1. Field of the Invention
The present invention relates to a tamper resistant information processing unit with a high level of security, and more particularly to a technique that is extremely effective if the technique is applied to IC cards, and the like.
The present invention relates to a tamper resistant information processing unit capable of preventing processing information from being read and analyzed by power analysis or hardware probing in the information processing unit. Further, the present invention relates to a fault-detectable tamper resistant information processing unit that can detect a change in data and falsification of data caused by an attack at the time of writing/reading the data, or to a fault-tolerant tamper resistant information processing unit that can automatically recover data from the change or the falsification. In particular, the present invention relates to an information processing unit integrated into one chip, which is typified by IC cards (smart cards), in which the above functions are required.
2. Description of the Related Art
The IC card is a device that holds private information which must not be rewritten without permission, and that encrypts data by use of an encryption key, which is secret information, and decrypts encrypted data. The IC card itself is not equipped with a power supply. When a contact-type IC card is inserted into a reader/writer for IC cards, power is supplied to the card so that it becomes operable. A contactless-type IC card becomes operable by receiving a radio wave generated by a reader/writer, from which electric power is generated by the principle of electromagnetic induction. When the IC card becomes operable, it receives a command transmitted from the reader/writer and then performs processing, such as data transmission, according to the command. The contact-type and contactless-type IC cards are in principle the same because their main bodies are the same IC chips. Therefore, hereinafter only the contact-type IC card will be described.
As shown in FIG. 1, the basic concept of an IC card is that an IC card chip 102 is mounted on a card 101. In general, as shown in the figure, an IC card has at specified positions a supply voltage terminal Vcc, a ground terminal GND, a reset terminal RST, an input/output terminal I/O, and a clock terminal CLK. The positions of these terminals are specified in the standard of ISO 7816. Through these terminals, the power is supplied from the reader/writer, and data communication with the reader/writer is performed.
A semiconductor chip mounted on the IC card is basically configured in the same manner as ordinary microcomputers. FIG. 2 is a block diagram illustrating a basic configuration of a semiconductor chip mounted on an IC card. As shown in FIG. 2, the semiconductor chip used for a card member comprises a central processing unit (CPU) 201, a memory device 204, an input-output (I/O) port 207, and a coprocessor 202. Here, the memory device 204 has a PA (program area) and a DA (data area).
Incidentally, depending on the kind of system, a coprocessor may not be included. The CPU 201 is a device that performs logical operations, arithmetic operations, and the like. The memory device 204 is a device for storing a program and data. The input-output port is a device used to communicate with a reader/writer. The coprocessor is a device that performs, at high speed, encryption itself or the arithmetic operations required for encryption. For example, there are a special arithmetic unit for performing the modular calculation of RSA cryptography, a device for performing the processing of DES cryptography, and the like. Some processors for IC cards do not include a coprocessor. The data bus 203 is a bus for connecting the devices to one another.
The memory device 204 comprises a ROM (Read Only Memory), a RAM (Random Access Memory), and an EEPROM (Electrically Erasable Programmable Read Only Memory). The ROM is a memory whose stored information cannot be changed; it mainly stores a program. The RAM is a memory whose stored contents can be freely rewritten; however, if the power supply is interrupted, the stored contents are lost. The EEPROM is a memory that can hold its contents even if the power supply is interrupted. The EEPROM is used to store information that needs to be rewritten, and to store data that must be held even after the IC card is taken out of the reader/writer. For example, the amount of money spent with a prepaid card is held in the EEPROM.
In an information processing unit such as a microcomputer, typified by the IC card described above, information to be kept secret is held so that not only attackers who try to illegally access the information processing unit but also authorized users cannot perform read and write freely. Therefore, by use of an encryption key that is secret information, data to be kept secret may be encrypted and decrypted.
However, there is a possibility that information processed inside the information processing unit will be inferred by observing the electric current consumption and the radiated electromagnetic waves of the information processing unit.
As measures against the above, there is a method in which a stored location of data is first changed, and next the data is encrypted/decrypted before the data is stored; and there is also a method in which a stored location of data is interchanged so that it is not possible to predict a stored location after the interchange from the stored location before the interchange (for example, refer to Japanese Patent Application Laid-Open No. 2003-134103).
The “attacker” on a certain system and a certain device means a person who, using a method that is not expected by a designer, analyzes the system and the device and thereby carries out an attack on them to extract information that is not disclosed to the outside in the first place. In a microcomputer chip with a high level of security, typified by IC cards, information to be kept secret is held so that not only attackers who try to illegally access the information processing unit but also authorized users cannot perform read and write freely. Therefore, by use of an encryption key that is secret information, data to be kept secret may be encrypted and decrypted (for example, refer to Japanese Patent Application Laid-Open No. 2003-134103).
Incidentally, Japanese Patent Application Laid-Open No. 2000-507072 discloses the technique in which between a digital receiver (for example, a decoder of a MPEG-2 digital television receiver) and a system decoder, the bit order of a cryptogram bit stream constituted of N bits from an N parallel bit line of a first data bus is scrambled to generate a scrambled cryptogram bit stream having a width of N bits, and then the bit order of the scrambled N-bit cryptogram bit stream is descrambled to generate a descrambled cryptogram bit stream that is the same as the original cryptogram bit stream.
As shown in FIG. 10, the microcomputer is basically configured to comprise: a central processing unit 1001; a memory device 1004; an input-output port 1007 for exchanging information with each part; and a signal line 1003 for connecting them to one another. The central processing unit 1001 is a device that performs logical operations, arithmetic operations, and the like. The memory device 1004 is a device for storing a program and data. The memory device 1004 is configured to include a ROM (Read Only Memory), a RAM (Random Access Memory), an EEPROM (Electrically Erasable Programmable Read Only Memory), and a FRAM (Ferromagnetic Random Access Memory). The ROM is a memory whose contents are fixed and therefore cannot be changed; it mainly stores a program. The RAM is a memory whose stored contents can be freely rewritten; however, if the power supply is interrupted, the stored contents are lost. To be more specific, when the power supply to the device is interrupted, it becomes impossible to hold the contents of the RAM. The EEPROM and the FRAM are memories that can hold their contents even if the power supply is interrupted.
An example of a computer main body used for the contact-type smart card is shown in FIG. 2. FIG. 2 is a diagram illustrating how terminals are placed when a chip of this semiconductor device is mounted on a plastic card. The computer main body in question is a packaged IC chip 1102, which is called a COT. The IC chip 1102 is placed at a position next to the center of the card. FIG. 11 illustrates an example of how the terminals are placed. To be more specific, the IC card has terminals for: Vcc (power supply); GND (ground); RST (reset); I/O (input/output); and CLK (clock). Supplying these signals from outside, for example from a terminal unit, causes the chip to operate. As the terminal unit itself, basically a terminal unit of a general card system can be used.
As a method for attacking a microcomputer, typified by IC cards, the Differential Power Analysis (DPA) is known. The DPA is described in “Smart Card Handbook Second Edition” by W. Rankl, W. Effing (John Wiley & Sons, Ltd.) P. 422. The DPA is the analysis of the power consumption of a microcomputer at the time of encryption processing. The DPA is an attack that identifies the secret key used for the encryption processing. The power consumption can be measured by placing a resistance between Vcc and GND shown in FIG. 2 and observing the voltage across both ends. As for the method for measuring the power consumption, an example is also described in “Smart Card Handbook Second Edition” by W. Rankl, W. Effing (John Wiley & Sons, Ltd.) P. 422.
As a technique for protecting against the attack that is made by means of the power analysis, Japanese Patent Application Laid-Open No. 2001-5731 discloses the method in which data is encrypted between both information processing units before transmitting/receiving the data. The use of this method makes it possible to decrease or eliminate the correlation between the power consumption and transmitted data when the data is transmitted. As a result, the attack made by means of the power analysis becomes remarkably difficult.
In addition, as a method for changing data so that the electric current consumption cannot be predicted even if a value of the data is the same, Japanese Patent Application Laid-open No. 2003-152702 discloses the technique by which the relevance of a true value of data to its electric expression cannot be predicted as a result of encrypting data and then changing an encryption key in a short period of time.
In the meantime, there is known an attack that extracts a secret encryption key by changing processing data on purpose using a method for making a physical change, such as a FIB process. For example, an attack which extracts a secret encryption key by changing processing data during RSA cryptography processing is published as D. Boneh, R. A. DeMillo, R. J. Lipton, “On the Importance of Checking Cryptographic Protocols for Faults”, Proc. of EUROCRYPT '97, pp. 37-51, Springer-Verlag, 1997; and an attack on the DES cryptography is published as E. Biham, A. Shamir, “Differential Fault Analysis of Secret Key Cryptosystems”, Proc. of Crypto '97, pp. 513-525, Springer-Verlag, 1997. As a general countermeasure, there is known a method in which the same processing is performed twice or more, and only if the results agree with each other is the result of the processing determined to be correct.
According to the present invention, it is possible to provide a tamper resistant information processing unit with a high level of security such as card members.
A technical object of the present invention is to reduce the relevance between data processing in an IC card chip (for example, a card member) and the electric current consumption. If the relevance between the electric current consumption and processing of a chip is reduced, it becomes difficult to predict the processing in the IC card chip and an encryption key thereof from an observed waveform of the electric current consumption.
To be more specific, an object of the present invention is to provide a card member, or the like, with a high level of security.
Because a program and important information are concealed in a chip used for an IC card, the IC card is used to store the important information, and to perform encryption inside the card. Heretofore, the difficulty in decrypting the cryptography of an IC card was thought to be the same as that in decrypting the encryption algorithm thereof. However, what is suggested is a possibility that observing and analyzing the electric current consumption while the IC card performs the encryption will make it possible to predict contents of encryption and an encryption key more easily than decryption of the encryption algorithm. The electric current consumption can be observed by measuring an electric current supplied from a reader/writer. The reason will be described as follows.
The CMOS circuitry forming an IC card chip consumes an electric current when an output state changes from 1 to 0 or from 0 to 1. In particular, when a value on the bus changes from 1 to 0 or from 0 to 1, a large amount of electric current flows through the data bus 203 because of the current drawn by the bus drivers, the wiring, and the capacitance of the transistors connected to the wiring. Therefore, there is a possibility that by observing the electric current consumption, an attacker will be able to know what is operating in the IC card chip.
FIG. 3 is a graph illustrating a one-cycle waveform of the electric current consumption by an IC card chip. Depending on data being processed, there is a difference in electric current waveform as shown by reference numerals 301 and 302. Such a difference arises depending on data flowing through the bus 203 and data processed by the central processing unit 201.
The coprocessor 202 can perform, for example, 512-bit modular calculation in parallel with the CPU. Accordingly, it is possible to make a long-time observation of a waveform of the electric current consumption thereof, which differs from the electric current consumption of the CPU. Observing a characteristic waveform of the coprocessor makes it possible to easily measure the number of times the coprocessor operates. If the number of times the coprocessor operates has some kind of relationship with an encryption key, there is a possibility that the encryption key can be predicted from the number of times. In addition, if there is a bias which is dependent on an encryption key, in the result of arithmetic operation by the coprocessor, there is a possibility that the bias will be determined by the electric current consumption, and thereby the encryption key will be predicted.
A typical example of data-dependent power consumption is the electric power used in an address bus. Because the address bus must always operate, its operation is controlled by a static method. In the static method, the data is not cleared every time, so the electric power consumed is equivalent to the change between the last value and the current value. Accordingly, for example, if an address (program counter) advances by 2 at each step as 800C→800E→8010→8012→8014→8016→8018, the electric power consumed is substantially in proportion to the number of bits changed at each step:
The number of bits changed at the time of 800C→800E is equivalent to 1;
The number of bits changed at the time of 800E→8010 is equivalent to 4;
The number of bits changed at the time of 8010→8012 is equivalent to 1;
The number of bits changed at the time of 8012→8014 is equivalent to 2;
The number of bits changed at the time of 8014→8016 is equivalent to 1; and
The number of bits changed at the time of 8016→8018 is equivalent to 3.
Here, the values of the addresses are expressed in hexadecimal numbers (hereinafter, addresses are expressed in hexadecimal numbers unless otherwise specified). Because how the power is consumed depends on a binary value, expressing in binary numbers enables easier understanding of the power consumption. Because the higher 8 bits do not change, the change in the lower 8 bits of the above-mentioned addresses is shown as follows.
00001100→00001110→00010000→00010010→00010100→00010110→00011000
If an exclusive OR operation is performed between two consecutive values, the change in values is obtained as follows.
00000010→00011110→00000010→00000110→00000010→00001110
It can easily be seen that the Hamming weights of these values correspond to the numbers of changed bits described above.
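The Hamming-distance model described above, worked through in code as an added example (not part of the patent text): it reproduces the bit-change counts for the quoted address sequence and, as a generalization, shows how XORing a fresh random mask onto every bus value (the "encrypt the data and change the key frequently" idea cited in the related art) removes the correlation between the observable bus leakage and the true data transitions. The 16-bit bus width, the random data, and the masking routine are assumptions of this example.

```python
"""Hamming-distance leakage model for a statically driven bus (added example).

Models the claim that a bus driven in the static manner consumes power in
proportion to the number of bits that flip between consecutive values,
i.e. HW(prev XOR cur). Bus width and masking demo are assumptions."""
import random

# Program-counter sequence quoted in the text (hexadecimal).
ADDRESS_SEQUENCE = [0x800C, 0x800E, 0x8010, 0x8012, 0x8014, 0x8016, 0x8018]


def hamming_weight(x: int) -> int:
    """Number of set bits in x."""
    return bin(x).count("1")


def transition_weights(values, width=16):
    """HW(a XOR b) for each consecutive pair: the per-cycle leakage model."""
    mask = (1 << width) - 1
    return [hamming_weight((a ^ b) & mask) for a, b in zip(values, values[1:])]


def low_byte_bits(values):
    """Lower 8 bits of each value as binary strings, as the text tabulates them."""
    return ["{:08b}".format(v & 0xFF) for v in values]


def xor_rows(values):
    """XOR of consecutive lower bytes; its Hamming weight is the bit-change count."""
    return ["{:08b}".format((a ^ b) & 0xFF) for a, b in zip(values, values[1:])]


def correlation(xs, ys):
    """Pearson correlation in pure Python (no third-party module needed)."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / (vx * vy) ** 0.5 if vx and vy else 0.0


def masking_demo(n=4000, seed=1, width=16):
    """Assumed countermeasure: XOR a fresh random mask onto each value before it
    is driven on the bus. Returns (correlation of true leakage with the plain
    bus leakage, correlation of true leakage with the masked bus leakage)."""
    rng = random.Random(seed)
    data = [rng.getrandbits(width) for _ in range(n)]     # constructed sample data
    masked = [v ^ rng.getrandbits(width) for v in data]    # independent mask per cycle
    truth = transition_weights(data, width)
    return (correlation(truth, transition_weights(data, width)),
            correlation(truth, transition_weights(masked, width)))


if __name__ == "__main__":
    print(transition_weights(ADDRESS_SEQUENCE))   # [1, 4, 1, 2, 1, 3]
    print(" -> ".join(low_byte_bits(ADDRESS_SEQUENCE)))
    print(" -> ".join(xor_rows(ADDRESS_SEQUENCE)))
    print(masking_demo())                         # (1.0, ~0.0)
```

Because consecutive masks are independent, the masked transition HW(a XOR b XOR m1 XOR m2) is statistically independent of a XOR b, which is why the second correlation collapses toward zero.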
If this characteristic is made use of, it is possible to illegally extract internal information by checking the change in power consumption without opening the IC chip. In particular, the Differential Power Analysis (DPA), which is an attack performing statistical processing for a large amount of data to extract an encryption key, is effective even if an attacker does not have the knowledge about a method for implementing a cryptography program at all.
As an effective method for solving this problem, a method is considered in which data is located so that the Hamming distances become equal. However, in general, as far as small-size devices such as IC cards are concerned, the size of the RAM is severely limited. If the number of data items is large, or if the data itself is large, it is difficult to locate the data so that the Hamming distances become completely equal.
An object of the present invention is to make a power analysis attack difficult, and at the same time, to make direct data reading by hardware probing difficult, and further to detect or correct an error occurring at the time of data transmission through a data bus. More specifically, the object of the present invention is to provide an information processing unit with a high level of security. As a representative example of the information processing unit in question, a computer system (in particular, a microcomputer system) can be named. Moreover, the present invention provides a card member and a card system with a high level of security, typified by IC cards (smart cards).
A more technical object of the present invention is to reduce the relevance between data processing in a microcomputer chip and the power consumption thereof. Additionally, another object is to prevent data transmitted inside the chip from being directly read by probing and from being falsified. In particular, IC cards are used to store important information to be concealed, and also to perform encryption and authentication processing of data in the IC cards. The reason why the IC cards are used for the purposes requiring the high level of security is that a program and important information are concealed in an IC card chip, and that various kinds of measures for concealing information are taken so that it becomes difficult to illegally trace processing of secret data.
Heretofore, the difficulty of breaking the encryption processing in an IC card was thought to be the same as that of breaking the encryption algorithm itself. However, the attack method by which the contents of encryption processing and the encryption key are predicted by analyzing the power consumption while an IC card performs encryption is considered to be easier than directly breaking the encryption algorithm.
This method, which is called power analysis and was proposed by P. Kocher and others, is an attack that makes use of the relevance between the bit state of data processed by an IC card and its power consumption. Accordingly, if the relevance between the power consumption and the processing of the chip is reduced, it becomes difficult to predict the processing in the IC card chip and the encryption key from the observed power consumption. The main point aimed at by the present invention is to reduce the relevance between the power consumption of a microcomputer and the data being processed. The main means for achieving this object is to change the charge and discharge of signal lines (for example, bus lines, bit lines in a RAM, and word lines), which are one of the causes of the difference in power consumption, to a state different from that of the original data.