A cryptographic device, e.g., a cryptographic Integrated Chip (IC), may receive input data and generate output data by internally processing secret data, for example, an encryption key, a secret key, secret information decrypted from the input data, and/or any other suitable data.
One or more parameters, representing “side effects” that are related to an operation of the cryptographic device, may be correlated with the secret data. For example, a variation in a power consumption and/or Electro-Magnetic (EM) radiation of the cryptographic device may be correlated with the secret data being processed by the device. Therefore, an attempt to detect the secret data (“an attack”) may include measuring one or more side effects of the device in order to deduce and/or reveal the secret data. For example, a side channel attack, e.g., a Differential Power Analysis (DPA) attack, may include analyzing the power consumption of the cryptographic device to reveal the secret data.
One approach for counteracting a DPA attack may include using a dual-rail pre-charge logic, as described in “Masked Dual-Rail Pre-Charge Logic: DPA-Resistance without Routing Constraints”, Thomas Popp and Stefan Mangard, Cryptographic Hardware and Embedded Systems (CHES) 2005. However, this implementation results in significant increases in area.
Another counteract approach includes masking the secret data. However, such implementation may be inefficient if glitches occur within logical circuits of the cryptographic device, as described in “Successfully Attacking Masked AES Hardware Implementations”, Stefan Mangard, Norbert Pramstaller and Elisabeth Oswald, CHES 2005.