The present invention relates to a pseudorandom number generator and a data communication apparatus on which the pseudorandom number generator is mounted.
As described in, for example, “Design Wave Magazine”, February issue, 2006 (CQ Publishing Co., Ltd.), “Special issue 2: Protecting LSI from “bugging”, Chapter 2, Understanding the mechanism of side channel attacks” (pp. 105 to 114), a microcomputer for an IC card is mounted on cards for finance, transportation, health insurance, and the like, and stores electronic money and personal information, so it is necessary to prevent leakage of information and attacks by falsification through a combination of hardware and software. One of the attacks on a microcomputer for an IC card is leak analysis. Leak analysis is an analysis method in which, since the current consumption of a microcomputer that takes no countermeasure depends on changes in the data, the changes in the data are estimated by observing the leak of current consumption or the like.
Leak analysis estimates a key as follows: for each candidate key in turn, the attacker calculates from the input data whether a current is generated (whether the data changes) at a specific location; in parallel, the attacker measures the current while changing the input, compares the measured currents with the calculated behaviour, and repeats the operation. A representative countermeasure against leak analysis is a method called “masking”. Masking executes the encryption using the exclusive-OR of the data and a random number, which eliminates the correlation between the consumption current and changes in the data. Masking is an effective countermeasure in both hardware and software. To generate the random number used as mask data, a pseudorandom number generator is used. The pseudorandom number generator is configured as an LFSR (Linear Feedback Shift Register), that is, a shift register whose data is fed back through an exclusive-OR gate. However, whenever the LFSR has been clocked the same number of times, the mask data also has the same value. Consequently, leak analysis resistance deteriorates.
Japanese Unexamined Patent Publication No. 2003-122560 discloses a technique of generating a random number having high irregularity by using, in an LFSR, data transmitted via a data input/output terminal (SIO terminal). An exclusive-OR operation is performed between the serial data transmitted via the SIO terminal and the output of a first shift register 203, and the result of the operation is input to a second shift register 204.
Usually, a set signal that sets a logic value “1” is supplied to each flip-flop circuit in the LFSR for the period from power-on until the external reset is released. However, even when neither the set signal nor a reset signal that resets the logic value to “0” is supplied, the same value tends to be set at power-on because of the characteristics of the process, and different values are not assured each time. When the set signal or the like is not supplied, there is also the possibility that the initial value is all “0”s; in that case, the value of the LFSR is not updated even when a clock signal is supplied. Moreover, when initialization is not performed, it may be difficult to carry out an operation check test.
In leak analysis against operations such as DES (Data Encryption Standard) and AES (Advanced Encryption Standard), an attacker has to know the plain text or cipher text and has to feed a plurality of texts (up to millions of texts) into the encryption operation (any text is sufficient as long as the values differ). For an attacker who wishes to perform leak analysis, it is easier to observe the leak while a cipher text on a transmission path that is visible at an external terminal is being decrypted than to alter the microcomputer so as to generate plain texts. Therefore, in a microcomputer for an IC card and the like, further improvement in leak analysis resistance is demanded.
An object of the present invention is to provide a technique for improving leak analysis resistance by improving randomness of pseudorandom numbers.
The above and other objects of the present invention and novel features will become apparent from the description of the specification and the appended drawings.
An outline of representative ones of the inventions disclosed in the application will be briefly described as follows.
A pseudorandom number generator as a representative embodiment of the invention includes a shift register formed by coupling a plurality of flip-flop circuits, and generates a pseudorandom number by shifting signals through the shift register synchronously with a clock signal. A shift amount changing circuit is provided which can change the shift amount in the shift register in accordance with a control signal supplied from outside the pseudorandom number generator. Because the shift amount changing circuit changes the shift amount in the shift register according to the externally supplied control signal, it becomes difficult for outputs of the pseudorandom number generator to be the same. By using such a pseudorandom number generator, leak analysis resistance can be improved.
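As an added illustration (not the patent's circuit), the following simulation shows the three points made above: a conventional LFSR clocked the same number of times always yields the same mask, an all-zero initial state never advances, and an externally controlled shift amount makes the mask depend on more than the clock count. It assumes a 16-bit maximal-length Fibonacci LFSR and models the shift amount changing circuit as one control bit per clock that selects whether the register advances by one or two stages.

```python
# Added simulation (not the patent's circuit) of a masking LFSR with and without
# a shift amount changing circuit. Assumptions: a 16-bit Fibonacci LFSR with
# feedback taps at bits 16, 14, 13 and 11 (maximal length, period 2^16 - 1), and
# a control signal modelled as one bit per clock that selects whether the
# register advances by one stage or by two stages on that clock.

WIDTH = 16


def lfsr_step(state: int) -> int:
    """Advance the register by exactly one stage (one shift, feedback via XOR)."""
    fb = (state ^ (state >> 2) ^ (state >> 3) ^ (state >> 5)) & 1
    return (state >> 1) | (fb << (WIDTH - 1))


def run_fixed(seed: int, clocks: int) -> int:
    """Conventional LFSR: one stage per clock, so the mask depends only on the
    seed and on how many clocks have elapsed."""
    state = seed
    for _ in range(clocks):
        state = lfsr_step(state)
    return state


def run_variable(seed: int, control: list) -> int:
    """LFSR with a shift amount changing circuit: on clock i the register advances
    by 1 + control[i] stages, so the mask also depends on the external control."""
    state = seed
    for c in control:
        for _ in range(1 + (c & 1)):
            state = lfsr_step(state)
    return state


def is_stuck(seed: int) -> bool:
    """True when clocking never changes the register. Only the all-zero state is
    a fixed point, which is why a set signal at power-on matters."""
    return lfsr_step(seed) == seed


def masks_for_controls(seed: int, controls: list) -> list:
    """Masks produced for several control patterns with the same clock count."""
    return [run_variable(seed, c) for c in controls]


if __name__ == "__main__":
    seed, clocks = 0xACE1, 32  # constructed sample seed and clock count
    print("equal clocks give equal masks:", run_fixed(seed, clocks) == run_fixed(seed, clocks))
    ctrls = [[1] * k + [0] * (clocks - k) for k in range(9)]
    print("distinct masks for 9 control patterns:", len(set(masks_for_controls(seed, ctrls))))
    print("all-zero register stuck:", is_stuck(0))
```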
An effect obtained by the representative invention of inventions disclosed in the application will be briefly described as follows.
By improving randomness of a pseudorandom number, further improvement in the leak analysis resistance can be realized.