Conventional countermeasures for protecting confidential information on semiconductor devices fall roughly into two types: software-based countermeasures that run on a specific semiconductor device, typified by a Central Processing Unit (CPU), and hardware-based countermeasures built into the semiconductor device itself.
The software-based countermeasures of the former type are implemented on a device that contains both a CPU and a memory, typified by an IC card. JP2000066585, for example, describes the following. The widely used common-key (symmetric) block cipher DES (Data Encryption Standard) uses conversion tables called S-boxes in its algorithm. Before the algorithm is run, a random parameter R is applied under a predetermined rule X to derive a plurality of conversion tables that differ from the S-boxes prescribed by the algorithm, and the result is stored in memory. When the algorithm is executed, the plaintext data M (or the ciphertext data C) is processed using the key data K together with the random parameter R to obtain the ciphertext data C (or the plaintext data M). Because of R, the processing flow varies in as many ways as there are values of R, unlike the conventional processing of M (or C) with K only, so the power consumption is diversified. Furthermore, the use of the random parameter R makes the intermediate values of the process unpredictable, so that confidential information cannot be deciphered from the power consumption. As another example, JP2002540654T discloses similar countermeasures. It differs from the previous one in how the rule X and the random parameter R are set, but substantially the two are equivalent countermeasures.
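The following is an added illustration of the table-based countermeasure described above; it is not code from JP2000066585 or JP2002540654T. Since the patents' concrete rule X is not reproduced on this page, ordinary Boolean (XOR) masking is assumed as the rule, and a constructed 4-bit S-box stands in for the 6-to-4-bit DES S-boxes. All names and inputs are hypothetical.

```python
"""Added example (not code from the cited patents): deriving alternative
S-box tables from a random parameter R = (r_in, r_out) in advance, so that
every intermediate value of the round depends on R as well as on M and K.

Assumption: Boolean (XOR) masking plays the role of the patent's rule X.
"""

# 4-bit bijective S-box, constructed for the example (the PRESENT S-box,
# used only as a convenient permutation of 16 values).
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
WIDTH = len(SBOX)  # 16 possible values for an input, an output and a mask


def masked_sbox_table(sbox, r_in, r_out):
    """Derive the table S'(x) = S(x ^ r_in) ^ r_out from R = (r_in, r_out).
    Looking S' up with the masked input x ^ r_in yields the masked output
    S(x) ^ r_out, so the true value S(x) never appears in the lookup."""
    return [sbox[x ^ r_in] ^ r_out for x in range(len(sbox))]


def unmasked_round(x, k):
    """Conventional processing of M (or C) with K only: every intermediate
    value is a deterministic function of x and k."""
    return SBOX[x ^ k]


def masked_round(x, k, r_in, r_out, table):
    """Processing with the random parameter R.  Returns (y, intermediates):
    y equals unmasked_round(x, k); intermediates are the values a power
    trace would actually see while the round executes."""
    xm = x ^ r_in          # data is masked on entry
    t = xm ^ k             # = (x ^ k) ^ r_in: masked S-box input
    ym = table[t]          # = S(x ^ k) ^ r_out: masked S-box output
    y = ym ^ r_out         # the mask is removed only at the end
    return y, (xm, t, ym)


def verify_all_masks(sbox=SBOX):
    """Check that for every R, every x and every k the masked computation
    returns the same result as the unmasked one."""
    n = len(sbox)
    for r_in in range(n):
        for r_out in range(n):
            table = masked_sbox_table(sbox, r_in, r_out)
            for x in range(n):
                for k in range(n):
                    y, _ = masked_round(x, k, r_in, r_out, table)
                    if y != sbox[x ^ k]:
                        return False
    return True


def distinct_intermediates(x, k):
    """Number of distinct intermediate-value triples seen for a fixed (x, k)
    as R ranges over all its values.  Without R there is exactly one triple;
    with R it is spread over all values of R, which is what makes the power
    consumption diverse and the intermediates unpredictable."""
    seen = set()
    for r_in in range(WIDTH):
        for r_out in range(WIDTH):
            table = masked_sbox_table(SBOX, r_in, r_out)
            _, inter = masked_round(x, k, r_in, r_out, table)
            seen.add(inter)
    return len(seen)


if __name__ == "__main__":
    print("masked == unmasked for all R, x, k:", verify_all_masks())
    print("intermediates for x=3, k=5 without R:",
          masked_round(3, 5, 0, 0, SBOX)[1])
    print("distinct intermediates for x=3, k=5 over all R:",
          distinct_intermediates(3, 5))
```

The point of the example is the contrast between the single, key-dependent triple that the unmasked path exposes and the 256 different triples that the same (x, k) produces under the masked path, one per value of R. The caveat a practitioner would add is that this only holds while R is fresh for each computation; a fixed or reused R turns the derived tables back into a deterministic function of K.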
The hardware-based countermeasures of the latter type are implemented by a design method for realizing the algorithm in the semiconductor device. For example, JP2003526134T describes the following. An AND gate, as an elementary device of a digital circuit, is paired with an INV-AND gate whose switching characteristic is complementary to (offsets) that of the AND gate (such a pair will be referred to hereinafter as a gate pair). As a result, the power consumption does not depend on the intermediate values of the algorithm, which makes it impossible to decipher confidential information from the power consumption. JP2002311826 discloses analogous countermeasures in which the pair is formed not on a gate basis but on a circuit basis (in that case, a circuit implementing the S-box). On its face this differs from the countermeasures of JP2003526134T, but substantially they are the same.
In principle, those conventional gate-pair based countermeasures still allow confidential information to be deciphered, for the following reason.
The security of the gate pair rests on the AND gate and the INV-AND gate operating in a fully complementary manner. For this to hold, the AND gate and the INV-AND gate of a pair must switch with the same timing and must drive the same loads. Even a tiny gap in switching timing produces a corresponding time difference in the measured power consumption, so that the power drawn by the two gates is measured with a phase difference. If the loads driven by the AND gate and the INV-AND gate of a pair differ, then the power consumptions of the two gates measured immediately after they switch also differ, which readily reveals which of the two gates switched. In neither case is the operation complementary. A gate added only to provide the complementary operation (referred to hereinafter as a dummy gate) is redundant in terms of logical implementation, so its output is not used; the dummy gate therefore tends to drive a smaller load than the gate that is logically necessary. To equalize the loads, a pair may be formed from whole circuits instead of individual gates, as exemplified by the countermeasures of JP2002311826. It is, however, very difficult to guarantee that the corresponding gates of such a pair switch with the same timing. The problems raised here stem from the fact that a gate pair or circuit pair has two output nodes so that it can perform a complementary operation.

Patent Document 1: JP2000066585
Patent Document 2: JP2002540654T
Patent Document 3: JP2003526134T
Patent Document 4: JP2002311826
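As an added illustration of the timing and load argument above (not code from JP2003526134T or JP2002311826), the following toy power model shows a balanced gate pair producing the same trace for every input, and the same pair leaking the AND value as soon as the dummy gate drives a lighter load or switches one step late. The pair is assumed to be precharged, so that exactly one of the two output rails switches per evaluation; loads, delays and the number of time steps are hypothetical numbers chosen for the illustration.

```python
"""Added example (not code from the cited patents): a toy power model for a
gate pair consisting of an AND gate and its complementary INV-AND gate.

Assumptions: the pair is precharged, so during each evaluation exactly one
output rail rises (the AND rail when a AND b = 1, the INV-AND rail
otherwise); the power sample at a time step is the load driven by whichever
output switched in that step.  All numbers are hypothetical.
"""

STEPS = 3  # time steps per evaluation (hypothetical)


def gate_pair_trace(a, b, load_and=1.0, load_inv=1.0,
                    delay_and=0, delay_inv=0, steps=STEPS):
    """Power trace (one sample per time step) for evaluating AND(a, b) with
    a complementary INV-AND gate.  load_* is the capacitance each output
    drives; delay_* is the time step at which each gate switches."""
    trace = [0.0] * steps
    if a & b:
        trace[delay_and] += load_and   # the true AND output rises
    else:
        trace[delay_inv] += load_inv   # the dummy (INV-AND) output rises
    return trace


def traces_for_all_inputs(**pair_params):
    """Traces for the four input combinations of one gate pair."""
    return {(a, b): gate_pair_trace(a, b, **pair_params)
            for a in (0, 1) for b in (0, 1)}


def leaks(traces):
    """True when the trace reveals the logical value AND(a, b), i.e. the set
    of traces seen for AND = 1 differs from the set seen for AND = 0.  With a
    perfectly complementary pair every input produces the same trace."""
    by_value = {0: set(), 1: set()}
    for (a, b), trace in traces.items():
        by_value[a & b].add(tuple(trace))
    return by_value[0] != by_value[1]


def energy(trace):
    """Total energy per evaluation.  A pure timing skew keeps this equal for
    both logical values; only the shape (phase) of the trace differs, which
    is exactly what a sampled measurement sees."""
    return sum(trace)


if __name__ == "__main__":
    cases = {
        "balanced pair":             dict(),
        "dummy gate lightly loaded": dict(load_inv=0.4),  # unused output
        "dummy gate switches late":  dict(delay_inv=1),   # timing skew
    }
    for name, params in cases.items():
        traces = traces_for_all_inputs(**params)
        print(f"{name:27s} leaks={leaks(traces)}  {traces}")
```

Running the block prints one line per case; only the balanced pair reports `leaks=False`. The load case leaks through the amplitude of the first sample, the timing case through which sample carries the energy, even though the per-evaluation energy is identical for both logical values.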