Attack-resistant implementation method
First Claim
1. A method for countering unauthorized decryption comprising a step of scrambling at least one correlation between a data decryption processing in a hardware and at least one respective hardware operational phenomenon by randomly changing at least one arithmetic operation order in the data decryption processing, wherein the correlation is scrambled by an arithmetic operation method implemented by an information processing apparatus comprising the steps of:
- for two integers K1 and K2, when finding a value F(K, A) of a function F satisfying F(K1+K2, A)=F(K1, A) ◯ F(K2, A) (◯ denotes an arithmetic operation in a commutative semigroup S; K designates an integer and A designates an element of S), decomposing the K to the sum of m integers K[0]+K[1]+ . . . +K[m−1];
- using T(0), T(1), . . . T(m−1) resulting from rearranging a string of integers 0, 1, . . . m−1 by permutation T; and
- operating on terms F(K[T(0)], A) to F(K[T(m−1)], A) on the right side of F(K, A)=F(K[T(0)], A) ◯ F(K[T(1)], A) ◯ . . . F(K[T(m−1)], A) . . . (“expression 1”) in an order of F(K[T(0)], A), F(K[T(1)], A), . . . F(K[T(m−1)], A) to find F(K, A).
1 Assignment
0 Petitions
Abstract
The present invention makes it difficult for unauthorized parties to estimate processing and a secret key based upon the waveforms of power consumption of an IC card chip by changing a processing order in the IC card chip so that it is not estimated by the attackers. In an information processing apparatus comprising storing means having a program storing part for storing programs and a data storing part for storing data, an operation processing unit, means for inputting data to be operated on in the operation processing unit, and means for outputting operation processing results on the data by the operation processing unit, an arithmetic operation method is provided which comprises the steps of: for two integers K1 and K2, when finding a value F(K, A) of a function F satisfying F(K1+K2, A)=F(K1, A)◯F(K2, A) (◯ denotes an arithmetic operation in a commutative semigroup S; K designates an integer and A designates an element of S), decomposing the K to the sum of m integers K[0]+K[1]+ . . . +K[m−1]; using T(0), T(1), . . . T(m−1) resulting from rearranging a string of the m integers 0, 1, . . . m−1 by permutation T (the result corresponds one for one to the integer string 0, 1, . . . m−1); and operating on terms F(K[T(0)], A) to F(K[T(m−1)], A) on the right side of
F(K, A)=F(K[T(0)], A)◯F(K[T(1)], A)◯ . . . F(K[T(m−1)], A) . . . (expression 1)
in the order of F(K[T(0)], A), F(K[T(1)], A), . . . F(K[T(m−1)], A) to find F(K, A).
89 Citations
19 Claims
1. A method for countering unauthorized decryption comprising a step of scrambling at least one correlation between a data decryption processing in a hardware and at least one respective hardware operational phenomenon by randomly changing at least one arithmetic operation order in the data decryption processing, wherein the correlation is scrambled by an arithmetic operation method implemented by an information processing apparatus comprising the steps of:
- for two integers K1 and K2, when finding a value F(K, A) of a function F satisfying F(K1+K2, A)=F(K1, A) ◯ F(K2, A) (◯ denotes an arithmetic operation in a commutative semigroup S; K designates an integer and A designates an element of S), decomposing the K to the sum of m integers K[0]+K[1]+ . . . +K[m−1];
- using T(0), T(1), . . . T(m−1) resulting from rearranging a string of integers 0, 1, . . . m−1 by permutation T; and
- operating on terms F(K[T(0)], A) to F(K[T(m−1)], A) on the right side of F(K, A)=F(K[T(0)], A) ◯ F(K[T(1)], A) ◯ . . . F(K[T(m−1)], A) . . . (“expression 1”) in an order of F(K[T(0)], A), F(K[T(1)], A), . . . F(K[T(m−1)], A) to find F(K, A).
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11
12. A method for calculating a value F(K, A) of a function F satisfying F(K1+K2, A)=F(K1, A) ◯ F(K2, A) for two integers K1 and K2 in an encryption or decryption process of a cryptosystem by means of an information processing device which comprises a processing unit and a memory device, wherein ◯ denotes an arithmetic operation in a commutative semigroup S, K designates an integer, and A designates an element of S, the method comprising:
- decomposing the value K in the processing unit to m integers K[0], K[1], . . . , K[m−1] each of which is a value of an n-bit unit of a binary representation of the value K, wherein the binary representation of the value K is w bit, m*n equals w; and
- calculating F(K[T(0)]*(2^n)^(m−1−T[0]), A) ◯ F(K[T(1)]*(2^n)^(m−1−T[1]), A) ◯ . . . F(K[T(m−1)]*(2^n)^(m−1−T[m−1]), A) in the processing unit in an order of F(K[T(0)]*(2^n)^(m−1−T[0]), A), F(K[T(1)]*(2^n)^(m−1−T[1]), A), . . . F(K[T(m−1)]*(2^n)^(m−1−T[m−1]), A) defined by a string of integers T(0), T(1), . . . T(m−1) which is a random permutation of a string of integers 0, 1, . . . m−1.
Dependent claims: 13, 14, 15
16. An information processing device for calculating a value F(K, A) of a function F satisfying F(K1+K2, A)=F(K1, A) ◯ F(K2, A) for two integers K1 and K2 in an encryption or decryption process of a cryptosystem, wherein ◯ denotes an arithmetic operation in a commutative semigroup S, K designates an integer, and A designates an element of S, the information processing device comprising:
- a processing unit; and
- a memory device,
wherein the processing unit is adapted to decompose the value K to m integers K[0], K[1], . . . , K[m−1], each of which is a value of an n-bit unit of a binary representation of the value K, wherein the binary representation of the value K is w bit, m*n equals w, and the processing unit is further adapted to calculate F(K[T(0)]*(2^n)^(m−1−T[0]), A) ◯ F(K[T(1)]*(2^n)^(m−1−T[1]), A) ◯ . . . F(K[T(m−1)]*(2^n)^(m−1−T[m−1]), A) in an order of F(K[T(0)]*(2^n)^(m−1−T[0]), A), F(K[T(1)]*(2^n)^(m−1−T[1]), A), . . . F(K[T(m−1)]*(2^n)^(m−1−T[m−1]), A) defined by a string of integers T(0), T(1), . . . T(m−1) which is a random permutation of a string of integers 0, 1, . . . m−1.
Dependent claims: 17, 18, 19
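The procedure of the abstract and of claims 1, 12 and 16, written out as an added Python example (this is not the patent's own implementation): K is split into m n-bit limbs, a permutation T of 0..m−1 is drawn from a cryptographic random source, and the terms F(K[T(i)]*(2^n)^(m−1−T(i)), A) are combined with ◯ in the order given by T. The concrete semigroups used to exercise it are assumptions chosen here: multiplication mod N with F(k, a)=a^k mod N (an RSA-style exponentiation) and addition mod N with F(k, a)=k*a mod N (the shape of a scalar multiple). The helper names and the toy parameters are constructed for the example.

```python
"""Added example: evaluating F(K, A) as a randomly ordered combination of
per-limb terms, in the manner of claims 1, 12 and 16.  Illustrative code, not
the patent's implementation; the modular-exponentiation and modular-scalar
instances of F and the semigroup operation are assumptions made here."""
import secrets
from typing import Callable, List, Optional, TypeVar

E = TypeVar("E")  # an element of the commutative semigroup S


def split_limbs(K: int, n: int, m: int) -> List[int]:
    """Decompose K into m n-bit limbs K[0], ..., K[m-1], most significant first,
    so that K == sum(K[i] * (2**n) ** (m - 1 - i)) (claim 12's decomposition)."""
    mask = (1 << n) - 1
    return [(K >> (n * (m - 1 - i))) & mask for i in range(m)]


def random_permutation(m: int) -> List[int]:
    """Fisher-Yates shuffle of 0..m-1 drawn from the OS CSPRNG: the permutation T."""
    T = list(range(m))
    for i in range(m - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        T[i], T[j] = T[j], T[i]
    return T


def scrambled_F(F: Callable[[int, E], E], op: Callable[[E, E], E], identity: E,
                K: int, A: E, n: int, w: int,
                perm: Optional[List[int]] = None) -> E:
    """Compute F(K, A) as F(K[T(0)]*(2^n)^(m-1-T(0)), A) o F(K[T(1)]*..., A) o ...
    evaluated in the order given by T.  Since F(K1+K2, A) = F(K1, A) o F(K2, A)
    and o is commutative, every T yields the same value; only the sequence of
    operations the device performs (and hence its power trace) changes."""
    if w % n:
        raise ValueError("claim 12 requires m*n == w")
    m = w // n
    limbs = split_limbs(K, n, m)
    T = list(perm) if perm is not None else random_permutation(m)
    if sorted(T) != list(range(m)):
        raise ValueError("T must be a permutation of 0..m-1")
    acc = identity
    for t in T:
        # K[t] * (2^n)^(m-1-t): the limb restored to its weight within K
        partial_key = limbs[t] << (n * (m - 1 - t))
        acc = op(acc, F(partial_key, A))
    return acc


def modexp_scrambled(A: int, K: int, N: int, n: int, w: int,
                     perm: Optional[List[int]] = None) -> int:
    """A^K mod N with F(k, a) = a^k mod N and o = multiplication mod N (assumed instance)."""
    return scrambled_F(lambda k, a: pow(a, k, N), lambda x, y: (x * y) % N, 1,
                       K, A, n, w, perm)


def scalar_scrambled(A: int, K: int, N: int, n: int, w: int,
                     perm: Optional[List[int]] = None) -> int:
    """K*A mod N with F(k, a) = k*a mod N and o = addition mod N (assumed instance,
    the same shape as a scalar multiple of a group element)."""
    return scrambled_F(lambda k, a: (k * a) % N, lambda x, y: (x + y) % N, 0,
                       K, A, n, w, perm)


def all_orders_agree(A: int, K: int, N: int, n: int, w: int, trials: int = 20) -> bool:
    """Draw several random T and check each gives the reference value pow(A, K, N)."""
    ref = pow(A, K, N)
    return all(modexp_scrambled(A, K, N, n, w) == ref for _ in range(trials))


if __name__ == "__main__":
    # Constructed toy parameters (not a real key): a 64-bit K as eight 8-bit limbs.
    N, A, K = 0xC0D3ED5, 0x1234567, 0x0123456789ABCDEF
    print(hex(modexp_scrambled(A, K, N, n=8, w=64)), hex(pow(A, K, N)))
    print(all_orders_agree(A, K, N, n=8, w=64))
```

Each limb term is still computed by whatever F the device implements; what the claim randomises is the order in which those m partial results are produced and combined, which is what `all_orders_agree` exercises by drawing a fresh T per call and comparing with the reference value.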
Specification