The present invention relates to a countermeasure method for a microcontroller in which sequences of program instructions are executed.
The present invention applies in particular to protected electronic components such as microcontrollers for chip cards, for example.
Microcontrollers are monolithic integrated circuits incorporating at least one microprocessor, also referred to as a CPU, standing for Central Processing Unit in English terminology These microcontrollers are true computers on a single silicon substrate, or integrated circuit chip.
Thus microcontroller chip cards constitute protected information carriers which have the same structure as a computer, that is to say they make it possible to store data and also to process information. In this context, the role of the microcontroller is to authenticate the card and its bearer, to encode and decode messages and to calculate electronic signatures proving that a licit operation has indeed been performed.
FIG. 1 illustrates schematically the structure of a microcontroller for a chip card. Such a microcontroller, integrated on a chip, has a microprocessor, or CPU, able to process the data and programs recorded on the chip. The microprocessor is associated with different types of memory by means of data buses. The operating programs and the algorithms are generally stored in a ROM memory, whilst the data, secret or not, are stored in a programmable memory of the EEPROM type, for example. A RAM memory contains the working registers necessary for the various internal processing actions. An input/output component, composed of a connector, for a chip card with contact, provides the dialogues with the outside world.
The operations of the microcontroller are sequenced by a clock (CLK). The microcontroller also has a power supply Vcc and an earth GND.
There are essentially two families of microcontroller. The majority of microcontrollers existing at the present time (approximately 90%) are based on a CISC (from the English Complex Instructions Set Computer) architecture in which the instructions are read and executed sequentially by a large decoding engine. However, the current trend is to use, more and more, microcontrollers with RISC (from the English Reduced Instruction Set Computer) architecture in which the instructions are read and executed in parallel. Such an architecture requires several expensive decoding engines in place on the integrated circuit chip, but it is also much more rapid in the execution of the sequences of instructions. In particular, RISC architectures using a so-called “pipeline” method make it possible to interleave several instructions by dividing them into substeps and executing steps of several instructions in the same clock cycle. The particularities of the pipeline in RISC architecture will be enlarged on hereinafter.
The execution of programs by the microcontroller must therefore be protected since all or some of the data being manipulated are secret. The protection can be provided by mathematical algorithms integrated into the programs executed, and/or by so-called countermeasure methods.
A countermeasure method is a protection method which consists of preventing the data manipulated during the execution of the instructions of a program being able to be interpreted outside the protected component. Such a leakage of information is possible through the very structure of the microcontroller, which may suffer what are referred to as power attacks, or DPA, standing for Differential Power Attack in English terminology.
FIG. 2 illustrates the principle of power attack by means of a graph of the current consumption I of the chip according to the number of clock beats t.
When the microprocessor executes a program composed of a sequence of instructions (Ins1, Ins2, Ins3, . . . ), with an algorithm, whether secret or not, it seeks the necessary data in memory, processes them and writes the results in memory.
Conventionally, the execution of a sequence of instructions always takes place in the same way, identical and determined, whatever the architecture (CISC or RISC) of the microcontroller used.
It then becomes possible to effect a power attack simply by reading the current consumption of the microcontroller (from its power supply Vcc), which may allow information on the secret data being handled to show through. In order to obtain such information, it is necessary to perform the same sequence of instructions several times. It then becomes possible to correlate the current consumption with the data processed during the execution of the same instruction. The current consumption of the microcontroller can thus become a veritable indicator of the data being manipulated.
For example, an attacker can proceed in the following manner. If a secret data item of eight bytes k[i], with i from 1 to 8, is considered. An accumulator is used and a loop is effected for i from 1 to 8 Acc=k[i]xor k[i+1]. At the end of the loop, Acc=xor(Σ(i=1 to 8)k[i]) is obtained. When the current consumption I is observed as a function of time during this sequence (loop), a curve is obtained with the cyclic trend which is the reflection of what was executed in the microcontroller, that is to say in the example cited eight identical signals are obtained for the eight operations of the loop. Nevertheless, if each element of the signals is compared, it is possible to extract differences, and thus information on the k[i] secrets. Observation is also facilitated by the possibility of having the same loop executed several times. The current consumption of the card being the same for one and the same sequence of operations, it is possible to extract the information sought.
Consequently it becomes essential to eliminate the repetition in the current consumption for the same sequence of instructions. This is the objective of the countermeasure methods.
Such countermeasure methods already exist, in particular in the software field, where programs containing random variants may be used. Such programs can have recourse to subprograms in a random fashion. Thus, for the same task repeated several times, which conventionally would invoke the same sequence of instructions, different subprograms are invoked and give rise to the execution of different sequences of instructions. It becomes impossible to correlate the current consumption and the data being manipulated.
Such a software solution is however complex to implement. It is necessary in fact to write the different subprograms, which is expensive in development time and in code size.