As more information is converted into electronic data, cryptography has become an indispensable technology for protection of information and confidential communication. To secure the safety of ciphers, it is necessary to make secret information such as a key not easily inferable. Though cryptanalysis methods such as the exhaustive search of a key, linear decryption that performs mathematical decryption, and differential decryption are known, such an analysis in a realistic time frame is considered to be impracticable.
On the other hand, side channel attacks trying to acquire confidential information from side channel information under the assumption that an attacker can precisely measure side channel information such as the processing time and power consumption in an apparatus (cryptographic module) such as a mobile terminal equipped with a cryptographic function and measures against such attacks have become an important subject of research.
Side channel attacks include a power analysis attack that measures power consumption of a cryptographic module to analyze secret information such as a key from the power consumption. Among others, the differential power analysis that carries out an analysis by performing statistical processing on a plurality of power consumption wave forms is considered to be a particularly powerful attack method (NPL 1).
When cipher text is generated by performing preset encryption processing a predetermined number of times, the bit transition (Hamming distance) and power consumption of a register are considered to be correlated before and after the encryption processing (NPL 2).
Thus, a problem that a secret key can be analyzed by focusing on the bit transition arises.
As an example of techniques of measures against attacks focusing on the bit transition, Wave Differential Dynamic Logic (hereinafter, abbreviated as “WDDL”) is proposed (NPL 3). In WDDL, after a precharge operation is performed, an operation is performed by using a complementary circuit to equalize power consumption. Measures against the differential power analysis are implemented by eliminating differences of power consumption due to differences of bit values during operation. A precharge is needed as an operation in WDDL and the operating speed is correspondingly decreased for the precharge. Moreover, a complementary circuit is needed and the circuit area is increased. As a result, a problem of a lower performance/area ratio arises in WDDL.
PTL 1 discloses a cipher processing apparatus having tamper resistance to DPA (Differential Power Analysis) attacks by being configured to connect two round operation circuits in series to perform cipher processing operations by alternately switching a normal round operation to which a normal round key is applied and a dummy round operation to which a dummy round key is applied.
PTL 2 discloses a technology that divides plain text into a plurality of blocks and performs pipeline processing by a CPU to encrypt each block when each block is independently encrypted.