1. Field of the Invention
The present invention relates to the field of algorithms implemented by integrated circuits. The present invention more specifically relates to algorithms for cyphering, encrypting or the like using data as well as one or several secret keys used by the algorithm to cypher the data. Reference will be made hereafter to cyphering algorithms using secret keys and data but it should be noted that the present invention more generally applies to any function or series of functions of calculation or of combination of input data and of one or several keys and/or of one or several random words, to provide one or several cyphered messages outside of the integrated circuit.
2. Discussion of the Related Art
In this type of application, it is generally desired to qualify the algorithm, that is, to evaluate its resistance against external attack attempts by unauthorized users trying to penetrate the “secret” of the key(s) used or of the cyphering implemented by the algorithm. Such a qualification of an algorithm is performed with respect to a given type of attack, that is, an analysis method likely to be used by a possible pirate.
The present invention more specifically relates to the qualification of an algorithm with respect to so-called power or current attacks, which consist of correlating the integrated circuit consumption with the internal variables of the algorithm. These variables are functions both of the input data and of the key which is sought and which is used by the integrated circuit. This key is contained in a storage element of the integrated circuit, and is thus known by said circuit, but not known from the outside. Such power attacks are described in the literature (see, for example, the article “Differential Power Analysis” by Paul Kocher, Joshua Jaffe, and Benjamin Jun, published in 1999, Conference CRYPTO 99, pages 388-397, published by Springer-Verlag LNCS 1666) and are known as differential power analysis (DPA).
A conventional method for testing the resistance of an algorithm against attacks of this type consists of using a device similar to that used to perform such an attack, to study the behavior of the algorithm.
FIG. 1 very schematically shows in the form of blocks a conventional example of a system for attacking an algorithm executed by an integrated circuit 1 (IC) by differential power analysis, or for testing the resistance of an algorithm against differential power analysis attacks of an integrated circuit 1 executing this algorithm.
Algorithm ALGO to be tested (or to be attacked) is generally contained in a specific block 2 (CYPH) of integrated circuit 1. Block 2 essentially has the function of executing an algorithm (block 3, detail of FIG. 1) or a function used, for example, for the cyphering/decyphering of data. Generally, the data are formed of any digital word and they may be programs or actual data. Algorithm ALGO cyphers the input data and provides output data CYPHDATA based on one or several keys and, possibly, on one or several random numbers ALEA.
In FIG. 1, only cyphering block 2 has been shown in integrated circuit 1, the rest of the integrated circuit being of any kind. Similarly, the present invention applies to any algorithm ALGO. It may be a symmetrical or asymmetrical cyphering algorithm, and the key(s) used may be contained in circuit 1 or come from the outside.
For a differential power analysis of integrated circuit 1 upon execution of algorithm 3, a device 6 having the function of measuring current I consumed by circuit 1 is interposed on one of lines 4, 5 supplying circuit 1 with a voltage Valim. The measurement performed, for example, by an ammeter 7 (A) interposed on line 4, is provided to a processor 10 (DPA PROC) in charge of correlating the consumed current I with the key being sought. For this purpose, processor 10 exploits input/output signals of the integrated circuit. These signals have arbitrarily been illustrated by an input/output bus 8 of circuit 1, on which is interposed a device 9 branching to processor 10. The supply voltage of circuit 1 may also be controlled by processor 10 (for example, by means of a voltmeter 11 (V) connected between lines 4 and 5).
Devices 6, 9, and 10 described in relation with FIG. 1 actually represent the devices used to implement differential power analysis attacks of circuit 1. To test the integrated circuit resistance to such attacks, the same kind of devices is conventionally used.
FIG. 2 illustrates, in the form of a table 20, a conventional example of implementation of a test of the resistance against attacks of differential current power analysis type of an integrated circuit such as shown in FIG. 1. In the example of FIG. 2, it is assumed for simplification that a single secret key is taken into account by the algorithm.
Data sets DATAj (j ranging between 1 and m) are generated, for example, randomly or pseudo-randomly, and are submitted at the algorithm input (block 3, FIG. 1).
At a regular algorithm execution interval (times Ti, i ranging between 1 and n), supply current I(i,j) of the integrated circuit is measured. The set of measurements of current I(i,j) is stored. The shorter the regular interval between times Ti, the better the accuracy of the analysis. The measured currents are a function of the key contained in the integrated circuit.
Hypotheses about all or part of the key are then formulated within processor 10 and correlated with the consumption measurements (acquisitions).
As known, the current responses (all the measured currents) are analyzed at the different times. To test the resistance of integrated circuit 1 against power analysis attacks, it is checked whether the key is found after a number of trials by a DPA attack. A threshold number of trials is set, beyond which the algorithm is considered resistant if the key has not been found. The resistance tests are thus performed on a final component (for example, a smart card).
A disadvantage of the conventional method is that the resistance of the entire circuit to a differential power analysis attack is actually tested. Accordingly, the tests are sensitive to possible parasitic noises which may mask weaknesses of the actual algorithm. Further, such noises are linked to the hardware implementation and may thus result in validating an algorithm on account of its implementation while it is in fact vulnerable to differential power analysis attacks.
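The test of FIG. 2 and the masking effect of noise described above can be reproduced on simulated acquisitions; the following is an added example, not part of the original text. Assumptions: the 4-bit PRESENT S-box stands in for the nonlinear step of ALGO, consumption follows a Hamming-weight model, Pearson correlation is the statistic, and all names, sizes and noise levels are constructed for illustration.

```python
import random

# PRESENT cipher 4-bit S-box, standing in for the nonlinear step of ALGO (assumption).
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
HW = [bin(v).count("1") for v in range(16)]  # Hamming-weight leakage model (assumption)

def acquire(key, m, n, leak_at, sigma, rng):
    """Simulate table 20: m data sets DATAj, each with n current samples I(i,j)."""
    data = [rng.randrange(16) for _ in range(m)]
    traces = []
    for d in data:
        row = [10.0 + rng.gauss(0, sigma) for _ in range(n)]  # baseline + circuit noise
        row[leak_at] += HW[SBOX[d ^ key]]                     # key-dependent consumption
        traces.append(row)
    return data, traces

def pearson(xs, ys):
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return sxy / (sxx * syy) ** 0.5 if sxx and syy else 0.0   # flat column: no correlation

def dpa_scores(data, traces):
    """For each key hypothesis, the peak |correlation| over all times Ti."""
    columns = list(zip(*traces))
    scores = []
    for k in range(16):
        model = [HW[SBOX[d ^ k]] for d in data]
        scores.append(max(abs(pearson(model, col)) for col in columns))
    return scores

def qualify(key, sigma, threshold, seed=1):
    """Run the test with `threshold` acquisitions; report verdict and true-key score."""
    rng = random.Random(seed)
    data, traces = acquire(key, threshold, n=8, leak_at=3, sigma=sigma, rng=rng)
    scores = dpa_scores(data, traces)
    found = scores.index(max(scores)) == key
    return {"verdict": "vulnerable" if found else "resistant",
            "found": found, "true_key_score": scores[key]}

if __name__ == "__main__":
    # Same leaking algorithm each time; only the simulated circuit noise changes.
    for sigma in (0.0, 0.5, 50.0):
        print(sigma, qualify(key=0xB, sigma=sigma, threshold=300))
```

The algorithm leaks identically in every run; only `sigma` changes. As the noise grows, the correlation score of the true key collapses toward that of the wrong hypotheses, so a fixed trial threshold can end up qualifying the implementation rather than the algorithm.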