The present application is based on, and claims priority from Japanese Patent Application Serial Number 2017-250596, the disclosure of which is hereby incorporated by reference herein in its entirety.
The present disclosure relates to a communication system including a first communication device and a second communication device, and a method for data communication between the first and the second communication devices.
Cryptosystems currently in use are perceived to be computationally secure against cryptanalysis. Actually implementing an encryption device as a cryptographic module, however, may result in leaks of operational conditions caused by the implementation, such as power consumption and processing time. Threats of side channel attacks, which attempt to illicitly obtain secret information such as secret keys by observing these operational conditions by various physical means, are increasing.
Examples of side channel attacks include power analysis attacks, which analyze secret information by measuring the power consumption of a device. Differential Power Analysis (DPA) and Correlation Power Analysis (CPA), which analyze power consumption measurements with statistical functions, are reported to be among the most powerful of such side channel attacks. See Paul Kocher et al. “Introduction to Differential Power Analysis and related Attacks,” [online], Cryptography Research, searched in the Internet on Dec. 1, 2017, <http://www.cryptography.com/public/pdf/DPATechInfo.pdf>, and Eric Brier et al., “Correlation Power Analysis with a Leakage Model,” [online], Gemplus Card International, searched on the Internet on Dec. 1, 2017, <https://www.iacr.org/archive/ches2004/31560016/31560016.pdf>.
Various circuits have been proposed as countermeasures against the DPA and CPA attacks. For example, Daisuke Suzuki et al., “Random Switching Logic: A Countermeasure against DPA based on Transition Probability,” [online], International Association for Cryptologic Research, searched on the Internet on Dec. 1, 2017 <http://eprint.iacr.org/2004/346.pdf> propose a Random Switching Logic (RSL) circuit and a Wave Dynamic Differential Logic (WDDL) circuit. The RSL circuit switches an operational mode of a logic circuit with a random number, so as to eliminate a biased state transition probability, thereby randomizing power consumption to avoid dependence on a cryptographic key. The WDDL circuit uses a complementary circuit after precharging to reduce the difference in current consumption caused by differing bit values in an arithmetic operation, so as to render the power consumption uniform.
A communication system includes a first communication device including first circuitry and a second communication device configured to be connected to the first communication device and including second circuitry. The first circuitry is configured to perform first encryption including first non-linear processing, and perform first decryption including first inverse non-linear processing. The second circuitry is configured to perform second decryption including second inverse non-linear processing, and perform second encryption including second non-linear processing. In transmission of first data from the first communication device to the second communication device, the first circuitry and the second circuitry are configured to selectively switch first processing including encrypting the first data by the first non-linear processing to generate first encrypted data in the first circuitry, and decrypting the first encrypted data by the second inverse non-linear processing in the second circuitry, and second processing including encrypting the first data by the first inverse non-linear processing to generate first encrypted data in the first circuitry, and decrypting the first encrypted data by the second non-linear processing in the second circuitry.
A data communication method between a first communication device including first circuitry configured to perform first encryption including first non-linear processing and first decryption including first inverse non-linear processing, and a second communication device including second circuitry configured to perform second decryption including second inverse non-linear processing and second encryption including second non-linear processing includes selectively switching, in transmission of first data from the first communication device to the second communication device, encrypting the first data by the first non-linear processing to generate first encrypted data, and decrypting the first encrypted data by the second inverse non-linear processing, and encrypting the first data by the first inverse non-linear processing to generate first encrypted data, and decrypting the first encrypted data by the second non-linear processing.
In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the disclosed embodiments. It will be apparent, however, that one or more embodiments may be practiced without these specific details. In other instances, well-known structures and devices are schematically illustrated in order to simplify the drawing. The term “circuitry” herein may partly or entirely be implemented by using either hardware or software, or both hardware and software.
Providing an encryption device with the above-described RSL or WDDL circuit increases arithmetic operation time, circuit size and power consumption by several to several dozen times in comparison to not providing such circuits, which results in an increase in cost.
The present disclosure is directed to a communication system and a data communication method that achieve effective countermeasure against the DPA and CPA attacks readily and at low cost.
A communication system according to an aspect of the present disclosure includes a first communication device including a first encryption-decryption unit, and a second communication device configured to be connected to the first communication device and including a second encryption-decryption unit. The first encryption-decryption unit includes a first encryption unit including a first non-linear processing unit and a first decryption unit including a first inverse non-linear processing unit. The second encryption-decryption unit includes a second decryption unit including a second inverse non-linear processing unit and a second encryption unit including a second non-linear processing unit. In transmission of first data from the first communication device to the second communication device, the first encryption-decryption unit and the second encryption-decryption unit are configured to selectively switch first processing including encrypting the first data with the first non-linear processing unit to generate first encrypted data in the first encryption-decryption unit, and decrypting the first encrypted data with the second inverse non-linear processing unit in the second encryption-decryption unit, and second processing including encrypting the first data with the first inverse non-linear processing unit to generate first encrypted data in the first encryption-decryption unit, and decrypting the first encrypted data with the second non-linear processing unit in the second encryption-decryption unit. The first encryption-decryption unit, the second encryption-decryption unit, the first encryption unit, the first non-linear processing unit, the first decryption unit, the first inverse non-linear processing unit, the second decryption unit, the second inverse non-linear processing unit, the second encryption unit, and the second non-linear processing unit may comprise suitable logic, circuitry, interfaces, and/or code.
In the communication system according to this aspect, in transmission of first data from the first communication device to the second communication device, the first encryption-decryption unit and the second encryption-decryption unit selectively switch first processing including encrypting the first data with the first non-linear processing unit to generate first encrypted data in the first encryption-decryption unit, and decrypting the first encrypted data with the second inverse non-linear processing unit in the second encryption-decryption unit, and second processing including encrypting the first data with the first inverse non-linear processing unit to generate first encrypted data in the first encryption-decryption unit and decrypting the first encrypted data with the second non-linear processing unit in the second encryption-decryption unit. DPA or CPA attacks mainly target the non-linear and the inverse non-linear processing units of the encryption-decryption unit for analysis of power consumption characteristics. Performing transmission of first data from the first communication device to the second communication device by selectively switching the first processing in which the first non-linear processing unit performs encryption and the second inverse non-linear processing unit performs decryption, and the second processing in which the first inverse non-linear processing unit performs encryption and the second non-linear processing unit performs decryption effectively conceals power consumption characteristics of the first encryption-decryption unit and the second encryption-decryption unit. No need for an RSL or WDDL circuit helps avoid increase in cost. In consequence, effective countermeasure against the DPA and CPA attacks is achieved readily and at low cost.
In some embodiments, in transmission of second data in response to the first data from the second communication device to the first communication device, the first encryption-decryption unit and the second encryption-decryption unit are configured to selectively switch third processing including encrypting the second data with the second non-linear processing unit to generate second encrypted data in the second encryption-decryption unit, and decrypting the second encrypted data with the first inverse non-linear processing unit in the first encryption-decryption unit, and fourth processing including encrypting the second data with the second inverse non-linear processing unit to generate second encrypted data in the second encryption-decryption unit, and decrypting the second encrypted data with the first non-linear processing unit in the first encryption-decryption unit.
According to such embodiments, in transmission of second data from the second communication device to the first communication device, the first encryption-decryption unit and the second encryption-decryption unit selectively switch third processing including encrypting the second data with the second non-linear processing unit to generate second encrypted data in the second encryption-decryption unit, and decrypting the second encrypted data with the first inverse non-linear processing unit in the first encryption-decryption unit, and fourth processing including encrypting the second data with the second inverse non-linear processing unit to generate second encrypted data in the second encryption-decryption unit and decrypting the second encrypted data with the first non-linear processing unit in the first encryption-decryption unit. Selectively switching the third processing in which the second non-linear processing unit performs encryption and the first inverse non-linear processing unit performs decryption, and the fourth processing in which the second inverse non-linear processing unit performs encryption and the first non-linear processing unit performs decryption in transmission of second data from the second communication device to the first communication device, as well as transmission of first data from the first communication device to the second communication device, more effectively conceals power consumption characteristics of the first encryption-decryption unit and the second encryption-decryption unit.
In some embodiments, the first communication device further includes a first switching controller configured to control switching between the third processing and the fourth processing by the first encryption-decryption unit. The second communication device further includes a second switching controller configured to control switching between the third processing and the fourth processing by the second encryption-decryption unit. The first switching controller and the second switching controller may comprise suitable logic, circuitry, interfaces, and/or code.
According to such embodiments, the first communication device includes the first switching controller that controls switching between the third processing and the fourth processing by the first encryption-decryption unit. The second communication device includes the second switching controller that controls switching between the third processing and the fourth processing by the second encryption-decryption unit. The first switching controller and the second switching controller synchronously perform switching between the third processing and the fourth processing in the first encryption-decryption unit and switching between the third processing and the fourth processing in the second encryption-decryption unit, by which transmission of second data from the second communication device to the first communication device by the third processing or the fourth processing is performed appropriately.
In some embodiments, the first switching controller and the second switching controller are configured to separately hold a selection table containing a rule for selectively switching between the third processing and the fourth processing, and select between the third processing and the fourth processing by referring to the selection table.
According to such embodiments, the first switching controller and the second switching controller select between the third processing and the fourth processing by referring to a common selection table. No need for selection information for instruction of switching between the third processing and the fourth processing to be sent/received between the first communication device and the second communication device helps avoid increase in communication data between the two devices. The selection table containing an arbitrary rule enables arbitrarily setting a timing and a pattern for switching between the third processing and the fourth processing in advance.
In some embodiments, the first encrypted data includes first selection information on selection between the third processing and the fourth processing. The second switching controller is configured to select between the third processing and the fourth processing, based on the first selection information extracted from the first encrypted data.
According to such embodiments, the second switching controller selects the third processing or the fourth processing, based on the first selection information extracted from the first encrypted data. This enables arbitrarily setting the timing and the pattern for switching between the third processing and the fourth processing by the first communication device.
In some embodiments, the first switching controller and the second switching controller separately include a common counter. The first switching controller and the second switching controller are configured to select between the third processing and the fourth processing, based on a counter value from the counter.
According to such embodiments, the first switching controller and the second switching controller select the third processing or the fourth processing, based on a counter value from the common counter. No need for selection information for instruction of switching between the third processing and the fourth processing to be sent/received between the first communication device and the second communication device helps avoid increase in communication data between the two devices. By employing the counter value, the third processing and the fourth processing are switched irregularly. In consequence, power consumption characteristics are concealed more effectively.
In some embodiments, the first switching controller and the second switching controller separately include a common random number generator. The first switching controller and the second switching controller are configured to select between the third processing and the fourth processing based on a random number value from the random number generator.
According to such embodiments, the first switching controller and the second switching controller select the third processing or the fourth processing, based on a random number value from the common random number generator. No need for selection information for instruction of switching between the third processing and the fourth processing to be sent/received between the first communication device and the second communication device helps avoid increase in communication data between the two devices. By employing a random number value, the third processing and the fourth processing are switched irregularly. In consequence, power consumption characteristics are concealed more effectively.
In some embodiments, if the third processing is selected, the second encryption-decryption unit is configured to dummy-drive the second inverse non-linear processing unit, while if the fourth processing is selected, the second encryption-decryption unit is configured to dummy-drive the second non-linear processing unit.
According to such embodiments, if the third processing is selected, the second encryption-decryption unit dummy-drives the second inverse non-linear processing unit, while if the fourth processing is selected, the second encryption-decryption unit dummy-drives the second non-linear processing unit. Dummy-driving the non-linear processing unit or the inverse non-linear processing unit which is not selected generates largely-distributed power consumption noise by the non-selected non-linear processing unit or inverse non-linear processing unit. In consequence, this power consumption noise effectively conceals the power consumption characteristics of the selected non-linear processing unit and inverse non-linear processing unit.
In some embodiments, the first encryption-decryption unit and the second encryption-decryption unit are configured to select between the third processing and the fourth processing, at every transmission of the second data from the second communication device to the first communication device.
According to such embodiments, the first encryption-decryption unit and the second encryption-decryption unit select between the third processing and the fourth processing at every transmission of second data from the second communication device to the first communication device. Switching between the third processing and the fourth processing frequently conceals power consumption characteristics more effectively.
In some embodiments, the first encryption unit and the second decryption unit are configured to generate and decrypt the second encrypted data with one of the first common key and the second common key in the third processing, and the first decryption unit and the second encryption unit are configured to generate and decrypt the second encrypted data with the other of the first common key and the second common key in the fourth processing.
According to such embodiments, the first encryption unit and the second decryption unit generate and decrypt the second encrypted data with one of the first common key and the second common key in the third processing, and the first decryption unit and the second encryption unit generate and decrypt the second encrypted data with the other of the first common key and the second common key in the fourth processing. Employing different common keys in the third processing and the fourth processing effectively makes analysis by a third party difficult.
In some embodiments, if the third processing is selected in a present transmission of the second data, the first encryption-decryption unit and the second encryption-decryption unit are configured to select the first processing in a subsequent transmission of the first data, while if the fourth processing is selected in the present transmission of the second data, the first encryption-decryption unit and the second encryption-decryption unit are configured to select the second processing in the subsequent transmission of the first data.
According to such embodiments, if the third processing is selected in the present transmission of the second data, the first encryption-decryption unit and the second encryption-decryption unit select the first processing in the subsequent transmission of the first data, while if the fourth processing is selected in the present transmission of the second data, the first encryption-decryption unit and the second encryption-decryption unit select the second processing in the subsequent transmission of the first data. The second encryption-decryption unit recognizes which of the first processing and the second processing is to be selected in the subsequent transmission of the first data, depending on which of the third processing and the fourth processing is selected in the present transmission of the second data. This achieves appropriate decryption of the first encrypted data when received from the first communication device in the subsequent transmission by the second decryption unit or the second encryption unit.
In some embodiments, the first communication device further includes a first switching controller configured to control switching between the first processing and the second processing by the first encryption-decryption unit. The second communication device further includes a second switching controller configured to control switching between the first processing and the second processing by the second encryption-decryption unit. The first switching controller and the second switching controller may comprise suitable logic, circuitry, interfaces, and/or code.
According to such embodiments, the first communication device includes the first switching controller that controls switching between the first processing and the second processing by the first encryption-decryption unit. The second communication device includes the second switching controller that controls switching between the first processing and the second processing by the second encryption-decryption unit. The first switching controller and the second switching controller synchronously perform switching between the first processing and the second processing in the first encryption-decryption unit and switching between the first processing and the second processing in the second encryption-decryption unit, by which transmission of first data from the first communication device to the second communication device by the first processing or the second processing is performed appropriately.
In some embodiments, the first switching controller and the second switching controller are configured to separately hold a selection table containing a rule for selectively switching between the first processing and the second processing, and select between the first processing and the second processing by referring to the selection table.
According to such embodiments, the first switching controller and the second switching controller select between the first processing and the second processing by referring to a common selection table. No need for selection information for instruction of switching between the first processing and the second processing to be sent/received between the first communication device and the second communication device helps avoid increase in communication data between the two devices. The selection table containing an arbitrary rule enables arbitrarily setting a timing and a pattern for switching between the first processing and the second processing in advance.
In some embodiments, the first encrypted data includes second selection information on selection between the first processing and the second processing for a subsequent transmission of the first data. The second switching controller is configured to select between the first processing and the second processing, based on the second selection information, on completion of processing in response to the first data presently received.
According to such embodiments, the second switching controller selects between the first processing and the second processing, based on the second selection information, on completion of processing in response to the first data presently received. This enables the second encryption-decryption unit to appropriately decrypt the first encrypted data when received from the first communication device in the subsequent transmission by the second decryption unit or the second encryption unit. A combination of the third processing or the fourth processing in response to the present first data and the first processing or the second processing for receiving the subsequent first data is arbitrarily selected. In consequence, power consumption characteristics are concealed more effectively.
In some embodiments, the first switching controller and the second switching controller separately include a common counter. The first switching controller and the second switching controller are configured to select between the first processing and the second processing, based on a counter value from the counter.
According to such embodiments, the first switching controller and the second switching controller select the first processing or the second processing, based on a counter value from the common counter. No need for selection information for instruction of switching between the first processing and the second processing to be sent/received between the first communication device and the second communication device helps avoid increase in communication data between the two devices. By employing the counter value, the first processing and the second processing are switched irregularly. In consequence, power consumption characteristics are concealed more effectively.
In some embodiments, the first switching controller and the second switching controller separately include a common random number generator. The first switching controller and the second switching controller are configured to select between the first processing and the second processing based on a random number value from the random number generator.
According to such embodiments, the first switching controller and the second switching controller select the first processing or the second processing, based on a random number value from the common random number generator. No need for selection information for instruction of switching between the first processing and the second processing to be sent/received between the first communication device and the second communication device helps avoid increase in communication data between the two devices. By employing a random number value, the first processing and the second processing are switched irregularly. In consequence, power consumption characteristics are concealed more effectively.
In some embodiments, if the first processing is selected, the first encryption-decryption unit is configured to dummy-drive the first inverse non-linear processing unit, while if the second processing is selected, the first encryption-decryption unit is configured to dummy-drive the first non-linear processing unit.
According to such embodiments, if the first processing is selected, the first encryption-decryption unit dummy-drives the first inverse non-linear processing unit, while if the second processing is selected, the first encryption-decryption unit dummy-drives the first non-linear processing unit. Dummy-driving the non-linear processing unit or the inverse non-linear processing unit which is not selected generates largely-distributed power consumption noise by the non-selected non-linear processing unit or inverse non-linear processing unit. In consequence, this power consumption noise effectively conceals the power consumption characteristics of the selected non-linear processing unit and inverse non-linear processing unit.
In some embodiments, the first encryption-decryption unit and the second encryption-decryption unit are configured to select between the first processing and the second processing, at every transmission of the first data from the first communication device to the second communication device.
According to such embodiments, the first encryption-decryption unit and the second encryption-decryption unit select between the first processing and the second processing at every transmission of first data from the first communication device to the second communication device. Switching between the first processing and the second processing conceals power consumption characteristics more effectively.
In some embodiments, the first encryption unit and the second decryption unit are configured to generate and decrypt the first encrypted data with one of the first common key and the second common key in the first processing, and the first decryption unit and the second encryption unit are configured to generate and decrypt the first encrypted data with the other of the first common key and the second common key in the second processing.
According to such embodiments, the first encryption unit and the second decryption unit generate and decrypt the first encrypted data with one of the first common key and the second common key in the first processing, and the first decryption unit and the second encryption unit generate and decrypt the first encrypted data with the other of the first common key and the second common key in the second processing. Employing different common keys in the first processing and the second processing effectively makes analysis by a third party difficult.
In some embodiments, the first communication device and the second communication device further include a key generation unit configured to generate the first common key and the second common key based on an identical common key. The key generation unit may comprise suitable logic, circuitry, interfaces, and/or code.
According to such embodiments, the key generation unit generates the first common key and the second common key based on an identical common key. This facilitates generation and management of the first common key and the second common key.
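The switching between the first processing and the second processing described above, sketched as an added example that is not code from the disclosure: each device holds its own copy of a selection table and a transmission counter, and derives two common keys from one identical common key. The 16-byte toy SPN (AES S-box only, not AES), the HMAC-SHA256 key derivation, the table contents and all names (`Device`, `SwitchingController`, `forward`, `backward`, `derive_keys`) are assumptions made for illustration.

```python
import hashlib
import hmac

def _gmul(a, b):
    """Multiply two bytes in GF(2^8) modulo the AES polynomial 0x11B."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = ((a << 1) ^ 0x11B) if a & 0x80 else (a << 1)
        b >>= 1
    return r

def _build_sbox():
    """AES S-box: multiplicative inverse in GF(2^8), then the affine transform."""
    box = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if _gmul(x, y) == 1), 0)
        s = inv
        for shift in range(1, 5):
            s ^= ((inv << shift) | (inv >> (8 - shift))) & 0xFF
        box.append(s ^ 0x63)
    return box

SBOX = _build_sbox()                             # non-linear processing
INV_SBOX = [SBOX.index(v) for v in range(256)]   # inverse non-linear processing
ROUNDS = 4                                       # toy parameter (assumption)
PERM = [(5 * i) % 16 for i in range(16)]         # toy byte permutation (assumption)
INV_PERM = [PERM.index(i) for i in range(16)]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round_keys(key):
    # Toy key schedule (assumption): one hash-derived 16-byte key per round.
    return [hashlib.sha256(key + bytes([r])).digest()[:16] for r in range(ROUNDS + 1)]

def forward(block, key):
    """Toy 'encryption circuit': S-box, byte permutation, round-key XOR."""
    rk = _round_keys(key)
    s = _xor(block, rk[0])
    for r in range(1, ROUNDS + 1):
        s = bytes(SBOX[b] for b in s)
        s = bytes(s[PERM[i]] for i in range(16))
        s = _xor(s, rk[r])
    return s

def backward(block, key):
    """Toy 'decryption circuit': exact inverse of forward(), via the inverse S-box."""
    rk = _round_keys(key)
    s = block
    for r in range(ROUNDS, 0, -1):
        s = _xor(s, rk[r])
        s = bytes(s[INV_PERM[i]] for i in range(16))
        s = bytes(INV_SBOX[b] for b in s)
    return _xor(s, rk[0])

def derive_keys(k0):
    """First and second common keys from one common key (HMAC is an assumption)."""
    k1 = hmac.new(k0, b"processing-1", hashlib.sha256).digest()[:16]
    k2 = hmac.new(k0, b"processing-2", hashlib.sha256).digest()[:16]
    return k1, k2

class SwitchingController:
    """Private copy of the selection table plus a transmission counter."""
    def __init__(self, table):
        self.table, self.count = list(table), 0

    def select(self):
        choice = self.table[self.count % len(self.table)]
        self.count += 1
        return choice

class Device:
    """One end of the link: its own key copies and its own switching controller."""
    def __init__(self, k0, table):
        self.k1, self.k2 = derive_keys(k0)
        self.ctrl = SwitchingController(table)

    def send(self, block):
        # First processing: forward circuit with K1. Second: backward circuit with K2.
        return forward(block, self.k1) if self.ctrl.select() == 1 else backward(block, self.k2)

    def receive(self, block):
        # The receiver runs the opposite circuit with the same key.
        return backward(block, self.k1) if self.ctrl.select() == 1 else forward(block, self.k2)

def demo():
    k0 = bytes(range(16))                        # constructed shared key
    table = [1, 2, 2, 1, 2, 1, 1, 2]             # constructed selection table
    host, memory = Device(k0, table), Device(k0, table)
    msgs = [bytes([n]) * 16 for n in range(8)]   # constructed 16-byte blocks
    in_sync = [memory.receive(host.send(m)) == m for m in msgs]
    host.send(msgs[0])                           # lost frame: only the host counter advances
    after_loss = memory.receive(host.send(msgs[1])) == msgs[1]
    return in_sync, after_loss
```

The last step of `demo()` shows why the two controllers must switch synchronously: after one frame the receiver never sees, it runs the wrong circuit with the wrong key and the block no longer decrypts.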
A data communication method between a first communication device including a first encryption unit including a first non-linear processing unit and a first decryption unit including a first inverse non-linear processing unit and a second communication device including a second decryption unit including a second inverse non-linear processing unit and a second encryption unit including a second non-linear processing unit, according to another aspect of the present disclosure, includes, in transmission of first data from the first communication device to the second communication device, selectively switching encrypting the first data with the first non-linear processing unit to generate first encrypted data, and decrypting the first encrypted data with the second inverse non-linear processing unit, and encrypting the first data with the first inverse non-linear processing unit to generate first encrypted data, and decrypting the first encrypted data with the second non-linear processing unit. The first encryption unit, the first non-linear processing unit, the first decryption unit, the first inverse non-linear processing unit, the second decryption unit, the second inverse non-linear processing unit, the second encryption unit, and the second non-linear processing unit may comprise suitable logic, circuitry, interfaces, and/or code.
In the data communication method according to this aspect, in transmission of first data from the first communication device to the second communication device, encryption of first data with the first non-linear processing unit to generate the encrypted data and decryption of the first encrypted data with the second inverse non-linear processing unit, and encryption of first data with the first inverse non-linear processing unit to generate first encrypted data and decryption of the first encrypted data with the second non-linear processing unit are selectively switched. DPA or CPA attacks mainly target the non-linear and the inverse non-linear processing units for analysis of power consumption characteristics. Performing transmission of first data from the first communication device to the second communication device by selectively switching encryption with the first non-linear processing unit and decryption with the second inverse non-linear processing unit, and encryption with the first inverse non-linear processing unit and decryption with the second non-linear processing unit effectively conceals power consumption characteristics of the non-linear processing unit and the inverse non-linear processing unit. No need for an RSL or WDDL circuit helps avoid increase in cost. In consequence, effective countermeasure against the DPA and CPA attacks is achieved readily and at low cost.
Some embodiments of the present disclosure achieve an effective countermeasure against the DPA and CPA attacks readily and at low cost.
These and other objects, features, aspects and advantages of the present disclosure will become more apparent from the following description of embodiments when taken in conjunction with the accompanying drawings.
Embodiments of the present disclosure are described in detail below referring to the drawings. It should be noted that identical reference numerals throughout the drawings indicate identical or equivalent elements.
The host device 2 includes a CPU 11, a key management unit 12, a storage 13, an encryption-decryption unit 14, and a switching controller 15 connected to each other via a bus 10. The switching controller 15 holds a below-described selection table T1 in its internal memory.
The memory device 3 includes a memory controller 21, a key management unit 22, a memory array 23, an encryption-decryption unit 24 similar to the encryption-decryption unit 14, and a switching controller 25. The memory array 23 retains arbitrary data such as content data. The switching controller 25 holds the same selection table T1 as the selection table T1 held in the switching controller 15 in its internal memory.
The host device 2 and the memory device 3 secretly manage an identical common key K0 in the key management units 12 and 22. The encryption-decryption units 14 and 24 perform encryption and decryption on commands sent from the host device 2 to the memory device 3 and on content data sent from the memory device 3 to the host device 2. The memory system 1 according to the present embodiment adopts a cryptographic algorithm having a Substitution Permutation Network (SPN) structure in which an encryption circuit and a decryption circuit are independently provided in the encryption-decryption units 14 and 24. Examples of cryptographic algorithms having an SPN structure include Advanced Encryption Standard (AES) and Hierocrypt. The present embodiment employs AES as an example.
Side channel attacks mainly target the encryption-decryption units 14 and 24 for analysis of power consumption characteristics, especially the power consumption characteristics of the S-box and the InvS-box circuits, which exhibit a large power-consumption distribution.
The decryption unit 32 and the encryption unit 42 use an identical cryptographic algorithm and an identical common key K0, and thus when the decryption unit 32 encrypts and the encryption unit 42 decrypts, an original plaintext command is correctly regenerated. In other words, an identical plaintext command results in an identical decrypted command, whichever of the patterns P1 and P2 is selected.
The S-box circuit of the encryption unit 31 and the InvS-box circuit of the decryption unit 32 employ different transformation tables. Thus, an identical original plaintext command results in a different encrypted command depending on which circuit performs the encryption. For example, when input data is “0x78”, the S-box circuit outputs “0xBC”, while the InvS-box circuit outputs “0xC1,” causing differences in Hamming distance between input and output data and in variation in Hamming weight between input and output data. The power consumption characteristics are different between the encryption-decryption units 14 and 24, depending on which of the patterns P1 and P2 is selected.
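The following added example (not part of the original disclosure) models the byte-level comparison above in Python: it derives the AES S-box and InvS-box from their definition, reproduces the 0x78 values quoted in the text together with their Hamming distance and Hamming weight change, and shows that one keyed substitution round regenerates the plaintext under both P1 and P2. The single-byte toy round, the key value used in the demo, and all function names are assumptions made for illustration; this is not a full AES implementation.

```python
"""Byte-level model of swapping S-box and InvS-box roles (illustration only)."""


def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo the AES polynomial 0x11B."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def gf_inv(a):
    """Multiplicative inverse computed as a^254; AES defines inv(0) = 0."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r if a else 0


def rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF


def build_sbox():
    """AES S-box: field inverse followed by the affine transform."""
    box = []
    for x in range(256):
        b = gf_inv(x)
        box.append(b ^ rotl8(b, 1) ^ rotl8(b, 2) ^ rotl8(b, 3) ^ rotl8(b, 4) ^ 0x63)
    return box


def build_inverse(box):
    inv = [0] * 256
    for x, y in enumerate(box):
        inv[y] = x
    return inv


SBOX = build_sbox()
INV_SBOX = build_inverse(SBOX)


def hamming_weight(x):
    return bin(x).count("1")


def leakage(table, x):
    """Return (output, Hamming distance in->out, change in Hamming weight)."""
    y = table[x]
    return y, hamming_weight(x ^ y), hamming_weight(y) - hamming_weight(x)


def encryption_unit(data, key):
    """Toy round of an encryption circuit: key addition, then S-box."""
    return SBOX[data ^ key]


def decryption_unit(data, key):
    """Toy round of a decryption circuit: InvS-box, then key addition."""
    return INV_SBOX[data] ^ key


def send_p1(plain, key):
    """P1: sender drives the S-box path, receiver the InvS-box path."""
    cipher = encryption_unit(plain, key)
    return cipher, decryption_unit(cipher, key)


def send_p2(plain, key):
    """P2: sender drives the InvS-box path, receiver the S-box path."""
    cipher = decryption_unit(plain, key)
    return cipher, encryption_unit(cipher, key)


if __name__ == "__main__":
    key = 0x2B  # constructed demo key, not a value from the text
    for name, table in (("S-box", SBOX), ("InvS-box", INV_SBOX)):
        out, hd, dhw = leakage(table, 0x78)
        print(f"{name}: 0x78 -> 0x{out:02X}, HD={hd}, HW change={dhw:+d}")
    for name, send in (("P1", send_p1), ("P2", send_p2)):
        cipher, plain = send(0x78, key)
        print(f"{name}: ciphertext 0x{cipher:02X}, recovered 0x{plain:02X}")
```

The two tables give different Hamming distances for the same input byte, which is the data-dependent difference the pattern switching relies on, while the recovered plaintext is the same for both patterns.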
Similar to the above, identical plaintext content data results in identical decrypted content data, whichever of the patterns P3 and P4 is selected. The power consumption characteristics are different between the encryption-decryption units 14 and 24, depending on which of the patterns P3 and P4 is selected.
In the present embodiment, the pattern P1 is selected in the first command transmission after power supply from the host device 2 to the memory device 3. If the pattern P4 is selected in the present transmission of content data, the pattern P2 is selected in the next command transmission, while if the pattern P3 is selected in the present transmission of content data, the pattern P1 is selected in the next command transmission.
The operations of the memory system 1 according to the present embodiment are described below with reference to
Referring to
Referring to
In the latency period A2 (see
Referring to
The encryption unit 31 decrypts the received encrypted content data. Processing on the first read command is then completed.
As described above, the memory system 1 according to the present embodiment is configured such that the pattern P2 is selected in the next command transmission when the pattern P4 is selected in the present transmission of content data. Referring to
When the CPU 11 issues the second read command, the encryption-decryption unit 14 encrypts the read command by the decryption unit 32, and sends the encrypted read command to the memory device 3. The encryption-decryption unit 24 decrypts the received encrypted read command by the encryption unit 42. Triggered by the receipt completion flag, the switching controllers 15 and 25 select a pattern for transmission of content data. Referring to
As described above, the memory system 1 according to the present embodiment is configured such that the pattern P1 is selected in the next command transmission when the pattern P3 is selected in the present transmission of content data. Referring to
When the CPU 11 issues the third read command, the encryption-decryption unit 14 encrypts the read command by the encryption unit 31, and sends the encrypted read command to the memory device 3. The encryption-decryption unit 24 decrypts the received encrypted read command by the decryption unit 41. Triggered by the receipt completion flag, the switching controllers 15 and 25 select a pattern for transmission of content data. Referring to
To sum up the above, the pattern P1 is selected in the first command transmission, and the pattern P4 is selected in the first transmission of content data in response. The pattern P2 is selected in the second command transmission, and the pattern P3 is selected in the second transmission of content data in response. The pattern P1 is selected in the third command transmission, and the pattern P4 is selected in the third transmission of content data in response. The same processes as the above are repeated from the fourth transmission and onwards.
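The selection rule summarized above can be modelled as two controllers that never exchange selection information and still stay in step. The Python sketch below is an added example, not code from the disclosure: the contents of the selection table T1 are constructed to reproduce the sequence in the summary, wrapping around at the end of the table is an assumption, and the class and function names are hypothetical.

```python
"""Lock-step pattern selection by two switching controllers (illustration only)."""
from collections import Counter

# Pattern -> (unit that encrypts, unit that decrypts), using the text's numerals.
# Units 31 and 42 contain an S-box; units 32 and 41 contain an InvS-box.
PATTERNS = {
    "P1": (31, 41),  # command: host S-box, device InvS-box
    "P2": (32, 42),  # command: host InvS-box, device S-box
    "P3": (42, 32),  # content: device S-box, host InvS-box
    "P4": (41, 31),  # content: device InvS-box, host S-box
}
SBOX_UNITS = {31, 42}

# Rule from the text: content pattern of this transfer fixes the next command pattern.
NEXT_COMMAND = {"P3": "P1", "P4": "P2"}


class DesyncError(Exception):
    """Raised when the two controllers pick different patterns."""


class SwitchingController:
    def __init__(self, table):
        self.table = list(table)     # local copy of selection table T1
        self.reads = 0
        self.command_pattern = "P1"  # first command after power supply

    def select_command(self):
        return self.command_pattern

    def select_content(self):
        # Assumption: the table is reused from the start when exhausted.
        pattern = self.table[self.reads % len(self.table)]
        self.reads += 1
        self.command_pattern = NEXT_COMMAND[pattern]
        return pattern


def pairs_inverse_units(pattern):
    """True if one side uses an S-box unit and the other an InvS-box unit."""
    sender, receiver = PATTERNS[pattern]
    return (sender in SBOX_UNITS) != (receiver in SBOX_UNITS)


def run_session(host_table, device_table, reads):
    """Simulate `reads` read commands; return the agreed pattern sequence."""
    host = SwitchingController(host_table)
    device = SwitchingController(device_table)
    trace = []
    for n in range(1, reads + 1):
        for step in ("select_command", "select_content"):
            h = getattr(host, step)()
            d = getattr(device, step)()
            if h != d:
                # The receiver would decrypt with the wrong unit.
                raise DesyncError(f"read {n}: host chose {h}, device chose {d}")
            trace.append(h)
    return trace


def selection_counts(trace):
    """How often each pattern was used, to check for uneven selection."""
    return Counter(trace)


if __name__ == "__main__":
    T1 = ["P4", "P3"]  # constructed table contents
    print(run_session(T1, T1, 3))
    print(selection_counts(run_session(T1, T1, 4)))
```

If the two copies of the table differ, `run_session` raises `DesyncError` at the first transfer where the receiver would select the wrong unit.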
In the memory system 1 (communication system) according to the present embodiment, the encryption-decryption unit 14 (first encryption-decryption unit) and the encryption-decryption unit 24 (second encryption-decryption unit) selectively switch the pattern P1 (first processing) and the pattern P2 (second processing) in sending a command (first data) from the host device 2 (first communication device) to the memory device 3 (second communication device). According to the pattern P1, the encryption-decryption unit 14 encrypts a command with the S-box circuit of the encryption unit 31 (first non-linear processing unit) to generate an encrypted command (first encrypted data), and the encryption-decryption unit 24 decrypts the encrypted command with the InvS-box circuit of the decryption unit 41 (second inverse non-linear processing unit). According to the pattern P2, the encryption-decryption unit 14 encrypts a command with the InvS-box circuit of the decryption unit 32 (first inverse non-linear processing unit) to generate an encrypted command, and the encryption-decryption unit 24 decrypts the encrypted command with the S-box circuit of the encryption unit 42 (second non-linear processing unit). DPA or CPA attacks mainly target the S-box and the InvS-box circuits of the encryption-decryption units 14 and 24 for analysis of power consumption characteristics. Performing command transmission from the host device 2 to the memory device 3 by selectively switching between the pattern P1, in which the S-box circuit of the encryption unit 31 performs encryption and the InvS-box circuit of the decryption unit 41 performs decryption, and the pattern P2, in which the InvS-box circuit of the decryption unit 32 performs encryption and the S-box circuit of the encryption unit 42 performs decryption, effectively conceals the power consumption characteristics of the encryption-decryption units 14 and 24. Because no RSL or WDDL circuit is needed, an increase in cost is avoided. In consequence, an effective countermeasure against the DPA and CPA attacks is achieved readily and at low cost.
In the memory system 1 according to the present embodiment, the encryption-decryption units 14 and 24 selectively switch the pattern P3 (third processing) and the pattern P4 (fourth processing) in sending content data (second data) from the memory device 3 to the host device 2. According to the pattern P3, the encryption-decryption unit 24 encrypts content data with the S-box circuit of the encryption unit 42 to generate an encrypted content data (second encrypted data), and the encryption-decryption unit 14 decrypts the encrypted content data with the InvS-box circuit of the decryption unit 32. According to the pattern P4, the encryption-decryption unit 24 encrypts content data with the InvS-box circuit of the decryption unit 41 to generate encrypted content data, and the encryption-decryption unit 14 decrypts the encrypted content data with the S-box circuit of the encryption unit 31. Selectively switching the patterns P3 and P4 in transmission of content data from the memory device 3 to the host device 2, as well as in command transmission from the host device 2 to the memory device 3, more effectively conceals power consumption characteristics of the encryption-decryption units 14 and 24.
In the memory system 1 according to the present embodiment, the host device 2 includes the switching controller 15 (first switching controller) that controls switching between the patterns P1 and P2 and between the patterns P3 and P4 by the encryption-decryption unit 14, and the memory device 3 includes the switching controller 25 (second switching controller) that controls switching between the patterns P1 and P2 and between the patterns P3 and P4 by the encryption-decryption unit 24. The switching controllers 15 and 25 synchronously perform switching of patterns in the encryption-decryption unit 14 and switching of patterns in the encryption-decryption unit 24, by which command transmission from the host device 2 to the memory device 3 and transmission of content data from the memory device 3 to the host device 2 are performed appropriately with the selected pattern.
In the memory system 1 according to the present embodiment, the switching controllers 15 and 25 refer to the common selection table T1 in selecting the pattern P3 or P4. Because selection information instructing switching between the patterns P3 and P4 does not need to be sent or received between the host device 2 and the memory device 3, an increase in communication data between the two devices is avoided. The selection table T1 containing an arbitrary rule enables arbitrarily setting the timing and the pattern for switching between the patterns P3 and P4 in advance.
In the memory system 1 according to the present embodiment, the switching controllers 15 and 25 select between the patterns P3 and P4 at every transmission of content data from the memory device 3 to the host device 2. Switching the patterns P3 and P4 frequently conceals power consumption characteristics more effectively.
In the memory system 1 according to the present embodiment, when the pattern P3 is selected in the present transmission of content data, the switching controllers 15 and 25 select the pattern P1 in the next command transmission, and when the pattern P4 is selected in the present transmission of content data, the pattern P2 is selected in the next command transmission. The encryption-decryption unit 24 recognizes which of the patterns P1 and P2 is to be selected in the next command transmission, depending on which of the patterns P3 and P4 is selected in the present transmission of content data. This achieves appropriate decryption of the encrypted command when received from the host device 2 in the next transmission, by the decryption unit 41 or the encryption unit 42.
In the above embodiment, the switching controllers 15 and 25 arbitrarily select between the patterns P3 and P4, while the pattern P1 or P2 to be selected in the next command transmission depends on the selection between the patterns P3 and P4 in the present transmission of content data.
In the present modification, the switching controllers 15 and 25 arbitrarily select between the patterns P1 and P2, as well as between the patterns P3 and P4.
In the present modification, the patterns P3 and P4 are arbitrarily selected at every transmission of content data from the memory device 3 to the host device 2, and the patterns P1 and P2 are arbitrarily selected at every command transmission from the host device 2 to the memory device 3. The selection information is described in the selection table T1. The selection table T1 may contain an arbitrary rule according to which the patterns P1 and P2 and the patterns P3 and P4 are irregularly selected separately. According to the example illustrated in
In a similar way to the above embodiment, the pattern P1 is selected in the first command transmission. Uneven selection of one of the patterns P1 and P2 is preferably avoided. Over a predetermined number of selections, the patterns P1 and P2 are preferably selected in identical proportions. This also applies to the patterns P3 and P4.
In the memory system 1 according to the present modification, the switching controllers 15 and 25 arbitrarily select between the patterns P1 and P2 in the next command transmission, irrespective of which of the patterns P3 and P4 is selected in the present transmission of content data. Without constraints between selection between the patterns P3 and P4 in the present transmission of content data and selection between the patterns P1 and P2 in the next command transmission, the patterns P1 and P2 are arbitrarily selected in the next command transmission, which in consequence conceals power consumption characteristics more effectively.
In the memory system 1 according to the present modification, the switching controllers 15 and 25 refer to the common selection table T1 in selecting between the patterns P1 and P2. Because selection information instructing switching between the patterns P1 and P2 does not need to be sent or received between the host device 2 and the memory device 3, an increase in communication data between the two devices is avoided. The selection table T1 containing an arbitrary rule enables arbitrarily setting the timing and the pattern for switching between the patterns P1 and P2 in advance.
In the above embodiment, the switching controller 25 refers to the selection table T1 to select between the patterns P3 and P4.
In the present modification, the encryption-decryption unit 14 sends first selection information for selection between the patterns P3 and P4 along with the encrypted command to the memory device 3, and the switching controller 25 selects between the patterns P3 and P4 on the basis of the first selection information extracted from the received encrypted command.
The encryption-decryption unit 24 decrypts the received encrypted command TD and then extracts the first selection information SS1. The switching controller 25 selects the pattern P3 or P4 to be used in transmission of content data in response to the present read command RC on the basis of the first selection information SS1. Then the encryption-decryption unit 24 sends content data read from the memory array 23 in accordance with the pattern P3 or P4 selected on the basis of the first selection information SS1 to the host device 2.
In the memory system 1 according to the present modification, the switching controller 25 selects the pattern P3 or P4 on the basis of the first selection information SS1 extracted from the encrypted command TD. This enables arbitrarily setting the timing and the pattern for switching between the patterns P3 and P4 by the CPU 11 of the host device 2.
In Modification 2, the CPU 11 arbitrarily selects between the patterns P3 and P4. The CPU 11 may arbitrarily select between the patterns P1 and P2, as well as between the patterns P3 and P4.
The encryption-decryption unit 24 decrypts the received encrypted command TD and then extracts the first selection information SS1 and the second selection information SS2. The switching controller 25 selects the pattern P3 or P4 to be used in transmission of content data in response to the present read command RC on the basis of the first selection information SS1. Then the encryption-decryption unit 24 sends content data read from the memory array 23 in accordance with the pattern P3 or P4 selected on the basis of the first selection information SS1 to the host device 2. On completion of transmission of content data, the switching controller 25 selects the pattern P1 or P2 to be used in the next command transmission on the basis of the second selection information SS2.
In the memory system 1 according to the present modification, the switching controller 25 selects the pattern P1 or P2 on the basis of the second selection information SS2 on completion of processing in response to the present command. This enables the encryption-decryption unit 24 to appropriately decrypt an encrypted command when received from the host device 2 in the next transmission by the decryption unit 41 or the encryption unit 42. The CPU 11 arbitrarily selects the combination of the pattern P3 or P4 for processing in response to the present command and the pattern P1 or P2 for receiving the next command. This conceals power consumption characteristics more effectively.
In the above embodiment, the switching controllers 15 and 25 refer to the selection table T1 in selecting the pattern P1 or P2 in command transmission, and refer to the selection table T1 in selecting the pattern P3 or P4 in transmission of content data.
In the present modification, the switching controllers 15 and 25 perform selection between the patterns P1 and P2 and selection between the patterns P3 and P4 separately on the basis of a common counter value.
In the memory system 1 according to the present modification, the switching controllers 15 and 25 perform selection between the patterns P1 and P2 and selection between the patterns P3 and P4, on the basis of a counter value output from the common counter 50. No need for selection information for instruction of switching between the patterns P1 and P2 and between the patterns P3 and P4 to be sent/received between the host device 2 and the memory device 3 helps avoid increase in communication data between the two devices. The setting timing based on a counter value varies at each communication, and thus by employing the counter value, the patterns P1 and P2 and the patterns P3 and P4 are switched irregularly. In consequence, power consumption characteristics are concealed more effectively.
In the above embodiment, the switching controllers 15 and 25 refer to the selection table T1 in selecting the pattern P1 or P2 in command transmission, and refer to the selection table T1 in selecting the pattern P3 or P4 in transmission of content data.
In the present modification, the switching controllers 15 and 25 perform selection between the patterns P1 and P2 and selection between the patterns P3 and P4 separately on the basis of a common random number value.
In the memory system 1 according to the present modification, the switching controllers 15 and 25 perform selection between the patterns P1 and P2 and selection between the patterns P3 and P4, on the basis of a random number value output from the common random number generator 60. No need for selection information for instruction of switching between the patterns P1 and P2 and between the patterns P3 and P4 to be sent/received between the host device 2 and the memory device 3 helps avoid increase in communication data between the two devices. By employing a random number value, the patterns P1 and P2 and the patterns P3 and P4 are switched irregularly. In consequence, power consumption characteristics are concealed more effectively.
In the above embodiment, the encryption unit or the decryption unit belonging to a non-selected pattern receives no command and no content data in command transmission and transmission of content data, and the non-selected encryption unit or decryption unit does not perform encryption of a command and content data.
In the present modification, the encryption unit or the decryption unit belonging to a non-selected pattern also receives a command and content data, and performs encryption.
In command transmission, a command issued by the CPU 11 is input to the encryption unit 31 and the decryption unit 32. The encryption unit 31 and the decryption unit 32 encrypt the received command, and input the encrypted command to the buffer circuits 71 and 72, respectively. If the pattern P1 is selected, the encrypted command stored in the buffer circuit 71 is sent to the memory device 3, while if the pattern P2 is selected, the encrypted command stored in the buffer circuit 72 is sent to the memory device 3. The encryption-decryption unit 14 discards the encrypted command stored in the buffer circuit 71 or 72 belonging to the non-selected pattern.
In transmission of content data, content data read from the memory array 23 is input to the decryption unit 41 and the encryption unit 42. The decryption unit 41 and the encryption unit 42 encrypt the received content data, and input the encrypted content data to the buffer circuits 73 and 74, respectively. If the pattern P3 is selected, the encrypted content data stored in the buffer circuit 74 is sent to the host device 2, while if the pattern P4 is selected, the encrypted content data stored in the buffer circuit 73 is sent to the host device 2. The encryption-decryption unit 24 discards the encrypted content data stored in the buffer circuit 73 or 74 belonging to the non-selected pattern.
In the memory system 1 according to the present modification, in command transmission, the encryption-decryption unit 14 dummy-drives the decryption unit 32 if the pattern P1 is selected, while it dummy-drives the encryption unit 31 if the pattern P2 is selected. In transmission of content data, the encryption-decryption unit 24 dummy-drives the decryption unit 41 if the pattern P3 is selected, while it dummy-drives the encryption unit 42 if the pattern P4 is selected. Dummy-driving the encryption unit or the decryption unit belonging to the non-selected pattern generates largely-distributed power consumption noise by the non-selected encryption unit or decryption unit. In consequence, this power consumption noise effectively conceals the power consumption characteristics of the selected encryption unit and the non-linear processing unit.
In the above embodiment, the encryption-decryption units 14 and 24 employ the common key K0 for both of the patterns P1 and P2 in command transmission and employ the common key K0 for both of the patterns P3 and P4 in transmission of content data.
In the present modification, the encryption-decryption units 14 and 24 employ common keys that differ between the patterns P1 and P2 in command transmission, and employ common keys that differ between the patterns P3 and P4 in transmission of content data.
In command transmission, the encryption-decryption units 14 and 24 employ one of the first common key K1 and the second common key K2 if the pattern P1 is selected, while they employ the other if the pattern P2 is selected. Employing different common keys K1 and K2 in the patterns P1 and P2 effectively makes analysis by a third party difficult.
In transmission of content data, the encryption-decryption units 14 and 24 employ one of the first common key K1 and the second common key K2 if the pattern P3 is selected, while they employ the other if the pattern P4 is selected. Employing different common keys K1 and K2 in the patterns P3 and P4 effectively makes analysis by a third party difficult.
The above description is an example of applying embodiments of the present disclosure to the memory system 1 including the host device 2 and the memory device 3. The present disclosure is applicable to any arbitrary communication system where secure communication is realized by encryption between a first and a second communication device configured to be connected to each other. For example, the present disclosure is applicable to the following:
While the invention has been described in detail, the foregoing description is in all aspects illustrative and not restrictive. It is understood that numerous other modifications and variations can be devised without departing from the scope of the invention.
Number | Date | Country | Kind |
---|---|---|---|
2017-250596 | Dec 2017 | JP | national |