえず解析範囲を半分にして、両方でそれぞれ解析する方法、などが考えられる。 For example, in the analysis of DES, when there is a key that has been successfully analyzed among 8 partial keys, the point where the peak appears in the successfully analyzed key is set as the analysis range setting standard. On the other hand, as a countermeasure when there is no partial key that has been successfully analyzed, a method of ending the operation is considered as an example (NO in step A6). In addition, a method of setting the analysis range by a predetermined method instead of ending the operation (step A2-3 in FIG. 8) may be considered. Possible methods of setting the range include a method based on the peak of the correct key that has been successfully analyzed, and a method of analyzing both of them by dividing the analysis range by half. .
 もし、複数の部分鍵が解析成功していた場合には、次のような方法で解析範囲を設定することができる。1つ目は、鍵に優先順位をつけておき、優先順位が上位の鍵のピークを基準とする方法である。最初の部分鍵から順に位をつけることも可能である。2つ目は、ピークの高さを比較し、最も高いピークを基準とする方法である。3つ目は解析成功している或る部分鍵において、正解鍵以外の鍵候補の中で最も高いピークと正解鍵のピークを比較し、2つのピークの差もしくは2つのピークの比が最も大きくなるピークを基準とする方法が考えられる。 If multiple partial keys have been successfully analyzed, the analysis range can be set by the following method. The first method is a method in which priorities are assigned to keys, and a peak of a higher priority key is used as a reference. It is also possible to rank in order from the first partial key. The second is a method in which the peak heights are compared and the highest peak is used as a reference. Third, in a partial key that has been successfully analyzed, the highest peak among the key candidates other than the correct key and the peak of the correct key are compared, and the difference between the two peaks or the ratio of the two peaks is the largest. A method based on the following peak can be considered.
 なお、DPAにおいては2つのグループの差分によって鍵を推測するが、DPAから派生した方法では差分以外の特徴で鍵を推測することがある。たとえば、CPAでは相関係数の高さによって鍵の推測を行う。本発明の実施形態は、DPA以外の手法においても、鍵を推測するために用いる特徴を、解析範囲の設定基準として適用することが可能である。 In DPA, the key is estimated based on the difference between the two groups. However, in a method derived from DPA, the key may be estimated based on characteristics other than the difference. For example, in CPA, the key is estimated based on the height of the correlation coefficient. The embodiment of the present invention can also apply a feature used for estimating a key as a criterion for setting an analysis range even in a technique other than DPA.
 暗号化処理においては、各部分鍵を使った処理を連続もしくは並列に処理することがある。このような場合には、各部分鍵において相関を持つ箇所が近傍に存在することとなる。よって、正解した鍵のピークが出現した箇所を基準として解析範囲を絞り込むことによって、解析精度が向上し、サイドチャネル攻撃耐性評価の評価精度の向上につながる。 In encryption processing, processing using each partial key may be processed continuously or in parallel. In such a case, a portion having a correlation in each partial key exists in the vicinity. Therefore, by narrowing down the analysis range on the basis of the location where the correct key peak appears, the analysis accuracy is improved and the evaluation accuracy of the side channel attack resistance evaluation is improved.
 [第5の実施形態]
 続いて、本発明の第5の実施形態について説明する。本実施形態では、正解鍵のピークとそれ以外の鍵のピークを比較することによって、解析範囲を設定する方法について説明する。 [Fifth Embodiment]
Subsequently, a fifth embodiment of the present invention will be described. In this embodiment, a method for setting the analysis range by comparing the peak of the correct key and the peak of the other key will be described.
 図9は、本実施形態におけるサイドチャネル攻撃耐性評価装置300のフローチャートである。 FIG. 9 is a flowchart of the side channel attack resistance evaluation apparatus 300 in this embodiment.
 第4の実施形態の動作例との相違点は、解析成功した部分鍵が複数あった場合に、正解鍵のピーク値とそれ以外の鍵候補のピーク値とを比較し、そのピーク値の比較結果に応じて解析範囲を決める点である。 The difference from the operation example of the fourth embodiment is that when there are a plurality of partial keys that have been successfully analyzed, the peak value of the correct key is compared with the peak values of other key candidates, and the peak values are compared. The analysis range is determined according to the result.
 具体的には、解析成功した部分鍵が複数あった場合に(ステップA7においてYES)、解析範囲設定部302が、正解鍵のピーク値とそれ以外の鍵候補のピーク値とを比較し(ステップA8)、そのピーク値の比較結果に応じて解析範囲を決める点である(ステップA2-5)。 Specifically, when there are a plurality of partial keys that have been successfully analyzed (YES in step A7), the analysis range setting unit 302 compares the peak value of the correct key with the peak value of the other key candidates (step S7). A8) is to determine the analysis range according to the comparison result of the peak values (step A2-5).
 なお、解析成功した鍵が1つだけであった場合には(ステップA7においてNO)、解析範囲設定部302が、解析成功した鍵のピーク位置に基づいて解析範囲を設定する(ステップA2-4)。 If only one key has been successfully analyzed (NO in step A7), the analysis range setting unit 302 sets the analysis range based on the peak position of the key that has been successfully analyzed (step A2-4). ).
 例えば、DESの8個ある6bit部分鍵の推測において、2個の部分鍵の解析に成功していた場合について述べる。DESの1個の部分鍵あたりの候補の数は64個あり、64個の鍵候補においてピーク値が計算され、正解鍵におけるピーク値が最も高ければ解析成功となる。本発明の実施形態では、正解鍵以外の63個の鍵候補におけるピーク値のうち、最も高いピーク値と正解鍵のピーク値を比較する。それを、すべての解析に成功している正解鍵に対して実施し、もっともピーク値の比較結果が良かったものを解析範囲設定の基準とする。比較方法としては、ピーク同士の差や比が考えられる。例えば、部分鍵Aにおいて正解鍵のピークが10、他の鍵候補における最大のピークが8であった場合、差分なら2、比なら10/8ということになる。同様に、部分鍵Bにおいて正解鍵のピークが6、他の鍵候補における最大のピークが2であった場合、差分なら4、比なら6/2ということになる。この場合、部分鍵Bのほうが部分鍵Aの場合よりも差や比が大きいこととなるので、部分鍵Bのピークが現れた箇所を解析範囲の設定基準とする。 For example, a case where the analysis of two partial keys in the estimation of 8 6-bit partial keys of DES was successful will be described. The number of candidates per partial key of DES is 64, and peak values are calculated for the 64 key candidates. If the peak value for the correct key is the highest, the analysis is successful. In the embodiment of the present invention, the highest peak value among the peak values of 63 key candidates other than the correct key is compared with the peak value of the correct key. This is performed for all correct keys that have been successfully analyzed, and the one with the best peak value comparison result is used as the reference for setting the analysis range. As a comparison method, a difference or ratio between peaks can be considered. For example, when the partial key A has a correct key peak of 10 and another key candidate has a maximum peak of 8, the difference is 2 and the ratio is 10/8. Similarly, in the partial key B, when the peak of the correct key is 6, and the maximum peak of the other key candidates is 2, the difference is 4 and the ratio is 6/2. In this case, since the difference or ratio of the partial key B is larger than that of the partial key A, the portion where the peak of the partial key B appears is set as the analysis range setting reference.
 ピークが最も高いものを基準とする方法もあるが、他の鍵候補のピーク値が正解鍵のピーク値と近い場合には、解析範囲を変更した場合に正解鍵のピークと他の鍵候補のピークの区別がつきにくくなることがある。また、他の鍵候補のピーク値が正解鍵のピーク値と近い場合、偶然正解鍵のピークが大きくなったという可能性もある。そのため、ピークを比較して解析範囲の基準を決定することで解析精度の向上、ならびに耐性評価の精度向上が期待できる。 There is a method based on the one with the highest peak, but if the peak value of the other key candidates is close to the peak value of the correct key, the peak of the correct key and the other key candidates are changed when the analysis range is changed. It may be difficult to distinguish peaks. Moreover, when the peak value of another key candidate is close to the peak value of the correct key, there is a possibility that the peak of the correct key accidentally increases. Therefore, it is possible to expect improvement in analysis accuracy and improvement in tolerance evaluation accuracy by comparing the peaks and determining the reference of the analysis range.
 [第6の実施形態]
 続いて、本発明の第6の実施形態について説明する。本実施形態では、正解した部分鍵が存在しなかった場合に、正解鍵のピークとそれ以外の鍵のピークを比較することによって、解析範囲を設定する方法について説明する。 [Sixth Embodiment]
Subsequently, a sixth embodiment of the present invention will be described. In the present embodiment, a method for setting the analysis range by comparing the peak of the correct key with the peak of other keys when there is no correct partial key will be described.
 図10は、本実施形態におけるサイドチャネル攻撃耐性評価装置300のフローチャートである。 FIG. 10 is a flowchart of the side channel attack resistance evaluation apparatus 300 in this embodiment.
 第4の実施形態の動作例との相違点は、正解した部分鍵が存在しなかった場合に、正解鍵のピークと他の鍵候補の中で最も高いピークとを比較し、そのピーク値の比較結果に応じて解析範囲を決定する点である。 The difference from the operation example of the fourth embodiment is that when there is no correct partial key, the peak of the correct key is compared with the highest peak among other key candidates, and the peak value The analysis range is determined according to the comparison result.
 具体的には、解析正解した部分鍵が存在しなかった場合に(ステップA6においてNO)、解析範囲設定部302が、正解鍵のピークと他の鍵候補の中で最も高いピークとを比較し(ステップA9)、そのピーク値の比較結果に応じて解析範囲を決定する点である(ステップA2-6)。 Specifically, when there is no partial key that has been correctly analyzed (NO in step A6), the analysis range setting unit 302 compares the peak of the correct key with the highest peak among other key candidates. (Step A9) is that the analysis range is determined according to the comparison result of the peak values (Step A2-6).
 例えば、DESの8個ある6bit部分鍵の推測において、1つも部分鍵の解析に成功しなかった場合について述べる。解析成功している鍵がある場合には、その鍵のピークを基準に解析範囲を決めることとなる。一方、成功した鍵がない場合には、正解鍵のピークと、それ以外の鍵候補の中で最も高いピークとを比較し、その比較結果に応じて解析範囲を決定する。比較方法としては第5の実施形態同様にピーク同士の差や比が考えられる。ただし、第5の実施形態とは異なり、本実施形態では、正解鍵のピークとそれ以外のピークとの差もしくは比が最も小さくなる、正解鍵のピーク箇所を解析範囲の設定基準とする。 For example, in the case of guessing 8 6-bit partial keys of DES, a case where no partial key was successfully analyzed will be described. If there is a key that has been successfully analyzed, the analysis range is determined based on the peak of the key. On the other hand, when there is no successful key, the peak of the correct key is compared with the highest peak among the other key candidates, and the analysis range is determined according to the comparison result. As a comparison method, a difference or ratio between peaks can be considered as in the fifth embodiment. However, unlike the fifth embodiment, in this embodiment, the peak of the correct key where the difference or ratio between the peak of the correct key and the other peak is the smallest is set as the analysis range setting reference.
 最大のピークと正解鍵のピークとの差や比が小さいならば、正解鍵のピークが現れた箇所で解析範囲を絞り込んだときに、正解鍵のピークが最も高くなり解析に成功する可能性が高い。したがって、解析失敗時においてピークの差や比によって解析範囲を設定することで解析精度が向上し、結果として耐性評価の精度向上が期待できる。 If the difference or ratio between the maximum peak and the correct key peak is small, when the analysis range is narrowed down at the location where the correct key peak appears, the correct key peak is the highest and the analysis may be successful. high. Therefore, when the analysis fails, the analysis accuracy is improved by setting the analysis range based on the difference or ratio of the peaks, and as a result, the accuracy of resistance evaluation can be improved.
 [第7の実施形態]
 続いて、本発明の第7の実施形態について説明する。本実施形態では、一度サイドチャネル情報全体もしくは適当に設定した解析範囲内のサイドチャネル情報を使ってサイドチャネル攻撃耐性評価を実施し、その結果に基づいて解析範囲を再設定、再びサイドチャネル攻撃耐性を評価する。さらに、評価結果に基づいて解析範囲の設定と耐性評価を繰り返す方法について説明する。 [Seventh Embodiment]
Subsequently, a seventh embodiment of the present invention will be described. In this embodiment, the side channel attack resistance evaluation is performed once using the entire side channel information or the side channel information within the analysis range set appropriately, the analysis range is reset based on the result, and the side channel attack resistance is set again. To evaluate. Furthermore, a method of repeating analysis range setting and tolerance evaluation based on the evaluation result will be described.
 図11は、本実施形態におけるサイドチャネル攻撃耐性評価装置300の動作例を表すフローチャートである。 FIG. 11 is a flowchart showing an operation example of the side channel attack resistance evaluation apparatus 300 in the present embodiment.
 第3の実施形態の動作例との相違点は、サイドチャネル情報が入力された後(ステップA1)、解析範囲設定部302が解析範囲をAとBの2つに分割する(ステップA10)。ここで、ループ回数が指定回数まわったか、2分した解析範囲が一定値以下になってしまったら、そこで評価を終了とする(ステップA11においてYES)。 The difference from the operation example of the third embodiment is that after the side channel information is input (step A1), the analysis range setting unit 302 divides the analysis range into two parts A and B (step A10). Here, if the number of loops reaches the specified number or the analysis range divided into two becomes equal to or less than a certain value, the evaluation is terminated (YES in step A11).
 一方、ループ回数・解析範囲の終了条件を満たさなければ(ステップA11においてNO、サイドチャネル攻撃耐性評価部303がA、Bそれぞれの解析範囲内で解析を実施する(ステップA3-1、A3-2)。 On the other hand, if the end condition of the loop count / analysis range is not satisfied (NO in step A11, the side channel attack resistance evaluation unit 303 performs analysis within the analysis ranges of A and B (steps A3-1 and A3-2). ).
 そして、ステップA3-1又はステップA3-2のどちらかの解析結果が基準を満たした場合、そこで評価を終了とする(ステップA12においてYES)。 If the analysis result of either step A3-1 or step A3-2 satisfies the criteria, the evaluation is terminated (YES in step A12).
 一方、解析結果が基準を満たさなかった場合(ステップA12においてNO)、解析範囲設定部302が各解析結果を比較する(ステップA13)。そして、より有効だと判定されたほうの解析範囲を次に2分する解析範囲とする(ステップA14)。そして、再び解析範囲を2分して(ステップA10)各範囲に対する解析を繰り返す。 On the other hand, when the analysis result does not satisfy the standard (NO in step A12), the analysis range setting unit 302 compares the analysis results (step A13). Then, the analysis range that is determined to be more effective is set as an analysis range that is divided into two (step A14). Then, the analysis range is divided into two again (step A10), and the analysis for each range is repeated.
 なお、解析範囲の分割については2つではなく、3つ以上に分割することも考えられる。この場合、各範囲内で解析と結果の比較が行われることとなる。 Note that the analysis range may be divided into three or more instead of two. In this case, analysis and comparison of results are performed within each range.
 ステップA12における基準としては、第3の実施形態のときと同様、秘密鍵の解析成功/不成功や、基準波形との距離や相関・類似度の高さ、複数の鍵を解析対象としている場合には、解析に成功した鍵の数等が例示できる。また、DPAやそれの派生した手法を利用しているならばピークの高さ、などといったものが例示できる。 As a reference in step A12, as in the case of the third embodiment, a secret key is analyzed successfully / unsuccessfully, a distance from a reference waveform, a high correlation / similarity, and a plurality of keys are analyzed. Can be exemplified by the number of keys successfully analyzed. Further, if DPA or a method derived from it is used, the peak height can be exemplified.
 また、ステップA13の比較方法としては、ステップA12と同様の基準を比較に用いることが可能である。例えば、解析範囲Aと解析範囲Bにおいて、解析に成功した鍵の数を比較し、成功数が多いほうを次の2分する解析範囲とする方法が例示できる。または、DPAにおいて、ピークを比較に用いる方法もある。単にピークが高いほうを次の2分する解析範囲とする方法が例示できる。更に第5や第6の実施形態で述べたような、正解鍵とそれ以外の鍵候補でのピークの比較結果を基準とし、お互いに一部鍵解析に成功しているならば、ピークの差または比が大きいほうを次の2分する解析範囲とする方法が例示できる。一方、お互いに鍵解析に失敗しているならば、ピークの差または比が小さいほうを次の2分する解析範囲とする方法等が例示できる。 Also, as a comparison method in step A13, the same standard as in step A12 can be used for comparison. For example, in the analysis range A and the analysis range B, the number of keys successfully analyzed can be compared, and the method with the larger number of successes can be exemplified as the analysis range divided into the following two. Alternatively, there is a method of using a peak for comparison in DPA. An example is a method in which an analysis range in which the peak is simply higher is divided into the following two parts. Further, as described in the fifth and sixth embodiments, if a partial key analysis is mutually successful based on the comparison result of the peak between the correct key and the other key candidates, the difference between the peaks Alternatively, a method in which the larger ratio is used as the analysis range divided into the following two can be exemplified. On the other hand, if the key analysis fails, it is possible to exemplify a method of setting an analysis range in which the smaller peak difference or ratio is divided into the following two.
 2つの解析範囲の結果を比較しながら解析範囲を絞っていくことで、耐性評価に有効な解析範囲を探索することが可能となる。その結果、耐性評価の精度を向上させることが可能となる。 比較 By narrowing down the analysis range while comparing the results of the two analysis ranges, it becomes possible to search for an effective analysis range for resistance evaluation. As a result, it is possible to improve the accuracy of resistance evaluation.
 本発明の第5の実施形態において、暗号を実施可能な評価ボード(図1の暗号装置100に相当)においてDESを実装し、オシロスコープ(図1のサイドチャネル情報測定装置200に相当)を用いて、暗号処理中の評価ボードから漏洩する電磁波(各実施形態におけるサイドチャネル情報に相当)を測定し、測定した電磁波を用いてサイドチャネル攻撃耐性を評価する場合について説明する。 In the fifth embodiment of the present invention, DES is mounted on an evaluation board (corresponding to the encryption device 100 in FIG. 1) capable of performing encryption, and an oscilloscope (corresponding to the side channel information measurement device 200 in FIG. 1) is used. A case where electromagnetic waves leaking from the evaluation board during encryption processing (corresponding to side channel information in each embodiment) is measured and side channel attack resistance is evaluated using the measured electromagnetic waves will be described.
 今回の実施例では、使用暗号はDESとし、鍵長は64bit、ラウンド数16段として、最終段における48bit(6bitの部分鍵が8個)のラウンド鍵の解析の可否でサイドチャネル攻撃耐性を評価する。 In this embodiment, the encryption used is DES, the key length is 64 bits, the number of rounds is 16 stages, and the side channel attack resistance is evaluated based on whether or not the 48 bits (8 6-bit partial keys) round key can be analyzed in the final stage. To do.
 動作としては、図9に示した各ステップに相当する動作を行う。ステップA3の耐性評価ではCPAを用い、8個の部分鍵ごとに64個の鍵候補に対する相関係数のピーク値と位置を算出し、そのうち正解鍵のピーク値が他の63個の鍵候補のピーク値より高ければその部分鍵は解析成功となる。 As the operation, an operation corresponding to each step shown in FIG. 9 is performed. In the tolerance evaluation of step A3, CPA is used to calculate the peak value and position of the correlation coefficient for 64 key candidates for every 8 partial keys, and the peak value of the correct key is that of the other 63 key candidates. If it is higher than the peak value, the partial key is successfully analyzed.
 ステップA5では5回ループしたら耐性ありと評価して終了とする。また、8個ある部分鍵のうち5つ以上の部分鍵の解析に成功した場合は、耐性なしと評価して終了とする。 In step A5, if it loops 5 times, it is evaluated that it is resistant, and the process ends. If the analysis of five or more partial keys out of the eight partial keys is successful, it is evaluated that there is no tolerance and the process ends.
 ステップA8では、解析成功した部分鍵において、正解鍵のピーク値と他の鍵候補のピーク値の比を求め、最も比が大きくなった部分鍵のピーク位置をステップA2-4における解析範囲の設定の基準とする。 In step A8, the ratio between the peak value of the correct key and the peak value of the other key candidates is determined for the partial key that has been successfully analyzed, and the peak position of the partial key having the largest ratio is set in the analysis range in step A2-4. The standard.
 ステップA2-4では解析に成功した鍵のピーク位置を中心に解析範囲を設定する。また、ステップA2-5では最も比が大きくなった部分鍵のピーク位置を中心として解析範囲を設定する。その範囲は1回目のループでは251ポイント、2回目のループでは101ポイント、3回目は51ポイント、4回目は25ポイント、5回目は11ポイントとする。 In step A2-4, the analysis range is set around the peak position of the key that has been successfully analyzed. In step A2-5, the analysis range is set around the peak position of the partial key having the largest ratio. The range is 251 points for the first loop, 101 points for the second loop, 51 points for the third loop, 25 points for the fourth loop, and 11 points for the fifth loop.
 サイドチャネル攻撃耐性評価の流れについて説明する。はじめに、評価ボードにてDESを実行し、DESの電磁波波形を複数測定する(ステップA1)。なお、最初の波形のポイント数は28000ポイントとしている。図12に測定した電磁波波形を示す。 The flow of side channel attack resistance evaluation will be explained. First, DES is executed on the evaluation board, and a plurality of DES electromagnetic wave waveforms are measured (step A1). Note that the number of points in the first waveform is 28000 points. FIG. 12 shows the measured electromagnetic wave waveform.
 次に、サイドチャネル攻撃耐性評価として、測定したDESの電磁波波形に対し、CPAを実施し8個の部分鍵を解析する(ステップA3)。下記の表1に8個の部分鍵(Key1~8)の正解を示す。 Next, as a side channel attack resistance evaluation, CPA is performed on the measured electromagnetic wave waveform of DES, and eight partial keys are analyzed (step A3). Table 1 below shows correct answers of eight partial keys (Keys 1 to 8).
Figure JPOXMLDOC01-appb-T000001
  また、図15に1回目の解析結果を示す。ここで図15は各部分鍵に対して解析した結果、ピークが高かった順に3個の鍵候補のピーク値とピーク位置、および鍵候補の値を示している。また、灰色が塗られている箇所は正解鍵であることを示している。図15より、解析成功した部分鍵は3個であることがわかる。したがって、解析に成功した鍵の個数は4個以下(ステップA5においてNO)であり、また複数の部分鍵の解析に成功している(ステップA6においてYES、A7においてYES)。したがって、成功した部分鍵のピーク値の比較を行う(ステップA8)。下記の表2に成功した部分鍵における、正解鍵と他の鍵候補のピーク値、およびそのピーク値の比をとったものを示す。
Figure JPOXMLDOC01-appb-T000001
 FIG. 15 shows the first analysis result. Here, FIG. 15 shows the peak value and peak position of the three key candidates and the value of the key candidate in order from the highest peak as a result of analysis for each partial key. In addition, a grayed portion indicates a correct key. FIG. 15 shows that there are three partial keys that have been successfully analyzed. Therefore, the number of keys successfully analyzed is 4 or less (NO in step A5), and a plurality of partial keys have been successfully analyzed (YES in step A6, YES in A7). Therefore, the peak values of successful partial keys are compared (step A8). Table 2 below shows the peak values of the correct key and other key candidates and the ratio of the peak values in the successful partial keys.
Figure JPOXMLDOC01-appb-T000002
  表2より、Key6の比が最も高いことがわかる。したがって、Key6のピーク位置8736ポイントを中心に251ポイントとった、8611~8861ポイントを次の解析範囲と設定する(ステップA2-5)。図13に電磁波波形において解析対象とした箇所(矢印で示した箇所)を示す。また、図14に解析対象の範囲を切り出した波形を示す。
Figure JPOXMLDOC01-appb-T000002
 From Table 2, it can be seen that the ratio of Key 6 is the highest. Therefore, 8611 to 8861 points, which are 251 points centered on the peak position 8736 points of Key6, are set as the next analysis range (step A2-5). FIG. 13 shows a portion to be analyzed (a portion indicated by an arrow) in the electromagnetic wave waveform. FIG. 14 shows a waveform obtained by cutting out the range to be analyzed.
 そして、新たに設定した解析範囲で再びCPAを実行して部分鍵の解析を行う(ステップA3)。新たな解析範囲で解析した結果を図16に示す。図16の項目は、図15と同様である。図16より、解析に成功した部分鍵の数が6個に増加していることがわかる。したがって、解析に成功した部分鍵の数が5個以上となったため、今回の評価対象にはサイドチャネル攻撃耐性はないと評価して、サイドチャネル攻撃耐性評価は終了となる(ステップA5においてYES)。 Then, the CPA is executed again within the newly set analysis range to analyze the partial key (step A3). The results of analysis in the new analysis range are shown in FIG. The items in FIG. 16 are the same as those in FIG. FIG. 16 shows that the number of partial keys successfully analyzed has increased to six. Therefore, since the number of partial keys that have been successfully analyzed is five or more, it is evaluated that the current evaluation target does not have side channel attack resistance, and the side channel attack resistance evaluation ends (YES in step A5). .
 このように、解析結果に応じて解析範囲を絞り込むことにより、解析精度が向上する。その結果、高い評価精度を持つサイドチャネル攻撃耐性評価装置を実現できる。 Thus, the analysis accuracy is improved by narrowing down the analysis range according to the analysis result. As a result, a side channel attack resistance evaluation device with high evaluation accuracy can be realized.
 また、本発明の実施形態は、解析範囲を設定することでサイドチャネル攻撃耐性評価装置の評価精度を高めることを目的とするものであるが、サイドチャネル情報の解析を未だ行っていない段階においてサイドチャネル情報の持つ特徴に応じて解析範囲を決定することが可能である。 In addition, the embodiment of the present invention aims to increase the evaluation accuracy of the side channel attack resistance evaluation apparatus by setting the analysis range, but the side channel information is not yet analyzed at the stage where the side channel information has not been analyzed yet. It is possible to determine the analysis range according to the characteristics of the channel information.
 すなわち、サイドチャネル情報の解析結果に基づいて初めて解析する範囲を決定し、その後に再解析を行うといった技術とは相違する点も有している。 That is, it has a different point from the technique of determining the range to be analyzed for the first time based on the analysis result of the side channel information and then performing reanalysis.
 なお、本発明の実施形態であるサイドチャネル攻撃耐性評価装置は、ハードウェアにより実現することもできるが、コンピュータをそのサイドチャネル攻撃耐性評価装置として機能させるためのプログラムをコンピュータがコンピュータ読み取り可能な記録媒体から読み込んで実行することによっても実現することができる。 Note that the side channel attack resistance evaluation apparatus according to the embodiment of the present invention can be realized by hardware, but a computer-readable recording program for causing a computer to function as the side channel attack resistance evaluation apparatus It can also be realized by reading from the medium and executing it.
 また、本発明の実施形態によるサイドチャネル攻撃耐性評価方法は、ハードウェアにより実現することもできるが、コンピュータにその方法を実行させるためのプログラムをコンピュータがコンピュータ読み取り可能な記録媒体から読み込んで実行することによっても実現することができる。 Also, the side channel attack resistance evaluation method according to the embodiment of the present invention can be realized by hardware, but the computer reads a program for causing the computer to execute the method from a computer-readable recording medium and executes the program. Can also be realized.
 上記の実施形態の一部又は全部は、以下の付記のようにも記載されうるが、以下には限定されない。 Some or all of the above embodiments may be described as in the following supplementary notes, but are not limited to the following.
 (付記1)暗号装置から漏洩するサイドチャネル情報を用いて、前記暗号装置のサイドチャネル攻撃への耐性を評価するサイドチャネル攻撃耐性評価装置において、耐性評価対象の暗号装置から取得したサイドチャネル情報を外部から受け付け、当該サイドチャネル情報を取り込むサイドチャネル情報受付部と、前記サイドチャネル情報の全ての範囲内から解析対象とする範囲である解析範囲を設定する解析範囲設定部と、前記解析範囲設定部で設定された前記解析範囲内のサイドチャネル情報を用いて評価対象の暗号装置のサイドチャネル攻撃への耐性の可否を判定するサイドチャネル攻撃耐性評価部と、を備えることを特徴とするサイドチャネル攻撃耐性評価装置。 (Additional remark 1) In the side channel attack tolerance evaluation apparatus which evaluates the tolerance with respect to the side channel attack of the said encryption apparatus using the side channel information leaked from an encryption apparatus, the side channel information acquired from the encryption apparatus of tolerance evaluation object is shown. A side channel information receiving unit that receives from the outside and takes in the side channel information, an analysis range setting unit that sets an analysis range that is a range to be analyzed from within the entire range of the side channel information, and the analysis range setting unit A side channel attack resistance evaluation unit that determines whether or not the encryption device to be evaluated is resistant to a side channel attack using the side channel information within the analysis range set in step (b). Resistance evaluation device.
 (付記2)付記1に記載のサイドチャネル攻撃耐性評価装置において、前記サイドチャネル情報受付部に代えて、前記評価対象の暗号装置のサイドチャネル情報を測定するサイドチャネル情報測定部を備えることを特徴とするサイドチャネル攻撃耐性評価装置。 (Additional remark 2) The side channel attack tolerance evaluation apparatus of Additional remark 1 WHEREIN: It replaces with the said side channel information reception part, and is provided with the side channel information measurement part which measures the side channel information of the said encryption apparatus for evaluation. Side channel attack resistance evaluation device.
 (付記3)付記1又は2に記載のサイドチャネル攻撃耐性評価装置において、前記解析範囲設定部が前記サイドチャネル攻撃耐性評価部における評価結果に応じて再度解析範囲設定を行い、前記サイドチャネル攻撃耐性評価部が、再度サイドチャネル攻撃耐性評価を行い、当該再度の解析範囲設定及び当該再度のサイドチャネル耐性評価が繰り返されることを特徴とするサイドチャネル攻撃耐性評価装置。 (Supplementary note 3) In the side channel attack resistance evaluation apparatus according to supplementary note 1 or 2, the analysis range setting unit performs analysis range setting again according to an evaluation result in the side channel attack resistance evaluation unit, and the side channel attack resistance A side channel attack resistance evaluation apparatus, wherein the evaluation unit performs side channel attack resistance evaluation again, and the second analysis range setting and the second side channel resistance evaluation are repeated.
 (付記4)付記3に記載のサイドチャネル攻撃耐性評価装置において、前記再度の解析範囲設定及び前記再度のサイドチャネル耐性評価は、予め定められた条件が満足されるまで繰り返されることを特徴とするサイドチャネル攻撃耐性評価装置。 (Supplementary note 4) In the side channel attack resistance evaluation apparatus according to supplementary note 3, the second analysis range setting and the second side channel resistance evaluation are repeated until a predetermined condition is satisfied. Side channel attack resistance evaluation device.
 (付記5)付記3又は4に記載のサイドチャネル攻撃耐性評価装置において、前記解析範囲設定部は、前記サイドチャネル攻撃耐性評価部において解析に成功した鍵におけるピークに基づいて前記再度の解析範囲の設定をすることを特徴とするサイドチャネル攻撃耐性評価装置。 (Supplementary Note 5) In the side channel attack resistance evaluation device according to Supplementary Note 3 or 4, the analysis range setting unit is configured to determine the second analysis range based on a peak in a key that has been successfully analyzed by the side channel attack resistance evaluation unit. A side channel attack resistance evaluation device characterized by setting.
 (付記6)付記3又は4に記載のサイドチャネル攻撃耐性評価装置において、前記解析範囲設定部は、前記サイドチャネル攻撃耐性評価部における評価結果の中で、解析成功時における正解鍵とそれ以外の鍵候補におけるピークを比較し、比較した結果に基づいて前記再度の解析範囲の設定をすることを特徴とするサイドチャネル攻撃耐性評価装置。 (Supplementary note 6) In the side channel attack resistance evaluation device according to supplementary note 3 or 4, the analysis range setting unit includes the correct key and the other keys at the time of successful analysis among the evaluation results in the side channel attack resistance evaluation unit. A side channel attack resistance evaluation apparatus, wherein peaks in key candidates are compared and the analysis range is set again based on the comparison result.
 (付記7)付記3又は4に記載のサイドチャネル攻撃耐性評価装置において、前記解析範囲設定部が、前記サイドチャネル攻撃耐性評価部における評価結果の中で、解析失敗時における正解鍵とそれ以外の鍵候補におけるピークを比較し、比較した結果に基づいて前記再度の解析範囲の設定を設定することを特徴とするサイドチャネル攻撃耐性評価装置。 (Supplementary note 7) In the side channel attack resistance evaluation device according to supplementary note 3 or 4, the analysis range setting unit includes a correct key at the time of analysis failure and other than that in the evaluation result in the side channel attack resistance evaluation unit A side-channel attack resistance evaluation apparatus characterized by comparing peaks in key candidates and setting the analysis range again based on the comparison result.
 (付記8)付記3乃至7の何れか1項に記載のサイドチャネル攻撃耐性評価装置において、前記解析範囲設定部が解析範囲を分割し、前記サイドチャネル攻撃耐性評価部が前記分割された解析範囲毎に前記評価をし、前記解析範囲設定部が前記分割された解析範囲毎の評価の結果に応じて再度の分割の対象とする解析範囲を選択し、再び前記解析範囲分割、前記分割された解析範囲毎の耐性評価及び前記解析範囲の選択を行うことを特徴とするサイドチャネル攻撃耐性評価装置。 (Supplementary note 8) In the side channel attack resistance evaluation apparatus according to any one of supplementary notes 3 to 7, the analysis range setting unit divides the analysis range, and the side channel attack resistance evaluation unit divides the analysis range The analysis range setting unit selects the analysis range to be divided again according to the evaluation result for each of the divided analysis ranges, and the analysis range is divided again. A side channel attack resistance evaluation apparatus characterized by performing resistance evaluation for each analysis range and selecting the analysis range.
 (付記9)暗号装置から漏洩するサイドチャネル情報を用いて、前記暗号装置のサイドチャネル攻撃への耐性を評価するサイドチャネル攻撃耐性評価方法において、耐性評価対象の暗号装置から取得したサイドチャネル情報を外部から受け付け、当該サイドチャネル情報を取り込むサイドチャネル情報受付ステップと、前記サイドチャネル情報の全ての範囲内から解析対象とする範囲である解析範囲を設定する解析範囲設定ステップと、前記解析範囲設定ステップで設定された前記解析範囲内のサイドチャネル情報を用いて評価対象の暗号装置のサイドチャネル攻撃への耐性の可否を判定するサイドチャネル攻撃耐性評価ステップと、を備えることを特徴とするサイドチャネル攻撃耐性評価方法。 (Additional remark 9) In the side channel attack tolerance evaluation method which evaluates the tolerance with respect to the side channel attack of the said encryption apparatus using the side channel information leaked from an encryption apparatus, the side channel information acquired from the encryption apparatus of tolerance evaluation object is used. A side channel information receiving step for receiving from the outside and capturing the side channel information; an analysis range setting step for setting an analysis range that is a range to be analyzed from within all the ranges of the side channel information; and the analysis range setting step A side channel attack resistance evaluation step for determining whether or not the cryptographic apparatus to be evaluated is resistant to a side channel attack using the side channel information within the analysis range set in step (b). Resistance evaluation method.
 (付記10)付記9に記載のサイドチャネル攻撃耐性評価方法において、前記サイドチャネル情報受付ステップに代えて、前記評価対象の暗号装置のサイドチャネル情報を測定するサイドチャネル情報測定ステップを備えることを特徴とするサイドチャネル攻撃耐性評価方法。 (Supplementary note 10) The side channel attack resistance evaluation method according to supplementary note 9, further comprising a side channel information measurement step of measuring side channel information of the encryption device to be evaluated instead of the side channel information reception step. Side channel attack resistance evaluation method.
 (付記11)付記9又は10に記載のサイドチャネル攻撃耐性評価方法において、前記解析範囲設定ステップが前記サイドチャネル攻撃耐性評価ステップにおける評価結果に応じて再度解析範囲設定を行い、再度サイドチャネル攻撃耐性評価を行い、当該再度の解析範囲設定及び当該再度のサイドチャネル耐性評価が繰り返されることを特徴とするサイドチャネル攻撃耐性評価方法。 (Supplementary note 11) In the side channel attack resistance evaluation method according to supplementary note 9 or 10, the analysis range setting step sets the analysis range again according to the evaluation result in the side channel attack resistance evaluation step, and again the side channel attack resistance A side channel attack resistance evaluation method characterized by performing an evaluation and repeating the second analysis range setting and the second side channel resistance evaluation.
 (付記12)付記11に記載のサイドチャネル攻撃耐性評価方法において、前記再度の解析範囲設定及び前記再度のサイドチャネル耐性評価は、予め定められた条件が満足されるまで繰り返されることを特徴とするサイドチャネル攻撃耐性評価方法。 (Supplementary note 12) In the side channel attack resistance evaluation method according to supplementary note 11, the second analysis range setting and the second side channel resistance evaluation are repeated until a predetermined condition is satisfied. Side channel attack resistance evaluation method.
 (付記13)付記11又は12に記載のサイドチャネル攻撃耐性評価方法において、前記解析範囲設定ステップでは、前記サイドチャネル攻撃耐性評価ステップにおいて解析に成功した鍵におけるピークに基づいて前記再度の解析範囲の設定をすることを特徴とするサイドチャネル攻撃耐性評価方法。 (Supplementary note 13) In the side channel attack resistance evaluation method according to supplementary note 11 or 12, in the analysis range setting step, the second analysis range is determined based on a peak in the key that has been successfully analyzed in the side channel attack resistance evaluation step. A side channel attack resistance evaluation method characterized by setting.
 (付記14)付記11又は12に記載のサイドチャネル攻撃耐性評価方法において、前記解析範囲設定ステップでは、前記サイドチャネル攻撃耐性評価ステップにおける評価結果の中で、解析成功時における正解鍵とそれ以外の鍵候補におけるピークを比較し、比較した結果に基づいて前記再度の解析範囲の設定をすることを特徴とするサイドチャネル攻撃耐性評価方法。 (Supplementary note 14) In the side channel attack resistance evaluation method according to supplementary note 11 or 12, in the analysis range setting step, among the evaluation results in the side channel attack resistance evaluation step, the correct key at the time of successful analysis and the other key A side channel attack resistance evaluation method comprising: comparing peaks in key candidates and setting the analysis range again based on the comparison result.
 (付記15)付記11又は12に記載のサイドチャネル攻撃耐性評価方法において、前記解析範囲設定ステップでは、前記サイドチャネル攻撃耐性評価ステップにおける評価結果の中で、解析失敗時における正解鍵とそれ以外の鍵候補におけるピークを比較し、比較した結果に基づいて前記再度の解析範囲の設定をすることを特徴とするサイドチャネル攻撃耐性評価方法。 (Supplementary note 15) In the side channel attack resistance evaluation method according to supplementary note 11 or 12, in the analysis range setting step, among the evaluation results in the side channel attack resistance evaluation step, the correct key at the time of analysis failure and the other key A side channel attack resistance evaluation method comprising: comparing peaks in key candidates and setting the analysis range again based on the comparison result.
 (付記16)付記11乃至15の何れか1項に記載のサイドチャネル攻撃耐性評価方法において、前記解析範囲設定ステップで解析範囲を分割し、前記サイドチャネル攻撃耐性評価ステップで前記分割された解析範囲毎に前記評価をし、前記解析範囲設定ステップで前記分割された解析範囲毎の評価の結果に応じて再度の分割の対象とする解析範囲を選択し、再び前記解析範囲分割、前記分割された解析範囲毎の耐性評価及び前記解析範囲の選択を行うことを特徴とするサイドチャネル攻撃耐性評価方法。 (Supplementary note 16) In the side channel attack resistance evaluation method according to any one of supplementary notes 11 to 15, the analysis range is divided at the analysis range setting step, and the analysis range is divided at the side channel attack resistance evaluation step. The evaluation is performed every time, the analysis range to be divided again is selected according to the evaluation result for each divided analysis range in the analysis range setting step, and the analysis range is divided again. A side channel attack resistance evaluation method, characterized by performing resistance evaluation for each analysis range and selecting the analysis range.
 (付記17)暗号装置から漏洩するサイドチャネル情報を用いて、前記暗号装置の暗号化に関する内部処理又は秘匿情報を解析するサイドチャネル攻撃への耐性を評価するサイドチャネル攻撃耐性評価装置に組み込まれるサイドチャネル攻撃耐性評価プログラムにおいて、耐性評価対象の暗号装置から取得したサイドチャネル情報を外部から受け付け、当該サイドチャネル情報を取り込むサイドチャネル情報受付部と、前記サイドチャネル情報の全ての範囲内から解析対象とする範囲である解析範囲を設定する解析範囲設定部と、前記解析範囲設定部で設定された前記解析範囲内のサイドチャネル情報を用いて評価対象の暗号装置のサイドチャネル攻撃への耐性の可否を判定するサイドチャネル攻撃耐性評価部と、を備えるサイドチャネル攻撃耐性評価装置としてコンピュータを機能させることを特徴とするサイドチャネル攻撃耐性評価プログラム。 (Supplementary Note 17) A side incorporated in a side channel attack resistance evaluation apparatus that evaluates resistance to side channel attacks for analyzing internal processing related to encryption of the encryption apparatus or analyzing confidential information using side channel information leaked from the encryption apparatus In the channel attack resistance evaluation program, the side channel information acquired from the cryptographic device of the resistance evaluation target is received from the outside, the side channel information reception unit that captures the side channel information, and the analysis target from all within the range of the side channel information An analysis range setting unit that sets an analysis range that is a range to be analyzed, and whether or not the evaluation target encryption device is resistant to side channel attacks using side channel information within the analysis range set by the analysis range setting unit A side channel comprising: a side channel attack resistance evaluation unit for determining Side channel attack resistance evaluation program for causing a computer to function as 撃耐 evaluation device.
 (付記18)付記17に記載のサイドチャネル攻撃耐性評価プログラムにおいて、前記サイドチャネル攻撃耐性評価装置は、前記サイドチャネル情報受付部に代えて、前記評価対象の暗号装置のサイドチャネル情報を測定するサイドチャネル情報測定部を備えることを特徴とするサイドチャネル攻撃耐性評価プログラム。 (Supplementary note 18) In the side channel attack resistance evaluation program according to supplementary note 17, the side channel attack resistance evaluation device replaces the side channel information reception unit and measures the side channel information of the encryption device to be evaluated. A side channel attack tolerance evaluation program comprising a channel information measurement unit.
 (付記19)付記17又は18に記載のサイドチャネル攻撃耐性評価プログラムにおいて、前記解析範囲設定部が前記サイドチャネル攻撃耐性評価部における評価結果に応じて再度解析範囲設定を行い、前記サイドチャネル攻撃耐性評価部が、再度サイドチャネル攻撃耐性評価を行い、当該再度の解析範囲設定及び当該再度のサイドチャネル耐性評価が繰り返されることを特徴とするサイドチャネル攻撃耐性評価プログラム。 (Supplementary note 19) In the side channel attack resistance evaluation program according to supplementary note 17 or 18, the analysis range setting unit performs analysis range setting again according to the evaluation result in the side channel attack resistance evaluation unit, and the side channel attack resistance A side channel attack resistance evaluation program, wherein the evaluation unit performs side channel attack resistance evaluation again, and the second analysis range setting and the second side channel resistance evaluation are repeated.
 (付記20)付記19に記載のサイドチャネル攻撃耐性評価プログラムにおいて、前記再度の解析範囲設定及び前記再度のサイドチャネル耐性評価は、予め定められた条件が満足されるまで繰り返されることを特徴とするサイドチャネル攻撃耐性評価プログラム。 (Supplementary note 20) In the side channel attack resistance evaluation program according to supplementary note 19, the second analysis range setting and the second side channel resistance evaluation are repeated until a predetermined condition is satisfied. Side channel attack resistance evaluation program.
 (付記21)付記19又は20に記載のサイドチャネル攻撃耐性評価プログラムにおいて、前記解析範囲設定部は、前記サイドチャネル攻撃耐性評価部において解析に成功した鍵におけるピークに基づいて前記再度の解析範囲の設定をすることを特徴とするサイドチャネル攻撃耐性評価プログラム。 (Supplementary note 21) In the side channel attack resistance evaluation program according to supplementary note 19 or 20, the analysis range setting unit is configured to determine the second analysis range based on a peak in a key that has been successfully analyzed by the side channel attack resistance evaluation unit. A side channel attack resistance evaluation program characterized by setting.
 (付記22)付記19又は20に記載のサイドチャネル攻撃耐性評価プログラムにおいて、前記解析範囲設定部は、前記サイドチャネル攻撃耐性評価部における評価結果の中で、解析成功時における正解鍵とそれ以外の鍵候補におけるピークを比較し、比較した結果に基づいて前記再度の解析範囲の設定をすることを特徴とするサイドチャネル攻撃耐性評価プログラム。 (Supplementary note 22) In the side channel attack tolerance evaluation program according to supplementary note 19 or 20, the analysis range setting unit includes the correct key and the other keys at the time of successful analysis among the evaluation results in the side channel attack tolerance evaluation unit. A side-channel attack resistance evaluation program characterized by comparing peaks in key candidates and setting the analysis range again based on the comparison result.
 (付記23)付記19又は20に記載のサイドチャネル攻撃耐性評価プログラムにおいて、前記解析範囲設定部が、前記サイドチャネル攻撃耐性評価部における評価結果の中で、解析失敗時における正解鍵とそれ以外の鍵候補におけるピークを比較し、比較した結果に基づいて前記再度の解析範囲の設定を設定することを特徴とするサイドチャネル攻撃耐性評価プログラム。 (Supplementary note 23) In the side channel attack tolerance evaluation program according to supplementary note 19 or 20, the analysis range setting unit includes a correct key at the time of analysis failure and other than that in the evaluation result in the side channel attack tolerance evaluation unit A side-channel attack resistance evaluation program characterized by comparing peaks in key candidates and setting the analysis range again based on the comparison result.
 (付記24)付記19乃至23の何れか1項に記載のサイドチャネル攻撃耐性評価プログラムにおいて、前記解析範囲設定部が解析範囲を分割し、前記サイドチャネル攻撃耐性評価部が前記分割された解析範囲毎に前記評価をし、前記解析範囲設定部が前記分割された解析範囲毎の評価の結果に応じて再度の分割の対象とする解析範囲を選択し、再び前記解析範囲分割、前記分割された解析範囲毎の耐性評価及び前記解析範囲の選択を行うことを特徴とするサイドチャネル攻撃耐性評価プログラム。 (Supplementary note 24) In the side channel attack resistance evaluation program according to any one of supplementary notes 19 to 23, the analysis range setting unit divides the analysis range, and the side channel attack resistance evaluation unit divides the analysis range. The analysis range setting unit selects the analysis range to be divided again according to the evaluation result for each of the divided analysis ranges, and the analysis range is divided again. A side channel attack resistance evaluation program characterized by performing resistance evaluation for each analysis range and selecting the analysis range.
 また、上述した実施形態は、本発明の好適な実施形態ではあるが、上記実施形態のみに本発明の範囲を限定するものではなく、本発明の要旨を逸脱しない範囲において種々の変更を施した形態での実施が可能である。 Moreover, although the above-described embodiment is a preferred embodiment of the present invention, the scope of the present invention is not limited only to the above-described embodiment, and various modifications are made without departing from the gist of the present invention. Implementation in the form is possible.
 この出願は、2009年12月10日に出願された日本出願特願2009-280487号を基礎とする優先権を主張し、その開示の全てをここに取り込む。 This application claims priority based on Japanese Patent Application No. 2009-280487 filed on Dec. 10, 2009, the entire disclosure of which is incorporated herein.
100 暗号装置
200 サイドチャネル情報測定装置
300、301 サイドチャネル攻撃耐性評価装置
301 サイドチャネル情報受付部
302 解析範囲設定部
303 サイドチャネル攻撃耐性評価部
304 サイドチャネル情報測定部 DESCRIPTION OF SYMBOLS 100 Encryption apparatus 200 Side channel information measurement apparatus 300, 301 Side channel attack tolerance evaluation apparatus 301 Side channel information reception part 302 Analysis range setting part 303 Side channel attack tolerance evaluation part 304 Side channel information measurement part

Claims (24)

  1.  暗号装置から漏洩するサイドチャネル情報を用いて、前記暗号装置のサイドチャネル攻撃への耐性を評価するサイドチャネル攻撃耐性評価装置において、
     耐性評価対象の暗号装置から取得したサイドチャネル情報を外部から受け付け、当該サイドチャネル情報を取り込むサイドチャネル情報受付部と、
     前記サイドチャネル情報の全ての範囲内から解析対象とする範囲である解析範囲を設定する解析範囲設定部と、
     前記解析範囲設定部で設定された前記解析範囲内のサイドチャネル情報を用いて評価対象の暗号装置のサイドチャネル攻撃への耐性の可否を判定するサイドチャネル攻撃耐性評価部と、
     を備えることを特徴とするサイドチャネル攻撃耐性評価装置。     In the side channel attack resistance evaluation device that evaluates the resistance to the side channel attack of the encryption device using the side channel information leaked from the encryption device,
    A side channel information accepting unit that accepts the side channel information acquired from the cryptographic device subject to the tolerance evaluation from the outside, and captures the side channel information;
    An analysis range setting unit for setting an analysis range that is a range to be analyzed from within the entire range of the side channel information;
    A side channel attack resistance evaluation unit that determines whether the evaluation target encryption device is resistant to a side channel attack using the side channel information within the analysis range set by the analysis range setting unit;
    A side channel attack resistance evaluation apparatus comprising:
  2.  請求項1に記載のサイドチャネル攻撃耐性評価装置において、
     前記サイドチャネル情報受付部に代えて、前記評価対象の暗号装置のサイドチャネル情報を測定するサイドチャネル情報測定部を備えることを特徴とするサイドチャネル攻撃耐性評価装置。     In the side channel attack tolerance evaluation apparatus according to claim 1,
    In place of the side channel information reception unit, a side channel attack resistance evaluation device comprising a side channel information measurement unit that measures side channel information of the cryptographic device to be evaluated.
  3.  請求項1又は2に記載のサイドチャネル攻撃耐性評価装置において、
     前記解析範囲設定部が前記サイドチャネル攻撃耐性評価部における評価結果に応じて再度解析範囲設定を行い、前記サイドチャネル攻撃耐性評価部が、再度サイドチャネル攻撃耐性評価を行い、当該再度の解析範囲設定及び当該再度のサイドチャネル耐性評価が繰り返されることを特徴とするサイドチャネル攻撃耐性評価装置。     In the side channel attack tolerance evaluation apparatus according to claim 1 or 2,
    The analysis range setting unit performs analysis range setting again according to the evaluation result in the side channel attack resistance evaluation unit, the side channel attack resistance evaluation unit performs side channel attack resistance evaluation again, and sets the analysis range again And the side channel attack tolerance evaluation apparatus characterized by repeating the said side channel tolerance evaluation again.
  4.  請求項3に記載のサイドチャネル攻撃耐性評価装置において、
     前記再度の解析範囲設定及び前記再度のサイドチャネル耐性評価は、予め定められた条件が満足されるまで繰り返されることを特徴とするサイドチャネル攻撃耐性評価装置。     In the side channel attack tolerance evaluation apparatus according to claim 3,
    The re-analysis range setting and the re-side channel resistance evaluation are repeated until a predetermined condition is satisfied.
  5.  請求項3又は4に記載のサイドチャネル攻撃耐性評価装置において、
     前記解析範囲設定部は、前記サイドチャネル攻撃耐性評価部において解析に成功した鍵におけるピークに基づいて前記再度の解析範囲の設定をすることを特徴とするサイドチャネル攻撃耐性評価装置。     In the side channel attack tolerance evaluation apparatus according to claim 3 or 4,
    The said analysis range setting part sets the said analysis range again based on the peak in the key which was successfully analyzed in the said side channel attack tolerance evaluation part, The side channel attack tolerance evaluation apparatus characterized by the above-mentioned.
  6.  請求項3又は4に記載のサイドチャネル攻撃耐性評価装置において、
     前記解析範囲設定部は、前記サイドチャネル攻撃耐性評価部における評価結果の中で、解析成功時における正解鍵とそれ以外の鍵候補におけるピークを比較し、比較した結果に基づいて前記再度の解析範囲の設定をすることを特徴とするサイドチャネル攻撃耐性評価装置。     In the side channel attack tolerance evaluation apparatus according to claim 3 or 4,
    The analysis range setting unit compares the correct key at the time of successful analysis with the peak of the other key candidates among the evaluation results in the side channel attack resistance evaluation unit, and the second analysis range based on the comparison result A side channel attack resistance evaluation device characterized in that
  7.  請求項3又は4に記載のサイドチャネル攻撃耐性評価装置において、
     前記解析範囲設定部が、前記サイドチャネル攻撃耐性評価部における評価結果の中で、解析失敗時における正解鍵とそれ以外の鍵候補におけるピークを比較し、比較した結果に基づいて前記再度の解析範囲の設定を設定することを特徴とするサイドチャネル攻撃耐性評価装置。     In the side channel attack tolerance evaluation apparatus according to claim 3 or 4,
    The analysis range setting section compares the correct key at the time of analysis failure with the peak in other key candidates among the evaluation results in the side channel attack resistance evaluation section, and the second analysis range based on the comparison result The side channel attack tolerance evaluation apparatus characterized by setting the setting.
  8.  請求項3乃至7の何れか1項に記載のサイドチャネル攻撃耐性評価装置において、
     前記解析範囲設定部が解析範囲を分割し、前記サイドチャネル攻撃耐性評価部が前記分割された解析範囲毎に前記評価をし、前記解析範囲設定部が前記分割された解析範囲毎の評価の結果に応じて再度の分割の対象とする解析範囲を選択し、再び前記解析範囲分割、前記分割された解析範囲毎の耐性評価及び前記解析範囲の選択を行うことを特徴とするサイドチャネル攻撃耐性評価装置。     In the side channel attack tolerance evaluation apparatus according to any one of claims 3 to 7,
    The analysis range setting unit divides the analysis range, the side channel attack resistance evaluation unit performs the evaluation for each of the divided analysis ranges, and the analysis range setting unit results of the evaluation for each of the divided analysis ranges. A side channel attack resistance evaluation characterized by selecting an analysis range to be re-divided in accordance with and performing the analysis range division again, resistance evaluation for each of the divided analysis ranges, and selection of the analysis range. apparatus.
  9.  暗号装置から漏洩するサイドチャネル情報を用いて、前記暗号装置のサイドチャネル攻撃への耐性を評価するサイドチャネル攻撃耐性評価方法において、
     耐性評価対象の暗号装置から取得したサイドチャネル情報を外部から受け付け、当該サイドチャネル情報を取り込むサイドチャネル情報受付ステップと、
     前記サイドチャネル情報の全ての範囲内から解析対象とする範囲である解析範囲を設定する解析範囲設定ステップと、
     前記解析範囲設定ステップで設定された前記解析範囲内のサイドチャネル情報を用いて評価対象の暗号装置のサイドチャネル攻撃への耐性の可否を判定するサイドチャネル攻撃耐性評価ステップと、
     を備えることを特徴とするサイドチャネル攻撃耐性評価方法。     In the side channel attack resistance evaluation method for evaluating the resistance to the side channel attack of the encryption device using the side channel information leaked from the encryption device,
    A side channel information receiving step for receiving side channel information acquired from a cryptographic device subject to tolerance evaluation from the outside, and capturing the side channel information;
    An analysis range setting step for setting an analysis range that is a range to be analyzed from within all the ranges of the side channel information;
    A side channel attack resistance evaluation step for determining whether or not a cryptographic device to be evaluated is resistant to a side channel attack using the side channel information within the analysis range set in the analysis range setting step;
    A side channel attack resistance evaluation method comprising:
  10.  請求項9に記載のサイドチャネル攻撃耐性評価方法において、
     前記サイドチャネル情報受付ステップに代えて、前記評価対象の暗号装置のサイドチャネル情報を測定するサイドチャネル情報測定ステップを備えることを特徴とするサイドチャネル攻撃耐性評価方法。     In the side channel attack tolerance evaluation method according to claim 9,
    In place of the side channel information receiving step, a side channel attack resistance evaluation method comprising a side channel information measurement step of measuring side channel information of the cryptographic device to be evaluated.
  11.  請求項9又は10に記載のサイドチャネル攻撃耐性評価方法において、
     前記解析範囲設定ステップが前記サイドチャネル攻撃耐性評価ステップにおける評価結果に応じて再度解析範囲設定を行い、再度サイドチャネル攻撃耐性評価を行い、当該再度の解析範囲設定及び当該再度のサイドチャネル耐性評価が繰り返されることを特徴とするサイドチャネル攻撃耐性評価方法。     In the side channel attack tolerance evaluation method according to claim 9 or 10,
    The analysis range setting step performs analysis range setting again according to the evaluation result in the side channel attack resistance evaluation step, performs side channel attack resistance evaluation again, and performs the second analysis range setting and the second side channel resistance evaluation again. A side channel attack resistance evaluation method that is repeated.
  12.  請求項11に記載のサイドチャネル攻撃耐性評価方法において、
     前記再度の解析範囲設定及び前記再度のサイドチャネル耐性評価は、予め定められた条件が満足されるまで繰り返されることを特徴とするサイドチャネル攻撃耐性評価方法。     In the side channel attack tolerance evaluation method according to claim 11,
    The re-analysis range setting and the re-side channel resistance evaluation are repeated until a predetermined condition is satisfied.
  13.  請求項11又は12に記載のサイドチャネル攻撃耐性評価方法において、
     前記解析範囲設定ステップでは、前記サイドチャネル攻撃耐性評価ステップにおいて解析に成功した鍵におけるピークに基づいて前記再度の解析範囲の設定をすることを特徴とするサイドチャネル攻撃耐性評価方法。     In the side channel attack tolerance evaluation method according to claim 11 or 12,
    In the analysis range setting step, the analysis range is set again based on a peak in the key that has been successfully analyzed in the side channel attack resistance evaluation step.
  14.  請求項11又は12に記載のサイドチャネル攻撃耐性評価方法において、
     前記解析範囲設定ステップでは、前記サイドチャネル攻撃耐性評価ステップにおける評価結果の中で、解析成功時における正解鍵とそれ以外の鍵候補におけるピークを比較し、比較した結果に基づいて前記再度の解析範囲の設定をすることを特徴とするサイドチャネル攻撃耐性評価方法。     In the side channel attack tolerance evaluation method according to claim 11 or 12,
    In the analysis range setting step, in the evaluation result in the side channel attack resistance evaluation step, the correct key at the time of successful analysis is compared with the peak in the other key candidates, and the analysis range is again determined based on the comparison result. A side channel attack resistance evaluation method, characterized by:
  15.  請求項11又は12に記載のサイドチャネル攻撃耐性評価方法において、
     前記解析範囲設定ステップでは、前記サイドチャネル攻撃耐性評価ステップにおける評価結果の中で、解析失敗時における正解鍵とそれ以外の鍵候補におけるピークを比較し、比較した結果に基づいて前記再度の解析範囲の設定をすることを特徴とするサイドチャネル攻撃耐性評価方法。     In the side channel attack tolerance evaluation method according to claim 11 or 12,
    In the analysis range setting step, among the evaluation results in the side channel attack resistance evaluation step, the correct key at the time of analysis failure and the peak in the other key candidates are compared, and the second analysis range based on the comparison result A side channel attack resistance evaluation method, characterized by:
  16.  請求項11乃至15の何れか1項に記載のサイドチャネル攻撃耐性評価方法において、
     前記解析範囲設定ステップで解析範囲を分割し、前記サイドチャネル攻撃耐性評価ステップで前記分割された解析範囲毎に前記評価をし、前記解析範囲設定ステップで前記分割された解析範囲毎の評価の結果に応じて再度の分割の対象とする解析範囲を選択し、再び前記解析範囲分割、前記分割された解析範囲毎の耐性評価及び前記解析範囲の選択を行うことを特徴とするサイドチャネル攻撃耐性評価方法。     In the side channel attack tolerance evaluation method according to any one of claims 11 to 15,
    The analysis range is divided in the analysis range setting step, the evaluation is performed for each of the divided analysis ranges in the side channel attack resistance evaluation step, and the evaluation result for each of the divided analysis ranges in the analysis range setting step A side channel attack resistance evaluation characterized by selecting an analysis range to be re-divided in accordance with and performing the analysis range division again, resistance evaluation for each of the divided analysis ranges, and selection of the analysis range. Method.
  17.  暗号装置から漏洩するサイドチャネル情報を用いて、前記暗号装置のサイドチャネル攻撃への耐性を評価するサイドチャネル攻撃耐性評価装置に組み込まれるサイドチャネル攻撃耐性評価プログラムにおいて、
     耐性評価対象の暗号装置から取得したサイドチャネル情報を外部から受け付け、当該サイドチャネル情報を取り込むサイドチャネル情報受付部と、
     前記サイドチャネル情報の全ての範囲内から解析対象とする範囲である解析範囲を設定する解析範囲設定部と、
     前記解析範囲設定部で設定された前記解析範囲内のサイドチャネル情報を用いて評価対象の暗号装置のサイドチャネル攻撃への耐性の可否を判定するサイドtチャネル攻撃耐性評価部と、
     を備えるサイドチャネル攻撃耐性評価装置としてコンピュータを機能させることを特徴とするサイドチャネル攻撃耐性評価プログラム。     In the side channel attack resistance evaluation program incorporated in the side channel attack resistance evaluation device that evaluates the resistance to the side channel attack of the encryption device using the side channel information leaked from the encryption device,
    A side channel information accepting unit that accepts the side channel information acquired from the cryptographic device subject to the tolerance evaluation from the outside, and captures the side channel information;
    An analysis range setting unit for setting an analysis range that is a range to be analyzed from within the entire range of the side channel information;
    A side t channel attack resistance evaluation unit that determines whether or not the cryptographic device to be evaluated is resistant to a side channel attack using the side channel information within the analysis range set by the analysis range setting unit;
    A side channel attack resistance evaluation program that causes a computer to function as a side channel attack resistance evaluation apparatus.
  18.  請求項17に記載のサイドチャネル攻撃耐性評価プログラムにおいて、
     前記サイドチャネル攻撃耐性評価装置は、前記サイドチャネル情報受付部に代えて、前記評価対象の暗号装置のサイドチャネル情報を測定するサイドチャネル情報測定部を備えることを特徴とするサイドチャネル攻撃耐性評価プログラム。     In the side channel attack tolerance evaluation program according to claim 17,
    The side channel attack resistance evaluation device includes a side channel information measurement unit that measures side channel information of the encryption device to be evaluated instead of the side channel information reception unit. .
  19.  請求項17又は18に記載のサイドチャネル攻撃耐性評価プログラムにおいて、
     前記解析範囲設定部が前記サイドチャネル攻撃耐性評価部における評価結果に応じて再度解析範囲設定を行い、前記サイドチャネル攻撃耐性評価部が、再度サイドチャネル攻撃耐性評価を行い、当該再度の解析範囲設定及び当該再度のサイドチャネル耐性評価が繰り返されることを特徴とするサイドチャネル攻撃耐性評価プログラム。     In the side channel attack resistance evaluation program according to claim 17 or 18,
    The analysis range setting unit performs analysis range setting again according to the evaluation result in the side channel attack resistance evaluation unit, the side channel attack resistance evaluation unit performs side channel attack resistance evaluation again, and sets the analysis range again And the side channel attack tolerance evaluation program characterized by repeating the said side channel tolerance evaluation again.
  20.  請求項19に記載のサイドチャネル攻撃耐性評価プログラムにおいて、
     前記再度の解析範囲設定及び前記再度のサイドチャネル耐性評価は、予め定められた条件が満足されるまで繰り返されることを特徴とするサイドチャネル攻撃耐性評価プログラム。     In the side channel attack resistance evaluation program according to claim 19,
    The re-analysis range setting and the re-side channel resistance evaluation are repeated until a predetermined condition is satisfied.
  21.  請求項19又は20に記載のサイドチャネル攻撃耐性評価プログラムにおいて、
     前記解析範囲設定部は、前記サイドチャネル攻撃耐性評価部において解析に成功した鍵におけるピークに基づいて前記再度の解析範囲の設定をすることを特徴とするサイドチャネル攻撃耐性評価プログラム。     In the side channel attack resistance evaluation program according to claim 19 or 20,
    The analysis range setting unit sets the analysis range again based on a peak in a key that has been successfully analyzed by the side channel attack resistance evaluation unit.
  22.  請求項19又は20に記載のサイドチャネル攻撃耐性評価プログラムにおいて、
     前記解析範囲設定部は、前記サイドチャネル攻撃耐性評価部における評価結果の中で、解析成功時における正解鍵とそれ以外の鍵候補におけるピークを比較し、比較した結果に基づいて前記再度の解析範囲の設定をすることを特徴とするサイドチャネル攻撃耐性評価プログラム。     In the side channel attack resistance evaluation program according to claim 19 or 20,
    The analysis range setting unit compares the correct key at the time of successful analysis with the peak of the other key candidates among the evaluation results in the side channel attack resistance evaluation unit, and the second analysis range based on the comparison result Side channel attack resistance evaluation program characterized by setting
  23.  請求項19又は20に記載のサイドチャネル攻撃耐性評価プログラムにおいて、
     前記解析範囲設定部が、前記サイドチャネル攻撃耐性評価部における評価結果の中で、解析失敗時における正解鍵とそれ以外の鍵候補におけるピークを比較し、比較した結果に基づいて前記再度の解析範囲の設定を設定することを特徴とするサイドチャネル攻撃耐性評価プログラム。     In the side channel attack resistance evaluation program according to claim 19 or 20,
    The analysis range setting section compares the correct key at the time of analysis failure with the peak in other key candidates among the evaluation results in the side channel attack resistance evaluation section, and the second analysis range based on the comparison result Side channel attack resistance evaluation program characterized by setting the setting of.
  24.  請求項19乃至23の何れか1項に記載のサイドチャネル攻撃耐性評価プログラムにおいて、
     前記解析範囲設定部が解析範囲を分割し、前記サイドチャネル攻撃耐性評価部が前記分割された解析範囲毎に前記評価をし、前記解析範囲設定部が前記分割された解析範囲毎の評価の結果に応じて再度の分割の対象とする解析範囲を選択し、再び前記解析範囲分割、前記分割された解析範囲毎の耐性評価及び前記解析範囲の選択を行うことを特徴とするサイドチャネル攻撃耐性評価プログラム。     In the side channel attack tolerance evaluation program according to any one of claims 19 to 23,
    The analysis range setting unit divides the analysis range, the side channel attack resistance evaluation unit performs the evaluation for each of the divided analysis ranges, and the analysis range setting unit results of the evaluation for each of the divided analysis ranges. A side channel attack resistance evaluation characterized by selecting an analysis range to be re-divided in accordance with and performing the analysis range division again, resistance evaluation for each of the divided analysis ranges, and selection of the analysis range. program.
PCT/JP2010/071977 2009-12-10 2010-12-08 Side channel attack resistance assessment device, side channel attack resistance assessment method, and program thereof WO2011071063A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
JP2011545223A JP5733215B2 (en) 2009-12-10 2010-12-08 Side channel attack resistance evaluation apparatus, side channel attack resistance evaluation method, and program thereof

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2009280487 2009-12-10
JP2009-280487 2009-12-10

Publications (1)

Publication Number Publication Date
WO2011071063A1 true WO2011071063A1 (en) 2011-06-16

Family

ID=44145607

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2010/071977 WO2011071063A1 (en) 2009-12-10 2010-12-08 Side channel attack resistance assessment device, side channel attack resistance assessment method, and program thereof

Country Status (2)

Country Link
JP (1) JP5733215B2 (en)
WO (1) WO2011071063A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2014007705A (en) * 2012-06-27 2014-01-16 Tokai Rika Co Ltd Side channel evaluation device and side channel evaluation method
JP2014006484A (en) * 2012-06-27 2014-01-16 Tokai Rika Co Ltd Side-channel evaluation device and side-channel evaluation method
CN106936561A (en) * 2015-12-29 2017-07-07 航天信息股份有限公司 A kind of side-channel attack protective capacities appraisal procedure and system

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
"2009 Nen Symposium on Cryptography and Information Security SCIS 2009 [CD-ROM], 23 January 2009", 23 January 2009, article NORITAKA YAMASHITA ET AL.: "Shingo Shori o Riyo shita SASEBO ni Okeru Sabun Denryoku Kaiseki", pages: 1 - 6 *
DAISAKU MINAMIZAKI: "Construction of the experiment environment for the CPA attack", IEICE TECHNICAL REPORT, vol. 108, no. 355, 10 December 2008 (2008-12-10), pages 61 - 66 *
YOHEI HORI: "Development of Side-channel Attack Standard Evaluation Board and Tool", IEICE TECHNICAL REPORT, vol. 108, no. 300, 10 November 2008 (2008-11-10), pages 87 - 92 *

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2014007705A (en) * 2012-06-27 2014-01-16 Tokai Rika Co Ltd Side channel evaluation device and side channel evaluation method
JP2014006484A (en) * 2012-06-27 2014-01-16 Tokai Rika Co Ltd Side-channel evaluation device and side-channel evaluation method
CN106936561A (en) * 2015-12-29 2017-07-07 航天信息股份有限公司 A kind of side-channel attack protective capacities appraisal procedure and system

Also Published As

Publication number Publication date
JPWO2011071063A1 (en) 2013-04-22
JP5733215B2 (en) 2015-06-10

Similar Documents

Publication Publication Date Title
CN108604981B (en) Method and apparatus for estimating secret value
Doget et al. Univariate side channel attacks and leakage modeling
US9069971B2 (en) Method for testing the security of an electronic device against an attack, and electronic device implementing countermeasures
KR20170098732A (en) Method of testing the resistance of a circuit to a side channel analysis of second order or more
US20100246808A1 (en) Side channel attack tolerance evaluation apparatus, method and program
EP3447509B1 (en) Method of testing the resistance of a circuit to a side channel analysis
Mohamed et al. Improved algebraic side-channel attack on AES
EP3040901A1 (en) System and method for aligning time-series data over a large range of time indices
JP5733215B2 (en) Side channel attack resistance evaluation apparatus, side channel attack resistance evaluation method, and program thereof
Diop et al. Collision based attacks in practice
Oren et al. Tolerant algebraic side-channel analysis of {AES}
JP2010135881A (en) Device, method and program for evaluating side-channel attack resistance
Heyszl et al. Investigating profiled side-channel attacks against the DES key schedule
Pammu et al. A highly efficient side channel attack with profiling through relevance-learning on physical leakage information
KR20160114252A (en) Method for processing side channel analysis
JP5397625B2 (en) Side channel attack resistance evaluation apparatus, method and program thereof
Le et al. Mutual information analysis under the view of higher-order statistics
US11606195B2 (en) Method of verifying integrity of a pair of cryptographic keys and cryptographic device
Gebotys et al. A sliding window phase-only correlation method for side-channel alignment in a smartphone
Zhang et al. Efficient nonprofiling 2nd-order power analysis on masked devices utilizing multiple leakage points
Masoumi et al. Efficient implementation of power analysis attack resistant advanced encryption standard algorithm on side-channel attack standard evaluation board
Masoumi et al. An efficient smart card implementation of the AES algorithm robust against differential side channel analysis
Ueno et al. Constructing Sliding Windows Leak from Noisy Cache Timing Information of OSS-RSA.
Fan et al. How to Choose Interesting Points for Template Attacks?
Hu et al. Ciphertext and plaintext leakage reveals the entire TDES key

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 10835983

Country of ref document: EP

Kind code of ref document: A1

WWE Wipo information: entry into national phase

Ref document number: 2011545223

Country of ref document: JP

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 10835983

Country of ref document: EP

Kind code of ref document: A1