JP2017028506A - Memory device, host device, and memory system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a memory device in which measures against DPA (differential power analysis) attack can be implemented at low cost.SOLUTION: A memory device comprises: encryption modules 32 and 33 that execute a normal operation for encrypting and decrypting data transmitted/received between a host device and the memory device; an encryption module 34 that executes a dummy operation on the basis of a dummy key K12; a control circuit 31 that controls an operation of the encryption module 34. The control circuit 31 makes the encryption module 34 execute the dummy operation during a time period in which one of the encryption modules 32 and 33 executes the normal operation.SELECTED DRAWING: Figure 2

Description

  The present invention relates to a memory device, a host device, and a memory system including them.

  2. Description of the Related Art In a memory system including a host device and a memory device connected to the host device, a memory system in which security is improved by encrypting commands and data transmitted / received between both devices has been put into practical use.

  Currently used cryptography is computationally safe for cryptographic analysis techniques. However, when the cryptographic module is actually mounted on the memory system, leaks depending on the mounting, such as power consumption and processing time, occur. By observing such an operating state with various physical means, the threat of side channel attacks that attempt to illegally acquire secret information such as a secret key has increased.

  As one of the side channel attacks, there is a power analysis attack that analyzes secret information by measuring the power consumption of the apparatus. Among them, differential power analysis (DPA: Differential Power Analysis) for performing analysis by statistical processing on a plurality of measured power consumption waveforms has been reported as a particularly powerful attack method (see Non-Patent Document 1 below).

  Therefore, in recent years, various countermeasure circuits against DPA attacks have been proposed. For example, the following Non-Patent Document 2 proposes an RSL (Random Switching Logic) circuit and a WDDL (Wave Dynamic Differential Logic) circuit. The RSL circuit eliminates the bias of the state transition probability by switching the operation mode of the logic circuit using a random number, and thereby randomizes the power consumption so as not to depend on the encryption key. After performing the precharge operation, the WDDL circuit equalizes the power consumption by reducing the difference in current consumption due to the difference in bit value at the time of calculation by the complementary circuit.

Paul Kocher and two others, “Introduction to Differential Power Analysis and related Attacks”, [online], Cryptography Research, search July 1, 2015, Internet <http://www.cryptography.com/public/pdf/ DPATechInfo.pdf> Daisuke Suzuki and two others, "Random Switching Logic: A Countermeasure against DPA based on Transition Probability", [online], International Association for Cryptologic Research, July 1, 2015 search, Internet <http: //eprint.iacr .org / 2004 / 346.pdf>

  However, in a memory system including a host device and a memory device, when the RSL circuit or the WDDL circuit described above is mounted on the device, operation time, circuit scale, and consumption are compared with a device that does not mount these circuits. Since the power increases by 2 to 3 times or more, the cost increases.

  The present invention has been made in view of such circumstances, and an object of the present invention is to obtain a memory device, a host device, and a memory system including them that can implement a countermeasure against a DPA attack at a low cost. It is.

  A memory device according to a first aspect of the present invention is a memory device connected to a host device, and is usually used for encrypting and decrypting data transmitted and received between the host device and the memory device. A first cryptographic module and a second cryptographic module that execute an operation, a third cryptographic module that performs a dummy operation based on dummy key information, and a control circuit that controls the operation of the third cryptographic module And the control circuit causes the third cryptographic module to perform a dummy operation during a period in which one of the first cryptographic module and the second cryptographic module performs a normal operation. To do.

  According to the memory device of the first aspect, the control circuit causes the third cryptographic module to perform a dummy operation during a period in which one of the first cryptographic module and the second cryptographic module performs a normal operation. In this way, by causing the third cryptographic module to perform a dummy operation, it is possible to hide the power consumption characteristics of the first or second cryptographic module that is performing the normal operation. As a result, a countermeasure against the DPA attack can be implemented at a low cost.

  The memory device according to a second aspect of the present invention is the memory device according to the first aspect, in particular, the control circuit further includes the second cryptographic module executing a normal operation and the first cryptographic module being a normal one. The dummy operation is executed by the first cryptographic module during a period in which no operation is performed.

  According to the memory device of the second aspect, the control circuit performs a dummy operation on the first cryptographic module during a period in which the second cryptographic module performs a normal operation and the first cryptographic module does not perform a normal operation. Let it run. As described above, the power consumption characteristic of the second cryptographic module can be further concealed by performing the dummy operation of the first cryptographic module during the period in which only the second cryptographic module performs the normal operation.

  The memory device according to a third aspect of the present invention is the memory device according to the second aspect, in particular, the control circuit further includes that both the first cryptographic module and the second cryptographic module simultaneously perform normal operation. In the period of execution, the third cryptographic module is caused to execute a dummy operation.

  According to the memory device of the third aspect, the control circuit causes the third cryptographic module to perform a dummy operation during a period in which both the first cryptographic module and the second cryptographic module simultaneously perform normal operations. . As described above, by performing the dummy operation of the third cryptographic module during the period in which both the first cryptographic module and the second cryptographic module simultaneously perform the normal operation, the first cryptographic module and the second cryptographic module are The power consumption characteristics possessed can be further concealed.

  The memory device according to a fourth aspect of the present invention is the memory device according to any one of the first to third aspects, and in particular, the first cryptographic module generates temporary data based on input data. 1 temporary data generation circuit, the second cryptographic module has a first cryptographic processing circuit that executes cryptographic processing based on the temporary data generated by the first temporary data generation circuit, The third cryptographic module executes a second temporary data generation circuit that generates temporary data based on dummy input data, and a cryptographic process based on the temporary data generated by the second temporary data generation circuit And the control circuit is configured to allow only the first temporary data generation circuit to pass through the first temporary data generation circuit and the first encryption processing circuit. In the period for executing the operation, the second cryptographic processing circuit is caused to perform a dummy operation, and only the first cryptographic processing circuit of the first temporary data generation circuit and the first cryptographic processing circuit is normally operated. In the period in which the second temporary data generation circuit is executed, the dummy operation is executed by the second temporary data generation circuit.

  According to the memory device of the fourth aspect, the control circuit causes the second encryption processing circuit to execute a dummy operation during the period in which only the first temporary data generation circuit executes the normal operation, and the first encryption During the period in which only the processing circuit executes the normal operation, the second temporary data generation circuit is caused to execute the dummy operation. As a result, the power consumption of the entire memory device can be made uniform, making it difficult to analyze the power consumption characteristics due to the DPA attack.

  A memory device according to a fifth aspect of the present invention is characterized in that, in the memory device according to the fourth aspect, the dummy input data is a fixed value.

  According to the memory device of the fifth aspect, the dummy input data is a fixed value. In this way, the dummy input data is set to a fixed value and the attacker predicts that some key data generation processing is being executed, thereby attacking the useless work of identifying dummy input data through analysis. Can be expected. As a result, it is possible to protect true input data for a long time. Further, by setting the dummy input data to a fixed value, it becomes possible to equalize the power consumption of the third cryptographic module accompanying the dummy operation.

  The memory device according to a sixth aspect of the present invention is characterized in that, in the memory device according to the fourth aspect, the dummy input data is a variable value.

  According to the memory device of the sixth aspect, the dummy input data is a fluctuation value. Accordingly, since the power consumption of the third cryptographic module also varies each time the dummy input data varies, the power consumption of the entire memory device can be varied. As a result, it becomes possible to make it difficult to analyze the power consumption characteristics due to the DPA attack.

  A memory device according to a seventh aspect of the present invention is characterized in that, in the memory device according to any one of the fourth to sixth aspects, the input data is key information.

  According to the memory device of the seventh aspect, by inputting key information as input data, the first temporary data generation circuit can generate a session key as temporary data.

  The memory device according to an eighth aspect of the present invention, in the memory device according to any one of the first to seventh aspects, further includes an unauthorized access detection circuit that detects unauthorized access from the host device, The control circuit causes the third cryptographic module to perform a dummy operation when the unauthorized access detection circuit detects unauthorized access.

  According to the memory device of the eighth aspect, the control circuit causes the third cryptographic module to perform a dummy operation when the unauthorized access detection circuit detects unauthorized access. Therefore, the availability of the system can be ensured, and an increase in power consumption caused by executing a dummy operation when no unauthorized access is detected can be avoided.

  A host device according to a ninth aspect of the present invention is a host device to which a memory device is connected, and is usually used for encrypting and decrypting data transmitted and received between the host device and the memory device. A first cryptographic module and a second cryptographic module that execute an operation, a third cryptographic module that performs a dummy operation based on dummy key information, and a control circuit that controls the operation of the third cryptographic module And the control circuit causes the third cryptographic module to perform a dummy operation during a period in which one of the first cryptographic module and the second cryptographic module performs a normal operation. To do.

  According to the host device of the ninth aspect, the control circuit causes the third cryptographic module to perform a dummy operation during a period in which one of the first cryptographic module and the second cryptographic module performs a normal operation. In this way, by causing the third cryptographic module to perform a dummy operation, it is possible to hide the power consumption characteristics of the first or second cryptographic module that is performing the normal operation. As a result, a countermeasure against the DPA attack can be implemented at a low cost.

  The host device according to a tenth aspect of the present invention is the host device according to the ninth aspect, in particular, the control circuit further includes the second cryptographic module executing a normal operation and the first cryptographic module being a normal one. The dummy operation is executed by the first cryptographic module during a period in which no operation is performed.

  According to the host device of the tenth aspect, the control circuit performs a dummy operation on the first cryptographic module during a period in which the second cryptographic module performs a normal operation and the first cryptographic module does not perform a normal operation. Let it run. As described above, the power consumption characteristic of the second cryptographic module can be further concealed by performing the dummy operation of the first cryptographic module during the period in which only the second cryptographic module performs the normal operation.

  The host device according to the eleventh aspect of the present invention is the host device according to the tenth aspect, in which the control circuit further performs normal operation simultaneously on both the first cryptographic module and the second cryptographic module. In the period of execution, the third cryptographic module is caused to execute a dummy operation.

  According to the host device of the eleventh aspect, the control circuit causes the third cryptographic module to perform a dummy operation during a period in which both the first cryptographic module and the second cryptographic module simultaneously perform normal operations. . As described above, by performing the dummy operation of the third cryptographic module during the period in which both the first cryptographic module and the second cryptographic module simultaneously perform the normal operation, the first cryptographic module and the second cryptographic module are The power consumption characteristics possessed can be further concealed.

  A host device according to a twelfth aspect of the present invention is the host device according to any one of the ninth to eleventh aspects, and in particular, the first cryptographic module generates temporary data based on input data. 1 temporary data generation circuit, the second cryptographic module has a first cryptographic processing circuit that executes cryptographic processing based on the temporary data generated by the first temporary data generation circuit, The third cryptographic module executes a second temporary data generation circuit that generates temporary data based on dummy input data, and a cryptographic process based on the temporary data generated by the second temporary data generation circuit And the control circuit includes only the first temporary data generation circuit among the first temporary data generation circuit and the first encryption processing circuit. During the period for executing the normal operation, the second cryptographic processing circuit is caused to execute a dummy operation, and only the first cryptographic processing circuit among the first temporary data generation circuit and the first cryptographic processing circuit is normal. In the period for executing the operation, the second temporary data generation circuit is caused to execute a dummy operation.

  According to the host device of the twelfth aspect, the control circuit causes the second encryption processing circuit to execute a dummy operation during the period in which only the first temporary data generation circuit executes the normal operation, and the first encryption During the period in which only the processing circuit executes the normal operation, the second temporary data generation circuit is caused to execute the dummy operation. As a result, the power consumption of the entire host device can be made uniform, making it difficult to analyze the power consumption characteristics due to the DPA attack.

  The host device according to a thirteenth aspect of the present invention is characterized in that, in the host device according to the twelfth aspect, the dummy input data is a fixed value.

  According to the host device of the thirteenth aspect, the dummy input data is a fixed value. In this way, the dummy input data is set to a fixed value and the attacker predicts that some key data generation processing is being executed, thereby attacking the useless work of identifying dummy input data through analysis. Can be expected. As a result, it is possible to protect true input data for a long time. Further, by setting the dummy input data to a fixed value, it becomes possible to equalize the power consumption of the third cryptographic module accompanying the dummy operation.

  The host device according to the fourteenth aspect of the present invention is characterized in that, in the host device according to the twelfth aspect, the dummy input data is a variable value.

  According to the host device of the fourteenth aspect, the dummy input data is a fluctuation value. Accordingly, since the power consumption of the third cryptographic module also varies each time the dummy input data varies, the power consumption of the entire host device can be varied. As a result, it becomes possible to make it difficult to analyze the power consumption characteristics due to the DPA attack.

  A host device according to a fifteenth aspect of the present invention is characterized in that, in the host device according to any one of the twelfth to fourteenth aspects, the input data is key information.

  According to the host device of the fifteenth aspect, by inputting key information as input data, the first temporary data generation circuit can generate a session key as temporary data.

  A memory system according to a sixteenth aspect of the present invention includes the memory device according to any one of the first to eighth aspects, and the host device according to any one of the ninth to fifteenth aspects. It is characterized by.

  According to the memory system of the sixteenth aspect, since the countermeasure against the DPA attack is implemented in both the memory device and the host device, it is possible to enhance the resistance against the DPA attack as the whole memory system.

  According to the present invention, it is possible to implement a countermeasure against a DPA attack at a low cost.

It is a figure which shows the structure of the memory system which concerns on embodiment of this invention. It is a figure which shows the structure of the encryption block of a memory device. It is a timing chart which shows the processing content of a session key generation circuit, a stream data generation circuit, and an encryption module. It is a figure which shows the structure of the encryption block of a host apparatus. It is a timing chart which shows the processing content of a session key generation circuit, a stream data generation circuit, and an encryption module. It is a figure which shows the structure of the encryption block of a memory device. It is a figure which shows the structure of the encryption block of a memory device. It is a timing chart which shows the processing content of a session key generation circuit and a stream data generation circuit. It is a timing chart which shows the processing content of a session key generation circuit, a stream data generation circuit, and an encryption module.

  Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings. In addition, the element which attached | subjected the same code | symbol in different drawing shall show the same or corresponding element.

  FIG. 1 is a diagram showing a simplified configuration of a memory system 1 according to an embodiment of the present invention. As shown in FIG. 1, the memory system 1 includes a host device 2 and a memory device 3 such as a semiconductor memory that is detachably connected to the host device 2.

  The host device 2 includes a CPU 11, an internal memory 12, a main control circuit 13, and an encryption block 14. The memory device 3 includes an encryption block 21 similar to the encryption block 14 and a memory array 22 in which arbitrary data such as content data is stored. The encryption blocks 14 and 21 execute encryption processing and decryption processing on commands and data transmitted and received between the host device 2 and the memory device 3.

  FIG. 2 is a diagram illustrating a configuration of the encryption block 21 of the memory device 3. As illustrated in FIG. 2, the encryption block 21 includes a control circuit 31, encryption modules 32 to 34, and an arithmetic circuit 35. The cryptographic module 32 has a session key generation circuit 42. The session key generation circuit 42 functions as a temporary data generation circuit, and generates a session key D12 as temporary data based on key information (secret key K11) as input data. The cryptographic module 33 has a stream data generation circuit 43. The stream data generation circuit 43 functions as an encryption processing circuit, and generates stream data D13 for stream encryption based on the key information (secret key K13) and the session key D12 input from the session key generation circuit 42. To do. The arithmetic circuit 35 restores the non-encrypted command S12 by calculating an exclusive OR of the encrypted command S11 received from the host device 2 and the stream data D13 input from the stream data generating circuit 43. Further, the arithmetic circuit 35 calculates the exclusive OR of the non-encrypted data S13 read from the memory array 22 and the stream data D13 input from the stream data generation circuit 43, thereby obtaining the encrypted data S14. Is generated.

  The cryptographic module 34 is a cryptographic module having a cryptographic algorithm different from that of the cryptographic modules 32 and 33, and performs a dummy operation that does not contribute to encryption and decryption of commands and data. The encryption module 34 receives the control signal S20 and the key information (dummy key K12) from the control circuit 31. The dummy key K12 may be a fixed value or a variable value using a random number generator. Alternatively, the dummy key K12 may be the same as the secret key K11 or the secret key K13. The cryptographic module 34 may be a cryptographic module having the same cryptographic algorithm as the cryptographic module 32 or the cryptographic module 33. In this case, a key different from the secret keys K11 and K13 is used as the dummy key K12. .

  FIG. 3 is a timing chart showing the processing contents of the session key generation circuit 42, the stream data generation circuit 43, and the encryption module 34.

  In the command processing period (time T11 to T12), the stream data generation circuit 43 performs generation processing of the stream data D13 as a normal operation for executing encryption or decryption of the command or data, and thereby the encrypted command. The decryption of S11 is executed. In the command processing period, the session key generation circuit 42 does not operate, and the cryptographic module 34 executes a dummy operation in synchronization with the operation period of the stream data generation circuit 43.

  In the latency period (time T12 to T13), the session key generation circuit 42 first performs update processing of the session key D12 as a normal operation. Next, the stream data generation circuit 43 performs initialization processing using the updated session key D12 as a normal operation. Further, in the latency period, the cryptographic module 34 performs a dummy operation in synchronization with each operation period of the session key generation circuit 42 and the stream data generation circuit 43.

  In the data processing period (time T13 to T14) after the reading of data from the memory array 22 is completed, the stream data generation circuit 43 performs the generation process of the stream data D13 as a normal operation, and thereby the non-encrypted data S13. Encryption is performed. In the data processing period, the session key generation circuit 42 does not operate, and the cryptographic module 34 performs a dummy operation in synchronization with the operation period of the stream data generation circuit 43.

  Hereinafter, the operation of the memory device 3 will be described in detail by taking as an example a process of reading data stored in the memory array 22 from the memory device 3 to the host device 2.

  When the memory system 1 is activated, the control circuit 31 reads out DPA control information D11 (ON or OFF flag information) stored at a predetermined location in the memory array 22. The control circuit 31 executes the DPA countermeasure process described below when the DPA control information D11 is set to ON, and does not execute it when it is set to OFF. In the example of the present embodiment, it is assumed that the DPA control information D11 is set to ON. The DPA control information D11 may be stored in a part of a command issued from the host apparatus 2. In this case, the host apparatus 2 can easily switch whether or not to execute the DPA countermeasure process. It becomes possible.

  Next, the control circuit 31 inputs the control signal S20 and the dummy key K12 to the cryptographic module 34 in order to execute the dummy operation of the cryptographic module 34 as DPA countermeasure processing.

  Next, the host apparatus 2 transmits the encryption command S11 to the memory device 3 by encrypting the read command issued by the CPU 11 with the encryption block 14.

  Next, in the command processing period (time T11 to T12), the stream data generation circuit 43 performs generation processing of the stream data D13 based on the latest session key D12 input from the session key generation circuit 42 as a normal operation. As a result, the encryption command S11 is decrypted. The cryptographic module 34 performs a dummy operation based on the dummy key K12 in synchronization with the operation period of the stream data generation circuit 43. Data generated by the dummy operation of the cryptographic module 34 may be discarded in the memory device 3 or output to the outside of the memory device 3 as dummy data.

  Next, in the latency period (time T12 to T13), the session key generation circuit 42 first generates a new session key D12 by performing update processing of the session key D12 as a normal operation. The cryptographic module 34 performs a dummy operation in synchronization with the operation period of the session key generation circuit 42. Next, the stream data generation circuit 43 performs initialization processing using the updated session key D12 as a normal operation. The cryptographic module 34 performs a dummy operation in synchronization with the operation period of the session key generation circuit 42. Next, desired data S13 is read from the memory array 22 based on the non-encrypted command S12 restored by the decryption of the encrypted command S11.

  Next, in the data processing period (time T13 to T14), the stream data generation circuit 43 performs the generation process of the stream data D13 based on the updated session key D12 input from the session key generation circuit 42 as a normal operation. Thereby, the encryption of the non-encrypted data S13 is executed. The encrypted data S14 is transmitted from the memory device 3 to the host device 2. The cryptographic module 34 performs a dummy operation in synchronization with the operation period of the stream data generation circuit 43.

  As described above, according to the memory device 3 according to the present embodiment, in the control circuit 31, one of the cryptographic module 32 (first cryptographic module) and the cryptographic module 33 (second cryptographic module) performs a normal operation. In the period, the cryptographic module 34 (third cryptographic module) is caused to perform a dummy operation. As described above, by causing the cryptographic module 34 to perform the dummy operation, the power consumption characteristic of the cryptographic module 32 or the cryptographic module 33 that is performing the normal operation can be hidden. As a result, a countermeasure against the DPA attack can be implemented at a low cost.

  In addition, the dummy key K12 is set to a fixed value, and the attacker predicts that some key data generation processing is being executed, thereby causing the attacker to perform useless work of specifying the dummy key K12 by analysis. The effect can be expected. As a result, the secret keys K11 and K13 can be protected for a long time. Further, by setting the dummy key K12 to a fixed value, it becomes possible to equalize the power consumption of the cryptographic module 34 accompanying the dummy operation.

  Further, by setting the dummy key K12 as a variation value, the power consumption of the cryptographic module 34 also varies each time the dummy key K12 varies, so that the power consumption of the entire memory device 3 can be varied. As a result, it becomes possible to make it difficult to analyze the power consumption characteristics due to the DPA attack.

  Further, by inputting the secret key K11 (key information) as input data, the session key generation circuit 42 can generate a session key D12 as temporary data.

<First Modification>
In the above-described embodiment, the example in which the DPA countermeasure is implemented in the memory device 3 has been described, but the DPA countermeasure may be implemented in the host device 2.

  FIG. 4 is a diagram illustrating the configuration of the encryption block 14 of the host device 2. As shown in FIG. 4, the encryption block 14 includes a control circuit 51, encryption modules 52 to 54, and an arithmetic circuit 55. The cryptographic module 52 has a session key generation circuit 62. The session key generation circuit 62 functions as a temporary data generation circuit, and generates a session key D22 as temporary data based on key information (secret key K21) as input data. The cryptographic module 53 has a stream data generation circuit 63. The stream data generation circuit 63 functions as an encryption processing circuit, and generates stream data D23 for stream encryption based on the key information (secret key K23) and the session key D22 input from the session key generation circuit 62. To do. The arithmetic circuit 55 restores the non-encrypted data S24 by calculating an exclusive OR of the encrypted data S23 received from the memory device 3 and the stream data D23 input from the stream data generating circuit 63. Further, the arithmetic circuit 55 calculates the exclusive OR of the non-encrypted command S21 input from the main control circuit 13 and the stream data D23 input from the stream data generation circuit 63, thereby obtaining the encrypted command S22. Is generated.

  The cryptographic module 54 is a cryptographic module having a cryptographic algorithm different from that of the cryptographic modules 52 and 53, and executes a dummy operation that does not contribute to encryption and decryption of commands and data. The cryptographic module 54 receives a control signal S30 and key information (dummy key K22) from the control circuit 51. The dummy key K22 may be a fixed value or a variable value using a random number generator. Alternatively, the dummy key K22 may be the same as the secret key K21 or the secret key K23. The cryptographic module 54 may be a cryptographic module having the same cryptographic algorithm as the cryptographic module 52 or the cryptographic module 53. In this case, a key different from the secret keys K21 and K23 is used as the dummy key K22. .

  FIG. 5 is a timing chart showing processing contents of the session key generation circuit 62, the stream data generation circuit 63, and the encryption module 54.

  In the command processing period (time T21 to T22), the stream data generation circuit 63 performs generation processing of the stream data D23 as a normal operation for executing encryption or decryption of the command or data, and thereby performs non-encryption. Encryption of command S21 is executed. In the command processing period, the session key generation circuit 62 does not operate, and the cryptographic module 54 performs a dummy operation in synchronization with the operation period of the stream data generation circuit 63.

  In the latency period (time T22 to T23), the session key generation circuit 62 first performs update processing of the session key D22 as a normal operation. Next, the stream data generation circuit 63 performs initialization processing using the updated session key D22 as a normal operation. Further, in the latency period, the cryptographic module 54 performs a dummy operation in synchronization with each operation period of the session key generation circuit 62 and the stream data generation circuit 63.

  In the data processing period (time T23 to T24), the stream data generation circuit 63 performs the generation process of the stream data D23 as a normal operation, and thereby the encrypted data S23 is decrypted. In the data processing period, the session key generation circuit 62 does not operate, and the cryptographic module 54 performs a dummy operation in synchronization with the operation period of the stream data generation circuit 63.

  Hereinafter, the operation of the host device 2 will be described in detail by taking as an example a process of reading data stored in the memory array 22 from the memory device 3 to the host device 2.

  When the memory system 1 is activated, the control circuit 51 reads out DPA control information D11 stored in a predetermined location of the memory array 22. The control circuit 51 executes the DPA countermeasure process described below when the DPA control information D11 is set to ON, and does not execute it when it is set to OFF. In this modification, it is assumed that the DPA control information D11 is set to ON.

  Next, the CPU 11 issues a non-encrypted read command S21. The command S21 is input to the encryption block 14 via the main control circuit 13.

  Next, in the command processing period (time T21 to T22), the stream data generation circuit 63 performs generation processing of the stream data D23 based on the latest session key D22 input from the session key generation circuit 62 as a normal operation. Thereby, the encryption of the non-encrypted command S21 is executed. The cryptographic module 54 performs a dummy operation based on the dummy key K22 in synchronization with the operation period of the stream data generation circuit 63. The data generated by the dummy operation of the cryptographic module 54 may be discarded in the host device 2 or output to the outside of the host device 2 as dummy data.

  Next, in the latency period (time T22 to T23), the session key generation circuit 62 first generates a new session key D22 by performing update processing of the session key D22 as a normal operation. The cryptographic module 54 performs a dummy operation in synchronization with the operation period of the session key generation circuit 62. Next, the stream data generation circuit 63 performs initialization processing using the updated session key D22 as a normal operation. The cryptographic module 54 performs a dummy operation in synchronization with the operation period of the session key generation circuit 62.

  Next, in the data processing period (time T23 to T24), the stream data generation circuit 63 performs generation processing of the stream data D23 based on the updated session key D22 input from the session key generation circuit 62 as a normal operation. As a result, the encrypted data S23 is decrypted. The decrypted data S24 is input to the CPU 11 via the main control circuit 13.

  As described above, according to the host device 2 according to the present modification, the control circuit 51 is configured so that one of the cryptographic module 52 (first cryptographic module) and the cryptographic module 53 (second cryptographic module) performs a normal operation. Then, the cryptographic module 54 (third cryptographic module) is caused to perform a dummy operation. As described above, by causing the cryptographic module 54 to perform the dummy operation, it is possible to hide the power consumption characteristics of the cryptographic module 52 or the cryptographic module 53 that is performing the normal operation. As a result, a countermeasure against the DPA attack can be implemented at a low cost.

  In addition, the dummy key K22 is set to a fixed value, and the attacker predicts that some key data generation processing is being executed, thereby causing the attacker to perform useless work of specifying the dummy key K22 by analysis. The effect can be expected. As a result, the secret keys K21 and K23 can be protected for a long time. Further, by setting the dummy key K22 to a fixed value, it is possible to make the power consumption of the cryptographic module 54 associated with the dummy operation uniform.

  Further, by setting the dummy key K22 as a variation value, the power consumption of the cryptographic module 54 varies each time the dummy key K22 varies, so that the power consumption of the entire host device 2 can be varied. As a result, it becomes possible to make it difficult to analyze the power consumption characteristics due to the DPA attack.

  Further, by inputting the secret key K21 (key information) as input data, the session key generation circuit 62 can generate a session key D22 as temporary data.

<Second Modification>
In the above embodiment, the necessity of executing the DPA countermeasure process is determined based on the DPA control information D11. However, the DPA countermeasure process is performed on condition that there is an unauthorized access from the host device 2 to the memory device 3. May be executed.

  FIG. 6 is a diagram showing a configuration of the encryption block 21 of the memory device 3. An unauthorized access detection circuit 36 is added to the configuration shown in FIG. The unauthorized access detection circuit 36 receives the unencrypted command S12 restored by the decryption from the arithmetic circuit 35.

  The unauthorized access detection circuit 36, for example, receives an access request to a predetermined access prohibited area, an access request exceeding the data capacity of the memory array 22, an access request by an undefined command with no command ID defined, and a prescribed command sequence. When an access request or the like based on a sequence other than the above is received from the host device 2, the access is detected as an unauthorized access, and an unauthorized access detection signal D 14 is input to the control circuit 31.

  The control circuit 31 executes the DPA countermeasure process described in the above embodiment on the condition that the unauthorized access detection signal D14 is input.

  As described above, according to the memory device 3 according to the present modification, the control circuit 31 executes the DPA countermeasure process when the unauthorized access detection circuit 36 detects unauthorized access. Therefore, it is possible to ensure the availability of the memory system 1 and avoid an increase in power consumption caused by executing a dummy operation when no unauthorized access is detected.

<Third Modification>
FIG. 7 is a diagram illustrating a configuration of the encryption block 21 of the memory device 3. As illustrated in FIG. 7, the encryption block 21 includes a control circuit 31, encryption modules 32 to 34, and an arithmetic circuit 35. The encryption module 34 includes a session key generation circuit 72 (second temporary data generation circuit) similar to the session key generation circuit 42 (first temporary data generation circuit) and a stream data generation circuit 43 (first encryption processing circuit). ) And the same stream data generation circuit 73 (second encryption processing circuit).

  FIG. 8 is a timing chart showing processing contents of the session key generation circuits 42 and 72 and the stream data generation circuits 43 and 73.

  In the command processing period (time T11 to T12), the stream data generation circuit 43 performs the generation process of the stream data D13 as a normal operation, and thereby the encryption command S11 is decrypted. At this time, the session key generation circuit 42 and the stream data generation circuit 73 do not operate, and the session key generation circuit 72 executes a dummy operation in synchronization with the operation period of the stream data generation circuit 43.

  In the latency period (time T12 to T13), the session key generation circuit 42 first performs update processing of the session key D12 as a normal operation. At this time, the stream data generation circuit 43 and the session key generation circuit 72 do not operate, and the stream data generation circuit 73 executes a dummy operation in synchronization with the operation period of the session key generation circuit 42. Next, the stream data generation circuit 43 performs initialization processing using the updated session key D12 as a normal operation. At this time, the session key generation circuit 42 and the stream data generation circuit 73 do not operate, and the session key generation circuit 72 executes a dummy operation in synchronization with the operation period of the stream data generation circuit 43.

  In the data processing period (time T13 to T14), the stream data generation circuit 43 performs the generation process of the stream data D13 as a normal operation, and thereby the encryption of the non-encrypted data S13 is executed. At this time, the session key generation circuit 42 and the stream data generation circuit 73 do not operate, and the session key generation circuit 72 executes a dummy operation in synchronization with the operation period of the stream data generation circuit 43.

  As described above, according to the memory device 3 according to the present modification, the control circuit 31 causes the stream data generation circuit 73 to perform the dummy operation during the period in which only the session key generation circuit 42 executes the normal operation, thereby generating the stream data. In a period in which only the circuit 43 executes the normal operation, the session key generation circuit 72 is caused to execute a dummy operation. As a result, the power consumption of the entire memory device 3 can be made uniform, which makes it difficult to analyze the power consumption characteristics due to the DPA attack.

  In the above description, the example in which the present modification is applied to the memory device 3 has been described. However, the present modification can also be applied to the host device 2, and the same effect can be obtained.

<Fourth Modification>
FIG. 9 is a timing chart showing processing contents of the session key generation circuit 42, the stream data generation circuit 43, and the encryption module 34.

  In the command processing period (time T11 to T12), the stream data generation circuit 43 performs the generation process of the stream data D13 as a normal operation, and thereby the encryption command S11 is decrypted. At this time, the session key generation circuit 42 and the encryption module 34 execute a dummy operation in synchronization with the operation period of the stream data generation circuit 43.

  In order to execute the dummy operation of the session key generation circuit 42, the control circuit 31 reads state transition information indicating the current setting contents of the session key generation circuit 42 from the cryptographic module 32, and the control circuit 31 has a holding circuit included therein. Holds the state transition information. In addition, the control circuit 31 inputs a fixed value or variable value dummy key to the session key generation circuit 42 instead of the secret key K11. The session key generation circuit 42 generates a dummy session key D12 based on the dummy key.

  Next, in the latency period (time T12 to T13), the control circuit 31 writes back the state transition information held by the holding circuit to the session key generation circuit 42. Thereby, the setting content of the session key generation circuit 42 is reset to the state before the dummy operation is executed. The control circuit 31 inputs the secret key K11 to the session key generation circuit 42 instead of the dummy key. The session key generation circuit 42 generates a new session key D12 to be used next time by performing update processing of the session key D12 as a normal operation. At the same time, the stream data generation circuit 43 performs an initialization process as a normal operation using the session key D12 before update that is currently input. At this time, the cryptographic module 34 performs a dummy operation in synchronization with the operation periods of the session key generation circuit 42 and the stream data generation circuit 43.

  Next, in the data processing period (time T13 to T14), the stream data generation circuit 43 performs the generation process of the stream data D13 as a normal operation, and thereby the non-encrypted data S13 is encrypted. At this time, the session key generation circuit 42 and the encryption module 34 execute a dummy operation in synchronization with the operation period of the stream data generation circuit 43.

  As described above, according to the memory device 3 according to the present modification, the control circuit 31 is configured so that the cryptographic module 33 performs a normal operation and the cryptographic module 32 does not perform a normal operation (command processing period and data processing period). The cryptographic modules 32 and 34 are caused to perform a dummy operation. As described above, the power consumption characteristics of the cryptographic module 33 can be further concealed by performing the dummy operation of the cryptographic modules 32 and 34 during the period in which only the cryptographic module 33 performs the normal operation.

  In addition, the control circuit 31 causes the cryptographic module 34 to execute a dummy operation in a period (latency period) in which both the cryptographic modules 32 and 33 simultaneously perform normal operations. As described above, the power consumption characteristics of the cryptographic modules 32 and 33 can be further concealed by performing the dummy operation of the cryptographic module 34 during the period in which both of the cryptographic modules 32 and 33 perform the normal operation simultaneously.

  In the above description, the example in which the present modification is applied to the memory device 3 has been described. However, the present modification can also be applied to the host device 2, and the same effect can be obtained.

DESCRIPTION OF SYMBOLS 1 Memory system 2 Host apparatus 3 Memory apparatus 14, 21 Encryption block 31, 51 Control circuit 32-34, 52-54 Encryption module 36 Unauthorized access detection circuit 42, 62, 72 Session key generation circuit 43, 63, 73 Stream data generation circuit

Claims (16)

A memory device connected to a host device,
A first cryptographic module and a second cryptographic module that perform normal operations to encrypt and decrypt data transmitted and received between the host device and the memory device;
A third cryptographic module that performs a dummy operation based on the dummy key information;
A control circuit for controlling the operation of the third cryptographic module;
With
The memory device, wherein the control circuit causes the third cryptographic module to perform a dummy operation during a period in which one of the first cryptographic module and the second cryptographic module performs a normal operation.   The control circuit further causes the first cryptographic module to perform a dummy operation during a period in which the second cryptographic module performs a normal operation and the first cryptographic module does not perform a normal operation. The memory device described.   3. The control circuit according to claim 2, wherein the control circuit further causes the third cryptographic module to perform a dummy operation during a period in which both the first cryptographic module and the second cryptographic module simultaneously perform normal operations. Memory device. The first cryptographic module has a first temporary data generation circuit that generates temporary data based on input data;
The second cryptographic module has a first cryptographic processing circuit that performs cryptographic processing based on the temporary data generated by the first temporary data generating circuit,
The third cryptographic module is
A second temporary data generation circuit for generating temporary data based on dummy input data;
A second cryptographic processing circuit for performing cryptographic processing based on the temporary data generated by the second temporary data generating circuit;
Have
The control circuit includes:
Of the first temporary data generation circuit and the first cryptographic processing circuit, in a period in which only the first temporary data generation circuit performs a normal operation, the second cryptographic processing circuit is caused to perform a dummy operation,
Causing the second temporary data generation circuit to perform a dummy operation in a period in which only the first encryption processing circuit of the first temporary data generation circuit and the first encryption processing circuit executes a normal operation; The memory device according to claim 1.   The memory device according to claim 4, wherein the dummy input data is a fixed value.   The memory device according to claim 4, wherein the dummy input data is a variable value.   The memory device according to claim 4, wherein the input data is key information. An unauthorized access detection circuit for detecting unauthorized access from the host device;
The memory device according to claim 1, wherein the control circuit causes the third cryptographic module to perform a dummy operation when the unauthorized access detection circuit detects unauthorized access. A host device to which a memory device is connected,
A first cryptographic module and a second cryptographic module that perform normal operations to encrypt and decrypt data transmitted and received between the host device and the memory device;
A third cryptographic module that performs a dummy operation based on the dummy key information;
A control circuit for controlling the operation of the third cryptographic module;
With
The host device, wherein the control circuit causes the third cryptographic module to perform a dummy operation during a period in which one of the first cryptographic module and the second cryptographic module performs a normal operation.   The control circuit further causes the first cryptographic module to perform a dummy operation during a period when the second cryptographic module performs a normal operation and the first cryptographic module does not perform a normal operation. The host device described.   11. The control circuit according to claim 10, wherein the control circuit further causes the third cryptographic module to perform a dummy operation during a period in which both the first cryptographic module and the second cryptographic module simultaneously perform normal operations. Host device. The first cryptographic module has a first temporary data generation circuit that generates temporary data based on input data;
The second cryptographic module has a first cryptographic processing circuit that performs cryptographic processing based on the temporary data generated by the first temporary data generating circuit,
The third cryptographic module is
A second temporary data generation circuit for generating temporary data based on dummy input data;
A second cryptographic processing circuit for performing cryptographic processing based on the temporary data generated by the second temporary data generating circuit;
Have
The control circuit includes:
Of the first temporary data generation circuit and the first cryptographic processing circuit, in a period in which only the first temporary data generation circuit performs a normal operation, the second cryptographic processing circuit is caused to perform a dummy operation,
Causing the second temporary data generation circuit to perform a dummy operation in a period in which only the first encryption processing circuit of the first temporary data generation circuit and the first encryption processing circuit executes a normal operation; The host device according to any one of claims 9 to 11.   The host device according to claim 12, wherein the dummy input data is a fixed value.   The memory device according to claim 12, wherein the dummy input data is a variable value.   The memory device according to claim 12, wherein the input data is key information. A memory device according to any one of claims 1 to 8,
A host device according to any one of claims 9 to 15,
A memory system.

Images