1. Field of the Invention
The present invention relates to an encryption apparatus for performing an encryption process according to a public key encryption algorithm.
2. Description of the Related Art
Recently, a variety of services using various communication technologies, such as electronic commerce or on-line shopping over the Internet or the like, have become popular. With the growth of communication technologies, terminal-based communication systems and card-like devices including non-contact semiconductor memory cards having a communication function integrated into a circuit (these devices are hereinafter referred to as non-contact IC (integrated circuit) cards) have been developed for use in various situations such as electronic toll collection of transportation facilities and electronic money transactions.
In view of their convenience of handling, the non-contact IC cards must have a reduced circuit size and operate with very low power consumption.
The services using such non-contact IC cards generally require mutual authentication to authenticate the communicating parties and encryption to ensure data communication security. These functions must be performed at high speed in the non-contact IC cards. When implemented by software, these functions require a high-clock CPU (central processing unit), which is not suitable for practical use. Therefore, it is desirable that the mutual authentication function and the encryption function be implemented in the non-contact IC cards by hardware rather than software.
Most of the non-contact IC cards in which these functions are implemented by hardware employ so-called common key encryption algorithms, e.g., DES (data encryption standard), because these algorithms allow a relatively small circuit size and low power consumption. Some of the non-contact IC cards which employ the common key encryption algorithms typically have a communication distance of several centimeters to a reader/writer. Even a communication distance of as much as 10 cm can be realized, depending upon the type of interface.
However, in the common key encryption algorithms, a common key is used for both encoding and decoding, and so transmission and reception of key data are essential. Therefore, the common key encryption algorithms are vulnerable to attacks from unauthorized third parties. This has led to fears that the non-contact IC cards applied to financial services in the future may have problems.
In the services using non-contact IC cards, therefore, the demand for high security systems using so-called public key encryption algorithms, e.g., RSA (Rivest-Shamir-Adleman) and ECC (elliptic curve cryptosystem), has increased. In public key encryption, separate keys are used for encoding and decoding and a secret common key is kept by one particular individual. Many studies have been made on non-contact IC cards that perform signature generation and authentication using public key techniques.
Public key encryption algorithms have higher security than common key encryption algorithms, but require a large amount of calculation. Public key encryption algorithms implemented by hardware require circuits several tens of times larger than otherwise and also require a large amount of power supplied to such large circuits. Furthermore, concurrent calculations performed in circuits increase the instantaneous power of the circuits.
In the art, non-contact IC cards using the public key encryption algorithms have not achieved the desired characteristics in terms of circuit size, power consumption, and cost. In the current non-contact IC cards, most of the power must be supplied to an encryption circuit, and the communication distance is as small as about several millimeters. In addition, when the instantaneous power exceeds a predetermined power limit, the calculations must be interrupted and must be performed again. This delays the operations in the non-contact IC cards.
FIGS. 14A through 14D are schematic graphs showing, for comparison, the power consumption for various operations and the total power consumption of the non-contact IC card. In the graphs shown in FIGS. 14A through 14D, the y-axis represents the power consumption W, and the x-axis represents the processing time T. FIG. 14A shows the power consumption of gates, FIG. 14B shows the power consumption for accessing an ALU RAM in which hash values are stored, and FIG. 14C shows the power consumption of a RAM. FIG. 14D shows the power consumption of the overall non-contact IC card, indicating the sum of the power consumptions shown in FIGS. 14A through 14C. The concurrent operations of the gates, the ALU RAM, and the RAM at processing time t0, as shown in FIGS. 14A through 14C, may cause the power consumption of the overall non-contact IC card to exceed the power limit for an instant, as shown in FIG. 14D. If the power consumption of the overall non-contact IC card exceeds the power limit, the operations must be interrupted and performed again, and thus any operation carried out up to the time when the power consumption exceeds the power limit is wasted.
Such wasted operations, occurring each time the power consumption exceeds the power limit, hinder high-speed processing of the non-contact IC card. This is a serious problem because the non-contact IC card is required to perform processing at high speed. In particular, the instantaneous power consumption for a period of as short as several nanoseconds is large when accessing the ALU RAM, and other concurrent operations may cause the instantaneous power of the overall non-contact IC card to exceed the power limit, resulting in delay of the operations.
Although the demand for non-contact IC cards using public key encryption algorithms having high security robustness has increased, it is difficult to implement the algorithms because such non-contact IC cards have limitations on power supply, chip size, etc. It is also difficult to achieve high-speed processing due to the limitation on the power consumption.