The present invention relates to a tamper-resistant crypto-processing method for high security media such as IC cards.
An IC card is a device which keeps personal information which is not allowed to tamper or performs encryption of data or decryption of a ciphertext with the use of secret keys. An IC card itself does not have its own power supply, and when it is inserted into a reader/writer for an IC card, power is supplied to the IC card and it is made operable. After it is made operable, the IC card receives commands transmitted from the reader/writer, and following the commands the IC card processes, for example, transfer of data. A general explanation of IC card is given in Junichi Mizusawa, “IC card”, Ohm-sha, denshi-tsuushin-jouhou-gakkai-hen, etc.
An IC card is constituted such that a chip 102 for an IC card is mounted on a card 101 as shown in FIG. 1. In general, an IC card comprises a power supply terminal VCC, a grounding terminal GND, a reset terminal RST, an input/output terminal I/O, and a clock pulse terminal CLK at the positions determined by the ISO7816 standards, and through these terminals an IC card is supplied power from a reader/writer or communicates with it (Refer to W. Rankl and Effing: Smartcard Handbook, John Wiley & AMP; SONS, 1997, PP. 41).
The configuration of a chip for an IC card is basically the same as that of a typical microcomputer. The configuration is, as shown in FIG. 2, composed of a central processing unit(CPU) 201, a memory device 204, an input/output (I/O) port 207, and a coprocessor 202 (in some case, there is no coprocessor). The CPU 201 is a device which performs logical operation, arithmetical operation, etc. The memory device 204 is a device which stores programs, data, etc. The input/output port is a device which communicates with the reader/writer. The coprocessor is a device which performs crypto-processing itself or performs operation necessary for crypto-processing with a high speed. There is, for example, a special calculator for performing residue operation of RSA cryptogram or a cipher device which performs round processing of DES-cryptogram. Some of the processors for IC cards comprise no coprocessor. A data bus 203 is a bus which connect respective devices to each other.
The memory device 204 is composed of ROM (read only memory), RAM (random access memory), EEPROM (electrical erasable programmable read only memory), etc. ROM is a memory which is not changeable and it is mainly used for storing programs. RAM is a memory which can be freely rewritable but when the power supply thereof is off, the stored contents of the RAM are erased. When an IC card is drawn out of a reader/writer, since the power supply is made off, the contents of the RAM disappear. EEPROM is a memory which holds the contents even when the power supply is stopped. EEPROM is used to store the data which are to be held thereon even when it is disconnected from the reader/writer in a case where rewriting is needed. For example, the number of prepaid times of a prepaid-card is rewritten every time it is used, and the data should be held even when it is taken off from the reader/writer. Therefore such data must be held on an EEPROM.
An IC card has programs and/or other important information enclosed in the chip, and is used to store important information or to perform crypto-processing therein. Conventionally, the difficulties to decrypt a ciphertext in an IC card have been considered to be equivalent to those to decrypt a cipher-algorithm. However, the consumption current, when it is performing crypto-processing, is closely observed and analyzed it; thereby it is suggested that contents of a crypto-processing or secret keys may be estimated easier than the decryption of a crypto-algorithm. The consumption current can be observed by the measurement of the current being supplied from the reader/writer. The detail of this threatening attack method is described in 8.5.1 Passive Protective Mechanisms (p. 263) of John Wiley & AMP; SONS, W. Rankl & AMP; W. Effing “Smart Card Handbook”.
CMOS which constitutes a chip for an IC card consumes current when its output conditions turns from 1 to 0 or from 0 to 1. In particular, in the data bus 203, because of the current of a bus driver, and the static capacity of wirings and the transistors connected to the wirings, when the value of the bus changes from 1 to 0 or from 0 to 1, a large current flows. Therefore, if the consumed current is observed, there is a possibility that one may be able to estimate what is being operated inside.
FIG. 3 shows the waveform of a consumed current by an IC card chip in a cycle. Depending on the kind of data processing, the waveform differs as shown in curves 301 and 302. The difference like this occurs depending on the kind of data flowing in the bus 203 or being processed in the CPU 201.
The coprocessor 202, in parallel to the CPU, for example, it is able to perform modular arithmetic operation of 512 bits, so that it is possible to observe a consumption current of a different waveform from that of the CPU over a long time. By the observation of the distinctive pattern, the number of times of operations of a coprocessor can be easily estimated. If there is any relation between secret keys and the operation times of the coprocessor, there is a possibility that one can estimate the secret keys from the operation times of the coprocessor.
If there is a deviation depending on the secret keys in the contents of operation of the coprocessor, the deviation is obtained from the consumption current, and the secret keys can be estimated. For example, in an overflow processing which occurs in the case of modular multiplication operation, in many cases, a consumption current particular to an overflow is generated. In another case, processing time sometimes differs depending on an overflow process is executed or not.
In the case of CPU, similar circumstances exist. Since the number of bits of a secret key is known, if the consumption current is observed by changing data to be processed, the influence of the bit value of the secret key might be able to be observed. When the waveforms of consumption currents are statistically processed, one might be able to estimate the secret key.