1. Field of the Invention
The present invention relates to an encryption processing apparatus, an encryption processing method, and a computer program. More particularly, the present invention relates to an encryption processing apparatus and method for realizing an encryption process having high resistance to encryption processing analysis based on power analysis in a computation circuit of, for example, an IC module for performing an encryption process, and to a computer program therefor.
2. Description of the Related Art
Recently, along with the development of network communication and electronic business transactions, insurance of security communication has become an important issue. One of methods of ensuring security is encryption technology, and at present, communications using various encryption techniques have been performed in practice.
For example, a system is implemented in which an encryption processing module is incorporated in a compact device such as an IC card, and data transmission and reception is performed between the IC card and a reader/writer serving as a data reading/writing device, so that an authentication process is performed, or the transmission and reception data is encrypted and decrypted.
In the encryption processing module, for example, a data encryption process for inputting plain text and outputting encrypted text, or a decryption process for inputting encrypted text and outputting plain text is performed. These encryption processes include electrical processes by hardware which forms an encryption processing module, for example, semiconductors. Therefore, there is a risk in that, by analyzing power consumption when an encryption process is performed in such a semiconductor module, the encryption processing procedure is analyzed.
Examples of attacks on a computation processing device such as an IC, that is, cryptanalysis attacks, include timing attack (TA) for estimating secret information by analyzing the processing time; simple power analysis (SPA) for estimating secret information by observing consumption power during an encryption process; and differential power analysis (DPA) for estimating secret information by measuring consumption power during an encryption process on a large amount of data and by statistically analyzing the measured data.
Several technologies for increasing the resistance to power analysis have already been proposed. For example, in Japanese Unexamined Patent Application Publication No. 2000-305453, a configuration is disclosed in which intermediate data control means is provided, intermediate data generated in the encryption process is changed by random numbers, and consumption power is controlled by random numbers, making an analysis difficult based on consumption power. Furthermore, Japanese Unexamined Patent Application Publication Nos. 2001-256116 and 2001-256713 disclose, as a configuration for preventing analysis using electrical-current detection of a bus which forms an encryption process circuit, a configuration in which analysis is made difficult by adding a configuration in which the number of bytes of data which is transferred through the bus is controlled.
In addition, in Japanese Unexamined Patent Application Publication No. 2002-526797, a configuration is disclosed in which analysis using consumption power is made difficult by causing a computation process within an encryption processing module and data transfer among registers to be performed in parallel with respect to time. In Japanese Unexamined Patent Application Publication No. 2002-526849, a configuration is disclosed in which analysis is made difficult by performing a process for writing a value generated on the basis of a random number when the process for writing data to the memory is performed.
In the manner described above, various technologies aimed at improving the resistance to power analysis have been proposed. However, in a configuration in which power control based on a random number for the intermediate data is performed, when it is determined at which position in the encryption processing sequence power control based on the random number is performed, there is a risk in that power analysis at a real encryption processing sequence execution position other than that position becomes possible. Also, in a configuration in which power analysis by parallel processing is made difficult, there is a risk in that, if parallel processing is performed at a specific step in the encryption processing sequence, power analysis becomes possible if the processing position of the parallel processing is found.