1. Field of the Invention
The present invention relates to a circuit for detecting a malfunction generation attack which serves to avoid a Fault Induction Attack (FIA) attack or the like, and an integrated circuit using the same.
2. Description of the Related Art
In an integrated circuit (IC) card, for the purpose of preventing a problem from being caused even when confidential information stored in the IC card is leaked in the process of exchange of data between a host computer and the IC card, encryption data is used as data for the exchange.
With regard to a method for encryption, a Data Encryption Standard (DES) is concurrently most commonly used. In the DES, for the encryption of data, a possessor of the IC card, and the host computer possess the same key, the data encrypted with the key is transmitted from a transmission side of the data to a receiver for the data, and the receiver for the data decrypts the encrypted data with the same key to fetch a message from the decrypted data.
Even when a malicious third party wiretaps the data in the process of the communication, he/she hardly fetches the message from the encrypted data by decrypting the encrypted data unless he/she possesses the key.
In addition, the key which is used in the phase of the encryption or decryption is stored in a non-volatile memory, such as an EEPROM, provided within the IC card. Also, in the phase of the encryption or decryption, the key is directly transferred to an encryption engine provided within the IC card without through a CPU.
The configuration with which even the possessor of the IC card, and a development engineer for the IC card can not fetch the key data in accordance with such control is adopted, thereby holding the security for the IC card.
However, P. Kocher et al. reported an attack method (Differential Power Analysis: DPA) of measuring a consumption current of an IC card, and subjecting the data on the consumption current to statistical processing, thereby fetching a key.
This attack method is a very strong attack method that an encryption key can be acquired in accordance with the statistical processing for a waveform of the consumption current. In order to take measures to cope with this attack method, various kinds of defense methods have been proposed.
Also, a Differential Fault Analysis (DFA) is known as an attack method with which the measures are required to be taken to cope, along with the DPA attack method.
With this attack method, a radiation of a laser beam or the like is carried out for a chip obtained by removing a mold while an encryption arithmetic operation is carried out, thereby causing an output change in a logic circuit, bit inversion in a register, and the like.
Also, with this attack method, a mal-arithmetic operation result about an output statement is compared with a proper arithmetic operation result to carry out an analysis about the comparison result, thereby acquiring the key data.
An attack method of carrying out this attack on the CPU to acquire the confidential information is called a Fault Induction Attack (FIA), and also becomes a threat.
With the FIA, while the CPU executes an instruction, a laser beam is radiated to a program counter, a register and a logic circuit which are provided within a CPU block, thereby changing values in the program counter, the register and the logic circuit within the CPU block. As a result, an execution of a false instruction, creation of a false processing result, and the like are caused, and secrete data is fetched by using the execution of the false instruction, the creation of the false processing result, and the like.
Here, a description will be given with respect to a mechanism in which the output from the logic circuit, and the value stored in the register are changed by the radiation of the laser beam.
[Generation of Free Electron Due to Radiation of Laser Beam and Internal Photoelectric Effect]
At the present time, a material which is most commonly used as a semiconductor is silicon (Si). A silicon atom has four bonding hands, and forms a covalent bond with adjacent four silicon atoms.
In an n-type semiconductor, for example, as shown in FIG. 1A, a small amount of impurity belonging to a group V in a periodic table and having five bonding hands, for example, phosphorus (P) is added to an intrinsic semiconductor. At this time, one electron not contributing to the covalent band remains in an atom of phosphorous, and goes around the phosphorus atom. At this time, when a light having a certain energy or more is radiated to the electron, this electron gets the energy of the light thus radiated to become “a free electron” which can break free from the chains of the phosphorous atom to freely move. This phenomenon is referred to as “an internal photoelectric effect.”
The internal photoelectric effect will now be described in relation to an energy band diagram shown in FIG. 1B.
Energy levels of the electrons chained down by the atomic nuclei of phosphorous are collectively called a valence band. On the other hand, energy levels of the electrons which get some sorts of energies to break free from the chains of the atomic nuclei of phosphorous, thereby being able to freely move, are collectively called a conduction band. Also, a band between the valence band and the conduction band is called a forbidden band, and also an energy difference between the valence band and the conduction band is called a band gap (Eg). In order that the electron in the valence band may transit from the valence band to the conduction band by radiating the light to the electron in the valence band, it is necessary to radiate the light having the energy equal to or higher than the band gap (about 1.1 eV) of silicon to the electron in the valence band.
A wavelength, λ(m), of the light meeting the condition described above is expressed by Expression (1):Eg<hν=hc/λ  (1)
where ν is a frequency (Hz) of the light, c is a speed (m/s) of the light, and h is a Plank constant (J·s).
Expression (1) is transformed into Expression (2) when numerical values are substituted into Expression (1):
                                                                        λ                <                                  hc                  /                  Eg                                            =                            ⁢                              6.63                ×                                  10                                      -                    34                                                  ×                3.0                ×                                                      10                    8                                    /                                      (                                          1.1                      ×                      1.6                      ×                                              10                                                  -                          19                                                                                      )                                                                                                                                          ≈                                ⁢                                  1130                  ×                                      10                                          -                      9                                                        ⁢                                                                          ⁢                                      (                    m                    )                                                              =                              1130                ⁢                                                                  ⁢                                  (                  nm                  )                                                                                        (        2        )            
Since the wavelength of the visible light is in the range of 780 nm (red) to 380 nm (violet), all the visible lights meet Expression (2).
A laser beam is a beam having a uniform phase, and thus has a high energy. On the other hand, in a semiconductor chip, for example, five-level metallic wiring layers are disposed, and transistors are disposed below the five-level metallic wiring layers.
As shown in FIG. 2, the laser beam impinges on a metallic wiring layer (MT) to be reflected.
The laser beam which has passed through a gap defined between the adjacent metallic wiring layers travels in a straight line, is diffracted, and is reflected between the metals of the lower layers. Finally, a part of the reflected laser beam reaches a transistor Tr through a complicated path, so that the malfunction is caused in the semiconductor chip by the free electrons generated in accordance with the internal photoelectric effect.
A designer is conscious of the DFA/FIA attack, and thus disposed a dummy metal pattern for light blocking in an area in which each of layers has no signal wiring, thereby defending that the part of the reflected laser beam reaches the transistor layer as much as possible. However, the designer may not perfectly defend that the part of the reflected laser beam reaches the transistor layer.
In addition, although in the case of the radiation of the laser beam from a back surface of the semiconductor chip, a given rate of laser beam is reflected by the back surface of the semiconductor chip, a part of the laser beam reaches the transistor layer to cause the malfunction in the semiconductor chip. The device for the wiring layer can not cope with the attack from the back side.
[Principles of Output Change in Logic Circuit by Radiation of Laser Beam]
The following phenomenon is caused when, for example, as shown in FIG. 3A, the light meeting Expression (2) is made incident to an inverter INV in which an input level is a Low level, and an output level is a High level.
The free electrons generated in an NMOS transistor NT of the inverter INV in accordance with the internal photoelectric effect appear at an output terminal of the inverter INV, and serves to reduce an output voltage developed at the output terminal.
On the other hand, since the input level of the inverter INV is the Low level, a PMOS transistor is held in an ON state. Thus, when the voltage developed at the output terminal drops, the PMOS transistor supplies a current through a power source terminal. As a result, an output from the inverter INV is held at a voltage depending on these two operations. This output voltage returns back to the High level in accordance with an ON current of the PMOS transistor PT because the supply of the free electrons due to the internal photoelectric effect is stopped when the radiation of the laser beam is completed.
The malfunction is caused when for a period of time for which the laser beam is radiated, in a circuit to which the output signal is inputted from the inverter INV, this input signal is recognized as the signal at the Low level by mistake, and the data is taken in a register circuit disposed in the subsequent signal path during the radiation of the laser beam.
That is to say, the error data is taken in the register circuit and thus the register circuit outputs the faulty arithmetic operation result, and carries out the faulty control.
[Principles of Register Bit Inversion by Radiation of Laser Beam]
A register circuit, for example, has a configuration as shown in FIG. 4A. This register circuit is composed of inverters INV1 to INV7, and transfer gates TM1 to TM4.
It is noted that a description of data inversion will now be given in relation to the simplest configuration of a register circuit shown in FIG. 4B.
This register circuit adopts a configuration which is composed of two inverters INV1 and INV2, and in which an output terminal of the inverter INV1 is connected to an input terminal of the inverter INV2, and an output terminal of the inverter INV2 is connected to an input terminal of the inverter INV1.
When an output from the inverter INV1 becomes a High level, an NMOS transistor NT2 of the inverter INV2 is turned ON, an output from the inverter INV2 becomes a Low level, and the output from the inverter INV2 at the Low level is inputted to a gate of the inverter INV1.
Also, in the inverter INV1, a PMOS transistor PT1 is turned ON, and thus the inverter INV1 outputs an output at the High level. As a result, the output from the inverter INV1 is stably held at the High level, and the output from the inverter INV2 is stably held at the Low level.
In the case where a laser beam is radiated to this register circuit, normally, the two inverters INV1 and INV2 are disposed adjacent to each other, and thus a reaching range of the radiation of the laser beam for which a beam diameter, scattering and diffraction of the laser beam are taken into consideration is sufficiently larger than the disposition distance between the two inverters INV1 and INV2.
For this reason, the laser beam is radiated to either the inverters INV1 and INV2, or none of the inverters INV1 and INV2. Also, when the laser beam is radiated to both the inverters INV1 and INV2, the free electrons are generated in both the NMOS transistors NT1 and NT2 in accordance with the internal photoelectric effect, and are then supplied to the output terminal.
The same operation as that described in the output change in the logic circuit described above is caused in the output from the inverter INV1, in which the input is held at the Low level, and the output is held at the High level, of the two inverters INV1 and INV2. As a result, that output from the inverter INV1 becomes an intermediate potential which is supplied in turn to the input terminal of the other inverter INV2.
In the inverter INV2, the input thereof becomes the intermediate potential, whereby both the transistors PT2 and NT2 are turned ON. Moreover, the free electrons are supplied from the NMOS transistor NT2 in accordance with the internal photoelectric effect, and thus the voltage at the output terminal gets settled into a voltage at which both the operations are balanced.
Also, the intermediate potential at that output terminal is supplied to the input terminal of the inverter INV1 to turn ON the NMOS transistor NT1 as well. Thus, the voltage at the output terminal gets settled into a voltage at which a through current, and the supply of the free electrons generated in the NMOS transistor NT1 in accordance with the internal photoelectric effect are balanced.
As a result, each of the input and output voltages of both the inverters INV1 and INV2 becomes the intermediate potential irrespective of the stored data before the radiation of the laser beam.
The stop of the radiation of the laser beam results in that the generation of the free electrons in the NMOS transistor caused by the internal photoelectric effect is also stopped. Also, each of the input and output voltages of both the inverters INV1 and INV2 becomes the intermediate potential. However, the positive feedback acts on the delicate potential difference between the input and output voltages of both the inverters INV1 and INV2, so that one of them gets settled into the High level, and the other gets settled into the Low level. Also, in the case of the values different from those before the radiation of the laser beam, it is recognized that the DFA attack has been carried out, and the processing to cope with this situation is executed. On the other hand, in the case of the values identical to those before the radiation of the laser beam, it is recognized that no DFA attack has been carried out, and the normal processing is executed.
On the other hand, even in the outside of the area corresponding to the beam diameter of the laser beam, the laser beam reaches up to a measure of area by the scattering and the diffraction.
However, in an area located at a distance several times as long as the beam diameter away from the laser beam, the intensity of the laser beam becomes weak. Thus, even when the laser beam reaches the NMOS transistor of the inverter composing the register circuit to generate the free electrons in the NMOS transistor in accordance with the internal photodiode effect, the ON current of the PMOS transistor becomes larger than the ON current of the NMOS transistor. As a result, the voltage at the output terminal of the inverter circuit converges into a voltage near the Low level. Even when the laser beam reaches this area, no inversion of the data stored in the register is caused because the intensity of the laser beam is weak.
In the intermediate area, the state changes as a function of a distance from the center of the laser beam.
Next, a description will now be given with respect to an attack method of fetching secure information such as a key of an encryption circuit by utilizing this malfunction.
The attack, for example, is carried out in accordance with a procedure shown in FIG. 5.
In Step ST1, a semiconductor chip is put in a nitric acid to dissolve a mold, thereby taking out the semiconductor chip from the nitric acid.
In Step ST2, the semiconductor chip, for example, is bonded to a ceramic package.
In Step ST3, the semiconductor chip is set in a laser beam radiating device in such a way that a portion radiated by a laser beam becomes a start point of an attack.
In Step ST4, the laser beam is scanned for the semiconductor chip through the radiation to successively fetch outputs while signals are supplied from a CPU to the chip.
Also, a portion in which error data is generated is picked up.
In Step ST5, the portion in which the malfunction is caused in Step ST4 is attacked in detail while a timing is also taken into consideration, thereby fetching the output.
Also, any suitable one, of the attack results, which can be analyzed is selected and analyzed.
For example, when bit inversion or the like is generated in data arithmetically operated by the radiation of the laser beam during the arithmetic operation for Data Encryption Standard (DES) cipher as one of common key ciphers, an incorrect arithmetic operation result is outputted. The resulting incorrect arithmetic operation result is compared with a result obtained through a normal arithmetic operation carried out for a plain text, and the key is taken out based on a difference between those results (refer to FIG. 6).
When 1 bit in an R register is inverted, the resulting error data is inputted to an F function, so that the bit number of error data increases. Also, the bit number of error data increases every round.
On the other hand, the less number of error bits is preferable in terms of the analysis using the DFA attack, and a small number of bits is desirably inverted for the final attack.
Ideally, when as shown in FIG. 6, only the data in the R register is inverted in a final round, the key of Sub Sbox corresponding to the error bit can be reliably specified. Although actually, the possibility that the attack result shows such a situation is very low, it is the threat of the DFA attack that when such a situation occurs even one time in a multiple number of attacks, the corresponding key is obtained from such a situation.
In addition, it is assumed that as shown in FIG. 7A, an IC circuit 10 is composed of a CPU 11, a Mask ROM 12, an EEPROM 13, a RAM 14, an encryption circuit 15, and an input/output circuit 16. In addition, it is assumed that a sub-routine for encryption execution instructions as shown in FIG. 7B is stored from an A000H address in the Mask ROM 12.
This operation is such that the CPU 11 sets an encryption key “Key” stored in the EEPROM 13, and a plain text “Message” stored in the RAM 14 in a register provided in the encryption circuit 15 through internal registers Reg A and Reg B, respectively, thereby carrying out an encryption arithmetic operation. Also, after completion of the encryption arithmetic operation, an encrypted text is fetched and is then outputted to the outside through the register Reg A.
It is assumed in this program that when a program counter P.C. becomes an A002 address, the bit inversion is caused in a bit b2 of the program counter P.C. by the radiation of the laser beam, so that the program counter P.C. is changed from the A002 address to an A006 address.
An instruction in the A006 address is to output the data stored in the register Reg A to the outside, and thus the output of the encrypted text is essentially supposed therein. However, when the instruction in the A006 address is executed after execution of the instruction in the A001 address, the encryption key as the data stored in the register Reg A is outputted to the outside in accordance with the execution of the instruction in the A006 address.
This is a program example for explaining the FIA attack. If the FIA attack succeeds at the timing described above in accordance with such a program, an attacker gets the encryption key. Since actually, the program is described while the attack is taken into consideration, such a program is not thought. However, although if this program is described, the probability that this attack is carried out is very low, it is the threat of the FIA attack that when this attack succeeds even once in a multiple number of attacks, the key is taken out.
The techniques described in Japanese Patent Laid-Open Nos. Hei 10-154976 and 2002-261751 (referred to as Patent Document 1 and 2 hereinafter), and JP-T-2005-503069 and JP-T-2005-522912 (referred to as Patent Document 3 and 4 hereinafter), respectively, are proposed as measures to cope with the DFA attack on the encryption of the attacks each using the principles described above.
With the technique described in Patent Document 1, two encryption circuits are disposed, and presence or absence of the attack is detected by comparing both the arithmetic operation results with each other after completion of the arithmetic operations in the two encryption circuits. Also, the same arithmetic operation is carried out twice to compare the two arithmetic operation results with each other, thereby detecting presence or absence of the attack.
With the technique described in Patent Document 2, a decryption arithmetic operation is carried out after completion of the encryption arithmetic operation, the arithmetic operation result is compared with a plain text, thereby detecting presence or absence of the attack.
With the technique described in Patent Document 3, an intermediate value of the encryption arithmetic operation is held, and decryption is carried out halfway after completion of the encryption arithmetic operation to be compared with the intermediate value, thereby detecting presence or absence of the attack.
With the technique described in Patent Document 4, an intermediate value of the encryption arithmetic operation is held, the encryption arithmetic operation is carried out again from the intermediate value after completion of the encryption arithmetic operation, and the results of the two encryption arithmetic operations are compared with each other, thereby detecting presence or absence of the attack.