In an LSI having an operation processing apparatus such as a microcomputer, DPA (Differential Power Analysis) measures the power consumed while a cryptographic operation is processed and extracts key information from the LSI based on the consumed power (see, for example, Paul Kocher, Joshua Jaffe, and Benjamin Jun, “Differential Power Analysis,” in Advances in Cryptology: CRYPTO '99, Springer-Verlag Lecture Notes in Computer Science, Vol. 1666, pp. 388–398).
We explain the principle of differential power analysis (DPA).
First: Plaintext data is input to the LSI and is enciphered using a secret key. During the cipher operation, the consumed power is measured. This measurement is performed several times using different plaintext data.
Second: Guess a secret key and calculate the guessed intermediate values determined by the guessed key, the plaintext data and the cipher data. Calculate the correlation between the guessed values and the power consumption data. If the guessed key is correct, a strong correlation appears between the guessed values and the power consumed while the data was enciphered with the secret key. On the other hand, if the guessed key is wrong, the correlation between the guessed values and the consumed power is weak.
Using this principle, DPA estimates key information in a cryptographic operation circuit by measuring the consumed power. Because DPA is a non-destructive attack, it is difficult to judge from the appearance of the apparatus whether it has been damaged by DPA. Consequently, the attack may go unnoticed or be discovered late, and the damage spreads. For these reasons, protection from DPA is necessary in the cryptographic operation circuit.
We briefly explain the relation between power consumption and operation data.
An LSI is usually manufactured in a CMOS (Complementary Metal-Oxide Semiconductor) design, in which one bit of data is represented by one signal line and a clock signal is used. Because of the characteristics of CMOS, the change in power consumption depends on the current data and the previous data.
Hereinafter, we explain the operation of a NOT element (inverter) of CMOS design. FIG. 1 is a block diagram of a CMOS design of the prior art. As shown in FIG. 1, a NOT element using a CMOS design includes a power supply line Vcc, a ground line GND, nMOS and pMOS transistors serially connected between Vcc and GND, an input signal line connected to the gates of the nMOS and pMOS transistors, an output signal line connected to the connection line between the nMOS and pMOS transistors, and a capacitance C connected between the output signal line and GND.
If the input of the NOT element is high (or “1”), the nMOS transistor conducts. The positive electric charge of the capacitance C flows to GND through the nMOS transistor. Accordingly, the electric potential of the output becomes low (or “0”). Here, “high” is the electric potential logically recognized as “1” and “low” is the electric potential logically recognized as “0” in the operation processing apparatus.
Conversely, if the input of the NOT element is low, the pMOS transistor conducts and the nMOS transistor becomes non-conductive. Accordingly, positive electric charge is accumulated in the capacitance C from Vcc, and the electric potential of the output becomes high.
When no input transition occurs (for example, the input stays high), the nMOS transistor remains conductive and the electric potential of the output remains low. In this case, the pMOS transistor is non-conductive. Accordingly, no electric charge flows to GND and no power is consumed. On the other hand, when the input stays low, the pMOS transistor is conductive and the electric potential of the output remains high. In this case, the nMOS transistor is non-conductive. Accordingly, no electric charge flows to GND and no power is consumed.
In this way, in the ideal case, a CMOS design does not consume power when the state of the signal line does not change. A low-power-consumption LSI is realizable with a CMOS design.
Ideally, a logic element using a CMOS design consumes electric power only when the input signal changes. As a result, the power consumed by a CMOS design with an input transition differs from the power consumed without an input transition. Accordingly, if a transition of the signal line relates to key information, the consumed power changes in relation to the operation on the key information. This change in the consumed power can be observed from the outside. In this case, the key information can be identified by DPA.
Ideally, a CMOS design does not consume power when signals do not change. In practice, electric power is consumed not only by changes of a signal line but also by leakage current. This leakage current flows from an input to a drain through the gate of the pMOS or nMOS transistor, or flows from Vcc to GND through the pMOS or nMOS transistor. The amount of leakage current depends on the states of the input signal line and the output signal line of the CMOS design.
As mentioned above, when a microcomputer using a CMOS design operates on data, the detected change in the consumed power depends on the power consumed according to the state (“0” or “1”) of signal lines that do not transition, and on the number of signal lines that transition.
Usually, in a CMOS design circuit in which a datum is represented by a single data line (single rail), the change in power consumption depends on the previous data and the current data. If, during an operation related to key information, the change in the consumed power correlates with the key information, the key information in the microcomputer can be estimated by DPA.
In the prior art, as a countermeasure against DPA, the data to be operated on is masked before the operation (for example, Japanese Patent Disclosure (Kokai) P2000-66585). In this method, the key information is masked and the operation is executed using the masked key information, so that the change in consumed power during the operation does not correlate with the key information. In short, by masking the key information, the absence of a relationship between the change in consumed power and the key information is regarded as a defense against DPA. In this way, the absence of a relationship between the change in consumed power and the key information is effective as a defense against DPA. However, this method requires extra hardware or calculation time for the mask operation.
Apart from masking intermediate data with a random number, another countermeasure against attack by DPA that has been considered is a method for keeping the consumed power constantly equal irrespective of the operation data. In a circuit component whose consumed power is constantly equal irrespective of the value of the intermediate data, the change in the consumed power does not correlate with the key information, and this method is used as a countermeasure against DPA. To realize this method, a circuit component that is independent of the processing data and the previous processing data in the microcomputer is necessary. However, such a technique is not yet known.
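
The correlation test described above can be used to check whether a countermeasure actually removes the relationship between consumed power and key information. The following Python simulation is an added example, not part of the original text: it compares a single-rail model, a masked model, and a data-independent power model on constructed measurements. The 4-bit key, the S-box step, the Hamming-weight power model with Gaussian noise, and all function names are assumptions chosen for illustration.

```python
import math
import random

# 4-bit PRESENT S-box, used only as a convenient nonlinear step (assumption).
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

def hw(x):
    """Hamming weight: number of signal lines at '1'."""
    return bin(x).count("1")

def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / math.sqrt(vx * vy)

def simulate(mode, key, n, rng, noise=1.0):
    """Constructed data: one noisy power sample per operation on a random nibble."""
    plains, power = [], []
    for _ in range(n):
        p = rng.randrange(16)
        v = SBOX[p ^ key]                 # key-dependent intermediate value
        if mode == "masked":
            v ^= rng.randrange(16)        # fresh random mask for every operation
        if mode == "constant_power":
            leak = hw(v) + hw(v ^ 0xF)    # assumed data-independent model: always 4
        else:
            leak = hw(v)                  # single rail: power tracks the data
        plains.append(p)
        power.append(leak + rng.gauss(0, noise))
    return plains, power

def leakage_report(mode, key=0xB, n=4000, seed=1):
    """Return (|r| for the true key, largest |r| among the 15 wrong keys)."""
    rng = random.Random(seed)
    plains, power = simulate(mode, key, n, rng)
    corr = [abs(pearson([hw(SBOX[p ^ g]) for p in plains], power))
            for g in range(16)]
    return corr[key], max(c for g, c in enumerate(corr) if g != key)

if __name__ == "__main__":
    for mode in ("single_rail", "masked", "constant_power"):
        true_key, best_wrong = leakage_report(mode)
        print(f"{mode:15s} true-key |r|={true_key:.3f}  wrong-key max |r|={best_wrong:.3f}")
```

In the single-rail model the true key stands out from every wrong guess; in the masked and constant-power models all sixteen guesses stay at noise level, which is the property a designer wants to confirm before relying on either countermeasure.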