Microprocessor in a security-sensitive system

Information

  • Patent Grant
  • 8205097
  • Patent Number
    8,205,097
  • Date Filed
    Friday, May 9, 2008
    16 years ago
  • Date Issued
    Tuesday, June 19, 2012
    12 years ago
Abstract
A Microprocessor (1) in a security-sensitive computing system for processing an operand according to an instruction is for improving its security provided with a modulo-based check hardware (2) to perform operations in parallel to the microprocessor (1) and for comparing both results regarding congruence.
Description
FIELD OF THE INVENTION

The Invention relates to a microprocessor in a security-sensitive system for processing an operand according to an instruction.


BACKGROUND OF THE INVENTION

Modular arithmetic is a powerful tool in many different disciplines such as cryptography and computer science. With modular arithmetic it is possible to code and decode messages or the like with the aid of microprocessors performing certain steps of multiplication, addition, division and/or subtraction according to certain instructions.


Hereby two integers a and a′ are called congruent modulo n whereas n is a positive integer if a−a′ is an integer multiple of n and it is expressed as a≡a′ (mod n).


If a≡a′ (mod n) and b≡b′ (mod n) then for the integers a, a′, b and b′ the following rules apply:


(a+b)≡(a′+b′) (mod n)


(a−b)≡(a′−b′) (mod n)


(a*b)≡(a′*b′) (mod n).


Especially in security-sensitive computing systems for example in smart card controllers the arithmetic operations performed by a microprocessor may be disturbed or even manipulated by an attack of an unauthorised person called hacker. This can be dangerous since sensitive data might be stolen particularly if cryptography algorithms like RSA are computed by software.


To overcome this problem two well known solutions are common. In a first solution the microprocessor computation hardware is doubled. But this mostly costs too much chip area. In a second solution a double calculation is performed but thereby the system performance is reduced.


OBJECT AND SUMMARY OF THE INVENTION

Accordingly the invention is directed to a microprocessor which is able to perform security-sensitive calculations and which is protected against an attack without a substantial reduction of its performance.


To achieve this object the microprocessor is provided with a modulo-based check hardware to perform operations in parallel to the microprocessor and for comparing both results regarding congruence.


The core of the invention lies in the fact that a common microprocessor is additionally equipped with a modulo-based check hardware to enhance the system security. The redundant hardware can perform addition, subtraction, multiplication, MAD (Multiply and Addition) and MSUB (Multiply and Subtraction) operations in parallel with the main computation unit or microprocessor and compare both results regarding congruence. In case of a mismatch an attack will be reported to the system.


Since the width of operand vectors is reduced after modulo operation the computation logic in the check unit will be less complex compared with that of the main computation unit. Therefore the modulo-based check represents a cost-effective solution which also does not need a big chip area.


It is clear that precise hardware architecture of the microprocessor and the check hardware can be chosen by a person skilled in the art dependent on the requirements and the amount of data to be computed.


To affect the original computation functionality as little as possible it is recommended to build the check unit outside the main computation unit in the same hierarchy. Both units share all relevant input signals including instruction and both operands.


Additionally the check unit takes the result output of the computation unit as an input.


If a mismatch in congruence has been detected by the check hardware an attack will be reported to the system. That means that an arbitrary error message is displayed and for example a software exception and/or a system reset is performed.


Special attention must be given to the overflow scenarios of the main computation unit. In this case the results of both units will typically mismatch. If an overflow status signal from the computation unit is available it can be used by the check unit to suppress the modulo error status otherwise the modulo check must be disabled for the software code sections that causes the overflow.





BRIEF DESCRIPTION OF THE DRAWINGS

An embodiment of the invention is described below. The drawing shows:



FIG. 1: a schematic microprocessor with a check-hardware.





DESCRIPTION OF EMBODIMENTS


FIG. 1 depicts the general hardware architecture of modulo-based check for addition, subtraction and multiplication operations inside a microprocessor 1 of which detailed implementation can vary for different microprocessor types. To affect the original computation functionality as little as possible it is recommended to build the check unit 2 outside the main computation unit or microprocessor 1 in the same hierarchy. Both units 1, 2 share all relevant input signals including instruction and both operands A, B. Additionally the check unit 2 takes the result output of the computation unit as an input as illustrated with the arrows.


Each time when an instruction is received by the microprocessor 1 the check unit 2 will firstly determine whether it shall be modulo-based checked. If it is the case the both operands A; B will be moduloed whereas a real division operation normally is replaced by other simpler ones and afterwards they are added, subtracted or multiplied according to the instruction type. Finally the result will be moduloed again if necessary. After the result of the microprocessor 1 becomes available, it will be also moduloed and compared with the one of the check unit 2. If the number of cycles that the microprocessor 1 takes for a certain instruction is fixed, the check unit 2 only has to wait for the same number of cycles. Otherwise a status signal of the microprocessor 1 indicating operation completion can be used by the check unit 2. In case the results mismatch the check unit 2 will assert an error status output to signal the attack.


Some microprocessors 2 support the more complex instructions MAD and MSUB. Before checking them the content of the computation unit result register will be firstly moduloed and buffered. After the multiplication of the moduloed operands A, B is finished the buffered value will be added to or subtracted from the multiplication result to get the final reference moduloed result.


For the modulus n the error detection is equal to (n−1)/n. The larger the modulus, the bigger the error detection will be but also the complexity of the check hardware 2. Therefore an appropriate trade-off must be chosen by a designer.


LIST OF REFERENCES


1 microprocessor



2 check hardware


A, B operands

Claims
  • 1. A security-sensitive computing system, comprising: a microprocessor configured to process at least one operand according to an instruction and output a microprocessor result; anda modulo-based check hardware configured to perform operations in parallel to the microprocessor, wherein the check hardware is configured to: perform at least one modulo operation on the at least one operand to generate a first modulo result,perform at least one computation on the first modulo result based on the instruction to generate a first computation result,perform at least one modulo operation on the first computation result to generate a second modulo result,perform at least one modulo operation on the microprocessor result to generate a microprocessor modulo result, andcompare the second modulo result and the microprocessor modulo result to determine if they are congruent.
  • 2. The computing system according to claim 1, wherein the check hardware is built separately from the microprocessor in the same hierarchy.
  • 3. The computing system according to claim 1, wherein an error message is displayed if the second modulo result and the microprocessor modulo result are not congruent.
  • 4. The computing system according to claim 1, wherein the check hardware is configured to consider an overflow status signal.
  • 5. The computing system according to claim 1, wherein the at least one computation performed by the check hardware is at least one of addition, subtraction, multiplication, multiply and addition (MAD), and multiply and subtraction (MSUB).
  • 6. The computing system according to claim 1, wherein the check hardware is configured to receive the microprocessor result.
  • 7. A security-sensitive computing system, comprising: a microprocessor configured to process a first operand and a second operand according to an instruction and output a microprocessor result; anda modulo-based check hardware configured to perform operations in parallel to the microprocessor, wherein the check hardware is configured to: perform at least one modulo operation on the first operand to generate a first modulo result,perform at least one modulo operation on the second operand to generate a second modulo result,perform at least one computation on the first modulo result and the second modulo result based on the instruction to generate a first computation result,perform at least one modulo operation on the first computation result to generate a third modulo result,perform at least one modulo operation on the microprocessor result to generate a microprocessor modulo result, andcompare the third modulo result and the microprocessor modulo result to determine if they are congruent.
  • 8. The computing system according to claim 7, wherein the check hardware is built separately from the microprocessor in the same hierarchy.
  • 9. The computing system according to claim 7, wherein an error message is displayed if the second modulo result and the microprocessor modulo result are not congruent.
  • 10. The computing system according to claim 7, wherein the check hardware is configured to consider an overflow status signal.
  • 11. The computing system according to claim 7, wherein the at least one computation performed by the check hardware is at least one of addition, subtraction, multiplication, multiply and addition (MAD), and multiply and subtraction (MSUB).
  • 12. A method for detecting an error in a security-sensitive computing system, comprising: processing at least one operand in a microprocessor according to an instruction and outputting a microprocessor result;generating a first modulo result in a check hardware by performing at least one modulo operation on the at least one operand;generating first computation result in the check hardware by performing at least one computation on the first modulo result;generating a second modulo result in the check hardware by performing at least one modulo operation on the first computation result;generating a microprocessor modulo result in the check hardware by performing at least one modulo operation on the microprocessor result; andcomparing the second modulo result and the microprocessor modulo result in the check hardware to determine if they are congruent, wherein the check hardware operates in parallel to the microprocessor.
  • 13. The method according to claim 12, wherein the at least one computation is at least one of addition, subtraction, multiplication, multiply and addition (MAD), and multiply and subtraction (MSUB).
Priority Claims (1)
Number Date Country Kind
07111867 Jul 2007 EP regional
PCT Information
Filing Document Filing Date Country Kind 371c Date
PCT/IB2008/051849 5/9/2008 WO 00 12/28/2009
Publishing Document Publishing Date Country Kind
WO2009/004505 1/8/2009 WO A
US Referenced Citations (26)
Number Name Date Kind
4183085 Roberts et al. Jan 1980 A
5458404 Fennel et al. Oct 1995 A
6028939 Yin Feb 2000 A
6738478 Vanstone et al. May 2004 B1
6832316 Sibert Dec 2004 B1
6978372 Jakobsson Dec 2005 B1
6996712 Perlman et al. Feb 2006 B1
7168065 Naccache et al. Jan 2007 B1
7404089 Campagna et al. Jul 2008 B1
7502943 Henry et al. Mar 2009 B2
7624442 Dellow et al. Nov 2009 B2
7707638 Dellow Apr 2010 B2
7742595 Joye et al. Jun 2010 B2
7940928 Sibert May 2011 B2
7954153 Bancel et al. May 2011 B2
8065531 Tobergte Nov 2011 B2
8135958 Greco et al. Mar 2012 B2
20030128842 Nakano et al. Jul 2003 A1
20030182570 Dellow Sep 2003 A1
20040230813 Check et al. Nov 2004 A1
20050028004 Dellow et al. Feb 2005 A1
20050060560 Sibert Mar 2005 A1
20050108555 Sibert May 2005 A1
20060259673 Bancel et al. Nov 2006 A1
20070005992 Schluessler et al. Jan 2007 A1
20090180610 Tobergte Jul 2009 A1
Foreign Referenced Citations (3)
Number Date Country
19631309 Feb 1998 DE
1465038 Oct 2004 EP
WO 2007113697 Oct 2007 WO
Related Publications (1)
Number Date Country
20100191980 A1 Jul 2010 US