The present invention relates to information processing equipment, and more particularly to an information processing apparatus suitable for a tamper resistance device such as an IC card providing high security.
An IC card is mainly used for storing information so that it cannot be altered by a third party, or for enciphering data or deciphering cipher text by using a cipher key which is kept secret. Since the IC card is not provided with a power source, it becomes operable only when it is inserted into a reader-writer. The IC card receives a command from the reader-writer to execute data transfer.
As shown in FIG. 1, an IC card has a structure in which an IC card chip 102 is fabricated on a card 101. A general IC card has contacts via which power is supplied from a reader-writer and data is transferred.
The structure of an IC card chip is basically the same as that of a microcomputer. As shown in FIG. 2, the IC card chip includes a central processor 201, a storage memory 204, an input/output port 207, and a co-processor 202. The central processor 201 executes logical and arithmetic calculations, and the storage memory 204 stores programs and data. The input/output port 207 communicates with a reader-writer. The co-processor 202 is a special calculation device for executing modular calculations, and is used for calculations in asymmetric ciphers such as RSA. Many IC card processors have no co-processor. A data bus 203 interconnects the components of the IC card.
The storage memory 204 includes a ROM (Read Only Memory), a RAM (Random Access Memory), an EEPROM (Electrically Erasable Programmable Read Only Memory) and the like. ROM is a memory device whose contents cannot be rewritten freely, and is mainly used for storing programs. RAM is a memory whose contents can be rewritten freely and are erased if the power supply is interrupted. When the IC card is disconnected from the reader-writer, the power supply is interrupted so that the contents of RAM cannot be retained. EEPROM is a rewritable memory whose contents are retained even if the power supply is interrupted. Therefore, EEPROM is used for storing data which may be rewritten and must be retained even if the IC card is disconnected from the reader-writer. For example, the number of prepaid times of a prepaid card is stored in EEPROM because it is updated each time the card is used and its contents must be retained even if the card is disconnected from the reader-writer.
An IC card is used for storing programs and important information in the IC card chip to execute a cipher process. It has long been considered that the difficulty of breaking a cipher process executed in the IC card is the same as that of breaking the ciphering algorithm. However, it has been suggested recently that the contents of a cipher process and the cipher key may be presumed by measuring and analyzing the consumption current while the cipher process is executed, more easily than by breaking the cipher algorithm. The consumption current can be monitored by measuring the current supplied from the reader-writer. This possible danger is described in "Smart Card Handbook", by W. Rankl and W. Effing, John Wiley and Sons, paragraph 8.5.1.1 "Passive protective mechanism", at p. 263.
The CMOS circuits constituting an IC card chip consume current when an output state changes from "1" to "0" or vice versa. The data bus 203 in particular draws a large current when its state changes from "1" to "0" or vice versa, because the data bus has a large electrical capacitance. This suggests a possibility of presuming the operation state in the IC card chip by monitoring the consumption current.
FIG. 3 shows wave shapes of consumption current during one cycle operation of an IC card chip. Depending upon processed data, the current wave shape becomes different as indicated at 301 and 302. This difference is generated depending upon data on the bus 203 and data being processed by the central processor 201.
Consider now the data transfer on a pre-charge bus of 16 bits. The pre-charge bus is reset prior to data transfer so that all bits on the bus have a value "0". If data having the same number of "1" bits but different values, e.g., data of hexadecimal "88" and "11", both having two "1" bits, is transferred to this bus, the current wave shapes are generally the same. This is because the numbers of bits changing from "0" to "1" are the same, so the same current is consumed and the current wave shapes are similar. If data having a difference of one "1" bit, e.g., data of hexadecimal "89" and "19", both having three "1" bits, is transferred to this bus, the current wave shape becomes different from that of the data having two "1" bits. This is because the number of bits changing from "0" to "1" becomes three and correspondingly more current is consumed. Therefore, as compared to the data having two "1" bits, the consumption current increases by an amount corresponding to one bit. There is a regularity that the larger the number of "1" bits, the larger the amplitude of the current wave shape becomes. From this regularity, the transferred data can be presumed.
The current wave shapes shown in FIG. 3 indicate the total sum of current flowing not only through the bus but also through other components constituting the IC card chip. A microcomputer such as an IC card chip includes a phase during which data is transferred mainly to the bus, a phase during which a CPU operates mainly, a phase during which data is written in a register, and other phases. If the phases are taken into account, it is possible to know by which component a difference between consumption currents was mainly produced, and the data process at the component can be presumed.
A difference between consumption currents will be described by using as an example the following left shift instruction.
shift1 R1    (1)
This instruction shifts the contents of the register R1 to the left, i.e., shifts the bit train in the register to the left, and the value of the most significant bit is entered in a condition code register as a carry. Since the most significant bit in the register R1 is transferred via the data bus to the condition code register, whether the most significant bit is "0" or "1" can possibly be discriminated by comparing the amplitudes of current wave shapes. If important data is stored in the register R1, there is a possibility of discriminating whether this data is "0" or "1", although the data is only one bit. The cryptographic process, particularly DES, frequently uses an operation of shifting a cipher key. During this shift operation, a current wave shape that allows the data of the cipher key to be presumed is generated, so that there is a possibility that the cipher key is presumed.
The above-described case also applies to the operation of the co-processor 202. If the operation contents include any imbalance dependent upon a cipher key, this shift can be presumed from the consumption current, and there is a possibility that the cipher key is presumed.
An issue associated with the present invention is to reduce the relation between the data process in an IC card chip and its consumption current. If this relation can be reduced, it becomes difficult to presume the data process in the IC card chip and the cipher key from the observed consumption current wave shapes. The feature of this invention is to make it difficult to presume the data process and the cipher key from the consumption current wave shape, by processing the data in the IC card chip after it is transformed.
The tamper resistance device, typically an IC card chip, is considered as an information processing equipment which comprises: a storage memory including a program storage unit for storing a program and a data storage unit for storing data; and a central processing unit for executing a data process in accordance with the program, the program including one or more data process means each being a process instruction for giving an execution instruction to the central processing unit. According to the invention, as the method of reducing the relation between the data process in an IC card chip and its consumption current, data is first transformed by using disturbance data and then processed. After this process, the data is untransformed by using the disturbance data to obtain a correct process result. The disturbance data to be used after the data process may be the same disturbance data used for the data process, if necessary. The disturbance data is changed randomly at each data process. With these processes, during each data process, transformed data can be used without using the original data. It becomes therefore difficult to presume the data from current wave shapes.
Specifically, disturbance data Xi is first generated and the data D1 is transformed by using the disturbance data Xi to generate transformed data H1. The transforming method may be exclusive logical OR, addition, multiplication or the like. During the data process, the transformed data H1 is processed to generate processed and transformed data H2. Since the transformed data H1 is used instead of original data D1, it is difficult to presume the data D1 from the current wave shapes during the process of the transformed data H1. Since the transformed data is generated by using different disturbance data Xi at each process, the transformed data generated at each process is different. Therefore, the current wave shape during the process of the transformed data H1 becomes different at each process. Presuming the transformed data H1 from current wave shapes is therefore meaningless.
If it is necessary for the disturbance data Xi to be processed in a manner similar to the data D1, the disturbance data Xi is processed to generate processed disturbance data Xo. The processed and transformed data H2 is processed by using the processed disturbance data Xo to generate the processed data D2, which is the result of the input data process for the input data D1.
If it is necessary to use different data transformation methods, it may be required to connect several data transformations. In such a case, a combination of a data transforming process, a transformed data process, a disturbance data process, and a data untransforming process is used and these several data transformations are connected so as not to process original data.
According to this invention, it is possible to conceal the information that may be obtained during the permutation process and substitution process for replacing data, and during the access process to data tables, while an encryption algorithm is executed. A transformation process that ensures the correct data is obtained is one of the effective methods to be used for data encryption and decryption. In this transformation process, the exclusive logical OR is used to transform data in a data exchanging process, and the transformed data and disturbance data are processed by the same method in the data process.
The typical structure of the invention is as follows. An information processing equipment comprising: a storage memory including a program storage unit for storing a program and a data storage unit for storing data; a central processing unit for executing a data process in accordance with the program, the program including one or more data process means each being a process instruction for giving an execution instruction to the central processing unit; and input data processing means wherein one data processing means processes input data and outputs the processed data, comprises: data transforming process means for transforming input data D1 by using disturbance data Xi to generate transformed data H1; transformed data processing means for executing an operation process OP1 for the transformed data H1 in place of the operation process OP1 for the input data D1 to be executed by the input data processing means, to generate processed and transformed data H2; disturbance data processing means for executing the operation process OP1 for the disturbance data Xi to generate processed disturbance data Xo; and data untransforming processing means for executing an operation process OP2 for the processed and transformed data H2 by using the processed disturbance data Xo, to generate processed data D2 which is a result of the operation process OP1 for the input data D1.
The operation process OP1 corresponds, for example, to the process of an embodiment illustrated in FIG. 4 to be described later. The operation process OP1 corresponds, for example, to the process for disturbance data 2 (510 to 513, and 516 to 520).
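The transform, process, and untransform structure described above can be traced with a small model. The following is an added example, not code from the patent: it assumes the transformation is exclusive OR, that OP1 is a 16-bit rotate left by one (standing in for a key shift), that OP2 is exclusive OR with Xo, and that bus current follows the Hamming-weight regularity described for the pre-charge bus. All function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Leakage model from the text: a pre-charged bus draws current in
   proportion to the number of bits driven 0 -> 1 (the Hamming weight). */
static int hamming_weight(uint16_t v) {
    int n = 0;
    for (; v; v &= (uint16_t)(v - 1)) n++;
    return n;
}

/* Assumed OP1: rotate left by one. Linear over XOR, so
   op1(a ^ b) == op1(a) ^ op1(b), which makes OP2 a plain XOR. */
static uint16_t op1(uint16_t v) {
    return (uint16_t)((v << 1) | (v >> 15));
}

/* Modelled bus activity when OP1 runs directly on D1. */
int unmasked_leak(uint16_t d1) {
    return hamming_weight(d1) + hamming_weight(op1(d1));
}

/* The four means of the text; *leak gets the modelled bus activity. */
uint16_t masked_op1(uint16_t d1, uint16_t xi, int *leak) {
    uint16_t h1 = (uint16_t)(d1 ^ xi);  /* transform:   H1 = D1 xor Xi */
    uint16_t h2 = op1(h1);              /* process:     H2 = OP1(H1)   */
    uint16_t xo = op1(xi);              /* disturbance: Xo = OP1(Xi)   */
    if (leak) *leak = hamming_weight(h1) + hamming_weight(h2);
    return (uint16_t)(h2 ^ xo);         /* untransform: D2 = H2 xor Xo */
}

/* Sum the leak over every possible Xi; returns -1 if any D2 is wrong. */
long masked_leak_total(uint16_t d1) {
    long total = 0;
    for (uint32_t xi = 0; xi <= 0xFFFF; xi++) {
        int leak;
        if (masked_op1(d1, (uint16_t)xi, &leak) != op1(d1)) return -1;
        total += leak;
    }
    return total;
}

int main(void) {
    uint16_t samples[] = { 0x0088, 0x0011, 0x0089 };  /* constructed inputs */
    for (int i = 0; i < 3; i++)
        printf("D1=%04X unmasked=%d masked_mean=%.1f\n", samples[i],
               unmasked_leak(samples[i]),
               masked_leak_total(samples[i]) / 65536.0);
    return 0;
}
```

Enumerating every Xi stands in for the random choice of disturbance data at each process: the unmasked figure tracks the number of "1" bits in D1, while the masked mean is the same for every D1.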