JP2006025366A - Encryption apparatus and semiconductor integrated circuit - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To realize an encryption apparatus capable of improving immunity to a power analysis attack so as to more improve difficulty of decryption. <P>SOLUTION: By inserting dummy DES operation in the middle of main DES operation, it becomes difficult to specify an execution timing of the main DES operation and by providing a first XOR section 31 which uses output data fn of an (f) function of DES to carry out XOR operation, an inverter 33 for inverting bits of the output data fn and a second XOR section 34 which uses the bit-inverted output data fn to carry out the XOR operation, a hamming weight inside an encryption apparatus is fixed without depending upon a value of the output data fn, thereby approximately fixing power consumption in the case of encryption. <P>COPYRIGHT: (C)2006,JPO&NCIPI

Description

  The present invention relates to an encryption device and a semiconductor integrated circuit, and is suitable for application to, for example, an encryption circuit that performs encryption or decryption using a secret key.

  In recent years, electronic money systems using IC (Integrated Circuit) cards, transportation systems, and the like have become widespread. In such a system, it is important to ensure safety so that personal information and balance information of electronic money stored in the IC card are not leaked or tampered with.

  Therefore, in such a system, security is ensured by using various encryptions using a secret key at the time of mutual authentication and data transmission / reception between the IC card and the reader / writer.

  However, as a method of decrypting such encryption, there is a power analysis attack that attempts to extract a secret key by analyzing fluctuations in power consumption (current consumption) during operation of the encryption circuit.

  In this power analysis attack, it is simple to identify the execution timing of cryptographic operations by focusing on the fact that the power consumption of the cryptographic circuit increases during cryptographic operations, analyze the power consumption fluctuations at that time, and extract the secret key Simple analysis of power (SPA) and data generated in the cryptographic circuit are repeatedly measured and statistically analyzed. Based on the results of this analysis, the state of the location that depends on the secret key in the cryptographic circuit is analyzed. By specifying, there is a differential power analysis (DPA) that tries to extract a secret key.

  Here, for example, a case where a secret key of DES (Data Encryption Standard), which is one of encryption methods, is extracted by a power analysis attack will be described. As shown in FIG. 12, the DES algorithm is executed in the order of initial transposition (Initial Permutation), 16-round conversion processing, and inverse transposition (Inverse Initial Permutation). In practice, in DES, first, the input 64-bit data (Input) is divided into left 32-bit block data L0 and right 32-bit block data R0 by initial transposition.

  Next, as a first round of conversion processing, non-linear transposition and replacement processing called an f function is executed using block data R0 and a 48-bit subkey K1 generated from a 64-bit secret key. XOR (exclusive OR) of the output of the function and the block data L0 is taken.

  The result of the XOR between the output of the f function and the block data L0 is given to the second round conversion process as block data R1, and the block data R0 is given to the second round conversion process as block data L1.

  In the conversion process of the second round, as in the case of the first round, the f function is executed using the block data R1 and the 48-bit subkey K2 generated from the 64-bit secret key. Is XORed with the block data L1.

  The result of the XOR between the output of the f function and the block data L1 is given to the third round conversion process as block data R2, and the block data R1 is given to the third round conversion process as block data L2.

  Thereafter, the same conversion process is executed until the 16th round, and the block data R16 and the block data L16 obtained as a result are finally inverted and the ciphertext is output.

  Since this DES algorithm is known, for example, in simple power analysis, the timing at which 16-round conversion processing of DES is easily performed by observing fluctuations in power consumption of a cryptographic circuit that performs encryption using this algorithm. Can be specified.

  That is, as shown in FIG. 13, it can be estimated that the place where the time during which the power consumption increases continues for 16 rounds is the place where the DES calculation is executed. In particular, since the first round or the sixteenth round is the rising or falling part of the waveform, it is easy to find.

  On the other hand, in the differential power analysis, first, for example, the bit of the subkey K1 (or K16) used in the first round (or the 16th round) is predicted. Next, pay attention to the value (“0” or “1”) of the first bit of the data (L1, R1, etc.) output as a result of the first round conversion process, and the power consumption based on that value The measurement data is classified (classified into a group having a value of “0” and a group having a value of “1”). Furthermore, the average of the measurement data is taken in each classification, and the difference between them is taken. If the predicted bit of the subkey K1 is correct, the difference in power consumption at the time of cryptographic operation will be large, and if the bit is not correct, the difference will be small and inconspicuous. To do. Then, the DES secret key is specified based on the subkey K1.

Thus, in the differential power analysis of DES, focusing on the fact that the power consumption of the cryptographic circuit is proportional to the Hamming weight of the data output as a result of the cryptographic operation, the difference in the power consumption is statistically analyzed, and the secret A key is specified (for example, see Non-Patent Document 1).
P. Kocher, J. Jaffe, B. Jun, "Differential Power Analysis," Advances in Cryptology-Crypto 99 Proceedings, Lecture Notes In Computer Science Vol. 1666, M. Wiener ed., Springer-Verlag, 1999.

  As described above, in the conventional encryption circuit, it is becoming difficult to decipher the cipher due to the power analysis attack, and improvement in resistance to the power analysis attack is demanded. That is, it is required to realize an encryption circuit that performs an encryption process that is more difficult to decipher (hereinafter, the property of being difficult to decipher is called difficulty of deciphering).

  The present invention has been made in consideration of the above points, and an object of the present invention is to propose an encryption device and a semiconductor integrated circuit that can further improve the difficulty of decryption of encryption.

  In order to solve this problem, in the encryption device and the semiconductor integrated circuit according to the present invention, the cryptographic data is generated by repeatedly executing the cryptographic calculation process using the first key data serving as the secret key based on the input data. A cryptographic operation using encryption means and second key data different from the first key data is randomly inserted during the repetition of the cryptographic operation using the first key data and executed in the encryption means. Insertion means to be provided.

  As described above, the cryptographic operation processing using the second key data different from the first key data is randomly inserted and executed during the cryptographic operation processing using the first key data serving as the secret key. As a result, it is possible to make it difficult to specify the execution timing of the original cryptographic operation processing using the first key data, and thus it is possible to improve resistance to power analysis attacks.

  In the encryption apparatus and the semiconductor integrated circuit according to the present invention, the first cryptographic operation means for executing the first cryptographic operation using the first key data serving as the secret key based on the input data, The second cryptographic operation means for executing the second cryptographic operation using the output data output as a result of the first cryptographic operation by the cryptographic operation means, and the output data output from the first cryptographic operation means Bit inversion means for bit inversion and third cipher operation means for executing a third cipher operation similar to the second cipher operation using the bit-inverted output data are provided.

  Thus, using the second cryptographic operation means for executing the second cryptographic operation using the output data correlated with the first key data serving as the secret key, and the data obtained by bit-inversion of the output data By providing the third cryptographic calculation means for executing the third cryptographic calculation similar to the second cryptographic calculation, the bits are always inverted between the second cryptographic calculation means and the third cryptographic calculation means. Since the cryptographic operation can be executed using the data, the Hamming weight in the encryption device can be made constant regardless of the value of the output data, and the power consumption during the cryptographic operation can be made almost constant.

  According to the present invention, a cryptographic operation process using second key data different from the first key data is randomly inserted during the cryptographic operation process using the first key data serving as a secret key. By executing this, it is possible to make it difficult to specify the execution timing of the original cryptographic operation processing using the first key data, and to use the output data correlated with the first key data serving as the secret key. A second cryptographic operation means for executing the second cryptographic operation, and a third cryptographic operation means for executing a third cryptographic operation similar to the second cryptographic operation using data obtained by bit-inversion of the output data. Since the encryption operation can always be executed by using the data whose bits are inverted by the second encryption operation means and the third encryption operation means, the encryption operation can be performed regardless of the value of the output data. Hamin in the composting device It can be made substantially constant power consumption during cryptographic operation by the weighting constant. As a result, it is possible to improve the resistance against the power analysis attack, and thus to realize an encryption device and a semiconductor integrated circuit that can further improve the difficulty of decrypting the code.

  Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings.

(1) First Embodiment (1-1) Circuit Configuration of IC Card In FIG. 1, reference numeral 1 denotes a non-contact type IC card according to the present embodiment as a whole so that it can communicate with a reader / writer (not shown). Has been made. The IC card 1 includes a central processing unit (CPU) 2 that controls the entire system, an interface unit 3 that communicates with the outside (reader / writer) in a non-contact manner, a read only memory (ROM) 4 that stores a program, and temporary work A RAM (Random Access Memory) 5 serving as an area, an encryption circuit 6 for encrypting various data, and an EEPROM (Electrically Erasable and Programmable ROM) 7 for storing various data are connected via a bus 8.

  The IC card 1 operates by generating electric power in the interface unit 3 based on electromagnetic waves supplied from the reader / writer. For example, when the reader / writer requests to transmit data stored in the EEPROM 7, Data is encrypted by the encryption circuit 6 and transmitted to the reader / writer.

(1-2) Configuration of Encryption Circuit Next, the configuration of the encryption circuit 6 provided in the IC card 1 will be described with reference to FIG. The cryptographic circuit 6 in the present embodiment is a circuit that performs cryptographic operation processing using a DES algorithm, and that performs an DES round f function and XOR operation (hereinafter also referred to as a DES operation). An arithmetic unit 10, a data register 11 including an L register and an R register (not shown) for holding each round of block data Ln and Rn (n = 0, 1, 2,..., 16), and a secret of DES A key register 12 that holds a key (subkey), a dummy key register 13 that holds a key different from the DES subkey (hereinafter also referred to as a dummy key), first and second selectors 14 and 15, Consists of.

  Here, the circuit portion that performs the initial transposition and the reverse transposition of DES is omitted. That is, actually, input data to be encrypted is initially transposed by an initial transposition unit (not shown) to become block data L0 and R0, and the block data L0 and R0 are latched in the data register 11. Then, the block data L16 and R16 latched after the 16th round of DES are sent from the data register 11 to a reverse placement unit (not shown) and reversed, and finally become encrypted data.

  In the encryption circuit 6 according to the present embodiment, a DES operation process (hereinafter referred to as “DES”) using a DES subkey according to a 1-bit random number value (“0” or “1”) supplied from the outside (for example, the CPU 2) This is called the present DES operation), or a DES operation process using a dummy key unrelated to the subkey (hereinafter referred to as a dummy DES operation) is selected and executed. ing. That is, in this cryptographic circuit 6, a dummy DES calculation is inserted in the middle of the cryptographic calculation process, and the flow of the cryptographic calculation process in the cryptographic circuit 6 will be described below.

  When the cryptographic circuit 6 starts cryptographic calculation processing in response to a command from the CPU 2, the cryptographic circuit 6 inputs a 1-bit random number supplied from the CPU 2 to the first selector 14 and the second selector 15. When this random number value is “1”, the first selector 14 acquires the DES subkey held in the key register 12 and sends it to the DES operation unit 10, and the random value is “0”. In this case, the dummy key held in the dummy key register 13 is acquired and sent to the DES operation unit 10.

  The DES operation unit 10 uses the key (subkey or dummy key) supplied from the first selector 14 based on the block data L0 and R0 supplied from the data register 11 to perform the DES operation (this DES operation or dummy). DES operation). Then, the DES calculation unit 10 sends the result of the DES calculation to the second selector 15 and the dummy key register 13.

  When the input random number value is “1”, the second selector 15 causes the data register 11 to latch the result of the DES calculation supplied from the DES calculation unit 10 as the first round of block data L1 and R1. When the value of the random number is “0”, the block data L0 and R0 of the data register 11 are latched in the data register 11 again.

  In other words, the operation result of the dummy DES operation is not latched in the data register 11, but only the operation result of the present DES operation is latched. The dummy key held in the dummy key register 13 is updated with the calculation result supplied from the DES calculation unit 10 for each DES calculation by the DES calculation unit 10.

  When the DES operation by the DES operation unit 10 is thus completed, the encryption circuit 6 obtains a random number again, and executes the DES operation or the dummy DES operation according to the value of the random number. The encryption circuit 6 repeats the above processing until the output data L16 and R16 are latched in the data register 11, that is, until this DES operation is executed for 16 rounds.

  Here, using an actual example, for example, as shown in FIG. 3, in the first DES operation in the cryptographic operation processing, the dummy DES operation is executed because the input random number value is “0”. In the second DES operation, since the random value is “1”, the first round of the DES operation is executed and the block data L1 and R1 are latched in the data register 11, and the third and fourth DES operations are performed. In the calculation, the dummy DES operation is executed when the random number value is “0”, and the second round of the DES operation is executed when the random number value is “1” in the fifth DES operation. Thus, dummy DES operations are randomly inserted in the middle of 16 rounds of this DES operation so that the block data L2 and R2 are latched in the data register 11.

  Since the actual calculation method is the same for the present DES calculation and the dummy DES calculation except for the key used, as shown in FIG. 3, the power consumption of the encryption circuit 6 is almost equal regardless of which DES calculation is executed. Will be equal.

  In this way, in this cryptographic circuit 6, the relationship between the power consumption and the execution timing of 16 rounds of DES is compared with the conventional one by randomly inserting a dummy DES operation in the middle of 16 rounds of this DES computation. It can be made much smaller.

(1-3) Operation and Effect According to First Embodiment In the above configuration, the cryptographic circuit 6 has a case where the value of a 1-bit random number supplied from the outside is “0” during DES cryptographic calculation processing. In this case, a dummy DES operation using a dummy key is executed. If the value of the random number is “1”, a main DES operation using a DES subkey is executed.

  Then, after the first DES operation (dummy DES operation or main DES operation) is completed, the dummy DES operation or main DES operation is executed again according to the value of the random number. Hereinafter, this process is performed for 16 rounds. Repeat until

  As described above, in the DES encryption processing of the encryption circuit 6, dummy DES operations unrelated to the main DES operation are randomly inserted in the middle of the 16-round main DES operation. In addition, since the calculation methods of the DES calculation and the dummy DES calculation are the same, the power consumption during the calculation in the cryptographic circuit 6 is almost the same. Even if the power consumption is observed, the DES calculation is executed. It is difficult to specify the timing.

  Thus, in the cryptographic circuit 6, the relationship between the power consumption and the execution timing of 16 rounds of DES can be remarkably reduced as compared with the conventional case, so the execution timing of 16 rounds of DES is specified from the observation of power consumption. Can be prevented.

  According to the above configuration, the encryption circuit 6 executes the dummy DES operation during the 16 rounds of the DES operation according to the value of the 1-bit random number supplied from the outside, thereby reducing the power consumption and the DES. Since the relevance with the execution timing of 16 rounds can be made much smaller than before, and it is possible to prevent the execution timing of 16 rounds of DES from being identified from the observation of power consumption, it is possible to perform power analysis attacks (particularly simple It is possible to improve resistance to power analysis, and to further improve the difficulty of decrypting the code.

(2) Second Embodiment Next, a second embodiment will be described. The second embodiment is the same as the first embodiment except for the configuration of the encryption circuit 6 (6A in this embodiment), and the description of the same parts is omitted.

  The encryption circuit 6A according to the second embodiment includes a dummy DES operation according to a 1-bit random number supplied from the outside, as shown in FIG. A dummy control unit 20 for controlling the execution of is added.

  When a random number is input, the dummy control unit 20 outputs 1-bit output data having the same value “1” as the random number to the first and second selectors 14 in the subsequent stage when the value of the random number is “1”. And 15. On the other hand, if the value of the input random number is “0”, if the value of the output data sent to the first and second selectors 14 and 15 last time is “1”, the input random number and If the output data of the same value “0” is sent to the first and second selectors 14 and 15, and the value of the output data sent to the first and second selectors 14 and 15 last time is “0”, this input is made. The output data having a value “1” opposite to the random value “0” is sent to the first and second selectors 14 and 15.

  Here, using an actual example, for example, as shown in FIG. 5, when a random number “0” is input at the time of the first DES calculation, the dummy control unit 20 determines that this time is the first DES calculation. Since there is no random number sent to the first and second selectors 14 and 15 last time, output data having the same value “0” as the input random number is sent to the first and second selectors 14 and 15 and this transmission is performed. The output data “0” is latched. As a result, the DES calculation unit 10 executes the dummy DES calculation as in the first embodiment.

  When the random number “1” is input during the subsequent second DES calculation, the dummy control unit 20 outputs the output data of the same value “1” as the first and first output values because the random number value is “1”. 2 The data is sent to the selectors 14 and 15, and the sent output data “1” is latched. As a result, the DES calculation unit 10 executes this DES calculation as in the first embodiment.

  When a random number “0” is input during the subsequent third DES calculation, the dummy control unit 20 determines the value of the latched output data (that is, the output data sent to the first and second selectors 14 and 15 last time). Since (value) is “1”, output data having the same value “0” as the input random number is sent to the first and second selectors 14 and 15, and the sent output data “0” is latched. As a result, the DES calculation unit 10 performs a dummy DES calculation.

  When the random number “0” is input during the subsequent fourth DES calculation, the dummy control unit 20 determines that the value of the input random number is “0” because the value of the latched output data is “0”. The output data having the opposite value “1” is sent to the first and second selectors 14 and 15 and the sent output data “1” is latched. As a result, the DES calculation unit 10 performs a dummy DES calculation. Thereafter, the fifth, sixth,... DES operations are executed in the same manner.

  As described above, the dummy control unit 20 bit-inverts the input random number value “0” so that the dummy DES operation is not continuously executed when “0” continues to the input random number value. Output data of value “1” is sent to the first and second selectors 14 and 15.

  Thereby, in the encryption circuit 6A, the DES operation process can be completed by 32 DES operations that alternately execute the dummy DES operation and the main DES operation at the longest. Thus, according to the encryption circuit 6A, it is possible to prevent the execution timing of the DES operation from being specified and to prevent the dummy DES operation from being repeatedly executed. It can be guaranteed that the processing time will end at the calculation time of 16 rounds × 2 at the longest.

  This is particularly important in the encryption circuit 6A incorporated in an apparatus (for example, the non-contact type IC card 1 or its reader / writer) that requires strict restrictions on the processing time.

(3) Third Embodiment Next, a third embodiment will be described. The third embodiment is the same as the first embodiment except for the configuration of the encryption circuit 6 (6B in the present embodiment), and the description of the same parts is omitted.

  In the encryption circuit 6B according to the third embodiment, the operation result of the DES operation circuit 10 is sent only to the second selector 15, as shown in FIG. Thus, the dummy key in the dummy key register 13 is not updated with this calculation result. That is, in the encryption circuit 6B, a dummy key having a fixed value is held in the dummy key register 13, and a dummy DES operation is executed with this dummy key.

  Actually, if the dummy key is randomly changed for each DES operation as in the first embodiment, if the tens of thousands of output data of the cryptographic circuit 6 is collected and statistically analyzed, the dummy key is averaged. It can be considered that the effect of the dummy is reduced due to noise.

  Therefore, in the present embodiment, the dummy key is set to a fixed value in order to keep the dummy key irrelevant to the DES subkey and keep a predetermined bias. For example, even when tens of thousands of output data are collected and statistically analyzed, the dummy effect is sustained, and it may be more effective as a countermeasure against a power differential attack.

  The fixed value dummy key may be supplied from the outside. In this case, if the dummy key is updated every certain period (for example, every month), it may be more effective as a countermeasure against the power differential attack.

(4) Fourth Embodiment Next, a fourth embodiment will be described. The fourth embodiment is the same as the second embodiment except for the configuration of the encryption circuit 6A (6C in this embodiment), and the description of the same parts is omitted.

  The encryption circuit 6C according to the fourth embodiment is provided with a dummy control unit 20A as shown in FIG. 7 in which the same reference numerals are assigned to corresponding parts to those in FIG. Random number is input to the dummy control unit 20A, and the dummy control unit 20A controls the execution of the dummy DES calculation according to the value of the n-bit random number input.

  Here, as an example, a case will be described in which a 4-bit random number that randomly takes values from “0” to “15” is supplied from the outside and input to the dummy control unit 20A.

  In the encryption circuit 6C, the dummy DES operation is repeatedly executed according to the value of a 4-bit random number inputted before the main DES operation of the first round and after the main DES operation of the 16th round. Yes.

  That is, as shown in FIG. 8, when a random number having a value of “6”, for example, is input during the first DES calculation, the dummy control unit 20A of the encryption circuit 6C responds to the random value “6”. , 1-bit output data whose value is “0” is sent to the first and second selectors 14 and 15 in the subsequent stage six times in succession. As a result, the DES calculation unit 10 executes the dummy DES calculation six times continuously.

  After sending the output data of the value “0” according to the random number value in this way, the dummy control unit 20A subsequently outputs the output data of the value “1” 16 times in succession to the first and second selectors 14 and 15 to send. As a result, the DES calculation unit 10 executes this DES calculation up to 16 rounds.

  Next, when a 4-bit random number is input again, the dummy control unit 20A counts the output data whose value is “0” twice in succession according to the input random number value (for example, “2”). The data is sent to the first and second selectors 14 and 15. As a result, the DES calculation unit 10 executes the dummy DES calculation twice in succession.

  As described above, in the cryptographic circuit 6C, after the dummy DES operation is performed six times, the 16-round main DES operation is subsequently performed, and then the dummy DES operation is performed twice. As a result, in the encryption circuit 6C, the relationship between the power consumption and the execution timing of the 16 rounds of the DES operation can be remarkably reduced as compared with the conventional case. It can be prevented from being specified.

  Incidentally, in practice, an attacker often targets either the first round or the sixteenth round of the DES calculation as an attack target. This is because the rising or falling portion of power consumption generally matches the execution timing of the first round or the sixteenth round. Therefore, as shown in FIG. 9A, the attacker pays attention to the rise in power consumption, for example, and performs an analysis by predicting that the first DES operation of the first round will be executed at this timing.

  Therefore, in the encryption circuit 6A of the second embodiment described above, a dummy DES operation is randomly inserted in the middle of the DES operation, as shown in FIGS. 9A and 9B. Actually, the dummy DES operation is executed only when the value of the input 1-bit random number is “0”, and the dummy DES operation is controlled not to be executed continuously.

  In this case, the probability that the first DES calculation of the first round is executed at the rising portion of the power consumption is 50%, and the first DES calculation of the first round is not necessarily executed at the rising portion of the power consumption. However, even if this is done, for example, if the statistical analysis is performed by doubling the number of samples at the rising portion of power consumption by the attacker when no dummy DES operation is inserted, the same result as when the dummy DES operation is not inserted is obtained. There is a risk that the code will be decrypted in a relatively short time.

  Therefore, if a dummy DES operation is inserted according to a 4-bit random number that randomly takes a value from “0” to “15” as in the encryption circuit 6C of the present embodiment, the rising portion of the power consumption Therefore, the probability that the first DES operation in the first round is executed is 1/16, and the attacker must perform statistical analysis by multiplying the number of samples at the rising portion of power consumption by 16 times that when no dummy DES operation is inserted. This eliminates the effect of dummy DES operation insertion.

  Furthermore, in this cryptographic circuit 6C, the dummy DES operation is inserted only before the first round and the 16th round, which are attack targets, thereby making it difficult to specify the execution timing of the first round and the 16th round. At the same time, it can be guaranteed that the processing time of the DES calculation will end at the calculation time of 15 rounds (dummy) +16 rounds (main) +15 rounds (dummy).

  Thus, according to the encryption circuit 6C, it is possible to make it difficult to specify the execution timing of the first round and the 16th round, which are attack targets, so that it is possible to further improve the difficulty of decrypting the cipher. It can be assured that the process is completed within a predetermined time.

(5) Fifth Embodiment Next, a fifth embodiment will be described. The fifth embodiment is the same as the first embodiment except for the configuration of the encryption circuit 6 (6D in this embodiment), and the description of the same parts is omitted.

  The encryption circuit 6D according to the present embodiment includes a DES operation unit 10A in which DPA countermeasures are taken, as shown in FIG. The DES operation unit 10A performs an operation based on the f function of DES using the 32-bit block data Rn supplied from the R register 11R of the data register 11 and the 48-bit subkey supplied from the key register 12. an f function unit 30, a first XOR unit 31 that performs an XOR operation of the 32-bit output data fn output from the f function unit 30 and the 32-bit block data Rn supplied from the L register 11 L of the data register 11; And a DPA countermeasure circuit 32 to be described later.

  Then, the DES operation unit 10A configured as described above sends the block data Rn supplied from the R register 11R to the L register 11L as block data Ln + 1 of the next round, and a 32-bit output from the first XOR operation unit 31. The output data X1n is sent to the R register 11R as the next round block data Rn + 1.

  In the present embodiment, for the sake of convenience of explanation, the description regarding the insertion of the dummy DES operation described in the first embodiment is omitted, but actually, the dummy DES operation is randomly inserted at the time of the DES operation. It may be. In this case, the first and second selectors 14 and 15 and the dummy key register 13 may be added to the encryption circuit 6D of FIG.

  The DPA countermeasure circuit 32 is supplied from an inverter 33 that inverts the output data fn of the f function unit 30, the bit-inverted output data fn (hereinafter also referred to as bit-inverted data rfn), and the L register 11L. A second XOR unit 34 that performs an XOR operation with the block data Ln, and eight NAND circuits (negative OR circuits) that terminate the 32-bit output data X2n output from the second XOR unit 34 in units of 4 bits. ) And a termination processing unit 35.

  That is, the 32-bit output data fn output from the f function unit 30 is sent to the first XOR unit 31 and the inverter 33 of the DPA countermeasure circuit 32, and the output data fn supplied to the inverter 33 is the inverter 33. The bit inversion is performed to generate bit inversion data rfn, which is sent to the second XOR unit 34.

  Then, the first XOR unit 31 performs an XOR operation using the output data fn of the f function unit 30 and the block data Ln, and almost simultaneously, the second XOR unit 34 of the DPA countermeasure circuit 32 outputs the output data fn of the f function unit 30. XOR operation using the bit-reversed data rfn obtained by bit-reversing and the block data Ln is performed.

  By the way, as described above, the attacker pays attention to the fact that the power consumption of the circuit is proportional to the Hamming weight of the data output as a result of the cryptographic operation using the key. The power consumption measurement data is classified according to “0” and “1”, and a DES key is specified by statistically analyzing the difference.

  Therefore, in the encryption circuit 6D, for example, when a bit value of the output data fn of the f function unit 30 is “0”, the bit value is inverted to “1” by the inverter 33 of the DPA countermeasure circuit 32, and When a certain bit value of the output data fn of the f function unit 30 is “1”, the inverter 33 inverts this bit value to “0”, and the first XOR unit 31 and the second XOR unit 34 in the subsequent stage The operation is performed on the data in which the bit values (“0” or “1”) are inverted.

  That is, the DES operation unit 10A is provided with a pair of circuit portions for processing data with inverted bit values, so that the hamming weight in the circuit can always be kept constant. The power consumption at the time of calculation is made substantially constant (that is, the power consumption in the encryption circuit 6D is almost constant regardless of whether the bit value of the output data fn of the f function unit 30 is “1” or “0”). Can do.

  As a result, in this encryption circuit 6D, the Hamming weight can be made constant regardless of the value of the output data fn depending on the DES key, so that the correlation between the key and the power consumption is much smaller than in the conventional case. can do.

  Therefore, no matter how much the attacker performs the statistical analysis of the difference in power consumption in the cryptographic circuit 6D, the difference is always almost zero, so the secret key cannot be specified.

  Thus, according to the encryption circuit 6D, the XOR operation using the output data fn of the f function unit 30 is executed by the first XOR unit 31, and the output data fn is bit-inverted by the inverter 33 to be the bit-inverted data rfn. By performing the XOR operation using the bit inverted data rfn in the second XOR unit 34, the Hamming weight in the encryption device is made constant regardless of the value of the output data fn, and the power consumption during the cryptographic operation is reduced. It can be made almost constant. As a result, the cryptographic circuit 6D can improve resistance to power analysis attacks (particularly differential power analysis), and thus can further improve the difficulty of decrypting the code.

(6) Sixth Embodiment Next, a sixth embodiment will be described. The sixth embodiment is the same as the fifth embodiment except for the configuration of the encryption circuit 6D (6E in this embodiment), and the description of the same parts is omitted.

  The encryption circuit 6E according to the sixth embodiment has a DES operation unit 10B on which a DPA countermeasure circuit 32A is mounted, as shown in FIG. The DPA countermeasure circuit 32A is newly provided with a DPA countermeasure data register 40 (R ′ register 40R and L ′ register 40L) and an inverter 41 which are paired with the data register 11 (R register 11R and L register 11L). Of these, the R ′ register 40R of the DPA countermeasure data register 40 replaces the termination processing unit 35 in the fifth embodiment.

  In the encryption circuit 6E, the block data Rn supplied from the R register 11R is sent to the L register 11L to be latched as block data Ln + 1 of the next round, and this block data Rn is also sent to the inverter 41 of the DPA countermeasure circuit 32A. The bit is inverted and the bit is inverted, and then latched in the L ′ register 40L.

  In the encryption circuit 6E, the output data X1n of the first XOR operation unit 31 is latched in the R register 11R as the next round block data Rn + 1, and the output data X2n of the second XOR unit 34 is latched in the R ′ register 40R. Has been made.

  That is, an R ′ register 40R and an L ′ register 40L having the same role as the R register 11R and the L register 11L are provided in the DPA countermeasure circuit 32A, and the R ′ register 40R, the L ′ register 40L, the R register 11R, and the L register are provided. The data whose bit values are inverted from each other is latched at 11L.

  In this way, in this encryption circuit 6E, the difference in power consumption related to the bit value in the encryption circuit 6E can be further reduced by making the configuration of the pair of circuit portions that process data with inverted bit values the same. As a result, resistance against power analysis attacks (particularly, differential power analysis) can be improved, so that it is possible to further improve the difficulty of decrypting the code.

(7) Other Embodiments In the above-described embodiment, the case where DES is used as the encryption technique used in the encryption circuits 6, 6A, 6B, 6C, 6D, and 6E has been described. The present invention is not limited to this, and various other encryption techniques such as Triple DES, AES (Advanced Encryption Standard), IDEA (International Data Encryption Algorithm), RC (Ron's Code) 2, RC4, RC5, etc. are used. May be.

  In the above-described embodiments, the configurations shown in FIGS. 2, 4, 6, 7, 10, and 11 are disclosed as the configurations of the encryption circuits 6, 6A, 6B, 6C, 6D, and 6E. However, the present invention is not limited to this, and any software or hardware (for example, IC (integrated) may be used as long as it has a configuration that can actually realize the same functions as those of the cryptographic circuits 6, 6A, 6B, 6C, 6D, and 6E. circuit) chip), and a combination thereof.

  Furthermore, in the above-described embodiment, the case where the present invention is applied to the encryption circuit 6 mounted on the IC card 1 has been described. However, the present invention is not limited to this, and various apparatuses (for performing cryptographic operations) ( For example, the present invention may be applied to a reader / writer of the IC card 1, a mobile phone, a notebook personal computer, etc.), a circuit, an IC chip as a semiconductor integrated circuit, or the like.

  Further, in the first to fourth embodiments described above, the case where the DES operation (the present DES operation or the dummy DES operation) is executed according to the value of the random number supplied from the outside has been described. The present invention is not limited to this. For example, a random number generation unit may be provided in the encryption circuit, and the DES calculation may be executed according to the value of the random number generated by the random number generation unit. If the random number is generated in the encryption circuit in this way, the risk of falsification of the random number can be reduced as compared with the case where the random number is supplied from the outside.

  Further, in the above-described sixth embodiment, the DPA countermeasure data register 40 as the second holding means paired with the data register 11 as the first holding means is provided in the DPA countermeasure circuit 32A. As described above, the present invention is not limited to this. For example, the L ′ register 40L and the inverter 41 of the DPA countermeasure data register 40 may be omitted.

  Further, in the first to fourth embodiments described above, a cipher that performs cryptographic operation processing based on the DES algorithm using a DES subkey as the first key data and a dummy key as the second key data. The DES operation units 10, 10A, and 10B as operation means, the dummy key register 13 and the first selector 14 as insertion means constitute encryption circuits 6, 6A, 6B, and 6C as encryption devices and semiconductor integrated circuits. Although the case has been described, the present invention is not limited to this, and various other configurations may be used.

  Further, in the fifth and sixth embodiments described above, the f function unit 30 as the first cryptographic operation means for executing the operation based on the f function as the first cryptographic operation, and the f function unit 30 The first XOR unit 31 as a second cryptographic operation means that performs an XOR operation as a second cryptographic operation using the output data fn, the inverter 33 that inverts the output data fn of the f function unit 30, and the bit inversion The encryption device and the encryption circuits 6D and 6E as the semiconductor integrated circuit are configured by the second XOR unit 34 as the third encryption operation means that executes the XOR operation as the third encryption operation using the data rfn. Although the case has been described, the present invention is not limited to this, and various other configurations may be used.

  The present invention can be widely used in apparatuses, circuits, IC chips and the like that execute cryptographic operations.

It is a basic diagram which shows the structure of the IC card in 1st Embodiment. It is a basic diagram which shows the structure of the encryption circuit in 1st Embodiment. 6 is a timing chart showing the execution timing of the DES calculation in the first embodiment. It is a basic diagram which shows the structure of the encryption circuit in 2nd Embodiment. It is a timing chart which shows the execution timing of the DES calculation in 2nd Embodiment. It is a basic diagram which shows the structure of the encryption circuit in 3rd Embodiment. It is a basic diagram which shows the structure of the encryption circuit in 4th Embodiment. It is a timing chart which shows the execution timing of the DES calculation in 4th Embodiment. It is a timing chart which shows the timing of DPA analysis. It is a basic diagram which shows the structure of the encryption circuit in 5th Embodiment. It is a basic diagram which shows the structure of the encryption circuit in 6th Embodiment. It is a basic diagram which shows a DES encryption algorithm. It is a timing chart which shows the relationship between power consumption fluctuation | variation and DES calculation.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 ... IC card, 2 ... CPU, 3 ... Interface part, 4 ... ROM, 6, 6A, 6B, 6C, 6D, 6E ... Encryption circuit, 7 ... EEPROM, 11 ... Data register, 11L , 40L: L register, 11R, 40R: R register, 12: key register, 13: dummy key register, 14: first selector, 15: second selector, 20, 20A: dummy control unit , Generating unit, 30... F function unit, 31... First XOR unit, 32, 32 A... DPA countermeasure circuit, 33, 41.

Claims (16)

Encryption means for repeatedly generating cryptographic data by repeatedly executing cryptographic calculation processing using first key data serving as a secret key based on input data;
Insertion in which encryption operation using second key data different from the first key data is randomly inserted during the repetition of encryption operation using the first key data and executed by the encryption means An encryption device comprising: means. The insertion means is
2. The encryption according to claim 1, wherein insertion of the cryptographic operation processing using the second key data is controlled so as not to repeatedly and repeatedly insert the cryptographic operation processing using the second key data. apparatus. The insertion means is
The encryption apparatus according to claim 1, wherein the second key data is updated with a result of a cryptographic operation process executed by the encryption means. The encryption apparatus according to claim 1, wherein the second key data is a fixed value. The insertion means is
Randomly inserting and executing a cryptographic calculation process using the second key data before and after the cryptographic calculation process using the first key is repeatedly executed by the encryption unit. The encryption device according to claim 1. The cryptographic operation means is
First cryptographic operation means for executing a first cryptographic operation using the first key data;
Second cryptographic operation means for executing a second cryptographic operation using output data output as a result of the first cryptographic operation by the first cryptographic operation means;
Bit inversion means for bit-inverting the output data output as a result of the first encryption operation by the first encryption operation means;
2. The encryption apparatus according to claim 1, further comprising a third cryptographic operation unit that performs a third cryptographic operation similar to the second cryptographic operation using the output data that has been bit-inverted. First holding means for holding a result of the second cryptographic calculation by the second cryptographic calculation means;
The encryption apparatus according to claim 1, further comprising: a second holding unit that holds a result of the third cryptographic calculation by the third cryptographic calculation unit. First cryptographic operation means for executing a first cryptographic operation using first key data serving as a secret key based on input data;
Second cryptographic operation means for executing a second cryptographic operation using output data output as a result of the first cryptographic operation by the first cryptographic operation means;
Bit inversion means for bit-inverting the output data output from the first cryptographic operation means;
And a third cryptographic operation means for performing a third cryptographic operation similar to the second cryptographic operation using the output data bit-inverted. First holding means for holding a result of the second cryptographic calculation by the second cryptographic calculation means;
The encryption apparatus according to claim 8, further comprising: a second holding unit that holds a result of the third cryptographic calculation by the third cryptographic calculation unit. The first encryption operation using the first key data, the second encryption operation, the third encryption operation means, the second encryption operation means, and the third encryption operation means. During the repeated execution of the cryptographic calculation process consisting of the first cryptographic calculation, the first cryptographic calculation using the second key data different from the first key data, the second cryptographic calculation, and the second An insertion means for randomly inserting a cryptographic calculation process comprising three cryptographic calculations and causing the first cryptographic calculation means, the second cryptographic calculation means, and the third cryptographic calculation means to execute. 9. The encryption device according to claim 8, wherein The insertion means is
Controls insertion of the cryptographic operation processing so that the cryptographic operation processing including the first cryptographic operation using the second key data, the second cryptographic operation, and the third cryptographic operation is not repeatedly repeated. The encryption device according to claim 8, wherein: The insertion means is
9. The second key data is updated with a result of cryptographic calculation processing executed by the first cryptographic calculation means, the second cryptographic calculation means, and the third cryptographic calculation means. The encryption device described in 1. The encryption apparatus according to claim 8, wherein the second key data is a fixed value. The insertion means is
The first encryption operation using the first key data, the second encryption operation, the third encryption operation means, the second encryption operation means, and the third encryption operation means. The first cryptographic operation, the second cryptographic operation, and the third cryptographic operation using the second key data before and after the cryptographic operation processing including the cryptographic operation is repeatedly executed. The encryption apparatus according to claim 8, wherein the cryptographic operation processing comprising: Encryption means for repeatedly generating cryptographic data by repeatedly executing cryptographic calculation processing using first key data serving as a secret key based on input data;
Insertion in which encryption operation using second key data different from the first key data is randomly inserted during the repetition of encryption operation using the first key data and executed by the encryption means A semiconductor integrated circuit comprising: means. First cryptographic operation means for executing a first cryptographic operation using first key data serving as a secret key based on input data;
Second cryptographic operation means for executing a second cryptographic operation using output data output as a result of the first cryptographic operation by the first cryptographic operation means;
Bit inversion means for bit-inverting the output data output from the first cryptographic operation means;
And a third cryptographic operation means for executing a third cryptographic operation similar to the second cryptographic operation using the output data bit-inverted.

Images