Patent Grant
8205097
The Invention relates to a microprocessor in a security-sensitive system for processing an operand according to an instruction.
Modular arithmetic is a powerful tool in many different disciplines such as cryptography and computer science. With modular arithmetic it is possible to code and decode messages or the like with the aid of microprocessors performing certain steps of multiplication, addition, division and/or subtraction according to certain instructions.
Hereby two integers a and a′ are called congruent modulo n whereas n is a positive integer if a−a′ is an integer multiple of n and it is expressed as a≡a′ (mod n).
If a≡a′ (mod n) and b≡b′ (mod n) then for the integers a, a′, b and b′ the following rules apply:
(a+b)≡(a′+b′) (mod n)
(a−b)≡(a′−b′) (mod n)
(a*b)≡(a′*b′) (mod n).
Especially in security-sensitive computing systems for example in smart card controllers the arithmetic operations performed by a microprocessor may be disturbed or even manipulated by an attack of an unauthorised person called hacker. This can be dangerous since sensitive data might be stolen particularly if cryptography algorithms like RSA are computed by software.
To overcome this problem two well known solutions are common. In a first solution the microprocessor computation hardware is doubled. But this mostly costs too much chip area. In a second solution a double calculation is performed but thereby the system performance is reduced.
Accordingly the invention is directed to a microprocessor which is able to perform security-sensitive calculations and which is protected against an attack without a substantial reduction of its performance.
To achieve this object the microprocessor is provided with a modulo-based check hardware to perform operations in parallel to the microprocessor and for comparing both results regarding congruence.
The core of the invention lies in the fact that a common microprocessor is additionally equipped with a modulo-based check hardware to enhance the system security. The redundant hardware can perform addition, subtraction, multiplication, MAD (Multiply and Addition) and MSUB (Multiply and Subtraction) operations in parallel with the main computation unit or microprocessor and compare both results regarding congruence. In case of a mismatch an attack will be reported to the system.
Since the width of operand vectors is reduced after modulo operation the computation logic in the check unit will be less complex compared with that of the main computation unit. Therefore the modulo-based check represents a cost-effective solution which also does not need a big chip area.
It is clear that precise hardware architecture of the microprocessor and the check hardware can be chosen by a person skilled in the art dependent on the requirements and the amount of data to be computed.
To affect the original computation functionality as little as possible it is recommended to build the check unit outside the main computation unit in the same hierarchy. Both units share all relevant input signals including instruction and both operands.
Additionally the check unit takes the result output of the computation unit as an input.
If a mismatch in congruence has been detected by the check hardware an attack will be reported to the system. That means that an arbitrary error message is displayed and for example a software exception and/or a system reset is performed.
Special attention must be given to the overflow scenarios of the main computation unit. In this case the results of both units will typically mismatch. If an overflow status signal from the computation unit is available it can be used by the check unit to suppress the modulo error status otherwise the modulo check must be disabled for the software code sections that causes the overflow.
An embodiment of the invention is described below. The drawing shows:
Each time when an instruction is received by the microprocessor 1 the check unit 2 will firstly determine whether it shall be modulo-based checked. If it is the case the both operands A; B will be moduloed whereas a real division operation normally is replaced by other simpler ones and afterwards they are added, subtracted or multiplied according to the instruction type. Finally the result will be moduloed again if necessary. After the result of the microprocessor 1 becomes available, it will be also moduloed and compared with the one of the check unit 2. If the number of cycles that the microprocessor 1 takes for a certain instruction is fixed, the check unit 2 only has to wait for the same number of cycles. Otherwise a status signal of the microprocessor 1 indicating operation completion can be used by the check unit 2. In case the results mismatch the check unit 2 will assert an error status output to signal the attack.
Some microprocessors 2 support the more complex instructions MAD and MSUB. Before checking them the content of the computation unit result register will be firstly moduloed and buffered. After the multiplication of the moduloed operands A, B is finished the buffered value will be added to or subtracted from the multiplication result to get the final reference moduloed result.
For the modulus n the error detection is equal to (n−1)/n. The larger the modulus, the bigger the error detection will be but also the complexity of the check hardware 2. Therefore an appropriate trade-off must be chosen by a designer.
1 microprocessor
2 check hardware
A, B operands
| Number | Date | Country | Kind |
|---|---|---|---|
| 07111867 | Jul 2007 | EP | regional |
| Filing Document | Filing Date | Country | Kind | 371c Date |
|---|---|---|---|---|
| PCT/IB2008/051849 | 5/9/2008 | WO | 00 | 12/28/2009 |
| Publishing Document | Publishing Date | Country | Kind |
|---|---|---|---|
| WO2009/004505 | 1/8/2009 | WO | A |
| Number | Name | Date | Kind |
|---|---|---|---|
| 4183085 | Roberts et al. | Jan 1980 | A |
| 5458404 | Fennel et al. | Oct 1995 | A |
| 6028939 | Yin | Feb 2000 | A |
| 6738478 | Vanstone et al. | May 2004 | B1 |
| 6832316 | Sibert | Dec 2004 | B1 |
| 6978372 | Jakobsson | Dec 2005 | B1 |
| 6996712 | Perlman et al. | Feb 2006 | B1 |
| 7168065 | Naccache et al. | Jan 2007 | B1 |
| 7404089 | Campagna et al. | Jul 2008 | B1 |
| 7502943 | Henry et al. | Mar 2009 | B2 |
| 7624442 | Dellow et al. | Nov 2009 | B2 |
| 7707638 | Dellow | Apr 2010 | B2 |
| 7742595 | Joye et al. | Jun 2010 | B2 |
| 7940928 | Sibert | May 2011 | B2 |
| 7954153 | Bancel et al. | May 2011 | B2 |
| 8065531 | Tobergte | Nov 2011 | B2 |
| 8135958 | Greco et al. | Mar 2012 | B2 |
| 20030128842 | Nakano et al. | Jul 2003 | A1 |
| 20030182570 | Dellow | Sep 2003 | A1 |
| 20040230813 | Check et al. | Nov 2004 | A1 |
| 20050028004 | Dellow et al. | Feb 2005 | A1 |
| 20050060560 | Sibert | Mar 2005 | A1 |
| 20050108555 | Sibert | May 2005 | A1 |
| 20060259673 | Bancel et al. | Nov 2006 | A1 |
| 20070005992 | Schluessler et al. | Jan 2007 | A1 |
| 20090180610 | Tobergte | Jul 2009 | A1 |
| Number | Date | Country |
|---|---|---|
| 19631309 | Feb 1998 | DE |
| 1465038 | Oct 2004 | EP |
| WO 2007113697 | Oct 2007 | WO |
| Number | Date | Country | |
|---|---|---|---|
| 20100191980 A1 | Jul 2010 | US |
