1. Field of the Invention
The present invention relates to an integrated circuit in which an encryption circuit is incorporated, and an electronic apparatus.
2. Description of the Related Art
When data is sent and received between integrated circuit (IC) cards and host computers, encrypted data is used as the data to be sent/received, in order to prevent problems from occurring even in a case in which confidential information stored in the IC cards leaks in the course of sending/receiving the data.
A method that is most frequently used at present as a method for encrypting such data is the data encryption standard (DES).
In the DES, for encryption of data, the owner of such an IC card and a host computer have the same key. Additionally, in the DES, a sending side for data encrypts the data using the key, and sends the encrypted data. A receiving side for the data decrypts the data using the same key, and extracts a message.
Even when a malicious third party secretly obtains the data in the course of communication, as long as the third party does not have the key, it is very difficult for the third party to decrypt the data and extract the message.
Furthermore, data concerning the key used to perform encryption/decryption is stored in a non-volatile memory, such as an electrically erasable programmable read-only memory (EEPROM), that is provided in the IC card.
At a time of encryption/decryption, the data concerning the key is transferred directly to an encryption engine that is provided in the IC card, without using a central processing unit (CPU). With this control, even the owner of the IC card or the engineers who developed the IC card are not able to extract the data concerning the key, thereby maintaining security.
Two types of IC cards, i.e., a contact IC card and a non-contact IC card, exist.
The contact IC card has a plurality of metallic terminals on the surface thereof. At a time of using the IC card, the IC card is inserted into a reader/writer apparatus, and the metallic terminals come into contact with the reader/writer apparatus. The reader/writer apparatus supplies power and signals to the IC card, thereby causing an IC which is provided in the IC card to operate so that a necessary process is performed.
For the non-contact IC card, for example, a configuration illustrated in FIG. 1 is employed.
An antenna 11 that is disposed in a non-contact IC card 1 receives magnetic lines of force LM from a reader/writer apparatus 2, and converts the magnetic lines of force LM into a signal indicating electromotive force. In this example, the signal is input to a radio frequency (RF) chip 12, and the RF chip 12 extracts a necessary signal.
In the IC card 1, a constant voltage is generated from the electromotive force that is generated in the antenna 11. The constant voltage is supplied to a secure application module (SAM) chip 13 that performs a process associated with security, and the SAM chip 13 performs a necessary process.
A result of the process performed by the SAM chip 13 is sent back to the RF chip 12. In the RF chip 12, the result is superimposed on a signal waveform, and is sent back to the reader/writer 2.
In this case, encrypted data is used as a sent/received signal. This ensures security of a system.
However, an attack method (differential power analysis (DPA) attack), in which a consumed current flowing through an IC card is measured and in which a key is extracted by performing a statistical process on the consumed current, has been reported by P. Kocher et al.
In the DPA attack, encryption arithmetic is performed using about 1,000 different clear texts. A consumed current at the time of encryption arithmetic is measured to obtain a waveform thereof. A key is extracted by performing a statistical process on the consumed current.
Similarly, the DPA attack can also be performed on a non-contact IC card. Only the SAM chip that performs a process associated with security is demounted. By supplying power and necessary signals, the SAM chip is caused to operate. Accordingly, the DPA attack can be performed.
Furthermore, when a current that flows through a wiring pattern for output in each circuit in an IC chip changes, a minute magnetic field formed in the vicinity of the wiring pattern changes in accordance with the change in the current.
As illustrated in FIG. 2, when a small coil CL is brought near to an IC chip in a state in which the IC chip is mounted in a plastic package that is sealed, a signal indicating magnetic lines of force in a small region in which the coil CL can receive magnetic lines of force can be obtained.
Then, the position of an encryption circuit is estimated using the relationships between signals that are input/output to/from the IC chip and the obtained signal indicating magnetic lines of force. A waveform of a more specific signal indicating the magnetic lines of force is obtained at the position, and a statistical process which is similar to that performed in the DPA attack is performed. If estimation of the position of the encryption circuit is correctly performed, security information, such as information concerning a key, can be obtained.
The above attack is called a differential electromagnetic analysis (DEMA) attack. A feature of the DEMA attack is that it can target one portion of a circuit.
FIG. 3 is a diagram illustrating a feature of the DEMA attack.
For example, when a circuit 3 that causes a noise current controlled using a random number to flow is disposed for prevention of the DPA attack, an element indicating the noise current is assuredly superimposed on a waveform of a consumed current.
However, in a case of measurement of magnetic lines of force, the strength of the magnetic-field element caused by the noise current decreases with distance from the noise-current source, as illustrated in FIG. 3. A signal indicating magnetic lines of force that are not influenced by the noise current can be obtained in a region that is at a predetermined distance or more from the noise-current source.
When a circuit that is a target of the DEMA attack, such as an encryption circuit, exists in the region, a signal indicating magnetic lines of force that are not influenced by the noise current can be obtained.
Methods that are proposed as main defensive methods for the DPA attack and the DEMA attack are as follows. A first method is a method in which an encryption circuit has a complementary configuration, thereby employing a configuration in which a result assuredly changes regardless of clear text data. A second method is a method in which signals are disturbed using random numbers.
When the first method described above is used, a circuit size and an operating current are increased. When the second method is used, because there is a probability that a key will be extracted using a higher-order DPA attack, prevention for the higher-order DPA attack is also necessary.
In each of the first and second methods described above, power with which an IC operates is supplied from a power-supply terminal of the IC. Accordingly, an element indicating a current that is consumed in a circuit operation appears at the power-supply terminal of the IC.
For example, a method disclosed in Japanese Unexamined Patent Application Publication No. 2000-196584 is common as a method in which a current flowing through a particular circuit such as an encryption circuit does not appear at a power-supply terminal of an IC.
FIG. 4 is a diagram illustrating an example of a configuration of an IC in which the method disclosed in Japanese Unexamined Patent Application Publication No. 2000-196584 is employed.
An IC 4 includes a CPU 41, a random-access memory (RAM)/read-only memory (ROM) 42, an EEPROM 43, an encryption circuit 44, a capacitor C, and a switch 45.
In the configuration, a power-supply line 46 for the encryption circuit 44 that is provided in the IC 4 is connected via the switch 45 to another power-supply line 47 to which an external power supply is connected.
The capacitor C is disposed between the power-supply line 46 associated with encryption and a ground (GND) line 48. At times of operations other than encryption arithmetic, the switch 45 is turned on, and the capacitor C is charged. Then, at a time of encryption arithmetic, the switch 45 is turned off, and the encryption arithmetic is performed in the encryption circuit 44 using charge in the charged capacitor C.
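The effect of the FIG. 4 arrangement on the statistical process described for the DPA attack can be checked on a constructed model, given here as an added example that is not part of the original text. It takes an evaluator's view with a known key and uses a difference of means as the statistic (the text does not name one); the key byte, the current values, the toy intermediate and the ideal switch are all assumptions, and the recharge current drawn when the switch 45 is turned on again is not modelled.

```python
import random
import statistics

KEY = 0x3C        # constructed key byte, known to the evaluator
LEAK_MA = 0.1     # assumed data-dependent current per set bit (mA)
NOISE_MA = 0.1    # assumed std-dev of current drawn by the other circuits (mA)


def terminal_current(plaintext, switch_on, rng):
    """Model one current sample seen at the external power-supply terminal."""
    v = plaintext ^ KEY                    # toy intermediate standing in for a DES round value
    crypto = LEAK_MA * bin(v).count("1")   # encryption-circuit current follows Hamming weight
    other = rng.gauss(5.0, NOISE_MA)       # CPU 41, RAM/ROM 42, EEPROM 43
    # Switch 45 off: encryption circuit 44 runs from capacitor C, so its
    # current does not appear on power-supply line 47 (ideal switch assumed).
    return v, other + (crypto if switch_on else 0.0)


def difference_of_means(n_traces, switch_on, seed=2024):
    """Partition samples by bit 0 of the intermediate; return mean(bit=1) - mean(bit=0)."""
    rng = random.Random(seed)
    ones, zeros = [], []
    for _ in range(n_traces):
        v, current = terminal_current(rng.randrange(256), switch_on, rng)
        (ones if v & 1 else zeros).append(current)
    return statistics.mean(ones) - statistics.mean(zeros)


if __name__ == "__main__":
    # About 1,000 clear texts, as in the DPA description above.
    print("switch on during encryption :", round(difference_of_means(1000, True), 4))
    print("switch off during encryption:", round(difference_of_means(1000, False), 4))
```

With the switch left on, the difference settles near the assumed per-bit leak; with the switch off it stays within the noise floor, which is the property the capacitor arrangement is meant to provide at the power-supply terminal.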