The present invention relates to a cryptographic operation processing circuit, and more particularly, to a cryptographic operation processing circuit comprising a means for preventing analysis of secret data, such as an encryption key or the like.
Recently, with the development of electronic commerce, automatic ticket gates and the like that employ IC cards, and mobile telephones with IC card functions or the like, it is important to ensure the security of IC cards and similar devices.
However, methods have been found in which, by observing and analyzing power consumption (consumed current) when an IC card is performing a cryptographic operation process, an encryption key or details of the cryptographic operation process in the IC card are analyzed. Representative examples of such an analysis means include simple power analysis (SPA), in which variations in consumed current are directly used for analysis, differential power analysis (DPA), in which a secret encryption key is estimated by performing a statistical process with respect to observed data, and the like.
In order to address the conventional simple power analysis, there are known methods in which a dummy process for changing the timing of a cryptographic operation procedure is inserted in a normal process or a consumed current is changed on a time axis by changing an operation clock cycle. In these methods, the procedure or timing of a cryptographic operation process is changed every time it is performed, so that a consumed current waveform is changed as viewed on the time axis. Therefore, data-dependent analysis in which current waveforms are compared on the time axis is substantially disabled, thereby achieving security (see Patent Document 1).
In order to address the conventional differential power analysis, there is a known method in which a noise generating circuit superimposes a noise current onto a consumed current of a normal process. In this technique, even when the same operation is performed a plurality of times, resultant current waveforms differ from each other, thereby making it difficult to perform differential analysis to achieve security (see Patent Document 2).
If dummy processes for changing the timing of a cryptographic operation procedure are added to an excessively large extent so as to address simple power analysis, the time required to complete the execution of a cryptographic operation becomes long, so that the performance of the cryptographic operation process is significantly reduced. Conversely, if dummy processes for changing the timing of a cryptographic operation procedure are added only to a small extent, the reduction in the performance of the cryptographic operation process is small. In this case, however, variations in the current waveform of the normal cryptographic process are easily observed from the outside.
In the case of the technique of changing a consumed current on a time axis by changing an operation clock cycle so as to address simple power analysis, information such as the clock cycle is easily observed from the outside, and an observed current waveform can be analyzed and restored to a current waveform having a constant clock cycle by digital signal processing.
In the case of the technique of superposing a noise current onto a consumed current of a normal process by a noise generating circuit so as to address differential power analysis, a physical position at which a current is consumed inside an LSI can be identified by a recent LSI analysis technique, such as liquid crystal analysis, light emission analysis or the like. With liquid crystal analysis, a change in current at a specific location can be observed as a change in transmittance of liquid crystal, so that current analysis can be performed.
To solve the above-described problem, a cryptographic operation processing circuit according to the present invention comprises a memory for storing data for a cryptographic operation, an operator for operating the cryptographic operation data, a register for temporarily storing input/output data of the operator, a cryptographic control circuit for receiving a cryptographic operation instruction and controlling the memory, the operator and the register so as to perform a cryptographic process with respect to the cryptographic operation data, and a dummy operation instruction circuit for receiving an operation completion signal indicating that execution of the cryptographic operation instruction has been ended, and issuing a dummy operation instruction for operating the memory, the operator and the register to the cryptographic control circuit.
In the cryptographic operation processing circuit of the present invention, the dummy operation instruction circuit issues a dummy operation instruction for operating a memory, an operator or a register after execution of a cryptographic operation instruction from a CPU or the like, though they are normally inactivated for that period, so that the memory, the operator or the register is operated as in the case of a cryptographic operation instruction and a current is consumed. Therefore, it is difficult to identify timing of the end, start and the like of a cryptographic operation process based on the magnitude of a consumed current, resulting in an improvement in security. The dummy operation instruction is issued only for a period of time for which the cryptographic operation instruction is not issued from the CPU or the like, i.e., the issuance of the cryptographic operation instruction from the CPU or the like is not delayed. Therefore, the performance of the cryptographic operation process is not deteriorated.
Hereinafter, a best mode for carrying out the present invention will be described with reference to the accompanying drawings. Note that the same or like parts are indicated by the same reference numerals and will not be repeatedly described.
The dummy operation instruction circuit 100 recognizes that a cryptographic operation is started, based on a cryptographic operation instruction 111 output from a CPU 109, and thereafter, receives an operation completion signal 114 indicating that the execution of the cryptographic operation instruction 111 has been ended, and outputs a cryptographic operation completion signal 112 to the CPU 109 and issues a dummy operation instruction 113 to the cryptographic control circuit 101. Thereafter, the dummy operation instruction circuit 100, when receiving the operation completion signal 114 also indicating that the execution of the dummy operation instruction 113 has been ended and recognizing that a dummy operation has been completed, issues the dummy operation instruction 113 again. The issuance of the dummy operation instruction 113 is repeated until the cryptographic operation instruction 111 is newly issued from the CPU 109.
The cryptographic control circuit 101 receives the cryptographic operation instruction 111 from the CPU 109 or the dummy operation instruction 113 from the dummy operation instruction circuit 100, and outputs a memory A control signal 115, a memory B control signal 120, an operator control signal 118, a register A control signal 116, a register B control signal 117, and a register C control signal 119 so as to control the memory A 103, the memory B 104, the operator 105, the register A 106, the register B 107, and the register C 108. Also, the cryptographic control circuit 101, when the execution of the cryptographic operation instruction 111 or the dummy operation instruction 113 has been ended, outputs the operation completion signal 114. When the cryptographic operation instruction 111 is issued from the CPU 109 during the execution of a process of the dummy operation instruction 113, the control by the dummy operation instruction 113 is forcibly ended, and the process of the cryptographic operation instruction 111 is started.
The memory A 103 is, for example, a memory that is in synchronization with a falling edge of a clock 110 and outputs memory A output data 121 from an address indicated by the memory A control signal 115 from the cryptographic control circuit 101.
The memory B 104 is, for example, a memory that is in synchronization with a falling edge of the clock 110 and writes register C output data 125 to an address indicated by the memory B control signal 120 from the cryptographic control circuit 101.
The operator 105 is a combinational circuit that receives register A output data 122 and register B output data 123, performs an operation in accordance with the operator control signal 118, and outputs the result to operator output data 124.
The register A 106 receives the memory A output data 121, and when the register A control signal 116 from the cryptographic control circuit 101 is effective, holds and outputs the memory A output data 121 to the register A output data 122.
The register B 107 receives the memory A output data 121, and when the register B control signal 117 from the cryptographic control circuit 101 is effective, holds and outputs the memory A output data 121 to the register B output data 123.
The register C 108 receives the operator output data 124, and when the register C control signal 119 from the cryptographic control circuit 101 is effective, holds and outputs the operator output data 124 to the register C output data 125.
The CPU 109 issues the cryptographic operation instruction 111 to the cryptographic control circuit 101 to cause the cryptographic control circuit 101 to perform a cryptographic operation process, and also receives the cryptographic operation completion signal 112 from the dummy operation instruction circuit 100 to recognize the end of a cryptographic operation process.
The cryptographic control circuit 101 decodes instruction 1 to read data D1 and data D2 from address A1 and address A2 of the memory A 103, and inputs data D1 to the register A 106 and data D2 to the register B 107. A memory A consumed current II is a consumed current caused by the memory A 103 performing a read operation and has a consumed current waveform corresponding to a read operation of address A1 and address A2.
The cryptographic control circuit 101 decodes instruction 1 to output operation 1 as the operator control signal 118. In this example, operation 1 is assumed to be an instruction that requires at least five clock cycles until an output result is settled. The operator 105 operates output D1 of the register A output data 122 and output D2 of the register B output data 123, and after three clock cycles, outputs DA as the operator output data 124. An operation section consumed current II is changed every time data is input to the register A 106 and the register B 107 that are input registers for the operator 105 that is a combinational circuit, and is consumed for three clock cycles even after values of the register A 106 and the register B 107 are settled, since an operation is executed for that period of time.
The cryptographic control circuit 101 decodes instruction 1 and outputs the register C control signal 119 for inputting an operation result to the register C 108 with timing when operation 1 is ended, so that DA is stored to the register C 108. Thereafter, the cryptographic control circuit 101 decodes instruction 1 and issues the memory B control signal 120, so that DA that is the register C output data 125 is stored into address AA of the memory B 104. A memory B consumed current II is a consumed current caused by a write operation to the memory B 104, and has a consumed current waveform corresponding to a write operation to address AA.
Thereafter, the cryptographic control circuit 101 outputs the operation completion signal 114 indicating the end of the execution of instruction 1 from the CPU 109, to the dummy operation instruction circuit 100.
The dummy operation instruction circuit 100 recognizes that a cryptographic operation for instruction 1 has been started, based on the cryptographic operation instruction 111 output from the CPU 109, and thereafter, receives the operation completion signal 114 that is a signal indicating the end of instruction 1, and outputs the cryptographic operation completion signal 112 to the CPU 109. A period of time from the start to the end of the cryptographic operation of instruction 1 is hereinafter defined as a “cryptographic operation process 1” period.
In the CPU 109, several tens of clock cycles are required as a program processing period so as to issue instruction 2 that is a new cryptographic operation instruction 111 after receiving the cryptographic operation completion signal 112. Note that, in
The dummy operation instruction circuit 100 issues instruction G as the dummy operation instruction 113 to the cryptographic control circuit 101. It is here assumed that instruction G is an instruction that is fixedly output from the dummy operation instruction circuit 100, and with which data d1 and data d2 are read out from address a1 and address a2 of the memory A 103, respectively, data d1 and data d2 are stored into the register A 106 and the register B 107, respectively, a required operation is performed in the operator 105 for two clock cycles until an output result is settled, dx is stored as an operation result into the register C 108, dx is stored at address ax of the memory B 104, and thereafter, the operation completion signal 114 is output to the dummy operation instruction circuit 100, and a process of instruction G is thus completed. Note that a write to address ax, at which data is stored by the memory B control signal 120, must not destroy a memory space that is used by the cryptographic operation instruction 111 or the like, and therefore, an address that is not used by the CPU 109 is used as the address for storing data.
In accordance with the operation completion signal 114 indicating that the execution of the dummy operation instruction 113 has been ended, the dummy operation instruction circuit 100 repeatedly issues the dummy operation instruction 113 until the cryptographic operation instruction 111 is newly issued from the CPU 109. In the example of
In
As described above, in the cryptographic operation processing circuit of
Further, the dummy operation instruction 113 is issued only for a period of time for which the cryptographic operation instruction 111 from the CPU 109 or the like is not issued. Thus, since the issuance of the cryptographic operation instruction 111 from the CPU 109 or the like is not delayed, the performance of the cryptographic operation process is not deteriorated.
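The scheduling behaviour described above can be checked with a small instruction-level model. This is an added example, not part of the patent text; the issue cycles, instruction durations and the six-cycle length of instruction G are constructed values, and the CPU is assumed not to issue a new instruction while one is still executing.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Instr:
    issue_cycle: int  # cycle at which the CPU issues instruction 111
    duration: int     # clock cycles the control circuit needs to execute it


def simulate(cpu_program, total_cycles, dummy_duration=None):
    """Model the cryptographic control circuit cycle by cycle.

    Returns (trace, crypto_starts, completions). trace[c] is 'C' while a
    cryptographic operation instruction executes, 'D' while a dummy operation
    instruction executes and '.' while the operational resources are idle.
    dummy_duration=None models a circuit without the dummy operation
    instruction circuit.
    """
    pending = {i.issue_cycle: i for i in cpu_program}
    trace, crypto_starts, completions = [], [], []
    kind, remaining = None, 0
    armed = False  # becomes True once a cryptographic instruction has been seen
    for cycle in range(total_cycles):
        instr = pending.get(cycle)
        if instr is not None:
            # A CPU instruction always wins: a running dummy operation is
            # forcibly ended and the cryptographic operation starts at once.
            kind, remaining = "C", instr.duration
            armed = True
            crypto_starts.append(cycle)
        elif remaining == 0 and armed and dummy_duration is not None:
            # Operation completion signal 114 received: issue dummy again.
            kind, remaining = "D", dummy_duration
        if remaining > 0:
            trace.append(kind)
            remaining -= 1
            if remaining == 0 and kind == "C":
                completions.append(cycle)  # completion signal 112 to the CPU
        else:
            trace.append(".")
    return "".join(trace), crypto_starts, completions


def activity_edges(trace):
    """Cycles where the circuit switches between idle and active, i.e. the
    boundaries that are visible from the magnitude of the current alone."""
    return [c for c in range(1, len(trace))
            if (trace[c] == ".") != (trace[c - 1] == ".")]


# Constructed program: two instructions separated by a CPU processing gap.
PROGRAM = [Instr(issue_cycle=2, duration=9), Instr(issue_cycle=31, duration=9)]

if __name__ == "__main__":
    for label, dummy in (("without dummy", None), ("with dummy   ", 6)):
        trace, starts, done = simulate(PROGRAM, 45, dummy)
        print(label, trace, "starts", starts, "edges", activity_edges(trace))
```

The start and completion cycles of the cryptographic instructions are identical in both runs, while the idle/active edges that mark the end of each operation disappear once the dummy instruction is repeated.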
Although it has been assumed above that the dummy operation instruction 113 is fixed and invariably the same, the same instruction as the cryptographic operation instruction 111 immediately previously issued from the CPU 109 may be issued as the dummy operation instruction 113. Thereby, even when the execution of the cryptographic operation instruction 111 is ended, the dummy operation instruction 113 having the same consumed current waveform is executed, so that it is difficult to analyze the timing of the end of execution of the cryptographic operation instruction 111, resulting in a further improvement in security against current analysis.
Note that the memory A 103 and the memory B 104 may be the same memory. Further, the operator 105 may have three or more inputs, and three or more registers for holding the input data may be provided. Further, the operator 105 may be comprised of a plurality of operational elements, such as an adder, a multiplier, and the like.
The cryptographic operation instruction storing circuit 400 stores the cryptographic operation instruction 111 output by the CPU 109 as cryptographic operation instruction history information 402.
The dummy operation instruction generating circuit 401 receives the operation completion signal 114 that is a signal indicating the end of execution of the cryptographic operation instruction 111, and generates the dummy operation instruction 113 based on the cryptographic operation instruction history information 402 output from the cryptographic operation instruction storing circuit 400.
In
The dummy operation instruction generating circuit 401 receives the operation completion signal 114 that is a signal indicating that the execution of the cryptographic operation instruction 111 has been ended, and scans the cryptographic operation instructions 111 stored in slot 1 to slot 5 to recognize that there are two multiplications where 160 bits are input, two additions where 160 bits are input, and one subtraction where 160 bits are input. The multiplications and the additions have the same frequency of occurrence (the number of times). In slot 1, which holds the most recently issued instruction, a multiplication is stored. Therefore, an addition is selected, i.e., slot 4 is selected, so that based on the cryptographic operation instruction 111 of slot 4, the dummy operation instruction 113 is generated in which an addition where data of 160 bits in length is input from each of address 0 and address 1 and the result is output to address AX, is performed. A write to address AX must not destroy a memory space that is used by the cryptographic operation instruction 111 or the like, and therefore, an address that is not used by the CPU 109 is used as the data storing address.
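The selection rule in this paragraph, written out as an added example (not part of the patent text). The slot contents other than slot 1 (multiplication) and slot 4 (addition from address 0 and address 1) are constructed, the value used for address AX is a placeholder, and picking the most recent slot of the chosen operation type is an assumption, since the text does not say how slot 4 is preferred over the other addition.

```python
from collections import Counter
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class CryptoInstr:
    op: str     # 'mul', 'add' or 'sub'
    bits: int   # operand length
    src_a: int  # first input address
    src_b: int  # second input address
    dst: int    # result address


DUMMY_DST = 0xFF  # placeholder for address AX (assumed unused by the CPU)

# Constructed history; index 0 is slot 1, the most recently issued instruction.
SLOTS = [
    CryptoInstr("mul", 160, 4, 5, 6),  # slot 1
    CryptoInstr("sub", 160, 6, 3, 7),  # slot 2
    CryptoInstr("mul", 160, 2, 3, 4),  # slot 3
    CryptoInstr("add", 160, 0, 1, 2),  # slot 4
    CryptoInstr("add", 160, 1, 2, 3),  # slot 5
]


def select_slot(slots):
    """Return the 1-based slot number the dummy instruction is built from.

    The most frequent operation type wins. On a tie, the type of the most
    recently issued instruction (slot 1) is avoided, as in the text.
    """
    counts = Counter(s.op for s in slots)
    top = max(counts.values())
    candidates = [op for op, n in counts.items() if n == top]
    if len(candidates) > 1:
        others = [op for op in candidates if op != slots[0].op]
        candidates = others or candidates
    # Assumption: among matching slots, take the most recent one.
    for number, instr in enumerate(slots, start=1):
        if instr.op in candidates:
            return number
    raise ValueError("empty instruction history")


def make_dummy(slots, dummy_dst=DUMMY_DST):
    """Build dummy operation instruction 113 from the selected slot, with the
    result redirected so that no live data of the CPU is overwritten."""
    used = {a for s in slots for a in (s.src_a, s.src_b, s.dst)}
    if dummy_dst in used:
        raise ValueError("dummy result address collides with CPU data")
    return replace(slots[select_slot(slots) - 1], dst=dummy_dst)


if __name__ == "__main__":
    print("selected slot:", select_slot(SLOTS))
    print("dummy instruction:", make_dummy(SLOTS))
```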
As described above, in the configuration of
Note that the dummy operation instruction generating circuit 401 may randomly select a cryptographic operation instruction 111 from the stored cryptographic operation instructions 111 and issue it as the dummy operation instruction 113. Thereby, even when current analysis is performed, it is difficult to distinguish the execution of successively issued cryptographic operation instructions 111 from the execution of a past cryptographic operation instruction 111 randomly selected as the dummy operation instruction 113, resulting in a further improvement in security against current analysis.
Also, the cryptographic operation instruction storing circuit 400 may be comprised of a non-volatile memory. Thereby, cryptographic operation instructions 111 successively issued from the CPU 109 or the like are stored in the non-volatile memory. Therefore, a history of past cryptographic operation instructions 111 can be stored after power-off, and a cryptographic operation instruction 111 is selected from the stored cryptographic operation instructions 111 and is issued as the dummy operation instruction 113. Therefore, even in the case of a current analysis technique in which, for example, a sequence of power-on, execution of a cryptographic operation, and power-off is repeatedly executed to observe changes in current waveform, it is difficult to distinguish the execution of a cryptographic operation instruction 111 from the execution of a past cryptographic operation instruction 111 as the dummy operation instruction 113, resulting in a further improvement in security against current analysis.
Although it has been assumed above that the number of slots in the cryptographic operation instruction storing circuit 400 is five, the number of slots may be increased or decreased.
A period of time for which the memories 103 and 104, the operator 105, and the registers 106, 107 and 108 are inactivated exists in some clock cycle units even when a cryptographic operation instruction 111 from the CPU 109 or the like is being executed. Also, even when the dummy operation instruction 113 is being executed, a period of time for which the memories 103 and 104, the operator 105, and the registers 106, 107 and 108 are inactivated exists in some clock cycle units. In view of this, in the following example, the operational resources 103 to 108 are invariably operated to consume a current, resulting in a further improvement in security against current analysis.
The normal control circuit 601 receives the cryptographic operation instruction 111 or the dummy operation instruction 113, and outputs to the selector 603 a normal control circuit memory A control signal 604, a normal control circuit register A control signal 605, a normal control circuit register B control signal 606, a normal control circuit operator control signal 607, a normal control circuit register C control signal 608, and a normal control circuit memory B control signal 609 (these control signals are hereinafter referred to as normal control signals). Further, when a control by the cryptographic operation instruction 111 or the dummy operation instruction 113 has been ended, the normal control circuit 601 outputs the operation completion signal 114 to the dummy operation instruction circuit 100.
The dummy control circuit 602 outputs to the selector 603 a dummy control circuit memory A control signal 610, a dummy control circuit register A control signal 611, a dummy control circuit register B control signal 612, a dummy control circuit operator control signal 613, a dummy control circuit register C control signal 614, and a dummy control circuit memory B control signal 615 (these control signals are hereinafter referred to as dummy control signals).
The operation status notification circuit 600 outputs to the selector 603 a 6-bit operation status notification signal [5:0] 616 indicating a clock cycle period for which the normal control signal from the normal control circuit 601 does not need to occupy the memory A 103, the memory B 104, the operator 105, the register A 106, the register B 107, or the register C 108 even when the cryptographic operation instruction 111 or the dummy operation instruction 113 is being executed.
Based on the operation status notification signal [5:0] 616, the selector 603 selects the memory A control signal 115 from the normal control circuit memory A control signal 604 or the dummy control circuit memory A control signal 610 using an operation status notification signal [0], the register A control signal 116 from the normal control circuit register A control signal 605 or the dummy control circuit register A control signal 611 using an operation status notification signal [1], the register B control signal 117 from the normal control circuit register B control signal 606 or the dummy control circuit register B control signal 612 using an operation status notification signal [2], the operator control signal 118 from the normal control circuit operator control signal 607 or the dummy control circuit operator control signal 613 using an operation status notification signal [3], the register C control signal 119 from the normal control circuit register C control signal 608 or the dummy control circuit register C control signal 614 using an operation status notification signal [4], and the memory B control signal 120 from the normal control circuit memory B control signal 609 or the dummy control circuit memory B control signal 615 using an operation status notification signal [5].
Next, an operation of the thus-configured cryptographic operation processing circuit will be described with reference to
The operation status notification signal [0] 616 is such that, as a result of decoding of the cryptographic operation instruction 111, the normal control circuit memory A control signal 604 is selected for two clock cycles, and the dummy control circuit memory A control signal 610 is selected for the other clock cycles. The normal control circuit memory A control signal 604 is a read signal for address A1 and address A2, and the dummy control circuit memory A control signal 610 outputs read signals for address A6 to address A16 that are incremented every clock.
The selector 603 outputs the memory A control signal 115 that accesses the memory A 103 every clock cycle from the normal control circuit memory A control signal 604 or the dummy control circuit memory A control signal 610 based on the operation status notification signal [0] 616. In accordance with the memory A control signal 115, the memory A output data 121 is read out from the memory A 103, and as a result, a consumed current waveform that consumes a current every clock cycle, such as a memory A consumed current III, is obtained.
The operation status notification signal [1] 616 is such that, as a result of decoding of the cryptographic operation instruction 111, the normal control circuit register A control signal 605 is selected for six clock cycles, and the dummy control circuit register A control signal 611 is selected for the other clock cycles. The normal control circuit register A control signal 605 is a signal for storing value D1 from the memory A output data 121 into the register A 106. The dummy control circuit register A control signal 611 outputs a signal that is invariably at a High level so as to input the memory A output data 121 to the register A 106 every clock cycle.
The operation status notification signal [2] 616 is such that, as a result of decoding of the cryptographic operation instruction 111, the normal control circuit register B control signal 606 is selected for five clock cycles, and the dummy control circuit register B control signal 612 is selected for the other clock cycles. The normal control circuit register B control signal 606 is a signal for storing value D2 from the memory A output data 121 into the register B 107. The dummy control circuit register B control signal 612 outputs a signal that is invariably at a High level so as to input the memory A output data 121 to the register B 107 every clock cycle.
Based on the operation status notification signal [1] 616, the selector 603 outputs the register A control signal 116 so that data D6, data D7, data D1, data D14, data D15, and data D16 from the memory A output data 121 are input to the register A 106. Also, based on the operation status notification signal [2] 616, the selector 603 outputs the register B control signal 117 so that data D6, data D7, data D1, data D2, data D14, data D15, data D16 from the memory A output data 121 are input to the register B 107.
The operation status notification signal [3] 616 is such that, as a result of decoding of the cryptographic operation instruction 111, the normal control circuit operator control signal 607 is selected for five clock cycles, and the dummy control circuit operator control signal 613 is selected for the other clock cycles. The normal control circuit operator control signal 607 is a signal for causing the operator 105 to execute operation 1 where value D1 from the register A output data 122 and value D2 from the register B output data 123 are input. The dummy control circuit operator control signal 613 is a signal for causing the operator 105 to operate where the register A output data 122 and the register B output data 123 are input. In this example, a signal for executing each of operation 0 to operation 10 in units of a clock cycle is output.
The operation status notification signal [4] 616 is such that, as a result of decoding of the cryptographic operation instruction 111, the normal control circuit register C control signal 608 is selected for one clock cycle, and the dummy control circuit register C control signal 614 is selected for the other clock cycles. The normal control circuit register C control signal 608 is a signal for storing value DA that is a result of an operation from the operator output data 124 into the register C 108. The dummy control circuit register C control signal 614 outputs a signal that is invariably at a High level so as to input the operator output data 124 to the register C 108 every clock cycle.
Based on the operation status notification signal [3] 616, the selector 603 outputs the operator control signal 118 for causing the operator 105 to execute operation 0, operation 1, operation 2, operation 1, operation 8, operation 9, and operation 10 where the memory A output data 122 and the memory B output data 123 are input to the operator 105. Also, based on the operation status notification signal [4] 616, the selector 603 outputs the register C control signal 119 for inputting the operator output data 124 to the register C 108 every clock cycle. By the operator control signal 118 and the register C control signal 119, an operation is executed in the operator 105 every clock cycle, and a result of the operation is stored into the register C 108, so that a consumed current waveform in which a current is consumed every clock cycle, such as an operation section consumed current III, is obtained.
The operation status notification signal [5] 616 is such that, as a result of decoding of the cryptographic operation instruction 111, the normal control circuit memory B control signal 609 is selected for one clock cycle, and the dummy control circuit memory B control signal 615 is selected for the other clock cycles. The normal control circuit memory B control signal 609 is a signal for writing the register C output data value DA to address AA of the memory B 104. The dummy control circuit memory B control signal 615 is a signal for writing the register C output data 125 to the fixed address AX of memory B 104 every clock. Regarding the write operation to the memory B 104 in accordance with the dummy control circuit memory B control signal 615, data required for the cryptographic operation instruction 111 or the like is likely to be overwritten at some addresses, and therefore, address AX that is not used by the CPU 109 is used as an address for storing data.
Based on the operation status notification signal [5] 616, the selector 603 outputs the memory B control signal 120 in accordance with which write is performed from the normal control circuit memory B control signal 609 or the dummy control circuit memory B control signal 615 to the memory B 104 every clock cycle. In accordance with the memory B control signal 120, the register C output data 125 is written to the memory B 104, and as a result, a consumed current waveform in which a current is consumed every clock cycle, such as the memory B consumed current III, is obtained.
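A cycle-level model of the selector 603 reproduces the sequences given in the preceding paragraphs. This is an added example, not part of the patent text: the number of cycles for which each status bit selects the normal control signal (2, 6, 5, 5, 1, 1) is taken from the description, while the exact cycle positions, the 11-cycle window and the symbolic data values are constructed.

```python
CYCLES = 11  # window covering dummy addresses A6..A16 and operations 0..10

# Cycles in which each operation status notification bit selects the NORMAL
# control signal (positions constructed for this example).
NORMAL = {
    "memA": {2, 3},               # bit [0]: read A1, A2
    "regA": {2, 3, 4, 5, 6, 7},   # bit [1]: load D1 once, then hold
    "regB": {3, 4, 5, 6, 7},      # bit [2]: load D2 once, then hold
    "op":   {3, 4, 5, 6, 7},      # bit [3]: operation 1
    "regC": {7},                  # bit [4]: latch DA
    "memB": {8},                  # bit [5]: write DA to address AA
}
NORMAL_READ = {2: "A1", 3: "A2"}
NORMAL_LOAD = {"regA": {2}, "regB": {3}, "regC": {7}}


def run(use_dummy=True):
    """Simulate one instruction; use_dummy=False leaves unselected cycles idle."""
    reg = {"regA": None, "regB": None, "regC": None}
    mem_b = {}
    log = {"addrA": [], "regA": [], "regB": [], "ops": [], "writes": []}
    for t in range(CYCLES):
        normal = {name: t in cycles for name, cycles in NORMAL.items()}

        # Memory A: normal address, or the dummy address counter A6, A7, ...
        if normal["memA"]:
            addr = NORMAL_READ[t]
        else:
            addr = f"A{6 + t}" if use_dummy else None
        data = "D" + addr[1:] if addr else None
        log["addrA"].append(addr)

        # Operator: operation 1, or the dummy operation counter 0, 1, 2, ...
        if normal["op"]:
            k = 1
        else:
            k = t if use_dummy else None
        result = None if k is None else f"op{k}({reg['regA']},{reg['regB']})"
        log["ops"].append(k)

        # Memory B writes the value register C holds during this cycle.
        if normal["memB"]:
            dst = "AA"
        else:
            dst = "AX" if use_dummy else None
        if dst:
            mem_b[dst] = reg["regC"]
        log["writes"].append(dst)

        # Clock edge: dummy enables are always High, normal enables load once.
        for name, source in (("regA", data), ("regB", data), ("regC", result)):
            load = (t in NORMAL_LOAD[name]) if normal[name] else use_dummy
            if load:
                reg[name] = source
                if name != "regC":
                    log[name].append(source)
    return log, mem_b


def collapse(seq):
    """Drop consecutive repeats, the way the text lists the operations."""
    return [x for i, x in enumerate(seq) if i == 0 or x != seq[i - 1]]


def busy(log, key):
    """Number of cycles in which the resource was driven."""
    return sum(x is not None for x in log[key])


if __name__ == "__main__":
    log, mem_b = run()
    print(log["addrA"], log["regA"], log["regB"], collapse(log["ops"]), mem_b)
```

With the dummy control signals selected in every free cycle, memory A, the operator and memory B are driven in all 11 cycles, yet the value written to address AA is the same as in the run without dummy signals.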
Although the operation of the cryptographic control circuit 101 during the execution of the cryptographic operation instruction 111 has been described with reference to
As described above, the configuration of
The dummy control signal generating circuit 801 reads out the normal control signal history information 802 stored in these slots and generates the dummy control signals 610 to 615. An algorithm to determine from which slot the dummy control signal generating circuit 801 reads out data may be any of (1) reading out data in order in which the data has been stored, (2) selecting a slot having a most frequent cryptographic operation instruction, (3) randomly selecting a slot, and the like.
When read is performed using an algorithm as described above, operations of the operation resources 103 to 108 performed in the past, operations of the operation resources 103 to 108 having a consumed current waveform having a high frequency of occurrence in the past, and operations of the operation resources 103 to 108 in which past states of a consumed current waveform appear randomly, can be performed even in clock cycle units, so that a consumed current in a cryptographic operation instruction or the dummy operation instruction 113 becomes uniform, resulting in a further improvement in security against current analysis.
Also, the normal control signal storing circuit 800 may be comprised of a non-volatile memory. In this case, past normal control signal history information 802 can be stored after power-off, and the dummy control signals 610 to 615 are selected from the stored normal control signals 604 to 609 and are output. Therefore, even in the case of a current analysis technique in which, for example, a sequence of power-on, execution of a cryptographic operation, and power-off is repeatedly performed to observe changes in current waveform, a consumed current waveform during the execution of the cryptographic operation instruction 111 or the execution of the dummy operation instruction 113 appears, depending on the stored past normal control signals 604 to 609, resulting in a further improvement in security against current analysis.
When the same process is performed in the operator 105, a consumed current in the operator 105 significantly depends on input data to be operated. Specifically, a difference in consumed current occurs between when the input data has a large number of bit values of 0 and when the input data has a small number of bit values of 0. Therefore, in the following example, security against current analysis is improved by using the number of counts of a bit value of 0.
For example, if the memory A output data 121 has a data width of 32 bits and outputs data of 39DF7EB6 in hexadecimal, the data is 0011 1001 1101 1111 0111 1110 1011 0110 in binary, so that the number of bits having a bit value of 0 is 10. Therefore, the bit value-0 count information 1001 outputs 10.
It is assumed that the memory A output data 121 has a data width of 32 bits. In this case, by the cryptographic operation instruction 111 stored in slot 1 of
By the cryptographic operation instruction 111 stored in slot 2, an operation of instruction 3 where data at each of address A5 and address A6 is input is performed, and the result is stored at address A7. In this case, the bit value-0 count information 1001 counted by the bit value-0 count circuit 1000 is 14 at address A5 and 16 at address A6.
By the cryptographic operation instruction 111 stored in slot 3, an operation of instruction 3 where data at each of address A7 and address A8 is input is performed, and the result is stored at address A9. In this case, the bit value-0 count information 1001 counted by the bit value-0 count circuit 1000 is 5 at address A7 and 3 at address A8. In other words, both data read out from address A7 and data read out from address A8 have a small number of counts of a bit value of 0 in the 32-bit data width.
By the cryptographic operation instruction 111 stored in slot 4, an operation of instruction 3 where data at each of address A3 and address A4 is input is performed, and the result is stored at address A5. In this case, the bit value-0 count information 1001 counted by the bit value-0 count circuit 1000 is 18 at address A3 and 19 at address A4.
All the cryptographic operation instructions 111 stored in the slots are instructions that issue instruction 3 to the operator 105. The number of counts of a value of 0 stored in each slot is small in slot 3 and is similar in slot 1, slot 2, and slot 4. If data having a considerably small or large number of counts of a value of 0 for the data width exists, the number of bits to be activated is considerably small in a cryptographic operation employing such data, so that a characteristic peak occurs in a consumed current waveform during a cryptographic operation process.
The dummy operation instruction generating circuit 401 receives the operation completion signal 114 that is a signal indicating that the execution of the cryptographic operation instruction 111 has been ended, and scans the cryptographic operation instructions 111 stored in slot 1 to slot 4. When recognizing that all the slots have instruction 3, the dummy operation instruction generating circuit 401 further scans the bit value-0 count information 1001. If data having a considerably small or large number of counts of a value of 0 for the data width exists, an operation employing such data has a considerably small number of bits to be activated, so that a characteristic peak occurs in a consumed current waveform during a cryptographic operation process. Therefore, the dummy operation instruction 113 is generated so as to intentionally increase the number of such peaks. Thereby, slot 3 that is a slot having a smallest bit value-0 count number is selected to generate the dummy operation instruction 113.
As described above, in the cryptographic operation processing circuit having the configuration of
Note that the dummy operation instruction generating circuit 401 may determine a distribution of bit value-0 count numbers stored in the cryptographic operation instruction storing circuit 400, and select a cryptographic operation instruction 111 employing an average bit value-0 count number to generate the dummy operation instruction 113. Since a cryptographic operation instruction 111 employing an average bit value-0 count number is selected, the generated dummy operation instruction 113 can indicate an average consumed current waveform, so that it is difficult to distinguish the execution of a cryptographic operation instruction 111 from the execution, as the dummy operation instruction 113, of a cryptographic operation instruction 111 having a frequent bit value-0 count number in data, resulting in a further improvement in security against current analysis.
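The slot selection described above can be modeled in software. The following is an added example, not part of the original document: the slot 1 counts (cut off in the text), the use of the operand sum as a slot's metric, and the most-frequent-instruction filter are assumptions made for the model.

```python
from collections import Counter
from dataclasses import dataclass

WIDTH = 32  # data width of the memory A output data 121 in the text


def zero_count(word: int, width: int = WIDTH) -> int:
    """Model of the bit value-0 count circuit 1000: zeros in a width-bit word."""
    if not 0 <= word < (1 << width):
        raise ValueError("word does not fit in the data width")
    return width - bin(word).count("1")


@dataclass(frozen=True)
class Slot:
    number: int
    instruction: int
    zeros: tuple  # bit value-0 count of each input operand


# Slots 2 to 4 use the counts given in the text. The slot 1 counts are cut off
# there, so (15, 17) is a constructed stand-in "similar to" slots 2 and 4.
SLOTS = [
    Slot(1, 3, (15, 17)),
    Slot(2, 3, (14, 16)),
    Slot(3, 3, (5, 3)),
    Slot(4, 3, (18, 19)),
]


def select_dummy_slot(slots, policy="smallest"):
    """Pick the stored instruction to replay as the dummy operation."""
    # Assumption: if instructions differ, only the most frequent one is used.
    common = Counter(s.instruction for s in slots).most_common(1)[0][0]
    candidates = [s for s in slots if s.instruction == common]

    def total(slot):  # assumption: a slot's metric is the sum over its operands
        return sum(slot.zeros)

    if policy == "smallest":
        return min(candidates, key=total)
    if policy == "largest":
        return max(candidates, key=total)
    if policy == "average":
        mean = sum(total(s) for s in candidates) / len(candidates)
        return min(candidates, key=lambda s: abs(total(s) - mean))
    raise ValueError(f"unknown policy: {policy}")
```

With these inputs the "smallest" policy picks slot 3, matching the selection described in the text, while "average" picks a slot from the group with similar counts.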
It is assumed that the memory A output data 121 has a data width of 32 bits. According to slot 1 of
Also, conversely, in the data stored in slot 3 of
As described above, when data having a considerably small or large value-0 count number for the data width exists, a cryptographic operation employing such data has a considerably small number of bits to be activated, so that a characteristic peak occurs in a consumed current waveform during a cryptographic operation process.
Data stored in slot 1 is the latest data, and therefore, the normal control circuit 601 has recently output the normal control signals 604 to 609 in which a characteristic peak as described above occurs. In such a case, the following dummy control signals 610 to 615 cannot be effectively deceptive unless they are control signals in which a similar characteristic peak occurs. Conversely, when the normal control circuit 601 outputs the normal control signals 604 to 609 in which a characteristic peak as described above does not occur, the following dummy control signals 610 to 615 cannot be effectively deceptive unless they are control signals in which a characteristic peak does not occur. Therefore, the dummy control signal generating circuit 801 determines the bit value-0 count information 1001 in the slots that have been stored most recently, reads out data in a slot having, for example, average, largest or smallest bit value-0 count information 1001, and generates the dummy control signals 610 to 615.
By performing such a dummy operation, it is difficult to distinguish a consumed current waveform during the execution of an original cryptographic operation from that during the dummy operation, so that the timing of the original cryptographic operation is not likely to be analyzed.
As described above, in the cryptographic operation processing circuit having the configuration of
In successive controls of the operator 105, if values of input data read out from different addresses in the memory A 103 are completely the same, a current is not consumed in the operator 105. Therefore, in the following example, security against current analysis is improved by presetting a potential of a circuit included in the operator 105.
The preset circuit A 1300, when a preset circuit A control signal 1302 from the pulse signal generating circuit 1306 becomes effective, inverts the register A output data 122 from the register A 106 and outputs the result as preset circuit A output data 1304 to the operator 105.
The preset circuit B 1301, when a preset circuit B control signal 1303 from the pulse signal generating circuit 1306 becomes effective, inverts the register B output data 123 from the register B 107 and outputs the result as a preset circuit B output data 1305 to the operator 105.
The pulse signal generating circuit 1306 is a circuit for generating a pulse signal using the clock 110. The generated signal is output as the preset circuit A control signal 1302 and the preset circuit B control signal 1303 to the preset circuit A 1300 and the preset circuit B 1301.
In
The cryptographic control circuit 101 decodes instruction 4, reads out data D1 and data D2 from address A1 to address A8 of the memory A 103, and stores data D1 into the register A 106 and data D2 into the register B 107. A memory A consumed current IV is a consumed current caused by a read operation being performed by the memory A 103, and has a consumed current waveform corresponding to a read operation from address A1 to address A8.
The cryptographic control circuit 101 instructs the operator 105 to execute operation 4 by the operator control signal 118. In this case, the pulse signal generating circuit 1306 controls the preset circuit A control signal 1302 to temporarily invert the register A output data 122 and output the result to the preset circuit A output data 1304. Thereby, the operator 105 temporarily executes an operation of data obtained by inverting D1, and D2 before performing an operation of the original data D1, and D2. An operation section consumed current IV is changed every time data is stored into the register A 106 and the register B 107 that are input registers for the operator 105 (combinational circuit), and even after values in the register A 106 and the register B 107 are settled, an operation is executed and a current is therefore consumed for two clock cycles.
When the memory A output data 121 read out from address A1 to address A8 is a succession of D1 and D2 as shown in
Next, the cryptographic control circuit 101 decodes instruction 4 to output the register C control signal 119 for storing an operation result into the register C 108 with timing when operation 4 is ended, so that DA is stored into the register C 108. Also, the cryptographic control circuit 101 decodes instruction 4 to issue the memory B control signal 120, so that DA (register C output data 125) is stored into address AA to address AD of the memory B 104. A memory B consumed current IV is a consumed current caused by a write operation to the memory B 104, and has a consumed current waveform corresponding to a write operation to address AA to address AD.
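The effect of the inverting preset on the operator input can be illustrated with a simple switching model. This is an added example, not part of the original document; it assumes that switching activity is proportional to the number of input bits that change (Hamming distance), that the operator input starts at 0, and that the inverted value is presented before the true value for every word.

```python
MASK = 0xFFFFFFFF  # 32-bit data width, as in the text


def hamming_distance(a, b):
    """Number of bit positions in which two 32-bit words differ."""
    return bin((a ^ b) & MASK).count("1")


def operator_input_toggles(words, preset):
    """Bits toggled at the operator 105 input for each word in a sequence.

    preset=False: the register output drives the operator directly.
    preset=True : the inverted word is driven first, then the true word,
                  as the preset circuit A 1300 does while its control
                  signal 1302 is effective.
    """
    prev = 0  # assumption: operator input is all zeros before the first word
    per_word = []
    for d in words:
        d &= MASK
        if preset:
            inverted = ~d & MASK
            n = hamming_distance(prev, inverted) + hamming_distance(inverted, d)
        else:
            n = hamming_distance(prev, d)
        per_word.append(n)
        prev = d
    return per_word


if __name__ == "__main__":
    d1 = 0x39DF7EB6  # sample word taken from the bit value-0 count example
    print(operator_input_toggles([d1, d1, d1], preset=False))
    print(operator_input_toggles([d1, d1, d1], preset=True))
```

In this model a repeated word causes no toggling without the preset, while with the preset every word toggles at least all 32 input bits once.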
As described above, with the configuration of
Although an inverter circuit has been described as an example of the preset circuits 1300 and 1301 of
The delay circuit A 1500 adds a delay amount to each bit of the preset circuit A output data 1304 from the preset circuit A 1300 every clock cycle, the delay amounts differing from each other, and outputs the resultant data in which not all the bits are changed with the same timing, as delay circuit A output data 1502, to the operator 105.
The delay circuit B 1501 adds a delay amount to each bit of the preset circuit B output data 1305 from the preset circuit B 1301, the delay amounts differing from each other, and outputs the resultant data in which not all the bits are changed with the same timing, as delay circuit B output data 1503, to the operator 105.
The cryptographic control circuit 101 decodes instruction 4, reads out data D1 and data D2 from address A1 to address A8 of the memory A 103, and stores data D1 into the register A 106 and data D2 into the register B 107. A memory A consumed current V is a consumed current caused by a read operation being performed by the memory A 103, and has a consumed current waveform corresponding to a read operation from address A1 to address A8.
The cryptographic control circuit 101 instructs the operator 105 to execute operation 4 by the operator control signal 118. In this case, the pulse signal generating circuit 1306 controls the preset circuit A control signal 1302 to temporarily invert the register A output data 122 and output the result to the preset circuit A output data 1304. Further, the delay circuit A 1500 adds a delay amount to each bit of the preset circuit A output data 1304 every clock cycle, the delay amounts differing from each other, and outputs the resultant data in which not all the bits are changed with the same timing, as delay circuit A output data 1502. Thereby, the operator 105 temporarily executes an operation of data obtained by inverting D1, and D2 before performing an operation of the original data D1, and D2. In addition, since the delay amount is changed every bit at a change point of data, the operator 105 executes an operation with respect to continuously differing data. An operation section consumed current V is changed every time data is stored into the register A 106 and the register B 107 that are input registers for the operator 105 (combinational circuit), and even after values in the register A 106 and the register B 107 are settled, an operation is executed and a current is therefore consumed for two clock cycles.
When the memory A output data 121 read out from address A1 to address A8 is a succession of D1 and D2 as shown in
Next, the cryptographic control circuit 101 decodes instruction 4 to output the register C control signal 119 for storing an operation result into the register C 108 with timing when operation 4 is ended, so that DA is stored into the register C 108. Also, the cryptographic control circuit 101 decodes instruction 4 to issue the memory B control signal 120, so that DA (register C output data 125) is stored into address AA to address AD of the memory B 104. A memory B consumed current V is a consumed current caused by a write operation to the memory B 104, and has a consumed current waveform corresponding to a write operation to address AA to address AD.
As described above, with the configuration of
As described above, the cryptographic operation processing circuit of the present invention is useful as a data processing circuit for which security, such as a cryptographic operation or the like, is required, and is applicable to IC cards and the like.

Number | Date | Country | Kind |
---|---|---|---|
2006-304068 | Nov 2006 | JP | national |

Filing Document | Filing Date | Country | Kind | 371c Date |
---|---|---|---|---|
PCT/JP2007/062293 | 6/19/2007 | WO | 00 | 5/23/2008 |