1. Field of the Invention
The present invention generally relates to the execution of calculation functions by an integrated circuit. The present invention more specifically relates to the control of the execution of an algorithm, especially of cryptography, against attacks by injection of faults aiming at discovering the secret (generally, a key) handled by this algorithm.
2. Discussion of the Related Art
An attack by fault injection consists of introducing a fault into the executed program (for example, blowing up the program counter) or into the handled data to obtain an erroneous result. This fault injection is repeated several times and ends by enabling the attacker to discover the handled secret quantity. For example, for cryptography algorithms (DSA, RSA, DES, AES, etc.), the secret keys can be discovered by means of a pirating causing instruction jumps.
A known technique to protect a program against fault injections consists of calculating a signature (application of a ciphering algorithm to at least a portion of the software code) upon installation or writing of the program. This signature is then stored inside or outside of the integrated circuit executing the program. Then, in the execution of the software code, the exploitation system recalculates a signature based on the same algorithm as that having been used to generate the initial signature. The current signature is then compared with the predetermined signature. A divergence between these two signatures means that the stored program has been modified and thus enables identifying a potential attack, voluntary or incidental. An example of such an integrity control method is described in U.S. Pat. No. 5,442,645, which is incorporated hereby by reference.
Such a solution protects the program, but not the data and, especially, not the handled secret keys. Further, attacks by fault injection such as described in document “DFA of DES with single injection faults” by M. Witterman in IBM Workshop on Security—April 2000, remain efficient on algorithms such as the DES.
To protect the data, a known technique consists of applying a function C for calculating an error-correction code to data D being processed. Before starting a given operation O of the program, this calculation function is applied to the data to be processed to obtain an initial code C(D). At the end of the processing of the data by the operation, the same function C is applied to the result data O(D) and operation O of the program is applied to the initial code C(D). The data have not been modified during the processing if the two results C(O(D)) and O(C(D)) are identical.
A disadvantage of this technique is that it is not applicable to all operations. In particular, it requires for the operation handling the data and for the code calculation function to respect, for valid data, condition C(O(D))=O(C(D)).
Another known solution to control the execution of a program is to perform certain operations twice, to have a redundancy on the data to check the consistency between the two executions. A disadvantage of such a solution is that it requires either doubling the execution time, or doubling the hardware calculation elements.