The present invention relates to a tamper-resistant crypto-processing method for high security media such as IC cards.
An IC card is a device which keeps tamper-prohibited personal information or performs encryption of data or decryption of a ciphertext with the use of secret keys. An IC card itself does not have its own power supply, and when it is inserted into a reader/writer for an IC card, power is supplied to the IC card and it is made operable. After it is made operable, the IC card receives commands transmitted from the reader/writer, and following the commands the IC card processes, for example, transfer of data. A general explanation of an IC card is given in Junichi Mizusawa, “IC card”, Ohm Corporation, compiled by the Society of Electronic Communication and Information, etc.
An IC card is constituted such that a chip 102 for an IC card is mounted on a card 101 as shown in FIG. 1. In general, an IC card comprises a power supply terminal VCC, a grounding terminal GND, a reset terminal RST, an input/output terminal I/O, and a clock pulse terminal CLK at the positions determined by the ISO7816 standards, and through these terminals an IC card is supplied with power from a reader/writer or communicates with it (refer to W. Rankl and W. Effing: Smart Card Handbook, John Wiley & Sons, 1997, p. 41).
The configuration of a chip for an IC card is basically the same as that of a typical microcomputer. The configuration is, as shown in FIG. 2, composed of a central processing unit (CPU) 201, a memory device 204, an input/output (I/O) port 207, and a coprocessor 202 (in some cases, there is no coprocessor). The CPU 201 is a device which performs logical operations, arithmetical operations, etc. The memory device 204 is a device which stores programs 205, data, etc. The input/output port 207 is a device which communicates with the reader/writer. The coprocessor 202 is a device which performs crypto-processing itself or performs operations necessary for crypto-processing at high speed. There is, for example, a special calculator for performing the residue operation of RSA cryptogram or a cipher device which performs round processing of DES cryptogram. Some of the processors for IC cards comprise no coprocessor. A data bus 203 is a bus which connects the respective devices to each other.
The memory device 204 is composed of ROM (read only memory), RAM (random access memory), EEPROM (electrically erasable programmable read only memory), etc. ROM is a memory which is not changeable and it is mainly used for storing programs. RAM is a memory which can be freely rewritten, but when the power supply thereof is off, the stored contents of the RAM are erased. When an IC card is drawn out of a reader/writer, since the power supply is turned off, the contents of the RAM disappear. EEPROM is a memory which holds the contents even when the power supply is stopped. EEPROM is used to store data which need to be rewritten and which are to be held even when the card is disconnected from the reader/writer. For example, the number of prepaid times of a prepaid card is rewritten every time it is used, and the data should be held even when the card is taken out of the reader/writer. Therefore such data must be held in an EEPROM.
An IC card has programs and/or other important information enclosed in the chip, and is used to store important information or to perform crypto-processing therein. Conventionally, the difficulty of decrypting a ciphertext in an IC card has been considered to be equivalent to the difficulty of breaking the cipher algorithm. However, it has been suggested that, if the consumption current is observed and analyzed while an IC card is performing crypto-processing, the contents of the crypto-processing or the secret keys may be estimated more easily than by breaking the cipher algorithm. The consumption current can be observed by measuring the current supplied from a reader/writer. The details of this threatening attack are described in W. Rankl & W. Effing, “Smart Card Handbook”, John Wiley & Sons, 8.5.1.1 Passive Protective Mechanisms (page 263).
The CMOS which constitutes a chip of an IC card consumes current when its output state turns from 1 to 0 or from 0 to 1. In particular, in the data bus 203, a large current flows when the bus value is changed from 1 to 0 or from 0 to 1, because of the current for the bus driver and the static capacity of the wirings and of the transistors connected to the wirings. Therefore, by observing the consumption current, one may be able to estimate what is being operated inside the IC card chip.
FIG. 3 shows the waveform of a consumption current in a cycle of an IC card chip. Depending on the kind of data processing, the current waveform differs as 301 or 302 shown in the figure. Such a difference occurs depending on the kind of data flowing through the bus 203 or the data being processed in the CPU 201.
The coprocessor 202 is able to perform, for example, a modular arithmetic operation of 512 bits in parallel to the CPU. Therefore, it is possible to observe, over a long time, a consumption current of a waveform different from that of the CPU. By the observation of the characteristic waveform, the number of operations of the coprocessor can be easily estimated. If there is any relation between the number of operations of the coprocessor and the secret keys, there is a possibility that one can estimate the secret keys from the number of operations of the coprocessor.
If there is a deviation depending on the secret keys in the contents of operation of the coprocessor, the deviation is obtained from the consumption current, and the secret keys can be estimated from it.
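The relation between the coprocessor's operation count and the key can be checked on the defender's side with a small model. The following is an added illustration, not part of the original text or of the invention: it assumes a binary square-and-multiply exponentiation as the leaking routine and a fixed-length Montgomery ladder as a well-known constant-count alternative, with a constructed toy modulus and constructed exponents.

```python
# Added illustration; names, the toy modulus and the exponents are constructed.
# It models only the NUMBER of modular operations, not a current waveform.

def square_and_multiply(base, exponent, modulus):
    """Left-to-right binary exponentiation; returns (result, modular_ops)."""
    result, ops = 1, 0
    for bit in bin(exponent)[2:]:
        result = (result * result) % modulus      # one squaring per key bit
        ops += 1
        if bit == "1":
            result = (result * base) % modulus    # extra multiply only for 1 bits
            ops += 1
    return result, ops


def montgomery_ladder(base, exponent, modulus, bit_length):
    """Fixed-length ladder: one multiply and one squaring for every bit."""
    r0, r1, ops = 1, base % modulus, 0
    for i in reversed(range(bit_length)):
        if (exponent >> i) & 1:
            r0, r1 = (r0 * r1) % modulus, (r1 * r1) % modulus
        else:
            r1, r0 = (r0 * r1) % modulus, (r0 * r0) % modulus
        ops += 2                                  # same count whatever the bit is
    return r0, ops


def op_counts(exponents, base=3, modulus=2**61 - 1, bit_length=16):
    """Return {exponent: (square_and_multiply_ops, ladder_ops)}."""
    counts = {}
    for e in exponents:
        r1, n1 = square_and_multiply(base, e, modulus)
        r2, n2 = montgomery_ladder(base, e, modulus, bit_length)
        assert r1 == r2 == pow(base, e, modulus)  # both compute the same value
        counts[e] = (n1, n2)
    return counts


# Two constructed 16-bit exponents with very different numbers of 1 bits.
SAMPLE_EXPONENTS = [0x8001, 0xFFFF]

if __name__ == "__main__":
    for e, (sm, ladder) in op_counts(SAMPLE_EXPONENTS).items():
        print(f"{e:#06x}: square-and-multiply={sm} ops, ladder={ladder} ops")
```

In this model the square-and-multiply count equals the bit length plus the number of 1 bits in the exponent, so the count alone reveals key-dependent information, while the ladder's count depends only on the bit length.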
Also in the case of the CPU, similar circumstances exist. Since the number of bits of a secret key is known, if the consumption current is observed while changing the data to be processed, the influence of the bit values of the secret key might be observed. If these waveforms of the consumption current are processed statistically, the secret key might be estimated.