TECHNICAL FIELD OF THE INVENTION

This invention relates to cryptographic devices, microprocessors, integrated circuits, and computer program security.

BACKGROUND OF THE INVENTION

Development of computer programs for microcomputers and the data files which they process is often expensive and time-consuming. If such development is undertaken with the object of selling or leasing the programs and data, it is important to the developers that their programs be protected from piracy perpetrated by microcomputer owners who may be numerous and anonymous.

Encryption has been used for protecting programs as described by Richard L. Enison in a Computation Planning Inc. technical note dated 7-28-77. In this system, programs are stored in a conventional host computer in encrypted form. Attached to the host computer is a "Hard Node" computer which deciphers a selected program and outputs the program in deciphered form into the host computer's main storage. The host CPU then executes the deciphered program from its own main storage. Such a system protects the deciphered program from access by other programs, but does not protect the deciphered program from people who have access to the wiring of main storage. The present invention avoids any need for storing a deciphered program in main storage.

Various systems have been developed in the prior art for enciphering digital information to improve the security and privacy of data within data processing systems, during transmission over telecommunications networks, and during storage on media such as magnetic tape and disc. Examples of such cipher systems may be found in U.S. Patents 3,798,359 and 3,958,081.

Another approach to software protection is described in U.S. Patent 4,120,030 by Johnstone. In this system a conventional microprocessor is used, the program instructions are stored in conventional sequence and the instruction operation codes are not enciphered. The data memory units transform data addresses so that effectively a byte transposition of the data bytes results. But the data address unscrambling function can be discovered by storing test data into selected locations in data memory, then searching scrambled addresses sequentially until the test data is located.

SUMMARY OF THE INVENTION

This invention is a cryptographic microprocessor which executes a computer program which is stored in cipher form to prevent piracy. This crypto-microprocessor includes circuitry for deciphering an instruction in the enciphered program, circuitry for executing the deciphered instruction, and circuitry for addressing successor instructions in the enciphered program. The deciphering circuits are integrated with the processing circuits on the same semiconductor chip, so that the deciphered instructions are not externally accessible.

This crypto-microprocessor executes an enciphered program by deciphering the instructions piecemeal as it executes them. The program as a whole is not stored in deciphered form. Hence the program is not accessible to people who have access to the wiring of the computer in which the crypto-microprocessor is a component.

Various deciphering methods are herein described for use in the crypto-microprocessor, including methods which result in the cipher of an instruction being a complex function of the instruction's address in memory. Such enciphering makes the work required to break the cipher more expensive for the pirate than redeveloping the program independently, and thereby deters program piracy.

This invention makes it possible to distribute and execute copies of a proprietary program, while simultaneously keeping the program secret.

BRIEF DESCRIPTION OF THE DRAWINGS

• Figure 1 is a block diagram of a crypto-microprocessor which uses a cipher key to control deciphering.
• Figure 2 is a schematic diagram of a scrambled address embodiment of deciphering circuit 4 Figure 1.
• Figure 3 is a generalized schematic diagram of a 3-stage address scrambler using alternating substitution and transposition.
• Figure 4 is a generalized schematic diagram of a 5-stage address scrambler using alternating substitution and transposition.
• Figure 5 is a block diagram of a crypto-microprocessor with on-chip read-only memory using byte transposition.
• Figure 6 is a schematic diagram of one embodiment of deciphering circuit 4 Figure 1 using bit transposition.
• Figure 7 is a schematic diagram of one embodiment of deciphering circuit 4 Figure 1 using byte substitution.
• Figure 8 is a block diagram of one embodiment of deciphering circuit 4 Figure 1 using a block cipher with address-modified keys.

DETAILED DESCRIPTION OF THE INVENTION

Referring to Figure 1, a typical crypto-microprocessor 16 executes an enciphered program stored in random-access memory 12 by addressing program instructions in memory 12 via address bus 13, deciphering the instructions in deciphering circuit 4, and decoding and executing in circuit 67 each deciphered instruction obtained from circuit 4 via bus 64. Microprocessor 16 is constructed as an integrated circuit.

The portion of information addressed in memory 12 and input to microprocessor 16 via data bus 14 may be a byte or block containing an instruction or part of an instruction or several instructions. Information addressed in memory 12 may also include enciphered data. Deciphering of instructions is done piecemeal as the program executes, so that the program as a whole is not present in deciphered form in the computer in which microprocessor 16 is a component.

A typical crypto-microprocessor 16 includes conventional instruction decode and execute circuit 67 arithmetic-logic unit 70, data registers 71, address registers 73, internal bus 61, and instruction register or queue 65. Queue 65 may store additional instructions which are deciphered in advance of their being needed for execution. Portions of the deciphered instructions fetched from queue 65 include operation codes which are decoded by circuit 67, immediate data which is passed via buses 68 and 61 to memory 75 or bus 14, and address portions which are passed via bus 72 to conventional address register file 73. This file may include base, segment, page, word and/or byte addresses from which conventional addressing unit 74 computes an instruction address for outputting on bus 13. External address bus 13, data bus 14 and internal bus 61 may consist of 8-bits, 16-bits, 20-bits or other bus sizes.

Microprocessor 16 operates in a conventional cyclical sequence: incrementing a program counter in address register 73, outputting an address on bus 13 during an instruction address cycle, inputting an instruction byte on bus 14 from random-access memory 12 in a fetch cycle, decoding and executing the fetched instruction in circuit 67, reading a data address from memory 12 into address register 73, addressing a byte of data in a data address cycle, and reading data from memory 12 into internal memory 75 or register 71. Other conventional instruction and microinstruction sequences may be used.

Memory 12 may be any of a variety of conventional storage devices, such as solid-state read-only memory or read-write memory into which the enciphered program has been copied from storage media such as magnetic disc or tape, optically-coded discs (videodiscs), or ragnetic bubble domain memory.

Deciphering circuit 4 is detailed for various embodiments in Figures 2, 3, 4, 6, 7, and 8, and is comprised of various elements depending on the cipher method used. Enciphering and deciphering methods may be used in vaious combinations in microprocessor 16 and may be controlled by a cipher key stored in key registers 5 or 89 (Figure 8), or by one or more substitution tables 32, 35, 90 and 91 (Figures 2 and 7), or by one or more transposition matrices 92 and 93 (Figure 6) or by an arrangement of crossed wires 48 (Figure 2). Deciphering methods may include substitution (monoalphabetic, poly- alphabetic, and/or block), transposition (bit or byte), exclusive-OR addition (modulo-two), or other methods. The deciphering process may be a function of program addresses (as in Figure 2) or may be independent of program addresses (for example in Figure 6 if transposition matrix 93 and gates 29 are omitted). Deciphering may be used during instruction fetch (as in Figure 1) and may be used with byte transposition (as in Figure 5). Block ciphers (Figures 3 and 4) using alternating substitution and transposition may be used for address scrambling (as in Figure 2) or for deciphering blocks of program in circuit 95 (Figure 8).

Unlike conventional deciphering devices used in secure data communication systems which output deciphered information to authorized persons, deciphering circuit 4 produces deciphered instructions which are intended for use only by instruction decode/execute circuit 67 within microprocessor 16. Although small portions of the deciphered information such as error messages and control characters may be output by microprocessor 16, executable instructions should not be output. Internal buses such as bus 64 which convey deciphered instructions should be isolated from external access by buffer 60 during such conveying.

Plain unenciphered data may be read and written in a conventional manner via buses 14 and 61 and buffer 60. Alternatively, data processed by microprocessor 16 may be enciphered and deciphered by circuit 4 under control of the key in register 5 or 89.

Register 5 may consist of volatile memory which is maintained by an electric battery, or non-volatile electrically-alterable storage which is not accessible on external buses and not readily susceptible to probing nor optically readable from microprocessor chip 16.

SCRAMBLED ADDRESS EMBODIMENTS

Each enciphered byte on bus 45 may be deciphered as it is read into microprocessor 16 by combining the byte being deciphered with its address, so that an instruction is deciphered differently depending on where in memory it is located. Three embodiments of circuit 4 are detailed in Figures 2, 6, and 7 in which the enciphered byte on bus 45 is exclusive-ORed in gates 29 with a scrambled function on bus 27 of the byte's address on bus 82. The address scrambling process may be simple substitution 91 (Figure 7) or bit transposition 93 (Figure 6), or a combination of alternating stages of substitution and transposition (Figure 2). A byte which is combined in gates 29 with the byte's scrambled address, may be further deciphered by substitution table 90 (Figure 7) or transposition matrix 92 (Figure 6) which contain quasi-random permutations of integers or bit positions.

The embodiment of deciphering circuit 4 shown in Figure 2 scrambles the 20-bit address on bus 82 down to an 8-bit scrambled address on bus 27 for deciphering and enciphering 8-bit bytes on buses 45 and 64. The substitution tables 32 and 35 each contain one or more sets of integers ch may be permuted in any quasi-random order. This quasi-random arrangement of integers is kept secret and may be different for each microprocessor unit. These permuted integers may be stored into substitution tables 32 and 35 when the programs to be protected are enciphered, or may be generated when needed from a cipher key in register 5. Microprocessor 16 may execute a program stored in memory 18 which generates integers for storing into tables 32 and 35. This table loading process is symbolized by box 76 (Figure 2).

Summarizing the sequence of events during the fetching of a typical instruction, and referring to Figures 1 and 2, an instruction address is computed by conventional addressing circuit 74 from address values in register file 73. The computed instruction address on bus 96 is output on bus 13 and is also conveyed internally via bus 82 to deciphering circuit 4 (Figure 1) which generates a scrambled address on bus 27 (Figure 2) from the address on bus 82. An enciphered instruction byte is read onto data bus 14 from the location in memory 12 specified by address bus 13. The enciphered instruction byte is read by microprocessor 16 in a fetch cycle from bus 14 onto bus 45. The scrambled address on bus 27 (Figure 2) is exclusive-ORed in gates 29 with the enciphered instruction byte on bus 45 to produce a deciphered instruction byte on bus 64 which is stored into instruction queue 65. Circuit 67 decodes and executes each instruction obtained from queue 65 or memory 18.

If the instruction being executed stores a byte into external storage in cipher form, the data address on buses 96, 82, and 13 is scrambled to produce a scrambled address on bus 27 (Figure 2). This scrambled address is exclusive-ORed in gates 28 with the plain data byte on buses 61 and 64, to produce a cipher byte on bus 45. This enciphered data byte is output via buffer 60 to external data bus 14 which conveys the cipher byte to external memory 12.

Later when this data byte is read from memory 12 the cipher byte on buses 14 and 45 is exclusive-ORed with the same scrambled address on bus 27 yielding the original plain data byte on buses 64, 69 and 61.

The address-scrambling method illustrated in Figure 2 may be used for scrambling addresses other than 20-bit addresses and words other than 8-bit bytes. For example addresses of 16 bits may be scrambled by using four 4-bit substitution tables 32 and four 4-bit substitution tables 35. Such an address scrambler is shown schematically in Figure 3. The security of the address scramble in Figure 3 may be increased by increasing the number of stages. If tables 32 and 35 each have 4-bits in and 4-bits out, then an additional substitution stage 33 and transposition stage 34 may be included as shown in Figure 4.

Each substitution table 32 in Figure 2 provides a table-lookup of a 3-bit integer in a table of 16 permuted integers. In this example each substitution table 32 contains two sets of the eight 3-bit integers "000" through "lll", i.e. 16 integers are stored in each substitution table 32. The two sets of integers may be intermingled when they are loaded into substitution tables 32. Similarly, substitution tables 35 in this example each contain four sets of the eight 3-bit integers "000" through "111", i.e. 32 integers. Each integer value is stored four times at random locations in each table of 32 integers. Each of the bits from a substitution table in one stage are transposed to a different substitution table in the next stage to insure that a change in any one bit on bus 82 affects all bits on bus 45. Substitution tables 32 cause each address all to affect 3 bits on lines 47. The transposition mat .8 spreads these 3 bits to the 3 substitution tables 5. Thus each bit of address on bus 82 affects all 3 substitution tables 35 which affect all 8 bits in bus 27 and bus 45. Transposition stage 48 may be accomplished by simple crossed wires or a matrix of semiconductor devices.

BLOCK CIPHER EMBODIMENTS

A program may be enciphered in multi-byte blocks using block cipher methods. Details of deciphering circuit 4 for blocks are shown in Figure 8. Each block may consist of 64 bits, 32 bits or other convenient sizes and may contain several instructions which are deciphered as a block. The cipher key may be altered for each block address, so that each block is enciphered with a different key. The block address may be exclusive-ORed in gates 97 with the basic key in register 5 to produce an altered key on bus 11 for deciphering circuit 95.

Referring to Figures 1 and 8, each block of instructions in memory 12 is addressed by conventional addressing circuit 74 via address bus 13. The addressed block is read from memory 12 onto data bus 14 and thence via bus 45 to block register 62 (Figure 8). Deciphering unit 95 then deciphers the enciphered block in register 62 under the control of the altered key on bus 11. The deciphered block of instructions, which deciphering unit 95 stores into register 63, passes to instruction queue 65 via bus 64.

Each successive block of enciphered information is likewise deciphered by circuit 95 using the cipher key modified by the block address. The key should be at least 56 bits to prevent testing of all possible keys by a pirate who has obtained portions of the deciphered program.

Block deciphering circuit 95 may be constructed as described in U.S. Patent 3,958,081 or as described above using alternating stage of substitution and transposition which are schematically represented in Figures 3 and 4.

In such block cipher systems each bit of the enciphered block affects all bits of the deciphered block. Hence a pirate is prevented from tricking the microprocessor into executing slightly altered instructions, because changing any one bit of an enciphered block produces a deciphered block of gibberish.

Data may also be stored in enciphered form in memory 12 and be read via data bus 14 into block register 62 for deciphering by circuit 95. The deciphered data in data register 63 passes via buses 69 and 61 to internal memory 75. Data which is output in cipher to external memory 12 passes from internal memory 75 via buses 61 and 45 to register 65 for enciphering. Circuit 95 is switched to an enciphering mode to produce an enciphered block in register 63. This block is output via buses 69, 61 and 14 to external memory 12 or to another storage device addressed by bus 13.

EMBODIMENTS WITH ON-CHIP MEMORY

If the enciphered program is small enough it may be stored in read-only memory in cipher form or transposed form on the crypto-microprocessor chip (Figure 5) to prevent a pirate from reading the program from a photographic enlargement of the chip or by probing an easily found internal bus. A small cipher key can be hidden among the tens of thousands of devices on the chip, but a large memory cannot be so hidden.

Referring to Figures 1 and 5, a simple embodiment is shown for microprocessor 16 which stores the bytes of the program in a transposed or scrambled arrangement in memory 12. Since each byte in the program has an address, if this address is scrambled by scrambler 84 using substitution, bit-transposition or other means, the effect is to scatter the bytes of the program in memory 12. A person studying bytes that were read from memory 12 would not know in what sequence they are executed, nor which bytes are operation codes, addresses, or data. Circuit 3 represents instruction decoding and executing circuit 67 and other circuitry shown in Figure 1. When an address is read from memory 12 on bus 7 as part of an instruction, the address may be unenciphered and may be stored in an address register in file 73 where it may be incremented for sequential instruction fetch. This incremented address is passed via bus 166 to address scrambler 84. The scrambled address on bus 13 addresses the desired byte in memory 12.

A pirate should not be able to access the circuitry of microprocessor 16 without causing erasure of the cipher key or otherwise making microprocessor 16 disfunctional. Potting in thermoset plastic is an adequate deterrent to all but the most skilled pirate. To prevent removal of the plastic using stripping solvants, a highly crosslinked resin may be used. Heavy, preferably opaque, glassification of the chip, such as that described in U.S. Patent 4,133,690, may also be used.

The word "byte" has been used herein in a broad sense to mean a portion of information or word of 8 bits or other small word sizes such as 7 bits or 16 bits.

The present disclosure is made only by way of example. Equivalent embodiments which do not depart from the scope and spirit of my invention as defined in the appended claims may occur to those skilled in the art in the light of this disclosure.