1. Field of the Invention
The present invention generally relates to the handling of numbers by integrated circuits and, more specifically, to the masking of binary numbers manipulated by a processor to make these numbers undetectable.
2. Discussion of the Related Art
FIG. 2 very schematically illustrates, in the form of blocks, a first known example of implementation of a bijective transformation 1. According to this example, each time data DATAi must be transformed, a random number is drawn (block 10, RNG), the result of which directly or indirectly provides masked data MDATAi. To avoid possible collisions (assignment of the same masked data to two distinct initial pieces of data), it is checked (block 11, EXIST ?) against a correspondence table 12 whether data MDATAi have already been assigned to data to be masked. If not (N), current data MDATAi are assigned to the data to be masked. If so (Y), that is, if the drawn value has already been used, a new drawing is performed by block 10.
The inverse transformation consists of extracting, from data MDATAi, the corresponding data DATAi from table 12, which thus forms a correspondence table that is reset each time a new bijection is necessary.
A disadvantage of such a solution is that the table generation requires significant calculation resources to avoid reusing values which have already been assigned.
Another disadvantage is that it requires storage of a correspondence table in a volatile memory.
FIG. 3 illustrates a second example of a known solution by a simplified representation of permutation block 1. According to this example, a constant Ct is drawn by a random generator (not shown) at each new bijection (on each circuit reset, for example). Constant Ct is combined with data DATAi to be masked by an XOR function 22 and the result provides data MDATAi. Such an XOR combination is involutive: the same data MDATAi combined with the same constant Ct give back initial data DATAi. The only condition is for the data and the constant to have the same size (for example, m bits).
The solution of FIG. 3 has the advantage of being simple to implement. It however has the significant disadvantage of considerably reducing the number of possible bijections for a size m of binary words. Indeed, for an m-bit word, the number of bijections is limited to 2^m, that is, the random drawing of constant Ct generates only a small part of the possible bijective transformations for the considered number of bits. Theoretically, the number of possible bijections for an m-bit word is the factorial of 2 to the power m, that is, (2^m)!. For example, for eight-bit words, this amounts to approximately 10^600 bijections against 256 in the case of FIG. 3.
A disadvantage is the risk (linked to the number of bijections) of executions in which the same random constant Ct is drawn.
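The two known schemes of FIGS. 2 and 3 can be compared with the following sketch, which is an added illustration and not part of the original text. The function names, the word size m = 3 used for enumeration, and the seeded software generator standing in for the random generator are assumptions.

```python
import math
import random

def table_bijection(m, rng):
    """FIG. 2 scheme: random draw per value, redrawn while already assigned."""
    size = 1 << m
    forward, inverse, draws = {}, {}, 0
    for data in range(size):
        while True:
            draws += 1
            masked = rng.randrange(size)      # block 10 (RNG)
            if masked not in inverse:         # block 11 (EXIST ?) against table 12
                break
        forward[data], inverse[masked] = masked, data
    return forward, inverse, draws

def xor_mask(data, ct):
    """FIG. 3 scheme: the same call masks and unmasks (involution)."""
    return data ^ ct

def count_xor_bijections(m):
    """Distinct bijections reachable over all 2^m values of Ct."""
    size = 1 << m
    return len({tuple(xor_mask(d, ct) for d in range(size)) for ct in range(size)})

def repeat_probability(m, executions):
    """Chance that at least two executions draw the same Ct (uniform draws)."""
    size = 1 << m
    p_all_distinct = 1.0
    for k in range(executions):
        p_all_distinct *= max(size - k, 0) / size
    return 1.0 - p_all_distinct

if __name__ == "__main__":
    m = 3                                     # constructed size, small enough to enumerate
    rng = random.Random(1)                    # stand-in for the hardware RNG, seeded for repeatability
    fwd, inv, draws = table_bijection(m, rng)
    print("table bijection:", fwd, "draws used:", draws)
    print("XOR bijections:", count_xor_bijections(m), "of", math.factorial(1 << m))
    print("P(repeated Ct), m=8, 20 executions: %.3f" % repeat_probability(8, 20))
```

The draw counter makes the redraw cost of the table scheme visible, and the last line quantifies the repeated-constant risk for eight-bit words under the assumption of uniform, independent draws.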